UNIVERSITY EXAMINATIONS: 2016/2017
EXAMINATION FOR THE DEGREE OF MASTER OF SCIENCE IN
DATA COMMUNICATIONS
MDCN 5302 COMPUTER SECURITY & FORENSICS
DATE: DECEMBER, 2016 TIME: 2 HOURS
INSTRUCTIONS: Answer Question One & ANY OTHER TWO questions.
QUESTION ONE: 20 MARKS (COMPULSORY)
a) While performing a computer forensic investigation on e-mails, the investigator can obtain data
not only from the body of the e-mail but also from its header. Describe, with examples, five
different types of data that can be extracted from the e-mail header. (5 Marks)
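As an added illustration (not part of the examination paper), the script below parses a constructed e-mail header and pulls out the kinds of evidential fields the question is asking about: the Received chain read in delivery order with the relay IPs and timestamps, the From and Reply-To mailboxes and whether their domains disagree, the Message-ID, the client-supplied Date and its gap to the first server timestamp, the X-Mailer string and the X-Originating-IP. The sample message, every host name, address and IP address in it, and the case scenario are invented for this example; only the Python standard library is used.

```python
"""Added example: pulling evidential fields out of an e-mail header.

Illustrative code written for this page, not part of the examination. The
message below is constructed; every host name, address and IP is made up.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parsedate_to_datetime

# Constructed sample: a lure that spoofs an internal "Accounts" sender.
SAMPLE_RAW = b"""Received: from mx1.example.org (mx1.example.org [192.0.2.10])
\tby mail.example.com with ESMTP id abc123
\tfor <victim@example.com>; Mon, 05 Dec 2016 09:15:02 +0300
Received: from client-pc.lan (unknown [198.51.100.7])
\tby mx1.example.org with ESMTPA id xyz789;
\tMon, 05 Dec 2016 09:14:58 +0300
Message-ID: <20161205061458.1234@client-pc.lan>
Date: Mon, 05 Dec 2016 09:14:50 +0300
From: "Accounts" <accounts@example.org>
Reply-To: attacker@example.net
To: victim@example.com
Subject: Invoice
X-Mailer: Microsoft Outlook 16.0
X-Originating-IP: [198.51.100.7]
Content-Type: text/plain

Please see attached.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _first_addr(msg, name):
    """addr-spec of the first mailbox in an address header, or None."""
    hdr = msg.get(name)
    if hdr is None or not hdr.addresses:
        return None
    return hdr.addresses[0].addr_spec


def _received_time(line):
    """RFC 5322 Received: the date-time follows the last ';'."""
    return parsedate_to_datetime(line.rsplit(";", 1)[1].strip())


def extract_header_evidence(raw: bytes) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)

    # Each MTA prepends its own Received: line, so the LAST one in the header
    # is the hop nearest the sender. Reverse to read the path in delivery order.
    hops = []
    first_hop_dt = None
    for line in reversed(msg.get_all("Received", [])):
        line = " ".join(str(line).split())      # unfold and collapse whitespace
        dt = _received_time(line)
        if first_hop_dt is None:
            first_hop_dt = dt
        hops.append({"raw": line, "ips": IP_RE.findall(line), "time": dt.isoformat()})

    sender = _first_addr(msg, "From")
    reply_to = _first_addr(msg, "Reply-To")
    date_hdr = msg.get("Date")
    sent = date_hdr.datetime if date_hdr is not None else None

    # Date: is written by the sender's client and is trivially forged; the first
    # Received: timestamp is written by a server, so a large gap is a red flag.
    skew = None
    if sent is not None and first_hop_dt is not None:
        skew = (first_hop_dt - sent).total_seconds()

    orig_ip = IP_RE.search(str(msg.get("X-Originating-IP", "")))
    mailer = msg.get("X-Mailer")
    mismatch = (bool(sender) and bool(reply_to)
                and reply_to.rsplit("@", 1)[-1] != sender.rsplit("@", 1)[-1])

    return {
        "from": sender,
        "reply_to": reply_to,
        "reply_to_mismatch": mismatch,   # replies diverted to another domain
        "message_id": str(msg.get("Message-ID", "")).strip() or None,
        "date": sent.isoformat() if sent else None,
        "date_to_first_hop_seconds": skew,
        "x_mailer": str(mailer) if mailer is not None else None,
        "originating_ip": orig_ip.group(1) if orig_ip else None,
        "hops": hops,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_header_evidence(SAMPLE_RAW), indent=2))
```

Everything here except the Received timestamps and relay IPs is writable by the sender, so the header is treated as a lead, not as proof: the relay IPs are corroborated against the receiving MTA's own logs, and the Message-ID and X-Mailer are compared with messages known to originate from the suspect's client.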
b) Real evidence, testimonial evidence, hearsay evidence and admissible evidence are types of evidence that you
may come across during a computer forensic investigation. Clearly describe them, giving an
example of each. (6 Marks)
c) It is best practice to work with a copy of the original. However, there exist situations in which
you may need to work directly with the original. Explain two scenarios that allow a forensic
investigator to work directly on the original data. (4 Marks)
d) Discuss five rules of digital evidence. (5 Marks)
QUESTION TWO: 15 MARKS
a) You are given a hard disk belonging to a suspected criminal. Explain the complete steps to
make a forensic copy of the hard disk. The steps should start immediately after you have
suspected a criminal attack. Do not forget to include the steps for the transfer of custody
(chain of custody) procedure and case documentation. (9 Marks)
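As an added illustration (not part of the examination paper), the script below shows the integrity core of a forensic copy: the bytes are hashed as they are read from the source, the written image is hashed again independently, the two digests must agree, and every handling step is appended to a chain-of-custody record that carries the hash at that moment. A temporary file stands in for the suspect's disk, and the case number, examiner names and file names are invented; a real acquisition reads the block device through a hardware write blocker, which this code cannot provide (opening the source read-only is not a substitute).

```python
"""Added example: bit-for-bit acquisition with hash verification and a
chain-of-custody record. Illustrative code written for this page, not part of
the examination. Paths, names and the case number are made up, and a regular
file stands in for the suspect's hard disk (a real acquisition reads the block
device through a hardware write blocker).
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read/write granularity


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source: str, image: str) -> dict:
    """Copy source -> image, hashing the bytes as they are read, then hash the
    written image independently. Both digests must match or the copy is void."""
    on_read = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            on_read.update(block)
            dst.write(block)
    source_digest = on_read.hexdigest()
    image_digest = sha256_of(image)
    return {
        "source": source,
        "image": image,
        "bytes": os.path.getsize(image),
        "source_sha256": source_digest,
        "image_sha256": image_digest,
        "verified": source_digest == image_digest,
    }


def verify_image(image: str, expected_sha256: str) -> bool:
    """Re-hash before every examination; any change since acquisition fails."""
    return sha256_of(image) == expected_sha256


def custody_entry(log: list, action: str, handler: str, item: str,
                  digest: str, note: str = "") -> dict:
    """Append one chain-of-custody event: who did what to which item, when,
    and the item's hash at that moment. The log is append-only."""
    entry = {
        "seq": len(log) + 1,
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "handler": handler,
        "item": item,
        "sha256": digest,
        "note": note,
    }
    log.append(entry)
    return entry


def run_demo() -> dict:
    """Stand-in acquisition on a temporary file; returns what a test can check."""
    work = tempfile.mkdtemp(prefix="acq_")
    disk = os.path.join(work, "suspect_disk.raw")      # stands in for /dev/sdX
    image = os.path.join(work, "CASE-2016-042_disk.dd")
    with open(disk, "wb") as f:                       # constructed "disk" content
        f.write(os.urandom(3 * CHUNK + 4097))

    log = []
    custody_entry(log, "seized", "J. Doe (first responder)", "suspect_disk",
                  sha256_of(disk), "bagged and sealed at scene")
    result = acquire_image(disk, image)
    custody_entry(log, "imaged", "A. Examiner", "CASE-2016-042_disk.dd",
                  result["image_sha256"], "write blocker in use")
    custody_entry(log, "transferred", "A. Examiner -> evidence locker",
                  "CASE-2016-042_disk.dd", result["image_sha256"])

    intact = verify_image(image, result["source_sha256"])

    # Flip one byte of the image to show that re-verification catches tampering.
    with open(image, "r+b") as f:
        f.seek(1234)
        original = f.read(1)
        f.seek(1234)
        f.write(bytes([original[0] ^ 0xFF]))
    tamper_detected = not verify_image(image, result["source_sha256"])

    with open(os.path.join(work, "custody.json"), "w") as f:
        json.dump(log, f, indent=2)

    return {"acquisition": result, "intact_before_tamper": intact,
            "tamper_detected": tamper_detected, "custody_events": len(log)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The source hash is taken on the same pass as the copy so the original is read only once; the image is then hashed from disk rather than from the in-memory stream, so a write error on the destination cannot go unnoticed. The custody log records the hash at seizure, after imaging and at hand-over, which is what lets a later examiner show the item is unchanged since the first entry.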
b) There exist quite a number of computer crimes nowadays. Describe three types of computer crime
committed against companies and provide an example of each. (3 Marks)
c) In order to maintain the integrity of evidence, the chain of custody must be strictly observed.
Describe three of the chain of custody procedures (3 Marks)
QUESTION THREE: 15 MARKS
a) Understanding the overall computer forensics investigation model is crucial to ensure that the
results of the investigation are accepted by all affected parties. By use of a diagram, describe, in the correct
order, all the phases of the Generic Computer Forensic Investigation Model (GCFIM).
(10 Marks)
b) Describe the factors considered critical in Daubert’s evidence admissibility test.
(5 Marks)
QUESTION FOUR: 15 MARKS
a) Differentiate between statute law and case law, highlighting how each is applicable should
the investigation end up in a court of law. (2 Marks)
b) The Windows OS produces system data and artifacts that can be used as evidence.
Describe three types of such generated system data and artifacts. (3 Marks)
c) One of the employees of XYZ Company is suspected of stealing money electronically from
one of the company's accounts and depositing the money into his own account. He is the
new accounts manager, has been provided with a PC and has access to the internet.
He is always seen carrying a fancy-looking flash drive, which he uses on the computer to listen
to music in MP3 format. Formulate the investigation steps that a forensic investigator
should take. Describe your steps from the time you enter the accounts manager's room
until the end of the investigation process. You are free to make assumptions. You must also
specify any tools or software used in the investigation.
(10 Marks)