HI6043 COMPUTER FORENSICS AND ANALYSIS FINAL ASSESSMENT – EXAM
Trimester 1, 2022
Assessment Weight: 50 total marks
- All questions must be answered by using the answer boxes provided in this paper.
- Completed answers must be submitted to Blackboard by the published due date and time.
Please ensure you follow the submission instructions at the end of this paper.
This assessment consists of five (5) questions and is designed to assess your level of knowledge of the key topics covered in this unit.
Question 1 (10 marks)
In this question, you are investigating a private sector case that involves the possible termination of an employee of a large commercial organisation. You have been given access to the employee's computer, on which some inappropriate files were discovered. The employee swears that he has never accessed these files.
How would you proceed to investigate this case by analysing the computer the employee has used, establishing who has access to the computer, and considering what other relevant directions the investigation might take?
ANSWER: ** Answer box will enlarge as you type here
Question 2 (10 marks)
You are investigating a case where you suspect that virtual machines may be in use on the suspect computer. What are the main clues you should look for to determine whether a VM is running on the suspect computer? If a VM is running on the computer, how will you conduct your forensic analysis of that VM? Which acquisition method will you use on the running VM, and why would you choose this method?
Question 3 (10 marks)
This question has the following two parts. Answer both parts.
- You are investigating an email fraud case on a suspect computer. You have been given limited access to the suspect computer. What is the best data acquisition method to use in this scenario? Provide reasons why this is the best method. Explain the acquisition process in detail, including its advantages and limitations. [2 + 5 + 1.5 marks]
- You are appearing in a court of law for a case hearing as an expert digital forensics examiner. Your role in this court appearance will be as an expert witness. Explain in detail the difference between an expert witness and a fact witness in a court of law. How will you approach this testimony as an expert witness? [3 + 2 marks]
Question 4 (10 marks)
Microsoft operating systems are widely used for personal as well as official purposes. You come across an MS OS on which you are searching for data files while investigating a critical case. Assuming an NTFS (New Technology File System) based MS OS, answer the following questions.
- What are sectors and clusters? Explain briefly their structure and their relationship to each other. [2 marks]
- What are logical and virtual cluster numbers? How do they differ from each other? [2 marks]
- You are examining the MFT (Master File Table) record of a data file in the WinHex editor. At what offset values in the MFT header will you find the size of the MFT record and the length of the MFT header? Why are attributes 0x10 and 0x30 important in the MFT header? What information can you find in these attributes? [6 marks]
Question 5 (10 marks)
In digital forensics investigations, digital evidence plays a critical role.
- Explain, with some examples, what digital evidence is. [2 marks]
- Why is it important to take care of digital evidence, and what measures will you take to preserve the integrity of the digital evidence? [3 marks]
- What is a chain of custody (CoC)? List some of the key attributes of a CoC. [5 marks]
END OF FINAL ASSESSMENT
- Save your submission with your STUDENT ID NUMBER and UNIT CODE, e.g. SGH1234 HI6043
- Submission must be in MICROSOFT WORD format only
- Upload your submission to the appropriate link on Blackboard
- You have two attempts to submit your assessment with only the final submission being marked.
Please ensure your submission is the correct document as special consideration is not given if you make a mistake.
- All submissions are automatically passed through SafeAssign to assess academic integrity.