University Exam Questions on Computer Forensics and Investigation


Added on  2020/04/15

Homework Assignment
AI Summary
This document presents a set of solved exam questions covering various aspects of computer forensics. The questions address key topics such as the differences between bit stream and file backup, data acquisition methods including raw format advantages and disadvantages, and email investigation techniques like IP address tracing. It further explores file systems (FAT and NTFS), hashing algorithms (MD5 and SHA-1), mobile forensics data storage, and the distinction between static and live data acquisition. The assignment also outlines steps in a cyber-forensic investigation, emphasizing evidence preservation and the use of specialist tools, and concludes with methods to identify unknown files using data recovery software. The solution provides comprehensive answers to each question, making it a valuable resource for students studying computer forensics.
Running head: EXAM QUESTIONS
EXAM QUESTIONS
Name of the Student
Name of the University
Author Note
Bit stream Backup
A bit stream backup copies all of the data on the hard disk drive or other storage medium, whereas a file backup copies only the data on the desired disk rather than all of the system's data. The bit stream copy can be considered more secure than the file backup copy.
Data acquisition
a)
Advantage:
The raw format can be converted to any other format according to the user's needs.
The size of the data is considerably larger than with any other format.
Disadvantage:
Editing the raw format can sometimes be very hectic.
Sometimes specialized software has to be used to convert the format.
b) The Linux command to create a raw image is qemu-img. The benefits of this command are:
It can directly create a shortcut for image creation.
It can modify any image that is being processed in the system.
Email investigation
a) The first thing that should be done is to find the sender's IP address, from which the location can be traced. The IP address can be looked up on many websites on the internet.
b) The main aspects that can be uncovered are the origin of the email and the exact IP address involved in sending the message. The IP address can be considered one of the most important aspects when dealing with email spam, as it can reveal all the details of the sender of the message. By this means the actual origin of the message can easily be found.
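The answers above rely on reading the IP address out of the message headers. The following is an added example, not part of the original exam answers, showing how that is done in practice: each mail relay prepends its own Received: header, so walking them from the bottom up reconstructs the path and the earliest hop carries the originating address. The message, host names and IP addresses are constructed for illustration (documentation ranges only). The "from" clause is written by the sender and can be forged; only the bracketed IP recorded by a relay you trust is reliable.

```python
"""Walk an e-mail's Received: headers to find the originating IP address.

Added example (not part of the original exam answers). The message below
is constructed for illustration; every host name and IP in it is made up.
"""
import re
from email import message_from_string
from typing import Dict, List, Optional

# Constructed sample with three hops. Each relay prepends its own line,
# so the oldest hop (the sending machine) is the LAST Received: header.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [198.51.100.7])
    by mail.example.net with ESMTP id abc123
    for <victim@example.net>; Tue, 14 Apr 2020 10:00:03 +0000
Received: from relay.example.com (relay.example.com [203.0.113.25])
    by mx.example.org with ESMTPS id def456;
    Tue, 14 Apr 2020 10:00:01 +0000
Received: from laptop (unknown [192.0.2.66])
    by relay.example.com with SMTP id ghi789;
    Tue, 14 Apr 2020 09:59:58 +0000
From: sender@example.com
To: victim@example.net
Subject: test

body
"""

# The address a relay actually observed is written in square brackets.
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw_message: str) -> List[Dict[str, Optional[str]]]:
    """Return the Received: hops in chronological (oldest first) order.

    Each hop records the 'from' clause (the host the sender claimed to be),
    the 'by' clause (the relay that wrote the line) and the bracketed IP
    that relay observed for the sending side.
    """
    msg = message_from_string(raw_message)
    hops = []
    for raw in msg.get_all("Received", []):
        text = " ".join(raw.split())            # unfold continuation lines
        m_from = re.search(r"\bfrom\s+(\S+)", text)
        m_by = re.search(r"\bby\s+(\S+)", text)
        m_ip = BRACKETED_IPV4.search(text)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "ip": m_ip.group(1) if m_ip else None,
        })
    hops.reverse()   # headers are prepended, so the last header is the first hop
    return hops


def originating_ip(raw_message: str) -> Optional[str]:
    """Return the IP recorded in the earliest Received: header, if any."""
    for hop in received_chain(raw_message):
        if hop["ip"]:
            return hop["ip"]
    return None


if __name__ == "__main__":
    for i, hop in enumerate(received_chain(SAMPLE_MESSAGE), 1):
        print(f"hop {i}: {hop['from']} [{hop['ip']}] -> {hop['by']}")
    print("originating IP:", originating_ip(SAMPLE_MESSAGE))
```

Geolocation of the resulting address is a separate lookup step; the parser only establishes which address the first trusted relay saw.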
File system
a) A file system can be considered a method or data structure used by an operating system to keep track of the files on a disk or partition; that is, the way the files are organized on the disk.
b) Two common file systems used in modern Windows-based systems are FAT and NTFS. The more recent of the two is NTFS, which is used as the default in Windows 10.
c) FAT stands for File Allocation Table and MFT stands for Master File Table.
d) The FAT file system usually contains four different regions, as follows.
Boot sector: a reserved sector located at the start of the disk. It contains the operating system's boot loader code.
FAT region: this region usually contains two copies of the file allocation table.
Data region: this is where the directory data is stored.
Root directory region: this is the region holding all the information about the table and the files.
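The four regions listed in (d) are not at fixed positions: their starting sectors are computed from the BIOS Parameter Block stored in the boot sector. The following is an added example, not part of the original answers, that decodes a boot sector, derives where the FAT region, root directory and data region begin, decides the FAT variant from the cluster count, and maps a cluster number to its sector. The boot sector is constructed by hand with plausible FAT16 values; it is not from any real device.

```python
"""Locate the four regions of a FAT volume from its boot sector.

Added example (not from the original exam answers). The boot sector below
is constructed by hand with plausible FAT16 parameters; it is not an image
of any real device.
"""
import struct

# Jump instruction, OEM name, then the BIOS Parameter Block (little-endian).
BPB_FORMAT = "<3s8sHBHBHHBHHHII"
BPB_FIELDS = (
    "jump", "oem", "bytes_per_sector", "sectors_per_cluster",
    "reserved_sectors", "num_fats", "root_entries", "total_sectors_16",
    "media", "sectors_per_fat", "sectors_per_track", "heads",
    "hidden_sectors", "total_sectors_32",
)


def make_sample_boot_sector() -> bytes:
    """Build a constructed 512-byte FAT16 boot sector (sample data only)."""
    sector = bytearray(512)
    sector[:struct.calcsize(BPB_FORMAT)] = struct.pack(
        BPB_FORMAT, b"\xEB\x3C\x90", b"MSWIN4.1",
        512,     # bytes per sector
        4,       # sectors per cluster
        1,       # reserved sectors (just the boot sector itself)
        2,       # two copies of the FAT, as the answer above says
        512,     # root directory entries, 32 bytes each
        0,       # 16-bit total sector count unused; see the 32-bit field
        0xF8,    # media descriptor: fixed disk
        64,      # sectors per FAT
        63, 255, 0,   # sectors per track, heads, hidden sectors
        65536,   # total sectors (32-bit)
    )
    sector[510:512] = b"\x55\xAA"   # boot sector signature
    return bytes(sector)


def parse_boot_sector(sector: bytes) -> dict:
    """Decode the BPB and sanity-check it before trusting any offset."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot sector signature")
    bpb = dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, sector)))
    if bpb["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        raise ValueError("implausible bytes_per_sector")
    if bpb["sectors_per_cluster"] == 0 or bpb["num_fats"] == 0:
        raise ValueError("corrupt BPB: zero cluster size or FAT count")
    bpb["total_sectors"] = bpb["total_sectors_16"] or bpb["total_sectors_32"]
    return bpb


def fat_layout(bpb: dict) -> dict:
    """Return the starting sector of each region and the FAT variant."""
    bps = bpb["bytes_per_sector"]
    root_dir_sectors = (bpb["root_entries"] * 32 + bps - 1) // bps
    fat_start = bpb["reserved_sectors"]
    root_start = fat_start + bpb["num_fats"] * bpb["sectors_per_fat"]
    data_start = root_start + root_dir_sectors
    clusters = (bpb["total_sectors"] - data_start) // bpb["sectors_per_cluster"]
    # The cluster count alone decides the variant (Microsoft FAT specification).
    if clusters < 4085:
        variant = "FAT12"
    elif clusters < 65525:
        variant = "FAT16"
    else:
        variant = "FAT32"
    return {
        "boot_sector": 0,
        "fat_region": fat_start,
        "root_directory": root_start,
        "data_region": data_start,
        "cluster_count": clusters,
        "variant": variant,
    }


def cluster_to_sector(bpb: dict, cluster: int) -> int:
    """Map a data cluster number (the first data cluster is 2) to its sector."""
    if cluster < 2:
        raise ValueError("clusters 0 and 1 are reserved")
    return fat_layout(bpb)["data_region"] + (cluster - 2) * bpb["sectors_per_cluster"]


if __name__ == "__main__":
    bpb = parse_boot_sector(make_sample_boot_sector())
    for name, value in fat_layout(bpb).items():
        print(f"{name:16} {value}")
    print("cluster 2 starts at sector", cluster_to_sector(bpb, 2))
```

The signature and range checks matter in forensic use: a damaged or deliberately corrupted boot sector will otherwise yield offsets that point into the wrong region, and the backup copy of the FAT is the usual fallback when the first copy is unreadable.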
Hashing
a) A hashing algorithm is any function that maps data of arbitrary size to data of a fixed size. The values returned by the hashing algorithm are called hash values.
b) A hashing algorithm uses mathematical operations in order to secure a system or the data in the system. This helps security directly by putting emphasis on the password security of a system. The main point is that by implementing a hashing algorithm the security issues in a system can be minimized.
c) The three rules of the forensic hash are:
Choose an appropriate hash function, as this determines the security of the system.
A forensic hash can be used to alter a code or file whenever needed.
A forensic hash should always be implemented in such a way that a normal user cannot obtain the hashing function being used.
d) Two hashing algorithms commonly used for forensic purposes are MD5 and SHA-1.
Mobile
The four places where information can be stored in a mobile device are the memory card, the phone's internal memory, the SIM card and the GPS module in the device.
Static or volatile
Static acquisition: There are many ways of acquiring data in computer forensics. Static acquisition can be considered one of the most basic and common ways of acquiring data in computer forensics. Static acquisition acquires the data directly from a non-volatile source.
Live acquisition: A live acquisition is where the data is retrieved from a digital device via its normal interface, for example by switching a computer on and running a program from within the operating system.
The main goal of static acquisition is to obtain data for the purpose of computer forensics; the data is obtained from sources which are volatile.
The main goal of live acquisition is the same as that of static acquisition; the difference lies in the form of the data. In live acquisition the data is digital.
An example of static acquisition is data that was possessed earlier but is being investigated now because of a computer forensics case. An example of live acquisition is obtaining the data in a live environment.
Steps in Cyber Investigation
The key steps in a cyber-forensic investigation are:
Adhere to the ACPO (Association of Chief Police Officers) guidelines for the recovery of evidence through a comprehensive, auditable process.
Preserve the evidence: data stored on a computer can very easily be destroyed or made inadmissible as evidence. One of the most important steps is choosing the right method for acquiring the data.
Never work on the original media: once a device is confirmed to hold evidence, it should be forensically examined so that it can be processed for the future investigation. Specialist tools and software are used to conduct a proper investigation.
The examination must be repeatable: computer forensics is an exact science. International law, human rights law, and protocols from the ACPO and NHTCU ensure that the evidence collected follows an internationally approved methodology and can be presented in a court-ready statement; alternatively our "expert witness" services may be used.
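The Hashing section names MD5 and SHA-1, and the steps above require that evidence be preserved, that work is done on a copy rather than the original, and that the examination be repeatable. One mechanism ties these together: hash the acquired image once, then re-hash every working copy before and after use and compare. The following is an added example, not part of the original answers, that does exactly that with a constructed in-memory stand-in for a disk image; the file names are placeholders. It reads in chunks so a multi-gigabyte image never has to fit in memory, and it records SHA-256 alongside MD5 and SHA-1, because collisions for both of the latter are practical today and a court may ask for a stronger digest.

```python
"""Hash an evidence image once and verify working copies against it.

Added example (not part of the original exam answers). The 'evidence' is a
constructed byte pattern standing in for a disk image; file names are
placeholders chosen for this example.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, Iterable

# MD5 and SHA-1 are the algorithms named in the answers; SHA-256 is added
# because MD5 and SHA-1 collisions are practical and examiners record a
# stronger digest as well.
ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 1024 * 1024   # hash in 1 MiB pieces; never load a whole image


def _digest_chunks(chunks: Iterable[bytes], algorithms) -> Dict[str, str]:
    """Feed every chunk to every hasher in a single pass over the data."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in chunks:
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes, algorithms=ALGORITHMS) -> Dict[str, str]:
    """Digests of an in-memory buffer (handy for checking test vectors)."""
    return _digest_chunks([data], algorithms)


def hash_file(path: str, algorithms=ALGORITHMS) -> Dict[str, str]:
    """Digests of a file on disk, read chunk by chunk."""
    with open(path, "rb") as fh:
        return _digest_chunks(iter(lambda: fh.read(CHUNK), b""), algorithms)


def verify_copy(recorded: Dict[str, str], copy_path: str) -> bool:
    """True only if every digest recorded at acquisition still matches."""
    current = hash_file(copy_path, recorded.keys())
    return all(current[name] == recorded[name] for name in recorded)


def demo() -> Dict[str, bool]:
    """Acquire, record hashes, copy, verify, then alter one byte and re-verify."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "evidence.dd")      # placeholder name
        copy = os.path.join(workdir, "working_copy.dd")      # placeholder name
        with open(original, "wb") as fh:
            fh.write(bytes(range(256)) * 64)   # constructed stand-in for an image
        recorded = hash_file(original)        # the values that go in the case notes
        shutil.copyfile(original, copy)
        copy_ok = verify_copy(recorded, copy)
        # A single changed byte in the working copy must be detected.
        with open(copy, "r+b") as fh:
            fh.seek(100)
            fh.write(b"\xff")
        tampered_ok = verify_copy(recorded, copy)
    return {"copy_verified": copy_ok, "tampered_copy_verified": tampered_ok}


if __name__ == "__main__":
    print(hash_bytes(b"abc"))
    print(demo())
```

Recording the digests at acquisition time, in a document kept apart from the image, is what lets a later examiner repeat the work and show the copy they used is the one that was seized.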
Unknown Files
Computer data recovery software can be used to identify what the unknown files are.
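Recovery software identifies a file with no usable name or extension by its content, not its label: it compares the first bytes against a table of known signatures (magic numbers). The following is an added example, not part of the original answers, that applies that technique to a few constructed sample files, including one whose extension disagrees with its contents, which is the case an examiner most wants flagged. The signature table holds only well-known published values; the sample file contents and names are made up.

```python
"""Identify unknown files by content signature rather than by name.

Added example (not from the original exam answers) of the approach data
recovery tools take: match the leading bytes against known magic numbers.
All sample files below are constructed in memory.
"""
import os
from typing import Dict, Optional

# (offset, magic bytes, type label). These are well-known published signatures.
SIGNATURES = (
    (0, b"\x89PNG\r\n\x1a\n", "PNG image"),
    (0, b"\xff\xd8\xff", "JPEG image"),
    (0, b"%PDF-", "PDF document"),
    (0, b"PK\x03\x04", "ZIP archive (also DOCX/XLSX/JAR)"),
    (0, b"MZ", "Windows executable (PE)"),
    (0, b"\x7fELF", "ELF executable"),
    (0, b"GIF87a", "GIF image"),
    (0, b"GIF89a", "GIF image"),
    (0, b"SQLite format 3\x00", "SQLite database"),
    (0, b"\x1f\x8b", "gzip archive"),
    (0, b"Rar!\x1a\x07", "RAR archive"),
    (4, b"ftyp", "ISO media (MP4/MOV)"),
)

# What a given extension leads the user to expect (prefix of a type label).
EXTENSION_HINTS = {
    "png": "PNG", "jpg": "JPEG", "jpeg": "JPEG", "gif": "GIF",
    "pdf": "PDF", "zip": "ZIP", "docx": "ZIP", "xlsx": "ZIP",
    "exe": "Windows executable", "dll": "Windows executable",
    "mp4": "ISO media", "gz": "gzip", "rar": "RAR", "db": "SQLite",
}

# Constructed sample "files": name -> leading bytes.
SAMPLE_FILES: Dict[str, bytes] = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 20,
    "unknown.bin": b"%PDF-1.7\n%constructed\n",
    "report.pdf": b"MZ\x90\x00" + b"\x00" * 60,   # an executable named as a PDF
    "random.dat": b"\x00\x01\x02\x03",
}


def identify(data: bytes) -> Optional[str]:
    """Return the label of the first matching signature, or None."""
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    return None


def classify(filename: str, data: bytes) -> Dict[str, Optional[object]]:
    """Combine the content signature with the name's extension.

    'consistent' is True/False when both an extension hint and a signature
    exist, and None when either side gives no opinion.
    """
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    detected = identify(data)
    expected = EXTENSION_HINTS.get(ext)
    consistent = None
    if detected is not None and expected is not None:
        consistent = detected.startswith(expected)
    return {"extension": ext or None, "detected": detected, "consistent": consistent}


def scan(files: Dict[str, bytes]) -> Dict[str, Dict[str, Optional[object]]]:
    """Classify every file in a name -> bytes mapping."""
    return {name: classify(name, data) for name, data in files.items()}


if __name__ == "__main__":
    for name, result in scan(SAMPLE_FILES).items():
        flag = "" if result["consistent"] is not False else "  <-- mismatch"
        print(f"{name:12} {result['detected']}{flag}")
```

Only the first 64 bytes or so need to be read per file, so the same loop scales to a whole recovered directory tree; anything that the signature table cannot name is left for deeper content analysis rather than guessed.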