Scribd
Upload
158 views3 pages

Digital Forensics Final Exam Solutions

Uploaded by

Muntasir Mamun
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
158 views3 pages

Digital Forensics Final Exam Solutions

Uploaded by

Muntasir Mamun
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 3

Final Exam Solution - Digital Forensics

and Investigation
Jagannath University
M.Sc. 2nd Semester - Final Examination
Course Code: CSE-5210
Course Title: Digital Forensics and Investigation

1. Define computer forensics and explain bit stream copy & bit stream image.
Computer forensics involves the identification, preservation, extraction, and documentation
of computer evidence. It is used in the investigation of crimes where digital data plays a
part. A bit stream copy is an exact copy of the entire contents of a storage device, bit-by-bit,
including empty space. A bit stream image is the file that results from this process,
preserving the data for analysis.

2. What is computer crime? Why do you need Mini-WinFE Boot CD/DVD or USB
drive, explain it in brief.
Computer crime refers to any illegal activity involving computers or digital systems.
Examples include hacking, phishing, identity theft, and ransomware. Mini-WinFE Boot
CD/DVD or USB is used in forensic investigations to boot a system into a forensic
environment without altering the original data, ensuring safe data acquisition.

3. Explain the ways to determine the best acquisition method.


The best acquisition method depends on the situation: for live systems, live acquisition is
used; for turned-off systems, static acquisition is ideal. The decision also considers device
type, encryption status, volatility of data, and legal protocols.

4. What do you mean by remote acquisition? Explain with Prodiscover Basic or


Encase Enterprise.
Remote acquisition is the process of collecting data from a suspect’s machine over a
network without physically accessing it. Prodiscover Basic and Encase Enterprise allow for
secure remote data acquisition while preserving the integrity of evidence.

5. What is curving or salvaging? How does repair damaged file header?


Curving or salvaging refers to recovering data from damaged or corrupted media. Repairing
damaged file headers involves using forensic tools that identify and reconstruct the file
structure based on known signatures or backup file tables.
6. Explain the purpose of a virtual machine for computer forensics and
investigation.
Virtual machines allow investigators to safely analyze suspicious software or data in an
isolated environment. They can recreate suspect environments without altering the original
system.

7. Explain the roles of Windows Registry for computer forensics and


investigation.
Windows Registry stores critical information such as user activities, installed programs,
login data, and USB history. Investigators analyze registry entries to understand user
behavior and system configurations.

8. Describe tasks performed by computer forensics tools.


Tasks include disk imaging, data recovery, keyword searching, email analysis, log analysis,
file carving, timeline creation, and reporting.

9. Explain Resilient file system in brief.


Resilient File System (ReFS) is a Microsoft file system designed for high data availability,
integrity, and scalability. It includes features like automatic integrity checking, data
scrubbing, and error correction.

10. Explain common data hiding techniques in brief.


Data hiding techniques include steganography, alternate data streams, hidden partitions,
file obfuscation, and using system or hidden file attributes to conceal data.

11. What is write blocker? Explain software-write blocker and hardware-write


blocker.
Write blockers prevent writing to storage devices during forensic acquisition. Software
write blockers are programs that block write commands, while hardware write blockers are
physical devices used to connect drives safely.

12. Write down the steps for reconstructing file fragments.


1. Identify file fragments using signature analysis
2. Reorder fragments using timestamps or content similarity
3. Reconstruct file using hex editors or forensic tools
4. Verify file integrity through hash values.

13. An employee suspects password compromise. He changed it but it seems


used again. What might be going on?
Possibly, a keylogger or malware is installed. The system may be accessed remotely or
credentials stored in a browser or insecure location were stolen.
14. What is drive slack? Explain it according to digital forensics.
Drive slack is the unused space in a cluster that may contain remnants of previously stored
files. Forensic investigators analyze this space for hidden or residual data.

15. Explain different types of digital evidence storage formats.


Common formats include:
- RAW: Bit-for-bit copy without compression
- E01: EnCase format with metadata and compression
- AFF: Advanced Forensic Format supporting metadata and hashing.

16. What is the necessity of live acquisition? Explain standard procedure.


Live acquisition is necessary for collecting volatile data like RAM, running processes, and
network connections. Standard procedure: isolate system, document, acquire volatile data,
collect system info, ensure chain of custody.

17. What is validation protocol? Explain digital forensics examination protocol.


Validation protocol ensures forensic tools provide accurate, reproducible results.
Examination protocol includes identification, acquisition, analysis, documentation, and
presentation phases.

18. Describe certification and training requirements for digital forensics labs.
Labs need certifications like ISO 17025, trained personnel, secure environment, proper
documentation, and tool validation. Analysts often hold certifications like CHFI, GCFA, or
EnCE.

19. What procedural steps should a digital forensic investigator follow when
analyzing emails?
1. Secure and image the evidence
2. Identify relevant email data
3. Extract email content and metadata
4. Analyze headers, IPs, attachments
5. Document findings and prepare report.

20. What are the critical factors to consider in email investigation?


Consider sender identity, timestamp accuracy, spoofing, attachments, IP trails, encryption
status, and mail server logs.

21. How can investigators handle encrypted/signed emails in investigations?


Use decryption keys (if legal), collaborate with providers, analyze metadata, use passphrase
recovery, or try brute-force if permitted. Digital signatures help verify authenticity.

You might also like