
Varsha

T3 2021: ICT741 Digital Forensics

Tutorial 9

Questions and Projects are prepared from Cengage Learning Resource ‘Guide to Computer Forensics and Investigations’. Nelson, B, Phillips, A. &
Steuart, C 2018, Sixth Edition, Cengage Learning US. Mason. OH

ICT741 Tutorial 9 Compiled by: Dr.Saeid Iranmanesh Date 5 Dec 2021


Review Questions

1. List four places where mobile device information might be stored.
Internal memory, SIM card, removable cards, server
2. Which of the following relies on a central database that tracks account
data, location data, and subscriber information?
MSC
3. GSM divides a mobile station into SIM and ME.
4. SD cards have a capacity of up to which of the following?
64 GB
5. Describe two ways you can isolate a mobile device from incoming signals.
• Place the device into airplane mode
• Place the device into a paint can that contains radio wave blocking paint or
  multiple antistatic bags
6. Remote wiping of a mobile device can result in which of the following?
• Removing account information
• Returning the phone to the original factory settings
• Deleting contacts
7. The Internet of Things includes Radio Frequency Identification (RFID)
sensors as well as wired, wireless, and mobile devices.
8. According to SANS DFIR Forensics, which of the following tasks should
you perform if a mobile device is on and unlocked?
• Isolate the device from the network
• Disable the screen lock
• Remove the passcode
9. What are the three levels of cloud services defined by NIST?
SaaS, PaaS, IaaS
10. What capabilities should a forensics tool have to acquire data from a
cloud?
• Examine virtual systems
• Expand and contract data storage capabilities as needed for service changes
• Identify and acquire data from the cloud
11. A(n) CSA or cloud service agreement is a contract between a CSP and
the customer that describes what services are being provided and at what level.
12. Which of the following is a mechanism the ECPA describes for the
government to get electronic information from a provider?

Subpoenas with prior notice, Search warrants, Court orders
13. What are the two states of encrypted data in a secure cloud?
• Data in motion and data at rest
14. Evidence of cloud access found on a smartphone usually means which
cloud service level was in use?
SaaS
15. Which of the following cloud deployment methods typically offers no
security?
Public Cloud
16. A CSP’s incident response team typically consists of which staff? List at
least three positions.
System administrators, network administrators, and legal advisors
17. When should a temporary restraining order be requested for cloud
environments?
When a search warrant requires seizing a CSP's hardware and software used by other
parties not involved in the case
18. Public cloud services such as Dropbox and OneDrive use what encryption
applications?
Sophos Safeguard and Sophos Mobile Control


Quick Quiz 1
1. Global System for Mobile Communications (GSM) uses the Time Division Multiple
Access technique, so multiple phones take turns sharing a channel.

2. Typically, phones store system data in EEPROM, which enables service providers to
reprogram phones without having to physically access memory chips.

3. SIM cards are usually found in GSM devices and consist of a microprocessor and
internal memory.

4. Which of the three cloud service levels allows customers to rent hardware and install
whatever OSs and applications they need?

IaaS (Infrastructure as a Service)

5. A principle of software architecture in which a single installation of a program runs
on a server accessed by multiple entities is known as Multitenancy.

6. Destroying, altering, hiding, or failing to preserve evidence is known as Spoliation.


Quick Quiz 2

1. Because of Wiretap laws, checking providers’ servers requires a search warrant or
subpoena.

2. The chip-off mobile forensics method requires physically removing the flash memory
chip and gathering information at the binary level.

3. A new field is Vehicle system forensics, which addresses the many parts that have
sensors in cars.

4. Encrypted data in the cloud is in two states. Which state is used to describe data that is
being transmitted over a network?
Data in motion

5. A tool with application programming interfaces (APIs) that allow reconfiguring a
cloud on the fly is known as a management plane.
