Question Repository for APRIL/MAY 2022 Examinations

Subject Code: CS8074
Subject Name: Cyber Forensics
Common To: CSE & IT
Faculty Name: Dr. E. Sujatha
Department: Computer Science and Engineering

(PART A – 2 Marks)
UNIT - I
Q. No. Questions CO Knowledge Level (Blooms) Difficulty Level (1-5)

QA101 Define Computer Crime. CO1 K1 3

QA102 Compare Identity Theft and Identity Fraud. CO1 K2 5

QA103 List the steps for planning investigation. CO1 K1 4

QA104 Illustrate the Criminal and Civil proceedings which can be used as computer Forensics Evidence. CO1 K2 4

QA105 Demonstrate how you will plan the most critical aspects of computer Evidence. CO1 K2 4

UNIT - II
Q. No. Questions CO Knowledge Level (Blooms) Difficulty Level (1-5)

QA201 Outline the guidelines to process an incident or crime scene. CO2 K2 4

QA202 Demonstrate the role of Technical Advisor. CO2 K2 4

QA203 Name a few computer forensics software tools. CO2 K1 3

QA204 List the general tasks investigators perform while working with Digital Evidence. CO2 K1 4

QA205 What is meant by “Zoned Bit Recording (ZBR)”? CO2 K1 3

UNIT - III
Q. No. Questions CO Knowledge Level (Blooms) Difficulty Level (1-5)

QA301 Construct steganography isolate a mobile device from incoming signals and in what way it is related to MVNO (Mobile Virtual Network Operator). CO3 K3 5

QA302 Demonstrate whether you need a search warrant to retrieve information from a system server. CO3 K2 5

QA303 Illustrate how the Router logs can be used to verify the types of E-mail data. CO3 K2 5

QA304 What is the purpose of PUK (Pin Unlock Key)? CO3 K1 4

QA305 Demonstrate whether password recovery is included in all the computer forensic tools is used or not. Why? CO3 K2 5

UNIT - IV
Q. No. Questions CO Knowledge Level (Blooms) Difficulty Level (1-5)

QA401 Define Zero-day attack. CO4 K1 3

QA402 Outline the countermeasures that can be taken against foot-printing. CO4 K2 4

QA403 Explain how attackers plan and use remote keyloggers. CO4 K2 5

QA404 Summarize NETBIOS enumeration. CO4 K2 4

QA405 Illustrate how we can defend against password cracking. CO4 K2 4

UNIT - V
Q. No. Questions CO Knowledge Level (Blooms) Difficulty Level (1-5)

QA501 Illustrate the importance of Ping of Death. CO5 K2 5

QA502 Demonstrate patches and hotfixes and their management. CO5 K2 4

QA503 Illustrate the working principle of cookie poisoning. CO5 K2 4

QA504 Compare ‘LAND attack’ and ‘SMURF attack’. CO5 K2 4

QA505 Outline which of the tools is only for Sun Solaris systems. CO5 K2 5

(PART B – 13 Marks - Either Or Type)

UNIT - I
Q. No. Questions CO Knowledge Level (Blooms) Difficulty Level (1-5)

QB101 (a) Demonstrate in detail about Traditional Problem associated with Computer Crime. CO1 K2 4

(Or)

QB101 (b) Explain the types of Cyber Forensics. CO1 K2 3

QB102 (a) Construct a plan to get different types of data using windows data acquisition tool and determine the contingency planning for image Acquisition. CO1 K3 5

(Or)

QB102 (b) Develop a Remote Network Acquisition Tools in Cyber Forensics. CO1 K3 4

QB103 (a) Solve:
(i) Analyze the concept of data acquisition methods and explain how you could work in a case of clustering.
(ii) Analyze the physical requirements for a computer forensics lab. CO1 K3 5

(Or)

QB103 (b) Experiment with following Procedures for Corporate high-tech investigation
(i) E-mail abuse Investigation
(ii) Media Leak Investigation CO1 K3 5

UNIT - II
Q. No. Questions CO Knowledge Level (Blooms) Difficulty Level (1-5)

QB201 (a) Illustrate Working with Windows and DOS Systems. CO2 K2 3

(Or)

QB201 (b) Outline about Processing crime and Incident Scene. CO2 K2 3

QB202 (a) Experiment with hardware tools associated with cyber-crime application. CO2 K3 4

(Or)

QB202 (b) Solve: Compose a solution to run the computer safely, if a suspect computer is running on Windows 7. CO2 K3 5

QB203 (a) Solve: Why are corporate investigations typically easier than law enforcement investigations? Recommend the process of investigations and justify the solutions. CO2 K3 5

(Or)

QB203 (b) Experiment with the processes involved in preparing for a search and also the seizing procedure for the Digital Evidence. CO2 K3 5

UNIT - III
Q. No. Questions CO Knowledge Level (Blooms) Difficulty Level (1-5)

QB301 (a) Demonstrate the process of Remote Acquisition during Forensics process. CO3 K3 3

(Or)

QB301 (b) Illustrate Email Investigation Process with suitable examples. CO3 K3 4

QB302 (a) Solve: You are using Disk Manager to view primary and extended partitions on a suspect drive. The program reports the extended partitions total size as larger than the sum of the sizes of logical partitions in the extended partition. Evaluate the following terms when:
(i) Disk is Corrupted
(ii) There is no hidden Partition.
(iii) Nothing: this is what you’d expect to see.
(iv) The drive is formatted incorrectly.
Password is Unknown. CO3 K3 5

(Or)

QB302 (b) Develop Standard Procedures for Network Forensics and explain the working of any one network tool. CO3 K3 5

QB303 (a) Apply mobile device forensics process in a crime scene application. CO3 K3 5

(Or)

QB303 (b) Make use of data hiding techniques, illustrate real time scenario. CO3 K3 5

UNIT - IV
Q. No. Questions CO Knowledge Level (Blooms) Difficulty Level (1-5)

QB401 (a) Illustrate the different methodology for footprinting. Explain the footprinting through search engine. CO4 K2 3

(Or)

QB401 (b) Explain DNS poisoning. What are the steps to launch DNS poisoning attacks? What are the types of DNS poisoning attacks? CO4 K2 3

QB402 (a) Outline how Microsoft authentication takes place. Explain. How are hash passwords stored in Microsoft security accounts manager? CO4 K2 4

(Or)

QB402 (b) Summarize the penetration testing for virus. CO4 K2 3

QB403 (a) Demonstrate the different ways in which a computer gets infected with a virus. What are the techniques used for infecting computers with viruses? CO4 K2 4

(Or)

QB403 (b) Illustrate the countermeasures against SMTP, LDAP and SMB enumeration. CO4 K2 4

UNIT - V
Q. No. Questions CO Knowledge Level (Blooms) Difficulty Level (1-5)

QB501 (a) Demonstrate the impact of social engineering attack on an organization. CO5 K2 4

(Or)

QB501 (b) Illustrate Organized Crime Syndicates. Explain their organizational chart. CO5 K2 4

QB502 (a) Explain how brute force can be used for session hijacking. What is referrer attack? CO5 K2 4

(Or)

QB502 (b) Explain in detail how BOTs/BOTNETs work and mention the points of differences between them. CO5 K2 4

QB503 (a) Outline the different types of attacks on authentication mechanisms of web applications. CO5 K2 4

(Or)

QB503 (b) Summarize the following SQL injection attacks with examples:
a) Code analysis
b) Attack Analysis
c) Updating a table
d) Adding new records
e) Identifying table name
f) Deleting the table CO5 K2 5

(PART C – 15 Marks - Either Or Type)

UNIT - I
Q. No. Questions CO Knowledge Level (Blooms) Difficulty Level (1-5)

QC101 (a) Solve: Evaluate the problems and challenges forensic examiners face when preparing and processing investigations, including the ideas and questions they must consider. CO1 K3 5

(Or)

QC101 (b) Solve: Recommend the solutions for the investigation of Employee termination case, internet abuse investigation, Attorney Client Privilege investigation in corporate high-tech investigation. CO1 K3 5

UNIT - II
Q. No. Questions CO Knowledge Level (Blooms) Difficulty Level (1-5)

QC201 (a) Analyze and validate the results of a forensic analysis, you should do which of the following:
(a) Calculate the hash value of tools
(b) Use a different tool to compare the results of evidence you find.
(c) Repeat the steps used to obtain the digital evidence using the same tool and recalculate.
(i) The hash value to verify the results.
(ii) Do both (a) and (b)
(iii) Do both (b) and (c)
Do both (a) and (c) CO2 K4 5

(Or)

QC201 (b) Examine: When considering new forensics software, you should do which of the following. Justify your answer.
(i) Uninstall other forensics software.
(ii) Reinstall the OS.
(iii) Test and validate the software. CO2 K4 5

UNIT - III
Q. No. Questions CO Knowledge Level (Blooms) Difficulty Level (1-5)

QC301 (a) Experiment with e-mail evidence, an investigator must be knowledgeable about an e-mail server’s internal operations. True or False? Justify your answer with suitable use cases. CO3 K3 5

(Or)

QC301 (b) Solve: When acquiring a mobile device at an investigation scene, you should leave it connected to a PC so that you can observe synchronization as it takes place. True or False? Justify your answer. CO3 K3 5

UNIT - IV
Q. No. Questions CO Knowledge Level (Blooms) Difficulty Level (1-5)

QC401 (a) Construct SSH tunnelling and how many machines are required for it. Illustrate with an example. CO4 K3 5

(Or)

QC401 (b) Identify how image, text, audio and video steganography can be detected and explain with real time scenario. CO4 K3 5

UNIT - V
Q. No. Questions CO Knowledge Level (Blooms) Difficulty Level (1-5)

QC501 (a) Experiment with social engineering through impersonation on social networking sites. CO5 K3 5

(Or)

QC501 (b) Make use of Blackberry Enterprise solution architecture, explain the features of Blackberry devices and define Blackberry OS. CO5 K3 5

Knowledge Level (Blooms Taxonomy)


K1 Remembering (Knowledge) K2 Understanding (Comprehension) K3 Applying (Application of Knowledge)

K4 Analysing (Analysis) K5 Evaluating (Evaluation) K6 Creating (Synthesis)

Note: For each Question, mention as follows

(i) K1 or K2 etc. for Knowledge Level

(ii) CO1, CO2 etc. for Course Outcomes

(iii) Any number from 1 to 5 for Difficulty Level (With 1 as Most Easy & 5 as Most Difficult)
