
SCHOOL OF BUSINESS AND TECHNOLOGY

BACHELOR OF COMPUTER SCIENCE

BACHELOR OF INFORMATION TECHNOLOGY
CSC 350: COMPUTER FORENSICS AND AUDITING
BIT 424: INFORMATION SYSTEMS FORENSICS AND AUDITING
CAT 2 TIME: 1 HOUR
INSTRUCTIONS: ANSWER ALL THE QUESTIONS

KELVIN MUNENE.
BSIT/2020/45981.

a) State reasons why cordoning off a crime scene is important. (3 marks)

• To prevent contamination of the scene and of any evidence in it.
• To protect the scene from further damage.
• To restrict access to the scene to authorised personnel only.
• To preserve the integrity of the scene, so that evidence collected from it can later be shown
to be in its original state.
b) What is file slack? Why should a forensic expert be concerned about file slack?
(3 marks)

File slack is the unused space between the logical end of a file and the end of the last cluster
allocated to it. It exists because a file system allocates storage in fixed-size clusters (for
example 4096 bytes on a default NTFS volume) and a file's size is rarely an exact multiple of
the cluster size.

The operating system writes only the file's own bytes into its clusters; the remainder of the last
cluster is left as it was. When a file is deleted, its clusters are merely marked free, not wiped,
so when a new, smaller file is later written into the same cluster it overwrites only part of it,
and the tail of the old file's data survives in the new file's slack. Forensic experts are
concerned about file slack because it can hold fragments of deleted or earlier data that the file
system no longer references, and because it is invisible through normal file access, which also
makes it a place where data can be deliberately hidden. Slack has to be read from the raw volume
or a forensic image rather than through the file API.

c) Why is maintaining proper chain of custody of evidence important? (2 marks)

A proper chain of custody documents who collected the evidence and who has held or handled it at
every moment since, and it is what establishes the authenticity, integrity and admissibility of
the evidence in court: it shows that the item presented is the one that was seized and that it has
not been altered. A gap in the chain gives the opposing party grounds to challenge the evidence,
which can lead to it being excluded and to the wrong outcome in the case.
d) What is Steganalysis? (2 marks)

Steganalysis is the study of detecting messages hidden using steganography. It is analogous to
cryptanalysis applied to cryptography. The goal of steganalysis is to identify suspected packages,
determine whether or not they have a payload encoded into them, and, if possible, recover that
payload.
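As an added example (not part of the exam paper), the block below shows both halves of the
definition on constructed data: a simple sequential LSB embedder, the chi-square "pairs of values"
test that detects it (the Westfeld and Pfitzmann attack), and payload recovery. The cover is a
constructed byte string whose 80% parity bias stands in for the uneven value histogram of real
image or audio samples; the function names are assumptions of this example.

```python
# Added example (not part of the exam paper): sequential LSB embedding and the
# chi-square "pairs of values" steganalysis test (Westfeld and Pfitzmann). The
# cover data and the message are constructed; the 0.8 parity bias stands in for
# the uneven value histogram of real image or audio samples.
import random


def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Hide one message bit in the least significant bit of each cover sample."""
    bits = [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("message does not fit in cover")
    stego = bytearray(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return bytes(stego)


def extract_lsb(stego: bytes, length: int) -> bytes:
    """Recover `length` bytes of payload from the LSBs (payload recovery step)."""
    bits = [sample & 1 for sample in stego[:length * 8]]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def chi_square_pov(samples: bytes) -> float:
    """Chi-square statistic over the pairs of values (2k, 2k+1).

    LSB replacement moves a sample only within its pair, so after embedding
    random-looking bits the two counts of each pair converge and the statistic
    collapses towards the number of non-empty pairs (about 128 here). An
    untouched cover keeps its natural imbalance and scores far higher.
    """
    counts = [0] * 256
    for sample in samples:
        counts[sample] += 1
    stat = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2
        if expected:
            stat += (even - expected) ** 2 / expected
    return stat


def make_cover(n: int = 8192, seed: int = 1) -> bytes:
    """Constructed cover with a parity bias (about 90% even values)."""
    rng = random.Random(seed)
    out = bytearray()
    for _ in range(n):
        value = rng.randrange(256)
        if rng.random() < 0.8:
            value &= 0xFE
        out.append(value)
    return bytes(out)


def demo() -> tuple:
    """Return (statistic for the clean cover, statistic after full embedding)."""
    cover = make_cover()
    rng = random.Random(7)
    payload = bytes(rng.randrange(256) for _ in range(len(cover) // 8))
    stego = embed_lsb(cover, payload)
    assert extract_lsb(stego, len(payload)) == payload
    return chi_square_pov(cover), chi_square_pov(stego)


if __name__ == "__main__":
    clean, embedded = demo()
    print(f"chi-square clean={clean:.0f} embedded={embedded:.0f} "
          f"(a value near 128 means the LSBs look replaced)")
```

On real carriers the test is run over a sliding window rather than the whole file, because a
sequential embedder only flattens the pairs in the prefix it used; the point of the statistic is
that it needs no knowledge of the message, only of the embedding method's effect on the histogram.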

e) What is the most common legal difficulty faced by organizations seeking to redress
cybercrime in courts? (2 marks)

The most common legal difficulty faced by organizations seeking redress for cybercrime in the
courts is jurisdiction. Cybercrime is often committed across borders, which can make it difficult
to determine which country's laws apply and which court may hear the case. It also makes it
difficult to obtain evidence from other countries, as each country has its own laws governing the
collection and sharing of evidence, and mutual legal assistance between states can be slow.

f) Who Uses Computer Forensics? (6 marks)

• Law enforcement agencies: Law enforcement agencies use computer forensics to
investigate cybercrimes, such as hacking and fraud.
• Corporations: Corporations use computer forensics to investigate internal data
breaches, intellectual property theft, and employee misconduct.
• Government agencies: Government agencies use computer forensics to investigate
national security threats, such as terrorism and espionage.
• Individuals: Individuals use computer forensics to recover lost or deleted data, to
investigate identity theft, and to prove their innocence in a legal matter.
g) Identify and explain the four-step process in Computer Forensics (4 marks)
1. Identification and collection of evidence: This step involves identifying the sources of
digital evidence and collecting it from them, normally by imaging the device's storage
through a write blocker and hashing the image, or, where a full image is not possible, by
collecting specific files or folders. The original is preserved and all later work is
done on the copy.
2. Examining the digital evidence: The examination process goes through the digital
material to identify potential evidence. This could entail employing specialized
software to search for specific keywords or patterns, recover deleted files, or
extract artifacts.
3. Analysis: The next step is to analyze the digital evidence to assess its significance.
This could include determining the source of the evidence, the time and date of the
evidence, and the acts required to produce the evidence, and building a timeline that
links the findings to the questions of the case.
4. Reporting: The reporting process involves generating a report that explains the
investigation's results and the methods used to obtain them, so that another examiner
could repeat the work. This report should be concise, straightforward, and objective.
h) In order to maintain the integrity of evidence, the chain of custody procedures must be
strictly observed. Describe three of the chain of custody procedures (3 marks)
1. Proper documentation: All acts involving evidence must be properly documented.
This includes who had access to the evidence, when it was obtained, from where, and
what was done with it. The documentation should be concise, precise, and objective.
2. Physical security: The evidence must always be kept in a secure area. This means
that the site must be physically secure, and the evidence must be safeguarded
against unauthorised access, with tamper-evident packaging and a log of who entered
the storage area.
3. Unbroken record of transfers: A chain of custody form tracks the passage of evidence
from the time it is obtained until it is presented in court. Every hand-over is
recorded with the date, time, and the signatures of the person releasing and the
person receiving the item, so that a clear record of who had possession of the
evidence exists for every moment; any gap breaks the chain.
i) A digital fingerprint such as MD5 and SHA-1 can be used to preserve evidence. List the
two functions achieved by these digital fingerprints on evidence. (2 marks)
1. Data integrity: Digital fingerprints can be used to verify the integrity of data. The
hash is computed when the evidence is collected, recorded on the chain of custody form,
and recomputed at every later stage; a mismatch shows that the data has been altered
since it was collected.
2. Data identification: Data can be identified using digital fingerprints. Because the
hash depends only on content, it uniquely identifies a piece of data even after it has
been duplicated or relocated, which is how examiners match files against known-file hash
sets and detect copies of the same file on different systems.
Practical collision attacks exist for both MD5 and SHA-1, so a party who controls the creation
of a file can produce two files with the same digest. Current practice is therefore to record a
SHA-256 digest alongside, or instead of, the legacy ones.
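The following is an added example, not part of the exam paper, of both functions in code: the
hash of an image is taken once at collection (the hashing step of the collection phase in g)),
re-checked later with a constant-time comparison, and the same digests are used to identify
duplicate content regardless of file name. Inputs are constructed in-memory byte strings; on a
real case the stream would be the disk image or a file extracted from it. The function names are
assumptions of this example.

```python
# Added example (not part of the exam paper): compute and verify digital
# fingerprints of evidence. Inputs are constructed in-memory byte strings;
# on a real case the stream is the disk image or a file from it.
import hashlib
import hmac
import io

ALGOS = ("md5", "sha1", "sha256")  # legacy digests plus a collision-resistant one
CHUNK = 1 << 20                    # hash in 1 MiB pieces, so images of any size fit


def fingerprint(stream, algos=ALGOS) -> dict:
    """Hash a binary stream once, updating every requested algorithm per chunk."""
    hashers = {name: hashlib.new(name) for name in algos}
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def fingerprint_bytes(data: bytes, algos=ALGOS) -> dict:
    """Convenience wrapper for data already held in memory."""
    return fingerprint(io.BytesIO(data), algos)


def verify(data: bytes, recorded: dict) -> bool:
    """Integrity check: every digest recorded at collection must still match."""
    current = fingerprint_bytes(data, tuple(recorded))
    return all(hmac.compare_digest(current[name], recorded[name])
               for name in recorded)


def find_duplicates(files: dict) -> dict:
    """Identification: group files whose content is identical regardless of
    name or location (the same idea as matching against a known-file hash set).
    Returns {sha256: [names]} for every digest shared by two or more files."""
    groups = {}
    for name, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        groups.setdefault(digest, []).append(name)
    return {d: names for d, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    image = b"constructed evidence image"
    record = fingerprint_bytes(image)         # recorded at collection
    print("matches:", verify(image, record))  # True
    print("after a one-byte change:", verify(image + b"\x00", record))  # False
```

Computing all three digests in a single pass matters when the input is a multi-terabyte image:
reading it three times is what makes examiners drop algorithms, and dropping the SHA-256 is the
wrong one to drop.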
j) The Windows operating system produces system data and artifacts that can be used as
evidence. Briefly explain any three types of system-generated data and artifacts.
(3 marks)
• Event logs: The Windows event logs (the .evtx files under %SystemRoot%\System32\winevt\Logs)
record what happens on the system: logons and logoffs (Security log event IDs 4624 and 4634),
service and system events, and, when auditing for them has been enabled, process creation
(4688) and file access (4663). They can be a crucial piece of evidence because they show who
was using the system, when, and what they were doing. The examiner should confirm which audit
categories were enabled, because object-access and process-creation events are not recorded by
default.
• Registry: The registry is a database of Windows configuration information, stored in hive
files such as SYSTEM, SOFTWARE, SAM and SECURITY under %SystemRoot%\System32\config and
NTUSER.DAT in each user's profile. It holds user accounts, installed applications, hardware
and network configuration, and per-user activity such as recently opened documents, programs
run (UserAssist) and USB devices that were connected (USBSTOR), so it is a valuable source of
evidence about both the system's settings and the user's activity.
• Prefetch files: Windows creates prefetch files (%SystemRoot%\Prefetch\NAME-HASH.pf) to speed
up the loading of applications. Each records the executable's name and path, the files it
touched during start-up, the number of times it has been run and its most recent run times
(the last eight on Windows 8 and later). They are useful evidence of which programs were
executed on the system and when, even after the executable itself has been deleted. Prefetch
is disabled by default on Windows Server editions, and on Windows 10 and later the .pf files
are compressed, so they must be decompressed before parsing.
