Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
’
HRITIIBIR UI'IIVERSITY
OF SCIENCE RrID TECHNOLOGY
FACULTY OF COMPUTING AND INFORMATICS
DEPARTMENT OF COMPUTER SCIENCE
QUALIFICATION: BACHELOR OF COMPUTER SCIENCE HONS : DIGITAL FORENSICS
QUALIFICATION CODE: 08 BHDF LEVEL: 8
COURSE: MOBILE FORENSICS COURSE CODE: MBF821S
DATE: NOVEMBER 2017 SESSION: THEORY
DURATION: 2HOURS MARKS: 100
FIRST OPPORTUNITY EXAMINATION QUESTION PAPER
EXAMINER: MR. ATTLEE.M. GAMUNDANI
MODERATOR: DR. AMELIA. PHILLIPS
THIS QUESTION PAPER CONSISTS OF 3 PAGES
(Excluding this front page)
INSTRUCTIONS
Answer ALL the questions in Section A and Section B.
Write clearly and neatly.
Begin answering each question on a new page.
Number the answers clearly as per the question paper numbering.
Marks/Scores per question paper are given in U.P‘P‘PWN!‘ NUST examination rules and regulations apply.
SECTION A [40 MARKS]:
Answer all questions in this Section. An answer to each question should start on a new page.
Question 1
(a) Digital evidence from a mobile device can be located in many areas, can you cite any four such
areas and indicate the type of evidence you would find there. [8 Marks]
(b) Explain what you understand by chain of custody. [2 Marks]
(c) List and elaborate on two (2) acquisition procedures for mobile device evidence. [4 Marks]
(d) A mobile phone can directly and indirectly be involved in a crime. illustrate any direct
involvement and any indirect involvement by way of an example. [6 Marks]
Question 2
(a) Outline the procedure for establishing forensically sterile conditions (give three points).
[6 Marks]
(b) If you are testifying in court as a forensic expert, what two attributes may help your standing as
an expert? [4 Marks]
III(c)”
Mobile Forensics is not computer Forensics Dispute this statement citing some examples.
[5 Marks]
(d) Match the following investigative objectives (i) to (v) in Table 1, to their respective proper chain
of custody practices (A) to (E). [5 Marks]
Table 1: Matching investigative objectives to their proper chain of custody practices.
(i)Document the activities (A).Verify the integrity of the copy to the source
(ii) Authenticate the copy (B).Ensure fairness in the evaluation
(iii) Acquire the evidence (C).Create a copy without altering the original
(iv) Be objective and unbiased (D). Keep detailed records and photographs
(v) Analyze and filter the (E). Perform the technical analysis while retaining its
evidence integrity
Page 2
SECTION B [60 MARKS]:
Answer all questions in this section. Begin answering each question on a new page.
Question 3
(a) You have been tasked to investigate a mobile-based crime at organisation 2. Explain at least five
key on—scene activities that you will execute during your investigation. [10 Marks]
(b) Suppose you used logical tools, indicate ten (10) items that you could pull from the mobile
device in question, on a best—case scenario basis. [10 Marks]
Question 4
(a) Consider investigating an Internet abuse allegations at Company Y. Outline the steps you would
take to conduct such an investigation if a windows based mobile device was involved.
[10 Marks]
(b) Which two key areas will you attribute to mobile device forensics investigation beyond the
device itself? [4 Marks]
(c) During the mobile device forensic process, the data capture involves different procedures.
Identify and explain any three such procedures. [6 Marks]
Question 5
CASE: Mobile device forensics in texting and driving
Tutaleni was involved in a car accident that could lead to a culpable homicide case. Following his
trial, the appellant, aged 30 years, was convicted of culpable homicide by the Walvis Bay
Magistrate's Court and sentenced to 4 years imprisonment, 2 of which were suspended for a period
of 5 years on the usual conditions.
NUST Investigators received the client’s Samsung 58 and performed an in depth forensics
examination. NUST investigators focused on text messages, emails, call history and web browsing
that took place around the time of the accident. The mobile device was imaged which essentially
created a ”snap shot” of all of the data on the phone at that specific point in time. This snap shot
determined whether or not the mobile device sent or received texts at the time of the accident.
This investigation also determined if the user was on the phone or surfing the web at the time of
the accident.
Page 3
(a) While recovering deleted data from a smart phone is successful in most circumstances there are
problems that can arise in the imaging process. Highlight such problems in the context of the
case presented here. [10 Marks]
(b) Design a short forensic report based on the investigation you might have conducted with your
team based on the case presented here. [10 Marks]
*****END OF EXAMINATION PAPER*****
Page 4