’

HRITIIBIR UI'IIVERSITY

OF SCIENCE RrID TECHNOLOGY

FACULTY OF COMPUTING AND INFORMATICS

DEPARTMENT OF COMPUTER SCIENCE

QUALIFICATION: BACHELOR OF COMPUTER SCIENCE HONS : DIGITAL FORENSICS

QUALIFICATION CODE: 08 BHDF LEVEL: 8

COURSE: MOBILE FORENSICS COURSE CODE: MBF821S

DATE: NOVEMBER 2017 SESSION: THEORY

DURATION: 2HOURS MARKS: 100

FIRST OPPORTUNITY EXAMINATION QUESTION PAPER

EXAMINER: MR. ATTLEE.M. GAMUNDANI

MODERATOR: DR. AMELIA. PHILLIPS

THIS QUESTION PAPER CONSISTS OF 3 PAGES

(Excluding this front page)

INSTRUCTIONS

Answer ALL the questions in Section A and Section B.

Write clearly and neatly.

Begin answering each question on a new page.

Number the answers clearly as per the question paper numbering.

Marks/Scores per question paper are given in U.P‘P‘PWN!‘ NUST examination rules and regulations apply.

SECTION A [40 MARKS]:

Answer all questions in this Section. An answer to each question should start on a new page.

Question 1

(a) Digital evidence from a mobile device can be located in many areas, can you cite any four such

areas and indicate the type of evidence you would find there. [8 Marks]

(b) Explain what you understand by chain of custody. [2 Marks]

(c) List and elaborate on two (2) acquisition procedures for mobile device evidence. [4 Marks]

(d) A mobile phone can directly and indirectly be involved in a crime. illustrate any direct

involvement and any indirect involvement by way of an example. [6 Marks]

Question 2

(a) Outline the procedure for establishing forensically sterile conditions (give three points).

[6 Marks]

(b) If you are testifying in court as a forensic expert, what two attributes may help your standing as

an expert? [4 Marks]

III(c)”

Mobile Forensics is not computer Forensics Dispute this statement citing some examples.

[5 Marks]

(d) Match the following investigative objectives (i) to (v) in Table 1, to their respective proper chain

of custody practices (A) to (E). [5 Marks]

Table 1: Matching investigative objectives to their proper chain of custody practices.

(i)Document the activities (A).Verify the integrity of the copy to the source

(ii) Authenticate the copy (B).Ensure fairness in the evaluation

(iii) Acquire the evidence (C).Create a copy without altering the original

(iv) Be objective and unbiased (D). Keep detailed records and photographs

(v) Analyze and filter the (E). Perform the technical analysis while retaining its

evidence integrity

Page 2

SECTION B [60 MARKS]:

Answer all questions in this section. Begin answering each question on a new page.

Question 3

(a) You have been tasked to investigate a mobile-based crime at organisation 2. Explain at least five

key on—scene activities that you will execute during your investigation. [10 Marks]

(b) Suppose you used logical tools, indicate ten (10) items that you could pull from the mobile

device in question, on a best—case scenario basis. [10 Marks]

Question 4

(a) Consider investigating an Internet abuse allegations at Company Y. Outline the steps you would

take to conduct such an investigation if a windows based mobile device was involved.

[10 Marks]

(b) Which two key areas will you attribute to mobile device forensics investigation beyond the

device itself? [4 Marks]

(c) During the mobile device forensic process, the data capture involves different procedures.

Identify and explain any three such procedures. [6 Marks]

Question 5

CASE: Mobile device forensics in texting and driving

Tutaleni was involved in a car accident that could lead to a culpable homicide case. Following his

trial, the appellant, aged 30 years, was convicted of culpable homicide by the Walvis Bay

Magistrate's Court and sentenced to 4 years imprisonment, 2 of which were suspended for a period

of 5 years on the usual conditions.

NUST Investigators received the client’s Samsung 58 and performed an in depth forensics

examination. NUST investigators focused on text messages, emails, call history and web browsing

that took place around the time of the accident. The mobile device was imaged which essentially

created a ”snap shot” of all of the data on the phone at that specific point in time. This snap shot

determined whether or not the mobile device sent or received texts at the time of the accident.

This investigation also determined if the user was on the phone or surfing the web at the time of

the accident.

Page 3

(a) While recovering deleted data from a smart phone is successful in most circumstances there are

problems that can arise in the imaging process. Highlight such problems in the context of the

case presented here. [10 Marks]

(b) Design a short forensic report based on the investigation you might have conducted with your

team based on the case presented here. [10 Marks]

*****END OF EXAMINATION PAPER*****

Page 4