Information Technology - Computer Forensics

UMUCFinalExamSummer2020.doc

Final Exam

Total of 100 points. You may need to briefly research some of these, otherwise, lean heavily on your course readings. UMUC grading policies apply – so cite your sources, otherwise there will be a 20% markdown per question. You do not have to cite sources for the multiple choice questions. Note that any “copied” answers from Internet sources will receive 0 points.

1. (10 points) Summarize where data of interest to a forensic investigator would reside in Linux systems. Discuss a tool that would be used to extract that data during an investigation.

2. (10 points) Discuss the difference between validation and verification and why they are important to computer forensics.

3. (10 points) Discuss the components of a Microsoft Windows system which may hold content of interest to a forensic investigator. Discuss these in terms of their relevance and volatility, which determine how carefully, or how quickly, the data in each area must be retrieved. Include, at a minimum, data found in the MBR, the registry, and the swap file (pagefile).

4. (10 points) How does the boot process differ between Unix, Macintosh, and Windows systems? Why is it important to a forensic investigator to understand how these systems differ when booting?

5. (10 points) Discuss some of the content found within an email header that can be useful in an investigation. Name one tool that could be used in an email investigation, and describe the information it retrieves.

6. (10 points) Discuss at least 3 challenges associated with performing a forensic investigation on a mobile device. Discuss a tool that would be used in a forensic investigation on a mobile device.

7. (10 points) Define steganography, explain why an attacker or criminal might use it, and identify which tools an investigator can use to determine whether steganography has been used.

8. (10 points) Discuss the role that volatility plays in a digital forensics investigation and how you would approach recovering the most volatile data.

9. (10 points) Discuss the challenges to investigating a crime when data exists on a cloud service, such as AWS.

10. (10 points) Read the following scenario and respond to the questions below:

As a digital forensics examiner, you have been called to the scene of a kidnapping. Several witnesses have told the investigator that the victim was very excited about a new person they met online. Your job at the scene as a digital forensics examiner is to recommend to the investigating officer a course of action as to what digital evidence may or may not be needed to investigate this crime.

a. Provide a list of potential digital evidence that the investigator is going to want to seize for possible forensic examination. Be thorough, as the lead investigator in this case is not computer savvy.

b. What additional sources of evidence might there be besides the digital equipment and media that would have been seized? How would you gain access to this evidence?