Computer Forensics: BISF 2204

Levi Njogu Thuo 22/05685

Open book Assignment
QUESTION ONE
1) Describe the steps involved in a typical computer forensic investigation process (6Marks)
Identification: Determine which devices and data sources might have pertinent information for
the inquiry.
Preservation: Make a copy of the data and make sure that no unauthorized changes are made in
order to secure and maintain its integrity.
Collection: Compile the required proof from the devices that have been identified, such as digital
communications, network logs, and hard disks.
Analysis: Examine the data to find pertinent details and trends. This entails looking through logs,
files, and information to gain case-related insights.
Reporting: Compile results in an understandable and organized report that includes a description
of the analysis techniques and conclusions reached.
Presentation: Use evidence produced in a way that is legally admissible to present findings to
stakeholders or in a court of law.

2) Discuss the importance of utilizing up-to-date computer forensics software and hardware tools
in forensic investigations. (4Marks)
Compatibility with New Technologies: New operating systems, encrypted apps, and updated
software versions are technologies that cybercriminals frequently employ. Modern forensic
technologies can adapt to these changes, investigators may access and examine data from the
newest gadgets, software, and file types. Some data may be unavailable or misconstrued without
updated tools, which could jeopardize the inquiry.

Increased Accuracy and Efficiency: More recent forensics solutions frequently integrate
sophisticated algorithms and streamlined processes, enabling quicker and more accurate data
analysis. Modern software can process vast amounts of data, look for pertinent evidence, and
spot patterns more quickly, cutting down on the amount of time needed to finish investigations
and lowering the possibility of human error in data processing.

Improved Reliability and Security: Outdated programs may leave forensic data susceptible to
contemporary viruses and online dangers. Improved security features in more recent tools
safeguard the integrity of the investigative data and the systems that analyze it. When gathering
and analyzing evidence, trustworthy, up-to-date tools are more effective at preserving data
accuracy and lowering the possibility of corruption.

Legal Compliance and Admissibility: To guarantee the accuracy and dependability of the
evidence offered, courts frequently require forensic investigations to employ current, industry-
standard instruments. Since antiquated techniques could be contested or questioned, thereby
weakening the case, forensic investigators can make sure their results are admissible in court by
utilizing modern equipment.
3 Evaluate the impact of emerging technologies, such as artificial intelligence and blockchain in
the field of computer forensics (2MKS)
 4) Explain the concept of network forensics and its importance in investigating cybercrimes
(4Marks)
Network forensics is the practice of monitoring, capturing, analyzing, and interpreting network
traffic to investigate cybercrimes and unauthorized activity within a network. Unlike traditional
forensics, which often focuses on stored data, network forensics deals primarily with live data in
transit between computers, devices, and servers. This process provides insights into how an
attack was carried out, who the attacker may be, and what damage was caused.
Real-Time Threat Detection: Network forensics enables enterprises to quickly respond by
identifying active threats including malware infections, intrusions, and data breaches.
Investigators can identify suspect activity, such as attempts at data exfiltration, illegal access, or
odd traffic patterns, in real time by recording live network data.
Reconstruction and Analysis of Attacks: By using network forensics, investigators can figure out
how an attack happened, what tools and strategies were employed, and what attack vector was
used. Finding weaknesses that attackers exploit and creating defenses against similar instances in
the future depend on this information.
Finding the Attackers and the Sources of Malicious Activity: IP addresses, geolocation data, and
communication patterns may be found through network forensic analysis, which may help
identify the attacker or eliminate possible possibilities.

5) Outline and explain the qualifications and responsibilities of a computer forensics expert
witness (4Marks)
Formal Education: A bachelor's degree in computer science, cybersecurity, or a related field is
often required, and advanced degrees are advantageous.
Proficiency in Forensic Tools: Expert witnesses should be proficient in using forensic software

Communication and Testimony Skills:The ability to communicate technical findings in simple

terms, both in written reports and in court.

6)Describe the content of the email headers and how the information is useful to an investigator.
(6Marks)

Identifies the email address of the sender :Helps determine who sent the email, though it may be
spoofed. Investigators can cross-check this address against other information to verify
authenticity.

Shows the recipient's email address Verifies intended recipients and can help confirm if the email
reached additional unintended or unknown addresses (useful in spam and phishing cases).

Subject: Contains the subject line as written by the sender helps investigators understand the
context or intent of the email and can be used to search for related emails in an investigation.
 Date: Indicates the date and time the email was sent useful for establishing timelines in an
investigation, particularly when correlating events or identifying suspicious or unexpected
activity

Message-ID: A unique identifier assigned to each email by the originating mail server allows
investigators to trace and match emails, verify originality, and detect if an email has been
tampered with or forged.

Received: Lists each server the email passed through on its way to the recipient, including IP
addresses, server names, and timestamps this is a critical field for tracing the email’s path,
helping to determine the original sending server and identifying potential points of compromise
or redirection.
7) Distinguish between the terminologies “Live forensics” and “Dead forensics” approaches in
computer investigations (4MKS)
Live forensics is the process of analyzing a computer system while it is still running. It involves
capturing volatile data, such as active network connections, running processes, RAM content,
and logged-in users, which would otherwise be lost if the system were shut down while involves
examining a powered-off system. This approach focuses on nonvolatile data stored on hard
drives or other storage devices, including files, logs, and system configurations.
8) Explain the role of metadata in computer forensics (2MKS)
File History: Metadata reveals creation, modification, and access dates, helping investigators
establish timelines and understand the context of user actions.
Ownership and Permissions: It indicates file ownership and access rights, assisting in
determining who could alter or view the data, which is vital for identifying accountability in
investigations.
9) Discuss two types of digital investigations typically conducted in a business environment
(4MKS)
Internal Investigations Involves collecting data from employee devices, emails, and logs,
analyzing this data for evidence of wrongdoing, and documenting findings for potential
disciplinary actions or compliance.
Incident Response Investigations Includes identifying and confirming the incident, containing
the threat, eradicating the cause, and conducting post-incident analysis to prevent future
occurrences.
10 Differentiate between the terminologies “Interview” and “Interrogation” as used in computer
forensics profession and investigations (4MKS)
Interview is a conversation with witnesses or other individuals to gather information about an
investigation. It’s usually non-confrontational and aims to gather facts while an interrogation is a
more direct and sometimes aggressive questioning of suspects to get confessions or critical
information. It focuses on confirming or challenging known facts.
11) Outline the four typical investigation phases as used in computer forensics (4MKS)
Preparation- this involves planning and setting up for the investigation.
Collection- this focuses on gathering digital evidence from the target systems
Analysis- this is where investigators analyze the collected evidence to extract relevant
information
Reporting- this involves documenting the findings of the investigation and presenting them
12) Discuss the acronyms DIRT and BAIT as used in business computer forensics technology to
collect valuable evidence and gain insights into cyber threats and malicious activities(4MKS)
DIRT (Digital Incident Response Team): A team of experts that responds to cyber incidents,
collects evidence, and assesses the impact.
BAIT (Behavioral Analysis and Intelligence Tracking): Tools or strategies used to analyze
behavior patterns, helping to detect and investigate malicious activities.
13) Computer security investigations involve various types of evidence that help identify and
mitigate security incidents, assess damages, and hold individuals accountable for their actions.
Explain such three types of evidence (3Marks)
Digital Evidence includes any data stored or transmitted in digital form
Network Evidence consists of data captured from network traffic
Physical Evidence includes tangible items related to a security incident
14) Explain any three services that the computer forensic professionals should be able to perform
(6MKS)
Data Recovery Computer forensic professionals are skilled in recovering lost, deleted, or
corrupted data from various digital storage media, including hard drives, SSDs, and memory
cards.
Evidence Collection and Preservation Forensic professionals are responsible for systematically
collecting digital evidence while maintaining its integrity and chain of custody.
Analysis of Digital Evidence Forensic professionals analyze the collected digital evidence to
identify relevant information, detect unauthorized access, and reconstruct events related to
security incidents
15) Discuss two reasons why collecting evidence is important in digital forensics (4MKS)
Legal Admissibility and Accountability Evidence collected during a digital forensic investigation
must adhere to strict legal standards to be admissible in court.
Incident Reconstruction and Understanding Collecting evidence allows investigators to
reconstruct the events leading up to and following a security incident.

16) Explain the term “Volatile evidence”, citing two examples of volatile evidence (3MKS
Volatile evidence refers to data that is temporary and can be lost if power is lost, systems are
rebooted, or when devices are shut down.
Random Access Memory (RAM) Contents
Network Connections and Active Sessions
17) Distinguish between the terminologies “Inculpatory evidence” and “exculpatory evidence” as
used in computer forensics (4MKS)
Inculpatory Evidence is Evidence that suggests an individual is guilty of a crime or wrongdoing
while Exculpatory Evidence is evidence that may clear an individual of guilt or reduce their
liability in a crime.
18) Discuss the following keywords as applied in computer forensics
i. Digital forensics Lab (2MKS)
This is a specialized facility equipped to conduct forensic analysis of digital devices and data.
ii. Risk management (2MKS)
This the systematic process of identifying, assessing, and prioritizing risks followed by the
coordinated application of resources to minimize, control, and monitor the impact of unforeseen
events
19) Outline four benefits of the professional forensic methodology (4MKS)
Enhanced Accuracy and Reliability-A professional forensic methodology establishes
standardized procedures for evidence collection, analysis, and reporting.
Improved Documentation and Chain of Custody-The methodology emphasizes meticulous
documentation of every step in the forensic process, including how evidence is collected,
handled, and analyzed.
Comprehensive Investigative Approach- A professional forensic methodology employs a
multidisciplinary approach, utilizing various forensic disciplines and techniques
Legal Compliance and Ethical Standards-Following a recognized forensic methodology ensures
that investigators adhere to legal and ethical standards throughout the forensic process.
20 ) Describe the widows registry as used in relation to computer forensics (3MKS)
User Activity Tracking: The Registry can provide insights into user activities, such as login
times, last accessed files, and application usage.
Installed Software and Configuration:Investigators can determine what software was installed on
the system, when it was installed, and whether any suspicious applications were present.
System Configuration and Security Settings: The Registry holds configuration settings for
system security policies, firewall settings, and user permissions.
21. Explain the term HASHING as used in digital forensics investigations [5MARKS]
Hashing is the process of converting data (such as files, documents, or other digital information)
into a fixed-length string of characters using a mathematical algorithm.
This process utilizes cryptographic hash functions to create a digital fingerprint of the data,
which is essential for ensuring data integrity and authenticity during forensic investigations
22. Discuss in detail any four different types of anti-forensics techniques used by attackers.(4
Marks)
Data Deletion: Attackers delete files or data to remove evidence of their activities. They might
use regular deletion methods, which only remove pointers to files, or secure deletion tools that
overwrite data, making it hard to recover.
Data Obfuscation: This technique involves disguising or altering data to prevent detection.
Attackers may encrypt files, change file extensions, or modify metadata, making it difficult for
investigators to understand what the data really is.
Rootkits: Attackers can use rootkits to hide their presence on a system. Rootkits modify system
functions to conceal malware and other actions from detection, making it challenging for
forensic investigators to find evidence of a breach.
Log Tampering: This involves changing or deleting system logs to erase traces of actions taken
by attackers. By manipulating log files, attackers can hide their activities, making it harder for
investigators to track what happened during an attack.
23. .Name 2 hashing algorithms that can be utilized in computer forensics. Give an example of
their application in Digital Forensics.(4Marks)
MD5: Often used to create a unique fingerprint of files for verifying integrity during evidence
collection.
SHA-1: Used to ensure data integrity by generating a hash value for forensic images, confirming
that they haven’t been altered.
24. What is the importance of hashing in computer forensics(3Marks)

Data Integrity Verification Hashing creates a unique "digital fingerprint" of files and evidence

Evidence Authentication Provides a mathematical way to verify the authenticity of digital

evidence

File Identification Can identify known files through hash databases

25Provide and describe two types of write blockers(6Marks)

Hardware Write Blockers Hardware write blockers are physical devices that are placed between
the forensic workstation and the storage media (e.g., hard drives, SSDs, USB drives) to ensure
that no data can be written to the media while it is being analyzed or imaged

Software Write Blockers Software write blockers are applications that run on forensic
workstations to prevent write operations to the storage media.

26 State the main role of a computer forensic professional in computer forensics (2MKS)
The main role of computer forensics professional is to collect, preserve, and analyze digital
evidence carefully so it’s useful in court

27 e) State the main role of a computer forensic professional in computer forensics (2MKS)
Evidence Preservation: Ensuring the proper collection and maintenance of digital evidence to
uphold its integrity and chain of custody.
Data Analysis: Using forensic tools to analyze and document findings related to cyber incidents,
which support investigations and legal proceedings.
28 ) d) What is a “Honeypot” cyber security technique as used by the cyber criminals? (2MKS)
A honeypot is a cybersecurity technique that involves creating a decoy system or network
designed to attract and deceive cybercriminals. The primary purpose of a honeypot is to lure
attackers away from valuable systems and gather information about their methods and intentions

29 Outline four benefits of the professional forensic methodology (4MKS)

Consistency: Ensures uniform investigation processes.

Thoroughness: Helps uncover all relevant evidence.

Admissibility: Increases chances of findings being accepted in court.

Documentation: Provides detailed records of procedures and findings

30)Highlight the objectives of digital Forensics. (3 marks)

Identify Evidence: Locate and gather relevant digital information that can aid in investigations.
Preserve Integrity: Ensure that digital evidence is collected and maintained without alteration to
uphold its authenticity.

Analyze Data: Examine the evidence to uncover facts, patterns, and timelines that support legal
or organizational objectives.