ITC597 Digital Forensics | Reliable Papers

SESSION 2 (60), 202060 – ITC597 Page 1 of 3

School of Computing and Mathematics
Examination SESSION 2 (60), 202060
ITC597 Digital Forensics – SAMPLE EXAM ONLY

This paper is for Distance Education (Distance), Port Macquarie, Study Centre Sydney and Study Centre Melbourne students.

EXAM CONDITIONS:
NO REFERENCE MATERIALS PERMITTED
No calculator is permitted
No dictionary permitted

WRITING TIME:
2 hours plus 10 minutes reading time
Writing is permitted during reading time

MATERIALS SUPPLIED BY UNIVERSITY:
N/A – This is an online exam.

MATERIALS PERMITTED IN EXAMINATION:
(No electronic aids are permitted e.g. laptops, calculators, phones)

NUMBER OF QUESTIONS: Five (05)
VALUE: 50%

INSTRUCTIONS TO CANDIDATES:
1. This is an online exam. There are a total of five (05) questions in the exam. Each question is worth 10 marks. There are a total of 50 marks for the exam.
2. You MUST pass the final exam (i.e. obtain at least 50% marks or more) to pass the subject.

Note: There are a total of FIVE (05) questions. Each question has 10 marks and there are a total of 50 marks for the exam. Attempt all questions; answers should contain your own understanding, thinking, evaluation and analyses.

Question 1.
In topic 1 of this subject, you learnt about the investigations triangle, which emphasises the role of other fields alongside digital forensics. Explain in your own words the functions and responsibilities of each group from each side of the triangle. Why do you think it is important for these three groups to work as a team for an organisation?

Question 2.
A2Z Forensics is a digital forensics investigation firm that conducts forensic investigations for the public as well as the private sector. You have been working in this firm as a forensics specialist for a number of years. The firm is establishing a new forensics lab to meet future requirements. You have been asked to prepare a business case for this new lab. Your job is to focus on three aspects of the new lab: hardware, software and lab security. Based on the knowledge of topic 2, prepare a brief business case, and summarise and justify the equipment (both hardware and software) you recommend for this new lab that will meet future requirements. Also, briefly explain the security measures you recommend for this new lab.

Question 3.
As a private sector investigator, you are investigating an important case for an office. You have been given access to the office computer network and the computers that may contain some important information related to the case. You are allowed to speak to the network administrator. In this scenario, what data acquisition method will you prefer to use? Justify your answer. Also, outline the problems you expect to encounter and explain how to rectify them, describing your solution. Identify any potential customer privacy issues that should be considered.

Question 4.
A2Z Forensics has hired you to investigate an email that has been received by one of their employees. This email looks suspicious to the company, and they want to know information such as where and when this email was generated, as well as any other related information. They have provided you with the email header as shown in the figure below. You have been asked to analyse this email header and describe the information while evaluating this header file. The company also wants to trace back the origin of this email. In this scenario, what would you recommend to the company in order to trace back this email?

Figure for Question 4: An e-mail header with line numbers added (The email addresses are not real addresses.)

Question 5.
Assume you have been given a scrambled text file with some hidden text data similar to the one in your assessment. What will be the best method that you will use to unscramble the file, and why would you choose this method? Justify your answer. [5 marks]

You have collected digital evidence from a crime scene and calculated its hash value using the WinHex editor with the MD5 algorithm. You have stored the evidence in a forensics lab. After a week, when you started analysing the evidence, you again calculated the hash value of the evidence, this time using Autopsy with the SHA-1 algorithm. You found that the hash value of the evidence has now changed. Describe why the hash value is now different from the one you calculated when you acquired the evidence. [5 marks]

END OF EXAMINATION