 |
MCF811S - MOBILE AND CLOUD FORENSICS - 2ND OPP - JULY 2024 |
|
|
1 Page 1 |
▲back to top |
n Am I B I A u n IVE Rs I TY
OF SCIEnCE Ano TECHnOLOGY
FACULTY OF COMPUTING AND INFORMATICS
DEPARTMENTOF CYBERSECURITY
QUALIFICATION : BACHELOR OF COMPUTER SCIENCE {HONOUR) IN DIGITAL FORENSICS
QUALIFICATION CODE: 08BHDS
LEVEL: 8
COURSE: MOBILE AND CLOUD FORENSICS
COURSE CODE: MCF811S
DATE: JULY 2024
DURATION: 3 HOURS
SESSION: 2 (THEORY)
MARKS: 100
SECOND OPPORTUNITY/SUPPLEMENTARY EXAMINATION QUESTION PAPER
EXAMINER (S)
MR. ISAAC NHAMU
MODERATOR
DR. NKOSINATHI MPOFU
THIS EXAM QUESTIONPAPERCONSISTSOF 4 PAGES
(Excluding this front page)
INSTRUCTIONS
1. Answer ALL the questions on the answer scripts.
2. Write clearly and neatly.
3. Number the answers clearly.
4. When answering questions you should be guided by the allocation of marks in [ ]. Do not give too
few or too many facts in your answers.
PERMISSIBLEMATERIALS
1. None.
|
|
2 Page 2 |
▲back to top |
•I
Question 1
The mobile device forensics tool classification system was created by Sam Brothers to give
investigators an overview of available tools, from least complicated to most complex, for the
purpose of gathering mobile evidence. The classification or levels are frequently illustrated as
a triangle with five layers as in Figure 1.
ChiiP-off
I, .,
ielexDump
\\ ..,.,
\\
Logical Anal~sis,
ManuaI E:draclkm
Figure 1: Sam Brothers tool levelling pyramid
Explain/describe a technique used to acquire digital evidence from a mobile device at
each level, and give a scenario when each can be used.
[10]
Question 2
a. Compare digital evidence to physical evidence. In your comparison, give at least three
advantages of digital evidence over physical evidence and at least two advantages of
physical evidence over digital evidence.
[10]
a. List five digital forensics artifacts that can retrieved from a mobile phone. [5]
Page 11
|
|
3 Page 3 |
▲back to top |
Question 3
a. Why is it important to understand the file system of a mobile device in digital
forensics.
[2]
b. Figure 2 below shows the HFSplus file system used by modern iOS devices.
Reserved (1024 t)ytes)
Volume Header
Allocation File
Extents Overtlow File
File Data
or
Free Space
Catalog File
Attributes File
Startup File
AlternateVolume Header
Reserved (512 bytes)
Figure 2: The HFSplus volume structure
State how the following sections of this volume/file system could be used for digital
forensics:
i. Allocation file
[2]
ii. Extent overflow file
[2]
iii. Catalogue file
[2]
iv. Attribute file
[2]
Page I 2
|
|
4 Page 4 |
▲back to top |
Question4
c. What is cell site analysis? How is it useful to mobile forensics.
[3]
d. Expand the abbreviations, GSM and CDMA.
[1]
e. Outline two main differences that make digital forensic investigations unique for GSM
phones and CDMA phones.
[4]
f. Figure 2 shows the architecture of a GSM cellular network. Expand the abbreviations
and state what information of forensic value can be obtained from:
i. BTS
ii. BSC
iii. HLR
iv. VLR
v. EIR
vi. Aue
[12]
~~IIH11la
~}filmfi
I ©UIS i
\\'-(~SA~biBs I~ntLerf_a,c,e,
Um
11:
I
/:1II1\\,l_@_~_J_L/:_h_li/:,)J,,
A
- - - - Air Interface(Um) - - - - • Interface(BSCto MSC)
Figure 3: Architecture of a GSM mobile network
Question 5
Outline two benefits and three hinderance of virtualisation to cloud forensics. [10]
Page I 3
|
|
5 Page 5 |
▲back to top |
Question 6
You are given that a crime was committed and in the commission of the crime an iOS device
was recovered. Given the following different scenarios, state what action can be taken to
preserve information on the device in each case:
i. Device turned on and unlocked,
ii. Device turned on and locked,
iii. Device turned off and without passcode,
iv. Device turned off and with passcode.
[20]
Question 7
Reverse Engineering is important in mobile forensics and might be the only way evidence on
a phone may be accessible. However, it does affect the digital forensics investigative process.
a. Besides rooting and starting the device in recovery mode, explain three ways
passcodes in Android phones can be circumvented.
[6]
b. How can each of the methods you identified in a. be prevented.
[3]
c. Rooting a phone is one way of circumventing passcodes,
i. Explain three ways of rooting an Android phone.
[3]
ii. List three potential dangers of rooting a phone.
[3]
<<<<<<<<END >>>>>>>>
Page I 4