AIL811S - ADVANCED INTRUSION AND LOG ANALYSIS - 1ST OPP - JUNE 2025


NAMIBIA UNIVERSITY OF SCIENCE AND TECHNOLOGY
FACULTY OF COMPUTING AND INFORMATICS
DEPARTMENT OF CYBERSECURITY
QUALIFICATION: BACHELOR OF COMPUTER SCIENCE (HONS DIGITAL FORENSICS)
QUALIFICATION CODE: 08 BHDS
LEVEL: 8
COURSE: ADVANCED INTRUSION AND LOG ANALYSIS
COURSE CODE: AIL811S
DATE: JUNE 2025
SESSION: THEORY
DURATION: 3 HOURS
MARKS: 100
FIRST OPPORTUNITY EXAMINATION QUESTION PAPER
EXAMINER(S): PROF ATTLEE M. GAMUNDANI
             DR ARPIT JAIN
MODERATOR: MS NAEMI GERSON
THIS QUESTION PAPER CONSISTS OF 3 PAGES
(excluding this front page)
INSTRUCTIONS
1. Answer ALL the questions.
2. Write clearly and neatly.
3. In answering questions, be guided by the allocated marks.
4. Number your answers by the numbering used in this question paper.
PERMISSIBLE MATERIALS
1. None

SECTION A: Scenario-Based Questions - 60 Marks
Question 1: Analysing System Storage
A digital forensic investigator is tasked with examining a compromised workstation
suspected of unauthorised data exfiltration.
(a) Explain how the investigator would apply Master File Table (MFT) and Registry
analysis to determine evidence of user activity.
[6 marks]
(b) Discuss how the Autopsy tool assists in forensic analysis and how it differs from
traditional log examination.
[4 marks]
Question 2: Analysing System Memory
During an advanced persistent threat (APT) investigation, the attacker used fileless
malware suspected to reside in memory.
Describe the end-to-end methodology for memory analysis, including tool selection
(e.g., Redline and Volatility) and the indicators of compromise (IoCs) that should be
extracted.
[10 Marks]
Question 3: Reporting After Log Analysis
You have completed an investigation into an insider threat that involved the
exfiltration of confidential documents.
Draft an outline of a professional incident response report that includes incident status,
findings, timelines, technical analysis, and recommendations.
[10 marks]
Question 4: Intrusion Detection and Network Forensics
You have completed an investigation into an insider threat that involved the
exfiltration of confidential documents.
Draft an outline of a professional incident response report that includes incident status,
findings, timelines, technical analysis, and recommendations.
[10 marks]

Question 5: Threat Intelligence Application
A telecommunications company wants to proactively mitigate threats.
Explain how the organisation can use threat intelligence platforms and sources to build
predictive defence capabilities. Include types of intelligence (strategic, operational,
tactical, technical).
[10 marks]
Question 6: Log Management Systems
A multinational enterprise is evaluating centralised log management solutions.
Compare and contrast the benefits of using a Security Information and Event
Management (SIEM) system with traditional syslog-based monitoring.
Include discussion on alert correlation, normalisation, and scalability. [10 marks]
SECTION B: Case Study Based Questions - 40 Marks
Question 7: AI-Driven IDS Model Development
A cloud services provider is deploying a machine learning-based Intrusion Detection
System (IDS) to enhance detection accuracy and reduce alert fatigue. They have
shortlisted three ML algorithms (Random Forest, SVM, and K-Means) and are using a
labelled dataset from their past incidents.
(a) Design a pipeline for implementing this IDS, from data preprocessing to model
evaluation.
[8 marks]
(b) Discuss the importance of feature engineering and how dimensionality
reduction techniques (e.g., PCA) can improve model performance. [6 marks]
(c) Propose a strategy for dealing with false positives and model drift over time.
[6 marks]
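Two concrete checks that an answer to Question 7(c) could be built around, as an added example by the editor (not part of the question paper): a Population Stability Index (PSI) test that flags when a feature's live distribution has drifted away from the training distribution, and a per-detector precision tally fed by analyst verdicts so that detectors generating mostly false positives are retuned before the model is retrained. The feature values, bin edges, detector names and verdicts are constructed; the 0.2 PSI cut-off and the 0.5 precision floor are assumed thresholds (0.1 and 0.2 are the usual rule-of-thumb PSI levels for moderate and significant shift).

```python
"""Drift and false-positive checks for an ML-based IDS (Question 7(c)).
Editor's example, not the paper's code.  All data below is constructed and
the PSI cut-off (0.2) and precision floor (0.5) are assumed thresholds."""
import math


def bin_proportions(values, edges, floor=1e-6):
    """Histogram `values` into len(edges)+1 bins with fixed edges and return
    the share per bin, floored so an empty bin never produces log(0)."""
    counts = [0] * (len(edges) + 1)
    for v in values:
        idx = 0
        while idx < len(edges) and v >= edges[idx]:
            idx += 1
        counts[idx] += 1
    return [max(c / len(values), floor) for c in counts]


def psi(baseline, current, edges):
    """PSI = sum over bins of (cur - base) * ln(cur / base); 0 means no shift.
    Bins are fixed from the training (baseline) data so the two histograms
    are comparable."""
    base = bin_proportions(baseline, edges)
    cur = bin_proportions(current, edges)
    return sum((c - b) * math.log(c / b) for b, c in zip(base, cur))


def drift_check(baseline, current, edges, alert_at=0.2):
    """Return the PSI and whether it crosses the (assumed) retraining trigger."""
    score = psi(baseline, current, edges)
    return {"psi": round(score, 4), "drift": score >= alert_at}


def precision_by_detector(verdicts, min_precision=0.5):
    """verdicts: (detector_id, analyst_confirmed) pairs recorded at triage.
    A detector whose confirmed share drops below min_precision is flagged
    for retuning (threshold, features or rule logic) rather than left to
    keep feeding false positives into the analysts' queue."""
    tallies = {}
    for det, confirmed in verdicts:
        t = tallies.setdefault(det, [0, 0])
        t[0] += 1
        t[1] += int(confirmed)
    return {
        det: {"alerts": n, "precision": tp / n, "retune": tp / n < min_precision}
        for det, (n, tp) in tallies.items()
    }


# Constructed data: failed-login counts per host per hour at training time
# and a month later (the distribution has shifted upward), plus constructed
# analyst verdicts on a week of alerts from two detectors.
BASELINE = [1, 2, 2, 3, 3, 3, 4, 4, 5, 6]
CURRENT = [3, 4, 5, 5, 6, 7, 7, 8, 9, 9]
EDGES = [2, 4, 6]
VERDICTS = [("rf-ids", True), ("rf-ids", False), ("rf-ids", True), ("rf-ids", True),
            ("modbus-write-sig", False), ("modbus-write-sig", False),
            ("modbus-write-sig", True)]

if __name__ == "__main__":
    print(drift_check(BASELINE, CURRENT, EDGES))
    print(precision_by_detector(VERDICTS))
```

Run on a schedule, the drift check gives an objective trigger for retraining instead of waiting for detection rates to visibly fall; the precision tally closes the loop from analyst triage back to the model, which is where most false-positive reduction actually comes from.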
Question 8: Case Log Analysis - Industrial IoT Breach
Scenario:
A smart manufacturing plant is using Industrial IoT (IIoT) devices. A security audit found
the following log excerpts from the central monitoring dashboard:
Log Entry 1
Time: 2025-03-10 14:23:15
Device: PLC-001
Event: Unauthorised Modbus write request
Source IP: 192.168.50.23
Action: Command blocked
Log Entry 2
Time: 2025-03-10 14:25:02
Device: PLC-001
Event: Device rebooted unexpectedly
Reason: Remote command
Source IP: 192.168.50.23
Log Entry 3
Time: 2025-03-10 14:30:45
SIEM Alert: Lateral movement attempt detected
Source IP: 192.168.50.23
Target: SCADA-CORE-01
(a) Identify the indicators of compromise and classify the stages of attack using the
MITRE ATT&CK framework.
[10 marks]
(b) Recommend immediate response actions and suggest long-term mitigation
strategies using log management and intrusion prevention best practices.
[10 marks]
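The normalisation and correlation that Question 6 asks candidates to discuss, applied to the three log excerpts of Question 8, as an added example by the editor (not part of the question paper). It parses the device logs and the SIEM alert into one schema, groups events from the same source IP that fall within a time window into a single incident, and tags each event with an ATT&CK for ICS tactic and, where the log text supports one, a technique. Assumptions: the records are fed in as one line each of `Key: Value` fields joined with ` | ` (a constructed layout of the paper's text), the 10-minute window, and the tactic/technique mapping, which is the editor's reading of the events; the SIEM alert does not say how lateral movement was attempted, so it receives a tactic only.

```python
"""Normalise, correlate and ATT&CK-map the IIoT log excerpts of Question 8.
Editor's example, not the question paper's code.  Assumptions: one record
per line of 'Key: Value' fields joined with ' | ' (constructed layout), a
10-minute correlation window, and the tactic/technique mapping below."""
import re
from datetime import datetime

# The paper's three excerpts, reflowed one record per line (constructed layout).
RAW_LOGS = """\
Time: 2025-03-10 14:23:15 | Device: PLC-001 | Event: Unauthorised Modbus write request | Source IP: 192.168.50.23 | Action: Command blocked
Time: 2025-03-10 14:25:02 | Device: PLC-001 | Event: Device rebooted unexpectedly | Reason: Remote command | Source IP: 192.168.50.23
Time: 2025-03-10 14:30:45 | SIEM Alert: Lateral movement attempt detected | Source IP: 192.168.50.23 | Target: SCADA-CORE-01
"""

# Event text -> (ATT&CK for ICS tactic, technique).  Analyst judgement, not a
# vendor mapping; the lateral-movement alert names no technique.
ATTACK_MAP = [
    (re.compile(r"unauthori[sz]ed .*modbus write", re.I),
     ("Impair Process Control", "T0855 Unauthorized Command Message")),
    (re.compile(r"rebooted", re.I),
     ("Inhibit Response Function", "T0816 Device Restart/Shutdown")),
    (re.compile(r"lateral movement", re.I),
     ("Lateral Movement", None)),
]


def parse_line(line):
    """Split 'Key: Value | Key: Value' into a dict of raw fields."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def normalise(fields):
    """Map device logs and SIEM alerts onto one schema (the normalisation step)."""
    return {
        "ts": datetime.strptime(fields["Time"], "%Y-%m-%d %H:%M:%S"),
        "src_ip": fields.get("Source IP"),
        "asset": fields.get("Device") or fields.get("Target"),
        "event": fields.get("Event") or fields.get("SIEM Alert") or "",
        "outcome": fields.get("Action", "unknown"),
        "origin": "siem" if "SIEM Alert" in fields else "device",
    }


def map_attack(event_text):
    for pattern, mapping in ATTACK_MAP:
        if pattern.search(event_text):
            return mapping
    return ("Unmapped", None)


def load_events(raw):
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = normalise(parse_line(line))
        ev["tactic"], ev["technique"] = map_attack(ev["event"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def summarise(ip, chain):
    assets = sorted({e["asset"] for e in chain if e["asset"]})
    return {
        "src_ip": ip,
        "first_seen": chain[0]["ts"].isoformat(sep=" "),
        "last_seen": chain[-1]["ts"].isoformat(sep=" "),
        "assets": assets,
        "tactics": [e["tactic"] for e in chain],
        "techniques": [e["technique"] for e in chain if e["technique"]],
        # Indicators to block and hunt on: the source host and what it touched.
        "iocs": {"src_ip": ip, "targets": assets},
    }


def correlate(events, window_seconds=600):
    """Group events per source IP; consecutive events closer together than the
    window form one incident (the correlation step a SIEM performs)."""
    by_ip = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip.setdefault(ev["src_ip"], []).append(ev)
    incidents = []
    for ip, evs in by_ip.items():
        chain = [evs[0]]
        for ev in evs[1:]:
            if (ev["ts"] - chain[-1]["ts"]).total_seconds() <= window_seconds:
                chain.append(ev)
            else:
                incidents.append(summarise(ip, chain))
                chain = [ev]
        incidents.append(summarise(ip, chain))
    return incidents


if __name__ == "__main__":
    for incident in correlate(load_events(RAW_LOGS)):
        print(incident)
```

Run as-is it yields a single incident from 192.168.50.23 spanning 14:23:15 to 14:30:45 against PLC-001 and SCADA-CORE-01, with the tactic chain Impair Process Control, Inhibit Response Function, Lateral Movement; with syslog-style per-device viewing the same three lines sit in two different consoles and never become one incident. One detail worth raising in an answer: entry 1 reports the write as blocked, yet entry 2 shows the PLC rebooting on a remote command from the same host two minutes later, so whatever blocked the first request did not cover the path used for the second.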
*****END OF EXAMINATION PAPER*****