 |
MCF811S - MOBILE AND CLOUD FORENSICS - 1ST OPP - JUNE 2024 |
|
|
1 Page 1 |
▲back to top |
n Am I BI A u n IVER s I TY
OF SCIEnCE Ano TECHn0L0GY
FACULTY OF COMPUTING AND INFORMATICS
DEPARTMENTOF CYBERSECURITY
QUALIFICATION: BACHELOROF COMPUTERSCIENCE(HONOUR) IN DIGITALFORENSICS
QUALIFICATIONCODE:0BBHDS
LEVEL: 8
COURSE:MOBILEAND CLOUDFORENSICS
COURSECODE: MCF811S
DATE: JUNE 2024
DURATION: 3 HOURS
SESSION:1 (THEORY)
MARKS: 100
EXAMINER (S)
FIRSTOPPORTUNITYEXAMINATION QUESTION PAPER
MR. ISAACNHAMU
MODERATOR
DR. NKOSINATHI MPOFU
THIS EXAM QUESTION PAPERCONSISTSOF 4 PAGES
(Excluding this front page)
INSTRUCTIONS
1. Answer ALL the questions on the answer scripts.
2. Write clearly and neatly.
3. Number the answers clearly.
4. When answering questions you should be guided by the allocation of marks in [].Do
few or too many facts in your answers.
not give too
PERMISSIBLEMATERIALS
1. None.
|
|
2 Page 2 |
▲back to top |
Question 1
There is no well-established standard process for mobile forensics. However, Figure 1 below
provides an overview of process considerations for the extraction of evidence from mobile
devices.
Intake
Identification
Archiving
Figure 1: Mobile phone evidence extraction process
Explain what happens at steps/phase 1, 2, 3, 4 and 6.
[10]
Question 2
a. List five digital forensics artifacts that can be retrieved from a mobile phone's SIM
card.
[5]
b. State any five challenges of acquiring evidence from the cloud.
[5]
Page I 1
|
|
3 Page 3 |
▲back to top |
Question 3
Virtualization technology makes cloud computing possible. Cloud providers set up and maintain their
own data centres. They create different virtual environments that use the underlying hardware
resources. Figure 2 below shows Type 1 and Type 2 deployment of Hypervisors.
?:?) fiiifiHII
..tiii/HI
OS
OS
Native (Bare-metal)
Hosted
Figure 2: Type 1 (left) and Type 2 (right) Hypervisors
a. Describe the main difference between the two?
[2]
b. Explain in detail, two advantages of acquiring evidence from a Type 1 over a Type 2
hypervisor system.
[4]
c. Explain in detail, two advantages of acquiring evidence from a Type 2 over a Type 1
hypervisor system.
[4]
Question 4
Before initiating a cloud investigation, you should review the SLA to identify restrictions that
might limit the collection and analysing of data.
a. State five pieces of information that are normally included in an SLA for cloud
customers.
[5]
b. For each of the items stated in a. state how they could hinder or assist in mobile
forensics.
[5)
Page I 2
|
|
4 Page 4 |
▲back to top |
Question 5
Figure 3 below shows the security architecture diagram for iOS.
I I Hardware Key
Software
App Sandbox
User Partition
OS Partition
Encrypted FileSystem
Kernel
Secure Enclave
Secure Element
l
Hardware
l
Crypto Engine
DeviceKey
Group Key
Apple Root Certificate
Figure3: Security architecture diagramfor iOS
a.
What happens when you delete a file in an iOS device?
[2]
b.
With reference to iOS, what is sand boxing?
[2]
C.
Why is sandboxing important in digital forensics?
[3]
d.
What are some of the pitfalls of this technique in the context of digital forensics.
Give two.
[3]
Question 6
Describe the following methods of accessing a passcode protected phone and outline the
risks each presents to the mobile forensics investigative process.
a. Jailbreaking
b. Rooting
[10]
Page I 3
|
|
5 Page 5 |
▲back to top |
Question 7
The mobile industry in the world is divided between the three technologies GSM, CDMAand
iDen. It is necessary for us to understand the basic differentiation of the three technologies
as they may have an impact on the Forensic Investigative process.
i. Present the fundamental technical aspects of the three systems in your
presentation describe briefly how each affects the mobile forensics
investigative process.
[15]
ii. Describethe two main challenges of 5G technologies on the mobile forensics
investigative process.
[5]
Question 8
While searching inside the house of a person under investigation, law enforcement agents
found and seized, among other things, computers and a smartphone. After cataloguing and
documenting everything, they put all the materials into boxes to bring them back to the
laboratory. Once back in their laboratory, when acquiring the smart phone in order to proceed
with the forensics analysis, they noticed that the smartphone was empty and it appeared to
be brand new. The owner had wiped it remotely.
This therefore emphasises the importance of isolating the mobile device from all radio
networks as a fundamental step in the process of preservation of evidence:
a. There are several ways to achieve this (isolating mobile phones), all with their own
pros and cons. Outline five forensic methods of isolating mobile phone give at least
one pro and one con of each.
[15]
b. List any other five anti-forensics techniques that are used in an attempt to affect the
mobile investigative process.
[5]
<<<<<<<<END >>>>>>>>
PageI 4