DEPARTMENT OF INFORMATION TECHNOLOGY
Subject Code : CS6004    Subject Name : Cyber Forensics
Class : IV IT / VIII    Subject In-Charge : Dr. P. Subathra, Prof./IT; R. Arthy, AP/IT
QUESTION BANK
UNIT IV
EVIDENCE COLLECTION AND FORENSICS TOOLS
Processing Crime and Incident Scenes – Working with Windows and DOS Systems. Current Computer Forensics Tools: Software/Hardware Tools.
Q. No | Question | Marks | Knowledge Level | Number of Times in AU
PART – A
Processing Crime and Incident Scenes
1. | Label any three types of field kit to be used at a crime scene. [May 2017] | 2 | K1 | 1
2. | State the motivations for computer intrusion or theft of information in contemporary society. [Nov 2018] | 2 | K2 | 1
3. | How to identify a cyber crime? [May 2019] | 2 | K2 | 1
4. | Give examples of computer crimes. | 2 | K1 | -
Working with Windows and DOS Systems
5. | When you delete an image/audio/video file, do you really delete it? Is it possible to recover the deleted data? [May 2018] | 2 | K2 | 1
6. | List out some of the open-source encryption tools. | 2 | K1 | -
7. | Define FAT and VFAT. | 2 | K1 | -
8. | What is meant by Encrypting File System? | 2 | K1 | -
Current Computer Forensics Tools: Software/Hardware Tools
9. | Classify and compare hardware and software forensic tools. [May 2017] | 2 | K2 | 1
10. | Define Master Boot Record (MBR). [Nov 2017] | 2 | K1 | 1
11. | What is Zoned Bit Recording (ZBR)? [Nov 2017] | 2 | K1 | 1
12. | What is a virtual machine? [May 2018] | 2 | K1 | 1
13. | Distinguish between validation and discrimination. [Nov 2018] | 2 | K2 | 1
14. | List out any two forensics tools for evidence collection. [May 2019] | 2 | K1 | 1
15. | List out the disk drive components. | 2 | K1 | -
16. | Define track density. | 2 | K1 | -
17. | List out the properties handled by the drive's hardware. | 2 | K1 | -
18. | Write down the tasks for planning your investigation. | 2 | K1 | -
19. | Write down the tasks performed by computer forensics tools. | 2 | K1 | -
20. | What is meant by acquisition? List out its functions. | 2 | K1 | -
21. | Define write-blocker. | 2 | K1 | -
PART – B
Processing Crime and Incident Scenes
22. | Analyze how the following techniques are used: a) Processing data centers with RAID systems (8); b) Documenting evidence in the lab (4); c) Processing and handling digital evidence (4). [Nov 2017] | 16 [13] | K2 | 1
23. | Explain briefly the RAID architecture and its types with the data acquisition structure. Also explain the data centers used in processing RAID systems. [May 2017] | 16 [13] | K2 | 1
24. | Outline the process of preparing to acquire digital evidence, processing an incident or crime scene, and processing data centers with RAID systems. [May 2018] | 16 [13] | K2 | 1
25. | Outline the seizing procedure for digital evidence at the crime scene. [Nov 2018] | 13 | K2 | 1
26. | How to process cyber crime and incident scenes? Explain. [May 2019] | 13 | K2 | 1
Working with Windows and DOS Systems
27. | Explain in detail how an understanding of the NTFS, FAT and FAT32 file systems plays a crucial role in cyber forensics. [May 2017] | 16 [13] | K2 | 1
28. | Examine the MS-DOS startup tasks and other disk operating systems in detail. [Nov 2017] | 16 [13] | K2 | 1
29. | Explain the following: NTFS data streams, NTFS compressed files and NTFS Encrypting File System. [May 2018] | 16 [13] | K2 | 1
30. | Illustrate with an example how to examine NTFS disks. [Nov 2018] | 13 | K2 | 1
Current Computer Forensics Tools: Software/Hardware Tools
31. | Demonstrate the use of computer forensic hardware and software tools used to solve the different types of forensics cases. [Nov 2018] | 13 | K2 | 1
PART – C
Working with Windows and DOS Systems
32. | You're using Disk Manager to view primary and extended partitions on a suspect's drive. The program reports the extended partition's total size as larger than the sum of the sizes of the logical partitions in this extended partition. Which of the following does this indicate? Justify your answer. [Nov 2018] | 15 | K3 | 1
    i) The disk is corrupted.
    ii) There's a hidden partition.
    iii) Nothing; this is what you'd expect to see.
    iv) The password is unknown.
Current Computer Forensics Tools: Software/Hardware Tools
33. | To interpret and validate the results of a forensics analysis, which of the following should you do? | 15 | K3 | 1
    i) Calculate the hash value with two different tools.
    ii) Use a different tool to compare the results of evidence you find.
    iii) Repeat the steps used to obtain the digital evidence, using the same tool, and recalculate.
    iv) The hash value to verify the results.
    v) Do both i) and ii)
    vi) Do both ii) and iii)
    vii) Do both i) and iii)
34. | Consider the following situation: employer files have been deleted, disks have been reformatted, or other steps have been taken to conceal or destroy the evidence. How to recover the evidence using any forensics tool to safeguard the employee? [May 2019] | 15 | K3 | 1
35. | A patient with a heart ailment was transported to a hospital where an angiogram was performed. The patient later had a stent inserted into an artery along with a second angiogram, but died shortly thereafter. A third angiogram was performed immediately after the patient's death. Images of the angiogram procedures were purportedly stored on computer hard drives. The day following the patient's death, hospital staff were able to locate images for the first and third angiograms but could not find any images of the second procedure. The hospital and doctor were sued for medical malpractice and wrongful death. The plaintiffs also claimed the defendants had deliberately deleted the images of the second angiogram that allegedly proved the wrongful death claim. A CES team (CFST) was engaged by the doctor's insurance company to locate images of the second angiogram on the computer hard drive. Explain the possible actions that the CFST took to locate the images. [May 2019] | 15 | K3 | 1
Subject In-Charge    Subject Matter Expert    HoD/IT

DEPARTMENT OF INFORMATION TECHNOLOGY
Subject Code : CS6004    Subject Name : Cyber Forensics
Class : IV IT / VIII    Subject In-Charge : Dr. P. Subathra, Prof./IT; R. Arthy, AP/IT
QUESTION BANK
UNIT V
ANALYSIS AND VALIDATION
Validating Forensics Data – Data Hiding Techniques – Performing Remote Acquisition – Network Forensics – Email Investigations – Cell Phone and Mobile Devices Forensics
Q. No | Question | Marks | Knowledge Level | Number of Times in AU
PART – A
Validating Forensics Data
1. | List out the file systems in which FTK can perform forensic analysis. | 2 | K1 | -
2. | Define scope creep. | 2 | K1 | -
3. | What is meant by Known File Filter (KFF)? | 2 | K1 | -
4. | What is meant by auto image checksum verification? | 2 | K1 | -
Data Hiding Techniques
5. | Describe bit shifting with an example. [Nov 2017] | 2 | K2 | 1
6. | What is steganography? [May 2018] | 2 | K1 | 1
7. | Show various steganalysis attack methods. [Nov 2018] | 2 | K1 | 1
8. | What is meant by key escrow? | 2 | K1 | -
9. | List out some of the password cracking tools. | 2 | K1 | -
10. | Define rainbow table. | 2 | K1 | -
11. | List out the three ways to recover passwords. | 2 | K1 | -
Performing Remote Acquisition
12. | How to perform the remote acquisition process? [May 2019] | 2 | K1 | 1
13. | What is meant by remote acquisition? | 2 | K1 | -
Network Forensics
14. | Name any three standard procedures used in network forensics. [May 2017] | 2 | K1 | 1
15. | Define order of volatility (OOV). [Nov 2018] | 2 | K1 | 1
16. | Write any one network forensics scenario. [May 2019] | 2 | K1 | 1
17. | Define network forensics. | 2 | K1 | -
18. | What is the use of network logs? | 2 | K1 | -
19. | Define layered network defense strategy. | 2 | K1 | -
20. | What is the purpose of the Tcpdump program? | 2 | K1 | -
21. | What is the usage of the Ethereal network analysis tool? | 2 | K1 | -
22. | Define Sysinternals and give examples. | 2 | K1 | -
23. | Define Knoppix Security Tools Distribution (STD). | 2 | K1 | -
24. | Define phishing. | 2 | K1 | -
Email Investigations
25. | Decide the roles of clients and servers in email investigations. [May 2017] | 2 | K1 | 1
26. | Mention the e-mail storage format available in Novell Evolution. [Nov 2017] | 2 | K1 | 1
27. | Give examples of e-mail forensics tools. [May 2018] | 2 | K1 | 1
28. | Give examples of e-mail server programs. | 2 | K1 | -
29. | What is the significance of e-mail forensics tools? | 2 | K1 | -
30. | Define spoofing. | 2 | K1 | -
Cell Phone and Mobile Devices Forensics
31. | Write down the main components used for mobile communication. | 2 | K1 | -
32. | Define orthogonal frequency division multiplexing. | 2 | K1 | -
33. | List out the technologies supported by 4G networks. | 2 | K1 | -
PART – B
Validating Forensics Data
34. | Discuss the procedure to validate using hexadecimal editors. [May 2017] | 8 | K2 | 1
35. | Explain in detail the process of validating forensics data. | 13 | K2 | -
Data Hiding Techniques
36. | Briefly explain any one steganography algorithm to hide data in an image. [May 2017] (or) Write short notes on data hiding techniques. [May 2019] | 8 | K2 | 2
37. | Explain data hiding techniques and how to apply them in various applications. [Nov 2017, Nov 2018] | 8, 13 | K2 | 1
Network Forensics
38. | Elaborate on the network tools. | 13 | K2 | -
Email Investigations
39. | Examine and list the procedure to analyze UNIX and Microsoft e-mail server logs. [May 2017] | 16 [13] | K2 | 1
40. | Describe in detail the specialized e-mail forensic tools. [Nov 2017] | 8 | K2 | 1
41. | Explain in detail the steps involved in examining Microsoft e-mail server logs. [Nov 2017, Nov 2018] | 8, 15 | K2 | 2
42. | Explain the process of investigating e-mail crimes and violations. [May 2018] | 16 [13] | K2 | 1
43. | Write a short note on email investigations. [May 2019] | 6 | K2 | 1
Cell Phone and Mobile Devices Forensics
44. | Elaborate on mobile device forensics. [Nov 2017] | 8 | K2 | 1
45. | Appraise the acquisition procedures for cell phones and mobile devices. [May 2018] | 16 [13] | K2 | 1
PART – C
E-Mail Investigation
46. | A Senior Service Manager working with a bank received an email message from one of his clients requesting an immediate financial transaction of 1.25 Cr for a vendor payment. The received email carried exactly the client's original email address. As the client, who holds a prestigious designation and runs several business organizations, used to send such emails frequently, the bank officials started the procedure to send the amount to the recipient concerned, which proved fatal. The situation became worse when the client who had supposedly asked for the amount to be sent as a vendor payment was found to be unknown. Help the forensic department to identify the victim. | 15 | K3 | -
Cell Phone and Mobile Devices Forensics
47. | A man has been arrested by the Crime Branch of Mumbai Police for allegedly sending threatening text messages to a Bollywood actress. The accused sent four messages to the actress, threatening to kill her children if she did not pay him, say sources. How to do mobile device forensics on this case? [May 2019] | 15 | K3 | 1
Subject In-Charge    Subject Matter Expert    HoD/IT
