Digital Forensic

The document outlines the fundamental components of computer hardware, including memory, CPU operations, and hard disk construction, emphasizing their roles in system performance. It also discusses CPU architecture, memory hierarchy, and hard drive types, alongside the procedures and challenges in digital forensics investigations. Additionally, it covers malware types, networking protocols for security, and the evolution of operating systems from early batch processing to modern cloud-based systems.

Uploaded by dyutika2003
Copyright © All Rights Reserved

10 marks

1. Describe the basic components of computer hardware, such as memory, CPU operations, and hard disk construction.

The core components of a computer include:

Memory (RAM): Random Access Memory is a volatile memory used to temporarily store data actively being used. It provides fast read and write capabilities essential for the efficient execution of instructions.

CPU Operations: The Central Processing Unit (CPU) is the brain of the computer, performing arithmetic and logical operations. It has components like the Arithmetic Logic Unit (ALU), Control Unit, and Registers, which work together to execute instructions via the fetch-decode-execute cycle.

Hard Disk Construction: A hard disk is a non-volatile storage device comprising platters coated with a magnetic material, a read/write head, and a spindle. Data is stored in binary format and accessed through spinning platters and precise positioning of the read/write head.

2. Assess the CPU, memory, and hard drive architecture.

CPU Architecture:

Modern CPUs utilize either RISC (Reduced Instruction Set Computer) or CISC (Complex Instruction Set Computer) designs. RISC CPUs use a smaller set of instructions for efficiency, while CISC processors handle more complex operations per instruction. Multi-core CPUs allow parallel processing, improving multitasking and computational speed. Features like hyper-threading simulate additional cores for enhanced performance.

Memory Architecture: Memory follows a hierarchical structure:

• Registers: Embedded within the CPU for ultra-fast data access.
• Cache Memory: Located closer to the CPU, divided into levels (L1, L2, L3), providing quicker access than RAM.
• RAM: Primary volatile memory for active data.
• Virtual Memory: Uses hard disk space to simulate additional RAM, though slower.

Hard Drive Architecture:

Hard drives include mechanical HDDs and faster SSDs. HDDs rely on spinning magnetic platters and mechanical arms, whereas SSDs use flash memory cells for superior speed. Storage interfaces such as SATA and NVMe determine data transfer rates, with NVMe offering superior performance due to direct communication with the CPU.

3. Describe the steps involved in monitoring users in digital forensics investigations, along with typical resources and difficulties.

Planning and Authorization:

• Obtain proper legal authorization to avoid violating privacy laws.
• Define the scope and objectives of the monitoring activity.

Data Collection:

• User Activity Logs: Retrieve system logs, browser histories, and access logs.
• Keyloggers: Capture keystrokes to identify passwords or sensitive input.
• Packet Sniffers: Analyze network traffic using tools like Wireshark.

Data Preservation: Secure copies of the collected data to prevent tampering, following chain-of-custody protocols.

Data Analysis: Employ forensic tools to examine the collected data, identifying anomalies or traces of malicious activity.

Reporting: Document findings clearly and concisely so the evidence can be presented in legal or investigative settings.

Resources and Challenges:

• Resources: Forensic software (e.g., FTK, EnCase), hardware for imaging, and skilled personnel.
• Challenges: Legal complexities, encryption barriers, and handling large volumes of data.

4. Categorize the methods for breaking passwords.

1. Brute Force Attacks:

• Tries all possible character combinations.
• Requires significant computational power and time.

2. Dictionary Attacks:

• Uses precompiled lists of common passwords.
• More efficient than brute force but limited to known words or phrases.

3. Rainbow Table Attacks:

• Exploits precomputed hash chains to reverse cryptographic hashes.
• Faster than brute force for cracking hashed passwords but requires substantial storage.

4. Phishing and Social Engineering: Tricking users into revealing their passwords through deceptive means, such as fake login pages.

5. Keylogging:

• Records user input to capture credentials.
• Implemented via software or hardware devices.
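As an added illustration (not part of the original notes) of why the dictionary and rainbow-table methods above only pay off against fast, unsalted hashes, the Python below contrasts plain SHA-256 with a per-user salt plus PBKDF2; the user names, passwords and the tiny lookup table are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; real deployments tune this upward

# Constructed sample: two users who happen to pick the same weak password.
USERS = {"alice": "Summer2024", "bob": "Summer2024"}

# Constructed stand-in for a precomputed lookup table: unsalted SHA-256 of a
# few common passwords, keyed by digest so a stolen hash is a single lookup.
LOOKUP_TABLE = {hashlib.sha256(p.encode()).hexdigest(): p
                for p in ["123456", "password", "Summer2024", "letmein"]}


def unsalted_hash(password: str) -> str:
    """Fast, unsalted hash: equal passwords give equal digests, so one table
    built once serves against every account and every site using the scheme."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    The salt is not secret; it is stored beside the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, stored)


def demo() -> dict:
    """Contrast the two schemes against the same precomputed table."""
    plain = {n: unsalted_hash(p) for n, p in USERS.items()}
    salted = {n: salted_hash(p) for n, p in USERS.items()}
    alice_salt, alice_digest = salted["alice"]
    return {
        # unsalted: identical digests, and the table recovers the password at once
        "unsalted_identical": plain["alice"] == plain["bob"],
        "unsalted_in_table": LOOKUP_TABLE.get(plain["alice"]) == "Summer2024",
        # salted: digests differ per user and no precomputed entry matches
        "salted_identical": salted["alice"][1] == salted["bob"][1],
        "salted_in_table": alice_digest.hex() in LOOKUP_TABLE,
        # the legitimate login path still works; a wrong guess is rejected
        "login_ok": verify("Summer2024", alice_salt, alice_digest),
        "login_wrong": verify("Summer2025", alice_salt, alice_digest),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```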

5. Describe how networking protocols help to secure communication and computer systems.

SSL/TLS (Secure Sockets Layer/Transport Layer Security):

Provides end-to-end encryption for secure communication over the internet, ensuring confidentiality and integrity.

HTTPS (Hypertext Transfer Protocol Secure):

A combination of HTTP and SSL/TLS, used for secure web browsing by encrypting data transmitted between browsers and servers.

IPSec (Internet Protocol Security):

Secures communication at the network layer, providing encryption, authentication, and integrity for IP packets.

SSH (Secure Shell):

Encrypts remote terminal sessions, preventing eavesdropping and data theft during command-line interactions.

6. Talk about the procedure and significance of bit-stream image creation in digital forensics.

Procedure:

• Preparation: Use write blockers to prevent alterations to the original device.
• Image Acquisition: Create a bit-for-bit copy of the storage medium using forensic tools like EnCase.
• Verification: Use hashing algorithms (MD5, SHA-256) to ensure the image's integrity.

Significance:

• Preserves the exact state of the original evidence, including deleted or hidden data.
• Allows repeatable forensic analysis without compromising the original evidence.
• Critical for maintaining the admissibility of digital evidence in court.

7. How will you compare and contrast the various forms of malware, such as Trojan horses, worms, and viruses, and their effects on computer systems?

Viruses:

• Require a host file to spread.
• Can damage or corrupt files and software.

Worms:

• Spread autonomously across networks.
• Consume bandwidth and system resources.

Trojan Horses:

• Disguised as legitimate software to deceive users.
• Often used to create backdoors for unauthorized access.

Comparison:

• Worms are more disruptive to networks because they spread autonomously.
• Trojans rely on user deception and often have long-term consequences such as espionage.

OTHERS
1) Explain the concept of data storage and memory allocation in modern operating systems.

Modern operating systems manage data storage and memory allocation efficiently to maximize performance and resource utilization.

• Virtual Memory: Allocates virtual addresses to processes, allowing the system to use disk space as an extension of RAM.
• Paging: Divides memory into fixed-size blocks (pages), enabling efficient swapping between RAM and storage.
• Segmentation: Divides memory into variable-sized segments based on program structure, such as code, stack, and data.
• Dynamic Memory Allocation: Allows processes to request memory at runtime, using methods like malloc (in C/C++) or garbage collection in higher-level languages.
• File Storage: Data is stored in hierarchical file systems, utilizing directories and files for organization. Storage is managed through inode structures in file systems like NTFS or ext4.

2) Describe the process of preparing evidence for seizure in digital forensics.

• Planning and Authorization: Obtain legal warrants and define the scope of evidence collection.
• Documentation: Photograph the crime scene, log device states, and record serial numbers to maintain integrity.
• Isolation: Disconnect devices from networks to prevent tampering or remote access.
• Imaging: Create bit-by-bit forensic images of storage media to ensure data integrity.
• Seizure: Securely transport evidence to forensic labs, following chain-of-custody protocols.
• Preservation: Store original devices in secure, climate-controlled environments.

3) What are the main functions of the file system in an operating system?

• Data Storage and Retrieval: Efficiently stores and retrieves files using hierarchical structures.
• File Organization: Maintains directory trees, enabling logical grouping of files.
• Access Control: Implements permissions and user authentication to restrict unauthorized access.
• Space Management: Tracks free and allocated space, optimizing storage utilization.
• Error Recovery: Provides mechanisms to detect and recover from file system errors.
4) Discuss the challenges of ensuring privacy in digital forensic examination.

• Data Sensitivity: Investigations often access private data unrelated to the case, raising ethical concerns.
• Legal Compliance: Adhering to data protection laws like GDPR while collecting evidence.
• Encryption: Encountering encrypted files or devices that hinder access to evidence.
• Cloud Storage: Retrieving data from remote servers while maintaining jurisdictional boundaries.
• Minimizing Collateral Intrusion: Ensuring that non-relevant data from other users on shared devices remains untouched.

5) Briefly explain the purpose of using forensic tools in investigating computer crimes.

• Data Recovery: Retrieve deleted or hidden files.
• Imaging: Create forensic duplicates of storage devices without altering original data.
• Analysis: Examine file structures, logs, and system artifacts.
• Network Monitoring: Capture and analyze traffic for signs of unauthorized access.
• Reporting: Generate comprehensive reports for legal proceedings.

6) Define & give examples of command computer types.

Command computers are systems designed to execute specific instructions or commands provided by users or other systems. They are typically tailored for mission-critical tasks, such as military operations or industrial automation.

Examples:

• Military Command Systems: Used for strategic planning and execution.
• SCADA Systems: Monitor and control industrial processes in energy or manufacturing sectors.

7) Discuss the role of networking protocols in securing computer systems communications.

Networking protocols enhance security by enforcing encryption, authentication, and data integrity:

• SSL/TLS: Encrypts web traffic, securing data transmission.
• IPSec: Ensures secure VPN connections at the IP layer.
• HTTPS: Combines HTTP with SSL/TLS for encrypted web interactions.
• SMTP with STARTTLS: Encrypts email communications.
• SSH: Secures terminal access for remote management.

These protocols mitigate risks like interception, tampering, and identity theft in digital communication.

8) Describe the process & importance of creating a bit stream image in digital forensics.

Process:

• Write Protection: Use write blockers to prevent accidental alterations.
• Imaging: Employ tools like EnCase to create a bit-by-bit copy of the storage medium.
• Hash Verification: Generate hash values (e.g., MD5, SHA-256) to ensure image integrity.
• Storage: Secure the original and imaged copies in tamper-proof containers.

Importance:

• Integrity Preservation: Maintains the original evidence in its untouched state.
• Admissibility: Ensures evidence is court-admissible by proving authenticity.
• Comprehensive Analysis: Captures hidden and deleted data for detailed examination.
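The acquisition, hash-verification and "captures deleted data" points of questions 6 and 8 above, shown in an added Python example that is not from the original notes: the six-sector disk, its allocation set and the 64-byte sector size are constructed for the demo, and a read-only memoryview stands in for the write blocker.

```python
import hashlib
from typing import Dict, Iterator, Set, Tuple

SECTOR = 64  # constructed tiny sector size; real media use 512 or 4096 bytes


def build_sample_disk() -> Tuple[bytes, Set[int]]:
    """Constructed 6-sector 'disk': sectors 0-2 are allocated to live files,
    sector 4 still holds the remains of a deleted file, the rest is zeroed.
    Returns (raw_bytes, allocated_sector_numbers)."""
    sectors = [b"\x00" * SECTOR for _ in range(6)]
    sectors[0] = b"FILE1: quarterly report".ljust(SECTOR, b"\x00")
    sectors[1] = b"FILE1: continued".ljust(SECTOR, b"\x00")
    sectors[2] = b"FILE2: config".ljust(SECTOR, b"\x00")
    sectors[4] = b"DELETED: draft of resignation letter".ljust(SECTOR, b"\x00")
    return b"".join(sectors), {0, 1, 2}


def read_sectors(device: bytes) -> Iterator[bytes]:
    """Read-only window over the source medium (the write blocker's role here)."""
    view = memoryview(device).toreadonly()
    for off in range(0, len(view), SECTOR):
        yield bytes(view[off:off + SECTOR])


def acquire_bitstream(device: bytes) -> Tuple[bytes, Dict[str, str]]:
    """Copy every sector, allocated or not, hashing the stream as it is copied
    so the acquisition hashes are recorded at the moment of imaging."""
    sha, md5, image = hashlib.sha256(), hashlib.md5(), bytearray()
    for sector in read_sectors(device):
        image += sector
        sha.update(sector)
        md5.update(sector)
    return bytes(image), {"sha256": sha.hexdigest(), "md5": md5.hexdigest()}


def logical_copy(device: bytes, allocated: Set[int]) -> bytes:
    """What an ordinary file copy yields: allocated sectors only."""
    return b"".join(s for i, s in enumerate(read_sectors(device)) if i in allocated)


def verify_image(image: bytes, acquisition_hashes: Dict[str, str]) -> bool:
    """Re-hash the stored image and compare with the hashes taken at acquisition."""
    return (hashlib.sha256(image).hexdigest() == acquisition_hashes["sha256"]
            and hashlib.md5(image).hexdigest() == acquisition_hashes["md5"])


def demo() -> dict:
    disk, allocated = build_sample_disk()
    image, hashes = acquire_bitstream(disk)
    logical = logical_copy(disk, allocated)
    tampered = bytearray(image)
    tampered[SECTOR * 4] ^= 0xFF  # flip one byte in the unallocated sector
    return {
        "image_matches_source": hashlib.sha256(disk).hexdigest() == hashes["sha256"],
        "bitstream_has_deleted": b"DELETED" in image,
        "logical_has_deleted": b"DELETED" in logical,
        "verify_ok": verify_image(image, hashes),
        "verify_tampered": verify_image(bytes(tampered), hashes),
    }


if __name__ == "__main__":
    print(demo())
```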

9) Describe the fundamentals of computer hardware, including hard disk construction, memory & processor functions.

1. Hard Disk Construction

• Platters: Circular disks made of aluminum or glass coated with a magnetic material. Data is written onto and read from these platters.
• Spindle: A rotating axis that spins the platters at high speeds, typically measured in revolutions per minute (RPM). Higher RPM values generally equate to faster data retrieval.
• Read/Write Heads: Positioned over the platters, these heads magnetize or demagnetize tiny regions to store binary data (1s and 0s). They hover nanometers above the platter surface.
• Actuator Arm: Moves the read/write heads to specific locations on the platter for data access.
• Controller Board: An electronic circuit board that manages the operations of the drive and communicates with the rest of the computer.

2. Memory Functions

• Random Access Memory (RAM): Volatile memory used to store data that the CPU accesses frequently. It acts as a workspace, enabling fast data retrieval and processing.
• Read-Only Memory (ROM): Non-volatile memory used to store firmware or essential instructions for booting the computer.
• Cache Memory: High-speed memory located close to the CPU. It stores frequently used instructions and data, reducing latency and improving processing speed.
• Secondary Storage: Permanent storage devices like hard drives, solid-state drives (SSDs), and optical disks. Unlike RAM, this memory retains data even when the computer is powered off.

3. Processor Functions

• Fetch: Retrieving instructions or data from memory.
• Decode: Interpreting the fetched instructions into operations the CPU can carry out.
• Execute: Performing the required operations, such as arithmetic calculations or data transfers.
• Store: Saving results back into memory or registers.

10) Compare & contrast the types of malware, including viruses, worms, Trojans & their impacts on computer systems.

Viruses:

• Characteristics: Attach to legitimate files or programs and require user action (e.g., opening a file) to activate.
• Propagation: Spread by infecting other files on the same system or through external devices.
• Impact: Can corrupt files, delete data, and affect system performance.

Worms:

• Characteristics: Self-replicating programs that spread independently without user action.
• Propagation: Exploit network vulnerabilities to infect other systems.
• Impact: Consume bandwidth, slow network performance, and may install backdoors for attackers.

Trojans:

• Characteristics: Disguised as legitimate software to trick users into installing them.
• Propagation: Require user action to install but do not self-replicate.
• Impact: Create backdoors, steal data, or facilitate further attacks.

11) Briefly describe the difference between LAN, WAN & MAN.

12) What is the importance of encoding methods in data storage?

• Data Compression: Reduces file size for efficient use of storage space. Examples include MP3 (audio) and JPEG (images).
• Error Detection and Correction: Encoding methods like parity checks and Reed-Solomon codes ensure data integrity during transmission or storage.
• Compatibility: Standardized encoding (e.g., UTF-8) ensures data is accessible across different systems and platforms.
• Security: Encryption-based encoding protects sensitive data from unauthorized access.

13) List & describe the steps involved in restoring deleted files during forensic investigations.

• Securing the System: Prevent further operations to avoid overwriting deleted files.
• Disk Imaging: Create a bit-by-bit copy of the storage medium for analysis.
• File System Analysis: Use forensic tools (e.g., FTK, Autopsy) to examine file allocation tables and identify deleted files.
• Metadata Recovery: Extract file metadata, including timestamps and locations.
• Carving Files: Recover file fragments using data carving techniques based on known file signatures.
• Verification: Validate the recovered files using checksums or hashes to ensure integrity.
• Documentation: Document the recovery process and findings for legal or investigative purposes.
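An added Python example (not from the original notes) of the carving and verification steps above: it scans a constructed unallocated-space dump for JPEG and PNG header/footer signatures, carves the complete objects, flags a truncated one instead of dropping it, and records a SHA-256 for each carved file; the signature table and the dump are constructed for the demo.

```python
import hashlib
import re

# Constructed header/footer signature table (a small subset of what carving tools ship)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def build_sample_dump() -> bytes:
    """Constructed unallocated-space dump: filler, a complete JPEG, filler,
    a complete PNG, filler, and a JPEG whose tail was overwritten (no footer)."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 20 + b"\xff\xd9"          # 26 bytes at offset 16
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xaeB`\x82"   # 46 bytes at offset 50
    truncated = b"\xff\xd8\xff\xe1" + b"T" * 10                   # header only, offset 100
    return b"\x00" * 16 + jpg + b"\x00" * 8 + png + b"\x00" * 4 + truncated + b"\x00" * 5


def carve(dump: bytes) -> list:
    """Find every known header; for each, look for the matching footer after it.
    Complete objects are carved and hashed for the verification step; a header
    with no footer is reported as incomplete rather than silently ignored."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        for m in re.finditer(re.escape(header), dump):
            start = m.start()
            end = dump.find(footer, start + len(header))
            if end == -1:
                found.append({"type": kind, "offset": start, "size": None,
                              "complete": False, "sha256": None})
                continue
            end += len(footer)
            data = dump[start:end]
            found.append({"type": kind, "offset": start, "size": len(data),
                          "complete": True,
                          "sha256": hashlib.sha256(data).hexdigest()})
    # offset order gives the recovery log a natural layout for the report
    return sorted(found, key=lambda f: f["offset"])


if __name__ == "__main__":
    for entry in carve(build_sample_dump()):
        print(entry)
```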

14) Discuss in detail the history & evolution of operating systems, covering major milestones from DOS to modern OS.

1. First Generation (1940s - Early 1950s): No Operating System

• Early computers like the ENIAC operated without an operating system.
• Programs were manually loaded and executed using punch cards or switches.
• Only one program could run at a time, and users interacted directly with the hardware.
• This era saw minimal automation, and computation was limited by the lack of system management tools.

2. Second Generation (1950s - 1960s): Batch Processing Systems

• The advent of magnetic tape replaced punch cards, enabling batch processing.
• Early OS like GM-NAA I/O (developed for the IBM 704 in 1956) were introduced.
• These systems grouped jobs together into batches to maximize resource utilization.
• Key limitations: No user interaction during job execution and no multitasking.

3. Third Generation (1960s - 1970s): Multiprogramming and Time-Sharing

• Introduction of transistors and integrated circuits made computers faster and more affordable.
• Multiprogramming: Allowed multiple jobs to reside in memory simultaneously, enabling efficient CPU usage.
• Time-Sharing Systems (TSS): Allowed multiple users to interact with the system concurrently.
• Example: MULTICS (1969), a precursor to UNIX, introduced advanced time-sharing features.
• Operating systems like UNIX (1969) emerged, offering portability, multitasking, and multi-user capabilities.

4. Fourth Generation (1970s - 1980s): Personal Computers and Graphical Interfaces

• Development of microprocessors enabled the rise of personal computers (PCs).
• Early OS for PCs included CP/M (1974) and MS-DOS (1981), which were command-line based.
• Graphical User Interfaces (GUIs) emerged with systems like Xerox Alto (1973), paving the way for user-friendly interfaces.
• Apple's Macintosh OS (1984) and Microsoft Windows (1985) popularized GUIs for general consumers.

5. Fifth Generation (1990s): Networking and Multimedia Integration

• Networking became integral to operating systems, with the rise of the Internet.
• Microsoft's Windows 95 introduced a GUI and built-in networking features.
• Open-source OS like Linux (1991) gained traction, offering customization and community-driven development.
• Multimedia support expanded, with systems optimized for video, audio, and graphics.

6. Modern Era (2000s - Present): Mobile, Cloud, and AI-Driven Systems

• Mobile Operating Systems: Apple's iOS (2007) and Google's Android (2008) revolutionized mobile computing, emphasizing touch interfaces and app ecosystems.
• Cloud Integration: OS like Google Chrome OS and virtualized environments depend heavily on cloud services.
• Security and User Experience: Advanced security features, seamless updates, and user-centric designs became priorities.
• Artificial Intelligence: AI-powered features such as voice assistants (e.g., Siri, Cortana) and intelligent resource management are now standard.
• Cross-Platform Compatibility: Systems like Windows 11 and macOS emphasize compatibility across devices, including desktops, tablets, and smartphones.

15) Explain the legal & ethical considerations involved in digital forensic investigations, with examples.

Legal Considerations:

• Authorization and Warrants
• Chain of Custody
• Data Protection Laws
• Admissibility of Evidence

Ethical Considerations:

• Privacy Concerns
• Professional Integrity
• Cultural Sensitivity
• Transparency

16) Describe the process & significance of extracting & analysing digital artifacts in a computer forensic investigation.

Process of Extraction and Analysis:

• Evidence Preservation: Use write blockers and create forensic images of storage media to prevent data alteration.
• Artifact Identification: Identify relevant artifacts based on the case, such as email logs, temporary files, or registry keys. Tools like Autopsy or FTK are used to locate and extract artifacts.
• Data Parsing: Convert raw data into readable formats, for example by extracting timestamps or decoding proprietary formats.
• Correlation: Link extracted artifacts to user actions, such as matching file access logs with timestamps.
• Validation: Use hash values to confirm the integrity of recovered data.
• Reporting: Present findings clearly in a manner suitable for legal proceedings, including timelines and summaries.

Significance:

• Reconstructing Events: Artifacts can reveal the sequence of actions leading to a security breach or illegal activity.
• Identifying Malicious Activity: Detect signs of malware, unauthorized access, or data theft through log analysis.
• Legal Proceedings: Extracted artifacts serve as crucial evidence in court. For instance, email headers can trace the origin of phishing attempts.
• Preventative Insights: Analysis highlights vulnerabilities exploited by attackers, guiding future security measures.
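As an added example, not from the original notes, of the "email headers can trace the origin of phishing attempts" point: the Python below parses a constructed message (TEST-NET addresses and reserved .test hostnames stand in for real ones), walks its Received chain from the latest relay back to the first hop, and checks whether the From domain agrees with the Message-ID domain.

```python
import email
import re

# Constructed sample message: IPs come from the TEST-NET documentation ranges
# and hostnames use the reserved .test TLD. Received headers are folded with
# a tab, as real mail servers do.
RAW_EMAIL = """\
Received: from mail-relay.example-corp.test (mail-relay.example-corp.test [203.0.113.10])
\tby mx.example-corp.test with ESMTPS id abc123; Mon, 3 Mar 2025 10:15:02 +0000
Received: from sketchy-vps.example.test (unknown [198.51.100.77])
\tby mail-relay.example-corp.test with ESMTP; Mon, 3 Mar 2025 10:14:58 +0000
From: "IT Helpdesk" <helpdesk@example-corp.test>
To: alice@example-corp.test
Subject: Password reset required
Message-ID: <1234@sketchy-vps.example.test>

Please click the link below to reset your password.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
DOMAIN_RE = re.compile(r"@([\w.-]+)")


def received_chain(raw: str) -> list:
    """One dict per Received header, in header order: the top entry is the
    relay that handled the message last, the bottom entry the first hop."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold the header
        ip = IP_RE.search(text)
        src = re.search(r"\bfrom (\S+)", text)
        dst = re.search(r"\bby (\S+)", text)
        hops.append({
            "from": src.group(1) if src else None,
            "ip": ip.group(1) if ip else None,
            "by": dst.group(1) if dst else None,
        })
    return hops


def origin_hop(raw: str) -> dict:
    """Each relay prepends its own Received line, so the bottom-most header is
    the one closest to the sender. Only headers added by servers you control
    are trustworthy; anything below them could have been forged by the sender."""
    return received_chain(raw)[-1]


def from_messageid_mismatch(raw: str) -> bool:
    """A From domain that differs from the Message-ID domain is one indicator
    (not proof) that the visible sender address was spoofed."""
    msg = email.message_from_string(raw)
    from_dom = DOMAIN_RE.search(msg["From"] or "")
    mid_dom = DOMAIN_RE.search(msg["Message-ID"] or "")
    return bool(from_dom and mid_dom and from_dom.group(1) != mid_dom.group(1))


if __name__ == "__main__":
    for hop in received_chain(RAW_EMAIL):
        print(hop)
    print("origin:", origin_hop(RAW_EMAIL))
    print("From/Message-ID mismatch:", from_messageid_mismatch(RAW_EMAIL))
```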
