Paper 2023

QUESTION ONE (20 marks) - Compulsory

a) Workflow used in a Forensics Investigative Methodology (9 Marks)

The forensic investigative methodology involves the following structured workflow:

1. Identification
o Determine the t.ype of incident and identify the digital devices and data
sources involved (e.g., hard drives, emails, network logs).
o Example: Identifying an employee’s computer suspected of containing
evidence of fraud.
2. Preservation
o Secure the digital evidence to prevent data modification or loss.
o Use write blockers, create disk images, and document the chain of custody.
o Example: Imaging a hard drive to ensure original data is untouched.
3. Collection
o Acquire data from identified sources using forensic tools like FTK or EnCase.
o Includes physical (e.g., hard drives) and logical (e.g., email archives) evidence
collection.
4. Examination
o Analyze the data for relevant artifacts using forensic techniques.
o Example: Searching for deleted files or encrypted data.
5. Analysis
o Interpret the findings, correlate data points, and determine their relevance to
the investigation.
o Example: Identifying timestamps of unauthorized file access.
6. Documentation
o Document every step of the investigation, including tools used and findings.
This ensures transparency and admissibility in court.
7. Presentation
o Prepare the findings in a clear, concise format for legal teams or court
presentations.

b) Why is the Chain of Custody an Important Element of Computer Forensics? (6

Marks)

The chain of custody refers to the documented process that tracks the handling of evidence
from the time it is collected to its presentation in court. Its importance includes:

1. Maintaining Integrity of Evidence

o Ensures the evidence remains unaltered and is reliable for legal proceedings.
2. Legal Admissibility
o Courts require proof that evidence has been handled appropriately to prevent
tampering or contamination.
 3. Accountability
o Assigns responsibility for evidence at every stage, ensuring transparency.
4. Avoiding Legal Challenges
o Any gap in the chain could lead to the evidence being inadmissible or
questioned during cross-examination.

c) Identify the Two Types of Data Acquisition and Describe Them (5 Marks)

1. Physical Acquisition
o Copies all data from a device, including deleted and unallocated spaces.
o Example: Creating a complete bit-by-bit image of a hard drive.
2. Logical Acquisition
o Copies active files and directories but does not include deleted or hidden data.
o Example: Extracting user documents and emails from a system.

QUESTION TWO (15 marks)

a) Key Considerations in Setting up a Computer Forensics Lab (5 Marks)

1. Secure Location:
o The lab must be in a secure location to prevent unauthorized access.
2. Specialized Equipment:
o Ensure the availability of forensic tools (e.g., write blockers, imaging tools).
3. Data Storage:
o Large, secure storage solutions for evidence preservation.
4. Compliance:
o Adherence to legal standards and regulations governing digital evidence.
5. Trained Personnel:
o Employ certified forensic analysts with relevant expertise.

b) Roles in a Forensic Investigative Team (5 Marks)

1. Digital Forensics Analyst

o Conducts data collection, preservation, and analysis.
2. Incident Response Specialist
o Handles real-time investigations of cyber incidents.
3. Legal Advisor
o Provides legal guidance and ensures compliance with regulations.
4. Malware Analyst
o Examines malicious software and determines its origin and purpose.
5. Team Lead/Manager
o Oversees the investigation, ensuring adherence to timelines and objectives.
c) Guidelines for Building an Investigative Team (5 Marks)

1. Define Roles Clearly:

o Assign specific responsibilities to team members based on expertise.
2. Training and Certification:
o Ensure all team members are trained in the latest forensic tools and
methodologies.
3. Communication Plan:
o Establish clear channels for collaboration and reporting.
4. Access Control:
o Restrict access to evidence and tools to authorized personnel only.
5. Regular Updates:
o Conduct regular team briefings to review progress and adapt to challenges.

QUESTION THREE (15 marks)

a) Phases Involved in the Forensics Investigation Process (5 Marks)

1. Preparation:
o Define objectives and gather tools and resources.
2. Identification:
o Locate potential evidence and determine its relevance.
3. Collection:
o Acquire evidence using sound forensic methods.
4. Analysis:
o Examine and interpret data to identify patterns or anomalies.
5. Presentation:
o Document findings and present them in court-admissible formats.

b) Impact of Poor Evidence Handling on Admissibility (5 Marks)

• Consequences:
o Evidence could be declared inadmissible, weakening the case.
o Legal challenges and claims of tampering could arise.
• Document:
o The Chain of Custody is the key document that tracks how evidence is
handled.

c) Steps in Presenting Evidence as an Expert Witness (5 Marks)

1. Qualification as an Expert Witness:

o Establish credentials and experience to the court.
2. Evidence Presentation:
o Present findings clearly and concisely.
 3. Exhibit Handling:
o Explain how evidence was collected, preserved, and analyzed.
4. Cross-Examination:
o Answer questions posed by opposing counsel.
5. Professional Conduct:
o Maintain impartiality and stick to facts during testimony.

QUESTION FOUR (15 marks)

a) Rules of Thumb for Data Acquisition (5 Marks)

1. Work on Copies Only:

o Never analyze the original data; use forensic copies instead.
2. Preserve Data Integrity:
o Use write blockers to avoid modifying evidence.
3. Document the Process:
o Maintain detailed records of all actions taken.
4. Follow Legal Standards:
o Ensure compliance with laws governing data acquisition.
5. Test Tools:
o Verify the reliability of tools before use.

b) Role of Write Blockers in Forensics Investigations (5 Marks)

• Definition:
o Write blockers are tools that prevent any modification to a storage device
during analysis.
• Role:
o Ensure evidence remains intact by allowing read-only access.
o Example: A write blocker is used to safely image a suspect’s hard drive
without altering the data.

Paper 2022

QUESTION ONE – COMPULSORY [20 MARKS]

a) Discuss in detail the contents of a search and seizure plan. (5 Marks)

A search and seizure plan outlines the procedures for identifying, collecting, and preserving
evidence during an investigation. Key contents include:

1. Objectives of the Search:

 o Define the purpose, such as collecting evidence of cybercrimes, intellectual
property theft, or unauthorized access.
2. Scope of the Search:
o Identify target devices (e.g., laptops, desktops, mobile phones, USB drives)
and the type of evidence sought, such as emails, encrypted files, or logs.
3. Legal Authorization:
o Include search warrants or other legal approvals required to seize devices or
search premises.
4. Personnel Involved:
o Identify the investigation team, including forensic experts, IT specialists, and
legal advisors.
5. Preservation of Evidence:
o Detail how evidence will be preserved to maintain its integrity, including the
use of write blockers and secure storage.
6. Chain of Custody Documentation:
o Ensure all evidence is logged and tracked throughout the process to maintain
its admissibility in court.
7. Tools and Techniques:
o Specify the tools (e.g., forensic software, imaging devices) and methods used
to collect evidence without altering it.

b) Challenges Cybercrimes Pose to Investigators (6 Marks)

Cybercrimes present unique challenges for forensic investigators. Examples include:

1. Anonymity of Attackers:
o Cybercriminals often use techniques like VPNs, Tor, or proxy servers to mask
their identity.
o Example: An attacker defrauds an e-commerce platform using stolen credit
card details, routing their activities through multiple IP addresses.
2. Encryption:
o Encrypted data and communication channels (e.g., WhatsApp, Signal) make
accessing evidence difficult.
o Example: An insider encrypts company emails and files before unauthorized
exfiltration.
3. Anti-Forensics Techniques:
o Attackers use data obfuscation, steganography, or file wiping to hinder
investigations.
o Example: A hacker deletes logs and overwrites unallocated disk space to
erase their tracks.
4. Cross-Border Investigations:
o Cybercrimes often involve jurisdictions with varying legal frameworks,
complicating evidence collection and prosecution.
o Example: A ransomware gang based in Eastern Europe targets businesses in
Kenya.
5. Volume of Data:
o Analyzing large volumes of logs, emails, and file systems can overwhelm
investigators.
 oExample: Reviewing 100 TB of corporate data to locate malicious activity.
6. Rapidly Evolving Technology:
o Investigators must continually adapt to new malware, tools, and tactics.
o Example: Investigating an AI-generated phishing campaign.

c) Mandatory Requirements for Selecting a Data Acquisition Tool (5 Marks)

When selecting a data acquisition tool, investigators must ensure it meets the following
requirements:

1. Forensic Soundness:
o The tool must preserve the integrity of data and ensure no modifications occur
during acquisition.
o Example: FTK Imager creates a bit-by-bit copy while maintaining data
integrity.
2. Compatibility:
o It should support various file systems (e.g., NTFS, FAT32) and storage
devices.
o Example: EnCase can analyze data from HDDs, SSDs, and mobile devices.
3. Efficiency:
o The tool should handle large datasets and complete acquisition promptly.
o Example: Imaging a 1 TB hard drive without delays.
4. Reporting Capability:
o It must generate detailed logs to document the acquisition process.
o Example: Autopsy includes acquisition details for chain-of-custody purposes.
5. Legal Compliance:
o The tool should comply with local and international forensic standards.
o Example: Using tools approved under ISO 27037 ensures admissibility in
court.

d) Four Types of Anti-Forensics Techniques (4 Marks)

1. Data Wiping:
o Overwrites data to make recovery impossible.
o Example: Using software like DBAN to erase a hard drive.
2. Encryption:
o Encrypts files or devices, making data inaccessible without the correct
decryption key.
o Example: A criminal encrypts their entire drive with BitLocker.
3. Steganography:
o Hides data within non-suspicious files like images or videos.
o Example: Embedding malicious code in an innocent-looking PNG file.
4. Log Tampering:
o Alters or deletes system logs to erase traces of activity.
o Example: A hacker removes login entries from the server's log files.
QUESTION TWO [15 MARKS]

a) Investigating a Web Attack (10 Marks)

1. Identify the Attack:

o Analyze logs to determine the type of attack (e.g., SQL injection, cross-site
scripting).
o Example: Unusual database queries suggest an SQL injection.
2. Isolate Affected Systems:
o Disconnect compromised systems to prevent further damage.
3. Collect Evidence:
o Gather web server logs, database records, and application source code.
o Example: Capture requests targeting vulnerable parameters in URLs.
4. Analyze the Attack Path:
o Identify how the attacker gained entry and escalated privileges.
o Example: A vulnerable login page allowed credential harvesting.
5. Mitigate Vulnerabilities:
o Apply patches, secure configurations, and implement firewalls.

b) Legal Issues with Logs (5 Marks)

1. Data Privacy:
o Logs must comply with data protection regulations (e.g., GDPR).
2. Retention Periods:
o Determine how long logs can be retained legally.
3. Chain of Custody:
o Maintain proper documentation to ensure logs are admissible.
4. Anonymization:
o Logs containing sensitive data should be anonymized.
5. Access Control:
o Restrict access to logs to authorized personnel only.

QUESTION THREE [15 MARKS]

Contents of a Forensics Investigation Report (15 Marks)

1. Executive Summary:
o High-level overview of findings.
2. Objective:
o Purpose of the investigation.
3. Scope:
o What was examined (e.g., devices, systems).
4. Evidence Collected:
o Details of the data sources and acquisition process.
 5. Analysis:
o Findings, such as malicious activity or tampered files.
6. Conclusion:
o Summary of key points.
7. Recommendations:
o Steps for remediation and prevention.

QUESTION FOUR [15 MARKS]

a) First Responder Procedure (4 Marks)

1. Secure the Scene.

2. Document Evidence Location.
3. Disconnect Devices Safely.
4. Transport Evidence Securely.

b) Data Acquisition and Duplication Steps (5 Marks)

1. Create a Forensic Image.

2. Verify Image Integrity.
3. Use the Logical Acquisition Format for Documents.

c) Detailed Forensic Plan (6 Marks)

1. Identify Scope.
2. Preserve Evidence.
3. Analyze Data.
4. Document and Report.

Paper 2024

QUESTION ONE (20 Marks) - Compulsory

a) Steps in a Typical Computer Forensic Investigation Process (4 Marks)

1. Identification
o Recognize potential evidence sources and define the investigation's scope.
o Example: Identifying a compromised laptop in a data breach.
2. Preservation
o Protect evidence from alteration using tools like write blockers.
o Example: Creating a bit-by-bit image of a suspect's hard drive.
 3. Collection
o Acquire evidence from devices or networks while maintaining its integrity.
o Example: Extracting email logs from a mail server.
4. Analysis
o Examine the evidence to uncover relevant information.
o Example: Detecting malware behavior through log analysis.
5. Documentation
o Record all actions taken during the investigation.
6. Presentation
o Summarize findings for legal or organizational purposes.

b) Importance of Up-to-Date Tools in Forensic Investigations (4 Marks)

1. Accuracy:
o Modern tools improve accuracy in data recovery and analysis.
o Example: Advanced disk imaging tools ensure every byte is captured.
2. Efficiency:
o Up-to-date tools speed up investigation processes.
o Example: Faster decryption algorithms reduce analysis time.
3. Adaptation to Evolving Technologies:
o New tools handle emerging threats like encrypted ransomware.
4. Legal Compliance:
o Current tools align with forensic standards for evidence admissibility.

c) Requirements for Setting Up a Computer Forensics Laboratory (4 Marks)

1. Secure Location:
o A controlled environment with restricted access.
2. Forensic Workstations:
o High-performance computers with dedicated forensic software.
3. Specialized Tools:
o Hardware like write blockers and software for disk imaging and memory
analysis.
4. Storage:
o Secure storage for evidence with redundancy systems.

d) Network Forensics and Its Importance (4 Marks)

• Concept:
Network forensics involves capturing, recording, and analyzing network traffic to
uncover cybercrimes.
• Importance:
o Incident Response: Detect and mitigate attacks in real time.
o Evidence Collection: Provide proof of unauthorized access or data breaches.
 o Example: Investigating DDoS attacks by analyzing traffic patterns.

e) Qualifications and Responsibilities of a Computer Forensics Expert Witness (4

Marks)

1. Qualifications:
o Certifications like Certified Computer Forensics Examiner (CCFE).
o Extensive experience in forensic investigations.
2. Responsibilities:
o Analyze evidence and prepare detailed reports.
o Testify in court and explain findings in simple terms.

QUESTION TWO (15 Marks)

a) Tools and Techniques for Mobile Device Forensics (5 Marks)

1. Tools:
oCellebrite: Extracts data from phones, including deleted files.
oOxygen Forensic Suite: Analyzes app data and communication logs.
2. Techniques:
o Physical Extraction: Creates a bit-by-bit copy of device storage.
o Logical Extraction: Retrieves active data like contacts and messages.
o Data Carving: Recovers deleted files from unallocated space.

b) Disk Imaging and Memory Analysis Tools (10 Marks)

Category Tool Use Case Advantages Disadvantages

Disk Creates bit-by-bit Preserves integrity Time-consuming for
FTK Imager
Imaging copies of hard drives of evidence large drives
Robust reporting
EnCase Imaging and analysis Expensive
tools
Analyzes RAM for
Memory Open-source and
Volatility malware or active Steep learning curve
Analysis versatile
data
Magnet RAM Captures volatile Simple and fast for
Limited to RAM data
Capture memory volatile data

QUESTION THREE (15 Marks)

a) Data Acquisition Methods in Forensics (5 Marks)

 1. Bit-Stream Imaging:
o Creates a sector-by-sector copy of storage media.
o Advantage: Preserves deleted data.
o Disadvantage: Requires significant time and storage.
2. Logical Acquisition:
o Copies only active data.
o Advantage: Faster and requires less storage.
o Disadvantage: Misses hidden or deleted files.
3. Live Data Acquisition:
o Captures data from a running system.
o Advantage: Useful for volatile data like active processes.
o Disadvantage: High risk of altering data during acquisition.

b) Challenges in Email Investigations (5 Marks)

1. Encryption:
o Emails secured with encryption are difficult to access.
2. Anonymity:
o Spoofed sender addresses complicate tracing.
3. Volume of Data:
o Large mailboxes require extensive analysis.
4. Cross-Jurisdictional Issues:
o Emails stored on servers in different countries face legal challenges.
5. Deleted Emails:
o Recovery of deleted emails is not always guaranteed.

c) Methods for File Recovery in Forensics (5 Marks)

1. File System Analysis:

o Examine metadata to locate and restore deleted files.
2. Data Carving:
o Extract file fragments based on known signatures.
3. Backup Analysis:
o Retrieve files from system backups.

QUESTION FOUR (15 Marks)

a) Key Considerations When Processing Evidence (5 Marks)

1. Chain of Custody:
o Maintain documentation of evidence handling.
2. Integrity:
o Use write blockers to avoid altering data.
3. Legal Compliance:
 o Adhere to local and international laws governing digital evidence.
4. Storage Security:
o Store evidence in secure, tamper-proof environments.
5. Documentation:
o Record every step taken to ensure transparency.

b) Categories of Computer Forensic Tasks (5 Marks)

1. Disk Forensics:
o Analyze storage media for tampered or deleted files.
2. Network Forensics:
o Monitor traffic for unauthorized activities.
3. Email Forensics:
o Investigate email trails for phishing or fraud.
4. Memory Forensics:
o Examine volatile memory for active malware.
5. Mobile Forensics:
o Retrieve and analyze data from mobile devices.