Exam Information CSI5107 Network Security
The following slides are designed to prompt your thinking with regard to the content covered in this unit. The exam is not just about describing or defining concepts; it is about applying your knowledge of digital forensic concepts to different issues.
To pass the unit you must obtain at least 50% of the available marks in the exam AND obtain at least 50 marks in the unit in total
Module 1
What is computer forensics?
Civil versus criminal case requirements
Inculpatory versus exculpatory evidence
Computer forensics versus data recovery
Why is planning important in computer forensics?
Considerations when preparing for an investigation
Module 2
What is a computer forensics plan? Why is it important? What does it contain?
Digital forensic reports: what is their purpose?
What is the purpose of segregating a report into issues (chapters)?
What is the purpose of a running sheet?
You should be able to communicate the findings of an investigation.
Module 3
Acquisition formats: raw, proprietary, Advanced Forensic Format (AFF). Definitions, examples, pros and cons of each.
Static versus live acquisitions
Logical versus physical acquisitions
Focus on process, procedure, tools/software commands, benefits, issues and constraints.
Module 3 (continued)
Security requirements before acquisition: media preparation, policies, procedures etc.
Forensic tool benefits and their limitations
Validation techniques: MD5 vs SHA-1 vs other hash functions
Issues with acquiring a RAID
Network and remote acquisitions
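The validation step itself, as an added example that is not part of these slides or the unit's materials: hash the acquired image, record the digests, and re-hash later to prove the image has not changed. The "image" here is a constructed byte string standing in for an acquired disk image; the chunk size and the three algorithms are assumptions. MD5 has known collision attacks, which is why tools record a second algorithm alongside it, and both are computed in the same single pass over the evidence.

```python
import hashlib
from typing import Dict, Iterable

# Constructed stand-in for an acquired image (4 KiB of bytes); not real evidence.
SAMPLE_IMAGE = bytes(range(256)) * 16


def hash_image(data: bytes,
               algorithms: Iterable[str] = ("md5", "sha1", "sha256"),
               chunk_size: int = 1024) -> Dict[str, str]:
    """Compute several digests of an image in a single pass over the data.

    Reading in chunks is how a tool handles an image larger than RAM; feeding
    every chunk to all hashers means the evidence is read only once.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(data: bytes, recorded: Dict[str, str]) -> Dict[str, bool]:
    """Recompute the digests recorded at acquisition and report, per
    algorithm, whether the image still matches. Every algorithm must match."""
    current = hash_image(data, algorithms=tuple(recorded))
    return {name: current[name] == recorded[name].lower() for name in recorded}


def flip_one_byte(data: bytes, offset: int) -> bytes:
    """Simulate the smallest possible change to the image, e.g. a single
    write caused by mounting it without a write blocker."""
    mutated = bytearray(data)
    mutated[offset] ^= 0x01
    return bytes(mutated)


if __name__ == "__main__":
    recorded = hash_image(SAMPLE_IMAGE)
    for name, digest in recorded.items():
        print(f"{name:7s} {digest}")
    print("unchanged image verifies:", verify_image(SAMPLE_IMAGE, recorded))
    print("after a one-byte change: ", verify_image(flip_one_byte(SAMPLE_IMAGE, 100), recorded))
```

Record the digests in the running sheet at acquisition time; a later mismatch on any one algorithm means the image can no longer be shown to be the one acquired.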
Module 4
Understand binary/hex conversions etc.
Little vs big endian: which byte order a platform uses (set by the processor architecture and the file formats its OS and applications write)
What does 'endian' mean when interpreting data with a hex editor?
Why should we care in what order data is stored?
Sectors vs clusters
File slack
Partitions
Boot code
Rules of evidence:
Admissible: conforms to the legal rules for admissibility in court
Authentic: it is possible to tie the evidentiary material to the incident
Complete: must tell the whole story, not just one perspective
Reliable: nothing from the time the evidence is collected and handled should cast doubt on its authenticity and reliability
Believable: it must be readily believable and understandable by a court
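An added example, not from these slides, that works the endianness and slack questions above through in code: the same four bytes read from a hex editor give two different values depending on byte order, and file slack is what is left between end-of-file and the end of the last allocated cluster. The 512-byte sector, 8 sectors per cluster and the FAT-style rule that data clusters are numbered from 2 are assumptions chosen for the example.

```python
SECTOR_SIZE = 512   # bytes per sector; assumed here, the common value for disks


def u32(raw: bytes, byteorder: str) -> int:
    """Interpret four bytes as an unsigned 32-bit integer.

    'little' (x86/x64: least significant byte first) or 'big' (network byte
    order and many file formats). Same four bytes, two very different values.
    """
    if len(raw) != 4:
        raise ValueError("need exactly 4 bytes")
    if byteorder not in ("little", "big"):
        raise ValueError("byteorder must be 'little' or 'big'")
    return int.from_bytes(raw, byteorder)


def cluster_size(sectors_per_cluster: int) -> int:
    return sectors_per_cluster * SECTOR_SIZE


def clusters_needed(file_size: int, sectors_per_cluster: int) -> int:
    """Allocation happens in whole clusters, so round up."""
    size = cluster_size(sectors_per_cluster)
    return (file_size + size - 1) // size


def file_slack(file_size: int, sectors_per_cluster: int) -> int:
    """Bytes between end-of-file and the end of the last allocated cluster.

    That space keeps whatever was written there before, which is why examiners
    look at it. A file that exactly fills its clusters, including a zero-length
    file that owns no cluster, has no slack.
    """
    if file_size < 0:
        raise ValueError("file size cannot be negative")
    size = cluster_size(sectors_per_cluster)
    remainder = file_size % size
    return 0 if remainder == 0 else size - remainder


def cluster_to_lba(cluster: int, first_data_sector: int, sectors_per_cluster: int) -> int:
    """FAT numbering (assumed): the data area begins at cluster 2, so cluster N
    starts at first_data_sector + (N - 2) * sectors_per_cluster."""
    if cluster < 2:
        raise ValueError("FAT data clusters start at 2")
    return first_data_sector + (cluster - 2) * sectors_per_cluster


if __name__ == "__main__":
    raw = bytes.fromhex("78563412")   # the bytes as they appear in a hex editor
    print(f"{raw.hex()} little-endian = 0x{u32(raw, 'little'):08x}")
    print(f"{raw.hex()} big-endian    = 0x{u32(raw, 'big'):08x}")
    print("slack for a 1000-byte file in 4 KiB clusters:", file_slack(1000, 8))
```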
Module 5
What is a file system?
Explain how a FAT file system works: directory entry structure, reading/deleting files
Explain how an NTFS file system works: MFT, records, record structure
Windows registry benefits in forensics: structure, data, offline acquisition
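The FAT directory entry question above, as an added example that is not part of the unit materials: a decoder for one 32-byte FAT32 directory entry, plus what a delete does to it. The sample entry (REPORT.DOC, first cluster 5, 4660 bytes) is constructed for the example. The point a practitioner should take from it is that deletion only overwrites the first byte of the name with 0xE5; the starting cluster and size survive, which is what makes recovery possible.

```python
import struct
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

ENTRY_SIZE = 32
DELETED_MARK = 0xE5      # first byte of a deleted entry
ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F          # long-file-name fragment, not a real entry


@dataclass
class DirEntry:
    name: str
    deleted: bool
    attributes: int
    first_cluster: int
    size: int
    modified: Optional[datetime]


def decode_dos_datetime(date_word: int, time_word: int) -> Optional[datetime]:
    """FAT packs dates as 7 bits of year-since-1980, 4 of month, 5 of day, and
    times as 5 bits of hour, 6 of minute, 5 of two-second units."""
    if date_word == 0:
        return None
    return datetime(1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F,
                    time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)


def parse_entry(raw: bytes) -> Optional[DirEntry]:
    """Decode one 32-byte FAT32 directory entry; None for free or LFN entries."""
    if len(raw) != ENTRY_SIZE:
        raise ValueError("a directory entry is exactly 32 bytes")
    if raw[0] == 0x00 or raw[11] == ATTR_LFN:
        return None
    deleted = raw[0] == DELETED_MARK
    base = (b"?" + raw[1:8]) if deleted else raw[0:8]   # 0xE5 overwrote the first character
    name = base.decode("ascii", "replace").rstrip()
    extension = raw[8:11].decode("ascii", "replace").rstrip()
    if extension:
        name = f"{name}.{extension}"
    (cluster_hi,) = struct.unpack_from("<H", raw, 20)
    write_time, write_date = struct.unpack_from("<HH", raw, 22)
    (cluster_lo,) = struct.unpack_from("<H", raw, 26)
    (size,) = struct.unpack_from("<I", raw, 28)
    return DirEntry(name, deleted, raw[11], (cluster_hi << 16) | cluster_lo, size,
                    decode_dos_datetime(write_date, write_time))


def build_entry(name_8_3: bytes, attributes: int, first_cluster: int,
                size: int, write_date: int, write_time: int) -> bytes:
    """Assemble a constructed entry (creation/access fields left zero).
    Layout: 11-byte name, attr, NT reserved, create tenths, create time,
    create date, access date, cluster high, write time, write date,
    cluster low, size; all multi-byte fields little-endian."""
    return struct.pack("<11s3B7HI", name_8_3.ljust(11), attributes, 0, 0,
                       0, 0, 0, first_cluster >> 16, write_time, write_date,
                       first_cluster & 0xFFFF, size)


def delete_entry(raw: bytes) -> bytes:
    """What a FAT delete does to the entry: only the first byte changes."""
    return bytes([DELETED_MARK]) + raw[1:]


# Constructed entry: REPORT.DOC, archive bit, first cluster 5, 4660 bytes,
# last written 2023-05-17 14:30:10 (0x56B1 / 0x73C5 in FAT encoding).
SAMPLE_ENTRY = build_entry(b"REPORT  DOC", 0x20, 5, 4660, 0x56B1, 0x73C5)

if __name__ == "__main__":
    print("live:   ", parse_entry(SAMPLE_ENTRY))
    print("deleted:", parse_entry(delete_entry(SAMPLE_ENTRY)))
```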
Module 6
Graphic file types: contemporary formats
EXIF metadata and its use in forensics
File signatures: purpose, benefits, limitations
Fragmented vs contiguous file carving; issues related to fragmented files; software strategies to carve fragmented files
Scalpel carving processes and procedures
Smart carving benefits and limitations
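An added example, not from the slides or from Scalpel itself, of the header/footer carving the module covers and of why fragmentation breaks it. The signature table is a constructed subset in the spirit of a carver configuration, and the "unallocated space" is a constructed buffer holding two small JPEG-like blobs: one contiguous, one written in two fragments with another file's data between them. The carver recovers the first correctly and the second with foreign bytes inside, which is the fragmented-file problem in miniature.

```python
from typing import Dict, List, Tuple

Hit = Tuple[str, int, int]   # (file type, start offset, end offset)

# Header/footer pairs in the style of a carver configuration; constructed subset.
SIGNATURES: Dict[str, Tuple[bytes, bytes]] = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(data: bytes, max_size: int = 1 << 20) -> List[Hit]:
    """Header/footer carving: every header whose footer appears within
    max_size bytes yields one hit. No file-system metadata is consulted, so a
    hit is simply whatever bytes sit between the two signatures."""
    hits: List[Hit] = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = data.find(header, pos)
            if start < 0:
                break
            limit = min(len(data), start + max_size)
            end = data.find(footer, start + len(header), limit)
            if end < 0:
                pos = start + 1          # header with no footer in range: skip it
                continue
            end += len(footer)
            hits.append((ftype, start, end))
            pos = end                    # resume after the carved file
    return sorted(hits, key=lambda h: h[1])


def extract(data: bytes, hit: Hit) -> bytes:
    return data[hit[1]:hit[2]]


# Constructed "unallocated space". JPEG_A is contiguous; JPEG_B was written in
# two fragments with data from an unrelated file between them.
JPEG_A = b"\xff\xd8\xff\xe0" + b"A" * 20 + b"\xff\xd9"
JPEG_B = b"\xff\xd8\xff\xe1" + b"B" * 20 + b"\xff\xd9"
FILLER = b"\x00" * 32
FOREIGN = b"text from an unrelated document"
UNALLOCATED = FILLER + JPEG_A + FILLER + JPEG_B[:12] + FOREIGN + JPEG_B[12:] + FILLER

if __name__ == "__main__":
    for hit in carve(UNALLOCATED):
        blob = extract(UNALLOCATED, hit)
        print(hit, "intact" if blob in (JPEG_A, JPEG_B) else "contains foreign data")
```

The same header-to-first-footer rule also mis-carves a JPEG whose EXIF block holds an embedded thumbnail, because the thumbnail's own footer ends the carve early; that is the "limitations" half of the file-signature question.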
Module 6 (continued)
Web browser forensic analysis
Potential digital artefacts from web browsers
How can web browser history be used to show intent?
What files do we look for with browsers such as Internet Explorer, Firefox and Chrome?
The effects of anti-web-browser-forensic tools on digital forensics
Module 7
How do we evaluate digital forensic tools? Standards? Models? Methods?
Hardware vs software forensic tools: define, explain, provide specific examples
Tool functions: acquisition, validation and discrimination, extraction, reconstruction, reporting
Module 8
How to determine what data to collect and analyse?
NSRL RDS databases: pros/cons? limitations? How to implement/use an RDS?
Validation techniques for collected data
Locating/analysing hidden data
Tools for detecting encryption, breaking passwords and detecting concealment
Module 9
Email investigations
Email headers as a source of evidence: structure of email headers, interpreting the data in email headers
Email forensic tools: their functionality, limitations and benefits
Issues/challenges with cloud forensics
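The header-interpretation question above worked in code, as an added example that is not part of the slides or of any tool the unit covers: parse the Received headers of a message, put the hops back into delivery order, and flag timestamps that run backwards. The message, its hostnames and addresses are constructed (documentation/example values); the regular expression is an assumption that fits the common "from ... by ... ; date" shape of Received lines rather than the full RFC 5321 grammar.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

# Constructed message with two Received headers; hostnames and addresses are
# example values, not real infrastructure.
SAMPLE_MESSAGE = "\n".join([
    "Received: from mx2.example.net (mx2.example.net [203.0.113.20])",
    "\tby mail.example.org with ESMTP id abc123;",
    "\tMon, 4 Mar 2024 10:05:42 +0000",
    "Received: from sender-pc.example.com ([198.51.100.7])",
    "\tby mx2.example.net with ESMTPA id def456;",
    "\tMon, 4 Mar 2024 10:05:40 +0000",
    "From: alice@example.com",
    "To: bob@example.org",
    "Subject: Quarterly figures",
    "Date: Mon, 4 Mar 2024 10:05:39 +0000",
    "Message-ID: <20240304100539.1234@example.com>",
    "",
    "See attached.",
])

# The same message with the sender-side Received timestamp altered, as a forged
# or clock-skewed header would look.
FORGED_MESSAGE = SAMPLE_MESSAGE.replace("10:05:40", "10:05:50")

# Assumed shape of a Received line: "from <host> ... by <host> ... ; <date>".
RECEIVED_RE = re.compile(r"\bfrom\s+(?P<from>\S+)(?:.*?\bby\s+(?P<by>\S+))?")


def parse_received(value: str) -> Dict[str, object]:
    """Pull 'from', 'by' and the timestamp out of one Received header.
    Folded continuation lines are joined into one line first."""
    text = " ".join(value.split())
    match = RECEIVED_RE.search(text)
    timestamp = None
    if ";" in text:
        try:
            timestamp = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            timestamp = None             # unparseable date: keep the hop, lose the time
    return {
        "from": match.group("from") if match else None,
        "by": match.group("by") if match else None,
        "timestamp": timestamp,
    }


def hop_chain(raw_message: str) -> List[Dict[str, object]]:
    """Each relay prepends its own Received header, so the header nearest the
    body is the first hop. Reverse them to read the path in delivery order."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return list(reversed(hops))


def timeline_anomalies(hops: List[Dict[str, object]]) -> List[Tuple[int, Optional[str]]]:
    """Flag hops whose timestamp is earlier than the previous hop's. Only the
    headers added by servers you trust are reliable; everything below them
    can have been written by the sender."""
    issues: List[Tuple[int, Optional[str]]] = []
    for i in range(1, len(hops)):
        earlier, later = hops[i - 1]["timestamp"], hops[i]["timestamp"]
        if earlier is not None and later is not None and later < earlier:
            issues.append((i, hops[i]["by"]))
    return issues


if __name__ == "__main__":
    for hop in hop_chain(SAMPLE_MESSAGE):
        print(f"{hop['from']} -> {hop['by']} at {hop['timestamp']}")
    print("anomalies in forged copy:", timeline_anomalies(hop_chain(FORGED_MESSAGE)))
```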
Module 10
Order of volatility: its impact on the collection of evidence; what should you prioritise?
The impact of virtual machines on computer investigations
Tools for live acquisitions
Network forensics: purpose, benefits, tools
Module 11
Types of evidence from smartphones
Issues with gathering evidence from phones
Types of tools, their limitations and purpose
Physical vs logical vs manual acquisition
Flash file system issues for forensics
Benefits of bypassing the FTL (flash translation layer)
JTAG/flasher tool processes
CSG2305 exam
2 hour exam, 1 section, 10 questions @ 5 marks each
Each question will require up to ½ a page to be answered sufficiently
Questions cover the entire unit: lecture notes, workshops, text book, tools, procedures, additional readings
CSG5126 exam
3 hour exam, 2 sections
Section A: 1 question @ 20 marks. A scenario-based question focusing on correctly undertaking a forensic investigation: tools, procedures, best practices etc.
Section B: 6 questions @ 5 marks each. Each question will require up to ½ a page to be answered sufficiently
Study Notes
Read all lecture notes
Complete all tutorial/workshop activities
Read the appropriate chapters in the text book
Read the additional readings found on Blackboard
Some questions are based on theory; others on the application of commands and processes within tools/software
No notes or calculators are permitted in the exam.
The text book or other supportive material is not permitted in the exam.
Write legibly: if we can't read your writing, we cannot award you marks for your answer!