
M.Sc. (I.T.) Sem. IV
COMPUTER FORENSICS
QUESTION BANK (2014-2015)

Unit 1: Chapter 1
1. What is forensic science? What is computer forensics? How is it different from other
related fields?
2. Explain the investigation triad.
3. Explain in brief the history of computer forensics.
4. How can computer forensics resources be developed?
5. What are the categories of computer investigations and forensics? Explain.
6. Explain the legal process to conduct computer investigation for potential criminal
violations of law.
7. What are typical computer supported crimes that occur in corporates? How can these
be prevented? (or Write a short note on Corporate Investigations.)
8. Why is it necessary to maintain professional conduct during computer investigation?
How can this be maintained?
9. What is professional conduct? Why is it important? What is the purpose of maintaining
a professional journal?
10. Why should companies appoint an authorized requester for computer investigations?
11. What is the purpose of an affidavit?
12. What are the necessary components of a search warrant?
Unit 1: Chapter 2
13. List standard systems analysis steps to be applied when preparing a case.
14. Explain the multi-evidence form used in corporate What information does it contain?
15. Explain the single-evidence form used in corporate What information does it contain?
16. Explain the procedures for corporate High-tech investigations.
17. What do we need to conduct an investigation involving Internet abuse? Enumerate the
steps for processing of an Internet abuse case.
18. What do we need to conduct an investigation involving Email abuse? Enumerate the
steps for processing of an Email abuse case.
19. Enumerate the basic steps for investigating Attorney-Client Privilege investigations.
20. What are the guidelines for media leak investigations? Mention the steps for
investigating media leaks.
21. List the staff needed when planning an industrial espionage investigation. Give the
guidelines when initiating an international espionage investigation. What are the
planning considerations for industrial espionage investigations?
22. Explain the interviews and interrogations in High-Tech investigations.
23. What are the requirements to set up a workstation for computer forensics?
24. What is a bit-stream image? How is it created? Explain.
Unit 1: Chapter 3
25. What are the requirements for forensics lab certification? Explain.
26. What are the duties of forensic lab manager and staff?
27. How is computer forensics lab budget planned? Explain.
28. What are the different certifications to advance the career in computing investigations
and forensic analysis?
29. What are the physical requirements for computer forensics lab?
30. How are workstations selected for police, private and corporate computer forensics lab?

31. What is a disaster recovery plan? Why is it necessary for a computer forensics lab to
have a disaster recovery plan?
32. How is a business case prepared for a computer forensics lab?
33. Which organization has guidelines on how to operate a computer forensics lab? What
term refers to labs constructed to shield EMR emissions?
Unit 1: Chapter 4
34. What is data acquisition? What are its types? What is its goal? Explain.
35. What are the different formats for digital evidence? Explain.
36. What are the different data collection methods? Explain.
37. What are the different tools for data acquisition? Explain.
38. What are the different ways to validate the acquired data? Explain.
39. What are the concerns while getting an image of a RAID server's disk? List some
vendors offering RAID acquisition functions.
40. What are the different remote network acquisition tools? Explain.
41. What are the different forensics acquisition tools? Explain.
42. What is a hashing algorithm? Which hashing algorithm utilities can be run from a Linux
shell prompt? Explain.
Unit 2: Chapter 5
43. State and explain the general tasks that the investigators perform when working with
digital evidence.
44. State and explain any six rules of evidence.
45. How is evidence collected in private-sector incidents? Explain.
46. Explain the Fourth Amendment to the United States Constitution.
47. Explain the tasks to be completed before searching for evidence.
48. Why should the computer incident or crime scene be secured? Who is responsible for
securing the scene?
49. Enumerate the guidelines for seizing digital evidence at the scene.
50. What are the steps to be followed after recording the scene, shutting down the system
and packing the evidence?
51. Why do we need a technical advisor? What are the responsibilities of technical
advisors?
52. What are the steps to create image files of digital evidence?
53. How is digital evidence stored? Explain.
54. Give a sample evidence custody form. What are its functions?
55. What are the three rules for forensics hashes? How can we obtain digital hash?
56. With the help of an example, explain the criminal investigation.
Unit 2: Chapter 6
57. What is a file system? Explain the computer boot sequence.
58. What are the components of disk drives? Explain.
59. Explain the Microsoft file structures.
60. What is a disk partition? State the hexadecimal codes in the partition table and the
corresponding file systems.
61. What is the master boot record? Explain the FAT file systems.
62. Explain the New Technology File System. (or Explain the structure of NTFS disks.)
63. What are the metadata records in the master file table of NTFS?
64. Explain the attributes in the master file table.
65. Explain the NTFS data streams with examples.
66. Explain the NTFS encrypting file system. Explain the EFS recovery agent.

67. What happens when a file is deleted from Windows Explorer and from the command
prompt? Explain.
68. Enumerate the features of the current whole disk encryption tools. What are the
hardware and software requirements of Microsoft's BitLocker?
69. List some third party and open source whole disk encryption tools.
70. What is the Windows Registry? Explain the following terms of the Windows Registry: Registry
Editor, HKEY, key, subkey, branch, value, default value, hives.
71. Explain the functions of the following registry HKEYs:
i. HKEY_CLASSES_ROOT
ii. HKEY_CURRENT_USER
iii. HKEY_LOCAL_MACHINE
iv. HKEY_USERS
v. HKEY_CURRENT_CONFIG
vi. HKEY_DYN_DATA
72. What are the steps executed when an NTFS computer is switched on? What are the
startup files of Windows XP? What are the system files of Windows XP?
73. Explain the MS-DOS startup tasks.
74. What are virtual machines? Explain.
Unit 2: Chapter 7
75. List a few questions we need to answer while evaluating computer forensics tools.
76. What are the different types of computer forensics tools? Explain.
77. What are the tasks performed by computer forensics tools? Explain each task.
78. Discuss the validation and discrimination issues when dealing with computer evidence.
79. What is extraction? What are its subfunctions? Explain.
80. What is the purpose of having reconstruction feature in forensics tool? Explain the
subfunctions of reconstruction.
81. Explain the command line and GUI computer forensics software tools.
82. What is a forensics workstation? What are its different categories? What is a write
blocker?
83. What criteria must be met so that when new software and hardware become
available, testing standards are in place for the lab?
84. Describe the methods for validating and testing computer forensics tools.
Unit 3: Chapter 8
85. Explain the Mac OS X HFS+ file system.
86. Explain the boot process of Mac OS.
87. List and explain any three Macintosh forensics tools.
88. Explain the four components of UNIX that define the system.
89. What is an inode? What information is contained in an inode?
90. Explain the Linux/UNIX boot process.
91. Explain the physical structure of a compact disk.
92. Write a short note on examining SCSI disks, IDE, EIDE and SATA disks.
Unit 3: Chapter 9
93. How is the data to be collected and analysed determined in computer forensics
investigation?
94. Enumerate the basic steps for computer forensics investigations.
95. Why may an investigation plan require refining and modification? Explain with
example.
96. List and explain the tools used to validate forensics data.
97. State and explain different data hiding techniques.

98. How can partitions be hidden? Explain.
99. Explain marking bad clusters as data hiding technique.
100. What is bit-shifting? How is it used for data hiding? How can bits be shifted?
101. What is steganography? How can steganography files be identified?
102. Describe the methods for performing a remote acquisition.
Unit 3: Chapter 10
103. Explain the different graphic file formats.
104. What are lossy and lossless compression? What are the advantages and disadvantages of
each?
105. How can the graphic files be located and recovered?
106. How can unknown graphic formats be identified? Explain.
107. Discuss the copyright issues with graphics.
Unit 4: Chapter 11
108. What are the primary concerns in conducting forensic examination of virtual machines?
109. Give an overview of network forensics.
110. Explain the three modes of protection of defence in depth.
111. Enumerate the general steps for live acquisition.
112. What is the standard procedure used for network forensics?
113. List the different network tools and explain any two.
Unit 4: Chapter 12
114. Explain the role of email in forensic investigations.
115. List and explain the tasks in investigating e-mail crimes and violations.
116. What are e-mail servers? Explain their role in forensic investigations.
117. Explain the role of client and server in email.
118. List and explain the tools for e-mail forensics.
Unit 4: Chapter 13
119. Write a note on different types of digital networks.
120. Explain technologies used by 4G networks.
121. Explain the components found inside mobile device.
122. What is a personal digital assistant? What are the different types of peripheral memory
cards used with PDAs?
123. Explain SIM file structure.
124. Write a note on mobile forensics tools.
125. Explain the following terms:
i. CDMA
ii. EEPROM
iii. EDGE
iv. TDMA
v. ITU
vi. OFDM
126. Explain iPhone readers.
127. Describe procedures for acquiring data from cell phones and mobile devices.
128. State and explain the different mobile forensics equipment.
Unit 5: Chapter 14
129. Explain the importance of reports in forensics investigations.
130. Why should a report be limited to specifics? How is it done?
131. Explain the different types of reports.
132. Explain guidelines for writing reports.
133. What should be included in a written preliminary report?

134. Explain the structure of a report.
135. Mention criteria which should be used to write reports.
136. What are the factors involved in designing the layout and presentation of reports?
137. Explain different forensics software tools used to generate report.
138. What is the major advantage of automated forensics tools in report writing?
Unit 5: Chapter 15
139. Explain the guidelines for giving testimony as a technical/scientific or expert witness.
140. Enumerate the guidelines for ensuring the integrity of forensic evidence.
141. Explain the role of a consulting expert. Who is an expert witness?
142. What technical definitions must be prepared ahead of time for testimony as an expert
witness? Why should contact with media be avoided during legal actions?
143. List the typical order of trial proceedings.
144. State and explain the guidelines for testifying in court.
145. What are the general rules for using graphics during testimony?
146. How can testimony problems be avoided?
147. What is prosecutorial misconduct? Explain.
148. What preparation must be done for testifying during direct examination?
149. What preparation must be done for testifying during cross examination?
150. What is the difference between a deposition and trial testimony? What are the two
different types of depositions?
151. Explain the guidelines for testifying at a deposition to avoid problems.
152. Explain the guidelines for testifying at hearings.
153. Describe procedures for preparing forensics evidence for testimony.
Unit 5: Chapter 16
154. Explain how ethics and codes apply to expert witnesses.
155. Explain the role of the computer forensics examiner in testifying.
156. What are the considerations in disqualifying an expert?
157. What are the traps about which the experts should be cautious? What ethical errors
should be avoided while testifying?
158. Give the guidelines of the International Society of Forensic Computer Examiners code of
ethics.
159. What are the ethical difficulties in expert testimony?
160. Explain how other organizations' codes of ethics apply to expert testimony.
161. Explain the process of carving data manually.
