Q1 [10 marks in total] a) Describe, in detail, the actions you would take to ensure a fully compliant forensics process, from the moment you are escorted to the vicinity of the computer room until you have completed your investigation. [4 marks]

b) Compare, using examples, two different theories of Computer Forensics and Digital Investigation and list areas in which they differ. [3 marks]

c) List, with examples, the information you would record when creating and maintaining a timeline for the investigation. [2 marks]

d) Describe the forensic importance, if any, of the items found in the boxes on the computer room floor. [1 mark]

Q2 [10 marks in total] a) Within the scope of a computer forensics investigation, describe with examples, how the Epidemic Threshold for malware propagation might influence the information gathering process. [2 marks]

b) Assume that the Systems Administrator of the seized servers attempts to use the Trojan Horse defence. List, with examples, at least four types of artefacts on a Windows Server that would possibly disprove the defence. [4 marks]

c) Describe, with examples, the forensically correct process for handling the disk drives scattered across the floor when seizing and onsite-gathering. [2 marks]

d) Describe, with examples, the process and commands required to make a forensically-sound copy of a hard drive. [2 marks]