The document proposes digital forensic readiness techniques to counter online exam fraud. It discusses how students commonly cheat in online exams, such as accessing online content, screen sharing, opening new tabs, and inspecting HTML code. It then proposes 11 digital forensic readiness techniques that could be used to gather evidence in these situations, such as recording PC activity, using keylogging, monitoring typing patterns, deploying security cameras, logging browser activity, recording mouse activity, recording programmable device data, using webcams to verify student identity, employing biometric identification, and performing continuous authentication. The techniques were evaluated based on implementation difficulty, cost, and efficiency.

1. Proposed High-Level Solutions to Counter Online Examination Fraud Using Digital Forensic Readiness
Techniques
Ivans Kigwana
1
, Hein Venter
2
University of Pretoria, Hatfield, South Africa
ivans.kigwana@gmail.com
1
hventer@cs.up.ac.za
2
Abstract
In this current digital age, most of the tasks are conducted electronically. Some academic institutions have not
been left behind as they have adopted the norm of presenting exams via online means to students. The
present-day paradigm creates opportunities for students to use this as an opening to cheat or commit online
examination fraud because of the absence of exam proctors. Having electronic evidence would be vital if there
was a disciplinary hearing into examination fraud. In the case when an institution is not prepared before-hand
for such an incident, it is likely that there won’t be important electronic evidence that is admissible before the
disciplinary committee. In this case, it could be damaging to the institution’s reputation and how it handles its
academic affairs. In order to prepare institutions for such an incident, there should be proactive measures
(digital forensic readiness measures) that need to be in place. These digital forensic readiness techniques can
be used interchangeably because most, if not all of them, capture different kinds of data. So the institution
needs a proper plan on what data might be useful before any technique can be implemented. Various factors
such as cost of implementation and difficulty of implementation of these digital forensic readiness methods
make its implementation even more difficult. This paper aims to explore the various ways how students
commit online examination fraud and later propose high level digital forensic readiness techniques that can be
used to capture as much information as possible before-hand which can later be used when there is need for a
digital forensic investigation or perhaps suspicion of examination malpractice. We later evaluate the proposed
techniques based on difficulty of implementation, cost of implementation and efficiency of operation of each
particular technique. As motivation, we choose six (6) techniques which are explained in detail to help the
reader understand why and how they can be used to suit a given digital forensic readiness purpose.
Keywords: Digital Forensics, Digital Forensic Readiness, Online Examination Fraud
1 Introduction
Over the years, technology has developed to an enormous extent. In most sectors of the economy, there is
some aspect of technological deployment that helps employees deliver their work more efficiently. One such
sector is the education sector. Currently, most education institutions – starting from junior level to higher
academic institutions – have adopted technology-related studies as modules in their curriculum. Other
institutions have gone the extra mile in offering online assignments, tests and exams to students as a way of
saving time and money spent on stationery. A crucial notion behind this innovation is to limit cases involving
cheating in traditional exams by introducing online exams. However, some students still use technology to
come up with innovative ways of cheating online exams and some are lucky enough to never get caught. Some
students assume that anything on the web is free and available for public usage; therefore they do not commit
an offence by using it in their favour (Scanlon, 2003).
The rapid growth in internet usage at institutions of higher education has presented a big challenge to
academic heads with regard to online academic programmes offered to students (Renard, 1999). Access to the
internet may also tempt students to cheat in exams because there is no one supervising them.

2. Some scholars believe that since some students are used to face-to-face interaction with their lecturers and
easy access to faculty administration, their stress levels increase (Gibbons et al., 2002) when they are exposed
to having everything delivered online. Some students fail to cope up with this stress may end up choosing to
cheat the exam.
What about the case of supervised online exams where some students are caught red-handed cheating and
others are not noticed? (King et al., 2009).
Academic authorities constantly try to come up with ways of stopping and punishing students caught cheating
or who are suspected of having cheated in exams. Most of the traditional detection methods have their own
shortcomings, which makes it hard for anyone to prove examination malpractice once the exam has been
written and submitted by the student. With regard to gathering evidence, it is almost impossible and very
costly to get digital information that can be used as potential evidence to convict someone for cheating, even
when s/he is a suspect.
In this research, we explore and explain in detail some of the possible ways how students cheat in online
exams, followed by possible high-level solutions to each. We discuss how digital forensic readiness can be
applied in the assessment situation as a way of detecting cheating, convicting suspects in disciplinary hearings
and possibly reducing the opportunities for online exam cheating.
The remainder of this paper is organised as follows: in Section 2 we provide some background on digital
forensics, and discuss digital forensic readiness and online exam fraud, incorporating it with related work.
Section 3 presents the different scenarios in which exam fraud occurs and the proposed digital forensic
readiness techniques to be applied in each scenario. In Section 4 we evaluate each proposed DFR techniques,
and our discussions follow in Section 5. Section 6 provides a conclusion to the paper and suggests future work
in this field.
2 Background
In this section we provide some background on digital forensics in general, digital forensic readiness and the
issue of online examination fraud. We also discuss related work in these three subsections.
2.1 Digital Forensics (DF)
Digital Forensics, sometimes referred to as computer forensics, became known in the 1970s (Kohn et al.,
2013). At that time, most computer forensics cases involved financial fraud. Currently, DF has proved vital in
solving computer-related crimes including but not limited to bank fraud, as well as other crime that involves
information in digital format (Garfinkel, 2010). Because we belong to a generation where a large part of our
day involves contact with digital devices and/or using them in our daily lives, we leave behind much
information on such devices even though we don’t realise it. When an investigation is to be carried out,
different forensic tools can be used to reconstruct events and attain evidence from among the information left
on digital devices by both victim and suspect.
Most current DF techniques were initially meant for data recovery. For instance, scholars in (Wood et al.,
1987) note a story of experts who were tasked to recover a copy of a fragmented database file that had
accidentally been deleted by a fellow researcher. In the early years, experts relied heavily on time sharing
machines and computing services that were located centrally (Garfinkel, 2010), while formal processes, tools
and proper training of personnel were seriously lacking.
2.2 Digital Forensic Readiness (DFR)
DF is usually carried out after the crime has been committed. DFR, on the other hand, is introduced as a
precautionary measure before the crime is committed. This means one has to follow the established guidelines
of a DFR process model as explained in ISO/IEC 27043:2015. This standard provides insight into guidelines that

3. are based on idealised models for a common incident investigation process across different scenarios that
involve DF.
The advantages associated with DFR include:
▪ Saves on the costs of acquiring potential evidence since information is collected prior to the incident
and stored safely.
▪ Saves time since there is already information to start with when an investigation is demanded.
The DFR process model as explained in ISO/IEC 27043:2015 comprises the following three main groups:
▪ Planning process group; – where all planning for the readiness process is done includes the following
DFR processes: scenario definition; identification of potential digital evidence sources; pre-incident
gathering; storage and handling of data representing potential digital evidence; pre-incident analysis
of data representing potential digital evidence; incident detection and definition of system
architecture process.
▪ Implementation process group – where all activities planned in the planning process group are
implemented – consists of activities such as: implementation of system architectures; implementation
of pre-incident gathering; storage and handling of data that represents the potential digital evidence;
implementation of pre-incident analysis of data that represents the potential digital evidence; and
implementation of the incident detection process.
▪ Assessment process group – where the success of the implementation process group is assessed –
involves the assessment of the implementation process; and the process for the implementation of
assessment results.
2.3 Fraud in Online Exams
When we talk about fraud in online exams, we are looking at cheating and the related malpractices performed
by students who write online exams. Students use different ways to cheat in online exams. Some methods
have been used for many years, but have never been addressed or solved completely, for instance paying off
someone else to write exams on behalf of the legitimate student. Others are new innovations by students,
arising from advancements in technology, for instance inspecting the Hypertext Mark-up Language (HTML)
code to check for possible answers embedded in code. Students can use many other possible ways to cheat in
online exams. Some of these methods are explained in the next section of this paper, and in each case we
propose DFR techniques to be used in the specific situation.
Different studies have been conducted to find solutions to fraud. Some professional courses focus primarily on
helping one understand the basics of a fraud examination process as published in web article (Examiners,
2013). However, most of these professional courses focus on fraud in general, not fraud in online exams.
Freifeld (Freifeld, 2013) gives tips on how to secure and prevent cheating in computer-based testing programs.
In his article, he explains different scenarios of how students have been caught cheating in online exams. For
instance a student was arrested for sitting for a “pencil-and-paper exam” on behalf of several other students
over a period of three years by forging IDs and writing exams at different locations to avoid detection.
Although this was not an online exam, it provides an insight into how far this practice has gone and how it
affects the education industry.
Another example involving tech devices recounted by the same author in (Freifeld, 2013) happened in 2012
when 1,500 people were suspected of selling transmitters and earpieces to students with the aim of cheating.
These people who sold such devices to students were later arrested. All this happened in China, because of the
tough competition to enter the top education institutions.
A web article published by Microsoft (Microsoft, 2015) lays down the testing session protocols used in an
online proctored exam. They all look effective to prevent the student from cheating. However, they miss

4. certain features that can help detect the state of the workstation on which the student is taking the exam.
Most of the protocols followed require the student to be checked by someone remotely using a webcam to
inspect different parts of the body and the room where the exam is being taken. However, nothing is said
about the computer itself, whether it was checked before and during the course of the exam.
In the next section, we discuss some of the ways in which students try to commit online exam fraud.
3 DFR for Online Examination Fraud
In this section, we discuss the notion of applying DFR in online examinations and make suggestions on how to
use it to detect and/or capture information from students that can be used in the case of a DF investigation.
We explain some of the ways how students cheat in online exams and subsequently propose DFR techniques
that can be used in each case. Some of the methods that students use to cheat in online exams and that are
discussed here include accessing online content, screen share, opening new tabs/pages, inspecting HTML
code, using programmable devices, using impersonators, exchanging workstations in the course of the exam,
and bribing supervisors.
This is evidently not an exhaustive list, as there may be other ways of committing online exam fraud that we
have not even come across at the time this research was conducted. Each technique will be given a unique
identifier, namely technique 1 (T1) to technique 13 (T13). We explain our findings in detail in the sub-sections
below.
3.1 Accessing online content
Accessing online content involves the use of shared Google docs, browsing the web while writing the exam,
and use of on-line slides in a closed-book exam. Students may well use any of the examples given to get access
to answers or to share information with other students during the exam. The following DFR techniques can be
employed in this is situation:
▪ T1 - Recording and/or logging pc activity, for instance process lists and applications accessed in the
course of the exam. With this technique, one can know if the student accessed any application whilst
writing the exam and exactly what information they got from those applications.
▪ T2 - Using a key logging application that can monitor and log keys used and words/phrases searched
by the student. This technique helps one to know how the student made use of the computer to
cheat in the exam.
▪ T3 - Designing an application to monitor and capture the typing speed and typing patterns of each
student. This can also be used to verify if the student wrote the exam themselves or got help from
someone in case there are unexplainable variances in typing speeds and patterns.
▪ T4 - Deploying spy cameras to monitor pc activity. These do not interfere with the running of the
exam, because they are placed in strategic positions to help those in the control room to remotely
monitor pc activity and any student movements during the exam session.
▪ T5 - Background auto screen recording. This technique helps gather all activity taking place on the pc,
for instance applications opened, pages or folders accessed, but it does not interfere with the running
of the exam. If spy cameras are not efficient to monitor pc activity, then this technique comes in
handy.
3.2 Screen share
It is possible to use an application to split the pc’s display screen. This allows the student to have access to the
exam and at the same time access other forbidden information to aid their objective of cheating. T1 and T5
can be used as DFR techniques to counter online exam fraud in this situation.

5. 3.3 Opening new pages in separate tabs/pages
Students can furthermore cheat by opening new tabs on the same page that the exam is being written, while it
might look as if they are not leaving the main window nevertheless open a new page. DFR techniques that we
can use in this situation include T1, T2 and T4. Others are:
▪ T6 - Logging browser activity. This technique enables investigators to know what web-pages were
accessed while the exam was in progress and the information contained in those webpages. If such
information is crucial to the investigation, then it is used as evidence for exam fraud against the
victim.
3.4 Inspecting element/HTML code
In some browsers like Chrome and Firefox, one can get access to html code by right-clicking on the webpage.
There is an option at the end of the drop-down menu that reads “Inspect element”. Students can use this
option to check for answers by going through the code. Although this technique does not apply to all online
exam systems, we found situations where one could get correct answers to the questions, especially if the
questions are of a multiple-choice nature. DFR techniques that can be deployed in this situation include T5 and
T6. Another technique we can use to curb cheating in this situation is:
▪ T7 - Recording mouse activity. Applying this technique would disclose what kind of information a
student got access to by using the mouse. For instance, if a student used the mouse to check the html
code for browsers like Chrome and Firefox, the investigator should be able to know this and how it
happened.
3.5 Using programmable devices
Some students use devices like graphing/programmable calculators (Garavalia et al., 2007) to store complex
mathematical formulas/equations that they might later need when writing the exam. Some of these devices
also store text graphs and other digital images. Cheating can be detected by:
▪ T8 - Recording all information on these devices before, during and after the exam as a prerequisite to
use them for exam purposes. Specialised DF devices can be used to get information from these
devices, including checking through the archives. The latter should be done while following the
standard DF investigation procedures, so that no information is compromised in the process.
3.6 Using an impersonator
Some students go as far as hiring someone, usually a fellow student, to sit for the exam on their behalf. It may
be easy to detect an impersonator if the class has a few students, but in a situation where hundreds or
thousands of students write the exam, it will be next to impossible – even more so if the impersonator is an
identical twin. The traditional way to verify one’s identity is by asking the student for his/her student card. In
the case that a student’s identity has been manipulated, one can use T3 in this situation. Other techniques to
curb online fraud are the following:
▪ T9 - Use a webcam to record the student’s identity so as to later cross-reference it with the registered
student’s details. This will be effective if an impersonator sat on behalf of another student. However,
this technique will come short if the student was an identical twin.
▪ T10 - Methods like finger printing, voice recognition, and eye scanning can also be used if one needs
immediate results and not necessarily gathering information for readiness purposes. Either of these
methods can be used to verify a student’s identity before entering the examination room.
▪ T11 - Continuous authentication can be used too, such as asking random questions that only a
legitimate student would know, like asking for lecturer’s name, lecture times and venue(s), etc. This is
not necessarily a DFR technique, but it can help eliminate impersonators from getting access to exams
and sitting on another student's’ behalf.

6. 3.7 Switching computers during an exam
Students can also commit exam fraud by switching computers during the exam. Since online assessment does
not involve the use of paper-based material where handwritings may differ from person to person, it is easier
for students to cheat in such exams. One brighter student can go and sit at another student’s workstation and
write the exam on his/her behalf, and no one will notice that any malpractice took place unless the exam
supervisor were to catch the students in the course of switching workstations. This type of cheating can be
handled by using T3 and T4 which can provide graphical proof of student movements during the course of the
exam.
3.8 Bribing the supervisor
Students can bribe the exam supervisor prior to the exam, so that when they do cheat, the supervisor will not
report them. This rarely happens, but the possibility cannot be ruled out. Another scenario involves a
supervisor catching the student cheating and the student tries to pay off the supervisor to stop him/her from
taking the matter further. Solutions proposed here are not DFR methods, but they can help too. Examples are:
▪ T12 - Rotating supervisors during the exam. Move away from the traditional method of using the
same supervisor for the whole exam and make sure three or more supervisors invigilate the same
exam, working in rotation.
▪ T13 - Assigning the supervisor for a specific exam a few minutes before the exam commences. This
will help reduce the opportunity for bribery, since the students will not know who will supervise what
exam until the last minute when it’s too late to bribe anyone.
Next we evaluate the proposed DFR techniques that can apply in different situations of online examination
fraud.
4 Evaluation
In this section, we consider the DFR techniques proposed earlier and evaluate them based on their difficulty
and cost of implementation, as well as how efficient a technique can be operated. We subsequently give each
technique a score. Table 1 shows the evaluation in detail. The values in the second to the fourth column
headings are meant to give a score of which technique is more efficient when particular factors are
considered. Under “Difficulty of implementation”, the highest value (3) means that the technique is hard to
implement, medium (2) means implementation is not so difficult, and low (1) means it can be implemented
easily. “Cost of implementation” is scored as “Yes (2)”, which means the technique is very expensive and “No
(1)” meaning the cost is reasonable. “Efficiency of operation” has three values: “Yes (1)” meaning the
technique is indeed efficient, “somewhat (2)” meaning it is not always reliable, and “No (3)” meaning the
technique is not efficient. The values in the “Score (total)” column are a result of the summation of each row.
A lower value in the last column is indicative of a better and more reliable technique. The table shows the
techniques sorted in ascending order, starting with the lowest value (highest-priority technique) to the highest
value (lowest-priority technique), and is explained in more detail later.

7. Table 1: Evaluation of our Proposed DFR Techniques
DFR Techniques
Difficulty of
Implementation
Cost of
implementation
Efficiency of
operation (Yes=1,
Somewhat=2,
No=3)
Score
(total)High
=3
Medium
=2
Low
=1
Yes =2 No =1
T2 - Key logging 1 1 1 3
T6 - Log browser activity 2 1 1 4
T3 - Use keystroke pattern
recognition to verify identity
2 1 1 4
T11 - Continuous
authentication
2 1 1 4
T1 - Record/ log pc activity,
e.g. process lists and
applications during the
course of the exam
1 2 1 4
T12 - Rotate supervisors
during the exam
1 1 2 4
T7 - Record mouse activity 1 1 2 4
T4 - Use spy cameras to
monitor/record pc activity
and student movements
2 2 1 5
T5 – Record background auto
screen
2 2 1 5
T9 - Use webcam to record
students’ identity to later
cross-reference with details
of registered student
2 2 1 5
T8 - Record/log all
information on
programmable devices before
the start of the exam
2 2 1 5
T13 - Assign supervisors for a
particular exam just before
the exam commences
3 1 1 5
T10 - Use identification
methods like fingerprints,
voice recognition, eye
scanning
3 2 1 6
The two techniques represented in italics in table 1 indicate the techniques that are not DFR techniques.
However, they can be digitally implemented, for instance T13 and T12 can be implemented by designing a
system that randomly assigns supervisors on a rotation basis. The two techniques were added as solutions
because we do not merely propose DFR solutions but we also intend to limit opportunities for students to
cheat in online exams.
A brief explanation is given of some of the techniques presented in table 1. This explanation can serve as a
guide to those intending to use any of the listed techniques in their online exam systems. However, due to
space constraints, only techniques T10, T8, T5, T4, T6 and T2 will be discussed in this paper. Two low-priority
techniques ‘T10 and T8’ were selected (T13 was skipped because it is not considered a DFR technique),
followed by two techniques with average priority ‘T5 and T4’, and two high-priority techniques ‘T6 and T2’.
The techniques are explained in the order mentioned, that is, from bottom up.

8. T10 (using identification methods like fingerprints, voice recognition, eye scanning) requires state-of-the-art
machines that are costly to buy and maintain, as qualified personnel are needed for monitoring purposes.
Implementing T10 is also difficult because of the labour involved, the cost of software to run the system and
the security aspects of the whole platform. Since the information gathered by means of this technique would
be needed for verification purposes at a later stage, the researchers cannot afford any compromise in the data
collected. The factors mentioned would impact negatively on the efficiency of this technique.
T8 (recording/logging all information on programmable devices before the start of the exam) requires
administrative labour and employees would have to be trained thoroughly on how to extract and preserve
digital data from hardware. Procuring such tools and the other expenses involved would make it costly to
implement this technique. In the long run, efficiency is affected if the wrong people or tools are used in the
process.
T4 (using spy cameras to monitor/record pc activity and student movements) would require high-resolution
cameras to record what is going on from a distance. Such cameras are expensive and use a lot of processing
power, large storage spaces and memory to function. Competent personnel would be required to install and
monitor them. However, if implemented, they would help a lot to provide graphical proof of what happened.
Difficulty to implement T5 (recording background auto screen) was rated “medium” because we believe
designing such an application does not require much in terms of labour. However, it requires a large amount of
processing power to keep the application running and satisfy its storage needs. This affects the overall cost of
this technique since one would have to purchase workstations with enough processing power and memory to
accommodate the recording application and not slow down or disrupt the progress of the exam.
T6 (logging browser activity) comes in second best among the presented techniques because of the kind of
data that is collected when this technique is implemented. Data collected from the web application is a good
source of potential information for DFR purposes. Implementing a browser logging application is relatively
easy when one has the right personnel and resources to collect and store such information. The technique is
not considered costly, since it does not require much labour to design and implement such an application.
T2 (key logging) is shown to be the most efficient technique among those presented in this paper, as it is easy
to implement when one has the right personnel to design an application suitable for your system. The key
logging application is also not considered very costly compared to other techniques presented here, yet it
captures most of the necessary information needed for readiness purposes.
5 Discussion
We looked at some of the ways how students commit exam fraud and discussed the circumstances in which
each one of them can occur. High-level DFR solutions were proposed as a way of being forensically ready in
case an investigation has to be conducted into exam fraud. Some of the solutions cover a wider scope, i.e. they
can be applied as DFR techniques in more than one situation.
The DFR techniques are well defined in each scenario, as well as how they can be used to capture DF
information that can be used as evidence in a disciplinary hearing.
The proposed solutions are evaluated based on the difficulty and cost of implementing the technique and in its
operating efficiency, and each technique is subsequently given a score obtained from the summation of values
in each row.
We intend in future to involve other stakeholders at academic institutions (such as higher-ranked
administrative staff members) to obtain their feedback concerning this area of study so as to make an even
more thorough scientific evaluation of the research problem that we identified in this study.

9. 6 Conclusions and Future Work
Every academic institution wants to find ways of stopping exam fraud and punishing students who are caught
breaking the institution’s rules and regulations pertaining to assessment. However, in many cases students
commit exam fraud and go unnoticed. Deploying the right DFR techniques would help an institution to be
prepared with enough credible information that is admissible in the case of a disciplinary hearing.
In this paper, we presented different methods students use to cheat in online exams and proposed high-level
DFR techniques that can be applied in each case. We later presented an evaluation of all these techniques,
based on their difficulty and cost of implementation and operating efficiency, and we calculated a score for
each. As part of our future work, we intend to come up with a model that can be used to incorporate some of
these techniques so that they can be applied to an online examination system and capture credible
information that will be relevant when a DF investigation into online exam fraud needs to be conducted.
References
The 10 most inventive cheating attempts on online exams [Online]. eSchoolMedia & eCampus News.
Available: http://www.ecampusnews.com/top-news/exams-online-cheating-400/.
How Students Cheat Online [Online]. Available: http://www.onlineschoolscenter.com/cheating-
online/.
ISO/IEC 27043:2015 [Online]. ISO. Available:
http://www.iso.org/iso/catalogue_detail.htm?csnumber=44407.
Online Diplomas and Degrees in Fraud Examination [Online]. Available:
http://study.com/online_diplomas_in_fraud_examination.html.
EXAMINERS, A. O. C. F. 2013. Understanding the Basics of Fraud Examination (Online Self-Study)
[Online]. ACFE. Available: http://www.acfe.com/products.aspx?id=2852.
FREIFELD, L. 2013. SECURING EXAMS AGAINST FRAUD [Online]. Available:
http://www.trainingmag.com/content/securing-exams-against-fraud.
GARAVALIA, L., OLSON, E., RUSSELL, E. & CHRISTENSEN, L. 2007. How do students cheat. Psychology
of academic cheating, 33-58.
GARFINKEL, S. L. 2010. Digital forensics research: The next 10 years. digital investigation, 7, S64-S73.
GIBBONS, A., MIZE, C. D. & ROGERS, K. L. 2002. That's My Story and I'm Sticking to It: Promoting
Academic Integrity in the Online Environment.
KING, C. G., GUYETTE JR, R. W. & PIOTROWSKI, C. 2009. Online Exams and Cheating: An Empirical
Analysis of Business Students' Views. Journal of Educators Online, 6, n1.
KOHN, M. D., ELOFF, M. M. & ELOFF, J. H. 2013. Integrated digital forensic process model. Computers
& Security, 38, 103-115.
MICROSOFT. 2015. Online proctored exams [Online]. Available:
https://www.microsoft.com/learning/en-za/online-proctored-exams.aspx.
RENARD, L. 1999. Cut and paste 101: Plagiarism and the net. Educational Leadership, 57, 38-42.
SCANLON, P. M. 2003. Student online plagiarism: how do we respond? College Teaching, 51, 161-
165.
WOOD, C. C., BANKS, W. W., GUARRO, S. B., GARCIA, A. A., HAMPEL, V. E. & SARTORIO, H. P. 1987.
Computer security: a comprehensive controls checklist, Wiley-Interscience.