DFPT1 PDF
Semester VI Subject: DF
1) Define Digital forensics and digital evidence. State the rules of Digital forensics and rules of digital
evidence.
Ans: Digital Forensics: The use of scientifically derived and proven methods toward the (CID APPV) ==> Preservation, Collection, Validation, Identification, Analysis, Interpretation, Documentation and Presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.
Rule 2. A copy (image) is made onto forensically sterile media. New media should always be used if
available.
Rule 3. The copy of the evidence must be an exact, bit-by-bit copy. (Sometimes referred to as a bit-
stream copy).
Rule 4. The computer (any digital device) and the data on it must be protected during the acquisition of
the media to ensure that the data is not modified. Use a write blocking device that prevents accidental
damage to the drive contents by allowing read commands but blocking write commands.
Rule 5. The examination must be conducted in such a way as to prevent any modification of the
evidence.
Rule 6. The chain of custody of all evidence must be clearly maintained to provide an audit log of who might have accessed the evidence and at what time.
Digital Evidence: Digital evidence is any information or data that can be trusted, that can prove something related to a case at trial, and that is stored on, received by or transmitted by electronic devices, e.g. text messages, emails, pictures, videos and internet searches.
Rules of Digital Evidence: Rules of evidence are concerned with the amount, quality and type of proof needed to prove a matter in legal proceedings.
1. Admissible. Evidence must have been preserved and gathered in such a way that it can be used in
court. Failure to obtain a proper warrant, breaking the chain of evidence, and mishandling or destroying
the evidence renders it inadmissible.
2. Authentic. The evidence must be relevant to the case, and the forensic examiner must be able to
account for the origin of the evidence.A relationship must be established between computer, the message,
and the person who sent the message.
3. Complete: A clear and complete picture must be presented that can account for how the evidence came to be. Incomplete evidence may go unnoticed, which can be even more dangerous than no evidence at all.
4. Reliable: There must be no doubt about the validity of the examiner's conclusions. The techniques used must be credible and generally accepted in the field. If the examiner made any errors or used questionable techniques, this could cast reasonable doubt on a case.
5. Believable: A forensic examiner must be able to explain, with clarity and conciseness, what processes he used and how the integrity of the evidence was preserved. The evidence must be easily explainable and believable.
2) What are the challenges in digital forensics? Explain evidence handling procedure.
1. Authentication of Evidence
In other words, for a piece of evidence to support testimony, it must be authenticated by a witness who has personal knowledge of its origin.
3. Evidence Validation
The challenge is to ensure that the data you have collected is the same as the data provided or presented in court. To meet the challenge of validation, it is necessary to ensure that the original media matches the forensic duplicate by using MD5 hashes. The verify function within the EnCase application can be used while duplicating a hard drive with EnCase. To perform a forensic duplication using dd, record an MD5 hash for both the original evidence media and the files which compose the forensic duplicate.
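The validation step above, as an added worked example (this is not part of the original notes and does not use EnCase or dd themselves): a constructed in-memory "source medium" is hashed block by block, the way dd reads it, a bit-for-bit duplicate is written as several segment files, and the MD5 (as the notes specify) and SHA-256 of the source are compared with those of the files that compose the duplicate. The block size, segment size and sample bytes are assumptions chosen for the demonstration.

```python
import hashlib
import random
from typing import Iterable, List

BLOCK_SIZE = 512          # hash in sector-sized blocks, the way dd reads the media (assumed)
SEGMENT_SIZE = 1500       # assumed size of each file of a split (segmented) image

# Constructed "source medium": 4 KiB of deterministic pseudo-random bytes, not a real disk.
SOURCE_MEDIA = random.Random(7).randbytes(4096)


def read_blocks(data: bytes, block_size: int = BLOCK_SIZE) -> Iterable[bytes]:
    """Yield the media contents block by block (a dd-style sequential read)."""
    for offset in range(0, len(data), block_size):
        yield data[offset:offset + block_size]


def hash_blocks(blocks: Iterable[bytes]) -> dict:
    """Feed a stream of blocks into MD5 (as the notes specify) and SHA-256.
    Hashing incrementally means the image never has to fit in memory at once."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    for block in blocks:
        md5.update(block)
        sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def make_segments(data: bytes, segment_size: int = SEGMENT_SIZE) -> List[bytes]:
    """Simulate a bit-for-bit duplicate written as several files (image.001, image.002, ...)."""
    return [data[i:i + segment_size] for i in range(0, len(data), segment_size)]


def read_segments(segments: List[bytes], block_size: int = BLOCK_SIZE) -> Iterable[bytes]:
    """Read a split image as ONE continuous stream: the hash must cover the files in
    order and ignore segment boundaries, otherwise it can never match the source."""
    for segment in segments:
        yield from read_blocks(segment, block_size)


def validate_duplicate(original: bytes, segments: List[bytes]) -> dict:
    """Compare the hashes of the original media with those of the files composing the duplicate."""
    source = hash_blocks(read_blocks(original))
    duplicate = hash_blocks(read_segments(segments))
    return {"source": source, "duplicate": duplicate, "match": source == duplicate}


def flip_bit(segments: List[bytes], segment_index: int, byte_index: int) -> List[bytes]:
    """Return a copy of the segments with a single bit altered (simulates a corrupted copy)."""
    tampered = list(segments)
    seg = bytearray(tampered[segment_index])
    seg[byte_index] ^= 0x01
    tampered[segment_index] = bytes(seg)
    return tampered


if __name__ == "__main__":
    good = make_segments(SOURCE_MEDIA)
    print("intact duplicate matches:", validate_duplicate(SOURCE_MEDIA, good)["match"])
    print("one flipped bit matches:", validate_duplicate(SOURCE_MEDIA, flip_bit(good, 1, 10))["match"])
    print("missing last segment matches:", validate_duplicate(SOURCE_MEDIA, good[:-1])["match"])
```

A single flipped bit or a missing segment changes the hash of the duplicate, which is exactly what the comparison is meant to catch; recording SHA-256 next to MD5 costs nothing and avoids relying on MD5 alone.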
Challenges in DFI:
1. Technical challenges – e.g. differing media formats, encryption, steganography, anti-forensics, live acquisition and analysis.
2. Legal challenges – e.g. jurisdictional issues, privacy issues and a lack of standardized
international legislation.
3. Resource challenges – e.g. volume of data, time taken to acquire and analyse forensic media.
➢ Only a few computer files form valid evidence, and it may take a lot of time to locate them.
➢ When information has been deleted, searching for it inside files is worthless.
➢ If files are protected by passwords, investigators must find a way to read the protected data without the owner's cooperation.
➢ Data may be stored on a damaged device, which the investigator then has to examine from a working device.
➢ Every case is different; identifying suitable techniques and tools can take a long time.
➢ It is difficult to prove that the data under examination is unaltered.
Evidence Handling Procedure:
1. Evidence System Description: If examining the contents of a hard drive currently placed within a computer, record information about the computer system under examination (regarding its status and identification).
2. Digital photographs: Take digital photographs of the original system and/or media that is being duplicated.
Reasons:
1. Any claim that you have damaged the property can be rebutted.
2. The system can be returned to its state prior to forensic duplication.
3. The current configuration can be captured, such as network connections, modem connections and any other peripherals.
3. Evidence tag: Fill out an evidence tag for the original media or for the forensic duplicate (the hard drive you will keep as best evidence and store in your evidence safe).
5. Storage: Store the best evidence copy of the evidence media in your evidence safe. Protect it and prevent unauthorized access during storage. Do not expose it to electromagnetic fields or extreme temperatures.
6. Evidence Log: An evidence custodian enters a record of the best evidence into the evidence log for each piece of best evidence inside the evidence safe. Contents:
7. Working copy: All examinations are performed on a forensic copy of the best evidence, called a working copy.
8. Backup copies: An evidence custodian ensures that backup copies of the best evidence are created once the principal investigator for the case states that the data will no longer be needed in an expeditious manner. This minimizes the harmful effects of equipment failure or natural disasters.
9. Disposition: An evidence custodian ensures that all disposition dates assigned by the principal investigator are met. Disposition is executed in 4 ways:
Then the chain of custody is complete, and the item should be removed from the evidence system.
The original and first copy of the custody document are retained in the final disposition file.
All evidence custody documentation should be retained for 5 years from the date of final disposition.
10.Monthly Audit: An evidence custodian performs a monthly audit to ensure all of the best evidence is
present, properly stored, and labeled. It's a checklist for reviewing the evidence safe and readiness of our
incident response capability.
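The evidence tag, evidence log, chain of custody, disposition and monthly audit steps above, as an added worked example (not part of the original notes): a small evidence log in which every custody handoff re-hashes the media against the hash recorded on the tag, final disposition sets the 5-year retention date for the custody documentation, and a monthly audit reports items that are missing, altered, overdue for disposition or present in the safe without a tag. The tag numbers, custodian names, dates and media contents are constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    when: datetime
    custodian: str
    action: str          # acquired / checked out / returned / disposed / integrity failure
    observed_hash: str   # hash of the media as verified at this handoff


@dataclass
class EvidenceItem:
    tag: str
    description: str
    acquisition_hash: str                 # hash written on the evidence tag at acquisition
    disposition_due: Optional[date] = None
    custody: List[CustodyEvent] = field(default_factory=list)
    disposed_on: Optional[date] = None

    def retain_records_until(self) -> Optional[date]:
        """Custody documentation is kept for 5 years from the date of final disposition."""
        if self.disposed_on is None:
            return None
        d = self.disposed_on
        try:
            return d.replace(year=d.year + 5)
        except ValueError:                 # disposed on 29 February
            return d.replace(year=d.year + 5, day=28)


class EvidenceLog:
    def __init__(self) -> None:
        self.items: Dict[str, EvidenceItem] = {}

    def tag_item(self, tag, description, data: bytes, custodian, when: datetime,
                 disposition_due: Optional[date] = None) -> EvidenceItem:
        """Fill out the evidence tag and open the chain of custody with an 'acquired' entry."""
        item = EvidenceItem(tag, description, sha256_of(data), disposition_due)
        item.custody.append(CustodyEvent(when, custodian, "acquired", item.acquisition_hash))
        self.items[tag] = item
        return item

    def handoff(self, tag, custodian, action, data: bytes, when: datetime) -> bool:
        """Record a custody transfer. The media is re-hashed at every handoff; a mismatch
        is still logged (the chain must show it) but is labelled as an integrity failure."""
        item = self.items[tag]
        observed = sha256_of(data)
        intact = observed == item.acquisition_hash
        label = action if intact else f"integrity failure during {action}"
        item.custody.append(CustodyEvent(when, custodian, label, observed))
        return intact

    def dispose(self, tag, custodian, when: datetime) -> date:
        """Close the chain of custody and return the date until which the records are kept."""
        item = self.items[tag]
        item.custody.append(CustodyEvent(when, custodian, "disposed", item.acquisition_hash))
        item.disposed_on = when.date()
        return item.retain_records_until()

    def monthly_audit(self, safe_contents: Dict[str, bytes], today: date) -> List[Tuple[str, str]]:
        """Check the safe against the log: presence, integrity, disposition dates, untagged items."""
        findings = []
        for tag, item in self.items.items():
            if item.disposed_on is not None:
                continue                   # disposed items are no longer expected in the safe
            if tag not in safe_contents:
                findings.append((tag, "missing from safe"))
            elif sha256_of(safe_contents[tag]) != item.acquisition_hash:
                findings.append((tag, "hash mismatch"))
            if item.disposition_due and today > item.disposition_due:
                findings.append((tag, "disposition overdue"))
        for tag in safe_contents:
            if tag not in self.items:
                findings.append((tag, "untagged item in safe"))
        return findings

    def custody_report(self, tag) -> List[str]:
        return [f"{e.when:%Y-%m-%d %H:%M} {e.custodian}: {e.action} ({e.observed_hash[:12]})"
                for e in self.items[tag].custody]


if __name__ == "__main__":
    log = EvidenceLog()
    image_a = b"constructed-image-A" * 64          # stands in for a best-evidence drive image
    log.tag_item("E-001", "laptop HDD image", image_a, "custodian1", datetime(2024, 1, 10, 9, 0), date(2024, 6, 30))
    log.handoff("E-001", "examiner", "checked out", image_a, datetime(2024, 1, 11, 10, 0))
    log.handoff("E-001", "examiner", "returned", image_a[:-1] + b"X", datetime(2024, 1, 12, 10, 0))
    print("\n".join(log.custody_report("E-001")))
    print(log.monthly_audit({"E-001": image_a, "E-009": b"no tag"}, date(2024, 7, 1)))
```

The audit returns findings rather than printing them so the same function can feed the monthly checklist; an empty list is the expected result for a safe whose contents all match their tags.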
3) Explain ethical issues involved in digital forensics.
Ans: Ethics in digital forensics is a set of moral principles that regulates the use of digital devices. Some common ethical issues in digital forensics include:
4) Why is forensic duplication required? What are the requirements of forensic duplication tool?
Forensic Duplication: An accurate copy of data (an image of every accessible bit from the source medium) that is created with the goal of being admissible as evidence in legal proceedings. A forensic duplicate stores every bit of information from the source in a raw bitstream format.
2. Digital evidence can be duplicated with no degradation from copy to copy which is not the case with
most other forms of evidence.
Forensic Duplication tool Requirements:
5) State and explain the steps of the analysis process in digital forensics.
3. Inspect the data content: Look for the following two types of evidence:
1. Network anomalies
2. Common host-based artifacts of data theft
Indicators of these include:
3. Login activity outside of expected hours
4. Odd connection durations
5. Unexpected connection sources (eg.remote session from a workstation to a server)
6. Periods of abnormally high CPU or disk utilization (common when compressing data)
7. File artifacts associated with the use of common compression tools
8. Recently installed or modified services, or the presence of other persistence mechanisms
9. Check for Malware
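Indicators 3 to 7 of the list above, as an added worked example (not part of the original notes): a small analysis pass over constructed session records that flags logins outside expected hours, unusually long sessions and remote sessions from a workstation to a server, plus a check of a constructed file listing for compression-tool artifacts in temporary directories. The log format, hostname prefixes, business hours and duration threshold are assumptions chosen for the demonstration; a real case would take its baseline from the organisation's own records.

```python
import re
from datetime import datetime
from typing import List, Optional

# Constructed session records for the demonstration (not real logs): one logon per line.
SAMPLE_LOG = """\
2024-03-04 02:17:05 LOGON user=jsmith src=WS-14 dst=FILESRV-01 type=remote duration=5400
2024-03-04 09:05:11 LOGON user=amiller src=WS-07 dst=FILESRV-01 type=interactive duration=600
2024-03-04 10:12:40 LOGON user=jsmith src=WS-14 dst=WS-14 type=interactive duration=28800
2024-03-04 23:48:02 LOGON user=svc_backup src=BKP-01 dst=FILESRV-01 type=remote duration=3600
2024-03-05 12:30:00 LOGON user=jsmith src=WS-14 dst=DB-02 type=remote duration=120
2024-03-05 14:00:00 LOGON user=amiller src=LT-03 dst=FILESRV-01 type=interactive duration=43200
"""

# Constructed file listing from the host under examination.
SAMPLE_FILES = [
    "C:/Users/jsmith/AppData/Local/Temp/export_2024.7z",
    "C:/Users/jsmith/Documents/report.docx",
    "C:/Windows/Temp/staging.rar",
    "C:/Program Files/7-Zip/7z.exe",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) LOGON user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"type=(?P<type>\S+) duration=(?P<dur>\d+)$"
)

EXPECTED_HOURS = range(8, 18)          # assumed baseline: 08:00-17:59 is normal working time
MAX_SESSION_SECONDS = 10 * 3600        # assumed baseline: sessions over 10 h are unusual
WORKSTATION_PREFIXES = ("WS-", "LT-")  # assumed naming convention for workstations/laptops
SERVER_PREFIXES = ("FILESRV-", "DB-")  # assumed naming convention for servers
ARCHIVE_SUFFIXES = (".7z", ".rar", ".zip")


def parse_line(line: str) -> Optional[dict]:
    """Parse one record; lines that do not fit the format are skipped rather than guessed at."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["dur"] = int(ev["dur"])
    return ev


def flag_event(ev: dict) -> List[str]:
    """Apply the three session-level indicators to one event."""
    reasons = []
    if ev["ts"].hour not in EXPECTED_HOURS:
        reasons.append("login outside expected hours")
    if ev["dur"] > MAX_SESSION_SECONDS:
        reasons.append("unusually long session")
    if (ev["type"] == "remote" and ev["src"].startswith(WORKSTATION_PREFIXES)
            and ev["dst"].startswith(SERVER_PREFIXES)):
        reasons.append("remote session from a workstation to a server")
    return reasons


def analyze(log_text: str) -> List[dict]:
    """Return only the events that triggered at least one indicator, with the reasons."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = flag_event(ev)
        if reasons:
            findings.append({"time": ev["ts"].isoformat(sep=" "), "user": ev["user"],
                             "src": ev["src"], "dst": ev["dst"], "reasons": reasons})
    return findings


def compression_artifacts(paths: List[str]) -> List[str]:
    """Archive files sitting in a temporary directory are a common staging artifact of data theft."""
    return [p for p in paths
            if p.lower().endswith(ARCHIVE_SUFFIXES) and "/temp/" in p.lower()]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["time"], f["user"], f["src"], "->", f["dst"], "|", "; ".join(f["reasons"]))
    print("archive staging artifacts:", compression_artifacts(SAMPLE_FILES))
```

Each finding carries every reason that applied, so an event that is both out of hours and an unexpected workstation-to-server session stands out above one that only trips a single rule.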
Steps:
1. Avoid disclosing your identity to any strangers.
2. Always use the latest antivirus software to guard against virus attacks.
3. Never send your credit card number to any site which is not secured.
4. Use of firewall
5. Change passwords frequently
6. Uninstall unnecessary software
7. Websites must monitor their traffic
8. Parents must restrict and monitor their children's use of the internet.
9. Web servers in public domain must be segregated physically and protected from internal network.
2. Scanning:
Pre-attack phase: In scanning, the attacker begins to actively probe a target machine or network for vulnerabilities that can be exploited. He tries to extract specific information on the basis of the information gathered during reconnaissance.
Port Scanner: Scanning includes the use of dialers, port scanners, network mappers, ping tools and vulnerability scanners. The tools used in this process are Nessus, Nexpose, Wireshark and NMAP.
Info Extract: The attacker extracts information such as live machines, ports, port status, OS details, device type and system uptime.
4. Maintaining access: After gaining access, the hacker installs backdoors, rootkits or trojans in order to re-enter the system whenever he/she needs access to this owned system in future (retain ownership). Metasploit is the preferred tool in this process. He also tries to maintain exclusive access by blocking out others. Such a compromised system is used by him to launch further attacks.
5. Clearing tracks: This process is actually an unethical activity. It has to do with the deletion of logs of all the activities, such as server, system and application logs, to delete any evidence that might lead to his prosecution.
Team’s Mission:
1. Evidence collection
2. Documentation
3. Storage
4. Shipment
5. Procedures must enforce integrity, provide for authentication and validation
3. Preparing the Infrastructure:
A. Asset Management: Have all information in one place. The following information must
be kept:
1. Date provisioned
2. Ownership
3. Business unit
4. Role or services
5. Physical location
6. Network configuration
7. Contact information
B. Performing Survey:
1. OS
2. Hardware
3. Networking technologies
4. Network diagram
5. Security software
6. Endpoint applications
7. Business applications
Issues: what to log and for how long to keep it, centralized vs. decentralized logging, OS vs. application logs.
Windows OS: Include log-on and log-off events, log process creation and termination activities, increase local storage for each event