
T.E.

Semester VI Subject: DF

1) Define Digital forensics and digital evidence. State the rules of Digital forensics and rules of digital
evidence.

Ans: Digital Forensics: The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources, for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations. (Mnemonic: CID APPV.)

Rules of Digital Forensics:

Rule 1. An examination should never be performed on the original media.

Rule 2. A copy (image) is made onto forensically sterile media. New media should always be used if
available.

Rule 3. The copy of the evidence must be an exact, bit-by-bit copy. (Sometimes referred to as a bit-
stream copy).

Rule 4. The computer (any digital device) and the data on it must be protected during the acquisition of
the media to ensure that the data is not modified. Use a write blocking device that prevents accidental
damage to the drive contents by allowing read commands but blocking write commands.

Rule 5. The examination must be conducted in such a way as to prevent any modification of the
evidence.

Rule 6. The chain of custody of all evidence must be clearly maintained to provide an audit log of who might have accessed the evidence and at what time.

Digital Evidence: Digital evidence is any information or data that can be trusted, that can prove something related to a case at trial, and that is stored on, received by or transmitted by an electronic device, e.g. text messages, emails, pictures, videos and internet searches.

Rules of Digital Evidence: Rules of evidence are concerned with the amount, quality and type of proof needed to establish a fact in legal proceedings.

1. Admissible: Evidence must have been preserved and gathered in such a way that it can be used in court. Failure to obtain a proper warrant, breaking the chain of evidence, or mishandling or destroying the evidence renders it inadmissible.

2. Authentic: The evidence must be relevant to the case, and the forensic examiner must be able to account for the origin of the evidence. A relationship must be established between the computer, the message, and the person who sent the message.

3. Complete: A clear and complete picture must be presented that accounts for how the evidence came to be. Incomplete evidence may go unnoticed, which can be even more dangerous than no evidence at all.

4. Reliable: There should be no doubt about the soundness of the examiner's conclusions. The techniques used must be credible and generally accepted in the field. If the examiner made any errors or used questionable techniques, this could cast reasonable doubt on the case.

5. Believable: A forensic examiner must be able to explain, clearly and concisely, what processes were used and how the integrity of the evidence was preserved. The evidence must be easily explainable and believable.

Rule 103 (Rulings on Evidence):

1. Preserving a claim of error
2. No need to renew an objection or offer of proof
3. Directing an offer of proof
4. Taking notice of plain error

2) What are the challenges in digital forensics? Explain evidence handling procedure.

Ans: Challenges in Digital Forensics:

1. Authentication of Evidence
To introduce a piece of evidence through testimony, the evidence must be authenticated by a witness who has personal knowledge of its origin.

2. Maintaining the chain of custody
The evidence collected must not be accessed by any unauthorized individual and must be stored in a tamper-proof manner. For each item obtained, there must be a complete chain of custody record. One must be able to trace the location of the evidence from the moment it was collected to the moment it was presented in a judicial proceeding.

3. Evidence Validation
The challenge is to ensure that the data you collected is the same data that is later presented in court. To meet the challenge of validation, it is necessary to ensure that the original media matches the forensic duplicate by comparing MD5 hashes. The verify function within the EnCase application can be used while duplicating a hard drive with EnCase. To perform a forensic duplication using dd, record an MD5 hash for both the original evidence media and the files that make up the forensic duplicate.

Challenges in DFI:

1. Technical challenges, e.g. differing media formats, encryption, steganography, anti-forensics, live acquisition and analysis.
2. Legal challenges, e.g. jurisdictional issues, privacy issues and a lack of standardized international legislation.
3. Resource challenges, e.g. the volume of data and the time taken to acquire and analyse forensic media.

➢ Only a few computer files form valid evidence, and it may take a lot of time to locate them.
➢ When information has been deleted, searching for it inside the files is pointless.
➢ If files are password protected, investigators must find a way to read the protected data without the owner's cooperation.
➢ Data may be stored on a damaged device, and the investigator may have to recover it onto a working device.
➢ Every case is different, so identifying the right techniques and tools takes a long time.
➢ It is difficult to prove that the data under examination is unaltered.

Evidence Handling Procedure:

1. Evidence System Description: If examining the contents of a hard drive currently installed in a computer, record information about the computer system under examination (its status and identification).

2. Digital photographs: Take digital photographs of the original system and/or media that is being duplicated.

Reasons:

1. Protects against any claim that you damaged the property.
2. The system can be returned to its state prior to forensic duplication.
3. The current configuration can be captured, such as network connections, modem connections and any other peripherals.

3. Evidence tag: Fill out an evidence tag for the original media or for the forensic duplicate (the hard drive you will keep as best evidence and store in your evidence safe).

The tag contains the following information:

1. Origin (place, person)
2. Search permission requirements
3. Description of the item
4. Type of contents
5. Chain of custody: timestamp of evidence reception, receiver information, evidence case and tag number. The chain of custody (CoC) is the chronological documentation or paper trail that records the sequence of custody, control, transfer, analysis, and disposition of physical or electronic evidence.

4. Evidence label: Media should be appropriately labeled with an evidence label.

5. Storage: Store the best evidence copy of the evidence media in your evidence safe. Protect it and prevent unauthorized access during storage. Do not expose it to electromagnetic fields or extreme temperatures.

6. Evidence Log: An evidence custodian enters a record of the best evidence into the evidence log for each piece of best evidence inside the evidence safe. Contents:

1. Tag number of the evidence
2. Date of the evidence
3. Details of the action taken
4. The consultant who performed the action
5. Information about the media being acted upon.

7. Working copy: All examinations are performed on a forensic copy of the best evidence, called a working copy.

8. Backup copies: An evidence custodian ensures that backup copies of the best evidence are created once the principal investigator for the case states that the data will no longer be needed in an expeditious manner. This minimizes the adverse effects of equipment failure or natural disasters.

9. Disposition: An evidence custodian ensures that all disposition dates assigned by the principal investigator are met. Disposition is executed in one of 4 ways:

1. Dispose of the evidence appropriately
2. Return the evidence to the agency that owns or is accountable for the property
3. Transfer the evidence to the cognizant staff judge advocate, legal officer, or civil authority
4. Retain the evidence in custody

Then the chain of custody is complete, and the item should be removed from the evidence system. The original and first copy of the custody document are retained in the final disposition file. All evidence custody documentation should be retained for 5 years from the date of final disposition.

10. Monthly Audit: An evidence custodian performs a monthly audit to ensure that all of the best evidence is present, properly stored, and labeled. It is a checklist for reviewing the evidence safe and the readiness of our incident response capability.
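The evidence tag, chain-of-custody record and monthly audit from the procedure above, modelled as a small Python script. This is an added example, not from the notes: the field names, the item values and the sample image bytes are constructed for illustration.

```python
"""Evidence tag, chain of custody and monthly audit for the handling procedure
above. Added example, not from the notes: field names, item values and the
sample image bytes are constructed for illustration."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class CustodyEntry:
    timestamp: str   # when custody changed (UTC, ISO 8601)
    holder: str      # person or location now holding the item
    action: str      # received / transferred / analysed / disposed
    sha256: str      # hash checked at hand-over; must equal the tag's hash


@dataclass
class EvidenceTag:
    tag_number: str
    origin: str       # place and person the item was obtained from
    permission: str   # search warrant or consent reference
    description: str
    content_type: str
    sha256: str       # hash recorded at acquisition (best evidence)
    chain: list = field(default_factory=list)
    closed: bool = False

    def record(self, holder: str, action: str, current_sha256: str) -> None:
        """Append a custody entry. Refuses if the item no longer hashes to the
        acquisition value or if disposition has already closed the chain."""
        if self.closed:
            raise ValueError(f"{self.tag_number}: chain already closed")
        if current_sha256 != self.sha256:
            raise ValueError(f"{self.tag_number}: integrity check failed on {action}")
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.chain.append(CustodyEntry(stamp, holder, action, current_sha256))
        if action == "disposed":          # final disposition completes the chain
            self.closed = True


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def attempt(tag: EvidenceTag, holder: str, action: str, sha: str) -> str:
    """Wrapper returning 'ok' or the reason the custody change was refused."""
    try:
        tag.record(holder, action, sha)
        return "ok"
    except ValueError as err:
        return str(err)


def audit(tags, safe_contents: set) -> list:
    """Monthly audit: every tag needs a custody record, and every item that has
    not been disposed of must still be in the evidence safe."""
    problems = []
    for t in tags:
        if not t.chain:
            problems.append(f"{t.tag_number}: no custody record")
        if not t.closed and t.tag_number not in safe_contents:
            problems.append(f"{t.tag_number}: open item missing from safe")
    return problems


if __name__ == "__main__":
    image = b"constructed drive image bytes"            # stands in for a disk image
    tag = EvidenceTag("CASE1-001", "Server room, J. Doe", "Warrant 42",
                      "500 GB SATA drive", "disk image", sha256_of(image))
    print(attempt(tag, "evidence custodian", "received", sha256_of(image)))
    print(attempt(tag, "examiner A", "analysed", sha256_of(image + b"!")))  # tampered
    print(audit([tag], safe_contents={"CASE1-001"}))
```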

3) Explain ethical issues involved in digital forensics.

Ans: Ethics in digital forensics is a set of moral principles that regulate the use of digital devices. Some common ethical issues in digital forensics include:

1. Intellectual property resources
2. Privacy concerns: It is expected that disk and user device manufacturers should provide backdoors to aid investigators in bypassing lockouts and ensuring effective digital forensic analysis. There is a genuine possibility that such techniques would find their way into the wrong hands, who would breach the confidentiality attached to the data in infringing and embarrassing ways.
3. How computers affect society
4. Fear of unpredictability: Due to the complex nature of the digital artefacts from which evidence is gathered, different digital forensic tools use different techniques to perform the same tasks, leaving users confused about which computing behaviours are deemed inappropriate. This leads to fear, which tends to influence the computing activities of users, as they become conservative rather than expressive.
5. Exploitation of tools: Experienced computer experts can reverse engineer or extend modules of a digital forensic system, especially open source systems. These tools are even used to hamper their own effectiveness in anti-forensic moves, thus discrediting the information they produce as results.
6. Inconsistent educational/training outcomes: Use of digital forensic systems requires prerequisite specialized skills which are not acquirable from general computing education; they are imparted through specific training. However, there are significant differences in the quality and quantity of skills learnt at various training centres due to a lack of regulation. As a result there are concerns about the specific set of qualifications necessary to prove that a person is adequately competent to use certain digital forensic systems.

4) Why is forensic duplication required? What are the requirements of forensic duplication tool?

Forensic Duplication: An accurate copy of data (an image of every accessible bit from the source medium) that is created with the goal of being admissible as evidence in legal proceedings. A forensic duplicate stores every bit of information from the source in a raw bitstream format.

Forensic duplication is required for 2 main reasons:

1. It allows working from a duplicate image, which:

(a) Preserves the original digital evidence.

(b) Prevents inadvertent alteration of the original digital evidence during examination.

(c) Allows recreation of the duplicate image, if necessary.

2. Digital evidence can be duplicated with no degradation from copy to copy, which is not the case with most other forms of evidence.

Forensic Duplication Tool Requirements:

The tool must do the following:

1. Make a bitstream duplicate or an image of an original disk or partition.
2. Not alter the original disk.
3. Verify disk image file integrity.
4. Log I/O errors.
5. Create a forensic duplicate of the original storage media.
6. Handle read errors.
7. Make no changes to the source medium.
8. Produce results that are verifiable by a second party using scientific methods.
9. While accessing the source:
a. No errors: produce a bitstream duplicate.
b. Errors: create a qualified bitstream duplicate.
c. I/O errors: create a qualified bitstream duplicate and log the I/O error in an accessible and readable form. Log contents: type and location of the error.
10. Access disk drives through one or more well-defined interfaces.
11. While copying a source to a destination:
a. size(Destination) > size(Source): document the contents of the areas on the destination that are not part of the copy.
b. size(Destination) < size(Source): notify the user, truncate the copy and log this action.
12. Have proper documentation covering both mandatory and optional requirements.

Examples: dd, Ghost, SafeBack, ProDiscover Basic
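The tool requirements above (qualified bitstream duplicate, an I/O error log giving type and location, destination-size handling, integrity verification) together with the MD5 validation step from question 2, as a small Python imager. This is an added example, not code from the notes, dd or EnCase; FlakySource is a constructed stand-in for an evidence drive with an unreadable sector.

```python
"""Qualified bitstream duplication with error logging and hash verification.
Added example, not from the notes or from any real imaging tool. FlakySource
is a constructed stand-in for an evidence drive with unreadable sectors."""
import hashlib

BLOCK = 512  # sector-sized read unit, as with dd bs=512


class FlakySource:
    """Constructed source medium: the listed block numbers fail to read."""
    def __init__(self, data: bytes, bad_blocks=()):
        self.data, self.bad_blocks = data, set(bad_blocks)

    @property
    def size(self) -> int:
        return len(self.data)

    def read_block(self, index: int) -> bytes:
        if index in self.bad_blocks:
            raise OSError("Input/output error")
        return self.data[index * BLOCK:(index + 1) * BLOCK]


def digests(data: bytes) -> dict:
    """MD5 (as the notes use) plus SHA-256, which you would record as well today."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def duplicate(source: FlakySource, dest_capacity: int) -> dict:
    """Bit-for-bit copy of source into a destination of dest_capacity bytes.
    Unreadable blocks are zero-filled and logged with type and offset (a
    'qualified' duplicate); a destination smaller than the source truncates
    the copy and logs it; a larger destination has its unused tail documented.
    The source is only ever read, never written."""
    log = []
    copy_len = source.size
    if dest_capacity < source.size:
        copy_len = dest_capacity
        log.append(f"destination too small: copy truncated to {copy_len} bytes")
    out = bytearray()
    for i in range(-(-copy_len // BLOCK)):            # ceiling division
        try:
            chunk = source.read_block(i)
        except OSError as err:
            log.append(f"{type(err).__name__} '{err}' at offset {i * BLOCK}")
            chunk = b"\x00" * BLOCK                     # pad the unreadable sector
        out += chunk[: copy_len - i * BLOCK]            # never exceed copy_len
    if dest_capacity > copy_len:
        log.append(f"destination bytes {copy_len}-{dest_capacity - 1} "
                   "are not part of the copy")
    image = bytes(out)
    return {"image": image, "log": log, "hashes": digests(image)}


def verify(source: FlakySource, image: bytes) -> bool:
    """Validation step: re-read the source under the same rules and compare the
    hashes of the fresh copy with those of the image being checked."""
    return digests(image) == duplicate(source, len(image))["hashes"]


if __name__ == "__main__":
    drive = FlakySource(bytes(range(256)) * 6, bad_blocks=[1])  # 3 sectors, #1 bad
    result = duplicate(drive, dest_capacity=2048)
    for line in result["log"]:
        print(line)
    print("md5", result["hashes"]["md5"], "verified:", verify(drive, result["image"]))
```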

5) State and explain the steps of the analysis process in digital forensics.

Performing analysis on new data (the scientific method):

1. Define and understand objectives.
Identify (or designate) who will define the objectives and ensure the entire investigative team is aware of who that person is.
2. Obtain relevant data: Explore possible data sources and understand how you can use them.
1. Sources: desktops, laptops, hard drives, external storage, virtual desktops, servers, mobile devices, network and cloud devices.
2. Four high-level categories of evidence:
a. Operating system: file systems, state information, OS logs, registry, syslog, etc.
b. Application: Internet browser cache, database files, web server logs, chat program user preferences and logs, email client data files, etc.
c. User data: user data on other systems throughout the environment, e.g. e-mail, documents, spreadsheets, or source code may be stored in centralized locations for each user.
d. Network services and instrumentation: DHCP, DNS, and proxy servers, IDS/IPS systems, and firewalls.

3. Inspect the data content: Look for the following types of evidence:
1. Network anomalies
2. Common host-based artifacts of data theft
3. Login activity outside of expected hours
4. Odd connection durations
5. Unexpected connection sources (e.g. a remote session from a workstation to a server)
6. Periods of abnormally high CPU or disk utilization (common when compressing data)
7. File artifacts associated with the use of common compression tools
8. Recently installed or modified services, or the presence of other persistence mechanisms
9. Check for malware

4. Perform any necessary conversion or normalization.

5. Select a method: Choose one of the following methods:

1. Use of external resources
2. Manual inspection
3. Use of specialized tools
4. Data minimization through sorting and filtering
5. Statistical analysis
6. Keyword searching
7. File and record carving

6. Perform the analysis.

7. Evaluate the results.
You should evaluate results periodically throughout the analysis process. Once the process is complete, you should evaluate how well the result answers the investigative questions. If the results you are looking at do not help, you may need to consider a different approach or different sources of evidence.
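Step 3 above (login activity outside expected hours, odd connection durations, unexpected connection sources) as detection logic run over a few constructed session records. This is an added example, not from the notes; the record format, the hostname convention, the working-hours window and the duration thresholds are all assumptions.

```python
"""Inspecting login records for the anomalies listed in the analysis step.
Added example, not from the notes. The record format, hostname convention,
working-hours window and duration thresholds are constructed assumptions."""
import re
from datetime import datetime, timezone

RECORD = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
                    r"dst=(?P<dst>\S+) dur=(?P<dur>\d+)$")

# Assumed policy for the constructed environment: interactive logins are
# expected 08:00-17:59 UTC on weekdays, sessions to servers (SRV-*) should
# originate only from the jump host, and sessions shorter than 2 s or longer
# than 8 h deserve a closer look.
WORK_HOURS = range(8, 18)
JUMP_HOSTS = {"JUMP-01"}
MIN_DUR, MAX_DUR = 2, 8 * 3600


def parse(line: str):
    """Return a dict for a well-formed record, None for anything else."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["dur"] = int(rec["dur"])
    return rec


def reasons_for(rec: dict) -> list:
    """Apply the three checks from the analysis step to one record."""
    reasons = []
    if rec["ts"].weekday() >= 5 or rec["ts"].hour not in WORK_HOURS:
        reasons.append("login outside expected hours")
    if not MIN_DUR <= rec["dur"] <= MAX_DUR:
        reasons.append("odd connection duration")
    if rec["dst"].startswith("SRV-") and rec["src"] not in JUMP_HOSTS:
        reasons.append("unexpected connection source")
    return reasons


def analyse(lines) -> list:
    """Return (user, src, dst, reasons) for every record that trips a check;
    malformed lines are skipped rather than aborting the run."""
    findings = []
    for rec in filter(None, map(parse, lines)):
        reasons = reasons_for(rec)
        if reasons:
            findings.append((rec["user"], rec["src"], rec["dst"], reasons))
    return findings


# Constructed sample records (2024-03-05 is a Tuesday, 2024-03-09 a Saturday).
SAMPLE = [
    "2024-03-05T09:15:02Z user=alice src=JUMP-01 dst=SRV-DB1 dur=900",
    "2024-03-05T02:41:10Z user=bob src=WS-17 dst=SRV-FILE1 dur=43200",
    "2024-03-09T11:00:00Z user=carol src=JUMP-01 dst=SRV-WEB1 dur=1",
    "garbage line that does not parse",
    "2024-03-06T17:59:59Z user=dave src=WS-03 dst=WS-09 dur=300",
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(finding)
```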

7) Explain different categories of cyber crimes with examples.

1. Cybercrimes against people:
Cybercrimes committed against people include crimes such as cyber pornography, transmission of child pornography, harassment of an individual through email, false legal agreement scams, etc.
2. Cybercrimes against property:
Crimes in this category include computer vandalism, meaning the destruction of others' property, and the transmission of harmful viruses, worms, or programs.
3. Cybercrimes against government:
Cyber terrorism is a distinct crime in this category. The spread of the internet has shown that this medium is used by individuals and groups to threaten international governments and to terrorize the citizens of a country.
4. Cybercrime against society:
This affects society as a whole, for example: financial crimes against public organizations, selling illegal products, trafficking, online gambling, forgery, etc.
5. Cybercrime against companies/organizations:
This is one of the most common types of cyber crime today. When a company's online presence or any of its products is hacked, it becomes a serious problem that can result in a large number of consequences for the company, as well as its employees, associates and customers. Examples include data breaches and cyber extortion.

8) What are the roles of computers in cyber crime? Explain how to prevent cyber crime.

Ans: Roles of computers in cyber crime

Computers can play the following roles in combating crime:

1. Communication tool
2. DNA testing
3. Criminal database management
4. Fingerprinting
5. Crime scene reconstruction and forensics (simulations)
6. CCTV monitoring

Prevention of Cyber Crime:
Follow the 5 Ps of Online Security:
1. Precaution
2. Prevention
3. Protection
4. Preservation
5. Perseverance

Steps:
1. Avoid disclosing your identity to any strangers.
2. Always use the latest antivirus software to guard against virus attacks.
3. Never send your credit card number to any site which is not secured.
4. Use of firewall
5. Change passwords frequently
6. Uninstall unnecessary software
7. Websites must monitor their traffic
8. Parents must restrict and monitor their children's use of the internet.
9. Web servers in public domain must be segregated physically and protected from internal network.

9) What is ethical hacking? Explain the steps involved in ethical hacking.

Ans: Ethical hacking is the methodology of seeking out weaknesses and loopholes in a PC, network or information system for testing purposes.

1. Reconnaissance: Preparatory phase where a hacker seeks to gather as much information as possible about the target. Reconnaissance is the phase where the attacker gathers information about a target using active or passive methods. Tools: NMAP, Hping, Maltego, and Google Dorks.
Active: Interacting directly with the target by any means, e.g. telephone calls.
Passive: Interacting indirectly with the target, e.g. through public records or news releases.

2. Scanning:
Pre-attack phase: In scanning, the attacker begins to actively probe a target machine or network for vulnerabilities that can be exploited. He tries to extract specific information on the basis of the information gathered during reconnaissance.
Port scanning: Scanning includes the use of dialers, port scanners, network mappers, ping tools and vulnerability scanners. The tools used in this process are Nessus, Nexpose, Wireshark, and NMAP.
Information extracted: The attacker extracts information such as live machines, ports, port status, OS details, device type and system uptime.

3. Gaining Access: The vulnerability is located and you attempt to exploit it in order to enter the system. The primary tool used in this process is Metasploit. The attacker can gain access at the OS, application or network layer. Privileges can be escalated to get complete access. E.g. password cracking, DoS, session hijacking, buffer overflows.

4. Maintaining access: After gaining access, the hacker installs backdoors, rootkits or trojans in order to re-enter the system whenever he/she needs access to this owned system in the future (retaining ownership). Metasploit is the preferred tool in this process. He also tries to maintain exclusive access by blocking out others. Such a compromised system is used by him to launch further attacks.

5. Clearing tracks: This process is actually an unethical activity. It involves the deletion of logs of all activities, such as server, system and application logs, to delete any evidence that might lead to his prosecution.

11) What are the goals of Incident response?

● Prevents a disjointed, noncohesive response (which could be disastrous)
● Confirms or dispels whether an incident occurred
● Promotes accumulation of accurate information
● Establishes controls for proper retrieval and handling of evidence
● Protects privacy rights established by law and policy
● Minimizes disruption to business and network operations
● Allows for criminal or civil action against perpetrators
● Provides accurate reports and useful recommendations
● Provides rapid detection and containment
● Minimizes exposure and compromise of proprietary data
● Protects your organization’s reputation and assets
● Educates senior management
● Promotes rapid detection and/or prevention of such incidents in the future (via lessons learned,
policy changes, and so on)

12) Explain the steps involved in pre incident preparation.

1. Preparing the Organization:

a. Identifying risks: Getting the big picture of the organization's risk and identifying what the critical assets are, what their exposure and threats are, and what regulatory requirements the organization has to comply with.
b. Policies that promote a successful IR: Acceptable Use Policy, Security Policy, Remote Access Policy, Internet Usage Policy.
c. Working with outsourced IT: A written agreement that specifies what will or will not be provided in case of an investigation.
d. Global infrastructure issues: Policy and labor regulations, team coordination, data accessibility.
e. Educating users on host-based security:
i. About actions that should or should not be taken from a computer security and IR viewpoint
ii. Policy about software installed by users
iii. Adhering to security measures
f. Handle technical issues
2. Preparing the IR Team: The team must be detail oriented, not rush the important things, and document their actions.

Team’s Mission:

1. Conduct a complete, impartial investigation
2. Quickly confirm or dispel whether the incident occurred
3. Assess damage and scope
4. Control and contain the incident
5. Collect and document evidence
6. Provide a liaison to law enforcement and legal authorities
7. Maintain necessary confidentiality
8. Provide expert testimony
9. Provide recommendations to management

Resources for IR Team

1. Training: University / Industry training centers

Equipment requirements (the tools must be forensically sound):

1. Data protection: encrypt data using software / hardware
2. Memory
3. CPU
4. I/O buses
5. Portability
6. Use write-blockers
7. Use of virtual machines is preferred

Evidence Handling: Appropriate procedures for

1. Evidence collection
2. Documentation
3. Storage
4. Shipment
5. Procedures must enforce integrity and provide for authentication and validation

3. Preparing the Infrastructure:

Computing device configuration: The majority of evidence is found on computing devices, so the results of an investigation depend heavily on device configuration. The following are four suggested areas:

A. Asset Management: Have all information in one place. The following information must
be kept:
1. Date provisioned
2. Ownership
3. Business unit
4. Role or services
5. Physical location
6. Network configuration
7. Contact information

B. Performing Survey:

1. OS
2. Hardware
3. Networking technologies
4. Network diagram
5. Security software
6. Endpoint applications
7. Business applications

C. Instrumentation: Log files are of extreme importance.

Issues: what to log and for how long to keep it, centralized vs. decentralized logging, OS vs. application logs.

Windows OS: Include log-on and log-off events, log process creation and termination activities, increase local storage for each event log.

Unix-based OS: Enable process accounting if possible; increase local storage.

In both types of OS, forward logs to a centralized location.

D. Additional steps to improve security:

1. Establish a patching solution for OS and applications
2. Try to use two-factor authentication and enforce good passwords
3. Deploy firewall and AV solutions
4. Remove local administrative access
