Q1. Define Digital Forensics.
(P4 - Appeared 1 Time) (5-10 Marks)
Ans: Digital Forensics
● Digital Forensics is defined as the process of preservation,
identification, extraction, and documentation of computer evidence
which can be used by the court of law.
● Digital Forensics is also referred to as Digital Forensic science, a
branch of computer forensic science that includes the restoration
and inspection of material detected in digital devices, often in
relation to a cybercrime.
● It is a science of finding evidence from digital media like a
computer, mobile phone, server, or network. It provides the
forensic team with the best techniques and tools to solve
complicated digital-related cases.
● Digital forensic can also be defined as collection, preservation,
analysis and presentation of computer/cyber-related evidence.
Q2. Define Digital Forensics Categories. Explain Database Forensics
in Brief. (P4 - Appeared 1 Time) (5-10 Marks)
Ans: Digital Forensics is the practice of identifying, acquiring and
analyzing electronic evidence. Below are the different categories of
Digital Forensics:
1. Computer Forensics:
The purpose of computer forensics is to obtain evidence
from various computer systems, storage mediums, or
electronic documents.
2. Network Forensics:
The purpose of Network Forensics is to monitor and analyze
computer network traffic, including LAN/WAN and internet
traffic, with the aim of gathering information, collecting evidence,
or detecting and determining the extent of intrusions and the
amount of compromised data.
3. Mobile Devices Forensics:
This involves the recovery of digital evidence or data from mobile
devices. This can include call and communication data, such as
call logs, text messages, and in-app communication via Whatsapp,
WeChat, etc as well as location information via inbuilt GPS
Q3. What Is a Digital Forensic Incident? Define Computer Security
Incident. (P4 - Appeared 1 Time) (5-10 Marks)
Ans: Digital Forensic Incident:
● A digital forensic incident is an event that involves the collection
and analysis of digital evidence for the purpose of investigating
and resolving security incidents.
● This type of incident typically involves the use of specialized
tools and techniques to analyze digital data, such as log files,
network traffic, and storage devices.
● Digital forensic incidents can include a wide range of security-
related events, such as network breaches, unauthorized access,
data theft, and malware infections.
● The goal of a digital forensic incident is to identify the scope
and impact of the incident, as well as to gather evidence that
can be used in legal proceedings or to improve security
controls.
Computer security incident:
● Computer Security Incident is any event that involves the
unauthorized access, use, disclosure, or destruction of
computer systems, networks, or data. These incidents can
range from relatively minor events, such as failed login
attempts, to major breaches that result in the theft of sensitive
data or the disruption of critical services.
● Computer security incidents can have a wide range of causes,
including human error, malware infections, phishing attacks, and
insider threats. The impact of these incidents can be significant,
including financial losses, reputational damage, and legal liabilities.
● To respond to computer security incidents, organizations
typically implement incident response plans that include
procedures for detecting, investigating, containing, and
recovering from security incidents. These plans may involve a
range of stakeholders, including IT teams, legal and compliance
departments, and external partners such as law enforcement
agencies.
4. Digital Image Forensics:
The extraction and analysis of digitally acquired photographic
images to validate their authenticity by recovering the metadata of
the image file to ascertain its history.
5. Memory Forensics: The recovery of evidence from RAM of a
running computer, also called live acquisition.
6. Database Forensics:
Database forensics is a branch of digital forensic science relating
to the forensic study of databases and their related metadata.
Database forensics involves investigating access to databases and
reporting changes made to the data. You can apply database
forensics to various purposes. For example, you can use database
forensics to identify database transactions that indicate fraud.
Alternatively, your database forensics analysis may focus on
timestamps associated with the update time of a row in your
relational database being inspected and tested for validity in order
to verify the actions of a database user. Alternatively, a forensic
examination may focus on identifying transactions within a
database system or application that indicate evidence of
wrongdoing, such as fraud. This investigation aims to inspect and
test the database for validity and verify the actions of a certain
database user. Software tools can be used to manipulate and
analyze data. These tools also provide audit logging capabilities
which provide documented proof of what tasks or analysis a
forensic examiner performed on the database. The forensic study
of relational databases requires a knowledge of the standard used
to encode data on the computer disk. Because the forensic analysis
of a database is not executed in isolation, the technological
framework within which a subject database exists is crucial to
understanding and resolving questions of data authenticity and
integrity especially as it relates to database users.
Q4. Explain Goals of Incident Response. (P4 - Appeared 1 Time) (5-10
Marks)
Ans: The primary goal of incident response is to effectively remove a
threat from the organization’s computing environment, while minimizing
damages and restoring normal operations as quickly as possible. This
goal is accomplished through two main activities:
1. INVESTIGATE
● Determine the initial attack vector
● Determine the malware tool used
● Determine which systems were affected.
● Determine what the attacker accomplished.
● Determine if the incident is ongoing.
● Establish the time frame of the incident.
2. REMEDIATE
● Using the information obtained from the investigation to
develop & implement a remediation plan.
We emphasize the goals of corporate security professionals with
legitimate business concerns in our incidents response methodology. In
addition, we also take into consideration the concerns of law enforcement
officials. Therefore, we have developed a procedure that promotes a
coordinated, cohesive response and achieves the following:
● Prevention of a disjoint and non-cohesive response (which could
be disastrous).
● Occurrence of incident is confirmed or dispelled.
● Promotes collection of accurate information.
● Proper retrieval and handling of evidence establishment
is controlled.
● Protection of privacy rights established by law and policy.
● Minimization of disruption to business and network operations.
● Accurate reports and useful recommendations are provided.
● Rapid detection and containment are provided.
● Minimization to exposure and compromise proprietary data.
● Tries to protect your organization’s reputation and assets.
● Educates senior administration.
● Promotion of rapid detection and/or prevention of such incidents in
the future (via lessons learned, policy changes, etc)
Q5. Define CSIRT. (P4 - Appeared 1 Time) (5-10 Marks)
Ans: CSIRT:
● CSIRT stands for Computer Security Incident Response Team.
● CSIRT is a team whose members worked for the incident
response process. In order to resolve an incident/attack, the
CSIRT works together as an interdisciplinary team.
● CSIRT has the appropriate legal, technical, and other
expertise necessary. Its members decide whether to apply an
incident response or not based on the seriousness of the
incident.
● When an organization requires its capabilities, the CSIRT is
normally an effective team accumulation to conduct an initial
response process.
● There is always a division between human resources who
investigate laptop security incidents and people who investigate
normal crimes.
● Separate functions for company security human resources and
laptop security human resources area units are characterized by
several companies.
● Network attacks(e.g. Laptop intrusions and Denial of Service
attacks) are solely responded to by the Computer Security Incident
Response Team.
B. Preparing the CSIRT: The organization assembles a
CSIRT team responsible for handling the attack.
They are provided with necessary training along
with desired software and hardware.
2. Detection of incident:
● The most critical phase of the process
● This phase starts when any illegal or unauthorized
event occurs.
● The detection can be done by: End user(customer),
System admin or IDS.
● End users file their complaint through contacting the
help desk.
● Whereas admins contact their immediate supervisor.
● IDS alarm the information security personnel.
3. Initial Response:
By recording the basic particulars of surrounding the incident,
collecting the incident response team, and informing the
individuals who need to know about the incident, the initial
response team performs an initial investigation.
4. Formulate response strategy:
Regulate the best response team and gain the management
approval based on the outcomes for all known facts. On the basis
of conclusions, try to regulate the civil, criminal, administrative, or
other actions which are inappropriate to be drawn from the
investigation.
5. Investigate the incidents:
Perform a comprehensive collection of data, to determine
what happened, when it happened, who did it, and how it can
be prevented in the future.
6. Reporting:
The most difficult phase in the process. The challenge is to
create reports that precisely describe an incident. Flawless
report information about the investigation in such a manner that
it becomes useful to decision makers.
Q6. What Is meant by Incident Response Methodology. Explain Steps of
Incident Methodology. (P4 - Appeared 1 Time) (5-10 Marks)
Ans: Incident response methodology- It is an approach to addressing and
managing the aftermath of a security breach or attack(also known as
incident) and the goal is to handle the situation in a way that limits
damage and reduces recovery time and costs.
Computer Incidents are complicated, fragile and must be handled
precisely and with caution. To achieve this precision, we use the
approach of diving incident resolution into component steps and test the
input and output.
The fig. Below illustrates the process steps:
So, the steps to incident response can be broadly classified as:
1. Pre-incident preparation:
● This phase deals with preparing the organization with
proper workforce and management before the incident.
● It is done before the incident occurs.
● This phase includes:
A. Preparing the organization: This deals with
making the organization immune to the attack.
Q7. What Is The Phase After Detection of an Incident In Computer
Forensics? (P4 - Appeared 1 Time) (5-10 Marks)
Ans: Once the incident has been identified and detected, the
following phases should be followed.
1. Recording the details after initial Detection. -
Checklist is very important for an organized incident response
team to work efficiently.
● Initial response checklist: For recording details after the
initial notification of an incident. We can divide this
checklist into two main sections: one for general
information and the other for more-specific information.
● Second Section of the initial response checklist: This could
be used by CSIRT members to address the technical details
surrounding the incident.
2. Incident Declaration -
● In most of the cases, it will be immediately obvious whether
or not the activity is actually a computer security incident in
which suspicious activity is reported. However, in a few
cases, if an incident occurred based on the details
recorded in the initial response checklist it may be difficult
to determine.
● If you cannot immediately tell if an incident has occurred,
we recommend that you assign a case or incident number
making it worth investigating.
● Once an incident is declared, the incident has an incident
number to be used as a specific reference to that incident.
3. Assembling the Computer Security Incident Response Team-
Responding to incidents, many organizations have a CSIRT that
is formed in response to a particular situation or incident rather
than an established and dedicated centralized team. Therefore,
the CSIRT needs to be staffed in real time after an incident is
detected.
4. Performing Traditional Investigation Steps -
The investigation stage includes defining the ”who, what,
when, where, how and why” surrounding an incident.
5. Conducting Interviews-
● The first step is to start asking the “who, what, when,
and how” questions, when your CSIRT learns of a
suspected incident.
 ● These questions allow you to determine some facts
surrounding the incident, such as the location of the
relevant systems,administrative contacts, etc.
● The more answers you can obtain the more easy it would
be to assess the situation.
6. Formulating a Response Strategy-
The most important aspect of incident response is arguably your
strategy. In this phase, you consider what remedial steps to take to
recover from the incident. Your response strategy should also
include initiating adverse action against an internal employee or an
external attacker.
Q8. Define Characteristics And Goals Of Digital Forensics. (P4 -
Appeared 1 Time) (5-10 Marks)
Ans: Characteristics of Digital Forensics:
1. Preservation- The digital evidence is preserved for further
procedure which also makes it easy to re-confirm anything
whenever any information is required about the incident.
2. Extraction - The data from the evidence are extracted and as
when it is required it is used for the analysis.
3. Documentation - All the summary has been documented as it is
done without any delay so a proper report is maintained and no
confusions or wrong decisions are taken during the process.
Goal of digital forensics-
1. Is to extract data from the electronic evidence.
2. Process it into actionable intelligence
3. Present the findings for prosecution.
Q2. How many Types of Digital Evidence? (P4 - Appeared 1 Time) (5-10
Ans: Types of Digital Evidence:
1. Logs: Logs belong in the visible data type category, which can
be anything from:
● OS logs: Examples include events pertaining to system
access, security alerts, the duration of a user’s login session,
when the device was shut down, etc. Typically, OS logs are
stored in a particular system directory.
● Database Logs: Since they mostly reveal what changes
were made to a particular database, these can be a vital
source of crime evidence as well as a useful approach for
debugging and troubleshooting in the unfortunate event of
any technical issues with the database in question.
2. Video Footage and Images:
Out of all the types of digital evidence, video footage and images
can be classified as the visible data type, just like the logs. There
are many types of digital evidence that fall into this category,
including CCTV footage, videos recorded on a mobile device, digital
camera footage, voice recordings, etc.However, unlike your typical
logs, multimedia files may require specialized tools to investigate
that go beyond typical multimedia players.
3. Archives:
Since archives are regular files accessible straight from the file
explorer, they fall into the visible data type group. Various types of
evidence can come in the form of an archive, whether it be:
Zip/Rar/similar files, Databases, Backups, Software-specific
archives etc. Technically, since they can contain all sorts of
extractable file formats, archives can be regarded as a wildcard
source of evidence.
4. Metadata:
Metadata falls into the invisible data type category because it
typically requires special software to be able to view it. For instance,
a photo file on a hard drive or storage media can contain
additional data regarding the file’s creation such as where the photo
was taken, otherwise known as EXIF data.
5. Residual Data:
Residual data is deleted or overwritten data that may contain digital
evidence if successfully recovered. Since it’s not typically visible
through a file browser, it’s classified as an invisible data type.
Q1. Explain Digital Evidence In Brief. (P4 - Appeared 1 Time) (5-10
Marks)
Ans: Digital Evidence:
● Computers are used for committing crime, and, thanks to the
burgeoning science of digital evidence forensics, law
enforcement now uses computers to fight crime.
● Digital evidence is information stored or transmitted in binary form
that may be relied on in court. It can be found on a computer hard
drive, a mobile phone, among other places.
● Digital evidence is commonly associated with electronic crime, or
e-crime, such as child pornography or credit card fraud. However,
digital evidence is now used to prosecute all types of crimes, not
just e-crime. For example, suspects' email or mobile phone files
might contain critical evidence regarding their intent, their
whereabouts at the time of a crime and their relationship with other
suspects.
● In an effort to fight e-crime and to collect relevant digital evidence
for all crimes, law enforcement agencies are incorporating the
collection and analysis of digital evidence, also known as
computer forensics, into their infrastructure.
● The field of computer security includes events that provide a
successful courtroom experience, which are both worthwhile
and satisfactory.
● Investigation of a computer security incident leads to a legal
proceeding, such as court proceedings, where the digital
evidence and documents obtained are likely used as exhibits in
the trial.
● To meet the requirements of the judging body and to withstand or
face any challenges, it is essential to follow the evidence-handling
procedures.
● Digital evidence is any information or data of value to an
investigation that is stored on, received by, or transmitted by an
electronic device.
Q3. What Kind of Challenges are Faced By Digital Evidence Explain?
(P4 - Appeared 1 Time) (5-10 Marks)
Ans: Challenges faced by Digital Evidence are-
1. Explosion of complexity
Evidence is no longer confined within a single host but, rather,
is scattered among different physical or virtual locations, such
as online social networks, cloud resources, and personal
networks–attached storage units. For this reason, more expertise,
tools, and time are needed to completely and correctly reconstruct
evidence. Partially automating some tasks has been highly
criticized by the digital investigation community, because it could
quickly deteriorate the quality of the investigation.
2. Development of standards
Despite technological advances, files are still the most popular
digital artifacts to be collected, categorized, and analyzed. Thus,
the research community has tried to agree on standard formats,
schema, and ontologies—but without much success.
They add that investigations of cutting-edge cyber crimes might
require processing information in a collaborative manner or using
outsourced storage and computation. Therefore, a core step for
the digital forensics community will be the development of proper
standard formats and abstractions.
3. Privacy-preserving investigations
Nowadays, people bring into cyberspace many aspects of their
lives, primarily through online social networks or social media
sites. Unfortunately, collecting information to reconstruct and
locate an attack can severely violate users’ privacy and is linked
to other hurdles when cloud computing is involved.
4. Legitimacy
Modern infrastructures are becoming complex and virtualized,
often shifting their complexity at the border (such as in fog
computing) or delegating some duties to third parties (such as in
platform-as-a-service frameworks).
Thus,an important challenge for modern digital forensics will be
executing investigations legally, for instance, without violating
laws in borderless scenarios.
 5. Rise of anti-forensics techniques
Defensive measures encompass encryption, obfuscation,
and cloaking techniques, including information hiding.
Cooperation among international jurisdictions notwithstanding,
investigating cybercrime and collecting evidence is essential in
building airtight cases for law enforcement. For that, security
experts need the best tools to investigate.
Digital forensics is fundamental to investigations performed in a
reality that’s often tightly coupled with its cyber extension. Modern
digital societies are subject to cybercriminal activities and fraud
leading to economic losses or hazards for individuals. Therefore,
the new wave of forensics tools should be engineered to support
heterogeneous investigations, preserve privacy, and offer
scalability.
Q4. What Are The Criteria for Admissibility of Evidence? (P4 - Appeared
Ans: The criteria for Admissibility of Evidence are:
1. Relevance:
For evidence to be admissible, it must tend to prove or disprove
some fact at issue in the proceeding. However, if the utility of this
evidence is outweighed by its tendency to cause the fact finder to
disapprove of the party it is introduced against for some
unrelated reason, it is not admissible. Furthermore, certain
public-policy considerations bar the admission of otherwise
relevant evidence.
2. Reliability:
For evidence to be admissible enough to be admitted, the party
proffering the evidence must be able to show that the source of
the evidence makes it so. If evidence is in the form of witness
testimony, the party that introduces the evidence must lay the
groundwork for the witness's credibility and knowledge. Hearsay is
generally barred for its lack of reliability. If the evidence is
documentary, the party proffering the evidence must be able to
show that it is authentic, and must be able to demonstrate the
chain of custody from the original author to the present holder.
The trial judge performs a "gatekeeping" role in excluding
unreliable testimony.
Q6. What Are The Components of Chain of Custody? (P4 - Appeared 1
Time) (5-10 Marks)
Ans: Components of Chain Of Custody:
1. Data Collection
After an incident, the chain of custody starts from the collection of
evidence and its state. Each acquired piece of evidence is to be
labeled with its source, the time of its collection, where it is stored,
and who has access to it. All of this is documented to preserve
the integrity of the evidence.
2. Examination
The examination of the captured evidence carried out by the digital
forensics team is then documented precisely. This includes taking
notes of the complete process, who examined it, and the evidence
uncovered.
3. Analysis
The collected evidence is then transferred for analysis, and again,
each step of the analysis is recorded. Analysts use digital
forensics tools to reconstruct the background of the evidence and
draw unbiased conclusions, which are documented.
4. Reporting
The final stage is to report the findings to the court in a
professional digital forensics report, following standards set by
organizations such as the National Institute of Standards and
Technology (NIST). The report covers key aspects of the chain of
custody, which include: the tools used to collect and process the
evidence, the chain of custody statement, a list of the data sources,
identified issues and vulnerabilities, and the next possible steps to
take. All of this adds to the authenticity and viability of the
evidence and makes it presentable to the court.
Q5. What Are Some Of The Challenges in Evidence Handling? (P4
- Appeared 1 Time) (5-10 Marks)
Ans: While responding to a computer security incident, a failure to
adequately document is one of the most common mistakes made by
computer security professionals. The challenges faced in evidence
handling must be properly understood by all investigators,
Investigators should also understand how to meet these challenges.
● Authentication of Evidence:
The laws of many state jurisdictions define data as “written-works”
and “record-keeping”. Before introducing them as evidence,
documents and recorded materials must be authenticated. In other
words, for providing a piece of evidence of the testimony, it is
necessary to have authenticated evidence by a spectator who has
a personal knowledge of its origin.
● Chain of Custody:
Maintaining the chain of custody means that the evidence
collected should not be accessed by any unauthorized
individual and must be stored in a tamper-proof manner. For
each item obtained, there must be a complete chain of custody
record.
● Evidence Validation:
The challenge is to ensure that providing or obtaining the data
that you have collected is similar to the data provided or
presented in the court.. To meet the challenge of validation, it is
necessary to ensure that the original media matches the forensic
duplication by using MD5 hashes.
Q7. What Are The Digital Forensics Examination Process? Explain
Process Of Seizure.
Ans: The Digital Forensics Examination Process includes:
1. Identification-
It is the first step in the forensic process. The identification
process mainly includes things like what evidence is present,
where it is stored, and lastly, how it is stored (in which format).
Electronic storage media can be personal computers, Mobile
phones, PDAs, etc.
2. Preservation -
In this phase, data is isolated, secured, and preserved. It
includes preventing people from using the digital device so that
digital evidence is not tampered with.
3. Analysis -
In this step, investigation agents reconstruct fragments of data and
draw conclusions based on evidence found. However, it might take
numerous iterations of examination to support a specific crime
theory.
4. Documentation -
In this process, a record of all the visible data must be created.
It helps in recreating the crime scene and reviewing it. It
Involves proper documentation of the crime scene along with
photographing, sketching, and crime-scene mapping.
5. Presentation -
In this last step, the process of summarization and explanation
of conclusions is done.However, it should be written in a
layperson’s terms using abstracted terminologies. All abstracted
terminologies should reference the specific details.
● Seizure: Prior to actual examination, the digital media is seized. In
criminal cases, this will be performed by law enforcement
personnel to preserve the chain of custody. The seizure process
includes:
1. Calculating hash value of the suspect storage media.
2. Creating digital fingerprints of the same at a system
on chip(SoC).
3. Calculating hash value of the forensic image as well.
Q8. What Are some issues that should be considered in Acquiring
Digital Evidence from the Cloud?
Ans: Issues in acquiring digital evidence - there are many issues
occurring in acquiring digital evidence.
• Identify the target :– this is the biggest issue in acquiring digital
evidence from cloud computing. We know that in a cloud computing
environment it is difficult to identify the target means where the evidence
will be present?
• Jurisdiction problem :– if suppose that once the target has been
identified. And suppose that resources exist out of the county then how
can you investigate in the other country because we know that every
country has its own jurisdiction. So we can say that jurisdiction is the
biggest issue in acquiring digital evidence from cloud computing.
• Collection the evidence :– when we talk about the collection of the
evidence from the cloud then there is no specific single source of
collecting the evidence.
• Legality of evidence :– as we know that digital evidence always
comes under doubt means is it legal? So the legality of digital
evidence most of the time comes under challenge in the court of law.
• Chain of custody :– another issue is chain of custody we know that in
digital forensic the concept of chain of custody is important. Who will
be holding the evidence and who will be doing the analysis and in this
concept the responsibilities also differentiate from level to level. Here a
document between the law enforcement agencies, which consist of the
information regarding the client and law enforcement?
• Third party issue :– we know that in cloud computing third parties are
involved. And it works as a service provider. If investigators find the third
party resources which are involved in the crime then investigators take
the permission to collect the data. If third parties live outside means in
another country then investigators again face problem in the investigation
process.
• Privacy :– when we talk about the data and information then privacy
also occurs with it. If we put light on the definition of privacy then there
are no clear definitions which talk about privacy. Privacy differs from
person to person.
Q10. Explain Forensic Image formats? (P4 - Appeared 1 Time)
Ans: Most IR groups can produce and process three primary types
of forensic images:
1. Complete Disk Image -
The process for getting a “complete disk image” is meant to
duplicate each addressable computer memory unit on the medium.
This includes Host Protected Areas(HPAs) and Drive Configuration
Overlays(DCOs). Though some difficulties might exist,the
speculation remains that the resultant image captures each
allocation unit at that moment in time.
2. Partition Image -
Most forensic imaging tools permit you to specify a personal
partition, or volume, as the source for a picture. A partition image
may be a set of a whole disk image and contains all of the
allocation units from a personal partition on a drive. This includes
the unallocated space and file slack present within that partition.
A partition image still affords you the chance to perform low-level
analysis and arrange to undelete files and examine slack areas
from that position.
3. Logical image -
A logical image is a smaller amount of Associate in Nursing
“image” and additional of a straightforward copy. It is the type of
duplication referred to as “Simple Duplication”. A logical image is
less of an “image” and more of a simple copy. Although logical
copies are typically the last resort and make most examiners
cringe when they hear one is inbound, there are solid reasons why
they are the duplication of choice.
4. Image integrity -
When a forensic image is formed, cryptologic checksums are
generated for two reasons. First, once the image is taken from a
drive, which is offline(static) and preserved, the hash is employed
to verify and demonstrate that the forensic image could be a true
and correct illustration of the initial. Second, the hash is employed
to sight if the info was changed since the purpose of your time at
which the image was created. Once you are working with static
pictures, the hashes serve each function.
Q9. Why Is Forensic Duplication Necessary? (P4 - Appeared 1 Time)
Ans: Forensic duplicate is a document file containing every bit of
information obtained from the source in a raw bitstream format. The data
is stored as it is from the hard drive to forensic duplicate devices.
● This file does not contain any extra data other than an error
message while reading the content from the original. After
Duplication process, forensic duplicates can be compressed.
● In all cases, the computer/media is the main “crime scene.” It
is important that this crime scene is protected because once
the digital evidence is contaminated it cannot be
decontaminated.
● The investigator should take care to not change the digital
evidence during any step of investigation. As most media are
“magnetic based” and the data is volatile, examining a live file
system changes the state of the evidence
● Hence, the forensic duplication importance can be summarized as:
1. Working from a duplicate image provides following
features-
a. Preserves the original digital evidence.
b. Prevents inadvertent alteration of original digital
evidence during examination.
c. Allows recreation of the duplicate image, if
necessary.
2. Digital evidence can be duplicated with no degradation
from copy to copy-
This is not the case with most other forms of evidence.
Q11. Define Forensic Duplication Techniques. (P4 - Appeared 1 Time)
Ans: Forensic Duplication- Every storage media consists of certain data.
For the forensic purpose, the data needs to be copied in a manner that
does not change any information available in the device. The common
techniques are follows
● Logical Backup- It copies the directories & directories & files of a
logical volume. It does not capture other data that may be present
on the media, like deleted files or residual data stored in the slack
spaces.
● Bit Stream Imaging- Also known as imaging or cloning, it
generates copies of the original media bit-for-bit. It can be done in
a disk-to-disk (from target media to another media) or ‘disk-to-file’
(from media to single logical file) fashion ; and requires more
space-time.
● Write blocker- These are the hardware or software tools which
prevent a computer from writing on a storage media. The
suspected storage media is directly connected to the hardware
write-blocker, and then the write blocker is connected to the device
taking the backup. Similarly, a software write blocker is loaded
onto the suspect computer, before the copying device is connected
to that.
Q12. Explain Acquiring Digital Evidence In Brief. (P4 - Appeared 1 Time)
Ans: The way of collecting digital forensic evidence is very important. The
evidence in this area is volatile and delicate. It should be noted that due
to improper handling, the investigation may be disrupted. In other words,
acquisition, storage, transmission, and the preservation of evidence
require precise procedures.
When securing digital evidence, the following characteristics need to
be ensured:
● Correctness of the data – the recovered data must be exactly
the same as the source data.
● Authenticity – actual data from the analyzed medium.
 ● Integrity – the analyzed data is not altered; the alteration can be
detected.
● Confidentiality, availability.
Depending on the type of data and the digital device, the method of data
acquisition is selected. There are several methods, for example logical
disk-to-disk file, disk-to-disk copy, disk-to-image file and also sparse data
copy of a file or folder.
The method of obtaining digital evidence also depends on whether
the device is switched off or on.
● If it is switched on, it is live acquisition. The evidence is collected
from a running system. Data changes because of both
provisioning and normal system operation. So in conclusion, live
acquisition enables the collection of volatile data, but also
influences the data.
● In case of postmortem acquisition, the evidence is collected from
storage media of a system that is shut down. Moreover,
postmortem provides better integrity preservation and does not
influence the data. However, volatile data can be lost in the
process of shutting down a system.
A significant factor in the acquisition of digital evidence is its volatility.
Based on their level of fragility, the most volatile are acquired first.
A few facts to keep in mind when acquiring data from workstations
or servers:
● Deleted data is still not completely lost. Often it is possible to
recover files and get information about when they were deleted.
● Lot of information about how the computer was used can be
recovered from the system.
● Formatting a disk does not remove all data.
● Information about visited websites can be retrieved relatively easily.
● Data is unusable unless it is decrypted.
● Simple actions such as looking through the files on a running
computer or booting up the computer have the potential to destroy
or modify the available evidence data, as it is not write-protected.
● Additionally, contamination is harder to control because the tools
and commands may change file access dates and times, use
shared libraries or DLLs, trigger the execution of malicious
software (malware), or—worst case—force a reboot that results
in losing all volatile data.
● Therefore, the investigators must be very careful while
performing the live acquisition process.
● Volatile information assists in determining a logical timeline of the
security incident, network connections, command history,
processes running, connected peripherals and devices, as well
as the users, logged onto the system.
Q14. What Are The Risks and Challenges of Hard Drive Imaging?
Ans: The main disadvantage is that system disk images tend to go
stale because they represent a snapshot of a configuration at a given
point in time.
If you capture a disk image today, then deploy it to a new device six
months from now, the device will start out six months behind on security
patches. As soon as you have deployed, you will have to wait while the
OS and applications download and install all the intervening security
updates. In other words, you will have to allow a significant window of
time before the device is secure and ready for provisioning.
Another challenge with images occurs when newer versions of
applications you’ve “baked in” are introduced into your environment.
Steps need to be taken to update the image to reflect those changes. In
short, this puts you in a constant cycle of creating, updating, testing your
images.
Q13. What Are The Best Forensic Image File Format? Explain Acquiring
Volatile Memory (Live Acquisition).
Ans: The best forensic image file format is the one that meets the
specific needs of the investigation, taking into account factors such as
the type and size of the data being collected, the tools and techniques
being used, and the intended use of the resulting image.
Some commonly used forensic image file formats include raw, E01, and
AFF. Raw format is a bit-for-bit copy of the original media, while E01 and
AFF are advanced forensic formats that support metadata, compression,
and encryption.
● Acquiring volatile memory, or live acquisition, involves collecting
data from the system's volatile memory, such as RAM or cache,
while the system is still running. This type of acquisition can be
useful in situations where there is a risk of losing important data if
the system is shut down or rebooted, or if the data is only
available in memory.
● To acquire volatile memory, investigators typically use specialized
tools that can create a copy of the memory contents, either to a
file or directly to another system. This process must be performed
carefully, as any changes to the system memory can alter or
destroy the data being collected.
● Live acquisition can provide valuable information in a forensic
investigation, including evidence of running processes, network
connections, and user activity. However, it can also present
challenges, such as the need to analyze large amounts of data in
real-time and the potential for interference from system processes
or other factors.
● Overall, acquiring volatile memory is a complex and specialized
process that requires expertise and careful planning to ensure
the integrity and accuracy of the data collected.
● The method of acquiring digital evidence from a device which is on,
is known as Live Acquisition or Acquiring volatile memory.
● Live Data Acquisition is the process of extracting volatile
information present in the registries, cache, and RAM of digital
devices through its normal interface. The volatile information is
dynamic in nature and changes with time, therefore, the
investigators should collect the data in real time.
Q15. Define Network Acquisition. (P4 - Appeared 1 Time) (5-10 Marks)
Ans: Network Acquisition:
● Network acquisition is the process of collecting and analyzing data
from computer networks, either for forensic purposes or for
security monitoring. This process typically involves using
specialized tools and techniques to capture network traffic, such
as packets transmitted between devices on the network.
● Network acquisition is an important aspect of computer forensics,
as it enables investigators to gather evidence related to security
incidents or criminal activity. By analyzing network traffic,
investigators can identify patterns of behavior, track the movement
of data, and trace the origin of attacks.
● The network acquisition process can vary depending on the
specific goals and requirements of the investigation. For example,
investigators may choose to capture all network traffic or focus on
specific protocols or devices of interest. Additionally, the
acquisition process may involve the use of specialized hardware or
software tools to ensure the integrity and completeness of the data
collected.
● Overall, network acquisition is a critical component of modern
forensic investigations, enabling investigators to reconstruct
digital activities and provide evidence in legal proceedings.

Q1. Why There is need to Analyze Hard Drive Forensic Images? (P4
- Appeared 1 Time) (5-10 Marks)
Ans: When a computer is identified as possibly containing electronic
evidence, it is imperative to follow a strict set of procedures to ensure a
proper (i.e. admissible) extraction of any evidence that may exist on the
subject computer.
● The first thing to remember is the “golden rule of electronic
evidence” – never, in any way, modify the original media if at all
possible.
● Thus, before any data analysis occurs, it usually makes sense to
create an exact, bit stream copy of the original storage media that
exists on the subject computer.
● A forensic image is sometimes referred to as a mirror image or
ghost image. Mirror imaging or ghost imaging does not always
generate a true forensic image.
● The same is true for cloning a hard drive. A forensic image may
include a single or multiple hard drives, floppy disk(s), CD(s),
Zip drive(s) or DVD(s), plus many other types of storage media
that now exist.
● Imaging the subject media by making a bit-for-bit copy of all
sectors on the media is a well-established process that is
commonly performed on the hard drive level, hence often referred
to as hard drive imaging, bit stream imaging or forensic imaging.
● The creation of a true forensic hard drive image is a highly detailed
process. If you do not have it performed by a trained professional,
you may severely compromise your chances of obtaining
admissible evidence as a result of your discovery efforts.
● Also, to avoid accusations of evidence tampering or spoliation, it
is a recommended best practice that imaging be performed by an
objective third party.
● Suggested protocols for hard drive imaging can be found within
guidelines standardized by institutions and organizations like the
Department of Justice (DOJ) and the National Institute of
Standards and Technology (NIST).
Q4. Explain Viruses In Brief. (P4 - Appeared 1 Time) (5-10 Marks)
Ans: A computer virus is a program made to damage or cause
destruction on an infected computer. It extends by e-mail attachments,
transferable devices, websites having malevolent scripts and file
downloads. A computer virus attaches itself with the host files and will
activate whenever one opens the infected files. The virus can duplicate
itself and then infect the other files on the computer causing more harm.
Different Types Of Computer Virus On The Basis Of Action :
1. Macro Viruses - These viruses infect the files formed using
several applications or programs that include macros like doc, pps,
xls and mdb. They involuntarily infect the archive with macros and
also templates and documents that are enclosed in the file. They
hide in files shared from e-mail and networks.
2. Memory Resident Viruses - They generally attach themselves
within the computer memory. They become active when the OS
runs and end up infecting other open files. They are concealed in
RAM.
3. Direct Action Viruses - These viruses mostly duplicate or take
action once they are executed. When a certain condition is met,
the viruses will act by infecting the files in the directory or the folder
specified in the AUTOEXEC.BAT. The viruses are usually seen in
the hard disk’s root index, but they keep on changing location. For
example: Vienna virus.
4. Directory Virus - It is also recognized as cluster virus or file
system virus. They infect the computer’s directory by altering the
pathway signifying file position. They are generally to be found in
the disk but have an effect on the entire directory. For example:
dir-2 virus
5. Web Scripting Virus - The majority web pages consist of some
intricate codes in order to generate an interactive and attention-
grabbing content. Such a set of laws is regularly demoralized to
cause certain objectionable actions. They typically invent from
the infected web pages or browsers. For example: JS.Fortnight –
a virus that spreads via malicious emails.
6. Multipartite Virus - These kinds of viruses can spread in various
ways. Their method varies according to their OS installed and
the existence of certain files. They tend to hide in the
computer’s memory but do not infect the hard disk.
Q2. How Do You Analyze The Forensic Image ?
Ans: The forensic analysis process includes four steps:
1. Use a write-blocker to prevent damaging the evidentiary value of
the drive.
Using a Write-blocker: A write-blocker is a device that allows
acquisition of information on a drive and acts to prevent the
possibility of accidentally damaging the evidentiary value of the
drive contents. The write-blocker allows read commands to pass,
but blocks write commands — hence the name.
2. Mount up and/or process the image through forensics software:
After making sure the drive is write-protected, an analyst can view
the data in the image that was created. The image is typically
mounted by or ‘loaded into’ forensics software, for analysis which
usually involves searching various areas on the disk for evidence
of malicious activity or presence of malware.
3. Perform forensic analysis by examining common areas on the
disk image for possible malware, evidence, violating company
policy, etc.
4. If potential evidence is identified, perform further analysis to
determine the cause and establish the timeline of the event(s).
Q3. Define Malware. What kinds of Malware used In digital Forensics?
Ans: Malware: It is a computer software such as a virus that the user
does not know about or want and is designed to damage how a
computer or computer network works.
Malware Forensics: It is a way of finding, analyzing & investigating
various properties of malware to seek out the culprits and reason for the
attack. Types of Malware:
The category of malware is predicated upon different parameters like
how it affects the system, functionality or the intent of the program,
spreading mechanism, and whether the program asks for user’s
permission or consent before performing certain operations. a number of
the commonly encountered malwares are:
1. Backdoor 8. Scareware
2. Botnet 9. Worm or Virus
3. Downloader 10. Credential-stealing program, etc.
4. Launcher
5. Rootkit
6. HackTool
7. Rogue application
7. Spyware - A program made to supervise your proceedings on a
computer. A general type of spyware is a key-logger program. This
program can trace every keystroke and mouse click you have
done.
8. Worms - A nasty little program can cause less speed in a network.
A worm will duplicate itself and multiply from computer to
computer. Worms are commonly spread through email
attachments.
Q5. What Are The Essential Skills and Tools for Malware Analysis.
Ans: Skills required for Malware analysis are:
● Knowledge of operating systems and networking
● Programming skills
● Understanding of security principles
● Ability to identify, contain, disassemble, and mitigate zero-day
malware
● Ability to reverse engineer code
● Ability to work with high-level programming language
● Being resourceful
● Thinking outside the box
● Good communication skills
● Curious and determined
Malware has become a huge threat to organizations across the globe.
Something as simple as opening an email attachment can end up
costing a company millions of dollars if the appropriate controls are not in
place. Tools required for Malware Analysis are:
● PeStudio
● Process Hacker
● Process Monitor (ProcMon)
● ProcDot
● Autoruns
● Fiddler
● Wireshark
● x64dbg
● Ghidra
● Radare2/Cutter
● Cuckoo Sandbox
Q6. Define Worms. (P4 - Appeared 1 Time) (5-10 Marks)
Ans: A computer worm is a standalone malware computer program that
duplicates itself so that it can extend to other computers. Often, it uses a
computer network to multiply itself, relying on security failures on the
target computer to access it.
Unlike a computer virus, it does not require to join itself to an
accessible program.
● Worms nearly at all times cause at least some harm to the
network, still only by consuming bandwidth, while viruses almost
forever crook or change files on a targeted computer.
● Many worms that have been formed are intended only to spread,
and do not make an effort to alter the system they go by.
● However, as the Morris worm and my doom showed, even
these "payload free" worms can cause significant interference
by rising network traffic and other unintentional effects.
● A "payload" is code in the worm formed to do more than multiply
the worm it might delete files on a host system (e.g., the
ExploreZip worm), encrypt files in a crypto viral extortion attack,
or send documents via email.
● A very ordinary payload for worms is to install a backdoor in the
infected computer to permit the formation of a "zombie" PC
under power of the worm creator.
● Networks of such machinery are frequently known to be bonnets
and are very usually used by spam senders for transferring
scrap email or to hide their website's address.
● Spammers are therefore thought to be a source of financial
support for the formation of such worms, and the worm writers
have been caught selling lists of IP addresses of infected
machines. Others try to blackmail companies with threatened DoS
attacks.
3. Interactive Behavior Analysis
Behavior Analysis involves examining how the sample interacts in a lab to
clearly understand its file system, network activities, processes, and
registry. Analysts may further conduct memory forensics to learn how the
malware functions and how much memory it utilizes. If the analysts find
out that the malware has specific capabilities, they set up a simulation to
test their observations. Behavioral analysis needs a creative analyst who
possesses advanced skills as the process is complex and time-
consuming and needs automated tools to perform effectively.
TOOLS:
Wireshark is used to observe network packets. Process Hacker is used
to observing processes being executed in the memory. Process Monitor
is used to observe the real-time file system, process activity, and
registry for Windows. ProcDot provides the user with an interactive and
graphical representation of the recorded activities.
4. Manual Code Reversing
Reversing the malicious code of the file can decode encrypted data
stored by default, determine the file domain's logic, and see the
functionalities of the file that were overlooked or conceded while
performing behavioral analysis. Hence to manually reverse a code the
analysts require debuggers and disassemblers aided by a decompiler
and a variety of plugins or specialized tools that automate some aspects.
Code reversing is a rare skill. Executing code reversals takes up a lot of
time, so malware investigators often skip this step and miss out on
valuable insights into the malware's nature.
TOOLS:
IDA Pro is one of the best and most popular reverse engineering
software tools and is an interactive disassembler with a built-in command
language that supports various executable formats as well as processors
and operating systems. It has many plugins that extend the
disassembler's functionality like Hex-Rays Decompiler, Lighthouse,
ClassInformer, BinDiff, and IDA-Function-Tagger.
Q7. Explain List of Malware Analysis Tools and Techniques.
Ans: Malware analysis is a process that requires a few formulated
steps. These steps form a pyramid, and the complexity and skill
requirements increase as we approach the top of the pyramid. It
includes:
1. Fully Automated Analysis
This is one of the easiest and quickest ways to assess suspicious files.
This type of analysis is used to determine the potential effects of the
malware if it were to infiltrate the network and function. It also produces a
detailed, easy-to-read report regarding the security teams' file activity,
network traffic, and registry keys. Fully automated analysis is considered
the best way to sift through large quantities of malware on network
infrastructure.
TOOLS:
Cuckoo Sandbox is an open-source automated malware analysis
platform used to perform fully automated analysis. It can also be adjusted
to run some custom scripts and also generate comprehensive reports. A
few other tools that can be used for fully automated analysis are: Malheur
is used to analyze the data collected by behavioral sandboxes.
2. Static Properties Analysis
This is done to get a deeper look at the malware. The static properties of
malware are examined like header details, metadata, malware code,
hashes, and embedded resources. All this data is required to create IOCs
and can be easily collected as malware execution is not required to
capture the static properties. So the insights gathered during static
properties analysis assists in deciding whether a deeper investigation
with more comprehensive techniques is required and helps determine
further steps.
TOOLS:
PeStudio is a tool used to automate static properties analysis that
flags suspicious artifacts within executable files and displays file
hashes that can be searched on malware repositories like TotalHash
or VirusTotal to analyze the malware further. It can also be used to
examine libraries, embedded strings, imports, or other IOCs.
Q1. Define Investigating Windows Systems In Brief.
Ans: Once you have set up your forensic workstation with proper tools
and recorded the low-level partition data from the target image, you are
now set to conduct your investigation. For a formal examination of target
system,
following investigation steps are required:
1. Review all pertinent logs.
2. Perform keyword searches.
3. Review relevant files.
4. Identify unauthorized user accounts or groups.
5. Identify rogue processes and services.
6. Look for unusual or hidden files/directories.
7. Check for illegal entry points.
8. Inspect jobs run by the Scheduler service.
9. Analyze trust relationships.
10. Review security identifiers.
These steps are not filed chronologically or in order of importance. You
may need to perform each of these steps or a few of them. Your
approach depends on your response plan and the circumstance of the
incident.
It is important to know where we plan to look for evidence, before you
dive into forensic analysis. The location will depend on specific cases,
but in general can be found in following areas:
● Volatile data in kernel structures.
● Slack space, where you can obtain information from previously
deleted files that are unrecoverable.
● The logical file system.
● The event logs.
● The printer spool
● The registry, which you should think of as an enormous log file, etc

Q2. Explain File Recovery in Digital Forensics. (P4 - Appeared 1 Time)
(5-10 Marks)
Ans: File recovery is a process that involves retrieving inaccessible
data files from damaged or corrupted storage storage systems or
media files.
● Recovery of data, whether it is a whole file or some part of it,
is becoming increasingly important as people’s dependence
on technology becomes more prevalent.
● File recovery is an essential service and an integral part in
digital forensics, since it could be a great clue with respect to
forensic search.
● As there is a lot of collective data that is included in a file, it is
easy to find incident information.
● As the file also contains Data of creation, Information about
authors and editors, the forensic team could get a lot of help in
their research.
● Aside from failure or mistakes, Ransomware, a malware
program that often leads to unpaid ransom or paid ransoms with
no recovery, is becoming more prevalent and is targeting
hospital systems for their secure data. In these cases, data
backups are critical to recovering data.
● At its most basic, the process of carving involves searching a
data stream for file headers and magic values, determining the
file end point, and saving this substream out into a carved file.
● Carving is still an open problem and is an area of ongoing,
active experimentation.
● Many experimental programs are designed to implement specific
new ideas in carving, as well as more utilitarian programs geared
toward operational use.
Q5. What Is The Role Of Windows Registry Analysis?
Ans: Role Of Windows Registry Analysis -
● For a Forensic analyst, the Registry is a treasure box of
information.
● It is the database that contains the default settings, user,
and system defined settings in windows computer.
● The Registry contains information that Windows continually
references during operation, such as profiles for each user, the
applications installed on the computer and the types of documents
that each can create, property sheet settings for folders and
application icons, what hardware exists on the system, and the
ports that are being used.
● Registry serves as a repository, monitoring, observing and
recording the activities performed by the user in the computer.
● The Data is stored in the main folders in a Tree like structure which
is called Hive and its subfolders are called KEYS and SUBKEYS
where each component’s configuration is stored called VALUES.
● Some Important aspects of Windows Registry are:
1. Windows Registry can be considered as a gold mine of
forensic evidence.
2. We can create new registries manually or we can modify the
ones that already exist.
3. Original files that contain registry values are stored in the
system directory itself.
4. Registry files are system protected and can not be accessed by
any user unless administration access is provided.
5. For the investigation purpose, the forensic investigator
analyzes registry files via tools such as Registry Viewer,
Regshot, Registry Browser etc..
6. Trojans and Malware information can be found in the registries.
Q3. What Is The Windows Recycle Bin Forensics?
Ans: An icon on the Windows desktop represents a directory in which
deleted files are temporarily stored. This enables you to retrieve files
that you may have accidentally deleted. From time to time, you’ll want
to purge the recycle bin to free up space on your hard disk.
● You can also configure Windows so that it doesn’t use the recycle
bin at all, but then you won’t be able to retrieve accidentally
deleted files.
● When a file is deleted in the Microsoft Windows operating system,
it doesn’t delete it permanently; it is stored in the recycle bin. If a
user wants to restore the deleted file from the recycle bin, it can be
done.
● If the user holds the shift key at the time of deleting a file, then
the file will be deleted permanently without being stored in the
recycle bin.
● In this case, the file is moved to a hidden, system folder where it is
renamed and stored until further instructions are given as to what
is to happen to the file.
● From the forensic point of view, the recycle bin is a gold mine for
gathering evidence, clues, etc. By analyzing the recycle bin, we
can recover useful data.
● To understand how the information files are structured and how
the naming convention works, there must first be an
understanding of how the recycle bin works.
● When a user “deletes” a file in Windows, the file itself is not
actually deleted. The file at this point is copied into the recycle
bin’s system folder, where it is held until the user gives further
instructions on what to do with the file.
● This location varies, depending on the version of Windows the
user is running.
Q4. Define Data Carving. (P4 - Appeared 1 Time) (5-10 Marks)
Ans: Extraction of meaningful file content from otherwise
unstructured streams of data is a science and an art unto itself.
● This discipline has been the focus of multiple presentations
at Digital Forensic Research Workshop over the years, and
advancements continue to be made to this day.
Q6. Explain USB Device Forensics. (P4 - Appeared 1 Time) (5-10 Marks)
Ans: The use of USB devices to store personal data and information is
increasing day by day due to the portability and the plug-and-play nature
of these devices.
● A USB (Universal Serial Bus) device provides storage
capacity ranging from 2 GB to 128 GB or more.
● Due to the stealthy nature of these devices, USB drives can be
used to store malicious and dangerous programs and files, such
as packet sniffers, keyloggers, malicious files, etc. to carry out
malicious tasks by hackers and script kiddies.
● When incriminating information such as blackmailing is deleted
from a USB device, then USB forensics will come into play to
retrieve the deleted information.
● The retrieval or recovery of deleted data from USB drives is what
we call USB forensics.
● Universal Serial Bus flash drives, commonly known as USB flash
drives are the most common storage devices which can be
found as evidence in Digital Forensics Investigation.
Q7. Define File Format Identification In Forensics.
Ans: A file is a collection of data which may be read or executed by a
computer. As the computers we use are binary, they are stored as a list
of 1s and 0s.
● When a program opens a file, it must interpret the list of ones
and zeros, we can’t always assume we are looking at ASCII text
files!
● Without any identifying information, it’s very hard to open a file.
Imagine being a linguist and being told that the script you must
decode was a set of 32,000 1s and 0s.
● This would be a gargantuan task, closer to a philosophical
exercise than a linguistic one.
● To take an extreme example, in some fictional file format, 0 might
mean “substitute for this 0 the entire works of William
Shakespeare” and 1 might mean “email any previous text to all
known contacts”. In fact, there is no fixed standard on how files
should encode information about their format.
 ● In place of them, three conventions have arisen. The first is the
use of extension conventions. The characters after the (final) dot
on in a filename are associated with a file standard and a program
which can open them.
● This method relies on developers respecting a one-to-one
correspondence from extension to file type.
● Given the volume of software and the limited number of file
extensions, this is not the case. Additionally, even files created
by the same program with the same extension may not be
mutually compatible due to version changes.
● The second method of identification is more reliable, but also
requires more maintenance work. It relies on the developer of a
file format specifying a ‘magic number’ which identifies a file. This
‘magic number’ is in practice a series of bytes.
● The jpeg image format has reserved the sequence FF D8 FF
DB, whilst many common formats have their own
● These numbers are in Hexadecimal, which is a convenient way
of expressing binary. This solution is more robust because the
file contains within itself a reference to its structure, which can
be looked up on a registry.
● However, a magic number is almost always a good predictor of
a file type, but it is not infallible.
● At this point we have three methods of identifying files: one
explicit and fragile, one explicit but optional, and one implicit and
high-maintenance.
● These three methods are all used by the most common file
analysis tools, such as the unix command file or the archival
analysis tool
DROID.
● These file signatures document the extrinsic information of the file
extension name and intrinsic information about the location of
identifying byte sequences, which may be either magic numbers
or invariant sequences of bytes within a file.
6. Network Miner: This tool is used as a passive network sniffer to
capture or to detect the operating systems ports, sessions, hostnames,
etc.
7. Autopsy: This is the GUI based tool that is used to analyze hard disks
and smartphones.
8. Forensic Investigator: This is a Splunk toolkit which is used in HEX
conversion, Base64 conversion, metascan lookups, and many more
other features that are essential in forensic analysis.
9. HashMyFiles: This tool is used to calculate the SHA1 and MD5
hashes. It works on all the latest websites.
10. FAW (Forensic Acquisition of Websites): This tool is used to acquire
web pages image, HTML, source code of the web page. This tool can be
integrated with Wireshark.
Q10. Explain Cortana Forensics In Detail.
Ans: For decoding and exporting Cortana data, four custom python
scripts have been developed to aid forensic investigations.
● A GUI tool has been introduced to extract and list Cortana
web searches.
● The forensic usefulness of Cortana artifacts is demonstrated
in terms of a timeline constructed over a period of time.
● Cortana, one of the new features introduced by Microsoft in
Windows 10 desktop operating systems, is a voice activated
personal digital assistant that can be used for searching stuff on
device or web, setting up reminders, tracking users' upcoming
flights, getting news tailored to users' interests, sending text
and emails, and more.
● Being the platform relatively new, the forensic examination
of Cortana has been largely unexplored in the literature.
● A GUI tool called CortanaDigger is developed for extracting and
listing web search strings, as well as timestamps of search made
by a user on Cortana box.
● Several experiments are conducted to track reminders (based
on time, place, and person) and detect anti-forensic attempts like
evidence modification and evidence destruction carried out on
Cortana artifacts.
Q8. What Are The Windows Features of Forensics Analysis?
Ans: When doing Windows Forensic Analysis, it can be quite
overwhelming to see a large amount of data that one needs to collect,
assuming you know what you are looking for. In case you don’t know
what you are looking for, the entire process becomes twice as hard.
Windows artifacts are the objects which hold information about the
activities that are performed by the Windows user. The type of
information and the location of the artifact varies from one operating
system to another. Windows artifacts contain sensitive information that is
collected and analyzed at the time of forensic analysis.
Features of Windows Forensic analysis:
● Tracks user communications using a window device
● It maintains a list of activities that a user performs on the
windows device.
● Artifacts objects are pre-installed or present in the windows
device which are used for forensic analysis so no need for extra
memory.
● A user how hard it tries, cannot completely erase its behavior
with the system so evidence from the system always lies within.
Q9. What Are The Methods Involved In Windows Forensics?
Ans: Methods that are used for windows forensics are:
1. Magnet Encrypted Disk Detector: This tool is used to check the
encrypted physical drives. This tool supports PGP, Safe boot encrypted
volumes, Bitlocker, etc.
2. Magnet RAM Capture: This tool is used to analyze the physical
memory of the system.
3. Wireshark: This is a network analyzer tool and a capture tool that is
used to see what traffic is going in your network.
4. RAM Capture: As the name suggests, this is a free tool that is
used to extract the entire contents of the volatile memory i.e. RAM.
5. NMAP: This is the most popular tool that is used to find open ports on
the target machine. Using this tool you can find the vulnerability of any
target to hack.
Q11. Define Reviewing Pertinent Logs In Terms Of Forensics?
(P4 - Appeared 1 Time) (5-10 Marks)
Ans: The system log, application log, and security log are the three files
that Windows NT, 2000, and XP operating system maintains. You will be
able to obtain the following information by reviewing these logs:
1. Determine which users have been accessing specific files.
2. Determine who has been successfully logging on to a system.
3. Determine who has been trying unsuccessfully to log on to
a system.
4. Track usage of specific applications.
5. Track alterations to the audit policy.
6. Track changes to user permissions
System log records System processes and device driver activities.
Windows includes device drivers that fail to start properly; hardware
failures; duplicate IP addresses; and the starting, pausing, and stopping
of services are audited by system events. The Application log is
populated by activities related to user programs and commercial off-the-
shelf applications.
Application events that are audited by Windows include any errors or
information that an application wants to report. The number of failed log-
ons , amount of disk usage, and other important metrics can also be
included by Application log. In the Security log, we find System auditing
and the security processes used by Windows. Auditing done by
Windows for Security events include changes in user privileges, changes
in the audit policy, file and directory access, printer activity and system
logons and logoffs.
Q12. How will Performing Keyword Searches?
Ans: Keyword research refers to the process of discovering what search
terms your target audience is entering in search engines to find
businesses and websites like yours and optimizing your content so you
appear in the search engine results.
How to do Keyword Research:
1. How To Find Keyword Ideas :-
The first stage of keyword research is to brainstorm ideas for
seed keywords, and there are several ways to do this.
● Your Target Audience :
Everything starts with your audience and what they want. Think
about their needs, wants, and especially their pain points and
problems. Start to compile your wide list of words, ideas, and
topics that surround your niche or business.
● Think About Questions :
Question-based keyword queries are valuable as they can help
you to capture featured snippets and can be a way to jump rank
on highly competitive keywords.
2. How To Analyze Keywo0rds :-
Once you have your raw list, it’s time to start to analyze and
sort by value and opportunity.
● Search Volume:
Search volume will tell you if anyone is actively searching for this
term. For a first-stage strategy, you should aim for keywords with a
mid-range and long-tail volume for quick wins and then build up to
approach more competitive terms with higher volumes.
Head keywords with super high volumes (like ‘iPhone’) are not the
best keywords to focus on as they can be too ambiguous and
rarely have a specific intent.
Also, the amount of work that is needed to rank can be too high
a barrier for entry unless you have an established domain of
significant authority.
Q13. What Is File Analysis In Digital Forensics? (P4 - Appeared 1 Time)
(5-10 Marks)
Ans: Forensic analysis deals with files on media—deleted files, files in
folders, files in other files, and all stored on or in some container. The
goal of media analysis is to identify, extract, and analyze these files and
the file systems they lie upon.
● Analysis is the process in which one applies intelligence to the
data set and ideally comes up with meaningful results.
● It focuses primarily on the concepts behind identifying and
extracting file system artifacts and information about files.
● A file system abstraction model is used to describe the functions
of file systems and the artifacts generated by these functions.
Timeline analysis is quite useful when performed properly.
● In addition to file systems in volumes on physical media, one has
to deal with file systems in other containers.
● One example is the Macintosh-specific DMG container, and two
major containers that one is likely to encounter are Virtual
Machine Disk Images and Forensic Containers.
● Container formats geared toward forensic imaging have some
functionality above and beyond a raw disk image.
● This can include things such as internal consistency checking,
case information management, compression, and encryption.
● A good forensic imaging process generates an exact duplicate of
the source media under investigation.
● Search Intent :
After you have sorted your raw lists by search volumes, it’s then
time to review the intent for each keyword that you would like to
target.
● Topic Clusters :
Grouping keywords into topic clusters is an advanced keyword
strategy that can help to strengthen the topic authority of a site.
To do this, you would start with a high-volume head keyword and
then research a series of keywords that supports that head term.
After creating pages of content that target each keyword, you
use internal linking to connect pages with the same topic.
3. How To Choose Organic Keywords :-
After sorting the volumes, intent, and topics, you will need to
decide if you have a chance of ranking on a term by looking at how
much competition there is for each keyword.
● Keyword Difficulty:
Keyword difficulty is one of the most important keyword metrics
when doing your research.
If a keyword is so competitive that you need hundreds of
thousands of dollars to rank, then you need to get strategic.
The easiest way to calculate keyword difficulty is to use a
research tool that gives a score for each keyword.
● Connecting To Your Objectives And Goals :
Unless a keyword can actually deliver a result for you – do you
want to target it?
As we said above, targeting head terms is not the best strategy as
they will, at best, deliver browsing or drive-by visitors. Unless you
are a big brand with a big budget that is aiming for brand
awareness, This is not the best application of your resources and
budget. Choosing your keyword priority should start with what can
give you the best return in the shortest time frame.
Q14. Explain Identifying Unauthorized User Accounts or Groups in
Identifying Rogue Processes. -
Ans: Rogue devices are just plain malicious by nature. They exist for
the sole purpose of stealing sensitive information like credit card
numbers, passwords, and more.
● They harm your network and, in the process, can harm your
company's reputation. In rare cases, rogue devices can even
permanently damage systems, if there is no rogue device
detection tool in your company.
● Wireless networks are inherently less secure than wired
networks. With traditional (non-wireless) networks, data flows
over physical and continuously-monitored circuits.
● On the other hand, in wireless networks, data is transmitted
using radio signals. Because your IP network is designed to
provide distributed access, it’s porous and intended to be
accessible by many types of devices.
● Therefore the objective of IT administrators should be to limit
access to only authorized devices. Controlling which devices
can connect to your network is crucial for ensuring the privacy
and integrity of corporate assets and data.
● For rogue network device detection, a network must have at least
three things.:-
1. Periodic scanning: One popular method of rogue device prevention
from having unrestricted access to your network is to scan
your office for wireless devices on a daily, weekly, or monthly
basis.
2. Continuous monitoring: If you periodically scan your office, you
will probably find many wireless devices that belong to your
company, your neighbors, and your guests. Every time a scan is
done, new sets of devices will be found. Continuously monitoring
your network allows you to maintain a list of known devices so
that you can tell when a new one shows up.
3. Immediate alerting: If a new device is discovered in your network
or the status of a device changes suddenly, an IT engineer needs
to be informed immediately. This is why you need a
comprehensive alerting system in your network, especially if it
contains a large number of devices.
Q15. What Is The Security Risks Checking for Unauthorized Access
Points.
Ans: A rogue access point is an access point installed on a network
without the network owner’s permission.
If an attacker owns the access point, they can intercept the data (e.g. PII)
flowing through the network.The risk is that unauthorized wireless
access points could be used to leak sensitive information, including
passwords and cardholder data, outside of the business. This is not
sanctioned by the local administrator but is operating on the network
anyway.
● Passive interception
In passive interception, a rogue access point can read your data
but cannot manipulate it. If you connect to a network with a rogue
access point and enter your password on a site over HTTP, the
rogue access point can read your password.
Passive interception can also collect a user's Internet footprint. By
monitoring DNS requests and other Internet traffic, the rogue
access point can profile your Internet behavior. This profile can
expose private information about you such as the types of
websites you visit.
● Active interception
In active interception, a rogue access point can also manipulate
your data. They can read the incoming user data, modify the
data however they want, and send the modified user data to the
destination endpoint.
For example, if a user visits a banking website and tries to
deposit money into an account, a rogue access point can redirect
the deposit to an attacker’s account.
Q1. Explain Android Forensics In Brief.
Ans: Android forensics is a branch of mobile device forensics relating
to recovery of digital evidence or data from an android operating
system under forensically sound conditions.
● The phrase mobile device usually refers to mobile phones;
however, it can also relate to any digital device that has both
internal memory and communication ability, including PDA devices,
GPS devices and tablet computers.
● Mobile phones are proven to be valuable sources of information
in the majority of investigations.
● Parties in litigation seeking to prove wrongdoing often find
important evidence, clues and traces by analyzing activities stored
on cell phones and smart devices, including contacts and their
creation dates as well as when and how often certain phone
numbers were called.It is always a challenge for forensic
examiners to discover the evidences from the Android devices.
● Android has a different and newer file system, directory
structure, runtime environment, kernel and libraries which
make Android more complex to forensic examiners.
Interesting locations for Forensics Investigation:
● Phone Browser Memory
● Application storage
● External Card
● SQLite database files
● SMS
● GPS data
● Call records
● Contact list
Forensic Process of Android Device
1. Creating 1:1 Image
2. Creating Image of Android device
3. Recovering Data
4. Analyzing the Data
5. Analyzing SQLite database files
6. Reporting Evidences
Q16. Define AnalyzingTrust Relationships. (P4 - Appeared 1 Time) (5-10
Marks)
Ans: A logical connection that is established between directory domains
so that the rights and privileges of users and devices in one domain is
shared with the other. For example, it allows users to log in once and
have access to all associated resources without having to be
authenticated again. For example, Forests and Trees:
The domain hierarchy in the Windows Active Directory system. A tree is a
group of domains that have the same DNS name; for example, abc.com
(the top domain), sales.abc.com and support.abc.com (the child domains).
A forest is a collection of trees, which can be treated as one
administrative unit by the user designated as Enterprise Administrator
(EA), and Active Directory automatically manages trusts between
domains. For security purposes, organizations have set up multiple
forests, but trusts between forests must be managed manually by the
administrator.
Q2. What Is The Mobile Device Forensic Investigation?
Ans:Mobile forensics is the process of recovering digital evidence from
mobile devices using accepted methods. Unlike traditional digital
forensics processes, mobile forensics solely focuses on retrieving
information from mobile devices such as smartphones, androids, and
tablets. Mobile devices contain an abundance of information from text
messages and web search history to location data, so they can be
extremely useful for an investigation by law enforcement.
Investigators must follow specific guidelines for evidence to be accepted
in a court of law. Here are the steps in the mobile forensics process:
Step 1: Seizure
The mobile forensics process begins with the seizure of the devices in
question. Like any other evidence in a forensic investigation, the
devices must be handled with great care to preserve evidence and
prevent mishandling.
Step 2: Acquisition
After the device is seized and secured, it’s time to extract the evidence.
That’s done by duplicating its files with a software imaging tool. The
duplicate maintains the integrity of the original files and can be used as
evidence for the original copy.
Step 3: Analysis
Mobile devices contain loads of data. The “analysis” step of the
forensic process focuses on extracting useful and relevant data.
Step 4: Examination
Lastly, the gathered evidence must be presented to any other
forensic examiners or a court that will determine its relevance to the
case.
Q3. Define Storage location.
Ans:A storage location is a physical or virtual location where data is
stored and retrieved. It can be a physical location, such as a hard drive
or a flash drive, or a virtual location, such as cloud storage or a network
share.
● Storage locations can be used to store various types of data,
including files, documents, images, videos, and other types of
digital content.
● The storage location can be accessed by a computer or
other electronic device to retrieve or store data.
● The data can be stored in various formats, such as text, audio,
video, or image files, and can be organized and managed using
file systems and other storage management tools.
● The capacity of a storage location can vary, from a few gigabytes
in a flash drive to several petabytes in a data center. The
performance of the storage location, such as read and write speed,
can also vary depending on the type of storage technology used,
such as solid-state drives (SSDs), hard disk drives (HDDs), or
cloud-based storage solutions.
● Overall, storage locations are critical components of modern
computing systems and play a crucial role in data storage,
retrieval, and management.
Q4. What Are The Acquisition methods?Explain Any One In Detail.
Ans: Forensics data acquisitions are stored in three different formats:
raw, proprietary, and AFF. Most proprietary formats and AFF store
metadata about the acquired data in the image file.
The four methods of acquiring data for forensics analysis are disk- to-
image file, disk-to-disk copy, logical disk- to- disk or disk- to- data file, or
sparse data copy of a folder or file.
Large disks might require using tape backup devices. With enough
tapes, any size drive or RAID drive can be backed up. Tape backups
run more slowly but are a reliable method for forensics acquisitions.
Q5. What Is Data Analysis?
Ans: Data analysis is defined as a process of cleaning, transforming,
and modeling data to discover useful information for business decision-
making.
● The purpose of Data Analysis is to extract useful information
from data and take the decision based upon the data analysis.
● A simple example of Data analysis is whenever we take any
decision in our day-to-day life is by thinking about what happened
last time or what will happen by choosing that particular decision.
● This is nothing but analyzing our past or future and making
decisions based on it. For that, we gather memories of our past
or dreams of our future. So that is nothing but data analysis. Now
the same thing an analyst does for business purposes, is called
Data Analysis.
There are several types of Data Analysis techniques that exist based on
business and technology. However, the major Data Analysis methods
are:
● Text Analysis
● Statistical Analysis
● Diagnostic Analysis
● Predictive Analysis
● Prescriptive Analysis
Data Analysis consists of the following phases:
● Data Requirement Gathering
● Data Collection
● Data Cleaning
● Data Analysis
● Data Interpretation
● Data Visualization
Logical acquisition-
● Logical Acquisition is about extracting the logical storage objects,
such as files and directories, that reside on the filesystem.
● Logical acquisition of mobile phones is performed using the device
manufacturer application programming interface to synchronize the
phone's contents with a computer. Many of the forensic tools
perform a logical acquisition.
● It is much easier for a forensic tool to organize and present the
data extracted through logical acquisition. However, the forensic
analyst must understand how the acquisition occurs and whether
the mobile is modified in any way during the process.
● Depending on the phone and forensic tools used, all or some of
the data is acquired.
● Logical acquisitions of cell phones are performed using cell
phone forensic software.
● A logical acquisition typically only recovers data on a cell phone
that is not deleted.
● Depending on the phone and the forensic tools used, some or all
of the data might be able to be acquired.
● For instance, where only some of the data can be acquired, this
means that the text messages, contact list, and call history might
be acquirable using the cell phone forensics tools, but the
images and ringtones are not.
● Even if only existing data can be captured from a cell phone,
there are good reasons for performing a logical acquisition
instead of simply taking pictures of the information on the phone
from the device itself.
● When a logical acquisition is performed, the data can be
preserved in stasis and the phone returned to the custodian to
which it belongs.
● You would then have a snapshot in time of the cell phone evidence
as it existed when the acquisition was performed, which preserves
that evidence and also allows for verification.
Q6. Explain 5 GPS forensics .
Ans:
The fields of electronic evidence are no longer concentrated entirely on
the conventional media but have to encounter various types of embedded
devices out of which the GPS receiver is one among them. These GPS
receiver devices consist of vital information if used by anti-social
elements or terrorism etc.
These handheld or vehicle mounted GPS devices have their own
proprietary operating systems, file system formats and different
techniques of communication. The analysis of such suspected GPS
devices or receivers requires exclusive software and hardware tools as
well as knowledge of the principal, working mechanism and areas where
digital data is stored.
There are five (5) different types of GPS receivers they are :-
(i) not self contain receiver – without screen or R232 receivers or GPS
Mice,
(ii) Self contained receivers or a computer is integrated in a GPS receiver,
(iii) sophisticated receivers used by ONGC, military services,
(iv) dedicated single purpose GPS systems like CAR GPS and
(v) GPS incorporated in phones – modern smart phone systems etc.
The GPS receiver device as presently dealt with i.e. GARMIN consists of
different types of models available in the market which can be divided
into three main types :–
(1)Device with Secure Digital (SD) cards,
(2) Device with only internal flash memory and
(3) GPS devices with internal hard drive.
Forensically the image of GPS devices can be acquired as bit stream
image except for the device which has only the internal flash memory
device. The GPS receivers normally accumulate the information in a file
format of “.cfg” file. The analysis of the “.cfg” file indicates that the first
destination in the ‘.cfg’ file is the home location if entered, and the last
two entries link to the start of the last calculated route and the last
entered destination.

Q7. Define GPS Evidentiary data. (P4 - Appeared 1 Time) (5-10 Marks)
Ans: GPS (Global Positioning System) evidentiary data refers to location-
based information collected by GPS devices and used as evidence in
legal proceedings. This data is typically used in criminal cases, where the
location of a suspect at a particular time is critical to the case.
● GPS evidentiary data can include the exact location of a device at
a specific time, as well as the time and date of the location fix. It
can also include information about the GPS device itself, such as
the make and model, serial number, and firmware version.
● GPS evidentiary data can be used to prove or disprove an
individual's presence at a particular location at a specific time.
This data is often collected by law enforcement agencies using
GPS tracking devices or by requesting location data from service
providers such as mobile phone companies.
● GPS evidentiary data must be collected and preserved in a
manner that meets the standards of the legal system to ensure its
admissibility as evidence in court. This includes ensuring the
accuracy and authenticity of the data, as well as maintaining a
chain of custody to demonstrate that the data has not been
tampered with or altered in any way.
Q8. What Is The GPS Exchange Forma (GPX)?
Ans: GPS Exchange Format (GPX) is an XML-based file format used to
store and exchange GPS data between GPS devices and software
applications. GPX files can contain waypoints, tracks, and routes, which
can be used to record and share information about outdoor activities
such as hiking, biking, and geocaching.
GPX files can be created using GPS devices, software applications, or
online mapping services. The file format is based on the XML standard,
which makes it easy to read and process by other software applications.
GPX files can be opened and edited using a wide range of software
applications, including GIS (Geographic Information System) software,
mapping software, and web browsers.
Q10. Define The Extraction of Waypoints and TrackPoints.
Ans: The extraction of waypoints and trackpoints refers to the process of
identifying and recording specific location coordinates during a journey or
activity.
● Waypoints are specific locations that are marked for future
reference, often used in navigation.
● These can include landmarks, intersections, or other points
of interest. They can be manually entered into a GPS device
or extracted from digital maps.
● Trackpoints, on the other hand, are location coordinates that are
recorded automatically by a GPS device at regular intervals
during an activity, such as hiking or driving.
● These data points create a track log that can be used to map the
route taken, track progress, and analyze performance.
● The extraction of waypoints and trackpoints is an important part of
GPS-based navigation, as it allows for accurate tracking of
movement and location data, which can be used for a variety of
purposes such as analyzing performance, planning routes, or
navigating unfamiliar terrain.
Q11. Explain Tracks and Display the Tracks on a Map.
Ans: In the context of digital forensics, a track refers to a series of
locations recorded by a GPS device or other location-aware technology.
These tracks can provide valuable evidence in investigations related to
criminal activity, fraud, or other types of illicit behavior.
● To display tracks on a map, investigators typically use specialized
tools that can parse and visualize the location data. These tools
can show the locations recorded by the device over time, as well
as provide additional information such as the speed, altitude, and
direction of movement.
● One common tool for displaying tracks on a map is Google Earth,
which can import GPS data and display it as a series of points on a
3D map. Investigators can use this tool to visualize the movement
of a suspect or vehicle, as well as to identify areas of interest or
potential evidence.
GPX files can contain a variety of information, including:
● Waypoints: A specific point of interest, such as a trailhead,
summit, or campsite. Waypoints can include a name, description,
coordinates, and elevation.
● Tracks: A recorded path of movement, which can be used to
retrace a route or analyze performance data. Tracks can include
timestamps, coordinates, and elevation data.
● Routes: A pre-planned path of movement, which can be used to
navigate a specific route. Routes can include waypoints and
other navigational information.
GPX files are widely used by outdoor enthusiasts, including hikers, bikers,
and geocachers, to record and share information about their activities.
They are also used by researchers, conservationists, and land managers
to track and analyze movement patterns of wildlife and other natural
resources.
Q9. Explain GPX Files.
Ans: A GPX file is a GPS data saved in the GPS Exchange format.
GPX files are commonly used for exchanging GPS location data which
includes routes, and tracks with others creating maps.
● GPX files are saved in XML format that allows GPS data to be
more easily imported and read by multiple programs and web
services.
● A GPX file, also known as a GPS Exchange Format file, is simply
a text file with geographic information such as waypoints, tracks,
and routes saved in it. You can use GPX files to transfer that
information between GPS units and computers.
● If you open up a GPX file, you'll see that it's simply a text file. You
can open a GPX file with any text editor or word processor. There
are also more sophisticated tools that offer mapping and are
easier to work with.
● The GPX file was specified in the text format so that any type
of device could easily open and read it without a fuss.
● The GPX file format is called an "open standard" meaning that it
can be used on any device for free regardless of brand. In order
for that to work, there has to be standard tag names within the
GPX file.
Those standard tag names were first established in 2002, and
then updated in 2004 with the latest version of GPX, GPX 1.1.
● Other tools used for displaying tracks on a map may include
proprietary software developed by forensic technology vendors,
as well as open-source tools such as the GPS Visualizer or
OpenStreetMap.
● Overall, displaying tracks on a map can provide valuable insights
and evidence in forensic investigations, enabling investigators to
reconstruct movements and identify patterns of behavior.
However, it requires careful analysis and interpretation of the data
to ensure that the results are accurate and reliable.
Q12. What Is SIM Cards Forensics?
Ans: With the rapid evolution of the smartphone industry, mobile
device forensics has become essential in cybercrime investigation.
Currently, evidence forensically-retrieved from a mobile device is in
the form of call logs, contacts, and SMSs; a mobile forensic
investigator should also be aware of the vast amount of user data and
network information that are stored in the mobile SIM card such as
ICCID, IMSI, and ADN.
● Mobile phone forensics, the most challenging digital forensics
field, should be enriched with SIM card forensics.
● The SIM (Subscriber Identity Module) is a smart card that is used
in mobile phones to store user data and network information that
is required to activate the handset for use.
● Since the introduction of UMTS, better known as 3G
technologies, USIM cards are favored. While SIM cards provide
network access, the tiny computer within a USIMenables it to
handle several mini-applications and video calls if it is supported
by the network and the handset.
● Furthermore, data exchanges are encrypted with stronger keys
than those provided by SIMs. Additionally, a USIM’s phonebook is
much bigger, with the ability to store thousands of richer contacts
that might contain email addresses, photos, and several additional
phone numbers.
● A smartphone might be the key to an entire investigation; thus, an
investigator’s task in uncovering evidence will be much harder if it
is not supported with the necessary knowledge.
● SIM card forensics is a promising area that can provide
investigators with a plethora of evidentiary data, given that
they have the right knowledge and tools to extract it in a
forensically-sound manner.
Q13. Define The Subscriber Identification Module (SIM).
Ans: SIM is a removable smart card for mobile phones that stores
network specific information used to authenticate and identify
subscribers on the network.
1. SIM is the smart card used in GSM and UMTS (as USIM)
networks to identify the subscribers. It has integrated secure
storage and cryptographic functions.
2. A Subscriber Identity Module is a removable smart card for
mobile cellular telephony devices such as mobile computers and
mobile phones. SIM cards securely store the service-subscriber
key (IMSI) used to identify a GSM subscriber. The SIM card
allows users to change phones by simply removing the SIM card
from one mobile phone and inserting it into another mobile phone
or broadband telephony device.
3. It is part of a removable smart card ICC (Integrated Circuit Card),
also known as SIM Cards, for mobile, telephony devices (such
as computers) and mobile phones. SIM cards securely store the
service-subscriber key (IMSI) used to identify a subscriber.
4. The portable database that is carried inside the mobile station.
● Schematic Transformation (Y-to-XML): This module integrates
data residing in different data sources possibly with different
formats, structures, schema, and semantics. The module uses a
multi-source data extractor/wrapper approach to transform data to
a XML representation.
● Syntactic-to-Semantic Transformation (XML-to-OWL): This module
uses the JXML2OWL framework (described in section 4.2) to map
XML Schema documents to existing OWL ontologies and
automatically transform XML instance documents into individuals
of the mapped ontology. This module is crucial for organizations
that plan to move from a syntactic representation of data using
XML to a semantic one using OWL.
● Ontologies (OWL): SIM introduces the ability to extract data from
various data source types (unstructured, semi-structured, and
structured) and wrap the result in OWL (Web Ontology
Language) format (OWL, 2004), providing a homogenous
access to a heterogeneous set of information sources. The
decision to adopt OWL as the ontology language is based on the
fact that this is the World Wide Web Consortium (W3C)
recommendation for building ontologies.
Q15. Define Security In Terms of Forensics.
Ans: Security in terms of forensics refers to the practices and measures
taken to ensure the integrity, confidentiality, and availability of digital
data and systems, as well as the ability to investigate and respond to
security incidents.
● Forensic security involves collecting and analyzing digital evidence
to determine the cause, extent, and impact of security incidents,
such as cyber attacks, data breaches, and unauthorized access.
This may involve using specialized tools and techniques to recover
deleted or hidden data, trace network traffic, and identify the
source of the attack.
● To maintain forensic security, organizations must implement a
range of security controls and procedures, including access
controls, network monitoring, incident response plans, and regular
backups. These measures help to prevent security incidents, as
well as enable effective response and recovery in the event of a
breach or other incident.
Q14. Explain SIM Architecture With Appropriate Diagram.
Ans: The development of our Semantic data Integration Middleware (SIM)
is a complex issue since it requires the integration of distributed systems
with infrastructures that are not frequently encountered in more traditional
centralized systems.architecture for SIM composed of four layers: data
sources, Schematic Transformation, Syntactic-to-Semantic
Transformation, and ontology. The relationships between these layers are
illustrated as follows:
These four modules have the following objectives and responsibilities:
● Data Sources (Y): The data sources define the scope of the
integration system, thus data source diversity provides a wider
integration range and data visibility. SIM can connect to B2B
traditional data source formats, such as structured (e.g. relational
databases), semi-structured (e.g. XML) and unstructured (e.g.
Web pages and plain text files), EDI (Electronic Data Interchange),
and Web services. The supported data source types can easily be
increased to support other formats
● Overall, forensic security is an essential aspect of modern digital
environments, helping to protect sensitive data, maintain
business continuity, and ensure compliance with regulatory
requirements.
Q16. What Is Evidence Extraction? (P4 - Appeared 1 Time) (5-10 Marks)
Ans: Evidence extraction refers to the process of identifying, collecting,
and analyzing digital evidence from various sources, such as computers,
mobile devices, or other digital storage media. The goal of evidence
extraction is to obtain information that can be used in legal or
investigative proceedings.
The process of evidence extraction involves several steps, including:
1. Identification of potential sources of digital evidence, such as hard
drives, memory cards, or cloud storage accounts.
2. Acquisition of digital evidence through forensic techniques, such
as imaging or copying digital storage media.
3. Preservation of the original evidence to maintain its integrity and
prevent any alterations or tampering.
4. Analysis of the acquired evidence to identify relevant information,
such as files, emails, or internet browsing history.
5. Presentation of the evidence in a clear and concise manner for
use in legal or investigative proceedings.
Evidence extraction is an important aspect of digital forensics, which
involves the collection and analysis of digital evidence for use in legal or
investigative proceedings. It plays a critical role in determining the facts
of a case and providing proof of criminal or fraudulent activities. .
Q1.What is web browser forensics? Which Browser Has The Forensic
Data?
Ans: Browser data can be critical to a digital investigation and Chrome
stores both typical internet usage data as well as some data that is
unique to this browser.
● A forensic examination of Chrome data can reveal information
about a user’s internet activities, synced devices, and
accounts.
● Every browser stores certain basic pieces of information about the
websites a user has visited. The history database stores a record
of websites accessed with the date and time of the last visit. The
browser cache stores content from visited sites, such as images
and text.
● Chrome may provide even more information than some other
browsers due to robust synchronization between devices. The
popularity of Chrome and the ubiquity of Google accounts means
that access to one device can provide substantial information
about other devices and accounts.
● Chrome has a well-known feature called “Incognito Mode” which
allows users to browse the internet with a greater amount of
privacy. When browsing in Incognito Mode, Chrome does not
retain a history of websites, downloads, or cookies.
● However, this information is still stored temporarily, mainly in
RAM, and therefore can be recovered in some circumstances,
particularly if the device has not been powered off. Even in
Incognito Mode, using Chrome leaves plenty of traces, and
some data regarding the user’s activities will persist on the
device for a long time.
● An experienced examiner can use forensic tools to extract
and interpret this data.
Q3. Explain Sender Policy Framework (SPF).
Ans: The Sender Policy Framework (SPF) is an email authentication
protocol and part of email cybersecurity used to stop phishing attacks.
● It allows your company to specify who is allowed to send email on
behalf of your domain. This is useful because in a typical phishing
attack, the threat actor spoofs the sender address to look like an
official business account or someone the victim may know.
● SPF blocks spammers and other attackers from sending email
that appears to be from a legitimate organization. SMTP (Simple
Mail Transfer Protocol) does not place any restrictions on the
source address for emails, so SPF defines a process for the
domain owners to identify which IP addresses are authorized to
forward email for their domains.
● SPF defines a format for adding a record in the Domain Name
System (DNS) that indicates valid email servers. Receiving email
servers that get email from an email service under SPF must
check the TXT records when they perform DNS lookup on the
inbound email.
● The SPF policy framework is an authentication scheme and
a machine-readable language.
● Each participating domain declares attributes that uniquely
describe their mail, including authorized senders. This description
is represented in an SPF record, which is published in DNS
records.
● An SPF client program performs a query searching for the
correct SPF record, in order to determine whether a message
comes from an authorized source.
● There are seven possible query results, including pass, which
means that the message meets the domain's definition for
legitimate messages; fail, which means that a message does not
meet that requirement; and further stipulations for mail that don't fit
either category, such as messages from domains that do not
publish SPF data.
● SPF and other authentication-based measures are designed to
redress a vulnerability in SMTP, the main protocol used in
sending email, which does not include an authentication
mechanism.
Q2. Define Email forensics.
Ans: With the prominence of the internet, emails have emerged as the
most popular application for business communication, document transfers
and transactions from computers and mobile phones. With this
emergence, email security protocols have also been implemented to
mitigate the illegitimate actions of criminals, such as business email
compromise, phishing emails, and ransomware. However, there comes a
time when specific emails need to be examined and data extracted for
legal matters such as civil litigation and legally aided criminal
investigations. This is where email forensics is applied.
Email forensics is exactly what it sounds like. The analysis of emails and
the content within to determine the legitimacy, source, date, time, the
actual sender, and recipients in a forensically sound manner. The aim of
this is to provide admissible digital evidence for use in civil or criminal
courts.
Email forensics is dedicated to investigating, extracting, and analyzing
emails to collect digital evidence as findings in order to crack crimes
and certain incidents, in a forensically sound manner.
The process of email forensics, it’s conducted across various aspects
of emails, which mainly includesEmail messages
● Email addresses(sender and recipient)
● IP addresses
● Date and time
● User information
● Attachments
● Passwords
● logs (Cloud, server, and local computer)
To deeply and overall investigate the above crucial elements of email,
potential clues are going to be obtained to help push the progress of
a criminal investigation.
Hence, knowing how to conduct scientific and effective email forensics
has come into account.
Q4. Define Domain Key Identified Mail (DKIM).
Ans: DKIM (Domain Keys Identified Mail) is an email authentication
technique that allows the receiver to check that an email was indeed
sent and authorized by the owner of that domain.
● This is done by giving the email a digital signature. This DKIM
signature is a header that is added to the message and is
secured with encryption.
● Once the receiver (or receiving system) determines that an email
is signed with a valid DKIM signature, it’s certain that parts of the
email among which the message body and attachments haven’t
been modified.
● Usually, DKIM signatures are not visible to end-users, the
validation is done on a server level.
● Implementing the DKIM standard will improve email deliverability.
If you use DKIM record together with DMARC (and even SPF)
you can also protect your domain against malicious emails sent
on behalf of your domains.
● Though, in practice these goals are achieved more effectively if
you use the DKIM record together with DMARC (and even SPF).
● DMARC and DMARC Analyzer use both SPF and DKIM.
Together they provide synergy and the best result for email
security and deliverability.
Q5. What is Domain based Message Authentication Reporting and
Confirmation (DMARC)?
Ans:DMARC operates by checking that the domain in the message's
From: field (also called "RFC5322") is "aligned" with other authenticated
domain names. If either SPF or DKIM alignment checks pass, then the
DMARC alignment test passes.
● Alignment may be specified as strict or relaxed. For strict
alignment, the domain names must be identical. For relaxed
alignment, the top-level "Organizational Domain" must match.
● A DMARC policy allows a sender's domain to indicate that
their email messages are protected by SPF and/or DKIM, and
tells a receiver what to do if neither of those authentication
methods passes – such as to reject the message or
quarantine it.
● Like SPF and DKIM, DMARC uses the concept of a domain
owner, the entity or entities that are authorized to make changes
to a given DNS domain.
● SPF checks that the IP address of the sending server is authorized
by the owner of the domain that appears in the SMTP MAIL FROM
command.
● In addition to requiring that the SPF check passes, DMARC
checks that RFC5321.MailFrom aligns with 5322
Domain-Based Message Authentication, Reporting and Confirmation
(DMARC) is an email authentication policy that protects against bad
actors using fake email addresses disguised to look like legitimate
emails from trusted sources. DMARC makes it easier for email senders
and receivers to determine whether or not an email legitimately
originated from the identified sender. Further, DMARC provides the user
with instructions for handling the email if it is fraudulent.
DMARC is capable of producing two separate types of reports.
Aggregate reports are sent to the address specified following the rua.
Forensic reports are emailed to the address following the ruf tag. These
mail addresses must be specified in URI mailto format (e.g.
mailto:worker@example.net ). Multiple reporting addresses are valid and
must each be in full URI format, separated by a comma.
Q8. What Are Content Layouts of an Investigative Report?
Ans: The content layouts of an investigative report consists of the
following:
1. Executive Summary: The contextual information of the state of
affairs that brought about the essential for an investigation is the
“executive summary” unit. This is the section that the senior
management just might read; they will probably not read the
report. Therefore, the things that matter should be included in
this section in short detail.
2. Objectives: We use the objective section to outline all the tasks
that our investigation intended to accomplish. Prior to any forensic
analysis, this task list should be discussed and approved by
decision makers, legal counsel, and/or the client.
3. Computer evidence analyzed: The detailed information regarding
the assignment of evidence tag numbers and media serial
numbers, as well as descriptions of the evidence, is provided in
this section.
4. Relevant findings: Summary of the findings of probative value is
provided in this section. It answers the question,”What relevant
items were found during the investigation?” The relevant
findings should be listed in order of importance, or relevance to
the case.
5. Supporting details: An in-depth look and analysis of the relative
findings is provided in this section. It outlines how we found or
arrived at the conclusion outlined in the “Relative Findings”
section.
6. Investigative leads: In this section, we outline action items that
could be performed to discover additional information pertinent to
the investigation. If more time or additional resources were
provided to the examiner or investigator, these are the
outstanding tasks that could be completed. To a law enforcement
officer, this section is more critical.
Q7. What Are The Different Types of Reports Produced In Investigative
Forensics?
Ans: The importance of ensuring the results of any digital forensic (DF)
examination are effectively communicated cannot be understated. In
most cases, this communication will be done via written report, yet
despite this there is arguably limited best practice guidance available
which is specific for this field in regards to report construction.
There are many different ways to effectively document an investigation.
Whichever method is used, the investigator should take steps to ensure
the reliability of the documentation.” Thus, an investigation may yield
different reports – an oral report, executive summary, or a full
investigative report.
● Oral Report
Just as it sounds, an oral report involves the investigator
delivering the investigative findings verbally. It is commonly
referred to as a “verbal report” or an “oral debrief.”
● Executive Summary
Executive summaries are the most adaptable of the written
reports. They can range from simply setting forth the
investigative methodology and findings, to including all of the
investigator’s analysis, and anything in between. It allows the
investigator to focus on the analysis without a comprehensive
recitation of the evidence or factual background.
● Investigative Report
Finally, the investigative report. The investigative report
typically is an all-inclusive document. It includes everything
from the nature of the complaint, the investigative scope, the
investigator’s role and methodology, a full recitation of the
evidence gathered, and a detailed analysis supporting the
findings.
7. Additional report subsections:In our computer forensic reports,
there are several additional subsections that we often include.
Some of the subsections are as follows,these subsections are
useful in specific cases and not all. It depends on the needs and
wants of the end consumer.
● Attacker methodology
● User applications
● Internet activity or Web browsing history
● Recommendations
Q9. What Are The Guidelines for Writing a Good forensic Report?
Ans: Following points are to be considered for writing a report:
1. Document investigative steps immediately and clearly :-
It requires discipline and organization in documenting investigative
steps immediately, but it is essential to be successful in report
writing. Do not use shorthand or shortcuts. Unclear notations,
incomplete scribbling, or unclear documentation will eventually
lead to redundant efforts, forced translation of notes, confirmation
notes and a failure to comprehend notes by yourself or others.
2. Know the goals of your analysis :- Before beginning your analysis
for examination, know what the goals are. Every crime has
elements of proof, for law enforcement examiners. Your report
should unearth evidence that confirms and dispels these elements.
The bottom line is that the more focused your reports are, the
more effective they are.
3. Organize your report :- Write “macro to micro”. Organize your
forensic report to start at the high level and have the complexity of
your report increase as your audience continues to read it. This
way to get the essence of your conclusions, the executives need
to read only the first page or so, and there is no need to
understand the low-level details that support your claims.

4. Follow a template :-A standardized report template should be
followed. This makes your report writing more scalable,
establishes a repeatable standard and saves time.
5. Use consistent identifier: There can be confusion created in a
report by referring to an item in different ways, such as referring to
the same computer as system, PC, box, web server,etc.
Deve;oping a consistent, unwavering way of to reference each
item throughout your report is critical to eliminate such ambiguity
or confusion.
6. Use attachments and appendices: To maintain the flow of your
report, use attachments or appendices. Right in the middle of
your conclusions, you do not want to interrupt your forensics
report with 15 pages of source code. Any information, files, and
file fragments that you point out in your report over a page long
should be included as appendices or attachments.
7. Have coworkers read your reports: To read your forensics reports,
employ other coworkers. This helps develop reports that are
comprehensible to nontechnical personnel, who have an impact on
your incident response strategy and resolution. While writing a
report, the consumer level,knowledge of your audience and
technical capability should also be considered.
8. Use MD5 hashes:Whether it is an entire hard drive or specific
files, create and record the MD5 hashes of your proof.
Performing MD5 hashes for all evidence provides support to the
claim that you are diligent and attentive to the special
requirements of forensic examination.
9. Include metadata: Record and include the metadata for every file
or file fragment cited in your report. This metadata includes the
time/data stamps, full path of the file, the file size and the file’s
MD5 sum. To increase computer confidence, this identifying data
will help to eliminate even the confusion.
Q1. Define Investigating Windows Systems In Brief.
Q2. Explain File Recovery in Digital Forensics.
Q3. What Is The Windows Recycle Bin Forensics?
Q4. Define Data Carving.
Q5. What Is The Role Of Windows Registry Analysis?
Q6. Explain USB Device Forensics.
Q7. Define File Format Identification In Forensics.
Q8. What Are The Windows Features of Forensics Analysis?
Q9. What Are The Methods Involved In Windows Forensics?
Q10. Explain Cortana Forensics In Detail.
Q11. Define Reviewing Pertinent Logs In Terms Of Forensics?
Q12. How will Performing Keyword Searches?
Q13. What Is File Analysis In Digital Forensics?
Q14. Explain Identifying Unauthorized User Accounts or Groups in
Identifying Rogue Processes. -
Q15. What Is The Security Risks Checking for Unauthorized Access
Points.
Q16. Define AnalyzingTrust Relationships.
Q1. Explain Android Forensics In Brief.
Q2. What Is The Mobile Device Forensic Investigation?
Q3. Define Storage location.
Q4. What Are The Acquisition methods?Explain Any One In Detail.
Q5. What Is Data Analysis?
Q6. Explain 5 GPS forensics .
Q7. Define GPS Evidentiary data.
Q8. What Is The GPS Exchange Forma (GPX)?
Q9. Explain GPX Files.
Q10. Define The Extraction of Waypoints and TrackPoints.
Q11. Explain Tracks and Display the Tracks on a Map.
Q12. What Is SIM Cards Forensics?
Q13. Define The Subscriber Identification Module (SIM).
Q14. Explain SIM Architecture With Appropriate Diagram.
Q15. Define Security In Terms of Forensics.
Q16. What Is Evidence Extraction?
Q1. Define Digital Forensics.
Q2. Define Digital Forensics Categories. Explain Database Forensics in
Brief.
Q3. What Is a Digital Forensic Incident? Define Computer Security
Incident.
Q4. Explain Goals of Incident Response.
Q5. Define CSIRT.
Q6. What Is meant by Incident Response Methodology. Explain Steps of
Incident Methodology.
Q7. What Is The Phase After Detection of an Incident In Computer
Forensics?
Q8. Define Characteristics And Goals Of Digital Forensics.
Q1. Explain Digital Evidence In Brief.
Q2. How many Types of Digital Evidence?
Q3. What Kind of Challenges are Faced By Digital Evidence Explain?
Q4. What Are The Criteria for Admissibility of Evidence?
Q5. What Are Some Of The Challenges in Evidence Handling?
Q6. What Are The Components of Chain of Custody?
Q7. What Are The Digital Forensics Examination Process? Explain
Process Of Seizure.
Q8. What Are some issues that should be considered in Acquiring Digital
Evidence from the Cloud?
Q9. Why Is Forensic Duplication Necessary?
Q10. Explain Forensic Image formats?
Q11. Define Forensic Duplication Techniques.
Q12. Explain Acquiring Digital Evidence In Brief.
Q13. What Are The Best Forensic Image File Format? Explain Acquiring
Volatile Memory (Live Acquisition).
Q14. What Are The Risks and Challenges of Hard Drive Imaging?
Q15. Define Network Acquisition.
Q1. Why There is need to Analyze Hard Drive Forensic Images?
Q2. How Do You Analyze The Forensic Image ?
Q3. Define Malware. What kinds of Malware used In digital Forensics?
Q4. Explain Viruses In Brief.
Q5. What Are The Essential Skills and Tools for Malware Analysis.
Q6. Define Worms.
Q7. Explain List of Malware Analysis Tools and Techniques.
Q1.What is web browser forensics? Which Browser Has The Forensic
Data?
Q2. Define Email forensics.
Q3. Explain Sender Policy Framework (SPF).
Q4. Define Domain Key Identified Mail (DKIM).
Q5. What is Domain based Message Authentication Reporting and
Confirmation (DMARC)?
Q7. What Are The Different Types of Reports Produced In Investigative
Forensics?
Q8. What Are Content Layouts of an Investigative Report?
Q9. What Are The Guidelines for Writing a Good forensic Report?