Q3. What Is a Digital Forensic Incident? Define Computer Security Incident. (P4 - Appeared 1 Time) (5-10 Marks)
Ans: Digital Forensic Incident:
● A digital forensic incident is an event that involves the collection and analysis of digital evidence for the purpose of investigating and resolving security incidents.
● This type of incident typically involves the use of specialized tools and techniques to analyze digital data, such as log files, network traffic, and storage devices.
● Digital forensic incidents can include a wide range of security-related events, such as network breaches, unauthorized access, data theft, and malware infections.
● The goal of handling a digital forensic incident is to identify the scope and impact of the incident, as well as to gather evidence that can be used in legal proceedings or to improve security controls.
Computer Security Incident:
● A computer security incident is any event that involves the unauthorized access, use, disclosure, or destruction of computer systems, networks, or data. These incidents can range from relatively minor events, such as failed login attempts, to major breaches that result in the theft of sensitive data or the disruption of critical services.
● Computer security incidents can have a wide range of causes, including human error, malware infections, phishing attacks, and insider threats. The impact of these incidents can be significant, including financial losses, reputational damage, and legal liabilities.
● To respond to computer security incidents, organizations typically implement incident response plans that include procedures for detecting, investigating, containing, and recovering from security incidents. These plans may involve a range of stakeholders, including IT teams, legal and compliance departments, and external partners such as law enforcement agencies.

Q4. Explain Goals of Incident Response. (P4 - Appeared 1 Time) (5-10 Marks)
Ans: The primary goal of incident response is to effectively remove a threat from the organization's computing environment, while minimizing damage and restoring normal operations as quickly as possible. This goal is accomplished through two main activities:
1. INVESTIGATE
● Determine the initial attack vector.
● Determine the malware or tool used.
● Determine which systems were affected.
● Determine what the attacker accomplished.
● Determine whether the incident is ongoing.
● Establish the time frame of the incident.
2. REMEDIATE
● Use the information obtained from the investigation to develop and implement a remediation plan.
We emphasize the goals of corporate security professionals with legitimate business concerns in our incident response methodology. In addition, we also take into consideration the concerns of law enforcement officials. Therefore, we have developed a procedure that promotes a coordinated, cohesive response and achieves the following:
● Prevents a disjointed and non-cohesive response (which could be disastrous).
● Confirms or dispels whether an incident has occurred.
● Promotes the collection of accurate information.
● Controls the proper retrieval and handling of evidence.
● Protects privacy rights established by law and policy.
● Minimizes disruption to business and network operations.
● Provides accurate reports and useful recommendations.
● Provides rapid detection and containment.
● Minimizes exposure and compromise of proprietary data.
● Tries to protect your organization's reputation and assets.
● Educates senior management.
● Promotes rapid detection and/or prevention of such incidents in the future (via lessons learned, policy changes, etc.).
Q5. Define CSIRT. (P4 - Appeared 1 Time) (5-10 Marks)
Ans: CSIRT:
● CSIRT stands for Computer Security Incident Response Team.
● A CSIRT is the team whose members carry out the incident response process. In order to resolve an incident or attack, the CSIRT works together as an interdisciplinary team.
● The CSIRT has the appropriate legal, technical, and other expertise necessary. Its members decide whether or not to initiate an incident response based on the seriousness of the incident.
● When an organization requires its capabilities, the CSIRT is normally assembled as an effective team to conduct the initial response process.
● There is always a division between the personnel who investigate computer security incidents and those who investigate conventional crimes.
● Many companies therefore maintain separate functions for corporate security staff and computer security staff.
● Network attacks (e.g. computer intrusions and Denial of Service attacks) are responded to solely by the Computer Security Incident Response Team.

Q6. What Is meant by Incident Response Methodology. Explain Steps of Incident Methodology. (P4 - Appeared 1 Time) (5-10 Marks)
Ans: Incident response methodology: It is an approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.
Computer incidents are complicated and fragile and must be handled precisely and with caution. To achieve this precision, we use the approach of dividing incident resolution into component steps and testing the input and output of each step.
The fig. below illustrates the process steps:
1. Pre-incident preparation:
● This phase deals with preparing the organization with a proper workforce and management before the incident.
● It is done before the incident occurs.
● This phase includes:
A. Preparing the organization: This deals with making the organization immune to attack.
B. Preparing the CSIRT: The organization assembles a CSIRT team responsible for handling the attack. They are provided with the necessary training along with the desired software and hardware.
2. Detection of incident:
● The most critical phase of the process.
● This phase starts when any illegal or unauthorized event occurs.
● The detection can be done by an end user (customer), a system admin or an IDS.
● End users file their complaint by contacting the help desk.
● Admins contact their immediate supervisor.
● An IDS alerts the information security personnel.
3. Initial Response:
By recording the basic particulars surrounding the incident, assembling the incident response team, and informing the individuals who need to know about the incident, the initial response team performs an initial investigation.
4. Formulate response strategy:
Determine the best response strategy and gain management approval based on the outcomes for all known facts. On the basis of the conclusions, determine the civil, criminal, administrative, or other actions that are appropriate to take as a result of the investigation.
5. Investigate the incident:
Perform a comprehensive collection of data to determine what happened, when it happened, who did it, and how it can be prevented in the future.
6. Reporting:
The most difficult phase in the process. The challenge is to create reports that precisely describe an incident and present the information about the investigation in such a manner that it becomes useful to decision makers.

Q7. What Is The Phase After Detection of an Incident In Computer Forensics? (P4 - Appeared 1 Time) (5-10 Marks)
Ans: Once the incident has been identified and detected, the following phases should be followed.
1. Recording the details after initial detection:
A checklist is very important for an organized incident response team to work efficiently.
● Initial response checklist: For recording details after the initial notification of an incident. We can divide this checklist into two main sections: one for general information and the other for more specific information.
● Second section of the initial response checklist: This can be used by CSIRT members to address the technical details surrounding the incident.
2. Incident declaration:
● In most cases in which suspicious activity is reported, it will be immediately obvious whether or not the activity is actually a computer security incident. However, in a few cases, it may be difficult to determine whether an incident occurred based on the details recorded in the initial response checklist.
● If you cannot immediately tell whether an incident has occurred, we recommend that you assign a case or incident number, making it worth investigating.
● Once an incident is declared, it has an incident number to be used as a specific reference to that incident.
3. Assembling the Computer Security Incident Response Team:
Many organizations have a CSIRT that is formed in response to a particular situation or incident rather than an established and dedicated centralized team. Therefore, the CSIRT needs to be staffed in real time after an incident is detected.
4. Performing traditional investigation steps:
The investigation stage includes defining the "who, what, when, where, how and why" surrounding an incident.
5. Conducting interviews:
● The first step, when your CSIRT learns of a suspected incident, is to start asking the "who, what, when, and how" questions.
● These questions allow you to determine some facts surrounding the incident, such as the location of the relevant systems, administrative contacts, etc.
● The more answers you can obtain, the easier it is to assess the situation.
6. Formulating a response strategy:
The most important aspect of incident response is arguably your strategy. In this phase, you consider what remedial steps to take to recover from the incident. Your response strategy should also cover initiating adverse action against an internal employee or an external attacker.

Q8. Define Characteristics And Goals Of Digital Forensics. (P4 - Appeared 1 Time) (5-10 Marks)
Ans: Characteristics of Digital Forensics:
1. Preservation: The digital evidence is preserved for further procedures, which also makes it easy to re-confirm anything whenever information is required about the incident.
2. Extraction: The data from the evidence is extracted and, as and when it is required, used for analysis.
3. Documentation: Everything is documented as it is done, without any delay, so that a proper report is maintained and no confusion or wrong decisions arise during the process.
Goals of digital forensics:
1. To extract data from the electronic evidence.
2. To process it into actionable intelligence.
3. To present the findings for prosecution.

Q1. Explain Digital Evidence In Brief. (P4 - Appeared 1 Time) (5-10 Marks)
Ans: Digital Evidence:
● Computers are used for committing crime, and, thanks to the burgeoning science of digital evidence forensics, law enforcement now uses computers to fight crime.
● Digital evidence is information stored or transmitted in binary form that may be relied on in court. It can be found on a computer hard drive, a mobile phone, among other places.
● Digital evidence is commonly associated with electronic crime, or e-crime, such as child pornography or credit card fraud. However, digital evidence is now used to prosecute all types of crimes, not just e-crime. For example, suspects' email or mobile phone files might contain critical evidence regarding their intent, their whereabouts at the time of a crime and their relationship with other suspects.
● In an effort to fight e-crime and to collect relevant digital evidence for all crimes, law enforcement agencies are incorporating the collection and analysis of digital evidence, also known as computer forensics, into their infrastructure.
● The field of computer security includes events that end up in the courtroom, and a successful courtroom experience is both worthwhile and satisfying.
● Investigation of a computer security incident may lead to a legal proceeding, such as court proceedings, where the digital evidence and documents obtained are likely to be used as exhibits in the trial.
● To meet the requirements of the judging body and to withstand any challenges, it is essential to follow the evidence-handling procedures.
Q2. How many Types of Digital Evidence? (P4 - Appeared 1 Time) (5-10 Marks)
Ans: Types of Digital Evidence:
1. Logs: Logs belong in the visible data type category, which can be anything from:
● OS logs: Examples include events pertaining to system access, security alerts, the duration of a user's login session, when the device was shut down, etc. Typically, OS logs are stored in a particular system directory.
● Database logs: Since they mostly reveal what changes were made to a particular database, these can be a vital source of crime evidence as well as a useful approach for debugging and troubleshooting in the unfortunate event of any technical issues with the database in question.
2. Video footage and images: Out of all the types of digital evidence, video footage and images can be classified as the visible data type, just like the logs. There are many types of digital evidence that fall into this category, including CCTV footage, videos recorded on a mobile device, digital camera footage, voice recordings, etc. However, unlike typical logs, multimedia files may require specialized tools to investigate that go beyond typical multimedia players.
3. Archives: Since archives are regular files accessible straight from the file explorer, they fall into the visible data type group. Various types of evidence can come in the form of an archive, whether it be Zip/Rar/similar files, databases, backups, software-specific archives, etc. Technically, since they can contain all sorts of extractable file formats, archives can be regarded as a wildcard source of evidence.
4. Metadata: Metadata falls into the invisible data type category because it typically requires special software to be able to view it. For instance, a photo file on a hard drive or storage media can contain additional data regarding the file's creation, such as where the photo was taken, otherwise known as EXIF data.
5. Residual data: Residual data is deleted or overwritten data that may contain digital evidence if successfully recovered. Since it's not typically visible through a file browser, it's classified as an invisible data type.

Q3. What Kind of Challenges are Faced By Digital Evidence Explain? (P4 - Appeared 1 Time) (5-10 Marks)
Ans: Challenges faced by digital evidence are:
1. Explosion of complexity: Evidence is no longer confined within a single host but, rather, is scattered among different physical or virtual locations, such as online social networks, cloud resources, and personal network-attached storage units. For this reason, more expertise, tools, and time are needed to completely and correctly reconstruct evidence. Partially automating some tasks has been highly criticized by the digital investigation community, because it could quickly deteriorate the quality of the investigation.
2. Development of standards: Despite technological advances, files are still the most popular digital artifacts to be collected, categorized, and analyzed. Thus, the research community has tried to agree on standard formats, digital schema, and ontologies, but without much success. Investigations of cutting-edge cyber crimes might also require processing information in a collaborative manner or using outsourced storage and computation. Therefore, a core step for the digital forensics community will be the development of proper standard formats and abstractions.
3. Privacy-preserving investigations: Nowadays, people bring into cyberspace many aspects of their lives, primarily through online social networks or social media sites. Unfortunately, collecting information to reconstruct and locate an attack can severely violate users' privacy and is linked to other hurdles when cloud computing is involved.
4. Legitimacy: Modern infrastructures are becoming complex and virtualized, often shifting their complexity to the border (such as in fog computing) or delegating some duties to third parties (such as in platform-as-a-service frameworks). Thus, an important challenge for modern digital forensics will be executing investigations legally, for instance, without violating laws in borderless scenarios.
5. Rise of anti-forensics techniques: Defensive measures encompass encryption, obfuscation, and cloaking techniques, including information hiding. Cooperation among international jurisdictions notwithstanding, investigating cybercrime and collecting evidence is essential in building airtight cases for law enforcement. For that, security experts need the best tools to investigate. Digital forensics is fundamental to investigations performed in a reality that's often tightly coupled with its cyber extension. Modern digital societies are subject to cybercriminal activities and fraud leading to economic losses or hazards for individuals. Therefore, the new wave of forensics tools should be engineered to support heterogeneous investigations, preserve privacy, and offer scalability.

Q4. What Are The Criteria for Admissibility of Evidence? (P4 - Appeared

Q5. What Are Some Of The Challenges in Evidence Handling? (P4 - Appeared 1 Time) (5-10 Marks)
Ans: While responding to a computer security incident, a failure to adequately document is one of the most common mistakes made by computer security professionals. The challenges faced in evidence handling must be properly understood by all investigators, who should also understand how to meet these challenges.
● Authentication of evidence: The laws of many state jurisdictions define data as "written works" and "record keeping". Before introducing them as evidence, documents and recorded materials must be authenticated. In other words, to offer a piece of evidence in testimony, it is necessary to have the evidence authenticated by a witness who has personal knowledge of its origin.
Q6. What Are The Components of Chain of Custody? (P4 - Appeared 1 Time) (5-10 Marks)
Ans: Components of Chain of Custody:
1. Data collection: After an incident, the chain of custody starts from the collection of evidence and its state. Each acquired piece of evidence is to be labeled with its source, the time of its collection, where it is stored, and who has access to it. All of this is documented to preserve the integrity of the evidence.
2. Examination: The examination of the captured evidence carried out by the digital forensics team is then documented precisely. This includes taking notes of the complete process, who examined it, and the evidence uncovered.
3. Analysis: The collected evidence is then transferred for analysis, and again, each step of the analysis is recorded. Analysts use digital forensics tools to reconstruct the background of the evidence and draw unbiased conclusions, which are documented.
4. Reporting: The final stage is to report the findings to the court in a professional digital forensics report, following standards set by organizations such as the National Institute of Standards and Technology (NIST). The report covers key aspects of the chain of custody, which include: the tools used to collect and process the evidence, the chain of custody statement, a list of the data sources, identified issues and vulnerabilities, and the next possible steps to take. All of this adds to the authenticity and viability of the evidence and makes it presentable to the court.

Q7. What Are The Digital Forensics Examination Process? Explain Process Of Seizure.
Ans: The Digital Forensics Examination Process includes:
1. Identification: It is the first step in the forensic process. The identification process mainly includes things like what evidence is present, where it is stored, and lastly, how it is stored (in which format). Electronic storage media can be personal computers, mobile phones, PDAs, etc.
2. Preservation: In this phase, data is isolated, secured, and preserved. It includes preventing people from using the digital device so that digital evidence is not tampered with.
3. Analysis: In this step, investigation agents reconstruct fragments of data and draw conclusions based on the evidence found. However, it might take numerous iterations of examination to support a specific crime theory.
4. Documentation: In this process, a record of all the visible data must be created. It helps in recreating the crime scene and reviewing it. It involves proper documentation of the crime scene along with photographing, sketching, and crime-scene mapping.
5. Presentation: In this last step, the process of summarization and explanation of conclusions is done. However, it should be written in layperson's terms using abstracted terminologies. All abstracted terminologies should reference the specific details.
● Seizure: Prior to actual examination, the digital media is seized. In criminal cases, this will be performed by law enforcement personnel to preserve the chain of custody. The seizure process includes:
1. Calculating the hash value of the suspect storage media.
2. Creating digital fingerprints of the same at a system on chip (SoC).
3. Calculating the hash value of the forensic image as well.
Q8. What Are some issues that should be considered in Acquiring Digital Evidence from the Cloud?
Ans: Issues in acquiring digital evidence: there are many issues that arise in acquiring digital evidence from the cloud.
• Identify the target: This is the biggest issue in acquiring digital evidence from cloud computing. In a cloud computing environment it is difficult to identify the target, that is, where the evidence will be present.
• Jurisdiction problem: Suppose that the target has been identified and that the resources exist outside the country. How can you investigate in the other country, given that every country has its own jurisdiction? So jurisdiction is the biggest issue in acquiring digital evidence from cloud computing.
• Collecting the evidence: When we talk about the collection of evidence from the cloud, there is no specific single source for collecting the evidence.
• Legality of evidence: Digital evidence always comes under doubt as to whether it is legal, so the legality of digital evidence most of the time comes under challenge in the court of law.
• Chain of custody: Another issue is chain of custody; in digital forensics the concept of chain of custody is important. Who will be holding the evidence and who will be doing the analysis? In this concept the responsibilities also differ from level to level. Here a document between the law enforcement agencies consists of the information regarding the client and law enforcement.
• Third party issue: In cloud computing third parties are involved, and they work as service providers. If investigators find that third-party resources are involved in the crime, then investigators take permission to collect the data. If the third parties are located outside, that is, in another country, then investigators again face problems in the investigation process.
• Privacy: When we talk about data and information, privacy also comes with it. If we look at the definition of privacy, there is no clear definition of privacy; privacy differs from person to person.

Q9. Why Is Forensic Duplication Necessary? (P4 - Appeared 1 Time)
Ans: A forensic duplicate is a file containing every bit of information obtained from the source in a raw bitstream format. The data is stored as it is from the hard drive to the forensic duplicate device.
● This file does not contain any extra data other than an error message while reading the content from the original. After the duplication process, forensic duplicates can be compressed.
● In all cases, the computer/media is the main "crime scene". It is important that this crime scene is protected because once the digital evidence is contaminated it cannot be decontaminated.
● The investigator should take care not to change the digital evidence during any step of the investigation. As most media are "magnetic based" and the data is volatile, examining a live file system changes the state of the evidence.
● Hence, the importance of forensic duplication can be summarized as:
1. Working from a duplicate image provides the following features:
a. Preserves the original digital evidence.
b. Prevents inadvertent alteration of original digital evidence during examination.
c. Allows recreation of the duplicate image, if necessary.
2. Digital evidence can be duplicated with no degradation from copy to copy: This is not the case with most other forms of evidence.
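The seizure steps in Q7 (hash the media, image it, hash the image), the custody labels in Q6 and the duplication argument in Q9, combined into one runnable Python example. This is added illustration, not code from these notes; the media bytes, the examiner and locker labels and the bad-sector simulation are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample "suspect media": a byte string standing in for a raw
# block device. A real acquisition reads the device itself, write-blocked.
SUSPECT_MEDIA = bytes(range(256)) * 16 + b"fragment-of-deleted-mail\x00" * 4
SECTOR = 512


def make_reader(data, bad_offsets=()):
    """Return a read_chunk(offset, size) callable over `data`. Sectors whose
    offset is listed in `bad_offsets` raise OSError, mimicking unreadable media."""
    def read_chunk(offset, size):
        if offset in bad_offsets:
            raise OSError(f"I/O error reading sector at offset {offset}")
        return data[offset:offset + size]
    return read_chunk


def duplicate_media(read_chunk, total_size, chunk_size=SECTOR):
    """Produce a raw bitstream duplicate, sector by sector. An unreadable
    sector is zero-filled and the error recorded, so the image holds nothing
    but source bytes plus the read-error notes (never fabricated content)."""
    image = bytearray()
    errors = []
    for offset in range(0, total_size, chunk_size):
        size = min(chunk_size, total_size - offset)
        try:
            chunk = read_chunk(offset, size)
        except OSError as exc:
            chunk = b"\x00" * size
            errors.append({"offset": offset, "length": size, "error": str(exc)})
        image += chunk
    return bytes(image), errors


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def custody_record(source_label, source_sha256, image, errors,
                   collected_by, stored_at, when):
    """Chain-of-custody entry for one acquisition: source, collection time,
    custodian, storage location, and the two hashes that let anyone re-verify
    the image later. `verified` is True only for a clean, bit-identical image."""
    image_sha256 = sha256_hex(image)
    return {
        "source": source_label,
        "collected_at": when.isoformat(),
        "collected_by": collected_by,
        "stored_at": stored_at,
        "source_sha256": source_sha256,
        "image_sha256": image_sha256,
        "read_errors": errors,
        "verified": source_sha256 == image_sha256 and not errors,
    }


def verify_image(image, record):
    """Re-hash an image against its custody record, e.g. before each analysis
    session, to show the working copy is still what was acquired."""
    return sha256_hex(image) == record["image_sha256"]


def acquire(data, bad_offsets=(), collected_by="examiner-1",
            stored_at="evidence locker A", when=None):
    """Full seizure sequence: hash the suspect media, image it, hash the
    image, and write the custody record. Labels are constructed placeholders."""
    when = when or datetime.now(timezone.utc)
    source_sha256 = sha256_hex(data)
    image, errors = duplicate_media(make_reader(data, bad_offsets), len(data))
    record = custody_record("constructed disk CD-001", source_sha256, image,
                            errors, collected_by, stored_at, when)
    return image, record


if __name__ == "__main__":
    img, rec = acquire(SUSPECT_MEDIA)
    print(json.dumps(rec, indent=2))
```

Imaging the image again yields the same hash, which is the "no degradation from copy to copy" point of Q9.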
Ans: A computer worm is a standalone malware program that duplicates itself so that it can spread to other computers. Often, it uses a computer network to spread, relying on security failures on the target computer to access it. Unlike a computer virus, it does not need to attach itself to an existing program.
● Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, while viruses almost always corrupt or modify files on a targeted computer.
● Many worms that have been created are intended only to spread, and do not attempt to alter the systems they pass through.
● However, as the Morris worm and Mydoom showed, even these "payload free" worms can cause significant disruption by increasing network traffic and other unintended effects.
● A "payload" is code in the worm designed to do more than spread the worm: it might delete files on a host system (e.g., the ExploreZip worm), encrypt files in a cryptoviral extortion attack, or send documents via email.
● A very common payload for worms is to install a backdoor on the infected computer to permit the creation of a "zombie" PC under the control of the worm's creator.
● Networks of such machines are commonly known as botnets and are very often used by spammers for sending junk email or to hide their website's address.
● Spammers are therefore thought to be a source of financial support for the creation of such worms, and worm writers have been caught selling lists of IP addresses of infected machines. Others try to blackmail companies with threatened DoS attacks.

● The event logs.
● The printer spool.
● The registry, which you should think of as an enormous log file, etc.

Ans: Malware analysis is a process that requires a few formulated steps. These steps form a pyramid, and the complexity and skill requirements increase as we approach the top of the pyramid. It includes:
1. Fully Automated Analysis
This is one of the easiest and quickest ways to assess suspicious files. This type of analysis is used to determine the potential effects of the malware if it were to infiltrate the network and run. It also produces a detailed, easy-to-read report for the security team regarding the file's activity, network traffic, and registry keys. Fully automated analysis is considered the best way to sift through large quantities of malware on network infrastructure.
TOOLS:
Cuckoo Sandbox is an open-source automated malware analysis platform used to perform fully automated analysis. It can also be adjusted to run custom scripts and generate comprehensive reports. Another tool that can be used for fully automated analysis is Malheur, which is used to analyze the data collected by behavioral sandboxes.
2. Static Properties Analysis
This is done to get a deeper look at the malware. The static properties of malware are examined, such as header details, metadata, malware code, hashes, and embedded resources. All this data is required to create IOCs and can be easily collected, as malware execution is not required to capture the static properties. The insights gathered during static properties analysis assist in deciding whether a deeper investigation with more comprehensive techniques is required and help determine further steps.
TOOLS:
PeStudio is a tool used to automate static properties analysis; it flags suspicious artifacts within executable files and displays file hashes that can be searched on malware repositories like TotalHash or VirusTotal to analyze the malware further. It can also be used to examine libraries, embedded strings, imports, or other IOCs.
IDA Pro is one of the best and most popular reverse engineering tools and is an interactive disassembler with a built-in command language that supports various executable formats as well as processors and operating systems. It has many plugins that extend the disassembler's functionality, like Hex-Rays Decompiler, Lighthouse, ClassInformer, BinDiff, and IDA-Function-Tagger.
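An added Python illustration (not from these notes, and not PeStudio's or IDA's code) of the static properties listed above: file hashes, PE header details, the section table and embedded strings pulled from a constructed PE-shaped blob, with a small watchlist of strings worth a second look. The sample bytes and the watchlist are assumptions made for the demonstration; the header field layout and the machine and characteristics constants are the documented PE/COFF ones.

```python
import hashlib
import re
import struct
from datetime import datetime, timezone

MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000
# Strings an analyst would look at twice; a hit is a lead, not a verdict.
WATCHLIST = ("http://", "https://", "CreateRemoteThread", "WriteProcessMemory",
             "VirtualAllocEx", "cmd.exe", "powershell")


def file_hashes(data):
    """MD5/SHA1/SHA256, the identifiers used to search malware repositories."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def parse_pe_header(data):
    """Read the DOS header, PE signature, COFF file header and section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    machine, n_sections, timestamp, _, _, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(n_sections):
        name, vsize, vaddr, raw_size, raw_ptr = \
            struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": raw_size, "raw_offset": raw_ptr})
    return {"machine": MACHINES.get(machine, hex(machine)),
            "compile_time": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
            "is_dll": bool(characteristics & IMAGE_FILE_DLL),
            "sections": sections}


def extract_strings(data, min_len=5):
    """Printable ASCII runs: the 'embedded strings' of static analysis."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def static_properties(data):
    """Everything collectable without running the sample."""
    strings = extract_strings(data)
    return {"hashes": file_hashes(data),
            "header": parse_pe_header(data),
            "strings": strings,
            "flagged": [s for s in strings
                        if any(w.lower() in s.lower() for w in WATCHLIST)]}


def build_sample_pe():
    """Constructed minimal PE-shaped blob (DOS header, COFF header, one section
    header, a few strings). It is header bytes to parse, not a runnable program."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    # x64, 1 section, timestamp 1700000000, no optional header, EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 1700000000, 0, 0, 0, 0x0002 | 0x0020)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x100, 0x200,
                          0, 0, 0, 0, 0x60000020)
    body = b"kernel32.dll\x00CreateRemoteThread\x00http://example.invalid/update\x00"
    return (dos + b"PE\x00\x00" + coff + section).ljust(0x200, b"\x00") + body


if __name__ == "__main__":
    import json
    print(json.dumps(static_properties(build_sample_pe()), indent=2))
```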
Q2. Explain File Recovery in Digital Forensics. (P4 - Appeared 1 Time) (5-10 Marks)
Ans: File recovery is a process that involves retrieving inaccessible data files from damaged or corrupted storage systems or media.
● Recovery of data, whether it is a whole file or some part of it, is becoming increasingly important as people's dependence on technology grows.
● File recovery is an essential service and an integral part of digital forensics, since a recovered file can be a great clue with respect to a forensic search.
● As a file contains a lot of collected data, it is easy to find incident information in it.
● As a file also contains its date of creation and information about its authors and editors, the forensic team can get a lot of help in their research.
● Aside from failures or mistakes, ransomware, a malware program that often leads to unpaid ransoms, or paid ransoms with no recovery, is becoming more prevalent and is targeting hospital systems for their secure data. In these cases, data backups are critical to recovering data.

Q3. What Is The Windows Recycle Bin Forensics?
Ans: An icon on the Windows desktop represents a directory in which deleted files are temporarily stored. This enables you to retrieve files that you may have accidentally deleted. From time to time, you'll want to purge the recycle bin to free up space on your hard disk.
● You can also configure Windows so that it doesn't use the recycle bin at all, but then you won't be able to retrieve accidentally deleted files.
● When a file is deleted in the Microsoft Windows operating system, it is not deleted permanently; it is stored in the recycle bin. If a user wants to restore the deleted file from the recycle bin, it can be done.
● If the user holds the Shift key at the time of deleting a file, then the file will be deleted permanently without being stored in the recycle bin.
● Otherwise, the file is moved to a hidden system folder where it is renamed and stored until further instructions are given as to what is to happen to the file.
● From the forensic point of view, the recycle bin is a gold mine for gathering evidence, clues, etc. By analyzing the recycle bin, we can recover useful data.
● To understand how the information files are structured and how the naming convention works, there must first be an understanding of how the recycle bin works.
● When a user "deletes" a file in Windows, the file itself is not actually deleted. The file at this point is copied into the recycle bin's system folder, where it is held until the user gives further instructions on what to do with the file.
● This location varies, depending on the version of Windows the user is running.
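An added Python example (not from these notes) of the recycle bin internals Q3 refers to: the $I metadata record layout as I understand it for Windows Vista through 8.1 (version 1) and Windows 10 onward (version 2), the FILETIME conversion, and the $I/$R file-name pairing. The sample bin contents, ids and paths are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    # Integer arithmetic on timedeltas avoids float rounding on ~1e17 ticks.
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_i_file(data):
    """Parse one $I metadata record. Layout assumed here:
    version 1 (Vista to 8.1): u64 version=1, u64 original size, u64 FILETIME of
      deletion, then a 520-byte UTF-16LE original path, null padded;
    version 2 (Windows 10 and later): same first 24 bytes, then u32 path length
      in UTF-16 code units (terminator included) and the path itself."""
    if len(data) < 28:
        raise ValueError("$I record too short")
    version, size, ticks = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        n_chars = struct.unpack_from("<I", data, 24)[0]
        raw = data[28:28 + 2 * n_chars]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", "replace").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(ticks).isoformat(),
            "original_path": path}


def analyze_recycle_bin(files):
    """`files` maps names inside a user's $Recycle.Bin SID folder to their bytes.
    Each $I<id>.<ext> record is parsed and paired with the $R<id>.<ext> file that
    holds the content; a missing $R means the content is gone but the metadata
    (original name, size, deletion time) still survives."""
    entries = []
    for name, data in sorted(files.items()):
        if not name.startswith("$I"):
            continue
        entry = parse_i_file(data)
        partner = "$R" + name[2:]
        entry["info_file"] = name
        entry["content_file"] = partner if partner in files else None
        entries.append(entry)
    return entries


def build_i_file(version, size, deleted_at, path):
    """Constructed $I record, used for the sample bin below."""
    encoded = (path + "\x00").encode("utf-16-le")
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    if version == 1:
        return head + encoded.ljust(520, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + encoded


# Constructed sample bin: one Windows 10 entry with its $R file still present,
# and one Vista-era entry whose $R content file has already been purged.
SAMPLE_BIN = {
    "$IQ7K2M1.docx": build_i_file(2, 48_213,
                                  datetime(2024, 3, 5, 10, 20, 30, tzinfo=timezone.utc),
                                  r"C:\Users\alice\Documents\offer-letter.docx"),
    "$RQ7K2M1.docx": b"PK\x03\x04constructed-docx-bytes",
    "$I3ZB9XY.txt": build_i_file(1, 1_024,
                                 datetime(2013, 8, 1, 9, 0, 0, tzinfo=timezone.utc),
                                 r"C:\Users\alice\Desktop\notes.txt"),
}

if __name__ == "__main__":
    for entry in analyze_recycle_bin(SAMPLE_BIN):
        print(entry)
```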
5. NMAP: This is the most popular tool that is used to find open ports on the target machine. Using this tool you can find the vulnerabilities of a target.
6. Network Miner: This tool is used as a passive network sniffer to capture or to detect the operating systems, ports, sessions, hostnames, etc.
7. Autopsy: This is the GUI based tool that is used to analyze hard disks and smartphones.
8. Forensic Investigator: This is a Splunk toolkit which is used in HEX conversion, Base64 conversion, metascan lookups, and many more other features that are essential in forensic analysis.
9. HashMyFiles: This tool is used to calculate the SHA1 and MD5 hashes. It works on all the latest websites.
10. FAW (Forensic Acquisition of Websites): This tool is used to acquire web pages (image, HTML, and source code of the web page). This tool can be integrated with Wireshark.

Ans: For decoding and exporting Cortana data, four custom Python scripts have been developed to aid forensic investigations.
● A GUI tool has been introduced to extract and list Cortana web searches.
● The forensic usefulness of Cortana artifacts is demonstrated in terms of a timeline constructed over a period of time.
● Cortana, one of the new features introduced by Microsoft in Windows 10 desktop operating systems, is a voice activated personal digital assistant that can be used for searching on the device or the web, setting up reminders, tracking users' upcoming flights, getting news tailored to users' interests, sending texts and emails, and more.
● The platform being relatively new, the forensic examination of Cortana has been largely unexplored in the literature.
● A GUI tool called CortanaDigger is developed for extracting and listing web search strings, as well as timestamps of searches made by a user in the Cortana box.
● Several experiments are conducted to track reminders (based on time, place, and person) and detect anti-forensic attempts like evidence modification and evidence destruction carried out on Cortana artifacts.

Q11. Define Reviewing Pertinent Logs In Terms Of Forensics? (P4 - Appeared 1 Time) (5-10 Marks)
Ans: The system log, application log, and security log are the three files that the Windows NT, 2000, and XP operating systems maintain. You will be able to obtain the following information by reviewing these logs:
1. Determine which users have been accessing specific files.
2. Determine who has been successfully logging on to a system.
3. Determine who has been trying unsuccessfully to log on to a system.
4. Track usage of specific applications.
5. Track alterations to the audit policy.
The System log records system processes and device driver activities. Device drivers that fail to start properly, hardware failures, duplicate IP addresses, and the starting, pausing, and stopping of services are audited by Windows as system events. The Application log is populated by activities related to user programs and commercial off-the-shelf applications.
Application events that are audited by Windows include any errors or information that an application wants to report. The number of failed log-ons, amount of disk usage, and other important metrics can also be included in the Application log. In the Security log, we find system auditing and the security processes used by Windows. Security events audited by Windows include changes in user privileges, changes in the audit policy, file and directory access, printer activity, and system logons and logoffs.
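The five review questions in Q11 map onto specific Security log event IDs. As an added example (not from the original notes), the block below answers them over a constructed CSV export of Security log records and flags the one sequence an examiner reads the log for first: repeated failed logons followed by a success and then an audit-policy change. The event IDs used (4624 successful logon, 4625 failed logon, 4663 object access, 4688 process creation, 4719 audit policy change) are the Vista-and-later numbering rather than the NT/2000/XP numbering the text refers to; the CSV layout and every row in it are constructed sample data.

```python
import csv
import io
from collections import Counter, defaultdict

# Security log event IDs (Vista and later numbering) for the questions the answer lists.
EVENT_LOGON_SUCCESS = 4624
EVENT_LOGON_FAILURE = 4625
EVENT_OBJECT_ACCESS = 4663      # file/directory access (needs object-access auditing + SACL)
EVENT_AUDIT_POLICY_CHANGE = 4719
EVENT_PROCESS_CREATE = 4688     # process creation, used here as "application usage"

# Constructed sample export (not a real log): one row per event, in the shape
# a CSV export of the Security log might take after selecting a few columns.
SAMPLE_LOG = """\
time,log,event_id,user,source_ip,object
2024-05-01T08:01:12Z,Security,4624,alice,10.0.0.5,
2024-05-01T08:03:40Z,Security,4663,alice,,C:\\Finance\\payroll.xlsx
2024-05-01T08:05:02Z,Security,4688,alice,,C:\\Program Files\\Excel\\EXCEL.EXE
2024-05-01T09:10:00Z,Security,4625,bob,203.0.113.9,
2024-05-01T09:10:03Z,Security,4625,bob,203.0.113.9,
2024-05-01T09:10:07Z,Security,4625,bob,203.0.113.9,
2024-05-01T09:10:11Z,Security,4625,bob,203.0.113.9,
2024-05-01T09:10:15Z,Security,4625,bob,203.0.113.9,
2024-05-01T09:10:20Z,Security,4624,bob,203.0.113.9,
2024-05-01T09:12:00Z,Security,4719,bob,,Audit Policy Change
2024-05-01T09:15:30Z,Security,4663,bob,,C:\\Finance\\payroll.xlsx
2024-05-01T11:00:00Z,Security,4688,carol,,C:\\Windows\\System32\\cmd.exe
"""


def load_events(text):
    """Parse the CSV export into a list of dicts with event_id as an int."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["event_id"] = int(row["event_id"])
        events.append(row)
    return events


def review_security_log(events):
    """Answer the five review questions from the text over the event list."""
    file_access = defaultdict(set)        # user -> files accessed
    logon_success = Counter()             # user -> successful logons
    logon_failure = Counter()             # (user, source_ip) -> failed attempts
    app_usage = Counter()                 # (user, program) -> launches
    audit_changes = []                    # who changed the audit policy, and when
    for ev in events:
        eid = ev["event_id"]
        if eid == EVENT_OBJECT_ACCESS:
            file_access[ev["user"]].add(ev["object"])
        elif eid == EVENT_LOGON_SUCCESS:
            logon_success[ev["user"]] += 1
        elif eid == EVENT_LOGON_FAILURE:
            logon_failure[(ev["user"], ev["source_ip"])] += 1
        elif eid == EVENT_PROCESS_CREATE:
            app_usage[(ev["user"], ev["object"])] += 1
        elif eid == EVENT_AUDIT_POLICY_CHANGE:
            audit_changes.append((ev["time"], ev["user"]))
    return {
        "file_access": {u: sorted(f) for u, f in file_access.items()},
        "logon_success": dict(logon_success),
        "logon_failure": dict(logon_failure),
        "app_usage": dict(app_usage),
        "audit_policy_changes": audit_changes,
    }


def suspicious_sequences(events, failure_threshold=5):
    """Flag accounts whose failures reached the threshold and then succeeded,
    and any audit-policy change made by such an account afterwards."""
    failures = Counter()
    suspect = set()
    findings = []
    for ev in events:  # assumes time order, which an export normally preserves
        eid, user = ev["event_id"], ev["user"]
        if eid == EVENT_LOGON_FAILURE:
            failures[user] += 1
        elif eid == EVENT_LOGON_SUCCESS and failures[user] >= failure_threshold:
            suspect.add(user)
            findings.append(("logon_after_failures", user, failures[user], ev["time"]))
        elif eid == EVENT_AUDIT_POLICY_CHANGE and user in suspect:
            findings.append(("audit_policy_change_after_suspect_logon", user, 0, ev["time"]))
    return findings


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    for key, value in review_security_log(evs).items():
        print(key, value)
    for finding in suspicious_sequences(evs):
        print("FINDING:", finding)
```

File-access (4663) and process-creation (4688) events only exist when the corresponding audit subcategories are enabled and, for files, when the object carries a SACL; an audit-policy change (4719) by an account that had just survived a run of failed logons is exactly the kind of gap an attacker would open, which is why the second function pairs the two.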
Q12. How Will You Perform Keyword Searches?
Ans: Keyword research refers to the process of discovering what search terms your target audience is entering in search engines to find businesses and websites like yours, and optimizing your content so you appear in the search engine results.
How to do Keyword Research:
1. How To Find Keyword Ideas :-
The first stage of keyword research is to brainstorm ideas for seed keywords, and there are several ways to do this.
● Your Target Audience : Everything starts with your audience and what they want. Think about their needs, wants, and especially their pain points and problems. Start to compile your wide list of words, ideas, and topics that surround your niche or business.
● Think About Questions : Question-based keyword queries are valuable as they can help you to capture featured snippets and can be a way to jump rank on highly competitive keywords.
2. How To Analyze Keywords :-
Once you have your raw list, it's time to start to analyze and sort by value and opportunity.
● Search Volume: Search volume will tell you if anyone is actively searching for this term. For a first-stage strategy, you should aim for keywords with a mid-range and long-tail volume for quick wins and then build up to approach more competitive terms with higher volumes. Head keywords with super high volumes (like 'iPhone') are not the best keywords to focus on as they can be too ambiguous and rarely have a specific intent. Also, the amount of work that is needed to rank can be too high a barrier for entry unless you have an established domain of significant authority.
● Search Intent : After you have sorted your raw lists by search volumes, it's then time to review the intent for each keyword that you would like to target.
● Topic Clusters : Grouping keywords into topic clusters is an advanced keyword strategy that can help to strengthen the topic authority of a site. To do this, you would start with a high-volume head keyword and then research a series of keywords that support that head term. After creating pages of content that target each keyword, you use internal linking to connect pages with the same topic.
3. How To Choose Organic Keywords :-
After sorting the volumes, intent, and topics, you will need to decide if you have a chance of ranking on a term by looking at how much competition there is for each keyword.
● Keyword Difficulty: Keyword difficulty is one of the most important keyword metrics when doing your research. If a keyword is so competitive that you need hundreds of thousands of dollars to rank, then you need to get strategic. The easiest way to calculate keyword difficulty is to use a research tool that gives a score for each keyword.
● Connecting To Your Objectives And Goals : Unless a keyword can actually deliver a result for you, do you want to target it? As we said above, targeting head terms is not the best strategy as they will, at best, deliver browsing or drive-by visitors. Unless you are a big brand with a big budget that is aiming for brand awareness, this is not the best application of your resources and budget. Choosing your keyword priority should start with what can give you the best return in the shortest time frame.
Q13. What Is File Analysis In Digital Forensics? (P4 - Appeared 1 Time) (5-10 Marks)
Ans: Forensic analysis deals with files on media: deleted files, files in folders, files in other files, all stored on or in some container. The goal of media analysis is to identify, extract, and analyze these files and the file systems they lie upon.
● Analysis is the process in which one applies intelligence to the data set and ideally comes up with meaningful results.
● It focuses primarily on the concepts behind identifying and extracting file system artifacts and information about files.
● A file system abstraction model is used to describe the functions of file systems and the artifacts generated by these functions. Timeline analysis is quite useful when performed properly.
● In addition to file systems in volumes on physical media, one has to deal with file systems in other containers.
● One example is the Macintosh-specific DMG container, and two major containers that one is likely to encounter are Virtual Machine Disk Images and Forensic Containers.
● Container formats geared toward forensic imaging have some functionality above and beyond a raw disk image.
● This can include things such as internal consistency checking, case information management, compression, and encryption.
● A good forensic imaging process generates an exact duplicate of the source media under investigation.

Q14. Explain Identifying Unauthorized User Accounts or Groups in Identifying Rogue Processes.
Ans: Rogue devices are just plain malicious by nature. They exist for the sole purpose of stealing sensitive information like credit card numbers, passwords, and more.
● They harm your network and, in the process, can harm your company's reputation. In rare cases, rogue devices can even permanently damage systems, if there is no rogue device detection tool in your company.
● Wireless networks are inherently less secure than wired networks. With traditional (non-wireless) networks, data flows over physical and continuously monitored circuits.
● On the other hand, in wireless networks, data is transmitted using radio signals. Because your IP network is designed to provide distributed access, it's porous and intended to be accessible by many types of devices.
● Therefore the objective of IT administrators should be to limit access to only authorized devices. Controlling which devices can connect to your network is crucial for ensuring the privacy and integrity of corporate assets and data.
● For rogue network device detection, a network must have at least three things:
1. Periodic scanning: One popular method of preventing rogue devices from having unrestricted access to your network is to scan your office for wireless devices on a daily, weekly, or monthly basis.
2. Continuous monitoring: If you periodically scan your office, you will probably find many wireless devices that belong to your company, your neighbors, and your guests. Every time a scan is done, new sets of devices will be found. Continuously monitoring your network allows you to maintain a list of known devices so that you can tell when a new one shows up.
3. Immediate alerting: If a new device is discovered in your network or the status of a device changes suddenly, an IT engineer needs to be informed immediately. This is why you need a comprehensive alerting system in your network, especially if it contains a large number of devices.
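The three requirements in Q14 (periodic scanning, continuous monitoring against a list of known devices, immediate alerting) fit together as one loop. The block below is an added example, not part of the original notes: it compares a new scan against both the authorized inventory and the previous scan, classifies each difference, decides which alerts should page an engineer, and rolls the baseline forward. The inventory, both scans and all MAC/IP values are constructed sample data; how the scan results are obtained (a wireless survey, ARP/DHCP data, a switch's MAC table) is outside the example.

```python
from datetime import datetime, timezone

# Authorized inventory: MAC -> description. Constructed sample, not real data.
KNOWN_DEVICES = {
    "00:11:22:33:44:01": "Finance printer",
    "00:11:22:33:44:02": "alice-laptop",
    "00:11:22:33:44:03": "bob-laptop",
    "00:11:22:33:44:04": "Guest AP (IT managed)",
}

# Two constructed scans: each maps MAC -> (IP, kind). The first is yesterday's
# baseline; the second is today's, with one unknown host and a changed IP.
SCAN_BASELINE = {
    "00:11:22:33:44:01": ("10.0.1.10", "printer"),
    "00:11:22:33:44:02": ("10.0.1.21", "laptop"),
    "00:11:22:33:44:03": ("10.0.1.22", "laptop"),
    "00:11:22:33:44:04": ("10.0.1.2", "access-point"),
}
SCAN_TODAY = {
    "00:11:22:33:44:01": ("10.0.1.10", "printer"),
    "00:11:22:33:44:02": ("10.0.1.21", "laptop"),
    "00:11:22:33:44:03": ("10.0.1.99", "laptop"),        # IP changed since baseline
    "00:11:22:33:44:04": ("10.0.1.2", "access-point"),
    "de:ad:be:ef:00:01": ("10.0.1.50", "access-point"),  # not in the inventory
}


def compare_scans(known, previous, current):
    """Classify every difference between two scans against the inventory.

    Returns a list of (severity, alert_type, mac, detail) tuples.
    """
    alerts = []
    for mac, (ip, kind) in current.items():
        if mac not in known:
            # An unknown access point is the worst case: it can bridge the network.
            severity = "high" if kind == "access-point" else "medium"
            alerts.append((severity, "unknown_device", mac, f"{kind} at {ip}"))
        elif mac in previous and previous[mac][0] != ip:
            alerts.append(("low", "address_changed", mac, f"{previous[mac][0]} -> {ip}"))
        elif mac not in previous:
            alerts.append(("info", "known_device_returned", mac, f"{known[mac]} at {ip}"))
    for mac in previous:
        if mac not in current:
            alerts.append(("info", "device_missing", mac, known.get(mac, "unknown device")))
    return alerts


def alerts_requiring_page(alerts):
    """The subset that should go straight to an on-call engineer."""
    return [a for a in alerts if a[0] in ("high", "medium")]


def monitor_cycle(known, previous, current, now=None):
    """One continuous-monitoring cycle: diff, decide who to page, roll the baseline.

    Returns (alerts, pages, new_baseline). The new baseline is the current scan,
    so the next cycle compares against what was just seen rather than the first scan.
    """
    now = now or datetime.now(timezone.utc)
    alerts = compare_scans(known, previous, current)
    pages = [(now.isoformat(),) + a for a in alerts_requiring_page(alerts)]
    return alerts, pages, dict(current)


if __name__ == "__main__":
    alerts, pages, baseline = monitor_cycle(KNOWN_DEVICES, SCAN_BASELINE, SCAN_TODAY)
    for alert in alerts:
        print(alert)
    print("pages:", pages)
```

The inventory is keyed on MAC address because that is what a scan returns, but a MAC can be cloned; a low-severity "address_changed" on a known device is therefore worth a look as well, and the unknown device stays on every subsequent cycle until it is either added to the inventory or removed from the network.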
Q15. What Are The Security Risks When Checking for Unauthorized Access Points?
● Active interception
In active interception, a rogue access point can also manipulate your data. It can read the incoming user data, modify the data however it wants, and send the modified user data to the destination endpoint. For example, if a user visits a banking website and tries to deposit money into an account, a rogue access point can redirect the deposit to an attacker's account.

Q16. Define Analyzing Trust Relationships. (P4 - Appeared 1 Time) (5-10 Marks)
Ans: SIM is a removable smart card for mobile phones that stores network specific information used to authenticate and identify subscribers on the network.
1. SIM is the smart card used in GSM and UMTS (as USIM) networks to identify the subscribers. It has integrated secure storage and cryptographic functions.
2. A Subscriber Identity Module is a removable smart card for mobile cellular telephony devices such as mobile computers and mobile phones. SIM cards securely store the service-subscriber key (IMSI) used to identify a GSM subscriber. The SIM card allows users to change phones by simply removing the SIM card from one mobile phone and inserting it into another mobile phone or broadband telephony device.
Ans: The development of our Semantic data Integration Middleware (SIM) is a complex issue since it requires the integration of distributed systems with infrastructures that are not frequently encountered in more traditional centralized systems. The architecture of SIM is composed of four layers: data sources, Schematic Transformation, Syntactic-to-Semantic Transformation, and ontology. The relationships between these layers are illustrated as follows:
● Data Sources (Y): The data sources define the scope of the integration system, thus data source diversity provides a wider integration range and data visibility. SIM can connect to B2B traditional data source formats, such as structured (e.g. relational databases), semi-structured (e.g. XML) and unstructured (e.g. Web pages and plain text files), EDI (Electronic Data Interchange), and Web services. The supported data source types can easily be increased to support other formats.
Q3. Explain Sender Policy Framework (SPF).
Ans: The Sender Policy Framework (SPF) is an email authentication protocol and part of email cybersecurity used to stop phishing attacks.
● It allows your company to specify who is allowed to send email on behalf of your domain. This is useful because in a typical phishing attack, the threat actor spoofs the sender address to look like an official business account or someone the victim may know.
● SPF blocks spammers and other attackers from sending email that appears to be from a legitimate organization. SMTP (Simple Mail Transfer Protocol) does not place any restrictions on the source address for emails, so SPF defines a process for domain owners to identify which IP addresses are authorized to forward email for their domains.
● SPF defines a format for adding a record in the Domain Name System (DNS) that indicates valid email servers. Receiving email servers that get email from an email service under SPF must check the TXT records when they perform a DNS lookup on the inbound email.
● The SPF policy framework is an authentication scheme and a machine-readable language.
● Each participating domain declares attributes that uniquely describe its mail, including authorized senders. This description is represented in an SPF record, which is published in DNS records.
● An SPF client program performs a query searching for the correct SPF record, in order to determine whether a message comes from an authorized source.
● There are seven possible query results, including pass, which means that the message meets the domain's definition for legitimate messages; fail, which means that a message does not meet that requirement; and further stipulations for mail that doesn't fit either category, such as messages from domains that do not publish SPF data.
● SPF and other authentication-based measures are designed to redress a vulnerability in SMTP, the main protocol used in sending email, which does not include an authentication mechanism.

Q4. Define DomainKeys Identified Mail (DKIM).
Ans: DKIM (DomainKeys Identified Mail) is an email authentication technique that allows the receiver to check that an email was indeed sent and authorized by the owner of that domain.
● This is done by giving the email a digital signature. This DKIM signature is a header that is added to the message and is secured with encryption.
● Once the receiver (or receiving system) determines that an email is signed with a valid DKIM signature, it's certain that parts of the email, among which the message body and attachments, haven't been modified.
● Usually, DKIM signatures are not visible to end-users; the validation is done at the server level.
● Implementing the DKIM standard will improve email deliverability. If you use the DKIM record together with DMARC (and even SPF) you can also protect your domain against malicious emails sent on behalf of your domains.
● Though, in practice these goals are achieved more effectively if you use the DKIM record together with DMARC (and even SPF).
● DMARC and DMARC Analyzer use both SPF and DKIM. Together they provide synergy and the best result for email security and deliverability.
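The "SPF client program" that Q3 describes evaluates the sending IP against the mechanisms in the domain's TXT record, left to right, and returns one of the seven results (none, neutral, pass, fail, softfail, temperror, permerror). As an added example (not code from the notes), the block below implements that evaluation offline: the `dns_txt` dictionary stands in for live DNS TXT lookups, and the records in it are constructed samples. Only the `ip4`, `ip6`, `include` and `all` mechanisms are handled; `a`, `mx`, `ptr`, `exists` and `redirect=` need further DNS queries and are reported as permerror here, which a production resolver (for example one built on dnspython) would instead resolve.

```python
import ipaddress

# Qualifier prefixes map a matching mechanism to an SPF result.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample zone: domain -> TXT record, standing in for DNS.
SAMPLE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.7 ~all",
    "softfail.example": "v=spf1 ip4:203.0.113.5 ~all",
    "broken.example": "v=spf1 include:missing.example -all",
}


def evaluate_spf(ip, domain, dns_txt, depth=0):
    """Return the SPF result for sending address `ip` claiming `domain`.

    `dns_txt` maps a domain name to its SPF TXT record; a missing entry means
    the domain publishes no SPF data. `depth` bounds include: recursion so a
    looping record cannot make the evaluator spin.
    """
    if depth > 10:
        return "permerror"
    record = dns_txt.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "permerror"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            sub = evaluate_spf(ip, arg, dns_txt, depth + 1)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"
            if sub == "temperror":
                return "temperror"
            # fail, softfail or neutral from the included record: not a match, keep going
        else:
            # a, mx, ptr, exists and redirect= need live DNS; not supported offline
            return "permerror"
    return "neutral"  # reached the end of the record without matching anything


if __name__ == "__main__":
    for ip, domain in [("192.0.2.10", "example.com"), ("198.51.100.7", "example.com"),
                       ("203.0.113.9", "example.com"), ("203.0.113.9", "no-record.example")]:
        print(f"{ip:>15} {domain:<20} {evaluate_spf(ip, domain, SAMPLE_DNS)}")
```

Two points worth noticing in the sample zone: the include of mail.example.net makes 198.51.100.7 pass for example.com even though it is not listed there directly, and a record that includes a domain with no SPF data is a permerror, not a fail, so a typo in an include: term silently weakens the policy for every receiver.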
Q5. What is Domain based Message Authentication Reporting and Confirmation (DMARC)?
Ans: DMARC operates by checking that the domain in the message's From: field (also called "RFC5322") is "aligned" with other authenticated domain names. If either the SPF or the DKIM alignment check passes, then the DMARC alignment test passes.
● Alignment may be specified as strict or relaxed. For strict alignment, the domain names must be identical. For relaxed alignment, the top-level "Organizational Domain" must match.
● A DMARC policy allows a sender's domain to indicate that their email messages are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes, such as to reject the message or quarantine it.
● Like SPF and DKIM, DMARC uses the concept of a domain owner, the entity or entities that are authorized to make changes to a given DNS domain.
● SPF checks that the IP address of the sending server is authorized by the owner of the domain that appears in the SMTP MAIL FROM command.
● In addition to requiring that the SPF check passes, DMARC checks that RFC5321.MailFrom aligns with 5322
Domain-Based Message Authentication, Reporting and Confirmation (DMARC) is an email authentication policy that protects against bad actors using fake email addresses disguised to look like legitimate emails from trusted sources. DMARC makes it easier for email senders and receivers to determine whether or not an email legitimately originated from the identified sender. Further, DMARC provides the user with instructions for handling the email if it is fraudulent.
DMARC is capable of producing two separate types of reports. Aggregate reports are sent to the address specified following the rua tag. Forensic reports are emailed to the address following the ruf tag. These mail addresses must be specified in URI mailto format (e.g. mailto:worker@example.net). Multiple reporting addresses are valid and must each be in full URI format, separated by a comma.

Q7. What Are The Different Types of Reports Produced In Investigative Forensics?
Ans: The importance of ensuring the results of any digital forensic (DF) examination are effectively communicated cannot be understated. In most cases, this communication will be done via a written report, yet despite this there is arguably limited best practice guidance available which is specific to this field in regards to report construction.
There are many different ways to effectively document an investigation. Whichever method is used, the investigator should take steps to ensure the reliability of the documentation. Thus, an investigation may yield different reports: an oral report, an executive summary, or a full investigative report.
● Oral Report
Just as it sounds, an oral report involves the investigator delivering the investigative findings verbally. It is commonly referred to as a "verbal report" or an "oral debrief."
● Executive Summary
Executive summaries are the most adaptable of the written reports. They can range from simply setting forth the investigative methodology and findings, to including all of the investigator's analysis, and anything in between. It allows the investigator to focus on the analysis without a comprehensive recitation of the evidence or factual background.
● Investigative Report
Finally, the investigative report. The investigative report typically is an all-inclusive document. It includes everything from the nature of the complaint, the investigative scope, the investigator's role and methodology, a full recitation of the evidence gathered, and a detailed analysis supporting the findings.
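The DMARC answer in Q5 describes three mechanical steps a receiver performs: parse the policy record, test strict or relaxed alignment of the From: domain against the SPF- and DKIM-authenticated domains, and apply p= (or sp= for subdomains) when neither aligns; it also describes the rua/ruf mailto: URI rules for reports. The block below is an added example, not code from the notes, that does all of that on a constructed record. The organizational-domain function is a deliberate simplification (last two labels) where a real implementation consults the Public Suffix List, and the SPF/DKIM results are passed in as inputs rather than computed.

```python
# Constructed sample policy, the shape of a _dmarc.example.com TXT record.
SAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                 "rua=mailto:dmarc-agg@example.com,mailto:agg@example.net; "
                 "ruf=mailto:dmarc-forensic@example.com")


def parse_dmarc(record):
    """Split 'tag=value; ...' into a dict and fill in the defaults DMARC defines."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    tags.setdefault("adkim", "r")        # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")         # SPF alignment
    tags.setdefault("pct", "100")        # share of failing mail the policy applies to
    tags.setdefault("sp", tags["p"])     # subdomain policy defaults to p=
    return tags


def organizational_domain(domain):
    """Simplification: the last two labels. Real code uses the Public Suffix List
    so that names such as example.co.uk are handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain, auth_domain, mode):
    """Strict: identical names. Relaxed: same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_evaluate(tags, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, action). An authentication result only counts
    when it passed AND its domain aligns with the RFC5322.From domain."""
    spf_ok = spf_result == "pass" and is_aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and is_aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_org = organizational_domain(from_domain) == from_domain.lower()
    return "fail", tags["p"] if is_org else tags["sp"]


def reporting_addresses(tags, tag="rua"):
    """Validate a rua= or ruf= value: comma-separated mailto: URIs, optionally
    with a '!size' suffix, and return the bare mailbox addresses."""
    value = tags.get(tag)
    if not value:
        return []
    addresses = []
    for uri in value.split(","):
        uri = uri.strip()
        if not uri.lower().startswith("mailto:"):
            raise ValueError(f"{tag} entry is not a mailto: URI: {uri}")
        addresses.append(uri[len("mailto:"):].split("!", 1)[0])
    return addresses


if __name__ == "__main__":
    tags = parse_dmarc(SAMPLE_RECORD)
    print("aggregate reports to:", reporting_addresses(tags, "rua"))
    print("forensic reports to:", reporting_addresses(tags, "ruf"))
    print(dmarc_evaluate(tags, "example.com", "pass", "mail.example.com", "fail", ""))
    print(dmarc_evaluate(tags, "example.com", "pass", "attacker.example", "pass", "attacker.example"))
```

The last call in the usage section is the spoofing case the answer is about: SPF and DKIM both pass, but for the attacker's own domain, so neither aligns with the displayed From: domain and the p=reject policy applies. Note also that adkim=s makes a signature with d=mail.example.com fail alignment for a From: of example.com, which is a common misconfiguration when a mail provider signs with a subdomain.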
Q8. What Are Content Layouts of an Investigative Report?
Ans: The content layout of an investigative report consists of the following:
1. Executive Summary: The contextual information on the state of affairs that brought about the need for an investigation is the "executive summary" unit. This is the section that senior management just might read; they will probably not read the rest of the report. Therefore, the things that matter should be included in this section in short detail.
2. Objectives: We use the objectives section to outline all the tasks that our investigation intended to accomplish. Prior to any forensic analysis, this task list should be discussed and approved by decision makers, legal counsel, and/or the client.
3. Computer evidence analyzed: The detailed information regarding the assignment of evidence tag numbers and media serial numbers, as well as descriptions of the evidence, is provided in this section.
4. Relevant findings: A summary of the findings of probative value is provided in this section. It answers the question, "What relevant items were found during the investigation?" The relevant findings should be listed in order of importance, or relevance to the case.
5. Supporting details: An in-depth look at and analysis of the relevant findings is provided in this section. It outlines how we found or arrived at the conclusions outlined in the "Relevant Findings" section.
6. Investigative leads: In this section, we outline action items that could be performed to discover additional information pertinent to the investigation. If more time or additional resources were provided to the examiner or investigator, these are the outstanding tasks that could be completed. To a law enforcement officer, this section is more critical.
7. Additional report subsections: In our computer forensic reports, there are several additional subsections that we often include. Some of the subsections are as follows; these subsections are useful in specific cases and not all. It depends on the needs and wants of the end consumer.
● Attacker methodology
● User applications
● Internet activity or Web browsing history
● Recommendations

Q9. What Are The Guidelines for Writing a Good Forensic Report?
Ans: The following points are to be considered when writing a report:
1. Document investigative steps immediately and clearly :- It requires discipline and organization to document investigative steps immediately, but it is essential to be successful in report writing. Do not use shorthand or shortcuts. Unclear notations, incomplete scribbling, or unclear documentation will eventually lead to redundant efforts, forced translation of notes, confirmation notes and a failure to comprehend notes by yourself or others.
2. Know the goals of your analysis :- Before beginning your analysis for examination, know what the goals are. For law enforcement examiners, every crime has elements of proof. Your report should unearth evidence that confirms or dispels these elements. The bottom line is that the more focused your reports are, the more effective they are.
3. Organize your report :- Write "macro to micro". Organize your forensic report to start at the high level and have the complexity of your report increase as your audience continues to read it. This way, to get the essence of your conclusions, the executives need to read only the first page or so, and there is no need to understand the low-level details that support your claims.
4. Follow a template :- A standardized report template should be followed. This makes your report writing more scalable, establishes a repeatable standard and saves time.
5. Use consistent identifiers :- There can be confusion created in a report by referring to an item in different ways, such as referring to the same computer as system, PC, box, web server, etc. Developing a consistent, unwavering way to reference each item throughout your report is critical to eliminate such ambiguity or confusion.
6. Use attachments and appendices :- To maintain the flow of your report, use attachments or appendices. Right in the middle of your conclusions, you do not want to interrupt your forensics report with 15 pages of source code. Any information, files, and file fragments that you point out in your report that are over a page long should be included as appendices or attachments.
7. Have coworkers read your reports :- Employ other coworkers to read your forensics reports. This helps develop reports that are comprehensible to nontechnical personnel, who have an impact on your incident response strategy and resolution. While writing a report, the consumer level, knowledge of your audience and their technical capability should also be considered.
8. Use MD5 hashes :- Whether it is an entire hard drive or specific files, create and record the MD5 hashes of your proof. Performing MD5 hashes for all evidence provides support to the claim that you are diligent and attentive to the special requirements of forensic examination.
9. Include metadata :- Record and include the metadata for every file or file fragment cited in your report. This metadata includes the time/date stamps, full path of the file, the file size and the file's MD5 sum. To increase confidence, this identifying data will help to eliminate confusion.

Q1. Define Digital Forensics.
Q2. Define Digital Forensics Categories. Explain Database Forensics in Brief.
Q3. What Is a Digital Forensic Incident? Define Computer Security Incident.
Q4. Explain Goals of Incident Response.
Q5. Define CSIRT.
Q6. What Is meant by Incident Response Methodology. Explain Steps of Incident Methodology.
Q7. What Is The Phase After Detection of an Incident In Computer Forensics?
Q8. Define Characteristics And Goals Of Digital Forensics.

Q1. Explain Digital Evidence In Brief.
Q2. How many Types of Digital Evidence?
Q3. What Kind of Challenges are Faced By Digital Evidence? Explain.
Q4. What Are The Criteria for Admissibility of Evidence?
Q5. What Are Some Of The Challenges in Evidence Handling?
Q6. What Are The Components of Chain of Custody?
Q7. What Are The Digital Forensics Examination Processes? Explain Process Of Seizure.
Q8. What Are some issues that should be considered in Acquiring Digital Evidence from the Cloud?
Q9. Why Is Forensic Duplication Necessary?
Q10. Explain Forensic Image Formats.
Q11. Define Forensic Duplication Techniques.
Q12. Explain Acquiring Digital Evidence In Brief.
Q13. What Are The Best Forensic Image File Formats? Explain Acquiring Volatile Memory (Live Acquisition).
Q14. What Are The Risks and Challenges of Hard Drive Imaging?
Q15. Define Network Acquisition.

Q1. Why Is There a Need to Analyze Hard Drive Forensic Images?
Q2. How Do You Analyze The Forensic Image?
Q3. Define Malware. What Kinds of Malware Are Used In Digital Forensics?
Q4. Explain Viruses In Brief.
Q5. What Are The Essential Skills and Tools for Malware Analysis?
Q6. Define Worms.
Q7. Explain List of Malware Analysis Tools and Techniques.
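Guidelines 8 and 9 of Q9 above (record the MD5 hash of every piece of evidence, and record its time/date stamps, full path, size and hash alongside it) are the kind of thing an examiner scripts once and reuses. The block below is an added example, not code from the notes: it builds that per-file evidence record, re-verifies it later, and demonstrates that an alteration after acquisition is caught. The evidence tag and the file content are constructed sample data written to a temporary directory. As a design choice beyond what the text asks for, SHA-1 and SHA-256 are recorded next to MD5, since MD5 alone is no longer collision resistant and many report templates now expect SHA-256.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read evidence in 1 MiB chunks so a disk image need not fit in memory


def hash_bytes(data):
    """Digest an in-memory buffer with all three algorithms (used for fragments)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path):
    """Digest a file in one pass, feeding every chunk to all three hashers."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def evidence_record(path, tag):
    """The metadata guideline 9 asks for: tag, full path, size, timestamps, hashes."""
    st = os.stat(path)
    return {
        "evidence_tag": tag,
        "path": os.path.abspath(path),
        "size": st.st_size,
        "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "recorded_utc": datetime.now(timezone.utc).isoformat(),
        "hashes": hash_file(path),
    }


def verify_record(record):
    """Recompute the hashes and size; return (ok, list of mismatching algorithms)."""
    current = hash_file(record["path"])
    bad = [alg for alg, digest in record["hashes"].items() if current.get(alg) != digest]
    size_ok = os.path.getsize(record["path"]) == record["size"]
    return (not bad and size_ok, bad)


def demo():
    """Record a constructed evidence file, verify it, alter it, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "fragment.bin")
        with open(path, "wb") as fh:
            fh.write(b"abc")  # constructed content, not real evidence
        rec = evidence_record(path, "EV-0001")
        ok_before, _ = verify_record(rec)
        with open(path, "ab") as fh:
            fh.write(b"!")  # simulate an alteration after the record was taken
        ok_after, bad = verify_record(rec)
        return rec, ok_before, ok_after, bad


if __name__ == "__main__":
    rec, ok_before, ok_after, bad = demo()
    print(json.dumps(rec, indent=2))
    print("verified at acquisition:", ok_before)
    print("verified after alteration:", ok_after, "mismatches:", bad)
```

The record is plain JSON so it can be pasted into the appendix of the report (guideline 6) and re-run by a coworker reviewing it (guideline 7); keeping the original hash in the record rather than only in a separate hash list is what lets the alteration in `demo()` be detected.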