Digital Forensics Notes

Uploaded by

Simran fatima
DIGITAL FORENSICS
Professional Elective - V, Common to CS, CSE, SE and WT
M.Tech. II Year I Semester (NTU-Hyderabad)

Contents
Syllabus as per the Latest R19 Curriculum
List of Important Questions with Key | S.1-S.3
Model Question Papers
  Model Paper - 1 | S.4-S.5
  Model Paper - 2 | S.6-S.7
  Model Paper - 3 | S.8-S.9

Unit Name and Topic Name | Q.Nos. | Page Nos.

UNIT - I DIGITAL FORENSICS SCIENCE
  Short Questions with Answers | Q1 - Q20 | 1.1-1.7
  Essay Questions with Answers | Q1 - Q20 | 1.8-1.14
  1.1 Digital Forensics Science
  1.1.1 Forensics Science | Q1 - Q3 | 1.12
  1.1.2 Computer Forensics | Q4 - Q11 | 1.22
  1.1.3 Digital Forensics | Q12 - Q14 | 1.26
  1.2 Computer Crime | Q15 | 1.27
  1.2.1 Criminalistics as it relates to the Investigation Process | Q16 - Q17 | 1.29
  1.2.2 Analysis of Cyber Criminalistics Area | Q18 | 1.31
  1.2.3 Holistic approach to Cyber Forensics | Q19 - Q20 | 1.33

UNIT - II CYBER CRIME SCENE ANALYSIS | 2.1-2.20
  Short Questions with Answers | Q1 - Q20 | 2.1-2.7
  Essay Questions with Answers | Q1 - Q14 | 2.8-2.20
  2.1 Cyber Crime | Q1 | 2.8
  2.2 Methods to Search and Seize Electronic Evidence | Q2 - Q9 | 2.15
  2.3 Retrieved and Unretrieved Communications | Q10 - Q13 | 2.18
  2.4 Discuss the importance of understanding what court documents would be required for a criminal investigation | Q14 | 2.20

UNIT - III EVIDENCE MANAGEMENT & PRESENTATION | 3.1-3.20
  Short Questions with Answers
  Q1 - Q20 | 3.1-3.6
  Essay Questions with Answers | Q1 - Q16 | 3.7-3.20
  3.1 Evidence Management & Presentation | Q1 - Q3 | 3.8
  3.2 Create and Manage Shared Folders using an Operating System | Q4 - Q8 | 3.14
  3.3 Importance of Forensic Mindset | Q9 - Q10 | 3.15
  Define the workload of Law Enforcement | Q11
  Explain what the normal case would look like | Q12
  Define who should be notified of a Crime | Q13 - Q14
  Parts of Gathering Evidence, Define and Apply Probable Cause | Q15 - Q16 | 3.20

UNIT - IV COMPUTER FORENSICS
  Short Questions with Answers | Q1 - Q20 | 4.1-4.6
  Essay Questions with Answers | Q7 - Q14 | 4.4-4.19
  4.1.1 Prepare a Case | Q1 - Q2 | 4.8
  4.1.2 Begin an Investigation | Q3 - | 4.12
  4.1.3 Understand Computer Forensics Workstations and Software; Conduct an Investigation, Complete a Case, Critique a Case
  4.2 Network Forensics
  4.2.1 Open Source Security Tools for Network Forensic Analysis
  4.2.2 Requirements for Preservation of Network Data

S.1
FAQs AND IMPORTANT QUESTIONS WITH KEY

UNIT - I
Q1. What is Forensic Science? (Unit-I, Q.No.1)
Q2. Explain Forensic Evidence? (Unit-I, Q.No.2)
Q3. What is Computer Forensics? (Unit-I, Q.No.4)
Q4. What are Computer Forensic Services? (Unit-I, Q.No.7)
Q5. What is Computer Forensics and its process? (Unit-I, Q.No.9)
Q6. Rules of Computer Forensics? (Unit-I, Q.No.11)
Q7. Explain the Computer Crime Investigation Process? (Unit-I, Q.No.16)
Q8. Explain Cyber Crime Data Analysis? (Unit-I, Q.No.18)
Q9. Explain a proposed holistic Cyber Security implementation framework? (Unit-I, Q.No.19)

UNIT - II
Q1. What is Cyber Crime? (Unit-II, Q.No.1)
Q2. What are the Rules of Evidence? (Unit-II, Q.No.4)
Q3. What is the general procedure for collecting and analysing evidence? (Unit-II, Q.No.7)
Q4. Explain Data Back-up and Recovery? (Unit-II, Q.No. [illegible])
Q5.
What is Computer Crime Investigation? (Unit-II, Q.No. [illegible])

UNIT - III
Q1. What is Evidence Management? (Unit-III, Q.No.1)
Q2. Explain in detail about evidence handling? (Unit-III, Q.No.2)
Q3. What is Forensic Science? Explain the scope of Forensic Science? (Unit-III, Q.No. [illegible])
Q4. Describe computer forensics in law enforcement? (Unit-III, Q.No. [illegible])
Q5. Explain the conceptual understanding of crime? (Unit-III, Q.No.13)
Q6. Explain in detail about gathering evidence? (Unit-III, Q.No.15)

UNIT - IV
Q1. What is Computer Forensics? Explain in detail about computer forensics as forensi
Q2. How to critique a case?

UNIT I
DIGITAL FORENSICS SCIENCE AND COMPUTER CRIME

Q1. Give a definition of Forensic Science?
Answer: Forensic science involves the application of natural, physical and social sciences to matters of law. Most forensic scientists hold that investigation begins at the scene, regardless of their associated field. The proper investigation, collection and preservation of evidence are essential for fact finding and for ensuring proper evaluation and interpretation of the evidence, whether the evidence is bloodstains, human remains, hard drives, ledgers and files or medical records.

Q2. Write short notes on Forensic Evidence?
Answer: Forensic scientists examine firearms, toolmarks, controlled substances, deoxyribonucleic acid (DNA), fire debris, fingerprint and footwear patterns and bloodstain patterns. Forensic evidence is collected, processed, analyzed, interpreted and presented to provide information concerning the corpus delicti; reveal information about the modus operandi; and link or rule out the connection of a suspect to a crime, crime scene or victim.

Q3. Give some evidence classification schemes?
Answer: Evidence classification schemes include physical evidence, transfer evidence, trace evidence and pattern evidence.
* Physical evidence includes objects that meaningfully contribute to the understanding of a case.
* Transfer evidence refers to evidence which is exchanged between two objects as a result of contact.
* Trace evidence is evidence that exists in sizes so small (i.e. dust, soil, hair and fibers).

Q4. Write short notes on Rules of Evidence?
Answer: Rules of evidence dictate the type of information that can be collected from computers and related technologies. These rules also prescribe the ways in which evidence should be collected in order to ensure its admissibility in a court of law.

Q5. Write short notes on Branches of Forensic Science?
Answer: There are several branches of forensic science, including forensic economics, forensic anthropology, forensic odontology, forensic toxicology, forensic entomology, forensic accounting, forensic engineering and computer forensics.

Q6. What is Computer Forensics?
Answer: Computer forensics is the process of methodically examining computer media (hard disks, diskettes, tapes etc.) for evidence. In other words, computer forensics is the collection, preservation, analysis and presentation of computer related evidence. Computer forensics is also referred to as computer forensic analysis, electronic discovery, electronic evidence discovery, digital discovery, data recovery, data discovery, computer analysis and computer examination.

Q7. Write short notes on Computer Forensics in Law [Enforcement]
[Answer fragment:]
* Tracing artifacts
* Processing hidden files
* Running a string search for e-mail

Q8. Give some Computer Forensic Services?
Answer:
* Data seizure
* Data duplication / preservation
* Data recovery
* Document searches
* Media conversion
* Expert witness services
* Computer evidence service options

[Fragment:] The overall computer forensics process is sometimes viewed as comprising four stages:

[Fragment:]
* Answers the questions: who, what, when, where, how and why.
* Gathering data in a forensically sound manner.
* Handle and analyze evidence.
* Prepare the report.
* Present admissible evidence in court.

Q11. What are the uses of Computer Forensics?
Answer: More recently, commercial organisations have used computer forensics to their benefit in a variety of cases such as:
* Intellectual property theft
* Industrial espionage
* Employment disputes
* Fraud investigations
* Bankruptcy investigations
* Inappropriate email and internet use in the workplace
* Regulatory compliance

Q12. What is a Computer Forensics Team?
Answer: An organization should have enough capability to handle and solve the basic issues with its own people. It is very hard for an organization to determine fraud, illegal activities, policy or network breaches, and even then they will find it hard to implement the cyber security rules in the organization. Here are the key people that a computer investigation firm should have:
* Investigators
* Photographer
* Incident handlers

Q13. What are the rules of Computer Forensics?
Answer: There are certain rules and boundaries that should be kept in mind while conducting an investigation.
1. Minimize or eliminate the chances of examining the original evidence.
2. Don't proceed if it is beyond your knowledge.
3. Follow the rules of evidence.
4. Create documents.
5. Get the written permission and follow the local security policy.
6. Be ready to testify.
7. Your action should be repeatable.
8. Work fast to reduce data loss.
9. Don't shut down before collecting evidence.
10. Don't run any program on the affected system.

Q14.
What is Digital Forensics?
Answer: Digital forensics, the art of recovering and analysing the contents found on digital devices such as desktops, notebooks/netbooks, tablets, smartphones etc., was little known a few years ago. However, with the growing incidence of cyber crime and increased adoption of digital devices, this branch of forensics has gained significant importance in the recent past.

Q15. What are the techniques of Digital Forensics?
Answer: A number of techniques are used during investigation:
* Cross-drive analysis
* Volatile data

[Fragment of a crime classification:]
  d. Website defacement
  e. Cyberterrorism
  f. Spoofing
  g. Skimming
  h. Pharming
2. Crimes in which computer systems are used as tools / instruments:
  a. Financial fraud
  b. Data modification
  c. Identity theft and its issues

Q19. Give a classification of Cyber Forensics?
Answer: The branch of cyber forensics can be classified into various sub-branches. Some of these sub-branches are:
* Disk forensics
* Network forensics
* Wireless forensics
* Database forensics
* Malware forensics
* Mobile device forensics
* E-mail forensics
* Memory forensics

Q20. What is Spamming?
Answer: Spamming is the act of sending unsolicited messages to many users at a time, possibly up to thousands, with the usual intention of advertising products to potential customers. Categories of spammers are:
* Hucksters

1.8
[Essay Q1, continued:] ...investigations to investigations that include scientific methodology and thinking. One critic of the experience-based approach lists the following pitfalls of limiting [investigation to the] scene: an overall lack of understanding of the application of the scientific method, a lack of supervision and oversight, and a lack of understanding of how to apply the scientific method to develop hypotheses supported by the evidence.
Another criticism is that some investigators will draw a conclusion and then obtain evidence to support their version of events while ignoring other types of evidence that do not support their version or seem to contradict it. Scene reconstruction is the process of putting the pieces of an investigation together with the objective of reaching an understanding of the sequence of past events that resulted [in the scene], based on the physical evidence from the event. The scientific method approach is the basis for crime scene reconstruction, which includes a cycle of observation, conjecture, hypothesis, testing and theory. The process of recognizing, identifying, individualizing and evaluating physical evidence using forensic science methods to aid in reconstruction is known as criminalistics. Furthermore, in forensic science, exclusion can be as critical as inclusion. Being able to compare materials to determine origin may rule out suspects or scenarios.

Q2. Explain Forensic Evidence?
Answer: Forensic scientists examine firearms, tool marks, controlled substances, deoxyribonucleic acid (DNA), fire debris, fingerprint and footwear patterns and bloodstain patterns. Forensic evidence is collected, processed, analyzed, interpreted and presented to provide information concerning the corpus delicti; reveal information about the modus operandi; link or rule out the connection of a suspect to a crime, crime scene or victim; corroborate the statements of suspects, victims and witnesses; identify the perpetrators and victims of crimes; and provide [...]

1.9
[Fragment:] ...weapons, ammunition and controlled substances). Transfer evidence refers to evidence which is exchanged between two objects as a result of contact. Edmond Locard formulated this exchange principle, stating that objects and surfaces that come into contact will transfer material from one to another.
Trace evidence is evidence that exists in sizes so small (i.e., dust, soil, hair and fibers) that it can be transferred or exchanged between two objects without being noticed. Pattern evidence refers to evidence whose distribution can be interpreted to ascertain its method of deposition, as compared to evidence that has undergone a similar phenomenon. This type of evidence can include imprints, indentations, striations and distributions. [Criminalistics] is concerned with the analysis of trace and transfer evidence and includes, but is not limited to, pattern evidence (fingerprints, footwear, gunshot residue), physiological fluids (blood, semen), arson and explosive residues, drug identification and questioned document examination. Questioned document examination involves the evaluation and comparison of handwriting, inks, paper and mechanically produced documents such as those from printers.

Alternate classification schemes for evidence include direct evidence, circumstantial evidence, hearsay evidence and testimonial evidence. Many of these terms can be used interchangeably for a given type of sample. Direct evidence refers to evidence that proves or establishes a fact. Circumstantial evidence is evidence that establishes a fact through inference. Hearsay evidence refers to an out-of-court statement that is introduced in court to prove or establish a fact. Depending on a country's rules of evidence, this type of evidence may or may not be admissible in court.

Q3. What are the Branches of Forensic Science?
Answer: There are several branches of forensic science including (but not limited to) forensic economics, forensic anthropology, forensic odontology, forensic pathology, forensic toxicology, forensic entomology, forensic psychology, forensic accounting, forensic engineering and computer forensics.

The field of forensic economics emerged when courts began allowing expert testimony by specialists in a variety of different fields.
1) Forensic economics is a branch of forensic science that applies economic theories and methods to matters of law. Forensic economists do not investigate illicit activity; instead, they apply economic theories to understand the incentives which underlie criminal acts. Originally, forensic economics applied the discipline of economics to the detection and quantification of harm caused by a particular behavior that is the subject of litigation. Forensic economics has also been used in the detection of behaviour that is essential to the functioning of the economy or that may harm the economy.

2) Forensic anthropology is a branch of science that applies physical or biological anthropology to legal matters. In particular, it is concerned with the identification of individuals based on skeletal remains. Experts in this field examine human remains by evaluating the bones and any antemortem, perimortem and postmortem [...]

3) Forensic odontology, sometimes referred to as forensic dentistry, is a branch of science that applies dental knowledge to legal matters. It is concerned with the identification of individuals based on dental remains and individual dentition. Forensic odontologists may also evaluate bite mark evidence in the course of their forensic endeavors.

4) Forensic pathology, also referred to as forensic medicine, is concerned with the investigation of sudden, unnatural, unexplained or violent deaths. Forensic pathologists conduct autopsies to determine the cause, mechanism and manner of an individual's death.

5) Forensic toxicology is concerned with the recognition, analysis and evaluation of poisons and drugs in human tissues, organs and bodily fluids.

6) Forensic entomology is a branch of science that applies the study of insects to matters of law. Experts in this field are primarily used in death investigations, for example to shed light on the time and cause of death.
Specifically, the life cycle of insects is studied to provide investigatory leads and information about a crime.

7) Forensic psychology involves the study of law and psychology and the interrelationship between the two disciplines.

8) Forensic accounting is a branch of forensic science that applies accounting principles and techniques to the investigation of illicit activities and the analysis of financial data in legal proceedings.

9) Forensic engineering is concerned with the investigation of mechanical and structural failures, using the science of engineering to evaluate safety and liability.

10) Lastly, computer (or digital) forensics is a branch of forensic science that focuses on criminal procedure law and evidence as applied to computers and related devices such as mobile phones, smartphones and portable media players.

1.1.2 COMPUTER FORENSICS

Q4. What is Computer Forensics?
Answer: Computer forensics is the process of methodically examining computer media (hard disks, diskettes, tapes etc.) for evidence. In other words, computer forensics is the collection, preservation, analysis and presentation of computer related evidence. Computer forensics is also referred to as computer forensic analysis, electronic discovery, electronic evidence discovery, digital discovery, data recovery, data discovery, computer analysis and computer examination.

Computer evidence can be useful in criminal cases, civil disputes and human resources employment proceedings.

Computer forensics is the practice of collecting, analysing and reporting on digital data in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. It is the use of specialized techniques for the recovery, authentication and analysis of electronic data when a case involves issues relating to the reconstruction of computer usage, the examination of residual data,
and the authentication of data by technical analysis or explanation. Computer forensics deals with the preservation, identification, extraction and documentation of computer evidence. Like many other forensic sciences, computer forensics involves the use of sophisticated technological tools and procedures that must be followed to guarantee the accuracy of preservation of evidence and the accuracy of results concerning computer evidence processing. It is the use of specialized techniques for the recovery, authentication and analysis of electronic data, typically of data which has been deleted or destroyed.

Q5. Evolution of Computer Forensics?
Answer: It is difficult to pinpoint the first "computer forensic" examination or, for that matter, the beginning of the field. But most experts agree that the field of computer forensics began to evolve more than [illegible] years ago. The field began in the United States, in large part, when law enforcement and military investigators started seeing criminals get technical. Government personnel charged with protecting important, confidential and certainly secret information conducted forensic examinations in response to potential security breaches, not only to investigate the particular breach but to learn how to prevent future potential breaches. Ultimately the fields of information security, which focuses on protecting information and assets, and computer forensics, which focuses on the response to hi-tech offenses, started to intertwine. [...] Government and private organizations and corporations have followed suit.

[Fragment:] ...investigation. In a business context there is the opportunity to actively collect potential evidence in the form of log files, emails, backups, disks, portable computers, network traffic records and telephone records, amongst others.
The evidence may be collected in advance of a crime or dispute and may be used to the benefit of the collecting organisation if it becomes involved in a formal dispute or legal process.

Goals of Forensic Readiness:
* To gather admissible evidence legally and without interfering with business processes.
* To allow an investigation to proceed at a cost in proportion to the incident.
* To minimize interruption to the business from any investigation.
* To ensure that evidence makes a positive impact on the outcome of any legal action.

Benefits of Forensic Readiness:
* Evidence can be gathered to act in an organisation's defence if it is subject to a lawsuit.
* In the event of a major incident, an efficient and rapid investigation can be conducted and actions taken with minimal disruption to the business.
* A systematic approach to evidence storage can significantly reduce the costs and time of an internal investigation.
* It can demonstrate that regulatory requirements have been met.
* It can improve and facilitate the interface to law enforcement if involved.
* It can improve the prospects for a successful legal action.
* It can support sanctions based on digital [illegible].

1.17
7. Computer evidence service options: Computer forensics experts should offer various levels of service, each designed to suit your individual investigative needs.

Other miscellaneous services: Computer forensics experts should also be able to provide extended services. These services include:
* Analysis of computers and data in criminal investigations.
* On-site seizure of computer data in criminal investigations.
* Analysis of computers and data in civil litigation.
* Reporting in a comprehensive and readily understandable manner.

Q8. Explain the types of Law Enforcement Computer Forensic Technology?
Answer: Computer forensics tools and techniques have become important resources for use in internal investigations, civil lawsuits and computer security risk management. Law enforcement and military agencies have been involved in processing computer evidence for years.

Computer Evidence Processing Procedures: Processing procedures and methodologies should conform to federal computer evidence processing standards.
1. Preservation of evidence: Computer evidence is fragile and susceptible to alteration or erasure by any number of occurrences.

Trojan Horse Programs: The computer forensic expert should be able to demonstrate his or her ability to avoid destructive programs and traps that can be planted [...]

Computer Forensics Process: The computer forensics work procedure or work process can be divided into 5 major parts:
The first process of computer forensics is to identify the scenario or to understand the case. At this stage, the investigator has to identify the purpose of the investigation, the type of incident, the parties involved in the incident and the resources that are required to fulfil the needs of the case.
Collection: Collection is one of the most important steps, because your entire case is based on the evidence collected from the crime scene.
Examination: The aim of the third process is to examine the collected data by following standard procedures, techniques, tools and methodology to extract the meaningful information related to the case.
Analysis: Since all five processes are linked together, analysis is the procedure to analyze the data acquired after the examination process.
Reporting: This is the final but the most important step. At this step an investigator needs to document the process used to collect, examine and analyse the data.

[Fragment, continuing the rules of computer forensics:] ...investigation. It is very important because during the investigation you need to get [...] or need to make copies of the sensitive data.
Be ready to testify: Since you are collecting the evidence, you should make yourself ready to testify to it in court, otherwise the collected evidence may become inadmissible.
Your action should be repeatable: Do not work on trial and error, else no one is going to believe you and your investigation. Make sure to document every step taken.
Work fast to reduce data loss: Work fast to eliminate the chances of data loss; volatile data may be lost if not collected in time. While automation can be introduced to speed up the process, do not create a rush situation.
Don't shut down before collecting evidence: This is a rule of thumb, since the collection of data or evidence itself is important for an investigation. You should make sure not to shut down the system before you collect all the evidence.
Don't run any program on the affected system: Collect all the evidence, copy it, create many duplicates and work on them. Do not run any program, otherwise you may trigger something that you don't want to trigger.

1.22
Q12. Explain Digital Forensic Evolution?
Answer: One of the most important advances in the history of digital forensics occurred on February 20, 2008, when the American Academy of Forensic Sciences (AAFS) created a new section devoted to Digital and Multimedia Sciences (DMS). The AAFS is one of the most widely recognized organizations for all the established forensic disciplines, and this was the first new section of the AAFS in 28 years. This development advances digital forensics as a scientific discipline and provides a common ground for the varied members of the forensic science community to share knowledge and address current challenges. Major challenges that members of the DMS section are working to address include standardization of practice and professionalization of digital forensics.
The recent development of digital forensics as a profession and scientific discipline has its roots in the efforts of law enforcement to address the growth in computer-related crime. In the late 1980s and early 1990s, law enforcement agencies in the United States began working together to develop training and build their capacity to deal with the issue. These initiatives led to law enforcement training programs at centers such as SEARCH, the Federal Law Enforcement Training Center (FLETC) and the National White Collar Crime Center (NW3C). The rapid development in technology and computer related crime has created a significant demand for individuals who can collect, analyze and interpret digital evidence.

Q13. What is Digital Forensics? Explain the techniques of Digital Forensics?
Answer: Digital forensics, the art of recovering and analysing the contents found on digital devices such as desktops, notebooks/netbooks, tablets, smartphones etc., was little known a few years ago. However, with the growing incidence of cyber crime and increased adoption of digital devices, this branch of forensics has gained significant importance in the recent past, augmenting what was conventionally limited to the recovery and analysis of biological and chemical evidence during criminal investigations.

Techniques of Digital Forensics: A number of techniques are used during computer forensics investigations, and much has been written on the many techniques used by law enforcement in particular.
* Cross-drive analysis: A forensic technique that correlates information found on multiple hard drives. The process, still being researched, can be used to identify social networks and to perform anomaly detection.
* Live analysis: The examination of computers from within the operating system using custom forensics or existing sysadmin tools to extract evidence.
* Volatile data:
Volatile data is data that is lost if the power is switched off. A computer requires some memory space where it can store the most frequently used data and the intermediate results of an operation.
* Recovery of deleted files: A common technique used in computer forensics is the recovery of deleted files. Modern forensic software has its own tools for recovering or carving out deleted data. Most operating systems and file systems do not always erase physical file data, allowing investigators to reconstruct it from the physical disk sectors.
* Stochastic forensics: A method which uses the stochastic properties of the computer system to investigate activities lacking digital artifacts.
* Steganography: One of the techniques used to hide data is steganography, the process of hiding data inside a picture or digital image.

Q14. What are the principles of Digital Forensics? Give the general types of Digital Forensics?
Answer: Digital forensics, the art of recovering and analysing the contents found on digital devices such as notebooks/netbooks, desktops, tablets, smartphones etc., was little known a few years ago. However, with the growing incidence of cyber crime and increased adoption of digital devices, this branch of forensics has gained significant importance in the recent past, augmenting what was conventionally limited to the recovery and analysis of biological and chemical evidence during criminal investigation.

Principles of Digital Forensics: When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
* Upon seizing digital evidence, actions taken should not change that evidence.
* When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
* All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.
* An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession.
* Any agency which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.

General Types of Digital Forensics:
* Network analysis
  - Communication analysis
  - Log analysis
  - Path tracing
* Media analysis
  - MAC time analysis
  - Content analysis
  - Slack space analysis
  - Steganography
* Code analysis
  - Reverse engineering
  - Malicious code review
  - Exploit review

Q15. What is computer crime and what are its categories?
Answer: Computer crime is also known as cyber crime. Cyber crime is defined as crimes committed on the internet using the computer as either a tool or a targeted victim. It is very difficult to classify crimes in general into distinct groups, as many crimes evolve on a daily basis. Even in the real world, crimes like rape, murder or theft need not necessarily be separate. However, all cybercrimes involve both the computer and the person behind it as victims; it just depends on which of the two is the main target. Hence the computer will be looked at as either a target or a tool for simplicity's sake. For example, hacking involves attacking the computer's information and other resources. It is important to note that overlapping occurs in many cases and it is impossible to have a perfect classification system.

Computer as a tool: When the individual is the main target of cybercrime, the computer can be considered as the tool rather than the target. These crimes generally involve less technical expertise, as the damage done manifests itself in the real world. Human weaknesses are generally exploited.

Computer as a target: These crimes are committed by a selected group of criminals.
Unlike crimes using the computer as a tool, these crimes require the technical knowledge of the perpetrators. The crimes are relatively new, having been in existence for only as long as computers have, which explains how unprepared society and the world in general are towards combating these crimes. There are numerous crimes of this nature committed daily on the internet.
Obvious cybercrime categories as observed in some cyber cafes: There are so many varieties of crimes that are committed on the internet daily; some are directed at the computer while others are directed at the computer users.
1. Spamming: Spamming is the act of sending unsolicited messages to many users at a time, possibly up to thousands, with the usual intention of advertising products to potential customers. Categories of spammers are:
   - Hucksters
   - Fraudsters
   - Unskilled & Inexperienced
2. Piracy: Piracy involves the illegal reproduction and distribution of software applications, games, movies and audio CDs.

1.2.1 CRIMINALISTIC AS IT RELATES TO THE INVESTIGATION PROCESS
Q16. Explain the Computer Crime Investigation Process.
Answer :
The process of investigation is no exception and can be effectively explained and learned in this manner. The following issues relate to the process of investigation:
1. The distinction between investigative tasks and investigative thinking.
2. The progression of the investigative process.
3. The distinction between tactical investigative responses and strategic investigative responses.
4. The concepts of event classification and offence recognition.
5. The threat vs. action response dilemma.
6. The distinction between active events and inactive events.
7. The connection of active events and Level 1 priority results to the power afforded under exigent circumstances.
8. The response transition matrix (RTM) and the critical need to transition from tactical response to strategic response.
Q17. What are the computer crime types?
Answer :
There exists a constantly expanding list of the forms computer crime and computer fraud can take. Fortunately, these crime types fall into overarching groups of criminal actions. Many traditional crimes such as fraud, theft, organized crime rings, prostitution, stalking and pornography have been incorporated into the digital world; all this includes fraud, theft, harassment, and child pornography. Computer fraud consists of crimes such as online auction fraud, identity theft, financial and telecommunications fraud, credit card fraud and various other schemes.
Computer Fraud: Computer fraud is one of the most rapidly increasing forms of computer crime. Computer fraud is also commonly referred to as Internet fraud.
Internet Fraud: One type of internet fraud is e-mail fraud. In this particular crime the victim receives an e-mail from an alleged son of a deceased Nigerian head of state, who happens to be the heir to millions of dollars that are hidden in accounts all over the world.
Phishing: The Anti-Phishing Working Group defines phishing as a form of online identity theft that uses spoofed e-mails designed to lure recipients to fraudulent websites which attempt to trick them into divulging personal financial data such as credit card numbers.

Q18. Explain Cyber Crime Data Analysis.
Answer :
This is the analysis of the evidence that is gathered during the Acquire the Data phase of an internal investigation.
* Analyze Network Data: In many investigations it is not necessary to analyze network data. Instead, the investigations focus on and examine images of data. When network analysis is required, use the following procedure:
1. Examine network service logs for any events of interest.
2. Examine firewall, proxy server, intrusion detection system (IDS), and remote access service logs.
3. View any packet sniffer or network monitor logs for data that might help you determine the activities that took place over the network.
* Analyze Host Data: Host data includes information about such components as the operating system and applications. Use the following procedure to analyze the copy of the host data you obtained in the Acquire the Data phase:
1. Identify what you are looking for.
2. Examine the operating system data.
3. Examine the running applications, processes and network connections.
* Analyze Storage Media: The storage media you collected during the Acquire the Data phase will contain many files. Identify files that are likely to be relevant, which you can then analyze more closely. Use the following procedure to extract and analyze data from the storage media collected:
1. Whenever possible, perform offline analysis on a bit-wise copy of the original evidence.
2. Determine where data encryption was used, such as the Encrypting File System (EFS) in Microsoft Windows.
3. If necessary, uncompress any compressed files.
4. Create a diagram of the directory structure.
5. Identify files of interest.
7. Search the contents of all gathered files to help identify files that may be of interest.

1.2.3 HOLISTIC APPROACH TO CYBER FORENSICS
Q19. Explain a proposed holistic cyber security implementation framework.
Answer :
The Holistic Cyber Security Implementation Framework (HCS-IF) lays out the ground for an overarching approach to implement CSSs (Cyber Security Strategies). CSSs are usually developed based on a reappraisal of the current information security status. The following subsections explore the framework development methodology and the framework's major components in more detail.
HCS-IF development methodology: Developing a framework for security implementation might generally be seen as:
* Security as an art
* Security as a science
* Social security
* Engineering-based approach
HCS-IF: The HCS-IF is intended to lay out the ground for an overarching approach to implement CSSs. The HCS-IF should help an executing nation to achieve the cyber security objectives outlined in its national CSS. The HCS-IF has the following major core components: CSS, requirements elicitation, strategic moves, controls, security objectives and implementation repository.
Requirements Elicitation: Requirements elicitation (RE) is a well known field in software engineering. This concept is used as a component in the HCS-IF to help convert the CSS into a set of business and security requirements.
Cyber Security Strategic Moves: Cyber security strategic moves are actions taken to achieve one or more cyber security objectives. Strategic moves are prescriptive and purposeful; they identify exactly what has to be done and directly act to achieve the intended objectives.
Controls: Controls are used to influence the behaviour of an organization as a means to facilitate cyber security implementations.
Q20. Explain validating the proposed HCS-IF.
Answer :
Many security frameworks have been adopted to secure cyberspace; most of them target a specific domain or have been developed for specific entities. To our knowledge, there is no complete CSS implementation framework at the national level except for a few that are limited to specific domains.
Comparison Criteria: The comparison is carried out against a list of features. These features are either extracted from the literature review or suggested by this research.
These suggested features enable the HCS-IF to overcome the limitations of the existing frameworks; in fact, most of the features were the original motives of this research in the first place. Each feature is subjectively rated against each framework.
* Resilience: Means the ability of the framework to be agile and flexible, and to deal with unseen changes in technology, environment, attack methods etc.
* Measure Performance: Means the ability to measure the performance of security effectively at various organizational levels.

UNIT - II CYBER CRIME SCENE ANALYSIS
Q1. What is Cyber Crime?
Answer :
Computer crime or cyber crime is any crime that involves a computer network. The computer may have been used in the commission of a crime, or it may be the target. Cybercrime offences are those committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim.
Q2. What is Computer-based crime?
Answer :
This is criminal activity that is conducted purely on computers, for example cyber bullying or spam. As well as crimes newly defined by the computing age, it also includes traditional crime conducted purely on computers.
Q3. What is Computer-facilitated crime?
Answer :
Crime conducted in the "real world" but facilitated by the use of computers. A classic example of this sort of crime is fraud: computers are commonly used to communicate with other fraudsters, to record/plan activities or to create fraudulent documents. Not all digital forensics investigations focus on criminal behaviour; sometimes the techniques are used in corporate settings to recover lost information or to rebuild the activities of employees.
Q4. What is evidence? What are the types of evidence?
Answer :
Digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial. Before accepting digital evidence, a court will determine if the evidence is relevant, whether it is authentic, and whether it is hearsay.
Types of evidence:
1. Real evidence
2. Testimonial evidence
3. Hearsay
Q5. What are the rules of evidence?
Answer :
There are five rules of collecting electronic evidence. These relate to five properties that evidence must have to be useful:
1. Admissible
2. Authentic
3. Complete
4. Reliable
5. Believable
Q6. What are the basic do's and don'ts in the rules of evidence?
Answer :
Using the preceding five rules, you can derive some basic do's and don'ts:
* Minimize handling/corruption of original data.
* Account for any changes and keep detailed logs of your actions.
* Comply with the five rules of evidence.
* Do not exceed your knowledge.
* Follow your local security policy.
* Capture as accurate an image of the system as possible.
Q9. What are the steps for the collection of evidence?
Answer :
You now have enough information to build a step-by-step guide for the collection of the evidence. Once again, this is only a guide; you should customize it to your specific situation. You should perform the following collection steps:
1. Find the evidence
2. Find the relevant data
3. Create an order of volatility
4. Remove external avenues of change
5. Collect the evidence
6. Document everything
Q10. Write short notes on Searching and Seizing.
Answer :
As for evidence search and seizure, some of these ideas already exist. However, the science of computer forensics is an exact science. It is tedious and meticulous.
It is very important for you to recognize that if you cannot be perfect and error free, then you must be exact in your methodology, and make sure that you perform your investigation in check and to the standards you have developed.
Q11. Define Data Recovery.
Answer :
Data recovery is the process in which highly trained engineers evaluate and extract data from damaged media and return it in an intact format. Many people, even computer experts, fail to recognize data recovery as an option during a data crisis. Yet it is possible to retrieve files that have been deleted, passwords that have been forgotten, or to recover entire hard drives that have been physically damaged.
Q12. What are the back-up obstacles? Explain any one of them.
Answer :
The following are obstacles to backing up applications:
* Back-up window
* Network bandwidth
* System throughput
* Lack of resources
System Throughput: There are three I/O bottlenecks commonly found in traditional back-up schemes. These are:
1. The ability of the system being backed up to push data to the back-up server.
2. The ability of the back-up server to accept data from multiple systems simultaneously.
3. The available throughput of the tape device onto which the data is moved.
Q13. Write short notes on the Back-up server.
Answer :
The back-up server is responsible for managing the policies, schedules, media catalogs, and indexes associated with the systems it is configured to back up. The systems being backed up are called clients. Traditionally, all managed data in an enterprise that was being backed up had to be processed through the back-up server. Conversely, all data that needed to be restored had to be accessed through the back-up server as well, so performance was tied to the ability of the back-up server to handle the I/O load created by the back-up.
Q14. Write short notes on the Network Data Path.
Answer :
Centralization of a data management process such as back-up and recovery requires a robust and available network data path.
The movement and management of hundreds or thousands of megabytes of data can put strain on even the best designed networks.
Q15. What is the role of back-up in data recovery?
Answer :
There are many factors that affect back-up. For example:
* Storage costs are decreasing.
* Systems have to be online continuously.
* The role of back-up has changed.
Q16. Write short notes on Assess the Situation.
Answer :
Analyze the scope of the investigation and the action to be taken. To assess the situation, use the following five step process:
1. Notify decision makers and acquire authorization.
2. Review policies and laws.
3. Identify investigation team members.
4. Conduct a thorough assessment.
5. Prepare for evidence acquisition.
Q17. Write short notes on Acquire the Data.
Answer :
Gather, protect and preserve the original evidence in Acquire the Data. Some computer investigation data is fragile, highly volatile and can be easily modified or damaged. Therefore you need to ensure that data is collected and preserved correctly prior to analysis. Use the following steps for Acquire the Data:
1. Build a computer investigation toolkit.
2. Collect the data.
3. Store and archive.

2.1 CYBER CRIME
Q1. What is Cyber Crime?
Answer :
Cyber crime is defined as crimes committed on the internet using the computer as either a tool or a targeted victim. It is very difficult to classify crimes in general into distinct groups as many crimes evolve on a daily basis. Even in the real world, crimes like rape, murder or theft need not necessarily be separate. However, all cybercrimes involve both the computer and the person behind it as victims; it just depends on which of the two is the main target. Hence the computer will be looked at as either a target or a tool for simplicity's sake. For example, hacking involves attacking the computer's information and other resources.
It is important to take note that overlapping occurs in many cases and it is impossible to have a perfect classification system.
Computer as a tool: When the individual is the main target of cybercrime, the computer can be considered as the tool rather than the target. These crimes generally involve less technical expertise, as the damage done manifests itself in the real world.
Computer as a target: These crimes are committed by a selected group of criminals. Unlike crimes using the computer as a tool, these crimes require the technical knowledge of the perpetrators. These crimes are relatively new, having been in existence for only as long as computers have, which explains how unprepared society and the world in general are towards combating these crimes.
Q2. Why Collect Evidence?
Answer :
Electronic evidence can be very expensive to collect: the processes are strict and exhaustive, the system affected may be unavailable for a long period of time, and analysis of the data collected must be performed. So why bother collecting the evidence in the first place? There are two simple reasons: future prevention and responsibility.
Future Prevention: Without knowing what happened, you have no hope of ever being able to stop someone else from doing it again. It would be analogous to not fixing the lock on your door after someone broke in. Even though the cost of collection can be high, the cost of repeatedly recovering from compromises is much higher, both in monetary and corporate image terms.
Responsibility: There are two responsible parties after an attack: the attacker and the victim. The attacker is responsible for the damage done, and the only way to bring them to justice is with adequate evidence to prove their actions. The victim, on the other hand, has a responsibility to the community. Information gathered after a compromise can be examined and used by others to prevent further attacks. They may also have a legal obligation to perform an analysis of the evidence collected, for instance if the attack on their system was part of a larger attack.
Q3. Explain the Types of Evidence.
Answer :
Before you start collecting evidence, it is important to know the different types of evidence categories.
Without taking these into consideration, you may find that the evidence you've spent several weeks and quite a bit of money collecting is useless.
Real Evidence: Real evidence is any evidence that speaks for itself without relying on anything else. In electronic terms, this can be a log produced by an audit function, provided that the log can be shown to be free from contamination.
Testimonial Evidence: Testimonial evidence is any evidence supplied by a witness. This type of evidence is subject to the perceived reliability of the witness, but as long as the witness can be considered reliable, testimonial evidence can be almost as powerful as real evidence. Word processor documents written by a witness can be considered testimonial.
Hearsay: Hearsay is any evidence presented by a person who was not a direct witness. Word processor documents written by someone without direct knowledge of the incident are hearsay. Hearsay is generally inadmissible in court and should be avoided.
Q4. What are the Rules of Evidence?
Answer :
There are five rules of collecting electronic evidence. These relate to five properties that evidence must have to be useful:
1. Admissible
2. Authentic
3. Complete
4. Reliable
5. Believable
1. Admissible: This is the most basic rule: the evidence must be able to be used in court or otherwise. Failure to comply with this rule is equivalent to not collecting the evidence in the first place, except that the cost is higher.
2. Authentic: If you can't tie the evidence positively to the incident, you can't use it to prove anything. You must be able to show that the evidence relates to the incident in a relevant way.
3. Complete: It's not enough to collect evidence that just shows one perspective of the incident. Not only should you collect evidence that can prove the attacker's actions, but also evidence that could prove their innocence. For instance, if you can show the attacker was logged in at the time of the incident, you also need to show who else was logged in, and why you think they didn't do it. This is called exculpatory evidence and it is an important part of proving a case.
4.
Reliable: The evidence you collect must be reliable. Your evidence collection and analysis procedures must not cast doubt on the evidence's authenticity and veracity.

Often, important communications are committed to writing, and such writings can make or break a case. The same is true of documents used to conduct financial transactions. The best evidence rules also work differently today, because copies of computer files are as good as the original electronic document. From a computer forensics standpoint, this can be proven mathematically: there is no difference between the original and an exact copy. In addition, modern technology has created new types of documentary evidence that previously did not exist. This is especially true for the creation of documents on a computer word processor. When electronic documents are created, bits and pieces of the drafts leading up to the creation of the final document are written in temporary computer files, the Windows swap file, and file slack. Electronic document discovery is clearly changing the way lawyers and the courts do business when it comes to documents created with personal computers. From a computer forensics perspective, computer data is stored at multiple levels on computer storage media. Some levels are visible to the computer user and others are not. When computer files are deleted, the data is not really deleted. Also, fragments of various drafts of documents and e-mail linger for months in storage locations on hard disk drives, floppy diskettes and zip disks.
Q7. What is the general procedure for collecting and analyzing evidence?
Answer :
When collecting and analyzing evidence, there is a general four step procedure you should follow. Note that this is a very general outline; you should customize the details to suit your situation.
1. Identification of Evidence: You must be able to distinguish between evidence and junk data.
For this purpose, you should know what the data is, where it is located, and how it is stored. Once this is done, you will be able to work out the best way to retrieve and store any evidence you find.
2. Preservation of Evidence: The evidence you find must be preserved as close as possible to its original state. Any changes made during this phase must be documented and justified.
3. Analysis of Evidence: The stored evidence must then be analyzed to extract the relevant information and recreate the chain of events. Analysis requires in-depth knowledge of what you are looking for and how to get it. Always be sure that the person or people who are analyzing the evidence are fully qualified to do so.
4. Presentation of Evidence: Communicating the meaning of your evidence is vitally important; otherwise you can't do anything with it. The manner of presentation is important, and it must be understandable by a layman to be effective. It should remain technically correct and credible. A good presenter can help in this respect.
Q8. Explain the collection and archiving of evidence.
Answer :
Once you've developed a plan of attack and identified the evidence that needs to be collected, it's time to start the actual process of capturing the data. Storage of that data is also important, as it can affect how the data is perceived.
Logs and Logging: You should be running some kind of system logging function. It is important to keep these logs secure and to back them up periodically. Because logs are usually automatically timestamped, a simple copy should suffice, although you should digitally sign and encrypt any logs that are important, to protect them from contamination. Remember, if the logs are kept locally on the compromised machine, they are susceptible to either alteration or deletion by an attacker.
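The digital signing of logs recommended above, shown as an added example that is not code from these notes: each record carries an HMAC-SHA256 tag over its own line and the previous record's tag, so re-verifying the sealed copy detects an altered or deleted interior entry. The key KEY and the three syslog-style lines are constructed placeholders, not real data.

```python
# Added example (not from these notes): a tamper-evident log chain.
# Each record stores an HMAC-SHA256 tag computed over the previous record's
# tag plus its own line, so altering or deleting an interior entry breaks the
# chain when the sealed copy is re-verified against the key.
import hashlib
import hmac

# Constructed, hypothetical signing key and syslog-style lines (not real data).
KEY = b"constructed-demo-key-keep-off-the-monitored-host"
SAMPLE_LINES = [
    "Mar 10 02:14:01 web01 sshd[4412]: Accepted publickey for deploy from 10.0.0.5 port 51022",
    "Mar 10 02:14:07 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx",
    "Mar 10 02:15:30 web01 sshd[4490]: Failed password for root from 203.0.113.7 port 40122",
]
GENESIS = b"\x00" * 32  # the tag "before" the first entry


def _tag(key, prev_tag, line):
    """HMAC over (previous tag || line): the chaining step."""
    return hmac.new(key, prev_tag + line.encode("utf-8"), hashlib.sha256).digest()


def seal(lines, key):
    """Return a list of {'line', 'tag'} records chained from GENESIS."""
    prev = GENESIS
    sealed = []
    for line in lines:
        tag = _tag(key, prev, line)
        sealed.append({"line": line, "tag": tag.hex()})
        prev = tag
    return sealed


def verify(sealed, key, expected_count=None):
    """Recompute the chain. Returns (ok, index_of_first_bad_entry_or_None).

    expected_count is what an out-of-band copy (e.g. the remote log server)
    says the count should be; without it, truncation of the tail is invisible.
    """
    if expected_count is not None and len(sealed) != expected_count:
        return False, len(sealed)
    prev = GENESIS
    for i, rec in enumerate(sealed):
        tag = _tag(key, prev, rec["line"])
        if not hmac.compare_digest(tag.hex(), rec["tag"]):
            return False, i
        prev = tag
    return True, None


if __name__ == "__main__":
    chain = seal(SAMPLE_LINES, KEY)
    print("intact:", verify(chain, KEY))
    edited = [dict(r) for r in chain]
    edited[2]["line"] = edited[2]["line"].replace("Failed", "Accepted")
    print("edited entry 2:", verify(edited, KEY))
    print("deleted entry 1:", verify(chain[:1] + chain[2:], KEY))
    print("tail dropped, no count:", verify(chain[:2], KEY))
    print("tail dropped, with count:", verify(chain[:2], KEY, expected_count=3))
```

Editing or deleting any entry other than the last one fails verification at that index. Two things the chain alone cannot catch are dropping entries from the tail and appending plausible entries with a stolen key, which is why the key should not live on the monitored host and why a remote log server holding its own copy and count is still needed.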
Having a remote system log server and storing logs in a sticky directory can reduce this risk, although it is still possible for an attacker to add decoy or junk entries into the logs.
Monitoring: Monitoring network traffic can be useful for many reasons: you can gather statistics, watch out for irregular activity, and trace where an attacker is coming from and what they are doing. Monitoring logs as they are created can often show you important information you might have missed if you had seen them separately. This doesn't mean you should ignore logs; it may be what is missing from the logs that is suspicious.
Q9. Explain the step by step guide for the collection steps.
Answer :
You now have enough information to build a step-by-step guide for the collection of the evidence. Once again, this is only a guide; you should customize it to your specific situation. You should perform the following collection steps:
1. Find the evidence
2. Find the relevant data
3. Create an order of volatility
4. Remove external avenues of change
5. Collect the evidence
6. Document everything
1. Find the Evidence: Determine where the evidence you are looking for is stored. Use a checklist: not only does it help you to collect evidence, but it can also be used to double check that everything you are looking for is there.
2. Find the Relevant Data: Once you've found the evidence, you must figure out what part of it is relevant to the case. In general, you should err on the side of over-collection, but you must remember that you have to work fast; don't spend hours collecting information that is obviously useless.
3. Create an Order of Volatility: Now that you know exactly what to gather, you need to work out the best order in which to gather it.
The order of volatility for your system is a good guide and ensures that you minimize loss of uncorrupted evidence.
4. Remove External Avenues of Change:
5. Collect the Evidence: You can now start to collect the evidence using the appropriate tools for the job. As you go, re-evaluate the evidence you've already collected. You may find that you missed something important. Now is the time to make sure you get it.
6. Document Everything: Your collection procedures may be questioned later, so it is important that you document everything that you do.

2.3 RETRIEVED AND UNRETRIEVED COMMUNICATIONS
Q10. Explain Data Back-up and Recovery.
Answer :
We live in a world that is driven by the exchange of information. Ownership of information is one of the most highly valued assets of any business striving to compete in today's global economy. Companies that can provide reliable and rapid access to their information are now the fastest growing organizations in the world. To remain competitive and succeed, they must protect their most valuable asset: data. However, there are obstacles to backing up applications. Let's look at a few.
Back-up Obstacles: The following are obstacles to backing up applications:
* Back-up window
* Network bandwidth
* System throughput
* Lack of resources
Back-up Window: The back-up window is the period of time when back-ups can be run. The back-up window is generally timed to occur during non-production periods when network bandwidth and CPU utilization are low.
Network Bandwidth: Many companies now have more data to protect than can be transported across existing LAN and WAN networks. If a network cannot handle the impact of transporting hundreds of gigabytes of data over a short period of time, the organization's centralized back-up strategy is not viable.
System Throughput: There are three I/O bottlenecks commonly found in traditional back-up schemes. These are:
1. The ability of the system being backed up to push data to the back-up server.
2. The ability of the back-up server to accept data from multiple systems simultaneously.
3. The available throughput of the tape device onto which the data is moved.
Lack of Resources: Many companies fail to make appropriate investments in data protection until it is too late. Often, IT managers choose not to allocate funding for centralized data protection because of competing demands resulting from emerging issues such as e-commerce, Internet/Intranet applications and other new technologies.
Q11. Explain the future of Data Back-up.
Answer :
Successful data back-up and recovery is composed of four key elements: the back-up server, the network, the back-up window and the back-up storage device. These components are highly dependent on one another, and the overall system can only operate as well as its weakest link. To help define how data back-up is changing to accommodate the issues described earlier, let's take a look at each element of a back-up and recovery design and review the improvements being made.
THE BACK-UP SERVER: The back-up server is responsible for managing the policies, schedules, media catalogs and indexes associated with the systems it is configured to back up. The systems being backed up are called clients.
THE NETWORK DATA PATH: Centralization of a data management process such as back-up and recovery requires a robust and available network data path. The movement and management of hundreds or thousands of megabytes of data can put strain on even the best designed networks.
THE BACK-UP WINDOW: Of all the parameters that drive the design of a back-up application, one remains an absolute constant, and that is time. A back-up window defines how much time is available to back up the network. However, the back-up software community has once again developed a way to overcome the element of time by using incremental back-ups, block level back-ups, image back-ups and data archiving.
BACK-UP STORAGE DEVICES: In many cases the single most expensive item in a back-up project is the back-up storage device itself.
Therefore, it is important that the technical specifications of the storage device provide adequate capacity and performance to accommodate existing and planned data.
Q12. Explain the Role of Back-up in Data Recovery.
Answer :
There are many factors that affect back-up. For example:
* Storage costs are decreasing.
* Systems have to be online continuously.
* The role of back-up has changed.
Storage Costs are Decreasing: The cost per MB of primary storage has fallen dramatically over the last several years and continues to do so as disk drive technologies advance. This has a huge impact on back-up. As users become accustomed to having immediate access to more and more information online, the time required to restore data from secondary media is found to be unacceptable.
Systems have to be Online Continuously: Seven/twenty-four operations have become the norm in many of today's businesses. The amount of data that has to be kept online and available is very large and constantly increasing. Higher and higher levels of fault tolerance for the primary data repository are a growing requirement. Because systems must be continuously online, the dilemma becomes that you can no longer take them offline long enough to perform a back-up.
The Role of Back-up has Changed: It's no longer just about restoring data. Operationally, restoring data does not guard against data corruption and user error. The role of back-up is now taking on the responsibility for recovering from user errors and ensuring that good data has been saved and can quickly be restored.
Q13. Explain the Data Recovery Solution.
Answer :
* Increasing Complexity: Increased availability is good, except for one fact. Many systems programmers, DBAs and other mainframe experts are maturing. The complex systems that have evolved over the past 30 years must be monitored, managed, controlled, and optimized. Batch windows are shrinking down to almost nothing.
* Budgets and Downtime: Business today simply cannot tolerate availability problems, no matter what the source of the problem. Systems must remain available to make money and serve customers. Downtime is much too expensive to be tolerated. You must balance your data management budget against the cost of downtime.
* Think Before You Back Up: One of the most data management tasks involves

2.4 DISCUSS THE IMPORTANCE OF UNDERSTANDING WHAT COURT DOCUMENT WOULD BE REQUIRED FOR A CRIMINAL INVESTIGATION
Q14. What is Computer Crime Investigation?
Answer :
Computer forensics is "the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis". The computer investigation model shown in the figure organizes the different computer forensics elements into a logical flow.
Computer Investigation Model (figure): four phases, each with its processes:
  Assess: Notify and acquire authorization; Review policies and laws; Identify team members; Prepare for evidence acquisition.
  Acquire: Build investigation toolkit; Collect data; Store and archive.
  Analyze: Analyze network data; Analyze host data; Analyze storage media.
  Report: Gather and organize; Write the report.
The four investigation phases and accompanying processes in the figure should be applied when working with digital evidence. The phases can be summarized as follows:
* Assess the situation: Analyze the scope of the investigation and the action to be taken.
* Acquire the data: Gather, protect and preserve the original evidence.
* Analyze the data: Examine and correlate digital evidence with events of interest that will help you make a case.
* Report the investigation: Gather and organize the collected information and write the final report.
Before you begin each of the general investigation phases, you should apply the initial decision-making process as shown in the figure.
Initial Decision-Making Process (figure): Should law enforcement be involved?

* Yes: End the internal investigation; contact the law enforcement agency; provide assistance.
* No: Continue the internal investigation.

Fig. Initial decision-making process

You should determine whether or not to involve law enforcement with the assistance of advisors. If you determine that law enforcement is needed, then you need to continue the internal investigation unless law enforcement officials advise otherwise. Depending on the type of incident being investigated, the primary concern should be to prevent further damage to the organization by

UNIT - III EVIDENCE MANAGEMENT & PRESENTATION

Q1. What is evidence management?

Answer :

Forensic evidence management, from the crime scene to the courtroom, provides best-practice policies for forensic science entities and their employees to maintain chain of custody and evidence integrity throughout the course of evidence collection, storage, preservation and processing.

Q2. What is evidence?

Answer :

Evidence refers to information or objects that may be admitted into court for judges and juries to consider when hearing a case. Evidence can come from genetic materials or trace chemicals to dental history or fingerprints.

Q3. What are the two types of evidence?

Answer :

The two types of evidence are testimonial evidence and physical evidence.

1. Testimonial evidence: It is evidence in the form of a statement made under oath. It is also called direct evidence.
2. Physical evidence: Physical evidence refers to any material items that would be present at the crime scene, on the victims or found in a suspect's possession.

Q4. Define operating system forensics?

Answer :

Operating system forensics is the process of retrieving useful information from the operating system (OS) of the computer or mobile device in question. The aim of collecting this information is to acquire empirical evidence.
Q5. What are the most popular OS?

Answer :

The most popular types of operating systems are Windows, Linux, Mac, iOS and Android.

Q6. What are the examination steps in operating system forensics?

Answer :

There are five basic steps necessary for the study of operating system forensics. These five steps are listed below:

1. Policy and procedure development
2. Evidence assessment
3. Evidence acquisition
4. Evidence examination
5. Documenting and reporting

Q7. Write short notes on data acquisition methods for operating system forensics?

Answer :

There are four data acquisition methods for operating system forensics that can be performed in both static acquisition and live acquisition. These methods are:

1. Disk-to-image file
2. Disk-to-disk copy
3. Disk-to-data file
4. The sparse copy of a file

Q8. What are the tools mostly used when conducting operating system forensics?

Answer :

Many tools can be used to perform data acquisition on operating systems. The most common tools are:

* Helix
* X-Ways Forensics

Q9. Write short notes on data analysis for operating system forensics?

Answer :

Forensic examiners perform data analysis to examine artifacts left by perpetrators, hackers, viruses and spyware. They scan deleted entries, swap or page files, spool files and RAM during this process. These collected artifacts can provide a wealth of information with regard to how malicious actors tried to cover their tracks and what they were doing to a system.

Q10. Give the names of the branches within the scope of forensic science?

Answer :

* Forensic Biology/DNA
* Forensic Odontology
* Forensic Toxicology
* Forensic Anthropology
* Forensic Pathology

Q11. Write short notes on trace evidence?

Answer :

Evidence such as fibers, soil, hair, gunshot residue, wood, and pollen are some of the many examples of trace evidence.
It derives its name from its tendency to be easily transferable between objects, people or the environment during a crime. Trace evidence often plays a pivotal role in establishing a prime link between a suspect and the victim.

Q12. What are the basic steps of criminal profiling?

Answer :

The basic steps of criminal profiling include in-depth analysis of the crime scene, analyzing the incident and drawing comparisons with similar events in the past, evaluation of the victim's background and activities, considering all possible motives, and preparing a detailed description of the suspects in order to compare it with previous cases.

Q13. Definition of law enforcement?

Answer :

The department of people who enforce laws, investigate crimes and make arrests. Law enforcement is the activity of some members of government who act in an organized manner to enforce the law by discovering, deterring, rehabilitating, or punishing people who violate the rules and norms governing that society.

Q14. What is crime? Elements of crime?

Answer :

Crime is a public wrong. It is an act of offense which violates the law of the state and is strongly disapproved of by society. Crime is defined as acts or omissions forbidden by law that can be punished by imprisonment or fine. For an act of crime to be accomplished, the following four elements are needed:

1. Individual
2. Mens rea
3. Actus reus
4. Injury/hurt

Q15. Give some causes of crime?

Answer :

No individual is a born criminal; it is the situations and the conditions around the individual which make him act as a criminal. There are several causes which make an individual turn into a criminal. The main causes of crime are:

a. Social causes
b. Economic causes
c. Psychological causes
d. Biological causes
e. Geographical causes

Q16. What are the types of crimes?
Answer :

Based on the medium which is being affected, crimes are of the following types:

* Personal crimes
* Property crimes
* Victimless crimes
* White-collar crimes
* Organized crimes
* Computer crime
* Violation of public safety

Q17. Name the rules of evidence?

Answer :

1. Admissible: The evidence must be able to be used in court.
2. Authentic: You must be able to show that the evidence relates to the incident in a relevant way.
3. Complete: It is not enough to collect evidence that just shows one perspective of the incident.
4. Reliable: Your evidence collection and analysis procedures must not cast doubt on the evidence's authenticity and veracity.
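The disk-to-image acquisition of Q7, the chain-of-custody and evidence-integrity requirement of Q1, and the authentic and reliable rules of Q17 come together in the following added Python example, which is not part of these notes: it copies a constructed stand-in device block by block, hashes source and image independently, records every handling step in a custody log, and detects a later alteration of the image. SOURCE_DEVICE, the handler names and the log format are assumptions made for the example.

```python
"""Disk-to-image acquisition with SHA-256 verification and a chain-of-custody log.
Added example: SOURCE_DEVICE is a constructed byte string standing in for a drive;
a real acquisition reads the block device through a write blocker."""
import hashlib
import io
from datetime import datetime, timezone

BLOCK_SIZE = 512  # copy and hash in fixed blocks, like a sector-by-sector imager

# Constructed stand-in for a small storage device (not real evidence data).
SOURCE_DEVICE = b"MBR" + b"\x00" * 509 + b"case-file.docx contents " * 40 + b"\x00" * 200


def hash_stream(stream, block_size=BLOCK_SIZE):
    """SHA-256 hex digest of a stream, read block by block."""
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(block_size), b""):
        digest.update(block)
    return digest.hexdigest()


def _log(log, action, handler, **fields):
    """Append one chain-of-custody entry: who did what, when, with which hashes."""
    entry = {"time": datetime.now(timezone.utc).isoformat(),
             "action": action, "handler": handler}
    entry.update(fields)
    log.append(entry)


def acquire_image(source_bytes, handler, log):
    """Copy source to an image block by block; return (image, source_hash, image_hash)."""
    source, image = io.BytesIO(source_bytes), io.BytesIO()
    for block in iter(lambda: source.read(BLOCK_SIZE), b""):
        image.write(block)
    source_hash = hash_stream(io.BytesIO(source_bytes))  # hash the original after copying
    image_hash = hash_stream(io.BytesIO(image.getvalue()))  # hash the copy independently
    _log(log, "acquire disk-to-image", handler, source_sha256=source_hash,
         image_sha256=image_hash, verified=source_hash == image_hash)
    return image.getvalue(), source_hash, image_hash


def verify_image(image_bytes, expected_hash, handler, log):
    """Re-hash an image before analysis; False means it no longer matches the acquisition."""
    current = hash_stream(io.BytesIO(image_bytes))
    ok = current == expected_hash
    _log(log, "verify image", handler, image_sha256=current, verified=ok)
    return ok
```

A mismatch on verify_image means the image can no longer be shown to be the copy that was acquired, so it fails the authentic and reliable rules and the custody log records exactly when that was found.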
