CF - Unit 3
----------------------------------------------------------------------------------------------------------------------------------------------------------
4) What is digital evidence? State and explain general tasks that the investigators perform when working with
digital evidence.
ANS:
• Digital evidence can be any information stored or transmitted in digital form.
• U.S. courts accept digital evidence as physical evidence, which means that digital data is treated as a
tangible object, such as a weapon, paper document, or visible injury, that’s related to a criminal or civil
incident.
• Courts in other countries are still updating their laws to take digital evidence into account. Some require
that all digital evidence be printed out to be presented in court.
• Following are the general tasks investigators perform when working with digital evidence:
1. Identify digital information or artifacts that can be used as evidence.
2. Collect, preserve, and document evidence.
3. Analyze, identify, and organize evidence.
4. Rebuild evidence or repeat a situation to verify that the results can be reproduced reliably.
• Collecting computers and processing a criminal or incident scene must be done systematically.
• To minimize confusion, reduce the risk of losing evidence, and avoid damaging evidence, only one person
should collect and catalog digital evidence at a crime scene or lab, if practical.
• If there’s too much evidence or too many systems to make it practical for one person to perform these
tasks, all examiners must follow the same established operating procedures, and a lead or managing
examiner should control collecting and cataloguing evidence.
• Also use standardized forms for tracking evidence to ensure that evidence is handled in a safe, secure
manner.
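The "collect, preserve, document, verify" tasks above are usually backed by a cryptographic fingerprint of each item and an append-only custody log. The following is an added example written for these notes (it is not from the textbook or any forensic tool); the case/item identifiers, handler names and the sample "image" bytes are constructed for illustration, and the choice of SHA-256 as the fingerprint is an assumption.

```python
"""Evidence intake and custody log: collect, preserve (hash), document, verify.

Added example, not from the original notes. Item IDs, handler names and the
sample 'image' bytes are constructed; SHA-256 as the fingerprint is assumed.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 hex digest used as the evidence item's fingerprint."""
    return hashlib.sha256(data).hexdigest()


class EvidenceLog:
    """One catalogued evidence item plus its chain-of-custody entries.

    A single examiner creates the record; every later handling step is an
    appended entry, never an edit of an earlier one.
    """

    def __init__(self, item_id: str, description: str, data: bytes, collector: str):
        self.item_id = item_id
        self.description = description
        self.acquired_hash = sha256_hex(data)   # fingerprint taken at collection time
        self.entries = []
        self.add_entry(collector, "collected and hashed at scene")

    def add_entry(self, handler: str, action: str) -> dict:
        """Append one custody entry (sequence number, UTC time, who, what)."""
        entry = {
            "seq": len(self.entries) + 1,
            "when": datetime.now(timezone.utc).isoformat(),
            "handler": handler,
            "action": action,
        }
        self.entries.append(entry)
        return entry

    def verify(self, data: bytes, handler: str) -> bool:
        """Re-hash the item; the result, pass or fail, is always logged."""
        ok = sha256_hex(data) == self.acquired_hash
        self.add_entry(handler, "integrity check " + ("passed" if ok else "FAILED"))
        return ok

    def to_json(self) -> str:
        """Serialise the record in the form a standardized evidence form would hold."""
        return json.dumps({"item_id": self.item_id, "description": self.description,
                           "sha256": self.acquired_hash, "custody": self.entries}, indent=2)


# Constructed sample: stands in for the bytes of an acquired disk image.
SAMPLE_IMAGE = b"\x00" * 512 + b"EXAMPLE-FS-HEADER" + b"\xff" * 512


def demo() -> tuple:
    """Walk one item through collection, transfer and two integrity checks."""
    log = EvidenceLog("CASE-001/ITEM-01", "USB drive image (constructed sample)",
                      SAMPLE_IMAGE, "Examiner A")
    log.add_entry("Examiner A", "transferred to lab safe")
    intact = log.verify(SAMPLE_IMAGE, "Examiner B")              # unchanged copy -> True
    tampered = log.verify(SAMPLE_IMAGE + b"\x00", "Examiner B")  # altered copy -> False
    return intact, tampered, len(log.entries)


if __name__ == "__main__":
    intact, tampered, n = demo()
    print(f"intact={intact} tampered={tampered} custody_entries={n}")
```

The hash taken at collection is what later lets a second examiner (or a court) confirm that the analysed copy is the one that was seized; a failed check is recorded in the log rather than hidden, because the gap in custody is itself evidence about the evidence.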
----------------------------------------------------------------------------------------------------------------------------------------------------------
6) Explain the legal process to conduct computer investigation for potential criminal violations of law.
ANS:
• When conducting a computer investigation for potential criminal violations of the law, the legal processes
we follow depend on local custom, legislative standards, and rules of evidence.
• In general, however, a criminal case follows three stages: the complaint, the investigation, and the
prosecution.
• Someone files a complaint; a specialist investigates the complaint and, with the help of a prosecutor,
collects evidence and builds a case. If a crime has been committed, the case is tried in court.
• A criminal investigation can begin only when someone finds evidence of an illegal act or witnesses an
illegal act.
• The witness or victim (often referred to as the “complainant”) makes an allegation to the police, an
accusation or supposition of fact that a crime has been committed.
• A police officer interviews the complainant and writes a report about the crime. The police department
processes the report, and management decides to start an investigation or log the information into a police
blotter.
• The police blotter provides a record of clues to crimes that have been committed previously.
• Criminals often repeat actions in their illegal activities, and these habits can be discovered by examining
police blotters. This historical knowledge is useful when conducting investigations, especially in high-
technology crimes.
• Blotters now are generally electronic files, often databases, so they can be searched more easily than the
old paper blotters.
• Not every police officer is a computer expert. Some are computer novices; others might be trained to
recognize what they can retrieve from a computer disk.
• To differentiate the training and experience officers have, CTIN has established three levels of law
enforcement expertise:
Level 1- Acquiring and seizing digital evidence, normally performed by a police officer on the scene.
Level 2- Managing high-tech investigations, teaching investigators what to ask for, and
understanding computer terminology and what can and can’t be retrieved from digital evidence. The
assigned detectives usually handle the case.
Level 3- Specialist training in retrieving digital evidence, normally conducted by a data recovery or
computer forensics expert, network forensics expert, or Internet fraud investigator. This person
might also be qualified to manage a case, depending on his or her background.
• In a criminal or public case, if we have enough information to support a search warrant, the prosecuting
attorney might direct us to submit an affidavit.
• We must then have the affidavit notarized under sworn oath to verify that the information in the affidavit
is true.
• After a judge approves and signs a search warrant, it’s ready to be executed, meaning we can collect
evidence as defined by the warrant.
• After we collect the evidence, we process and analyse it to determine whether a crime actually occurred.
The evidence can then be presented in court in a hearing or trial.
----------------------------------------------------------------------------------------------------------------------------------------------------------
8) Explain the legal process to conduct computer investigation for potential criminal violations of law.
(Refer to Q.no. 6 for answer)
-----------------------------------------------------------------------------------------------------------------------------------------------------------
Importance of Consistency:
• Consistency in the report eliminates uncertainty and confusion for the reader.
• Every section of the report must follow the same format (headings, numbering, and style).
Include metadata:
• Metadata is information about a file, such as who created it and its time and date stamps.
• Two types of file metadata can be used in forensic investigations:
1. System metadata: information kept by the file system, such as the file's location and its modified,
accessed, and created (MAC) timestamps; it can be used to identify when a file was moved or changed.
2. Application metadata: information embedded in the file by the program that created it, such as the
document author, document version, macros, and, for e-mail, the To, From, and Subject fields.
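To make the two metadata classes concrete, the following added example (written for these notes, not from the textbook or any forensic tool) pulls system metadata with os.stat and application metadata from a minimal .docx (its docProps/core.xml) and an .eml message. Both files are constructed in a temporary directory; the author, dates and addresses in them are made up.

```python
"""Extracting system metadata and application metadata from sample files.

Added example, not from the original notes. The .docx and .eml files are
constructed in a temporary directory; author, dates and addresses are made up.
"""
import email
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces used by docProps/core.xml inside an OOXML (.docx) package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}


def system_metadata(path: str) -> dict:
    """File-system (system) metadata: where the file is and its timestamps."""
    st = os.stat(path)
    iso = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
    # st_ctime is inode-change time on POSIX but creation time on Windows.
    return {"path": os.path.abspath(path), "size": st.st_size,
            "modified": iso(st.st_mtime), "accessed": iso(st.st_atime),
            "changed": iso(st.st_ctime)}


def docx_metadata(path: str) -> dict:
    """Application metadata the authoring program stored in docProps/core.xml."""
    with zipfile.ZipFile(path) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
        has_macros = "word/vbaProject.bin" in z.namelist()   # macro container, if any

    def text(tag):
        node = root.find(tag, NS)
        return node.text if node is not None else None

    return {"author": text("dc:creator"), "last_modified_by": text("cp:lastModifiedBy"),
            "revision": text("cp:revision"), "created": text("dcterms:created"),
            "modified": text("dcterms:modified"), "has_macros": has_macros}


def email_metadata(path: str) -> dict:
    """Application metadata carried in the headers of an .eml message."""
    with open(path, "rb") as f:
        msg = email.message_from_binary_file(f)
    return {"from": msg["From"], "to": msg["To"],
            "subject": msg["Subject"], "date": msg["Date"]}


# Constructed core.xml with made-up author, editor, revision and dates.
CORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">
<dc:creator>A. Author</dc:creator><cp:lastModifiedBy>B. Editor</cp:lastModifiedBy>
<cp:revision>7</cp:revision><dcterms:created>2024-01-02T10:00:00Z</dcterms:created>
<dcterms:modified>2024-01-05T16:30:00Z</dcterms:modified></cp:coreProperties>""".format(**NS)

# Constructed message with made-up addresses.
SAMPLE_EML = (b"From: alice@example.test\r\nTo: bob@example.test\r\n"
              b"Subject: Q1 proposal\r\nDate: Fri, 05 Jan 2024 16:45:00 +0000\r\n"
              b"\r\nSee attached.\r\n")


def build_samples(directory: str) -> tuple:
    """Write a minimal .docx (zip holding core.xml) and an .eml; return their paths."""
    docx = os.path.join(directory, "proposal.docx")
    with zipfile.ZipFile(docx, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", CORE_XML)
    eml = os.path.join(directory, "message.eml")
    with open(eml, "wb") as f:
        f.write(SAMPLE_EML)
    return docx, eml


def demo() -> dict:
    """Build the samples and return both metadata classes for each."""
    with tempfile.TemporaryDirectory() as d:
        docx, eml = build_samples(d)
        return {"docx_system": system_metadata(docx), "docx_app": docx_metadata(docx),
                "eml_app": email_metadata(eml)}


if __name__ == "__main__":
    for name, values in demo().items():
        print(name, values)
```

Note that the two classes can disagree: the file system's modified time reflects the last write on this volume (copying a file often resets it), while dcterms:modified was set by the word processor and travels with the document. Recording both, and explaining any mismatch, is exactly what the report section above asks for.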
-----------------------------------------------------------------------------------------------------------------------------------------------------------
These features were updated in 2008 with the IT (Amendment) Act, which introduced new provisions such as
Section 66A, which criminalized the sending of offensive messages through electronic communication. However,
this section was struck down by the Supreme Court of India in 2015.
------------------------------------------------------------------------------------------------------------------------------------------------------
17) What are the steps to create image files of digital evidence?
(Refer to Q.no. 3 for answer)
------------------------------------------------------------------------------------------------------------------------------------------------------
18) What is authorized requestor? Why should companies appoint them for computer investigations?
Ans:
• In a private-sector environment, the person who has the right to request an investigation, such as the chief
security officer or chief intelligence officer, is called an authorized requester.
• In addition to using warning banners that state a company’s rights of computer ownership, businesses are
advised to specify an authorized requester who has the power to initiate investigations.
• Executive management should define a policy to avoid conflicts from competing interests in organizations.
• In large organizations, competition for funding or management support can become so fierce that people
might create false allegations of misconduct to prevent competing departments from delivering a proposal for
the same source of funds.
• To avoid inappropriate investigations, executive management must also define and limit who’s authorized to
request a computer investigation and forensics analysis.
• Generally, the fewer groups with authority to request a computer investigation, the better.
• Examples of groups with authority to request computer investigations in a corporate environment include the
following:
Corporate security investigations
Corporate ethics office
Corporate equal employment opportunity office
Internal auditing
The general counsel or legal department
• All other groups, such as the Human Resources Department, should coordinate their requests through the
corporate security investigations group.
• This policy separates the investigative process from the process of employee discipline.
----------------------------------------------------------------------------------------------------------------------------------------------------------
• The Act was amended in 2008 to bring it in line with the changing technology and the growing incidence of
cybercrimes.
• The IT Act 2000 provides a legal framework for electronic transactions and creates provisions for the regulation
of digital signatures, electronic records, and other aspects of information technology. The Act defines various
cybercrimes such as hacking, unauthorized access, tampering with computer source code, and data theft, and
prescribes penalties for them.
• The Act also establishes the office of Controller of Certifying Authorities (CCA) to regulate the functioning of
Certifying Authorities (CAs) who issue digital certificates for electronic transactions. The Act also provides for the
establishment of an Adjudicating Officer to settle disputes related to electronic transactions.
• The IT Act 2000 is a comprehensive legislation that provides for the legal recognition of electronic transactions,
promotes e-commerce and e-governance, and provides for the protection of personal data and sensitive
information.
-----------------------------------------------------------------------------------------------------------------------------------------------------------
20) What is IT Act 2000? (Refer to Q.no. 19 for answer). Write the features of IT Act 2000. (Refer to Q.no. 15
for answer)
-----------------------------------------------------------------------------------------------------------------------------------------------------------