CF - Unit 3


Unit 3

1) List any five rules of evidence.


Ans:
1. The data you discover from a forensic examination falls under your state’s rules of evidence or the Federal
Rules of Evidence.
2. However, digital evidence is unlike other physical evidence because it can be changed more easily. The
only way to detect these changes is to compare the original data with a duplicate. Furthermore,
distinguishing a duplicate from the original electronically is impossible, so digital evidence requires special
legal consideration.
3. Most courts have interpreted computer records as hearsay evidence.
4. The rule against hearsay evidence is deceptively simple and full of exceptions.
5. Hearsay is any out-of-court statement presented in court to prove the truth of an assertion. In other
words, hearsay is evidence of a statement made other than by a witness while testifying at the hearing and
is offered to prove the truth of a statement.
6. The definition of hearsay isn’t difficult to understand, but it can become confusing when considering all
the exceptions to the general rule against hearsay.
7. Twenty-four exceptions in the federal rules don’t require proof that the person who made the statement
is unavailable.
The following are the ones most applicable to computer forensics practice:
• Business records, including those of a public agency.
• Certain public records and reports.
• Evidence of the absence of a business record or entry.
• Learned treatises used to question an expert witness.
• Statements of the absence of a public record or entry.
• The catchall rule, which doesn’t require that the declarant be unavailable to testify.
8. The catchall rule does say that evidence of a hearsay statement not included in one of the other exceptions can be
admitted if it meets the following conditions:
• It has sound guarantees of trustworthiness.
• It is offered to help prove a material fact.
• It is more probative than other equivalent and reasonably obtainable evidence.
• Its admission would forward the cause of justice.
• The other parties have been notified that it will be offered into evidence.

----------------------------------------------------------------------------------------------------------------------------------------------------------

2) Explain the tasks to be completed before searching for evidence.


Ans:
• Preparing for a computer search and seizure is probably the most important step in computing
investigations.
• To perform these tasks, we might need to get answers from the victim (the complainant) and an
informant, who could be a police detective assigned to the case, a law enforcement witness, or a manager or
co-worker of the person of interest to the investigation.
1. Identifying the Nature of the Case:
• When we’re assigned a computing investigation case, we start by identifying the nature of the case,
including whether it involves the private or public sector.
• The nature of the case dictates how we proceed and what types of assets or resources we need to use
in the investigation.
2. Identifying the Type of Computing System:
• Next, determine the type of computing systems involved in the investigation.
• In this case, we must draw on our skills, creativity, and sources of knowledge, such as the Uniform
Crime Report to deal with the unknown.
• Also, determine which OSs and hardware might be involved and whether the evidence is located on a
Microsoft, Linux, UNIX, Macintosh, or mainframe computer.
3. Determining Whether We Can Seize a Computer:
• Generally, the ideal situation for incident or crime scenes is seizing the computers and taking them to
our lab for further processing.
• However, the type of case and location of the evidence determine whether we can remove computers
from the scene.
• Law enforcement investigators need a warrant to remove computers from a crime scene and transport
them to a lab.
• An additional complication is files stored offsite that are accessed remotely. We must decide whether
the drives containing those files need to be examined.
4. Obtaining a Detailed Description of the Location:
• The more information we have about the location of a computer crime, the more efficiently we can
gather evidence from a crime scene.
• Environmental and safety issues are the primary concerns during this process.
• Before arriving at an incident or crime scene, we should identify potential hazards to our safety as well
as that of other examiners.
• Some computer cases involve dangerous settings. For these types of investigations, you must rely on
the skills of hazardous materials (HAZMAT) teams to recover evidence from the scene.
• We must be exact and articulate in our instructions. Ambiguous or incorrect instructions could destroy
evidence.
• Ideally, a computer forensics investigator trained in dealing with HAZMAT environments should
acquire drive images.
5. Determining Who Is in Charge:
• Corporate computing investigations usually require only one person to respond to an incident or crime
scene. Processing evidence involves acquiring an image of a subject’s drive.
• In law enforcement, however, many investigations require additional staff to collect all evidence
quickly.
• For large-scale investigations, a crime or incident scene leader should be designated.
• Anyone assigned to a large-scale investigation scene should cooperate with the designated leader to
ensure that the team addresses all details when collecting evidence.
6. Using Additional Technical Expertise:
• After we collect evidence data, we have to determine whether we need specialized help to process
the incident or crime scene.
• If we’re the leader of this investigation, we must identify the additional skills needed to process the
crime scene, such as enlisting help with a high-end server OS.
• When working at high-end computing facilities, identify the applications the suspect uses, such as
Oracle databases.
• We might need to recruit an Oracle specialist or site support staff to help extract data for the
investigation.
7. Determining the Tools Needed:
• To manage the tools, consider creating an initial-response field kit and an extensive response field kit.
• Using the right kit makes processing an incident or crime scene much easier and minimizes how much
we have to carry from our vehicle to the scene.
• The initial-response field kit should be lightweight and easy to transport. With this kit, we can arrive at
a scene, acquire the data we need, and return to the lab as quickly as possible.
• An extensive-response field kit should include all the tools we can afford to take to the field. When we
arrive at the scene, we should extract only those items we need to acquire evidence.
8. Preparing the Investigation Team:
• Before we initiate the search and seizure of digital evidence at an incident or crime scene, we must
review all the available facts, plans, and objectives with the investigation team we have assembled.
• The goal of scene processing is to collect and secure digital evidence successfully.
• The digital evidence is volatile. Develop the skills to assess the facts quickly, make your plan, gather the
needed resources, and collect data from the incident or crime scene.
-----------------------------------------------------------------------------------------------------------------------------------------
3) What are the steps to create image files of digital evidence?
ANS:
• We must maintain the integrity of digital evidence in the lab. The first task is to preserve the disk data.
• When we are done, be sure to make the suspect drive read-only, and document this step.
• If the disk has been copied with an imaging tool, we must preserve the image files. With most imaging
tools, we can create smaller, compressed volume sets to make archiving the data easier.
• Following are steps to create image files:
1. Copy all image files to a large drive. Most forensics labs have several machines set up with disk
imaging software and multiple hard drives that can be exchanged as needed for the cases. We can
use these resources to copy image files to large drives. Some might be equipped with large network
storage devices for ongoing cases.
2. Start your forensics tool to analyse the evidence.
3. Run an MD5 or SHA-1 hashing algorithm on the image files to get a digital hash.
4. When we finish copying image files to a larger drive, secure the original media in an evidence
locker. Don’t work with the original media; it should be stored in a locker that has an evidence
custody form. Be sure to fill out the form and date it.

----------------------------------------------------------------------------------------------------------------------------------------------------------

4) What is digital evidence? State and explain general tasks that the investigators perform when working with
digital evidence.
ANS:
• Digital evidence can be any information stored or transmitted in digital form.
• U.S. courts accept digital evidence as physical evidence, which means that digital data is treated as a
tangible object, such as a weapon, paper document, or visible injury, that’s related to a criminal or civil
incident.
• Courts in other countries are still updating their laws to take digital evidence into account. Some require
that all digital evidence be printed out to be presented in court.
• Following are the general tasks investigators perform when working with digital evidence:
1. Identify digital information or artifacts that can be used as evidence.
2. Collect, preserve, and document evidence.
3. Analyze, identify, and organize evidence.
4. Rebuild evidence or repeat a situation to verify that the results can be reproduced reliably.
• Collecting computers and processing a criminal or incident scene must be done systematically.
• To minimize confusion, reduce the risk of losing evidence, and avoid damaging evidence, only one person
should collect and catalog digital evidence at a crime scene or lab, if practical.
• If there’s too much evidence or too many systems to make it practical for one person to perform these
tasks, all examiners must follow the same established operating procedures, and a lead or managing
examiner should control collecting and cataloguing evidence.
• Also use standardized forms for tracking evidence to ensure that evidence is handled in a safe, secure
manner.

5) Write a short note on Corporate Investigations.


Ans:
• Private or corporate investigations involve private companies and lawyers who address company policy
violations and litigation disputes, such as wrongful termination.
• Corporate computer crimes can involve e-mail harassment, falsification of data, gender and age
discrimination, embezzlement, sabotage, and industrial espionage, which involves selling sensitive or
confidential company information to a competitor. Anyone with access to a computer can commit these
crimes.
• Embezzlement is a common computer crime, particularly in small firms. Typically, the owner is busy and
trusts one person, such as the office manager, to handle daily transactions.
• Collecting enough evidence to press charges might be beyond the owner’s capabilities.
• Corporate sabotage is most often committed by a disgruntled employee. For example, an employee
decides to take a job at a competitor’s firm and collects confidential files on a disk or USB drive before
leaving.
• This type of crime can also lead to industrial espionage, which increases every year.
• Investigators will soon be able to conduct digital investigations on site without a lab and without
interrupting employees’ work on a computer.
• Investigators can’t seize the evidence; instead, they acquire a disk image and any other pertinent
information and allow the system to go back online as quickly as possible.
• Organizations can help prevent and address these crimes by creating and distributing appropriate policies,
making employees aware of policies, and enforcing policies.
• The most important policies are those defining rules for using the company’s computers and networks; this
type of policy is commonly known as an “acceptable use policy.”
• Organizations should have all employees sign this acceptable use agreement.
• Published company policies also provide a line of authority for conducting internal investigations; it states
who has the legal right to initiate an investigation, who can take possession of evidence, and who can have
access to evidence.
• Another way a private or public organization can avoid litigation is to display a warning banner on
computer screens.
• A warning banner asserts the right to conduct an investigation and notifies the user.

----------------------------------------------------------------------------------------------------------------------------------------------------------

6) Explain the legal process to conduct computer investigation for potential criminal violations of law.
ANS:
• When conducting a computer investigation for potential criminal violations of the law, the legal processes
we follow depend on local custom, legislative standards, and rules of evidence.
• In general, however, a criminal case follows three stages: the complaint, the investigation, and the
prosecution.
• Someone files a complaint; a specialist investigates the complaint and, with the help of a prosecutor,
collects evidence and builds a case. If a crime has been committed, the case is tried in court.
• A criminal investigation can begin only when someone finds evidence of an illegal act or witnesses an
illegal act.
• The witness or victim (often referred to as the “complainant”) makes an allegation to the police, an
accusation or supposition of fact that a crime has been committed.
• A police officer interviews the complainant and writes a report about the crime. The police department
processes the report, and management decides to start an investigation or log the information into a police
blotter.
• The police blotter provides a record of clues to crimes that have been committed previously.
• Criminals often repeat actions in their illegal activities, and these habits can be discovered by examining
police blotters. This historical knowledge is useful when conducting investigations, especially in high-
technology crimes.
• Blotters now are generally electronic files, often databases, so they can be searched more easily than the
old paper blotters.
• Not every police officer is a computer expert. Some are computer novices; others might be trained to
recognize what they can retrieve from a computer disk.
• To differentiate the training and experience officers have, CTIN has established three levels of law
enforcement expertise:
Level 1- Acquiring and seizing digital evidence, normally performed by a police officer on the scene.
Level 2- Managing high-tech investigations, teaching investigators what to ask for, and
understanding computer terminology and what can and can’t be retrieved from digital evidence. The
assigned detectives usually handle the case.
Level 3- Specialist training in retrieving digital evidence, normally conducted by a data recovery or
computer forensics expert, network forensics expert, or Internet fraud investigator. This person
might also be qualified to manage a case, depending on his or her background.
• In a criminal or public case, if we have enough information to support a search warrant, the prosecuting
attorney might direct us to submit an affidavit.
• We must then have the affidavit notarized under sworn oath to verify that the information in the affidavit
is true.
• After a judge approves and signs a search warrant, it’s ready to be executed, meaning we can collect
evidence as defined by the warrant.
• After we collect the evidence, we process and analyse it to determine whether a crime actually occurred.
The evidence can then be presented in court in a hearing or trial.

----------------------------------------------------------------------------------------------------------------------------------------------------------

7) Explain Digital Signature and Electronic Signature


ANS: DIGITAL SIGNATURE AND ELECTRONIC SIGNATURE (amended vide ITAA 2008)
Authentication of Electronic Records
(1) Subject to the provisions of this section any subscriber may authenticate an electronic record by affixing his
Digital Signature
(2) The authentication of the electronic record shall be effected by the use of asymmetric crypto system and
hash function which envelop and transform the initial electronic record into another electronic record.
Explanation –
For the purposes of this sub-section, "Hash function" means an algorithm mapping or translation of one
sequence of bits into another, generally smaller, set known as "Hash Result" such that an electronic record yields
the same hash result every time the algorithm is executed with the same electronic record as its input making it
computationally infeasible
(a) to derive or reconstruct the original electronic record from the hash result produced by the algorithm;
(b) that two electronic records can produce the same hash result using the algorithm.
(3) Any person by the use of a public key of the subscriber can verify the electronic record.
(4) The private key and the public key are unique to the subscriber and constitute a functioning key pair.
3A Electronic Signature (Inserted vide ITAA 2006)
(1) Notwithstanding anything contained in section 3, but subject to the provisions of sub-section (2), a subscriber
may authenticate any electronic record by such electronic signature or electronic authentication technique which-
(a) is considered reliable; and
(b) may be specified in the Second Schedule
(2) For the purposes of this section any electronic signature or electronic authentication technique shall be
considered reliable if-
(a) the signature creation data or the authentication data are, within the context in which they are used, linked
to the signatory or, as the case may be, the authenticator and of no other person;
(b) the signature creation data or the authentication data were, at the time of signing, under the control of the
signatory or, as the case may be, the authenticator and of no other person;
(c) any alteration to the electronic signature made after affixing such signature is detectable
(d) any alteration to the information made after its authentication by electronic signature is detectable; and
(e) it fulfills such other conditions which may be prescribed.
(3) The Central Government may prescribe the procedure for the purpose of ascertaining whether electronic
signature is that of the person by whom it is purported to have been affixed or authenticated
(4) The Central Government may, by notification in the Official Gazette, add to or omit any electronic signature
or electronic authentication technique and the procedure for affixing such signature from the second schedule;
Provided that no electronic signature or authentication technique shall be specified in the Second Schedule
unless such signature or technique is reliable
(5) Every notification issued under sub-section (4) shall be laid before each House of Parliament.
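Added example (not part of the Act or of these notes) showing the mechanism section 3 describes: a hash function condenses the record into a hash result, the subscriber transforms that result with the private key, and anyone holding the public key can check it. The key pair (P, Q, N, E, D) is a deliberately tiny constructed one, SHA-256 stands in for the hash function, and reducing the digest mod N is a simplification of the padding a real scheme uses; all names are this example's own.

```python
import hashlib

# Constructed, purely educational key pair from two well-known Mersenne primes.  It is far too
# small to be secure (a real subscriber key is 2048 bits or more); it only makes the arithmetic
# of section 3 visible.
P = 2147483647            # 2^31 - 1
Q = 2305843009213693951   # 2^61 - 1
N = P * Q                 # modulus shared by both keys
E = 65537                 # public exponent: (N, E) is the public key


def _modinv(a, m):
    """Extended Euclid: return d with a*d = 1 (mod m)."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("exponent not invertible")
    return old_s % m


D = _modinv(E, (P - 1) * (Q - 1))  # private exponent: (N, D) is the private key the subscriber keeps


def hash_result(record):
    """Section 3(2) 'hash result': SHA-256 of the electronic record.  Reducing it mod N is a
    simplification; a real scheme (PKCS#1 v1.5 or PSS) encodes the digest to fit the modulus."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big") % N


def sign(record, private_exponent=D):
    """Affix a digital signature: transform the hash result with the private key, s = h^D mod N."""
    return pow(hash_result(record), private_exponent, N)


def verify(record, signature, public_exponent=E):
    """Section 3(3): anyone with the public key recovers h from the signature (s^E mod N) and
    compares it with a freshly computed hash of the record they were given."""
    return pow(signature, public_exponent, N) == hash_result(record)


def demo():
    """Constructed record: sign it, then show which of the checks in section 3A(2)(c)/(d) pass."""
    record = b"Contract no. 42: deliver 100 units by 30 June (constructed sample record)"
    signature = sign(record)
    altered_record = record.replace(b"100 units", b"1000 units")
    return {
        "same_record_same_hash": hash_result(record) == hash_result(record),  # 3(2): deterministic
        "altered_record_changes_hash": hash_result(altered_record) != hash_result(record),
        "genuine_signature_verifies": verify(record, signature),
        "altered_record_verifies": verify(altered_record, signature),         # 3A(2)(d): must be False
        "altered_signature_verifies": verify(record, signature + 1),          # 3A(2)(c): must be False
        "wrong_key_signature_verifies": verify(record, sign(record, D + 2)),  # only the subscriber's D works
    }


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```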

----------------------------------------------------------------------------------------------------------------------------------------------------------

8) Explain the legal process to conduct computer investigation for potential criminal violations of law.

(Refer to Q. no. 6 for the answer)


-----------------------------------------------------------------------------------------------------------------------------------------------------------

9) Explain the tasks to be completed before searching for evidence.


(Refer to Q. no. 2 for the answer)

-----------------------------------------------------------------------------------------------------------------------------------------------------------

10) Explain various ways in which data integrity can be verified?


Ans:
• To verify data integrity, different methods of obtaining a unique identity for file data have been developed.
• One of the first methods, the Cyclic Redundancy Check (CRC) is a mathematical algorithm that determines
whether a file’s contents have changed. The most recent version is CRC-32. CRC, however, is not considered a
forensic hashing algorithm.
• The first algorithm for computer forensics use was Message Digest 5 (MD5).
• Like CRC, MD5 is a mathematical formula that translates a file into a hexadecimal code value, or a hash value. If
a bit or byte in the file changes, it alters the hash value, a unique hexadecimal value that identifies a file or drive.
(Before you process or analyze a file, you can use a software tool to calculate its hash value.)
• After you process the file, you produce another digital hash. If it’s the same as the original one, you can verify
the integrity of your digital evidence with mathematical proof that the file didn’t change.
• According to work done by Wang Xiaoyun and her associates from Beijing’s Tsinghua University and Shandong
University of Technology, there are three rules for forensic hashes:
• You can’t predict the hash value of a file or device.
• No two hash values can be the same.
• If anything changes in the file or device, the hash value must change.
• A newer hashing algorithm is Secure Hash Algorithm version 1 (SHA-1), developed by the National Institute of
Standards and Technology (NIST).
• SHA-1 is slowly replacing MD5 and CRC-32, although MD5 is still widely used.
• In both MD5 and SHA-1, collisions have occurred, meaning two different files have the same hash value.
Collisions are rare, however, and despite flaws in MD5 and SHA-1, both are still useful for validating digital
evidence collected from files and storage media.
• If a collision is suspected, you can do a byte-by-byte comparison to verify that all bytes are identical. Byte-by-
byte comparisons can be performed with the MS-DOS Comp command or the Linux/UNIX diff command.
• Most computer forensics hashing needs can be satisfied with a nonkeyed hash set, which is a unique hash
number generated by a software tool, such as the Linux md5sum command.
• The advantage of this type of hash is that it can identify known files, such as executable programs or viruses,
that hide themselves by changing their names.
• For example, many people who view or transmit pornographic material change filenames and extensions to
obscure the nature of the contents.
• However, even if a file’s name and extension change, the hash value doesn’t. The alternative to a nonkeyed
hash is a keyed hash set, which is created by an encryption utility’s secret key.
• You can use the secret key to create a unique hash value for a file.
• Although a keyed hash set can’t identify files as nonkeyed hash methods can, it can produce a unique hash set
for your digital evidence.
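The methods listed above, and the before/after hash check of Q3 step 3, as an added example that is not from the original notes: CRC-32, nonkeyed MD5/SHA-1 hashes (what md5sum prints), a keyed hash (HMAC) tied to a secret key, a hash-set lookup that still identifies a renamed file, and the byte-by-byte comparison used when a collision is suspected, all run over constructed files in a temporary directory. Every function name here is this example's own.

```python
import hashlib
import hmac
import os
import tempfile
import zlib

CHUNK = 1 << 16  # read in 64 KiB pieces so a multi-gigabyte image never sits wholly in memory


def _chunks(path):
    """Yield the file's bytes piece by piece (shared by every hash below)."""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                return
            yield block


def crc32_of(path):
    """CRC-32 of a file: flags accidental change, but it is not a forensic hash."""
    crc = 0
    for block in _chunks(path):
        crc = zlib.crc32(block, crc)
    return "%08x" % (crc & 0xFFFFFFFF)


def hash_file(path, algorithm="md5"):
    """Nonkeyed hash (md5, sha1, sha256, ...), the same value md5sum/sha1sum would print."""
    h = hashlib.new(algorithm)
    for block in _chunks(path):
        h.update(block)
    return h.hexdigest()


def keyed_hash_file(path, key, algorithm="sha256"):
    """Keyed hash (HMAC): a hash value that depends on the examiner's secret key."""
    mac = hmac.new(key, digestmod=algorithm)
    for block in _chunks(path):
        mac.update(block)
    return mac.hexdigest()


def bytes_identical(path_a, path_b):
    """Byte-by-byte comparison, the fallback when a collision is suspected
    (what the MS-DOS comp or UNIX diff command does)."""
    with open(path_a, "rb") as a, open(path_b, "rb") as b:
        while True:
            block_a, block_b = a.read(CHUNK), b.read(CHUNK)
            if block_a != block_b:
                return False
            if not block_a:  # both files exhausted at the same point
                return True


def verify_copy(original, copy, algorithm="sha1"):
    """Hash before and after copying (Q3 step 3); match is True only if the copy is bit-for-bit identical."""
    before, after = hash_file(original, algorithm), hash_file(copy, algorithm)
    return before, after, hmac.compare_digest(before, after)


def match_known_files(paths, known, algorithm="md5"):
    """Nonkeyed hash-set lookup: a renamed file is still identified because its hash did not change."""
    return {os.path.basename(p): known.get(hash_file(p, algorithm)) for p in paths}


def demo():
    """Constructed scenario in a temporary directory: an 'image' file, a renamed copy of it,
    and a copy with one byte altered.  Returns the checks as a dict of booleans."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "evidence.dd")
    renamed = os.path.join(workdir, "holiday.jpg")       # same bytes, misleading name and extension
    altered = os.path.join(workdir, "evidence_copy.dd")  # last byte changed
    data = b"constructed disk image content\n" * 8192    # ~256 KiB, spans several CHUNKs
    for path, content in ((image, data), (renamed, data), (altered, data[:-1] + b"\x00")):
        with open(path, "wb") as fh:
            fh.write(content)
    known = {hash_file(image, "md5"): "evidence.dd"}     # a one-entry 'known files' hash set
    return {
        "crc32_unchanged_by_rename": crc32_of(image) == crc32_of(renamed),
        "renamed_file_identified": match_known_files([renamed], known)["holiday.jpg"] == "evidence.dd",
        "altered_copy_hash_matches": verify_copy(image, altered)[2],
        "altered_copy_bytes_identical": bytes_identical(image, altered),
        "good_copy_bytes_identical": bytes_identical(image, renamed),
        "keyed_hash_depends_on_key": keyed_hash_file(image, b"key-1") != keyed_hash_file(image, b"key-2"),
    }


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

Run the file directly to see each check; a single altered byte fails both the SHA-1 comparison and the byte-by-byte comparison while the renamed copy is still matched to its known hash.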

----------------------------------------------------------------------------------------------------------------------------------------------------------

11) How is digital evidence stored? Explain.


Ans:
• With digital evidence, we need to consider how and on what type of media to save it and what type of storage
device is recommended to secure it.
• The media we use to store digital evidence usually depends on how long we need to keep it.
• The ideal media on which to store digital data are CD-Rs or DVDs. These media have long lives, but copying data
to them takes a long time.
• However, don’t rely on one media storage method to preserve the evidence—be sure to make two copies of
every image to prevent data loss. Also, use different tools to create the two images.
Evidence Retention and Media Storage Needs:
• To help maintain the chain of custody for digital evidence so that it’s accepted in court or by arbitration,
restrict access to the lab and evidence storage area.
• When the lab is open for operations, authorized personnel must keep these areas under constant supervision.
• When the lab is closed, at least two security workers should guard evidence storage cabinets and lab facilities.
• Most labs use a manual log system that an authorized technician maintains when an evidence storage
container is opened and closed.
Documenting Evidence:
• To document evidence, create or use an evidence custody form.
• An evidence custody form serves the following functions:
1. Identifies the evidence
2. Identifies who has handled the evidence
3. Lists dates and times the evidence was handled
• After we have established these pieces of information, we can add others to the form, such as a section listing
MD5 and SHA-1 hash values.
• Evidence bags also include labels or evidence forms that we can use to document the evidence.

-----------------------------------------------------------------------------------------------------------------------------------------------------------

12) How to collect evidence in Private Sector Incident Scenes ?


Ans:
• Private-sector organizations include businesses and government agencies that aren’t involved in law
enforcement.
• In the United States, these agencies must comply with state public disclosure and federal Freedom of
Information Act (FOIA) laws and make certain documents available as public records. State public disclosure laws
define state public records as open and available for inspection.
• Investigating and controlling computer incident scenes in the corporate environment is much easier than in the
criminal environment.
• In the private sector, the incident scene is often a workplace, such as a contained office or manufacturing area,
where a policy violation is being investigated.
• Everything from the computers used to violate a company policy to the surrounding facility is under a
controlled authority—that is, company management.
• Typically, businesses have inventory databases of computer hardware and software.
• Having access to this database and knowing what applications are on suspected computers help identify the
computer forensics tools needed to analyse a policy violation and the best way to conduct the analysis.
• To investigate employees suspected of improper use of company computing assets, a corporate policy
statement about misuse of computing assets allows corporate investigators to conduct covert surveillance with
little or no cause and access company computer systems without a warrant, which is an advantage for corporate
investigators.
• Law enforcement investigators cannot do the same, however, without sufficient reason for a warrant.
• However, if a company doesn’t display a warning banner or publish a policy stating that it reserves the right to
inspect computing assets at will, employees have an expectation of privacy.
• When an employee is being investigated, this expected privacy prevents the employer from legally conducting
an intrusive investigation.
• In addition to making sure a company has a policy statement or a warning banner, corporate investigators
should know under what circumstances they can examine an employee’s computer.
• If a corporate investigator finds that an employee is committing or has committed a crime, the employer can
file a criminal complaint with the police.
• If we discover evidence of a crime during a company policy investigation, first determine whether the incident
meets the elements of criminal law.
• Next, inform management of the incident; they might have other concerns, such as protecting confidential
business data that might be included with the criminal evidence (referred to as “commingled data”).
• In this case, coordinate with management and the corporate attorney to determine the best way to protect
commingled data.
• After we submit evidence containing sensitive information to the police, it becomes public record.
• Public record laws do include exceptions for protecting sensitive corporate information; ultimately, however, a judge
decides what to protect.
• After we discover illegal activity and document and report the crime, stop the investigation to make sure we
don’t violate Fourth Amendment restrictions on obtaining evidence.

-----------------------------------------------------------------------------------------------------------------------------------------------------------

13) List any five rules of evidence.


(Refer to Q. no. 1 for the answer)

-----------------------------------------------------------------------------------------------------------------------------------------------------------

14) List various guidelines for writing reports.


Ans:
• The guidelines for writing reports are as follows:
Use of supporting material:
• Use figures, tables, data and equations as supporting material. Insert figures and tables after the paragraph
that introduces them and number them properly.
• Number figures and tables in the same order as they are introduced in the report.

Importance of Consistency:
• Consistency is important in a report because it eliminates uncertainty and confusion.
• The sections of the report must all be formatted in the same way.

Investigate report format:
• Get samples of already established report formats.
• Maintain objectivity and document the findings in an unbiased and accurate manner.

Attachments and appendices:
• Use attachments and appendices as supplements to the report.
• We can refer to attachments and appendices when the report has more content than fits in its body.
• Attachments and appendices can be used to further detail any terminology, findings or recommendations
presented in the report.

Include metadata:
• Metadata is information about the file, including who created it and time and date stamps.
• Two types of file metadata can be used in forensics investigations:
1. System metadata: It can be used to identify the change in the file location.
2. Application metadata: It can be used to identify the change in document author, document version,
macros, email to, email from, subject, etc.

-----------------------------------------------------------------------------------------------------------------------------------------------------------

15) What are the features of IT ACT 2000 ?


Ans:
The Information Technology (IT) Act 2000 is an Indian law that governs the use of electronic communication and
digital transactions. The main features of the IT Act 2000 include:
1. Legal recognition of electronic documents: The Act provides legal recognition to electronic documents,
digital signatures, and electronic records. This means that electronic documents can be used as evidence in
court.
2. Data protection: The IT Act 2000 includes provisions for the protection of personal data and sensitive
information.
3. Cybercrimes and penalties: The Act defines various cybercrimes, such as hacking, data theft, and online
fraud, and prescribes penalties for them.
4. Establishment of Cyber Appellate Tribunal: The IT Act 2000 provides for the establishment of a Cyber
Appellate Tribunal to hear appeals against orders passed by Adjudicating Officers.
5. Network service providers' liability: The Act outlines the liability of network service providers for any illegal
activities committed on their networks.
6. Cyber regulations advisory committee: The Act provides for the formation of a Cyber Regulations Advisory
Committee to advise the Central Government and State Governments on issues relating to cybersecurity.
7. Establishment of Controller of Certifying Authorities: The Act established the office of Controller of Certifying
Authorities, responsible for licensing and regulating the functioning of Certifying Authorities.

These features were updated in 2008 with the IT (Amendment) Act, which introduced new provisions such as
Section 66A, which criminalized the sending of offensive messages through electronic communication. However,
this section was struck down by the Supreme Court of India in 2015.
------------------------------------------------------------------------------------------------------------------------------------------------------

16) What are the objectives of IT ACT 2000 ?


Ans:
The Information Technology (IT) Act 2000 was enacted in India with the objective of providing a legal framework
to facilitate electronic transactions and to protect the interests of individuals and businesses involved in such
transactions. Some of the key objectives of the IT Act 2000 are:
1. To provide legal recognition to electronic transactions: The Act aims to provide legal recognition to
electronic records and digital signatures, and to enable the use of electronic documents in legal proceedings.
2. To ensure confidentiality and security of electronic transactions: The Act seeks to ensure the confidentiality
and security of electronic transactions and the information contained in them.
3. To prevent cybercrime: The Act aims to prevent cybercrime and defines various offenses related to
unauthorized access, hacking, data theft, and other computer-related crimes.
4. To provide for the establishment of cyber appellate tribunal: The Act provides for the establishment of a
Cyber Appellate Tribunal to hear appeals against orders passed by Adjudicating Officers.
5. To regulate the functioning of Certifying Authorities: The Act establishes the office of Controller of Certifying
Authorities, responsible for licensing and regulating the functioning of Certifying Authorities.
6. To promote e-governance: The Act aims to promote e-governance and provide legal recognition to
electronic records and digital signatures in government transactions.
7. To provide for the protection of personal information: The Act seeks to protect the privacy and
confidentiality of personal information and sensitive data.
Overall, the IT Act 2000 aims to provide a legal framework for electronic transactions, facilitate e-commerce and
e-governance, and ensure the security and confidentiality of electronic transactions and data.

------------------------------------------------------------------------------------------------------------------------------------------------------

17) What are the steps to create image files of digital evidence?
(Refer to Q. no. 3 for the answer.)

------------------------------------------------------------------------------------------------------------------------------------------------------

18) What is an authorized requester? Why should companies appoint one for computer investigations?
Ans:
• In a private-sector environment, the person who has the right to request an investigation, such as the chief
security officer or chief intelligence officer, is called an authorized requester.
• In addition to using warning banners that state a company’s rights of computer ownership, businesses are
advised to specify an authorized requester who has the power to initiate investigations.
• Executive management should define a policy to avoid conflicts from competing interests in organizations.
• In large organizations, competition for funding or management support can become so fierce that people
might create false allegations of misconduct to prevent competing departments from delivering a proposal for
the same source of funds.
• To avoid inappropriate investigations, executive management must also define and limit who’s authorized to
request a computer investigation and forensics analysis.
• Generally, the fewer groups with authority to request a computer investigation, the better.
• Examples of groups with authority to request computer investigations in a corporate environment include the
following:
 - Corporate security investigations
 - Corporate ethics office
 - Corporate equal employment opportunity office
 - Internal auditing
 - The general counsel or legal department
• All other groups, such as the Human Resources Department, should coordinate their requests through the
corporate security investigations group.
• This policy separates the investigative process from the process of employee discipline.

----------------------------------------------------------------------------------------------------------------------------------------------------------

19) What is the Information Technology Act 2000?


Ans:
• The Information Technology (IT) Act 2000 is legislation passed by the Indian Parliament on 17th October
2000, with the objective of providing a legal framework to regulate electronic transactions and to give legal
recognition to digital signatures and electronic documents.

• The Act was amended in 2008 to bring it in line with the changing technology and the growing incidence of
cybercrimes.

• The IT Act 2000 provides a legal framework for electronic transactions and creates provisions for the regulation
of digital signatures, electronic records, and other aspects of information technology. The Act defines various
cybercrimes such as hacking, unauthorized access, tampering with computer source code, and data theft, and
prescribes penalties for them.

• The Act also establishes the office of Controller of Certifying Authorities (CCA) to regulate the functioning of
Certifying Authorities (CAs) who issue digital certificates for electronic transactions. The Act also provides for the
establishment of an Adjudicating Officer to settle disputes related to electronic transactions.

• The IT Act 2000 is comprehensive legislation that provides for the legal recognition of electronic transactions,
promotes e-commerce and e-governance, and provides for the protection of personal data and sensitive
information.

-----------------------------------------------------------------------------------------------------------------------------------------------------------

20) What is the IT Act 2000? (Refer to Q. no. 19 for the answer.) Write the features of the IT Act 2000. (Refer to Q. no. 15 for
the answer.)

-----------------------------------------------------------------------------------------------------------------------------------------------------------