DIGITAL FORENSICS LONG QUESTIONS AND

ANSWERS

1. Explain the Locard's Exchange Principle and its significance in forensic science. Provide examples
to illustrate how this principle is applied in criminal investigations.

➔ This principle was stated by French scientist -Edmond Locard. Law of exchange states that, “As
soon as two things come in connection with each other, they mutually interchange the traces
between them.” Whenever criminal or his weapon/instrument made connection with the victim
or the things surrounding him he left some traces at crime scene and also picked up the traces
from the area or person he has been in contacted with.
Here are a few examples to illustrate how Locard's Exchange Principle is applied in criminal
investigations:
• Fiber Analysis
• DNA Evidence
• Fingerprint Analysis
• Gunshot Residue

2. Discuss the concept of jurisdiction in the context of cybercrimes. How do international boundaries
impact the investigation and prosecution of cybercriminals? Provide specific examples.

➔ Jurisdiction in the context of cybercrimes refers to the authority of a particular legal system to
investigate, prosecute, and adjudicate offenses that occur within its territory or involve its citizens
or entities. However, cybercrimes pose unique challenges to traditional notions of jurisdiction due
to their borderless nature. Here's how international boundaries impact the investigation and
prosecution of cybercriminals:
•Territorial Jurisdiction
•Jurisdictional Overlaps
•Extradition Issues
•Lack of Harmonization
•Anonymity and Obfuscation
•Cross-Border Infrastructure
3. Describe the key steps involved in a cyber forensics’ investigation. How does the process differ
from traditional forensic investigations, and what challenges may arise in collecting and
preserving digital evidence?

➔ Cyber forensics investigations involve the collection, preservation, analysis, and presentation of
digital evidence to uncover and understand cybercrimes. Here are the key steps involved in a
cyber forensics investigation:

• Identification
• Preservation
• Collection
• Analysis
• Interpretation
• Documentation
• Reporting
➔ The process of cyber forensics investigation differs from traditional forensics investigations in
several ways:
• Nature of Evidence
• Tools and Techniques
➔ Challenges in Digital Evidence Collection and preservation: - Collecting and preserving digital
evidence pose unique challenges due to the volatile nature of electronic data, the complexity of
digital storage systems, and the prevalence of encryption and anti-forensic techniques. Challenges
may arise in ensuring the integrity and authenticity of digital evidence, dealing with encrypted or
password-protected data, and overcoming legal and jurisdictional barriers in accessing evidence
stored on remote servers or in the cloud.

4. Analyze the significance of the IT Act 2000 in addressing cybercrimes in India. Highlight the
key provisions and penalties outlined in the Act and discuss any major amendments
introduced by the IT Amendment Act of 2008.

➔ The Information Technology (IT) Act, 2000 is a crucial legislation in India aimed at addressing
various aspects of cyberspace, including electronic transactions, digital signatures, cybercrimes,
and data protection.
The key provisions are:
• Legal Recognition of Electronic Records
• Cybercrimes and Offenses
• Penalties and compensation
• Regulatory Authorities such as CERT-In
• Data Protection and Privacy
➔ The IT Amendment Act 2008 introduced significant changes to the IT Act, 2000. The major
amendments made are: -
• Expansion of Cybercrimes
• Strengthening Penalties
• Enhanced Powers for Law Enforcement

5. Elaborate on the role of digital signature certificates in the legal framework of the IT Act 2000.
How do they contribute to the authenticity and integrity of electronic records, and what legal
implications arise in their use?

➔ Digital signature certificates play a crucial role in the legal framework of the Information
Technology Act, 2000 (IT Act 2000) by providing a means to authenticate electronic records and
ensuring their integrity. Here's how they contribute:
• Authentication: - Serve as a virtual equivalent of handwritten signatures in electronic
transactions. They are issued by certifying authorities after verifying identity of signatory.
• Integrity: - Digital signature certificates also ensure the integrity of electronic records by
preventing tampering or unauthorized alterations. When a digital signature is applied to a
document, it creates a unique digital fingerprint known as a hash.
The digital Signature usage implies some legal implications.
• Legal Recognition
• Admissibility by the court
• Liability and Accountability
• Compliance Requirements

6. Explain the concept of chain of custody in forensic science. Discuss its importance in maintaining
the integrity of evidence during the investigative process, and outline the potential consequences
of a compromised chain of custody.

➔ Chain of Custody refers to the chronological documentation or paper trail that records the
sequence of custody, control, transfer, analysis, and disposition of physical or electronic evidence.
It is a critical process in forensic science to ensure that evidence is handled in a secure and
documented manner from the crime scene to the courtroom.
Importance of Chain of Custody:
• Preventing Tampering and Contamination
• Accountability
• Court Requirements
• Reliability and Credibility
• Traceability

Consequences of a compromised chain of custody:

• Evidence Inadmissibility
• Case Dismissal
• Wrongful Convictions or Acquittals
• Loss of Public Trust
7. Discuss the challenges law enforcement faces in attributing cybercrimes to specific individuals or
entities. Explore the role of anonymity, encryption, and advanced hacking techniques in
complicating cybercrime investigations.

➔ Law enforcement agencies face significant challenges in attributing cybercrimes to specific

individuals or entities due to several factors:
➢ Anonymity:
• Proxies and VPNs: Hide real IP addresses.
• Dark Web: Ensures user anonymity.
➢ Encryption:
• Spoofing and IP Manipulation: Conceal true locations.
• Botnets: Disperse attacks across multiple devices.
• Malware and Ransomware: Utilize sophisticated evasion and encryption methods.

8. Evaluate the role of digital forensics in addressing corporate cyber incidents. Discuss how digital
forensics techniques can be employed to investigate data breaches, insider threats, and other
cyber incidents affecting organizations.

➔ Digital forensics plays a crucial role in addressing corporate cyber incidents by systematically
investigating and analysing digital evidence to understand, respond to, and mitigate cyber threats.
Digital Forensics Techniques in Investigating Cyber Incidents:
➢ Data Breaches:
• Incident Response: Immediate action to identify the breach source, extent, and
impact.
• Log Analysis: Examining system and network logs to trace unauthorized access and
activities.
• Malware Analysis: Identifying and dissecting malicious software used in the breach
to understand its behaviour and impact.
➢ Insider Threats:
• Access Control Audits: Reviewing access logs to identify unusual or unauthorized
data access by employees.
• Endpoint Forensics: Analysing devices used by the suspected insider to uncover
evidence of data theft or malicious activities.
• Email and Communication Analysis: Investigating internal communications for signs
of collusion or data exfiltration.
➢ Other Cyber incidents:

• Network Forensics: Monitoring network traffic to detect and analyze suspicious

activities, intrusions, or anomalies.
• Disk Forensics: Recovering and examining deleted or altered files to find hidden or
lost data.
• Memory Forensics: Analyzing volatile memory (RAM) to uncover running processes,
open network connections, and other transient data that can provide insights into
the attack.
9. Examine the legal provisions related to cyber defamation under the IT Act 2000 and its
amendments. Discuss the challenges in prosecuting and proving cyber defamation cases, and
suggest potential improvements to the legal framework.

➔ Information Technology Act 2000 and Amendments:

• Section 66A: Initially addressed offensive messages sent via communication services, but
was struck down by the Supreme Court in 2015 for being unconstitutional.
• Section 499 of the Indian Penal Code (IPC): Applies to cyber defamation, stating that
defamation can occur through words, signs, or visible representations published or
spoken, affecting a person's reputation.
• Section 500 of IPC: Prescribes punishment for defamation, including cyber defamation,
with imprisonment up to two years, a fine, or both.

➔ Challenges in Prosecuting and Proving Cyber Defamation:

➢ Anonymity:

• Difficult to trace the identity of the perpetrator due to the use of anonymous
accounts or pseudonyms.

➢ Jurisdictional Issues:

• Cyber defamation often transcends geographical boundaries, complicating legal

jurisdiction and enforcement.

➢ Evidence Collection:

• Gathering and preserving digital evidence is challenging due to its volatile nature
and the need for technical expertise.

10. Analyze the impact of the IT Amendment Act 2008 on enhancing cybersecurity measures in India.
Discuss the new offenses introduced and their implications for individuals, businesses, and law
enforcement agencies involved in the digital space.

➔ The IT Amendment Act 2008 significantly bolstered cybersecurity measures in India by

introducing critical new offenses and stringent penalties, thereby providing stronger protection
for individuals, businesses, and law enforcement in the digital space.

➢ Identity theft (Section 66C)

• Individuals: Greater protection against misuse of personal information.

• Business: Enhanced accountability for protecting customer data.
• Law Enforcement: Clear mandate to tackle identity-related cybercrimes.

➢ Cheating by Personation (Section 66D)

• Individuals: Safeguards against fraud and impersonation online.

• Business: Encourages robust verification processes to prevent fraud.
• Law Enforcement: Tools to address and prosecute online fraud cases effectively.
 ➢ Cyber Terrorism (Section 66F)

• Individuals: Protection from cyber activities intended to disrupt national security.

• Business: Responsibilities to report and mitigate cyber terrorism threats.
• Law Enforcement: Enhanced powers to prevent and respond to cyber terrorism.

➢ Obscenity and Pornography (Sections 67, 67A, 67B):

• Individuals: Protection from exposure to harmful and illegal content.

• Business: Obligations to monitor and remove obscene content.
• Law Enforcement: Framework to combat the spread of obscene material, especially
involving minors.

11. Explain the key phases of an incident response methodology in digital forensics. For each phase,
elaborate on the specific tasks and objectives that contribute to an effective incident response
strategy.

➔ The Key phases of Incident Response Methodology in Digital Forensics are:

➢ Preparation:

• Policy and Procedure Development

• Training and Awareness
• Tools and Resource allocation
• Communication Plan

➢ Identification:

• Detection and Alerting

• Initial Analysis
• Classification
• Documentation

➢ Containment:

• Short-Term Containment
• Long-Term Containment
• Preservation of Evidence

➢ Eradication:

• Root Cause Analysis

• Removing Malicious Components
• System Restoration.

➢ Recovery:

• System Validation
• Monitoring
• Remaining Operations
• Testing
12. Discuss the role and significance of a search warrant in the context of cybercrime scene analysis.
Explain the legal requirements for obtaining a search warrant and how it ensures the admissibility
of evidence in court.

➔ Search warrants are vital in cybercrime scene analysis as they ensure that evidence is collected
legally and ethically, thereby upholding privacy rights and increasing the likelihood of evidence
being admissible in court. The legal requirements for obtaining a search warrant—probable cause,
an affidavit, particularity, and judicial approval—serve to legitimize the investigation process,
maintain the integrity of evidence, and support the successful prosecution of cybercriminals.

Legal requirements for search warrant:

• Must Demonstrate the probable cause.

• An affidavit statement by law agency detailing the facts to be presented to a judge or a
magistrate.
• The warrant must specify the location to be searched and items to be seized.
• A judge or magistrate must review the affidavit.

Ensuring admissibility in the court.

• Compliance with Legal Procedures

• Chain of Custody
• Minimizing Suppression Motions
• Credibility and Reliability

13. Explore the concept of steganography in the realm of electronic evidence. Provide examples of
how steganography is used, and discuss the challenges it presents for digital forensic
investigators.

➔ Steganography poses significant challenges for digital forensic investigators due to its ability to
hide information within seemingly innocent files. Detecting and analyzing steganographic content
requires specialized tools, expertise, and significant resources. Despite these challenges,
understanding and addressing steganography is crucial in the fight against cybercrime and the
preservation of electronic evidence integrity.

Examples of steganography:

• Least Significant Bit Insertion in Image Files (JPG, PNG)

• Echo Hiding in Audio Files (MP3, WAV)
• Frame Alteration in Video Files (MP4, AVI)
• Whitespace Steganography in Text Files and Documents.

Challenges for steganography:

• Tool Limitations
• Legal and Evidential Challenges
• Large Volume of Data
• Detection Difficulty
14. What is hidden data extraction, and why is it important in digital forensics?

➔ Hidden data extraction is the process of identifying, recovering, and analysing data that is
deliberately concealed within a digital medium. This data may be hidden using various techniques
such as steganography, metadata manipulation, hidden partitions, or file system artifacts.

Hidden data extraction is vital in digital forensics for uncovering concealed evidence, ensuring
comprehensive analysis, counteracting obfuscation techniques, and supporting the legal
admissibility of digital evidence.

15. Explain the significance of network traffic analysis in cybersecurity.

➔ Network traffic analysis is a fundamental component of cybersecurity that involves monitoring

and examining data packets transmitted over a network. It plays a crucial role in identifying and
mitigating cyber threats, safeguarding network integrity, and ensuring the confidentiality,
integrity, and availability of digital assets. The significant features are:

• Threat Detection and Prevention

• Incident Response and Forensics
• Behavioural Analysis
• Threat Intelligence and Situational Awareness
• Security Policy Enforcement
• Anomaly Detection and Intrusion Detection Systems (IDS)

16. What is data storage hierarchy, and how does it impact data retrieval speed?

➔ The data storage hierarchy refers to the organization of different types of storage media based on
their speed, capacity, and cost. The common data storage layers are:

• Registers and Cache Memory

• Main Memory
• Secondary Storage
• Tertiary Storage

➔ Impact on data Retrieval speed.

• Access Time
• Latency
• Caching
• Data Movement Overhead
17. Describe the physical structure of a hard disk and how data is stored on it.

➔ Physical Structure: A hard disk drive (HDD) consists of one or more metal or glass platters coated
with a magnetic material. These platters are stacked on a spindle and spin at high speeds. Each
platter has read/write heads attached to an actuator arm, which float just above the platter
surfaces.

Data Storage: Data is stored on the hard disk in binary form as magnetic patterns on the platter's
surface. The platter surface is divided into tracks, which are further divided into sectors. Each
sector holds a fixed amount of data. The read/write heads access these sectors to read or write
data as the platters spin.

18. Compare NTFS and FAT32 file systems, highlighting their differences in tabular format.

NTFS FAT32

Maximum volume size is 16 TB to 16 EB Maximum volume size is 2 TB for Windows

and 8 TB for Mac/Linux

Compression is available in NTFS Compression is not available in FAT32

NTFS provides encryption FAT32 does not provides any encryption

System Recovery is possible in NTFS System Recovery is not possible in FAT32

NTFS is compatible only with Windows FAT32 is compatible with Windows as well
as MAC/Linux.

19. Explain the process of recovering deleted files from a storage device.

➔ The process of recovering deleted files from a storage device includes the following steps:

• Immediately stop using the device.

• Employ data recovery software to scan for and recover deleted files.
• Select and recover desired files to a separate storage location to avoid overwriting.
20. Discuss the ethical considerations surrounding password cracking in cybersecurity.

➔ Password cracking, the process of attempting to gain unauthorized access to a system or account
by systematically trying various password combinations, raises several ethical considerations in
cybersecurity:

• Legality and Authorization: Password cracking is generally illegal unless authorized by the
owner of the system or account being tested.
• Privacy and Consent: Attempting to crack passwords involves accessing sensitive
information and potentially breaching the privacy of individuals or organizations.
• Potential Harm and Damage: Unauthorized password cracking can lead to data breaches,
identity theft, financial loss, and other forms of harm to individuals or organizations.
• Responsible Disclosure: If vulnerabilities are discovered through password cracking, ethical
hackers should follow responsible disclosure practices.

21. Explain the process of evidence identification in a computer forensics investigation and why it is a
critical initial step.

➔ In computer forensics, evidence identification involves locating and documenting potential

sources of digital evidence. It's critical because it ensures that all relevant evidence is collected,
preserved, and analyzed thoroughly, laying the foundation for a successful investigation. This step
involves identifying devices, storage media, network logs, and other sources that may contain
pertinent information. Proper identification helps prevent evidence from being overlooked or
tampered with and ensures the integrity and admissibility of evidence in legal proceedings.

22. Describe the challenges associated with acquiring volatile data during a computer forensics
investigation. How can investigators overcome these challenges?

➔ Acquiring volatile data during a computer forensics investigation poses several challenges due to
the transient nature of this type of data. These challenges include:

• Data Volatility: - When system is powered off the data is not stored persistently and is lost.
• Data Overwriting: - Running system and processes continually overwrite portions of RAM.
• Time Sensitivity: - Delays in acquisition can result in loss of crucial evidence.

➔ Investigators can overcome these challenges by employing various strategies:

• Live System Forensics.

• Memory Imaging
• Use of Forensic Tools
• Documentation and chain of custody.
23. Compare and contrast the functionalities of FTK Imager and EnCase in computer forensics
investigations.

FTK Imager EnCase

Creates forensic images of disks and drives. Creates forensic images and snapshots.

Supports file hashing for integrity Includes hashing functionality.

verification.
User-friendly interface, easy to navigate. Intuitive interface with extensive features.

Free to use. Requires a commercial license.

No remote acquisition capabilities. Offers remote acquisition features.

24. Define social engineering and provide examples of social engineering attacks. How can
organizations defend against such attacks?

➔ Social engineering is a tactic used by malicious individuals to manipulate people into divulging
confidential information, performing actions, or providing access to restricted systems or data. It
relies on psychological manipulation rather than technical exploits to achieve its objectives. Social
engineering attacks exploit human vulnerabilities, such as trust, curiosity, fear, or authority, to
deceive individuals and gain unauthorized access to sensitive information or systems.

Examples of Social Engineering Attacks includes:

• Phishing
• Pretexting
• Baiting
• Impersonation
• Tailgating

To defend against Social Engineering attacks, the organisations must uptake the following
measures:

• Employee Training and Awareness.

• Strict Access Control.
• Security Policies and Procedures.
• Email Filtering and Security Awareness.
• Physical Security Measures.
• Incident Response Plan.
25.Discuss the role of intrusion detection systems (IDS) and intrusion prevention systems (IPS) in
network security. Provide examples of each.

➔ The IDS (Intrusion Detection System) monitor network traffic and system activity for signs of
potential security breaches or malicious activity. IDS generates a log when suspicious activities are
detected.

Examples: Signature-based IDS, Anomaly-based IDS.

➔ The IPS (Intrusion Prevention System) is a step further than IDS by actively blocking or mitigating
identified threats in real-time. Then can automatically take actions to stop or prevent malicious
activities from compromising a network.

Examples: Network-based IPS, Host-based IPS.

26. Explain the significance of packet sniffing in network forensics investigations. How does it aid in
the analysis of network traffic?

➔ The significance of Packet Sniffing is that it enables the real time monitoring and recording of
network communications, including data packets transmitted between devices on a network.

Packet Sniffing aids by capturing and analysing network traffic, packet sniffing helps investigators
identify suspicious or malicious activities, such as unauthorized access attempts, data exfiltration,
malware infections, or network reconnaissance.

27. Discuss the role of timestamps in network forensics investigation. Why are accurate timestamps
crucial for reconstructing events?

➔ Timestamps play a critical role in network forensics investigations as they provide temporal
context to network activities and help reconstruct events accurately.

Accurate timestamps are crucial for network forensics investigations because they provide
temporal context, enable sequence reconstruction, facilitate timeline analysis, support incident
response efforts, ensure compliance with legal and regulatory requirements, and enhance the
correlation of data from multiple sources.

28. Examine the challenges associated with encrypted network traffic in network forensics
investigations. How can investigators overcome these challenges?

➔ Encrypted network traffic presents significant challenges for network forensics investigations due
to the encryption mechanisms used to protect data confidentiality. Investigators can overcome
these challenges by leveraging decryption capabilities, deploying specialized monitoring solutions,
adhering to legal and privacy requirements, optimizing analysis workflows, and staying vigilant
against emerging evasion techniques.
29. Explain the concept of mobile forensics and why it is crucial in the field of digital investigations.

➔ Mobile forensics involves the examination and analysis of digital evidence stored on mobile
devices such as smartphones, tablets, and wearable technology. It encompasses a wide range of
investigative techniques and methodologies aimed at retrieving, preserving, analysing, and
presenting digital evidence from mobile devices for legal or investigative purposes.

Reasons for which Mobile Forensics are crucial:

• Proliferation of Mobile Devices.

• Rich Source of Evidence.
• Challenges of Mobile Devices.
• Legal and Ethical Considerations.

30. Describe the key components of a cellular network and their roles in enabling mobile
communication.

➔ The key components of a cellular network and their roles in enabling mobile communication
include:

• Mobile Devices: - End user devices such as smartphones, tablets or mobile routers that
communicate wirelessly with the cellular network.
• Base Transceiver Station (BTS): - Also known as the cell tower or the base station, equipped
with antennas that transmits and receive radio signals to and from mobile devices within
its coverage area known as cell.
• Mobile Switching Center (MSC): - A central Switching Hub that connects multiple BTSs and
manages the routing of voice calls and data transmissions within cellular network.
• Home Location Register (HLR): - Centralised database that stores subscriber information,
including subscriber identities, authentication keys, service profiles, and current location
information.
• Visitor Location Register (VLR): - Temporary database that stores subscriber information for
mobile devices currently located within the coverage area of a particular MSC.
• Authentication Center (AuC): - Responsible for authentication and encryption functions
within the cellular network.
• Equipment Identity Register (EIR): - A database that stores information about mobile
devices, including their unique identifiers (IMEI) and allowed services.
• Gateway Mobile Switching Center (GMSC): - Responsible for routing calls between the
cellular network and external networks, such as the PSTN or other mobile networks.
31. Differentiate between 3G and 4G cellular networks, highlighting the key technological
advancements in 4G.

3G (Third Generation) 4G (Fourth Generation)

200 kbps to a few Mbps data speeds 5Mbps to 100 Mbps data speeds

100-500 milliseconds latency 20-50 milliseconds latency

Limited Advanced Technologies MIMO, Carrier Aggregation, Advanced

Modulation (64-QAM)
Circuit-Switched Voice Calls Voie over LTE (VoLTE)

Circuit-Switched for voice and Packet- Voice and Data over IP

Switched for data

32. Explain the types of evidence that can be extracted from a cell phone in a forensic investigation.

➔ In a forensic investigation, various types of evidence can be extracted from a cell phone:

• Call Logs
• Text Messages
• Contacts
• Emails
• Photos and Videos
• Internet Browsing History
• App Data
• Location Data
• Calendar Entries
• Notes and Memos
• Chat Logs
• Documents
• Call Recordings
• Deleted Data
• System Logs

33. Discuss the techniques and tools commonly used in mobile forensics to retrieve and analyze data
from mobile devices.

➔ Techniques: - Manual Extraction, Logical Extraction, Physical Extraction, Chip-Off, Cloud Forensics
➔ Tools: - Cellebrite UFED, Magnet AXIOM, Autopsy, FTK Imager, Oxygen Forensics Detective, EnCase
34. Outline the challenges associated with mobile forensics, including those related to device
diversity and encryption.
➔ Mobile forensics faces several challenges that complicate the extraction and analysis of data
from mobile devices:
➢ Device Diversity:
• Variety Of Operating System.
• Model Variations.
• Proprietary Technologies.
➢ Encryption:

• Device Encryption.
• App-Level Encryption.
• Encryption Standards.

35. Discuss the role of the Home Location Register (HLR) in a cellular network and its significance in
mobile forensics.
➔ The Home Location Register (HLR) plays a crucial role in cellular networks, serving as a central
database that contains detailed information about each subscriber authorized to use the network.
Significance of Home Location Register in Digital Forensics.

• Locating Subscribers
• Subscriber Identity Verification
• Service Usage Details
• Roaming and Network Access
• Correlating with Other Evidence

36. Compare and contrast GSM (Global System for Mobile Communications) and CDMA (Code
Division Multiple Access) cellular network technologies.
GSM CDMA
Uses TDMA Technology Used Spread-Spectrum CDMA Technology

Requires SIM Cards Does not require SIM cards

Widely Adopted globally Primarily used in North America and parts of

Asia
Simpler and less expensive to deploy More complex and expensive to deploy

Good voice quality, decreases with distance High-quality voice, better spectrum efficiency,
and congestion robust.
37. Elaborate on the importance of preserving the integrity of cell phone evidence during a forensic
investigation.
➔ Preserving the integrity of a cell phone evidence during a forensic investigation is crucial for
several reasons:
• Legal Admissibility
• Accuracy and Reliability
• Reproducibility
• Maintaining Credibility
• Preventing Legal Challenges

38. Explain the role and significance of mobile forensic tools in the field of digital forensics. Provide
examples of specific mobile forensic tools and describe the types of data they can extract from
mobile devices.
➔ Significance of Mobile Forensic Tools:
• Efficiency and Accuracy

• Comprehensive Data Retrieval

• Legal Compliance
• Handling Encryption and Security
Examples of Mobile Forensic Tools:
• Cellebrite UFED: Call logs, text messages, emails, contacts, photos, videos, app data, etc.

• Oxygen Forensic Detective: Call History, SMS/MMS, emails, files, GPS data, GPS data, etc.
• Magnet AXIOM: Text Messages, call logs, media files, internet history, app data, cloud data
• EnCase Forensics: Emails, SMS, call records, photos, videos, documents, app data, etc.