DF&CCI Set 2

DIGITAL FORENSICS QA

FACULTY OF ENGINEERING & TECHNOLOGY

DEPARTMENT OF CSE

UNIVERSITY EXAMINATION

SUB. CODE: EMCF22001 SUB. NAME: Digital Forensics and Cyber Crime Investigation
DEGREE : M.TECH BRANCH: CFIS
YEAR/SEMESTER: I/II SEC A SECTIONS/COMMON TO:
MAX.MARKS: 100 DURATION: 3 Hrs
DATE: PORTION: All Units

PART-A (10x1 = 10) - ANSWER ALL QUESTIONS - MCQ


1. Computer forensics can also be used in civil proceedings.
A. Yes
B. No
C. Can be yes or no
D. Can not say
2. A computer forensics professional does more than turn on a computer, make a directory listing, and
search through files. Your forensics professionals should be able to successfully perform complex
evidence recovery procedures with the skill and expertise that lends credibility to your case. For
example, they should be able to perform the following services, except:
A. Data seizure
B. Data duplication and preservation
C. Data recovery
D. Data dump
3. What is the use of IPDR?
A. To find the IP address of the mail received
B. To find the IP address of the network/site visited
C. To find the IP address of the VOIP caller
D. To find the IP address of the WhatsApp message received
4. Volatile data resides in?
A. registries
B. cache
C. RAM
D. All of the above

5. Which of the following techniques are used during computer forensics investigations?
A. Cross-drive analysis
B. Live analysis
C. Deleted files
D. All of the above
6. A common technique used in computer forensics is the recovery of deleted files.
A. TRUE
B. FALSE
C. Can be true or false
D. Can not say
7. The law of evidence consists of
A. ordinary rules of reasoning
B. legal rules of evidence
C. rules of logic
D. all the above
8. Facts which are necessary to explain or introduce relevant facts of place, name, date, relationship &
identity of parties are relevant
A. under section 8 of Evidence Act
B. under section 9 of Evidence Act
C. under section 10 of Evidence Act
D. under section 11 of Evidence Act
9. In the context of cybercrime investigations, what does "phishing" refer to?
A. The unauthorized access of computer systems.
B. The manipulation of search engine results.
C. The act of tricking individuals into revealing sensitive information.
D. The use of malware to disrupt computer networks.
10. Which of the following is an example of a cybercrime involving unauthorized access to computer
systems?
A. Identity theft.
B. Denial-of-service (DoS) attacks.
C. Phishing scams.
D. SQL injection attacks.

PART-B (5x6 = 30) - ANSWER ANY 5 QUESTIONS


11. What are the different types of digital forensic evidence?

12. What is computer crime? Give a few examples.

13. What are the computer components used in digital forensics? Explain a few of them.

14. Describe the concept of memory organization in a computer system. Explain the different types of
memory, such as RAM and ROM, and their respective roles in storing and accessing data.

15. What are the different types of tools used in digital forensics?

16. What do computer forensic investigators do? What are their tasks and responsibilities?

17. What are some techniques and standards for the preservation of data in digital forensic
investigations?

18. Explain Anti-Forensics.

PART-C (5x12 = 60) - ANSWER ALL QUESTIONS


19. Discuss techniques used in digital forensics evidences.

or

20. Discuss the legal aspects of digital forensics.

21. Explain the input and output devices used in digital forensics.

or

22. Explain Operating System Architecture in detail with diagrams.

23. Explain the Phases of Digital Forensics.

or

24. What are the principles of digital forensic acquisition?

25. Discuss OS and file system forensics, including techniques/tools for analyzing them for digital
evidence. Explain challenges and potential findings in this field.

or

26. Facts need not be proved under the Evidence Act 1872.

27. Explain common types of computer, network, and system attacks in digital forensics. Discuss their
characteristics, motivations, and potential impacts.

or

28. Discuss case studies related to web forensics. Analyze real-world scenarios involving web-based
attacks, digital evidence extraction from web servers, analysis of web application logs, or online
fraud investigations. Explain the investigative techniques employed and the outcomes of each case.

Answer Key

Ques. No.   Contents of the Answer *   Allocation of Marks

1 A 1

2 D 1

3 B 1

4 D 1

5 D 1

6 A 1

7 B 1

8 B 1

9 C 1

10 A 1

11 (6 marks) Digital forensic evidence can take various forms depending on the nature of the investigation and the types of digital devices involved. Here are some common types of digital forensic evidence:

• Computer Files
• Emails
• Internet History
• Social Media Data
• Instant Messaging and Chat Logs
• Call Logs
• Metadata
• System Logs

12 (6 marks) Computer crime is an act performed by a knowledgeable computer user, sometimes called a "hacker," that illegally browses or steals a company's or individual's private information. Sometimes, this person or group of individuals may be malicious and destroy or otherwise corrupt the computer or data files.

Examples of computer crimes


Below is a list of the different types of computer crimes today.

Child pornography -

Click fraud - Fraudulent clicks on Internet advertisements.

Copyright violation - Stealing or using another person's copyrighted material without permission.

Cracking - Breaking or deciphering codes designed to protect data.

Cyber terrorism - Hacking, threats, and blackmailing towards a business or person.

Cyberbully or Cyberstalking - Harassing or stalking others online.

Cybersquatting - Setting up a domain of another person or company with the sole intention of selling it to them later at a premium price.

Creating Malware - Writing, creating, or distributing malware (e.g., viruses and spyware).

13 (6 marks) In digital forensics, several computer components are commonly used to conduct investigations and analyze digital evidence. Here are some key components:

1. Forensic Workstations:

2. Write-Blockers:

3. Imaging Tools:

4. Hashing Tools:

14 (6 marks) Memory organization in a computer system refers to the hierarchical structure and management of different types of memory used for storing and accessing data. It involves the allocation, retrieval, and utilization of memory resources to facilitate efficient and fast data processing.

There are several types of memory in a computer system, including RAM (Random Access Memory) and ROM (Read-Only Memory):

1. RAM (Random Access Memory):

2. ROM (Read-Only Memory):

15 (6 marks) Digital forensic tools are specialized software applications or hardware devices used by digital forensic investigators to acquire, analyze, and interpret digital evidence during investigations. These tools help in the identification, preservation, and examination of data from various digital sources, such as computers, mobile devices, network traffic, and storage media. Here are some commonly used digital forensic tools:

1. EnCase:

2. AccessData Forensic Toolkit (FTK):

3. Autopsy:

4. X-Ways Forensics:

5. Volatility:

6. Cellebrite UFED:

7. Wireshark:

8. Oxygen Forensic Suite:

9. Magnet AXIOM:

10. FTK Imager:

16 (6 marks) Computer forensic investigators help retrieve information from computers and other digital storage devices. The retrieved data can then be used in criminal investigations or as evidence in cases of cyber crimes.

What do computer forensic investigators do?

Much like a forensic investigator captures evidence from the scene of a crime, a computer forensic investigator gathers evidence found on computers, mobile phones, and other digital devices.

Tasks and responsibilities

• Retrieve data from virtual and physical devices
• Collect and analyze network intrusion artifacts and evidence of malicious network activity
• Reconstruct the series of events leading to a compromise or breach
• Collect, process, analyze, and preserve digital evidence in criminal cases.

17 (6 marks) In digital forensic investigations, several techniques and standards are employed for the preservation of data to ensure its integrity and admissibility as evidence. Some of these techniques and standards include:

1. Forensic Imaging:

2. Write Protection:

3. Chain of Custody:

4. Hashing:

5. Data Verification:

6. Documentation and Reporting:

7. Adherence to Standards:

18 (6 marks) Anti-forensics is a term that stands in opposition to cyber forensics. It attempts to negatively affect the amount and quality of evidence from a crime scene, or to make the analysis and examination of evidence difficult or impossible to conduct.

Anti-forensic techniques are actions whose goal is to prevent a proper investigation or make it much harder. These actions are aimed at reducing the quality and quantity of digital evidence. They are deliberate actions not only of computer users but also of developers who write programs secured in advance against the methods of cyber forensics.

Anti-forensic techniques include activities such as the intentional deletion of data by overwriting it with new data, and the use of tools that protect against forensic analysis. Anti-forensic techniques can be used to increase security, for example by erasing and overwriting data so that it cannot be read by unauthorized persons. These techniques can also be misused by perpetrators of cybercrimes to avoid disclosure of their actions.

19 (12 marks) Digital forensics involves creating copies of a compromised device and then using various techniques and tools to examine the information. Digital forensics techniques help inspect unallocated disk space and hidden folders for copies of encrypted, damaged, or deleted files. Here are common techniques:

Reverse Steganography

Stochastic Forensics

Cross-drive Analysis

Live Analysis

Deleted File Recovery

Digital Forensic Tools

20 (12 marks) The field of digital forensics is closely intertwined with legal aspects, as digital evidence plays a crucial role in legal investigations and proceedings. Here are some key legal aspects relevant to digital forensics:

1. Legal Authority and Jurisdiction:

2. Chain of Custody:

3. Privacy and Data Protection Laws:

4. Rules of Evidence:

5. Expert Testimony:

6. Legal Preservation and Retention:

7. Legal Challenges and Admissibility:

8. Cross-Border Investigations:

21 (12 marks) Input and output devices play a significant role in digital forensics as they are used to interact with and analyze digital systems. Here are some common input and output devices used in digital forensics:

Input Devices:

1. Keyboards:

2. Mice and Pointing Devices:

3. Touchscreens:

4. Digital Cameras and Scanners:

5. Forensic Imaging Tools:

Output Devices:

1. Monitors and Screens:

2. Printers:

3. External Storage Devices:

4. Forensic Write-Blockers:

5. Projectors:

22 (12 marks) Operating System

An operating system is defined as the bundle of software that acts as an interface between the user and the hardware. It makes it easier for the user to work on the complex hardware.

Here are some terms which will help us understand the OS architecture in a much better way.

• Kernel:
• Shell:

These two are the major components of an operating system.

Different Types of OS Architecture

The operating system architecture is of four types. These types are mentioned below.

• Monolithic Architecture
• Layered Architecture
• Microkernel Architecture
• Hybrid Architecture

23 (12 marks) The Nine Phases of Digital Forensics

There are nine steps that digital forensic specialists usually take while investigating digital evidence.

1. First Response

2. Search and Seizure

3. Evidence Collection

4. Securing of the Evidence

5. Data Acquisition

6. Data Analysis

7. Evidence Assessment

8. Documentation and Reporting

9. Expert Witness Testimony

24 (12 marks) The principles of digital forensic acquisition form the foundation for acquiring and preserving digital evidence in a forensically sound manner. These principles ensure that the integrity, authenticity, and admissibility of the evidence are maintained throughout the investigation. Here are the key principles of digital forensic acquisition:

1. Legal Authority:

2. Volatility:

3. Documentation:

4. Preservation of Original Data:

5. Verification:

6. Chain of Custody:

7. Validation:

8. Transparency and Replicability:

9. Privacy Considerations:

10. Expertise and Training:

25 (12 marks) OS (Operating System) and file system forensics are crucial aspects of digital forensics that focus on the examination and analysis of operating systems and file systems for the purpose of uncovering digital evidence. These areas involve investigating the structures, artifacts, and activities related to the operating system and file system to gather valuable information during forensic investigations.

Techniques and Tools for OS and File System Forensics:

1. Disk Imaging:

2. File Recovery:

3. File Metadata Analysis:

4. File System Analysis:

5. Registry Analysis:

6. Log File Analysis:

7. User Account Analysis:

8. Malware Analysis:

Challenges and Potential Findings:

1. Encryption:

2. Anti-Forensic Techniques:

3. Fragmentation:

4. Data Hiding:

5. User Artifacts:

6. Timestamp Analysis:

26 (12 marks) Facts need not be proved under the Evidence Act 1872 – discuss

Section 56 – Facts judicially noticeable need not be proved;

Section 58 – Facts admitted need not be proved

Section 114 – Court may presume the existence of certain facts – The Court may presume the existence of any fact which it thinks likely to have happened, regard being had to the common course of natural events, human conduct, and public and private business, in their relation to the facts of the particular case. For example, a person may be presumed to be dead if his whereabouts are not known for seven years. Such facts need not be proved.

27 (12 marks) Computer, network, and system attacks are prevalent in the digital landscape, and understanding their characteristics, motivations, and potential impacts is essential for digital forensic investigations. Here are different types of attacks commonly encountered:

1. Malware Attacks:

2. Network Attacks:

3. Social Engineering Attacks:

4. Web Application Attacks:

5. Insider Attacks:

28 (12 marks) Case Study 1: Web Server Breach and Data Theft

Case Study 2: Analysis of Web Application Logs in Fraud Investigation

Case Study 3: Online Fraud Investigation and Digital Evidence Extraction
