
CF Unit No: I

• What is Cyber forensics? Explain Need of it.


ANS:
Computer forensics is a field of technology that uses investigative techniques
to identify, preserve and recover evidence from computing devices. Often the
evidence is intended for use in a court of law, so it has to be collected and
handled in a way that keeps it admissible. Computer forensics also covers
work outside of investigations: practitioners are sometimes called on to
recover lost data from drives that have failed, servers that have crashed or
operating systems that have been reformatted.
Cyber forensics is the process of extracting data as proof of a crime (one
that involves electronic devices) while following proper investigation rules,
so that the evidence can be presented in court to identify the culprit. Cyber
forensics is also known as computer forensics. Its main aim is to maintain an
unbroken thread of evidence and documentation that shows who did what, on
which device, and when. Cyber forensics can do the following:
• Recover deleted files, chat logs, emails, etc.
• Recover deleted SMS messages and call records from phones.
• Recover call recordings or other audio that is stored on a device.
• Determine which user used which system and for how long (from logon and
logoff records).
• Identify which user ran which program (from execution artifacts such as
prefetch files, registry entries and application logs).

Need for CF:


Cyber forensics is needed for the investigation of crime and for law
enforcement. In cases such as hacking and denial-of-service (DoS) attacks,
the computer system itself is the crime scene, and the evidence of the crime
is present on it: browsing history, emails, documents, logs and so on. Such
evidence from a computer system can be used in a court of law to settle
allegations or to clear innocent people of charges, provided it was
collected and preserved correctly.

Why is cyber forensics important?


In today's technology-driven generation the importance of cyber forensics is
immense. Technology combined with forensic science paves the way for quicker
investigations and more accurate results. The points below show the
importance of cyber forensics:
• It helps collect the digital evidence needed to trace the criminal.
• Electronic equipment stores massive amounts of data that an ordinary user
never sees. For example, in a smart house the voice assistants and smart
devices record spoken commands and actions, and this data can be crucial
in an investigation.
• It helps innocent people prove their innocence through the evidence
collected from digital sources.
• It is used not only to solve digital crimes but also real-world crimes
such as theft and murder, where phones, vehicles and online accounts hold
evidence of location, contacts and timing.
• Businesses benefit equally, using cyber forensics to trace system breaches
and identify the attackers.

• Write a note on Forensic Triad.


ANS:

• Explain Role of maintaining Professional Conduct in cybercrime


Investigation
ANS:
• State and Explain steps in Computer/Cyber Forensic Investigation
Process.
ANS:
• Explain procedures for private sector High-Tech Investigations as
an Investigator.
ANS:
Understanding Private-Sector Investigations:
Private-sector investigations involve private companies and lawyers who
address company policy violations and litigation disputes (example: wrongful
termination). Businesses strive to minimize or eliminate litigation.
Private-sector crimes can involve e-mail harassment, falsification of data,
gender and age discrimination, embezzlement, sabotage, and industrial
espionage.
Businesses can reduce the risk of litigation by publishing and maintaining
policies that employees find easy to read and follow. The most important
policies define rules for using the company's computers and networks; these
are known as an acceptable use policy (AUP).
Line of authority: the policy states who has the legal right to initiate an
investigation, who can take possession of evidence, and who can have access
to evidence.
A business can also reduce its exposure to litigation by displaying a warning
banner on computer screens. The banner informs end users that the
organization reserves the right to inspect computer systems and network
traffic at will, so that users cannot later claim an expectation of privacy
on company systems. Sample text that can be used in internal warning
banners:
• Use of this system and network is for official business only.
• Systems and networks are subject to monitoring at any time by the owner.
• Using this system implies consent to monitoring by the owner.
• Unauthorized or illegal users of this system or network will be subject to
discipline or prosecution.
Businesses are advised to specify an authorized requester who has the power
to initiate investigations. Examples of groups with this authority:
• Corporate security investigations
• Corporate ethics office
• Corporate equal employment opportunity office
• Internal auditing
• The general counsel or legal department
During private investigations, you search for evidence to support allegations
of violations of a company's rules or an attack on its assets. Three types of
situations are common:
• Abuse or misuse of computing assets
• E-mail abuse
• Internet abuse
A private-sector investigator's job is to minimize risk to the company.
The distinction between personal and company computer property can be
difficult with cell phones, smartphones, personal notebooks, and tablet
computers in a bring your own device (BYOD) environment. Some companies
state in policy that if you connect a personal device to the business
network, it falls under the same rules as company property; the investigator
should confirm that such a policy exists and that the user accepted it
before examining a personal device.

• How to set up your workstation for digital Forensics?


ANS:
Setting Up Your Workstation for Digital Forensics:
Basic requirements:
• A workstation running Windows XP or later (the textbook baseline; in
practice use a currently supported release that runs your validated tools)
• A write-blocker device, so the suspect drive can be read without any write
ever reaching it
• A digital forensics acquisition tool
• A digital forensics analysis tool
• A target drive to receive the source or suspect disk data (larger than the
suspect drive, and wiped before use so no earlier case data remains on it)
• Spare PATA or SATA ports
• USB ports
Additional useful items:
• Network interface card (NIC)
• Extra USB ports
• FireWire 400/800 ports
• SCSI card
• Disk editor tool
• Text editor tool
• Graphics viewer program
• Other specialized viewing tools
• Write a note on Digital Evidence
ANS:
• Explain in detail the field of digital forensics.
ANS:

Digital forensics is the process of identifying, preserving, collecting,
analyzing and presenting electronic data that may be useful in an
investigation. It includes data from hard drives in computers, mobile phones,
smart appliances, vehicle navigation systems, electronic door locks, and
other digital devices. The goal of digital forensics is to collect, analyze,
and preserve evidence in a way that keeps it admissible.
Steps of Digital Forensics
Now that you understand what digital forensics is, let's look at its steps:

Identification
This is the initial stage, in which the individuals or devices to be analyzed
are identified as likely sources of significant evidence.

Preservation
This stage focuses on safeguarding relevant electronically stored information
(ESI) by securing the scene and the devices, documenting relevant information
such as photographs of the scene and how each item was obtained, and making
sure nothing is altered before it is collected.

Collection
The collection of digital information, which may entail removing electronic
devices from the crime/incident scene and imaging (copying) or printing their
contents, is critical to the investigation. Copies are verified with
cryptographic hashes so that later analysis can be shown to have been done on
an exact duplicate.

Analysis
This is a methodical examination of the information gathered. It produces
data objects, including system and user-generated files, and seeks specific
answers and points of departure for conclusions.

Documentation
These are tried-and-true procedures for recording the analysis's conclusions;
they must allow other competent examiners to read through and reproduce the
results.

Presentation
The findings are summarized and explained, typically in a written report and
in testimony, in terms that a non-technical audience such as a court, jury or
management can follow, with the supporting evidence and methods available for
review.

• Briefly explain how to prepare for computer investigations.


ANS:
Computer Forensics Investigations:
Policy and Procedure Development.
Evidence Assessment.
Evidence Acquisition.
Evidence Examination.
Documenting and Reporting.
Policy and Procedure Development
Whether related to malicious cyber activity, criminal conspiracy or the intent to
commit a crime, digital evidence can be delicate and highly sensitive. Cybersecurity
professionals understand the value of this information and respect the fact that it can
be easily compromised if not properly handled and protected. For this reason, it is
critical to establish and follow strict guidelines and procedures for activities related to
computer forensic investigations. Such procedures can include detailed instructions
about when computer forensics investigators are authorized to recover potential
digital evidence, how to properly prepare systems for evidence retrieval, where to
store any retrieved evidence, and how to document these activities to help ensure
the authenticity of the data.

Evidence Assessment
A key component of the investigative process involves the assessment of potential
evidence in a cyber crime. Central to the effective processing of evidence is a clear
understanding of the details of the case at hand and thus, the classification of cyber
crime in question. For instance, if an agency seeks to prove that an individual has
committed crimes related to identity theft, computer forensics investigators use
sophisticated methods to sift through hard drives, email accounts, social networking
sites, and other digital archives to retrieve and assess any information that can serve
as viable evidence of the crime. This is, of course, true for other crimes, such as
engaging in online criminal behavior like posting fake products on eBay or Craigslist
intended to lure victims into sharing credit card information. Prior to conducting an
investigation, the investigator must define the types of evidence sought (including
specific platforms and data formats) and have a clear understanding of how to
preserve pertinent data. The investigator must then determine the source and
integrity of such data before entering it into evidence.

Evidence Acquisition
Perhaps the most critical facet of successful computer forensic investigation is a
rigorous, detailed plan for acquiring evidence. Extensive documentation is needed
prior to, during, and after the acquisition process; detailed information must be
recorded and preserved, including all hardware and software specifications, any
systems used in the investigation process, and the systems being investigated. This
step is where policies related to preserving the integrity of potential evidence are
most applicable. General guidelines for preserving evidence include the physical
removal of storage devices, using controlled boot media or a write-blocker so the
suspect media is never written to, and taking appropriate steps to copy and
transfer evidence to the investigator's system, verifying each copy with a hash.

Evidence Examination
In order to effectively investigate potential evidence, procedures must be in place for
retrieving, copying, and storing evidence within appropriate databases. Investigators
typically examine data from designated archives, using a variety of methods and
approaches to analyze information; these could include utilizing analysis software to
search massive archives of data for specific keywords or file types, as well as
procedures for retrieving files that have been recently deleted. Data tagged with
times and dates is particularly useful to investigators, as are suspicious files or
programs that have been encrypted or intentionally hidden.
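The two techniques named above, recovering recently deleted files and searching an archive for keywords, are shown below as an added example in Python; it is not from the original notes and not from any named tool. It carves JPEG and PNG files out of a constructed chunk of unallocated space by header and trailer signature, without relying on file system metadata, and runs a keyword search over the same bytes. The signature table, the constructed sample bytes and the function names are assumptions made for the illustration.

```python
import re

# Header/trailer byte signatures for the file types carved. Constructed for this
# example; production carvers (scalpel, PhotoRec, foremost) ship far larger tables.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 10 * 1024 * 1024  # stop looking for a trailer after this many bytes


def carve(image, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Signature-based carving over raw bytes.

    Works on the image itself rather than the file system, so it also finds files
    whose directory entries were deleted. A header with no trailer within max_size
    is reported as incomplete (fragmented, partly overwritten, or still open when
    imaged) instead of being guessed at. Caveat: a JPEG that embeds a thumbnail
    contains an inner FF D9, so carved JPEGs can be truncated and should be opened
    and checked before being relied on.
    """
    found = []
    for ftype, (header, trailer) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(trailer, start + len(header), start + max_size)
            if end < 0:
                found.append({"type": ftype, "offset": start, "size": None,
                              "complete": False, "data": None})
                pos = start + len(header)
                continue
            end += len(trailer)
            found.append({"type": ftype, "offset": start, "size": end - start,
                          "complete": True, "data": image[start:end]})
            pos = end
    return sorted(found, key=lambda f: f["offset"])


def keyword_hits(image, keywords, context=16):
    """Case-insensitive keyword search over the raw image, which also covers
    slack space and unallocated clusters that a file-level search misses."""
    hits = []
    for kw in keywords:
        for m in re.finditer(re.escape(kw.encode()), image, re.IGNORECASE):
            lo, hi = max(0, m.start() - context), min(len(image), m.end() + context)
            hits.append({"keyword": kw, "offset": m.start(), "context": image[lo:hi]})
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_image():
    """Constructed 'unallocated space': a deleted JPEG, a text fragment, a PNG and
    a JPEG header whose body was overwritten, separated by zeroed clusters."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(1, 60)) + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + bytes(range(60, 100))
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    truncated = b"\xff\xd8\xff\xe1" + b"\x11" * 20
    text = b"invoice for ACME Corp, wire to account 1234\n"
    return (bytes(512) + jpeg + bytes(200) + text + bytes(300) + png
            + bytes(100) + truncated + bytes(512))


if __name__ == "__main__":
    img = build_sample_image()
    for f in carve(img):
        print(f["type"], f["offset"], f["size"], "complete" if f["complete"] else "INCOMPLETE")
    for h in keyword_hits(img, ["acme", "wire"]):
        print(h["keyword"], h["offset"], h["context"])
```

On a real case the `image` argument would be the raw disk image read in large chunks (and signatures that straddle chunk boundaries handled), and every carved object would be hashed and logged with its offset so the report can say exactly where in the evidence it came from.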

Documenting and Reporting


In addition to fully documenting information related to hardware and software specs,
computer forensic investigators must keep an accurate record of all activity related to
the investigation, including all methods used for testing system functionality and
retrieving, copying, and storing data, as well as all actions taken to acquire, examine
and assess evidence. Not only does this demonstrate how the integrity of user data
has been preserved, but it also ensures proper policies and procedures have been
adhered to by all parties. As the purpose of the entire process is to acquire data that
can be presented as evidence in a court of law, an investigator’s failure to accurately
document his or her process could compromise the validity of that evidence and
ultimately, the case itself.
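As an added example of the record-keeping this section describes (and of the chain of custody documentation in step 5 of securing a crime scene, later on the page), not code from the original notes, the Python below keeps a hash-chained chain-of-custody log: each entry carries the SHA-256 of the previous entry, so any later edit or deletion of an entry is detected when the log is verified, and the evidence hash recorded at every hand-off is compared to catch an item that changed between handlers. The evidence identifier, the handler names and the timestamps are constructed for the illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry in a log


def entry_hash(entry):
    """SHA-256 of the entry serialised as canonical JSON (sorted keys, no
    whitespace) so that the same facts always produce the same digest."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody log. Each entry links to the digest of the
    previous one, so editing or deleting any past entry breaks every later link
    and is reported by verify()."""

    def __init__(self):
        self.entries = []

    def add(self, evidence_id, action, handler, evidence_sha256, when, note=""):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "evidence_id": evidence_id,
            "action": action,              # seized / transferred / imaged / examined / stored
            "handler": handler,
            "evidence_sha256": evidence_sha256,
            "when": when,                  # ISO 8601 with zone, from a trusted clock
            "note": note,
            "prev_hash": prev,
        }
        entry["entry_hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, otherwise (False, index)
        of the first entry whose own hash or link to its predecessor fails."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or entry_hash(body) != e["entry_hash"]:
                return False, i
            prev = e["entry_hash"]
        return True, None

    def evidence_unchanged(self, evidence_id):
        """True if every entry for the item records the same evidence hash; a
        difference means the item was altered somewhere between two handlers."""
        hashes = {e["evidence_sha256"] for e in self.entries if e["evidence_id"] == evidence_id}
        return len(hashes) == 1


def demo():
    """Constructed scenario: one laptop drive handled by two people, then copies
    of the log with one handler name edited and with one entry removed."""
    drive_hash = hashlib.sha256(b"constructed image of drive E-2024-017").hexdigest()
    log = CustodyLog()
    log.add("E-2024-017", "seized", "A. Patel", drive_hash,
            "2024-03-10T09:12:00+00:00", "laptop HDD, evidence bag 41")
    log.add("E-2024-017", "transferred", "R. Gomez", drive_hash,
            "2024-03-10T11:40:00+00:00", "handed to lab, seals intact")
    log.add("E-2024-017", "imaged", "R. Gomez", drive_hash,
            "2024-03-11T08:05:00+00:00", "raw image via write-blocker, hash verified")
    intact, _ = log.verify()

    edited = CustodyLog()
    edited.entries = [dict(e) for e in log.entries]
    edited.entries[1]["handler"] = "Unknown"       # the kind of edit the chain must expose
    edited_ok, edited_index = edited.verify()

    deleted = CustodyLog()
    deleted.entries = [dict(e) for e in log.entries if e["action"] != "transferred"]
    deleted_ok, deleted_index = deleted.verify()

    return {"intact": intact,
            "edited_ok": edited_ok, "edited_index": edited_index,
            "deleted_ok": deleted_ok, "deleted_index": deleted_index,
            "evidence_unchanged": log.evidence_unchanged("E-2024-017")}


if __name__ == "__main__":
    print(demo())
```

The chain only proves that the log has not been altered since each entry was written; it still relies on entries being written by the named handler at the time stated, which is why the signed paper form, the tamper-evident bag seal numbers and the `note` field travel with the item.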
• Differentiate between public-sector and private-sector
investigations.
ANS:

In the forensics context the distinction is about who conducts the
investigation and under what authority. A public-sector investigation is
conducted by a government agency (police or other law enforcement) that is
responsible for criminal investigation and prosecution, so it is bound by
criminal law and the rules of search and seizure (warrants, and in the United
States the Fourth Amendment). A private-sector investigation is conducted by
or for a company to address violations of company policy or civil litigation,
under the company's own policies and contract law rather than criminal
procedure, although it may hand evidence to law enforcement if a crime is
uncovered. The general distinction between the two sectors is as follows.

Public Sector
The public sector consists of organisations that are owned and controlled by
the government of a country. The ownership and control of the central or
state government in these organisations is either complete or partial, but
the government holds a majority stake and makes the decisions about running
the entity. These organisations include government agencies, state-owned
enterprises, municipalities, local government authorities and other public
service institutions.

Private Sector
Private-sector enterprises are owned, controlled and managed either by
individuals or by business entities. They can be small-, medium- or
large-scale organisations. They are formed to earn a profit from their
business operations, and they can raise funding from individuals, groups and
the general public.

Differences between Public and Private Sector

The main differences between the public and private sectors are as follows:

Definition
Public sector: organisations owned, controlled and managed by the government
or other state-run bodies.
Private sector: organisations owned, controlled and managed by individuals,
groups or business entities.

Ownership
Public sector: ownership by central, state or local government bodies, either
full or partial.
Private sector: ownership by individuals or entities, with no government
ownership stake.

Motive
Public sector: to engage in activities that serve the general public.
Private sector: to earn profits from business operations.

Source of Capital
Public sector: tax collections, excise and other duties, bonds, treasury
bills, etc.
Private sector: the owners' funds, loans, issuing shares and debentures, etc.

Employment Benefits
Public sector: job security, housing facilities, allowances and retirement
benefits.
Private sector: higher salary packages, better chances of promotion and
recognition, a competitive environment and greater incentives such as
bonuses.

Stability
Public sector: jobs are very stable, since the chance of being sacked for
non-performance is very low.
Private sector: jobs are less secure; non-performance can lead to dismissal,
and companies also lay people off when cutting costs or scaling down
operations.

Promotions
Public sector: promotion is generally based on the seniority of the employee.
Private sector: promotion is generally based on the merit and job performance
of the employee.

Areas
Public sector: police, military, mining, manufacturing, healthcare, education,
transport, banking, etc.
Private sector: information technology, finance, fast-moving consumer goods,
construction, hospitality, pharmaceuticals, etc.

• Describe all the physical requirements for a digital forensics lab.


ANS:
• Explain the criteria for selecting a basic forensic workstation.
ANS:
• Describe the components used to build a business case for
developing a forensics lab.
ANS:
• List the digital evidence storage formats?
ANS:
Data acquired by a forensics acquisition tool is stored as an image file, in
one of three formats:
• Raw format
• Proprietary formats
• Advanced Forensics Format (AFF)
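An added Python example (not code from the original notes or from any forensic tool) of the raw format and of the hash-verified acquisition described under "Evidence Acquisition" above: it images a constructed source sector by sector, zero-fills unreadable sectors the way dd conv=noerror,sync does so that offsets in the image still match the device, records MD5 and SHA-256 of what was written, and re-hashes the finished image before it is accepted. The FlakyDevice stand-in and SAMPLE_SOURCE are assumptions made for the illustration; a real source would be a block device behind a hardware write-blocker.

```python
import hashlib
import io

SECTOR = 512

# Constructed "suspect drive": 32 sectors of deterministic bytes. In real work the
# source is a block device opened read-only behind a hardware write-blocker.
SAMPLE_SOURCE = bytes((i * 7 + 3) % 256 for i in range(32 * SECTOR))


class FlakyDevice:
    """Read-only file-like stand-in for a drive with unreadable sectors. A read
    that starts inside a bad sector raises OSError (errno 5) like a real device."""

    def __init__(self, data, bad_sectors=()):
        self._buf = io.BytesIO(data)
        self._bad = set(bad_sectors)

    def seek(self, offset):
        return self._buf.seek(offset)

    def read(self, n):
        if self._buf.tell() // SECTOR in self._bad:
            raise OSError(5, "Input/output error")
        return self._buf.read(n)


def acquire_raw(source, dest, total_bytes, sector=SECTOR):
    """Sector-by-sector copy of `source` into `dest`, producing a raw image.

    Unreadable sectors are zero-filled so every offset in the image still matches
    the device (what dd conv=noerror,sync does) and their numbers are returned
    for the acquisition report. Two digests are computed over the bytes written:
    MD5 because older tools and report templates still expect it, and SHA-256
    because MD5 collisions are practical and a stronger hash may be required.
    """
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    bad, written = [], 0
    for sector_no in range((total_bytes + sector - 1) // sector):
        source.seek(sector_no * sector)
        try:
            chunk = source.read(sector)
        except OSError:
            chunk = b"\x00" * sector
            bad.append(sector_no)
        dest.write(chunk)
        sha256.update(chunk)
        md5.update(chunk)
        written += len(chunk)
    return {"bytes": written, "bad_sectors": bad,
            "sha256": sha256.hexdigest(), "md5": md5.hexdigest()}


def hash_stream(fileobj, algo="sha256", chunk_size=1 << 20):
    """Re-hash the finished image; the result must match the digest recorded
    during acquisition before the image is entered into evidence."""
    h = hashlib.new(algo)
    fileobj.seek(0)
    for block in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(block)
    return h.hexdigest()


def demo(bad_sectors=(5,)):
    """Image the constructed drive (bad sector 5 by default) and verify the image."""
    image = io.BytesIO()
    record = acquire_raw(FlakyDevice(SAMPLE_SOURCE, bad_sectors), image, len(SAMPLE_SOURCE))
    record["verified"] = hash_stream(image) == record["sha256"]
    # With a bad sector the image cannot equal the source hash; the report must say so.
    record["matches_source"] = record["sha256"] == hashlib.sha256(SAMPLE_SOURCE).hexdigest()
    record["image"] = image.getvalue()
    return record


if __name__ == "__main__":
    r = demo()
    print(r["bytes"], "bytes, bad sectors:", r["bad_sectors"])
    print("sha256:", r["sha256"], "verified:", r["verified"])
```

A raw image carries no metadata of its own, which is the format's weakness: the hashes, the bad-sector list, the device serial and the examiner's name must be recorded separately (the proprietary formats and AFF embed them in the image file). Note also that the drive's own hash, taken over the same bytes, can only be compared when every sector was readable.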
• Briefly explain how to use remote network acquisition tools.
ANS:
Recent improvements in computer forensics tools include the capability to
acquire disk data or data fragments (sparse or logical acquisitions)
remotely. With this feature, you connect to a suspect computer over a network
connection and copy data from it. Remote acquisition tools vary in
configuration and capability: some require manual intervention on the remote
suspect computer to initiate the copy; others can acquire data surreptitiously
over an encrypted link by pushing a remote access agent to the suspect's
computer. From an investigation perspective, connecting to a suspect's
computer remotely to perform an acquisition has tremendous appeal. It saves
time because you do not have to travel to the suspect's computer, and it
minimizes the chances of the suspect discovering that an investigation is
taking place. Most remote acquisitions have to be done as live acquisitions,
not static acquisitions: the system keeps running while it is copied, so the
result is not a bit-for-bit match of a powered-off disk, the agent itself
changes the system state (memory, logs, possibly files), and the investigator
must record exactly what was run, when, and over which connection.
Remote Acquisition with ProDiscover:
Two versions of ProDiscover can perform remote acquisitions: ProDiscover
Investigator and ProDiscover Incident Response. When connected to a remote
computer, both tools use the same ProDiscover acquisition method described
previously. After the connection is established, the remote computer is
displayed in the Capture Image dialog box.
• List other forensics tools available for data acquisitions.
Ans:
• Explain the following terms:
1) Raw Format
2) Proprietary Format
3) Advance Forensic Format
ANS:
CF Unit No: II

• Write a note on Identifying Digital Evidence.


ANS:
• Explain the steps involved in preparing for search and seizure of
computers or digital devices in digital investigations?
ANS:
• What are the best ways to determine the tools you need for
digital Investigation.
ANS:

• Write a note on Securing a Digital Incident or Crime scene.


ANS:
• Explain Processing incident or crime scene.
ANS:
• Write a note on Storing Digital Evidence.
ANS:
• How to Document the Evidence? What are the precautions
needs to take during Documenting Evidence.
ANS:

• Write a note on Determining what data to collect and analyse


during computer forensics analysis and Validation.
ANS:

• Explain different types of Computer forensic tools.


• Explain Types of Digital Forensics Tools.
ANS:
• Write a note on data hiding techniques in detail.
ANS:
• Write a note on recovering graphic files.
ANS:
• Explain implementation of steganography in graphics files.
ANS:
• Describe how to collect evidence at private-sector from incident
scenes.
ANS:
• What are the guidelines for processing law enforcement crime
scenes?
ANS:
• Describe how to secure a computer incident or crime scene.
ANS:

Here are the five steps that are essential to securing a digital crime scene.

1. Take control of the crime scene. Unauthorised personnel must not be
permitted access to the digital crime scene or the digital evidence. Have
the proper warrants, court notices, etc. ready before doing this.

2. Identify, enumerate and isolate sources of digital evidence. Document
the unique serial numbers, attach labels to each piece of evidence, identify
all cable connections, etc. Networked devices will need to be disconnected
from both wired and wireless networks to prevent remote spoilage of
evidential data (a remote wipe, a synced deletion, or an attacker covering
tracks). Before pulling the cable on a running system, decide whether
volatile data (running processes, network connections, memory, mounted
encrypted volumes) must be captured first, because disconnecting or powering
off destroys it; record the decision either way. Any other possible modes of
spoilage also need to be tackled at this point.

3. Document the crime scene. Photography of the crime scene is essential:
the layout, the connections of the computer, the external devices attached,
what is on screen, and so on.

4. Document the computer date and time and compare it with a trusted
reference clock read at the same moment, so that the dates and times of
evidence found on the digital media can be cross-referenced to real time
later.

5. Create evidence seizure and chain of custody documentation, and get the
bag-and-tag accessories ready in preparation for the next stage.

Once the digital crime scene is secure, then and only then can you begin the
process of evidence seizure.
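Step 4 in practice, as an added Python example that is not part of the original notes: record the offset between the suspect's clock and a trusted reference, convert timestamps found in their native formats (Windows FILETIME, Unix epoch seconds, a local-time log line) to UTC, and apply the offset so that artefacts from the same machine line up on one real-time timeline. The clock readings, the artefacts and their values are constructed for the illustration.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)


def clock_offset(suspect_clock, reference_clock):
    """Offset to add to any timestamp taken from the suspect system to obtain
    real time. Both readings are taken at the same moment: the suspect's BIOS or
    OS clock, and a trusted NTP- or GPS-synced reference. Naive datetimes are
    refused, because a missing zone is exactly the mistake this step exists to
    catch."""
    if suspect_clock.tzinfo is None or reference_clock.tzinfo is None:
        raise ValueError("use timezone-aware datetimes")
    return reference_clock - suspect_clock


def filetime_to_utc(filetime):
    """Windows FILETIME (100-ns ticks since 1601-01-01 UTC, used by NTFS and the
    registry) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def unix_to_utc(seconds):
    """Unix epoch seconds (ext4 timestamps, shell history, most logs) to UTC."""
    return datetime.fromtimestamp(seconds, tz=UTC)


def build_timeline(events, offset):
    """Apply the offset and return (label, corrected UTC ISO string) pairs sorted
    by real time, so artefacts from different sources can be cross-referenced."""
    corrected = sorted(((label, ts + offset) for label, ts in events), key=lambda e: e[1])
    return [(label, ts.astimezone(UTC).isoformat()) for label, ts in corrected]


def demo():
    """Constructed scene notes: the suspect's clock read 14:05:00 UTC when the
    examiner's reference read 14:12:30 UTC, so the machine ran 7m30s slow."""
    suspect_clock = datetime(2023, 3, 10, 14, 5, 0, tzinfo=UTC)
    reference_clock = datetime(2023, 3, 10, 14, 12, 30, tzinfo=UTC)
    offset = clock_offset(suspect_clock, reference_clock)
    # Constructed artefacts from the same machine, each in the form it is found in.
    events = [
        ("report.docx created (NTFS FILETIME)", filetime_to_utc(133229304600000000)),
        ("rm command in .bash_history (Unix epoch)", unix_to_utc(1678456680)),
        ("syslog entry (local time, UTC+05:30)",
         datetime(2023, 3, 10, 19, 30, 0, tzinfo=timezone(timedelta(hours=5, minutes=30)))),
    ]
    return offset, build_timeline(events, offset)


if __name__ == "__main__":
    offset, timeline = demo()
    print("clock offset:", offset)
    for label, when in timeline:
        print(when, label)
```

The offset is only valid for timestamps the suspect machine wrote itself; entries from a server or a phone have their own clocks and need their own offsets, and a clock that was changed during the period of interest shows up as events that sort in an impossible order, which is itself worth noting in the report.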

• Explain the necessary guidelines for seizing digital evidence at a


crime scene.
ANS:
• What are the procedures for storing digital evidence?
ANS:
