Q).

What are the common examples of email crime & violations that may
necessitate investigation? Explain any one in detail? [9M] Ans:-
Common Examples of Email Crimes & Violations:

1. Phishing Attacks

2. Email Spoofing

3. Spamming

4. Malware Distribution

5. Harassment or Threatening Emails

6. Unauthorized Access to Email Accounts

7. Business Email Compromise (BEC)

Spamming
Spamming is the act of sending unsolicited bulk messages, typically
through email, instant messaging, or social media platforms.
1. Purpose:
o To advertise products, services, or scams.
o To spread malware or phishing links.
2. Types:
o Email spam: Unwanted promotional or fraudulent emails.
o SMS spam: Unsolicited text messages.
o Social media spam: Fake posts, comments, or messages.
3. Impact:
 o Wastes time and resources.
o Poses security risks like phishing and malware attacks.
4. Prevention:
o Use spam filters in email services.
o Avoid clicking on unknown links.
o Report spam to service providers.

Explanation of Phishing Attacks

• Definition: Phishing is a type of cybercrime where attackers send fake
emails pretending to be from trusted organizations like banks,
government agencies, or companies.
• Objective: The main goal is to trick the victim into sharing sensitive
information like passwords, credit card details, or login credentials.
• How it Works:

1. The attacker sends an email with a fake link or attachment.

2. The email appears real (e.g., uses logos or names of trusted

organizations).

3. When the victim clicks the link, it redirects them to a fake

website.

4. The victim enters personal information, which gets stolen.

• Example: An email pretending to be from a bank asking you to "verify
your account" by entering your bank credentials on a fake link.
Q). Explain any software tool using in computer forensics investigation and
its respective purpose . [9M]
Ans:- Software Tool Used in Computer Forensics Investigation
Tool Name: Autopsy

Purpose:
Autopsy is an open-source digital forensics tool used for analyzing digital
devices like computers, mobile phones, and storage drives during
investigations.

Uses of Autopsy:
1. File Recovery: Recovers deleted files, images, and documents.

2. Keyword Search: Helps find specific words or data in files and emails.

3. Timeline Analysis: Tracks the timeline of user activities on the

system.

4. Email Analysis: Examines emails for evidence.

5. Malware Detection: Identifies harmful files or viruses.

Why Autopsy is Used:

It is easy to use, fast, and free. Investigators use it to find hidden evidence
from devices during cybercrime cases.
Limitations of Autopsy:
1. Limited OS Support: Primarily works on Linux and Windows, may not
support all operating systems.

2. Requires Technical Knowledge: Not beginner-friendly; needs

expertise in digital forensics.

3. Limited Analysis for Encrypted Data: Struggles with analyzing

encrypted files without the decryption key.
 4. Slow for Large Data Sets: Can be slow when dealing with very large
drives or data volumes.

5. No Real-Time Analysis: Works on already collected data, not for live

investigations.
Use Cases of Autopsy:

1. Investigating Data Theft: Recover deleted files to check for stolen

information.

2. Cybercrime Investigations: Analyze computers or mobile devices to

find evidence of illegal activities.

3. Email Fraud Cases: Search emails for fraudulent activities or evidence

of phishing.

4. Incident Response: Help organizations detect and analyze a security

breach.

Q). Write short note (any two) [18M]

a) Computer forensics hardware tools
b) Validating & testing forensics software
c) e-mail investigation
d) Ans:- a). Computer forensics hardware tools :
Computer Forensics Hardware Tools
These tools help collect, preserve, and analyze digital evidence from
devices during investigations.
1. Write Blockers
o Prevent modification of data on storage devices while accessing
them.
 o Example: Tableau Write Blocker.
2. Forensic Duplicators
o Create exact copies (clones) of storage devices for analysis.
o Example: Logicube Forensic Falcon.
3. Digital Forensics Workstations
o High-performance computers designed for analyzing large
datasets.
o Example: FRED (Forensic Recovery of Evidence Device).
4. Portable Acquisition Kits
o Compact kits with all necessary tools for on-site evidence
collection.
o Includes write blockers, cables, and storage devices.
5. Disk Imagers
o Extract data from hard drives for further analysis.
o Example: Cellebrite Digital Collector.

b) Validating & Testing Forensics Software

Validation:
Validation ensures that forensic software works as intended and provides
accurate results. It involves checking the software against known datasets
and comparing results to confirm that it correctly identifies, collects, and
analyzes digital evidence.
• Purpose: To confirm the software’s functionality and reliability.
 • Example: Running a known data set through forensic software to
ensure that it identifies all relevant files correctly.
Testing:
Testing is done by forensic experts to evaluate the software under
realworld conditions. This includes checking for bugs, performance issues,
or limitations. Testing also involves ensuring that the software produces
repeatable results.
• Purpose: To assess how well the software works in practical
applications and under different conditions.
• Example: Testing software to analyze large datasets or handle
corrupted files.

c) Email Investigation
Email investigation is the process of analyzing email communications to
detect illegal activities or find evidence of cybercrimes, fraud, or other
malicious activities. It involves analyzing the email’s content, headers, and
attachments to determine its origin and any hidden threats.
Key Components:
• Email Headers: Analyzing the header of an email helps trace the
sender’s IP address, mail servers, and time stamps, which can help
identify if the email is fraudulent or malicious.
• Content Analysis: Investigators check for suspicious content like
phishing links, malware attachments, or threatening language.
• Attachment Examination: Attachments in emails are checked for
viruses or hidden malicious code.
• Purpose: To detect fraudulent emails, phishing attempts, or malware
and to trace the origins of potentially criminal activity.
 • Example: Investigating an email that appears to be from a bank
asking the recipient to click a link to "verify" their account, which is
actually a phishing attempt to steal personal information.

Q). State the features of any five computer forensic software tools [9M]
Ans:- These software tools assist forensic investigators in retrieving,
analyzing, and preserving digital evidence in a reliable and efficient
manner.
Features of Five Computer Forensic Software Tools:

1. EnCase
• Purpose: Used for forensic investigation of computers and mobile
devices.
• Features:
o Comprehensive evidence collection and analysis. o Can recover
deleted files and emails. o Supports analysis of various file
systems (FAT, NTFS, etc.).
o Provides hash verification to ensure evidence integrity.

2. FTK (Forensic Toolkit)

• Purpose: A digital investigation tool for data analysis and evidence
recovery.
• Features:
 o Fast data indexing for quick search of files and emails. o Allows
encrypted data decryption if the key is available. o Supports
multiple file formats for evidence extraction.
o Offers detailed reporting and evidence management.

3. Autopsy
• Purpose: Open-source tool used for analyzing hard drives and
smartphones.
• Features:
o Recovers deleted files and images. o Conducts keyword
searches for specific information. o Analyzes file systems and
examines web activity.
o Supports timeline analysis to track user actions.

4. X1 Social Discovery
• Purpose: For forensic investigation of social media and web data.
• Features:
o Searches and collects data from social media platforms
(Facebook, Twitter, etc.).
o Captures web activity, emails, and chat logs.
o Can retrieve deleted social media posts and communications.
o Provides a built-in viewer to analyze multimedia evidence.

5. Disk Drill
 • Purpose: A data recovery and analysis tool for forensic investigations.
• Features:
o Recovers lost or deleted files from various storage devices. o
Supports a wide range of file formats and devices.
o Offers disk imaging and data backup features.
o Can recover files from damaged or formatted drives.

Q). Write short notes on [9M]

i) Task performed by digital forensic tool
ii) Tools for email forensics
iii) Techniques for email forensic investigation
Ans:- These techniques help uncover the truth behind email
communications and detect criminal activity like phishing or data theft.
i) Task Performed by Digital Forensic Tools
Digital forensic tools help investigators analyze and recover digital
evidence. The key tasks they perform include:
• Data Acquisition: Collecting data from storage devices like hard
drives, mobile phones, or cloud storage.
• Data Recovery: Recovering deleted, corrupted, or hidden files.
• Data Analysis: Analyzing the collected data for patterns, documents,
emails, or images related to the investigation.
• Evidence Preservation: Ensuring that the original data is not altered
during the investigation process (using write blockers).
• Reporting: Generating reports that document the findings of the
analysis for use in legal proceedings.
ii) Tools for Email Forensics
Email forensics tools help investigate and analyze email communications
for fraud, cybercrime, or other illegal activities. Some popular tools
include:

1. FTK (Forensic Toolkit): Used to collect and analyze emails and recover
deleted messages.

2. X1 Social Discovery: Analyzes social media and email data, including

metadata and email headers.

3. MailXaminer: Specifically designed to analyze email files (like PST,

OST) and extract relevant data.

4. EnCase: Can recover and analyze email data from various email
platforms and file formats.
These tools help extract email evidence, detect phishing attempts, and
track malicious activity.

iii) Techniques for Email Forensic Investigation

Email forensic investigations involve various techniques to uncover illegal
activities or fraud:
• Email Header Analysis: Checking the sender's IP address, routing
path, and time stamps in the email header to trace the origin and
detect spoofing.
• Content Analysis: Examining the email body and attachments for
suspicious links, malicious code, or signs of phishing.
• Keyword Search: Searching email content for specific terms that may
indicate fraudulent or criminal activity.
• Attachment Examination: Checking email attachments for malware,
viruses, or hidden files.
 • Tracing IP Addresses: Using the IP address from the email header to
trace the physical location of the sender.

Q). State the features of any five computer forensic hardware tools. [9M]
Ans:- These forensic hardware tools are crucial for conducting proper
investigations and ensuring that digital evidence remains complete and
accurate for legal purposes.
Features of Five Computer Forensic Hardware Tools:

1. Write Blockers
• Purpose: Prevents modification of data on storage devices during
analysis.
• Features:
o Allows read-only access to hard drives or USBs. o Ensures
evidence is not tampered with. o Compatible with multiple
storage devices (HDD, SSD, USB). o Essential for preserving the
integrity of forensic evidence.

2. Forensic Duplicators
• Purpose: Creates an exact, bit-by-bit copy of storage devices for
analysis.
• Features:
o Ensures no data is lost or altered during duplication. o Creates
forensic images (exact copies) of hard drives or memory cards.
o Supports multiple device types (SATA, IDE, SSD).
 o Allows parallel duplication of multiple drives.

3. Disk Imagers
• Purpose: Used to create exact copies (images) of storage media.
• Features:
o Captures all sectors of a storage device, including deleted data.
o Ensures the original device is not altered during analysis. o
Supports compressed or encrypted images for security. o Can
be used for further investigation without touching the original
data.

4. Evidence Recovery Devices

• Purpose: Helps recover deleted or damaged data from storage
devices.
• Features:
o Recovers files that are deleted or hidden.
o Can access physically damaged or corrupted drives. o Provides
a secure method to extract evidence from multiple types of
devices.
o Works with various file systems (FAT, NTFS, HFS).

5. Forensic Power Supplies

• Purpose: Provides power to devices that are being examined,
especially if the original power source is unavailable.
• Features:
 o Can power storage devices or computers during analysis. o
Useful for working with devices that are damaged or without
power. o Ensures controlled and stable power supply to
prevent further damage. o Essential when recovering evidence
from devices without a functional power system.

Q). Write short notes on [9M]

i) Role of client and server in email
ii) Investigating Email crimes and investigations
iii) NIST standards for forensic technologies
Ans:-
i) Role of Client and Server in Email
• Client:
The email client is software used by the user to send, receive, and
manage emails. Examples include Outlook, Thunderbird, or
webbased clients like Gmail. It allows users to compose emails, view
inboxes, and organize messages.
• Server:
The email server handles the storage, sending, and receiving of
emails. It stores all emails in a centralized location and ensures they
are delivered to the recipient’s email client. Common types of servers
include:
o SMTP (Simple Mail Transfer Protocol): Used for sending emails.
o IMAP (Internet Message Access Protocol) and POP3 (Post Office
Protocol): Used for receiving and accessing emails.

ii) Investigating Email Crimes and Investigations

Email crimes include activities like phishing, spam, fraud, or harassment,
and investigations aim to uncover illegal activities.
• Steps in Email Investigation:
o Header Analysis: Examining the email's header helps trace the
origin of the email, including the sender's IP address.
o Content Review: Investigators analyze the email body and
attachments for malicious links, phishing attempts, or illegal
content.
o Recovering Deleted Emails: Forensic tools can recover deleted
emails to find evidence.
o Tracking IP Addresses: By tracing the IP address in the email
header, investigators can locate the physical location of the
sender.
iii) NIST Standards for Forensic Technologies
The National Institute of Standards and Technology (NIST) provides
guidelines and standards for forensic technologies to ensure accuracy and
consistency in digital investigations.
• Purpose:
NIST standards help ensure that forensic tools and methods are
reliable, repeatable, and legally admissible in court.
• Key Standards:
o Digital Evidence: Guidelines for the proper handling, storage,
and documentation of digital evidence.
o Forensic Tool Validation: Ensures forensic software and
hardware tools meet specific requirements and produce
accurate results.
 o Data Integrity: Methods to ensure data remains unchanged
during an investigation.

Q). How does email play a significant role in digital investigations? What
types of information can be obtain from email Header that may be relevant
in investigations? [9M]
Ans:- Role of Email in Digital Investigations
Emails play a significant role in digital investigations because they often
contain valuable evidence related to cybercrimes, fraud, harassment, or
other illegal activities. Investigators can use email data to track suspects,
identify fraudulent activities, or recover lost communications. Email
records are often admissible in court and can link individuals to criminal
activities.

Information Obtained from Email Headers

The email header contains crucial details about the email's origin, path,
and legitimacy. Some important information from the email header
includes:

1. Sender's Email Address:

o Helps identify who sent the email.

2. Recipient's Email Address:

o Shows who the email was sent to, which may help in
connecting individuals in the investigation.

3. Date and Time:

o Indicates when the email was sent, which can establish a
timeline of events.
4. IP Address:
 o Reveals the sender's IP address, helping track the geographical
location of the sender.

5. Message-ID:
o A unique identifier for the email, helping to track the email in
case of duplicates or forwarding.

6. Mail Servers:
o Shows the path the email took through various mail servers
before reaching the recipient, useful for detecting suspicious
activity like spoofing or relay attacks.

Q). What factors should be considered when evaluating computer forensics

tool needs for an investigations. Explain any two in detail? [9M]
Ans:- These factors help ensure that the chosen forensic tool will work
effectively and securely in an investigation, providing reliable results that
can be used in legal processes.
1. Compatibility with Various Devices and File Systems
• Explanation:
Forensics tools must be compatible with a wide range of devices
(computers, smartphones, storage drives, etc.) and file systems (like
FAT, NTFS, exFAT, HFS, etc.). This ensures that investigators can
retrieve data from all types of devices and file systems involved in
the case.
• Importance:
If a tool does not support the devices or file systems present in an
investigation, it may not be able to recover important evidence. A
versatile tool that supports multiple file systems and devices will be
more useful in different types of investigations.
2. Data Integrity and Preservation
• Explanation:
Ensuring that the tool can maintain the integrity of the data being
analyzed is crucial. The tool should not alter, modify, or damage the
original data during the investigation process. It should provide
methods like write-blocking to prevent changes to the evidence.
• Importance:
In legal cases, the integrity of digital evidence is paramount. If data is
altered during the investigation, it may not be admissible in court. A
tool that ensures data integrity helps preserve the original state of
the evidence for future analysis and court procedures.
3. Security
• Verify that the tool ensures secure handling of sensitive data to avoid
unauthorized access or leaks.
4. Performance and Speed
• Consider the tool’s efficiency in analyzing and processing large
datasets without significant delays.

Q). Write short note (any one) : [9M]

i) e-mail forensics tools.
ii) Computer forensics hardware tools
Ans:- hardware tools help maintain the integrity of digital evidence and
ensure that investigations are carried out accurately and legally.
1. Email Forensics Tools
Email forensics tools help investigate and analyze emails for legal and
security purposes. They assist in identifying fraud, phishing, spam, or
malicious activities.
Common Tools:
1. MailXaminer
o Analyzes email headers, attachments, and metadata.
o Supports multiple formats (PST, OST, MBOX, etc.).
2. Paraben Email Examiner
o Recovers deleted emails.
o Offers keyword search for investigations.
3. X-Ways Forensics
o Analyzes email content and attachments.
o Supports integration with other forensic tools.
4. Forensic Toolkit (FTK)
o Extracts, indexes, and reviews email evidence.
o Provides encryption and password-cracking features.
5. E3: Universal
o Specialized in analyzing large email datasets.
o Generates detailed reports for legal use.

ii) Computer Forensics Hardware Tools

Computer forensics hardware tools are specialized devices used to collect,
analyze, and preserve digital evidence during an investigation. These tools
ensure that evidence is not altered or damaged during the process.
Examples of Computer Forensics Hardware Tools:
1. Write Blockers:
 o Purpose: Prevent any modifications to the data on a storage
device (e.g., hard drive, USB).
o How it Works: It allows the investigator to read the data but
prevents any changes, ensuring the integrity of the evidence.
2. Forensic Duplicators:
o Purpose: Create an exact copy (bit-by-bit image) of the digital
storage media.
o How it Works: It copies all data from the device, including
deleted files, to ensure a backup is available for analysis.

3. Forensic Power Supplies:

o Purpose: Provides power to a device being analyzed, especially
when the original power source is unavailable or damaged.
o How it Works: It supplies the necessary power to storage
devices or computers for investigation without altering the
data.