21SCF44

SRINIVAS UNIVERSITY INSTITUTE OF ENGINEERING AND TECHNOLOGY

DEPARTMENT OF CYBER SECURITY AND CYBER FORENSIC
FOURTH SEMESTER
INTERNAL ASSESSMENT - 1
SUBJECT: INTRODUCTION TO DIGITAL FORENSICS-Schema of Valuation
Date: 30/05/2023
Time: 1hour 15 minutes Max. Marks: 40
Course Instructor: Dr. Krishna Prasad K
Note: Answer any ONE full descriptive question from each part.

Question Description Marks

No
1. a. What are the various processes involved in Computer Forensics? Explain Only listing 2
Evaluation: In this process of evaluation, computer forensics experts are marks
given instructions, clarification of those instructions if not clear, Explanation
guidelines for performing activities, and allocation of roles and resources. with listing
Such a process includes proper instructions on how to prepare systems for
10 marks
collecting evidence and where to store evidence. Instruction on
documentation is also given to help ensure the authenticity of the data.
The process of computer forensics needs proper steps to determine the
details of a case. It includes the proper reading of case briefs,
understanding every fact, and obtaining permissions to continue the case.
Collection: This process involves the labeling and bagging of evidence
from the crime scene. Secure and safe transportation of material is also
important. Data is transferred to the expert’s system. In this process, cyber
forensics experts visit the crime scene and collect evidence that is helpful
for the investigation of the crime. Documents are needed during and after
this process and include detailed information on the evidence. In this
process, copies of evidence are made so that no information is lost during
the investigation process.
Analysis: Computer forensics experts use a variety of methods and
approaches to examine the evidence. This can be done by using the
various types of available forensic software. In this process, deleted data,
sensitive data, recently used data, and all other important files, as well as
programs, are examined. Analysis of evidence must be accurate and must
be done within the allotted time; its details should be recorded properly.
Experts analyze the evidence twice to verify the correctness of the results.
Presentation: This process involves the proper documentation of
evidence and the examination process of evidence. It includes all the
methods used in the process, the techniques used, and coping. The
securing and transferring of evidence are also included. These tasks help
experts present the details of an investigation whenever asked when, how,
 and where the crime happened. It helps experts determine the validity of
the evidence. It also helps experts in solving crimes and supporting claims
with evidence in a court of law
1 b. List and explain the various steps involved in Investigation process Only listing 2
The person who is collecting evidence is known as a forensic investigator. marks
An investigator while collecting evidence should make sure that the Explanation
collected evidence is withstanding any legal proceedings. As we discussed with listing
earlier digital forensics is all about identifying, acquiring, preserving,
10 marks
analyzing and documenting of digital data. The following steps are
followed by the forensic investigators to collect evidence which can be
accomplished by the Court. Identifying: The first and foremost step in
collecting evidence is identification. The scope of the action must be
identified before beginning any form of examination in the area of digital
forensics. The process of searching and detecting digital evidence is done
here. This process also includes what evidence is presented along with
where and how it is stored. All the evidence used in the perpetration of
crime must be examined by the digital evidence first responder. In Krenar
Lusha case in the year 2009 in the UK, in the investigation process, it
came to know that Krenar has downloaded a manual of 4300gm to make
explosives. Acquiring: The process of collecting evidence is known as
acquisition. These evidences are collected from electronic media like
personal computers, PDAs, mobile phones etc., Investigators perform
acquisition of data through the following four methods, disk to disk copy,
disk to image file, logical disk to a disk file, sparse data copy of a file or
folder. Preservation: To prevent digital evidence from being changed or
altering, the data should be isolated and should be preserved in a secured
physical site. Preservation of digital evidence helps to reduce tampering
of evidence. Criminal cases should be examined through the law-imposed
personnel for the reason for the preservation of evidence. The company
officer performs this examination in civil cases. Analyzing: Numerous
reiterations of analysis takes place to support a crime theory. Based on the
evidence found by the investigators a conclusion will be derived by
reconstructing the events. Documenting: Documenting is the key concept
of digital forensics. Recreating of the crime scene is done in this process
by documenting the crime scene in proper documentation. Photography,
screen scene mapping and sketching can be done in documenting the
crime scene for better understanding. At last, the collected documentation
will be summarized and explained. Many cases have been solved with the
digital forensic process such as Matt baker case, larry Jo Thomas case,
Rose Comptown case, Mikayla Munn case etc., Cybercrime: Cybercrime
is a computer-related criminal activity. It also includes other digital
devices. Electronic evidence is defined as any information of probative
value in electronic form, computer evidence, digital audio and video, cell
phones, a digital fax machine that are stored or transmitted. The
cybercrime act is not only done by individuals, it is done through
 organizations too. Cybercrime includes theft of corporate data, financial
data, email or internet fraud, invasion of privacy, cyber extortion,
phishing, ransomware attacks, hacking, cyberespionage, spamming,
cyberstalking etc., These crimes are identified with the help of digital
forensics. Under the Information Technology Act, 4231 cybercrimes were
recorded according to the National Crimes Record Bureau between the
years 2009 to 2011. The Computer Crime and Intellectual Property
Section pursues three overarching goals: to deter and disrupt computer
and intellectual property crime by bringing and supporting key
investigations and prosecutions, to guide the proper collection of
electronic evidence by investigators and prosecutors, and to provide
technical and legal advice and assistance to agents and prosecutors in the
U.S. and around the world.
2 a. How law enforcement agency conducts Investigation? Explain Only listing 2
Law enforcement agency investigations in cyber forensics involve the marks
application of forensic techniques to collect, analyze, and preserve digital Explanation
evidence related to cybercrime. These investigations aim to identify and with listing
prosecute individuals or groups involved in illegal activities conducted
10 marks
through electronic devices or networks. Here's an overview of the key
aspects of such investigations Incident Response: When a cybercrime is
reported or detected, the law enforcement agency initiates an incident
response to mitigate the damage, secure the affected systems, and gather
preliminary information. This may involve isolating affected devices or
networks to prevent further compromise. Evidence Identification and
Collection: Investigators identify potential sources of digital evidence,
such as computers, mobile devices, servers, or network logs. They follow
strict protocols to ensure the preservation and integrity of the evidence.
This may involve seizing or obtaining search warrants to access and
collect data from relevant devices or network infrastructure. Digital
Forensic Analysis: Investigators employ various forensic tools and
techniques to examine the acquired digital evidence. They use specialized
software to extract and analyze data from devices, including deleted files,
metadata, internet browsing history, chat logs, and email communications.
The analysis aims to establish a timeline of events, identify the methods
used, and attribute the actions to specific individuals or entities. Malware
Analysis: If malware is involved, investigators may conduct in-depth
analysis to understand its behavior, functionality, and potential impact.
This helps determine how the malware was delivered, how it operated,
and whether it has connections to other known cyber threats or actors.
Network Forensics: In cases involving network intrusions or attacks,
investigators analyze network traffic logs, firewall data, and other network
artifacts to trace the attacker's entry points, communication channels, and
methods of operation. This information is crucial for understanding the
scope of the attack and identifying potential accomplices or collaborators.
Data Recovery and Reconstruction: Investigators may encounter
 situations where data has been intentionally deleted or encrypted by
perpetrators. They use specialized techniques to recover deleted files,
reconstruct data structures, or decrypt encrypted information. Chain of
Custody: Throughout the investigation, maintaining a strict chain of
custody is essential to ensure the admissibility and integrity of the digital
evidence in court. Investigators document every step taken to collect,
handle, and store evidence, including who accessed it and when.
Reporting and Expert Testimony: Investigators compile detailed reports
documenting their findings, analysis, and conclusions. They may be
required to present their findings in court as expert witnesses, explaining
the technical aspects of the case to help the judge and jury understand the
evidence and its implications.
It's important to note that law enforcement agencies may collaborate with
other organizations, such as computer emergency response teams
(CERTs), private sector cybersecurity firms, or international counterparts,
to gather intelligence, share expertise, and enhance the effectiveness of
their investigations in the rapidly evolving field of cyber forensics
2 b. How Corporate Investigation is done? Explain. Explanation
Corporate investigations in digital forensics involve the application of 10 Marks
forensic techniques to collect, analyze, and preserve digital evidence
within a corporate environment. These investigations aim to identify and
mitigate cyber threats, data breaches, insider threats, intellectual property
theft, or other digital crimes. Here are the key aspects of corporate
investigations in digital forensics: Incident Response: When a digital
security incident or breach is detected or reported within a corporate
environment, an incident response team is typically activated. This team
is responsible for containing the incident, minimizing damage, and
initiating the investigation process. They may isolate affected systems,
secure evidence, and take necessary steps to restore normal operations
Evidence Identification and Collection: Investigators identify potential
sources of digital evidence within the corporate infrastructure. This may
include servers, workstations, laptops, mobile devices, cloud storage,
email servers, network logs, and other digital assets. Strict protocols are
followed to ensure the preservation and integrity of the evidence. This
may involve making forensic copies or acquiring appropriate legal
authorization to access and collect data. Digital Forensic Analysis:
Investigators use specialized tools and techniques to analyze the acquired
digital evidence. They examine data from various sources, such as system
logs, network traffic, email communications, files, and metadata. The
analysis aims to establish a timeline of events, identify potential threats or
malicious activities, determine the scope of the incident, and attribute
actions to specific individuals or entities. Malware Analysis: If malware
or malicious software is involved in the incident, investigators conduct
malware analysis to understand its behavior, functionality, and impact.
This helps in identifying the methods used by attackers, the vulnerabilities
 exploited, and potential indicators of compromise. The analysis may
involve examining code, reverse engineering, and analyzing network
traffic associated with the malware. Data Recovery and Reconstruction:
Investigators may encounter situations where data has been intentionally
deleted, encrypted, or tampered with. They use specialized techniques to
recover deleted files, reconstruct data structures, or decrypt encrypted
information. This helps in recovering valuable evidence and
reconstructing the events leading up to the incident. Internal Threat
Investigations: Corporate investigations in digital forensics also focus on
identifying and investigating insider threats, including employees,
contractors, or other insiders who may have engaged in unauthorized or
malicious activities. Investigators may analyze employee access logs,
email communications, file transfers, and other digital footprints to detect
and attribute any unauthorized actions. Reporting and Remediation:
Investigators compile detailed reports documenting their findings,
analysis, and recommendations. These reports help stakeholders
understand the nature of the incident, the impact, and the steps required
for remediation and future prevention. The reports may also include
recommendations for enhancing security measures, improving incident
response capabilities, or updating corporate policies and procedures. It's
important to note that corporate investigations in digital forensics often
require close collaboration with IT teams, legal departments, and other
relevant stakeholders within the organization. Additionally, privacy and
data protection regulations must be carefully considered to ensure
compliance during the investigation process.
3a Explain various tools for Disk imaging. Only listing 2
There are several widely used tools for disk imaging in computer forensics marks
that help create forensic copies or images of storage devices. These tools Explanation
ensure the preservation of the original data while capturing a bit-by-bit with listing
copy for analysis and investigation purposes. Here are some commonly 10 marks
used disks imaging tools in computer forensics: FTK Imager: FTK
Imager, developed by Access Data, is a popular tool used for disk imaging
and data acquisition. It allows forensic investigators to create forensic
images of hard drives, SSDs, USB drives, and other storage media. FTK
Imager supports various imaging formats and offers options for verifying
the integrity of the acquired image. EnCase: EnCase, developed by
Guidance Software (now part of OpenText), is a comprehensive forensic
tool that includes disk imaging capabilities. It provides features for
creating forensic images, capturing live acquisitions, and maintaining the
integrity of the acquired data. EnCase supports a wide range of storage
devices and imaging formats. dd: dd is a command-line tool available in
various operating systems, including Linux, macOS, and Windows
(through third-party implementations). It is a versatile tool for disk
imaging and can create bitwise copies of storage devices. dd allows
investigators to specify the input and output files, block sizes, and other
 parameters for the imaging process. dcfldd: dcfldd is an enhanced version
of the dd command-line tool with additional features for forensic imaging.
It provides options for hashing, verifying, and logging during the imaging
process. dcfldd is particularly useful for forensic imaging tasks where data
integrity and verification are critical. Forensic Acquisition Utilities:
Various forensic acquisition utilities, such as Guymager, RawCopy, and
OSForensics, offer disk imaging capabilities. These tools often provide a
user friendly interface with options for imaging, verification, and integrity
checking. They support multiple imaging formats and allow investigators
to customize imaging parameters. AccessData Forensic Toolkit (FTK):
FTK, developed by AccessData, is a comprehensive forensic suite that
includes disk imaging capabilities. It offers a range of features for
acquisition, analysis, and reporting. FTK supports imaging of physical
and logical drives, as well as remote acquisition over the network.
ProDiscover: ProDiscover, developed by Technology Pathways, is a
forensic tool that includes disk imaging functionality. It enables
investigators to create forensic images of storage devices and supports
various imaging formats. ProDiscover offers features for analysis, file
recovery, and reporting as well. X-Ways Forensics: X-Ways Forensics is
a versatile forensic tool that includes powerful disk imaging capabilities.
It supports imaging of physical and logical drives, as well as virtual
machines. X-Ways Forensics offers features for imaging verification,
selective imaging, and advanced analysis of acquired images. These are
just a few examples of disk imaging tools used in computer forensics. The
selection of a specific tool depends on factors such as the investigator's
preference, the nature of the investigation, the type of storage media
involved, and the required features and capabilities.
3 b. How to access the vulnerability using various tools? Explain. Only listing 2
Vulnerability assessment tools are commonly used in digital marks
forensics to identify security weaknesses and potential Explanation
vulnerabilities in systems, networks, and applications. These tools
with listing
help forensic investigators assess the security posture of a digital
environment and uncover potential entry points for attackers. Here 10 marks
are some examples of widely used vulnerability assessment tools in
digital forensics:
Nessus: Nessus is a popular vulnerability scanning tool that
performs comprehensive assessments of networks, systems, and
applications. It scans for known vulnerabilities and provides
detailed reports on identified weaknesses, including
misconfigurations, outdated software, and potential security risks.
OpenVAS: OpenVAS (Open Vulnerability Assessment System) is
an open-source vulnerability scanner that helps identify security
flaws in networks and systems. It offers a range of scanning
capabilities, including remote scanning, discovery of hosts and
services, and vulnerability detection. OpenVAS provides detailed
reports and allows customization of scan policies.
 Nexpose: Nexpose, developed by Rapid7, is a vulnerability
management solution that combines vulnerability scanning and risk
assessment. It identifies vulnerabilities across networks, systems,
and web applications and provides actionable insights to prioritize
and remediate security weaknesses.
QualysGuard: QualysGuard is a cloud-based vulnerability
management platform that offers continuous monitoring and
assessment of network assets. It scans for vulnerabilities,
misconfigurations, and compliance issues across networks, servers,
and web applications. QualysGuard provides detailed reports and
integrates with other security tools.
Burp Suite: Burp Suite is a powerful web application security
testing tool that includes a vulnerability scanner. It scans web
applications for common security flaws such as SQL injection,
cross-site scripting (XSS), and insecure configurations. Burp Suite
offers a range of features for manual and automated vulnerability
assessment.
Acunetix: Acunetix is a web vulnerability scanner that helps
identify security weaknesses in web applications. It scans for
common vulnerabilities such as injection attacks, broken
authentication, and insecure direct object references. Acunetix
provides detailed reports and offers features for manual verification
and testing
Retina: Retina, developed by BeyondTrust, is a vulnerability
assessment tool that scans networks, systems, and applications for
security weaknesses. It identifies vulnerabilities, misconfigurations,
and compliance issues across various platforms. Retina offers
customizable scan policies and provides detailed reports.
OpenSCAP: OpenSCAP (Open Security Content Automation
Protocol) is an open-source vulnerability assessment framework
that provides automated scanning and compliance checking. It
scans systems and evaluates their security posture based on
predefined security policies and benchmarks.
These are just a few examples of vulnerability assessment tools used
in digital forensics. The selection of a specific tool depends on
factors such as the target environment, the scope of the assessment,
the required features, and the investigator's expertise. It's important
to keep in mind that vulnerability assessment is just one aspect of
digital forensics, and additional forensic techniques and tools may
be required for a comprehensive investigation.

4a. How Encase and FTK helps in imaging in Digital Forensics? Explain. Only listing 2
EnCase and FTK (Forensic Toolkit) are two widely recognized and marks
extensively used tools in the field of digital forensics. Both tools Explanation
provide comprehensive features for acquiring, analyzing, and with listing
reporting on digital evidence during investigations. Here's an
10 marks
overview of EnCase and FTK in digital forensics:
EnCase: EnCase Forensic, developed by OpenText (formerly
Guidance Software), is one of the most established and widely
adopted digital forensics tools. It offers a robust set of features for
data acquisition, analysis, and reporting. EnCase supports a wide
range of file systems, including Windows, macOS, Linux, and
mobile device platforms.
Data Acquisition: EnCase allows forensic investigators to acquire
forensic images of physical and logical drives, as well as perform
live acquisitions from running systems. It supports various imaging
formats and provides options for verification, hashing, and
encryption
Data Analysis: EnCase provides advanced search and analysis
capabilities to examine acquired data. It offers comprehensive file
system analysis, keyword searching, hash-based file recognition,
and email and chat message recovery. EnCase also includes features
for recovering deleted files, analyzing registry data, and parsing
various file formats.
Reporting and Presentation: EnCase allows investigators to
generate detailed reports to document their findings. It provides
customizable report templates, timeline analysis, and visual
presentation options. EnCase reports can include extracted
metadata, recovered artifacts, search results, and other relevant
forensic information.
FTK (Forensic Toolkit): FTK, developed by AccessData, is
another prominent digital forensics tool widely used by
investigators and forensic professionals. FTK offers a
comprehensive suite of features for data acquisition, analysis, and
reporting.
Data Acquisition: FTK enables forensic investigators to create
forensic images of physical and logical drives, as well as perform
live acquisitions from running systems. It supports multiple
imaging formats and provides options for imaging verification and
encryption.
Data Analysis: FTK includes powerful search and analysis
capabilities for examining acquired data. It offers keyword
searching, indexing, and advanced filters to quickly identify and
retrieve relevant information. FTK also provides tools for email and
chat analysis, file system examination, and recovering deleted files.
Reporting and Presentation: FTK allows investigators to generate
detailed reports to present their findings. It provides customizable
report templates, timeline analysis, and visual presentation options.
FTK reports can include extracted metadata, recovered artifacts,
search results, and other pertinent forensic details.
Both EnCase and FTK are well-regarded tools in the digital
forensics field, and their usage may vary depending on the
investigator's preferences, the specific requirements of the
investigation, and the nature of the evidence being examined. It's
worth noting that the digital forensics landscape is dynamic, and
newer versions or variations of these tools may be available with
additional features and enhancements.
4b How to handle the counter attack anti-forensics activities. Explain. Only listing 2
Anti-forensics refers to techniques and measures used to hinder or marks
defeat digital forensic investigations. Attackers and individuals Explanation
engaging in illicit activities may employ these techniques to avoid
with listing
detection, evidence recovery, or traceability. However, digital
forensic investigators are constantly evolving their methodologies 10 marks
and tools to counter these anti-forensic techniques. Here are some
probable counters used in digital forensics:
Data Carving: Anti-forensic techniques like file deletion or wiping
can be countered through data carving. Data carving involves the
identification and extraction of fragmented or deleted data from
unallocated disk space. Forensic tools use advanced algorithms to
reconstruct and recover data, even if attempts have been made to
hide or destroy it.
Timeline Analysis: Timeline analysis is a powerful counter to anti-
forensic techniques aimed at altering timestamps or system clock
settings. By analyzing the sequence of events and timestamps
within a system, investigators can reconstruct the chronological
order of activities and identify any tampering attempts.
Memory Forensics: Anti-forensic measures may include the use of
volatile memory-based attacks or malware. Memory forensics
allows investigators to extract valuable information from a system's
RAM, including running processes, open network connections, and
encryption keys. It helps uncover hidden malware or malicious
activities that may not leave traces on disk.
Network Traffic Analysis: Network traffic analysis can help
counter anti-forensic techniques that attempt to hide data transfers
or communications. By capturing and analyzing network traffic,
investigators can identify suspicious patterns, hidden connections,
and encrypted communication channels, aiding in the
reconstruction of activities.
Steganalysis: Steganography is a technique used to hide
information within seemingly innocuous files or media.
Steganalysis involves the detection and extraction of hidden
information. Forensic tools and techniques can analyze file
signatures, statistical anomalies, or metadata to identify and recover
hidden data.
Hash-based Integrity Checking: Anti-forensic techniques may
involve file alteration or tampering. Hash-based integrity checking
involves calculating and comparing cryptographic hash values of
files or disk images to verify their integrity. If any discrepancies are
found, it suggests potential tampering or manipulation.
Anomaly Detection: Anti-forensic techniques may involve the use
of obfuscation or encryption to hide malicious activities. Anomaly
detection techniques can identify deviations from normal system
behavior, network traffic patterns, or user activities. These
anomalies can be indicators of suspicious or malicious actions that
require further investigation.
Anti-Anti-Forensic Techniques: Digital forensic investigators
continually update their methodologies and tools to counter
emerging anti-forensic techniques. This includes staying updated
with the latest advancements, collaborating with the digital forensic
community, and actively researching and developing new
techniques to uncover and counter anti-forensic measures.
It's important to note that the effectiveness of these counters may
vary depending on the specific anti-forensic techniques used and the
skills and expertise of the digital forensic investigator. As
technology and attack methods evolve, digital forensic experts must
continuously adapt and enhance their tools and techniques to stay
ahead of anti-forensic measures.