Computer Forensics Syllabus - 5 Mark

Questions and Answers

Question 1:
What are the traditional problems associated with computer crime?

Answer:
Traditional problems associated with computer crime include the difficulty of tracing digital
evidence back to the perpetrator, the ease with which digital evidence can be manipulated
or destroyed, and the rapid evolution of technology which criminals often exploit faster
than law enforcement can adapt. Another issue is jurisdiction, as crimes committed over the
internet often involve multiple countries, complicating the process of investigation and
prosecution. Additionally, the anonymity provided by the internet makes it challenging to
identify criminals, and the sheer volume of data can make it difficult to sift through to find
relevant evidence.

Question 2:
Explain the concept of Identity Theft and Identity Fraud.

Answer:
Identity theft involves stealing someone’s personal information, such as Social Security
numbers, bank account details, or credit card information, with the intent to commit fraud.
Identity fraud, on the other hand, is the actual use of that stolen information to commit
financial crimes, such as opening bank accounts, taking loans, or making unauthorized
purchases. Identity theft is the first step in a broader process that leads to identity fraud,
and both are considered serious crimes that can have significant financial and emotional
impacts on victims.

Question 3:
What are the main steps involved in incident response methodology?

Answer:
Incident response methodology typically involves the following steps: (1) Preparation:
Developing and implementing policies, procedures, and tools to prevent incidents. (2)
Identification: Detecting and identifying security breaches. (3) Containment: Limiting the
impact of the breach by isolating the affected systems. (4) Eradication: Removing the cause
of the breach and any related threats. (5) Recovery: Restoring and validating system
functionality. (6) Lessons Learned: Analyzing the incident and improving the incident
response plan to prevent future occurrences.
Question 4:
What is forensic duplication and why is it important?

Answer:
Forensic duplication, also known as imaging, is the process of creating an exact, bit-for-bit
copy of a digital storage device, such as a hard drive, which includes all files, deleted data,
and file slack space. This is crucial in computer forensics as it allows investigators to work
on the copy rather than the original, preserving the integrity of the evidence. It ensures that
the original data is not altered during the investigation, which is critical for maintaining the
evidence's admissibility in court.

Question 5:
Describe the key elements required for preparation in incident response (IR).

Answer:
Preparation for incident response involves several key elements: (1) Developing an incident
response policy and plan that outlines the procedures to follow during a security breach. (2)
Creating an incident response toolkit that includes hardware and software necessary for
investigating and mitigating breaches. (3) Training an incident response team (IR team) to
effectively handle incidents. (4) Conducting regular drills and simulations to ensure
readiness. (5) Maintaining an inventory of assets and their criticality to prioritize responses.
(6) Establishing communication protocols to ensure clear and timely communication during
an incident.

Unit II: Cyber Forensics Technology

Question 6:
What are specialized forensics techniques used in military computer forensics?

Answer:
Specialized forensic techniques used in military computer forensics include methods such
as data carving, which involves recovering deleted files from unallocated disk space, and
memory forensics, which analyzes volatile memory (RAM) to extract critical information.
These techniques also involve the use of specialized software for decrypting encrypted files
and uncovering hidden data in systems. Moreover, military forensics often employ
advanced network forensics to monitor and analyze network traffic for detecting and
preventing unauthorized access or data exfiltration.

Question 7:
How do spyware and adware differ, and what is their significance in cyber forensics?

Answer:
Spyware is a type of malicious software designed to secretly monitor and gather
information about a user's activities, such as keystrokes, without their knowledge. Adware,
on the other hand, is software that displays unwanted advertisements to users, often as a
means of generating revenue for its creators. In cyber forensics, spyware is significant
because it can be used to capture sensitive data such as passwords and personal
information, which can be critical evidence in investigations. Adware, while less malicious,
can still be indicative of a compromised system and may provide forensic clues about the
origin of the infection.

Question 8:
Explain the importance of encryption methods in cyber forensics.

Answer:
Encryption methods play a dual role in cyber forensics. On one hand, they are used by
organizations to protect sensitive data from unauthorized access. On the other hand,
criminals often use encryption to conceal illicit activities, making it challenging for forensic
investigators to access critical evidence. Forensic experts need to understand various
encryption techniques to either decrypt the data legally or to demonstrate the presence of
encrypted data, which could indicate concealed evidence. Understanding these methods is
crucial for effectively gathering and analyzing digital evidence.

Question 9:
What are the challenges associated with Internet tracing methods?

Answer:
Internet tracing methods involve tracking the origin of online activities, which presents
several challenges. These include the use of proxy servers and Virtual Private Networks
(VPNs) by criminals to mask their IP addresses, the vast scale of the internet making it
difficult to pinpoint specific sources, and the dynamic nature of IP addresses. Additionally,
tracing methods are often complicated by jurisdictional issues when the activity spans
multiple countries. Another challenge is the potential for data encryption, which can
obscure the content of communications and make it harder to trace.

Question 10:
What are the key elements of biometric security systems, and how are they used in cyber
forensics?

Answer:
Biometric security systems use unique physical characteristics of individuals, such as
fingerprints, facial recognition, or iris patterns, to authenticate their identity. In cyber
forensics, these systems are valuable because they provide a reliable method of verifying
the identity of individuals accessing sensitive systems or data. They can also be used to
track and log access attempts, providing forensic investigators with evidence of who
accessed or attempted to access specific information. The key elements of these systems
include the biometric sensor, which captures the biometric data, and the matching
algorithm, which compares the captured data to stored templates to confirm identity.