
G H RAISONI UNIVERSITY
Department of Computer Science and Engineering
(Established Under UGC (2f) and Madhya Pradesh Niji Vishwavidyalaya (Sthapana evam
Sanchalan) Adhiniyam Act No. 17 of 2007), Gram Dhoda Borgaon, Village-Saikheda,
Teh-Saunsar, Dist.-Chhindwara, (M.P.) – 480337
Tel: +91 9111104290/91, Web: www.ghru.edu.in, E-Mail: info@ghru.edu.in

School of Engineering & Technology

Q. No    Questions    CO Mapped
01 What is Digital Forensics? Explain the steps of Digital Forensics. CO1
Steps:

1. Identification: The first step is to identify the digital devices that need to be
analyzed. This can include computers, smartphones, and other digital devices.
2. Collection: The next step is to collect the digital data from the identified
devices. This can involve seizing the devices, making copies of the data, and
analyzing the copies.
3. Preservation: Once the data has been collected, it needs to be preserved to
ensure that it is not altered or destroyed. This involves creating a forensic copy
of the data and storing it in a secure location.
4. Analysis: The data is then analyzed to identify any relevant information. This
can involve searching for specific keywords, analyzing metadata, and recovering
deleted files.
5. Reporting: The final step is to report the findings of the investigation. This can
involve presenting the evidence in court, providing a written report, or giving a
verbal testimony.

02 Enlist and explain the principles of Digital Forensics? CO1


Ans: Principle of Digital forensics:

03 Short Note: CO1


1. CyberCrime vs Traditional crime
2. Objective of CyberCriminal
Ans: Cybercriminals aim to disable, disrupt, destroy or control computer systems, or to
alter, block, delete, manipulate or steal the data held within these systems.
04 What is the role and responsibility of Forensic Investigator? CO1

05 What are the benefits of Digital Forensics? CO1

Benefits of Digital Forensics

1. Preservation of Evidence: Digital forensics plays a crucial role in
preserving evidence that can be used in court. The process of collecting
and analyzing digital evidence is done in a way that ensures its integrity
and authenticity, making it admissible in court. This helps in building a
strong case and increases the chances of conviction.
2. Identification of Criminals: Digital forensics can be used to identify
the perpetrators of a crime. It can help in tracing the origin of a cyber-
attack, identifying the source of a leak, and linking a suspect to a crime
scene. This helps law enforcement agencies in their investigations and
brings criminals to justice.
3. Protection of Corporate Interests: Digital forensics can be used to
protect the interests of corporations and organizations. It can help in
identifying and preventing internal fraud, data breaches, and other cyber
threats. This helps organizations in maintaining the confidentiality of
their data and protecting their reputation.
4. Assisting in Cybercrime Investigations: Digital forensics plays a vital
role in investigating cybercrimes such as hacking, identity theft, and
online fraud. It can help in tracing the origin of a cyber-attack and
identifying the source of a leak. This helps law enforcement agencies in
their investigations and brings cybercriminals to justice.
5. Facilitating Legal Proceedings: Digital forensics can assist in legal
proceedings by providing evidence that can be used in court. It can help
in proving the authenticity of digital evidence and linking suspects to a
crime scene. This helps in building a strong case and increases the
chances of conviction.

06 List and explain the objective and goals of Digital forensics. CO2
Objectives of using digital forensics:

• Evidence to Court: It recovers, analyzes, and preserves digital and
forensic evidence to help the department's investigation present the
evidence in court.
• Identifying the Culprit: It aims to find the cause of the attacks and identify the
main culprit behind the crimes.
• Legal Procedures: To ensure the evidence found at a suspected crime
scene is uncorrupted, methods are designed for collecting and
preserving the evidence.
• Data Redundancy: Recover the deleted files and subdivide them from
digital media to validate them.
• It also helps you find the evidence instantly and identify the impact of
the culprit on the crime or the attacks.
• Storing the evidence by following the procedures of legal custody in
the court of law.
• It aids in the recovery, analysis, and preservation of computers and
related materials for the investigating agency to present them as evidence
in a court of law.
• It aids in determining the motive for the crime and the identity of the
primary perpetrator.
• Creating procedures at a suspected crime scene to help ensure that the
digital evidence obtained is not tainted.
• Data acquisition and duplication: The process of recovering deleted files
and partitions from digital media in order to extract and validate
evidence.
• Assists you in quickly identifying evidence and estimating the potential
impact of malicious activity on the victim
• Creating a computer forensic report that provides comprehensive
information on the investigation process
• Keeping the evidence safe by adhering to the chain of custody

Digital forensic goals

The main object in the digital forensic analysis is the digital device related to the
security incident under investigation. The digital device was either used to
commit a crime, to target an attack, or is a source of information for the analyst.
The goals of the analysis phase in the digital forensics process differ from one
case to another. It can be used to support or refute assumptions against
individuals or entities, or it can be used to investigate information security
incidents locally on the system or over a network.
07 Explain the rules of collecting digital evidence. CO2
There are five general rules of evidence that apply to digital forensics and need
to be followed in order for evidence to be useful. Ignoring these rules makes
evidence inadmissible, and your case could be thrown out. These five rules are:
admissible, authentic, complete, reliable, and believable.

Admissible

This is the most basic rule and a measure of evidence validity and importance.
The evidence must be preserved and gathered in such a way that it can be used
in court or elsewhere. Many errors can be made that could cause a judge to rule
a piece of evidence as inadmissible. For example, evidence that is gathered
using illegal methods is commonly ruled inadmissible.

Authentic

The evidence must be tied to the incident in a relevant way to prove something.
The forensic examiner must be accountable for the origin of the evidence.

Complete

When evidence is presented, it must be clear and complete and should reflect the
whole story. It is not enough to collect evidence that just shows one perspective
of the incident. Presenting incomplete evidence is more dangerous than not
providing any evidence at all as it could lead to a different judgment.

Reliable

Evidence collected from the device must be reliable. This depends on the tools
and methodology used. The techniques used and evidence collected must not
cast doubt on the authenticity of the evidence. If the examiner used some
techniques that cannot be reproduced, the evidence is not considered unless they
were directed to do so. This would include possible destructive methods such as
chip-off extraction.

Believable

A forensic examiner must be able to explain, with clarity and conciseness, what
processes they used and the way the integrity of the evidence was preserved.
The evidence presented by the examiner must be clear, easy to understand, and
believable by a jury.

08 Explain cyber investigation process in detail. CO2

09 What is digital evidence? Explain with example. CO2


Process involved in Digital Evidence Collection:

The main processes involved in digital evidence collection are given below:
• Data collection: In this process data is identified and collected for
investigation.
• Examination: In the second step the collected data is examined carefully.
• Analysis: In this process, different tools and techniques are used and the
collected evidence is analyzed to reach some conclusion.
• Reporting: In this final step all the documentation and reports are compiled so
that they can be submitted in court.

Types of Evidence:
Collecting evidence is really important in any investigation to
support the claims in court. Below are some major types of evidence.
• Real Evidence: These pieces of evidence involve physical or tangible
evidence such as flash drives, hard drives, documents, etc. An eyewitness
can also be considered as tangible evidence.
• Hearsay Evidence: These pieces of evidence are referred to as out-of-court
statements. These are made in courts to prove the truth of the matter.
• Original Evidence: These are the pieces of evidence of a statement that is
made by a person who is not a testifying witness. It is done in order to
prove that the statement was made rather than to prove its truth.
• Testimony: Testimony is when a witness takes oath in a court of law and
gives their statement in court. The evidence presented should be
authentic, accurate, reliable, and admissible as it can be challenged in
court.
Challenges Faced During Digital Evidence Collection:

• Evidence should be handled with utmost care as data is stored in electronic
media and it can get damaged easily.
• Collecting data from volatile storage.
• Recovering lost data.
• Ensuring the integrity of collected data.

10 What is computer forensics? Explain objectives of computer forensics. CO2


Computer Forensics is a scientific method of investigation and analysis in
order to gather evidence from digital devices or computer networks and
components which is suitable for presentation in a court of law or legal body.
It involves performing a structured investigation while maintaining a
documented chain of evidence to find out exactly what happened on a
computer and who was responsible for it.

Advantages of Computer Forensics:

• To produce evidence in the court, which can lead to the punishment of the
culprit.
• It helps companies gather important information on their computer
systems or networks potentially being compromised.
• Efficiently tracks down cyber criminals from anywhere in the world.
• Helps to protect the organization's money and valuable time.
• Allows investigators to extract, process, and interpret the factual evidence, so that it
proves the cybercriminal's actions in the court.
Teacher Assessment Examination (TAE)


Q. No    Questions    CO Mapped
01 What are the phases of computer forensics investigation? CO3

Ans:

1. Assess the situation
2. Acquire the data
3. Analyse the data
4. Report the investigation
02 Explain the Techniques of Email forensics? CO3

Ans: 1. Header analysis 2. Server investigation 3. Network device investigation
4. Sender mail fingerprint 5. Volatile memory analysis 6. Attachment analysis

Header Analysis
Email header analysis is the primary analytical technique. This involves
analyzing metadata in the email header. It is evident that analyzing
headers helps to identify the majority of email-related crimes. Email
spoofing, phishing, spam, scams and even internal data leakages can be
identified by analyzing the header.
Server Investigation
This involves investigating copies of delivered emails and server logs.
Some organizations provide separate mailboxes for their
employees by running internal mail servers. In this case, the investigation
involves extracting the entire mailbox related to the case and the
server logs.
Network Device Investigation
In some investigations, the investigator requires the logs maintained by
network devices such as routers, firewalls and switches to
investigate the source of an email message. This is often a complex
situation where the primary evidence is not present (when the ISP or
proxy does not maintain logs, or when the ISP does not co-operate [2]).
Software Embedded Analysis
Some information about the sender of the email, attached files or
documents may be included with the message by the email software
used by the sender for composing the email [2]. This information may be
included in the form of custom headers or in the form of MIME content
as a Transport Neutral Encapsulation Format (TNEF) [2].
Sender Mail Fingerprints
The “Received” field includes tracking information generated by mail
servers that have previously handled a message, in reverse order. The
“X-Mailer” or “User-Agent” field helps to identify email software.
Analyzing these fields helps to understand the software, and the version
used by the sender.
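
The header fields described above, read programmatically. This is an added example, not part of the original notes; the sample message, its hosts, addresses and times are constructed, and the two checks in `findings` (hop timestamps out of order, From versus Return-Path domain) are illustrative leads chosen for this example.

```python
import re
from datetime import timezone
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message: every host, address, IP and time is made up.
RAW = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.10])
    by mailstore.recipient.example with ESMTP id A3;
    Mon, 04 Mar 2024 10:15:09 +0000
Received: from relay.transit.example (relay.transit.example [198.51.100.7])
    by mx.recipient.example with ESMTP id A2;
    Mon, 04 Mar 2024 10:15:05 +0000
Received: from sender-pc.local (unknown [192.0.2.44])
    by relay.transit.example with ESMTPSA id A1;
    Mon, 04 Mar 2024 10:14:58 +0000
From: "Accounts" <accounts@bank.example>
Return-Path: <bounce@other.example>
To: user@recipient.example
Subject: Invoice
X-Mailer: ExampleMailer 2.1
Date: Mon, 04 Mar 2024 10:14:55 +0000

Body text.
"""

def parse(raw):
    return message_from_string(raw, policy=policy.default)

def received_hops(msg):
    """Return the Received chain oldest-first (the header lists it newest-first)."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        value = " ".join(str(raw).split())  # unfold continuation lines
        info, sep, stamp = value.rpartition(";")
        if not sep:                         # no timestamp part present
            info, stamp = value, ""
        try:
            when = parsedate_to_datetime(stamp.strip())
            if when.tzinfo is None:         # "-0000" parses as naive; treat as UTC
                when = when.replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            when = None
        src = re.search(r"\bfrom\s+(\S+)", info)
        dst = re.search(r"\bby\s+(\S+)", info)
        ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", info)
        hops.append({"from": src and src.group(1), "ip": ip and ip.group(1),
                     "by": dst and dst.group(1), "time": when})
    return hops

def client_software(msg):
    """Mail client named in X-Mailer or User-Agent, if the sender's software set one."""
    value = msg.get("X-Mailer") or msg.get("User-Agent")
    return str(value).strip() if value else None

def findings(msg):
    """Leads for the examiner to follow up; none of them is proof on its own."""
    notes, hops = [], received_hops(msg)
    for earlier, later in zip(hops, hops[1:]):
        if earlier["time"] and later["time"] and later["time"] < earlier["time"]:
            notes.append(f"time goes backwards at {later['by']}")
    from_dom = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    path_dom = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    if from_dom and path_dom and from_dom != path_dom:
        # Bulk-mail services also cause this, so it is a lead, not a verdict.
        notes.append(f"From domain {from_dom} differs from Return-Path domain {path_dom}")
    return notes

if __name__ == "__main__":
    msg = parse(RAW)
    for hop in received_hops(msg):
        print(hop["time"], hop["from"], hop["ip"], "->", hop["by"])
    print(client_software(msg), findings(msg))
```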

03 What are the types of crime scene? CO4

Ans:-
1. Physical location of crime and evidence: a. Primary crime scene b. Secondary crime scene
2. Evidence and crime scene size: a. Microscopic b. Macroscopic
3. Location: a. Indoor b. Outdoor c. Vehicular

04 Explain the process of mobile forensics? What are the sources of mobile evidence? CO3

Ans:-
1. Seize 2. Acquisition 3. Analysis 4. Examination
05 Explain the process of email forensics? What is the role of email forensics investigator? CO4

Ans:- The email forensics process involves an in-depth analysis of email
content, its metadata including headers, and various other artifacts such as email
attachments to uncover hidden evidence. This forensics process is
usually preferred in cases like intellectual property theft, data breaches,
tracking down criminals, etc.
Several steps are involved in the investigation. First, forensics examiners
acquire and preserve the email data. Second, they analyze the header
information and then examine the metadata. Finally, they maintain
documents containing the methods used, what evidence was uncovered, etc.

Role of email investigator:

1. Examine
2. Preserve
3. Carve out evidence
4. Report
06 Explain SIM card architecture? Also explain benefits of SIM card. CO4
Ans:

A SIM (Subscriber Identity Module) card is a plastic piece with
a circuit-embedded chip that stores identifying information on
a mobile device. This information helps mobile service
providers associate devices with individual customer accounts.

BENEFITS OF SIM CARDS

• Makes upgrading your phone easy.
• If your phone runs out of battery, you can borrow someone else's and just remove
your SIM card and place it into their cell phone.
• Prepaid SIM cards are useful for travelers.

07 Explain the data format for storing the digital evidence? Explain the method of collecting the data. CO3
Ans: Data format:
1. Raw format
2. Proprietary format
3. Advanced Forensic Format (AFF)
Method for collecting the data:


1. Disk to image file
2. Disk to disk
3. Disk to data file
4. Sparse data copy of file
08 Difference between Static Data Acquisition vs Live Data Acquisition. CO4

09 Explain the types of email crime? CO4

Ans: Types
1. Email spoofing
2. Email frauds
3. Email bombing
4. Defamatory mail
5. Threatening mail
10 Short Note: CO4

1. 3A's
Ans: 1. Acquire
2. Analysis
3. Authentication
Locard Exchange Principle: 'Locard's Exchange Principle' in forensic science holds
that the perpetrator of a crime will bring something to the crime scene and will leave with
something from it.

2. Device handling & examination principles


Ans: Principles:
a. Don't modify anything
b. If you have to risk modifying something, make sure you know what you are doing
c. Record everything you do in the right order
d. Someone must take responsibility for making sure that everything is legal and in
accordance with these principles

3. CDMA, TDMA, FDMA


4. Levels of acquisition:
Ans:-
1. Micro read
2. Chip off
3. Physical extraction
4. Logical extraction
5. Manual extraction

Session 2023-24

Q. No    Questions    CO Mapped

01 Explain the goal of Investigation report writing? CO5

Ans:-
1. Accurately describe the details of an incident
2. Be understandable to decision makers
3. Be unambiguous and not open to misinterpretation
4. Contain all info required to explain your conclusion
5. Report should be ready in time.

Offer valid conclusion, opinion when needed.

02 Draw and explain the Layout of investigation report? CO5

Ans: An investigation report is a document that details the findings of an
investigation as soon as a formal complaint is filed or an incident occurs. This is
where investigators record the issues of the matter, analyze the evidence, and
formulate a conclusion. It is impartial and based on evidence, not on the opinions of
an investigator or the parties involved.

The layout contains the following:

Executive summary

Objective

Computer evidence analysed

Relevant documents

Supporting details

Investigative leads

Additional report subsections

03 State the guideline of Investigation report writing? CO5

Ans:

• Document investigative steps immediately and clearly
• Know the goal of your analysis
• Organize your report (Macro to Micro)
• Follow the template
• Use consistent identifiers
• Use attachments and appendices
• Have a co-worker read your report
• Use MD5 hashes
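
The "Use MD5 hashes" guideline applied to an acquired image and its working copies, as an added example that is not part of the original notes. The item identifier, file names and data are constructed, and SHA-256 is recorded next to MD5 as an assumption of this example, because MD5 collisions are practical to produce.

```python
import hashlib
import os
import tempfile


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Stream a file through each digest so large images never sit in memory."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def acquisition_record(path, item_id):
    """Values to write into the report when the image is acquired."""
    return {"item": item_id, "size": os.path.getsize(path), **hash_file(path)}


def verify_copy(record, copy_path):
    """Return the names of the checks on which a copy differs from the record."""
    problems = []
    if os.path.getsize(copy_path) != record["size"]:
        problems.append("size")
    for name, value in hash_file(copy_path).items():
        if record[name] != value:
            problems.append(name)
    return problems


def demo():
    """Constructed data: a stand-in image, an exact copy, and an altered copy."""
    data = bytes(range(256)) * 4096                # 1 MiB, made up
    altered = data[:500] + b"\x00" + data[501:]    # one byte changed
    with tempfile.TemporaryDirectory() as tmp:
        paths = {}
        for name, content in (("image", data), ("good", data), ("bad", altered)):
            paths[name] = os.path.join(tmp, name + ".dd")
            with open(paths[name], "wb") as fh:
                fh.write(content)
        record = acquisition_record(paths["image"], "ITEM-001")
        return {"record": record,
                "good": verify_copy(record, paths["good"]),
                "bad": verify_copy(record, paths["bad"])}


if __name__ == "__main__":
    result = demo()
    print(result["record"])
    print("exact copy:", result["good"] or "verified")
    print("altered copy differs on:", result["bad"])
```

The record is taken once at acquisition and quoted in the report under the same item identifier; every later working copy is checked against it before analysis.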

Signature of Faculty
