Q.1 what is Computer Forensic and why computer forensic important.

 Computer forensics is the application of investigation and analysis techniques to gather and preserve
evidence from a particular computing device in a way that is suitable for presentation in a court of law.
The goal of computer forensics is to perform a structured investigation and maintain a documented chain
of evidence to find out exactly what happened on a computing device and who was responsible for it.
 As the world becomes more connected digitally, digital evidence for solving crimes is becoming more
relevant every day. A computer forensics investigator’s job is to collect, examine, and safeguard this
evidence to help solve cybercrimes and to recover important compromised data.
 Types of computer forensics
Computer forensics always involves gathering and analysing evidence from digital sources. Some common
types include:
1. Database forensics: Retrieval and analysis of data or metadata found in databases.
2. Email forensics: Retrieval and analysis of messages, contacts, calendars, and other information on an email
platform.
3. Mobile forensics: Retrieval and analysis of data like messages, photos, videos, audio files, and contacts
from mobile devices.
4. Memory forensics: Retrieval and analysis of data stored on a computer's RAM (random access memory)
and/or cache.
5. Network forensics: Use of tools to monitor network traffic like intrusion detection systems and firewalls.
6. Malware forensics: Analysis of code to identify malicious programs like viruses, ransom_ware, or Trojan
horses.

Importance of Computer forensics

 A few criminals are becoming smarter. So data hiding techniques which includes encryption and
steganography.
 The evidence of criminal activity is placed in such a way where traditional search method cannot able
to find it.
 Encryption -Encryption is a way of scrambling data in order that only authorized parties can
understand the data. Ex - Email message, so that it cannot be readable to the interceptor.
 Steganography - Steganography is that the practice of concealing a file, message, image, or video
within another file, message, image, or video. Steganography is that the technique of hiding secret
data within a typical, non-secret, file or message so as to avoid detection; the secret data is then
extracted at its destination.
 Computer forensics is not just about detective work but also searching for and trying to find out
information. computer forensics is also worried with:
1. Taking precautions to not nullify findings by corrupting data.
2. Cyber forensics can also help in recovering encrypted, deleted, or corrupted files.
3. Checking the integrity of the information
4. It staying within the regulation and guidelines of evidence
Q.2 Write a short note on computer forensic process.

Explain Systematic Approach of Investigation

Conduct a systematic approach to computer investigation; you can follow a structured methodology
such as the "Systematic Digital Forensic Investigation Model" (also known as the "Digital
Investigation Process Model"). This model provides a step-by-step framework for conducting
computer investigations. Here are the key phases of this systematic approach

1. Preparation
 Define the scope and objectives of the investigation.
 Identify the resources, tools, and personnel needed.
 Ensure legal authorization and compliance with relevant policies and regulations.
 Document initial information and create a case log.

2. Identification
 Gather all available information about the incident, including complaints, reports, or alerts.
 Conduct interviews with relevant stakeholders to gather initial details.
 Identify potential sources of evidence, such as systems, devices, networks, or logs.
 Create a list of potential evidence to be collected and analysed.

3. Preservation
 Take necessary measures to preserve the integrity of evidence. Secure and isolate affected
systems, devices, or networks.
 Create forensic images or copies of the evidence following appropriate methods.
 Document the chain of custody for all evidence collected.

4. Collection
 Collect the identified evidence based on the established plan.
 Use appropriate forensic techniques and tools to capture relevant data.
 Recover deleted or hidden files, analyse system logs, and capture network traffic.
 Ensure the preservation of volatile data by using appropriate live forensics techniques.

5. Examination
 Analyse the collected evidence systematically and thoroughly. Employ forensic tools and
techniques to extract, decode, and interpret data.
 Reconstruct events and timelines based on timestamps and other metadata.
 Identify potential indicators of compromise (IOCs) or signs of malicious activity.

6. Analysis
 Analyse the findings to understand the nature and extent of the incident.
 Identify patterns, trends, or anomalies that may provide insights. Use forensic and
investigative techniques to identify suspects or potential motives.
7. Documentation
  Document all investigative actions, findings, and analysis in a detailed and organized
manner.
 Maintain a proper chain of custody for evidence and record any changes or actions taken.
 Create clear and comprehensive reports that can be easily understood by both technical and
non-technical audiences.

8. Presentation
 Prepare a final report summarizing the investigation process, findings, and conclusions.
 Present the report to appropriate stakeholders, such as management, legal counsel, or law
enforcement.
 Clearly communicate the results, implications, and any recommendations for further actions.
 Be prepared to testify or present findings in legal proceedings, if required.

Q.3 Explain computer forensic team in detail

1. Investigators

 This is often a bunch of people (number depends on the scale of the firm) who handle and solve the
case. It's their job to use the forensic tools and techniques so as to search out the evidence against the
suspect.
 They will call the enforcement agencies, if required. Investigators are supposed to act immediately
after the occurrence of the event that's suspected of criminal activity.

2. Photographer

 To record the crime scene is as important as investigating it.

 The photographer's job is to require photographs of the crime scene (IT devices and other
equipment).

3. Incident Handlers (first responder)

 Every organization, despite type, should have incident handlers in their IT department.
 The responsibility of those people is to observe and act if any computer security incidence happen,
like breaching of network policy, code injection, server hijacking, or the other malicious code
installation.

4. IT Engineers & technicians (other support staff)

 This is often the group of people who run the daily operation of the firm. They are IT engineers and
technicians to maintain the forensics lab.
 This team should encompass network administrator, IT support, IT security engineers and desktop
support. The key role of this team is to form sure the graceful organizational functions, monitoring,
troubleshooting, data recovery and to maintain the specified backup.

5. Attorney: Since computer forensic directly affect investigation and to submit the case within the court, so
an attorney should be a district of this team.

Q.4 Describe Procedures for Corporate High-Tech Investigations.

Q. Explain computer investigation preparation
Q. How to conducting the investigation. Explain

Here are the general procedures involved in conducting such investigations:

1. Establish Investigation Scope and Objectives: Define the purpose and scope of the
investigation, including identifying the specific areas or systems to be examined, such as
email servers, workstations, servers, cloud storage, or mobile devices. Determine the
specific objectives, such as identifying data breaches, intellectual property theft, or
employee misconduct.

2. Assemble an Investigation Team: Form a team of qualified professionals, including

computer forensic specialists, IT staff, legal advisors, and relevant stakeholders. Each team
member should have expertise in different areas, such as forensic analysis, data recovery,
network security, and legal compliance.

3. Secure the Affected Systems: Isolate and secure the affected systems to prevent any
unauthorized access or tampering. If necessary, disconnect the affected systems from the
network, but do so in a way that preserves the system state and minimizes potential evidence
alteration.

4. Document the Chain of Custody: Establish a proper chain of custody for all digital
evidence collected during the investigation. This includes documenting the date, time,
location, and individuals involved in the handling of the evidence. Maintaining a reliable
chain of custody is essential to ensure the admissibility and integrity of the evidence in a
legal setting.

5. Forensic Imaging and Preservation: Create forensic images of relevant storage media,
such as hard drives, servers, or mobile devices. Forensic imaging is a bit-by-bit copy of the
original data, preserving the integrity of the evidence. Store the images securely and ensure
they are not altered or tampered with.

6. Evidence Collection and Analysis: Conduct a thorough examination of the collected data
to identify potential evidence. This includes analysing file systems, metadata, logs, network
traffic, and other relevant artifacts. Specialized computer forensics tools and techniques are
used to search for hidden or deleted data, recover deleted files, and identify patterns of
suspicious behaviour.

7. Data Recovery and Reconstruction: In cases where data has been intentionally or
accidentally deleted, employ appropriate data recovery techniques to retrieve and
reconstruct the lost information. This may involve the use of specialized software tools or
engaging forensic data recovery experts.

8. Analyse and Interpret Findings: Evaluate the collected evidence and interpret the findings
in the context of the investigation objectives. Identify any patterns, anomalies, or potential
indicators of misconduct. Collaboration between computer forensics experts and relevant
stakeholders, such as legal counsel and HR, is crucial at this stage.

9. Reporting and Documentation: Prepare a comprehensive report documenting the

investigation process, methodologies employed, evidence collected, and the findings. The
report should be clear, concise, and suitable for both technical and non-technical audiences.
 It should also address any legal or regulatory requirements and be prepared in consultation
with legal advisors.

10. Legal Considerations: Throughout the investigation, it is important to maintain compliance

with applicable laws, regulations, and privacy considerations. Consult legal advisors to
ensure that all investigative activities adhere to relevant legal requirements, including
obtaining necessary search warrants or consent, respecting employee privacy rights, and
protecting privileged information.

11. Follow-Up Actions: Based on the investigation findings, organizations may need to take
corrective actions, such as disciplinary measures, policy changes, or implementing
additional security controls. It is essential to address any identified vulnerabilities or
weaknesses to prevent similar incidents in the future.

1. Describe the investigative triad

(see lecture slides 1) and the
purpose of each of the elements in
it. [6]
The investigative triad in forensic
science consist of three groups
that are responsible for ensuring
and
maintaining a very a soundly
secure computing environment in
any organizational setup. The
three groups
represent each side of a triangle
and they usually work independent
of each other though they draw
and share
expertise in various areas of
interest.
1. Vulnerability assessment: This
group involves checking the
integrity of the server and the
system on which the
work is done. It involves the
checking the security of the
operating system and the
applications involved. People
who work in this group test for
known vulnerabilities of OSs and
applications used in the network.
2. Incident Response: This group
detects intruder attacks by using
automated tools and monitoring
network
firewall logs manually. When an
external attack is detected, the
response team tracks, locates, and
identifies the
intrusion method and denies
further access to the network.
3. Computer investigations:
manages investigations and
conducts forensic analysis of
systems suspected of
containing evidence related to an
incident or a crime. For complex
casework, the computer
investigations group
draws on resources from those
involved in vulnerability
assessment, risk management,
and network intrusion
detection and incident response.
Q.5 Describe the investigative triad

Investigators often work as a team to make computers and networks secure in an organization.
The computer investigations function is one of three in a triad that makes up computing security. In
an enterprise network environment, the triad consists of the following parts

1. Vulnerability assessment and risk management:

When you work in the vulnerability assessment and risk management group, you test and verify the
integrity of standalone workstations and network servers. This integrity check covers the physical
security of systems and the security of operating systems (OSS) and applications.
People who work in this group test for known vulnerabilities of OSS and applications used in the
network. This group also launches attacks on the network and its workstations and servers to assess
vulnerabilities. Typically, people performing this task have several years of experience in UNIX
and Windows administration.

2. Network intrusion detection and incident response:

Professionals in the vulnerability assessment and risk management group also need skills in
network intrusion detection and incident response. This group detects intruder attacks by using
automated tools and monitoring network firewall logs manually. When an external attack is
detected, the response team tracks, locates, and identifies the intrusion method and denies further
access to the network. If an intruder launches an attack that causes damage or potential damage, this
team collects the necessary evidence, which can be used for civil or criminal litigation against the
intruder. Litigation is the legal process of establishing criminal or civil liability in court.

3. Computer investigations:
The computer investigations group manages investigations and conducts forensic analysis of
systems suspected of containing evidence related to an incident or a crime. For complex casework,
the computer investigations group draws on resources from those involved in vulnerability
assessment, risk management, and network intrusion detection and incident response.
This group resolves or terminates all case investigations.

Q.6 what in evidence custody form? What information does it contain?

An evidence custody form, also called a chain-of-evidence form, which helps you document what has
and has not been done with the original evidence and forensic copies of the evidence.
Consider creating a single-evidence form (which lists each piece of evidence on a separate page) and
a multi evidence form, depending on the administrative needs of your investigation.

An evidence custody form usually contains the following information:

 Case number: Number the organization assigns when an investigation is initiated.
 Investigating organization: The name of the organization. In large corporations with global
facilities, several organizations might be conducting investigations in different geographic
areas.
 Investigator: The name of the investigator assigned to the case. If many investigators are
assigned, specify the lead investigator's name.
 Nature of case: A short description of the case. For example, in the corporate environment, it
might be "Data recovery for corporate litigation" or "Employee policy violation case."
 Location evidence was obtained: The exact location where the evidence was collected. If
we're using multi-evidence forms, a new form should be created for each location.
 Description of evidence: A list of the evidence items, such as "hard drive, 20 GB" or "one
USB drive. 128 MB." On a multi-evidence form, write a description for each item of evidence
we acquire.
 Vendor name: The name of the manufacturer of the computer evidence.
 Model number or serial number: List the model number or serial number (if available) of the
computer component. Many computer components, including hard drives, memory chips, and
expansion slot cards, have model numbers but not serial numbers.
 Evidence recovered by: The name of the investigator who recovered the evidence. The chain
of custody for evidence starts with this information. The person placing his or her name on
this line is responsible for preserving, transporting, and securing the evidence.
Q.7 Explain data recovery workstation and software in computer investigation

Data recovery workstations and software play a crucial role in computer investigations by helping
to retrieve lost or inaccessible data from various storage devices. These workstations and software
are specifically designed to handle the complex process of data recovery, ensuring that investigators
can access and analyse critical information.

Data Recovery Workstations: Data recovery workstations are specialized computer systems
equipped with advanced hardware and software components. They are designed to handle the
intricacies of data recovery, including dealing with damaged or corrupted storage media. Here are
some key components and features commonly found in data recovery workstations:

1. High-performance hardware: Data recovery workstations often feature powerful processors,

ample RAM, and high-speed storage devices to handle the intensive computational tasks involved
in data recovery.
2. Write-blocking technology: Workstations employ write-blocking devices or software to prevent
accidental modification or alteration of the original data during the recovery process. This ensures
the integrity and admissibility of the evidence.
3. Multiple storage device support: Workstations can connect to and support various storage
media, such as hard drives, solid-state drives (SSDs), RAID arrays, USB drives, memory cards, and
more. They may have multiple ports and adapters to accommodate different types of devices.
4. Imaging and cloning capabilities: Workstations can create bit-by-bit copies or disk images of
storage devices, ensuring that investigators have a complete and unaltered copy of the original data.
This is important for preserving evidence and conducting further analysis without affecting the
original source.
5. File system support: Workstations are equipped with software that can handle different file
systems, including popular ones like NTFS, FAT32, HFS+, APFS, and ext4. This allows
investigators to recover data from various operating systems and file system formats.

Data Recovery Software: Data recovery software is a critical component of computer

investigations, providing tools and algorithms to analyse and retrieve lost or deleted data. These
software solutions vary in terms of features, complexity, and capabilities. Here are some common
features found in data recovery software:

1. Scanning and searching: Data recovery software scans storage devices to locate lost or deleted
files. It can search based on file names, file types, file signatures, or even by analysing the file
system structures.
2. File preview and selection: Software allows investigators to preview recoverable files before
initiating the recovery process. This helps in selecting specific files or folders for recovery.
Reducing the time required for scanning and analysis.
3. File system reconstruction: In cases where the file system is damaged or corrupted, data
recovery software can reconstruct the file system structures to locate and retrieve files effectively.
4. Partition recovery: Software solutions can recover lost or deleted partitions, allowing
investigators to access and extract data from these partitions.
5. Deleted file recovery: Data recovery software employs algorithms to recover files that have been
deleted, even if they have been emptied from the Recycle Bin or Trash.
6. Comprehensive file format support: The software supports a wide range of file formats,
including documents, images, videos, audio files, databases, archives, and more. This ensures that
investigators can recover and analyse various types of data.

Q.8 Understanding Bit-stream Copies

 A bit-stream image is a bit-by-bit copy of a hard drive or any electronic media that preserves
all the data, including deleted files, hidden data, and free space.

 A bit-stream image is used for evidence preservation and analysis in digital forensics, as it
allows the investigator to examine the evidence without altering or damaging the original
media and ensures the admissibility of the evidence in court by preserving its original state.

 A bit-stream image is also known by different names, such as mirror image, exact-copy
image, disk duplicate and forensic image.

 To create a bit-stream image, a special software tool is used to read every bit from the
original media and write it to another media, such as a hard disk or a CD-ROM. The process
of creating a bit-stream image is called imaging. The software tool also verifies the integrity
of the image by comparing the hash values of the original and the copy. A hash value is a
unique identifier that is generated from a set of data using a mathematical function.

 A bit-stream image can reveal information that is not visible on the surface, such as deleted
files, hidden data, file fragments, and metadata. Metadata is data that describes other data,
such as the date and time of creation, modification, and access.

 A bit-stream image is different from a forensic clone, which is another type of copy that is
used for evidence analysis. A forensic clone is a logical copy that only includes the files and
folders that are visible on the original media.

 A forensic clone is faster and easier to create than a bit-stream image, but it does not capture
the deleted files, hidden data, and free space that may contain valuable information.

 A forensic clone is also more prone to contamination and alteration than a bit-stream image.
Therefore, a bit-stream image is preferred over a forensic clone for digital forensics
purposes.

Q.9Explain storage format for digital evidence

Q.12 Determine the Data Acquisition Format.

When it comes to data acquisition and storage formats for digital evidence, several common formats
are used in forensic investigations. These formats ensure the preservation and integrity of the
evidence. Here are some of the widely used storage formats:
1. Disk Images (Forensic Images): Disk imaging involves creating a bit- by-bit copy of the entire
storage media, including all sectors and data structures. The resulting disk image file can be stored
in various formats, such as:
 Raw Format (.dd, .img): A sector-by-sector copy of the original storage media.
 Advanced Forensic Format (AFF): A versatile format that supports compression, encryption,
and metadata storage.
 Encase Evidence File Format (.E01): A proprietary format used by Encase forensic
software.
 Logical Imaging Format (L01): A format used by logical forensic tools to capture file-level
data.

2. Portable Document Format (PDF): PDF files are widely used for storing digital evidence that
includes text, images, and other media. They provide a standardized format that can be easily
viewed on multiple platforms without altering the content. Password protection and digital
signatures can be applied to enhance security.

3. Image Files: Digital images are often stored in common formats such as JPEG, PNG, TIFF, or
BMP. These formats preserve the visual content and can be easily viewed and analysed using
various software tools. Metadata embedded in image files, such as EXIF data, can provide valuable
information for forensic analysis.

4. Video/Audio Files: Video and audio evidence can be stored in formats like AVI, MP4, MOV, or
WAV. These formats ensure the preservation of the multimedia content and can be played using
standard media players. Timestamps, metadata, and other relevant information should be retained
for analysis.
5. Database Files: In forensic investigations involving databases, data may be extracted and stored
in database-specific formats such as SQL dumps (e.g., .sql) or database backup files. These formats
preserve the structure and content of the database, allowing for further analysis and querying.

6. Archive Files: Compressed archive formats like ZIP, RAR, or TAR are used to store multiple
files or directories together while reducing their overall size. These formats can be password-
protected and are useful for organizing and transferring evidence.

Q.10 Explain Data acquisition and its type.

Data acquisition in cyber forensics refers to the process of collecting, preserving, and securing
digital information from various sources like computers, storage devices, or networks. It involves
gathering evidence in a way that maintains its integrity for analysis in legal or investigative
proceedings.

What is Data Acquisition?

The gathering and recovery of sensitive data during a digital forensic investigation is known as data
acquisition. Cybercrimes often involve the hacking or corruption of data. Digital forensic analysts
need to know how to access, recover, and restore that data as well as how to protect it for future
management. This involves producing a forensic image from digital devices and other computer
technologies.
There are generally three types of data acquisition in cyber forensics:

1. Live Data Acquisition: This involves collecting data from a running system or device, without
disrupting its normal operations. This may include capturing volatile data such as open applications,
system processes, network connections, and RAM contents. Live data acquisition is useful for
capturing evidence that may be lost if the system is shut down.

2. Dead Data Acquisition: This involves collecting data from a powered-off or unresponsive
system or device. This may include creating a bit-by-bit image of the storage media, including
deleted files and hidden data. Dead data acquisition is useful for preserving evidence in its original
state and preventing any further modification or deletion.

3. Remote Data Acquisition: This involves collecting data from a remote system or device over a
network connection. This may include accessing and retrieving data from cloud storage, remote
servers, or networked devices. Remote data acquisition is useful for investigating incidents that
involve distributed or cloud-based systems.

Q.11 Determining the Best Acquisition Method in detail

Determining the best data acquisition method depends on several factors, including the specific
requirements of your project, the type and volume of data you need to acquire, the resources
available to you, and the desired level of accuracy and efficiency. Here are some key considerations
and popular data acquisition methods to help you make an informed decision:

1. Purpose and Requirements: Start by clearly defining the purpose of your data acquisition and the
specific requirements you need to meet. Are you collecting data for research, monitoring, or
analysis? Do you need real-time or historical data? What is the desired level of accuracy and
precision?

2. Data Sources: Identify the sources of your data. Are you working with physical sensors, online
databases, APIs, social media platforms, web scraping, or user-generated content? Understanding
the data sources will help determine the appropriate acquisition method.

3. Sensor-based Data Acquisition: If you're working with physical sensors, you'll need to consider
the type of sensor, data transmission protocols, and connectivity options. Common sensor-based
acquisition methods include analog-to-digital converters (ADCs) for converting analog sensor
signals into digital data, and serial communication protocols like I2C, SPI, or UART for data
transmission.

4. Web Scraping: When dealing with web-based data sources, web scraping techniques can be
employed to extract data from websites. This involves writing code to scrape the required
information from HTML pages, using tools such as Beautiful Soup or Selenium.

5. APIS: Many online platforms provide Application Programming Interfaces (APIs) to access their
data programmatically. If the data source offers an API, this can be a reliable and efficient method
to acquire data. APIs provide structured and often real-time data access, allowing you to retrieve
specific information in a controlled and standardized manner.

6. Database Integration: If your data is stored in databases, you can use database integration
techniques to acquire the required information. This typically involves writing SQL queries or using
database connectors to extract data from relational databases or NoSQL databases like MongoDB or
Cassandra.
7. Data Purchase: In some cases, data acquisition may involve purchasing data from third-party
providers. This is common in industries like market research or finance, where specialized data sets
are required. Consider the cost, reliability, and compatibility of the purchased data before making a
decision.
8. Crowd sourcing: Another approach is to acquire data through crowd sourcing. This involves
collecting data from a large number of individuals or contributors. Crowd sourcing platforms or
applications can be used to gather data, such as surveys, image annotations, or user- generated
content.

Q.12 Advanced Forensic Format

Dr. Simson L. Garfinkel of Basis Technology Corporation recently developed a new open-source
acquisition format called Advanced Forensic Format (AFF). This format has the following design
goals:

Design goals

– Provide compressed or uncompressed image files

– No size restriction for disk-to-image files

– Provide space in the image file or segmented files for metadata

– Simple design with extensibility

– Open source for multiple platforms and Oss

– Internal consistency checks for self-authentication

– File extensions include .afd for segmented image files and .afm for AFF metadata

– AFF is open source

Q.13 contingency plan for image acquisitions:

Here are some key steps to consider when creating a contingency plan for image acquisitions:
1. Identify potential risks: Start by identifying the possible risks or challenges that could impact
image acquisition. These could include technical issues, equipment failures, weather conditions,
scheduling conflicts, or unforeseen obstacles.

2. Assess impact: Evaluate the potential impact of each identified risk on the image acquisition
process. Determine how severe the impact could be and prioritize risks based on their likelihood
and potential consequences.

3. Develop alternative plans: For each identified risk, develop alternative plans or workarounds that
can be implemented if the risk materializes. Consider different scenarios and develop specific action
plans for each one.

4. Equipment redundancy: Ensure you have redundancy in critical equipment. Have backup
cameras, lenses, memory cards, batteries, and all other essential gear readily available. This will
help mitigate the risk of equipment failure during image acquisition.

5. Data backup: Establish a robust data backup system to protect the acquired images. Make sure to
have multiple copies of the data, stored in different locations or on different media, to minimize the
risk of data loss.

6. Communication and coordination: Maintain clear communication channels with all stakeholders
involved in the image acquisition process. This includes photographers, technicians, organizers, and
any other relevant parties. Ensure that everyone understands their roles and responsibilities and
establish a communication plan to address any unforeseen circumstances.

7. Weather considerations: If outdoor photography is involved, closely monitor weather conditions

and have backup plans in place for adverse weather scenarios. plan alternate locations or
rescheduling options if necessary.

8. Contingency budget: Allocate a contingency budget to cover any unexpected expenses that may
arise during image acquisition. This can include costs associated with equipment repairs or
replacements, additional staffing, or alternative solutions for unforeseen challenges.

9. Review and update: Regularly review and update your contingency plan as necessary. As new
risks emerge or circumstances change, ensure that your plan remains relevant and effective.

10. Test and practice: Conduct mock scenarios or simulations to test your contingency plan. This
will help identify any gaps or areas for improvement and familiarize the team with the planned
actions, ensuring a smoother response during actual emergencies.
 UNIT-2
Q.1 what is Digital Evidence? Elaborate your answer to your answer.

Digital evidence refers to any information or data that is stored or transmitted in digital form and
can be used as evidence in legal proceedings or investigations.

1. Documents and Files: This includes electronic documents, spread_sheets, presentations, text
files, images, videos, audio recordings, and other digital media files.
2. Emails and Instant Messages: Communications exchanged via email platforms or instant
messaging apps are considered digital evidence. This includes email conversations, message
threads, attachments, and timestamps.
3. Social Media Data: Content and activities on social media platforms, such as posts,
comments, private messages, photos, videos, and user profiles, can be used as digital
evidence.
4. Internet and Web Data: Digital evidence can be found in web browsing history, internet
search logs, website access logs, cookies, cached web pages, and internet-based
communication platforms.
5. Databases and Data Records: Information stored in databases, such as customer records,
transaction logs, financial records, and user account information, can serve as digital
evidence.
6. Metadata: Metadata provides information about other data, such as the creation date,
modification date, file size, author information, and geolocation.
7. Mobile Device Data: Data extracted from smartphones, tablets, and other mobile devices
can include call logs, text messages, location information, app usage, photos, videos, and
device settings.
 8. Cloud and Online Storage: Data stored in cloud storage services, online backup systems, or
file-sharing platforms can be considered digital evidence.

GQ.2 Explain the Process of digital evidence.

GQ.2 how is digital evidence identifying?

Identifying digital evidence involves the process of recognizing and collecting information from
various digital sources that may be relevant to an investigation or legal matter. This evidence can be
found on computers, mobile devices, storage media, online platforms, and network logs. Here are
some key steps and considerations for identifying digital evidence:

1. Preservation: It's crucial to preserve the integrity of the digital evidence to prevent tampering or
loss. This involves creating a forensic copy (bit-by-bit image) of the original storage media or
device. The copy should be made using forensically sound methods and tools to ensure the
admissibility of the evidence in court.

2. Locating Relevant Data: Determine the potential sources of digital evidence based on the nature
of the investigation. This may include examining computers, smartphones, tablets, servers, cloud
storage, social media accounts, email accounts, messaging apps, and any other relevant digital
devices or platforms.

3. Keyword Searches: Utilize search techniques to identify files, documents, emails, or

communications containing specific keywords or phrases that are relevant to the investigation. This
can be done using search functions within operating systems, email clients, or forensic software
tools.

4. Metadata Analysis: Metadata provides valuable information about digital files, such as creation
dates, modification dates, and user account details

5. File Carving: In cases where files have been deleted or are hidden, file carving techniques can be
used to recover fragments or complete files from unallocated disk space or other data remnants.

6. Internet Artifacts: Investigate internet browsing history, cookies, cache files, and temporary
internet files to uncover online activities, visited websites, downloaded files, and potentially
incriminating or relevant information.

7. Communication Analysis: Analyse messaging apps, chat logs, social media communications,
email exchanges, and call records to identify conversations, contacts, and patterns that may be
pertinent to the investigation.

8. Cloud and Online Data: Collect evidence from cloud storage services, online platforms, and
social media accounts by requesting data preservation or utilizing legal processes to obtain relevant
information.

GQ.3 what are the 7 Rules for digital evidence?

When it comes to digital evidence, it is crucial to follow certain rules and guidelines to ensure its
integrity, admissibility, and reliability in legal proceedings. While specific rules may vary
depending on jurisdiction and the nature of the case, here are some common principles and
considerations:

1. Chain of custody: Maintain a clear and documented chain of custody for the digital
evidence. This includes documenting who has had access to the evidence, when and how it
was collected, stored, and transferred. The chain of custody ensures the evidence's integrity
and helps establish its authenticity.
2. Preservation: Preserve the original digital evidence in its original state as much as possible.
Avoid altering or modifying the evidence, and make sure it is stored securely to prevent
unauthorized access or tampering.
3. Documentation: Document all actions and procedures related to the collection, handling, and
analysis of digital evidence. This includes recording the date, time, and details of each step
taken, as well as the tools and techniques used.
4. Expertise: Digital evidence often requires specialized knowledge and expertise. Engage
trained professionals, such as digital forensics experts, who have the necessary skills to
collect, analyse, and interpret the evidence correctly. Their expertise adds credibility to the
evidence and enhances its admissibility in court.
5. Authentication: Establish the authenticity of the digital evidence. This involves ensuring that
the evidence can be traced back to its original source and that it has not been manipulated or
fabricated. Verification methods may include digital signatures, hashes, timestamps, or other
cryptographic techniques.
6. Privacy and data protection: Adhere to relevant privacy laws and regulations when
collecting and handling digital evidence. Protect personally identifiable information and
other sensitive data to ensure compliance with applicable privacy standards.
7. Admissibility: Understand the legal requirements for the admissibility relevant rules of
evidence, such as the Federal Rules of Evidence in the digital evidence in your jurisdiction.
Familiarize yourself with United States or similar guidelines in other jurisdictions.

Q.4.PREPARING FOR A SEARCH

GQ.7 Describe digital evidence collection

GQ. Describe gathering process of digital evidence.

Digital evidence collection refers to the process of gathering, preserving, and analyzing electronic
data as evidence in legal or investigative proceedings. Here are the general steps involved in digital
evidence collection:

When it comes to searching for digital evidence, there are several important considerations to keep
in mind. The process of conducting a digital evidence search can be complex and may require
specialized knowledge .Here is some general steps and techniques that can be helpful in conducting
a digital evidence search:

1. Define the scope: Determine the specific nature and scope of the investigation to identify what
kind of digital evidence is looking for. This could include documents, emails, chat logs, images,
videos, or other types of digital files.
2. Obtain legal authorization: Ensure that have the necessary legal authorization to conduct the
search. This may involve obtaining a search warrant or other lawful permission from the
appropriate authorities, depending on jurisdiction and the nature of the investigation.

3. Preserve the evidence: Take steps to preserve the integrity of the digital evidence. This includes
creating backups or images of the original data to prevent any changes or modifications during the
search process.

4. Identify potential sources: Determine the potential sources of digital evidence based on the nature
of the investigation. This could include computers, laptops, smartphones, tablets, servers, cloud
storage, social media accounts, or any other relevant devices or platforms.

5. Use specialized tools: Employ specialized digital forensic tools and software to assist in the
search and analysis of digital evidence. These tools can help to search for and recover deleted or
hidden files, analyse file metadata, and examine the contents of digital media.

6. Conduct keyword searches: Utilize keyword searches to identify relevant files or

communications. This involves using specific words or phrases related to the investigation to search
for relevant content within files, emails, chat logs, or other forms of digital communication.

7. Analyse metadata: Examine metadata associated with digital files, which can provide valuable
information such as creation dates, modification dates, authorship details, or geolocation data.
Metadata can be helpful in establishing timelines, verifying authenticity, or identifying potential
sources of evidence.

8. Follow chain of custody: Maintain a detailed record of the handling and transfer of the digital
evidence to ensure its integrity and admissibility in legal proceedings. This includes documenting
who accessed the evidence, when, and for what purpose.

9. Document findings: Record and document all findings, including relevant files, communications,
timestamps, and any other information that may be important for the investigation or legal
proceedings. Maintain a clear and organized record of the evidence for future reference.

10. Consult experts if needed: If you encounter technical challenges or require expertise in a
specific area, consider consulting with digital forensic experts or specialists who can provide
guidance and support.

G Q.5 How to secure a Computer Incident or Crime Scene?

G Q. Explain different guidelines for seizing digital evidence at the scene?

Securing a computer incident or crime scene in digital evidence is crucial to maintain the integrity
and admissibility of the evidence. It involves following proper procedures to ensure that the
evidence is not compromised or tampered with, allowing for accurate analysis and investigation.
Here are some steps to secure a computer incident or crime scene in digital evidence:
1. Identify the scope: Determine the boundaries of the incident or crime scene. This could involve a
single computer, a network, or multiple devices. Understand the nature of the incident and the
potential evidence that may be present.

2. Preserve the scene: Take immediate steps to preserve the scene preventing any further alteration
or damage. Ensure that no one except authorized personnel enters or interacts with the scene.
Physical access should be restricted, and precautions should be taken to prevent accidental or
intentional tampering.

3. Document the scene: Thoroughly document the entire scene before making any changes. Take
photographs or videos of the physical setup including the location of the computer(s), peripherals,
cables, and other relevant devices. Make detailed notes about the configuration, connections, and
any visible indications of tampering or unusual activity.

4. Secure the equipment: If the computer(s) are powered on, leave them as they are to preserve the
volatile memory. If they are powered off, do not turn them on. Isolate the computer(s) from the
network to prevent any remote access or tampering. If necessary, disconnect the computer(s) from
the power source to preserve their state.

5. Protect the evidence: Use anti-static bags or other suitable containers to protect the computer(s)
and storage media from electrostatic discharge (ESD) during transportation. Label and seal the
containers to maintain the chain of custody.

6. Establish a chain of custody: Document every person who comes into contact with the evidence
and record their actions. This ensures that there is a clear record of who handled the evidence and
when. Use tamper-evident seals and document their placement.

7. Engage digital forensics experts: If the incident or crime scene involves complex digital
evidence, it is advisable to involve digital forensics experts. They can assist in the proper
acquisition and analysis of the evidence, ensuring that it is handled according to industry standards.

8. Maintain backups: If data recovery or analysis is necessary, create forensically sound backups of
the original evidence before any analysis or recovery attempts are made. This preserves the original
evidence in case of any accidental changes or data loss during the investigation process.

9. Follow legal and organizational requirements: Adhere to any legal requirements and
organizational policies regarding the Handling and preservation of digital evidence. Consult with
legal professionals to ensure that proper procedures are followed throughout the investigation.

10. Document everything: Maintain a detailed record of every step taken during the securing and
handling of the evidence. This documentation will be vital when presenting the evidence in court or
during any legal proceedings.

G Q. 6what is used to secure a Computer Incident or crime scene?

Securing a computer incident or crime scene involves specific measures to protect digital evidence
and ensure the integrity of the investigation. Here are some tools and techniques commonly used to
secure a computer incident or crime scene:
1. Physical Security: Implement physical security measures to protect the physical components of
the computer incident or crime scene. This includes restricting access to the area through locked
doors, security guards, or surveillance systems.

2. Network Isolation: Isolate the affected systems or network from external connections to prevent
unauthorized access or further compromise. Disconnect network cables, disable wireless access
points, or implement firewalls to contain the incident and prevent data leakage.

3. Live Forensics Tools: Use live forensics tools to analyse and collect volatile data from running
systems without altering their state. These tools allow investigators to examine memory, network
connections, and other system activities while minimizing disruption to the on-going incident.

4. Write-Blockers: Deploy write-blockers to prevent any unintentional alteration or modification of

storage media. These hardware or software devices ensure that investigators can only read data
from the media without the risk of accidental writes.

5. Imaging and Cloning Tools: Create forensic images or clones of storage devices to preserve the
data in its original state. Use specialized tools to make a bit-for-bit copy of the original media for
analysis, while keeping the original evidence untouched.

6. Network Traffic Capture: Capture network traffic using tools like packet sniffers to examine
network communications and identify any suspicious or malicious activities. This helps
investigators understand the scope and nature of the incident.

7. Encryption and Password Protection: If encrypted data or password. Protected systems are
involved, secure the encryption keys or passwords and document the steps taken to access the
encrypted information. This ensures that the evidence remains intact while enabling authorized
access when necessary.

8. Timestamps and Logs: Preserve timestamps and system logs that may contain valuable
information about the incident. These records can help establish a timeline of events, identify
unauthorized access, or track the actions of potential perpetrators.

9. Forensic Software and Tools: Utilize specialized forensic software and tools for data recovery,
analysis, and investigation. These tools assist in identifying malware, recovering deleted files,
analysing system artifacts, and extracting relevant evidence.

10. Chain of Custody: Maintain a proper chain of custody for all digital evidence collected from the
computer incident or crime scene. Document each transfer of custody, record who had access to the
evidence, and ensure its integrity for admissibility in legal proceedings.

Q.7 Explain Forensic software.

Wireshark
Wireshark is the world’s most-used network protocol analysis tool, implemented by governments,
private corporations, and academic institutions worldwide.
Captured network data can be viewed on a graphical user interface on Windows, Linux and several
other operating systems. The data can be read from Ethernet Bluetooth, USB, and several others,
while the output can be exported to XML, PostScript, CSV, or plain text.
Wireshark’s applications remain primarily in cybersecurity, but there are digital forensics
investigation applications.

ExifTool
ExifTool is a platform-independent system for reading, writing, and editing metadata across various
file types. Of particular interest to the digital investigator is the reading of metadata, which can be
achieved through command-line processes or a simple GUI. For example, investigators can drag
and drop different files, such as a PDF, or a JPEG, and learn when and where the file was created—
a crucial component in establishing a chain of evidence.

EnCase
Encase is a popular commercial digital forensics tool that offers comprehensive capabilities for data
acquisition, analysis, and reporting. It offers a comprehensive software package, from triage to final
reports, streamlining the investigative process.

Forensic Toolkit Imager (FTK)

FTK Imager, a free tool, ensures the integrity of digital evidence by analysing drive images without
modifying their original state. It supports all operating systems, recovers deleted files, parses XFS
files, and generates file hashes for data integrity checks. Therefore, it is a crucial tool for forensic
investigations.

Autopsy
Autopsy is a modular and user-friendly digital forensics platform used by investigators to assess
computer and phone data. It offers timeline analysis, hash filtering, keyword search, web artifact
extraction, file recovery, and rapid identification of indicators of compromise. Background jobs run
in parallel, providing quick results for targeted keywords. Autopsy also allows for creating a
centralized repository and is an open-source solution. It is currently available for Windows only.

ProDiscover Forensic
ProDiscover Forensic is a computer security app that allows you to locate all the data on a computer
disk. It can protect evidence and create quality reports for the use of legal procedures. This tool
allows you to extract EXIF (Exchangeable Image File Format) information from JPEG files.

Volatility Framework
Volatility Framework is software for memory analysis and forensics. It is one of the best Forensic
imaging tools that helps you to test the runtime state of a system using the data found in RAM.

Q.8 Explain the needs of computer forensic tool

1. Data Preservation

 Purpose: Ensuring that the integrity of the digital evidence is maintained. Forensic tools
help create exact bit-for-bit copies of storage devices, preventing any alteration of the
original data.
 Example Tools: FTK Imager, Encase, dd.

2. Data Collection

 Purpose: Efficiently gathering all relevant data from a wide range of sources, including
computers, mobile devices, network logs, and more. These tools streamline the data
collection process, ensuring no critical data is missed.
 Example Tools: Cellebrite, Oxygen Forensic Suite.

3. Data Recovery

 Purpose: Recovering deleted, hidden, or encrypted files that are crucial to the investigation.
Forensic tools are equipped to handle various data recovery challenges, ensuring that all
potential evidence is retrieved.
 Example Tools: Recuva, R-Studio.

4. Data Analysis

 Purpose: Analysing the collected data to uncover patterns, anomalies, and insights relevant
to the investigation. This includes examining file metadata, user activity logs, and network
traffic.
 Example Tools: Autopsy, Sleuth Kit, Wireshark.

5. Reporting

 Purpose: Creating detailed and comprehensive reports that document the findings of the
investigation. These reports must be clear, precise, and admissible in legal proceedings.
 Example Tools: X-Ways Forensics, ProDiscover.

6. Legal Compliance

 Purpose: Ensuring that the methods used for data collection and analysis complies with
legal standards and regulations. Forensic tools are designed to meet these requirements,
making the evidence admissible in court.
 Example Tools: EnCase, AccessData FTK.

9. Write Blockers

Write blockers are devices used to prevent any write operations on the storage media being
investigated. They allow read-only access to the data, ensuring that no changes are made to the
original evidence during the acquisition process.

Write blockers are of utmost importance in the field of computer forensics for several critical
reasons:
Preservation of Evidence: Write blockers prevent any write operations to the original storage media,
ensuring that the data is not altered, deleted, or contaminated during the investigation process. This
preservation of evidence is crucial to maintain the integrity of the data, as any modifications could
compromise the reliability and admissibility of the evidence in a court of law.

Preventing Accidental Changes: In the high-stress environment of a digital forensics investigation,

it is easy for an investigator to inadvertently modify or delete data if write-blocking measures are
not in place. Write blockers act as a safeguard against accidental changes that can potentially
destroy essential evidence.

Protection from Malicious Code: During the examination of digital evidence, there is always a risk
of encountering malicious code, such as viruses, malware, or ransom ware. Write blockers protect
the investigator's system from being infected by malware that might be present on the target storage
media.

Speed and Efficiency: Write blockers are purpose-built to handle data acquisition tasks efficiently,
often offering high-speed data transfers. This ensures that the investigation process is conducted as
quickly as possible, minimizing disruption to the involved parties.

Write Protection: Forensic imaging devices incorporate write-blocking functionality to prevent any
write access to the source media during the imaging process. This ensures that the original evidence
remains unaltered.

2. Forensic Imaging Devices

These tools are used to create forensic images of hard drives, solid-state drives, memory cards, and
other storage media. Forensic images are exact replicas of the original media and are used for
analysis and preservation of evidence.

Features of Forensic Imaging Devices

Bit-by-Bit Imaging: Forensic imaging devices perform bit-by-bit imaging, capturing every sector of
the source media, including used and unused areas, as well as file system metadata. This ensures an
accurate representation of the original data.

Hash Verification: These devices calculate cryptographic hash values (e.g., MD5, SHA-256) for
both the source and destination media. After imaging, hash verification ensures the integrity and
authenticity of the acquired data.

Multiple Interface Support: They support a variety of storage interfaces, such as SATA, IDE, USB,
PCIe, SAS, and more, allowing investigators to handle various types of storage media.

3.Digital Forensics Field Kits

These portable kits contain various hardware tools, cables, and accessories necessary for on-site
data acquisition and analysis. They are particularly useful for collecting evidence from remote
locations.

Hardware-based digital forensics field kits are specialized portable kits that contain a selection of
hardware tools and devices for conducting on-site digital forensics investigations. These kits are
designed to be portable, rugged, and easy to carry, enabling forensic experts and investigators to
collect and analyse digital evidence efficiently in the field.

Forensic Imaging Hardware: This hardware allows investigators to create forensic images of digital
storage media such as hard drives, SSDs, USB drives, and memory cards. It ensures that data is
acquired without altering the original evidence.

Portable Forensic Workstations: These are specialized laptops or portable workstations equipped
with high-performance processors, sufficient RAM, and storage capabilities to run forensic software
and perform data analysis in the field.

Cables and Adapters: A variety of cables and adapters are included to facilitate connections to
different types of storage media and devices for data acquisition.

Portable Disk Duplicators: These devices allow investigators to quickly create multiple copies of
acquired forensic images or to duplicate suspect drives for backup purposes

Network Capture Devices: In cases involving network forensics, field kits may include network
capture devices to monitor and capture network traffic.

GQ10. Describe validating forensic data

Validating forensic data is a critical step in the computer forensics process to ensure the accuracy,
integrity, and reliability of the collected evidence. Proper validation helps establish the legitimacy
of the findings and increases the chances of the evidence being admissible in court. Here are some
key steps to validate forensic data:

Hashing: Hashing is a technique used in computer science and cryptography to convert data of
arbitrary size into fixed-size values, typically a sequence of characters or numbers, called hashes.
Calculate and verify hash values for forensic images and individual files. Hashing algorithms like
MD5, SHA-256, or SHA-1 can generate unique fixed- length strings based on the content of the
data. If the hash values match between original and duplicate data, it indicates the data integrity is
intact.

Digital signatures: Use digital signatures to verify the authenticity of forensic images and reports.
Digital signatures provide a means of ensuring that the data has not been tampered with since it was
signed. File system analysis: Analyze the file system structures to ensure consistency and
authenticity. Verify the metadata of files, such as creation and modification dates, file sizes, and
owner information.

Most computer forensic tools such as ProDiscover, X-Ways Forensics, FTK, and Encase provide
automated hashing of image files. For example, when ProDiscover loads an image file, it runs a
hash and compares that value to the original hash calculated when the image was first acquired. To
remember seeing this feature when the Auto Image Checksum Verification message box opens after
loading an image file in ProDiscover.

Using a hexadecimal editor is a more advanced and low-level approach to data validation, typically
employed for binary files or examining the raw contents of files. It involves inspecting and
modifying data at the byte level, represented in hexadecimal format (base-16), rather than the usual
text format (base-10).
Data validation with a hexadecimal editor can be useful in various scenarios, such as:

File Integrity Checks: Hexadecimal editors can help verify the integrity of files by calculating and
comparing checksums or hash values. A checksum or hash is a unique value derived from the
binary content of a file. If even a single byte is modified, the checksum/hash will change, indicating
potential data corruption or tampering.

Reverse Engineering and Debugging: Reverse engineering often requires analysing binary files to
understand their structure and behaviour. A hexadecimal editor allows researchers to examine the
raw data and understand how a file or program stores information.

File Format Validation: For specific file formats, hexadecimal editors can be used to check whether
the file adheres to the expected structure.

Data Recovery: In cases of data loss, hexadecimal editors can be used to recover data from
corrupted files by manually correcting the errors or extracting data from uncorrupted sections.

Q11Data-Hiding Techniques:

Encryption: Strong encryption algorithms can secure sensitive data. making it challenging for
unauthorized parties to access or modify the information. Combining encryption with data-hiding
techniques provides an extra layer of protection.

Digital Watermarking: Use digital watermarking to embed hidden and unique identifiers into digital
content. This helps track the source and ownership of data, especially useful in copyright protection
and preventing unauthorized distribution.

Steganalysis: Steganalysis is the process of detecting and analyzing hidden data within media files.
Various tools and algorithms can be used to detect inconsistencies in file statistics, pixel values, or
frequency distribution that may indicate the presence of hidden data.

Marking Bad Clusters: A data-hiding technique used in FAT file systems is placing sensitive or
incriminating data in free or slack space on disk partition clusters.

GQ. 12Explain Remote Acquisition?

GQ. Define the terms i) Sensor Networks ii) Satellite and Space-Based Remote Sensing.

Remote data acquisition refers to the process of collecting data from a remote location without the
need for physical presence. This can be done using various technologies and methods to capture,
transmit, and store data from distant or inaccessible places. Here are some common techniques used
in remote data acquisition.

 Sensor Networks: Deploying sensors in remote locations to monitor and collect data on
various parameters such as temperature, humidity, pressure, vibration, etc. These sensors
 can be connected through wired or wireless networks to transmit the collected data to a
central location.
 Satellite and Space-Based Remote Sensing: Using satellites and space-based platforms to
capture data about the Earth's surface, atmosphere, and oceans. Remote sensing
technologies, such as multispectral and hyper spectral imaging, LIDAR, and RADAR,
provide valuable information for agriculture, environmental monitoring, and disaster
management.
 Unmanned Aerial Vehicles (UAVs) or Drones: Drones equipped with sensors and cameras
can be flown over remote areas to capture data from the air. This is especially useful for
mapping and monitoring large areas or areas that are difficult to access by other means.
 Telemetry: transmitting data wirelessly from remote locations to a central data acquisition
system. This can be achieved using radio frequency (RF), cellular networks, satellite
communication, or other wireless technologies.
 Internet of Things (IoT): Utilizing IoT devices equipped with sensors to collect data from
remote locations and transmit it to a centralized server through the internet.
 Underwater Remote Data Acquisition: Using specialized sensors and equipment to gather
data from underwater environments, such as oceans, rivers, and lakes.

GQ.13 What is a Graphics file?

Graphics files are digital files that store visual information, such as images, illustrations, or
graphics. There are various formats for graphics files, each with its own characteristics and uses.
Some common graphics file formats, include:

JPEG (Joint Photographic Experts Group): A widely used format for photographs and images with
complex color gradations. It uses lossy compression, meaning some image quality may be
sacrificed to reduce file size.

PNG (Portable Network Graphics): Suitable for images with transparency and high-quality
graphics. It uses lossless compression, preserving image quality but resulting in larger file sizes
compared to JPEG.

GIF (Graphics Interchange Format): Primarily used for animated images, logos, and simple
graphics with limited color palettes. It supports animation and transparency.

BMP (Bitmap Image File): A basic format that stores images pixel by pixel without compression. It
results in large file sizes and is less commonly used on the web due to its inefficiency.

TIFF (Tagged Image File Format): Often used in professional environments and printing, TIFF
supports lossless compression and preserves high-quality images.

SVG (Scalable Vector Graphics): A vector-based format that defines graphics using mathematical
equations, allowing them to be scaled without loss of quality. SVG is ideal for logos, icons, and
illustrations on the web.

PSD (Photoshop Document): A proprietary format used by Adobe Photoshop, which preserves
layers and other editing features. PSD files are primarily used for working on images in Photoshop.
G Q.14How Locating and Recovering Graphics Files?

Locating and recovering graphics files can be achieved through various methods, depending on the
circumstances under which the files were lost or deleted. Here are some steps you can follow to
locate and recover graphics files:

Check the Recycle Bin or Trash: If you recently deleted the graphics files, they might still be in the
Recycle Bin (Windows) or Trash (macOS). Open the respective folder and look for the files there.
If you find them, you can restore them to their original location.

Use Backup or Cloud Storage: If you regularly back up your files or use cloud storage services like
Google Drive, Dropbox, or OneDrive, check those platforms to see if the graphics files are still
available there. You may be able to restore them from the backup.

Search for the Files: If you're unsure about the file's location or mistakenly moved it, can perform a
search on the computer using the file name or part of the file name to find the graphics files.

Utilize File Recovery Software: In case the graphics files were deleted, and can't find them in the
Recycle Bin or Trash, can try using file recovery software. There are various data recovery tools
available that can help to recover deleted files. Some popular options include Recuva, EaseUS Data
Recovery Wizard, and Disk Drill.

Check Temporary Files and Cache: Sometimes, graphics files are temporarily stored in temporary
folders or cache locations by software or web browsers. Check these locations for any files that
might match the graphics you are looking for.

Chapter-10

Q. Explain Cell Phone and Mobile Device Forensics.

Cell phone forensics, also known as mobile phone forensics, is the process of retrieving and
analysing data from mobile devices to investigate criminal activities reconstruct events and support
legal proceedings.
Mobile device forensics is a branch of digital forensics that deals with the examination and analysis
of mobile devices, such as smartphones, tablets, and other portable electronic devices, to recover
and preserve digital evidence.

This type of forensic investigation is crucial in solving criminal cases, gathering evidence for legal
proceedings, and understanding the activities of individuals involved in various digital interactions.
Cell phone or Mobile device forensics involves several steps and techniques, including:

Acquisition: The process of acquiring data from a mobile device without altering its content. This
can be done using various methods such as physical extraction or logical extraction.

Preservation: Ensuring the integrity and preservation of the acquired data to maintain its
admissibility in court. This involves creating a forensic image of the device, which is an exact
replica of the original data.

Analysis: Examining the acquired data to identify relevant information and evidence. This step
involves searching for text messages, call logs, emails, photos, videos, app data, browsing history,
social media interactions, and any other potentially relevant information.

Decoding and Interpretation: Mobile devices store data in various formats and often use encryption
to protect sensitive information. Forensic experts use specialized tools and techniques to decode
encrypted data and interpret the findings.

Reporting: Documenting the findings in a detailed and organized report that is admissible in court.
The report should include a summary of the investigation process, the evidence collected, the
analysis performed, and the conclusions drawn.

Q. Write any five importance of mobile phone forensic.

Here are some key reasons why mobile phone forensics is crucial:

1. Evidence Collection
Mobile phones often contain critical evidence such as call logs, text messages, emails, photos,
videos, and app data. Collecting this evidence can provide key insights into criminal activities,
relationships, and motives.

2. Location Tracking
GPS data and cell tower information on mobile phones can help track the movements and locations
of individuals. This information is vital in criminal investigations, missing persons cases, and
verifying alibis.

3. Data Recovery
Forensic tools can recover deleted data from mobile phones, such as text messages, call history, and
media files. This can be crucial in uncovering evidence that suspects have tried to erase.
4. Communication Analysis
Analysing communication patterns, such as who contacted whom and when, can uncover networks
of accomplices or establish timelines of events. This is especially useful in investigations of
organized crime and terrorism.

5. Digital Footprints
Mobile phones contain extensive digital footprints that can link suspects to specific activities or
locations. This includes browsing history, app usage, and social media interactions, providing a
comprehensive view of the user’s digital behaviour.

Q. writes a short note on SIM and its structure.

SIM cards are plastic cards with silicon chips on them, similar to those found
in credit cards and hotel key cards. These chips contain processor and
memory circuits that allow them to store up to 256 KB of digital information.
This sort of information includes a user’s type of network plan, contacts, text
messages and available device data.

There are two distinct technologies used; GSM (Global System for Mobile communication)
and CDMA (Code Division Multiple Access). GSM is the most widely adopted technology digital
mobile network. Network carriers such as AT&T and T-Mobile use GSM. If a carrier uses GSM,
users can remove their SIM card from a device and move it to another mobile device with all the
same data and contacts on it. The network carrier will still be able to identify the user as well.

CDMA enabled phones do not need a SIM card; instead, the mobile device will use an electronic
serial number (ESN). Users that have a phone with an ESN cannot switch between devices as easily
as users would need permission from their network carrier. Network carriers such as Sprint and
Verizon use CDMA.

Types of SIM cards

SIM cards have come in a variety of different sizes over time. Types of SIM cards include:

 Standard SIM cards measure 25x15mm and are used in older and basic phones.
 Micro SIM cards measure 15x12mm and are more likely to be found in phones from the 2010s
and later.
 Nano SIM cards measure 12.3x8.8mm and are used in newer smartphones.
 Embedded SIMs, or eSIMs, measure 6x5mm, and have the SIM card installed in the phone
already. ESIMs are activated remotely by the network carrier.
Q.1Describe the report writing for investigation
Writing a report for an investigation, especially in the context of digital forensics, requires a clear,
systematic, and detailed approach. Here’s a guide on how to structure and write an effective
investigation report:

1. Title Page
 Include: Title of the report, case or investigation number, names of investigators, date of the
report.

 Purpose: Provides a clear reference and basic information about the report.

2. Table of Contents
 Include: A list of sections and subsections with page numbers.

 Purpose: Helps readers navigate the report easily.

3. Executive Summary
 Include: A brief overview of the investigation, key findings, conclusions, and
recommendations.

 Purpose: Gives a high-level summary for readers who may not need to read the entire
report.

4. Introduction
 Include: Background information, objectives of the investigation, scope, and limitations.

 Purpose: Sets the context and explains the purpose and scope of the investigation.

5. Methodology
 Include: Detailed description of the methods and tools used during the investigation, such
as data collection techniques, forensic tools, and analysis procedures.

 Purpose: Provides transparency and allows others to replicate the investigation if needed.

6. Findings
 Include: Detailed account of the evidence collected, including descriptions, screenshots,
logs, and any other relevant data.

 Purpose: Documents what was discovered during the investigation in a clear and logical
manner.

7. Analysis
 Include: Interpretation of the findings, including timelines, correlations, and conclusions
drawn from the data.

 Purpose: Explains the significance of the findings and how they relate to the objectives of
the investigation.

8. Conclusion
 Include: Summary of the key findings and their implications.
  Purpose: Provides a concise wrap-up of the investigation and its outcomes.

9. Recommendations
 Include: Suggestions for actions based on the findings, such as security improvements,
further investigations, or preventive measures.

 Purpose: Offers practical advice to address the issues uncovered during the investigation.

10. Appendices
 Include: Supporting documents, raw data, logs, charts, and any additional material that
supports the findings and analysis.

 Purpose: Provides supplementary information that may be useful for a deeper

understanding but is not essential for the main body of the report.

Q.2 Important of Report Writing

Reports play a crucial role in various aspects of personal, academic, and professional life. Here’s a
detailed look at the importance of reports:

1. Communication
Reports communicate information clearly and systematically. They help convey complex
information in an organized manner, making it easier for the reader to understand the subject
matter.

2. Decision-Making:
In businesses, government agencies, and other organizations, reports are essential for making
strategic, operational, and tactical decisions.

3. Accountability
Reports hold individuals and organizations accountable by providing a clear record of activities and
outcomes, which can be reviewed and audited.

4. Record Keeping
Reports serve as historical documents that can be referred to in the future for compliance, legal, or
informational purposes.

5. Planning and Forecasting

They help organizations and individuals prepare for upcoming challenges and opportunities by
analysing past and present data.

Q.3Guidelines for report writing:

1. Understand the Purpose
 Guideline: Clearly understand the purpose of the report. Know what you are trying to
achieve or convey. This helps focus the content and structure of the report on delivering the
intended message.
2. Know Your Audience
 Guideline: Identify who will read the report and tailor the content to their needs and level of
understanding. Ensures the report is relevant and accessible to its readers, whether they are
experts or laypersons.

3. Structure the Report

 Guideline: Use a clear and logical structure, typically including sections like Title Page,
Table of Contents, Executive Summary, Introduction, Methodology, Findings, Analysis,
Conclusion, Recommendations, and Appendices. Helps readers navigate the report easily
and understand the flow of information.

4. Use Clear and Concise Language

 Guideline: Write in a clear and concise manner, avoiding jargon and complex language
unless necessary. Ensures the report is easy to read and understand.

5. Be Objective and Accurate

 Guideline: Present information and findings objectively, based on evidence and facts.
Avoid personal bias. Enhances the credibility and reliability of the report.

6. Be Consistent
 Guideline: Maintain consistency in formatting, terminology, and writing style throughout
the report. Provides a professional appearance and avoids confusion.

7. Edit and Proofread

 Guideline: Carefully edit and proofread the report to correct any errors in grammar,
spelling, and punctuation. Ensures the report is polished and error-free.

8. Use Visual Aids

 Guideline: Incorporate visual aids like charts, graphs, and tables to illustrate key points and
data. Enhances understanding and retention of information.

9. Include a Summary and Recommendations

 Guideline: Summarize key findings and provide actionable recommendations based on the
analysis. Helps readers quickly grasp the main points and understand the practical
implications.
• Test the design
Review the decisions
you’ve made and the
steps you’ve
completed. If you
have already copied
the original media,
a standard part of
testing the design
involves comparing
hash values to
ensure that you
copied the original
media
correctly.
• Analyze and recover
the digital evidence
Using the software
tools and other
resources you’ve
gathered, and making
sure you’ve addressed
any risks and
obstacles, examine
the disk to find digital
evidence.
• Investigate the data
you recover
View the
information
recovered from the
disk, including
existing files,
deleted files, e-
mail, and Web
history, and
organizes the files
to help find
information relevant
to the case.
• Complete the case
report
Write a complete
report detailing what
you did and what you
found.
• Critique the case
Self-evaluation and
peer review are
essential parts of
professional growth.
After you complete a
case, review it to
identify successful
decisions and actions
and determine how
you could have
improved your
performance