
Q1.

Attempt any FOUR:

a) Define and classify Cybercrime


Cybercrime refers to illegal activities in which a computer or a network is either
the instrument or the target of the offence. It can be classified into several
categories:

1. Computer-Related Crimes: Offences against systems themselves, including hacking
(unauthorized access), phishing, and spreading malware.
2. Financial Crimes: Online fraud, identity theft, and credit card fraud, where the
computer is the means of committing an otherwise traditional crime.
3. Content-Related Crimes: Distribution of illegal content, such as child sexual
abuse material or hate speech.
4. Cyber Terrorism: Using the internet and computer systems to conduct acts of
terrorism, for example disrupting critical infrastructure for political ends.

b) Comment on Windows OS Artifacts


Windows OS artifacts are remnants of user activity or system operations left on a
computer's storage. They let an examiner show what ran, what was opened and when,
even after the files themselves are gone. Examples include:

● Registry Entries: Store configuration settings and options. The user hive
(NTUSER.DAT) records recently opened documents (RecentDocs) and programs launched
(UserAssist); the SYSTEM hive records USB devices that were connected (USBSTOR).
● Event Logs: Record system, application and security events (logons, service
installations, log clearing) in the .evtx files under System32\winevt\Logs.
● Prefetch Files: Store data about the execution of programs to speed up the
launch process; for the examiner each .pf file in C:\Windows\Prefetch proves that a
program ran, how many times and when it last ran.
● Recycle Bin: Holds deleted files before permanent deletion; the $I index file
kept for each entry records the original path and the deletion time.
● Shortcut (LNK) Files and Jump Lists: Record files and folders the user opened,
including ones on removable media that are no longer present.

c) Explain Principles of Digital Forensics


The principles of digital forensics include:

1. Preservation: Ensuring that digital evidence remains intact and unaltered; no
action taken by the investigator should change data on the original device, which
is why analysis is done on a verified copy.
2. Identification: Detecting and documenting potential digital evidence.
3. Extraction: Retrieving relevant data from various digital sources.
4. Analysis: Examining the extracted data to draw conclusions.
5. Documentation: Keeping detailed records of all forensic processes (an audit
trail and chain of custody), so that an independent third party can repeat the
steps and reach the same result.
6. Presentation: Presenting findings in a clear and understandable manner.

d) Which are the Goals of Incident Response


The goals of incident response include:
1. Rapid Detection: Quickly identifying security incidents.
2. Mitigation: Minimizing the impact of an incident.
3. Containment: Preventing the spread of the incident.
4. Eradication: Eliminating the root cause of the incident.
5. Recovery: Restoring affected systems to normal operation.
6. Documentation: Recording all actions taken and findings for future reference and
improvement.

e) How to Acquire Image over a Network


To acquire an image over a network (used when the target cannot be powered down or
its disk cannot be removed, or when the acquisition host is remote), follow these
steps:

1. Prepare the Acquisition System: Use a dedicated, hardened collection host with
enough free storage for the full image, with the imaging tools and their hashes
recorded beforehand, and with its clock synchronized.
2. Connect to the Target System: Establish an authenticated, encrypted channel
(e.g., SSH) to the target. Imaging tools such as FTK Imager or dd are run over that
channel; the tool is not itself the transport. Avoid unauthenticated listeners such
as plain netcat on networks you do not control.
3. Create a Forensic Image: Stream a bit-by-bit copy of the target's storage (e.g.,
dd or dc3dd piped through the channel) to the collection host. The target disk is
only read; the image is never written to the evidence device.
4. Verification: Calculate hash values (SHA-256; MD5 or SHA-1 only for comparison
with legacy records, as both are collision-prone) of the stream on the sending side
and of the stored image, and compare them.
5. Documentation: Record all steps, tools and versions used, timestamps, the network
path and the hash values.
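Steps 3 and 4 above, as an added shell example that is not part of the original notes: the target's disk is read once, the stream is hashed on the sending side (tee into a FIFO read by sha256sum) while it is forwarded, and the collector hashes what it stored and compares. The ssh hop is shown in a comment and stood in for by a local cat so the example runs offline; the 1 MiB sample file, the function names and the file names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original notes): acquisition over a pipe with
# the hash taken in flight. The target reads its disk once; the hash of the
# byte stream is computed on the sending side while the stream is forwarded,
# so a later mismatch at the collector points at the transport, not at the
# media. The real hop is the ssh command in the comment below; the runnable
# version replaces it with plain `cat` so the example works offline on a
# constructed sample. Needs dd, tee, mkfifo, sha256sum (coreutils).

# acquire_over_pipe SRC DST
#   SRC  block device (behind a write blocker) or a file standing in for one
#   DST  local path standing in for the file the collector writes
# Produces DST, DST.sent.sha256 (hash taken on the sending side),
# DST.stored.sha256 (hash of the stored image) and DST.dd.log (dd's record
# counts, part of the acquisition record). Returns 0 only if the hashes agree.
acquire_over_pipe() {
    src=$1
    dst=$2
    tmp=$(mktemp -d) || return 1
    mkfifo "$tmp/hash.fifo" || return 1

    # Background hasher reads the copy of the stream that tee sends to the FIFO.
    sha256sum < "$tmp/hash.fifo" | cut -d' ' -f1 > "$dst.sent.sha256" &
    hasher=$!

    # conv=noerror keeps reading past unreadable sectors and conv=sync pads
    # them so that offsets in the image still match the source. bs must
    # divide the source size: a short final read would otherwise be padded to
    # a full block and the image would no longer hash like the source.
    # Real deployment:
    #   dd ... | tee "$tmp/hash.fifo" | ssh examiner@collector 'cat > evidence/disk.raw'
    dd if="$src" bs=65536 conv=noerror,sync 2> "$dst.dd.log" \
        | tee "$tmp/hash.fifo" \
        | cat > "$dst"                      # stands in for the ssh hop

    wait "$hasher"
    rm -rf "$tmp"

    # Collector side: hash what was stored and compare with the in-flight hash.
    sha256sum < "$dst" | cut -d' ' -f1 > "$dst.stored.sha256"
    [ "$(cat "$dst.sent.sha256")" = "$(cat "$dst.stored.sha256")" ]
}

# Demo on a constructed 1 MiB "disk" (a multiple of bs, see above).
demo_network_acquisition() {
    work=$(mktemp -d)
    head -c 1048576 /dev/urandom > "$work/sdb.sample"
    if acquire_over_pipe "$work/sdb.sample" "$work/disk.raw"; then
        echo "verified: sha256 $(cat "$work/disk.raw.stored.sha256")"
        cat "$work/disk.raw.dd.log"         # records in/out, e.g. "16+0 records in"
        rc=0
    else
        echo "HASH MISMATCH: re-acquire, do not analyse this image" >&2
        rc=1
    fi
    rm -rf "$work"
    return $rc
}

demo_network_acquisition
```

For a real device choose bs so that it divides the device size (compare with blockdev --getsize64 /dev/sdX) or use the sector size; otherwise conv=sync pads the final short read and the stored image hashes differently from the source even though nothing went wrong. The record counts in the .dd.log show how many blocks were read and whether any were skipped, which belongs in the acquisition notes.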

Q2.

a) Explain Digital Forensics and its lifecycle.


Definition:
Digital forensics is the application of scientific methods to the identification,
collection, examination and analysis of data from digital devices while preserving
the integrity of the data and maintaining a strict chain of custody (the NIST SP
800-86 definition), so that the results can be relied on in court or in an incident
investigation.

Lifecycle:

1. Identification: Recognizing potential digital evidence.
2. Preservation: Ensuring the integrity of evidence through imaging and securing
data.
3. Collection: Gathering the digital evidence in a forensically sound manner.
4. Examination: Detailed scrutiny of collected evidence.
5. Analysis: Interpreting the data to understand the incident.
6. Reporting: Documenting the findings and the methods used.
7. Presentation: Presenting the findings in a format suitable for legal proceedings.

b) Explain in detail Incident Response Methodology


Incident response methodology involves the following steps:

1. Preparation: Establish and train an incident response team, develop an incident
response plan, and put logging, alerting and contact lists in place before an
incident occurs.
2. Identification: Detect and identify the nature, scope and severity of the
incident from alerts, logs and reports.
3. Containment: Implement measures to contain the incident and prevent further
damage, short-term (isolate affected hosts from the network) and long-term (patch,
reset credentials). Volatile evidence such as a memory image is collected before
systems are altered or shut down.
4. Eradication: Remove the cause of the incident, such as malware, persistence
mechanisms or unauthorized accounts and access.
5. Recovery: Restore systems from clean backups or rebuilt images, validate their
functionality and monitor them for recurrence.
6. Lessons Learned: Conduct a post-incident review to improve future response
efforts and update the plan, detections and controls.

Q3.

a) Describe Steps to prevent cybercrime and explain Hackers, Crackers, and Phreakers
Steps to Prevent Cybercrime:

1. Strong Passwords: Use long, unique passwords (a password manager helps) and
change them when a compromise is suspected rather than on a fixed schedule.
2. Multi-Factor Authentication: Add an extra layer of security so a stolen password
alone is not enough.
3. Regular Software Updates: Ensure systems and applications are up-to-date so known
vulnerabilities cannot be exploited.
4. Security Software: Use antivirus, anti-malware, and firewalls.
5. User Education: Train employees on security best practices, especially
recognizing phishing.

Definitions:

● Hackers: Individuals who exploit system vulnerabilities for unauthorized access.
They can be ethical (white-hat) or malicious (black-hat).
● Crackers: Malicious hackers who break into systems to cause harm or steal data.
● Phreakers: Early hackers who manipulated telecommunications systems to make
free calls or exploit telecommunication networks.

b) Explain Forensic Investigation Report Writing in terms of Standards, Content, Style,
Formatting, and Organization

A forensic investigation report should:

1. Standards: Follow legal and professional guidelines to ensure admissibility in
court; every conclusion must be traceable to evidence and to a documented,
repeatable method.
2. Content: Include an executive summary, scope and objectives, methodology, the
evidence items with their hash values and chain of custody, findings, evidence
analysis, conclusions, and recommendations.
3. Style: Write in clear, concise, and objective language; state facts and keep
them separate from opinion.
4. Formatting: Use consistent formatting with sections, headings, and bullet points
for readability, and number pages and exhibits.
5. Organization: Structure the report logically, with a table of contents and clearly
defined sections so a reader can find the support for any statement.

Q4.

a) Describe Digital Investigation Staircase Model


The Digital Investigation Staircase Model presents the investigation as a series of
phases, each built on the one before. The phases listed here correspond to those of
Carrier and Spafford's Integrated Digital Investigation Process (IDIP):

1. Readiness: Preparing for potential incidents with tools, training and
infrastructure (logging, legal agreements) before anything happens.
2. Deployment: Detecting or being notified of the incident, confirming it, and
obtaining authorization (e.g., a warrant) to investigate.
3. Physical Crime Scene Investigation: Securing the scene, documenting it, and
collecting physical evidence and the digital devices themselves.
4. Digital Crime Scene Investigation: Preserving (imaging), surveying, searching
and analyzing the digital evidence on those devices, and reconstructing events.
5. Review: Reviewing the whole investigation afterwards to identify what worked and
what should be improved; the analysis of the evidence itself takes place in the
digital crime scene phase.
6. Presentation: Reporting findings and presenting them in a court of law or to
the organization that requested the investigation.

b) How to Acquire an Image with dd Tools and with Forensic Formats


Using dd Tools:
1. Attach the evidence drive through a hardware write blocker and do not mount it,
so that no write can reach the original.
2. Command: dd if=/dev/sdX of=/path/to/destination_image.img bs=512 conv=noerror,sync
conv=noerror continues past unreadable sectors and conv=sync pads them with zeros so
offsets in the image stay aligned with the source; keeping bs at the sector size means
the padding can never change the image length. dd's summary of records in/out is part
of the acquisition record. dc3dd and dcfldd are dd variants that hash while imaging.
3. Verify: Hash the source device and the image with sha256sum (md5sum only to compare
with legacy records, as MD5 is collision-prone), confirm they match and record both.

Forensic Formats:

1. E01 (EnCase Evidence File): Created with FTK Imager, EnCase or the open-source
ewfacquire (libewf). Stores the data compressed in segments with a CRC per chunk, an
overall MD5/SHA-1 hash and case metadata (examiner, case number, notes) inside the file.
2. AFF (Advanced Forensic Format): Open format created and converted with afflib-tools
(e.g., affconvert); supports compression, encryption and signing, and arbitrary
metadata segments.

Q5.

a) Describe in details OS File Systems.


OS File Systems manage how data is stored and retrieved on a volume; their internal
structures (allocation tables, the MFT, inodes, journals) are where deleted and
hidden data is recovered from. Key file systems include:

1. NTFS (New Technology File System): Used by Windows. Supports large files and
volumes, access control lists, encryption (EFS), compression, alternate data
streams, and journaling ($LogFile, $UsnJrnl); every file is described by a record in
the Master File Table ($MFT), which retains timestamps and metadata of deleted files.
2. FAT32 (File Allocation Table): Older file system with wide compatibility
(removable media), but limited to files under 4 GiB, with no permissions, encryption
or journaling. Deleting a file only marks its directory entry as unused, so names
and contents are often recoverable.
3. EXT4 (Fourth Extended File System): Used by Linux. Supports large files, extents,
and journaling; metadata is held in inodes, whose block pointers are cleared on
deletion, so recovery relies on the journal and on file carving.
4. HFS+ (Hierarchical File System Plus): Used by macOS until it was replaced by APFS
(macOS 10.13). Supports large files, journaling and efficient storage management.

b) Explain Network-Based Evidence acquisition and its analyzing.


Acquisition Methods:

1. Packet Sniffing: Capturing traffic with tcpdump or Wireshark from a switch SPAN
port or a network tap, stored as pcap files. Full packet capture gives content but
needs a lot of storage, so it is often limited to a time window or to specific hosts.
2. Log Analysis: Reviewing logs from firewalls, routers (including NetFlow/IPFIX
records), proxies, DNS and authentication servers to identify suspicious activity.
Collecting them centrally, with clocks synchronized by NTP, is what makes them usable
as evidence.
3. Network Forensic Appliances: Deploying devices that continuously monitor and
capture network traffic, index it and retain it for forensic analysis.

Analyzing Network-Based Evidence:

● Examine captured data for patterns, anomalies, and indicators of compromise (port
scans, connections to known-bad addresses, unusual protocols or volumes, beaconing
at fixed intervals).
● Correlate with known attack signatures and with host-based evidence, after
normalizing timestamps to one time zone.
● Reconstruct the sequence of events leading to the incident, from first contact to
lateral movement and exfiltration.
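The log analysis and reconstruction steps above as an added shell example that is not part of the original notes: constructed netfilter-style firewall log lines (documentation-range addresses, not a real device) are run through an awk port-scan detector that counts distinct destination ports per source, and a second filter pulls the timeline of one source for event reconstruction. The function names and the threshold are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original notes): the log-analysis step of
# network evidence. The lines below are constructed in the key=value style of
# a Linux netfilter (iptables/nftables LOG target) firewall with addresses
# from the documentation ranges; they are not from a real device. The scan
# detector counts distinct destination ports per source, the signature of a
# port scan in firewall or flow data, and ignores repeated hits on the same
# port so a busy legitimate client is not flagged. Needs awk only.

FW_LOG='May  1 10:00:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21
May  1 10:00:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22
May  1 10:00:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23
May  1 10:00:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25
May  1 10:00:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80
May  1 10:00:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=22
May  1 10:00:03 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40007 DPT=3389
May  1 10:00:05 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.8 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443
May  1 10:00:06 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.8 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443
May  1 10:00:07 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.8 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=443'

# detect_port_scan [THRESHOLD]
#   stdin: firewall log. Prints "src_ip distinct_ports" for every source that
#   touched at least THRESHOLD (default 5) different destination ports.
detect_port_scan() {
    awk -v th="${1:-5}" '
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "" || dpt == "") next          # not a connection record
            key = src SUBSEP dpt
            if (!(key in seen)) { seen[key] = 1; ports[src]++ }
        }
        END { for (s in ports) if (ports[s] >= th) print s, ports[s] }'
}

# timeline SRC_IP
#   stdin: firewall log. Prints "month day time action dst:port" for one
#   source, in log order, to reconstruct what that host did.
timeline() {
    awk -v want="$1" '
        {
            src = ""; dst = ""; dpt = ""; act = $6
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DST=/) dst = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == want) print $1, $2, $3, act, dst ":" dpt
        }'
}

printf '%s\n' "$FW_LOG" | detect_port_scan 5            # 203.0.113.5 6
printf '%s\n' "$FW_LOG" | timeline 203.0.113.5 | head -n 2
```

The same two passes work on NetFlow or proxy exports once the field extraction is adjusted; the point is that the scan verdict rests on distinct ports per source, not on raw hit counts, and that the timeline is pulled from the same evidence file the verdict came from.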

Q6.

a) Explain Need and types of Computer Forensic Tools in detail.


Need for Forensic Tools:

1. Efficiency: Automate data analysis and evidence collection across large volumes.
2. Accuracy: Ensure precise, reliable and repeatable results.
3. Comprehensive Analysis: Handle various data types, file systems and formats.
4. Legal Compliance: Adhere to standards required for legal admissibility, including
write-blocking and hash verification.

Types of Forensic Tools:

1. Disk Imaging Tools: e.g., FTK Imager, EnCase, dd/dc3dd
2. Data Recovery Tools: e.g., Recuva, R-Studio
3. Network Forensics Tools: e.g., Wireshark, NetworkMiner
4. Mobile Forensics Tools: e.g., Cellebrite, Oxygen Forensic Suite
5. Analysis Tools: e.g., Autopsy (The Sleuth Kit), X-Ways Forensics

b) In Mobile Forensics explain Challenges, Evidence Extraction Process, Types of
Investigation, and Procedure for Handling an Android Device.

Challenges:

1. Diverse Operating Systems: Various platforms (iOS, Android and vendor
customizations of Android), each with its own storage layout and extraction method.
2. Encryption: User data is encrypted at rest; on modern devices it is only
accessible after the user has unlocked the device once since boot, so a powered-off
or rebooted device may yield nothing without the passcode.
3. Frequent Updates: Constantly evolving software closes the access paths tools rely on.
4. Physical Damage: Impacting data retrieval.
5. Cloud and Remote Wipe: Data may live in cloud accounts rather than on the device,
and a connected device can be wiped remotely.

Evidence Extraction Process:

1. Logical Extraction: Accessing files through the OS interfaces (backup, content
providers) without altering the data; quickest, but gets only what the OS exposes.
2. File System Extraction: Copying the file system, including application databases
(SQLite) whose unallocated pages may still hold deleted records.
3. Physical Extraction: Creating a bit-by-bit copy of the device's storage (via
bootloader, JTAG or chip-off); on encrypted devices this yields ciphertext unless the
keys are available.

Types of Investigation:

1. Criminal Investigations: Examining devices for evidence of crimes.
2. Civil Investigations: Resolving disputes involving digital evidence.
3. Corporate Investigations: Internal investigations within an organization.

Procedure for Handling an Android Device:

1. Ensure Power: If the device is on, keep it on and charged; a reboot puts it back
into the before-first-unlock state, where user data is inaccessible without the
passcode. If it is off, leave it off.
2. Isolate from Network: Place it in a Faraday bag (or enable airplane mode, noting
that this changes the device state) to prevent remote access or remote wiping.
3. Document the State: Record the device's condition, screen contents, lock state and
settings, with photographs.
4. Use Forensic Tools: Employ tools like Cellebrite or Oxygen Forensic Suite for data
extraction, choosing the least invasive method that meets the case needs.
5. Preserve Data Integrity: Create a forensic image and calculate hash values for
verification; record the tool and method, since an extraction from a live device
cannot be repeated bit-for-bit.

Module 1

1. Define Cybercrimes
Cybercrimes are criminal activities that involve the use of computers and networks,
particularly the internet. They can include hacking, identity theft, cyberstalking,
cyberbullying, and the distribution of illegal digital content.

2. What are the different types of cybercrimes?

● Hacking: Unauthorized access to computer systems.
● Phishing: Fraudulent attempts to obtain sensitive information by pretending to be
a trustworthy entity.
● Identity Theft: Stealing personal information to commit fraud.
● Cyberstalking: Using electronic communication to harass or intimidate someone.
● Cyberbullying: Bullying through digital means such as social media or email.
● Distribution of Child Pornography: Sharing illegal content involving minors.
● Ransomware: Malware that encrypts data and demands payment for decryption.

3. Distinguish between Viruses and Worms.

● Viruses: Malicious software that attaches itself to a legitimate program or file
and requires user interaction to spread.
● Worms: Self-replicating malware that spreads independently without requiring
user interaction, exploiting vulnerabilities in software.

4. Explain steps of hacking with examples.

1. Reconnaissance: Gathering information about the target without touching it
(e.g., WHOIS and DNS records, public sources, social engineering).
2. Scanning: Identifying live hosts, open ports, services and weaknesses (e.g., Nmap
for port and service discovery, Nessus for vulnerability scanning).
3. Gaining Access: Exploiting a vulnerability to gain entry (e.g., using Metasploit).
4. Maintaining Access: Installing backdoors or rootkits to retain access (e.g., a
Netcat listener started at boot, or a web shell).
5. Covering Tracks: Deleting or altering logs and hiding files and activity (e.g.,
clearing the Windows Security log, which itself leaves event 1102; changing file
timestamps).

5. What is a virus? What are the types of viruses?

A virus is a type of malicious software that attaches itself to a legitimate program
or file and spreads by human actions such as opening an email attachment or running
an infected program.
Types of viruses:

● File Infectors: Attach to executable files.
● Macro Viruses: Target applications like Microsoft Word or Excel through their
macro languages.
● Boot Sector Viruses: Infect the boot sector or master boot record of storage
devices so they load before the operating system.
● Polymorphic Viruses: Change their code on each infection to avoid signature-based
detection.
● Multipartite Viruses: Infect both files and boot sectors.

6. What is a worm? What are the types of worms?

A worm is a self-replicating program that spreads across networks without user
intervention.
Types of worms:
● Email Worms: Spread through email attachments.
● Internet Worms: Exploit vulnerabilities in network services.
● File-Sharing Worms: Spread via peer-to-peer file sharing networks.
● Instant Messaging Worms: Spread through instant messaging platforms.

7. What are the steps to be followed to prevent cybercrimes?

● Use Strong Passwords: Create long, unique passwords and change them when a
compromise is suspected.
● Enable Multi-Factor Authentication: Add an extra layer of security.
● Update Software Regularly: Ensure all systems and applications are up to date.
● Install Security Software: Use antivirus, anti-malware, and firewalls.
● Educate Users: Train employees on security best practices.

8. Define Hackers, Crackers, and Phreakers with examples.

● Hackers: Individuals who exploit system vulnerabilities to gain unauthorized
access. Example: Ethical hackers (white-hat hackers) who help secure systems.
● Crackers: Malicious hackers who break into systems to cause harm or steal data.
Example: Cybercriminals who steal sensitive information.
● Phreakers: Early hackers who manipulated telecommunications systems to make
free calls or exploit telecommunication networks. Example: John Draper, known
as "Captain Crunch", who found that a toy whistle from a cereal box produced the
2600 Hz tone the phone network used to signal an idle trunk line, letting him
seize the line and place free long-distance calls.

9. Explain DoS Attacks.

Denial of Service (DoS) attacks aim to make a network service unavailable by
overwhelming it with a flood of illegitimate requests or by exhausting a resource
(bandwidth, connection tables, memory), causing the system to crash or become
unresponsive to legitimate users. When the flood comes from many compromised hosts
at once it is a Distributed DoS (DDoS).

10. What is cyber terrorism?


Cyber terrorism involves the use of computer systems and networks to cause
disruption, fear, or harm to achieve political or ideological goals, such as hacking critical
infrastructure or spreading propaganda.

11. What is cyber stalking?

Cyberstalking is the use of electronic communication to harass, threaten, or intimidate
someone persistently. It includes activities like sending unwanted emails, messages, or
social media posts.

12. Explain the steps of hacking.

1. Reconnaissance: Information gathering about the target.
2. Scanning: Identifying open ports and services.
3. Gaining Access: Exploiting vulnerabilities to enter the system.
4. Maintaining Access: Installing backdoors or rootkits.
5. Covering Tracks: Deleting logs and hiding activities.

13. Explain how cyber crimes can be prevented.

● Implement Strong Password Policies: Use complex and unique passwords.
● Enable Multi-Factor Authentication: Add extra security layers.
● Regularly Update Systems: Keep software and systems updated.
● Use Security Software: Employ antivirus and anti-malware tools.
● Conduct Security Training: Educate users on recognizing and preventing cyber
threats.

14. Who is known as an ethical hacker?


An ethical hacker, also known as a white-hat hacker, is an individual who uses their
hacking skills to help organizations identify and fix security vulnerabilities to improve
their security posture.

Module 2

15. What is digital forensic? Explain the life cycle of digital forensic.

Digital Forensics is the process of identifying, preserving, analyzing, and presenting
digital evidence in a manner that is legally admissible.
Life Cycle:

1. Identification: Recognizing potential digital evidence.
2. Preservation: Ensuring the integrity of evidence through imaging and securing
data.
3. Collection: Gathering the digital evidence in a forensically sound manner.
4. Examination: Detailed scrutiny of collected evidence.
5. Analysis: Interpreting the data to understand the incident.
6. Reporting: Documenting the findings and the methods used.
7. Presentation: Presenting the findings in a format suitable for legal proceedings.

16. Explain digital forensics principles in detail.

1. Preservation: Ensuring that the digital evidence remains unchanged and intact.
2. Identification: Detecting and documenting potential digital evidence.
3. Extraction: Retrieving relevant data from various digital sources.
4. Analysis: Interpreting the extracted data to draw meaningful conclusions.
5. Documentation: Keeping detailed records of all forensic processes.
6. Presentation: Presenting findings in a manner that is understandable and legally
acceptable.

17. Write a short note on Scientific Evidence.

Scientific Evidence: Evidence derived from scientific methods such as DNA testing,
fingerprint analysis, and digital forensics. It is admissible in court if it meets
the jurisdiction's standards of reliability and relevance; in the United States the
Daubert criteria ask whether the method is testable, has been peer reviewed, has a
known error rate and is generally accepted in the field. Digital evidence meets these
tests through documented tools, hash verification and repeatable procedures.

18. Describe the process of presenting digital evidence.

1. Collection: Gathering evidence in a forensically sound manner.
2. Examination: Analyzing the evidence using specialized tools.
3. Documentation: Keeping detailed records of the analysis process.
4. Reporting: Preparing a comprehensive report on findings.
5. Presentation: Presenting the findings in court, including explaining the methods
used and ensuring the evidence's integrity.

19. Explain the digital investigation process models in detail.

Physical Crime Scene Model: Applies the steps of a physical crime scene investigation
(secure the scene, survey, document, search and collect, reconstruct) to digital
devices and the data on them.
Staircase Model: A step-by-step approach to digital investigation, including readiness,
deployment, physical crime scene investigation, digital crime scene investigation, and
review, each phase building on the previous one.
Evidence Flow Model: Describes the flow of digital evidence through various stages
from collection to presentation, with chain of custody maintained at each hand-over.

Module 3
20. Explain windows file system FAT32 and NTFS in detail.

● FAT32 (File Allocation Table): An older file system with wide compatibility but
limited to files under 4 GiB and lacking modern security features (no permissions,
encryption or journaling). Directory entries of deleted files remain with the first
character of the name replaced, so deleted files are often recoverable.
● NTFS (New Technology File System): A modern file system used by Windows that
supports large files, file compression, encryption (EFS), detailed permissions (ACLs),
alternate data streams and journaling. File metadata and timestamps live in the Master
File Table ($MFT), and the change journal ($UsnJrnl) records file operations; both are
primary sources for examiners.

21. Explain MAC file systems in detail.

HFS+ (Hierarchical File System Plus): Used by macOS until 2017; supports large files,
journaling, and efficient storage management.
APFS (Apple File System): The file system used since macOS 10.13 and iOS 10.3,
designed for flash/SSD storage and offering copy-on-write metadata, snapshots, native
encryption and file cloning; snapshots can preserve earlier states of files for the
examiner.

22. Explain memory forensic? What are the steps to follow to create a RAM memory
image.
Memory Forensics: The acquisition and analysis of volatile data in RAM (running
processes, network connections, loaded drivers, injected code, encryption keys), which
is lost when the machine is powered off.
Steps to Create a RAM Memory Image:

1. Preparation: Bring a trusted acquisition tool on read-only or external media (e.g.,
FTK Imager or WinPmem on Windows, LiME or AVML on Linux). Volatility is the analysis
framework used afterwards, not an acquisition tool. Running any tool changes memory,
so record the tool and its footprint.
2. Capture: Execute the acquisition tool with administrator/root rights and write the
image to external storage, never to the evidence disk.
3. Verify: Hash the image (SHA-256) immediately. A memory image cannot be re-acquired
identically, so the hash proves only that the file has not changed since capture.
4. Store: Save the memory image and its hash securely, with chain-of-custody records.
5. Analyze: Use Volatility or a similar framework to list processes, connections,
handles and loaded modules and to extract suspicious binaries from the dump.

23. What are the various tasks performed by computer forensic tools.

● Disk Imaging: Creating exact copies of storage media.
● Data Recovery: Retrieving deleted or corrupted files.
● File Analysis: Examining files for evidence.
● Network Forensics: Analyzing network traffic for suspicious activity.
● Memory Analysis: Investigating data stored in RAM.
● Report Generation: Documenting findings in a structured manner.

24. Explain the windows event flags in detail.

Windows event logs (System, Application, Security and many service-specific logs,
stored as .evtx files) record each event with an Event ID, a source, a level and
keywords that classify it. The level is Information, Warning, Error or Critical; in
the Security log the keyword is Audit Success or Audit Failure. Event IDs the examiner
looks for include 4624 (successful logon, with a logon type that distinguishes
interactive, network and remote desktop logons), 4625 (failed logon), 4688 (process
creation), 4720 (user account created), 7045 (new service installed) and 1102 (audit
log cleared). These markers are critical for forensic analysis to understand system
behavior and identify security incidents, for example many 4625 events from one
address followed by a 4624 from the same address.
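The last sentence above as an added shell example that is not part of the original notes: two awk filters run over a constructed CSV export of Security log events. The Event IDs are the real Windows ones; the rows, the column layout and the function names are constructed for this example (on the host the log would be exported with wevtutil or Get-WinEvent and carried to the examination machine).

```shell
#!/bin/sh
# Added example (not from the original notes): detection over an exported
# Security log. The Event IDs are the real Windows ones (4625 failed logon,
# 4624 successful logon, 4688 process creation, 1102 audit log cleared); the
# rows are constructed for this example and the column layout is an assumed
# CSV export. Needs awk only.

EVENTS_CSV='timestamp,event_id,keyword,target_user,source_ip
2024-05-01T09:00:01,4625,AuditFailure,svc_backup,10.0.0.7
2024-05-01T09:00:02,4625,AuditFailure,svc_backup,10.0.0.7
2024-05-01T09:00:03,4625,AuditFailure,svc_backup,10.0.0.7
2024-05-01T09:00:04,4625,AuditFailure,svc_backup,10.0.0.7
2024-05-01T09:00:05,4625,AuditFailure,svc_backup,10.0.0.7
2024-05-01T09:00:06,4625,AuditFailure,svc_backup,10.0.0.7
2024-05-01T09:00:09,4624,AuditSuccess,svc_backup,10.0.0.7
2024-05-01T09:01:00,4625,AuditFailure,jsmith,10.0.0.23
2024-05-01T09:01:30,4624,AuditSuccess,jsmith,10.0.0.23
2024-05-01T09:15:00,4688,AuditSuccess,svc_backup,-
2024-05-01T09:20:00,1102,AuditSuccess,svc_backup,-'

# detect_bruteforce [THRESHOLD]
#   stdin: the CSV. Prints "source_ip failures" for every source that produced
#   at least THRESHOLD (default 5) failed logons and then logged on
#   successfully. The order of events matters (failures, then success), so the
#   rows are read in time order instead of merely counted.
detect_bruteforce() {
    awk -F, -v th="${1:-5}" '
        NR == 1 { next }                          # header row
        $2 == 4625 { fail[$5]++ }
        $2 == 4624 && fail[$5] >= th && !($5 in hit) {
            hit[$5] = 1
            print $5, fail[$5]
        }'
}

# detect_log_cleared
#   stdin: the CSV. Prints "timestamp user" for each 1102 event. Clearing the
#   log is itself logged, so covering tracks leaves this mark behind.
detect_log_cleared() {
    awk -F, 'NR > 1 && $2 == 1102 { print $1, $4 }'
}

printf '%s\n' "$EVENTS_CSV" | detect_bruteforce 5       # 10.0.0.7 6
printf '%s\n' "$EVENTS_CSV" | detect_log_cleared        # 2024-05-01T09:20:00 svc_backup
```

The single failed logon from 10.0.0.23 followed by a success is a normal typo and is not reported; the threshold is what separates that from the six failures from 10.0.0.7. The 1102 event a few minutes later is what an examiner would pull next, since it marks where the trail was cut.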

25. Write short note on - The Sleuth Kit autopsy tool.

The Sleuth Kit (TSK) is an open-source library and set of command-line tools (fls,
icat, mmls and others) for analyzing disk images and file systems, including
recovering deleted files. Autopsy is the graphical digital forensics platform built
on top of TSK; it provides a point-and-click interface for examining file systems,
recovering deleted files, keyword searching, timeline analysis and examining
artifacts such as web history and registry hives.

Module 4

1. Define Incident Response.

Incident response is a structured approach to handling and managing the aftermath of a
security breach or cyberattack, with the aim of limiting damage, reducing recovery time
and costs, and preventing future incidents.

2. What is the goal of incident response?

The goal of incident response is to effectively manage and mitigate the impact of
security incidents by detecting, responding to, and recovering from cyber threats while
preserving evidence for further investigation and legal proceedings.

3. Define Initial Response.

Initial Response refers to the immediate actions taken upon the detection of a potential
security incident to contain and assess the situation, gather preliminary information
(including volatile data that would be lost on shutdown), and initiate the incident
response process.

4. Define Investigation.

Investigation involves the systematic collection, analysis, and interpretation of evidence
to understand the nature, cause, and impact of a security incident, and to identify those
responsible.

5. Define Remediation.

Remediation encompasses the steps taken to eliminate the root cause of a security
incident, restore affected systems and data to normal operation, and implement
measures to prevent recurrence.

6. Explain Forensic Duplicates as Admissible Evidence.

Forensic duplicates are exact copies of digital evidence created using specialized tools
and methods that ensure the integrity and authenticity of the data. They are accepted in
court in place of the original when the examiner can show that the copy was made with a
documented method, that its hash matches the value recorded at acquisition, and that the
chain of custody is unbroken; the duplicate is then treated as a reliable and unaltered
representation of the original evidence.

7. What is forensic duplication? Why is it needed?

Forensic duplication is the process of creating an exact bit-by-bit copy of digital
evidence, ensuring that the duplicate is identical to the original (including unallocated
space and slack, not just the files). It is needed to preserve the integrity of the
original evidence, allowing investigators to perform analysis without risking alteration
or damage to the original data, and to let another party repeat the analysis.

8. What is a restored image?

A restored image is a forensic duplicate that has been written back onto a new storage
device (of the same or larger geometry) so that the system can be examined, or booted, in
an environment that mimics the original.

9. What is a mirror image?

A mirror image is a bit-for-bit duplicate of a computer's storage media made directly
onto another drive, typically with a hardware duplicator, so that the copy can stand in
for the original. It is a forensic term and differs from RAID mirroring, which keeps two
drives in sync in real time as a redundancy mechanism, not as evidence handling.

10. Explain the steps of creating forensic evidence.

1. Identification: Recognize potential digital evidence.
2. Preservation: Secure and protect the evidence to prevent tampering.
3. Collection: Gather the evidence in a forensically sound manner.
4. Examination: Analyze the evidence using forensic tools.
5. Analysis: Interpret the data to derive meaningful insights.
6. Documentation: Record all findings and methods used.
7. Presentation: Prepare the evidence for legal proceedings.

11. What is a Qualified forensic duplicate?

A qualified forensic duplicate is a file that contains every bit of information from the
source but stores it in an altered form, for example compressed, split into segments or
interleaved with in-band hashes, as E01 and similar evidence file formats do. It is
distinguished from a plain forensic duplicate (a raw dd image), whose bytes match the
source exactly. Both are admissible when the tool, method and hash values are documented
and the chain of custody is maintained.

Module 5

12. Explain forensic image formats in detail.

● RAW (dd image): An uncompressed bit-for-bit copy of the storage device, produced by
dd and similar tools. Simple and readable by every tool, but as large as the source, and
hashes and case notes must be kept in separate files. Often stored split into fixed-size
segments (.001, .002, ...).
● E01 (EnCase Evidence File): Compressed format that stores the data in chunks with a
CRC per chunk, an overall MD5/SHA-1 hash, and case metadata (examiner, case number,
notes) inside the file; widely supported by commercial and open-source tools (libewf).
● AFF (Advanced Forensic Format): Open format supporting compression, encryption and
signing, and arbitrary metadata segments.

13. How to preserve digital evidence? Explain the same in detail.

Preservation involves:

1. Isolating the device: Prevent access and tampering.
2. Imaging: Create forensic duplicates.
3. Documenting: Record chain of custody and handling procedures.
4. Storing Securely: Use tamper-evident containers and secure storage facilities.

14. Explain the steps to acquire an image with DD tool.

1. Connect the device: Attach the storage device to a forensic workstation through a
hardware write blocker, and do not mount it.
2. Run DD command: Use dd to create an image (e.g., dd if=/dev/sda
of=/path/to/image.img bs=512 conv=noerror,sync). conv=noerror continues past unreadable
sectors and conv=sync pads them so the image stays aligned with the source; dd's record
counts are kept as part of the acquisition log.
3. Verify integrity: Calculate hash values of the original and of the image and confirm
they match. Use SHA-256; MD5 and SHA-1 are collision-prone and should only be used to
compare with values recorded by older tools.
4. Document the process: Record all steps taken during the acquisition, the tool
versions, the hash values and who handled the evidence.
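Steps 2 to 4 above (and the forensic duplicate questions in Module 4), as an added shell example that is not part of the original notes: dd acquisition of a constructed sample standing in for /dev/sda, a sha256sum manifest recorded at acquisition, verification of a working copy against that manifest before analysis, and the check failing on a copy in which four bytes were deliberately overwritten. File and function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original notes): what happens to the hashes
# after a dd acquisition. The image is hashed once, the value is written to a
# manifest kept with the chain-of-custody record, every working copy is
# verified against that manifest before analysis, and any later change to a
# copy (here four deliberately overwritten bytes) is caught by re-running the
# check. /dev/sda is replaced by a constructed sample file so the example runs
# offline. Needs dd, sha256sum, cp, cmp (coreutils).

# acquire_local SRC IMAGE
#   conv=noerror skips unreadable sectors, conv=sync pads them so offsets stay
#   aligned; bs=512 is the sector size, so padding never changes the length.
#   dd's record counts are kept in IMAGE.dd.log as part of the acquisition log.
acquire_local() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2> "$2.dd.log"
}

# record_manifest IMAGE
#   Writes IMAGE.sha256 in the format `sha256sum -c` reads, using the bare file
#   name so the manifest stays valid when the evidence set is moved as a whole.
record_manifest() {
    ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" ) > "$1.sha256"
}

# verify_manifest IMAGE
#   Returns 0 if IMAGE still matches IMAGE.sha256, non-zero otherwise.
verify_manifest() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" ) > /dev/null 2>&1
}

# working_copy IMAGE COPY
#   Analysis is done on a copy, never on the acquired image. The copy gets its
#   own manifest, which must carry the same hash as the original's.
working_copy() {
    cp "$1" "$2" || return 1
    record_manifest "$2"
    [ "$(cut -d' ' -f1 "$1.sha256")" = "$(cut -d' ' -f1 "$2.sha256")" ]
}

# Demo on a constructed 512 KiB "drive".
demo_dd_acquisition() {
    work=$(mktemp -d)
    head -c 524288 /dev/urandom > "$work/sda.sample"
    acquire_local "$work/sda.sample" "$work/disk.raw" || return 1
    record_manifest "$work/disk.raw"
    verify_manifest "$work/disk.raw" && echo "image matches manifest"
    working_copy "$work/disk.raw" "$work/disk.work.raw" && echo "working copy verified"
    # Simulate later tampering or bit rot: overwrite 4 bytes in the working copy.
    printf 'XXXX' | dd of="$work/disk.work.raw" bs=1 seek=4096 conv=notrunc 2> /dev/null
    if verify_manifest "$work/disk.work.raw"; then
        echo "ERROR: change not detected" >&2; rc=1
    else
        echo "tampered copy rejected, re-copy from the verified image"; rc=0
    fi
    rm -rf "$work"
    return $rc
}

demo_dd_acquisition
```

The manifest is the artefact that makes the duplicate admissible: the hash recorded at acquisition is quoted in the report, and anyone holding the image and the manifest can rerun verify_manifest independently. A failed check on a working copy means only that copy is discarded; the acquired image, which still verifies, is the source for a fresh one.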

15. Explain the goal of report writing.

The goal of report writing in digital forensics is to document the findings of the forensic
analysis clearly and accurately, providing a detailed account of the methods used,
evidence discovered, and conclusions drawn, which can be used in legal proceedings.

16. Explain various guidelines of report writing.

● Clarity: Use clear and concise language.
● Accuracy: Ensure all information is correct and verifiable.
● Completeness: Include all relevant findings and methods.
● Objectivity: Present facts without bias.
● Structure: Follow a logical format with sections like introduction, methodology,
findings, and conclusion.

Module 6

17. What is intrusion detection? Explain.

Intrusion detection is the process of monitoring and analyzing network or system
activities for signs of security breaches or malicious activities. It involves the use of
intrusion detection systems (IDS) that can be network-based (NIDS, inspecting traffic
from a tap or SPAN port) or host-based (HIDS, inspecting logs, processes and file
integrity on a host) to identify and alert on potential threats. Detection is either
signature-based (matching known attack patterns) or anomaly-based (flagging deviations
from a learned baseline). The alerts, and the packets or log lines behind them, are
themselves evidence for the investigation.

18. Explain the steps in router investigation.

1. Initial Assessment: Determine the scope and nature of the investigation and obtain
access to the device without rebooting it; a router's log buffer and state tables live
in memory and are lost on restart.
2. Log Analysis: Examine router logs (the local buffer and the syslog server it forwards
to) for suspicious activities such as configuration changes, failed logins and
interface changes.
3. Configuration Review: Compare the running configuration with the last known-good
(saved or golden) configuration to find unauthorized changes such as new accounts,
altered access lists, new static routes or disabled logging.
4. Traffic Analysis: Monitor network traffic and flow records for anomalies.
5. Evidence Collection: Gather relevant logs, the configuration, routing and ARP tables
and active sessions, hashing and timestamping each capture.
6. Reporting: Document findings and recommendations.
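Step 3 above as an added shell example that is not part of the original notes: a golden configuration and a running configuration, both constructed in IOS-style syntax with documentation-range addresses, are compared line by line and the differences filtered down to the stanzas an intruder would touch. The function names and the list of sensitive stanzas are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original notes): the configuration-review step
# of a router investigation as a comparison between the last known-good
# (golden) configuration and the one pulled from the device. Both
# configurations are constructed in IOS-style syntax with documentation-range
# addresses; they are not from a real router. Needs grep and sed only.

write_sample_configs() {                 # $1 = directory to write into
    cat > "$1/golden.cfg" <<'EOF'
hostname edge-rtr1
username admin privilege 15 secret 5 $1$abcd$REDACTED
logging host 192.0.2.50
snmp-server community R3adOnly RO
ip route 0.0.0.0 0.0.0.0 198.51.100.1
access-list 10 permit 192.0.2.0 0.0.0.255
EOF
    cat > "$1/running.cfg" <<'EOF'
hostname edge-rtr1
username admin privilege 15 secret 5 $1$abcd$REDACTED
username svc-ops privilege 15 secret 5 $1$zzzz$REDACTED
snmp-server community public RW
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 10.10.0.0 255.255.0.0 203.0.113.9
access-list 10 permit 192.0.2.0 0.0.0.255
EOF
}

# config_drift GOLDEN RUNNING
#   Prints each line present in only one file: "-" for lines that disappeared
#   from the running config, "+" for lines that were added. Whole-line fixed
#   string matching (grep -Fx) is order-insensitive, so a reordered stanza is
#   not reported as a change. Strip blank and comment lines first on real
#   configs, since an empty pattern line would match everything.
config_drift() {
    grep -vxFf "$2" "$1" | sed 's/^/-/'
    grep -vxFf "$1" "$2" | sed 's/^/+/'
}

# flag_sensitive
#   stdin: config_drift output. Keeps only changes to the stanzas that matter
#   in an intrusion: accounts, SNMP, logging, routing, filtering, management.
flag_sensitive() {
    grep -E '^[+-](username|enable|aaa|snmp-server|logging|ip route|access-list|line vty|ip http)'
}

demo_router_review() {
    work=$(mktemp -d)
    write_sample_configs "$work"
    config_drift "$work/golden.cfg" "$work/running.cfg" | flag_sensitive
    rm -rf "$work"
}

demo_router_review
```

On the constructed configs the review surfaces a second privilege-15 account, a read-write SNMP community replacing the read-only one, a new static route to an outside address and the removal of the syslog destination, which together are what an investigator would write up as unauthorized changes. The golden copy should itself come from a hashed, access-controlled store; if the only baseline is the device's own startup-config, an intruder with enable access could have rewritten both.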

19. Write a short note on Internet Protocol Suite.

The Internet Protocol Suite, commonly known as TCP/IP, is the set of communication
protocols used for the internet and similar networks. It includes:

● Application Layer: Protocols like HTTP, FTP, SMTP.
● Transport Layer: TCP and UDP protocols for data transfer.
● Internet Layer: IP protocol for addressing and routing.
● Link Layer: Protocols for hardware addressing and media access.

20. Explain Android OS Architecture in Detail.

Android OS architecture consists of layers, from the hardware upwards:
● Linux Kernel: Manages hardware, processes, memory and security; each app runs as
its own Linux user, which is how app sandboxing is enforced.
● Hardware Abstraction Layer and Native Libraries: Provide core functions like data
storage (SQLite), media playback, graphics rendering (OpenGL) and the C library
(Bionic).
● Android Runtime (ART): Executes application bytecode (DEX). ART replaced the Dalvik
Virtual Machine (DVM) in Android 5.0 and compiles apps ahead of time at install and in
the background, rather than only just-in-time.
● Application Framework: Java APIs that manage the application lifecycle, activities,
content providers and resources.
● Applications: User-facing apps built using the framework, each with private storage
under /data/data/<package>, which is where most forensic artifacts are found.

21. Explain mobile phone evidence extraction process.

1. Seizure: Secure the device, photograph it, and note whether it is powered on and
locked.
2. Isolation: Use a Faraday bag, or airplane mode if the device is already unlocked, to
prevent network connections (remote wipe, new messages overwriting older data); any
interaction with the device to change settings must be recorded.
3. Imaging: Create a forensic image or extraction of the device's data using the least
invasive method that meets the case needs (logical, file system or physical).
4. Analysis: Use forensic tools to extract and analyze data (messages, call logs,
location data, application databases).
5. Reporting: Document findings, the tools and method used, and the hash values that
establish the integrity of the evidence.
