CYBER

FORENSICS
B.Sc (Computer Science)
Semester 6
Mumbai University

By:
munotes.in
Revision 2023
 CYBER FORENSICS

Units Sr. Title Page

No No

I 1 Computer Forensics 2

I 2 Network Forensic 7

I 3 Cell Phone and Mobile Device Forensics 13

II 4 Internet Forensic 15

II 5 E-mail Forensics 21

II 6 Messenger Forensics 25

II 7 Social Media Forensics 26

II 8 Browser Forensics 27

III Investigation, Evidence presentation and Legal aspects of 32

9 Digital Forensics

III 10 Introduction to Legal aspects of Digital Forensics 38

 2

Unit I

Computer Forensics :
1. Introduction to Computer Forensics and standard procedure.
Ans:
· Computer forensics is the process of collecting, analyzing and preserving digital
evidence in a manner that is legally admissible.

· Standard procedures in computer forensics include:

· Securing the crime scene to prevent contamination or alteration of evidence
· Making a forensic copy of the digital data for analysis
· Analyzing the data using specialized software and techniques
· Documenting the entire process and preserving the chain of custody for
evidence
· Presenting the findings in a clear and unbiased manner in a report or court
testimony

2. Incident Verification and System Identification

Ans:
1. Incident Verification:
· Verify the authenticity of the incident by checking the source of the incident
report and any supporting evidence.
· Gather information about the incident, including the time, location, and any
relevant details about the incident.
· Identify any potential witnesses or involved parties, and collect their
statements.
· Check for any security camera footage or other relevant video evidence.
· Check for any patterns or similar incidents that may be related to the incident
in question.

CYBER FORENSICS
 3

2. System Identification:
· Identify the specific systems or assets that were affected by the incident.
· Determine the extent of the impact on the affected systems or assets.
· Identify any vulnerabilities or weaknesses in the affected systems that may
have contributed to the incident.
· Determine the cause of the incident, including any human error or external
factors that may have played a role.
· Identify any potential risks or threats that may have led to the incident, and
assess the likelihood of similar incidents happening in the future.

3. Recovery of Erased and damaged data.

Ans:
1. Data recovery is the process of restoring lost or inaccessible data from a damaged
storage device or media.
2. Standard procedures for recovering erased or damaged data include:
· Identifying the type and cause of data loss.
· Making a forensic image or copy of the storage device for analysis.
· Using specialized software and techniques to recover the lost data.
· Verifying the integrity and authenticity of the recovered data.
· Documenting the entire process and preserving the chain of custody for
evidence.
· Presenting the findings in a clear, concise, and unbiased manner in a report
or court testimony.
· Following legal and ethical guidelines for handling digital evidence.
· Continuously updating the knowledge and skills to keep up with the latest
technology and trends in data recovery.

CYBER FORENSICS
 4

3. Some common causes of data loss include physical damage to the storage device,
logical corruption, malware or virus attacks, and accidental deletion.
4. Some specialized techniques used in data recovery include file carving, signature
analysis, and sector-by-sector recovery.
5. It's worth noting that the chances of successful data recovery decreases as time
passes and as the device is being used after the data loss.

4. Disk Imaging and Preservation.

Ans:
1. Disk imaging is the process of creating a bit-by-bit copy of a storage device, such
as a hard drive or a memory card.
2. Disk imaging is a critical step in computer forensics as it preserves the integrity of
the original data and creates a tamper-proof copy for analysis.
3. Standard procedures for disk imaging and preservation include:
· Securing the crime scene to prevent contamination or alteration of
evidence.
· Identifying the type and model of the storage device.
· Making a forensic image or copy of the storage device using specialized
software and hardware.
· Verifying the integrity and authenticity of the image using hash values and
other methods.
· Documenting the entire process and preserving the chain of custody for
evidence.
· Storing the image in a secure and tamper-proof manner.
· Continuously updating the knowledge and skills to keep up with the latest
technology and trends in disk imaging.
4. There are several types of disk imaging methods such as full disk imaging, logical
imaging and selective imaging.

CYBER FORENSICS
 5

5. Some popular software used for disk imaging are Encase, FTK Imager, X-Ways
Forensics, and dd.
6. It's worth noting that disk imaging requires a high level of technical expertise and
should be performed by trained and certified professionals.

5. Data Encryption and Compression, Automated Search Techniques

Ans:
1. Data encryption is the process of transforming plaintext data into unreadable
ciphertext using a mathematical algorithm and a secret key.
2. Data compression is the process of reducing the amount of data required to
represent a given set of information, thus reducing the storage and transmission
requirements.
3. Standard procedures for data encryption and compression include:
· Identifying the type and method of encryption or compression used on the
data.
· Using specialized software and techniques to decrypt or decompress the
data.
· Verifying the integrity and authenticity of the decrypted or decompressed
data.
· Documenting the entire process and preserving the chain of custody for
evidence.
· Presenting the findings in a clear, concise, and unbiased manner in a report
or court testimony.
· Following legal and ethical guidelines for handling digital evidence.
· Continuously updating the knowledge and skills to keep up with the latest
technology and trends in encryption and compression.
4. Automated search techniques are used to quickly and efficiently search through
large amounts of data.

CYBER FORENSICS
 6

5. Standard procedures for automated search include:

· Defining the search criteria and parameters.
· Using specialized software and techniques to search the data.
· Reviewing and verifying the results of the search.
· Documenting the entire process and preserving the chain of custody for
evidence.
· Presenting the findings in a clear, concise, and unbiased manner in a report
or court testimony.
· Following legal and ethical guidelines for handling digital evidence.
· Continuously updating the knowledge and skills to keep up with the latest
technology and trends in automated search techniques.
6. Some popular software used for data encryption are BitLocker, VeraCrypt, and
TrueCrypt.
7. Some popular software used for data compression are WinZip, 7-Zip, and WinRAR.
8. Some popular software used for Automated search techniques are grep, awk, and
regular expressions.

6. Forensics Software
Ans:
1. Forensics software is a specialized type of software used to collect, analyze, and
preserve digital evidence in a legally admissible manner.
2. Some standard features of forensics software include:
· Data acquisition and imaging capabilities to create a forensic copy of the
storage device.
· Data analysis and interpretation tools to identify and extract relevant data
from the image.
· Data search and filtering capabilities to quickly locate specific files or
information.

CYBER FORENSICS
 7

· Data visualization and presentation tools to display the results of the

analysis in a clear and easily understandable format.
· Data hashing and integrity verification capabilities to ensure the
authenticity and integrity of the data.
· Support for multiple file formats and file systems.
· Automated and manual data recovery capabilities for erased or damaged
data.
· Reporting and documentation tools to create a detailed and legally
admissible report of the analysis.
3. Some popular forensics software include EnCase, FTK Imager, X-Ways Forensics,
and Autopsy.
4. Some forensics software are built for specific purposes such as memory forensics,
mobile device forensics, and cloud forensics.
5. It's worth noting that forensics software requires a high level of technical expertise
and should be used by trained and certified professionals.

Network Forensic :
7. Introduction to Network Forensics and tracking network traffic.
Ans:
1. Network forensics is the process of collecting, analyzing, and preserving evidence
from a network in a legally admissible manner.
2. Standard procedures for network forensics include:
· Identifying and documenting the network infrastructure, including devices,
protocols, and configurations.
· Capturing and analyzing network traffic using specialized software and
techniques.
· Identifying and tracking malicious activity, such as hacking attempts,
malware infections, and unauthorized access.

CYBER FORENSICS
 8

· Reconstructing events and activities that occurred on the network to

provide context and understanding of the incident.
· Documenting the entire process and preserving the chain of custody for
evidence.
· Presenting the findings in a clear, concise, and unbiased manner in a report
or court testimony.
· Following legal and ethical guidelines for handling digital evidence.
· Continuously updating the knowledge and skills to keep up with the latest
technology and trends in network forensics.
3. Network traffic tracking refers to the process of monitoring and analyzing data
packets that are moving over a network.
4. Standard procedures for network traffic tracking include:
· Identifying and documenting the network infrastructure, including devices,
protocols, and configurations.
· Capturing network traffic using specialized software and hardware, such as
network taps or span ports.
· Analyzing network traffic using specialized software and techniques, such
as packet capture analysis, flow analysis, and protocol analysis.
· Identifying and tracking malicious activity, such as hacking attempts,
malware infections, and unauthorized access.
· Documenting the entire process and preserving the chain of custody for
evidence.
· Presenting the findings in a clear, concise, and unbiased manner in a report
or court testimony.
· Following legal and ethical guidelines for handling digital evidence.
· Continuously updating the knowledge and skills to keep up with the latest
technology and trends in network traffic tracking.
5. Some popular software used for network forensics include Wireshark,
NetworkMiner, and tcpdump.

CYBER FORENSICS
 9

6. It's worth noting that network forensics and traffic tracking requires a high level of
technical expertise and should be performed by trained and certified professionals.

8. Reviewing Network Logs.

Ans:

1. Reviewing network logs is the process of analyzing log files generated by network
devices and systems to identify and track network activity.
2. Standard procedures for reviewing network logs include:
· Identifying and documenting the network infrastructure, including devices,
protocols, and configurations.
· Collecting log files from various network devices and systems, such as
routers, switches, firewalls, and servers.
· Analyzing log files using specialized software and techniques to identify
patterns and anomalies.
· Correlating log data from different sources to provide a comprehensive
view of network activity.
· Identifying and tracking malicious activity, such as hacking attempts,
malware infections, and unauthorized access.
· Reconstructing events and activities that occurred on the network to
provide context and understanding of the incident.
· Documenting the entire process and preserving the chain of custody for
evidence.
· Presenting the findings in a clear, concise, and unbiased manner in a report
or court testimony.
· Following legal and ethical guidelines for handling digital evidence.
· Continuously updating the knowledge and skills to keep up with the latest
technology and trends in log analysis.

CYBER FORENSICS
 10

3. Network logs contain valuable information such as IP addresses, timestamps,

device names, and system events.
4. Some popular software used for log analysis include Syslog-ng, Splunk, and
LogRhythm.
5. It's worth noting that reviewing network logs requires a high level of technical
expertise and should be performed by trained and certified professionals.

9. Network Forensics Tools, Performing Live Acquisitions.

Ans:
1. Network forensics tools are specialized software and hardware that are used to
collect, analyze, and preserve digital evidence from a network in a legally
admissible manner.
2. Some common types of network forensics tools include:
· Packet capture tools, such as Wireshark, tcpdump, and NetworkMiner,
which capture and analyze network traffic.
· Log analysis tools, such as Syslog-ng, Splunk, and LogRhythm, which analyze
log files generated by network devices and systems.
· Network traffic analysis tools, such as Ntop and Flowalyzer, which provide
real-time visibility into network traffic and identify patterns and anomalies.
· Network security tools, such as Snort and Suricata, which detect and alert
on malicious activity.
· Incident response and forensic analysis tools, such as EnCase, FTK, and X-
Ways Forensics, that are used to investigate and analyze data from a
network incident.
3. Live acquisitions refer to the process of collecting evidence from a running system
or network without shutting it down.
4. Standard procedures for performing live acquisitions include:
· Identifying the type and model of the system or network.

CYBER FORENSICS
 11

· Making a forensic image or copy of the system or network using specialized

software and hardware.
· Verifying the integrity and authenticity of the image or copy using hash
values and other methods.
· Analyzing the image or copy using specialized software and techniques.
· Documenting the entire process and preserving the chain of custody for
evidence.
· Presenting the findings in a clear, concise, and unbiased manner in a report
or court testimony.
· Following legal and ethical guidelines for handling digital evidence.
· Continuously updating the knowledge and skills to keep up with the latest
technology and trends in live acquisitions.
5. It's worth noting that performing live acquisitions requires a high level of technical
expertise and should be performed by trained and certified professionals.

10.Order of Volatility.
Ans:
1. The order of volatility is a guideline used in digital forensics to prioritize the
collection and preservation of evidence based on its likelihood of being lost or
altered.
2. The order of volatility typically includes the following types of evidence:
· Volatile data: Evidence that exists in memory and is lost when the power is
turned off or the system is rebooted. Examples include RAM, cache, and
temporary files.
· Non-volatile data: Evidence that exists on storage devices and is not lost
when power is turned off. Examples include hard drives, flash drives, and
SD cards.

CYBER FORENSICS
 12

· Transient data: Evidence that exists temporarily on a network and may be

lost if not captured in a timely manner. Examples include network traffic,
system logs, and email.
3. The order of volatility is used to ensure that the most critical evidence is collected
and preserved first, while still allowing for the collection of less critical evidence.
4. The order of volatility is typically followed in the following order:
· Volatile data: Memory and cache, RAM, temporary files, and running
processes.
· Non-volatile data: Hard drives, flash drives, and other storage devices.
· Transient data: Network traffic, system logs, and email.
5. It's worth noting that the order of volatility can vary depending on the specific case
and the types of evidence involved, and should be adapted to the needs of the
investigation.

11.Standard Procedure.
Ans:
1. Standard procedures refer to a set of established protocols and guidelines that are
followed in a specific field or industry to ensure consistency and accuracy in the
processes carried out.
2. Standard procedures in digital forensics include:
· Securing the crime scene to prevent contamination or alteration of
evidence
· Identifying and preserving the relevant data in a forensically sound manner
· Making a forensic copy of the digital data for analysis
· Analyzing the data using specialized software and techniques
· Documenting the entire process and preserving the chain of custody for
evidence

CYBER FORENSICS
 13

· Presenting the findings in a clear, concise, and unbiased manner in a report

or court testimony
· Following legal and ethical guidelines for handling digital evidence
· Continuously updating the knowledge and skills to keep up with the latest
technology and trends in the field.
3. Other standard procedures may include:
· Order of volatility: Prioritizing the collection and preservation of evidence
based on its likelihood of being lost or altered.
· Chain of custody: Maintaining a clear and unbroken record of the handling,
transport, and storage of evidence from the time of its seizure to the time
it is presented in court.
· Reporting and documentation: Creating a detailed and legally admissible
report of the analysis.
· Quality assurance: Checking the process and results of the investigation to
ensure accuracy and completeness.
4. It's worth noting that following standard procedures is critical in digital forensics
as it ensures that the evidence is collected, analyzed, and presented in a manner
that is legally admissible and can be used in court.

Cell Phone and Mobile Device Forensics:

12.Acquisition Procedures for Cell Phones and Mobile Devices.
Ans:
1. Acquisition procedures for cell phones and mobile devices refer to the process of
collecting and preserving digital evidence from a mobile device in a legally
admissible manner.
2. Standard procedures for acquiring evidence from cell phones and mobile devices
include:
· Securing the device to prevent contamination or alteration of evidence

CYBER FORENSICS
 14

· Identifying the type and model of the device and its operating system
· Making a forensic image or copy of the device's storage using specialized
software and hardware
· Extracting relevant data from the device, such as call logs, contacts, text
messages, and media files
· Analyzing the data using specialized software and techniques
· Documenting the entire process and preserving the chain of custody for
evidence
· Presenting the findings in a clear, concise, and unbiased manner in a report
or court testimony
· Following legal and ethical guidelines for handling digital evidence
· Continuously updating the knowledge and skills to keep up with the latest
technology and trends in mobile device forensics
3. Some other considerations when acquiring evidence from cell phones and mobile
devices include:
· Ensuring that the device is powered off and the battery is removed before
acquisition to prevent data alteration
· Extracting data from the device's SIM card and any external storage devices,
such as SD cards
· Making note of any security measures on the device, such as passcodes or
fingerprints, and taking appropriate steps to bypass them
· Following the order of volatility and other standard procedures in digital
forensics
4. It's worth noting that acquiring evidence from cell phones and mobile devices
requires a high level of technical expertise and should be performed by trained and
certified professionals.

CYBER FORENSICS
 15

Unit II
Internet Forensic :
13.Introduction to Internet Forensics.
Ans:
1. Internet forensics is the process of collecting, analyzing, and preserving digital
evidence from the internet in a legally admissible manner.
2. Standard procedures for internet forensics include:
· Identifying and documenting the internet infrastructure, including
websites, servers, and protocols.
· Collecting and analyzing digital evidence from the internet, such as web
pages, social media posts, and email messages.
· Identifying and tracking malicious activity, such as hacking attempts,
phishing scams, and online fraud.
· Reconstructing events and activities that occurred on the internet to
provide context and understanding of the incident.

CYBER FORENSICS
 16

· Documenting the entire process and preserving the chain of custody for
evidence.
· Presenting the findings in a clear, concise, and unbiased manner in a report
or court testimony.
· Following legal and ethical guidelines for handling digital evidence.
· Continuously updating the knowledge and skills to keep up with the latest
technology and trends in internet forensics.
3. Internet forensics involves the use of various tools and techniques to collect and
analyze digital evidence from the internet, such as web scraping, metadata
analysis, and geolocation analysis.
4. Internet forensics is becoming increasingly important as more and more criminal
activities are taking place on the internet.
5. It's worth noting that internet forensics requires a high level of technical expertise
and should be performed by trained and certified professionals.
6. It's also important to note that Internet Forensics is a complex task and multiple
legal jurisdiction issues may arise when collecting evidence from the internet as
the location of the server or the person committing the crime may be in different
countries.

14.World Wide Web Threats.

Ans:
1. The World Wide Web (WWW) is a vast network of interconnected documents and
other resources, linked by hyperlinks and URLs.
2. The World Wide Web can be a source of various types of threats and risks,
including:
· Phishing: Attempts to trick users into revealing sensitive information, such
as login credentials, personal data, or financial information.

CYBER FORENSICS
 17

· Malware: Malicious software, such as viruses, worms, and Trojans, that can
infect computers and mobile devices to steal data, spread malware, or
disrupt operations.
· Ransomware: Malware that encrypts a user's files and demands a ransom
payment to restore access to the data.
· Social engineering: Attempts to manipulate or deceive users into divulging
sensitive information or performing actions that are not in their best
interests.
· Distributed Denial of Service (DDoS) attacks: Attempts to overload a
website or network with traffic to make it unavailable to legitimate users.
· Advanced Persistent Threats (APT): Sophisticated, long-term cyber attacks
typically launched by state-sponsored actors or well-funded criminal
groups.
3. To protect against these World Wide Web threats, it's important to:
· Keep software and systems updated to fix security vulnerabilities
· Use anti-virus and anti-malware software and firewalls
· Use multi-factor authentication for sensitive accounts

15.Hacking and Illegal access.

Ans:
1. Hacking refers to the unauthorized access, use, disclosure, disruption,
modification, or destruction of computer systems, networks, or information.
2. Illegal access refers to the unauthorized access to a computer system or network,
which is a violation of the computer crime laws in many countries.
3. Standard procedures for identifying and investigating hacking and illegal access
include:
· Identifying and documenting the computer systems and networks involved

CYBER FORENSICS
 18

· Collecting and analyzing log files and other digital evidence to identify
patterns of suspicious activity
· Identifying the methods and techniques used to gain unauthorized access
· Reconstructing events and activities that occurred on the computer system
or network to provide context and understanding of the incident
· Identifying and tracking the individuals or groups responsible for the
hacking or illegal access
· Documenting the entire process and preserving the chain of custody for
evidence
· Presenting the findings in a clear, concise, and unbiased manner in a report
or court testimony
· Following legal and ethical guidelines for handling digital evidence
· Continuously updating the knowledge and skills to keep up with the latest
technology and trends in hacking and illegal access
4. It's worth noting that identifying and investigating hacking and illegal access
requires a high level of technical expertise and should be performed by trained and
certified professionals.

16.Obscene and Incident transmission.

Ans:
1. Obscene content refers to material that is considered offensive or indecent, such
as pornography, hate speech, or graphic violence.
2. Incident transmission refers to the transmission of illegal or harmful content, such
as child pornography, malware, or terrorist propaganda.
3. Standard procedures for identifying and investigating obscene and incident
transmission include:
· Identifying and documenting the source of the content, such as websites,
email addresses, or social media accounts

CYBER FORENSICS
 19

· Collecting and analyzing digital evidence to identify patterns of suspicious

activity
· Identifying the methods and techniques used to transmit the content
· Reconstructing events and activities that occurred on the network or
system to provide context and understanding of the incident
· Identifying and tracking the individuals or groups responsible for the
transmission of the content
· Documenting the entire process and preserving the chain of custody for
evidence
· Presenting the findings in a clear, concise, and unbiased manner in a report
or court testimony
· Following legal and ethical guidelines for handling digital evidence
· Continuously updating the knowledge and skills to keep up with the latest
technology and trends in incident transmission
4. It's worth noting that identifying and investigating obscene and incident
transmission requires a high level of technical expertise and should be performed
by trained and certified professionals.
5. It's also important to follow laws and regulations related to obscenity and incident
transmission, as the possession or distribution of illegal content can lead to severe
legal consequences.

17.Domain Name Ownership Investigation.

Ans:
1. Domain name ownership investigation refers to the process of identifying the
owner of a specific domain name and the associated website.
2. Standard procedures for domain name ownership investigation include:
· Identifying the domain name in question and the associated website

CYBER FORENSICS
 20

· Collecting and analyzing digital evidence, such as WHOIS records, DNS

records, and website content
· Identifying and tracking the individuals or groups responsible for the
website
· Reconstructing events and activities that occurred on the website to
provide context and understanding of the incident
· Documenting the entire process and preserving the chain of custody for
evidence
· Presenting the findings in a clear, concise, and unbiased manner in a report
or court testimony
· Following legal and ethical guidelines for handling digital evidence
· Continuously updating the knowledge and skills to keep up with the latest
technology and trends in domain name ownership investigation
3. WHOIS records are publicly available records that contain information about the
domain name registration, such as the registrant's name, contact information, and
the date of registration.
4. DNS records contain information about the servers that are responsible for
directing traffic to a specific domain name.
5. It's worth noting that domain name ownership investigation requires a high level
of technical expertise and should be performed by trained and certified
professionals.
6. It's also important to follow laws and regulations related to domain name
ownership and the use of domain names, as the use of a domain name in an
infringing or illegal manner can lead to severe legal consequences.

18.Reconstructing past internet activities and events.

Ans:
1. Reconstructing past internet activities and events refers to the process of analyzing
digital evidence to understand the context, causes, and consequences of specific
events that occurred on the internet.

CYBER FORENSICS
 21

2. Standard procedures for reconstructing past internet activities and events include:
· Identifying and documenting the internet infrastructure, including
websites, servers, and protocols
· Collecting and analyzing digital evidence, such as web pages, social media
posts, and email messages
· Identifying and tracking the individuals or groups responsible for the
activities or events
· Correlating data from different sources to provide a comprehensive view of
the activities or events
· Reconstructing the timeline of events and activities that occurred on the
internet
· Documenting the entire process and preserving the chain of custody for
evidence
· Presenting the findings in a clear, concise, and unbiased manner in a report
or court testimony
· Following legal and ethical guidelines for handling digital evidence
· Continuously updating the knowledge and skills to keep up with the latest
technology and trends in internet forensics
3. Reconstructing past internet activities and events can be used in various types of
investigations, such as cybercrime, fraud, intellectual property theft, and threat
intelligence.
4. It's worth noting that reconstructing past internet activities and events requires a
high level of technical expertise and should be performed by trained and certified
professionals.
5. It's also important to follow laws and regulations related to data privacy and digital
evidence, as the collection, analysis, and presentation of digital evidence must
comply with legal standards.

E-mail Forensics :
19.e-mail analysis.

CYBER FORENSICS
 22

Ans:
1. E-mail analysis refers to the process of collecting, analyzing, and preserving e-mail
messages in a legally admissible manner as part of an investigation or litigation.
2. Standard procedures for e-mail analysis include:
· Identifying and documenting the e-mail infrastructure, including servers,
protocols, and accounts
· Collecting and analyzing e-mail messages, including headers, body content,
attachments, and metadata
· Identifying and tracking the individuals or groups responsible for the e-mails
· Reconstructing the timeline of e-mails and their relationship to other events
or activities
· Documenting the entire process and preserving the chain of custody for
evidence
· Presenting the findings in a clear, concise, and unbiased manner in a report
or court testimony
· Following legal and ethical guidelines for handling digital evidence
· Continuously updating the knowledge and skills to keep up with the latest
technology and trends in e-mail analysis
3. E-mail analysis can be used in various types of investigations, such as cybercrime,
fraud, intellectual property theft, and e-discovery in civil litigation.
4. E-mail analysis requires a high level of technical expertise and should be performed
by trained and certified professionals.
5. It's also important to follow laws and regulations related to data privacy and digital
evidence, as the collection, analysis, and presentation of digital evidence must
comply with legal standards.
6. It's also important to keep in mind that e-mails can be tampered with or fabricated,
so it's important to validate the authenticity of the e-mails being analyzed.

CYBER FORENSICS
 23

20.e-mail headers and spoofing.

Ans:
1. E-mail headers are a part of an email message that contain information about the
routing, delivery, and origin of the message.
2. E-mail headers contain information such as the sender and recipient addresses,
the date and time the message was sent, and the path the message took from the
sender to the recipient.
3. Spoofing refers to the practice of disguising a sender's identity by altering e-mail
headers to make it appear as though the message came from a different source.
4. Spoofing can be used for various malicious purposes such as phishing, scams, and
spamming.
5. Standard procedures for identifying and investigating e-mail headers and spoofing
include:
· Collecting and analyzing e-mail headers to identify patterns of suspicious
activity
· Identifying the methods and techniques used to spoof e-mail headers
· Reconstructing events and activities that occurred on the network or
system to provide context and understanding of the incident
· Identifying and tracking the individuals or groups responsible for the
spoofing
· Documenting the entire process and preserving the chain of custody for
evidence
· Presenting the findings in a clear, concise, and unbiased manner in a report
or court testimony
· Following legal and ethical guidelines for handling digital evidence
· Continuously updating the knowledge and skills to keep up with the latest
technology and trends in e-mail headers and spoofing

CYBER FORENSICS
 24

6. It's worth noting that identifying and investigating e-mail headers and spoofing
requires a high level of technical expertise and should be performed by trained and
certified professionals.
7. It's also important to follow laws and regulations related to data privacy and digital
evidence, as the collection, analysis, and presentation of digital evidence must
comply with legal standards.

21.Laws against e-mail Crime.

Ans:
1. E-mail crime, also known as cybercrime, refers to illegal activities that are
committed using electronic means, such as e-mail.
2. Laws against e-mail crime vary by country, but generally include provisions against:
· Hacking and unauthorized access to computer systems and networks
· Phishing and identity theft
· Spamming and unsolicited e-mails
· Distribution of illegal or harmful content, such as child pornography or
malware
· Fraud and financial crimes committed using e-mail
· Harassment and cyberstalking
· Unlawful interception of electronic communications
· Computer-related offenses such as destruction of data and unauthorized
modification of data
3. Some countries have specific laws that address e-mail crime, such as the U.S.
Computer Fraud and Abuse Act and the U.K. Computer Misuse Act.
4. Other countries have more general laws that cover a wide range of cybercrimes,
such as the European Union's General Data Protection Regulation (GDPR)
5. It's worth noting that cybercrime laws are constantly evolving, and new laws and
regulations are being introduced to address emerging threats and technologies.

CYBER FORENSICS
 25

6. Additionally, it's important to keep in mind that cybercrime often transcends

national boundaries and international cooperation is needed to investigate and
prosecute cybercriminals.
7. It's also important to note that laws and regulations can be different depending on
the location of the crime and the location of the victim, and that extra care should
be taken when investigating cross-border cybercrime.

22.Messenger Forensics: Yahoo Messenger.

Ans:
1. Messenger forensics refers to the process of collecting, analyzing, and preserving
digital evidence from instant messaging systems, such as Yahoo Messenger.
2. Yahoo Messenger is a popular instant messaging service that allows users to
communicate in real-time through text, voice, and video.
3. Standard procedures for Yahoo Messenger forensics include:
· Identifying and documenting the Yahoo Messenger account and associated
devices
· Collecting and analyzing digital evidence, such as chat logs, voicemail, and
video messages
· Identifying and tracking the individuals or groups responsible for the
communication
· Reconstructing the timeline of messages and their relationship to other
events or activities
· Documenting the entire process and preserving the chain of custody for
evidence
· Presenting the findings in a clear, concise, and unbiased manner in a report
or court testimony
· Following legal and ethical guidelines for handling digital evidence
· Continuously updating the knowledge and skills to keep up with the latest
technology and trends in messenger forensics

CYBER FORENSICS
 26

4. Messenger forensics can be used in various types of investigations, such as

cybercrime, fraud, intellectual property theft, and e-discovery in civil litigation.
5. It's worth noting that messenger forensics requires a high level of technical
expertise and should be performed by trained and certified professionals.
6. It's also important to follow laws and regulations related to data privacy and digital
evidence, as the collection, analysis, and presentation of digital evidence must
comply with legal standards.
7. It's also important to keep in mind that messenger services can be encrypted and
conversations on them may not be stored in a readable format or stored for long
periods of time, so it's important to act quickly and gather evidence as soon as
possible.

Social Media Forensics:

23.Social Media Investigations.
Ans:
1. Social media investigations refer to the process of collecting, analyzing, and
preserving digital evidence from social media platforms as part of an investigation
or litigation.
2. Social media platforms include Facebook, Twitter, Instagram, LinkedIn, and many
others, that allow users to create profiles, share information, and interact with
others.
3. Standard procedures for social media investigations include:
· Identifying and documenting the social media accounts, groups, and pages
involved
· Collecting and analyzing digital evidence, such as posts, comments,
messages, photos, and videos
· Identifying and tracking the individuals or groups responsible for the
content

CYBER FORENSICS
 27

· Reconstructing the timeline of events and activities that occurred on the

social media platform
· Documenting the entire process and preserving the chain of custody for
evidence
· Presenting the findings in a clear, concise, and unbiased manner in a report
or court testimony
· Following legal and ethical guidelines for handling digital evidence
· Continuously updating the knowledge and skills to keep up with the latest
technology and trends in social media investigations
4. Social media investigations can be used in various types of investigations, such as
cybercrime, fraud, intellectual property theft, and e-discovery in civil litigation.
5. It's worth noting that social media investigations require a high level of technical
expertise and should be performed by trained and certified professionals.
6. It's also important to follow laws and regulations related to data privacy and digital
evidence, as the collection, analysis, and presentation of digital evidence must
comply with legal standards.
7. It's also important to keep in mind that social media platforms can change their
policies, terms of services and also delete data over time.

Browser Forensics:
24.Cookie Storage and Analysis.
Ans:
1. Cookies are small text files that are stored on a user's computer or mobile device
by a website to remember certain information, such as login credentials or
browsing preferences.
2. Cookie storage and analysis refers to the process of collecting, analyzing, and
preserving cookies as part of an investigation or litigation.
3. Standard procedures for cookie storage and analysis include:

CYBER FORENSICS
 28

· Identifying and documenting the websites and web pages that have set the
cookies
· Collecting and analyzing cookies, including their content, expiration date,
and source
· Identifying and tracking the individuals or groups responsible for setting the
cookies
· Reconstructing the timeline of events and activities that occurred on the
website
· Documenting the entire process and preserving the chain of custody for
evidence
· Presenting the findings in a clear, concise, and unbiased manner in a report
or court testimony
· Following legal and ethical guidelines for handling digital evidence
· Continuously updating the knowledge and skills to keep up with the latest
technology and trends in cookie storage and analysis
4. Cookie storage and analysis can be used in various types of investigations, such as
cybercrime, fraud, intellectual property theft, and e-discovery in civil litigation.
5. It's worth noting that cookie storage and analysis requires a high level of technical
expertise and should be performed by trained and certified professionals.
6. It's also important to follow laws and regulations related to data privacy and digital
evidence, as the collection, analysis, and presentation of digital evidence must
comply with legal standards.

25.Analyzing Cache and temporary internet files.

CYBER FORENSICS
 29

Ans:
1. Cache and temporary internet files are types of data that are stored on a computer
or mobile device by web browsers to speed up the loading of frequently visited
websites.
2. Analyzing cache and temporary internet files refers to the process of collecting,
analyzing, and preserving this type of data as part of an investigation or litigation.
3. Standard procedures for analyzing cache and temporary internet files include:
· Identifying and documenting the web browsers and devices that have
stored the data
· Collecting and analyzing cache and temporary internet files, including their
content, expiration date, and source
· Identifying and tracking the individuals or groups responsible for creating or
accessing the data
· Reconstructing the timeline of events and activities that occurred on the
device or computer
· Documenting the entire process and preserving the chain of custody for
evidence
· Presenting the findings in a clear, concise, and unbiased manner in a report
or court testimony
· Following legal and ethical guidelines for handling digital evidence
· Continuously updating the knowledge and skills to keep up with the latest
technology and trends in cache and temporary internet files analysis
4. Analyzing cache and temporary internet files can be used in various types of
investigations, such as cybercrime, fraud, intellectual property theft, and e-
discovery in civil litigation.
5. It's worth noting that analyzing cache and temporary internet files requires a high
level of technical expertise and should be performed by trained and certified
professionals.

CYBER FORENSICS
 30

6. It's also important to follow laws and regulations related to data privacy and digital
evidence, as the collection, analysis, and presentation of digital evidence must
comply with legal standards.
7. It's also important to keep in mind that cache and temporary internet files can be
deleted or overwritten by the user or the system, so it's important to act quickly
and gather evidence as soon as possible.

26.Web browsing activity reconstruction.

Ans:
1. Web browsing activity reconstruction refers to the process of analyzing digital
evidence to understand the context, causes, and consequences of specific events
that occurred while browsing the web.
2. Standard procedures for web browsing activity reconstruction include:
· Identifying and documenting the web browsers, devices, and infrastructure
used
· Collecting and analyzing digital evidence, such as web browsing history,
cache, and cookies
· Identifying and tracking the individuals or groups responsible for the
activities or events
· Correlating data from different sources to provide a comprehensive view of
the activities or events
· Reconstructing the timeline of events and activities that occurred while
browsing the web
· Documenting the entire process and preserving the chain of custody for
evidence
· Presenting the findings in a clear, concise, and unbiased manner in a report
or court testimony
· Following legal and ethical guidelines for handling digital evidence

CYBER FORENSICS
 31

· Continuously updating the knowledge and skills to keep up with the latest
technology and trends in web browsing activity reconstruction
3. Web browsing activity reconstruction can be used in various types of
investigations, such as cybercrime, fraud, intellectual property theft, and threat
intelligence.
4. It's worth noting that web browsing activity reconstruction requires a high level of
technical expertise and should be performed by trained and certified professionals.
5. It's also important to follow laws and regulations related to data privacy and digital
evidence, as the collection, analysis, and presentation of digital evidence must
comply with legal standards.
6. It's also important to keep in mind that web browsers can have different settings,
features and ways of storing data and that it's important to have knowledge of
those particularities when conducting the analysis.

CYBER FORENSICS
 32

Unit III
Investigation, Evidence presentation and Legal aspects of Digital
Forensics:

27.Authorization to collect the evidence.

Ans:
1. Authorization to collect evidence refers to the legal process of obtaining
permission to access, seize, and preserve digital evidence for use in an
investigation or litigation.
2. Standard procedures for obtaining authorization to collect evidence include:
· Identifying the type of evidence that needs to be collected and the purpose
of the collection
· Determining the legal basis for the collection, such as a warrant, subpoena,
or consent
· Preparing a detailed plan for the collection, including the scope, methods,
and resources required
· Notifying the relevant parties, such as the owner or custodian of the
evidence, and obtaining their consent or providing them with notice of the
collection
· Documenting the entire process and preserving the chain of custody for
evidence
· Following legal and ethical guidelines for handling digital evidence

CYBER FORENSICS
 33

· Continuously updating the knowledge and skills to keep up with the latest
technology and trends in evidence collection
3. It's worth noting that obtaining authorization to collect evidence requires a high
level of technical expertise and should be performed by trained and certified
professionals.
4. It's also important to follow laws and regulations related to data privacy and digital
evidence, as the collection, analysis, and presentation of digital evidence must
comply with legal standards.
5. It's also important to keep in mind that different types of evidence may have
different legal requirements for collection, such as the requirement of a warrant,
and that it's important to be aware of those requirements to avoid any legal issues.
6. Also, it's important to keep in mind that the method of obtaining authorization to
collect evidence may vary depending on the jurisdiction.

28.Acquisition of Evidence, Authentication of the evidence.

Ans:
1. Acquisition of evidence refers to the process of collecting and preserving digital
evidence in a legally admissible manner.
2. Standard procedures for acquiring evidence include:
· Identifying and documenting the evidence to be collected
· Determining the legal basis for the collection, such as a warrant, subpoena,
or consent
· Preparing a detailed plan for the collection, including the scope, methods,
and resources required
· Collecting the evidence using appropriate methods and tools, such as disk
imaging and forensic duplication
· Documenting the entire process and preserving the chain of custody for
evidence
· Following legal and ethical guidelines for handling digital evidence

CYBER FORENSICS
 34

· Continuously updating the knowledge and skills to keep up with the latest
technology and trends in evidence collection
3. Authentication of evidence refers to the process of verifying the integrity,
authenticity and reliability of digital evidence.
4. Standard procedures for authenticating evidence include:
· Identifying and documenting the evidence to be authenticated
· Determining the legal basis for the authentication
· Preparing a detailed plan for the authentication
· Examining the evidence for signs of tampering, alteration or forgery
· Comparing the evidence with known standards
· Verifying the origin and integrity of the evidence
· Documenting the entire process and preserving the chain of custody for
evidence
· Following legal and ethical guidelines for handling digital evidence
· Continuously updating the knowledge and skills to keep up with the latest
technology and trends in evidence authentication
5. It's worth noting that both, acquiring evidence and authenticating it, require a high
level of technical expertise and should be performed by trained and certified
professionals.

29.Analysis of the evidence.

Ans:
1. Analysis of evidence refers to the process of examining, interpreting and evaluating
digital evidence to determine its relevance and significance in an investigation or
litigation.
2. Standard procedures for analyzing evidence include:
· Identifying and documenting the evidence to be analyzed
· Determining the legal basis for the analysis

CYBER FORENSICS
 35

· Preparing a detailed plan for the analysis, including the scope, methods, and
resources required
· Applying appropriate analytical techniques and tools, such as forensic
software, to extract and interpret data
· Examining the evidence for signs of tampering, alteration or forgery
· Comparing the evidence with known standards
· Verifying the origin and integrity of the evidence
· Identifying and tracking individuals or groups involved in the activities or
events under investigation
· Reconstructing the timeline of events and activities
· Documenting the entire process and preserving the chain of custody for
evidence
· Presenting the findings in a clear, concise, and unbiased manner in a report
or court testimony
· Following legal and ethical guidelines for handling digital evidence
· Continuously updating the knowledge and skills to keep up with the latest
technology and trends in evidence analysis
3. It's worth noting that analysis of evidence requires a high level of technical
expertise and should be performed by trained and certified professionals.
4. It's also important to follow laws and regulations related to data privacy and digital
evidence, as the collection, analysis, and presentation of digital evidence must
comply with legal standards.
5. It's also important to keep in mind that different types of evidence may have
different legal requirements for analysis and that it's important to be aware of
those requirements to avoid any legal issues.
6. It's also important to keep in mind that the method of analysis may vary depending
on the type of evidence and the aim of the investigation.

CYBER FORENSICS
 36

30.Reporting on the findings.

Ans:
1. Reporting on the findings refers to the process of documenting and communicating
the results of an investigation or analysis of digital evidence.
2. Standard procedures for reporting on the findings include:
· Identifying and documenting the scope, purpose and findings of the
investigation or analysis
· Summarizing the key facts, evidence, and conclusions in a clear, concise,
and unbiased manner
· Presenting the findings in a logical and coherent format, such as a report or
court testimony
· Including relevant details, such as timelines, individuals involved, and other
contextual information
· Identifying any limitations or uncertainties in the findings
· Providing recommendations for further action or investigation
· Documenting the entire process and preserving the chain of custody for
evidence
· Following legal and ethical guidelines for handling digital evidence
· Continuously updating the knowledge and skills to keep up with the latest
technology and trends in evidence reporting
3. It's worth noting that reporting on the findings requires a high level of technical
expertise and should be performed by trained and certified professionals.
4. It's also important to follow laws and regulations related to data privacy and digital
evidence, as the collection, analysis, and presentation of digital evidence must
comply with legal standards.
5. It's also important to keep in mind that different types of investigations may have
different reporting requirements and that it's important to be aware of those
requirements to avoid any legal issues.

CYBER FORENSICS
 37

6. It's also important to keep in mind that the method of reporting may vary
depending on the aim of the investigation, such as a court case, internal
investigation or threat intelligence.

31.Testimony.
Ans:
1. Testimony refers to the process of giving oral or written evidence in a court of law
or other legal proceeding.
2. Standard procedures for testimony include:
· Preparing a detailed statement or report of the evidence and findings
· Reviewing and practicing the testimony with a lawyer or other
representative
· Being familiar with the facts, evidence, and applicable laws and regulations
· Being able to explain technical concepts and procedures in a clear and
understandable manner
· Being able to answer questions clearly and honestly
· Being able to remain impartial and unbiased
· Being able to respond to challenges or objections to the evidence or
testimony
· Being able to maintain the chain of custody and integrity of the evidence
· Following legal and ethical guidelines for handling digital evidence
· Continuously updating the knowledge and skills to keep up with the latest
technology and trends in forensic testimony

CYBER FORENSICS
 38

3. It's worth noting that giving testimony requires a high level of technical expertise
and should be performed by trained and certified professionals.
4. It's also important to follow laws and regulations related to data privacy and digital
evidence, as the collection, analysis, and presentation of digital evidence must
comply with legal standards.
5. It's also important to keep in mind that different types of legal proceedings may
have different requirements for testimony and that it's important to be aware of
those requirements to avoid any legal issues.
6. It's also important to keep in mind that the method of giving testimony may vary
depending on the jurisdiction and the type of legal proceeding.

Introduction to Legal aspects of Digital Forensics:

32. Laws & regulations.
Ans:
1. Laws and regulations refer to the legal framework that governs the collection,
analysis, and presentation of digital evidence in investigations and litigations.
2. Standard procedures for following laws and regulations include:
· Being familiar with the applicable laws and regulations, such as the Federal
Rules of Evidence (FRE) and the Federal Rules of Criminal Procedure (FRCP)
in the US
· Understanding the legal requirements for the collection, analysis, and
presentation of digital evidence, such as the requirement for a warrant or
subpoena
· Being aware of the legal standards for admissibility of digital evidence, such
as the best evidence rule and the authenticity requirement
· Understanding the legal protections for privacy and civil liberties, such as
the Fourth Amendment in the US
· Being aware of the legal requirements for expert testimony, such as the
Daubert standard in the US

CYBER FORENSICS
 39

· Following ethical guidelines for handling digital evidence, such as the

American Academy of Forensic Sciences (AAFS) and the International
Association of Computer Science and Information Technology (IACSIT)
· Continuously updating the knowledge and skills to keep up with the latest
laws and regulations related to digital evidence.
3. It's worth noting that following laws and regulations requires a high level of
technical expertise and should be performed by trained and certified professionals.
4. It's also important to be aware that laws and regulations may vary depending on
the jurisdiction and the type of investigation or litigation.
5. It's also important to note that laws and regulations related to digital evidence are
constantly evolving and changing, so staying up-to-date is crucial to ensure
compliance.

33. Information Technology Act.

Ans:
The Information Technology Act (IT Act) is a law in India that governs legal issues related
to digital technology and the internet. It was first enacted in 2000 and has been amended
several times to keep up with the rapidly changing digital landscape. Here are some key
points about the IT Act:
1. The IT Act defines legal framework for electronic transactions, digital signatures,
and certification authorities.
2. It criminalizes hacking, identity theft, and other cybercrimes, and sets out penalties
for such offenses.
3. It provides for the establishment of a Cyber Appellate Tribunal to hear appeals in
cases related to cybercrime.
4. It also provides for the establishment of a Cyber Regulation Advisory Committee
to advise the government on issues related to the Act.
5. The act also provides for the appointment of a Controller of Certifying Authorities
to regulate the issuance of digital certificates

CYBER FORENSICS
 40

6. The act also provides for the establishment of a Computer Emergency Response
Team (CERT-In) to respond to and handle cyber security incidents.
7. The IT Act also provides for the regulation of intermediaries, such as internet
service providers (ISPs) and social media platforms, to ensure compliance with the
Act and to protect the rights of users.
8. The act also regulates the collection, storage and handling of sensitive personal
data or information.
9. The IT Act is regularly amended to keep up with the latest trends and
developments in digital technology and the internet.
10. It's important to note that the IT Act is a dynamic and constantly evolving
legislation, and it's important to stay updated with the latest amendments and
regulations to ensure compliance.

34.Giving Evidence in court.

Ans:
Giving evidence in court refers to the process of presenting and testifying about digital
evidence in a legal proceeding. Here are some key points to consider when giving
evidence in court:
1. Familiarize yourself with the facts of the case and the relevant evidence that you
will be presenting.
2. Review the relevant laws and regulations, such as the Federal Rules of Evidence
(FRE) and the Federal Rules of Criminal Procedure (FRCP) in the US, to ensure that
your evidence is admissible and meets the legal requirements.
3. Prepare a detailed report or statement that clearly and concisely summarizes the
key facts, evidence, and conclusions of your investigation or analysis.
4. Practice your testimony with a lawyer or other representative to ensure that you
can explain technical concepts and procedures in a clear and understandable
manner.
5. Be prepared to answer questions from the judge, opposing counsel, and the jury
in a clear and honest manner.

CYBER FORENSICS
 41

6. Remain impartial and unbiased throughout your testimony.

7. Be prepared to respond to challenges or objections to the evidence or testimony
and to maintain the chain of custody and integrity of the evidence.
8. Follow legal and ethical guidelines for handling digital evidence and be aware of
the legal requirements for expert testimony, such as the Daubert standard in the
US.
9. Continuously update your knowledge and skills to keep up with the latest
technology and trends in forensic testimony.
10. Be aware that giving evidence in court may require a high level of technical
expertise and should be performed by trained and certified professionals.
11. Be prepared to explain and demonstrate your methods and techniques to the
court and be willing to admit if you don't know the answer to a question.
12. It's also important to keep in mind that the method of giving evidence in court may
vary depending on the jurisdiction and the type of legal proceeding.

35.Case Study – Cyber Crime cases.

Ans:
A case study is a detailed examination of a specific event, situation or incident. Here are
some key points to consider when analyzing a case study of a cybercrime case:
1. Understand the background and context of the case, including the individuals,
organizations, and technology involved.
2. Identify the specific cybercrime that was committed, such as hacking, identity
theft, or data breaches, and the relevant laws and regulations that were violated.
3. Analyze the methods and techniques used by the cybercriminals to commit the
crime, such as malware, phishing, or social engineering.
4. Assess the damage caused by the crime, including financial losses, reputation
damage, and personal harm.

CYBER FORENSICS
 42

5. Evaluate the effectiveness of the response and investigation, including the actions
taken by law enforcement and the measures implemented to prevent similar
crimes from happening in the future.
6. Identify the key lessons learned from the case and the best practices that can be
applied to prevent or respond to similar cybercrime cases.
7. Understand the factors that made the organization vulnerable to the attack and
what could have been done to prevent the attack.
8. Understand the legal requirements for handling digital evidence in cybercrime
cases and the process of collecting, analyzing and reporting the evidence.
9. Understand the legal and ethical guidelines for handling digital evidence, and the
legal requirements for expert testimony.
10. Continuously update your knowledge and skills to keep up with the latest
technology and trends in cybercrime and digital forensics.
11. Understand the importance of collaboration between different organizations and
agencies in dealing with cybercrime cases.
12. Understand the importance of public awareness and education in preventing
cybercrime.

CYBER FORENSICS