B.Sc.

-ANCS (Semester VI)

Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

Study Material
(Digital Forensics – BNCSC602)
Table of Contents

Sl. Content Page No

No.
1. Module I: Forensics Science, Computer Forensics, Digital Forensics and Computer Crime 2-33

2. Module II: Incident- Response Methodology, Cybercrime Scene Analysis 34-54

3. Module III: Image Capturing and Authenticating Evidence 55-90

4. Module IV: Computer Forensics 91-112

5. Module V: Network Forensics 113-133

6. Module VI: Mobile Forensics 134-152

1
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

MODULE I: FORENSIC SCIENCE AND COMPUTER CRIME

Digital Forensics:
Computer forensics, now most commonly called “digital forensics,” has been a professional field for
many years, but most well-established experts in the field have been self-taught. The growth of the
Internet and the worldwide proliferation of computers have increased the need for digital investigations.
Computers can be used to commit crimes, and crimes can be recorded on computers, including company
policy violations, embezzlement, e-mail harassment, murder, leaks of proprietary information, and even
terrorism. Law enforcement, network administrators, attorneys, and private investigators now rely on
the skills of professional digital forensics experts to investigate criminal and civil cases.

Forensic Science:
Forensic science involves the application of the natural, physical, and social sciences to matters of law.
Forensic science refers to the application of natural, physical, and social sciences to matters of the law.
Most forensic scientists hold that investigation begins at the scene, regardless of their associated field.
The proper investigation, collection, and preservation of evidence are essential for fact-finding and for
ensuring proper evaluation and interpretation of the evidence, whether the evidence is bloodstains,
human remains, hard drives, ledgers, and files or medical records. Scene investigations are concerned
with the documentation, preservation, and evaluation of a location in which a criminal act may have
occurred and any associated evidence within the location for the purpose of reconstructing events using
the scientific method. The proper documentation of a scene and the subsequent collection, packaging,
and storage of evidence are paramount. Evidence must be collected in such a manner to maintain its
integrity and prevent loss, contamination, or deleterious change. Maintenance of the chain of custody of
the evidence from the scene to the laboratory or a storage facility is critical. A chain of custody refers to
the process whereby investigators preserve evidence throughout the life of a case. It includes information
about: who collected the evidence, the manner in which the evidence was collected, and all individuals
who took possession of the evidence after its collection and the date and time which such possession

2
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
took place. Significant attention has been brought to the joint scientific and investigative nature of scene
investigations. Proper crime scene investigation requires more than experience; it mandates analytical
and creative thinking as well as the correct application of science and the scientific method. There is a
growing movement toward a shift from solely experiential-based investigations to investigations that
include scientific methodology and thinking. One critic of the experience-based approach lists the
following pitfalls of limiting scene investigations to lay individuals and law enforcement personnel: lack
of scientific supervision and oversight, lack of understanding of the scientific tools employed and
technologies being used at the scene, and an overall lack of understanding of the application of the
scientific method to develop hypotheses supported by the evidence (Schaler 2012). Another criticism is
that some investigators (as well as attorneys) will draw conclusions and then obtain (or present) evidence
to support their version of events while ignoring other types of evidence that do not support their version
or seem to contradict their version (i.e., confirmation bias). Many advocates of the scientific-based
approach believe that having scientists at the scene will minimize bias and allow for more objective
interpretations and reconstructions of the events under investigation.

What is the History of Digital Forensics?

The history of digital forensics traces back to the pre-1970s era when cybercrimes were addressed under
existing laws. The first recognition of cybercrimes occurred in the 1978 Florida Computer Crimes Act,
which targeted unauthorized data modification or deletion. As computer crimes expanded, state and
federal laws were enacted globally, with Canada leading in 1983, followed by the United States in 1986,
Australia in 1989, and Britain in 1990.

In the 1980s and 1990s, the surge in cybercrime prompted the establishment of specialized national units
for technical investigations by law enforcement agencies, such as the FBI's Computer Analysis and
Response Team and the British Metropolitan Police's computer crime department. Notably, the pursuit
of hacker Markus Hess in 1986 marked one of the early practical applications of digital forensics by
Cliff Stoll.

3
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
The 1990s witnessed a growing demand for digital forensic resources, leading to the maturation of the
field from ad-hoc tools to a more structured discipline. By 1992, the term "computer forensics" appeared
in academic literature, though the discipline still faced challenges like a lack of standardization and
training.

The 2000s saw increased standardization efforts as law enforcement shifted to regional units, prompting
the creation of guidelines and groups like the British National Hi-Tech Crime Unit. The Scientific
Working Group on Digital Evidence (SWGDE) published Best Practices for Computer Forensics in
2002. The Convention on Cybercrime in 2004 aimed to harmonize global computer crime laws, and in
2005, an ISO standard for digital forensics (ISO 17025) was released.

However, the field encountered ongoing challenges, including biases in research favoring Windows
operating systems, the rise of internet crime, cyber warfare, and terrorism. In 2010, concerns were raised
about the increasing size of digital media, encryption, diverse operating systems, training issues, and
high entry costs in digital forensics. Despite these challenges, the field continued to evolve with
increased attention to training programs and standardization efforts.

Evolution of Digital Forensics:

Era Key Developments

1970s- Birth of 'Computer Forensics', Manual investigations with floppy disks and mainframes,
1980s Landmark cases: 414s hacking group, Morris’s worm attack

Specialization and dedicated tools for data acquisition, analysis, and reporting, Focus on evidence
1990s- admissibility and standardized methodologies (e.g., ACPO Guidelines), Expansion beyond crime
2000s to corporate investigations, data breaches, and e-discovery

4
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
Challenges with cloud computing, mobile devices, and encrypted storage, Advanced threats and
2010s- Big Data: cybercrime, network forensics, incident response, Automation and AI for faster
2020s processing, evidence identification, and proactive threat detection

Emerging technologies: blockchain, cryptocurrency, IoT, Balancing digital investigation with

Future privacy and ethics

Laws and Principles of Forensic Science:

• Law of Individuality
• Law of Progressive change
• Principle of Comparison
• Principle of Analysis
• Principle of Exchange (Locard’s principle of Exchange)
• Law of Probability Law of Circumstantial facts.

5
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
1) Law of Individuality -
This law states that, “Every object whether natural or man-made has a distinctive quality or
characteristic in it which is not duplicated in any other object,” in other words, no two things in this
universe are alike. Most common example is the human fingerprints; they are unique, permanent and
prove individuality of a person. Even the twins did not have the same fingerprints. Consider grains of
sand, salt, seeds or man-made objects such as currency notes, laptop, typewriter, etc. they may look
similar but a unique characteristic is always present between them.
2) Law of Progressive Change –
This principle emphasizes that, “Everything changes with the passage of time and nothing remains
constant. “The changing frequency varies from sample to sample and on different objects. The crime
scene must be secured in time otherwise a change in weather (rain, heat, wind), presence of
animals/humans, etc. affects the crime scene. For example, a road accident on a busy highway may
lose all essential evidence if not properly secured on time.
3) Locard’s principle of Exchange (Law of exchange) –
This principle was stated by French scientist -Edmond Locard (a pioneer in criminology and forensic
science). Law of exchange states that, “As soon as two things come in connection with each other,
they mutually interchange the traces between them.” Whenever criminal or his weapon/instrument
made connection with the victim or the things surrounding him he left some traces at crime scene and
also picked up the traces from the area or person he has been in contacted with (mutual exchange of
matter). These traces are very helpful for investigation purposes as these traces are identified by the
expert and linked to its original source resulted in the decisive linkage of the criminal with the crime
scene and the victim. This law forms the basis of scientific crime investigation.
4) Principle of Comparison –
For laboratory Investigation this law is very important. The law state that “Only the likes can be
compared”. It highlights the requirement of providing like samples and specimens for evaluation with
the questioned items’

6
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
For example, if the murder is done by a firearm weapon, then it is useless to send a knife for
comparison. So, the important condition of this principle is to supply specimen/samples of like nature
for proper assessment with the questioned sample discovered from the crime scene.
5) Principle of Analysis –
This principle states that, “The quality of any analysis would be better by collection of correct samples
and its correct preservation in the prescribed manner”. This leads to better result and avoid tampering,
contamination and destruction of a sample. If you collect a hard disk in a paper bag, it can be damaged
when it falls within the range of a strong electromagnetic field resulted in poor results. Hence, always
appropriate and effective collection and packaging techniques must be used.
6) Law of Probability –
This law states that, “All identifications (definite or indefinite), made consciously or unconsciously
on the basis of probability.” The perpetrator blood group is also the blood group of various people is
high, but the probability of the same occurring in the case is low.
7) Law of Circumstantial facts -
According to this law, “Facts cannot be wrong, they cannot lie not wholly absent but men can and do.”
This law emphasizes the significance of circumstantial facts and supports that a statement given by a
human may or may not be accurate. In an investigation identified and discovered facts are more
accurate and reliable than any eyewitness.
Forensic science by these principles is used for recognition, identification; individualization of pieces
of evidence collected from the scene of crime and guides the criminal proceedings from the discovery
of a crime to the conviction of the accused, helping the process of investigation.

Some important Terminologies of Digital Forensics:

Digital forensics:
Digital forensics or digital forensic science is a branch of cybersecurity focused on the recovery and
investigation of material found in digital devices and cybercrimes. Digital forensics was originally

7
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
used as a synonym for computer forensics but has expanded to cover the investigation of all devices
that store digital data.
As society increases reliance on computer systems and cloud computing, digital forensics becomes a
crucial aspect of law enforcement agencies and businesses. Digital forensics is concerned with the
identification, preservation, examination and analysis of digital evidence, using scientifically accepted
and validated processes, to be used in and outside of a court of law. While its root stretch back to the
personal computing revolution in the late 1970s, digital forensics begun to take shape in the 1990s
and it wasn't until the early 21st century that countries like the United States begun rolling out nation-
wide policies. Today, the technical aspect of an investigation is divided into five branches that
encompass the seizure, forensic imaging and analysis of digital media.
Computer forensics:
Computer forensics is the process of methodically examining computer media (hard disks, diskettes,
tapes, etc.) for evidence. In other words, computer forensics is the collection, preservation, analysis,
and presentation of computer-related evidence. Computer forensics also referred to as computer
forensic analysis, electronic discovery, electronic evidence discovery, digital discovery, data
recovery, data discovery, computer analysis, and computer examination. Computer evidence can be
useful in criminal cases, civil disputes, and human resources/ employment proceedings.
Mobile forensics:
The National Institute of Standards and Technology (NIST) defines mobile forensics or cell phone
forensics as "the science of recovering digital evidence from a mobile phone under forensically sound
conditions using accepted methods." It is one of the specialties under digital forensics.
Network Forensics:
“Network forensics is a science that centers on the discovery and retrieval of information surrounding
a cybercrime within a networked environment. Common forensic activities include the capture,
recording and analysis of events that occurred on a network in order to establish the source of
cyberattacks.”

8
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

Database Forensics:
Database forensics is a branch of digital forensics related to databases and their related metadata.
Cached information may also exist in a server's RAM requiring live analysis techniques. A forensic
examination of a database may relate to timestamps that apply to the update time of a row in a
relational database that is being inspected and tested for validity to verify the actions of a database
user. Alternatively, it may focus on identifying transactions within a database or application that
indicate evidence of wrongdoing, such as fraud.

Forensic image:
A forensic image (forensic copy) is a bit-by-bit, sector-by-sector direct copy of a physical storage
device, including all files, folders and unallocated, free and slack space.

Digital footprint:
A digital footprint – sometimes called a digital shadow or an electronic footprint – refers to the trail
of data you leave when using the internet. It includes websites you visit, emails you send, and
information you submit online.

What is the Purpose of Digital Forensics?

The most common use of digital forensics is to support or refute a hypothesis in a criminal or civil
court:
Criminal cases: Involve the alleged breaking of laws and law enforcement agencies and their
digital forensic examiners.
Civil cases: Involve the protection of rights and property of individuals or contractual disputes
between commercial entities where a form of digital forensics called electronic discovery
(eDiscovery) may be involved.

9
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
Digital forensics experts are also hired by the private sector as part of cybersecurity and information
security teams to identify the cause of data breaches, data leaks, cyber-attacks and other cyber threats.
Digital forensic analysis may also be part of incident response to help recover or identify any sensitive
data or personally identifiable information (PII) that was lost or stolen in a cybercrime.

What are Digital Forensics Used For?

Digital forensics is used in both criminal and private investigations.
Traditionally, it is associated with criminal law where evidence is collected to support or negate a
hypothesis before the court. Collected evidence may be used as part of intelligence gathering or to
locate, identify or halt other crimes. As a result, data gathered may be held to a less strict standard
than traditional forensics.

What is the Digital Forensics Investigation Process?

There are a number of process models for digital forensics, which define how forensic examiners
should gather, process and analyze data. That said, digital forensics investigations commonly consist
of four stages:
1. Seizure: Prior to actual examination digital media is seized. In criminal cases, this will be performed
by law enforcement personnel to preserve the chain of custody.
2. Acquisition: Once exhibits are seized, a forensic duplicate of the data is created. Once created using
a hard drive duplicator or software imaging tool then the original drive is returned to a secure storage
to prevent tampering. The acquired image is verified with SHA1 or MD5 hash functions and will be
verified again throughout analysis to verify the evidence is still in its original state.
3. Analysis: After acquisition, files are analyzed to identify evidence to support or contradict a
hypothesis. The forensic analyst usually recovers evidence material using a number of methods (and
tools), often beginning with the recovery of deleted information.

10
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
The type of data analyzed varies but will generally include email, chat logs, images, internet history
and documents. The data can be recovered from accessible disk space, deleted space or from the
operating system cache.
4. Reporting: Once the investigation is complete, the information is collated into a report that is
accessible to non-technical individuals. It may include audit information or other meta documentation.

What Tools Do Digital Forensic Examiners Use?

In the 1980s, very few digital forensic tools existed forcing forensic investigators to perform live
analysis, using existing sysadmin tools to extract evidence. This carried the risk of modifying data on
the disk which led to claims of evidence tampering. The need for software to address this problem
was first recognized in 1989 at the Federal Law Enforcement Training Center and resulted in the
creation of IMDUMP and SafeBack.
DIBS, a hardware and software solution, was released commercially in 1991. These tools create an
exact copy of a piece of digital media to work on while leaving the original disk intact for verification.
By the end of the 1990s, the demand for digital evidence meant more advanced tools such as EnCase
and FTK were developed, allowing analysts to examine copies of media without live forensics. There
is now a trend towards live memory forensics using tools such as WindowsSCOPE and tools for
mobile devices.
Today, there are single-purpose open-source tools like Wireshark, a packet sniffer, and HashKeeper, a
tool to speed up examination of database files. As well as commercial platforms with multiple
functions and reporting capabilities like Encase or CAINE, an entire Linux distribution designed for
forensics programs.
In general tools can be broken down into the following ten categories:
1. Disk and data capture tools
2. File viewers
3. File analysis tools
4. Registry analysis tools

11
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
5. Internet analysis tools
6. Email analysis tools
7. Mobile devices analysis tools
8. Mac OS analysis tools
9. Network forensics tools
10. Database forensics tools
Some of the tools we use -
1. Autopsy
2. FTK image
3. Wireshark

COMPUTER CRIME:
Computer crime or alternatively referred to as cyber-crime, e-crime, electronic crime, or hi-tech crime.
Computer crime is an act performed by a knowledgeable computer user, sometimes referred to as a
hacker that illegally browses or steals a company's or individual's private information.
In some cases, this person or group of individuals may be malicious and destroy or otherwise corrupt
the computer or data files. Why do people commit computer crimes? In most cases, someone commits
a computer crime to obtain goods or money. Greed and desperation are powerful motivators for some
people to try stealing by way of computer crimes. Some people may also commit a computer crime
because they are pressured, or forced, to do so by another person. Some people also commit a
computer crime to prove they can do it. A person who can successfully execute a computer crime may
find great personal satisfaction in doing so. These types of people, sometimes called black hat hackers,
like to create chaos, wreak havoc on other people and companies. Another reason computer crimes
are sometimes committed is because people are bored. They want something to do and don't care if
they commit a crime.
Examples of computer crimes Below is a list of the different types of computer crimes today. Clicking
any of the links gives further information about each crime.
Child pornography - Making, distributing, storing, or viewing child pornography.

12
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
Copyright violation - Stealing or using another person's Copyrighted material without permission.
Cracking - Breaking or deciphering codes designed to protect data.
Cyber terrorism - Hacking, threats, and blackmailing towards a business or person.
Cyberbully or Cyberstalking - Harassing or stalking others online.
Cybersquatting - Setting up a domain of another person or company with the sole intention of
selling it to them later at a premium price.
Creating Malware - Writing, creating, or distributing malware (e.g., viruses and spyware.)
Data diddling - Computer fraud involving the intentional falsification of numbers in data entry.
Denial of Service attack - Overloading a system with so many requests it cannot serve normal
requests.
Doxing - Releasing another person's personal information without their permission.
Espionage - Spying on a person or business.
Fraud - Manipulating data, e.g., changing banking records to transfer money to an account or
participating in credit card fraud.
Green Graffiti - A type of graffiti that uses projectors or lasers to project an image or message onto
a building. Harvesting - Collect account or account-related information on other people.
Human trafficking - Participating in the illegal act of buying or selling other humans. Identity
theft - Pretending to be someone you are not.
Illegal sales - Buying or selling illicit goods online, including drugs, guns, and psychotropic
substances.
Intellectual property theft - Stealing practical or conceptual information developed by another
person or company.
IPR violation - An intellectual property rights violation is any infringement of another's Copyright,
patent, or trademark.
Phishing or vishing - Deceiving individuals to gain private or personal information about that
person.
Ransomware - Infecting a computer or network with ransomware that holds data hostage until a
ransom is paid.
13
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
Salami slicing - Stealing tiny amounts of money from each transaction.
Scam - Tricking people into believing something that is not true.
Slander - Posting libel or slander against another person or company.
Software piracy - Copying, distributing, or using software that was not purchased by the user of
the software. Spamming - Distributed unsolicited e-mail to dozens or hundreds of different
addresses.
Spoofing - Deceiving a system into thinking you are someone you're not.
Swatting - The act of calling in a false police report to someone else's home.
Theft - Stealing or taking anything (e.g., hardware, software, or information) that doesn't belong to
you.
Typosquatting - Setting up a domain that is a misspelling of another domain.
Unauthorized access - Gaining access to systems you have no permission to access.
Vandalism - Damaging any hardware, software, website, or other object.
Wiretapping - Connecting a device to a phone line to listen to conversations.

CRIMINALISTICS:
The criminal justice system in America is the overarching establishment through which crimes and
those who commit them are discovered, tried, and punished. This includes all of the institutions of
government aimed at upholding social order, deterring and mitigating crime, and sanctioning those
who violate the law, such as law enforcement and the court and jail systems.
Criminology and criminalistics are two subsets of the criminal justice system. Criminology relates to
studying and preventing crime—typically with behavioral sciences like sociology, psychology, and
anthropology. Criminalistics refers to a type of forensics—the analysis of physical evidence from a
crime scene. While criminology has preventative components, criminalistics comes into effect only
after a crime has been committed.
A criminalist applies scientific principles to the recognition, documentation, preservation, and analysis
of physical evidence from a crime scene. Criminalistics can also include crime scene investigations.

14
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
The Bureau of Labor Statistics (BLS) classifies criminalists as forensic science technicians. Most
professionals regard criminalistics as a specialty within the field of forensic science.

What do criminalists do?

Criminalists use their knowledge of physical and natural science to examine and analyze every piece
of evidence from a crime scene. They prepare written reports of their findings and may have to present
their conclusions in court. A criminalist is not involved in determining the guilt or innocence of an
accused individual. Their job, rather, is to present an objective analysis of the evidence.
Criminalistics has many fields of specialization. Specialties include, but are not limited to:
Alcohol and drugs
Arson
Blood and tissue spatter
Computer forensics
DNA
Explosions
Serology (examining and analyzing body fluids)
Toxicology
Firearms and tool marks
Trace evidence
Wildlife (analyzing evidence against poachers)
As long as crimes continue to be committed, there will always be work for criminalists. A criminal
will always leave evidence, no matter how small, according to forensic scientist and “Father of
Criminalistics” Paul L. Kirk.

15
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

CRIMINALISTICS IN POLICE INVESTIGATIONS:

A report from the National Institute of Justice outlined the role of criminalistics in police work.
Criminalists investigate a variety of crimes, including domestic and aggravated assaults, burglary,
robbery, sexual violence, and homicide.
Here are the basic functions completed by criminalists:
Establishing an element of the crime:
It’s important for criminalists to establish proof that a crime occurred and to determine the cause
and manner of death. Autopsies will help confirm the latter, while sending crime scene samples of
blood, drugs, or semen, for example, could help determine the crime itself.
Identification of a suspect or victim:
Fingerprint and DNA testing are two examples of forensic evidence that criminalists use to identify
an offender.
Associative evidence:
This type of scientific finding can help link the offender to the victim.
Examples of associative evidence include hair follicles, blood, semen, fingerprints left on an object,
foot impressions, and more.
Reconstruction:
Criminalists try to reconstruct how the crime happened using evidence from the crime scene.
For example, certain evidence on a gunshot victim can discern the distance between a victim and the
shooter.
Corroboration:
Physical evidence from a crime scene can corroborate or refute information that investigators collect
during interviews with witnesses, victims and suspects.

16
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

CRIMINALISTICS IN REAL TIME:

The FBI and U.S. Department of Justice distribute a guide for criminalist protocols when responding
to a crime scene. Here’s what the Justice Department recommends takes place.
Arrival/Initial Response:
Upon arriving on the scene, criminalists should attempt to preserve the crime scene with minimal
disturbance of the physical evidence.
Criminalists should make initial observations to assess the scene while ensuring officer safety and
security.
They should react with caution. Offenders could still be at the crime scene and criminalists should
remain alert and attentive until the crime scene is declared clear of danger.
Documentation and Evaluation:
The investigator(s) in charge should set responsibilities, share preliminary information and develop
investigative plans in compliance with department policy and local, state and federal laws.
Criminalists should speak with the first responders regarding observations from the crime scene
before evaluating safety issues at the scene, establishing a path of exit and entry, and initial scene
boundaries.
If multiple scenes exist, criminalists should establish and maintain communication with personnel
at those sites.
Processing the Scene:
Based on the type of incident and complexity of the crime scene, criminalists should determine
team composition on site.
Criminalists will assess the scene to determine which specialized resources are required. For
example, forensic examiners could be called to the scene, or a coroner to investigate a cadaver.
Completing and Recording the Crime Scene Investigation:
Criminalists should establish a crime scene debriefing team, which enables all law enforcement
bodies to share information about findings before the scene is released.

17
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
Criminalists determine what evidence was collected, discuss the preliminary scene findings with
scene personnel, discuss potential forensic tests that will take place, and initiate any action required
to complete the crime scene investigation.

Analysis of Cyber Criminalistics Area:

Cyber criminalistics refers to the scientific examination, investigation, and analysis of cybercrimes,
employing various methodologies and technologies to uncover, prevent, and mitigate digital threats.
This field encompasses a broad range of activities aimed at understanding, investigating, and
combating cybercriminal activities.
Key Components:
• Digital Forensics: Involves the collection, preservation, and analysis of digital evidence from
computers, networks, and other digital devices. It aids in reconstructing events, identifying
culprits, and providing evidence in legal proceedings.
• Incident Response: Rapid and organized reaction to cyber incidents, aiming to minimize damage,
recover data, and restore normal operations. This involves identifying, analyzing, and mitigating
the impact of cyber threats.
• Malware Analysis: Study of malicious software to understand its functionality, behavior, and
impact. It involves reverse engineering to uncover the code and mechanisms used by malware
for malicious purposes.
• Cyber Threat Intelligence: Gathering and analyzing information about potential threats to
anticipate, prevent, and respond to cyber-attacks. This involves monitoring threat actors, their
tactics, techniques, and procedures.

Challenges and Techniques:

Encryption and Anonymity: Criminals leverage encryption and anonymity tools to hide their activities,
making it challenging for investigators to trace and attribute cybercrimes.

18
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
• Data Volume and Complexity: The sheer volume and complexity of digital data require
advanced tools and methodologies to process, analyze, and derive meaningful insights for
investigations.
• Attribution and Jurisdiction: Identifying and attributing cybercrimes to specific individuals or
groups across international borders poses significant challenges in terms of jurisdiction and legal
frameworks.
• Emerging Threats: Constantly evolving tactics of cybercriminals, including AI-based attacks,
ransomware, and supply chain vulnerabilities, demand ongoing research and adaptive strategies.

HOLISTIC APPROACH TO CYBER-FORENSICS:

A holistic approach to cyber-forensics involves comprehensive and integrated methodologies to
investigate, analyze, and respond to cyber incidents. It encompasses a wide spectrum of practices that
consider technical, legal, ethical, and procedural aspects to ensure a thorough and effective
investigation.
Key Elements:
• Integration of Disciplines: Combining diverse fields such as digital forensics, network security,
law enforcement, and legal expertise to address cyber incidents from multiple angles. This
interdisciplinary approach ensures a more complete understanding of the incident.
• End-to-End Investigation: Encompassing the entire lifecycle of an incident, starting from initial
detection and response through evidence collection, analysis, and legal proceedings. It involves
preserving the chain of custody and maintaining the integrity of digital evidence.
• Proactive Measures: Involves not only reactive investigation but also proactive measures to
prevent future incidents. This includes risk assessment, security audits, and the implementation
of robust security measures based on findings from past incidents.
• Continuous Learning and Improvement: Emphasizes ongoing learning and adaptation to keep
pace with evolving cyber threats. It involves staying updated with new forensic techniques, tools,
and emerging technologies.

19
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

Approach and Methodologies:

• Preservation and Collection: Identifying, preserving, and collecting digital evidence while
ensuring its integrity and authenticity. This involves employing specialized tools and techniques
to extract and document evidence from various sources.
• Analysis and Reconstruction: Thoroughly examining and reconstructing events using forensic
tools and methodologies. This includes examining logs, memory dumps, network traffic, and
other digital artifacts to understand the sequence of activities.
• Correlation and Attribution: Connecting disparate pieces of evidence to establish a coherent
narrative and attribute actions to specific individuals or entities. This involves linking technical
evidence with contextual information.
• Reporting and Legal Compliance: Documenting findings in a clear and concise manner suitable
for legal proceedings. Adhering to legal and regulatory requirements while ensuring the
confidentiality, integrity, and availability of evidence.

Advantages and Future Directions:

• Comprehensive Risk Mitigation: A holistic approach enables organizations to identify
vulnerabilities across various aspects of their systems and operations, leading to more effective
risk mitigation strategies.
• Adaptive Security Posture: By understanding the entire incident lifecycle, organizations can
develop more adaptive security postures that respond to emerging threats in real-time.
• AI and Automation: Leveraging AI and automation to enhance the efficiency and effectiveness
of forensic investigations, allowing for faster analysis of vast amounts of data.
• Ethical Considerations: Incorporating ethical considerations into investigations, including
privacy protection, data handling, and maintaining a balance between security and individual
rights.

20
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
In conclusion, a holistic approach to cyber-forensics is essential in today's complex digital landscape.
It integrates technical, legal, and procedural aspects, enabling a comprehensive understanding of cyber
incidents and facilitating more robust responses to mitigate risks and protect digital assets.

How do criminalities relate to cybercrime?

Criminality, in a broad sense, refers to activities or behaviors that violate laws and norms established
by society. Cybercrime is a specific type of criminal activity that occurs in the digital realm, involving
computers, networks, or the internet. The relationship between criminality and cybercrime lies in the
fact that cybercriminals engage in unlawful activities within the digital sphere, often using technology
as a means to perpetrate various illegal actions.
Here's how criminality and cybercrime are related:
• Illegal Activities in Digital Space: Cybercriminals conduct unlawful activities using computers,
networks, or online platforms. These activities may include hacking, phishing, identity theft,
fraud, distribution of malware, cyberstalking, online harassment, and more.
• Violation of Laws and Regulations: Cybercrimes involve the violation of laws, regulations,
and ethical standards established to govern online behavior and protect individuals,
organizations, and governments from digital threats.
• Intent to Cause Harm or Gain: Like traditional criminal behavior, cybercriminals often have
motives that involve causing harm, financial gain, or personal satisfaction. They exploit
vulnerabilities in digital systems for personal or financial benefit, causing damage to individuals,
businesses, or governments.
• Cross-Border Nature: Cybercrime is often transnational, crossing geographical boundaries and
jurisdictions. Criminals can launch attacks from one country targeting individuals or entities
located in another, making it challenging to trace and prosecute offenders.
• Use of Technology for Criminal Purposes: Criminality in the digital space involves leveraging
technology and exploiting weaknesses in software, networks, or human behavior to commit

21
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
crimes. This dynamic nature allows cybercriminals to constantly adapt and evolve their tactics
to avoid detection.
• Impact on Society and Individuals: Cybercrime poses significant threats to individuals'
privacy, financial security, and personal safety, as well as to the stability of businesses and
critical
infrastructure. It can disrupt services, steal sensitive information, and undermine trust in digital
systems.

In summary, criminality and cybercrime are interconnected as cybercriminals engage in illegal

activities within the digital realm, exploiting technological vulnerabilities and using the internet as a
tool for various criminal purposes. Understanding this relationship is crucial in developing effective
measures to prevent, investigate, and combat cybercrimes in today's interconnected world.

Legal Aspects of Digital Forensics, IT Act 2000 and amendment of IT Act 2008:
The Information Technology (IT) Act, 2000 is a significant legislation in India that deals with various
aspects of electronic communication, digital records, and cybersecurity. Over the years, several
amendments have been made to the Act to address emerging challenges and technological
advancements. One of the key amendments was the Information Technology (Amendment) Act, 2008.
Information Technology Act, 2000:
Overview: The IT Act, 2000 was enacted to provide legal recognition for electronic records and
facilitate e-commerce, e-governance, and other online activities. It addresses issues related to digital
signatures, hacking, data protection, and electronic communication.
Key Provisions:
1. Digital Signatures: Recognizes digital signatures as legally valid and provides the framework for
their usage.
2. Cybercrimes and Offenses: Criminalizes unauthorized access, hacking, data theft, and computer-
related offenses.

22
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
3. Data Protection and Privacy: Addresses issues related to data protection, privacy, and confidentiality
of electronic information.
4. Role in Digital Forensics: The IT Act, 2000 plays a crucial role in digital forensics by providing
legal validity to electronic evidence and establishing procedures for its collection, preservation, and
presentation in courts.

Information Technology (Amendment) Act, 2008:

The Amendment Act of 2008 was introduced to enhance the scope and effectiveness of the IT Act,
2000. Some of the significant changes include:
1. Expansion of Offenses: The amendment expanded the scope of cybercrimes and introduced new
offenses such as cyber-terrorism, publishing sexually explicit material, and identity theft.
2. Strengthened Data Protection: The amendment emphasized the importance of data protection and
introduced provisions for the protection of sensitive personal information.
3. Increased Penalties: Higher penalties were introduced for various offenses to act as a deterrent and
to address the growing cybersecurity threats.
4. Intermediary Liability: It introduced provisions for intermediaries (entities facilitating online
communication or hosting content) to take down unlawful content upon receiving a notice or order
from authorities.
5. Establishment of Cyber Appellate Tribunal: The amendment established a Cyber Appellate Tribunal
to hear appeals against decisions of the Controller under the Act.

Legal Aspects of Digital Forensics under IT Act:

1. Electronic Evidence: The IT Act, along with its amendments, provides legal recognition to
electronic evidence, including digital records, emails, logs, and other digital artifacts, making them
admissible in court proceedings.
2. Investigative Powers: The Act empowers law enforcement agencies with the authority to investigate
cybercrimes and gather electronic evidence through legally sanctioned procedures.

23
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
3. Chain of Custody: It emphasizes maintaining the integrity and chain of custody of digital evidence
to ensure its admissibility in court, outlining proper procedures for its collection, preservation, and
presentation.
4. Penalties and Enforcement: The Act stipulates penalties for various cyber offenses, allowing law
enforcement agencies to take action against offenders and ensuring a legal framework for prosecuting
cybercriminals.
Understanding the legal aspects outlined in the IT Act and its subsequent amendments is crucial for
digital forensic practitioners, law enforcement personnel, and legal professionals involved in handling
electronic evidence and investigating cybercrimes.

MCQ Questions and Answers:

1. What is the primary goal of criminalistics?
- a) Crime prevention
- b) Criminal profiling
- c) Solving crimes through scientific analysis
- d) Legal representation

2. Which of the following is NOT a branch of criminalistics?

- a) Forensic toxicology
- b) Forensic anthropology
- c) Forensic linguistics
- d) Forensic psychology

3. Which type of evidence involves the examination of blood, hair, and bodily fluids?
- a) Trace evidence - b) Biological evidence
- c) Physical evidence - d) Digital evidence

24
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

4. What term refers to unauthorized access to computer systems with malicious intent?
- a) Hacking
- b) Phishing
- c) Spoofing
- d) Cyberbullying

5. What is ransomware?
- a) Malicious software that steals personal information
- b) Malware that encrypts files and demands payment for their release
- c) A type of computer virus
- d) Software used for ethical hacking

6. Which of the following is an example of a social engineering attack?

- a) DDoS attack
- b) SQL injection
- c) Spear phishing
- d) Cross-site scripting (XSS)

7. What is the primary goal of cyber forensics?

- a) Preventing cyber attacks
- b) Recovering and analyzing digital evidence
- c) Developing secure computer networks
- d) Training individuals in ethical hacking

8. Which of the following is a step in the cyber forensics process?

- a) Preparing the crime scene
- b) Conducting background interviews
25
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
- c) Collecting and preserving evidence
- d) All of the above

9. What is the purpose of hashing in digital forensics?

- a) Data encryption
- b) Data compression
- c) Data integrity verification
- d) Data authentication

10. The Information Technology (IT) Act of 2000 in India primarily deals with:
- a) Cybersecurity
- b) Digital forensics
- c) Intellectual property rights
- d) Cybercrimes and e-commerce

11. Which amendment in the IT Act 2000 expanded the definition of cybercafés and their
responsibilities?
- a) Amendment of 2006
- b) Amendment of 2008
- c) Amendment of 2010
- d) Amendment of 2012

12. According to the IT Act 2000, what does "unauthorized access" refer to?
- a) Accessing personal emails
- b) Accessing computer systems without permission
- c) Accessing social media profiles
- d) Accessing public domain information

26
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
13. What is the punishment for hacking under the IT Act 2000?
- a) Imprisonment up to 3 years and/or a fine
- b) Imprisonment up to 5 years and/or a fine
- c) Imprisonment up to 7 years and/or a fine
- d) Imprisonment up to 10 years and/or a fine

14. The IT Amendment Act of 2008 introduced a new offense related to:
- a) Cyberstalking
- b) Cyber terrorism
- c) Cyber espionage
- d) Cyber defamation

15. What is the term used in the IT Act 2000 for the person responsible for maintaining the electronic
record?
- a) Record Keeper
- b) Data Custodian
- c) System Administrator
- d) Certifying Authority

16. According to the IT Amendment Act 2008, what is the maximum punishment for sending
offensive messages through communication services?
- a) Imprisonment up to 3 years and/or a fine
- b) Imprisonment up to 5 years and/or a fine
- c) Imprisonment up to 7 years and/or a fine
- d) Imprisonment up to 10 years and/or a fine

17. What is the legal term for the process of validating and ensuring the integrity of digital evidence
in court?
27
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
- a) Digital authentication
- b) Chain of custody
- c) Legal preservation
- d) Digital admissibility

18. In the context of digital forensics, what does the term "chain of custody" refer to?
- a) A sequence of digital evidence
- b) A legal document describing the evidence
- c) The chronological documentation of evidence handling
- d) The physical security of digital devices

19. Which section of the IT Act 2000 deals with the punishment for publishing or transmitting obscene
material?
- a) Section 66A
- b) Section 67
- c) Section 69
- d) Section 70

20. According to the IT Amendment Act 2008, what is the punishment for identity theft?
- a) Imprisonment up to 3 years and/or a fine
- b) Imprisonment up to 5 years and/or a fine
- c) Imprisonment up to 7 years and/or a fine
- d) Imprisonment up to 10 years and/or a fine

21. The IT Amendment Act 2008 introduced the concept of "digital signature certificate" under which
section?
- a) Section 14
- b) Section 15
28
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
- c) Section 16
- d) Section 17

22. What is the primary purpose of digital signature certificates under the IT Act 2000?
- a) Ensuring data confidentiality
- b) Ensuring data availability
- c) Ensuring data integrity
- d) Ensuring data authenticity

23. In the context of the IT Act 2000, what does the term "intermediary" refer to?
- a) A software developer
- b) An internet service provider
- c) A computer hardware manufacturer
- d) A government agency

24. Which section of the IT Act 2000 deals with the punishment for breach of confidentiality and
privacy?
- a) Section 66
- b) Section 67
- c) Section 72
- d) Section 74

25. The IT Amendment Act 2008 inserted a new section dealing with:
- a) Cyber defamation
- b) Cyber terrorism
- c) Cyberstalking
- d) Cyber espionage

29
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
26. According to the IT Act 2000, which section deals with the power to investigate offenses?
- a) Section 65
- b) Section 66
- c) Section 67
- d) Section 68

27. What does the term "adjudicating officer" mean in the context of the IT Act 2000?
- a) A legal expert
- b) An officer appointed to resolve disputes and impose penalties
- c) A forensic analyst
- d) A law enforcement officer

28. Which section of the IT Act 2000 deals with the punishment for tampering with source code?
- a) Section 65
- b) Section 66
- c) Section 67A
- d) Section 69

29. What is the term used for the process of converting plaintext into an unreadable format to secure
information during transmission?
- a) Decryption
- b) Hashing
- c) Encryption
- d) Compression

30. Under the IT Amendment Act 2008, what is the punishment for attempting to commit an offense?
- a) Half of the punishment for the actual offense
- b) Same punishment as the actual offense
30
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

- c) Double the punishment for the actual offense

- d) No punishment for attempting
Answers:
1. c) Solving crimes through scientific analysis
2. c) Forensic linguistics
3. b) Biological evidence
4. a) Hacking
5. b) Malware that encrypts files and demands payment for their release
6. c) Spear phishing
7. b) Recovering and analyzing digital evidence
8. d) All of the above
9. c) Data integrity verification
10. d) Cybercrimes and e-commerce
11. b) Amendment of 2008
12. b) Accessing computer systems without permission
13. b) Imprisonment up to 5 years and/or a fine
14. a) Cyberstalking
15. d) Certifying Authority
16. a) Imprisonment up to 3 years and/or a fine
17. b) Chain of custody
18. c) The chronological documentation of evidence handling
19. b) Section 67
20. c) Imprisonment up to 7 years and/or a fine
21. d) Section 17
22. c) Ensuring data integrity
23. b) An internet service provider

31
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

24. c) Section 72
25. a) Cyber defamation
26. d) Section 68
27. b) An officer appointed to resolve disputes and impose penalties
28. c) Section 67A
29. c) Encryption
30. a) Half of the punishment for the actual offense

Short answer type questions (3 marks):

1. What is the definition of Cybercrime?
2. What are the motivations behind Cyber Attacks?
3. How does Cybercrime impact individuals and organizations?
4. What is the role of Cyber Forensics in investigations?
5. What are the challenges in Cyber Forensics?
6. What is the process of digital evidence collection?
7. Can you provide an overview of the IT Act 2000?
8. What are the significant changes in the IT Act 2008 Amendment?
9. Why are Digital Signatures important under the IT Act?

Long answer type questions (5 marks):

1. Explain the Locard's Exchange Principle and its significance in forensic science. Provide examples
to illustrate how this principle is applied in criminal investigations.

2. Discuss the concept of jurisdiction in the context of cybercrimes. How do international boundaries
impact the investigation and prosecution of cybercriminals? Provide specific examples.

3. Describe the key steps involved in a cyber forensics investigation. How does the process differ
from traditional forensic investigations, and what challenges may arise in collecting and preserving
digital evidence?
32
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

4. Analyze the significance of the IT Act 2000 in addressing cybercrimes in India. Highlight the key
provisions and penalties outlined in the Act and discuss any major amendments introduced by the IT
Amendment Act of 2008.

5. Elaborate on the role of digital signature certificates in the legal framework of the IT Act 2000.
How do they contribute to the authenticity and integrity of electronic records, and what legal
implications arise in their use?

6. Explain the concept of chain of custody in forensic science. Discuss its importance in maintaining
the integrity of evidence during the investigative process, and outline the potential consequences of a
compromised chain of custody.

7. Discuss the challenges law enforcement faces in attributing cybercrimes to specific individuals or
entities. Explore the role of anonymity, encryption, and advanced hacking techniques in complicating
cybercrime investigations.

8. Evaluate the role of digital forensics in addressing corporate cyber incidents. Discuss how digital
forensics techniques can be employed to investigate data breaches, insider threats, and other cyber
incidents affecting organizations.

9. Examine the legal provisions related to cyber defamation under the IT Act 2000 and its
amendments. Discuss the challenges in prosecuting and proving cyber defamation cases, and suggest
potential improvements to the legal framework.

10. Analyze the impact of the IT Amendment Act 2008 on enhancing cybersecurity measures in India.
Discuss the new offenses introduced and their implications for individuals, businesses, and law
enforcement agencies involved in the digital space.

33
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
MODULE II: INCIDENT-RESPONSE METHODOLOGY, CYBERCRIME
SCENE ANALYSIS
Incident response:
Incident response is a structured approach to addressing and managing the aftermath of a cybersecurity
incident or breach. The primary goal of incident response is to limit the damage and reduce recovery
time and costs. The process typically follows a well-defined methodology, which can be summarized
in the following phases:

1. Preparation:
- Establish an incident response team and define roles and responsibilities.
- Develop an incident response plan that includes procedures, communication strategies, and
escalation paths.
- Conduct regular training and drills to ensure the team is prepared to handle incidents effectively.

2. Identification:
- Detect and identify potential security incidents through monitoring, alerting systems, and other
security measures.
- Classify the incident based on severity and impact.
- Confirm whether an incident has occurred and gather initial information.

3. Containment:
- Isolate the affected systems to prevent further damage or unauthorized access.
- Implement temporary fixes or workarounds to minimize the impact.
- Determine the extent of the compromise and the affected assets.

4. Eradication:
- Identify and remove the root cause of the incident.

34
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

- Patch vulnerabilities and eliminate the threat actor's presence from the environment.
- Review and update security controls to prevent similar incidents in the future.

5. Determining tools:
- Determining the tools for cybercrime scene analysis is crucial for effective incident response.
Initially, identify tools for real-time monitoring, such as intrusion detection systems.
- For evidence collection and analysis, digital forensics tools like EnCase or Forensic Toolkit are
essential.
- Network analysis tools like Wireshark aid in understanding communication patterns. Additionally,
malware analysis tools, such as IDA Pro or VirusTotal, help dissect malicious code. Open-source tools
like volatility for memory analysis and log analysis tools like ELK Stack can also be invaluable.
- The selection should align with the incident type, ensuring a comprehensive approach to evidence
gathering and analysis throughout the cybercrime investigation process.

6. Recovery:
- Restore systems and data to a trusted state.
- Validate the integrity of restored systems.
- Monitor for any signs of continued malicious activity.

7. Lessons Learned:
- Conduct a post-incident analysis to understand the root causes and contributing factors.
- Document lessons learned and update incident response plans and procedures accordingly.
- Share insights with relevant stakeholders to improve overall security posture.

8. Communication:
- Maintain open and transparent communication with internal and external stakeholders.
- Notify relevant parties such as customers, regulatory bodies, and law enforcement, as required.
35
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
- Coordinate with public relations to manage the organization's public image.

9. Documentation:
- Document all actions taken during the incident response process.
- Keep a record of findings, remediation steps, and communication logs.
- This documentation aids in future incident investigations and improvements.

Adhering to a well-structured incident response methodology helps organizations respond to and

recover from security incidents in a systematic and effective manner, reducing the potential impact on
the business.

Cybercrime Scene Analysis:

Identifying digital evidence, collecting evidence in private-sector incident scenes, processing law
enforcement crime scenes, preparing for a search, securing a computer incident or crime scene, seizing
digital evidence at the scene.
Identifying digital evidence:
Digital evidence can be any information stored or transmitted in digital form. Because you can’t see
or touch digital data directly, it’s difficult to explain and describe. Is digital evidence real or virtual?
Does data on a disk or other storage medium physically exist, or does it merely represent real
information? U.S. courts accept digital evidence as physical evidence, which means that digital data
is treated as a tangible object, such as a weapon, paper document, or visible injury, that’s related to a
criminal or civil incident. Courts in other countries are still updating their laws to take digital evidence
into account. Some require that all digital evidence be printed out to be presented in court.
Groups such as the Scientific Working Group on Digital Evidence (SWGDE; www.swgde.org) and
the International Organization on Computer Evidence (IOCE; www.ioce.org) set standards for
recovering, preserving, and examining digital evidence. For more information on digital evidence,
visit www.ojp.usdoj.gov/nij/ pubs-sum/187736.htm and read “Electronic Crime Scene Investigation:

36
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

A Guide for First Responders,” which provides guidelines for U.S. law enforcement and other
responders who protect an electronic crime scene and search for, collect, and preserve electronic
evidence.
Following are the general tasks investigators perform when working with digital evidence:
• Identify digital information or artifacts that can be used as evidence.
• Collect, preserve, and document evidence.
• Analyze, identify, and organize evidence.
• Rebuild evidence or repeat a situation to verify that the results can be reproduced reliably. Collecting
computers and processing a criminal or incident scene must be done systematically.

Understanding Rules of Evidence:

Consistent practices help verify your work and enhance your credibility, so you must handle all
evidence consistently. Apply the same security and accountability controls for evidence in a civil
lawsuit as in a major crime to comply with your state’s rules of evidence or with the Federal Rules of
Evidence. Also, keep in mind that evidence admitted in a criminal case might also be a part of your
professional growth, keep current on the latest rulings and directives on collecting, processing, storing,
and admitting digital evidence. The following sections discuss some key concepts of digital evidence.
You can find additional information at the U.S. Department of Justice Web site (www.usdoj.gov) and
by searching the Internet for “digital evidence”, “best evidence rule”, “hearsay” and other relevant
keywords. Consult with your prosecuting attorney, Crown attorney, corporate general counsel, or the
attorney who retained you to learn more about managing evidence for your investigation.

Collecting Evidence in Private-Sector Incident Scenes:

When dealing with incident response and digital forensics in private-sector settings, it's essential to
follow proper procedures to collect and preserve evidence effectively. The goal is to maintain the
integrity of the evidence while complying with legal and ethical standards. Here are some key
considerations for collecting evidence in private-sector incident scenes:
37
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
Establish a Response Team:
Assemble a dedicated incident response team within the organization, comprising individuals with
expertise in digital forensics, IT security, legal affairs, and management.
Document the Incident:
Begin by documenting the incident details, including the date and time of discovery, a brief description
of the incident, and initial actions taken. Thorough documentation is crucial for legal and investigative
purposes.
Preserve the Scene:
Take immediate steps to preserve the integrity of the incident scene. Isolate affected systems and
networks to prevent further damage or compromise. Document physical and environmental
conditions.
Legal Considerations:
Understand and adhere to local and international laws governing the collection and handling of digital
evidence. Consult legal counsel to ensure that the investigation aligns with legal requirements.
Obtain Necessary Authorizations:
If applicable, obtain legal authorization to investigate and collect evidence. This may involve obtaining
search warrants, subpoenas, or other court orders, depending on the jurisdiction and the nature of the
incident.
Digital Forensic Tools:
Use specialized digital forensic tools to collect evidence from affected systems. Ensure that these tools
are up-to-date, forensically sound, and well-documented. Employ write-blocking devices to prevent
inadvertent data alterations.
Chain of Custody:
Establish and maintain a chain of custody for all collected evidence. Document every person who
handles the evidence, from the initial collection to its presentation in court. This documentation is
crucial for establishing the evidence's reliability.

38
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
Volatility of Evidence:
Recognize the volatility of digital evidence. Collect volatile data first, such as network connections
and running processes, before proceeding to non-volatile data like file systems. Minimize the time
between discovery and collection.
Network Traffic Analysis:
Analyze network traffic logs and capture relevant data to understand the scope and nature of the
incident. Identify communication patterns, potential attack vectors, and affected systems.
Interviews and Statements:
Conduct interviews with individuals who may have information about the incident. Obtain statements
from relevant personnel and witnesses. This information can provide context and aid in the
investigation.
Evidence Documentation:
Document the collected evidence thoroughly, including details such as file paths, timestamps, and hash
values. Maintain a comprehensive record of findings, actions taken, and tools used during the
investigation.
Data Privacy and Confidentiality:
Respect data privacy and confidentiality concerns. Handle sensitive information with care and ensure
that the investigation complies with the organization's privacy policies and legal requirements.
Collaborate with Law Enforcement:
If necessary, collaborate with law enforcement agencies. Provide them with the required information
and evidence, and follow any legal procedures for cooperation.
Incident Report:
Prepare a detailed incident report summarizing the findings, actions taken, and lessons learned. This
report can be crucial for internal reviews, legal proceedings, and future incident response
improvements.
Post-Incident Analysis:
Conduct a post-incident analysis to identify vulnerabilities, weaknesses, or gaps in security. Use the
insights gained to enhance the organization's security posture.
39
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
By following these guidelines, organizations in the private sector can conduct effective and legally
compliant incident response and digital forensics activities, contributing to a thorough understanding
of security incidents and facilitating appropriate remediation measures.
Understanding the concepts and terms used in warrants:
It is crucial for legal professionals, law enforcement, and individuals involved in legal processes. Here
are some key concepts and terms related to warrants:
Warrant:
A legal document issued by a court or magistrate authorizing law enforcement to perform a specific
act, such as a search, seizure, or arrest.
Types: Search warrant, arrest warrant, bench warrant, etc.
Affidavit:
A written statement made under oath or affirmation, often by a law enforcement officer, used to support
the issuance of a warrant.
Purpose: Provides facts and evidence to establish probable cause.
Probable Cause:
A standard of evidence indicating that it is more likely than not that a crime has occurred or that
evidence of a crime can be found in a particular location.
Requirement: Necessary for the issuance of search and arrest warrants.
Particularity:
The requirement that a warrant must specify with particularity the place to be searched or the person
or things to be seized.
Purpose: Prevents general searches and ensures the focus is on specific evidence or individuals.
Execution of Warrant:
Carrying out the actions authorized by the warrant, such as conducting a search or making an arrest.
Guidelines: Law enforcement must follow the specified instructions in the warrant, respecting legal
limitations.
No-Knock Warrant:
A warrant that allows law enforcement to enter a property without announcing their presence.
40
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
Conditions: Typically granted when announcing their presence could jeopardize officer safety or result
in the destruction of evidence.
Exclusionary Rule:
A legal principle that prohibits the use of evidence obtained in violation of a person's Fourth
Amendment rights.
Outcome: Evidence obtained through an illegal search or seizure is excluded from court proceedings.
Good Faith Exception:
An exception to the exclusionary rule that allows evidence to be admitted if law enforcement believed
in good faith that their actions were legal.
Conditions: Applies when officers reasonably relied on a warrant later found to be invalid.
Return of Warrant:
The documentation provided by law enforcement to the court after executing a warrant, detailing the
actions taken and items seized.
Purpose: Ensures transparency and accountability in the execution of the warrant.
Ride-Along Warrant:
A warrant that allows non-law enforcement personnel, such as journalists or observers, to accompany
officers during the execution of a warrant.
Conditions: May be subject to court approval and specific limitations.
Seal of the Warrant:
The court may order the warrant to be sealed, restricting public access to its contents for a certain
period.
Purpose: Protects ongoing investigations and sensitive information.
Anticipatory Warrant:
A warrant issued based on the anticipation that a crime will occur, usually contingent on specific
conditions being met.
Conditions: Often used in cases involving controlled deliveries or undercover operations.
Understanding these concepts and terms is essential for ensuring that the legal processes involving
warrants are carried out properly, with respect for individuals' rights and adherence to legal standards.
41
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
Legal professionals and law enforcement personnel should be familiar with the nuances of warrant-
related terminology to navigate the legal landscape effectively.
Various court orders:
Court orders related to cybercrime scene analysis are legal directives issued by courts to gather
evidence and investigate cybercrime incidents. These orders are crucial for law enforcement agencies
and investigators to carry out forensic analysis, collect digital evidence, and identify and prosecute
cybercriminals.
Several types of court orders may be relevant to cybercrime scene analysis:
1. Search Warrant:
Purpose: Authorizes law enforcement to search specific premises for evidence related to a
cybercrime.
Application: Investigators must demonstrate probable cause to believe that evidence of a crime exists
at the specified location.
2. Seizure Warrant:
Purpose: Permits the seizure of specific items or assets related to a cybercrime.
Application: Similar to a search warrant, investigators must provide evidence of the need to seize
particular items.
3. Production Order:
Purpose: Compels an individual or entity to produce specific documents, records, or information
relevant to a cybercrime investigation.
Application: Investigators must convince the court that the requested information is essential to the
investigation.
4. Pen Register/Trap and Trace Order:
Purpose: Allows law enforcement to monitor and record incoming and outgoing electronic
communications (such as phone numbers dialed and IP addresses contacted) in real-time.
Application: Requires a demonstration of relevance to an ongoing investigation.

42
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
5. Surveillance Order:
Purpose: Grants permission for the interception and monitoring of electronic communications,
including emails, chat messages, and other forms of online communication.
Application: Requires a high level of justification and typically involves a high standard of proof.
6. Data Preservation Order:
Purpose: Directs individuals or entities to preserve and protect specific digital evidence from
alteration or destruction.
Application: Issued to prevent the loss of critical evidence before a formal investigation can take
place.
7. Ex Parte Order:
Purpose: Allows law enforcement to obtain a court order without notifying the subject of the
investigation.
Application: Used when notifying the subject might jeopardize the investigation or lead to evidence
destruction.
8. International Mutual Legal Assistance Treaty (MLAT) Requests:
Purpose: Enables law enforcement in one country to seek assistance from another country in obtaining
evidence for a cybercrime investigation.
Application: Follows international legal agreements and protocols for cross-border cooperation.

It's important to note that the specifics of these court orders can vary by jurisdiction, and legal
procedures must be followed diligently to ensure the admissibility of evidence in court. Additionally,
the legal landscape in the realm of cybercrime is continually evolving, and new regulations and court
decisions may impact the tools available to law enforcement for investigating and prosecuting
cybercriminal activities.

43
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

Search and seizure of electronic evidence:

Search and seizure of electronic evidence involves the legal and systematic collection of digital
information for use in investigations and legal proceedings. The methods used for this purpose must
adhere to established legal procedures to ensure the evidence's admissibility in court. Here are key
methods employed in the search and seizure of electronic evidence:
1. Search Warrants:
Description: Law enforcement obtains a search warrant from a court, specifying the location to be
searched and the items to be seized.
Process: Investigators present evidence of probable cause to the court, demonstrating a reasonable
belief that evidence of a crime is present in the specified location.
Application: Relevant for physical premises where electronic devices are expected to be found.
2. Forensic Imaging:
Description: Creating a bit-for-bit copy or "image" of a digital storage device to preserve its current
state for analysis.
Process: Forensic tools are used to duplicate the contents of the storage device without altering the
original data.
Application: Preserves the integrity of evidence and allows investigators to work with a copy,
minimizing the risk of unintentional changes.
3. Chain of Custody:
Description: Establishing and documenting the chronological history of the evidence from collection
to presentation in court.
Process: Investigators carefully document every person who handles the evidence, ensuring its
integrity and admissibility.
Application: Critical for maintaining the reliability and credibility of electronic evidence.

44
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

4. Live Forensics:
Description: Analyzing a computer or device in real-time while it is still running.
Process: Skilled forensic examiners use specialized tools to collect volatile data without shutting down
the system.
Application: Useful when immediate analysis is necessary, but it requires expertise to avoid altering
the system's state.

5. Data Preservation Orders:

Description: Court orders directing individuals or entities to preserve and protect specific digital
evidence from alteration or destruction.
Process: Issued to prevent the loss of critical evidence before a formal investigation can take place.
Application: Ensures the preservation of evidence while legal proceedings are initiated.

6. Covert Online Operations:

Description: Undercover operations to gather electronic evidence without the subject's knowledge.
Process: Involves techniques such as monitoring online activities, conducting controlled purchases,
or infiltrating online forums.
Application: Used in cases where overt methods might compromise the investigation.

7. International Legal Cooperation:

Description: Collaborating with law enforcement agencies in different jurisdictions to obtain
electronic evidence.
Process: Involves mutual legal assistance treaties (MLATs) or other international agreements to
facilitate cooperation.
Application: Necessary for cases involving cross-border criminal activities.
It's crucial to note that these methods must comply with applicable laws, including privacy and Fourth
Amendment protections, to ensure the legality and admissibility of the collected electronic evidence
45
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
in court. Additionally, the involvement of trained digital forensics experts is essential to maintaining
the integrity of the evidence throughout the process.

Electronic evidence:
Electronic evidence is the lifeblood of cyber-crime scene analysis, offering crucial clues to reconstruct
events, identify perpetrators, and build a solid case. Analyzing these digital footprints requires
meticulous methodology and expertise to ensure their integrity and admissibility in court. Let's delve
into the different types of electronic evidence and their potential insights:

1. System and Application Data:

Operating System logs: These logs record system events like logins, file accesses, and network
connections, providing a timeline of activity.
Application logs: Specific applications also maintain logs detailing user interactions, document edits,
and program launches.
File metadata: Files contain hidden information like creation and modification timestamps, author
details, and revisions, offering valuable context.
Registry entries: The Windows registry stores configuration settings that can reveal installed
software, user preferences, and even hidden malware configurations.

2. User Activity:
Browser history and bookmarks: These reveals visited websites, searched keywords, and
downloaded files, painting a picture of the user's online activities.
Email records: Sent, received, and deleted emails can uncover communication exchanges, document
transfer, and potential evidence of phishing or spamming.
Chat logs and instant messages: Conversations on various platforms shed light on communication
with accomplices, victim interactions, and planning details.

46
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
Document edits and revisions: Tracking changes made to documents within word processors,
spreadsheets, or presentations can expose hidden text, deleted information, and collaboration patterns.

3. Network Evidence:
Firewall logs: These logs track network traffic entering and leaving the device, potentially revealing
connections to malicious servers or suspicious IP addresses.
DNS records: Domain Name System records map website names to IP addresses, showing which
websites were accessed and when.
Network sniffing captures: Analyzing captured network traffic can uncover hidden data transfers,
malware communication, and even identify compromised devices on the network.

4. Mobile Device Evidence:

Call logs and text messages: Phone records and SMS history can provide communication timestamps,
contacts of interest, and potential alibis or incriminating messages.
GPS location data: Location tracking apps or embedded GPS coordinates can trace physical
movements, linking the device to specific locations at critical times.
App usage and data: Installed apps, usage statistics, and downloaded files on mobile devices can
reveal suspicious activities, hidden communications, and even financial transactions.
Analysis & Interpretation:
Interpreting electronic evidence requires piecing together these fragments like a puzzle. Experts
employ specialized forensic tools and techniques to:
• Metadata analysis: It plays a crucial role in cybercrime investigations, often acting as the hidden
storyteller behind digital evidence. It's like extracting whispers from the shadows, providing
cryptic clues that can unlock the bigger picture of a crime.
• Recover deleted data: Deleted files, messages, and even entire partitions can be recovered and
analyzed for hidden information.
• Analyze file hashes: Matching file hashes (unique digital fingerprints) can link malware samples,
compromise documents, or illegally transferred data across devices.
47
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
• Timeline construction: By correlating timestamps from various sources, analysts can establish a
chronological sequence of events, revealing crucial context and perpetrator actions.

Challenges & Considerations:

Cyber-crime scene analysis presents unique challenges, such as –
• Data volatility: Digital evidence can be easily altered or deleted, necessitating proper
preservation and chain of custody procedures.
• Encryption: Encrypted files require decryption keys or advanced techniques to unlock their
contents.
• Evolving technology: New software, apps, and malware variants necessitate constant adaptation
and skill development for forensic investigators.

Conclusion:
Electronic evidence, despite its complexities, offers invaluable insights into the digital footprints of
cybercrime. Through meticulous analysis and interpretation, these clues can illuminate the who, what,
where, and why of cyberattacks, contributing significantly to building successful investigations and
bringing perpetrators to justice.

MCQ Questions and Answers:

1. What is the primary goal of incident response in digital forensics?
- a. Data encryption
- b. System recovery
- c. Evidence destruction
- d. Network expansion

2. Which phase of incident response involves collecting and analyzing data to determine the scope and
impact of the incident?
- a. Preparation
- b. Identification
- c. Containment
- d. Eradication

48
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

3. What is the purpose of a digital forensic readiness plan?

- a. Preventing incidents
- b. Detecting incidents
- c. Responding to incidents
- d. All of the above

4. Which of the following is NOT a primary objective during the containment phase of incident
response?
- a. Limiting damage
- b. Restoring services
- c. Identifying the attacker
- d. Preventing further compromise

5. What is the first step in cybercrime scene analysis?

- a. Evidence collection
- b. Securing the scene
- c. Contacting law enforcement
- d. Analysis of electronic devices

6. Which of the following is a critical aspect of preserving the cybercrime scene integrity?
- a. Sharing information with the public
- b. Allowing unauthorized personnel access
- c. Documenting actions taken
- d. Ignoring potential witnesses

7. What is the purpose of a chain of custody in cybercrime investigations?

- a. Tracking the movement of evidence
- b. Identifying suspects
- c. Establishing motive
- d. Documenting crime scene details

8. During cybercrime scene analysis, what does the term "volatile data" refer to?
- a. Data that changes frequently
- b. Encrypted data
- c. Archived data
- d. Data stored in cloud servers

49
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

9. What legal instrument is often required for law enforcement to conduct a search and seizure in
digital investigations?
- a. Cybersecurity policy
- b. Search warrant
- c. Subpoena
- d. Arrest warrant

10. Which court order is used to compel a person to testify or produce evidence in a cybercrime
investigation?
- a. Search warrant
- b. Subpoena
- c. Arrest warrant
- d. Bench warrant

11. What is a National Security Letter (NSL) commonly used for in the context of cybercrime
investigations?
- a. Gaining access to classified information
- b. Requesting financial records
- c. Compelling disclosure of information without a warrant
- d. Conducting surveillance on suspects

12. In cybercrime investigations, what does a preservation order typically instruct the parties involved
to do?
- a. Destroy evidence
- b. Maintain and protect evidence
- c. Share evidence with the public
- d. Submit evidence to the court

13. What is the term for data that is stored on a computer or electronic device and can be used as
evidence in court?
- a. Analog data
- b. Electronic evidence
- c. Physical evidence
- d. Hearsay evidence

50
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

14. In digital forensics, what is metadata?

- a. Data that is encrypted
- b. Data about data
- c. Unrecoverable data
- d. Compressed data

15. Which of the following is an example of volatile electronic evidence?

- a. Hard drive
- b. RAM
- c. External storage device
- d. Optical disc

16. What is steganography used for in the context of electronic evidence?

- a. Encryption
- b. Data hiding
- c. Data recovery
- d. File compression

17. What is the role of a hash value in digital forensics?

- a. Encryption key
- b. Digital signature
- c. Integrity verification
- d. File compression

18. Which of the following is an example of non-repudiation in electronic evidence?

- a. Encrypted file
- b. Timestamped document
- c. Password-protected folder
- d. Biometric authentication log

19. In digital forensics, what is the purpose of a write blocker?

- a. Preventing unauthorized access
- b. Reading data from a storage device
- c. Protecting evidence from being altered
- d. Generating hash values

51
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

20. When conducting electronic evidence analysis, what is the significance of the term "file slack"?
- a. Unused space on a storage device
- b. Hidden files
- c. Encrypted files
- d. Compressed files
Answers:
1. b. System recovery
2. b. Identification
3. d. All of the above
4. c. Identifying the attacker
5. b. Securing the scene
6. c. Documenting actions taken
7. a. Tracking the movement of evidence
8. a. Data that changes frequently
9. b. Search warrant
10. b. Subpoena
11. c. Compelling disclosure of information without a warrant
12. b. Maintain and protect evidence
13. b. Electronic evidence
14. b. Data about data
15. b. RAM
16. b. Data hiding
17. c. Integrity verification
18. b. Timestamped document
19. c. Protecting evidence from being altered
20. a. Unused space on a storage device

52
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

Short answer type questions (3 marks):

1. Explain the significance of the "Eradication" phase in incident response and its role in minimizing
the impact of a cybersecurity incident.

2. Describe three key elements that should be included in a comprehensive digital forensic readiness
plan to enhance an organization's ability to respond to incidents effectively.

3. In the context of cyber crime scene analysis, discuss the importance of preserving the integrity of
digital evidence and provide three practical steps investigators can take to achieve this goal.

4. Explain the term "volatile data" in the context of cyber crime scene analysis, and provide examples
of volatile data sources that investigators should prioritize during an examination.

5. Differentiate between a search warrant and a subpoena in the context of cyber crime investigations.
Provide examples of situations where each might be utilized.

6. Discuss the role of a National Security Letter (NSL) in cyber crime investigations, highlighting its
legal implications and the circumstances under which it might be issued.

7. Define metadata in the context of digital forensics, and explain its significance in analyzing
electronic evidence. Provide an example of how metadata can be crucial in an investigation.

8. Discuss the importance of maintaining a proper chain of custody for electronic evidence. Identify
three potential challenges investigators may face in preserving the chain of custody and suggest
strategies to overcome them.

53
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

Long answer type questions (5 marks):

1. Explain the key phases of an incident response methodology in digital forensics. For each phase,
elaborate on the specific tasks and objectives that contribute to an effective incident response strategy.

2. Discuss the role and significance of a search warrant in the context of cyber crime scene analysis.
Explain the legal requirements for obtaining a search warrant and how it ensures the admissibility of
evidence in court.

3. Describe the concept of digital forensics and its role in analyzing electronic evidence. Provide
examples of electronic evidence types and explain the challenges associated with preserving and
analyzing such evidence.

4. Explain the significance of the chain of custody in handling electronic evidence. Discuss the
potential consequences of a poorly maintained chain of custody in the context of a digital forensic
investigation.

5. Explore the concept of steganography in the realm of electronic evidence. Provide examples of how
steganography is used, and discuss the challenges it presents for digital forensic investigators.

6. Discuss the legal implications of electronic evidence, focusing on issues such as authentication,
admissibility, and the role of expert witnesses in presenting electronic evidence in court.

54
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

MODULE III: IMAGE CAPTURING AND AUTHENTICATING EVIDENCE

Hidden Data Extraction:
Hidden data extraction typically refers to the process of uncovering or retrieving information that is
not readily visible or easily accessible. This can involve various techniques and tools depending on
the context. Here are a few scenarios where hidden data extraction might be relevant:
Steganography:
Steganography involves hiding information within other data in such a way that it's not easily
detectable. This could be done by embedding text or files within images, audio files, or other types of
media. Specialized tools may be required to extract the hidden information.
Steganography is practiced by those wishing to convey a secret message or code. While there are many
legitimate uses for steganography, some malware developers use steganography to obscure the
transmission of malicious code -- known as stegware.
In modern digital steganography, data is first encrypted or obfuscated, and then inserted using a
special algorithm into data that is part of a particular file format, such as a JPEG image, audio or video
file. The secret message can be embedded into ordinary data files in many ways. One technique is to
hide data in bits that represent the same color pixels repeated in a row in an image file. By applying
the encrypted data to this redundant data in an inconspicuous way, the result is an image file that
appears identical to the original image, but has noise patterns of regular, unencrypted data.
Steganography is distinct from cryptography. Using both together can help improve the security of the
protected information and prevent detection of the secret communication. If steganographically hidden
data is also encrypted, the data might still be safe from detection -- though the channel will no longer
be safe from detection. There are advantages to using steganography combined with encryption over
encryption-only communication.
The primary advantage of using steganography to hide data over cryptography is that it helps obscure
the fact that sensitive data is hidden in the file or other content carrying the hidden text. Whereas an

55
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
encrypted file, message or network packet payload is clearly marked and identifiable as such, using
steganographic techniques helps to obscure the presence of a secure channel.
Steganography software is used to perform a variety of functions, including the following:

• Hiding data, including encoding the data to prepare it to be hidden inside another file.

• Keeping track of which bits of the cover text file contain hidden data.

• Encrypting the data to be hidden.

• Extracting hidden data by its intended recipient.

Proprietary and open-source programs are available to do steganography. OpenStego is one open-source
steganography program. Other programs can be characterized by the types of data that can be hidden,
as well as what types of files that data can be hidden inside. Some online steganography software tools
include Xiao Steganography, used to hide secret files in BMP images or WAV files; Image
Steganography, a JavaScript tool that hides images inside other image files; and Crypture, a command-
line tool.

Metadata Extraction: Files often contain metadata, which is information about the file itself. This can
include details such as authorship, creation date, and editing history. Extracting metadata can provide
additional insights into a document.

Metadata extraction is a crucial aspect of digital forensics that involves retrieving hidden information,
known as metadata, from digital files. This information can be used to reconstruct events that occurred
on a device and can provide valuable insights into the activities of a suspect. One of the key techniques
in digital forensic investigations is the recovery of file system metadata, which can be used to recover
metadata when it is not possible to obtain metadata in a regular manner because the file system
structure is damaged due to an accident, disaster, or cyber terrorism.
In a recent study, researchers proposed a recovery method for records without fixed values in the
metadata file of the New Technology File System (NTFS), which is one of the most used file systems

56
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
at present. The proposed method was implemented as a tool and verified through comparative
experiments with existing forensic tools that recover LogFiledata. The experimental results showed
that the proposed recovery method was able to recover all the data that existing tools are unable to
recover in situations where the LogFile data were damaged.
There are several metadata extraction tools available that can help you uncover valuable data about
your digital files, such as the camera settings used, the location of the image, the creation date, and
more. Some of the popular metadata extraction tools include ExifTool, Daminion, and Forensic Toolkit
(FTK).

Network Traffic Analysis:

Hidden data might be transferred over a network in a way that is not immediately apparent. Analyzing
network traffic and packet data can reveal hidden patterns, communication channels, or even malicious
activities.
Network traffic analysis in digital forensics involves collecting and scrutinizing data from various
sources, such as routers and monitoring tools. This detailed examination includes packet inspection to
extract information on source/destination addresses, protocols, timestamps, and payload contents. The
analysis helps reconstruct communication sessions, identify abnormal patterns or suspicious activities,
and detect malware. Investigators leverage intrusion detection alerts, preserve evidence, and establish
timelines, ensuring adherence to legal and privacy considerations. Network traffic analysis plays a
pivotal role in incident response, threat detection, and the overall investigative process.
The rapid advancement of digital technology and the increasing interconnection of systems has
resulted in a complex network of digital activities. In this scene, examining organization traffic stream
has arisen as a vital device in computerized criminology. The objective of the study of network analysis
is to investigate the way in which traffic stream examination fills in as a strong procedure for
unraveling the multifaceted computerized effects left behind by clients, gadgets, and potential danger
entertainers. Forensic Data analysts acquire the ability to detect security breaches, data exfiltration, or
unauthorized access by closely examining examples of information transmission, source-objective
connections, and correspondence conventions within an organization. This analysis allows them to
57
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
identify both regular patterns and irregular deviations. Methodologies for capturing and recording
network packets, the role of flow data in summarizing complex interactions, and the use of intrusion
detection systems (IDS) and intrusion prevention systems (IPS) to monitor real-time network activities
are all examined in this paper. Also, the review dives into utilizing AI and man-made reasoning
methods for prescient investigation and inconsistency identification inside network traffic.

Text Analysis and Natural Language Processing (NLP):

Extracting information from text data might involve uncovering hidden patterns, sentiments, or
entities. NLP techniques can be used to analyze and extract meaningful information from large
volumes of text.
Natural Language Processing (NLP) is employed in digital forensics to analyze and extract meaningful
information from textual data. NLP techniques assist investigators in deciphering communication
patterns, sentiments, and entities within emails, chat logs, and other written content. This enables the
identification of relevant evidence, linguistic patterns associated with malicious activities, and the
reconstruction of communication sequences, enhancing the overall investigative process through
advanced text analysis.
Database Analysis:
Hidden data in databases might involve encrypted or obfuscated information. Database forensics and
analysis tools may be used to extract and decipher hidden data within a database.
Database analysis in digital forensics involves examining data repositories for evidence. Forensic
experts utilize specialized tools to uncover hidden or deleted information, decipher encrypted data,
and reconstruct database interactions. The process may include recovering deleted files, analyzing file
slack space, and scrutinizing unallocated disk space. Investigating database records provides insights
into cyber incidents, unauthorized access, or data manipulation, aiding in the reconstruction of events
for legal proceedings. Ethical and legal considerations guide the extraction of information from
databases, ensuring the integrity and admissibility of evidence.

58
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

Digital Watermarking:
In some cases, data is intentionally hidden using digital watermarking techniques. Extracting this
hidden information requires specialized algorithms and tools.
Watermarking is a technique used in digital forensics to identify, trace and protect digital content. It
embeds a unique, hidden mark (usually an image, logo or text message) into a digital file or video.
These watermarks are difficult to detect but can be traced back to the original source of the file/video.
This technique plays an important role in digital forensics by providing an effective means of storing
evidence, determining the originator of a digital file and verifying its authenticity. Watermarking
systems are used in various fields, including security, copyright protection, media analytics and
forensic analysis.

Web Scraping:
Extracting data from websites might involve finding and retrieving information that is not visible on
the surface. This could include hidden tags, elements loaded dynamically through JavaScript, or data
embedded in the HTML source.
Web scraping is a data extraction technique where automated scripts or tools extract information from
websites, parsing HTML or other structured data formats. It involves analyzing the website's structure,
sending HTTP requests, and parsing the received HTML to retrieve specific data elements. Web
scraping is used for various purposes, including gathering business intelligence, monitoring prices,
and aggregating content. However, it raises ethical and legal considerations, and practitioners should
be mindful of terms of service and potential impacts on the target website.

59
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

Data Storage:
Data Storage Overview:
Data storage refers to the retention of information in a persistent manner for future retrieval and use.
In computing, data can be stored in various forms, ranging from physical media like hard drives to
cloud-based storage solutions.
Types of Data Storage:
Primary Storage (RAM): Volatile and fast storage used by the computer's processor to store and access
data actively during operations.
Secondary Storage (Hard Drives, SSDs): Non-volatile storage for long-term data retention, typically
larger in capacity but slower than RAM.
Tertiary Storage (Tapes, Optical Drives): Used for archiving and backup purposes, offering high
capacity but slower access times.

Storage Devices:
Hard Disk Drives (HDDs): Use magnetic storage for data on spinning disks.
Solid State Drives (SSDs): Utilize flash memory for faster and more reliable data storage.
Optical Storage (CDs, DVDs, Blu-rays): Uses lasers to read/write data on optical discs.
Tape Drives: Sequential storage using magnetic tape for backup and archival purposes.

Storage Hierarchy:
Data storage is often organized into a hierarchy based on speed and cost. Faster and more expensive
storage is used for frequently accessed data, while slower and cheaper storage is employed for archival
purposes.

60
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

In this hierarchy all the storage devices are arranged according to speed and cost. The higher levels
are expensive, but they are fast. As we move down the hierarchy, the cost per bit generally decreases,
whereas the access time generally increases.
The storage systems above the electronic disk are Volatile, where as those below are Non-Volatile.
An Electronic disk can be either designed to be either Volatile or Non-Volatile. During normal
operation, the electronic disk stores data in a large DRAM array, which is Volatile. But many electronic
disk devices contain a hidden magnetic hard disk and a battery for backup power. If external power is
interrupted, the electronic disk controller copies the data from RAM to the magnetic disk. When
external power is restored, the controller copies the data back into the RAM.
Data Backup and Recovery:
Establishing regular data backup procedures ensures data integrity and provides recovery options in
case of data loss or system failures. Backup strategies include full, incremental, and differential
backups. Understanding data storage and its structures is fundamental to effective data management,
ensuring that information is stored securely, efficiently, and is readily accessible when needed.
61
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

Storage Structure:
Hard disk is organized into two different ways like as physical structure and logical structure; below shown
each one in detail, you can check them:

Physical Structure of Hard Disk

The physical division of a hard disk refers to the way data is stored on the disk at a low level. Here are

the main parts of the physical structure of hard disk, including:

Platters: The disks that make up the hard disk drive. Each platter has an upper and lower oxide-coated
surface.
Read/Write Heads: The heads that float above the surface of the platters and read and write data as the
platters spin around. There is at least one head per surface.
Tracks: The concentric circles on the surface of the platters. Each track is divided into sectors.
Sectors: The smallest physical storage units on the disk. Sectors are the unit of information transfer and
are mapped with a logical block on the disk.
Cylinders: The set of tracks that have the same track value on all platters. A cylinder is made up of rings
on the upper and lower surfaces of all of the platters.

62
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
Spindle: Help to connects all the platters and is connected to a motor. The motor of the spindle rotates
with a constant speed, causing the disk platter to spin at a constant speed.
Arm Assembly: It holds the read/write heads. The arm assembly is moved in or out to position a head
on a desired track.

Logical Structure of Hard Disk

The logical division of a hard disk refers to the way data is organized and stored on the disk. Here are
the main components of the logical structure of hard disk, as following them:
Master Boot Record (MBR): The MBR contains a small program to load and start the active (or
bootable) partition from the hard disk drive. The MBR contains information about all four primary
partitions on the hard disk drive such as the starting sector, ending sector, size of the partition, etc.
DOS Boot Record (DBR): The DBR is the first sector of a partition and contains the boot loader code
that is executed when the partition is booted.
File Allocation Table (FAT): The FAT is a table that keeps track of which clusters are free and which
are in use. It is used by the file system to locate files on the disk.
Root Directory: The root directory is the top-level directory on a disk. It contains all the files and
directories that are stored directly on the disk.
Clusters: A cluster is a group of sectors that are allocated to a file. Clusters are used by the file system
to read and write data.

NB:
Partitioning:
Storage devices can be partitioned into logical sections, each with its own file system. Partitions can
improve data organization, security, and management.
Formatting:
Formatting prepares a storage device for use by establishing a file system. Common file systems
include FAT32, NTFS, and exFAT in Windows, and ext4 in Linux.

63
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
File Systems:
File systems organize and store data on storage devices. They manage the hierarchy of files and
directories, providing a logical structure for data retrieval.
A file system gives an OS a road map to data on a disk. The type of file system an OS uses determines
how data is stored on the disk. When you need to access a suspect’s computer to acquire or inspect
data related to your investigation, you should be familiar with both the computer’s OS and file system
so that you can access and modify system settings when necessary.

NTFS (New Technology File System) and FAT32:

NTFS:
NTFS stands for New Technology File System is a proprietary file system developed by Microsoft,
started with the Windows NT 3.1 and many other such as Windows 2000, including Windows XP,
Windows Server 2003, Windows 7, Windows 8. NTFS file system has many technical benefits over
FAT (File Allocation Table) an improved version and HPFS (High Performance File System) an
improved support for metadata.
History:
NTFS was introduced in July 1993 with Windows NT 3.1. Microsoft creates a high-quality, high-
performance, reliable and secure operating system. In 1995 Windows NT 3.51, NTFS version was
introduced to Compressed files, named streams and access control lists and in 1996 Windows NT 4.0
NTFS version was introduced to Security descriptors. After that Windows 2000 in 2000 introduced to
Disk quotas, Encrypting File System and many more.

Characteristics of NTFS:
Compatibility –
It supports compression of files and directories to optimize storage space.
Scalability –
It introduced with improved performance, scalable in comparison to its precursor.

64
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

Efficiency –
It utilizes the disk space efficiently by using smaller size of clusters.
Attributes –
NTFS’s attributes Read-only, hidden, system, archive, not content indexed, off-line, temporary,
compressed.

Advantages of NTFS:
Easily recovers file system and supports long file names.
Provides users with local security by protecting files and directories.
NTFS is a journaling file system.
It supports spanning volumes spread across several physical drives.
Support larger sized hard drives with increasing general performance of the drive.

Disadvantages of NTFS:
NTFS performance does not decrease as FAT does.
Removable devices such as Android smart phones, do not support NTFS.
Doesn’t include a system that guarantee file system performance.

FAT32:
File Allocation Table, abbreviated as FAT, is the straightforward file system endorsed by the Windows
Operating System. It is commonly employed with floppy disks, flash drives, and embedded devices,
although it is no longer the default file system for Microsoft Windows computers. The FAT file system
encompasses various variants, including FAT12, FAT16, and FAT32, each tailored to accommodate
different disk drive capacities.

65
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
While FAT32 is frequently utilized in some earlier versions of Windows, it is not the default choice
for the latest iterations. Serving as an enhancement to the FAT16 file system, FAT32 finds support in
Windows 95 OSR2, Windows 98, and Windows Me.
With a minimum cluster size of 4 KB, FAT32 is equipped to handle hard disk sizes exceeding 2
Gigabytes. Originating from Microsoft in 1996, the FAT32 file system made its debut in MS-DOS 7.1
and Windows 95 OSR2, addressing the volume size constraints inherent in FAT16.

Features of FAT32:
FAT32 has the following features that overcome the issues in previous versions of File systems:
It can support drive sizes up-to 2 terabytes.
It is space-efficient because it uses smaller clusters, which provides efficient use of available disk
space compared to FAT16 devices.
It does not contain any limit for the number of root folder entries on the drive. The root folder is a
simple cluster chain that can be placed anywhere within the drive.
The dynamic resizing of FAT32 partitions is possible.
It contains a robust nature because, in this, the folder can be relocated, and it can use the backup copy
of the FAT instead of the default copy.

Advantages of FAT32:
The FAT32 file system is compatible with various devices such as smartphones, digital cameras,
gaming consoles, USB drives, etc.
FAT32 uses only a small disk space for large partitions because the minimum cluster size of FAT32
always remains 4KB for partitions under 8GB.

Disadvantages of FAT32:
In FAT32, the maximum file size is about 4 GB only.
It can work with partitions with a maximum size of up to 8 TB.
If the user formats the drive with FAT32, data may be lost if a power loss occurs during formatting.
66
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
Differences between FAT32, NTFS, and exFAT:

FAT32 NTFS exFAT

It is abbreviated as File Allocation It is abbreviated as New It is abbreviated as

Table32. Technology File System. Extended File Allocation
Table.

FAT32 is the oldest file system, NTFS is the modern or latest file It is the newer File system
which was released in the year system, used as the default file and introduced in the year
1996 to replace the FAT16 files system in Windows. 2006 by Microsoft.
system.

No encryption is provided in Encryption is provided in NTFS. Encryption is not

FAT32. provided in exFAT.

The performance is good. The performance is better than The performance is High.
FAT32.

The accessing speed is less The accessing speed is more The accessing speed is
compared to NTFS. compared to FAT32. less compared to NTFS.

There is no provision for file It supports file compression. It also does not support
compression. File Compression.

It supports a maximum file size of It supports a maximum file size of It supports a maximum
4 GB. 16TB. file size of up to 16EB (16
Exabyte).

It is compatible with the old It is compatible with the later It is compatible with all
version of the Windows Operating version of the Windows Operating versions of Windows and
system, such as Win system, such as the latest version of MAC
95/98/2K/2K3/XP. NT/2K/XP/Vista/7. OS.

It is best suitable for removable It is best suitable for the windows It is best suitable for flash
storage devices with a maximum system and internal drives of drives.
file size of 8TB. windows.

67
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
It does not have any built-in It contains a built-in security It also contains a built-in
security. feature. security feature.

Exploring Microsoft File Structures:

Because most PCs use Microsoft software products, you should understand Microsoft file systems so
that you know how Windows and DOS computers store files. In particular, you need to understand
clusters, File Allocation Table (FAT), and NT File System (NTFS). The method an OS uses to store
files determines where data can be hidden. When you examine a computer for forensic evidence, you
need to explore these hiding places to determine whether they contain files or parts of files that might
be evidence of a crime or policy violation. In Microsoft file structures, sectors are grouped to form
clusters, which are storage allocation units of one or more sectors. Clusters range from 512 bytes up to
32,000 bytes each. Combining sectors minimizes the overhead of writing or reading files to a disk. The
OS groups one or more sectors into a cluster. The number of sectors in a cluster varies according to the
disk size. For example, a double-sided floppy disk has one sector per cluster; a hard disk has four or
more sectors per cluster. Clusters are numbered sequentially, starting at 0 in NTFS and 2 in FAT. The
first sector of all disks contains a system area, the boot record, and a file structure database. The OS
assigns these cluster numbers, referred to as logical addresses. They point to relative cluster positions;
for example, cluster address 100 is 98 clusters from cluster address 2. Sector numbers, however, are
referred to as physical addresses because they reside at the hardware or firmware level and go from
address 0 (the first sector on the disk) to the last sector on the disk. Clusters and their addresses are
specific to a logical disk drive, which is a disk partition.

Disk Partitions:
Many hard disks are partitioned, or divided, into two or more sections. A partition is a logical drive.
Windows OSs can have three primary partitions followed by an extended partition that can contain one
or more logical drives. Someone who wants to hide data on a hard disk can create hidden partitions or
voids—large unused gaps between partitions on a disk drive. For example, partitions containing unused

68
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
space can be created between the primary partitions or logical partitions. This unused space between
partitions is called the partition gap. It’s possible to create a partition, add data to it, and then remove
references to the partition so that it can be hidden in Windows. If data is hidden in this partition gap, a
disk editor utility could be used to access it. Another technique is to hide incriminating digital evidence
at the end of a disk by declaring a smaller number of bytes than the actual drive size.
With disk-editing tools, however, you can access these hidden or empty areas of the disk. One way to
examine a partition’s physical level is to use a disk editor, such as WinHex or Hex Workshop. These
tools enable you to view file headers and other critical parts of a file. Both tasks involve analyzing the
key hexadecimal codes the OS uses to identify and maintain the file system.

Examining FAT disks:

Examining FAT (File Allocation Table) disks involves inspecting the file system structure,
understanding the allocation of files on the disk, and using specific tools for analysis. Here are some
general steps you can follow:
1. Choose a Forensic Tool:
There are several forensic tools available that can help you examine FAT disks. Some popular ones
include:
- Foremost: Foremost is a Linux-based forensic tool that can recover files based on their headers,
footers, and internal data structures.
- Autopsy: Autopsy is a graphical interface for The Sleuth Kit, a suite of forensic tools. It supports
various file systems, including FAT.
- AccessData FTK (Forensic Toolkit): FTK is a commercial forensic tool that supports FAT file
systems and offers a range of features for analysis.

2. Mount the Disk Read-Only:

Before examining the disk, ensure that you mount it as read-only to prevent any unintentional
modifications. This is crucial for preserving the integrity of the evidence.

69
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

3. Understand FAT File System Structure:

Learn about the structure of the FAT file system. FAT12, FAT16, and FAT32 are the most common
versions. Each has its own specifics regarding the size of clusters, the number of file allocation tables,
and other parameters.

4. Analyze the Boot Sector:

The boot sector contains vital information about the file system, such as the cluster size, the number of
reserved sectors, and the location of the file allocation tables. Examine this sector to gather important
details about the file system.

5. Examine the File Allocation Table (FAT):

The FAT is a key component that keeps track of the allocation status of each cluster on the disk.
Analyzing the FAT helps in understanding which clusters are used, free, or reserved. Tools often provide
features to visualize the FAT.

6. Explore Directory Entries:

Directory entries store information about files and directories, including file names, attributes,
creation/modification dates, and pointers to the starting cluster of the file. Examine these entries to
reconstruct the directory structure.

7. Recover Deleted Files:

Forensic tools often have features for recovering deleted files. Deleted files may still exist on the disk
until their clusters are overwritten. Tools can help recover these files and provide insights into the user's
activities.

70
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

8. Document Findings:
As you examine the disk, document your findings carefully. Note the file names, timestamps, and any
other relevant information. Proper documentation is crucial for forensic analysis and may be required if
the findings are to be used as evidence.
Remember, working with forensic tools and examining disks should be done carefully, especially when
dealing with evidence.

Examining NTFS disks:

Examining an NTFS (New Technology File System) disk involves similar principles to examining
FAT disks, but there are specific aspects unique to NTFS. Here are the steps to examine an NTFS disk:
1. Choose a Forensic Tool:
Select a forensic tool that supports NTFS file systems. Some commonly used tools include:
- Autopsy: As mentioned earlier, Autopsy is a graphical interface for The Sleuth Kit and supports
NTFS.
- AccessData FTK (Forensic Toolkit): FTK is a commercial forensic tool that supports NTFS and
offers advanced features.
- EnCase: EnCase is a widely used forensic tool that supports NTFS and provides comprehensive
analysis capabilities.
2. Mount the Disk Read-Only:
Always mount the NTFS disk as read-only to preserve the integrity of the evidence. This prevents any
accidental modifications to the data.

3. Understand NTFS File System Structure:

NTFS has a more complex structure compared to FAT. Learn about the Master File Table (MFT),
clusters, attributes, and other components that make up the NTFS file system.

71
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
4. Analyze the Master File Table (MFT):
The MFT is a critical component of NTFS that stores information about each file and directory on the
disk. Examine the MFT to understand the file system's layout and to retrieve details about files, such
as names, attributes, and data runs.

5. Examine File Attributes:

NTFS uses various file attributes to store information about files. These attributes include standard
information, file name, data, and security descriptors. Understanding these attributes is essential for
reconstructing the file system.

6. Investigate Alternate Data Streams (ADS):

NTFS supports alternate data streams, allowing multiple sets of data to be associated with a single file.
Forensic analysis should include checking for the presence of alternate data streams, as they may be
used to hide information.

7. Check File System Journal:

NTFS maintains a journal that records changes made to the file system. Analyzing the journal can
provide insights into file modifications, deletions, and other activities. Tools often allow you to review
and interpret the file system journal.

8. Recover Deleted Files:

Forensic tools for NTFS often include features for recovering deleted files. Deleted files may be
recoverable until their clusters are overwritten. Use these tools to recover deleted files and gather
information about the user's actions.

72
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
9. Document Findings:
As with examining FAT disks, carefully document your findings. Record file names, timestamps,
attributes, and any other relevant information. Proper documentation is crucial for forensic analysis
and may be required if the findings are used as evidence.

10. Handle NTFS Compression and Encryption:

Be aware that NTFS supports file compression and encryption. Forensic tools should have features to
handle compressed and encrypted files. Understanding these aspects is essential for a thorough
examination.

NTFS Alternate Data Streams:

Of particular interest when you’re examining NTFS disks are alternate data streams, which are ways
data can be appended to existing files. When you’re examining a disk, be aware that alternate data
streams can obscure valuable evidentiary data intentionally or by coincidence.
In NTFS, an alternate data stream becomes an additional file attribute and allows the file to be associated
with different applications. As a result, it remains one data unit. You can also store information about a
file in an alternate data stream. In its resource documentation Web page, Microsoft states: “For example,
a graphics program can store a thumbnail image of a bitmap in a named data stream within the NTFS
file containing the image.” At a command prompt in Windows NT and later, you can create an alternate
data stream with this DOS command:
C:\echo text_string > myfile.txt:stream_name
You can also use the following type command to redirect the contents of a small file to an alternate data
stream:
C:\type textfile.txt > myfile.txt:stream1
In these commands, the alternate data stream is defined in the MFT by the colon between the file
extension and the stream label. To display an alternate data stream’s content as a simple text string, use
this command:
C:\more > myfile.txt:stream1
73
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

Recovery of deleted files:

The recovery of deleted files is a process that involves restoring files that have been intentionally or
accidentally deleted from a storage device. This process is crucial in various contexts, including data
restoration, digital forensics, and computer security. Here are some key aspects to consider when
discussing the recovery of deleted files:
1. Deletion Process:
When a file is deleted, the operating system typically marks the space it occupies as available for
reuse, but the actual data may remain on the storage medium until it gets overwritten by new data.
Files can be deleted through standard file management operations, such as using the delete key or
emptying the recycle bin/trash.
2. File Recovery Techniques:
File Carving: This technique involves searching for file signatures or headers to identify and recover
file fragments. It is commonly used in forensic analysis. Journaling and Log Files: Some file systems
maintain logs or journals that record changes. These logs can be valuable in recovering deleted files.
Free Space Analysis: Examining the unused space on a storage device may reveal traces of deleted
files that haven't been overwritten.
3. Forensic Tools:
Specialized forensic tools like EnCase, Autopsy, FTK Imager, R-studio, Sleuth Kit (Command Line
Tools) and Recuva are designed to recover deleted files. These tools often provide advanced features,
such as file signature analysis and the ability to reconstruct file systems.
4. Limitations and Challenges:
The effectiveness of file recovery depends on various factors, including how much new data has been
written to the storage device since the file deletion.
Overwritten data: If the space previously occupied by a deleted file has been overwritten, recovery
becomes significantly more challenging or impossible.
Fragmentation: Fragmented files may be more difficult to recover in their entirety.

74
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
5. File Systems Impact:
Different file systems handle file deletion differently. For example, in FAT file systems, deleting a file
typically involves marking its cluster as available, while in NTFS, the Master File Table (MFT) is
updated.

Windows RecycleBin Forensics:

The Recycle Bin is a functionality embedded in Microsoft Windows, enabling users to recover files
that have been deleted. When a file is deleted from the computer, it isn't immediately eliminated from
the hard drive; instead, it is transferred to the Recycle Bin. Serving as a temporary storage repository
for deleted files, the Recycle Bin allows users to restore these files as needed. This renders the Recycle
Bin a pivotal location for forensic examinations, as deleted files may contain crucial information
beneficial to an investigation. In this article, we will delve into the fundamentals of Windows Recycle
Bin forensics and furnish a step-by-step guide for undertaking a Recycle Bin forensics inquiry.
Introduction:
The Recycle Bin in Microsoft Windows operates as a concealed directory designed to store deleted
files and folders. Rather than instantaneously purging deleted files from the file system, Windows
moves them to the Recycle Bin, presenting an opportunity for forensic investigators to recover these
files, even post-deletion.
This lecture offers a comprehensive overview of the Recycle Bin, covering its structure, the nature of
files it holds, and the steps involved in conducting a forensic examination to recover deleted files.

Structure of the Recycle Bin:

The Recycle Bin functions as a hidden directory situated in %SystemRoot% (typically C:). In
Windows Vista and subsequent versions, the Recycle Bin is segmented into sub-directories, each
linked to a specific user's SID (Security Identifier). Within each user's sub-directory, two files per
deleted file exist: a $I file containing metadata, and a $R file housing the actual contents of the deleted
file, facilitating data recovery.

75
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

Conducting a Forensic Examination of the Recycle Bin:

Forensic software is essential for scanning the Recycle Bin and recovering data from the $R files.
Prior to such an examination, considerations include the potential overwriting of information by other
deleted files and the possibility of altered or corrupted metadata during the deletion process.

To recover deleted files from the Recycle Bin, follow these steps:
1. Use forensic software to scan the Recycle Bin.
2. Validate the recovered data against other sources to ensure accuracy.
3. Extract the contents of the $R files to recover the deleted files.

Tools:
Several tools are available for Windows Recycle Bin forensics:
- RecBin.exe: A command-line tool by Harlan Carvey for parsing $I file contents.
The tool takes the path of the $I file as a command-line argument and provides information about the
associated deleted file, such as its filename, full path, size, and deletion date and time. The tool can be
useful for forensic investigations, as it provides an easy way to access and analyze the metadata of
deleted files in the Recycle Bin.

recbin.exe -f "%SystemRoot%\$Recycle.Bin\SID\$IVJDKEL.docx"

This example shows how to use the tool to parse a specific $I file located at
“C:$Recycle.Bin\SID$IVJDKEL.docx”. The “-f” option is used to specify the file to parse. Note that
you would need to replace “SID” with the actual SID of the user account associated with the deleted
file.
- FTK Imager: A forensic imaging tool for creating images of the Recycle Bin and extracting deleted
files.
76
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
- EnCase: A digital forensics tool for analyzing the Recycle Bin and recovering deleted files.
- Recuva: A free data recovery tool for retrieving files from the Recycle Bin.
- Disk Drill: A data recovery tool for the Recycle Bin and other storage devices.
- TestDisk: A free, open-source tool for recovering files from the Recycle Bin and other storage
devices.
- WinHex: A hex editor and disk editor for viewing and analyzing Recycle Bin contents.
- Autopsy: A free, open-source digital forensics platform with a Recycle Bin analysis module.
These tools cater to various forensic needs, ranging from advanced investigations to simpler data
recovery scenarios.
Live Machine:
In live Windows forensics, PowerShell can be utilized to gather Recycle Bin information:
1. Open PowerShell as an administrator.
2. Use the Get-ChildItem cmdlet to view Recycle Bin contents.
3. Use the Get-Content cmdlet to view $I and $R files and recover their contents.

Conclusion:
The Windows Recycle Bin serves as a valuable resource for forensic investigators, offering insights
into deleted files. However, the potential inaccuracies in Recycle Bin information underscore the need
for a meticulous examination using forensic software. By following the steps outlined in this guide,
investigators can successfully recover deleted files and leverage the retrieved data for forensic
analyses.

Password Cracking:
In the context of digital forensics, the term "cracking passwords" typically refers to attempting to gain
unauthorized access to a system or protected data by deciphering or bypassing password protection.
Password cracking is a common technique used by both attackers and forensic analysts for different
purposes. It's important to note that while digital forensics professionals may employ password

77
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
cracking techniques for legitimate reasons, any unauthorized attempts to crack passwords are illegal
and unethical.
Here are some key aspects to consider when discussing password cracking in digital forensics:
1. Legitimate Use in Digital Forensics:
Password Recovery: Forensic experts may need to recover passwords during an investigation to access
encrypted data or files. This is typically done with proper legal authorization.
2. Common Password Cracking Techniques:
Brute Force Attacks: Trying every possible combination of characters until the correct password is
found. This method is time-consuming and resource-intensive.
Dictionary Attacks: Using a list of known words, phrases, or commonly used passwords to attempt
to crack a password.
Rainbow Table Attacks: Precomputed tables of hash values for commonly used passwords are
compared against the hashed passwords in a system.
Hybrid Attacks: Combining dictionary words with numbers or symbols to increase the chances of
success.
3. Hashing and Password Storage: Passwords are often stored as cryptographic hash values in
databases rather than in plain text. Cracking the hashed password involves attempting to find a
plaintext value that, when hashed, matches the stored hash.

4. Legal and Ethical Considerations:

Unauthorized attempts to crack passwords are illegal and violate privacy and computer security laws.
Digital forensics professionals must operate within the bounds of the law, obtaining proper
authorization before attempting any password recovery.

5. Use of Forensic Tools:

Forensic tools like ‘John the Ripper’, ‘Hashcat’, and ‘Cain and Abel’ may be employed by digital
forensics professionals for legal and authorized password recovery.
These tools can use various cracking techniques and algorithms to attempt to decipher passwords.
78
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
In conclusion, password cracking in digital forensics can be a legitimate and necessary activity when
conducted with proper authorization and within legal and ethical boundaries. It plays a crucial role in
recovering critical information during investigations, but it must always be done in adherence to
applicable laws and regulations. Unauthorized password cracking is illegal and can result in severe
consequences.

Internet crime investigation:

Internet crime investigation, also known as cybercrime investigation, is a specialized field within
digital forensics that focuses on the detection, analysis, and prevention of criminal activities conducted
on the internet. With the increasing prevalence of online activities, the need for effective internet crime
investigation has become crucial in addressing a wide range of cybercrimes. Here are key aspects to
consider when discussing internet crime investigation:
1. Scope of Internet Crime:
- Fraud and Scams: Including phishing, identity theft, online fraud, and financial scams.
- Hacking and Cyber Attacks: Unauthorized access to computer systems, data breaches, and
distributed denial of service (DDoS) attacks.
- Online Harassment: Cyberbullying, stalking, and other forms of online harassment.
- Child Exploitation: Crimes involving the exploitation of minors, such as child pornography and
online grooming.
- Intellectual Property Theft: Unauthorized distribution and piracy of digital content.
- Cyber Espionage: Theft of sensitive information for political, economic, or military purposes.

- Dark Web Activities: Illegal transactions and activities conducted on the dark web.
2. Challenges in Internet Crime Investigation:
- Anonymity: Perpetrators often use techniques to conceal their identities, making it challenging to
trace and apprehend them.

79
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
- Jurisdictional Issues: Cybercrimes may span multiple jurisdictions, requiring coordination between
law enforcement agencies internationally.
- Rapid Evolution of Technology: Criminal tactics evolve quickly, necessitating continuous
adaptation of investigative techniques and tools.
3. Key Investigative Techniques:
- Digital Forensics: Examining electronic devices, networks, and digital evidence to uncover
information related to cybercrimes.
- Network Analysis: Tracing the flow of data and connections between devices and systems to
identify patterns and vulnerabilities.
- Open Source Intelligence (OSINT): Gathering information from publicly available sources on the
internet to aid investigations.
- Undercover Operations: Infiltrating online communities to gather intelligence on criminal
activities.
- Collaboration: Cooperation between law enforcement agencies, government bodies, private sector,
and international organizations to share information and resources.
4. Legal Framework and Legislation:
- Laws and regulations vary globally, and investigators must operate within the legal frameworks of
the jurisdictions involved.
- Countries may have specific legislation addressing cybercrimes and providing law enforcement
with the authority to investigate and prosecute.
5. International Cooperation:
- Cybercrimes often transcend borders, necessitating collaboration between countries and
international organizations to combat cyber threats effectively.
- Organizations like INTERPOL and Europol play essential roles in fostering international
cooperation.
6. Prevention and Cybersecurity Measures:
- Developing and promoting cybersecurity best practices to prevent individuals and organizations
from falling victim to cybercrimes.
80
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
- Educating the public on recognizing and reporting cyber threats.
7. Emerging Trends:
- Artificial Intelligence (AI) and Machine Learning: Both used by cybercriminals and investigators
to enhance their capabilities.
- Cryptocurrencies: Used in cybercrime transactions due to their pseudonymous nature, posing
challenges for investigators.
- Internet of Things (IoT) Security: With the increasing connectivity of devices, ensuring the security
of IoT networks becomes critical.
8. Public-Private Partnerships:
- Collaboration between law enforcement agencies, private sector companies, and academic
institutions to share threat intelligence and enhance collective cybersecurity efforts.
9. Education and Training:
- Continuous education and training for law enforcement professionals to keep up with evolving
cyber threats and investigative techniques.
10. Ethical Considerations:
- Balancing the need for effective investigations with the protection of individuals' privacy rights.
- Adhering to ethical standards in conducting investigations and handling digital evidence.

In conclusion, internet crime investigation is a dynamic and complex field that requires a multi-faceted
approach. It involves leveraging advanced technologies, international cooperation, legal frameworks,
and ongoing education to address the ever-evolving landscape of cybercrimes and ensure a secure
digital environment.

Web attack investigation:

Web attack investigation in the context of digital forensics involves the examination and analysis of
incidents where web-based systems, applications, or services have been compromised or exploited.
These attacks can take various forms, such as website defacement, SQL injection, cross-site scripting

81
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
(XSS), and other vulnerabilities that malicious actors exploit to compromise web assets. Here are key
aspects to consider when discussing web attack investigation in digital forensics:

1. Types of Web Attacks:

- SQL Injection: Exploiting vulnerabilities in web applications to execute unauthorized SQL queries.
- Cross-Site Scripting (XSS): Injecting malicious scripts into web pages viewed by other users.
- Cross-Site Request Forgery (CSRF): Forcing users to perform unwanted actions without their
consent.
- Phishing Attacks: Deceptive techniques to trick users into revealing sensitive information.
- Distributed Denial of Service (DDoS): Overloading web servers to make websites or services
unavailable.
- Brute Force Attacks: Repeatedly attempting to guess passwords to gain unauthorized access.
2. Incident Identification and Triage:
- Detecting signs of a web attack through system logs, network traffic analysis, and intrusion
detection systems.
- Prioritizing incidents based on severity and impact on web services.
3. Digital Forensic Tools and Techniques:
- Log Analysis: Examining web server logs, application logs, and network logs to reconstruct the
timeline of the attack.
- Memory Analysis: Analyzing volatile memory to identify running processes, injected code, and
artifacts related to the attack.
- Network Forensics: Capturing and analyzing network traffic to trace the origin and nature of the
attack.
- Disk Forensics: Investigating file systems for malicious files, backdoors, and evidence of
unauthorized access.
4. Preservation of Evidence:
- Taking steps to preserve the integrity of digital evidence to ensure its admissibility in legal
proceedings.
82
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
- Capturing images of affected systems and maintaining a chain of custody for evidence.
5. Attribution and Identification of Attackers:
- Tracing the origin of the attack, which may involve determining IP addresses, geolocation, and
potential threat actor groups.
- Establishing patterns and tactics used by attackers for future prevention.
6. Collaboration with Other Security Measures:
- Coordinating with intrusion detection and prevention systems, firewalls, and other security
measures to enhance the overall security posture.
7. Legal Considerations:
- Adhering to legal requirements when collecting and handling digital evidence.
- Cooperating with law enforcement agencies and legal authorities during investigations.
8. Mitigation and Remediation:
- Developing strategies to mitigate the impact of the attack and prevent further exploitation.
- Implementing security patches, updating software, and improving security configurations.
9. Post-Incident Analysis:
- Conducting a thorough analysis of the attack to understand the tactics, techniques, and procedures
(TTPs) employed by the attackers.
- Documenting lessons learned and implementing improvements to prevent similar attacks in the
future.
10. Training and Skill Development:
- Ensuring that digital forensic investigators are well-trained in the latest web attack techniques and
forensic tools.
- Staying updated on emerging threats and vulnerabilities in the web application landscape.

In conclusion, web attack investigation in digital forensics is a critical aspect of cybersecurity that
requires a systematic and comprehensive approach. It involves leveraging various forensic techniques
and tools to identify, analyze, and respond to web-based incidents, ultimately enhancing the resilience
of web services against malicious activities.
83
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

MCQ Questions and Answers:

1. What is steganography?
- A) Encryption technique
- B) Hidden data extraction method
- C) Compression algorithm
- D) File system format

2. In digital forensics, what is the purpose of extracting hidden data?

- A) To recover deleted files
- B) To uncover concealed information
- C) To analyze network traffic
- D) To decrypt encrypted files

3. Which of the following is an example of covert communication?

- A) Clear text messages
- B) Encrypted emails
- C) Steganographic images
- D) Publicly shared documents

4. What is the primary goal of network traffic analysis?

- A) To hide network activities
- B) To optimize network performance
- C) To monitor and detect suspicious activities
- D) To encrypt all network traffic

5. Which protocol is commonly used for secure communication over a network?

- A) FTP
- B) HTTP
- C) HTTPS
- D) Telnet

6. What is a packet sniffer used for in network traffic analysis?

- A) To create a firewall
- B) To analyze and capture network packets
- C) To establish secure connections
- D) To encrypt data

84
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

7. In the data storage hierarchy, which is the fastest storage medium?

- A) Hard disk drive
- B) Solid-state drive
- C) Magnetic tape
- D) Optical disc

8. What is the purpose of cache memory in the data storage hierarchy?

- A) Long-term data storage
- B) Temporary data storage for quick access
- C) Backup storage
- D) Offline data storage

9. Which storage medium is most suitable for archival purposes and long-term data retention?
- A) Hard disk drive
- B) Magnetic tape
- C) Optical disc
- D) USB flash drive

10. What is the role of the actuator arm in a hard disk drive?
- A) Reading and writing data on the platters
- B) Rotating the platters
- C) Controlling the power supply
- D) Cooling the hard disk

11. How is data stored on the platters of a hard disk?

- A) In binary code
- B) In alphabetical order
- C) In hexadecimal format
- D) Using compression algorithms

12. What is the purpose of the spindle in a hard disk drive?

- A) Reading data
- B) Writing data
- C) Rotating the platters
- D) Storing data

13. Which file system is commonly used in modern Windows operating systems?
- A) NTFS
- B) FAT32
- C) HFS+
85
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
- D) Ext4

14. What is a key advantage of NTFS over FAT32?

- A) Compatibility with various operating systems
- B) Support for large file sizes and volumes
- C) Faster file access speed
- D) Lower disk space requirements

15. Which file system is more suitable for removable storage devices like USB flash drives?
- A) NTFS
- B) FAT32
- C) exFAT
- D) Ext3

16. How can deleted files be potentially recovered in digital forensics?

- A) By rewriting the data on the disk
- B) By restoring from a backup
- C) By using file recovery tools
- D) By formatting the disk

17. What happens when a file is deleted from a storage device?

- A) The data is immediately erased
- B) The file system marks the space as available
- C) The file is moved to a hidden folder
- D) The file is encrypted

18. Which file attribute may be associated with a deleted file that can aid in its recovery?
- A) Read-only
- B) Hidden
- C) Archive
- D) Recycle Bin

19. What is a brute-force attack in the context of password cracking?

- A) A method of social engineering
- B) Attempting all possible password combinations
- C) Extracting passwords from a database
- D) Using rainbow tables

20. Which type of password is generally more secure?

- A) Short and simple
- B) Long and complex
86
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
- C) Easily memorable
- D) Common words

21. What is the purpose of salting passwords in a database?

- A) Adding flavor to passwords
- B) Increasing password strength
- C) Encrypting passwords
- D) Preventing password cracking

22. What is the main function of the Master File Table (MFT) in NTFS?
- A) File compression
- B) File allocation
- C) File indexing and metadata storage
- D) File encryption

23. Which forensic technique is used to validate the integrity of digital evidence?
- A) Hashing
- B) Encryption
- C) Compression
- D) Steganography

24. In the context of network traffic analysis, what is a honeypot?

- A) A trap set to detect and deflect hacking attempts
- B) A secure file storage location
- C) A type of encryption algorithm
- D) A backup server

25. What is the primary purpose of a rainbow table in password cracking?

- A) To store encrypted passwords
- B) To generate hash values
- C) To map hash values to plaintext passwords
- D) To analyze network traffic

26. Which part of a computer system is responsible for managing hardware resources and providing
services for computer programs?
- A) Central Processing Unit (CPU)
- B) Operating System
- C) Random Access Memory (RAM)
- D) Hard Disk Drive (HDD)

87
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

27. What is the purpose of a firewall in network security?

- A) To encrypt data transmissions
- B) To monitor network traffic
- C) To prevent unauthorized access
- D) To store backup data

28. Which of the following is a common method of securing wireless networks?

- A) Port forwarding
- B) MAC address filtering
- C) IP address masking
- D) DNS resolution

29. What does RAID stand for in the context of data storage?
- A) Random Access Integrated Disk
- B) Redundant Array of Independent Disks
- C) Remote Access and Intranet Data
- D) Rapid Application and Information Deployment

30. What is the primary purpose of an Intrusion Detection System (IDS)?

- A) To detect and prevent malware
- B) To monitor and alert on suspicious activities
- C) To encrypt communication channels
- D) To recover deleted files

Answers:
1. B. Hidden data extraction method
2. B. To uncover concealed information
3. C. Steganographic images
4. C. To monitor and detect suspicious activities
5. C. HTTPS
6. B. To analyze and capture network packets
7. B. Solid-state drive
8. B. Temporary data storage for quick access
9. B. Magnetic tape
10. A. Reading and writing data on the platters
88
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
11. A. In binary code
12. C. Rotating the platters
13. A. NTFS
14. B. Support for large file sizes and volumes
15. B. FAT32
16. C. By using file recovery tools
17. B. The file system marks the space as available
18. C. Archive
19. B. Attempting all possible password combinations
20. B. Long and complex
21. D. Preventing password cracking
22. C. File indexing and metadata storage
23. A. Hashing
24. A. A trap set to detect and deflect hacking attempts
25. C. To map hash values to plaintext passwords
26. B. Operating System
27. C. To prevent unauthorized access
28. B. MAC address filtering
29. B. Redundant Array of Independent Disks
30. B. To monitor and alert on suspicious activities
Short answer type questions (3 marks):
1. What is hidden data extraction?
2. Why is hidden data extraction important in digital forensics?
3. Provide an example of hidden data in a document.
4. What is network traffic analysis?
5. How does network traffic analysis contribute to cybersecurity?
6. Name one tool used for network traffic analysis.

89
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

7. Explain the concept of data storage hierarchy.

8. Give an example of a storage device in the lower tier of the hierarchy.
9. Why is data storage hierarchy important in computer systems?
10. What are platters in the physical structure of a hard disk?
11. Explain the role of read/write heads in a hard disk.
12. How is data organized on a hard disk?
13. What are NTFS and FAT32?
14. What is a key difference between NTFS and FAT32?
15. Why would you choose NTFS over FAT32 for a storage device?
16. How can deleted file recovery be achieved?
17. What is a common challenge in deleted file recovery?
18. Why is it important to act promptly in file recovery after deletion?
19. Define password cracking.
20. Name one common method used in password cracking.
21. How can users enhance password security to resist cracking attempts?

Long answer type questions (5 marks):

1. What is hidden data extraction, and why is it important in digital forensics?
2. Explain the significance of network traffic analysis in cybersecurity.
3. What is data storage hierarchy, and how does it impact data retrieval speed?
4. Describe the physical structure of a hard disk and how data is stored on it.
5. Compare NTFS and FAT32 file systems, highlighting their differences.
6. Explain the process of recovering deleted files from a storage device.
7. Discuss the ethical considerations surrounding password cracking in cybersecurity.

90
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

MODULE IV: COMPUTER FORENSICS

Preparing a Case in Computer Forensics:

Preparing a case in computer forensics involves meticulous planning, careful execution, and
meticulous documentation. Every step, from the initial intake to the final report, plays a crucial role in
ensuring the admissibility and effectiveness of your findings in court or any other legal setting.
1. Understanding the Scope and Objectives:
• Gather Details: Before diving into the digital haystack, begin by understanding the nature of
the case. What are the allegations? What type of evidence are you looking for? Are there
specific devices or data sources involved?
• Define Goals: Clearly define your investigative goals. Are you aiming to identify the
perpetrator, track stolen data, or reconstruct a timeline of events? Having a clear roadmap will
guide your investigation and prioritize evidence collection.
2. Securing the Scene and Evidence:
• Chain of Custody: Establish a meticulous chain of custody from the moment you encounter the
evidence. Document every step, from device seizure to analysis and reporting. This ensures the
evidence's integrity and admissibility in court.
• Preservation is Key: Employ forensic imaging techniques to create bit-for-bit copies of storage
devices. This preserves the original data state and avoids accidental or malicious alterations.
3. Conducting the Examination:
• Choosing the Right Tools: Utilize specialized forensic software for data carving, deleted file
recovery, and timeline analysis. Different tools cater to specific data types and investigation
needs.
• Exhaustive Analysis: Don't limit yourself to the obvious. Scrutinize logs, metadata, system
configurations, and even seemingly irrelevant files for hidden clues. Remember, the devil is
often in the details.
4. Documenting and Reporting:
• Detailed Records: Maintain thorough logs of your every action during the investigation.
Document the tools used, timestamps, and any observations made. This forms the backbone of
your report and strengthens your findings.

91
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
• Clear and Concise Reporting: Present your findings in a clear, concise, and objective manner.
Avoid technical jargon and focus on the facts and their interpretations. Tailor your report to
your audience, whether it's a judge, lawyer, or technical expert.
5. Be Prepared for the Road Ahead:
• Anticipate Challenges: Be prepared to face objections, technical hurdles, and potential data
loss. Having a contingency plan ensures you can adapt and overcome unforeseen obstacles.
• Expert Testimony: If necessary, prepare to testify in court and explain your findings to a non-
technical audience. Practice your explanations and anticipate potential questions from opposing
counsel.
Remember:
• Ethics and Legality: Always adhere to ethical and legal considerations throughout the
investigation. Obtain proper warrants and authorization before accessing data, and ensure your
methods comply with relevant laws and regulations.
• Continuous Learning: The field of computer forensics is constantly evolving. Stay updated on
the latest tools, techniques, and cyber threats to remain at the forefront of your profession.

Beginning an investigation in the context of Computer Forensics:

Initiating a computer forensics investigation requires meticulous planning and swift action. It's like
defusing a ticking time bomb of digital evidence, where every second counts in preserving crucial data
and piecing together the puzzle of events. Here's a breakdown of the initial steps involved in kicking
off a successful investigation:
1. Understanding the Landscape:
Gathering Context: Before diving into the digital abyss, grasp the bigger picture. What triggered the
investigation? What type of crime or incident are you dealing with? Understanding the context helps
define the scope and objectives of your investigation.
Identifying Stakeholders: Pinpoint the key players involved, such as potential suspects, victims, and
witnesses. This helps direct your initial data collection and analysis efforts.

92
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

2. Securing the Scene:

Preserving the Terrain: Treat the digital scene with utmost caution. Isolate the devices suspected of
containing evidence to prevent data alteration or tampering. Remember, even powering on a device
can generate new data that could compromise the investigation.
Chain of Custody: Establish a meticulous chain of custody from the moment you encounter the
evidence. Document every step, from device seizure to transportation and analysis. This ensures the
evidence's integrity and admissibility in court.
3. Initial Assessment and Triage:
Identifying Relevant Devices: Not all devices are created equal. Prioritize the devices most likely to
harbor relevant evidence based on the nature of the case and user activity. This helps optimize your
time and resources.
Preliminary Examination: Conduct a non-invasive preliminary examination to gather basic
information without altering the original data. This can involve identifying user accounts, recent
activity logs, and the overall health of the device.
4. Crafting a Strategic Plan:
Defining Objectives: Refine your investigative goals based on the initial assessment. Are you
searching for specific files, tracking deleted data, or reconstructing a timeline of events? Having clear
objectives guides your data collection and analysis efforts.
Choosing the Right Tools: Select the appropriate forensic software tools based on the types of data
you're targeting and the specific tasks you need to accomplish. Different tools cater to different needs,
from file recovery to malware analysis.
5. Taking the First Steps:
Data Acquisition: Depending on the chosen tools and devices, acquire forensic copies of the identified
storage media. Remember, always use write-blocked techniques to avoid altering the original data.

93
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
Initial Analysis: Perform a preliminary analysis of the acquired data to identify potential leads and
areas requiring further investigation. This could involve searching for keywords, analyzing file
timestamps, and identifying suspicious activity.
Remember:
Act with Urgency: Digital evidence is volatile and can be easily overwritten or lost. The sooner you
begin the investigation, the higher the chances of preserving crucial data.
Document Everything: Maintain detailed logs of your every action during the investigation. This
includes the tools used, timestamps, observations made, and any decisions taken. Thorough
documentation strengthens your findings and ensures case transparency.
Seek Guidance when Needed: Don't hesitate to seek advice and assistance from experienced computer
forensics professionals, especially for complex cases or unfamiliar devices. Collaboration and
mentorship can be invaluable assets in navigating the intricacies of digital investigations.

An Overview of a Computer Crime:

Law enforcement officers often find computers and computer components as they’re investigating
crimes, gathering other evidence, or making arrests. Computers can contain information that helps law
enforcement officers determine the chain of events leading to a crime or information providing evidence
that’s more likely to lead to a conviction. As an example of a case in which computers were involved in
a crime, the police raided a suspected drug dealer’s home and found a computer, several floppy disks
and USB drives (also called keychain drives or memory sticks), a personal digital assistant (PDA), and
a cell phone in a bedroom (see Figure 2-1). The computer was “bagged and tagged,” meaning it was
placed in evidence bags along with the storage media and then labeled with tags as part of the search
and seizure.
The lead detective on the case wants you to examine the computer to find and organize data that could
be evidence of a crime, such as files containing names of the drug dealer’s contacts. The acquisitions
officer gives you documentation of items the investigating officers collected with the computer,
including a list of other storage media, such as removable disks and CDs. The acquisitions officer also
notes that the computer is a Windows XP system, and the machine was running when it was discovered.
94
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
Before shutting down the computer, the acquisitions officer photographs all open windows on the
Windows desktop, including one showing Windows Explorer, and gives you the photos. (Before
shutting down the computer, a live acquisition should be done to capture RAM, too.)
As a computer forensics investigator, you’re grateful the officers followed proper procedure when
acquiring the evidence. With digital evidence, it’s important to realize how easily key data, such as the
last access date, can be altered by an overeager investigator who’s first on the scene. The U.S.
Department of Justice (DOJ) has a document you can download that reviews proper acquisition of
electronic evidence, including the search and seizure of computers
(www.usdoj.gov/criminal/cybercrime/s&smanual2002.html). If this link has changed because of site
updates, use the search feature. In your preliminary assessment, you assume that the hard disk and
storage media include intact files, such as e-mail messages, deleted files, and hidden files. A range of
software is available for use in your investigation; your office uses the tool Technology Pathways Pro
Discover After your preliminary assessment, you identify the potential challenges in this case.
Because drug dealers don’t usually make information about their accomplices available, the files on the
disks you received are probably password protected. You might need to acquire password-cracking
software or find an expert who can help you decrypt a file. Later, you perform the steps needed to
investigate the case, including how to address risks and obstacles. Then you can begin the actual
investigation and data retrieval.

An Overview of a Company Policy Violation:

Companies often establish policies for employee use of computers. Employees surfing the Internet,
sending personal e-mail, or using company computers for personal tasks during work hours can waste
company time. Because lost time can cost companies millions of dollars, computer forensics specialists
are often used to investigate policy violations. The following example describes a company policy
violation.
Manager Steve Billings has been receiving complaints from customers about the job performance of
one of his sales representatives, George Montgomery. George has worked as a representative for
several years. He’s been absent from work for two days but hasn’t called in sick or told anyone why
95
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
he wouldn’t be at work. Another employee, Martha, is also missing and hasn’t informed anyone of the
reason for her absence. Steve asks the IT Department to confiscate George’s hard drive and all storage
media in his work area. He wants to know whether there’s any information on George’s computer and
storage media that might offer a clue to George’s whereabouts and job performance concerns. To help
determine George and Martha’s whereabouts, you must take a systematic approach, described in the
following section, to examining and analyzing the data found on George’s desk.

Procedures for Corporate High-Tech Investigations:

As an investigator, you need to develop formal procedures and informal checklists to cover all issues
important to high-tech investigations. These procedures are necessary to ensure that correct techniques
are used in an investigation. Use informal checklists to be certain that all evidence is collected and
processed properly. This section lists some sample procedures that computing investigators commonly
use in corporate high-tech investigations.

Employee Termination Cases The majority of investigative work for termination cases involves
employee abuse of corporate assets. Incidents that create a hostile work environment, such as
viewing pornography in the workplace and sending inappropriate e-mail messages, are the predominant
types of cases investigated. The following sections describe key points for conducting an investigation
that might lead to an employee’s termination. Consulting with your organization’s general counsel and
Human Resources Department for specific directions on how to handle these investigations is
recommended. Your organization must have appropriate policies in place, asdescribed in Chapter 1.

Internet Abuse Investigations:

The information in this section applies to an organization’s internal private network, not a public ISP.
Consult with your organization’s general counsel after reviewing this list, and make changes according
to their directions to build your own procedures.
To conduct an investigation involving Internet abuse, you need the following:
• The organization’s Internet proxy server logs
96
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
• Suspect computer’s IP address obtained from your organization’s network administrator
• Suspect computer’s disk drive
• Your preferred computer forensics analysis tool (ProDiscover, Forensic Toolkit, EnCase, X-Ways
Forensics, and so forth)
The following steps outline the recommended processing of an Internet abuse case:
1. Use the standard forensic analysis techniques and procedures described in this book for the disk
drive examination.
2. Using tools such as DataLifter or Forensic Toolkit’s Internet keyword search option, extract all
Web page URL information.
3. Contact the network firewall administrator and request a proxy server log, if it’s available, of the
suspect computer’s network device name or IP address for the dates of interest. Consult with your
organization’s network administrator to confirm that these logs are maintained and how long the time
to live (TTL) is set for the network’s IP address assignments that use Dynamic Host Configuration
Protocol (DHCP).
4. Compare the data recovered from forensic analysis to the proxy server log data to confirm that they
match.
5. If the URL data matches the proxy server log and the forensic disk examination, continue analyzing
the suspect computer’s drive data, and collect any relevant downloaded inappropriate pictures or Web
pages that support the allegation. If there are no matches between the proxy server logs, and the
forensic examination shows no contributing evidence, report that the allegation is unsubstantiated.
Before investigating an Internet abuse case, research your state or country’s privacy laws. Many
countries have unique privacy laws that restrict the use of computer log data, such as proxy server
logs or disk drive cache files, for any type of investigation. Some state or federal laws might supersede
your organization’s employee policies. Always consult with your organization’s attorney. For
companies with international business operations, jurisdiction is a problem; what is legal in the United
States, such as examining and investigating a proxy server log, might not be legal in Germany, for
example. For investigations in which the proxy server log doesn’t match the forensic analysis that
found inappropriate data, continue the examination of the suspect computer’s disk drive. Determine
97
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
when inappropriate data was downloaded to the computer and whether it was through an
organization’s intranet connection to the Internet. Employees might have used their employer’s laptop
computers to connect to their own ISPs to download inappropriate Web content. For these situations,
you need to consult your organization’s employee policy guidelines for what’s considered appropriate
use of the organization’s computing assets.

E-mail Abuse Investigations:

E-mail investigations typically include spam, inappropriate and offensive message content, and
harassment or threats. E-mail is subject to the same restrictions as other computer evidence data, in
that an organization must have a defined policy, as described in Chapter 1. The following list is what
you need for an investigation involving e-mail abuse:
• An electronic copy of the offending e-mail that contains message header data; consult with your e-
mail server administrator
• If available, e-mail server log records; consult with your e-mail server administrator to see whether
they are available
• For e-mail systems that store users’ messages on a central server, access to the server; consult with
your e-mail server administrator
• For e-mail systems that store users’ messages on a computer as an Outlook .pst or .ost file, for
example, access to the computer so that you can perform a forensic analysis on it
• Your preferred computer forensics analysis tool, such as Forensic Toolkit or ProDiscover This is the
recommended procedure for e-mail investigations:
1. For computer-based e-mail data files, such as Outlook .pst or .ost files, use the standard forensic
analysis techniques and procedures described in this book for the drive examination.
2. For server-based e-mail data files, contact the e-mail server administrator and obtain an electronic
copy of the suspect and victim’s e-mail folder or data.
3. For Web-based e-mail investigations, such as Hotmail or Gmail, use tools such as Forensic
Toolkit’s Internet keyword search option to extract all related e-mail address information.

98
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
Attorney-Client Privilege Investigations:
When conducting a computer forensics analysis under attorney-client privilege (ACP) rules for an
attorney, you must keep all findings confidential. The attorney you’re working for is the ultimate
authority over the investigation. For investigations of this nature, attorneys typically request that you
extract all data from drives. It’s your responsibility to comply with the attorney’s directions. Because
of the large quantities of data a drive can contain, the attorney will want to know about everything of
interest on the drives. Many attorneys like to have printouts of the data you have recovered, but
printouts can present problems when you have log files with several thousand pages of data or CAD
drawing programs that can be read only by proprietary programs. You need to persuade and educate
many attorneys on how digital evidence can be viewed electronically. In addition, learn how to teach
attorneys and paralegals to sort through files so that you can help them efficiently analyze the huge
amount of data a forensic examination produces.
You can also encounter problems if you find data in the form of binary files, such as CAD drawings.
Examining these files requires using the CAD program that created them. In addition, engineering
companies often have specialized drafting programs. Discovery demands for lawsuits involving a
product that caused injury or death requires extracting design plans for attorneys and expert witnesses
to review. You’re responsible for locating the programs for these design plans so that attorneys and
expert witnesses can view the evidence files.
The following list shows the basic steps for conducting an ACP case:
1. Request a memorandum from the attorney directing you to start the investigation. The
memorandum must state that the investigation is privileged communication and list your name and
any other associates’ names assigned to the case.
2. Request a list of keywords of interest to the investigation.
3. After you have received the memorandum, initiate the investigation and analysis. Any findings you
made before receiving the memorandum are subject to discovery by the opposing attorney.

(For drive examinations, make two bit-stream images (discussed later in this chapter) of the drive using
a different tool for each image, such as EnCase for the first and ProDiscover or SafeBack for the

99
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
second. If you have large enough storage drives, make each bit-stream image uncompressed so that
if it becomes corrupt, you can still examine uncorrupted areas with your preferred forensic analysis
tool.)
4. If possible, compare hash values on all files on the original and re-created disks. Typically,
attorneys want to view all data, even if it’s not relevant to the case. Many GUI forensics tools perform
this task during bit-stream imaging of the drive.
5.Methodically examine every portion of the drive (both allocated and unallocated data areas) and
extract all data.
6. Run keyword searches on allocated and unallocated disk space. Follow up the search results to
determine whether the search results contain information that supports the case.
7. For Windows OSs, use specialty tools to analyze and extract data from the Registry, such as
AccessData Registry Viewer or a Registry viewer program (discussed in more detail in Chapter 6).
Use the Edit, Find menu option in Registry Editor, for example, to search for keywords of interest to
the investigation.
8. For binary files such as CAD drawings, locate the correct program and, if possible, makeprintouts
of the binary file content. If the files are too large, load the specialty program on a separateworkstation
with the recovered binary files so that the attorney can view them.
9. For unallocated data (file slack space or free space, explained in Chapter 6) recovery, use a tool
that removes or replaces nonprintable data, such as X-Ways Forensics Specialist Gather Textfunction.
10. Consolidate all recovered data from the evidence bit-stream image into wellorganized folders and
subfolders. Store the recovered data output, using a logical and easy-to-follow storage method for the
attorney or paralegal.
Here are some other guidelines to remember for ACP cases:
• Minimize all written communication with the attorney; use the telephone when you need to ask
questions or provide information related to the case.
• Any documentation written to the attorney must contain a header stating that it’s “Privileged Legal
Communication—Confidential Work Product,” as defined under the attorney-work-product rule.
• Assist the attorney and paralegal in analyzing the data. If you have difficulty complying with the
100
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
directions or don’t understand the directives from the memorandum, contact the attorney andexplain
the problem. Always keep an open line of verbal communication with the attorney during these types
of investigations. If you’re communicating via e-mail, use encryption (such as PGP) or another secure
e-mail service for all messages.

Media Leak Investigations:

In the corporate environment, controlling sensitive data can be difficult. Disgruntled employees, for
example, might send an organization’s sensitive data to a news reporter. The reasons for media leaks
range from employees’ efforts to embarrass management to a rival conducting a power struggle
between other internal organizations. Another concern is the premature release of information about
new products, which can disrupt operations and cause market share loss for a business if the
information is made public too soon. Media leak investigations can be time consuming and resource
intensive. Because management wants to find who leaked information, scope creep during the
investigation is not uncommon. Consider the following guidelines for media leak investigations:
• Examine e-mail, both the organization’s e-mail servers and private e-mail accounts (Hotmail,
Yahoo!, Gmail, and so on), on company-owned computers. Examine Internet message boards, and
search the Internet for any information about the company or product. Use Internet search engines to
run keyword searches related to the company, product, or leaked information. For example, you might
search for “graphite-composite bicycle sprocket” for a bicycle manufacturer that was the victim of a
media leak about a new product in development.

Examine proxy server logs to check for log activities that might show use of free e-mail services,
such as Gmail. Track back to the specific workstations where these messages originated andperform
a forensic analysis on the drives to help determine what was communicated.
• Examine known suspects’ workstations, perform computer forensics examinations on persons of
interest, and develop other leads on possible associates.
• Examine all company phone records for any calls to known media organizations. The following list
outlines steps to take for media leaks:

101
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
1. Interview management privately to get a list of employees who have direct knowledge of the
sensitive data.
2. Identify the media source that published the information.
3. Review company phone records to see who might have had contact with the news service.
4. Obtain a list of keywords related to the media leak.
5. Perform keyword searches on proxy and e-mail servers.
6. Discreetly conduct forensic disk acquisitions and analysis of employees of interest.
7. From the forensic disk examinations, analyze all e-mail correspondence and trace any sensitive
messages to other people who haven’t been listed as having direct knowledge of the sensitive data.
Expand the discreet forensic disk acquisition and analysis for any new persons of interest.
8. Consolidate and review your findings periodically to see whether new clues can be discovered.
9. Report findings to management routinely, and discuss how much further to continue the
investigation. Industrial Espionage Investigations Industrial espionage cases, similar to media leaks,
can be time consuming and are subject to the same scope creep problems.
The following list includes staff you might need when planning an industrial espionage investigation.
This list isn’t exhaustive, so use your knowledge to improve on these recommendations:
• The computing investigator who is responsible for disk forensic examinations.
• The technology specialist who is knowledgeable about the suspected compromised technical data.
• The network specialist who can perform log analysis and set up network monitors to trap network
communication of possible suspects.
• The threat assessment specialist (typically an attorney) who is familiar with federal and state laws
and regulations related to ITAR or EAR and industrial espionage. In addition, consider the following
guidelines when initiating an international espionage investigation:
• Determine whether this investigation involves a possible industrial espionage incident, and then
determine whether it falls under ITAR or EAR.
• Consult with corporate attorneys and upper management if the investigations must be conducted
discreetly.
• Determine what information is needed to substantiate the allegation of industrial espionage.
102
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
• Generate a list of keywords for disk forensics and network monitoring.

• List and collect resources needed for the investigation. Determine the goal and scope of the
investigation; consult with management and the company’s attorneys on how much work you should
do.
• Initiate the investigation after approval from management, and make regular reports of your
activities and findings.
The following are planning considerations for industrial espionage investigations:
• Examine all e-mail of suspected employees, both company-provided e-mail and free Web-based
services.
• Search Internet newsgroups or message boards for any postings related to the incident.
• Initiate physical surveillance with cameras on people or things of interest to the investigation.
• If available, examine all facility physical access logs for sensitive areas, which might include
secure areas where smart badges or video surveillance recordings are used.
• If there’s a suspect, determine his or her location in relation to the vulnerable asset that was
compromised.
• Study the suspect’s work habits.
• Collect all incoming and outgoing phone logs to see whether any unique or unusual places were
called.
When conducting an industrial espionage case, follow these basic steps:
1. Gather all personnel assigned to the investigation and brief them on the plan and any concerns.
2. Gather the resources needed to conduct the investigation.
3. Start the investigation by placing surveillance systems, such as cameras and network monitors, at
key locations.
4. Discreetly gather any additional evidence, such as the suspect’s computer drive, and make a bit-
stream image for follow-up examination.
5. Collect all log data from networks and e-mail servers, and examine them for unique items that
might relate to the investigation.
6. Report regularly to management and corporate attorneys on your investigation’s status andcurrent
103
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
findings.
7. Review the investigation’s scope with management and corporate attorneys to determine whether
it needs to be expanded and more resources added.

Interviews and Interrogations in High-Tech Investigations:

Becoming a skilled interviewer and interrogator can take many years of experience. Typically, a
corporate computing investigator is a technical person acquiring the evidence for an investigation.
Many large organizations have full-time security investigators with years of training and experience
in criminal and civil investigations and interviewing techniques. Few of these investigators have any
computing or network technical skills, so you might be asked to assist in interviewing or interrogating
a suspect when you have performed a forensic disk analysis on that suspect’s machine. An
interrogation is different from an interview. An interview is usually conducted to collect information
from a witness or suspect about specific facts related to an investigation. An interrogation is the
process of trying to get a suspect to confess to a specific incident or crime. An investigator might
change from an interview to an interrogation when talking to a witness or suspect. The more
experience and training investigators have in the art of interviewing and interrogating, the more easily
they can determine whether a witness is credible and possibly a suspect.
Your role as a computing investigator is to instruct the investigator conducting the interview on what
questions to ask and what the answers should be. As you build rapport with the investigator, he or she
might ask you to question the suspect. Watching a skilled interrogator is a learning experience in
human relations skills. If you’re asked to assist in an interview or interrogation, prepare yourself by
answering the following questions:

• What questions do I need to ask the suspect to get the vital information about the case?
• Do I know what I’m talking about, or will I have to research the topic or technology
related to the investigation?
• Do I need additional questions to cover other indirect issues related to the
investigation?

104
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
Common interview and interrogation errors include being unprepared for the interview or
interrogation and not having the right questions or enough questions to increase your depth of
knowledge. Make sure you don’t run out of conversation topics; you need to keep the conversation
friendly to gain the suspect’s confidence. Avoid doubting your own skills, which might show the
suspect you lack confidence in your ability. Ingredients for a successful interview or interrogation
require the following:
• Being patient throughout the session.
• Repeating or rephrasing questions to zero in on specific facts from a reluctant witness or suspect
being tenacious.

Unveiling the Digital Trail: A Deep Dive into Digital Forensic Investigations
Digital forensics has become an indispensable tool in today's world, where almost every aspect of our
lives leaves a digital footprint. From criminal investigations to corporate disputes, the ability to extract
and analyze data from electronic devices can be the key to unlocking the truth. But how exactly does a
digital forensic investigation unfold? Let's delve into the meticulous process and explore the essential
tools that aid in this digital detective work. The Stages of a Digital Forensic Investigation:
1. Identification and Preservation: The first step is to pinpoint the relevant devices and secure
them to prevent any data alteration. This could involve seizing computers, smartphones, external
drives, or even cloud storage accounts.
2. Acquisition and Imaging: Forensic copies of the digital evidence are acquired using
specialized tools to create an exact replica of the storage media's contents. This ensures the
integrity of the original data for potential legal proceedings.
3. Analysis and Examination: The acquired data is meticulously examined using various
software tools. This may involve keyword searches, file recovery, timeline reconstruction, and
examination of internet browsing history, emails, and chat logs.

105
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
4. Documentation and Reporting: A comprehensive report is generated, detailing the
methodology used, the findings of the analysis, and any conclusions drawn from the evidence.
This report serves as a crucial piece of evidence in court or for internal investigations.
N.B:
Critiquing the Case:
After you close the case and make your final report, you need to meet with your department or a group
of fellow investigators and critique the case in an effort to improve your work. Ask yourself assessment
questions such as the following:
• How could you improve your performance in the case?
• Did you expect the results you found? Did the case develop in ways you did not expect?
• Was the documentation as thorough as it could have been?
• What feedback has been received from the requesting source?
• Did you discover any new problems? If so, what are they?
• Did you use new techniques during the case or during research?
Make notes to yourself in your journal about techniques or processes that might need to be changed
or addressed in future investigations. Then store your journal in a secure place.

Essential Tools of the Trade:

• Forensic Imaging Tools: These tools create an exact replica of a storage device, ensuring the
integrity of the evidence. Examples include FTK Imager, EnCase Forensics Imager, and dd (CLI
tool).
• Data Carving Tools: These tools recover deleted or fragmented files from storage media.
Examples include PhotoRec, Recuva, and Scalpel.
• Disk Analysis Tools: These tools visualize and analyze disk usage, highlighting deleted files
and potential areas of interest. Examples include WinHex, XaraDisk, and VisiDisk.
• Registry Analysis Tools: These tools examine the Windows registry, which stores system
configurations and user activity logs. Examples include RegRipper, Registry Explorer, and
Autoruns.
106
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
• Timeline Reconstruction Tools: These tools create a chronological timeline of events based
on extracted timestamps from various data sources. Examples include Timeline Explorer,
Autopsy, and X-Ways Forensics.
• Network Traffic Analysis Tools: These tools capture and analyze network traffic to identify
malicious activity or communication patterns. Examples include Wireshark and tcpdump.
The Importance of Following a Chain of Custody:
Throughout the investigation, maintaining a strict chain of custody is crucial. This innebär documenting
every step taken with the evidence, from its seizure to its analysis and presentation in court. This ensures
the admissibility of the evidence and its credibility in legal proceedings.
Beyond the Tools: The Human Element
While powerful tools are indispensable, successful digital forensic investigations rely heavily on the
expertise and skills of the investigators. They must possess a deep understanding of digital technologies,
analytical thinking, and meticulous attention to detail. The ability to interpret complex data, draw
accurate conclusions, and present findings in a clear and concise manner is paramount.
In Conclusion:
Digital forensic investigations are intricate procedures that demand precision, meticulousness, and the
right tools. By understanding the stages involved and the essential tools employed, we gain a deeper
appreciation for the complex world of digital evidence and the critical role it plays in unraveling the
truth in the digital age.
Remember, this is just a glimpse into the fascinating world of digital forensics. As technology continues
to evolve, so too will the tools and techniques used in these investigations. The one constant remains the
unwavering pursuit of truth, extracted from the ever-expanding realm of digital footprints we leave
behind.

107
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

MCQ Questions and Answers:

1. What is the primary goal of computer forensics investigation?
a) System optimization
b) Data destruction
c) Evidence preservation and analysis
d) Software development

2. In computer forensics, what does the term "volatile data" refer to?
a) Data that is easily deleted
b) Data that is difficult to recover
c) Data that changes frequently
d) Encrypted data

3. Which of the following is NOT a potential source of digital evidence in a computer forensics
investigation?
a) Hard drives
b) Printers
c) CD-ROMs
d) Radio waves

4. What is steganography in the context of computer forensics?

a) Encrypting files with a password
b) Hiding data within other data
c) Deleting all traces of digital activity
d) Analyzing network traffic

5. Which of the following is a popular open-source computer forensics tool used for disk imaging?
a) Norton Ghost
b) FTK Imager
c) EnCase
d) Autopsy

6. What is Wireshark commonly used for in computer forensics?

a) Disk imaging
b) Network traffic analysis
c) File recovery
d) Password cracking

108
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

7. Which tool is widely used for memory analysis in computer forensics?

a) dd
b) Volatility
c) ProDiscover
d) Sleuth Kit

8. In computer forensic methodology, what is the first step in the process?

a) Analysis
b) Collection
c) Reporting
d) Identification

9. What does the acronym "ACPO" stand for in the context of computer forensic methodology?
a) Advanced Computer Processing Organization
b) Association of Certified Professional Observers
c) Association of Chief Police Officers
d) Advanced Cybersecurity Protocol Organization

10. What is the purpose of the "Preservation" phase in computer forensic methodology?
a) Analyzing evidence
b) Documenting findings
c) Ensuring the integrity of evidence
d) Reporting the investigation

11. What does "Chain of Custody" refer to in computer forensics?

a) A sequence of evidence collection steps
b) A secure log of evidence handling
c) A method of encryption
d) A type of computer virus

12. Who is responsible for maintaining the Chain of Custody in a computer forensics investigation?
a) Only the forensic analyst
b) Only the law enforcement agency
c) Both the forensic analyst and law enforcement agency
d) The suspect

13. What is the primary purpose of maintaining a Chain of Custody?

a) To hide evidence
b) To ensure the admissibility of evidence in court
c) To speed up the investigation process
109
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
d) To compromise the integrity of evidence

14. What can compromise the Chain of Custody in a computer forensics investigation?
a) Secure storage procedures
b) Detailed documentation
c) Mishandling or tampering with evidence
d) Regular backups

15. Which legal concept is closely associated with the Chain of Custody in computer forensics?
a) Habeas corpus
b) Exclusionary rule
c) Statute of limitations
d) Admissibility

Answers:
1. A. Evidence preservation and analysis
2. C. Data that changes frequently
3. D. Radio waves
4. B. Hiding data within other data
5. B. FTK Imager
6. B. Network traffic analysis
7. B. Volatility
8. D. Identification
9. C. Association of Chief Police Officers
10. C. Ensuring the integrity of evidence
11. B. A secure log of evidence handling
12. C. Both the forensic analyst and law enforcement agency
13. B. To ensure the admissibility of evidence in court
14. C. Mishandling or tampering with evidence
15. D. Admissibility

110
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

Short answer type questions (3 marks):

1. What is the role of a forensic analyst in a computer forensics investigation?

2. Explain the importance of a forensic image in computer forensics.

3. What challenges may arise when dealing with volatile data in a computer forensics investigation?

4. Differentiate between software write-blocking and hardware write-blocking in the context of

forensic tools.

5. How does Wireshark aid in computer forensics investigations?

6. Briefly describe the purpose of memory analysis tools in computer forensics.

7. What role does the "Analysis" phase play in computer forensic methodology?

8. Why is documentation crucial in the Reporting phase of computer forensic methodology?

9. Explain the significance of the "Collection" phase in computer forensic methodology.

10. What potential consequences could a break in the Chain of Custody have on a computer forensic
investigation?

11. How does maintaining the Chain of Custody contribute to the credibility of digital evidence?

12. What steps can be taken to prevent mishandling or tampering with evidence in the Chain of
Custody?

111
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

Long answer type questions (5 marks):

1. Explain the process of evidence identification in a computer forensics investigation and why it is a
critical initial step.

2. Describe the challenges associated with acquiring volatile data during a computer forensics
investigation. How can investigators overcome these challenges?

3. Compare and contrast the functionalities of FTK Imager and EnCase in computer forensics
investigations.

4. Examine the role of password cracking tools in computer forensics investigations. What ethical
considerations should investigators keep in mind when using such tools?

5. Discuss the significance of the Analysis phase in computer forensic methodology. What techniques
and tools are commonly employed during this phase?

6. Explain the purpose of the Reporting phase in computer forensic methodology. What elements
should be included in a comprehensive forensic report?

7. Define Chain of Custody in the context of computer forensics. Why is maintaining an unbroken
Chain of Custody crucial for the admissibility of evidence in court?

8. Identify potential vulnerabilities in the Chain of Custody process and discuss measures that can be
implemented to mitigate these vulnerabilities.

9. Examine the role of the forensic analyst and law enforcement agency in maintaining the Chain of
Custody. How can collaboration between these entities enhance the integrity of the investigative
process?

10. Discuss the potential consequences of a break in the Chain of Custody for a computer forensics
investigation. How might it impact the admissibility of evidence in court?

112
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

MODULE V: NETWORK FORENSICS

Introduction:
The word “forensics” means the use of science and technology to investigate and establish facts in
criminal or civil courts of law. Forensics is the procedure of applying scientific knowledge for the
purpose of analyzing the evidence and presenting them in court.
Network forensics is a subcategory of digital forensics that essentially deals with the examination of
the network and its traffic going across a network that is suspected to be involved in malicious
activities, and its investigation
Network intrusions are a growing threat: Companies and governments face constant attacks, with major
incidents like FIS' $13m prepaid credit card heist highlighting the severity.
This threat evolved from hacker subcultures: Driven by challenge and profit, cybercrime now involves
nation-states, criminals, and individuals, targeting critical infrastructure in finance, healthcare, and
national security.
Digital forensics plays a crucial role: It helps investigate these network intrusions, though unique
challenges exist compared to individual computer investigations.
Challenges include:
• Data distribution: Evidence may be scattered across multiple devices and locations.
• Data volume: The sheer amount of network data can be enormous.
• Attack sophistication: Hackers exploit technology vulnerabilities and human weaknesses like
weak passwords and social engineering.
The struggle is ongoing: Software patches address technical vulnerabilities, but human errors like weak
passwords and susceptibility to social engineering remain prevalent.
This introduction sets the stage for a deeper discussion on digital forensics and its role in tackling the
critical threat of network intrusions.

113
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

The Need for Network Forensics: Unmasking the Hidden Threat

In today's hyper-connected world, where every click leaves a digital trace, networks have become the
battleground for a new age of crime. And just like traditional crime scenes require forensic investigation,
so too do the intricate threads of digital interactions within these networks. This is where network
forensics takes center stage, playing a crucial role in combating cyber threats and safeguarding our
digital world.
Here's why network forensics is more than just a technical niche, but a necessity in the modern era:
1. Uncovering the Invisible: Unlike physical crimes, cyber attacks often leave no visible scars. Network
forensics unveils the hidden truth, providing investigators with the tools to analyze digital footprints,
reconstruct timelines, and identify the perpetrators lurking in the shadows. In the digital realm, data
itself becomes the witness, whispering clues about the attacker's motives, methods, and movements.
2. Protecting Critical Infrastructure: From power grids to financial systems, the backbone of our
society relies heavily on interconnected networks. When these networks fall victim to cyberattacks, the
consequences can be catastrophic. Network forensics acts as a vital defense mechanism, allowing us to
pinpoint vulnerabilities, understand how attacks unfolded, and implement effective countermeasures to
protect our most crucial infrastructure.
3. Deterring and Punishing Cybercrime: Just as fingerprints serve as a deterrent and bring criminals
to justice in the physical world, network forensics provides tangible evidence in the digital realm.
Analyzing network traffic and identifying the source of an attack allows for legal prosecution and holds
cybercriminals accountable for their actions. This sense of accountability acts as a deterrent,
discouraging future attacks and fostering a safer digital environment.
4. Improving Security Posture: Every breach is a learning opportunity. Network forensics enables us
to analyze past attacks, understand the attacker's tactics, and identify their entry points. This knowledge
empowers organizations to strengthen their security posture, close vulnerabilities, and implement
proactive measures to prevent future intrusions. By learning from past mistakes, we can build a more
robust and resilient digital ecosystem.

114
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
5. Ensuring Trust and Accountability: In a world where data breaches erode trust and create
uncertainty, network forensics provides a beacon of transparency. By providing verifiable evidence and
revealing the truth behind cyberattacks, network forensics strengthens public confidence in digital
systems and helps rebuild trust between businesses and their customers, and governments and their
citizens.

In conclusion, network forensics is not just a technical tool, but a crucial element in building a safer and
more secure digital future. By providing the means to investigate, understand, and respond to cyber
threats, network forensics empowers us to navigate the complex digital landscape with confidence,
knowing that the invisible threats lurking within can be brought to light and dealt with accordingly.

Challenges in Network Forensics:

• The biggest challenge is to manage the data generated during the process.
• Intrinsic anonymity of the IP.
• Address Spoofing.

Social engineering: Social engineering is the term used for a broad range of malicious activities
accomplished through human interactions. It uses psychological manipulation to trick users into making
security mistakes or giving away sensitive information. Social engineering attacks happen in one or
more steps. A perpetrator first investigates the intended victim to gather necessary background
information, such as potential points of entry and weak security protocols, needed to proceed with the
attack. Then, the attacker moves to gain the victim’s trust and provide stimuli for subsequent actions
that break security practices, such as revealing sensitive information or granting access to critical
resources.

115
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
What makes social engineering especially dangerous is that it relies on human error, rather than
vulnerabilities in software and operating systems. Mistakes made by legitimate users are much less
predictable, making them harder to identify and thwart than a malware-based intrusion.

Social Engineering Attack Lifecycle

Here are some common types of social engineering attacks:

Phishing: Emails or text messages disguised as legitimate entities, tricking you into clicking malicious
links or revealing personal information.

Pretexting: Fabricating a scenario to gain your trust and extract sensitive information. For example, an
attacker pretending to be from your bank calling to "verify your account."

Baiting: Offering something tempting, like free software or exclusive deals, to lure you into
downloading malware or exposing personal data.

Quid pro quo: Promising something in return for information or actions, like offering technical support
in exchange for remote access to your computer.

116
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

Tailgating: Following someone into a restricted area by piggybacking on their access or claiming to be
forgotten colleagues.

Network Fundamentals:

Networking computers offers advantages such as resource sharing and collaboration. Essential
components of a network include a connection (physical or wireless) and a common language, or
protocol, like TCP/IP. Client/server networks are prevalent in commercial settings, with clients (end-
user machines) making requests, and servers storing and providing files and services. Servers, like file
or email servers, have more control. Another network type is peer-to-peer (P2P), where all machines
can function as both clients and servers. P2P is mainly used for file sharing but is associated with issues
like piracy and child pornography. Understanding these network configurations lays the foundation for
classifying and organizing networks.

Classful IP addressing:

Classful IP addressing was an addressing scheme used in the early days of the internet, where IP
addresses were divided into three main classes: Class A, Class B, and Class C. Each class had a specific
range of IP addresses and was designed to accommodate different sizes of networks. The classful system
has been largely replaced by classless addressing (CIDR), which allows for more flexibility in address
allocation. However, understanding classful addressing is still valuable for historical context.

117
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

Here's a table summarizing the Classful IP Addressing scheme:

Note: The reserved addresses (network and broadcast) are subtracted from the total number of hosts per
network.

Classful addressing was inflexible because it did not allow for efficient utilization of IP addresses,
leading to the adoption of classless addressing (CIDR), which allows for variable-length subnet masks
and more efficient address allocation.

Network Security tools:

Network security tools play a crucial role in protecting computer networks from cyber threats,
monitoring activities, and responding to security incidents. There are various categories of network
security tools, each serving specific purposes. Here are some common types of network security tools:

118
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

1. Firewalls:

Purpose: Firewalls control and monitor incoming and outgoing network traffic based on predetermined
security rules.

Examples: Cisco ASA, pfSense, Check Point Firewall.

2. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS):

Purpose: IDS monitors network or system activities for malicious activities, while IPS takes action to
prevent or block those activities.

Examples: Snort (IDS), Cisco Firepower (IPS), Suricata.

3. Antivirus and Anti-malware Software:

Purpose: Detect and remove malicious software, viruses, and other types of malware.

Examples: McAfee, Symantec, Windows Defender.

4. Virtual Private Network (VPN) Solutions:

Purpose: Securely connect remote users or branch offices to a private network over the internet.

Examples: OpenVPN, Cisco AnyConnect, NordVPN.

5. Network Access Control (NAC) Systems:

Purpose: Control and manage access to the network by enforcing security policies.

Examples: Cisco ISE, Aruba ClearPass, ForeScout CounterACT.

119
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

6. Web Application Firewalls (WAF):

Purpose: Protect web applications from various security threats, including SQL injection and cross-site
scripting (XSS).

Examples: ModSecurity, Imperva WAF, F5 BIG-IP Application Security Manager.

7. Network Monitoring Tools:

Purpose: Monitor network performance, traffic, and detect anomalies or suspicious activities.

Examples: Wireshark, Nagios, SolarWinds.

8. Security Information and Event Management (SIEM) Systems:

Purpose: Collect, analyze, and correlate log data from various sources to provide a comprehensive view
of network security events.

Examples: Splunk, LogRhythm, IBM QRadar.

9. Network Scanners and Vulnerability Assessment Tools:

Purpose: Identify and assess vulnerabilities in network devices, systems, and applications.

Examples: Nessus, Nmap, OpenVAS.

10. Packet Filtering Tools:

Purpose: Filter and analyze individual packets of data based on predefined criteria.

Examples: tcpdump, NetFilter/Iptables, Microsoft Network Monitor.

120
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
11. Security Gateway Appliances:

Purpose: Combine multiple security functions, such as firewall, antivirus, and intrusion prevention, into
a single integrated device.

Examples: Barracuda Networks, Fortinet, Palo Alto Networks.

12. Authentication and Authorization Tools:

Purpose: Manage user access, authentication, and authorization to network resources.

Examples: RADIUS servers, TACACS+, Microsoft Active Directory.

13. Honeypots and Honeynets:

Purpose: Deceptive tools designed to attract and detect attackers by simulating vulnerable systems or
networks.

Examples: Honeyd, KFSensor, Modern Honey Network (MHN).

14. DNS Security Tools:

Purpose: Monitor and secure Domain Name System (DNS) infrastructure against threats like DNS
spoofing and cache poisoning.

Examples: DNSSEC, OpenDNS, Cisco Umbrella.

15. Encryption Tools:

Purpose: Secure data in transit by encrypting communications.

Examples: OpenSSL, Microsoft BitLocker, VeraCrypt.

121
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

16. Incident Response Platforms:

Purpose: Facilitate the coordination and automation of incident response activities.

Examples: TheHive, Demisto, Splunk Phantom.

These tools, when used together in a layered approach, help organizations build a robust network
security posture and mitigate the risks associated with cyber threats. The selection of tools depends on
the specific needs, size, and complexity of the network environment.

Network Forensics Investigation:

A network forensic investigation involves a systematic and methodical process to collect, analyze, and
interpret evidence related to network security incidents. Here's a step-by-step guide on how a network
forensic investigation is typically conducted:

1. Incident Identification and Preparation:

Objective: Identify and acknowledge the occurrence of a network security incident.

Actions:

Security Monitoring:

• Employ intrusion detection systems (IDS) and security information and event management
(SIEM) tools to monitor network activities.
• Set up alerts for suspicious behavior or known attack patterns.

122
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

Incident Response Team:

• Assemble a dedicated incident response team comprising IT professionals, security experts, and
legal representatives.
• Define roles and responsibilities within the incident response team.

Preparation:

• Ensure incident response tools and software are readily available.

• Establish communication channels for the incident response team.

2. Evidence Identification:

Objective: Identify and document potential sources of digital evidence.

Actions:

Log Analysis:

• Examine system logs, firewall logs, and other relevant logs for indicators of compromise (IoCs).
• Look for anomalies, unauthorized access, or patterns indicative of a security incident.

Affected Systems:

• Identify the systems and devices that may have been compromised.
• Document the state of the systems, including configurations and software versions.

123
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
3. Evidence Collection:

Objective: Preserve and collect digital evidence without altering the original data.

Actions:

Packet-Level Data Collection:

• Use network monitoring tools to capture packet-level data.

• Document communication patterns and traffic flow.

Device Logs:

• Collect logs from routers, switches, firewalls, and other relevant network devices.
• Preserve timestamps and log entries to establish a timeline.

Disk Imaging:

• Create forensic images of affected systems using tools like dd or Forensic Imager.
• Use write-blocking tools to prevent alterations to the original data.

4. Chain of Custody:

Objective: Document the handling and transfer of evidence to maintain its integrity.

Actions:

Record Keeping:

• Document details of evidence collection, including the date, time, and individuals involved.
• Use standardized forms for recording chain of custody information.

124
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
Secure Storage:

• Store collected evidence securely to prevent tampering.

• Implement access controls and authentication measures to protect the integrity of the evidence.

5. Timeline Analysis:

Objective: Establish a chronological timeline of events related to the incident.

Actions:

Log Review:

• Analyze logs to identify the sequence of events leading to the incident.

• Correlate timestamps across different logs to build a coherent timeline.

Artifact Analysis:

• Identify artifacts such as file creation times, system logs, and user activities.
• Establish cause-and-effect relationships between different events.

6. Traffic Analysis:

Objective: Examine network traffic to identify anomalies and patterns.

Actions:

Packet Inspection:

• Use packet analysis tools like Wireshark to inspect packet contents.

• Identify unusual or malicious activities within the network traffic.

125
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
Anomaly Detection:

• Employ anomaly detection techniques to identify deviations from normal network behavior.
• Look for signs of network scanning, unauthorized access, or data exfiltration.

7. Pattern and Signature Analysis:

Objective: Use known attack patterns and signatures to identify malicious activities.

Actions:

Intrusion Detection Systems (IDS):

• Use IDS tools to detect known attack signatures.

• Compare network traffic against signature databases to identify potential threats.

Threat Intelligence Integration:

• Incorporate threat intelligence feeds to identify patterns associated with known threats.
• Enhance analysis by cross-referencing observed patterns with external threat databases.

8. Forensic Imaging and Preservation:

Objective: Preserve the state of affected systems for detailed offline analysis.

Actions:

Forensic Imaging:

• Create forensic images of storage devices using tools like FTK Imager or dd.
• Ensure the integrity of the forensic images by calculating and verifying hash values.

126
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
Documentation:

• Document system configurations, hardware details, and installed software.

• Record information about user accounts and privileges.

9. Vulnerability Assessment:

Objective: Identify and assess vulnerabilities that may have been exploited.

Actions:

Vulnerability Scanning:

• Conduct vulnerability scans on affected systems using tools like Nessus or OpenVAS.
• Identify weaknesses in system configurations, software versions, or patch levels.

Configuration Analysis:

• Analyze system configurations to identify misconfigurations or insecure settings.

• Assess the impact of identified vulnerabilities on the incident.

10. Documentation and Reporting:

Objective: Document findings for further analysis and reporting.

Actions:

Forensic Reports:

• Prepare detailed forensic reports that include evidence, analysis, and recommendations.
• Clearly articulate the timeline of events and the methods used in the investigation.

127
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
Legal Documentation:

• Include documentation necessary for legal proceedings.

• Ensure reports comply with legal and regulatory requirements.

11. Legal and Regulatory Considerations:

Objective: Ensure the investigation complies with legal and regulatory requirements.

Actions:

Legal Consultation:

• Collaborate with legal experts to ensure that the investigation follows proper legal procedures.
• Seek advice on handling sensitive information and privacy considerations.

Regulatory Reporting:

• Report incidents to relevant authorities if required by laws and regulations.

• Comply with data breach notification requirements.

12. Post-Incident Review:

Objective: Review the investigation process and identify areas for improvement.

Actions:

Incident Debriefing:

• Conduct a post-incident review with the incident response team.

• Evaluate the effectiveness of the response and identify lessons learned.

128
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material
Documentation Update:

• Update incident response plans and procedures based on insights from the review.
• Incorporate improvements to enhance future incident response capabilities.

Conducting a network forensic investigation requires a combination of technical expertise, adherence to

legal and regulatory standards, and effective collaboration among various stakeholders. The process
aims to uncover the scope and impact of security incidents, enabling organizations to respond effectively
and prevent future occurrences.

MCQ Questions and Answers:

1. What is network forensics?
- A. Physical security of networks
- B. Monitoring and analyzing computer network traffic
- C. Database management
- D. Software development

2. Why is network forensics important?

- A. To develop new software
- B. To identify and investigate security incidents
- C. For physical security only
- D. To manage databases

3. In network forensics, what does the term "packet sniffing" refer to?
- A. Capturing and analyzing network traffic
- B. Installing antivirus software
- C. Creating a virtual private network (VPN)
- D. Configuring firewalls

4. What is social engineering?

- A. A programming language
- B. A method of manipulating individuals to obtain confidential information
- C. Network hardware
- D. A type of encryption
129
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

5. Which of the following is an example of a social engineering attack?

- A. Firewall configuration
- B. Phishing
- C. IP addressing
- D. Network monitoring

6. What is pretexting in the context of social engineering?

- A. Unauthorized access to a network
- B. Creating a false scenario to obtain information
- C. Configuring firewalls
- D. Database management

7. What does IP stand for in IP addressing?

- A. Internet Protocol
- B. Information Processing
- C. Internal Programming
- D. Internet Provider

8. How many bits are there in an IPv4 address?

- A. 16 bits
- B. 32 bits
- C. 64 bits
- D. 128 bits

9. Which of the following is a private IP address range?

- A. 192.168.0.1
- B. 172.16.1.1
- C. 10.0.0.1
- D. All of the above

10. What is a firewall used for in network security?

- A. Monitoring network traffic
- B. Encrypting data
- C. Controlling incoming and outgoing network traffic
- D. Managing IP addresses
130
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

11. Which of the following is an intrusion detection system (IDS)?

- A. Antivirus software
- B. Firewall
- C. Snort
- D. VPN

12. What does a proxy server do in network security?

- A. Provides internet access
- B. Filters and forwards network traffic
- C. Encrypts data
- D. Configures IP addresses

13. In network forensics, what is the purpose of reconstructing network sessions?

- A. To create a virtual private network
- B. To analyze network traffic patterns
- C. To understand the sequence of events during an incident
- D. To configure firewalls

14. What is a hash value used for in network forensics?

- A. Encrypting data
- B. Identifying unique files or data
- C. Configuring routers
- D. Managing IP addresses

15. What is the role of a forensic analyst in network forensics?

- A. Monitoring network traffic
- B. Investigating security incidents and collecting evidence
- C. Configuring firewalls
- D. Developing software
Answers:
1. A. Monitoring and analyzing computer network traffic
2. B. To identify and investigate security incidents
3. A. Capturing and analyzing network traffic
4. B. A method of manipulating individuals to obtain confidential information
5. B. Phishing
131
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

6. B. Creating a false scenario to obtain information

7. A. Internet Protocol
8. B. 32 bits
9. D. All of the above
10. C. Controlling incoming and outgoing network traffic
11. C. Snort
12. B. Filters and forwards network traffic
13. C. To understand the sequence of events during an incident
14. B. Identifying unique files or data
15. B. Investigating security incidents and collecting evidence

Short answer type questions (3 marks):

1. Define social engineering and provide a brief example of a social engineering attack.
2. How does pretexting differ from phishing in the context of social engineering attacks?
3. Explain the importance of user awareness training in mitigating social engineering attacks.
4. What is the primary purpose of an IP address in networking?
5. Differentiate between IPv4 and IPv6 in terms of the length of their addresses.
6. Explain the concept of subnetting in IP addressing.
7. Define the role of a firewall in network security. How does it contribute to protecting a network?
8. What is the purpose of intrusion detection systems (IDS) in network security?
9. Briefly explain the function of a Virtual Private Network (VPN) in network security.
10. What role does packet sniffing play in network forensics investigations?
11. Explain the concept of network traffic analysis in the context of network forensics.
12. What is the significance of accurate timestamps in network forensics investigations?
13. How does network forensics differ from traditional computer forensics?

132
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester VI)
Digital Forensics (BNCSC602)
Sec A
Academic Session 2023-24

Study Material

Long answer type questions (5 marks):

1. Explain the concept of network forensics and why it is essential in cybersecurity investigations.

2. Define social engineering and provide examples of social engineering attacks. How can
organizations defend against such attacks?

3. Explain the purpose of IP addresses in networking. Differentiate between IPv4 and IPv6,
highlighting the advantages of IPv6.

4. Discuss the role of intrusion detection systems (IDS) and intrusion prevention systems (IPS) in
network security. Provide examples of each.

5. Describe the steps involved in a network forensics investigation. How does it differ from traditional
computer forensics?

6. Explain the significance of packet sniffing in network forensics investigations. How does it aid in
the analysis of network traffic?

7. Discuss the role of timestamps in network forensics investigation. Why are accurate timestamps
crucial for reconstructing events?

8. Examine the challenges associated with encrypted network traffic in network forensics
investigations. How can investigators overcome these challenges?

9. Describe the role of network logs in network forensics investigations. How can logs be used to
reconstruct events and identify security incidents?

10. Explain the concept of network traffic analysis and its importance in network forensics. Provide
examples of tools used for network traffic analysis.

133
Pratik Banerjee
Faculty of CST Dept.
Brainware University, Kolkata
B.Sc.-ANCS (Semester IV)
Digital Forensics (BNCSC401)
Sec A
Academic Session 2023-24

Study Material
MODULE VI: MOBILE FORENSICS
Introduction to Mobile Forensics:
Mobile forensics is a specialized branch of digital forensics that focuses on the investigation and
analysis of electronic evidence stored on mobile devices. As an integral part of the broader field
of digital forensics, mobile forensics is concerned with extracting, preserving, and analyzing data
from smartphones, tablets, and other mobile devices to uncover and understand digital evidence
related to cybercrimes, security incidents, or legal investigations. The unique challenges posed by
the diversity of mobile devices, operating systems, and applications necessitate specialized
techniques and tools for the effective examination of mobile data. Mobile forensics plays a crucial
role in uncovering insights from call logs, text messages, application data, geolocation
information, and other artifacts, contributing significantly to criminal investigations,
cybersecurity, and ensuring the integrity of digital evidence in legal proceedings.

Cellular Networks:

Cellular networks, also known as mobile networks, are telecommunications systems that enable
wireless communication between mobile devices (such as smartphones, tablets, and IoT devices)
by dividing geographical areas into cells. Each cell is served by a base station or cell tower,
facilitating voice and data transmission. Cellular networks operate on various standards (e.g.,
GSM, CDMA, LTE) and provide widespread connectivity, allowing users to make calls, send
messages, and access the internet while moving within the network's coverage area. These
networks support seamless handovers between cells as users travel, ensuring continuous and
reliable communication services. The evolution of cellular technology, from 2G to 5G, has brought
improvements in data speeds, latency, and network capacity, shaping the landscape of modern
mobile communications.

Cellular network components: Cellular networks are complex systems that consist of various
components working together to provide wireless communication services. Here are the key
components of a typical cellular network:
134
Sasmit De
Assistant Prof. (CST)
Brainware University, Kolkata
B.Sc.-ANCS (Semester IV)
Digital Forensics (BNCSC401)
Sec A
Academic Session 2023-24

Study Material

1. Mobile Devices:

Mobile devices, such as smartphones, tablets, and IoT devices, are the endpoints used by
individuals to access cellular network services.

Mobile devices communicate with the cellular network infrastructure to make calls, send
messages, and access data services.

2. Base Station (Cell Tower):

The base station, often referred to as a cell tower, is a fixed radio transmitter/receiver located within
a cell. It serves as a central point for communication with mobile devices in its coverage area.

The base station manages the wireless connection with mobile devices, handling tasks such as
signal transmission, reception, and handovers as devices move between cells.

3. Cell:

A cell is the basic geographic unit in a cellular network. It represents the coverage area served by
a single base station or cell tower.

Cells are designed to avoid interference and efficiently allocate resources. They are the building
blocks of cellular networks, providing coverage to specific geographical areas.

4. Mobile Switching Center (MSC):

The MSC is a central component in the network that connects calls and manages communications
between mobile devices within the network and with external networks.

The MSC handles call routing, call setup, and call termination, ensuring seamless communication
within the cellular network and facilitating connections to other networks.

135
Sasmit De
Assistant Prof. (CST)
Brainware University, Kolkata
B.Sc.-ANCS (Semester IV)
Digital Forensics (BNCSC401)
Sec A
Academic Session 2023-24

Study Material

5. Home Location Register (HLR):

The HLR is a database that stores subscriber information, including user profiles, subscription
details, and current locations.

The HLR plays a crucial role in call routing and authenticating mobile devices within the network.
It is used to track the location of mobile subscribers.

The layout of a typical cellular network

6. Visitor Location Register (VLR):

The VLR is a temporary database that stores information about subscribers currently within the
coverage area of a particular MSC.

The VLR allows the MSC to quickly access subscriber information for devices currently present
in its coverage area, reducing the need to query the HLR for every call.

136
Sasmit De
Assistant Prof. (CST)
Brainware University, Kolkata
B.Sc.-ANCS (Semester IV)
Digital Forensics (BNCSC401)
Sec A
Academic Session 2023-24

Study Material

7. Authentication Center (AuC):

The AuC is responsible for authenticating the identity of mobile devices connecting to the network,
ensuring secure access.

It generates and stores security parameters, such as encryption keys, to protect communication
between the mobile device and the network.

8. Equipment Identity Register (EIR):

The EIR is a database that stores information about mobile devices, including their unique
identifiers (IMEI numbers).

The EIR helps track stolen or unauthorized devices, allowing the network to take preventive
measures, such as blocking access or alerting authorities.

These components work together to establish and maintain cellular connections, ensuring the
efficient and secure operation of mobile communication services. The architecture and specific
components may vary based on the cellular network standard (e.g., GSM, CDMA, LTE) and the
generation of technology (2G, 3G, 4G, 5G).

Cellular network types: Cellular networks use different technologies to transmit data, and each
technology is associated with specific standards and protocols. Here are discussions on some of
the key cellular network types in terms of how they transmit data:

1. CDMA (Code Division Multiple Access):

CDMA is a digital cellular technology that allows multiple users to share the same frequency band
simultaneously through the use of unique codes. CDMA transmits data by assigning a unique code
to each conversation, allowing multiple users to communicate on the same frequency without
interference. CDMA is associated with technologies such as CDMA2000 and WCDMA
(Wideband CDMA).
137
Sasmit De
Assistant Prof. (CST)
Brainware University, Kolkata
B.Sc.-ANCS (Semester IV)
Digital Forensics (BNCSC401)
Sec A
Academic Session 2023-24

Study Material

2. GSM (Global System for Mobile Communications):

GSM is a standard developed to facilitate global mobile communication, using a time-division

multiple access (TDMA) technique. GSM divides the frequency spectrum into time slots, allowing
multiple users to share the same frequency by transmitting their signals in designated time
intervals. GSM is widely used for 2G and 3G networks and is a foundational technology for mobile
communication.

3. LTE (Long-Term Evolution):

LTE is a 4G wireless communication standard designed to provide high-speed data transmission

and low-latency communication. LTE uses orthogonal frequency-division multiple access
(OFDMA) and multiple-input multiple-output (MIMO) technologies for efficient data
transmission, allowing multiple users to communicate simultaneously over different frequencies
and antennas. LTE is the precursor to 5G and is commonly used for high-speed mobile broadband.

4. 5G (Fifth Generation):

5G is the latest generation of wireless communication technology designed to provide faster data
speeds, lower latency, and support for a massive number of connected devices. 5G utilizes
technologies such as millimeter-wave frequencies, beamforming, and advanced modulation
schemes to enable high-capacity and low-latency data transmission. 5G represents the next
evolution in cellular networks, supporting applications like augmented reality, virtual reality, and
the Internet of Things (IoT).

5. iDEN (Integrated Digital Enhanced Network):

iDEN is a mobile telecommunications technology developed by Motorola that integrates multiple

communication services, including two-way radio, telephone, text messaging, and data
transmission. iDEN uses TDMA and time-division multiple access (TDMA) for voice and data

138
Sasmit De
Assistant Prof. (CST)
Brainware University, Kolkata
B.Sc.-ANCS (Semester IV)
Digital Forensics (BNCSC401)
Sec A
Academic Session 2023-24

Study Material

transmission, allowing multiple services to coexist on the same network. While iDEN networks
have been largely phased out, they were historically used by Nextel in the United States.

6. UMTS (Universal Mobile Telecommunications System):

UMTS is a 3G mobile communication technology that builds upon GSM, offering higher data rates
and improved multimedia support. UMTS uses wideband CDMA (W-CDMA) for data
transmission, providing increased capacity and data speed compared to 2G GSM networks. UMTS
is a stepping stone between 2G and 4G technologies.

These cellular network types employ various access techniques and transmission technologies to
enable wireless communication, and their evolution reflects advancements in data speed, capacity,
and latency across different generations of mobile communication.

Operating Systems:

The forensic examination of a phone is significantly influenced by its operating system (OS),
dictating the creation and storage methods of digital artifacts. Modern mobile operating systems
encompass Symbian, Apple iOS, Windows CE, Windows Mobile, Google’s Android, and
Blackberry OS.

Originally, the Symbian OS emerged from a collaboration among Nokia, Ericsson, Motorola, and
Psion. Sony Ericsson introduced the first Symbian-powered phone in 2000, and in 2008, Nokia
acquired the OS rights, subsequently making it open source. Currently, Symbian is utilized in
Nokia and Sony Ericsson handsets (Barbara, 2010b).

Introduced in 1999 by Research In Motion (RIM), Blackberry phones are prevalent among
businesses and government entities. Known for synchronization capabilities with Novel’s
GroupWise and Microsoft’s Exchange, Blackberry OS supports multitasking and various

139
Sasmit De
Assistant Prof. (CST)
Brainware University, Kolkata
B.Sc.-ANCS (Semester IV)
Digital Forensics (BNCSC401)
Sec A
Academic Session 2023-24

Study Material
applications. This proprietary OS has carrier-specific versions, differing between providers such
as Verizon and AT&T (Barbara, 2010b).

Android, an open-source OS, is developed by the Open Handset Alliance. Acquired by Google in
2005, Android has been continuously developed by the alliance since 2007. Comprising 84
technology and mobile companies, the Open Handset Alliance aims to enhance mobile innovation.
Android is featured on handsets produced by Motorola, Sony Ericsson, and HTC, with a multitude
of third-party apps available (Barbara, 2010b).

Apple's iOS, prominent on the iPhone, extends to other mobile devices like the iPad and iPod
touch. Derived from Apple's Mac OS X, iOS heavily relies on third-party apps obtainable from the
Apple App Store.

Microsoft’s Windows Mobile serves the smartphone and mobile device market. Similar to its
counterparts, Windows Mobile supports an extensive array of applications (Barbara, 2010b).

Cell phone evidence:

Now that we’ve looked at how cell phones and networks function, we can look at some of the
information they hold that may qualify as evidence. It’s important not to focus on one source, as
relevant evidence can be found in multiple locations within the handset and the network.

Lists some of the potential evidentiary items found in modern smartphones.

The Personal Identification Number (PIN) is used to secure the handset. Three consecutive,
unsuccessful attempts to enter the correct PIN will result in the user being locked out.

140
Sasmit De
Assistant Prof. (CST)
Brainware University, Kolkata
B.Sc.-ANCS (Semester IV)
Digital Forensics (BNCSC401)
Sec A
Academic Session 2023-24

Study Material

The Personal Unlock Key (PUK) will be needed to unlock the SIM after this lockout has occurred.
Typically, a PUK can only be supplied by the provider of the SIM card.

Call Detail Records:

Call detail records (CDR) are normally used by the provider to troubleshoot and improve the
networks performance. The CDR is also valuable to examiners.

They can show us:

■ Date/time the call started and ended.

■ Who made the call and who was called.

■ How long the call lasted.

■ Whether the call was incoming or outgoing.

■ The originating and terminating towers.

Although the CDRs can tell you a lot, what they cannot tell you is who actually made the call. It
is important to understand the difference between the CDR and the subscriber information.
Subscriber information and the call detail records are not the same. Typical subscriber information
would include things such as the name, address, and telephone. Other items included with
subscriber information are account numbers, e-mail addresses, services, payment mechanisms, and
so on. Every service provider keeps all of these records for a predetermined period of time. The
time period is spelled out in their data retention policies.

Mobile Forensic Techniques:

1. Identification and Documentation:

- Identify the device, document make and model, and note its condition.

141
Sasmit De
Assistant Prof. (CST)
Brainware University, Kolkata
B.Sc.-ANCS (Semester IV)
Digital Forensics (BNCSC401)
Sec A
Academic Session 2023-24

Study Material
- Document physical damage or signs of tampering.

- Record unique identifiers like IMEI and serial numbers.

2. Securing the Scene:

- Secure the physical location of the device.

- Restrict access to authorized personnel.

- Document the scene and device's location.

3. Powering Off the Device:

- Power off the device or place it in airplane mode.

- Avoid unnecessary interaction to prevent remote wiping.

4. Photographing and Documenting:

- Take photographs of the device from various angles.

- Document physical connections, ports, and buttons.

5. Chain of Custody:

- Record names of individuals handling the device.

- Document date, time, and purpose of each transfer.

- Use tamper-evident packaging for transport.

6. Seizing and Packaging:

- Use forensic tools for evidence collection.

- Place the device in a Faraday bag to prevent remote access.

- Seal evidence in an anti-static bag or container.

142
Sasmit De
Assistant Prof. (CST)
Brainware University, Kolkata
B.Sc.-ANCS (Semester IV)
Digital Forensics (BNCSC401)
Sec A
Academic Session 2023-24

Study Material

7. Documentation of Accessories:

- Document accessories like chargers, cables, and memory cards.

- Check for additional storage media.

8. Data Preservation:

- Use write-blocking tools or cables to prevent write access.

- Ensure the device remains powered off or in airplane mode.

9. Transportation and Storage:

- Store evidence in a secure, controlled environment.

- Choose transportation methods minimizing physical stress on the device.

10. Forensic Imaging:

- Use specialized forensic tools for a bit-by-bit image.

- Verify integrity of the forensic image through hash values.

11. Analysis in a Controlled Environment:

- Conduct forensic analysis in a secure setting.

- Use dedicated forensic workstations.

- Follow standardized procedures and document all actions.

12. Documentation of Findings:

- Document call logs, messages, applications, and relevant data.

- Note any password protections or encryption measures.

143
Sasmit De
Assistant Prof. (CST)
Brainware University, Kolkata
B.Sc.-ANCS (Semester IV)
Digital Forensics (BNCSC401)
Sec A
Academic Session 2023-24

Study Material

13. Legal and Ethical Considerations:

- Adhere to legal procedures and obtain necessary warrants.

- Respect privacy rights and legal limitations.

14. Expert Testimony:

- Train forensic experts for potential court appearances.

- Maintain detailed documentation for courtroom presentation.

15. Reporting:

- Summarize collected evidence.

- Present findings in a format suitable for legal proceedings.

16. Quality Assurance:

- Implement quality assurance measures in the forensic lab.

- Regularly update procedures based on industry standards.

Effective collection and handling of cell phone evidence demand technical expertise, adherence to
standardized procedures, and a deep understanding of legal and ethical considerations. Thorough
documentation at every step is essential for maintaining evidence integrity throughout the forensic
process.

Mobile Forensic Tools:

As you might suspect, there are many, many different tools available to forensically examine a
phone. These tools can come in the form of hardware or software. One of the realties is that not all
of these tools support all cell phones. To further complicate matters, two tools that actually support
a given phone may not read and recover the same information.
144
Sasmit De
Assistant Prof. (CST)
Brainware University, Kolkata
B.Sc.-ANCS (Semester IV)
Digital Forensics (BNCSC401)
Sec A
Academic Session 2023-24

Study Material

What follows is a sampling of the available tools for cell phone forensics. A close examination of
the function and features shows that no single tool does it all. One glaring difference is the number
of phones that are supported. Budget permitting, most labs will have multiple tools available to
increase their capabilities.

BitPim is a robust open-source application that was not built for forensic purposes. It is designed
to work with CDMA phones that are produced by several vendors, including LG and Samsung
among others. BitPim can recover data such as the phonebook, calendar, wallpapers, ring tones,
and file system.

Oxygen Forensic Suite is a forensic program specifically designed for cell phones. It’s a tool that
supports more than twenty-three hundred devices. It extracts data such as phonebook, SIM card
data, contact lists, caller groups, call logs, standard and custom SMS/MMS/e-mail folders, deleted
SMS messages, calendars, photos, videos, JAVA applications, and GPS locations.

Paraben Corporation offers several hardware and software products targeted to mobile device
forensics. In addition to cell phones, their tools also support GPS devices such as those from
Garmin.

AccessData’s MPE+ supports over thirty-five hundred phones. It’s an on-scene, mobile forensic
recovery tool that can collect call history, messages, photos, voicemail, videos, calendars, and
events. It can analyze and correlate multiple phones and computers using the same interface.

The Cellebrite UFED (Universal Forensic Extraction Device) is a stand-alone, self-contained

hardware device used to extract Phonebook, images, videos, SMS, MMS, call history, and much
more. It supports over twenty-five hundred phones and is designed to extract information on scene.
It also has a SIM card reader and cloner. As an interesting aside, Cellebrite devices (the nonforensic
version) can be found in many cell phones stores. They’re used to transfer a customer’s data from
one device to another.

145
Sasmit De
Assistant Prof. (CST)
Brainware University, Kolkata
B.Sc.-ANCS (Semester IV)
Digital Forensics (BNCSC401)
Sec A
Academic Session 2023-24

Study Material

EnCase Smartphone Examiner is an EnCase tool designed to review and collect data from
smartphones and tablet devices. It collects data from Blackberries, iTune backups, and SD cards.
Once the information is collected, it is easily imported into the EnCase Forensic suite for continued
investigation.

MCQ Questions and Answers:

1. What is mobile forensics?
A. Analyzing mobile apps
B. Investigating digital evidence on mobile devices
C. Mobile network optimization
D. Mobile software development

2. What is the purpose of mobile device imaging in forensics?

A. To optimize mobile networks
B. To create a backup of mobile apps
C. To capture and preserve the data on a mobile device
D. To develop mobile software

3. Which of the following is a volatile data source in mobile forensics?

A. SIM card
B. Hard drive
C. External SD card
D. Cloud storage

4. What is a Base Station in a cellular network?

A. Mobile device
B. Central server
C. Cell tower
D. Satellite

5. What role does the Mobile Switching Center (MSC) play in a cellular network?
A. Manages mobile applications
B. Routes calls and manages connections
C. Controls mobile devices

146
Sasmit De
Assistant Prof. (CST)
Brainware University, Kolkata
B.Sc.-ANCS (Semester IV)
Digital Forensics (BNCSC401)
Sec A
Academic Session 2023-24

Study Material
D. Provides internet connectivity

6. What is the function of the Home Location Register (HLR) in a cellular network?
A. Stores subscriber information and location
B. Manages mobile apps
C. Controls network security
D. Provides internet services

7. What is 4G LTE in the context of cellular networks?

A. A mobile operating system
B. A network security protocol
C. A highspeed mobile data standard
D. A satellite communication system

8. What is the primary advantage of 5G over previous cellular generations?

A. Faster data transfer rates
B. Better call quality
C. Longer battery life
D. Enhanced GPS accuracy

9. Which cellular network type is characterized by its use of circuitswitched technology?

A. 3G
B. 4G LTE
C. 2G
D. 5G

10. What is call detail record (CDR) in mobile forensics?

A. Records of mobile app installations
B. Information about phone calls and text messages
C. Data stored in the cloud
D. Mobile device configuration settings

11. What type of evidence can be obtained from mobile location data?
A. Browser history
B. Call logs
C. Geographical movements of the device
D. App permissions

147
Sasmit De
Assistant Prof. (CST)
Brainware University, Kolkata
B.Sc.-ANCS (Semester IV)
Digital Forensics (BNCSC401)
Sec A
Academic Session 2023-24

Study Material
12. What does SMS stand for in the context of mobile forensics?
A. Short Message Service
B. Subscriber Management System
C. Secure Mobile Storage
D. System Maintenance and Support

13. Which of the following is a commonly used mobile forensic tool?

A. Photoshop
B. FTK Imager
C. Microsoft Excel
D. Adobe Premiere Pro

14. What is the primary function of a mobile forensic tool like Cellebrite UFED?
A. Video editing
B. Data extraction and analysis from mobile devices
C. Network monitoring
D. Cloud storage management

15. What is ADB (Android Debug Bridge) used for in mobile forensics?
A. Mobile app development
B. Connecting to and communicating with Android devices
C. Satellite communication
D. Network optimization

16. What is "Jailbreaking" or "Rooting" in the context of mobile forensics?

A. Enhancing mobile network security
B. Unlocking a device to remove restrictions
C. Mobile app development
D. Optimizing battery life

17. In a cellular network, what is the purpose of the Visitor Location Register (VLR)?
A. Provides internet services
B. Stores subscriber information and location temporarily
C. Manages mobile apps
D. Controls network security

148
Sasmit De
Assistant Prof. (CST)
Brainware University, Kolkata
B.Sc.-ANCS (Semester IV)
Digital Forensics (BNCSC401)
Sec A
Academic Session 2023-24

Study Material

18. Which of the following is a characteristic of 3G networks?

A. Highspeed mobile data
B. Circuitswitched technology
C. Enhanced GPS accuracy
D. Video calling support

19. What is the significance of IMSI (International Mobile Subscriber Identity) in mobile
forensics?
A. Device serial number
B. Subscriber's unique identification number
C. Mobile network encryption key
D. Mobile app permissions

20. Which mobile forensic tool is often used for logical analysis and extraction of data from iOS
devices?
A. Oxygen Forensic Detective
B. Magnet AXIOM
C. XRY
D. Elcomsoft Phone Breaker

21. What is the primary purpose of GrayKey in mobile forensics?

A. Mobile device imaging
B. SIM card analysis
C. Breaking iOS device passcodes
D. Cloud storage management

22. What is the role of geotagging in mobile forensics?

A. Enhancing mobile network security
B. Embedding location information in media files
C. Optimizing battery life
D. Managing mobile apps

23. What is the function of the Serving GPRS Support Node (SGSN) in a GPRS/EDGE
network?
A. Manages mobile apps
B. Routes calls and manages connections
C. Controls network security
149
Sasmit De
Assistant Prof. (CST)
Brainware University, Kolkata
B.Sc.-ANCS (Semester IV)
Digital Forensics (BNCSC401)
Sec A
Academic Session 2023-24

Study Material
D. Handles packetswitched data services

24. What is WiMAX in the context of cellular networks?

A. A 4G LTE standard
B. A satellite communication system
C. A highspeed mobile data standard
D. A wireless broadband technology

25. What type of evidence can be extracted from mobile device call logs in forensic
investigations?
A. Deleted text messages
B. Browser history
C. Time and date of calls
D. App source code

Answers:
1. B. Investigating digital evidence on mobile devices
2. C. To capture and preserve the data on a mobile device
3. A. SIM card
4. C. Cell tower
5. B. Routes calls and manages connections
6. A. Stores subscriber information and location
7. C. A high-speed mobile data standard
8. A. Faster data transfer rates
9. C. 2G
10. B. Information about phone calls and text messages
11. C. Geographical movements of the device
12. A. Short Message Service
13. B. FTK Imager
14. B. Data extraction and analysis from mobile devices
15. B. Connecting to and communicating with Android devices
16. B. Unlocking a device to remove restrictions
17. B. Stores subscriber information and location temporarily
18. D. Video calling support
19. B. Subscriber's unique identification number
20. A. Oxygen Forensic Detective

150
Sasmit De
Assistant Prof. (CST)
Brainware University, Kolkata
B.Sc.-ANCS (Semester IV)
Digital Forensics (BNCSC401)
Sec A
Academic Session 2023-24

Study Material

21. C. Breaking iOS device passcodes

22. B. Embedding location information in media files
23. D. Handles packet-switched data services
24. D. A wireless broadband technology
25. C. Time and date of calls

Short answer type questions (3 marks):

1. What is mobile forensics?
2. Why is mobile forensics important in criminal investigations?
3. What challenges are faced in mobile forensics compared to traditional computer forensics?
4. Name the major components of a cellular network.
5. What role does the Base Transceiver Station (BTS) play in a cellular network?
6. In cellular networks, what is the function of the Home Location Register (HLR)?
7. Differentiate between 3G and 4G cellular networks.
8. What is the significance of 5G in cellular networks?
9. Why is call detail record (CDR) analysis important in mobile forensics?
10. How can geolocation data from a cell phone be used as evidence in investigations?
11. Briefly explain the process of logical extraction in mobile forensics.
12. Name two popular mobile forensics tools and their functionalities.
13. How does mobile forensics deal with challenges related to device encryption?

Long answer type questions (5 marks):

1. Explain the concept of mobile forensics and why it is crucial in the field of digital
investigations.

2. Describe the key components of a cellular network and their roles in enabling mobile
communication.

3. Differentiate between 3G and 4G cellular networks, highlighting the key technological

advancements in 4G.
151
Sasmit De
Assistant Prof. (CST)
Brainware University, Kolkata
B.Sc.-ANCS (Semester IV)
Digital Forensics (BNCSC401)
Sec A
Academic Session 2023-24

Study Material
4. Explain the types of evidence that can be extracted from a cell phone in a forensic
investigation.

5. Discuss the techniques and tools commonly used in mobile forensics to retrieve and analyze
data from mobile devices.

6. Outline the challenges associated with mobile forensics, including those related to device
diversity and encryption.

7. Discuss the role of the Home Location Register (HLR) in a cellular network and its
significance in mobile forensics.

8. Compare and contrast GSM (Global System for Mobile Communications) and CDMA (Code
Division Multiple Access) cellular network technologies.

9. Elaborate on the importance of preserving the integrity of cell phone evidence during a
forensic investigation.

10. Explain the role and significance of mobile forensic tools in the field of digital forensics.
Provide examples of specific mobile forensic tools and describe the types of data they can extract
from mobile devices.

11. Discuss some of the challenges and limitations associated with using mobile forensic tools.
How do these challenges impact the effectiveness of mobile forensic investigations, and what
strategies can be employed to overcome them?

12. Examine the legal and ethical considerations associated with mobile forensic investigations.
Discuss the importance of adhering to legal standards and ethical guidelines when conducting
examinations of mobile devices. Provide examples of cases where failure to uphold these
standards led to legal consequences.

152
Sasmit De
Assistant Prof. (CST)
Brainware University, Kolkata