DEPARTMENT OF COMPUTER ENGINEERING

Subject: ETI Subject Code:22618

Semester: 6th Semester Course: Computer Engineering

Laboratory No: Name of Subject Teacher: Prof. Vaishali

Malkar

Name of Student: Prathmesh Patil Roll Id: 22203B0065

Assignment No: 4 - Digital forensics

Problem 1: Evidence Handling and Chain of Custody

A digital forensic investigator is examining a smartphone suspected to contain evidence
of corporate espionage. During the investigation, the investigator identifies encrypted
files that could be critical to the case.

• Describe the steps the investigator should follow to authenticate and validate
these files as evidence.
• Explain how the chain of custody ensures the integrity of these files throughout
the investigation.
• Discuss potential challenges the investigator might face in handling volatile
evidence on the smartphone.
Ans:
1. Steps to Authenticate and Validate Encrypted Files as Evidence

To ensure the encrypted files are legally admissible and forensically sound, the investigator
must follow these steps:

a. Seizure and Documentation

• Seize the smartphone following legal procedures (e.g., search warrant).

• Take photographs of the phone, screen (if powered on), and its condition.

• Note time, date, and location of seizure.

b. Preservation

• Place the phone in a Faraday bag to prevent remote access or tampering.

• Power off the device safely if not actively in use, unless volatile data (e.g., decrypted
data in RAM) is present.

c. Imaging and Hashing

• Create a bit-by-bit image (logical and physical) of the smartphone’s internal storage
and SD card (if present).

• Calculate hash values (MD5, SHA-256) for the original and imaged data to verify
authenticity.

d. Decryption and Analysis

• Attempt to decrypt the files using known credentials, software tools, or brute-force
techniques, ensuring logs are maintained.

• Maintain detailed logs of all steps taken during decryption and analysis.

• Ensure the decrypted data is read-only and not altered during examination. e.

Authentication

• Use hash verification before and after analysis to confirm the files have not been
modified.

• Correlate encrypted files with metadata, timestamps, and communication logs to

establish authenticity.

2. Chain of Custody and Integrity of Evidence

The Chain of Custody (CoC) is a documented process that tracks the movement, handling, and
storage of evidence from collection to presentation in court.

Importance and Steps:

• Documentation: Every transfer of the evidence (who, when, why, how) is logged with
signatures and timestamps.

• Secure Storage: Evidence is stored in tamper-evident containers in a restricted-access

digital forensic lab.

• Minimal Handling: Limit access to only trained personnel to reduce risk of alteration or
contamination.

• Verification: Recalculate hash values each time the evidence is accessed or

transferred.

The CoC proves the integrity of the evidence and ensures it hasn’t been tampered with, making
it admissible in court.
3. Challenges in Handling Volatile Evidence on the Smartphone a.
Volatile Memory Loss

• RAM, open apps, temporary decrypted files, and unsaved data are lost once the phone
is powered off.

b. Remote Wipe or Auto-lock

• Devices connected to the internet may be remotely wiped or auto-encrypted after

inactivity.

c. Encryption and Passwords

• Strong encryption algorithms can make decryption extremely difficult without

credentials.

d. Anti-forensic Techniques

• Malicious software may be present that detects forensic tools and modifies or deletes
evidence.

e. Power Constraints

• Battery loss or automatic shutdown can result in data loss or trigger security protocols.

f. Legal and Privacy Concerns

• Accessing personal content without proper authorization can lead to legal issues.

Conclusion

In digital forensics, especially with smartphones, it is crucial to follow a forensically sound

process to authenticate, preserve, and validate evidence. Maintaining a strong chain of
custody and anticipating volatile evidence challenges are key to a successful investigation
and legal prosecution.

Problem 2: Applying Ethical Norms in Forensic Investigations

A company accuses a former employee of misusing their intellectual property. The
company's forensic team gains access to the employee's work computer to gather
evidence.

• Identify the ethical norms the team should adhere to during the investigation.
• Discuss possible ethical violations that could occur and their consequences.
• Apply Locard’s exchange principle to explain how the forensic team might
establish a connection between the employee's actions and the alleged misuse.
Ans:
1. Ethical Norms to Adhere to During the Investigation

A forensic investigation must be conducted with integrity, legality, and impartiality. Key
ethical norms include: a. Confidentiality

• Protect the privacy of the employee and the company.

• Only examine data relevant to the investigation—avoid personal files unless directly
related.

b. Integrity and Objectivity

• Maintain a neutral and unbiased stance.

• Avoid manipulating or fabricating evidence to favor the employer.

c. Authorization and Consent

• Ensure proper legal access to the device, either through written consent, company
policy, or a warrant.

d. Documentation and Transparency

• Keep a detailed log of all steps taken and findings made.

• Ensure all actions are traceable and reproducible.

e. Professional Competence

• Use proper forensic tools and techniques.

• Investigators must be trained and qualified.

2. Possible Ethical Violations and Consequences a. Invasion of

Privacy

• Accessing personal data without relevance to the case could violate the employee’s
privacy rights.

• Consequence: Legal action against the company or dismissal of evidence in court. b.

Fabrication or Tampering

• Modifying or planting data to strengthen the case is unethical and illegal.

• Consequence: Criminal charges against the investigators; damage to the company’s

reputation.

c. Lack of Consent or Legal Authority

• Accessing the computer without proper permission or legal backing.

• Consequence: Evidence may be declared inadmissible, and the investigation may be

ruled unlawful.
d. Bias or Conflict of Interest

• If investigators have ties to management or personal conflicts, they may not act
objectively.

• Consequence: Skewed findings and potential disciplinary actions.

3. Applying Locard’s Exchange Principle

Locard’s Exchange Principle: “Every contact leaves a trace.” Application

in This Case:

• When the employee allegedly accessed, copied, or transferred the company’s

intellectual property, traces would be left behind, such as: o File access logs
showing when sensitive documents were opened or copied.

o USB or external drive logs indicating data transfers. o Email or cloud

sync activity where files might have been shared externally.

o Browser history or deleted files related to uploading or downloading IP

content.

These digital traces serve as proof of interaction, helping the forensic team link the
employee's actions to the misuse of intellectual property, aligning directly with Locard’s
principle.

Conclusion

Ethical conduct is vital in forensic investigations to ensure fairness, legality, and admissibility
of evidence. Any deviation can result in severe legal, professional, and reputational damage. By
applying ethical norms and Locard’s Principle, the forensic team can build a solid,
responsible case against potential IP misuse.