1. Define Cyber Forensics. Explain in detail the different types of forensics.
Definition:
Cyber Forensics, also known as Digital Forensics, is the application of investigative and analytical techniques to collect, preserve, analyze, and present digital evidence in a way that is admissible in court.
It focuses on recovering data from computers, networks, mobile devices, and other digital sources to investigate crimes such as hacking, data theft, cyber fraud, and digital harassment.
Types of Forensics:
1. Computer Forensics
o Deals with desktops, laptops, hard drives, SSDs, and removable media.
o Activities include recovering deleted files, analyzing logs, tracing unauthorized access, and retrieving internet history.
o Example: Finding erased bank transaction details in fraud cases.
2. Network Forensics
o Involves monitoring, capturing, and analyzing network traffic.
o Used for detecting intrusions, tracing the IP addresses of attackers, and preventing further damage.
o Example: Analyzing packet captures to identify data exfiltration.
3. Mobile Device Forensics
o Focuses on smartphones, tablets, and portable devices.
o Extracts SMS, call logs, GPS data, multimedia files, and app data.
o Example: Using WhatsApp chat records as legal evidence.
4. Database Forensics
o Examines database content, schema, and logs for unauthorized activity.
o Can identify who made changes, what was altered, and when.
o Example: Finding hidden entries in a corporate HR database.
5. Cloud Forensics
o Deals with evidence stored on cloud platforms.
o Requires remote access methods and coordination with service providers.
o Example: Investigating stolen documents stored in the cloud.
6. Malware Forensics
o Analyzes malicious software to determine its origin, behavior, and impact.
o Often involves reverse engineering the malware code.
o Example: Understanding ransomware encryption patterns.
2. Explain the procedure for corporate High-Tech Investigations.
Corporate High-Tech Investigations involve detecting and resolving cyber incidents within an organization while ensuring minimal disruption to business operations.
Procedure:
1. Planning the Investigation
o Define objectives (e.g., fraud detection, policy violation, data breach).
o Assign investigation teams with clear roles and responsibilities.
2. Obtaining Legal Approval
o Secure authorization from management or the legal department.
o Ensure compliance with laws such as the IT Act or GDPR (if applicable).
3. Securing the Incident Scene
o Isolate affected systems to prevent further tampering.
o Disconnect them from the network if active attacks are suspected.
4. Evidence Identification & Collection
o Identify relevant devices (servers, PCs, mobile devices, network logs).
o Use write blockers to ensure no data is modified during acquisition.
5. Preservation of Evidence
o Maintain chain-of-custody documents for every item collected.
o Use secure storage for physical and digital media.
6. Analysis
o Perform forensic imaging of drives.
o Analyze logs, file systems, and suspicious files for malicious activity.
7. Reporting
o Prepare detailed reports with findings, timelines, and recommendations.
o Submit to the legal team or management for further action.
3. How is Evidence presented in court?
Steps for Presenting Digital Evidence:
1. Legal Admissibility Check
o Ensure evidence was collected using approved forensic methods.
o Verify chain of custody and authenticity.
2. Expert Testimony
o Forensic experts explain the methods used to collect and analyze the evidence.
o Provide interpretations in simple terms for judge and jury.
3. Demonstrative Aids
o Use charts, diagrams, timelines, or visualizations to explain findings.
o Present original files along with their hash values for integrity verification.
4. Compliance with Rules of Evidence
o Must satisfy relevance, reliability, and authenticity.
o Avoid hearsay and ensure proper documentation.
5. Submission of Reports
o Submit written forensic reports with supporting data.
o Keep backup copies of evidence in original form.
4. Explain briefly about Remote Acquisition.
Definition:
Remote Acquisition is the process of collecting digital evidence from a remote location via a network connection, without physically accessing the device.
Features:
Useful for investigating cloud data, remote servers, or geographically distant devices.
Requires strong encryption and secure channels to avoid data alteration.
Procedure:
1. Establish secure remote connection.
2. Authenticate the source system.
3. Use forensic tools to image the data without altering the original.
4. Save acquired data with hash verification.
Advantages:
Saves time and travel cost.
Allows investigation of live systems.
Challenges:
Risk of network interruption.
Legal jurisdiction issues if across borders.
5. Demonstrate the storage format of Digital Evidence.
Common Storage Formats:
1. Raw Format (.dd)
o Bit-by-bit copy of the original data.
o Uncompressed, exact replica.
o Supported by most forensic tools.
2. Proprietary Formats (e.g., E01)
o Created by forensic tools like EnCase.
o Support compression and metadata storage.
o Include hash values for verification.
3. Advanced Forensic Format (AFF)
o Open-source format with flexible metadata storage.
o Can be compressed or encrypted.
4. Logical vs Physical Formats
o Logical: Only active files and folders.
o Physical: Complete drive including deleted and hidden data.
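The raw (.dd) image described above, together with the hash verification that step 4 of Remote Acquisition calls for, as an added Python example (not code from these notes or from any forensic tool): the source is copied bit for bit and hashed in the same pass, the hash is stored in a chain-of-custody record, and a later check detects any change to the stored image. The record's field names, the examiner name and the small sample "drive" are constructed for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read the source in 1 MiB blocks

def sha256_of(path):
    """SHA-256 of a file, read in blocks so large images do not need RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_raw_image(source_path, image_path, examiner):
    """Bit-for-bit copy into a raw (.dd) image, hashing the source during the
    copy so the evidence is read once. Returns a chain-of-custody record whose
    field names are this example's own, not those of any standard form."""
    h = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return {
        "item": os.path.basename(image_path),
        "source_sha256": h.hexdigest(),
        "size_bytes": os.path.getsize(image_path),
        "acquired_by": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }

def verify_image(image_path, record):
    """True only while the image still matches the hash taken at acquisition."""
    return sha256_of(image_path) == record["source_sha256"]

def demo(tamper=False):
    """Constructed sample: a small file stands in for a drive. On a real case
    the source would be a block device (e.g. /dev/sdb) behind a write blocker."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "drive.bin")
    image = os.path.join(workdir, "drive.dd")
    with open(source, "wb") as f:  # unallocated zeros, a remnant, then noise
        f.write(b"\x00" * 4096 + b"remnant of a deleted file" + os.urandom(3000))
    record = acquire_raw_image(source, image, "examiner-01")
    if tamper:  # flip one byte in the stored image; verification must now fail
        with open(image, "r+b") as f:
            f.seek(4096)
            f.write(b"X")
    return verify_image(image, record), record
```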
6. How is evidence collected from the scene?
Steps in Evidence Collection:
1. Securing the Scene
o Restrict access to prevent tampering.
o Document who enters and leaves the area.
2. Documentation
o Photograph and video record the scene.
o Note system configurations and screen displays.
3. Identification of Evidence Sources
o Computers, external drives, mobile phones, servers.
o Also consider non-digital evidence like handwritten passwords.
4. Collection & Preservation
o Use write blockers for drives.
o Bag and tag all devices with unique IDs.
5. Chain of Custody Maintenance
o Record every transfer of evidence.
o Store securely until analysis.
7. Explain different types of acquisitions.
Types:
1. Static Acquisition
o The system is powered off.
o Safe from alteration but may miss live data in RAM.
2. Live Acquisition
o Performed on a running system.
o Captures volatile data such as RAM contents and network connections.
3. Logical Acquisition
o Copies only visible files and folders.
o Faster but may miss deleted data.
4. Physical Acquisition
o Bit-by-bit copy of entire drive.
o Includes deleted, hidden, and encrypted data.
8. Discuss email crimes and violations.
Common Email Crimes:
Phishing – Fake emails to steal login credentials.
Spoofing – Forged sender addresses.
Spamming – Unsolicited bulk emails.
Cyberstalking – Harassment through repeated emails.
Business Email Compromise (BEC) – Impersonating executives to trick employees.
Investigation Methods:
1. Analyze email headers for IP addresses and routing info.
2. Examine email server logs.
3. Recover deleted emails from backups.
4. Verify attachments for malware.
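Investigation method 1 above, header analysis, as an added Python example (not from the original notes): it walks the Received chain of a message to recover the routing and the originating IP, and flags the spoofing and BEC indicators the notes describe, namely a displayed From that disagrees with the envelope Return-Path and Reply-To, and a failed SPF or absent DKIM result. The message, domains, addresses and IPs are constructed for the example and are not from a real incident.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real incident): an executive-impersonation message
# whose envelope sender and Reply-To do not match the displayed From address.
SAMPLE = """\
Received: from mx2.example-corp.test (mx2.example-corp.test [203.0.113.9])
\tby mail.example-corp.test with ESMTP id 7f3a; Mon, 3 Mar 2025 09:14:02 +0000
Received: from relay.freemail.test (relay.freemail.test [198.51.100.27])
\tby mx2.example-corp.test with ESMTPS; Mon, 3 Mar 2025 09:14:01 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby relay.freemail.test with ESMTPA; Mon, 3 Mar 2025 09:13:58 +0000
Authentication-Results: mx2.example-corp.test; spf=fail smtp.mailfrom=freemail.test; dkim=none
Return-Path: <ceo.urgent@freemail.test>
From: "CEO" <ceo@example-corp.test>
Reply-To: ceo.urgent@freemail.test
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def trace_route(msg):
    """Hop IPs oldest-first: each relay prepends its Received header, so the
    bottom-most one is closest to the sender and its IP is the likely origin."""
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        match = IP_RE.search(received)
        hops.append(match.group(1) if match else "unknown")
    return hops

def domain(addr):
    # domain part of an address such as '"CEO" <ceo@example-corp.test>'
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def analyze(raw):
    msg = message_from_string(raw)
    from_dom = domain(msg.get("From", ""))
    findings = []
    if domain(msg.get("Return-Path", "")) != from_dom:
        findings.append("envelope sender (Return-Path) domain differs from From")
    if msg.get("Reply-To") and domain(msg["Reply-To"]) != from_dom:
        findings.append("Reply-To diverts replies to a different domain")
    auth = msg.get("Authentication-Results", "")
    if "spf=fail" in auth or "dkim=none" in auth:
        findings.append("sending host not authorized for the From domain (SPF/DKIM)")
    hops = trace_route(msg)
    return {"origin_ip": hops[0], "hops": hops, "findings": findings}
```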
9. How to secure the crime scene?
Steps:
1. Initial Response
o First responder ensures safety and prevents evidence loss.
o Disconnect network cables if an active attack is ongoing.
2. Access Control
o Only authorized personnel are allowed.
o Maintain log of all entries and exits.
3. Documentation
o Photograph, label, and describe all devices.
o Record system states and open applications.
4. Evidence Protection
o Use Faraday bags for wireless devices.
o Store media in anti-static bags.