Suyash Shelake7946

CYBER FORENSICS ASSIGNMENT

1. A murder has occurred. The victim is identified to be the

national chief of defense. Not long afterwards, a security breach
in the IT systems of the department of defense is detected. The
suspected perpetrator appears to be an outside hacker. What
would be your hypothesis, and how would you investigate the
case?
Ans:
a] The case is of utmost importance as the victim is the national chief
of defence.
b] Here we need to understand that the breach has taken place in
the IT systems of the department of defence.
c] Hence, we can say that the murder of the personnel and the
security breach of the systems of the defence was being carried by
the people of same organisation for malicious purposes, here we can
say that it can be terrorism.
d] The IT systems of the department of the defence needs to be
sealed and because the hacker is an outside hacker so there is no
need of night oprations.
e] The possible hardware evidences should be collected there itself,
also some other objects also should be taken into observation. Image
aquisition of important evidences should be done. In the security
systems of the computers of the department of defence, there can
be traces of some forging, so it is better to check the firewall logs,
and many other gateway logs to find some malicious activity.
f] And lastly, as this case is of nationwide security issue, utmost
confidentiality should be maintained so as to find the culprit easily
and to prevent havoc.

CF assignment
Suyash Shelake7946

2. As part of a drug cartel case, you have been asked to seize all
digital devices from one of the potential drug dealers’ homes. The
“dealer” was caught sitting in the living room, and he was
brought to custody. What devices would you look for, and what
would you have to consider in order to obtain all evidence
relevant to the drug cartel case?
Ans:
a] The drug cartel case is a very intriguing case to be examined
because the reaches of the drug dealers are very far and wide, so the
forensic officer needs to be very rapid in his/her actions.
b] All the electronic devices such as laptops, computers, printers,
cameras should be collected; as well as the ones which are not
doubtful, such as bags, ceiling fans, clothes should be examined
thoroughly because the dealer may hide some of the SIM cards, or
other valuable evidences.
c] As the dealer must have been in contact with the drug supplier,
and the customers who consume the drugs, the phone of the dealer
should be tracked and traced so as to find all the suspicious contacts
which might be accessed.
d] The dates and timings of the call logs, messages, call recordings,
and other contacting information should be found so as to get the
hang of the other people involved in the act.

3. You are involved in the analysis phase of an investigation of a

cyberattack. All potentially relevant data objects have been
collected and examined. In order to proceed, what do you need to

CF assignment
Suyash Shelake7946

ensure with regard to the evidence integrity? How will you do

this, and why?
Ans:
a] The analysis phase of the forensics consists of interpreting the
collected data and deriving the results.
b] The collected data should be sorted on the basis of various factors
like correlation, timeline, events of interest, corroboration, etc.
c] The evidence can be made integral by making 2-3 copies of the
same so that the original data is preserved.
d] The analysis can be done on the images made, not on the original
evidence so as no data is being lost or manipulated from the original
evidence.
e] Also, for extra safety, if the case is very sensitive, then there is a
threat of theft of the evidence, hence the evidence should be neatly
preserved in the locker rooms so that no one except the forensic
officer should get access to it.

4. A bank has registered an incident, and it has been reported to a

national financial crime agency in which you are working.
Imagine that you, as a digital forensics investigator, are engaged
to investigate the online banking fraud case. Describe how you
would go about solving the case, finally presenting the evidence to
a court of law and to the bank executives.
Ans:
a] Online banking fraud is a very serious phenomenon because
money and savings of many people is at stake and all this can result
in riots.

CF assignment
Suyash Shelake7946

b] The case should be examined in the night timing as we do not the

suspected criminal, he/she might be working in IT department of the
banking company, hence the forensic operation should be made
confidential.
c] The live analysis should be performed on a case like that because
by taking down the website would be of no use.
d] If the website has some cookie settings, then the cookie's logs
should be observed to find any malicious user or personnel. The
packet tracer logs should be observed to find if any brute force
attacks are being done at the time of the crime. And other evidences
such as the user id's of those people who were transacting on the
website during the crime should be listed.
e] The presentation of the Case should be made very compactly and
accurately in front of the lawyer and ultimately in the front of the
judge so that the victim is being caught and the bank functioning is
back to normal.

5. A text message has been received on an encrypted mobile

phone. From the system view, in which layers of abstraction does
the message exist, and where is it readable? What can we say
about the trust we have to place in the system for each case?
What about the volatility of the data?
Ans:
a] The message which is being received on the mobile phone might
get stored on the memory of the system.
b] Although, the dependability on a message as an evidence is not
good because message can be erased and the evidence can be
destroyed premanantly.

CF assignment
Suyash Shelake7946

c] Also, in the case of messaging, various attacks like the Man-in-the-

middle attack is possible, hence the message data which we have got
might not be authentic.
d] The message data is volatile compared to other physical data
drives because the memory size is very less and it is very hard to
trace, and it can be destroyed very easily.

6. In a drug case, you suspect there has been communication

between two suspected ringleaders, as both know about the
delivery and pickup. The lawful interception has not seen any
direct communication between these suspects: no SMS, calls, or
direct data streams. You suspect they have used their
smartphones to communicate. What do you think you can find on
their phones? How would you start looking for their
communication? Anything you can do before the suspects are
brought in? How would you acquire the data from the phones?
And how would you search for traces?
Ans:
a] As the lawful interception says that there is no direct
comunication between the two ringleaders, then I suspect that there
are other people who are indirectly involved in the conversation of
those two people.
b] The smartphones of the suspects should be seized and all the
possible communication media in the phone should be traced and
analysed.
c] The social media platforms of both the suspects should be tapped
and the common contacts amongst both of them should be taken
into consideration.

CF assignment
Suyash Shelake7946

d] Possible conversation with the middle man by both the suspects

on various media platforms like Whatsapp, messaging can be useful
in the verification of the criminals.
e] Before the criminals are brought in, all the possible evidences
should be aquisited and preserved.
f] The files such as images, etc might be deleted by the criminals
hence, the data recovery should be done so as to find out the
possible evidences.
g] The cache file of the mobile device consists many repository files
which contains trash data, however this data can be very useful in
finding the traces of contact info, etc.

7. During an ordinary day, in which mobile or embedded systems

do you think you leave traces? How can this information be
collected? Can this information be used to strengthen or weaken
an alibi? What else can this information tell?
Ans:
a] Smartphones is the widely used mobile device which we all use in
our day to day life. Our daily transactions are nowadays are being
performed in the smartphones.
b] Hence, smartphones are a very vulnerable source of our personal
data, which can be tapped by anyone if he/she gets access to our
smartphone.
c] Also, other devices such as ipods, biometric scanners, smart
speakers are being used by us in a large scale. All those contain very
crucial personal information about oneself.

CF assignment
Suyash Shelake7946

d] This information can be very crucial for strengthening or weakning

any alibi because, it can tell the personalised pattern of the device
user and hence various suspections can be made out of this data.
e] All this personal information can tell a lot about the preferences of
a person, likes or dislikes, which can be further important in the
investigation of the case.

8. What are challenges in digital Forensics?

Digital forensics is a technique in the identification of computer based
crimes. But digital forensics faces a few major challenges when it
comes to conducting investigations.
Technical Challenges
With the vast development of the computer technologies within the
last decade, usage of technology has been defined as both good and
bad. While some people use technology to invent things to benefit
mankind, criminals also use technology to achieve their own targets.
One of the main problems is that as soon as a technology is developed
to identify and investigate criminals, there is another technique that
helps the criminals to hide themselves. This is a massive challenge
forensics officers face today.
Unlike many other sources of physical evidence, digital evidence is
easy to modify, remove or hide, possibly without leaving tracks that
might identify the criminal. So anti-forensics has become a major
challenge for digital forensics.
 Encryption

Encryption is process of scrambling information that can only

be decoded and read by someone who has the correct decoding
key. Encryption is used to hide or make the evidence unreadable
on the compromised system.

CF assignment
Suyash Shelake7946

Attackers use many different encryption methods and in order to

make the data usable, investigators have to decrypt the
encrypted data. It is time consuming and sometimes the
encrypted data cannot be decrypted.

 Steganography

Steganography is an encryption technique that can be used along

with cryptography as an extra-secure method in which to protect
data.
Steganography is a technique that is used to hide any
information inside a file carrier without modifying its outward
appearance. Attackers use this steganography to hide their
hidden data (payloads) inside the compromised system. When
investigating computer crimes, the investigator has to identify
these hidden data in order to reveal the information for further
reference.

CF assignment
Suyash Shelake7946

 Covert Channel
Covert channel in communication protocols allows attackers to
hide data over the network and possibly bypass intrusion
detection techniques. Typically, a network protocol is chosen
and its header is modified to leak messages between attackers,
exploiting the fact that few fields of the header are modified
during transmission.

Attackers use these covert channels in order to maintain a

hidden connection between the attacker and the compromised
system. It is less identifiable.

 Data hiding in storage space

Attackers hide some data inside storage areas and make them
invisible to the usual system commands and programs. It makes
the investigation more complex and more time consuming and
sometimes data can be corrupted too. Rootkit is one of the most
popular techniques used to hide data in storage space.

Malware designers use rootkits to hide malware inside victims’

PCs. It is very hard to identify rootkits and most computer users
do not know how to remove these rootkits.

 Residual Data Wiping

CF assignment
Suyash Shelake7946

When the attacker uses a computer for his goal, a few hidden
processes (e.g. temporary files, history of commands) are
running without the knowledge of the attacker. But an intelligent
attacker can avoid this risk by wiping out the tracks that were
made by his process and making the system work as if it has not
been used for such a purpose.

 Tail Obfuscation

The most common technique is the obfuscation of the source of

the attack. Here, the attacker uses some false information in
order to mislead the investigator (e.g. false email headers,
changing file extensions). Therefore sometimes the investigator
might miss some data that has forensic value.

Resource Challenges
Depending on the scenario, the volume of data involved in the case
might be large. In that case the investigator has to go through all the
collected data in order to gather evidence. It may take more time for
the investigation. Since time is a limiting factor, it becomes another
major challenge in the field of digital forensics.
In volatile memory forensics, since the data stored in the volatile
memory is ephemeral, user activities are overwritten in the volatile
memory. Therefore investigators can analyze only recent information
that is stored on the volatile memory. This reduces the forensic value
of the data for the investigation.
When collecting data from the source, an investigator must make sure
that none of the data is modified or missed during the investigation,
and the data must be well secured.
Data sources which are damaged cannot be easily used in
investigations. So it is a major issue when an investigator finds a
valuable source that is not usable.
Legal Challenges
Privacy is also important to any organization or victim. In many cases
it may be required that the computer forensics expert share the data or

CF assignment
Suyash Shelake7946

compromise privacy to get to the truth. A private company or an

individual user might generate lots of private information in their day
to day usage. So asking an investigator to examine their data might
risk their privacy being revealed.

9. Discuss investigation procedure in cloud forensics

Ans: The investigation procedure in cloud forensics acts according to
three dimensions.
A] Technical Dimension:
1] The Technical Dimension contains cloud forensics tools
which are required to carry out investigations in the Computing
environment.
2]This phase consists of data collection, evidence segregation,
live forensics, virtualized environments, and proactive measure.
B] Organizational Dimension:
1] To perform the cloud forensic investigation process in an
accurate way the service provider must communicate with third-
parties.
2] IT professionals who are experts in networks, security,
systems, ethical hacking, cloud security, and cloud architects must be
hired to assist investigators at the crime scenes. Incident Handlers
responds to data leakage and loss, denial of service attacks, breach
of confidentiality, insider attacks, and malicious code infections.
C] Legal dimension:
1] The development of regulations and agreement is required
in the Legal Dimension.
2] This is to ensure that the forensic activities do not break the
laws and regulations in the jurisdictions where data resides.

CF assignment
Suyash Shelake7946

10. Discuss any case related to IOT forensics.

IoT Forensics: The IOT Forensics is obtaining digital evidence from
the IoT devices for a legal purpose “Execute digital forensics
procedures in the IoT paradigm

Collection of Digital Evidence from IoT devices Since IoT devices

come in a variety of models, operating systems, file systems and
proprietary hardware and software there is no single standard
approach that can be followed in identifying and collecting data from
a given IoT device. The following are some methods for collecting
the data.
 Acquiring a Flash Memory Image
 Acquiring a memory dump using Linux dd command or netcat
 Extract Firmware data by using JTAG and UART techniques
Acquiring a Flash Memory Image:
• In this method, if an IoT device can be connected to a computer,
the internal storage of the device can be forensically imaged using
forensic imaging utilities such as FTK Imager X-ways forensics
ENCASE
• The collected forensic image can be analysed using the majority
of the digital forensic applications. Whenever possible, the flash
memory storage device such as NAND/NOR Flash chips,
SD/CF/MMC cards has to be imaged in a bit-stream/full physical
mode.
Acquiring a memory dump using Linux dd command:

CF assignment
Suyash Shelake7946

• For IoT devices with operating systems such as Linux or

embedded Linux, internal utilities such as Linux dd or netcat can
be used to acquire a forensic image of a selected drive or the device
memory.
• This requires booting into the device and a terminal access.
• The resultant forensic image can be analyzed to identify and
extract information relevant to the case/ incident.
• dd if=/dev/mtd of=forensic-image.dd bs=65536 conv=noerror,
sync
Firmware data extraction by JTAG:
 JTAG stands for Joint Test Action Group which was later
standardized as IEEE 1149.1 Standard Test Access Port.
 The port was initially designed for testing PCB (Printed Circuit
Boards).
 JTAG Forensics involves acquiring firmware data using standard
Test Access Ports (TAPs).
 The data is transferred in a raw format.

Firmware data extraction by UART UART is Universal

Asynchronous Receiver/Transmitter It is a computer hardware
device which is a part of Integrated circuitry and used for serial
communications over a computer or peripheral device serial port
Accessing the firmware via UART pins and extracting the data
requires specialized interfaces and it is also an invasive technique
which can reset the devices to factory settings resulting in loss of data.

CF assignment
Suyash Shelake7946

11. Discuss about digital data insurance

Definition:
The concept of “digital insurance” is an umbrella term that
encompasses the vast amount of new technologies that have changed
the way nearly every carrier operates. Another definition of digital
insurance is any company using a technology-first business model to
sell and manage insurance policies. Many insurance companies today,
though, have a digital insurance arm of their business in addition to
traditional insurance practices.
These providers generally differentiate themselves in a few key
ways:
 Offering a customer-first business approach.
 Omnichannel experiences – you can research, compare, and
purchase insurance online or through an app without having to
speak directly to an agent in person or over the phone.
 Pricing, risk evaluation, and/or claims handling rely on modern,
open software platforms connected to the insurtech ecosystem
(new insurance-specific technology).
 Coverage options are simplified to cater to individuals or
families with less robust insurance needs.
Tools & Applications:

CF assignment
Suyash Shelake7946

Artificial Intelligence: Digital insurance was developed with speed

and scalability in mind, and AI makes instantaneous calculations,
processing, and communication possible for insurance carriers. In its
application, AI in insurance will impact some of the primary functions
of the industry,
 UnderwritingClaims
 New Business
 Marketing
 Retention
Machine Learning: As Forbes put it, “machine learning is based on
the idea that we can build machines to process data and learn on their
own, without our constant supervision.”
Internet of Things: The proliferation of IoT-enabled devices is
expected to grow, with the Connected Insurance Report by Insurance
Nexus estimating that there will be 30 to 50 billion devices
connecting nearly facet of daily life by 2020. The widespread use of
smart devices, in the home, car, or even in medicine, is another
opportunity for carriers to leverage the capabilities of digital
insurance.
Big Data & Analytics: When applied, data is every insurer’s biggest
asset. To properly utilize this data, insurers need robust analytics
systems that paint a complete picture of their business and their
customers by pulling data from many disparate systems and
consolidating it into actionable insights.
SaaS Capabilities: To maximize the potential of all of the
aforementioned tools, most digital insurers use a SaaS-based solution
that provides the hosting, support, and resources for all digital
insurance tools and applications.
Benefits of Digital Insurance:
 Meeting & Exceeding Customer Expectations.
 Fraud Detection.

CF assignment
Suyash Shelake7946

 Cost Reduction
 Employee Experience
 Low-code Capabilities

CF assignment