
FACULTY OF ENGINEERING & TECHNOLOGY

DEPARTMENT OF CSE

UNIVERSITY EXAMINATION

SUB. CODE: EMCF22001 SUB. NAME: Digital Forensics and Cyber Crime Investigation
DEGREE: M.TECH BRANCH: CFIS
YEAR/SEMESTER: I/II SEC A SECTIONS/COMMON TO:
MAX. MARKS: 100 DURATION: 3 Hrs
DATE: PORTION: All Units

PART-A (10x1 = 10) - ANSWER ALL QUESTIONS - MCQ


1. When handling computers for legal purposes, investigators increasingly are faced with four main
types of problems, except:
A. How to recover data from computers while preserving evidential integrity
B. How to keep your data and information safe from theft or accidental loss
C. How to securely store and handle recovered data
D. How to find the significant information in a large volume of data
2. CCFP stands for?
A. Cyber Certified Forensics Professional
B. Certified Cyber Forensics Professional
C. Certified Cyber Forensics Program
D. Certified Cyber Forensics Product
3. Which device connects networks that use different protocols?
A. Switch
B. Hub
C. Gateway
D. All of these
4. Which program will be used to gain administrative rights on one's computer?
A. Bot
B. Trojan horse
C. Executive Android
D. Rootkit

5. In the _____________ phase, the investigator transfers the relevant data from a venue outside the physical or
administrative control of the investigator to a controlled location.
A. Preservation phase
B. Survey phase
C. Documentation phase
D. Reconstruction phase
E. Presentation phase
6. Collecting and analyzing the digital evidence obtained from the physical investigation phase
is the goal of which phase?
A. Physical crime investigation
B. Digital crime investigation
C. Review phase
D. Deployment phase
7. Which digital forensic software is commonly used for mobile device forensics?
A. EnCase
B. Autopsy
C. Wireshark
D. Cellebrite
8. Which digital forensic software is commonly used for network forensics?
A. Autopsy
B. EnCase
C. Wireshark
D. Cellebrite
9. In network storage forensics, what does the term "packet sniffing" refer to?
A. The process of recovering deleted files from network storage devices.
B. The analysis of log files to identify network security incidents.
C. The capture and analysis of network traffic to intercept and inspect data packets.
D. The examination of file metadata to determine access permissions.
10. In web investigations, what does the term "IP address geolocation" refer to?
A. The process of identifying the web browser used to access a website.
B. The analysis of website content and structure for potential security vulnerabilities.
C. The identification of the physical location associated with an IP address.
D. The examination of web server logs to track user activities on a website.
PART-B (5x6 = 30) - ANSWER ANY 5 QUESTIONS
11. What are the different types of computer forensics and how do they contribute to digital
investigations?

12. What are the key needs and objectives of computer forensics? Discuss how computer forensics
plays a crucial role in modern-day investigations.

13. What is the difference between system software and an operating system?

14. What is the difference between system software and application software?

15. What is data acquisition in digital forensics?

16. Discuss designing systems with forensic needs in mind.

17. What is personal jurisdiction?

18. What is a cyber-attack?

PART-C (5x12 = 60) - ANSWER ALL QUESTIONS


19. Describe the steps involved in the process of digital forensics. Discuss each step in detail,
highlighting the purpose and activities associated with each phase.

or

20. What are the computer forensic needs and fundamentals?

21. What is an IP address? Explain its types and classes.

or
22. Explain Network Topology and its types in detail with diagrams.

23. Give brief introduction to digital forensics tool.

or

24. Outline the life of a digital forensics investigator.

25. Explain Network Forensics.

or

26. Explain Mobile Device Forensics.

27. What are the steps in the file system forensics process?

or

28. What are the most common types of cyber attacks?


Answer Key

Ques. No. | Contents of the Answer | Allocation of Marks

1. B (1 mark)
2. B (1 mark)
3. D (1 mark)
4. D (1 mark)
5. B (1 mark)
6. B (1 mark)
7. D (1 mark)
8. C (1 mark)
9. C (1 mark)
10. C (1 mark)

11. (6 marks) Computer Forensics is a scientific method of investigation and analysis in order to gather evidence from digital devices or computer networks and components which is suitable for presentation in a court of law or legal body. It involves performing a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it.

TYPES

Disk Forensics:

Network Forensics:

Database Forensics:

Malware Forensics:

Email Forensics:

Memory Forensics:

Mobile Phone Forensics:

12. (6 marks) The key needs and objectives of computer forensics revolve around the identification, preservation, extraction, analysis, and presentation of digital evidence for investigative purposes. Here are the main needs and objectives of computer forensics:

1. Digital Evidence Identification:

2. Evidence Preservation:

3. Data Extraction and Recovery:

4. Evidence Analysis:

5. Reconstruction of Digital Events:

6. Identification of Perpetrators:

7. Support for Legal Proceedings:

13. (6 marks) System software and an operating system are two related concepts but are not the same thing. Here are some of the main differences:

1. Scope:

2. Function:

3. Importance:

4. Complexity:

14. (6 marks) The main difference between system software and application software is that system software is used to operate computer hardware, whereas application software is used according to user applications.

15. (6 marks) The gathering and recovery of sensitive data during a digital forensic investigation is known as data acquisition. Cybercrimes often involve the hacking or corruption of data. Digital forensic analysts need to know how to access, recover, and restore that data as well as how to protect it for future management. This involves producing a forensic image from digital devices and other computer technologies. Digital forensic analysts must be fully trained in the process of data acquisition. However, they are not the only ones who should understand how data acquisition works. Other IT positions that require knowledge of data acquisition include data analyst, penetration tester, and ethical hacker. Moreover, the entire organization should understand the basics of how cybercrime works, including the importance of not intruding into hacked computer systems. Just as in a real-life crime scene, a “civilian” who stumbles into a digital crime scene can inadvertently destroy evidence or otherwise corrupt the crime scene, impeding later investigation. This speaks to the need to ensure that an entire business operation has cybersecurity training that covers the basics of proper information technology use, anti-phishing techniques, and network security (EC-Council, 2020).

16. (6 marks) Design Systems with Forensic Needs in Mind. Tools that are designed for detecting malicious activity on computer networks are rarely designed with evidence collection in mind. Some organizations are attempting to support their existing systems with forensics tools in order to address authentication issues that arise in court. Other organizations are implementing additional systems specifically designed to secure digital evidence, popularly called Network Forensic Analysis Tools (NFATs). The purpose of designing such a system is to enable digital detectives to monitor and acquire relevant data from a suspect system that can be considered digital evidence. A digital system may be a computer, a network, a mobile device, etc.; all of this equipment potentially has the ability to be used as a tool to run a digital attack against victims, such as denial of service or hacking other computers; on the other hand, it can be used for threatening others, such as writing blackmail (simple definition of blackmail: the crime of threatening to tell secret information about someone unless the person being threatened gives you money or does what you want), and so on.

For PCs, for instance, the data in RAM which reflect the current processes can disappear when the computer is powered off; in this scenario we believe that pre-installing forensic software tools on digital devices can help collect such sensitive data in critical time. Other digital systems can be monitored using suitable software; for example, networks can be supplied with an IDS or Wireshark to monitor and record most activities that can help track the suspect's activity. When these tools are installed prior to the crime, they will help detectives gain a lot of information about the crime and the attack. One of the main benefits of considering the design of any system to be forensically minded is to collect evidence in a way that helps digital detectives collect, identify and analyze the electronic evidence in the best way to be inadmissible in court. But even so, the rules of electronic evidence must be implemented to persuade the judge to accept this evidence.

17. (6 marks) Personal jurisdiction refers to the jurisdiction exerted by law over a person in deciding a particular lawsuit. It also operates along with the due procedure of law established by the constitution of that country. Personal jurisdiction in cyberspace has evolved one case law at a time, like cyberspace itself. The advancements are constant; hence they pose a challenge for the laws to keep up with. Due to its versatile and inconsistent nature, absence of physical boundaries and dynamic space structures, containing cyberspace within the bounds of a few specific laws and assigning jurisdiction becomes quite a task. To break it down, a “cyberspace” is created by a computer, and this virtual space “holds” all information. All physical transactions and all legal connotations attached to them go into overdrive in cyberspace. “A transaction in cyberspace fundamentally involves three parties. The user, the server host and the person with whom the transaction is taking place with the need to be put within one jurisdiction.” [2] In terms of personal jurisdiction, to separate disputes into domestic or international in cyberspace, it is important to distinguish disputes based on (i) what has happened, (ii) where it has happened and (iii) why it happened. Hence, a resident shall inevitably be tried under municipal laws, but ambiguity persists while dealing with non-residents. Traditionally, jurisdiction is exerted by a court in specific matters by terms of territory, subject matter, or the applicable law. Since one single transaction in cyberspace often involves multiple countries, it is challenging to assign the disputes arising to the laws of one particular country. One of the ultimate recourses could be sought under Public International Law, to eliminate jurisdictional clashes between countries and the conflicts of law arising out of them, using the principles of “personal jurisdiction”. Jurisdiction under International Law is of three types: (1) jurisdiction to prescribe; (2) jurisdiction to enforce; and (3) jurisdiction to adjudicate. To replicate these in cyberspace, one can consider the ‘law of the server’, that is, the physical position of the server or where the webpage is located, and claim the jurisdiction of that country. However, these principles are of no use when cyberspace is used to commit terrorist activities while maintaining the anonymity of its servers.

18. (6 marks) A cyber attack is any attempt to gain unauthorized access to a computer, computing system or computer network with the intent to cause damage. Cyber attacks aim to disable, disrupt, destroy or control computer systems or to alter, block, delete, manipulate or steal the data held within these systems.

19. (12 marks) Digital forensics entails the following steps:

- Identification

- Preservation

- Analysis

- Documentation

- Presentation

20. (12 marks) Computer forensics is also known as digital or cyber forensics. It is a branch of digital forensic science. Using technology and investigative techniques, computer forensics helps identify, collect, and store evidence from an electronic device. Computer forensics can be used by law enforcement agencies in a court of law or by businesses and individuals to recover lost or damaged data.

Identification:

Preservation:

Analysis:

Documentation:

Presentation:

21. (12 marks) An IP address is a numerical label assigned to the devices connected to a computer network that uses the IP for communication. An IP address acts as an identifier for a specific machine on a particular network. It also helps you to develop a virtual connection between a destination and a source.

There are mainly four types of IP addresses:

- Public

- Private

- Static

- Dynamic
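The question also asks for the address classes, which the key does not cover. As an added worked example (not part of the original paper or its answer key), the following Python code reads the classful class (A to E) from the leading bits of the first octet, attaches the class's default subnet mask, and separates private (RFC 1918), loopback, multicast and reserved addresses from public ones using the standard `ipaddress` module. The sample addresses and the `external_addresses` triage helper are constructed for illustration.

```python
from __future__ import annotations

import ipaddress

# RFC 1918 private ranges, listed explicitly so the check does not depend on
# which extra special-use ranges a given Python version folds into is_private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Classful default masks; classes D (multicast) and E (reserved) have no host part.
DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def ipv4_class(addr: str) -> str:
    """Classful address class, decided by the leading bits of the first octet."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:    # 0xxxxxxx  -> 0.0.0.0   .. 127.255.255.255
        return "A"
    if first_octet < 192:    # 10xxxxxx  -> 128.0.0.0 .. 191.255.255.255
        return "B"
    if first_octet < 224:    # 110xxxxx  -> 192.0.0.0 .. 223.255.255.255
        return "C"
    if first_octet < 240:    # 1110xxxx  -> 224.0.0.0 .. 239.255.255.255
        return "D"
    return "E"               # 1111xxxx  -> 240.0.0.0 .. 255.255.255.255


def ipv4_kind(addr: str) -> str:
    """Public/private/special-use classification, most specific check first."""
    ip = ipaddress.IPv4Address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if any(ip in net for net in RFC1918):
        return "private"
    if ip.is_multicast:
        return "multicast"
    if ip.is_reserved:
        return "reserved"
    if ip.is_global:
        return "public"
    return "special-use"     # documentation ranges, benchmarking, etc.


def describe_ipv4(addr: str) -> dict:
    """Summarise one address; raises ValueError for malformed input."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"not a valid IPv4 address: {addr!r}") from exc
    cls = ipv4_class(addr)
    return {
        "address": str(ip),
        "class": cls,
        "kind": ipv4_kind(addr),
        "default_mask": DEFAULT_MASK.get(cls),
    }


def external_addresses(addrs: list[str]) -> list[str]:
    """Keep only public addresses: a first triage step when reviewing a connection log."""
    return [a for a in addrs if describe_ipv4(a)["kind"] == "public"]


if __name__ == "__main__":
    # Constructed sample of addresses such as a connection log might contain.
    for a in ("10.20.30.40", "172.31.255.1", "8.8.8.8", "203.0.113.5", "224.0.0.251", "240.0.0.1"):
        print(describe_ipv4(a))
    print(external_addresses(["10.1.1.1", "8.8.8.8", "192.168.0.5", "1.1.1.1"]))
```

Note that 172.31.255.1 is private (it lies inside 172.16.0.0/12) while 172.32.0.1 is public, even though both are class B; the class and the public/private distinction are independent properties.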

22. (12 marks) The arrangement of a network that comprises nodes and connecting lines via sender and receiver is referred to as network topology.

Types of topology:

- Bus

- Ring

- Star

- Mesh

23. (12 marks)

1. SIFT Workstation

2. Autopsy

3. FTK Imager

4. DEFT

5. Volatility

6. LastActivityView

7. HxD

8. CAINE

9. Redline

10. PlainSight

24. (12 marks)

1. Preparation & Prioritization

2. Identification & Preservation

3. Analysis

4. Documentation

5. Presentation

25. (12 marks) Network forensics is a science that centers on the discovery and retrieval of information surrounding a cybercrime within a networked environment. Common forensic activities include the capture, recording and analysis of events that occurred on a network in order to establish the source of cyberattacks.

26. (12 marks) Mobile forensics, a subtype of digital forensics, is concerned with retrieving data from an electronic source. The recovery of evidence from mobile devices such as smartphones and tablets is the focus of mobile forensics. Because individuals rely on mobile devices for so much of their data sending, receiving, and searching, it is reasonable to assume that these devices hold a significant quantity of evidence that investigators may utilize.

27. (12 marks)

- Acquisition

- Validation and discrimination

- Extraction

- Reconstruction

- Reporting
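The following Python code is an added example, not part of the original answer key, showing what the data acquisition described in Q15 and the first two steps of the file system process above (acquisition, then validation and discrimination) look like in practice: a bit-for-bit copy is hashed while it is written, the finished image is re-hashed to validate it against the acquisition record, a copy with a single altered byte is shown to fail that check, and carved files are compared against a known-good hash set so that only unknown files remain for examination. The disk contents, file names, examiner name and reference hash set are all constructed stand-ins; a real acquisition would read a write-blocked device and use a published hash-set database.

```python
from __future__ import annotations

import hashlib
import io
import time
from typing import BinaryIO

CHUNK_SIZE = 64 * 1024            # read the source in fixed-size blocks, as imaging tools do
HASH_ALGOS = ("sha1", "sha256")   # two independent digests are recorded for the image


def hash_stream(stream: BinaryIO) -> dict[str, str]:
    """Hash an already-open stream from its current position to EOF."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGOS}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(source: BinaryIO, image: BinaryIO, examiner: str) -> dict:
    """Acquisition: copy the source bit-for-bit into the image while hashing it.

    Returns a minimal chain-of-custody record whose 'verified' flag is True
    only if the image as written hashes to the same values as the bytes read.
    """
    source_hashers = {name: hashlib.new(name) for name in HASH_ALGOS}
    size = 0
    for chunk in iter(lambda: source.read(CHUNK_SIZE), b""):
        image.write(chunk)             # the evidence copy is written untouched
        size += len(chunk)
        for h in source_hashers.values():
            h.update(chunk)
    image.flush()
    source_hashes = {name: h.hexdigest() for name, h in source_hashers.items()}
    image.seek(0)
    image_hashes = hash_stream(image)  # re-read what was actually written
    return {
        "examiner": examiner,
        "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "size_bytes": size,
        "source_hashes": source_hashes,
        "image_hashes": image_hashes,
        "verified": source_hashes == image_hashes,
    }


def verify_image(image: BinaryIO, record: dict) -> bool:
    """Validation: re-hash the image and compare with the acquisition record."""
    image.seek(0)
    return hash_stream(image) == record["image_hashes"]


def discriminate(files: dict[str, bytes], known_good: set[str]) -> dict[str, list[str]]:
    """Discrimination: set aside files whose SHA-256 is in a known-good set,
    leaving only unknown files for the examiner to look at."""
    known, unknown = [], []
    for name, data in sorted(files.items()):
        digest = hashlib.sha256(data).hexdigest()
        (known if digest in known_good else unknown).append(name)
    return {"known": known, "unknown": unknown}


# Constructed sample data standing in for a small block device and three files
# carved from it (hypothetical names; the contents are placeholders).
SAMPLE_DISK = bytes(range(256)) * 400
SAMPLE_FILES = {
    "notepad.exe": b"stand-in for a stock OS binary",
    "kernel32.dll": b"stand-in for a stock OS library",
    "invoice.pdf.exe": b"stand-in for an unknown executable",
}
# A reference hash set would normally come from a hash-set database; here it is
# computed from the two constructed stock-OS samples.
KNOWN_GOOD_SHA256 = {
    hashlib.sha256(SAMPLE_FILES["notepad.exe"]).hexdigest(),
    hashlib.sha256(SAMPLE_FILES["kernel32.dll"]).hexdigest(),
}


def run_demo() -> dict:
    """Acquire, validate, detect a tampered copy, and discriminate the sample files."""
    image = io.BytesIO()
    record = acquire(io.BytesIO(SAMPLE_DISK), image, examiner="examiner-placeholder")
    intact = verify_image(image, record)
    # A copy with its last byte changed must fail validation.
    tampered = io.BytesIO(image.getvalue()[:-1] + b"\x00")
    tamper_detected = not verify_image(tampered, record)
    return {
        "record": record,
        "image_intact": intact,
        "tamper_detected": tamper_detected,
        "triage": discriminate(SAMPLE_FILES, KNOWN_GOOD_SHA256),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

The record returned by `acquire` is what the examiner attaches to the evidence log: any later party can rerun `verify_image` against it, and a mismatch in either digest means the image is no longer the one that was acquired.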

28. (12 marks) Cyber attacks most commonly involve the following:

1. Malware

2. Phishing

3. SMiShing

4. Man-in-the-middle

5. DDoS

6. SQL injection

7. Zero-day exploit

8. Domain name system (DNS) tunneling

9. Drive-by

10. Credential-based attacks

11. Credential stuffing

12. Brute-force attack
