Study Material for
MCA (SEM-V)
Subject: Cyber Security and Forensics (Elective-II)
Subject Code: 2650008
Unit 7: Understanding Computer Forensics
Q.1) What is meant by forensics?
Ans)
Forensics means the characteristics of evidence that satisfy its suitability for admission as fact and its
ability to persuade based upon proof.
Q.2) Define digital forensics and computer forensics.
Ans)
1. Computer forensics is the lawful ethical seizure, acquisition, analysis, reporting and safeguarding
of data derived from digital devices which may contain info that is notable and of evidentiary
value in investigation.
2. Digital forensics is the use of scientifically derived and proven methods towards the
preservation, collection, validation, identification, analysis, interpretation, documentation and
presentation of digital evidence derived from the digital sources.
Q.3) What is the role of digital forensics? What scenarios are involved?
Ans)
The role of digital forensics is to:
1) Uncover and document evidence and leads.
2) Confirm evidence discovered.
3) Assist in showing the pattern of events.
4) Connect attacker and victim computers.
5) Reveal an end-to-end path.
6) Extract data that may be hidden, deleted or not directly available.
Scenarios involved are:
• Employee internet abuse
• Data leak/breach
• Industrial espionage
• Damage assessment
• Criminal fraud and deception cases
• Copyright violation
Q.4) Explain the need for computer forensics.
Ans)
• The modern high level of computing and advanced technology provides avenues for misuse as
well as opportunity for committing crime.
• This has led to new risks.
• The opportunities for social harm have also increased.
• Hackers use a variety of tools and techniques to break into computers and cause havoc.
• The widespread use of computer forensics is the result of two factors: the increasing dependence
of law enforcement on digital evidence, and the ubiquity of computers that follows from the
microcomputer revolution.
• The media on which clues related to cybercrime reside vary.
• Secondly, storage devices are becoming smaller in size with larger storage capacity, so finding
the relevant data in heaps of data is virtually impossible.
• But there are good forensic toolkits (FTKs) available to find the relevant data in the irrelevant mass.
• Evidence needs to be handled carefully.
Q.5) Differentiate between computer forensics and computer security.
Ans)
• Computer forensics is the lawful ethical seizure, acquisition, analysis, reporting and safeguarding
of data derived from digital devices which may contain info that is notable and of evidentiary
value in investigation.
• The main focus of computer security is the prevention of unauthorized access to computer
systems as well as maintaining confidentiality, integrity and availability of computer systems.
Q.6) Explain chain of custody. How can it be applied to digital forensics? Give an example.
Ans)
• Chain of custody means the chronological documentation trail that indicates the seizure,
custody, control, transfer, analysis and disposition of evidence, physical or electronic.
• The basic idea behind ensuring chain of custody is to ensure that the evidence is not tampered with.
• It is also important to establish that the alleged evidence is related to the alleged crime.
• An identifiable person should always have custody of the evidence.
• It should be stored in a safe place.
• Everything should be documented.
• Documents should include the conditions during evidence collection, the identity of all who handled the
evidence, security conditions, department name, case number and item description.
Steps involved:
Maintaining chain of custody-1:
• Collect: find, seize
• Preserve: copy, verify, secure
• Analyse: recover, search, correlate
• Report: summarize, document
Maintaining chain of custody-2:
• Source of evidence: where did it come from?
• Who found it?
• Where was it stored or locked up?
• Who touched it/tampered with it?
• What did they do to it?
• A human signature is always required.
Example:
Q.6) Digital evidence (DE) is different from physical evidence. Explain.
Ans)
• DE is easy to manipulate.
• Perfect copies can be made without harming the original.
• It is easy to create a clone of a device.
Q.7) Explain the rules of evidence.
Ans)
• All statements which the court permits or requires to be made before it by witnesses, in relation
to matters of fact under inquiry, are called oral evidence.
• All documents that are produced for the inspection of the court are called documentary
evidence.
• Electronic evidence is a different breed.
• The process used for digital evidence mimics the process that is used for paper evidence.
• As each step requires the use of tools or knowledge, the process must be documented, reliable
and repeatable.
• The process must be understandable by the court.
• The law specifies what can be seized, under what conditions, from whom and where.
• Which piece of digital evidence is required to be examined? Is the file on a local hard drive or
on a server located in another jurisdiction?
• There has to be a technical basis for obtaining the legal authority.
Contexts involved in identifying a piece of evidence:
1) Physical: it should reside on a specific piece of media.
2) Logical: it must be identifiable by its logical position.
3) Legal: we must place the evidence in the correct context.
Guidelines for collecting DE:
• Evidence is collected from a number of sources.
• Adhere to your site's security policy; engage law enforcement personnel.
• Capture a picture of the system as accurately as possible.
• Keep detailed notes with dates and times.
• Note the difference between the system clock and Universal Time.
• Be prepared to testify.
• Minimize changes to data as you are collecting it.
• First collect, then analyse.
• Procedures should be feasible.
• Divide the work among team members.
• Proceed from more volatile to less volatile media.
• Make a bit-level copy of media.
Q.8) Explain RFC2822.
Ans)
• RFC2822 is the Internet Message Format.
• According to the internet specs there are several formats of valid email addresses, like
joshi@[10.0.3.19] and "Dhiraj Joshi"@host.net.
• Many email address validators on the web fail to recognize some of those valid email
addresses.
• Some examples of invalid email addresses are as follows:
  • joshi@box@host.net: two @ signs are not allowed
  • .joshi@host.net: a leading dot (.) is not allowed
  • joshi@-host.net: a leading dash (-) is not allowed
  • joshi@host.web: web is not a valid top level domain name
  • joshi@[10.0.3.19]: invalid IP address
• It contains no specification of the information in the envelope.
• It states that each email must have a globally unique identifier included in the header of
the email.
• It also defines the syntax of the Message-ID.
• A message-id can appear in three header fields: the "Message-ID" header, the "In-Reply-To" header and
the "References" header.
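As an added example (not part of the original study material), the following Python code reconstructs an email thread from the three header fields named above (Message-ID, In-Reply-To, References) over a constructed sample mailbox, reports referenced ids that are missing from the mailbox, and applies the structural address checks from the list of invalid forms. The sample messages and message ids are constructed, and the top-level-domain check is omitted.

```python
import email

# Constructed sample mailbox (not real mail). The third message replies to an id
# that is not present, the trace a deleted or uncollected message leaves behind.
RAW_MAILBOX = [
    "From: joshi@host.net\nTo: alice@example.org\nSubject: invoice\n"
    "Message-ID: <a1@host.net>\n\nPlease pay.\n",
    "From: alice@example.org\nTo: joshi@host.net\nSubject: Re: invoice\n"
    "Message-ID: <b2@example.org>\nIn-Reply-To: <a1@host.net>\n"
    "References: <a1@host.net>\n\nPaid.\n",
    "From: joshi@host.net\nTo: alice@example.org\nSubject: Re: invoice\n"
    "Message-ID: <c3@host.net>\nIn-Reply-To: <x9@example.org>\n"
    "References: <a1@host.net> <b2@example.org> <x9@example.org>\n\nThanks.\n",
]

def header_ids(raw):
    """(Message-ID, direct parent, ancestry): RFC 2822 puts the parent's id in
    In-Reply-To and the whole ancestry, oldest first, in References."""
    msg = email.message_from_string(raw)
    mid = (msg.get("Message-ID") or "").strip()
    parent = (msg.get("In-Reply-To") or "").split()
    refs = (msg.get("References") or "").split()
    return mid, (parent[0] if parent else (refs[-1] if refs else None)), refs

def reconstruct_thread(mailbox):
    """Parent map for every message plus ids that are referenced but absent."""
    parsed = [header_ids(raw) for raw in mailbox]
    known = {mid for mid, _, _ in parsed}
    parents = {mid: parent for mid, parent, _ in parsed}
    cited = {r for _, parent, refs in parsed for r in refs + ([parent] if parent else [])}
    return parents, sorted(cited - known)

def address_problems(addr):
    """Structural checks for the malformed forms listed above (no TLD list is used)."""
    problems = []
    if addr.count("@") != 1:
        problems.append("exactly one @ is allowed")
    local, _, domain = addr.rpartition("@")
    if local.startswith("."):
        problems.append("local part must not start with a dot")
    if domain.startswith("-") or ".-" in domain:
        problems.append("a domain label must not start with a dash")
    return problems
```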
Q.9) Explain the forensics life cycle.
Ans)
The following phases are involved:
1) Preparing for evidence and identifying evidence
2) Collecting and recording digital evidence
3) Storing and transportation
4) Examination/investigation
5) Analysis, interpretation and attribution
6) Reporting
7) Testifying
1) Preparing for evidence and identifying evidence:
• Evidence must be identified as evidence.
• There is an enormous amount of potential evidence that might be available.
• It might reside on a single computer or might be on different computers.
• In a networked environment it extends to networked devices.
• Even a small timestamp can be of importance.
• If the evidence cannot be identified as relevant, it may never be collected or processed at all,
and it may not even continue to exist in digital form.
2) Collecting and recording digital evidence:
• DE can be collected from several sources like computers, cell phones, digital cameras, hard drives etc.
• Special care must be taken while handling such evidence, as it can be easily
tampered with or manipulated.
• Volatile evidence from RAM should be collected first if the machine is powered on.
• Data from non-volatile storage media can be collected later.
3) Storing and transportation:
• Image computer media using a write-blocking tool to ensure that no data is added to the suspect
device.
• Establish and maintain chain of custody.
• Document everything.
• Use only trusted and reliable tools and techniques.
• Evidence must be preserved until the trial is over.
• The original evidence should be preserved and working copies should be made.
• Care should be taken in transportation to avoid spoliation.
4) Examination/investigation:
• The forensic specialist should have legal authority to seize, copy and maintain data.
• There are two types of analysis: live and dead.
• Dead analysis is performed on data at rest, e.g. hard disk contents.
• Performing analysis on live systems is called live analysis.
• Exact duplicate copies of a hard drive can be created by using tools like IXimager or Guymager.
• Hashing techniques can be used to verify media.
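As an added example, not from the original notes, this Python code ties together the "Preserve: copy, verify, secure" step from Q.6 and steps 3 and 4 above: it makes a bit-level copy of a constructed stand-in for seized media, verifies the copy by SHA-256, and records each handling step in a hash-linked chain-of-custody log in which any later alteration or removal of an entry is detectable. The case number, item label and examiner name are placeholders.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for a seized drive (not a real disk image).
SAMPLE_MEDIA = b"MBR\x00" * 64 + b"\x00" * 512 + b"invoice_2019.docx fragment" + b"\x00" * 256

def sha256_of_file(path):
    """Hash of the whole file (a real multi-GB image would be read in chunks)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def image_media(source, image_path):
    """Bit-level copy from a read-only source (what a write-blocker enforces in hardware)."""
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        dst.write(src.read())
    return sha256_of_file(source), sha256_of_file(image_path)

def custody_entry(case_number, item, action, handler, prev_hash, media_hash):
    """One chain-of-custody record; each commits to the previous record's hash, so altering or dropping an earlier entry breaks every later link."""
    entry = {"case_number": case_number, "item": item, "action": action,
             "handler": handler, "time_utc": datetime.now(timezone.utc).isoformat(),
             "media_sha256": media_hash, "prev_entry_sha256": prev_hash}
    entry["entry_sha256"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    return entry

def verify_chain(chain):
    """Recompute every link; True only if no entry was altered, reordered or removed."""
    prev = "0" * 64
    for e in chain:
        body = {k: v for k, v in e.items() if k != "entry_sha256"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if e["prev_entry_sha256"] != prev or digest != e["entry_sha256"]:
            return False
        prev = e["entry_sha256"]
    return True

def acquire(case_number, item, examiner):
    """Seize, image and verify the sample media, logging each step to the chain."""
    workdir = tempfile.mkdtemp()
    source = workdir + "/suspect_drive.bin"
    with open(source, "wb") as f:
        f.write(SAMPLE_MEDIA)
    src_hash, img_hash = image_media(source, workdir + "/evidence.dd")
    chain = [custody_entry(case_number, item, "seized", examiner, "0" * 64, src_hash)]
    chain.append(custody_entry(case_number, item, "imaged and verified", examiner,
                               chain[-1]["entry_sha256"], img_hash))
    return src_hash == img_hash, chain
```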
5) Analysis, interpretation and attribution:
• All the DE must be analyzed to determine the type of information that is stored upon it.
• For doing this, special forensic toolkits (FTKs) are available.
• AccessData FTK, EnCase and Brian Carrier's Sleuth Kit are some tried and tested FTKs.
• Windows registry monitoring is to be done to look for suspect information, along with cracking passwords
and performing keyword searches for topics related to the crime.
6) Reporting:
• The reporting procedure must be up-to-date since the report will be seen by different authorities.
• The elements to be covered in the report are:
  • Identity of reporting agency
  • Case identifier or submission number
  • Case investigator
  • Identity of submitter
  • Date of receipt
  • Date of report
  • Description of items including serial number, make and model
  • Identity and signature of examiner
  • Description of steps taken during examination
  • Results/conclusion
7) Testifying:
• Involves the presentation and cross-examination of expert witnesses.
• Depending on the country and legal framework in which the case is registered, certain standards
may apply to expert witnesses.
• Only expert witnesses can address issues based on scientific, technical or other specialized
knowledge.
• The following principles apply:
  • The testimony is based on sufficient facts and data.
  • The testimony is the product of reliable principles and methods.
  • The witness has applied the principles and methods reliably to the facts of the case.
Q.11) What precautions should be taken when collecting DE?
Ans)
Q.12) State the phases involved in a computer forensics investigation.
Ans)
• Secure the subject system.
• Take a copy of the hard drive.
• Identify and recover all files.
• Access/view/copy hidden, protected and temp files.
• Study special areas on the drive.
• Investigate the settings and any data from applications and programs used on the system.
• Consider general factors relating to the user's computer and other activity in the context of the
investigation.
• Create a detailed and considered report.
• Certain things, like changing date/timestamps or changing the data itself, should be avoided during the
investigation.
• One thing that should not be avoided is the NDA (non-disclosure agreement).
• In the context of a typical NDA, customer means the person, firm or company ordering products or
services; default means any breach by either party of its obligations or any act, omission,
negligence or statement by either party, its employees, agents or subcontractors arising out of or
in connection with a contract and in respect of which either party may be legally liable.
Q.13) Explain the elements addressed in a forensics investigation engagement contract.
Q.14) Explain the steps involved in solving a computer forensics case.
Ans)
• Prepare for the forensic examination.
• Talk to key people to find out what you are looking for and what the circumstances surrounding
the case are.
• If the case has a sound foundation, start assembling tools to collect the data in question.
• Identify the target media and collect data from it. Create a duplicate image of the device in
question.
• Boot the computer under investigation.
• Check email records as well; a lot of information can be obtained from them.
• Examine the collected evidence on the image you have created.
• Look into storage media; check the registry, emails, images, videos etc.
• Report findings to the client. Be sure the report is clear, concise and proper.
Q.15) Explain the requirements for setting up a computer forensics lab.
Ans)
There are four broad types of requirements, namely physical space, the hardware equipment,
the software tools and the forensic procedures to be followed.
• First of all there is the physical facility in which the laboratory is set up. This is meant for secure
storage of evidentiary materials, for analysis of captured data, for operation of cloned
systems, for production of final evidence reports, and as the place where experts will perform their
duties and work. It must be a secured place where unauthorized access can be prevented.
• The second requirement is hardware items, which include a number of computers, including a network
server with large storage capacity. Various hardware devices include a Rimage DVD publishing
system, disk readers and printers. Beyond these there is a requirement for Portable
Forensic Kits, which include an assortment of forms, labels, tags, pens, tape, evidence bags,
cameras, connectors, converters etc. Some forensic kits require physical dongles to work;
a dongle is a physical security device that allows software to be used only when the device is
present.
• The third requirement is that of tried and tested software; some are freeware and some are to be
purchased. There is other software like LAN software, the OS, administrative software and graphics software.
• Lastly, methods and procedures are an important part. Strict procedures should be designed
and followed regarding acquisition of evidence, handling evidence, chain of custody, and the
analysis and reporting process.
Q.16) What are rootkits? Explain.
Ans)
• The term rootkit is used to describe the mechanisms and techniques whereby malware,
including viruses, spyware and Trojans, attempts to hide its presence from spyware blockers and
antivirus.
• They are classified as persistent rootkits, memory-based rootkits, user-mode rootkits and kernel-mode
rootkits.
• A rootkit is a set of tools used after cracking a computer OS that hides logins, processes,
passwords etc., carefully hiding any trace that those commands would normally display.
• Rootkits are installed after an attacker has exploited a system vulnerability and gained root
access.
• They work only after the system gets compromised.
• Rootkits consist of tools that have three functions: i) maintain root access to the system, ii) hide the
presence of the attacker, iii) attack other systems.
Functions:
1) Maintain root access to the compromised system:
• This can happen via any communication channel, from an easily detectable telnet shell to a
secure shell.
2) Hide the presence of an attacker:
• This is achieved by removing evidence of the compromise and taking measures to
misrepresent the system state.
• Various logs are cleaned and monitoring daemons can be disabled.
• An attacker could replace commonly used system executables or re-route system calls.
3) Attack against other systems:
• This usually means compromising host security, gathering packet traces on the local network,
installing keyloggers and performing vulnerability scans.
Q.17) Explain binary rootkits.
Ans)
• Binary rootkits take administrative utilities and modify them to hide specific connections,
processes and activities of specific users.
• These utilities could also include tools to provide root access to a particular user or when
supplied with a particular argument.
• For example, an attacker can modify the "w" binary to hide his user account while logged on, the
"ps" command to hide any processes he is running, and the "su" command to always allow
root access whenever a specific password is supplied.
• Even the source files can be modified by attackers.
• If the source code is not examined, a rebuilt binary that is assumed to be clean can be
compromised.
• When the binary tools are deployed they are often placed inside a hidden directory until the
administrative programs are fully compromised.
• Some of the common locations include confusing or unsuspecting directory names, such as
/dev/etc/… or /dev/.lib.
• Binary rootkits can be defeated through the use of file integrity scanners.
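As an added example (not from the original notes), this Python code implements the file integrity check the last point describes: a hash baseline of a directory of stand-in binaries is compared against the current state to catch a modified ps, and a walk over a constructed dev/ tree reports hidden dot-directories such as the /dev/.lib location mentioned above. All files and paths are created in a temporary directory.

```python
import hashlib
import os
import tempfile

def sha256_of_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def baseline(bin_dir):
    """Hash every file in bin_dir. Take this on a known-clean system and keep it
    off-host or on read-only media, since a rootkit can also edit a local baseline."""
    return {name: sha256_of_file(os.path.join(bin_dir, name))
            for name in sorted(os.listdir(bin_dir))}

def scan(bin_dir, base):
    """Compare current hashes with the baseline: modified, added and removed files."""
    current = baseline(bin_dir)
    return {"modified": sorted(n for n in base if n in current and current[n] != base[n]),
            "added": sorted(set(current) - set(base)),
            "removed": sorted(set(base) - set(current))}

def hidden_dirs(root):
    """Dot-directories under a tree that should have none, such as /dev."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        found += [os.path.join(dirpath, d) for d in dirnames if d.startswith(".")]
    return sorted(found)

def demo():
    """Constructed scenario in a temp dir: baseline three stand-in binaries, then
    alter ps and create dev/.lib, and return what the scan reports."""
    root = tempfile.mkdtemp()
    bin_dir, dev = os.path.join(root, "bin"), os.path.join(root, "dev")
    os.makedirs(bin_dir)
    os.makedirs(dev)
    for name in ("w", "ps", "su"):
        with open(os.path.join(bin_dir, name), "wb") as f:
            f.write(b"stand-in for the clean " + name.encode() + b" binary")
    base = baseline(bin_dir)
    with open(os.path.join(bin_dir, "ps"), "ab") as f:
        f.write(b"\x00altered")  # the kind of change a trojaned ps would show
    os.makedirs(os.path.join(dev, ".lib"))
    return scan(bin_dir, base), [os.path.basename(p) for p in hidden_dirs(dev)]
```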
Q.18) Explain information hiding.
Ans)
Q.19) Explain the relevance of the OSI 7 layer model to computer forensics.
Ans)
Q.20) Explain forensics and social networking sites.
Ans)
Q.21) Explain technical and legal challenges in computer forensics.
Ans)
Q.22) Explain the use of data mining in cyber forensics.
Ans)