Dr B R Ambedkar National Institute of Technology
Jalandhar-144011, Punjab, India
Jan-May, 2023
Department of Computer Science & Engineering
Network Security and Cyber Forensics
(CSPC-306)
Submitted to: Submitted by:
Dr. Shveta Mahajan Baneet Singh
Department of Computer Roll No: 20103037
Science and Engineering Section- A Group-G2
Assignment 3
Q1: - Explain the Steps taken by Computer Forensics Specialist
Computer forensics is the process of collecting, analyzing, and preserving electronic data for
use as evidence in legal proceedings. Computer forensics specialists follow a standardized set
of steps to ensure that digital evidence is properly collected, analyzed, and preserved. These
steps include:
Identification: The first step in computer forensics is to identify the digital evidence that
needs to be collected and analyzed. This may involve identifying specific devices or systems
that are relevant to the investigation, such as computers, smartphones, or network servers.
Preservation: Once the digital evidence has been identified, the next step is to preserve it.
This involves taking steps to prevent any further changes or modifications to the data. This
may involve creating a forensically sound image of the digital media, which can be analyzed
without altering the original data.
Collection: After the digital evidence has been preserved, it is collected using forensically
sound methods. This may involve copying data from a computer or device to a separate
storage device or network location.
Analysis: Once the digital evidence has been collected, it is analyzed to identify relevant
information that can be used as evidence. This may involve using specialized software tools
to search for specific files, emails, or other data types that are relevant to the investigation.
Interpretation: After the digital evidence has been analyzed, it is interpreted to identify what
it means in the context of the investigation. This may involve identifying patterns or
connections between different pieces of data.
Documentation: Throughout the process, computer forensics specialists must document their
findings and the methods used to collect and analyze the data. This documentation must be
thorough and accurate to ensure that the evidence is admissible in court.
Reporting: Finally, computer forensics specialists must prepare a report that summarizes their
findings and conclusions. This report should be clear and concise and should provide
sufficient detail to support the evidence in court.
Overall, computer forensics specialists play a critical role in the legal system by helping to
collect and analyze digital evidence in a way that is forensically sound and legally
admissible.
Q2: - Explain the process of seizing of digital evidence at the scene?
Ans2: -The process of seizing digital evidence at a scene can be a critical step in a digital
forensics investigation. This process typically involves the following steps:
Identification of digital devices: The first step is to identify any digital devices that may
contain relevant evidence, such as computers, smartphones, tablets, or external hard drives.
Isolation of devices: Once digital devices have been identified, they should be isolated to
prevent further contamination or modification of the data. This may involve unplugging
network cables, removing batteries, or placing the device in airplane mode.
Documentation: Before seizing any digital devices, it is important to document their location,
condition, and any other relevant information. This documentation should include
photographs, video footage, or written notes.
Seizing the devices: Once the devices have been isolated and documented, they can be seized.
This involves carefully removing the devices from the scene and placing them in protective
containers or bags to prevent damage or loss of data.
Transporting the devices: Once the devices have been seized, they should be transported to a
secure location for further analysis. This may involve using specialized equipment, such as
Faraday bags, to prevent data from being lost or altered during transit.
Chain of custody: Throughout the process, it is important to maintain a chain of custody to
ensure that the digital evidence can be tracked and accounted for at all times. This typically
involves documenting who had custody of the devices, when they had custody, and any
actions taken while in custody.
Overall, the process of seizing digital evidence at a scene requires careful planning and
execution to ensure that the data is properly collected and preserved. By following a
standardized set of procedures, digital forensics investigators can help to ensure that the
evidence is admissible in court and can be used to support a legal case.
Q3: - What is computer forensics? Write three types of Computer Forensics
Technologies. Explain the use of computer forensics in law
enforcement?
Ans3: - Computer forensics refers to the process of collecting, analyzing, and preserving
electronic data to identify, prevent, and investigate cybercrime. It involves the application of
various scientific techniques and tools to recover digital evidence from computers, networks,
and other digital devices. The goal of computer forensics is to provide reliable and admissible
evidence that can be used in legal proceedings.
Here are three types of computer forensics technologies:
Disk Imaging: This technology involves creating an exact copy of a storage device such as a
hard drive or a USB stick. The image is then used to analyze the contents of the storage
device without altering the original data.
Data Recovery: This technology is used to recover lost or deleted data from a digital device.
It involves using specialized software and techniques to restore data that has been
accidentally or intentionally erased.
Network Forensics: This technology is used to investigate security incidents that occur on a
network. It involves analyzing network traffic to identify and track down the source of an
attack.
The use of computer forensics in law enforcement is widespread. It helps law enforcement
agencies to collect evidence and build a case against criminals who use technology to commit
crimes such as hacking, identity theft, and fraud. Computer forensics can be used to recover
deleted data, trace the origin of an attack, and identify suspects in cybercrime cases. It also
helps to establish a chain of custody for digital evidence to ensure that it is admissible in
court. Overall, computer forensics is an essential tool for law enforcement agencies in the
fight against cybercrime.
Q4: - Explain the complete legal Aspects of Collecting and Preserving Computer Forensic
Evidence.
Ans 4: -Collecting and preserving computer forensic evidence is a critical process that must
adhere to legal requirements to ensure that the evidence is admissible in court. Here are the
legal aspects of collecting and preserving computer forensic evidence:
Search and Seizure Laws: In most jurisdictions, law enforcement must obtain a search
warrant before collecting computer forensic evidence. The warrant must describe the location
to be searched and the items to be seized. Law enforcement must ensure that they adhere to
the terms of the warrant to avoid any issues regarding the legality of the evidence collected.
Chain of Custody: The chain of custody refers to the documentation of the movement of the
evidence from the time it is collected to the time it is presented in court. It is essential to
establish a clear chain of custody to demonstrate that the evidence was not tampered with or
altered in any way.
Authentication: The authenticity of the evidence must be established to ensure that it is
admissible in court. This involves demonstrating that the evidence collected is genuine and
has not been tampered with or altered.
Privacy Laws: Privacy laws protect individuals from unreasonable searches and seizures.
Law enforcement must ensure that they do not violate an individual's privacy rights when
collecting computer forensic evidence.
Admissibility: For computer forensic evidence to be admissible in court, it must meet the
legal requirements of relevance, authenticity, reliability, and credibility. The evidence must
also be presented in a manner that is understandable and convincing to the court.
In summary, collecting and preserving computer forensic evidence involves complying with
various legal requirements to ensure that the evidence is admissible in court. Law
enforcement must adhere to search and seizure laws, maintain a clear chain of custody,
establish the authenticity of the evidence, respect an individual's privacy rights, and ensure
that the evidence meets the legal requirements for admissibility.
Q5:- What is CFX-2000 and elaborate its role in detail?
Ans:- CFX-2000 is a forensic imaging device manufactured by Tableau, a company that
specializes in developing digital forensic hardware and software solutions. The CFX2000 is
designed to create forensic images of various digital storage media, such as
hard drives, solid-state drives (SSDs), USB drives, and memory cards.
The CFX-2000 features a high-speed USB 3.0 interface that enables it to perform
imaging operations quickly and efficiently. It also has a built-in write-blocking
mechanism that ensures the integrity of the original data by preventing any changes
to the data during the imaging process. The device supports various imaging modes
including bit-stream imaging, E01 imaging, and AFF imaging, which are commonly
used in digital forensics.
The CFX-2000 comes with a user-friendly interface that allows investigators to easily
navigate through the imaging process. It features a color touch screen display that
provides real-time information about the imaging process, such as imaging speed,
estimated time remaining, and error messages. The device also supports remote
imaging and can be controlled remotely using a web browser.
The CFX-2000 is a crucial tool for forensic investigators as it enables them to create
forensic images of digital storage media without altering or destroying the original
data. Forensic images can be used to analyze the data, recover deleted files, and
identify evidence that may be relevant to an investigation. Additionally, the CFX-2000
can create a complete image of the storage media, including hidden and protected
areas, such as the boot sector and the file system metadata. This enables
investigators to recover data that may have been deliberately hidden or deleted.
Overall, the CFX-2000 plays a vital role in digital forensics by providing investigators
with a reliable and efficient tool for creating forensic images of digital storage media.
Its high-speed performance, write-blocking mechanism, and user-friendly interface
make it a valuable asset for any forensic investigation.
Q6: - Explain in detail Computer Security Incident?
Ans 6: - A computer security incident refers to any event that can compromise the
confidentiality, integrity, or availability of a computer system, network, or data. Such
incidents can be intentional or accidental, caused by humans or natural disasters, and can
result in unauthorized access, theft, destruction, modification, or denial of service.
Computer security incidents can have severe consequences for organizations, including
financial losses, reputation damage, legal liabilities, and regulatory fines. Therefore, it is
crucial to have a comprehensive incident response plan in place to detect, contain, mitigate,
and recover from such incidents promptly.
The incident response plan should involve the following steps:
Preparation: This step involves establishing policies, procedures, and protocols to prevent and
respond to security incidents. It includes defining roles and responsibilities, identifying
critical assets and vulnerabilities, implementing security controls, and training employees on
security awareness and incident response.
Detection and analysis: This step involves monitoring and analyzing system logs, network
traffic, and other indicators of compromise to detect and investigate security incidents. It
includes assessing the scope and impact of the incident, identifying the source and method of
attack, and determining the severity and priority of the incident.
Containment and eradication: This step involves isolating and containing the affected
systems, removing the attacker's access, and restoring the system to a secure state. It includes
applying patches, updates, and fixes, restoring data from backups, and disabling
compromised accounts and services.
Recovery and lessons learned: This step involves restoring normal operations, evaluating the
effectiveness of the incident response plan, and documenting the incident for future reference.
It includes conducting a post-incident review to identify weaknesses in the plan, improving
security controls, and updating policies and procedures.
Q7. Explain about Types of Military Forensic Technology.
Ans 7: -Military forensic technology refers to the tools and techniques used by the military to
collect, analyze, and interpret physical evidence in support of military investigations,
operations, and legal proceedings. Military forensic technology encompasses a wide range of
disciplines, including forensic biology, chemistry, digital forensics, and firearms and
toolmark analysis. Here are some of the types of military forensic technology:
DNA analysis: DNA analysis is used to identify individuals based on their genetic material. It
is used in military investigations to identify human remains, establish kinship relationships,
and link suspects to crime scenes.
Ballistics analysis: Ballistics analysis involves the examination of firearms, bullets, and other
projectile evidence to determine their origin and link them to specific crimes or incidents. It is
used to link suspects to gun crimes and to identify weapons used in attacks.
Digital forensics: Digital forensics involves the recovery and analysis of electronic data from
computers, mobile devices, and other digital media. It is used to investigate cybercrimes,
recover deleted data, and analyze network traffic.
Chemical analysis: Chemical analysis involves the examination of materials for the presence
of specific substances or chemicals. It is used in military investigations to analyze explosives,
drugs, and other hazardous materials.
Trace evidence analysis: Trace evidence analysis involves the examination of small, often
microscopic, particles found at a crime scene, such as fibers, hairs, and paint chips. It is used
to link suspects to crime scenes and to identify the source of the evidence.
Facial recognition: Facial recognition technology uses algorithms to analyze facial features
and identify individuals. It is used in military operations to identify potential targets or
suspects.
Biometric identification: Biometric identification involves the use of unique physical or
behavioral characteristics, such as fingerprints, voiceprints, or iris scans, to identify
individuals. It is used in military operations to control access to secure areas and to verify the
identities of personnel.
Q8. Explain the following business computer forensics technology
i) Creating trackable electronic documents
ii) Forensic services available
i) Creating trackable electronic documents:
Ans 8: - Creating trackable electronic documents involves using technologies to monitor and
record the actions taken on electronic documents, such as changes made, access, and
distribution. It can be used in business computer forensics to track the movements of
sensitive or confidential documents, identify unauthorized access or changes, and trace the
origin of any potential leaks or breaches. Some examples of technologies that enable the
creation of trackable electronic documents include document management systems, digital
rights management software, and watermarking.
ii) Forensic services available:
Forensic services in business computer forensics refer to the specialized services provided by
experts to collect, analyze, and interpret electronic evidence related to business operations.
These services can be divided into two broad categories: reactive and proactive services.
Reactive services involve responding to a security incident or suspected misconduct, such as
a data breach, fraud, or employee misconduct. Reactive services may include forensic data
collection and analysis, incident response planning and management, digital evidence
preservation, and legal support.
Proactive services involve conducting ongoing assessments of the security posture of an
organization, identifying vulnerabilities and risks, and implementing measures to prevent
security incidents. Proactive services may include security assessments, penetration testing,
vulnerability assessments, security awareness training, and policy and procedure
development.
Q9. Explain the Process of Steganography to hide data
Ans 9:- Steganography is the practice of hiding data within another file, such as an image,
audio file, or text file, without leaving any visible signs of alteration. The process of
steganography involves the following steps:
Select the cover file: The first step in steganography is to select a cover file that will be used
to hide the secret data. The cover file can be any type of file, such as an image or audio file,
and should be large enough to accommodate the secret data without being noticeable.
Choose the encoding method: The next step is to choose an encoding method that will be
used to embed the secret data within the cover file. There are many different encoding
methods available, such as LSB (Least Significant Bit) encoding and Spread Spectrum
techniques.
Embed the secret data: Once the encoding method is selected, the secret data is embedded
within the cover file using the chosen encoding method. This is done by replacing certain bits
or bytes within the cover file with the secret data, in a way that does not significantly alter the
original file.
Encrypt the secret data: To ensure that the secret data is not easily accessible to unauthorized
users, it is usually encrypted before being embedded within the cover file. This ensures that
even if the cover file is discovered, the secret data cannot be easily deciphered.
Test and refine: Finally, the steganography process is tested to ensure that the secret data is
effectively hidden within the cover file and that the cover file remains usable. If necessary,
adjustments can be made to the encoding method or cover file to optimize the steganography
process.
Q10:- How to perform a forensic duplication of a hard drive?
Ans 10: - Forensic duplication of a hard drive involves creating an exact copy of the original
hard drive, including all data and metadata, while preserving the integrity of the original data.
This is a critical step in digital forensics investigations as it ensures that the original evidence
is not altered or modified during the investigation process. Here are the steps to perform a
forensic duplication of a hard drive:
Identify the source hard drive: The first step is to identify the source hard drive that needs to
be duplicated. This is typically the hard drive that is suspected to contain evidence related to
the investigation.
Select a destination hard drive: The next step is to select a destination hard drive that will be
used to store the forensic copy of the source hard drive. The destination hard drive should be
of the same or larger capacity as the source hard drive.
Choose a forensics duplication tool: There are several forensics duplication tools available,
both hardware-based and software-based. Choose a forensics duplication tool that is suitable
for your requirements and follow the manufacturer's instructions.
Connect the source and destination hard drives to the duplication tool: Connect the source
hard drive to the input port of the duplication tool and the destination hard drive to the output
port.
Configure the settings: Configure the settings of the duplication tool, such as the data transfer
rate, sector size, and verification options.
Start the duplication process: Once the settings are configured, start the duplication process.
The tool will read the data from the source hard drive and write it to the destination hard
drive.
Verify the duplication process: Once the duplication process is complete, verify that the data
on the destination hard drive is identical to the source hard drive. This can be done by
comparing the checksums of both hard drives or performing a sector-by-sector comparison.
Store the forensic copy: Once the verification process is complete, store the forensic copy of
the source hard drive in a secure location to prevent tampering or accidental modification.