path: root/questionbank.typ
Diffstat (limited to 'questionbank.typ')
-rw-r--r-- questionbank.typ 449
1 files changed, 449 insertions, 0 deletions
diff --git a/questionbank.typ b/questionbank.typ
new file mode 100644
index 0000000..fe0c1ab
--- /dev/null
+++ b/questionbank.typ
@@ -0,0 +1,449 @@
+#let title = [
+ Unit 1: Introduction to cloud computing
+]
+#set text(12pt)
+#set page(
+ header: [
+ #box()[
+ Knowledge not shared, remains unknown.
+ ]
+ #h(1fr)
+ #box()[#title]
+ ],
+ numbering: "1 of 1",
+)
+#align(center, text(20pt)[
+ *#title*
+])
+#show table.cell.where(y: 0): strong
+#outline()
+#pagebreak()
+
+= 1. Define cyber forensics with it's role and importance in investigating cyber crimes.
+Cyber forensics is the application of investigative techniques to collect, analyze and present digital evidences for legal purposes. The key objectives are preserve evidence integrity, recover data and identify perpetrators.
+\ Cyber forensics plays a crucial role in investigating cybercrimes by enabling investigators to recover deleted or hidden data, analyze system logs, trace malicious activities, and determine how an attack occurred. It helps identify the attacker by following digital footprints such as IP traces, malware signatures, and unauthorized access patterns. It also supports incident reconstruction, allowing investigators to understand the timeline and method of the crime.
+\ The importance of cyber forensics lies in its ability to maintain a proper chain of custody and ensure that digital evidence remains authentic and untampered. It aids law enforcement and judicial authorities in prosecuting cybercriminals effectively. Furthermore, cyber forensics helps organizations strengthen their cybersecurity by revealing exploited vulnerabilities, preventing future attacks, and minimizing operational damage. Overall, cyber forensics is vital for uncovering truth in cyber incidents and ensuring justice in the digital world.
+= 2. Explain digital forensics and discuss it's scope and relevance in modern cyber ecosystem.
+Digital forensics is a specialized branch of forensic science that involves the systematic identification, acquisition, preservation, examination, and analysis of digital evidence from electronic devices such as computers, mobile phones, storage media, networks, and cloud environments. It follows scientifically proven procedures to ensure that the collected evidence remains authentic, reliable, and admissible in a court of law. The primary objective of digital forensics is to reconstruct events related to cyber incidents and support investigations involving cybercrimes, data breaches, fraud, unauthorized access, or misuse of digital systems.
+\ The scope of digital forensics is broad and spans multiple domains. It includes computer forensics, focusing on desktops, laptops, and servers; mobile forensics, involving smartphones and handheld devices; network forensics, which examines network traffic and communication logs; cloud forensics, which deals with distributed cloud environments; and malware forensics, which analyzes malicious software to understand its behavior and source. Additionally, it covers digital evidence handling, data recovery, incident response, and forensic readiness for organizations.
+\ Digital forensics holds significant relevance in the modern cyber ecosystem due to the rising dependence on digital technologies and the increasing number of cyberattacks. As cybercrimes become more sophisticated, digital forensics provides the tools and methodologies to trace attackers, uncover data manipulation, and support law enforcement in prosecuting offenders. It also plays a crucial role in organizational cybersecurity by helping detect intrusions, analyze vulnerabilities, and implement preventive measures. In an era dominated by cloud computing, IoT, mobile devices, and widespread digital transactions, digital forensics has become essential for maintaining trust, ensuring accountability, and protecting sensitive information across the digital landscape.
+= 3. Types of cyber crimes with examples.
+1. *Cyber-dependent crimes*
+These are crimes that can only occur using computers, networks or the internet and have no offline version. These crimes directly target the confidentiality, integrity and availability of digital systems and require technical knowledge to execute.\
+Examples include:
+ - Hacking / Unauthorized access: Breaking into servers or databases to steal or alter information.
+ - Malware attacks: Viruses, worms, trojans and ransomware used to damage systems or encrypt data for ransom.
+ - DoS/DDoS attacks: Overloading a website or service to make it unavailable.
+ - Botnet creation: Infecting multiple devices and controlling them remotely for attacks.
+ - Cryptojacking: Secretly using a victim’s computer power to mine cryptocurrency.
+2. *Cyber-enabled crimes*
+These are traditional crimes that already existed but are expanded, accelerated or made easier using digital technology. These crimes use digital platforms to increase the scale, anonymity and speed of conventional criminal activities, making them harder to detect and control.\
+Examples include:
+ - Online fraud and phishing: Deceiving users through fake emails or websites to steal money or credentials.
+ - Identity theft: Misusing stolen personal or financial information for illegal transactions.
+ - Cyberbullying and harassment: Abusive behaviour carried out through social media or messaging apps.
+ - Online child exploitation: Sharing illegal content or grooming minors via hidden forums.
+ - Financial crimes: Money laundering or illegal transfers via digital wallets or cryptocurrencies.
+ - Piracy and IP theft: Uploading or distributing pirated movies, music or software through torrent sites.
+= 4. Classify cyber crimes and explain any three recent data breach cases.
+1. *Cyber crimes against Individuals:*
+These crimes target a person’s private, financial, health or identity information.
+A recent example is the widespread phishing-based Aadhaar and PAN data theft incidents in India (2023-2024), where attackers used fake KYC update messages and links to steal citizens’ identity details, bank information, and OTPs. This led to large-scale financial fraud, identity misuse, and unauthorized digital transactions. The attacks specifically targeted individual users, exploiting their trust and lack of awareness.
+2. *Cyber crimes against Organisations:*
+These crimes are aimed at companies and institutions to steal customer data, disrupt operations, or demand ransom.
+A major recent example is the Capita data breach (2023), where hackers infiltrated the UK-based outsourcing firm’s systems and accessed data belonging to millions of people, including confidential corporate information and special-category personal data (health and criminal record details). Although individuals were affected indirectly, the primary target was the organisation, which faced operational disruption, financial penalties, and loss of trust.
+3. *Cyber crimes against Government:*
+These target government agencies, national databases, or critical infrastructure, often putting entire populations at risk.
+A notable recent example is the Bangladesh Government Birth & Death Registration breach (2023), where weaknesses in a government website exposed personal information of more than 50 million citizens. This incident highlighted how government systems, if poorly secured, can cause wide-scale identity threats, compromise national records, and undermine citizen trust in public digital services.
+= 5. Write a short note on cyber forensics model and phases involved.
+A cyber forensics model is a structured framework that guides investigators in handling digital evidence in a scientific and legally acceptable manner. It ensures that every step of the investigation is performed systematically so that the evidence remains authentic, reliable, and admissible in court. The model helps forensic experts understand what happened during a cyber incident, how it happened, and who was involved.
+1. *Identification:*
+In this phase, investigators determine that an incident has occurred and identify the potential sources of digital evidence. This includes recognising compromised systems, logs, storage devices, network traces, or suspicious activities. Proper identification ensures that no critical evidence is overlooked.
+2. *Preservation:*
+Once the evidence is identified, it must be protected from alteration, damage, or loss. This involves isolating affected systems, creating bit-by-bit forensic images, maintaining a strict chain of custody, and preventing any changes to original data. Preservation ensures the integrity and authenticity of evidence for legal use.
+3. *Collection:*
+This phase involves systematically acquiring the digital evidence using forensic tools and procedures. Data such as logs, files, memory dumps, metadata, and network captures is collected in a controlled manner. The goal is to gather all relevant information without tampering with the original source.
+4. *Analysis:*
+Collected evidence is examined to reconstruct events, identify attack vectors, trace user activities, detect malware, or recover deleted data. Investigators correlate timelines, extract patterns, and interpret the technical findings to determine what happened, how it happened, and who was responsible.
+5. *Reporting:*
+The final phase involves documenting all observations, methods used, tools applied, and conclusions reached. The report must be clear, accurate, and legally admissible, presenting the evidence in a form understandable to non-technical stakeholders such as lawyers, judges, or organisational authorities. It may also include recommendations for prevention.
+= 6. Explain the concept of digital evidence and write the steps for evidence lifecycle from collection to management.
+Digital evidence refers to any information stored or transmitted in digital form that can be used in legal or investigative processes. It is crucial in modern cases involving cybercrime, financial fraud, identity theft, intellectual property violation, and computer misuse. Digital evidence must be admissible, authentic, and maintain integrity. This requires proper procedures for collection, preservation, and maintaining chain of custody to prove that the evidence has not been tampered with.
+Characteristics of Digital Evidence:
+- *Intangible*: Exists electronically and requires specialised tools to view or extract.
+- *Volatile*: Easily altered, deleted, or overwritten if not handled properly.
+- *Replicable*: Can be copied without affecting the original.
+- *Rich in Metadata*: Contains timestamps, user details, and access history useful during investigation.
+Types of Digital Evidence:
+- *Computer-based evidence*: files, documents, system logs, metadata, and user activity records.
+- *Network-based evidence*: packet captures, firewall/router logs, IDS/IPS logs, proxy logs, and email headers.
+- *Mobile-based evidence*: call logs, SMS/MMS, app data, GPS records, browser history, photos, and videos.
+The evidence lifecycle ensures that digital evidence is handled securely and remains legally acceptable throughout the investigation.
+1. *Collection*: Investigators gather evidence from computers, networks, mobile devices, or cloud sources using authorised forensic tools. Care is taken to avoid altering original data.
+2. *Preservation*: Evidence is secured in its original state by making forensic images, isolating devices, sealing storage media, and maintaining a clear chain of custody. This protects the integrity of the evidence.
+3. *Examination*: Preserved data is examined to identify relevant information using techniques like file system review, keyword searches, timeline reconstruction, and log analysis.
+4. *Analysis*: The extracted information is studied in depth to understand how the incident occurred, what actions were taken, and who was involved. Investigators correlate logs, recover deleted data, trace user activity, and detect malware behaviour.
+5. *Documentation and Reporting*: All steps and findings are recorded in a structured forensic report that explains methods used, evidence collected, timelines, and conclusions. This ensures clarity for legal or organisational authorities.
+6. *Storage and Management*: After the case, evidence is securely stored with proper access control and archival procedures. It may be retained for future legal proceedings or audits.
+= 7. Write ethical, professional and legal issues for cyber forensic investigations.
+Cyber forensic investigations involve the handling of sensitive digital evidence, and therefore investigators must follow strict ethical, professional, and legal standards. Any deviation can compromise the investigation, violate privacy, or make the evidence inadmissible in court.
+== Ethical Issues:
+Ethical concerns arise because digital evidence often contains personal, confidential, or sensitive information.
+- *Privacy Violations*: Investigators may unintentionally access private files or data unrelated to the case, raising ethical dilemmas about confidentiality.
+- *Misuse of Access*: Forensic tools provide deep system access, so unethical behaviour such as leaking information, snooping, or unauthorised data copying must be avoided.
+- *Bias and Objectivity*: Investigators must remain neutral and avoid altering, exaggerating, or selectively presenting evidence to favour one party.
+- *Data Minimisation*: Only relevant data should be examined; unnecessary exposure of personal content may be ethically inappropriate.
+== Professional Issues:
+Professionalism ensures that forensic work maintains accuracy, integrity, and trust.
+- *Competence and Skill*: Investigators must have proper training, certifications, and technical knowledge. Incompetent handling can corrupt evidence.
+- *Use of Standard Procedures*: Following recognised forensic models, maintaining chain of custody, and documenting every step are essential professional responsibilities.
+- *Tool Reliability*: Forensic tools must be validated and updated; using outdated or unreliable tools can give inaccurate results.
+- *Maintaining Confidentiality*: Professionals must protect all case-related information from unauthorised disclosure.
+== Legal Issues:
+Legal issues directly affect whether evidence is accepted in court and whether the investigation itself is lawful.
+- *Search and Seizure Laws*: Investigators must follow proper legal authority (warrants, permissions) before accessing devices or networks; unauthorised search makes evidence inadmissible.
+- *Chain of Custody Requirements*: Every transfer of evidence must be documented to prove it was not tampered with.
+- *Admissibility Rules*: Evidence must meet standards of authenticity, integrity, and relevance. Improper handling or contamination may lead to rejection.
+- *Jurisdictional Challenges*: Cybercrimes often cross national borders, creating legal conflicts regarding which country’s laws apply.
+- *Data Protection Laws*: Investigators must comply with privacy and data protection regulations such as IT Act rules, GDPR, or local digital privacy laws.
+= 8. Write a note on ethical dilemmas and professional responsibilities of forensic expert in practice.
+1. *Ethical Dilemmas:*
+ - *Privacy vs. Investigation Needs*: Digital evidence may contain private or unrelated personal data. The expert must decide how much information to access without violating privacy.
+ - *Bias and Objectivity*: Pressure from employers, clients, or law enforcement may influence findings. The expert must avoid bias and maintain neutrality even if results go against expected outcomes.
+ - *Handling Sensitive or Confidential Data*: Access to emails, chats, medical records, or financial information can tempt misuse. The dilemma arises between what is legally required and what is ethically appropriate to view.
+ - *Reporting Unfavourable Findings*: When evidence contradicts the client’s interests, experts may struggle between honesty and professional pressure.
+ - *Scope Creep*: Investigators may discover evidence unrelated to the case (e.g., personal files or unrelated crimes). Deciding whether to report or ignore such findings can create ethical conflicts.
+2. *Professional Responsibilities:*
+ - *Objectivity and Impartiality*: Evidence must be examined without personal bias. Conclusions should be based solely on facts and scientific methods.
+ - *Competence and Skill*: The expert must possess up-to-date technical knowledge, use validated tools, and continuously improve skills to avoid errors.
+ - *Following Standard Procedures*: This includes proper evidence handling, chain-of-custody maintenance, forensic imaging, documentation, and compliance with investigation protocols.
+ - *Confidentiality*: Sensitive case information must be protected from unauthorised access or disclosure. Experts must respect the privacy of individuals involved.
+ - *Accurate Documentation and Testimony*: Reports must be clear, truthful, and technically correct. If called to court, the expert must present evidence honestly and explain methods transparently.
+ - *Integrity and Professional Conduct*: Forensic experts must avoid actions that could mislead the court, such as altering evidence, overstating expertise, or giving false testimony.
+= 9. Differentiate between FAT32 and NTFS
+#table(
+ columns: (auto, auto, auto),
+ table.header([Feature], [FAT32], [NTFS]),
+ [Maximum file size], [Supports files upto 4GB], [Supports files larger than 4GB],
+ [Maximum partition size], [2TB], [16TB+],
+ [Security Features], [Very basic, no file level permissions, no encryption], [Supports file/folder permissions, access control lists and encryption],
+ [Reliability], [Less reliable, prone to fragmentation and corruption], [More reliable, supports journaling and self recovery],
+ [Performance], [Faster on small drives or simple devices], [Better performance on large volumes or modern systems],
+)
+= 10.Working and structure of FAT and NTFS
+1. *Working of FAT (File Allocation Table)*
+ FAT is a simple file system used mainly in USB drives, memory cards, and older Windows systems. Its working is based on a table used to keep track of where file data is stored. The following are the steps used by FAT:
+ 1. Disk is divided into clusters
+ - FAT breaks the disk into small equal units called clusters.
+ - Every file is stored by occupying one or more clusters.
+ 2. FAT Table is created at the beginning of the drive
+ - This table contains an entry for every cluster on the disk.
+ 3. A file is saved in multiple clusters
+ - If a file is large, it will be stored in many scattered clusters.
+ - File A is stored in clusters: 5 -> 6 -> 8
+ 4. FAT Table stores pointers to the next cluster
+ - FAT entry looks like:
+#table(
+ columns: (auto, auto),
+ table.header([Cluster Number], [ FAT Entry Meaning ]),
+ [5], [Next cluster is 6],
+ [6], [Next cluster is 8],
+ [8], [EOF]
+)
+ 5. When a file is opened, the following things happen:
+ 1. The OS looks at the starting cluster of the file.
+ 2. It checks the FAT table to locate the next cluster.
+ 3. It continues following the chain from cluster to cluster.
+ 4. When it reaches EOF, the file is completly read.
+#figure(
+ image("assets/fatstructure.png", width: 100%),
+)
+2. *Working of NTFS (New Technology File System)*
+ NTFS is used in modern Windows systems. It is more advanced than FAT and works like a database. Its core structure is the Master File Table (MFT).
+ NTFS Working – Step-by-Step Explanation
+ 1. NTFS creates the Master File Table (MFT)
+ - MFT contains an entry for every file and folder on the disk.
+ - Each MFT entry is 1 KB or 2 KB and stores all file details.
+ 2. Each file is stored as metadata (attributes)
+ - A file’s MFT entry contains:
+ 1. File name
+ 2. Created/modified dates
+ 3. Security permissions (ACL)
+ 4. Size and properties
+ 5. Data or data pointers
+ 3. Small files stored inside MFT (Resident data)
+ - If a file is very small (like 1 KB),
+ - It is stored directly inside the MFT entry.
+ - This makes NTFS very fast.
+ 4. Large files are stored in clusters
+ - When a file is big:
+ 1. MFT entry stores pointers (addresses) to clusters.
+ 2. These clusters contain the actual data.
+ - Unlike FAT, these pointers are not a chain but organized as extents, making NTFS faster.
+ 5. NTFS uses journaling
+ - Whenever you modify a file:
+ 1. NTFS writes the changes to a log file (\$LogFile).
+ 2. If the system crashes, NTFS uses this journal to recover.
+ - This makes NTFS more reliable.
+#figure(
+ image("assets/ntfs_structure.png", width: 100%),
+)
+*Key differences*
+#table(
+ columns: (auto, auto, auto),
+ table.header([Feature], [FAT Working], [NTFS Working]),
+ [Data structure], [Linked list chain of clusters], [Database-like MFT entries],
+ [File lookup], [Slow, must follow chain], [Fast, direct lookup in MFT],
+ [Reliability], [Poor, no journaling], [High, uses journaling],
+ [Small files], [Normal clusters], [Can be stored in MFT],
+ [Large files], [Fragment easily], [Managed as extents, less fragmentation]
+)
+= 11. Importance of boot sector and windows registry
+== Importance of the Boot Sector
+ The boot sector is the first sector of a storage device (HDD, SSD, USB) and contains essential information required to start the operating system. It plays a foundational role in the system startup process.
+ 1. *Contains Boot Loader Code*\
+ The boot sector stores the initial boot program (MBR or VBR). When a computer starts, the BIOS/UEFI loads this code into memory to begin the operating system boot process. If this sector is corrupted, the system will fail to boot.
+ 2. *Stores File System Information*\
+ - It contains details such as:
+ 1. File system type (FAT32, NTFS)
+ 2. Cluster and sector size
+ 3. Location of important file system structures
+ - This information helps the OS understand how data is organized on the disk.
+ 3. *First Point of Access for Disk Operations*\
+ The OS uses the boot sector to locate and access other critical disk structures. Without this, the system cannot load system files.
+ 4. *Essential for System Recovery*\
+ Recovery tools use the boot sector to rebuild damaged disks or restore partitions. Any corruption in this sector may render the disk unreadable.
+ 5. *Important in Cyber Forensics*\
+ Forensic investigators examine the boot sector to detect:
+ - Partition tampering
+ - Hidden volumes
+ - Boot sector malware
+ It helps reconstruct the disk's structure and understand system startup behavior.
+
+== Importance of the Windows Registry
+ The Windows Registry is a centralized database that stores configuration data for the operating system, hardware, users, and installed applications. It is crucial for the functioning and stability of a Windows system.
+ 1. *Central Configuration System*\
+ All critical OS settings, such as system parameters, installed programs, driver information, and user preferences, are stored in the registry. This allows Windows to operate consistently and efficiently.
+ 2. *Controls System Startup*\
+ Registry keys store:
+ - Startup applications
+ - System services to be loaded
+ - Boot configuration settings
+ Any change to these keys directly affects how Windows starts and operates.
+ 3. *Stores Hardware Configuration*\
+ The registry contains information about all connected hardware devices. Windows uses these entries to detect, configure, and manage devices such as printers, network adapters, and storage drives.
+ 4. *Application Management*\
+ Applications store settings, license data, paths, and user preferences in the registry. This enables software to function smoothly and retain its configurations across sessions.
+ 5. *Critical for Troubleshooting*\
+ Registry entries help diagnose:
+ - Startup problems
+ - Misconfigured applications
+ - Driver issues
+ Editing or restoring registry entries is a common method for fixing system errors.
+ 6. *High Forensic Value*\
+ Forensic investigators use registry artifacts to identify:
+ - User login activity
+ - Recently opened files
+ - Connected USB devices
+ - Installed or removed software
+ - Network and system configurations
+ The registry is a key source of digital evidence.
+ 7. *Target for Malware*\
+ Many malware programs modify registry keys to persist at startup, hide their presence, or disable security tools. This makes registry examination an essential part of incident response.
+= 12. Importance of understanding file system in identifying cyber crimes and forensic tracing.
+Understanding file systems is a fundamental requirement in digital forensics because every action performed on a computer—saving a file, installing software, deleting data, or running a program—interacts with the file system. Cyber criminals often attempt to hide, modify, or destroy evidence, and only a deep understanding of the file system enables forensic investigators to uncover these traces.
+1. *Recovering Deleted or Hidden Data*\
+ File systems such as FAT32, NTFS, ext4, and APFS manage how files are stored, referenced, and deleted. Even when criminals delete files:
+ - File entries may remain in the file table.
+ - Data may still exist in clusters, slack space, or unallocated space.
+ - Metadata such as timestamps (created, accessed, modified) may remain intact.
+ Knowing file system behaviors helps investigators retrieve deleted logs, documents, malware, or communication records.
+2. *Tracing User Activities Through Metadata*\
+ File systems store extensive metadata about files, including:
+ - File creation and modification timestamps
+ - Ownership and access permissions
+ - File size and structure
+ - Alternate data streams (e.g., NTFS ADS)
+ This metadata helps reconstruct user actions, identify tampering, and build a timeline of events critical for cybercrime cases.
+3. *Identifying File Tampering and Anti-Forensic Techniques*\
+ Cyber criminals may use anti-forensic methods such as:
+ - Timestamp manipulation
+ - Alternate data streams to hide malicious code
+ - File signature spoofing
+ - Data obfuscation in slack/unallocated space
+ Understanding the file system architecture exposes such anomalies and reveals concealed evidence.
+4. *Detecting Malware and Unauthorized Access*\
+ Malware often interacts with file systems by:
+ - Creating hidden files
+ - Modifying system files
+ - Injecting code into unused sectors or ADS
+ - Storing payloads in unallocated space
+ Analysis of file system logs, directory structures, and allocation patterns helps investigators detect malware footprints.
+5. *Reconstruction of System Events and User Behavior*\
+ By analyzing file system artifacts, investigators can reconstruct sequences such as:
+ - Program execution history
+ - USB device usage
+ - File transfers and downloads
+ - Application installation logs
+ This reconstruction is essential for insider threat cases, fraud, intellectual property theft, and cyber espionage.
+6. *Identifying Unauthorized Data Exfiltration*\
+ File system traces help detect:
+ - Creation or deletion of suspicious archive files
+ - Sudden changes in file sizes
+ - Recently accessed files before exfiltration
+ - Evidence of copying to external drives
+ Such patterns are vital in data breach or corporate espionage investigations.
+7. Validating Integrity and Authenticity of Evidence
+ File systems support mechanisms that help validate evidence:
+ - NTFS uses MFT entries and transaction logs
+ - Journaling file systems maintain historical snapshots
+ - Hashing ensures data integrity
+ Forensic experts use these features to prove evidence has not been tampered with.
+= 13. Explain data carving techniques and recovery of deleted graphic files with example scenarios.
+== Whys this so big!!
+= 14. Process of forensic imaging using industrial data acquisition tools.
+== Even this!
+== Why are 13 and 14 2 pages long
+= 15. Process of file reconstruction and recovery
+= 23. Write challenges faced during mobile forensics
+Mobile forensics involves extracting and analysing data from smartphones and handheld devices, but investigators face several challenges due to rapid technological changes, security features, and device diversity.
+1. *Device Diversity:*
+There are thousands of mobile models with different hardware, operating systems (Android, iOS), file systems, and chipsets. A single forensic tool cannot support all devices, making standardisation difficult.
+2. *Strong Security and Encryption:*
+Modern smartphones use advanced encryption (e.g., full-disk encryption, Secure Enclave on iPhones). Without the passcode, it becomes extremely difficult to extract data.
+3. *Locked or Damaged Devices:*
+If a device is password-protected, damaged, or has biometric locks (fingerprint, face unlock), accessing internal storage becomes challenging.
+4. *Frequent OS Updates:*
+Constant updates to Android and iOS introduce new security patches that may break existing forensic methods. Tools quickly become outdated.
+5. *Cloud Storage and Syncing:*
+Much user data is stored in the cloud (Google Drive, iCloud), not on the device. Accessing cloud data requires additional legal permissions and credentials, complicating evidence extraction.
+6. *Volatile Data:*
+Mobile devices store volatile data in RAM (running apps, chats, temp files) which may disappear when the phone powers off or restarts. Capturing such data requires immediate action.
+7. *Third-Party Apps:*
+Apps like WhatsApp, Telegram, Signal, and social media platforms use encryption and proprietary storage formats. Extracting chats or metadata is difficult and often restricted.
+8. *Remote Wipe and Auto-Delete Features:*
+Phones may be configured to wipe data after failed login attempts or allow remote wiping from linked accounts. This can destroy evidence before acquisition.
+9. *Data Volume and Complexity:*
+Modern devices store large amounts of data—photos, videos, app data, location history—requiring significant time and processing power for analysis.
+10. *Legal and Privacy Restrictions:*
+Accessing a mobile device may involve sensitive personal information. Investigators must follow strict legal procedures for search, seizure, and privacy laws to avoid violating rights.
+= 24. Explain the acquisition procedure for mobile device and sim card data.
+Acquisition is the process of extracting data from a mobile device and its SIM card in a forensically sound manner so that the evidence remains authentic, complete, and legally acceptable.
+1. Acquisition Procedure for Mobile Devices
+ 1. Securing and Documenting the Device:
+ The device is first isolated to prevent remote access, network syncing, or remote wiping. Airplane mode, Faraday bags, or disabling connectivity are used. The device condition, model, serial number, and screen state are documented.
+ 2. Maintaining Chain of Custody:
+ All handlers, timestamps, and actions performed on the device are recorded to ensure the evidence is admissible in court.
+ 3. Identifying Acquisition Method:
+ Depending on the device type, lock status, and OS version, investigators choose from
+ - Logical acquisition - extracts accessible files, contacts, messages, logs.
+ - File-system acquisition - obtains file system structure, databases, app data.
+ - Physical acquisition - bit-by-bit copy of flash memory, including deleted data.
+ - Manual acquisition - photographing the screen when other methods fail.
+ 4. Bypassing Locks or Permissions:
+ If needed, tools or legal permissions are used to bypass screen locks, password protection, or encryption. Techniques include recovery mode access, JTAG, chip-off, or vendor-specific forensic tools.
+ 5. Using Certified Forensic Tools:
+ Tools like Cellebrite UFED, XRY, Magnet AXIOM, or Oxygen Forensics extract data securely. These tools prevent modification of original data and create secure forensic images.
+ 6. Verification and Hashing:
+ The extracted data is hashed (MD5/SHA-1/SHA-256) to prove that the acquired copy is identical to the original content.
+ 7. Documentation:
+ Every step—methods used, tools, configurations, and extracted datasets—is documented for reporting and future reference.
+2. Acquisition Procedure for SIM Card Data
+ 1. SIM Isolation and Documentation:
+ The SIM card is removed carefully and its identifiers (ICCID, IMSI, carrier name) are recorded.
+ 2. SIM Card Imaging:
+ A SIM card reader is used to connect the SIM to a forensic workstation. A bit-stream copy of the SIM is created to ensure non-destructive acquisition.
+ 3. Extracting Stored Data:
+ Forensic tools extract SIM data such as:
+ - Contacts stored in SIM memory
+ - SMS messages
+ - IMSI and authentication keys
+ - Location information (LAC, Cell IDs)
+ - Network information and service provider details
+ 4. Handling PIN/PUK Locks:
+ If the SIM is locked, investigators may use authorised unlocking procedures or PUK codes obtained legally from the service provider.
+ 5. Hashing and Validation:
+ Hash values are generated for the SIM image to ensure integrity and prove that no alteration has occurred.
+ 6. Proper Storage and Reporting:
+ The original SIM is sealed, stored securely, and all acquisition steps are documented clearly in the forensic report.
+= 25. Describe cyber law in India with respect to data privacy, investigation, and digital evidence.
+Cyber law in India is primarily governed by the Information Technology Act, 2000 (IT Act) and its amendments. It provides the legal framework for regulating digital activities, protecting data, guiding cyber-crime investigations, and ensuring admissibility of electronic evidence.
+1. *Data Privacy*\
+ The IT Act along with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 lays the foundation for data privacy in India. Overall, Indian cyber law aims to safeguard personal information and ensure responsible data handling.
+ - Organisations collecting personal data must follow lawful, fair, and informed practices.
+ - Sensitive data (passwords, financial info, health data, biometrics) must be protected using strong security measures.
+ - Section 43A holds companies liable for negligence if they fail to protect personal data, resulting in compensation to affected individuals.
+ - The Digital Personal Data Protection Act (DPDP Act), 2023 further strengthens privacy rights by introducing consent-based data processing, data-principal rights, and obligations for data fiduciaries.
+
+2. *Cyber-Crime Investigation*\
+ The IT Act provides legal powers and procedures for investigating online offences. These provisions create a structured legal environment for investigating digital offences while ensuring accountability.
+ - Section 66 deals with various computer-related offences such as hacking, identity theft, impersonation, and data tampering.
+ - Section 69 empowers authorised agencies to intercept, monitor, or decrypt information in the interest of national security or crime prevention, but only with proper legal authorization.
+ - Law enforcement agencies can search and seize digital devices under Section 80, allowing police officers to enter premises and arrest suspects without a warrant in certain cyber-crime situations.
+ - Cyber Forensic Labs (CFLs), CERT-In, and specialised cyber-crime cells support technical analysis during investigations.
+
+3. *Digital Evidence*\
+ Cyber law in India also recognises and regulates electronic evidence. Proper chain of custody, forensic imaging, and secure handling are essential to ensure that digital evidence is not altered or tampered with during investigation.
+ - Under the Indian Evidence Act, Section 65B, electronic records (emails, logs, documents, CCTV footage, call data, digital logs) are admissible in court only if accompanied by a Section 65B certificate.
+ - The certificate confirms the authenticity of the electronic record, the device used to produce it, and the integrity of the data.
+ - The IT Act also validates electronic signatures and digital signatures, enabling legally binding digital communication and transactions.
+= 26. Write a short note on provision of IT act 2000 ( ammended 2008 ) which deals with cyber investigation and digital evidence admisibility.
+The Information Technology Act, 2000, along with its significant 2008 amendment, provides the legal framework in India for conducting cyber-crime investigations and ensuring the admissibility of electronic evidence in courts. These provisions support lawful access, investigation procedures, and validation of digital records.
+1. *Cyber Investigation Provisions*
+ 1. Section 66 Series - Computer-Related Offences
+ - Sections 66, 66B, 66C, 66D, 66E deal with offences such as hacking, identity theft, cyber fraud, impersonation, and violation of privacy.
+ - These sections give investigators legal grounds to initiate cases and prosecute offenders.
+ 2. Section 69 - Interception, Monitoring and Decryption
+ - Authorises the government and law enforcement agencies to intercept or decrypt information for national security, investigation, and crime prevention.
+ - Requires proper written authorisation, ensuring checks and balances.
+ 3. Section 69A - Blocking of Websites/Content
+ - Allows the government to block online content for public order, investigation, or security purposes.
+ - Helps investigators curb illegal content during ongoing cases.
+ 4. Section 69B - Monitoring of Traffic Data
+ - Permits monitoring and collection of traffic data for cyber security and threat assessment.
+ - Useful for tracing attackers, analysing network intrusions, and reconstructing cyber-attacks.
+ 5. Section 80 - Search and Seizure Powers
+ - Allows police officers (Inspector rank and above) to enter premises, search, and arrest without warrant in certain cyber-crime scenarios.
+ - Enables quick seizure of digital devices to prevent evidence destruction.
+2. *Provisions for Digital Evidence Admissibility*
+ 1. Section 65B of the Indian Evidence Act (linked to IT Act)
+ - Recognises electronic records (emails, logs, CCTV, documents, call records) as legally valid evidence.
+ - Requires a Section 65B certificate to prove authenticity, the device used, and that the data has not been altered.
+ - Ensures digital evidence is accepted in court with proper documentation.
+ 2. Section 3 & 4 - Legal Recognition of Digital Signatures and E-records
+ - Grants legal validity to electronic documents and digital signatures, allowing them to be treated like physical records.
+ 3. Section 7 - Retention of Electronic Records
+ - Allows electronic records to be stored and preserved as valid evidence for investigation and future reference.
+ 4. Section 79A - Establishment of Examiner of Electronic Evidence
+ - Introduced in the 2008 amendment.
+ - Recognises government-approved digital forensic labs as official experts whose reports and certifications hold high evidentiary value in court.
+= 27. Write a note on forensic report writing format.
+This is in some experiment. I'll look into it later.
+= 28. Discuss how file time stamp metadata is used as evidence in legal proceedings with challenges.
+File timestamp metadata includes Created, Modified, and Accessed times (often called MAC times). These timestamps are automatically generated by the operating system and record when a file was created, last edited, or last opened. In digital forensics and legal proceedings, timestamp metadata is a crucial source of evidence because it helps reconstruct user activity and establish timelines of events.
+- *Use of Timestamp Metadata as Evidence*
+ 1. Establishing a Timeline of Events:
+ Timestamps allow investigators to determine when a file was created, modified, or accessed. This helps reconstruct the sequence of activities during a cybercrime, such as when malware was installed or when sensitive files were copied.
+ 2. Proving User Activity or Intent:
+ Metadata can show if a suspect accessed or changed a file at a specific time, supporting allegations of data theft, document forgery, unauthorised access, or destruction of evidence.
+ 3. Corroborating Evidence:
+ Timestamp information can be matched with logs, network records, CCTV, or email timestamps to strengthen the overall case and confirm the suspect’s presence or actions.
+ 4. Detecting Anti-Forensic Techniques:
+ If timestamps appear inconsistent (e.g., a file “created” after it was “modified”), investigators may identify attempts at tampering or the use of time-altering tools.
+ 5. Attributing Actions to Devices or Users:
+ Different users or systems may leave different timestamp patterns. This helps link specific actions to particular accounts or machines involved in an incident.
+- *Challenges in Using Timestamp Metadata*
+ 1. Easily Altered:
+ Timestamps are not secure and can be changed intentionally using anti-forensic tools like "touch", timestomping malware, or system clock manipulation. This reduces their reliability as standalone evidence.
+ 2. System and Software Behaviour:
+ Operating systems automatically update timestamps during normal use—for example, opening a file may update the “Accessed” timestamp. These automatic changes can mislead investigations.
+ 3. Timezone and Clock Issues:
+ Incorrect system clocks, timezone differences, or daylight-saving adjustments can cause anomalies or conflicting timelines if not properly accounted for.
+ 4. Metadata Loss During Copying/Transfer:
+ Copying files between devices or downloading from the internet may change timestamps, making it difficult to determine the original time values.
+ 5. Different File Systems Handle Timestamps Differently:
+ FAT32, NTFS, ext4, APFS, and mobile OS file systems store timestamps differently. Some don’t store milliseconds or access times, leading to incomplete data.
+ 6. Volatility and Incomplete Records:
+ Some timestamps (especially Access Time) may be disabled for performance reasons, leaving gaps in the forensic record. Cache cleaning or OS housekeeping may also overwrite metadata.
+ 7. Need for Corroboration:
+ Timestamp metadata alone is rarely sufficient for conviction. Courts often require it to be supported by log files, system traces, or witness testimony.
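Review bot: Question 27 ("= 27. Write a note on forensic report writing format.") is committed with only a placeholder body ("This is in some experiment. I'll look into it later."), so the rendered question bank will ship an empty answer and the placeholder will show up in the #outline(); either write the report-format note before merging or leave the heading out until it is ready. Two smaller points in the same hunk: the heading for question 26 contains "ammended" and "admisibility" (should be "amended" and "admissibility"), and since headings feed the outline these typos appear twice in the output; and in the "Verification and Hashing" step of question 24, "(MD5/SHA-1/SHA-256)" reads as if any one is interchangeable, so consider stating that the chosen algorithm and resulting hash value must be recorded in the report, which matches the "Hashing and Validation" step given for the SIM image.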