CCI IMPORTANT QUESTIONS (By MrDnobody)
1. Define computer crime.
Computer crime means any illegal activity done using a computer, mobile, or
internet to harm people, steal information, or damage systems. These crimes
can be done from anywhere in the world, making them difficult to trace.
Criminals use technology to hack accounts, spread viruses, cheat people online,
or steal sensitive data like passwords or bank details. Since many daily activities
such as banking, shopping, and communication happen online, computer
crimes have become very common today.
Example: Someone hacking into your email or stealing your credit card details
from a fake website.
2. Forms of cybercrime (Any four).
Cybercrime includes many types of online attacks.
1. Hacking: Breaking into someone’s account or computer without permission.
2. Phishing: Sending fake emails or messages to trick people into giving
passwords or OTPs.
3. Malware attacks: Installing viruses, worms, ransomware, or spyware to
damage systems or steal data.
4. Identity theft: Stealing someone’s personal information like Aadhaar, PAN, or
bank details and misusing them.
Other forms include cyberstalking, online fraud, data breaches, and financial
scams.
Example: Receiving a fake SMS from a “bank” asking for your ATM PIN.
3. Who is a Forensics Expert? Responsibilities.
A forensics expert is a trained professional who investigates cybercrimes using
scientific methods. Their job is to study digital devices and find hidden or
deleted information that helps solve cases.
Responsibilities:
– Collect computers, phones, and storage devices safely.
– Preserve the evidence so it does not change during investigation.
– Analyze files, logs, browsing history, chats, and IP addresses.
– Recover deleted photos, messages, or documents.
– Prepare a clear forensic report with proofs.
– Explain findings in court if required.
These experts help identify criminals and understand exactly how the
cybercrime happened.
4. What is Chain of Custody?
Chain of custody is a documented record that tracks the complete handling of
digital evidence from the moment it is collected until it is presented in court. It
includes details like who collected the evidence, when it was collected, how it
was stored, who accessed it, and why. This process proves that the evidence
has not been changed, damaged, or tampered with. Maintaining chain of
custody is important because digital data can be easily altered. If this record is
missing, the court may reject the evidence.
Example: Hard disk seized → sealed → stored → sent to forensic lab →
returned.
5. Key features of the IT Act 2008 Amendment.
The IT Act 2008 Amendment strengthened India’s cyber laws to deal with
increasing online crimes. It introduced new offences such as identity theft,
cyber terrorism, online cheating, and misuse of personal data. It increased
punishments for hacking, data theft, and spreading harmful content. It made
digital signatures and electronic records legally acceptable. The amendment
also required companies to protect user data and follow security rules. Police
received more power to investigate cybercrimes quickly.
Example: Section 66C punishes anyone who steals or misuses someone else’s
identity details.
6. Define digital evidence.
Digital evidence is any information stored or transmitted using digital devices
that can help in investigating a cybercrime. It can come from computers,
mobile phones, CCTV systems, servers, pen drives, or online accounts. It
includes chats, emails, call logs, photos, browsing history, videos, login details,
deleted files, IP addresses, and system logs. Digital evidence is extremely
important because it shows what actions were performed and helps identify
the criminal.
Example: Recovery of deleted WhatsApp messages or checking IP logs to trace
a hacker.
7. What is initial response in computer investigation?
Initial response refers to the first steps taken immediately after discovering a
cyber incident. The aim is to protect important data before it gets deleted or
changed. Investigators secure the device, disconnect it from the internet, note
its current condition, capture screenshots, and collect live data such as running
programs, RAM content, or active network connections. They also ensure no
one touches the system until evidence is collected.
Example: When a network is hacked, the investigator quickly disconnects the
affected machine from Wi-Fi to stop further damage.
8. What is phishing?
Phishing is a cybercrime where attackers send fake emails, messages, or
websites that look real to trick people into sharing personal information. These
fake messages often pretend to be from banks, government services, or well-
known companies. When the victim enters their details, the attacker steals
them and uses them for fraud, money theft, or account takeover.
Example: A fake message saying, “Your KYC is expired. Click here to update
your details,” and the link steals your banking information.
9. Two examples of cyberstalking.
Cyberstalking means repeatedly disturbing, threatening, or monitoring
someone online without their permission.
Example 1: Sending abusive or unwanted messages every day to someone on
Instagram or WhatsApp.
Example 2: Using multiple fake accounts to constantly monitor a person’s
posts, stories, and location updates.
Cyberstalking creates fear, mental stress, and violates a person’s privacy. It is a
punishable offence under cyber laws.
10. What is evidence preservation?
Evidence preservation means keeping digital evidence safe and unchanged
throughout the investigation. Since digital data can be easily deleted or
modified, investigators use special methods like forensic imaging, write
blockers, sealed storage bags, and proper labeling. They make a copy of the
data and only work on the copy, while the original remains protected.
Preservation ensures the evidence stays valid and acceptable in court.
Example: Before analyzing a laptop, the investigator creates an exact forensic
image so the original data stays untouched.
UNIT 1 – 5-Mark Answers
1. Forms of Cyber Crime with Examples (Hacking, Malware, Phishing, Fraud,
Identity Theft)
Cybercrime refers to crimes done using computers or the internet. The main
forms are:
1. Hacking
• Unauthorized access into someone’s account or system.
• Hackers steal or change information.
• Example: Logging into someone’s Gmail without permission.
2. Malware Attacks
• Malware includes viruses, worms, Trojans, spyware, and ransomware.
• Used to damage files, steal data, or lock systems.
• Example: Ransomware encrypting your files and asking for money.
3. Phishing
• Fake messages, emails, or websites created to steal passwords or bank
details.
• Attackers pretend to be banks or companies.
• Example: “Update your ATM PIN now, click here.”
4. Online Fraud
• Cheating people online using fake offers or websites.
• Example: Fake shopping sites that take money but never deliver.
5. Identity Theft
• Stealing someone’s personal details like Aadhaar, PAN, photos, or bank
details.
• Example: Taking a loan using another person’s identity.
2. Computer Investigation Procedure (Step-by-Step)
A computer investigation must be done carefully to protect digital evidence.
1. Initial Response
• Secure the scene and stop further damage.
• Disconnect the device from the internet.
• Note the current system condition and take photos.
2. Evidence Collection
• Collect computers, mobiles, USB drives, hard disks, logs, and documents.
• Record serial numbers and details.
• Create a forensic image (exact copy) of each storage device.
3. Evidence Preservation
• Protect evidence from changes.
• Use write blockers and sealed bags.
• Store in secure rooms and maintain chain of custody.
4. Analysis
• Study files, logs, email history, browsing history, deleted data, and
malware.
• Identify IP addresses, suspicious activity, and how the crime happened.
5. Documentation and Reporting
• Write every step clearly with screenshots.
• Prepare a forensic report for police or court.
3. Role of a Forensics Expert in Cybercrime Investigation
A forensics expert is essential for solving digital crimes. Their responsibilities
include:
1. Collecting Evidence
• Gather laptops, mobiles, USBs, and logs from the crime scene.
• Ensure safe handling to avoid data change.
2. Preserving Evidence
• Create forensic copies and protect originals.
• Use write blockers, seals, and secure storage.
• Maintain chain of custody.
3. Analyzing Data
• Recover deleted files, study browsing history, check emails and logs.
• Analyze malware, IP addresses, and timestamps.
• Understand how the attack happened and who is responsible.
4. Documentation
• Note every tool used, every step taken, and all findings.
• Add screenshots and timestamps.
5. Reporting and Court Work
• Prepare a complete forensic report.
• Explain the findings in simple language in court.
• Support the police and legal teams with technical details.
4. Digital Evidence Handling Procedure (Collection, Preservation, Analysis)
Handling digital evidence requires a clear and safe method.
1. Collection
• Identify and collect all devices: laptops, phones, USBs, CCTV DVRs,
servers.
• Take photos of the device and environment.
• Label each item properly.
• Create forensic images to avoid altering original data.
2. Preservation
• Use write blockers to prevent data changes.
• Store evidence in sealed, tamper-proof bags.
• Calculate hash values (MD5/SHA) to prove data integrity.
• Keep evidence in secure storage rooms.
• Maintain chain of custody.
3. Analysis
• Study emails, chats, logs, browsing history, deleted files, and malware.
• Identify suspicious actions, login attempts, and IP addresses.
• Reconstruct the timeline of the crime.
• Compare findings with suspect information.
4. Documentation
• Record steps, tools used, and results in a clear format.
• Prepare a final report for legal use.
5. Chain of Custody and Its Legal Importance
1. Meaning
Chain of custody is a written record that tracks how digital evidence moves
from collection to court.
2. Information It Contains
• Who collected the evidence
• When it was collected
• How it was stored
• Who accessed it
• Why it was accessed
• All transfers and signatures
3. Purpose
• Ensures evidence stays original and is not tampered with.
• Builds trust in the investigation process.
4. Legal Importance
• Courts accept evidence only if chain of custody is complete.
• If missing, the evidence may be rejected even if it is genuine.
• Protects the case from claims of manipulation.
5. Example
Laptop seized → sealed → stored → sent to forensic lab → returned → taken to
court.
Every step is recorded and signed.
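The hash-and-record routine behind the procedures above (hash values for integrity in the handling procedure, and the signed handover record in the chain of custody), as an added example written for these notes rather than code from any forensic product: a constructed image file is fingerprinted with SHA-256 at seizure, every handover is logged with custodian, time, action and location, and the image is re-hashed at each handover so that any change shows up in the record. The class name CustodyLog, the item id HDD-001 and the custodian names are assumptions made for the example.

```python
"""Added example for these notes: hashing a forensic image and keeping a
chain-of-custody log. Illustrative code, not a tool from any forensic
product. It writes a small constructed "image" file into a temporary folder,
records its SHA-256 fingerprint at seizure, appends one custody event per
handover (who, when, what action, where stored) and re-hashes the image at
every handover so that any change is caught. CustodyLog, HDD-001 and the
custodian names are assumptions made for the example."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 hex digest of a file, read in chunks so large images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of who handled one evidence item and when."""

    def __init__(self, item_id, image_path):
        self.item_id = item_id
        self.image_path = image_path
        self.seizure_hash = sha256_file(image_path)  # fingerprint taken at seizure
        self.events = []

    def record(self, custodian, action, location):
        """Log a handover and check the image still matches the seizure hash."""
        current = sha256_file(self.image_path)
        event = {
            "time": datetime.now(timezone.utc).isoformat(),
            "custodian": custodian,
            "action": action,
            "location": location,
            "sha256": current,
            "intact": current == self.seizure_hash,
        }
        self.events.append(event)
        return event

    def is_intact(self):
        """True only if every handover saw the original hash."""
        return all(e["intact"] for e in self.events)

    def to_json(self):
        return json.dumps(
            {"item": self.item_id, "seizure_sha256": self.seizure_hash, "events": self.events},
            indent=2,
        )


def demo(tamper=False):
    """Walk a constructed image through seizure, storage, lab transfer and return.

    With tamper=True one byte of the image is changed between the lab and the
    return to storage; the next custody event then records intact=False.
    """
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "HDD-001.dd")
    with open(image, "wb") as f:
        f.write(b"constructed disk image contents " * 64)  # sample data, not a real image

    log = CustodyLog("HDD-001", image)
    log.record("Officer A", "seized and sealed", "crime scene")
    log.record("Officer A", "stored", "evidence room")
    log.record("Examiner B", "received for analysis", "forensic lab")
    if tamper:
        with open(image, "r+b") as f:
            f.seek(10)
            f.write(b"X")
    log.record("Officer A", "returned after analysis", "evidence room")
    return log


if __name__ == "__main__":
    print(demo().to_json())
```

Running the file prints the custody record as JSON; calling demo(tamper=True) shows the last event with "intact": false, which is exactly the gap in the chain that a court would question.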
6. Key Provisions of the IT Act 2008 Amendment
1. New Cyber Offenses Added
• Identity theft (Section 66C)
• Cheating by impersonation (Section 66D)
• Cyber terrorism (Section 66F)
• Data theft and privacy violations
2. Stronger Punishments
• Higher fines and longer jail terms for cybercrimes.
• Strict action against hacking, fraud, and data misuse.
3. Legal Recognition of Digital Records
• Digital signatures and electronic documents are legally valid.
• E-contracts accepted.
4. Data Protection Rules
• Companies must protect customer data.
• Must report data leaks and follow security policies.
5. Faster Cybercrime Handling
• Police can investigate more cyber offences directly.
• Cybercrime police stations established.
6. Obscene Content Rules
• Publishing or sharing sexual or vulgar content online is punishable.
• Section 67 covers obscene material.
LONG ANSWER QUESTION
1. Cyber Crime Investigation Lifecycle
1. Detection of the Incident
The investigation begins when unusual activity is noticed, such as slow
performance, unknown logins, suspicious emails, or antivirus alerts. The
investigator checks logs and system behaviour to confirm it is a real
cybercrime and not an error. Early detection reduces damage and
prevents evidence loss.
2. Securing the Affected System
The system is immediately protected from further tampering. The device
is disconnected from the network so attackers cannot continue their
actions. Investigators take photos of the screen, note system status, and
prevent anyone from touching the device. This step ensures that no
evidence is disturbed.
3. Collecting Digital Evidence
All devices involved in the incident—computers, mobiles, hard disks,
USBs, CCTV DVRs—are collected carefully. Serial numbers, device
conditions, and timestamps are recorded. A forensic image (exact copy)
is created so the original device is not changed or damaged during
analysis.
4. Preserving Evidence Safely
Since digital data can be easily changed, evidence must be protected.
Write blockers are used to stop data modification. Devices are stored in
sealed, labelled bags and kept in secure storage. Hash values (digital
fingerprints) are calculated to prove the data remains original. Chain of
custody is maintained to track who handled the evidence.
5. Detailed Analysis of Evidence
Experts examine logs, emails, deleted files, browsing history, system
settings, and malware. They check network activity, IP addresses, and
timestamps to understand the attacker’s method. Analysis helps identify
what happened, how it happened, and the possible identity of the
attacker.
6. Documentation of All Steps
Every step of the investigation—collection, preservation, tools used,
commands executed, and results found—is written clearly. Screenshots,
logs, notes, and dates are recorded. This documentation proves the
investigation was scientific and correct.
7. Final Reporting and Court Presentation
A detailed forensic report is prepared summarising findings, timelines,
and conclusions. The expert presents the report in court and explains the
technical details in simple language. After the judgment, the case is
closed and evidence is archived.
2. Incident-Specific Procedures
1. Identifying the Type of Incident
The investigator first identifies whether the issue is caused by a virus,
hacking, or someone misusing the system physically. Correct
identification is important because each incident requires a different
investigation method.
2. Handling Virus/Worm Incidents
When a virus or worm attack occurs, the infected system is identified
through antivirus warnings, strange pop-ups, or unknown files. The
device is disconnected from the network to stop the virus from
spreading. Investigators collect the malware sample and study how it
entered (email, USB, download) and what files it damaged.
3. Analyzing Malware Behaviour
The malware is examined in a controlled environment. Investigators
check file changes, registry modifications, and processes created by the
malware. This helps understand how dangerous it is and how to remove
it safely.
4. Handling Hacker Incidents
Hacking incidents are recognised through unauthorized logins, changed
passwords, unknown programs, or altered files. Investigators study
firewall logs, login history, and network traffic to trace the attacker’s
activities and find where they entered the system.
5. Tracing the Attacker’s Identity
IP addresses, timestamps, device fingerprints, and behavioural patterns
are analysed to trace the attacker. Weak passwords, outdated software,
or open ports are checked to identify the security gap used by the
hacker.
6. Handling Social/Physical Incidents
Sometimes the attacker is not online but a person physically using the
system. Investigators talk to employees, check CCTV footage, and
examine entry logs. They also check if someone inserted a USB or used
another person’s password.
7. Preparing the Final Report and Prevention Plan
After analysing the incident, investigators prepare a report explaining
what happened, how it happened, and the damage caused. They suggest
ways to prevent similar incidents, such as stronger passwords, better
antivirus, updated systems, and physical security.
3. Forensic Report Writing
1. Introduction and Purpose
The report starts by explaining what cyber incident happened and why
the investigation was required. It mentions who requested the
investigation and the basic background of the case.
2. Case Details and Background
This section includes date of incident, time, type of attack, and a short
summary of how the problem was detected. It provides a clear picture of
what happened before the investigation started.
3. Evidence Collected
All digital evidence is listed, such as laptops, mobiles, hard disks, pen
drives, and logs. For each item, photos, serial numbers, location found,
and condition are mentioned. This makes the report complete and
trustworthy.
4. Tools and Methods Used
The report lists the forensic tools used—FTK Imager, EnCase, Autopsy,
Wireshark—and explains why each tool was chosen. This section shows
that the investigation followed scientific methods.
5. Steps Followed During Investigation
This includes how evidence was collected, preserved, and analysed. It
describes how forensic images were created, how write blockers were
used, and how logs and files were examined. The entire procedure is
written clearly in order.
6. Findings and Results
This is the most important section. It includes the data recovered,
deleted files restored, suspicious IP addresses, malware activity, and the
exact timeline of the attacker’s actions. Screenshots and proof are added
here.
7. Conclusion and Recommendations
The report ends with a summary of how the cybercrime happened and
who is responsible (if found). Recommendations are given for preventing
similar incidents, such as improving passwords, updating software, or
training users. The expert signs the report and attaches the chain of
custody.
4. Case Study (ATM Skimming Fraud)
1. Introduction of the Case
The case involves an ATM skimming attack where a criminal installed a
small skimmer device on an ATM. This device secretly copied customers’
card numbers and PINs.
2. How the Crime Was Performed
When customers inserted their cards, the skimmer read the magnetic
stripe. A small hidden camera or fake keypad captured the PIN. The
attacker later used this stolen data to create duplicate cards.
3. Victim Complaints and Start of Investigation
Many customers noticed money missing from their accounts even
though they had not used the ATM. The bank informed the cyber police,
and an investigation began.
4. Evidence Collected
Investigators collected the skimmer device from the ATM, CCTV footage,
ATM transaction logs, network logs, and sample cloned cards. The time
of installation was noted.
5. Analysis of Evidence
The skimmer contained many stolen card numbers. Fingerprints were
lifted from the device. CCTV showed the suspect installing the device late
at night. ATM logs matched the timing of suspicious withdrawals.
6. Application of IT Act 2008
The attacker violated Section 66C (identity theft), Section 66D (cheating
by impersonation), and Section 43 (unauthorized access). These sections
apply for stealing card details and withdrawing money illegally.
7. Conclusion of the Case
Digital evidence clearly proved the suspect’s involvement. The
investigation showed the importance of regular ATM checks, strong CCTV
monitoring, and customer awareness about covering the keypad while
entering the PIN.
UNIT 1 – SHORT SUMMARY (Very Easy)
Cybercrime
Crime done using computers or the internet.
Examples: hacking, phishing, malware, online fraud, identity theft.
Digital Evidence
Any data from computers, mobiles, networks, or CCTV used to solve a case.
Cyber Forensics
Process of collecting, preserving, analysing, and presenting digital evidence.
Chain of Custody
Record of who handled evidence from start to end to prove it was not changed.
Investigation Steps (Lifecycle) – Short
1. Detect the incident
2. Secure the device
3. Collect evidence
4. Preserve safely
5. Analyse data
6. Document steps
7. Prepare report & present in court
Incident Types – Short
• Virus/Worm: isolate → analyse → remove
• Hacker attack: check logs → trace IP → fix entry point
• Social/physical: talk to users → check CCTV → find misuse
Forensic Report (Short)
Intro → Evidence → Tools → Steps → Findings → Conclusion → Chain of Custody
IT Act 2008 (Important)
• 66C: Identity theft
• 66D: Online cheating
• 66F: Cyber terrorism
• 43: Unauthorized access
• 67: Obscene content
UNIT 2 – 2-MARK ANSWERS
1. Define Computer Forensics.
Computer forensics is the process of finding proof from computers and digital
devices to solve cybercrimes. It works like digital detective work. Experts look
into computers, phones, or networks to see what happened, who did it, and
how it was done. They recover deleted files, check internet history, study logs,
and find hidden data. The main aim is to collect evidence without changing it.
Everything is recorded properly so it can be shown in court. Computer forensics
helps catch hackers, fraudsters, and anyone misusing technology.
2. What are the categories of computer forensics?
Computer forensics has many branches. Disk forensics deals with recovering
deleted files from hard disks and pen drives. Network forensics focuses on
internet activity, packet data, and IP addresses to trace attackers. Mobile
forensics extracts useful data from smartphones like chats, photos, calls, and
locations. Memory forensics studies RAM to capture running programs and live
malware. Cloud forensics investigates data stored online like emails, cloud
backups, and online accounts. These categories help investigators understand
different parts of a cybercrime. Each branch plays an important role in finding
digital evidence.
3. What is disk forensics?
Disk forensics is the study of data stored on devices like hard disks, SSDs,
memory cards, and USB drives. It helps find deleted files, hidden folders, old
documents, and information that a criminal tried to remove. Investigators
create an exact copy of the disk to protect the original data. They study file
systems like NTFS or FAT to understand how and when files were created,
changed, or deleted. Disk forensics helps solve most cybercrimes because
criminals often store or delete information on storage devices.
4. What is network forensics?
Network forensics finds proof from the internet or network activity. It checks
how data travelled between computers, what websites were visited, and
whether hackers attacked the system. Investigators capture and study packets,
check IP addresses, analyse logs, and watch traffic patterns. Tools like
Wireshark help see what happened in the network. Network forensics can
show how a hacker entered, what data they took, and from where they
connected. It is mainly used for online crimes such as hacking, malware
communication, and data theft.
5. Define mobile forensics.
Mobile forensics is the process of finding evidence from mobile phones. Today
people use phones for calls, messages, WhatsApp, photos, banking, and
browsing, so phones contain a lot of information. Investigators recover deleted
messages, chats, photos, videos, contacts, call logs, and location history. They
also analyse installed apps and cloud backups. Special tools are used to unlock
phones and safely extract data. Mobile forensics helps solve many cases like
fraud, harassment, identity theft, cheating, and online abuse.
6. What is a file system artifact (Windows)?
A Windows file system artifact is a small trace left behind when a user or
system performs any activity. These traces help investigators understand what
happened on the computer. Examples include registry entries (settings), event
logs (login and system events), prefetch files (recently used applications),
browser history, and recycle bin data. Even if a user deletes files, many artifacts
still remain. These artifacts show when a program was opened, when a file was
deleted, or what websites were visited. They are very important in digital
forensics.
7. What is log analysis in Linux forensics?
Linux forensics uses log analysis to understand what happened inside a Linux
system. Linux stores many logs in the /var/log folder. Important logs include
[Link] (login attempts), syslog (system messages), and dmesg (hardware
messages). Investigators check these logs to see failed logins, suspicious
actions, user activities, errors, or attacks. Logs help in finding when a hacker
tried to break in, which user logged in, and what commands were used. Log
analysis is useful because Linux is commonly used in servers and logs record
almost everything.
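The kind of log analysis described above, as an added example written for these notes (not code from any tool): it parses a few constructed sshd and sudo lines in the syslog line format that /var/log/auth.log uses on Debian-style systems (an assumption of the example), counts failed logins per source address, flags a source that failed repeatedly and then succeeded, and lists commands run through sudo. The addresses come from the RFC 5737 documentation ranges and the lines are made up.

```python
"""Added example for these notes: picking failed logins, successful logins
and privileged commands out of Linux auth log lines. Illustrative code, not a
tool from any project. It assumes the auth.log line format written by sshd
and sudo on Debian-style systems; the sample lines are constructed."""
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real log data), in time order.
SAMPLE_AUTH_LOG = """\
Mar 10 09:12:01 srv1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 09:12:03 srv1 sshd[2211]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 10 09:12:05 srv1 sshd[2211]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 09:12:09 srv1 sshd[2211]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 09:12:14 srv1 sshd[2213]: Accepted password for root from 203.0.113.7 port 51026 ssh2
Mar 10 09:30:45 srv1 sshd[2301]: Accepted publickey for alice from 192.0.2.10 port 40011 ssh2
Mar 10 09:31:02 srv1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 10 10:02:17 srv1 sshd[2400]: Failed password for bob from 198.51.100.4 port 33001 ssh2
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
FAILED_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
                       r"(?P<user>\S+) from (?P<src>\S+) port \d+")
ACCEPTED_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted (?P<method>\w+) for "
                         r"(?P<user>\S+) from (?P<src>\S+) port \d+")
SUDO_RE = re.compile(TS + r" \S+ sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")


def parse_auth_log(text):
    """Turn log lines into event dicts; lines that match no pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "type": "failed", "user": m["user"], "src": m["src"]})
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "type": "accepted", "user": m["user"],
                           "src": m["src"], "method": m["method"]})
            continue
        m = SUDO_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "type": "sudo", "user": m["user"], "cmd": m["cmd"]})
    return events


def failed_logins_by_source(events):
    """How many failed logins each source address produced."""
    return Counter(e["src"] for e in events if e["type"] == "failed")


def brute_force_successes(events, threshold=3):
    """Sources whose login succeeded after at least `threshold` earlier failures."""
    failures = defaultdict(int)
    flagged = []
    for e in events:  # events are in time order, so a running count is enough
        if e["type"] == "failed":
            failures[e["src"]] += 1
        elif e["type"] == "accepted" and failures[e["src"]] >= threshold:
            flagged.append((e["src"], e["user"], failures[e["src"]], e["ts"]))
    return flagged


def privileged_commands(events):
    """(user, command) pairs run through sudo, useful for reconstructing what was done."""
    return [(e["user"], e["cmd"]) for e in events if e["type"] == "sudo"]


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_AUTH_LOG)
    print("failed logins per source:", dict(failed_logins_by_source(ev)))
    print("success after repeated failures:", brute_force_successes(ev))
    print("sudo commands:", privileged_commands(ev))
```

On a real system the same functions would be fed the file contents instead of SAMPLE_AUTH_LOG; the running count in brute_force_successes works because the log is written in time order, so a success that follows several failures from the same address stands out without building a full timeline first.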
8. What is packet analysis?
Packet analysis means studying small pieces of data (packets) that travel
through a network. Each packet contains information like the sender’s IP
address, receiver’s IP address, and the data being sent. Investigators capture
packets using tools like Wireshark and check if anything suspicious is inside.
Packet analysis helps find malware communication, stolen data, hacker activity,
or unusual traffic patterns. It is used to solve online cybercrimes and
understand exactly what happened on a network.
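What "looking inside a packet" means at byte level, as an added example written for these notes and not part of Wireshark or any other tool: a constructed IPv4/TCP packet is built in memory (addresses from the RFC 5737 documentation ranges) and then decoded back into the fields an investigator reads first, namely source and destination address, TTL, protocol, ports, TCP flags and payload. The IPv4 header checksum is recomputed so a damaged or altered capture can be spotted. The function names are assumptions of the example.

```python
"""Added example for these notes: decoding the IPv4 and TCP headers of one
packet. Illustrative code, not part of any capture tool. Builds a constructed
IPv4/TCP packet, parses it back and verifies the IPv4 header checksum."""
import socket
import struct

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ipv4_checksum(header):
    """One's-complement sum over 16-bit words (RFC 1071); returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b""):
    """Construct a minimal IPv4 + TCP packet (no options; TCP checksum left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill in checksum
    return ip + tcp + payload


def parse_ipv4_packet(data):
    """Return the IPv4 fields and, for TCP, the ports, flags and payload."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _ck, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", data[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes (20 without options)
    info = {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "ttl": ttl,
        "proto": proto,
        "checksum_ok": ipv4_checksum(data[:ihl]) == 0,
        "payload": b"",
    }
    body = data[ihl:total_len]
    if proto == 6 and len(body) >= 20:  # TCP
        sport, dport, _seq, _ack, off_res, flags, _win, _ck2, _urg = struct.unpack(
            "!HHIIBBHHH", body[:20])
        doff = (off_res >> 4) * 4  # TCP header length in bytes
        info.update({
            "sport": sport,
            "dport": dport,
            "flags": [name for bit, name in TCP_FLAG_NAMES if flags & bit],
            "payload": body[doff:],
        })
    return info


# Constructed sample: a client sending an HTTP request line to port 80 (PSH|ACK).
SAMPLE_PACKET = build_ipv4_tcp("192.0.2.10", "203.0.113.7", 51022, 80,
                               0x18, b"GET / HTTP/1.1\r\n")

if __name__ == "__main__":
    for key, value in parse_ipv4_packet(SAMPLE_PACKET).items():
        print(f"{key:12} {value!r}")
```

A capture tool does the same decoding for every frame in a pcap; the checksum check matters because a packet whose header checksum fails was either corrupted in capture or altered afterwards, and either way it should not be relied on as evidence without explanation.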
9. Define IDS (Intrusion Detection System).
An IDS is a security system that watches the network or a device and alerts
when suspicious or harmful activity happens. It helps detect hacking attempts,
malware traffic, unusual logins, or strange behaviour. IDS does not stop the
attack but warns early so action can be taken quickly. There are two types:
Network-based IDS monitors the whole network, and Host-based IDS monitors
a single computer. IDS is important because it helps organisations find
cyberattacks early and reduce damage.
10. What is statistical flow analysis?
Statistical flow analysis checks large amounts of network traffic using numbers,
patterns, and flow records. Instead of looking at each packet, it studies big
patterns like how many connections happened, how much data was
transferred, and how frequently a device communicated. If something unusual
appears—like sudden high traffic or unknown connections—it may indicate an
attack. This method is useful for large networks because it helps quickly detect
hidden threats like malware, data theft, or botnet activity. It gives a quick
overview of overall network health.
5 MARKS
1. Importance of Computer Forensics in Law Enforcement and Organizations.
Computer forensics is important because most crimes today involve digital
devices like phones, computers, or the internet. For law enforcement,
computer forensics helps recover deleted data, read logs, check browsing
history, and trace hackers. This allows police to understand how a crime
happened and who is responsible. It also provides strong digital evidence that
can be shown in court.
For organizations, computer forensics helps find the cause of security incidents
such as hacking, data theft, malware, and employee misuse. It helps companies
protect their networks, recover lost data, identify weak points, and prevent
future attacks. Forensics also helps during internal investigations like fraud,
policy violation, or misuse of company systems.
Overall, computer forensics ensures that digital crimes are solved scientifically
and that evidence remains original, reliable, and acceptable in court.
2. Methodology of Computer Forensics (Analysis, Documentation,
Presentation)
The methodology of computer forensics follows a clear and structured process.
First is analysis, where investigators study collected evidence like logs, deleted
files, browsing history, malware, and network activity. They use forensic tools
to understand what happened, how the system was attacked, and what data
was accessed or modified.
Next is documentation, where every action taken during the investigation is
recorded. This includes tools used, steps followed, screenshots, dates, and
findings. Proper documentation is important because it proves the
investigation was done correctly and helps present evidence in court.
The final step is presentation, where the results are written in a clear forensic
report. The report explains the incident, evidence collected, analysis results,
and conclusions. It must be easy to understand, even for non-technical people.
Investigators may also present this report in court and answer questions.
These three steps ensure the investigation is scientific, trustworthy, and legally
valid.
3. Windows Forensics vs Linux Forensics.
Windows and Linux forensics both help investigators understand what
happened inside a system, but they use different sources of evidence.
Windows forensics mainly depends on artifacts like registry, event logs,
prefetch files, browser history, and the recycle bin. The registry stores system
settings and user activities. Prefetch files show which programs were recently
opened. Event logs contain login information, errors, and system changes.
These artifacts help reconstruct user behaviour easily.
Linux forensics focuses on log files stored in /var/log ([Link], syslog,
messages), command history, permissions, and cron jobs. Linux logs record
almost everything happening on the system, making it useful for server
investigations.
Windows is more user-friendly but leaves many small traces. Linux is
command-based, more secure, and mostly used on servers. Both are
important, and investigators choose methods depending on the operating
system involved.
4. Network Forensics Approaches and Investigation Strategies.
Network forensics focuses on studying network activity to detect and
investigate cyberattacks. The first approach is packet analysis, where
investigators capture data packets using tools like Wireshark. They study source
and destination IPs, protocols, and contents to identify suspicious
communication.
Another approach is log analysis, where logs from firewalls, routers, IDS/IPS
systems, and servers are checked to trace attacker movements. Logs help
identify failed logins, port scanning, or data theft attempts.
Flow analysis is also important. It studies overall traffic patterns to detect
abnormal behaviour such as large data transfers, unusual connections, or
repeated communication with unknown IPs.
Strategies include creating network baselines, monitoring real-time traffic,
enabling alerts, and blocking suspicious connections. Network forensics helps
identify hackers, understand attack methods, and strengthen network security
by revealing weak points.
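The flow-analysis and baseline strategy described here, and the statistical flow analysis question in the 2-mark section, in working form as an added example written for these notes (not code from any network tool): constructed NetFlow-style records are compared with a per-host baseline so that a host sending far more data than usual is flagged by a z-score rule, and connections that repeat at a near-constant interval are flagged as beaconing. The record layout, addresses and byte counts are all constructed for the example.

```python
"""Added example for these notes: statistical flow analysis on constructed
NetFlow-style records. Illustrative code, not a tool from any product. Two
checks: (1) each host's outbound bytes in the current window against a
baseline of earlier windows, flagging hosts more than k standard deviations
above the mean; (2) connections that recur at a near-constant interval, the
beaconing pattern of malware calling home. All values are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Baseline: outbound bytes per internal host over an earlier, known-clean window.
BASELINE_BYTES = {
    "10.0.0.2": 120_000, "10.0.0.3": 150_000, "10.0.0.4": 110_000,
    "10.0.0.5": 130_000, "10.0.0.6": 140_000,
}

# Current window: (start_time_seconds, src, dst, dst_port, bytes_out)
FLOWS = [
    (100, "10.0.0.2", "198.51.100.20", 443, 40_000),
    (0, "10.0.0.5", "203.0.113.50", 443, 512),
    (600, "10.0.0.5", "203.0.113.50", 443, 512),
    (3500, "10.0.0.2", "198.51.100.20", 443, 40_000),
    (1200, "10.0.0.5", "203.0.113.50", 443, 512),
    (1800, "10.0.0.5", "203.0.113.50", 443, 512),
    (2400, "10.0.0.5", "203.0.113.50", 443, 512),
    (4100, "10.0.0.4", "203.0.113.9", 22, 900_000),
    (7000, "10.0.0.2", "198.51.100.20", 443, 40_000),
]


def outbound_bytes(flows):
    """Total bytes sent per source host in the window."""
    totals = defaultdict(int)
    for _t, src, _dst, _port, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)


def high_volume_hosts(flows, baseline, k=3.0):
    """Hosts whose outbound bytes exceed baseline mean + k * std (z-score rule)."""
    mu = mean(baseline.values())
    sigma = pstdev(baseline.values())
    threshold = mu + k * sigma
    return sorted((host, total) for host, total in outbound_bytes(flows).items()
                  if total > threshold)


def periodic_connections(flows, min_flows=5, max_cv=0.1):
    """(src, dst, interval) for pairs that reconnect at a near-constant interval.

    The coefficient of variation (std / mean) of the gaps between flow starts
    is close to zero for a timer-driven beacon and large for human traffic.
    """
    starts = defaultdict(list)
    for t, src, dst, _port, _b in flows:
        starts[(src, dst)].append(t)
    found = []
    for (src, dst), times in starts.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            found.append((src, dst, mean(gaps)))
    return found


if __name__ == "__main__":
    print("outbound bytes:", outbound_bytes(FLOWS))
    print("above baseline:", high_volume_hosts(FLOWS, BASELINE_BYTES))
    print("periodic connections:", periodic_connections(FLOWS))
```

Neither check reads packet contents, which is the point of flow analysis: the large transfer from 10.0.0.4 and the ten-minute heartbeat from 10.0.0.5 are visible from counts and timestamps alone, so the method scales to traffic volumes where full packet capture is impractical.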
5. Mobile Forensics Workflow and Challenges.
The mobile forensics workflow begins with seizing the device safely by
switching it to airplane mode or shutting it down to prevent remote wiping.
Next, investigators preserve the device by documenting its condition, taking
photos, and storing it safely.
Then comes extraction, where tools are used to take data such as messages,
call logs, photos, videos, WhatsApp chats, app data, and location information.
After extraction, the data is analysed to understand user activity and identify
evidence connected to the crime.
The final step is reporting, where all findings are written clearly for legal use.
Mobile forensics faces challenges like locked phones, encryption, secure apps,
constantly updating operating systems, cloud backups, and fast-changing data.
Despite these challenges, mobile forensics is crucial because most cybercrimes
involve smartphones today.
6. Event Log Analysis in Network Forensics
1. Records All Activities
Event logs store every important action done in a system or network,
such as logins, errors, and updates. This helps investigators see what
happened before and during an attack.
2. Detects Suspicious Behaviour
Logs show failed logins, unauthorized access attempts, unusual traffic, or
malware connections. This helps identify possible attackers.
3. Creates Timeline of Attack
Logs contain date, time, username, and IP address for each event. This
information helps investigators build the exact sequence of events.
4. Supports Network Devices
Firewall logs, router logs, IDS/IPS logs show blocked attacks, port scans,
and suspicious network behaviour. This helps identify how the attacker
entered the system.
5. Provides Strong Evidence
Logs are accepted as digital evidence in court when their integrity can be
shown. An attacker with enough privilege can edit or delete local logs, so
copies forwarded to a central log server, stored write-once and hashed at
collection are far more reliable. They help prove what activity happened
and who was involved.
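Worked example (added here, not part of the original notes): a short Python script that does the detection and timeline steps above on a few constructed sshd log lines in the Linux /var/log style. It flags a password-guessing burst (five failures inside a minute) and notes whether a successful login from the same address followed it. The hostnames, addresses and the year 2024 are assumptions; syslog lines carry no year, so the examiner supplies it from the case file.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not a real log). Addresses are documentation ranges.
SAMPLE_LOG = """\
Mar  3 10:14:01 srv1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:14:03 srv1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  3 10:14:05 srv1 sshd[2212]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 10:14:06 srv1 sshd[2213]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  3 10:14:08 srv1 sshd[2214]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 10:14:10 srv1 sshd[2230]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar  3 10:20:44 srv1 sshd[2301]: Failed password for alice from 198.51.100.9 port 40111 ssh2
Mar  3 10:21:02 srv1 sshd[2302]: Accepted publickey for alice from 198.51.100.9 port 40112 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
AUTH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")


def parse_auth_log(text, year=2024):
    """Turn raw lines into event dicts. The year is an assumption supplied by
    the caller because syslog timestamps do not include it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a syslog-shaped line
        a = AUTH_RE.match(m["msg"])
        if not a:
            continue                      # sshd messages we do not chart here
        stamp = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                  "%Y %b %d %H:%M:%S")
        events.append({"time": stamp, "host": m["host"], "result": a["result"],
                       "method": a["method"], "user": a["user"], "ip": a["ip"]})
    return sorted(events, key=lambda e: e["time"])


def detect_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Flag a source IP with >= threshold failures inside `window`, and record
    whether an Accepted login from the same IP followed the burst."""
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == "Failed":
            failures[ev["ip"]].append(ev)
    hits = []
    for ip, fails in failures.items():
        for i in range(len(fails) - threshold + 1):
            first, last = fails[i], fails[i + threshold - 1]
            if last["time"] - first["time"] > window:
                continue
            later = [e for e in events if e["ip"] == ip and e["result"] == "Accepted"
                     and e["time"] >= last["time"]]
            hits.append({"ip": ip, "start": first["time"], "end": last["time"],
                         "failures": sum(1 for f in fails
                                         if first["time"] <= f["time"] <= last["time"]),
                         "success_after": bool(later),
                         "success_user": later[0]["user"] if later else None})
            break                         # one finding per source IP is enough for the report
    return hits


def build_timeline(events):
    """One line per event, in time order, for the report."""
    return [f"{e['time']:%Y-%m-%d %H:%M:%S} {e['host']} {e['ip']} {e['result']} "
            f"{e['method']} for {e['user']}" for e in events]


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    for row in build_timeline(evs):
        print(row)
    for hit in detect_brute_force(evs):
        print("password guessing from", hit["ip"], "->", hit)
```

On the sample above the script reports one burst from 203.0.113.7 followed by a successful root login, while the single failure from 198.51.100.9 stays below the threshold; the thresholds are tuning knobs, not fixed rules.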
10 MARKS – Methodology of Computer Forensics
1. Preparation
Investigators gather tools, software, legal permissions, and create a plan
for the investigation. This ensures they are ready for any cyber incident.
2. Identification of Incident
The cybercrime is confirmed by checking alerts, user complaints, or
unusual system behaviour. This step helps understand what type of
attack occurred.
3. Collection of Evidence
Devices like laptops, mobiles, hard disks, and network logs are collected.
Each item is labelled, photographed, and documented to avoid mistakes.
4. Preservation of Evidence
Forensic imaging, write blockers, sealed bags, and hash values are used
to stop evidence from being changed. This keeps it legally acceptable.
5. Analysis of Data
Investigators study logs, deleted files, malware, IP addresses, browsing
history, and timelines. This helps find how the attack happened.
6. Documentation
Every action, tool, screenshot, finding, and timestamp is recorded. This
creates a clear record of the investigation.
7. Presentation & Report
A final forensic report is prepared and explained in court. It contains
findings, conclusions, and evidence to support the case.
10 MARKS – Windows Forensics & Tools
1. Registry Analysis
The Windows registry stores user settings, system configuration, and
program details. Investigators check registry keys to see installed
software, user accounts, and activity traces.
2. Event Log Examination
Windows event logs record logins, shutdowns, system errors, and
security changes. They help identify failed logins, attacks, and user
behaviour.
3. Prefetch File Study
Prefetch files (C:\Windows\Prefetch\*.pf) record programs that were
executed, with the run count and the last run time(s). They help determine
which applications were run by a user or an attacker. Prefetching is off by
default on Windows Server editions, so a missing entry is not proof that a
program never ran.
4. File System Analysis (NTFS/FAT)
Investigators check file timestamps (created, modified, accessed, and on
NTFS the MFT-entry change time) to build a timeline of activity. Deleted or
hidden files can be recovered. Timestamps can be forged ("timestomping"),
so on NTFS the $STANDARD_INFORMATION times are compared against the
$FILE_NAME times, which ordinary user-mode tools cannot set.
5. Browser Artifacts
Browser history, cookies, and cache show visited websites, downloads,
and online behaviour.
6. Tools Used
Tools like FTK Imager (disk and memory imaging), EnCase and Autopsy (disk
analysis), Volatility (analysis of captured RAM images) and Registry
Explorer are used to analyse Windows systems.
7. Reconstructing Activity
By combining artifacts, investigators can see user actions such as
program execution, file deletion, malware installation, and unauthorized
access.
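Worked example (added here; not from the original notes or any forensic tool's code): a Python check for forged NTFS timestamps, which supports the file-system analysis and activity-reconstruction points above. NTFS keeps two timestamp sets per file, $STANDARD_INFORMATION (what Explorer shows, settable through the Win32 API) and $FILE_NAME (maintained by the kernel). The two records below are constructed, not read from a real image, and the paths are made up; the timestamps are handled as raw FILETIME ticks, the 100 ns units NTFS stores.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TICKS_PER_SECOND = 10_000_000                       # FILETIME counts 100 ns units
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """UTC datetime -> FILETIME ticks, computed with integers (no float rounding)."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * TICKS_PER_SECOND + d.microseconds * 10


def from_filetime(ticks):
    """FILETIME ticks -> UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


@dataclass
class MftRecord:
    """Subset of an MFT file record: si_* from $STANDARD_INFORMATION,
    fn_* from $FILE_NAME. All values are FILETIME ticks."""
    path: str
    si_created: int
    si_modified: int
    si_accessed: int
    fn_created: int
    fn_modified: int


def check_timestomping(rec):
    """Return the indicators that apply to one record (empty list = nothing odd).
    These are leads, not proof: copying or moving a file between volumes can
    also produce the first pattern, so each hit is read against the file's history."""
    findings = []
    # A file cannot be created (SI) before the kernel recorded its creation (FN)
    # unless the SI value was rewritten afterwards.
    if rec.si_created < rec.fn_created:
        findings.append("SI created is earlier than FN created")
    # Popular timestomping tools set whole seconds only; genuine NTFS stamps
    # almost never have an all-zero fractional part in both fields.
    if rec.si_created % TICKS_PER_SECOND == 0 and rec.si_modified % TICKS_PER_SECOND == 0:
        findings.append("SI created and modified both have a zero sub-second part")
    return findings


def scan(records):
    return {r.path: check_timestomping(r) for r in records}


def _utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed records. The first is an ordinary document; the second has its SI
# times set to a round 2019 date while FN still holds the true 2024 creation time.
SAMPLE_RECORDS = [
    MftRecord("C:\\Users\\alice\\report.docx",
              si_created=to_filetime(_utc(2024, 3, 1, 9, 15, 22, 123456)),
              si_modified=to_filetime(_utc(2024, 3, 2, 11, 0, 5, 654321)),
              si_accessed=to_filetime(_utc(2024, 3, 2, 11, 0, 5, 654321)),
              fn_created=to_filetime(_utc(2024, 3, 1, 9, 15, 22, 123456)),
              fn_modified=to_filetime(_utc(2024, 3, 1, 9, 15, 22, 123456))),
    MftRecord("C:\\Windows\\Temp\\updater.exe",
              si_created=to_filetime(_utc(2019, 1, 1, 0, 0, 0)),
              si_modified=to_filetime(_utc(2019, 1, 1, 0, 0, 0)),
              si_accessed=to_filetime(_utc(2019, 1, 1, 0, 0, 0)),
              fn_created=to_filetime(_utc(2024, 3, 3, 10, 14, 30, 555555)),
              fn_modified=to_filetime(_utc(2024, 3, 3, 10, 14, 30, 555555))),
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_RECORDS).items():
        print(path, "->", hits or "no indicators")
        rec = next(r for r in SAMPLE_RECORDS if r.path == path)
        print("   SI created:", from_filetime(rec.si_created),
              " FN created:", from_filetime(rec.fn_created))
```

In a real case the records come from a parsed $MFT (Autopsy, EnCase and similar tools export these fields); the point of the check is that the FN times survive the tools an attacker normally has, so they anchor the timeline even when the SI times have been rewritten.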
10 MARKS – Network Forensics in Depth
1. Packet Capture
Investigators capture packets using tools like Wireshark. Each packet
contains IP addresses, ports, protocols, and data, which help track
attacks.
2. Packet Analysis
Packet contents are examined to detect malware communication, data
theft, or suspicious connections. Where traffic is encrypted with TLS the
payload cannot be read without the keys, but the server name (SNI),
certificates, packet sizes and timing still give useful leads.
3. Flow Analysis
Instead of single packets, flow analysis studies traffic patterns such as
large data transfers or repeated connections. This helps spot hidden
attacks.
4. Log Analysis
Firewall, router, IDS/IPS, and server logs show attack attempts, blocked
traffic, login failures, and suspicious behaviour.
5. Tracing Attackers
IP tracing, timestamps, and connection patterns point to the source address
and device. That address may belong to a VPN, proxy, NAT gateway or another
victim's compromised machine, so attribution needs ISP or hosting records
obtained through legal process, plus corroborating evidence.
6. Wireless Forensics
Wi-Fi traffic is analysed to detect unauthorized access points, rogue
devices, and wireless attacks.
7. Recreating Attack Timeline
By combining packet, flow, and log data, investigators rebuild the entire
attack path and understand how the criminal entered the network.
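Worked example (added here, not part of the original notes): flow analysis in Python over constructed packet summaries, illustrating points 3 and 7 above. Packets are aggregated into 5-tuple flows, then two patterns are searched for: a large outbound transfer (possible data theft) and sessions to one destination at near-constant intervals (an implant checking in, which a person browsing does not produce). The packets, the 10.0.0.0/8 "internal" prefix and the thresholds are assumptions made for the example; the external addresses are documentation ranges.

```python
from collections import defaultdict
from statistics import mean, pstdev

INTERNAL_PREFIX = "10."            # assumption: the monitored LAN is 10.0.0.0/8
BIG_TRANSFER_BYTES = 5_000_000     # assumption: report outbound flows above 5 MB
BEACON_MIN_SESSIONS = 5            # need enough sessions to judge regularity
BEACON_MAX_JITTER = 0.10           # stdev/mean of the gaps between session starts


def make_sample_packets():
    """Constructed packet summaries: (timestamp, src, sport, dst, dport, proto, bytes).
    No real capture is used."""
    base = 1_700_000_000.0
    pkts = []
    # a) implant check-in: six small sessions roughly 60 s apart
    for i, jitter in enumerate([0, 1, -1, 0, 1, 0]):
        t, sport = base + i * 60 + jitter, 50000 + i
        pkts += [(t, "10.0.0.5", sport, "203.0.113.50", 443, "tcp", 180),
                 (t + 0.1, "203.0.113.50", 443, "10.0.0.5", sport, "tcp", 320),
                 (t + 0.2, "10.0.0.5", sport, "203.0.113.50", 443, "tcp", 60)]
    # b) bulk upload: one SSH session pushing 4200 full-size segments out
    for j in range(4200):
        pkts.append((base + 200 + j * 0.01, "10.0.0.7", 51234, "198.51.100.20", 22, "tcp", 1460))
    # c) ordinary browsing: two sessions with irregular spacing
    pkts += [(base + 30, "10.0.0.5", 49001, "93.184.216.34", 443, "tcp", 500),
             (base + 31, "93.184.216.34", 443, "10.0.0.5", 49001, "tcp", 9000),
             (base + 245, "10.0.0.5", 49002, "93.184.216.34", 443, "tcp", 500)]
    return pkts


def build_flows(packets):
    """Aggregate packets into directional 5-tuple flows with byte/packet totals."""
    flows = {}
    for t, src, sport, dst, dport, proto, size in packets:
        f = flows.setdefault((src, sport, dst, dport, proto),
                             {"start": t, "end": t, "packets": 0, "bytes": 0})
        f["start"], f["end"] = min(f["start"], t), max(f["end"], t)
        f["packets"] += 1
        f["bytes"] += size
    return flows


def outbound(flows):
    """Flows from an internal source to an external destination."""
    return {k: v for k, v in flows.items()
            if k[0].startswith(INTERNAL_PREFIX) and not k[2].startswith(INTERNAL_PREFIX)}


def find_large_transfers(flows):
    return [{"src": k[0], "dst": k[2], "dport": k[3], "bytes": v["bytes"]}
            for k, v in outbound(flows).items() if v["bytes"] >= BIG_TRANSFER_BYTES]


def find_beacons(flows):
    """Group outbound sessions by (src, dst, dport); nearly equal gaps between
    session starts point at an automated check-in rather than a person."""
    sessions = defaultdict(list)
    for k, v in outbound(flows).items():
        sessions[(k[0], k[2], k[3])].append(v["start"])
    beacons = []
    for (src, dst, dport), starts in sessions.items():
        starts.sort()
        if len(starts) < BEACON_MIN_SESSIONS:
            continue
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= BEACON_MAX_JITTER:
            beacons.append({"src": src, "dst": dst, "dport": dport,
                            "sessions": len(starts), "interval_s": round(avg, 1)})
    return beacons


def analyse(packets):
    flows = build_flows(packets)
    return {"flows": len(flows),
            "large_transfers": find_large_transfers(flows),
            "beacons": find_beacons(flows)}


if __name__ == "__main__":
    report = analyse(make_sample_packets())
    print("flows:", report["flows"])
    print("large outbound transfers:", report["large_transfers"])
    print("beacon-like sessions:", report["beacons"])
```

Real captures are turned into the same tuples with tshark or a flow exporter (NetFlow/IPFIX); the analysis does not need packet payloads at all, which is why it still works on TLS traffic.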
10 MARKS – Case Studies in Computer Forensics
1. Case Type Identified
Common cases include hacking, fraud, identity theft, malware attacks,
insider threats, or data leakage.
2. Evidence Collection
Devices like computers, mobiles, USBs, CCTV footage, logs, and emails
are collected. Each item is documented.
3. Disk & File Analysis
Investigators recover deleted files, study timestamps, analyse document
changes, and check program usage to understand user actions.
4. Network Evidence
IP addresses, packet logs, and login reports help track attacker
movement across the network.
5. Malware Investigation
In malware cases, the infected machine is analysed to check virus
behaviour and source of infection.
6. User Behaviour Study
Browser history, chat logs, emails, and system activity help identify a
suspect’s intentions and actions.
7. Legal Application
The investigation results are linked to IT Act sections such as 66C, 66D,
43, etc., and presented in a forensic report for court.
UNIT 2 – SUMMARY (Very Easy English)
1. What is Computer Forensics?
Computer forensics is the process of collecting, preserving, analysing, and presenting digital evidence
to investigate cybercrimes. It works like digital detective work.
2. Categories of Computer Forensics
• Disk Forensics: Recover deleted data from storage devices.
• Network Forensics: Analyse network traffic and IP addresses.
• Mobile Forensics: Extract chats, calls, photos, and location from phones.
• Memory Forensics: Analyse RAM to catch running malware.
• Cloud Forensics: Investigate cloud accounts and online storage.
3. Key Windows Artifacts
Registry, event logs, prefetch files, recycle bin, and browser history.
These show user activity and system behaviour.
4. Linux Forensics
Uses logs in /var/log (for example syslog and the authentication log) to detect intruders, failed logins, and system events.
5. Network Forensics Concepts
Packet analysis, flow analysis, IP tracing, and IDS alerts help find hackers and understand how attacks
happened.
6. Mobile Forensics Workflow
Seize device → preserve data → extract data → analyse → report.
Challenges: lock screens, encryption, app security, cloud sync.
7. Forensic Methodology
Collect → Preserve → Analyse → Document → Present in court.
UNIT 3 – 2 MARK ANSWERS
1. What is the National Cybersecurity Policy?
The National Cyber Security Policy (2013) is a policy issued by the Indian
government to protect the country's computers, networks, and digital information from
cyberattacks. Its goal is to improve national security by reducing risks,
increasing awareness, and training people in cybersecurity. The policy ensures
that government departments, companies, and individuals follow safe online
practices. It promotes setting up secure networks, protecting critical systems,
and improving quick response to cyber incidents. It also encourages research,
new technologies, and cooperation between government and private sectors
to keep India safe from cybercrime and online threats.
2. What is DSCI Security Framework?
The DSCI (Data Security Council of India) Security Framework is a set of
guidelines that helps companies protect their data and maintain strong
security. It explains how an organisation should manage privacy, security
policies, risk management, access control, and data protection. It also gives
best practices for handling customer information, preventing data leaks, and
responding to cyber incidents. The framework helps organisations follow legal
rules and maintain trust with users. It improves security by focusing on people,
processes, and technology together. Many industries in India use the DSCI
framework to keep their information safe.
3. Define data privacy attack.
A data privacy attack happens when someone gains access to a person’s private
or sensitive information without permission. This information can include
names, addresses, passwords, photos, bank details, or personal messages.
Attackers may use this stolen data for identity theft, fraud, blackmail, or misuse
on social media. Examples of data privacy attacks include phishing, spying on
someone’s online activity, stealing data from websites, or hacking personal
accounts. These attacks are harmful because they expose personal information
and break a person’s right to privacy. Protecting data with strong passwords
and safe browsing helps reduce such attacks.
4. What is profiling in data analytics?
Profiling in data analytics means collecting and analysing someone’s data to
understand their behaviour, interests, habits, or personality. Websites, apps,
and companies create profiles of users based on browsing history, likes,
purchases, searches, and location. The main purpose is to show personalised
ads, improve services, or predict future actions. Although profiling is useful, it
can also become a privacy risk because too much data is collected about a
person. If misused, it can lead to discrimination, manipulation, or targeted
fraud. Therefore, profiling must be done carefully and with proper privacy
protection.
5. What is email spoofing?
Email spoofing is a cyberattack where someone sends an email that looks like it
came from a trusted person or company, but it is actually fake. Attackers
change the sender's name or address to trick the receiver. This is possible
because SMTP itself does not check that the From address belongs to the
sender; only SPF, DKIM and DMARC checks on the receiving side can show that
the domain did not really send the message. The goal is usually to steal
personal information, spread malware, or make the person click harmful
links. Spoofed emails can look very real, like bank messages, company notices,
or friend requests. People may get fooled easily because the email appears
genuine. Email spoofing is a major part of phishing attacks and can lead to
financial fraud or identity theft.
6. List two privacy risks in social media.
Two common privacy risks in social media are oversharing and identity theft.
Oversharing happens when users post personal details like location, phone
number, school, or photos. This information can be misused by stalkers,
scammers, or strangers. Identity theft occurs when someone copies your
personal details or photos to create a fake account. This fake profile can be
used for scams or harassment. Other risks include cyberstalking, data leaks,
online bullying, and misuse of private chats. Social media platforms also collect
user data for advertising, which can reduce privacy. Using strict privacy settings
helps reduce these risks.
7. What is IoT privacy threat?
IoT privacy threats come from smart devices like smartwatches, cameras,
speakers, or home appliances that collect personal data. These devices are
always connected to the internet and record information such as location,
voice, habits, and daily routines. If attackers hack these devices, they can
access this private information or monitor people secretly. Many IoT devices
have weak security, making them easy targets. Even companies storing this
data may face data leaks. Because IoT devices know so much about a person’s
life, privacy threats become serious if the data is misused or stolen.
8. Define data linking.
Data linking means connecting information from different sources to create a
complete profile of a person. For example, linking social media data with
shopping records, location history, and browsing activity. Even if each piece of
data looks harmless, when combined, it can reveal sensitive details like habits,
interests, friends, income, or health. Companies use data linking to personalise
ads, while hackers use it for stalking or fraud. The danger is that a person may
not know how much information is being connected. Without consent or
protection, data linking becomes a major privacy risk.
9. What is web tracking?
Web tracking is the process of monitoring what a user does on the internet.
Websites track activities like visited pages, clicks, searches, location, and time
spent online. This is done using cookies, browser fingerprinting, and trackers.
Companies use this data to show personalised ads or improve their services.
However, web tracking becomes a privacy issue when users are watched
without their knowledge. Attackers can also use tracking data for spying or
targeted scams. Web tracking reveals personal behaviour patterns, which can
be misused if not protected properly. Using private browsing and blocking
third-party cookies reduces tracking, but browser fingerprinting works
without cookies, so these steps limit tracking rather than stop it.
10. What are emerging technology privacy issues?
Emerging technologies like IoT, Cloud, AI, Big Data, and Social Media create
new privacy problems. IoT devices collect personal data 24/7. Cloud storage
keeps huge amounts of sensitive data that can be hacked. AI systems may
misuse personal data or show biased decisions. Big Data collects information
from different sources and creates detailed user profiles without consent.
Social media exposes private information, making people targets for fraud or
harassment. These technologies are useful, but they increase the risk of data
leaks, identity theft, tracking, and loss of personal control over information.
5 MARKS
1. Key Provisions of the National Cybersecurity Policy
1. Protect Critical Infrastructure
The policy focuses on securing important systems like banking, power,
telecom, and government networks from cyberattacks.
2. Early Detection & Response
It names CERT-In (the Indian Computer Emergency Response Team) as the
national nodal agency for handling cyber incidents and promotes sectoral
CERTs so that attacks are detected quickly and handled immediately.
3. Security Standards & Guidelines
Organisations must follow security rules, best practices, and
international standards to stay safe from cyber threats.
4. Skill Development & Training
The policy encourages training students, professionals, and government
employees in cybersecurity skills.
5. Public Awareness & Cyber Hygiene
It supports awareness programs to teach safe online habits, strong
passwords, and protection against scams.
2. DSCI Framework Components and Best Practices
1. Security Governance
Organisations must create clear security policies, assign responsibilities,
and manage risks properly.
2. Access Control & Identity Management
Only authorized users should access sensitive information, using
passwords, biometrics, or multi-factor authentication.
3. Data Protection Measures
It promotes data encryption, secure storage, backup plans, and safe data
sharing methods.
4. Incident Management
Companies should have processes to detect, report, and respond to
cyber incidents quickly.
5. Compliance & Audits
Regular security checks ensure companies follow laws and improve their
cybersecurity posture.
3. Data Privacy Attacks with Examples
1. Phishing Attacks
Attackers send fake emails or messages to steal passwords or bank
details.
Example: Fake bank SMS asking for OTP.
2. Identity Theft
Criminals steal personal information like Aadhaar number or mobile
number to misuse it.
Example: Opening accounts using someone else’s identity.
3. Social Engineering
Attackers manipulate users into revealing private information.
Example: Fake tech support call asking for login details.
4. Account Hacking
Breaking into social media or email accounts to steal private chats or
photos.
5. Data Leakage
Personal data is exposed due to weak security in apps or websites.
4. Privacy Threats on the Web & Safeguards
1. Tracking & Monitoring
Websites track browsing habits, searches, and clicks without user
knowledge.
2. Cookies & Browser Fingerprinting
Websites store user data and identify devices, reducing privacy.
3. Phishing & Fake Websites
Users are tricked into sharing personal information.
4. Malicious Advertisements
Ads may contain malware or lead to harmful websites.
5. Safeguards
Use strong passwords, a VPN on untrusted networks, antivirus, private
browsing, and avoid unsecured websites. Private browsing only stops history
being kept on your own device; it does not hide you from the website, so
cookie controls and tracker-blocking extensions are needed as well.
5. Email Security Vulnerabilities & Protection
1. Phishing Emails
Fake emails ask users to click harmful links or share passwords.
2. Email Spoofing
Attackers send emails pretending to be trusted people.
3. Malware Attachments
Emails contain harmful files that infect devices when opened.
4. Weak Passwords
Easy passwords make email accounts vulnerable to hacking.
5. Protection Measures
Use strong passwords, avoid unknown attachments, enable two-factor
authentication, and check sender details carefully (the real address behind
the display name, the Reply-To address, and the Authentication-Results
header added by your mail server). Organisations should publish SPF, DKIM
and DMARC records so that receivers can reject mail that spoofs their domain.
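Worked example (added here, not from the original notes): a Python check that does the "check sender details carefully" step from the protection measures above and makes the spoofing definition in the 2-mark answer concrete. It reads a raw message, compares the From domain with the envelope sender (Return-Path) and Reply-To, and reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header. Both messages, the domains and the receiving server name (mx.example.net) are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
BAD_RESULTS = {"fail", "softfail", "permerror", "temperror"}

# Constructed messages (no real mail). The first imitates a bank alert sent
# from an unrelated domain; the second is ordinary mail that passes every check.
SPOOFED = """\
Return-Path: <bounce-1827@mail.attacker.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mail.attacker.example; dkim=none; dmarc=fail header.from=example-bank.com
From: "Example Bank Security" <alerts@example-bank.com>
Reply-To: <support-desk@attacker.example>
To: alice@example.net
Subject: Your account is locked

Click the link below within 24 hours to restore access.
"""

LEGIT = """\
Return-Path: <bob@example.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Bob <bob@example.com>
To: alice@example.net
Subject: Lunch on Friday?

Are you free at 1 pm?
"""


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none).
    parseaddr strips the display name, which is what attackers dress up."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def check_spoofing(raw):
    """Return a list of findings for one raw message (empty = nothing suspicious).
    Only trust an Authentication-Results header written by your own mail
    server: a sender can add a fake one, so inbound copies are normally stripped.
    Mailing lists and bulk senders legitimately use a different envelope
    domain; the DMARC result is what decides whether that is acceptable."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From"))
    envelope_dom = domain_of(msg.get("Return-Path"))
    reply_dom = domain_of(msg.get("Reply-To"))
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"envelope sender {envelope_dom} differs from From domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To points to {reply_dom}, not {from_dom}")
    results = {mech.lower(): verdict.lower()
               for mech, verdict in AUTH_RE.findall(msg.get("Authentication-Results", ""))}
    for mech in ("spf", "dkim", "dmarc"):
        if results.get(mech) in BAD_RESULTS:
            findings.append(f"{mech} result is {results[mech]}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGIT)):
        print(label, "->", check_spoofing(raw) or "no findings")
```

A missing DKIM signature (dkim=none) is deliberately not flagged on its own, since plenty of genuine mail is unsigned; it is the combination of a failing SPF/DMARC verdict with mismatched sender domains that marks the first message as spoofed.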
6. Privacy Impacts of Emerging Technologies
1. IoT Risks
Smart devices collect personal data like location, voice, and habits.
2. Cloud Vulnerabilities
Data stored online may be hacked if security is weak.
3. AI Misuse
AI systems collect large amounts of personal data and may use it unfairly.
4. Social Media Exposure
People share personal information that attackers can misuse.
5. Big Data Profiling
Companies combine data from many sources to create detailed user
profiles, reducing privacy.
10 MARKS
1. National Cybersecurity Policy – Objectives, Framework, Challenges (200
words)
1. Protect National Digital Infrastructure
The policy aims to secure banks, power plants, government networks,
and telecom systems from cyberattacks so that the country functions
safely.
2. Early Detection & Quick Response
It names CERT-In (the Indian Computer Emergency Response Team) as the
national nodal agency and supports sectoral response teams that identify
cyber threats quickly and control damage before it spreads.
3. Security Standards for Organisations
The policy asks companies to follow strong security guidelines, use
firewalls, encryption, and proper access control to reduce risks.
4. Skill Development & Manpower
It promotes training students, professionals, and government staff in
cybersecurity to create a strong workforce.
5. Public Awareness Programs
The policy encourages awareness campaigns so citizens learn safe
internet habits, strong passwords, and scam prevention.
6. Promote Research & Technology
It supports new tools, security solutions, and collaboration between
government and private industry.
7. Implementation Challenges
Challenges include lack of skilled experts, slow adoption of security
practices, low public awareness, outdated systems, and increasing cyber
threats.
2. DSCI Security Framework – Components & Applications .
1. Security Governance
Organisations must establish strong security policies, assign roles, and
ensure continuous monitoring to control risks.
2. Risk Management
The framework guides companies to identify risks, analyse their impact,
and apply controls to prevent data misuse or leaks.
3. Access Control
Only authorised users should access sensitive data. Multi-factor
authentication, passwords, and biometrics are recommended.
4. Data Protection Techniques
It promotes encryption, secure backups, data masking, and controlled
data sharing to maintain confidentiality.
5. Security Operations
Continuous monitoring, threat detection, vulnerability scanning, and
patching are included to keep systems updated and safe.
6. Incident Response
The framework explains how to detect, report, analyse, and recover from
a cyber incident quickly and systematically.
7. Compliance & Audits
Regular audits ensure the organisation follows IT laws and maintains
strong security practices. Industries like banking, IT, and telecom widely
use DSCI guidelines.
3. Data Privacy Attacks, Data Linking & Profiling
1. Data Privacy Attacks
These attacks happen when personal information like names, passwords,
chats, bank details, or photos is accessed without permission. Examples
include phishing, identity theft, social engineering, and account hacking.
Attackers misuse the stolen data for fraud, blackmail, financial theft, or
impersonation.
2. Data Linking
Data linking means combining information from different sources—social
media, shopping sites, location data, browsing history—to create a
complete profile of a person. Even small pieces of data become
dangerous when linked because they reveal habits, routines, interests,
and relationships.
3. Profiling
Profiling analyses a person’s behaviour using their online activity,
purchases, searches, and interactions. It is used for personalised ads,
recommendations, and prediction of user behaviour. However, profiling
can invade privacy if data is misused or collected without consent.
4. Privacy Concerns
When attackers or companies collect too much data, it can lead to
discrimination, targeted scams, and loss of personal freedom. Strong
privacy laws and user awareness are necessary to reduce risks.
4. Privacy Impacts of Emerging Technologies (IoT, Cloud, AI, Big Data, Social
Media)
1. IoT Devices
Smart devices like cameras, speakers, and wearables collect sensitive
information such as voice, location, and daily habits. Weak security in IoT
makes them easy targets for hackers.
2. Cloud Computing
Large amounts of personal data stored in the cloud may be exposed if
the provider has weak security. Data leaks, poor encryption, and
unauthorised access are major risks.
3. Artificial Intelligence (AI)
AI systems analyse huge amounts of personal data. If misused, AI can
lead to biased decisions, facial recognition misuse, or privacy invasion
through behaviour tracking.
4. Big Data
Big Data collects information from many sources and creates extremely
detailed user profiles. This can reveal private details even if data is
anonymised.
5. Social Media
Users share photos, locations, and personal information that attackers
can misuse for stalking, identity theft, or manipulation. Platforms also
track user behaviour for advertising.
6. Overall Impact
All these technologies increase convenience but reduce control over
personal information. Strong laws, encryption, user awareness, and
security standards are needed to protect privacy.
5. Evidence Handling & Recovery (Live Data, Dead Data, Host
Identification)
1. Live Data Collection
Live data is collected while the system is running. It includes RAM data,
running processes, open network connections, active sessions, and
system time. This data is volatile and disappears if the device is turned
off, so it is captured first, most volatile items before less volatile ones.
FTK Imager Lite (or a similar tool) captures the memory; Volatility then
analyses the captured memory image. Every command run on a live system
changes it slightly, so each action taken is noted with its time.
2. Dead Data Collection
Dead data is collected when the system is powered off. Investigators
create a forensic image of the hard disk to preserve original data. Dead
data includes deleted files, logs, documents, browsing history, and
system artifacts.
3. Preservation Techniques
Write blockers, sealed evidence bags, labels, and hash values ensure
data remains unchanged. Chain of custody records every handler of
evidence.
4. Host Identification
Investigators identify the host system using MAC address, IP address,
hostname, hardware serial numbers, and system logs. This helps confirm
which device was used in the cybercrime. IP addresses are usually handed
out by DHCP and MAC addresses can be changed, so they are matched against
DHCP lease and switch logs for the time in question.
5. Recovery Process
Deleted files, formatted partitions, damaged data, and hidden
information are recovered using tools like Autopsy, EnCase, and Magnet
Axiom. All findings are documented and added to the forensic report.
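Worked example (added here, not part of the original notes): the preservation step described above and in the forensic methodology section, in Python. The source device is imaged in a single pass while a SHA-256 hash is computed over the bytes that pass through, the resulting image is re-hashed by each later handler, and a chain-of-custody log records who saw which hash. The "device" is 300 KiB of patterned bytes held in memory and the case and item identifiers are made up; a real acquisition reads from a write-blocked drive and writes to an evidence file, but the hashing and verification logic is the same.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 1 << 16                        # read 64 KiB at a time; real images are large


def acquire(source, dest, chunk_size=CHUNK):
    """Copy `source` to `dest` in one pass, hashing the bytes as they go.
    `source` stands in for a write-blocked device; here it is a BytesIO."""
    sha = hashlib.sha256()
    size = 0
    while True:
        block = source.read(chunk_size)
        if not block:
            break
        sha.update(block)
        dest.write(block)
        size += len(block)
    return {"sha256": sha.hexdigest(), "size": size}


def hash_image(fileobj, chunk_size=CHUNK):
    """SHA-256 of a readable object, without loading it all into memory."""
    sha = hashlib.sha256()
    for block in iter(lambda: fileobj.read(chunk_size), b""):
        sha.update(block)
    return sha.hexdigest()


def verify(fileobj, expected_sha256):
    """Re-hash from the start and compare with the acquisition hash."""
    fileobj.seek(0)
    return hash_image(fileobj) == expected_sha256


class CustodyLog:
    """Append-only record of who handled the evidence and the hash they saw."""

    def __init__(self, case_id, item_id):
        self.case_id, self.item_id = case_id, item_id
        self.entries = []

    def record(self, action, handler, sha256, when=None):
        self.entries.append({"case": self.case_id, "item": self.item_id,
                             "action": action, "handler": handler, "sha256": sha256,
                             "time": (when or datetime.now(timezone.utc)).isoformat()})

    def consistent(self):
        """True when every handler recorded the same hash as the acquisition."""
        return len({e["sha256"] for e in self.entries}) == 1

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def demo():
    # Constructed "device": 300 KiB of patterned bytes, not a real disk.
    device = io.BytesIO(bytes(range(256)) * 1200)
    image = io.BytesIO()
    log = CustodyLog("CASE-0042", "HDD-01")          # constructed identifiers
    result = acquire(device, image)
    log.record("acquired", "examiner A", result["sha256"])
    # A later handler re-hashes before doing anything with the image.
    log.record("received for analysis", "examiner B",
               hash_image(io.BytesIO(image.getvalue())))
    # A copy with one byte flipped must fail verification.
    tampered = bytearray(image.getvalue())
    tampered[1000] ^= 0x01
    return {"acquired": result,
            "intact": verify(image, result["sha256"]),
            "tampered_ok": verify(io.BytesIO(bytes(tampered)), result["sha256"]),
            "custody_consistent": log.consistent(),
            "log": log}


if __name__ == "__main__":
    out = demo()
    print("image size:", out["acquired"]["size"], "sha256:", out["acquired"]["sha256"])
    print("original verifies:", out["intact"], "| tampered copy verifies:", out["tampered_ok"])
    print(out["log"].to_json())
```

Many labs record MD5 alongside SHA-256 because older reports and tools expect it; adding a second hashlib object to the same loop costs one extra update per block and keeps the single-pass property.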
⭐ UNIT 3 – SUMMARY
1. National Cybersecurity Policy
A policy by the Indian government to protect the country’s networks,
data, and critical systems from cyberattacks. It focuses on awareness,
training, early detection, and strong cyber response teams.
2. DSCI Security Framework
A guideline created by the Data Security Council of India to help
organisations protect data. It includes risk management, access control,
incident response, audits, and data protection best practices.
3. Data Privacy Attacks
Attacks where personal information is stolen or misused. Examples:
phishing, identity theft, data leaks, and account hacking.
4. Profiling & Data Linking
Profiling means analysing user behaviour.
Data linking means combining data from different sources to reveal
personal details.
Both can cause serious privacy risks.
5. Email Spoofing & Social Media Privacy Risks
Fake emails that appear real.
Social media risks include oversharing, stalking, fake accounts, and data
misuse.
6. IoT, Cloud, AI & Big Data Privacy Issues
IoT devices collect personal data, cloud stores sensitive information, AI
analyses behaviour, and big data creates detailed profiles—leading to
privacy concerns.
7. Web Tracking
Websites track browsing activity using cookies and scripts, reducing user
privacy.