Module 2 Notes (DF)

The document outlines the process of data acquisition in digital forensics, detailing methods for creating forensically sound copies of digital evidence. It describes three primary storage formats (Raw, Proprietary, and Advanced Forensics Format) and various acquisition methods (static, live, bit-stream, logical, and sparse) based on the system's state and legal requirements. Additionally, it emphasizes the importance of validation through hashing algorithms to ensure the integrity of the acquired data.

Uploaded by vidyahg01

Srishyla Education Trust ®

GM UNIVERSITY
(Established under the Karnataka State Act No. 19 of 2023)
Post Box no-4, PB Road, Davangere-577006
FACULTY OF ENGINEERING AND TECHNOLOGY
School of Computer Science and Technology

Data Acquisition:
In digital forensics, data acquisition is the process of creating a forensically sound copy
of digital evidence from a suspect's storage media for the purpose of investigation. This
process is designed to ensure that the original evidence remains unaltered while providing
a bit-for-bit replica that can be analysed by investigators.
Understanding Storage Formats
In digital forensics, a storage format is a specific method used to package and store the
"bit-stream" data (an exact bit-for-bit copy) of an evidence drive. There are three primary
formats used in the industry: Raw, Proprietary, and Advanced Forensics Format (AFF).
1. Raw Format
The raw format is a basic, bit-by-bit copy of the original drive to a single file. It is most
famously created with the Linux dd command (commonly glossed as "data dump").
• Advantages: It is fast, it can be told to continue past read errors on the source drive
(dd conv=noerror,sync writes zeros in place of an unreadable block instead of aborting),
and it can be read by almost all forensic analysis tools.
• Disadvantages: It requires at least as much storage space as the original disk, since
there is no compression. It carries no metadata (investigator info, timestamps, case
number), so its validation hashes (MD5, SHA-1 or, preferably, SHA-256) must be stored
in a separate text file.
• Example: An investigator boots from a Linux forensic CD and runs dd against a
suspect's 500 GB hard drive. The result is a 500 GB file on the investigator's target drive
that mirrors the original. The investigator must separately compute the hash of the
source and of the image, confirm they match, and save the values in a text file stored with
the image (never on the suspect drive) to prove later that the data has not changed.
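The following is an added example, written for these notes and not taken from them or from any forensic tool, of what a raw acquisition loop does: it copies sector by sector, pads an unreadable sector with zeros the way dd conv=noerror,sync does, computes MD5, SHA-1 and SHA-256 in the same pass as dcfldd does, and returns the hashes that would go in the separate hash file. The failing drive, its bad-sector list and the in-memory image are constructed stand-ins for /dev/sdX and the target file.

```python
# Added example, not from the notes: a raw ("dd-style") acquisition loop that
# mimics `dd conv=noerror,sync` and dcfldd-style simultaneous hashing. The
# source is an in-memory stand-in for /dev/sdX whose listed sectors fail to
# read (a constructed assumption); the destination is an in-memory image.
import hashlib
import io

SECTOR = 512


class FlakySource:
    """Constructed stand-in for a suspect drive: reads of listed sectors fail."""

    def __init__(self, data: bytes, bad_sectors=()):
        self._data = data
        self._bad = set(bad_sectors)

    def size(self) -> int:
        return len(self._data)

    def read_sector(self, n: int) -> bytes:
        if n in self._bad:
            raise OSError(f"I/O error reading sector {n}")
        return self._data[n * SECTOR:(n + 1) * SECTOR]


def acquire_raw(src: FlakySource, algorithms=("md5", "sha1", "sha256")) -> tuple:
    """Copy every sector of src into a raw image; return (image, hashlog, errors).

    An unreadable sector is logged and replaced by SECTOR zero bytes instead of
    being skipped, so every later sector keeps its original offset (this is the
    noerror,sync behaviour). A short final sector is padded the same way.
    The hashes cover the bytes actually written, as dcfldd's hash= option does.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    image = io.BytesIO()
    errors = []
    sectors = (src.size() + SECTOR - 1) // SECTOR
    for n in range(sectors):
        try:
            chunk = src.read_sector(n)
        except OSError as exc:
            errors.append((n, str(exc)))
            chunk = b""
        chunk = chunk.ljust(SECTOR, b"\x00")   # pad, never shrink the image
        image.write(chunk)
        for h in hashers.values():
            h.update(chunk)
    hashlog = {name: h.hexdigest() for name, h in hashers.items()}
    return image.getvalue(), hashlog, errors


def verify_raw(image: bytes, hashlog: dict) -> bool:
    """Re-hash the image later (lab or court) and compare with the recorded hashlog."""
    return all(hashlib.new(name, image).hexdigest() == digest
               for name, digest in hashlog.items())


if __name__ == "__main__":
    # Constructed sample: 8 sectors of recognisable data, sector 3 unreadable.
    disk = b"".join(bytes([65 + i]) * SECTOR for i in range(8))
    img, log, errs = acquire_raw(FlakySource(disk, bad_sectors={3}))
    print(f"image {len(img)} bytes, read errors: {errs}")
    for name, digest in log.items():
        print(f"{name}  {digest}")     # these lines are the separate hash file
    print("verified:", verify_raw(img, log))
```

The error list is as important as the hashes: a zero-filled sector is indistinguishable from a genuinely empty one once the image exists, so the offsets of padded sectors belong in the case notes next to the hash values.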
2. Proprietary Formats
Proprietary formats are created by commercial forensic software vendors and offer
advanced features that raw images lack. The Expert Witness format (with file extensions
like .E01, .E02) is the unofficial industry standard, used by major tools like EnCase and
FTK.
• Features: These formats can compress image files (often by 50% or more) and split
large images into smaller segments (like 650MB for CDs or 2GB for DVDs).
Crucially, they integrate metadata—such as the investigator's name, case number,
and hash values—directly into the image file itself.
• Disadvantages: Sharing image files between different forensic tools can be difficult
(the E01 format is the exception in practice, since open libraries such as libewf read it),
and there are often size limitations for segmented volumes.
• Example: An investigator uses ProDiscover Basic to acquire an image. They
choose the proprietary format, which automatically splits the massive drive into
650MB segments with an .eve extension, saves a log file, and embeds the
investigator's "Joe Friday" name and case notes directly into the file's header.
3. Advanced Forensics Format (AFF)
AFF is an open-source storage format developed by Dr. Simson L. Garfinkel to provide
the benefits of proprietary formats without being tied to a specific commercial tool.
• Design Goals: It supports both compressed and uncompressed files, has no size
restrictions, and provides space for extensive metadata. It also includes internal
consistency checks for self-authentication.
• File Extensions: It typically uses .aff for a single image file, .afd for segmented
image files and .afm for metadata kept alongside a raw image.
• Status: The original AFF library is no longer actively developed; its successor, AFF4,
keeps the same goals (open specification, compression, embedded metadata and hashes).
• Example: A lab working on multiple operating systems (Linux, Windows, etc.)
uses AFF because it is open-source and compatible across different platforms. They
can image a multi-terabyte RAID system into a single AFF container, knowing that
the format's internal checks will notify them if any part of the data becomes
corrupted.

Determining the best acquisition method


Determining the best acquisition method in digital forensics involves evaluating the state
of the suspect system, the size of the data, and the specific requirements of the legal case.
The sources identify two primary categories and four specific methods to consider.
1. Primary Acquisition Categories
The first step is deciding between a static or live approach based on the system's power
state and potential encryption:
• Static Acquisition: This involves copying a hard drive from a powered-off system,
normally through a write-blocker. It is the traditional standard because it is
repeatable (imaging the same drive twice yields the same hash) and does not alter the
original data.
• Live Acquisition: This involves copying data from a running computer. It is now
often the preferred method because it can capture encrypted hard drives (like those
using Windows BitLocker or TrueCrypt, now discontinued but still encountered) in their
decrypted state while the machine is on, and it allows the collection of volatile RAM
data. It is not repeatable, and running the acquisition tool itself changes the system
state, so record exactly which tool was run, when, and from where.
2. Four Specific Acquisition Methods
Once the category is chosen, investigators select one of these four technical methods:
• Bit-stream Disk-to-Image File: This is the most common method. It creates a bit-
for-bit replication of the original drive into one or more image files. It is highly
flexible and can be read by most forensics tools, including ProDiscover, EnCase, and FTK.
• Bit-stream Disk-to-Disk: This method is used when a disk-to-image copy is not
possible due to hardware or software errors, which is a common issue with older
drives. The copy tool adjusts the target disk's geometry to match the suspect's drive.
• Logical Acquisition: This is used when time is limited or the evidence disk is
excessively large. It captures only specific files of interest to the case, such as
Outlook .pst or .ost email files.
• Sparse Acquisition: Also used for large drives under time pressure. Unlike a logical
acquisition, which copies only allocated files, it copies selected files plus fragments
of unallocated (deleted) space, so some deleted data is recovered without imaging the
whole drive.
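Added example, not from the notes: a logical acquisition in code. It walks a source tree, copies only the files whose names match the case's patterns (Outlook .pst and .ost mail stores, as in the notes), preserves their timestamps, and writes a manifest with each file's original path, size, modification time and SHA-256 so the copies can be re-verified later. The source tree is constructed in a temporary directory and the manifest layout is this example's own, not that of any forensic product.

```python
# Added example, not from the notes: a logical acquisition that copies only the
# files the case needs (here Outlook .pst/.ost mail stores, as in the notes),
# keeps their timestamps, and writes a manifest with each file's size, original
# modification time and SHA-256 so the copies can be re-verified later. The
# source tree is constructed in a temporary directory and the manifest layout
# is this example's own, not that of any forensic product.
import fnmatch
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(1 << 16):
            h.update(chunk)
    return h.hexdigest()


def logical_acquire(source_root: str, dest_root: str, patterns) -> list:
    """Copy files under source_root whose names match patterns into dest_root.

    Each file is hashed before the copy and again after it; a mismatch aborts
    the run. Returns the manifest (one record per file), also written to
    dest_root/manifest.json.
    """
    manifest = []
    os.makedirs(dest_root, exist_ok=True)
    for dirpath, _, files in os.walk(source_root):
        for name in sorted(files):
            if not any(fnmatch.fnmatch(name.lower(), p) for p in patterns):
                continue
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, source_root)
            dst = os.path.join(dest_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            st = os.stat(src)
            before = sha256_file(src)
            shutil.copy2(src, dst)            # copy2 preserves mtime and mode
            after = sha256_file(dst)
            if before != after:
                raise IOError(f"copy of {rel} did not verify")
            manifest.append({"source": rel, "size": st.st_size,
                             "mtime": st.st_mtime, "sha256": after})
    with open(os.path.join(dest_root, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def demo() -> list:
    """Constructed case: a user profile with mail stores and out-of-scope files."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "suspect"), os.path.join(tmp, "evidence")
        sample = {                             # constructed sample tree
            "Users/jfriday/Outlook/archive.pst": b"!BDN" + b"\x00" * 100,
            "Users/jfriday/Outlook/mail.ost": b"!BDN" + b"\x01" * 50,
            "Users/jfriday/Documents/notes.txt": b"not in scope",
            "Windows/System32/big.bin": b"\xff" * 1000,
        }
        for rel, data in sample.items():
            path = os.path.join(src, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        return logical_acquire(src, dst, ("*.pst", "*.ost"))


if __name__ == "__main__":
    for record in demo():
        print(record)
```

What the manifest cannot give you is what a bit-stream image would: deleted mail stores, slack space and files renamed to hide their type all fall outside a name-pattern selection, which is the trade-off the notes describe when time or volume forces a logical acquisition.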
3. Key Decision Factors
The sources highlight several strategic considerations for choosing a method:
• Data Size and Time: If the disk is massive and time is short, logical or sparse
acquisitions are preferred. For extremely large data sets where size is the only
concern, tape backup systems can be an alternative, though they are slow.
• Legal Requirements: In civil litigation, a discovery order may require the return of
the original disk immediately after imaging. Because you often only have one
chance to get it right, it is critical to consult with a supervisor or attorney to
determine if a full bit-stream or just a logical copy is required.
• RAID Systems: If a RAID system is too large for static acquisition, investigators
should retrieve only relevant data using the sparse or logical method.
4. Contingency Planning and Best Practices
To ensure the integrity of the acquisition, investigators should follow these best practices:
• Redundancy: Always create a duplicate copy of the evidence image file and strive
to make at least two images using different tools or techniques.
• Hidden Data: Ensure you copy the host protected area (HPA) of a drive, which
may require specialized hardware tools that access the drive at the BIOS level. A drive
with an HPA (or a device configuration overlay, DCO) reports fewer sectors than it has,
so compare the sector count the imaging tool saw with the drive's native capacity before
accepting the image as complete.
• Validation: Regardless of the method, always use a hashing algorithm to verify that
the image is an exact match of the original. MD5 and SHA-1 are the traditional choices
and are still accepted in many courts, but both have practical collision attacks, so record
a SHA-256 value alongside them.
Practical Examples
Based on the guidelines in the sources, here are examples of how an investigator would
determine the best method:
Example 1: The Encrypted Laptop (Live Acquisition) An investigator arrives at a scene
where a laptop is powered on and uses whole disk encryption.
• Method: The investigator performs a Live Acquisition, capturing RAM first and then the
decrypted volume.
• Reasoning: If they were to power it off for a static copy, they would need a
passphrase or recovery key to access the data later. While the machine runs, the volume
is readable in its decrypted state and the encryption key itself is held in RAM, which is
why volatile memory is becoming increasingly important for investigations.
Example 2: The Large Corporate RAID (Logical/Sparse) An investigator is tasked with
collecting evidence from a company's RAID system that contains several terabytes of
data.
• Method: The investigator chooses a Logical Acquisition using a tool like
ProDiscover or EnCase.
• Reasoning: The system is too large for a full static bit-stream copy within the
allowed timeframe. Instead, they retrieve only the data relevant to the investigation,
such as specific employee email archives.
Example 3: The Aging Legacy Drive (Disk-to-Disk) An investigator is working with an
old computer from the 1990s that has a failing hard drive.
• Method: They use a Bit-stream disk-to-disk method with a tool like SafeBack.
• Reasoning: Standard modern imaging tools fail to read the drive due to hardware
errors and geometry incompatibilities. SafeBack can adjust the target disk’s
geometry to match the suspect's drive, ensuring a successful copy where other
methods would fail.
Data acquisition tools and validation are the cornerstones of digital forensics,
ensuring that evidence is captured accurately and remains untampered for legal
proceedings.
Acquisition Tools
Forensic tools are categorized by their operating environment and specific
capabilities.
• Windows-Based Tools:
o AccessData FTK Imager: A widely used tool that creates bit-stream images at both
the logical and physical drive levels. It requires a hardware write-blocker to
prevent the Windows OS from altering the suspect drive.
o ProDiscover Basic: This tool uses a proprietary format (.eve) that splits images into
650MB segments and integrates metadata like investigator name and case notes
directly into the file.
o EnCase Enterprise: A more advanced tool used for remote network acquisitions,
capable of capturing RAM and supporting a wide variety of file systems and RAID
configurations.
• Linux-Based Tools:
o dd: A standard Linux command that creates raw, bit-by-bit copies. It is fast but has
no forensic-specific features: no built-in hashing (the hash must be computed in a
separate pass, or by piping the output through tee into sha256sum) and, before GNU
coreutils added status=progress, no progress display.
o dcfldd: A forensics-enhanced version of dd that can log errors, show progress in
bytes, and calculate multiple hashes simultaneously during the acquisition process.
o Forensic Live CDs: Distributions like Helix or Penguin Sleuth are used to boot a
suspect machine. They are configured to mount all drives read-only, which removes
the need for a hardware write-blocker. Treat that as a claim to verify on each release
(check the mount options and the automounter settings before attaching evidence);
both distributions are now dated, and current forensic boot media such as CAINE or
Paladin serve the same purpose.
• Specialised Hardware/Software:
o NTI SafeBack: An older but reliable MS-DOS tool that fits on a floppy disk and
performs an SHA-256 calculation for every sector copied.
o DIBS USA RAID: A portable hardware system specifically designed for forensic
disk-to-disk imaging.
How Acquisition Tools Work
The mechanics of these tools centre on two requirements: data preservation and data
replication.
o Write-Protection: When using Windows-based tools, it is mandatory to use a
hardware write-blocking device. Without it, Windows writes to the suspect drive as soon
as it mounts the volume (replaying the NTFS journal, creating System Volume Information
and $RECYCLE.BIN folders, updating timestamps), which alters the evidence. Forensic
Linux Live CDs (like Helix) are configured to mount all drives read-only by default,
which is meant to remove the need for a hardware write-blocker. A read-only mount is not
the same as a read-only device, though: mounting an ext3/ext4 volume with a dirty journal
replays the journal to disk even with the ro option unless noload is also given. Set the
block device itself read-only (blockdev --setro /dev/sdX) before mounting, or keep using
a hardware blocker.
o Imaging Formats: Tools package the copied data into various formats. Raw format
(created by the Linux dd command) is a simple bit-stream copy. Proprietary formats
(like those used by ProDiscover or EnCase) allow for compression, file splitting
(e.g., into 650MB segments), and the integration of metadata such as the
investigator's name, case number and hash values directly into the file.
o Validation (Hashing): Most tools calculate a digital fingerprint, or hash (MD5, SHA-1
or SHA-256), for both the original drive and the new copy. If the two hashes match
exactly, the acquisition is validated as an authentic copy; record the values in the case
notes, because the original drive may not be available to re-hash once it is returned.

Key Acquisition Tools

Tool Type        Examples                                     Key Functions
Windows-based    FTK Imager, ProDiscover Basic                Convenient interfaces; can image at the logical partition or physical drive level.
Linux-based      dd, dcfldd                                   dcfldd is forensics-specific; it logs errors, shows progress in bytes, and can verify the image against the original medium.
Specialized      NTI SafeBack, DIBS USA RAID                  SafeBack is an MS-DOS tool that fits on a floppy and does SHA-256 hashing per sector; DIBS is a portable system for disk-to-disk imaging.
Remote/Network   EnCase Enterprise, ProDiscover Investigator  Connect to suspect computers over a network to copy RAM or perform live acquisitions (the image is a "smear", because the data changes while it is copied).
Real-Time Experiment Example
To understand how these tools and methods interconnect, consider an investigator
performing a static acquisition of a suspect's desktop computer.
1. Preparation: The investigator documents the chain of evidence and removes the hard
drive from the suspect's computer.
2. Hardware Connection: They connect the suspect's drive to their forensic workstation
using a USB write-blocker.
3. Software Execution (FTK Imager):
o The investigator boots their workstation into Windows and starts FTK Imager.
o They select "Create Disk Image" and choose the "Physical Drive" option so the
image covers the whole device: partition table, every volume and any unpartitioned
space, not just one volume's file system (deleted files and unallocated space inside
a volume are captured either way).
o They choose the Expert Witness (.E01) format to compress the data and enter
case metadata (e.g., Case #123, Investigator: Joe Friday).
4. Verification: Once the tool finishes the bit-stream copy, it hashes the source drive
and the resulting image (FTK Imager reports MD5 and SHA-1 when its verify option is
selected). The investigator confirms the hashes match and records the values in the
case notes, so the evidence can be shown to be sound in court.
5. Contingency: Following best practices, the investigator creates a duplicate copy of
the evidence image file to serve as a backup.
Validating data acquisitions
Validation is considered the most critical aspect of computer forensics because it
ensures that the evidence copy is an exact, bit-for-bit match of the original source. This
process relies on hashing algorithms, which create a unique numerical "fingerprint" of
the data.
Detailed Explanation of Validation


• The Role of Hashing Algorithms: A hashing utility processes the data to produce
a fixed-size value. If even a single bit of the data is altered, the resulting hash value
changes completely.
• Common Techniques:
o CRC-32 (Cyclic Redundancy Check): An error-detecting checksum, not a
cryptographic hash. It catches accidental corruption but is trivial to forge, so it
cannot show that nobody altered the data deliberately.
o MD5 (Message Digest 5): Widely used, though it has known "collisions"
(where two different sets of data produce the same hash), and such collisions
can now be constructed deliberately.
o SHA-1 to SHA-512 (Secure Hash Algorithm): SHA-1 is generally
considered better than MD5, though a practical collision was published in 2017;
the SHA-2 family (SHA-256, SHA-512) has no known collision and is what new
case work should record.
• Operating System Differences:
o Linux: Offers built-in utilities like md5sum, sha1sum and sha256sum that should be
run on all suspect disks and segmented volumes. Advanced tools like dcfldd provide
integrated validation options such as hashlog (saves the hash to a text file) and
vf (verify file), which compares the image file directly to the original medium.
o Windows: Older versions had no built-in hashing utility; current versions ship
certutil -hashfile and PowerShell's Get-FileHash, but most labs rely on the validation
features built into their commercial software or on a third-party utility.
• Raw vs. Proprietary Validation: While proprietary formats (like .E01) often
integrate hash data into the image file, raw format image files do not contain
metadata. Therefore, a separate manual validation is highly recommended for all
raw acquisitions to prove their integrity.
Real-World Forensic Example


Scenario: An investigator is using a Forensic Linux Live CD to acquire a 500GB
hard drive from a suspect's laptop.
1. Acquisition with Built-in Hashing: After confirming with lsblk which device is the
suspect drive (swapping if= and of= would overwrite the evidence), the investigator runs:
o dcfldd if=/dev/sda of=/media/target/suspect_drive.img hash=sha256 hashlog=/media/target/evidence_hash.txt conv=noerror,sync
o This command copies the source drive (if=/dev/sda) to the image file, calculates a
SHA-256 hash simultaneously, and saves that hash value into a text file
(evidence_hash.txt) on the target drive. conv=noerror,sync keeps the copy going past
an unreadable sector, writing zeros in its place so the image keeps the size and layout
of the source; any such errors are reported and belong in the case notes.
2. Immediate Verification: After the copy is finished, the investigator uses the vf
(verify file) option in dcfldd:
o dcfldd if=/dev/sda vf=/media/target/suspect_drive.img
o The tool reads the original drive and the new image file side-by-side and reports
whether every byte is identical.
3. Documentation for Court: The investigator takes the 64-character SHA-256 string
from evidence_hash.txt and records it in the case notes. Later, in a lab or in court,
anyone can re-hash the suspect_drive.img file. If the new hash matches the one in
the investigator's notes, it shows the evidence has not been altered since the moment
it was acquired.
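Added example, not from the notes or from dcfldd: the re-hashing step of the validation section and of the scenario above, done for a raw image that may have been saved as one file or as a numbered segment set (suspect_drive.img.001, .002, ...). It hashes the segments in numeric order in one pass for every algorithm recorded, compares against the recorded values, and shows that flipping a single bit in any segment fails validation. The segment files and the hash file are constructed in a temporary directory; hash lines use the md5sum/sha256sum "<digest>  <name>" layout, a real coreutils format, with the algorithm inferred from the digest length.

```python
# Added example, not from the notes: validate a raw image against the hashes
# recorded when it was acquired, whether the image is one file or a numbered
# segment set (suspect_drive.img.001, .002, ...). It also shows that a single
# flipped bit in any segment fails validation. The segment set and the hash
# file are constructed in a temporary directory; hash lines use the
# md5sum/sha256sum "<digest>  <name>" layout (a real coreutils format; the
# algorithm is inferred from the digest length).
import hashlib
import os
import re
import tempfile

CHUNK = 1 << 16
DIGEST_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}   # hex digest length -> algorithm


def segment_files(base: str) -> list:
    """Return [base] if it exists, else base.001, base.002, ... in numeric order.
    Order matters: hashing segments in directory-listing order can differ."""
    if os.path.isfile(base):
        return [base]
    directory, name = os.path.split(base)
    directory = directory or "."
    pattern = re.compile(re.escape(name) + r"\.(\d{3,})$")
    found = [(int(m.group(1)), os.path.join(directory, f))
             for f in os.listdir(directory) if (m := pattern.match(f))]
    if not found:
        raise FileNotFoundError(base)
    return [path for _, path in sorted(found)]


def hash_image(paths, algorithms) -> dict:
    """One pass over all segments feeding every hasher (like dcfldd hash=md5,sha256)."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    for path in paths:
        with open(path, "rb") as f:
            while chunk := f.read(CHUNK):
                for h in hashers.values():
                    h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def parse_hashlog(text: str) -> dict:
    """'<hexdigest>  <name>' lines -> {algorithm: digest}; other lines are ignored."""
    log = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]+)\s+\*?\S", line.strip())
        if m and len(m.group(1)) in DIGEST_ALGO:
            log[DIGEST_ALGO[len(m.group(1))]] = m.group(1).lower()
    return log


def verify_image(base: str, hashlog_text: str) -> dict:
    """{algorithm: True/False} for every digest the hashlog records."""
    expected = parse_hashlog(hashlog_text)
    actual = hash_image(segment_files(base), expected)
    return {a: actual[a] == expected[a] for a in expected}


def make_sample_case(root: str, data: bytes, segment_size: int) -> tuple:
    """Constructed evidence: write data as numbered segments plus a matching hash file."""
    base = os.path.join(root, "suspect_drive.img")
    for i in range(0, len(data), segment_size):
        with open(f"{base}.{i // segment_size + 1:03d}", "wb") as f:
            f.write(data[i:i + segment_size])
    hashlog = "".join(f"{hashlib.new(a, data).hexdigest()}  suspect_drive.img\n"
                      for a in ("md5", "sha256"))
    return base, hashlog


def demo() -> tuple:
    """Verify the constructed case intact, then again after flipping one bit."""
    with tempfile.TemporaryDirectory() as tmp:
        base, hashlog = make_sample_case(tmp, bytes(range(256)) * 1000, 100_000)
        intact = verify_image(base, hashlog)
        with open(base + ".002", "r+b") as f:      # one bit in the second segment
            f.seek(10)
            byte = f.read(1)[0]
            f.seek(10)
            f.write(bytes([byte ^ 0x01]))
        return intact, verify_image(base, hashlog)


if __name__ == "__main__":
    before, after = demo()
    print("intact:  ", before)
    print("bit flip:", after)
```

Recording more than one algorithm costs nothing extra at acquisition time (one read of the data feeds every hasher) and means an older MD5-only hash file can still be checked while a SHA-256 value is available for anyone who challenges MD5.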
Performing RAID data acquisitions
Performing RAID data acquisitions involves unique challenges compared to
standard drive imaging, primarily due to the complexity of how data is distributed
across multiple disks. RAID (Redundant Array of Independent Disks) is a
computer configuration involving two or more disks originally developed as a data-
redundancy measure.
Steps for Performing RAID Acquisitions
The sources outline several critical steps and considerations for a successful
acquisition:
1. Identify the RAID Type and Size: Determine which RAID level is in use and the
total storage capacity, as RAID systems now frequently contain terabytes of data.
2. Select a Compatible Forensic Tool: Choose a tool that can reconstruct the specific
RAID configuration. Vendors providing RAID functions include ProDiscover,
EnCase, X-Ways Forensics, and Runtime Software.
3. Evaluate Tool Capabilities: Ensure the tool can read a forensically copied RAID
image and handle split data saves from each individual RAID disk. Image and hash each
member disk separately, and record the disk order, stripe (block) size and parity layout
from the controller or the array metadata: without those three values the member images
cannot be reassembled into the logical volume.
4. Determine Acquisition Method: If the system is too large for a full static
acquisition, investigators should use the sparse or logical acquisition method to
retrieve only the data relevant to the investigation.

RAID Levels and Diagrams


The sources describe several RAID levels, each with a corresponding visual
representation of how files are distributed:
• RAID 0 (Striped): This level provides rapid access and increased storage but lacks
redundancy. The figure shows a 128 KB file being split into two 64 KB segments
distributed across Disk 1 and Disk 2.
• RAID 1 (Mirrored): Specifically designed for data recovery, it is more expensive
than RAID 0. The figure illustrates a 128 KB file being copied in its entirety to both
Disk 1 and Disk 2 simultaneously.



• RAID 2: Data is written at the bit level; it offers better integrity checking than
RAID 0 but is slower. Figure 4-11 depicts files being striped across three disks at
the bit level with a fourth disk dedicated to parity.

• RAID 3: This level utilizes data striping across the disks and employs a dedicated
parity disk for error recovery.
• RAID 4: In this configuration, data is written in blocks rather than at the bit level.
• RAID 5 (Block-level Striping with Distributed Parity): This level places parity
recovery data on each disk in the array. Figure 4-14 shows how file segments and
their corresponding parity blocks are rotated across four different disks.

• RAID 6: Designed for higher reliability: each row carries two independent parity
blocks, distributed across the disks as RAID 5 distributes its single parity block, so
the array survives two simultaneous disk failures.
• RAID 10 (Mirrored Striping): Also known as RAID 1+0, this is a combination
of RAID 1 and RAID 0, providing both the speed of striping and the redundancy
of mirroring.
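Added example, not from the notes or from any of the tools named above: what "reconstructing the RAID configuration" from per-disk images means in code. RAID 0 needs the disk order and the stripe size; RAID 5 also needs the parity rotation, and its XOR parity both recovers one missing member and lets every row be checked for consistency. The member images are constructed in memory, and the rotation used (parity moving one disk to the left each row) is one common layout, not the only one a controller may use.

```python
# Added example, not from the notes: rebuilding a logical volume from per-disk
# images of a stripe set. RAID 0 needs the disk order and stripe size; RAID 5
# also needs the parity rotation, and its XOR parity lets one missing member
# be reconstructed and lets every row be checked. The member images are
# constructed in memory, and the rotation used (parity moving one disk to the
# left each row) is one common layout, not the only one a controller may use.
from functools import reduce


def xor(blocks) -> bytes:
    """Bytewise XOR of equal-length blocks: the RAID parity operation."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def split_raid0(data: bytes, ndisks: int, stripe: int) -> list:
    """Constructed writer: stripe data round-robin over ndisks (RAID 0)."""
    disks = [bytearray() for _ in range(ndisks)]
    for i in range(0, len(data), stripe):
        disks[(i // stripe) % ndisks] += data[i:i + stripe].ljust(stripe, b"\x00")
    longest = max(len(d) for d in disks)
    return [bytes(d.ljust(longest, b"\x00")) for d in disks]


def rebuild_raid0(disks: list, stripe: int) -> bytes:
    """Interleave stripes in disk order; a wrong order or stripe size scrambles files."""
    nstripes = len(disks[0]) // stripe
    return b"".join(disks[d][s * stripe:(s + 1) * stripe]
                    for s in range(nstripes) for d in range(len(disks)))


def split_raid5(data: bytes, ndisks: int, stripe: int) -> list:
    """Constructed writer: each row holds ndisks-1 data stripes and one parity
    stripe; the parity position moves one disk to the left every row."""
    ndata = ndisks - 1
    disks = [bytearray() for _ in range(ndisks)]
    rows = -(-len(data) // (ndata * stripe))            # ceiling division
    for r in range(rows):
        chunks = [data[(r * ndata + k) * stripe:(r * ndata + k + 1) * stripe]
                  .ljust(stripe, b"\x00") for k in range(ndata)]
        pdisk = (ndisks - 1 - r) % ndisks
        remaining = iter(chunks)
        for d in range(ndisks):
            disks[d] += xor(chunks) if d == pdisk else next(remaining)
    return [bytes(d) for d in disks]


def rebuild_raid5(disks: list, stripe: int) -> bytes:
    """Rebuild the volume; a member given as None is recovered from parity.
    Raises ValueError if a row's parity does not check or two members are missing."""
    ndisks = len(disks)
    missing = [i for i, d in enumerate(disks) if d is None]
    if len(missing) > 1:
        raise ValueError("RAID 5 tolerates only one missing disk")
    rows = len(next(d for d in disks if d is not None)) // stripe
    out = bytearray()
    for r in range(rows):
        row = [None if d is None else d[r * stripe:(r + 1) * stripe] for d in disks]
        if missing:
            row[missing[0]] = xor([b for b in row if b is not None])
        elif xor(row) != bytes(stripe):                  # all stripes must XOR to zero
            raise ValueError(f"parity mismatch in row {r}")
        pdisk = (ndisks - 1 - r) % ndisks
        out += b"".join(b for d, b in enumerate(row) if d != pdisk)
    return bytes(out)


if __name__ == "__main__":
    payload = b"".join(f"{i:04d}".encode() for i in range(288))   # 1152 bytes, constructed
    members = split_raid0(payload, 2, 64)
    print("RAID 0, right order:", rebuild_raid0(members, 64) == payload)
    print("RAID 0, disks swapped:", rebuild_raid0(members[::-1], 64) == payload)
    members = split_raid5(payload, 4, 64)
    members[1] = None                                   # member 1 failed or was not imaged
    print("RAID 5, one member missing:", rebuild_raid5(members, 64) == payload)
```

The parity check is the practical payoff: if the rebuilt rows do not XOR to zero, the stripe size, disk order or rotation assumed for the array is wrong (or a member image is damaged), and the rebuilt volume should not be analysed until that is resolved.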

Differences Between RAID and Other Storage


While RAID refers to the physical or logical configuration of multiple hard drives
to act as a single unit for speed or redundancy, other storage concepts discussed in
the sources refer to file formats used to save acquired evidence.
• Structure: Unlike a single drive, RAID requires the investigator to understand the
striping or mirroring pattern to reconstruct the data.
• Storage Formats: Once a RAID is acquired, the resulting evidence file is typically
saved in a Raw, Proprietary (like Expert Witness), or AFF format, similar to a
standard drive acquisition.
Limitations and Concerns
Acquiring RAID disks presents several specific limitations:
• Data Size: The massive amount of data (often terabytes) is the biggest concern,
making full images time-consuming and storage-heavy.
• Technical Challenges: Older hardware-firmware RAID systems can be
particularly difficult to image correctly.
• Tool Dependency: Investigators must verify if their forensic tool can accurately
read split data saves and reconstruct the specific RAID level used by the suspect.
• Static Acquisition Limits: Occasionally, a RAID system is simply too large for a
static acquisition, forcing the investigator to rely on less-comprehensive logical or
sparse methods.
Remote network acquisition tools
Remote network acquisition tools allow investigators to connect to a suspect's computer
over a network to preview, search, and copy data without being physically present at the
device. This method is particularly useful for corporate investigations or incident
response scenarios.
How it Works
Remote acquisition generally functions through a client-server model involving the
investigator’s workstation and the suspect’s computer:
• The Remote Agent: A specialized utility, such as the PDServer Remote Agent,
must be loaded onto the suspect’s computer. This can be done via a "Trusted CD,"
by IT pre-installation, or by "pushing" the agent out to the machine remotely over
the network.
• Stealth Mode: To avoid alerting a suspect, these agents often feature a stealth
mode where they can change their process name to appear as a standard operating
system function. The agent is still a program installed on the evidence system, so its
installation time, name and footprint must be documented in the case notes.
• Encrypted Connection: Once the agent is active, the investigator establishes a
secure, encrypted connection to the suspect machine to perform the data collection.
• Live Acquisition ("Smear"): Because the suspect machine is running, the data
changes while it is being copied, so the image is a "smear" of the drive over the copy
interval rather than a snapshot. Such an image cannot be validated by re-hashing the
source; the hash of the image as received is what gets recorded.
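Added example, not from the notes and not PDServer's or EnCase's actual protocol: the shape of the client-server exchange described above, with an agent on the suspect host streaming the media to the examiner's console. Each chunk carries an HMAC-SHA256 tag under a pre-shared key so that a chunk altered or reordered between the two ends is rejected rather than silently written into the image; the console hashes what it keeps, which is the only hash a smear acquisition can record. The key, the framing and the tag placement are this example's assumptions, a socketpair stands in for the encrypted TCP session, and the served "disk" is a constructed byte string.

```python
# Added example, not from the notes: the shape of a remote acquisition session
# between the examiner's console and an agent on the suspect host. It is an
# illustration of the client-server model, not PDServer's or EnCase's actual
# protocol. Each chunk carries an HMAC-SHA256 tag under a pre-shared key (the
# key, the framing and the tag placement are this example's assumptions), so a
# chunk altered or reordered in transit is rejected; the socketpair stands in
# for an encrypted TCP session and the served "disk" is a constructed byte string.
import hashlib
import hmac
import socket
import struct
import threading

KEY = b"constructed-pre-shared-agent-key"   # assumption: provisioned with the agent
CHUNK = 4096
HEADER = struct.Struct("!IQ")              # chunk length, byte offset on the media
TAG_LEN = hashlib.sha256().digest_size


def agent(sock, disk: bytes, corrupt_offset=None):
    """Suspect-side agent: stream the media in chunks, each tagged with
    HMAC(KEY, header || data). corrupt_offset is a test hook that flips one
    byte after tagging, simulating modification on the wire."""
    try:
        for off in range(0, len(disk), CHUNK):
            data = disk[off:off + CHUNK]
            header = HEADER.pack(len(data), off)
            tag = hmac.new(KEY, header + data, hashlib.sha256).digest()
            if corrupt_offset is not None and off <= corrupt_offset < off + len(data):
                data = bytearray(data)
                data[corrupt_offset - off] ^= 0xFF
                data = bytes(data)
            sock.sendall(header + data + tag)
        sock.sendall(HEADER.pack(0, len(disk)))     # zero-length frame ends the media
    except OSError:
        pass                                        # console went away
    finally:
        sock.close()


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        part = sock.recv(n - len(buf))
        if not part:
            raise ConnectionError("agent closed the connection early")
        buf += part
    return buf


def console(sock) -> tuple:
    """Examiner side: reassemble the image, reject bad tags, hash what was kept."""
    image = bytearray()
    digest = hashlib.sha256()
    while True:
        header = recv_exact(sock, HEADER.size)
        length, off = HEADER.unpack(header)
        if length == 0:
            break
        data = recv_exact(sock, length)
        tag = recv_exact(sock, TAG_LEN)
        expected = hmac.new(KEY, header + data, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError(f"bad tag on chunk at offset {off}; image discarded")
        if off != len(image):
            raise ValueError(f"chunk at offset {off} out of order")
        image += data
        digest.update(data)
    return bytes(image), digest.hexdigest()


def remote_acquire(disk: bytes, corrupt_offset=None) -> tuple:
    """Run agent and console over a local socketpair; returns (image, sha256)."""
    agent_sock, console_sock = socket.socketpair()
    worker = threading.Thread(target=agent, args=(agent_sock, disk, corrupt_offset))
    worker.start()
    try:
        return console(console_sock)
    finally:
        console_sock.close()
        worker.join()


if __name__ == "__main__":
    media = bytes(range(256)) * 40                   # 10 KiB constructed "disk"
    image, sha = remote_acquire(media)
    print("intact transfer:", image == media, sha)
    try:
        remote_acquire(media, corrupt_offset=5000)
    except ValueError as err:
        print("tampered transfer:", err)
```

Binding the offset into each tag is what makes reordering or replaying a chunk detectable; an encrypted transport protects confidentiality on the wire, but it is the per-chunk authentication plus the final image hash that lets the examiner state what was received.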
Key Tools and Their Capabilities
• ProDiscover Investigator: This tool allows for remote previews of drives while
they are in use, live acquisitions, and the ability to copy the suspect computer’s
RAM.
• ProDiscover Incident Response: This version adds advanced forensics
capabilities, such as capturing the volatile system state, analyzing currently
running processes, viewing active IP ports, and running hash comparisons to find
Trojans or rootkits.
• EnCase Enterprise: A robust tool that can remotely acquire media and RAM from
multiple systems simultaneously. It integrates with Intrusion Detection Systems
(IDS) and supports complex configurations like hardware or software RAID.
• Runtime Software: Provides shareware utilities like HDHOST to access network
computer drives and create raw or segmented image files.
Security and Challenges


To ensure the integrity and privacy of the investigation, these tools use security
features like password protection, encrypted communications, and digital
signatures.
However, investigators face several drawbacks:
• Network Constraints: LAN speeds, heavy traffic, and routing table conflicts can
cause errors or delays.
• Access Barriers: Gaining permissions for secure subnets can be difficult.
• Software Interference: The remote agent may be flagged or blocked by antivirus
software on the suspect's machine.
Real-Time Practical Example
Imagine a cybersecurity investigator at a large firm needs to investigate a potential
data breach on a server located in a different branch office.
Instead of traveling to the site, the investigator remotely "pushes" the PDServer
agent to the server. Using ProDiscover Incident Response, the investigator
establishes an encrypted link to the server and begins analyzing current running
processes and active IP ports to look for suspicious connections. They perform a
live acquisition of the RAM to capture volatile data that might contain a hacker's
commands. Finally, they run a remote hash comparison against a known database
of malware to identify any rootkits hidden on the system—all while the server
continues to operate for the branch office.
Other Forensics Acquisition Tools
Several other specialized tools exist for specific needs:
• NTI SafeBack: A reliable MS-DOS tool that performs SHA-256 calculations for
every sector copied.
• DIBS USA RAID: A portable system designed specifically for forensic disk-to-
disk imaging.
• ASRData SMART: A Linux-based tool capable of robustly reading data from
drives with bad sectors.
• PyFlag: A network forensics tool that can create Expert Witness image files.
rom any network connection. This prevents remote access, malware execution, or automatic system updates that could
modify the data.
Another important step is creating a forensic image, which is an exact bit-by-bit copy of the original storage device. This
copy includes all data, including deleted files, hidden files, and unused disk space. Investigators perform their analysis
on this copy instead of the original device to prevent any accidental modification.
To verify that the copied data is identical to the original, investigators generate hash values using algorithms such as
MD5 or SHA-256. If the hash value of the forensic copy matches the original, it confirms that the data has not been
altered.
A key concept in preservation is the Chain of Custody. This is a documented record that tracks every person who handled
the evidence, the time it was collected, how it was stored, and how it was transferred. Maintaining chain of custody
ensures transparency and integrity of evidence throughout the investigation.

3. Collection (Acquisition)
The Collection or Acquisition phase involves gathering digital evidence from identified sources and creating forensic
copies for examination. This stage must be performed carefully because improper collection can damage or alter
evidence.
Digital evidence can be collected from many sources such as:
• Hard disk drives and solid-state drives
• USB flash drives and memory cards
• Smartphones and tablets
• Network devices and servers
• Cloud storage services
• System memory (RAM)
There are two main methods of acquiring digital evidence.
The first method is Live Acquisition. This method is used when the system is still running. Investigators collect volatile
data that would be lost if the system is turned off. Examples of volatile data include RAM contents, running processes,

open network connections, logged-in users, and encryption keys. Live acquisition is often used in cases involving
malware attacks, hacking incidents, and system intrusions.
The second method is Dead Acquisition. In this method, the device is powered off and investigators collect data directly
from the storage media. This approach is safer because it reduces the risk of altering data during the acquisition process.
During this stage, investigators use specialized digital forensic tools such as disk imaging tools, memory capture tools,
and mobile forensic tools to collect evidence. All collected evidence is properly labeled, documented, and stored in
secure containers to maintain its integrity.

4. Examination
The Examination phase involves processing the collected data to identify and extract relevant information related to
the investigation. Digital storage devices can contain millions of files, so investigators use forensic tools and techniques
to filter and organize the data.
During the examination stage, investigators perform tasks such as recovering deleted files, extracting
hidden data, analyzing file systems, and examining metadata. Deleted files are often recoverable because when a file
is deleted, the operating system usually removes the file reference but does not immediately erase the data from the disk.
Another important technique used in this stage is file carving, which involves recovering files based on known file
signatures even when the file system structure is damaged or missing. Investigators may also analyze email messages,
chat logs, browser history, registry files, and application logs to identify suspicious activities.
The examination process often includes keyword searches, where investigators search the entire data set for specific
words, phrases, or file names related to the case. This helps narrow down the evidence to relevant information.
The main objective of this phase is to extract useful evidence from a large volume of raw data.
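The hash verification described under Preservation and the signature-based file carving described above, as one added example that is not part of these notes: it hashes a constructed raw image in chunks, compares original and copy under MD5 and SHA-256, and then carves a deleted PNG and JPEG out of unallocated space using only their magic numbers. The signatures, sample files and image layout are constructed for the demonstration.

```python
import base64
import hashlib

# Known file signatures (magic numbers) used by the carver.
# JPEG data starts with FF D8 FF and ends with the EOI marker FF D9;
# PNG data starts with an 8-byte signature and ends with the IEND chunk.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def hash_image(data: bytes, algorithm: str = "sha256", chunk_size: int = 4096) -> str:
    """Hash an image in fixed-size chunks, as an imaging tool does for large disks."""
    digest = hashlib.new(algorithm)
    for offset in range(0, len(data), chunk_size):
        digest.update(data[offset:offset + chunk_size])
    return digest.hexdigest()


def verify_copy(original: bytes, copy: bytes) -> dict:
    """Compare the MD5 and SHA-256 of the original media and the forensic copy.

    Both hashes are returned so they can be entered in the chain-of-custody
    documentation; 'verified' is True only when every algorithm agrees."""
    report = {}
    for algorithm in ("md5", "sha256"):
        src, dst = hash_image(original, algorithm), hash_image(copy, algorithm)
        report[algorithm] = {"original": src, "copy": dst, "match": src == dst}
    report["verified"] = all(report[a]["match"] for a in ("md5", "sha256"))
    return report


def carve(image: bytes) -> list:
    """Recover files by signature alone, ignoring any file-system structure.

    Returns (type, offset, data) tuples sorted by offset. A header with no
    trailer after it is treated as a truncated or overwritten file and skipped;
    like any naive carver, this can also join two fragments if a truncated
    header precedes a complete file of the same type."""
    found = []
    for kind, (header, trailer) in SIGNATURES.items():
        position = 0
        while True:
            start = image.find(header, position)
            if start == -1:
                break
            end = image.find(trailer, start + len(header))
            if end == -1:
                break  # header without trailer: nothing complete to recover
            end += len(trailer)
            found.append((kind, start, image[start:end]))
            position = end
    return sorted(found, key=lambda item: item[1])


# Constructed sample data (not taken from any real case).
# SAMPLE_PNG is the well-known 1x1 transparent PNG (70 bytes);
# SAMPLE_JPG is a minimal JFIF header followed by padding and the EOI marker.
SAMPLE_PNG = base64.b64decode(
    "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ"
    "AAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=="
)
SAMPLE_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20 + b"\xff\xd9"

# A constructed raw image: a file-system area, then unallocated space holding a
# deleted PNG, a JPEG whose directory entry is gone, and a truncated JPEG header.
SAMPLE_IMAGE = (
    b"FS-METADATA-AREA" + b"\x00" * 100   # PNG begins at offset 116
    + SAMPLE_PNG + b"\x00" * 64           # JPEG begins at offset 250
    + SAMPLE_JPG + b"\x00" * 32
    + b"\xff\xd8\xff\xe1" + b"\x00" * 16  # truncated header: no FF D9 follows
)


if __name__ == "__main__":
    intact = verify_copy(SAMPLE_IMAGE, bytes(SAMPLE_IMAGE))
    print("copy verified:", intact["verified"], intact["sha256"]["copy"][:16], "...")
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[200] ^= 0x01                 # one flipped bit in unallocated space
    print("tampered copy verified:", verify_copy(SAMPLE_IMAGE, bytes(tampered))["verified"])
    for kind, offset, data in carve(SAMPLE_IMAGE):
        print(f"carved {kind} at offset {offset}, {len(data)} bytes")
```

A single flipped bit anywhere in the image, including unallocated space, changes both digests, which is why the copy and not the original is used for all later examination.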

5. Analysis
The Analysis phase is where investigators interpret the extracted data to understand the events that occurred during the
incident. The goal is to reconstruct the sequence of actions and determine how the crime was committed.
During this stage, investigators correlate evidence from multiple sources to answer important questions such as:
• Who performed the action?
• What activity occurred?
• When did the event happen?
• Where did the attack originate?
• How was the system compromised?
• Why did the incident occur?

One common technique used in analysis is timeline reconstruction. Investigators arrange digital events in chronological
order based on timestamps found in files, logs, and system records. This helps create a clear picture of what happened
before, during, and after the incident.
Investigators may also analyze malware samples, suspicious programs, and network traffic to determine how attackers
gained access to the system. They examine login records, file access logs, and communication records to identify the
actions performed by the suspect.
The analysis phase transforms raw data into meaningful evidence that explains the incident.
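Timeline reconstruction as described above, as an added example that is not the notes' own code: records from three constructed sources (a Linux auth log with no year or zone, a web access log carrying its own offset, and file-system timestamps in UTC) are normalised to UTC and merged into one chronological list. The year 2024 and the IST clock of the Linux host are assumed values an examiner would take from the case notes.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records from three sources (not from any real case).
# Each source keeps time differently, which is the core problem of timeline work.
SAMPLE_AUTH_LOG = [  # Linux auth log: no year, no zone; host clock assumed IST (UTC+05:30)
    "Mar 14 10:02:11 host1 sshd[812]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "Mar 14 10:02:19 host1 sshd[812]: Accepted password for admin from 203.0.113.7 port 51234 ssh2",
]
SAMPLE_WEB_LOG = [  # web server access log: zone offset carried in the record
    '203.0.113.7 - - [14/Mar/2024:04:35:02 +0000] "GET /reports/export HTTP/1.1" 200 1543',
]
SAMPLE_FS_EVENTS = [  # file-system timestamps of host1 exported as ISO 8601 UTC
    "2024-03-14T04:33:40Z MODIFY /etc/cron.d/backup",
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\s?\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
WEB_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
FS_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (?P<msg>.*)$")

IST = timezone(timedelta(hours=5, minutes=30))  # assumed zone of the host1 clock


def parse_syslog(line, year, local_tz):
    """Syslog lines lack a year and a zone: both must be supplied from the examiner's notes."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    naive = datetime.strptime(f"{year} {m['mon']} {m['day'].strip()} {m['time']}",
                              "%Y %b %d %H:%M:%S")
    return {"ts": naive.replace(tzinfo=local_tz).astimezone(timezone.utc),
            "source": "auth.log", "host": m["host"], "event": m["msg"]}


def parse_web(line):
    """Access-log timestamps carry their own offset, so they convert directly."""
    m = WEB_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return {"ts": ts, "source": "access.log", "host": m["ip"],
            "event": f"{m['req']} -> HTTP {m['status']}"}


def parse_fs(line, host="host1"):
    """File-system events are already UTC; the trailing Z is made an explicit zone."""
    m = FS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": "filesystem", "host": host, "event": m["msg"]}


def build_timeline(auth_lines, web_lines, fs_lines, year=2024, local_tz=IST):
    """Normalise every record to UTC and order them, dropping lines that do not parse."""
    events = [parse_syslog(line, year, local_tz) for line in auth_lines]
    events += [parse_web(line) for line in web_lines]
    events += [parse_fs(line) for line in fs_lines]
    return sorted((e for e in events if e is not None), key=lambda e: e["ts"])


def render(timeline):
    """One line per event in the uniform form used in a report."""
    return [f"{e['ts']:%Y-%m-%d %H:%M:%S}Z  {e['source']:<10} {e['host']:<12} {e['event']}"
            for e in timeline]


if __name__ == "__main__":
    for row in render(build_timeline(SAMPLE_AUTH_LOG, SAMPLE_WEB_LOG, SAMPLE_FS_EVENTS)):
        print(row)
```

Without the zone correction the two auth-log entries would sort after the web request instead of before it, so the assumed host clock offset belongs in the documentation alongside the timeline.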

6. Documentation
Documentation is an essential part of every stage of the digital forensics investigation process. Investigators must
carefully record every action performed during the investigation to ensure transparency and accountability.
Proper documentation includes:
• Details of the investigation process
• Description of the devices examined
• Tools and software used during analysis
• Methods used to collect evidence
• Hash values and verification results
• Observations and findings
Documentation must be clear, accurate, and detailed so that another investigator could repeat the process and obtain
the same results. Good documentation also helps maintain the chain of custody and legal credibility of the investigation.

7. Presentation (Reporting)
The Presentation or Reporting phase is the final stage of the digital forensics investigation process. In this stage,
investigators present their findings in a clear and understandable format.
A digital forensic report typically includes:
• Introduction and background of the case
• Objectives of the investigation
• Methods and tools used
• Description of evidence collected
• Detailed analysis and findings
• Conclusions and recommendations
• Supporting screenshots, logs, and charts
The report must be written in a simple and logical manner so that even non-technical individuals such as judges, lawyers,
or company executives can understand it.
In legal cases, investigators may also be required to testify in court as expert witnesses, explaining the methods used
during the investigation and validating the authenticity of the digital evidence.

Computer Forensics vs. Related Disciplines

Forensic science is the overarching application of natural, physical, and social sciences to matters of law, focusing on
the recognition, identification, and evaluation of physical evidence.
Criminalistics is a specialty within this field that specifically refers to the analysis of physical evidence from a crime
scene, such as fingerprints, DNA, and trace evidence.
Digital forensics is a branch of cybersecurity that has expanded from computer forensics (the methodical examination
of computer media like hard disks and tapes) to include all devices capable of storing digital data, such as tablets,
smartphones, and cloud storage. Other specialized branches include:
• Network forensics, which involves monitoring and analysing network traffic for information gathering or intrusion
detection.
• Mobile forensics, which focuses on recovering evidence from mobile devices using forensically sound methods.

Comparison Table: Computer Forensics vs Other Related Disciplines

Definition
• Computer Forensics: The process of investigating digital devices and collecting electronic evidence related to cybercrimes.
• Cybersecurity: The practice of protecting computer systems, networks, and data from cyber attacks.
• Network Forensics: A branch of digital forensics that focuses on capturing and analyzing network traffic to detect attacks.
• Information Security: The discipline of protecting information from unauthorized access, modification, or destruction.

Main Objective
• Computer Forensics: To investigate cyber incidents and gather digital evidence.
• Cybersecurity: To prevent cyber attacks and secure systems.
• Network Forensics: To analyze network communications and identify malicious activities.
• Information Security: To ensure protection of information assets.

Focus Area
• Computer Forensics: Digital evidence on devices such as computers, mobile phones, and storage media.
• Cybersecurity: Security of systems, applications, and networks.
• Network Forensics: Data packets, network logs, and communication between devices.
• Information Security: Protection of data and information regardless of where it is stored.

When It Is Used
• Computer Forensics: After a cybercrime or security incident occurs.
• Cybersecurity: Before and during cyber attacks to prevent them.
• Network Forensics: During or after a network attack to analyze traffic.
• Information Security: Continuously, to protect information assets.

Main Activities
• Computer Forensics: Evidence collection, data recovery, log analysis, timeline reconstruction, and reporting.
• Cybersecurity: Installing firewalls, antivirus, intrusion detection systems, and monitoring networks.
• Network Forensics: Capturing packets, analyzing traffic, detecting intrusions, and tracing attackers.
• Information Security: Implementing policies, encryption, access control, and risk management.

Types of Data Analyzed
• Computer Forensics: Hard drives, deleted files, emails, documents, system logs, browser history.
• Cybersecurity: System vulnerabilities, security configurations, threat intelligence data.
• Network Forensics: Network packets, IP addresses, communication logs, protocols.
• Information Security: Confidential documents, databases, user credentials, and sensitive information.

Key Goal
• Computer Forensics: Find out who did the attack, how it happened, and what evidence exists.
• Cybersecurity: Stop attacks and protect systems from hackers.
• Network Forensics: Detect and analyze suspicious network activity.
• Information Security: Protect confidentiality, integrity, and availability of data.

Example Scenario
• Computer Forensics: Investigating a hacked computer to recover deleted files and identify the attacker.
• Cybersecurity: Installing a firewall and antivirus to prevent unauthorized access.
• Network Forensics: Analyzing network packets to detect a Distributed Denial-of-Service (DDoS) attack.
• Information Security: Encrypting company data and controlling access to sensitive information.

Brief History of Computer Forensics (Detailed Explanation):

Computer Forensics, also called Digital Forensics, developed as a response to the rapid growth of computers and digital
technologies. As computers began to be used widely in businesses, government organizations, and personal
environments, criminals also started using them for illegal activities such as data theft, fraud, hacking, and unauthorized
system access. This created the need for specialized techniques to investigate digital crimes and collect electronic
evidence.
The history of computer forensics can be understood through several important milestones that contributed to the
development of this field.

1. Late 1970s – Beginning of Computer Crime Awareness


During the late 1970s, personal computers started becoming more common in businesses and government organizations.
As a result, new types of crimes began to appear, such as unauthorized access to computer systems, data manipulation,
and software piracy.
At this time, law enforcement agencies did not yet have specialized methods to investigate computer-related crimes.
Traditional investigative techniques were not suitable for dealing with digital evidence, because digital data could easily
be copied, altered, or deleted.
This period marked the early awareness of cybercrime, which later led to the development of computer forensics as a
separate discipline.

2. 1978 – The Florida Computer Crimes Act


In 1978, the state of Florida in the United States introduced the Florida Computer Crimes Act, which was the first law
specifically created to address computer-related crimes.
This law recognized that computers could be used to commit criminal activities and defined several illegal actions,
including:
• Unauthorized access to computer systems
• Unauthorized modification of data
• Destruction or theft of digital information
The Florida Computer Crimes Act was an important milestone because it was one of the first legal frameworks to
acknowledge cybercrime as a serious issue. It also encouraged other states and countries to begin developing their own
computer crime laws.

3. 1984 – FBI Computer Analysis and Response Team (CART)


In 1984, the Federal Bureau of Investigation (FBI) established the Computer Analysis and Response Team (CART). This
was one of the first specialized units dedicated to analyzing digital evidence and supporting investigations involving
computers.
The main responsibilities of the CART team included:
• Examining computer systems involved in criminal investigations
• Recovering deleted or hidden digital data
• Providing technical expertise to law enforcement agencies
• Supporting legal cases involving digital evidence
The creation of this team marked the beginning of organized digital forensic investigations in law enforcement.

4. 1986 – Federal Computer Crime Laws in the United States


In 1986, the United States government passed important legislation to address computer-related crimes. One of the most
significant laws was the Computer Fraud and Abuse Act (CFAA).
This law made several computer-related activities illegal, including:
• Unauthorized access to computer systems
• Theft of sensitive information
• Damage to computer systems and networks
• Fraud using computers
The introduction of these laws helped establish a legal foundation for prosecuting cybercriminals and highlighted the
importance of collecting reliable digital evidence. As a result, the need for computer forensic techniques became more
evident.

5. 1992 – First Use of the Term "Computer Forensics"


In 1992, the term "computer forensics" appeared for the first time in academic literature and professional discussions.
This marked an important step in recognizing computer forensics as a distinct scientific discipline.
During the early 1990s, researchers and investigators began developing specialized tools and methodologies for analyzing
digital evidence. Universities and research institutions started studying computer forensics as part of computer science
and cybersecurity programs.
This period also saw the development of early forensic software tools that allowed investigators to examine digital storage
devices more effectively.

6. 2000s – International Standardization and Global Cooperation


During the 2000s, computer forensics became more advanced and internationally recognized. As cybercrime began to
cross national boundaries, governments and organizations realized the need for global cooperation and standardized
forensic practices.
Two major developments occurred during this time.
2004 – Convention on Cybercrime (Budapest Convention)
In 2004, the Convention on Cybercrime, also known as the Budapest Convention, was introduced. This was the first
international treaty aimed at combating cybercrime.
The treaty focused on:
• Improving international cooperation in cybercrime investigations
• Establishing legal frameworks for digital evidence
• Harmonizing cybercrime laws across countries
This convention helped many countries adopt modern laws related to cybercrime investigation and digital evidence
handling.
2005 – ISO 17025 Standards for Forensic Laboratories
In 2005, the ISO/IEC 17025 standard was introduced for forensic laboratories. This standard defined quality and
competence requirements for laboratories conducting forensic analysis, including digital forensic investigations.
The standard ensures that forensic laboratories:
• Use reliable and validated methods
• Maintain proper documentation
• Follow strict quality control procedures
• Produce accurate and reliable results

The adoption of international standards helped improve the credibility and reliability of digital forensic investigations
worldwide.
Example: Numeric Operations

Sample program demonstrates basic arithmetic operations:



Sample program demonstrates real-life scenarios such as shopping, discounts, splitting bills, currency
notes, and interest calculation.

Output:

The round() function is used to format the decimal value in the last statement.

1. Operator Precedence
Operator precedence determines the order in which different operations are performed in a
mathematical expression. When an expression contains multiple operators, Python follows a set of rules
to decide which operation to perform first. Operators with higher precedence are evaluated before those
with lower precedence.
For example, in the expression 5 + 2 * 3, multiplication (*) has a higher precedence than addition (+), so Python first
calculates 2 * 3 = 6 and then adds 5, giving the final result 11.
Precedence Table (Highest to Lowest):

Rules of Operator Precedence


1. Parentheses () have the highest precedence – any expression inside parentheses is evaluated
first.
2. Exponentiation ** is evaluated next – raising a number to a power happens before
multiplication or division.
3. Multiplication *, Division /, Floor Division //, and Modulus % are processed from left to right.
4. Addition + and Subtraction - are evaluated last, also from left to right.
Example: Operator Precedence

2. String Manipulation in Python


A string in Python is a sequence of characters enclosed in single quotes (' ') or double quotes (" "). Strings
are used to represent text-based data such as names, sentences, and special characters. Python also
allows triple quotes (''' ''' or """ """) for multi-line strings.
Characteristics of Strings:
1. Immutable: Once a string is created, it cannot be changed (modified). Any operation that alters a
string creates a new string instead.
2. Indexing: Each character in a string has a position (index), starting from 0 for the first character
and -1 for the last character when using negative indexing.
3. Slicing: A substring can be extracted using slicing (string[start:end]), where start is the beginning
index (inclusive) and end is the stopping index (exclusive).
4. Concatenation: Strings can be combined using the + operator.
5. Repetition: A string can be repeated multiple times using the * operator.
6. Escape Characters: Special characters like \n (newline) and \t (tab) can be used inside strings to
format text properly.
Examples of String Representation:

String Indexing in Python


Strings in Python are indexed sequences of characters, meaning each character in a string has a specific
position, allowing us to access and manipulate individual characters easily. Python supports two types of
indexing: positive indexing (left to right) and negative indexing (right to left).
1. Positive Indexing (Left to Right)
• In positive indexing, the index starts from 0 for the first character and increases sequentially.
• The last character of the string has an index of length - 1.
Example of Positive Indexing:
For the string "Python", the indexes are:

2. Negative Indexing (Right to Left)


• In negative indexing, the index starts from -1 for the last character and decreases as we move
left.
• This allows accessing characters from the end without needing to calculate the string length.
Example of Negative Indexing:
For the string "Python", the negative indexes are:

String Indexing:
• Out-of-range indexes will cause an error. Trying to access text[6] in "Python" will result in an
IndexError.
• Both positive and negative indexing can be used interchangeably. For example, text[0] and
text[-6] both refer to 'P'.
• Indexing is useful for accessing single characters, while slicing (using :) helps extract substrings
efficiently.
String Slicing in Python
String slicing is a technique used to extract a portion (substring) of a string. It follows the syntax:

• start → The starting index (inclusive) of the substring.
• end → The ending index (exclusive) of the substring.
• The slicing operation extracts characters from the start index up to (but not including) the end
index.
1. Basic String Slicing

• text[0:3] extracts characters from index 0 to 2 ('Ben'), excluding index 3.
• text[2:6] extracts characters from index 2 to 5 ('ngal'), excluding index 6.

2. Omitting start or end Index


• If start is omitted, slicing starts from the beginning of the string.
• If end is omitted, slicing continues until the end of the string.

3. Negative Indexing in Slicing


Negative indexes allow slicing from the end of the string.
• text[-4:] extracts characters from index -4 ('s') to the end.
• text[:-3] extracts characters from the start up to index -3 ('Mys'), excluding -3.

4. Slicing with Step (start:end:step)


We can provide an additional parameter, step, to control the interval of slicing.

The step value 2 means every second character is taken ('Ceni').


We can also reverse a string using -1 as the step value:

• Slicing works on both positive and negative indexes.
• The end index is always excluded.
• By using step values, we can control the slicing behavior (skip characters, reverse strings, etc.).
• If start and end are omitted, text[:] returns the entire string.

String Concatenation in Python:


String concatenation is the process of joining two or more strings together to form a single string. Python
provides different ways to concatenate strings, primarily using the + operator and join() method.
Python provides multiple ways to concatenate strings, including:
1. Using the + operator
2. Using the += operator
3. Using the join() method
4. Using formatted strings (.format() and f-strings)
1. Using the + Operator
The + operator is the simplest way to join two or more strings.
Syntax:

This method joins the given strings without adding any extra spaces. If a space is required, it must be
explicitly added.
Example:

Here, " " (space) is added between first_name and last_name to maintain proper formatting.
2. Using the += Operator (Concatenation with Assignment)
The += operator appends a string to an existing string variable.
Example:

Here, " to Bangalore!" is appended to "Welcome", modifying the original message variable.

3. Using the join() Method


The join() method is useful when concatenating multiple strings stored in a list or tuple. It is more
efficient than using + in a loop.
Syntax:

• separator → The string that separates the elements.
• iterable → A list or tuple of strings to be concatenated.


Here, " ".join(words) joins all elements in the list with a space (" ") between them.

4. Using .format() and f-strings (Formatted Strings)


Formatted strings provide a more readable and efficient way to concatenate strings.
Using .format() Method

Using f-strings (Recommended for Python 3.6+)

f-strings are the most efficient and readable way to concatenate strings.

Handling Numbers in Concatenation


Python does not allow direct concatenation of a string with an integer or float. We must convert
numbers to strings using str().
Example:

Trying name + " scored " + score would result in a TypeError because score is an integer.
Examples of String Concatenation
Creating an Email Template

Displaying Flight Ticket Details

3. String Formatting
String formatting in Python allows us to create well-structured and readable text by dynamically inserting
values into strings. Instead of manually concatenating strings and variables, formatting provides a cleaner
and more efficient way to include variables within a string. Python offers multiple ways to format strings,
including the .format() method and f-strings (formatted string literals). f-strings (introduced in Python
3.6) are the most preferred method due to their simplicity and performance. String formatting is widely
used in output messages, reports, and dynamic text generation.
1. Using .format()
Using .format() for String Concatenation
The .format() method in Python is a versatile way to insert values into a string. It is useful for
concatenating strings, formatting numbers, and creating structured outputs dynamically.
Basic Syntax

Curly brackets {} act as placeholders, and the .format() method replaces them with specified values.
1. Basic Example

2. Using Multiple Placeholders


We can insert multiple values in a string using several {} placeholders.

3. Using Positional Arguments


Instead of relying on order, we can explicitly specify positions inside {}.

Here:
• {2} → "large one"
• {0} → "bigger"
• {1} → "small one"

4. Using Named Arguments


We can use keyword arguments inside .format() for better readability.

5. Formatting Numbers (Decimals, Currency)


The .format() method supports number formatting, which is useful for displaying prices, percentages,
and decimal values.

6. Aligning Text for Reports & Tables


The .format() method allows text alignment using special format specifiers.

• {:<10} → Left-aligns "Laptop" within 10 spaces.
• {:>8} → Right-aligns "55000" within 8 spaces.
Examples Using .format()
Example 1: Generating an Invoice
Example 2: Student Grade Report

• The .format() method is flexible and readable.
• It supports positional, keyword, and mixed arguments.
• It is useful for text alignment, number formatting, and real-time applications.
• Ideal for reports, invoices, and formatted output generation.
For modern Python versions (3.6+), f-strings (f"{value}") are a better alternative, but .format() remains
useful for older versions and dynamic string formatting.

2. Using f-strings (Recommended)


f-strings (formatted string literals) were introduced in Python 3.6 and are the recommended way to
format strings because they are faster, more readable, and easier to use than .format().
Basic Syntax
An f-string is created by prefixing a string with f or F and placing variables inside {} directly within the
string.

1. Using Expressions Inside f-strings


We can perform calculations and function calls inside {}.
2. Formatting Numbers with f-strings
(a) Formatting Decimal Places

Example 1: Invoice Generation

Example 2: Flight Ticket


Example 3: Student Grade Report

• f-strings are faster, cleaner, and more readable than .format().
• They allow expressions, calculations, and function calls inside {}.
• Support number formatting, text alignment, and multi-line formatting.
• Ideal for reports, invoices, and formatted text outputs.
• f-strings are the best practice for string formatting in modern Python (3.6+).

CO
Questions
Level
Define a variable in Python and give an example. 1
List any four data types available in Python. 1
Identify the output of print(10 / 3) and print(10 // 3). 1
Recall the order of operations in Python for +, -, *, /, //, %, **. 1
Describe what string indexing is and how negative indexing works in Python. 1
State the difference between string concatenation and string slicing with examples. 1
Recall how .format() is used for string formatting with an example. 1
Identify the output of name = "Amit"; print(f"My name is {[Link]()}"). 1
Explain how f-strings work and why they are preferred over .format(). 1
Define a variable in Python and give an example. 1
Explain the difference between integer and float data types in Python with an example. 2

Illustrate how Python handles operator precedence with a sample expression. 2


Srishyla Education Trust ®

GM UNIVERSITY
(Established under the Karnataka State Act No. 19 of 2023)
Post Box no-4, PB Road, Davangere-577006
FACULTY OF ENGINEERING AND TECHNOLOGY
School of Computer Science and Technology
Discuss the concept of string indexing and demonstrate accessing individual characters using positive and negative indices.    2
Describe how string slicing works in Python and provide an example.    2
Show how string concatenation is performed in Python and explain it with a real-time example.    2
Compare .format() and f-strings for string formatting with suitable examples.
Implement a Python program to declare variables of different data types (integer, float, string) and print their values.    3
Construct an expression using different arithmetic operators and explain the order of execution based on operator precedence.    3
Develop a Python program to perform all arithmetic operations (+, -, *, /, //, %, **) on two given numbers.    3
Use string indexing to extract and print the first, middle, and last character from the given string: "Bangalore"    3
Apply string slicing to extract and print only the domain name from the email "[Link]@[Link]".    3
Modify a given string "Hello World" to "Hello Python" using string concatenation.    3
Write a program using .format() to display a formatted bill receipt containing product name, quantity, and total price.    3
Construct a Python script using f-strings to generate a personalized greeting message based on user input.    3
Implement a program that takes a user's full name and prints their first and last name separately using string slicing.    3
Apply f-string formatting to display a formatted student grade report with name, subject, and marks scored.    3
Examine how Python dynamically handles different data types when assigning values to variables.    4
Compare the behaviour of integer and float division in Python, and determine in which scenarios floor division is preferable.    4
Differentiate between operator precedence and associativity in Python arithmetic expressions, using an example.    4
Investigate how string indexing works with both positive and negative indices, and explain the advantages of using negative indexing.    4
Examine how slicing a string in Python differs from indexing, and evaluate its impact on memory efficiency.    4
Compare string concatenation methods in Python, and determine which method is optimal in terms of performance and readability.    4
Analyze the output of the given Python expression using operator precedence: 10 + 2 * 3 ** 2 // 4 - 5.    4
Investigate how .format() and f-strings handle string formatting differently, and justify why f-strings are considered more efficient.    4
Examine a real-time example where f-strings provide better readability and maintainability over traditional concatenation.    4
Analyze the importance of using explicit data type conversion in numeric operations and identify potential errors that may occur without it.    4
