Understanding Cybercrime and Hacking

The document discusses cybercrime and answers several questions about it. It defines cybercrime and compares it to traditional crimes. It also discusses categories of cybercrime such as crimes against persons, property, and government. The document notes there is no single definition of cybercrime and no comprehensive cybercrime law currently.

Appendix B: Questions and Answers

Chapter 1: Introduction to Computer Crimes and Ethical Hacking


1. What is cybercrime? Compare traditional criminal activity with cybercrime.
Answer: When the internet was developed, its founding fathers hardly had any inkling that it might one
day be used for criminal activities. Today a great deal happens inside computer networks. Cybercrime
refers to any or all activities carried out with criminal intent in a computer network. These may be
criminal activities in the conventional sense, or activities that have evolved with the growth of the
new medium.

Figure: Comparison between traditional criminal activities and cybercrime.

Appendix_B.indd 255 12/10/2018 6:49:55 PM


256 • Digital Forensic – The Fascinating World of Digital Evidences

Cybercrimes clearly refer to crimes carried out using a computer. Traditionally, cybercrime is defined
as a crime that involves a computer and a network.
Although there is no single universal definition of cybercrime, law enforcement usually distinguishes
two main categories of internet-related crime:
1. Advanced cybercrime/high-tech crime: Sophisticated attacks against computer hardware and software.
2. Cyber-enabled crime: Numerous ‘traditional’ crimes have taken a new turn with the arrival of the
internet, such as crimes against children, financial crimes, and even acts of terrorism.
Cybercrimes have an adverse effect on governments, businesses, and even ordinary people.
For example, a botnet is a network of internet-connected computers that are infected by viruses and
controlled as a group.
If an individual wants to prevent cybercrime, he/she has to adopt digital forensic tools to reduce
the vulnerability score. To protect confidential data, or any kind of personal data, the hard drive
should be wiped using a suitable tool. As computer-related crimes increase day by day, the tools
required to fight them are being developed faster.
2. Do we have any one definition of cybercrime?
Answer: There is no single definition of cybercrime. However, any activities or actions that basically
offend human sensibilities can also be included in cybercrime. Child pornography on the web
constitutes one serious criminal offence. Similarly, online paedophiles who lure minors into sex are
committing cybercrimes.
3. What are the various categories of cybercrimes?
Answer: Cybercrimes can be broadly divided into three major categories: cybercrimes against persons,
property, and government.
4. Explain the category “cybercrimes against persons”.
Answer: Cybercrimes can be broadly divided into three major categories, as shown in the figure.

Figure: Categories of cybercrimes.
1. Crimes against persons: cyber-stalking, email spoofing, etc.
2. Crimes against individual property: computer vandalism, transmitting viruses, etc.
3. Crimes against government: cyber terrorism.

Cybercrimes against People: Cybercrimes committed against people include crimes such as cyber
pornography, transmission of child pornography, harassment of an individual through email, false legal
agreement scams, etc. The trafficking, distribution, posting, and dissemination of obscene material,
including pornography and other misdemeanours, constitute important cybercrimes committed against
people. The potential impact of such offences on humanity can hardly be described. Cyber
harassment is a distinct cybercrime. Various kinds of harassment can and do occur on the internet, or
through the use of the internet, including sexual, racial, religious, and other harassment. People
perpetrating such harassment are guilty of cybercrimes.
Cybercrimes against Property: Cybercrime against all forms of property is the second category of
cybercrime. Crimes in this category include computer vandalism, meaning the destruction of others’
property and the transmission of harmful viruses, worms, or programs. An Indian start-up engineering
company lost money and reputation when a rival company, an established business major, stole
the technical catalogue from its computers with the help of corporate cyber-spy software.
Cybercrimes against Government: Cybercrimes against government form the third category of cybercrime.
Cyber terrorism is a distinct crime in this category. The spread of the internet has shown that this medium
is used by individuals and groups to threaten international governments and to terrorize the citizens
of a country. This crime manifests itself as an act of terrorism when an individual ‘cracks’ into a
government- or military-maintained website.
5. Is hacking a cybercrime? Justify.
Answer: Hacking and cracking are among the gravest cybercrimes known to date. It is a dreadful feeling
to realize that a stranger has broken into your computer systems without your knowledge or consent
and tampered with precious confidential data. Moreover, the reality is that no computer system in the
world is crack-proof: any and every system in the world can be cracked. The recent denial-of-service
attacks on popular business sites such as eBay, Yahoo, Amazon, etc. are a new class of cybercrime
that is slowly emerging as very dangerous.
Misusing one’s own programming talents with malicious intent to gain unauthorized access to
a computer or network is a very serious crime. Similarly, the creation and dissemination of harmful
computer programs that do irreparable harm to computer systems is another crime. Software piracy
is another distinct type of crime, perpetrated by many people online who distribute unlawful and
unauthorized pirated copies of software.
6. Is there any comprehensive law on cybercrime today?
Answer: Cybercrime is a newly specialized field in which a lot of development has yet to take place in
putting in place the relevant legal mechanisms or laws for controlling and preventing cybercrime.
As of now, there is no comprehensive law on cybercrime anywhere in the world. This could be why
investigating agencies such as the FBI find the internet a very troublesome piece of ground. These
varied cybercrimes fall into a grey area of internet law that is neither fully nor partly covered by
the present laws.
7. What are the different roles of a computer with respect to cybercrime?
Answer: Computers can play a vital role in crimes, as shown in the figure. They can be evidence,
the instrumentality, contraband, or the fruit of a crime.
1. They can act as a communication tool.
2. They can be the target of the attacker’s criminal activity.
3. They can also be tangential to a crime.


Figure: Roles of computer in crimes.
1. Computers as targets: involves an attack on data integrity, system integrity, data confidentiality,
privacy, or availability.
2. Computers as storage devices: using the computer to store stolen password lists, credit card or
calling card numbers, proprietary corporate information, pornographic image files, or pirated
commercial software.
3. Computers as communications tools: crimes that are committed online, such as fraud, gambling,
child pornography, and the illegal sale of prescription drugs, controlled substances, alcohol, or guns.

Following are some instances where computers are used in crime scenarios:
1. Witnesses can view the suspect’s picture on the screen through the use of computers.
2. DNA testing can be performed using computers. Using DNA testing, criminals can be identified
from past crimes and booked.
3. Mini computers and laptops are used in police vehicles to look up criminal records. Police cars are
fitted with wireless internet connections linked to satellites, so the work is done more efficiently
and easily.
4. Fingerprints can be taken using a computer and used to determine whether the person is linked to
any past case.
5. A computer can also determine how a fire was caused and what accelerant was used in the fire. This
is done using a computer investigation device.
6. Computers are also used at traffic junctions to find the vehicle identification number (VIN), whether
the car is stolen, etc. In case of a crime, the person can be arrested immediately.
7. Databases of criminals are maintained on computers. With just the push of a button, we can obtain
all the information about a criminal. A list can also be maintained of all citizens with prior tickets,
bad behaviour, and felonies.
8. Simulations can be created by the use of computers.
8. What is the difference between a virus and a worm?
Answer: Worms and viruses are both malicious programs that can harm our workstation, but they
are different.
Virus: A virus (vital information resources under siege) is code designed to duplicate itself, often
by copying itself into the various programs stored on the computer. A computer virus attaches itself
to a program or file, spreads from one computer to another, and leaves infections as it travels.
A computer virus can range in severity: some cause only mildly irritating effects, while others can
damage hardware, software, or files.


A virus can enter our system through .EXE (executable) files, which means a virus cannot affect our
computer unless and until we run the malicious program. It is significant to note that a virus cannot
spread without a human action, for example running the infected program (.exe file).

Figure: Virus. A virus is software code with passive transmission; it can mutate, self-replicate,
alter data, delete data, and steal information.

Figure: Worm. A worm is self-contained software with active transmission; it can mutate,
self-replicate, alter data, delete data, and steal information.


Worm: A worm (write once read many) is similar to a computer virus by design. It is considered to
be a sub-category of virus. A worm spreads from computer to computer, but unlike a virus it has the
capability to travel without any human action. The main threat of a worm is its capability to
replicate itself on our system, so rather than our computer sending out a single worm, it could send
hundreds or thousands of copies of itself and cause a hugely devastating effect. For example, a worm
may send a copy of itself to everyone listed in the address book; the worm then replicates itself to
each recipient’s address book, and so on. Since the worm copies itself and also travels across
networks, it consumes system memory and network bandwidth, causing web servers and individual
computers to stop responding.
9. What is hacking? Who is a hacker?
Answer: There are various kinds of security breaches, and the art of exploring them is termed hacking.
Computer hackers have been around for many years. We hear more and more about hacking as the
internet becomes a central part of our lives and is used widely throughout the world. Very few hackers
are well known; Kevin Mitnick is one. The digital world has many different types of hackers. It is hard
to outline an exact profile, since hackers are human like the rest of us and are unique individuals. It
is necessary to note that not all hackers are equal: each hacker has different motives, methods and
skills. Not all hackers are antisocial or teenagers. They are mostly sharp-minded, curious to learn new
things, and brave enough to act.
The term has two meanings:
1. Traditionally, those who like to tinker with software or electronic systems are termed hackers.
They find excitement and happiness in exploring and learning how a computer system operates, and
they try to discover new ways of working electronically.
2. More recently, the term has come to mean one who maliciously breaks into a system for personal gain.
Technically these hackers are criminal hackers, also known as crackers. Crackers intend to break
into systems maliciously, and they do so for revenge, profit, fame or personal gain. They make
people’s lives miserable by modifying, deleting and stealing critical information.
Hacking is a special art as well as a skill. Those engaged in hacking activities are said to be
criminals when they break the laws governing hacking; actually, hacking is more about performing the
steps within limits and following the laws. There are two types of hacker: the good guy and the bad
guy. The good guy is also called a ‘white hat’ and the bad guy a ‘black hat’. Hackers, also referred
to as the bad guys, try to compromise your computers, while ethical hackers, the good guys, try to
protect your computers against illicit entry. Many malicious hackers claim that they cause no harm to
a system and are merely helping others, but they are none other than electronic thieves. A hacker’s
status in hacker circles increases by breaking into someone’s well-protected system.
9. What is the difference between a hacker and a cracker?
Answer: The correct word is cracker, but the media has popularized the word hacker. The public
thinks that a hacker is someone who breaks into computer systems, which is actually false. This
untrue statement is an insult to hackers.
Hacker definition: One who is interested in the workings of any computer operating system is
called a hacker. Very often hackers are good programmers. Hackers have very good and advanced
knowledge of operating systems and programming languages. They know about the various security
holes within systems and the reasons for such holes. Hackers constantly seek advanced knowledge
and share what they have discovered. Hackers never have bad intentions such as damaging or
stealing data.
Cracker definition: A person who breaks into other people’s systems with malicious intentions is a
cracker. A cracker causes problems for the targets by gaining unauthorized access, destroying important
data, stopping services provided by the server, etc. Crackers can be easily identified by their
malicious actions.
Hackers try to do constructive work while crackers do nothing but destroy systems.
Hackers are professionals while crackers are criminals.

Hacker                              Cracker
Lots of knowledge and experience    Lots of knowledge and experience
Good guy                            Bad guy
Strong ethics                       Poor ethics
No crime                            Commits crime
Fights criminals                    Is the criminal

HACKER ≠ CRACKER

Figure: Hacker versus cracker.


10. List and explain various types of cybertheft.
Answer: As internet usage grows daily, the world is coming closer together. The World Wide Web sounds
like a vast phenomenon, but surprisingly one of its qualities is bringing the world closer, making it
a smaller place to live in for its users. However, it has also managed to create another problem for
people who spend long hours browsing the cyber world, namely cybercrime. While law enforcement
agencies are trying to tackle this problem, it is growing steadily, and many people have become
victims of hacking, theft, identity theft and malicious software. One of the best ways to avoid
becoming a victim of cybercrime and to protect your sensitive information is to make use of
impenetrable security that uses a unified system of software and hardware to authenticate any
information that is sent or accessed over the internet. However, before you can understand more about
this system, let us find out more about cybercrimes.
Types of Cyber Crimes: Any crime committed over the internet is referred to as a cybercrime. There
are many types of cybercrime, and the most common ones are as follows:
1. Hacking
2. Theft
3. Cyber stalking
4. Identity theft
5. Malicious software
6. Child soliciting and abuse
11. Who are Phreakers?
Answer: A phreaker is someone who gains illegal access to the telephone system, as shown in the figure.


Figure: Phreakers. Phreakers are considered the original computer hackers; they are those who break
into the telephone network illegally, typically to make free long-distance phone calls or to tap
phone lines.

Phreakers are people who specialize in attacks on the telephone system. The word, which became
popular in the mid-1980s, is probably a combination of the words phone and freak. (Phreakers are also
known as “phreaks” or “phone phreaks.”) In the early days, phreakers whistled or used an instrument
to mimic the tones the phone system then used to route calls and identify payment, especially as a way
to avoid paying for an expensive call. Modern phreaking involves breaking into and manipulating the
phone company’s computer system, making it a specialized kind of hacking.
A recent example of the word ‘phreaker’ from the web:
In fact, the friends’ first business venture together was marketing blue boxes to aspiring phreakers.
—Laura Yan, Popular Mechanics, “An Early Hacker Used a Cereal Box Whistle to Take Over
Phone Lines,” 20 May 2018
12. What is the difference between hacking and ethical hacking?
Answer:
Hacking: Computer hacking refers to breaking into someone’s system for personal or commercial
gain. Hackers, also called pirates, use various tools to cause damage to information and assets.
Ethical hacking: Ethical hacking refers to the methodology adopted to find loopholes in information
systems.
The same tools are used by both hackers and ethical hackers. The only difference is that hackers use
the tools to steal or destroy information, whereas ethical hackers use the same tools to safeguard
systems from “hackers with malicious intent”. Ethical hacking is legal, and the hacking is done with
permission from the client.


13. Explain five steps performed by a hacker.
Answer: Like all good projects, ethical hacking too has a set of distinct phases, which helps hackers
structure an ethical hacking engagement. The same process is used when attacking systems illegally.
Different security training manuals explain the process of ethical hacking in different ways, but the
entire process can be categorized into the following five phases, as shown in the figure:

Figure: The five phases of hacking.
1. Reconnaissance: nothing more than the steps taken to gather evidence and information on the
targets you want to attack.
2. Scanning and enumeration: take the information you gathered in recon and actively apply tools and
techniques to gather more in-depth information on the targets.
3. Gaining access: true attacks are leveled against the targets enumerated in the second phase.
4. Maintaining access: hackers attempt to ensure they have a way back into the machine or system
they have already compromised.
5. Covering tracks: attackers attempt to conceal their success and avoid detection by security
professionals.
(Read Chapter 1 Section 1.14 for complete Details)

Chapter 2: Introduction to Digital Forensics and Digital Evidences
1. Define the terms Digital Forensics and Digital Forensic Investigation.
Answer: Digital forensics can be defined as follows:
Digital forensics is a set of specific, predefined and accepted steps applied to digital media or
digitally stored data, using scientifically proven and derived techniques based on a solid legal/law
foundation, to extract after-the-fact digital evidence with the goal of deriving the set of events or
actions indicating a crime, where reconstruction of possible events can be used to validate the
scientifically derived conclusions.
Digital forensic investigation can be defined as follows:
A digital forensic investigation, or DFI, is a special type of investigation in which the scientific
procedures and techniques used allow the results (the digital evidence) to be admissible in a court
of law.
2. What are the ethical issues involved in digital forensics?
Answer: “Ethics” is derived from the ancient Greek word ethikos, meaning “moral, showing moral
character”. Ethics in the digital forensics field can be defined as a set of moral principles that
regulate the use of computers; some common concerns of computer forensics include intellectual property
resources, privacy concerns and the impact of computers on society. In order to spot ethical problems
effectively, an examiner must therefore be familiar with the law and professional norms governing the
cyber forensics discipline, and this familiarity is one of several presumptions incorporated into the
code of ethics.
With this perspective in mind, ethical decision-making in digital forensics work comprises one
or more of the following:


1. Honesty towards the investigation.
2. Prudence, meaning careful handling of the digital evidence.
3. Compliance with the law and professional norms.
Ethical Norms for an Investigator in the Digital Forensics Field: Computer forensics is an integral
part of the widely expanding field of digital forensics, and as in any investigative field there comes
a time when ethical issues arise. In digital forensic work, ethics and rights come first. Hence, before
starting an investigation in the digital forensics field, the investigator should satisfy the
following points. The investigator:
1. Should contribute to society and human well-being.
2. Should avoid harm to others.
3. Should be honest and trustworthy.
4. Should be fair and take action not to discriminate.
5. Should honor property rights, including copyrights and patents.
6. Should give proper credit for intellectual property.
7. Should respect the privacy of others.
8. Should honor confidentiality.
Unethical Norms for Digital Forensic Investigation: The investigator should not:
1. Withhold any relevant evidence.
2. Disclose any confidential matters or knowledge learned in an investigation without an order from a
court of competent jurisdiction or without the client’s consent.
3. Express an opinion on the guilt or innocence of any party.
4. Engage in any kind of unethical or illegal conduct.
5. Deliberately or knowingly undertake an assignment beyond his or her capability.
6. Distort or falsify education, training or credentials.
7. Display bias or prejudice in findings or observations.
8. Exceed authorization in conducting examinations.
3. What are the various goals of a digital forensic investigation?
Answer: The main motive of a computer forensic investigation is to examine digital evidence and to
ensure that it has not been adulterated in any manner. To achieve this goal, a computer forensics
investigation must deal with the obstacles faced by the forensic investigator. Some of the obstacles are:
1. Generally there are a huge number of files stored on a computer system, and only a certain amount
of that data is valid evidence. If the computer forensics professionals do not know where to find it,
it can take a great deal of time to locate.
2. It is possible that the information has been deleted; in such a situation searching inside the file
is worthless.
3. If the files are secured by passwords, the investigators must find a way to read the protected data
in an unauthorized manner.
4. The data may be stored on a damaged device, whereas by presumption the investigator searches for
data in working devices.
5. The major obstacle is that each and every case is different; identifying the right techniques and
tools takes more time.
6. The digital data found should be protected from being modified. It is very tedious to prove that the
data under examination is unaltered.


7. These obstacles suggest that a common procedure of investigation is desirable, as well as standard
techniques for collecting and preserving digital evidence.
Any investigation conducted has some result, or a very particular purpose. An investigation is generally
initiated with the purpose of establishing facts about an event that took place earlier. As per
Kruse, forensics is conducted to determine the main cause of an event or incident. The primary goal in
establishing the root cause is to confirm that the investigation is conducted in a manner that will
withstand legal scrutiny. Any investigation should therefore be conducted in a methodical manner. The
conduct of the examiner should be such that the validity of the evidence produced cannot be questioned.
It can be noticed that collecting digital evidence helps the investigator. The evidence triage
comprises the user’s usage profile, a chronological timeline of activity, and internet usage. Evidence
about a particular user can be found in home directories and folders, the registry, and file
properties. The evidence obtained will guide an investigator to further possible evidence, even if
other traces have probably been removed, depending on the type of investigation conducted.
The fundamental starting point of any investigation is to answer basic questions about the clue.
In addition to understanding what happened, there is a need to know who is responsible for the
situation. In every investigation process the investigator needs to ask six key questions: what, why,
how, who, where and when.
1. What is determined by the data attributes or metadata.
2. Why refers to the need.
3. How is the procedure followed to mark the incident or isolate the necessary evidence.
4. Who refers to the people involved in the crime.
5. Where refers to the location, and when refers to the time.
The following paragraphs give some clarification on some of the questions. Finding the person who is
supposed to have performed an action is critical. As soon as the person has been identified, a much
faster avenue is opened to finding the rest of the pieces of evidence. An interview can also be
conducted to ask pressing questions about the motive behind it. In a civil claim, the petitioner and
respondent or other legal persons might be crucial. An aspect to be considered here is that the
investigator must never be accused of fabricating the evidence, nor of fabricating the person to whom
it is attributed as its author.
The need for devising a DFI is highlighted in this section in order to find potential evidence to
support a legal conclusion.
4. Explain the various points which should be considered during the digital evidence-handling procedure.
Answer: During the evidence-handling procedure the following points should be considered:
1. Record information about the computer system under examination, including the components currently
installed in the computer, while examining the contents of the hard drive.
2. Before the media is duplicated, digital photographs of the original system should be taken.
3. The evidence tag for the original media or for the forensic duplicate must be filled out. (The
hard drive which will act as the best evidence should be stored in your evidence safe.)
4. Media should be appropriately labeled with an evidence label.
5. The best-evidence copy of the evidence media must be stored in your evidence safe.
6. An evidence custodian records the best evidence in the evidence log. There will be a corresponding
entry in the evidence log for each piece of best evidence.
7. A working copy is created, and all examination is performed on this forensic copy of the best
evidence.
8. The evidence custodian ensures that backup copies of the best evidence are created. Once the
principal investigator for the case states that the data will no longer be needed in an expeditious
manner, the evidence custodian creates the tape backups.


9. It is the responsibility of the evidence custodian to make sure that all disposition dates are met.
The principal investigator assigns the evidence disposition date.
10. To ensure that all of the best evidence is present, properly stored, and labeled, the evidence
custodian performs a monthly audit.
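As an added illustration of steps 3 to 10 above, and of obstacle 6 in the previous answer (proving that the data under examination is unaltered), the following Python evidence log, which is not from the book, records each item under its evidence tag together with a SHA-256 hash of the best-evidence media, accepts a working copy or backup only when its hash matches, and performs the custodian's monthly audit of copies and disposition dates. The evidence tag, custodian name, dates and image bytes are constructed sample values.

```python
"""Evidence custody log: constructed example, not the book's own procedure code."""
import hashlib
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Constructed stand-in for the bytes of a forensic image of the seized drive.
BEST_EVIDENCE_IMAGE = b"constructed-disk-image-bytes-0001"


def sha256_hex(data: bytes) -> str:
    """Hash of the media; equal hashes show a copy is identical to the best evidence."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceItem:
    tag: str                       # evidence tag / label (steps 3 and 4)
    description: str
    custodian: str                 # evidence custodian (step 6)
    acquired: date
    disposition: date              # set by the principal investigator (step 9)
    best_evidence_hash: str        # hash of the media kept in the evidence safe (step 5)
    working_copy_hash: Optional[str] = None   # verified working copy (step 7)
    backup_hash: Optional[str] = None         # verified tape backup (step 8)
    log: List[str] = field(default_factory=list)  # chain-of-custody entries


class EvidenceLog:
    """One entry per piece of best evidence, as step 6 requires."""

    def __init__(self) -> None:
        self.items: Dict[str, EvidenceItem] = {}

    def check_in(self, tag: str, description: str, custodian: str,
                 acquired: date, disposition: date, media: bytes) -> EvidenceItem:
        if tag in self.items:
            raise ValueError(f"evidence tag {tag} already in use")
        item = EvidenceItem(tag, description, custodian, acquired,
                            disposition, sha256_hex(media))
        item.log.append(f"{acquired} checked in by {custodian}; "
                        f"sha256={item.best_evidence_hash}")
        self.items[tag] = item
        return item

    def register_copy(self, tag: str, kind: str, copy: bytes, when: date) -> bool:
        """Accept a 'working' or 'backup' copy only if its hash matches; log either way."""
        if kind not in ("working", "backup"):
            raise ValueError(f"unknown copy kind {kind!r}")
        item = self.items[tag]
        digest = sha256_hex(copy)
        matches = digest == item.best_evidence_hash
        item.log.append(f"{when} {kind} copy {'verified' if matches else 'REJECTED'}; "
                        f"sha256={digest}")
        if matches:
            if kind == "working":
                item.working_copy_hash = digest
            else:
                item.backup_hash = digest
        return matches

    def monthly_audit(self, today: date) -> Dict[str, List[str]]:
        """Step 10: list the items that fail the custodian's monthly checks."""
        findings: Dict[str, List[str]] = {}
        for tag, item in self.items.items():
            problems = []
            if not item.custodian:
                problems.append("no custodian recorded")
            if item.working_copy_hash is None:
                problems.append("no verified working copy")
            if item.backup_hash is None:
                problems.append("no verified backup copy")
            if item.disposition <= today:
                problems.append("disposition date reached")
            if problems:
                findings[tag] = problems
        return findings


def run_demo() -> dict:
    """Walk one constructed item through the steps and return what happened."""
    log = EvidenceLog()
    log.check_in("EV-2018-001", "constructed image of seized laptop drive",
                 "A. Custodian", date(2018, 12, 10), date(2019, 12, 10),
                 BEST_EVIDENCE_IMAGE)
    # A bit-for-bit working copy is accepted; a backup with one extra byte is not.
    working_ok = log.register_copy("EV-2018-001", "working",
                                   bytes(BEST_EVIDENCE_IMAGE), date(2018, 12, 11))
    backup_ok = log.register_copy("EV-2018-001", "backup",
                                  BEST_EVIDENCE_IMAGE + b"\x00", date(2018, 12, 12))
    return {
        "working_ok": working_ok,
        "backup_ok": backup_ok,
        "audit_jan": log.monthly_audit(date(2019, 1, 1)),
        "audit_dec": log.monthly_audit(date(2019, 12, 10)),
        "log": log.items["EV-2018-001"].log,
    }
```

In the demo the January audit flags only the missing backup, while the audit on the disposition date also flags that the item is due for disposition.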
5. Define digital evidence and its types.
Answer: Digital evidence is any information or data of value to an investigation that is stored on,
received by, or transmitted by an electronic device. Text messages, emails, pictures and videos, and
internet searches are some of the most common types of digital evidence.
Evidence can be described as any information that can be trusted and which proves something related
to the case in a trial, i.e. indicating that a certain substance or condition is present.
Types of Evidence: There are many types of evidence, each with its own specific or unique
characteristics. Some of the major types are as follows:
1. Illustrative evidence
2. Electronic evidence
3. Documented evidence
4. Explainable evidence
5. Substantial evidence
6. Testimonial evidence
Illustrative Evidence: Also called demonstrative evidence, it is generally a representation of an
object and is a common form of proof. Example: photographs, videos, sound recordings, X-rays,
maps, drawings, graphs, charts, simulations, sculptures and models.
Electronic Evidence: Electronic evidence is nothing but digital evidence. As we know, the use of
digital evidence in trials has greatly increased. Evidence or proof that can be obtained from an
electronic source is called digital evidence. Example: emails, hard drives, word processing documents,
instant message logs, ATM transactions, cell phone logs and so forth.
Documented Evidence: It is similar to demonstrative evidence, but in documentary evidence the proof is
presented in writing (contracts, wills, invoices, etc.). It can include any number of media, and such
documentation can be recorded and stored (photographs, recordings, films, printed emails, etc.).
Explainable Evidence (Exculpatory): This type of evidence is typically used in criminal cases, where
it supports the defendant, either partially or totally removing their guilt in the case. It is also
called exculpatory evidence.
Substantial Evidence: Proof introduced in the form of a physical object, whether whole or in part. It
is also called physical evidence. Such evidence might consist of dried blood, fingerprints, DNA
samples, or casts of footprints or tyres at the scene of the crime.
Testimonial: Evidence spoken by a witness under oath, or written evidence given under oath by an
official declaration, i.e. an affidavit. This is one of the most common forms of evidence in the
legal system.
6. What is original evidence and what are the various rules of digital evidence?
Answer: The Best Evidence Rule
The best evidence rule requires that the original writing or recording be admitted in court to prove its contents, with only limited exceptions. Under the rule, the original of a document is considered superior evidence. For electronic data the rule treats any printout or other output that is readable by sight and reflects the data accurately, whether stored in a computer or a similar device, as an ‘original’; multiple copies of electronic files may therefore each be equivalent to the ‘original’. Because collected electronic evidence is almost always transferred to other media, computer security professionals rely heavily on this rule.
At our organization, we define best evidence as the most complete copy, or a copy that includes all necessary parts of the evidence, that is most closely related to the original evidence. The best evidence of all is the original evidence media itself. If the client keeps the original evidence media and we hold a copy of it, that copy is considered best evidence; we treat our forensic duplication as best evidence. Therefore, when we say “best evidence” we mean the evidence we have in our possession.
Original Evidence: Sometimes the procedure adopted to deal with a situation takes the evidence outside the control of the client/victim. We assume that a case pursued with proper diligence and persistent work will end up in a judicial proceeding, and we handle the evidence accordingly. If criminal or civil proceedings are a possibility, we persistently push the client/victim to let us take custody of all original evidence, since we have evidence handling procedures in place.
For our purposes, we define original evidence as the real (original) copy of the evidence media provided by a client/victim, and best evidence as the most complete copy, including all necessary parts of the evidence, that is most closely related to the original evidence; best evidence is also called the duplication of the evidence media. For every investigation the evidence custodian should store either the best evidence or the original evidence in the evidence safe.
Rules of Digital Evidence: The rules of evidence, also called the law of evidence, encompass the rules and legal principles that govern the proof of facts. They determine what evidence may or may not be considered by the trier of fact, and they are also concerned with the quantity, quality and type of proof needed to prevail in litigation. The rules vary between criminal courts, civil courts and other forums. Digital evidence must be:
Admissible: The evidence must be usable in court, i.e. it must have been collected and handled in a way the court accepts.
Authentic: The evidence must be positively tied to the incident; it must be what it purports to be.
Complete: The evidence must tell the whole story, covering all perspectives rather than only those that support one conclusion.
Reliable: There must be nothing about how the evidence was collected and handled that casts doubt on the specialist’s conclusions.
Believable: The evidence must be understandable and believable to a jury.
7. What are the steps involved in computer evidence handling? Explain in detail.
Answer: Computer evidence is fragile by its very nature, and the problem is compounded by the potential for destructive programs and hidden data. Even the normal operation of the computer can destroy evidence that may be lurking in unallocated space, file slack, or the Windows swap file. There are no strict rules that must be followed when processing computer evidence: every case is different, and flexibility on the part of the computer investigator is important. With that in mind, the following general computer evidence processing guidelines are provided. They do not represent the only correct way of processing computer evidence; they are general guidelines offered as food for thought:
1. Shut down the computer
2. Document the hardware configuration of the system
3. Transport the computer system to a secure location
4. Make bit stream back-ups of hard disks and floppy disks
5. Mathematically authenticate data on all storage devices
6. Document the system date and time
7. Make a list of key search words
8. Evaluate the Windows swap file

9. Evaluate file slack
10. Evaluate unallocated space (erased files)
11. Search files, file slack, and unallocated space for key words
12. Document file names, dates, and times
13. Identify file, program, and storage anomalies
14. Evaluate program functionality
15. Document your findings
16. Retain copies of software used
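Steps 5 and 11 above (mathematically authenticating the storage device and searching files, file slack and unallocated space for key words) are the parts of the procedure that are easiest to show in code. The following is an added example, not code from the book: it builds a small constructed disk image whose allocation map, cluster size, file names and contents are all assumptions for the illustration, records hashes of the image so later work can be shown to have left it unchanged, and reports every key word hit together with the region (allocated file, file slack or unallocated space) in which it was found.

```python
"""Added example (not the book's code): hash an acquired image and search
allocated data, file slack and unallocated space for key words.
Layout, file names and contents below are constructed for illustration."""
import hashlib

SECTOR = 512
CLUSTER = 4 * SECTOR          # assumed 2 KiB clusters
N_CLUSTERS = 6

# Constructed allocation map: cluster -> (file name, logical size in bytes).
# Clusters absent from the map are unallocated. Each sample file fits in one
# cluster, so "offset within cluster >= logical size" means file slack.
ALLOC = {
    0: ("report.txt", 1300),
    1: ("notes.txt", 600),
}

def build_sample_image():
    """12 KiB image: live data in allocated space, residue of an older file
    in report.txt's slack, and an erased file in unallocated cluster 3."""
    img = bytearray(N_CLUSTERS * CLUSTER)
    report = b"Quarterly report. Nothing unusual.".ljust(1300, b"x")
    img[0:1300] = report
    slack = b"password=hunter2 "            # left behind by a deleted file
    img[CLUSTER - 64:CLUSTER - 64 + len(slack)] = slack
    notes = b"meeting moved to tuesday".ljust(600, b" ")
    img[CLUSTER:CLUSTER + 600] = notes
    erased = b"wire transfer 250000 to account 7781"
    start = 3 * CLUSTER + 100              # cluster 3 is no longer allocated
    img[start:start + len(erased)] = erased
    return bytes(img)

def authenticate(image):
    """Step 5: hashes recorded at acquisition; recompute later to prove the
    image is unchanged (MD5 matches the book's tooling, SHA-256 is stronger)."""
    return {"md5": hashlib.md5(image).hexdigest(),
            "sha256": hashlib.sha256(image).hexdigest()}

def classify_offset(offset):
    """Name the region an image offset falls in, using the allocation map."""
    cluster = offset // CLUSTER
    if cluster not in ALLOC:
        return "unallocated"
    name, size = ALLOC[cluster]
    return "allocated:" + name if offset % CLUSTER < size else "slack:" + name

def keyword_search(image, keywords):
    """Step 11: every occurrence of each key word as (word, offset, region)."""
    hits = []
    for kw in keywords:
        start = 0
        while True:
            pos = image.find(kw, start)
            if pos < 0:
                break
            hits.append((kw.decode(), pos, classify_offset(pos)))
            start = pos + 1
    return hits

if __name__ == "__main__":
    img = build_sample_image()
    print(authenticate(img))
    for hit in keyword_search(img, [b"password", b"wire transfer", b"report"]):
        print(hit)
```

The region label is what makes a hit defensible: a credential found in slack or in an erased cluster cannot be attributed to the file that currently owns that space, and the hash recorded by `authenticate` is what lets you show the search was run on an unchanged copy.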
8. What are the different ethical issues involved in digital evidence?
Answer:
Ethical Issues/Legal Principles of Digital Evidence: This section briefly describes some considerations that an investigator should take into account when performing a digital forensic investigation.
Culley notes that courts, tribunals and numerous other bodies increasingly need digital evidence, the reason being that many facets of our lives have become reliant on computers. It is therefore necessary for the investigator to be conscious of the legal requirements that are generally accepted within the legal system. Neglecting the legal principles mentioned here will usually result in the evidence being inadmissible.
Circumstantial and Hearsay Nature of Digital Evidence: Digital evidence is circumstantial and hearsay in nature, and within the legal context the investigator must take both characteristics into account. Direct evidence establishes a fact, whereas circumstantial evidence may only suggest a fact. Circumstance is also commonly referred to as context in the literature. The hearsay nature of digital evidence can be described as follows. An eyewitness can normally support a fact directly. The investigator, however, examines the traces of the actual event but does not see the event itself, and can only present the proof found and a probable explanation. An exact reproduction of the activities that created the digital evidence may be impossible, and the author or creator of the digital evidence may be absent from court. In such cases the proof is hearsay in nature and the original is not reproducible.
The context in which the digital evidence is found also helps the investigator to draw conclusions; with the context removed, digital evidence is only an abstraction of some incident. Cohen gives the following two rules for digital evidence whose context cannot be determined:
1. An investigator cannot place an individual at a particular location and time to verify that something took place in the physical world; and
2. The traces of digital evidence show only that some sequence of events is consistent with those traces, not that a particular sequence of events produced them.
Cohen’s second rule acts as a test for the investigator: different sequences of events can lead to the same state on a device, and a reconstructed sequence of events might not be identical to the actual sequence that produced the state being inspected. Authorization and the authenticity of digital evidence are therefore essential to a successful digital forensic investigation.

Chapter 3: Incidence Response Process


1. Explain incident response methodology.
Answer: We are continually searching for the right way to organize the process. To define the phases of the process we look for the correct order of phases and for bright-line separations between them, so as to avoid murky areas. For example, we try to create the right flowchart and organize the phases so that the process can be applied to the widest range of potential situations. It is quite a challenge to form a simple picture of the process while maintaining a useful level of accuracy, because the incident response process involves numerous variables and factors that can affect its flow. However, we feel that we have developed an incident response methodology that is both straightforward and accurate.
Computer security incidents are mostly complicated, multifaceted problems. As with any complex engineering problem, we use a “black box” approach: we divide the larger problem of incident resolution into components and examine the inputs and outputs of each component. The figure below illustrates this approach. The incident response methodology has seven major components:

Figure Incident response methodology. The flow shown is: Incident occurs (point-in-time or ongoing) -> Pre-incident preparation -> Detection of incidents -> Initial response -> Formulate response strategy -> Investigate the incident (data collection, data analysis) -> Reporting -> Resolution (recovery, implement security measures).

1. Pre-incident preparation: Before an incident occurs, take the necessary actions to prepare the organization and the Computer Security Incident Response Team.
2. Detection of incidents: Recognizing a probable computer security incident.
3. Initial response: Perform an initial investigation by recording the basic details surrounding the incident, assembling the incident response team, and notifying the individuals who need to know about the incident.
4. Formulate response strategy: Determine the best response and obtain management approval, based on the outcome of all the known facts. On the basis of the conclusions, determine which civil, criminal, administrative or other actions are appropriate in light of the examination.
5. Investigate the incident: Perform a thorough collection of data, then review the data collected to determine what happened, when it happened, who did it, and how it can be prevented in the future.
6. Reporting: Accurately report information about the investigation in a manner that is useful to decision makers.
7. Resolution: Employ security measures and procedural changes, record lessons learned, and develop long-term fixes for any problems identified.
(Read Chapter 3 Section 3.4 for details.)
2. What is an incident, and what are the goals of incident response?
Answer:
Incident: In information technology, an incident (or attack) is an event in which a service or component fails to provide a feature or service that it was designed to deliver.
Goals: Our incident response methodology emphasizes the goals of corporate security professionals with legitimate business concerns, and also takes into consideration the concerns of law enforcement officials. We have therefore developed a procedure that promotes a coordinated, cohesive response and achieves the following:
1. Prevents a disjointed, non-cohesive response (which could be disastrous).
2. Confirms or dispels whether an incident occurred.
3. Promotes the collection of accurate information.
4. Establishes controls for the proper retrieval and handling of evidence.
5. Protects privacy rights established by law and policy.
6. Minimizes disruption to business and network operations.
7. Allows for criminal or civil action against the perpetrators.
8. Provides accurate reports and useful recommendations.
9. Provides rapid detection and containment.
10. Minimizes exposure and compromise of proprietary data.
11. Protects the organization’s reputation and assets.
12. Educates senior management.
13. Promotes rapid detection and/or prevention of such incidents in the future (via lessons learned, policy changes, and so on).

Chapter 4: Live Data Collection


1. How should information obtained during the initial response be saved?
Answer: When you respond to an incident, you must choose where to save the information retrieved during the initial response. The storage options are as follows:
1. Save the data on the local hard drive.
2. Save the data on external devices such as USB drives or tape drives.
3. Record the information manually, by hand.
4. Transfer the retrieved data to the forensic workstation over the network using netcat or cryptcat.
When possible, saving the data on local drives should be avoided. Information you save on the local hard drive overwrites deleted data in unallocated space that may be of investigative value when data recovery or forensic analysis is required.
Newer versions of Linux support USB drives, but direct physical connection is not always practical for information collection. The solution to this limitation is to use netcat to transfer the data over the network to the forensic workstation; using Linux on the forensic workstation gives a faster response and overcomes the limitation of storage space. The netcat stream can be piped through des to encrypt the data transfer, and the cryptcat command provides an encrypted TCP channel in a single step.
After selecting how to retrieve information from the target system, consider the best time to respond. You need to determine the network connectivity of the target system; having done so, you can respond at the console of the target system.
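Option 4 above, streaming live-response output to the forensic workstation instead of writing it to the target's disk, is the netcat pattern (`nc -l -p PORT > file` on the workstation, `command | nc HOST PORT` on the target). The following added example, which is not the book's code, reproduces that exchange with plain Python sockets so it runs offline on one machine: the workstation side listens and writes the stream to a file, the target side sends, and both ends compute SHA-256 so the investigator can show that the copy on the workstation is byte-for-byte what left the target. The `netstat` output is constructed sample data; the transfer is in the clear, as with netcat (cryptcat would add the encryption).

```python
"""Added example (not the book's code): the netcat live-collection pattern
with Python sockets, hashing on both ends. SAMPLE_NETSTAT is constructed."""
import hashlib
import os
import socket
import tempfile
import threading

SAMPLE_NETSTAT = (b"Proto  Local Address      Foreign Address     State\n"
                  b"TCP    10.0.0.5:445       10.0.0.9:51234      ESTABLISHED\n"
                  b"TCP    10.0.0.5:4444      198.51.100.7:3389   ESTABLISHED\n")

def start_receiver(out_path, host="127.0.0.1"):
    """Workstation side, equivalent of `nc -l -p PORT > out_path`.
    Returns the ephemeral port, the receiver thread and a one-element list
    that holds the SHA-256 of everything written once the thread finishes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    result = [None]

    def run():
        conn, _ = srv.accept()
        srv.close()
        digest = hashlib.sha256()
        with conn, open(out_path, "wb") as fh:
            while True:                      # read until the sender's EOF
                chunk = conn.recv(65536)
                if not chunk:
                    break
                fh.write(chunk)
                digest.update(chunk)
        result[0] = digest.hexdigest()

    th = threading.Thread(target=run, daemon=True)
    th.start()
    return port, th, result

def send_stream(host, port, data):
    """Target side, equivalent of `netstat -an | nc HOST PORT`. Nothing is
    written on the target; returns the SHA-256 computed before sending."""
    with socket.create_connection((host, port)) as s:
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)           # EOF tells the receiver we are done
    return hashlib.sha256(data).hexdigest()

def collect_over_network(data, out_path=None):
    """Run both ends on localhost; returns (target hash, workstation hash, path)."""
    if out_path is None:
        fd, out_path = tempfile.mkstemp(prefix="netstat-", suffix=".txt")
        os.close(fd)
    port, th, result = start_receiver(out_path)
    sent = send_stream("127.0.0.1", port, data)
    th.join(timeout=10)
    return sent, result[0], out_path

if __name__ == "__main__":
    sent, received, path = collect_over_network(SAMPLE_NETSTAT)
    print("target      ", sent)
    print("workstation ", received)
    print("match" if sent == received else "MISMATCH", path)
```

Record both hashes in your notes at collection time; the hash computed on the target is the one that ties the file on the workstation to the state of the live system.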
2. Who is involved in data collection, and what are their roles?
Answer: No one other than a computer forensic specialist should touch the system. Care has to be taken to protect the computers from alteration and damage. Criminals who plant Trojan horses or similar tools often prepare their systems so that all evidence is automatically destroyed when the system is rebooted or shut down by anyone other than themselves.
Several people are involved in evidence collection: the first responder (usually an officer or a security person), the investigators (usually led by a senior investigator) and the crime scene technicians (usually people who are experts in computer forensics). Each has been assigned specific roles, which are described below.
Role of the first responder: The first responder is the person who first arrives at the crime scene, such as an officer or a security person. Because shutting down or rebooting the system may destroy important information or even evidence, the first responder must not power off or restart the system, nor access the system to look for evidence.
The first responder should follow this process:
1. Identifying the crime scene: The first person to arrive (usually an officer) should be able to identify the extent of the crime and restrict access to the crime scene. The scene may be as small as a room, or consist of several rooms or even multiple buildings. Compiling a list of the computer systems that might be involved is one of the main tasks of the first responder.
2. Protecting the crime scene: All devices, including non-functional computers, mobile phones, notebooks, PDAs and other portable devices, are considered part of the crime scene. The first responder should freeze the state of all devices and wait for the IT incident response team or the investigator in charge to decide whether any equipment can be excluded.
3. Preserving temporary and tamper-prone evidence: Evidence that could vanish or be destroyed before the arrival of the investigation team should be preserved and maintained by the first responder. If surveillance (CCTV) is available, it is easier to establish what was done; without it, reconstructing the crime scene is a challenge for the investigators.
Role of investigators: The IT incident response team has the authority to collect evidence before any law enforcement team arrives. Handling all activities at the crime scene is generally the responsibility of an investigator, who is responsible for:
1. The chain of command: The investigator should make sure that every person present at the crime scene is aware of the chain of command, that is, who directs the investigation process. No system or other equipment at the crime scene may be touched, moved, accessed or unplugged without the permission of a senior investigator; the role of the investigator is to control and manage the investigation.
If the senior investigator has to leave the crime scene, he or she should assign a person of similar standing and stay in contact with that person until all facts and evidence have been collected and moved to secure storage.
2. Conducting the crime scene search: Officers should look for all systems, written documents and notes, manuals and log files related to the crime, including mobile phones, printers, scanners and external media such as flash drives, hard disks, CDs/DVDs and tapes.
3. Preserving the integrity of the evidence: Criminals tend to destroy evidence, which is why all evidence must be preserved in order to take action against the offender. Investigators should make exact copies of all evidence where possible, and should be able to suggest additional precautions based on the nature of the suspect or suspects.
Role of crime scene technicians: These are the people who are specialists or experts in computer forensics. They must have a strong background in computers and their technology, including how file systems work, the structure of disks, and where data is stored.
Crime scene technicians are usually responsible for the following:
Preserving volatile evidence and duplicating disks: Temporal, or volatile, data is data held in the computer’s memory, such as RAM, and it is lost when the system is shut down or rebooted. Volatile data should be collected, and the disks containing evidence duplicated, before the system is shut down, because evidence may disappear once the system is powered off or rebooted.
Shutting down the computer system for transport: To preserve the integrity of the original evidence, shutting down the systems properly is important. All running programs or applications should be closed properly to avoid corruption of files.
One school of thought says that after making sure that no defragmentation or disk checking program is running, you should power off the system by unplugging the power cable, so that self-destruct programs scheduled to run at shutdown never execute.
On UNIX, however, the system should not be shut down so abruptly, because doing so may damage data files. Some forensic experts suggest switching to the root account with the ‘su’ command and using ‘sync; sync; halt’ to power off the system, but this is only possible if the system’s root password is available.
Marking and recording the evidence: All evidence should be tagged with the time and date of collection, the initials of the investigator, the case identification number, and other related information, and every tagged item should be recorded in the evidence log.
Packaging the evidence: All digital evidence such as hand-held devices, computers, laptops, PDAs and hard disks should be properly packed in antistatic bags for transport.
Written documents such as notes, manuals and books should be placed in plastic bags to protect them from damage.
Transporting the evidence: All evidence should be transported securely and directly to the secure evidence locker or room. During transport the evidence must not come into contact with magnetic fields, nor be left in direct sunlight or any other place where the temperature rises above 75 degrees Fahrenheit.
Processing the evidence: When the copy of the disk is brought back to the lab, the disk image can be reconstructed and analysed with specialist tools.
3. How do you create a response toolkit? Explain the steps.
Answer: We need a plan and a policy for retrieving all the information without disturbing the evidence. We have to be careful not to destroy or alter the evidence, and to do this we create a response toolkit.
Do not underestimate the importance of creating a response toolkit. An experienced and trusted person should collect the files and burn them to CD. The toolkit must be in proper working condition before it is needed: testing the toolkit for the first time during a live investigation is the biggest risk in the investigation process.
Collecting the tools: It is critical to use trusted commands in all incident responses, irrespective of the type of incident. An investigator should maintain a CD or floppy that contains at least the tools described in the following table:

Table Response toolkit tools

Tool | Description | Source
[Link] | The command prompt for Windows NT and Windows 2000 | Built in
PsLoggedOn | A utility that shows all users connected locally and remotely | [Link]
rasusers | A command that shows which users have remote-access privileges on the target system | NT Resource Kit (NTRK)
netstat | A system tool that enumerates all listening ports and all current connections to those ports | Built in
Fport | A utility that enumerates all processes that opened any TCP/IP ports on a Windows NT/2000 system | [Link]
PsList | A utility that enumerates all running processes on the target system | [Link]
ListDLLs | A utility that lists all running processes, their command-line arguments, and the dynamically linked libraries (DLLs) on which each process depends | [Link]
nbtstat | A system tool that lists the recent NetBIOS connections for approximately the last 10 minutes | Built in
arp | A system tool that shows the MAC addresses of systems that the target system has been communicating with within the last minute | Built in
kill | A command that terminates a process | NTRK
md5sum | A utility that creates MD5 hashes for a given file | [Link]
rmtshare | A command that displays the shares accessible on a remote machine | NTRK
netcat | A utility used to create a communication channel between two different systems | [Link]/research/tools/network_utilities
cryptcat | A utility used to create an encrypted channel of communications | [Link] cryptcat
PsLogList | A utility used to dump the contents of the event logs | [Link]
ipconfig | A system tool that displays interface configuration information | Built in
PsInfo | A utility that collects information about the local system build | [Link]
PsFile | A utility that shows files that are opened remotely | [Link]
PsService | A utility that shows information about installed services and their status | [Link]
auditpol | A utility used to display the current security audit settings | NTRK
doskey | A system tool that displays the command history for an open [Link] shell | Built in
There are two types of applications available in Windows:
1. GUI-based (Graphical User Interface)
2. CUI-based (Character User Interface, i.e. command line)
GUI applications involve pull-down menus and usually perform work in the background, ‘behind the scenes’, where the investigator cannot see or document what they touch. Experts therefore advise against using GUI tools for investigation.
The above table contains only CUI tools.
Preparing the Response Toolkit: We must be sure that the toolkit works exactly as intended and does not alter the target system. There are several stages in preparing a toolkit for initial response:
1. Tag the response toolkit media: Documenting the collection itself is the first step in the evidence collection process. Label the CD or floppies to identify them as part of your investigation. The tag may contain information such as the case identification number, the time and date of the investigation, the name of the investigator who created the response media and the name of the investigator who used it.
2. Check the dependencies: Identify which files each response tool depends on. Filemon can be used to determine all the files used and affected by each utility in the toolkit. No tool in the kit should alter a lot of information on the target system, and you must know which tools change the access times of files on the target system.
3. Create checksums for the response toolkit: Keep a file, usually a text file, that contains the checksum of every command on the media. The following snapshot shows the md5sum commands used to generate the text file (named [Link]).

Figure Md5sum to create a checksum for the response toolkit.
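Step 3 above, a checksum file for the toolkit media, is only useful if it is also checked before each use. The following added example, which is not the book's code, writes a manifest for a toolkit directory and later re-hashes the media against it, reporting each tool as unchanged, modified, missing, or present but unlisted. The book's figure uses md5sum; this example records SHA-256 alongside MD5, since MD5 collisions are practical and a hash used to prove tool integrity should be collision resistant. The toolkit directory, the fake tool files and the manifest file name are constructed for the illustration.

```python
"""Added example (not the book's code): create and verify a checksum
manifest for the response toolkit media. The toolkit contents are fake."""
import hashlib
import os
import tempfile

def file_hashes(path):
    """(md5, sha256) of a file, read in chunks so large tools are fine."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()

def create_manifest(toolkit_dir, manifest_name="checksums.txt"):
    """Hash every file on the media and write one line per tool in the form
    <md5>  <sha256>  <relative path>. Returns {path: (md5, sha256)}."""
    entries = {}
    for root, _, files in os.walk(toolkit_dir):
        for name in sorted(files):
            if name == manifest_name:
                continue
            full = os.path.join(root, name)
            entries[os.path.relpath(full, toolkit_dir)] = file_hashes(full)
    with open(os.path.join(toolkit_dir, manifest_name), "w") as out:
        for rel in sorted(entries):
            md5, sha = entries[rel]
            out.write(f"{md5}  {sha}  {rel}\n")
    return entries

def verify_manifest(toolkit_dir, manifest_name="checksums.txt"):
    """Re-hash the media against the manifest. Returns {path: status} with
    status 'ok', 'modified' or 'missing', plus 'unlisted' for any file that
    appeared on the media after the manifest was written."""
    status, listed = {}, set()
    with open(os.path.join(toolkit_dir, manifest_name)) as fh:
        for line in fh:
            md5, sha, rel = line.rstrip("\n").split("  ", 2)
            listed.add(rel)
            full = os.path.join(toolkit_dir, rel)
            if not os.path.isfile(full):
                status[rel] = "missing"
            else:
                status[rel] = "ok" if file_hashes(full) == (md5, sha) else "modified"
    for root, _, files in os.walk(toolkit_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), toolkit_dir)
            if name != manifest_name and rel not in listed:
                status[rel] = "unlisted"
    return status

def build_demo_toolkit():
    """Constructed stand-in for the response CD: a few fake tool binaries."""
    d = tempfile.mkdtemp(prefix="toolkit-")
    for name, body in [("netstat.exe", b"fake netstat"),
                       ("PsList.exe", b"fake pslist"),
                       ("nc.exe", b"fake netcat")]:
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(body)
    return d

def demo():
    """Manifest a clean kit, then trojan one tool and verify again.
    Returns (status before tampering, status after tampering)."""
    d = build_demo_toolkit()
    create_manifest(d)
    before = verify_manifest(d)
    with open(os.path.join(d, "nc.exe"), "ab") as fh:
        fh.write(b"backdoor")                 # simulated tampering on the media
    return before, verify_manifest(d)

if __name__ == "__main__":
    before, after = demo()
    for path in sorted(after):
        print(f"{before[path]:9} -> {after[path]:9} {path}")
```

Keep the manifest on separate, read-only media from the toolkit (or sign it); a manifest that travels with the tools it describes can be rewritten by whoever rewrites the tools.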

Chapter 5: Forensic Duplication


1. Why is forensic duplication required?
Answer: We have seen in previous sections how volatile data is collected from Windows and UNIX. The next step is to create a forensic duplicate. In this section we will see how a forensic duplicate is created and why it is needed.
A forensic duplicate is a file containing every single bit of information obtained from the source in a raw bit-stream format. The data is stored exactly as it is on the hard drive, so, for example, a 4 GB hard drive results in a 4 GB forensic duplicate. The file contains no extra data other than the placeholders written where an error occurred while reading from the original. After the duplication process the forensic duplicate can be compressed.
In all cases the computer/media is the main “crime scene”, and protecting it is paramount because once digital evidence is contaminated it cannot be decontaminated. The investigator must take care not to change the digital evidence during any step of the investigation. Most media are magnetic and the data on them is easily altered, and examining a live file system changes the state of the evidence (the MAC times).
Hence the importance of forensic duplication can be summarized as:
1. Working from a duplicate image
• Preserves the original digital evidence.
• Prevents inadvertent alteration of the original digital evidence during examination.
• Allows the duplicate image to be recreated if necessary.
2. Digital evidence can be duplicated with no degradation from copy to copy.
• This is not the case with most other forms of evidence.
2. Write short note on the following:
• Forensic Duplicate
• Restored Image
• Mirror Image
• Qualified Forensic Duplicate
Answer:
Forensic Duplicate: A forensic duplicate stores every bit of information from the source in a raw bit-stream format: duplicating a 5 GB drive results in 5 GB of forensic data. No extra data is stored in the file, except where an error occurred in a read operation from the original; in that case a placeholder is written where the data would have been. After the duplication process a forensic duplicate may be compressed. Two tools that create a true forensic duplicate are the UNIX dd command and dcfldd, the Computer Forensics Lab version of dd. The Open Data Duplicator (ODD) can also be used.
Qualified Forensic Duplicate: A file that stores every bit of information from the source, but in an altered format, is called a qualified forensic duplicate. In-band hashes and empty-sector compression are two examples of such alterations. Some tools read a group of sectors from the source, compute a hash of that group, and write the sector group followed by its hash value to the output file; if something goes wrong during the duplication or in later handling, the embedded hashes show which sector group is affected. Empty-sector compression can be used to reduce the size of the output file. SafeBack and EnCase generate qualified forensic duplicates, and you may need proprietary software to restore the resulting files.
(A qualified bit-stream duplicate is defined as a duplicate except in identified areas of the bit stream; the identified areas are replaced by values specified by the tool’s documentation.)
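The two formats just described differ only in what is written around the sectors, which is easiest to see by producing both from the same source. The following added example, which is not the book's code nor that of dd, dcfldd, SafeBack or EnCase, reads a simulated drive that has one unreadable sector. The raw duplicate keeps every byte in place and writes a zero-filled placeholder for the bad sector (the behaviour dd gives with `conv=noerror,sync`); the qualified duplicate writes each group of sectors followed by an in-band SHA-256 of that group, so damage to the image file can later be pinned to one group, and a small restore routine strips the hashes back out to recover the raw bit stream. The sector size, group size, sector contents and bad-sector list are assumptions of the simulation.

```python
"""Added example (not the book's or any tool's code): raw versus qualified
forensic duplicate from a simulated disk with one unreadable sector."""
import hashlib

SECTOR = 512
HASH_LEN = 32                       # sha256 digest size

class SimulatedDisk:
    """Stand-in for a block device: sector n holds a recognizable pattern,
    and sectors listed in `bad` raise the I/O error a failing drive would."""
    def __init__(self, sectors, bad=()):
        self.sectors = sectors
        self.bad = set(bad)

    def read_sector(self, n):
        if n in self.bad:
            raise OSError(f"I/O error reading sector {n}")
        return (b"S%05d" % n).ljust(SECTOR, b"\0")

def read_or_placeholder(disk, n, errors):
    """One sector, or a zero placeholder (offsets stay aligned) plus a log entry."""
    try:
        return disk.read_sector(n)
    except OSError:
        errors.append(n)
        return b"\0" * SECTOR

def raw_duplicate(disk):
    """True forensic duplicate: the bit stream and nothing else.
    Returns (image bytes, list of unreadable sector numbers)."""
    errors = []
    out = b"".join(read_or_placeholder(disk, n, errors) for n in range(disk.sectors))
    return out, errors

def qualified_duplicate(disk, group=4):
    """Qualified duplicate with in-band hashes: [group bytes][sha256] repeated."""
    out, errors = bytearray(), []
    for start in range(0, disk.sectors, group):
        block = b"".join(read_or_placeholder(disk, n, errors)
                         for n in range(start, min(start + group, disk.sectors)))
        out += block + hashlib.sha256(block).digest()
    return bytes(out), errors

def verify_qualified(image, total_sectors, group=4):
    """Recompute every in-band hash; returns the indexes of failing groups."""
    bad_groups, pos = [], 0
    for g, start in enumerate(range(0, total_sectors, group)):
        n = min(group, total_sectors - start) * SECTOR
        block, digest = image[pos:pos + n], image[pos + n:pos + n + HASH_LEN]
        if hashlib.sha256(block).digest() != digest:
            bad_groups.append(g)
        pos += n + HASH_LEN
    return bad_groups

def strip_hashes(image, total_sectors, group=4):
    """The restore step: drop the in-band hashes to recover the raw bit stream."""
    out, pos = bytearray(), 0
    for start in range(0, total_sectors, group):
        n = min(group, total_sectors - start) * SECTOR
        out += image[pos:pos + n]
        pos += n + HASH_LEN
    return bytes(out)

if __name__ == "__main__":
    disk = SimulatedDisk(10, bad=[7])
    raw, errs = raw_duplicate(disk)
    q, qerrs = qualified_duplicate(disk)
    print("raw size", len(raw), "unreadable sectors", errs)
    print("qualified size", len(q), "bad groups", verify_qualified(q, 10))
    print("restore matches raw:", strip_hashes(q, 10) == raw)
```

The error list is part of the record: a zero-filled sector in the image is indistinguishable from a genuinely empty one unless the acquisition notes say which sectors failed to read.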
Restored Image: Restoring a forensic duplicate or a qualified forensic duplicate to another storage medium produces a restored image. It is a complicated process: as the forensic duplicate is restored to the destination hard drive, the partition tables are updated with new values, so the restored image may differ in some details from the original image. Tools such as SafeBack, EnCase and dd produce images that can be restored in this way; EnCase and dd images can often be examined without being restored at all.
Mirror Image: A mirror image is generated by hardware that performs a bit-for-bit copy from one hard drive to another. Generating a mirror image adds an extra step to the forensic investigation process. If your organization is able to keep the original drive, detached from the computer system being examined, you can easily make working copies from it; if the original must be returned, the analyst will be required to make a working copy of the mirror image for analysis. Hardware copiers such as Logicube’s Forensic SF-5000 and Intelligent Computer Solutions’ ImageMASSter Solo-2 Professional Plus are simple to set up and operate.
3. Explain how to create a qualified forensic duplicate with the SafeBack tool.
Answer: SafeBack is offered by New Technologies Inc. (NTI) and is used to make a qualified forensic duplicate of any hard drive. Because SafeBack runs from a DOS boot floppy, you need a clean environment ready on that floppy.

Figure The first location of string SPACE in IO system.

Figure Changing [Link] to [Link].

Using SafeBack to create a duplicate of a computer system is quite simple. Figure 5.18 in Chapter 5 shows the SafeBack start-up screen. SafeBack offers four modes of operation:
1. The Backup function generates an image file of the source media.
2. The Restore function restores a forensically sound image to a drive.
3. The Verify function verifies the checksums within an image file.
4. The Copy function performs the backup and restore operations in one action.

Figure Safeback start-up screen.

The next screen, shown in the figure, is SafeBack's drive selection screen. It lists the physical as well
as the logical drives detected by SafeBack. Because the goal of forensic duplication is an exact duplicate
of the original media, the logical drives are ignored. Check the drive specifications against the
information recovered from the system BIOS and from the label on the physical drive itself, and resolve
any conflicts before imaging: SafeBack must be able to address the complete hard drive.

Figure: SafeBack drive selection.

The Verify option ensures that the evidence file created is a proper representation of the content of
the media and that the file can be restored successfully. Use the Verify option before leaving the site.
EnCase's Verify option, in its Windows interface, verifies the contents of an image file without referring
to the original drive.


4. Explain how to create a qualified forensic duplicate of a hard drive.

Answer: The first rule a beginning examiner should learn is never to boot from the original drive. From
the moment the BIOS executes the boot block on the hard drive, many items on the evidence media can
be altered. In a matter of seconds the initial boot process may change file access time-stamps, partition
information, the Registry and configuration files.
Creating a Boot Disk: A clean operating environment is required for imaging a system. You must create
an MS-DOS boot disk when imaging drives with DOS applications such as SafeBack or EnCase. The
following command formats a floppy and copies the system files to it under MS-DOS 6.22 or Windows
95/98:

There should then be four files in the root directory of the floppy; they contain the code needed to get
the computer running a minimal operating system.

The first file the computer processes is IO.SYS. In Windows 95/98 IO.SYS also contains the code that
earlier DOS versions kept in MSDOS.SYS; it initializes device drivers, tests and resets the hardware,
and loads the command interpreter COMMAND.COM. If a disk connected to the machine uses compression
software such as DriveSpace or DoubleSpace, IO.SYS loads the DBLSPACE.BIN driver file while it is
loading device drivers. This must not happen during a forensic duplication: as it loads, the driver
mounts the compressed volume and presents the operating system with an uncompressed view of the file
system, and during the mounting process it changes the time/date stamps on the compressed file, which
counts as alteration of evidence.
You must therefore ensure that the loading of DBLSPACE.BIN fails when you boot from your clean boot
disk. Simply removing the file from the floppy is not enough, because IO.SYS checks the root directories
of all active partitions for the file. To stop DBLSPACE.BIN from loading, load IO.SYS into a hex editor
and alter the strings manually; Norton's Disk Editor can also be used for the editing. Load the file in
the hex editor and perform a string search for the keyword SPACE. The figure above shows the first hit,
located at hex offset 7D93.
To make DOS fail when it tries to load the driver, change the file name to a value that it will not find
on the file system. In the figure the file name has been changed accordingly; observe that the period
in the file name is not represented in the executable file. Continue searching the file for the string
SPACE: all four instances in IO.SYS need to be changed. When finished, save the file, close the hex
editor and remove the DBLSPACE.BIN file from the floppy as well. After creating the clean boot floppy,
copy over any DOS-mode drivers you will need to access the hard drives on the computer system under
investigation. The best source for DOS drivers is each hardware manufacturer's web site rather than the
driver CD that ships with the product. Most storage hardware will work, with the exception of drives
that are purely IEEE 1394, for which no DOS drivers exist.
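The hex-editor search-and-rename step above, automated as an added example for this appendix (it is not the original text's procedure and not a tool mentioned in it). It searches a constructed stand-in for IO.SYS for the keyword SPACE, reports the offsets the way a hex editor's search would, and rewrites every DBLSPACE reference to a same-length name that will not exist on disk. The stand-in bytes and the replacement stem XBLSPACE are assumptions; the same-length rule is the one constraint the real edit must respect, because changing the length would shift every offset after it in the executable.

```python
"""Rename an embedded 8.3 driver name inside a DOS boot file so the loader
cannot find it. Added example, not from the original text; the sample boot
file below is constructed and XBLSPACE is an assumed replacement stem.
"""
import re

ORIGINAL = b"DBLSPACE"      # stem of DBLSPACE.BIN as stored in the executable
REPLACEMENT = b"XBLSPACE"   # must be the same length as ORIGINAL


def find_string(blob, keyword):
    """Offsets of every keyword hit, formatted like a hex editor's search result."""
    return [f"{m.start():04X}" for m in re.finditer(re.escape(keyword), blob)]


def patch_driver_name(blob, original=ORIGINAL, replacement=REPLACEMENT):
    """Replace every occurrence of original; refuse edits that change the length.

    Returns (patched_bytes, number_of_occurrences_changed).
    """
    if len(original) != len(replacement):
        raise ValueError("replacement must not change the file size or shift offsets")
    return blob.replace(original, replacement), blob.count(original)


def patch_file(src_path, dst_path):
    """Apply patch_driver_name to a file on disk, never editing the source in place."""
    with open(src_path, "rb") as f:
        patched, changed = patch_driver_name(f.read())
    with open(dst_path, "wb") as f:
        f.write(patched)
    return changed


# Constructed stand-in for IO.SYS: filler "code" with four references to the
# driver. The name is stored as the stem followed directly by the extension,
# with no period, which is why the text searches for SPACE rather than the
# full "DBLSPACE.BIN".
SAMPLE = (b"\x90" * 100 + b"DBLSPACEBIN" + b"\xcc" * 50 + b"DBLSPACEBIN"
          + b"\x00" * 20 + b"DBLSPACEBIN" + b"\x00" * 7 + b"DBLSPACEBIN"
          + b"\x90" * 30)


if __name__ == "__main__":
    print(find_string(SAMPLE, b"SPACE"))   # ['0067', '00A4', '00C3', '00D5']
    patched, changed = patch_driver_name(SAMPLE)
    print(changed, find_string(patched, b"DBLSPACE"))   # 4 []
```

Run patch_file against a copy of IO.SYS taken from the boot floppy, never against the evidence drive; the returned count should be four for the IO.SYS version the text describes, and any other count means the hits need to be inspected by hand before saving.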


Chapter 6: Disk and File System Analysis


1. Write short notes on the following:
• FAT file system
• NTFS file System
Answers:
FAT file system: The File Allocation Table (FAT) file system is one of the simplest file systems found
in common operating systems. It is the primary file system of DOS and Windows 9x, it is supported by all
Windows and some UNIX operating systems, and investigators will encounter it even where it is not the
default file system of a desktop Windows system, because FAT is commonly used in digital cameras and
USB thumb drives.
FAT is considered simple because it has a small number of data structure types, although it has been
modified over the years to add new features. Its two important data structures, the file allocation
table and the directories, each serve multiple purposes and belong to multiple categories of the file
system data model. The FAT file system contains no data that falls into the application category.

Figure: Relationship between the directory entry structure, clusters and the FAT structure. The
directory entry for a 4,000-byte file records starting cluster 34; the FAT entry for cluster 34 points
to cluster 35, and the FAT entry for cluster 35 is marked EOF, so the file's content occupies clusters
34 and 35.

Every file and directory in a FAT file system is allocated a data structure called a directory entry,
which contains the name, size, starting cluster address and other metadata of the file. File and
directory content is stored in data units called clusters. If a file or directory has been allocated
more than one cluster, the remaining clusters are found using the structure called the FAT.
Each FAT entry records the allocation status of a cluster and the next cluster in the file's chain, so
the FAT structure is used in both the content and the metadata categories. There are three versions of
the FAT file system, FAT12, FAT16 and FAT32, and the major difference between them is the size of the
entries in the FAT structure. The relationship between these data structures is shown in the figure.
The layout of a FAT file system has three physical sections. The first section is the reserved area,
which contains data in the file system category. In FAT12 and FAT16 this area is typically one
sector in size; its size is defined in the boot sector. The second section is the FAT area, which
contains the primary and backup FAT structures. It starts immediately after the reserved area, and
its size is calculated from the size and number of the FAT structures. The third section is the data
area, which contains the clusters allocated to store file and directory content.
Reserved area | FAT area | Data area

Figure: Physical layout of a FAT file system.

The file system category of data in a FAT file system is found in the boot sector data structure, which
is located in the first sector of the reserved area. Microsoft calls some of the data in this first sector
the BIOS Parameter Block (BPB), and the sector as a whole is usually known as the boot sector. The data
contained in the boot sector belongs to all categories of the model. The FAT32 boot sector contains
additional data, such as the sector address of a backup copy of the boot sector and the major and minor
version numbers; if the copy in sector 0 becomes corrupt, the backup copy of the boot sector can be used.
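A parser for the structures described above, added as an example for this appendix (it is not code from the original text or from any forensic tool). It decodes the BPB fields of a constructed FAT16 boot sector, derives the three areas of the volume from them, walks the FAT chain of the figure's file (starting cluster 34, 4,000 bytes) and converts each cluster to a byte offset in the image. The boot sector values (512-byte sectors, 4 sectors per cluster, 1 reserved sector, 2 FATs of 32 sectors each, 512 root entries) are assumptions chosen so that the 4,000-byte file needs exactly the two clusters the figure shows; the slack computation, the fixed-size root directory region of FAT12/16 and the loop guard go a little beyond the text.

```python
"""Decode a FAT16 boot sector, locate the three areas and follow a cluster chain.
Added example, not from the original text; the boot sector and FAT below are
constructed with assumed values.
"""
import struct

EOF16 = 0xFFF8   # FAT16 entries >= this value mark the end of a chain
BAD16 = 0xFFF7   # marks a bad cluster


def parse_fat16_boot_sector(sector):
    """Return the geometry a forensic tool needs to locate FAT, root directory and data area."""
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("boot sector signature 0xAA55 missing")
    bps, spc, reserved, nfats, root_entries = struct.unpack_from("<HBHBH", sector, 0x0B)
    media, sectors_per_fat = struct.unpack_from("<BH", sector, 0x15)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or nfats == 0:
        raise ValueError("implausible BPB values")
    fat_start = reserved                       # FAT area follows the reserved area
    root_start = fat_start + nfats * sectors_per_fat
    root_sectors = (root_entries * 32 + bps - 1) // bps   # FAT12/16 root dir is fixed size
    data_start = root_start + root_sectors     # cluster 2 begins here
    return {
        "bytes_per_sector": bps, "sectors_per_cluster": spc, "media": media,
        "reserved_area": (0, fat_start), "fat_area": (fat_start, root_start),
        "root_dir": (root_start, data_start), "data_start": data_start,
    }


def walk_chain(fat, first_cluster):
    """Follow FAT16 entries from first_cluster until EOF; reject loops and bad clusters."""
    chain, cluster = [], first_cluster
    while cluster < EOF16:
        if cluster == BAD16 or cluster < 2:
            raise ValueError(f"invalid cluster {cluster:#06x} in chain")
        if cluster in chain:
            raise ValueError(f"chain loops back to cluster {cluster}")
        chain.append(cluster)
        (cluster,) = struct.unpack_from("<H", fat, cluster * 2)
    return chain


def cluster_offset(geom, cluster):
    """Byte offset of a cluster within the volume image (clusters are numbered from 2)."""
    sector = geom["data_start"] + (cluster - 2) * geom["sectors_per_cluster"]
    return sector * geom["bytes_per_sector"]


def build_sample():
    """Constructed boot sector and FAT holding the figure's chain 34 -> 35 -> EOF."""
    sector = bytearray(512)
    struct.pack_into("<HBHBH", sector, 0x0B, 512, 4, 1, 2, 512)  # bps, spc, reserved, FATs, root entries
    struct.pack_into("<BH", sector, 0x15, 0xF8, 32)               # media, sectors per FAT
    sector[510:512] = b"\x55\xaa"
    fat = bytearray(32 * 512)
    struct.pack_into("<HH", fat, 0, 0xFFF8, 0xFFFF)   # entries 0 and 1 are reserved
    struct.pack_into("<H", fat, 34 * 2, 35)
    struct.pack_into("<H", fat, 35 * 2, 0xFFFF)
    return bytes(sector), bytes(fat)


def locate_file(first_cluster=34, size=4000):
    """Return (geometry, cluster chain, byte offsets, slack bytes) for the figure's file."""
    sector, fat = build_sample()
    geom = parse_fat16_boot_sector(sector)
    chain = walk_chain(fat, first_cluster)
    cluster_bytes = geom["sectors_per_cluster"] * geom["bytes_per_sector"]
    offsets = [cluster_offset(geom, c) for c in chain]
    slack = len(chain) * cluster_bytes - size   # file slack at the end of the last cluster
    return geom, chain, offsets, slack


if __name__ == "__main__":
    geom, chain, offsets, slack = locate_file()
    print(geom["fat_area"], geom["data_start"])   # (1, 65) 97
    print(chain, offsets, slack)                    # [34, 35] [115200, 117248] 96
```

The 96 bytes of slack at the end of cluster 35 are exactly the region an examiner carves for remnants of whatever file previously occupied that cluster.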
NTFS file system: NTFS stands for New Technology File System. It provides a combination of reliability,
performance and compatibility not found in the FAT file systems. It performs standard operations such as
read, write and search quickly, and it provides fast file system recovery on very large hard disks. When a
volume is formatted with NTFS, several system files and the Master File Table (MFT) are created; these
system files and the MFT contain information about all the files and folders on the NTFS volume.
Like FAT, NTFS begins with a boot sector: the boot sector and bootstrap code occupy the first 16 sectors,
starting at sector 0. The following figure shows the layout of an NTFS volume.

Partition boot sector | Master File Table (MFT) | System files | File area

Figure: Layout of an NTFS volume.

Partition boot sector: When an NTFS volume is formatted, the first 16 sectors are allocated to the boot
sector and bootstrap code. The following table describes the NTFS boot sector.

Table: Boot sector of an NTFS volume.

Byte offset   Field length   Field name
0x00          3 bytes        Jump instruction
0x03          LONGLONG       OEM ID
0x0B          25 bytes       BPB
0x24          48 bytes       Extended BPB
0x54          426 bytes      Bootstrap code
0x01FE        WORD           End of sector marker


The data fields that follow the BPB form the extended BPB on an NTFS volume. The data in these fields
enables NTLDR (the NT loader program) to find the Master File Table during start-up. Unlike FAT16 and
FAT32, NTFS does not place the MFT in predefined sectors; for this reason the MFT can be moved if there
is a bad sector in its normal location. However, Windows NT/2000 assumes that the volume has not been
formatted if the boot sector data is corrupted or the MFT cannot be located.
The following table shows the BPB and extended BPB fields on an NTFS volume:
Table: BPB and extended BPB fields on an NTFS volume.

Byte offset   Field length   Sample value   Field name and definition
0x0B          2 bytes        00 02          Bytes Per Sector. The size of a hardware sector. For most
                                            disks used in the United States, the value of this field
                                            is 512.
0x0D          1 byte         08             Sectors Per Cluster. The number of sectors in a cluster.
0x0E          2 bytes        00 00          Reserved Sectors. Always 0, because NTFS places the boot
                                            sector at the beginning of the partition. If the value is
                                            not 0, NTFS fails to mount the volume.
0x10          3 bytes        00 00 00       Value must be 0 or NTFS fails to mount the volume.
0x13          2 bytes        00 00          Value must be 0 or NTFS fails to mount the volume.
0x15          1 byte         F8             Media Descriptor. Provides information about the media
                                            being used. A value of F8 indicates a hard disk and F0
                                            indicates a high-density 3.5-inch floppy disk. Media
                                            descriptor entries are a legacy of MS-DOS FAT16 disks and
                                            are not used in Windows Server 2003.
0x16          2 bytes        00 00          Value must be 0 or NTFS fails to mount the volume.
0x18          2 bytes        3F 00          Not used or checked by NTFS.
0x1A          2 bytes        FF 00          Not used or checked by NTFS.
0x1C          4 bytes        3F 00 00 00    Not used or checked by NTFS.


Because the operating system depends on the boot sector to access a volume, it is highly recommended to
run disk scanning tools such as chkdsk regularly and to back up all files on a regular basis, in order
to avoid data loss.
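The checks in the table above, written out as an added example for this appendix (not code from the original text or from Windows). It validates a constructed NTFS boot sector the way the text says the driver does, refusing to mount if the end-of-sector marker, the OEM ID or any must-be-zero field is wrong, and then computes the cluster size and the byte offsets of $Mft and $MftMirr. The $Mft and $MftMirr cluster numbers (offsets 0x30 and 0x38), the total sector count (0x28) and the file-record-size field (0x40) lie beyond the part of the extended BPB shown in the table; they are standard NTFS fields and are included because they are how the MFT is found. The sample values are assumptions.

```python
"""Validate an NTFS boot sector and locate the MFT from its extended BPB.
Added example, not from the original text; the sample sector is constructed.
"""
import struct

OEM_ID = b"NTFS    "
MUST_BE_ZERO = (                # legacy FAT fields that NTFS insists are zero
    (0x0E, 2, "reserved sectors"),
    (0x10, 3, "FAT count / root entries"),
    (0x13, 2, "small total sectors"),
    (0x16, 2, "sectors per FAT"),
)


def parse_ntfs_boot_sector(sector):
    """Decode the sector; raise ValueError for anything NTFS would refuse to mount."""
    if len(sector) < 512:
        raise ValueError("boot sector must be at least 512 bytes")
    if sector[0x1FE:0x200] != b"\x55\xaa":
        raise ValueError("end-of-sector marker 0xAA55 missing")
    if sector[0x03:0x0B] != OEM_ID:
        raise ValueError(f"unexpected OEM ID {sector[0x03:0x0B]!r}")
    for offset, length, name in MUST_BE_ZERO:
        if any(sector[offset:offset + length]):
            raise ValueError(f"{name} at 0x{offset:02X} must be zero")
    bps, spc = struct.unpack_from("<HB", sector, 0x0B)
    media = sector[0x15]
    total_sectors, mft_cluster, mftmirr_cluster = struct.unpack_from("<QQQ", sector, 0x28)
    (record_field,) = struct.unpack_from("<b", sector, 0x40)
    cluster_size = bps * spc
    # A negative value means each MFT record is 2**|value| bytes; otherwise it is a cluster count.
    record_size = 2 ** (-record_field) if record_field < 0 else record_field * cluster_size
    return {
        "bytes_per_sector": bps, "sectors_per_cluster": spc, "cluster_size": cluster_size,
        "media_descriptor": media, "total_sectors": total_sectors,
        "mft_offset": mft_cluster * cluster_size,
        "mftmirr_offset": mftmirr_cluster * cluster_size,
        "file_record_size": record_size,
    }


def would_mount(sector):
    """True if the sector passes every check above."""
    try:
        parse_ntfs_boot_sector(sector)
        return True
    except ValueError:
        return False


def build_sample(reserved_sectors=0):
    """Constructed boot sector using the table's sample values (512-byte sectors, 8 per cluster).

    reserved_sectors is a knob for showing the failure case; NTFS requires 0.
    """
    s = bytearray(512)
    s[0:3] = b"\xEB\x52\x90"                       # jump instruction
    s[3:11] = OEM_ID
    struct.pack_into("<HBH", s, 0x0B, 512, 8, reserved_sectors)
    s[0x15] = 0xF8                                  # media descriptor: hard disk
    struct.pack_into("<HHI", s, 0x18, 0x3F, 0xFF, 0x3F)   # not checked by NTFS
    struct.pack_into("<QQQ", s, 0x28, 2097151, 786432, 2)  # total sectors, $Mft cluster, $MftMirr cluster
    struct.pack_into("<b", s, 0x40, -10)            # file records of 2**10 = 1024 bytes
    s[0x44] = 1                                     # clusters per index buffer
    s[0x1FE:0x200] = b"\x55\xaa"
    return bytes(s)


if __name__ == "__main__":
    info = parse_ntfs_boot_sector(build_sample())
    print(info["cluster_size"], info["mft_offset"], info["file_record_size"])  # 4096 3221225472 1024
    print(would_mount(build_sample(reserved_sectors=1)))                        # False
```

Because the MFT is addressed by cluster number from this sector, a damaged boot sector hides the whole volume even when every MFT record is intact; the parser's mft_offset is the first place to read when reconstructing such a volume from the backup boot sector.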
Master File Table (MFT): NTFS uses a special file, the Master File Table (MFT), which holds a record
for each file on the NTFS volume. NTFS reserves the first 16 records of the table for special
information. The first record describes the MFT itself. The second record is the MFT mirror: if the
first MFT record is corrupted, NTFS reads the second record to find this duplicate copy of the leading
MFT records. The locations of the data segments of both the MFT and the MFT mirror file are recorded
in the boot sector, and a duplicate of the boot sector is located at the logical centre of the disk.
The third record of the MFT is the log file, which is used for file system recovery. The following
figure shows a simplified illustration of the MFT structure:

Figure: MFT structure. The MFT holds one record per file: the MFT's own record, the log file record,
small file records, large file records and small directory records. A record whose data does not fit
in the record itself points to one or more extents elsewhere on the volume; in the figure the large
file record references three extents (extent 1, extent 2 and extent 3).

The MFT assigns a fixed amount of space to each file record, and the attributes of a file are written
into the allocated space of its MFT record. Small files and directories, of approximately 1,500 bytes or
less, can be contained entirely within the MFT record.
System files: NTFS includes several system files that are hidden from view on the NTFS volume. They
are used to store the file system's metadata and to implement the file system, and they are placed on
the volume by the format utility. The following table shows the metadata files stored in the MFT.


System file               File name   MFT entry   Purpose of the file
Master file table         $Mft        0           Contains one base file record for each file and
                                                  directory on an NTFS volume. If the allocation
                                                  information for a file or directory is too large to
                                                  fit within a single record, other file records are
                                                  allocated as well.
Master file table 2       $MftMirr    1           A duplicate image of the first four records of the
                                                  MFT. This file guarantees access to the MFT in case
                                                  of a single-sector failure.
Log file                  $LogFile    2           Contains a list of transaction steps used for NTFS
                                                  recoverability. Log file size depends on the volume
                                                  size.
Volume                    $Volume     3           Contains information about the volume, such as the
                                                  volume label and the volume version.
Attribute definitions     $AttrDef    4           A table of attribute names, numbers and descriptions.
Root file name index      $           5           The root directory.
Cluster bitmap            $Bitmap     6           A representation of the volume showing which
                                                  clusters are in use.
Boot sector               $Boot       7           Includes the bootstrap for the volume if it is a
                                                  bootable volume.
Bad cluster file          $BadClus    8           Contains the bad clusters for the volume.
Security file             $Secure     9           Contains unique security descriptors for all files
                                                  within a volume.
Upcase table              $Upcase     10          Converts lowercase characters to the matching Unicode
                                                  uppercase characters.
NTFS extension file       $Extend     11          Used for various optional extensions such as quotas,
                                                  reparse point data and object identifiers.

Table: System files stored in the MFT.

Data area: NTFS maintains the consistency of the volume by using standard transaction logging and
recovery techniques. In case of disk failure, NTFS restores consistency by executing a recovery procedure
that uses the information stored in the log file. The NTFS recovery procedure guarantees that the volume
is restored to a consistent state, and the overhead required by transaction logging is small. NTFS
performs automatic disk recovery operations in order to maintain integrity, and it also uses a technique
called cluster remapping to reduce the effects of bad sectors.
2. What is meant by terms such as data transfer rate and seek time in relation to hard disks?
Answer: These are ways of measuring the performance of a hard disk. The data transfer rate is the
number of bytes per second that the disk drive can transfer to the processor. For today's disks it is
typically expressed in megabytes per second, and rates between 5 and 40 MB/s are common; the higher this
number, the better the disk performance. Seek time is the interval between the moment the processor
requests a file from the disk and the moment the first byte of that file is received by the processor.
It is measured in milliseconds (typically between 7 and 20 ms), and the lower this number, the better
the performance.

Chapter 7: Data Analysis


1. What is a hacker tool? Explain the concept of hacker tool analysis.
Answer: During investigations of computer crime, particularly computer intrusions, you will encounter
rogue files of unknown purpose. The rogue file is doing something that the attacker wants, but all you
have is a binary file and perhaps a few theories about what that file does. Tool analysis would be much
simpler if attackers left their source code behind.
Goals of Tool Analysis: If you are lucky, the hacker tools have file names that give enormous clues
about their function: a file called sniffer or esniff is likely to be a sniffer tool. It is far more
likely, however, that the attackers have renamed their code to some innocuous system file name such as
xterm or d.1.
How Files Are Compiled: A compiler, such as the GNU C compiler, takes an entire program written in a
high-level language such as C or Pascal and converts it to object code, which is often called machine
code, binary code or executable code. Think of compilers as programs that translate human-readable
source code into the machine language that the system's processor can execute directly. Attackers can
compile their source code in many ways, and some methods of compilation make tool analysis easier than
others.
Static Analysis of a Hacker Tool: Static analysis is analysis performed without executing the rogue
code. Because you do not intend to execute the code, you can perform static analysis on any operating
system, regardless of the type of object code; for example, you can use the Solaris operating system to
perform static analysis of a Win32 application.
The general approach to static analysis involves the following steps:
1. Determine the type of file you are examining.
2. Review the ASCII and Unicode strings contained within the binary file.
3. Perform online research to determine whether the tool is publicly available on computer security or
hacker sites, and compare any tools identified online with the tool you are analyzing.
4. Perform a source code review if you either have the source code or believe you have identified the
source code via online research.
Dynamic Analysis of a Hacker Tool: Once you have identified the executable files that require tool
analysis, your next step is to determine how they were compiled, as well as their native operating
system and architecture. You may encounter many different types of executable files, including the
following common types:
1. Windows 95/98/NT/2000/XP executable or dynamically linked library (DLL)
2. Linux a.out/ELF/script
3. Solaris a.out/ELF/script
4. DOS 32-bit COFF
5. DOS 16-bit .com file
6. DOS 16-bit executable
7. Atari ST/TT
Fortunately, the needed information can be retrieved on both Unix and Windows.
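The first two static-analysis steps (file type, then ASCII and Unicode strings) and the executable-type list above, as an added example written for this appendix (not code from the original text or from any named tool). It classifies a binary from its magic bytes, reading the type and architecture out of an ELF or PE header, and extracts printable ASCII and UTF-16LE strings. The two sample binaries are constructed stand-ins (a minimal ELF64 header and a minimal MZ/PE stub with a few embedded strings); the machine-type tables are the standard ELF and PE constants, and a.out, COFF and Atari formats are not covered.

```python
"""Identify an executable's format from its header and dump its strings.
Added example, not from the original text; both sample binaries are constructed.
"""
import re
import struct

ELF_TYPES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}
ELF_MACHINES = {2: "SPARC", 3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}
PE_MACHINES = {0x14C: "i386", 0x1C0: "ARM", 0x8664: "x86-64", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000


def identify(blob):
    """Classify a file by magic bytes, adding type and architecture for ELF and PE images."""
    if blob[:4] == b"\x7fELF" and len(blob) >= 0x14:
        bits = {1: 32, 2: 64}.get(blob[4], 0)
        endian = "<" if blob[5] == 1 else ">"
        e_type, e_machine = struct.unpack_from(endian + "HH", blob, 0x10)
        return (f"ELF{bits} {ELF_TYPES.get(e_type, 'unknown')} for "
                f"{ELF_MACHINES.get(e_machine, f'machine {e_machine}')}")
    if blob[:2] == b"MZ":
        if len(blob) >= 0x40:
            (pe_off,) = struct.unpack_from("<I", blob, 0x3C)
            if blob[pe_off:pe_off + 4] == b"PE\0\0" and len(blob) >= pe_off + 24:
                (machine,) = struct.unpack_from("<H", blob, pe_off + 4)
                (flags,) = struct.unpack_from("<H", blob, pe_off + 22)
                kind = "DLL" if flags & IMAGE_FILE_DLL else "executable"
                return f"PE {kind} for {PE_MACHINES.get(machine, hex(machine))}"
        return "DOS MZ executable (no PE header)"
    if blob[:2] == b"#!":
        interpreter = blob.split(b"\n", 1)[0][2:].decode("ascii", "replace").strip()
        return f"script: {interpreter}"
    return "unknown"


def ascii_strings(blob, min_len=4):
    """Runs of printable ASCII, the output of the classic strings tool."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def utf16le_strings(blob, min_len=4):
    """Runs of printable characters encoded as UTF-16LE, which Windows binaries use."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, blob)]


def analyse(blob):
    return {"type": identify(blob), "ascii": ascii_strings(blob), "unicode": utf16le_strings(blob)}


def build_elf_sample():
    """Constructed: ELF64 little-endian x86-64 executable header plus sniffer-like strings."""
    hdr = bytearray(64)
    hdr[0:4], hdr[4], hdr[5], hdr[6] = b"\x7fELF", 2, 1, 1
    struct.pack_into("<HH", hdr, 0x10, 2, 62)           # e_type=EXEC, e_machine=x86-64
    return bytes(hdr) + b"\x00" * 16 + b"/dev/eth0\x00\x01\x02promiscuous mode on\x00"


def build_pe_sample():
    """Constructed: MZ stub, PE header flagged as a 32-bit DLL, ASCII and UTF-16 strings."""
    blob = bytearray(0x80)
    blob[0:2] = b"MZ"
    struct.pack_into("<I", blob, 0x3C, 0x40)             # e_lfanew -> PE header at 0x40
    blob[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", blob, 0x44, 0x14C)            # Machine = i386
    struct.pack_into("<H", blob, 0x40 + 22, 0x2102)      # Characteristics: DLL | 32-bit | executable
    return (bytes(blob) + b"kernel32.dll\x00GetProcAddress\x00\x00\x00"
            + "C:\\Windows\\System32\\svchost.exe".encode("utf-16-le") + b"\x00\x00")


if __name__ == "__main__":
    for sample in (build_elf_sample(), build_pe_sample(), b"#!/bin/sh\nrm -f /var/log/wtmp\n"):
        print(analyse(sample))
```

The Unicode pass matters for Windows binaries in particular: a PE whose ASCII strings look harmless often carries its real paths, registry keys and host names only as UTF-16, where a plain strings run never sees them.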
2. Write a short note on the steps of a UNIX system investigation.
Answer: UNIX is powerful, flexible and extremely functional, and the ability to investigate a compromised
UNIX system and respond to a computer security incident has become essential for UNIX users and forensic
investigators alike. UNIX does not have a good reputation for reliability or security. Although UNIX does
offer some effective security features, such as login and user accounts stored in the /etc/passwd file,
access control with owner, group and world granularity, and log files such as /usr/adm/lastlog,
/var/adm/utmp, /var/adm/wtmp and /var/adm/acct, UNIX systems directly connected to the Internet are often
subject to hacking attempts.
Method for UNIX Investigation
1. Reviewing pertinent logs
2. Performing keyword searches
3. Reviewing relevant files
4. Identifying unauthorized user accounts or groups
5. Identifying rogue processes
6. Checking for unauthorized access points
7. Analysing trust relationships
8. Detecting Trojan loadable kernel modules
These steps are not listed chronologically or in order of importance, and you may not need to take all
of them for every incident; your approach depends on the specific incident and the goals of your
response. In the event of a root compromise anything can happen, so bear this in mind as you conduct
your investigation.
3. Explain the steps for investigating a live Windows system.
Answer: Once you have set up your forensic workstation with the proper tools and recorded the low-level
partition data from the target image, you are ready to conduct your investigation. A formal examination
of the target system requires the following investigative steps:
1. Review all pertinent logs.
2. Perform keyword searches.
3. Review relevant files.
4. Identify unauthorized user accounts or groups.
5. Identify rogue processes and services.
6. Look for unusual or hidden files and directories.
7. Check for unauthorized access points.
8. Examine jobs run by the Scheduler service.
9. Analyze trust relationships.
10. Review security identifiers.
These steps are not ordered chronologically or in order of importance. You may need to perform each
of these steps or just a few of them; your approach depends on your response plan and the circumstances
of the incident.
4. Where does evidence reside on Windows systems?
Answer: Before you dive into forensic analysis it is important to know where you plan to look for
evidence. The location depends on the specific case, but in general evidence can be found in the
following areas:
1. Volatile data in kernel structures
2. Slack space, which can hold fragments of previously deleted files that are otherwise unrecoverable
3. Free or unallocated space, where you can recover previously deleted files, including damaged or
inaccessible clusters
4. The logical file system
5. The event logs
6. The Registry, which you should think of as an enormous log file
7. Application logs not managed by the Windows Event Log service
8. The printer spool
9. Sent or received e-mail, such as the .pst files of Outlook
5. Explain the process of restoring a forensic duplication.
Answer: Restoring a forensic duplication can be tricky. You must have a destination hard disk of greater
capacity than, or at least equal to, the original drive. Hard drive duplication is the most important part
of the data acquisition process: extracting files directly from potentially failing media is dangerous,
because the media can stop working at any moment. It is preferable that the destination drive be of equal
capacity, and ideally from the same manufacturer as the original, so that the operator can transfer data
quickly and easily from the original hard disk to the backup hard disk.
The Atola Insight Forensic is a hardware system designed for imaging hard disks, SSDs and USB mass
storage media quickly and safely. The maximum imaging speed of the system is MB/s.
6. What do you mean by data analysis?
Answer: The accepted best practice in digital evidence collection has been modified to incorporate live
volatile data collection. Live forensics collects digital evidence in an order based on the life expectancy
of the evidence in question. Simply put, the most important evidence to be gathered today, and for the
foreseeable future, may well exist only in the form of the volatile data contained in the computer's RAM.
Order of volatility of digital evidence (most volatile first):
1. CPU, cache and register contents
2. Routing table, ARP cache, process table, kernel statistics
3. Memory
4. Temporary file system / swap space
5. Data on hard disk
6. Remotely logged data
7. Data contained on archival media


Chapter 8: Network Forensic


1. What is intrusion detection? Explain.
Answer: The network intruder or attacker has traditionally been able to boast of a certain amount of
skill, unlike the cyber scam artist, who needs to know only enough about computers to send mass
e-mailings, or the child pornographer, whose technical know-how is limited to uploading and downloading
files.

Figure: Placement of an intrusion detection system. Traffic from the Internet passes through the firewall
to an internal IDS and a switch serving the workstations; the IDS devices notify the monitor servers of
any change in the network.

As discussed in earlier chapters, many different types of cybercrime are committed by all kinds of
cybercriminals, some of whom have very little technical knowledge or skill. Included in this narrow
definition are malicious attacks designed to crash computers and congest networks, even when no actual
"illegal entry" takes place.
Even though intruders and attackers need not understand the technicalities of what they are doing, it is
important for cybercrime investigators who build cases charging unauthorized access or breach of network
integrity to understand the basics of how intrusion techniques and system attacks work.
Intrusion detection systems help information systems prepare for and deal with attacks. They accomplish
this by collecting information from a variety of system and network sources and then analysing that
information for possible security problems.
Intrusion detection provides the following:
1. Monitoring and analysis of user and system activity
2. Auditing of system configurations and vulnerabilities
3. Assessing the integrity of critical system and data files
4. Statistical analysis of activity patterns, matched against known attacks
5. Abnormal activity analysis
6. Operating system audit
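An illustration of items 4 and 5 in the list above (pattern matching against known attacks and abnormal-activity analysis), added as an example for this appendix; it is not code from the original text or from any IDS product. It runs a few constructed connection records through signature rules and a sliding-window port-scan detector. The record format, the three signatures and the thresholds (ten distinct destination ports from one source within five seconds) are assumptions.

```python
"""Toy IDS: signature matching plus a sliding-window port-scan detector.
Added example, not from the original text; log lines and rules are constructed.
"""
import re
from collections import defaultdict

# Constructed signatures in the spirit of a NIDS rule set; matched against the payload field.
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "passwd read": re.compile(r"/etc/passwd"),
    "cmd.exe access": re.compile(r"cmd\.exe", re.IGNORECASE),
}
SCAN_PORTS = 10      # distinct destination ports from one source ...
SCAN_WINDOW = 5      # ... within this many seconds => anomaly


def parse(line):
    """Record format (constructed): '<epoch> <src> <dst> <dport> <payload...>'."""
    ts, src, dst, dport, payload = line.split(" ", 4)
    return int(ts), src, dst, int(dport), payload


def detect(lines):
    """Return alerts in the order they fire; one scan alert per source."""
    alerts, recent, scanned = [], defaultdict(list), set()
    for line in lines:
        ts, src, dst, dport, payload = parse(line)
        for name, pattern in SIGNATURES.items():          # known-attack matching
            if pattern.search(payload):
                alerts.append({"kind": "signature", "detail": name,
                               "src": src, "dst": dst, "port": dport})
        # abnormal activity: keep only this source's records inside the window
        recent[src] = [(t, p) for t, p in recent[src] if ts - t <= SCAN_WINDOW] + [(ts, dport)]
        ports = {p for _, p in recent[src]}
        if len(ports) >= SCAN_PORTS and src not in scanned:
            scanned.add(src)
            alerts.append({"kind": "anomaly", "detail": f"{len(ports)} distinct ports in {SCAN_WINDOW}s",
                           "src": src, "dst": dst, "port": dport})
    return alerts


# Constructed traffic: a benign browser, a web attack, a TLS client and a port scanner.
SCAN_TARGETS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]
LOG = [
    "1000 10.0.0.5 192.168.1.10 80 GET /index.html",
    "1001 10.0.0.5 192.168.1.10 80 GET /../../etc/passwd",
    "1002 10.0.0.7 192.168.1.10 443 TLS ClientHello",
] + [
    f"{1000 + i // 4} 10.0.0.9 192.168.1.10 {port} SYN" for i, port in enumerate(SCAN_TARGETS)
] + [
    "1040 10.0.0.5 192.168.1.10 80 GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir",
]


if __name__ == "__main__":
    for alert in detect(LOG):
        print(alert)
```

The two detectors fail in opposite ways: the signature list sees only what it already knows, and the anomaly threshold can be tuned past by a scanner slow enough to stay under ten ports per window, which is why a real deployment runs both and reviews the thresholds against its own baseline traffic.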
2. What can an intrusion detection system provide, and what can it not provide?
Answer: An IDS can:
1. Add a greater degree of integrity to the rest of your infrastructure
2. Recognize and report alterations to data
3. Trace user activity from the point of entry to the point of impact
4. Automate the task of monitoring the Internet for the latest attacks
5. Detect errors in your system configuration
6. Sense when your system is under attack
7. Make security management of your system possible for non-expert staff
8. Guide the system administrator in the important step of establishing a policy for your computing assets
An IDS cannot:
1. Conduct investigations of attacks without human intervention
2. Compensate for weak identification and authentication mechanisms
3. Deal with some of the modern network hardware and features
4. Compensate for flaws in network protocols
5. Always handle complications involving packet-level attacks
6. Compensate for problems in the quality or integrity of the information the system provides
7. Analyse all the traffic on a busy network
3. Explain the steps for investigating routers.
Answer: Routers play many different roles during incidents. They can be targets of attack, stepping-stones
for attackers, or tools used by investigators, and they can provide valuable information and evidence
that allows investigators to resolve complex network incidents.
Routers lack the data storage and functionality of many of the other technologies examined in previous
chapters, and thus they are less likely to be the ultimate target of attacks; during network penetrations
they are more likely to be springboards for attackers. The information stored on routers, such as
passwords, routing tables and network block information, makes them a valuable first step for attackers
bent on penetrating internal networks.
Obtaining Volatile Data prior to Powering Down: Always begin the response process by obtaining the most
volatile data first. Information in memory is the most volatile, while information stored on the hard
drive or in nonvolatile RAM (NVRAM) is relatively stable; this is the order of volatility. If any of the
information residing in memory is important to the investigation, it must be saved before powering down
or otherwise altering the state of the operational router. Because routers have little data storage
capability, the information in memory is almost always important. System state information held in
memory, such as the current routing tables, listening services and current passwords, is lost if the
router is powered down or rebooted.
Establishing a Router Connection: Before you do anything, you must establish a connection to the router.
The console port is the best way to access the router: by connecting directly to it you are less likely
to tip off an attacker who still has access to the network. If you telnet to the router, an attacker with
a network sniffer can potentially see your traffic and learn that an investigation is being conducted. If
console access is unavailable, a dial-up connection or an encrypted protocol such as Secure Shell (SSH)
is a better choice than telnet.
Make sure to log the entire session when you establish a connection to the router; with HyperTerminal,
select Transfer | Capture Text to log the session. The Cisco Internetwork Operating System (IOS) command
language consists of multiple modes: initial setup, login prompt, basic command, enable, configuration
and interface configuration. By default you are in basic mode, which allows you to display configuration
settings. To modify configuration settings and save them to NVRAM you must enter enable mode, by typing
enable at the > prompt; an enable password is associated with this privileged level of access.
Saving the Router Configuration: Router configurations are generally straightforward. All configuration
information for a Cisco router is stored in a single configuration file, which governs every aspect of
the router's behaviour and is kept in NVRAM. The router uses this stored configuration when it boots.
However, the configuration of the router can be changed without modifying the configuration file stored
in NVRAM: changes are made to the configuration in RAM, and they are saved to NVRAM only by an explicit
administrative command. Thus you should save the configuration in RAM as well as the configuration in
NVRAM, and compare the two.
You must have enable (privileged) level access to the router. Use the show running-config command, or the
equivalent but older write terminal command, to view the configuration currently loaded on the router:
cisco_router#show running-config
Use the show startup-config command, or the equivalent show config command, to view the configuration
saved in NVRAM:
cisco_router#show startup-config
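Comparing the two configurations just saved, as an added example for this appendix (not code from the original text and not a Cisco tool). Given the captured output of show running-config and show startup-config, it lists every line that exists in only one of them, which is exactly the set of unsaved changes an attacker who modified the router in RAM would leave behind, and flags the ones that touch accounts, routes or remote access. The two configuration texts are constructed, the hash string in them is a fake placeholder, and the list of keywords worth flagging is an assumption to extend for your own environment.

```python
"""Diff a router's running configuration against its start-up configuration.
Added example, not from the original text; both configurations are constructed
and the password hash they contain is a fake placeholder.
"""
import difflib

# Keywords whose appearance in an unsaved change deserves immediate attention (assumed list).
SUSPICIOUS = ("username", "enable password", "enable secret", "ip route",
              "transport input", "snmp-server", "access-list", "ip http server")


def unsaved_changes(running, startup):
    """Lines present only in RAM ('+') or only in NVRAM ('-')."""
    diff = difflib.unified_diff(startup.splitlines(), running.splitlines(),
                                "startup-config", "running-config", lineterm="", n=0)
    return [line for line in diff
            if line[:1] in ("+", "-") and not line.startswith(("+++", "---"))]


def flag(changes):
    """Subset of changes that start with a suspicious keyword (leading whitespace ignored)."""
    return [line for line in changes if line[1:].lstrip().startswith(SUSPICIOUS)]


STARTUP_CONFIG = """\
hostname edge-rtr
username admin privilege 15 secret 5 $1$salt$FAKEHASHFORTHISEXAMPLE
ip route 0.0.0.0 0.0.0.0 203.0.113.1
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
line vty 0 4
 transport input ssh
 login local
"""

RUNNING_CONFIG = """\
hostname edge-rtr
username admin privilege 15 secret 5 $1$salt$FAKEHASHFORTHISEXAMPLE
username support privilege 15 password 0 letmein
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 192.168.10.0 255.255.255.0 198.51.100.77
interface GigabitEthernet0/0
 description uplink to ISP
 ip address 203.0.113.2 255.255.255.0
line vty 0 4
 transport input telnet ssh
 login local
"""


if __name__ == "__main__":
    changes = unsaved_changes(RUNNING_CONFIG, STARTUP_CONFIG)
    print(len(changes), "unsaved change(s)")
    for line in flag(changes):
        print("FLAG", line)
```

In the constructed case the diff exposes a new privilege-15 account with a clear-text password, a static route sending one internal subnet to an outside host, and telnet re-enabled on the vty lines, none of which survive a reboot; that is why the running configuration has to be captured before the router is power-cycled.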
Finding the proof: Once you have saved most of the evidence you need, what is the next step? That
depends on the type of incident suspected, based on your initial investigation. Here we look at how to
identify corroborating evidence, including responses for several incident types involving routers. We
categorize the types of incidents that involve routers as follows:
1. Direct compromise
2. Routing table manipulation
3. Theft of information
4. Denial of service
4. What are the differences between network-based IDS and host-based IDS?
Answer:
Network-based IDS                                    | Host-based IDS
Broad in scope                                       | Narrow in scope; monitors specific activities
Examines packet headers and entire packets           | Does not see packet headers
Near real-time response                              | Responds after a suspicious entry is logged
Host independent                                     | Host dependent
Bandwidth dependent                                  | Bandwidth independent
Does not load the monitored hosts                    | Adds load to the monitored host
Slows down networks that have IDS sensors installed  | Slows down hosts that have IDS clients installed
Detects network attacks, as the payload is analysed  | Detects local attacks before they hit the network
Not suitable for encrypted or switched network       | Well suited for encrypted and switched network
environments                                         | environments
Does not normally detect complex attacks             | Powerful tool for analysing a possible attack,
                                                     | because of the relevant information in its database
High false positive rate                             | Low false positive rate
Lower cost of ownership                              | Requires no additional hardware
Better for detecting attacks from outside, and       | Better for detecting attacks from inside, and
detects attacks a host-based IDS would miss          | detects attacks a network-based IDS would miss

5. What is address spoofing? Explain its types.
Answer:
Address Spoofing: Spoofing is a kind of trick in which an intruder tries to gain unauthorized access
to your system or information by posing as a genuine user. The chief purpose is to deceive the user
into disclosing confidential information in order to gain access to an individual's computer system or
bank account, or to steal personal information such as passwords and e-mail IDs. Attackers use spoofed
addresses to fool other computers into believing that a message originated from a different machine.
The main types of spoofing are:
1. IP Spoofing
2. ARP Spoofing
3. DNS Spoofing
IP Spoofing: The basic protocol for sending data over the Internet and many other computer
networks is the Internet Protocol. Each packet carries a source IP address that the recipient trusts, and
network intruders can exploit that trust to bypass security measures such as authentication based on
IP addresses. IP spoofing consists of altering the packet headers of a message so that it appears to have
come from an IP address other than the genuine source. In essence, the sending computer impersonates
another machine, tricking the receiver into accepting its messages. Current firewalls defend against IP
spoofing if they are configured properly.
Spoofing is used whenever it is helpful for one machine to impersonate another. It is frequently
used in combination with other attacks. For example, in Ping of Death, Teardrop, and similar attacks
a spoofed address is used to hide the true IP address of the intruder. After choosing the target, the next
step is to find the address of a trusted host. Genuine communications between the trusted host and the
target can be captured and inspected.
Hackers often use a DoS attack against the trusted host to prevent it from communicating on the
network. One of the most difficult parts of IP spoofing is correctly predicting the sequence numbers of
the trusted machine; the numerous spoofing tools available on the Web make this easier for the attacker.
ARP Spoofing: The Address Resolution Protocol (ARP) maintains the ARP cache, a table that maps
IP addresses to the MAC (physical) addresses of computers on the network. The cache is necessary
because the MAC address is used at the physical level to locate the destination computer to which
a message should be delivered. If there is no cache entry for a particular IP address, ARP sends a
broadcast message to all the computers on the subnet requesting that the machine with that IP address
respond with its MAC address. This mapping is then added to the ARP cache. Sending forged replies
that result in incorrect entries in the cache is called ARP poisoning or ARP spoofing. It results in
subsequent messages being sent to the wrong computer (the machine whose MAC address is incorrectly
matched with the IP address).
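The forged replies just described leave a signature that a passive monitor on the segment can catch: the same IP address suddenly answering with a different MAC address, or one MAC address answering for several IP addresses. The following detector is an added example and is not from the book; it assumes a monitor has already recorded ARP replies as (time, sender IP, sender MAC) tuples, and the observations below are constructed.

```python
from collections import defaultdict

# Constructed ARP reply observations (time, sender IP, sender MAC) as a passive
# monitor on the LAN segment might record them. 192.168.1.1 is the gateway.
ARP_REPLIES = [
    ("10:00:01", "192.168.1.1", "00:11:22:33:44:55"),
    ("10:00:02", "192.168.1.20", "aa:bb:cc:dd:ee:01"),
    ("10:00:05", "192.168.1.1", "00:11:22:33:44:55"),
    ("10:00:09", "192.168.1.1", "aa:bb:cc:dd:ee:02"),   # gateway IP, new MAC
    ("10:00:10", "192.168.1.20", "aa:bb:cc:dd:ee:01"),
    ("10:00:12", "192.168.1.1", "aa:bb:cc:dd:ee:02"),
    ("10:00:13", "192.168.1.20", "aa:bb:cc:dd:ee:02"),  # same MAC now claims a host IP
]


def detect_arp_conflicts(replies, trusted=None):
    """Build an IP -> MAC table from the replies and report every reply whose sender
    MAC differs from the MAC first learned (or statically trusted) for that IP.
    Returns a list of (time, ip, expected_mac, observed_mac) alerts."""
    table = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = table.get(ip)
        if known is None:
            table[ip] = mac          # first sighting: learn it
        elif known != mac:
            alerts.append((ts, ip, known, mac))
    return alerts


def macs_claiming_multiple_ips(replies):
    """A single MAC answering for several IPs is a second poisoning indicator
    (a legitimate host normally answers only for its own address)."""
    seen = defaultdict(set)
    for _, ip, mac in replies:
        seen[mac.lower()].add(ip)
    return {mac: sorted(ips) for mac, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    for alert in detect_arp_conflicts(ARP_REPLIES):
        print("conflict at %s: %s expected %s, saw %s" % alert)
    print("multi-IP MACs:", macs_claiming_multiple_ips(ARP_REPLIES))
```

Seeding the table with a static list of trusted mappings (at least the gateway) through the `trusted` argument avoids the weakness of learning from the first reply seen, which could itself be forged; a change on a legitimately replaced NIC will also trigger an alert, so the output is a lead for the investigator, not proof by itself.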
DNS Spoofing: DNS spoofing, also called DNS cache poisoning, is a form of hacking in which
corrupt Domain Name System data is introduced into a DNS resolver's cache, causing the name server
to return an incorrect IP address and diverting traffic to the attacker's computer. Spoofing attacks can
cause severe security problems for DNS servers susceptible to them, for example redirecting users to the
wrong Internet websites or directing e-mail to unauthorized mail servers. A spoofing attack can continue
for a long period without being noticed.


DNS spoofing refers to two methods of causing a DNS server to direct users incorrectly:
1. Poisoning the DNS cache of name resolution servers, which results in directing users to the wrong
websites or sending e-mail to the wrong mail servers.
2. Using the recursive mechanism of DNS to predict the request that a DNS server will send and
responding with counterfeit information.
This technique can even be used to defraud the victim into providing personal information through
Web forms. Either method allows the attacker to capture the victim's mail or to set up spoofed web
pages that give users false information.
6. How do you collect network-based evidence and log files?
Answer: When you collect evidence, make sure that you are not overlooking potential sources of
evidence when you respond to an incident. Most network traffic leaves an audit trail somewhere along
the path it travelled. Some examples are given here:
1. Routers, firewalls, servers, IDS sensors, and other network devices may keep logs that record
network-based events.
2. DHCP servers record network access when a PC requests an IP lease.
3. Modern firewalls allow administrators a great deal of granularity when creating inspection logs.
4. IDS sensors may catch a portion of an attack through a signature-recognition or anomaly-detection
filter.
5. Host-based sensors may detect the modification of a system library or the addition of a file in a
sensitive location.
6. System log files three time zones away on the primary domain controller may show an unsuccessful
authentication during a logon attempt.
When all the existing pieces of network-based evidence are combined, they reconstruct a particular
network event, such as a file transfer, a buffer overflow attack, or a stolen user account and password
being used on your network.
These investigative clues present some unique challenges for the investigator:
1. Network-based logs are stored in many formats.
2. The logs may originate from several different operating systems.
3. The logs may require special software to access and read.
4. The logs are geographically dispersed and sometimes carry an inaccurate current time.
The main challenge for investigators is tracking down all these logs and correlating them. It is very
time-consuming and resource-demanding to obtain geographically separate logs from many different
systems, preserve a chain of custody for each of them, and reconstruct a network-based event. Many
times, even the proper grouping of all these logs still paints a horribly imperfect picture.
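The four challenges above (many formats, many systems, special software, scattered clocks) are usually met by normalising every source into one timeline in UTC before correlating. The script below is an added example, not part of the book; the three log excerpts are constructed, the year is assumed because syslog-style stamps omit it, and the per-source UTC offsets stand in for what the investigator would establish from each device's clock and time-zone setting.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed log lines from three sources, each in its own format and on its own clock.
ROUTER_SYSLOG = [  # edge router ACL log, clock set to local time UTC-5
    "Mar 10 14:02:11 edge-rtr %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(4431) -> 10.0.0.5(445), 1 packet",
    "Mar 10 14:02:14 edge-rtr %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(4432) -> 10.0.0.5(445), 1 packet",
]
DHCP_LOG = [  # ISC-style dhcpd in another office, clock at UTC+1
    "Mar 10 20:01:40 dhcp1 dhcpd: DHCPACK on 10.0.0.5 to 3c:52:82:aa:bb:cc via eth0",
]
IDS_ALERTS = [  # Snort-style fast alert, clock at UTC
    "03/10-19:02:13.000000  [**] [1:1000001:1] Constructed test signature [**] {TCP} 203.0.113.9:4431 -> 10.0.0.5:445",
]
YEAR = 2018  # assumed: syslog-style time stamps carry no year

SYSLOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
SNORT_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def to_utc(naive, offset_hours):
    """Attach the source's UTC offset, then convert so every event shares one clock."""
    local = naive.replace(tzinfo=timezone(timedelta(hours=offset_hours)))
    return local.astimezone(timezone.utc)


def parse_syslog(line, offset_hours):
    """Returns (utc_time, message) for a BSD-syslog style line, or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime("%s %d" % (m.group(1), YEAR), "%b %d %H:%M:%S %Y")
    return to_utc(stamp, offset_hours), m.group(3)


def parse_snort(line, offset_hours):
    """Returns (utc_time, message) for a Snort fast-alert style line, or None."""
    m = SNORT_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime("%s %d" % (m.group(1), YEAR), "%m/%d-%H:%M:%S.%f %Y")
    return to_utc(stamp, offset_hours), m.group(2)


# (source name, lines, clock offset from UTC in hours, parser)
SOURCES = [("router", ROUTER_SYSLOG, -5, parse_syslog),
           ("dhcp", DHCP_LOG, 1, parse_syslog),
           ("ids", IDS_ALERTS, 0, parse_snort)]


def build_timeline(sources=SOURCES):
    """Merge every parsable line into one list of (utc_time, source, message), oldest first."""
    events = []
    for name, lines, offset, parser in sources:
        for line in lines:
            parsed = parser(line, offset)
            if parsed:
                events.append((parsed[0], name, parsed[1]))
    return sorted(events, key=lambda e: e[0])


def events_mentioning(ip, events):
    """Slice of the timeline that references a given address, for building the story of one host."""
    return [e for e in events if ip in IP_RE.findall(e[2])]


if __name__ == "__main__":
    for when, source, message in build_timeline():
        print(when.isoformat(), source.ljust(7), message)
```

Once the clocks agree, the constructed lines read as a single story: the DHCP lease for 10.0.0.5 precedes the router's denied connections from 203.0.113.9 by about thirty seconds, and the IDS alert lands between the two router entries. Any source whose clock skew is unknown should be flagged in the report rather than silently adjusted.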
7. What is the difference between a firewall and an IDS?
Answer: A firewall is a hardware and/or software system that operates in a networked environment
to block unauthorized access while permitting authorized communications. It is a device and/or
software that stands between a local network and the Internet and filters traffic that may be harmful.
An Intrusion Detection System (IDS) is a software system or hardware device installed on the
network (NIDS) or on a host (HIDS) to detect intrusion attempts against the network and report them.


We can think of a firewall as the security guard at the gate and an IDS as a security camera
behind the gate. A firewall can block a connection, whereas an Intrusion Detection System (IDS)
cannot block a connection; an IDS alerts the security administrator to any intrusion attempt.
However, an Intrusion Detection and Prevention System (IDPS) can block connections if it
determines that a connection is an intrusion attempt.

Chapter 9: Report Writing


1. For the following case study/incident, prepare an incident response report.
Case Study: Behavioral Problem: A manager calls the corporate director of safety/security out of
concern for an employee. The manager reports that the employee had asked whether the neighbors
had called. When asked why, the employee had related a story about his neighbors, who have a
machine that can read his mind. The employee had told the manager that the matter should be
reported because only the FBI is authorized to have such a machine.
Answer:
1. Incident Response: The assistant general manager, department head, corporate director of safety/
security, corporate counsel, and director of human resources reviewed the facts of the situation
and developed a plan of action. The incident response team concluded that the employee should
be sent to his own doctor and should return with a letter from the doctor stating that the employee
is not a threat to himself or anyone else. After some time, the employee returned to work with a
letter from the doctor. The letter stated that it was the doctor's opinion that returning to work
would be good treatment for the employee. The organization did not have an Employee Assistance
Program (EAP), which made the situation hard to handle.
2. Examination: While interviewing the employee, it was found that he had thrown rocks at the
neighbors' home, breaking windows and damaging the roof. The employee explained that this was
an attempt to stop them from using the mind-reading machine. The employee seemed confused.
He indicated that he was seeing a state chiropractor, who suggested that he move because of the
neighbors, which he did.
3. Conclusion: The employee returned to work under close supervision and is doing well.
4. Lessons learned:
(a) Employees should be treated with respect at all times.
(b) When dealing with this sort of situation, the individual can be unpredictable. It is critical that
trained staff handle such matters and consult with a specialist in human behavior and risk
assessment.
(c) It is also important to consider violations of company policy as well as violations of criminal
law. Failing to take appropriate action to correct behavioral issues effectively gives consent for
the behavior to continue.
(d) It is important to identify who is on the incident response team and to contact the team when
a potential threat is recognized.
2. Explain guidelines for incident report writing.
Answer: The following points are to be considered when writing a report:
Document investigative steps immediately and clearly: Through our experience of writing a vast
number of forensic reports, we have developed some report writing guidelines. We have used these
reports to refresh our recollections during criminal trials and to train numerous employees new to the
field of computer forensics. They represent general principles that should be followed to ensure your
organization can exceed expectations with its investigative reports.
Documenting investigative steps immediately requires discipline and organization, but it is essential
to successful report writing. Do not use shorthand or shortcuts; write down everything in a fashion that
is understandable to you and others. Unclear notations, incomplete scribbling, or unclear documentation
will eventually lead to redundant efforts, forced translation of notes, confirmation of notes, and a failure
to comprehend notes by yourself or others.
Writing something clearly and concisely the moment you discover evidence saves time and promotes
accuracy. It also ensures that at any moment the details of the investigation can be communicated
more clearly to others, which is critical should new personnel become involved or be assigned to lead
the investigation.
Know the goals of your analysis: Before you begin your analysis, know what the goals of the
examination are. For law enforcement examiners, every crime has elements of proof, and your report
should unearth evidence that confirms or dispels those elements. The bottom line is that the more
focused your reports are, the more effective they are.
While hashing out the objectives of your forensic examination, you should also address the
following issues:
(a) Does the client/consumer of your report want a single forensic report for each piece of media
examined, or a report of the investigation that encompasses all media analyzed?
(b) How does the client/consumer wish you to communicate your findings: verbally or in written
form?
(c) How often does the client/consumer want a status report on your forensic examination?
(d) Should the interim status reports be verbal or written?
(e) Which examiner should sign as the provider or author of the forensic report?
We address these issues while scoping the objectives of our examination; doing so saves a lot of
headaches in the long run.
Organize your report: Write “macro to micro.” Organize your forensic report to start at the high level,
and have the complexity of your report increase as your audience continues to read it. This way, to get
the essence of your conclusions, the executives need to read only the first page or so, and there is no
need to understand the low-level details that support your claims.
For longer reports, include a table of contents. The table of contents enforces a logical approach to
documenting your findings, and it helps the reader understand what your report accomplishes.
Follow a template: A standardized report template should be followed. This makes your report writing
scalable, establishes a repeatable standard, and saves time. In practice, you can organize your report in
many different fashions, but it needs to make sense.
Use consistent identifiers: Referring to an item in different ways, such as calling the same computer
a system, PC, box, web server, victim system, and so on, creates confusion in a report. Developing a
consistent, unwavering way to reference each item throughout your report is critical to eliminating
such ambiguity or confusion. It is a good idea to create a unique identifier or reference tag for each
person, place, and thing that is referred to repeatedly in your report. For the remainder of the report,
the label identifies the corresponding item.
Use attachments and appendices: To maintain the flow of your report, use attachments or appen-
dices. You do not want to interrupt your forensic report, right in the middle of your conclusions,
with 15 pages of source code. Any information, files, and file fragments that you point out in your
report and that run over a page long should be included as appendices or attachments. In the body of
the report you can include a brief reference to the appendix; for example, you might say, "A printout
of the information is included as Appendix A." Sometimes it is unwieldy or difficult to produce large
database files, lengthy source code files, and spreadsheets in printed form. For this type of reference,
we provide an electronic copy instead of the printed copy and call it an eAppendix.
Have coworkers read your reports: Have other coworkers read your forensic reports. This helps
develop reports that are comprehensible to nontechnical personnel, who have an impact on your inci-
dent response strategy and resolution. While writing the report, consider who will consume it: know
your audience and its technical capability. For example, if you are providing a computer forensics
report to a nontechnical lawyer, it is a good idea to provide a glossary of terms tailored specifically for
that report.
Use MD5 Hashes: Whether it is an entire hard drive or specific files, create and record the MD5
hashes of your evidence. Computing MD5 hashes for all evidence supports the claim that you are
diligent and attentive to the special requirements of forensic examination. If your evidence is handled
properly and remains tamperproof, the MD5 hashes calculated for a given set of data will always
remain the same. By recording these MD5 values, you give your audience confidence that you are
handling the data in the appropriate manner.
Include metadata: Record and include the metadata for every file or file fragment cited in your report.
This metadata includes the time/date stamps, full path of the file, the file size, and the file's MD5 sum.
This identifying data increases consumer confidence and eliminates confusion about which files you
are referencing during testimony; those who read your report appreciate that you include all the details,
and you will likely need them to remove any ambiguity.
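The two guidelines above (record hashes, record metadata) come down to producing one record per cited file that can be re-verified at any later point. The script below is an added example and is not from the book; the evidence files it writes into a temporary directory are constructed, and it records a SHA-256 alongside the MD5 the text calls for, because MD5 is known to be collision-prone and a second, stronger hash costs nothing at this stage.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def file_hash(path, algorithm="md5", chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte evidence files never need to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def evidence_record(path, tag):
    """The metadata the report should cite for one file: reference tag, full path,
    size, time stamps (UTC) and hashes. MD5 is what the text asks for; SHA-256 is
    recorded alongside as a stronger check."""
    st = os.stat(path)
    iso = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat(timespec="seconds")
    return {
        "tag": tag,
        "path": os.path.abspath(path),
        "size": st.st_size,
        "modified": iso(st.st_mtime),
        "accessed": iso(st.st_atime),
        "md5": file_hash(path, "md5"),
        "sha256": file_hash(path, "sha256"),
    }


def verify_record(record):
    """Re-hash the file now; any change since the record was made shows as a mismatch."""
    return (file_hash(record["path"], "md5") == record["md5"]
            and file_hash(record["path"], "sha256") == record["sha256"])


def metadata_table(records):
    """Plain-text table suitable for an appendix of the report."""
    header = "%-8s%10s  %-26s%-34s%s" % ("Tag", "Size", "Modified (UTC)", "MD5", "Path")
    rows = ["%-8s%10d  %-26s%-34s%s" % (r["tag"], r["size"], r["modified"], r["md5"], r["path"])
            for r in records]
    return "\n".join([header] + rows)


def build_demo_records():
    """Constructed evidence files in a temporary directory, standing in for files
    exported from an image. Tags follow the consistent-identifier guideline."""
    workdir = tempfile.mkdtemp(prefix="evidence_")
    samples = [("EV-001", "keylog.txt", b"constructed sample file contents\n"),
               ("EV-002", "config.bak", b"constructed second sample\n")]
    records = []
    for tag, name, data in samples:
        path = os.path.join(workdir, name)
        with open(path, "wb") as fh:
            fh.write(data)
        records.append(evidence_record(path, tag))
    return records


if __name__ == "__main__":
    recs = build_demo_records()
    print(metadata_table(recs))
    print("all records verified:", all(verify_record(r) for r in recs))
```

Running `verify_record` again immediately before testimony, and recording that result too, is what turns the hash list into evidence of proper handling rather than just a list of numbers.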

Chapter 10: Computer Forensics Tools


1. Explain the tasks Performed by Computer Forensics Tools.
Answer: All computer forensics tools, both hardware and software, execute specific functions. These
functions are clustered into five major categories, each with sub-functions for further refining data
analysis and recovery:
1. Acquisition
2. Validation and discrimination
3. Extraction
4. Reconstruction
5. Reporting
In the following sections, you will learn how these five functions and associated subfunctions apply
to computing investigations.
Acquisition: Acquisition, the first task in computer forensics investigations, is making a copy of the
original drive. Subfunctions in the acquisition category comprise the following:
1. Physical data copy
2. Logical data copy
3. Data acquisition format


4. Command-line acquisition
5. GUI acquisition
6. Remote acquisition
7. Verification
Some computer forensics software suites, like AccessData FTK and EnCase, provide discrete tools
for obtaining an image. Nevertheless, some investigators opt to use hardware devices, like the Logicube
Talon, VOOM HardCopy 3, or ImageMASSter Solo III Forensic unit from Intelligent Computer
Solutions, Inc., for obtaining an image. These hardware devices have their own built-in software for
data acquisition. No other device or program is needed to make a duplicate drive. But, you still need
forensics software to analyze the data disk acquisitions.
Validation and Discrimination: Two concerns in dealing with computer evidence are critical. The
first is guaranteeing the integrity of the data being copied, i.e. the validation process. The second is the
discrimination of data, which includes sorting and searching through all analysis and research data.
The process of authenticating data is what allows discrimination of data. Many forensics software
vendors offer three methods for discriminating data values. These are the subfunctions of the validation
and discrimination function:
1. Hashing
2. Filtering
3. Analyzing file headers
Validating data is done by obtaining hash values. As a standard feature, most forensics tools and
many disk editors have one or more types of data hashing. How data hashing is used depends on the
investigation, but using a hashing algorithm on the entire suspect drive and all its files is a good idea.
This method produces a unique hexadecimal value for data, used to make sure the original data has
not changed. This unique value has other potential uses. For example, in the corporate environment,
you could create a known good hash value list of a fresh installation of an OS, all applications, and all
known good images and documents. With this information, a detective could ignore all files on this
known good list and focus on other files on the disk that are not on this list. This process is called
filtering. Filtering can also be used to find data for evidence in criminal investigations or to build a case
for firing an employee.
The primary purpose of data discrimination is to separate good data from suspicious data. Good
data consists of known files, such as OS files and common programs like Microsoft Word.
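The three subfunctions just listed (hashing, filtering, analyzing file headers) combine into a simple triage pass over the files on an image. The script below is an added example and not from the book or any of the tools it names; the file contents, the known-good list and the known-bad list are all constructed, and the header check uses only a handful of well-known magic numbers.

```python
import hashlib

# Constructed contents of files found on a suspect image, keyed by their path in the image.
SUSPECT_FILES = {
    "/Windows/System32/kernel32.dll": b"constructed known-good OS file",
    "/Program Files/Office/winword.exe": b"constructed known-good application",
    "/Users/bob/Documents/notes.txt": b"constructed user document",
    "/Users/bob/Pictures/holiday.jpg": b"MZ\x90\x00constructed executable with an image extension",
    "/Users/bob/AppData/Temp/update.exe": b"constructed file seen in an earlier case",
}


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


# Known-good list (constructed): hashes taken from a fresh OS install and approved applications.
KNOWN_GOOD = {md5_hex(b"constructed known-good OS file"),
              md5_hex(b"constructed known-good application")}
# Known-bad list (constructed): hashes recorded as evidence in a previous investigation.
KNOWN_BAD = {md5_hex(b"constructed file seen in an earlier case")}

# Leading bytes -> extensions they legitimately belong to. A mismatch between header and
# extension is a classic way of hiding a file, so it is worth a bucket of its own.
MAGIC = {
    b"MZ": {"exe", "dll", "sys"},
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"%PDF": {"pdf"},
    b"\x89PNG": {"png"},
}


def header_mismatch(path, data):
    """True when the file's leading bytes identify a type that contradicts its extension."""
    ext = path.rsplit(".", 1)[-1].lower() if "." in path.rsplit("/", 1)[-1] else ""
    for magic, exts in MAGIC.items():
        if data.startswith(magic):
            return ext not in exts
    return False


def triage(files, known_good=KNOWN_GOOD, known_bad=KNOWN_BAD):
    """Sort files into buckets, checked in this order: known_good (ignore), known_bad
    (evidence), header_mismatch (suspicious), review (everything else)."""
    buckets = {"known_good": [], "known_bad": [], "header_mismatch": [], "review": []}
    for path, data in files.items():
        digest = md5_hex(data)
        if digest in known_good:
            buckets["known_good"].append(path)
        elif digest in known_bad:
            buckets["known_bad"].append(path)
        elif header_mismatch(path, data):
            buckets["header_mismatch"].append(path)
        else:
            buckets["review"].append(path)
    return buckets


if __name__ == "__main__":
    for bucket, paths in triage(SUSPECT_FILES).items():
        print(bucket, paths)
```

The known-good check runs first so that a renamed but unmodified system file still drops out; everything left in `review` is where keyword searching and manual examination start.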
Extraction: The extraction function is referred to as the recovery task in a computing investigation
and is the most challenging of all tasks to master. Recovering data is the first step in analyzing an
investigation's data. The following subfunctions of extraction are used in investigations:
1. Data viewing
2. Keyword searching
3. Decompressing
4. Carving
5. Decrypting
6. Bookmarking
Many computer forensics tools include a data-viewing mechanism for digital evidence. How data is
viewed is determined by the tool. Tools such as ProDiscover, X-Ways Forensics, FTK, EnCase, SMART,
ILook, and others offer numerous ways to view data, including logical drive structures such as folders
and files. These tools also show allocated file data and unallocated disk areas with special file and disk
viewers. Being able to view this data in its normal form makes examining and gathering clues for the
examination easier.
Reconstruction: The purpose of having a reconstruction feature in a forensics tool is to re-create a
suspect drive to display what happened during a crime or an incident. Another reason for replicating a
suspect drive is to create a copy for other computer detectives, who might need a fully functional copy
of the drive so that they can achieve their own procurement, test, and study of the evidence. These are
the subfunctions of reconstruction:
1. Disk-to-disk copy
2. Image-to-disk copy
3. Partition-to-partition copy
4. Image-to-partition copy
There are several ways to re-create an image of a suspect drive. Under ideal conditions, the best
and most reliable method is obtaining the same make and model of drive as the suspect drive. If the
suspect drive was manufactured recently, finding an identical drive is fairly easy. However, since
computer manufacturers use just-in-time delivery systems for inventory supplies, a drive manufactured
three months ago might be out of production and unavailable for sale, which makes finding matching
older drives more challenging. The simplest method of duplicating a drive is using a tool that makes
a direct disk-to-disk copy from the suspect drive to the target drive. Many tools can perform this
task. One free tool is the UNIX/Linux dd command, but it has a major disadvantage: the target drive
being written to must match the original (suspect) drive, with the same cylinder, sector, and track
count. If a matching drive is not available, it might be possible to manipulate the target drive's
cylinders, sectors, and tracks to match the original drive through your workstation's BIOS. Be aware
that other issues related to the target drive's firmware might prevent this technique from working
correctly. To address the difficulty of matching a suspect drive, several vendors have developed tools
that can force a geometry change from a suspect drive to a target drive.
For most forensic disk duplication tools, the target drive must be identical in size to or larger
than the suspect drive. For a disk-to-disk copy, both hardware and software duplicators are available;
hardware duplicators are the fastest way to copy data from one disk to another. Hardware duplicators,
such as Logicube Talon, Logicube Forensic MD5, and ImageMASSter Solo III Forensics Hard Drive
Duplicator, adjust the target drive's geometry to match the suspect drive's cylinders, sectors, and
tracks. Software duplicators, which are slower than hardware duplicators, include SnapBack, SafeBack,
EnCase, and X-Ways Forensics.
For image-to-disk and image-to-partition copies, many more tools are available, but they are signifi-
cantly slower in transferring data. The following are some tools that perform an image-to-disk copy:
1. SafeBack
2. SnapBack
3. EnCase
4. FTK Imager
5. ProDiscover
6. X-Ways Forensics
All these tools have trademarked and copyrighted formats that can be restored only by the same
application that created them. For example, a ProDiscover image (.eve format) can be restored only by
using ProDiscover.


When you must demonstrate in court how criminal activity was carried out on a suspect’s computer,
you need a product that shadows the suspect drive. This shadowing technique requires a hardware
device like Voom Technologies Shadow Drive. This device connects the suspect drive to a read-only
IDE port and another drive to a read-write port. The read-write port drive is referred to as a shadow
drive. When the Voom device with drives is connected to a computer, you can access and run applica-
tions on the suspect drive. All data that would typically be written to the suspect drive is passed on to
the shadow drive.
This tool saves time and helps solve problems you might encounter when trying to make a working
duplicate of a suspect drive.
Reporting: To complete a forensic disk analysis and examination, you need to create a report. Before
Windows forensics tools were available, this process required copying data from a suspect drive and
extracting the digital evidence yourself. The investigator then copied the evidence into a separate
program, such as a word processor, to create a report. File data that could not be read in a word
processor, such as databases, spreadsheets, and graphics, made it challenging to insert nonprintable
characters, such as binary data, into a report. Typically, these reports were not stored electronically,
since investigators had to collect printouts from several different applications to combine everything
into one large paper report.
Newer Windows forensics tools can generate electronic reports in a variety of formats, like word
processing documents, HTML Web pages, or Acrobat PDF files. These are the subfunctions of the
reporting function:
1. Log reports
2. Report generator
As part of the validation process, often you need to document the steps you took to obtain data
from a suspect drive. Many forensics tools, like FTK, ILook, and X-Ways Forensics, can generate a
log report that records activities performed by the detective. Then a built-in report generator is used
to create a report in a variety of formats. The following tools are some that offer report generators
displaying bookmarked evidence:
1. EnCase
2. FTK
3. ILook
4. X-Ways Forensics
5. ProDiscover
The log report can be added to your final report as additional documentation of the steps you took
during the examination, which can be useful if repeating the examination is necessary. For a case that
requires peer review, log reports confirm what activities were performed and what results were found in
the original analysis and examination.
2. Write a short note on Software forensic tool and hardware forensic tool.
Answer:
Hardware Forensic Tool: Technology changes rapidly, and hardware manufacturers have designed
most computer components to last about 18 months between failures. Hardware is hardware; whether
it is a rack-mounted server or a forensic workstation, ultimately it fails. For this reason, you should
plan equipment replacements periodically, preferably every 18 months if you use the hardware full
time. Most computer forensics operations use a workstation 24 hours a day for a week or longer
between complete shutdowns.


You should plan your hardware needs carefully, especially if you have budget limitations. Include
the amount of time you expect the forensic workstation to be running, how often you expect hardware
failures, consultant and vendor fees to support the hardware, and how often to anticipate replacing
forensic workstations. The longer you expect the forensic workstation to be running, the more you
need to anticipate physical equipment failure and the expense of replacement equipment.
Software Forensic Tool: Software forensics tools are clustered into command-line applications
and GUI applications. Some tools are dedicated to perform one task, like SafeBack, a command-
line disk acquisition tool from New Technologies, Inc. (NTI). Other tools are intended to perform
many different tasks. For example, Technology Pathways ProDiscover, X-Ways Forensics, Guidance
Software EnCase, and AccessData FTK are GUI tools intended to perform most computer forensics
acquisition and investigation functions. Software forensics tools are normally used to copy data from a
suspect’s drive to an image file. Many GUI acquisition tools can read all structures in an image file as
though the image were the original drive. Many analysis tools, like ProDiscover, EnCase, FTK, X-Ways
Forensics, ILook, and others, have the ability to examine and investigate image files.
