DF Ia1

The document outlines the challenges in acquiring digital evidence, including access protection, steganography, and data obfuscation. It also defines digital evidence, its characteristics, and types, while discussing malware analysis techniques and tools. Additionally, it covers forensic image formats, the chain of custody, and various types of malware.

Uploaded by

Siddhant Thorve
Copyright
© All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
11 views17 pages

DF Ia1

The document outlines the challenges in acquiring digital evidence, including access protection, steganography, and data obfuscation. It also defines digital evidence, its characteristics, and types, while discussing malware analysis techniques and tools. Additionally, it covers forensic image formats, the chain of custody, and various types of malware.

Uploaded by

Siddhant Thorve
Copyright
© All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

Digital forensics IA-1 QUESTION BANK (By Siddhant Thorve)

1. Explain the challenges in acquiring digital evidence.

Challenges in Acquiring Digital Evidence

• Access Protection: Computers protected by passwords, access cards, or dongles can prevent immediate access to the
data.

• Steganography: Hiding evidentiary material in plain sight inside photos, movies, audio files, and file systems (e.g.,
within MS Word documents) so that it escapes notice during examination.

• Data Obfuscation: Methods used to obfuscate information and render it unintelligible without the specific password.

• Full Disk Encryption: Encryption of the entire disk, including the system partition, using tools like BitLocker drive
encryption.

• Complex Passwords: Secure system or volume passwords that are difficult to guess, which can consume significant
time and resources for the investigation.

• File Renaming and Extension Alteration: Renaming files and altering their extensions (for example, renaming a .DOCX
file as a .DLL) so that they pass as known system files.

• Evidence Wiping: Attempts to erase evidence by employing various software tools and methods to securely and
permanently wipe the hard disk.

• Logging and History Deletion: Turning off system or application logging and clearing web browser history before
closing applications to remove the digital trail.

• Physical Damage: Digital media that has sustained physical harm; for example, being unable to recover erased
contents from a failing HDD before it is physically repaired.

• Environmental Sensitivity: Digital evidence is sensitive and can be ruined by heat, cold, dampness, magnetic fields, or
simple physical drops if not handled appropriately.

• Evidence Volatility: The ease with which digital evidence can be changed. This requires specific protocols, such as
leaving a computer ON if found ON to acquire volatile memory, or leaving it OFF if found OFF to prevent data
modification.

2. Discuss the goals of digital forensics.


3. Define Data Carving. Module 4

Core Definition

• Extraction from Raw Data: Carving is the process of extracting data or files from undifferentiated "chunks" of raw data.

• Independence from File Systems: It allows investigators to extract data from a storage device without using the
original file system that created the file.

• Format-Specific Analysis: The process identifies and recovers files based solely on their structure, content, and
format-specific properties (such as the file header and footer) rather than on file-system metadata.

How Data Carving Works

• Recovery from Unallocated Space: It is most commonly used to retrieve files from unallocated space—the portion of a
disk that no longer contains file information (like the file table) but still holds the actual data because the system did
not "zero-out" the information upon deletion.

• Rebuilding Files: Investigators rebuild files from raw disk data by inspecting a file's header (the first few bytes) and
footer (the last few bytes) to determine where a file starts and ends.

• Locating Hidden Data: It is a vital technique for locating hidden or deleted data that cannot be accessed through
normal operating system methods.

Tools Used for Data Carving

While file carving can be performed manually with a hex editor, several specialized tools automate the process:

1. Foremost

2. Scalpel

3. Jpegcarver
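
The header/footer carving described above, as an added example (not code from the question bank or from any of the tools listed): it scans a constructed blob of "unallocated space" for JPEG and PNG signatures and recovers each file without any file-system metadata, then hashes the result for the evidence log.

```python
"""Added example (not from the question bank): a minimal header/footer
carver of the kind Foremost and Scalpel automate. It scans a raw byte
blob, as a carver scans unallocated space, and recovers files from their
signatures alone, with no file-system metadata involved."""
import hashlib

# (header, footer) magic bytes for two common types. JPEG starts with the
# SOI marker FF D8 FF and ends with EOI FF D9; PNG starts with its 8-byte
# signature and ends with the IEND chunk (type + fixed CRC).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 10 * 1024 * 1024  # stop looking for a footer after 10 MiB


def carve(blob):
    """Return (type, offset, data) for every file found by signature,
    ordered by offset. A header with no footer in range is skipped."""
    found = []
    for ftype, (head, foot) in SIGNATURES.items():
        pos = 0
        while True:
            start = blob.find(head, pos)
            if start < 0:
                break
            end = blob.find(foot, start + len(head), start + MAX_CARVE)
            if end < 0:
                pos = start + 1      # orphan header: move on
                continue
            end += len(foot)
            found.append((ftype, start, blob[start:end]))
            pos = end
    found.sort(key=lambda f: f[1])
    return found


def carve_report(blob):
    """Hash each carved file so it can be logged and later verified
    against the chain-of-custody record."""
    return [
        {"type": t, "offset": off, "size": len(d),
         "sha256": hashlib.sha256(d).hexdigest()}
        for t, off, d in carve(blob)
    ]


def build_sample_space():
    """Constructed stand-in for unallocated space: sequential filler bytes
    with a fake JPEG and a fake PNG embedded (payloads are dummies)."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-DUMMY-" * 8 + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
           + b"IEND\xaeB`\x82")
    filler = bytes(range(256)) * 4   # contains none of the signatures
    return filler + jpeg + filler + png + filler, jpeg, png


if __name__ == "__main__":
    space, _, _ = build_sample_space()
    for entry in carve_report(space):
        print(entry)
```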

4. Explain what digital evidence is. Explain the various types of digital evidence.

What is Digital Evidence?


Digital evidence is any information that is stored or transmitted in a format that a machine can read. For it to be useful in a
legal case, it must maintain enough integrity and legitimacy to be used in a court of law.

Unlike traditional evidence (such as DNA, fingerprints, or physical weapons), digital evidence is often invisible to the naked eye
and requires special tools to uncover.

Key Characteristics

• Fragile and Changeable: Digital evidence is very sensitive. It can be easily altered, damaged, or lost if not handled with
extreme care.

• Volatile: Some evidence exists only while a device is powered on. For example, if a computer is found ON, investigators
often leave it ON to capture temporary memory; if it is OFF, they leave it OFF to prevent data from being changed
during start-up.

• Environmental Sensitivity: It can be ruined by physical factors like heat, cold, dampness, magnetic fields, or being
dropped.

Types of Digital Evidence


Visible Data Types

Visible data refers to files and information that are generally accessible through standard file explorers or applications.

1. Logs
Logs act as a digital diary of activities across various systems:

• OS Logs: Record system access, security alerts, login durations, and shutdowns.

• Database Logs: Show specific changes made to databases; useful for debugging or tracking unauthorized edits.

• Email Logs: Reveal sender/receiver details, timestamps, and delivery status, often stored in the email header.

• Software Logs: Document actions performed by a program, including errors and crashes.

• Network Logs: Contain clues about internet activity, such as visited websites and message content.

2. Video Footage and Images

This category includes CCTV, mobile recordings, and digital photos. Although visible, they often require specialized forensic
tools to handle proprietary file formats and to preserve the chain of custody for court admissibility.

3. Archives

Files like .zip or .rar act as "wildcards" because they can contain various other formats like images, documents, or source code.
They are often used for backups but can be challenging if they are password-protected or corrupted.

4. Active Data

This refers to temporary files created by applications (like Microsoft Word or email clients) while a user is working. Criminals
may delete original files but often forget to wipe these temporary traces.

Invisible Data Types

Invisible data requires specialized software or technical processes to be viewed or recovered.

5. Metadata

Metadata is "data about data" hidden within a file. For example, EXIF data in a photo can reveal the exact time, date, GPS
location, and the specific camera model used, helping link an individual to a crime.

6. Residual Data

This is data that has been deleted or overwritten. When a file is deleted, it remains on the storage media but is "unlinked" from
the file structure. It can be recovered using forensic tools as long as it hasn't been completely overwritten by new data.

7. Volatile Data

This data exists only in the device's RAM (memory) and is lost once the power is turned off. Some malware resides only in the
RAM to avoid detection. Investigators must act swiftly to perform "RAM imaging" before the device is shut down.

8. Replicant Data

These are temporary backup files or directories automatically created by software (like Photoshop or web browsers) to prevent
data loss. Examples include web cache and cookies, which can reveal a suspect's recent activities even if they tried to hide their
tracks.

5. List malware analysis tools and techniques.

Malware Analysis Techniques

Malware analysis is generally divided into two main processes:

• Static Analysis: The process of analyzing a file's functionality or source code without actually running it. It often
involves using a decompiler to view the code structure.

• Dynamic Analysis: This involves running the executable to observe its behavior in real-time. Because this can be
dangerous, it is often done in virtual machines, though sophisticated malware may hide its behavior if it detects a
virtual environment.

Malware Analysis Tools

The following tools are essential for extracting information from malicious executables like .EXE and .DLL files:

1. Dependency Walker: Identifies the imported and exported functions within an executable. These functions reveal
how a malicious program interacts with the operating system.

2. PEview: Used to inspect the Portable Executable (PE) file structure. It allows analysts to view headers and sections
that contain metadata used by the Windows loader.

3. W32dasm: A disassembler that extracts detailed information about modules (DLLs) and functions used by a program,
helping analysts understand the code at a deeper level.

4. OllyDbg: A debugger used for reverse engineering. It allows investigators to trace registers, the stack, and the heap
while recognizing API calls and loops in real-time.

5. Wireshark: A network protocol analyzer that monitors network traffic. It captures real-time data packets to see what
information a malware is sending or receiving.

6. ConvertShellCode: A tool used to analyze shellcode (raw machine code, usually presented as hex bytes). It helps
investigators understand how a remote attacker might be controlling a compromised system.
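
What PEview shows for a file, as an added example that is not from the question bank or from PEview itself: a small reader for the PE headers and section table, followed by two checks a defender applies to that metadata. The PE bytes are constructed in the block (a minimal image with an abbreviated optional header) and are not a real binary; the section name UPX1 is illustrative.

```python
"""Added example (not from the question bank): a small reader for the PE
headers and section table that PEview displays, plus two checks a
defender applies to them. The PE bytes are constructed here and are not
a real binary."""
import struct

COFF_HEADER = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp,
                                   # PointerToSymbolTable, NumberOfSymbols,
                                   # SizeOfOptionalHeader, Characteristics
SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Walk MZ header -> e_lfanew -> PE signature -> COFF header ->
    optional header magic -> section table, the path the loader takes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from(
        COFF_HEADER, data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0] if opt_size >= 2 else None
    sections = []
    for i in range(nsec):
        s = struct.unpack_from(SECTION_HEADER, data, opt_off + opt_size + 40 * i)
        sections.append({
            "name": s[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": s[1], "virtual_address": s[2],
            "raw_size": s[3], "raw_pointer": s[4], "flags": s[9],
        })
    return {"machine": machine, "timestamp": stamp, "magic": magic,
            "characteristics": chars, "sections": sections}


def suspicious_sections(pe):
    """Findings worth a closer look: a section that is both writable and
    executable, or one that occupies memory but has no bytes on disk
    (typical of packers that unpack code at run time)."""
    findings = []
    for s in pe["sections"]:
        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append((s["name"], "writable and executable"))
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append((s["name"], "no raw data but non-zero virtual size"))
    return findings


def build_sample_pe():
    """Constructed minimal PE32+ image: a normal .text section and a
    packer-style section named UPX1 (illustrative name). The optional
    header is shortened to 8 bytes; the parser honours SizeOfOptionalHeader."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack(COFF_HEADER, 0x8664, 2, 0, 0, 0, 8, 0x22)   # x64, 2 sections
    opt = struct.pack("<H", 0x20B) + b"\0" * 6                     # magic PE32+
    text = struct.pack(SECTION_HEADER, b".text", 0x1000, 0x1000, 0x200,
                       0x200, 0, 0, 0, 0, 0x60000020)               # CODE|EXEC|READ
    upx1 = struct.pack(SECTION_HEADER, b"UPX1", 0x8000, 0x2000, 0,
                       0, 0, 0, 0, 0, 0xE0000040)                   # DATA|EXEC|READ|WRITE
    return dos + b"PE\0\0" + coff + opt + text + upx1


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    for s in pe["sections"]:
        print(f"{s['name']:8} vsize={s['virtual_size']:#x} raw={s['raw_size']:#x} flags={s['flags']:#x}")
    print(suspicious_sections(pe))
```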

Essential Skills for Analysts

To use these tools effectively, an analyst must understand:

• Programming: Knowledge of C/C++ (specifically pointers, stacks, and heaps) and assembly language.

• File Structures: Understanding how PE and COFF files are organized.

• Vulnerability Research: Knowing how shellcode works and how exploits target system vulnerabilities.

• Monitoring: Using process, file, and registry monitors to track system changes.

6. List out different forensic image formats and list out forensic duplication tools.

Forensic Image Formats

Investigators primarily generate and analyze three types of forensic images:


• Complete Disk Image: The most preferred and thorough method. It replicates every accessible allocation unit on the
storage medium, including free space, management blocks, and partially erased data.

• Partition Image: A subset of a complete disk image that captures all allocation units from a single drive partition. It
includes unallocated space and file slack only within that specific partition.

• Logical Image: A basic duplicate that captures only "active" files visible to the user. It typically does not recover deleted
items or file fragments and is used when legal or technical constraints prevent a full disk acquisition.

Forensic Duplication Tools

The following tools are used to create forensic duplicates (bit-for-bit exact copies):

1. Unix dd command: A standard utility used for low-level copying and conversion.

2. dcfldd: An enhanced version of the dd command developed by the U.S. Department of Defense (DoD) Computer
Forensics Lab.

3. FTK Imager: An open-source Open Data Duplicator (ODD) tool used for creating forensic images without modifying the
original evidence.

Additional industry-standard tools:

4. EnCase: A widely used professional forensic platform that can create evidence containers for logical and physical files.

5. Guymager: A free, open-source graphical forensic imager for media acquisition, commonly found in Linux distributions like
Kali or CAINE.

6. Belkasoft Evidence Center: An all-in-one forensic solution capable of acquiring images from hard drives, mobile devices, and
cloud sources.

7. Define digital forensics and enlist categories of digital forensics.

Digital forensics is a specialized branch of forensic science focused on the systematic collection, analysis, documentation, and
presentation of digital evidence related to computer crimes. Its primary objective is to determine exactly what occurred during
an incident, when it happened, and identify the responsible parties for use in a court of law.

8. Discuss chain of custody.

Definition

Chain of custody refers to the rigorous documentation that identifies every change in the control, handling, custody, and
ownership of a piece of digital evidence. It ensures the evidence is stored in a tamper-proof manner and remains inaccessible
to unauthorized persons.

Key Principles

• Traceability: Investigators must be able to trace the location of evidence from the exact moment of collection until it is
presented in a judicial court.

• Tamper-Proof Storage: Evidence is typically stored in a secure area known as an "evidence safe," where access is
strictly limited to appointed custodians.

• Continuous Documentation: Experts and officers are required to check evidence out for review and back in every time
it is returned to storage to maintain a complete record.

The Chain of Custody Process

The process must extend through the entire investigative lifecycle to avoid any suggestion of evidence tampering.

1. Data Collection: This first step involves identifying, labeling, and recording data from all relevant sources while
maintaining the integrity of the original media.

2. Examination: Forensic procedures are documented in detail here. Investigators take screenshots of their tasks to
demonstrate exactly what has been completed and what evidence was discovered.

3. Analysis: In this stage, examiners use legally justifiable methods and techniques to turn raw data into useful
information that answers the specific questions of the case.

4. Reporting: This final documentation phase summarizes the findings. It includes statements about the chain of custody,
descriptions of tools and analysis methods used, and identified vulnerabilities or issues.

9. Write the goals of Incident Response?


10. Explain various types of malware.

Types of Malware

Here are the types of malware:

• Viruses - A Virus is a malicious executable code attached to another executable file. The virus spreads when an infected
file is passed from system to system. Viruses can be harmless or they can modify or delete data. Opening a file can
trigger a virus. Once a program virus is active, it will infect other programs on the computer.

• Worms - Worms replicate themselves on the system, attaching themselves to different files and looking for pathways
between computers, such as a computer network that shares common file storage areas. Worms usually slow down
networks. A virus needs a host program to run, but worms can run by themselves. After a worm infects a host, it is able
to spread very quickly over the network.

• Trojan horse - A Trojan horse is malware that carries out malicious operations under the appearance of a desired
operation, such as playing an online game. A Trojan horse differs from a virus because the Trojan binds itself to
non-executable files, such as image files and audio files.

• Ransomware - Ransomware holds a computer system, or the data it contains, hostage until the victim makes a
payment. It encrypts data on the computer with a key that is unknown to the user. The user has to pay a ransom to the
criminals to retrieve the data; once the amount is paid, the victim can resume using his/her system.

• Adware - It displays unwanted ads and pop-ups on the computer. It comes bundled with software downloads and
packages, and it generates revenue for the software distributor by displaying ads.

• Spyware - Its purpose is to steal private information from a computer system for a third party. Spyware collects
information and sends it to the hacker.

• Logic Bombs - A logic bomb is a malicious program that uses a trigger to activate the malicious code. The logic bomb
remains non-functioning until that trigger event happens. Once triggered, a logic bomb implements a malicious code
that causes harm to a computer. Cybersecurity specialists recently discovered logic bombs that attack and destroy the
hardware components in a workstation or server including the cooling fans, hard drives, and power supplies. The logic
bomb overdrives these devices until they overheat or fail.

• Rootkits - A rootkit modifies the OS to create a backdoor. Attackers then use the backdoor to access the computer
remotely. Most rootkits take advantage of software vulnerabilities to modify system files.

• Backdoors - A backdoor bypasses the usual authentication used to access a system. The purpose of the backdoor is to
grant cyber criminals future access to the system even if the organization fixes the original vulnerability used to attack
the system.

• Keyloggers - Keylogger records everything the user types on his/her computer system to obtain passwords and other
sensitive information and send them to the source of the keylogging program.

11. List out different forensic image formats.

Forensic Image Formats

Investigators primarily generate and analyze three types of forensic images:

• Complete Disk Image: The most preferred and thorough method. It replicates every accessible allocation unit on the
storage medium, including free space, management blocks, and partially erased data.

• Partition Image: A subset of a complete disk image that captures all allocation units from a single drive partition. It
includes unallocated space and file slack only within that specific partition.

• Logical Image: A basic duplicate that captures only "active" files visible to the user. It typically does not recover deleted
items or file fragments and is used when legal or technical constraints prevent a full disk acquisition.

12. Examine the various hard drive analysis techniques?

Not sure, but:


2.11.1 Hard Drive Acquisition Considerations

Before choosing a method, investigators must consider:

1. Drive Size: Large drives need more storage space and take longer to process.

2. Timeframe: If time is limited, a full copy might not be possible.

3. Location: Can the drive be taken to a lab, or must it be handled at the scene?

4. Machine Status: Can the computer be shut down? (e.g., shutting down a server might cause huge financial loss).

2.11.1(A) Physical Acquisition

This creates a bit-by-bit (exact) copy of the entire drive. It captures everything: the operating system, deleted files, and hidden
data. A write blocker is required to ensure the original drive isn't altered.

• Bit-stream disk-to-image file: Saves the copy as a file. This is the most common method because it allows you to make
multiple copies without damaging the original.

• Bit-stream disk-to-disk: Copies data directly from the old drive to a new, similar drive. This is less common but useful in
specific hardware situations.

2.11.1(B) Logical Acquisition

This method only captures visible "active" data (files you can see and open).

• What it misses: It does not capture deleted files, unallocated space, or hidden system data.

• When to use: Use this when the drive is too large (like a RAID server) or when time is too short for a full physical copy.
It is also used in legal cases (e-discovery) to target specific things like emails or photos.

2.11.1(C) Sparse Acquisition

This is similar to logical acquisition but includes a bit more.

• The Difference: While it still targets specific files, it also collects deleted data and fragments related to those files.

• When to use: It is often used on large RAID systems or when dealing with suspects who haven't used advanced
techniques to hide their tracks.

Note: The text mentions FTK Imager as a popular, free tool used to perform these acquisitions.

13. Explain the process of conducting a static acquisition of digital evidence from a storage device.

Conducting a static acquisition involves capturing a digital copy of non-volatile memory (like hard drives or flash drives) while
the device is not in use.

The Preparation Process

1. Selection of Tools: Choose a forensic tool such as FTK Imager, EnCase, or X-Ways Forensics.

2. Write-Protection: You must use a hardware or software write blocker before connecting the device. This ensures the
original evidence is not altered during the process.

3. Assessment: Before starting, consider the size of the drive, the available time, and whether the acquisition must
happen at a crime scene or in a lab.

Choosing an Acquisition Method

Depending on the needs of the case, you will use one of these three primary methods:

1. Physical Acquisition (The Full Copy)

• What it does: Creates an exact bit-by-bit replica of the entire disk.

• What it captures: Everything, including files, metadata, deleted fragments, and unallocated space.

• Storage: Usually saved as a bit-stream image file for investigation.

2. Logical Acquisition (The Specific Copy)

• What it does: Captures only a subset of active data (files visible to the user).

• When to use: Used when the drive is massive (like a RAID system) or when you only need specific items like emails or
photos for a civil case.

• What it misses: It does not capture deleted files or unallocated space.

3. Sparse Acquisition (The Hybrid Copy)

• What it does: Similar to logical acquisition but also includes deleted data and fragments.

• When to use: Useful for large systems where the suspect hasn't used advanced technical measures to hide data.

Final Step: Validation

Once the acquisition is complete, tools like FTK Imager are used to verify the integrity of the forensic image to ensure it is a
perfect match of the original source.
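
The bit-stream acquisition and validation steps above (and the dd/dcfldd duplication tools from question 6), as an added example that is not from the question bank or from any of those tools: a dd-style block copy of a constructed in-memory "drive", recording the SHA-256 as it goes, with an unreadable block handled the way dd's conv=noerror,sync does, and a validation step that recomputes the image hash. The Device class and its bad-block behaviour are constructed for the demonstration.

```python
"""Added example (not from the question bank): a dd-style bit-stream
acquisition with hash validation, the steps FTK Imager or dcfldd perform
for you. The 'drive' is a constructed in-memory byte string."""
import hashlib
import io

BLOCK_SIZE = 512


class Device:
    """Constructed stand-in for a raw block device. `bad_blocks` lists block
    indexes that fail to read, to mimic a failing drive."""

    def __init__(self, data, bad_blocks=()):
        self.data = data
        self.bad_blocks = set(bad_blocks)
        self.pos = 0

    def read(self, n):
        block_index = self.pos // n
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)          # advance even when the read "fails"
        if chunk and block_index in self.bad_blocks:
            raise IOError(f"read error at block {block_index}")
        return chunk


def acquire(device, image, block_size=BLOCK_SIZE):
    """Copy device to image block by block (like `dd conv=noerror,sync`):
    an unreadable block is replaced by zeros so later offsets stay aligned.
    Returns the record an examiner keeps alongside the image."""
    sha = hashlib.sha256()
    copied, bad = 0, []
    while True:
        try:
            chunk = device.read(block_size)
        except IOError:
            bad.append(copied // block_size)
            chunk = b"\x00" * block_size
        if not chunk:
            break
        image.write(chunk)
        sha.update(chunk)
        copied += len(chunk)
    return {"bytes": copied, "bad_blocks": bad, "sha256": sha.hexdigest()}


def verify_image(image_bytes, record):
    """Validation: the stored image must hash to the value recorded at
    acquisition time; any mismatch means the image cannot be relied on."""
    return hashlib.sha256(image_bytes).hexdigest() == record["sha256"]


def demo(bad_blocks=()):
    """Acquire a constructed 2 KiB drive and validate the result. Also
    reports whether the image hash equals the hash of the original data,
    which only holds when no block had to be zero-filled."""
    data = bytes(range(256)) * 8
    image = io.BytesIO()
    record = acquire(Device(data, bad_blocks), image)
    ok = verify_image(image.getvalue(), record)
    source_match = hashlib.sha256(data).hexdigest() == record["sha256"]
    return record, ok, source_match, image.getvalue()


if __name__ == "__main__":
    for bad in ((), (2,)):
        record, ok, source_match, _ = demo(bad)
        print(record, "image verified:", ok, "matches source:", source_match)
```

A clean acquisition verifies and matches the source hash; with a bad block the image still verifies against its own record, but the zero-filled block means it no longer matches the source, which is why the bad-block list belongs in the acquisition notes.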


14. Describe Digital Forensic Process.


15. Explain the role of admissibility of evidence.

Not Found

16. Describe computer viruses. Explain their types.

What is a Computer Virus?

A computer virus is a type of harmful program. When it runs, it makes copies of itself and adds its code to other programs and
files on your computer. These viruses come in different types, and each type can affect your device differently. Simply put, a
computer virus changes how your computer works and aims to spread to other computers. It does this by attaching itself to
normal programs or to documents that can run code (macros).

What Does a Computer Virus Do?

A virus can harm or destroy data, slow down system resources, and log keystrokes, among other things. A virus can have
unexpected or harmful outcomes during this procedure, such as destroying system software by corrupting data. Some viruses
are made to mess things up by deleting files, messing up programs, or even wiping out your hard drive completely. Even if
they're not super harmful, viruses can still slow down your computer a lot, using up memory and making it crash often. Others
might just make copies of themselves or send so much stuff over the internet that it's hard to do anything online.

Different Types of Computer Virus

Each type has a unique way of infecting and damaging computers. Here are a few examples:

• Boot Sector Virus: Attacks the part of the computer that starts up when you turn it on. It can also spread through
devices like floppy disks. Often called a memory virus.

• File Virus: Attaches to the end of a file and modifies how a program starts so that the virus's code runs first.

• Email Virus: Hides in email messages and activates when the user clicks a link, opens an attachment, or otherwise
interacts with the email.

• Polymorphic Virus: Changes its form every time it installs to avoid detection by antivirus software.

• Macro Virus: Activates when a program capable of executing macros runs; often found in documents like spreadsheets.

• Multipartite Virus: Infects the computer's boot sector, memory, and files, making it difficult to detect and remove.

• Encrypted Virus: Uses encryption to hide from antivirus software and includes a decryption routine that runs before the
virus executes.

• Stealth Virus: Modifies detection code, making it very difficult to detect.

• Resident Virus: Saves itself in the computer's memory and can infect other files even after the original program stops.

• Direct Action Virus: Tied to an executable file; it activates when the file is opened but does not delete files or affect
system speed. It blocks file access.

• Browser Hijacker Virus: Changes browser settings without permission and can redirect to malicious sites.

17. Explain Incident Response Methodology.


18. Illustrate the various router investigation steps?

19. Explain malware analysis and describe the importance of malware analysis.

What is Malware Analysis?

Malware is malicious code designed to perform unauthorized actions on a computer or network (like stealing data) without
the user's consent. Common types include viruses, worms, and backdoors.

Malware Analysis is the process of studying a specific malware sample to determine its purpose and how it functions. By
analyzing it, experts can understand how it infects a system, what data it targets, and how it spreads.

Importance of Malware Analysis

Malware analysis is a critical part of modern digital forensics. Here are the key reasons why it is important, broken down
simply:

• Developing Better Defenses

o Explanation: By understanding how new and evolving malware works, security experts can develop more
effective tools and techniques to block future attacks.

• Restoring Infected Systems

o Explanation: Analysis helps identify the damage done to a system, which leads to better solutions for restoring
lost data and getting services back online.

• Understanding Infiltration Methods

o Explanation: It helps experts identify how malware gets into a system—whether through spam emails, infected
USB drives, or software vulnerabilities—so those "holes" can be plugged.

• Investigating Forensic Incidents


o Explanation: Since malware is frequently found on hacked systems, analyzing it is essential for forensic
investigators to piece together how a security breach happened and who might be at risk.

• Combating Constant Evolution

o Explanation: Malware like ransomware (which locks your data for money) is always changing. Analysis is the
only way to keep up with these "inventive techniques" used by attackers.

20. Discover the potential risks involved in hard drive imaging during digital forensic investigation?
