AKTU QUESTIONS

1. Explain the importance of chain of custody in digital forensic investigation AKTU 2024-25
2. Describe the different method used for network forensic AKTU 2024-25
3. Explain the different stages of digital forensic life cycle AKTU 2024-25/23-24
4. What is chain of custody in forensic AKTU 2024-25
5. What are privacy threats? What are the challenge faced AKTU 2023-24
6. What is Email? Explain how email forensic can be done AKTU 2023-24
7. What is digital evidence AKTU 2023-24
8. What are the technical challenges by computer forensics professionals AKTU 2023-24
9. How does investigator capture and analysis the network traffic during AKTU 2023-24
network forensic investigations?
10. What is digital forensic how it differ from tradition forensic science AKTU 2023-24
 What is Digital Role of digital forensic
Forensics? Role Description
Digital Forensics is a branch 1.Crime Helps investigate cybercrimes like
of forensic science that deals Investigation hacking, identity theft, cyberstalking.
with the identification, Recovers lost, deleted, or encrypted
2.Data Recovery
files during criminal investigations.
preservation, analysis, and
3.Evidence Ensures data is not tampered with and
presentation of evidence
Preservation is valid in court.
found on digital devices like 4.Incident Identifies source and method of attack
computers, mobile phones, Response in a security breach.

hard drives, USBs, cloud Provides expert testimony and digital

5.Legal Support
evidence in court proceedings.
storage, and networks.
6.Corporate Detects employee misconduct, policy
Investigations violations, and insider threats.
Aspect Traditional Forensics Digital Forensics
Investigation of physical crimes using physical Investigation of cybercrimes
Definition
evidence using digital evidence
Emails, files, logs, hard drives,
Evidence Type Blood, fingerprints, weapons, documents
mobile data
Digital environments like
Crime Scene Physical locations like homes, offices, crime spots
computers, networks
Forensic software like EnCase, FTK,
Tools Used Microscopes, fingerprint kits, DNA analyzers
Autopsy
Data Nature Tangible and visible Intangible, stored in binary format
Investigation Faster if tools and data access are
Often slower due to lab testing
Time available
Expertise Computer science, cybersecurity,
Biology, chemistry, physical evidence handling
Needed data recovery
Tampering Easier to alter or delete digital
Harder to alter physical evidence
Evidence evidence
Chain of Involves hashing and secure digital
Documented physical transfer
Custody storage
 Example Activities digital What is Computer Forensics?
forensic
Computer Forensics is a branch of digital forensics
➢ Imaging a suspect’s hard disk
that focuses specifically on investigating computers
without changing the original
and digital storage devices to find evidence of
data.
criminal or unauthorized activity.
➢ Analyzing browser history to
trace illegal activity.
➢ Recovering deleted emails or
messages.
➢ Tracing IP addresses in
cybercrime.
 Things to Avoid During a Computer Forensic Investigation
What to Avoid Why

1. Powering on the
It may alter or destroy volatile evidence like RAM data.
system
2. Accessing files
Opens risk of modifying timestamps or data accidentally.
directly
3. Using original data for
Can corrupt or overwrite evidence. Always use a forensic copy.
analysis
4. Not documenting
Weakens the case in court; chain of custody breaks.
actions
5. Using non-forensic
May alter metadata or fail to recover deleted/hidden data.
tools
6. Ignoring volatile
Important live data like passwords or processes can be lost if ignored.
memory (RAM)
7. Lack of legal
Accessing or analyzing systems without proper authority is illegal.
permission
 Things That Cannot Be Avoided
What Cannot Be
Why
Avoided
1. Proper
Ensures evidence is credible and admissible in court.
Documentation
2. Creating a forensic
Needed to preserve original data safely for analysis.
image
3. Maintaining chain
Protects the integrity and authenticity of the evidence.
of custody
4. Use of forensic
Specialized tools are required to extract and analyze data safely.
tools
5. Following legal
Ensures investigation is lawful and ethically sound.
procedures
 Technical Challenges Faced by Computer Forensics Professionals
Challenge Description

1. Data Encryption Encrypted files or drives are hard to access without passwords or keys.

2. Huge Volume of Data Modern devices store terabytes of data, making analysis time-consuming.

3. Deleted or Hidden Data Data may be intentionally deleted or hidden using steganography or rootkits.

4. Use of Anti-Forensic Tools Attackers use tools to erase, corrupt, or mislead forensic traces.

5. Cloud Storage Evidence may be stored remotely, outside legal or physical reach.

6. Volatile Memory Analysis RAM data (passwords, sessions) disappears if not captured before shutdown.

7. Variety of Devices and OS Need to handle Windows, Linux, Android, iOS, IoT devices, etc.

8. Frequent Technology
Constant updates in software and hardware require ongoing learning.
Changes
9. Legal and Jurisdiction Cloud data or emails may be hosted in another country, creating legal
Issues barriers.
 Legal Challenges Associated with Computer Forensics
Computer forensic investigations must follow legal rules to ensure the evidence is
valid and admissible in court
Legal Challenge Description
1. Privacy Laws Accessing personal or corporate data may violate privacy rights or data laws.
2. Jurisdiction Issues Cybercrimes often cross borders, laws differ between countries or states.
3. Improper Search & Seizure Evidence collected without proper warrants can be ruled inadmissible.
4. Chain of Custody Breaks If the handling of evidence isn't properly documented, it can be questioned.

5. Admissibility in Court Digital evidence must meet legal standards (authenticity, relevance, integrity).
6. Lack of Legal Authorization Investigating without consent or a court order may result in legal penalties.
7. Data Retention Laws Organizations may be required to keep or delete data , forensics must comply.
8. Cloud and Third-party Accessing data on cloud servers owned by others may involve complex legal
Storage steps.
9. Use of Anti-Forensics by Suspects may delete or alter data, raising legal questions about intent and
Accused obstruction.
 PHASES INVOLVED IN COMPUTER FORENSIC

Phase Description

Locate potential sources of digital evidence (computers, phones, drives,

1. Identification
etc.)

2. Preservation Secure and isolate the device to prevent data loss or tampering.

3. Collection Acquire digital evidence using forensic tools (e.g., disk imaging).
4. Examination Analyze data to find hidden, deleted, or suspicious files.
Interpret the evidence to understand what happened, when, and who was
5. Analysis
involved.

6. Documentation Record all steps taken and findings (needed for legal presentation).

7. Presentation Present the evidence and expert opinion in court or investigation reports.
 Why Computer Forensics is needed What is Chain of Custody?
Purpose
Chain of Custody is a documented
Crime
To detect and trace criminal activities like
Investigatio process that tracks the collection,
hacking, fraud, or cyberbullying.
n
handling, transfer, storage, and
Data To retrieve deleted, lost, or encrypted files
Recovery during legal or security investigations. preservation of evidence ,especially
Legal To collect and present digital evidence in digital evidence from the moment it is
Evidence court in a valid and acceptable format.
found until it is presented in court.
To analyze how systems were Key Components:
Cybersecuri
compromised and prevent future attacks.
ty
➢ Who collected the evidence
Internal
To identify employee misuse, data theft, ➢ When and where it was collected
Investigatio
or policy violations within organizations.
ns
➢ How it was stored or transferred
National To detect terrorist activities or digital
Security espionage through computer systems. ➢ Who accessed or analyzed it
 Importance of chain custody What is Digital Evidence?
Digital Evidence is any information or
Reason Explanation data stored or transmitted in digital

Ensures the evidence is accepted in form that can be used in a court of law.
1. Legal Validity court by proving it was not Examples of Digital Evidence:
tampered with. ➢ Emails or chat messages
2. Evidence Maintains the originality and ➢ Browser history
Integrity reliability of digital evidence.
➢ Social media posts
Tracks everyone who handled the
3.Accountability evidence ➢ CCTV footage
no one can deny their involvement.
➢ Files or images on a hard drive
Transparency in Builds trust in the investigation
➢ Call logs or SMS from a mobile phone
Investigation process and its findings.
 Feature Digital Evidence Physical Evidence

Form Electronic data (files, logs, emails) Tangible items (weapons, fingerprints)

Stored in computers, mobile phones,

Storage Found at crime scene (floor, clothes, etc.)
USB drives

Needs special tools/software to

Handling Can be seen and handled physically
access safely
Easily
Yes, can be edited or deleted Harder to change without detection
Changed?
Copied Easily? Yes, can be copied exactly No, copies may differ

Needs chain of custody and digital

Preservation Needs secure packing and storage
tools

Analysis Tools Forensic software ( EnCase, FTK) Lab tools ( fingerprint kits, DNA test)
 Best Practice for handling
S.No. Explanation
digital evidence
Keep full record of who handled the evidence, when, and
1 Maintain Chain of Custody
where.
Never open or change the original file/device
2 Do Not Alter Original Data
work on a copy only.

3 Use Forensic Tools Use trusted tools (FTK, EnCase) to avoid damaging the data.

Store safely using anti-static bags; keep away from heat or

4 Protect from Damage
water.
Booting can change data
5 Avoid Booting Suspect Device
use write-blockers to prevent changes.
Write down every step, take photos, and record what you find
6 Document Everything
and do.
7 Restrict Access Only trained experts should handle the evidence.
Always get proper permission (like a warrant) to collect
8 Follow Legal Rules
evidence.
 What is the Rule of Evidence?
The Rule of Evidence refers to legal principles that govern how evidence is collected, presented,
and accepted in a court of law.
To ensure that only relevant, reliable, and lawful evidence is used in legal proceedings.
Key Rules of
Explanation
Evidence

Relevance Evidence must be related to the case.

Admissibility Evidence must be legally acceptable (not illegally obtained).

Authenticity Evidence must be genuine and verifiable.

Best Evidence Rule Original documents are preferred over copies.

Hearsay Rule Second-hand statements are usually not allowed unless exceptions apply.

Proper documentation of who handled the evidence to ensure it wasn’t tampered

Chain of Custody
with.
 What is Network Forensics?
Network forensics is the process of capturing, recording, and analyzing network traffic to detect and
investigate unauthorized access, cyberattacks, or data breach
Method used for
Description
capturing network traffic
Tools like Wireshark or tcpdump capture real-time data packets on a
Packet Sniffing
network.
Network Taps or Port Devices or switch configurations are used to mirror traffic to forensic
Mirroring tools.
Log Collection Collect logs from firewalls, routers, IDS/IPS, or servers for investigation.
Flow Data
Captures metadata like IPs, ports, duration — not full packet content.
(NetFlow/IPFIX)
Cloud Traffic Monitoring Use cloud-native tools ( AWS VPC Flow Logs) for cloud-based forensics.
Method for network
Description
traffic analysis
Identify suspicious protocols or abnormal usage ( HTTP over unusual
Protocol Analysis
ports).
Content Inspection Examine packet contents for malware, commands, or data exfiltration.

Traffic Pattern Analysis Detect spikes, unusual timings, or large file transfers.
Match captured data with logs ( login attempts, alerts) to reconstruct
Correlation with Logs
events.
Timeline Reconstruction Rebuild sequence of events during the attack using timestamps.
 Important Elements in a Forensic Investigation Engagement Contract
An engagement contract outlines the scope, responsibilities, and legal terms between a
forensic investigator (or firm) and the client. Key elements include
Element Description

1. Scope of Work Defines what will be investigated (data breach, fraud, digital theft).

2. Objectives What the client wants to achieve (evidence collection, root cause).

3. Legal Authorization Confirms the investigator has permission to access systems and data.

4. Confidentiality Clause Ensures all sensitive information remains private and protected.
5. Chain of Custody
Describes how evidence will be handled, stored, and documented.
Procedures
6. Tools and Methods
Lists forensic tools/methodologies to be applied in the investigation.
Used
 Important Elements in a Forensic Investigation Engagement Contract
Element Description

7. Roles and Responsibilities Defines who will do what ( client vs. investigator.)

8. Deliverables Specifies reports, evidence logs, or expert opinions to be provided.

9. Timeframe Sets deadlines for investigation phases and final report submission.

10. Fees and Payment Terms Agreed costs, billing methods, and payment schedule.

11. Liability Limitations Defines the extent of responsibility in case of data loss or legal issues.

12. Dispute Resolution Outlines how conflicts will be resolved

13. Termination Clause Conditions under which the contract can be ended early.
 What are Privacy Threats?
Privacy threats are risks that compromise a person's or organization's private information.
These threats can expose personal data, such as name, address, passwords, health records,
financial details, etc., without permission.
Type of Privacy Threat Explanation Example

Phishing Fake messages to steal personal info Fake email asking for bank details

Data Breaches Unauthorized access to data Hackers stealing user info from a company

Spyware Software that secretly collects data Apps tracking your activity without consent

Social Engineering Manipulating people to give up info Impersonating IT staff to get passwords

Tracking & Profiling Online behavior is monitored Websites tracking browsing habits

Cloud
Improper cloud settings expose data Public cloud files without access control
Misconfigurations
 What is a Social Networking Site?
A social networking site is an online platform that allows people to create profiles, connect with
others, share content, and communicate.
Examples Facebook, Instagram, Twitter ,LinkedIn, Snapchat
Security Threats from Social Networking Sites
Threat Explanation Example
Criminals gather your personal Using your photos and details to create
Identity Theft
info to impersonate you. fake accounts.
Fake links or messages trick users A message saying “click here to win an
Phishing Attacks
into giving up data. iPhone” leading to a fake login page.
Harmful links or apps are shared Clicking on a video link that downloads
Malware Spread
through posts or DMs. spyware.
Attackers use info from your “Hi, I’m your cousin, can you send me
Social Engineering
profile to manipulate you. money?”
 Security Threats from Social Networking Sites
Threat Explanation Example
Stalking & Posting your location publicly and
Strangers misuse personal details.
Harassment someone shows up there.
Scammers create false accounts to
Fake Profiles Fake job recruiter asking for bank details.
scam or trick others.
Users reveal too much info Posting birthdate, school, and pet
Oversharing
unintentionally. name—all hints to passwords.
 What is Email? What is Email Forensics?
Email (Electronic Mail) is a method of Email Forensics is the process of investigating email
exchanging digital messages over the messages to collect digital evidence, mainly for
internet between people using cybercrime investigations (like phishing, fraud,
electronic devices (like computers, threats, etc.).
phones). It uses standard protocols
like SMTP (sending), POP3 or IMAP
(receiving).
 How Email Forensics is Done
Step Explanation

1. Collection Securely collect the email from server, client, or backup without tampering.

2. Header Analysis Examine the email header (metadata) to trace source IP, route, and sender info.

3. Body Analysis Analyze message content for threats, malicious links, or spam.

4. Attachment Analysis Scan attachments for malware, hidden scripts, or trojans.

5. Keyword Search Use tools to find suspicious keywords or phrases in emails.

6. Timestamp
Check email date/time stamps to detect tampering.
Verification
7. Metadata Analysis Extract hidden info (software used, file history).
8. Trace Email Path Reconstruct the path ,the email took across networks.

9. Reporting Document findings in a legal report for court or investigation.

 What is an Email Message Header?
An email header is the part of the email that contains technical details about the email's journey. It
is not usually visible to the user but is used in email forensics to trace the source and path of the
email.
Field Meaning
From: Email address of the sender
To: Email address of the receiver
Subject: The topic/title of the email
Date: When the email was sent
Return-Path: Address to which undeliverable emails should go
Received: Shows each server the email passed through (used to trace email path)
Message-ID: A unique ID given to the email by the sender's system
Content-Type: Format of the email content (text, HTML, attachment, etc.)
MIME-Version: Version of the MIME protocol (for handling attachments and formats)
SPF/DKIM/DMARC: Email authentication results (used to detect spoofing or spam)
 Explain the different stages of digital forensic life cycle
Stage Description Detailed Example
Detection of the Incident: This stage is
An IT team notices unusual outbound
1. about recognizing that a security breach or
network traffic and multiple failed login
Identificatio digital crime has occurred. It involves
attempts on a company server. They
n monitoring systems and detecting
suspect unauthorized access is taking place.
anomalies.
Securing the Evidence: Once an incident is The forensic team isolates the affected
2. identified, the priority is to secure the server from the network to stop further
Preservatio digital evidence in its original state to activity. They then create a bit-for-bit image
n prevent any tampering or accidental (exact copy) of the hard drive to work on,
modification. keeping the original intact.
Gathering Digital Data: In this phase, all
The team collects data from the
3. relevant digital data from multiple sources
compromised server, including system logs,
Collection (devices, logs, emails, etc.) is systematically
application logs, and network logs etc
collected.
 Explain the different stages of digital forensic life cycle
Stage Description Detailed Example

Detailed Analysis of the Data: Specialized Using forensic software like Autopsy or FTK,
forensic tools are used to sift through the investigators analyze the disk image of the server
4.
collected data. This includes recovering deleted to recover deleted files, review login histories,
Examination
files, analyzing file metadata, and checking and inspect file timestamps to establish a
system artifacts. timeline.
Analysts correlate recovered files, network logs,
Interpreting the Evidence: The data is
and user activity. They determine that the
interpreted and correlated to understand the
5. Analysis intruder exploited a software vulnerability to
nature, scope, and methodology of the incident.
gain access, then used stolen credentials to
Patterns, anomalies, and timelines are built here.
move laterally within the network.
Recording Findings: Every step taken during the Investigators keep a detailed log describing when
6. investigation is meticulously documented to and how the evidence was collected, the tools
Documentati maintain a clear chain of custody. This used, the steps taken during the examination,
on documentation is vital for legal and reporting and notes on all findings to ensure transparency
purposes. in the investigation process.
 Explain the different stages of digital forensic life cycle
Stage Description Detailed Example

A final report is drafted that outlines the

Reporting the Outcome: The results of the
timeline of the attack, the methods used by
7. investigation are compiled into a
the attacker, all evidence collected, and
Presentatio comprehensive report. The findings are
recommendations for improving security.
n presented in a format suitable for technical
This report may be presented in court or to
teams, management, and legal entities.
management to support further action.
After the case is closed, a debrief is held.
Post-Investigation Reflection: The process The team reviews how quickly and
is reviewed to identify strengths and accurately the threat was identified,
8. Review weaknesses in the investigation. Lessons preserved, and analyzed, suggesting
learned are used to refine future security improvements such as enhanced
and forensic procedures. monitoring tools and updated incident
response protocols.
 AKTU QUESTIONS
1. Explain the importance of chain of custody in digital forensic investigation AKTU 2024-25
2. Describe the different method used for network forensic AKTU 2024-25
3. Explain the different stages of digital forensic life cycle AKTU 2024-25/23-24
4. What is chain of custody in forensic AKTU 2024-25
5. What are privacy threats? What are the challenge faced AKTU 2023-24
6. What is Email? Explain how email forensic can be done AKTU 2023-24
7. What is digital evidence AKTU 2023-24
8. What are the technical challenges by computer forensics professionals AKTU 2023-24
9. How does investigator capture and analysis the network traffic during AKTU 2023-24
network forensic investigations?
10. What is digital forensic how it differ from tradition forensic science AKTU 2023-24