
Cyber Crime Investigation (GE)

Assignment Questions with Answers


Assignment Questions

 

Q1. What is the process of collection and seizure of suspected computer and magnetic media?

Q2. Write a note on protocols to be taken at the crime scene.

Q3. Detailed note on extraction of information from the hard disk.

Q4. Detailed note on Data recovery from the storage media.

Q5. Explain Cyber Forensics and its steps.

Q6. What is the role of cyber expert/ computer forensic expert in the investigation?

Q7. Write a detailed note on Creating bitstream of the original media.

Q8. What are the Legal and privacy issues in cybercrime investigation?

Q9. What is Cryptography? Types of Cryptography?

Q10. Detailed note on Steganography.


Answers:


Q1. What is the process of collection and seizure of suspected computer and magnetic media?

The collection and seizure of digital evidence must be done carefully because even a small mistake can alter or destroy evidence. The steps include:

1. Scene Security & Initial Assessment

  • Secure the crime scene and restrict unauthorized access.

  • Note running devices, network connections, open applications, USB drives, etc.

  • Photograph everything (device setup, cables, screens).

2. Documentation

Record:

  • Device type, model, serial number

  • Location found

  • Condition (powered ON/OFF)

  • Persons handling the evidence

This documentation establishes the chain of custody.

3. Handling Powered-ON Devices

If the computer is ON:

  • Do NOT shut it down immediately.

  • Collect volatile data first (RAM image, network connections, running processes) because it will be lost after power-off. (Reference: CSI GE Unit 4 and 5 notes, which state that volatile data must be preserved before shutdown.)

4. Seizure of Devices

  • If OFF, do NOT power ON.

  • Disconnect power safely.

  • Label all devices, storage media, and cables.

  • Pack in anti-static evidence bags.

5. Transport & Storage

  • Transport devices securely avoiding heat, magnetic exposure, moisture.

  • Store in secure evidence lockers.

6. Chain of Custody

  • Maintain a signed log documenting every transfer of evidence.

  • Crucial for court admissibility.

Q2. Write a note on protocols to be taken at the crime scene.

Crime scene protocols ensure that no digital evidence is altered or destroyed.

1. Securing the Scene

  • Restrict access only to authorized investigators.

  • Prevent suspects from touching or shutting down devices.

2. Observation & Documentation

  • Photograph everything: screens, wiring, external devices, router connections.

  • Make detailed notes about the environment (running machines, open files, timestamps).

3. Handling Digital Devices

  • Do not unplug devices without documenting their state.

  • If the device is ON:

    • Capture volatile data.

    • Use live response tools.

  • If the device is OFF:

    • Do not power it ON.

4. Protection of Evidence

  • Use Faraday bags for mobile devices to block incoming signals.

  • Use write-blockers for storage media.

5. Chain of Custody

  • Proper labeling, signatures, timestamps for every piece of evidence.

6. Avoid Contamination

  • Investigators must avoid:

    • Browsing through files manually.

    • Installing software.

    • Altering data inadvertently.

Q3. Detailed note on extraction of information from the hard disk.

The following combines the step-by-step method from the course notes with external sources (NIST and DOJ guidelines).

1. Planning & Preparation

  • Define objectives and get legal authorization.

  • Prepare tools: write-blocker, imaging software, storage drive.

2. Documenting and Securing the Scene

  • Photograph the system and its connections.

  • Note disk details (model, capacity, serial number).

3. Preserving Volatile Data

If system is ON:

  • Capture RAM image (contains keys, malware, processes).

  • Capture logged-in sessions, network connections.

4. Removing or Accessing the Hard Disk

  • If required, remove HDD/SSD carefully.

  • Label and store in anti-static bag.

5. Create a Bit-by-Bit Forensic Image

This is the core step:

  • Use write-blocker to prevent modification.

  • Tools: FTK Imager, EnCase, dd, Guymager.

  • Create a raw (.dd), .img, or .E01 forensic image.

6. Hashing for Integrity

  • Generate SHA-256/MD5 hash values.

  • Hash must match throughout the analysis.

7. Analyze the Image (Read-Only Mode)

Use forensic suites:

  • Autopsy/Sleuth Kit

  • X-Ways

  • FTK

  • Magnet AXIOM

8. Extracting Evidence

Investigators extract:

  • File system metadata

  • Partition information

  • Deleted files

  • Logs, registry entries

  • Browser artifacts

  • System event logs

  • Email databases

  • Hidden/encrypted volumes

9. Timeline Creation

Reconstruct events using timestamps, logs, and user actions.

10. Reporting

Create a clear report with screenshots, timestamps, tools used, and hashes.

Q4. Detailed note on Data recovery from the storage media.


1. Meaning

Data recovery extracts deleted, corrupted, formatted, or inaccessible data from storage devices like HDD, SSD, pen drives, memory cards, etc.

2. Why Data Gets Lost

  • Accidental deletion

  • Formatting

  • Malware attacks

  • File system corruption

  • Physical damage

  • Intentional deletion to hide evidence

3. Types of Data Recovery

A. Logical Recovery

  • Drive is physically fine; file system damaged or files deleted.

  • Tools: Recuva, R-Studio, PhotoRec, Autopsy.

B. Physical Recovery

  • Drive has mechanical or electronic damage.

  • Requires clean-room environment and hardware tools like PC-3000.

4. Steps in Data Recovery

Step 1: Securing Evidence

  • Use write-blockers.

  • Create a forensic image first.

Step 2: Identifying the Problem

  • Logical vs physical damage assessment.

Step 3: Forensic Imaging

  • Use FTK Imager, dd, Guymager.

Step 4: File System Analysis

  • Study structures like FAT, NTFS, ext4.

Step 5: Deleted File Recovery & File Carving

  • Recover files from unallocated space using signatures (e.g., JPEG FFD8–FFD9).

Step 6: Partition Recovery

  • Tools like TestDisk rebuild lost partitions.

Step 7: Verification

  • Hash recovered files to confirm integrity.

Step 8: Documentation

  • Record tools, processes, results.
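As an added illustration of Step 5 (this is example code, not part of the assignment answer or of any named tool), the following Python carver scans a constructed chunk of unallocated space for JPEG signatures. It walks the JPEG marker structure instead of stopping at the first FFD9 it meets, because an EXIF thumbnail embedded in the APP1 segment carries its own FFD8/FFD9 pair and a header-to-first-footer carver would truncate the file there. The fake JPEG bytes and the SAMPLE_UNALLOCATED buffer are constructed for the demo and are not real case data.

```python
import hashlib

JPEG_SOI = b"\xff\xd8\xff"   # Start Of Image (FFD8) is always followed by another marker


def jpeg_length(blob, start):
    """Walk the marker segments of a JPEG that begins at blob[start].

    Length-prefixed segments (APPn, DQT, SOF, DHT, SOS, ...) are skipped by
    their declared size, so an EXIF thumbnail with its own FFD8/FFD9 inside
    APP1 cannot end the image early. After SOS the entropy-coded data is
    scanned for the real EOI (FFD9); FF00 byte stuffing and RSTn markers are
    passed over. Returns the image length, or None if the structure breaks.
    """
    n = len(blob)
    pos = start + 2                                # past SOI
    while pos + 2 <= n:
        if blob[pos] != 0xFF:
            return None                            # a marker was expected here
        marker = blob[pos + 1]
        if marker == 0xFF:                         # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD8:                         # nested SOI: not a valid image
            return None
        if marker == 0xD9:                         # EOI
            return pos + 2 - start
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:   # RSTn / TEM carry no length
            pos += 2
            continue
        if pos + 4 > n:
            return None
        seg_len = int.from_bytes(blob[pos + 2:pos + 4], "big")
        if seg_len < 2:
            return None
        pos += 2 + seg_len                         # marker + length-prefixed payload
        if marker != 0xDA:                         # not SOS: next segment follows
            continue
        while pos + 1 < n:                         # entropy-coded scan data
            if blob[pos] != 0xFF:
                pos += 1
                continue
            nxt = blob[pos + 1]
            if nxt == 0xD9:
                return pos + 2 - start
            if nxt == 0x00 or 0xD0 <= nxt <= 0xD7 or nxt == 0xFF:
                pos += 2 if nxt != 0xFF else 1     # stuffed byte / restart / fill
                continue
            break                                  # another marker (e.g. next scan)
        else:
            return None                            # ran out of data without EOI
    return None


def naive_footer_size(blob, start):
    """Size a header-to-first-footer carver would report (for comparison only)."""
    end = blob.find(b"\xff\xd9", start + 2)
    return None if end == -1 else end + 2 - start


def carve_jpegs(blob):
    """Find JPEG images in raw bytes such as an unallocated-space extract.

    Each hit is reported with offset, size and SHA-256 so the recovered file
    can be verified and documented later (Steps 7 and 8).
    """
    found = []
    pos = 0
    while True:
        start = blob.find(JPEG_SOI, pos)
        if start == -1:
            break
        length = jpeg_length(blob, start)
        if length is None:                         # damaged or false header: move on
            pos = start + 1
            continue
        data = blob[start:start + length]
        found.append({"offset": start, "size": length,
                      "sha256": hashlib.sha256(data).hexdigest()})
        pos = start + length
    return found


def make_fake_jpeg(thumbnail=False):
    """Constructed JPEG-shaped bytes (valid marker layout, not a real picture)."""
    def segment(marker, payload):
        return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

    thumb = b"\xff\xd8\xff\xd9" if thumbnail else b""     # embedded thumbnail with its own EOI
    app1 = segment(0xE1, b"Exif\x00\x00" + thumb)
    sof0 = segment(0xC0, b"\x08\x00\x10\x00\x10\x01\x01\x11\x00")
    sos = segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"        # contains FF00 stuffing and RST0
    return b"\xff\xd8" + app1 + sof0 + sos + scan + b"\xff\xd9"


# Constructed "unallocated space": wiped sectors, two images, an unrelated
# file remnant, and one overwritten image header with no body behind it.
SAMPLE_UNALLOCATED = (
    b"\x00" * 512
    + make_fake_jpeg(thumbnail=True)
    + b"\x41" * 300
    + make_fake_jpeg()
    + b"\x00" * 100
    + b"\xff\xd8\xff\xe0\x00\x10"
    + b"\x00" * 64
)

if __name__ == "__main__":
    for hit in carve_jpegs(SAMPLE_UNALLOCATED):
        print(hit)
```

On the sample buffer the carver reports two images (at offsets 512 and 862) and ignores the orphaned header, while a first-footer search on the first image would stop at the thumbnail's EOI and return 16 bytes. Carved files should still be opened with a real decoder before being reported, since a plausible marker layout does not prove the picture is complete.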

Q5. Explain Cyber Forensics and its steps.


Definition

Cyber Forensics is the scientific process of identifying, collecting, preserving, analyzing, and presenting digital evidence in a legally acceptable manner.

Steps (Digital Forensic Process)

Based on the course notes and international standards:

  1. Identification: Locate potential sources of evidence.

  2. Seizure: Secure devices, ensuring no modification.

  3. Acquisition: Create a bitstream forensic image.

  4. Authentication: Use hashing to verify integrity.

  5. Analysis / Examination: Recover files; analyze logs, malware, and browsing history.

  6. Documentation & Presentation: Prepare the forensic report for court.

  7. Preservation: Store original media and forensic images securely.


Q6. Role of Cyber Expert / Computer Forensic Expert in Investigation

1. Evidence Identification

Locate computers, mobiles, servers, cloud accounts containing evidence.

2. Secure Collection & Imaging

  • Seize devices legally.

  • Create forensic images using write-blockers.

3. Recovery of Digital Evidence

  • Recover deleted, hidden, formatted, encrypted data.

4. Detailed Forensic Analysis

Includes:

  • Log analysis

  • File signature verification

  • Browser/email analysis

  • Malware analysis

5. Maintain Chain of Custody

Ensure every evidence transfer is documented.

6. Prepare Forensic Reports

Clear, precise, legally admissible documentation.

7. Court Testimony

Act as an expert witness to explain technical findings to judges/lawyers.


Q7. Detailed note on Creating bitstream of the original media.

A bitstream image (bit-by-bit copy) is an exact replica of a storage device.

1. Purpose

  • Preserve original media.

  • Include deleted, hidden, and slack space data.

  • Prevent inadvertent modification of original evidence.

2. Requirements

  • Write-blocker

  • Forensic imaging tools (FTK Imager, EnCase, dd, Guymager)

3. Steps to Create Bitstream Image

1. Connect Device via Write-Blocker

Prevents any write operations.

2. Select Imaging Tool

For example, using dd:

dd if=/dev/sdb of=/mnt/evidence/disk_image.dd bs=4M conv=noerror,sync

3. Choose Output Format

  • RAW (.dd / .img)

  • E01 (compressed, widely used in forensics)

4. Generate Hash Values

Compute SHA-256/MD5 for:

  • Original media

  • Forensic image

5. Verify Hash Match

Ensures image integrity.

6. Store Image Securely

Preserve both original device and copy.
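The following Python script is an added example (my code, not from the assignment or from any forensic tool) of steps 2, 4 and 5 above, and of the imaging and hashing steps in Q3. It copies a source block by block, zero-fills unreadable blocks the way dd's conv=noerror,sync does, and hashes both sides so the two can be compared. The FlakyDevice class, the SAMPLE_DEVICE contents and the 4096-byte block size are constructed for the demo; in practice the source would be the write-blocked device node (for example /dev/sdb in the dd line above).

```python
import hashlib
import io

BLOCK_SIZE = 4096  # read/write unit; plays the role of dd's bs= (4M is typical for real disks)


def hash_stream(stream, algorithm="sha256", block_size=BLOCK_SIZE):
    """Hash a file-like object from its start, one block at a time."""
    stream.seek(0)
    digest = hashlib.new(algorithm)
    while True:
        chunk = stream.read(block_size)
        if not chunk:
            break
        digest.update(chunk)
    return digest.hexdigest()


def bitstream_copy(src, dst, block_size=BLOCK_SIZE):
    """Copy src to dst block by block, producing a raw (.dd style) image.

    A block that fails to read is written as zeros and its offset recorded,
    so the image keeps the source's size and layout; that is what dd's
    conv=noerror,sync does. Returns (bytes_written, bad_block_offsets).
    """
    src.seek(0)
    dst.seek(0)
    written = 0
    bad_offsets = []
    while True:
        try:
            chunk = src.read(block_size)
        except OSError:
            bad_offsets.append(written)
            src.seek(written + block_size)   # step past the unreadable block
            chunk = b"\x00" * block_size     # zero-fill keeps later offsets aligned
        if not chunk:
            break
        dst.write(chunk)
        written += len(chunk)
    dst.flush()
    return written, bad_offsets


def acquire_and_verify(src, dst, algorithm="sha256"):
    """Image src into dst and return the values an examiner records.

    With no read errors the source and image hashes must be identical. With
    read errors the original cannot be hashed in full, so the report carries
    the image hash plus the zero-filled offsets instead of a match.
    """
    written, bad_offsets = bitstream_copy(src, dst)
    report = {
        "bytes": written,
        "bad_blocks": bad_offsets,
        "image_hash": hash_stream(dst, algorithm),
        "source_hash": None,
        "match": False,
    }
    if not bad_offsets:
        report["source_hash"] = hash_stream(src, algorithm)
        report["match"] = report["source_hash"] == report["image_hash"]
    return report


class FlakyDevice(io.BytesIO):
    """Constructed stand-in for a drive whose third block (index 2) is unreadable."""

    def __init__(self, data, bad_block=2, block_size=BLOCK_SIZE):
        super().__init__(data)
        self.bad_offset = bad_block * block_size

    def read(self, size=-1):
        if self.tell() == self.bad_offset:
            raise OSError("Input/output error (constructed bad sector)")
        return super().read(size)


# Constructed 8-block "device" contents: 32 KiB of a repeating byte pattern.
SAMPLE_DEVICE = bytes(range(256)) * (8 * BLOCK_SIZE // 256)


def demo_acquisition(flaky=False):
    """Image the sample device into an in-memory file; flaky=True injects a bad block."""
    src = FlakyDevice(SAMPLE_DEVICE) if flaky else io.BytesIO(SAMPLE_DEVICE)
    return acquire_and_verify(src, io.BytesIO())


if __name__ == "__main__":
    clean = demo_acquisition()
    print("clean device  : match =", clean["match"], " sha256 =", clean["image_hash"])
    damaged = demo_acquisition(flaky=True)
    print("damaged device: bad block offsets =", damaged["bad_blocks"],
          " image bytes =", damaged["bytes"], " sha256 =", damaged["image_hash"])
```

The report separates the two outcomes an examiner has to document: a clean acquisition, where source and image hashes match, and one with bad sectors, where the original cannot be read in full and the zero-filled offsets are recorded next to the image hash. SHA-256 is used for the comparison; MD5 collisions are practical, so MD5 is worth recording only where a legacy process still expects it.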

Q8. What are the Legal and Privacy issues in cybercrime investigation?

1. Legal Issues

  • Search Warrants: Investigators must have proper authorization.

  • Chain of Custody: Poor documentation may render evidence inadmissible.

  • Jurisdiction Issues: Cybercrimes often span multiple countries.

  • E-Evidence Standards: Courts require validated forensic tools and procedures.

  • Admissibility: If evidence is altered, it may be rejected.

2. Privacy Issues

  • User Privacy Rights: Investigators must avoid accessing irrelevant personal data.

  • Data Protection Laws: GDPR, IT Act 2000, privacy regulations protect user data.

  • Over-collection: Taking unnecessary data violates privacy laws.

  • Cloud Privacy: Cloud storage may contain third-party data not related to investigation.

3. Ethical Issues

  • Avoiding bias

  • Maintaining confidentiality

  • Preventing misuse of recovered personal information

Q9. What is Cryptography? Types of Cryptography?

Definition

Cryptography is the technique of protecting information by transforming it into unreadable form so that only authorized parties can read it.

Types of Cryptography

1. Symmetric Key Cryptography

  • Same key used for encryption & decryption.

  • Fast and efficient.

  • Examples: AES, DES, Blowfish.

2. Asymmetric Key Cryptography

  • Uses a public key for encryption and a private key for decryption.

  • Used in digital signatures, SSL.

  • Examples: RSA, ECC.

3. Hash Functions

  • One-way transformation.

  • No decryption possible.

  • Used for password storage, data integrity.

  • Examples: SHA-256, MD5.

4. Hybrid Cryptography

  • Combination of symmetric + asymmetric.

  • Used in modern systems (e.g., HTTPS).
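An added Python example (my code, not from the assignment) of the password-storage use of hash functions listed under item 3: a salted, iterated PBKDF2-HMAC-SHA256 hash placed beside plain unsalted SHA-256 so the difference is visible. The storage format pbkdf2_sha256$iterations$salt$digest and the default iteration count are assumptions chosen for this demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # work factor; hundreds of thousands is current practice for PBKDF2-SHA256


def unsalted_sha256(password):
    """Plain hashing: identical passwords give identical digests, so one
    precomputed table reveals every user sharing a password. One-way, but weak storage."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Salted, iterated one-way hash for storage.

    Returns 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' (format is an
    assumption for this demo). The salt is fresh per password, so two users with
    the same password get different records, and the iteration count makes each
    guess expensive for an attacker who obtains the database.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iterations and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hash format: %s" % algorithm)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # compare_digest does not leak, through timing, how many leading bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample credentials for the demo.
    alice = hash_password("correct horse battery", iterations=2000)
    bob = hash_password("correct horse battery", iterations=2000)
    print("same password, same unsalted digest:",
          unsalted_sha256("correct horse battery") == unsalted_sha256("correct horse battery"))
    print("same password, same salted record  :", alice == bob)
    print("login with right password          :", verify_password("correct horse battery", alice))
    print("login with wrong password          :", verify_password("Correct horse battery", alice))
```

Because the hash is one-way, the stored record cannot be turned back into the password, which is the property item 3 describes; the salt and iteration count add what a bare hash lacks, namely resistance to precomputed tables and to fast bulk guessing once a database leaks.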

Q10. Detailed note on Steganography.

Definition

Steganography is the technique of hiding secret information inside another ordinary file such as an image, audio, video, or text so that the existence of hidden data is concealed.

1. Purpose

  • Secret communication

  • Covert data exchange

  • Used by cybercriminals to hide malware or stolen data

2. How Steganography Works

1. Least Significant Bit (LSB) Technique

  • Hide message bits inside image pixel LSBs.

  • Most common method.

2. Audio Steganography

  • Modify frequency components or echo patterns.

3. Video Steganography

  • Use frames or motion vectors.

4. Text Steganography

  • Manipulate spacing, font changes, punctuation.

3. Steganalysis (Detecting Hidden Data)

  • Statistical analysis

  • Pixel comparison

  • Hash mismatch detection

  • Machine learning based detection
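The following Python example is added here (it is not part of the assignment) to make the LSB technique under item 2 and the statistical analysis under item 3 concrete: it embeds a payload in the least significant bits of a constructed greyscale pixel list, extracts it again, and then applies the chi-square pairs-of-values test, the classic statistical steganalysis for LSB replacement. The cover pixels and payload bytes are generated from fixed seeds and stand in for a photograph and an encrypted message; the 2.0 ratio threshold is a choice for this demo.

```python
import random


def bytes_to_bits(data):
    """Most-significant-bit-first list of 0/1 for a byte string."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def embed_lsb(pixels, message):
    """Replace the LSB of successive pixel values with the message bits.

    A 2-byte big-endian length prefix tells the extractor where the message
    ends. Raises if the cover has fewer pixels than bits to hide.
    """
    bits = bytes_to_bits(len(message).to_bytes(2, "big") + message)
    if len(bits) > len(pixels):
        raise ValueError("cover has %d pixels, payload needs %d" % (len(pixels), len(bits)))
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit      # each pixel changes by at most 1
    return stego


def extract_lsb(pixels):
    """Read the length prefix, then that many bytes, from the LSB plane."""
    def read(start_bit, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (pixels[start_bit + 8 * b + i] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read(0, 2), "big")
    return read(16, length)


def pov_chi_square(pixels):
    """Chi-square statistic over pairs of values (2k, 2k+1).

    LSB replacement only moves a pixel within its pair, and near-random
    message bits drive the two counts of every pair towards equality, so the
    statistic collapses to about its degrees of freedom. An unmodified cover,
    whose pair counts are uneven, scores far higher. Returns (chi2, dof).
    """
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    chi2 = 0.0
    dof = 0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        total = even + odd
        if total == 0:
            continue
        expected = total / 2
        chi2 += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
        dof += 1
    return chi2, dof


def looks_lsb_embedded(pixels, ratio_threshold=2.0):
    """Verdict: chi2 close to dof (ratio under the threshold) flags LSB embedding."""
    chi2, dof = pov_chi_square(pixels)
    return chi2 / dof < ratio_threshold


def make_cover(n=4096, seed=1):
    """Constructed greyscale 'image': gaussian brightness with a bias towards even
    values, standing in for the uneven pair-of-value counts of a real photo."""
    rng = random.Random(seed)
    pixels = []
    for _ in range(n):
        v = min(255, max(0, int(rng.gauss(128, 40))))
        if rng.random() < 0.7:
            v &= 0xFE
        pixels.append(v)
    return pixels


def make_payload(n, seed=2):
    """Constructed payload of pseudo-random bytes (what encrypted data looks like)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


if __name__ == "__main__":
    cover = make_cover()
    stego = embed_lsb(cover, make_payload(510))      # 512 bytes incl. prefix = all 4096 LSBs
    print("payload recovered:", extract_lsb(stego) == make_payload(510))
    print("cover chi2/dof: %.1f/%d" % pov_chi_square(cover), " embedded?", looks_lsb_embedded(cover))
    print("stego chi2/dof: %.1f/%d" % pov_chi_square(stego), " embedded?", looks_lsb_embedded(stego))
```

The detector works because natural images have unequal counts for the two members of each value pair (2k, 2k+1), and full-capacity LSB replacement with high-entropy data equalises them. It weakens when only a small fraction of the cover is used or when the payload is plain text with skewed bit patterns, which is why practical steganalysis combines several detectors, as the machine-learning item above indicates.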

4. Difference between Steganography & Cryptography

Cryptography                             | Steganography
-----------------------------------------+------------------------------
Scrambles data                           | Hides data
Visible that communication is happening  | Communication looks normal
Focus on confidentiality                 | Focus on concealment

5. Applications

  • Digital watermarking

  • Secure communication

  • Malware hiding (used by attackers)



Q1. Process of collection and seizure of suspected computer & magnetic media (Short Points)

  • Secure the scene → Stop anyone from touching devices.

  • Document everything → Photos of devices, cables, screens, timestamps.

  • Check device state → If ON, do not turn OFF; if OFF, do not turn ON.

  • Collect volatile data → RAM, running apps, network info (if system is ON).

  • Disconnect safely → Remove power, label devices properly.

  • Use evidence bags → Anti-static packing for safety.

  • Maintain chain of custody → Record who handled evidence and when.

Q2. Protocols at the crime scene (Short Points)

  • Restrict access → Only investigators allowed.

  • Observe and photograph → Document exact setup before touching.

  • Handle with care → Avoid changing any data.

  • Don’t shut down devices suddenly → Volatile data may be lost.

  • Use proper tools → Faraday bags, write-blockers, gloves.

  • Label and log evidence → Proper tagging for court use.

  • Prevent contamination → No browsing or clicking inside computers.

Q3. Extraction of information from hard disk (Short Points)

  • Plan the examination → What data is needed and why.

  • Document physical details → Model, serial number, condition.

  • Capture RAM (if ON) → Memory contains crucial evidence.

  • Use write-blocker → Prevent modifying original disk.

  • Create bit-by-bit forensic image → Exact copy for analysis.

  • Hashing → Proves image is identical to original.

  • Analyze the image → Recover deleted files, logs, browsing history.

  • Create timeline → When files were created, modified, or accessed.

  • Prepare report → Clear explanation of findings.

Q4. Data recovery from storage media (Short Points)

  • Secure evidence → Handle device carefully and avoid data changes.

  • Check damage type → Logical or physical.

  • Make forensic image → Work on the copy, never on original.

  • Analyze file system → FAT/NTFS/ext4 structures.

  • Recover deleted files → From unallocated space.

  • File carving → Recover files based on signatures.

  • Partition recovery → Reconstruct missing partitions.

  • Verify results → Use hashing to confirm accuracy.

  • Document all steps → Needed for court acceptance.

Q5. Cyber forensics and its steps (Short Points)

Cyber Forensics → Collecting and analyzing digital evidence legally.

Steps:

  1. Identification → Detect where evidence exists.

  2. Seizure → Secure devices physically.

  3. Acquisition → Create forensic image.

  4. Authentication → Use hashing to verify integrity.

  5. Analysis → Recover and examine digital evidence.

  6. Presentation → Make report for court.

  7. Preservation → Store originals securely.

Q6. Role of cyber forensic expert (Short Points)

  • Identify and collect evidence → Locate all digital sources.

  • Create forensic images → Safe copies for analysis.

  • Recover data → Deleted, encrypted, or hidden data.

  • Analyze systems → Logs, emails, browsing, malware.

  • Maintain chain of custody → Track evidence movement.

  • Write forensic reports → Clear & factual.

  • Testify in court → Explain technical findings.

Q7. Creating bitstream of original media (Short Points)

  • Use write-blocker → Prevent any write operations.

  • Choose imaging tool → FTK, EnCase, dd, Guymager.

  • Create raw image → Exact sector-by-sector copy.

  • Generate hash values → MD5/SHA-256 for integrity.

  • Verify hash match → Ensures no data was altered.

  • Store image safely → Keep both copy and original secure.

Q8. Legal and privacy issues in cybercrime investigation (Short Points)

Legal Issues

  • Need proper authorization → Search warrant required.

  • Chain of custody → Missing logs can get evidence thrown out.

  • Jurisdiction problems → Cross-country investigations.

  • Admissibility standards → Use certified tools.

  • Avoid altering data → Evidence must remain original.

Privacy Issues

  • User privacy → Avoid unnecessary personal data.

  • Data protection laws → IT Act, GDPR, PDPA.

  • Cloud privacy → Third-party data must be protected.

  • Ensure confidentiality → Sensitive info must not leak.

Q9. Cryptography & Types (Short Points)

Cryptography

  • Science of protecting information by converting it into unreadable form.

Types

  1. Symmetric Key

    • Same key for encryption & decryption (e.g., AES).

  2. Asymmetric Key

    • Public key encrypts, private key decrypts (e.g., RSA).

  3. Hash Functions

    • One-way, irreversible (e.g., SHA-256).

  4. Hybrid Cryptography

    • Mix of symmetric and asymmetric (used in HTTPS).

Q10. Steganography (Short Points)

  • Hiding data inside another file (image, audio, video).

  • Goal → Conceal existence of message.

  • Methods → LSB in images, audio frequency changes, hidden text formatting.

  • Steganalysis → Detecting hidden info through statistical tests.

  • Difference from cryptography → Crypto hides meaning; steganography hides existence.

  • Used for → Watermarking, covert communication, hiding malware.
