Ia2 Ehf

The document discusses various topics related to mobile device forensics including challenges, tools, acquisition techniques, analysis of cellular networks and information gathering from smartphones. Some key challenges mentioned are the variety of device platforms and manufacturers, different connectors and frequent operating system updates. The document also describes techniques like logical, file system and physical acquisition and discusses analyzing call records, network traffic patterns and potential evidence from a network.

Uploaded by akshat shah

IA2

2 Marks Questions (Module 4,5)

1. Describe the various challenges in mobile forensics.

Challenges in mobile forensics:
1. Platforms
The term “mobile device” covers a variety of devices, including smartphones, tablets,
smartwatches, cameras, MP3 players, navigation devices, drones and many more.
Dealing with different devices is a challenge for the mobile forensics examiner, who needs to
know the particulars of each device to extract as much data from it as possible.
2. Manufacturers
• The first step in the investigation of a mobile device is identifying the phone.
That is not as easy as it sounds, as there are hundreds of device manufacturers, each one
introducing on average 15 new versions of mobile devices per year.
• Mobile phones can sometimes be identified by removing the device's battery, but that carries
the risk of triggering a user lock or losing data held in volatile memory.
3. Connectors
• To connect a phone successfully, an expert must choose the appropriate plug.
• The next step is to find the appropriate driver to establish a connection to the computer.
• If the USB connection doesn't work, a wireless connection such as Bluetooth can also be used
to retrieve data from a mobile device.
4. Operating systems
• Smartphone operating systems receive frequent major updates, nearly every month. New security
policies, new features, or changes in how the OS stores data pose immense challenges for
mobile forensics experts.

2. Discuss any two tools used in mobile forensics.

• Chip-off: The chip-off technique allows examiners to extract data directly from the flash
memory of the cellular device. They remove the phone's memory chip and create a binary
image of it.
• Cellebrite UFED (Universal Forensic Extraction Device): A stand-alone, self-contained
hardware device used to extract the phonebook, images, videos, SMS, MMS, call history, and
much more. It supports over twenty-five hundred phones and is designed to extract information
on scene. It also has a SIM card reader and cloner.

3. Describe the acquisition techniques in mobile forensics.

Logical acquisition
• Logical acquisition implies a bit-by-bit copy of logical storage objects (e.g., directories and
files) that reside on a logical store (e.g., a file system partition).
• Logical extraction acquires information from the device using the original equipment
manufacturer's application programming interface for synchronizing the phone's contents with a
personal computer.
File system acquisition
• File system extraction is useful for understanding the file structure, web browsing history, or
app usage, and it gives the examiner the ability to perform an analysis with traditional
computer forensic tools.
Physical acquisition
• Physical acquisition implies a bit-for-bit copy of an entire physical store (the flash memory);
therefore, it is the method most similar to the examination of a personal computer.
Brute force acquisition
This technique uses trial and error in an attempt to find the correct password or PIN
to authenticate access to the mobile device.

4. Discuss forensics in cellular networks.

Forensic analysis of cellular networks involves the investigation and analysis of call records and
network data for the purpose of identifying and tracking criminal activity, such as terrorism, fraud, and
other illegal activities. Cellular network forensic analysis typically involves the following steps:

• Data Acquisition: The first step in cellular network forensic analysis is to acquire the call
records and network data from the cellular service provider.
• Data Analysis: Once the data has been acquired, the next step is to analyze it for patterns and
anomalies that may indicate criminal activity. analysis, and social network analysis.
• Interpretation and Reporting: The final step in cellular network forensic analysis is to interpret
the findings and prepare a report that can be used as evidence in legal proceedings. The report
should clearly state the methods used, the findings, and any conclusions drawn from the
analysis.

5. Describe information gathering from smartphones in forensics.

Information gathering from smartphones in forensics involves the collection and analysis of
digital data from smartphones for the purpose of investigation and evidence gathering. The
following are some of the types of data that can be collected and analyzed from smartphones in
forensic investigations:
1. Call Logs: Call logs provide information on incoming, outgoing, and missed calls, as well as
call duration and the date and time of the calls. This information can be used to determine who
the user communicated with and when.
2. Text Messages: Text messages provide information on who the user communicated with, the
content of the messages, and the date and time of the messages. Text messages can be
particularly important in investigations involving harassment, threats, or other types of criminal
activity.
3. Emails: Emails can provide information on who the user communicated with, the content of the
emails, and the date and time of the emails. Emails can be particularly important in
investigations involving fraud, corporate espionage, or other types of white-collar crime.

6. Explain the process for analyzing network traffic and collecting network-based evidence.

Analyzing network traffic and collecting network-based evidence is an important part of digital
forensics investigations. The process typically involves the following steps:
1. Identification of the Network: The first step in analyzing network traffic and collecting
network-based evidence is to identify the network in question. This may involve identifying
the network topology, the devices connected to the network, and the network protocols in
use.
2. Data Collection: Once the network has been identified, the next step is to collect data from
the network. This can be done using a variety of tools, including network sniffers, network
analyzers, and packet capture tools. The data collected may include network logs, network
traffic data, and network packet data.
3. Data Analysis: The next step in the process is to analyze the data that has been collected.
This may involve using specialized forensic tools to extract and interpret the data, such as
network flow analysis tools, intrusion detection systems, or malware analysis tools. The
analysis may also involve identifying patterns or anomalies in the data that may indicate
criminal activity.
4. Evidence Preservation: Once the data has been analyzed, the next step is to preserve the
evidence. This may involve creating backup copies of the data and storing it in a secure
location to prevent tampering or alteration.
5. Reporting: The final step in the process is to prepare a report that summarizes the findings
of the investigation. The report should include details of the network topology, the data that
was collected and analyzed, and any conclusions or recommendations that can be drawn
from the analysis.

7. Explain the types of IDS in detail.

1. Active IDS
It is also called an Intrusion Detection and Prevention System (IDPS).
Systems that are configured to automatically block suspected attacks in progress without any
intervention by an operator are called active IDS.
An IDPS has the advantage of providing real-time corrective action in reaction to an attack, but it
also has many disadvantages.
2. Passive IDS
A system that is configured only to observe and analyze network traffic activity and alert an
operator to potential vulnerabilities and attacks is called a passive IDS.
It cannot perform any protective or corrective functions on its own. It only detects and alerts the
user.

8. What is intrusion detection? Explain.


Intrusion detection is a process of monitoring computer networks, systems, and applications to
identify unauthorized access, misuse, or abuse of resources. The goal of intrusion detection is to
detect and respond to potential security breaches in a timely manner, before significant damage can
occur.
Intrusion detection can be performed using different techniques and tools, including:
1) Signature-based detection: This technique involves comparing network traffic or system
logs against known patterns of malicious activity, or signatures, to identify potential
intrusions. Signature-based detection is effective for detecting known threats but may miss
new or unknown threats.
2) Behavior-based detection: This technique involves analyzing the behavior of users or
systems to detect anomalies or deviations from normal activity. Behavior-based detection
is effective for detecting unknown threats but can also produce false positives if legitimate
activity is misinterpreted as an attack.
3) Anomaly detection: This technique involves establishing a baseline of normal network or
system behavior and then identifying any activity that deviates significantly from that
baseline. Anomaly detection can be effective for detecting previously unknown threats but
can also produce false positives if the baseline is not accurately established.

Intrusion detection systems (IDS) are tools that automate the process of intrusion detection by
monitoring network traffic or system activity for signs of malicious activity or policy violations.
IDS can be deployed as network-based IDS, host-based IDS, or a combination of both.
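
The signature-based and anomaly-based detection techniques described above, run over a few constructed log lines, as an added example that is not part of these notes. The log format, the two signatures and the baseline figures are assumptions made for the demonstration; note that the anomaly check can flag a client that matches no signature, which is exactly the unknown-threat-or-false-positive case the text describes.

```python
import re
from collections import Counter

# Constructed sample web-server log lines (not a real capture):
# "timestamp client method path status"
SAMPLE_LOG = """\
2024-03-01T10:00:01 10.0.0.5 GET /index.html 200
2024-03-01T10:00:02 10.0.0.5 GET /about.html 200
2024-03-01T10:00:03 10.0.0.7 GET /login 200
2024-03-01T10:00:04 10.0.0.7 POST /login 302
2024-03-01T10:00:05 10.0.0.9 GET /products?id=1'%20OR%20'1'='1 500
2024-03-01T10:00:06 10.0.0.9 GET /../../etc/passwd 403
2024-03-01T10:00:07 10.0.0.5 GET /contact.html 200
"""

# Signature-based detection: a deliberately small set of known malicious request patterns.
SIGNATURES = {
    "sqli_tautology": re.compile(r"'(%20|\s)*OR(%20|\s)*'", re.IGNORECASE),
    "path_traversal": re.compile(r"(\.\./){2,}"),
}

# Anomaly detection needs a baseline of normal behaviour. This one is a constructed
# placeholder: mean and standard deviation of error responses (status >= 400) per
# client over a period assumed to be clean.
BASELINE_ERRORS_PER_CLIENT = {"mean": 0.2, "stdev": 0.4}


def parse_log(text):
    """Split each line into a dict; malformed lines are skipped rather than crashing the run."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, method, path, status = parts
        events.append({"ts": ts, "client": client, "method": method,
                       "path": path, "status": int(status)})
    return events


def signature_alerts(events):
    """Known-threat detection: returns (client, signature name, path) for each match."""
    alerts = []
    for e in events:
        for name, rx in SIGNATURES.items():
            if rx.search(e["path"]):
                alerts.append((e["client"], name, e["path"]))
    return alerts


def anomaly_alerts(events, baseline=BASELINE_ERRORS_PER_CLIENT, threshold=2.0):
    """Baseline-deviation detection: clients whose error count lies more than
    `threshold` standard deviations above the baseline mean. A client flagged here
    without any signature match is either an unknown threat or a false positive
    caused by a badly established baseline."""
    errors = Counter(e["client"] for e in events if e["status"] >= 400)
    alerts = []
    for client in sorted({e["client"] for e in events}):
        z = (errors[client] - baseline["mean"]) / baseline["stdev"]
        if z > threshold:
            alerts.append((client, errors[client], round(z, 2)))
    return alerts
```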

9. Explain the steps for investigating routers.

1) Obtaining volatile data prior to powering down
• Establishing a router connection
• Saving the router configuration
2) Finding the proof
We categorize the types of incidents that involve routers as:
• Direct compromise
• Routing table manipulation
• Theft of information
• Denial of service

10. What is address spoofing? Explain its types.

Address spoofing is a technique used by attackers to falsify the source or destination address of
network traffic, typically with the goal of hiding their identity or impersonating another system or
user. There are two main types of address spoofing:
1. IP Spoofing: IP spoofing involves falsifying the source IP address of network packets to
make it appear as though they are originating from a trusted system or network. This
technique can be used to launch various types of attacks, such as denial-of-service (DoS)
attacks, where large amounts of traffic with spoofed IP addresses are sent to a target system,
overwhelming its resources and rendering it unavailable to legitimate users.
2. MAC Spoofing: MAC spoofing involves changing the physical (MAC) address of a network
adapter to impersonate another system or device on the network. This technique can be used
to bypass MAC address filtering or to gain unauthorized access to a network by
impersonating an authorized user or system.

11. How are network-based evidence log files collected?

Collecting network-based evidence log files involves a few steps:
• Identify the relevant network devices: The first step is to identify the network
devices that may contain the log files you need to collect. This may include routers,
switches, firewalls, or other network appliances that handle traffic on the network.
• Determine the logging settings: Once you have identified the relevant network
devices, you need to determine whether logging is enabled on these devices and
what logging settings are in place. This may include the types of events that are
being logged, the level of detail being recorded, and how long the logs are retained.
• Collect the log files: Once you have identified the relevant devices and logging
settings, you can begin collecting the log files. This may involve connecting to the
devices directly and downloading the logs or using a tool that can remotely access
the logs.
• Analyze the log files: After you have collected the log files, you can begin analyzing
them to identify any relevant evidence. This may involve searching for specific
keywords or patterns of activity that could indicate malicious behavior.

12. Define mobile forensics.


Mobile forensics is the process of collecting, analyzing, and interpreting data from mobile devices,
such as smartphones, tablets, and other portable electronic devices, in order to investigate and
uncover evidence related to a legal or criminal case. Mobile forensics involves using specialized
techniques and tools to recover data from mobile devices, including deleted or hidden data, and
analyzing that data to support an investigation or legal case.

13. What is physical analysis in mobile forensics?


Physical analysis in mobile forensics refers to the process of analyzing the physical storage media
of a mobile device, such as the NAND flash memory chip, to recover data that has been deleted or
is otherwise inaccessible through traditional forensic techniques. Physical analysis can be a highly
effective way to recover data from a mobile device, as it can uncover data that has been intentionally
or unintentionally deleted, overwritten, or hidden by the device's operating system.

14. What is logical analysis in mobile forensics?


Logical analysis in mobile forensics refers to the process of extracting data from a mobile device
using the device's standard interfaces, such as USB or Wi-Fi, without altering the physical storage
media of the device. Logical analysis is typically the first step in a mobile forensic investigation, as
it is less intrusive than physical analysis and can often recover a significant amount of data from
the device.

5 Marks Questions (Module 6)

Q1. Which guidelines do we consider for incident report writing?
Through our experience of writing a vast number of forensic reports, we have developed some
report writing guidelines. The following points are to be considered when writing a report:
1. Document investigative steps immediately and clearly.
2. Know the goals of your analysis:
Before you begin your analysis, know what the goals are. For law enforcement examiners, every
crime has elements of proof.
3. Organize your report:
Write “macro to micro.” Organize your forensic report to start at the high level and have the
complexity of your report increase as your audience continues to read it.
4. Follow a template:
A standardized report template should be followed. This makes your report writing scalable,
establishes a repeatable standard, and saves time.
5. Use consistent identifiers:
Confusion can be created in a report by referring to an item in different ways, such as
referring to the same computer as a system, PC, box, web server, victim system, and so on.
6. Use attachments and appendices:
To maintain the flow of your report, use attachments or appendices. You do not want to interrupt
your forensic report, right in the middle of your conclusions, with 15 pages of source code.
7. Have coworkers read your reports:
Have other coworkers read your forensic reports. This helps develop reports that are
comprehensible to nontechnical personnel, who have an impact on your incident response strategy and
resolution.
8. Use MD5 hashes:
Whether it is an entire hard drive or specific files, create and record the MD5 hashes of your proof.
Computing MD5 hashes for all evidence supports the claim that you are diligent and attentive
to the special requirements of forensic examination.
9. Include metadata:
Record and include the metadata for every file or file fragment cited in your report. This metadata
includes the time/date stamps, full path of the file, the file size, and the file's MD5 sum.
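
Guidelines 8 and 9 above (hash every piece of evidence and record its path, size and timestamps), carried through as an added example that is not part of these notes. It computes the MD5 the notes call for and a SHA-256 alongside it, since MD5 is no longer collision-resistant; the evidence files are constructed in a temporary directory, and the manifest layout is an assumption.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Hash a file in chunks so large evidence images do not have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def evidence_record(path):
    """The metadata guideline 9 asks for: full path, size, timestamps, plus the hashes."""
    st = os.stat(path)
    to_iso = lambda t: datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
    return {
        "path": os.path.abspath(path),
        "size": st.st_size,
        "modified": to_iso(st.st_mtime),
        "accessed": to_iso(st.st_atime),
        "metadata_changed": to_iso(st.st_ctime),
        **hash_file(path),
    }


def build_manifest(paths):
    return [evidence_record(p) for p in paths]


def verify_manifest(manifest):
    """Re-hash every file and return the paths whose hashes no longer match (alteration)."""
    mismatches = []
    for rec in manifest:
        current = hash_file(rec["path"])
        if current["md5"] != rec["md5"] or current["sha256"] != rec["sha256"]:
            mismatches.append(rec["path"])
    return mismatches


def demo():
    """Constructed evidence files; returns the manifest and the verification results
    before and after one file is altered."""
    with tempfile.TemporaryDirectory() as d:
        a = os.path.join(d, "evidence1.txt")
        b = os.path.join(d, "evidence2.txt")
        with open(a, "wb") as fh:
            fh.write(b"sample evidence A")
        with open(b, "wb") as fh:
            fh.write(b"sample evidence B")
        manifest = build_manifest([a, b])
        before = verify_manifest(manifest)
        with open(b, "ab") as fh:  # simulate tampering after the manifest was recorded
            fh.write(b"!")
        after = verify_manifest(manifest)
        return manifest, before, after
```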
Q2. Discuss the goals of computer forensic report writing in short.
Your computer forensic reports should achieve the following goals:
1. Accurately describe the details of an incident.
2. Be understandable to decision makers.
3. Be able to withstand a barrage of legal scrutiny.
4. Be unambiguous and not open to misinterpretation.
5. Be easily referenced (using paragraph numbers for the report and Bates numbers for attached
documents).
6. Contain all information required to explain your conclusions.
7. Offer valid conclusions, opinions, or recommendations when needed.
8. Be ready on time.
Q3. Describe the layout of an investigative report.
1. Executive summary: The contextual information on the state of affairs that brought about
the need for an investigation is the “executive summary” section.
2. Objectives: Sometimes there is a sudden requirement to perform a hard drive forensic
examination. The goals of your forensic examination can relate to virtually any subject,
since any type of case/action can take place.
3. Computer evidence analyzed: Detailed information regarding the assignment of
evidence tag numbers and media serial numbers, as well as descriptions of the evidence, is
provided in this section.
4. Relevant findings: A summary of the findings of probative value is provided in this section.
It answers the question, “What relevant items were found during the investigation?” The
relevant findings should be listed in order of importance, or relevance to the case.
5. Supporting details: An in-depth look at and analysis of the relevant findings is provided in
this section. It outlines how we found or arrived at the conclusions outlined in the “Relevant
Findings” section.
6. Investigative leads: In this section, we outline action items that could be performed to
discover additional information pertinent to the investigation. If more time or additional
resources were provided to the examiner or investigator, these are the outstanding tasks that
could be completed.
7. Additional report subsections: In our computer forensic reports, there are several
additional subsections that we often include. We have found the following subsections to be
useful in specific cases, but not every case. It depends on the needs and wants of the end
consumer.

Q4. Discuss a sample example for writing a forensic report (refer to the ppt case study).
Case study example from the ppt:
Case Study: Behavioral Problem: An administrator calls the corporate director of safety/security out
of concern about an employee. The administrator says that the employee had asked whether
their neighbors had called. When asked why, the employee had related an anecdote about his
neighbors, who have a machine that can read his mind. The employee had told the administrator that this
matter should be reported because only the FBI is approved to have such a machine.

Q5. Explain the general structure of a forensic report.


Ans.
• Title of the examination report: whether it is a toxicological/handwriting opinion/ballistics report
etc., with the proper legal section of the evidence act of that particular country or region.
• Name and address of the laboratory, with contact information such as telephone, mobile, fax, email.
• Affiliation of the laboratory, showing its legal entity and accreditation status. If you are a
freelancer, all your credentials, with your expertise and experience, must be mentioned on the letterhead
of the report or at the end of the report.
• Unique ID number of the report, with date (if applicable).
• Name of the customer (client/attorney/individual), with reference letter number and date (assignment
letter).
• Case Enquiry/ DD/ FIR no. ………date ………….u/s… Police Station, under which court
(if applicable).
• Mode of receipt of material (evidence/specimens): through messenger, by post or by mail.
• Sampling method: how the sampling was done by the IO/investigator/forensic expert.
• Reference to the test method(s): reference to the lab procedure manual, books or published standard
method used in the examination, or sometimes to previous cases solved or convicted.
• Condition of parcels/test samples and seals; e.g. Received one sealed/unsealed parcel. The seals
were intact and tallied with the specimen seal as per the forwarding authority letter.
• Description of specimens/parcels/samples/exhibits etc.
• Methodology of examination.
• Result of examination and opinion.
• Signature of the examining officer, along with seal.
