Cf Repeted

Uploaded by itsamitkolape05

1. What is Data Acquisition?

• Data acquisition is the process of collecting digital evidence from various devices.

• Types: Live Acquisition (data from powered-on systems) and Dead Acquisition (from powered-off systems).

• Goals: Ensure evidence integrity and preservation for analysis.

• Forensic Image: Exact replica of the original evidence.

• Hashing: Used to verify data integrity (e.g., MD5, SHA1). MD5 and SHA1 are no longer collision-resistant, so current practice records a SHA-256 hash alongside them.

• Tools: Common tools include FTK Imager, EnCase, and dd.

• Types of Storage Formats: Examples include ISO, DD, and E01.

• Chain of Custody: Document who handled the evidence, when, and why.

• Verification: Ensure that acquired data is identical to the original by comparing hashes.

• Legal Considerations: Acquired data must be admissible in court.

2. What is an Expert Witness and Criteria for Reports?

• An Expert Witness provides specialized knowledge in legal cases.

• They testify on matters beyond the average person's understanding.

• Qualifications: Expertise in the relevant forensic discipline (e.g., computer forensics).

• Clarity: Reports must be clear and understandable to non-experts.

• Accuracy: The facts and methods used must be precise.

• Objectivity: Expert testimony must be impartial, not biased.

• Reliability: The methods used should be widely accepted and proven.

• Documentation: Detailed notes and evidence that support conclusions.

• Presentation: Evidence and analysis should be presented in a structured way.

• Court Role: Assist the court in understanding technical details relevant to the case.

3. Explain Digital and Electronic Signatures under IT Act

• Digital Signature: A cryptographic method for verifying data authenticity.

• Electronic Signature: Any electronic symbol that signifies agreement (e.g., a typed name in an email).

• Legal Status: Both are legally recognized under the IT Act 2000.

• Private Key: Used by the signer to create the Digital Signature (it encrypts the hash of the data, not the data itself), which binds the signature to the data's integrity.

• Public Key: Used by recipients to verify Digital Signatures.

• Digital Signature ensures non-repudiation (the sender cannot deny sending the data).

• Electronic Signature can be simpler and does not necessarily require encryption.

• Uses: Used for secure transactions, documents, and online agreements.

• Non-repudiation: Prevents parties from denying their involvement in a transaction.

• Verification: The process to confirm the legitimacy of the signature.
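The hash-then-private-key mechanism described above, as an added example that is not part of these notes: a textbook RSA signature over fixed Mersenne primes, so the private key signs the SHA-256 hash and the public key verifies it. The primes, the exponent 65537 and the sample record are assumptions chosen for illustration; no padding is used, so this shows the mechanism, not a production scheme.

```python
import hashlib

# Illustration only: textbook RSA over fixed Mersenne primes 2^61-1 and 2^89-1,
# with no padding, so the mechanism (hash, then private-key transform) is visible.
# A real signature scheme uses 2048-bit or larger keys plus a padding standard such as PSS.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (modular inverse, Python 3.8+)
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def record_hash(data: bytes) -> int:
    """Hash the electronic record; keep 128 bits so the integer is below N."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def sign(data: bytes, private_key=PRIVATE_KEY) -> int:
    """Signer applies the private key to the hash: this value is the digital signature."""
    n, d = private_key
    return pow(record_hash(data), d, n)


def verify(data: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Any recipient applies the public key and checks that the recovered hash matches.
    A changed record or a forged signature fails, which is what gives non-repudiation."""
    n, e = public_key
    return pow(signature, e, n) == record_hash(data)


if __name__ == "__main__":
    record = b"Transfer INR 5000 to account 1234"        # constructed sample record
    sig = sign(record)
    print("authentic:", verify(record, sig))                              # True
    print("tampered:", verify(record.replace(b"5000", b"50000"), sig))    # False
```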

4. What is Network Forensics?

• Network forensics involves monitoring and analyzing network traffic to investigate cybercrimes.

• Tools like Wireshark and tcpdump help in capturing network packets.

• Packet Capture: Collecting raw data packets sent over a network.

• Analysis: Examines packet data for evidence of unauthorized activities or attacks.

• Traffic Analysis: Helps identify suspicious patterns or intrusions.

• Logs: Network logs can be used as evidence for forensic investigations.

• Network Evidence: Can include DNS queries, traffic patterns, or IP addresses.

• Modes of Protection: Include Prevention, Detection, and Response in the Defense-in-Depth (DiD) Strategy.

• Intrusion Detection: Systems monitor the network for signs of malicious activity.

• Investigation: Network forensics helps track cybercriminals, including identifying unauthorized data access.

5. What is a Deposition in Forensics?

• A Deposition is sworn testimony given outside of court, used for legal purposes.

• Types: Oral (spoken) or written testimony.

• Purpose: To gather facts under oath before trial.

• Guidelines:

1. Be truthful and consistent.

2. Only answer questions directly asked.

3. Avoid speculation or assumptions.

4. Maintain composure and remain professional.

5. Stay focused on facts and avoid opinions.

6. Document everything related to the evidence.

7. Ensure accuracy in statements.

8. Review previous statements for consistency.

9. Clarify misunderstandings immediately.

10. Avoid discussing the case outside the deposition.

• Deposition transcripts are admissible in court if necessary.

6. What is the Chain of Custody?

• The Chain of Custody tracks the handling of evidence to ensure its integrity.

• Begins with the collection of evidence and ends when it is presented in court.

• Documentation: Record every individual who handled the evidence.

• Transfer Logs: Log who took possession, when, and why.

• Prevents contamination of or tampering with evidence.

• Ensures that the evidence presented in court is the same as originally collected.

• Authentication: Evidence can be authenticated by checking the chain of custody records.

• Challenges: Gaps in the chain can render evidence inadmissible.

• Legal Requirement: Proper documentation is required for evidence to be accepted in court.

• Essential for maintaining the admissibility of digital evidence.

7. What are Web Server Logs?

• Web server logs capture data about requests made to a web server.

• Fields: Include timestamps, IP addresses, request methods, and status codes.

• Used to track user activity and diagnose website issues.

• Help identify unauthorized access, intrusions, or other malicious activities.

• Provide valuable data for network forensics.

• Log Types: Error logs, access logs, and security logs.

• Can record HTTP headers, cookies, and user agents.

• Used in cybercrime investigations to trace activities back to specific users or actions.

• Logs may reveal sources of attacks, such as DDoS.

• Can be analyzed for patterns of suspicious behavior.
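The log fields and pattern analysis described above, as an added example that is not part of these notes: a parser for the Apache/Nginx "combined" access-log format and a check that flags source IPs producing a burst of client errors. The sample lines, IP addresses, paths, user agents and the threshold of three are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Apache/Nginx "combined" access-log format (not real traffic);
# the last line is deliberately malformed to show that unparseable lines are skipped.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:13:55:36 +0530] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:55:37 +0530] "GET /about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2024:13:56:01 +0530] "GET /admin HTTP/1.1" 404 169 "-" "curl/8.0"
198.51.100.23 - - [10/Oct/2024:13:56:02 +0530] "GET /wp-login.php HTTP/1.1" 404 169 "-" "curl/8.0"
198.51.100.23 - - [10/Oct/2024:13:56:02 +0530] "GET /.env HTTP/1.1" 404 169 "-" "curl/8.0"
198.51.100.23 - - [10/Oct/2024:13:56:03 +0530] "GET /backup.zip HTTP/1.1" 404 169 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2024:13:57:10 +0530] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not a valid access-log record
"""

# Fields the notes list: client IP, timestamp, request method and path, status code, user agent.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_log(text: str) -> list:
    """Return one dict per well-formed line; malformed lines are skipped, never guessed."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def flag_suspicious(entries: list, error_threshold: int = 3) -> dict:
    """Group requests by source IP and flag any IP whose 4xx count reaches the
    threshold: a burst of 404s on unrelated paths is the signature of path probing."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "paths": set(), "agents": set()})
    for e in entries:
        s = stats[e["ip"]]
        s["requests"] += 1
        s["paths"].add(e["path"])
        s["agents"].add(e["ua"])
        if 400 <= e["status"] < 500:
            s["errors"] += 1
    return {ip: {"requests": s["requests"], "errors": s["errors"],
                 "paths": sorted(s["paths"]), "agents": sorted(s["agents"])}
            for ip, s in stats.items() if s["errors"] >= error_threshold}
```

Running `flag_suspicious(parse_log(SAMPLE_LOG))` reports only 198.51.100.23, with its four probed paths and the user agent it used, which is the kind of record an investigator attaches to a report.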

8. Explain Social Media Evidence Collection

• Social media platforms provide a wealth of evidence, such as posts, messages, and media.

• Evidence types include posts, comments, messages, and images/videos.

• Personal Information can be used to identify individuals in investigations.

• Metadata such as location data can provide critical evidence.

• Geo-tagging: Identifies locations where photos/videos were taken.

• Evidence must be collected while maintaining the Chain of Custody.

• Ensure legal compliance when obtaining social media evidence (a subpoena may be required).

• Social media companies often maintain logs, IP addresses, and other data.

• Can be used in criminal cases like cyberstalking or harassment.

• Ensure thorough documentation when collecting evidence to preserve its integrity.

9. What is an Authorized Requestor?

• An Authorized Requestor is a person legally or organizationally allowed to access digital evidence.

• Role: Ensure the proper handling of digital evidence in investigations.

• Prevents unauthorized access to or tampering with evidence.

• Organizations appoint authorized requestors to control who can request data.

• Helps maintain confidentiality during investigations.

• Ensures compliance with legal protocols during digital evidence collection.

• Responsibilities: May include overseeing evidence handling and documentation.

• Protects the integrity and admissibility of evidence.

• Often designated by roles such as IT Security Officer or Legal Counsel.

• Plays a key role in maintaining proper Chain of Custody.

10. How to Create Image Files of Digital Evidence?

• Forensic Tools: Use tools like FTK Imager or EnCase to create image files.

• Verify the Evidence: Check that the storage device has not been tampered with, and connect it through a write blocker so that imaging itself cannot alter it.

• Create an Exact Copy: The forensic image should be a bit-for-bit copy of the original data.

• Hashing: Use MD5 or SHA1 to generate hashes before and after the acquisition.

• Image Formats: Common formats include ISO, DD, and E01.

• Storage: Store the image securely and document its creation.

• Chain of Custody: Log every person who handles the evidence.

• Integrity Check: Verify the image is identical to the original using hashing.

• Forensic Preservation: Ensure the image is an exact copy to preserve evidence integrity.

• Used to preserve evidence for further analysis in forensic investigations.
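The acquisition procedure of sections 1, 6 and 10 carried through end to end, as an added example that is not part of these notes: hash the source, take a bit-for-bit copy, hash the copy, and append a chain-of-custody record, then show that a single changed byte in the image is caught on re-hashing. The file names, the handler name and the constructed 1 MiB "disk" are assumptions; `shutil.copyfile` stands in for the raw image that dd or FTK Imager would produce.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024   # hash in 1 MiB chunks so multi-GB images never load into memory


def hash_file(path: Path) -> dict:
    """One pass over the file computing MD5 (as in the notes) and SHA-256 together."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def acquire(source: Path, image: Path, handler: str, custody_log: Path) -> bool:
    """Hash the source, take a bit-for-bit copy, hash the copy, and append a
    chain-of-custody record. Returns True only when every digest matches."""
    before = hash_file(source)
    shutil.copyfile(source, image)      # stand-in for the dd / FTK Imager raw (DD) image
    after = hash_file(image)
    verified = before == after
    with open(custody_log, "a") as log:
        log.write(json.dumps({
            "time_utc": datetime.now(timezone.utc).isoformat(),
            "handler": handler, "action": "acquire",
            "source": str(source), "image": str(image),
            "source_hashes": before, "image_hashes": after, "verified": verified,
        }) + "\n")
    return verified


def demo() -> tuple:
    """Constructed evidence: acquisition verifies, then one flipped byte in the image
    is caught by re-hashing. Returns (verified, still_matches_after_tamper, log_entries)."""
    work = Path(tempfile.mkdtemp())
    source, image, log = work / "evidence.bin", work / "evidence.dd", work / "custody.jsonl"
    source.write_bytes(bytes(range(256)) * 4096)        # constructed 1 MiB "disk"
    verified = acquire(source, image, "examiner-01 (hypothetical)", log)
    data = bytearray(image.read_bytes())
    data[0] ^= 0x01                                     # simulate a single-bit change
    image.write_bytes(data)
    return verified, hash_file(source) == hash_file(image), len(log.read_text().splitlines())
```

Each custody entry is one JSON line, so the log can be appended to on every later transfer and diffed against the hashes recorded at acquisition.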
