Q). What are various options available for collecting digital evidences?

Explain in detail? [8M]

Ans:- Digital evidence refers to any information stored or transmitted in
digital form that can be used in court.
Digital evidence refers to any information stored or transmitted in digital
form that can be used in court. Below are the methods for collecting digital
evidence, explained simply:

1. Computer Devices o Collect data from hard drives, SSDs, and

USB drives.
o Examples: Emails, documents, and logs of user activity.

2. Mobile Devices o Extract data from smartphones, tablets, or

smartwatches.
o Examples: Call logs, messages, GPS locations, and photos.

3. Network Data o Capture information transmitted over

networks. o Examples: IP addresses, packets (using tools like
Wireshark), or server logs.

4. Cloud Storage o Access data stored in online services.

o Examples: Files saved on Google Drive, OneDrive, or iCloud.

5. Internet Activity
o Gather evidence from websites, social media, or browsing
history.
o Examples: Chat messages, posts, or downloads.
 6. IoT Devices o Collect data from smart home devices or
wearables. o Examples: Security camera logs, smart
assistants' activity, or fitness trackers.

7. Email and Messaging Services o Retrieve evidence from

emails or chat applications.
o Examples: Email headers, attachments, and chat history.

8. Forensic Tools o Use specialized software for evidence

extraction.
o Examples: FTK Imager, EnCase, or Cellebrite for mobile devices.

Q). Explain the essential steps in processing digital evidence from the crime
scene? [9M]
Ans:- Processing digital evidence involves several key steps to ensure its
integrity and admissibility in court. Here’s a simple explanation:

1. Secure the Crime Scene o Restrict access to the area to prevent

tampering. o Identify and secure all potential digital evidence
sources (computers, phones, USB drives, etc.).
2. Document the Scene
o Take photos and videos of the crime scene and devices in their
original state. o Record details such as device types, positions,
and visible data on screens.
3. Seize and Preserve Evidence
o Carefully collect digital devices using anti-static bags to avoid
damage.
o Use write blockers to protect the integrity of storage media.
 4. Create Forensic Copies o Make exact copies (clones or images) of
the data for analysis.
o Ensure the original data remains untouched.

5. Analyze the Evidence

o Use forensic tools like FTK Imager, EnCase, or Cellebrite to
examine the data.
o Look for relevant files, logs, emails, or deleted data.

6. Document the Findings o Record every step taken during analysis. o

Prepare a detailed report with evidence, methods used, and
results.

7. Maintain Chain of Custody o Keep a detailed log of who accessed

the evidence and when.
o Ensure the evidence can be traced back to the crime scene.

Q). What is the volatile evidence in the context of computer forensics, and
why is it important to collect in quickly? [8M]
Ans:- Volatile evidence refers to data that is temporarily stored in a
computer and can be lost when the system is turned off or restarted.
Examples of Volatile Evidence:
• RAM (Random Access Memory) data
• Active network connections
• Running processes
• Logged-in users
• Temporary files
Importance of Collecting Volatile Evidence Quickly:

1. Easily Lost: Volatile data disappears when the device is powered off
or rebooted.

2. Critical Information: It may contain key evidence like encryption keys,

malware in memory, or live attack traces.

3. Time-Sensitive: Delays in collection can result in the loss of vital

information, making it harder to trace cybercrimes.
Tools like FTK Imager or Volatility Framework are used.

Q). What are the hypical steps involve in the collection of digital evidence
[9M]
Ans:- 1. Identify Evidence
• Locate all potential sources of digital evidence, such as computers,
mobile devices, USB drives, or network logs.
2 Secure the Scene
• Protect the crime scene to prevent tampering or data loss.
• Restrict access to unauthorized individuals.
3. Document Evidence • Record details like device type, condition, and
location using photos, videos, or notes.
• Label each item for identification.
4. Seize Devices
• Carefully collect the devices and store them securely.
• Use anti-static bags and follow legal procedures for seizure.
5. Preserve Evidence
• Use tools like write blockers to prevent modification of original data.
 • Ensure devices are kept powered on if necessary to capture volatile
data.
6. Forensic Imaging
• Create exact copies (clones or images) of digital storage for analysis.
• Keep the original devices intact.
7. Analyze Data
• Examine the forensic images using specialized tools like EnCase or
FTK Imager.
• Search for relevant files, logs, or deleted data.
8. Maintain Chain of Custody
• Track every person and step involved in handling the evidence.
• Ensure evidence integrity for court use.

Q). What is chain custody? How we can control the contamination of digital
evidence? [9M]
Ans:- Chain of custody refers to the detailed record of how digital evidence
is collected, stored, and transferred. It ensures that the evidence remains
authentic and unaltered during the investigation. Controlling
Contamination of Digital Evidence
1. Use Write Blockers: Prevent changes to original data during
collection.
2. Document Handling: Record every person who accesses or transfers
the evidence.

3. Secure Storage: Store evidence in tamper-proof containers or

devices.
 4. Limit Access: Allow only authorized personnel to handle evidence.

5. Create Forensic Copies: Analyze copies instead of the original

evidence.
Q). What are various methods of collecting digital evidence ?Enlist the
various digital collection steps. [9M]

Ans:- Methods of Collecting Digital Evidence

1. Physical Collection: Seizing devices like computers, phones, and USB

drives.

2. Live Collection: Capturing volatile data (e.g., RAM, active processes)

from powered-on devices.

3. Network Collection: Monitoring and recording network traffic or logs.

4. Cloud Collection: Accessing data stored in online storage systems.

Steps for Digital Evidence Collection

1. Identify Evidence: Locate potential digital evidence sources.

2. Secure the Scene: Prevent tampering and unauthorized access.

3. Document Evidence: Record details like location, condition, and

device state.

4. Seize Devices: Collect and secure devices legally and carefully.

5. Preserve Evidence: Use write blockers and proper storage to prevent

data alteration.

6. Create Forensic Copies: Make exact copies for analysis.

7. Analyze Data: Use forensic tools to examine the collected evidence.

8. Maintain Chain of Custody: Keep records of evidence handling to

ensure authenticity.
Q). Discuss the various legal aspects of collecting and storing digital
evidence. [9M]
Ans:- Legal Aspects of Collecting and Storing Digital Evidence

1. Authorization
o Evidence must be collected with proper legal permissions, such
as search warrants. o Unauthorized collection may make
evidence inadmissible in court.
2. Admissibility
o Evidence should comply with legal standards to be accepted in
court.
o It must be relevant, authentic, and unaltered.

3. Privacy Laws
o Respect privacy laws while collecting data, especially from
personal devices or online accounts.
4. Chain of Custody
o Maintain a detailed log of who handled the evidence to prove it
was not tampered with.

5. Data Integrity
o Use tools like write blockers to ensure the original data remains
unmodified.
o Preserve the authenticity of evidence.
6. Storage Security o Store evidence in secure, tamper-proof locations to
prevent loss or alteration.
o Limit access to authorized personnel.

7. Documentation
 o Properly document every step of the collection and storage
process for legal transparency.

8. Jurisdictional Issues
o Follow the laws of the country or region where the evidence is
collected to avoid legal conflicts.
9. Expert Handling
o Digital evidence should be collected and analyzed by trained
professionals to ensure legality and reliability.]

Q). What are different computer evidence processing steps? [9M]

Ans:- 1. Secure the Scene
• Protect the area to prevent tampering and loss of evidence.
2. Document the Evidence
• Take photos and notes about the devices, their state, and location.
3. Seize the Evidence
• Carefully collect devices like computers, storage media, and
peripherals.
4. Preserve the Evidence
• Use write blockers and tamper-proof bags to maintain data integrity.
5. Forensic Imaging
• Create exact copies of the data for analysis without altering the
original.
6. Analyze the Data
• Use forensic tools to identify relevant information like files, logs, or
deleted data.
7. Report Findings
• Document the analysis, findings, and methods used.
8. Maintain Chain of Custody
• Keep records of who handled the evidence to ensure it remains
authentic.
9. Restore and Review Data
• Recover any deleted or hidden data using forensic tools and
techniques.
• Review the data for any relevant information that could support the
investigation.
Q). What method & techniques are commonly used to verify &
authenticate computer images. explain any two in detail [9M]
Ans:- Methods and Techniques to Verify & Authenticate Computer
Images

1. Hashing
o Definition: Hashing is a process that generates a unique string of
characters (hash value) for a file or image.
o Process: When an image is created, a hash (like MD5 or
SHA256) is generated. If the image is modified, even slightly,
the hash value will change.
o Use: Hashing helps verify if the image has been tampered with.
If the hash of the received image matches the original hash, the
image is authentic and unaltered.

2. Digital Signatures o Definition: A digital signature is a cryptographic

technique used to verify the authenticity and integrity of digital
content.
 o Process: The image is signed with a private key, generating a
unique signature. The recipient can verify the signature using a
public key. If the image is altered, the signature will not match.
o Use: Digital signatures ensure that the image is from a trusted
source and has not been changed.
3. Steganalysis:
• Detect hidden data (steganography) within the image to identify
potential tampering.
4. Watermark Verification:
• Confirm authenticity by checking for embedded watermarks in the
image.

Q). Explain the different types of digital evidence that can be collected
in computer forensics? [8M]
Ans:- 1. File System Evidence o Description: Includes files, folders,
and metadata stored on hard drives or other storage devices.
o Example: Documents, images, emails, and timestamps showing
when files were created, accessed, or modified.
2. Volatile Evidence o Description: Data that exists temporarily in the
computer's memory (RAM) and can be lost when the device is
powered off.
o Example: Active processes, open files, encryption keys, or
network connections.

3. Network Evidence o Description: Information from network

devices or logs that shows how devices communicate over a
network.
 o Example: Internet history, IP addresses, or logs from routers
and firewalls.
4. Mobile Device Evidence o Description: Data collected from mobile
devices like smartphones or tablets.
o Example: Call logs, text messages, photos, app data, or GPS
location data.

5. Cloud Evidence o Description: Data stored on remote servers or

cloud platforms.
o Example: Emails, documents, and photos stored on platforms
like Google Drive, iCloud, or Dropbox.

6. Email Evidence o Description: Emails and email headers that can

provide information on communication between individuals.
o Example: Sent and received emails, timestamps, attachments,
and IP addresses.
7. Database Evidence o Description: Information stored in
databases, which may contain valuable evidence related to
criminal activities.
o Example: Logs, transaction records, or data entries related to
financial or illegal activities.

8. Application Evidence o Description: Evidence from applications

that may show user actions or logs.
o Example: Web browser history, chat logs, or data from social
media applications.
Q). What is the primary purpose of collecting evidence in digital
forensics? Explain in detail [9M]
Ans:- The main purpose of collecting evidence in digital forensics is to
investigate, analyze, and support legal proceedings in cases involving
digital crimes or activities.
Key Goals:

1. Identify Criminal Activity

o Evidence helps identify illegal actions like hacking, fraud, or
cyberbullying.

2. Preserve Evidence Integrity

o Proper collection ensures the data is unaltered, maintaining its
integrity for use in court.
3. Support Legal Action
o Digital evidence can be used to prove innocence or guilt in
court, helping to resolve legal disputes or criminal cases.

4. Reconstruct Events
o Forensics helps reconstruct the timeline of events leading to a
crime, offering insights into how it occurred and who was
involved.

5. Prevent Further Crimes

o Understanding how the crime was committed can help prevent
similar crimes in the future.
6. Establish Connections
• Digital evidence helps link people, devices, or places to a crime,
showing how they are connected to the incident.
7. Recover Deleted Data
 • Even if data is deleted or hidden, forensic tools can often recover it,
revealing important information that wasn’t visible at first.
8. Document Chain of Events
• By collecting evidence, investigators can create a timeline that shows
what happened, when it happened, and who was involved, helping
to understand the sequence of events.
9. Provide Expert Statement
• Forensic experts can explain the digital evidence in court, making it
easier for judges and juries to understand complex information about
the case.
Q). What are the typical steps involved in the collection of digital
evidences? [8M]
Ans:- 1. Securing the Scene
• Ensure the area is safe and prevent tampering with the evidence.
2. Documenting the Evidence
• Take notes and photographs of the devices, their setup, and the
surrounding environment.
3. Seizing the Devices
• Carefully collect devices such as computers, phones, or storage media
for further analysis.
4. Preserving the Evidence
• Use proper methods (like write blockers) to avoid modifying the data
on the devices.
5.Imaging the Data
• Create exact copies (forensic images) of the data from the devices to
work with, without altering the original.
6. Analyzing the Data
• Use forensic tools to analyze the copied data and identify relevant
information.
7.Maintaining Chain of Custody
• Record and track the handling of the evidence to ensure it remains
authentic and unaltered.
8. Reporting Findings
• Document and summarize the analysis and findings in a clear,
detailed report.
SUMMERY TABLE