Cyber Security Level III Question Bank


Cyber Security Level III Notes

Q1) What is cyber crime?

Cybercrime is defined as a crime in which a computer is the object of the crime (hacking, phishing, spamming) or is used as a tool to commit an offense (child pornography, hate crimes). Cybercriminals may use computer technology to access personal information, business trade secrets or use the internet for exploitative or malicious purposes. Criminals can also use computers for communication and document or data storage. Criminals who perform these illegal activities are often referred to as hackers.

Cybercrime may also be referred to as computer crime.

Q2) Write a short note on computer viruses?

A computer virus is a malicious program that self-replicates by copying itself to another program. In other words, the computer virus spreads by itself into other executable code or documents. The purpose of creating a computer virus is to infect vulnerable systems, gain admin control and steal sensitive user data. Hackers design computer viruses with malicious intent and prey on online users by tricking them.

One of the most common ways viruses spread is through email: opening the attachment in the email, visiting an infected website, clicking on an executable file, or viewing an infected advertisement can cause the virus to spread to your system. Besides that, infections also spread by connecting already infected removable storage devices, such as USB drives.

It is quite easy for a virus to sneak into a computer by dodging the defense systems. A successful breach can cause serious issues for the user, such as infecting other resources or system software, modifying or deleting key functions or applications, and copying, deleting or encrypting data.

Q3) Write a short note on Identity theft?

Identity theft, also known as identity fraud, is a crime in which an imposter obtains key pieces of personally identifiable information, such as Social Security or driver's license numbers, in order to impersonate someone else.

The information can be used to obtain credit, merchandise and services in the name of the victim, or to provide the thief with false credentials. In addition to running up debt, in rare cases, an imposter might provide false identification to police, creating a criminal record or leaving outstanding arrest warrants for the person whose identity has been stolen.

Q4) Write a short note on Malware?

Malware (short for "malicious software") is a file or code, typically delivered over a network, that infects, explores, steals or conducts virtually any behavior an attacker wants. Though varied in type and capabilities, malware usually has one of the following objectives:

• Provide remote control for an attacker to use an infected machine.
• Send spam from the infected machine to unsuspecting targets.
• Investigate the infected user's local network.
• Steal sensitive data.

Malware is an inclusive term for all types of malicious software.

By: Redhwan Faez Baghawitah Page 1

Q5) What types of questions should you ask the client when making the initial contact?


Q6) List the six investigative techniques in order, used by the FBI?
1) Check records, logs and documentation.
2) Interview Personnel.
3) Conduct Surveillance.
4) Prepare search warrant.
5) Search the suspect’s premises if necessary.
6) Seize evidence if necessary.

Q7) How efficient is the Information Technology Act 2000?

Q8) Write a short note on Computer Evidence Analyzed?


Q9) Write a short note on Data Protection?

Data protection is the process of safeguarding important information from corruption, compromise or loss.

The importance of data protection increases as the amount of data created and stored continues to grow at unprecedented rates. There is also little tolerance for downtime that can make it impossible to access important information.

Consequently, a large part of a data protection strategy is ensuring that data can be restored quickly after any corruption or loss. Protecting data from compromise and ensuring data privacy are other key components of data protection.

The term data protection is used to describe both the operational backup of data and business continuity/disaster recovery (BC/DR). Data protection strategies are evolving along two lines: data availability and data management.

Q10) Write a short note on types of attacks by hackers?

Computer Viruses:

Phishing:

Spoofing:

Phone Phishing:

Internet Pharming:

Risk posed on banks and other institutions:

Publishing pornographic materials in electronic form:

Investment newsletter:

Credit card fraud:

Q11) Explain the process of reporting internet frauds?


Q12) What is digital evidence?

Digital evidence is defined as information and data of value to an investigation that is stored on, received or transmitted by an electronic device. This evidence can be acquired when electronic devices are seized and secured for examination. Digital evidence:

• Is latent (hidden), like fingerprints or DNA evidence
• Crosses jurisdictional borders quickly and easily
• Can be altered, damaged or destroyed with little effort
• Can be time sensitive

Q13) Explain Desktop Forgery?

The ability to forge documents is no longer an art, but simply a matter of having the appropriate equipment. Using a relatively inexpensive personal computer, a laser printer, an optical scanner, and an appropriate graphics design software, forgers can now create replicas of almost any document, from checks to birth certificates.

The would-be forger uses the optical scanner to copy a document, for instance a check, into the memory of a personal computer. The graphics program alters the image in any way desired, such as changing the name of the payee or the dollar amount. The document is then printed on standard check "safety" paper, also readily available.

The forger usually targets a corporate account that has a large volume of checks and that has a large enough balance to let the forged check clear. The odds are that a bogus check will not be discovered until the company reconciles its bank statement, by which time the forger will be long gone. And what if the person who reconciles the bank account is the forger? In a closely held business the possibility must be recognized.

Under the Uniform Commercial Code, the bank that accepts the forged check as a deposit must bear the loss.

Q14) Explain Cyberstalking?

Cyberstalking is a crime in which the attacker harasses a victim using electronic communication, such as e-mail or instant messaging (IM), or messages posted to a Web site or a discussion group. A cyberstalker relies upon the anonymity afforded by the Internet to allow them to stalk their victim without being detected. Cyberstalking messages differ from ordinary spam in that a cyberstalker targets a specific victim with often threatening messages, while the spammer targets a multitude of recipients with simply annoying messages.

WHOA (Working to Halt Online Abuse), an online organization dedicated to the cyberstalking problem, reported that in 2001 58% of cyberstalkers were male and 32% female (presumably in some cases the perpetrator's gender is unknown). In a variation known as corporate cyberstalking, an organization stalks an individual. Corporate cyberstalking (which is not the same thing as corporate monitoring of e-mail) is usually initiated by a high-ranking company official with a grudge, but may be conducted by any number of employees within the organization. Less frequently, corporate cyberstalking involves an individual stalking a corporation.

There are a number of simple ways to guard against cyberstalking. One of the most useful precautions is to stay anonymous yourself, rather than having an identifiable online presence: Use your primary e-mail account only for communicating with people you trust and set up an anonymous e-mail account, such as Yahoo or Hotmail, to use for all your other communications. Set your e-mail program's filtering options to prevent delivery of unwanted messages. When choosing an online name, make it different from your name and gender-neutral. Don't put any identifying details in online profiles.

Q15) Write a short note on Collection of digital evidence?

Q16) Write a short note on how spoofing works?


Q17) What is database forensics?

Database servers store sensitive information. Database forensics refers to the branch of digital forensic science specifically related to the study of databases and the data they keep. Database forensics looks at who accessed the database and what actions were performed. Large data security breaches are a major problem, and criminal investigators search for related information.

Modern criminal investigations often involve database forensics as investigators search for motive and method and try to identify suspects. Database forensics can also be used to verify commercial agreements, such as a recent legal dispute between two large companies regarding whether database software had accurately calculated the residual value of a fleet of 45,000 leased cars.

A forensic examination of a database may investigate the timestamps relating to the update time of a row in a relational table in order to verify the actions of a database user. Another database forensics case might examine all transactions within a database system or application over a specific period of time in order to identify any fraudulent transactions.

Experts in database forensics need to be well-versed in almost all aspects of database development and use, as they have to preserve, authenticate, analyze and output data from large, custom-built databases that cannot just be copied and taken back to the office for further investigation.

Stroz Friedberg highlights that enterprise database forensics typically requires investigators to "leverage the infrastructure of the database itself, using a combination of disabling archive and deletion features, preserving backup tapes, and/or preserving existing reports."

Investigators and DBAs can leverage books and tools to better understand database forensics. The book SQL Server Forensic Analysis by Kevvie Fowler defines and documents methods and techniques for SQL Server forensics. It remains the go-to database forensics textbook specifically for SQL Server.

Q18) What is network forensics?

Network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents. (The term, attributed to firewall expert Marcus Ranum, is borrowed from the legal and criminology fields where forensics pertains to the investigation of crimes.) According to Simson Garfinkel, author of several books on security, network forensics systems can be one of two kinds:

• "Catch-it-as-you-can" systems, in which all packets passing through a certain traffic point are captured and written to storage with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.
• "Stop, look and listen" systems, in which each packet is analyzed in a rudimentary way in memory and only certain information saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Both approaches require significant storage and the need for occasional erasing of old data to make room for new. The open source programs tcpdump and windump as well as a number of commercial programs can be used for data capture and analysis.

One concern with the "catch-it-as-you-can" approach is one of privacy since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents except with user permission, for limited operations monitoring, or under a court order. The U.S. FBI's Carnivore is a controversial example of a network forensics tool.

Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs).

Q19) Explain in detail firewall forensics?


Q20)What are the important aspects for which mobile evidence is being
presently used?

Q21) Write a short note on Handset based techniques?


Q22) Write a short note on Hybrid based techniques?

Q23) Explain the steps involved in finding lost or stolen mobile phones?


Q24) What is Data Forensics?

Q25) What do you mean by imaging an electronic device?

Q26) What is disk imaging?


Q27) What is data recovery?

Data recovery is the process of restoring data that has been lost, accidentally deleted, corrupted or made inaccessible.

In enterprise IT, data recovery typically refers to the restoration of data to a desktop, laptop, server or external storage system from a backup.

Most data loss is caused by human error, rather than malicious attacks, according to U.K. statistics released in 2016. In fact, human error accounted for almost two-thirds of the incidents reported to the U.K. Information Commissioner's Office. The most common type of breach occurred when someone sent data to the wrong person.

The data recovery process varies, depending on the circumstances of the data loss, the data recovery software used to create the backup and the backup target media. For example, many desktop and laptop backup software platforms allow users to restore lost files themselves, while restoration of a corrupted database from a tape backup is a more complicated process that requires IT intervention. Data recovery services can also be used to retrieve files that were not backed up and accidentally deleted from a computer's file system, but still remain on the hard disk in fragments.

Data recovery is possible because a file and the information about that file are stored in different places. For example, the Windows operating system uses a file allocation table to track which files are on the hard drive and where they are stored. The allocation table is like a book's table of contents, while the actual files on the hard drive are like the pages in the book.

Q28) What is event viewer?

Event Viewer is a component of Microsoft's Windows NT line of operating systems that lets administrators and users view the event logs on a local or remote machine. In Windows Vista, Microsoft overhauled the event system.

Due to the Event Viewer's routine reporting of minor start-up and processing errors (which do not in fact harm or damage the computer), the software is frequently used by technical support scammers to convince users unfamiliar with Event Viewer that their computer contains critical errors requiring immediate technical support. An example is the "Administrative Events" field under "Custom Views" which can have over a thousand errors or warnings logged over a month's time.

Q29) What is the use of broken links in operating system forensics?


Q30) What is the use of the swapfile in operating system forensics?

Q31)Write a short note on IIS Logs?


Q32) Write a short note on DoS attacks?

A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic, or sending it information that triggers a crash. In both instances, the DoS attack deprives legitimate users (i.e. employees, members, or account holders) of the service or resource they expected.

DoS attacks often target the web servers of high-profile organizations such as banking, commerce, and media companies, or government and trade organizations. Though DoS attacks do not typically result in the theft or loss of significant information or other assets, they can cost the victim a great deal of time and money to handle.

There are two general methods of DoS attack: flooding services or crashing services. Flood attacks occur when the system receives more traffic than the server can buffer, causing it to slow down and eventually stop. Popular flood attacks include:

• Buffer overflow attacks – the most common DoS attack. The concept is to send more traffic to a network address than the programmers have built the system to handle. It includes the attacks listed below, in addition to others that are designed to exploit bugs specific to certain applications or networks.
• ICMP flood – leverages misconfigured network devices by sending spoofed packets that ping every computer on the targeted network, instead of just one specific machine. The network is then triggered to amplify the traffic. This attack is also known as the smurf attack or ping of death.
• SYN flood – sends a request to connect to a server, but never completes the handshake. This continues until all open ports are saturated with requests and none are available for legitimate users to connect to.

Other DoS attacks simply exploit vulnerabilities that cause the target system or service to crash. In these attacks, input is sent that takes advantage of bugs in the target that subsequently crash or severely destabilize the system, so that it can't be accessed or used.

An additional type of DoS attack is the Distributed Denial of Service (DDoS) attack. A DDoS attack occurs when multiple systems orchestrate a synchronized DoS attack against a single target. The essential difference is that instead of being attacked from one location, the target is attacked from many locations at once. The distribution of hosts that defines a DDoS provides the attacker multiple advantages:

• He can leverage the greater volume of machines to execute a seriously disruptive attack.
• The location of the attack is difficult to detect due to the random distribution of attacking systems (often worldwide).
• It is more difficult to shut down multiple machines than one.
• The true attacking party is very difficult to identify, as they are disguised behind many (mostly compromised) systems.
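The SYN flood described above leaves connections half-open, so a defender can spot it by the share of SYNs from a source that never reach the final ACK of the handshake. The following is an added example, not from these notes: it replays a constructed list of connection events (the kind a sniffer or firewall log yields) and flags such sources. The function names, the sample addresses and the thresholds are this example's own assumptions.

```python
"""Half-open connection monitor for spotting a SYN flood (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class SourceStats:
    syn: int = 0          # SYNs seen from this source
    completed: int = 0    # handshakes that reached the client's final ACK


def tally_handshakes(events):
    """Track each (src_ip, src_port, dst_port) flow from SYN to final ACK.

    events: iterable of (src_ip, src_port, dst_port, flags) tuples, where flags
    is "S" (client SYN), "SA" (server SYN-ACK) or "A" (client's final ACK).
    Only the client-side SYN and final ACK matter for half-open accounting.
    """
    stats = defaultdict(SourceStats)
    pending = set()   # flows that sent a SYN but have not yet ACKed
    for src, sport, dport, flags in events:
        flow = (src, sport, dport)
        if flags == "S":
            stats[src].syn += 1
            pending.add(flow)
        elif flags == "A" and flow in pending:
            pending.discard(flow)
            stats[src].completed += 1
    return stats


def suspected_flooders(stats, min_syn=20, max_completion=0.2):
    """Return (src, syn, completed, ratio) for sources with enough SYN volume
    and a low completion ratio. Thresholds are assumed values; tune them to
    the monitored link's normal baseline.
    """
    flagged = []
    for src, s in stats.items():
        if s.syn < min_syn:
            continue
        ratio = s.completed / s.syn
        if ratio <= max_completion:
            flagged.append((src, s.syn, s.completed, ratio))
    return sorted(flagged)


def build_sample_events():
    """Constructed sample traffic: one normal client and one flooding source."""
    events = []
    # 198.51.100.7 opens 25 complete connections to port 443
    for i in range(25):
        events.append(("198.51.100.7", 40000 + i, 443, "S"))
        events.append(("198.51.100.7", 40000 + i, 443, "A"))
    # 203.0.113.9 sends 200 SYNs from rotating source ports, completing only 5
    for i in range(200):
        events.append(("203.0.113.9", 10000 + i, 443, "S"))
        if i < 5:
            events.append(("203.0.113.9", 10000 + i, 443, "A"))
    return events


def analyse(events=None):
    """Run the tally and the threshold check; returns the flagged sources."""
    events = build_sample_events() if events is None else events
    return suspected_flooders(tally_handshakes(events))


if __name__ == "__main__":
    for src, syn, done, ratio in analyse():
        print(f"{src}: {syn} SYNs, {done} completed (ratio {ratio:.3f})")
```

The same tally can be kept per destination port to show which service is being saturated.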

Q34) Explain in detail specific computer crimes?


Q35) Explain the five basic ways computer criminals use to get information about the companies they attack?

Q36) Explain the role of a private cyber crime investigator or consultant in an investigation?


Q37) What type of information will you gather when you arrive at the client site?
• Was it normal for these persons to have been on the system during the past 24 hours?

• Who was the last person on the system?

• Does this person normally work these hours?

• Do any of your personnel have a habit of working on weekends, arriving very early,
or staying very late?

• What are the work patterns of these personnel?

• At what time(s) did the incident occur?

• What was on the computer screen?

• When was the system last backed up?

• How long have these persons been with the organization?

• Have any of these persons behaved in a strange manner? Do any have unusual habits
or an adverse relationship with other employees?

• Have there been any other unusual network occurrences during the past 30 days?

• Can you provide me with an overview of what has happened here?

• What programs/contracts were the compromised systems involved with? What personnel work on these programs/contracts?

• Is there anything different about the area where the systems reside? Does anything
look out of place?


• What level of access (clearance) does each of the individuals have for the
compromised system and the area where it resides?

• Are any of the personnel associated with the systems not United States citizens?

• Are any cameras or microphones in the area that could track personnel movements at
or near the compromised system area?

• Are there access logs into/out of the building and area?

• Do people share passwords or user IDs?

• Does the organization have any financial problems or critical schedule slippages?

• Have any personnel taken extended vacations, had unexplained absences, or visited
foreign countries for business/pleasure during the past 90 days?

• Have any personnel been reprimanded in the past for system abuse or any other issues?

• Are any personnel having financial or marital hardships? Are any having intimate
relations with any fellow employee or contractor?

• Are any personnel contractors/part-time or not full-time employees?

• Who else had access to the area that was compromised?

• What are the educational levels and computer expertise levels of each of the personnel
involved with the system?

• What type of work is this organization involved with (current and past)?

• Who first noticed the incident? Who first reported the incident? When?

• Did the person who noticed the incident touch anything besides the telephone?

• Does anyone else in the company know of this?

• Based on records from Physical Security, what time did each of the personnel arrive
in the building today?

• Based on records from Physical Security, if any personnel arrived early, was anyone
else already in the building? Was this normal for them?

• For the past 30 days, provide me with a listing of everyone who was on the
compromised system, along with their dates/times of access.

• What was the purpose of that specific system?

• Has the employment of anyone in the organization been terminated during the past 90
days?


• Can you give me a copy of the organization's security policy/procedures?

• Why do you think there was a break-in? (Try to get people to talk.)

• Obtain any records available for the compromised system, such as purchasing records
(see original configuration of box) and service records (modifications, problems the
box had, etc.).

• Obtain a diagram of the network architecture (if you have not already obtained one).

• Verify that any experts associated with the system are present. Obtain their names and
contact information.

• Briefly spell out the evidence collection procedure you will be following to those in
the pre-briefing.

• Have you received the backup tape requested for the compromised system? If not, are
backups done on a regularly scheduled basis?

• Was the system serviced recently? By whom?

• Were any new applications recently added to the compromised systems?

• Were any patches or operating system upgrades recently done on the compromised
system?

• Were any suspicious personnel in the area of the compromised systems during the
past 30 days?

• Were any abnormal access rights given to any personnel in the past 90 days who are
not normally associated with the system?

• Are there any known disgruntled employees, contractors, etc.?

• Were any new contractors, employees, etc. hired in the past month?

• Are there any human resources, union, or specific organizational policies or regulations that I need to abide by while conducting this investigation?

Q38)What are the six steps in order that a computer crime investigator will
normally follow?

• Secure the crime scene (if attacker still online, initiate backtrace). Note that
a backtrace (also called a traceback) is an attempt to obtain the
geographical location(s) of the attacker(s) using specialized software tools.

• Collect evidence (assume it will go to court).


• Interview witnesses.

• Plant sniffers (if no IDS [Intrusion Detection System] is in place).

• Obtain laboratory analysis of collected evidence.

• Turn findings and recommendations over to the proper authority.

Q39) Explain cyber law from an Indian perspective?

Information Technology solutions have paved the way to a new world of Internet, business networking and e-banking, emerging as a solution to reduce costs and to turn sophisticated economic affairs into easier, speedier, more efficient and time-saving methods of transaction. The Internet has emerged as a blessing for the present pace of life but at the same time has also resulted in various threats to the consumers and other institutions for which it has proved to be the most beneficial communication resource.

Q40) Explain types of techniques used by crackers/cyber terrorists?

• Computer Viruses:
• Phishing:
• Spoofing:
• Phone Phishing:
• Internet Pharming:
• Risk Posed On Banks And Other Institutions:
• Publishing Pornographic Material In Electronic Form:
• Investment Newsletter:
• Credit Card Fraud:

Q41) What are different measures to curb cyber crimes?

• Do not give personal information to anyone or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card number, social security numbers, or information about the people in your household.
• Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.
• Do not open emails from strangers. Install anti-virus software and spam blocking programs on your computer and your email program.
• Don't download attachments from people you don't know.
• Teach your children about safe communication on the Internet to protect them from Internet predators.
• Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays, or other guessable words. Never give your password to someone else.

Q42) Explain in detail the process of reporting internet frauds?

• Encryption:
• Synchronized Passwords:
• Firewalls:
• Digital Signature:

Digital evidence is fragile and can easily be lost. For example:

• It can be maliciously and deliberately destroyed or altered. It can be altered due to improper handling and storage.
• For these reasons, evidence should be carefully retrieved and preserved. Also consider that for investigating offences involving the Internet, time, date, and time zone information may prove to be very important.

There are two situations a complainant may face:

• A crime is likely to be committed.
• A crime has already been committed.

In the first case, the information may be reported to the local police of your jurisdiction or to the Cyber Crime Cell so that the incident may be averted.

In the second case, most financial frauds are dealt with under the IPC only; hence the complaint may be given either at the local police station or at the CCS.

Q43) What is a computer forensics report?

• During an investigation into the cause of a computer security incident, you will commonly review the contents of a computer for evidence that supports your case. For example, if you are responding to an allegation that an employee named Jeff Kelly is stealing your organization's intellectual property and providing it to a competitor, you will likely review the contents of his system to see if Mr. Kelly:

• Possesses the intellectual property or trade secrets
• Disseminated the intellectual property or trade secrets to the competitor
• Communicated with competitors via email, Internet Relay Chat (IRC), or some other mode of communication
• Documented his evil intentions anywhere on his system

Q44) What is an expert report?

• Law enforcement examiners are generally trained to create forensic reports that offer
no opinions; they merely state the findings. This type of report does not meet the legal
definition of an expert report. A report that does not offer an opinion is not an expert
report. When working with law firms, corporate/private sector examiners are usually
requested to offer an opinion, which suggests that the examiner writing the report will
eventually qualify as an expert and offer this opinion in court (hence, be an expert
witness). When a client does not express whether our opinion is desired, we usually
provide it (perhaps verbally). In most cases, your professional opinion about a case is
the most useful item to your client.

Q45) Explain in detail the process of writing the expert report?

Q46) Write a short note on Executive Summary?

Q47) Write a short note on Computer Evidence Analyzed?

Q48) Write a short note on Supporting details?

Q49) Write a short note on Investigative Leads?

Q50) Write a short note on Data Protection?

Q51) What is digital evidence? Explain different types of digital evidence?

• Digital Evidence or Electronic Evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial. Digital evidence is information of probative value that is stored or transmitted in a binary form. This field includes not only computers in the traditional sense but also includes digital audio and video. It includes all facets of crime where evidence may be found in a digital or binary form.

Perhaps the most common computer crime in the news is child pornography, but computers are also instrumental in crimes ranging from check fraud to conspiracy to commit murder.

Q52) Explain in detail the five basic steps involved in computer forensics?

1) Preparation (of the investigator, not the data)
2) Collection (of the data)
3) Examination
4) Analysis
5) Reporting

Q53) Write a short note on Imaging Electronic Media?

The process of creating an exact duplicate of the original evidentiary media is often called imaging. Using a standalone hard-drive duplicator or software imaging tools such as DCFLdd, IXimager or Guymager, the entire hard drive is completely duplicated. This is usually done at the sector level, making a bit-stream copy of every part of the user-accessible areas of the hard drive which can physically store data, rather than duplicating the filesystem.

The imaging process is verified by using the SHA-1 message digest algorithm (with a program such as sha1sum) or other still viable algorithms such as MD5. At critical points throughout the analysis, the media is verified again, known as "hashing", to ensure that the evidence is still in its original state.
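The sector-level copy and the hash-at-acquisition, re-hash-at-checkpoint routine described above, as an added example that is not part of these notes and not the code of any of the tools named. It works on a constructed in-memory "drive" so it runs offline; the helper names and the 512-byte sector size are assumptions, and the tamper step stands in for an accidental write to a mounted image.

```python
"""Sector-level bit-stream imaging with SHA-1/MD5 verification (added example)."""
import hashlib
import io

SECTOR = 512   # assumed sector size for the constructed drive


def image_media(src, dst, sector=SECTOR):
    """Copy src to dst sector by sector; return the acquisition record.

    src/dst are binary file-like objects. The digests are computed over the
    very bytes written to dst, so the record describes the image as stored.
    """
    sha1, md5 = hashlib.sha1(), hashlib.md5()
    total = 0
    while True:
        chunk = src.read(sector)
        if not chunk:
            break
        dst.write(chunk)
        sha1.update(chunk)
        md5.update(chunk)
        total += len(chunk)
    return {"sha1": sha1.hexdigest(), "md5": md5.hexdigest(), "bytes": total}


def hash_media(fobj, sector=SECTOR):
    """Re-hash an image from the start, e.g. at a checkpoint during analysis."""
    fobj.seek(0)
    sha1, md5 = hashlib.sha1(), hashlib.md5()
    while chunk := fobj.read(sector):
        sha1.update(chunk)
        md5.update(chunk)
    return {"sha1": sha1.hexdigest(), "md5": md5.hexdigest()}


def verify(fobj, record):
    """True only if both digests still match the acquisition record."""
    now = hash_media(fobj)
    return now["sha1"] == record["sha1"] and now["md5"] == record["md5"]


def build_sample_drive(sectors=8):
    """Constructed 'drive': numbered full sectors plus a trailing partial sector."""
    data = b"".join(bytes([i]) * SECTOR for i in range(sectors))
    return io.BytesIO(data + b"slack")   # 8*512 + 5 bytes


def demo():
    """Image the sample drive, verify, then show a single-byte change is caught."""
    src = build_sample_drive()
    image = io.BytesIO()
    record = image_media(src, image)
    ok_before = verify(image, record)
    # simulate an accidental write into the image (one byte in sector 3)
    image.seek(3 * SECTOR)
    image.write(b"\xff")
    ok_after = verify(image, record)
    return record, ok_before, ok_after


if __name__ == "__main__":
    rec, before, after = demo()
    print(f"imaged {rec['bytes']} bytes, sha1={rec['sha1']}")
    print("verify before tamper:", before, "after tamper:", after)
```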

Q54) Write a short note on Examination of Digital evidence?

When conducting evidence examination, consider using the following steps:

Step 1. Preparation:

Prepare working directories on separate media to which evidentiary files and data can be
recovered and/or extracted.

Step 2. Extraction:

Discussed below are two different types of extraction, physical and logical. The physical
extraction phase identifies and recovers data across the entire physical drive without regard
to file system. The logical extraction phase identifies and recovers files and data based on
the installed operating system(s), file system(s), and/or application(s).

Physical extraction:

During this stage the extraction of the data from the drive occurs at the physical level regardless of
file systems present on the drive. This may include the following methods: keyword searching, file
carving, and extraction of the partition table and unused space on the physical drive.

Logical extraction:

During this stage the extraction of the data from the drive is based on the file system(s) present on
the drive and may include data from such areas as active files, deleted files, file slack, and
unallocated file space.

Step 3. Analysis of extracted data:

Analysis is the process of interpreting the extracted data to determine their significance to the case.
Some examples of analysis that may be performed include timeframe, data hiding, application and
file, and ownership and possession. Analysis may require a review of the request for service, legal
authority for the search of the digital evidence, investigative leads, and/or analytical leads.

Step 4. Conclusion:

In and of themselves, results obtained from any one of these steps may not be sufficient to draw a
conclusion. When viewed as a whole, however, associations between individual results may provide
a more complete picture. As a final step in the examination process, be sure to consider the results
of the extraction and analysis in their entirety.

Q55) Write a short note on how spoofing works?

Q56) Write a short note on Mail Relay?

A mail relay (often simply called a mail server) is a device or program that routes e-mail to
its correct destination. Mail relays are typically used within local networks to transmit
e-mail among local users, for example all of the student and faculty e-mail of a college
campus.

Mail relays are particularly useful for e-mail aliasing, where multiple e-mail addresses are in
use but the relay forwards all messages sent to those addresses to one single mailbox. A
properly configured relay is different from an open relay: a server that accepts and forwards
mail that neither originates from nor is addressed to a user in the server's own domain (i.e.
its local IP range). Open relays are abused by spammers to hide the origin of their traffic
and quickly end up on DNS block lists, so relaying should be restricted to authenticated
clients and to the local networks the server is meant to serve.

Q57)Explain the process of collecting the volatile data?

If the machine is still running, any intelligence that can be gained by examining the
applications currently open is recorded. If the machine is suspected of being used for
illegal communications, such as terrorist traffic, not all of this information may be
stored on the hard drive. Information held solely in RAM (running processes, open network
connections, logged-on users, decrypted keys, unsaved documents) is lost if it is not
recovered before the machine is powered down. This creates the need to collect volatile
data at the onset of the response, in order of volatility as described in RFC 3227: CPU
registers and caches first, then memory, network state and running processes, and only
then the disk. A full memory capture should be taken with a dedicated acquisition tool
and hashed on collection, and every command run on the live system should be logged,
since each one alters the very state being collected.

Q58)Write down the procedure to prepare report of search and seizing


data?

Searching and Seizing the Digital Evidence

• The first step in searching and seizing digital evidence is to know and understand what
should be searched for and seized. Secondly, cyber crime investigators and law enforcement
officers must have a warrant to search that covers the location and description of the
system. Thirdly, the digital evidence must be properly seized once it is located.

• When speaking about searching or seizing computers, we do not refer to the CPU (Central
Processing Unit) only; a computer is useless without the devices that allow for input (e.g.
the keyboard or the mouse) and output (e.g. a monitor or printer) of information. These
devices are known as "peripherals", and they are an integral part of any computer system:
the input/output units and auxiliary storage units of a computer system, attached by cables
to the central processing unit.

• Thus, searching and seizing the Digital Evidence in computers will often
refer to the hardware, software, and data contained in the main unit.
Printers, external modems (attached by cable to the main unit), monitors,
and other external attachments will be referred to collectively as
"peripherals" and discussed individually where appropriate. When we are
referring to both the computer and all attached peripherals as one huge
package, we will use the term "computer system." "Information" refers to
all the information on a computer system, including both software
applications and data.

• Software is the term used to describe all of the programs we use when we employ the
computer for some task; it was traditionally delivered on magnetic disks or CD-ROMs and is
now more often downloaded. There are two basic categories of software: system software and
application software. System software consists of the programs that manage the operation of
the computer, while application software consists of the programs that allow us to work on
higher-level tasks. All of it forms part of the evidence searched.

• Hardware searches are not conceptually difficult. Like searching for weapons, the items
sought are tangible: they occupy physical space and can be moved in familiar ways. Searches
for data and software are far more complex. For purposes of clarity, these searches must be
examined in two distinct groups: (1) searches where the information sought is on the
computer at the search scene, and (2) searches where the information sought has been stored
off-site (today, typically in a cloud service), and the computer at the search scene is only
used to access that off-site location.

• When investigators are dealing with smaller networks, desktop PCs and workstations, an
attempt to justify taking the whole system should be based on the following criteria: when
an entire organization is pervasively involved in an ongoing criminal scheme with little
legitimate business (in non-essential services), and evidence of the crime is clearly present
throughout the network, seizure of the entire system might be proper.

Q59)What is firewall? How it is useful in digital forensics?


A firewall is a system that enforces the security of a private network. Firewalls block
unauthorized access to or from private networks and are often employed to prevent
unauthorized web users or illicit software from gaining access to private networks connected
to the Internet. A firewall may be implemented using hardware, software, or a combination of
both.

You will need to conduct a forensic analysis using your firewall logs at some point. The
underlying objective of a forensic analysis is to determine what happened and to establish
facts that can be used in court. If you have never reviewed the firewall logs before, this can
be a costly and almost insurmountable process, because you have no baseline of what is and is
not a normal event for that firewall. Reviewing the logs routinely, centralising them on a
host the firewall cannot write to, and synchronising clocks (NTP) across the firewall and the
log collector are what make the logs usable as evidence later.

Q60)Write down the procedure to secure the firewall?

• An important result of performing a forensic analysis is to use that information to
determine what needs to be done in the future to secure the firewall. As you identify what
transpired and how the incident occurred, use that information to identify flaws in both the
written security policy of the organization and the actual firewall policy and ruleset. For
example, if an attacker was able to compromise a resource on a DMZ segment and then use that
resource to gain access to the firewall, that is a good indication that access to the
firewall's management interface from that resource (or from the entire DMZ) should not be
permitted: management access should be restricted to a dedicated administrative network, and
the DMZ-to-firewall rule should log and deny.
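The review described in Q59 and Q60, run over sample firewall log lines as an added example
(not code from these notes): the lines are constructed in iptables LOG format with RFC 5737
documentation addresses, and the DMZ range, the firewall's own address and the management
ports are assumptions that a real review would take from the ruleset. The block builds the
baseline of who talks to the firewall, flags the DMZ host that reached a management port,
and prints the iptables change the finding implies.

```python
"""Forensic review of firewall logs: find DMZ hosts that reached the firewall itself.

Added example, not part of the original notes. The log lines, addresses and
interfaces are constructed (RFC 5737 documentation prefixes) in iptables LOG
format; the DMZ range, the firewall's address and the management ports are
assumptions a real review would take from the ruleset.
"""
import ipaddress
import re
from collections import Counter

DMZ = ipaddress.ip_network("192.0.2.0/24")        # assumed DMZ segment
FIREWALL_ADDRS = {"203.0.113.1"}                   # assumed firewall interface address
MGMT_PORTS = {22, 443}                             # assumed SSH / web admin ports

LOG_RE = re.compile(
    r"^(?P<ts>\S+\s+\d+\s+[\d:]+) (?P<host>\S+) kernel: (?P<chain>[^:]+): "
    r"IN=(?P<iface>\S*) OUT=\S* SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\S+)(?: .*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Constructed sample: two admin logins, normal DMZ web/DNS traffic, then the
# DMZ web server opening SSH to the firewall and pinging it.
SAMPLE_LOG = """\
Mar 13 10:01:02 fw kernel: FW-ACCEPT: IN=eth0 OUT= SRC=10.0.0.5 DST=203.0.113.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=50122 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 13 10:05:40 fw kernel: FW-ACCEPT: IN=eth0 OUT= SRC=10.0.0.5 DST=203.0.113.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=50130 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 13 10:07:11 fw kernel: FW-FORWARD: IN=eth2 OUT=eth1 SRC=198.51.100.77 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=41000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 13 10:07:12 fw kernel: FW-FORWARD: IN=eth1 OUT=eth2 SRC=192.0.2.10 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=UDP SPT=53311 DPT=53 LEN=40
Mar 13 10:09:58 fw kernel: FW-ACCEPT: IN=eth1 OUT= SRC=192.0.2.10 DST=203.0.113.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=38000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 13 10:10:03 fw kernel: FW-ACCEPT: IN=eth1 OUT= SRC=192.0.2.10 DST=203.0.113.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=ICMP TYPE=8 CODE=0 ID=100 SEQ=1
"""


def parse(line: str):
    """One log line to a dict, or None for lines that are not firewall events."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["dpt"] = int(e["dpt"]) if e["dpt"] else None
    return e


def events(log: str) -> list:
    return [e for e in map(parse, log.splitlines()) if e]


def firewall_access_baseline(log: str) -> Counter:
    """Who talks to the firewall's own addresses, and on which port. Reviewed
    routinely, this is the baseline that makes an anomaly recognisable later."""
    c = Counter()
    for e in events(log):
        if e["dst"] in FIREWALL_ADDRS:
            c[(e["src"], e["proto"], e["dpt"])] += 1
    return c


def dmz_to_firewall(log: str) -> list:
    """Connections from the DMZ to a management port on the firewall: the
    pattern described in Q60, which should never be permitted."""
    return [e for e in events(log)
            if ipaddress.ip_address(e["src"]) in DMZ
            and e["dst"] in FIREWALL_ADDRS
            and e["dpt"] in MGMT_PORTS]


def deny_rule(iface: str = "eth1") -> str:
    """The ruleset change the finding implies (iptables syntax): log, then drop
    DMZ traffic to the management ports, inserted ahead of any accept rule."""
    ports = ",".join(str(p) for p in sorted(MGMT_PORTS))
    return (f"iptables -I INPUT -i {iface} -s {DMZ} -p tcp -m multiport --dports {ports} "
            f"-j LOG --log-prefix 'FW-DMZ-MGMT: '\n"
            f"iptables -I INPUT 2 -i {iface} -s {DMZ} -p tcp -m multiport --dports {ports} -j DROP")


if __name__ == "__main__":
    for hit in dmz_to_firewall(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dpt']} via {hit['iface']}")
    print(deny_rule())
```

The ICMP line from the DMZ host is parsed but not flagged: it is the kind of event the
baseline surfaces as unusual for later judgement, whereas the SSH connection is a ruleset
violation on its own.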

Q61)What is database forensics?

Database forensics is the branch of digital forensics concerned with the forensic
examination of databases and their related metadata: the stored data, transaction and redo
logs, cached pages and audit trails that show what was read, changed or deleted and by whom.
As with any forensic work, the findings are only as good as the report that presents them.
Through experience of writing a vast number of forensic reports, using these reports to
refresh recollections during criminal trials, and training numerous employees new to the
field of computer forensics, practitioners have developed report-writing guidelines. These
embody general principles that should be followed to ensure your organization can exceed
expectations with its investigative reports.

Q62)Explain the process of vulnerability assessments against the database?

Database security is the system, processes, and procedures that protect a


database from unintended activity. Unintended activity can be categorized as
authenticated misuse, malicious attacks or inadvertent mistakes made by
authorized individuals or processes. Database security is also a specialty within
the broader discipline of computer security.

Databases provide many layers and types of information security, typically specified in the
data dictionary, including:

• Access control

• Auditing

• Authentication

• Encryption

• Integrity controls

A vulnerability assessment checks each of these layers against the configuration actually
deployed: built-in accounts with default or blank passwords, missing vendor patches,
application accounts granted more privileges than their queries need, listeners reachable
from untrusted networks, auditing switched off, and connections or storage that are not
encrypted.

Q63)Explain the process of testing SQL injection vulnerabilities?

• SQL injection attacks pose tremendous risks to web applications that depend upon a
database backend to generate dynamic content. In this type of attack, an attacker manipulates
input to the web application so that their own SQL is injected into the commands the
application issues to the database. For an example of the attack itself, see the article
"SQL Injection Attacks on Databases". Below are several ways to test whether a web
application is vulnerable to SQL injection.

• Automated SQL injection scanning: run a scanner against every parameter (query string,
form fields, cookies, headers) and review its findings rather than trusting them blindly.

• Manual SQL injection tests: submit a single quote ('), a comment sequence (-- or #), and
tautologies such as ' OR '1'='1 in each input and observe whether the application's
behaviour or the returned data changes.

• Evaluating the results: a page that returns more rows than it should, or logs a user in
without a valid password, indicates that the input reached the query unescaped.

• Internal server error: an HTTP 500 or a raw database error message in response to a stray
quote is the classic sign that the quote broke the query syntax, and often leaks the
database type and the query structure.
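The manual tests and their evaluation, as an added example (not code from these notes or
from the article they cite): a constructed sqlite3 users table stands in for the web
application's backend, `login_vulnerable()` is the deliberately broken concatenated query
and `login_safe()` the parameterised fix, and the user names, passwords and payloads are all
made up for illustration.

```python
"""Manual SQL injection tests run against a constructed sqlite3 login table.

Added example, not code from the original notes. The schema, the two sample
users and the payloads are constructed for illustration; login_vulnerable() is
the deliberately broken form and login_safe() the parameterised fix.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory users table standing in for a web application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """The 'before' form: user input concatenated straight into the statement."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username: str, password: str) -> list:
    """The fix: bound parameters, so the driver never lets input reach the parser."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def probe(login, conn, username: str, password: str) -> tuple:
    """One manual test. Returns ('error', <exception>) when the input broke the
    query syntax (the 'internal server error' signal) or ('rows', n) otherwise."""
    try:
        rows = login(conn, username, password)
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)
    return ("rows", len(rows))


# Payloads a tester submits by hand, with the effect each is meant to reveal.
PAYLOADS = {
    "stray quote":      ("alice'", "x"),             # syntax error: input reached the parser
    "tautology in pw":  ("alice", "' OR '1'='1"),    # more rows than a real login
    "comment in user":  ("' OR 1=1 --", "x"),        # comments out the password check
    "legitimate login": ("alice", "correct horse"),  # control case: exactly one row
}


def run_manual_tests(login, conn) -> dict:
    """Run every payload through one login implementation and collect the results."""
    return {name: probe(login, conn, u, p) for name, (u, p) in PAYLOADS.items()}


def evaluate(results: dict) -> bool:
    """Evaluating the results: vulnerable if any probe errored or returned more
    rows than the single control login did."""
    control = results["legitimate login"]
    return any(
        r[0] == "error" or (r[0] == "rows" and r[1] > control[1])
        for name, r in results.items() if name != "legitimate login"
    )


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", login_vulnerable), ("safe", login_safe)):
        res = run_manual_tests(fn, db)
        print(name, "->", "VULNERABLE" if evaluate(res) else "not vulnerable", res)
```

The tautology placed in the password field is the more reliable manual test than the same
string in the user name: AND binds tighter than OR, so `'' OR '1'='1' AND password = 'x'`
still fails the password check, while `password = '' OR '1'='1'` returns every row.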

Q64)Explain in detail all types of digital frauds?

• Digital fraud or computer crime refers to a criminal activity where a computer, laptop,
network or other such digital device is utilized for any criminal purpose. A digital device
such as a computer or cell phone can be a significant source of evidence, even if it was not
used directly for the criminal activity. In some ways a computer is like a constantly running
video camera: an experienced computer forensics investigator can extract digital evidence
which shows e-mails, pictures, deleted files, instant messages and much more, all with time
and date history.

Q66)Explain Desktop Forgery?

Q67)Explain Misuse of computer time?

Q68)Explain spoofing in mobile frauds?

Q69)Explain in detail the process of cell phone tracking?

• Mobile phone tracking determines the current position of a mobile phone, even while it is
moving. To be located, the phone only has to be registered on the network and exchanging
signalling traffic with a nearby base station; the process does not require an active call.
In GSM the coarsest fix is the identity of the serving cell (and sector), refined with the
timing advance the base station assigns, which is a measure of distance from the tower;
finer localisation is done by multilateration from the signal strength or timing measured
at several nearby antenna masts.

• Mobile positioning, i.e. a location-based service that discloses the actual coordinates of
a mobile phone bearer, is a technology used by telecommunication companies to approximate
where a mobile phone, and thereby also its user (bearer), temporarily resides. The more
properly applied term locating refers to the purpose rather than the positioning process.
Such a service is offered as an option in the class of location-based services (LBS).

Q70) Write a short note on Network based techniques?

Network-based techniques utilize the service provider's network infrastructure to identify
the location of the handset. The advantage of network-based techniques is that they can be
implemented non-intrusively, without affecting the handsets, and without the user's
cooperation or knowledge, which is why their use by investigators requires legal authority.
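The multilateration step from Q69 and Q70, worked through as an added example (not code
from these notes or from any operator's system): per-tower distances are estimated from
received signal strength with a log-distance path-loss model and a handset position is
solved by least squares from three or more towers, which is the general form of the
signal-strength localisation the notes describe. The tower grid, the path-loss parameters
and the handset position in the usage are all constructed.

```python
"""Multilateration of a handset from per-tower distance estimates.

Added example, not from the original notes. Tower coordinates (metres on a
local grid), the path-loss parameters and the handset position used in the
usage are constructed; the least-squares solution is the general method of
which the notes' signal-strength localisation is one instance.
"""
import math

# Constructed base-station grid, metres on a local plane.
TOWERS = [(0.0, 0.0), (1000.0, 0.0), (0.0, 1000.0), (1000.0, 1000.0)]


def rssi_to_distance(rssi_dbm: float, p0_dbm: float = -40.0,
                     d0: float = 1.0, n: float = 3.0) -> float:
    """Log-distance path-loss model: RSSI = P0 - 10*n*log10(d/d0).
    P0 is the received power at reference distance d0 and n the path-loss
    exponent (2 in free space, 3 to 4 in urban areas); all assumed values."""
    return d0 * 10 ** ((p0_dbm - rssi_dbm) / (10 * n))


def simulated_rssi(towers: list, pos: tuple, p0_dbm: float = -40.0,
                   d0: float = 1.0, n: float = 3.0) -> list:
    """Constructed readings: what a handset at pos would report for each tower
    under the same model (a noise-free stand-in for real measurement reports)."""
    return [p0_dbm - 10 * n * math.log10(math.hypot(x - pos[0], y - pos[1]) / d0)
            for x, y in towers]


def multilaterate(towers: list, distances: list) -> tuple:
    """Least-squares (x, y) from three or more towers and their distance estimates.

    Each tower i gives a circle (x-xi)^2 + (y-yi)^2 = di^2. Subtracting the last
    tower's equation from every other one cancels the squared unknowns and
    leaves the linear system 2(xn-xi)x + 2(yn-yi)y = di^2 - dn^2 - xi^2 - yi^2
    + xn^2 + yn^2, solved through the 2x2 normal equations with Cramer's rule so
    that redundant towers average out measurement noise.
    """
    if len(towers) < 3 or len(towers) != len(distances):
        raise ValueError("need at least three towers with one distance each")
    xn, yn = towers[-1]
    dn = distances[-1]
    rows = []
    for (xi, yi), di in zip(towers[:-1], distances[:-1]):
        a = (2 * (xn - xi), 2 * (yn - yi))
        b = di ** 2 - dn ** 2 - xi ** 2 - yi ** 2 + xn ** 2 + yn ** 2
        rows.append((a, b))
    a11 = sum(a[0] * a[0] for a, _ in rows)
    a12 = sum(a[0] * a[1] for a, _ in rows)
    a22 = sum(a[1] * a[1] for a, _ in rows)
    b1 = sum(a[0] * b for a, b in rows)
    b2 = sum(a[1] * b for a, b in rows)
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        raise ValueError("towers are collinear: position is ambiguous")
    return ((b1 * a22 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)


def locate_from_rssi(towers: list, rssi_dbm: list, **model) -> tuple:
    """Full pipeline: RSSI readings -> distance estimates -> position."""
    return multilaterate(towers, [rssi_to_distance(r, **model) for r in rssi_dbm])


if __name__ == "__main__":
    readings = simulated_rssi(TOWERS, (300.0, 400.0))
    print(locate_from_rssi(TOWERS, readings))
```

Signal-strength ranging is coarse in practice because the path-loss exponent varies with
terrain and buildings, so operators combine it with Cell-ID, sector and timing advance; the
least-squares form above is what lets the extra towers reduce that error rather than add
to it, and it refuses to answer when all towers lie on one line, since two mirror-image
positions then fit the data equally well.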

Q71)Explain the process of recovering your stolen mobile using IMEI number?

Your cell phone operator or the police can help you find it, provided you give them the IMEI
number of your mobile phone. The IMEI (International Mobile Equipment Identity) is the
handset's fingerprint and is what allows a lost phone to be traced. Here is how you can find
the IMEI number of your phone: dial *#06# and the phone will display a 15-digit number. Note
this number down before the phone is lost; it is usually also printed on the retail box. With
the IMEI the operator can blacklist the handset in the network's Equipment Identity Register
so that it can no longer register, whichever SIM is inserted, and can report where it was
last seen.

The IMEI number gets logged on to the SIM card and a cellular operator can locate the area
from where a call is made, says Jagdish Kini, CEO, Bharati Mobile Services.

Q72)Explain the steps involved in finding out the lost or stolen mobile
phone?

Here are steps on how to find a stolen or lost phone.

• Call the number of the phone. If the person who has the phone answers it, explain to them
that you know the phone was stolen, that you know their name and address, and that you will
report them to the police if the phone is not returned. (Do this even if you do not know the
thief's name and address.)

• Call your cell phone company and let them know your phone has been stolen. They can cut off
service, blacklist the IMEI so the handset cannot register on the network, and track calls
and other actions performed on the phone.

• Contact the police and report that the phone has been stolen, giving them the IMEI number.

• Hire a cyber security professional or independent security consultant to help you find
your stolen phone. There are people who have the skills and techniques for finding lost or
stolen phones.

• Configure the phone to e-mail you when the SIM card has been changed or when any other
changes have been made to the phone. You can do this when you first buy the phone, so that
when the thief tries to make changes you are notified via e-mail.

• Use a GPS tracking system (a remote-locate and remote-wipe service) with your phone.

Q73) Write a short note on dos and donts for mobile no?

• Don'ts:

• Do not take photographs of anybody without his/her permission using your mobile phone,
because you could invade their privacy.

• Do not send obscene/pornographic text or images through SMS or MMS.

• Do not receive or reply to any SMS/MMS from strangers.

• Do not transmit obscene/pornographic material, as it is an offence under Section 67 of the
IT Act 2000, for which the punishment is up to 5 years' imprisonment and a fine of up to 1
lakh rupees.

• Do not call any unknown phone/mobile numbers that you get while chatting or that are
exhibited on various profiles on the Internet. If you do, you may be causing harassment on
behalf of another person.

• Do not keep your Bluetooth option switched on all the time, because you may receive
unwanted viruses or obscene/pornographic text and images.

• Do not give your mobile number to any stranger while chatting on the Internet, in order to
avoid "cyber stalking".

• Do not sell or buy a mobile phone through any unauthorized dealer.

• Do's:

• Always keep a record of your IMEI number.

• Never purchase any mobile handset without an IMEI number.

• Set a security PIN code on your mobile handset to avoid misuse of your phone by anybody.

• SMS/MMS received should be checked properly before opening.

• Delete obscene/pornographic text, images and SMS/MMS from your mobile phone.

• Always use updated anti-virus software on the mobile phone.

Q74)Explain the process of how to take a Complaint from victim?

Law & Order

• These are the steps involved in taking a complaint from a victim at any police station in
the case of a lost or stolen mobile phone:

• Take the name of the mobile phone owner.

• Take the residential address of the victim.

• Take the address or the location from where the mobile was lost or stolen.

• Take the IMEI number of the mobile phone.

• Take the name and phone number of the lost or stolen phone's service provider (Airtel,
Vodafone, Idea, Aircel, etc.).

• Note the handset model along with any specifications such as colour, marks or anything
else about the mobile that helps the investigation.

• Send a request for support to the service provider in order to track or block the mobile
or its services.

• Send a request for support to the mobile phone manufacturer's customer service for that
country in order to block and track the handset.

Q75)Explain in detail the four general areas of the disk where evidence
might hide?

• Slack space (the unused tail of the last cluster allocated to a file, which still holds
whatever was written there before)

• Unallocated, or free, space (clusters not currently assigned to any file, where deleted
files persist until they are overwritten)

• Swap files (pagefile.sys on Windows, or a swap partition, holding pages of RAM written to
disk)

• Cache files (browser and application caches)

All four of these areas are subject to contamination if proper procedures are not followed.
As a general rule, there are four specific criteria for forensic analysis:

• The tools you use to collect the evidence

• The techniques you use to collect the evidence

• The tools you use to analyze the evidence

• The techniques you use to analyze the evidence

Additionally, there are some specific criteria for the selection of your forensic tool kit:

• They must not alter the data as a side effect of the collection process.

• They must collect all of the data we want, and only the data we want.

• We must be able to establish that they worked properly, i.e. as advertised.

• They must be generally accepted by the computer forensic investigative community.

• The results produced must be repeatable.

Q76)Explain the process of marking digital evidence?

Q77) Write a short note on CRCMD5?

Q78) Write a short note on Sealing evidence?

Q79)Explain the four modes of operation on SafeBack?

Q80)How data is recovered after physical damage?

Q81)What is data carving?


File carving is a well known computer forensics term used to describe the identification and
extraction of files from unallocated clusters using file signatures alone, without help from
filesystem metadata. A file signature, also commonly referred to as a magic number, is a
constant numerical or text value used to identify a file format; many formats also have a
known trailer (for example the IEND chunk that closes a PNG) that marks where the file ends.
The object of carving is to identify and extract (carve) the file from its header to its
trailer, or to a configured maximum size where no trailer exists. Because the file system no
longer says where a deleted file's clusters were, carving recovers fragmented files only
partially, and the carved output should be hashed and recorded like any other evidence.
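The carving pass described here, and the file-carving step of the physical extraction in
Q54, as an added example (not code from these notes, scalpel or foremost): the
"unallocated space" is built in memory from 4096-byte clusters holding a JPEG skeleton, a
PNG skeleton and a GIF whose tail has been overwritten, and the signature table, cluster
size and maximum carve size are assumptions.

```python
"""Signature-based file carving over constructed unallocated space.

Added example, not from the original notes. The "unallocated clusters" below
are built in memory (4096-byte clusters, zero filler, a complete JPEG and PNG
skeleton and a GIF whose tail was overwritten); the signature table is the
same header/trailer idea used by tools such as scalpel and foremost.
"""
import hashlib

CLUSTER = 4096                    # assumed allocation unit of the source volume
MAX_CARVE = 10 * 1024 * 1024      # assumed ceiling when a trailer is never found

# file type -> (header signature, trailer signature)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "gif": (b"GIF89a", b"\x00;"),
}

# Constructed file skeletons: valid signatures, meaningless bodies.
JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 200 + b"\xff\xd9"
PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + bytes(17)
       + b"\x00\x00\x00\x00IEND\xaeB`\x82")
GIF_TRUNCATED = b"GIF89a" + b"\x22" * 50          # trailer overwritten: no "\x00;"


def build_unallocated_space() -> bytes:
    """Eight clusters of constructed free space: JPEG in cluster 1, PNG in
    cluster 3, truncated GIF in cluster 6, everything else zero-filled."""
    space = bytearray(8 * CLUSTER)
    for cluster, data in ((1, JPG), (3, PNG), (6, GIF_TRUNCATED)):
        space[cluster * CLUSTER:cluster * CLUSTER + len(data)] = data
    return bytes(space)


def carve(image: bytes, signatures=SIGNATURES, max_carve: int = MAX_CARVE) -> list:
    """Scan the whole byte range for every header; carve from each header to the
    next trailer of that type, or record an incomplete hit when none turns up
    within max_carve bytes. Nothing from the file system is consulted."""
    hits = []
    for ftype, (header, trailer) in signatures.items():
        pos = 0
        while (h := image.find(header, pos)) != -1:
            hit = {"type": ftype, "offset": h, "size": None, "data": None,
                   "complete": False,
                   # real files start on a cluster boundary; a header that does
                   # not is usually an embedded thumbnail or random noise
                   "cluster_aligned": h % CLUSTER == 0}
            t = image.find(trailer, h + len(header), h + max_carve)
            if t == -1:
                hits.append(hit)
                pos = h + len(header)
                continue
            data = image[h:t + len(trailer)]
            hit.update(size=len(data), data=data, complete=True,
                       sha256=hashlib.sha256(data).hexdigest())
            hits.append(hit)
            pos = t + len(trailer)
    return sorted(hits, key=lambda r: r["offset"])


if __name__ == "__main__":
    for hit in carve(build_unallocated_space()):
        status = f"{hit['size']} bytes {hit.get('sha256')}" if hit["complete"] else "incomplete"
        print(f"{hit['type']} @ {hit['offset']:#x} aligned={hit['cluster_aligned']} {status}")
```

The truncated GIF shows the limit the note describes: the header proves a GIF was there,
but with its trailer overwritten the carver can only report the offset, or dump a
fixed-size block for manual inspection. A trailer byte sequence can also occur inside the
body of a file of the same type (`\xff\xd9` inside JPEG data is common), which is why
production carvers validate the structure of what they carve rather than stopping at the
first match.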

Q82)Where does evidence reside on windows system?

Evidence can be found in the following areas:

• Volatile data in kernel structures

• Slack space, where you can obtain information from previously deleted files that the file
system itself can no longer recover

• Free or unallocated space, where you can obtain previously deleted files, including
damaged or inaccessible clusters

• The logical file system

• The event logs

• The Registry, which you should think of as an enormous log file

• Application logs not managed by the Windows Event Log Service

• The swap file, which harbors information that was recently located in system RAM (named
pagefile.sys in the root of the system drive; hiberfil.sys holds a full memory image on
machines that have hibernated)

• Special application-level files, such as Internet Explorer's history files (index.dat on
older versions, the WebCacheV01.dat database on IE10 and later), Netscape's fat.db, the
history.hst file, and the browser cache

• Temporary files created by many applications

• The Recycle Bin (a hidden, logical file structure where recently deleted items can be
found)

• The printer spool

• Sent or received e-mail, such as the .pst files for Outlook mail

Q83)Explain in detail different log types of event viewer?

Q86)What are the event log drawback?

• On Windows NT and 2000 the default Security event log settings were to log nothing at all,
so by default those systems did not log successful logons, file accesses, shutdowns, and
many other important events, which can make investigating them a challenge. Windows Vista
and later ship with a default audit policy that does record logon events (for example event
ID 4624 for a successful logon), but file access auditing is still off until a SACL is set
on the object. Another difficulty with the classic Event Viewer is that it shows only a
single record at a time, which makes reviewing Windows logs time-consuming; on current
versions, filter the log or export it and review it with wevtutil or Get-WinEvent instead.

• A more perplexing and serious drawback of the legacy logs is that they record only the
source NetBIOS name, rather than the IP address of the remote system, which makes conclusive
identification of remote connections impossible using the event logs alone. Modern logon
events include a Source Network Address field, but it is blank or "-" for local and some
service logons, so correlate with firewall or DHCP logs where the address matters.

• The legacy default settings restrict each log file to a maximum size of 512 KB and a
retention of seven days. When the fixed size is reached, the log file is closed and must be
cleared before logging to that log can resume, so an attacker could simply fill the log.
These options are set per log (Security, Application and System) in the Log Settings menu;
on current versions the defaults are much larger and the log overwrites the oldest events
as needed, but the size should still be raised on any host whose logs matter and the logs
forwarded to a collector the attacker cannot reach.

• One of the drawbacks of reviewing system logs offline is that the logs populate the
Description field using message strings from various dynamically linked library (DLL)
files. This should not affect offline review of the Security log, since its messages are
standard, but the Application log may contain entries that do not have the proper
description text corresponding to the event ID an application generated. Unless the
forensic workstation you use has the exact applications installed as the evidence system,
you will be missing much of the explanatory data in the Application log, as shown below.

Q87)Explain the procedure of reviewing IIS logs with example?

Q88)Explain in detail the four ways to recover deleted data?

Q89)What are administrative shares?

• Windows uses the term share to refer to any file or folder that is accessible over a
network through Windows networking (SMB). A user can share a directory with any other user
who has the authority to connect to that user's system. Sharing a folder with remote systems
is simple: select a directory you wish to share, right-click it, and choose Sharing from the
pop-up menu. An icon of a hand underneath a folder (a small "shared" overlay on current
versions) means that the directory is shared with remote users who have the proper
credentials to log on to that share.

• It would seem that a user who decides not to share a folder is not creating an access
point for attackers. However, this is not the case. Windows systems have administrative
shares, which are shares that are automatically offered to remote users after each boot.
These administrative shares are considered hidden shares, and they all have the $ character
appended to their names. Their being hidden provides a false sense of security;
realistically, attackers know what the hidden shares are. The most exploited share seems to
be IPC$ (used for null sessions and named-pipe access), and ADMIN$ maps to the Windows
directory, but each logical drive also becomes an administrative share (C$, D$, and so on).

• To remove these administrative shares permanently, a user needs to edit the Registry
(AutoShareWks for workstations, AutoShareServer for servers, under
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters), which the vast majority of
users are unprepared to do. Thus, many attackers scan for TCP port 139 (SMB over NetBIOS)
and 445 (direct SMB) on a system and then attempt to connect to the administrative shares.
Remember that if a remote user can authenticate as a member of the local Administrators
group and access any of the administrative shares, she will be able to access all the files
on that logical drive; this is also how tools such as PsExec push their service binary to
ADMIN$.

• Unless the volume is formatted with NTFS and auditing of File and Object Access events has
been enabled for the particular share, Windows will not log when files are accessed by a
remote user; the share connections themselves appear only as network logon events on the
target.
