
Part-A: Short Questions With Solutions

This document provides an introduction to cybercrime, including definitions and categories. It discusses how the growth of internet connectivity has enabled criminal activity online. Cybercrime involves using computers to steal information, hack systems, or cause other harm. Cybercrimes are divided into advanced/high-tech crimes against computer systems and cyber-enabled crimes against individuals like fraud and harassment. The document also provides sample questions and answers about cybercrime and digital forensics. Key aspects covered include defining hacking and viruses, how computers can help solve crimes, and the preparation and investigation phases of incident response.

Uploaded by harika kolli

UNIT-I: INTRODUCTION OF CYBERCRIME, DIGITAL FORENSICS AND INCIDENT RESPONSE METHODOLOGY

PART-A
SHORT QUESTIONS WITH SOLUTIONS
Q1. Write a short note on cyber crime.

Answer : Model Paper-II, Q1(a)

The advent of internet connectivity on a global scale has enabled millions of users to connect via computer. Many users may misuse the network by performing illegal activity on the computer that targets the security of the system and its data. Such activity is termed as cyber crime.

A cyber crime can be defined as a criminal activity carried out using a computer. Criminals make use of computer technology in order to steal the personal information of users, business trade secrets, or for other malicious purposes. They obtain this information by hacking, spamming and phishing. Apart from this, the illegal person also uses computers for communication, document or data storage purposes.

Q2. Define the term hacking.

Answer :

The term "hacking" refers to a process of entering into a computer system or network by breaking the authentication with some unauthorized techniques. The people who perform hacking are known as hackers. Hackers are sometimes called crackers because they illegally gain access rights over the computer(s) in a network without the owner's consent. These hackers can reconfigure or reprogram a system, insert viruses, steal data, destroy the database or completely vandalize a system. The hackers and the hacking techniques have evolved over time with the growth in electronic media. Such criminals can gain entry into any system from anywhere, provided that the targeted system is connected to the Internet.
Q3. Write in brief about virus.

Model Paper-I, Q1(a)

Answer :

A virus is a software program that replicates itself and infects another computer without the knowledge of the user. The computer virus gets its name from the biological virus. To replicate itself, a virus must execute code and should be written to memory. For this reason, many viruses attach themselves to executable files that are part of an authentic program.

A virus propagates by transmitting itself across the network and bypassing the security system. Viruses are otherwise said to be in the dormant phase (idle) until certain events cause their code to be executed. A virus also propagates from one system to another when its host is taken to an uninfected system. They are transmitted as attachments in an e-mail message or in a downloaded file.

Q4. List some of the examples of how computers are helpful in crime scenarios.

Model Paper-II, Q1(c)

Answer :

Some of the examples of how computers are helpful in crime scenarios are as follows,

1. The witness of the crime can view the suspect's image on the screen by means of computers.

2. Fingerprints of a person can be taken with the help of computers to check whether the person is related to past crimes.

3. By using computers, simulations or duplications can be performed.



COMPUTER FORENSICS [JNTU-HYDERABAD]
4. In traffic junctions, computers are used to identify the Vehicle Identification Number (VIN), whether the car is stolen, etc., so in such cases the person can be arrested immediately.

SPECTRUM ALL-IN-ONE JOURNAL FOR ENGINEERING STUDENTS SIA GROUP


Q5. Discuss the preparation stage of incident response.

Model Paper-III

Answer :

In the preparation stage, the team's role is to create a formal incident response capability. In doing so, they develop an incident response process which represents the organizational structure. It shows the roles and responsibilities for developing procedures with detailed guidance so as to address the incident appropriately. This is made possible by selecting the right and skillful persons. These persons hold the capability to define the criteria for declaring an incident. In addition to this, they also select the proper tools for managing the incident. Subsequently, they also define the generated report and the point of contact, i.e., whom to approach for the discussion. More importantly, this step is a fundamental and crucial one where the team assures that each and every action is known and well coordinated. Apart from this, teams that prepare extensively can minimize the potential damage by facilitating quick and effective actions.

Q6. List the seven major components of incident response methodology.

Model Paper-I, Q1

Answer :

The following are the seven major components of incident response methodology,

1. Pre-incident preparation
2. Detection of incidents
3. Initial response
4. Formulate response strategy
5. Investigate the incident
6. Reporting
7. Resolution.

Q7. List the considerations of organizations for the preparation of incident detection.

Answer :

A typical preparation of an organization includes,

(i) Employ host-based security actions.
(ii) Employ network-based security procedures.
(iii) Conduct training for end users.
(iv) Ensure that the intrusion detection system is functional.



(v) Develop strong access control.
(vi) Carry out timely vulnerability assessments.
(vii) Secure the backups to be used on a regular basis.

Q8. Discuss the data collection phase of incident investigation.

Answer : Model Paper-II, Q1(b)

The process of gathering facts and clues that are required during your forensic analysis is referred to as data collection. This phase involves various forensic challenges, which are as follows,

1. The electronic data must be gathered in a forensically sound way.
2. The storage capacity of the computer cannot be increased.
3. The collected data must be handled in such a way that it secures the integrity of the data.
PART-B
ESSAY QUESTIONS WITH SOLUTIONS

1.1 INTRODUCTION OF CYBERCRIME: TYPES

Q9. Define cyber crime. Explain the categories of it.

Answer :

Model Paper-I, Q2(a)

Cyber Crime

The advent of internet connectivity on a global scale has enabled millions of users to connect via computer. Many users may misuse the network by performing illegal activity on the computer that targets the security of the system and its data. Such activity is termed as cyber crime.

A cyber crime can be defined as a criminal activity carried out using a computer. Criminals make use of computer technology in order to steal the personal information of users, business trade secrets, or for other malicious purposes. They obtain this information by hacking, spamming and phishing. Apart from this, the illegal person also uses computers for communication, document or data storage purposes.

According to law enforcement agencies, internet-related crimes are divided into two types, which are as follows,

1. Advanced Cybercrime/High-tech Crime: It refers to the crimes or attacks against computer hardware and software.

2. Cyber-enabled Crime: It refers to crimes against youngsters, monetary crimes and acts of terrorism.

Cybercrimes have a huge impact on government, businesses and the general public. By employing digital forensic tools one

computer's must be maximized by uninstalling old software, deleting temporary files, removing registry errors and so on. As computer crimes are constantly growing, the tools that are required to reduce them should be developed rapidly.

Categories of Cyber Crime

Cyber crimes can be divided into five major categories,

1. Cyber Crime against Person: The crimes under this category include e-mail spoofing, online frauds, spamming, cyber defamation and computer sabotage. Cyber harassment is one of the major cyber crimes, which includes sexual harassment, social harassment, religious harassment etc.

2. Cyber Crime against Property: The crimes under this category include computer vandalism and the download of harmful programs. Apart from this, it also includes credit card frauds, intellectual property crimes (IPR) such as software piracy, copyright infringement, violation of trademarks and Internet time theft.

3. Cyber Crime against Organization: The crimes under this category include hacking, password sniffing, denial of service attacks, logic bombs, data diddling, Trojan horses, salami attacks, distribution of pirated software, intrusions in computer networks, virus attacks and e-mail bombing. One distinct type of crime in this category is cyber terrorism against government organizations.

4. Cyber Crime against Society: The crimes under this category include child pornography, trafficking, financial crimes, distribution of illegal articles, online gambling, forgery, cyber terrorism and web-jacking.

5. Cyber Crime through Usenet Newsgroup: The crimes through Usenet newsgroups can be very harmful and inaccurate. Basically, Usenet groups offer very offensive and inappropriate materials and therefore, one should be very careful while using them.


Q10. Discuss briefly about the types of cyber crimes.

Model Paper-II

Answer :

The cybercrimes can be broadly classified into two types,

1. Violent or Potentially Violent Cybercrimes

It refers to the crimes that cause physical risk to people. Cyber terrorism, cyber stalking, assaults by threat and child pornography fall under this category of cyber crimes.

2. Non-violent Cybercrimes

It refers to the crimes that do not cause any physical risk to people but rather cause economic damage. Cyber theft, cyber trespass, cyber fraud and destructive cybercrimes fall under this category of cyber crimes.
Some of the other types of cyber crimes are as follows,

1. Hacking

The term "hacking" refers to a process of entering into a computer system or network by breaking the authentication with some unauthorized techniques. The people who perform hacking are known as hackers. Hackers are sometimes called crackers because they illegally gain access rights over the computer(s) in a network without the owner's consent. These hackers can reconfigure or reprogram a system, insert viruses, steal data, destroy the database or completely vandalize a system.

The hackers and the hacking techniques have evolved over time with the growth in electronic media. Such criminals can gain entry into any system from anywhere, provided that the targeted system is connected to the Internet.
2. Denial-of-Service (DoS) Attacks

This attack prevents the normal usage of various facilities provided by the system or network. It attacks some specific target within the system, due to which all the messages destined to it will be suppressed or destroyed. Also, it damages the entire system by overloading it with messages, which in turn disables the overall performance of the system.
3. Trojan Horses

A trojan horse can be defined as a computer program containing hidden code which results in harmful functioning on execution. These programs allow users to access information for which they are not authorized. Also, these programs can be modified when compared to other possible software programs.

Trojan horses allow attackers to access functions indirectly. Most of the trojan horse infections occur because the user is trapped into executing an infected malicious program. The important feature of a trojan horse is that it has all the capabilities and permissions of an authorized user. A trojan horse can either be a malicious or a non-malicious program.
4. Credit Card Frauds

Credit card frauds are the most simple and common form of fraud. It can be defined as an identity theft that includes unauthorized access to another person's credit card information, with the intent of performing purchases and removing funds. Credit card frauds can be categorized into two types,

(a) Application fraud
(b) Account takeover.

(a) Application Fraud: Application fraud refers to the unauthorized opening of credit card accounts in the name of some other person. These crimes are serious, and the victim may become aware of this very late.

(b) Account Takeover: Account takeover refers to the criminal hijacking of an existing credit card account. Here, the fraudster obtains enough personal information of the victim and changes the account's billing address. Then later, the fraudster may obtain a new card by reporting the card lost.
5. Child Pornography

Child pornography is an offense which involves teenagers in illegal pornographic activities. It is a visual depiction which includes,

(i) A computerized picture (of a child) that is sexually exploitative.
(ii) Any movie or pictures containing improper content which is unsuitable for a child to view.

The Internet has become a boom around the world where each and every individual is getting used to it. Day by day, broadband connections are reaching every city and village, due to which every major and minor is getting exploited. However, minors especially are getting trapped in the aggression of pedophiles. Pedophiles generally refer to people who psychologically or physically

6. Online Betting
Online betting is also referred to as online gambling or internet gambling. It is generally gambling over the internet, carried out on the multiple websites available over the internet.

7. Software Piracy

Software piracy refers to the stealing of software programs through illegitimate ways, i.e., copying genuine or original programs in violation of the law. Some of the examples of software piracy are as follows,

(a) End-user Copying: Friends share genuine software disks with each other.

(b) Hard Disk Loading with Illicit Means: Hard disk sellers copy pirated software onto the disk and sell it at much cheaper prices.

(c) Counterfeiting: Software is imitated on disks fraudulently and distributed.
8. E-mail Spoofing

E-mail spoofing is one of the most commonly performed cyber crimes. Spoofing is an activity in which cyber criminals perform alterations on the address of the sender and other parts of the message header. These modifications are done such that the e-mail appears to have originated from a different source.

9. Forgery/Falsification

Forgery can be defined as the creation of false documents or performing unnecessary alterations to an authentic document. Forgery is committed with the aim to cheat people.

There are certain criminals who forge money or currency, and such activities are generally called counterfeiting, which is done with the help of sophisticated computers, scanners and printers. It is possible to forge many entities, which may include students' mark sheets, degree certificates, revenue stamps etc.

10. Phishing

Phishing is pronounced as "fishing" and refers to a process in which victims suffer an attack wherein they are redirected to some other website when they click on a link. Such links are duplicates, and victims generally come across these problems while browsing the internet or through e-mails in the mailbox.

Some of the messages by which users face problems are as follows,

1. "Claim your lucky draw by clicking on the site below, www.claimdraw.com"

2. "Security breach: this is to hereby inform that, due to some security reasons, customers are requested to provide their account details by clicking on the site below, www.banking.com"

As shown in the above example, whenever the user clicks on the above websites, they are redirected to some duplicate website which resembles the original bank website.

Phishing attacks are usually executed by using URLs similar to the original website's URLs. Therefore, when the user enters their crucial information on the fake website, the attacker gains access to the user's sensitive information and misuses it.
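As an added example (not part of the original notes), the following Python check takes the defender's side of the point above: it reduces each link in a message to its domain, compares it against an allow-list of genuine domains and flags near-miss hosts and hosts that merely embed the genuine name. The trusted domain examplebank.com and the sample links are constructed for illustration, and the two-label registrable-domain rule is a simplifying assumption.

```python
from urllib.parse import urlsplit

# Constructed allow-list of the organisation's genuine domains (illustration only).
TRUSTED_DOMAINS = {"examplebank.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def hostname(url: str) -> str:
    """Lower-cased host of a URL ('' when the URL has no scheme/host)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(url: str) -> str:
    """Host reduced to its last two labels.
    Assumption: registrable domains have two labels (not true for e.g. .co.uk)."""
    return ".".join(hostname(url).split(".")[-2:])


def classify_link(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike', 'brand-embedded' or 'unknown'."""
    host = hostname(url)
    reg = registrable_domain(url)
    if reg in trusted:
        return "trusted"
    for genuine in trusted:
        # Near-miss of a genuine domain: examp1ebank.com, examplebank.co, ...
        if edit_distance(reg, genuine) <= 2:
            return "lookalike"
        # Genuine name used as a subdomain of an unrelated domain
        brand = genuine.split(".")[0]
        if brand in host:
            return "brand-embedded"
    return "unknown"


def scan_links(urls):
    """Classify every link; anything but 'trusted' deserves a closer look."""
    return {u: classify_link(u) for u in urls}


# Constructed sample links, modelled on the two messages quoted above.
SAMPLE_LINKS = [
    "https://examplebank.com/login",
    "https://examp1ebank.com/login",
    "https://examplebank.com.secure-login.example/verify",
    "http://www.claimdraw.com/",
]

if __name__ == "__main__":
    for url, verdict in scan_links(SAMPLE_LINKS).items():
        print(f"{verdict:15} {url}")
```

The check needs a full URL with a scheme; a bare "www.banking.com" yields an empty host and is reported as unknown rather than trusted.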

11. Cyber Terrorism

Cyber terrorism is the use of internet-based attacks in terrorist activities. It is a controversial term which is referred to as the deliberate usage of computer networks and the public internet in order to effect personal objectives by using tools such as computer viruses. These objectives may be political or ideological, in the form of terrorism.


12. Salami Attacks

It is a malicious program used to collect small amounts of information illegally and achieve a huge result. For example, small amounts of money like fractional pennies during the calculation of tax or interest may not be considered or are ignored by some programs. These programs are often susceptible to a salami attack, wherein all the ignored amounts are collected from the computation and stored elsewhere. Since the amount is very small, it is unlikely to be noticed by the users. This small amount is then misused by illegal programmers.

The following example clearly describes the situation that faces the attack,

Consider a bank that is paying 6.5% interest to every account holder annually, and the calculation needs to be made monthly by first calculating the interest amount of a day and then multiplying it with 30 days. The result will be very small, i.e., $0.5495726. This value needs to be rounded down as banks deal only in full cents. Thus, round-off errors are engaged by the programmers.
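To make the round-off reasoning concrete, here is an added Python example (not from the original notes) that computes monthly interest as described above, truncates it to whole cents the way the honest program would, models the skim of the discarded fractions, and shows how a reconciliation audit that recomputes every credit from the balance exposes it. The account balances and the skim account "X" are constructed for illustration.

```python
from decimal import Decimal, ROUND_DOWN

ANNUAL_RATE = Decimal("0.065")   # 6.5% per year, as in the worked example above
DAYS_IN_YEAR = Decimal(365)
DAYS_IN_MONTH = Decimal(30)
CENT = Decimal("0.01")


def exact_monthly_interest(balance: Decimal) -> Decimal:
    """One day's interest multiplied by 30 days, with no rounding."""
    daily = balance * ANNUAL_RATE / DAYS_IN_YEAR
    return daily * DAYS_IN_MONTH


def truncate_to_cents(amount: Decimal) -> Decimal:
    """Banks deal only in full cents: round down, discarding the fraction."""
    return amount.quantize(CENT, rounding=ROUND_DOWN)


def post_interest_honest(balances: dict) -> dict:
    """Credit each account its truncated interest; the fractions are simply dropped."""
    return {acct: truncate_to_cents(exact_monthly_interest(bal))
            for acct, bal in balances.items()}


def post_interest_salami(balances: dict, skim_account: str) -> dict:
    """Same postings, except the dropped fractions are gathered and credited
    to one account (the behaviour the text describes)."""
    credits = post_interest_honest(balances)
    skimmed = sum((exact_monthly_interest(bal) - credits[acct]
                   for acct, bal in balances.items()), Decimal(0))
    credits[skim_account] = credits.get(skim_account, Decimal(0)) + truncate_to_cents(skimmed)
    return credits


def audit_postings(balances: dict, posted: dict) -> dict:
    """Defender's check: recompute the expected credit for every account from its
    balance and report each account whose posted credit differs (surplus in dollars)."""
    findings = {}
    for acct, bal in balances.items():
        expected = truncate_to_cents(exact_monthly_interest(bal))
        actual = posted.get(acct, Decimal(0))
        if actual != expected:
            findings[acct] = str(actual - expected)
    return findings


def total_posted(posted: dict) -> str:
    """Total interest credited in one run, as a string in dollars."""
    return str(sum(posted.values(), Decimal(0)))


# Constructed sample ledger: four customers plus the skimmer's own account "X".
SAMPLE_BALANCES = {
    "A": Decimal("1000.00"),
    "B": Decimal("2500.00"),
    "C": Decimal("1234.56"),
    "D": Decimal("99.99"),
    "X": Decimal("10.00"),
}

if __name__ == "__main__":
    honest = post_interest_honest(SAMPLE_BALANCES)
    skimmed = post_interest_salami(SAMPLE_BALANCES, "X")
    print("honest total:", total_posted(honest))                      # 25.86
    print("salami total:", total_posted(skimmed))                     # 25.88
    print("audit finds :", audit_postings(SAMPLE_BALANCES, skimmed))  # {'X': '0.02'}
```

With only five accounts the surplus is two cents, which is exactly why a per-account recomputation (or a total-versus-expected reconciliation) rather than eyeballing statements is the practical control.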

13. Defamation

Cyber defamation can be defined as a perceptible offense that causes damage to the reputation of a person using the Internet. Criminals do this verbally, in writing, or just by representation. They publish a defamatory statement against a person in order to lower the reputation of the person among the general public. Damage caused to one's reputation on a website becomes viral on the Internet and is irreparable, as the information becomes available to the entire world.

14. Cyber Stalking

Cyber stalking is a form of online stalking performed to harass people. It uses technology, basically the Internet, for this purpose. The cyberstalkers use various mediums like e-mails, instant messages, phone calls and other communication devices to harass, monitor, threaten, exploit, destroy data or falsely accuse people. Usually cyberstalkers are persons who are known to us, not strangers. They can be a former friend, a relative, an ex or any person who wants to trouble the victim. Cyberstalking can ruin friendships, self-image, career and self-confidence. Victims of cyberstalking may also face domestic violence. Cyberstalkers may use spyware software to monitor the activities and gain information through the victim's PC or phone. Hence, it is necessary for all of us to be aware of the technology and protect ourselves from being a victim of cyberstalking.

1.2 THE INTERNET SPAWNS CRIME, WORMS VERSUS VIRUSES

Q11. Explain briefly about,

(a) The internet spawns crime

(b) Worms versus viruses.

Answer : Model Paper-III, Q2


(a) The Internet Spawns Crime

The internet can be defined as a global network that provides a huge amount of information and various communication facilities. While providing these services, there is a chance of occurrence of crimes. A computer is considered as a tool of crime in case of murder or fraud, an object of crime in case of equipment theft and the theme of crime in case of hacking and the spreading of viruses.

Criminal commandment is a law enforcement process that inquires about the members who are responsible for executing the criminal activities. This investigation process is highly difficult to perform in a computer environment. In developed and developing nations, the implementation of internet technologies is not similar. In most of the developing countries, wireless communication technologies have rapidly eclipsed wired systems, where the inherited communication infrastructure was underdeveloped to a large extent.

(b) Worms Versus Viruses

Worms and viruses are considered as malicious programs which infect the computer system. But, both these terms have

Viruses

A virus is a software program that replicates itself and infects another computer without the knowledge of the user. The computer virus gets its name from the biological virus. To replicate itself, a virus must execute code and should be written to memory. For this reason, many viruses attach themselves to executable files that are part of an authentic program.

A virus propagates by transmitting itself across the network and bypassing the security system. Viruses are otherwise said to be in the dormant phase (idle) until certain events cause their code to be executed. A virus also propagates from one system to another when its host is taken to an uninfected system. They are transmitted as attachments in an e-mail message or in a downloaded file.

A virus contains malicious code that causes damage to the system by destroying important programs, deleting necessary files or by reformatting the hard disk. Some other viruses are designed only to replicate themselves, but not to cause any damage.

Classification of Viruses

Viruses are classified into the following types:

1. Boot sector virus
2. File virus
3. Macro virus
4. Encrypted virus
5. Stealth virus
6. Polymorphic virus
7. Metamorphic virus
8. E-mail virus.

1. Boot Sector Virus

It is a type of virus which damages the master boot record. It propagates while booting the system from an infected disk.

2. File Virus

It is a type of virus that damages only those files which are assumed to be executable by the operating system.

3. Macro Virus

Macro virus is one of the common types of virus. These viruses cause much damage to the system's data. They have become a threat because of the following reasons,

(i) Macro virus damages Microsoft Word applications by inserting unnecessary words or phrases. Due to this, all hardware and operating systems which support the Word document also get affected.

(ii) Macro virus damages only documents, and large parts of system information are in document form instead of program code.

(iii) Macro virus can be transmitted without any difficulty.

4. Encrypted Virus

It is a type of virus which infects in the following way,

Initially, a random encryption key is produced by some part of the virus. Then, encryption is performed on the remaining part of the virus. The encryption key is stored along with the virus, and using this key the virus is decrypted.

5. Stealth Virus

This virus is designed in such a way that it hides itself from being identified by any anti-virus software program.

6. Polymorphic Virus

It is a virus that changes with each infection. It creates duplicate copies of itself where every copy of the virus performs the same action. Here, every individual virus differs from the others in its bit pattern. This change in bit pattern is achieved using an encryption process.

7. Metamorphic Virus

A metamorphic virus also gets modified with every infection, like a polymorphic virus. The difference here is that a metamorphic virus rewrites itself completely while damaging a new executable file. Because of this, detection of a metamorphic virus becomes more difficult.

8. E-mail Virus

An e-mail virus is one of the latest developed harmful programs. The Melissa virus is an example of an e-mail virus. This virus spreads very fast. It uses Word macros that are inserted in an e-mail attachment. When these attachments are opened,

(i) The e-mail virus is transmitted to everyone present in the mailing list.
(ii) These viruses are responsible for performing local damage.

Viruses cannot spread without some kind of action from the user, like running the infected program. The effects of a virus are shown in the figure below.

Figure: Effects of Virus


Worms

Worms are software programs that replicate themselves and transmit the cloned copy to other computers using the network. They are reproducing programs that execute independently and travel across network connections. These worms are termed as network worms.

Nature of Worms

Worms are similar to viruses, but the only difference is that a worm doesn't attach itself to an existing program. The difficult task for a worm is that it requires program code to be executed on a remote host system. Worms propagate by utilizing software vulnerabilities available in operating systems.

An e-mail virus has the same behaviour as that of a computer worm, but the former requires a human to perform the actions, whereas the latter independently searches for the system to perform its actions. A network worm can exhibit a similar property as a computer virus once it has been activated to perform destructive action. These worms propagate over network connections using network vehicles like,

1. E-mail Facility

In this, a worm sends a mail containing its cloned copy to other systems.

2. Remote Host Execution Ability

In this, a worm independently runs a copy of itself on another system.

3. Remote Login Ability

In this, a worm logs in on a remote system by pretending to be an authentic user and replicates itself using commands.
Network worms have the same life-cycle phases as that of a computer virus. They are as follows,

1. Dormant phase
2. Propagation phase
3. Triggering phase
4. Execution phase.

The functions performed by the propagation phase are,

(i) By monitoring the host table, the network worm searches for other host systems to infect.
(ii) This phase is responsible for establishing a connection with the remote host.
(iii) It replicates itself on the remote host and allows the cloned copy to execute and implement its functions.

A network worm is capable of determining if the system was previously infected before replicating itself. In a multiprogramming system, network worms hide themselves and pretend to be a system process by using other names that are not detected by a person operating the system.

A system can be protected from worm attacks by receiving regular updates about the patches and upgrades regarding the operating system and other applications. The other way to protect a system from worms is to reduce the services and applications executing on the system.

The effects of worms are shown in the figure below.

Figure: Effects of Worms.


1.3 COMPUTERS' ROLES IN CRIMES

Q12. Describe the role of computers in crimes.


Answer :
Model Paper-I, Q2(b)
Role of the Computers in Crime

The growth of the computer and the Internet has led to an increase in new crimes and its direct as well as indirect association to various criminal activities. This is due to the fact that many individuals frequently make use of computers and the Internet for communication, records maintenance and for carrying out business activities.

The computer's association with crime happens in three ways, they are,

1. Target

The computer (target) is considered as an object for initiating criminal activities. In particular, the data stored in the computer system can be the target of crime. Other computer-related crimes are equipment theft, equipment damage, data theft etc.

2. Instrument

The computer system is taken as the source for committing a crime. This includes spam, harassment, child pornography, fraudulent activities, eavesdropping, trespass etc.

3. Support

The computer system is utilized to substantiate certain criminal activities. This includes record keeping, conspiracy etc.

Examples

Some of the examples of how computers are helpful in crime scenarios are as follows,

1. The witness of the crime can view the suspect's image on the screen by means of computers.
2. Fingerprints of a person can be taken with the help of computers to check whether the person is related to past crimes.
3. By using computers, simulations or duplications can be performed.
4. In traffic junctions, computers are used to identify the Vehicle Identification Number (VIN), whether the car is stolen, etc., so in such cases the person can be arrested immediately.
5. Computers and laptops are used to maintain the criminal records or databases.
6. All details about the criminals can be retrieved from the databases that are created in computers.


Q13. Write a brief introduction about Digital Forensics.

Answer :
Forensic science plays a vital role in criminal justice systems. It is also called "forensics". The term 'forensic' is derived from the Latin word 'forensis', i.e., open court. Forensic science can be applied in both criminal and civil actions.

Digital forensics is also called digital forensic science, which is a branch of computer forensic science. It includes the recovery and analysis of components that are identified in digital devices. The Information and Communication Technology (ICT) related environments undergo the challenge of using the computer for a long time while performing activities which are not work related.

The evolution of ICT resulted in the upgradation of some areas like social networking, mobile technology, cloud computing and storage solutions. These advancements have increased the data flow and reduced the data security in the organization. The increased activity in ICT environments also resulted in an increase in the misuse of computers and networks, such that an employee can run simple password cracking tools and gain access to confidential information. So, computer-related investigations were performed to check the misuse of computers and networks, wherein auditing was the key component that helped to answer the user activity and cybercrime questions.

In recent years, due to the advancements made in tools and systems, the digital forensic discipline has made quick development. These tools helped common users to perform difficult audit tasks. On the internet, there are many irrelevant and easy tutorials that provide information on gaining access to any computer. By using these, a common computer user can access any information such as illegal software, confidential documents etc. In order to control such activities there is a high need for computer security methods and forensic tools for collecting accurate digital evidence or information. There is a misconception about various forensic tools which are available for free that they can be used to conduct digital forensic investigations. These tools possess various features that promote the digital forensic investigation process. The court of law mainly focuses on the digital evidence and the respective process that is used to gather the evidence, and these are considered important. Committees such as the Digital Forensic Research Workshop Group (DFRWS) and the American Society of Digital Forensics and eDiscovery (ASDFED) have proposed various processes that should be used to gather digital evidence. As there are various processes, no specific process is considered the standard forensic process that is required to be used by digital forensic investigators. If a forensic investigator does not use or consider the appropriate process that should be followed to gather the evidence, then it may be considered a major mistake, because when the evidence is submitted without proof, the defence may raise questions regarding the process of digital evidence collection.

1.5
INTRODUCTION TO INCIDENT - INCIDENT RESPONSE METHODOLOGY, STEPS
Q14. Explain briefly about Incident.
Answer :
Model Paper-Il, Q3(a)
An Incident
An incident can be viewed as an occurrence or an attack. In terms of information technology, it is an event in which a service fails to function properly and does not deliver the feature it is intended to deliver.
Incident Response



COMPUTER FORENSICS [JNTU-HYDERABAD]

Each time a security breach or incident occurs, a method called incident response is implemented. Ideally, it is defined as an organized approach. It is meant to address and manage the situation created after the occurrence of a security attack. It functions by controlling the situation in such a manner that the damage and cost are lower and the recovery time is shorter.

The approach has a policy defining what an incident is, which enables a step-by-step method that is followed consistently.

An incident response plan can be described as a step-by-step procedure. This procedure is implemented at the time an incident occurs.

Since incident response is a fundamental, streamlined approach, it addresses the issues caused after a security breach.
Stages of Incident Response
At first, the computer incident response team carries out the organization's incident response. This team is a group of selected members: in addition to the security and IT staff, other representatives come from the legal, human resources and public relations departments.

The following are the six steps necessary to resolve the incident.
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons learned.

1. Preparation
In this step, the team's role is to create a formal incident response capability. In doing so, they develop an incident response process that reflects the organizational structure. It sets out the roles and responsibilities and develops procedures with detailed guidance so as to address incidents appropriately.
This is made possible by selecting the right, skilled persons. These persons have the capability to define the criteria for declaring an incident. In addition, they select the proper tools for managing the incident. Subsequently, they also define the reports to be generated and the points of contact, i.e., whom to approach for discussion. More importantly, this step is the fundamental and crucial one in which the team ensures that every action is known and well coordinated. Good preparation by the team can greatly minimize the potential damage by facilitating quick and effective action.
2. Identification
In this step, the team initiates the process of verification once the following occurs,
(i) An event occurs.
(ii) Observations corresponding to the events and indicators are sustained.
(iii) There is a deviation from normal operations or there is malicious activity.
Therefore, identification can take place while the protection mechanisms are operating, with the incident handler team using its skill set to determine the signs and indicators. These observations can be seen at the network, host or system level. At this point the team collects alerts and logs from routers, firewalls, IDS, SIEM, AV, gateways, operating systems and network flows.
3. Containment
In this step, the team members limit the damage caused by the offenders and attackers. Here the team decides on the strategy that will be implemented; it contains the incident according to the established processes and procedures.
On the other hand, in this step the team also works closely with the business owners of the affected systems and other stakeholders to decide how to handle the system. The network may be disconnected, or its operations may be continued and monitored; factors like the scope, magnitude and impact of the incident play a major role in this decision.

4. Eradication
In this step, successive steps are taken to remove the root causes of the incident, in essence the virus or malware which has affected the system.
If the situation is more serious, then the team checks for and eliminates the exploited vulnerabilities. Apart from this, the team also identifies the initial point of execution, the applications involved and the measures necessary to avoid its recurrence.
5. Recovery
In this step, the team restores the system from backup or carries out reimaging. Once the restoration is completed, monitoring starts. Monitoring is essential, as the team has to watch for the signs and indicators that would detect a recurrence.

6. Lessons Learned
In this step, the team carries out the essential follow-up activity. Here the team reflects on, and documents, the improvements corresponding to the incident handling process. This helps them learn what failed and what procedures are still functional. The team will experience some
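To make the Identification step above concrete, the following Python script (an added example, not part of this textbook or its model papers) parses a few constructed sshd-style authentication log lines, flags a source address that produces a burst of failed logins, and opens an incident record whose number is built from the order of occurrence and the incident type, which is what the Containment step then works from. The log lines, the IP addresses, the threshold of five failures within 60 seconds and the INC- numbering format are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style authentication log lines (not a real capture).
# Documentation-range addresses are used; 203.0.113.7 plays the attacker.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[412]: Failed password for root from 203.0.113.7 port 51234 ssh2
2024-03-01T10:00:03 sshd[412]: Failed password for root from 203.0.113.7 port 51235 ssh2
2024-03-01T10:00:04 sshd[412]: Failed password for admin from 203.0.113.7 port 51236 ssh2
2024-03-01T10:00:06 sshd[412]: Failed password for admin from 203.0.113.7 port 51237 ssh2
2024-03-01T10:00:07 sshd[412]: Failed password for oracle from 203.0.113.7 port 51238 ssh2
2024-03-01T10:00:09 sshd[412]: Accepted password for oracle from 203.0.113.7 port 51239 ssh2
2024-03-01T10:05:00 sshd[413]: Failed password for alice from 198.51.100.20 port 40001 ssh2
2024-03-01T10:30:00 sshd[414]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text):
    """Turn each matching log line into a dict; non-matching lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def find_indicators(events, threshold=5, window=timedelta(seconds=60)):
    """One indicator per source IP with >= threshold failures inside a sliding
    window (assumed values).  A successful login from the same IP after the
    burst is recorded as a likely account compromise."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    indicators = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        burst = None
        for i in range(len(failures)):
            j = i
            while j + 1 < len(failures) and failures[j + 1]["ts"] - failures[i]["ts"] <= window:
                j += 1
            if j - i + 1 >= threshold:
                burst = (failures[i]["ts"], failures[j]["ts"])
                break
        if burst is None:
            continue
        successes = [e for e in evs if e["result"] == "Accepted" and e["ts"] >= burst[1]]
        indicators.append({"ip": ip, "failures": len(failures),
                           "first": burst[0], "last": burst[1],
                           "compromised_users": sorted({e["user"] for e in successes})})
    return indicators


def declare_incident(indicator, seq, kind="INTRUSION"):
    """Record the facts Containment needs and assign an incident number built
    from the order of occurrence and the incident type (assumed format)."""
    severity = "high" if indicator["compromised_users"] else "medium"
    return {
        "incident_id": f"INC-{indicator['first']:%Y%m%d}-{seq:04d}-{kind}",
        "severity": severity,
        "source_ip": indicator["ip"],
        "accounts": indicator["compromised_users"],
        "detected_at": indicator["last"].isoformat(),
        "next_step": ("contain: block source IP, disable the affected accounts"
                      if severity == "high" else "contain: block source IP, keep monitoring"),
    }


def run(log_text=SAMPLE_LOG):
    """Identification end to end: parse, find indicators, declare incidents."""
    return [declare_incident(ind, n)
            for n, ind in enumerate(find_indicators(parse(log_text)), start=1)]


if __name__ == "__main__":
    for incident in run():
        print(incident)
```

On the constructed log the burst from 203.0.113.7 is followed by an accepted login for oracle, so the record is rated high and names the account to disable; the single failure from 198.51.100.20 never reaches the threshold and produces no incident.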



Q15. Discuss the incident response methodology.

Answer : Model Paper, Q3(a)


Incident Response Methodology
The process can be streamlined by using the idea of exploration, which is used to explain the different phases involved in the process. The search then begins in the right way for deciding the bright line that clearly divides the grey areas.
Moreover, with the use of flowcharts, the phases can be defined precisely and the process can be applied easily to basic cases. Developing a straightforward picture of a process is a difficult task, and sustaining a consistent level of accuracy is hard because the incident response process involves a number of variables and factors that affect the flow. Nevertheless, the incident response method developed here is straightforward, clear, error-free and practical.
Most computer security incidents are complex and multifaceted. These problems are addressed by employing the black-box approach used for complex engineering problems: the larger problem domain of incident resolution is broken into smaller components, and then the input and output of each component are clearly scrutinized.
The figure below represents the approach to incident response.

Figure: Incident Response Methodology (an incident occurs, either point-in-time or ongoing, and is handled through the seven components listed below)

Components of Incident Response Methodology

The following are the seven major components of incident response methodology.

1. Pre-incident preparation
2. Detection of incidents
3. Initial response
4. Formulate response strategy
5. Investigate the incident
6. Reporting
7. Resolution
1. Pre-incident Preparation
In this component, the necessary actions are taken prior to the occurrence of an incident. This prepares the organization and the CSIRT.
2. Detection of Incidents
In this component, potential security incidents are identified.
3. Initial Response
In this component, the most basic details that define the boundaries of the incident are recorded. It also includes assembling the incident response team. The individuals involved are then informed about the incident, and the initial response team carries out the initial investigation.
4. Formulate Response Strategy
In this component, the most efficient response is determined based on the facts gathered, and the approval of management is obtained. Based on this data, the civil, criminal, administrative and other actions deduced from the investigation records are decided.
5. Investigate the Incident
In this component, data is collected completely so as to identify what actually happened, when it occurred, who carried it out and what preventive measures should be adopted to stop it recurring.
6. Reporting
In this component, accurate information about the investigation record is stored. It is used by decision makers.
7. Resolution
In this component, multiple resolutions are applied. These include implementing security measures, procedural changes, recording of lessons learned and development of long-term fixes to the problems.

Q16. Explain about,
(a) Pre-incident preparation
(b) Detection of incidents
(c) Initial response.
Answer :
(a) Pre-incident Preparation
Incident response is made successful through careful planning. In this phase, before responding to a computer security incident, the organization must prepare not just the organization as a whole but also the CSIRT members.

Computer security incidents are uncontrollable and the investigator stays unaware of the upcoming incident. Even so, their role does not end there: they have to prepare the organization's members to respond to incidents. Typically, incident response is reactive in nature, so the pre-incident preparation phase involves only proactive measures on which the CSIRT can rely to secure the organization's assets and information.

Some of the steps that need to be taken to save time and effort are as follows.

Preparing the Organization

In this step, important corporate-wide strategies are designed. A typical preparation of the organization includes,

(i) Employ host-based security measures.
(ii) Employ network-based security measures.
(iii) Conduct training for end users.
(iv) Ensure that the intrusion detection system is functional.
(v) Develop strong access control.
(vi) Carry out timely vulnerability assessments.
(vii) Ensure that backups are taken on a regular basis.
Q17. Explain how to develop a response strategy.

Answer : Model Paper-I, Q3(b)

To establish the most suitable response strategy, considering the circumstances of the incident is the primary goal of the response strategy formulation stage. The political, legal, technical and business factors that surround the incident should be considered. Selection of a strategy depends on the objectives of the group or individuals with whom the final decision lies.

1. Considering the Totality of the Circumstances

The response strategy varies depending on the events of the computer security incident. In deciding the number of resources needed to investigate an incident, whether to create a forensic duplication of relevant systems, whether to make a criminal referral, whether to pursue civil litigation and other features of your response strategy, the following aspects need to be considered,

(a) How critical are the affected systems?

(b) How sensitive is the compromised or stolen information?

(c) Who are the likely perpetrators?

(d) Is the incident in the public eye?

(e) What level of unauthorized access did the attacker acquire?

(f) What is the intruder's apparent skill?

(g) How much system and user downtime is involved?

(h) What is the overall dollar loss?

Incidents vary greatly, from virus outbreaks to the theft of customers' credit card information. A routine virus outbreak usually results in some idle time and lost productivity. The theft of customers' credit card information can put an inexperienced dot-com operation out of business. The response strategy for each event will differ accordingly. Mostly, a virus outbreak is handled as a routine matter. The theft of critical information such as credit card data is like a blaring fire alarm, which should trigger a response that includes the public relations department, the CEO and all available technical resources of the organization. It is essential to review the details of the incident before the response strategy is chosen.

The response strategy is vital in a large organization, as it gives a new CSIRT the basis on which to weigh technical resources, political considerations, legal limitations and business objectives.

2. Considering Appropriate Responses

One should be able to arrive at a feasible response strategy that fits the circumstances of the attack and the capacity to respond. The table below shows a few common situations with response strategies and their likely outcomes. The response strategy determines how you move forward from an incident to its outcome.

The following table describes some examples of incidents, their response strategy and the expected outcomes.

Table: Response Strategy for Attacks

Incident | Example | Response Strategy | Likely Outcome
DoS attack | TFN DDoS attack (a popular Distributed Denial of Service attack). | Reconfigure router to reduce the impact of the flooding. | Effects of attack mitigated by router countermeasures. Establishing the perpetrator's identity may require more resources than it is worth.
Unauthorized use | Employee uses work computers to browse pornography sites. | Possible forensic duplication and investigation; interview with suspect. | Perpetrator identified and evidence collected for disciplinary action. Action taken may depend on the employee's position or past enforcement of company policy.
Vandalism | Defaced website. | Monitor, repair and investigate website while it is online. Implement website "refresher" program. | Website restored to operational status. Decision to identify perpetrator may involve law enforcement.
Theft of information | Stolen credit card and customer information from company database. | Make public affairs statement, forensic duplication of relevant systems, and investigation of the theft. | Detailed investigation initiated. Law enforcement participation possible. Civil complaint filed to recover potential damages. Systems potentially offline for some time.
Computer intrusion | Remote administrative access via attacks such as the cmsd buffer overflow and Internet Information Services (IIS) attacks. | Monitor activities of attacker. Isolate and contain scope of unauthorized access. Secure and recover systems. | Vulnerability leading to intrusion identified and corrected. Decision made whether to identify perpetrators.

The response strategy must take into consideration the business objectives of your organization. It must be approved by the higher authorities because of its probable impact on the organization. The response strategy must be weighed with respect to the pros and cons of the following.

(a) Estimated dollar loss.

(b) Impact on daily operations and network downtime.

(c) Impact on operations and user downtime.

(d) Whether your organization is legally able to take certain actions.

(e) Public disclosure of the incident and its effect on the reputation of the organization.

(f) Theft of intellectual property and its potential economic impact.

3. Taking Measures
An organization must regulate the activity of an employee or respond to a malicious attack by an anonymous person. This task can be initiated with a criminal referral, an administrative approach or revocation of privileges when the incident warrants it.
4. Legal Action
It is customary to probe a computer security incident that qualifies for legal action or that could lead to a lawsuit or court proceeding. While deciding whether law enforcement must be included in the incident response or not, the following particulars should be considered,
(a) Does the damage of the incident meet the criteria for a criminal case?
(b) Is it likely that the outcome expected by your organization will be achieved by criminal or civil action?
(c) Has the actual cause of the incident been reasonably established?
(d) For a comprehensive investigation, does your organization have adequate documentation and a sequential report?
(e) Does your organization possess a working relationship with local or federal law enforcement officers?
(f) Does the individual's previous conduct bear on taking legal action?

5. Administrative Action
At present, rather than pursuing civil or criminal actions, disciplining or terminating employees through administrative measures is common. To deal with an internal employee, the administrative measures that can be put into practice include,
(a) Letter of reprimand.
(b) Immediate termination.
(c) Compulsory leave of absence for a specific length of time.
(d) Reassignment of job duties.
(e) Temporary reduction in pay to make reparation for the loss or damage.
(f) Public or private apology for the actions in question.

Q18. Discuss the process of investigating the incident.
Answer : Model Paper-II, Q3(b)
The investigation phase involves establishing the who, what, when, where, how and why of the incident. To run your investigation, the host-based evidence, the network-based evidence and the evidence collected by traditional, nontechnical investigative steps must be reviewed. While investigating an incident, the key is to determine what was harmed and by whom, although establishing the identity of people on a network is increasingly tough. The identification of the attacker may be of less concern to the victim than the property harmed or destroyed. The following are the two stages of a computer security investigation,
1. Data collection
2. Forensic analysis.

Figure: Data Collection and Data Analysis (the host-based checks performed on the collected data)
1. Review volatile data: review network connections; determine any rogue processes (backdoors, sniffers).
2. Analyze the relevant time/date of the system: identify files uploaded to the system by an attacker; identify files downloaded from the system.
3. Review the log files.
4. Determine unauthorized user accounts.
5. Check for unusual or hidden files.
6. Analyse jobs run by the scheduler service.
7. Perform keyword searches.

1. Data Collection
The process of gathering the facts and clues that are required during your forensic analysis is referred to as data collection. This phase involves various forensic challenges, which are as follows,
(i) The electronic data must be gathered in a forensically sound way.
(ii) The storage capacity of computers keeps increasing, so the volume of data to be collected is large.
(iii) The collected data must be handled in such a way that the integrity of the data is secured.
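Challenges (i) and (iii) above, collecting in a forensically sound way and preserving the integrity of what was collected, can be shown in code. The Python script below is an added example, not from the textbook. Real live response would run commands such as date, ps and netstat on the victim from trusted binaries; here their output is replaced by constructed strings so the script runs offline. It captures the artifacts in order of volatility, timestamps and SHA-256 hashes each one as it is captured, seals the manifest with its own hash, and then shows that a later alteration of a captured artifact (or of the manifest) is detected. The artifact names, case number and collector name are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-ins for the output of live-response commands (not real
# captures).  On a real host these would come from date, ps, netstat/ss and
# ifconfig/ip run from trusted binaries.
CONSTRUCTED_OUTPUT = {
    "system_date_time": "Fri Mar  1 10:12:44 UTC 2024\n",
    "running_processes": "PID USER CMD\n1 root /sbin/init\n4410 root /tmp/.x/sshd_bd -p 2222\n",
    "network_connections": "tcp 10.0.0.5:2222 203.0.113.7:51900 ESTABLISHED 4410/sshd_bd\n",
    "open_ports": "tcp LISTEN 0.0.0.0:22\ntcp LISTEN 0.0.0.0:2222\n",
    "network_interfaces": "eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>\n",
}

# Order of volatility: what disappears first is captured first.
COLLECTION_ORDER = ["system_date_time", "running_processes",
                    "network_connections", "open_ports", "network_interfaces"]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def collect(outputs, collector, case_id, clock=None):
    """Capture each artifact in volatility order.  Returns the raw artifacts
    and a manifest that records, per artifact, its hash, size, capture time
    and who captured it; the manifest is then sealed with its own hash."""
    clock = clock or (lambda: datetime.now(timezone.utc))
    artifacts, entries = {}, []
    for name in COLLECTION_ORDER:
        data = outputs[name].encode()
        artifacts[name] = data
        entries.append({"seq": len(entries) + 1, "artifact": name,
                        "sha256": sha256(data), "bytes": len(data),
                        "collected_at": clock().isoformat(), "collector": collector})
    manifest = {"case_id": case_id, "entries": entries,
                "manifest_sha256": sha256(json.dumps(entries, sort_keys=True).encode())}
    return artifacts, manifest


def verify(artifacts, manifest):
    """Re-hash everything.  Returns the names of artifacts whose content no
    longer matches the manifest, or ['<manifest>'] if the manifest itself
    has been edited (in which case none of its entries can be trusted)."""
    if sha256(json.dumps(manifest["entries"], sort_keys=True).encode()) != manifest["manifest_sha256"]:
        return ["<manifest>"]
    return [e["artifact"] for e in manifest["entries"]
            if sha256(artifacts.get(e["artifact"], b"")) != e["sha256"]]


def demo():
    """Collect, confirm integrity, then simulate someone editing the process
    list after capture; verify() names the altered artifact."""
    artifacts, manifest = collect(CONSTRUCTED_OUTPUT, "analyst-1", "INC-20240301-0001")
    assert verify(artifacts, manifest) == []
    artifacts["running_processes"] = artifacts["running_processes"].replace(b"sshd_bd", b"sshd")
    return verify(artifacts, manifest)


if __name__ == "__main__":
    print("altered artifacts:", demo())
```

In practice the manifest would be written to separate, write-once media and signed by the collector; the hash chain shown here is what lets the defence's question "how do we know this was not changed?" be answered in court.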
the are

The data collection phase is further categorized into three fundamental components: host-based information, network-based information and other information.

(a) Host-based Information
The host-based component includes logs, records, documents and other related data which is identified on a system. This component deals with information gathering in two distinct forms, i.e., live data collection and forensic duplication.

In some situations, when the corresponding system shuts down, the evidence required to understand the incident is lost. Therefore, data collection starts by collecting this volatile information before it is lost. To preserve it, one must record the following,
(i) Date and time of the system.
(ii) Applications that are executing on the system.
(iii) Currently established network connections.
(iv) Recently opened ports.
(v) The state of the network interfaces.

(b) Network-based Information
The network-based component includes IDS logs, consensual monitoring logs, nonconsensual wiretaps, pen-register/trap-and-trace records, router logs and firewall logs. Network surveillance is performed to confirm suspicions, gather evidence and determine the co-conspirators involved in an incident. It enables an organization to carry out various tasks like,
(i) Confirm or dispel suspicions about a computer security incident.
(ii) Gather additional evidence and data.
(iii) Verify the scope of a compromise.
(iv) Identify additional parties involved.
(v) Determine the timeline of events that occurred on the network.
(vi) Ensure compliance with a desired activity.

(c) Other Evidence
This component involves collecting personnel files, interviewing employees, interviewing witnesses, interviewing character witnesses and documenting the data gathered.

2. Forensic Analysis
Forensic analysis refers to the process of reviewing the data gathered. It includes reviewing log files, system configuration files, trust relationships, web browser history records, electronic mail messages and their attachments. This phase also involves performing more low-level tasks like looking through data that has been logically deleted from the system.

Figure: Steps Performed During Forensic Analysis
Preparation of data: create a working copy of all evidence media; perform forensic duplication; list the partition table and file systems and gather file statistics; recover deleted data; recover unallocated space; perform file signature analysis; identify system files.
Analysis of data: review data collected during live response; extract email and attachments; review browser history files; review installed applications; search for relevant strings; review all network-based evidence; perform software analysis; identify and decrypt encrypted files; perform file-by-file forensic review; perform specialized analysis.
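Three of the host-based checks listed in the figure "Data Collection and Data Analysis" above (determine unauthorized user accounts, analyse jobs run by the scheduler service, check for unusual or hidden files) are shown below as Python functions. This is an added example, not from the textbook: the /etc/passwd content, the crontab entries, the file listing and the directories treated as suspicious are all constructed. Each function returns findings that the analyst would then confirm file by file on the forensic duplicate.

```python
# Constructed /etc/passwd content (not from a real system).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/:/bin/sh
svc_backup:x:0:1001::/var/tmp:/bin/bash
"""

# Constructed system crontab entries (m h dom mon dow user command).
CRONTAB = """\
0 2 * * * root /usr/local/bin/backup.sh
*/5 * * * * root /tmp/.x/update >/dev/null 2>&1
@reboot root /dev/shm/.s/sshd_bd -p 2222
30 6 * * 1 alice /home/alice/bin/report.py
"""

# Constructed file listing from the working copy: (path, size in bytes).
FILES = [
    ("/home/alice/.bashrc", 3771),
    ("/tmp/.x/update", 20480),
    ("/var/www/html/index.html", 512),
    ("/var/www/html/.../shell.php", 2048),
    ("/usr/bin/ls", 138208),
    ("/usr/lib/ .hidden", 1024),
]

# World-writable scratch areas: legitimate scheduled jobs rarely run from here (assumed list).
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def unauthorized_root_accounts(passwd_text, allowed=("root",)):
    """Any account with UID 0 other than the allowed names is root under
    another name, a classic backdoor account left by an intruder."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2] == "0" and fields[0] not in allowed:
            findings.append({"user": fields[0], "home": fields[5], "shell": fields[6]})
    return findings


def suspicious_cron_jobs(cron_text):
    """Scheduler jobs whose command lives in a scratch directory."""
    findings = []
    for line in cron_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        n = 2 if parts[0].startswith("@") else 6      # "@reboot user cmd" vs five time fields
        user, cmd = parts[n - 1], " ".join(parts[n:])
        if cmd.startswith(SUSPECT_DIRS):
            findings.append({"user": user, "command": cmd})
    return findings


def unusual_files(listing, system_dirs=("/usr/", "/bin/", "/sbin/", "/lib/", "/etc/")):
    """Hidden names outside home directories, dot-only directory names and
    whitespace in names under system paths: all common ways to hide tools."""
    findings = []
    for path, _size in listing:
        parts = path.split("/")[1:]
        reasons = []
        if any(p.startswith(".") for p in parts) and not path.startswith("/home/"):
            reasons.append("hidden outside home")
        if any(len(p) > 2 and set(p) == {"."} for p in parts):
            reasons.append("dot-only directory name")
        if path.startswith(system_dirs) and any(c.isspace() for c in parts[-1]):
            reasons.append("whitespace in system path")
        if reasons:
            findings.append({"path": path, "reasons": reasons})
    return findings


def run_checks():
    """All three checks over the constructed data, keyed by check name."""
    return {"uid0_accounts": unauthorized_root_accounts(PASSWD),
            "cron_jobs": suspicious_cron_jobs(CRONTAB),
            "files": unusual_files(FILES)}


if __name__ == "__main__":
    for check, found in run_checks().items():
        print(check, found)
```

Each check is deliberately narrow: it produces leads for the file-by-file review rather than a verdict, and the "allowed" and "suspect" lists must be tuned to the host being examined.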
Q19. Discuss briefly about,
(a) Reporting
(b) Resolution.
Answer : Model Paper-III
(a) Reporting



Reporting is considered the most difficult phase of the incident response process. In this phase, the main task or challenge is to generate reports in which the incident details are defined. The generated reports need to be clear and understandable to the decision makers.

In the reporting phase, the following rules must be followed.

1. Document Immediately

It is important to document all investigative steps and conclusions immediately. If the documentation is written in short and simple terms as the evidence is identified, it helps to save time, improves accuracy and ensures that the investigation details can be discussed or communicated with others easily at any moment. It also makes it easy for a new member to take the lead in the investigation process.

2. Write Concisely and Clearly

It is better to follow the "write it tight" rule. It means using short and simple words as much as possible. In order to document the investigative steps, suitable methods and a suitable format are required.

A report should be written in a way that is understandable to the writer and to the others involved in the investigation process. It is suggested not to use shorthand or shortcuts. If a report contains indefinite notations, incomplete scribbling or unclear documentation, it may result in redundant effort, forced translation of notes, re-confirmation of notes and failure to comprehend the notes.

3. Use a Standard Format

A specific format must be developed for reports and the same must be maintained throughout the reporting process. The incident response process outlines and templates are used to create the standard formats. This standard format helps in report writing, saves time and improves accuracy.

4. Use Editors

Technical editors can be hired or engaged to read the forensic reports. By using editors, the reports can be developed in such a way that non-technical people can also understand them easily. But one disadvantage of using editors is that they may alter the meaning of critical information, so it is necessary to review the final product before submission.

(b) Resolution

The main objective of the resolution phase is to implement the host-based, network-based and procedural countermeasures for the incident in order to prevent further damage by the incident to the organization and to return the organization to a good operational state. This phase consists of the problem, the solution to the problem and the preventive measures that stop the problem from recurring. In case of any potential civil, criminal or administrative action, it is better to gather all the evidence before implementing any security measures. If the system is secured by changing the network topology, packet filtering or installing software on a host without proper review and validation, it may result in the loss of valuable investigative clues, such as the system state at the time of the incident.

In order to resolve a computer security incident, the following steps must be implemented,

1. Initially, identify the priorities of the problems that occur in the organization. The problem with the highest priority is resolved first.

2. Identify the incident type by gathering enough information, and analyze what security measures, host-based and network-based, are needed to address the incident.

3. Determine the underlying or systemic causes of the incident which need to be handled.

4. Restore any affected or compromised systems. It may be necessary to rely on a previous version of the data, the server platform software or the application software to make sure that the system performs as users expect.

5. Make the corrections required to handle any host-based vulnerabilities. All changes should be checked and tested in a lab environment before implementing them on production systems.

6. Implement network-based countermeasures or remedial measures such as access control lists, firewalls or IDS.

7. Rectify the systemic issues by assigning the responsible role.

8. Track the progress of all the corrections.

9. Check whether the host-based, network-based and systemic measures have been implemented properly.

10. Update the security policy and procedures in order to improve the response process.



1.6 ACTIVITIES IN INITIAL RESPONSE, PHASES AFTER DETECTION OF AN INCIDENT
Q20. Describe the activities in initial response.

Answer : Model Paper-II, Q2(b)
An organization faces challenges when a computer security incident occurs. A process is required that supports the following tasks.

1. Fast and effective decision making.

2. Gathering a large amount of information.

3. Rapid escalation of the incident.

4. Rapid notification of the participants in order to assemble the CSIRT.

Gathering Preliminary Information

The main objective of the initial response phase is to gather enough information to determine a suitable response. It includes the following activities,

(i) Initially, an incident should receive an initial notification.

(ii) Then, the incident details and declaration should be recorded.

(iii) Assemble the CSIRT.

(iv) Now, implement the traditional investigative steps.

(v) Conduct the interview process.

(vi) Finally, determine the escalation of the incident.

Documentation of Steps Taken

The other objective of the initial response phase is to document the steps that are taken. On detecting an incident, the organization's methods and practices can be used to avoid knee-jerk reactions. A good initial response plan helps to promote a formal reporting process and also provides support for maintaining good metrics. By recording the incident details, the organization can learn the number of attacks that have occurred, their type, frequency, damage and effect on the organization. These types of metrics become useful when measuring the return on investment of a good plan.


Q21. Explain the phases after detection of an incident.

Answer :
After the detection of an incident, the following phases should be carried out.

1. Recording the Incident Details After Initial Detection

Implementation of a good incident response plan requires a checklist. One type of checklist is the initial response checklist.

Initial Response Checklist

It is used to record the incident details after receiving the initial notification. This checklist is divided into two parts: the first part consists of general information and the second part consists of more specific information. The second part can be used by CSIRT members to handle the technical details of the incident. A CSIRT member must respond personally in order to retrieve and record the information. The initial response checklist is specifically used to handle these issues.

2. Incident Declaration

It is usually an easy task to tell that an activity is suspicious with respect to computer security. In some cases, it becomes difficult to find out from the details stored in the initial response checklist whether an incident has occurred. In this case, the activity should be treated as an incident until the investigation proves otherwise.

If it is not possible to confirm the occurrence of an incident immediately, then it is better to assign a number to the incident so as to make the investigation process easier. This incident number is specific to the corresponding incident. These incident numbers are organized in a form that is based on the order of occurrence and the type of incident.

3. Assembling the Computer Security Incident Response Team

Most organizations form a CSIRT only when a particular incident occurs and do not possess a dedicated centralized team. So it is necessary to form an official, centralized CSIRT which is responsible for handling security incidents. The team should possess good skills so that they can respond to a particular incident immediately. Various areas of the organization provide the hardware, software, technical knowledge and manpower to support the incident response effort.



4. Performing Traditional Investigation Steps
This phase determines the "who, what, when, where, how and why" of
an incident. In order to plan a good technical investigation, it is better to divide the collected
evidence or information into the following three categories:

(i) Host-based Evidence

It refers to the data that is collected from the Windows or UNIX machines or the system
data which is involved in the incident.

(ii) Network-based Evidence

It refers to the data that is collected from routers, IDS or other network monitors. These
data sources are not involved in an incident directly.

(iii) Other Evidence

It refers to testimonial data such as motive, intent or other such information.

Conducting Interviews
When the CSIRT analyzes the suspected incident, it is required to investigate
questions such as "who, what, when, where and how". These questions may provide some
information about the incident, such as the system's location, administrative contacts and so on. It is
easy to resolve or fix the situation if answers are obtained for all of the questions. The
problem is that an answer may not be available for every question.

SPECTRUM ALL-IN-ONE JOURNAL FOR ENGINEERING STUDENTS SIA GROUP



COMPUTER FORENSICS [JNTU-HYDERABAD] 1.22

Developing a Response Strategy
The response strategy is considered an important aspect of incident response. In this phase, one determines the remedial
measures that must be taken to recover from the incident. The response strategy should also cover initiating adverse
action against an external attacker or an internal employee. In order to develop a good response strategy, it is required to analyze,
discuss and conduct sessions about the strategy. Basically, these sessions should include discussion of response strategy
considerations and policy verification.

Figure: Developing a Response Strategy
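The steps above (initial response checklist, incident declaration with a unique number, and sorting collected evidence into host-based, network-based and other evidence) can be captured in a small incident register. The following is an added example written for this section, not code from the textbook or from any incident response tool; the class names, the incident number format `INC-<year>-<TYPE>-<sequence>` and all sample data are constructed for illustration.

```python
"""Minimal incident register illustrating the initial-response steps:
an initial response checklist (general + specific parts), incident
declaration with a number based on type and order of occurrence, and
classification of collected evidence into the three categories."""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Dict, List, Optional


class EvidenceSource(Enum):
    HOST = "host-based"        # data from the affected Windows/UNIX systems
    NETWORK = "network-based"  # routers, IDS, other network monitors
    OTHER = "other"            # testimonial data: motive, intent, interviews


@dataclass
class EvidenceItem:
    description: str
    source: EvidenceSource
    collected_by: str


@dataclass
class InitialResponseChecklist:
    # Part 1: general information recorded when the notification arrives
    reported_by: str
    reported_on: date
    summary: str
    # Part 2: specific information used by CSIRT members for technical handling
    affected_hosts: List[str] = field(default_factory=list)
    admin_contact: Optional[str] = None
    indicators: List[str] = field(default_factory=list)

    def unanswered(self) -> List[str]:
        """Return the who/where/how questions that still have no answer."""
        missing = []
        if not self.affected_hosts:
            missing.append("where (affected hosts)")
        if not self.admin_contact:
            missing.append("who (administrative contact)")
        if not self.indicators:
            missing.append("how (indicators observed)")
        return missing


@dataclass
class Incident:
    number: str
    kind: str
    checklist: InitialResponseChecklist
    evidence: List[EvidenceItem] = field(default_factory=list)

    def evidence_by_source(self) -> Dict[str, int]:
        """Count collected items per evidence category."""
        counts = {s.value: 0 for s in EvidenceSource}
        for item in self.evidence:
            counts[item.source.value] += 1
        return counts


class IncidentRegister:
    """Assigns incident numbers in order of occurrence, per incident type."""

    def __init__(self) -> None:
        self._seq: Dict[str, int] = {}
        self.incidents: Dict[str, Incident] = {}

    def declare(self, kind: str, checklist: InitialResponseChecklist) -> Incident:
        # The activity is declared an incident as soon as it is suspected;
        # the number encodes year, type and sequence so it is unique.
        n = self._seq.get(kind, 0) + 1
        self._seq[kind] = n
        number = f"INC-{checklist.reported_on.year}-{kind.upper()}-{n:04d}"
        inc = Incident(number=number, kind=kind, checklist=checklist)
        self.incidents[number] = inc
        return inc


def build_sample_register() -> IncidentRegister:
    """Constructed sample data for demonstration (not a real incident)."""
    reg = IncidentRegister()
    first = InitialResponseChecklist(
        reported_by="helpdesk", reported_on=date(2024, 3, 5),
        summary="Unusual outbound traffic from a file server",
        affected_hosts=["fs01.example.test"],
        indicators=["repeated connections to 203.0.113.7 (constructed)"],
    )
    inc = reg.declare("malware", first)
    inc.evidence.append(EvidenceItem("memory image of fs01", EvidenceSource.HOST, "analyst-a"))
    inc.evidence.append(EvidenceItem("IDS alerts 03:10-03:40", EvidenceSource.NETWORK, "analyst-b"))
    inc.evidence.append(EvidenceItem("interview with server admin", EvidenceSource.OTHER, "lead"))
    # A second incident of the same type receives the next sequence number.
    reg.declare("malware", InitialResponseChecklist("soc", date(2024, 3, 6), "Suspicious attachment"))
    return reg


if __name__ == "__main__":
    for number, inc in build_sample_register().incidents.items():
        print(number, inc.evidence_by_source(), "missing:", inc.checklist.unanswered())
```

The `unanswered()` check reflects the interview step: it lists which of the "who, where, how" questions the checklist still cannot answer, so the CSIRT knows what to pursue before settling on a response strategy.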

