Internet and Network Forensics Indian Medical PG Practice Questions and MCQs
Practice Indian Medical PG questions for Internet and Network Forensics. These multiple choice questions (MCQs) cover important concepts and help you prepare for your exams.
Internet and Network Forensics Indian Medical PG Question 1: What is the forensic method of identification that utilizes lip prints?
- A. Trichology
- B. Dactylography
- C. Poroscopy
- D. Cheiloscopy (Correct Answer)
Internet and Network Forensics Explanation: ***Cheiloscopy***
- **Cheiloscopy** is the scientific study of lip prints for human identification, based on the unique patterns of furrows on the human lips.
- These patterns are considered individual and permanent, making them useful in forensic investigations.
*Dactylography*
- **Dactylography** is the study of fingerprints, which involves analyzing the unique patterns of ridges and furrows on the fingertips for identification.
- It is one of the most widely used and reliable methods for personal identification in forensic science, but does not involve lip prints.
*Poroscopy*
- **Poroscopy** is a forensic technique that involves the examination of the pores on the ridges of fingerprints.
- It is used to individualize fingerprints when there is insufficient ridge detail, but it focuses on pores, not lip prints.
*Trichology*
- **Trichology** is the scientific study of hair and scalp.
- In forensics, it involves analyzing hair samples to determine characteristics such as origin, race, and presence of toxins, but not lip prints.
Internet and Network Forensics Indian Medical PG Question 2: The web-based IT system for case-based surveillance under National Tuberculosis Elimination Programme (NTEP, formerly RNTCP) is
- A. NIKSHAY (Correct Answer)
- B. E-TB Tracker
- C. SURAKSHA
- D. SAFETY-NET
Internet and Network Forensics Explanation: ***NIKSHAY***
- **NIKSHAY** is the official web-based IT system used by the National Tuberculosis Elimination Programme (NTEP, formerly RNTCP) in India for **case-based surveillance** and monitoring of TB cases.
- Launched in 2012, it facilitates **real-time data entry**, tracking of patient outcomes, drug logistics management, and program monitoring, significantly improving the efficiency of TB control efforts.
- It enables **notification of all TB cases**, both from public and private sectors, ensuring comprehensive surveillance.
*E-TB Tracker*
- **E-TB Tracker** is not the designated IT system for TB surveillance under NTEP in India.
- This term may refer to other electronic tracking systems used in different contexts, but NIKSHAY remains the official platform for India's TB programme.
*SURAKSHA*
- **SURAKSHA** means safety or protection in Hindi and is not associated with any specific web-based IT system for TB surveillance under NTEP.
- This is not a recognized TB surveillance platform in the Indian context.
*SAFETY-NET*
- **SAFETY-NET** is a generic term referring to social protection programs or health support systems.
- There is no specific NTEP initiative for TB surveillance identified by this name.
Internet and Network Forensics Indian Medical PG Question 3: Hair investigation is useful in which type of poisoning?
- A. Lead
- B. Mercury
- C. Arsenic (Correct Answer)
- D. Cannabis
Internet and Network Forensics Explanation: ***Arsenic***
- Hair analysis is the **gold standard** for detecting **chronic arsenic poisoning** in forensic toxicology.
- Arsenic deposits in **keratinized tissues** (hair, nails) during growth, providing a **chronological timeline** of exposure over months to years.
- Can differentiate between acute single exposure and chronic repeated poisoning.
- **Most classical and commonly taught example** in forensic medicine for hair investigation.
*Mercury*
- Hair analysis is useful for **methylmercury (organic mercury)** exposure, particularly from dietary sources like fish.
- While medically valid, mercury hair analysis is more commonly used in **environmental/occupational monitoring** rather than acute forensic poisoning investigations.
- In forensic medicine curriculum, **arsenic remains the primary teaching example** for hair investigation in poisoning cases.
*Lead*
- **Blood lead levels** are the gold standard for lead poisoning assessment, reflecting recent or current exposure.
- Hair analysis for lead is **less standardized** and prone to **external contamination** from environmental sources.
- Not reliable for forensic diagnosis of lead poisoning.
*Cannabis*
- Hair can detect **THC metabolites** with a longer detection window (weeks to months) than urine or blood.
- However, cannabis "poisoning" refers to acute intoxication, where **blood/urine tests** are more relevant for immediate clinical and forensic assessment.
- Hair testing is used more for long-term drug use monitoring, not acute poisoning investigation.
Internet and Network Forensics Indian Medical PG Question 4: Doctor or nurse disclosing the identity of a rape victim is punishable under the following section of IPC?
- A. Section 224A
- B. Section 226A
- C. Section 222A
- D. Section 228A (Correct Answer)
Internet and Network Forensics Explanation: ***Section 228A IPC***
- This section of the Indian Penal Code specifically deals with the **disclosure of the identity of a victim of rape and certain sexual offenses** (Sections 376, 376A, 376AB, 376B, 376C, 376D, 376DA, 376DB, 376E).
- Making public the name or any matter that can reveal the identity of a rape victim by **any person, including doctors and nurses**, is a punishable offense.
- **Punishment**: Imprisonment up to **2 years** and fine.
- **Exception**: Disclosure is permitted only to authorized persons like police officers for investigation purposes.
- **Important**: This is now covered under **Section 72 of Bharatiya Nyaya Sanhita (BNS) 2023**, which replaced the IPC.
*Section 224A*
- This is **not a valid or recognized provision** within the Indian Penal Code.
- It does not relate to offenses concerning privacy or the identity of sexual assault victims.
*Section 226A*
- This is **not a valid or recognized provision** within the Indian Penal Code.
- It does not pertain to the confidentiality of victims of sexual offenses.
*Section 222A*
- This is **not a valid or recognized provision** within the Indian Penal Code.
- There is no such specific section addressing disclosure of victim identity in the IPC.
Internet and Network Forensics Indian Medical PG Question 5: A systematic observation and recording of activities of one or more individuals at random intervals is done in –
- A. Input-output analysis
- B. Work sampling (Correct Answer)
- C. System analysis
- D. Network analysis
Internet and Network Forensics Explanation: ***Work sampling***
- **Work sampling**, also known as activity sampling, involves making a large number of instantaneous observations at random intervals over a period to estimate the proportion of time a person or machine spends on different activities.
- This method is particularly useful for studying activities that are **irregular or non-repetitive**, providing a statistically valid estimate without continuous observation.
*Input-output analysis*
- **Input-output analysis** is an economic technique that describes the interdependencies between different sectors of an economy.
- It focuses on how the output of one industry becomes the input for another, rather than observing individual activities.
*System analysis*
- **System analysis** is a problem-solving technique that breaks down a system into its component pieces to study how these parts interact and work together.
- It is used for understanding and improving overall system function, not for random observation of individual activities.
*Network analysis*
- **Network analysis** involves studying the structure and flow within a network, such as social networks, computer networks, or project management networks.
- It focuses on relationships and connections between entities, not on the random sampling of individual activities.
Internet and Network Forensics Indian Medical PG Question 6: Dying declaration comes under?
- A. Section 60 IEA
- B. 291 CrPC
- C. Section 32 IEA (Correct Answer)
- D. Section 32 IPC
Internet and Network Forensics Explanation: ***Section 32 IEA***
- This section of the **Indian Evidence Act (IEA)** specifically deals with cases in which a statement of a relevant fact by a person who is dead or cannot be found, etc., is relevant.
- A **dying declaration** is a statement made by a person as to the cause of their death, or as to any of the circumstances of the transaction which resulted in their death when the cause of that person's death is in question.
*Section 60 IEA*
- This section refers to **oral evidence** and states that oral evidence must, in all cases whatever, be direct.
- It does not specifically address the admissibility of statements made by deceased persons.
*291 CrPC*
- This section relates to the **Code of Criminal Procedure (CrPC)** and deals with evidence of a formal character, which can be proved by affidavit.
- It is not concerned with the concept of dying declarations.
*Section 32 IPC*
- This refers to the **Indian Penal Code (IPC)**, which defines various offenses and their punishments.
- Section 32 of the IPC states that words referring to acts include illegal omissions; it does not deal with evidence or dying declarations.
Internet and Network Forensics Indian Medical PG Question 7: A physician is accused of death threats via anonymous email. Investigation reveals the email was sent through multiple proxy servers and TOR network from a public WiFi location. The suspect's home computer shows no direct evidence. Evaluate which combination of digital artifacts would MOST conclusively link the suspect to the anonymous communication?
- A. TOR browser installation artifacts, typing pattern analysis (keystroke dynamics), linguistic stylometry of email content, correlation with suspect's known writings, WiFi connection logs on suspect's devices matching crime timeframe, and browser artifacts showing proxy/anonymizer research preceding the incident (Correct Answer)
- B. IP address logs from public WiFi and timestamp correlation alone
- C. Eyewitness testimony of suspect's presence at WiFi location
- D. Confession obtained during interrogation
Internet and Network Forensics Explanation: ***TOR browser installation artifacts, typing pattern analysis (keystroke dynamics), linguistic stylometry of email content, correlation with suspect's known writings, WiFi connection logs on suspect's devices matching crime timeframe, and browser artifacts showing proxy/anonymizer research preceding the incident***
- This multimodal approach establishes a link by combining **behavioral biometrics** (keystroke dynamics and stylometry) with **forensic artifacts** (TOR installation and research) to overcome the technological anonymity provided by several proxy layers.
- Evidence of **premeditation** (researching anonymizers) and **temporal-spatial correlation** (WiFi logs matching the crime scene) provides the high level of certainty required for legal attribution in digital forensics.
*IP address logs from public WiFi and timestamp correlation alone*
- While this places a device at the location, it fails to account for **TOR network masking**, which hides the original source IP from external logs.
- **IP addresses** alone are insufficient for definitive attribution, as they do not identify the specific user behind the terminal or account for MAC address spoofing.
*Eyewitness testimony of suspect's presence at WiFi location*
- Presence at a public location is **circumstantial** and does not prove that the suspect was the individual interacting with the specific digital service at that time.
- Testimony is subject to **human error and bias**, lacking the objective scientific rigor found in **digital footprint analysis** and linguistic fingerprints.
*Confession obtained during interrogation*
- Confessions may be **retracted or ruled inadmissible** if any procedural errors or coercion are alleged during the interrogation process.
- Without **corroborating digital evidence**, a confession alone lacks the technical proof necessary to explain how the suspect bypassed complex security and **anonymization protocols**.
Internet and Network Forensics Indian Medical PG Question 8: A hospital's electronic medical records system was allegedly tampered with to alter a patient's medication history before a medico-legal case. The accused claims system errors caused the changes. Multiple users have access. How would you BEST establish intentional tampering versus system malfunction?
- A. Rely on testimony of IT administrator alone
- B. Compare only the final version with the original record
- C. Check only the current database entries for inconsistencies
- D. Correlate database transaction logs with user authentication logs, audit trails, system logs, and backup differentials to establish specific user actions, timing patterns inconsistent with normal workflow, and evidence of privilege escalation or unauthorized access (Correct Answer)
Internet and Network Forensics Explanation: ***Correlate database transaction logs with user authentication logs, audit trails, system logs, and backup differentials to establish specific user actions, timing patterns inconsistent with normal workflow, and evidence of privilege escalation or unauthorized access***
- Intentional tampering is best proven by correlating **multi-source forensic data**, which identifies specific **user-linked actions** that deviate from automated system processes.
- Unlike system glitches, which appear as random or non-specific patterns, deliberate modification is evidenced by **targeted SQL queries**, **privilege escalation**, or changes occurring during unauthorized login sessions.
*Rely on testimony of IT administrator alone*
- Forensic evidence must be **objective and verifiable**; subjective testimony is insufficient for high-level medico-legal cases without technical proof.
- An administrator may have **conflicts of interest** or lack the specific technical data needed to distinguish between a hardware fault and a malicious act.
*Compare only the final version with the original record*
- Comparing versions reveals *that* a change occurred, but it fails to show **how, when, or by whom** the modification was made.
- This method cannot differentiate between a **legitimate clinical update**, an automated system synchronization error, or manual tampering.
*Check only the current database entries for inconsistencies*
- Looking at current entries provides only a **static view** of the data and does not capture the **chronological sequence** of events required for forensic reconstruction.
- Inconsistencies could be blamed on **bug-ridden software** or data corruption unless a full **audit trail** links those inconsistencies to specific user accounts.
Internet and Network Forensics Indian Medical PG Question 9: An autopsy surgeon receives a laptop allegedly containing child pornography. Initial examination shows no illegal images in accessible folders, but forensic tools detect suspicious encrypted container files. Anti-forensic timestamp manipulation is suspected. Which analytical approach would provide the MOST legally defensible evidence?
- A. Interview suspect first before digital analysis
- B. Screenshot visible content and prepare report
- C. Decrypt containers and rely solely on file content analysis
- D. Hash comparison against known illegal image databases, analysis of file system journals, examination of thumbnail cache and temporary internet files, coupled with entropy analysis of encrypted containers (Correct Answer)
Internet and Network Forensics Explanation: ***Hash comparison against known illegal image databases, analysis of file system journals, examination of thumbnail cache and temporary internet files, coupled with entropy analysis of encrypted containers***
- This approach is most defensible because **hash values** provide unique digital signatures that match against known databases (like **NCMEC**) without needing to view every image.
- **File system journals** and **thumbnail caches** provide objective proof of possession and usage history that bypasses manual **timestamp manipulation**.
*Interview suspect first before digital analysis*
- Interviewing before securing a **forensic image** of the data risks the suspect remotely wiping or destroying evidence via **kill switches**.
- Digital evidence must be preserved and analyzed objectively before testimony to maintain a solid **chain of custody**.
*Screenshot visible content and prepare report*
- Screenshots do not capture **metadata** or hidden data, and they are easily challenged in court as they do not prove the **integrity** of the original file.
- This method ignores the **encrypted containers**, failing to address the primary locations where illegal material is likely hidden.
*Decrypt containers and rely solely on file content analysis*
- Relying only on content analysis might fail if encryption keys cannot be recovered or if the suspect claims the files were **planted**.
- This narrow approach lacks the corroborating evidence provided by **entropy analysis** and **internet temporary files** which show the intent and history of the user's actions.
Internet and Network Forensics Indian Medical PG Question 10: A medical professional is accused of leaking confidential patient data via USB drive. Forensic examination reveals no files on the USB, but Registry analysis shows recent USB activity. File carving recovers deleted patient records. Which combination of artifacts would BEST establish the accused's intent and timeline?
- A. Link files (LNK), Prefetch files, USB connection timestamps, and recovered file metadata showing access patterns (Correct Answer)
- B. USB serial number from Registry and file creation dates only
- C. Link files (LNK), Prefetch files, USB connection timestamps, and recovered file metadata showing access patterns (Correct Answer)
- D. Recycle Bin contents and recent documents list only
- E. Browser history and email logs only
Internet and Network Forensics Explanation: ***Link files (LNK), Prefetch files, USB connection timestamps, and recovered file metadata showing access patterns***
- **LNK files** and **Prefetch files** provide evidence of specific file execution and volume serial numbers, linking the patient data directly to the external drive.
- **USB connection timestamps** and **metadata** establish a chronological timeline of when the device was connected and when files were accessed or deleted, proving **deliberate intent**.
*USB serial number from Registry and file creation dates only*
- While the **USB serial number** proves the device was connected, it does not provide information about which specific files were handled.
- **File creation dates** alone cannot distinguish between a legitimate automated system process and a manual, intentional data export by a user.
*Recycle Bin contents and recent documents list only*
- Files deleted from a **USB drive** typically do not go to the system **Recycle Bin**, making this artifact unreliable for external data leak investigations.
- **Recent documents** lists show file names but lack the **forensic depth** required to prove that the data was actually transferred to an external medium.
*Browser history and email logs only*
- These artifacts focus on **network-based exfiltration** and do not provide evidence regarding local physical transfers via **USB interface**.
- They fail to capture the **file carving** results or the specific interaction between the host OS and the hardware device in question.