
DF-2

Assignment-2

Vamsi
CSE CSF B2
Roll Number 58
SAP ID 500053371

1. i) JTAG stands for ‘Joint Test Action Group’. It is an advanced-level data acquisition
method which involves connecting to the Test Access Ports (TAPs) on a device and instructing
the processor to transfer the data stored on the device’s memory chips. When supported,
JTAG extraction is extremely effective for obtaining a full physical image from devices that
cannot be acquired with normal tools.
ii) D-O-R-A Process:-
The DORA process stands for:
Discover
Offer
Request
Acknowledge
It is the message flow used in DHCP between a client and a server.
The interaction starts with Discover, which is sent by a client connected to the local subnet.
Offer is sent by the DHCP server to the client in response to the Discover message; it contains
a network configuration for the client, such as the IP address being offered. Request is sent
by the client to indicate that it accepts the offered network configuration from that DHCP
server. Acknowledge is then sent by the server to the client to confirm that it can now start
using the network.
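The DORA exchange above, worked through on the actual DHCP wire format as an added example (this is not part of the original assignment). Both sides serialise and parse real BOOTP/DHCP messages; the server address 192.168.1.1, the address pool and the client MAC are constructed values.

```python
import struct
import ipaddress
MAGIC = b"\x63\x82\x53\x63"                 # RFC 2131 magic cookie that precedes the options
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5  # option 53 message-type values (RFC 2132)
HDR = "!BBBBIHH4s4s4s4s16s64s128s"          # 236-byte fixed BOOTP header

def build(op, xid, mac, yiaddr="0.0.0.0", msg_type=DISCOVER, extra=()):
    """Serialise one DHCP message; extra is an iterable of (option_code, value_bytes)."""
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0, bytes(4),
                      ipaddress.IPv4Address(yiaddr).packed, bytes(4), bytes(4),
                      mac, bytes(64), bytes(128))
    opts = bytes([53, 1, msg_type]) + b"".join(bytes([c, len(v)]) + v for c, v in extra)
    return hdr + MAGIC + opts + b"\xff"

def parse(data):
    """Return (op, xid, yiaddr, chaddr, options) or raise ValueError on a malformed message."""
    if len(data) < 240 or data[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    f = struct.unpack(HDR, data[:236])
    opts, i = {}, 240
    while i < len(data) and data[i] != 255:    # TLV options until the END option
        if data[i] == 0:                        # PAD byte
            i += 1
            continue
        code, ln = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + ln]
        i += 2 + ln
    return f[0], f[4], str(ipaddress.IPv4Address(f[8])), f[11][:f[2]], opts

def dora(pool, mac, xid=0x3903F326):
    server_id = ipaddress.IPv4Address("192.168.1.1").packed   # constructed server address
    seen = []
    # 1. client -> broadcast: DISCOVER (no address yet, so yiaddr stays 0.0.0.0)
    d = parse(build(1, xid, mac))
    seen.append(d[4][53][0])
    # 2. server -> client: OFFER an address from its pool, identifying itself with option 54
    offered = pool.pop(0)
    o = parse(build(2, d[1], d[3], offered, OFFER, [(54, server_id)]))
    seen.append(o[4][53][0])
    # 3. client -> server: REQUEST the offered address (option 50) from that server (option 54)
    r = parse(build(1, xid, mac, msg_type=REQUEST,
                    extra=[(50, ipaddress.IPv4Address(o[2]).packed), (54, o[4][54])]))
    seen.append(r[4][53][0])
    # 4. server -> client: ACK with a lease time (option 51) only if the request matches the offer
    if r[4][50] != ipaddress.IPv4Address(offered).packed or r[4][54] != server_id:
        raise RuntimeError("request does not match the offer")
    a = parse(build(2, xid, mac, offered, ACK, [(54, server_id), (51, struct.pack("!I", 86400))]))
    seen.append(a[4][53][0])
    return seen, a[2]     # ([1, 2, 3, 5], leased address)
```

`dora(["192.168.1.50"], b"\xaa\xbb\xcc\xdd\xee\xff")` walks all four messages and returns the leased address; the option-53 values it collects are the DORA sequence in order.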

iii) IMEI
IMEI is short for International Mobile Equipment Identity and is a unique number given to
every single mobile phone, typically found behind the battery.
IMEI numbers of cellular phones connected to a GSM network are stored in a database (EIR -
Equipment Identity Register) containing all valid mobile phone equipment.
2 Ans.
JPEG (Joint Photographic Experts Group) is a lossy compression method. JPEG images are
usually stored in the JFIF (JPEG File Interchange Format). Nearly every digital camera can
save images in the JPEG format, which supports 8 bit grayscale images and 24 bit color
images. It applies lossy compression to images, which can result in a significant reduction of
the file size, which is helpful when storage space is limited. JPEG files suffer
generational degradation when repeatedly edited and saved. JPEG also defines a lossless
storage mode, but it is not widely supported.
GIF
GIF, or Graphics Interchange Format, is in normal use limited to an 8 bit palette or 256 colors.
GIF is most suitable for storing graphics with a few colors such as simple drawings, logos,
shapes, etc. It uses lossless compression which is more effective when large areas have a
single color, and less effective for photographic images or dithered images. It is widely used
to provide animation effects, despite its low compression ratio compared to modern video
formats.
PNG
The PNG (Portable Network Graphics) file format was created as a free, open-source
alternative to GIF. The PNG file format supports eight-bit paletted images (with optional
transparency for all palette entries) and 24-bit truecolor (16 million colors) or 48-bit truecolor,
with and without an alpha channel, while GIF supports only 256 colours and a single
transparent colour.
Compared to JPEG, PNG excels when the image has large, uniformly coloured areas. Even
for photographs – where JPEG is often the choice for final distribution since its compression
technique typically yields smaller file sizes – PNG is still well-suited to storing images during
the editing process because of its lossless compression.
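An added example (not part of the original assignment) showing how an examiner tells these three formats apart from their headers alone and reads back the colour-depth facts discussed above: the JFIF APP0 and SOF0 segments of a JPEG, the palette size in a GIF's logical screen descriptor, and the bit depth and colour type in a PNG IHDR chunk (whose CRC is verified, so a truncated or tampered header is flagged). The sample headers are constructed in the code, not taken from real files.

```python
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}   # samples per pixel by PNG colour type

def identify(data):
    if data.startswith(PNG_SIG):
        # First chunk must be IHDR: len(4) "IHDR" width height depth colour comp filter interlace crc(4)
        length, ctype = struct.unpack("!I4s", data[8:16])
        if ctype != b"IHDR" or length != 13:
            raise ValueError("PNG without a leading IHDR chunk")
        w, h, depth, colour = struct.unpack("!IIBB", data[16:26])
        if zlib.crc32(data[12:29]) != struct.unpack("!I", data[29:33])[0]:
            raise ValueError("IHDR CRC mismatch: truncated or tampered header")
        return {"format": "PNG", "width": w, "height": h, "palette": colour == 3,
                "alpha": colour in (4, 6), "bits_per_pixel": depth * PNG_CHANNELS[colour]}
    if data[:6] in (b"GIF87a", b"GIF89a"):
        # Logical screen descriptor: little-endian width/height, packed byte with global colour table size
        w, h, packed = struct.unpack("<HHB", data[6:11])
        palette = 2 ** ((packed & 0x07) + 1) if packed & 0x80 else 0
        return {"format": "GIF", "version": data[3:6].decode(), "width": w, "height": h,
                "palette_colours": palette}
    if data[:2] == b"\xff\xd8":
        # JPEG: walk the marker segments. APP0 "JFIF\0" marks the JFIF container; SOF0/SOF2 gives
        # sample precision x component count (8 bits x 3 components = 24-bit colour).
        info, i = {"format": "JPEG", "jfif": False}, 2
        while i + 4 <= len(data) and data[i] == 0xFF:
            marker, seglen = data[i + 1], struct.unpack("!H", data[i + 2:i + 4])[0]
            seg = data[i + 4:i + 2 + seglen]
            if marker == 0xE0 and seg[:5] == b"JFIF\0":
                info["jfif"] = True
            elif marker in (0xC0, 0xC2):
                prec, h, w, comps = struct.unpack("!BHHB", seg[:6])
                info.update(width=w, height=h, bits_per_pixel=prec * comps)
                break
            i += 2 + seglen
        return info
    raise ValueError("unrecognised signature")

# Constructed sample headers (not real files): just enough bytes for identify() to parse.
def png_sample(depth=8, colour=6):
    ihdr = b"IHDR" + struct.pack("!IIBBBBB", 16, 16, depth, colour, 0, 0, 0)
    return PNG_SIG + struct.pack("!I", 13) + ihdr + struct.pack("!I", zlib.crc32(ihdr))
def gif_sample():       # 0xF7: global colour table present, 2^(7+1) = 256 colours
    return b"GIF89a" + struct.pack("<HHB", 16, 16, 0xF7) + b"\x00\x00"
def jpeg_sample():      # SOI, APP0/JFIF segment, SOF0 with 8-bit precision and 3 components
    app0 = b"\xff\xe0" + struct.pack("!H", 16) + b"JFIF\0\x01\x01\x00" + struct.pack("!HHBB", 1, 1, 0, 0)
    sof0 = b"\xff\xc0" + struct.pack("!H", 17) + struct.pack("!BHHB", 8, 16, 16, 3) + bytes(9)
    return b"\xff\xd8" + app0 + sof0
```

`png_sample(8, 3)` reports an 8-bit paletted image and `png_sample(16, 2)` a 48-bit truecolor one, matching the depths the text lists for PNG.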

3 Ans. Steganalysis is the study of detecting messages hidden using steganography. It is
analogous to cryptanalysis applied to cryptography. The goal of steganalysis is to identify
suspected packages, determine whether or not they have a payload encoded into them, and, if
possible, recover the payload. Steganalysis generally starts with a pile of suspect data files
but little information about which of the files, if any, contain a payload. The steganalyst is
usually something of a forensic statistician, and must start by reducing this set of data files
(which is often quite large; in many cases, it may be the entire set of files on a computer) to
the subset most likely to have been altered.
There are many steganalysis tools; a few of them are:-
1. Camouflage
2. Steganos
3. JPHide
4 Ans. There is a variety of attacks on steganography; they are:-
i. File Only
In this, the attacker has access only to the file and must determine whether or not data is
hidden in it.

ii. File and Original copy
If the attacker has a copy of the original file and the encoded file, then the real
question is what the attacker will do with the secret message, i.e. destroy the hidden
information, extract the hidden information, replace it, etc.

iii. Reformat Attack
One of the possible attacks is to change the format of the file. Different file formats do
not store the data in exactly the same way.

iv. Destroy Everything Attack
In this, the attacker could simply replace the whole message.

v. Compression Attack
One of the simplest attacks is to compress the file containing the hidden information.
Compression algorithms try to remove the extraneous information from a file, and
usually a hidden file is also meant to be extraneous.

vi. Random Tweaking Attack
An attacker could simply add small, random tweaks in order to destroy the message,
rendering the entire process useless.

vii. Structural Attack
Steganographic algorithms generally leave a characteristic structure in the data. The
organization of the carrier file is distinctive once data has been embedded into it.
By analyzing the statistical profile of the bits, the attacker can easily judge how close
he/she is to the secret message. These changes to the carrier file usually make the
hidden message easy to identify.

5 Ans. Physical acquisition, also known as a physical memory dump, is a technique for
capturing all the data from the flash memory chips on the mobile device. It allows the
forensic tool to collect remnants of deleted data. Initially, the acquired data is in raw
format and cannot be read. Later on, some methods are applied to convert that data into a
human-readable form. Logical acquisition, or logical extraction, on the other hand, is a
technique for extracting the files and folders from a mobile device without any of the deleted
data. However, some vendors describe logical extraction narrowly as the ability to gather a
particular data type, such as pictures, call history, text messages, calendar, videos, and
ringtones. A software tool is used to make a copy of the files.

For example, if we find an iPhone to be evidence in a case, the data stored locally in the
phone’s flash memory would be the physical data we acquire, whereas the iTunes backup is
used to make a logical image of an iPhone or iPad, and that is the logical data we acquire.
6 Ans. Given the scenario, these are the steps I would take to deal with the issue:-
I. Immediately ask the employee to stop using that machine, as it has been compromised.
II. Perform a security audit and check whether any more systems or accounts are affected
without the employees knowing.
III. Ask him to change his passwords (as many people set the same password for multiple
accounts) and set up 2-factor authentication.
IV. Check the network for any backdoors.
V. Update/install patches for all the anti-virus software the organization is using.
VI. Fix the loophole that let the attacker get into the system.
