SECTION B: DESCRIPTION QUESTIONS

12 Terms

1

1.a. Define the process of digital forensics.

Digital forensics is a structured, documented process in which investigators identify potential sources of digital evidence, preserve them so they are not altered (for example by write-blocking storage and hashing it), acquire them in a forensically sound way, examine and analyze the data to establish what happened, and finally report and present the findings in a form that a court or other decision-maker can accept. Each step is recorded so that another examiner could repeat it and reach the same result.

2

1.b. What is the core goal?

The core goal is to accurately recover, analyze, and present digital evidence while preserving its integrity, so that it can be trusted in legal or organizational decisions.

3

1.c. What are the challenges?

Investigators must cope with huge data volumes, easily altered or volatile evidence, strong encryption and security measures, deliberate anti-forensics, constantly changing technologies, and the need to maintain a flawless chain of custody under tight time and legal constraints.

4

2.a. What is the difference between traditional forensics and AI-driven forensics?

Traditional digital forensics leans heavily on manual work, simple keyword searches, and rule-based checks, which can be slow and may overlook subtle or complex patterns in large datasets. AI-driven forensics adds machine learning and automation, letting systems quickly scan massive data, spot non-obvious patterns or anomalies, and even predict where relevant evidence is likely to reside, making investigations faster and often more accurate. The output of such a model is still a lead, not a finding: an examiner has to validate it against the underlying data and be able to explain it before it is relied on in court.

5

3.a. What is the role of AI in forensics?

AI acts as a force multiplier: it automates repetitive tasks, highlights suspicious behaviors or patterns that humans might miss, and helps investigators make sense of Big Data in a reasonable time.

6

3.b. Describe AI techniques used in forensics.

Common techniques include machine learning classifiers and clustering algorithms to group or tag evidence, NLP models to analyze emails and messages, computer vision models to detect manipulated images or videos, anomaly detection to flag behavior that departs from an established baseline, and graph analysis (including graph neural networks) to trace relationships such as communication paths between IP addresses or cryptocurrency flows.
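The anomaly-detection technique listed above, shown on constructed authentication log lines as an added example (this is not code from the original study set). It counts failed logins per account and flags accounts whose count is far outside a robust baseline built from the median and median absolute deviation (MAD), so that one extreme account cannot inflate the baseline it is compared against. The log format, user names and host names are invented for the example.

```python
"""Flag accounts with an abnormal number of failed logins (added example)."""
import re
from collections import Counter
from statistics import median

# Constructed sample log, not taken from any real system: "timestamp user host result"
SAMPLE_LOG = """\
2024-03-01T08:00:01 alice ws-01 ok
2024-03-01T08:00:09 alice ws-01 fail
2024-03-01T08:01:15 bob ws-02 ok
2024-03-01T08:02:30 carol ws-03 fail
2024-03-01T08:02:41 carol ws-03 fail
2024-03-01T08:02:55 carol ws-03 ok
2024-03-01T08:03:02 dave ws-04 fail
2024-03-01T08:03:10 dave ws-04 ok
2024-03-01T08:04:00 erin ws-05 fail
2024-03-01T08:04:07 erin ws-05 fail
2024-03-01T08:04:20 erin ws-05 fail
2024-03-01T08:04:31 erin ws-05 ok
2024-03-01T08:05:00 frank ws-06 ok
2024-03-01T08:05:44 grace ws-07 fail
2024-03-01T08:05:50 grace ws-07 ok
2024-03-01T03:12:01 svc_backup db-01 fail
2024-03-01T03:12:02 svc_backup db-01 fail
2024-03-01T03:12:03 svc_backup db-01 fail
2024-03-01T03:12:04 svc_backup db-01 fail
2024-03-01T03:12:05 svc_backup db-01 fail
2024-03-01T03:12:06 svc_backup db-01 fail
2024-03-01T03:12:07 svc_backup db-01 fail
2024-03-01T03:12:08 svc_backup db-01 fail
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<result>ok|fail)$")


def parse_events(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def failures_per_user(events):
    """Failed-login count per account, including accounts with zero failures."""
    seen = Counter(e["user"] for e in events)
    fails = Counter(e["user"] for e in events if e["result"] == "fail")
    return {user: fails.get(user, 0) for user in seen}


def robust_z_scores(values):
    """(value - median) / (1.4826 * MAD); 1.4826 scales MAD to sigma for normal data."""
    med = median(values.values())
    mad = median(abs(v - med) for v in values.values())
    if mad == 0:
        # Degenerate baseline (most values identical): fall back to mean absolute
        # deviation; if that is also 0, nothing can be called anomalous.
        mad = sum(abs(v - med) for v in values.values()) / len(values)
        if mad == 0:
            return {k: 0.0 for k in values}
    return {k: (v - med) / (1.4826 * mad) for k, v in values.items()}


def flag_anomalies(text, threshold=3.5):
    """Accounts whose failed-login count exceeds the robust z-score threshold."""
    scores = robust_z_scores(failures_per_user(parse_events(text)))
    return sorted(user for user, z in scores.items() if z > threshold)


if __name__ == "__main__":
    print(flag_anomalies(SAMPLE_LOG))
```

With the sample above the baseline is a median of one failure and a MAD of one, so `svc_backup` (eight failures, robust z of about 4.7) is flagged while `erin` (three failures, z of about 1.35) is not; lowering the threshold to 1.0 pulls `erin` in as well, which is the kind of tuning decision the examiner, not the model, has to justify.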

7

3.c. Give two examples of AI in forensic analysis.

One example is AI-based malware detection that learns from code behavior and network traces to identify new malware variants, even when signatures don’t exist yet. Another is deepfake audio detection, where models examine spectrograms and acoustic features to tell a synthetic “CEO voice” from a real one in voice-phishing fraud cases.

8

4.a. Explain the importance of chain of custody in digital forensic investigations. Describe how improper handling can affect legal admissibility of evidence.

Chain of custody is the formal record that shows exactly who handled a piece of evidence, when they handled it, why they had it, and what they did with it, together with a cryptographic hash (for example SHA-256) computed at acquisition and re-verified at every handoff, proving that the evidence has not been tampered with since it was collected. If the chain is broken, through missing signatures, incorrect timestamps, unexplained transfers, or mismatched hash values, defense attorneys can argue that the evidence might have been altered or planted, which can lead to that evidence being excluded or an otherwise strong case being undermined.
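A hash-verified custody log, as an added example that is not part of the original study set. Each entry records the who/when/why of a handoff and the SHA-256 of the evidence as the receiving party re-hashed it; each entry also commits to the digest of the previous entry, so an edited record, a deleted handoff, or a hash that no longer matches the acquisition hash all show up at verification time. Evidence identifiers, handler names and timestamps in the demo are invented.

```python
"""Tamper-evident chain-of-custody log (added example, not the page's own code)."""
import hashlib
import json

GENESIS = "0" * 64  # link value for the first (acquisition) entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_digest(body: dict) -> str:
    """Canonical JSON (sorted keys) so the digest does not depend on dict order."""
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class CustodyLog:
    def __init__(self, evidence_id, evidence_bytes, collector, collected_at):
        self.evidence_id = evidence_id
        # The acquisition hash is the reference every later handoff is checked against.
        self.acquisition_hash = sha256_hex(evidence_bytes)
        self.entries = []
        self._append(collector, collected_at, "acquisition", self.acquisition_hash)

    def _append(self, handler, when, purpose, evidence_hash):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {
            "evidence_id": self.evidence_id,
            "handler": handler,
            "when": when,
            "purpose": purpose,
            "evidence_hash": evidence_hash,
            "prev_entry_hash": prev,
        }
        body["entry_hash"] = _entry_digest(body)
        self.entries.append(body)

    def transfer(self, handler, when, purpose, evidence_bytes):
        """Record a handoff; the receiver hashes the copy they were actually given."""
        self._append(handler, when, purpose, sha256_hex(evidence_bytes))

    def verify(self):
        """Return a list of problems; an empty list means the chain is intact."""
        problems = []
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if _entry_digest(body) != e["entry_hash"]:
                problems.append(f"entry {i}: record altered after it was written")
            if e["prev_entry_hash"] != prev:
                problems.append(f"entry {i}: link to previous entry broken (missing or reordered handoff)")
            if e["evidence_hash"] != self.acquisition_hash:
                problems.append(f"entry {i}: evidence hash mismatch for handler {e['handler']}")
            prev = e["entry_hash"]
        return problems


def demo():
    """Hypothetical case: a clean chain, then a modified copy handed to the next analyst."""
    image = b"constructed disk image bytes"  # stands in for a real acquisition image
    log = CustodyLog("EV-001", image, "collector Ng", "2024-03-01T09:00Z")
    log.transfer("lab tech Osei", "2024-03-01T11:30Z", "transfer to evidence storage", image)
    log.transfer("analyst Park", "2024-03-02T08:15Z", "analysis", image)
    clean = log.verify()
    log.transfer("analyst Ruiz", "2024-03-03T10:00Z", "analysis", image + b"\x00")
    return clean, log.verify()


if __name__ == "__main__":
    print(demo())
```

The point of chaining entry digests is that a custody log is itself evidence: a page of handwritten signatures can lose a line without anyone noticing, whereas here removing or rewriting one handoff breaks the link stored in the following entry.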

9

Data volume

Big Data systems can hold petabytes of information, so copying everything is unrealistic; investigators deal with this by doing targeted collections (focusing on certain users, time windows, or data types), using distributed forensic tools that work in parallel, and applying intelligent sampling strategies.

10

Data velocity

Many Big Data platforms process data at high speed as continuous streams, meaning evidence can change or disappear quickly; to keep up, investigators rely on live forensics, real-time monitoring and logging, and point-in-time snapshots to capture critical data before it is overwritten.

11

Data distribution

Evidence may be spread across many nodes, data centers, or cloud regions; the usual approach is to map the whole architecture first, then coordinate simultaneous or carefully sequenced acquisitions using Hadoop-aware tools, recording each node's clock offset, so that timestamps and contexts from different nodes still line up.

12

Evidence volatility

Some Big Data evidence only exists briefly in memory or temporary buffers; investigators follow the order of volatility, grabbing the most volatile data first (memory and transient logs), use continuous monitoring tools that can run on live systems without altering or disrupting them, and then move on to more persistent storage once the most fragile evidence is safe.