Emerging Trends in Computer Engineering - Information Technology
Emerging Trends in
Computer Engineering and
Information Technology
(22618)
Semester - VI
(CO, CM, CW, IF)
Maharashtra State
Board of Technical Education, Mumbai
(Autonomous)(ISO:9001:2015) (ISO/IEC 27001:2013)
4th Floor, Government Polytechnic Building, 49, Kherwadi,
Bandra (East), Mumbai -400051.
(Printed on May, 2018)
Maharashtra State
Board of Technical Education
Certificate
This is to certify that Mr. / Ms. …………………………… Roll No. ……………… of ………… Semester of Diploma in …………………………… of Institute …………………………… (Code ………………) has attained the pre-defined practical outcomes (PROs) satisfactorily in the course Emerging Trends in CO and IT (22618) for the academic year 20…… to 20…… as prescribed in the curriculum.
Seal of the Institute
Preface
The primary focus of any engineering work in the technical education system is to develop the much needed industry relevant competencies and skills. With this in view, MSBTE embarked on the innovative “I” scheme curricula for engineering diploma programmes, with outcome based education through continuous inputs from socio-economic sectors. During the consultation held while preparing the Perspective Plan for diploma level technical education, the industry experts categorically mentioned that a curriculum, once revised and implemented, is normally revised again only after 4-5 years. The technological advancements being envisaged and faced by the industry in the present era are rapid, so the curriculum needs to be revised to take care of such advancements and should therefore have a provision for accommodating continual change. These views of the industry experts were well taken and further discussed in the academic committee of MSBTE, wherein it was decided to build dynamism into the curriculum for imparting the latest technological advancements in the respective fields of engineering. In order to provide students an opportunity to learn about these technological advancements, a course with the nomenclature “Emerging Trends in Computer Engineering & Information Technology” is introduced in the 6th semester of the Computer Engineering & Information Technology Group.
Deciding which technological advancements should be depicted in a course called Emerging Trends was a challenging task, and it was therefore decided to prepare learning material with the involvement of industrial and academic experts, for uniformity in the aspects of delivery, implementation and evaluation.
This learning manual is designed to help all stakeholders, especially students and teachers, and to develop in the student the pre-determined outcomes. Both students and teachers are expected to explore the various topics mentioned in the learning manual further, to keep themselves updated about advancements in the related technology.
MSBTE wishes to thank the Learning Manual development team, specifically Mr. Nareshumar Harale, Chairman of the Course Committee, the Industry Experts, Smt. M.U. Kokate, Coordinator of Computer Engineering, Mr. J. R. Nikhade, Coordinator of Information Technology, and the academic experts for their intensive efforts to formulate the learning material on “Emerging Trends in Computer Engineering & Information Technology”. Since the topic is an emerging trend and the curriculum provides for dynamism, any suggestions towards enrichment of the topics, and thereby the course, will be highly appreciated.
Unit No.    Unit/Topic    Page No.
3.3 Ethical issues in digital forensic 60
General ethical norms for investigators 60
Unethical norms for investigation 60
4 Digital Evidences 62
4.1 Digital Evidences 62
Definition of Digital Evidence 62
Best Evidence Rule 64
Original Evidence 64
4.2 Rules of Digital Evidence 65
4.3 Characteristics of Digital Evidence 66
Locard’s Exchange Principle 66
Digital Stream of bits 67
4.4 Types of evidence 67
Illustrative, Electronics, Documented, Explainable, Substantial, Testimonial 67
4.5 Challenges in evidence handling 68
Authentication of evidence 68
Chain of custody 68
Evidence validation 71
4.6 Volatile evidence 72
5 Basics of Hacking 80
5.1 Ethical Hacking 80
How Hackers Beget Ethical Hackers 82
Defining hacker, Malicious users 85
5.2 Understanding the need to hack your own systems 87
5.3 Understanding the dangers your systems face 88
Nontechnical attacks 88
Network-infrastructure attacks 89
Operating-system attacks 89
Application and other specialized attacks 89
5.4 Obeying the Ethical hacking Principles 90
Working ethically 90
Respecting privacy 90
Not crashing your systems 90
5.5 The Ethical hacking Process 90
Formulating your plan 90
Selecting tools 92
Executing the plan 93
Evaluating results 94
Moving on 94
5.6 Cracking the Hacker Mind-set 94
What You’re Up Against? 94
Who breaks in to computer systems? 96
Why they do it? 97
Planning and Performing Attacks 99
Maintaining Anonymity 100
6 Types of Hacking 107
6.1 Network Hacking 107
Network Infrastructure 108
Network Infrastructure Vulnerabilities 108
Scanning-Ports 109
Ping sweeping 112
Scanning SNMP 113
Grabbing Banners 113
Analysing Network Data and Network Analyzer 114
MAC-daddy attack 115
Wireless LANs: 117
Implications of Wireless Network Vulnerabilities, 117
Wireless Network Attacks 117
6.2 Operating System Hacking 119
Introduction of Windows and Linux Vulnerabilities 119
6.3 Applications Hacking 121
Messaging Systems 121
Vulnerabilities, 121
E-Mail Attacks- E-Mail Bombs, 122
Banners, 124
Best practices for minimizing e-mail security risks 124
Web Applications: 125
Web Vulnerabilities, 125
Directories Traversal and Countermeasures, 126
Database system 127
Database Vulnerabilities 127
Best practices for minimizing database security risks 128
Content
1.1 Introduction of AI
o Concept
o Scope of AI
o Components of AI
o Types of AI
o Application of AI
1.2 Concept of machine learning and deep learning.
1.1 Introduction of AI
Artificial Intelligence (AI) is a branch of Computer Science that pursues creating computers and machines as intelligent as human beings. John McCarthy, the father of Artificial Intelligence, described AI as “the science and engineering of making intelligent machines, especially intelligent computer programs”. Artificial Intelligence (AI) is a branch of science which deals with helping machines find solutions to complex problems in a more human-like fashion.
Artificial Intelligence has been defined in different ways by various researchers during its evolution, for example: “Artificial Intelligence is the study of how to make computers do things which, at the moment, people do better.”
Other definitions are possible, such as: “AI is a collection of hard problems which can be solved by humans and other living things, but for which we don’t have good algorithms for solving”, e.g. understanding spoken natural language, medical diagnosis, circuit design, learning, self-adaptation, reasoning, chess playing, proving mathematical theorems, etc.
Data: Data is defined as symbols that represent properties of objects, events and their environment.
Information: Information is a message that contains relevant meaning, implication, or input for decision and/or action.
Knowledge: It is the (1) cognition or recognition (know-what), (2) capacity to act (know-how), and (3) understanding (know-why) that resides or is contained within the mind or in the brain.
1.1.1 Concept:
Artificial Intelligence is one of the emerging technologies that try to simulate human reasoning in AI systems. The art and science of bringing learning, adaptation and self-organization to the machine is the art of Artificial Intelligence. Artificial Intelligence is the ability of a computer program to learn and think. Artificial intelligence (AI) is an area of computer science that emphasizes the creation of intelligent machines that work and react like humans. AI is built on these three important concepts:
Machine learning: When you command your smartphone to call someone, or when you chat
with a customer service chatbot, you are interacting with software that runs on AI. But this
type of software actually is limited to what it has been programmed to do. However, we
expect to soon have systems that can learn new tasks without humans having to guide them.
The idea is to give them a large number of examples for any given chore, and they should be able to process each one and learn how to do it by the end of the activity.
Deep learning: The machine learning example I provided above is limited by the fact that
humans still need to direct the AI’s development. In deep learning, the goal is for the software
to use what it has learned in one area to solve problems in other areas. For example, a
program that has learned how to distinguish images in a photograph might be able to use this
learning to seek out patterns in complex graphs.
Neural networks: These consist of computer programs that mimic the way the human brain
processes information. They specialize in clustering information and recognizing complex
patterns, giving computers the ability to use more sophisticated processes to analyze data.
AI Approach:
The difference between machine and human intelligence is that humans think and act rationally compared to machines. Historically, all four approaches to AI have been followed, each by different people with different methods.
Think Well:
Develop formal models of knowledge representation, reasoning, learning, memory and problem solving that can be rendered in algorithms. There is often an emphasis on systems that are provably correct and guarantee finding an optimal solution.
Act Well:
For a given set of inputs, generate an appropriate output that is not necessarily correct but gets
the job done.
A heuristic (heuristic rule, heuristic method) is a rule of thumb, strategy, trick, simplification, or any other kind of device which drastically limits the search for solutions in large problem spaces. Heuristics do not guarantee optimal solutions; in fact, they do not guarantee any solution at all. All that can be said for a useful heuristic is that it offers solutions which are good enough most of the time.
GPS (General Problem Solver): The goal was not just to produce humanlike behaviour (like ELIZA), but to produce a sequence of reasoning steps similar to the steps followed by a person in solving the same task.
include bits of the input (after simple transformations such as my → your). Weizenbaum was shocked at the reactions: psychiatrists thought it had potential, and people unequivocally anthropomorphized it.
1.1.3 Components of AI
The core components and constituents of AI are derived from the concepts of logic, cognition and computation, and the compound components, built up from the core components, are knowledge, reasoning, search, natural language processing, vision etc.
The core entities are inseparable constituents of AI in that these concepts are fused at the atomic level. The concepts derived from logic are propositional logic, tautology, predicate calculus, model and temporal logic. The concepts of cognitive science are of two types: one is functional, which includes learning, adaptation and self-organization, and the other is memory and perception, which are physical entities. The physical entities generate some functions to make the compound components.
The compound components are made of some combination of the logic and cognition streams. These are knowledge, reasoning and control, generated from constituents of logic such as predicate calculus, induction and tautology, and some from cognition (such as learning and adaptation). Similarly, belief, desire and intention are models of mental states that are predominantly based on cognitive components but less on logic. Vision, utterance (vocal) and expression (written) are the combined effect of memory and perceiving organs or body sensors such as the ears, eyes and vocal organs. The gross level contains the constituents at the third level, which are knowledge-based systems (KBS), heuristic search, automatic theorem proving, multi-agent systems, AI languages such as PROLOG and LISP, and natural language processing (NLP). Speech processing and vision are based mainly on the principle of pattern recognition.
AI Dimension: The philosophy of AI in a three-dimensional representation consists of logic, cognition and computation in the x-direction, and knowledge, reasoning and interface in the y-direction. The x-y plane is the foundation of AI. The z-direction consists of correlated systems of physical origin such as language, vision and perception, as shown in Figure 1.1.
Cognition:
Computers became so popular in a short span of time for the simple reason that they adopted and projected the information processing paradigm (IPP) of human beings: sensing organs as input, mechanical movement organs as output, and the central nervous system (CNS) in the brain as the control and computing device. Short-term and long-term memory were not distinguished by computer scientists; taken together, they were termed memory. At a deeper level, the interaction of stimuli with the stored information to produce new information requires the processes of learning, adaptation and self-organization. These functionalities in information processing, at a certain level of abstraction of brain activities, demonstrate a state of mind which exhibits certain specific behaviour that qualifies as intelligence. Computational models were developed and incorporated in machines which mimicked these functionalities of human origin. The creation of such human traits in computing devices and processes originated the concept of intelligence in machines as a virtual mechanism. These virtual machines were, in due course of time, termed artificially intelligent machines.
Computation
The theory of computation developed by Turing (finite state automata) was a turning point from mathematical models to logical computation. Chomsky's linguistic computational theory generated a model for syntactic analysis through a regular grammar.
The third dimension is basically the application domain. Here, if the entities are near the origin, more and more concepts are required from the x-y plane. For example, information and automation are entities far away on the z-direction, but they contain some of the concepts of the cognition and computation models respectively on the x-direction, and the concepts of knowledge (data), reasoning and interface on the y-direction.
In general, any quantity in any dimension is correlated with some entities on the other
dimension.
The implementation of the logical formalism was accelerated by the rapid growth in electronic
technology, in general and multiprocessing parallelism in particular.
1.1.4 Types of AI
Artificial Intelligence can be divided into various types. There are mainly two kinds of categorization: one based on the capabilities of AI and one based on the functionality of AI. The following flow diagram explains the types of AI.
2. General AI:
General AI is a type of intelligence which could perform any intellectual task with efficiency like a human.
The idea behind general AI is to make a system which could be smarter than, and think like, a human on its own.
Currently, no system exists which could come under general AI and perform any task as perfectly as a human.
Researchers worldwide are now focused on developing machines with General AI.
Systems with general AI are still under research, and it will take a lot of effort and time to develop such systems.
3. Super AI:
Super AI is a level of intelligence of systems at which machines could surpass human intelligence and perform any task better than humans, with cognitive properties. It is an outcome of general AI.
Some key characteristics of strong AI include the ability to think, reason, solve puzzles, make judgments, plan, learn, and communicate on its own.
Super AI is still a hypothetical concept of Artificial Intelligence. Developing such systems in reality is still a world-changing task.
2. Limited Memory
Limited memory machines can store past experiences or some data for a short period of time.
These machines can use the stored data for a limited time period only.
Self-driving cars are one of the best examples of Limited Memory systems. These cars can store the recent speed of nearby cars, the distance to other cars, the speed limit, and other information to navigate the road.
3. Theory of Mind
Theory of Mind AI should understand human emotions, people and beliefs, and be able to interact socially like humans.
This type of AI machine has not been developed yet, but researchers are making a lot of effort and progress towards developing such AI machines.
4. Self-Awareness
Self-awareness AI is the future of Artificial Intelligence. These machines will be super intelligent and will have their own consciousness, sentiments, and self-awareness.
These machines will be smarter than the human mind.
Self-Awareness AI does not yet exist in reality; it is still a hypothetical concept.
1.1.5 Application of AI
AI has been dominant in various fields such as:
Gaming: AI plays a crucial role in strategic games such as chess, poker, tic-tac-toe, etc., where the machine can think of a large number of possible positions based on heuristic knowledge.
Robotics
Machine learning is a vast area and it is quite beyond the scope of this tutorial to cover all its
features. There are several ways to implement machine learning techniques, however the most
commonly used ones are supervised and unsupervised learning.
Supervised Learning: Supervised learning deals with learning a function from available
training data. A supervised learning algorithm analyzes the training data and produces an
inferred function, which can be used for mapping new examples. Common examples of
supervised learning include:
classifying e-mails as spam,
labeling webpages based on their content, and
voice recognition.
There are many supervised learning algorithms such as neural networks, Support Vector
Machines (SVMs), and Naive Bayes classifiers. Mahout implements Naive Bayes classifier.
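As an added illustration of a supervised learning algorithm inferring a function from labelled training data (this example is added here; it is not part of the original manual and does not use Mahout), the following Python code trains a multinomial Naive Bayes classifier on a handful of constructed, made-up messages and then labels new messages as spam or ham. The training messages, the labels and the smoothing constant are all assumptions of this example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed training data (made up for this example): (message text, label).
TRAINING_DATA = [
    ("win a free prize now", "spam"),
    ("free money claim your prize", "spam"),
    ("cheap loans apply now", "spam"),
    ("meeting agenda for monday", "ham"),
    ("please review the attached report", "ham"),
    ("lunch tomorrow with the team", "ham"),
]


def tokenize(text):
    """Lower-case the text and split it into word tokens."""
    return re.findall(r"[a-z0-9']+", text.lower())


class NaiveBayesClassifier:
    """Multinomial Naive Bayes with Laplace (add-alpha) smoothing.

    Training counts how often each word appears under each label; prediction
    picks the label with the highest posterior probability for the message.
    """

    def __init__(self, alpha=1.0):
        self.alpha = alpha                       # smoothing constant (assumed 1.0)
        self.class_counts = Counter()            # label -> number of training messages
        self.word_counts = defaultdict(Counter)  # label -> Counter of word frequencies
        self.vocab = set()                       # every word seen during training

    def train(self, examples):
        for text, label in examples:
            self.class_counts[label] += 1
            for word in tokenize(text):
                self.word_counts[label][word] += 1
                self.vocab.add(word)

    def log_posteriors(self, text):
        """Return log P(label | text), up to a constant, for every label."""
        tokens = tokenize(text)
        total_docs = sum(self.class_counts.values())
        scores = {}
        for label, n_docs in self.class_counts.items():
            # Prior: fraction of training messages carrying this label.
            log_prob = math.log(n_docs / total_docs)
            total_words = sum(self.word_counts[label].values())
            denominator = total_words + self.alpha * len(self.vocab)
            for word in tokens:
                # Smoothing keeps a word unseen in training from zeroing the product.
                count = self.word_counts[label][word]
                log_prob += math.log((count + self.alpha) / denominator)
            scores[label] = log_prob
        return scores

    def predict(self, text):
        """The inferred function: map a new message to the most probable label."""
        scores = self.log_posteriors(text)
        return max(scores, key=scores.get)


def build_demo_classifier():
    clf = NaiveBayesClassifier()
    clf.train(TRAINING_DATA)
    return clf


if __name__ == "__main__":
    clf = build_demo_classifier()
    for message in ("claim your free prize", "review the report before the meeting"):
        print(f"{message!r} -> {clf.predict(message)}")
```

Words that never occurred in training (such as "before") contribute the same smoothed probability to every label, so the decision is driven only by the words the training set has evidence for; with real mail the training set would be far larger and the tokenizer would need to handle headers, HTML and obfuscated spellings.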
Deep learning has evolved hand-in-hand with the digital era, which has brought about an
explosion of data in all forms and from every region of the world. This data, known simply as
big data, is drawn from sources like social media, internet search engines, e-commerce
platforms, and online cinemas, among others. This enormous amount of data is readily
accessible and can be shared through fintech applications like cloud computing.
However, this data, which is normally unstructured, is so vast that it could take decades for humans to comprehend it and extract the relevant information. Companies realize the incredible potential that can result from unraveling this wealth of information and are increasingly adopting AI systems for automated support.
Content
2.1 Embedded Systems:
Embedded system concepts, purpose of embedded systems, Architecture of embedded
systems, embedded processors-PIC, ARM, AVR,ASIC
2.2 IoT: Definition and characteristics of IoT
Physical design of IoT,
o Things of IoT,
o IoT Protocols
Logical design of IoT,
o IoT functional blocks,
o IoT Communication models,
o IoT Communication APIs,
IoT Enabling Technologies,
IoT levels and deployment templates,
IoT Issues and Challenges, Applications
IoT Devices and their features: Arduino Uno, Raspberry Pi, NodeMCU
Case study on IoT Applications using various Sensors and actuators
the embedded system may have different functionalities. Every embedded system is designed to accomplish the purpose of any one, or a combination, of the following tasks.
Data collection/storage/representation: Data is collected from the outside world using various sensors for storage, analysis, manipulation and transmission. The data may be information such as voice, text, images, graphics, video, electrical signals or other measurable quantities. The collected data may be stored, transmitted to another device, or processed by the embedded system for meaningful representation.
Data communication in embedded systems: The data can be transmitted either through wireless media or wired media, and it can be analog or digital. Wireless transmission can use media such as Bluetooth, ZigBee, Wi-Fi, GPRS, EDGE etc., and wired transmission can use RS232C, USB, TCP/IP, PC2, Firewire port, SPI, CAN, I2C etc.
Data processing: The data, which may be in the form of voice, images, video, electrical signals or any other measurable quantities, is collected by an embedded system and used for various kinds of processing depending on the application.
Monitoring the performance/operation of the embedded system: Embedded systems are mostly used for monitoring purposes. For example, an ECG (electrocardiogram) machine is used to monitor the heartbeat of the patient.
Control by the embedded system: An embedded system having control functionality executes control over some variables as per the input variables. Such a system contains both sensors and actuators. Sensors are connected as inputs to the ports of the system to capture changes in the measured variable, and actuators are connected to the output ports as the final control element, to control the system as the input variables change within the specified range. For example, the air conditioning system at home is used to control the room temperature as per the specified limit.
Application specific user interface: Most embedded systems come with an application specific user interface such as switches, buttons, display, light, bell, keypad etc. For example, a mobile phone comes with user interface elements such as a keyboard, LCD or LED display, speaker, vibration alert etc.
Sensor − A sensor is used to measure a physical quantity and convert it to an electrical signal which can be read by an electronic device such as an A-D converter.
A-D Converter − An analog-to-digital converter converts the analog signal given by the sensor into a digital signal.
Processor & ASICs − Processors process the data to compute the output and store it in memory.
D-A Converter − A digital-to-analog converter converts the digital data given by the processor to an analog signal.
Actuator − An actuator compares the output given by the D-A converter with the expected output and generates the actual output.
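To make the sensor → A-D converter → processor → D-A converter → actuator chain concrete, here is an added Python simulation (not code from the manual) of the air-conditioning control example given above. It assumes a 10-bit converter with a 5 V reference and a hypothetical LM35-style temperature sensor that outputs 10 mV per °C; the setpoint, the hysteresis band and the sample temperatures are constructed for this example.

```python
ADC_BITS = 10                          # assumed converter resolution
VREF = 5.0                             # assumed reference voltage, volts
FULL_SCALE = (1 << ADC_BITS) - 1       # 1023 for a 10-bit converter


def adc_convert(voltage, vref=VREF, bits=ADC_BITS):
    """A-D converter: quantise a voltage to an integer code, clamped to the input range."""
    full_scale = (1 << bits) - 1
    clamped = min(max(voltage, 0.0), vref)
    return round(clamped / vref * full_scale)


def dac_convert(code, vref=VREF, bits=ADC_BITS):
    """D-A converter: map an integer code back to a voltage."""
    full_scale = (1 << bits) - 1
    code = min(max(int(code), 0), full_scale)
    return code / full_scale * vref


def adc_step_volts(vref=VREF, bits=ADC_BITS):
    """Smallest voltage change the converter can resolve (one LSB)."""
    return vref / ((1 << bits) - 1)


def sensor_voltage_to_celsius(voltage):
    """Hypothetical LM35-style sensor: 10 mV per degree Celsius."""
    return voltage * 100.0


class AirConditionerController:
    """Processor logic: switch the compressor on above the upper threshold and off
    below the lower one. The hysteresis band stops the actuator chattering when the
    temperature hovers around the setpoint."""

    def __init__(self, setpoint_c=24.0, hysteresis_c=1.0):
        self.setpoint_c = setpoint_c
        self.hysteresis_c = hysteresis_c
        self.compressor_on = False

    def step(self, adc_code):
        """One control cycle: ADC code in, actuator command out."""
        volts = adc_code / FULL_SCALE * VREF        # processor reconstructs the sensor voltage
        temperature = sensor_voltage_to_celsius(volts)
        if temperature >= self.setpoint_c + self.hysteresis_c:
            self.compressor_on = True
        elif temperature <= self.setpoint_c - self.hysteresis_c:
            self.compressor_on = False
        # The command leaves through the D-A converter as a drive voltage for the actuator.
        drive_code = FULL_SCALE if self.compressor_on else 0
        return {
            "temperature_c": round(temperature, 2),
            "compressor_on": self.compressor_on,
            "actuator_volts": dac_convert(drive_code),
        }


def run_control_cycle(temperatures_c, controller=None):
    """Simulate the whole chain for a list of room temperatures (constructed input);
    returns the compressor state after each reading."""
    controller = controller or AirConditionerController()
    states = []
    for t in temperatures_c:
        code = adc_convert(t / 100.0)               # sensor: degrees -> volts, then the ADC
        states.append(controller.step(code)["compressor_on"])
    return states


if __name__ == "__main__":
    print("1 LSB =", round(adc_step_volts() * 1000, 3), "mV, i.e. about",
          round(sensor_voltage_to_celsius(adc_step_volts()), 2), "degC of resolution")
    print(run_control_cycle([22, 26, 24.5, 23, 25.5]))
```

One LSB of a 10-bit, 5 V converter is about 4.9 mV, which for this sensor is roughly 0.49 °C: the processor never sees the exact room temperature, only the nearest code, which is why the read-back temperatures in `step()` differ slightly from the values fed in.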
Application of PIC:
1. Motor Control, Digital Power & Lighting
Motor Control
Digital Power
Lighting
Automotive
Home Appliance
High temperature (150 °C) operation
2. Human Interface
Graphics Solutions
Segmented LCD
Touch Sensing Solutions
Audio and Speech
3. Connectivity
Wireless
USB
Ethernet
CAN
Features of AVR
AVRs provide a wide range of features:
Internal, self-programmable instruction flash memory up to 256 KB
In-system programming (ISP) using serial/parallel low-voltage proprietary interfaces, and on-chip debugging support through JTAG
Internal data EEPROM up to 4 KB and SRAM up to 16 KB
External 64 KB little endian data space in some models of AVR
8-bit and 16-bit timers
PWM output, analog comparator
10 or 12-bit A/D converters, with a multiplexer of up to 16 channels
12-bit D/A converters
Synchronous/asynchronous serial peripherals (UART/USART), Serial Peripheral Interface Bus (SPI), I2C
Multiple power-saving sleep modes
Lighting and motor control (PWM) controller models
CAN, USB, Ethernet, LCD, DMA controller support
Low operating voltage devices, i.e. 1.8 V
Applications of AVR
Signal sensing and Data acquisition
Motion control and Interface motors
Displays on LCD
Interface any type of sensors and transducers
Interface GSM and GPS
Characteristics of IoT:
Dynamic & Self-Adapting: IoT devices and systems may have the capability to dynamically adapt to changing contexts and take actions based on their operating conditions, the user's context, or the sensed environment. For example, surveillance cameras can adapt their modes (to normal or infra-red night mode) based on whether it is day or night.
Self-Configuring: IoT devices may have self-configuring capability, allowing a large number of devices to work together to provide certain functionality (such as weather monitoring).
Features of IoT:
Connectivity: Connectivity refers to establishing a proper connection between all the things of IoT and the IoT platform, which may be a server or the cloud.
Analyzing: After connecting all the relevant things, it comes to analyzing the collected data in real time and using it to build effective business intelligence.
Integrating: IoT integrates the various models to improve the user experience as well.
Artificial Intelligence: IoT makes things smart and enhances life through the use of data.
Sensing: The sensor devices used in IoT technologies detect and measure any change in the environment and report on their status.
Active Engagement: IoT brings the connected technologies, products, or services into active engagement with each other.
Endpoint Management: Endpoint management of the whole IoT system is important; otherwise it can lead to complete failure of the system.
Reduced Waste: IoT makes areas of improvement clear. Current analytics give us superficial insight, but IoT provides real-world information leading to more effective management of resources.
Enhanced Data Collection: Modern data collection suffers from its limitations and its design for passive use. IoT breaks it out of those spaces and places it exactly where humans really want to go to analyze our world. It allows an accurate picture of everything.
Disadvantages of IoT
Security: Because IoT systems are interconnected and communicate over networks, the system as a whole offers little control even when individual security measures are in place, and it can be exposed to various kinds of network attacks.
Privacy: Even without the active participation of the user, the IoT system collects substantial personal data in maximum detail.
Complexity: Designing, developing, maintaining and enabling the large technology base of an IoT system is quite complicated.
Flexibility: Many are concerned about the flexibility of an IoT system to integrate easily with another. They worry about finding themselves with several conflicting or locked-in systems.
Compliance: IoT, like any other technology in the realm of business, must comply with regulations. Its complexity makes the issue of compliance seem incredibly challenging, when many already consider standard software compliance a battle.
IoT Protocols
802.11 - WiFi: IEEE 802.11 is a collection of wireless local area network (WLAN) communication standards, including an extensive description of the link layer. 802.11a operates in the 5 GHz band, 802.11b and 802.11g operate in the 2.4 GHz band, 802.11n operates in the 2.4/5 GHz bands, 802.11ac operates in the 5 GHz band and 802.11ad operates in the 60 GHz band. These standards provide data rates from 1 Mb/s up to 6.75 Gb/s.
6LoWPAN: 6LoWPAN (IPv6 over Low power Wireless Personal Area Networks) brings the IP protocol to low-power devices which have limited processing capability. 6LoWPAN operates in the 2.4 GHz frequency range and provides data transfer rates of 250 Kb/s. 6LoWPAN works with the 802.15.4 link layer protocol and defines compression mechanisms for IPv6 datagrams over IEEE 802.15.4-based networks.
UDP: UDP is a connectionless protocol. UDP is useful for time-sensitive applications that have very small data units to exchange and do not want the overhead of connection setup. UDP is a transaction oriented and stateless protocol. UDP does not provide guaranteed delivery, ordering of messages or duplicate elimination. Higher level protocols can ensure reliable delivery on top of UDP if the application needs it.
XMPP: Extensible Messaging and Presence Protocol (XMPP) is a protocol for real-time
communication and streaming XML data between network entities. XMPP powers wide range
of applications including messaging, presence, data syndication, gaming, multi-party chat and
voice/video calls. XMPP allows sending small chunks of XML data from one network entity
to another in near real-time. XMPP is a decentralized protocol and uses a client-server
architecture. XMPP supports both client-to-server and server-to-server communication paths.
In the context of IoT, XMPP allows real-time communication between IoT devices.
DDS: Data Distribution Service (DDS) is a data-centric middleware standard for device-to-
device or machine-to-machine communication. DDS uses a publish-subscribe model where
publishers (e.g. devices that generate data) create topics to which subscribers (e.g., devices
that want to consume data) can subscribe. Publisher is an object responsible for data
distribution and the subscriber is responsible for receiving published data. DDS provides
quality-of-service (QoS) control and configurable reliability.
AMQP: Advanced Message Queuing Protocol (AMQP) is an open application layer protocol for business messaging. AMQP supports both point-to-point and publisher/subscriber models, routing and queuing. AMQP brokers receive messages from publishers (e.g., devices or applications that generate data) and route them over connections to consumers (applications that process data). Publishers publish the messages to exchanges, which then distribute message copies to queues. Messages are either delivered by the broker to the consumers which have subscribed to the queues, or the consumers can pull the messages from the queues.
Push-Pull: Push-Pull is a communication model in which the data producers push the data to queues and the consumers pull the data from the queues. Producers do not need to be aware of the consumers. Queues help in decoupling the messaging between the producers and consumers. Queues also act as a buffer, which helps in situations where there is a mismatch between the rate at which the producers push data and the rate at which the consumers pull data.
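The publish-subscribe model described under DDS and AMQP and the push-pull model described just above differ in one observable way: a published message is copied to every subscriber of its topic, whereas a pushed message is pulled by exactly one consumer. The following Python code, added here as an illustration and not taken from the manual or from any DDS/AMQP implementation, builds both models in-process with `queue.Queue` and threads; the topic names and the `reading-N` messages are constructed for the example.

```python
import queue
import threading
from collections import defaultdict


class PubSubBroker:
    """Topic-based publish-subscribe: every subscriber of a topic receives its own copy."""

    def __init__(self):
        self._lock = threading.Lock()
        self._subscribers = defaultdict(list)    # topic -> list of subscriber inboxes

    def subscribe(self, topic):
        inbox = queue.Queue()
        with self._lock:
            self._subscribers[topic].append(inbox)
        return inbox

    def publish(self, topic, message):
        with self._lock:
            inboxes = list(self._subscribers[topic])
        for inbox in inboxes:
            inbox.put(message)                     # one copy per subscriber
        return len(inboxes)                        # number of copies delivered


def run_pubsub_demo(messages, n_subscribers, topic="sensors/temperature"):
    """Publish each message once; return what every subscriber of the topic received."""
    broker = PubSubBroker()
    inboxes = [broker.subscribe(topic) for _ in range(n_subscribers)]
    other = broker.subscribe("sensors/humidity")  # unrelated topic: must receive nothing
    for m in messages:
        broker.publish(topic, m)
    assert other.qsize() == 0
    return [[inbox.get_nowait() for _ in range(inbox.qsize())] for inbox in inboxes]


def run_push_pull(n_messages, n_consumers, maxsize=4):
    """Push-pull: one shared bounded queue; each message is pulled by exactly one consumer."""
    shared = queue.Queue(maxsize=maxsize)   # bounded buffer: put() blocks when consumers lag
    received = defaultdict(list)
    lock = threading.Lock()

    def consumer(name):
        while True:
            item = shared.get()
            if item is None:                # sentinel: shut this consumer down
                break
            with lock:
                received[name].append(item)

    workers = [threading.Thread(target=consumer, args=(f"consumer-{i}",))
               for i in range(n_consumers)]
    for w in workers:
        w.start()
    for i in range(n_messages):
        shared.put(f"reading-{i}")          # producer never learns who will pull this
    for _ in workers:                       # one sentinel per consumer, after all data
        shared.put(None)
    for w in workers:
        w.join()
    return dict(received)


if __name__ == "__main__":
    print(run_pubsub_demo(["t=21", "t=22"], 2))
    print(run_push_pull(10, 3))
```

The bounded queue in `run_push_pull` is the buffer the text mentions: when consumers fall behind, `put()` blocks the producer instead of letting memory grow without limit, which is the back-pressure a real broker has to provide.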
Exclusive Pair: Exclusive Pair is a bi-directional, fully duplex communication model that
uses a persistent connection between the client and server. Once the connection is setup it
remains open until the client sends a request to close the connection. Client and server can
send messages to each other after connection setup. Exclusive pair is a stateful
communication model and the server is aware of all the open connections.
A RESTful web service is a "web API" implemented using HTTP and REST principles.
HTTP Method | Resource Type | Action | Example
GET | Collection URI | List all the resources in a collection | http://example.com/api/tasks/ (list all tasks)
GET | Element URI | Get information about a resource | http://example.com/api/tasks/1/ (get information on task 1)
POST | Collection URI | Create a new | http://example.com/api/
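The rows of the table above are a dispatch rule: the HTTP method combined with the shape of the URI (collection or element) selects the action. The following Python class, added here as an illustration and not part of the manual, applies that rule to an in-memory "tasks" resource without opening a network socket; `example.com` is taken from the table, and the input validation and the 405/404 error responses are additions beyond what the table lists.

```python
import json
import re
from urllib.parse import urlparse

COLLECTION = re.compile(r"/api/tasks/?")          # e.g. /api/tasks/
ELEMENT = re.compile(r"/api/tasks/(\d+)/?")       # e.g. /api/tasks/1/


class TaskService:
    """Maps (HTTP method, URI shape) to the actions in the REST table."""

    def __init__(self):
        self._tasks = {}          # id -> task dict
        self._next_id = 1

    def handle(self, method, uri, body=None):
        """Return (status code, JSON-serialisable response) for one request."""
        path = urlparse(uri).path
        is_collection = COLLECTION.fullmatch(path)
        element = ELEMENT.fullmatch(path)

        if is_collection:
            if method == "GET":                       # list all resources in the collection
                return 200, list(self._tasks.values())
            if method == "POST":                      # create a new resource in the collection
                try:
                    data = json.loads(body or "")
                except json.JSONDecodeError:
                    return 400, {"error": "request body must be JSON"}
                # Validate the client's input: the server assigns ids and accepts only known fields.
                title = data.get("title") if isinstance(data, dict) else None
                if not isinstance(title, str) or not title.strip():
                    return 400, {"error": "'title' (non-empty string) is required"}
                task = {"id": self._next_id, "title": title.strip()}
                self._tasks[task["id"]] = task
                self._next_id += 1
                return 201, task
            return 405, {"error": f"{method} not allowed on the collection"}

        if element:
            task_id = int(element.group(1))
            if method == "GET":                       # get information about one resource
                task = self._tasks.get(task_id)
                return (200, task) if task else (404, {"error": "no such task"})
            return 405, {"error": f"{method} not allowed on an element"}

        return 404, {"error": "no such resource"}


if __name__ == "__main__":
    svc = TaskService()
    print(svc.handle("POST", "http://example.com/api/tasks/", '{"title": "write report"}'))
    print(svc.handle("GET", "http://example.com/api/tasks/"))
    print(svc.handle("GET", "http://example.com/api/tasks/1/"))
```

Because the URI shape and the method are matched separately, an unknown method on a known resource is answered with 405 rather than 404, which tells a client (and a log reviewer) that the resource exists but the operation is not offered.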
Unlike request-response APIs such as REST, WebSocket APIs allow full duplex communication and do not require a new connection to be set up for each message sent. WebSocket communication begins with a connection setup request sent by the client to the server. This request (called the WebSocket handshake) is sent over HTTP, and the server interprets it as an upgrade request. If the server supports the WebSocket protocol, it responds with a WebSocket handshake response. After the connection is set up, the client and server can send data/messages to each other in full-duplex mode. WebSocket APIs reduce network traffic and latency, as there is no overhead for connection setup and termination requests for each message. WebSocket is suitable for IoT applications that have low latency or high throughput requirements.
ZigBee is one of the most popular wireless technologies used by WSNs. ZigBee specifications are based on IEEE 802.15.4. ZigBee operates at the 2.4 GHz frequency and offers data rates up to 250 KB/s and a range from 10 to 100 meters depending on the power output and environmental conditions.
Cloud Computing:
Cloud computing is a transformative computing paradigm that involves delivering
applications and services over the internet. Cloud computing services are offered to users in
different forms:
Infrastructure-as-a-Service (IaaS): IaaS provides users the ability to provision
computing and storage resources. These resources are provided to the users as virtual
machine instances and virtual storage. Users can start, stop, configure and manage the
virtual machine instances and virtual storage. Users can deploy operating systems and
applications of their choice on the virtual resources provisioned in the cloud. The
cloud service provider manages the underlying infrastructure. Virtual resources
provisioned by the users are billed on a pay-per-use basis. Some examples
of the wide usage of IaaS are automated, policy-driven operations such as backup,
recovery, monitoring, clustering, internal networking, website hosting, etc. The service
provider is responsible for building the servers and storage, networking, firewalls/
security and the physical data center; everything the user installs on top (guest OS
patching, application security, access keys) remains the user's responsibility. Some key
players offering IaaS are Amazon
Platform-as-a-Service (PaaS): PaaS provides users the ability to develop and
deploy applications in the cloud using the development tools, application programming
interfaces (APIs), software libraries and services provided by the cloud service
provider. The cloud service provider manages the underlying cloud infrastructure,
including servers, network, operating systems and storage. The users themselves are
responsible for developing, deploying, configuring and managing applications on the
cloud infrastructure. The PaaS environment enables cloud users (accessing it via a
web page) to install and host data sets, development tools and business analytics
applications without building and maintaining the necessary hardware. Some key
players offering PaaS are Bluemix, CloudBees, Salesforce.com, Google App Engine,
Heroku, AWS, Microsoft Azure, OpenShift, Oracle Cloud and SAP.
help identify the data that is most important to the business and future business decisions.
Analysts working with Big Data typically want the knowledge that comes from analyzing the
data. Big Data analytics involves several steps, starting from data cleansing, data munging (or
wrangling), data processing and visualization.
Fig. 2.13 IoT Level-1
IoT Level-2: has a single node that performs sensing and/or actuating and local analysis, as
shown in the figure. Data is stored in the cloud and the application is usually cloud based.
Level-2 IoT systems are suitable for solutions where the data involved is big, but the primary
analysis requirement is not computationally intensive and can be done locally. An example
of a Level-2 IoT system is smart irrigation.
IoT Level-3: the system has a single node. Data is stored and analyzed in the cloud, and the
application is cloud based, as shown in the figure. Level-3 IoT systems are suitable for
solutions where the data involved is big and the analysis requirements are computationally
intensive. An example of a Level-3 IoT system is tracking of package handling.
IoT Level-4: the system has multiple nodes that perform local analysis. Data is stored in the
cloud and the application is cloud based, as shown in the figure. Level-4 contains local and
cloud-based observer nodes, which can subscribe to and receive information collected in the
cloud from IoT devices. An example of a Level-4 IoT system is noise monitoring.
Fig. 2.16 IoT Level-4
IoT Level-5: the system has multiple end nodes and one coordinator node, as shown in the
figure. The end nodes perform sensing and/or actuation. The coordinator node collects data
from the end nodes and sends it to the cloud. Data is stored and analyzed in the cloud and the
application is cloud based. Level-5 IoT systems are suitable for solutions based on wireless
sensor networks, in which the data involved is big and the analysis requirements are
computationally intensive. An example of a Level-5 system is forest fire detection.
Fig. 2.17 IoT Level-5
IoT Level-6: the system has multiple independent end nodes that perform sensing and/or
actuation and send the sensed data to the cloud. Data is stored in the cloud and the
application is cloud based, as shown in the figure. The analytics component analyses the
data and stores the results in the cloud database. The results are visualized with a
cloud-based application. The centralized controller is aware of the status of all the end
nodes and sends control commands to the nodes. An example of a Level-6 IoT system is a
weather monitoring system.
Cities:
Smart Parking: makes the search for a parking space easier and more convenient for drivers.
Smart parking systems are powered by IoT devices that detect the number of empty parking
slots and send the information over the internet to smart application back ends.
Smart Lighting: for roads, parks and buildings can help in saving energy.
Smart Roads: equipped with sensors can provide information on driving conditions and
travel time estimates, and alerts in case of poor driving conditions, traffic congestion and
accidents.
Structural Health Monitoring: uses a network of sensors to monitor the vibration
levels in structures such as bridges and buildings.
Surveillance: the video feeds from surveillance cameras can be aggregated in a cloud-based
scalable storage solution.
Emergency Response: IoT systems for fire detection and gas and water leakage detection
can help in generating alerts and minimizing their effects on critical infrastructure.
Environment:
Weather Monitoring: systems collect data from a number of attached sensors and send
the data to cloud-based applications and storage back ends. The data collected in the cloud
can then be analyzed and visualized by cloud-based applications.
Air Pollution Monitoring: systems can monitor emission of harmful gases (CO2, CO,
NO, NO2, etc.) by factories and automobiles using gas and meteorological
sensors. The collected data can be analyzed to make informed decisions on pollution
control approaches.
Noise Pollution Monitoring: due to growing urban development, noise levels in
cities have increased and even become alarmingly high in some cities. IoT-based noise
pollution monitoring systems use a number of noise monitoring stations deployed
at different places in a city. The data on noise levels from the stations is collected on
servers or in the cloud. The collected data is then aggregated to generate noise maps.
Forest Fire Detection: forest fires can cause damage to natural resources, property
and human life. Early detection of forest fires can help in minimizing damage.
River Flood Detection: river floods can cause damage to natural and human
resources and human life. Early warnings of floods can be given by monitoring the
water level and flow rate. An IoT-based river flood monitoring system uses a number of
sensor nodes equipped with water level and flow rate sensors.
Retail:
Inventory Management: IoT systems enable remote monitoring of inventory using
data collected by RFID readers.
Smart Payments: solutions such as contactless payments powered by technologies
such as Near Field Communication (NFC) and Bluetooth.
Smart Vending Machines: sensors in a smart vending machine monitor its
operation and send the data to the cloud, where it can be used for predictive maintenance.
Logistics:
Route Generation & Scheduling: an IoT-based system backed by the cloud can respond
quickly to route generation queries and can be scaled up to serve a large
transportation network.
Fleet Tracking: uses GPS to track the locations of vehicles in real time.
Shipment Monitoring: IoT-based shipment monitoring systems use sensors such as
temperature and humidity sensors to monitor the conditions of a shipment and send the
data to the cloud, where it can be analyzed to detect food spoilage.
Remote Vehicle Diagnostics: systems use on-board IoT devices for collecting data
on vehicle operation (speed, RPM, etc.) and the status of various vehicle subsystems.
Agriculture:
Smart Irrigation: to determine the moisture content of the soil.
Green House Control: to improve productivity.
Industry:
Machine diagnosis and prognosis
Indoor Air Quality Monitoring
2.2.6 IoT Devices and their features: Arduino Uno, Raspberry Pi, NodeMCU
IoT Devices:
IoT devices are non-standard computing devices that connect wirelessly to a
network and to each other and are able to transfer data. IoT devices extend
internet connectivity beyond standard devices such as smartphones, laptops, tablets
and desktops.
There is a large variety of IoT devices available based on the IEEE 802.15.4 standard.
These devices range from wireless motes and attachable sensor boards to interface boards,
which are useful for researchers and developers.
IoT devices include computing devices, software, wireless sensors and actuators. These
IoT devices are connected over the internet, enabling data transfer among
objects or people automatically, without human intervention.
Some of the common and popular IoT devices are given below.
Controlled: IoT devices may also be controlled from some endpoint. Otherwise, IoT
devices communicating with each other endlessly can lead to system
failure.
Arduino Uno:
Arduino boards are microcontroller boards and kits for building digital
devices that can sense and control objects in the physical and digital world.
Arduino boards are furnished with a set of digital and analog input/output pins that
may be interfaced to various other circuits.
Some Arduino boards include a USB (Universal Serial Bus) port used for loading programs
from a personal computer.
Arduino is an open-source electronics platform based on easy-to-use hardware and
software.
Properties of Arduino:
Inexpensive:Arduino boards are relatively inexpensive compared to other
microcontroller platforms. The least expensive version of the Arduino module can be
assembled by hand, and even the pre-assembled Arduino modules cost less than $50.
Cross-platform: The Arduino Software (IDE) runs on Windows, Macintosh OSX,
and Linux operating systems. Most microcontroller systems are limited to Windows.
Simple, clear programming environment: The Arduino Software (IDE) is easy-to-
use for beginners, yet flexible enough for advanced users to take advantage of as well.
For teachers, it's conveniently based on the Processing programming environment, so
students learning to program in that environment will be familiar with how the
Arduino IDE works.
Open source and extensible software: The Arduino software is published as open
source tools, available for extension by experienced programmers. The language can
be expanded through C++ libraries, and people wanting to understand the technical
details can make the leap from Arduino to the AVR C programming language on
which it's based. Similarly, you can add AVR-C code directly into your Arduino
programs if you want to.
Open source and extensible hardware: The plans of the Arduino boards are
published under a Creative Commons license, so experienced circuit designers can
make their own version of the module, extending it and improving it. Even relatively
inexperienced users can build the breadboard version of the module in order to
understand how it works and save money.
Raspberry Pi:
The Raspberry Pi is a low-cost, credit-card sized computer that plugs into a computer monitor
or TV and uses a standard keyboard and mouse. The Raspberry Pi is a very cheap computer
that runs Linux, but it also provides a set of GPIO (general purpose input/output) pins that
allow you to control electronic components for physical computing and explore the Internet of
Things (IoT). The original Raspberry Pi (Model B) has an ARMv6 700 MHz single-core processor,
a VideoCore IV GPU and 512 MB of RAM; it uses an SD card for its operating system and data
storage. The Raspberry Pi officially supports Raspbian, a lightweight Linux OS based on Debian.
The project began back in 2006, when Eben Upton and his colleagues at the University of
Cambridge, in conjunction with Pete Lomas and David Braben, went on to form the Raspberry Pi
Foundation.
work (taking input, doing calculations and producing output), and the GPU handles
graphics output.
GPIO -- These are exposed general-purpose input/output connection points that will
allow the real hardware hobbyists the opportunity to tinker.
RCA -- An RCA jack allows connection of analog TVs and other similar output
devices.
Audio out -- This is a standard 3.5 mm jack for connection of audio output
devices such as headphones or speakers. There is no audio in.
LEDs -- Light-emitting diodes, for all of your indicator light needs.
USB -- This is a common connection port for peripheral devices of all types (including
your mouse and keyboard). Model A has one, and Model B has two. You can use a
USB hub to expand the number of ports or plug your mouse into your keyboard if it
has its own USB port.
HDMI -- This connector allows you to hook up a high-definition television or other
compatible device using an HDMI cable.
Power -- This is a 5v Micro USB power connector into which you can plug your
compatible power supply.
SD cardslot -- This is a full-sized SD card slot. An SD card with an operating system
(OS) installed is required for booting the device. They are available for purchase from
the manufacturers, but you can also download an OS and save it to the card yourself if
you have a Linux machine and the wherewithal.
Ethernet -- This connector allows for wired network access and is only available on
the Model B.
Applications of Raspberry pi
The different applications of the raspberry pi model are
Media streamer
Tablet computer
Home automation
Internet radio
Controlling robots
Cosmic Computer
Arcade machines
Raspberry pi based projects
NodeMCU
NodeMCU is an open-source IoT platform.
The NodeMCU (Node MicroController Unit) is an open-source software and
hardware development environment that is built around a very inexpensive System-
on-a-Chip (SoC) called the ESP8266.
The ESP8266 can be controlled from your local Wi-Fi network or from the internet
(after port forwarding). Port forwarding exposes the board directly to the internet, so
the firmware should then require authentication and, where possible, TLS, or the board
should be reached through a broker or VPN instead. The ESP-01 module has GPIO pins that
can be programmed to turn an LED or a relay ON/OFF through the internet.
The module can be programmed using an Arduino or a USB-to-TTL converter through the
serial pins (RX, TX).
It uses the Lua scripting language, or C/C++ with the Arduino software (using the Arduino libraries).
It has 10 GPIO pins; every GPIO can be used for PWM, I2C or 1-Wire. It is a Wi-Fi enabled device.
The NodeMCU development board features Wi-Fi capability, an analog pin, digital
pins and serial communication protocols.
The NodeMCU Dev Kit has Arduino-like analog (i.e. A0) and digital (D0-D8) pins on its
board. It supports serial communication protocols, i.e. UART, SPI, I2C, etc.
Using such serial protocols we can connect it to serial devices like an I2C-enabled
LCD display, the HMC5883 magnetometer, the MPU-6050 gyroscope + accelerometer,
RTC chips, GPS modules, touch screen displays, SD cards, etc.
2.2.7 Case study on IoT Applications using various Sensors and actuators
Sensors: A sensor is an electronic instrument that is able to measure a physical quantity and
generate a corresponding output. The outputs of sensors are usually in the form of electrical
signals. Sensors are placed such that they can directly interact with the environment and sense the
input energy with the help of a sensing element. This sensed energy is converted into a more
suitable form by a transduction element. There are various types of sensors, such as position,
temperature, pressure and speed sensors, but fundamentally there are two types: analog and
digital. The different types come under these two basic types. A digital sensor incorporates
an analog-to-digital converter (ADC), while an analog sensor does not have an ADC.
Actuators: An actuator is a device that alters a physical quantity, as it can cause a
mechanical component to move after getting some input from the sensor. In other words, it
receives a control input (generally in the form of an electrical signal) and generates a change in
the physical system by producing force, heat, motion, etc. An actuator can be
illustrated with the example of the stepper motor, where an electrical pulse drives the motor.
Each time a pulse is given at the input, the motor rotates by a predefined amount. A
stepper motor is suitable for applications where the position of an object has to be
controlled precisely, for example a robotic arm.
Humidity sensors: The amount of water vapour in air, or humidity, can affect human comfort
as well as many manufacturing processes in industries. So monitoring humidity level is
important. Most commonly used units for humidity measurement are relative humidity (RH),
dew/frost point (D/F PT) and parts per million (PPM).
Motion sensors: Motion sensors are not only used for security purposes but also in automatic
door controls, automatic parking systems, automated sinks, automated toilet flushers, hand
dryers, energy management systems, etc. You can use these sensors in the IoT and monitor them
from your smartphone or computer. The HC-SR501 passive infrared (PIR) sensor is a popular
motion sensor for hobby projects.
Gas sensors: These sensors are used to detect toxic gases. The sensing technologies most
commonly used are electrochemical, photo-ionisation and semiconductor. With technical
advancements and new specifications, there are a multitude of gas sensors available to help
extend the wired and wireless connectivity deployed in IoT applications.
Smoke sensors: Smoke detectors have been in use in homes and industries for quite a long
time. With the advent of the IoT, their application has become more convenient and user-
friendly. Furthermore, adding a wireless connection to smoke detectors enables additional
features that increase safety and convenience.
Pressure sensors: These sensors are used in IoT systems to monitor systems and devices that
are driven by pressure signals. When the pressure goes beyond the threshold level, the
device alerts the user about the problem that should be fixed. For example, the BMP180 is a
popular digital pressure sensor for use in mobile phones, PDAs, GPS navigation devices and
outdoor equipment. Pressure sensors are also used in smart vehicles and aircraft to determine
force and altitude, respectively. In vehicles, a tyre pressure monitoring system (TPMS) is used to
alert the driver when tyre pressure is too low and could create unsafe driving conditions.
Image sensors: These sensors are found in digital cameras, medical imaging systems, night-
vision equipment, thermal imaging devices, radars, sonars, media house and biometric
systems. In the retail industry, these sensors are used to monitor customers visiting the store
through IoT network. In offices and corporate buildings, they are used to monitor employees
and various activities through IoT networks.
Accelerometer sensors: These sensors are used in smartphones, vehicles, aircraft and other
applications to detect the orientation of an object, shake, tap, tilt, motion, positioning, shock or
vibration. Different types of accelerometers include Hall-effect accelerometers, capacitive
accelerometers and piezoelectric accelerometers.
Proximity sensors: These sensors detect the presence or absence of a nearby object without
any physical contact. Different types of proximity sensors are inductive, capacitive,
photoelectric, ultrasonic and magnetic. These are mostly used in object counters, process
monitoring and control.
Stepper Motor: Stepper motors are DC motors that move in discrete steps. They have
multiple coils that are organized in groups called “phases”. By energizing each phase in
sequence, the motor will rotate, one step at a time. With a computer controlled stepping, you
can achieve very precise positioning and/or speed control.
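The phase sequencing described above, as an added example that is not code from the original page: a small Python driver model for a 4-phase stepper that energizes the coils in order, tracks the absolute step position and direction, and shows the difference between full-step and half-step sequences. The coil patterns, the 200 full steps per revolution (a common 1.8 degree motor) and the drive() callback are assumptions made for the example; on real hardware drive() would write the four coil pins.

```python
# Coil energization patterns for a 4-phase unipolar stepper (example values).
# Each tuple is the state of coils (A, B, C, D); 1 = energized.
FULL_STEP = [(1, 0, 0, 0), (0, 1, 0, 0), (0, 0, 1, 0), (0, 0, 0, 1)]
HALF_STEP = [(1, 0, 0, 0), (1, 1, 0, 0), (0, 1, 0, 0), (0, 1, 1, 0),
             (0, 0, 1, 0), (0, 0, 1, 1), (0, 0, 0, 1), (1, 0, 0, 1)]


class Stepper:
    """Tracks the motor's phase index and absolute step position.

    drive(pattern) is the callback that would set the four coil pins; by
    default it appends the pattern to self.log so the sequence can be checked.
    """

    def __init__(self, sequence=FULL_STEP, full_steps_per_rev=200, drive=None):
        self.sequence = sequence
        # Half-stepping doubles the number of steps in one revolution.
        self.steps_per_rev = full_steps_per_rev * len(sequence) // 4
        self.phase = 0        # index into the coil sequence
        self.position = 0     # absolute steps from the starting point
        self.log = []
        self.drive = drive or self.log.append

    def step(self, direction=+1):
        """Energize the next (+1) or previous (-1) phase: exactly one step."""
        if direction not in (+1, -1):
            raise ValueError("direction must be +1 or -1")
        self.phase = (self.phase + direction) % len(self.sequence)
        self.position += direction
        self.drive(self.sequence[self.phase])

    def move(self, steps):
        """Move a signed number of steps; returns the new absolute position."""
        direction = 1 if steps >= 0 else -1
        for _ in range(abs(steps)):
            self.step(direction)
        return self.position

    def angle(self):
        """Shaft angle in degrees relative to the starting position."""
        return (self.position % self.steps_per_rev) * 360.0 / self.steps_per_rev

    def release(self):
        """De-energize all coils so the driver does not heat the motor while idle."""
        self.drive((0, 0, 0, 0))
```

Reversing direction just walks the same coil table backwards, which is why a stepper needs no feedback to hold a known position as long as no steps are skipped; the step counter in position is the only state, and a missed step (too much load, too fast a pulse rate) silently desynchronizes it from the real shaft.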
DC motors: Direct Current (DC) motor is the most common actuator used in electronics
projects. They are simple, cheap, and easy to use. DC motors convert electrical into
mechanical energy. They consist of permanent magnets and loops of wire inside. When
current is applied, the wire loops generate a magnetic field, which reacts against the outside
field of the static magnets.
Linear Actuator: A linear actuator is an actuator that creates motion in a straight line, in
contrast to the circular motion of a conventional electric motor. Linear actuators are used in
machine tools and industrial machinery, in computer peripherals such as disk drives and
printers, in valves and dampers, and in many other places where linear motion is required.
and triggering. They are frequently used in home appliances (e.g. washing machine valves),
office equipment (e.g. copy machines), automobiles (e.g. door latches and the starter
solenoid), pinball machines (e.g., plungers and bumpers), and factory automation.
Fig. 2.37 Solenoid
b. Self-Configuring
c. Endpoint Management
d. Artificial Intelligence
3. Which of these is not an IoT communication model?
a. Request-Response
b. Publish-Subscribe
c. Push-Producer
d. Exclusive Pair
4. WSN stands for
a. Wide Sensor Network
b. Wireless Sensor Network
c. Wired Sensor Network
d. None of these
5. Devices that transform electrical signals into physical movement.
a. Sensors
b. Actuators
c. Switches
d. display
Content
3.1 Digital forensics
Introduction to digital forensic
History of forensic
Rules of digital forensic
Definition of digital forensic
Digital forensics investigation and its goal
3.2 Models of Digital Forensic Investigation
Digital Forensic Research Workshop Group (DFRWS) Investigative Model
Abstract Digital Forensics Model (ADFM)
Integrated Digital Investigation Process (IDIP)
End to End digital investigation process (EEDIP)
An extended model for cybercrime investigation
UML modeling of digital forensic process model (UMDFPM)
3.3 Ethical issues in digital forensic
General ethical norms for investigators
Unethical norms for investigation
While performing a digital forensics investigation, the investigator should follow the given
rules:
1. Handle and locate a certain amount of valid data from the large number of files stored in a
computer system.
2. It is possible that the information has been deleted; in such a situation, searching inside the
files is worthless.
3. If the files are secured by passwords, investigators must find a way to read the
protected data without the owner's cooperation.
4. Data may be stored in a damaged device, but the investigator searches for the data in
working devices.
5. A major obstacle is that each and every case is different, so identifying the techniques and
tools will take a long time.
6. The digital data found should be protected from being modified. It is very tedious to
prove that the data under examination is unaltered, so a cryptographic hash of the evidence
should be computed at acquisition and re-verified before and after every examination.
7. A common procedure for investigation and standard techniques for collecting and
preserving digital evidence are desired.
Fig 3.1 Road map for digital forensic research (DFRWS phases: Identification, Preservation, Collection, Examination, Analysis, Presentation)
Figure: Preparation, Approach Strategy, Preservation, Collection, Examination, Analysis, Presentation (Abstract Digital Forensics Model phases)
Figure: Digital Crime Investigation
4. Physical Crime Investigation phase: the goal of this phase is to collect and
analyze the physical evidence and reconstruct the actions that took place during the
incident.
It includes six phases:
Preservation phase; which seeks to preserve the crime scene so that evidence can be
later identified and collected by personnel trained in digital evidence identification.
Survey phase; that requires an investigator to walk through the physical crime
scene and identify pieces of physical evidence.
Documentation phase; which involves taking photographs, sketches, and videos of the
crime scene and the physical evidence. The goal is to capture as much information as
possible so that the layout and important details of the crime scene are preserved and
recorded.
Search and collection phase; that entails an in-depth search and collection of the scene
is performed so that additional physical evidence is identified and hence paving way
for a digital crime investigation to begin
Reconstruction phase; which involves organizing the results from the analysis done
and using them to develop a theory for the incident.
Presentation phase; that presents the physical and digital evidence to a court or
corporate management.
5. Digital Crime Investigation phase: the goal is to collect and analyze the digital
evidence that was obtained from the physical investigation phase and through any
other future means. It includes similar phases to the Physical Investigation phase,
although the primary focus is on the digital evidence. The six phases are:
Preservation phase; which preserves the digital crime scene so that evidence can
later be synchronized and analyzed for further evidence.
Survey phase; whereby the investigator transfers the relevant data from a venue
out of physical or administrative control of the investigator to a controlled location.
Documentation phase; which involves properly documenting the digital evidence
when it is found. This information is helpful in the presentation phase.
Search and collection phase; whereby an in-depth analysis of the digital evidence
is performed. Software tools are used to reveal hidden, deleted, swapped and
corrupted files that were used including the dates, duration, log file etc. Low-level
time lining is performed to trace a user’s activities and identity.
Reconstruction phase; which includes putting the pieces of a digital puzzle
together, and developing investigative hypotheses.
Presentation phase; that involves presenting the digital evidence that was found to
the physical investigative team.
It is noteworthy that this DFPM facilitates concurrent execution of physical and digital
investigation.
6. Review phase: this entails a review of the whole investigation and identifies areas of
improvement. The IDIP model does well at illustrating the forensic process, and also
conforms to the cyber terrorism capabilities, which require a digital investigation to
address issues of data protection, data acquisition, imaging, extraction, interrogation,
ingestion/normalization, analysis and reporting. It also highlights the reconstruction of
the events that led to the incident and emphasizes reviewing the whole task, hence
ultimately building a mechanism for quicker forensic examinations.
1. The identification phase involves identifying the nature of the incident from possible known
indicators; recognizing these indicators requires an experienced investigator.
2. The preservation phase includes preserving the evidence and the findings of the investigation to date.
3. The collection phase includes documentation of the physical scene and replication of
the digital evidence using approved standard procedures.
4. The examination phase involves obtaining and studying the digital evidence. Extraction
methods are used for reconstructing data from the media.
5. In the analysis phase the significance of the documented evidence is explored and
conclusions are drawn by integrating the chunks of data.
6. The presentation phase involves summarizing the evidence found in the process of
investigation.
Figure: Identification, Preservation, Collection, Examination, Analysis, Presentation
Phases of EMCI: The EMCI follows the waterfall model, as every activity occurs in sequence.
The sequence of examine, hypothesise, present and prove/defend is bound to be repeated as
the heap of evidence grows during the investigation.
1. Awareness is the phase during which the investigators are informed that a crime has
taken place; the crime is reported to some authority. An intrusion detection system
may also trigger such awareness.
2. Authorization is the stage where the nature of the investigation has been identified and the
authorization required to proceed, which may not have been planned for, is obtained
internally or externally.
3. Planning is impacted by information from within and outside the organization that will
affect the investigation. Internal factors are the organization's policies, procedures and
former investigative knowledge, while outside factors consist of legal and other
requirements not known by the investigators.
Figure: EMCI phases: Awareness, Authorization, Planning, Notification, Search for/identify evidence, Collection of evidence, Transport of evidence, Storage of evidence, Examination of evidence, Hypothesis, Presentation of hypothesis, Proof/Defense of hypothesis, Dissemination of information, Evidence report
Phases of UMDFPM:
Kohn and Oliver made use of UML and use case diagrams (Figure 2.6) to demonstrate all the
phases and their interaction with all investigators. Two processes have been added to the activity
diagram to fit the Kohn framework: "prepare" in the preparation phase and
"present" in the presentation phase.
1. The whole process is triggered by criminal activity, which constitutes the starting point.
Prepare is the first step. The rest of the processes follow logically from prepare to
collect, authenticate, examine and analyze.
2. Authentication is introduced between the collection and examination phases to make sure
that the integrity of the data is preserved before the examination is started.
3. Examination can alter the contents of data, as in the case of compressed files,
hidden files and other forms of obscured data.
The primary investigator will consider whether to analyze more data or to extract more data
from the original source. After reaching this decision point an evidence report is compiled as
part of the reporting procedure. The whole document is compiled during the investigation phase. The
evidence document is the output of the investigation phase.
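The "authenticate" step above, and rule 6 of the investigation rules earlier in this unit (proving that the data under examination is unaltered), worked through as an added example that is not code from the original text: a Python routine that hashes an acquired image at collection time, re-verifies it before and after examination, and keeps an append-only chain-of-custody log in which every entry carries the hash of the previous one, so a removed or edited entry is detectable. The sample image bytes, the examiner names and the CustodyLog class are assumptions made for the example.

```python
import hashlib
import json

# Constructed sample: a small "disk image" standing in for an acquired evidence file.
SAMPLE_IMAGE = b"\x00" * 512 + b"fake MBR and FAT data for the example" + b"\xff" * 512


def sha256_of(data, chunk=4096):
    """Hash the evidence in chunks, as one would for a multi-gigabyte image."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


class CustodyLog:
    """Append-only chain-of-custody log.

    Each entry stores the hash of the previous entry and its own hash over
    its fields, so deleting, reordering or editing an entry breaks the chain.
    """

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(fields):
        return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

    def record(self, action, who, evidence_hash, note=""):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries), "action": action, "who": who,
                 "evidence_hash": evidence_hash, "note": note, "prev": prev}
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def chain_intact(self):
        """Recompute every entry hash and the prev links from the first entry on."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or self._digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def acquire(image, examiner, log):
    """Collection phase: hash the original at seizure time and log it."""
    digest = sha256_of(image)
    log.record("acquired", examiner, digest, "forensic copy made, original sealed")
    return digest


def verify(image, expected, examiner, log, action="verified"):
    """Authentication/preservation check: recompute the hash and compare."""
    digest = sha256_of(image)
    ok = digest == expected
    log.record(action, examiner, digest, "match" if ok else "MISMATCH")
    return ok
```

Examination is always done on the working copy, so a mismatch on the copy after examination (as the test below provokes by flipping one bit) is caught and logged rather than silently carried into the report; the sealed original, whose hash was recorded at acquisition, is what is produced in court.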
To meet the requirements of the judging body and to withstand or face any challenges, it is
essential to follow the evidence-handling procedure. Also, it is necessary to ensure that the
evidence-handling procedures chosen are not difficult to implement at your organization as
this can sometimes become an overhead for an organization.
While investigating a computer security incident, we are sometimes unsure and indecisive
whether an item (viz. a chip, floppy disk, etc.) should be considered as evidence or as an
attachment or an addendum.
Digital devices are everywhere in today’s world, helping people communicate locally and
globally with ease. Most people immediately think of computers, cell phones and the Internet
as the only sources for digital evidence, but any piece of technology that processes
information can be used in a criminal way. For example, hand-held games can carry encoded
messages between criminals and even newer household appliances, such as a refrigerator with
a built-in TV, could be used to store, view and share illegal images. The important thing to
know is that responders need to be able to recognize and properly seize potential digital
evidence.
There are many sources of digital evidence; the topic is divided into three major forensic
categories of devices where evidence can be found: Internet-based, stand-alone computers or
devices, and mobile devices. These areas tend to have different evidence-gathering processes,
tools and concerns, and different types of crimes tend to lend themselves to one device or the
other.
Some of the popular electronic devices which are potential sources of digital evidence are: HDD,
CD/DVD media, backup tapes, USB drives, biometric scanners, digital cameras, smart phones,
smart cards, PDAs, etc.
Forms of digital evidence: Text messages, emails, pictures, videos and internet searches are the
most common types of digital evidence.
Digital evidence is used to establish a credible link between the attacker, the victim
and the crime scene. Some of the information stored in the victim’s system that can be potential
digital evidence includes IP addresses, system log-in and remote log-in details, browsing history, log
files, emails, images, etc.
Encrypted file
Compressed files
Temp files
Recycle Bin
Web History
Cache files
Cookies
Registry
Unallocated Space
Slack Space
Web/E-Mail server access Logs
Domain access Logs
One of the rules states that if evidence is readable by sight or reflects the data accurately, such
as any printout or data stored in a computer or similar devices or any other output, it is
considered as "original".
It states that multiple copies of electronic files may be a part of the "original" or equivalent to
the "original". The collected electronic evidence is mostly transferred to different media.
Hence, many computer security professionals are dependent on this rule.
Best Evidence: The most complete copy, or a copy which includes all necessary parts of the
evidence, which is closely related to the original evidence.
Example: A client has a copy of the original evidence media.
The "Best Evidence Rule" says that an original writing must be offered as evidence unless it is
unavailable, in which case other evidence, like copies, notes, or other testimony, can be used.
Since the rules concerning evidence on a computer are fairly reasonable (what you can see on
the monitor is what the computer contains; computer printouts are best evidence), computer
records and records obtained from a computer are best evidence.
For this purpose, we define original evidence as the true or real (original) copy of the evidence media
which is given by the victim/client.
We define best evidence as the most complete copy, which includes all the necessary parts of
the evidence that are closely related to the original evidence. It is also called a duplication of
the evidence media. There should be an evidence protector (custodian) who stores either the best
evidence or the original evidence for every investigation in the evidence safe.
1. The proper protocol should be followed for acquisition of the evidence irrespective of
whether it is physical or digital. Gentle handling should be exercised in those situations
where the device may be damaged (e.g., dropped or wet).
2. Special handling may be required in some situations. For example, when the device is
actively destroying data through disk formatting, it may need to be shut down
immediately to preserve the evidence. On the other hand, in some situations it would
not be appropriate to shut down the device, so that the digital forensics expert can
examine the device’s temporary memory.
3. All artifacts, physical and/or digital, should be collected, retained and transferred using
a preserved chain of custody.
4. All materials should be date and time stamped, identifying who collected the evidence
and the location it is being transported to after initial collection.
5. Proper logs should be maintained when transferring possession.
6. When storing evidence, suitable access controls should be implemented and tracked to
certify that the evidence has only been accessed by authorized individuals.
Fig.4.1: Evidence transfer in the physical and digital dimensions helps investigators
establish connections between victims, offenders, and crime scenes.
In computer intrusions, the attackers will leave multiple traces of their presence
throughout the environment, including in the file systems, registry, system logs, and network-
level logs. Furthermore, the attackers could transfer elements of the crime scene back with
them, such as stolen user passwords or PII in a file or database. Such evidence can be useful
to link an individual to an intrusion.
In an e-mail harassment case, the act of sending threatening messages via a Web-based
e-mail service such as Hotmail can leave a number of traces. The Web browser used to send
messages will store files, links, and other information on the sender’s hard drive along with
date-time–related information. Therefore, forensic analysts may find an abundance of
information relating to the sent message on the offender’s hard drive, including the original
message contents. Additionally, investigators may be able to obtain related information from
Hotmail, including Web server access logs, IP addresses, and possibly the entire message in
the sent mail folder of the offender’s e-mail account.
4. Explainable Evidence: This type of evidence is typically used in criminal cases in which it
supports the defendant, either partially or totally removing their guilt in the case. It is also
referred to as exculpatory evidence.
5. Substantial Evidence: Proof that is introduced in the form of a physical object, whether
whole or in part, is referred to as substantial evidence. It is also called physical evidence.
Such evidence might consist of dried blood, fingerprints, DNA samples, and casts of footprints
or tire tracks at the scene of the crime.
6. Testimonial: This is evidence spoken by a witness under oath, or written
evidence given under oath by an official declaration, that is, an affidavit. This is the most common
form of evidence in the system.
Such documentation requirements can seem formal and run against the natural
instincts of the technically minded individuals who often investigate computer
security incidents.
The challenges faced in evidence handling must be properly understood by all
investigators. They should also understand how to meet these challenges. Therefore, it is
essential for every organization to have formal evidence-handling procedures that support
computer security investigations. The most difficult task for an evidence handler is to
substantiate the collected evidence at the judicial proceedings. Maintaining the chain of
custody is also necessary. You must have both the power and the skill to validate your evidence.
The evidence collected by any person/investigator should be collected using
authenticated methods and techniques, because during court proceedings it will become the
major evidence to prove the crime. In other words, to offer a piece of evidence as
testimony, it is necessary to have the evidence authenticated by a witness who has personal
knowledge of its origin.
sequence of control, transfer, and analysis. It also documents each person who handled the
evidence, the date/time it was collected or transferred, and the purpose for the transfer.
is not corrupt and reflects the true nature of the original evidence. If this is not the
case, then the forensic analysis may be flawed and may result in problems, thus
rendering the copy non-authentic.
The procedure of the chain of custody might differ depending on the jurisdiction in
which the evidence resides; however, the steps are largely identical to the ones outlined
above.
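One way to implement handling steps 3 to 6 above and the chain-of-custody record they describe (example code added here, not from this manual): each log entry carries the handler, time, purpose and location together with a digest of the previous entry, so verification detects an edited or deleted entry, an out-of-order timestamp, or a hand-over from someone who was not the last recorded holder. Names, exhibit ids and times are constructed placeholders.

```python
"""Hash-linked chain-of-custody log (added example, not the manual's code).

Every entry records who took possession, when, why and where, plus the
acquisition hash of the evidence and a digest of the previous entry, so an
edited or deleted entry, an out-of-order timestamp or a hand-over from
someone who was not the last recorded holder shows up on verification.
Names, exhibit ids and times below are constructed placeholders.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # prev_digest of the first (seizure) entry


def entry_digest(entry):
    # canonical JSON so the digest does not depend on dict key order
    raw = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


class CustodyLog:
    def __init__(self, evidence_id, evidence_hash):
        self.evidence_id = evidence_id
        self.evidence_hash = evidence_hash  # hash taken at acquisition
        self.entries = []

    def record(self, action, handler, purpose, location, when=None,
               from_handler=None):
        """Append one event; `handler` is the person now holding the item.
        For action "transferred", `from_handler` names who handed it over."""
        prev = self.entries[-1] if self.entries else None
        entry = {
            "seq": len(self.entries) + 1,
            "evidence_id": self.evidence_id,
            "evidence_hash": self.evidence_hash,
            "action": action,  # seized / transferred / examined / stored
            "handler": handler,
            "from_handler": from_handler,
            "purpose": purpose,
            "location": location,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "prev_digest": entry_digest(prev) if prev else GENESIS,
        }
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return a list of problems; an empty list means the chain is intact."""
        problems = []
        expected_prev, last_handler, last_time = GENESIS, None, None
        for i, e in enumerate(self.entries, start=1):
            if e["seq"] != i:
                problems.append(f"entry {i}: sequence number gap")
            if e["prev_digest"] != expected_prev:
                problems.append(f"entry {i}: link to previous entry broken")
            if e["evidence_hash"] != self.evidence_hash:
                problems.append(f"entry {i}: evidence hash differs from acquisition hash")
            t = datetime.fromisoformat(e["timestamp"])
            if last_time is not None and t < last_time:
                problems.append(f"entry {i}: timestamp earlier than previous entry")
            if e["action"] == "transferred" and e["from_handler"] != last_handler:
                problems.append(f"entry {i}: transfer from {e['from_handler']} "
                                f"but last recorded handler is {last_handler}")
            expected_prev, last_handler, last_time = entry_digest(e), e["handler"], t
        return problems


def run_demo():
    """Constructed scenario: an intact log, the same log after a silent edit,
    and a second log with a possession gap. Returns the three verdicts."""
    t0 = datetime(2019, 8, 28, 9, 0, tzinfo=timezone.utc)
    log = CustodyLog("EXHIBIT-001 (placeholder)", "placeholder-acquisition-hash")
    log.record("seized", "Officer A", "seizure at scene", "scene, room 2", t0)
    log.record("transferred", "Examiner B", "forensic duplication", "lab",
               t0 + timedelta(hours=3), from_handler="Officer A")
    log.record("stored", "Examiner B", "retention pending trial", "locker 7",
               t0 + timedelta(hours=9))
    intact = log.verify()
    # someone later edits entry 2 in place: entry 3's stored link no longer fits
    log.entries[1]["purpose"] = "personal use"
    edited = log.verify()
    gap = CustodyLog("EXHIBIT-002 (placeholder)", "placeholder-acquisition-hash")
    gap.record("seized", "Officer A", "seizure at scene", "scene", t0)
    gap.record("transferred", "Examiner B", "examination", "lab",
               t0 + timedelta(hours=1), from_handler="Officer C")
    return {"intact": intact, "edited": edited, "gap": gap.verify()}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```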
Identify and document the types and volume of media, including removable
media.
Document the location from which the media was removed.
Identify offsite storage areas and/or remote computing locations.
Identify proprietary software.
Determine the operating system in question.
The considerations above need to be taken into account when dealing with digital
evidence due to the fragile nature of the task at hand.
If a break in the chain of custody is brought to the attention of the court, then the
court has to decide whether the breach is so severe as to warrant exclusion of the item from trial.
Alternatively, the court can decide that the trier of fact (trial judge or jury) needs to decide the value
of the evidence. To prevent a breach, a forensic investigation should follow a written policy,
so that necessary deviations from the policy can be argued. The policy itself should take all
reasonable (or arguably reasonable) precautions against tampering.
For example, assume that a PDA is seized from a suspected drug dealer. In the case of
a PDA, there is no hard drive image to mirror, that is, the examination will have to be done
on the powered-on original. The PDA can lose data, for example by disconnecting it from its
battery. On seizure, the device should not be switched on. If it is seized switched on, it should
be switched off in order to preserve battery power. It needs to be put into an evidence bag that
does not allow access to the PDA without breaking the seal (no clear plastic bag!). The
evidence needs to be tagged with all pertinent data, including the serial number of the PDA
and the circumstances of the seizure. The PDA should never be returned to the accused at the
scene, because the device can lose data if reset. To maintain the data in the PDA, it needs to
be kept in a continuously charged mode. It should only be used to extract evidence by a
competent person who can testify in court. As long as the PDA could be evidence, it needs to
be kept in an evidence locker, with check-out logs, so that it can be determined who had
access to the PDA at any time.
4.5.3 Evidence Validation: The challenge is to ensure that the data you have collected is
identical to the data later provided or presented in court. It is very common for several years
to pass between the collection of evidence and its production at a judicial proceeding.
To meet the challenge of validation, it is necessary to ensure that the
original media matches the forensic duplication by using MD5 hashes. The evidence for every
file is nothing but the MD5 hash value that is generated for every file that contributes to the
case.
The verify function within the EnCase application can be used while duplicating a hard
drive with EnCase. To perform a forensic duplication using dd, you must record the MD5 hash
for both the original evidence media and the binary files which compose the forensic
duplication.
Note: An MD5 hash calculated six months after evidence collection may not be helpful. MD5 hashes
should be computed at the time the evidence is obtained.
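The hash comparison described above, as an added example that is not part of this manual: it computes the MD5 (and, as a stronger companion, SHA-256) of an original evidence image and of the chunk files that make up a dd duplication, stores them in a manifest at acquisition time, and re-verifies the duplication later. The evidence bytes, file names and examiner name are constructed placeholders.

```python
"""Evidence validation for a dd duplication (added example, not the manual's
code). It hashes the original evidence image and each chunk file of the
duplication, records them in a manifest at acquisition time, and later
re-checks that the chunks read back in order still reproduce the original.
Paths and bytes are constructed in a temporary directory so it runs offline.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 1 << 16  # stream 64 KiB at a time so large media never sit in RAM
# MD5 is what the text prescribes; SHA-256 is kept alongside because MD5
# collisions are practical and a court may ask for a stronger hash.
ALGORITHMS = ("md5", "sha256")


def hash_files(paths):
    """Hash the concatenation of `paths` in order: one path hashes one file,
    several paths hash a split image (dd piped to split) as a whole."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for path in paths:
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(BLOCK), b""):
                for h in hashers.values():
                    h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(original, chunk_paths, examiner):
    """Record, when the evidence is obtained, the hashes of the original
    media, of every chunk file and of the reassembled duplication."""
    return {
        "examiner": examiner,
        "hashed_at": datetime.now(timezone.utc).isoformat(),
        "original": hash_files([original]),
        "chunks": {os.path.basename(p): hash_files([p]) for p in chunk_paths},
        "duplicate": hash_files(chunk_paths),
    }


def verify_manifest(manifest, chunk_paths):
    """Re-hash the duplication later (e.g. before trial) against the manifest.
    Returns a list of problems; empty means it still matches the original."""
    problems = []
    for path in chunk_paths:
        name = os.path.basename(path)
        recorded = manifest["chunks"].get(name)
        if recorded is None:
            problems.append(f"{name}: not in manifest")
        elif hash_files([path]) != recorded:
            problems.append(f"{name}: chunk hash changed")
    if hash_files(chunk_paths) != manifest["original"]:
        problems.append("reassembled duplicate does not match original media")
    return problems


def run_demo():
    """Constructed case: validate a clean duplication, then flip one byte in a
    chunk (as a damaged or altered copy would) and validate again."""
    with tempfile.TemporaryDirectory() as tmp:
        data = bytes(range(256)) * 300  # 76,800 constructed evidence bytes
        original = os.path.join(tmp, "evidence.img")
        with open(original, "wb") as fh:
            fh.write(data)
        chunk_paths = []  # three chunks of 30,000 / 30,000 / 16,800 bytes
        for i, start in enumerate(range(0, len(data), 30000)):
            path = os.path.join(tmp, f"evidence.dd.{i:03d}")
            with open(path, "wb") as fh:
                fh.write(data[start:start + 30000])
            chunk_paths.append(path)
        manifest = build_manifest(original, chunk_paths, "examiner placeholder")
        clean = verify_manifest(manifest, chunk_paths)
        with open(chunk_paths[1], "r+b") as fh:
            fh.seek(10)
            byte = fh.read(1)[0]
            fh.seek(10)
            fh.write(bytes([byte ^ 0x01]))
        tampered = verify_manifest(manifest, chunk_paths)
    return {"manifest": manifest, "clean": clean, "tampered": tampered,
            "expected_md5": hashlib.md5(data).hexdigest()}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```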
4.6 Volatile Evidence: Not all the evidence on a system is going to last very long. Some
evidence is residing in storage that requires a consistent power supply; other evidence may be
stored in information that is continuously changing. When collecting evidence, you should
always try to proceed from the most volatile to the least. Of course, you should still take the
individual circumstances into account—you shouldn’t waste time extracting information from
an unimportant/unaffected machine’s main memory when an important or affected machine’s
secondary memory hasn’t been examined.
You need to respond to the target system at the console during the collection of volatile
data rather than access it over the network. This way the possibility of the attacker monitoring
your responses is eliminated, ensuring that you are running trusted commands. If you are
creating a forensic duplication of the targeted system, you should focus on obtaining the
volatile system data before shutting down the system.
To determine what evidence to collect first, you should draw up an Order of Volatility—a
list of evidence sources ordered by relative volatility. An example of an Order of Volatility
would be:
Note: Once you have collected the raw data from volatile sources you may be able to
shut down the system. {Matthew Braid, “Collecting Electronic Evidence After A System
Compromise,” Australian Computer Emergency Response Team}
Registers, Cache: The contents of CPU cache and registers are extremely volatile, since they
are changing all of the time. Literally, nanoseconds make the difference here. An examiner
needs to get to the cache and register immediately and extract that evidence before it is lost.
Routing Table, ARP Cache, Process Table, Kernel Statistics, Memory: Some of these
items, like the routing table and the process table, have data located on network devices. In
other words, that data can change quickly while the system is in operation, so evidence must
be gathered quickly. Also, kernel statistics are moving back and forth between cache and main
memory, which make them highly volatile. Finally, the information located on random access
memory (RAM) can be lost if there is a power spike or if power goes out. Clearly, that
information must be obtained quickly.
Temporary File Systems: Even though the contents of temporary file systems have the
potential to become an important part of future legal proceedings, the volatility concern is not
as high here. Temporary file systems usually stick around for a while.
Disk: Even though we think that the data we place on a disk will be around forever, that is not
always the case (see the SSD Forensic Analysis post from June 21). However, the likelihood
that data on a disk cannot be extracted is very low.
Remote Logging and Monitoring Data that is Relevant to the System in Question: The
potential for remote logging and monitoring data to change is much higher than data on a hard
drive, but the information is not as vital. So, even though the volatility of the data is higher
here, we still want that hard drive data first.
Physical Configuration, Network Topology, and Archival Media: Here we have items that
are either not that vital in terms of the data or are not at all volatile. The physical configuration
and network topology is information that could help an investigation, but is likely not going to
have a tremendous impact. Finally, archived data is usually going to be located on a DVD or
tape, so it isn’t going anywhere anytime soon. It is great digital evidence to gather, but it is not
volatile.
City : Chennai
Background:
The assistant manager (the complainant) with the fraud control unit of a large business
process outsourcing (BPO) organization filed a complaint alleging that two of its employees
had conspired with a credit card holder to manipulate the credit limit and as a result cheated
the company of INR 0.72 million.
The BPO facility had about 350 employees. Their primary function was to issue the bank's
credit cards as well as attend to customer and merchant queries. Each employee was assigned
to a specific task and was only allowed to access the computer system for that specific task.
The employees were not allowed to make any changes in the credit-card holder's account
unless they received specific approvals.
Each of the employees was given a unique individual password. In case they entered an
incorrect password three consecutive times then their password would get blocked and they
would be issued a temporary password.
The company suspected that its employees conspired with the son (holding an add-on card) of
one of the credit card holders. The modus operandi suspected by the client is as follows.
The BPO employee deliberately keyed in the wrong password three consecutive times (so that
his password would get blocked) and obtained a temporary password to access the computer
system. He manually reversed the transactions of the card so that it appeared that payment for
the transaction has taken place. The suspect also changed the credit card holder's address so
that the statement of account would never be delivered to the primary card holder.
The team analysed the attendance register, which showed that the accused was present at all
the times when the fraudulent entries had been entered in the system. They also analysed the
system logs, which showed that the accused's ID had been used to make the changes in the
system.
The team also visited the merchant establishments from where some of the transactions had
taken place. The owners of these establishments identified the holder of the add-on card.
Current status: The BPO was informed of the security lapse in the software utilised. Armed
with this evidence the investigating team arrested all the accused and recovered, on their
confession, six mobile phones, costly imported wrist watches, jewels, electronic items, leather
accessories and credit cards, all worth INR 0.3 million, and cash of INR 25000. The investigating
team informed the company of the security lapses in their software so that instances like this
could be avoided in the future.
This case won the second runner-up position for the India Cyber Cop Award, for its
investigating officer Mr S. Balu, Assistant Commissioner of Police, Crime, Chennai Police.
The case was remarkable for the excellent understanding displayed by the investigating team,
of the business processes and its use in collecting digital evidence.
Background: The complainant stated that some unknown person had created an e-mail ID
using her name and had used this ID to post messages on five Web pages describing her as a
call-girl along with her contact numbers.
Using the same log-in details, the investigating team accessed the Web pages where these
profiles were uploaded. The message had been posted on five groups, one of which was a
public group. The investigating team obtained the access logs of the public group and the
message to identify the IP addresses used to post the message. Two IP addresses were
identified.
The ISP was identified with the help of publicly available Internet sites. A request was made
to the ISPs to provide the details of the computer with the IP addresses at the time the
messages were posted. They provided the names and addresses of two cyber cafes located in
Mumbai to the police.
The investigating team scrutinised the registers maintained by the cyber cafes and found that
in one case the complainant's name had been signed into the register.
The team also cross-examined the complainant in great detail. During one of the meetings she
revealed that she had refused a former college mate who had proposed marriage.
In view of the above the former college mate became the prime suspect. Using this
information the investigating team, with the help of Mumbai police, arrested the suspect and
seized a mobile phone from him. After the forensic examination of the SIM card and the
phone, it was observed that phone had the complainant’s telephone number that was posted on
the internet. The owner of the cyber cafes also identified the suspect as the one who had
visited the cyber cafes.
Based on the facts available with the police and the sustained interrogation the suspect
confessed to the crime.
Current status:The suspect was convicted of the crime and sentenced to two years of
imprisonment as well as a fine.
City : Pune
Background: The accused in the case were working in a BPO, that was handling the business
of a multinational bank. The accused, during the course of their work had obtained the
personal identification numbers (PIN) and other confidential information of the bank’s
customers. Using these the accused and their accomplices, through different cyber cafes,
transferred huge sums of money from the accounts of different customers to fake accounts.
The investigators were successful in arresting two people as they laid a trap in a local bank
where the accused had fake accounts for illegally transferring money.
During the investigation the system server logs of the BPO were collected. The IP addresses
were traced to the Internet service provider and ultimately to the cyber cafes through which
illegal transfers were made.
The registers maintained in cyber cafes and the owners of cyber cafes assisted in identifying
the other accused in the case. The e-mail IDs and phone call print outs were also procured and
studied to establish the identity of the accused. The e-mail accounts of the arrested accused
were scanned which revealed vital information to identify the other accused. Some e-mail
accounts of the accused contained swift codes, which were required for internet money
transfer.
All the 17 accused in the case were arrested in a short span of time. The charge sheet was
submitted in the court within the stipulated time. In the entire wire transfer scam, an amount
to the tune of about INR 19 million was transferred, out of this INR 9 million was blocked in
transit due to timely intimation by police, INR 2 million was held in balance in one of the
bank accounts opened by the accused which was frozen. In addition the police recovered cash,
ornaments, vehicles and other articles amounting to INR 3 million.
During the investigation the investigating officer learned the process of wire transfer, the
banking procedures and weakness in the system. The investigating officer suggested measures
to rectify the weakness in the present security systems of the call centre. This has helped the
local BPO industry in taking appropriate security measures.
City : Mumbai
Sections of Law: 420, 465, 467, 468, 471, 34 of IPC r/w 143 of Indian Railway Act 1989.
Background: The accused in this case was posing to be a genuine railway ticket agent and
had been purchasing tickets online by using stolen credit cards of non residents. The accused
created fraudulent electronic records/ profiles, which he used to carry out the transactions.The
tickets so purchased were sold for cash to other passengers. Such events occurred for a period
of about four months.
The online ticket booking service provider took notice of this and lodged a complaint with the
cyber crime investigation cell.
The investigating team visited the cyber cafés but was not able to get the desired logs as they
were not maintained by the cyber café owners. The investigating team was able to short list
the persons present at cyber cafés when the bookings were made. The respective owners of
the cyber cafés were able to identify two persons who would regularly book railway tickets.
The investigating team then examined the passengers who had travelled on these tickets. They
stated that they had received the tickets from the accused and identified the delivery boy who
delivered the tickets to them. On the basis of this evidence the investigating team arrested two
persons who were identified in an identification parade.
Current status: The charge sheet has been submitted in the court.
Case-5: Creating Fake Profile
State : Andhra Pradesh
City : Hyderabad
Background: The complainant received an obscene e-mail from an unknown e-mail ID. The
complainant also noticed that obscene profiles along with photographs of his daughter had
been uploaded on matrimonial sites.
The investigating officer took the original e-mail from the complainant and extracted the IP
address of the same. From the IP address he could ascertain the Internet service provider.
The IP address was traced to a cable Internet service provider in the city area of Hyderabad.
The said IP address was allotted to the former husband sometime back and his house was
traced with the help of the staff of ISP.
A search warrant was obtained and the house of the accused was searched. During the search
operation, a desktop computer and a handicam were seized from the premises. A forensic IT
specialist assisted the investigation officer in recovering e-mails (which were sent to the
complainant), using a specialised disk search tool as well as photographs (which had been
posted on the Internet) from the computer and the handicam respectively. The seized
computer and the handicam were sent to the forensic security laboratory for further analysis.
The experts of the forensic security laboratory analysed the material and issued a report
stating that: the hard disk of the seized computer contained text that was identical to that of
the obscene e-mail; the computer had been used to access the matrimonial websites on which
the obscene profiles were posted; the computer had been used to access the e-mail account
that was used to send the obscene e-mail; the handicam seized from the accused contained
images identical to the ones posted on the matrimonial Websites. Based on the report of the
FSL it was clearly established that the accused had: created a fictitious e-mail ID and had sent
the obscene e-mail to the complainant; posted the profiles of the victim along with her
photographs on the matrimonial sites.
Current status: Based on the material and oral evidence, a charge sheet has been filed
against the accused and the case is currently pending for trial.
Hacker’s attitude:
The hacker-cracker separation gives more emphasis to a range of different categories, such
as white hat (ethical hacking), grey hat, black hat and script kiddie. The term cracker
refers to black hat hackers, or more generally hackers with unlawful intentions.
Hackers are problem solvers. They take satisfaction from understanding a problem and working out a
solution. Their motivation to meet challenges is internal. Hackers do what they do because
it’s extremely satisfying to solve puzzles and fix the up-until-now unfixable. The pleasure
derived is both intellectual and practical, but one doesn’t have to be a geek to be a hacker. Being
Computer Hacking
Computer Hackers have been in existence for more than a century. Originally, "hacker" did
not carry the negative implications. In the late 1950s and early 1960s, computers were much
different than the desktop or laptop systems most people are familiar with. In those days,
most companies and universities used mainframe computers: giant, slow-moving hunks of
metal locked away in temperature-controlled glass cages. It cost thousands of dollars to
maintain and operate those machines, and programmers had to fight for access time.
Because of the time and money involved, computer programmers began looking for ways to
get the most out of the machines. The best and brightest of those programmers created what
they called "hacks" - shortcuts that would modify and improve the performance of a
computer's operating system or applications and allow more tasks to be completed in a
shorter time.
Still, for all the negative things hackers have done, they provide a necessary (and even
valuable) service, which is elaborated on after a brief timeline of the history of computer
hacking.
The ethical hacker’s attitude encompasses formal and methodical penetration testing, white
hat hacking, and vulnerability testing, which involve the same tools, tricks, and techniques
that criminal hackers use, but with one major difference: ethical hacking is performed with
the target’s permission in a professional setting.
The intent of ethical hacking is to discover vulnerabilities from a malicious attacker’s
viewpoint to better secure systems. Ethical hacking is part of an overall information risk
management program that allows for on-going security improvements. Ethical hacking can
also ensure that vendors’ claims about the security of their products are genuine.
Policy considerations
If ethical hacking is chosen as an important part of a business’s information risk
management program, one really needs to have a documented security testing policy. Such a
policy outlines who’s doing the testing, the general type of testing that is performed, and
how often the testing takes place.
What is Hacking?
Hacking is identifying weaknesses in computer systems or networks and exploiting those
weaknesses to gain access.
Example of Hacking: Using a password cracking algorithm to gain access to a system.
Computers have become mandatory to run a successful business. It is not enough to have
isolated computer systems; they need to be networked to facilitate communication with
external businesses.
This exposes them to the outside world and to hacking. Hacking means using
computers to commit fraudulent acts such as fraud, privacy invasion, stealing
corporate/personal data, etc.
Cybercrimes cost many organizations millions of dollars every year. Businesses
need to protect themselves against such attacks.
Definition
Ethical hacking:
Refers to the act of locating weaknesses and vulnerabilities of computer and
information systems by duplicating the intent and actions of malicious hackers. It is also
known as penetration testing, intrusion testing, or red teaming.
An ethical hacker is a security professional who applies their hacking skills for defensive
purposes on behalf of the owners of information systems.
By conducting penetration tests, an ethical hacker looks to answer the following four basic
questions:
1. What information/locations/systems can an attacker gain access to?
2. What can an attacker see on the target?
3. What can an attacker do with the available information?
4. Does anyone at the target system notice the attempts?
An ethical hacker operates with the knowledge and permission of the organization for
which they are trying to defend. In some cases, the organization will neglect to inform their
information security team of the activities that will be carried out by an ethical hacker in an
attempt to test the effectiveness of the information security team. This is referred to as
a double-blind environment. In order to operate effectively and legally, an ethical hacker
must be informed of the assets that should be protected, potential threat sources, and the
extent to which the organization will support an ethical hacker's efforts.
Malicious users search through critical database systems to collect sensitive information, e-mail
confidential client information to the competition or elsewhere to the cloud, or delete
sensitive files from servers to which they probably should not have access.
There’s also the occasional ignorant insider whose intent is not malicious but who still
causes security problems by moving, deleting, or corrupting sensitive information. Even an
innocent “fat-finger” on the keyboard can have terrible consequences in the business world.
Malicious users are often the worst enemies of IT and information security professionals
because they know exactly where to go to get the goods and don’t need to be computer
savvy to compromise sensitive information. These users have the access they need and
management trusts them, often without question. In short, they take undue advantage of
the trust of management.
Hackers are classified according to the intent of their actions.
As hackers expand their knowledge, one should also gain the required knowledge of it. You
must think like them to protect your systems from them. As the ethical hacker, one must
know activities hackers carry out and how to stop their efforts. One should know what to
look for and how to use that information to spoil hackers’ efforts.
One cannot protect the systems from everything. The only protection against everything is
to unplug computer systems and lock them away so no one can touch them, not even you.
That’s not the best approach to information security. What’s important is to protect your
systems from known vulnerabilities and common hacker attacks. It’s impossible to protect against
all possible vulnerabilities on all systems. One can’t plan for all possible attacks, especially
the ones that are currently unknown.
However, the more combinations you try, and the more you test whole systems instead of
individual units, the better your chances of discovering vulnerabilities that affect everything
as a whole.
Building the Foundation for Ethical Hacking
One should not forget about insider threats from malicious employees. One’s overall goals
as an ethical hacker should be as follows:
- Hack your systems in a non-destructive fashion.
- Enumerate vulnerabilities and, if necessary, prove to upper management that
vulnerabilities exist.
- Apply results to remove vulnerabilities and better secure your systems.
Nontechnical attacks
Exploits that involve manipulating people or end users and even yourself are the greatest
vulnerability within any computer or network infrastructure. Humans are trusting by nature,
which can lead to social-engineering exploits. Social engineering is defined as the
exploitation of the trusting nature of human beings to gain information for malicious
purposes.
Other common and effective attacks against information systems are physical. Hackers
break into buildings, computer rooms, or other areas containing critical information or
property. Physical attacks can include dumpster diving (searching through trash cans and
dumpsters for intellectual property, passwords, network diagrams, and other information).
Network-infrastructure attacks
Hacker attacks against network infrastructures can be easy, because many networks can be
reached from anywhere in the world via the Internet.
Here are some examples of network-infrastructure attacks:
- Connecting into a network through a rogue modem attached to a computer behind a
firewall.
- Exploiting weaknesses in network transport mechanisms, such as TCP/IP and
NetBIOS.
- Flooding a network with too many requests, creating a Denial of Service (DoS) for
legitimate requests.
- Installing a network analyzer on a network and capturing every packet that travels
across it, revealing confidential information in clear text.
- Piggybacking onto a network through an insecure wireless configuration.
Working ethically
The word ethical in this context can be defined as working with high professional morals
and principles. Whether performing ethical hacking tests against your own systems or for someone
who has hired you, everything one does as an ethical hacker must be above board and
must support the company’s goals. No hidden agendas are allowed. Trustworthiness is the
ultimate principle. The misuse of information is absolutely forbidden. That’s what the bad
guys or hackers do.
Respecting privacy
Treat the information gathered with the greatest respect. All information obtained during
testing, from Web-application log files to clear-text passwords, must be kept private. This
information shall not be used to snoop into confidential corporate information or private
lives. If you sense or feel that someone should know there’s a problem, consider sharing
that information with the appropriate manager.
Involve others in the process. This is a “watch the watcher” system that can build trust and
support for ethical hacking projects.
The authorization can be as simple as an internal memo from the senior-most person or
boss if one is performing these tests on one's own systems. If the testing is for a customer, one
should have a signed contract in place, stating the customer’s support and authorization. Get
written approval on this sponsorship as soon as possible to ensure that none of the time or
effort is wasted. This documentation serves as proof of what one is doing if someone
asks or demands it.
A detailed plan is needed, but that doesn’t mean that it needs volumes of testing
procedures. One slip can crash your systems.
One should not stop with one security hole. This can lead to a false sense of
security. One should keep going to see what else can be discovered. This doesn't mean
hacking until the end of time or until all the systems have crashed. Simply
pursue the path one is going down until it can’t be hacked any further.
One of the goals may be to perform the tests without being detected.
For example, one may be performing tests on remote systems or on a remote
office and not want the users to be aware of what is being done.
Otherwise, the users may be on to the tester and be on their best behaviour.
Extensive knowledge of the systems is not needed for testing. Just a basic
understanding is required to protect the tested systems.
Understanding the systems which are being tested shouldn’t be difficult if one is
hacking his/her own in-house systems. If hacking a customer’s systems, one may
have to dig deeper. In fact, most people are scared of these assessments. Base the
type of test one will perform on the organization’s or customer’s needs.
Selecting tools
Without the right tools for ethical hacking, accomplishing the task effectively is
difficult. On the other hand, just using the right tools doesn’t mean that all vulnerabilities
will be discovered.
Know your personal and technical limitations.
Many security-assessment tools generate false positives and false negatives (incorrectly
identifying vulnerabilities, or missing real ones). Many tools focus
on specific tests, but no one tool can test for everything. This is why a set of specific
tools is required that one can call on for the task at hand. The more tools one has, the
easier ethical hacking efforts are.
Make sure the right tool is being used for the task:
- To crack passwords, one needs a cracking tool such as LC4, John the Ripper, or
pwdump.
- A general port scanner, such as SuperScan, cannot crack passwords.
- For an in-depth analysis of a Web application, a Web-application assessment tool
(such as Whisker or WebInspect) is more appropriate than a network analyzer (such
as Ethereal).
When selecting the right security tool for the task, ask around. Get advice from
colleagues and from other people online. A simple Groups search on Google
(www.google.com) or a perusal of security portals, such as SecurityFocus.com,
SearchSecurity.com, and ITsecurity.com, often produces great feedback from other
security experts.
Some of the widely used commercial, freeware, and open-source security tools:
- Nmap
- EtherPeek
- SuperScan
- QualysGuard
- WebInspect
- LC4 (formerly called L0phtcrack)
- LANguard Network Security Scanner
- Network Stumbler
- ToneLoc
Here are some other popular tools:
- Internet Scanner
- Ethereal
- Nessus
- Nikto
- Kismet
- THC-Scan
The capabilities of many security and hacking tools are often misunderstood. This
misunderstanding has shed negative light on some excellent tools, such as SATAN
(Security Administrator Tool for Analysing Networks) and Nmap (Network
Mapper).
Some of these tools are complex. Whichever tools are being used, one should become
familiar with them before starting to use them.
mat think they can improve electronic and mechanical devices by “rewiring them.” More
recent evidence shows that many hackers may also hack for political, social, competitive,
and even financial purposes, so times are changing.
Hackers who perform malicious acts don’t really think about the fact that human beings are
behind the firewalls, wireless networks, and web applications they’re attacking. They ignore
that their actions often affect those human beings in negative ways, such as endangering
their job security and putting their personal safety at risk.
These people don’t hack in the way people normally suppose. Instead, they root around in
files on server shares; probe into databases they know they shouldn’t be in; and sometimes
steal, modify, and delete sensitive information to which they have access. This behaviour is
often very hard to detect. This activity continues even if these users passed their criminal
background and credit checks before they were hired. Past behaviour is often the best
predictor of future behaviour, but just because someone has a clean record and authorization
to access sensitive systems doesn’t mean he or she won’t do anything bad. Criminals
have to start somewhere.
As negative as breaking into computer systems often can be, hackers and malicious users
play key roles in the advancement of technology. In a world without hackers, odds are good
that the latest intrusion prevention technology, data leakage protection, or vulnerability
scanning tools would not exist. Such a world may not be bad, but technology does keep
security professionals employed and keep the field moving forward. Unfortunately, the
technical security solutions can’t ward off all malicious attacks and unauthorized use
because hackers and (sometimes) malicious users are usually a few steps ahead of the
technology designed to protect against their disobedient actions.
However the stereotypical hacker or malicious user is viewed, one thing is
certain: somebody will always try to take down computer systems and compromise
information by poking and prodding where he or she shouldn’t, through denial of service
attacks, or by creating and launching malware. One must take the appropriate steps to
protect his/her systems against this kind of intrusion.
These hackers are possibly some of the worst enemies in information security.
- Security researchers: These uber-hackers are highly technical and publicly
known IT professionals who not only monitor and track computer, network, and
application vulnerabilities but also write the tools and other code to exploit them.
If these guys didn’t exist, ethical hackers wouldn’t have much in the way of open
source and even certain commercial security-testing tools.
- White hat, black hat, gray hat and blue hat hackers: There are good-guy (white hat)
and bad-guy (black hat) hackers. Gray hat hackers are a little bit of both. There are
also blue-hat hackers who are invited by software vendors to find security flaws in
their systems.
A recent study at the Black Hat security conference found that everyday IT
professionals even engage in malicious and criminal activity against others. And
people wonder why IT doesn’t get the respect it deserves? Perhaps this group will
evolve into a fourth general category of hackers in the coming years.
Perhaps more important than a hacker’s skill level is his or her motivation.
- Hacktivists: Hacktivists try to distribute political or social messages through their work. A
hacktivist wants to raise public awareness of an issue. In many situations, criminal
hackers will try to take the person down if he/she expresses a view that’s contrary
to theirs. Examples of hacktivism include messages about legalizing drugs,
protests against the war in Iraq, protests centered around wealth envy and big
corporations, and just about any other social and political issues.
- Cyber-terrorists: Cyber-terrorists (both organized and unorganized) attack government computers
or public utility infrastructures, such as power grids and air-traffic control towers.
They crash critical systems or steal classified government information. Countries
take the threats these cyber-terrorists pose so seriously that many mandate
information security controls in crucial industries, such as the power industry, to
protect essential systems against these attacks.
- Hackers for hire: Hackers for hire are part of organized crime on the Internet. Many of these
hackers hire out themselves or their botnets for money, and lots of it.
These criminal hackers are in the minority. Like the spam kings of the world, many of the
wicked acts from members of collectives that prefer to remain nameless are carried out by a
small number of criminals. Many other hackers just love to tinker and only seek knowledge
of how computer systems work. One of the greatest threats works inside premises and has
an access badge to the building and a valid network account, so don’t discount the insider
threat.
Some common motives are revenge, basic bragging rights, curiosity, boredom,
challenge, vandalism, theft for financial gain, sabotage, blackmail, extortion,
corporate intelligence, and just generally speaking out against “the man.” Hackers
regularly cite these motives to explain their behavior, but these motivations tend to
be cited more commonly during difficult economic conditions.
Many business owners and managers, and even some network and security
administrators, believe that they don’t have anything that a hacker wants or that
hackers can’t do much damage if they break in. This indifferent kind of thinking
helps support the bad guys and promote their objectives.
Hackers can compromise a seemingly unimportant system to access the network and
use it as a launching pad for attacks on other systems, and many people would be
none the wiser because they don’t have the proper controls to prevent and detect
malicious use.
Hackers often hack just because they can. Some hackers go for high-profile systems,
but hacking into anyone’s system helps them fit into hacker circles. Hackers exploit
many people’s false sense of security and go for almost any system they think they
can compromise. Electronic information can be in more than one place at the same
time, so if hackers merely copy information from the systems they break into, it’s
tough to prove that hackers possess that information.
Computer breaches continue to get easier to execute yet harder to prevent for several
reasons:
- Widespread use of networks and Internet connectivity
- Anonymity provided by computer systems working over the Internet and often on
the internal network (because, effectively, logging and especially log monitoring
rarely take place)
- Greater number and availability of hacking tools
- Large number of open wireless networks that help hackers cover their tracks
- Greater complexity and size of the codebase in the applications and databases being
developed today
- Computer-savvy children
- Unlikelihood that attackers will be investigated or prosecuted if caught
A malicious hacker only needs to find one security hole, whereas IT professionals and
business owners must find and block them all.
Although many attacks go unnoticed or unreported, criminals who are discovered are
often not pursued or prosecuted. When they’re caught, hackers often rationalize their
services as being unselfish and a benefit to society: they’re merely pointing out
vulnerabilities before someone else does.
The same goes for malicious users. Typically, their wrongdoing goes unnoticed, but if they’re
caught, the security breach may be kept secret in the name of shareholder value or of not
wanting to disturb any customer or business partner. However, recent information security
and privacy laws and regulations are changing this, because in most situations breach
notification is required. Sometimes, the person is fired or asked to resign. Although public
cases of internal breaches are becoming more common, these cases don’t give a full
picture of what’s really taking place in the average organization.
Required Education
In order to become an ethical hacker it's usually necessary to have a bachelor's degree in a related
field, such as computer science. Ethical hackers need to have computer programming
experience and familiarity with a range of different programming languages. It's common for
employers to require ethical hackers to have the Certified Ethical Hacker (CEH) certification
and other recognized certifications, such as those from CompTIA, that prepare them to work as experts in
cyber security.
Required Skills
Ethical hackers need to have:
- Strong analytical skills, because their work involves reviewing a lot of data to identify
potential issues with computer network security.
- The ability to consult with clients, explain their findings to managers or clients, and
collaborate with other professionals who are involved with information security.
- Excellent customer service skills and strong interpersonal skills.
- Communication skills, so that they can effectively explain their test
results to clients and co-workers.
- Exceptional problem-solving skills and attention to detail, since
ethical hackers need to be thorough in their attempts to breach the security systems in
place.
- The ability to develop new and often innovative strategies that enable them to identify problems
with the security systems they work on.
Some of the things you may need to keep in mind when doing experiments:
- Keep a backup before any experiment.
- Start small and have check points.
- Know when to stop.
- Document your progress.
- Keep improvising.
- Automate repetitive tasks.
Step 9: Read Some Good Books From Experts
Step 10: Participate In Hacking Challenges: Apart from that, there are some websites,
listed below, that regularly offer hacking challenges online.
- hackquest.de
- hacktissite.org
- www.trythis0ne.com
- www.hackchallenge.net
- Hacking-Lab.com
Step 11: Go Next Level: Write Vulnerability
Step 12: Contribute To Open Source Security Projects
Step 13: Continue Learning And Keep Listening To Security Talks
Above are a few of the many steps that can teach how to be a hacker and help one walk the road to
being an expert hacker. However, one should be a responsible citizen and be selective,
ensuring one doesn’t use this skill to breach the security of important institutions, as it may land
you in dire straits. One should always remember, for every hacking tool, there is always a
counter hacking tool. Therefore, be a smart hacker and, more importantly, be a responsible
hacker.
Hacking Tools: are computer programs and scripts that help you find and exploit
weaknesses in computer systems, web applications, servers and networks. There is a
variety of such tools available on the market. Some of them are open source while others
are commercial solutions.
4) Ethical hacking will allow to________ all the massive security breaches.
a. remove
b. measure
c. reject
d. None of these
6.1.3 Scanning-Ports
A port scanner is a software tool that basically scans the network to see who’s there.
Port scanners provide basic views of how the network is laid out. They can help
identify unauthorized hosts or applications and network host configuration errors that
can cause serious security vulnerabilities.
The big-picture view from port scanners often uncovers security issues that may
otherwise go unnoticed. Port scanners are easy to use and can test systems regardless
of what operating systems and applications they’re running. The tests can be
performed very quickly without having to touch individual network hosts, which
would be a real pain otherwise.
Port-scan tests take time. The length of time depends on the number of hosts you have,
the number of ports you scan, the tools you use, and the speed of your network links.
Also, perform the same tests with different utilities to see whether you get different
results. Not all tools find the same open ports and vulnerabilities. This is unfortunate,
but it’s a reality of ethical hacking tests.
If your results don’t match after you run the tests using different tools, you may want
to explore the issue further. If something doesn’t look right such as a strange set of
open ports it probably isn’t. Test it again; if you’re in doubt, use another tool for a
different perspective.
As an ethical hacker, you should scan all 65,535 UDP and 65,535 TCP ports on each
network host that’s found by your scanner. If you find questionable ports, look for
documentation that the application is known and authorized. For speed and simplicity,
you can scan commonly hacked ports.
Port(s)                                    Service                                           Protocol
22                                         SSH                                               TCP
23                                         Telnet                                            TCP
135                                        RPC/DCE end point mapper for Microsoft networks   TCP, UDP
137, 138, 139                              NetBIOS over TCP/IP                               TCP, UDP
5631, 5632                                 pcAnywhere                                        TCP
6346, 6347                                 Gnutella                                          TCP, UDP
12345, 12346, 12631, 12632, 20034, 20035   NetBus                                            TCP
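The table above is the kind of list a port audit works from. The following Python script is an added example (not from the lab manual and not any of the tools it names): it connects to a set of TCP ports on a host, records which ones accept a connection, and then does the "look for documentation that the application is known and authorized" step by comparing the open ports against an allow-list of approved services. Ports from the table are labelled so that a questionable open port is reported by its usual name. The demo starts two listeners on 127.0.0.1 (one standing in for a documented service, one for an undocumented one) so it runs offline; the host, the allow-list and the listeners are constructed for the example.

```python
"""Audit a host's open TCP ports against a list of authorized services.

Added example, not from the lab manual: it checks each port with a
plain TCP connect(), records which accept a connection, and flags any
open port that is not on the caller's allow-list of documented
services. The UDP entries of the table are omitted because a UDP
connect() never reveals whether the port is actually open.
"""
import socket

# Commonly hacked TCP ports from the table above, used to label findings.
COMMONLY_HACKED_TCP = {
    22: "SSH",
    23: "Telnet",
    135: "RPC/DCE end point mapper",
    137: "NetBIOS over TCP/IP", 138: "NetBIOS over TCP/IP", 139: "NetBIOS over TCP/IP",
    5631: "pcAnywhere", 5632: "pcAnywhere",
    6346: "Gnutella", 6347: "Gnutella",
    12345: "NetBus", 12346: "NetBus", 12631: "NetBus", 12632: "NetBus",
    20034: "NetBus", 20035: "NetBus",
}


def tcp_port_open(host, port, timeout=0.5):
    """Return True if a TCP connect() to host:port succeeds within timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:          # refused, timed out, unreachable ...
            return False


def scan_tcp_ports(host, ports, timeout=0.5):
    """Return the sorted list of ports in `ports` that accept a connection.

    Pass range(1, 65536) to cover every TCP port as the text recommends;
    the short list above is the "speed and simplicity" option.
    """
    return sorted(p for p in ports if tcp_port_open(host, p, timeout))


def audit(open_ports, authorized):
    """Split open ports into documented (authorized) and questionable ones.

    `authorized` maps port -> description of the approved service. Any
    open port missing from it is questionable and is labelled with the
    table's service name when the port is a known one.
    """
    report = {"authorized": {}, "questionable": {}}
    for port in open_ports:
        if port in authorized:
            report["authorized"][port] = authorized[port]
        else:
            report["questionable"][port] = COMMONLY_HACKED_TCP.get(port, "unknown service")
    return report


def demo():
    """Offline run: two local listeners (constructed), one documented, one not."""
    listeners = []
    for _ in range(2):
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("127.0.0.1", 0))        # the OS picks a free port
        srv.listen(5)                     # queued handshakes make connect() succeed
        listeners.append(srv)
    good_port, bad_port = (s.getsockname()[1] for s in listeners)
    try:
        # Scan the two live ports plus port 1, which is expected to be closed.
        open_ports = scan_tcp_ports("127.0.0.1", [good_port, bad_port, 1])
        report = audit(open_ports, authorized={good_port: "documented test service"})
    finally:
        for s in listeners:
            s.close()
    return good_port, bad_port, report


if __name__ == "__main__":
    print(demo())
```

Running the same audit with two different scanners, as the text advises, is a matter of feeding `audit()` the port list each tool produced and comparing the two reports; a port that appears in one report and not the other is the "results don't match" case that deserves a second look.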
A Serious Threat
Any time there are open ports on one's personal computer, there is potential for the
loss of data, the occurrence of a virus, and at times, even complete system
compromise.
It is essential for one to protect his or her virtual files, as new security risks concerning
personal computers are discovered every day.
Computer protection should be the number one priority for those who use personal
computers.
Port scanning is considered a serious threat to one's PC, as it can occur without
producing any outward signs to the owner that anything dangerous is taking place.
Firewall Protection
- Protection from port scanning is often achieved through the use of a firewall. A
firewall monitors incoming and outgoing connections through one's personal
computer.
- One technique used by firewall technology is the opening of all the ports at one time.
This action stops port scans from returning any ports. This has worked in many
situations in the past, however, most experts agree it is best to have all open ports
investigated individually.
- Another approach is to filter all port scans going to one's computer. An individual can
also choose to port scan his or her own system, which enables one to see the personal
computer through the eyes of a hacker.
- Firewalls are the best protection one can invest in with regard to port scanning.
Firewalls deny outside access to an individual's personal computer. With this type of
protection, a personal computer is essentially hidden from unwelcome visitors and is
also protected from a variety of other hacking techniques. With firewall software, an
individual is assured that his or her sensitive and personal information remains
protected.
A ping sweep of all your network subnets and hosts is a good way to find out which
hosts are alive and kicking on the network.
A ping sweep is when you ping a range of addresses using Internet Control Message
Protocol (ICMP) packets.
Dozens of Nmap command-line options exist, which can be overwhelming when you
just want to do a basic scan.
You can just enter nmap on the command line to see all the options available.
Vulnerabilities (SNMP)
- The problem is that most network hosts run SNMP that isn’t hardened or patched to
prevent known security vulnerabilities. The majority of network devices have SNMP
enabled and don’t even need it.
- If SNMP is compromised, a hacker can gather such network information as ARP
tables and TCP connections to attack your systems. If SNMP shows up in port scans,
you can bet that a hacker will try to compromise the system.
Countermeasures (SNMP)
- Preventing SNMP attacks can be as simple as A-B-C:
- Always disable SNMP on hosts if you’re not using it, period.
- Block the SNMP port (UDP port 161) at the network perimeter.
- Change the default SNMP community string from public to another value that’s more
difficult to guess. This makes SNMP harder to hack.
Banners are the welcome screens that divulge software version numbers and other host
information to a network host. This banner information may identify the operating
system, the version number, and the specific service packs, so hackers know possible
vulnerabilities. You can grab banners by using either plain old telnet or Netcat.
For the sake of security, if banners are not a requirement of business or other software
on a host system, the services that provide them may be disabled altogether. Banners
can also be customized to present disinformation or even a warning message for
hackers.
Telnet
You can telnet to hosts on the default telnet port (TCP port 23) to see whether you’re
presented with a login prompt or any other information.
Just enter the following line at the command prompt in Windows or UNIX:
telnet ip_address
Netcat
Netcat can grab banner information from routers and other network hosts, such as a
wireless access point or managed Ethernet switch.
Countermeasures (Banner Grabbing)
The following steps can reduce the chance of banner-grabbing attacks:
- If there is no business need for services that offer banner information, disable those
unused services on the network host.
- If there is no business need for the default banners, or if you can customize the banners
displayed, configure the network host’s application or operating system to either
disable the banners or remove information from the banners that could give an attacker
a leg up.
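To verify that the countermeasures above actually took effect, a practitioner checks the host's own banner the same way telnet or Netcat would and looks at what it reveals. The Python script below is an added example, not from the lab manual and not telnet or Netcat: it connects, reads whatever the service volunteers before any input is sent, and reports the version-like tokens in that text (a product name plus a version number is exactly what an attacker matches against vulnerability databases). The demo serves a constructed OpenSSH-style banner and a constructed customized warning banner on 127.0.0.1 so it runs offline; the banners, ports and version pattern are assumptions of the example.

```python
"""Check what a service's banner reveals before someone else does.

Added example, not from the lab manual: grab the banner a service
sends on connect and report version-like tokens in it. An empty
finding list means the banner was disabled or stripped of version
information, as the countermeasures above recommend.
"""
import re
import socket
import threading

# Tokens such as "2.4.41", "7.4" or "OpenSSH_7.4" are what vulnerability
# lookups key on, so their presence is what we report.
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b|[A-Za-z]+_\d+(?:\.\d+)*")


def grab_banner(host, port, timeout=2.0, max_bytes=1024):
    """Return the bytes a service sends on connect, or b"" if it stays silent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(max_bytes)
        except socket.timeout:
            return b""


def banner_findings(banner):
    """Return the version-like tokens found in a banner (empty list = clean)."""
    text = banner.decode("latin-1", errors="replace")
    return VERSION_RE.findall(text)


def _serve_once(srv, banner):
    """Accept one client, send the banner, close (stands in for a real service)."""
    conn, _ = srv.accept()
    with conn:
        conn.sendall(banner)


def demo():
    """Serve a leaky banner and a customized one locally and compare findings."""
    samples = {                                        # constructed banners
        "default": b"SSH-2.0-OpenSSH_7.4\r\n",
        "hardened": b"Authorized access only. Activity is logged.\r\n",
    }
    results = {}
    for label, banner in samples.items():
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("127.0.0.1", 0))                     # OS-assigned free port
        srv.listen(1)
        port = srv.getsockname()[1]
        worker = threading.Thread(target=_serve_once, args=(srv, banner), daemon=True)
        worker.start()
        try:
            results[label] = banner_findings(grab_banner("127.0.0.1", port))
        finally:
            worker.join(timeout=2)
            srv.close()
    return results


if __name__ == "__main__":
    print(demo())
```

Point `grab_banner()` at a real host and port only for systems you are authorized to test; on your own servers, running it after a configuration change is a quick way to confirm that the banner no longer lists the software version.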
Physical security
- Ensure that adequate physical security is in place to prevent a hacker from
plugging into your network
- Keep the bad guys out of your server room and wiring closet
- A special monitor port on a switch where a hacker can plug in a network
analyzer is especially sensitive. Make sure it’s extra secure
- Make sure that such unsupervised areas as unoccupied desks don’t have
live network connections.
Network-analyzer detection
- You can use a network- or host-based utility to determine if someone is running an
unauthorized network analyzer on your network
- Some Network analyzer detection tools are sniffdet, PromiscDetect. These tools
enable us to monitor the network for Ethernet cards that are running in Promiscuous
mode.
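On a Linux host the check that sniffdet and PromiscDetect perform over the network can also be done locally: the kernel publishes each interface's flag word in /sys/class/net/<interface>/flags, and bit 0x100 (IFF_PROMISC in <linux/if.h>) is set while a network analyzer has the card in promiscuous mode. The script below is an added example, not from the lab manual and not either of those tools; it reads those files and lists the interfaces that are sniffing. The demo builds a constructed sysfs-style directory in a temporary folder so it runs on any system; the interface names and flag values in it are made up for the example.

```python
"""List network interfaces running in promiscuous mode on a Linux host.

Added example, not from the lab manual. Reads the kernel's per-interface
flag word from sysfs (no root, no extra packages) and reports the
interfaces whose IFF_PROMISC bit is set.
"""
import os
import tempfile

IFF_UP = 0x1          # interface is administratively up
IFF_PROMISC = 0x100   # interface receives every frame on the wire (from <linux/if.h>)


def parse_flags(text):
    """Parse the hex flag word exactly as the kernel writes it, e.g. "0x1103\n"."""
    return int(text.strip(), 16)


def is_promiscuous(flags):
    return bool(flags & IFF_PROMISC)


def interfaces_in_promisc_mode(sysfs_root="/sys/class/net"):
    """Return sorted names of interfaces under sysfs_root with IFF_PROMISC set.

    An empty list means nothing is sniffing, or that this is not a Linux
    host (the directory does not exist). Unreadable entries are skipped.
    """
    found = []
    if not os.path.isdir(sysfs_root):
        return found
    for iface in sorted(os.listdir(sysfs_root)):
        path = os.path.join(sysfs_root, iface, "flags")
        try:
            with open(path) as fh:
                flags = parse_flags(fh.read())
        except (OSError, ValueError):
            continue
        if is_promiscuous(flags):
            found.append(iface)
    return found


def demo():
    """Audit a constructed sysfs tree: eth0 sniffing, eth1 and lo normal."""
    root = tempfile.mkdtemp()
    constructed = {"eth0": 0x1103, "eth1": 0x1003, "lo": 0x9}   # made-up flag words
    for iface, flags in constructed.items():
        os.makedirs(os.path.join(root, iface))
        with open(os.path.join(root, iface, "flags"), "w") as fh:
            fh.write(f"0x{flags:x}\n")
    return interfaces_in_promisc_mode(root)


if __name__ == "__main__":
    print("demo:", demo())
    print("this host:", interfaces_in_promisc_mode())
```

Scheduling `interfaces_in_promisc_mode()` from cron and alerting on a non-empty result turns this into the host-based detection the text describes; note that a legitimate capture tool run by an administrator sets the same bit, so alerts need to be matched against authorized activity.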
An excessive number of ARP (Address Resolution Protocol) requests can be a sign of
an ARP poisoning or spoofing attack on your network. Anyone running a program
such as the dsniff tool or the Cain & Abel tool can modify the ARP tables, which are
responsible for storing the IP address to media access control (MAC) address mappings
on network hosts.
That makes the victim machines think they need to forward traffic to the hacker’s
computer rather than to the correct destination machine when communicating on the
network. This is a type of man-in-the-middle (MITM) attack. Spoofed ARP
responses can also be sent to a switch, which puts the switch into broadcast mode and
basically turns it into a hub. When this happens, a hacker can sniff every packet going
through the switch and capture anything and everything from the network.
ARP spoofing
An excessive amount of ARP requests can be a sign of an ARP poisoning
attack (or ARP spoofing) on your network.
What happens is that a client running a program such as the UNIX-based dsniff
or the UNIX- and DOS/Windows-based ettercap can change the ARP tables,
the tables that store IP address to media access control (MAC) mappings on
network hosts.
This causes the victim computers to think they need to send traffic to the
attacker’s computer, rather than the true destination computer, when
communicating on the network. This is often referred to as a Man-in-the-
Middle (MITM) attack.
MAC-address spoofing
MAC-address spoofing tricks the switch into thinking you (actually, your
computer) are someone else. You simply change your MAC address and
masquerade as another user
You can use this trick to test such access control systems as your IDS, firewall,
and even operating-system login controls that check for specific MAC
addresses.
Countermeasures (MAC-daddy attack)
A few countermeasures on your network can minimize the effects of a hacker
attack against ARP and MAC addresses on your network.
- You can prevent MAC-address spoofing if your switches can enable port security to
prevent automatic changes to the switch MAC address tables.
- No realistic countermeasures for ARP poisoning exist. The only way to prevent ARP
poisoning is to create and maintain static ARP entries in your switches for every host
on the network. This is definitely something that no network administrator has time to
do.
Detection
You can detect these two types of hacks through either an IDS or a stand-alone
MAC address monitoring utility.
Arpwatch is a UNIX-based program that alerts you via e-mail if it detects changes
in the MAC addresses associated with specific IP addresses on the network.
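The detection that Arpwatch performs is small enough to show in full. The Python script below is an added example (not Arpwatch itself and not from the lab manual) of the same idea, serving both the "excessive ARP activity" discussion above and this Detection paragraph: it learns the MAC each IP first answers with, raises an alert whenever an IP later shows up with a different MAC (the changed mapping Arpwatch e-mails about), and additionally reports any MAC that currently answers for more than one IP, which is what a man-in-the-middle host looks like when it claims both the gateway and a victim. The ARP reply log it processes is constructed for the example, as are the addresses in it; in practice the records would come from a packet capture or from periodic `arp -a` output.

```python
"""Arpwatch-style detection of ARP poisoning from observed ARP replies.

Added example, not the Arpwatch program and not from the lab manual.
Alerts on an IP whose MAC changes and on a MAC that claims several IPs.
"""
from collections import defaultdict


class ArpMonitor:
    def __init__(self):
        self.table = {}       # ip -> mac currently believed for that ip
        self.alerts = []      # (timestamp, ip, old_mac, new_mac)

    def observe(self, ts, ip, mac):
        """Record one ARP reply; return True if it changed a known mapping."""
        mac = mac.lower()                 # MACs compare case-insensitively
        old = self.table.get(ip)
        if old is None:
            self.table[ip] = mac          # first sighting: learn it
            return False
        if old == mac:
            return False                  # consistent with what we know
        self.alerts.append((ts, ip, old, mac))
        self.table[ip] = mac              # track the new claim so flip-flops alert too
        return True

    def macs_claiming_multiple_ips(self):
        """Map each MAC that currently answers for two or more IPs to those IPs."""
        by_mac = defaultdict(list)
        for ip, mac in self.table.items():
            by_mac[mac].append(ip)
        return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}


def parse_line(line):
    """Parse a constructed 'HH:MM:SS sender_ip sender_mac' record."""
    ts, ip, mac = line.split()
    return ts, ip, mac


# Constructed sample log. The gateway 192.168.1.1 normally answers from
# 00:11:22:33:44:55; from 10:00:09 a host at de:ad:be:ef:00:01 starts
# answering for both the gateway and the workstation 192.168.1.20.
SAMPLE_ARP_REPLIES = """\
10:00:01 192.168.1.1  00:11:22:33:44:55
10:00:02 192.168.1.20 aa:bb:cc:dd:ee:01
10:00:03 192.168.1.1  00:11:22:33:44:55
10:00:09 192.168.1.1  DE:AD:BE:EF:00:01
10:00:10 192.168.1.20 de:ad:be:ef:00:01
"""


def run(log=SAMPLE_ARP_REPLIES):
    """Feed every record of the log to a monitor and return the monitor."""
    mon = ArpMonitor()
    for line in log.splitlines():
        if line.strip():
            mon.observe(*parse_line(line))
    return mon


if __name__ == "__main__":
    m = run()
    for alert in m.alerts:
        print("ALERT changed mapping:", alert)
    for mac, ips in m.macs_claiming_multiple_ips().items():
        print("ALERT one MAC for several IPs:", mac, ips)
```

A real deployment would persist `table` between runs, since the attack only shows up as a change relative to what was seen earlier; an IP whose MAC legitimately changes (a replaced network card, DHCP reassignment) produces the same alert, which is why Arpwatch reports rather than blocks.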
Wireless LAN
A wireless LAN (or WLAN) is one in which a mobile user can connect to a local
area network (LAN) through a wireless (radio) connection. The IEEE 802.11 group
of standards specifies the technologies for wireless LANs. The 802.11 standards use the
Ethernet protocol and CSMA/CA (carrier sense multiple access with collision
avoidance) for path sharing and include an encryption method, the Wired Equivalent
Privacy (WEP) algorithm.
Encrypted traffic
- Wireless traffic can be captured directly out of the airwaves, making this
communications medium susceptible to malicious eavesdropping.
- Unless the traffic is encrypted, it’s sent and received in clear text just like on a
standard wired network.
- On top of that, the 802.11 encryption protocol, Wired Equivalent Privacy (WEP), has
its own weakness that allows hackers to crack the encryption keys and decrypt the
captured traffic.
Rogue networks
- Watch out for unauthorized Access Points and wireless clients attached to your
network that are running in ad-hoc mode.
- Using NetStumbler or your client manager software, you can test for Access Points
that don’t belong on your network.
- You can also use the network monitoring features in a WLAN analyzer such as
AiroPeek.
- Walk around your building or campus to perform this test to see what you can find.
- Physically look for devices that don’t belong; a well-placed Access Point or WLAN
client that’s turned off won’t show up in your network analysis tools.
- Search near the outskirts of the building or near any publicly accessible areas.
- Scope out boardrooms and the offices of upper level managers for any unauthorized
devices. These are places that are typically off limits but often are used as locations for
hackers to set up rogue Access Points.
Physical-security problems
- Various physical-security vulnerabilities can result in physical theft, the
reconfiguration of wireless devices, and the capturing of confidential information.
- When testing your systems, look for security vulnerabilities such as
Access Points mounted on the outside of a building and accessible to the public, and poorly
mounted antennas or the wrong types of antennas that broadcast too strong a signal
and that are accessible to the public.
- You can view the signal strength in NetStumbler or your wireless client manager.
Vulnerable wireless workstations
- Wireless workstations have tons of security vulnerabilities from weak passwords to
unpatched security holes to the storage of WEP(Wired Equivalent Privacy) keys
locally.
- One serious vulnerability is for wireless clients using the Orinoco wireless card.
- The Orinoco Client Manager software stores encrypted WEP keys in the Windows
Registry even for multiple networks.
Default configuration settings
- Similar to wireless workstations, wireless Access Points have many known
vulnerabilities.
- The most common ones are default SSIDs (Service Set IDentifier) and admin
passwords. The more specific ones occur only on certain hardware and software
versions that are posted in vulnerability databases and vendor Web sites.
- The one vulnerability that stands out above all others is that certain Access Points,
including Linksys, D-Link, and more, are susceptible to a vulnerability that exposes
any WEP key(s), MAC (Media Access Control) address filters, and even the admin
password! All that hackers have to do to exploit this is to send a broadcast packet on
UDP port 27155 with a string of gstsearch.
Windows
The Microsoft Windows OS is the most widely used OS in the world.
It’s also the most widely hacked. Is this because Microsoft doesn’t care as much about
security as other OS vendors? The answer is no. Numerous security mistakes went
unnoticed, especially in the Windows NT days, but the real reason is that Microsoft
products are so pervasive throughout networks. Microsoft is the easiest vendor to pick
on, and often it’s Microsoft products that end up in the crosshairs of hackers. This is
also why so many vulnerability alerts concern Microsoft products. The one positive
about hackers is that they’re driving the requirement for better security!
There are variants of vulnerabilities that have been around for a long time in UNIX
and Linux, such as the RPC vulnerabilities that the Blaster worm used. Most
Windows attacks are prevented if the patches are properly applied. Thus, poor
security management is often the real reason Windows attacks are successful.
- Many vulnerabilities have been published for the Windows operating system.
- Some of the common vulnerabilities found in all versions of Windows are:
DoS, Remote Code Execution, Memory Corruption, Overflow, SQL Injection,
XSS, HTTP Response Splitting, Directory Traversal, Bypass, Gain
Information/Privileges, CSRF, File Inclusion, etc.
- The largest number of vulnerabilities detected were of the Gain Privileges type,
by which confidentiality and integrity were highly impacted.
Windows Vulnerabilities
Due to the ease of use of Windows, many organizations have moved to the
Microsoft platform for their networking needs.
Many businesses especially the small to medium sized ones depend solely on
the Windows OS for network usage.
Many large organizations run critical servers such as Web servers and database
servers on the Windows platform.
If security vulnerabilities aren’t addressed and managed properly, they can
bring a network or an entire organization to its knees.
When Windows and other Microsoft software are attacked, especially by a
widespread Internet-based worm or virus, hundreds of thousands of
organizations and millions of computers are affected.
Many well-known attacks against Windows can lead to:
- Leakage of confidential information, including files being copied and credit card
numbers being stolen
- Passwords being cracked and used to carry out other attacks
- Systems taken completely offline by DoS attacks
- Entire databases being corrupted or deleted
When insecure Windows-based systems are attacked, serious things can happen to a
tremendous number of computers around the world.
- The Autoplay feature came in Windows XP. This feature checks removable media and
devices, then identifies and launches the appropriate application based on their
contents. This feature is useful for legitimate users but is a gateway for an attacker.
- A clipboard vulnerability can allow an attacker to get access to sensitive clipboard data.
In Windows the clipboard is common to all applications. This may lead to access to and
modification of the clipboard contents of all applications in the operating system.
- MS-Windows stores its configuration settings and options in a hierarchical database
known as the Windows Registry. The Registry is used for low-level operating system
settings and for the settings of applications running on the platform.
LINUX
It is the latest flavor of UNIX that has really taken off in corporate networks.
It is the competing operating system to Microsoft Windows.
A common misunderstanding is that Windows is the most insecure operating
system. However, Linux and most of its sister variants of UNIX are prone to
the same security vulnerabilities as any other operating system.
Hackers are attacking Linux because of its popularity and growing usage in
today’s network environment, partly because some versions of Linux are free.
Many organizations are installing Linux for their Web servers and e-mail
servers in expectations of saving money.
Linux has grown in popularity for other reasons, including the following:
- Ample resources available, including books, Web sites, and consultant expertise.
- Perception that Linux is more secure than Windows.
- Unlikeliness that Linux will get hit with as many viruses (not necessarily worms) as
Windows and its applications do. This is an area where Linux excels when it comes to
security, but it probably won’t stay that way.
- Increased buy-in from other UNIX vendors, including IBM and Sun Microsystems.
- Growing ease of use.
Linux Vulnerabilities
Vulnerabilities and hacker attacks against Linux are affecting a growing
number of organizations especially e-commerce companies and ISPs that rely
on Linux for many of their systems.
When Linux systems are hacked, the victim organizations can experience the
same side effects as if they were running Windows, including:
- Leakage of confidential intellectual property and customer information
- Passwords being cracked
- Systems taken completely offline by DoS attacks
- Corrupted or deleted databases
- Gathering messaging trend information, via log files or a network analyzer,
that can tip off the hacker about conversations between people and
organizations
- Gathering internal network configuration information, such as hostname and IP
addresses
Hacker attacks like these can lead to such problems as lost business, unauthorized and
potentially illegal disclosure of confidential information, and loss of information.
Email Attacks
Many people rely on the Internet for many of their professional, social and personal
activities. But there are also people who attempt to damage our Internet-connected
computers, violate our privacy and render Internet services inoperable.
E-mail is a universal service used by a vast number of people worldwide. As one of the
most popular services, e-mail has become a major vulnerability for users and organizations.
The following e-mail attacks use the most common e-mail security vulnerabilities.
Some of these attacks require the basic hacking methodologies: gathering public
information, scanning and enumerating your systems, and attacking. Others can be
carried out simply by sending e-mails or capturing network traffic.
Different e-mail attacks include e-mail bombs, banner attacks, etc.
Email Bombs
E-mail bombs can crash a server and provide unauthorized administrator access.
They attack by creating DoS conditions against your e-mail software and even
your network and Internet connection by taking up so much bandwidth and
requiring so much storage space.
An email bomb is a form of Internet abuse which is perpetrated through the
sending of massive volumes of email to a specific email address with the goal of
overflowing the mailbox and overwhelming the mail server hosting the address,
making it into some form of denial of service attack.
An email bomb is also known as a letter bomb.
Different e-mail bomb attacks are the attachment overloading attack, the connection
attack, and the autoresponder attack.
deleted by individual user accounts, the server will be unable to receive new
messages.
- This can create a serious DoS problem for your e-mail system, either crashing it or
requiring you take your system offline to clean up the junk that has accumulated.
E.g. 100MB file attachment sent ten times to 80 users can take 80GB of storage
space.
b. Bandwidth blocking
- An attacker can crash your e-mail service or bring it to a crawl by filling the
incoming Internet connection with junk. Even if your system automatically
identifies and discards obvious attachment attacks, the bogus messages eat
resources and delay processing of valid messages.
2. Connection Attack
A hacker can send a huge number of e-mails simultaneously to addresses on your
network.
These connection attacks can cause the server to give up on servicing any inbound or
outbound TCP requests.
This can lead to a complete server lockup or a crash, often resulting in a condition
where the attacker is allowed administrator or root access to the system!
This attack is often carried out as a spam attack.
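A defender’s view of the two e-mail bomb variants described above (attachment overloading and connection attacks), as an added example that is not part of the original text: a small detector that replays constructed mail-queue log lines (a made-up format, not any real MTA’s) and flags senders whose messages, within a sliding window, either exceed a message count or would consume too much mailbox storage. Storage is estimated as message size times recipient count, the same arithmetic as the 100MB × 10 × 80 users figure in the text.

```python
import re
from collections import defaultdict, deque

# Constructed log format for this example (not a real MTA's): one queued
# message per line with epoch time, envelope sender, size and recipient count.
LOG_RE = re.compile(r"ts=(\d+) from=<([^>]*)> size=(\d+) nrcpt=(\d+)")

def parse_line(line):
    """Return (ts, sender, size, nrcpt) or None for lines that don't match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts, sender, size, nrcpt = m.groups()
    return int(ts), sender.lower(), int(size), int(nrcpt)

def detect_email_bombs(lines, window=60, max_msgs=100, max_bytes=10 * 1024**3):
    """Map sender -> set of reasons for senders that exceed a threshold in any window."""
    events = sorted(e for e in map(parse_line, lines) if e)
    recent = defaultdict(deque)   # sender -> deque of (ts, bytes stored by this message)
    flagged = defaultdict(set)
    for ts, sender, size, nrcpt in events:
        q = recent[sender]
        q.append((ts, size * nrcpt))   # one copy lands in every recipient's mailbox
        while q and ts - q[0][0] > window:
            q.popleft()                # drop messages older than the window
        if len(q) > max_msgs:
            flagged[sender].add("connection flood")
        if sum(b for _, b in q) > max_bytes:
            flagged[sender].add("attachment overload")
    return dict(flagged)

def sample_log():
    """Constructed sample: one attachment bomb, one connection flood, one normal sender."""
    lines = [f"ts={1000 + i} from=<attacker@example.net> size=104857600 nrcpt=80"
             for i in range(10)]                       # 10 x 100 MiB to 80 users
    lines += [f"ts={2000 + i // 10} from=<spammer@example.net> size=2048 nrcpt=1"
              for i in range(150)]                     # 150 small mails in 15 s
    lines += [f"ts={3000 + i * 20} from=<colleague@example.com> size=51200 nrcpt=3"
              for i in range(5)]                       # ordinary traffic
    return lines

if __name__ == "__main__":
    for sender, reasons in detect_email_bombs(sample_log()).items():
        print(sender, sorted(reasons))
```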
3. Autoresponders Attack
This is an interesting attack that finds two or more users on the same or different e-mail
systems that have an autoresponder configured.
An autoresponder is that annoying automatic e-mail response you often get back from
random users when you’re subscribed to a mailing list.
A message goes to the mailing list of subscribers, and some users have their e-mail
configured to automatically respond back, saying they’re out of the office or on
vacation.
An autoresponder attack is a pretty easy hack.
Many unsuspecting users and e-mail administrators never know what hit them!
The hacker sends each of the two (or more) users an e-mail from the other simply by
masquerading as that
This attack can create a never-ending loop that bounces thousands of messages back
and forth between users.
This can create a DoS condition by filling either the user’s individual disk space quota
on the e-mail server or the e-mail server’s entire disk space.
Countermeasures (Banners)
There is not a 100 percent secure way of disguising banner information.
Following are some banner security tips for SMTP, POP3, and IMAP servers:
- Change your default banners to cover up the information.
- Make sure that you’re always running the latest software patches.
- Harden your server as much as possible by using well-known best practices.
The security vulnerabilities actually lie within either the Web applications themselves
or the Web server and browser software that the applications run on and communicate
with.
Many attacks against Web applications are just minor nuisances or may not affect
confidential information or system availability.
However, some attacks can cause destruction on your systems. Whether the Web
attack is against a basic brochureware site or against the company’s most critical
customer server, these attacks can hurt your organization.
Some other Web application security vulnerabilities are as follows:
SQL Injection
- Injection is a security vulnerability that allows an attacker to alter
backend SQL statements by manipulating the user-supplied data.
- Injection occurs when user input is sent to an interpreter as part of a command or
query and tricks the interpreter into executing unintended commands, giving access
to unauthorized data.
Cross site scripting
- Cross Site Scripting is also known by the short form XSS.
- XSS vulnerabilities target scripts embedded in a page that are executed on the client
side, i.e. in the user’s browser, rather than on the server side. These flaws occur when the
application takes untrusted data and sends it to the web browser without proper
validation.
- Attackers can use XSS to execute malicious scripts in the users’ (in this case the victims’)
browsers. Since the browser cannot know whether the script is trustworthy, the script will
be executed, and the attacker can hijack session cookies, deface websites, or redirect
the user to unwanted and malicious websites.
- In short, XSS is an attack which allows the attacker to execute scripts in the victim’s
browser.
Security Misconfiguration
- A secure configuration must be defined and deployed for the application,
frameworks, application server, web server, database server, and platform. If these
are not properly configured, an attacker can gain unauthorized access to sensitive data
or functionality.
- Sometimes such flaws result in complete system compromise. Keeping the software
up to date is also good security practice.
Directory Traversals
A directory traversal is a really basic attack, but it can turn up interesting
information about a Web site.
This attack is basically browsing a site and looking for clues about the server’s
directory structure.
Properly controlling access to web content is crucial for running a secure web server.
Root directory
- The root directory is the top-most directory on the server file System.
- User access is confined to the root directory, meaning users are unable to access
directories or files outside of the root.
Countermeasures (Directory Traversal Attack)
There are two main countermeasures to having files compromised via malicious
directory traversals:
o Don’t store old, sensitive, or otherwise nonpublic files on your Web server.
- The only files that should be in your /htdocs or Document Root folder are those that
are needed for the site to function properly.
- These files should not contain confidential information that you don’t want the world
to see.
o Ensure that your Web server is properly configured to allow public access only
to those directories that are needed for the site to function.
- Minimum necessary privileges are key here, so provide access only to the bare-
minimum files and directories needed for the Web application to perform properly.
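The “user access is confined to the root directory” rule above only holds if the server checks every requested path after decoding and normalising it. The following is an added example, not code from the textbook or from any real web server, of that check: the request path is URL-decoded, joined to the document root, fully resolved (collapsing “..” and symlinks) and then tested for containment. The helper that builds a throwaway document root with a public index.html and a secret file one level above it is constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

def resolve_public_path(document_root: str, requested: str) -> Optional[Path]:
    """Map a request path onto the document root; None if it would escape."""
    root = Path(document_root).resolve()
    decoded = unquote(requested)          # "%2e%2e" -> "..", "%00" -> NUL
    if "\x00" in decoded:
        return None                       # NUL can truncate paths in C libraries
    # Strip the leading "/" so "/index.html" is relative to the root, then
    # resolve "..", "." and symlinks before deciding anything.
    candidate = (root / decoded.lstrip("/")).resolve()
    try:
        candidate.relative_to(root)       # ValueError when candidate is outside root
    except ValueError:
        return None
    return candidate

def serve_file(document_root: str, requested: str) -> Optional[bytes]:
    """Return the file's bytes, or None for anything outside the root or missing."""
    path = resolve_public_path(document_root, requested)
    if path is None or not path.is_file():
        return None
    return path.read_bytes()

def make_demo_root() -> str:
    """Constructed layout: <tmp>/htdocs/index.html is public, <tmp>/secret.txt is not."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "htdocs")
    os.makedirs(root)
    Path(root, "index.html").write_text("<h1>hello</h1>")
    Path(base, "secret.txt").write_text("top secret")
    return root
```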
Use a WAF
- Employ web application firewalls.
- The misconception here might be that protecting the web server has nothing to do with
the database.
- Nothing could be further from the truth. In addition to protecting a site against cross-
site scripting vulnerabilities and web site vandalism, a good application firewall can
thwart SQL injection attacks as well.
- By preventing the injection of SQL queries by an attacker, the firewall can help keep
sensitive information stored in the database away from prying eyes.
2. Which of the following tool is used for Network Testing and port Scanning
a. NetCat
b. SuperScan
c. NetScan
d. All of Above
3. Banner grabbing is often used for
a. White Hat Hacking
b. Black Hat Hacking
c. Gray Hat Hacking
d. Script Kiddies