UNIT-III:Cyber Crime and Cyber

Security-Legal perspectives
•Cyber Law – The Legal Perspectives: Introduction, Cybercrime and the
Legal Landscape around the World, Why do we need cyberlaws: the
indian context, the indian IT act.
UNIT-III Cyber Law
🠶 Introduction
🠶 cybercrime is the largest illegal industry.
🠶 Cybercrime involves massive, coordinated attacks against the information infrastructure of a country
.

paradigm for Cyber Security

UNIT-III Cyber Law
🠶 Introduction
🠶 Cybercrime was broken into two categories and defined as:
🠶 1. Cybercrime in a restrictive sense (computer crime): It is referred to any illegal behavior that is
carried out by means of electronic methods targeting the security of computer systems and the data
processed by them. This can be considered as a narrow definition of the term cybercrime.
🠶 2. Cybercrime in a general sense (computer-related crime): It is referred to any illegal behavior that is
committed by means of, or in relation to, a computer system or network, including such crimes as illegal
possession, and offering or distributing information by means of a computer system or network. This
can be considered as a broader definition of the term cybercrime.
UNIT-III Cyber Law
🠶 Introduction
🠶 These definitions are complicated by the fact that an act may be illegal in one nation but not
in another.
🠶 There are more concrete examples, including
1. Unauthorized access to computer
2. Causing damage to computer data or programs;
3. An act of computer sabotage;
4. Doing unauthorized interception of communications;
5. Carrying out computer espionage.
UNIT-III Cyber Law
🠶 Introduction
🠶 In reference to the above-mentioned term unauthorized access, note that the law considers computer
trespass to be a crime. For example, according to Sections 18.2–152.4 of Virginia State Criminal Law,
computer trespass is deemed to have occurred when any person uses a computer or computer network
without authority and with the intent to:
🠶 1. Temporarily or permanently remove computer data, computer programs or computer
software from a computer or computer network;
🠶 2. cause a computer to malfunction regardless of how long the malfunction persists;
🠶 3. alter or erase any computer data, computer programs or computer software;
🠶 4. effect the creation or alteration of a financial instrument or of an electronic transfer of
funds;
🠶 5. cause physical injury to the property of another; or make or cause to be made an unauthorized copy, in
any form, including, but not limited to, any printed or electronic form of computer data, computer
programs or computer software residing in, communicated by or produced by a computer or computer
network shall be guilty of the crime of computer trespass which shall be punishable as a Class 1
misdemeanor.
UNIT-III Cyber Law
🠶 Cybercrime and the Legal Landscape around the World
🠶 Crime or an offense is “a legal wrong that can be followed by criminal proceedings which
may result into punishment”
🠶 The hallmark of criminality is that it is breach of the criminal law.
🠶 A Broad View on Cybercrime Law Scenario in the Asia-Pacific Region
🠶 Online Safety and Cybercrime Laws: Detailed Perspective on the Current Asia-Pacific
Scenario
🠶 Anti-Spam Laws in Canada
🠶 Cybercrime and Federal Laws in the US
🠶 The EU Legal Framework for Information Privacy to Prevent Cybercrime
🠶 Cybercrime Legislation in the African Region
UNIT-III Cyber Law
🠶 Cybercrime and the Legal Landscape around the World
🠶 A Broad View on Cybercrime Law Scenario in the Asia-Pacific Region
🠶 Only a few countries of the Asia-Pacific region have appropriate legal and regulatory frameworks to meet
these challenges.
🠶 Even where awareness is growing and where legislation may be adequate, capacity to use information
security technologies and related procedures as well as to protect against, detect and respond
effectively to cybercrime, and to assist other countries, is low.
🠶 As a result, published cybercrime reports may represent only a small fraction of their incidence and there
is a need for more accurate estimates of the prevalence of cybercrime
UNIT-III Cyber Law
🠶 Cybercrime and the Legal Landscape around the World
🠶 Online Safety and Cybercrime Laws: Detailed Perspective on the Current Asia-Pacific
Scenario
🠶 In the privacy arena, there are numerous regional norms, such as the Asia-Pacific Economic Co-operation
(APEC) Privacy Framework and the EU’s Data Protection Directive, but an international consensus on the
best approach to data protection regulation has not yet been reached. However, CoE’s Convention on
Cybercrime serves as the benchmark legislation.
🠶 There are nine principles to the APEC Privacy Framework:
🠶 1. Preventing harm;
🠶 2. integrity of personal information;
🠶 3. notice;
🠶 4. security safeguards;
🠶 5. collection limitations;
🠶 6. access and correction;
🠶 7. uses of personal information;
🠶 8. accountability;
🠶 9. choice.
UNIT-III Cyber Law
🠶 Cybercrime and the Legal Landscape around the World
🠶 Anti-Spam Laws in Canada
🠶 In early 2009, the Canadian Government tabled anti-Spam legislation, Bill C-27, T e Electronic Commerce Protection
Act, to address Spam, counterfeit websites and Spyware.
🠶 The proposed legislation also brings amendment to Canada’s Personal Information Protection and Electronic
Documents Act (PIPEDA) which covers online privacy in detail and contains many provisions relevant to E-Mail
marketing.
🠶 Basically, PIPEDA is based on the FIPs (Fair Information Practices):
🠶 1. Principle 1 – Accountability
🠶 2. Principle 2 – Identifying purposes
🠶 3. Principle 3 – Consent
🠶 4. Principle 4 – Limiting collection
🠶 5. Principle 5 – Limiting use, disclosure and retention
🠶 6. Principle 6 – Accuracy
🠶 7. Principle 7 – Safeguards
🠶 8. Principle 8 – Openness
🠶 9. Principle 9 – Individual access
🠶 10. Principle 10 – Challenging compliance
UNIT-III Cyber Law
🠶 Cybercrime and the Legal Landscape around the World
🠶 Anti-Spam Laws in Canada
🠶 There are two laws currently being discussed in Canadian legislative assemblies:
🠶 1. Senate Bill S-220:
🠶 The bill was introduced by Senator Yoine Goldstein in early February 2009.
🠶 It is slated to become the Anti-Spam Act. It is a private member’s bill with private right of action and criminal
remedies.

🠶 2. Parliamentary Bill C-27:

🠶 The bill was tabled by the government in April 2009, with private right of action, coordination between various enforcement
agencies, civil remedies.
🠶 The Electronic Commerce Protection Act (ECPA) (aka: Bill C-27) is an Anti-Spam Act that covers E-Mail communications,
unauthorized installed applications and the alteration of data during transmission between senders and recipients.
🠶 The bill forbids anyone from installing a program on a computer that could send an electronic message without the consent of
the owner or user
UNIT-III Cyber Law
🠶 Cybercrime and the Legal Landscape around the World
🠶 Cybercrime and Federal Laws in the US
🠶 On 15 September 2008, the US House of Representatives approved the bill H.R. 5938.
🠶 The amendment, as part of Senate Bill S. 2168, was meant to expand the ability of the Federal
Government to prosecute criminal of identity theft and to allow victims to seek compensation for the
victims’ efforts (time and money) spent on trying to restore their credit.
🠶 The legislation was signed by President George W. Bush. It had provisions for a fine as well as
imprisonment up to 5 years for Spyware.
🠶 Florida Computer Crimes Act (1988 version) and a summary of the penalties
🠶 The Act specifies the following type of crimes:

🠶1. Offenses against intellectual property;

🠶2. offenses against computer equipment or supplies;
🠶3. offenses against computer users.
UNIT-III Cyber Law
🠶 Cybercrime and the Legal Landscape around the World
🠶 The EU Legal Framework for Information Privacy to Prevent Cybercrime
🠶 The EU is an economic and political union of 27 memberstates, located primarily in
Europe.
🠶 Readers can visit the link to understand the EU member countries.Also see Box 6.7 to know
the names of EU member countries.
🠶 Data protection EU legal framework addressed the principles for information management (fairness,
consent, transparency, purpose specification, data retention, security and access).
UNIT-III Cyber Law
🠶 Cybercrime and the Legal Landscape around the World
🠶 The EU Legal Framework for Information Privacy to Prevent Cybercrime
🠶 In the EU, cybercrime law is primarily based on the CoE’s Convention on Cybercrime
(November 2001).
🠶 Under the convention, member states are obliged to criminalize:
🠶 1. Illegal access to computer system ;
🠶 2. Illegal interception of data to a computer system;
🠶 3.Interfering with computer system without rights and intentional interference with computer
data without rights;
🠶 4. The use of inauthentic data with intent to put it across as authentic (data forgery);
🠶 5. Infringement of copyright-related rights online;
🠶 6. Interference with data or functioning of computer system;
🠶 7. Child pornography-related off enses possession/distribution/procuring/producing of
child pornographic.
UNIT-III Cyber Law
🠶 Cybercrime and the Legal Landscape around the World
🠶 Cybercrime Legislation in the African Region
🠶 There is a common agreement that the African regions are in dire need for legislation to fight
cybercrime.
🠶 Africa is witnessing explosive growth in ICTs.
🠶 With this growth, however, cybercrime has also become a reality in this part of the world
too.
🠶 African countries, mostly because of inadequate action and controls to protect computers and networks,
are targets of attack.
🠶 A great deal of criminal activity is said to take place from this part of the world.
UNIT-III Cyber Law
🠶 Cybercrime and the Legal Landscape around the
World
🠶 Cybercrime Legislation in the African Region
UNIT-III Cyber Law
🠶 Why do we need Cyberlaws: the Indian context
🠶 Cyberlaw is a framework created to give legal recognition to all risks arising out of the usage of
computers and computer networks.
🠶 Under the purview of cyberlaw, there are several aspects, such as, intellectual property, data protection
and privacy, freedom of expression and crimes committed using computers.
🠶 The Indian Parliament passed its first cyberlaw, the ITA 2000, aimed at providing the legal infrastructure
for E-Commerce in India.
🠶 ITA 2000 received the assent of the President of India and it has now become the law of the
land in India.
🠶 The Government of India felt the need to enact relevant cyberlaws to regulate Internet-based computer
related transactions in India.
🠶 It manages all aspects, issues, legal consequences and conflict in the world of cyberspace,
Internet or WWW.
🠶 In the Preamble to the Indian ITA 2000, it is mentioned that it is an act to provide legal recognition for
transactions carried out by means of electronic data interchange and other means of electronic
communication, commonly referred to as electronic commerce.
UNIT-III Cyber Law
🠶 Why do we need Cyberlaws: the Indian context
🠶 The reasons for enactment of cyberlaws in India are summarized below:
🠶 1. Although India possesses a very well-defined legal system, covering all possible situations and cases that
have occurred or might take place in future, the country lacks in many aspects when it comes to newly
developed Internet technology. It is essential to address this gap through a suitable law given the
increasing use of Internet and other computer technologies in India.
🠶 2. There is a need to have some legal recognition to the Internet as it is one of the most
dominating sources of carrying out business in today’s world.
🠶 3. With the growth of the Internet, a new concept called cyberterrorism came into existence.
Cyberterrorism includes the use of disruptive activities with the intention to further social, ideological,
religious, political or similar objectives, or to intimidate any person in furtherance of such objectives in
the world of cyberspace. It actually is about committing an old offense but in an innovative way.
🠶 Keeping all these factors into consideration, Indian Parliament passed the Information Technology Bill on
17 May 2000, known as the ITA 2000.
🠶 This law is based on Model UNCITRAL law for E-Commerce
UNIT-III Cyber Law
🠶 The Indian IT act.
🠶 Cybercrimes and Other Related Crimes Punishable under Indian Laws
🠶 1. Under Section 65 of Indian Copyright Act any person who knowingly makes, or has in his/her
possession, any plate for the purpose of making infringing copies of any work in which Copyright subsists
is punishable with imprisonment which may extend to 2 years with fine.
🠶 2. Sending pornographic or obscene E-Mails are punishable under Section 67 of the IT Act.
🠶 • An offense under this section is punishable on fi rst conviction with imprisonment for a term, which may extend to 5 years and
with fi ne, which may extend to 1 lakh rupees (Rs.1,00,000).
🠶 • In the event of a second or subsequent conviction, the recommended punishment is imprisonment for a term, which may
extend to 10 years and also with fi ne which may extend to 2 lakh rupees (Rs.2,00,000).

🠶 3. E-Mails that are defamatory in nature are punishable under Section 500 of the Indian Penal Code (IPC)
that recommends an imprisonment of upto 2 years or a fi ne or both.
🠶 4. Threatening E-Mails are punishable under the provisions of the IPC pertaining to criminal
intimidation, insult and annoyance (CHAPTER XXII) and extortion (CHAPTER XVII).
🠶 5. E-Mail spoofing is covered under provisions of the IPC with regard to fraud, cheating by

personation (CHAPTER XVII) and forgery (CHAPTER XVIII).

UNIT-III Cyber Law
🠶 The Indian IT act.
🠶 Weak Areas of the ITA 2000
🠶 As mentioned before, there are limitations too in the IT Act; those are mainly due to the following gray
areas:
🠶 1. The ITA 2000 is likely to cause a conflict of jurisdiction.
🠶 2. E-Commerce is based on the system of domain names. The ITA 2000 does not even touch the issues
relating to domain names. Domain names have not been defi ned and the rights and liabilities of domain
name owners do not find any mention in the law. The law does not address the rights and liabilities of
domain name holders.
🠶 3. The ITA 2000 does not deal with issues concerning the protection of Intellectual Property
🠶 Rights (IPR) in the context of the online environment. Contentious yet very important issues
🠶 concerning online copyrights, trademarks and patents have been left untouched by the law,
🠶 thereby leaving many loopholes. Thus, the law lacks “Proper Intellectual Property Protection for
Electronic Information and Data” – the law misses out the issue of IPR, and makes no provisions
whatsoever for copyrighting, trade marking or patenting of electronic information and data. However, the
corresponding provisions are available under the Indian Copyright
Act.
UNIT-III Cyber Law
🠶 The Indian IT act.
🠶 Weak Areas of the ITA 2000
🠶 4. As the cyberlaw is evolving, so are the new forms and manifestations of cybercrimes. The offenses
defined in the ITA 2000 are by no means exhaustive. However, the drafting of the relevant provisions of
the ITA 2000 makes it appear as if the offenses detailed therein are the only cyberoffenses possible and
existing. The ITA 2000 does not cover various kinds of cybercrimes and Internet-related crimes.
🠶 These include:

🠶 • Theft of Internet hours;

🠶 • cybertheft;
🠶 • cyberstalking;
🠶 • cyberharassment;
🠶 • cyberdefamation;
🠶 • cyberfraud;
🠶 • misuse of credit card numbers;
🠶 • chat room abuse;
🠶 • cybersquatting (not addressed directly).
UNIT-III Cyber Law
🠶 The Indian IT act.
🠶 Weak Areas of the ITA 2000
🠶 5. The ITA 2000 has not tackled vital issues pertaining to E-Commerce sphere like privacy and content
regulation to name a few.
🠶 6. The Information Technology Act is not explicit about regulation of Electronic Payments, and avoids
applicability of IT Act to Negotiable Instruments. The Information Technology Act stays silent over the
regulation of electronic payments gateway and rather segregates the negotiable instruments from the
applicability of the IT Act. This may have major eff ect on the growth of E-Commerce in India.
🠶 This has led to tendencies of banking and financial sectors being irresolute in their stands.
🠶 7. IT Act does not touch upon antitrust issues.
🠶 8. The most serious concern about the Indian Cyberlaw relates to its implementation. The ITA 2000
does not lay down parameters for its implementation. Also, when Internet penetration in India is
extremely low and government and police officials, in general, are not very computer savvy, the new
Indian cyberlaw raises more questions than it answers. It seems that the Parliament would be required to
amend the ITA 2000 to remove the gray areas mentioned above.
UNIT-III Cyber Forensics
🠶 Introduction
🠶 Cyberforensics plays a key role in investigation of cybercrime. “Evidence” in the case of
“cyberoffenses” is extremely important from legal perspective.
🠶 There are legal aspects involved in the investigation as well as handling of the digital forensics
evidence.
🠶 Only the technically trained and experienced experts should be involved in the forensics
activities.
UNIT-III Cyber Forensics
🠶 Historical background of Cyber Forensics
🠶 Computer is either the subject or the object of cybercrimes or is used as a tool to commit a
cybercrime.
🠶 The earliest recorded computer crimes occurred in 1969 and 1970 when student protestors burned
computers at various universities.
🠶 Around the same time, people were discovering methods for gaining unauthorized access to
large-time shared computers.
🠶 Computer intrusion and fraud committed with the help of computers were the first crimes to be widely
recognized as a new type of crime.
UNIT-III Cyber Forensics
🠶 Historical background of Cyber Forensics
🠶 The Florida Computer Crimes Act was the first computer crime law to address computer
fraud and intrusion. It was enacted in Florida in 1978.
🠶 “Forensics evidence” is important in the investigation of cybercrimes.
🠶 Computer forensics is primarily concerned with the systematic “identification,” “acquisition”,
“preservation” and “analysis” of digital evidence, typically after an unauthorized access to computer or
unauthorized use of computer has taken place; while the main focus of “computer security” is the
prevention of unauthorized access to computer systems as well as maintaining
“confidentiality”,“integrity” and “availability” of computer systems.
UNIT-III Cyber Forensics
🠶 Historical background of Cyber Forensics
🠶 There are two categories of computer crime: one is the criminal activity that involves using a computer to
commit a crime, and the other is a criminal activity that has a computer as a target.
🠶 Forensics means a “characteristic of evidence” that satisfies its suitability for admission as fact and its
ability to persuade based upon proof (or high statistical confidence level).
🠶 The goal of digital forensics is to determine the “evidential value” of crime scene and related evidence.
🠶 The roles and contributions of the digital forensics/computer forensics experts are almost parallel to those
involved as forensics scientists in other crimes, namely, analysis of evidence, provision of expert
testimony, furnishing training in the proper recognition, and collection and preservation of the evidence
UNIT-III Cyber Forensics
🠶 Digital Forensics Science
🠶 Digital forensics is the application of analyses techniques to the reliable and unbiased
collection, analysis, interpretation and presentation of digital evidence.
🠶 There is a number of slightly varying definitions.
🠶 The term computer forensics, however, is generally considered to be related to the use of analytical and
investigative techniques to identify, collect, examine and preserve evidence/information which is
magnetically stored or encoded.
UNIT-III Cyber Forensics
🠶 Digital Forensics Science
🠶 The objective of “cyberforensics” is to provide digital evidence of a specific or general activity.
Following are two more definitions worth considering:
🠶 1. Computer forensics:
🠶 It is the lawful and ethical seizure, acquisition, analysis, reporting and safeguarding of data and
metadata derived from digital devices which may contain information that is notable and perhaps of
evidentiary value to the trier of fact in managerial, administrative, civil and criminal investigations.
🠶 In other words, it is the collection of techniques and tools used to find evidence in a computer.
🠶 2. Digital forensics: It is the use of scientifically derived and proven methods toward the preservation,
collection, validation, identification, analysis, interpretation, documentation and presentation of digital
evidence derived from digital sources for the purpose of facilitation or furthering the reconstruction of
events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to
planned operations.
UNIT-III Cyber Forensics
🠶 Digital Forensics Science
🠶 In general, the role of digital forensics is to:
1. Uncover and document evidence and leads.
2. Corroborate evidence discovered in other ways.
3. Assist in showing a pattern of events (data mining has an application here).
4. Connect attack and victim computers.
5. Reveal an end-to-end path of events leading to a compromise attempt, successful or not.
6. Extract data that may be hidden, deleted or otherwise not directly available.
UNIT-III Cyber Forensics
🠶 Digital Forensics Science
🠶 The typical scenarios involved are:
1. Employee Internet abuse;
2. data leak/data breach – unauthorized disclosure of corporate information and data (accidental and intentional);
3. industrial espionage (corporate “spying” activities);
4. damage assessment (following an incident);
5. criminal fraud and deception cases;

6. criminal cases (many criminalssimply store information on computers, intentionally or

unwittingly) and countless others;
7. copyright violation
Using digital forensics techniques, one can:
1. Corroborate and clarify evidence otherwise discovered.
2. Generate investigative leads for follow-up and verification in other ways.
3. Provide help to verify an intrusion hypothesis.
4. Eliminate incorrect assumptions.
UNIT-III Cyber Forensics
🠶 Digital Forensics Figure shows the kind of data you “see” using forensics tools.
Science
UNIT-III Cyber Forensics
🠶 The need for Computer Forensics
🠶 The convergence of Information and Communications Technology (ICT) advances and the pervasive use of
computers worldwide together have brought about many advantages to mankind.
🠶 At the same time, this tremendously high technical capacity of modern

computers/computing devices provides avenues for misuse as wellas opportunities for

committing crime.
🠶 This has lead to new risks for computer users and also increased opportunities for social harm.
🠶 The users, businesses and organizations worldwide have to live with a constant threat from hackers who
use a variety of techniques and tools to break into computer systems, steal information, change data and
cause havoc.
🠶 The widespread use of computer forensics is the result of two factors:
1. The increasing dependence of law enforcement on digital evidence
2. the ubiquity of computers that followed from the microcomputer revolution
UNIT-III Cyber Forensics
🠶 The need for Computer Forensics
🠶 The media, on which clues related to
cybercrime reside, would vary from case
to case.
🠶 There are many challenges for the
forensics investigator because
storage devices are getting
miniaturized due to advances in
electronic technology;
🠶 for example, externalstorage
devices such as mini hard
disks
(pen drives) are available in
amazing shapes.
UNIT-III Cyber Forensics
🠶 The need for Computer Forensics
🠶 Computer forensics services include the following:
1. Data culling and targeting;
2. Discovery/subpoena process;
3. Production of evidence;
4. Expert affidavit support;
5. Criminal/civil testimony;
6. Cell phone forensics;
7. PDA forensics.
 UNIT-III Cyber Forensics
🠶 The need for Computer Forensics
🠶 Specific client requests for forensics evidence extracting solution support include:
1. Index of fi les on hard drive;
2. Index of recovered files;
3. MS Office/user generated document extraction;
4. Unique E-Mail address extraction;
5. Internet activity/history;
6. Storage of forensics image for 1 year (additional charges then apply);
7. Keywords search; 13. Conversion to PDF;
8. Chain of custody; 14. Log extraction;
9. Mail indexing; 15. Imessaging history recovery;
10. Deleted fi le/folder recovery; 16. Password recovery;
11. Office document recovery; 17. Format for forensics extracts (DVD, CD, HDD, other);
12. Metadata indexing; 18. Network acquisitions.
UNIT-III Cyber Forensics
🠶 The need for Computer Forensics
🠶 Chain of custody means the chronological documentation trail, etc. that indicates the seizure, custody,
control, transfer, analysis and disposition of evidence, physical or electronic.
🠶 “Fungibility” means the extent to which the components of an operation or product can be inter-changed
with similar components without decreasing the value of the operation or product.
🠶 Chain of custody is also used in most evidence situations to maintain the integrity of the evidence by
providing documentation of the control, transfer and analysis of evidence.
🠶 Chain of custody is particularly important in situations where sampling can identify the
existence of contamination and can be used to identify the responsible party.
🠶 The purpose behind recording the chain of custody is to establish that the alleged evidence is,
indeed, related to the alleged crime, that is, the purpose is to establish the integrity of the evidence.
🠶 In the context of conventional crimes, establishing “chain of custody” is especially important
when the evidence consists of fungible goods.
UNIT-III Cyber Forensics
🠶 Cyber Forensics and Digital Evidence
🠶 Cyberforensics can be divided into two domains:
🠶 1. Computer forensics;
🠶 2. network forensics

🠶 Network forensics is the study of network traffi c to search for truth in civil, criminal and administrative
matters to protect users and resources from exploitation, invasion of privacy and any other crime fostered
by the continual expansion of network connectivity.
UNIT-III Cyber Forensics
🠶 Cyber Forensics and Digital Evidence
🠶 There are many forms of cybercrimes:
🠶 sexual harassment cases – memos, letters, E-Mails; obscene chats or
🠶 embezzlement cases – spreadsheets, memos, letters, E-Mails, online banking
information;
🠶 corporate espionage by way of memos, letters, E-Mails and chats;
🠶 and frauds through memos, letters, spreadsheets and E-Mails.
🠶 In case of computer crimes/cybercrimes, computer forensics helps.
🠶 Computer forensics experts know the techniques to retrieve the data from files listed in standard directory
search, hidden files, deleted files, deleted E-Mail and passwords, login IDs, encrypted files, hidden
partitions, etc.
🠶 Typically, the evidences reside on computer systems, user created files, user protected files, computer
created files and on computer networks.
UNIT-III Cyber Forensics
🠶 Cyber Forensics and Digital Evidence
🠶 Computer systems have the following:
🠶 1. Logical fi le system that consists of
🠶 • File system: It includes files, volumes, directories and folders, file allocation tables (FAT) as in the older
version of Windows Operating System, clusters, partitions, sectors.
🠶 • Random access memory.
🠶 • Physical storage media: It has magnetic force microscopy that can be used to recover data from
overwritten area.
🠶 (a) Slack space: It is a space allocated to the fi le but is not actually used due to internal fragmentation and
🠶 (b) unallocated space.

🠶 2. User created files: It consists of address books, audio/video files, calendars, database fi
les, spreadsheets, E-Mails, Internet bookmarks, documents and text files.
🠶 3. Computer created files: It consists of backups, cookies, configuration files, history files,
log files, swap files, system files, temporary files, etc.
🠶 4. Computer networks: It consists of the Application Layer, the Transportation Layer, the Network Layer,
the Datalink Layer.
UNIT-III Cyber Forensics
🠶 Cyber Forensics and Digital Evidence
🠶 The Rules of Evidence
🠶 “Evidence” means and includes:
1.All statements which the court permits or requires to be made before it by witnesses, in relation to
matters of fact under inquiry, are called oral evidence.
2. All documents that are produced for the inspection of the court are called documentary
evidence

🠶 Paper evidence, the process is clear and intuitively obvious. Digital evidence by its very nature is
invisible to the eye. Therefore, the evidence must be developed using tools other than the human eye.
UNIT-III Cyber Forensics
🠶 Cyber Forensics and Digital Evidence
🠶 T ere are number of contexts involved in
actually identifying a piece of digital evidence:
🠶 1. Physical context: It must be definable in its physical
form, that is, it should reside on a specific piece of
media.
🠶 Logical context: It must be identifiable as to its logical
position, that is, where does it reside relative to the fi
le system.
🠶 Legal context: We must place the evidence in
the correct context to read its meaning. T is
may require looking at the evidence as
machine language, for example, American
Standard Code for Information Interchange
(ASCII).
UNIT-III Cyber Forensics
🠶 Cyber Forensics and Digital Evidence
🠶 Following are some guidelines for the (digital) evidence collection phase:
🠶 1. Adhere to your site’s security policy and engage the appropriate incident handling and
law enforcement personnel.
🠶 2. Capture a picture of the system as accurately as possible.
🠶 3. Keep detailed notes with dates and times. If possible, generate an automatic transcript (e.g., on Unix
systems the “script” program can be used; however, the output fi le it generates should not be given to
media as that is a part of the evidence). Notes and printouts should be signed and dated.
🠶 4. Note the difference between the system clock and Coordinated Universal Time (UTC). For each
timestamp provided, indicate whether UTC or local time is used (since 1972 over 40 countries throughout
the world have adopted UTC as their official time source).
🠶 5. Be prepared to testify (perhaps years later) outlining all actions you took and at what
times. Detailednotes will be vital.
🠶 6. Minimize changes to the data as you are collecting it. T is is not limited to content changes; avoid
updating fi le or directory access times.

🠶 7. Remove external avenues for change.

UNIT-III Cyber Forensics
🠶 Cyber Forensics and Digital Evidence
🠶 8. When confronted with a choice between collection and analysis you should do collection
first and analysis later.
🠶 9. Needless to say, your procedures should be implementable. As with any aspect of an incident response
policy, procedures should be tested to ensure feasibility, particularly, in a crisis. If possible, procedures
should be automated for reasons of speed and accuracy. Being methodical always helps.
🠶 10. For each device, a systematic approach should be adopted to follow the guidelines laid down in your
collection procedure. Speed will often be critical; therefore, where there are a number of devices requiring
examination, it may be appropriate to spread the work among your team to collect the evidence in
parallel. However, on a single given system collection should be done step by step.
UNIT-III Cyber Forensics
🠶 Cyber Forensics and Digital Evidence
🠶 11. Proceed from the volatile to the less volatile; order of volatility is as follows:
🠶 • Registers, cache (most volatile, i.e., contents lost as soon as the power is turned OFF);
🠶 • routing table, Address Resolution Protocol (ARP) cache, process table, kernel statistics, memory;
🠶 • temporary file systems;
🠶 • disk;
🠶 • remote logging and monitoring data that is relevant to the system in question;
🠶 • physical configuration and network topology;
🠶 • archival media (least volatile, i.e., holds data even after power is turned OFF).
🠶 12. You should make a bit-level copy of the system’s media. If you wish to do forensics analysis you
should make a bit-level copy of your evidence copy for that purpose, as your analysis will almost certainly
alter file access times. Try to avoid doing forensics on the evidence copy
UNIT-III Cyber Forensics
🠶 Digital Forensics Lifecycle
🠶 The cardinal rules to remember are that evidence:

1. is admissible;
2. is authentic;
3. is complete;
4. is reliable;
5. is understandable and believable.
UNIT-III Cyber Forensics
🠶 Digital Forensics Lifecycle
🠶 The Digital Forensics
Process
UNIT-III Cyber Forensics
🠶 Digital Forensics Lifecycle
🠶 The Phases in Computer Forensics/Digital Forensics
🠶 The Phases in Computer Forensics/Digital Forensics the forensics life cycle involves the
following phases:
1. Preparation and identification;
2. storing and transporting;
3. collection and recording;
4. examination/investigation;
5. analysis, interpretation and attribution;
6. reporting;
7. testifying.
UNIT-III Cyber Forensics
🠶 Digital Forensics Lifecycle
🠶 The Phases in Computer Forensics/Digital Forensics
🠶 To mention very briefly, the process involves the following activities:
1. Prepare: Case briefings, engagement terms, interrogatories, spoliation prevention,
disclosure and discovery planning, discovery requests.
2. Record: Drive imaging, indexing, profiling, search plans, cost estimates, risk analysis.
3. Investigate: Triage images, data recovery, keyword searches, hidden data review,
communicate, iterate.
4. Report: Oral vs. written, relevant document production, search statistic reports, chain
of custody reporting, case log reporting.
5. Testify: Testimony preparation, presentation preparation, testimony.
UNIT-III Cyber Forensics
🠶 Digital Forensics Lifecycle
🠶 The Phases in Computer Forensics/Digital Forensics
🠶 Preparing for the Evidence and Identifying the Evidence
🠶 Collecting and Recording Digital Evidence
🠶 Storing and Transporting Digital Evidence
🠶 Examining/Investigating Digital Evidence
🠶 Analysis, Interpretation and Attribution
🠶 Reporting
🠶 Testifying
UNIT-III Cyber Forensics
🠶 Digital Forensics Lifecycle
🠶 Precautions to be Taken when Collecting Electronic Evidence
UNIT-III Cyber Forensics
🠶 Digital Forensics Lifecycle
🠶 Precautions to be Taken when Collecting Electronic Evidence
UNIT-III Cyber Forensics
🠶 Digital Forensics Lifecycle
🠶 Precautions to be Taken when Collecting Electronic Evidence
UNIT-III Cyber Forensics
🠶 Challenges in Computer Forensics.
🠶 Technical Challenges: Understanding the Raw Data and its Structure
🠶 The Legal Challenges in Computer Forensics and Data Privacy Issues
UNIT-III Cyber Forensics
🠶 Challenges in Computer Forensics.
🠶 Technical Challenges: Understanding the Raw Data and its Structure
🠶 There are two aspects of the technical challenges faced in digital forensics investigation – one is the “
complexity” problem and the other is the “quantity” problem involved in a digital forensics investigation.
🠶 A digital forensics investigator often faces the “complexity problem” because acquired data is
typically at the lowest and most raw format.
🠶 Non-technical people may find it too difficult to understand such format. For resolving the complexity
problem, tools are useful; they translate data through one or more “layers of abstraction” until it can be
understood.
🠶 For example, to view the contents of a directory from a fi le system image, tools process the
fi le system structures so that the appropriate values are displayed.
🠶 The data that represents the fi les in a directory exist in formats that are too low level to identify without
the assistance of tools
UNIT-III Cyber Forensics
🠶 Challenges in Computer Forensics.
🠶 Technical Challenges: Understanding the Raw Data and its Structure
🠶 The directory is a layer of abstraction in the fi le system. Examples of non-fi le system layers
of abstraction include:
🠶 1. ASCII;
🠶 2. HTML Files;
🠶 3. Windows Registry;
🠶 4. Network Packets;
🠶 5. Source Code.
🠶 Examples of abstraction layers are data reduction techniques; for example
1. Identifying known network packets using IDS signatures;
2. identifying unknown entries during log processing;
3. identifying known fi les using hash databases;
4. sorting fi les by their type.
UNIT-III Cyber Forensics
🠶 Challenges in Computer Forensics.
🠶 Technical Challenges: Understanding the Raw Data and its Structure
🠶 For Example if we are examine the FAT File system Disk
🠶 The FAT fi le system has seven layers of abstraction. The first layer uses just the partition image as input,
🠶 assuming that the acquisition was done of the raw partition using a tool such as the UNIX
“dd” tool.
🠶 This layer uses the defined Boot Sector structure and extracts the size and location values.
Examples of extracted values include:
🠶 1. Starting location of FAT;
🠶 2. size of each FAT;
🠶 3. number of FATs;
🠶 4. number of sectors per cluster;
🠶 5. location of Root Directory
UNIT-III Cyber Forensics
🠶 Challenges in Computer Forensics.
🠶 Technical Challenges: Understanding the Raw Data and its Structure
🠶 The abstraction layers of the FAT file system are as follows:
🠶1. Layer 0: Raw file system image;
🠶2. Layer 1: File system image and values from Boot Sector and FAT Entry Size;
🠶3. Layer 2: FAT Area and Data Area;
🠶4. Layer 3: Starting Cluster, FAT Entries;
🠶5. Layer 4: Clusters, Raw Cluster Content and Content Type;
🠶6. Layer 5: Formatted Cluster Content;
🠶7. Layer 6: List of Clusters.
UNIT-III Cyber Forensics
🠶 Challenges in Computer Forensics.
🠶 The Legal Challenges in Computer Forensics and Data Privacy Issues
🠶 Evidence, to be admissible in court, must be relevant, materialand competent, and its
probative value must outweigh any prejudicial effect.
🠶 There are many types of personnel involved in digital forensics/computer forensics:
🠶(a) Technicians: who carry out the technical aspects of gathering evidence
🠶(b) Policy makers: establish forensics policies that refl ect broad considerations
🠶(c) Professionals: the link between policy and execution – who must have extensive technical
skills as well as good understanding of the legal procedure
UNIT-III Cyber Forensics
🠶 Challenges in Computer Forensics.
🠶 The Legal Challenges in Computer Forensics and Data Privacy Issues
🠶 Skills for digital forensics professionals are the following:
1. Identify relevant electronic evidence associated with violations of specific laws;
2. identify and articulate probable cause necessary to obtain a search warrant and
recognize the limits of warrants;
3. locate and recover relevant electronic evidence from computer systems using tools;
4. recognize and maintain a chain of custody;
5. follow a documented forensics investigation process.