Cyber Forensic


Course: Cyber Forensics MCA Programme

Module 1
Computer Forensics Fundamentals: What is Computer Forensics, Use of Computer Forensics
in Law Enforcement, Steps taken by Computer Forensics Specialists, Scientific Method in
Computer Forensic Analysis.
Types of Computer Forensic Technology: Types of Military Computer Forensic Technology,
Types of Law Enforcement Computer Forensic Technology, Types of Business Computer Forensic Technology.
Types of Computer Forensic Systems: Basics of Internet Security Systems, Intrusion Detection
Systems, Firewall Security Systems, Biometric Security Systems, Network Disaster Recovery
Systems, Public Key Infrastructure Systems, Wireless Network Security Systems.
Computer Forensics Fundamentals
Computer Forensics
The process of
 IDENTIFYING,
 COLLECTING,
 PRESERVING,
 ANALYZING AND
 PRESENTING
the computer-related/digital evidence in a manner that is legally acceptable in court.
Digital evidence is any information or data of value to an investigation that is stored on,
received by, or transmitted by an electronic device. Text messages, emails, pictures and videos,
and internet searches are some of the most common types of digital evidence.
Section 79A of IT (Amendment) Act, 2008
Digital evidence or electronic evidence is “any probative information stored or transmitted
in digital form that a party to a court case may use at trial”. Section 79A of IT (Amendment)
Act, 2008 defines electronic form evidence as “any information of probative value that is
either stored or transmitted in electronic form and includes computer evidence, digital
audio, digital video, cell phones, and digital fax machines”
Digital Trail
Most criminals now leave a digital footprint; a suspect’s IP address, posting on a Social Media
platform or using their mobile device for everyday use in place of a traditional computer and
camera.


This information could reveal:


 Intent,
 Location and time of crime,
 Relationship with victim(s), and
 Relationship with other suspect(s)
POTENTIAL SOURCES OF EVIDENCE
 Transaction records
 Email traffic
 Those held by third party
 Personal Computers
 Smart phones/ Tablets
 Selected data media
 Access control logs
 Internet activity logs
 Anti- virus logs
 Intrusion detection logs
 Backup media
 CCTV recordings
Digital forensics helps the forensic team analyze, inspect, identify, and preserve the digital
evidence residing on various types of electronic devices.
The ultimate goal
To produce evidence for legal cases.
Objectives
 Prepare for an Investigation.
 Acquire Data.
 Analyze Data.
 Identify the Evidence and Present It.


Digital evidence principles


 Actions taken to secure and collect digital evidence should not change that evidence.
 Persons conducting the examination of digital evidence should be trained for this purpose.
 All activity relating to the seizure, examination, storage, or transfer of digital
evidence should be fully documented, preserved, and available for review.

Digital evidence
Digital evidence has three main characteristics: it can transcend national borders with ease
and speed; it is highly fragile and can be easily altered, damaged, or destroyed; and it is time
sensitive. For these reasons, special precautions should be taken to document, collect, preserve,
and examine this type of evidence.
Types of investigations
Public investigations
 In the context of criminal cases
 Conducted by the law enforcement officers and driven by the statutes in the criminal
law.
Examples
 Drug crimes.
 Sexual exploitation.
 Theft
Private investigations
 Context: civil or internal cases.
 Conducted by: organizations or corporations.
Examples
 sabotage
 embezzlement
 industrial espionage


Digital Forensics Process

Tools for Forensic Investigations

Computer Forensic software suite.


 A comprehensive set of features
 Cover an investigation from the beginning to its completion.
Abilities to
 acquire and process data,
 conduct searches, and
 generate reports.


Hardware needs
Resource Intensive
 Processing power,
 Memory size, and
 Disk space.

To be effective as a computer forensics investigator, you must have as many relevant tools as
possible.
USE OF COMPUTER FORENSICS IN LAW ENFORCEMENT
Computer forensics assists in Law Enforcement. This can include:
 Recovering deleted files such as documents, graphics, and photos.
 Searching unallocated space on the hard drive, places where an abundance of data often
resides.
 Tracing artifacts, those tidbits of data left behind by the operating system. Our experts know
how to find these artifacts and, more importantly, they know how to evaluate the value of the
information they find.
 Processing hidden files — files that are not visible or accessible to the user — that contain
past usage information. Often, this process requires reconstructing and analyzing the date codes
for each file and determining when each file was created, last modified, last accessed and when
deleted.
 Running a string-search for e-mail, when no e-mail client is obvious.

COMPUTER FORENSICS SERVICES


Computer forensics professionals should be able to successfully perform complex evidence


recovery procedures with the skill and expertise that lends credibility to your case. For example,
they should be able to perform the following services:
1. DATA SEIZURE
Following federal guidelines, computer forensics experts should act as the representative, using
their knowledge of data storage technologies to track down evidence. The experts should also be
able to assist officials during the equipment seizure process.
2. DATA DUPLICATION/PRESERVATION
When one party must seize data from another, two concerns must be addressed: the data must not
be altered in any way, and the seizure must not put an undue burden on the responding party. The
computer forensics experts should address both of these concerns by making an exact
duplicate of the needed data. When experts work on the duplicate, the integrity of the
original is maintained.
3. DATA RECOVERY
Using proprietary tools, your computer forensics experts should be able to safely recover and
analyze otherwise inaccessible evidence. The ability to recover lost evidence is made possible by
the expert’s advanced understanding of storage technologies.

4. DOCUMENT SEARCHES
Computer forensics experts should also be able to search over 200,000 electronic documents in
seconds rather than hours. The speed and efficiency of these searches make the discovery process
less complicated and less intrusive to all parties involved.
5. MEDIA CONVERSION
Computer forensics experts should extract the relevant data from old and un-readable devices,
convert it into readable formats, and place it onto new storage media for analysis.

6. EXPERT WITNESS SERVICES


Computer forensics experts should be able to explain complex technical processes in an easy-to-
understand fashion. This should help judges and juries comprehend how computer evidence is found,
what it consists of, and how it is relevant to a specific situation.

7. COMPUTER EVIDENCE SERVICE OPTIONS


Computer forensics experts should offer various levels of service, each designed to suit your
individual investigative needs. For example, they should be able to offer the following services:
 Standard service: Computer forensics experts should be able to work on your case during normal
business hours until your critical electronic evidence is found.
 On-site service: Computer forensics experts should be able to travel to your location to perform
complete computer evidence services. While on-site, the experts should quickly be able to produce
exact duplicates of the data storage media in question.
 Emergency service: Your computer forensics experts should be able to give your case the highest
priority in their laboratories. They should be able to work on it without interruption until your
evidence objectives are met.


 Priority service: Dedicated computer forensics experts should be able to work on your case
during normal business hours (8:00 A.M. to 5:00 P.M., Monday through Friday) until the evidence is
found. Priority service typically cuts your turnaround time in half.
 Weekend service: Computer forensics experts should be able to work from 8:00 A.M. to 5:00
P.M., Saturday and Sunday, to locate the needed electronic evidence and will continue
working on your case until your evidence objectives are met.
8. OTHER MISCELLANEOUS SERVICES
Computer forensics experts should also be able to provide extended services. These services include:
 Analysis of computers and data in criminal investigations
 On-site seizure of computer data in criminal investigations
 Analysis of computers and data in civil litigation.
 On-site seizure of computer data in civil litigation
 Analysis of company computers to determine employee activity
 Assistance in preparing electronic discovery requests
 Reporting in a comprehensive and readily understandable manner
 Court-recognized computer expert witness testimony
 Computer forensics on both PC and Mac platforms
 Fast turnaround time.

BENEFITS OF PROFESSIONAL FORENSIC METHODOLOGY


A knowledgeable computer forensics professional should ensure that a subject computer system is
carefully handled to ensure that:
1. No possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to
investigate the computer.
2. No possible computer virus is introduced to a subject computer during the analysis process.
3. Extracted and possibly relevant evidence is properly handled and protected from later mechanical
or electromagnetic damage.
4. A continuing chain of custody is established and maintained.
5. Business operations are affected for a limited amount of time, if at all.
6. Any client-attorney information that is inadvertently acquired during a forensic exploration is
ethically and legally respected and not divulged.

STEPS TAKEN BY COMPUTER FORENSICS SPECIALISTS


The computer forensics specialist should take several careful steps to identify and attempt to
retrieve possible evidence that may exist on a subject’s computer system. For example, the
following steps should be taken:
1. Protect the subject computer system during the forensic examination from any possible
alteration, damage, data corruption, or virus introduction.
2. Discover all files on the subject system. This includes existing normal files, deleted yet
remaining files, hidden files, password-protected files, and encrypted files.
3. Recover all discovered deleted files.
4. Reveal the contents of hidden files as well as temporary or swap files used by both the
application programs and the operating system.
5. Access the contents of protected or encrypted files.


6. Analyze all possibly relevant data found in special areas of a disk. This includes but is not
limited to what is called unallocated space on a disk, as well as slack space in a file (the remnant
area at the end of a file in the last assigned disk cluster, that is unused by current file data, but
once again, may be a possible site for previously created and relevant evidence).
7. Print out an overall analysis of the subject computer system, as well as a listing of all possibly
relevant files and discovered file data.
8. Provide an opinion of the system layout; the file structures discovered; any discovered data
and authorship information; any attempts to hide, delete, protect, and encrypt information; and
anything else that has been discovered and appears to be relevant to the overall computer system
examination.
9. Provide expert consultation and/or testimony, as required.
Slack space (file slack space)
Slack space is the leftover storage that exists on a computer’s hard disk drive when a computer
file does not need all the space it has been allocated by the operating system. The examination of
slack space is an important aspect of computer forensics.
To understand why slack space plays an important role in E-discovery, one must first understand
how data is stored on computers that have hard disk drives. Computers with hard disk drives
store data in a sealed unit that contains a stack of circular, spinning disks called platters. Each
platter is composed of logically defined spaces called sectors and by default, most operating
system (OS) sectors are configured to hold no more than 512 bytes of data. If a text file that is
400 bytes is saved to disk, the sector will have 112 bytes of extra space left over. When the
computer’s hard drive is brand new, the space in a sector that is not used – the slack space – is
blank, but that changes as the computer gets used.
When a file is deleted, the operating system doesn't erase the file, it simply makes the sector the
file occupied available for reallocation. Should a new file that is only 200 bytes be allocated to
the original sector, the sector’s slack space will now contain 200 bytes of leftover data from the
first file in addition to the original 112 bytes of extra space. That leftover data, which is called
latent data or ambient data, can provide investigators with clues as to prior uses of the computer
in question as well as leads for further inquiries.
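The 512-byte sector walk-through above, as an added Python simulation that is not part of the course notes: a 400-byte file is written, deleted (the sector is only marked free, not wiped), and a 200-byte file is reallocated to the same sector, leaving 200 bytes of latent data plus the original 112 blank bytes in slack. The file contents, the hypothetical email address and the find_strings helper are constructed for the example; slack_size generalises the 400/512 arithmetic to any file size and allocation-unit size.

```python
SECTOR_SIZE = 512  # the 512-byte sector the notes describe


def slack_size(file_size, unit_size=SECTOR_SIZE):
    """Unused bytes at the tail of the last allocation unit holding a file of
    file_size bytes. A 400-byte file in a 512-byte sector leaves 112 bytes; a
    file that exactly fills its units leaves none."""
    if file_size < 0 or unit_size <= 0:
        raise ValueError("file_size must be >= 0 and unit_size > 0")
    return (-file_size) % unit_size


class Sector:
    """One allocation unit of a simulated disk. Brand-new media is blank (all zero bytes)."""

    def __init__(self, size=SECTOR_SIZE):
        self.raw = bytearray(size)
        self.file_len = 0          # bytes belonging to the file currently stored here
        self.allocated = False

    def write_file(self, data):
        """Store a file: only the file's own bytes are written; the tail is left as it was."""
        if len(data) > len(self.raw):
            raise ValueError("file does not fit in one sector")
        self.raw[:len(data)] = data
        self.file_len = len(data)
        self.allocated = True

    def delete_file(self):
        """Deletion marks the sector reusable; the OS does not erase its contents."""
        self.allocated = False

    def slack(self):
        """Everything after the current file's last byte: latent data plus blank padding."""
        return bytes(self.raw[self.file_len:])


def find_strings(raw, needle):
    """Offsets of every occurrence of needle in raw (a string search over slack/raw bytes)."""
    hits, start = [], 0
    while (i := raw.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def demo():
    """Constructed scenario: 400-byte file, deleted, then 200-byte file in the same sector."""
    sector = Sector()
    # hypothetical first file: filler, then an email header line near its end
    first = (b"-" * 300 + b"From: alice@example.test\n").ljust(400, b"-")
    sector.write_file(first)
    sector.delete_file()
    second = b"meeting notes for monday".ljust(200, b"~")
    sector.write_file(second)
    return sector
```

After demo(), slack() holds 312 bytes: the old file's bytes 200..399 (including the address) followed by 112 zero bytes from the never-used tail.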


Scientific method in Computer Forensic Analysis.

Asking or defining a question


Start with a question that can be tested. The question should be specific. It can be based on an
observation. Information is normally gathered before the final question is decided.
Researching the problem or question
Books, journal articles, magazines, manuals, newspapers, the internet, etc. are used in the research
to find out whether the hypothesis has already been studied or researched. Research sources used
should be scientific, objective and unbiased.
Forming a hypothesis
The answer to the question is given in the form of an educated guess of what is expected to
happen.
The hypothesis
 Must be in the form of a statement
 Must be researched before it’s stated
 Must be testable. If it is not, it is not a valid hypothesis.
 Must allow for a variable to be tested and what results are expected
 Should be given in the format: “If this ------------ is done/changed, then this
------------------- will happen/be observed.”
Null hypothesis: what the researcher seeks to disprove or nullify; the opposite of the
hypothesis.


Developing and performing the experiment


 Must test the hypothesis
 Should have planned steps for implementation
 Should only have one variable that is tested
 Either supports or disproves the hypothesis
 The experiment will be retested to validate the results
Collecting the data
A lab notebook is kept through all of the steps of the scientific method. All observations that led
to the question should be recorded as should the research that was done, the formation of the
hypothesis, and any hypothesis that were not used. Write down how the experiment was
designed and all its steps.
 All the details, data and measurements of the experiment are documented.
 Document every detail.
 Write down any mistakes or changes.
 Leave nothing out.
Clearly labelled tables are normally used for documentation, since the data changes over time and
tables make these changes easy to update.
Analyze the data
The data collected is scrutinized. Information is compared and contrasted. Graphs, tables and charts
are used to visually review the data. Averages, means and deviations should be calculated, and
statistical analyses performed.
Writing the conclusion
Data and results are studied in order to draw conclusions. It is stated whether the result supports
or disproves the hypothesis. It is perfectly acceptable for the hypothesis to be incorrect. Any additional
data found or new data established that were unexpected might need research to be explained.
All problems or sources of error should be discussed. Results should be interpreted without any
bias or prejudice and as objectively as possible. Any future data or experiments needed should be
considered.
Communicating the result
The results are communicated and published in written format in scientific journals.
Lecturing, sharing and retesting are performed on it. The format used for communicating depends
on the actual topic studied and the type of audience who will be reviewing/using the scientific
research.
The method seldom proceeds through all eight steps in an organized fashion.
This is especially true in criminal investigations:
 Research yields more knowledge that changes the hypothesis and the experiments.


 More data is collected that also might change the hypothesis


 The exploration changes
 The results are not expected
 Conclusions can change and the process may begin again
Types of computer forensics
Database forensics.
The examination of information contained in databases, both data and related metadata.
Email forensics.
The recovery and analysis of emails and other information contained in email platforms,
such as schedules and contacts.
Malware forensics.
Sifting through code to identify possible malicious programs and analyzing their payload.
Such programs may include Trojan horses, ransomware or various viruses.
Mobile forensics.
The examination of mobile devices to retrieve and analyze the information they contain,
including contacts, incoming and outgoing text messages, pictures and video files.
Network forensics.
Looking for evidence by monitoring network traffic, using tools such as
a firewall or intrusion detection system.
Memory forensics.
Collecting information stored in a computer's random-access memory (RAM) and cache.
Types of Computer Forensic Technology
Types of Military Computer Forensic Technology
Key objectives of cyber forensics include rapid discovery of evidence, estimation of potential
impact of the malicious activity on the victim, and assessment of the intent and identity of the
perpetrator.
 Real-time tracking of potentially malicious activity is especially difficult when the
pertinent information has been intentionally hidden, destroyed, or modified in order to elude
discovery.
 National Law Enforcement and Corrections Technology Center (NLECTC) works with
criminal justice professionals to identify urgent and emerging technology needs.


 NLECTC centers demonstrate new technologies, test commercially available technologies


and publish results — linking research and practice.
 National Institute of Justice (NIJ) sponsors research and development or identifies best
practices to address those needs.
 The information directorate entered into a partnership with the NIJ via the auspices of the
NLECTC, to test the new ideas and prototype tools. The Computer Forensics Experiment
2000 (CFX-2000) resulted from this partnership.
COMPUTER FORENSIC EXPERIMENT-2000 (CFX-2000)
CFX-2000 is an integrated forensic analysis framework.
 The central hypothesis of CFX-2000 is that it is possible to accurately determine the
motives, intent, targets, sophistication, identity, and location of cyber criminals and cyber
terrorists by deploying an integrated forensic analysis framework.
 The cyber forensic tools involved in CFX-2000 consisted of commercial off-the-shelf
software and directorate-sponsored R&D prototypes. CFX-2000 includes the SI-FI integration
environment.
 The Synthesizing Information from Forensic Investigations (SI-FI) integration
environment supports the collection, examination, and analysis processes employed during a
cyber-forensic investigation.
 The SI-FI prototype uses digital evidence bags (DEBs), which are secure and tamperproof
containers used to store digital evidence.
 Investigators can seal evidence in the DEBs and use the SI-FI implementation to
collaborate on complex investigations.
 Authorized users can securely reopen the DEBs for examination, while automatic audit of
all actions ensures the continued integrity of their contents.
 The teams used other forensic tools and prototypes to collect and analyze specific features
of the digital evidence, perform case management and time lining of digital events, automate
event link analysis, and perform steganography detection.
 The results of CFX-2000 verified that the hypothesis was largely correct and that it is
possible to ascertain the intent and identity of cyber criminals.
 As electronic technology continues its explosive growth, researchers need to continue
vigorous R&D of cyber forensic technology in preparation for the onslaught of cyber
reconnaissance probes and attacks.
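The digital evidence bag behaviour described above (sealed contents, reopening only by authorized users, automatic audit of all actions preserving integrity), as an added Python model that is not the SI-FI prototype's code: contents are hashed when sealed, every seal/open/denied action is appended to a hash-chained audit log, and verify() reports both altered contents and edited audit entries. The case id, user names and image bytes are constructed for the example.

```python
import hashlib
import json
import time

GENESIS = "0" * 64  # prev_hash of the first audit entry


class EvidenceBagError(Exception):
    """Raised for unauthorized access to, or misuse of, a bag."""


class DigitalEvidenceBag:
    """Minimal model of a DEB: sealed bytes, their SHA-256, an authorized-user set
    and a hash-chained audit log. Each entry's hash covers the previous entry's
    hash, so editing or removing an entry breaks the chain on verification."""

    def __init__(self, case_id, authorized_users):
        self.case_id = case_id
        self.authorized = frozenset(authorized_users)
        self.contents = b""
        self.content_hash = None
        self.sealed = False
        self.audit = []

    @staticmethod
    def _entry_hash(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _log(self, action, user, detail=""):
        prev = self.audit[-1]["entry_hash"] if self.audit else GENESIS
        entry = {"seq": len(self.audit), "time": time.time(), "user": user,
                 "action": action, "detail": detail, "prev_hash": prev}
        entry["entry_hash"] = self._entry_hash(entry)
        self.audit.append(entry)

    def seal(self, user, data):
        """Place evidence in the bag once; record its hash and who sealed it."""
        if self.sealed:
            raise EvidenceBagError("bag is already sealed")
        if user not in self.authorized:
            raise EvidenceBagError(f"{user} is not authorized to seal this bag")
        self.contents = bytes(data)
        self.content_hash = hashlib.sha256(self.contents).hexdigest()
        self.sealed = True
        self._log("seal", user, self.content_hash)

    def open(self, user):
        """Return the contents for examination; denied attempts are logged too."""
        if not self.sealed:
            raise EvidenceBagError("bag is not sealed")
        if user not in self.authorized:
            self._log("denied", user)
            raise EvidenceBagError(f"{user} is not authorized to open this bag")
        self._log("open", user)
        return self.contents

    def verify(self):
        """List integrity problems: changed contents, edited or re-ordered audit entries."""
        problems = []
        if hashlib.sha256(self.contents).hexdigest() != self.content_hash:
            problems.append("content hash mismatch: evidence altered since sealing")
        prev = GENESIS
        for e in self.audit:
            if e["prev_hash"] != prev:
                problems.append(f"audit chain broken at entry {e['seq']}")
            if self._entry_hash(e) != e["entry_hash"]:
                problems.append(f"audit entry {e['seq']} modified")
            prev = e["entry_hash"]
        return problems


def demo():
    """Constructed case: seal, one authorized reopen, one denied attempt."""
    bag = DigitalEvidenceBag("CASE-EXAMPLE-001", {"examiner_a", "examiner_b"})
    bag.seal("examiner_a", b"constructed disk image bytes")
    bag.open("examiner_b")
    try:
        bag.open("outsider")
    except EvidenceBagError:
        pass
    return bag
```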
Types of Law enforcement


Computer forensics tools and techniques have become important resources for use in internal
investigations, civil lawsuits, and computer security risk management. Law enforcement and
military agencies have been involved in processing computer evidence for years.
Computer Evidence Processing Procedures
Processing procedures and methodologies should conform to federal computer evidence
processing standards.
1. Preservation of Evidence
Computer evidence is fragile and susceptible to alteration or erasure by any number of
occurrences. Computer evidence can be useful in criminal cases, civil disputes, and human
resources/ employment proceedings.
 Black box computer forensics software tools are good for some basic investigation tasks, but
they do not offer a full computer forensics solution.
 SafeBack software overcomes some of the evidence weaknesses inherent in black box
computer forensics approaches. SafeBack technology has become a worldwide standard in
making mirror image backups since 1990.
TROJAN HORSE PROGRAMS
The computer forensic expert should be able to demonstrate his or her ability to avoid destructive
programs and traps that can be planted by computer users bent on destroying data and evidence.
Such programs can also be used to covertly capture sensitive information, passwords, and
network logons.
COMPUTER FORENSICS DOCUMENTATION
Without proper documentation, it is difficult to present findings. If the security or audit findings
become the object of a lawsuit or a criminal investigation, then documentation becomes even
more important.
FILE SLACK
Slack space in a file is the remnant area at the end of a file in the last assigned disk cluster that is
unused by current file data but, once again, may be a possible site for previously created and
relevant evidence. Experts use specialized techniques and automated tools to capture and
evaluate file slack.
DATA-HIDING TECHNIQUES
Trade secret information and other sensitive data can easily be secreted using any number of
techniques. It is possible to hide diskettes within diskettes and to hide entire computer hard disk
drive partitions. Computer forensic experts should understand such issues and tools that help in
the identification of such anomalies.
E-COMMERCE INVESTIGATIONS


Net Threat Analyzer can be used to identify past Internet browsing and email activity done
through specific computers. The software analyzes a computer’s disk drives and other storage
areas that are generally unknown to or beyond the reach of most general computer users. Net
Threat Analyzer is available free of charge to computer crime specialists, school officials, and
police.

DUAL-PURPOSE PROGRAMS
Programs can be designed to perform multiple processes and tasks at the same time. Computer
forensics experts must have hands-on experience with these programs.
TEXT SEARCH TECHNIQUES
Text search tools can be used to find targeted strings of text in files, file slack, unallocated file
space, and Windows swap files.
FUZZY LOGIC TOOLS USED TO IDENTIFY UNKNOWN TEXT
Computer evidence searches require that the computer specialist know what is being searched
for. Many times not all is known about what may be stored on a given computer system. In such
cases, fuzzy logic tools can provide valuable leads as to how the subject computer was used.
2. Disk Structure
Computer forensic experts must understand how computer hard disks and floppy diskettes are
structured and how computer evidence can reside at various levels within the structure of the
disk. They should also demonstrate their knowledge of how to modify the structure and hide
data in obscure places on floppy diskettes and hard disk drives.
3. Data Encryption
Computer forensic experts should become familiar with the use of software to crack security
associated with the different file structures.
4. Matching a Diskette to a Computer
Specialized techniques and tools make it possible to conclusively tie a diskette to the
computer that was used to create or edit files stored on it. Computer forensic experts should
become familiar with how to use special software tools to complete this process.
5. Data Compression
Computer forensic experts should become familiar with how compression works and how
compression programs can be used to hide and disguise sensitive data, and should also learn how
password-protected compressed files can be broken.
6. Erased Files


Computer forensic experts should become familiar with how previously erased files can be
recovered by using DOS programs and by manually applying data-recovery techniques, and should
be familiar with cluster chaining.
7. Internet Abuse Identification and Detection
Computer forensic experts should become familiar with how to use specialized software to
identify how a targeted computer has been used on the Internet. This process will focus on
computer forensics issues tied to data that the computer user probably doesn’t realize exists (file
slack, unallocated file space, and Windows swap files).
8. The Boot Process and Memory Resident Programs
Computer forensic experts should become familiar with how the operating system can be
modified to change data and destroy data at the whim of the person who configured the system.
Such a technique could be used to covertly capture keyboard activity from corporate executives,
for example. For this reason, it is important that the experts understand these potential risks and
how to identify them.
TYPES OF BUSINESS COMPUTER FORENSIC TECHNOLOGY
The following are different types of business computer forensics technology:
REMOTE MONITORING OF TARGET COMPUTERS
Data Interception by Remote Transmission (DIRT) is a powerful remote control monitoring tool
that allows stealth monitoring of all activity on one or more target computers simultaneously
from a remote command center. No physical access is necessary. The application also allows agents
to remotely seize and secure digital evidence prior to physically entering suspect premises.
CREATING TRACKABLE ELECTRONIC DOCUMENTS
Binary Audit Identification Transfer (BAIT) is a powerful intrusion detection tool that allows
users to create trackable electronic documents. BAIT identifies (including their location)
unauthorized intruders who access, download, and view these tagged documents. BAIT also
allows security personnel to trace the chain of custody and chain of command of all who possess
the stolen electronic documents.
THEFT RECOVERY SOFTWARE FOR LAPTOPS AND PCS
What it really costs to replace a stolen computer: the price of the replacement hardware and
software; the cost of recreating data, lost production time or instruction time, reporting and
investigating the theft, filing police reports and insurance claims, increased insurance, processing
and ordering replacements, cutting a check, and the like; the loss of customer goodwill; and, if a
thief is ever caught, the cost of the time involved in prosecution.
PC PHONEHOME
PC Phone Home is a software application that will track and locate a lost or stolen PC or laptop
anywhere in the world. It is easy to install. It is also completely transparent to the user. If your
PC Phone Home-protected computer is lost or stolen, all you need to do is make a report to the
local police and call CD’s 24-hour command center. CD’s recovery specialists will assist local
law enforcement in the recovery of your property.

FORENSIC SERVICES AVAILABLE


Services include but are not limited to:
 Lost password and file recovery
 Location and retrieval of deleted and hidden files
 File and email decryption
 Email supervision and authentication
 Threatening email traced to source
 Identification of Internet activity
 Computer usage policy and supervision
 Remote PC and network monitoring
 Tracking and location of stolen electronic files
 Honeypot sting operations
 Location and identity of unauthorized software users
 Theft recovery software for laptops and PCs
 Investigative and security software creation
 Protection from hackers and viruses.
Types of Computer Forensic Systems
Internet Security Systems
Internet and network security are topics that many executives and managers avoid talking about.
The purpose of this section is to demystify Internet security and inform the executive how it can
easily and effectively be implemented in order to support computer forensics.
General Internet Security Principles and Architecture
The first step in defining a corporate Internet security policy is to draft a high-level
management policy statement establishing a framework and context for security within an
organization. This policy needs to define the adequate and appropriate Internet security
measures ne

The next step is to start a systematic analysis of the assets of an organization,
determining the value of information, or the possible damage to reputation should it be disclosed,
along with possible risks. This step is no more difficult than the risk management that a
corporation already exercises every day. Most businesses already have clearly established
what information is valuable, who should have access to it, and who has responsibility for
protecting it.


Security Hierarchy

Mission Critical
Information such as trade secrets, vault and authorization codes, and lock and key information
are clearly of a mission critical nature, and their unintended disclosure could cause severe loss to
a business or operation.
Departmental information
Departmental information is typically data that is private to a particular department, such as
payroll information in finance and medical records in personnel.
Company private information
Company private information varies from company to company but typically consists of
information that should only be disclosed to employees and partners of a company, such as
policy and procedure manuals.
Public information
Public information is information such as product literature, brochures, and catalogs that needs to
be freely available to anyone, but whose integrity needs to be assured to prevent unauthorized
alteration. This information is often provided to customers and interested parties by means of the
Internet
Intrusion Detection Systems


Intrusion Detection System (IDS)


An intrusion detection system (IDS) is a device or software application that monitors a network
for malicious activity or policy violations. Any malicious activity or violation is typically
reported or collected centrally using a security information and event management system.

IDS Types

IDS are classified by where they are placed and by how they detect:
Network intrusion detection systems (NIDS): A sensor placed at a network choke point that
analyzes the traffic passing through it.
Host-based intrusion detection systems (HIDS): An agent on a single host that monitors that
host's operating system files, processes and logs for signs of compromise.
Signature-based:
Signature-based IDS detects known threats by looking for specific patterns, such as byte
sequences in network traffic or known malicious instruction sequences used by malware. It is
precise for what it knows, but it cannot detect an attack for which no signature exists yet.
Anomaly-based:
Anomaly-based IDS was designed to detect unknown attacks, driven largely by a growth in
malware variants that outpaces signature writing. It builds a model of trustworthy (baseline)
activity, statistically or with machine learning, and flags new behaviour that deviates from that
model. Its weakness is the false-positive rate: legitimate but unusual activity also looks
anomalous, so the baseline must be built from known-clean traffic and tuned over time.
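The two detection methods side by side, as an added example that is not part of the course notes: a signature-based detector with four illustrative regular-expression rules, and an anomaly-based detector whose trust model is a per-client request-volume baseline, both run over constructed web-server log lines. The IP addresses, paths and rule patterns are made up for the example, and the anomaly model is a deliberately simple statistical one standing in for the learned models the text refers to.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample log lines (not real traffic). Format: "client_ip method path status".
TRAINING = """\
10.0.0.5 GET /index.html 200
10.0.0.5 GET /about.html 200
10.0.0.7 GET /login 200
10.0.0.7 POST /login 302
10.0.0.9 GET /index.html 200""".splitlines()

WINDOW = """\
10.0.0.5 GET /index.html 200
10.0.0.5 GET /contact.html 200
203.0.113.4 GET /cgi-bin/test.cgi?cmd=cat%20/etc/passwd 404
203.0.113.4 GET /index.php?id=1%27%20OR%201=1-- 200
203.0.113.4 GET /download?file=../../etc/shadow 403""".splitlines() + [
    # a scanner probing 40 non-existent pages: no known-bad pattern, just volume
    f"198.51.100.2 GET /page{i}.html 404" for i in range(40)
]

# Signature rules (hypothetical, illustrative patterns): name -> regex over the request path.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./|%2e%2e%2f", re.I),
    "sensitive-file": re.compile(r"/etc/(passwd|shadow)", re.I),
    "sqli-tautology": re.compile(r"(%27|')(%20|\s)*or(%20|\s)+1=1", re.I),
    "sqli-union": re.compile(r"union(%20|\s)+select", re.I),
}

def parse(line):
    ip, method, path, status = line.split()
    return {"ip": ip, "method": method, "path": path, "status": int(status)}

def signature_alerts(lines):
    """Signature-based detection: flag every request whose path matches a known-bad
    pattern. Precise, but silent on anything no rule describes (the scanner is missed)."""
    alerts = []
    for line in lines:
        rec = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                alerts.append((rec["ip"], name))
    return alerts

def build_baseline(lines):
    """Anomaly-based detection, training phase: learn per-client request volume from
    traffic assumed to be clean. The 'trust model' here is mean + 3 standard
    deviations; a production IDS would learn many more features, often with ML."""
    counts = Counter(parse(l)["ip"] for l in lines)
    values = list(counts.values())
    return mean(values) + 3 * pstdev(values)

def anomaly_alerts(lines, threshold):
    """Anomaly-based detection, detection phase: flag clients whose volume in this
    window exceeds the learned threshold, whatever the content of their requests."""
    counts = Counter(parse(l)["ip"] for l in lines)
    return sorted(ip for ip, n in counts.items() if n > threshold)

if __name__ == "__main__":
    threshold = build_baseline(TRAINING)
    print("signature alerts:", signature_alerts(WINDOW))         # all from 203.0.113.4
    print("anomaly alerts:", anomaly_alerts(WINDOW, threshold))  # ['198.51.100.2']
```

Each method catches what the other misses: the signatures fire only on the three crafted requests from 203.0.113.4, while the scanner at 198.51.100.2 matches no rule and is caught only by its volume. Note also that the volume threshold was learned from five clean lines, which is why 203.0.113.4's three requests stay just under it; a real baseline needs far more data.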
Why Intrusion Detection Systems are Important
Modern networked business environments require a high level of security to ensure safe and
trusted communication of information between various organizations. An intrusion detection
system is the safeguard that notices when preventive controls such as firewalls and access control
have been bypassed, so that the intrusion can be contained and investigated. Cyber-attacks will
only become more sophisticated, so it is important that protection technologies adapt along with
their threats.
Firewall Security Systems, Biometric Security Systems, Network Disaster Recovery
Systems
Firewall Security Systems
A firewall is a network security device that monitors and filters incoming and outgoing network
traffic based on an organization's previously established security policies. At its most basic, a
firewall is the barrier that sits between a private internal network and the public Internet. A
firewall's main purpose is to allow non-threatening traffic in and to keep dangerous traffic out.
Note that it can only judge traffic against its rules, so an attack carried inside permitted traffic
(for example over an allowed web port) passes through unless a deeper inspection layer catches it.
Firewall History


Firewalls have existed since the late 1980s and started out as packet filters, which examined
the header fields of each packet (addresses, ports, protocol) passing between networks and
allowed or dropped it by rule. Though packet filtering firewalls are still in use today, firewalls
have come a long way as technology has developed over the decades.

Types of Firewall
Packet filtering
Each packet is judged on its own by its header fields (source and destination address, port,
protocol) against an ordered rule list; no connection state is kept.
Proxy service
Network security system that terminates the client's connection and opens its own to the
destination, so that it can inspect and filter messages at the application layer.
Stateful inspection
Dynamic packet filtering that tracks active connections and uses that state to decide which
packets to allow through the firewall, for example admitting a reply only if the matching
outbound request was seen.
Next Generation Firewall (NGFW)
Deep packet inspection firewall with application-level awareness, typically combined with an
intrusion prevention system.
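Stateless packet filtering versus stateful inspection, as an added example that is not part of the original notes. The addresses, ports and policy are hypothetical; what it shows is why a stateless filter that must admit replies to outbound connections ends up admitting a forged packet that a connection-tracking firewall drops.

```python
from dataclasses import dataclass

INSIDE = "10.0.0."   # constructed: addresses with this prefix are the protected LAN

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags: "S" = SYN (new connection), "SA" = SYN/ACK, "A" = ACK

def inbound(pkt):
    return pkt.dst.startswith(INSIDE) and not pkt.src.startswith(INSIDE)

def stateless_filter(pkt):
    """Packet filtering: every packet is judged alone, on header fields only.
    Policy: inside hosts may talk to the Internet. To let the replies of their HTTPS
    sessions back in, a stateless filter has no choice but to admit ANY inbound
    packet whose source port is 443, which is exactly the hole an attacker uses."""
    if not inbound(pkt):
        return "ALLOW"
    if pkt.sport == 443:
        return "ALLOW"
    return "DROP"

class StatefulFirewall:
    """Stateful inspection: remember the connections inside hosts open, and admit an
    inbound packet only if it is the reply leg of one of them."""

    def __init__(self):
        # connection table: (inside_ip, inside_port, outside_ip, outside_port)
        self.connections = set()

    def filter(self, pkt):
        if not inbound(pkt):
            if pkt.flags == "S":   # a new outbound connection: start tracking it
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return "ALLOW"         # ESTABLISHED: reply to something we initiated
        return "DROP"              # unsolicited, whatever its source port claims

# Constructed traffic: one legitimate HTTPS session plus one forged packet.
OUTBOUND_SYN = Packet("10.0.0.5", 51000, "203.0.113.10", 443, "S")
LEGIT_REPLY = Packet("203.0.113.10", 443, "10.0.0.5", 51000, "SA")
# The attacker sets source port 443 to reach SSH on an inside host.
FORGED = Packet("198.51.100.7", 443, "10.0.0.5", 22, "S")

def compare(packets):
    """Run the same packet sequence through both designs; returns the two verdict lists."""
    stateful = StatefulFirewall()
    return ([stateless_filter(p) for p in packets],
            [stateful.filter(p) for p in packets])

if __name__ == "__main__":
    stateless, stateful = compare([OUTBOUND_SYN, LEGIT_REPLY, FORGED])
    print("stateless:", stateless)   # ['ALLOW', 'ALLOW', 'ALLOW']: the forged packet gets in
    print("stateful: ", stateful)    # ['ALLOW', 'ALLOW', 'DROP']
```

The connection table is also why a stateful firewall needs timeouts and has a finite capacity: every tracked entry costs memory, which is what SYN-flood style attacks against stateful devices exhaust.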
Why Do We Need Firewalls?
Firewalls, especially Next Generation Firewalls, focus on blocking malware and application-
layer attacks. Along with an integrated intrusion prevention system (IPS), these Next Generation
Firewalls are able to react quickly and seamlessly to detect and combat attacks across the whole
network.

The following are the primary benefits of using a firewall:


 Protection from vulnerable services
 Controlled access to site systems


 Concentrated security
 Enhanced privacy
 Logging and statistics on network use and misuse
 Policy enforcement

Biometric Security Systems


What is biometric security?
 It involves using biometric security software to automatically recognize people based on their
behavioural or biological characteristics. The biometric technology currently used most often
in physical access control is fingerprint recognition, because of its lower price.
What is biometric authentication?
Authentication is a way to verify that a person is who they claim to be. Biometric
authentication performs this verification by checking distinctive biological or behavioural
characteristics. Unlike a password check, a biometric match is probabilistic: the captured sample
is scored for similarity against the stored template and accepted if the score passes a threshold,
so every system has a false-accept rate and a false-reject rate that the threshold trades off.
For example, in a facial recognition system, different facial features are processed and converted
into numerical data (a template), which is stored in a database. When a person tries to log in, the
system recaptures their face, extracts numerical data, and compares it with what is stored in the
database.

Other types of biometric authentication are:


 Fingerprint scanning
 DNA matching
 Retina scanning


 Vein scanning
 Behavioral biometrics

The Bad
Yes, biometrics are generally more secure, but they are not foolproof. Attackers can spoof
biometric data by using various techniques, such as a downloaded or printed photo of a person, a
fake silicone fingerprint, or a 3D mask. Such attacks are known as presentation attacks, and
liveness detection is the usual countermeasure. A further caveat: a biometric template that leaks
cannot be changed the way a compromised password can.

Network Disaster Recovery Systems


A network disaster could negate the capability of the organization to provide uninterrupted
service to its internal and external customers
Network disaster recovery (NDR) is the ability to respond to an interruption in network
services by implementing a disaster recovery plan to restore an organization’s critical business
functions.
A fundamental requirement of economic viability is the ability to recover crucial data
quickly after a disaster.


While the great majority of companies have NDR plans in place, those without one usually
indicate that they intend to create one. An intention to create a plan is not enough to make sure
the critical parts of your business will be able to continue to function in the event of a catastrophe.

Possible Causes of Network Failures


 Hardware failure. Network equipment such as routers, switches, modems, gateways, or
any other device can fail and, as a result, affect every other device that depends on it.
 Cascading failure. A single network consists of multiple routers, nodes, or switches.
One of those components might become overloaded and stop working, shifting its load onto
the others and triggering a cascade of failures within the network.
 Issues with the internet connection. Loss or misconfiguration of the upstream internet
connection interrupts connectivity and data transfer with the outside world.
 Human errors. Sometimes, network connectivity problems are the result of mistakes made
by employees when working with network equipment or manually configuring network
components without adequate training or a tested change procedure.
 Network attacks. Network services can be disrupted by a cyber-attack, such as a
denial-of-service attack, whose aim is to prevent the organization from delivering its services.
 Natural or man-made disaster. Disasters of any type can significantly damage or even
destroy your production centre and virtual infrastructure, causing significant business losses.
Network Disaster Recovery Plan
The network disaster recovery plan is usually in the form of a formal document that is created by
the network administrator and other key IT/network management staff. Depending on the
underlying network and organization requirements, it may include plans and procedures for
recovering:
• Local area networks (LAN), wide area networks (WAN) and wireless networks
• Network-based applications and services
• Servers and computer systems
Factors to Consider During Network Disaster Recovery Planning
Identify business continuity and disaster recovery objectives
This is an important step in network disaster recovery planning because identifying your
business continuity (BC), and disaster recovery objectives allows you to determine what your


DR plan needs to accomplish. Recognizing your expectations for network disaster recovery helps
to define how your DR plan should be structured in order to achieve the best results.
Create an IT recovery team and assign responsibilities
It is not enough to create a network disaster recovery plan; you should also decide who will
implement the plan when an actual disaster strikes. Thus, create a recovery team and identify the
employees who will join it. Each recovery team member should be assigned a specific role and a
unique set of responsibilities to avoid confusion and panic during a DR event.
Back up network configuration files
When it comes to network disaster recovery planning, the main aim is to ensure that a network is
restored to its normal state as rapidly as possible. That is why it is important to regularly back up
network configuration files, including the initial parameters and settings for configuring network
devices, and to store the copies somewhere that does not depend on the devices being backed up.
Most devices can export their running and startup configuration; dedicated backup software can
automate this and the recovery of other mission-critical data when the infrastructure is hit by a
disaster. Verify that the backups actually restore, not merely that they were taken.
Why Is a Network Disaster Recovery Plan So Important?
The answer to this question is simple: an organization cannot function properly if one of
its system components stops working. Without network services, a company cannot properly
execute its business operations and move data within the infrastructure.
Public Key Infrastructure Systems, Wireless network security systems
Public Key Infrastructure Systems
The purpose of PKI is to provide an environment that addresses today’s business, legal,
network, and security demands for trust and confidentiality in data transmission and storage. PKI
accomplishes these goals for an enterprise through policy and technology components
What is PKI and What is it used for?
The Public key infrastructure (PKI) is the set of hardware, software, policies, processes, and
procedures required to create, manage, distribute, use, store, and revoke digital certificates and
public-keys
Who Are the Key Players Involved in PKI?


Certificate authorities (CAs)

CAs are trusted third-party bodies that issue and manage digital certificates. Trusted is the key
word: for the public web, CAs earn inclusion in browser and operating-system trust stores by
meeting the requirements set by the CA/Browser Forum (CA/B Forum), an industry group made
up of certificate authorities and browser and operating-system vendors. An enterprise may also
run its own private CA, trusted only by the systems it controls.
Digital certificates
Digital certificates, which are issued by the CAs, are the final element. A digital certificate acts as
the passport of PKI. Just as you need a passport to travel internationally, you need a digital
certificate to travel through PKI. That is because a PKI digital certificate carries documentation
that details information about the key and its owner. It also comes with a signature from the CA,
similar to a passport coming with a sign-off from the traveller's government.
There are two things PKI does to secure communications:
 Authentication — This ensures that the other party is the legitimate
server/individual that you’re trying to communicate with.
 Encryption — This makes sure that no other parties can read your
communications.
PKI
PKI is the trust framework that allows all of us to operate safely and securely in the digital
world. Through encryption and authentication it lets messages travel, and documents and
downloads be trusted, across networks that are themselves untrusted.
How Does Public Key Infrastructure Work?
1. PKI authenticates you and your server. It allows your site users' web browsers to
authenticate your server before connecting with it (so they can verify that they are
connecting to a legitimate server). You can also use client certificates to limit access to
authenticated users. This gives you greater control over your network and other IT
systems.
2. PKI facilitates encryption and decryption. PKI lets you use digital certificates and
public key pairs to protect data or the channels you send it over, using the TLS protocol
(formerly SSL). In TLS the certificate's key pair authenticates the key exchange; the bulk of
the traffic is then encrypted with a symmetric session key derived from that exchange.
3. PKI ensures the integrity of your data. A digital signature lets users, their browsers or their
devices detect whether the data you send has been tampered with.
TLS (SSL) certificate
TLS uses PKI to do two things:
o Your browser authenticates that it is connected to the correct server, the one owned by the
website (the certificate's name must match the host and chain to a trusted CA).
o All the data that passes between your browser and the web server is encrypted.
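The trust chain described above, as an added example that is not part of the course notes: a root CA issues a certificate to an issuing CA, which issues one to a server; a client validates the chain (expiry, revocation, issuer linkage, signature) against the root it trusts by configuration, and the server proves it holds its private key by signing a client nonce. The CA and host names are hypothetical. Two stand-ins are used so the code runs with the Python standard library alone: Lamport one-time signatures (a genuine hash-based public-key signature scheme) in place of the RSA/ECDSA signatures on real X.509 certificates, and JSON in place of ASN.1/DER encoding.

```python
import hashlib
import json
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Lamport one-time signatures: a public-key signature scheme built from a hash function
# alone. It stands in for RSA/ECDSA here; note each Lamport private key may sign ONE message.
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a).hex(), H(b).hex()) for a, b in sk]
    return sk, pk

def sign(sk, message: bytes):
    bits = int.from_bytes(H(message), "big")
    return [sk[i][(bits >> (255 - i)) & 1].hex() for i in range(256)]

def verify(pk, message: bytes, signature) -> bool:
    bits = int.from_bytes(H(message), "big")
    return len(signature) == 256 and all(
        H(bytes.fromhex(signature[i])).hex() == pk[i][(bits >> (255 - i)) & 1]
        for i in range(256))

def tbs_bytes(cert) -> bytes:
    """Canonical 'to-be-signed' encoding of every field except the signature
    (JSON stands in for ASN.1/DER)."""
    return json.dumps({k: v for k, v in cert.items() if k != "signature"},
                      sort_keys=True).encode()

def issue(issuer_name, issuer_sk, subject, subject_pk, not_after, serial):
    """The CA binds a subject name to a public key by signing the certificate body."""
    cert = {"serial": serial, "subject": subject, "issuer": issuer_name,
            "public_key": subject_pk, "not_after": not_after}
    cert["signature"] = sign(issuer_sk, tbs_bytes(cert))
    return cert

def validate_chain(chain, trust_anchor, crl, now):
    """chain = [leaf, intermediate, ...]; the trust anchor is trusted by configuration,
    not by any signature. For each link check expiry, revocation (serial on the CRL),
    issuer-name linkage and the issuer's signature. Returns (ok, reason)."""
    issuers = chain[1:] + [trust_anchor]
    for cert, issuer in zip(chain, issuers):
        if now > cert["not_after"]:
            return False, f"{cert['subject']}: expired"
        if cert["serial"] in crl:
            return False, f"{cert['subject']}: revoked"
        if cert["issuer"] != issuer["subject"]:
            return False, f"{cert['subject']}: issuer mismatch"
        if not verify(issuer["public_key"], tbs_bytes(cert), cert["signature"]):
            return False, f"{cert['subject']}: bad signature"
    return True, "ok"

# Constructed hierarchy (hypothetical names): root -> issuing CA -> server certificate.
NOW = 1_700_000_000          # fixed 'current time' so the example is deterministic
YEAR = 365 * 86400
root_sk, root_pk = keygen()
ROOT = {"serial": 1, "subject": "Example Root CA", "issuer": "Example Root CA",
        "public_key": root_pk, "not_after": NOW + 10 * YEAR}
inter_sk, inter_pk = keygen()
INTER = issue("Example Root CA", root_sk, "Example Issuing CA", inter_pk, NOW + 5 * YEAR, 2)
server_sk, server_pk = keygen()
SERVER = issue("Example Issuing CA", inter_sk, "www.example.test", server_pk, NOW + YEAR, 3)

# An attacker who controls no CA key can only sign with their own key, so the certificate's
# issuer-name claim is not backed by a signature the issuing CA's public key verifies.
attacker_sk, attacker_pk = keygen()
FORGED = issue("Example Issuing CA", attacker_sk, "www.example.test", attacker_pk, NOW + YEAR, 99)

# The server proves possession of its private key by signing a nonce from the client
# (the authentication step of a TLS handshake, simplified).
NONCE = secrets.token_bytes(32)
PROOF = sign(server_sk, NONCE)

if __name__ == "__main__":
    print(validate_chain([SERVER, INTER], ROOT, crl=set(), now=NOW))   # (True, 'ok')
    print(validate_chain([FORGED, INTER], ROOT, crl=set(), now=NOW))   # bad signature
    print(validate_chain([SERVER, INTER], ROOT, crl={3}, now=NOW))     # revoked
    print(verify(SERVER["public_key"], NONCE, PROOF))                  # True
```

The order of the checks matters less than their completeness: a real validator additionally matches the certificate's name against the host being contacted, honours key-usage and path-length constraints, and may consult OCSP instead of a CRL, but every one of those is a check on the chain, never a reason to skip the signature verification.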
Wireless network security systems
 Wireless network security is the process of designing, implementing and ensuring
security on a wireless computer network.
 It is a subset of network security that adds protection for a wireless computer network.
The different ways you can secure a wireless network:
Encrypt Your Wireless Network
This is the first and one of the most important steps towards securing a wireless network.
Encrypting the wireless network means not leaving it open for anyone to join: enable WPA2 or
WPA3 with a strong passphrase (WEP and WPA with TKIP are broken and should not be used),
so that traffic is encrypted and only clients that know the key can connect.
Change Router's Default Settings
Every router comes with a number of important default settings, above all the administrator
password and the SSID. Since the manufacturer sets them, they are known to everyone and appear
in attackers' default-credential lists. Keeping these settings makes the set-up process easy but
leaves the router open to a breach. If you are serious about securing the wireless network,
change the default administrator password first, and the other defaults after it.
Disable Remote Access
Usually, routers allow you to access their settings interface only from a device on the local
network. However, some of them allow administration from the Internet (WAN) side as well;
unless you need it, disable it, because it exposes the login page to anyone on the Internet.
Keep The Router's Firmware Up To Date
Updating the router's firmware is a good move towards a secure wireless network.
Firmware updates usually carry fixes for known bugs and security vulnerabilities. Router
firmware, like every other piece of software, contains flaws that cyber criminals can exploit.
Most routers do not update automatically, so you have to check for and apply firmware updates
manually.
Enable Router Firewall
Many routers come with a firewall that can be enabled from the router's settings. If it is
available, enable it, as it adds an additional layer of security.
Wireless networking is convenient and hard to imagine living without; we use the internet all
day, and being tethered to a cable while doing so is unthinkable. With all its qualities, it also has a
dark side. We should take all the possible measures to secure a wireless network, because leaving
it unprotected has consequences.
These steps help to secure a wireless network, but there are other measures one can take to
protect wireless networks as well.


Module 2
Data Recovery: Data recovery defined. Data backup and Recovery, the role of Backup in Data
Recovery, The Data- Recovery Solution, Hiding and Recovering Hidden Data. Evidence
Collection: Why Collect evidence. Collection options, Types of Evidence, Rules of evidence,
General procedure. Collection and Archiving, Methods of collection, Artifacts, Collection steps.
Controlling contamination, Reconstructing the attack
Data recovery defined
Data recovery is the process in which trained engineers evaluate and extract data from damaged,
failed or inaccessible media and return it in an intact, usable format.
What happens when you delete a file?
When you delete a file, it is not really erased.
The file's content continues to exist on your hard drive, even after you empty the Recycle Bin.
This is what allows deleted files to be recovered.
Every file is made from many bits of information.
 When you delete a file, the bits that form it are not physically erased; they continue to hold
the information that makes up the file.
 Instead of physically erasing files, which can take a significant amount of time, especially
for large files, the operating system only marks the space the deleted files occupied as free.
In many operating systems, the file is first moved to a temporary holding area (the Recycle Bin)
from which it can be restored, or emptied so that its disk space can be reclaimed. When the
Recycle Bin is emptied, in most cases only the pointer record (the directory entry and the
allocation-table entries) that says where the file's data lives on the physical disk is removed. The
content of the file is still physically there until new data is written over it.
Slack space
Slack is the leftover storage in the last cluster of a file when the file does not need all the space
the operating system allocated to it. Because the file system does not wipe a cluster before
reusing it, slack space can still hold fragments of whatever file previously occupied that cluster,
which makes it a standard target for forensic examination.
Uses of data recovery

■ Average User:

■ Recover important lost files


■ Keep your private information private

■ Law enforcement:

■ Locate illegal data

■ Restore deleted/overwritten information.

■ Prosecute criminals based on discovered data

Why some deleted files cannot be recovered, even with an excellent file recovery tool?
 Recovering lost files is not always possible.
 If the operating system overwrites the space that a deleted file was occupying, the original
file can no longer be restored.
 That is because the content of that original file is just not there anymore.
 New information was stored over its content, so the old information was destroyed.
 On SSDs the same effect occurs without any new write: the TRIM command lets the drive
erase freed blocks in the background, so deleted data often vanishes within minutes.
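The deletion, recovery and overwrite behaviour described in this section, as an added example that is not part of the course notes: a toy block device whose directory entry is removed on delete while the blocks are left untouched, a signature carver that ignores the directory and finds the file by its header and footer, and a second write over the freed blocks that destroys the header but leaves the old tail readable in the new file's slack space. The "DOC1 ... END!" file format, block size and file contents are all constructed for the example.

```python
BLOCK = 64   # bytes per block (real file systems use 512-byte sectors / 4 KiB clusters)

class ToyDisk:
    """A tiny block device with a directory (name -> blocks, size) and a free list.
    Deleting a file only removes the directory entry and frees the blocks; the bytes
    stay in place until another file is written over them."""

    def __init__(self, nblocks):
        self.raw = bytearray(BLOCK * nblocks)
        self.free = list(range(nblocks))
        self.directory = {}

    def write(self, name, data: bytes):
        needed = -(-len(data) // BLOCK)                  # ceiling division
        blocks, self.free = self.free[:needed], self.free[needed:]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            # Only len(chunk) bytes are written: a short final chunk leaves the rest
            # of the block untouched, and that remainder is the slack space.
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.directory[name] = (blocks, len(data))

    def read(self, name) -> bytes:
        blocks, size = self.directory[name]
        return b"".join(self.raw[b * BLOCK:(b + 1) * BLOCK] for b in blocks)[:size]

    def delete(self, name):
        blocks, _ = self.directory.pop(name)             # drop the pointer...
        self.free = blocks + self.free                   # ...and mark the blocks free.
        # Deliberately no wiping of self.raw: this is what makes recovery possible.

    def slack(self, name) -> bytes:
        """Bytes in the file's last block beyond its logical end."""
        blocks, size = self.directory[name]
        used = size % BLOCK
        if used == 0:
            return b""
        last = blocks[-1]
        return bytes(self.raw[last * BLOCK + used:(last + 1) * BLOCK])

def carve(raw, header=b"DOC1", footer=b"END!"):
    """Signature carving: ignore the directory entirely and scan the raw bytes for a
    known header/footer pair, the way recovery tools find deleted files. Assumes the
    file was stored contiguously (fragmentation defeats this simple version)."""
    found, pos = [], 0
    while (start := raw.find(header, pos)) >= 0:
        end = raw.find(footer, start)
        if end < 0:
            break
        found.append(bytes(raw[start:end + len(footer)]))
        pos = end + len(footer)
    return found

# Constructed sample files in a made-up "DOC1 ... END!" format.
SECRET = (b"DOC1"
          + b"payroll: alice 9000, bob 8500, carol 9100, dave 7800, erin 8800, frank 9400"
          + b"END!")
NOTES = b"meeting at 10 " * 5

def scenario():
    disk = ToyDisk(8)
    disk.write("secret.doc", SECRET)
    assert disk.read("secret.doc") == SECRET
    disk.delete("secret.doc")
    recovered = carve(disk.raw)               # directory entry gone, content still there
    disk.write("notes.txt", NOTES)            # reuses the freed blocks...
    after_overwrite = carve(disk.raw)         # ...so the header is destroyed...
    tail_in_slack = disk.slack("notes.txt")   # ...but the old tail survives as slack
    return recovered, after_overwrite, tail_in_slack

if __name__ == "__main__":
    recovered, after_overwrite, tail = scenario()
    print(recovered == [SECRET], after_overwrite, tail.rstrip(b"\x00"))
```

The same three facts drive practice: recovery must happen before the freed space is reused, carving works without any file-system metadata (so it also works on a formatted volume), and the slack of an innocent-looking file can contain the end of something that was deleted.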

Data backup and recovery, the role of Backup in Data Recovery


Backup and recovery
 Backup and recovery describes the process of creating and storing copies of data that can
be used to protect organizations against data loss. This is sometimes referred to
as operational recovery.
 Recovery from a backup typically involves restoring the data to the original location, or
to an alternate location where it can be used in place of the lost or damaged data.
Why Backup and Recovery is important

The purpose of the backup is to create a copy of data that can be recovered in the event of a
primary data failure. Primary data failures can be the result of hardware or software failure, data
corruption, or a human-caused event, such as a malicious attack (virus or malware), or accidental
deletion of data. Backup copies allow data to be restored from an earlier point in time to
help the business recover from an unplanned event

Types of Backups
 Full backups
A full backup is the most complete type of backup, in which all the selected data is copied. This
includes files, folders, SaaS application data, whole disks and more. The highlight of a full
backup is the minimal time it requires to restore data, because everything is in one place.
However, since everything is copied in one go, it takes longer to make and needs more storage
than the other types of backup.
 Incremental backups
The first backup in an incremental scheme is a full backup. Each succeeding backup stores only
the changes made since the previous backup (full or incremental). Because only the increments
are stored, the backups are fast and small and can be run as often as wanted. The cost is paid at
restore time: restoring requires the full backup plus every incremental since it, applied in order,
and if any one of them is missing or corrupt the restore stops there.
 Differential Backup
A differential backup straddles the line between a full and an incremental backup. Each
differential backs up the data that was created or changed since the last full backup, not since
the last differential. To put it simply, a full backup is done initially, and each subsequent
differential contains all the changes accumulated since it. It lets you restore data faster than an
incremental scheme, since a restore needs only two components: the initial full backup and the
latest differential backup. The price is that each differential grows until the next full backup.
Let's see how a differential backup works:
Day 1 – Schedule a full backup.
Day 2 – Schedule a differential backup. It will cover all the changes that took place between Day
1 and Day 2.
Day 3 – Schedule a differential backup. It will again copy everything that has changed since the
Day 1 full backup, so it includes the Day 2 changes as well as those made on Day 3.
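The three schemes run over the same data, as an added example that is not part of the course notes: four constructed daily snapshots of a small file set, from which the code derives the full, incremental and differential backup sets, restores the latest day both ways, and counts how many sets each restore needs and how many file copies each scheme has accumulated. File names and versions are made up; deletions are deliberately left out to keep the model small.

```python
# Constructed daily snapshots of a small file set: {filename: version}. A changed
# version number stands for a modified file; a new key is a newly created file.
DAYS = [
    {"a.doc": 1, "b.doc": 1, "c.doc": 1},                # Day 1
    {"a.doc": 2, "b.doc": 1, "c.doc": 1},                # Day 2: a modified
    {"a.doc": 2, "b.doc": 2, "c.doc": 1, "d.doc": 1},    # Day 3: b modified, d created
    {"a.doc": 3, "b.doc": 2, "c.doc": 1, "d.doc": 1},    # Day 4: a modified again
]

def changed_since(state, reference):
    """Files created or modified relative to `reference`. (Deletions are ignored here;
    real backup software records them in its catalogue.)"""
    return {f: v for f, v in state.items() if reference.get(f) != v}

def plan(snapshots):
    """Day 1 is a full backup; every later day is taken as BOTH an incremental (changes
    since the previous day) and a differential (changes since the full), so the two
    schemes can be compared on identical data."""
    full = dict(snapshots[0])
    incrementals = [changed_since(snapshots[i], snapshots[i - 1]) for i in range(1, len(snapshots))]
    differentials = [changed_since(snapshots[i], full) for i in range(1, len(snapshots))]
    return {"full": full, "incremental": incrementals, "differential": differentials}

def restore_incremental(full, incrementals):
    """Full + every incremental, in order; a missing or corrupt link breaks the chain."""
    state = dict(full)
    for inc in incrementals:
        state.update(inc)
    return state

def restore_differential(full, latest_differential):
    """Full + the single latest differential: two components, whatever the day."""
    state = dict(full)
    state.update(latest_differential)
    return state

def components_needed(day_index):
    """How many backup sets each scheme must read to restore day `day_index` (0-based)."""
    return {"incremental": 1 + day_index, "differential": 1 if day_index == 0 else 2}

def copies_stored(p):
    """Storage cost, as the number of file copies held beyond the full backup."""
    return {"incremental": sum(len(i) for i in p["incremental"]),
            "differential": sum(len(d) for d in p["differential"])}

if __name__ == "__main__":
    p = plan(DAYS)
    print("incrementals: ", p["incremental"])
    print("differentials:", p["differential"])
    print(restore_incremental(p["full"], p["incremental"]) == DAYS[-1],
          restore_differential(p["full"], p["differential"][-1]) == DAYS[-1])
    print(components_needed(3), copies_stored(p))
```

On this data the incremental chain holds 4 file copies but needs 4 sets to restore Day 4, while the differentials hold 7 copies and need 2 sets: the trade-off the text describes, made countable.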


The role of Backup in Data Recovery

Many factors affect backup:
 Storage costs are decreasing.
 Systems must be online continuously.
The Role of Backup Has Changed
It is no longer just about restoring data. Operationally ready or mirrored data does not guard
against data corruption and user error, because a mirror replicates the corruption or the deletion
faithfully. The role of backup now includes the responsibility for recovering from user errors and
ensuring that good data has been saved and can quickly be restored.
The Data- Recovery Solution, Hiding and Recovering Hidden Data.
The best data recovery software and services makes it simple and easy to recover deleted
files and folders on your computer, mobile device, or storage media. Ask anyone who has
experienced data loss whether it’s a fun experience, and they’ll tell you that data loss, whether
due to hardware or software failure, accidental deletion, or cybercrime, is a stressful experience
What is Data Loss?
The inability to access any data from a previously functioning computer system or backup. The
accidental deletion of files or the overwriting of data control structures. Corrupted or inaccessible
files due to abnormal device operation or damage
Reasons for data loss
 Human causes of data loss include intentional or accidental deletion or overwriting of
files.
 Virus damage, operating system or application software bugs or failed upgrades may also
cause data loss.
 Common physical causes of data loss include power loss or power surge, overheating,
electrostatic ("static") discharge and any kind of physical damage to the storage device or
medium.
General Data-Loss Prevention Tips
 Document your systems and archive original copies of your software in a safe place.
 Back up your files on a regular basis, then test and verify that your backup is a complete
copy of the original. External drives are an excellent choice for this task, provided they are
disconnected when not in use, so that ransomware or a fault on the main system cannot reach them.
 Never upgrade software or hardware without a complete, verified backup available in
case you need to restore data.


Write a contingency plan


Write a contingency plan and practice restoring your data in case of problems. Your contingency
plan should require, as a minimum:
 Locating all available backups, including dates and types of backup
 Listing and locating all original software packages, detailing updates since the original
installation
 Locating and making ready an alternate computer.
Data recovery software
Stellar Data Recovery
Stellar Data Recovery is one of the most popular data recovery services for businesses and for
good reason. The platform comes with several scan options, meaning you can tailor the scan for
the type of data loss that has occurred. This saves time if you’ve deleted an important file and
realized straight away, meaning there’s no need for a full system scan.
EaseUS Data Recovery Wizard
EaseUS is not overstating the "Wizard" part of this software's title: it is straightforward to use,
taking you step by step through the recovery process. Run EaseUS Data Recovery Wizard Pro
soon enough after the loss, before the freed space is reused, and it can recover a great deal, from
inadvertently deleted partitions to virus-damaged files.
Evidence Collection: Why Collect evidence, Collection options, Types of Evidence
Evidence Collection
In the pursuit of a criminal case, evidence is the foundation upon which both sides build their
respective arguments. During the investigation into a crime, great care must be taken to collect,
preserve, and record evidence that could be critical in establishing the facts surrounding a
criminal case
Evidence Preservation
Preservation of evidence is important because it can impact the entire course of a criminal case,
and its influence can extend well beyond the initial resolution through the appeals process. In the
United States the government has a duty to properly collect and preserve evidence in a criminal
case to fulfil the obligations spelled out in the Sixth and Fourteenth Amendments to the
Constitution; other jurisdictions impose comparable duties under their own law.
Why Collect evidence
Electronic evidence can be very expensive to collect: the processes are strict and exhaustive, the
systems affected may be unavailable for regular use for a long period of time, and the data
collected must then be analysed. It is collected anyway because, without it, neither side of a case
can establish the facts; the following sections set out why its preservation is critical.


Reasons that evidence preservation is critical in a criminal case.


Establishes Prosecution Arguments
 Because the state and authorities in charge of investigating criminal cases will use the
evidence collected during the investigation to establish key facts about the case, it’s
critical that the evidence is collected correctly and in accordance with recognized
standards.
 If the evidence wasn’t correctly collected and preserved, then its credibility is
significantly damaged, and it may even be rendered inadmissible.
 A good defense attorney will question not only the credibility of the evidence, but the
integrity of its collection and preservation.
 Failure to preserve evidence properly can lead to a mistrial or the abandonment of charges
against the accused, since evidence is the basis of the prosecution's case.
Establishes Defense Arguments
The evidence is equally important to the defendant's case in a criminal trial. First, a defense
attorney can examine the evidence assembled against the defendant and attack its credibility if it
was not properly collected and preserved.
Also, because the defendant may have exculpatory evidence to submit, for example to establish an
alibi, it is important that such evidence is preserved to protect its integrity as well.
Protects Due Process for Accused


 Even if a criminal case has reached its initial resolution, the defendant has the right to an
appeals process that could stretch on for a considerable time.
 Therefore, any evidence that could reasonably be important to the appeals process must
also be preserved to ensure that it’s available for use in future legal proceedings to reach
a just final disposition.
 Preservation of evidence is a key component in the due process rights of the accused and
is, therefore, an integral component in the pursuit of justice in the legal system.
Collection options
Once a compromise has been detected, you have two options:
1. Pull the system off the network and begin collecting evidence, or
2. Leave it online and attempt to monitor the intruder.
Each option carries risks:
 If you monitor, you may accidentally alert the intruder and cause him to wipe his tracks by
any means necessary, destroying evidence as he goes.
 You also leave yourself open to possible liability if the attacker launches further attacks at
other systems from your network.
 If you disconnect the system from the network, you may find that you have insufficient
evidence or, worse, that the attacker left a dead man's switch that destroys evidence once the
system detects that it is offline. Pulling the plug also discards volatile evidence such as memory
contents and active network connections, which is why live acquisition is considered first in the
collection procedure later in this module. What you choose to do should be based on the situation.
Types of Evidence
Real Evidence
Real evidence is any evidence that speaks for itself without relying on anything else. In
electronic terms, this can be a log produced by an audit function—provided that the log can be
shown to be free from contamination
Testimonial Evidence
Testimonial evidence is any evidence supplied by a witness. This type of evidence is
subject to the perceived reliability of the witness, but as long as the witness can be considered
reliable, testimonial evidence can be almost as powerful as real evidence. Word processor
documents written by a witness may be considered testimonial—as long as the author is willing
to state that he wrote it.
Hearsay


Hearsay is any evidence presented by a person who was not a direct witness. Word processor
documents written by someone without direct knowledge of the incident are hearsay. Hearsay is
generally inadmissible in court and should be avoided
Rules of evidence, general procedure
Golden rule of electronic evidence

■ Original media should never be altered or modified in any way.

There are five rules of collecting electronic evidence. These relate to five properties that
evidence must have to be useful
1. Admissible
2. Authentic
3. Complete
4. Reliable
5. Believable
Admissible
This is the most basic rule and a measure of evidence validity and importance. The evidence
must be preserved and gathered in such a way that it can be used in court or elsewhere.
Many errors can be made that could cause a judge to rule a piece of evidence as inadmissible.
For example, evidence that is gathered using illegal methods is commonly ruled inadmissible.
Authentic
 The evidence must be tied to the incident in a relevant way to prove something.
 The forensic examiner must be accountable for the origin of the evidence.
Complete
When evidence is presented, it must be clear and complete and should reflect the whole story. It
is not enough to collect evidence that just shows one perspective of the incident.
Presenting incomplete evidence is more dangerous than not providing any evidence at all as it
could lead to a different judgment.

Reliable
 Evidence collected from the device must be reliable.


 This depends on the tools and methodology used. The techniques used and evidence
collected must not cast doubt on the authenticity of the evidence.
 If the examiner used techniques that cannot be reproduced, the evidence is not considered
reliable unless the examiner was directed to use them. This covers potentially destructive
methods such as chip-off extraction, which can be performed only once.
Believable
A forensic examiner must be able to explain, with clarity and conciseness, what processes they
used and the way the integrity of the evidence was preserved.
The evidence presented by the examiner must be clear, easy to understand, and believable by
jury.
General Procedure
When collecting and analyzing evidence, there is a general four-step procedure you should
follow. Note that this is a very general outline. You should customize the details to suit your
situation
Identification of Evidence
You must be able to distinguish between evidence and junk data. For this purpose, you should
know what the data is, where it is located, and how it is stored. Once this is done, you will be
able to work out the best way to retrieve and store any evidence you find.
Preservation of Evidence
The evidence you find must be preserved as close as possible to its original state. Any changes
made during this phase must be documented and justified.
Analysis of Evidence
The stored evidence must then be analyzed to extract the relevant information and recreate the
chain of events. Analysis requires in-depth knowledge of what you are looking for and how to
get it. Always be sure that the person or people who are analyzing the evidence are fully
qualified to do so
Presentation of Evidence
Communicating the meaning of your evidence is vitally important—otherwise you can’t do
anything with it. The manner of presentation is important, and it must be understandable by a
layman to be effective. It should remain technically correct and credible. A good presenter can
help in this respect.

Collection and Archiving


Once you’ve developed a plan of attack and identified the evidence that needs to be collected,
it’s time to start the actual process of capturing the data. Storage of that data is also important, as
it can affect how the data is perceived
A. Switched-off systems
a. Secure the scene of crime and disable all modems, network connections etc. Unplug the
power and all other devices from the sockets. Never switch on the computer, under any
circumstances. Allow printers to finish any pending print job first.
b. Confirm that the computer is switched off. As the screen may mislead, check the hard drive
and monitor activity lights. Some laptops switch on merely by opening the lid, so remove the
battery if required.
c. Label and photograph (or video) all the components in situ. Label the cables and the ports they
plug into so that, if required, the system could be reconstructed later.
d. Open the casing of the desktop or laptop carefully and detach the hard disk from the
motherboard by disconnecting the data cable and the power cable.
e. Take out the hard disk carefully and record its unique identifiers (make, model, serial
number etc.). Have the accused and the witnesses sign the hard disk with date and time using a
permanent marker. All other items/documents should also be signed and given exhibit labels.
f. Ask the user for the passwords, the operating system and application packages running on the
suspect system, details of the other users, and any off-site data storage.
g. After the hard disk is removed, switch on the system and enter the BIOS. Note down the date
and time shown there (any offset from real time is needed to interpret timestamps later). Prepare
detailed notes of "when, where, what, why & who" and of all actions taken in connection with the
computer system.
h. The suspect hard drive should be connected to the investigator's computer only through a
write-blocking device, for forensic preview and imaging; the image, not the original, is analysed.
B. Switched-on systems -
a. Secure the scene of crime and disconnect the modem and all other connection cables, if attached. Label and photograph (or video) all the components in situ.
b. Carefully remove all the attached equipment and record their unique identifiers separately. All items should have signed exhibit labels attached.
c. Ask the user for the passwords, the operating system and application packages running on the suspect system, details of the other users, and any off-site data storage.
d. Photograph the live screen and also prepare a written note of its contents. Do not touch the keyboard or click the mouse.
e. If a screen saver is active or the screen is blank, the E.O. shall decide, according to the circumstances of the case, whether to restore and inspect the screen. If required, the screen can be restored with a gentle movement of the mouse; then follow procedure (d) above. Record every mouse action with its time.
f. If available, use live forensics tools to extract the contents of RAM. Otherwise, remove the power cable (at the end attached to the computer) without closing any program, then follow (A) above.
C. Cell phone systems -
a. If the device is switched off, do not turn it on. If the device is live or switched on, leave it on. Photograph the device and its screen display. Label and collect all the cables and additional storage media available, and transport them with the device.
b. Keep the device charged; if that is not possible, the forensic analysis must be completed before the battery discharges, or data may be lost. Record every activity with a photograph (if possible) and the time.
Faraday bags:
Mobile handsets often become PIN locked and keep communicating with the network, which may alter the evidence; for example, a remote wipe or lock command can reach the handset. Faraday bags are envelopes made of flexible metallic fabric or conductive mesh that block external electromagnetic fields. Whenever an external field or radio-frequency signal reaches the mesh, it induces equal and opposite electrical charges distributed over the surface, which cancel the field inside the envelope.
They are therefore used for electromagnetic shielding. Mobile handsets and other sensitive radio equipment should be secured in Faraday bags. This helps avoid PIN locking and prevents the network from communicating with the device, while the examiner can still view the device in the shielded condition through the window in the bag. Note that a shielded handset searches continuously for a signal and drains its battery faster than usual, so either power it through a bag that admits a charging cable or complete the acquisition promptly.
LOG FILES IN CYBER FORENSICS
The most important element of cyber forensics is the authenticity of the evidence presented in a court of law. Just as an aircraft's black box records every event that occurs on board, logs record every event that occurs within a system, within the applications interacting with it, and in the network's interaction with it. Log files are composed of log data describing the events that occurred in the system or network; a record is created for each event. The fields of a log record are the attributes of the event that are needed to understand the state of the system at the time the record was written.
With the spread of information technology across the world, forgery, threats and security bypasses have greatly increased. The resulting emphasis on computer security has made log management and log integrity a necessity. Log management must ensure that log data is stored securely, with complete details, for an appropriate period. It therefore covers creating, transmitting, storing, analysing and disposing of log data in a secure environment, so that no tampering with log data occurs. The key properties to ensure are confidentiality, integrity, completeness and availability of logs.
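The integrity property above can be enforced mechanically by chaining log records with a cryptographic hash. The following Python script is an added example, not part of the course notes or of any particular logging product: each record stores the hash of the previous record and a hash over its own canonical content, so a record that is rewritten or removed from the middle breaks the chain at that point. The three sample events are constructed for the example; the GENESIS value is an assumption of this example.

```python
"""Tamper-evident log storage: every record carries a SHA-256 over the
previous record's hash plus its own canonical content, so a record that is
edited, removed from the middle or reordered breaks the chain at that point."""
import hashlib
import json

GENESIS = "0" * 64   # hash value used before the first record (assumption of this example)


def record_hash(prev_hash: str, entry: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the same entry always
    # produces the same bytes regardless of how it was serialised upstream.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append(chain: list, entry: dict) -> dict:
    """Append an event and return the stored record (entry, prev, hash)."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"entry": entry, "prev": prev, "hash": record_hash(prev, entry)}
    chain.append(record)
    return record


def verify(chain: list) -> tuple:
    """Return (True, len(chain)) if every link checks out, otherwise
    (False, index) where index is the first record that fails."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != record_hash(prev, rec["entry"]):
            return False, i
        prev = rec["hash"]
    return True, len(chain)


# Constructed sample events (not real log data)
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T10:00:01Z", "host": "ws01", "msg": "session opened for user alice"},
    {"ts": "2024-03-01T10:02:17Z", "host": "ws01", "msg": "sudo: alice : COMMAND=/bin/cat /etc/shadow"},
    {"ts": "2024-03-01T10:02:40Z", "host": "ws01", "msg": "session closed for user alice"},
]


def build_sample_chain() -> list:
    chain = []
    for event in SAMPLE_EVENTS:
        append(chain, event)
    return chain


def demo() -> dict:
    """Verify the intact chain, then a copy in which the sudo record was
    rewritten, then a copy with the last record silently dropped."""
    chain = build_sample_chain()
    modified = json.loads(json.dumps(chain))             # deep copy
    modified[1]["entry"]["msg"] = "sudo: alice : COMMAND=/bin/ls"
    return {
        "intact": verify(chain),
        "modified": verify(modified),
        "truncated": verify(chain[:-1]),
    }


if __name__ == "__main__":
    print(json.dumps(demo()))
```

Two limits are visible in the demo output: dropping the newest record still verifies, and an attacker with write access to the whole file can simply recompute every hash. The chain therefore only proves integrity relative to a head hash and record count that were recorded somewhere the host cannot alter, such as a remote log server, a signed receipt or write-once storage, and those anchors should be taken at regular intervals.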
Methods of collection, Artifacts, Collection steps
Methods of collection
There are two basic forms of collection:
Freezing the scene and honeypotting.
The two aren’t mutually exclusive. You can collect frozen information after or during any
honeypotting.
Freezing the scene involves taking a snapshot of the system in its compromised state. The
necessary authorities should be notified (the police and your incident response and legal teams),
but you shouldn’t go out and tell the world just yet
You should then start to collect whatever data is important onto removable nonvolatile media in
a standard format. Make sure the programs and utilities used to collect the data are also collected
onto the same media as the data. All data collected should have a cryptographic message digest
created, and those digests should be compared to the originals for verification.
Honeypotting
Honeypotting is the process of creating a replica system and luring the attacker into it for further
monitoring. A related method (sandboxing) involves limiting what the attacker can do while still
on the compromised system, so he can be monitored without (much) further damage. The
placement of misleading information and the attacker’s response to it is a good method for
determining the attacker’s motives
You must make sure that any data on the system related to the attacker’s detection and actions is
either removed or encrypted; otherwise, they can cover their tracks by destroying it.
Honeypotting and sandboxing are extremely resource intensive, so they may be infeasible to
perform. There are also some legal issues to contend with, most importantly entrapment. As
previously mentioned, you should consult your lawyers
ARTIFACTS
Whenever a system is compromised, there is almost always something left behind by the attacker, be it code fragments, trojaned programs, running processes, or sniffer log files. These are known as artifacts. They are one of the important things you should collect, but you must be careful. You should never attempt to analyze an artifact on the compromised system. Artifacts are capable of anything, and you want to make sure their effects are controlled. Artifacts may be difficult to find; trojaned programs may be identical in all obvious ways to the originals (file size, modified/accessed/created [MAC] times, etc.). Use of cryptographic checksums may be necessary, so you may need to know the original file's checksum. If you are performing regular file integrity assessments, this shouldn't be a problem. Analysis of artifacts can be useful in finding other systems the attacker (or his tools) has broken into.
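As an added example (not from the course notes), the following Python script builds the kind of file-integrity baseline the paragraph above recommends and shows why size and MAC times are not enough: a stand-in binary is replaced by an equal-length trojan whose modification time is put back, and only the hash comparison notices. The scenario, directory layout, file contents and paths are constructed for the example.

```python
"""File-integrity baseline and comparison. A later scan is compared with the
baseline on size, mtime and SHA-256; a trojaned binary whose length matches
the original and whose timestamps were put back is still caught by the hash."""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map relative path -> (size, mtime_ns, sha256) for every regular file under root."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            result[os.path.relpath(full, root)] = (st.st_size, st.st_mtime_ns, sha256_file(full))
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences. 'content_only' is the interesting bucket: size and
    mtime unchanged but the bytes differ, i.e. metadata alone would have missed it."""
    report = {"added": [], "removed": [], "changed": [], "content_only": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        else:
            b_size, b_mtime, b_hash = baseline[path]
            c_size, c_mtime, c_hash = current[path]
            if b_hash != c_hash:
                bucket = "content_only" if (b_size, b_mtime) == (c_size, c_mtime) else "changed"
                report[bucket].append(path)
    return report


def demo() -> dict:
    """Constructed scenario in a temporary directory: a stand-in 'bin/ls' is
    replaced by an equal-length trojan with its mtime restored, and a sniffer
    log appears. Paths and contents are invented for the example."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        ls_path = os.path.join(root, "bin", "ls")
        template = b"#!/bin/sh\nexec %s \"$@\"\n"
        original = template % b"/usr/bin/real-ls"
        with open(ls_path, "wb") as f:
            f.write(original)
        baseline = snapshot(root)

        # Attacker: same length, different target, timestamps put back.
        before = os.stat(ls_path)
        trojan = template % b"/tmp/.hidden/.ls"      # 16 chars, like /usr/bin/real-ls
        assert len(trojan) == len(original)
        with open(ls_path, "wb") as f:
            f.write(trojan)
        os.utime(ls_path, ns=(before.st_atime_ns, before.st_mtime_ns))
        with open(os.path.join(root, "sniffer.log"), "wb") as f:
            f.write(b"constructed capture data\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The baseline itself must be kept off the monitored host (or signed), otherwise the attacker simply updates it. Recording st_ctime_ns alongside the other fields is a useful extra signal, since ctime cannot be set from user space on Linux and therefore reveals the rewrite even though mtime was restored.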
COLLECTION STEPS
You now have enough information to build a step-by-step guide for the collection of the
evidence. Once again, this is only a guide. You should customize it to your specific situation.
You should perform the following collection
1. Find the evidence.
2. Find the relevant data
3. Create an order of volatility.
4. Remove external avenues of change.
5. Collect the evidence.
6. Document everything.
Find the Evidence
Determine where the evidence you are looking for is stored. Use a checklist. Not only does it
help you to collect evidence, but it also can be used to double-check that everything you are
looking for is there.
Find the Relevant Data
Once you’ve found the evidence, you must figure out what part of it is relevant to the case. In
general, you should err on the side of over-collection, but you must remember that you must
work fast. Don’t spend hours collecting information that is obviously useless.
Create an Order of Volatility
Now that you know exactly what to gather, work out the best order in which to gather it. The
order of volatility for your system is a good guide and ensures that you minimize loss of
uncorrupted evidence
Remove External Avenues of Change
It is essential that you avoid alterations to the original data, and prevention is always better than a
cure. Preventing anyone from tampering with the evidence helps you create as exact an image as
possible. However, you have to be careful. The attacker may have been smart and left a dead-
man switch. In the end, you should try to do as much as possible to prevent changes.
Collect the Evidence
You can now start to collect the evidence using the appropriate tools for the job. As you go,
reevaluate the evidence you’ve already collected. You may find that you missed something
important. Now is the time to make sure you get it

Document Everything
Your collection procedures may be questioned later, so it is important that you document
everything you do. Timestamps, digital signatures, and signed statements are all important. Don't leave anything out.

Controlling contamination, Reconstructing the attack


Precautions to be taken while collecting digital evidence:
 Collection of digital evidence requires special precautions because:
(a) even the slightest mishandling may destroy or corrupt the evidence;
(b) it may not be admissible in a court of law if proper documentation is not done;
(c) labelling and preserving digital evidence may require special skills.
Precautions -I
 If the systems are "off", they should not be turned "on". If the systems are "on", they should be left "on" and photographed. The time zone and system time displayed should be photographed. Perishable (volatile) evidence should be identified.
 The Evaluation Officer (E.O.) should make a note of the attached network cables, power lines, all network connections, modems and telephone lines, and mark them at both ends (the equipment end and the source end at the wall) and preserve them.
Precautions -II
 The search team shall physically inspect all the storage media, take photographs and record observations. Copies should be stored encrypted, in multiple copies at different locations, and guarded against mechanical and electronic hazards.
 The E.O. shall establish a baseline of contents for authentication and proof of integrity by calculating a hash value for each item.
 The E.O. shall ensure that a technical person from the suspect's side, along with two independent local witnesses, remains present to identify the equipment correctly, guide, and sign the search and seizure proceedings.
Precautions -III
 He shall ensure that the provisions of Sec. 165 Cr.PC and Sec. 80 IT Act are strictly followed.
 A serial number should be allotted to each device. The same should be noted in the documentation as well as in the 'Chain of Custody' and 'Digital Evidence Collection' forms.
Precautions -IV
 Digital Evidence Form: proper documentation of the processes used (kind of software, version, time, the media onto which the evidence is being copied, etc.) should be done for every device separately.
 The E.O. shall image the evidence forensically, acquire its hash value and record the process; the tool, the time and the hashing algorithm should be mentioned in the report prepared. The report generated by the forensic tool shall form an enclosure to the DEC (Digital Evidence Collection) form.
 The hard disk or any other internal part, once removed from the system, should be photographed along with the system. The serial number, case number and sections of law involved should also be marked on it to the extent possible.
Precautions -V
Chain of custody should be prepared.
 As electronic evidence is prone to tampering and damage, it is necessary to know by whom, when, where, what and why the evidence was transferred. Therefore, once the evidence is collected, and every time it is transferred, that shall be properly documented, and no one other than the "persons entrusted" should have access to it.
Forensic Duplication:
Every storage medium contains data. For forensic purposes, that data must be copied in a manner that does not change any information on the device. The common techniques are as follows:
(i) Logical Backup - copies the directories and files of a logical volume. It does not capture other data that may be present on the medium, such as deleted files or residual data in slack space.
(ii) Bit Stream Imaging - also known as imaging or cloning, it produces a bit-for-bit copy of the original medium. It can be done disk-to-disk (from the target medium to another medium) or disk-to-file (from the medium to a single logical image file), and requires more space and time than a logical backup.
(iii) Write blocker - a hardware or software tool that prevents a computer from writing to a storage medium. The suspect medium is connected to the hardware write blocker, and the write blocker is connected to the acquisition machine. A software write blocker is instead installed on the forensic workstation before the suspect medium is connected to it; never load software onto the suspect computer itself, since that writes to the evidence. On a Linux workstation, the command blockdev --getro /dev/sdX printing 1 confirms that the kernel has the device marked read-only.
Precautions:
a. The integrity of the original medium must be maintained. After duplication is complete, it should be verified that the copied data is an exact copy of the original (hash the original before and after acquisition as well as the copy; all three values must agree).
b. The hash value of the copied data should be calculated to ensure data integrity.
c. The forensic image files must be written as logical files onto brand-new, freshly formatted media or forensically wiped sterile media. These HDDs should be used only for evidence storage.
d. Logical-file copies of the forensic image files shall be made on a brand-new sterile HDD before travelling back to the office, and labelled as "copy of hard drive ..." using a barcode. If a barcode is not possible, a serial code with the relevant information (unit name, year, case number, etc.) can be used.
Acquiring data from some common devices:
a. Hard drives of desktops/laptops - use forensic software such as Cyber Check Suite, EnCase or FTK to image the drives. Be sure to connect the evidence drive through a write blocker so that the operating system does not accidentally write to it. The write blocker prevents any data from being written to the seized hard disk, whether intentionally or accidentally.
 The write-protection device is used as an interface between the seized medium and the forensic computer.
 When the hard drive (for example, some SSDs) cannot be removed, the entire device should be taken into evidence. Connect the suspect computer to the forensic computer with a network crossover cable, boot it from a forensic distribution (such as Helix or LinEn), then connect to the forensic computer and duplicate using forensic tools such as EnCase.
b. Smartphones - data such as contact lists, call records, SMS, MMS, GPS data and pictures/videos can be acquired from a cell phone using software such as Cellebrite or Paraben Device Seizure. However, while working with a live (switched-on) cell phone, the necessary precautions, such as the use of network jammers or Faraday bags, should be taken.
c. USB drives - they can easily be imaged by connecting them to a forensic machine; however, a software or hardware write blocker must be used to maintain data integrity.
d. Digital cameras - the internal memory as well as the memory card can be imaged using the same technique and precautions as for USB drives.
Seizure of Digital Evidence:
It involves:
(a) calculating the hash value of the suspect storage medium,
(b) creating a digital fingerprint (hash) of the same at the Scene of Crime (SoC), and
(c) calculating the hash value of the forensic image as well.
Precautions:
(i) Digital evidence may look simple to gather, but maintaining its reliability, integrity and legal relevance is always challenging. The E.O. should adopt a thorough, professional approach and follow the guidelines prescribed here and those provided from time to time.
(ii) No file should be opened without using a write blocker. Otherwise the timestamps would change, which amounts to tampering with the evidence.
(iii) A permanent, sterile, new physical storage medium should always be used. If an already used hard disk must be used, all previous data must be wiped off prior to forensic storage.
(iv) The new physical medium must be fireproof and tamper-proof. Immediately after imaging the data onto it, it should be marked with a unique exhibit number related to the case.
(v) Thereafter, a unique number should be assigned to the contents of the forensic storage medium, duly computed through a hash algorithm. This number should be mentioned in the panchnama to authenticate the evidence in future.
(vi) It should be verified and cross-checked that the hash value of the original evidence (say N1) and those of the imaged copies (N2, N3, N4, etc.) are the same.
(vii) The seizure memo should be prepared in the prescribed format, and the evidence sent to the Cyber Cell/FSL/Court for further analysis or presentation.
(viii) The digital evidence so collected should always be preserved in an anti-static cover with all details and a tag/barcode, with separate inventory lists for all the media seized, with case and other reference numbers; and stored in a dry, cool place.
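The difference between a logical backup and a bit-stream image described under Forensic Duplication, and the N1 = N2 = N3 hash check required by precaution (vi) above, can both be shown on a small constructed volume. The following Python script is an added example, not part of the course notes: the "device" is an in-memory byte string with an invented sector layout and a JSON directory in sector 0 (a real acquisition would run dd, dc3dd or a commercial imager against a write-blocked device), and all file names and contents are constructed.

```python
"""Logical backup vs bit-stream image, demonstrated on a constructed
in-memory 'device'. A logical backup copies only the files the directory
still lists; a bit-stream image copies every sector, so slack space and
deleted-file residue come with it. Hashes prove the image equals the original."""
import hashlib
import io
import json

SECTOR = 512      # toy sector size (assumption of this example)
SECTORS = 8       # toy device size


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_device() -> bytes:
    """Toy volume: sector 0 holds a JSON directory; sectors 1-7 hold data.
    'notes.txt' is live, 'plan.txt' was deleted (no directory entry) but its
    bytes remain, and the tail of notes.txt's sector still holds an older,
    longer file: classic slack space."""
    sectors = [bytearray(SECTOR) for _ in range(SECTORS)]
    old = b"OLD DRAFT: transfer funds to offshore account 4471 before audit\n"
    sectors[1][:len(old)] = old
    live = b"meeting notes: nothing unusual today\n"   # shorter, overwrites only the start
    sectors[1][:len(live)] = live
    deleted = b"plan.txt: exfiltrate customer DB via ftp on friday\n"
    sectors[3][:len(deleted)] = deleted
    directory = json.dumps({"notes.txt": {"sector": 1, "length": len(live)}}).encode()
    sectors[0][:len(directory)] = directory
    return b"".join(bytes(s) for s in sectors)


def bitstream_image(device: bytes) -> bytes:
    """Sector-by-sector copy of the entire medium, interpreting nothing
    (what dd or dc3dd do when run against a write-blocked device)."""
    src, out = io.BytesIO(device), io.BytesIO()
    for chunk in iter(lambda: src.read(SECTOR), b""):
        out.write(chunk)
    return out.getvalue()


def logical_backup(device: bytes) -> dict:
    """Copy only the files the directory lists, and only their recorded length."""
    directory = json.loads(device[:SECTOR].rstrip(b"\0").decode())
    return {name: device[m["sector"] * SECTOR: m["sector"] * SECTOR + m["length"]]
            for name, m in directory.items()}


def verify_copies(original: bytes, copies: list) -> bool:
    """Seizure check (vi): hash of the original (N1) must equal every copy (N2, N3, ...)."""
    n1 = sha256(original)
    return all(sha256(c) == n1 for c in copies)


def demo() -> dict:
    device = build_sample_device()                 # stands in for the seized medium
    n2 = bitstream_image(device)                   # evidence image
    n3 = bitstream_image(n2)                       # working copy made from the image
    logical = logical_backup(device)
    corrupted = n3[:-1] + bytes([n3[-1] ^ 0x01])   # one flipped bit in a copy
    return {
        "images_match_original": verify_copies(device, [n2, n3]),
        "corrupted_copy_detected": not verify_copies(device, [corrupted]),
        "image_has_deleted_file": b"exfiltrate" in n2,
        "image_has_slack": b"4471" in n2,
        "logical_has_deleted_file": any(b"exfiltrate" in d for d in logical.values()),
        "logical_has_slack": any(b"4471" in d for d in logical.values()),
        "logical_files": sorted(logical),
    }


if __name__ == "__main__":
    print(demo())
```

The deleted plan and the old draft in slack space are present in the bit-stream image and absent from the logical backup, which is exactly why technique (i) is insufficient for evidence. The hash comparison is the same one the seizure memo records: the original's value before acquisition, again after, and the value of every image must all agree, and a single flipped bit in a copy is enough to fail it.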
Packaging, Labelling and Transportation:
 The collected digital evidence shall be numbered and labelled so that connecting it to the case in future is easy. Each item shall have a tag bearing its number as well as all the visible details of the evidence. The same shall be recorded in the daily diary, case diary and schedule of evidence maintained.
 During transportation, digital evidence should not be kept where it is exposed to frequent mechanical shocks or drastic temperature changes. As far as possible, anti-static bags should be used so that localized electrostatic discharge cannot affect the data.
Legal procedure after seizure: After seizure, due documentation and transportation, the digital evidence should be brought to the notice of the Court having jurisdiction, and permission to keep it in the custody of the E.O. for further investigation should be obtained. Permission of the Court to image it and send it to the forensic labs should also be obtained, if required.
 All such transactions should be duly recorded in the chain of custody.
 The accused or the owners of the material seized may approach the Court for its release. The E.O. should carefully prepare his objections based on the merits of the case and the requirement for further investigation. He should ensure that no original evidence having a bearing on the prosecution of the case is returned. Even if the Court is inclined to consider the accused's request, the E.O. should try to impress upon it that only an authentically imaged copy be provided, not the original evidence.
Gathering information from various agencies:
Internet service providers (ISPs) and other firms are required to preserve certain information and to provide it to law enforcement agencies (LEAs) if requisitioned under the law. Normally they have "nodal officers" who function as per the guidelines of the ministry concerned. The usual sources are:
 Telecom Service Providers (TSPs)/Internet Service Providers (ISPs)
 E-mail service providers
 Mobile service providers
 Social networking sites
 Financial institutions/Internet banking institutions
 Web site domain/hosting providers
Deposition in the Court: The E.O. may have to depose/testify about the evidence in a court of law. He should carefully go through the facts of the case and the digital and other evidence, and prepare his notes in the following manner:
a. Details of the information/complaint received by him.
b. Collection of relevant information for pre-investigation assessment.
c. Visit to and evaluation of the scene of crime.
d. Identification and collection of the evidence.
e. The care and procedures followed during collection of digital evidence.
f. Steps taken to maintain the integrity of the evidence.
g. The labelling, sealing and other documentation (such as entries in the case diary) done.
h. Requests for expert opinion or forensic analysis.
i. Analysis and interpretation of the evidence and reconstruction of the case before the Court.
RECONSTRUCTING THE ATTACK
Now that you have collected the data, you can attempt to reconstruct the chain of events leading
to and following the attacker’s break-in. You must correlate all the evidence you have gathered
(which is why accurate timestamps are critical), so it’s probably best to use graphical tools,
diagrams, and spreadsheets. Include all of the evidence you’ve found when reconstructing the
attack—no matter how small it is. You may miss something if you leave a piece of evidence out.
Finally, as you can see, collecting electronic evidence is no trivial matter. There are many
complexities you must consider, and you must always be able to justify your actions. It is far
from impossible though. The right tools and knowledge of how everything works is all you need
to gather the evidence required.

Module 3
Conducting Digital Investigation-Digital investigation process models, scaffolding for digital
investigations, applying scientific method in Digital Investigations-Formation and Evaluation of
Hypotheses, Preparation, Survey, Preservation, Examination, Analysis, Reporting and
Testimony.
Computer Basics for Digital Investigators-Basic Operation of Computers, Representation of
Data, Storage Media and Data Hiding, File Systems and Location of Data, Dealing with
Password Protection and Encryption. Log files, Registry, Internet traces.
Digital investigation process models
Computer Security Incident
 Unauthorized/unlawful intrusions into computing systems
 Scanning a system - systematic probing of ports (and IP addresses) to see which are open
 Denial-of-Service (DoS) attack - any attack designed to disrupt the ability of authorized users to access data
 Malicious code - any program or procedure that makes unauthorized modifications or triggers unauthorized actions (virus, worm, Trojan horse)
 Digital investigation process models
 Scaffolding for digital investigations
 Applying the scientific method in digital investigations
The goal of any investigation is to uncover and present the truth.
Digital investigations
Digital investigations inevitably vary depending on technical factors such as the type of computing or communications device, whether the investigation is in a criminal, civil, commercial, military, or other context, and case-based factors such as the specific claims to be investigated.
Despite this variation, there exists a sufficient amount of similarity between the ways digital
investigations are undertaken that commonalities may be observed. These commonalities tend to
be observed from a number of perspectives, with the primary ways being process, principles, and
methodology
Methodology
■ Treat every case as if it will end up in court.
■ Forensics methodology:
■ Acquire the evidence without altering or damaging the original.
■ Authenticate that your recovered evidence is the same as the originally seized data.
■ Analyze the data without modifying it.
Computer Forensics
The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable. (McKemmish, 1999)
Digital Investigation Process Models
The most common steps for conducting a complete and competent digital investigation are:
Preparation:
Generating a plan of action to conduct an effective digital investigation and obtaining
supporting resources and materials.
Survey/Identification:
Finding potential sources of digital evidence (e.g., at a crime scene, within an
organization, or on the Internet). Because the term identification has a more precise meaning in
forensic science relating to the analysis of an item of evidence, this process can be more clearly
described as survey of evidence. Survey is used throughout this chapter when referring to this
step
Preservation:
Preventing changes of in situ digital evidence, including isolating the system on the network, securing relevant log files, and collecting volatile data that would be lost when the system is turned off. This step includes subsequent collection or acquisition.
Examination and Analysis:
Searching for and interpreting trace evidence. Some process models use the terms
examination and analysis interchangeably
Examination and Analysis of Evidence
 Forensic examination is the process of extracting and viewing information from the
evidence and making it available for analysis.
 In contrast, forensic analysis is the application of the scientific method and critical
thinking to address the fundamental questions in an investigation: who, what, where,
when, how, and why
Presentation:
 Reporting of findings in a manner which satisfies the context of the investigation,
whether it be legal, corporate, military, or any other
Process models
When attempting to conceive of a general approach to describe the investigation process within digital forensics, one should make such a process generalizable. This led to the proposal of a number of models for describing investigations, which have come to be known as "process models".
Why Process models
Using a formalized methodology encourages a complete, rigorous investigation, ensures proper
evidence handling, and reduces the chance of mistakes created by preconceived theories, time
pressures, and other potential pitfalls.
Digital Investigation Process Models
 Physical Model
 Staircase Model
 Evidence Flow Model
 Subphase Model
 Roles and Responsibilities Model
Physical Model
 A computer being investigated can be considered a digital crime scene, and its investigation a subset of the investigation of the physical crime scene where it is located.
 Physical evidence may exist around a server that was attacked by an employee, and usage evidence may exist around a home computer that contains contraband.
 Furthermore, the end goal of most digital investigations is to identify a person who is responsible, and therefore the digital investigation needs to be tied to a physical investigation.

Staircase Model
[Figure not reproduced]

Evidence Flow Model
[Figure not reproduced]

Subphase Model
[Figure not reproduced]

Roles and Responsibilities Model
[Figure not reproduced]

Scaffolding for digital investigations, applying scientific method in Digital Investigations
Scaffolding focuses on 6 Aspects
[Figure not reproduced]

 Factors that contribute to the severity of an offense include threats of physical injury, the potential for significant losses, and the risk of wider system compromise or disruption.
 Within an organization, if a security breach or policy violation can be contained quickly, if there is little or no damage, and if there are no exacerbating factors, a full investigation may not be warranted.
 The output of this step in the investigative process is a decision that falls into one of two basic categories:
Threshold considerations are not met: no further action is required. For example, the available data and information are sufficient to indicate that there has been no wrongdoing. Document the decision with detailed justification, report, and reassign resources.
Threshold considerations are met: continue to apply investigative resources based on the merits of the evidence examined to this point, with priority based on the initially available information. This step calls for discernment based on practical as well as legal precedent, coupled with the informed experience of the investigative team.

Applying scientific method in Digital Investigations-Formation and Evaluation of Hypotheses, Preparation, Survey
Although process models that define each step of an investigation can be useful for certain
purposes, such as developing procedures, they are too complex and rigid to be followed in every
investigation.
In practice, most digital investigations do not proceed in a linear manner and the common steps
of preparation, survey, preservation, examination, and analysis are not neatly separated
 The scientific method provides the necessary structure to help digital investigators
complete each step of an investigation in a repeatable manner to achieve reliable results.
 In practice, digital investigators are better served by simpler methodologies that guide
them in the right direction, while allowing them to maintain the flexibility to handle
diverse situations. The scientific method provides such a simple, flexible methodology
The scientific method begins with fact gathering and validation, and proceeds to hypothesis
formation and experimentation/ testing, actively seeking evidence that disproves the hypothesis,
and revising conclusions as new evidence emerges
 From a practical viewpoint, at each stage of the investigative process a digital
investigator is trying to address specific questions and accomplish certain goals relating
to the case.
 These questions and goals will drive the overall digital investigation process and will
influence specific tasks within each step.

Therefore, it is important for digital investigators to have a robust and repeatable methodology
within each step to help them accomplish the goals and address the questions that are necessary
to solve the case
Digital investigators are generally instructed to focus on specific issues in a case, sometimes with
time constraints or other restrictions.
For example, in order to find a missing person as quickly as possible, digital investigators may
be compelled to progress rapidly through the preparation, survey, preservation, examination, and
analysis steps at the expense of completeness and accuracy
Carrier’s Hypothesis
Carrier’s Hypothesis Based Approach to digital forensic investigations (Carrier, 2006) provides
an initial model which bridges digital investigation practices and computer science theory,
demonstrating the role of the scientific method within a digital investigation.
Now let's see how the scientific method is applied to each step of a digital investigation
(preparation, survey, preservation, examination, and analysis), which can guide a digital
investigator through almost any investigative situation, whether it involves a single compromised
host, a single network link, or an entire enterprise
The general methodology for Investigation
Observation:
One or more events will occur that will initiate your investigation. These events will include
several observations that will represent the initial facts of the incident. Digital investigators will
proceed from these facts to form their investigation. For example, a user might have observed
that his or her web browser crashed when he or she surfed to a specific Web site, and that an
antivirus alert was triggered shortly afterward.
Hypothesis:
Based on the current facts of the incident, digital investigators will form a theory of what
may have occurred. For example, in the initial observation described earlier, a digital investigator
may hypothesize that the web site that crashed the user’s web browser used a browser exploit to
load a malicious executable onto the system.
Prediction:
Based on the hypothesis, digital investigators will then predict where the artifacts related
to that event may be located. Using the hypothesis, together with knowledge of the general operation of
web browsers and operating systems, a digital investigator may predict that there will be evidence of
an executable download in the history of the web browser, and potentially that files related to the
malware were created around the time of the incident.
Experimentation/Testing:
Digital investigators will then analyze the available evidence to test the hypothesis,
looking for the presence of the predicted artifacts. In the previous example, a digital investigator
might create a forensic duplicate of the target system, and from that image extract the web
browser history to check for executable downloads in the known timeframe. Part of the scientific
method is also to test possible alternative explanations—if the original hypothesis is correct a
digital investigator will be able to eliminate alternative explanations on the basis of available
evidence (this process is called falsification).
Conclusion:
Digital investigators will then form a conclusion based upon the results of their findings.
A digital investigator may have found that the evidence supports the hypothesis, falsifies the
hypothesis, or that there were not enough findings to generate a conclusion.
This general methodology can be repeated as many times as necessary to reach conclusions
at any stage of a digital investigation.
Preparation
The general aim of preparing for a digital investigation is to create a plan of action to
perform an effective digital investigation, and to obtain the necessary personnel and equipment.
Preparation for the preservation step ensures that the best evidence can be preserved when the
opportunity arises.
An example of applying the scientific method to preparation for the preservation step of a
digital investigation is provided here:
Observation:
Gathering information about the crime scene to anticipate what number and type of
computer systems to expect, and whether full disk encryption is in use. This stage can involve
interviewing people familiar with the location to be searched, and reviewing documentation such
as IT network diagrams, asset inventory, and purchase orders for computers. When no inside
knowledge is readily available, this observation process may require covert surveillance.
Hypothesis/Prediction:
Based on the information gathered about the crime scene, digital investigators will form
theories about the types of computer systems and internal components such as hard drive
capacity and interface (e.g., ATA, SATA, serial attached SCSI).
Experimentation/Testing:
It may be possible to test some predictions about what will or will not be encountered at
the crime scene. For instance, it may be possible to glean details about internal and public servers
by examining e-mail headers and connecting to them over the Internet.
Conclusions:
The outcome of this process should be a robust plan for preserving evidence at the crime
scene. In some instances, digital investigators also need to prepare for some on-scene processing
of digital evidence. For instance, when digital investigators are not authorized to collect every
computer system, some on-scene keyword searching of many computers must be performed to
identify which are relevant to the investigation.
Survey
With a plan in hand from the preparation step, digital investigators should be well
prepared to recognize sources of digital evidence at the crime scene. The aim of the process is for
digital investigators to find all potential sources of digital evidence and to make informed,
reasoned decisions about what digital evidence to preserve at the crime scene.
Observation:
A methodical inspection of the crime scene should be performed in an effort to locate the
expected items and to find unanticipated items. Carrier’s Integrated Digital Investigation Process
model encourages use of traditional approaches to searching the physical crime scene in a
methodical manner. A comparable methodical approach to searching a digital crime scene should
be used to find and assess potential sources of digital evidence.
Hypothesis:
Theories should be developed about why certain expected items are not present, and why
certain unexpected items were found.
Prediction:
Ideas should be considered for where missing items may be found, and which items may
contain potentially relevant data. When large quantities of computers or removable media are
involved, it may be necessary to develop theories about which ones do and do not contain
potentially relevant digital evidence.
Experimentation/Testing:
When digital investigators believe that certain items are not relevant to the case, some
experimentation and testing is needed to confirm this belief. For example, it may be necessary to
perform a triage search of these seemingly irrelevant systems or storage media for responsive
evidence to ensure that they, in fact, do not contain anything of interest.
Conclusions:
Based on the methodical assessment of available information, there is a high degree of
confidence that an inventory has been made of all potentially relevant sources of digital evidence
at the crime scene that need to be preserved.
In an organization, documentation relating to the survey phase may take the form of a map
indicating where evidence is located on a network—a digital evidence map. Such a map may
include e-mail, log files, and backup tapes, may specify for how long each source of digital
evidence is retained, and may reference procedures for collecting the evidence to help digital
investigators handle the data properly.
Preservation, Examination, Analysis, Reporting and Testimony
• Working from the known inventory of identified components, investigators must act to
make sure that potentially volatile items are collected or acquired in such a way that
captures their current state.
• Another way to put it is that proper actions must be taken to ensure the integrity of
potential evidence, physical and digital. The methods and tools employed to ensure
integrity are key here. Their accuracy and reliability as well as professional acceptance
may be subject to question by opposing counsel if the case is prosecuted.
• To many practitioners in digital forensics, the preservation step is where digital forensics
begins. It is generally the first stage in the process that employs commonly used tools of a
particular type. The output of this stage is usually a set of duplicate copies of all sources
of digital data.
This output provides investigators with two categories of exhibits.
• First, the original material is cataloged and stored in a proper environmentally controlled
location, in an unmodified state.
• Second, an exact duplicate of the original material is created that will be scrutinized as
the investigation continues.
Consider examples of the scientific process applied to the preservation of common forms of
digital evidence.
Hard Drives
Observation: A hard drive has a SATA interface with a certain number of sectors
documented on the label.
Hypothesis: A complete and accurate duplicate of the hard drive can be obtained without
altering the original.
Prediction: The resulting forensic duplicate will have the same hash value as the original
hard drive.
Experimentation/Testing:
Comparing the hash value of the forensic duplicate with that of the original hard drive
confirms that they are the same. However, comparing the size of the forensic duplicate with the
capacity of the hard drive reveals a discrepancy. Further experimentation is needed to determine
that this discrepancy is caused by an incorrect number of sectors being detected by the
acquisition method used. Using an alternative method to acquire data from the hard drive gives a
complete and accurate duplicate of the digital evidence.
Conclusions:
There is a high degree of confidence that an accurate duplicate of all data on the hard
drive was acquired in a forensically sound manner.
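The Hard Drives example above is worth seeing in code, because it shows why a matching hash alone does not prove a complete acquisition: an imaging run that detects too few sectors hashes only what it read, so the image hash still matches while the size does not. This is an added example, not code from the course notes; it assumes 512-byte sectors and simulates the drive and the image as in-memory byte strings.

```python
"""Added example: verifying a forensic duplicate by hash AND by size.

Assumptions: 512-byte sectors; the drive and the image are held as bytes objects
(a real tool would read a block device and write an image file).
"""
from __future__ import annotations

import hashlib

SECTOR_SIZE = 512  # assumption: conventional sector size


def sha256_hex(data: bytes) -> str:
    """Hash used to compare the duplicate against the original."""
    return hashlib.sha256(data).hexdigest()


def acquire(drive: bytes, detected_sectors: int) -> tuple[bytes, str]:
    """Simulated imaging run.

    The tool reads only the sectors it *detected* (which may be fewer than the
    drive really has) and computes the acquisition hash over exactly those bytes.
    The image hash will therefore always match it, even when the read was short.
    """
    read_range = drive[: detected_sectors * SECTOR_SIZE]
    acquisition_hash = sha256_hex(read_range)
    image = bytes(read_range)  # what would be written to the image file
    return image, acquisition_hash


def verify_duplicate(image: bytes, acquisition_hash: str, label_sectors: int) -> dict:
    """Experimentation/Testing step: compare hashes, then compare size with the label."""
    expected_size = label_sectors * SECTOR_SIZE
    missing = (expected_size - len(image)) // SECTOR_SIZE
    return {
        "hash_match": sha256_hex(image) == acquisition_hash,
        "size_match": len(image) == expected_size,
        "expected_bytes": expected_size,
        "image_bytes": len(image),
        "missing_sectors": max(missing, 0),
    }


def build_sample_drive(sectors: int) -> bytes:
    """Constructed sample drive: each sector filled with a distinct byte value."""
    return b"".join(bytes([i % 256]) * SECTOR_SIZE for i in range(sectors))


def walk_through(label_sectors: int = 16, wrong_detection: int = 14) -> tuple[dict, dict]:
    """Runs the page's scenario: the first acquisition under-reads, the second is complete."""
    drive = build_sample_drive(label_sectors)
    image1, hash1 = acquire(drive, wrong_detection)
    first = verify_duplicate(image1, hash1, label_sectors)
    image2, hash2 = acquire(drive, label_sectors)  # alternative method detects all sectors
    second = verify_duplicate(image2, hash2, label_sectors)
    return first, second


if __name__ == "__main__":
    first, second = walk_through()
    print("first acquisition :", first)   # hash matches, size does not
    print("second acquisition:", second)  # both match
```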
Prior to attempting to preserve digital evidence, it is most effective to prepare the necessary
forensic preservation tools and techniques to handle various forms of evidence. During the
preparation step of a digital investigation, activities such as testing tools and sanitizing and/or
encrypting storage media can be performed to make preservation processes go more smoothly.
Examination
Forensic examination is the process of extracting and viewing information from the evidence,
and making it available for analysis. Forensic examination of digital evidence is generally one of
the most resource intensive and time-consuming steps in a digital investigation. To produce
useful results in a timely manner at different phases of an investigation, it is useful to employ
three levels of forensic examination:
1. Survey/Triage Forensic Inspection: Targeted review of all available media to determine
which items contain the most useful evidence and require additional processing.
2. Preliminary Forensic Examination: Forensic examination of items identified during
survey/triage as containing the most useful evidence, with the goal of quickly providing
investigators with information that will aid them in conducting interviews and developing
leads.
3. In-Depth Forensic Examination: Comprehensive forensic examination of items that
require more extensive investigation to gain a more complete understanding of the
offense and address specific questions.
When conducting a forensic examination, it is useful to consider Carrier’s Integrated Digital
Investigation Process model, which treats sources of digital evidence as individual crime scenes.
By conceptually treating each source of digital evidence as a crime scene, digital investigators
are encouraged to apply each step of the investigative process to each source of evidence and
thereby develop a more comprehensive and methodical approach to a forensic examination.
Preparation for Forensic Examinations:
Prior to performing a forensic examination of digital evidence, it is advisable to prepare a
plan of action that outlines what steps will be taken and what processes will be performed on
each item of digital evidence.
Survey in Forensic Examinations:
Digital investigators will generally survey each source of digital evidence, including the
contents of hard drives, mobile devices, log files, and other data to develop an overall familiarity
with the corpus delicti (a.k.a. totality of the evidence) to find items of potential relevance to the
investigation.
Forensic Examinations:
Certain items within a source of digital evidence may require special processing so that
they can be examined more easily. Such special items can include mailboxes, password-
protected files, encrypted volumes, and unallocated space.
Forensic examination of digital evidence, whether it is an entire hard drive or an individual’s
mailbox, generally involves some level of recovery, harvesting, organization, search, and
reduction to produce a reduced dataset for forensic analysis.
Recovery:
Data should be extracted from available sources, including items that have been deleted,
hidden, camouflaged, or that are otherwise unavailable for viewing using the native operating
system and resident file system. The objective is to recover all unavailable data whether or not
they may be germane to the case or incident. In some instances, it may also be necessary to
reconstitute data fragments to recover an item. The output provides the maximum available
content for the investigators, like a complete data timeline and information that may provide
insight into the motives of an offender if concrete proof of purposeful obfuscation is found and
recorded.
Harvesting:
Data and metadata (data about data) should be gathered about all recovered objects of
interest. This gathering will typically proceed with little or no discretion related to the data
content, its context, or interpretation. Rather, the investigator will look for categories of data that
can be harvested for later analysis—groupings of data with certain class characteristics that, from
experience or training, seem or are known to be related to the major facts of the case or incident
known to this point in the investigation.
Organization and Search:
A thorough analysis should be facilitated by organizing the reduced set of materials from
the previous step, grouping, tagging, or otherwise placing them into meaningful units. At this
stage, it may be advantageous to actually group certain files physically to accelerate the analysis
stage. They may be placed in groups using folders or separate media storage, or in some
instances a database system may be employed to simply point to the cataloged file system
objects for easy, accurate reference without having to use the rudimentary search capability offered
by most host operating systems.
Reduction:
Irrelevant items should be eliminated, or specific items targeted in the collected data as
potentially germane to an investigation. This process is analogous to separating the wheat from
the chaff. The decision to eliminate or retain is made on the basis of external data attributes such
as hashes or checksums, type of data (after the type is verified), etc. In addition, material facts
associated with the case or incident are also brought to bear to help eliminate data as potential
evidence.
Applying the scientific method to the forensic examination process can be a time-consuming and
repetitive process, but the effort is generally well spent, giving digital investigators the
information they need to resolve a case. A less methodical or scientifically rigorous forensic
examination may miss important information or may give erroneous results.
Analysis
The forensic analysis process is inseparable from the scientific method. By definition,
forensic analysis is the application of the scientific method and critical thinking to address the
fundamental questions in an investigation: who, what, where, when, how, and why.
• This step involves the detailed scrutiny of data identified, preserved, and examined
throughout the digital investigation.
• The techniques employed here will tend to involve review and study of specific, internal
attributes of the data such as text and narrative meaning of readable data, or the specific
format of binary audio and video data items.
• Additionally, class and individual characteristics found in this step are used to establish
links, determine the source of items, and ultimately locate the offender.
• Ultimately, the information that has been accumulated during the digital investigation is
combined to reconstruct a comprehensive understanding of events relating to the crime or
incident.
Observation:
Human readable (or viewable) digital data objects have substance that can be perceived
as well as context that can be reconstructed. That content and context of digital evidence may
contain information that is used to reconstruct events relating to the offense and to determine
factors such as means, motivation, and opportunity.
Hypothesis:
Develop a theory to explain digital evidence.
Prediction:
Based upon the hypothesis, digital investigators will then predict where they believe the
artifacts of that event will be located.
Experimentation/Testing:
A very general term but applied here to mean any activity used to determine whether or
not digital evidence is compatible with the working theory. These activities can include running
experiments using a specific operating system or application to learn about their behavior and
associated artifacts or loading the subject system into a virtualized environment to observe it as
the user would.
Conclusions:
The result of a thorough forensic analysis generally includes an investigative
reconstruction based on fusion and correlation of information.
During the investigation, data (information) have been collected from many sources (digital and
nondigital). The likelihood is that digital evidence alone will not tell the full tale. The converse is
also true. The data must be fused or brought together to populate the structures needed to tell the full
story.
Reporting and Testimony
To provide a transparent view of the investigative process, final reports should contain
important details from each step, including reference to protocols followed and methods used to
seize, document, collect, preserve, recover, reconstruct, organize, and search key evidence. The
majority of the report generally deals with the analysis leading to each conclusion and
descriptions of the supporting evidence. No conclusion should be written without a thorough
description of the supporting evidence and analysis. Also, a report can exhibit the investigator or
examiner’s objectivity by describing any alternative theories that were eliminated because they
were contradicted or unsupported by evidence.
A significant amount of effort is required to prepare for questioning and to convey technical
issues in a clear manner. Therefore, this step in the process includes techniques and methods
used to help the analyst and/or domain expert translate technological and engineering details into
an understandable narrative for discussion with decision makers.
Computer Basics for Digital Investigators-Basic Operation of Computers
Assignment
• Write a note on History of Computers
• Write a note on Basic Operation of Computers
• Write a note on Representation of Data
Representation of Data, Storage Media and Data Hiding File Systems and Location of Data
All digital data are basically combinations of ones and zeros, commonly called bits. It is often
necessary for digital investigators to deal with data at the bit level, requiring an understanding of
how different systems represent data.
Storage Media and Data Hiding


[On binary systems] each data element is implemented using some physical device that can be
in one of two stable states: in a memory chip, for example, a transistor switch may be on or off;
in a communications line, a pulse may be present or absent at a particular place and at a
particular time; on a magnetic disk, a magnetic domain may be magnetized to one polarity or to
the other; and, on a compact disk, a pit may be present or not at a particular place.
Although storage media come in many forms, hard disks are the richest sources of digital
evidence on computers. Understanding how hard drives function, how data are stored on them,
and where data can be hidden can help digital investigators deal with hard drives as a source of
evidence.
Understanding disk drives
The architecture of a hard disk consists of several physical components that include:
• Platters
• Spindle
• Read/write heads
• Tracks
• Sectors
Platters
Hard disks are organized as a concentric stack of disks. An individual disk is referred to as
a platter.
Each platter consists of two surfaces: a lower and an upper surface.
Spindle
• The platters within the hard disk are connected by a spindle that runs through the middle
of the platters.
• The spindle rotates in a single direction about its axis (either clockwise or
counterclockwise).
• The movement of the spindle causes the platters to rotate as well.
Read/write head
• Each surface on a platter contains a read/write head that is used to read or write data onto
the disk.
• The read/write heads can move back and forth along the surface of a platter. Read/write
heads are in turn connected to a single actuator arm.
Tracks
• Each surface of a platter consists of a fixed number of tracks. These are circular areas on
the surface of a platter that decrease in circumference as we move towards the center of
the platter.
• Data is first written to the outermost track.
Sectors
Each track is divided into a fixed number of sectors. Sectors divide track sections and store data.
When data are stored on a hard disk, they are allocated in whole clusters. So, whether a file is large or
small, there will be some unused space in its last cluster (unless the file size is an exact multiple of
the cluster size).
Furthermore, that leftover space cannot be used by other files (even if the file is only 0 bytes in size);
the file system does not allow two or more files to share a cluster, because doing so could cause data
corruption.
What is Data Obfuscation?
Data obfuscation is a process to obscure the meaning of data as an added layer of data protection.
In the event of a data breach, sensitive data will be useless to attackers. The organization — and
any individuals in the data — will remain uncompromised. Organizations should prioritize
obfuscating sensitive information in their data.
Top data obfuscation methods
• If you ask ten people the definition of data obfuscation, you'll get 12 different answers.
That's because there are many different methods, each designed for specific purposes.
• Obfuscation is an umbrella term for a variety of processes that transform data into
another form in order to protect sensitive information or personal data.
• Three of the most common techniques used to obfuscate data are encryption,
tokenization, and data masking.
Encryption
is very secure, but you lose the ability to work with or analyze the data while it’s
encrypted. The more complex the data encryption algorithm, the safer the data will be from
unauthorized access. Encryption is a good obfuscation method if you need to store or transfer
sensitive data securely.
Tokenization
substitutes sensitive data with a value that is meaningless on its own. The token itself cannot be
reversed. However, the token can be mapped back to the original data. Tokenized data supports operations
like running a credit card payment without revealing the credit card number. The real data never
leaves the organization and can't be seen or decrypted by a third-party processor.
Data masking
substitutes realistic but false data for original data to ensure privacy. Using masked data,
testing, training, development, or support teams can work with a dataset without putting real data
at risk. Data masking goes by many names. You may have heard of it as data scrambling, data
blinding, or data shuffling. The process of permanently stripping personally identifiable
information (PII) from sensitive data is also known as data anonymization or data sanitization.
Whatever you call it, fake data replaces real data. There is no algorithm to recover the original
values of masked data.
Masking out
is a way to create different versions of the data with a similar structure. The data type
does not change; only the values change. Data can be modified in several ways, for example
shifting numbers or letters, replacing words, and switching partial data between records.
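The difference between tokenization (reversible only through the mapping) and data masking (no way back) is easiest to see side by side. This is an added example, not code from the course notes; it assumes an in-memory dictionary as the token vault (a real vault is a protected store) and uses card numbers as the sensitive field. Real encryption, the third method above, needs a cryptographic library and is left out here.

```python
"""Added example: tokenization versus data masking of a card number.

Assumptions: the token vault is an in-memory dict; tokens and masked values are
digit strings of the same length as the original, so a system that expects a
16-digit field keeps working on the obfuscated data.
"""
from __future__ import annotations

import secrets

DIGITS = "0123456789"


class TokenVault:
    """Tokenization: the token carries no information; only the vault maps it back."""

    def __init__(self) -> None:
        self._to_token: dict[str, str] = {}
        self._to_value: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        """Returns a random token of the same shape; the same input always gets the same token."""
        if value in self._to_token:
            return self._to_token[value]
        while True:
            token = "".join(secrets.choice(DIGITS) for _ in value)
            if token != value and token not in self._to_value:  # avoid collisions
                break
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Reversal is possible only for whoever holds the vault (raises KeyError otherwise)."""
        return self._to_value[token]


def mask_card_number(number: str, keep_last: int = 4) -> str:
    """Data masking: realistic but fake leading digits, last digits kept. No way back:
    the random digits are not recorded anywhere."""
    head = "".join(secrets.choice(DIGITS) for _ in number[:-keep_last])
    return head + number[-keep_last:]


def shuffle_column(records: list[dict], field: str) -> list[dict]:
    """Masking by switching partial data between records: the column keeps its set of
    values but every record receives another record's value (a rotation, so that no
    record keeps its own)."""
    values = [r[field] for r in records]
    rotated = values[1:] + values[:1]
    return [dict(r, **{field: v}) for r, v in zip(records, rotated)]


if __name__ == "__main__":
    # Constructed sample data (no real card numbers or people).
    card = "4111111111111111"
    vault = TokenVault()
    token = vault.tokenize(card)
    print("token      :", token, "-> detokenize:", vault.detokenize(token))
    print("masked     :", mask_card_number(card))
    staff = [{"name": "A", "salary": 100}, {"name": "B", "salary": 200}, {"name": "C", "salary": 300}]
    print("shuffled   :", shuffle_column(staff, "salary"))
```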
A storage device without a file system would be in the same situation - and it would be a useless
electronic device. However, a file system changes everything:
Understanding file systems
A file system isn't just a bookkeeping feature, though.
• Space management, metadata, data encryption, file access control, and data integrity are
also responsibilities of the file system.
Everything begins with partitioning

When partitioning is done, the partitions should be formatted.


Most operating systems allow you to format a partition based on a set of file systems.
• For instance, if you are formatting a partition on Windows, you can choose
between FAT32, NTFS, and exFAT file systems.
• Formatting involves the creation of various data structures and metadata used to manage
files within a partition.
• These data structures are one aspect of a file system.
Windows File Systems
• File Allocation Table or FAT
• New Technology File System or NTFS.
Terminology
Metadata
• File Name
• Time Stamp
• Other Attributes
File Data
Sectors
• 512 MB of data
Clusters
• Smallest Logical Unit of File Storage
• One or more sectors
Logical and Physical Storage Units
• Logical
  • Recognized by OS
  • E.g., Clusters
• Physical
  • Recognized by a Device
  • E.g., sectors
OS Stores Files in Clusters (Wasted Space Problem)
Example
• File Size 2050 bytes
• One Cluster = two sectors
• Slack

Efficiency
• NTFS
  • Smaller Cluster Size
  • Less Slack Space -> Less Wasted Space
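The cluster and slack-space points made above (the 2050-byte file in two-sector clusters, the rule that no two files share a cluster, and the smaller-cluster efficiency of NTFS) can be worked through in a tiny simulated volume, which also shows why slack matters to an examiner: bytes of an earlier, deleted file survive behind the end of the new file. This is an added example, not code from the course notes; it assumes 512-byte sectors and the page's simple model in which even an empty file occupies one whole cluster.

```python
"""Added example: cluster allocation, slack space, and residual data in slack.

Assumptions: 512-byte sectors; every file, even an empty one, occupies at least
one whole cluster; deletion removes only the directory entry.
"""
from __future__ import annotations

SECTOR_SIZE = 512  # assumption: conventional sector size


def clusters_needed(file_size: int, cluster_size: int) -> int:
    """Whole clusters a file occupies (an empty file still gets one in this model)."""
    return max(1, -(-file_size // cluster_size))  # ceiling division


def slack_bytes(file_size: int, cluster_size: int) -> int:
    """Unused bytes at the end of the file's last cluster."""
    return clusters_needed(file_size, cluster_size) * cluster_size - file_size


def compare_cluster_sizes(file_size: int, cluster_sizes: tuple[int, ...]) -> dict[int, int]:
    """Slack for the same file under different cluster sizes: smaller clusters, less slack."""
    return {c: slack_bytes(file_size, c) for c in cluster_sizes}


class Volume:
    """Tiny cluster-addressed volume: a bytearray carved into fixed-size clusters."""

    def __init__(self, cluster_count: int, sectors_per_cluster: int) -> None:
        self.cluster_size = sectors_per_cluster * SECTOR_SIZE
        self.data = bytearray(cluster_count * self.cluster_size)
        self.files: dict[str, tuple[int, int]] = {}  # name -> (first cluster, size)

    def write_file(self, name: str, content: bytes, first_cluster: int) -> None:
        """Writes content from the start of a cluster; bytes past the end are left as they were."""
        start = first_cluster * self.cluster_size
        self.data[start : start + len(content)] = content
        self.files[name] = (first_cluster, len(content))

    def delete_file(self, name: str) -> None:
        """Deletion only drops the directory entry; the cluster contents remain."""
        del self.files[name]

    def file_slack(self, name: str) -> bytes:
        """Bytes between the file's end and the end of its last cluster."""
        first, size = self.files[name]
        end = first * self.cluster_size + size
        last_cluster_end = (first + clusters_needed(size, self.cluster_size)) * self.cluster_size
        return bytes(self.data[end:last_cluster_end])


def slack_residue_demo() -> bytes:
    """Constructed scenario: a larger file is deleted and a short one reuses its cluster."""
    vol = Volume(cluster_count=8, sectors_per_cluster=2)            # 1024-byte clusters
    vol.write_file("old.txt", b"OLD-SECRET-" * 90, first_cluster=0)  # 990 bytes
    vol.delete_file("old.txt")
    vol.write_file("new.txt", b"short note", first_cluster=0)        # 10 bytes
    return vol.file_slack("new.txt")  # 1014 bytes of slack, most of it old content


if __name__ == "__main__":
    print("2050-byte file, 1024-byte cluster:",
          clusters_needed(2050, 1024), "clusters,", slack_bytes(2050, 1024), "bytes slack")
    print("slack by cluster size:", compare_cluster_sizes(2050, (4096, 1024, 512)))
    residue = slack_residue_demo()
    print("slack of new.txt holds", len(residue), "bytes, e.g.", residue[:33])
```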


Resilient File System (ReFS)
• Compatibility
• Availability
• Scalability

Dealing with Password Protection and Encryption


Passwords
When data is password protected, it’s as if you’ve gathered all your data, in its original,
readable form, put it into a lock box, and locked the box with a password or passcode. The box is
protected by the passcode, but if the lock box is not particularly strong and someone is able to
break into it, then getting at all your valuable data is simple.
Windows and Mac Operating Systems: Password Protected
The most obvious, and perhaps most dangerous, example of simple, password protected data is
right in front of you: your Windows or Mac desktop or laptop. Even a novice hacker knows
there are several very easy ways to get around the OS passwords and get directly at your data:
First, there are CD-based tools readily available on the Internet that someone can use to boot
your PC, read your supposedly super secret password, and then have unfettered access to
everything – including Outlook email. Second, there’s the brute force method: someone can
simply pull the hard drive out of your PC, hook it up to another PC via an external hard drive
enclosure, and voila, have access to everything on the hard drive. Scary to think about, isn’t it?
What is encryption?
Encryption is a way of scrambling data so that only authorized parties can understand the
information. In technical terms, it is the process of converting human-readable plaintext to
incomprehensible text, also known as ciphertext. In simpler terms, encryption takes readable data
and alters it so that it appears random. Encryption requires the use of a cryptographic key: a set
of mathematical values that both the sender and the recipient of an encrypted message agree on.

What is a key in cryptography?


A cryptographic key is a string of characters used within an encryption algorithm for altering
data so that it appears random. Like a physical key, it locks (encrypts) data so that only someone
with the right key can unlock (decrypt) it.
What are the different types of encryption?
The two main kinds of encryption are symmetric encryption and asymmetric encryption.
Asymmetric encryption is also known as public key encryption.
What is Symmetric Encryption?

What is Asymmetric Encryption?

What is the impact of encryption on forensic investigation?


As investigators, we are limited to the information on the device that we can access. If a hard
drive is fully encrypted, we have no easy access to the stored data and our investigative options
become limited. The first thing an investigator must do is to determine the level and extent of the
encryption. Weak passwords can be cracked, but if the user has implemented a strong password,
it becomes almost impossible to access via brute force methods. It could be that just a few files
are encrypted and there could be unencrypted copies elsewhere on the device. The user could
also be a creature of habit and use the same set of passwords. These passwords can be quickly
located in easily decipherable formats throughout the system. In all cases, though, I tell
investigators that digital evidence is just one piece of the body of evidence in a case. Don’t fall
into a trap where you spend too much time trying to decrypt a potentially probative item, when
valuable unencrypted data may be found by simply continuing your examination.
Log files, Registry, Internet traces
• A log file records events that took place at a certain time, each of which may carry metadata that
contextualizes it.
• Log files are a historical record of everything and anything that happens within a
system, including events such as transactions, errors and intrusions. That data can be
transmitted in different ways and can be in structured, semi-structured or
unstructured formats.
The basic anatomy of a log file includes:


• The timestamp – the exact time at which the event logged occurred
• User information
• Event information – what was the action taken

However, depending on the type of log source, the file will also contain a wealth of relevant data.
For example, server logs will also include the referred webpage, http status code, bytes served,
user agents, and more.
Where do Log Files Come From?
Types of Logs
Nearly every component in a network generates a different type of data and each component
collects that data in its own log. Because of that, many types of logs exist, including:
Event logs
An event log is a high-level log that records information about network traffic and
usage, such as login attempts, failed password attempts, and application events.
Server logs
A server log is a text document containing a record of activities related to a specific
server in a specific period of time.
System logs
A system log, or syslog, is a record of operating system events. It includes startup
messages, system changes, unexpected shutdowns, errors and warnings, and other important
processes. Windows, Linux, and macOS all generate syslogs.
Authorization logs and access logs
Authorization logs and access logs include a list of people or bots accessing certain
applications or files.
Change logs
Change logs include a chronological list of changes made to an application or file.
Availability logs
Availability logs track system performance, uptime, and availability.
Resource logs
Resource logs provide information about connectivity issues and capacity limits.
Threat logs
Threat logs contain information about system, file, or application traffic that matches
a predefined security profile within a firewall.
Log files are an important source of digital forensic evidence because they usually connect
events to points in time. Indeed, log file data can be used to investigate network anomalies due
to insider threats, data leaks and misuse of IT assets. Log files can help identify network
intruders.
Registry
• Inside every operating system there must be some place to keep settings.
• What is my current internet address? What are all the users on my system and what are
their passwords?
• What color desktop am I using? What applications are installed? If I double click on a file
with a docx extension, what application needs to fire up to associate with that?
• There are hundreds of thousands of questions like this that even the simplest individual
machine must answer, and we've got to store that somewhere.
• Windows uses a single storage area called the registry.
• This is not a text file. It is a binary file that can only be read by a particular program
called Regedit.
Windows registry
• The registry or Windows registry is a database of information, settings, options, and
other values for software and hardware installed on all versions of Microsoft
Windows operating systems. When a program is installed, a new subkey is created in the
registry. This subkey contains settings specific to that program, such as its location,
version, and primary executable.
• The Windows Registry is a database where Windows and many programs store their
configuration settings.
• The Windows registry is a collection of several databases. There are system-wide registry
settings that apply to all users, and each Windows user account also has its own user-
specific settings.

There are two ways to open Registry Editor in Windows 10:


1. In the search box on the taskbar, type regedit, then select Registry Editor (Desktop app)
from the results.
2. Right-click Start , then select Run. Type regedit in the Open: box, and then select OK.
What Is a Registry Hive?
• A hive in the Windows Registry is the name given to a major section of the registry that contains registry keys, registry subkeys, and registry values.
• All keys that are considered hives begin with "HKEY" and are at the root, or the top of the hierarchy in the registry, which is why they're also sometimes called root keys or core system hives.
Here is a list of the common registry hives in Windows:
• HKEY_CLASSES_ROOT
• HKEY_CURRENT_USER
• HKEY_LOCAL_MACHINE
• HKEY_USERS
• HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
• Holds the user settings for the currently logged in user and is usually abbreviated HKCU. This is actually just a link to HKEY_USERS\<SID-FOR-CURRENT-USER>. The most important sub-key in here is HKCU\Software, which contains user-level settings for most of your software.
HKEY_LOCAL_MACHINE
• All of the system-wide settings are stored here, and it is usually abbreviated as HKLM. You’ll mostly use the HKLM\Software key to check machine-wide settings.
HKEY_USERS
• Stores all of the settings for all users on the system. You’ll typically use HKCU instead, but if you need to check settings for another user on your computer, you can use this one.
HKEY_CURRENT_CONFIG
• Stores all of the information about the current hardware configuration. This one isn’t used very often, and it is just a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current.
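An added example, not from the notes, that shows the hive and key structure in code. It parses the text that Windows exports from the registry (a constructed sample in the Registry Editor 5.00 export format, with a made-up application, paths and values), maps the root hives to the abbreviations HKCU, HKLM and so on, and lists autostart entries under the CurrentVersion\Run key, a standard place to examine during a forensic review. A real export would come from Regedit's Export function; the parser here is written for this example and covers string, dword and hex values only.

```python
import re

# Root keys (hives) and their customary abbreviations, as listed in the notes above.
HIVE_ABBREVIATIONS = {
    "HKEY_CLASSES_ROOT": "HKCR",
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_USERS": "HKU",
    "HKEY_CURRENT_CONFIG": "HKCC",
}

# Constructed sample in the text format that "regedit /e" exports.
# The application, paths and values are made up for illustration.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleApp]
"InstallPath"="C:\\Program Files\\ExampleApp"
"Version"="2.1.0"
"Enabled"=dword:00000001
"Flags"=hex:01,00,\
  ff,7f
@="default value"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\ExampleApp\\updater.exe /quiet"
"""

# "name"=value   or   @=value  (the key's default value)
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<raw>.*)$')


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r'\\(["\\])', r"\1", s)


def _parse_value(raw):
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])              # REG_SZ
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)      # REG_DWORD, written as hex digits
    if raw.startswith("hex"):                    # hex: / hex(n): binary data
        data = raw.split(":", 1)[1].replace("\\", "")
        return bytes(int(b, 16) for b in data.split(",") if b.strip())
    return raw                                   # unknown type: keep verbatim


def parse_reg(text):
    """Parse exported registry text into {key_path: {value_name: value}}."""
    tree, current, pending = {}, None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ""
        if line.endswith("\\"):                  # binary values continue on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]                 # a new key; a leading '-' would mean "delete"
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m["default"] else _unescape(m["name"])
            tree[current][name] = _parse_value(m["raw"])
    return tree


def abbreviate(path):
    """HKEY_LOCAL_MACHINE\\SOFTWARE\\X -> HKLM\\SOFTWARE\\X"""
    root, sep, rest = path.partition("\\")
    return HIVE_ABBREVIATIONS.get(root.upper(), root) + sep + rest


def find_autoruns(tree):
    """Values under any ...\\CurrentVersion\\Run key: programs started at logon,
    a standard place to look when reviewing a machine's configuration."""
    return {abbreviate(k): dict(v) for k, v in tree.items()
            if k.upper().endswith(r"\CURRENTVERSION\RUN")}


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for key, values in reg.items():
        print(abbreviate(key))
        for name, value in values.items():
            print(f"    {name} = {value!r}")
    print("autoruns:", find_autoruns(reg))
```

Working from an export rather than the live hives is how a reviewer usually handles registry data from another machine: the text is portable and can be diffed against a known-good export.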
Internet traces
Accessing the Internet leaves a wide variety of information on a computer including Web sites,
contents viewed, and newsgroups accessed. For instance, some Windows systems maintain a
record of accounts that are used to connect to the Internet as shown in Figure

Web Browsing
When an individual first views a Web page, the browser caches the page and associated elements such as images on disk—the creation and modification times are the same as the time the page was viewed. When the same site is accessed in the future, the cached file is accessed. The number of times that a given page was visited is recorded in some Web browser history databases.
The web is a vast and powerful tool
• Over the course of a few decades, the internet has changed the way we work, the way we play and the way we interact with one another.
• Depending on how it’s used, it bridges nations, drives commerce, nurtures relationships, drives the innovation engine of the future and is responsible for more memes than we know what to do with.
What Are Cookies?
• Cookies are text files with small pieces of data — like a username and password — that are used to identify your computer as you use a computer network. Specific cookies known as HTTP cookies are used to identify specific users and improve your web browsing experience.
• Data stored in a cookie is created by the server upon your connection. This data is labeled with an ID unique to you and your computer.
Session
Overview
• A session is a group of user interactions with your website that take place within a given time frame.
• For example, a single session can contain multiple page views, events, social interactions, and ecommerce transactions.
• You can think of a session as the container for the actions a user takes on your site.

A single user can open multiple sessions. Those sessions can occur on the same day, or over several days, weeks, or months. As soon as one session ends, there is then an opportunity to start a new session. There are two methods by which a session ends:
• Time-based expiration:
  - After 30 minutes of inactivity
  - At midnight
• Campaign change:
  - If a user arrives via one campaign, leaves, and then comes back via a different campaign.
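As an added illustration of the session-ending rules above (not from the notes), the following Python groups one visitor's hits into sessions using the 30-minute inactivity, midnight and campaign-change boundaries. The hit timestamps and campaign names are constructed; where more than one rule applies to the same hit, the inactivity rule is checked first, then midnight, then campaign, which is an assumption since the notes do not rank them.

```python
from datetime import datetime, timedelta

INACTIVITY = timedelta(minutes=30)

# Constructed hits for one visitor: (timestamp, campaign that brought them). Not real traffic.
SAMPLE_HITS = [
    (datetime(2024, 3, 3, 9, 0), "newsletter"),
    (datetime(2024, 3, 3, 9, 10), "newsletter"),
    (datetime(2024, 3, 3, 9, 50), "newsletter"),   # 40 min gap: inactivity
    (datetime(2024, 3, 3, 10, 5), "search-ad"),    # different campaign, only 15 min later
    (datetime(2024, 3, 3, 23, 40), "search-ad"),   # long gap: inactivity
    (datetime(2024, 3, 3, 23, 55), "search-ad"),
    (datetime(2024, 3, 4, 0, 3), "search-ad"),     # crosses midnight after only 8 min
]


def _boundary(prev, cur, inactivity):
    """Return why a new session starts at `cur`, or None if it continues the old one."""
    if cur[0] - prev[0] > inactivity:
        return "inactivity"
    if cur[0].date() != prev[0].date():
        return "midnight"
    if cur[1] != prev[1]:
        return "campaign"
    return None


def _summarize(hits, ended_by):
    return {
        "start": hits[0][0],
        "end": hits[-1][0],
        "hits": len(hits),
        "campaign": hits[0][1],
        "ended_by": ended_by,     # None for the session still open at the end of the data
    }


def sessionize(hits, inactivity=INACTIVITY):
    """Group a visitor's hits into sessions using the three end conditions."""
    sessions, current = [], []
    for hit in sorted(hits):
        if current:
            reason = _boundary(current[-1], hit, inactivity)
            if reason:
                sessions.append(_summarize(current, reason))
                current = []
        current.append(hit)
    if current:
        sessions.append(_summarize(current, None))
    return sessions


if __name__ == "__main__":
    for s in sessionize(SAMPLE_HITS):
        print(s["start"].isoformat(), s["end"].isoformat(), s["hits"], s["campaign"], s["ended_by"])
```

Sessionizing a raw hit stream this way is the first step when web server logs are used as evidence: it turns individual requests into visits with a start, an end and a count.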
What is a web session?

Email
Short for electronic mail, e-mail or email is information stored on a computer that is exchanged
between two users over telecommunications. More plainly, e-mail is a message that may
contain text, files, images, or other attachments sent through a network to a specified individual
or group of individuals.
What is an Email Protocol: Definition and Types
Email protocol is a standard method for exchanging information between email clients like Thunderbird, Apple Mail, or Mailbird and email providers’ servers like Gmail, Outlook, Yahoo, and vice versa.
• Email protocols differ by function: some receive emails, others send and transport emails.
• Post Office Protocol 3 (POP3) and Internet Message Access Protocol (IMAP), for example, allow receiving and sending emails, while Simple Mail Transfer Protocol (SMTP) is responsible only for sending emails.
Email protocol
• Email protocol is a method by which a communication channel is established between two computers and email is transferred between them.
• When an email is transferred, a mail server and two computers are involved. One computer sends the mail and the other one receives it.
• The mail server stores the mail and lets the receiving device access it and download it if needed.
POP3 stands for Post Office Protocol.
As the name suggests, it allows you to use your email inbox like a post office – emails are
downloaded onto your computer and removed from the mail server.
When accessing your emails using the POP3 protocol, a copy of the emails is created and stored
locally on your computer.
The originals are usually, but not always, removed from the mail server. In other words, emails
are tied to the specific device. Once the email is downloaded onto one device (and removed from
the mail server), it cannot be accessed by another email client or device.
IMAP
• IMAP stands for Internet Message Access Protocol.
• Unlike POP3, IMAP lets you log into different email clients or webmail interfaces and view the same emails, because in the IMAP setup emails are kept on the mail server rather than on your computer.
• When you access your emails using the IMAP protocol, you are essentially using the email client to connect to your mail server and managing your emails directly on your mail server.
• In this setup, your mail server rather than your local computer is the main storage source of your emails.
• Because of this, IMAP makes it possible to access your emails from different devices, and all changes are synchronized with the mail server and any email client(s) you are using.
• In other words, if you delete an email from one email client, it is deleted from the mail server and the action is reflected across all devices and email clients.

Example of how POP3 and IMAP work

When you wake up and access your mail from your phone,
• POP3 will download all the emails to your phone for you to view, and by doing so, all emails are removed from the mail server
• IMAP will send a copy of the emails to your phone, but leave the originals on your mail server
SMTP
• SMTP stands for Simple Mail Transfer Protocol.
• SMTP is a set of communication guidelines that allows software to transmit electronic mail over the internet.
• It is a program used for sending messages to other computer users based on e-mail addresses.
• It provides a mail exchange between users on the same or different computers, and it also supports the following:
  - It can send a single message to one or more recipients.
  - A message being sent can include text, voice, video or graphics.
  - It can also send messages on networks outside the internet.
• The main purpose of SMTP is to set up communication rules between servers.
• The servers have a way of identifying themselves and announcing what kind of communication they are trying to perform.
• They also have a way of handling errors such as an incorrect email address.
• For example, if the recipient address is wrong, then the receiving server replies with an error message of some kind.
Components of SMTP

What is an Email Header?

The email header is a code snippet in an HTML email that contains information about the sender, recipient, the email’s route to get to the inbox and various authentication details. The email header always precedes the email body.
What purpose do email headers serve
• Providing information about the sender and recipient. An email header tells who sent the email and where it arrived. Some markers indicate this information, like “From:” — sender’s name and email address, “To:” — the recipient’s name and email address, and “Date:” — the time and date of when the email was sent. All of these are mandatory indicators. Other parts of the email header are optional and differ among email service providers.
• Preventing spam. The information displayed in the email header helps email service providers troubleshoot potential spam issues. ESPs analyze the email header, the “Received:” tag in particular, to decide whether to deliver an email or not.
• Identifying the email route. When an email is sent from one computer to another, it transfers through the Mail Transfer Agent which automatically “stamps” the email with information about the recipient, time and date in the email header.
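An added example, not part of the notes, that reads the three mandatory fields and reconstructs the delivery route from the Received: stamps, the check the notes say ESPs perform. The raw message is constructed with made-up hosts, addresses and ids on reserved example domains. The example assumes that each mail transfer agent prepends its own Received: line, so the stamps are reversed to recover the order in which the mail travelled; the hand-off check (each hop's "by" host should be the next hop's "from" host, and the times should not run backwards) is a common filtering heuristic, not something the notes describe.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed raw message: hosts, addresses and ids are made up (reserved example domains).
SAMPLE_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [198.51.100.20])
\tby inbox.example.org with ESMTPS id abc123;
\tSun, 3 Mar 2024 08:02:10 +0000
Received: from mail.example.com (mail.example.com [192.0.2.5])
\tby mx1.example.net with ESMTP id xyz789;
\tSun, 3 Mar 2024 08:02:05 +0000
Received: from [10.0.0.12] (unknown [10.0.0.12])
\tby mail.example.com with ESMTPA;
\tSun, 3 Mar 2024 08:02:01 +0000
From: Alice Example <alice@example.com>
To: Bob Example <bob@example.org>
Date: Sun, 3 Mar 2024 08:02:00 +0000
Subject: Invoice for March
Message-ID: <constructed-0001@example.com>

Hello Bob, please find the invoice attached.
"""

# "from <host> ... by <host> ..." inside one Received: stamp
RECEIVED_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)")


def parse_message(raw):
    return message_from_string(raw, policy=policy.default)


def mandatory_fields(msg):
    """The three fields the notes call mandatory: From, To and Date."""
    _, sender = parseaddr(str(msg.get("From", "")))
    _, recipient = parseaddr(str(msg.get("To", "")))
    date = msg.get("Date")
    return {
        "from": sender or None,
        "to": recipient or None,
        "date": parsedate_to_datetime(str(date)) if date else None,
    }


def delivery_route(msg):
    """Received: stamps in the order the mail actually travelled (oldest first)."""
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", str(value))       # unfold the header onto one line
        m = RECEIVED_RE.search(text)
        stamp = text.rsplit(";", 1)[1].strip() if ";" in text else ""
        hops.append({
            "from": m["from"] if m else None,
            "by": m["by"] if m else None,
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    hops.reverse()   # each MTA prepends its stamp, so the top one is the last hop
    return hops


def route_issues(hops):
    """Inconsistencies a mail filter would flag: a hop that does not hand off to the
    next one, or timestamps that run backwards along the route."""
    issues = []
    for prev, nxt in zip(hops, hops[1:]):
        if prev["by"] != nxt["from"]:
            issues.append(f"{prev['by']} handed off, but {nxt['from']} is named as source")
        if prev["time"] and nxt["time"] and nxt["time"] < prev["time"]:
            issues.append(f"timestamp runs backwards at {nxt['by']}")
    return issues


if __name__ == "__main__":
    message = parse_message(SAMPLE_MESSAGE)
    print(mandatory_fields(message))
    for hop in delivery_route(message):
        print(f"{hop['from']:>22} -> {hop['by']:<22} {hop['time']}")
    print("issues:", route_issues(delivery_route(message)))
```

Only the stamp added by your own receiving server can be trusted outright; earlier stamps were written by other parties and may be forged, which is exactly why the hand-off and time-ordering checks are useful when a header is examined.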

Module 4
Cyber Crimes-What is Cyber Crime, Categories of Cyber Crime-Against Individual, Institution
and States.
Crime Types-Basics of SQL Injections, Theft of FTP password. Cross-site scripting. Viruses,
Worms, Logical bombs. E-mail bombing, DoS attack, Spamming, Web jacking. Identity theft
and Credit card fraud. Data diddling, Salami attacks, Phishing, Cyber stalking. Spoofing,
Pornography, Defamation, Computer vandalism. Cyber terrorism. Cyber warfare. Hacking
Types of Hackers-Black hat. White hat. Gray hat. Different types of Malwares
Cyber Crimes -What is Cyber Crime, Categories of Cyber Crime-Against Individual,
Institution and States.
Cybercrime, also called computer crime, is the use of a computer as an instrument to further illegal ends, such as committing fraud, trafficking in child pornography and intellectual property, stealing identities, or violating privacy.
Cybercrime, especially through the Internet, has grown in importance as the computer has become central to commerce, entertainment, and government.
Role of Computer in the Crime
• Computers will probably be involved in crimes that no one has ever imagined.
• When investigating a case, it is important to know what roles the computer played in the crime.
• Then tailor the investigative process to that role.
The computer (by which we mean the information resident on the computer, code as well as data) is the target of the crime, with an intention of damaging its integrity, confidentiality, and/or availability.
• Many of these violations involve gaining unauthorized access to the target system (i.e., hacking into it).
• The computer is a repository for information used or generated in the commission of a crime.
• To store stolen password lists, credit card or calling card numbers, proprietary corporate information, pornographic image files, or ‘‘warez’’ (pirated commercial software).
• The computer is used as a tool in committing a crime.
• Many of the examples in this report deal with unlawful conduct that exists in the physical, off-line world—the illegal sale of prescription drugs, controlled substances, alcohol and guns, fraud, gambling, and child pornography.
All these crimes leave digital tracks.
• Investigations include searching computers that are suspected of being involved in illegal activities.
• Based on whom the crime is committed against, cybercrimes are classified into three broad groups.
Crimes against individuals –
These are committed against individuals or their properties.

Crimes against Institutions


Some examples of cybercrimes against institutions are:

Crimes against State


Some examples of crimes against state are:

Here are 5 that were the most damaging for enterprises in 2020
1. Social engineering.
In 2020, almost a third of the breaches incorporated social engineering
techniques, of which 90% were phishing. Social engineering attacks include, but are not limited
to, phishing emails, scareware, quid pro quo and other techniques — all of which manipulate
human psychology to attain specific goals.
2. Ransomware.
Ransomware is a data-encrypting program that demands payment to release the infected
data. The overall sum of ransom demands will have reached $1.4 billion in 2020, with an
average sum to rectify the damage reaching up to $1.45 million. Ransomware is the third most
popular type of malware used in data breaches and is employed in 22% of the cases.
3. DDoS attacks.
There were 4.83 million DDoS attacks attempted in the first half of 2020 alone, and each hour of service disruption may have cost businesses as much as $100k on average. To form the botnet needed for a coordinated DDoS attack, hackers employ devices previously compromised by malware or hacking. Thus, every machine can be performing criminal activity without its owner being aware. The traffic can then be targeted against, say, AWS, which reported having prevented a 2.3 Tbps attack in February 2020.
4. Third party software.
The top 30 ecommerce retailers in the US are connected to 1,131 third-party resources each, and 23% of those assets have at least one critical vulnerability. If one of the applications within this ecosystem is compromised, it opens a gateway for hackers to other domains. A breach caused by a third party costs $4.29 million on average.
5. Cloud computing vulnerabilities.
The global market for cloud computing is estimated to grow 17% this year, totaling $227.8 billion. While the pandemic lasts, the economy has also witnessed a 50% increase in cloud use across all industries.
This trend is a perfect lure for hackers, who performed 7.5 million external attacks on cloud accounts in Q2 2020. Since the beginning of the year, the number of attempted breaches grew by 250% compared to 2019. The criminals scan for cloud servers with no password, exploit unpatched systems and perform brute-force attacks to access user accounts. Some try to plant ransomware or steal sensitive data, whilst others use cloud systems for cryptojacking or coordinated DDoS attacks.
Crime Types-
Basics of SQL Injections, Theft of FTP password, Cross-site scripting.
Cybercrime
Cybercrime is any criminal activity that involves a computer, networked device or a network.
Basics of SQL Injections

What is SQL injection (SQLi)?

• A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application.
• It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access.
In some situations, an attacker can escalate an SQL injection attack to compromise the underlying server or other back-end infrastructure or perform a denial-of-service attack.
What is the impact of a successful SQL injection attack?
• A successful SQL injection attack can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information.
• In some cases, an attacker can obtain a persistent backdoor into an organization's systems, leading to a long-term compromise that can go unnoticed for an extended period.
SQL injection examples
There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which arise in
different situations. Some common SQL injection examples include:
Retrieving hidden data, where you can modify an SQL query to return additional results.
Subverting application logic, where you can change a query to interfere with the application's
logic.
UNION attacks, where you can retrieve data from different database tables.
Examining the database, where you can extract information about the version and structure of the
database.
Blind SQL injection, where the results of a query you control are not returned in the application's
responses.
Retrieving hidden data
Consider a shopping application that displays products in different categories. When the user clicks on the Gifts category, their browser requests the URL:
https://insecure-website.com/products?category=Gifts
This causes the application to make an SQL query to retrieve details of the relevant products from the database:
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
This SQL query asks the database to return:
• all details (*)
• from the products table
• where the category is Gifts
• and released is 1.
The restriction released = 1 is being used to hide products that are not released. For unreleased products, presumably released = 0.
If the application doesn't implement any defences against SQL injection attacks, an attacker can construct an attack like:
https://insecure-website.com/products?category=Gifts'--
This results in the SQL query:
SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1
The sequence -- starts a comment in SQL, so the rest of the query is ignored: the released = 1 restriction disappears and every product in the Gifts category is returned, including unreleased ones.
Subverting application logic
• Consider an application that lets users log in with a username and password. If a user submits the username wiener and the password bluecheese, the application checks the credentials by performing the following SQL query:
• SELECT * FROM users WHERE username = 'wiener' AND password = 'bluecheese'
Here, an attacker can log in as any user without a password simply by using the SQL comment sequence -- to remove the password check from the WHERE clause of the query.
For example, submitting the username administrator'-- and a blank password results in the following query:
SELECT * FROM users WHERE username = 'administrator'--' AND password = ''
SQL injection attack occurs when:
1. Unintended data enters a program from an untrusted source.
2. The data is used to dynamically construct a SQL query.
The main consequences are:
Confidentiality: Since SQL databases generally hold sensitive data, loss of confidentiality is a frequent problem with SQL Injection vulnerabilities.
Authentication: If poor SQL commands are used to check usernames and passwords, it may be possible to connect to a system as another user with no previous knowledge of the password.
Authorization: If authorization information is held in a SQL database, it may be possible to change this information through the successful exploitation of a SQL Injection vulnerability.
Integrity: Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with a SQL Injection attack.
SQL Injection Prevention
SQL Injection attacks are unfortunately very common, and this is due to two factors:
1. the significant prevalence of SQL Injection vulnerabilities, and
2. the attractiveness of the target (i.e., the database typically contains all the interesting/critical data for your application).
Avoiding SQL injection flaws is simple. Developers need to either:
a) stop writing dynamic queries; and/or
b) prevent user supplied input which contains malicious SQL from affecting the logic of the executed query.
Primary Defenses:
• Option 1: Use of Prepared Statements (with Parameterized Queries)
• Option 2: Use of Stored Procedures
• Option 3: Allow-list Input Validation
• Option 4: Escaping All User Supplied Input
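An added example in Python with SQLite, not code from the notes, that runs the two cases above (hidden data and the login check) against an in-memory database with constructed rows: the wiener and administrator accounts, one released and one unreleased gift. Each vulnerable string-built query sits beside its defence: a parameterized query (Option 1) and allow-list validation of the category (Option 3). The administrator password is a constructed placeholder, and passwords are stored in plaintext only so that the notes' query can be reproduced verbatim; a real application stores password hashes.

```python
import sqlite3


def make_db():
    """In-memory database with constructed rows mirroring the notes' two tables."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products (name TEXT, category TEXT, released INTEGER);
        INSERT INTO products VALUES
            ('Mug', 'Gifts', 1), ('Unreleased gadget', 'Gifts', 0), ('Pen', 'Office', 1);
        -- plaintext passwords only to mirror the notes' query; real systems store hashes
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('wiener', 'bluecheese'), ('administrator', 'constructed-secret');
    """)
    return con


# --- vulnerable: the input is pasted into the SQL text --------------------------------
def products_vulnerable(con, category):
    # With category = "Gifts'--" the AND released = 1 clause becomes a comment.
    query = f"SELECT name FROM products WHERE category = '{category}' AND released = 1"
    return [row[0] for row in con.execute(query)]


def login_vulnerable(con, username, password):
    # With username = "administrator'--" the password check becomes a comment.
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = con.execute(query).fetchone()
    return row[0] if row else None


# --- Option 1: prepared statements with parameterized queries -------------------------
def products_safe(con, category):
    # The driver sends the value separately; it can never change the query's structure.
    query = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in con.execute(query, (category,))]


def login_safe(con, username, password):
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = con.execute(query, (username, password)).fetchone()
    return row[0] if row else None


# --- Option 3: allow-list validation, for inputs that can only take known values ------
KNOWN_CATEGORIES = {"Gifts", "Office"}


def products_allowlisted(con, category):
    if category not in KNOWN_CATEGORIES:
        raise ValueError(f"unknown category: {category!r}")
    return products_safe(con, category)


if __name__ == "__main__":
    db = make_db()
    for payload in ("Gifts", "Gifts'--"):
        print(f"{payload!r:12} vulnerable: {products_vulnerable(db, payload)}  "
              f"safe: {products_safe(db, payload)}")
    for user, pw in (("wiener", "bluecheese"), ("administrator'--", "")):
        print(f"{user!r:20} vulnerable: {login_vulnerable(db, user, pw)!r}  "
              f"safe: {login_safe(db, user, pw)!r}")
```

The parameterized versions return nothing for the injected inputs because the whole string, comment characters included, is compared as a category or username rather than interpreted as SQL; the allow-list rejects the input before a query is built at all.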
Theft of FTP password
• This is another very common way to tamper with web sites.
• FTP password hacking takes advantage of the fact that many webmasters store their website login information on their poorly protected PCs.
• The thief searches the victim’s system for FTP login details, and then relays them to his own remote computer.
• He then logs into the web site via the remote computer and modifies the web pages as he or she pleases.
Cross-site scripting
In a typical XSS attack, the hacker infects a web page with a malicious client-side script or program.
When you visit this web page, the script is automatically downloaded to your browser and executed.
Typically, attackers inject HTML, JavaScript, VBScript, ActiveX or Flash into a vulnerable application to deceive you and gather confidential information.

Viruses, Worms, Logical bombs. E-mail bombing, DoS attack, Spamming, Web jacking.
Virus
• A Virus is a “program that is loaded onto your computer without your knowledge and runs against your wishes”.
Signs of Viruses

TYPES OF VIRUSES
RESIDENT VIRUS
• Resident viruses set up shop in your RAM and interfere with your system operations. They’re so sneaky that they can even attach themselves to your anti-virus software files.

MULTIPARTITE VIRUS
This virus infects the entire system – multipartite viruses spread by performing unauthorized actions on your operating system, folders, and programs.
DIRECT ACTION
This virus targets a specific file type, most commonly executable files (.exe), by replicating and infecting files. Due to its targeted nature, this virus type is one of the easier ones to detect and remove.
BROWSER HIJACKER
Easily detected, this virus type infects your browser and redirects you to malicious websites.
OVERWRITE VIRUS
As the name implies, overwrite viruses overwrite file content to infect entire folders, files, and programs.
WEB SCRIPTING VIRUS
This sneaky virus disguises itself in the coding of links, ads, images, videos, and site code. It can infect systems when users download malicious files or visit malicious websites.

FILE INFECTOR
By targeting executable files (.exe), file infector viruses slow down programs and damage system files when a user runs them.
NETWORK VIRUS
Network viruses travel through network connections and replicate themselves through shared resources.
BOOT SECTOR VIRUS
One of the easier viruses to avoid, this virus hides out in a file on a USB drive or email attachment. When activated, it can infect the system’s master boot record to damage the system.
Solution
Install a security suite that protects the computer against threats such as viruses and worms.

Worm
A computer worm is a type of malware that spreads copies of itself from computer to computer.
A worm can replicate itself without any human interaction, and it does not need to attach itself to
a software program in order to cause damage.
How to tell if your computer has a worm?
If you suspect your devices are infected with a computer worm, run a virus scan immediately.
Even if the scan comes up negative, continue to be proactive by following these steps.
1. Keep an eye on your hard drive space. When worms repeatedly replicate themselves,
they start to use up the free space on your computer.
2. Monitor speed and performance. Has your computer seemed a little sluggish lately?
Are some of your programs crashing or not running properly? That could be a red flag
that a worm is eating up your processing power.
3. Be on the lookout for missing or new files. One function of a computer worm is to
delete and replace files on a computer.
How to help protect against computer worms

1. Since software vulnerabilities are major infection vectors for computer worms, be sure
your computer’s operating system and applications are up to date with the latest versions.
Install these updates as soon as they’re available because updates often include patches
for security flaws.
2. Phishing is another popular way for hackers to spread worms (and other types of
malware). Always be extra cautious when opening unsolicited emails, especially those
from unknown senders that contain attachments or dubious links.
3. Be sure to invest in a strong internet security software solution that can help block these
threats. A good product should have anti-phishing technology as well as defenses against
viruses, spyware, ransomware, and other online threats.

Logic Bomb
A Logic Bomb is a piece of often-malicious code that is intentionally inserted into software. It is activated upon the host network only when certain conditions are met.
Example:
• “Some dissatisfied developers have a way of ‘going out screaming’ when they leave or are terminated from a work setting. They insert logic bombs into company systems that, upon certain events or at certain times, execute malicious functions such as file deletions.”
E-mail bombing
An email bomb is a form of Internet abuse which is perpetrated through the sending of massive volumes of email to a specific email address with the goal of overflowing the mailbox and overwhelming the mail server hosting the address, making it into some form of denial-of-service attack.
An email bomb is also known as a letter bomb.
There are three ways to create an email bomb:
Mass mailing - involves sending numerous duplicates of the same email to one email address. Because of the simplicity of this attack, it can be easily detected by spam filters.
List linking - meant more to annoy rather than cause real trouble. The technique involves subscribing the address under attack to different email lists so it would always receive spam mail from these lists. The user then has to manually unsubscribe from each list.

ZIP bombing
• The latest twist on email bombing uses ZIP archived attachments. Mail servers always check email attachments for viruses, especially zip archives and .exe files.
• The idea here is to place a text file with millions or billions of arbitrary characters, or even a single letter repeated millions of times, so that the scanner would require a greater amount of processing power to read each one.
• Combining this with mass mailing techniques ups the potential for a denial-of-service attack to succeed.
DoS attack
A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic or sending it information that triggers a crash. In both instances, the DoS attack deprives legitimate users (i.e., employees, members, or account holders) of the service or resource they expected.
Spamming
Spamming is the use of electronic messaging systems like e-mails and other digital delivery
systems and broadcast media to send unwanted bulk messages indiscriminately. The term
spamming is also applied to other media like in internet forums, instant messaging, and
mobile text messaging, social networking spam, junk fax transmissions, television
advertising and sharing network spam.

Web jacking
• When a Web application improperly redirects a user’s browser from a page on a trusted domain to a bogus domain without the user’s consent, it’s called Web Jacking.
• The Web Jacking attack method is another type of social engineering attack method, akin to a phishing attack, often used to steal user data, including login credentials and credit card numbers.
Web Jacking Attack Method:
• The first step of the web jacking attack method is to create a fake page of the victim website, for example www.anywebsite.com/login.php.
• The second step is to host it either on a local computer or on shared hosting.
• The third step is to send the link of the fake page to the victim.
• In the fourth step, the victim opens the link, enters their details and submits.
• In the last step, the attacker receives all the details submitted by the victim.
How to be safe from the web jacking attack method
• First of all, do not enter sensitive data in any link sent to you.
• Check the URL.
• Just because the address looks OK, don’t assume this is a legitimate site.
• Read the company name carefully: is it right or wrong?
• Check whether the protocol is http or https; if it is http, do not enter your data.
• If you are not sure whether the site is real or fake, enter a wrong username and password.
• Use a browser with antiphishing detection.
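An added example, not from the notes, that turns the checklist above into a function a practitioner could run on a link before using it. It applies the notes' checks (https rather than http, host really under the company's registered domain, company name not hidden inside a different domain) and adds three related ones that go a little beyond them: a raw IP address as the host, a user@ prefix that hides the real host, and internationalised (punycode) labels. The domain anywebsite.com comes from the notes' example; the links checked are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# The company's real registered domain; the notes use www.anywebsite.com as their example.
EXPECTED_DOMAIN = "anywebsite.com"


def check_link(url, expected_domain=EXPECTED_DOMAIN):
    """Apply the checks from the list above to a link; an empty list means nothing suspicious."""
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.netloc.rsplit("@", 1)[-1].split(":")[0] or "").lower()

    # http vs https: do not enter data over plain http
    if parts.scheme != "https":
        findings.append("not https: do not enter your data")
    # user@host in the address: the part before '@' is not the host, however official it looks
    if "@" in parts.netloc:
        findings.append("user@ prefix in the address can hide the real host")
    # a bare IP address instead of the company's name
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a company name")
    except ValueError:
        pass
    # the host must be the expected domain or a subdomain of it
    if host != expected_domain and not host.endswith("." + expected_domain):
        findings.append(f"host {host!r} is not under {expected_domain}")
        # "anywebsite.com.something.net" style look-alikes: the real name appears, but
        # the registered domain is a different one
        if expected_domain.split(".")[0] in host:
            findings.append("company name appears inside a different domain (look-alike)")
    # punycode labels can render as characters that mimic the real name
    if "xn--" in host:
        findings.append("internationalised (punycode) label: characters may mimic the real name")
    return findings


if __name__ == "__main__":
    # Constructed links, none of them real sites.
    for link in (
        "https://www.anywebsite.com/login.php",
        "http://www.anywebsite.com/login.php",
        "https://www.anywebsite.com.login-verify.net/login.php",
        "http://203.0.113.9/login.php",
        "https://anywebsite.com@203.0.113.9/login.php",
    ):
        print(link, "->", check_link(link) or "looks consistent")
```

The function deliberately returns every finding rather than a single verdict, so a user (or a mail gateway) can see which of the checks a link failed.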
Identity theft and Credit card fraud, Data diddling, Salami attacks, Phishing, Cyber stalking.
Identity theft
• Identity theft is the crime of obtaining the personal or financial information of another person to use their identity to commit fraud, such as making unauthorized transactions or purchases.
• Identity theft is committed in many ways and its victims are typically left with damage to their credit, finances, and reputation.
What Are the Most Common Ways That Identity Theft or Fraud Can Happen to You?
• In public places, for example, criminals may engage in "shoulder surfing" – watching you from a nearby location as you punch in your telephone calling card number or credit card number – or listen in on your conversation if you give your credit-card number over the telephone.
• Many people respond to "spam" – unsolicited E-mail – that promises them some benefit but requests identifying data, without realizing that in many cases the requester has no intention of keeping his promise.
• In some cases, criminals reportedly have used computer technology to steal large amounts of personal data.
With enough identifying information about an individual, a criminal can take over that individual's identity to conduct a wide range of crimes.
For example:
• False applications for loans and credit cards,
• Fraudulent withdrawals from bank accounts,
• Fraudulent use of telephone calling cards or online accounts, or
• Obtaining other goods or privileges which the criminal might be denied if he were to use his real name.
Credit card fraud
How credit card fraud happens
Credit card fraud occurs when an unauthorized person gains access to your information and uses it to make purchases.
Here are some ways fraudsters get your information:
• Lost or stolen credit cards
• Skimming your credit card, such as at a gas station pump
• Hacking your computer
• Calling about fake prizes or wire transfers
• Phishing attempts, such as fake emails
• Looking over your shoulder at checkout
• Stealing your mail
Data diddling
Data diddling is a form of computer fraud involving the intentional falsification of numbers in data entry. It most often involves the inflation or understatement of income or expenses to benefit a company or individual when completing tax or other financial documents.
Unlike other fraud, data diddling specifically refers to the misrepresentation of information during entry, and not after. The phrase is composed of the term data, which is digital information, and the verb diddle, which means to falsify or exploit.
Salami attacks
The attacker uses an online database to seize customers' information, that is, bank or credit card details, and deducts very small amounts from every account over a period. The customers remain unaware of the slicing, so no complaint is lodged, which keeps the attacker from being detected.
In its most basic form, a hacker simply tries making small deposits into random bank accounts by attempting thousands of combinations of routing numbers and bank accounts.
Phishing
• Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers.
• It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message.

Cyberstalking refers to the use of the internet and other technologies to harass or stalk another
person online. This online harassment, which is an extension of cyberbullying and in-person
stalking, can take the form of e-mails, text messages, social media posts, and more and is often
methodical, deliberate, and persistent.
Spoofing, Pornography, Defamation, Computer vandalism
Spoofing, as it pertains to cybersecurity, is when someone or something pretends to be
something else in an attempt to gain our confidence, get access to our systems, steal data, steal
money, or spread malware
Spoofing attacks come in many forms, primarily:
 Email spoofing
 Website and/or URL spoofing
 Caller ID spoofing
 Text message spoofing
 GPS spoofing
 Man-in-the-middle attacks
 Extension spoofing

 IP spoofing
 Facial spoofing
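As an added example that is not part of the original notes, the Python below applies to both the phishing section and the email spoofing entry above: it parses a message's headers and HTML body and reports the indicators a forensic examiner checks first, namely an envelope sender (Return-Path) or Reply-To that does not match the From domain, a From domain or link target that imitates a trusted domain, and visible link text that disagrees with where the link really goes. Both sample messages, the trusted domain example.com and the confusable-character table are constructed assumptions, not real captures.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the organisation treats as its own (assumed; example.com is a reserved name).
TRUSTED_DOMAINS = ["example.com"]

# Character substitutions attackers use to build lookalike domains (partial, assumed list).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "|": "l", "5": "s"})

# Constructed sample of a phishing message; not a real capture.
SAMPLE_PHISH = """\
Return-Path: <bounce@bulk-sender.example.net>
From: "Example Bank Security" <alerts@examp1e.com>
Reply-To: verify@bulk-sender.example.net
To: customer@example.org
Subject: Urgent: confirm your card details
Content-Type: text/html

<p>Please confirm your details at
<a href="http://example.com.card-verify.example.net/login">https://www.example.com/login</a></p>
"""

# Constructed sample of a legitimate notification from the same bank.
SAMPLE_LEGIT = """\
Return-Path: <bounce@example.com>
From: "Example Bank" <alerts@example.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html

<p>View it at <a href="https://www.example.com/statements">https://www.example.com/statements</a></p>
"""


def domain_of(header_value):
    """Bare domain of an address header. The display name is ignored because
    it is the part the sender controls completely."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def is_lookalike(domain, trusted):
    """True if domain imitates trusted without being it or one of its subdomains."""
    if domain == trusted or domain.endswith("." + trusted):
        return False
    folded = domain.translate(CONFUSABLES).replace("rn", "m")
    return folded == trusted or trusted in domain


def analyze(raw_message, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of spoofing/phishing indicators found in the message."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = domain_of(msg["From"])

    # 1. Envelope sender and Reply-To should belong to the same domain as From.
    for hdr in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom!r} differs from From domain {from_dom!r}")

    # 2. The From domain may be a confusable or embedded lookalike of a trusted domain.
    for trusted in trusted_domains:
        if is_lookalike(from_dom, trusted):
            findings.append(f"From domain {from_dom!r} imitates trusted domain {trusted!r}")

    # 3. Link text that is itself a URL should agree with the real href target,
    #    and the target should not be a lookalike either.
    body = "" if msg.is_multipart() else msg.get_payload()
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', body, re.I):
        shown = text.strip()
        target = (urlparse(href).hostname or "").lower()
        if shown.startswith(("http://", "https://")):
            shown_host = (urlparse(shown).hostname or "").lower()
            if shown_host != target:
                findings.append(f"link text shows {shown_host!r} but points to {target!r}")
        for trusted in trusted_domains:
            if is_lookalike(target, trusted):
                findings.append(f"link target {target!r} imitates trusted domain {trusted!r}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(sample))
```

The checks are deliberately header-level heuristics: they do not replace SPF, DKIM or DMARC verification, which needs DNS access, but they run offline on a preserved message and are the same mismatches an examiner would note when documenting why a message is fraudulent.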
Pornography
Pornography refers to the portrayal of sexual subject matter in books, magazines, postcards, photographs, sculpture, drawing, painting, animation, sound recordings, writing, film, video and video games for the purpose of sexual excitement.
 Watching or possessing pornographic materials in India is legal, however, individuals
should not do so in public places. Production, publication, or distribution of pornographic
materials is illegal in India.
 Watching or production, publication, or distribution of child pornography is illegal and
can lead to a 5-year term of imprisonment and a Rs 40 lakh fine.
Child Pornography
 According to the Ministry of Women and Child Development, child pornography is
defined as “any visual depiction of sexually explicit conduct involving a child which
includes photographs, videos, digital or computer-generated image indistinguishable from
an actual child and an image created, adapted or modified but appear to depict a child.”
Market size of the Adult & Pornographic Websites industry in the US in 2021?
The market size, measured by revenue, of the Adult & Pornographic Websites industry is
$803.6m in 2021.
Defamation
Defamation is any statement that damages the reputation of another individual or party. For example, a customer who accuses a restaurant owner of giving them food poisoning, when it was not actually the restaurant's food that made them ill, has defamed the owner.
Computer vandalism
 The term vandalism describes the deliberate act of damaging or destroying another
person or company's property without their permission.
 For example, with a computer, hardware vandalism is the act of intentionally breaking
or destroying computer hardware. For example, a student could purposely damage
a laptop given to them by the school.
With the Internet, vandalism or cyber vandalism could include any of the following.
 Hacking into and defacing a website.

 Intentionally damaging or destroying a digital object.
 Posting fake reviews.
 Giving bad information on a forum or wiki.
 Cheating, or creating bots to cheat, in online gaming.
 Posting fake news on a social network.
 Posting a virus or other malware for others to download unknowingly.
Cyber terrorism, Cyber warfare, Hacking
INTRODUCTION
 Almost everyone has a general idea of what terrorism is: using violent means to achieve political goals, especially by targeting innocent civilians, is its hallmark. Nonetheless, in the last two or three decades the world has come to realize that terror can be inflicted on countries and organizations not just through guns and bombs, but also through digital networks and the internet.
These attacks can cause incalculable damage, given humanity’s dependence on the internet and
information technology.
Such attacks are referred to as cyber terrorism. Instances of cyber terror have increased sharply in the past few decades, and cybersecurity has had to adapt to defend information systems and sensitive data from cyber terrorists.
WHAT IS CYBER TERRORISM?
 Information and communication technology, commonly referred to as ICT, has changed
the world as we know it but also offers plenty of scope for terror outfits to expand,
recruit, and propagandize on various ICT platforms.
 The internet can be used by terrorists to finance their operations, train other terrorists, and
plan terror attacks. The more mainstream idea of Cyber terrorism also includes the
hacking of government or private servers to access sensitive information or even siphon
funds for use in terror activities.
EXAMPLES OF CYBER TERRORISM
1. Introduction of viruses to vulnerable data networks.
2. Hacking of military servers to disrupt communication and steal sensitive information.
3. Defacing websites and making them inaccessible to the general public thereby causing
inconvenience and financial losses.
4. Hacking communication platforms to intercept or stop communications and make terror
threats using the internet.
5. Attacks on financial institutions to transfer money and cause terror.
Cyber warfare

 Cyber warfare involves actions by a nation-state or international organization to attack and attempt to damage another nation's computers or information networks through, for example, computer viruses or denial-of-service attacks.
Examples of acts that might qualify as cyberwarfare include the following:
 viruses, phishing, computer worms and malware that can take down critical infrastructure;
 distributed denial-of-service (DDoS) attacks that prevent legitimate users from accessing targeted computer networks or devices;
 hacking and theft of critical data from institutions, governments and businesses;
 spyware or cyber espionage that results in the theft of information that compromises national security and stability;
 ransomware that holds control systems or data hostage; and
 propaganda or disinformation campaigns used to cause serious disruption or chaos.
What are the goals of cyberwarfare?
 According to the Cybersecurity and Infrastructure Security Agency, the goal of
cyberwarfare is to "weaken, disrupt or destroy" another nation.
 To achieve their goals, cyberwarfare programs target a wide spectrum of objectives that
might harm national interests.
 These threats range from propaganda to espionage and serious disruption with extensive
infrastructure disruption and loss of life to the citizens of the nation under attack.
Hacking
 Hacking refers to activities that seek to compromise digital devices, such as computers,
smartphones, tablets, and even entire networks.
 And while hacking might not always be for malicious purposes, nowadays most
references to hacking, and hackers, characterize it/them as unlawful activity by
cybercriminals—motivated by financial gain, protest, information gathering (spying), and
even just for the “fun” of the challenge.
How does hacking work?
Hackers breach defenses to gain unauthorized access into computers, phones, tablets, IoT
devices, networks, or entire computing systems. Hackers also take advantage of weaknesses
in network security to gain access. The weaknesses can be technical or social in nature.

Who is a Hacker?
A Hacker is a person who finds and exploits the weakness in computer systems and/or networks
to gain access. Hackers are usually skilled computer programmers with knowledge of computer
security.
What is ethical hacking?
 Ethical hacking involves the legal use of hacking techniques for benevolent versus
malicious purposes. Ethical hackers use penetration testing and other tactics to find
software vulnerabilities and other security weaknesses so they can be promptly
addressed.
Types of Hackers-Black hat. White hat. Gray hat.
Hackers
 In common usage, a hacker is a person who breaks into computers, usually by gaining access to administrative controls.
Types of Hackers
 White Hat Hacker
 Grey Hat Hacker
 Black Hat Hacker
Black Hat
Black hat hacking is hacking in which the hacker is the villain. Like other skilled hackers, black hat hackers usually have extensive knowledge of computer networks and security protocols, but they use that skill to steal from or damage vulnerable systems.
For example, if a system has a vulnerability, a black hat hacker will search for it, break in to steal information and then damage the whole system.
Black hat hackers are the bad guys who will not think twice about stealing your credit card details or breaking into your bank account.
White Hat
 White hat hackers are also known as "ethical hackers"; the working methods of black hats and white hats are almost the same.
 But white hat hackers are the good guys: they work for companies as security specialists and are paid to find security holes using their hacking skills.

 There is another major difference between black hat and white hat hackers: white hat hackers do everything with permission from the owner or administrator of the system, which makes it completely legal.
 After finding a vulnerability, a white hat hacker discloses it to the developer, allowing them to patch the product and improve its security before it is compromised.
Grey Hat
Grey hat hackers combine black hat and white hat activities, though they are generally described as less skilled than either. Grey hat hackers are not out to cause harm, but they look for vulnerabilities in a system without permission.
If they find an issue they report it to the owner, sometimes asking a small fee for discovering and fixing the problem; if the owner does not respond, they post the vulnerability in a public forum for the world to see.
Different types of Malwares
Malware, being one of the common causes of data breaches, is something every IT and security
expert should be concerned about. It’s a fact that many businesses will install anti-virus and
forget about it, not knowing that malware can still bypass anti-virus software and firewalls.
Malware
 The word "malware" comes from the term "MALicious softWARE."
 Malware is any software that infects and damages a computer system without the owner's
knowledge or permission
No anti-virus or anti-malware will protect you from ALL malware
What is malware?
 Malware is an umbrella term for any piece of software that has malicious intent.
 There are several types of malware and each of them has a unique way of infiltrating your
computer which may include attempts at gaining unauthorized control of your computer
systems, stealing your personal information, encrypting your important files, or causing
other harm to your computers. Sometimes the damage can be irrevocable.
Where does malware come from?
Phishing – Emails can be disguised to appear to come from a legitimate company, for the sole purpose of getting you to reveal personal information or open a malicious attachment or link.
Malicious Websites – Some websites may attempt to install malware onto your computer,
usually through popups or malicious links
Torrents – Files shared over BitTorrent are risky because you cannot inspect what you are getting until it has already been downloaded.

Shared Networks – A malware-infected computer on the same shared network may spread
malware onto your computer
7 Common Types of Malware
1. Trojans
A Trojan (or Trojan Horse) disguises itself as legitimate software with the purpose of tricking
you into executing malicious software on your computer.
2. Spyware
Spyware invades your computer and attempts to steal your personal information such as credit
card or banking information, web browsing data, and passwords to various accounts.
3. Adware
Adware is unwanted software that displays advertisements on your screen. Adware collects
personal information from you to serve you with more personalized ads.
4. Rootkits
Rootkits give an attacker persistent, privileged access to your computer while hiding their presence from the user and from security tools.
5. Ransomware
Ransomware is designed to encrypt your files and block access to them until a ransom is paid.
6. Worms
A worm replicates itself by infecting other computers on the same network without any user action. Worms are often designed to consume bandwidth and disrupt networks.
7. Keyloggers
Keyloggers keep track of your keystrokes on your keyboard and record them on a log. This
information is used to gain unauthorized access to your accounts.

Module 5
Cyber Laws-Defining Cyber Law, Concept and scope of Jurisprudence, Basics of Cyber Space,
Basics of IPC and CrPC, Indian Evidence Act.
IT Act 2000-Introduction to IT Act 2000, Amendment in IT Act, Different Offences under IT
Act 2000-Sections: S.65,S.66, S.66A, S.66B, S.66C, S.66D, S.66 E, S.67, S.67A,S.67B,S.67C.
Cyber Space
 The computer-generated world of the internet is known as cyberspace; the laws governing this area are known as cyber laws, and all users of this space come under their ambit, since cyberspace carries a kind of worldwide jurisdiction.
 Cyber law can also be described as that branch of law that deals with legal issues related
to use of inter-networked information technology.
 In short, cyber law is the law governing computers and the internet.
Cyber law
The growth of Electronic Commerce has propelled the need for vibrant and effective regulatory
mechanisms which would further strengthen the legal infrastructure, so crucial to the success of
Electronic Commerce. All these governing mechanisms and legal structures come within the
domain of Cyber law.
Cyber law is important because it touches almost every transaction and activity involving the internet, the World Wide Web and cyberspace. Every action and reaction in cyberspace has some legal angle.
Cyber law encompasses laws relating to:
 Cyber crimes
 Electronic and digital signatures
 Intellectual property
 Data protection and privacy
Cyberspace includes computers, networks, software, data storage devices (such as hard disks and USB drives), the internet, websites, emails and even electronic devices such as cell phones and ATMs.
Need for Cyber Law
In today's techno-savvy environment, the world is becoming more and more digitally sophisticated, and so are the crimes. The internet was initially developed as a research and information-sharing tool and was largely unregulated. Over time it became more transactional, with e-business, e-commerce, e-governance, e-procurement and so on. All legal issues related to internet crime are dealt with through cyber laws, and as the number of internet users rises, the need for cyber laws and their application has gathered great momentum.
Cyber Laws in India
In India, cyber laws are contained in the Information Technology Act, 2000 (“IT Act”)
which came into force on October 17, 2000. The main purpose of the Act is to provide legal
recognition to electronic commerce and to facilitate filing of electronic records with the
Government.
Importance of Cyber Laws
# We are living in a highly digitalized world.
# All companies depend upon their computer networks and keep their valuable data in electronic
form.
# Government forms including income tax returns, company law forms etc are now filled in
electronic form.
# Consumers are increasingly using credit cards for shopping.
# Most people are using email, cell phones and SMS messages for communication.
# Even in “non-cybercrime” cases, important evidence is found in computers/ cell phones e.g., in
cases of divorce, murder, kidnapping, organized crime, terrorist operations, counterfeit currency
etc.
# Since it touches all the aspects of transactions and activities on and concerning the Internet, the
World Wide Web and Cyberspace therefore Cyber law is extremely important.
Cyber Law Definition
Cyber law, also known as Internet law, is the part of the overall legal system that relates to legal informatics and governs the digital circulation of information, e-commerce, software and information security. It is concerned with information systems, computers, software and hardware, and covers many areas, such as access to and use of the internet, freedom of expression and online privacy.
What happens if anyone breaks a cyber law?
If anyone breaks a cyber law, the action taken against that person depends on the type of law broken, where the person lives and where the offence was committed. In many situations, such as breaking the rules of a website, the consequence is that your account is banned or suspended and your IP (Internet Protocol) address is blocked. If a person carries out a serious illegal activity, such as causing another person or company distress, hacking, or attacking another person or website, further legal action can be taken against them.
Concept and scope of Jurisprudence, Basics of Cyber Space
Background and Meaning of Jurisprudence

The term jurisprudence is derived from two Latin words, juris (law) and prudentia (knowledge), so it means 'knowledge of the law'. Jurisprudence is concerned with the fundamental principles of law.
It is also described as the philosophy, science and skill of law. It does not master a particular field of legal doctrine; rather, it seeks to understand the nature and purpose of law in general.
In its literal and traditional sense, jurisprudence means practical wisdom about law: the scholarly ability to frame and apply laws according to sound theoretical principles.
The Case of the Speluncean Explorers
A hypothetical case used in jurisprudence teaching: trapped explorers resorted to cannibalism to save themselves from starvation, and the question is how a court should judge them.
Father of Jurisprudence
 Jeremy Bentham is known as the 'Father of Jurisprudence'.
 John Austin is known as the founder of English jurisprudence; he carried forward the work of Bentham.
Forms of Jurisprudence
 The form that analyses, explains, classifies and criticizes entire bodies of law.
 The form that compares or contrasts law with other fields of knowledge, e.g. history, psychology, etc.
 The form that reveals the historical, moral and cultural basis of legal concepts.
 The branch that focuses on finding what the law is and how judges should properly decide cases.
“Jurisprudence is the science of law, the statements and systematic arrangement of rules
followed by courts and the principles involved in these rules.”
Definition from Oxford dictionary-
States that “Jurisprudence is the systematic and formulated knowledge or the science of
human law.”
Scope of Jurisprudence
Jurists differ on the scope of jurisprudence: each definition sets its own limits, and because different authorities attribute different meanings and premises to 'law', there is no agreed view of the exact fields it covers. Some definitions extend jurisprudence to moral and religious precepts as well, which has added to the confusion.
Basics of Cyber Space
What is Cyber Space?

 Cyberspace is an interactive domain made up of digital networks that is used to store, modify and communicate information.
 It includes the internet, but also the other information systems that support our companies, infrastructure and services.

Cyberspace can be divided into a multi-layer model comprising:
Physical foundations:
such as land and submarine cables, and satellites that provide communication pathways,
along with routers that direct information to its destination.
Logical building blocks:
including software such as smartphone apps, operating systems, or web browsers, which
allow the physical foundations to function and communicate.
Information:
that transits cyberspace, such as social media posts, texts, financial transfers or video
downloads. Before and after transit, this information is often stored on (and modified by)
computers and mobile devices, or public or private cloud storage services.
People:
that manipulate information, communicate, and design the physical and logical
components of cyberspace

Basics of IPC and CrPC, Indian Evidence Act.

Introduction to Criminal Law in India
Since criminal acts are considered offences in rem, i.e., against society in general, the State acts
as the prosecuting party in court.
The central, State, and Local governments
The Constitution of India provides for a federal system wherein powers are divided between the
central, state, and local governments. The demarcation of powers is provided in Schedule VII
read with Article 246 of the Constitution. Powers are divided into three lists:
The Union List:
The Union Parliament has exclusive power to make laws with respect to the matters
enumerated within this list.
The State List:
State Legislatures have the exclusive power to make laws with respect to the matters
enumerated within this list.
Concurrent List:
Both the Parliament and State Legislatures have the power to make laws with respect to
the matters enumerated within this list.

In the event of contradiction between Central and State laws, the Central law will prevail.
IPC and CrPC
Criminal law and criminal procedure fall under the Concurrent List, while matters relating to police and prisons fall under the State List. The laws that govern criminal law in India are the Indian Penal Code, 1860 (IPC) and the Code of Criminal Procedure, 1973 (CrPC), which came into force on 1 April 1974.
The IPC provides for the substantive law to be followed in case a crime has been committed. The
CrPC provides for the procedures to be followed during investigation and trial by the police and
courts.
Courts
Specific courts exist for criminal trials: Sessions Courts at the district level. India has adopted the adversarial system of legal procedure, in which the judge acts as a neutral party and the case is argued by the prosecutor, who represents the State, and the defence counsel, who represents the accused.
Indian Penal Code (1860)
The Indian Penal Code (IPC) Introduction
 The Indian Penal Code is the official criminal code of India, which was drafted way back
in 1860.
 Its objective is to provide a general penal code for the country.
 It has 511 sections across 23 chapters, providing the list of crimes along with their
definitions and punishments.
 The IPC has been amended several times and is now supplemented by other Acts. Its
jurisdiction extends to the whole of India
The Indian Penal Code (IPC) is the main document which governs all criminal acts and the
punishments they ought to be charged with. The objective of enacting the IPC was to provide a
general and exhaustive penal code for crime in India. However, there are several other penal
statutes that govern various other offences in addition to the IPC.
Code of Criminal Procedure (1973)
 The Code of Criminal Procedure (CrPC) is a procedural law which states how the police machinery is to function during investigation and the procedure to be followed by the courts during investigation and trial.
 The CrPC classifies criminal offences into several categories such as bailable, non-
bailable, cognizable and non-cognizable offences. The procedural treatment of different
offences is different.
The various steps at the time to filing a complaint such as filing a First Information Report (FIR),
gathering evidence and initiating an enquiry are all governed by the CrPC.

The CrPC further lays down classes of criminal courts.

The CrPC classifies offences under the IPC into two types:
Cognizable offence:
If such an offence has been committed, the police may arrest a person without warrant.
Police are authorized to start an investigation into a cognizable offence on their own and do not
require any court orders to do so. Examples of cognizable offences include murder and rape.
Non-cognizable offence:
If such an offence has been committed, the police do not have the authority to arrest
without a warrant. Police are not authorized to start an investigation into a non-cognizable
offence without a court’s permission. Examples of non-cognizable offences include cheating and
forgery.
IPC, CrPC and The Indian Evidence ACT
The Indian Penal Code, Code of Criminal Procedure, and the Indian Evidence Act are the three
primary pieces of legislation governing criminal law in India. They continue to play an important
role in the court of law for the effective administration of justice.
The Indian Evidence ACT
Indian Evidence Act - 1872
The Indian Evidence Act, originally passed in India by the Imperial Legislative Council in 1872,
during the British Raj, contains a set of rules and allied issues governing admissibility of
evidence in the Indian courts of law.
The Indian Evidence Act, identified as Act no. 1 of 1872, and called the Indian Evidence Act,
1872, has eleven chapters and 167 sections, and came into force 1 September 1872. At that time,
India was a part of the British Empire. Over a period of more than 150 years since its enactment,
the Indian Evidence Act has basically retained its original form except certain amendments from
time to time.
Why do we need Evidence Laws?
 Finding proof is a challenging task. Criminals work hard to remove all traces of evidence,
and some of it may come to light much after the case has been decided. If there are no
laws governing evidence, anything may be passed off as such.
 If there are no laws governing evidence, it becomes nearly impossible to know when a
case has been definitively solved and closed. Therefore, there are strict rules that regulate
the nature of evidence, the quality and the authenticity of the evidence.

What is the purpose of the Indian Evidence Act?
The objective of the Evidence Act is that the Court should find out the truth on the basis of the facts brought before it by the parties, so as to meet the ends of justice as expeditiously as possible.
What is Proof? How does it differ from Evidence?
Evidence
Evidence refers to information or facts that help us to establish the truth or existence of
something.
Proof
Proof is the sum of evidence which helps to prove something. The main difference between
evidence and proof is that proof is more concrete and conclusive than evidence.
Try being a Judge!
In Agatha Christie's Witness for the Prosecution, the accused was the last person to have been with the old woman who was murdered, and the accused's wife testified that the accused had confessed to murdering the old woman and that there was blood on his shirtsleeves. Do you think this amounts to proof beyond all reasonable doubt that he was the murderer?
The Act has provided definitions to certain words which play an important part in
delineating the kind of evidence that may be put forth by either party.
Definitions include:
 Admissibility
 Fact
 Relevant
 Fact in Issue
Admissibility/Admission of Evidence
This lays down the boundaries of what may be admitted as evidence. The Courts consider the
evidence gathered by the parties and decides which of them would be eligible for consideration.
When any person makes an ‘admission’ of a statement in Court, they are stating that it is a fact to
be noted for the record, and that it has some relevance to the case in issue.
Fact
Fact means and includes— (1) anything, state of things, or relation of things, capable of
being perceived by the senses; (2) any mental condition of which any person is conscious.

For example, if it was proved that a man had lunch at a particular restaurant, then it is a
fact that he was at the place before sundown.
Fact and Opinion
 For example, Ashok and Hasan were roommates for 4 years during college. If Ashok
opined that Hasan was very disciplined and pious, it would be an opinion considered as
fact for this purpose.
 There is a requirement that the facts be relevant to the case.
Relevant
The word relevant is used in the Act to mean both (i) admissible, and (ii) connected with the
case. One fact is said to be relevant to another when the one is connected with the other in any of
the ways referred to in the provisions of this Act relating to the relevancy of facts.
Fact in Issue
A “fact in issue” forms the core of the case. It is the essence of the dispute at hand, and it
consists of all the facts, due to which or connected to which, there is disagreement between the
parties.
It includes any fact from which, either by itself or in connection with another fact, there
may be a disagreement about the existence, nature and extent of any right or liability.
Example
Niteshwar Prasad was brought before a Court on the charge of murder of Venkatesh. He pleaded
that he committed it upon grave provocation because he had caught Venkatesh committing
adultery with his wife. The Court held that determining whether adultery was committed was a
fact in issue.
Sources of Evidence
There are two main sources of evidence: (a) primary and (b) secondary. Primary evidence is direct evidence or the original document itself; secondary evidence consists of copies of those documents, entries in books of account and the like.
Primary Evidence
 For example, when two parties enter into a contract, each copy of the contract is primary
evidence against the party executing it.
 For example, in a continuing contract, that is periodically renewed, each renewal contract
is evidence of the contract itself.
Secondary Evidence
For example, a photograph of an original document is secondary proof of the document.

For example, an oral account of a document by a person who has herself seen it is secondary
proof of the document.
Conclusion
The Indian Evidence Act, 1872 is vast, and its implications and interpretations are wide. Its application mostly depends on the statutory provisions, but it also varies greatly with the circumstances and nature of the case and with the underlying principles of natural justice. The objective of the Evidence Act, however, remains that the Court should find out the truth on the basis of the facts brought before it by the parties, so as to meet the ends of justice as expeditiously as possible. Thus the rules of evidence do not exist to restrict the parties; they guide the Courts in taking evidence.
IT Act 2000-Introduction to IT Act 2000
Information Technology Act, 2000
The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is an Act of the
Indian Parliament (No 21 of 2000) notified on 17 October 2000. It is the primary law in India
dealing with cybercrime and electronic commerce.
IT Act, 2000
The bill was passed in the budget session of 2000 and signed by President K. R. Narayanan on 9
June 2000. The bill was finalised by a group of officials headed by then Minister of Information
Technology Pramod Mahajan.
Objectives of the Act
 The Information Technology Act, 2000 provides legal recognition to the transaction done
via electronic exchange of data and other electronic means of communication or
electronic commerce transactions.
 This also involves the use of alternatives to a paper-based method of communication and
information storage to facilitate the electronic filing of documents with the Government
agencies.
Salient Features of the Information Technology Act, 2000
 Digital signature has been replaced with electronic signature to make it a more
technology neutral act.
 It elaborates on offenses, penalties, and breaches.
 It outlines the Justice Dispensation Systems for cyber-crimes.
 The Information Technology Act defines in a new section that cyber café is any facility
from where the access to the internet is offered by any person in the ordinary course of
business to the members of the public.
 It provides for the constitution of the Cyber Regulations Advisory Committee.
 The Information Technology Act is based on The Indian Penal Code, 1860, The Indian
Evidence Act, 1872, The Bankers’ Books Evidence Act, 1891, The Reserve Bank of
India Act, 1934, etc.
 It adds a provision to Section 81, which states that the provisions of the Act shall have
overriding effect. The provision further states that nothing contained in the Act shall restrict any
person from exercising any right conferred under the Copyright Act, 1957.
Amendments
 A major amendment was made in 2008. It introduced Section 66A which penalized
sending "offensive messages".
 It also introduced Section 69, which gave authorities the power of "interception or
monitoring or decryption of any information through any computer resource".
 Additionally, it introduced provisions addressing - pornography, child porn, cyber
terrorism and voyeurism. The amendment was passed on 22 December 2008 without any
debate in Lok Sabha. The next day it was passed by the Rajya Sabha. It was signed into
law by President Pratibha Patil, on 5 February 2009.
Amendment in IT Act
 A major amendment was made in 2008. The amendment introduced Section 66A, which
penalized the sending of “offensive messages”.
 It also introduced Section 69, which gave authorities the power of “interception or
monitoring or decryption of any information through any computer resource”. It also
introduced penalties for child pornography, cyber terrorism and voyeurism.
 The amendment was passed on 22 December 2008 without any debate in the Lok Sabha. The
next day it was passed by the Rajya Sabha. It was signed by the then President (Pratibha
Patil) on 5 February 2009.
The Information Technology Act, 2000 has amended four statutes vide sections 91 to 94. These
changes are set out in Schedules 1 to 4.
 The first schedule contains the amendments in the Penal Code. It has widened the scope
of the term “document” to bring within its ambit electronic documents.
 The second schedule deals with amendments to the India Evidence Act. It pertains to the
inclusion of electronic document in the definition of evidence.
 The third schedule amends the Banker’s Books Evidence Act. This amendment brings
about change in the definition of “Banker’s-book”. It includes printouts of data stored in
a floppy, disc, tape or any other form of electromagnetic data storage device. Similar
change has been brought about in the expression “Certified-copy” to include such
printouts within its purview.
 The fourth schedule amends the Reserve Bank of India Act. It pertains to the regulation
of fund transfer through electronic means between the banks or between the banks and
other financial institution.
Objectives of the Amendments in The Information Technology Act, 2000:
 With the proliferation of information technology enabled services such as e-governance, e-
commerce and e-transactions, the protection of personal data and information and the
implementation of security practices and procedures relating to these applications of electronic
communications have assumed greater importance, and they require harmonization with the
provisions of the Information Technology Act.
 A rapid increase in the use of computer and internet has given rise to new forms of
crimes like publishing sexually explicit materials in electronic form, video voyeurism and
breach of confidentiality and leakage of data by intermediary, e-commerce frauds like
personation commonly known as Phishing, identity theft and offensive messages through
communication services.
 So, penal provisions are required to be included in the Information Technology Act, the
Indian Penal Code, the Indian Evidence Act and the Code of Criminal Procedure to
prevent such crimes.
The service providers may be authorized by the Central Government or the State
Government to set up, maintain and upgrade the computerized facilities and collect, retain
appropriate service charges for providing such services at such scale as may be specified by
the Central Government or the State Government.
Incorporation of Electronic Signature:
In keeping with the aim of making the Act ‘technologically neutral’, the term ‘digital signature’
has been replaced with ‘electronic signature’, as the latter is an umbrella term which
encompasses many different types of digital markings, while the former is one specific type of
electronic signature.
Fight against Cyber-terrorism:
Pursuant to the 26/11 Mumbai Attacks, the amendment has incorporated the concept of cyber
terrorism and prescribed hefty punishments for it.
The scope of cybercrime under Section 66 is widened with many major additions defining
various cybercrimes along with the controversial Section 66A which penalized sending
“offensive messages”. Section 66A was later found to be in violation of one’s fundamental right
to freedom of speech and expression and thus was struck down.
Child Pornography:
Along with reducing the term of imprisonment and increasing the fine for publishing obscene
material in electronic form, an array of sections has also been inserted under Section 67, one
among which recognizes publishing child pornography as a felonious act.
Cyber Cafes:
Cybercrimes like sending obscene e-mails to harass individuals, identity theft, and maliciously
acquiring net banking passwords have many a time been committed from Cyber Cafes. Because
‘Cyber Cafes’ were not covered by the IT Act, they could not be regulated. The 2008 amendment
explicitly defines them and includes them under the term ‘intermediaries’, thus allowing several
aspects of the Act to be applicable to them.
Government Interception and Monitoring:
The new amendment allows the government to listen in to your phone calls, read your SMS’s
and emails, and monitor the websites you visit without getting a warrant from a magistrate. The
same clause under the Telegraph Act was restricted by the condition of public emergency or
safety, but the new amendment drops all such restrictions, vastly extending the government’s
power.
Conclusion
The Information Technology (Amendment) Act, 2008 was passed to overcome some inherent
shortcomings of the original Act and with the goal to tackle various challenges in the cyber
world.
As the horizons of technology widen, more amendments will be needed to tackle the existing and
future shortcomings in order to create a satisfactory, well laid-out framework which along with
its plethora of goals, deters cybercriminals.
Different Offences under IT Act 2000
The offences included in the IT Act 2000 are as follows:
1. Tampering with the computer source documents.
2. Hacking with computer system.
3. Publishing of information which is obscene in electronic form.
4. Power of Controller to give directions
5. Directions of Controller to a subscriber to extend facilities to decrypt information
6. Protected system
7. Penalty for misrepresentation
8. Penalty for breach of confidentiality and privacy
9. Penalty for publishing Digital Signature Certificate false in certain particulars
10. Publication for fraudulent purpose
11. Act to apply for offence or contravention committed outside India
12. Confiscation
13. Penalties or confiscation not to interfere with other punishments.
14. Power to investigate offences.
CONCLUSION
With the increase in digital technology, various offences are increasing day by day. Therefore,
the IT Act 2000 needs to be amended in order to include those offences which are not yet
covered by the Act. In India, the rate of cybercrime is not yet high. Therefore, there is still time
to tighten the cyber laws and include the offences which are not yet covered by the IT Act 2000.
IT ACT 2000: Sections: S.65, S.66, S.66A, S.66B, S.66C, S.66D, S.66 E
Section 65. Tampering with computer source documents.
Section 65 in The Information Technology Act, 2000
Tampering with computer source documents.
Whoever knowingly or intentionally conceals, destroys or alters or intentionally or
knowingly causes another to conceal, destroy, or alter any computer source code used for a
computer, computer programme, computer system or computer network, when the computer
source code is required to be kept or maintained by law for the time being in force, shall be
punishable with imprisonment up to three years, or with fine which may extend up to two lakh
rupees, or with both.
Section 66. Hacking with computer system.
(1) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or
damage to the public or any person destroys or deletes or alters any information residing in a
computer resource or diminishes its value or utility or affects it injuriously by any means,
commits hacking.
(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with
fine which may extend up to two lakh rupees, or with both.
Section 66A: Punishment for sending offensive messages through communication service,
etc. - Information Technology Act
Any person who sends, by means of a computer resource or a communication device,-
a) any information that is grossly offensive or has menacing character; or
b) any information which he knows to be false, but for the purpose of causing annoyance,
inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill
will, persistently by making use of such computer resource or a communication device,
c) any electronic mail or electronic mail message for the purpose of causing annoyance or
inconvenience or to deceive or to mislead the addressee or recipient about the origin of such
messages, shall be punishable with imprisonment for a term which may extend to three years and
with fine.
Explanation:
For the purposes of this section, terms "Electronic mail" and "Electronic Mail Message"
means a message or information created or transmitted or received on a computer, computer
system, computer resource or communication device including attachments in text, image, audio,
video and any other electronic record, which may be transmitted with the message.
Section 66B: Punishment for dishonestly receiving stolen computer resource or
communication device
Whoever dishonestly receives or retains any stolen computer resource or communication
device knowing or having reason to believe the same to be stolen computer resource or
communication device, shall be punished with imprisonment of either description for a term
which may extend to three years or with fine which may extend to rupees one lakh or with both.
Section 66C: Punishment for Identity Theft, Misuse of Digital Signature
Whoever, fraudulently or dishonestly make use of the electronic signature, password or
any other unique identification feature of any other person, shall be punished with imprisonment
of either description for a term which may extend to three years and shall also be liable to fine
which may extend to rupees one lakh.
Section 66D: Punishment for cheating by personation by using computer resource
Whoever, by means of any communication device or computer resource cheats by
personation, shall be punished with imprisonment of either description for a term which may
extend to three years and shall also be liable to fine which may extend to one lakh rupees.
Section 66E: Punishment for violation of privacy
Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area
of any person without his or her consent, under circumstances violating the privacy of that
person, shall be punished with imprisonment which may extend to three years or with fine not
exceeding two lakh rupees, or with both.
Explanation. - For the purposes of this section -
(a) “transmit” means to electronically send a visual image with the intent that it be viewed by a
person or persons;
(b) “capture”, with respect to an image, means to videotape, photograph, film or record by any
means;
(c) “private area” means the naked or undergarment clad genitals, pubic area, buttocks or female
breast;
(d) “publishes” means reproduction in the printed or electronic form and making it available for
public;
(e) “under circumstances violating privacy” means circumstances in which a person can have a
reasonable expectation that-
(i) he or she could disrobe in privacy, without being concerned that an image of his private area
was being captured; or
(ii) any part of his or her private area would not be visible to the public, regardless of whether
that person is in a public or private place.
Section 66F: Punishment for cyber terrorism
Whoever, -
(A) with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror
in the people or any section of the people by –
(i) denying or cause the denial of access to any person authorised to access computer resource; or
(ii) attempting to penetrate or access a computer resource without authorisation or exceeding
authorised access; or
(iii) introducing or causing to introduce any Computer Contaminant.
and by means of such conduct causes or is likely to cause death or injuries to persons or damage
to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption
of supplies or services essential to the life of the community or adversely affect the critical
information infrastructure specified under section 70, or
(B) knowingly or intentionally penetrates or accesses a computer resource without authorisation
or exceeding authorised access, and by means of such conduct obtains access to information,
data or computer database that is restricted for reasons of the security of the State or foreign
relations; or any restricted information, data or computer database, with reasons to believe that
such information, data or computer database so obtained may be used to cause or likely to cause
injury to the interests of the sovereignty and integrity of India, the security of the State, friendly
relations with foreign States, public order, decency or morality, or in relation to contempt of
court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of
individuals or otherwise, commits the offence of cyber terrorism.
(2) Whoever commits or conspires to commit cyber terrorism shall be punishable with
imprisonment which may extend to imprisonment for life.
Sections: S.67, S.67A, S.67B, S.67C
Section 67. Publishing of information which is obscene in electronic form.
Whoever publishes or transmits or causes to be published in the electronic form, any
material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to
deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read,
see or hear the matter contained or embodied in it, shall be punished on first conviction with
imprisonment of either description for a term which may extend to five years and with fine
which may extend to one lakh rupees and in the event of a second or subsequent conviction with
imprisonment of either description for a term which may extend to ten years and also with fine
which may extend to two lakh rupees.
Section 67A: Punishment for publishing or transmitting of material containing sexually
explicit act, etc. in electronic form, Information Technology Act 2000
Whoever publishes or transmits or causes to be published or transmitted in the electronic form
any material which contains sexually explicit act or conduct shall be punished on first conviction
with imprisonment of either description for a term which may extend to five years and with fine
which may extend to ten lakh rupees and in the event of second or subsequent conviction with
imprisonment of either description for a term which may extend to seven years and also with fine
which may extend to ten lakh rupees.
Exception: This section and section 67 does not extend to any book, pamphlet, paper, writing,
drawing, painting, representation or figure in electronic form-
(i) the publication of which is proved to be justified as being for the public good on the ground
that such book, pamphlet, paper, writing, drawing, painting, representation or figure is in the
interest of science, literature, art, or learning or other objects of general concern; or (ii) which is
kept or used bona fide for religious purposes.
Section 67B: Punishment for publishing or transmitting of material depicting children in
sexually explicit act, etc. in electronic form
Whoever,-
(a) publishes or transmits or causes to be published or transmitted material in any electronic
form which depicts children engaged in sexually explicit act or conduct or
(b) creates text or digital images, collects, seeks, browses, downloads, advertises,
promotes, exchanges or distributes material in any electronic form depicting children in
obscene or indecent or sexually explicit manner or
(c) cultivates, entices or induces children to online relationship with one or more children for and
on sexually explicit act or in a manner that may offend a reasonable adult on the computer
resource or
(d) facilitates abusing children online or
(e) records in any electronic form own abuse or that of others pertaining to sexually explicit act
with children, shall be punished on first conviction with imprisonment of either description for a
term which may extend to five years and with a fine which may extend to ten lakh rupees and in
the event of second or subsequent conviction with imprisonment of either description for a term
which may extend to seven years and also with fine which may extend to ten lakh rupees:
Provided that the provisions of section 67, section 67A and this section does not extend to
any book, pamphlet, paper, writing, drawing, painting, representation or figure in
electronic form-
(i) The publication of which is proved to be justified as being for the public good on the ground
that such book, pamphlet, paper writing, drawing, painting, representation or figure is in the
interest of science, literature, art or learning or other objects of general concern; or
(ii) which is kept or used for bonafide heritage or religious purposes
Explanation: For the purposes of this section, "children" means a person who has not completed
the age of 18 years.
Section 67 C: Preservation and Retention of information by intermediaries, Section 67C of
Information Technology Act
(1) Intermediary shall preserve and retain such information as may be specified for such duration
and in such manner and format as the Central Government may prescribe.
(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub section
(1) shall be punished with an imprisonment for a term which may extend to three years and shall
also be liable to fine.