Cyber Forensic
Programme
Module 1
Computer Forensics Fundamentals: What is Computer Forensics, Use of Computer Forensics
in Law Enforcement, Steps taken by Computer Forensics Specialists, Scientific method in
Computer Forensic Analysis.
Types of Computer Forensic Technology: Types of Military Computer Forensic Technology,
Types of Law Enforcement Computer Forensic Technology, Types of Business Computer Forensic Technology.
Types of Computer Forensic Systems: Basics of Internet Security Systems, Intrusion Detection
Systems, Firewall Security Systems, Biometric Security Systems, Network Disaster Recovery
Systems, Public Key Infrastructure Systems, Wireless Network Security Systems.
Computer Forensics Fundamentals
Computer Forensics
The process of identifying, collecting, preserving, analyzing and presenting computer-related/digital
evidence in a manner that is legally acceptable in court.
Digital evidence is any information or data of value to an investigation that is stored on,
received by, or transmitted by an electronic device. Text messages, emails, pictures and videos,
and internet searches are some of the most common types of digital evidence.
Section 79A of IT (Amendment) Act, 2008
Digital evidence or electronic evidence is “any probative information stored or transmitted
in digital form that a party to a court case may use at trial”. Section 79A of IT (Amendment)
Act, 2008 defines electronic form evidence as “any information of probative value that is
either stored or transmitted in electronic form and includes computer evidence, digital
audio, digital video, cell phones, and digital fax machines”
Digital Trail
Most criminals now leave a digital footprint; a suspect’s IP address, posting on a Social Media
platform or using their mobile device for everyday use in place of a traditional computer and
camera.
Course: Cyber Forensics MCA
Programme
Digital evidence
The main characteristics of digital evidence are that it can transcend national borders with ease and
speed, it is highly fragile and can easily be altered, damaged, or destroyed, and it is time sensitive.
For this reason, special precautions should be taken to document, collect, preserve, and examine
this type of evidence.
Types of investigations
Public investigations
Context: criminal cases.
Conducted by: law enforcement officers, driven by the statutes in the criminal law.
Examples: drug crimes, sexual exploitation, theft.
Private investigations
Context: civil or internal cases.
Conducted by: organizations or corporations.
Examples: sabotage, embezzlement, industrial espionage.
Hardware needs
Computer forensics is resource intensive in terms of processing power, memory size, and disk space.
To be effective as a computer forensics investigator, you must have as many relevant tools as
possible.
USE OF COMPUTER FORENSICS IN LAW ENFORCEMENT
Computer forensics assists in Law Enforcement. This can include:
Recovering deleted files such as documents, graphics, and photos.
Searching unallocated space on the hard drive, places where an abundance of data often
resides.
Tracing artifacts, those tidbits of data left behind by the operating system. Our experts know
how to find these artifacts and, more importantly, they know how to evaluate the value of the
information they find.
Processing hidden files — files that are not visible or accessible to the user — that contain
past usage information. Often, this process requires reconstructing and analyzing the date codes
for each file and determining when each file was created, last modified, last accessed and when
deleted.
Running a string-search for e-mail, when no e-mail client is obvious.
4. DOCUMENT SEARCHES
Computer forensics experts should also be able to search over 200,000 electronic documents in
seconds rather than hours. The speed and efficiency of these searches make the discovery process
less complicated and less intrusive to all parties involved.
5. MEDIA CONVERSION
Computer forensics experts should extract the relevant data from old and un-readable devices,
convert it into readable formats, and place it onto new storage media for analysis.
Priority service: Dedicated computer forensics experts should be able to work on your case
during normal business hours (8:00 A.M. to 5:00 P.M., Monday through Friday) until the evidence is
found. Priority service typically cuts your turnaround time in half.
Weekend service: Computer forensics experts should be able to work from 8:00 A.M. to 5:00
P.M., Saturday and Sunday, to locate the needed electronic evidence and will continue working on
your case until your evidence objectives are met.
8. OTHER MISCELLANEOUS SERVICES
Computer forensics experts should also be able to provide extended services. These services include:
Analysis of computers and data in criminal investigations
On-site seizure of computer data in criminal investigations
Analysis of computers and data in civil litigation.
On-site seizure of computer data in civil litigation
Analysis of company computers to determine employee activity
Assistance in preparing electronic discovery requests
Reporting in a comprehensive and readily understandable manner
Court-recognized computer expert witness testimony
Computer forensics on both PC and Mac platforms
Fast turnaround time.
6. Analyze all possibly relevant data found in special areas of a disk. This includes but is not
limited to what is called unallocated space on a disk, as well as slack space in a file (the remnant
area at the end of a file in the last assigned disk cluster, that is unused by current file data, but
once again, may be a possible site for previously created and relevant evidence).
7. Print out an overall analysis of the subject computer system, as well as a listing of all possibly
relevant files and discovered file data.
8. Provide an opinion of the system layout; the file structures discovered; any discovered data
and authorship information; any attempts to hide, delete, protect, and encrypt information; and
anything else that has been discovered and appears to be relevant to the overall computer system
examination.
9. Provide expert consultation and/or testimony, as required.
Slack space (file slack space)
Slack space is the leftover storage that exists on a computer’s hard disk drive when a computer
file does not need all the space it has been allocated by the operating system. The examination of
slack space is an important aspect of computer forensics.
To understand why slack space plays an important role in E-discovery, one must first understand
how data is stored on computers that have hard disk drives. Computers with hard disk drives
store data in a sealed unit that contains a stack of circular, spinning disks called platters. Each
platter is composed of logically defined spaces called sectors and by default, most operating
system (OS) sectors are configured to hold no more than 512 bytes of data. If a text file that is
400 bytes is saved to disk, the sector will have 112 bytes of extra space left over. When the
computer’s hard drive is brand new, the space in a sector that is not used – the slack space – is
blank, but that changes as the computer gets used.
When a file is deleted, the operating system doesn't erase the file; it simply makes the sector the
file occupied available for reallocation. Should a new file that is only 200 bytes be allocated to
the original sector, the sector’s slack space will now contain 200 bytes of leftover data from the
first file in addition to the original 112 bytes of extra space. That leftover data, which is called
latent data or ambient data, can provide investigators with clues as to prior uses of the computer
in question as well as leads for further inquiries.
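As an added illustration (not from the lecture notes), the following Python simulates the single-sector scenario above: a 400-byte file fills a 512-byte sector, is deleted, and a 200-byte file reuses the sector, so the slack region then carries 200 bytes of latent data from the first file plus the original 112 blank bytes. The Sector class, the file contents and the report format are constructed for this example.

```python
# Added example, not from the lecture notes: one sector, three operations.
SECTOR_SIZE = 512                                               # as in the text
FIRST_FILE = (b"CONFIDENTIAL memo: merger talks " * 20)[:400]   # constructed 400-byte file
SECOND_FILE = (b"grocery list " * 20)[:200]                     # constructed 200-byte file


class Sector:
    """A single disk sector plus the minimal bookkeeping an OS keeps for it."""

    def __init__(self, size=SECTOR_SIZE):
        self.size = size
        self.data = bytearray(size)   # brand-new drive: every byte is blank (zero)
        self.in_use = False
        self.file_len = 0             # bytes belonging to the file currently allocated here

    def write_file(self, payload: bytes) -> None:
        """Allocate the sector to a file and write only the file's own bytes;
        nothing beyond the payload is touched, which is what leaves slack behind."""
        if len(payload) > self.size:
            raise ValueError("payload does not fit in one sector")
        self.data[:len(payload)] = payload
        self.in_use = True
        self.file_len = len(payload)

    def delete_file(self) -> None:
        """Deletion only marks the sector available for reallocation; no bytes change."""
        self.in_use = False
        self.file_len = 0

    def slack(self) -> bytes:
        """Everything after the current file's last byte: the region examiners carve."""
        return bytes(self.data[self.file_len:])


def slack_report(sector: Sector) -> dict:
    """Split the slack into latent bytes (left over from earlier files) and blank bytes.
    Trailing zero bytes are treated as never-written; a real examiner would hash and
    carve the latent bytes rather than only count them."""
    region = sector.slack()
    latent = region.rstrip(b"\x00")
    return {
        "slack_bytes": len(region),
        "latent_bytes": len(latent),
        "blank_bytes": len(region) - len(latent),
        "latent": latent,
    }


def demo():
    """Replay the notes' scenario and return the slack report after each write."""
    sector = Sector()
    sector.write_file(FIRST_FILE)       # 400 bytes used, 112 bytes of blank slack
    after_first = slack_report(sector)
    sector.delete_file()                # "deleted": only the allocation flag changes
    sector.write_file(SECOND_FILE)      # 200 new bytes; bytes 200..399 of the old file survive
    after_second = slack_report(sector)
    return after_first, after_second


if __name__ == "__main__":
    first, second = demo()
    print("after first write :", {k: v for k, v in first.items() if k != "latent"})
    print("after second write:", {k: v for k, v in second.items() if k != "latent"})
    print("latent data begins:", second["latent"][:32])
```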
Computer forensics tools and techniques have become important resources for use in internal
investigations, civil lawsuits, and computer security risk management. Law enforcement and
military agencies have been involved in processing computer evidence for years.
Computer Evidence Processing Procedures
Processing procedures and methodologies should conform to federal computer evidence processing standards.
1. Preservation of Evidence
Computer evidence is fragile and susceptible to alteration or erasure by any number of
occurrences. Computer evidence can be useful in criminal cases, civil disputes, and human
resources/ employment proceedings.
Black box computer forensics software tools are good for some basic investigation tasks, but
they do not offer a full computer forensics solution.
SafeBack software overcomes some of the evidence weaknesses inherent in black box
computer forensics approaches. SafeBack technology has become a worldwide standard in
making mirror image backups since 1990.
TROJAN HORSE PROGRAMS
The computer forensic expert should be able to demonstrate his or her ability to avoid destructive
programs and traps that can be planted by computer users bent on destroying data and evidence.
Such programs can also be used to covertly capture sensitive information, passwords, and
network logons.
COMPUTER FORENSICS DOCUMENTATION
Without proper documentation, it is difficult to present findings. If the security or audit findings
become the object of a lawsuit or a criminal investigation, then documentation becomes even
more important.
FILE SLACK
Slack space in a file is the remnant area at the end of a file in the last assigned disk cluster that is
unused by current file data but, once again, may be a possible site for previously created and
relevant evidence. Experts use specialized techniques and automated tools to capture and
evaluate file slack.
DATA-HIDING TECHNIQUES
Trade secret information and other sensitive data can easily be secreted using any number of
techniques. It is possible to hide diskettes within diskettes and to hide entire computer hard disk
drive partitions. Computer forensic experts should understand such issues and tools that help in
the identification of such anomalies.
E-COMMERCE INVESTIGATIONS
Net Threat Analyzer can be used to identify past Internet browsing and email activity done
through specific computers. The software analyzes a computer’s disk drives and other storage
areas that are generally unknown to or beyond the reach of most general computer users. Net
Threat Analyzer is available free of charge to computer crime specialists, school officials, and
police.
DUAL-PURPOSE PROGRAMS
Programs can be designed to perform multiple processes and tasks at the same time. Computer
forensics experts must have hands-on experience with these programs.
TEXT SEARCH TECHNIQUES
Text search tools can be used to find targeted strings of text in files, file slack, unallocated file
space, and Windows swap files.
FUZZY LOGIC TOOLS USED TO IDENTIFY UNKNOWN TEXT
Computer evidence searches require that the computer specialist know what is being searched
for. Many times not all is known about what may be stored on a given computer system. In such
cases, fuzzy logic tools can provide valuable leads as to how the subject computer was used.
2. Disk Structure
Computer forensic experts must understand how computer hard disks and floppy diskettes are
structured and how computer evidence can reside at various levels within the structure of the
disk. They should also demonstrate their knowledge of how to modify the structure and hide
data in obscure places on floppy diskettes and hard disk drives.
3. Data Encryption
Computer forensic experts should become familiar with the use of software to crack security
associated with the different file structures.
4. Matching a Diskette to a Computer
Specialized techniques and tools make it possible to conclusively tie a diskette to the
computer that was used to create or edit the files stored on it. Computer forensic experts should
become familiar with how to use special software tools to complete this process.
5. Data Compression
Computer forensic experts should become familiar with how compression works and how
compression programs can be used to hide and disguise sensitive data and also learn how
password-protected compressed files can be broken.
6. Erased Files
Computer forensic experts should become familiar with how previously erased files can be
recovered using DOS programs and manual data-recovery techniques, and should be familiar
with cluster chaining.
7. Internet Abuse Identification and Detection
Computer forensic experts should become familiar with how to use specialized software to
identify how a targeted computer has been used on the Internet. This process will focus on
computer forensics issues tied to data that the computer user probably doesn’t realize exists (file
slack, unallocated file space, and Windows swap files).
8. The Boot Process and Memory Resident Programs
Computer forensic experts should become familiar with how the operating system can be
modified to change data and destroy data at the whim of the person who configured the system.
Such a technique could be used to covertly capture keyboard activity from corporate executives,
for example. For this reason, it is important that the experts understand these potential risks and
how to identify them.
TYPES OF BUSINESS COMPUTER FORENSIC TECHNOLOGY
The following are different types of business computer forensics technology:
REMOTE MONITORING OF TARGET COMPUTERS
Data Interception by Remote Transmission (DIRT) is a powerful remote control monitoring tool
that allows stealth monitoring of all activity on one or more target computers simultaneously
from a remote command center. No physical access is necessary. Application also allows agents
to remotely seize and secure digital evidence prior to physically entering suspect premises.
CREATING TRACKABLE ELECTRONIC DOCUMENTS
Binary Audit Identification Transfer (BAIT) is a powerful intrusion detection tool that allows
users to create trackable electronic documents. BAIT identifies (including their location)
unauthorized intruders who access, download, and view these tagged documents. BAIT also
allows security personnel to trace the chain of custody and chain of command of all who possess
the stolen electronic documents.
THEFT RECOVERY SOFTWARE FOR LAPTOPS AND PCS
What it really costs to replace a stolen computer: The price of the replacement hardware &
software. The cost of recreating data, lost production time or instruction time, reporting and
investigating the theft, filing police reports and insurance claims, increased insurance, processing
and ordering replacements, cutting a check, and the like. The loss of customer goodwill. If a thief
is ever caught, the cost of time involved in prosecution.
PC PHONEHOME
PC Phone Home is a software application that will track and locate a lost or stolen PC or laptop
anywhere in the world. It is easy to install. It is also completely transparent to the user. If your
PC Phone Home-protected computer is lost or stolen, all you need to do is make a report to the
local police and call CD’s 24-hour command center. CD’s recovery specialists will assist local
law enforcement in the recovery of your property.
The next step is to start a systematic analysis of the assets of an organization,
determining the value of information, or the possible damage to reputation should it be disclosed,
along with possible risks. This step is no more difficult than the risk management that a
corporation already exercises every day. Most businesses already have clearly established
what information is valuable, who should have access to it, and who has responsibility for
protecting it.
Security Hierarchy
Mission Critical
Information such as trade secrets, vault and authorization codes, and lock and key information
are clearly of a mission critical nature, and their unintended disclosure could cause severe loss to
a business or operation.
Departmental information
Departmental information is typically data that is private to a particular department, such as
payroll information in finance and medical records in personnel.
Company private information
Company private information varies from company to company but typically consists of
information that should only be disclosed to employees and partners of a company, such as
policy and procedure manuals.
Public information
Public information is information such as product literature, brochures, and catalogs that needs to
be freely available to anyone, but whose integrity needs to be assured to prevent unauthorized
alteration. This information is often provided to customers and interested parties by means of the
Internet.
Intrusion Detection Systems
Firewalls have existed since the late 1980’s and started out as packet filters, which were
networks set up to examine packets, or bytes, transferred between computers. Though packet
filtering firewalls are still in use today, firewalls have come a long way as technology has
developed throughout the decades.
Types of Firewall
Packet filtering
A small amount of data is analyzed and distributed according to the filter’s standards.
Proxy service
Network security system that protects while filtering messages at the application layer.
Stateful inspection
Dynamic packet filtering that monitors active connections to determine which network packets to
allow through the Firewall.
Next Generation Firewall (NGFW)
Deep packet inspection Firewall with application-level inspection.
Why Do We Need Firewalls?
Firewalls, especially Next Generation Firewalls, focus on blocking malware and application-
layer attacks. Along with an integrated intrusion prevention system (IPS), these Next Generation
Firewalls are able to react quickly and seamlessly to detect and combat attacks across the whole
network.
Concentrated security
Enhanced privacy
Logging and statistics on network use and misuse
Policy enforcement
Vein scanning
Behavioral biometrics
The Bad
Yes, biometrics are generally more secure, but they aren’t foolproof. Hackers can spoof
biometric data by using various techniques like downloading or printing a person’s photo, using
a fake silicone fingerprint, or a 3D mask. Such attacks are known as presentation attacks.
While the great majority of companies have plans for NDR in place, those without an NDR plan
indicate that they intend to create one. Is intending to create one good enough to make sure the
critical parts of your business will be able to continue to function in the event of a catastrophe?
DR plan needs to accomplish. Recognizing your expectations for network disaster recovery helps
to define how your DR plan should be structured in order to achieve the best results.
Create an IT recovery team and assign responsibilities
It is not enough to create a network disaster recovery plan; you should also decide who will
implement the plan when an actual disaster strikes. Thus, create a recovery team and identify the
employees that will join it. Each recovery team member should be assigned with a specific role
and a unique set of responsibilities to avoid any confusion and panic during a DR event.
Back up network configuration files
When it comes to network disaster recovery planning, the main aim is to ensure that a network is
restored to its normal state as rapidly as possible. That is why it is important to regularly back up
network configuration files, including the initial parameters and settings for configuring network
devices. For that purpose, you need to install third-party data protection software, which can be
used to back up and recover mission-critical data when your infrastructure is hit by a disaster.
Why Is a Network Disaster Recovery Plan So Important?
The answer to this question is simple: an organization cannot function properly if one of
its system components stops working. Without network services, a company cannot properly
execute its business operations and move data within the infrastructure.
Public Key Infrastructure Systems, Wireless network security systems
Public Key Infrastructure Systems
The purpose of PKI is to provide an environment that addresses today’s business, legal,
network, and security demands for trust and confidentiality in data transmission and storage. PKI
accomplishes these goals for an enterprise through policy and technology components.
What is PKI and What is it used for?
The public key infrastructure (PKI) is the set of hardware, software, policies, processes, and
procedures required to create, manage, distribute, use, store, and revoke digital certificates and
public keys.
Who Are the Key Players Involved in PKI?
travel, documents and downloads to be trusted and above all us, PKI allows us to enjoy the
beautiful world behind our computer screen
How Does Public Key Infrastructure Work?
1. PKI authenticates you and your server. It allows your site users’ web browsers to
authenticate your server before connecting with it (so they can verify that they’re
connecting to a legitimate server). You can also use client certificates to limit access to
authenticated users. This gives you greater control over your network and other IT
systems.
2. PKI facilitates encryption and decryption. PKI enables you to use digital certificates
and public encryption key pairs to encrypt and decrypt data or the transmission channels
you use to send it using the secure SSL/TLS protocol.
3. PKI ensures the integrity of your data. PKI lets users, their browsers or their devices
know whether the data you send has been tampered with.
SSL certificate
SSL uses PKI to do two things:
o Your browser authenticates that it’s connected to the correct server that’s owned
by the website
o All the data that passes between your browser and our web server is encrypted.
Wireless network security systems
Wireless network security is the process of designing, implementing and ensuring
security on a wireless computer network.
It is a subset of network security that adds protection for a wireless computer network.
There are different ways you can secure a wireless network.
Encrypt Your Wireless Network
This is the first and one of the most important steps towards securing a wireless network.
Encryption of the wireless network simply means that you should not just leave your network
without any password for anyone to connect.
Change Router’s Default Settings
Every router comes with a lot of important default settings. Moreover, since the manufacturer
sets these settings, they are known to everyone. Keeping these settings certainly makes the setup
process easy, but at the same time it leaves the network vulnerable to a breach. If you are serious
about securing a wireless network, you need to consider changing these default settings.
Disable Remote Access
Usually, routers allow you to access their settings/interface only from a connected device.
However, some of them allow access even from remote systems.
Keep The Router’s Firmware Up To Date
Updating the router’s firmware is a good move towards a secure wireless network.
Firmware updates usually carry patches for known bugs and security fixes.
A router’s firmware, like every other piece of software, contains flaws that can be exploited by
cyber criminals and hackers. Most of the time routers do not have an auto-update feature, so you
have to update the firmware manually.
Enable Router Firewall
Many routers come with a firewall that can be enabled from the router’s settings. If it is
available, we suggest you enable this feature, as it shall help add an additional layer of security.
Wireless networking is convenient, and we cannot imagine life without it. We use the internet day
in and day out, but keeping your device tethered to a wire while using it is unimaginable. With all
its useful features and qualities, there is a dark side to it too. We should take all possible measures
to secure a wireless network, because leaving it unprotected may have consequences.
These steps may help secure a wireless network, but there may be other measures that one can take
to protect wireless networks.
Module 2
Data Recovery: Data recovery defined. Data backup and Recovery, the role of Backup in Data
Recovery, The Data-Recovery Solution, Hiding and Recovering Hidden Data. Evidence
Collection: Why Collect evidence. Collection options, Types of Evidence, Rules of evidence,
General procedure. Collection and Archiving, Methods of collection, Artifacts, Collection steps.
Controlling contamination, Reconstructing the attack
Data recovery defined
Data recovery is the process in which highly trained engineers evaluate and extract data from
damaged media and return it in an intact format.
What happens when you delete a file?
When you delete a file, it isn’t really erased.
The file continues to exist on your hard drive, even after you empty it from the Recycle Bin.
This makes it possible to recover files you’ve deleted.
Every file is made from many bits of information.
When you delete a file, all those bits that form it are not physically erased, and they
continue to hold the information that makes the file.
Instead of physically deleting files, which can take a significant amount of time,
especially if those files are large, the operating system only marks the deleted files as free
space.
In many operating systems, the file's data is moved to a temporary holding area (recycle bin)
where it can be recovered or cleared and the disk space it was taking up can be reclaimed. When
emptying the recycle bin, in many cases, only the pointer record to where the file's data was
located on the physical disk is removed. When you delete a file, Windows marks it as free space
by removing only its pointer, nothing else. The content of the file is still there, physically.
Slack space
Slack - The leftover storage on a computer’s hard disk drive when a computer file does not need
all the space it has been allocated by the operating system.
Uses of data recovery
■ Average User:
■ Law enforcement:
Why some deleted files cannot be recovered, even if you are using an excellent file recovery
tool?
Recovering lost files is not always possible!
If Windows overwrites the space that a deleted file was occupying, the original file can
no longer be restored.
That is because the content of that original file is just not there anymore.
New information was stored over its content, so the old information was destroyed.
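To make the pointer-removal description above and the overwriting caveat concrete, here is an added Python toy (not from the lecture notes) of a FAT-style volume: deleting a file flags its directory entry and releases its cluster chain without touching data, an examiner can rebuild the file from the flagged entry, a later write over those clusters defeats recovery, and a scan of unallocated clusters still turns up remnants (the cluster chaining and unallocated-space searches mentioned in Module 1). The cluster size, file names and contents are constructed.

```python
# Added example, not from the lecture notes: a toy FAT-style volume.
CLUSTER_SIZE = 16        # constructed toy cluster size (real volumes use 4 KiB and up)
CLUSTER_COUNT = 8
FREE, END_OF_CHAIN = 0, -1
MEMO = b"Sensitive merger memo, do not forward."   # constructed, 38 bytes -> 3 clusters
NOTE = b"lunch at noon"                             # constructed, 13 bytes -> 1 cluster


class ToyVolume:
    """Clusters hold data; the FAT chains clusters into files; the directory
    holds the pointer (first cluster + size) that a file name resolves to."""

    def __init__(self):
        self.clusters = [bytearray(CLUSTER_SIZE) for _ in range(CLUSTER_COUNT)]
        self.fat = [FREE] * CLUSTER_COUNT    # per cluster: next cluster, END_OF_CHAIN, or FREE
        self.directory = {}                  # name -> {"first", "size", "deleted"}

    @staticmethod
    def clusters_needed(nbytes):
        return max(1, -(-nbytes // CLUSTER_SIZE))      # ceiling division

    def write(self, name, data):
        needed = self.clusters_needed(len(data))
        chain = [i for i, v in enumerate(self.fat) if v == FREE][:needed]
        if len(chain) < needed:
            raise OSError("volume full")
        for pos, c in enumerate(chain):
            chunk = data[pos * CLUSTER_SIZE:(pos + 1) * CLUSTER_SIZE]
            self.clusters[c][:len(chunk)] = chunk         # bytes past the chunk are left alone
            self.fat[c] = chain[pos + 1] if pos + 1 < needed else END_OF_CHAIN
        self.directory[name] = {"first": chain[0], "size": len(data), "deleted": False}

    def read(self, name):
        entry = self.directory[name]
        out, c = b"", entry["first"]
        while c != END_OF_CHAIN:                           # follow the cluster chain
            out += bytes(self.clusters[c])
            c = self.fat[c]
        return out[:entry["size"]]

    def delete(self, name):
        """Deletion as the notes describe it: flag the directory entry and release
        the chain in the FAT. Not a single data byte is erased."""
        entry = self.directory[name]
        c = entry["first"]
        while c != END_OF_CHAIN:
            nxt = self.fat[c]
            self.fat[c] = FREE
            c = nxt
        entry["deleted"] = True

    def undelete(self, name):
        """Examiner-style recovery: the flagged entry still records the first cluster
        and the size, so reassemble the file assuming it was stored contiguously
        (the chain links are gone). If any of those clusters has since been given
        to another file, the original bytes were overwritten and recovery fails."""
        entry = self.directory[name]
        if not entry["deleted"]:
            return "not deleted", self.read(name)
        wanted = range(entry["first"], entry["first"] + self.clusters_needed(entry["size"]))
        if any(self.fat[c] != FREE for c in wanted):
            return "overwritten", b""
        data = b"".join(bytes(self.clusters[c]) for c in wanted)
        return "recovered", data[:entry["size"]]

    def carve_unallocated(self):
        """Search unallocated space: free clusters that still hold non-zero bytes,
        returned as (cluster index, remnant bytes) for an examiner to inspect."""
        return [(i, bytes(self.clusters[i]).rstrip(b"\x00"))
                for i, v in enumerate(self.fat) if v == FREE and any(self.clusters[i])]


def demo():
    """Write, delete, recover; then overwrite part of the old clusters and retry."""
    vol = ToyVolume()
    vol.write("memo.txt", MEMO)
    vol.delete("memo.txt")
    before = vol.undelete("memo.txt")      # ("recovered", MEMO): pointer gone, data intact
    vol.write("note.txt", NOTE)            # reuses cluster 0, overwriting the memo's start
    after = vol.undelete("memo.txt")       # ("overwritten", b"")
    remnants = vol.carve_unallocated()     # clusters 1 and 2 still hold memo fragments
    return before, after, remnants


if __name__ == "__main__":
    for item in demo():
        print(item)
```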
The purpose of the backup is to create a copy of data that can be recovered in the event of a
primary data failure. Primary data failures can be the result of hardware or software failure, data
corruption, or a human-caused event, such as a malicious attack (virus or malware), or accidental
deletion of data. Backup copies allow data to be restored from an earlier point in time to
help the business recover from an unplanned event.
Types of Backups
Full backups
A full backup is the most complete type of backup, where you clone all the selected data. This
includes files, folders, SaaS applications, hard drives and more. The highlight of a full backup is
the minimal time it requires to restore data. However, since everything is backed up in one go,
it takes longer to back up compared to other types of backup.
Incremental backups
The first backup in an incremental backup is a full backup. The succeeding backups will only
store changes that were made to the previous backup. Businesses have more flexibility in
spinning these types of backups as often as they want, with only the most recent changes stored.
Incremental backup requires space to store only the changes (increments), which allows for
lightning-fast backups.
Differential Backup
A differential backup straddles the line between a full and an incremental backup. This type of
backup involves backing up data that was created or changed since the last full backup. To put it
simply, a full backup is done initially, and then subsequent backups are run to include all the
changes made to the files and folders. It lets you restore data faster than a full backup since it
requires only two backup components: an initial full backup and the latest differential backup.
Let’s see how a differential backup works:
Day 1 – Schedule a full backup
Day 2 – Schedule a differential backup. It will cover all the changes that took place between Day
1 and Day 2
Day 3 – Schedule a differential backup. It will copy all the data that has changed since the Day 1
full backup, so it includes the changes already captured on Day 2 as well as those made on Day 3.
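The Day 1 to Day 3 schedule above, worked through in Python as an added example (not from the lecture notes): the same constructed set of file changes is backed up as full, incremental and differential sets, and the restore function lists which sets each type needs to rebuild a given day. File paths and change days are constructed.

```python
# Added example, not from the lecture notes: full vs incremental vs differential
# on the Day 1 / Day 2 / Day 3 schedule.
FULL, INCREMENTAL, DIFFERENTIAL = "full", "incremental", "differential"

# Constructed change log: day -> {path: version written that day}.
CHANGES = {
    1: {"/docs/a.txt": 1, "/docs/b.txt": 1, "/db/c.db": 1},   # initial contents
    2: {"/docs/a.txt": 2},                                     # a.txt edited
    3: {"/db/c.db": 2, "/docs/d.txt": 1},                      # c.db edited, d.txt created
}


def changed_between(after_day, upto_day):
    """Files written on any day in (after_day, upto_day]; later versions win."""
    out = {}
    for day in range(after_day + 1, upto_day + 1):
        out.update(CHANGES.get(day, {}))
    return out


def current_state(day):
    """What the file system looks like at the end of `day`."""
    return changed_between(0, day)


def schedule(kind, days):
    """Run one backup per day and return [(day, {path: version}), ...].
    The first run is always a full backup, as the notes say."""
    sets, first_day, prev_day = [], days[0], None
    for day in days:
        if day == first_day or kind == FULL:
            payload = current_state(day)                 # everything
        elif kind == INCREMENTAL:
            payload = changed_between(prev_day, day)     # since the previous backup
        else:
            payload = changed_between(first_day, day)    # since the last full backup
        sets.append((day, payload))
        prev_day = day
    return sets


def restore(kind, sets, day):
    """Which sets must be applied (in order) to rebuild `day`, and the result.
    Full: just that day's set. Incremental: the full set plus every increment up to
    that day. Differential: the full set plus only the latest differential."""
    if kind == FULL:
        needed = [s for s in sets if s[0] == day]
    elif kind == INCREMENTAL:
        needed = [s for s in sets if s[0] <= day]
    else:
        needed = [sets[0]] + [s for s in sets[1:] if s[0] == day]
    state = {}
    for _, payload in needed:
        state.update(payload)
    return [d for d, _ in needed], state


if __name__ == "__main__":
    for kind in (FULL, INCREMENTAL, DIFFERENTIAL):
        sets = schedule(kind, [1, 2, 3])
        print(kind, "stores", [len(p) for _, p in sets], "files per day;",
              "restoring day 3 needs sets", restore(kind, sets, 3)[0])
```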
Even if a criminal case has reached its initial resolution, the defendant has the right to an
appeals process that could stretch on for a considerable time.
Therefore, any evidence that could reasonably be important to the appeals process must
also be preserved to ensure that it’s available for use in future legal proceedings to reach
a just final disposition.
Preservation of evidence is a key component in the due process rights of the accused and
is, therefore, an integral component in the pursuit of justice in the legal system.
Collection options
Once a compromise has been detected, you have two options:
1. Pull the system off the network and begin collecting evidence or
2. Leave it online and attempt to monitor the intruder.
Leave it online and attempt to monitor the intruder.
In the case of monitoring, you may accidentally alert the intruder while monitoring and
cause him to wipe his tracks any way necessary, destroying evidence as he goes.
You also leave yourself open to possible liability issues if the attacker launches further
attacks at other systems from your own network system.
If you disconnect the system from the network, you may find that you have insufficient
evidence or, worse, that the attacker left a dead man switch that destroys any evidence
once the system detects that it’s offline. What you choose to do should be based on the
situation.
Types of Evidence
Real Evidence
Real evidence is any evidence that speaks for itself without relying on anything else. In
electronic terms, this can be a log produced by an audit function—provided that the log can be
shown to be free from contamination.
Testimonial Evidence
Testimonial evidence is any evidence supplied by a witness. This type of evidence is
subject to the perceived reliability of the witness, but as long as the witness can be considered
reliable, testimonial evidence can be almost as powerful as real evidence. Word processor
documents written by a witness may be considered testimonial—as long as the author is willing
to state that he wrote it.
Hearsay
Hearsay is any evidence presented by a person who was not a direct witness. Word processor
documents written by someone without direct knowledge of the incident are hearsay. Hearsay is
generally inadmissible in court and should be avoided.
Rules of evidence, general procedure
Golden rule of electronic evidence
There are five rules of collecting electronic evidence. These relate to five properties that
evidence must have to be useful.
1. Admissible
2. Authentic
3. Complete
4. Reliable
5. Believable
Admissible
This is the most basic rule and a measure of evidence validity and importance. The evidence
must be preserved and gathered in such a way that it can be used in court or elsewhere.
Many errors can be made that could cause a judge to rule a piece of evidence as inadmissible.
For example, evidence that is gathered using illegal methods is commonly ruled inadmissible.
Authentic
The evidence must be tied to the incident in a relevant way to prove something.
The forensic examiner must be accountable for the origin of the evidence.
Complete
When evidence is presented, it must be clear and complete and should reflect the whole story. It
is not enough to collect evidence that just shows one perspective of the incident.
Presenting incomplete evidence is more dangerous than not providing any evidence at all as it
could lead to a different judgment.
Reliable
Evidence collected from the device must be reliable.
This depends on the tools and methodology used. The techniques used and evidence
collected must not cast doubt on the authenticity of the evidence.
If the examiner used some techniques that cannot be reproduced, the evidence is not
considered unless they were directed to do so. This would include possible destructive
methods such as chip-off extraction.
Believable
A forensic examiner must be able to explain, with clarity and conciseness, what processes they
used and the way the integrity of the evidence was preserved.
The evidence presented by the examiner must be clear, easy to understand, and believable by a
jury.
General Procedure
When collecting and analyzing evidence, there is a general four-step procedure you should
follow. Note that this is a very general outline. You should customize the details to suit your
situation.
Identification of Evidence
You must be able to distinguish between evidence and junk data. For this purpose, you should
know what the data is, where it is located, and how it is stored. Once this is done, you will be
able to work out the best way to retrieve and store any evidence you find.
Preservation of Evidence
The evidence you find must be preserved as close as possible to its original state. Any changes
made during this phase must be documented and justified.
Analysis of Evidence
The stored evidence must then be analyzed to extract the relevant information and recreate the
chain of events. Analysis requires in-depth knowledge of what you are looking for and how to
get it. Always be sure that the person or people who are analyzing the evidence are fully
qualified to do so.
Presentation of Evidence
Communicating the meaning of your evidence is vitally important—otherwise you can’t do
anything with it. The manner of presentation is important, and it must be understandable by a
layman to be effective. It should remain technically correct and credible. A good presenter can
help in this respect.
Once you’ve developed a plan of attack and identified the evidence that needs to be collected,
it’s time to start the actual process of capturing the data. Storage of that data is also important, as
it can affect how the data is perceived.
A. Switched off systems -
a. Secure the scene of crime and disable all the modems, network connections etc. Unplug the
power and all other devices from sockets. Never switch on the computer, in any circumstances.
If any printing is pending, allow the printer to finish.
b. Confirm that the computer is switched off. As the screen may sometimes mislead, this should
be checked from the hard drive and monitor activity lights. Some laptops switch on merely by opening
the lid, so remove the battery if required.
c. Label and photograph (or video) all the components in-situ. Label the in & out port cables so
as if required, the computer could be reconstructed in future.
d. Open the side casing of the CPU/laptop carefully and detach the hard disk from the motherboard
by disconnecting the data transfer cable and the power cable.
e. Take out the Hard disk carefully and record the unique identifiers (like- make, model, serial
number etc.). Take signature of the accused & witnesses with date & time on the Hard disk, by a
permanent marker. All other items/documents should also be signed and pasted with exhibit
labels.
f. Ask the user for the passwords, operating system, application package running on the
suspected system, details of the other users and the off-site data storage, if any.
g. After the hard disk is removed, switch on the system and go to the BIOS. Note down the date and
time shown in the BIOS. Prepare detailed notes of "when, where, what, why & who" and the overall
actions taken in connection with the computer system.
h. The suspected hard drive should be connected to the investigator's computer only through a
write-block device, for forensic preview/copy.
B. Switched on systems -
a. Secure the scene of crime and disconnect the modem and all other connection cables, if
attached. Label and photograph (or video) all the components in-situ.
b. Carefully remove all the equipment attached and record their unique identifiers
separately. All the items should have signed exhibit labels attached.
c. Ask the user for the passwords, operating system, application package running on the
suspected system, details of the other users and the off-site data storage, if any.
d. Photograph the "live screen" and also prepare a written note of the content. Do not touch the
keyboard or click the mouse.
e. In case a screen saver is active or the screen is blank, given the circumstances of the case,
the E.O. shall decide whether he wants to restore and inspect the screen. If required, the screen
could be restored with a gentle movement of the mouse. Then follow procedure (c) above.
Record every mouse activity with time.
f. If available, use live forensics tools to extract the information present in the RAM. Otherwise,
remove the power cable (the end attached to the computer) without closing down any program. Then
follow (A) above.
C. Cell Phone systems -
a. If the device is switched off, do not turn it on. If the device is live or switched on, let
it remain so. Photograph the device and screen display. Label and collect all the cables
and additional storage media available, and transport them with the device.
b. Keep the device charged; if not possible, then the forensic analysis must be completed
before the battery gets discharged or the data may be lost. Record every activity with a
photograph (if possible) and time.
Faraday bags: Mobile handsets often get PIN locked, and keep communicating with the
network, which may tamper with the evidence. Faraday bags are envelopes made of flexible
metallic fabric or conductive mesh, which block external electromagnetic fields. Whenever an
external field or radio frequency interference comes into contact with the mesh, it produces equal
and opposite electrical charges distributed over the surface, which neutralizes the effect of the
field inside the envelope.
Thus, they are used for electromagnetic shielding. Mobile handsets and other sensitive radio
equipment should be secured in Faraday bags. This potentially avoids the PIN locking and prevents
the networks from communicating with the device (covert acquisition). At the same time, an
examiner can also view the equipment in "Faraday" condition, through the window in the bag.
LOG FILES IN CYBER FORENSICS
The most important element of cyber forensics is the authenticity of the evidence presented in a court of
law. Just as an airplane has a black box that tracks every event that occurs within it, logs track
every event that occurs within the system, in the applications interacting with the system and in the
network's interaction with the system. Log files are composed of log data that records the
events that occurred in the system or network. Log data is created for each event that occurred in the
system. The data in a log file consists of the different attributes of an event which are required to understand
the state of the system at the time the log entry for that event was created.
With the evolution of the information technology field across the world, the number of forgeries,
threats and security bypasses has greatly increased. The resulting revolution in computer security
has made log management and log integrity the need of the hour. Log management
is required to ensure that log data is stored securely with complete details for an appropriate time
frame. Thus, log management ensures that creating, transmitting and storing, along with
analyzing and disposing of log data, are done in a secure environment and that no tampering with
log data occurs. Thus, the key characteristics to ensure are the confidentiality, integrity,
completeness and availability of logs.
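As an added example, not part of the course notes, the following Python block shows one way to give log data the integrity and completeness properties just described: each record carries a SHA-256 hash over its own fields and over the previous record's hash, so that editing, deleting or reordering an earlier record breaks the chain. The events, timestamps and source names in it are constructed sample data.

```python
# Added example (not from the course notes): a hash-chained log so that
# modification, deletion or reordering of earlier records can be detected.
import hashlib
import json

GENESIS = "0" * 64  # constructed placeholder for "no previous record"


def _digest(record: dict) -> str:
    """SHA-256 over a canonical JSON rendering of a record (keys sorted)."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


def append_entry(chain: list, timestamp: str, source: str, message: str) -> dict:
    """Append a record whose hash covers its own fields and the previous record's hash."""
    body = {
        "seq": len(chain),
        "timestamp": timestamp,
        "source": source,
        "message": message,
        "prev_hash": chain[-1]["hash"] if chain else GENESIS,
    }
    body["hash"] = _digest(body)  # computed before "hash" is added, so not self-referential
    chain.append(body)
    return body


def verify_chain(chain: list) -> tuple:
    """Return (True, None) if every link holds, else (False, seq of the first bad record)."""
    prev_hash = GENESIS
    for expected_seq, entry in enumerate(chain):
        body = {key: value for key, value in entry.items() if key != "hash"}
        if entry.get("seq") != expected_seq or body.get("prev_hash") != prev_hash:
            return False, expected_seq  # a record was removed, inserted or reordered
        if _digest(body) != entry["hash"]:
            return False, expected_seq  # a record's content was altered
        prev_hash = entry["hash"]
    return True, None


def build_sample_chain() -> list:
    """Constructed sample events (not real log data) written into a fresh chain."""
    events = [
        ("2024-03-05T10:01:12Z", "sshd", "Accepted publickey for alice from 10.0.0.7"),
        ("2024-03-05T10:01:40Z", "sudo", "alice : COMMAND=/usr/bin/systemctl restart nginx"),
        ("2024-03-05T10:02:03Z", "kernel", "audit: new process /tmp/.x started by uid 1000"),
    ]
    chain = []
    for timestamp, source, message in events:
        append_entry(chain, timestamp, source, message)
    return chain


if __name__ == "__main__":
    log = build_sample_chain()
    print("intact:", verify_chain(log))
    log[1]["message"] = "alice : COMMAND=/bin/true"  # simulate an edited record
    print("after edit:", verify_chain(log))
```

Removing records from the tail of the chain is not detected by the chain alone, so for completeness the most recent hash should also be recorded somewhere the log writer cannot reach, such as a separate write-once store; that is where the availability and confidentiality requirements of log management come in.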
Methods of collection, Artifacts, Collection steps
Methods of collection
There are two basic forms of collection:
Freezing the scene and honeypotting.
The two aren’t mutually exclusive. You can collect frozen information after or during any
honeypotting.
Freezing the scene involves taking a snapshot of the system in its compromised state. The
necessary authorities should be notified (the police and your incident response and legal teams),
but you shouldn’t go out and tell the world just yet.
You should then start to collect whatever data is important onto removable nonvolatile media in
a standard format. Make sure the programs and utilities used to collect the data are also collected
onto the same media as the data. All data collected should have a cryptographic message digest
created, and those digests should be compared to the originals for verification.
Honeypotting
Honeypotting is the process of creating a replica system and luring the attacker into it for further
monitoring. A related method (sandboxing) involves limiting what the attacker can do while still
on the compromised system, so he can be monitored without (much) further damage. The
placement of misleading information and the attacker’s response to it is a good method for
determining the attacker’s motives.
You must make sure that any data on the system related to the attacker’s detection and actions is
either removed or encrypted; otherwise, they can cover their tracks by destroying it.
Honeypotting and sandboxing are extremely resource intensive, so they may be infeasible to
perform. There are also some legal issues to contend with, most importantly entrapment. As
previously mentioned, you should consult your lawyers.
ARTIFACTS
Whenever a system is compromised, there is almost always something left behind by the attacker
—be it code fragments, trojaned programs, running processes, or sniffer log files. These are
known as artifacts. They are one of the important things you should collect, but you must be
careful. You should never attempt to analyze an artifact on the compromised system. Artifacts
are capable of anything, and you want to make sure their effects are controlled. Artifacts may be
difficult to find; trojaned programs may be identical in all obvious ways to the originals (file
size, medium access control [MAC] times, etc.). Use of cryptographic checksums may be
necessary, so you may need to know the original file’s checksum. If you are performing regular
file integrity assessments, this shouldn’t be a problem. Analysis of artifacts can be useful in
finding other systems the attacker (or his tools) has broken into.
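The following Python block is an added example (not from the course notes) of the file integrity assessment the passage refers to: a baseline of size, modification time and SHA-256 digest is taken over a constructed directory tree, and the comparison then flags a program that was replaced by a same-length substitute whose modification time was reset to the original value. The directory layout, file names and contents are constructed for the demonstration.

```python
# Added example (not from the course notes): a file-integrity baseline that
# catches a replaced program even when its size and modification time are unchanged.
import hashlib
import os
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Size, modification time and SHA-256 digest of one file."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    stat = path.stat()
    return {"size": stat.st_size, "mtime_ns": stat.st_mtime_ns, "sha256": digest.hexdigest()}


def build_baseline(root: Path) -> dict:
    """Map every file under root (as a POSIX-style relative path) to its record."""
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(baseline: dict, root: Path) -> dict:
    """Return {relative path: finding} for every file that differs from the baseline."""
    current = build_baseline(root)
    findings = {}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings[rel] = "missing"
        elif new["sha256"] != old["sha256"]:
            if new["size"] == old["size"] and new["mtime_ns"] == old["mtime_ns"]:
                findings[rel] = "content changed; size and mtime unchanged"
            else:
                findings[rel] = "content changed"
    for rel in current:
        if rel not in baseline:
            findings[rel] = "new file"
    return findings


def demo() -> dict:
    """Construct a known-good tree, baseline it, then replace one program with a
    same-length substitute whose mtime is reset to the original value."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        target = root / "bin" / "ls"
        target.write_bytes(b"#!/bin/sh\necho original\n")
        (root / "bin" / "cat").write_bytes(b"#!/bin/sh\necho ok\n")
        baseline = build_baseline(root)

        original_stat = target.stat()
        target.write_bytes(b"#!/bin/sh\necho trojaned\n")  # same length as the original
        os.utime(target, ns=(original_stat.st_atime_ns, original_stat.st_mtime_ns))
        return compare_to_baseline(baseline, root)


if __name__ == "__main__":
    print(demo())
```

The comparison is driven by the digest rather than by size or timestamps, which is why a substituted program that matches the original in every obvious way is still reported; the finding text singles out that case because it is the signature of a deliberate substitution rather than an ordinary update.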
COLLECTION STEPS
You now have enough information to build a step-by-step guide for the collection of the
evidence. Once again, this is only a guide. You should customize it to your specific situation.
You should perform the following collection steps:
1. Find the evidence.
2. Find the relevant data.
3. Create an order of volatility.
4. Remove external avenues of change.
5. Collect the evidence.
6. Document everything.
Find the Evidence
Determine where the evidence you are looking for is stored. Use a checklist. Not only does it
help you to collect evidence, but it also can be used to double-check that everything you are
looking for is there.
Find the Relevant Data
Once you’ve found the evidence, you must figure out what part of it is relevant to the case. In
general, you should err on the side of over-collection, but you must remember that you must
work fast. Don’t spend hours collecting information that is obviously useless.
Create an Order of Volatility
Now that you know exactly what to gather, work out the best order in which to gather it. The
order of volatility for your system is a good guide and ensures that you minimize loss of
uncorrupted evidence.
Remove External Avenues of Change
It is essential that you avoid alterations to the original data, and prevention is always better than a
cure. Preventing anyone from tampering with the evidence helps you create as exact an image as
possible. However, you have to be careful. The attacker may have been smart and left a dead-
man switch. In the end, you should try to do as much as possible to prevent changes.
Collect the Evidence
You can now start to collect the evidence using the appropriate tools for the job. As you go,
reevaluate the evidence you’ve already collected. You may find that you missed something
important. Now is the time to make sure you get it.
Document Everything
Your collection procedures may be questioned later, so it is important that you document
everything you do. Timestamps, digital signatures, and signed statements are all important. Don’t
leave anything out.
The E.O. shall image the evidence forensically, acquire its hash value and record the
process; the tool, time and hashing algorithm should be mentioned in the report prepared.
The report generated by the forensic tool shall form an enclosure to the DEC.
The hard disk or any other internal part, once removed from the system, should be
photographed along with the system. The serial no., case no. and sections of law involved
should also be marked to the extent possible.
Precautions -V
Chain of custody should be prepared.
As electronic evidence is prone to tampering/damage, it is necessary to know by whom,
when, where, what and why the evidence was transferred. Therefore, once the evidence
is collected, and every time it is transferred, that shall be properly documented, and no
one other than the "persons entrusted" should have access to it.
Forensic Duplication:
Every storage medium contains certain data. For forensic purposes, the data needs to be copied
in a manner that does not change any information available on the device. The common
techniques are as follows:
(i) Logical Backup- It copies the directories & files of a logical volume. It does not capture
other data that may be present on the media, like deleted files or residual data stored in the slack
space.
(ii) Bit Stream Imaging- Also known as imaging or cloning, it generates a copy of the original
media bit-for-bit. It can be done in a "disk-to-disk" (from target media to another media) or
"disk-file" (from media to a single logical file) fashion, and requires more space and time.
(iii) Write blocker- These are hardware or software tools which prevent a computer from
writing to a storage medium. The suspected storage medium is connected directly to the hardware
write blocker, and the write blocker is then connected to the device taking the backup. Similarly,
a software write blocker is loaded onto the suspect computer before the copying device is
connected to it.
Precautions:
a. The integrity of the original media must be maintained. After the duplication is complete, it
should be verified that the copied data is an exact copy of the original data.
b. Hash value of the copied data should be calculated to ensure the data integrity.
c. The forensic image files must be written as logical files, on a brand new freshly formatted
media or forensically wiped sterile media. HDDs should be used only for evidence storage.
d. The logical file copies of the forensic image files shall be made on a brand-new sterile HDD
before traveling back to the office and labeled as copy of hard drive etc. using barcode. If use of
barcode is not possible, a serial code with relevant information (like unit name, year, case number
etc.) can be used.
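To make the difference between a logical backup and a bit-stream image concrete, and to show the hash verification that this section and the earlier advice on message digests for collected data both call for, here is an added Python example that is not part of the course notes. It builds a constructed four-sector toy volume in memory with one live file and the residue of a deleted file in an unallocated sector, copies it both ways, and verifies the image by comparing the SHA-256 digest of the source (N1) with an independently computed digest of the copy (N2). The sector size, file names and contents are constructed.

```python
# Added example (not from the course notes): a bit-stream image of a constructed
# toy volume beside a logical backup of the same volume, with SHA-256 verification
# of the image against the source.
import hashlib
import hmac
import io

SECTOR = 64  # constructed sector size for the toy volume
DELETED_RESIDUE = b"deleted: wire 5000 to acct 4242"  # constructed residue of a deleted file


def build_constructed_media() -> tuple:
    """Four-sector toy volume: one live file plus residual data in an unallocated sector."""
    media = bytearray(4 * SECTOR)
    live = b"meeting notes: 10am"
    media[0:len(live)] = live                                     # sector 0 allocated to notes.txt
    start = 2 * SECTOR
    media[start:start + len(DELETED_RESIDUE)] = DELETED_RESIDUE   # sector 2 unallocated, old content
    directory = {"notes.txt": (0, len(live))}                     # only the live file is listed
    return bytes(media), directory


def logical_backup(media: bytes, directory: dict) -> dict:
    """Copy only what the directory lists: allocated file contents, nothing else."""
    return {name: media[offset:offset + length] for name, (offset, length) in directory.items()}


def bitstream_image(source, dest, block_size: int = SECTOR) -> dict:
    """Copy every block of the source to dest, hashing the source as it is read,
    then re-read the copy so that the two digests are computed independently."""
    src_hash, dst_hash, copied = hashlib.sha256(), hashlib.sha256(), 0
    source.seek(0)
    for block in iter(lambda: source.read(block_size), b""):
        src_hash.update(block)
        dest.write(block)
        copied += len(block)
    dest.seek(0)
    for block in iter(lambda: dest.read(block_size), b""):
        dst_hash.update(block)
    return {"bytes": copied,
            "source_sha256": src_hash.hexdigest(),
            "image_sha256": dst_hash.hexdigest()}


def image_verified(result: dict) -> bool:
    """The N1 == N2 check: the original's digest must equal the copy's digest."""
    return hmac.compare_digest(result["source_sha256"], result["image_sha256"])


def demo() -> dict:
    media, directory = build_constructed_media()
    logical = logical_backup(media, directory)
    image = io.BytesIO()  # stands in for a file on the sterile destination medium
    result = bitstream_image(io.BytesIO(media), image)
    return {
        "logical_has_residue": any(DELETED_RESIDUE in data for data in logical.values()),
        "image_has_residue": DELETED_RESIDUE in image.getvalue(),
        "image_verified": image_verified(result),
        "image_bytes": result["bytes"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against a real device the two io.BytesIO objects would be the block device behind a write blocker and an image file on the sterile destination medium; the block-by-block copy loop and the separate re-read of the copy are the parts that carry over, and the digests and byte count are what go into the report.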
Acquiring data from some common devices:
a. Hard Drives of Desktops/Laptops- Use forensic software like Cyber Check Suite, EnCase or FTK
to image the drives. Be sure to connect the evidence drives to a write blocker so that the OS does
not accidentally write to the hard drive. The write blocker prevents any data from being written to
the seized hard disk, either intentionally or accidentally.
The write protection device is used as an interface between the seized media and the
forensic computer.
When the hard drive (like an SSD) cannot be removed, the entire device should be taken
into evidence. Connect the suspect computer to the forensic computer with the help of
a network crossover cable, boot it from a forensic distribution (like Helix or Linen),
then connect it to the forensic computer and duplicate via forensic tools like EnCase.
b. Smartphones- All data like contact lists, call records, SMS, MMS, GPS and pictures/videos can
be acquired from a cell phone using software like Cellebrite, Paraben Device Seizure etc.
However, while working with a live (switched on) cell phone, necessary precautions like the use of
network jammers/Faraday bags should be taken.
c. USB Drives- They can easily be imaged by connecting them to a forensic machine. However, software
or hardware write blockers must be used to maintain data integrity.
d. Digital Camera- The internal memory as well as the memory card can easily be imaged using the
same technique and precautions as for USB drives.
Seizure of Digital Evidences:
It involves-
(a) calculating hash value of the suspect storage media.
(b) creating a digital fingerprint of the same at a System on Chip (SoC) and
(c) calculating the hash value of the forensic image as well.
Precautions:
(i) Digital evidence may look simple to gather, but maintaining its reliability, integrity and
legal relevance is always challenging. The E.O. should adopt a thoroughly professional approach
and follow the guidelines prescribed here and also those provided from time to time.
(ii) No file should be opened without using a write blocker. Otherwise, the time stamps would
change, which amounts to tampering with the evidence.
(iii) Always, a permanent sterile new physical storage media should be used. In case of an
already used hard disk, all previous data must be wiped off prior to the forensic storage.
(iv) The new physical media must be fire proof & tamper proof. Immediately after imaging the
data onto it, it should be marked with a unique exhibit number related to the case.
(v) Thereafter, a unique number should be given to the contents of the forensic storage media,
duly computed through a hash algorithm. This number should be mentioned in the panchnama to
authenticate the evidence in future.
(vi) It should be verified and cross-checked that the hash values of the evidence in original (say
N1) and those of the copies imaged (N2, N3, N4 etc.) are the same.
(vii) The seizure memo should be prepared in the format prescribed and the evidences to be sent
to the Cyber Cell/FSL/Court for further analysis or presentation.
(viii) The digital evidences so collected, should always be preserved in an anti-static cover with
all details and tag/barcode, with separate inventory lists for all the media seized with case/other
reference numbers; and stored in a dry & cool place.
Packaging, Labelling and transportation:
The collected digital evidence shall be numbered and labelled in a manner that makes
connecting it to the case in future easy. It shall be attached with a tag
bearing the number as well as all the visible details of the evidence. The same shall be
recorded in the daily diary, case diary and schedule of evidence maintained.
During transportation, the digital evidence should not be kept in a place of frequent
mechanical shocks or with drastic temperature changes. As far as possible, anti-static
bags should be used, so that no localized electrostatic induction can affect the data.
Legal procedure after seizure: After seizure, due documentation and transportation, the digital
evidences should be brought to the knowledge of the Court having jurisdiction and permission to
keep the same in the custody of the E.O for further investigation, should be obtained. Permission
of the Court to image and send the same to the forensic labs should also be obtained, if required.
All such transactions should be duly recorded in the chain of custody.
The accused/owners of the material seized may approach the Court for release of the
same. The E.O. should carefully prepare his objections based on the merits of the case and the
requirement for further investigation. He should ensure that no original evidence having a
bearing on the prosecution of the case is returned. Even if the Court is inclined to
consider the accused’s request, the E.O. should try to impress upon it that only an
authentically imaged copy is provided to him, not the original evidence.
Gathering information from various agencies:
Internet service providers (ISPs) and other firms are liable to preserve certain information
and provide it to the LEAs if requisitioned under the law. Normally, they have "Nodal
officers" who function as per the guidelines of the ministry concerned.
Telecom Service Providers (TSP)/ Internet Service Providers (ISPs)-
Module 3
Conducting Digital Investigation-Digital investigation process models, scaffolding for digital
investigations, applying scientific method in Digital Investigations-Formation and Evaluation of
Hypotheses, Preparation, Survey, Preservation, Examination, Analysis, Reporting and
Testimony.
Computer Basics for Digital Investigators-Basic Operation of Computers, Representation of
Data, Storage Media and Data Hiding, File Systems and Location of Data, Dealing with
Password Protection and Encryption. Log files, Registry, Internet traces.
Digital investigation process models
Computer Security Incident
Unauthorized /Unlawful Intrusions into computing systems
Scanning a system - Systematic probing of ports to see which ones are open (test IPs)
Denial–of–Service (DoS) attack - any attack designed to disrupt the ability of authorized
users to access data
Malicious Code – any program or procedure that makes unauthorized modifications or
triggers unauthorized actions
virus, worm, Trojan horse
Digital investigation process models,
Scaffolding for digital investigations,
Applying scientific method in Digital Investigations-
The goal of any investigation is to uncover and present the truth
Digital investigations
Digital investigations inevitably vary depending on technical factors such as the type of
computing or communications device, whether the investigation is in a criminal, civil,
commercial, military, or other context, and case-based factors such as the specific claims to be
investigated.
Despite this variation, there exists a sufficient amount of similarity between the ways digital
investigations are undertaken that commonalities may be observed. These commonalities tend to
be observed from a number of perspectives, with the primary ways being process, principles, and
methodology.
Methodology
■ Forensics Methodology
■ Authenticate that your recovered evidence is the same as the originally seized
data.
Computer Forensics
The process of identifying, preserving, analyzing and presenting digital evidence in a manner
that is legally acceptable. (McKemmish, 1999)
Digital Investigation Process Models
The most common steps for conducting a complete and competent digital investigation are:
Preparation:
Generating a plan of action to conduct an effective digital investigation and obtaining
supporting resources and materials.
Survey/Identification:
Finding potential sources of digital evidence (e.g., at a crime scene, within an
organization, or on the Internet). Because the term identification has a more precise meaning in
forensic science relating to the analysis of an item of evidence, this process can be more clearly
described as survey of evidence. Survey is used throughout this chapter when referring to this
step.
Preservation:
Preventing changes of in situ digital evidence, including isolating the system on the
network, securing relevant log files, and collecting volatile data that would be lost when the
system is turned off. This step includes subsequent collection or acquisition.
Examination and Analysis:
Searching for and interpreting trace evidence. Some process models use the terms
examination and analysis interchangeably.
Examination and Analysis of Evidence
Forensic examination is the process of extracting and viewing information from the
evidence and making it available for analysis.
In contrast, forensic analysis is the application of the scientific method and critical
thinking to address the fundamental questions in an investigation: who, what, where,
when, how, and why.
Presentation:
Reporting of findings in a manner which satisfies the context of the investigation,
whether it be legal, corporate, military, or any other.
Process models
When attempting to conceive of a general approach to describe the investigation process within
digital forensics, one should make such a process generalizable. This led to the proposal of a
number of models for describing investigations, which have come to be known as “process
models”.
Why Process models
Using a formalized methodology encourages a complete, rigorous investigation, ensures proper
evidence handling, and reduces the chance of mistakes created by preconceived theories, time
pressures, and other potential pitfalls.
Digital Investigation Process Models
Physical Model
Staircase Model
Evidence Flow Model
Subphase Model
Roles and Responsibilities Model
Physical Model
A computer being investigated can be considered a digital crime scene and investigations
as a subset of the physical crime scene where it is located.
Physical evidence may exist around a server that was attacked by an employee and usage
evidence may exist around a home computer that contains contraband.
Furthermore, the end goal of most digital investigation is to identify a person who is
responsible and therefore the digital investigation needs to be tied to a physical
investigation.
Staircase Model
Subphase Model
Factors that contribute to the severity of an offense include threats of physical injury,
potential for significant losses, and risk of wider system compromise or disruption.
Within an organization, if a security breach or policy violation can be contained quickly,
if there is little or no damage, and if there are no exacerbating factors, a full investigation
may not be warranted.
The output of this step in the investigative process is a decision that will fit into two basic
categories:
Threshold considerations are not met—No further action is required. For example, available data
and information are sufficient to indicate that there has been no wrongdoing. Document
decisions with detailed justification, report, and reassign resources.
Threshold considerations are met—Continue to apply investigative resources based on the merits
of evidence examined to this point with priority based on initial available information. This step
aims to inform about discernment based on practical as well as legal precedent coupled with the
informed experience of the investigative team.
Therefore, it is important for digital investigators to have a robust and repeatable methodology
within each step to help them accomplish the goals and address the questions that are necessary
to solve the case.
Digital investigators are generally instructed to focus on specific issues in a case, sometimes with
time constraints or other restrictions.
For example, in order to find a missing person as quickly as possible, digital investigators may
be compelled to progress rapidly through the preparation, survey, preservation, examination, and
analysis steps at the expense of completeness and accuracy.
Carrier’s Hypothesis
Carrier’s Hypothesis Based Approach to digital forensic investigations (Carrier, 2006) provides
an initial model which bridges digital investigation practices and computer science theory,
demonstrating the role of the scientific method within a digital investigation.
Now let's see how the scientific method is applied to each step of a digital investigation
(preparation, survey, preservation, examination, and analysis), which can guide a digital
investigator through almost any investigative situation, whether it involves a single compromised
host, a single network link, or an entire enterprise.
The general methodology for Investigation
Observation:
One or more events will occur that will initiate your investigation. These events will include
several observations that will represent the initial facts of the incident. Digital investigators will
proceed from these facts to form their investigation. For example, a user might have observed
that his or her web browser crashed when he or she surfed to a specific Web site, and that an
antivirus alert was triggered shortly afterward.
Hypothesis:
Based on the current facts of the incident, digital investigators will form a theory of what
may have occurred. For example, in the initial observation described earlier, a digital investigator
may hypothesize that the web site that crashed the user’s web browser used a browser exploit to
load a malicious executable onto the system.
Prediction:
Based on the hypothesis, digital investigators will then predict where the artifacts related
to that event may be located. Using the hypothesis, and knowledge of the general operation of
web browsers, operating systems, a digital investigator may predict that there will be evidence of
an executable download in the history of the web browser, and potentially, files related to the
malware were created around the time of the incident.
Experimentation/Testing:
Digital investigators will then analyze the available evidence to test the hypothesis,
looking for the presence of the predicted artifacts. In the previous example, a digital investigator
might create a forensic duplicate of the target system, and from that image extract the web
browser history to check for executable downloads in the known timeframe. Part of the scientific
method is also to test possible alternative explanations—if the original hypothesis is correct a
digital investigator will be able to eliminate alternative explanations on the basis of available
evidence (this process is called falsification).
Conclusion:
Digital investigators will then form a conclusion based upon the results of their findings.
A digital investigator may have found that the evidence supports the hypothesis, falsifies the
hypothesis, or that there were not enough findings to generate a conclusion.
This general methodology can be repeated as many times as necessary to reach conclusions
at any stage of a digital investigation.
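As an added example that is not part of the course notes, the following Python block walks the browser-crash scenario above through the Prediction and Experimentation/Testing steps: given constructed browser-history records and a constructed file-creation timeline, it looks for an executable download and for executables created on disk within a window around the incident, ties the two together by file name, and reports whether the records bear out the prediction. All URLs, paths and timestamps are constructed sample data, and the verdict labels are this example's own.

```python
# Added example (not from the course notes): testing the browser-exploit hypothesis
# from the text against constructed browser-history and file-system timeline records.
from datetime import datetime, timedelta

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".msi")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed records, not real artifacts. All times are in the same (local) zone.
HISTORY = [
    {"time": "2024-03-05 09:58:10", "url": "https://news.example/", "download": None},
    {"time": "2024-03-05 10:01:05", "url": "http://update-check.example/flash", "download": "flashupd.exe"},
    {"time": "2024-03-05 14:30:20", "url": "https://intranet.example/reports", "download": "report.pdf"},
]
FILESYSTEM = [
    {"path": r"C:\Users\alice\Downloads\flashupd.exe", "created": "2024-03-05 10:01:30"},
    {"path": r"C:\Users\alice\AppData\Local\Temp\svc.dll", "created": "2024-03-05 10:02:15"},
    {"path": r"C:\Users\alice\Documents\report.pdf", "created": "2024-03-05 14:31:02"},
]


def _parse(timestamp: str) -> datetime:
    return datetime.strptime(timestamp, TIME_FORMAT)


def _is_executable(name: str) -> bool:
    return name.lower().endswith(EXECUTABLE_SUFFIXES)


def evaluate_hypothesis(history: list, filesystem: list, incident_time: str,
                        window: timedelta = timedelta(minutes=10)) -> dict:
    """Prediction: an executable download in the browser history and executable files
    created on disk, both within `window` of the incident, with the download tied to one
    of the created files. The verdict says how much of that prediction the records show."""
    incident = _parse(incident_time)

    def near(timestamp: str) -> bool:
        return abs(_parse(timestamp) - incident) <= window

    downloads = [h for h in history
                 if h["download"] and _is_executable(h["download"]) and near(h["time"])]
    created = [f for f in filesystem if _is_executable(f["path"]) and near(f["created"])]
    linked = [(d["download"], f["path"]) for d in downloads for f in created
              if f["path"].lower().endswith(d["download"].lower())]
    if linked:
        verdict = "supported"
    elif downloads or created:
        verdict = "partial"        # some predicted artifacts exist but do not tie together
    else:
        verdict = "not_supported"  # predicted artifacts absent; revise or discard the hypothesis
    return {"downloads": downloads, "created": created, "linked": linked, "verdict": verdict}


if __name__ == "__main__":
    result = evaluate_hypothesis(HISTORY, FILESYSTEM, "2024-03-05 10:02:00")
    print(result["verdict"], result["linked"])
```

A not_supported verdict only says that the predicted artifacts are absent from the records examined. The falsification step described in the text, ruling out alternative explanations, still has to be done by forming those alternatives as hypotheses of their own and testing their predictions in the same way.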
Preparation
The general aim of preparing for a digital investigation is to create a plan of action to
perform an effective digital investigation, and to obtain the necessary personnel and equipment.
Preparation for the preservation step ensures that the best evidence can be preserved when the
opportunity arises.
An example of applying the scientific method to preparation for the preservation step of a
digital investigation is provided here:
Observation:
Gathering information about the crime scene to anticipate what number and type of
computer systems to expect, and whether full disk encryption is in use. This stage can involve
interviewing people familiar with the location to be searched, and reviewing documentation such
as IT network diagrams, asset inventory, and purchase orders for computers. When no inside
knowledge is readily available, this observation process may require covert surveillance.
Hypothesis/Prediction:
Based on the information gathered about the crime scene, digital investigators will form
theories about the types of computer systems and internal components such as hard drive
capacity and interface (e.g., ATA, SATA, serial attached SCSI).
Experimentation/Testing:
It may be possible to test some predictions about what will or will not be encountered at
the crime scene. For instance, it may be possible to glean details about internal and public servers
by examining e-mail headers and connecting to them over the Internet.
Conclusions:
The outcome of this process should be a robust plan for preserving evidence at the crime
scene. In some instances, digital investigators also need to prepare for some on-scene processing
of digital evidence. For instance, when digital investigators are not authorized to collect every
computer system, some on-scene keyword searching of many computers may have to be performed
to identify which are relevant to the investigation.
Survey
With a plan in hand from the preparation step, digital investigators should be well
prepared to recognize sources of digital evidence at the crime scene. The aim of the process is for
digital investigators to find all potential sources of digital evidence and to make informed,
reasoned decisions about what digital evidence to preserve at the crime scene.
Observation:
A methodical inspection of the crime scene should be performed in an effort to locate the
expected items and to find unanticipated items. Carrier’s Integrated Digital Investigation Process
model encourages use of traditional approaches to searching the physical crime scene in a
methodical manner. A comparable methodical approach to searching a digital crime scene should
be used to find and assess potential sources of digital evidence.
Hypothesis:
Theories should be developed about why certain expected items are not present, and why
certain unexpected items were found.
Prediction:
Ideas should be considered for where missing items may be found, and which items may
contain potentially relevant data. When large quantities of computers or removable media are
involved, it may be necessary to develop theories about which ones do and do not contain
potentially relevant digital evidence.
Experimentation/Testing:
When digital investigators believe that certain items are not relevant to the case, some
experimentation and testing is needed to confirm this belief. For example, it may be necessary to
perform a triage search of these seemingly irrelevant systems or storage media for responsive
evidence to ensure that they, in fact, do not contain anything of interest.
Conclusions:
Based on the methodical assessment of available information, there is a high degree of
confidence that an inventory has been made of all potentially relevant sources of digital evidence
at the crime scene that need to be preserved.
In an organization, documentation relating to the survey phase may take the form of a map
indicating where evidence is located on a network—a digital evidence map. Such a map may
include e-mail, log files, and backup tapes, may specify for how long each source of digital
evidence is retained, and may reference procedures for collecting the evidence to help digital
investigators handle the data properly.
Preservation, Examination, Analysis, Reporting and Testimony
Working from the known inventory of identified components, investigators must act to
make sure that potentially volatile items are collected or acquired in such a way that
captures their current state.
Another way to put it is that proper actions must be taken to ensure the integrity of
potential evidence, physical and digital. The methods and tools employed to ensure
integrity are key here: their accuracy and reliability, as well as their professional acceptance,
may be challenged by opposing counsel if the case is prosecuted.
To many practitioners in digital forensics, the preservation step is where digital forensics
begins. It is generally the first stage in the process that employs commonly used tools of a
particular type. The output of this stage is usually a set of duplicate copies of all sources
of digital data.
This output provides investigators with two categories of exhibits.
First, the original material is cataloged and stored in a proper environmentally controlled
location, in an unmodified state.
Second, an exact duplicate of the original material is created that will be scrutinized as
the investigation continues.
Consider examples of the scientific process applied to the preservation of common forms of
digital evidence:
Hard Drives
Observation: A hard drive has a SATA interface with a certain number of sectors
documented on the label.
Hypothesis: A complete and accurate duplicate of the hard drive can be obtained without
altering the original.
Prediction: The resulting forensic duplicate will have the same hash value as the original
hard drive.
Experimentation/Testing:
Comparing the hash value of the forensic duplicate with that of the original hard drive
confirms that they are the same. However, comparing the size of the forensic duplicate with the
capacity of the hard drive reveals a discrepancy. Further experimentation is needed to determine
that this discrepancy is caused by an incorrect number of sectors being detected by the
acquisition method used (a common cause is a host protected area or device configuration overlay
that hides the last sectors from the imaging tool). Using an alternative method to acquire data
from the hard drive gives a complete and accurate duplicate of the digital evidence. The lesson is
that a matching hash only proves the duplicate equals what the tool read, not that the tool read
the whole drive; the acquired size must also be checked against the labelled capacity.
Conclusions:
There is a high degree of confidence that an accurate duplicate of all data on the hard
drive was acquired in a forensically sound manner.
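The hard-drive example above, as an added illustration in Python written for these notes (it is not a tool or script from the original text). It models a drive whose last sectors are not detected by one acquisition method: the drive contents, the 1000-sector label and the eight hidden sectors are constructed for the demonstration. The point it shows is that a matching hash does not prove completeness, because the examiner's "source hash" was computed with the same under-reading method.

```python
import hashlib

SECTOR = 512  # assumed sector size in bytes


def make_test_drive(sectors=1000, hidden=8):
    """Build a constructed 'original drive' as bytes.

    Every sector starts with its own number so the image is non-trivial, and a
    marker is placed in the last `hidden` sectors to stand in for data that an
    imaging tool which detects too few sectors (e.g. one blind to a host
    protected area) would never read.
    """
    drive = bytearray(sectors * SECTOR)
    for s in range(sectors):
        drive[s * SECTOR : s * SECTOR + 8] = s.to_bytes(8, "little")
    marker = b"HIDDEN-DATA"
    off = (sectors - hidden) * SECTOR + 16
    drive[off : off + len(marker)] = marker
    return bytes(drive)


def acquire(drive, detected_sectors):
    """Simulate an acquisition method that only sees the first N sectors."""
    return drive[: detected_sectors * SECTOR]


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def verify_duplicate(image, source_hash, label_sectors):
    """Test both predictions: hash equality AND size equal to the labelled capacity.

    `source_hash` is the hash the examiner computed over the original drive
    with the same method; if that method under-reads the drive, the hashes
    still match, so the size check is what exposes the problem.
    """
    expected = label_sectors * SECTOR
    hash_ok = sha256(image) == source_hash
    return {
        "hash_matches": hash_ok,
        "bytes_acquired": len(image),
        "bytes_expected": expected,
        "missing_sectors": (expected - len(image)) // SECTOR,
        "complete": hash_ok and len(image) == expected,
    }


def demo(label_sectors=1000, detected_by_method_a=992):
    drive = make_test_drive(label_sectors)
    # Method A detects only 992 of the 1000 labelled sectors and hashes that view.
    image_a = acquire(drive, detected_by_method_a)
    result_a = verify_duplicate(image_a, sha256(acquire(drive, detected_by_method_a)), label_sectors)
    # Method B reads the full labelled capacity.
    image_b = acquire(drive, label_sectors)
    result_b = verify_duplicate(image_b, sha256(drive), label_sectors)
    return result_a, result_b, (b"HIDDEN-DATA" in image_a), (b"HIDDEN-DATA" in image_b)


if __name__ == "__main__":
    a, b, in_a, in_b = demo()
    print("method A:", a, "marker present:", in_a)
    print("method B:", b, "marker present:", in_b)
```

Running `demo()` shows method A passing the hash comparison yet missing eight sectors (and the marker), while method B is complete; in practice the labelled sector count comes from the drive label or an identify command, and the hidden sectors from a tool that can detect and temporarily remove an HPA/DCO.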
Prior to attempting to preserve digital evidence, it is most effective to prepare the necessary
forensic preservation tools and techniques to handle various forms of evidence. During the
preparation step of a digital investigation, activities such as testing tools and sanitizing and/or
encrypting storage media can be performed to make preservation processes go more smoothly.
Examination
Forensic examination is the process of extracting and viewing information from the evidence,
and making it available for analysis. Forensic examination of digital evidence is generally one of
the most resource intensive and time-consuming steps in a digital investigation. To produce
useful results in a timely manner at different phases of an investigation, it is useful to employ
three levels of forensic examination:
1. Survey/Triage Forensic Inspection: Targeted review of all available media to determine
which items contain the most useful evidence and require additional processing.
2. Preliminary Forensic Examination: Forensic examination of items identified during
survey/triage as containing the most useful evidence, with the goal of quickly providing
investigators with information that will aid them in conducting interviews and developing
leads.
3. In-Depth Forensic Examination: Comprehensive forensic examination of items that
require more extensive investigation to gain a more complete understanding of the
offense and address specific questions.
When conducting a forensic examination, it is useful to consider Carrier’s Integrated Digital
Investigation Process model, which treats sources of digital evidence as individual crime scenes.
By conceptually treating each source of digital evidence as a crime scene, digital investigators
are encouraged to apply each step of the investigative process to each source of evidence and
thereby develop a more comprehensive and methodical approach to a forensic examination.
Preparation for Forensic Examinations:
Prior to performing a forensic examination of digital evidence, it is advisable to prepare a
plan of action that outlines what steps will be taken and what processes will be performed on
each item of digital evidence.
Survey in Forensic Examinations:
Digital investigators will generally survey each source of digital evidence, including the
contents of hard drives, mobile devices, log files, and other data to develop an overall familiarity
with the corpus delicti (here, the totality of the evidence) and to find items of potential relevance
to the investigation.
Forensic Examinations:
Certain items within a source of digital evidence may require special processing so that
they can be examined more easily. Such special items can include mailboxes, password-protected
files, encrypted volumes, and unallocated space.
Forensic examination of digital evidence, whether it is an entire hard drive or an individual’s
mailbox, generally involves some level of recovery, harvesting, organization, search, and
reduction to produce a reduced dataset for forensic analysis.
Recovery:
Data should be extracted from available sources, including items that have been deleted,
hidden, camouflaged, or that are otherwise unavailable for viewing using the native operating
system and resident file system. The objective is to recover all unavailable data whether or not
it may be germane to the case or incident. In some instances, it may also be necessary to
reconstitute data fragments to recover an item. The output provides the maximum available
content for the investigators, such as a complete data timeline and information that may provide
insight into the motives of an offender if concrete proof of purposeful obfuscation is found and
recorded.
Harvesting:
Data and metadata (data about data) should be gathered about all recovered objects of
interest. This gathering will typically proceed with little or no discretion related to the data
content, its context, or interpretation. Rather, the investigator will look for categories of data that
can be harvested for later analysis: groupings of data with certain class characteristics that, from
experience or training, seem or are known to be related to the major facts of the case or incident
known to this point in the investigation.
Organization and Search:
A thorough analysis should be facilitated by organizing the reduced set of materials from
the previous step, grouping, tagging, or otherwise placing them into meaningful units. At this
stage, it may be advantageous to actually group certain files physically to accelerate the analysis
stage. They may be placed in groups using folders or separate media storage, or in some
instances a database system may be employed simply to point to the cataloged file system
objects for easy, accurate reference, without having to rely on the rudimentary search capability
offered by most host operating systems.
Reduction:
Irrelevant items should be eliminated, or specific items targeted in the collected data as
potentially germane to an investigation. This process is analogous to separating the wheat from
the chaff. The decision to eliminate or retain is made on the basis of external data attributes such
as hashes or checksums (for instance, dropping files whose hashes match a reference set of known
operating system files), type of data (after the type has been verified from the content rather than
from the file extension), etc. In addition, material facts associated with the case or incident are
also brought to bear to help eliminate data as potential evidence.
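The two reduction checks named above, hash-based elimination and type verification, as an added Python example written for these notes (not code from the original text). The file names, file contents, the small signature table and the known-good hash set are all constructed for the demonstration; a real examination would use a reference hash set such as the NSRL and a far larger signature library. The example also goes one step further than the text: files whose extension disagrees with their content are flagged rather than silently kept, since renaming an executable or archive to look like a picture or music file is a common hiding technique.

```python
import hashlib

# Constructed sample files recovered from an image (path -> content). Not real files.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
FILES = {
    "Windows/System32/notepad.exe":   PE_STUB + b"N" * 200,
    "Windows/System32/calc.exe":      PE_STUB + b"C" * 200,
    "Users/bob/Documents/plan.docx":  b"PK\x03\x04" + b"word/document.xml" + b"\x00" * 50,
    "Users/bob/Pictures/holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 100,
    "Users/bob/Pictures/beach.jpg":   PE_STUB + b"X" * 200,                         # executable renamed to .jpg
    "Users/bob/Music/song.mp3":       b"PK\x03\x04" + b"secrets.txt" + b"\x00" * 50,  # archive renamed to .mp3
}

# Hash set of known, unmodified operating-system files (stands in for a reference set such as the NSRL).
KNOWN_GOOD = {
    hashlib.sha256(FILES[p]).hexdigest()
    for p in ("Windows/System32/notepad.exe", "Windows/System32/calc.exe")
}

# Minimal file-signature table: leading bytes -> type. Real libraries know thousands of these.
SIGNATURES = [
    (b"MZ", "exe"),
    (b"PK\x03\x04", "zip"),
    (b"\xff\xd8\xff", "jpg"),
    (b"%PDF", "pdf"),
    (b"ID3", "mp3"),
]
EXTENSION_TYPE = {
    "exe": "exe", "dll": "exe", "docx": "zip", "xlsx": "zip", "zip": "zip",
    "jpg": "jpg", "jpeg": "jpg", "pdf": "pdf", "mp3": "mp3",
}


def sniff_type(data):
    """Determine the type from the content itself, not from the file name."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def reduce_files(files, known_good):
    """Eliminate known-good files by hash; keep the rest, flagging extension/content mismatches."""
    kept, eliminated, mismatches = [], [], []
    for path, data in files.items():
        if hashlib.sha256(data).hexdigest() in known_good:
            eliminated.append(path)
            continue
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        claimed = EXTENSION_TYPE.get(ext, "unknown")
        actual = sniff_type(data)
        if claimed != actual:
            mismatches.append((path, claimed, actual))
        kept.append(path)
    return {"kept": kept, "eliminated": eliminated, "mismatches": mismatches}


if __name__ == "__main__":
    result = reduce_files(FILES, KNOWN_GOOD)
    print("eliminated (known good):", result["eliminated"])
    print("kept for examination:   ", result["kept"])
    for path, claimed, actual in result["mismatches"]:
        print(f"type mismatch: {path} claims {claimed} but content is {actual}")
```

Two of the six constructed files are eliminated by hash and two of the remaining four are flagged because their content signature (a PE executable, a ZIP archive) does not match what the extension claims.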
Applying the scientific method to the forensic examination process can be a time-consuming and
repetitive process, but the effort is generally well spent, giving digital investigators the
information they need to resolve a case. A less methodical or scientifically rigorous forensic
examination may miss important information or may give erroneous results.
Analysis
The forensic analysis process is inseparable from the scientific method. By definition,
forensic analysis is the application of the scientific method and critical thinking to address the
fundamental questions in an investigation: who, what, where, when, how, and why.
This step involves the detailed scrutiny of data identified, preserved, and examined
throughout the digital investigation.
The techniques employed here will tend to involve review and study of specific, internal
attributes of the data such as text and narrative meaning of readable data, or the specific
format of binary audio and video data items.
Additionally, class and individual characteristics found in this step are used to establish
links, determine the source of items, and ultimately locate the offender.
Ultimately, the information that has been accumulated during the digital investigation is
combined to reconstruct a comprehensive understanding of events relating to the crime or
incident.
Observation:
Human readable (or viewable) digital data objects have substance that can be perceived
as well as context that can be reconstructed. That content and context of digital evidence may
contain information that is used to reconstruct events relating to the offense and to determine
factors such as means, motivation, and opportunity.
Hypothesis:
Develop a theory to explain digital evidence.
Prediction:
Based upon the hypothesis, digital investigators will then predict where they believe the
artifacts of that event will be located.
Experimentation/Testing:
A very general term, but applied here to mean any activity used to determine whether or
not digital evidence is compatible with the working theory. These activities can include running
experiments using a specific operating system or application to learn about their behavior and
associated artifacts, or loading the subject system into a virtualized environment to observe it as
the user would.
Conclusions:
The result of a thorough forensic analysis generally includes an investigative
reconstruction based on fusion and correlation of information.
During the investigation, data (information) have been collected from many sources (digital and
nondigital). The likelihood is that digital evidence alone will not tell the full tale. The converse is
also true. The data must be fused or brought together to populate the structures needed to tell the
full story.
Reporting and Testimony
To provide a transparent view of the investigative process, final reports should contain
important details from each step, including reference to protocols followed and methods used to
seize, document, collect, preserve, recover, reconstruct, organize, and search key evidence. The
majority of the report generally deals with the analysis leading to each conclusion and
descriptions of the supporting evidence. No conclusion should be written without a thorough
description of the supporting evidence and analysis. Also, a report can exhibit the investigator or
examiner’s objectivity by describing any alternative theories that were eliminated because they
were contradicted or unsupported by evidence
A significant amount of effort is required to prepare for questioning and to convey technical
issues in a clear manner. Therefore, this step in the process includes techniques and methods
used to help the analyst and/or domain expert translate technological and engineering details into
understandable narrative for discussion with decision makers
Computer Basics for Digital Investigators-Basic Operation of Computers
Assignment
Write a note on History of Computers
Write a note on Basic Operation of Computers
Write a note on Representation of Data
Representation of Data, Storage Media and Data Hiding; File Systems and Location of Data
All digital data are basically combinations of ones and zeros, commonly called bits. It is often
necessary for digital investigators to deal with data at the bit level, requiring an understanding of
how different systems represent data.
The spindle rotates in one direction about its axis (either clockwise or counterclockwise),
and the platters mounted on it rotate with it.
Read/write head
Each surface of a platter has its own read/write head that reads or writes data on that
surface. The heads move together across the platter surfaces because they are mounted on
arms attached to a single actuator.
Tracks
Each surface of a platter consists of a fixed number of tracks: concentric circular areas on
the surface whose circumference decreases towards the center of the platter. Data is normally
written to the outermost track first.
Sectors
Each track is divided into a fixed number of sectors, the smallest unit the drive itself reads
or writes (traditionally 512 bytes). A file system does not allocate individual sectors but groups
of them called clusters, so whether a file is large or small, the portion of its last cluster beyond
the end of the file is left unused (unless the file size is an exact multiple of the cluster size).
That leftover space, the file slack, cannot be used by any other file: a cluster is never shared
between two files, so even a file of a single byte consumes a whole cluster. For an examiner the
slack matters because the drive does not clear it; it may still hold fragments of whatever file
previously occupied the cluster, or data deliberately hidden there.
What is Data Obfuscation?
Data obfuscation is a process to obscure the meaning of data as an added layer of data protection.
In the event of a data breach, properly obfuscated data is of little use to attackers, which limits
the harm to the organization and to the individuals the data describes. Organizations should
prioritize obfuscating sensitive information in their data.
Top data obfuscation methods
If you ask ten people the definition of data obfuscation, you'll get 12 different answers.
That's because there are many different methods, each designed for specific purposes.
Obfuscation is an umbrella term for a variety of processes that transform data into
another form in order to protect sensitive information or personal data.
Three of the most common techniques used to obfuscate data are encryption,
tokenization, and data masking.
Encryption
is very secure, but you lose the ability to work with or analyze the data while it is
encrypted. Its strength comes from using a well-vetted, standard algorithm with an adequate key
length and, above all, from protecting the key: whoever holds the key can recover the data, so
a more exotic or complicated algorithm does not by itself make the data safer. Encryption is a
good obfuscation method if you need to store or transfer sensitive data securely.
Tokenization
substitutes sensitive data with a token, a value that has no meaning and no mathematical
relation to the original. The token cannot be reversed by computation; the only way back is the
lookup table (the token vault) that maps each token to the original data, and that vault stays
inside the organization. Tokenized data supports operations like running a credit card payment
without revealing the card number: the real data never leaves the organization and cannot be seen
or decrypted by a third-party processor.
Data masking
substitutes realistic but false data for original data to ensure privacy. Using masked data,
testing, training, development, or support teams can work with a dataset without putting real data
at risk. Data masking goes by many names. You may have heard of it as data scrambling, data
blinding, or data shuffling. The process of permanently stripping personally identifiable
information (PII) from sensitive data is also known as data anonymization or data sanitization.
Whatever you call it, fake data replaces real data. There is no algorithm to recover the original
values of masked data, so masking, unlike tokenization, is a one-way operation.
Masking out
is a way to create different versions of the data with a similar structure. The data type
does not change, only the value change. Data can be modified in several ways, for example
shifting numbers or letters, replacing words, and switching partial data between records.
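The difference in reversibility between tokenization and masking, as an added Python example written for these notes (not code from the original text). The token vault, the masking function, the shuffle helper and the card numbers are constructed for the demonstration; encryption is not shown because the standard library has no AES and the point here is what each method lets you recover, not the cipher.

```python
import re
import secrets


class TokenVault:
    """Tokenization: a random token stands in for the sensitive value.

    The token has no mathematical relation to the original, so it cannot be
    reversed by computation; only this mapping (which must stay inside the
    organization) can map it back. Tokens are drawn from a CSPRNG, never
    derived from the value, otherwise a low-entropy input could be guessed.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value):
        if value in self._value_to_token:          # same value -> same token (consistent joins)
            return self._value_to_token[value]
        while True:
            token = "tok_" + secrets.token_hex(8)
            if token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        return self._token_to_value[token]


def mask_pan(pan, keep_last=4):
    """Data masking: irreversible and format-preserving. Keeps separators and the last digits."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= keep_last:
        raise ValueError("nothing to mask")
    hidden = "X" * (len(digits) - keep_last) + digits[-keep_last:]
    out, i = [], 0
    for ch in pan:
        if ch.isdigit():
            out.append(hidden[i])
            i += 1
        else:
            out.append(ch)  # keep spaces and dashes where they were
    return "".join(out)


def shuffle_column(records, field):
    """Masking out by shuffling: every value is kept but detached from its record."""
    values = [r[field] for r in records]
    secrets.SystemRandom().shuffle(values)
    return [dict(r, **{field: v}) for r, v in zip(records, values)]


def demo():
    vault = TokenVault()
    pan = "4111 1111 1111 1234"          # constructed test card number
    token = vault.tokenize(pan)           # what a third-party processor would see
    return {
        "token": token,
        "round_trip": vault.detokenize(token) == pan,
        "masked": mask_pan(pan),
        "same_token_again": vault.tokenize(pan) == token,
    }


if __name__ == "__main__":
    print(demo())
```

The vault recovers the card number from the token; nothing recovers it from the masked string, and the shuffled column keeps the same set of values but breaks the link to the person each belonged to.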
A storage device without a file system would be in the same situation - and it would be a useless
electronic device. However, a file system changes everything:
Understanding file systems
A file system isn't just a bookkeeping feature, though.
Space management, metadata, data encryption, file access control, and data integrity are
the responsibilities of file system too.
Everything begins with partitioning.
Sectors: the physical unit of storage, traditionally 512 bytes of data (newer drives use 4096).
Clusters: the smallest logical unit of file storage; one or more sectors.
Logical and physical storage units:
Logical, recognized by the OS, e.g., clusters.
Physical, recognized by the device, e.g., sectors.
OS stores files in clusters (the wasted space problem). Example: file size 2050 bytes, one
cluster = two sectors = 1024 bytes. The file needs three clusters (3072 bytes), so 1022 bytes of
the last cluster are slack.
Efficiency: smaller clusters waste less space per file; NTFS uses a smaller default cluster
size (4 KB) than FAT32 does on large volumes, so it wastes less.
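The cluster and slack arithmetic above, together with the earlier point that a cluster is never shared between files, as an added Python example written for these notes (not code from the original). It models a tiny disk that allocates whole clusters; the file names and contents are constructed, and the cluster size (two 512-byte sectors) matches the 2050-byte example. Beyond the arithmetic it shows what the slack of a newly written file can still contain.

```python
SECTOR = 512


class ClusterDisk:
    """Toy model of a file system that allocates whole clusters (constructed example).

    Only the bytes of a file are ever written; deleting a file frees its clusters
    without wiping them, as most real file systems do.
    """

    def __init__(self, clusters=16, sectors_per_cluster=2):
        self.cluster_size = sectors_per_cluster * SECTOR
        self.disk = bytearray(clusters * self.cluster_size)  # zero-filled, "factory fresh"
        self.free = list(range(clusters))
        self.files = {}  # name -> (size, [cluster numbers])

    def clusters_needed(self, size):
        return -(-size // self.cluster_size)  # ceiling division; a 0-byte file needs none

    def slack(self, size):
        """Bytes wasted in the last cluster for a file of this size."""
        return self.clusters_needed(size) * self.cluster_size - size

    def write(self, name, data):
        n = self.clusters_needed(len(data))
        if n > len(self.free):
            raise OSError("disk full")
        alloc = [self.free.pop(0) for _ in range(n)]
        for i, c in enumerate(alloc):
            chunk = data[i * self.cluster_size:(i + 1) * self.cluster_size]
            off = c * self.cluster_size
            self.disk[off:off + len(chunk)] = chunk  # tail of the last cluster is left untouched
        self.files[name] = (len(data), alloc)

    def delete(self, name):
        _, alloc = self.files.pop(name)
        self.free = sorted(self.free + alloc)  # clusters become reusable, contents remain

    def read(self, name):
        size, alloc = self.files[name]
        out = b"".join(bytes(self.disk[c * self.cluster_size:(c + 1) * self.cluster_size])
                       for c in alloc)
        return out[:size]

    def read_slack(self, name):
        """Everything in the last cluster past the logical end of the file."""
        size, alloc = self.files[name]
        if not alloc:
            return b""
        used = size - (len(alloc) - 1) * self.cluster_size
        off = alloc[-1] * self.cluster_size
        return bytes(self.disk[off + used: off + self.cluster_size])


def demo():
    d = ClusterDisk()
    secret = (b"CONFIDENTIAL-MERGER-PLAN " * 100)[:2050]  # the 2050-byte file from the example
    d.write("plan.txt", secret)
    stats = {"clusters": d.clusters_needed(2050), "slack": d.slack(2050)}
    d.delete("plan.txt")                                # the user "deletes" it
    d.write("notes.txt", b"shopping list\n" * 20)       # 280 bytes, reuses the first freed cluster
    remnant = d.read_slack("notes.txt")
    return stats, d.read("notes.txt"), remnant


if __name__ == "__main__":
    stats, notes, remnant = demo()
    print(stats)                          # 3 clusters, 1022 bytes of slack
    print(b"CONFIDENTIAL" in remnant)     # old content survives in the new file's slack
```

The operating system returns only the 280 bytes of `notes.txt`; an examiner reading the cluster directly sees the remaining 744 bytes, which still hold part of the deleted file.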
Encryption is a way of scrambling data so that only authorized parties can understand the
information. In technical terms, it is the process of converting human-readable plaintext to
incomprehensible text, also known as ciphertext. In simpler terms, encryption takes readable data
and alters it so that it appears random. Encryption requires the use of a cryptographic key: a set
of mathematical values that both the sender and the recipient of an encrypted message agree on
(in symmetric encryption they share one secret key; in asymmetric encryption the recipient
publishes an encryption key and keeps the matching decryption key private).
However, depending on the type of log source, the file will also contain a wealth of relevant data.
For example, web server logs also record the referrer (the page that linked to the request), the
HTTP status code, bytes served, the client's user agent, and more.
Where do Log Files Come From?
Types of Logs
Nearly every component in a network generates a different type of data and each component
collects that data in its own log. Because of that, many types of logs exist, including:
Event logs
An event log is a high-level log that records noteworthy events on a system or
application, such as login attempts, failed password attempts, service starts and stops, and
application errors (on Windows, the Application, Security and System event logs).
Server logs
A server log is a text document containing a record of activities related to a specific
server in a specific period of time.
System logs
A system log, or syslog, is a record of operating system events. It includes startup
messages, system changes, unexpected shutdowns, errors and warnings, and other important
processes. Linux and macOS record these through the syslog mechanism; Windows records
the equivalent in the Windows Event Log rather than in syslog format.
Authorization logs and access logs
Authorization logs and access logs include a list of people or bots accessing certain
applications or files.
Change logs
Change logs include a chronological list of changes made to an application or file.
Availability logs
Availability logs track system performance, uptime, and availability.
Resource logs
Resource logs provide information about connectivity issues and capacity limits.
Threat logs
Threat logs contain information about system, file, or application traffic that matches
a predefined security profile within a firewall.
Log files are an important source of digital forensic evidence because they usually connect
events to points in time. Log file data can be used to investigate network anomalies due to
insider threats, data leaks and misuse of IT assets, and can help identify network intruders.
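Detection logic run over web-server log lines, as an added Python example written for these notes (not from the original text). The eight lines below are in the "combined" format the text describes (client address, timestamp, request, status, bytes, referrer, user agent) and were constructed for the demonstration; the five-failure threshold and the one-minute window are assumptions, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log excerpt in Apache/Nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:14:01:02 +0000] "GET /login HTTP/1.1" 200 1043 "https://example.test/" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:01:05 +0000] "POST /login HTTP/1.1" 401 512 "https://example.test/login" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:01:06 +0000] "POST /login HTTP/1.1" 401 512 "https://example.test/login" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:01:07 +0000] "POST /login HTTP/1.1" 401 512 "https://example.test/login" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:01:08 +0000] "POST /login HTTP/1.1" 401 512 "https://example.test/login" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:01:09 +0000] "POST /login HTTP/1.1" 401 512 "https://example.test/login" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:01:11 +0000] "POST /login HTTP/1.1" 302 0 "https://example.test/login" "Mozilla/5.0"
198.51.100.4 - alice [10/Mar/2024:14:03:40 +0000] "GET /reports/q1.pdf HTTP/1.1" 200 88211 "-" "curl/8.4.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse_line(line):
    """One combined-format line -> dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def find_bruteforce(records, threshold=5, window=timedelta(minutes=1)):
    """Flag each client with >= threshold failed logins inside `window`.

    Also reports whether that client then got a successful login (2xx/3xx to the
    same path) within `window` of the last failure: the timeline detail an
    examiner needs to tell a noisy failure from a likely compromise.
    """
    by_ip = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and r["path"] == "/login":
            by_ip[r["ip"]].append(r)
    findings = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda r: r["ts"])
        fails = [r for r in attempts if r["status"] == 401]
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and fails[j + 1]["ts"] - fails[i]["ts"] <= window:
                j += 1
            if j - i + 1 >= threshold:
                last = fails[j]["ts"]
                success = any(200 <= r["status"] < 400 and last < r["ts"] <= last + window
                              for r in attempts)
                findings[ip] = {"failures": j - i + 1, "first": fails[i]["ts"],
                                "last": last, "success_after": success}
                break
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, f in find_bruteforce(recs).items():
        print(f"{ip}: {f['failures']} failures {f['first']:%H:%M:%S}-{f['last']:%H:%M:%S}, "
              f"success afterwards: {f['success_after']}")
```

On the sample, 203.0.113.7 produces five failures in four seconds followed by a redirect two seconds later, exactly the sequence (many failures, then success) that turns a brute-force alert into a likely account compromise worth pursuing.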
Registry
Inside every operating system there must be some place to keep settings.
What is my current internet address? What are all the users on my system and what are
their credentials (Windows keeps password hashes, not the passwords themselves, in the SAM)?
What color desktop am I using? What applications are installed? If I double click on a file
with a docx extension, what application needs to fire up to handle it?
There are hundreds of thousands of questions like this that even the simplest individual
machine must answer, and we've got to store that somewhere.
Windows uses a single logical store for this, called the registry. It is not a text file: it is
kept in binary hive files that are normally viewed and edited with the Registry Editor (regedit)
or reg.exe, and that forensic tools can parse directly from a disk image without booting the
system.
Windows registry
The registry or Windows registry is a database of information, settings, options, and
other values for software and hardware installed on all versions of Microsoft
Windows operating systems. When a program is installed, a new subkey is created in the
registry. This subkey contains settings specific to that program, such as its location,
version, and primary executable.
The Windows Registry is a database where Windows and many programs store their
configuration settings.
The Windows registry is a collection of several databases. There are system-wide registry
settings that apply to all users, and each Windows user account also has its own user-
specific settings.
A hive in the Windows Registry is the name given to a major section of the registry that
contains registry keys, registry subkeys, and registry values.
All keys that are considered hives begin with "HKEY" and are at the root, or the top of
the hierarchy in the registry, which is why they're also sometimes called root keys or core
system hives. Strictly speaking, the HKEY_ roots are views assembled by Windows at run
time; the hives proper are the on-disk files that back them (SYSTEM, SOFTWARE, SAM and
SECURITY under %SystemRoot%\System32\config, and each user's NTUSER.DAT and
UsrClass.dat). An examiner working from an image copies and parses those files rather than
relying on the live registry.
Here is a list of the common registry hives in Windows:
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
Holds the user settings for the currently logged in user and is usually abbreviated HKCU
This is actually just a link to HKEY_USERS\<SID-FOR-CURRENT-USER>. The most
important sub-key in here is HKCU\Software, which contains user-level settings for most
of your software.
HKEY_LOCAL_MACHINE
All of the system-wide settings are stored here, and it is usually abbreviated as HKLM.
You’ll mostly use the HKLM\Software key to check machine-wide settings.
HKEY_USERS
Stores all of the settings for all users on the system. You’ll typically use HKCU instead,
but if you need to check settings for another user on your computer, you can use this one.
HKEY_CURRENT_CONFIG
Stores all of the information about the current hardware configuration. This one isn't used
very often, and it is just a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\
Current.
Internet traces
Accessing the Internet leaves a wide variety of information on a computer including Web sites,
contents viewed, and newsgroups accessed. For instance, some Windows systems maintain a
record of accounts that are used to connect to the Internet as shown in Figure
Web Browsing
When an individual first views a Web page, the browser caches the page and associated
elements such as images on disk; the creation and modification times of those cached files
correspond to when the page was viewed. When the same site is accessed in the future, the cached
file is used. The number of times that a given page was visited is recorded in some Web browser
history databases.
The web is a vast and powerful tool
Over the course of a few decades, the internet has changed the way we work, the way we
play and the way we interact with one another.
Depending on how it’s used, it bridges nations, drives commerce, nurtures relationships,
drives the innovation engine of the future and is responsible for more memes than we
know what to do with.
What Are Cookies?
Cookies are small pieces of data, such as a session identifier or a preference, that a web
server sends to the browser and the browser stores and returns on later requests, so that the
server can recognise the same browser across requests. HTTP cookies are used to identify
specific users and improve your web browsing experience.
The data stored in a cookie is created by the server when you connect. Typically it carries an
identifier unique to your browser session rather than your username and password themselves.
Session
Overview
A session is a group of user interactions with your website that take place within a given
time frame.
For example, a single session can contain multiple page views, events, social interactions,
and ecommerce transactions.
You can think of a session as the container for the actions a user takes on your site.
A single user can open multiple sessions. Those sessions can occur on the same day, or over
several days, weeks, or months. As soon as one session ends, there is then an opportunity to start
a new session. There are two ways in which a session ends:
• Time-based expiration: after 30 minutes of inactivity, or at midnight.
• Campaign change: if a user arrives via one campaign, leaves, and then comes back via a
different campaign.
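The three session-boundary rules above, applied to a list of page hits as an added Python example written for these notes (not from the original text). The users, timestamps and campaign names are constructed; a hit without a campaign tag is assumed to continue whatever campaign the open session began with. The same routine is what an examiner runs over a web-server or proxy log to turn thousands of lines into a handful of visits.

```python
from datetime import datetime, timedelta

INACTIVITY = timedelta(minutes=30)


def sessionize(hits, inactivity=INACTIVITY):
    """Group (user, timestamp, campaign) hits into sessions.

    A new session starts when the user has no open session, after `inactivity`
    without a hit, when the calendar day changes (midnight rule), or when a hit
    carries a campaign different from the one the open session began with.
    """
    sessions = []
    open_session = {}  # user -> session dict currently being extended
    for user, ts, campaign in sorted(hits, key=lambda h: (h[0], h[1])):
        s = open_session.get(user)
        starts_new = (
            s is None
            or ts - s["end"] > inactivity
            or ts.date() != s["end"].date()
            or (campaign is not None and campaign != s["campaign"])
        )
        if starts_new:
            s = {"user": user, "start": ts, "end": ts, "campaign": campaign, "hits": 0}
            sessions.append(s)
            open_session[user] = s
        s["end"] = ts
        s["hits"] += 1
    return sessions


# Constructed hits: (user id, time of hit, campaign tag or None).
SAMPLE_HITS = [
    ("u1", datetime(2024, 3, 10, 9, 0),   "spring"),
    ("u1", datetime(2024, 3, 10, 9, 10),  None),      # same session, 10 min later
    ("u1", datetime(2024, 3, 10, 9, 50),  None),      # 40 min gap -> new session
    ("u1", datetime(2024, 3, 10, 10, 5),  "summer"),  # different campaign -> new session
    ("u2", datetime(2024, 3, 10, 23, 50), None),
    ("u2", datetime(2024, 3, 11, 0, 5),   None),      # crosses midnight -> new session
]


if __name__ == "__main__":
    for s in sessionize(SAMPLE_HITS):
        print(f"{s['user']} {s['start']:%Y-%m-%d %H:%M}-{s['end']:%H:%M} "
              f"hits={s['hits']} campaign={s['campaign']}")
```

The six constructed hits become five sessions: one broken by inactivity, one by a campaign change and one by the midnight boundary, while the 10-minute follow-up hit stays in its original session.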
What is a web session?
Email
Short for electronic mail, e-mail or email is information stored on a computer that is exchanged
between two users over telecommunications. More plainly, e-mail is a message that may
contain text, files, images, or other attachments sent through a network to a specified individual
or group of individuals.
What is an Email Protocol: Definition and Types
Email protocol is a standard method for exchanging information between email clients like
Thunderbird, Apple Mail, or Mailbird and email provider’s servers like Gmail, Outlook, Yahoo,
and vice versa.
Email protocols differ by function: some retrieve mail from a server to a client, while
others transport mail between servers.
Post Office Protocol 3 (POP3) and Internet Message Access Protocol (IMAP), for
example, are used by a client to receive (retrieve) mail, while Simple Mail Transfer Protocol
(SMTP) is responsible for sending and relaying mail.
Email protocol
Email protocol is a method by which a communication channel is established between
two computers and email is transferred between them.
When an email is transferred, a mail server and two computers are involved. One
computer sends the mail and the other one receives it.
The mail server stores the mail and lets the receiving device access it and download it if
needed.
POP3
POP3 stands for Post Office Protocol version 3.
As the name suggests, it lets you use your email inbox like a post office: emails are
downloaded onto your computer and, by default, removed from the mail server.
When accessing your emails using the POP3 protocol, a copy of the emails is created and stored
locally on your computer. The originals are usually, but not always, removed from the mail server
(most clients offer a "leave a copy on the server" option). In other words, emails are tied to the
specific device. Once an email is downloaded onto one device and removed from the mail server,
it cannot be accessed by another email client or device; for an investigator this means the local
mailbox file on that device may be the only copy.
IMAP
IMAP stands for Internet message access protocol.
Unlike POP3, IMAP lets you log into different email clients or webmail interfaces and
view the same emails, because in the IMAP setup emails are kept on the mail server
rather than on your computer.
When you access your emails using the IMAP protocol, you are essentially using the
email client to connect to your mail server and managing your emails directly on your
mail server.
In this setup, your mail server rather than your local computer is the main storage source
of your emails.
Because of this, IMAP makes it possible to access your emails from different devices and
all changes are synchronized with the mail server and any email client(s) you are using.
In other words, if you delete an email from one email client, it is deleted from the mail
server and the action is reflected across all devices and email clients.
“From:” — sender’s name and email address, “To:” — the recipient’s name and email
address, and “Date:” — the time and date of when the email was sent. All of these are
mandatory indicators. Other parts of the email header are optional and differ among email
service providers.
Preventing spam. The information displayed in the email header helps email service
providers troubleshoot potential spam issues. ESPs analyze the email header, the
“Received:” tag in particular, to decide whether or not to deliver an email.
Identifying the email route. When an email is sent from one computer to another, it
passes through the Mail Transfer Agent, which automatically “stamps” the email header
with information about the recipient, time and date.
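Reconstructing the route from the “Received:” stamps and checking the three mandatory headers, as an added Python example that is not part of the course notes; both messages, and every host name and address in them, are constructed for illustration.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample message (not from the course notes): three genuine hops.
# Each MTA prepended its own "Received:" line, so the newest stamp is on top.
RAW_MESSAGE = """\
Received: from mx2.example.org (mx2.example.org [192.0.2.20])
 by inbox.example.net with ESMTP id abc123;
 Mon, 04 Oct 2021 10:15:42 +0000
Received: from relay.example.com (relay.example.com [198.51.100.7])
 by mx2.example.org with ESMTPS id def456;
 Mon, 04 Oct 2021 10:15:40 +0000
Received: from sender-pc (unknown [203.0.113.5])
 by relay.example.com with ESMTP id ghi789;
 Mon, 04 Oct 2021 10:15:39 +0000
From: Alice <alice@example.com>
To: Bob <bob@example.net>
Date: Mon, 04 Oct 2021 10:15:38 +0000
Subject: Test

hello
"""

# Constructed sample whose stamps do not link up (the host that "received" the
# mail is not the host the next stamp says it came from) and whose timestamps
# run backwards: the kind of inconsistency that points at a forged header.
FORGED_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.30])
 by inbox.example.net with ESMTP id jkl012;
 Mon, 04 Oct 2021 11:00:05 +0000
Received: from mail.bank.example (mail.bank.example [192.0.2.99])
 by gateway.bank.example with ESMTP id mno345;
 Mon, 04 Oct 2021 11:00:10 +0000
From: "Bank Support" <support@bank.example>
To: Bob <bob@example.net>
Date: Mon, 04 Oct 2021 10:59:00 +0000
Subject: Account notice

please log in
"""

_FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
_BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _parse_received(value):
    """Extract the claimed sending host, its bracketed IP, the receiving host and
    the time stamp (the part after the last ';') from one Received: value."""
    text = re.sub(r"\s+", " ", value).strip()   # unfold continuation lines
    from_m, by_m, ip_m = _FROM_RE.search(text), _BY_RE.search(text), _IP_RE.search(text)
    stamp = None
    if ";" in text:
        try:
            stamp = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            stamp = None
    return {
        "from": from_m.group(1).lower() if from_m else None,
        "ip": ip_m.group(1) if ip_m else None,
        "by": by_m.group(1).lower() if by_m else None,
        "timestamp": stamp,
    }


def trace_route(raw_message):
    """Return the hops in delivery order: the stamp nearest the body is the oldest,
    so the header order is reversed to get the chronological route."""
    msg = email.message_from_string(raw_message)
    return [_parse_received(v) for v in reversed(msg.get_all("Received") or [])]


def missing_mandatory_headers(raw_message):
    """The notes call From:, To: and Date: mandatory; report whichever are absent."""
    msg = email.message_from_string(raw_message)
    return [name for name in ("From", "To", "Date") if msg.get(name) is None]


def chain_anomalies(hops):
    """Flag hops that do not hand off to each other or whose stamps go back in time."""
    problems = []
    for i in range(1, len(hops)):
        prev, cur = hops[i - 1], hops[i]
        if prev["by"] and cur["from"] and prev["by"] != cur["from"]:
            problems.append(f"hop {i} was received by {prev['by']}, "
                            f"but hop {i + 1} claims to come from {cur['from']}")
        if prev["timestamp"] and cur["timestamp"] and cur["timestamp"] < prev["timestamp"]:
            problems.append(f"hop {i + 1} is stamped earlier than hop {i}")
    return problems


if __name__ == "__main__":
    for label, raw in (("genuine", RAW_MESSAGE), ("forged", FORGED_MESSAGE)):
        hops = trace_route(raw)
        print(f"{label}: missing headers = {missing_mandatory_headers(raw)}")
        for n, hop in enumerate(hops, 1):
            print(f"  hop {n}: {hop['from']} [{hop['ip']}] -> {hop['by']} at {hop['timestamp']}")
        for problem in chain_anomalies(hops):
            print("  anomaly:", problem)
```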
Module 4
Cyber Crimes-What is Cyber Crime, Categories of Cyber Crime-Against Individual, Institution
and States.
Crime Types-Basics of SQL Injections, Theft of FTP password. Cross-site scripting. Viruses,
Worms, Logical bombs. E-mail bombing, DoS attack, Spamming, Web jacking. Identity theft
and Credit card fraud. Data diddling, Salami attacks, Phishing, Cyber stalking. Spoofing,
Pornography, Defamation, Computer vandalism. Cyber terrorism. Cyber warfare. Hacking
Types of Hackers-Black hat. White hat. Gray hat. Different types of Malwares
Cyber Crimes -What is Cyber Crime, Categories of Cyber Crime-Against Individual,
Institution and States.
Cybercrime, also called computer crime, is the use of a computer as an instrument to further
illegal ends, such as committing fraud, trafficking in child pornography
and intellectual property, stealing identities, or violating privacy.
Cybercrime, especially through the Internet, has grown in importance as the computer has
become central to commerce, entertainment, and government.
Role of Computer in the Crime
Computers will probably be involved in crimes that no one has ever imagined
When investigating a case, it is important to know what roles the computer played in
the crime.
Then tailor the investigative process to that role.
The computer (by which we mean the information resident on the computer, code as well as
data) is the target of the crime, with an intention of damaging its integrity, confidentiality, and/or
availability.
Many of these violations involve gaining unauthorized access to the target system (i.e.,
hacking into it)
The computer is a repository for information used or generated in the commission of a
crime.
For example, to store stolen password lists, credit card or calling card numbers, proprietary
corporate information, pornographic image files, or “warez” (pirated commercial software).
The computer is used as a tool in committing a crime
Many of the examples in this report deal with unlawful conduct that exists in the
physical, off-line world—the illegal sale of prescription drugs, controlled substances,
alcohol and guns, fraud, gambling, and child pornography
Here are the five attack types that were most damaging for enterprises in 2020.
1. Social engineering.
In 2020, almost a third of the breaches incorporated social engineering
techniques, of which 90% were phishing. Social engineering attacks include, but are not limited
to, phishing emails, scareware, quid pro quo and other techniques — all of which manipulate
human psychology to attain specific goals.
2. Ransomware.
Ransomware is a data-encrypting program that demands payment to release the infected
data. The overall sum of ransom demands will have reached $1.4 billion in 2020, with an
average sum to rectify the damage reaching up to $1.45 million. Ransomware is the third most
popular type of malware used in data breaches and is employed in 22% of the cases.
3. DDoS attacks.
There were 4.83 million DDoS attacks attempted in the first half of 2020 alone and each hour of
service disruption may have cost businesses as much as $100k on average. To form a botnet
needed for a coordinated DDoS attack, hackers employ devices previously compromised by
malware or hacking. Thus, every machine can be performing criminal activity with its owner
being unaware. The traffic can then be targeted against, say, AWS, which reported
having prevented a 2.3 Tbps attack in February 2020.
4. Third party software.
The top 30 ecommerce retailers in the US are connected to 1,131 third-party resources each and
23% of those assets have at least one critical vulnerability. If one of the applications within this
ecosystem is compromised, it opens a gateway for the hackers to the other domains. A breach
caused by a third party costs $4.29 million on average.
5. Cloud computing vulnerabilities.
The global market for cloud computing is estimated to grow 17% this year, totaling $227.8
billion. During the pandemic, the economy also witnessed a 50% increase in cloud use
across all industries.
This trend is a perfect lure for hackers, who performed 7.5 million external attacks on cloud
accounts in Q2 2020. Since the beginning of the year, the number of attempted breaches grew
by 250% compared to 2019. The criminals scan for cloud servers with no password, exploit
unpatched systems and perform brute-force attacks to access user accounts. Some try to plant
ransomware or steal sensitive data, whilst others use cloud systems for cryptojacking or
coordinated DDoS attacks.
Crime Types-
Basics of SQL Injections, Theft of FTP password, Cross-site scripting.
Cybercrime
Cybercrime is any criminal activity that involves a computer, networked device or a network.
Basics of SQL Injections
Integrity: Just as it may be possible to read sensitive information, it is also possible to make
changes or even delete this information with a SQL Injection attack.
SQL Injection Prevention
SQL Injection attacks are unfortunately very common, and this is due to two factors:
1. the significant prevalence of SQL Injection vulnerabilities, and
2. the attractiveness of the target (i.e., the database typically contains all the
interesting/ critical data for your application).
Avoiding SQL injection flaws is simple.
Developers need to either:
a) stop writing dynamic queries; and/or
b) prevent user-supplied input which contains malicious SQL from affecting the logic of
the executed query.
Primary Defenses:
Option 1: Use of Prepared Statements (with Parameterized Queries)
Option 2: Use of Stored Procedures
Option 3: Allow-list Input Validation
Option 4: Escaping All User Supplied Input
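Option 1 (prepared statements) and Option 3 (allow-list validation) beside the dynamic query they replace, as an added Python example that is not part of the course notes; the in-memory SQLite table, the user records and the tainted input are constructed for illustration.

```python
import re
import sqlite3


# Constructed in-memory user table (not from the course notes).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_dynamic(conn, username, password):
    """The flaw: user input is pasted into the SQL text, so a quote in the input
    ends the string literal and the rest of the input becomes query logic."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Option 1 from the notes: the SQL text is fixed and the values travel
    separately as parameters, so whatever the input contains is compared as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Option 3 from the notes: an allow-list for a field whose shape is known in advance.
_USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def is_allowed_username(username):
    """True only if the username consists solely of the characters we expect;
    anything else is rejected before it reaches the database."""
    return _USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    db = make_db()
    # Constructed input containing a quote and SQL: the dynamic query returns every
    # user, the parameterized one returns nobody because no such username exists.
    tainted = "x' OR '1'='1"
    print("dynamic:", login_dynamic(db, tainted, tainted))
    print("parameterized:", login_parameterized(db, tainted, tainted))
    print("allow-list accepts it:", is_allowed_username(tainted))
```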
Theft of FTP password
This is another very common way to tamper with web sites.
FTP password hacking takes advantage of the fact that many webmasters store their
website login information on their poorly protected PCs.
The thief searches the victim’s system for FTP login details and relays them to their own
remote computer.
The thief then logs into the web site via the remote computer and modifies the web pages as
they please.
Cross-site scripting
In a typical XSS attack, the hacker infects a web page with a malicious client-side script or
program.
When you visit this web page, the script is automatically downloaded to your browser and
executed.
Typically, attackers inject HTML, JavaScript, VBScript, ActiveX or Flash into a vulnerable
application to deceive you and gather confidential information.
Viruses, Worms, Logical bombs. E-mail bombing, DoS attack, Spamming, Web jacking.
Virus
A virus is a “program that is loaded onto your computer without your knowledge and
runs against your wishes”.
Signs of Viruses
TYPES OF VIRUSES
RESIDENT VIRUS
Resident viruses set up shop in your RAM and intrude with your system operations.
They’re so sneaky that they can even attach themselves to your anti-virus software files.
MULTIPARTITE VIRUS
This virus infects the entire system – multipartite viruses spread by performing unauthorized
actions on your operating system, folders, and programs.
DIRECT ACTION
This virus targets a specific file type, most commonly executable files (.exe), by replicating and
infecting files. Due to its targeted nature, this virus type is one of the easier ones to detect and
remove.
BROWSER HIJACKER
Easily detected, this virus type infects your browser and redirects you to malicious websites.
OVERWRITE VIRUS
As the name implies, overwrite viruses overwrite file content to infect entire folders, files, and
programs.
WEB SCRIPTING VIRUS
This sneaky virus disguises itself in the coding of links, ads, images, videos, and site code. It can
infect systems when users download malicious files or visit malicious websites.
FILE INFECTOR
By targeting executable files (.exe), file infector viruses slow down programs and damage
system files when a user runs them.
NETWORK VIRUS
Network viruses travel through network connections and replicate themselves through shared
resources
BOOT SECTOR VIRUS
One of the easier viruses to avoid, this virus hides out in a file on a USB drive or email
attachment. When activated, it can infect the system’s master boot record to damage the system.
Solution
Install a security suite that protects the computer against threats such as viruses and worms
Worm
A computer worm is a type of malware that spreads copies of itself from computer to computer.
A worm can replicate itself without any human interaction, and it does not need to attach itself to
a software program in order to cause damage.
How to tell if your computer has a worm?
If you suspect your devices are infected with a computer worm, run a virus scan immediately.
Even if the scan comes up negative, continue to be proactive by following these steps.
1. Keep an eye on your hard drive space. When worms repeatedly replicate themselves,
they start to use up the free space on your computer.
2. Monitor speed and performance. Has your computer seemed a little sluggish lately?
Are some of your programs crashing or not running properly? That could be a red flag
that a worm is eating up your processing power.
3. Be on the lookout for missing or new files. One function of a computer worm is to
delete and replace files on a computer.
How to help protect against computer worms
1. Since software vulnerabilities are major infection vectors for computer worms, be sure
your computer’s operating system and applications are up to date with the latest versions.
Install these updates as soon as they’re available because updates often include patches
for security flaws.
2. Phishing is another popular way for hackers to spread worms (and other types of
malware). Always be extra cautious when opening unsolicited emails, especially those
from unknown senders that contain attachments or dubious links.
3. Be sure to invest in a strong internet security software solution that can help block these
threats. A good product should have anti-phishing technology as well as defenses against
viruses, spyware, ransomware, and other online threats.
Logic Bomb
A Logic Bomb is a piece of often-malicious code that is intentionally inserted into software. It is
activated upon the host network only when certain conditions are met.
Example:
“Some dissatisfied developers have a way of ‘going out screaming’ when they leave or
are terminated from a work setting. They insert logic bombs into company systems that,
upon certain events or at certain times, execute malicious functions such as files
deletions.”
E-mail bombing
An email bomb is a form of Internet abuse which is perpetrated through the sending of massive
volumes of email to a specific email address with the goal of overflowing the mailbox and
overwhelming the mail server hosting the address, making it into some form of denial-of-service
attack.
An email bomb is also known as a letter bomb.
There are three ways to create an email bomb:
Mass mailing - involves sending numerous duplicates of the same email to one email address.
Because of the simplicity of this attack, it can be easily detected by spam filters.
List linking - meant more to annoy than to cause real trouble. The technique involves
subscribing the targeted address to many different email lists so that it constantly receives
mail from these lists. The user then has to manually unsubscribe from each list.
ZIP bombing
The latest twist on email bombing uses ZIP-archived attachments. Mail servers always
check email attachments for viruses, especially zip archives and .exe files.
The idea here is to place a text file with millions or billions of arbitrary characters or even
a single letter repeated millions of times so that the scanner would require a greater
amount of processing power to read each one.
Combining this with mass mailing techniques ups the potential for a denial-of-service
attack to succeed.
DoS attack
A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making
it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with
traffic or sending it information that triggers a crash. In both instances, the DoS attack deprives
legitimate users (i.e., employees, members, or account holders) of the service or resource they
expected.
Spamming
Spamming is the use of electronic messaging systems like e-mails and other digital delivery
systems and broadcast media to send unwanted bulk messages indiscriminately. The term
spamming is also applied to other media like in internet forums, instant messaging, and
mobile text messaging, social networking spam, junk fax transmissions, television
advertising and sharing network spam.
Web jacking.
When a Web application improperly redirects a user’s browser from a page on a trusted
domain to a bogus domain without the user’s consent, it’s called Web Jacking.
The web jacking attack method is a form of the social engineering attack known as
phishing, which is often used to steal user data, including login credentials and credit card
numbers.
Web Jacking Attack Method:
The first step of the web jacking attack method is to create a fake page of the victim website, for
example www.anywebsite.com/login.php.
The second step is to host it either on a local computer or on shared hosting.
The third step is to send the link of the fake page to the victim.
In the fourth step the victim opens the link, enters their details and submits.
In the last step, the attacker gets all the details submitted by the victim.
How to be safe from the web jacking attack method
First of all, do not enter sensitive data in any link sent to you.
Check the URL.
Just because the address looks OK, don’t assume this is a legitimate site.
Read the company name carefully: is it right or wrong?
Check whether the protocol is http or https; if http, do not enter your data.
If you are not sure whether the site is real or fake, enter a wrong username and password.
Use a browser with antiphishing detection.
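The URL checks above (https, the company name in the host, and look-alike spellings) written out as a Python function, as an added example that is not part of the course notes; the look-alike table and every address other than www.anywebsite.com are constructed for illustration.

```python
from urllib.parse import urlsplit

# Characters commonly swapped for look-alikes in bogus domain names (a small
# constructed table, not an exhaustive one).
_LOOKALIKES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def _normalize(host):
    """Undo the common look-alike substitutions so 'anyweb5ite' reads 'anywebsite'."""
    for fake, real in _LOOKALIKES.items():
        host = host.replace(fake, real)
    return host


def check_link(url, legitimate_domain):
    """Return the reasons not to enter data at `url`; an empty list means the basic
    checks from the notes pass (https, and the host really is the company's domain)."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    legit = legitimate_domain.lower()

    if parts.scheme != "https":
        warnings.append("protocol is not https")
    if parts.username is not None:
        # https://www.anywebsite.com@203.0.113.5/ is served by 203.0.113.5, not by
        # anywebsite.com: the text before '@' is a user name, placed there to mislead.
        warnings.append("address carries text before '@' that hides the real host")
    if host != legit and not host.endswith("." + legit):
        warnings.append(f"host {host!r} is not {legit!r} or one of its subdomains")
        normalized = _normalize(host)
        if normalized == legit or normalized.endswith("." + legit):
            warnings.append(f"host {host!r} is a look-alike of {legit!r}")
    return warnings


if __name__ == "__main__":
    for link in ("https://www.anywebsite.com/login.php",
                 "http://www.anywebsite.com/login.php",
                 "https://www.anywebsite.com.example/login.php",
                 "https://anyweb5ite.com/login.php",
                 "https://www.anywebsite.com@203.0.113.5/login.php"):
        print(link, "->", check_link(link, "anywebsite.com") or "looks fine")
```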
Identity theft and Credit card fraud, Data diddling, Salami attacks, Phishing, Cyber
stalking.
Identity theft
Identity theft is the crime of obtaining the personal or financial information of another
person to use their identity to commit fraud, such as making unauthorized transactions or
purchases.
Identity theft is committed in many ways and its victims are typically left with damage to
their credit, finances, and reputation.
What Are the Most Common Ways That Identity Theft or Fraud Can Happen to You?
In public places, for example, criminals may engage in "shoulder surfing"– watching you from
a nearby location as you punch in your telephone calling card number or credit card number – or
listen in on your conversation if you give your credit-card number over the telephone.
Many people respond to "spam"– unsolicited E-mail – that promises them some benefit
but requests identifying data, without realizing that in many cases, the requester has no
intention of keeping his promise.
In some cases, criminals reportedly have used computer technology to steal large
amounts of personal data.
With enough identifying information about an individual, a criminal can take over that
individual's identity to conduct a wide range of crimes.
For example:
False applications for loans and credit cards,
Fraudulent withdrawals from bank accounts,
Fraudulent use of telephone calling cards or online accounts, or
Obtaining other goods or privileges which the criminal might be denied if he were to use
his real name
Credit card fraud
How credit card fraud happens
Credit card fraud occurs when an unauthorized person gains access to your information and uses
it to make purchases.
Here are some ways fraudsters get your information:
Lost or stolen credit cards
Skimming your credit card, such as at a gas station pump
Hacking your computer
Calling about fake prizes or wire transfers
Phishing attempts, such as fake emails
Looking over your shoulder at checkout
Stealing your mail
Data diddling
Data diddling is a form of computer fraud involving the intentional falsification of numbers
in data entry. It most often involves the inflation or understatement of income or expenses to
benefit a company or individual when completing tax or other financial documents.
Unlike other fraud, data diddling specifically refers to the misrepresentation of information
during entry, and not after. The phrase combines the term data, which is digital
information, and the verb diddle, which means to falsify or exploit.
Salami attacks
The attacker uses an online database to obtain customers’ information, that is, bank or credit
card details, and deducts very small amounts from every account over a period. The customers
remain unaware of the slicing, so no complaint is lodged, which keeps the hacker away
from detection.
In its most basic form, a hacker simply tries making small deposits into random bank accounts
by attempting thousands of combinations of routing numbers and account numbers.
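Detection logic for both forms of the salami attack described above (many tiny slices collected in one account, and one account spraying tiny deposits over many others), as an added Python example that is not part of the course notes; the ledger and every account number in it are constructed.

```python
from collections import defaultdict

# Constructed sample ledger (not from the course notes): (source, destination, amount).
LEDGER = [
    ("ACC-0001", "ACC-0100", 2500.00),  # ordinary payments
    ("ACC-0002", "ACC-0100", 1200.00),
    ("ACC-0003", "ACC-0200", 0.40),     # a single tiny transfer is not suspicious
    # Slices shaved from many customers and collected in one account.
    ("ACC-0001", "ACC-9999", 0.25),
    ("ACC-0002", "ACC-9999", 0.30),
    ("ACC-0003", "ACC-9999", 0.25),
    ("ACC-0004", "ACC-9999", 0.35),
    ("ACC-0005", "ACC-9999", 0.25),
    ("ACC-0006", "ACC-9999", 0.20),
    # One source probing many accounts with tiny deposits.
    ("ACC-7777", "ACC-3001", 0.01),
    ("ACC-7777", "ACC-3002", 0.01),
    ("ACC-7777", "ACC-3003", 0.01),
    ("ACC-7777", "ACC-3004", 0.01),
    ("ACC-7777", "ACC-3005", 0.01),
]


def find_salami_patterns(ledger, max_amount=1.0, min_counterparties=5):
    """Return two dicts: destinations that collect tiny credits from many distinct
    sources, and sources that spray tiny credits over many distinct destinations.
    Each entry maps the account to (number of counterparties, total amount)."""
    collectors = defaultdict(lambda: [set(), 0.0])
    sprayers = defaultdict(lambda: [set(), 0.0])
    for src, dst, amount in ledger:
        if not 0 < amount <= max_amount:
            continue                       # only the small slices matter here
        collectors[dst][0].add(src)
        collectors[dst][1] += amount
        sprayers[src][0].add(dst)
        sprayers[src][1] += amount

    def summarize(table):
        return {acct: (len(peers), round(total, 2))
                for acct, (peers, total) in table.items()
                if len(peers) >= min_counterparties}

    return summarize(collectors), summarize(sprayers)


if __name__ == "__main__":
    collectors, sprayers = find_salami_patterns(LEDGER)
    print("collecting slices:", collectors)
    print("spraying deposits:", sprayers)
```

The thresholds are parameters because what counts as "tiny" and "many" depends on the institution; tune them against normal traffic before alerting on them.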
Phishing
Phishing is a type of social engineering attack often used to steal user data, including
login credentials and credit card numbers.
It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening
an email, instant message, or text message.
Cyber stalking
Cyberstalking refers to the use of the internet and other technologies to harass or stalk another
person online. This online harassment, which is an extension of cyberbullying and in-person
stalking, can take the form of e-mails, text messages, social media posts, and more and is often
methodical, deliberate, and persistent.
Spoofing, Pornography, Defamation, Computer vandalism
Spoofing, as it pertains to cybersecurity, is when someone or something pretends to be
something else in an attempt to gain our confidence, get access to our systems, steal data, steal
money, or spread malware
Spoofing attacks come in many forms, primarily:
Email spoofing
Website and/or URL spoofing
Caller ID spoofing
Text message spoofing
GPS spoofing
Man-in-the-middle attacks
Extension spoofing
IP spoofing
Facial spoofing
Pornography
Pornography refers to the portrayal of sexual subject matter in the form of books, magazines,
postcards, photographs, sculpture, drawing, painting, animation, sound recording, writing, film,
video, and video games for the purpose of sexual excitement.
Watching or possessing pornographic materials in India is legal, however, individuals
should not do so in public places. Production, publication, or distribution of pornographic
materials is illegal in India.
Watching or production, publication, or distribution of child pornography is illegal and
can lead to a 5-year term of imprisonment and a Rs 40 lakh fine.
Child Pornography
According to the Ministry of Women and Child Development, child pornography is
defined as “any visual depiction of sexually explicit conduct involving a child which
includes photographs, videos, digital or computer-generated image indistinguishable from
an actual child and an image created, adapted or modified but appear to depict a child.”
Market size of the Adult & Pornographic Websites industry in the US in 2021?
The market size, measured by revenue, of the Adult & Pornographic Websites industry is
$803.6m in 2021.
Defamation
Defamation is any statement that damages the reputation of another individual or party. ... A
defamation example would be if a customer accused the restaurant owner of food
poisoning even though it was not actually the restaurant's food that caused them to be ill.
Computer vandalism
The term vandalism describes the deliberate act of damaging or destroying another
person or company's property without their permission.
For example, with a computer, hardware vandalism is the act of intentionally breaking
or destroying computer hardware. For example, a student could purposely damage
a laptop given to them by the school.
With the Internet, vandalism or cyber vandalism could include any of the following.
Hacking into and defacing a website.
Who is a Hacker?
A Hacker is a person who finds and exploits the weakness in computer systems and/or networks
to gain access. Hackers are usually skilled computer programmers with knowledge of computer
security.
What is ethical hacking?
Ethical hacking involves the legal use of hacking techniques for benevolent versus
malicious purposes. Ethical hackers use penetration testing and other tactics to find
software vulnerabilities and other security weaknesses so they can be promptly
addressed.
Types of Hackers-Black hat. White hat. Gray hat.
Hackers
In common usage, a hacker is a person who breaks into computers, usually by gaining access to
administrative controls.
Types of Hackers
White Hat Hacker
Grey Hat Hacker
Black Hat Hacker
Black Hat
Black hat hacking is a type of hacking in which the hacker is a villain. Black hat hackers
usually have extensive knowledge about computer networks and security protocols; however,
they use their skills to steal from or damage vulnerable devices.
For example, if a system has a vulnerability, then black hat hacker will search for it and will
break into it to steal the information and then damage the whole system.
Black hat hackers are the bad guys who will never think twice to steal your credit card details to
hack into your bank account.
White Hat
White hat hackers are also known as “ethical hackers”; the working procedures of black
hat and white hat hackers are almost the same.
But white hat hackers are the good guys who work for the companies as security
specialists that get paid for finding security holes with the help of their hacking
capabilities.
There is another major difference between black hat and white hat hackers. White hat
hackers do everything with permission from the owner or system administrator,
which makes it completely legal.
White hat hacker after finding any vulnerability would disclose it to the developer,
allowing them to patch their product and improve the security before it’s compromised.
Grey Hat
Grey hat hackers are a blend of both black hat and white hat activities, but they are less skilled
compared to black hat or white hat hackers. Grey hat hackers are not bad guys; they look for
vulnerabilities in a system without permission.
If issues are found, they report them to the owner; sometimes they request a small fee for
discovering and fixing the problem. If the owner doesn’t respond, they post the vulnerability in
a public forum for the world to see.
Different types of Malwares
Malware, being one of the common causes of data breaches, is something every IT and security
expert should be concerned about. It’s a fact that many businesses will install anti-virus and
forget about it, not knowing that malware can still bypass anti-virus software and firewalls.
Malware
The word "malware" comes from the term "MALicious softWARE."
Malware is any software that infects and damages a computer system without the owner's
knowledge or permission
No anti-virus or anti-malware will protect you from ALL malware
What is malware?
Malware is an umbrella term for any piece of software that has malicious intent.
There are several types of malware and each of them has a unique way of infiltrating your
computer which may include attempts at gaining unauthorized control of your computer
systems, stealing your personal information, encrypting your important files, or causing
other harm to your computers. Sometimes the damage can be irrevocable.
Where does malware come from?
Phishing – Emails can be disguised to be coming from a fraudulent company for the sole purpose
of getting you to reveal personal information
Malicious Websites – Some websites may attempt to install malware onto your computer,
usually through popups or malicious links
Torrents – Files shared through BitTorrents are generally unsafe because you never know what
to expect until they’re downloaded
Shared Networks – A malware-infected computer on the same shared network may spread
malware onto your computer
7 Common Types of Malware
1. Trojans
A Trojan (or Trojan Horse) disguises itself as legitimate software with the purpose of tricking
you into executing malicious software on your computer.
2. Spyware
Spyware invades your computer and attempts to steal your personal information such as credit
card or banking information, web browsing data, and passwords to various accounts.
3. Adware
Adware is unwanted software that displays advertisements on your screen. Adware collects
personal information from you to serve you with more personalized ads.
4. Rootkits
Rootkits enable unauthorized users to gain access to your computer without being detected.
5. Ransomware
Ransomware is designed to encrypt your files and block access to them until a ransom is paid.
6. Worms
A worm replicates itself by infecting other computers that are on the same network. They’re
designed to consume bandwidth and interrupt networks.
7. Keyloggers
Keyloggers keep track of your keystrokes on your keyboard and record them on a log. This
information is used to gain unauthorized access to your accounts.
Module 5
Cyber Laws-Defining Cyber Law, Concept and scope of Jurisprudence, Basics of Cyber Space,
Basics of IPC and CrPC, Indian Evidence Act.
IT Act 2000-Introduction to IT Act 2000, Amendment in IT Act, Different Offences under IT
Act 2000-Sections: S.65,S.66, S.66A, S.66B, S.66C, S.66D, S.66 E, S.67, S.67A,S.67B,S.67C.
Cyber Space
The computer-generated world of the internet is known as cyberspace, and the laws prevailing in
this area are known as cyber laws; all the users of this space come under the ambit of
these laws, as it carries a kind of worldwide jurisdiction.
Cyber law can also be described as that branch of law that deals with legal issues related
to use of inter-networked information technology.
In short, cyber law is the law governing computers and the internet.
Cyber law
The growth of Electronic Commerce has propelled the need for vibrant and effective regulatory
mechanisms which would further strengthen the legal infrastructure, so crucial to the success of
Electronic Commerce. All these governing mechanisms and legal structures come within the
domain of Cyber law.
Cyber law is important because it touches almost all aspects of transactions and activities on and
involving the internet, World Wide Web and cyberspace. Every action and reaction in
cyberspace has some legal and cyber legal angles.
Cyber law encompasses laws relating to:
Cyber crimes
Electronic and digital signatures
Intellectual property
Data protection and privacy
Cyber space includes computers, networks, software, data storage devices (such as hard
disks, USB disks, etc.), the internet, websites, emails and even electronic devices such as cell
phones, ATM machines, etc.
Need for Cyber Law
In today’s techno-savvy environment, the world is becoming more and more digitally
sophisticated and so are the crimes. The Internet was initially developed as a research and
information sharing tool and operated in an unregulated manner. As time passed it became
more transactional, with e-business, e-commerce, e-governance, e-procurement, etc. All legal
issues related to internet crime are dealt with through cyber laws. As the number of internet users
is on the rise, the need for cyber laws and their application has also gathered great momentum.
Cyber Laws in India
In India, cyber laws are contained in the Information Technology Act, 2000 (“IT Act”)
which came into force on October 17, 2000. The main purpose of the Act is to provide legal
recognition to electronic commerce and to facilitate filing of electronic records with the
Government.
Importance of Cyber Laws
# We are living in a highly digitalized world.
# All companies depend upon their computer networks and keep their valuable data in electronic
form.
# Government forms, including income tax returns, company law forms etc., are now filed in
electronic form.
# Consumers are increasingly using credit cards for shopping.
# Most people are using email, cell phones and SMS messages for communication.
# Even in “non-cybercrime” cases, important evidence is found in computers/ cell phones e.g., in
cases of divorce, murder, kidnapping, organized crime, terrorist operations, counterfeit currency
etc.
# Since it touches all aspects of transactions and activities on and concerning the Internet, the
World Wide Web and cyberspace, cyber law is extremely important.
Cyber Law Definition
Cyber law, also known as Internet Law or Cyber Law, is the part of the overall legal
system that is related to legal informatics and supervises the digital circulation of information, e-
commerce, software and information security. It is associated with legal informatics and
electronic elements, including information systems, computers, software, and hardware. It covers
many areas, such as access to and usage of the Internet, encompassing various subtopics as well
as freedom of expression, and online privacy.
What happens if anyone breaks a cyber law?
If anyone breaks a cyber law, the action taken against that person depends on the type
of cyber law they broke, where they live, and where they broke the law. There are many
situations: for example, if you break the law on a website, your account may be banned or
suspended and your IP (Internet Protocol) address blocked. Furthermore, if any person performs
a very serious illegal activity, such as causing another person or company distress, hacking, or
attacking another person or website, further action can be taken against that person.
Concept and scope of Jurisprudence, Basics of Cyber Space
Background and Meaning of Jurisprudence
The term Jurisprudence is derived from two Latin words, Juris + Prudentia = law +
knowledge, which means ‘knowledge of the law’. Jurisprudence tells about the fundamental
principles of law.
It is also known as the philosophy, science, and skill of law. It does not focus on a particular field
of legal doctrine but rather goes into the understanding of the nature and purpose of law in general.
Jurisprudence implies in a real sense and customarily “common insight about law,” the scholarly
ability to outline and apply laws as per sound hypothetical standards.
The Case of the Speluncean Explorers
In that case, the defendants resorted to cannibalism to save themselves from dying.
‘Father of Jurisprudence’
Jeremy Bentham is known as a ‘Father of Jurisprudence’.
John Austin is also known as the founder of English Jurisprudence. He took forward the
work of Bentham.
Forms of Jurisprudence
Which analyse, explain, classify and criticize entire bodies of law.
Which also compare or contrast law with other fields of knowledge, e.g. history,
psychology, etc.
Which reveal the historical, moral and cultural basis of legal concepts.
The branch that focuses on finding what the law is and how judges decide cases
properly.
“Jurisprudence is the science of law, the statements and systematic arrangement of rules
followed by courts and the principles involved in these rules.”
Definition from the Oxford dictionary:
States that “Jurisprudence is the systematic and formulated knowledge or the science of
human law.”
Scope of Jurisprudence
According to jurists, the scope of jurisprudence is either limited or unlimited depending on
their definitions; different authorities attribute different meanings and varying premises to the
law, which causes differing opinions about the exact limits of the fields covered by
jurisprudence. Jurisprudence has sometimes been defined so as to cover moral and religious
precepts as well, and that has created confusion.
Basics of Cyber Space
What is Cyber Space?
In the event of contradiction between Central and State laws, the Central law will prevail.
IPC and CrPC
Criminal law and criminal procedure fall under the Concurrent List while matters relating to
Police and Prisons fall under the State List. The laws that govern criminal law in India are the
Indian Penal Code, 1860 (IPC) and the Criminal Procedure Code, 1974 (CrPC).
The IPC provides for the substantive law to be followed in case a crime has been committed. The
CrPC provides for the procedures to be followed during investigation and trial by the police and
courts.
Courts
There are specific courts at the District level, called Sessions Courts, for holding criminal trials.
India has adopted the adversarial system of legal procedure, wherein the judge acts as a neutral
party and the case is argued by the prosecutor, who brings the charge, and the defence attorney,
who defends the accused.
Indian Penal Code (1860)
The Indian Penal Code (IPC) Introduction
The Indian Penal Code is the official criminal code of India, which was drafted way back
in 1860.
Its objective is to provide a general penal code for the country.
It has 511 sections across 23 chapters, providing the list of crimes along with their
definitions and punishments.
The IPC has been amended several times and is now supplemented by other Acts. Its
jurisdiction extends to the whole of India.
The Indian Penal Code (IPC) is the main document which governs all criminal acts and the
punishments to be imposed for them. The objective of enacting the IPC was to provide a
general and exhaustive penal code for crime in India. However, there are several other penal
statutes that govern various other offences in addition to the IPC.
Criminal Procedure Code (1974)
The Criminal Procedure Code (CrPC) is a procedural law which states how the police
machinery is to function as far as investigation and procedure is to be followed by courts
during investigation and trial.
The CrPC classifies criminal offences into several categories such as bailable, non-
bailable, cognizable and non-cognizable offences. The procedural treatment of different
offences is different.
The various steps at the time of filing a complaint, such as filing a First Information Report (FIR),
gathering evidence and initiating an enquiry are all governed by the CrPC.
For example, if it was proved that a man had lunch at a particular restaurant, then it is a
fact that he was at the place before sundown.
Fact and Opinion
For example, Ashok and Hasan were roommates for 4 years during college. If Ashok
opined that Hasan was very disciplined and pious, it would be an opinion considered as
fact for this purpose.
There is a requirement that the facts be relevant to the case.
Relevant
The word relevant is used in the Act to mean both (i) admissible, and (ii) connected with the
case. One fact is said to be relevant to another when the one is connected with the other in any of
the ways referred to in the provisions of this Act relating to the relevancy of facts.
Fact in Issue
A “fact in issue” forms the core of the case. It is the essence of the dispute at hand, and it
consists of all the facts, due to which or connected to which, there is disagreement between the
parties.
It includes any fact from which, either by itself or in connection with another fact, there
may be a disagreement about the existence, nature and extent of any right or liability.
Example
Niteshwar Prasad was brought before a Court on the charge of murder of Venkatesh. He pleaded
that he committed it upon grave provocation because he had caught Venkatesh committing
adultery with his wife. The Court held that determining whether adultery was committed was a
fact in issue.
Sources of Evidence
There are two main sources of evidence: a. Primary and b. Secondary. Primary evidence is direct
evidence or original copies of a document, secondary evidence is copies of those documents,
books of account, etc.
Primary Evidence
For example, when two parties enter into a contract, each copy of the contract is primary
evidence against the party executing it.
For example, in a continuing contract, that is periodically renewed, each renewal contract
is evidence of the contract itself.
Secondary Evidence
For example, a photograph of an original document is secondary proof of the document.
For example, an oral account of a document by a person who has herself seen it is secondary
proof of the document.
Conclusion
The Indian Evidence Act, 1872 is vast, and its implications and interpretations are wide. The
application of the Act depends mostly upon its statutory provisions, but it also varies greatly
with the circumstances and nature of the case and with the underlying principles of natural
justice. However, the very objective of the Evidence Act is met, namely that the Court has to
find out the truth on the basis of the facts brought before it by the parties, so as to meet the ends
of justice as expeditiously as possible. Thus, the Rule of Evidence does not place limitations and
restrictions on the parties; rather, it acts as a guiding factor for the Courts in taking evidence.
IT Act 2000-Introduction to IT Act 2000
Information Technology Act, 2000
The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is an Act of the
Indian Parliament (No 21 of 2000) notified on 17 October 2000. It is the primary law in India
dealing with cybercrime and electronic commerce.
IT Act, 2000
The bill was passed in the budget session of 2000 and signed by President K. R. Narayanan on 9
June 2000. The bill was finalised by a group of officials headed by then Minister of Information
Technology Pramod Mahajan.
Objectives of the Act
The Information Technology Act, 2000 provides legal recognition to the transaction done
via electronic exchange of data and other electronic means of communication or
electronic commerce transactions.
This also involves the use of alternatives to a paper-based method of communication and
information storage to facilitate the electronic filing of documents with the Government
agencies.
Salient Features of the Information Technology Act, 2000
Digital signature has been replaced with electronic signature to make it a more
technology neutral act.
It elaborates on offenses, penalties, and breaches.
It outlines the Justice Dispensation Systems for cyber-crimes.
The Information Technology Act defines in a new section that cyber café is any facility
from where the access to the internet is offered by any person in the ordinary course of
business to the members of the public.
The fourth schedule amends the Reserve Bank of India Act. It pertains to the regulation
of fund transfer through electronic means between the banks or between the banks and
other financial institution.
Objectives of the Amendments in The Information Technology Act, 2000:
With proliferation of information technology enabled services such as e-governance, e-
commerce and e-transactions,
protection of personal data and information and implementation of security practices and
procedures relating to these applications of electronic communications have assumed
greater importance and they require harmonization with the provisions of the Information
Technology Act.
A rapid increase in the use of computers and the internet has given rise to new forms of
crime such as publishing sexually explicit material in electronic form, video voyeurism,
breach of confidentiality and leakage of data by intermediaries, e-commerce frauds such as
personation (commonly known as phishing), identity theft and offensive messages sent through
communication services.
So, penal provisions are required to be included in the Information Technology Act, the
Indian Penal Code, the Indian Evidence Act and the Code of Criminal Procedure to
prevent such crimes.
The service providers may be authorized by the Central Government or the State
Government to set up, maintain and upgrade the computerized facilities and collect, retain
appropriate service charges for providing such services at such scale as may be specified by
the Central Government or the State Government.
Incorporation of Electronic Signature:
In keeping with the aim of making the Act ‘technologically neutral’, the term ‘digital signature’
has been replaced with ‘electronic signature’, as the latter is an umbrella term which
encompasses many different types of signature, while the former is a specific type of
electronic signature.
Fight against Cyber-terrorism:
Pursuant to the 26/11 Mumbai Attacks, the amendment has incorporated the concept of cyber
terrorism and prescribed hefty punishments for it.
The scope of cybercrime under Section 66 is widened with many major additions defining
various cybercrimes, along with the controversial Section 66A which penalized sending
“offensive messages”. Section 66A was later found to be in violation of one’s fundamental right
to freedom of
Child Pornography:
Along with reducing the term of imprisonment and increasing the fine for publishing obscene
material in electronic form, an array of sections has also been inserted under Section 67, one
among which recognizes publishing child pornography as a felonious act.
CONCLUSION
Due to the growth of digital technology, various offences are increasing day by day. Therefore,
the IT Act 2000 needs to be amended in order to include those offences which are not yet
covered by the Act. The rate of cybercrime in India is not high, so there is still time to
tighten the cyber laws and include the offences which are not yet covered by the IT Act 2000.
IT ACT 2000: Sections: S.65, S.66, S.66A, S.66B, S.66C, S.66D, S.66 E
Section 65. Tampering with computer source documents.
Section 65 in The Information Technology Act, 2000
Tampering with computer source documents. Whoever knowingly or intentionally conceals, destroys or alters or intentionally or
knowingly causes another to conceal, destroy, or alter any computer source code used for a
computer, computer programme, computer system or computer network, when the computer
source code is required to be kept or maintained by law for the time being in force, shall be
punishable with imprisonment up to three years, or with fine which may extend up to two lakh
rupees, or with both.
Section 66. Hacking with computer system.
(1) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or
damage to the public or any person destroys or deletes or alters any information residing in a
computer resource or diminishes its value or utility or affects it injuriously by any means,
commits hacking.
(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with
fine which may extend up to two lakh rupees, or with both.
Section 66A: Punishment for sending offensive messages through communication service,
etc. - Information Technology Act
Any person who sends, by means of a computer resource or a communication device,-
a) any information that is grossly offensive or has menacing character; or
b) any information which he knows to be false, but for the purpose of causing annoyance,
inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill
will, persistently by making use of such computer resource or a communication device,
c) any electronic mail or electronic mail message for the purpose of causing annoyance or
inconvenience or to deceive or to mislead the addressee or recipient about the origin of such
messages, shall be punishable with imprisonment for a term which may extend to three years and
with fine.
Explanation:
For the purposes of this section, the terms "Electronic mail" and "Electronic Mail Message"
mean a message or information created or transmitted or received on a computer, computer
system, computer resource or communication device including attachments in text, image, audio,
video and any other electronic record, which may be transmitted with the message.
Section 66B: Punishment for dishonestly receiving stolen computer resource or
communication device
Whoever dishonestly receives or retains any stolen computer resource or communication
device knowing or having reason to believe the same to be stolen computer resource or
communication device, shall be punished with imprisonment of either description for a term
which may extend to three years or with fine which may extend to rupees one lakh or with both.
Section 66C: Punishment for Identity Theft, Misuse of Digital Signature
Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or
any other unique identification feature of any other person, shall be punished with imprisonment
of either description for a term which may extend to three years and shall also be liable to fine
which may extend to rupees one lakh.
Section 66D: Punishment for cheating by personation by using computer resource
Whoever, by means of any communication device or computer resource cheats by
personation, shall be punished with imprisonment of either description for a term which may
extend to three years and shall also be liable to fine which may extend to one lakh rupees.
Section 66E: Punishment for violation of privacy
Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area
of any person without his or her consent, under circumstances violating the privacy of that
person, shall be punished with imprisonment which may extend to three years or with fine not
exceeding two lakh rupees, or with both.
Explanation. - For the purposes of this section -
(a) “transmit” means to electronically send a visual image with the intent that it be viewed by a
person or persons;
(b) “capture”, with respect to an image, means to videotape, photograph, film or record by any
means;
(c) “private area” means the naked or undergarment clad genitals, pubic area, buttocks or female
breast;
(d) “publishes” means reproduction in the printed or electronic form and making it available for
public;
(e) “under circumstances violating privacy” means circumstances in which a person can have a
reasonable expectation that-
(i) he or she could disrobe in privacy, without being concerned that an image of his private area
was being captured; or
(ii) any part of his or her private area would not be visible to the public, regardless of whether
that person is in a public or private place.
Section 66F: Punishment for cyber terrorism
Whoever, -
(A) with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror
in the people or any section of the people by –
(i) denying or cause the denial of access to any person authorised to access computer resource; or
(ii) attempting to penetrate or access a computer resource without authorisation or exceeding
authorised access; or
(iii) introducing or causing to introduce any Computer Contaminant.
and by means of such conduct causes or is likely to cause death or injuries to persons or damage
to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption
of supplies or services essential to the life of the community or adversely affect the critical
information infrastructure specified under section 70, or
(B) knowingly or intentionally penetrates or accesses a computer resource without authorisation
or exceeding authorised access, and by means of such conduct obtains access to information,
data or computer database that is restricted for reasons of the security of the State or foreign
relations; or any restricted information, data or computer database, with reasons to believe that
such information, data or computer database so obtained may be used to cause or likely to cause
injury to the interests of the sovereignty and integrity of India, the security of the State, friendly
relations with foreign States, public order, decency or morality, or in relation to contempt of
court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of
individuals or otherwise, commits the offence of cyber terrorism.
(2) Whoever commits or conspires to commit cyber terrorism shall be punishable with
imprisonment which may extend to imprisonment for life.
Sections: S.67, S.67A, S.67B, S.67C
Section 67. Publishing of information which is obscene in electronic form.
Whoever publishes or transmits or causes to be published in the electronic form, any
material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to
deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read,
see or hear the matter contained or embodied in it, shall be punished on first conviction with
imprisonment of either description for a term which may extend to five years and with fine
which may extend to one lakh rupees and in the event of a second or subsequent conviction with
imprisonment of either description for a term which may extend to ten years and also with fine
which may extend to two lakh rupees.
Section 67A: Punishment for publishing or transmitting of material containing sexually
explicit act, etc. in electronic form, Information Technology Act 2000
Whoever publishes or transmits or causes to be published or transmitted in the electronic form
any material which contains sexually explicit act or conduct shall be punished on first conviction
with imprisonment of either description for a term which may extend to five years and with fine
which may extend to ten lakh rupees and in the event of second or subsequent conviction with
imprisonment of either description for a term which may extend to seven years and also with fine
which may extend to ten lakh rupees.
Exception: This section and section 67 does not extend to any book, pamphlet, paper, writing,
drawing, painting, representation or figure in electronic form-
(i) the publication of which is proved to be justified as being for the public good on the ground
that such book, pamphlet, paper, writing, drawing, painting, representation or figure is in the
interest of science, literature, art, or learning or other objects of general concern; or (ii) which is
kept or used bona fide for religious purposes.
Section 67B: Punishment for publishing or transmitting of material depicting children in
sexually explicit act, etc. in electronic form
Whoever,-
(a) publishes or transmits or causes to be published or transmitted material in any electronic
form which depicts children engaged in sexually explicit act or conduct or
(b) creates text or digital images, collects, seeks, browses, downloads, advertises,
promotes, exchanges or distributes material in any electronic form depicting children in
obscene or indecent or sexually explicit manner or
(c) cultivates, entices or induces children to online relationship with one or more children for and
on sexually explicit act or in a manner that may offend a reasonable adult on the computer
resource or
(d) facilitates abusing children online or
(e) records in any electronic form own abuse or that of others pertaining to sexually explicit act
with children, shall be punished on first conviction with imprisonment of either description for a
term which may extend to five years and with a fine which may extend to ten lakh rupees and in
the event of second or subsequent conviction with imprisonment of either description for a term
which may extend to seven years and also with fine which may extend to ten lakh rupees:
Provided that the provisions of section 67, section 67A and this section does not extend to
any book, pamphlet, paper, writing, drawing, painting, representation or figure in
electronic form-
(i) The publication of which is proved to be justified as being for the public good on the ground
that such book, pamphlet, paper writing, drawing, painting, representation or figure is in the
interest of science, literature, art or learning or other objects of general concern; or
(ii) which is kept or used for bona fide heritage or religious purposes.
Explanation: For the purposes of this section, "children" means a person who has not completed
the age of 18 years.
Section 67 C: Preservation and Retention of information by intermediaries, Section 67C of
Information Technology Act
(1) Intermediary shall preserve and retain such information as may be specified for such duration
and in such manner and format as the Central Government may prescribe.
(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub section
(1) shall be punished with an imprisonment for a term which may extend to three years and shall
also be liable to fine.