
UNIT 3

What are email tracking and IP tracking?

Email Tracking

What it is: Email tracking refers to techniques that help identify and gather
information about the origin, path, and interactions with an email. It involves
checking details like the email’s headers, metadata, and server logs to understand
where the email came from, who sent it, and even if the recipient opened or
interacted with it.

How it works:

● Every email has header information that includes the sender’s and receiver's IP
addresses, timestamps, and routing details.
● Investigators analyze these headers to trace back the sender's email server and
sometimes their IP address.
● They can also track when and if the recipient opened the email, which can be
useful for understanding the timing and interaction with phishing or scam
emails.

Example: Imagine a phishing email tricking users into revealing sensitive information.
Investigators could examine the email headers to see that it originated from an IP
address in another country or a compromised server, helping them locate the sender.
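An added illustration (not part of the original notes) of the header analysis just described: parse the Received chain of a constructed phishing message, recover the relay IPs in delivery order, and flag hops whose timestamps run backwards. All host names, addresses and times are constructed sample values.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real email): three Received hops, newest first.
RAW_EMAIL = """\
Received: from mx.example-bank.test (mx.example-bank.test [203.0.113.10])
    by inbox.example.test with ESMTP id abc123;
    Tue, 5 Nov 2024 10:15:43 +0000
Received: from relay.mailer.test (relay.mailer.test [198.51.100.25])
    by mx.example-bank.test with ESMTPS;
    Tue, 5 Nov 2024 10:15:40 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
    by relay.mailer.test with SMTP;
    Tue, 5 Nov 2024 10:15:35 +0000
From: "Support" <support@example-bank.test>
Subject: Verify your account

Please confirm your details at the link below.
"""

# One Received header flattened to a line: "from HOST (NAME [IP]) by HOST ...; DATE"
RECEIVED_RE = re.compile(
    r"from\s+(?P<host>\S+)\s*(?:\(.*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\))?"
    r".*?\bby\s+(?P<by>\S+).*?;\s*(?P<date>.+)$"
)

def received_chain(raw_message: str) -> list:
    """Return the Received hops in delivery order: origin first, our inbox last."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value).strip()   # unfold the header
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append({"from": m["host"], "ip": m["ip"], "by": m["by"],
                         "time": parsedate_to_datetime(m["date"].strip())})
    # Each relay prepends its own Received line, so the last header is the first hop.
    return list(reversed(hops))

def origin_ip(raw_message: str) -> str:
    """IP of the earliest relay seen, the best available clue to where the mail entered."""
    chain = received_chain(raw_message)
    return chain[0]["ip"] if chain else ""

def time_anomalies(raw_message: str) -> list:
    """Relays whose timestamp precedes the previous hop's: clock skew or forged headers."""
    chain = received_chain(raw_message)
    return [h["by"] for prev, h in zip(chain, chain[1:]) if h["time"] < prev["time"]]
```

Only the hop added by your own mail server can be trusted outright; earlier Received lines were written by other parties and may be forged, which is why the time check matters.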

IP Tracking

What it is: IP tracking involves following the digital trail of an IP address to find out
where certain online activities originated. It can show which device or network was
used for malicious actions, like hacking, fraud, or illegal access.

How it works:

● Every internet-connected device has an IP address, which acts like a digital
"home address."
● Investigators use logs from websites, emails, or servers that the suspect
interacted with to find this IP address.
● They can then link this IP address to a physical location or internet service
provider (ISP), potentially narrowing down to the device owner.

Example: A hacker attempts to break into a company’s network. The company logs the
IP addresses of all attempts. Investigators can check these logs, trace the suspicious IP
to a specific ISP or region, and use this information to further narrow down the suspect.
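An added example (not from the original notes) of the log review step in the scenario above: summarize sshd-style authentication records per source IP and flag an address whose repeated failures were followed by a success, the kind of IP an investigator would then trace to an ISP or region. The log lines and addresses are constructed.

```python
import re

# Constructed sample of sshd-style authentication log lines (not from a real system).
SAMPLE_AUTH_LOG = """\
Nov  5 10:15:01 web01 sshd[2031]: Failed password for invalid user admin from 198.51.100.23 port 52314 ssh2
Nov  5 10:15:03 web01 sshd[2031]: Failed password for root from 198.51.100.23 port 52316 ssh2
Nov  5 10:16:10 web01 sshd[2040]: Accepted password for deploy from 203.0.113.5 port 40100 ssh2
Nov  5 10:16:12 web01 sshd[2042]: Failed password for root from 198.51.100.23 port 52320 ssh2
Nov  5 10:18:45 web01 sshd[2051]: Accepted password for root from 198.51.100.23 port 52330 ssh2
Nov  5 10:19:02 web01 sshd[2055]: Failed password for guest from 192.0.2.9 port 61000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def summarize_by_ip(log_text: str, fail_threshold: int = 3) -> dict:
    """Per-IP summary: counts, user names tried, first/last seen, and a 'suspicious'
    flag when a successful login follows at least fail_threshold failures."""
    stats = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # ignore lines we do not recognise
        s = stats.setdefault(m["ip"], {"failed": 0, "accepted": 0, "users": set(),
                                        "first_seen": m["ts"], "last_seen": m["ts"],
                                        "suspicious": False})
        s["last_seen"] = m["ts"]
        s["users"].add(m["user"])
        if m["result"] == "Failed":
            s["failed"] += 1
        else:
            s["accepted"] += 1
            if s["failed"] >= fail_threshold:
                s["suspicious"] = True        # password guessing that eventually worked
    return stats

def suspicious_ips(log_text: str, fail_threshold: int = 3) -> list:
    """IPs worth tracing further (to their ISP or region), most failures first."""
    stats = summarize_by_ip(log_text, fail_threshold)
    return sorted((ip for ip, s in stats.items() if s["suspicious"]),
                  key=lambda ip: -stats[ip]["failed"])
```

An IP address identifies a network endpoint at a point in time, not a person; ISP records and timestamps are what turn it into a lead.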

What are encryption and decryption, and what techniques do they use?

Encryption

What it is: Encryption is the process of converting plain, readable data (plaintext) into
an unreadable format (ciphertext) to keep it safe from unauthorized access. This is
done using an algorithm and a key that scrambles the data.

How it works:

● When data is encrypted, it’s turned into a sequence of characters that looks
random and is meaningless without the correct decryption key.
● Only someone with the correct key can decrypt and read the information, which
protects it from hackers.

Example: Imagine sending a message over the internet with your bank details. If this
message is encrypted, it will appear as a jumble of letters and numbers to anyone
intercepting it, making it useless to them.

Decryption

What it is: Decryption is the reverse of encryption. It’s the process of converting
encrypted data (ciphertext) back into its original, readable format (plaintext) using a
key.

How it works:

● When you receive an encrypted message, you use a key to decode it back to its
original form.
● Without the right decryption key, the encrypted data remains unreadable and
secure.

Example: Imagine the bank sends a secure statement to you that’s encrypted. You’d
use the decryption key provided by the bank (such as a password or code) to convert it
back to readable form so you can view your statement.

Encryption Techniques

There are several encryption techniques, but here are the most common types:

1. Symmetric Encryption
○ What it is: Symmetric encryption uses a single, shared key for both
encryption and decryption.
○ How it works: Both the sender and receiver must know the key and keep it
secret.
○ Example Technique: AES (Advanced Encryption Standard) – widely
used in secure applications, such as banking and government data.
○ Example: Imagine you and your friend share a password to encrypt and decrypt
messages. Only those who know this password can read the messages.
2. Asymmetric Encryption (Public Key Encryption)
○ What it is: Asymmetric encryption uses two keys: a public key (for
encryption) and a private key (for decryption). The public key is shared
with others, while the private key remains confidential.
○ How it works: Anyone can encrypt messages using your public key, but
only you can decrypt them with your private key.
○ Example Technique: RSA (Rivest-Shamir-Adleman) – widely used in
secure web communications.
○ Example: You publish your public key online. Anyone can use it to encrypt a
message and send it to you, but only you, with your private key, can decrypt it.
3. Hashing (One-Way Encryption)
○ What it is: Hashing converts data into a fixed-size string of characters.
It’s a one-way process, meaning the original data cannot be recovered from
the hash.
○ How it works: Hashing is typically used for data integrity checks (e.g.,
verifying that files haven’t been tampered with).
○ Example Technique: SHA-256 (Secure Hash Algorithm) – often used for
secure password storage.
○ Example: When you create a password for a website, it’s hashed before being
stored in the database. Even if someone accesses the database, they can’t see
your actual password, only the hash.
UNIT - IV

Introduction to digital forensics, and forensic software and hardware

What is Digital Forensics?

Definition: Digital forensics is the science of recovering and analyzing data from
electronic devices, like computers, smartphones, servers, and networks, to investigate
cybercrime or unauthorized activity. It aims to answer critical questions, such as who,
what, when, where, and how an incident occurred.

Purpose: Digital forensics is used in cybercrime investigations, corporate security
breaches, and legal cases to uncover evidence and verify facts. The process typically
involves:

1. Data Collection: Gathering data without altering the original.
2. Data Preservation: Ensuring data integrity by creating a copy.
3. Analysis: Reviewing the data to find relevant evidence.
4. Reporting: Documenting findings in a clear, legally admissible format.

Example: If a company suspects an insider threat, a digital forensic investigator might
analyze email records, access logs, and device usage to pinpoint suspicious activity.
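An added example (not from the notes) that serves both the hashing technique in Unit 3 and the Data Preservation step above: a SHA-256 digest recorded at acquisition lets an investigator show that a working copy of a disk image is unchanged, while a single flipped byte makes verification fail. The "disk image" contents and file names are constructed.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_hex(data: bytes) -> str:
    """SHA-256 digest as 64 hex characters, whatever the size of the input."""
    return hashlib.sha256(data).hexdigest()

def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_copy(recorded_digest: str, copy_path: str) -> bool:
    """True only if the working copy still matches the digest recorded at acquisition."""
    return hmac.compare_digest(recorded_digest, sha256_file(copy_path))

def integrity_demo() -> dict:
    """Acquire a constructed 'disk image', copy it, verify, corrupt one byte, re-verify."""
    work = tempfile.mkdtemp(prefix="forensics_demo_")
    original = os.path.join(work, "evidence.img")
    working = os.path.join(work, "working_copy.img")
    with open(original, "wb") as f:            # constructed image contents, not real data
        f.write(b"MBR\x00" + bytes(range(256)) * 64)
    recorded = sha256_file(original)            # digest recorded at acquisition time
    with open(original, "rb") as src, open(working, "wb") as dst:
        dst.write(src.read())                   # bit-for-bit copy
    ok_before = verify_copy(recorded, working)
    with open(working, "r+b") as f:             # flip a single byte in the copy
        f.seek(100)
        f.write(b"\xff")
    ok_after = verify_copy(recorded, working)
    return {"digest": recorded, "copy_ok_before": ok_before, "copy_ok_after": ok_after}
```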

Forensic Software

Forensic software consists of specialized digital tools designed to locate, recover, and
analyze evidence from electronic devices. Here are some commonly used types of
forensic software:

1. Data Recovery Tools
○ What it is: Software to retrieve deleted or lost files from devices.
○ How it works: Scans storage media for data remnants or hidden files that
can still be reconstructed.
○ Example: EnCase – used by forensic experts to retrieve data from hard
drives or damaged devices.

Example: If a cybercriminal deletes important files from a hard drive, forensic
experts can use EnCase to recover those files.

2. Disk Imaging Software
○ What it is: Creates an exact replica (or image) of a storage device for
analysis, preserving the original evidence.
○ How it works: Copies all data, including hidden and deleted files, without
altering the original drive.
○ Example: FTK Imager – creates a bit-by-bit copy of a drive for forensic
examination.

Example: During an investigation, an investigator might use FTK Imager to
create a safe, working copy of a suspect’s laptop for examination without
touching the original files.

3. Network Forensic Tools
○ What it is: Analyzes network traffic to detect unauthorized access or
suspicious activities.
○ How it works: Records and reviews network data, including packets and
logs, to spot cyber threats.
○ Example: Wireshark – widely used to capture and analyze network
packets in real time.

Example: If there’s a suspicion of data leakage within a network, Wireshark can
help trace suspicious traffic patterns and IP addresses to identify unauthorized
users.

4. Mobile Forensics Software
○ What it is: Specialized tools for extracting data from mobile devices, like
call logs, messages, and location data.
○ How it works: Connects to a smartphone or tablet to recover contacts,
texts, multimedia, and deleted data.
○ Example: Cellebrite – used for extracting data from smartphones and
other portable devices.

Example: Investigators might use Cellebrite to recover text messages and
location data from a suspect’s phone in a cyberstalking case.

Forensic Hardware

Forensic hardware includes physical devices that help forensic investigators safely
collect, transfer, and analyze data from digital storage media.

1. Write Blockers
○ What it is: A device that allows data to be read from a storage drive
without the risk of altering it.
○ How it works: Prevents accidental changes to the original drive by
blocking any write commands.
○ Example: Tableau Write Blocker – commonly used to access hard drives
securely.

Example: When collecting data from a suspect’s hard drive, investigators use a
write blocker to prevent accidental modifications, preserving the integrity of the
evidence.

2. Forensic Workstations
○ What it is: High-powered computers designed for processing and
analyzing large amounts of data.
○ How it works: Equipped with powerful processors and large memory, they
run forensic software smoothly, handle complex computations, and store
large datasets.
○ Example: FRED (Forensic Recovery of Evidence Device) – provides
powerful hardware for intensive forensic analysis.

Example: A forensic expert working on a large data breach case might use FRED
to analyze hundreds of gigabytes of network logs and user activity records
quickly.

3. Faraday Bags
○ What it is: Special bags that block wireless signals from reaching
electronic devices.
○ How it works: Prevents devices from receiving or sending data, which can
help preserve evidence.
○ Example: Mission Darkness Faraday Bag – used to store smartphones or
tablets without risk of remote data wiping.

Example: If investigators seize a suspect’s phone, they place it in a Faraday bag
to prevent any external signals that could trigger remote deletion or alteration.

Analysis and Advanced Tools

Analysis in Cyber Crime Investigation

What it is: Analysis in CCI involves examining collected digital evidence to identify
patterns, understand the methods used by cybercriminals, and link evidence to specific
incidents or individuals. It’s a step-by-step process that transforms raw data into
actionable insights.

How it works:

● Investigators review data from devices, emails, network traffic, and social
media to reconstruct events.
● They look for signatures of known attacks (e.g., malware patterns), anomalies,
or unique identifiers like IP addresses, timestamps, and device IDs.
● Analysis can reveal important details like:
○ The timeline of an attack.
○ The techniques used (e.g., phishing, DDoS).
○ Connections between a suspect and the crime.

Example: In a ransomware attack, investigators might analyze server logs, email
headers, and file access records to find when the ransomware was installed, where it
originated, and who accessed the affected files.
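An added example (not part of the notes) of the timeline reconstruction described above: two constructed evidence sources, a web server access log and a file-server audit record, use different timestamp formats and time zones, and normalizing both to UTC before sorting is what makes "who touched which file, and when" answerable. All addresses, users and paths are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample evidence from two sources with different timestamp formats and zones.
WEB_LOG = """\
198.51.100.23 - - [05/Nov/2024:10:20:01 +0000] "POST /webmail/login HTTP/1.1" 200 512
203.0.113.5 - - [05/Nov/2024:10:21:30 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.23 - - [05/Nov/2024:10:22:47 +0000] "GET /webmail/attachment?id=88 HTTP/1.1" 200 204800
"""
FILE_AUDIT_CSV = """\
2024-11-05T15:55:10+05:30,fileserver01,jsmith,198.51.100.23,READ,/share/finance/payroll.xlsx
2024-11-05T16:01:32+05:30,fileserver01,jsmith,198.51.100.23,WRITE,/share/finance/payroll.xlsx.locked
"""

WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

def parse_web_log(text: str) -> list:
    """Common-log-format lines -> (utc_time, source, ip, detail) tuples."""
    events = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append((ts.astimezone(timezone.utc), "web", m["ip"], m["req"]))
    return events

def parse_file_audit(text: str) -> list:
    """ISO-8601 audit rows (with their own UTC offset) -> the same tuple shape."""
    events = []
    for line in text.splitlines():
        ts, host, user, ip, action, path = line.split(",")
        utc = datetime.fromisoformat(ts).astimezone(timezone.utc)
        events.append((utc, "file", ip, f"{user} {action} {path} on {host}"))
    return events

def build_timeline(*sources) -> list:
    """Merge events from all sources into one UTC-ordered timeline."""
    return sorted(ev for src in sources for ev in src)

def timeline_for_ip(timeline: list, ip: str) -> list:
    """Only the events tied to one identifier (here a source IP)."""
    return [ev for ev in timeline if ev[2] == ip]
```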

Advanced Tools in Cyber Crime Investigation

Advanced tools in CCI help investigators perform in-depth analysis and manage
complex investigations efficiently. These tools cover various domains, from data
recovery and malware analysis to mobile forensics and network monitoring.

Here are some of the advanced tools and their applications:

a) Malware Analysis Tools

● What they do: Detect, dissect, and understand malicious software (malware)
used in attacks.
● How they work: Allow investigators to isolate malware, analyze its code, and
identify its behavior and purpose.
● Example Tool: IDA Pro – a powerful reverse-engineering tool that dissects
malware code to reveal its operations.

Example Use Case: If a company experiences a malware attack, IDA Pro can help
investigators understand the malware’s structure, how it infects devices, and if it was
designed to steal data.

b) Network Analysis Tools

● What they do: Monitor and analyze network traffic to detect unauthorized
access, data exfiltration, or intrusions.
● How they work: Capture and examine network packets, providing insights into
real-time and historical traffic data.
● Example Tool: Splunk – widely used to search, monitor, and analyze network
logs for anomalies or patterns.

Example Use Case: If a bank suspects a breach, investigators can use Splunk to
identify unusual network activity and trace the path of the intruder.

c) Mobile Forensics Tools

● What they do: Extract and analyze data from mobile devices, such as texts, call
logs, app data, and location history.
● How they work: Connect to mobile devices and retrieve data, even if it has been
deleted.
● Example Tool: Magnet AXIOM – retrieves data from mobile devices, cloud
services, and computers, preserving evidence integrity.

Example Use Case: In a cyberstalking case, investigators could use Magnet AXIOM to
retrieve a suspect's deleted messages and location data, which could link them to the
crime.

d) File Carving and Data Recovery Tools

● What they do: Recover deleted files or data fragments from storage devices.
● How they work: Analyze storage blocks to retrieve files that may not be
accessible through traditional methods.
● Example Tool: Autopsy – an open-source digital forensics tool that recovers files
from damaged or formatted drives.

Example Use Case: Investigators may use Autopsy to recover files from a destroyed
hard drive to find evidence of fraud or theft.
