CyberSec - MID II Notes

Uploaded by Kamisetti siva

Cyber Security &

Cryptography
Open Elective (OE2)
For B. Tech IV-II
As per JNTUK R-19 Syllabus

MID II Notes
Compiled by:

Dr. A. B. Siddique
Department of ECE

ADITYA COLLEGE OF ENGINEERING & TECHNOLOGY

Aditya Nagar, ADB Road, Surampalem - 533437


Cyber Security & Cryptography
UNIT III: Cyber Crime Investigation
3.9 E-Mail Recovery,
3.10 Hands on Case Studies.
3.11 Encryption and Decryption Methods,
3.12 Search and Seizure of Computers,
3.13 Recovering Deleted Evidences,
3.14 Password Cracking (Discussed in 2.3)

3.9 E-Mail Recovery


An employee working as a Team Leader in a BPO firm was arrested by the police in a drug-dealing case in 2016. Initially, he was a social media freak and a well-performing candidate. He used to carry out illegal dealings with customers through emails. During the investigation, the police found no trail of records or proof of drug dealing in the culprit’s email account; perhaps he had deleted all his emails. Email recovery in cyber forensics is one area that could have helped. Unfortunately, the police had to release him for lack of proof.

• In digital forensics, to tackle such situations, investigators need to recover lost or deleted email data, because it is often the only way to obtain evidential leads in the case. Nowadays, emails play a significant role in everyone’s life: they are crucial for business and personal communication, for sharing confidential documents, and so on. Losing such important data in any situation could be a nightmare for users.
• In most illegal cases, criminals intentionally delete such suspected emails to remove the leads of evidence. Because of this, we describe below how to recover deleted or lost emails manually. An instant email recovery solution, which is especially important in cyber forensics, is also covered.

3.10 Hands on Case Studies

Some common methods to recover E-mails:


1. Manual Method for Email Recovery in Cyber Forensics
Step-1. Click on the “Trash folder” option in your email application.
Step-2. “Select” the desired message you want to restore.
Step-3. Click on the “Move” button.
Step-4. Select the desired location where you want to restore the deleted message.

by Dr. A. B. Siddique, Dept of ECE Aditya College of Engineering & Technology 2


2. Email Recovery in Cyber Forensics Using an Automated Software
Step-1. Launch the software and create a new case to begin the investigation.
Step-2. Now, add the evidential file into the software for scanning by clicking on the Add New Evidence button. An Add Evidence window will appear; choose the file type and browse to the evidence file using the Add File button.
Step-3. The software will preview all the deleted emails in red colour; hence users can easily
find the deleted emails.
Step-4. After adding the suspected file in the software, one can view the emails in different
preview modes. Moreover, it allows investigators to find precise information from the emails
that helps in extracting the evidence.
Step-5. To view the deleted files separately, select the Deleted option from the Standard
Filters. It will show you all the recovered files individually.
Step-6. To save the data into your local system, select the emails to export and click on the
Export button. Then, select the Export Selected Items option and choose the desired file
format in which you want to export the recovered lost emails.
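Why an automated tool can show "deleted" mail in red at all: clients that store mail in mbox files usually keep a deleted message in the file and merely flag it until the folder is compacted. The script below, added here as an illustration and not taken from these notes or from any recovery product, scans a constructed mbox with Python's standard `mailbox` module and lists the messages that are still present but flagged as deleted. The flag conventions it checks (a `D` flag in the `Status`/`X-Status` headers, and bit 0x0008 in an `X-Mozilla-Status` header) are assumptions about the client that wrote the file; the function names and the sample messages are my own.

```python
import mailbox
import os
import tempfile

# Constructed sample mailbox (not real case data): three messages in mbox format.
# Two of them are flagged as deleted in the ways different clients record it.
SAMPLE_MBOX = (
    "From alice@example.test Mon Jan  4 10:00:00 2016\n"
    "From: alice@example.test\n"
    "To: bob@example.test\n"
    "Subject: Quarterly report\n"
    "X-Status: RO\n"
    "\n"
    "Attached is the report.\n"
    "\n"
    "From carol@example.test Tue Jan  5 11:30:00 2016\n"
    "From: carol@example.test\n"
    "To: bob@example.test\n"
    "Subject: Re: delivery schedule\n"
    "X-Mozilla-Status: 0009\n"
    "\n"
    "Same place as last time.\n"
    "\n"
    "From dave@example.test Wed Jan  6 09:15:00 2016\n"
    "From: dave@example.test\n"
    "To: bob@example.test\n"
    "Subject: Lunch?\n"
    "Status: RO\n"
    "X-Status: D\n"
    "\n"
    "Noon at the usual place?\n"
)

# Assumption: this bit in the X-Mozilla-Status flag word marks an expunged/deleted message.
MOZILLA_EXPUNGED = 0x0008


def deletion_marker(msg):
    """Return a short reason why the message counts as deleted, or None if it is live."""
    # Generic mbox clients record a 'D' flag in the Status / X-Status headers;
    # mboxMessage.get_flags() concatenates both headers for us.
    if "D" in msg.get_flags():
        return "X-Status D flag"
    # Thunderbird-style clients keep a hexadecimal flag word in X-Mozilla-Status.
    raw = msg.get("X-Mozilla-Status")
    if raw is not None:
        try:
            if int(raw.strip(), 16) & MOZILLA_EXPUNGED:
                return "X-Mozilla-Status expunged bit"
        except ValueError:
            pass  # malformed flag word: treat as not flagged
    return None


def find_deleted_messages(mbox_path):
    """Scan an mbox file and list (subject, sender, reason) for flagged-deleted messages."""
    found = []
    box = mailbox.mbox(mbox_path)
    try:
        for _key, msg in box.items():
            reason = deletion_marker(msg)
            if reason:
                found.append((msg.get("Subject", ""), msg.get("From", ""), reason))
    finally:
        box.close()
    return found


def demo():
    """Write the constructed mailbox to a temporary file and scan it."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "w", newline="\n") as f:
        f.write(SAMPLE_MBOX)
    try:
        return find_deleted_messages(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for subject, sender, reason in demo():
        print(f"DELETED  {subject!r} from {sender}  ({reason})")
```

Running the script lists the two flagged messages and not the live one; a real investigation would run the same scan over every mailbox file found on the evidence image, before the client gets a chance to compact the folder.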

3.11 Encryption and Decryption Methods


• We all work on the internet, we communicate through the internet, and we want our data and information to be secured; this is done by cryptography. Cryptography prevents other users and attackers from accessing our confidential data and information. The two essential functionalities of cryptography are encryption and decryption.
Encryption: Encryption is the process that converts the original message sent by the sender into an unrecognizable form so that no one on the network can read or understand it. It converts the normal message, i.e., plain text, into a meaningless or useless message, i.e., ciphertext. This new form of the message, i.e., the unrecognizable form, is totally different from the original message. This is the reason that attackers and other external agents are not able to read the data, as senders send the data by using an encryption algorithm. It takes place at the sender’s end. The message can be encrypted easily by using the secret key or the public key.
The below diagram depicts the process of how the encryption technique is applied and the original message and data are converted to the ciphertext.

Decryption: Decryption is the process in which the encrypted code or data is converted back
to a form that is easily understandable and readable by a human or machine. This is basically
known as decoding encrypted data. It takes place at the receiver end. The message can be
decrypted either with the secret key or the private key.
The below diagram clearly shows the decryption technique and the encrypted text i.e., the
ciphertext is converted back to the original message.

What are the types of Keys available?


There are several kinds of keys that are used in performing the encryption and decryption technique. Let’s see the available keys in more detail.
1. Symmetric Key: This key is used in performing symmetric encryption, also known as the symmetric-key encryption algorithm. It uses the same cryptographic key for both the encryption of the plaintext on the sender’s side and the decryption of the ciphertext on the receiver’s side.
2. Asymmetric Key: An asymmetric key encryption algorithm uses a pair of two different keys: one is used for encrypting the data and the other for decrypting it. The public key is made available to anyone, whereas the secret key is only made available to the receiving side of the message. This provides more security as compared to symmetric key encryption.
3. Public Key: Public keys are the keys that are used to encrypt a message for the receiver. This cryptography is an encryption system based on a pair of keys.
4. Private Key: The private key is usually used with the asymmetric encryption algorithm, though one can also use the same key for both encrypting and decrypting the data. It may also be part of a public/private asymmetric key pair.
5. Pre-Shared Key: Also known as a PSK, it is a shared secret key that was earlier shared between two different organizations or people using a secure channel before it is used.
Important reasons for using encryption:
➢ It provides confidentiality to our private data and information and for organizations.
➢ It helps in protecting or preventing plagiarism and thus protects the IP.
➢ It helps in protecting our important data such as our user ID, password, login ID, which
are very confidential.

➢ It is a very essential and useful method for an organization or company, as it helps to protect the data from outsiders so that no one else is able to access the data. It provides security.
➢ It also helps you to ensure that no one is able to modify or alter the data or file.
➢ It is very helpful over the internet, as most of us work on the internet, where an attacker can easily access our data; in order to prevent this, we use the encryption technique.
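The key roles listed under "types of Keys" and the confidentiality and integrity reasons listed just above, as an added Python example (not from these notes): a symmetric routine in which a single secret key both encrypts and decrypts and also detects any modification of the ciphertext, and a textbook RSA key pair in which the public key encrypts and the private key decrypts. The symmetric construction (an HMAC-SHA256 keystream plus an HMAC tag, built from the standard library so the example runs without third-party packages) and the tiny RSA primes p=61, q=53 are my own choices for illustration; a deployed system would use a vetted cipher such as AES-GCM and 2048-bit-or-larger RSA keys with padding.

```python
import hashlib
import hmac
import os

# --- Symmetric key: one secret key does both encryption and decryption ---------
# Illustrative construction only: keystream = HMAC-SHA256(key, nonce || counter),
# ciphertext = plaintext XOR keystream, tag = HMAC-SHA256(key, nonce || ciphertext).

def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def symmetric_encrypt(key, plaintext):
    """Return nonce || ciphertext || tag. A fresh nonce makes every encryption differ."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def is_authentic(key, blob):
    """True only if the tag was produced with this key over exactly these bytes."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def symmetric_decrypt(key, blob):
    """Reject a wrong key or a modified ciphertext before releasing any plaintext."""
    if not is_authentic(key, blob):
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    nonce, ciphertext = blob[:16], blob[16:-32]
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


# --- Asymmetric key pair: public key encrypts, private key decrypts -------------
# Textbook RSA with small primes so the arithmetic can be checked by hand.

def rsa_keygen(p, q, e=17):
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e mod phi (Python 3.8+)
    return (n, e), (n, d)        # (public key, private key)


def rsa_encrypt(public_key, m):
    n, e = public_key
    return pow(m, e, n)


def rsa_decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)


def demo():
    """Constructed walk-through: symmetric round trip, wrong-key rejection, RSA round trip."""
    key = os.urandom(32)
    blob = symmetric_encrypt(key, b"meet at the usual place")
    roundtrip = symmetric_decrypt(key, blob) == b"meet at the usual place"
    try:
        symmetric_decrypt(os.urandom(32), blob)      # a different secret key
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    public_key, private_key = rsa_keygen(61, 53)     # n = 3233, e = 17, d = 2753
    c = rsa_encrypt(public_key, 65)                  # anyone with the public key can do this
    return roundtrip, wrong_key_rejected, c, rsa_decrypt(private_key, c)


if __name__ == "__main__":
    print(demo())
```

The two halves show the distinction the notes draw: with the symmetric key, whoever can decrypt can also encrypt and the sender and receiver must already share the secret (the pre-shared key case), whereas with the RSA pair the encrypting key can be published and only the holder of the private key can recover the message.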
3.12 Search and Seizure of Computers
➢ Seizure of computers and related peripherals is not always the practical approach
without preliminary investigation. A cybercrime investigator has to decide whether it
is prudent to seize or to complete the investigation at the scene.
➢ Seizing and carrying out the investigation off-site would involve proper packaging and
transporting of the computers and accessories, reassembling them at the laboratory and
then recreating the network or configuration. This can be a complex and sensitive issue
and hence the cybercrime investigator must bear the following in mind before taking
the decision on whether to confiscate and then investigate or whether to investigate on-
site.
Prior to search and seizure, you should already have the proper documents filled in as well as permission from the authority to search and seize the suspect’s machine.
Step 1: Preparation
You should check all media that is to be used in the examination process. Document the wiping
and scanning process. Check to make sure that all computer forensic tools are licensed for use
and all lab equipment is in working order.
Step 2: Snapshot
We should photograph the scene, whether it is a room in a home or in a business. You should
also note the scene. Take advantage of your investigative skills here. Note pictures, personal
items, and the like. Photograph the actual Evidence. For example, the evidence is a PC in a
home office. Take a photograph of the monitor. Remove the case cover carefully and
photograph the internals.
Step 3: Transport
If you have the legal authority to transport the evidence to your lab, you should pack the
evidence securely. Photograph/videotape and document the handling of evidence leaving the
scene to the transport vehicle and from transport vehicle to the lab examination facility.
Step 4: Examination
You should prepare the acquired evidence for examination in your lab. There are many options for the tool used to image the drive. You could use EnCase, the Unix command dd, ByteBack, or SafeBack. It is wise to have a variety of tools in your lab; each of these tools has its respective strengths. The important notes to remember here are: turn off virus-scanning software; record the time and date of the CMOS clock; do not boot the suspect machine. When making the image, make sure that the tool you use does not access the file system of the target evidence media. After making the image, seal the original media in an electrostatic-safe container, catalog it, and initial the container. Finally, the examination of the acquired image begins.

3.13 Recovering Deleted Evidence
Forensic Data Recovery:
• Forensic data recovery is the extraction of data from damaged, corrupted or lost evidence sources, i.e., damaged or formatted hard drives and removable media. The data are recovered in a manner that will make the resulting evidence admissible in a court of law.
• Data recovery is usually carried out in order to safely acquire evidence from computer systems by way of forensic analysis (i.e., retrieve deleted, hidden, or mistakenly damaged data).
• This technique is classically used in criminal or civil investigations which are designed
to yield information which can be used in court, although forensic data recovery can
also be used by auditing firms and in a variety of other circumstances. This process is
performed by trained technicians who have studied computer science, information
technology, and forensics.
Importance of Recovering Deleted Evidence
• Today, there are several white-collar criminals, pedophiles, etc., who delete data (that can incriminate them) from their computer systems in order to hide their dubious activities.
• Cyber forensic data recovery is the only way to gather sufficient evidence of fraud or any other form of crime committed using a computer or the internet, which is why data recovery is important in solving cybercrime-related cases.
Process of Recovering Data
➢ The process of retrieving data (whether lost, damaged or corrupted) from hardware that has been used to commit a crime can be challenging.
➢ Care must be taken not to modify or overwrite the source of evidence. Typically, cyber forensic investigators use a write blocker to freeze the source of evidence, make a forensic copy, and work off the copy.
➢ The information to be retrieved will depend on each case file.
➢ As modern technology advances, the job of a forensic specialist becomes more
complicated, and new sub-branches of the field pop up yearly.
➢ Generally speaking, though, when a data recovery specialist starts their investigation,
they have to go through several stages. These stages are:
1. Seizure
2. Forensic acquisition
3. Data analysis
4. Final report production
➢ Forensic specialists deal with both the private and public sectors. For public work, they
push to prove or support a hypothesis in criminal court. Private forensic recovery
usually relates to corporate investigations.
➢ To perform data recovery, specialists use advanced software options and forensic tools.
➢ The list of recovery tools is given in the table below:



➢ These data recovery experts use both hardware and software solutions to extract the
digital data and revive it from the recycle bin.
➢ The first thing they will do is make a bit-accurate replica of the hard drive. Specialists
either use hardware solutions like a write blocking device or use a software solution to
recover data.
➢ Sometimes the data recovery process involves using a pre-packaged suite of software
tools. Other specialists prefer to create their own tool kit by piecing together key pieces
of software to tackle certain problems.
➢ Options are plentiful at almost every stage of the forensic data recovery process.
Sometimes a forensic specialist will need to use software to perform a data capture of
the drive. Specialists use other software to analyse emails.
➢ Forensic software can cater to specific operating systems too. This includes different
operating systems, like open source and secure Linux builds. Forensics data recovery
services use a whole arsenal of software and hardware tools for criminal investigations.

UNIT IV: Computer Forensics and Investigations
4.1 Understanding Computer Forensics,
4.2 Preparing for Computer Investigations.
4.3 Current Computer Forensics Tools: Evaluating Computer Forensics Tools needs
4.4 Computer Forensics Software Tools,
4.5 Computer Forensics Hardware Tools,
4.6 Validating and Testing Forensics Software,
4.7 Face, Iris and Fingerprint Recognition,
4.8 Audio Video Analysis,
4.9 Windows System Forensics,
4.10 Linux System Forensics,
4.11 Graphics and Network Forensics,
4.12 E-mail Investigations (Same as 3.6)
4.13 Cell Phone and Mobile Device Forensics

4.1 Understanding Computer Forensics:


• Computer forensics: It is the lawful and ethical seizure, acquisition, analysis, reporting
and safeguarding of data and metadata derived from digital devices which may contain
information that is notable and perhaps of evidentiary value to the trier of fact in
managerial, administrative, civil and criminal investigations.
• It is the process of methodically examining computer media (hard disks, diskettes,
tapes, etc.) for evidence.
• In other words, computer forensics is the collection, preservation, analysis, and
presentation of computer-related evidence.
• Computer forensics also referred to as computer forensic analysis, electronic discovery,
electronic evidence discovery, digital discovery, data recovery, data discovery,
computer analysis, and computer examination
• Overall, it is the collection of techniques and tools used to find evidence in a computer.
• Computer evidence can be useful in criminal cases, civil disputes, and human resources/
employment proceedings.
• Applications of computer forensics in law enforcement: computer forensics assists law enforcement in the following ways:
✓ Recovering deleted files such as documents, graphics, and photos.
✓ Searching unallocated space on the hard drive, places where an abundance of data
often resides.
✓ Tracing artifacts, those tidbits of data left behind by the operating system. Our
experts know how to find these artifacts and, more importantly, they know how to
evaluate the value of the information they find.
✓ Processing hidden files — files that are not visible or accessible to the user — that
contain past usage information. Often, this process requires reconstructing and
analyzing the date codes for each file and determining when each file was created,
last modified, last accessed and when deleted.
✓ Running a string-search for e-mail, when no e-mail client is obvious.

4.2 Preparing for Computer Investigations.
➢ Preparing for a computer investigation is probably the most important step in computer
investigations. The better you prepare, the smoother your investigation will be.
➢ The following sections discuss the tasks you should complete before you search for
evidence.
➢ To perform these tasks, you might need to get answers from the victim (the
complainant) and an informant, who could be a police detective assigned to the case, a
law enforcement witness, or a manager or co-worker of the person of interest to the
investigation.
➢ The investigator must be properly trained to perform the specific kind of investigation
that is at hand.
➢ Tools that are used to generate reports for court should be validated. There are many
tools to be used in the process.
➢ One should determine the proper tool to be used based on the case.
➢ Broadly speaking, the forensics life cycle involves the following phases:
1. Preparation and identification.
2. Collection and recording.
3. Storing and transporting.
4. Examination/investigation.
5. Analysis, interpretation, and attribution.
6. Reporting.
7. Testifying.

➢ To mention very briefly, the process involves the following activities: Prepare >
Record > Investigate > Report > Testify.
Prepare: Case briefings, engagement terms, interrogatories, spoliation prevention, disclosure
and discovery planning, discovery requests.
Case briefing: In case briefings, consider the following:
1. Ensure that you know both your client’s and the adverse party’s position and have
seen all relevant paperwork.
2. Try not to project a bias in the case description; the intent should be to consider the
case objectively and provide you with the good news and the bad news (bad news early
can be good news).
3. Be upfront in discussing any limitations or restrictions on the forensics investigation,
including budgetary constraints, time deadlines, cooperation levels to be expected from
the adverse party, required travel, onsite or after-hours forensics imaging requirements,
etc.
Preparing for the Evidence and Identifying the Evidence:
➢ In order to be processed and applied, evidence must first be identified as evidence.
➢ It can happen that there is an enormous amount of potential evidence available for a
legal matter, and it is also possible that the vast majority of the potential evidence may
never get identified.

➢ In order to be processed and analysed, evidence must first be identified. It might be
possible that the evidence may be overlooked and not identified at all. A sequence of
events in a computer might include interactions between:
o Different files
o Files and file systems
o Processes and files
o Log files
➢ In case of a network, the interactions can be between devices in the organization or
across the globe (Internet). If the evidence is never identified as relevant, it may never
be collected and processed.
➢ Consider that every sequence of events within a single computer might cause
interactions with files and the file systems in which they reside, other processes and the
programs they are executing and the files they produce and manage, and log files and
audit trails of various sorts. In a networked environment, this extends to all networked
devices, potentially all over the world.
➢ Evidence of an activity that caused digital forensics evidence to come into being might
be contained in a time stamp associated with a different program in a different computer
on the other side of the world that was off set from its usual pattern of behaviour by a
few microseconds.
➢ If the evidence cannot be identified as relevant evidence, it may never be collected or
processed at all, and it may not even continue to exist in digital form by the time it is
discovered to have relevance.

4.3 Current Computer Forensics Tools: Evaluating Computer Forensics Tools needs
• Computer forensics tools are constantly being developed, updated, patched, and
revised. Therefore, checking vendors’ Web sites routinely to look for new features and
improvements is important.
• Before purchasing any forensics tools, consider whether the tool can save you time
during investigations and whether that time savings affects the reliability of data you
recover.
In order to evaluate a computer forensics tool, we need to ask a few questions:
✓ On which OS does the forensic tool run?
✓ Is the tool versatile? For example, is it compatible with different OSs?
✓ Can the tool analyze more than one file system, such as FAT, NTFS and Ext2fs?
✓ Can a scripting language be used with the tool to automate repetitive functions and tasks?
✓ Does the tool have any automated features that can help reduce the time needed to analyse data?
✓ What is the vendor’s reputation for providing product support?
✓ When you search for tools, keep in mind what file types you’ll be analyzing. For example, if you need to analyze Microsoft Access databases, look for a product designed to read these files.

✓ If you’re analyzing e-mail messages, look for a forensics tool capable of reading e-mail
content.
Computer forensics tools are divided into two major categories: hardware and software. Each
category has additional subcategories. The following sections outline basic features required
and expected of most computer forensics tools.
• Tasks Performed by Computer Forensics Tools: All computer forensics tools, both
hardware and software, perform specific functions. These functions are grouped into
five major categories, each with sub functions for further refining data analysis and
recovery:
1) Acquisition
2) Validation and discrimination
3) Extraction
4) Reconstruction
5) Reporting
1) Acquisition: Acquisition, the first task in computer forensics investigations, is making a
copy of the original drive.
✓ Physical data copy
✓ Logical data copy
✓ Data acquisition format
✓ Command-line acquisition
✓ GUI acquisition
✓ Remote acquisition
✓ Verification
There are different tools to do this work:
• Some computer forensics software suites, such as AccessData FTK and EnCase,
provide separate tools for acquiring an image.
• However, some investigators opt to use hardware devices, such as the Logicube Talon,
VOOM HardCopy 3, or ImageMASSter Solo III Forensic unit from Intelligent
Computer Solutions, Inc., for acquiring an image.
• These hardware devices have their own built-in software for data acquisition.
• No other device or program is needed to make a duplicate drive; however, you still need
forensics software to analyze the data.
• Two types of data-copying methods are used in software acquisitions:
▪ physical copying of the entire drive and
▪ logical copying of a disk partition.
• The situation dictates whether you make a physical or logical acquisition
• All computer forensics acquisition tools have a method for verification of the data-
copying process that compares the original drive with the image.
• For example, EnCase prompts you to obtain the MD5 hash value of acquired data,
• FTK validates MD5 and SHA-1 hash sets during data acquisition, and SafeBack runs an SHA-256 hash while acquiring data.
• Hardware acquisition tools, such as ImageMASSter Solo, can perform simultaneous MD5 and CRC-32 hashing during data acquisition.

• Whether you choose a software or hardware solution for your acquisition needs, make
sure the tool has a hashing function for verification purposes.
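The imaging rules of 3.12 Step 4 (read the raw media, never its file system) and the verification step that every acquisition tool listed above must provide, as an added Python example that is not from these notes and is not the code of dd, EnCase, FTK or SafeBack: the source is copied in fixed-size blocks, MD5 and SHA-256 are computed on the stream while it is read, and the written image is then re-hashed and compared with those digests. `demo()` builds a small constructed byte file as a stand-in for evidence media and then shows that a single changed byte in the image makes verification fail; file and function names are my own.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # fixed-size raw reads, in the spirit of dd's bs= option


def acquire_image(source_path, image_path, block_size=BLOCK_SIZE):
    """Copy raw bytes from source to image, hashing the stream as it is read.

    The source is opened read-only and its bytes are never interpreted, so no
    file system on the evidence media is touched. Returns the digests of the
    bytes that were read; these are the values an examiner records at acquisition.
    """
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(block_size), b""):
            md5.update(block)
            sha256.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())      # make sure the image really reached the disk
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_file(path, algorithm, block_size=BLOCK_SIZE):
    """Hash a file of any size without loading it into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(image_path, acquisition_hashes):
    """Re-hash the written image and compare each algorithm's digest with the
    value computed during acquisition."""
    return {alg: hash_file(image_path, alg) == digest
            for alg, digest in acquisition_hashes.items()}


def demo():
    """Constructed run: acquire, verify, then damage one byte and verify again."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence.raw")   # stand-in for a drive
    image = os.path.join(workdir, "evidence.dd")
    with open(source, "wb") as f:                    # constructed content, not real media
        f.write(b"\xeb\x3c\x90CONSTRUCTED" + b"\x00" * 500 + b"\x55\xaa")
        f.write(b"%PDF-1.4 constructed sample\n%%EOF\n")
        f.write(b"\x00" * 10000)
    hashes = acquire_image(source, image)
    verified = verify_image(image, hashes)
    with open(image, "r+b") as f:                    # simulate later corruption of the image
        f.seek(600)
        f.write(b"X")
    return verified, verify_image(image, hashes)


if __name__ == "__main__":
    print(demo())                # ({'md5': True, 'sha256': True}, {'md5': False, 'sha256': False})
```

Computing the hash on the stream as it is read, rather than on the finished image only, is what ties the digest to the original media: a later re-hash of the image that still matches proves the copy is the same bytes the examiner read from the drive.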
2) Validation and discrimination: Two issues in dealing with computer evidence are critical.
✓ First is ensuring the integrity of data being copied—the validation process.
✓ Second is the discrimination of data, which involves sorting and searching through all
investigation data.
Many forensics software vendors offer three methods for discriminating data values:
1. Hashing
2. Filtering
3. Analyzing file headers
Validating data is done by obtaining hash values. A hash is a unique hexadecimal value computed from the data, used to make sure the original data hasn’t changed.
➢ The primary purpose of data discrimination is to remove good data from suspicious
data.
➢ Good data consists of known files, such as OS files and common programs (Microsoft
Word, for example).
➢ The National Software Reference Library (NSRL) has compiled a list of known file
hashes for a variety of OSs, applications, and images.
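The three discrimination methods just named (hashing, filtering against a known-file set, and file header analysis) combined into one pass, as an added Python example that is not from these notes and does not use the real NSRL data: every file under a directory is hashed, files whose hash is in a reference set are marked known-good and dropped from review, and the remaining files have their first bytes compared with the signature expected for their extension, which flags a document renamed to look like a photo. The tiny signature table and the "known" hash set are constructed for the demo; function names are my own.

```python
import hashlib
import os
import tempfile

# Header signatures keyed by extension (constructed subset; real tools know hundreds).
FILE_SIGNATURES = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".zip": b"PK\x03\x04",
}


def sha1_of(path, block_size=65536):
    """SHA-1 of a file, read in blocks (NSRL publishes SHA-1 alongside MD5)."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            h.update(block)
    return h.hexdigest()


def header_matches_extension(path):
    """True/False when a signature rule exists for the extension, None when it does not."""
    sig = FILE_SIGNATURES.get(os.path.splitext(path)[1].lower())
    if sig is None:
        return None
    with open(path, "rb") as f:
        return f.read(len(sig)) == sig


def discriminate(root, known_hashes):
    """Classify each file under root as known-good (hash in the reference set),
    header/extension mismatch (possible disguised file), or review."""
    results = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if sha1_of(path) in known_hashes:
                results[rel] = "known-good"
            elif header_matches_extension(path) is False:
                results[rel] = "header/extension mismatch"
            else:
                results[rel] = "review"
    return results


def demo():
    """Build a constructed evidence directory and run the discrimination pass over it."""
    root = tempfile.mkdtemp()
    files = {  # constructed contents, not real files
        "notepad.exe": b"MZ constructed OS file",
        "report.pdf": b"%PDF-1.4 constructed report",
        "holiday.jpg": b"%PDF-1.4 a document renamed to look like a photo",
        "notes.txt": b"plain notes",
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    # Constructed reference set standing in for NSRL: only the OS file is "known".
    known = {hashlib.sha1(files["notepad.exe"]).hexdigest()}
    return discriminate(root, known)


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:<26} {rel}")
```

The mismatch rule is deliberately one-sided: a file whose extension has no signature rule (such as `.txt`) is left for review rather than cleared, because the absence of a rule says nothing about the content.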
3) Extraction:
• The extraction function is the recovery task in a computing investigation and is the most
challenging of all tasks to master.
• Recovering data is the first step in analyzing an investigation’s data.
• The following sub functions of extraction are used in investigations.
➢ Data viewing
➢ Keyword searching
➢ Decompressing
➢ Carving
➢ Decrypting
➢ Bookmarking
• Many computer forensics tools include a data-viewing mechanism for digital evidence.
• Tools such as ProDiscover, X-Ways Forensics, FTK, EnCase, SMART, ILook, and
others offer several ways to view data, including logical drive structures, such as folders
and files.
• A common task in computing investigations is searching for and recovering key data
facts.
• Computer forensics programs have functions for searching for keywords of interest to
the investigation. Using a keyword search speeds up the analysis process for
investigators.
• With some tools, you can set filters to select the file types to search, such as searching
only PDF documents.
• Another function in some forensics tools is indexing all words on a drive.
• X-Ways Forensics and FTK 1.6x and earlier offer this feature, using the binary index (B-tree) search engine from dtSearch.
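The extraction sub-functions of keyword searching and carving above, together with the law-enforcement applications listed in 4.1 (recovering deleted files, searching unallocated space, running a string search for e-mail when no client is obvious), as one added Python example that is not from these notes and not the code of any tool named here: a constructed raw image holds an allocated JPEG, some e-mail headers in slack, and a "deleted" PDF sitting in unallocated space; the carver recovers files by scanning the raw bytes for header/footer pairs, the keyword search reports offsets with context, and a regular expression pulls out e-mail addresses. The signature table, the naive header-to-first-footer carving rule, and the sample image are my own.

```python
import re

# Header and footer signatures for carving (constructed subset; real carvers know many more
# and handle formats whose footer is absent or whose size is stored in the header).
CARVE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF", b"%%EOF"),
}
MAX_CARVE = 10 * 1024 * 1024  # give up on a header if no footer appears within this many bytes


def carve(image, signatures=CARVE_SIGNATURES):
    """Return (type, offset, data) for every header..footer span in the raw bytes,
    regardless of whether any file system still references those bytes."""
    found = []
    for kind, (header, footer) in signatures.items():
        start = 0
        while True:
            h = image.find(header, start)
            if h < 0:
                break
            f = image.find(footer, h + len(header), h + MAX_CARVE)
            if f < 0:                      # header without footer: skip past it
                start = h + 1
                continue
            end = f + len(footer)
            found.append((kind, h, image[h:end]))
            start = end
    return sorted(found, key=lambda item: item[1])


def keyword_search(image, keywords, context=16):
    """Case-insensitive search over raw bytes; returns (keyword, offset, surrounding bytes)."""
    hits = []
    for kw in keywords:
        pattern = re.compile(re.escape(kw.encode()), re.IGNORECASE)
        for m in pattern.finditer(image):
            lo, hi = max(0, m.start() - context), m.end() + context
            hits.append((kw, m.start(), image[lo:hi]))
    return hits


EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_email_addresses(image):
    """String search for e-mail addresses anywhere in the image, client or no client."""
    return sorted({m.group().decode("ascii") for m in EMAIL_RE.finditer(image)})


def build_sample_image():
    """Constructed raw image: an allocated JPEG, e-mail headers left in slack, and a
    PDF whose directory entry is gone but whose bytes remain in unallocated space."""
    return (
        b"\x00" * 64
        + b"\xff\xd8\xff\xe0JFIF constructed jpeg bytes\xff\xd9"
        + b"\x00" * 32
        + b"From: seller@example.test\nTo: buyer@example.test\nSubject: order\n"
        + b"\x00" * 128
        + b"%PDF-1.4 constructed deleted invoice Contract number 7781 %%EOF"
        + b"\x00" * 64
    )


def demo():
    img = build_sample_image()
    carved = [(kind, off, len(data)) for kind, off, data in carve(img)]
    hits = [(kw, off) for kw, off, _ctx in keyword_search(img, ["contract", "invoice"])]
    return carved, hits, find_email_addresses(img)


if __name__ == "__main__":
    carved, hits, addresses = demo()
    print("carved:", carved)          # [('jpg', 64, 33), ('pdf', 321, 63)]
    print("keyword hits:", hits)      # [('contract', 358), ('invoice', 350)]
    print("addresses:", addresses)    # ['buyer@example.test', 'seller@example.test']
```

Because both the carver and the searches operate on the raw image rather than through a mounted file system, the PDF and the addresses are found even though nothing in the constructed image "allocates" them, which is exactly the unallocated-space search that 4.1 describes.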

4) Reconstruction:
• The purpose of having a reconstruction feature in a forensics tool is to re-create a
suspect drive to show what happened during a crime or an incident.
• Another reason for duplicating a suspect drive is to create a copy for other computer
investigators, who might need a fully functional copy of the drive so that they can
perform their own acquisition, test, and analysis of the evidence.
• These are the sub functions of reconstruction:
▪ Disk-to-disk copy
▪ Image-to-disk copy
▪ Partition-to-partition copy
▪ Image-to-partition copy
• There are several ways to re-create an image of a suspect drive. Under ideal
circumstances, the best and most reliable method is obtaining the same make and model
drive as the suspect drive,
• If the suspect drive has been manufactured recently, locating an identical drive is fairly
easy.
• A drive manufactured three months ago might be out of production and unavailable for
sale, which makes locating identical older drives more difficult.
• The simplest method of duplicating a drive is using a tool that makes a direct disk-to-
disk copy from the suspect drive to the target drive.
• One free tool is the UNIX/Linux dd command, but it has a major disadvantage: the target drive being written to must be identical to the original (suspect) drive, with the same cylinder, sector, and track count.
• For a disk-to-disk copy, both hardware and software duplicators are available;
hardware duplicators are the fastest way to copy data from one disk to another.
• Hardware duplicators, such as Logicube Talon, Logicube Forensic MD5, and ImageMASSter Solo III Forensics Hard Drive Duplicator, adjust the target drive’s geometry to match the suspect drive’s cylinders, sectors, and tracks.
• For image-to-disk and image-to-partition copies, many more tools are available, but
they are considerably slower in transferring data.
• The following are some tools that perform an image-to-disk copy:
▪ SafeBack
▪ SnapBack
▪ EnCase
▪ FTK Imager
▪ ProDiscover
▪ X-Ways Forensics
5) Reporting
• To complete a forensics disk analysis and examination, you need to create a report.
• Before Windows forensics tools were available, this process required copying data from
a suspect drive and extracting the digital evidence manually.

• The investigator then copied the evidence to a separate program, such as a word
processor, to create a report.
• Newer Windows forensics tools can produce electronic reports in a variety of formats,
such as word processing documents, HTML Web pages, or Acrobat PDF files.
• These are the sub functions of the reporting function:
o Log reports
o Report generator
• Many forensics tools, such as FTK, ILook, and X-Ways Forensics, can produce a log
report that records activities the investigator performed.
• Then a built-in report generator is used to create a report in a variety of formats.
• The following tools are some that offer report generators displaying bookmarked
evidence:
▪ EnCase
▪ FTK
▪ ILook
▪ X-Ways Forensics
▪ ProDiscover
• The log report can be added to your final report as additional documentation of the steps
you took during the examination, which can be useful if repeating the examination is
necessary.
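The log report and report generator sub-functions above, as an added Python example that is not from these notes and not the code of FTK, ILook or X-Ways: an examiner activity log in which each entry's hash also covers the previous entry's hash, so the log can later be checked for after-the-fact edits (which matters when the log is used to repeat an examination), plus a minimal HTML report that lists bookmarked evidence followed by the log. The chaining scheme, the case details and all names are my own constructions.

```python
import hashlib
import html
import json

GENESIS = "0" * 64  # "previous hash" for the first entry


class ExaminerLog:
    """Append-only activity log; each entry commits to its predecessor's hash."""

    def __init__(self, case_id, examiner):
        self.case_id = case_id
        self.examiner = examiner
        self.entries = []

    @staticmethod
    def _digest(body):
        # Canonical JSON so the same fields always hash the same way.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, timestamp, action, details):
        """Append one activity (timestamp supplied by the caller) and return its hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries) + 1, "time": timestamp,
                "action": action, "details": details, "prev": prev}
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """True if every entry hashes correctly and links to the entry before it."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def render_html(self, bookmarks):
        """Report generator: bookmarked evidence, then the activity log as a table."""
        rows = [f"<h1>Case {html.escape(self.case_id)}</h1>",
                f"<p>Examiner: {html.escape(self.examiner)}</p>",
                "<h2>Bookmarked evidence</h2><ul>"]
        for label, description in bookmarks:
            rows.append(f"<li><b>{html.escape(label)}</b>: {html.escape(description)}</li>")
        rows.append("</ul><h2>Activity log</h2><table>")
        for e in self.entries:
            rows.append(f"<tr><td>{e['seq']}</td><td>{html.escape(e['time'])}</td>"
                        f"<td>{html.escape(e['action'])}</td><td>{html.escape(e['details'])}</td>"
                        f"<td><code>{e['hash'][:12]}</code></td></tr>")
        rows.append("</table>")
        return "\n".join(rows)


def demo():
    """Constructed case: record three activities, verify, then edit one and verify again."""
    log = ExaminerLog("CASE-0001 (constructed)", "Examiner A")
    log.record("2016-01-04T10:00:00Z", "acquire", "imaged drive; digests recorded")
    log.record("2016-01-04T11:30:00Z", "keyword search", "terms: invoice, contract")
    log.record("2016-01-04T12:00:00Z", "bookmark", "carved PDF at offset 321")
    intact = log.verify()
    log.entries[1]["details"] = "terms: lunch"      # after-the-fact change to the record
    return intact, log.verify()


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Escaping every field through `html.escape` is what keeps evidence strings (which may contain arbitrary text pulled from a suspect drive) from being interpreted as markup when the report is opened in a browser.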

Thus, in 4.3 we evaluated the need for computer forensics tools in forensic investigation.
4.4 Computer Forensics Software Tools
• Whether you use a suite of tools or a task-specific tool, you have the option of selecting one that enables you to analyze digital evidence through the command line or in a GUI.
• The following sections explore some options for command-line and GUI tools in both
Windows and UNIX/Linux.
Command-Line Forensics Tools
• The first tools that analyzed and extracted data from floppy disks and hard disks were
MS-DOS tools for IBM PC file systems.
• One of the first MS-DOS tools used for computer investigations was Norton Disk Edit.
• This tool used manual processes that required investigators to spend considerable time
on a typical 500 MB drive.
• Eventually, programs designed for computer forensics were developed for DOS,
Windows, Apple, NetWare, and UNIX systems.
• Some of these early programs could extract data from slack and free disk space; others
were capable only of retrieving deleted files.
• Current programs are more robust and can search for specific words or characters,
import a keyword list to search, calculate hash values, recover deleted items, conduct
physical and logical analyses, and more.
• Some command-line forensics tools are created specifically for DOS/Windows platforms;
others are created for Macintosh and UNIX/Linux. Because there are many different
versions of UNIX and Linux, these OSs are often referred to as *nix platforms.
UNIX/Linux Forensics Tools
• The *nix platforms have long been the primary command-line OSs, but typical end
users haven’t used them widely.
• However, with GUIs now available with *nix platforms, these OSs are becoming more
popular with home and corporate end users.
• There are several *nix tools for forensics analysis, such as SMART, BackTrack,
Autopsy with Sleuth Kit, and Knoppix-STD.
• SMART is designed to be installed on numerous Linux versions, including Gentoo,
Fedora, SUSE, Debian, Knoppix, Ubuntu, Slackware, and more.
• You can analyze a variety of file systems with SMART.
• SMART includes several plug-in utilities. This modular approach makes it possible to
upgrade SMART components easily and quickly.
• SMART can also take advantage of multithreading capabilities in OSs and hardware.
• Another useful option in SMART is the hex viewer. Hex values are color-coded to
make it easier to see where a file begins and ends.
• SMART also offers a reporting feature. Everything you do during your investigation
with SMART is logged, so you can select what you want to include in a report, such as
bookmarks.
• Helix: One of the easiest suites to use is Helix because of its user interface. What’s
unique about Helix is that you can load it on a live Windows system; its Windows
component is used for live acquisitions.
• During corporate investigations, often you need to retrieve RAM and other data, such
as the suspect’s user profile, from a workstation or server that can’t be seized or turned
off.
• This data is extracted while the system is running and captured in its state at the time
of extraction.
• To do a live acquisition, insert the Helix CD into the suspect’s machine. After clicking
I ACCEPT in the licensing window, you see the Helix menu.
• BackTrack is another Linux Live CD used by many security professionals and forensics
investigators. It includes a variety of tools and has an easy-to-use KDE interface.
• Autopsy and Sleuth Kit: Sleuth Kit is a Linux forensics tool, and Autopsy is the GUI
browser interface for accessing Sleuth Kit’s tools.
• Knoppix-STD: Security Tools Distribution (STD) is a collection of tools for
configuring security measures, including computer and network forensics.
• Note that Knoppix-STD is forensically sound, so it doesn’t allow you to alter or
damage the system you’re analyzing.
• If you load this CD in Windows, Knoppix lists available tools. Although many of the
tools have GUI interfaces, some are still command line only.
• Like Helix, Knoppix-STD is a Linux bootable CD. If you shut down Windows and
reboot with the Knoppix-STD disc in the CD/DVD drive, your system boots into Linux.
Other GUI Forensics Tools
• Several software vendors have introduced forensics tools that work in Windows.
• Because GUI forensics tools don’t require the same understanding of MS-DOS and file
systems as command-line tools, they can simplify computer forensics investigations.
• These GUI tools have also simplified training for beginning examiners; however, you
should continue to learn about and use command-line tools because some GUI tools
might miss critical evidence.
• GUI tools have several advantages, such as ease of use, the capability to perform
multiple tasks, and no requirement to learn older OSs.
• Their disadvantages range from excessive resource requirements (needing large
amounts of RAM, for example) and producing inconsistent results because of the type
of OS used, such as Windows Vista 32-bit or 64-bit systems

4.5 Computer Forensics Hardware Tools
• Hardware is hardware; whether it’s a rack-mounted server or a forensic workstation,
eventually it fails.
• For this reason, you should schedule equipment replacements periodically—ideally,
every 18 months if you use the hardware full time.
• Most computer forensics operations use a workstation 24 hours a day for a week or
longer between complete shutdowns.
• You should plan your hardware needs carefully, especially if you have budget
limitations.
• The longer you expect the forensic workstation to be running, the more you need to
anticipate physical equipment failure and the expense of replacement equipment.
Forensic Workstations
• Many computer vendors offer a wide range of forensic workstations that you can tailor
to meet your investigation needs.
• Forensic workstations can be divided into the following categories:
1) Stationary workstation—A tower with several bays and many peripheral devices.
2) Portable workstation—A laptop computer with a built-in LCD monitor and almost
as many bays and peripherals as a stationary workstation.
3) Lightweight workstation—Usually a laptop computer built into a carrying case
with a small selection of peripheral options.
Building Your Own Workstation
• If you have the time and skill to build your own forensic workstation, you can customize
it to your needs and save money, although you might have trouble finding support for
problems that develop.
• For example, peripheral devices might conflict with one another, or components might
fail. If you build your own forensic workstation, you should be able to support the
hardware.

• If you decide that building a forensic workstation is beyond your skills, several vendors
offer workstations designed for computer forensics, such as the F.R.E.D. unit from
Digital Intelligence or the Dual Xeon Workstation from Forensic PC.
• Having a vendor-supplied workstation has its advantages.
Using a Write-Blocker
• The first item you should consider for a forensic workstation is a write-blocker.
• Write blockers protect evidence disks by preventing data from being written to them.
Software and hardware write-blockers perform the same function but in a different
fashion.
• Software write-blockers, such as PDBlock from Digital Intelligence, typically run in a
shell mode (for example, DOS).
• If you attempt to write data to the blocked drive, an alarm sounds, advising that no
writes have occurred.
• With hardware write-blockers, you can connect the evidence drive to your workstation
and start the OS as usual.
• Hardware write-blockers are ideal for GUI forensics tools. They prevent Windows or
Linux from writing data to the blocked drive.
• Hardware write-blockers act as a bridge between the suspect drive and the forensic
workstation.
• Many vendors have developed write-blocking devices that connect to a computer
through FireWire, USB 2.0, SATA, and SCSI controllers.
• Most of these write-blockers enable you to remove and reconnect drives without having
to shut down your workstation, which saves time in processing the evidence drive.
Additional information about various computer forensic tools:
4.6 Validating and Testing Forensics Software,
• Now that you have selected some tools to use, you need to make sure the evidence you
recover and analyze can be admitted in court.
• To do this, you must test and validate your software. The following sections discuss
validation tools available at the time of this writing and how to develop your own
validation protocols.

• Using National Institute of Standards and Technology (NIST) Tools: The National
Institute of Standards and Technology publishes articles, provides tools, and creates
procedures for testing and validating computer forensics software.
• Software should be verified to improve evidence admissibility in judicial proceedings.
NIST sponsors the Computer Forensics Tool Testing (CFTT) project to manage
research on computer forensics tools.
• Establish categories for computer forensics tools—Group computer forensics software
according to categories, such as forensics tools designed to retrieve and trace e-mail.
• Identify computer forensics category requirements—For each category, describe the
technical features or functions a forensics tool must have.
• Develop test assertions—Based on the requirements, create tests that prove or disprove
the tool’s capability to meet the requirements.
• Identify test cases—Find or create types of cases to investigate with the forensics tool,
and identify information to retrieve from a sample drive or other media. For example,
use the image of a closed case file created with a trusted forensics tool to test a new tool
in the same category and see whether it produces the same results.
• Establish a test method—Considering the tool’s purpose and design, specify how to test
it.
• Report test results—Describe the test results in a report that complies with ISO
17025, which requires accurate, clear, unambiguous, and objective test reports.
• Another standards document, ISO 5725, demands accuracy for all aspects of the testing
process, so results must be repeatable and reproducible. “Repeatable results” means
that if you work in the same lab on the same machine, you generate the same results.
“Reproducible results” means that if you’re in a different lab working on a different
machine, the tool still retrieves the same information.
Testing Standards:
• Establish categories for computer forensics tools
• Identify computer forensics category requirements
• Develop test assertions
• Identify test cases
• Establish a test method
• Report test results
Using Validation Protocols
• After retrieving and examining evidence data with one tool, you should verify your
results by performing the same tasks with other similar forensics tools.
• For example, after you use one forensics tool to retrieve disk data, you use another to
see whether you retrieve the same information.
• Although this step might seem unnecessary, you might be asked on the witness stand
“How did you verify your results?” To satisfy the need for verification, you need at
least two tools to validate software or hardware upgrades.
• The tool you use to validate the results should be well tested and documented.

Computer Forensics Examination Protocol
1) First, conduct your investigation of the digital evidence with one GUI tool.
2) Then perform the same investigation with a disk editor to verify that the GUI tool is
seeing the same digital evidence in the same places on the test or suspect drive’s image.
3) If a file is recovered, obtain the hash value with the GUI tool and the disk editor, and
then compare the results to verify whether the file has the same value in both tools.
Computer Forensics Tool Upgrade Protocol
• In addition to verifying your results by using two disk-analysis tools, you should test
all new releases and OS patches and upgrades to make sure they’re reliable and don’t
corrupt evidence data.
• New releases and OS upgrades and patches can affect the way your forensics tools
perform.

4.7 Face, Iris and Fingerprint Recognition,
1. Face recognition:
• A facial recognition system is a technology capable of matching a human face from a
digital image or a video frame against a database of faces. Such a system is typically
employed to authenticate users through ID verification services, and works by
pinpointing and measuring facial features from a given image.
• Facial recognition systems have seen wider uses in recent times on smartphones and in
other forms of technology, such as robotics.
• Because computerized facial recognition involves the measurement of a human's
physiological characteristics, facial recognition systems are categorized as biometrics.
• Although the accuracy of facial recognition systems as a biometric technology is lower
than iris recognition and fingerprint recognition, it is widely adopted due to its
contactless process. Facial recognition systems have been deployed in advanced
human–computer interaction, video surveillance and automatic indexing of images.
• Facial recognition technology (FRT) systems generate a probability match score, or a
confidence score between the suspect who is to be identified and the database of
identified criminals that is available with the police. The National Automated Facial
Recognition System (AFRS) is already being developed by the National Crime Records
Bureau (NCRB), a body constituted under the Ministry of Home Affairs. The project
seeks to develop and deploy a national database of photographs which would comport
with a facial recognition technology system by the central and state security agencies.
Techniques for face recognition
1) Traditional: Some face recognition algorithms identify facial features by extracting
landmarks, or features, from an image of the subject's face. For example, an algorithm
may analyze the relative position, size, and/or shape of the eyes, nose, cheekbones, and
jaw. These features are then used to search for other images with matching features.
Popular recognition algorithms include principal component analysis using eigenfaces,
linear discriminant analysis, elastic bunch graph matching using the Fisherface
algorithm, the hidden Markov model, the multilinear subspace learning using
tensor representation, and the neuronal motivated dynamic link matching. Modern
facial recognition systems make increasing use of machine learning techniques such
as deep learning.
2) Human identification at a distance (HID): To enable human identification at a
distance (HID) low-resolution images of faces are enhanced using face hallucination.
In CCTV imagery faces are often very small. But because facial recognition algorithms
that identify and plot facial features require high resolution images, resolution
enhancement techniques have been developed to enable facial recognition systems to
work with imagery that has been captured in environments with a high signal-to-noise
ratio. Face hallucination algorithms that are applied to images prior to those images
being submitted to the facial recognition system use example-based machine learning
with pixel substitution or nearest neighbour distribution indexes that may also
incorporate demographic and age-related facial characteristics.
3) 3-dimensional recognition: Three-dimensional face recognition technique uses 3D
sensors to capture information about the shape of a face. This information is then used
to identify distinctive features on the surface of a face, such as the contour of the eye
sockets, nose, and chin. One advantage of 3D face recognition is that it is not affected
by changes in lighting like other techniques. It can also identify a face from a range of
viewing angles, including a profile view. Three-dimensional data points from a face
vastly improve the precision of face recognition.
4) Thermal cameras: With this technique the cameras detect only the shape of the head
and ignore the subject's accessories such as glasses, hats, or makeup. Unlike
conventional cameras, thermal cameras can capture facial imagery even in low-light
and night-time conditions without using a flash and exposing the position of the camera.

2. Iris Recognition:
• Iris recognition is an automated method of biometric identification that uses
mathematical pattern-recognition techniques on video images of one or both of the
irises of an individual's eyes, whose complex patterns are unique, stable, and can be
seen from some distance. Iris recognition enables the avoidance of "collisions" (False
Matches) even in cross-comparisons across massive populations.
• Its major limitation is that image acquisition from distances greater than a meter or two,
or without cooperation, can be very difficult.
• Iris recognition uses video camera technology with subtle near infrared illumination to
acquire images of the detail-rich, intricate structures of the iris which are visible
externally.
• Digital templates encoded from these patterns by mathematical and statistical
algorithms allow the identification of an individual or someone pretending to be that
individual.
• First the system has to localize the inner and outer boundaries of the iris (pupil and
limbus) in an image of an eye. Further subroutines detect and exclude eyelids,
eyelashes, and specular reflections that often occlude parts of the iris. The set of pixels
containing only the iris, normalized by a rubber-sheet model to compensate for pupil
dilation or constriction, is then analyzed to extract a bit pattern encoding the
information needed to compare two iris images.
• In the case of Daugman's algorithms, a Gabor wavelet transform is used. The result is
a set of complex numbers that carry local amplitude and phase information about the
iris pattern.
• Aadhaar began operation in India in 2011; the Indian government has enrolled the iris
patterns (and other biometrics) of more than one billion residents for the Aadhaar
scheme for entitlements distribution, run by the Unique Identification Authority of
India (UIDAI).
• By October 2015, the number of persons enrolled exceeded 926 million, with each new
enrollee being compared to all existing ones for de-duplication checks (hence 926
trillion, i.e. 926 million-million, iris cross-comparisons per day).
• Iris technology providers must be granted a STQC (Standardisation Testing and Quality
Certification) certificate in order to supply iris scanners for the project.
• So far, providers include IriTech Inc. (dual iris scanner IriMagic 100BK),
Cogent (CIS-202), Iris ID (icam TD 100), Iris Guard (IG-AD-100), etc.
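The comparison step of Daugman's method can be shown on constructed data. The following Python code is an added illustration (not from these notes): two 2048-bit iris codes are compared by the masked, normalised Hamming distance, the minimum over small cyclic shifts absorbs eye rotation, and a decision threshold (0.32 is assumed here) separates genuine from impostor comparisons. Random bit strings stand in for real Gabor-phase codes.

```python
"""Daugman-style iris code comparison on constructed bit patterns (added example)."""
import random

# Decision threshold on the normalised Hamming distance (HD); 0.32 is an
# assumed value for this illustration, chosen to sit between the genuine
# (~0.1) and impostor (~0.5) distances seen below.
MATCH_THRESHOLD = 0.32


def masked_hamming_distance(code_a, mask_a, code_b, mask_b):
    """Fraction of differing bits, counted only where both masks mark the bit usable.

    code_*: list of 0/1 bits (the iris code)
    mask_*: list of 0/1 bits, 1 where the bit is not hidden by eyelid, lash or reflection
    """
    usable = [ma & mb for ma, mb in zip(mask_a, mask_b)]
    n_usable = sum(usable)
    if n_usable == 0:
        raise ValueError("no overlapping usable bits; cannot compare")
    disagreements = sum((a ^ b) & u for a, b, u in zip(code_a, code_b, usable))
    return disagreements / n_usable


def rotate(bits, k):
    """Cyclic shift by k positions; models rotation of the eye or head tilt."""
    k %= len(bits)
    return bits[k:] + bits[:k]


def best_hamming_distance(code_a, mask_a, code_b, mask_b, max_shift=8):
    """Minimum masked HD over cyclic shifts of the second code in [-max_shift, max_shift]."""
    best = 1.0
    for k in range(-max_shift, max_shift + 1):
        hd = masked_hamming_distance(code_a, mask_a, rotate(code_b, k), rotate(mask_b, k))
        best = min(best, hd)
    return best


def is_match(code_a, mask_a, code_b, mask_b, threshold=MATCH_THRESHOLD):
    """Same eye if the best-aligned distance falls below the threshold."""
    return best_hamming_distance(code_a, mask_a, code_b, mask_b) < threshold


def make_iris_code(n_bits=2048, seed=0):
    """Constructed random bit string standing in for a real Gabor-phase iris code."""
    rng = random.Random(seed)
    return [rng.randint(0, 1) for _ in range(n_bits)]


def noisy_copy(code, flip_fraction, seed=1):
    """Simulate a second capture of the same iris: a fraction of bits flipped by noise."""
    rng = random.Random(seed)
    out = list(code)
    for i in range(len(out)):
        if rng.random() < flip_fraction:
            out[i] ^= 1
    return out


def demo():
    """Return (genuine_hd, impostor_hd) for one enrolled eye, one re-capture, one other eye."""
    enrolled = make_iris_code(seed=42)
    full_mask = [1] * len(enrolled)
    # Same eye, second capture: ~10% bit noise, rotated 3 positions,
    # and the first 15% of the code hidden by the upper eyelid (mask = 0).
    probe = rotate(noisy_copy(enrolled, 0.10), 3)
    probe_mask = [0 if i < len(probe) * 15 // 100 else 1 for i in range(len(probe))]
    other_eye = make_iris_code(seed=7)
    genuine = best_hamming_distance(enrolled, full_mask, probe, probe_mask)
    impostor = best_hamming_distance(enrolled, full_mask, other_eye, full_mask)
    return genuine, impostor
```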

3. Fingerprint Recognition:
• A fingerprint is an impression left by the friction ridges of a human finger.
• The recovery of partial fingerprints from a crime scene is an important method of
forensic science.
• Moisture and grease on a finger result in fingerprints on surfaces such as glass or metal.
Deliberate impressions of entire fingerprints can be obtained by ink or other substances
transferred from the peaks of friction ridges on the skin to a smooth surface such as
paper.
• Fingerprint records normally contain impressions from the pad on the last joint of
fingers and thumbs, though fingerprint cards also typically record portions of lower
joint areas of the fingers.
• Human fingerprints are detailed, nearly unique, difficult to alter, and durable over the
life of an individual, making them suitable as long-term markers of human identity.
• They may be employed by police or other authorities to identify individuals who wish
to conceal their identity, or to identify people who are incapacitated or deceased and
thus unable to identify themselves, as in the aftermath of a natural disaster.
• Fingerprint identification, known as dactyloscopy, or hand print identification, is the
process of comparing two instances of friction ridge skin impressions (see Minutiae),
from human fingers or toes, or even the palm of the hand or sole of the foot, to determine
whether these impressions could have come from the same individual.
• The flexibility of friction ridge skin means that no two finger or palm prints are ever
exactly alike in every detail; even two impressions recorded immediately after each
other from the same hand may be slightly different.
• Fingerprint identification, also referred to as individualization, involves an expert, or
an expert computer system operating under threshold scoring rules, determining
whether two friction ridge impressions are likely to have originated from the same
finger or palm.

• Fingerprinting techniques: 1) Exemplar and 2) Latent
1) Exemplar: Exemplar prints, or known prints, is the name given to fingerprints
deliberately collected from a subject, whether for purposes of enrollment in a system or
when under arrest for a suspected criminal offense. During criminal arrests, a set of
exemplar prints will normally include one print taken from each finger that has been
rolled from one edge of the nail to the other, plain (or slap) impressions of each of the
four fingers of each hand, and plain impressions of each thumb. Exemplar prints can be
collected using live scan or by using ink on paper cards.
2) Latent: In forensic science a partial fingerprint lifted from a surface is called a
latent fingerprint. Moisture and grease on fingers result in latent fingerprints on
surfaces such as glass. But because they are not clearly visible, their detection may
require chemical development through powder dusting, the spraying of ninhydrin,
iodine fuming, or soaking in silver nitrate.
o While the police often describe all partial fingerprints found at a crime scene as
latent prints, forensic scientists call partial fingerprints that are readily visible
patent prints.
o Chocolate, toner, paint or ink on fingers will result in patent fingerprints. Fingerprint
impressions that are found on soft material, such as soap, cement,
or plaster, are called plastic prints by forensic scientists.

4.8 Audio Video Analysis,
Introduction
• Unlike other forms of forensic evidence, audio and video recordings can provide a real-
time, eyewitness account of a crime so investigators can watch or hear what transpired.
• Closed circuit television systems (CCTV) and video and audio recorders can be found
in businesses, at traffic intersections, parking lots, bank machines, on police-vehicle
dashboards and of course, in cell phones.
• For most crimes, however, high-quality audio and/or video recordings are often not
available. This is where forensic audio and video expertise can help.
• Forensic experts have many techniques to enhance recordings that can bring out details
and provide a clearer picture of what occurred or make an audio recording more audible.
This in turn helps investigators, lawyers and jurors better conduct their duties.
Principles of Forensic Audio and Video Analysis: To assist in an investigation, forensic
experts can repair, recover, enhance, and analyse audio and video recordings using an array of
scientific tools and techniques.
1. Repair and Recovery of Evidence:
• Before audio and video evidence can be analysed, it may first need to be repaired or
recovered from damaged media or a damaged recording device.
• Repairing evidence is especially common for analog and digital magnetic tape. It may
need to be spliced back together or put into a new audio/video housing to recover the
audio or video. In today’s digital world, CDs, DVDs, cell phones, portable cameras
and other sources of digital media and recording devices can be damaged by heat,
misuse, the environmental conditions of a crime scene, or simply on purpose by an
offender. Even in these situations, the digital files can be recovered and used for
analysis.
2. Evidence Enhancement
• The most common function of forensic video and audio experts is to clarify a recording
so that it is more apparent to investigators, attorneys and jurors what the evidence
demonstrates.
• To enhance a video recording, filters can be used to adjust the brightness and contrast,
correct the colour, crop and resize an image, enhance edge detail and reduce visual
distortion. The speed of playback can also be adjusted to more accurately display the
frame rate at which it was recorded.
• To enhance an audio recording, filters can be employed to improve clarity. This may
entail removal of unwanted noise or enhancing the intelligibility of speech. Recordings
will often be made in less-than-ideal circumstances, such as when someone is wearing
a body wire. Utilizing audio engineering techniques may allow faint voices or events
to be heard more clearly on playback.
3. Analysis, Interpretation and Identification
• Authentication of recordings - In many criminal cases, the authenticity of the recording
and the content of the recording may be called into question. Forensic audio and video
experts can examine a variety of characteristics of the audio or video recording to
determine whether the evidence has been altered. This includes confirming the integrity
(verification) of the recording, as well as authenticating that the content of the image or
audio is what it purports to be.
• If the ambient sound present on an audio recording changes abruptly, this could indicate
that the environment where the recording took place suddenly changed.
• The volume and tone of a voice on the recording can provide clues as to distance and
spatial relationships within a scene. Lighting conditions can be examined to estimate
the time of day or environmental conditions at the time of the recording.
• Technical details may also confirm information about a recording. For instance, an
unnatural waveform present in the audio or video signal may indicate that an edit has
been made. A physical identifier may be present in the signal on magnetic tape that can
identify it as a copy or indicate that it was recorded on a particular device. Sometimes,
a perpetrator will try to destroy audio or video evidence; however, using these methods,
the recording can be analyzed to determine what occurred.
• Identifying people or objects on a recording - Identifying a person or object from an
image on a video or voice on an audio recording requires training in Image Content
Analysis or speech science. These examinations are detailed comparisons of an
unknown recording to a known recording, or an unknown object to a known object in
an attempt to make a positive identification. For instance, an image of a hat at the crime
scene may be compared with a hat found on a suspect. The comparison techniques used
in image analysis follow the same detailed comparison techniques as Fingerprint and
Document examiners. The analysis and comparison of voices is an evolving area of
practice that can be controversial in criminal cases.
How the Analysis Is Performed
• The first step of an analysis is for the examiner to simply listen to or view the recorded
footage. The examiner will then begin to locate the area of interest to be enhanced and
examined in closer detail using specialized devices and software.
• Before processing audio and video evidence, a working copy of the evidence may be
created. This assures that the original evidence is always available in its unaltered state.
In addition, the original will always be available for comparison to the processed copy.
• All examination procedures are carefully constructed so that the image or video is a
true and accurate representation of the scene. Investigators never change the recorded
data—they only enhance what is already present.
• Video Enhancement Techniques - A variety of enhancement techniques can be
employed on video evidence. It is important that the best video recording be submitted
to obtain the best enhancement results. Limitations on the enhancement process may
exist if an analog copy or digital file that has undergone additional compression is
submitted for analysis. Techniques can include:
• Sharpening - Makes edges of images in the recording become more clear and distinct.
• Video stabilization - Reduces the amount of movement in the video, producing the
smoothest possible playback.
• Masking - Covers the face or areas of the video that may protect a witness, victim or
law enforcement officer.
• Interlacing - In an analog system, interlaced scanning is used to record images (a
technique of combining two television fields in order to produce a full frame of video).
A process called de-interlacing may be used to retrieve the information in both fields
of video.
• Demultiplexing - Allows for isolation of each camera. In CCTV systems, a device
called a multiplexer is used to combine multiple video signals into a single signal or
separate a combined signal. These devices are frequently used in security and law
enforcement applications for recording and/or displaying multiple camera images
simultaneously or in succession.
• Audio Enhancement Techniques - For audio recordings, a variety of filters can be
applied to enhance the material, bringing out specific aspects or events contained in the
recording.
• Frequency Equalization - Highly precise equalizers can be used to boost or cut
specific bands of frequencies. To help make speech more intelligible, the frequency
band containing most speech content, 200 Hz to 5000 Hz, can be amplified or isolated. If
amplification is applied to a frequency range, other information residing in this
frequency range will be boosted as well. If noise resides in this same range, this noise
will also be increased, limiting the ability to clarify voices.
• Loud background noises may be analyzed by a spectrum analyzer and the
corresponding frequencies reduced so that these noises are less noticeable.

• Compression - Faint sounds in the recording can be boosted by compressing or leveling
the signal so that the dynamic range of the material is reduced, making soft sounds more
apparent.
• (Figure) Waveform of a recording made at a low volume with significantly loud ambient noise
that is masking the speech content of the recording.
• (Figure) The same recording after enhancement. The noise is attenuated and the volume of the
speech is increased.
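The following Python code is an added example (not from these notes) of the frequency equalization described above: a constructed 50 ms clip containing a faint 1 kHz tone standing in for speech, a loud 60 Hz mains hum, a 7 kHz hiss and a 3 kHz noise inside the speech band is passed through an ideal band-pass filter that keeps only 200 Hz to 5000 Hz. The 16 kHz sample rate and the component amplitudes are assumptions; the in-band noise survives the filter, as the text warns.

```python
"""Band-pass equalisation of a constructed audio clip with a plain DFT (added example)."""
import cmath
import math

FS = 16000  # sample rate in Hz (assumed for this example)
N = 800     # 50 ms of audio; DFT bin spacing is FS / N = 20 Hz, so all tones below are bin-aligned


def dft(x):
    """Plain O(n^2) discrete Fourier transform; no external libraries needed."""
    n = len(x)
    return [sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
            for k in range(n)]


def idft(spectrum):
    """Inverse DFT, returning the real part (the input signal is real)."""
    n = len(spectrum)
    return [sum(spectrum[k] * cmath.exp(2j * math.pi * k * t / n) for k in range(n)).real / n
            for t in range(n)]


def band_pass(samples, fs, lo_hz, hi_hz):
    """Ideal band-pass equaliser: keep only DFT bins whose frequency lies in [lo_hz, hi_hz]."""
    n = len(samples)
    spectrum = dft(samples)
    for k in range(n):
        # Bins above n/2 are the negative-frequency mirror; use the nearer frequency.
        freq = min(k, n - k) * fs / n
        if not lo_hz <= freq <= hi_hz:
            spectrum[k] = 0
    return idft(spectrum)


def tone_amplitude(samples, fs, freq_hz):
    """Peak amplitude of the sinusoid at freq_hz (freq_hz must fall on a DFT bin)."""
    n = len(samples)
    k = round(freq_hz * n / fs)
    bin_value = sum(samples[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
    return 2 * abs(bin_value) / n


def make_clip():
    """Constructed clip: quiet 1 kHz 'speech', loud 60 Hz hum, 7 kHz hiss, 3 kHz in-band noise."""
    clip = []
    for i in range(N):
        t = i / FS
        clip.append(0.3 * math.sin(2 * math.pi * 1000 * t)    # speech-band content (kept)
                    + 0.8 * math.sin(2 * math.pi * 60 * t)    # mains hum, below band (removed)
                    + 0.5 * math.sin(2 * math.pi * 7000 * t)  # hiss, above band (removed)
                    + 0.2 * math.sin(2 * math.pi * 3000 * t)) # noise inside the speech band (kept)
    return clip


def demo():
    """Amplitude (before, after) filtering for each component, keyed by frequency in Hz."""
    clip = make_clip()
    cleaned = band_pass(clip, FS, 200, 5000)
    return {f: (round(tone_amplitude(clip, FS, f), 3), round(tone_amplitude(cleaned, FS, f), 3))
            for f in (60, 1000, 3000, 7000)}
```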

Pre 4.9 Operating system forensics: Operating System Forensics is the process of retrieving
useful information from the Operating System (OS) of the computer or mobile device in
question. The aim of collecting this information is to acquire empirical evidence against the
perpetrator.
• Forensic investigation on an OS can be performed because it is responsible for file
management, memory management, logging, user management, and many other
relevant details.
• The understanding of an OS and its file system is necessary to recover data for computer
investigations. The file system provides an operating system with a roadmap to data on
the hard disk. The file system also identifies how the hard drive stores data. There are many
file systems introduced for different operating systems, such as FAT, exFAT, and NTFS
for Windows Operating Systems (OSs), and Ext2fs, or Ext3fs for Linux OSs.
• Data and file recovery techniques for these file systems include data carving, slack
space, and data hiding. Another important aspect of OS forensics is memory forensics,
which incorporates virtual memory, Windows memory, Linux memory, Mac OS
memory, memory extraction, and swap spaces.
• OS forensics also involves web browsing artifacts, such as messaging and email
artifacts. Some indispensable aspects of OS forensics are discussed in subsequent
sections.
• The examination steps in operating system forensics: There are five basic steps
necessary for the study of Operating System forensics. These five steps are listed below:
1. Policies and Procedure Development
2. Evidence Assessment
3. Evidence Acquisition
4. Evidence Examination
5. Documenting and Reporting

4.9 Windows System Forensics,


• Windows Forensics includes the process of conducting forensic investigations of systems
that run Windows operating systems. It includes incident response analysis, recovery, and
auditing of equipment used in executing any criminal activity.

• In order to accomplish such intricate forensic analyses, the investigators should possess
extensive knowledge of the Microsoft Windows operating systems.
• Windows System Forensics is all about the collection of volatile and non-volatile
information; performing Windows memory and registry analysis; cache, cookie, and
history analysis; MD5 calculation; Windows file analysis; etc.
Windows Forensics Methodology:
Collecting Volatile Information:
➢ Volatile Information refers to the data stored in the registries, cache, and RAM of digital
devices. This information is usually lost or erased whenever the system is turned off or
rebooted.
➢ The volatile information is dynamic in nature and keeps on changing with time; so the
investigators should be able to collect the data in real time.
➢ The investigators follow the Locard’s Exchange Principle and collect the contents of
the RAM right at the onset of investigation, so as to minimize the impact of further
steps on the integrity of the contents of the RAM.
➢ Based upon the collected volatile information, the investigators can determine the user
logged on; timeline of the security incident; programs and libraries involved; files
accessed and shared during the suspected attack; as well as other details.
System Time:
➢ The first step while investigating an incident is the collection of the system time. System
time refers to the exact date and time of the day when the incident happened, as per the
coordinated universal time (UTC). The system provides the system time so that the
applications launched have access to the accurate time and date.
➢ The knowledge of system time will give a great deal of context to the information
collected in the subsequent steps. It will also assist in developing an accurate timeline
of events that have occurred on the system. Apart from the current system time,
information about the amount of time that the system has been running, or the uptime,
can also provide a great deal of context to the investigation process.
➢ Investigators also record the real time, or wall time, when recording the system time.
Comparison of both timings allows the investigator to determine whether the system
clock was accurate or inaccurate. The investigators can extract the system time and date
with the help of the date /t and time /t commands, or use the net statistics server
command.
➢ An alternative way for obtaining the system time details is by using the GetSystemTime
function.
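The comparison described above, worked through as an added example (this is not code from the notes): it parses the output of the three Windows commands just mentioned, computes the suspect clock's skew against the investigator's trusted wall-clock reference and the uptime since the last boot, and yields the correction that must be applied to every timestamp later collected from that host. The command outputs and the reference time are constructed samples in US-locale format; on a real system the same strings come from running the commands.

```python
"""Added example (not from the notes): reconcile a suspect Windows machine's
reported clock against the investigator's trusted wall-clock reference.

The command outputs below are CONSTRUCTED to look like what `date /t`,
`time /t` and `net statistics server` print on an English (US-locale)
Windows system; other locales use other date formats."""
import re
from datetime import datetime, timedelta

# Constructed output of `date /t` and `time /t`, run back-to-back on the suspect host
DATE_T_OUTPUT = "Thu 03/14/2024"
TIME_T_OUTPUT = "09:17 AM"

# Constructed output of `net statistics server` (only the line we need matters)
NET_STATS_OUTPUT = """Server Statistics for \\\\WS-ACCT-07


Statistics since 3/12/2024 7:02:11 AM


Sessions accepted                  3
"""

# Constructed: the investigator's trusted reference clock, read at the same moment
WALL_CLOCK_REFERENCE = datetime(2024, 3, 14, 9, 22, 0)


def parse_date_time_t(date_out: str, time_out: str) -> datetime:
    """Combine `date /t` ("Thu 03/14/2024") and `time /t` ("09:17 AM")."""
    date_part = date_out.strip().split()[-1]          # drop the weekday name
    return datetime.strptime(f"{date_part} {time_out.strip()}", "%m/%d/%Y %I:%M %p")


def parse_boot_time(net_stats_out: str) -> datetime:
    """Pull the 'Statistics since ...' timestamp out of `net statistics server`."""
    m = re.search(r"Statistics since (\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)",
                  net_stats_out)
    if not m:
        raise ValueError("no 'Statistics since' line found")
    return datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")


def clock_skew(system_time: datetime, reference: datetime) -> timedelta:
    """Positive: the suspect clock runs AHEAD of the reference; negative: behind."""
    return system_time - reference


def uptime(system_time: datetime, boot_time: datetime) -> timedelta:
    """Uptime as measured by the suspect system's own clock."""
    return system_time - boot_time


def assess(date_out, time_out, net_stats_out, reference,
           tolerance=timedelta(minutes=2)) -> dict:
    """Summarise skew, uptime and the correction to apply to host timestamps."""
    sys_time = parse_date_time_t(date_out, time_out)
    boot = parse_boot_time(net_stats_out)
    skew = clock_skew(sys_time, reference)
    return {
        "system_time": sys_time,
        "boot_time": boot,
        "uptime": uptime(sys_time, boot),
        "skew": skew,
        # every timestamp collected later from this host is shifted by this amount
        "correction": -skew,
        "clock_accurate": abs(skew) <= tolerance,
    }


if __name__ == "__main__":
    result = assess(DATE_T_OUTPUT, TIME_T_OUTPUT, NET_STATS_OUTPUT, WALL_CLOCK_REFERENCE)
    for key, value in result.items():
        print(f"{key:15}: {value}")
```

With the constructed values the suspect clock is five minutes behind the reference, so five minutes must be added to every event time taken from that host before it is placed on the timeline; the tolerance of two minutes is a choice for this example, not a standard.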
Logged-On Users
➢ During an investigation, an investigator must gather details of all the users logged on
to the suspected system.
➢ This includes not only the people logged on locally (via the console or keyboard) but
also those who had remote access to the system (e.g., via the net use command or a
mapped share).

➢ This information allows an investigator to add context to other information collected
from the system, such as the user context of a running process, the owner of a file, or
the last access times on files.
➢ It is also useful to correlate the collected system time information with the Security
event log, particularly if the admin has enabled appropriate auditing.
➢ Some of the tools and commands used to determine logged-on users are as follows:
o PsLoggedOn
o net sessions
o LogonSessions
Other evidence collection: Investigators can search for evidence by analyzing the following
important locations in Windows:
➢ Recycle Bin: This holds files that have been discarded by the user. When a user deletes
files, a copy of them is stored in the Recycle Bin. This process is called “Soft Deletion.”
Recovering files from the Recycle Bin can be a good source of evidence.
➢ Registry: Windows Registry holds a database of values and keys that give useful pieces
of information to forensic analysts. For example, see the table below that provides
registry keys and associated files that encompasses user activities on the system.
➢ Thumbs.db Files: These have images’ thumbnails that can provide relevant
information.
➢ Browser History: Every Web Browser generates history files that contain significant
information. Microsoft Windows Explorer is the default web browser for Windows
OSs. However, some other supported browsers are Opera, Mozilla Firefox, Google
Chrome, and Apple Safari.
➢ Print Spooling: This process occurs when a computer prints files in a Windows
environment. When a user sends a print command from a computer to the printer, the
print spooling process creates a “print job” consisting of files that remain in the queue
until the print operation completes successfully. The printer configuration must be set
to either EMF mode or RAW mode. In RAW mode, the print job is simply a straight
graphic dump of itself, whereas in EMF mode the graphics are converted into the EMF
image format (Microsoft Enhanced Metafile). These EMF files can be indispensable and
can provide empirical evidence for forensic purposes.
➢ Many tools can be used to perform data analysis on different Operating Systems.
➢ Cuckoo Sandbox: This tool is mainly designed to perform analysis on malware.
Cuckoo Sandbox takes snapshots of virtual machines so that the investigator can
compare the state of the system before and after the malware attack. Since malware
mostly targets Windows OS, Windows virtual machines are used for this purpose.
➢ Helix CD also offers some tools for Windows Forensics, such as: Asterisk Logger,
Registry Viewer, Screen Capture, File Recovery, Rootkit Revealer, MD5 Generator,
Command Shell, Security Reports, IE Cookies Viewer, and Mozilla Cookies Viewer.
➢ X-Ways Forensics offers forensics work environment with some remarkable features,
such as:
o Disk imaging and cloning, including under Disk Operating System (DOS)
o Compatible with UDF, CDFS, ext2, ext3, NTFS, and FAT

o Views and dumps the virtual memory of running processes and physical RAM
o Gathers inter-partition space, free space, and slack space
o Mass hash calculations for files
o Ensures data authenticity with write protection feature
o Automated file signature check, and much more

4.10 Linux System Forensics,


➢ Linux is an open-source, Unix-like, and elegantly designed operating system that runs
on personal computers, supercomputers, servers, mobile devices, netbooks, and laptops.
➢ Unlike other OSs, Linux supports many file systems of the ext family, including ext2,
ext3, and ext4.
➢ Linux can provide empirical evidence if a Linux-based machine is recovered from a
crime scene.

➢ In this case, forensic investigators should analyze the following folders and
directories:
➢ /etc (Windows equivalent: %SystemRoot%/System32/config): the system configuration
directory, which holds a separate configuration file for each application.
➢ /var/log: This directory contains application logs and security logs. They are kept for 4-5
weeks.
➢ /home/$USER: This directory holds user data and configuration information.
➢ /etc/passwd: This file holds user account information.
➢ Some tools used for Linux OS:
➢ Forensic toolkit for Linux: Forensic specialists use a forensic toolkit to collect
evidence from a Linux operating system. The toolkit comprises many tools such as
dmesg, insmod, netstat, arp, route, hunter.o, date, cat, pcat, and nc.
➢ Helix: Helix is the distributor of the Knoppix Live Linux CD. It provides access to a
Linux kernel, hardware detection, and many other applications.
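A first-pass triage of two of the locations listed above, /etc/passwd and /var/log, as an added example (not code from the notes or from any toolkit named here). It parses passwd records and flags the two patterns an examiner looks for first (a non-root account with UID 0, and an interactive account whose home is in /tmp), then summarises sshd and sudo lines from an auth.log. Both inputs are constructed samples embedded inline; on a seized image they would be read from the mounted evidence copy instead.

```python
"""Added example (not from the notes): triage /etc/passwd and /var/log/auth.log.
The file contents below are CONSTRUCTED so the script runs offline; on a real
image read them with open() from the mounted evidence copy."""
import re
from collections import Counter

# Constructed /etc/passwd (one record per line: name:pw:UID:GID:GECOS:home:shell)
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-backup:x:0:1002:backup helper:/tmp:/bin/sh
"""

# Constructed /var/log/auth.log lines in the syslog format Debian/Ubuntu sshd and sudo use
AUTH_LOG_SAMPLE = """\
Mar 14 08:55:01 ws07 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51322 ssh2
Mar 14 08:55:03 ws07 sshd[2213]: Failed password for invalid user admin from 203.0.113.45 port 51324 ssh2
Mar 14 08:55:06 ws07 sshd[2215]: Failed password for root from 203.0.113.45 port 51330 ssh2
Mar 14 08:55:09 ws07 sshd[2217]: Accepted password for alice from 203.0.113.45 port 51338 ssh2
Mar 14 09:01:44 ws07 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text: str) -> list[dict]:
    """Split each /etc/passwd record into its fields."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        records.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return records


def suspicious_accounts(records: list[dict]) -> list[str]:
    """Flag UID-0 accounts other than root and interactive accounts living in /tmp."""
    flags = []
    for r in records:
        if r["uid"] == 0 and r["name"] != "root":
            flags.append(f"{r['name']}: UID 0 but not root")
        if r["shell"] not in NOLOGIN_SHELLS and r["home"].startswith("/tmp"):
            flags.append(f"{r['name']}: interactive shell with home in /tmp")
    return flags


SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def ssh_summary(text: str) -> dict:
    """Count failed/accepted SSH logins per source and note sources that
    succeeded after failing (a password-guessing run that ended in a hit)."""
    failed, accepted = Counter(), Counter()
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            (accepted if m["result"] == "Accepted" else failed)[m["ip"]] += 1
    return {
        "failed": dict(failed),
        "accepted": dict(accepted),
        "success_after_failures": sorted(ip for ip in accepted if failed[ip] > 0),
    }


def sudo_commands(text: str) -> list[tuple[str, str]]:
    """Extract (user, command) pairs from sudo log lines."""
    out = []
    for line in text.splitlines():
        m = re.search(r"sudo:\s+(\S+) : .*COMMAND=(.+)$", line)
        if m:
            out.append((m.group(1), m.group(2)))
    return out


if __name__ == "__main__":
    print(suspicious_accounts(parse_passwd(PASSWD_SAMPLE)))
    print(ssh_summary(AUTH_LOG_SAMPLE))
    print(sudo_commands(AUTH_LOG_SAMPLE))
```

The timestamps in auth.log carry no year and are in the host's local time, so they must be reconciled with the system clock information collected earlier before they go on the case timeline.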

4.11 Graphics and Network Forensics,


Graphics Forensics
• A graphics file contains an image, such as a digital photo, line art, a three-dimensional
image, or a scanned replica of a printed picture. A graphics program creates and saves
one of three types of graphics files: bitmap, vector, and metafile.
✓ Bitmap images are collections of dots, or pixels, that form an image.
✓ Vector graphics are mathematical instructions that define lines, curves,
text, and geometric shapes.
✓ Metafile graphics are combinations of bitmap and vector images.
• Most graphics editors enable you to create files in one or more of the standard graphics
file formats, such as Graphics Interchange Format (.gif), Joint Photographic Experts
Group (.jpeg), Windows Bitmap (.bmp), or Encapsulated PostScript (.eps).
Nonstandard graphics file formats include less common formats, such as Targa (.tga)

and Raster Transfer Language (.rtl); proprietary formats, such as Photoshop (.psd);
newer formats, such as Scalable Vector Graphics (.svg); and old or obsolete formats,
such as Paintbrush (.pcx).
• Digital camera photos are typically in raw and EXIF JPEG formats. The raw format is
the proprietary format of the camera’s manufacturer. The EXIF format is different from
the standard JFIF JPEG format because it contains metadata about the camera and
picture, such as shutter speed and date and time a picture was taken.
• Investigation:
• In a computer forensics investigation involving graphics files, you need to locate and
recover all graphics files on a drive and determine which ones are pertinent to the case.
• Because these files aren’t always stored in standard graphics file formats, we should
examine all files that our computer forensics tools find, even if they aren’t identified as
graphics files.
• A graphics file contains a header with instructions for displaying the image. Each type
of graphics file has its own header that helps you identify the file format. Because the
header is complex and difficult to remember, you can compare a known good file
header with that of a suspect file.
• When you’re examining recovered data remnants from files in slack or free space, you
might find data that appears to be a header for a common graphics file type.
• If you locate header data that’s partially overwritten, you must reconstruct the header
to make it readable again by comparing the hexadecimal values of known graphics file
formats to the pattern of the file header you found.
• After you identify fragmented data, you can use a computer forensics tool to recover
the fragmented file.
• If you can’t open a graphics file in an image viewer, the next step is to examine the file
header to see whether it matches the header in a known good file. If the header doesn’t
match, you must insert the correct hexadecimal values manually with a hex editor.
• The Internet is the best source for learning more about file formats and their extensions.
You can search for “file type” or “file format” and find a list of Web sites with
information on file extensions.
• You should analyze graphics file headers when you find new or unique file types that
computer forensics tools don’t recognize. The simplest way to do this is with a hex
editor. You can record the hexadecimal values in the header for future reference.
• Many popular viewer utilities are freeware or shareware and enable you to view a wide
range of graphics file formats. Most GUI forensics tools, such as ProDiscover, EnCase,
FTK, X-Ways Forensics, and ILook, include image viewers that display common
image formats, especially GIF and JPEG.
• Steganography is a method of hiding data by using a host file to cover the contents of
a secret message. The two major techniques are insertion and substitution. Insertion
places data from the secret file into the host file. When you view the host file in its
associated program, the inserted data is hidden unless you analyze the data structure.
Substitution replaces bits of the host file with other bits of data.
• Steganalysis tools can detect hidden data in graphics files, even in files that have been
renamed to protect their contents. If the file has been renamed, steganalysis tools can

use the file header to identify the file format and indicate whether the file contains an
image. Steganalysis tools can also detect variations in a graphics file.
Network Forensics
• Network forensics is a sub-branch of digital forensics relating to the monitoring and
analysis of computer network traffic for the purposes of information gathering, legal
evidence, or intrusion detection.
• Unlike other areas of digital forensics, network investigations deal with volatile and
dynamic information. Network traffic is transmitted and then lost, so network forensics
is often a pro-active investigation.
• Network forensics generally has two uses.
o The first, relating to security, involves monitoring a network for anomalous
traffic and identifying intrusions. An attacker might be able to erase all log files
on a compromised host; network-based evidence might therefore be the only
evidence available for forensic analysis.
o The second form relates to law enforcement. In this case analysis of captured
network traffic can include tasks such as reassembling transferred files,
searching for keywords and parsing human communication such as emails or
chat sessions.
• Network forensics is a comparatively new field of forensic science. The growing
popularity of the Internet in homes means that computing has become network-centric
and data is now available outside of disk-based digital evidence.
• Network forensics can be performed as a standalone investigation or alongside a
computer forensics analysis (where it is often used to reveal links between digital
devices or reconstruct how a crime was committed).
• Marcus Ranum is credited with defining Network forensics as "the capture, recording,
and analysis of network events in order to discover the source of security attacks or
other problem incidents".
• Compared to computer forensics, where evidence is usually preserved on disk, network
data is more volatile and unpredictable. Investigators often only have material to
examine if packet filters, firewalls, and intrusion detection systems were set up to
anticipate breaches of security.
Processes Involved in Network Forensics: Some processes involved in network forensics are
given below:
• Identification: In this process, investigators identify and evaluate the incident based
on the network pointers.
• Safeguarding: In this process, the investigators preserve and secure the data so that
tampering can be prevented.
• Accumulation: In this step, a detailed report of the crime scene is documented and all
the collected digital shreds of evidence are duplicated.
• Observation: In this process, all the visible data is tracked along with the metadata.
• Investigation: In this process, a final conclusion is drawn from the collected shreds of
evidence.

• Documentation: In this process, all the shreds of evidence, reports, conclusions are
documented and presented in court.
Types of Networks: Discussion in relation to forensics
Ethernet:
• Wireshark, a common tool used to monitor and record network traffic, captures all data
on this layer and allows the user to filter for different events. With such tools, website
pages, email attachments, and other network traffic can be reconstructed only if they
were transmitted or received unencrypted.
• An advantage of collecting this data is that it is directly connected to a host. If, for
example, the IP address or the MAC address of a host at a certain time is known, all data
sent to or from this IP or MAC address can be filtered.
• To establish the connection between IP and MAC address, it is useful to take a closer
look at auxiliary network protocols. The Address Resolution Protocol (ARP) tables list
the MAC addresses with the corresponding IP addresses.
• To collect data on this layer, the network interface card (NIC) of a host can be put into
"promiscuous mode". In so doing, all traffic will be passed to the CPU, not only the
traffic meant for the host.
• However, if an intruder or attacker is aware that his connection might be eavesdropped,
he might use encryption to secure his connection. It is almost impossible nowadays to
break encryption but the fact that a suspect's connection to another host is encrypted all
the time might indicate that the other host is an accomplice of the suspect.
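The IP-to-MAC correlation and host filtering described above, as an added example that is not code from the notes or from Wireshark. It builds the association table from captured ARP replies, filters a host's frames by either address, and flags an IP address claimed by more than one MAC, the trace that ARP spoofing leaves on the wire. The capture records are constructed in the shape of a simplified tshark CSV export (a few named columns, not tshark's exact field names); a legitimate NIC replacement or gateway failover produces the same two-MAC pattern, so a conflict is a lead to investigate, not proof.

```python
"""Added example (not from the notes): IP<->MAC association from ARP replies
and host-centric filtering over a CONSTRUCTED capture summary."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed capture summary.  For ARP rows, ip_src/ip_dst hold the sender and
# target protocol addresses; arp_opcode 2 = reply.  Column names are ours, not tshark's.
CAPTURE_CSV = """\
time,arp_opcode,eth_src,eth_dst,ip_src,ip_dst,proto
09:00:01.100,2,00:11:22:33:44:aa,00:11:22:33:44:01,192.168.1.1,192.168.1.10,ARP
09:00:02.250,,00:11:22:33:44:01,00:11:22:33:44:aa,192.168.1.10,93.184.216.34,TCP
09:00:02.251,,00:11:22:33:44:aa,00:11:22:33:44:01,93.184.216.34,192.168.1.10,TCP
09:00:40.000,2,00:11:22:33:44:ee,00:11:22:33:44:01,192.168.1.1,192.168.1.10,ARP
09:00:41.000,,00:11:22:33:44:01,00:11:22:33:44:ee,192.168.1.10,93.184.216.34,TCP
09:00:41.010,,00:11:22:33:44:ee,00:11:22:33:44:01,93.184.216.34,192.168.1.10,TCP
"""


def load_capture(text: str) -> list[dict]:
    """Rows in capture order (the CSV is assumed to be time-sorted)."""
    return list(csv.DictReader(StringIO(text)))


def arp_table(frames: list[dict]) -> dict:
    """IP -> set of MACs that sent an ARP reply claiming it."""
    table = defaultdict(set)
    for f in frames:
        if f["proto"] == "ARP" and f["arp_opcode"] == "2":
            table[f["ip_src"]].add(f["eth_src"])
    return dict(table)


def first_claimant(frames: list[dict]) -> dict:
    """IP -> the MAC that claimed it first in the capture (the baseline)."""
    first = {}
    for f in frames:
        if f["proto"] == "ARP" and f["arp_opcode"] == "2":
            first.setdefault(f["ip_src"], f["eth_src"])
    return first


def conflicting_ips(table: dict) -> dict:
    """IPs claimed by more than one MAC during the capture."""
    return {ip: macs for ip, macs in table.items() if len(macs) > 1}


def impostor_macs(frames: list[dict]) -> set:
    """MACs that claimed an IP after another MAC had already claimed it."""
    baseline = first_claimant(frames)
    return {mac for ip, macs in arp_table(frames).items()
            for mac in macs if mac != baseline[ip]}


def frames_for_host(frames: list[dict], ip=None, mac=None) -> list[dict]:
    """Everything sent to or from the host, matched on IP and/or MAC."""
    def match(f):
        return ((ip is not None and ip in (f["ip_src"], f["ip_dst"])) or
                (mac is not None and mac in (f["eth_src"], f["eth_dst"])))
    return [f for f in frames if match(f)]


def frames_via_impostor(frames: list[dict]) -> list[dict]:
    """Non-ARP frames that passed through a MAC flagged by impostor_macs():
    these are the ones the victim host sent to or received from the wrong place."""
    bad = impostor_macs(frames)
    return [f for f in frames
            if f["proto"] != "ARP" and (f["eth_src"] in bad or f["eth_dst"] in bad)]


if __name__ == "__main__":
    frames = load_capture(CAPTURE_CSV)
    print("ARP table:", arp_table(frames))
    print("conflicts:", conflicting_ips(arp_table(frames)))
    print("frames via impostor MAC:", [f["time"] for f in frames_via_impostor(frames)])
```

In the constructed capture the gateway address 192.168.1.1 is first claimed by one MAC and forty seconds later by another; from that point the workstation's outbound frames are addressed to the second MAC, which is exactly the window the investigator would examine.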
TCP/IP
• On the network layer the Internet Protocol (IP) is responsible for directing the packets
generated by TCP through the network (e.g., the Internet) by adding source and
destination information which can be interpreted by routers all over the network.
Cellular digital packet networks, like GPRS, use protocols similar to IP, so the
methods described for IP work with them as well.
• For the correct routing, every intermediate router must have a routing table to know
where to send the packet next. These routing tables are one of the best sources of
information if investigating a digital crime and trying to track down an attacker.
• To do this, it is necessary to follow the packets of the attacker, reverse the sending route
and find the computer the packet came from (i.e., the attacker).
Encrypted Traffic Analytics
• Given the proliferation of TLS encryption on the internet, as of April 2021 it is
estimated that half of all malware uses TLS to evade detection.
• Encrypted traffic analysis inspects traffic to identify encrypted traffic coming from
malware and other threats by detecting suspicious combinations of TLS characteristics,
usually to uncommon networks or servers.
• Another approach to encrypted traffic analysis uses a generated database of
fingerprints, although these techniques have been criticized as being easily bypassed by
hackers and inaccurate.
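The "database of fingerprints" approach to encrypted traffic analysis, worked as an added example (not code from the notes). It uses the JA3 method, a public technique the notes do not describe in detail: the ClientHello's version, cipher suites, extensions, supported groups and point formats are written as one string and hashed with MD5, after dropping the per-connection GREASE values that would otherwise change the hash every time. The ClientHello field values and the fingerprint list are constructed for the demonstration; a match against one list entry is a lead to correlate with destination and timing, not a verdict on its own.

```python
"""Added example (not from the notes): JA3-style TLS ClientHello fingerprinting
against a CONSTRUCTED local fingerprint list."""
import hashlib


def is_grease(value: int) -> bool:
    """GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are random per connection
    and must be excluded, or the fingerprint would never repeat."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def ja3_string(version, ciphers, extensions, groups, point_formats) -> str:
    """JA3 text form: decimal values, '-' inside a field, ',' between fields."""
    fields = [[version]] + [[v for v in lst if not is_grease(v)]
                            for lst in (ciphers, extensions, groups, point_formats)]
    return ",".join("-".join(str(v) for v in f) for f in fields)


def ja3_hash(s: str) -> str:
    """JA3 fingerprint: MD5 of the text form (MD5 is used here only as a short
    identifier, not for any security property)."""
    return hashlib.md5(s.encode()).hexdigest()


# Constructed ClientHello parameters (version 771 = TLS 1.2 record version 0x0303).
# The 0x?a?a entries are GREASE and vary from connection to connection.
SUSPECT_HELLO = {
    "version": 771,
    "ciphers": [0x1A1A, 4865, 4866, 49195],
    "extensions": [0x2A2A, 0, 10, 11, 13],
    "groups": [0x3A3A, 29, 23],
    "point_formats": [0],
}
OTHER_HELLO = {
    "version": 771,
    "ciphers": [4865, 4866, 4867, 49195, 49199],
    "extensions": [0, 23, 65281, 10, 11, 35, 16, 5, 13],
    "groups": [29, 23, 24],
    "point_formats": [0],
}

# Constructed fingerprint list: hash -> label.  A real list would be curated from
# observed samples; the label below is invented for this example.
FINGERPRINT_DB = {
    ja3_hash("771,4865-4866-49195,0-10-11-13,29-23,0"): "constructed-label: sample beaconing client",
}


def classify(hello: dict) -> str:
    """Look the ClientHello's fingerprint up in the local list."""
    return FINGERPRINT_DB.get(ja3_hash(ja3_string(**hello)), "unknown")


if __name__ == "__main__":
    for name, hello in (("suspect", SUSPECT_HELLO), ("other", OTHER_HELLO)):
        s = ja3_string(**hello)
        print(f"{name}: {s} -> {ja3_hash(s)} -> {classify(hello)}")
```

Because the hash covers the exact list and order of parameters, a client that changes either yields a different fingerprint; that is the brittleness the notes refer to, and why analysts pair fingerprint hits with the destination, certificate and timing characteristics of the same session.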

The Internet
• The internet can be a rich source of digital evidence including web browsing, email,
newsgroup, synchronous chat and peer-to-peer traffic. For example, web server logs
can be used to show when (or if) a suspect accessed information related to criminal
activity. Email accounts can often contain useful evidence; but email headers are easily
faked and, so, network forensics may be used to prove the exact origin of incriminating
material.
• Network forensics can also be used in order to find out who is using a particular
computer by extracting user account information from the network traffic.

4.12 E-mail Investigations (Same as 3.6)

4.13 Cell Phone and Mobile Device Forensics


• People store a wealth of information on cell phones, and the thought of losing your cell
phone and, therefore, the information stored on it can be a frightening prospect.
• Despite this concern, not many people think about securing their cell phones, although
they routinely lock and secure laptops or desktops. Depending on your phone’s model,
the following items might be stored on it:
✓ Incoming, outgoing, and missed calls
✓ Text and Short Message Service (SMS) messages
✓ E-mail
✓ Instant messaging (IM) logs
✓ Web pages
✓ Pictures
✓ Personal calendars
✓ Address books
✓ Music files
✓ Voice recordings
• Many people store more information on their cell phones than they do on their
computers and with this variety of information, piecing together the facts of a case is
possible.
• Recent cases, such as the rape allegations at Duke University and the Scott Peterson
murder trial, show that cell phone data is used increasingly in court as evidence.
• In some countries, cell phones are even used to log in to bank accounts and transfer
funds from one cell phone to another, which provides even more potential evidence.
• Despite the usefulness of these devices in providing clues for investigations,
investigating cell phones and mobile devices is one of the most challenging tasks in
digital forensics.
• No single standard exists for how and where cell phones store messages, although many
phones use similar storage schemes. In addition, new phones come out about every six

months, and they’re rarely compatible with previous models. Therefore, the cables and
accessories you have might become obsolete in a short time.
• Also, cell phones are often combined with PDAs, which can make forensics
investigations more complex.
Understanding Acquisition Procedures for Cell Phones and Mobile Devices
• All mobile devices have volatile memory, so making sure they don’t lose power before
you can retrieve RAM data is critical.
• At the investigation scene, determine whether the device is on or off. If it’s off, leave it
off, but find the recharger and attach it as soon as possible.
• Note this step in your log if you can’t determine whether the device was charged at the
time of seizure.
• If the device is on, check the LCD display for the battery’s current charge level. Because
mobile devices are often designed to synchronize with applications on a user’s PC, any
mobile device attached to a PC via a cable or cradle/docking station should be
disconnected from the PC immediately. This precaution helps prevent synchronization
that might occur automatically on a preset schedule and overwrite data on the device.
• In addition, collect the PC and any peripheral devices to determine whether the hard
drive contains any information that’s not on the mobile device.
• Depending on the warrant or subpoena, the time of seizure might be relevant.
• In addition, messages might be received on the mobile device after seizure that may or
may not be admissible in court.
• If you determine that the device should be turned off to preserve battery power or a
possible attack, note the time and date at which you take this step. The alternative is to
isolate the device from incoming signals with one of the following options:
o Place the device in a paint can, preferably one that previously contained
radio-wave-blocking paint.
o Use the Paraben Wireless StrongHold Bag, which conforms to Faraday wire
cage standards.
o Use eight layers of antistatic bags (for example, the bags that new hard drives
are wrapped in) to block the signal.
• The file system for a SIM card is a hierarchical structure. This file structure begins with
the root of the system (MF). The next level consists of directory files (DF), and under
them are files containing elementary data (EF). EFs under the GSM and DCS1800 DFs
contain network data on different frequency bands of operation. The EFs under the
Telecom DF contain service-related data.

• You can retrieve quite a bit of data from a SIM card. The information that can be
retrieved falls into four categories:
✓ Service-related data, such as identifiers for the SIM card and subscriber
✓ Call data, such as numbers dialed
✓ Message information
✓ Location information
• If power has been lost, you might need PINs or other access codes to view files.
Typically, users keep the original PIN assigned to the SIM card, so when you’re
collecting evidence at the scene, look for users’ manuals and other documentation that
can help you access the SIM card.
• With most SIM cards, you have three attempts at entering an access code before the
device is locked, which then requires calling the service provider or waiting a certain
amount of time before trying again. Common codes to try are 1-1-1-1 or 1-2-3-4.
• SIM Card Readers: With GSM phones and many newer models of mobile devices, the
next step is accessing the SIM card, which you can do by using a combination hardware/
software device called a SIM card reader.
• To use this device, you should be in a forensics lab equipped with antistatic devices. In
addition, biological agents, such as fingerprints, might be present on the inside of the
case, so you should consult the lead investigator when you’re ready to proceed to this
step. The general procedure is as follows:
✓ Remove the back panel of the device.
✓ Remove the battery.
✓ Under the battery, remove the SIM card from its holder.
✓ Insert the SIM card into the card reader, which you insert into your forensic
workstation’s USB port.
• A variety of SIM card readers are on the market. Some are forensically sound and some
are not; make sure you note this feature of the device in your investigation log.
• Another problem with SIM card readers is dealing with text and SMS messages that
haven’t been read yet.
• After you view a message, the device shows the message as opened or read. For this
reason, documenting messages that haven’t been read is critical.
• Using a tool that takes pictures of each screen can be valuable in this situation. These
screen captures can provide additional documentation.
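The SIM file tree (MF, DF, EF) and the service-related identifiers described above, worked as an added example that is not code from the notes. It walks the tree to the file to select, then decodes the two identifiers a reader returns from the elementary files EF_ICCID (under the MF) and EF_IMSI (under DF_GSM). The file identifiers, the swapped-nibble BCD encoding and the EF_IMSI length/parity byte layout are taken from GSM 11.11 as I read it; the raw file contents are constructed, not read from a real card, and the ICCID's Luhn check digit confirms that the decode came out right.

```python
"""Added example (not from the notes): SIM file tree and decoding of EF_ICCID
and EF_IMSI contents.  File IDs and layouts follow GSM 11.11 (assumption to be
checked against the standard); raw bytes are CONSTRUCTED."""

# Assumed file identifiers from GSM 11.11 for the MF -> DF -> EF tree
FILE_IDS = {"MF": 0x3F00, "DF_GSM": 0x7F20, "DF_TELECOM": 0x7F10,
            "EF_ICCID": 0x2FE2, "EF_IMSI": 0x6F07, "EF_SMS": 0x6F3C}
PARENT = {"DF_GSM": "MF", "DF_TELECOM": "MF", "EF_ICCID": "MF",
          "EF_IMSI": "DF_GSM", "EF_SMS": "DF_TELECOM"}

# Constructed raw contents as a reader would return them after selecting each file
EF_ICCID_RAW = bytes.fromhex("981900002143658709F5")   # 10 bytes, F-padded
EF_IMSI_RAW = bytes.fromhex("084940011032547698")      # length byte + 8 bytes


def select_path(name: str) -> list[int]:
    """File identifiers to SELECT, root first, to reach the named file."""
    path = []
    while name is not None:
        path.append(FILE_IDS[name])
        name = PARENT.get(name)
    return path[::-1]


def swapped_bcd_digits(data: bytes) -> str:
    """Each byte holds two BCD digits, LOW nibble first; 0xF is padding."""
    digits = []
    for b in data:
        for nib in (b & 0x0F, b >> 4):
            if nib == 0x0F:
                continue
            if nib > 9:
                raise ValueError(f"invalid BCD nibble {nib:X}")
            digits.append(str(nib))
    return "".join(digits)


def decode_iccid(raw: bytes) -> str:
    """EF_ICCID: 10 bytes of swapped BCD, 19 or 20 digits."""
    if len(raw) != 10:
        raise ValueError("EF_ICCID is 10 bytes")
    return swapped_bcd_digits(raw)


def luhn_valid(number: str) -> bool:
    """The last ICCID digit is a Luhn check digit; use it to confirm the decode."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def decode_imsi(raw: bytes) -> dict:
    """EF_IMSI: byte 0 = number of bytes that follow; in the next byte the low
    nibble is parity/type (bit 3 set = odd digit count) and the high nibble is
    the first IMSI digit; the remaining bytes are swapped BCD."""
    length = raw[0]
    body = raw[1:1 + length]
    if len(body) != length:
        raise ValueError("truncated EF_IMSI")
    odd = bool(body[0] & 0x08)
    digits = str(body[0] >> 4) + swapped_bcd_digits(body[1:])
    if (len(digits) % 2 == 1) != odd:
        raise ValueError("parity flag disagrees with digit count")
    # MNC is two or three digits depending on the country, so give both splits
    return {"imsi": digits, "mcc": digits[:3],
            "mnc_candidates": (digits[3:5], digits[3:6])}


if __name__ == "__main__":
    print("path to EF_IMSI:", [f"{fid:04X}" for fid in select_path("EF_IMSI")])
    iccid = decode_iccid(EF_ICCID_RAW)
    print("ICCID:", iccid, "luhn ok:", luhn_valid(iccid))
    print("IMSI:", decode_imsi(EF_IMSI_RAW))
```

Recording the ICCID and IMSI first, before any message records are opened, gives the log an identifier for the card that stays valid whatever happens to the handset later.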

UNIT V: Cyber Crime Legal Perspectives
5.1 Introduction,
5.2 Cybercrime and the Legal Landscape around the World,
5.3 The Indian IT Act,
5.4 Challenges to Indian Law and Cybercrime Scenario in India,
5.5 Consequences of Not Addressing the Weakness in Information Technology Act,
5.6 Digital Signatures and the Indian IT Act,
5.7 Amendments to the Indian IT Act,
5.8 Cybercrime and Punishment,
5.9 Cyberlaw, Technology and Students: Indian Scenario

5.1 Introduction
• It is said that cybercrime is the largest illegal industry. Cybercrime involves massive,
coordinated attacks against the information infrastructure of a country.
• So, the knowledge of cyberlaws is essential for people who may directly or indirectly
interact with networked services either over the Internet or other proprietary networks
of businesses and enterprises of any other types – banks, stock brokers, intra-company
and inter-company information exchange systems, etc.
• From a legal perspective, computer-related crime was defined in the broader sense as:
any illegal act for which knowledge of computer technology is essential for a successful
prosecution.
• The international legal aspects of computer crimes were studied in 1983. In that study,
computer crime was consequently defined as encompassing any illegal act for which
knowledge of computer technology is essential for its perpetration.
• Cybercrime, in a way, is the outcome of “globalization.” Globalized information
systems accommodate an increasing number of transnational offenses.
• The network context of cybercrime makes it one of the most globalized offenses of the
present and the most modernized threats of the future. This problem can be resolved in
two ways.
• One is to divide information systems into segments bordered by state boundaries (cross-
border flow of information).
• The other is to incorporate the legal system into an integrated entity obliterating these
state boundaries.
• Apparently, the first way is unrealistic. Although all ancient empires, including Rome,
Greece and Mongolia, became historical remnants, and giant empires are not prevalent
in the current world, partitioning information systems is not a practicable idea.
• In a globally connected world, information systems become the unique empire without
tangible territory.

5.2 Cybercrime and the Legal Landscape around the World,
• Cybercrime Legislation Worldwide: Cybercrime is a growing concern to countries at
all levels of development and affects both buyers and sellers.
• While 156 countries (80 per cent) have enacted cybercrime legislation, the pattern
varies by region: Europe has the highest adoption rate (91 per cent) and Africa the
lowest (72 per cent).
• The evolving cybercrime landscape and resulting skills gaps are a significant challenge
for law enforcement agencies and prosecutors, especially for cross-border enforcement.
• E-transactions Legislation Worldwide: A prerequisite for conducting commercial
transactions online is to have e-transaction laws that recognize the legal equivalence
between paper-based and electronic forms of exchange.
• Such laws have been adopted by 158 countries (81 per cent), of which 79 are developing
countries and 29 are Least Developed Countries.
• While almost all European countries (44 out of 45 countries) have in place e-transaction
laws, and 89% in the Americas, the share in Africa is only 61%.
• Data Protection and Privacy Legislation Worldwide: As more and more social and
economic activities take place online, the importance of privacy and data protection is
increasingly recognized.
• Of equal concern is the collection, use and sharing of personal information to third
parties without notice or consent of consumers. 137 out of 194 countries had put in
place legislation to secure the protection of data and privacy.
• Africa and Asia show different levels of adoption, with 61 and 57 per cent of countries
respectively having adopted such legislation. The share in the least developed countries
is only 48 per cent.
• Online Consumer Protection Legislation Worldwide: Despite the importance of
consumer confidence for business-to-consumer e-commerce, many developing and
transition economies still lack laws to protect consumers online.
• In as many as 52 countries, it was not possible to obtain data, suggesting that online
consumer protection is not being fully addressed.
• Out of 142 countries for which data are available, 115 have adopted legislation on
consumer protection related to e-commerce. That share varies from 78% in Europe to
52% in Africa and 71% in the Americas.
• Recent developments:
• In Australia, cybercrime has a narrow statutory meaning as used in the Cyber Crime
Act 2001, which details offenses against computer data and systems. However, a broad
meaning is given to cybercrime at an international level.
• In the Council of Europe’s (CoE’s) Cyber Crime Treaty, cybercrime is used as an
umbrella term to refer to an array of criminal activity including offenses against
computer data and systems, computer-related offenses, content offenses and copyright
offenses.
• This wide definition of cybercrime overlaps in part with general offense categories that
need not be Information & Communication Technology (ICT)-dependent, such as
white-collar crime and economic crime.

• August 4, 2006 Announcement: The US Senate ratifies CoE Convention on Cyber
Crime. The convention targets hackers, those spreading destructive computer viruses,
those using the Internet for the sexual exploitation of children or the distribution of
racist material, and terrorists attempting to attack infrastructure facilities or financial
institutions. The Convention is in full accord with all the US constitutional protections,
such as free speech and other civil liberties, and will require no change to the US laws.
• On August 18, 2006, a news article was published titled “ISPs Wary About ‘Drastic
Obligations’ on Web Site Blocking.” European Union (EU) officials want to debar
suspicious websites as part of a 6-point plan to boost joint antiterrorism activities. They
want to block websites that incite terrorist action. Once again it is underlined that
monitoring calls, Internet and E-Mail traffic for law enforcement purposes is a task
vested in the government, which must reimburse carriers and providers for retaining
the data.
• CoE Cyber Crime Convention (1997–2001) was the first international treaty seeking to
address Internet crimes by harmonizing national laws, improving investigative
techniques and increasing cooperation among nations. More than 40 countries have
ratified the Convention to date.

Some specific cybercrime laws

Africa

• Botswana – Chapter 08:06 (Cybercrime and Computer-related Crimes)
• South Africa
o Cybercrimes Act 2021 – South Africa (South Africa signed the Budapest
Convention in 2001)
o National Cybersecurity Policy Framework (‘NCPF’)
• Tanzania – Cybercrimes Act, 2015

The Americas

• The United States of America
o Cybersecurity Information Sharing Act (CISA)
o United States Code
o Framework for Improving Critical Infrastructure Cybersecurity Version 1.1
• Brazil’s Internet Act stipulates that connection and application providers must
comply with certain security standards when storing personal data and private
communications.

Canada

• The Personal Information Protection and Electronic Documents Act, SC 2000 c 5
(‘PIPEDA’) is a privacy statute, but establishes two central cybersecurity obligations
for private sector organisations in Canada. The PIPEDA requires organisations to

o notify the regulator and affected individuals of certain cybersecurity incidents,
and
o adopt appropriate security safeguards.
• Criminal Code of Canada

Asia-Pacific

• Australia
o Privacy Principles (‘APPs’) under the Privacy Act 1988 contain information
security obligations.
o Criminal Code Act 1995 Australia
o Cybercrime Act 2001 Australia
• Brunei Darussalam has the Computer Misuse Act, 2007
• China has two main laws governing cybercrimes:
o the Cybersecurity Law 2016, and
o the Data Security Law of the People’s Republic of China which came into
effect in September 2021.
• India has two laws that recognise the importance of cybersecurity:
o The Information Technology Act, 2000, and
o specific rules, like the Information Technology (Reasonable Security Practices
and Procedures and Sensitive Personal Data or Information) Rules, 2011.
• Japan’s Basic Act on Cybersecurity is the central law governing cybersecurity.
• Malaysia has the Computer Crimes Act
• Philippines has the Cybercrime Prevention Act of 2012
• Thailand has the Act on Computer Crimes
• New Zealand’s main information cybersecurity obligations are contained in
Information Privacy Principle 5 under the Privacy Act 2020. The Crimes
Act,1961 also contains provisions relating to cybercrimes.

Europe

• Network and Information Security Directive
• France – Criminal Code
• UK – Computer Misuse Act, 2013

The Middle East

• Israel has several laws and regulations covering various aspects of cybersecurity such
as:
o the Protection of Privacy Law
o The Protection of Privacy Regulations (Data Security) (translated version)
• Jordan’s laws are available in Arabic only:
o The Cybersecurity Law No. 16 of 2019
o The Cybercrime Law No. 27 of 2015
• Saudi Arabia has the Law on the Use of Information Communications Technology in
Government Agencies (in Arabic only)


5.3 The Indian IT Act

IT Act, 2000
The Information Technology Act, 2000 was enacted by the Indian Parliament in 2000. It is the
primary law in India for matters related to cybercrime and e-commerce.

• The act was enacted to give legal sanction to electronic commerce and electronic
transactions, to enable e-governance, and also to prevent cybercrime.
• Under this law, for any crime involving a computer or a network located in India,
foreign nationals can also be charged.
• The law prescribes penalties for various cybercrimes and fraud through
digital/electronic format.
• It also gives legal recognition to digital signatures.
• The IT Act also amended certain provisions of the Indian Penal Code (IPC), the
Banker’s Book Evidence Act, 1891, the Indian Evidence Act, 1872 and the Reserve
Bank of India Act, 1934 to modify these laws to make them compliant with new digital
technologies.
• In the wake of the recent Indo-China border clash, the Government of India banned
various Chinese apps under the Information Technology Act.

The relevant sections of the Act are as follows:

1. Section 65: Tampering with computer source documents
Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly
causes another to conceal, destroy or alter any computer source code used for a computer,
computer programme, computer system or computer network, when the computer source code is
required to be kept or maintained by law for the time being in force, shall be punishable with
imprisonment up to 3 years, or with fine which may extend up to 2 lakh rupees (₹ 2,00,000), or
with both.
Explanation: For the purposes of this section, “computer source code” means the listing of
programmes, computer commands, design and layout and programme analysis of computer
resource in any form.

2. Section 66: Computer-related offences
(1) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or
damage to the public or any person destroys or deletes or alters any information residing in a
computer resource or diminishes its value or utility or affects it injuriously by any means,
commits hacking. (2) Whoever commits hacking shall be punished with imprisonment up to 3
years, or with fine which may extend to 5 lakh rupees (₹ 5,00,000), or with both.

3. Section 67: Punishment for publishing or transmitting obscene material in electronic form
Whoever publishes or transmits or causes to be published in the electronic form, any
material which is lascivious or appeals to the prurient interest or if its effect is such as to tend
to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to
read, see or hear the matter contained or embodied in it, shall be punished on first conviction

with imprisonment of either description for a term which may extend to 3 years and with fine
which may extend to 5 lakh rupees (₹ 5,00,000) and in the event of a second or subsequent
conviction with imprisonment of either description for a term which may extend to 5 years
and also with fine which may extend to 10 lakh rupees (₹ 10,00,000).

4. Section 71: Penalty for misrepresentation
Whoever makes any misrepresentation to, or suppresses any material fact from, the Controller
or the Certifying Authority for obtaining any license or Digital Signature Certificate, as the
case may be, shall be punished with imprisonment for a term which may extend to 2 years, or
with fine which may extend to 1 lakh rupees (₹ 1,00,000), or with both.

5. Section 72: Penalty for breach of confidentiality and privacy
Save as otherwise provided in this Act or any other law for the time being in force, any person
who, in pursuance of any of the powers conferred under this Act, rules or regulations made
there-under, has secured access to any electronic record, book, register, correspondence,
information, document or other material without the consent of the person concerned discloses
such electronic record, book, register, correspondence, information, document or other material
to any other person shall be punished with imprisonment for a term which may extend to 2
years, or with fine which may extend to 1 lakh rupees (₹ 1,00,000), or with both.

6. Section 73: Penalty for publishing Digital Signature Certificate false in certain particulars
(1) No person shall publish a Digital Signature Certificate or otherwise make it available to any
other person with the knowledge that:
(a) the Certifying Authority listed in the certificate has not issued it; or
(b) the subscriber listed in the certificate has not accepted it; or
(c) the certificate has been revoked or suspended, unless such publication is for the purpose of
verifying a digital signature created prior to such suspension or revocation.

(2) Any person who contravenes the provisions of subsection (1) shall be punished with
imprisonment for a term which may extend to 2 years, or with fine which may extend to 1 lakh
rupees (₹ 1,00,000), or with both.

7. Section 74: Publication for fraudulent purpose
Whoever knowingly creates, publishes or otherwise makes available a Digital Signature
Certificate for any fraudulent or unlawful purpose shall be punished with imprisonment for a
term which may extend to 2 years, or with fine which may extend to 1 lakh rupees
(₹ 1,00,000), or with both.

5.4 Challenges to Indian Law and Cybercrime Scenario in India

The Indian Law does not provide any definition to the term cybercrime. In fact, the IPC does
not use the term cybercrime at any point even after its amendment by the ITA 2000, supposedly,
the Indian cyberlaw. On the contrary, it has a separate Chapter XI entitled Offences in which
cybercrimes have been declared as penal offenses punishable with imprisonment and fine. The
offenses covered under CHAPTER XI of the Indian ITA 2000 include:
1. Tampering with the computer source code or computer source documents;
2. unauthorized access to a computer (“hacking” is one such act);

3. publishing, transmitting or causing to be published any information in the electronic
form which is lascivious or which appeals to the prurient interest;
4. failure to decrypt information if the same is necessary in the interest of the
sovereignty or integrity of India, the security of the state, friendly relations with foreign
state, public order or for preventing incitement to the commission of any cognizable
offense;
5. securing access or attempting to secure access to a protected system;
6. misrepresentation while obtaining, any license to act as a Certifying Authority (CA)
or a digital signature certificate;
7. breach of confidentiality and privacy;
8. publication of digital signature certificates which are false in certain particulars;
9. publication of digital signature certificates for fraudulent purposes.
There are legal drawbacks in the way cybercrimes are addressed in India, and the legal
scenario needs to improve. These drawbacks prevent cybercrimes from being addressed
effectively in India.
• First, most Indians are reluctant to report cybercrimes to the law enforcement agencies
because they fear it might invite a lot of harassment.
• Second, public awareness of cybercrime is relatively low.
• Another factor that contributes to the difficulty of cybercrime resolution is that the law
enforcement agencies in the country are neither well equipped nor knowledgeable
enough about cybercrime.
• There is a tremendous need for training the law enforcement agencies in India. Not all
cities have cybercrime cells. Most investigating officers with the Police force may not
be well equipped to fight cybercrime.
• We need dedicated, continuous and updated training of the law enforcement agencies.
There is a lack of dedicated cybercrime courts in the country where expertise in
cybercrime can be utilized.
• There is a need to strengthen the legal scenario in India. It is not adequate to merely
enact a law.
• The law may even be theoretically effective; however, it is of no use if the law is not
enforced with true rigor and spirit. Thus, yet another dimension of current challenges
in India is that the current law enforcement machinery is not yet well equipped to deal
with cyberlaw offenses and contraventions.
• There is also a crying need for cyber-savvy judges. Judiciary plays a vital role in
shaping the enactment according to the order of the day. The cyber cell officials need a
sound technical training along with suitable technological support.
• Preservation of law and order in the society depends heavily on a sound judicial system.
A sound cyberlaw training to the judges and lawyers will go a long way in effective
enforcement of cyberlaws.
• There is a need for a distinct law on cybercrime and appropriate changes should be
made in the IPC and the Information Technology Act.
• Uniform guidelines on cyberforensics tools and strategies should be circulated among
investigating officers of cybercrime in the country.

5.5 Consequences of Not Addressing the Weakness in Information
Technology Act
• In light of the discussion so far, we can see that there are many challenges in the Indian
scenario in the fight against cybercrime.
• Cyberlaws of the country are yet to reach the level of sufficiency and adequate security
to serve as a strong platform to support India’s E-Commerce industry for which they
were meant.
• India has lagged behind in keeping pace with the world in this regard.
• The consequences of this are visible – India’s outsourcing sector may get impacted.
• There are many news reports about overseas customers worrying about data breaches and
data leakages in India.
• This can result in breaking India’s IT business leadership in international outsourcing
market.
• Outsourcing is on the rise; if India wishes to maintain its strong position in the global
outsourcing market, there should be quick and intelligent steps taken to address the
current weaknesses in the Information Technology Act.
• If this is not addressed in the near future, then the dream of India ruling the world’s
outsourcing market may not come true.

5.6 Digital Signatures and the Indian IT Act

Digital Signature
• According to section 2(1)(p) of the Information Technology Act, 2000, digital
signature means the authentication of any electronic record by a person who has
subscribed for the digital signature in accordance with the procedure mentioned
under section 3 of the same act.
• Section 5 of the Information Technology Act, 2000 gives legal recognition to digital
signatures.
Rule 4 of the Information Technology (Certifying Authorities) Rules, 2000, explains the
procedure of digital signature as:
• To sign an electronic record or any other item of information, the signer first applies
the hash function in the signer’s software. A hash function is a function which is
used to map data of arbitrary size onto data of a fixed size. The values returned by
a hash function are called hash values, hash codes, digests, or simply hashes.
• The hash function computes a hash result of standard length, which is unique to the
electronic record.
• The signer’s software transforms the hash result into a Digital Signature using the
signer’s private key.
• The resulting Digital Signature is unique to both electronic record and private key
which is used to create it.
• The Digital Signature is attached to its electronic record and stored or transmitted
with its electronic record.

Verification of Digital Signature
The recipient receives the original message and the digital signature. After this, there are two
steps which need to be followed:
• A new message digest is computed from the original message by applying the hash
function.
• The signer’s public key is applied to the digital signature received by the recipient
and another message digest is recovered as the outcome of it.
• If both the message digests are identical, it means that the message is not altered.
Rule 5 of the Information Technology (Certifying Authorities) Rules, 2000, explains the
method of verification of digital signature as:
The verification of a Digital Signature shall be accomplished by computing a new hash result
of the original electronic record by means of a hash function which is used to create a Digital
Signature and by using the public key and the new hash result.
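The Rule 4 signing procedure and the Rule 5 verification described above, as an added example that is not part of these notes: textbook RSA applied to a SHA-256 digest, using only the Python standard library, with an altered record shown to fail verification. The key pair is built from two fixed, publicly known Mersenne primes purely as an assumption so the example runs offline; such a modulus is trivially factorable and is for classroom illustration only, whereas real signatures use a vetted library with proper padding and freshly generated keys.

```python
import hashlib

# Constructed demo key material: the Mersenne primes M127 and M521, both prime.
# Chosen only so the example runs offline without a prime generator; a modulus of
# this form is trivially factorable and must never be used for real signatures.
_P = (1 << 127) - 1
_Q = (1 << 521) - 1
_N = _P * _Q                            # 648-bit modulus, larger than any SHA-256 digest
_E = 65537                              # public exponent
_D = pow(_E, -1, (_P - 1) * (_Q - 1))   # private exponent (Python 3.8+)

PUBLIC_KEY = (_N, _E)    # shared with every recipient (the "public key" of Rule 5)
PRIVATE_KEY = (_N, _D)   # held by the signer only (the "private key" of Rule 4)


def hash_result(record: bytes) -> int:
    """Rule 4, step 1: fixed-length hash result of the electronic record."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def sign(record: bytes, private_key=PRIVATE_KEY) -> int:
    """Rule 4, steps 2-3: transform the hash result with the signer's private key."""
    n, d = private_key
    h = hash_result(record)
    if h >= n:
        raise ValueError("hash result must be smaller than the modulus")
    return pow(h, d, n)


def verify(record: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Rule 5: apply the public key to the signature to recover the signed digest,
    recompute the hash of the received record, and compare the two digests."""
    n, e = public_key
    recovered_digest = pow(signature, e, n)
    return recovered_digest == hash_result(record)


def demo() -> tuple:
    """Sign a constructed tender record, then verify it intact and after alteration."""
    original = b"Tender 42/2023: bid amount INR 12,50,000"   # constructed sample record
    altered = b"Tender 42/2023: bid amount INR 13,50,000"    # one digit changed in transit
    signature = sign(original)
    return verify(original, signature), verify(altered, signature)   # (True, False)


if __name__ == "__main__":
    print("intact record verifies, altered record verifies:", demo())
```

Because only the holder of `PRIVATE_KEY` can produce a value whose public-key transform equals the digest, a matching comparison gives the recipient both the integrity and the non-repudiation properties listed later in this section.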

Usage of Digital Signature

1) Personal Use – An individual can sign documents digitally without the hassle of being
physically present at a given place.
2) Business – Professions such as architecture, construction and engineering companies are
required to sign tenders, market procurements and bids; a digital signature is a convenient way
to provide that assent.
3) Return filing for GST – GST filing and e-filing make it compulsory for individuals to opt
for digital signatures.
4) Filing for Income Tax – Corporations that must file tax returns anywhere in India can do so
with a digital signature, saving time.
5) ROC e-filing – Filing various documents with the Registrar of Companies has given
individuals enough reason to opt for digital signatures.

Features of Digital Signature

The authenticity of the sender
The person who receives the electronic message or document is able to establish who the
sender of the message is. The digital signature makes it possible to verify the name of the
person signing the message digitally.
The integrity of the message
The receiver of the electronic message is able to determine whether he/she has received the
original document or whether the document has been altered before receipt.
Non-Repudiation
The sender of the message cannot refute the contents of the electronic message and cannot
deny having sent the message.

Benefits of Digital Signature

• Authenticity.
• Non-repudiation.
• The message cannot be altered during transmission.

Problems With Digital Signature

• It functions online; therefore, it has to be either purchased or downloaded.
• It lacks trust and authenticity.

5.7 Amendments to the Indian IT Act

IT Act – 2008 Amendments

The IT Act, 2000 was amended in 2008. This amendment introduced the controversial Section
66A into the Act.
Section 66A

• Section 66A gave authorities the power to arrest anyone accused of posting content on
social media that could be deemed ‘offensive’.
• This amendment was passed in the Parliament without any debate.
• As per the said section, a person could be convicted if proved on the charges of sending
any ‘information that is grossly offensive or has menacing character’.
• It also made it an offence to send any information that the sender knows to be false, but
for the purpose of annoyance, inconvenience, danger, obstruction, insult, injury,
criminal intimidation, enmity, hatred or ill-will, through a computer or electronic
device.
• The penalty prescribed for the above was up to three years’ imprisonment with fine.
Arguments against Section 66A

• Experts stated that the terms ‘offensive’, ‘menacing’, ‘annoyance’, etc. were vague and
ill-defined or not defined at all.
• Anything could be construed as offensive by anybody.
• There was a lot of scope for abuse of power using this provision to intimidate people
working in the media.
• This also curbed the freedom of speech and expression enshrined as a fundamental right
in the Constitution.
• The section was used most notably to arrest persons who made any uncharitable
remarks or criticisms against politicians.

Section 69A

• Section 69A empowers the authorities to intercept, monitor or decrypt any information
generated, transmitted, received or stored in any computer resource if it is necessary or
expedient to do so in the interest of the sovereignty or integrity of India, defense of
India, the security of the State, friendly relations with foreign states or public order or
for preventing incitement to the commission of any cognizable offence or for
investigation of any offence.
• It also empowers the government to block internet sites in the interests of the nation.
The law also contained the procedural safeguards for blocking any site.
• When parties opposed to the section stated that this section violated the right to privacy,
the Supreme Court contended that national security is above individual privacy. The
apex court upheld the constitutional validity of the section.

• The recent banning of certain Chinese Apps was done citing provisions under Section
69A of the IT Act.
• Note:- The Indian Telegraph Act, 1885 allows the government to tap phones. However,
a 1996 SC judgement allows tapping of phones only during a ‘public emergency’.
Section 69A does not impose any public emergency restriction for the government.

Information Technology Intermediary Guidelines (Amendment) Rules, 2018

The Rules have been framed under Section 79 of the Information Technology Act. This section
covers intermediary liability.

• Section 79(2)(c) of the Act states that intermediaries must observe due diligence while
discharging their duties, and also observe such other guidelines as prescribed by the
Central Government.
• Online Intermediaries:
o An intermediary is a service that facilitates people to use the Internet, such as
Internet Services Providers (ISPs), search engines and social media platforms.
o There are two categories of intermediaries:
▪ Conduits: Technical providers of internet access or transmission
services.
▪ Hosts: Providers of content services (online platforms, storage services).
• Information Technology Intermediary Guidelines (Amendment) Rules were first
released in 2011 and in 2018, the government made certain changes to those rules.
• In 2018, there was a rise in the number of mob lynchings spurred by fake news, rumours
and messages circulated on social media platforms like WhatsApp.
• To curb this, the government proposed stringent changes to Section 79 of the IT Act.
What do the Rules say?

• According to the 2018 Rules, social media intermediaries should publish rules and
privacy policy to curb users from engaging in online material which is paedophilic,
pornographic, hateful, racially and ethnically objectionable, invasive of privacy, etc.
• The 2018 Rules further provide that whenever an order is issued by the government
agencies seeking information or assistance concerning cybersecurity, then the
intermediaries must provide them the same within 72 hours.
• The Rules make it obligatory for online intermediaries to appoint a ‘Nodal Person of
Contact’ for 24x7 coordination with law enforcement agencies and officers to ensure
compliance.
• The intermediaries are also required to deploy such technologies based on automated
tools and appropriate mechanisms for the purpose of identifying or removing or
disabling access to unlawful information.
• The changes will also require online platforms to break end-to-end encryption in order
to ascertain the origin of messages.
• Online Intermediaries are required to remove or disable access to unlawful content
within 24 hours. They should also preserve such records for a minimum period of 180
days for the purpose of investigations.

Rationale behind the Rules

• The government intends to make legal frameworks in order to make social media
accountable under the law and protect people and intermediaries from misusing the
same.
• The government wants to curb the spread of fake news and rumours, and also pre-empt
mob violence/lynching.
• There is a need to check the presentation of incorrect facts as news by social media,
that instigates people to commit crimes.
There has been criticism of the Rules from certain quarters, which say that the State is
intruding into the privacy of the individual. Some also say that this law widens the scope of
state surveillance of its citizens. These criticisms stand notwithstanding the fact that the new
Rules are in line with recent SC rulings.

5.8 Cybercrime and Punishment

• We conclude the discussion of punishment for cybercriminals by summarizing the
following key points:

1. Reliance on terrestrial laws may not be a reliable approach: Despite the progress
being made in many countries, most countries still rely on standard terrestrial law to
prosecute cybercrimes. Most countries are relying on archaic statutes that predate the
birth of cyberspace and have not yet been tested in court.
2. Weak penalties limit deterrence: The weak penalties in most updated criminal
statutes provide limited deterrence for crimes that can have large-scale economic and
social effects.
3. Self-protection remains the first line of defense: The general weakness of statutes
increases the importance of private sector efforts to develop and adopt strong and
efficient technical solutions and management practices for information security.
4. A global patchwork of laws creates little certainty: little consensus exists among
countries regarding exactly which crimes need to be legislated against. In the networked
world, no island is an island. Unless crimes are defined in a similar manner across
jurisdictions, coordinated efforts by law enforcement officials to combat cybercrime
will be complicated.
5. A model approach is needed: Most countries, particularly those in the developing
world, are seeking a model to follow. These countries recognize the importance of
banning malicious.
Explanation about Cybercrime and Punishment:
• The phenomenal rise in computer crime has caught attention around the world. The big
question is whether cybercriminals can be punished and what types of punishment are
on offer for them.
• In most countries around the world, existing laws are likely to be unenforceable against
such crimes, given methods of crime adopted and tools used by cybercriminals.

• The possible lack of legal protection means that businesses and governments must rely
solely on technical measures to protect themselves from those who would steal, deny
access to or destroy valuable information.
• The situation is certainly not comfortable because although self-protection is essential,
it is not sufficient to make cyberspace a safe place to conduct business.
• The rule of law must also be enforced. The ability to compete in the new digital
economy will be much less for countries where legal protections are inadequate.
• As cybercrime crosses national borders, nations perceived as havens run the risk of
having their electronic messages blocked by the network. National governments should
examine their current statutes to determine whether they are sufficient to combat
cybercrimes.
• Where gaps exist, governments should draw on best practices from other countries and
work closely with industry to enact enforceable legal protections against these new
crimes.
• Cybercriminals and cyberterrorists around the world seem to be undeterred by the
prospect of arrest or prosecution as they lurk on the Net causing an omnipresent menace
to the financial health of businesses, to the trust of their customers and as an emerging
threat to nations’ security.
• Headlines of cyberattacks command our attention with increasing frequency. When it
comes to punishment, it is the peculiar nature of cybercrime/computer crime (as
compared to other forms of crime, i.e., non-computer crime) that presents the difficulty.
• Cybercrimes, which are the harmful acts committed from or against a computer or
network, differ from most terrestrial crimes in four ways:
(a) They are easy to learn how to commit,
(b) they require few resources relative to the potential damage caused,
(c) they can be committed in a jurisdiction without being physically present in
it and
(d) they are often not clearly illegal.
• The other problem that comes in way of punishing cybercriminals is that the laws of
most countries do not clearly prohibit cybercrimes. Existing terrestrial laws against
physical acts of trespass or breaking and entering often do not cover their “virtual”
counterparts.
• Often police officers may not realize (although there are constant efforts by government
to educate the police departments on cybercrimes) how cybercrimes are different in
nature compared to the traditional forms of crimes.
• For example, webpages such as the E-Commerce sites hit by widespread, distributed
denial-of-service attacks may not be covered by outdated laws as protected forms of
property.
• Why is punishing cybercriminals so difficult? Part of the reason is that effective
law enforcement is complicated by the transnational nature of cyberspace.
• Mechanisms of cooperation across national borders to solve and prosecute crimes are
complex and slow.
• Cybercriminals can defy the conventional jurisdictional realms of sovereign nations,
originating an attack from almost any computer in the world, passing it across multiple

national boundaries or designing attacks that appear to be originating from foreign
sources. Such techniques dramatically increase both the technical and legal
complexities of investigating and prosecuting cybercrimes.
• A key point to note is that the issue of cybercrime is closely related to information
security. Although several countries, particularly in Europe and Asia, were found to
have addressed a number of these broader information security factors, few countries
have been able to demonstrate that adequate legal measures had been taken to ensure
that perpetrators of cybercrime would be held accountable for their actions.
• Outdated laws and regulations, and weak enforcement mechanisms for protecting
networked information, create a hostile environment from the standpoint of conducting
E-Business within a country and across national boundaries.
• Inadequate legal protection of digital information can create barriers to its exchange
and stunt the growth of E-Commerce.
• As E-Business expands globally, the need for strong and consistent means to protect
networked information will grow.
• The overall picture is that substantial improvement is needed in information security.
In the year 2000, only a small fraction of the countries needing substantial improvement
indicated that progress was underway; the survey provides a categorization of the 52
countries surveyed.
• When it comes to punishing the cybercriminals, one other problem is non-uniform
treatment of crimes across the world: Crimes are not treated uniformly even in the
countries that have got updated legislation for cybercrime and this creates another
problem.

5.9 Cyberlaw, Technology and Students: Indian Scenario

The offenses covered under Cyberlaw in the Indian Scenario:
1. Tampering with the computer source code or computer source documents.
2. unauthorized access to a computer (“hacking” is one such act);
3. publishing, transmitting, or causing to be published any information in the electronic
form which is lascivious, or which appeals to the prurient interest.
4. failure to decrypt information if the same is necessary in the interest of the
sovereignty or integrity of India, the security of the state, friendly relations with foreign
state, public order or for preventing incitement to the commission of any cognizable
offense.
5. securing access or attempting to secure access to a protected system.
6. misrepresentation while obtaining, any license to act as a Certifying Authority (CA)
or a digital signature certificate.
7. breach of confidentiality and privacy.
8. publication of digital signature certificates which are false in certain particulars.
9. publication of digital signature certificates for fraudulent purposes.
There are legal drawbacks about cybercrimes addressed in the Indian Scenario:

by Dr. A. B. Siddique, Dept of ECE Aditya College of Engineering & Technology 52


Cyber Security & Cryptography
• First, most Indians do not report cybercrimes to the law enforcement agencies because
they fear it might invite a lot of harassment.
• Second, public awareness of cybercrime is relatively low.
• Another factor that contributes to the difficulty of cybercrime resolution is that the law
enforcement agencies in the country are neither well equipped nor knowledgeable
enough about cybercrime.
• There is a tremendous need for training the law enforcement agencies in India. Not all
cities have cybercrime cells. Most investigating officers with the Police force may not
be well equipped to fight cybercrime.
• We need dedicated, continuous and updated training of the law enforcement agencies.
There is a lack of dedicated cybercrime courts in the country where expertise in
cybercrime can be utilized.
• There is a need to strengthen the legal scenario in India. It is not adequate to merely
enact a law.
• The law may even be theoretically effective; however, it is of no use if the law is not
enforced with true rigor and spirit. Thus, yet another dimension of current challenges
in India is that the current law enforcement machinery is not yet well equipped to deal
with cyberlaw offenses and contraventions.
• There is also a crying need for cyber-savvy judges. Judiciary plays a vital role in
shaping the enactment according to the order of the day. The cyber cell officials need a
sound technical training along with suitable technological support.
• Preservation of law and order in the society depends heavily on a sound judicial system.
A sound cyberlaw training to the judges and lawyers will go a long way in effective
enforcement of cyberlaws.
• There is a need for a distinct law on cybercrime and appropriate changes should be
made in the IPC and the Information Technology Act.
Technology and Students: Indian Scenario
• India has a peculiar scenario given the current educational system. Most technology
students have either nil or low exposure to law and most law students have only limited
exposure to information technology.
• A computer science student in college is taught how to develop programs that
automatically transmit data across the Internet over TCP/IP, without being alerted to
cybercrimes such as hacking or the introduction of viruses.
• The topic of secure coding is not included in most syllabi.
• Law students are taught about trademarks and copyrights without recognizing their
implications for electronic documents.
• As a result, neither the technologist nor the lawyer is trained in his formative years to
understand cyberlaw.
• Given the strides made by India in the IT and ITES as well as BPO domains, there is a
strong need for techno-legal experts to demystify cyberlaw and make it possible for a
large section of the society to take up study of cyberlaw.
• In future, Engineering, Commerce and Management colleges need to teach cyberlaw as
an extension of computer science, commerce, and management education, even while

the law colleges try to extend their coverage of criminal laws and IPR laws to the
cyberworld.
• The advent of techno-legal specialists will bring a change in the legal perspective in the
country, and we can expect fresh ideas to emerge to form building blocks for the
development of cyber jurisprudence as a distinct field of study.

Time: 01:30 Hrs.        Date: 05-04-2023 (R19 Regulation)        Max. Marks: 30

Q.No    Question                                                                                   Marks   CO No.   TL (taxonomy level)
------  ---------------------------------------------------------------------------------------    -----   ------   -------------------

UNIT-3
1 A     What is the process of Email Recovery in Cyber Forensics?                                  5       CO3      Analyse
1 B     Describe the Encryption and Decryption Methods and explain the different keys used to      5       CO3      Understand
        implement them.
2 A     Explain the steps involved in Search and Seizure of Computers in Cyber Forensics.          5       CO3      Apply
2 B     Evaluate the importance and process of Recovering Deleted Evidence.                        5       CO3      Evaluate
3 A     Describe the purpose, process, and classification of Password Cracking.                    5       CO3      Remember

UNIT-4
1 A     Describe the concept of Computer Forensics, and how it is applied in law enforcement.      5       CO4      Understand
1 B     What are the phases in the forensics life cycle? Explain in detail the preparation and     5       CO4      Analyse
        identification phases in digital forensics.
2 A     Evaluate the need for current Computer Forensics Tools in forensic investigation.          5       CO5      Evaluate
2 B     Describe the various Software Tools used in Computer Forensics.                            5       CO5      Understand
3 A     Describe the various Hardware Tools used in Computer Forensics.                            5       CO5      Analyse
3 B     What procedure needs to be followed for Validating and Testing Forensics Software?         5       CO5      Analyse
4 A     Explain in detail Face, Iris and Fingerprint Recognition with respect to forensic          5       CO5      Understand
        investigation.
4 B     Define the principles of Audio Video Analysis. Highlight the different techniques used     5       CO5      Remember
        in the analysis.
5 A     What is Operating System Forensics? Describe Linux System Forensics.                       5       CO5      Apply
5 B     Describe Windows System Forensics in detail.                                               5       CO5      Apply
6 A     Write detailed notes on i) Graphics Forensics and ii) Network Forensics.                   5       CO5      Remember
6 B     How is Cell Phone and Mobile Device Forensics carried out?                                 5       CO5      Understand

UNIT-5
1 A     Analyse Cybercrimes and their Legal Landscape around the World.                            5       CO6      Analyse
1 B     What is the Indian IT Act? Explain the important sections of the Indian IT Act.            5       CO6      Remember
2 A     What are the Challenges to Indian Law and the Cybercrime Scenario in India?                5       CO6      Understand
2 B     What will be the Consequences of not addressing the weaknesses in the Information          5       CO6      Analyse
        Technology Act?
3 A     What are Digital Signatures? Explain in detail in relation to the Indian IT Act 2000.      5       CO6      Apply
3 B     What are the amendments made in the Indian IT Act 2008? Highlight the Information          5       CO6      Apply
        Technology Intermediary Guidelines (Amendment) Rules, 2018.
4 A     What are the real issues in handling Cybercrime and Punishment?                            5       CO6      Analyse
4 B     Explain in detail Cyberlaw, Technology and Students: Indian Scenario.                      5       CO6      Remember

Wish you all the best.

