Cyber Security Unit IV NOTES
Cyber Security Unit IV NOTES
Cyber Security (BCC 301)
– By Vishal Sir
UNIT - IV
Forensic: Forensic means applying scientific methods and techniques to investigate crimes
or analyze evidence for legal purposes.
Or
Or
Digital Forensics is a broad field that involves the recovery, investigation, and analysis of digital
data to uncover evidence of criminal activity or policy violations. It encompasses any device or
medium that stores digital data. It plays a critical role in addressing cybercrimes, corporate
frauds, and even personal data breaches. With the rapid increase in digital interactions, the
need for robust forensic practices has become essential.
Real-life example: In 2016, the FBI used computer forensics to unlock the iPhone of a
suspect involved in the San Bernardino attack, showcasing the role of forensics in solving
high-profile cases.
Types of Digital Forensics:
1. Computer Forensics: Focuses on computers and storage devices.
○ Example: Recovering deleted files from a suspect's computer.
1. Combating Cybercrime
Cybercrimes such as hacking, phishing, identity theft, and ransomware attacks are growing in
complexity and frequency. Computer forensics plays a crucial role in tracking down
cybercriminals and recovering stolen or compromised data.
Example: In 2021, a ransomware attack on the Colonial Pipeline disrupted fuel supplies in the
U.S. Forensic investigators analyzed the compromised systems, identified the ransomware
strain (DarkSide), and traced cryptocurrency payments made to the hackers.
Organizations are often required to comply with data protection and privacy laws (e.g., GDPR,
HIPAA). Forensic techniques help ensure compliance by investigating incidents like
unauthorized data access or breaches.
Example: A financial firm found discrepancies in its accounts. Forensic analysis of the
employee’s computer revealed they were using unauthorized software to siphon funds into a
personal account.
Siphon funds means to illegally or unethically take money from an organization, account, or project, often by diverting it for
personal use or other unauthorized purposes.
Example:
● A corrupt employee might siphon funds from a company's account by creating fake invoices and transferring money to
their personal bank account.
● In a charity organization, a dishonest manager could siphon funds by claiming expenses for events that never took
place.
Computer forensics is crucial for recovering data that has been accidentally or intentionally
deleted. This is particularly important for businesses that rely heavily on data for operations.
Example: A company’s critical financial data was deleted during a malware attack. Forensic
experts used specialized tools to recover the lost data, saving the organization from significant
losses.
Digital evidence gathered through computer forensics is often used in court cases, such as
fraud, intellectual property theft, and cyber harassment. Courts require evidence to be collected
and presented in a manner that ensures its integrity and authenticity.
Example: In a copyright infringement case, forensic experts analyzed the defendant’s hard
drive and found pirated copies of copyrighted software. This evidence was presented in court to
secure a conviction.
Governments use computer forensics to investigate cyber espionage, terrorism, and other
threats to national security. Forensics can trace cyberattacks to their source and gather
intelligence for countermeasures.
Example: In 2010, U.S. agencies used computer forensics to investigate the Stuxnet worm,
which was designed to sabotage Iran's nuclear program. The analysis revealed sophisticated
malware and led to changes in cybersecurity protocols.
Example: After a credit card breach affected millions of its customers, Target hired forensic
experts to investigate. Their quick action helped restore customer trust and improve security
measures.
With the increasing use of social media, crimes like cyberbullying, impersonation, and online
fraud have become prevalent. Computer forensics helps track the origin of these crimes.
Example: Forensic experts traced a fake social media profile used for blackmailing individuals
to an IP address, leading to the suspect’s arrest.
Forensic investigations not only address incidents but also provide insights into vulnerabilities,
helping organizations strengthen their cybersecurity posture.
Example: A forensic investigation into a phishing attack revealed gaps in employee training and
email filtering systems. The company implemented awareness programs and upgraded its
filters to prevent future attacks.
Cybercrimes often transcend borders, involving perpetrators and victims from different
countries. Computer forensics helps gather and share evidence in a legally acceptable format
for cross-border cooperation.
Example: An international credit card fraud ring was dismantled through collaborative forensic
investigations that traced transactions across multiple countries.
Cyber Forensics: Cyber forensics, also known as computer forensics, is a branch of digital
forensic science that focuses on the identification, preservation, analysis, and presentation of
electronic evidence in a manner admissible in a court of law. It involves the use of specialized
tools and techniques to investigate crimes involving digital devices like computers,
smartphones, servers, and cloud environments.
Cyber forensics helps in solving cyber crimes such as hacking, identity theft, financial fraud,
and cyberstalking, among others. It also plays a significant role in corporate investigations,
helping organizations detect data breaches, insider threats, and intellectual property theft.
1. EnCase: Forensic software for analyzing various types of digital evidence.
2. FTK (Forensic Toolkit): Used for data discovery, analysis, and recovery.
3. Wireshark: Network protocol analyzer to detect unusual traffic.
4. Autopsy: Open-source digital forensics platform.
Cyber forensics is a critical field in today's digital age, where cybercrimes are becoming
increasingly sophisticated.
A bank reports a suspected hacking incident where customer accounts were accessed, and
funds were transferred fraudulently. A cyber forensics team is hired to investigate.
Cyber Forensics Example Focus: Investigating network-based attacks and online activity
(e.g., hacking, malware).
Key Evidence: Network logs, IP addresses, server activity, malicious scripts.
Digital Evidence: Digital evidence is any data stored or transmitted using digital devices that
can be used in a court of law. Examples include emails, documents, images, chat logs,
metadata, video files, and more. Digital evidence is unique because it can be easily altered or
deleted, requiring careful handling.
A hospital discovers that patient medical records on a local system have been altered,
potentially for fraudulent purposes. A digital forensics investigator is called in to examine the
tampering.
Digital Forensics Example Focus: Investigating physical devices and their stored data
(e.g., local systems, hard drives, USBs).
Key Evidence: Files, metadata, user activity logs, USB history.
In both cases, the methods and tools differ based on the source of the evidence, making it clear
that digital forensics focuses on devices, while cyber forensics deals with network and
internet activities.
1. Header Analysis: Examines the metadata of the email (e.g., sender, recipient, IP
addresses, and timestamps).
Example: Checking if an email claiming to be from a bank is sent from the bank's official
domain.
2. Content Analysis: Analyzing the body of the email for suspicious content, including
malicious links or keywords.
Example: Identifying phishing attempts by examining the text for requests for sensitive
information like passwords.
4. Source Verification: Ensures the legitimacy of the sender using email authentication
mechanisms like SPF, DKIM, and DMARC records. These protocols help detect and
prevent spoofing, phishing, or other malicious activities
Example: Verifying that an email claiming to be from "paypal.com" is not sent by a
spoofed domain.
5. Server Log Analysis: Reviewing email server logs to track the journey of the email and
identify anomalies.
Example: Identifying an unusual login from a foreign IP address in the log.
1. Email Collection: Collect the email in its original format without tampering. Emails can
be collected from email servers, user inboxes, or archives.
2. Header Examination: Use tools like emailheader.org or manual inspection to study
the email header details. Key fields include:
○ From: Sender's email address.
○ To: Recipient's email address.
○ Subject: Email subject line.
○ Received: Details of servers the email passed through.
○ IP Address: Source IP of the sender.
3. Metadata Analysis: Extract metadata like time, encoding type, and MIME version.
5. Attachment Analysis: Open attachments in a secure sandbox environment to check for
malware.
6. Tracing the Source: Track the email’s journey using IP addresses from the header to
identify the sender's geographic location.
Simple Example
Step-by-Step Analysis:
1. Header Analysis: Examine the header to check if it was sent from the official email of a
contest organizer.
2. Content Analysis: Review the email body for generic greetings like "Dear User" instead
of your name and grammar mistakes.
3. Link Verification: Hover over the link (without clicking) to check if the URL redirects to a
suspicious website.
4. Attachment Check: If the email has an attachment, analyze it in a safe environment to
ensure it's not malware.
5. IP Tracing: Use tools like MXToolbox to trace the sender's IP from the header. It might
show the email originated from an unknown region.
Common Tools Used in Email Forensics
This simple and systematic approach ensures a clear understanding of how email forensic
analysis is conducted.
Digital Forensics Life Cycle
The Digital Forensics Life Cycle refers to the systematic process used to investigate and
analyze digital evidence. Each phase ensures that the evidence is handled properly to maintain
its integrity and reliability in legal proceedings. Below is a detailed explanation of each phase
with a suitable example:
1. Identification
● Example: In a financial fraud case, investigators identify devices like the suspect's
laptop, email accounts, and cloud storage services as potential sources of evidence.
2. Preservation
● Example: Investigators use forensic software (e.g., EnCase or FTK) to create an image
of a suspect's hard drive, ensuring the original data remains unaltered.
3. Collection
● Example: Collect login records, financial transaction logs, and metadata from the
suspect’s laptop and company servers.
4. Examination
● Example: Investigators recover deleted emails from the hard drive, showing
communications about fraudulent transactions.
5. Analysis
● Example: By analyzing server logs, investigators find that the suspect accessed
sensitive financial records at unusual hours and transmitted them to an external email.
6. Documentation
○ Record every step of the investigation, including methods, tools, and findings.
○ Maintain detailed logs, screenshots, and metadata.
○ Prepare the documentation in a clear format for presentation in court.
7. Presentation
● Example: In court, the forensic expert testifies how the suspect used malware to gain
unauthorized access to the company’s financial records and demonstrates this with logs
and recovered files.
Example Use Case: A Hacking Investigation
1. Identification: Detect compromised systems, including servers and employee laptops.
2. Preservation: Create forensic images of server logs and employee laptops to avoid
data tampering.
3. Collection: Gather relevant data, including firewall logs, email communication, and IP
traces.
4. Examination: Analyze logs to identify unusual activities, such as repeated login
attempts from foreign IP addresses.
5. Analysis: Correlate evidence to determine the attacker’s methods and timeline of the
breach.
6. Documentation: Compile a detailed report with findings, timelines, and visual diagrams.
7. Presentation: Submit the report to law enforcement and testify in court about the
breach and its connection to the suspect.
By following this structured approach, digital forensics professionals can ensure investigations
are thorough, reliable, and legally defensible.
Chain of Custody Concept
The Chain of Custody (CoC) is a critical principle in digital forensics that ensures the proper
handling, documentation, and integrity of evidence from its identification to its presentation in
court. It involves a detailed record of who collected, handled, transferred, or analyzed the
evidence at every stage of the investigation. This process ensures the evidence remains
authentic and legally admissible.
1. Documentation: A thorough log of each person who interacts with the evidence,
including timestamps, reasons for access, and actions taken.
2. Integrity: Ensuring the evidence is not altered, tampered with, or compromised at any
point in the process.
3. Security: Storing evidence securely and limiting access only to authorized personnel.
4. Continuity: Maintaining an unbroken chain of evidence handling from the moment it is
collected until it is presented in court.
1. Identification: Clearly label and document the evidence (e.g., device serial numbers,
filenames, and physical descriptions).
2. Collection: Record the time, date, and method of collection. Use appropriate tools to
avoid altering the original evidence.
3. Preservation: Create forensic copies of digital evidence and secure the originals using
tools like write-blockers.
4. Transfer: Document every transfer of the evidence, including who received it, why, and
when.
5. Storage: Secure the evidence in a tamper-proof location, such as a locked evidence
locker or digital vault.
6. Analysis: Record the analysis process, including the tools and methods used, to ensure
transparency.
7. Presentation: Present the evidence in court with detailed logs that verify its authenticity
and traceability.
2. Legal Admissibility: Evidence with a broken or improperly maintained chain of custody
may be deemed inadmissible in court.
3. Accountability: Clearly identifies who is responsible for the evidence at each stage.
4. Trustworthiness: Builds confidence in the investigation process and its findings.
2. Collection: The desktop hard drive is removed, labeled, and imaged. A log is created
noting the device's serial number, collection time, and collector's name.
3. Transfer: The hard drive is transferred to a forensic lab, with the transfer documented.
4. Analysis: Forensic software reveals deleted emails and metadata linking the employee
to fraudulent activity.
6. Court: The forensic expert testifies, presenting the evidence alongside the
chain-of-custody log, verifying its authenticity.
The Chain of Custody is a cornerstone of digital forensics. It ensures that evidence is handled
and documented in a manner that maintains its authenticity, integrity, and admissibility in court.
Without a well-maintained chain of custody, even the most compelling evidence might lose its
credibility.
Network Forensics
Network forensics is the process of capturing, recording, and analyzing network traffic to
uncover evidence of malicious activities or resolve cybersecurity issues. It involves monitoring
data transmitted over a network, investigating suspicious behavior, and reconstructing the
sequence of events leading to an incident.
1. Packet Capture: Capturing data packets transmitted over the network using tools like
Wireshark or tcpdump.
Example: Monitoring packets to detect an unauthorized file download from a server.
2. Log Analysis: Analyzing logs from firewalls, routers, and servers to identify suspicious
patterns.
Example: Checking firewall logs for repeated failed login attempts indicating a
brute-force attack.
3. Traffic Analysis: Examining the nature and volume of network traffic to identify
anomalies.
Example: Unusual spikes in outbound traffic could indicate data exfiltration.
4. Protocol Analysis: Inspecting protocols (HTTP, FTP, DNS, etc.) for misuse or
exploitation.
Example: Analyzing DNS queries to detect domain-based attacks like DNS spoofing.
5. Intrusion Detection: Using tools like Snort to identify and alert on potential security
breaches.
Example: Detecting an attacker attempting to scan the network using port scanning
tools.
1. Suspicious Activity: The IT team notices a sudden spike in outbound traffic during
non-working hours.
2. Packet Capture: They use Wireshark to capture packets and identify that the traffic is
directed to an unknown external IP.
3. Log Analysis: Firewall logs show repeated connections from a single workstation to the
external IP over FTP.
4. Content Inspection: Examining the packets reveals sensitive files being transmitted
without encryption.
5. Source Identification: The workstation's logs indicate a rogue process running under
the username of an employee who is on leave.
6. Response: The IT team quarantines the infected system, blocks the IP at the firewall,
and changes credentials.
7. Evidence Collection: Packet captures, logs, and event timelines are preserved for legal
action and internal review.
Tools Used in Network Forensics
Network forensics is a crucial discipline in cybersecurity that helps organizations protect assets,
uncover malicious activities, and ensure accountability in digital interactions.
Key Activities:
● Define Objectives: Clearly outline the purpose of the investigation (e.g., data theft,
fraud, hacking).
● Establish Guidelines: Follow organizational policies and legal standards such as the
chain of custody and data privacy laws.
● Assemble a Team: Form a team of forensic experts, IT specialists, and legal advisors
as needed.
● Gather Tools: Use specialized forensic tools such as EnCase, FTK, Autopsy, or write
blockers to ensure evidence integrity.
Example:
In a suspected case of employee data theft, the team may plan to acquire forensic images of
the employee's computer and external drives while ensuring minimal disruption to operations.
2. Identification
Key Activities:
● Locate Evidence Sources: Identify devices and media that may contain evidence (e.g.,
computers, external drives, cloud accounts, network logs).
● Determine Relevance: Isolate relevant data while excluding unrelated information to
narrow the scope of the investigation.
Example:
Identify the hard drive of a specific workstation and email logs on the organization's server that
may contain evidence of unauthorized data transfers.
3. Preservation
Key Activities:
● Create Forensic Copies: Make exact bit-by-bit copies of storage devices (forensic
images) to preserve original data.
● Isolate Evidence: Prevent tampering by securing devices in a controlled environment.
● Document Chain of Custody: Record every action taken on the evidence, including
who handled it, when, and why.
Example:
Forensic imaging tools like FTK Imager can create a clone of a suspect’s hard drive without
altering the original data. Original devices are stored securely, while investigations proceed on
the copies.
4. Analysis
Key Activities:
● Examine Evidence: Analyze files, emails, logs, and other digital artifacts using forensic
tools.
● Recover Deleted Data: Use recovery techniques to retrieve deleted or hidden files.
● Trace User Activity: Reconstruct events by analyzing timestamps, browser history,
application logs, and metadata.
● Identify Anomalies: Look for suspicious activities, such as unauthorized file access,
strange IP connections, or irregular logins.
Example:
In a fraud investigation, forensic experts may examine file metadata to uncover who created or
modified a document and when.
5. Documentation
Key Activities:
● Record Findings: Create detailed logs of analysis results, methodologies, and tools
used.
● Maintain Clarity: Ensure reports are concise and understandable for non-technical
stakeholders like lawyers or judges.
● Visualize Data: Use charts or timelines to illustrate key events and evidence.
Example:
Forensic investigators document a timeline showing that an employee accessed sensitive files
at 11:30 PM, which coincided with a data breach.
6. Presentation
Key Activities:
● Prepare a Report: Compile all findings into a formal report that adheres to legal
standards.
● Testify in Court (if necessary): Present evidence and explain technical details to legal
professionals.
● Support Legal Arguments: Highlight how the evidence connects to the case's key
issues.
Example:
7. Follow-Up
Key Activities:
● Evaluate Procedures: Assess the effectiveness of the investigation process for future
improvement.
● Implement Preventive Measures: Recommend steps to avoid similar incidents, such
as improving cybersecurity policies or employee training.
Example:
1. Preserve Evidence Integrity: Always handle original data with care to avoid altering it.
2. Use Authorized Tools and Techniques: Ensure the tools used are recognized and
validated in legal proceedings.
4. Adhere to Legal Standards: Follow applicable laws, such as GDPR, HIPAA, or the
Cybersecurity Act, depending on jurisdiction.
5. Collaborate with Stakeholders: Work closely with legal teams, IT departments, and
law enforcement for a comprehensive approach.
1. Phishing Attacks
● Threat: Cybercriminals use fake profiles, messages, or links to trick users into providing
sensitive information, such as passwords or credit card details.
● Example: A user receives a message on Facebook claiming to be from the platform's
support team, asking them to log in via a provided link. The link redirects to a fake site
that steals their credentials.
2. Data Breaches
● Threat: Hackers target social media platforms to steal user data, which may include
personal information, contact details, and private messages.
● Example: In 2021, LinkedIn suffered a breach where data from 700 million users was
scraped and sold on hacker forums, exposing email addresses, phone numbers, and
employment details.
3. Identity Theft
4. Malware Distribution
● Threat: Malicious links shared through posts or messages can infect users' devices with
malware.
● Example: On Twitter, a user clicks a shortened URL promising free giveaways, but it
leads to a website that installs ransomware on their device, locking their files until a
ransom is paid.
6. Social Engineering
7. Third-Party Applications
● Threat: Many social networking sites allow users to connect third-party apps, which may
misuse the access granted to user accounts.
● Example: A quiz app on Facebook asks for permissions to access a user's friends list
and personal details but later sells this data to advertisers without consent.
● Threat: Malicious users exploit social platforms to target individuals with abusive
messages, threats, or defamation.
● Example: A teenager is targeted on TikTok with harmful comments and false
accusations, leading to mental health issues.
● Threat: Social networks are often used to spread false information, leading to
confusion, panic, or harm.
● Example: During the COVID-19 pandemic, false claims about cures or vaccines
circulated widely on platforms like Facebook and WhatsApp, causing public health
challenges.
10. Catfishing
● Threat: Users create fake identities to deceive others, often for financial gain or
emotional manipulation.
● Example: A scammer poses as a romantic interest on a dating site like Tinder, building
trust with the victim before asking for money.
● Threat: Many SNS allow users to share their real-time location, making them vulnerable
to stalking or physical threats.
● Example: A user checks in at a restaurant on Facebook, and a stalker uses this
information to approach them in person.
● Threat: Explicit photos or videos shared in trust can be used maliciously or leaked
without consent.
● Example: A private video shared on Snapchat is saved using screen recording tools
and later posted online without the user’s permission.
14. Cyberstalking
● Threat: Persistent monitoring of an individual’s social media activity can lead to privacy
invasion and physical threats.
● Example: A stalker repeatedly messages a user on Instagram and comments on all
their posts, even showing up at locations they frequent based on shared posts.
● Threat: Many users lack knowledge of security and privacy measures, making them
easy targets.
● Example: A user accepts a friend request from a stranger on Facebook, unaware that
this grants access to their personal photos and posts.
Mitigation Strategies:
By understanding and mitigating these threats, users can significantly enhance their security
and privacy on social networking sites.
● Challenge: Encryption protects data from unauthorized access, making it difficult for
forensic investigators to access the evidence.
● Example: Criminals may use tools like BitLocker or VeraCrypt to encrypt their devices.
If investigators cannot obtain the decryption key, analyzing the data becomes nearly
impossible.
● Challenge: The sheer volume of data stored on modern devices or cloud services can
overwhelm investigators.
● Example: A single hard drive may contain terabytes of data, while cloud accounts can
store even more. For instance, investigating a company’s fraudulent activities might
involve analyzing years of emails, files, and logs.
4. Anti-Forensic Techniques
● Challenge: Criminals often use anti-forensic tools to erase or obfuscate evidence.
● Example: Data-wiping software like CCleaner or BleachBit can overwrite deleted files,
making recovery extremely challenging.
● Challenge: Digital evidence can be altered or corrupted easily if not handled properly.
● Example: Failure to create a proper forensic image of a hard drive might lead to
tampering accusations in court, rendering the evidence inadmissible.
6. Cross-Jurisdictional Issues
● Challenge: Data stored in the cloud may be spread across multiple physical locations,
often in different jurisdictions.
● Example: Investigating an online fraud case involving Google Drive or AWS requires
legal permissions to access data stored on remote servers.
8. Steganography
● Challenge: Criminals hide data within images, videos, or other file formats, making
detection difficult.
● Example: A terrorist group may embed secret communication within an image file using
tools like OpenPuff, bypassing standard checks.
● Challenge: Some digital evidence, such as log files, has a short lifespan and must be
captured quickly.
● Example: Server logs related to a hacking incident may be overwritten if not promptly
secured.
By addressing these challenges through advanced tools, continuous training, and legal reforms,
the field of computer forensics can better handle the complexities of modern cybercrime
investigations.
Unit 4: Completed