Cyber - Forensics Unit 3


UNIT III

ANALYSIS AND VALIDATION

Validating Forensics Data

▪ Validation involves performing laboratory tests to verify that a particular
instrument, software program, or measurement technique is working
properly. Confidence in forensic results, whether from a laboratory DNA test
or from a digital forensic tool, is gained through validation studies, which
provide objective evidence that the method is robust, reliable and
reproducible.
▪ Validation experiments define procedural limitations, identify critical
components of the procedure that require quality control and
monitoring, and establish standard operating procedures and
interpretation guidelines for laboratories to follow while processing
samples.
▪ Validation is useful for achieving a number of desired outcomes. It
minimizes reinvention of methods in different laboratories. Methods that
have been validated are more readily accepted, more easily standardized,
and can be compared internationally between different laboratories.
Validation also helps to identify potential limitations specific to a method
or laboratory.
▪ Validation is the confirmation by examination and the provision of
objective evidence that a tool, technique or procedure functions correctly
and as intended.
▪ Verification is the confirmation that a validated method performs as
expected with a laboratory's own tools, techniques and procedures.
▪ Validation should be distinguished from other method-assessment
processes such as verification or evaluation. Verification is the process by
which corroborating lines of evidence are collected in order to determine
if a method is working as expected within a specific laboratory's own
conditions (operators, equipment, environment).
▪ During verification, results from a few samples are compared with results
obtained from other evidence. In the forensic field, this evidence is
usually validation data, typically in the form of publications or reports
that detail the performance characteristics of the standard method. The
outcomes of the verification process are closely linked to the quality and
reliability of the validation process. However, validation is a more
intensive and rigorous process than verification.
▪ System validation is associated with data generation and requires the
unique identification of systems, identification of system restarts,
identification of changed system configuration and attributes, and
validation that messages were in fact generated by the designated system.
▪ Application validation is similar to system validation except applied to
specific applications running on a system. As with system validation, it
must be verified that the application is expected to be sending the events
and that the application itself matches known characteristics.
▪ Application restarts, the user starting the application, and application
parameter settings can all be of critical importance in determining the
validity of the events generated by the application.
▪ User validation establishes that the user identities recorded in events
correspond to the users (accounts and sessions) that actually generated them.
Algorithm implementation:
▪ Given that an algorithm itself has been validated, the implementation
must be similarly validated. Errors often occur in the transcription from a
theoretical algorithm to an implemented algorithm. For example, SSH
uses a well-established protocol for initiating a connection and for
maintaining the security of that connection. The protocol itself is well
validated; nevertheless, there have been well-known bugs in
implementations of the SSH protocol that have allowed them to be
compromised.
Data collection:
• After data is generated, a repository must collect it. This requires
ensuring that the data is not modified on the way to the repository and
validating temporal relationships (reliable timestamps and ordering).
These forensic requirements are insufficient from a security standpoint,
which additionally requires that the data cannot be read or examined in
transit (confidentiality, typically by encrypting the channel).
• Investigative digital forensics can be divided into several stages according
to the Digital Forensic Research Workshop (DFRWS) and its examination of
digital forensic models. The stages are:
Identification:
• Recognizing an incident from indicators and determining its type. This is
not strictly a forensic step, but it is significant because it affects the later
steps and determines whether a forensic examination is needed.
Preparation:
• Preparing a plan of action by selecting tools and techniques and obtaining
monitoring authorizations and management support. This also includes
obtaining warrants if the evidence is held by a third party.
Preservation:
• The preservation stage tries to freeze the crime scene. It consists of stopping
or preventing any activities that can damage the digital information being
collected, such as the use of magnetic or electromagnetic devices near the
media, ongoing file deletion processes and scheduled jobs that might
interfere with the evidence.
Collection:
• Collecting digital information relevant to the investigation. The evidence is
duplicated in some other medium. It may involve removal of personal
computers and hard disks from the crime scene, copying log files from
computer devices and taking system snapshots of the devices involved.
Examination:
• The examination stage consists of an in-depth, systematic search for evidence
relating to the suspected crime. This stage focuses on identifying and
locating potential evidence, including in unconventional locations, and
constructing detailed documentation for analysis. The outputs of
examination are data objects found in the collected evidence; for example,
log file timestamps matching a security camera timestamp. It is a
mapping process over all the evidence collected.
Analysis:
• The aim of analysis is to draw conclusions based on the evidence found.
Different types of evidence are linked during this process.
Presentation:
• Summarizes and provides explanations of the conclusions based on the analysis
report. The technical data is translated into layman's terms using abstracted
terminology. All abstracted terminology should reference the specific
details.
Returning evidence:
• Ensuring physical and digital property is returned to its proper owner after
the investigation. It's not a forensic step but a clean way of concluding the
investigation.
Follow these basic steps for all digital forensics investigations:
1. For target drives, use recently wiped media that have been reformatted
and inspected for viruses
2. Inventory the hardware on the suspect's computer, and note the condition
of the seized computer
3. For static acquisitions, remove the original drive and check the date and
time values in the system's CMOS
4. Record how you acquired data from the suspect drive (tool, version,
hash values of the source and of the image)
5. Process the drive's contents methodically and logically
6. List all folders and files on the image or drive
7. Examine the contents of all data files in all folders
8. Recover file contents for all password-protected files
9. Identify the function of every executable file that doesn't match known
hash values (for example, a known-file hash set).
Validating with Hexadecimal Editors
• Advanced hexadecimal editors support many features that are not
available in computer forensics tools.
• A hex editor is a software used to view and edit binary files. A binary file is
a file that contains data in machine-readable form.
• Hex editors allow editing the raw data contents of a file, instead of other
programs which attempt to interpret the data for you. Since a hex editor is
used to edit binary files, they are sometimes called a binary editor or a
binary file editor.
• If you edit a file with a hex editor, you are said to hex edit the file, and the
process of using a hex editor is called hex editing.
• A typical hex editor has three areas: An address area on the left, a
hexadecimal area in the center and a character area on the right.
• Data can be edited in a hex editor just like a normal text editor. A hex editor
has a cursor that can be moved by clicking with the mouse or using the
cursor keys.
• Position the cursor over the byte you want to edit and type the value you
want to change to using the keyboard. The cursor can be switched between
the hexadecimal area and the character area by pressing the 'Tab' key.
• When the cursor is in the hexadecimal area, you have to enter byte values in
hexadecimal notation, but when the cursor is in the character area, you can
enter regular characters just like a text editor.
• The most advanced feature of hex editors is the ability to place a
template over a file that lets you understand what the bytes of a binary
file actually mean.
• Hex Workshop can generate the hash value of selected data in a file or sector.
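The three-area hex view, the hash of a selected byte range and the acquisition hash check from the steps above, written out as an added example (not code from the original notes or from any hex editor product). The 52-byte "image" is constructed in the script; the function names are ours.

```python
"""Hex view and hash checks of the kind a forensic hex editor provides.

Added example (not from the original notes). The 'image' below is a
constructed byte string standing in for a small acquired disk image.
"""
import hashlib

# Constructed sample: a 52-byte "image" that starts with a PNG header,
# followed by filler text. The offsets are what a hex editor shows.
SAMPLE_IMAGE = (
    b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    + b"evidence: report.docx  " + b"\xff" * 10 + b"END"
)


def hexdump(data: bytes, width: int = 16, base: int = 0) -> list:
    """Return the three-column view of a hex editor: address | hex | chars."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{base + off:08x}  {hex_part}  {asc_part}")
    return lines


def hash_range(data: bytes, start: int, length: int, algo: str = "sha256") -> str:
    """Hash only a selected byte range (the 'hash of selected data' feature)."""
    if start < 0 or length < 0 or start + length > len(data):
        raise ValueError("selection outside the data")
    return hashlib.new(algo, data[start:start + length]).hexdigest()


def verify_image(original: bytes, image: bytes) -> dict:
    """Compare acquisition hashes of the original medium and the image file.
    Both digests and the result belong in the acquisition record (step 4)."""
    h_orig = hashlib.sha256(original).hexdigest()
    h_img = hashlib.sha256(image).hexdigest()
    return {"original": h_orig, "image": h_img, "match": h_orig == h_img}


def patch_byte(data: bytes, offset: int, value: int) -> bytes:
    """Edit one byte as a hex editor would (on a working copy, never on evidence)."""
    if not 0 <= value <= 255:
        raise ValueError("byte value out of range")
    if not 0 <= offset < len(data):
        raise IndexError("offset outside the data")
    return data[:offset] + bytes([value]) + data[offset + 1:]


if __name__ == "__main__":
    for line in hexdump(SAMPLE_IMAGE):
        print(line)
    print("sha256 of first 8 bytes:", hash_range(SAMPLE_IMAGE, 0, 8))
    copy = bytes(SAMPLE_IMAGE)
    print("image verifies:", verify_image(SAMPLE_IMAGE, copy)["match"])
    tampered = patch_byte(copy, 0, 0x00)
    print("tampered image verifies:", verify_image(SAMPLE_IMAGE, tampered)["match"])
```

A single changed byte flips the verification result, which is why the hash of the source and of the image are both recorded before any examination starts.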
Data Hiding Techniques
Data hiding: Changing or manipulating a file to conceal information.
Techniques:
1. Hiding entire partitions
2. Changing file extensions
3. Setting file attributes to hidden
4. Bit-shifting
5. Using encryption
6. Setting up password protection.
• Files can be hidden using operating system features. One method is changing
the file extension. Advanced digital forensics tools check file headers and
compare them with the file extension to verify whether it is correct. If there
is a discrepancy, the tool flags the file as a possibly altered file. Another
hiding technique is selecting the hidden attribute in a file's properties
dialog box.
Marking bad clusters:
• A data-hiding technique used in FAT file systems is placing sensitive or
incriminating data in free or slack space on disk partition clusters. It
involves using old utilities such as Norton Disk Edit, which can mark good
clusters as bad clusters in the FAT table so the OS considers them unusable.
• The only way they can be accessed from the OS is by changing them back to
good clusters with a disk editor. Disk Edit runs only in MS-DOS and can
access only FAT-formatted disk media.
Bit-shifting:
• Some users use a low-level scrambling program that changes the order of
binary data, making the altered data unreadable. To hide a file, the user runs
a small (often assembly-language) program to shift the bits, and later runs
another program to restore the scrambled bits to their original order. Bit
shifting changes data from readable text to data that looks like binary
executable code; it is not encryption, since there is no key, and it is
easily reversed once recognized.
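The extension-versus-header check described above and the bit-shifting technique, as an added example (not from the original notes or any forensic product). The signature table is deliberately small, the sample files are constructed in memory, and the function names are ours.

```python
"""Two data-hiding checks/techniques from this section, as an added example
(not from the original notes): detecting an extension that does not match the
file's header signature, and bit-shifting a buffer and restoring it.
All sample files are constructed in memory.
"""

# Known header signatures ("magic numbers") for a few common types.
# All of these sit at offset 0; the table is deliberately small.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",   # also docx/xlsx/pptx (Office Open XML containers)
    b"MZ": "exe",           # PE / DOS executable
}

# Extensions that legitimately share a signature.
ALIASES = {
    "jpg": {"jpg", "jpeg"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "exe": {"exe", "dll", "sys"},
}


def identify_by_header(data: bytes):
    """Return the type implied by the header bytes, or None if unknown."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def check_extension(name: str, data: bytes) -> dict:
    """Compare the claimed extension with the header signature, as a
    forensic tool does, and flag a discrepancy as a possibly altered file."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = identify_by_header(data)
    if kind is None:
        status = "unknown-signature"
    elif ext in ALIASES.get(kind, {kind}):
        status = "ok"
    else:
        status = "mismatch"
    return {"name": name, "extension": ext, "signature": kind, "status": status}


def bit_shift(data: bytes, shift: int) -> bytes:
    """Rotate every byte left by `shift` bits. This turns text into bytes
    that look like binary code; it is not encryption and has no key."""
    shift %= 8
    return bytes(((b << shift) | (b >> (8 - shift))) & 0xFF for b in data)


def bit_unshift(data: bytes, shift: int) -> bytes:
    """Undo bit_shift by rotating right by the same amount."""
    return bit_shift(data, (8 - shift % 8) % 8)


if __name__ == "__main__":
    # Constructed samples: an executable renamed to look like a picture,
    # a genuine-looking PNG and a Word document (zip container).
    samples = {
        "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 60,
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "report.docx": b"PK\x03\x04" + b"\x00" * 26,
    }
    for fname, content in samples.items():
        print(check_extension(fname, content))

    secret = b"meet at the pier, 23:00"
    scrambled = bit_shift(secret, 3)
    print("scrambled:", scrambled)
    print("restored:", bit_unshift(scrambled, 3))
```

A renamed executable is reported as a mismatch, while a .docx whose header says "zip" is accepted because the two are the same container format; a real tool carries a far larger signature table and also handles signatures that are not at offset 0.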
Steganography
• Steganography is the art and science of communicating in a way that
hides the existence of the communication. The goal of steganography is to
hide messages inside other harmless messages in a way that does not allow
an adversary even to detect that a second message is present.
• Steganography can be used with many data formats in today's digital
world. The most popular carrier formats are .bmp, .doc, .gif, .jpeg,
.mp3, .txt and .wav. Steganographic technologies are an important part
of the future of security and privacy on open systems such as the
Internet.
• Steganography is the science of hiding information. The purpose of
steganography is covert communication: to hide the existence of a message
from a third party.
• Information hiding generally covers both watermarking and
steganography. A watermarking system's primary goal is to achieve a high
level of robustness: it should be impossible to remove a watermark without
degrading the data object's quality.
• Steganography instead aims at high security (undetectability) and capacity,
which often means that the hidden information is fragile: modifying or
recompressing the carrier can destroy it.
Fig.: a common taxonomy of steganographic techniques (figure not reproduced here).
Technical steganography:
It uses scientific methods to hide a message.
Linguistic steganography:
It hides the message in the carrier in some non-obvious ways and is
further categorized as semagrams or open codes.
Semagrams:
✓ A semagram uses symbols or signs for information hiding.
✓ A visual semagram uses ordinary physical objects to convey a
message.
✓ A text semagram hides a message by modifying the appearance of the
carrier text.
Open codes:
✓ Open codes hide a message in a legitimate carrier message in ways
that are not obvious to an unsuspecting observer.
✓ A jargon code uses language that is understood by a group of people
but is meaningless to others.
✓ The goal of steganography is to avoid the detection or even raising
the suspicion that a secret message is being passed on. Steganalysis is
the art of detecting these covert messages. It involves the detection of
embedded messages. The types of steganalysis attacks are similar to
those of cryptanalysis attacks.
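The technical steganography branch above, with the steganalysis point that follows it, as an added example (not from the original notes or from any of the tools listed below): least-significant-bit embedding into image pixels, extraction, and a crude LSB-plane statistic of the kind a steganalyst looks at first. The cover "image" is a constructed list of grey-scale values rather than a real file, and the function names are ours.

```python
"""LSB image steganography plus a crude steganalysis check, added as an
example (not from the original notes). The 'image' is a constructed list of
8-bit grey-scale pixel values; a real tool would read them from a .bmp file.
"""
import random


def _bits(data: bytes):
    """Yield the bits of data, most significant bit first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(cover: list, message: bytes) -> list:
    """Hide message in the least significant bits of the cover pixels.
    A 32-bit length prefix tells the extractor where to stop."""
    payload = len(message).to_bytes(4, "big") + message
    needed = len(payload) * 8
    if needed > len(cover):
        raise ValueError(f"cover too small: need {needed} pixels, have {len(cover)}")
    stego = list(cover)
    for idx, bit in enumerate(_bits(payload)):
        stego[idx] = (stego[idx] & 0xFE) | bit  # replace only the LSB
    return stego


def extract(stego: list) -> bytes:
    """Recover the hidden message from the LSBs of the stego pixels."""
    def read_bytes(start: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            val = 0
            for i in range(8):
                val = (val << 1) | (stego[start + b * 8 + i] & 1)
            out.append(val)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def lsb_ratio(pixels: list, count: int) -> float:
    """Fraction of 1-bits in the LSB plane of the first `count` pixels.
    Embedded data pushes the ratio toward 0.5, while a smooth natural region
    is often skewed. This is only a hint that invites closer steganalysis."""
    region = pixels[:count]
    return sum(p & 1 for p in region) / len(region)


def max_abs_pixel_change(cover: list, stego: list) -> int:
    """LSB embedding changes each pixel by at most 1, hence invisible to the eye."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def make_cover(n: int, seed: int = 7) -> list:
    """Constructed cover: a slow gradient with mostly even values, standing
    in for a real picture (it is not read from any image file)."""
    rng = random.Random(seed)
    return [((i // 8) * 2) % 256 + rng.choice([0, 0, 0, 1]) for i in range(n)]


if __name__ == "__main__":
    cover = make_cover(4096)
    secret = b"The package is in locker 17"
    stego = embed(cover, secret)
    print("extracted:", extract(stego))
    print("max pixel change:", max_abs_pixel_change(cover, stego))
    print("LSB ratio cover vs stego:", round(lsb_ratio(cover, 256), 2), round(lsb_ratio(stego, 256), 2))
```

The embedding never changes a pixel by more than one grey level, which is why it is invisible, and the LSB-plane ratio moving toward 0.5 over the embedded region is the statistical trace that steganalysis exploits; the check is deliberately crude, and a lossy recompression of the carrier would destroy the payload, which is the fragility mentioned above.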
Steganography tools
a. MP3Stego: Hide files within mp3 files. MP3Stego will hide
information in MP3 files during the compression process. The data is
first compressed, encrypted and then hidden in the MP3 bit stream.
b. Text Hide: Simple text steganography
c. wbStego: hides data in bitmaps, text files, HTML files and PDF
files.
d. Hide4PGP: Hide4PGP is a freeware program distributed as source
code in ANSI C and precompiled executables for DOS and the
Win32 console
Difference between Steganography and Cryptography

Steganography:
✓ The output of information hiding is the stego-media.
✓ It hides the existence of the information.
✓ An additional carrier is needed.
✓ Steganography does not alter the secret message but hides it inside a
cover (such as an image).
✓ The secret message is embedded in a harmless-looking cover such as a
digital image file, and the image file is then transmitted.

Cryptography:
✓ The output of cryptography is a cipher text.
✓ It does not hide the existence of the information.
✓ No additional carrier is needed.
✓ The structure of the message is scrambled to make it meaningless.
✓ Cryptography is the science of using mathematics to encrypt and
decrypt data.

Performing Remote Acquisition


• Remote forensic tools give digital investigators an alternative to the most
common and readily accessible methods of volatile data and RAM
acquisition. These remote forensic solutions can be used to access live
systems, and include the ability to acquire and sometimes analyze memory.
• These tools include enterprise solutions from core forensic application
vendors such as AccessData, Guidance Software, and Technology Pathways,
which all have agent-style installation options that may be rolled out to
most of the systems in a large network and accessed during an incident,
rather than run for the first time when a digital investigator accesses the
system.
• The Online DFS tool can acquire data from remote systems without
installing an agent. Another tool that can be used to acquire volatile data
and hard drive contents remotely from Windows systems is F-Response.
This tool does not itself acquire the data from the remote system, but rather
provides access to memory and hard drives on a remote computer via an
iSCSI connection, which digital investigators can then acquire using their
tool of choice.
There are three main data acquisition methods to choose from:
1. Bit-stream disk-to-image file
2. Bit-stream disk-to-disk
3. Sparse data copy of a file or folder
Bit-stream copy:
A bit-by-bit copy of the original storage medium, and therefore an exact
duplicate of the original disk, including unallocated and slack space. It differs
from a simple backup copy because a backup copies only files stored in a folder
or files of known types.
Bit-stream image:
The file that contains the bit-stream copy of all the data on a disk or
disk partition.
Network Forensics
• Network forensics is a sub-branch of digital forensics relating to the
monitoring and analysis of computer network traffic for the purposes of
information gathering, legal evidence, or intrusion detection. Unlike other
areas of digital forensics, network investigations deal with volatile and
dynamic information.
• Today most people depend on e-mail, e-commerce and m-commerce, all of
which require network support, and a variety of networking technologies are
used to support these operations. Digital investigators should therefore know
at least the basics of computer networks and the working and functions of
networking devices; this helps them solve problems and think in all
directions.
• Investigators who understand the technology are able to recognize, collect,
preserve, examine, and analyze evidence related to crimes involving
networks. Network-enabled crime increases day by day, so digital
investigators must be familiar with networking technology.
Investigators need the ability to identify different packet types according to
various Internet Protocols. These include:
1. Email (POP3, SMTP and IMAP)
2. Web Mail (Yahoo Mail, Gmail, Hotmail)
3. Instant Messaging (Windows Live Messenger, Yahoo, ICQ)
4. FTP
5. Telnet
6. HTTP
7. VOIP
• Network forensics is the process of capturing information that moves over a
network and trying to make sense of it in some kind of forensics capacity.
Network forensics is the capture, recording, and analysis of network events
in order to discover the source of security attacks or other problem
incidents.
• A network forensics appliance is a device that automates this process.
Wireless forensics is the process of capturing information that moves over a
wireless network and trying to make sense of it in some kind of forensics
capacity.
Network attack:
1. Denial of service
• Denial of service attacks cause the service or program to cease
functioning or prevent others from making use of the service or program.
These may be performed at the network layer by sending carefully
crafted and malicious datagrams that cause network connections to fail.
• They may also be performed at the application layer, where carefully
crafted application commands are given to a program that cause it to
become extremely busy or stop functioning.
• Preventing suspicious network traffic from reaching hosts and
preventing suspicious program commands and requests are the best ways
of minimizing the risk of a denial-of-service attack.
• It is useful to know the details of the attack method, so you should
educate yourself about each new attack as it gets publicized.
2. Spoofing
• This type of attack causes a host or application to mimic the actions of
another. Typically, the attacker pretends to be an innocent host by
forging the source IP addresses in network packets.
• For example, a well-documented exploit of the BSD rlogin service can
use this method to mimic a TCP connection from another host by
guessing TCP sequence numbers.
• To protect against this type of attack, verify the authenticity of
datagrams and commands. Prevent datagram routing with invalid source
addresses. Introduce unpredictability into connection control
mechanisms, such as TCP sequence numbers and the allocation of
dynamic port addresses.
3. Eavesdropping
• This is the simplest type of attack.
• A host is configured to “listen” to and capture data not belonging
to it. Carefully written eavesdropping programs can take
usernames and passwords from user login network connections.
• Broadcast networks like ethernet are especially vulnerable to this
type of attack.
• To protect against this type of threat, avoid use of broadcast
network technologies and enforce the use of data encryption.
• IP firewalling is very useful in preventing or reducing
unauthorized access, network layer denial of service, and IP
spoofing attacks. It is not very useful in preventing exploitation of
weaknesses in network services or programs, or eavesdropping.
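What "carefully written eavesdropping programs" do with a plaintext login, and equally what a network forensics tool extracts from reassembled streams, as an added example (not from the original notes or from any tool named on this page). The streams are constructed, not captured, and the function names are ours.

```python
"""Extracting credentials from plaintext protocol streams, added as an
example (not from the original notes). It shows why Telnet/FTP/POP3 logins
and HTTP Basic authentication are trivially eavesdropped, and is the kind of
parser a network forensic tool runs over reassembled TCP streams. The
streams below are constructed, not a real capture.
"""
import base64
import re

# One reassembled client->server stream per connection, keyed by
# (client_ip, server_ip, server_port). Constructed sample data.
STREAMS = {
    ("10.0.0.5", "192.0.2.10", 21): "USER alice\r\nPASS s3cret!\r\nLIST\r\nQUIT\r\n",
    ("10.0.0.5", "192.0.2.20", 110): "USER bob@example.test\r\nPASS hunter2\r\nSTAT\r\nQUIT\r\n",
    ("10.0.0.7", "192.0.2.30", 80): ("GET /admin HTTP/1.1\r\nHost: intranet\r\n"
                                      "Authorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n"),
    ("10.0.0.9", "192.0.2.10", 21): "USER anonymous\r\nPASS guest@\r\nQUIT\r\n",
}

PROTO_BY_PORT = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}
USER_PASS = re.compile(r"^(USER|PASS) (.*)$", re.MULTILINE)
BASIC = re.compile(r"^Authorization: Basic ([A-Za-z0-9+/=]+)", re.MULTILINE | re.IGNORECASE)


def extract_credentials(streams: dict) -> list:
    """Return (client, server, protocol, username, password) for every login
    sent in clear text."""
    found = []
    for (client, server, port), text in streams.items():
        proto = PROTO_BY_PORT.get(port, f"tcp/{port}")
        if proto in ("ftp", "pop3"):
            user = None
            for cmd, arg in USER_PASS.findall(text):
                if cmd == "USER":
                    user = arg.strip()
                elif cmd == "PASS" and user is not None:
                    found.append((client, server, proto, user, arg.strip()))
                    user = None
        elif proto == "http":
            for token in BASIC.findall(text):
                try:
                    decoded = base64.b64decode(token, validate=True).decode("utf-8")
                except (ValueError, UnicodeDecodeError):
                    continue  # malformed header: skip it rather than abort the run
                if ":" in decoded:
                    user, password = decoded.split(":", 1)
                    found.append((client, server, proto, user, password))
    return found


def summarize(creds: list) -> dict:
    """Count captured logins per protocol, e.g. for an incident report."""
    counts = {}
    for _, _, proto, _, _ in creds:
        counts[proto] = counts.get(proto, 0) + 1
    return counts


if __name__ == "__main__":
    creds = extract_credentials(STREAMS)
    for c in creds:
        print(c)
    print(summarize(creds))
```

Nothing here decrypts anything: the credentials are simply read off the wire, which is the whole argument for enforcing encrypted variants (FTPS/SFTP, POP3S, HTTPS) and against broadcast segments where any host can see the stream.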
Network Security Mechanisms
• Network security starts from authenticating any user, most likely a
username and a password. Once authenticated, a stateful firewall enforces
access policies such as what services are allowed to be accessed by the
network users
• Though effective to prevent unauthorized access, this component fails to
check potentially harmful contents such as computer worms being
transmitted over the network.
• An Intrusion Prevention System (IPS) helps detect and prevent such
malware. IPS also monitors for suspicious network traffic for contents,
volume and anomalies to protect the network from attacks such as denial of
service.
• Communication between two hosts using the network could be encrypted to
maintain privacy.
• Individual events occurring on the network could be tracked for audit
purposes and for a later high-level analysis.
• Honeypots, essentially decoy network-accessible resources, could be
deployed in a network as surveillance and early-warning tools.
• Techniques used by the attackers that attempt to compromise these decoy
resources are studied during and after an attack to keep an eye on new
exploitation techniques.
• Such analysis could be used to further tighten security of the actual network
being protected by the honeypot.
• Some tools: firewalls, antivirus software and Internet security software.
For authentication, use strong, unique passwords and change them whenever
compromise is suspected (current guidance such as NIST SP 800-63B no longer
recommends fixed bi-weekly or monthly rotation on its own). When using a
wireless connection, use a robust passphrase. Use a network analyzer to
monitor and analyze the network.
Network forensics systems can be one of two kinds:
1. “Catch-it-as-you-can” systems, in which all packets passing through a
certain traffic point are captured and written to storage with analysis
being done subsequently in batch mode. This approach requires large
amounts of storage, usually involving a RAID system.
2. “Stop, look and listen” systems, in which each packet is analyzed in a
rudimentary way in memory and only certain information saved for
future analysis. This approach requires less storage but may require a
faster processor to keep up with incoming traffic.
• Network forensics is the process of collecting and analyzing raw network
data and then tracking network traffic to determine how an attack took
place.
• When intruders break into a network they leave a trail. Need to spot
variations in network traffic; detect anomalies.
• Network forensics can usually help to determine whether network has been
attacked or there is a user error.
• Examiners must establish standard procedures to carry out network forensics.
Network forensics tools:
a. NetworkMiner
• NetworkMiner is a Network Forensic Analysis Tool
(NFAT) for Windows.
• NetworkMiner can be used as a passive network
sniffer/packet capturing tool in order to detect operating
systems, sessions, hostnames, open ports etc. without putting
any traffic on the network.
• The purpose of NetworkMiner is to collect data (such as
forensic evidence) about hosts on the network rather than to
collect data regarding the traffic on the network.
• The main view is host centric (information grouped per host)
rather than packet centric (information shown as a list of
packets/frames).
Open-source tools
1. Wireshark
2. Kismet
3. Snort
4. OSSEC
5. NetworkMiner is an open-source network forensics tool available on
SourceForge.
6. Xplico is an Internet/IP traffic decoder (NFAT). Protocols supported include
HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4 and IPv6.
Open-Source Tools: Wireshark
• Wireshark is the most widely used graphical application for network
monitoring and analysis. It is open-source and runs on most popular
computing platforms, including UNIX, Linux, and Windows. It is available
for download from http://www.wireshark.org.
• Wireshark was started by Gerald Combs under the name Ethereal. The first
version was released in 1998. The name Wireshark was adopted in June
2006. Wireshark is a free and open-source packet analyzer: software that
"understands" the structure of different networking protocols.
• Wireshark is a network packet/protocol analyzer. A network packet
analyzer captures network packets and displays the packet
data in as much detail as possible. Wireshark is perhaps one of the best open-
source packet analyzers available today for UNIX and Windows.
• Wireshark is not an intrusion detection system; it is a
GUI network protocol analyzer. Wireshark has been developed
to work on Microsoft Windows, Linux, Solaris, and Mac OS X.
Uses of Wireshark:
1. Network administrators use it to troubleshoot network problems
2. Network security engineers use it to examine security problems
3. Developers use it to debug protocol implementations
4. People use it to learn network protocol internals
5. It displays network traffic in a human-readable format.
Use filters to capture only the packets of interest to you. Wireshark uses two
types of filters:
1. Capture filters
2. Display filters
Capture filters:
Applied while capturing, using the same BPF syntax as tcpdump. Wireshark's
capture filter engine drops unwanted packets before they are written to the
trace, so only the packets of interest are stored.
Display filters:
Let you compare the fields within a protocol against a specific value,
compare fields against fields, and check for the existence of specified fields or
protocols. Display filters allow more detailed filtering, but they are applied to
packets already captured: they change what is shown, not what was recorded.

Fig.: Wireshark startup screen (not reproduced here).
Fig.: Wireshark graphical user interface (not reproduced here).
Example (capture filters, BPF syntax):
1. Capture only UDP packets with destination port 53 (DNS requests):
"udp dst port 53"
2. Capture only UDP packets with source port 53 (DNS replies):
"udp src port 53"
3. Capture only UDP packets with source or destination port 53 (DNS requests
and replies): "udp port 53"
Comparison operators
Fields can also be compared against values. The comparison operators
can be expressed either through English-like abbreviations or through C-like
symbols.
Symbol   Meaning
==       Equal (eq)
!=       Not equal (ne)
>        Greater than (gt)
<        Less than (lt)
>=       Greater than or equal to (ge)
<=       Less than or equal to (le)
()       Grouping
Logical expressions
Tests can be combined using logical expressions. These too are
expressible in C-like syntax or with English-like abbreviations:
Symbol   Meaning
&&       Logical AND (and)
||       Logical OR (or)
!        Logical NOT (not)
Snort
• Snort is an open-source Network Intrusion Detection System (NIDS) which
is available free of cost. NIDS is the type of Intrusion Detection System
(IDS) that is used for scanning data flowing on the network. Snort is a tool
for small, lightly utilized networks. Fig. 3.4.3 shows location of snort.
• Intrusion detection is a set of techniques and methods that are used to detect
suspicious activity both at the network and host level. Intrusion Detection
System is software, hardware or combination of both used to detect intruder
activity.
• A lightweight intrusion detection system can easily be deployed on most
any node of a network, with minimal disruption to operations. Snort is a
libpcap based packet sniffer and logger that can be used as a lightweight
network intrusion detection system.

Location of the snort

• Snort uses rules stored in text files, which can be modified with any text
editor. Rules are grouped in categories, with a separate file maintained for
each group. "snort.conf" is the main configuration file, and all group files are
included from it. At startup, Snort reads these rules and builds its internal
data structures.
Components of snort
A snort IDS contains the following components:
1. Packet decoder
2. Preprocessors
3. Detection engine
4. Logging and alerting system
5. Output modules
1. Packet decoder: It takes packets from different types of network interfaces
(Ethernet, SLIP, PPP) and prepares them for processing, translating specific
protocol elements into an internal data structure.
2. Preprocessor: Preprocessors are components that can be used with snort to
arrange or modify data packets before the detection engine does some
operation to find out if the packet is being used by an intruder. They are also
used to prepare data for detection engine; detect anomalies in packet headers;
packet defragmentation; decode HTTP URI and reassemble TCP streams.
3. Detection engine: The most important part, applies rules to packets. The
detection engine performs simple tests on a single aspect of each packet to
detect intrusions.
4. Logging and alerting system: It generates alert and log messages depending
upon what the detection engine finds inside a packet. Logs are kept in simple
text files and TCP dump- style files. Log files are stored under /var/log/snort
folder by default.

Snort components
5. Output modules: They process alerts and logs and generate the final output.
Depending on the configuration, output modules can take the following actions:
1. Simply logging to the /var/log/snort/alert file
2. Sending SNMP traps
3. Sending messages to the syslog facility
4. Logging to a database like MySQL or Oracle
5. Generating XML output
6. Modifying configuration on routers and firewalls
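The rule file, detection engine and alerting stage described above, reduced to a miniature that can be run by hand, as an added example (this is not Snort's code, and the three rules are constructed rather than taken from any distributed rule set). Only the msg, content, nocase and sid options are handled, packets are plain dictionaries, and the function names are ours.

```python
"""A miniature Snort rule file and detection engine, added as an example (not
from the original notes). It parses rules written in real Snort syntax
(action proto src sport -> dst dport (options)) and applies them to
constructed packets. Only msg, content, nocase and sid are supported, and
the packets are dictionaries, not a live capture.
"""
import re

# Constructed rules; sids above 1000000 are the range Snort leaves for local rules.
RULES_TEXT = r'''
alert tcp any any -> any 80 (msg:"WEB-MISC /etc/passwd access"; content:"/etc/passwd"; nocase; sid:1000001;)
alert tcp any any -> 192.0.2.0/24 23 (msg:"TELNET login attempt to server net"; sid:1000002;)
alert udp any any -> any 53 (msg:"DNS query for suspicious domain"; content:"evil-c2"; sid:1000003;)
'''

HEADER = re.compile(r"^(alert|log|pass)\s+(tcp|udp|icmp|ip)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPTION = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_rules(text: str) -> list:
    """What Snort does at startup: read the rule files into a rule list."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER.match(line)
        if not m:
            raise ValueError(f"bad rule: {line}")
        action, proto, src, sport, dst, dport, opts = m.groups()
        rule = {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst,
                "dport": dport, "contents": [], "nocase": False, "msg": "", "sid": 0}
        for key, val in OPTION.findall(opts):
            val = val.strip().strip('"')
            if key == "msg":
                rule["msg"] = val
            elif key == "sid":
                rule["sid"] = int(val)
            elif key == "content":
                rule["contents"].append(val)
            elif key == "nocase":
                rule["nocase"] = True
        rules.append(rule)
    return rules


def ip_match(spec: str, ip: str) -> bool:
    """'any', an exact IPv4 address, or a CIDR block such as 192.0.2.0/24."""
    if spec in ("any", ip):
        return True
    if "/" not in spec:
        return False
    net, bits = spec.split("/")
    to_int = lambda a: int.from_bytes(bytes(int(o) for o in a.split(".")), "big")
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    return (to_int(ip) & mask) == (to_int(net) & mask)


def port_match(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def detect(rules: list, packet: dict) -> list:
    """Detection engine: return (sid, msg) for every rule the packet triggers.
    A packet is {'proto', 'src', 'sport', 'dst', 'dport', 'payload'}."""
    hits = []
    for r in rules:
        if r["proto"] not in ("ip", packet["proto"]):
            continue
        if not (ip_match(r["src"], packet["src"]) and ip_match(r["dst"], packet["dst"])):
            continue
        if not (port_match(r["sport"], packet["sport"]) and port_match(r["dport"], packet["dport"])):
            continue
        payload = packet["payload"].lower() if r["nocase"] else packet["payload"]
        if all((c.lower() if r["nocase"] else c) in payload for c in r["contents"]):
            hits.append((r["sid"], r["msg"]))
    return hits


def alert_lines(rules: list, packets: list) -> list:
    """Logging/alerting stage: one line per hit, in the spirit of /var/log/snort/alert."""
    return [f"[**] [1:{sid}:1] {msg} [**] {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}"
            for p in packets for sid, msg in detect(rules, p)]


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    packets = [  # constructed packets, not captured traffic
        {"proto": "tcp", "src": "10.0.0.5", "sport": 41000, "dst": "192.0.2.10", "dport": 80,
         "payload": "GET /../../ETC/PASSWD HTTP/1.0\r\n\r\n"},
        {"proto": "tcp", "src": "10.0.0.5", "sport": 41001, "dst": "192.0.2.44", "dport": 23, "payload": ""},
        {"proto": "udp", "src": "10.0.0.6", "sport": 5353, "dst": "198.51.100.1", "dport": 53,
         "payload": "\x00\x01\x00\x00evil-c2\x03com"},
        {"proto": "tcp", "src": "10.0.0.8", "sport": 41002, "dst": "203.0.113.9", "dport": 443,
         "payload": "/etc/passwd"},
    ]
    for line in alert_lines(rules, packets):
        print(line)
```

The fourth packet carries the same string as the first but on port 443, and triggers nothing: a content match is only evaluated after the header (protocol, addresses, ports) matches, which is also why the real engine needs the preprocessors listed above to reassemble streams and normalise URIs before content rules see the data.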
Email Investigations
• Email is used in criminal acts, but also in inappropriate actions, such as
threats and frauds (phishing). While in principle email is hard to connect to
an individual, in practice, email can be traced and connected to the
perpetrator.
• Over the years e-mail protocols have been hardened through several
security extensions and procedures; however, cybercriminals continue to
misuse e-mail for illegitimate purposes by sending spam, phishing e-mails,
distributing child pornography and hate e-mail, besides propagating
viruses, worms, hoaxes and trojan horses.
• E-mail forensic analysis is used to study the source and content of e-mail
message as evidence, identifying the actual sender, recipient and date and
time it was sent, etc. to collect credible evidence to bring criminals to
justice.
• For networks, a port means an endpoint to a logical connection. The port
number identifies what type (application/service offered) of port it is. The
commonly used default port numbers used in e-mail are shown below:
Protocol            Port number
SMTP                25
HTTP                80
POP3                110
IMAP                143
HTTPS               443
SMTPS               465
MSA (submission)    587
IMAPS               993
POP3S (SPOP)        995
• Identities used in e-mail are globally unique and are: mailbox, domain
name, message-ID and ENVID. Mailboxes are conceptual entities identified
by e-mail address and receive mail.
• E-mail forensics refers to the study of source and content of e-mail as
evidence to identify the actual sender and recipient of a message, data/time
of transmission, detailed record of e- mail transaction, intent of the sender,
etc.
• A forensic investigation of e-mail can examine both the e-mail header and body.
An investigation should include the following:
> Examining the sender's e-mail address
> Examining the message initiation protocol (HTTP, SMTP)
> Examining the Message-ID
> Examining the sender's IP address
Email headers
• When investigating e-mail, we usually start with the piece of e-mail itself and
analyze its headers, since each SMTP server that handles a
message adds its own lines on top of the header.
• Metadata in the e-mail message, in the form of control information (the
envelope and headers, including headers in the message body), contains
information about the sender and/or the path along which the message has
traversed.
• Inconsistencies between the data that successive SMTP servers supposedly
created can prove that the e-mail in question is faked. Another line of
investigation is the header contents themselves.
• Each SMTP relay adds idiosyncratic lines (host names, software banners,
timestamp formats). If a message lacks the lines a relay on its claimed path is
known to add, it is likely faked. If possible, obtain
another e-mail that followed supposedly the same path as the e-mail under
investigation and see whether these idiosyncratic lines have changed. While
it is possible that the administrator of an SMTP node changed the behavior
or even the routing, such changes tend to be few and far between.
• In email server investigation, copies of delivered e-mails and server logs are
investigated to identify source of an e-mail message. E-mails purged from
the clients (senders or receivers) whose recovery is impossible may be
requested from servers (Proxy or ISP) as most of them store a copy of all e-
mails after their deliveries
Some other aspects that control forensics step include the following
properties:
1. Storage format of e-mail: Server-side storage formats include maildir and
mbox; server-side stores may also keep e-mail in SQL Server databases.
The different formats can be read for forensic analysis with a text editor
such as Notepad and regular-expression-based searches. At the client side,
e-mail is commonly stored in mbox format; clients may also store e-mail as
.PST (MS Outlook) and .NSF (Lotus Notes) files.
2. Availability of a backup copy of e-mail: When checking from the server
side, all copies are transferred to the client, so this requires seizing the
client computer. For webmail, copies are always saved on the server side.
3. Protocol used to transport e-mail: E-mail can be initiated and transported
over SMTP or HTTP, depending on the e-mail server application.

E-Mail forensic tools:
• eMailTrackerPro analyses the headers of an e-mail to detect the IP address
of the machine that sent the message, so that the sender can be tracked
down. It can trace multiple e-mails at the same time and easily keep track
of them.
• Email Tracer is an Indian effort in cyber forensics by the Resource Centre
for Cyber Forensics (RCCF), a premier centre for cyber forensics in India
that develops cyber forensic tools based on the requirements of law
enforcement agencies.
• Adcomplain is a tool for reporting inappropriate commercial e-mail and
Usenet postings, as well as chain letters and “make money fast” postings.
Checking UNIX E-mail Server Logs
• Log files provide useful information for an investigation. When mail is
sent, the server creates a number of files to track and maintain the e-mail
service.
• The “/etc/sendmail.cf” file holds the configuration information for
sendmail. The “/etc/syslog.conf” file specifies how and which events
sendmail logs.
• Communication between SMTP and POP3 is recorded in the /var/log/maillog
file, which also records IP addresses and timestamps.
• E-mail evidence is in the e-mail itself (the header). E-mail evidence is
left behind as the e-mail travels from sender to recipient.
• Reviewing e-mail headers can offer clues to the true origin of the mail and
the program used to send it.
• Received is the most essential field of the e-mail header: it creates a list
of all the e-mail servers through which the message traveled in order to
reach the receiver.
The best way to read the Received fields is from bottom to top:
1. The bottom “Received” shows the IP address of the sender's mail server.
2. The top “Received” shows the IP address of the receiver's mail server.
3. The middle “Received” lines show the IP addresses of the mail servers
through which the e-mail passed from sender to receiver.
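To make the bottom-to-top reading of Received headers concrete, here is an added Python example (it is not from these notes and not from any of the tools named above). It parses the Received chain of a constructed message with the standard-library email module, lists the hops in transit order, and flags the two simplest inconsistencies the text describes: a timestamp that goes backwards, and a hand-off where the server that "received" the message is not the one the previous hop says handled it. All host names, addresses, IDs and times in the sample are invented.

```python
"""Walk the Received chain of an e-mail header from bottom (origin) to top.

Added example; the message below is constructed and every host, IP,
queue ID and timestamp in it is invented.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: three hops, the origin hop is the bottom Received header.
SAMPLE_MESSAGE = (
    "Received: from mx2.example.org (mx2.example.org [203.0.113.20])\n"
    "\tby mail.example.com with ESMTP id ABC123;\n"
    "\tMon, 1 Jan 2024 10:00:05 +0000\n"
    "Received: from relay.example.net ([198.51.100.7])\n"
    "\tby mx2.example.org with ESMTP id XYZ789;\n"
    "\tMon, 1 Jan 2024 10:00:03 +0000\n"
    "Received: from [192.0.2.15] (unknown [192.0.2.15])\n"
    "\tby relay.example.net with ESMTPA id Q1;\n"
    "\tMon, 1 Jan 2024 10:00:01 +0000\n"
    "Message-ID: <20240101100001.Q1@relay.example.net>\n"
    "From: alice@example.net\n"
    "To: bob@example.com\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Pull the from-host, by-host, bracketed IP and timestamp out of one Received value."""
    text = " ".join(value.split())  # unfold continuation lines
    frm = re.search(r"\bfrom\s+(\S+)", text)
    by = re.search(r"\bby\s+(\S+)", text)
    ip = IP_RE.search(text)
    # The date is conventionally the part after the last ';'
    when = parsedate_to_datetime(text.rsplit(";", 1)[1].strip()) if ";" in text else None
    return {
        "from": frm.group(1).strip("[]") if frm else None,
        "by": by.group(1) if by else None,
        "ip": ip.group(1) if ip else None,
        "time": when,
    }


def trace_path(raw_message):
    """Return hops in transit order: the bottom Received header (origin) first."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    return [parse_received(v) for v in reversed(received)]


def check_consistency(hops):
    """Flag time running backwards and broken hand-offs between successive hops."""
    findings = []
    for i in range(1, len(hops)):
        prev, cur = hops[i - 1], hops[i]
        if prev["time"] and cur["time"] and cur["time"] < prev["time"]:
            findings.append(f"hop {i}: timestamp earlier than hop {i - 1}")
        if prev["by"] and cur["from"] and prev["by"].lower() != cur["from"].lower():
            findings.append(
                f"hop {i}: received from {cur['from']} but hop {i - 1} was handled by {prev['by']}"
            )
    return findings


if __name__ == "__main__":
    path = trace_path(SAMPLE_MESSAGE)
    for i, hop in enumerate(path):
        print(i, hop["from"], hop["ip"], "->", hop["by"], hop["time"])
    print("findings:", check_consistency(path) or "none")
```

The first hop's bracketed address is the one the text calls the sender's mail server IP; a real investigation would also compare each "by" host's logs (see the maillog discussion that follows) against the timestamps recorded here.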
• The syslog.conf file simply specifies where to save different types of e-mail
log files. The first log file it configures is /var/log/maillog, which usually
contains a record of Simple Mail Transfer Protocol (SMTP) communication
between servers.
• UNIX systems are normally set to store log files in the /var/log directory.
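As an added example of working with /var/log/maillog (not code from these notes), the Python below parses constructed sendmail-style log lines, joins the from= and to= records of each queue ID into one transaction, and looks a transaction up by the Message-ID taken from an e-mail header, which is how a header examination and a server-log examination are tied together. The log lines, hosts, addresses and queue IDs are invented for illustration.

```python
"""Correlate sendmail-style maillog records into per-message transactions.

Added example; SAMPLE_MAILLOG is constructed and every host, address,
IP and queue ID in it is invented.
"""
import re

SAMPLE_MAILLOG = """\
Jan  1 10:00:01 mailhost sendmail[2345]: 401A01xx002345: from=<alice@example.net>, size=512, class=0, nrcpts=1, msgid=<20240101100001.Q1@relay.example.net>, proto=ESMTP, daemon=MTA, relay=relay.example.net [198.51.100.7]
Jan  1 10:00:02 mailhost sendmail[2346]: 401A01xx002345: to=<bob@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=30512, dsn=2.0.0, stat=Sent
Jan  1 10:03:10 mailhost sendmail[2350]: 401A03yy002350: from=<mallory@example.org>, size=2048, class=0, nrcpts=1, msgid=<abc@example.org>, proto=SMTP, daemon=MTA, relay=[192.0.2.99]
Jan  1 10:03:11 mailhost sendmail[2351]: 401A03yy002350: to=<bob@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=32048, dsn=5.1.1, stat=User unknown
"""

# syslog prefix, process, sendmail queue ID, then the comma-separated key=value body
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[\d+\]: "
    r"(?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$"
)
# values are either <angle-bracketed> or run up to the next comma
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,]*)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_line(line):
    """Return a dict of the fields in one sendmail log line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip("<>") for k, v in KV_RE.findall(m.group("rest"))}
    return {"ts": m.group("ts"), "qid": m.group("qid"), **fields}


def correlate(log_text):
    """Join the from= and to= records that share a queue ID into one transaction."""
    txns = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # POP3/other daemons' lines are ignored by this parser
        t = txns.setdefault(rec["qid"], {"qid": rec["qid"], "recipients": []})
        if "from" in rec:
            ip = IP_RE.search(rec.get("relay", ""))
            t.update(sender=rec["from"], msgid=rec.get("msgid"),
                     relay=rec.get("relay"), relay_ip=ip.group(1) if ip else None,
                     received_at=rec["ts"])
        if "to" in rec:
            t["recipients"].append({"to": rec["to"], "stat": rec.get("stat"), "at": rec["ts"]})
    return txns


def find_by_msgid(txns, msgid):
    """Locate the server-side transaction for a Message-ID taken from an e-mail header."""
    return next((t for t in txns.values() if t.get("msgid") == msgid), None)


def failed_deliveries(txns):
    """Queue IDs with at least one recipient whose final status is not 'Sent'."""
    return sorted(q for q, t in txns.items()
                  if any(r["stat"] != "Sent" for r in t["recipients"]))


if __name__ == "__main__":
    txns = correlate(SAMPLE_MAILLOG)
    hit = find_by_msgid(txns, "20240101100001.Q1@relay.example.net")
    print("sender:", hit["sender"], "relay IP:", hit["relay_ip"], "recipients:", hit["recipients"])
    print("failed:", failed_deliveries(txns))
```

The relay IP recorded against the from= line is the server-side counterpart of the bottom Received header: the two should agree, and a mismatch is exactly the kind of inconsistency the header discussion above treats as evidence of forgery.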
Microsoft E-mail Server Log
• Microsoft's e-mail server software is Exchange Server. It uses a database
based on the Microsoft Extensible Storage Engine.
• The Microsoft Extensible Storage Engine (ESE) uses different files in various
combinations to provide the e-mail service. For an investigation, two
database files are helpful: the “.edb” and “.stm” files.
• Checkpoint and temporary files are also helpful for an investigation. The
.edb file contains many tables that hold metadata for all e-mail messages
and other items in the Exchange store.
• The .stm file stores native Internet content. Because Internet content is
written in native format, there is no need to convert messages and other
items to Exchange format.
• An .edb file is responsible for messages formatted with the Messaging
Application Programming Interface (MAPI), a Microsoft system that enables
different e-mail applications to work together.
• The .edb and .stm files function as a pair, and the database signature is
stored as a header in both files. The internal schema for the .stm pages is
stored in the .edb file.
E-mail Forensic Tools: MailXaminer
• MailXaminer is a toolkit with multiple functionalities, of which its
powerful, unrestricted search mechanism is the best feature. With this
e-mail search software, users can scan, view, search, investigate, analyze,
smart-review and generate a report of e-mails in very little time.
a. Input file on disk required: This indicates whether the e-mail file must
be present on the local disk. MailXaminer requires the input file to be
present on disk.
b. Search option: This feature indicates how a search for words of interest
in the content of an e-mail is performed. MailXaminer can perform plain
text-based search.
c. Information provided: This feature indicates the information extracted
and shown as part of the forensic analysis. The MailXaminer tool shows
the message, date and time details of an e-mail.
d. Recovery capability: A forensic tool should have the capability to
recover corrupted or deleted e-mail to be useful for an investigation.
MailXaminer can recover corrupted e-mail. It also has the capability to
import corrupted contacts and calendars.
e. E-mail format supported: This feature indicates the file types supported
by a tool. MailXaminer supports Gmail, Yahoo, Hotmail, IMAP, Mozilla
Thunderbird, Lotus Notes, Outlook, Exchange and Mac Outlook e-mail
formats.
f. Visualization format supported: A forensic tool should allow the
investigator different types of display of the extracted information to
enable more intelligence gathering. MailXaminer supports different view
options.
g. OS supported: Ideally, a forensic tool should support different types of
operating systems to make it useful for e-mail applications running on
different platforms. MailXaminer runs on Windows.
h. Export format: A forensic tool should have a friendly format for saving
the examination results for compatible analysis with other forensic
tools.
i. Extended device support: This feature indicates whether a tool can act
on plug-in devices such as an added hard disk or USB memory stick, etc.
Cell Phone and Mobile Devices Forensics
• Mobile devices are an evolving form of computing, used widely for
personal and organizational purposes. These compact devices are useful in
managing information, such as contact details and appointments,
corresponding electronically, and conveying electronic documents.
• Over time, they accumulate a sizeable amount of information about the
owner. When involved in crimes or other incidents, proper tools and
techniques are needed to recover evidence from such devices and their
associated media.
• Mobile device forensics is the science of recovering digital evidence from a
mobile device under forensically sound conditions using accepted methods.
Mobile device forensics is an evolving specialty in the field of digital
forensics.
• Different mobile devices have different technical and physical characteristics
(e.g., size, weight, processor speed, memory capacity). Mobile devices may
also use different types of expansion capabilities to provide additional
functionality. Furthermore, mobile device capabilities sometimes include those
of other devices such as handheld Global Positioning Systems (GPS), cameras
(still and video) or personal computers.
• People store a lot of information on cell phones, but they do not think
about securing them. Data stored on mobile phones includes the following:
1. Incoming, outgoing and missed calls
2. SMS
3. E-mail
4. Instant-messaging logs
5. Web pages
6. Pictures
7. Personal calendars
8. Address books
9. Music files
10. Voice recordings.
• A mobile phone's hardware includes a microprocessor, ROM, RAM, a digital
signal processor, a radio module, a microphone and speaker, hardware
interfaces, and a display.
• Most basic phones have a proprietary OS, while smartphones run Android or
other operating systems.
• Phones store system data in Electrically Erasable Programmable Read-Only
Memory (EEPROM), which enables service providers to reprogram phones
without having to physically access the memory chips. The OS is stored in
ROM.
• The personal nature of the information on these devices can provide digital
investigators with valuable insights into the modus operandi of suspects and
the activities of victims. Windows Mobile uses a variation of the FAT file
system called the Transaction-safe FAT (TFAT) file system, which has some
recovery features in the event of a sudden device shutdown.
• The forensic acquisition tools that are available to most forensic analysts do
not have direct access to flash memory on Windows Mobile devices and are
limited to acquiring data through a hardware abstraction layer.
• Mobile devices contain non-volatile and volatile memory. Volatile memory
(i.e., RAM) is used for dynamic storage and its contents are lost when power is
drained from the mobile device. Non-volatile memory is persistent: its
contents are not affected by loss of power or by the overwriting of data upon
reboot. For example, Solid-State Drives (SSDs) store persistent data on
solid-state flash memory.
• Mobile devices typically contain one or two different types of non-volatile
flash memory: NAND and NOR. NOR flash has faster read times and slower write
times than NAND, and is nearly immune to corruption and bad blocks while
allowing random access to any memory location. NAND flash offers higher
storage capacities, is less stable and only allows sequential access.
• NAND flash memory contains PIM data, graphics, audio, video, and other
user files. This type of memory generally provides the examiner with the most
useful information. NAND flash memory may leave multiple copies of
transaction-based files (e.g., databases and logs) because of wear-leveling
algorithms and garbage-collection routines.
• Since NAND flash memory cells can be re-used only a limited number of
times before they become unreliable, wear-leveling algorithms are used to
increase the life span of flash memory storage by arranging data so that
erasures and re-writes are distributed evenly across the SSD.
SIM card
• Identity modules are synonymous with mobile devices that interoperate
with GSM cellular networks. Under the GSM framework, a mobile device
is referred to as a mobile station and is partitioned into two distinct
components: the Universal Integrated Circuit Card (UICC) and the Mobile
Equipment (ME).
• A UICC, commonly referred to as an identity module (e.g., Subscriber
Identity Module [SIM], Universal Subscriber Identity Module [USIM],
CDMA Subscriber Identity Module [CSIM]), is a removable component
that contains essential information about the subscriber.
• The ME, the radio handset portion, cannot fully function without a
UICC. The UICC's main purpose is authenticating the user of the
mobile device to the network, providing access to subscribed services. The
UICC also offers storage for personal information, such as phonebook
entries, text messages, Last Numbers Dialed (LND) and service-related
information.
Fig.: SIM card.
The SIM stores the following types of information:
1. The SIM stores the International Mobile Subscriber Identity (IMSI), which is
a unique identifier for each subscriber in the system.
2. Subscribers can maintain a list of the numbers they call, or are called
from, most frequently.
3. Information about SMS traffic.
4. Information about the subscriber's location: The SIM stores the last area
where the subscriber was registered by the system.
5. Information about calls: The last numbers dialed are stored in a file in
the SIM file system.
6. Information about the provider: It is possible to extract the provider's
name and the mobile network commonly used for communications, along
with mobile networks that are forbidden to the subscriber.
7. Information about the system: Every SIM card has a unique ID stored
in it.

Mobile Virtual Network Operator (MVNO)
• An MVNO does not own spectrum; it leases it from a network operator with
whom it has a relationship. An MVNO supplies the SIM card, has full
control over its subscribers and handles its own billing.
• An MVNO buys network capacity, usually as close to the base level as
possible, and invests in a service infrastructure of its own.
• The MVNO thereby establishes a more independent position and is able to
compete directly with other mobile network operators in the market by
offering advanced services.
• MVNOs typically offer prepaid wireless plans on a subscription basis. Sales
and customer service may be handled directly by the MVNO or by yet
another entity called a Mobile Virtual Network Enabler (MVNE). MVNEs
specialize in marketing and administering mobile services.
• An MVNO usually offers not only voice services but also value-added
services (sometimes referred to as mobile value-added services), which are a
combination of voice, data, graphics and video information. Examples
include mobile music, mobile TV, games, ring tones, multimedia
messaging, mobile commerce and location-based services.
There are different kinds of MVNOs:
1. Classic service provider: Resellers merely resell subscriptions to end users.
In most cases, resellers are completely dependent on MNOs for every
aspect of service provision, billing and customer care. MVNOs that operate
as resellers are likely to require an ASP license.
2. ESP (Enhanced Service Provider): Procures its own SIM cards and
controls a few network elements. Enhanced service providers are those
who do not own or provide network facilities but have the ability to secure
their own numbering range, operate their own HLR and offer their own SIM
cards with their own mobile network code. They are dependent on MNOs for
network facilities as well as for access to the radio network.
3. Full MVNO: Owns everything (including the HLR) except the radio network
equipment. A full MVNO is one that owns or provides network facilities
and network services such as towers, mobile switching centers, home
location registers (HLR) and cellular mobile services.
Types of evidence on mobile devices
Two types of evidence can be retrieved from mobile:
1. Electronic evidence
2. Retained data evidence.
• Electronic evidence includes the user's call history, contacts/phone book,
calendar information, and information stored on the SIM card.
• Retained data evidence is telecom records involving the detail of calls made
and received and the geographical location of the mobile phone when a call
took place.
The address book, call history and text messages are the three main
components of digital evidence.
1. Address book: It contains contact information. A digital investigator
can link a suspect to a victim using information from the address book.
It can provide a cross-reference between real names and nicknames.
2. Call history: It maintains the last calls sent and received, with time
and date. It also gives the time spent speaking with the other person.
3. Text messages: Texts are one of the most common forms of
electronic evidence. Texts offer concrete and direct information, in
contrast to the call history and address book, which only offer indirect
and inferential information. They contain the actual words written by
the owner or intended for the owner.
Evidence Extraction Process
Mobile phone evidence extraction process is as follows:
1. Intake: The evidence intake phase generally entails request forms
and intake paperwork to document chain of custody, ownership
information and the type of incident the phone was involved in.
2. Identification: For every examination, the examiner should identify
the legal authority to examine the phone, goals of the examination,
make, model and identifying information for the cellular phone.
3. Preparation: The preparation phase involves specific research
regarding the particular phone to be examined, the appropriate
tools to be used during the examination and preparation of the
examination machine to ensure that all of the necessary equipment,
cables, software and drivers are in place for the examination.
4. Isolation: Isolation of the phone prevents the addition of new data
to the phone through incoming calls and text messages as well as
the potential destruction of data through a kill signal or accidental
overwriting of existing data as new calls and text messages come
in.
5. Processing: SIM cards should be processed separately from the
cellular phone they are installed in to preserve the integrity of the
data contained on the SIM card.
6. Verification: The examiner could extract the file system of the cell
phone initially, perform the examination and then extract the file
system of the phone a second time.
7. Documentation/reporting: Documentation should include
information such as:
A. The date and time the examination was started.
B. The physical condition of the phone.
C. Pictures of the phone and individual components.
D. Status of the phone when received.
E. Make, model, and identifying information.
8. Presentation: The investigator may also want to provide reference
information regarding the source of date and time information,
EXIF data extracted from images or other data formats, in order
that recipients of the data are better able to understand the
information.
Challenges in Mobile Device Forensics
• Data volatility: It may be necessary to keep a seized device powered up
until the analysis is complete in order to prevent loss of important data that
may be changed or overwritten when the power shuts off or the device is
rebooted.
• Data Preservation: For a mobile phone investigation, it is important to
prevent the device from receiving any further data or voice communication.
As text messages are stored in a “First In, First Out” order, any new
incoming text messages could delete older stored text messages. Likewise,
incoming calls could erase call history logs, and some devices can be wiped
of all data remotely if not protected from incoming communications.
• Operating Systems and Communication Protocols: Another challenge
impeding the development of forensics tools is the various operating systems
used on mobile phones. Mobile phones have evolved into full-fledged
computing platforms requiring vendors to use sophisticated operating systems
so that various software applications can be run on them.
• Security Mechanisms: There are several security mechanisms used on mobile
phones to protect data. The handset lock is normally activated upon power-up,
which presents a problem for examiners who must attempt to investigate a
phone that was found or seized in a powered off state.
• Unique Data Formats: Textual information such as telephone numbers, address
books, email messages, and text messages are stored using proprietary file
formats. Makers of forensic software tools will need to be aware of these
formats so they can write software that will convert these files to information
easily understood by humans. An exception to these proprietary file formats is
for image and video files which are typically stored in common JPG and
MPEG formats.
Understanding Acquisition Procedures for Cell Phones and Mobile Devices
• Mobile device forensic acquisition can be performed using multiple methods.
The main concerns with mobile devices are loss of power and synchronization
with PCs.
• Acquisition should occur at a forensics laboratory once the seized equipment
has arrived and been checked in. The forensic examination begins with the
identification of the device.
• The type of device, its operating system, and other characteristics determine
the route to take in creating a forensic copy of the contents of the device
• All mobile devices have volatile memory. Making sure they don't lose power
before you can retrieve RAM data is critical.
• A mobile device attached to a PC via a cable or cradle/docking station should
be disconnected from the PC immediately.
• Depending on the warrant or subpoena, the time of seizure might be relevant.
Messages might be received on the mobile device after seizure. Isolate the
device from incoming signals with one of the following options:
1. Place the device in a paint can
2. Use the Paraben Wireless StrongHold Bag
3. Use eight layers of antistatic bags to block the signal
• The drawback to using these isolating options is that the mobile device is
put into roaming mode, which accelerates battery drainage.
• Check these areas in the forensics lab: internal memory, the SIM card,
removable or external memory cards and the system server.
• Checking system servers requires a search warrant or subpoena. The SIM
card file system is a hierarchical structure. Information that can be
retrieved from it includes:
1. Service-related data, such as identifiers for the SIM card and
the subscriber
2. Call data, such as numbers dialed
3. Message information
4. Location information
• If power has been lost, PINs or other access codes might be required to
view files.
• To acquire data from a phone, a connection must be established to the
device from the forensic workstation. Before performing an acquisition, the
version of the tool being used should be documented, along with any
applicable patches or errata from the manufacturer applied to the tool.
• Caution should be taken to avoid altering the state of a mobile phone when
handling it, for example, by pressing keys that could potentially corrupt or
erase evidence.
• Once the connection has been established, the forensic software suite can
proceed to acquire data from the device.
• Acquiring a device's contents logically, the prevailing technique used by
present day forensic tools, requires the device to be switched on.
• The goal during acquisition is to affect memory contents as little as possible
and then only with the knowledge of what is occurring internally, relying
more on adherence to the second and third evidentiary principles that
respectively emphasize high competence of the specialist and the capture of
a detailed audit trail of the actions taken.
• The date and time maintained on the mobile phone is an important piece of
information. The date and time may be obtained from the network or
manually set by the user.
• Suspects may manually set the day or time to a completely different value
from the actual one to leave misleading values in the call and message
records found on the phone.
• If the phone was on when seized, the date and time maintained and
differences from a reference clock should have already been recorded, as
mentioned earlier. Nevertheless, confirmation at acquisition may prove
useful.
• If the phone was off when seized, the date and time maintained and
differences from a reference clock should be recorded immediately when
first turned on in the laboratory.
• Note that actions taken during acquisition, such as removal of the battery to
view the device label, may affect the time value maintained.
• Unlike desktop machines or network servers, only a few phones have a hard
disk; most rely instead completely on semiconductor memory.
• Specialized software exists for performing a logical acquisition of PIM data
and, for certain phones, producing a physical image. However, the contents
of a phone are typically dynamic and continually changing.
• Two back-to-back acquisitions of a device using the same tool may produce
different results overall, though the majority of information, such as PIM
data, remains unchanged.
• Increasingly, mobile phones come with a built-in slot for some family of
memory cards.
• Forensic tools that acquire the contents of a resident memory card normally
perform a logical acquisition.
• To recover deleted data that might reside on the memory card, a direct
acquisition can be performed on it after the contents of the mobile phone
have been successfully acquired.
• With either type of acquisition, the forensic tool may or may not have the
capability to decode recovered phone data stored on the card, requiring
additional manual steps to be taken.
• After an acquisition is finished, the forensic specialist should always
confirm that the contents of a device were captured correctly.
• On occasion, a tool may fail its task without any error notification and
require the specialist to reattempt acquisition with the same tool or another
tool.
• Similarly, some tools do not work as well with certain devices as others do,
and may fail with an error notification. Thus, where possible, it is advisable
to have multiple tools available and be prepared to switch to another if
difficulties occur with the initial tool.
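The verification step of the extraction process (extract the file system, examine, extract again) and the post-acquisition check that a device's contents were captured correctly both come down to hashing two acquisitions, comparing them file by file, and recording the hashes so the evidence state is fixed for the chain of custody. The Python below is an added example, not code from these notes or from any forensic tool. It builds two constructed extraction folders in a temporary directory (a SIM file and an image that are stable between runs, beside a call log that differs, as the text says dynamic phone content does), compares them by SHA-256, writes a chain-of-custody entry, and re-verifies a folder against the recorded hashes. The examiner name and tool name in the record are placeholders.

```python
"""Compare two back-to-back acquisitions by hash and record the result.

Added example; the two extraction folders are constructed by build_demo()
and the examiner/tool identifiers are placeholders.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large images do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map every file under root (as a forward-slash relative path) to its SHA-256."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result


def compare_acquisitions(first, second):
    """Classify the files of two extractions by whether their hashes agree."""
    a, b = hash_tree(first), hash_tree(second)
    return {
        "unchanged": sorted(p for p in a if p in b and a[p] == b[p]),
        "changed": sorted(p for p in a if p in b and a[p] != b[p]),
        "only_in_first": sorted(set(a) - set(b)),
        "only_in_second": sorted(set(b) - set(a)),
    }


def custody_record(examiner, action, image_root, tool="ACQ-TOOL vX.Y (placeholder)"):
    """One chain-of-custody entry: who, what, when, which tool, and the hashes."""
    return {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        "tool": tool,
        "hashes": hash_tree(image_root),
    }


def verify_against_manifest(image_root, recorded_hashes):
    """True only if the folder still matches the hashes recorded earlier."""
    return hash_tree(image_root) == recorded_hashes


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def build_demo():
    """Construct two extraction folders: SIM data and a photo are stable, the call log differs."""
    first, second = tempfile.mkdtemp(), tempfile.mkdtemp()
    stable = {
        "sim/imsi.txt": b"constructed-imsi-placeholder\n",
        "media/img_0001.jpg": b"\xff\xd8\xff\xe0 not a real jpeg, constructed",
    }
    for root in (first, second):
        for rel, data in stable.items():
            _write(root, rel, data)
    _write(first, "calllog.db", b"call,1\n")           # first extraction
    _write(second, "calllog.db", b"call,1\ncall,2\n")  # a call arrived in between
    return first, second


if __name__ == "__main__":
    first, second = build_demo()
    print(compare_acquisitions(first, second))
    record = custody_record("EXAMINER-PLACEHOLDER", "second logical acquisition", second)
    print("verified:", verify_against_manifest(second, record["hashes"]))
```

Files reported as "changed" are the ones the examiner must explain in the report (here the call log, which the text warns is dynamic); "unchanged" files with matching hashes are the portion that can be presented as stably captured.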
Admissibility of Evidence
• In cyber forensics, the admissibility of digital evidence hinges on its
authenticity, relevance, and compliance with legal procedures, including
maintaining a proper chain of custody and ensuring the integrity of the data. In
India, Section 65B of the Indian Evidence Act, introduced through the
Information Technology Act of 2000, provides the statutory basis for the
admissibility of electronic records.
Key Factors for Admissibility:
• Authenticity: Digital evidence must be verifiable as originating from the
source it claims to be from.
• Relevance: The evidence must be directly related to the issues in the case.
• Integrity: The evidence must be shown to be unaltered and free from
tampering during collection, preservation, and presentation.
• Chain of Custody: A clear and unbroken record of who had possession of the
evidence from its collection to its presentation in court is crucial.
• Reliability: The methods used to collect and analyse the evidence must be
reliable and accepted by the court.
• Completeness: The evidence should encompass all aspects of the alleged
incident, ensuring it's sufficient to prove or disprove a particular activity.
• Probative Value vs. Prejudicial Effect: The evidence’s probative value (its
ability to prove something important) must outweigh any potential for unfair
prejudice, confusion, or misleading the jury.
Cyber Laws in India
• Put simply, cyber-crime consists of unlawful acts wherein the
computer is either a tool or a target or both. Cyber-crimes can involve
criminal activities that are traditional in nature, such as theft, fraud, forgery,
defamation and mischief, all of which are subject to the Indian Penal Code.
The abuse of computers has also given birth to a gamut of new-age crimes
that are addressed by the Information Technology Act, 2000.
• Cyber-crimes can be categorized in two ways:
1. The computer as a target: using a computer to attack other
computers, e.g. hacking, virus/worm attacks, DoS attacks, etc.
2. The computer as a weapon: using a computer to commit real-world
crimes, e.g. cyber terrorism, IPR violations, credit card frauds, FT
frauds, pornography, etc.
• Cyber law (also written cyberlaw) is a term used to describe the legal
issues related to the use of communications technology, particularly
"cyberspace", i.e. the Internet. It is less a distinct field of law, in the way
that property or contract law are, than an intersection of many legal fields,
including intellectual property, privacy, freedom of expression, and
jurisdiction. In essence, cyber law is an attempt to integrate the challenges
presented by human activity on the Internet with the legacy system of laws
applicable to the physical world.
Why Cyber Laws in India?
• When the Internet was developed, its founding fathers hardly had any
inkling that the Internet could transform itself into an all-pervading
revolution which could be misused for criminal activities and which
required regulation. Today, there are many disturbing things happening in
cyberspace. Due to the anonymous nature of the Internet, it is possible to
engage in a variety of criminal activities with impunity, and intelligent people
have been grossly misusing this aspect of the Internet to perpetrate criminal
activities in cyberspace. Hence the need for cyber laws in India.
Importance of Cyber Law
• The field of cyber law plays a very crucial role, in today’s digital era. Its
significance arises from the increasing reliance on internet and computer
networks across various aspects of our everyday lives ranging from
personal interactions to businesses.
• Its importance is highlighted below:
• Preserving Individual Rights: Cyber law serves to safeguard rights such
as privacy, identity and property in the digital world. It helps to
block unauthorized entry to data, safeguards against cyberbullying and
online dangers, and secures intellectual assets from being violated.
• Fighting Cybercrime: Cyber laws are preventive and protective
regulations pertaining to cyberspace crimes. They set out punishments for
crimes such as hacking, phishing, data and identity theft, cyberbullying and
online fraud. These laws also outline procedures for catching and punishing
criminals and hence aim to prevent unlawful activities and hold
individuals accountable for their wrongful actions.
• Strengthening Cybersecurity: Within the domain of cyber law lie
frameworks that aim to protect infrastructure encompassing computer
networks, data storage systems and online services. It mandates
cybersecurity measures, promotes secure practices and facilitates
cooperation in combating cyber threats. An example is the Indian Computer
Emergency Response Team (CERT-In) Directions, which aim to protect
against data theft.
Types of Cyber Laws
1. Cybercrime laws: The Information Technology Act addresses types of crimes
such as hacking into computer systems, spoofing, altering source documents,
sharing content, cyber stalking and more. These offenses are categorized as
cybercrimes against individuals and cybercrimes against property.
2. Cybersecurity laws: Cybersecurity primarily aims to safeguard systems such
as computer networks, data storage platforms and internet services against
cyber threats. Legal guidelines and regulations in cyber law provide the
foundation for enforcing strategies like incident response plans, such as those
outlined in the IT (The Indian Computer Emergency Response Team) Rules of
2013.
3. Data privacy and protection: Data protection involves the management of
data: how it is gathered, stored, utilized and transferred globally. Cyber law
oversees these operations by setting out rules to safeguard the confidentiality
and integrity of personal details. The Digital Personal Data Protection Act of
2023 (DPDPA), along with the IT (Reasonable Security Practices and
Procedures and Sensitive Personal Data or Information) Rules of 2011 (SPDI
Rules), are aimed at safeguarding individuals' privacy and preventing
unauthorized access to or misuse of their information. The notion of
“Consent” holds central importance in this context.
Objectives of Cyber Law
• Cyber law has numerous objectives, all with the purpose of establishing an
environment that is safe, secure and reliable for individuals, organizations
and nations. A few advantages of cyber law and its objectives are
enumerated below:
• Preserving Privacy: Cyber law ensures that individuals' privacy rights are
protected in the digital world by ensuring proper collection, storage and
processing of personal data.
• Shielding Identity: Cyber law acts as a safeguard for individuals' identities
by preventing unlawful access, theft or misuse of identity. This protection
helps prevent impersonation and identity fraud.
• Preventing Cybercrime: Cyber law defines boundaries and penalties for
cybercrimes. By doing so, it discourages individuals from participating in
malicious and unlawful activities online.
Difference between Cybercrime and Cybersecurity

Definition
• Cybercrime: Commission of illegal activities through the use of computer
networks and programs.
• Cybersecurity: Protection of computer systems and networks from malicious
digital activities.
Focus on
• Cybercrime: Exploitation of, and harm towards, individuals, property and
government.
• Cybersecurity: Security, prevention of and protection against harmful
activities.
Legal framework
• Cybercrime: IT Act, criminal laws, contracts.
• Cybersecurity: IT Act, data protection laws.
Objectives
• Cybercrime: Deterring crimes, protecting individuals, and imposing
punishments on offenders.
• Cybersecurity: Protecting assets and information, incident response plans,
and minimising data attacks.
Examples
• Cybercrime: IT Act; IPC (replaced by the Bharatiya Nyaya Sanhita from
1 July 2024).
• Cybersecurity: IPC (replaced by the Bharatiya Nyaya Sanhita from
1 July 2024), CERT-In Rules, the Digital Personal Data Protection Act.
How to protect yourself on the Internet?
1. Use anti-virus software: Anti-virus programs are designed to identify and
remove malicious software that can pose a threat to your device and
compromise its security. Scan your devices regularly for viruses and
malware to ensure that they remain protected.
2. Use strong passwords and two-factor authentication: Strong passwords and
multi-factor authentication are essential to protect your accounts from
unauthorised access. Avoid using information such as birthdays, names or
common words in your passwords. Instead, opt for a long combination of
upper- and lower-case letters, numbers and symbols, and never reuse a
password across accounts.
3. Be cautious about the information you share and the content you post:
Phishing scams are frequently used by cybercriminals to deceive people into
exposing sensitive information or clicking on malicious links. Be cautious
of unexpected emails containing attachments or links. Limit the amount of
information you share on social media platforms, and refrain from disclosing
details such as your home address or phone number.
An overview of India's cyber laws is given below:
1. Information Technology Act, 2000:
• The primary legislation governing cyber activities in India.
• Defines cyber-crimes and provides a legal framework for e-commerce,
digital signatures and cyber offences.
• Establishes various cyber offences such as hacking, data theft and
spreading of viruses.
2. Indian Penal Code (IPC), 1860:
• Many cyber-crimes are also charged under the IPC alongside the IT Act,
for example cheating (Section 420), forgery (Sections 463 to 469) and
criminal intimidation (Section 506). (Hacking and identity theft, Sections
66 and 66C, are IT Act offences, not IPC offences.)
• The IPC has been replaced by the Bharatiya Nyaya Sanhita with effect
from 1 July 2024.
3. The Indian Evidence Act, 1872:
• Provides guidelines for collecting and presenting electronic evidence in
court.
• Recognizes electronic records as evidence in legal proceedings.
4. The Copyright Act, 1957:
• Protects digital content from unauthorized reproduction, distribution, and
use.
5. The Right to Privacy:
• While not a standalone law, the right to privacy is protected under Article
21 of the Indian Constitution.
• The Supreme Court has also recognized privacy as a fundamental right in
landmark judgments.
6. The National Cyber Security Policy, 2013:
• Aims to protect information infrastructure in India and strengthen cyber
security measures.
7. The Personal Data Protection Bill, 2019:
• Addressed issues related to the collection, storage and processing of
personal data.
• Introduced principles for handling personal data and proposed a Data
Protection Authority.
• The Bill was withdrawn in 2022 and superseded by the Digital Personal
Data Protection Act, 2023.
8. The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and
Services) Act, 2016:
• Governs the use and protection of Aadhaar data, India's biometric
identity system.
9. Cyber Appellate Tribunal (CAT):
• Established under the Information Technology Act to hear appeals
against decisions made by Adjudicating Officers.
• Since 2017 its functions have been merged into the Telecom Disputes
Settlement and Appellate Tribunal (TDSAT).
10. Cyber Cells and Cyber Crime Investigation Units:
• Various state police departments have dedicated units to investigate
cyber-crimes.
11. International Cooperation:
• India cooperates with international organizations and other countries to
combat cyber-crimes that transcend national borders.
Cyber Crimes and Offences & Sections under the IT Act and other statutes:
1. Tampering with computer source documents – Sec. 65 IT Act
2. Hacking with computer systems, data alteration – Sec. 66 IT Act
3. Sending offensive messages through a communication service, etc. –
Sec. 66A IT Act (struck down as unconstitutional by the Supreme Court in
Shreya Singhal v. Union of India, 2015, and no longer enforceable)
4. Dishonestly receiving a stolen computer resource or communication device –
Sec. 66B IT Act
5. Identity theft – Sec. 66C IT Act
6. Cheating by personation by using a computer resource – Sec. 66D IT Act
7. Violation of privacy – Sec. 66E IT Act
8. Cyber terrorism – Sec. 66F IT Act
9. Publishing or transmitting obscene material in electronic form – Sec. 67 IT Act
10. Publishing or transmitting material containing a sexually explicit act, etc.
in electronic form – Sec. 67A IT Act
11. Punishment for publishing or transmitting material depicting children in a
sexually explicit act, etc. in electronic form – Sec. 67B IT Act
12. Preservation and retention of information by intermediaries – Sec. 67C IT Act
13. Power to issue directions for interception, monitoring or decryption of
any information through any computer resource – Sec. 69 IT Act
14. Power to issue directions for blocking public access to any information
through any computer resource – Sec. 69A IT Act
15. Power to authorise monitoring and collection of traffic data or information
through any computer resource for cyber security – Sec. 69B IT Act
16. Unauthorised access to a protected system – Sec. 70 IT Act
17. Penalty for misrepresentation – Sec. 71 IT Act
18. Breach of confidentiality and privacy – Sec. 72 IT Act
19. Publishing false digital signature certificates – Sec. 73 IT Act
20. Publication for fraudulent purpose – Sec. 74 IT Act
21. Act to apply to offences or contraventions committed outside India –
Sec. 75 IT Act
22. Compensation, penalties or confiscation not to interfere with other
punishment – Sec. 77 IT Act
23. Compounding of offences – Sec. 77A IT Act
24. Offences with three years’ imprisonment to be cognizable – Sec. 77B IT Act
25. Exemption from liability of intermediary in certain cases – Sec. 79 IT Act
26. Punishment for abetment of offences – Sec. 84B IT Act
27. Punishment for attempt to commit offences – Sec. 84C IT Act
28. Offences by companies – Sec. 85 IT Act
Note: Sec. 78 of the IT Act empowers a police officer not below the rank of
Inspector to investigate offences under this Act.
29. Sending threatening messages by e-mail – Sec. 503 IPC
30. Word, gesture or act intended to insult the modesty of a woman – Sec. 509 IPC
31. Sending defamatory messages by e-mail – Sec. 499 IPC
32. Bogus websites, cyber frauds – Sec. 420 IPC
33. E-mail spoofing – Sec. 463 IPC
34. Making a false document – Sec. 464 IPC
35. Forgery for purpose of cheating – Sec. 468 IPC
36. Forgery for purpose of harming reputation – Sec. 469 IPC
37. Web-jacking – Sec. 383 IPC
38. E-mail abuse – Sec. 500 IPC
39. Punishment for criminal intimidation – Sec. 506 IPC
40. Criminal intimidation by an anonymous communication – Sec. 507 IPC
41. When copyright is infringed: copyright in a work shall be deemed to be
infringed – Sec. 51 Copyright Act
42. Offence of infringement of copyright or other rights conferred by the Act:
any person who knowingly infringes or abets the infringement – Sec. 63
Copyright Act
43. Enhanced penalty on second and subsequent convictions – Sec. 63A
Copyright Act
44. Knowing use of an infringing copy of a computer programme to be an
offence – Sec. 63B Copyright Act
45. Obscenity – Sec. 292 IPC
46. Printing etc. of grossly indecent or scurrilous matter or matter intended
for blackmail – Sec. 292A IPC
47. Sale, etc., of obscene objects to a young person – Sec. 293 IPC
48. Obscene acts and songs – Sec. 294 IPC
49. Theft of computer hardware – Sec. 378 IPC
50. Punishment for theft – Sec. 379 IPC
51. Online sale of drugs – NDPS Act
52. Online sale of arms – Arms Act
Note: The IPC sections above correspond to the Bharatiya Nyaya Sanhita from
1 July 2024.