Unit 3

Ms. Vandita Srivastava
Ph.D. Scholar
School of Information Technology, Artificial Intelligence and Cyber Security
Rashtriya Raksha University
Cryptography
• As technology evolves, so do the opportunities for new and innovative ways and methods of concealing potential evidence.
• Cryptography is a technique of securing communication by converting plaintext into ciphertext. The prefix “crypt” means “hidden” and the suffix “graphy” means “writing”.
• Encryption is the transformation of data into a form that is as close to impossible to read as possible without the appropriate knowledge.
• Decryption is the reverse of encryption; it is the transformation of encrypted data back into an intelligible form.
• Encryption and decryption generally require the use of some secret information, referred to as a key.
Cryptography
• Four main principles:
• Confidentiality: Encrypted information can only be accessed by the person for whom it is intended and no one else.
• Integrity: Encrypted information cannot be modified in storage or in transit between the sender and the intended receiver without the alteration being detected.
• Non-repudiation: The creator or sender of encrypted information cannot deny their intention to send the information.
• Authentication: The identities of the sender and receiver, as well as the origin and destination of the information, are confirmed.
• Applications are secure communication, identification, authentication, secret sharing, systems for electronic commerce, certification, secure electronic mail, key recovery, and secure computer access.
Cryptography cipher example
• Caesar Cipher
• It works by shifting the letters in the plaintext message by a certain number of positions, known as the “shift” or “key”. The Caesar Cipher is one of the earliest and simplest encryption techniques.
• For example, with a shift of 1, A would be replaced by B, B would become C, and so on.
• Text: ATTACKATONCE
• Shift: 4
• Cipher: EXXEGOEXSRGI
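The slide's ATTACKATONCE example implemented as an added Python example (not code from the original slides): each letter is shifted modulo 26 so the alphabet wraps around from Z back to A, and decryption is simply the negated shift.

```python
# Caesar cipher: shift each letter by a fixed key, wrapping around the alphabet.
import string

ALPHABET = string.ascii_uppercase  # 26 letters, so only 26 distinct keys exist


def caesar_encrypt(plaintext: str, shift: int) -> str:
    """Shift every letter forward by `shift` positions (mod 26).
    Non-letters (spaces, digits, punctuation) are passed through unchanged."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            idx = (ALPHABET.index(ch) + shift) % len(ALPHABET)
            out.append(ALPHABET[idx])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, shift: int) -> str:
    """Decryption is encryption with the shift applied in reverse."""
    return caesar_encrypt(ciphertext, -shift)


if __name__ == "__main__":
    ct = caesar_encrypt("ATTACKATONCE", 4)
    print(ct)                      # EXXEGOEXSRGI (the slide's example)
    print(caesar_decrypt(ct, 4))   # ATTACKATONCE
```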
Cryptographic Algorithms
• Secret Key Cryptography (SKC): Uses a single key for both encryption
and decryption.
• Public Key Cryptography (PKC): Uses one key for encryption and
another for decryption.
• Hash Functions: Uses a mathematical transformation to irreversibly
“encrypt” information.
Secret Key (Symmetric Key) Encryption
• A single key is used for both encryption and decryption.
• Secret key cryptography schemes are generally categorized as being either stream ciphers or
block ciphers.
• Stream ciphers operate on a single bit at a time and implement some form of feedback
mechanism so that the key is constantly changing.
• A block cipher is so called because the scheme encrypts one block of data at a time using the
same key on each block.
• In general, the same plaintext block will always encrypt to the same ciphertext when using the
same key in a block cipher whereas the same plaintext will encrypt to different ciphertext in a
stream cipher.
• Secret key cryptography algorithms that are in use today include:
• Data Encryption Standard (DES): The most common SKC scheme used today, DES, was designed by IBM in the 1970s. DES is a block cipher employing a 56-bit key that operates on 64-bit blocks.
• Advanced Encryption Standard (AES): In 1997, NIST initiated a very public, 4-1/2 year process to develop a new secure cryptosystem for U.S. government applications. The algorithm can use a variable block length and key length; the latest specification allowed any combination of key lengths of 128, 192, or 256 bits and blocks of length 128, 192, or 256 bits.
• Brute-forcing a 128-bit key would require 1.872 x 10^37 years; a 256-bit key would take 3.31 x 10^56 years. The entire universe is believed to have existed for only 13.7 billion years.
Public Key (Asymmetric) Encryption
• One key for encryption (public key) and another for decryption
(private key)
• In PKC, one of the keys is designated the public key and may be
advertised as widely as the owner wants. The other key is designated
the private key and is never revealed to another party.
• Suppose Alice wants to send Bob a message, then Alice encrypts
some information using Bob’s public key; Bob decrypts the ciphertext
using his private key. This method could be also used to prove who
sent a message; Alice, for example, could encrypt some plaintext with
her private key; when Bob decrypts using Alice’s public key, he knows
that Alice sent the message and Alice cannot deny having sent the
message (non-repudiation).
• Public-key cryptography algorithms that are in use today for key
exchange or digital signatures include:
• RSA: can be used for key exchange, digital signatures, or encryption of small blocks of data. RSA uses a variable size encryption block and a variable size key. The keypair is derived from a very large number, “n,” that is the product of two prime numbers chosen according to special rules; these primes may be 100 or more digits in length each, yielding an n with roughly twice as many digits as the prime factors. The public key information includes n and a derivative of one of the factors of n; an attacker cannot determine the prime factors of n (and, therefore, the private key) from this information alone, and that is what makes the RSA algorithm so secure.
• Diffie-Hellman: used for secret-key key exchange only, and not for authentication or digital signatures.
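The Alice/Bob exchange and the n = p·q key construction described above, as an added Python example that is not part of the original slides. It is textbook RSA with deliberately tiny primes (61, 53 and 89, 97, chosen here for illustration) and no padding, so it shows the mathematics only; real keys are thousands of bits long and use padding such as OAEP or PSS.

```python
# Textbook RSA on tiny primes (illustration only; not secure at this size).
from math import gcd


def generate_keypair(p: int, q: int, e: int = 17):
    """Derive (public, private) keys from two primes p and q.
    public = (n, e); private = (n, d) with e*d == 1 (mod phi(n)).
    Computing d needs phi(n), i.e. the factors of n, which is why
    publishing n and e does not reveal the private key."""
    n = p * q                    # the modulus published in the public key
    phi = (p - 1) * (q - 1)      # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(message: int, public_key) -> int:
    """Anyone can encrypt to the owner of the public key."""
    n, e = public_key
    if not 0 <= message < n:
        raise ValueError("message must be an integer smaller than n")
    return pow(message, e, n)


def decrypt(ciphertext: int, private_key) -> int:
    """Only the holder of the private key can recover the message."""
    n, d = private_key
    return pow(ciphertext, d, n)


def sign(message: int, private_key) -> int:
    """Signing is the private-key operation; proves who sent the message."""
    n, d = private_key
    return pow(message, d, n)


def verify(message: int, signature: int, public_key) -> bool:
    """Anyone with the signer's public key can check the signature."""
    n, e = public_key
    return pow(signature, e, n) == message


if __name__ == "__main__":
    # Alice encrypts to Bob's public key; only Bob's private key decrypts it.
    bob_pub, bob_priv = generate_keypair(61, 53)      # n = 3233
    c = encrypt(65, bob_pub)
    print(c, decrypt(c, bob_priv))                     # 2790 65
    # Alice signs with her private key; Bob verifies with her public key.
    alice_pub, alice_priv = generate_keypair(89, 97)  # n = 8633
    s = sign(1234, alice_priv)
    print(verify(1234, s, alice_pub))   # True
    print(verify(1235, s, alice_pub))   # False: altering the message breaks it
```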
Hash Functions
• One-way encryption; hash functions use no key.
• A fixed-length hash value is computed from the plaintext in such a way that neither the contents nor the length of the plaintext can be recovered from it.
• Hash algorithms are typically used to provide a digital fingerprint of a
file’s contents, often used to ensure that the file has not been altered
by an intruder or virus. Hash functions, then, provide a measure of
the integrity of a file.
• Hash algorithms that are in common use today include:
• Message Digest (MD) algorithms: A series of byte-oriented algorithms
that produce a 128-bit hash value from an arbitrary-length message.
• Secure Hash Algorithm (SHA): Algorithm for NIST’s Secure Hash
Standard (SHS). SHA-1 produces a 160-bit hash value.
• HAVAL (HAsh of VAriable Length): can create hash values that are 128,
160, 192, 224, or 256 bits in length.
• Whirlpool: A relatively new hash function, operates on messages less than 2^256 bits in length, and produces a message digest of 512 bits.
CASE STUDY: Kudankulam Nuclear Power Plant (KKNPP) Cyber Attack (2019)
• In October 2019, India faced a significant cyber threat when a targeted cyber-attack was reported at the Kudankulam Nuclear Power Plant (KKNPP), one of the largest nuclear facilities in India. The attack was linked to a North Korean hacker group, Lazarus, known for sophisticated cyber-espionage campaigns.
• The attack involved malware known as DTrack, which was used to infiltrate the plant’s administrative networks. It successfully breached the administrative system responsible for maintaining records, staff information, and other operational details.
• If robust data encryption had been used on the sensitive information, the attackers
would have been unable to read or misuse the data even if they managed to breach
the system. Both Secret Key Cryptography (SKC) and Public Key Cryptography (PKC)
could have been employed for secure communication and data storage.
• Hash functions like SHA-256 could have been employed to ensure the integrity of
files and system configurations. Using hash functions, administrators could easily
verify that files hadn’t been altered or corrupted by malware.
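The file-integrity use of hash functions described in the Hash Functions section and in the case study above, as an added Python example that is not part of the original slides: a SHA-256 digest is recorded for every file while the system is known-good, and a later run recomputes the digests and reports anything that changed. The file names and contents in `demo()` are constructed sample data.

```python
# SHA-256 file-integrity baseline and verification (standard library only).
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read in 64 KiB pieces so large files need not fit in memory


def digest_bits(algorithm: str) -> int:
    """Output size in bits of a hashlib algorithm, e.g. sha256 -> 256."""
    return hashlib.new(algorithm).digest_size * 8


def sha256_file(path: Path) -> str:
    """Hex SHA-256 digest of a file's contents (its 'digital fingerprint')."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root: Path, baseline: dict) -> dict:
    """Recompute digests and report modified, missing and added files.
    All three lists empty means the tree still matches the baseline."""
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in baseline
                           if f in current and current[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }


def demo() -> dict:
    """Constructed sample: baseline two config files, change one setting
    (as tampering malware might), then re-verify against the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_manifest(root)
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        return verify_manifest(root, baseline)


if __name__ == "__main__":
    print(digest_bits("sha1"), digest_bits("sha256"))   # 160 256
    print(demo())   # {'modified': ['etc/sshd_config'], 'missing': [], 'added': []}
```

Any single-byte change to a file produces a completely different digest, so the report identifies exactly which files need closer examination without revealing anything about the change itself.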
Evidence management - location of electronic data relating to crime - electronically stored information (ESI)
• Electronically stored information (ESI) refers to “any type of
information that is created, used, and stored in digital form and
accessible by digital means.”
• ESI can exist in any media format, be that a flash drive, physical hard
drive, on-premises server, or cloud storage.
• There are three distinct phases in a record’s life cycle:
• The time at which a record is created or received and is of immediate
administrative, fiscal or legal value and use to the office of origin.
• The second phase is the point at which records have ongoing value and use
but are no longer referred to on a regular basis.
• The last phase in the life cycle is the point in time at which records have no further operational value to the office of record and are disposed of, either by destroying them or transferring them [to the Archives] where they are preserved for their archival value.
• Categories of ESI:
• Communication data
• Transaction data
• Metadata
• Common sources that ESI comes from:
• Emails
• Team collaboration tools like Slack and Microsoft Teams
• Text messages
• Voice and meeting recordings (Zoom, Google Meet, etc.)
• Social media accounts
• Documents (Word documents, Excel spreadsheets, etc.)
• Computer hard drives
• Server networks
• Cloud-based storage
• The discovery of ESI differs markedly from that in paper form:
• Exponentially greater volumes exist than with hardcopy documents.
• Unlike paper, the information is dynamic, being affected by the turning on and off of the computer itself, or by the computer deleting or overwriting information without the operator’s intervention or direct knowledge.
• ESI, unlike words on paper, might be incomprehensible when separated from the system that created it (loss of context, structure, and other problems). The discovery of electronic information is also becoming more costly, time-consuming and burdensome than for hardcopy information.
• Unlike other evidence, digital evidence cannot simply be boxed or bagged up.
A microSD card, for example, is smaller than an adult fingernail and can be
easily missed.
• Hypothetically, a suspect could set up a dead man’s switch with an Ethernet
connection so that a system becomes inoperable when that cable is
unplugged, or the suspect could launch a remote attack on the computer and
wipe the drive or encrypt the drive.
• Preserving the original content and metadata for electronically stored information is
required in order to eliminate claims of spoliation (Destruction) or tampering with evidence
later in the litigation.

• After data is identified by the parties on both sides of a matter, potentially relevant
documents (including both electronic and hard-copy materials) are placed under a legal hold
– meaning they cannot be modified, deleted, erased or otherwise destroyed.
• Potentially relevant data is collected and then extracted, indexed and placed into a
database.
• At this point, data is analyzed to cull or segregate the clearly non-relevant documents and
emails.
• The data is then hosted in a secure environment and made accessible to reviewers who code the documents for their relevance to the legal matter.
• A computer forensics examiner should always photograph and document
everything found at the crime scene. Particularly important at this point is the
need to photograph the connections between devices. These can be quite
complex, and photographs help the examiner, back at the lab, to see how
devices were configured and connected.
• A home network can contain so many connected devices, cables, and
adapters that creating an evidence list from a crime scene is critical.
• Investigators who seize a computer should also seize other digital devices,
cables, adapters, and boxes from these articles, along with manuals. Post-it
Notes, lying around, might have important passwords written on them. It
should also be noted that some people wear USB drives like jewelry or can
mask them as a toy.
• Crime scene investigators must carry a notebook and take copious notes about any equipment they find.
• If the monitor shows activity, such as instant messaging, it should be photographed.
• Computers, hard drives, and other digital devices should be tagged with identifying information, including make, model, serial number, and assigned investigator.
• Antistatic bags should be used to contain computing devices and prevent any type of evidence contamination.
• If a computer is still turned on, it is advisable for an investigator to perform triage and image both RAM and potentially the hard drive.
• Tag evidence files and add them to a report so that the defense and jury do not need to wade through thousands of files.
• Each item should be photographed, and then the serial number should be photographed up close. These images can be added to the investigator’s report.
• Evidence should be legally obtained through a court order, subpoena,
or search warrant or with consent of the owner.
• A subpoena is a type of court order, whereby a person is ordered to come to
court to testify. A court order is an order generally issued by a judge.
• After the evidence has been seized, the investigator needs to possess and maintain a chain of custody form.
• More mistakes can occur with digital evidence than with other types
of evidence, like a gun or a dress. For example, when making two
copies of a suspect’s hard drive, there are now multiple hard drives
that must be accounted for on the chain of custody form.
Completing worksheets for each type of device: Computer worksheet
• An investigator should complete a separate computer worksheet for each computer that is analyzed. The
following details should be noted on this worksheet:
• Suspect and/or custodian
• Case number
• Date
• Location
• Investigator
• Make
• Model
• Serial number
• CPU
• RAM
• BIOS version
• BIOS boot sequence
• Operating system
• Drives (CD/CD-RW, etc.)
• BIOS system time and date
• Actual time and date
• Ports (USB, USB-C, IEEE 1394 FireWire, etc.)
Hard Disk Drive Worksheet
• Suspect and/or custodian
• Case number
• Date
• Location
• Investigator
• Make
• Model
• Serial number
• Drive type (SATA, PATA, SCSI, etc.)
• Capacity
• This form should also have notes detailing the forensic acquisition (imaging or cloning) process:
• Software used
• Acquisition start and end times
• Acquisition verified (yes/no)
• Sanitized (yes/no)
• Make
• Model
• Serial number
Server worksheet
• Suspect and/or custodian
• Case number
• Date
• Location
• Investigator
• Make
• Model
• Serial number
• CPU
• RAM
• Cables
• Backups
• Drive mapping
• BIOS
• BIOS boot sequence
• System time and date
• Actual time and date
• System state (on/off)
• Shutdown method (hard/soft/left running)
• Logging: enabled (yes/no), types of logs
• Operating system
• Drives: number, type, size
• Domain
• Domain IP address(es)
• DNS
• Gateway IP address
• Image verified (yes/no)
• Server type (file/email/web/DNS/backup/virtualized/other)
• Protocol (TCP/IP or VPN, etc.)
• IT staff consulted: name, position, email address, passwords, telephone
Challenges in Managing ESI: Large datasets
• Investigators often deal with terabytes of data, requiring efficient and
scalable methods for sorting, storing, and analyzing it.
• Storage Limitations: Handling such vast amounts of data requires significant
storage resources. Investigators may need to maintain and back up multiple
copies of evidence, adding to the complexity of managing data
infrastructure.
• Processing Power: Sorting through large datasets takes time and
computational power, particularly when dealing with video footage, large-
scale financial transactions, or communication logs. This increases the need
for high-performance forensic tools that can automate certain tasks (e.g.,
filtering relevant keywords or metadata analysis).
• Time-Consuming Analysis: Manually reviewing data is labor-intensive and
time-consuming, especially when it comes to identifying relevant files or
tracking communications across platforms.
Challenges in Managing ESI: Data format compatibility
• Digital evidence exists in a wide variety of file formats. Investigators may
encounter standard formats (like .doc, .pdf, .jpg) alongside less common,
proprietary, or encrypted file formats, especially when dealing with specialized
software or applications.
• Conversion Issues: Converting proprietary formats to readable formats without
data loss can be difficult and may risk altering the original file’s metadata, which
could impact its admissibility as evidence.
• Encryption and Compression: Files might be compressed or encrypted using
custom algorithms, requiring specialized tools or decryption keys to unlock the
data for analysis.
• Cross-Platform Challenges: Investigators must sometimes analyze data that spans
across different platforms, operating systems (e.g., Windows, Linux, macOS), and
devices (e.g., mobile phones, tablets, IoT devices). Ensuring compatibility
between systems is a technical challenge.
Challenges in Managing ESI: Data Integrity
• Maintaining the integrity of ESI is crucial to ensure that the data presented in court is a true and accurate reflection of the original; maintaining a proper chain of custody is essential to this.
• Handling Multiple Copies: Investigators often create multiple copies of ESI to ensure
redundancy, but each copy must be carefully tracked and protected. Failing to maintain
accurate records of each copy can raise questions about whether the evidence has
been altered.
• Access Control: Ensuring that only authorized personnel handle the evidence is
essential. Any unauthorized access, intentional or accidental, can compromise the
integrity of the data.
• Metadata Alteration: Even opening a file can potentially alter its metadata, such as last
accessed time, which can undermine its credibility as evidence. Specialized forensic
tools must be used to handle data without altering metadata.
Encryption and data hiding
• Breaking Encryption: Accessing encrypted data without the key
requires significant time and computing resources. Some forms of
encryption, especially modern ones, are extremely difficult to crack
without specialized tools or cooperation from the encryption’s owner.
• Legal Barriers: Investigators often need a court order or cooperation
from the suspect to compel decryption.
• Data Hiding Techniques:
• Steganography: The practice of hiding data within other files, such as
embedding a document inside an image or video, making it difficult to detect.
• Obfuscation: Some criminals intentionally obscure data by using misleading
filenames, storing data in non-standard locations (e.g., inside system files), or
splitting information across multiple files.
Jurisdictional and Legal Barriers
• Digital evidence is often spread across multiple jurisdictions, especially when cloud
services or internet-based communications are involved. A company’s servers might
be hosted in one country, while the suspects are located in another, complicating
access to data.
• Jurisdictional Conflicts: Different countries have different laws governing data
privacy, search and seizure of digital evidence, and the admissibility of that evidence
in court. Investigators must navigate complex international laws and treaties, such
as Mutual Legal Assistance Treaties (MLATs), to obtain necessary data.
• Compliance with Data Privacy Laws: Many countries have stringent data privacy
laws, like the General Data Protection Regulation (GDPR) in Europe, the Digital
Personal Data Protection Act (DPDP Act) in India, which place limits on what types
of data can be accessed and how it can be transferred across borders.
• Cloud Services: Cloud data might be stored in multiple physical locations, each
governed by different legal frameworks. Investigators may need to issue legal
requests to cloud service providers located in different countries to gain access to
the relevant data.
