Unit 2

Cyber forensics, or digital forensics, involves collecting, analyzing, and preserving digital evidence from electronic devices to investigate cybercrimes. The process includes steps such as identification, preservation, analysis, documentation, and presentation of evidence. Key areas of focus include computer, network, cloud, mobile, and malware forensics, with various tools and techniques used for data recovery and security.

Uploaded by

29rudramishra

CYBER FORENSICS

UNIT-2
CYBER FORENSICS
• Cyber forensics, also known as digital forensics, is the process of collecting, analyzing, and preserving digital evidence from electronic devices to investigate cybercrimes and security incidents.
• It involves the identification, extraction, and documentation of digital data to be used in legal proceedings or cyber security investigations.
• It helps law enforcement, businesses, and cyber security professionals track criminals, recover lost data, and protect digital assets.
• Key areas: Computer, Network, Cloud, Mobile and Malware forensics.
STEPS IN CYBER FORENSICS INVESTIGATION:

• Identification – Detecting potential digital evidence.
• Preservation – Securing and maintaining data integrity.
• Analysis – Examining data using forensic tools.
• Documentation – Recording findings for legal use.
• Presentation – Presenting evidence in court or cyber security reports.


DIGITAL DEVICE
• A digital device is any electronic device that processes, stores, or transmits digital data. These devices use binary code (0s and 1s) to perform operations and communicate.
• Examples: Computers & Laptops, Smartphones & Tablets, Servers, Smart Watches & Wearables, Cameras (Digital & Surveillance), Networking Devices, Storage Devices, Gaming Consoles, IoT Devices (Internet of Things), Medical Devices.
HARD DISK
• A hard disk drive (HDD) is a data storage device used in computers and other digital devices to store and retrieve digital information using magnetic storage.
• It is a non-volatile storage device, meaning data is retained even when power is turned off.

TYPES OF HARD DISKS:
1. HDD (Hard Disk Drive) – Traditional spinning disk storage.
2. SSD (Solid State Drive) – Faster, more durable, but more expensive.
3. Hybrid Drives (SSHD) – Combination of HDD and SSD for balanced speed and storage.
DISK CHARACTERISTICS
• Storage Capacity
• Data Transfer Speed (Read/Write Speed)
• Access Time & Latency
• RPM (Revolutions Per Minute) – For HDDs
• Interface Type (Connection Type): Determines how the disk connects to the system.
• Durability & Reliability
• Power Consumption
• Shock & Vibration Resistance
• Lifespan & Endurance
• Cost & Price per GB

DISK IMAGING
• Disk imaging is the process of creating an exact copy (or snapshot) of a storage device, such as a hard disk (HDD), solid-state drive (SSD), or USB drive. This copy includes everything on the disk: operating system, files, software, partitions, and system settings, allowing for backup, recovery, or forensic investigation.
• Popular Disk Imaging Tools:
🔹 Clonezilla – Free, open-source cloning tool.
🔹 Acronis True Image – Professional backup & disk imaging software.
🔹 Macrium Reflect – Used for system backups and disk cloning.
🔹 FTK Imager – Used in cyber forensics for evidence collection.
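Added example (not part of these slides and not the code of any tool named above): a Python script that does what the Preservation step in STEPS IN CYBER FORENSICS INVESTIGATION and the imaging slide above describe together. It copies a source bit-for-bit into an image file, hashes the source and the image with SHA-256 so the two can be compared, appends a chain-of-custody record, and can re-verify the image later. The function names, the examiner id and the temporary "device" file used in demo() are constructed assumptions; on a real acquisition the source would be a device node such as /dev/sdb opened through a write blocker.

```python
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1024 * 1024  # read in 1 MiB pieces so a large device never sits in memory


def sha256_file(path):
    """Stream a file and return its SHA-256 hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source, image_path):
    """Copy `source` (a raw device node such as /dev/sdb, or any file) bit-for-bit
    to `image_path`, hashing the bytes as they are read. Returns the SHA-256 of the
    source so the device does not need a second pass."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    return h.hexdigest()


def acquire(source, image_path, custody_log, examiner):
    """Preservation step: image the source, hash both sides, and append a
    chain-of-custody record (one JSON object per line) to `custody_log`."""
    source_hash = image_device(source, image_path)
    image_hash = sha256_file(image_path)
    record = {
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "action": "acquire",
        "examiner": examiner,
        "source": source,
        "image": image_path,
        "source_sha256": source_hash,
        "image_sha256": image_hash,
        "verified": source_hash == image_hash,
    }
    with open(custody_log, "a") as log:
        log.write(json.dumps(record) + "\n")
    return record


def verify(image_path, custody_log):
    """Recompute the image hash and compare it with the hash recorded at acquisition.
    Returns True only if the image is byte-for-byte unchanged since it was taken."""
    recorded = None
    with open(custody_log) as log:
        for line in log:
            rec = json.loads(line)
            if rec["action"] == "acquire" and rec["image"] == image_path:
                recorded = rec["image_sha256"]
    return recorded is not None and sha256_file(image_path) == recorded


def demo():
    """Constructed walk-through on a temporary file standing in for a USB stick."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "fake_usb.bin")   # stands in for /dev/sdb
    image = os.path.join(workdir, "fake_usb.dd")
    log = os.path.join(workdir, "custody.jsonl")
    with open(device, "wb") as f:
        f.write(os.urandom(3 * 1024 * 1024 + 123))   # constructed content, non-aligned size
    record = acquire(device, image, log, examiner="examiner-01")
    intact = verify(image, log)
    with open(image, "ab") as f:                     # simulate tampering after acquisition
        f.write(b"\x00")
    tampered = verify(image, log)
    return {"verified_at_acquisition": record["verified"],
            "intact": intact, "after_tamper": tampered}


if __name__ == "__main__":
    print(demo())
```

The source hash is taken from the bytes as they stream through, not from a separate read, so a device that is failing and returns different data on a second pass cannot produce a false "verified" result; the image file is then hashed independently from disk, which is what a court will ask to be repeated.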
DISK CARVING
• Data carving is the process of extracting deleted, lost, or fragmented data from a storage device without relying on the file system.
• It is commonly used in digital forensics and data recovery to retrieve files that have been deleted, damaged, or partially overwritten.
• Key Features of Data Carving:
✔ File System Independent – Recovers data even if the file system is corrupt or missing.
✔ Uses Signature-Based Searching – Identifies files based on unique patterns (headers, footers, magic numbers).
✔ Recovers Deleted & Fragmented Data – Useful when files have been removed from the recycle bin.
✔ Essential for Cyber Forensics – Helps recover evidence from formatted or damaged drives.
HOW DATA CARVING WORKS
• Signature Analysis – Identifies file headers and footers to locate file types (e.g., JPEG, PDF, DOCX).
• Data Extraction – Extracts identified data from unallocated disk space or memory dumps.
• Reconstruction – Puts together fragmented files when possible.
• Validation – Ensures extracted files are complete and usable.
• Tools: Foremost, Scalpel, PhotoRec, Autopsy/Sleuth Kit.
DISK CARVING TECHNIQUES
• Header/Footer Carving – Identifying file signatures.
• File Fragment Reconstruction – Reassembling broken file parts.
• Content-Based Carving – Searching for specific file patterns.
• Example: A forensic expert uses Scalpel or Foremost to recover JPEG images from unallocated space.
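Added example covering HOW DATA CARVING WORKS and the header/footer technique on this slide (this is illustrative code, not Scalpel's or Foremost's own implementation): a small signature-based carver in Python. It scans a byte buffer for the JPEG and PNG header/footer pairs, extracts each header-to-footer span, skips a header that has no footer (a fragment), and then runs a validation step so that bytes which merely looked like a header are not reported as a recovered file. The sample "unallocated space" is constructed inside the script; the only real-world values are the JPEG and PNG magic numbers.

```python
import struct
import zlib

# Header/footer signatures in the style of Scalpel/Foremost configuration entries.
# The JPEG and PNG values are the real magic numbers of those formats.
SIGNATURES = {
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9"},
    "png": {"header": b"\x89PNG\r\n\x1a\n", "footer": b"IEND\xae\x42\x60\x82"},
}
MAX_FILE_SIZE = 10 * 1024 * 1024  # give up on a header if no footer within 10 MiB


def carve(image):
    """Scan raw bytes (e.g. an unallocated-space dump) for header/footer pairs.
    Returns a list of (offset, type, data) sorted by offset. A header with no
    matching footer within MAX_FILE_SIZE is treated as a fragment and skipped."""
    found = []
    for ftype, sig in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(sig["header"], pos)
            if start == -1:
                break
            footer = image.find(sig["footer"], start + len(sig["header"]), start + MAX_FILE_SIZE)
            if footer == -1:
                pos = start + 1          # fragment: keep looking past this header
                continue
            end = footer + len(sig["footer"])
            found.append((start, ftype, image[start:end]))
            pos = end
    found.sort()
    return found


def validate(ftype, data):
    """Validation step: a cheap structural check that the carved bytes form a usable file."""
    if ftype == "png":
        # First chunk must be IHDR with a matching CRC; random bytes will not pass this.
        if len(data) < 33:
            return False
        length = struct.unpack(">I", data[8:12])[0]
        ctype = data[12:16]
        cdata = data[16:16 + length]
        crc = struct.unpack(">I", data[16 + length:20 + length])[0]
        return ctype == b"IHDR" and (zlib.crc32(ctype + cdata) & 0xFFFFFFFF) == crc
    if ftype == "jpg":
        # SOI at the start, EOI at the end, and a Start-Of-Frame marker in between.
        return (data.startswith(b"\xff\xd8") and data.endswith(b"\xff\xd9")
                and (b"\xff\xc0" in data or b"\xff\xc2" in data))
    return False


# --- constructed sample data (not from any real disk) ------------------------

def make_png():
    """A real, valid 1x1 RGB PNG built from scratch."""
    def chunk(ctype, cdata):
        return (struct.pack(">I", len(cdata)) + ctype + cdata
                + struct.pack(">I", zlib.crc32(ctype + cdata) & 0xFFFFFFFF))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)       # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\x10\x20\x30")                 # filter byte + one pixel
    return (SIGNATURES["png"]["header"] + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))


# Minimal JPEG marker skeleton (SOI, APP0, SOF0, EOI): enough structure for the
# carver and validator to work on, not a decodable picture.
JPEG_STUB = (
    b"\xff\xd8"
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    b"\xff\xc0\x00\x0b\x08\x00\x01\x00\x01\x01\x01\x11\x00"
    b"\xff\xd9"
)


def build_sample_image():
    """Unallocated space: filler, a JPEG, a PNG, and a JPEG header with no footer."""
    filler = bytes(range(256)) * 4
    fragment = b"\xff\xd8\xff\xe1" + b"\x00" * 32            # header only: a fragment
    return filler + JPEG_STUB + filler + make_png() + filler + fragment + b"\x00" * 64


if __name__ == "__main__":
    for offset, ftype, data in carve(build_sample_image()):
        print(f"offset {offset:6d}  {ftype}  {len(data):5d} bytes  valid={validate(ftype, data)}")
```

Two points carry over to real tools: the footer search is bounded (an unbounded search would glue a header to a footer belonging to a different file far down the disk), and validation is separate from extraction, because signature matches on a large drive include many false positives that only a format check can remove.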


COMMERCIAL PIRACY
• Unauthorized copying and selling of software, movies, or digital content.
• It includes illegally copying and distributing software, movies, music, and other media. Examples are:
• Hard disk loading: A reseller buys a legal copy of software, copies it, and installs it on a computer's hard disk. The computer is then sold as having licensed software.
• Counterfeiting: Software is illegally copied and distributed as if it were authentic.
• Soft lifting: A single version of software is downloaded onto multiple devices, even though the license only allows one download.
• Online piracy: Illegal software is shared, sold, or acquired through the internet.

SOFT LIFTING
• Installing legally purchased software on multiple devices against licensing terms.
• Example: A company buys one license of Microsoft Office but installs it on multiple computers, violating the license agreement.
STEGANOGRAPHY
• Hiding data within other files (e.g., images, videos, audio) without altering their appearance. Common techniques:
• LSB (Least Significant Bit) Encoding – Modifying the least significant bit in pixels.
• Masking & Filtering – Hiding text in images or audio.
• Tools: StegHide, OpenStego, SilentEye.
NETWORK COMPONENTS
• Router: Directs data packets between networks.
• Switch: Connects devices in a LAN, forwarding data based on MAC addresses.
• Firewall: Filters incoming and outgoing traffic for security.
• Proxy Server: Acts as an intermediary for network requests.

ROUTER
• Device that forwards data packets between computer networks.
• It acts as a gateway between different networks, directing data traffic efficiently. Routers are commonly used to connect local networks (like home Wi-Fi) to the internet.

SWITCH
• Device that connects multiple devices within a local area network (LAN) and helps in efficient data transfer.
Example:
• Home Network Switch – A Netgear 5-port switch can be used to connect multiple devices (laptop, gaming console, printer) to a home network.
• Enterprise Network Switch – A Cisco Catalyst switch is used in offices to connect multiple computers, servers, and printers, allowing fast and secure data transfer.
FIREWALL
• A firewall is a network security device or software that monitors and controls incoming and outgoing network traffic based on predefined security rules. Types of Firewalls:
• Hardware Firewall – A physical device (e.g., Cisco ASA, Fortinet) that filters network traffic before it reaches your internal network.
• Software Firewall – A program installed on computers or servers (e.g., Windows Defender Firewall, Norton Firewall) to monitor and block suspicious activities.

PROXY SERVER
• A proxy server is an intermediary server that sits between a user's device and the internet. It processes requests on behalf of the user, forwarding them to the target website and then returning the response. Proxies help improve security, privacy, and performance. Functions are:
• Anonymity & Privacy – Hides the user's IP address, making online activities more private.
• Security – Acts as a barrier against cyber threats and can filter malicious content.
• Content Filtering – Used in organizations or schools to block access to certain websites.
• Caching & Speed Improvement – Stores frequently accessed web pages to load them faster.
VPN V/S PROXY SERVER

Feature            | Proxy server                                             | VPN
-------------------|----------------------------------------------------------|--------------------------------------------------------------------
Function           | Acts as an intermediary for web requests.                | Encrypts all internet traffic and routes it through a secure server.
Encryption         | No encryption (except HTTPS proxies).                    | Encrypts all traffic, protecting data from hackers.
IP Address Masking | Hides IP only for specific applications (e.g., browser). | Hides IP for the entire device and all applications.
Security           | Basic security; not effective against hackers.           | High security; protects against hackers and cyber threats.
Performance        | Faster                                                   | Slightly slow
Example            | SOCKS5, HTTP Proxy (e.g., Squid Proxy, SmartProxy).      | NordVPN, ExpressVPN, OpenVPN.

WHICH ONE SHOULD YOU USE?
• Use a proxy server if you just need to access geo-restricted content or hide your IP for specific websites.
• Use a VPN if you want full encryption, online security, and privacy across all apps and internet traffic.
PORT SCANS
• A port scan is used to discover open ports on a system, which may indicate security vulnerabilities.
• Example: A hacker uses Nmap to scan a target server for open ports.
• Command: nmap -p 1-65535 target_ip (Linux command)
• Types:
• TCP Scan – Checks for open TCP ports.
• UDP Scan – Detects open UDP ports.
• SYN Scan – Also called half-open scan, identifies responsive ports.
WIRESHARK & PCAP ANALYSIS
• Wireshark: A network packet analyzer used for monitoring network traffic.
• pcap (Packet Capture) Analysis: Examining captured network packets for malicious activities.
• Uses:
• Detect network anomalies.
• Analyze communication patterns.
• Identify security threats.
• Command: wireshark -r captured_traffic.pcap

TROJANS AND BACKDOORS
• Trojan Horse: A malicious program disguised as legitimate software.
• Backdoor: A hidden way to access a system, bypassing security.
• Examples: Netbus, Sub7, Poison Ivy.
• Prevention: Antivirus, Firewalls, IDS/IPS, Regular Patching.

BOTNETS
• A botnet is a network of compromised devices (bots/zombies) controlled remotely by an attacker (botmaster).
• Used for launching cyberattacks, such as DDoS, phishing, and data theft.
• Examples: Mirai, Zeus, Conficker.
• Prevention: Firewalls, endpoint security, and botnet detection systems.
DOS (DENIAL OF SERVICE) ATTACK
• An attack that floods a server or network with excessive requests, making it unavailable to users. Types:
• TCP SYN Flood – Overwhelms a system with incomplete TCP connections.
• Ping Flood – Sends large ICMP Echo requests.
• UDP Flood – Overloads network resources with UDP packets.

DDOS (DISTRIBUTED DENIAL OF SERVICE) ATTACK
• A more powerful version of DoS, where multiple compromised devices (botnet) launch an attack simultaneously. Common methods:
• Volumetric Attacks – Consume network bandwidth (e.g., UDP Floods).
• Application Layer Attacks – Overload web applications (e.g., HTTP Flood).
• Protocol Attacks – Exploit weaknesses in network protocols (e.g., SYN Flood).
• Prevention: CDN services, rate limiting, firewalls, anti-DDoS solutions.
HONEY POTS
• A decoy system designed to attract and analyze attackers. Types:
• Low-Interaction Honey Pots – Simulate vulnerabilities with limited real OS access.
• High-Interaction Honey Pots – Fully functional systems that collect detailed attack data.
• Uses:
• Detect cyber threats.
• Study hacker techniques.
• Improve security defenses.
MALWARE (MALICIOUS SOFTWARE)
• Any software designed to harm, exploit, or steal data.
• Types of malware:
• Viruses – Attach to files and spread when executed.
• Worms – Self-replicate across networks without human action.
• Trojans – Disguised as legitimate software but contain malicious code.
• Ransomware – Encrypts user data and demands payment for decryption.
• Spyware – Secretly gathers user information.

VIRUS
• A type of malware that requires user execution to spread.
• Spreads by attaching itself to files, documents, or boot sectors.
• Common types:
• Macro Virus – Embedded in documents (e.g., Word, Excel).
• Boot Sector Virus – Infects the boot partition of storage drives.
• Polymorphic Virus – Changes code to avoid detection.
• Prevention: Antivirus software, avoiding suspicious files, regular updates.

WORMS
• A self-replicating malware that spreads through networks without user intervention.
• Exploits vulnerabilities in OS, software, or network protocols.
• Famous worms:
• Morris Worm (1988) – One of the first internet worms.
• ILOVEYOU Worm (2000) – Spread via email attachments.
• Conficker Worm (2008) – Targeted Windows vulnerabilities.
• Prevention: Patch vulnerabilities, use firewalls, disable unnecessary services.
