Introduction to Cyber Security Basics

The document provides a comprehensive overview of Cyber Security, defining it as the protection of systems, networks, and data from digital attacks, with core elements involving people, processes, and technology. It discusses the importance of data protection, economic stability, and national security, while also highlighting challenges such as evolving threats and a shortage of skilled professionals. Key concepts include the CIA Triad (Confidentiality, Integrity, Availability), types of hackers, the hacking process, and various malware threats.

Uploaded by Subhadeep Roy

Cyber Security

Module 1: Introduction to Cyber Security

1. Introduction to Cyber Security

● Definition: Cyber Security (or Information Security) is the practice of protecting systems, networks, programs, and data from digital attacks.
● Goal: These attacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users ([Link]); or interrupting normal business processes.
● Core Elements: It involves a combination of people, processes, and technology to defend against these threats.

2. Importance and Challenges in Cyber Security

Importance

● Data Protection: Protects sensitive personal data (like PII - Personally Identifiable Information) and corporate data (like intellectual property, financial records) from theft and misuse.
● Economic Stability: Prevents financial losses from fraud, extortion (e.g., ransomware), and business disruption.
● National Security: Guards government secrets, military operations, and critical infrastructure against attacks by hostile nations or terrorist groups.
● Trust: Maintains user and customer trust in digital services and e-commerce.

Challenges

● Constantly Evolving Threats: Attackers continuously create new types of malware and adapt their tactics (e.g., zero-day exploits).
● Asymmetric Warfare: A single attacker with basic tools can cause massive damage to a large, well-funded organization.
● Human Factor: Users are often the weakest link, falling for phishing scams or using weak passwords. Social engineering is a major challenge.
● Expanding Attack Surface: The rise of IoT (Internet of Things) devices, cloud computing, and "Bring Your Own Device" (BYOD) policies means there are more potential entry points for attackers.
● Lack of Skilled Professionals: There is a significant global shortage of trained cybersecurity professionals.

3. Key Concepts

● Cyberspace: The interconnected digital environment of information and communication technologies (ICTs). It includes the internet, intranets, networks, computer systems, and the data that flows through them. It is a virtual domain, not a physical one.
● Cyber Threats: Any potential danger that can exploit a vulnerability to breach security and cause harm to a computer system or network. Common threats include:
  ○ Malware: Malicious software (e.g., viruses, worms, ransomware, spyware).
  ○ Phishing: Fraudulent emails or messages disguised as legitimate ones to steal credentials or data.
  ○ Denial-of-Service (DoS) / Distributed Denial-of-Service (DDoS): Overwhelming a system with traffic to make it unavailable.
  ○ Man-in-the-Middle (MitM): An attacker secretly intercepts and relays communication between two parties.
  ○ SQL Injection: A technique used to attack data-driven applications by inserting malicious SQL code into a query.
● Cyberwarfare: The use of cyber attacks by one nation-state to attack and damage another nation's computer systems or information networks.
  ○ Objectives: Can include espionage (stealing state secrets), sabotage (disrupting critical infrastructure), or propaganda (spreading disinformation).
  ○ Example: Stuxnet, a malicious worm widely believed to have targeted Iran's nuclear facilities.
● Cyber Terrorism: The use of computer-based attacks by terrorist groups to cause widespread disruption, fear, or physical harm.
  ○ Goal: To intimidate a population or coerce a government, often by targeting critical systems like power grids, financial markets, or emergency services.
  ○ Distinction from Cyberwarfare: The primary difference is the actor. Cyberwarfare is conducted by nation-states, while cyber terrorism is conducted by non-state actors (terrorist groups).
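The SQL Injection bullet above says only that malicious SQL is "inserted into a query". The following added example (written for these notes, not taken from them) shows concretely how that happens when a query is assembled by string formatting, and how binding the input as a parameter closes the hole. The users table and credentials are constructed sample data; the functions and names are the example's own.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny users table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL text from user input, so quotes and keywords in the
    input become part of the query's syntax instead of data."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return sorted(row[0] for row in conn.execute(query))


def login_parameterized(conn, username, password):
    """Uses bound parameters: the driver passes the values as data, so the
    query structure cannot be changed by whatever the user types."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # the textbook input that turns the WHERE clause into "always true"
    print("vulnerable, good password:", login_vulnerable(db, "alice", "correct-horse"))
    print("vulnerable, crafted input:", login_vulnerable(db, "alice", crafted))
    print("parameterized, crafted input:", login_parameterized(db, "alice", crafted))
```

With the crafted input the vulnerable function returns every user because the clause becomes `password = '' OR '1'='1'`; the parameterized function returns nothing because the same string is compared literally as a password. Prepared statements, not input filtering, are the fix the notes' bullet implies.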

4. The CIA Triad

The CIA Triad is the foundational model for cybersecurity policy. It outlines the three core goals for protecting information.

● Confidentiality:
  ○ What it is: Ensuring that information is not disclosed to unauthorized individuals, entities, or processes. It's about secrecy and privacy.
  ○ How it's achieved: Encryption, access controls (passwords, permissions), and data classification.
● Integrity:
  ○ What it is: Maintaining the consistency, accuracy, and trustworthiness of data. It ensures that data cannot be modified or deleted in an unauthorized or undetected manner.
  ○ How it's achieved: Hashing (e.g., MD5, SHA-256), digital signatures, file permissions, and version control.
● Availability:
  ○ What it is: Ensuring that systems, networks, and data are operational and accessible to authorized users when they are needed.
  ○ How it's achieved: Hardware redundancy (e.g., RAID), backups, disaster recovery plans, and defending against DDoS attacks.
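The Integrity bullet lists hashing and digital signatures without saying why both appear. This added example (not from the notes) shows the distinction: an unkeyed SHA-256 digest detects accidental change, but an attacker who can rewrite the data can recompute the digest too, so a keyed check (HMAC, a lightweight stand-in here for a signature) is needed when the attacker may also reach the stored checksum. The record contents and key are constructed for the demo.

```python
import hashlib
import hmac
import secrets


def sha256_digest(data: bytes) -> str:
    """Unkeyed hash: anyone can recompute it, so it only guards against accidents."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected: str) -> bool:
    return hmac.compare_digest(sha256_digest(data), expected)


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed hash: only a holder of `key` can produce a tag that verifies."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, tag: str) -> bool:
    # constant-time comparison avoids leaking how many leading bytes matched
    return hmac.compare_digest(hmac_tag(key, data), tag)


def demo():
    """Walk through the four cases a practitioner cares about."""
    key = secrets.token_bytes(32)                 # constructed secret held by the verifier only
    record = b"account=1234;balance=100"          # constructed sample record
    stored_hash = sha256_digest(record)
    stored_tag = hmac_tag(key, record)

    tampered = b"account=1234;balance=999999"
    forged_hash = sha256_digest(tampered)         # attacker rewrites the record AND its hash
    forged_tag = hmac_tag(b"wrong-key", tampered)  # attacker lacks the real key

    return {
        "hash_detects_tamper": verify_digest(tampered, stored_hash),      # False: change noticed
        "hash_fooled_by_recompute": verify_digest(tampered, forged_hash),  # True: hash alone is not enough
        "hmac_detects_tamper": verify_tag(key, tampered, stored_tag),      # False: change noticed
        "hmac_forge_attempt": verify_tag(key, tampered, forged_tag),       # False: forgery rejected
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The same reasoning applies to the MD5 the notes mention: it is acceptable for spotting corruption but not for defending against a deliberate attacker, and in any case the checksum must be stored or keyed somewhere the attacker cannot rewrite.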

5. Cyber Security of Critical Infrastructure

● What is Critical Infrastructure (CI)? These are the physical and virtual assets, systems, and networks that are vital to a nation's security, economy, and public health.
● Examples: Power grids, water supply systems, transportation networks (air, rail), financial services (banks), healthcare (hospitals), and communication networks.
● Why it's a Target: An attack on CI can cause massive physical damage, economic chaos, loss of life, and public panic.
● Challenges: Many CI systems are "legacy systems" (old technology) that were not designed with modern cybersecurity in mind and are now being connected to the internet, making them vulnerable.

6. Cybersecurity - Organizational Implications

Cybersecurity is not just an IT problem; it's a core business risk that affects the entire organization.

● Financial Impact:
  ○ Direct costs of remediation (cleaning systems, paying for experts).
  ○ Cost of downtime and lost revenue.
  ○ Fines and penalties from regulators (e.g., for GDPR or HIPAA violations).
● Reputational Damage:
  ○ Loss of customer trust, which can be harder to recover than financial losses.
  ○ Negative press and brand damage.
● Legal and Regulatory:
  ○ Organizations must comply with a growing number of data protection laws (like GDPR, CCPA).
  ○ Failure to comply can lead to legal action from customers or governments.
● Operational Disruption:
  ○ A ransomware attack can halt all business operations (e.g., manufacturing, sales, communication) for days or weeks.
● Shift in Culture:
  ○ Requires a "security-first" mindset across all departments, not just IT.
  ○ Mandatory security awareness training for all employees (to prevent phishing, etc.).
  ○ Security must be integrated into business strategy and risk management.

Module 2: Hackers and Cyber Crimes

1. Types of Hackers

The term "hacker" is often used broadly, but different types are distinguished by their motives, ethics, and (legal) status.

● White Hat Hacker (Ethical Hacker):
  ○ Motive: To improve security.
  ○ Action: Legally and ethically hired by organizations to find vulnerabilities before malicious actors do.
  ○ Analogy: A "security inspector" or "digital locksmith" you hire to test your locks.
● Black Hat Hacker (Malicious Hacker):
  ○ Motive: Personal gain (money), espionage, or destruction.
  ○ Action: Illegally breaches systems to steal data, deploy ransomware, disrupt services, or commit other crimes.
  ○ Analogy: A "burglar" or "digital vandal."
● Grey Hat Hacker:
  ○ Motive: A mix; often for fun, curiosity, or to gain recognition.
  ○ Action: Finds vulnerabilities without permission from the owner. They might report the vulnerability (sometimes asking for a fee) or, in some cases, exploit it. They operate in a legal and ethical "grey area."
● Script Kiddie:
  ○ Motive: To cause disruption or show off.
  ○ Action: An unskilled individual who uses pre-written scripts and tools created by others to launch attacks. They typically don't understand the underlying technology.
● Hacktivist:
  ○ Motive: Political, social, or ideological.
  ○ Action: Uses hacking to promote a political agenda or social message. This can include website defacement, leaking sensitive documents, or launching DDoS attacks (e.g., Anonymous).
● State-Sponsored Hacker (APT - Advanced Persistent Threat):
  ○ Motive: National espionage, cyberwarfare, or stealing intellectual property.
  ○ Action: Employed by a government to target other nations, corporations, or critical infrastructure. They are highly skilled, well-funded, and patient.

2. Hackers vs. Crackers

● Hacker: This term originally had a neutral or positive connotation, referring to a skilled programmer who enjoyed exploring the limits of technology. In modern use, it often refers to White Hat and Grey Hat individuals.
● Cracker: This term was coined to specifically distinguish malicious actors from the broader "hacker" community. A Cracker is synonymous with a Black Hat Hacker: someone who "cracks" security systems for criminal or malicious intent.

3. Cyber-Attacks and Vulnerabilities

● Vulnerability: A weakness or flaw in a system's design, code, implementation, or human processes. This is the "unlocked window" an attacker can use.
  ○ Examples: An unpatched piece of software, a weak password, a misconfigured firewall, or an employee who hasn't been trained to spot phishing.
● Cyber-Attack: The action of exploiting a known (or unknown, called a "zero-day") vulnerability to gain unauthorized access, cause damage, or steal information. This is the "act of climbing through the window."

4. The Hacking Process (A Typical Attack Lifecycle)

Attackers often follow a structured process to breach a system and achieve their goals.

1. Sniffing (Reconnaissance):
  ○ What it is: Intercepting and "listening to" data packets as they travel across a network (e.g., a public Wi-Fi).
  ○ Goal: To capture unencrypted data like usernames, passwords, and other sensitive information.
  ○ Tool: A "packet sniffer" like Wireshark.
2. Gaining Access (Exploitation):
  ○ What it is: The initial breach of the system. This is where the attacker actively exploits a vulnerability.
  ○ Methods: Using malware (like a Trojan), sending a phishing email, or directly attacking a web server (e.g., with SQL Injection).
3. Escalating Privileges (Post-Exploitation):
  ○ What it is: Once inside, the attacker usually has only low-level (standard user) access. Privilege escalation is the process of gaining administrative or "root" access.
  ○ Goal: To gain full control over the system, allowing them to disable security, access all data, and install more tools.
4. Executing Applications (Maintaining Access):
  ○ What it is: Running malicious programs on the compromised system.
  ○ Goal: To install tools that ensure the attacker can return later, such as backdoors or "bots" that join the computer to a botnet.
5. Hiding Files (Anti-Forensics):
  ○ What it is: Concealing the attacker's presence and malicious files to avoid detection by system administrators or antivirus software.
  ○ Methods:
    ■ Rootkits: Malware designed to hide its own presence (files, processes) from the operating system.
    ■ Steganography: Hiding data within other files (e.g., hiding a malicious script inside an image file).
6. Covering Tracks (Anti-Forensics):
  ○ What it is: The final step, where the attacker erases all evidence of their activity.
  ○ Goal: To prevent discovery, delay investigation, and protect their identity.
  ○ Methods: Deleting or modifying system logs, altering file timestamps, and using anonymous networks.

5. Malware Threats (Malicious Software)

Malware is the primary tool used by attackers.

● Virus:
  ○ How it works: A piece of malicious code that attaches itself to a legitimate program or file (the "host").
  ○ How it spreads: It requires human action (like opening the infected file) to execute and spread to other files.
  ○ Analogy: A biological virus that needs a host cell to replicate.
● Worm:
  ○ How it works: A standalone piece of malware (it doesn't need a host file).
  ○ How it spreads: It self-replicates and spreads independently over a network, exploiting vulnerabilities to jump from one computer to another.
  ○ Analogy: A worm that burrows from one apple to the next on its own.
● Trojan (or Trojan Horse):
  ○ How it works: Disguises itself as a legitimate or useful piece of software (e.g., a game, a utility, or even an antivirus program).
  ○ Goal: To trick the user into installing it. Once run, the Trojan executes its hidden malicious function (e.g., installing a backdoor, stealing data).
  ○ Analogy: The mythical Trojan Horse, which looked like a gift but hid enemy soldiers inside.
● Backdoor:
  ○ What it is: A hidden, undocumented method of bypassing normal authentication or security controls.
  ○ Purpose: It gives an attacker (or even the original developer) easy, repeated access to a system. A Trojan's main purpose is often to install a backdoor.

Module 3: Ethical Hacking and Social Engineering

1. Ethical Hacking Concepts and Scopes

● Definition: Ethical Hacking (or "White Hat" hacking) is the authorized and legal practice of attempting to breach an organization's security defenses.
● Purpose: The goal is to identify vulnerabilities, assess the strength of defenses, and report the findings before a malicious attacker (a "Black Hat") can exploit them.
● Scope: The scope is a critical component defined in a formal contract between the ethical hacker and the organization. It clearly outlines:
  ○ What systems/networks/applications are to be tested.
  ○ What systems are off-limits.
  ○ What methods are allowed (e.g., "Is social engineering allowed?").
  ○ When the testing will occur (e.g., to avoid disrupting business operations).
  ○ Rules of Engagement: How to handle sensitive data if found, who to report to, etc.
● Key Principle: The core principle is consent. An ethical hacker has explicit permission, while a malicious hacker does not.

2. Threats and Attack Vectors

● Threat: A potential danger that could exploit a vulnerability. It's the "who" or "what" that could cause harm (e.g., a Black Hat hacker, a piece of malware, a disgruntled employee).
● Attack Vector: The path or method a threat actor uses to gain unauthorized access to a system to deliver a payload or launch an attack. It's "how" the attack is carried out.
● Common Attack Vectors:
  ○ Phishing emails (email vector)
  ○ Malicious websites (web vector)
  ○ Unpatched software vulnerabilities (network/software vector)
  ○ Stolen credentials (identity vector)
  ○ Infected USB drives (physical/removable media vector)

3. Information Assurance (IA)

● Definition: IA is a broader concept than just cybersecurity. It focuses on managing risks related to the use, processing, storage, and transmission of information.
● Goal: To ensure the integrity, availability, confidentiality, authenticity, and non-repudiation of information.
  ○ Authenticity: Proving that users are who they claim to be and that data comes from its stated source.
  ○ Non-Repudiation: Ensuring that a party cannot deny having sent or received a message (e.g., using digital signatures).
● In short: While cybersecurity focuses on protecting the data from attack, IA focuses on ensuring the data is trustworthy and available for its entire lifecycle.

4. Threat Modelling

● What it is: A structured process for identifying potential threats, vulnerabilities, and attack vectors from an attacker's perspective.
● Purpose: It is a proactive (not reactive) process, usually done during the design phase of a system or application. It helps developers "think like an attacker" to build more secure systems from the start.
● Common Steps:
  1. Identify Assets: What are we trying to protect (e.g., user data, admin accounts)?
  2. Identify Threats: Who (or what) might attack this asset (e.g., an insider, an external attacker)?
  3. Identify Vulnerabilities: What weaknesses does our system have?
  4. Prioritize Risks: Which threats are most likely and would cause the most damage?
  5. Mitigate: What security controls can we add to fix or reduce these risks?

5. Enterprise Information Security Architecture (EISA)

● Definition: EISA is the set of models, principles, and standards that guide the design and implementation of security controls across an entire organization (the "enterprise").
● Analogy: It's the "master blueprint" for the organization's security. It ensures that security is not just a collection of random tools (firewalls, antivirus) but a cohesive, integrated system that aligns with the organization's business goals.
● Role: It answers questions like:
  ○ "How should all our different departments (HR, Finance, IT) handle data?"
  ○ "What is our standard for encrypting data?"
  ○ "How do we manage user identities and access across all our applications?"

6. Vulnerability Assessment (VA) vs. Penetration Testing (PT)

These two are often confused but serve different purposes.

● Vulnerability Assessment (VA):
  ○ Goal: To identify and list vulnerabilities in a system.
  ○ Process: Uses automated scanning tools (like Nessus or OpenVAS) to scan for known weaknesses (e.g., missing patches, misconfigurations).
  ○ Output: A comprehensive report of potential weaknesses, often ranked by severity.
  ○ Analogy: "Making a list of all unlocked doors and windows in a building."
● Penetration Testing (Pen Test):
  ○ Goal: To actively exploit vulnerabilities to see if unauthorized access or damage is actually possible.
  ○ Process: A (human) ethical hacker simulates a real-world attack, trying to breach defenses, escalate privileges, and gain access to sensitive data.
  ○ Output: A report detailing how the system was breached, the path taken, and the potential business impact.
  ○ Analogy: "Trying to actually open the unlocked doors, climb through the windows, and see what you can steal."

Key Difference: VA is a passive list of flaws ("finds vulnerabilities"), while PT is an active simulation of an attack ("exploits vulnerabilities").
7. Social Engineering

Social Engineering is the art of psychological manipulation to trick people into divulging confidential information or performing actions that compromise security. It attacks the "human firewall," which is often the weakest link.

Types of Social Engineering

● Phishing: A broad attack sent via email (or SMS, "Smishing"; or voice, "Vishing") to a large number of random users. It creates a sense of urgency or fear (e.g., "Your account is locked") to trick them into clicking a malicious link or revealing credentials.
● Spear Phishing: A highly targeted phishing attack aimed at a specific individual or small group. The attacker first does reconnaissance (e.g., checks LinkedIn) to make the email sound personal and believable (e.g., mentioning a real project or colleague's name).
● Baiting: Uses a false promise to entice a victim. The "bait" can be physical (e.g., leaving an infected USB drive labeled "Confidential Salaries" in a parking lot) or digital (e.g., a "Free Movie Download" link).
● Pretexting: The attacker creates a fabricated scenario (a "pretext") to obtain information. For example, calling an employee pretending to be from the IT department, claiming they need the user's password to perform a "critical system update."
● Tailgating (or Piggybacking): A physical attack where an attacker follows an authorized person into a secure area (e.g., an office building) by "piggybacking" through a door before it closes.

Insider Attack & Threats

● Insider Threat: A security risk that comes from within the organization.
● Types of Insiders:
  1. Malicious Insider: A disgruntled employee, former employee, or contractor who intentionally steals data or causes disruption for personal gain, revenge, or espionage.
  2. Negligent Insider (Accidental): A well-meaning employee who accidentally causes a breach through carelessness (e.g., losing a company laptop, falling for a phishing email, misconfiguring a database). This is the most common type of insider threat.

Preventing Insider Threats

● Principle of Least Privilege (PoLP): Give employees the minimum level of access necessary to perform their jobs. An HR employee does not need access to the finance database.
● Separation of Duties: Split critical tasks between multiple employees so no single person has end-to-end control.
● Access Controls: Implement strong password policies, Multi-Factor Authentication (MFA), and role-based access control (RBAC).
● Monitoring: Use tools to monitor for unusual employee activity (e.g., accessing files at 3 AM, downloading large amounts of data).
● Employee Training: Regular, mandatory training on security policies and how to spot social engineering.
● Offboarding: Have a formal process to immediately revoke all access for employees who are leaving or have been terminated.
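The Monitoring and Least Privilege bullets above name the signals (3 AM access, large downloads, an HR user touching finance data) but not how a detection would be written. This added example, not part of the notes, runs three such rules over a constructed file-access log. The log format, the role map, the working-hours window and the 500 MiB threshold are all assumptions chosen for the demo; a real deployment would take them from the organization's policy and its actual log schema.

```python
from datetime import datetime, time

# Constructed sample access log (not from any real system):
# ISO timestamp, user, action, resource path, bytes transferred
SAMPLE_LOG = """\
2024-03-04T09:15:02 alice READ hr/payroll.xlsx 20480
2024-03-04T03:02:41 bob READ finance/ledger.db 4096
2024-03-04T14:40:10 carol DOWNLOAD finance/export.zip 734003200
2024-03-04T16:05:33 alice READ hr/onboarding.docx 10240
2024-03-04T02:58:07 bob DOWNLOAD finance/ledger.db 1258291200
"""

# Assumed policy values for the example
WORK_START, WORK_END = time(7, 0), time(19, 0)
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024  # 500 MiB
ROLES = {"alice": "hr", "bob": "finance", "carol": "sales"}
ALLOWED_PREFIXES = {"hr": ("hr/",), "finance": ("finance/",), "sales": ("sales/",)}


def parse_log(text):
    """Turn each non-empty line into a dict with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, size = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "resource": resource,
            "bytes": int(size),
        })
    return events


def find_anomalies(events):
    """Apply the three rules; return (user, resource, reasons) for each hit."""
    alerts = []
    for e in events:
        reasons = []
        if not (WORK_START <= e["ts"].time() <= WORK_END):
            reasons.append("off-hours access")
        role = ROLES.get(e["user"])
        if role is None or not e["resource"].startswith(ALLOWED_PREFIXES[role]):
            reasons.append("outside role scope")  # least-privilege violation
        if e["action"] == "DOWNLOAD" and e["bytes"] >= LARGE_TRANSFER_BYTES:
            reasons.append("large download")
        if reasons:
            alerts.append((e["user"], e["resource"], reasons))
    return alerts


if __name__ == "__main__":
    for user, resource, reasons in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{user:6} {resource:22} {', '.join(reasons)}")
```

Running it flags bob's two night-time reads (the second one also as a large transfer) and carol's download of a finance export she has no role-based reason to touch. The "outside role scope" rule is the detective complement of the RBAC control the notes recommend: even when enforcement is missing or misconfigured, the access is at least visible.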

Social Engineering Targets & Defence Strategies

● Targets:
  ○ New Employees: Less familiar with security policies.
  ○ Help Desk / IT Support: Trained to be helpful and may be manipulated into resetting passwords.
  ○ Executive Assistants: Have high levels of access to sensitive information and executive calendars.
  ○ High-Level Executives ("Whaling"): A spear-phishing attack specifically targeting senior executives.
● Defence Strategies:
  ○ The "Human Firewall": The single most important defense.
  ○ Training & Awareness: Train employees to be skeptical and vigilant.
  ○ Policies: Create clear, simple policies for handling data and requests for information.
  ○ Verification: Encourage a culture of "Trust, but Verify." If someone calls from IT asking for a password, the employee should hang up and call the IT department back on a known, official number.
  ○ Technical Controls: Use email filters to block spam/phishing, and web filters to block malicious sites.

Module 4: Cyber Forensics & Security Auditing

Part 1: Cyber Forensics

1. Introduction to Cyber Forensics

● Definition: Cyber Forensics (or Digital Forensics) is the process of identifying, preserving, collecting, analyzing, and presenting digital evidence in a manner that is legally admissible in a court of law.
● Goal: To investigate a cybercrime or security incident to determine the "who, what, when, where, and how" of the event.
● Key Principle: The integrity of the evidence must be maintained at all costs. The analysis must be objective, accurate, and repeatable.

2. Computer Equipment and Storage Media

Digital evidence can be found on any device that stores or transmits data. These are categorized by their volatility (how easily the data is lost).

● Volatile Data: This is temporary data, primarily in RAM (Random Access Memory). It's lost when the device is powered off. It includes:
  ○ Running processes and applications.
  ○ Active network connections.
  ○ The system's clipboard and command history.
  ○ Rule: Volatile data must be collected first, while the system is still running (this is called "live forensics").
● Non-Volatile Data: This is permanent storage. The data persists even when the device is powered off. This includes:
  ○ HDDs (Hard Disk Drives) and SSDs (Solid State Drives).
  ○ Removable Media: USB flash drives, SD cards, external hard drives.
  ○ Optical Media: CDs, DVDs, Blu-ray discs.
  ○ Other Devices: Mobile phones, tablets, routers, IoT devices, printers, and servers.

3. Role of a Forensics Investigator

A forensics investigator is a "digital detective" who must be:

● Meticulous: Pays extreme attention to detail.
● Objective: Remains unbiased and only follows the evidence. The investigator's job is to present facts, not to determine guilt or innocence.
● Ethical: Follows legal and professional standards.

Key Responsibilities:

● Secure the digital "crime scene."
● Properly identify, label, and document all evidence.
● Establish and maintain the Chain of Custody (a formal log of who handled the evidence, when, and for what purpose).
● Create forensic images (bit-for-bit copies) of storage media for analysis. The investigator never works on the original evidence.
● Analyze the forensic image to find evidence (including deleted files, hidden data, and file fragments).
● Write a detailed, clear, and objective report.
● Testify in court as an expert witness.

4. Forensics Investigation Process

This is a formal, multi-step process:

1. Identification: Recognize that an incident occurred and identify what evidence may be present (e.g., which laptops, servers, or phones are involved).
2. Preservation (Collection):
  ○ Secure the scene to prevent evidence from being tampered with.
  ○ Collect volatile data (e.g., RAM dump) from live systems.
  ○ Acquire non-volatile data by creating a forensic image (or "bitstream copy"). This is done using a write-blocker to ensure the original drive is not altered in any way.
  ○ Document everything and maintain the Chain of Custody.
3. Analysis:
  ○ The investigator works on the copy (forensic image), not the original.
  ○ Use specialized forensic tools (e.g., EnCase, FTK, Autopsy) to examine the data.
  ○ This includes recovering deleted files, searching keywords, analyzing file timestamps, and building a timeline of events.
4. Documentation:
  ○ This happens throughout the entire process.
  ○ Every action taken by the investigator—from plugging in a cable to running a search—must be logged.
5. Presentation (Reporting):
  ○ The findings are compiled into a formal report.
  ○ The report must be clear, concise, and understandable to a non-technical audience (like a judge, lawyers, or management).
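Two things in the Preservation step above are easier to reason about in code than in prose: proving that a forensic image really is bit-for-bit identical to the source, and keeping a Chain of Custody that cannot be quietly edited. This added example (mine, not from the notes or any forensic product) does both. The "drive" is an in-memory byte string standing in for a device read through a write-blocker, and the custody entries are constructed; the log is hash-chained so that the same tampering the notes describe under "Covering Tracks" in Module 2 (editing or deleting a log entry) breaks verification.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_image(source: bytes):
    """Hash the source, take a bit-for-bit copy, hash the copy.
    `source` is a constructed stand-in for the original drive; a real
    acquisition reads it through a write-blocker so it cannot change."""
    source_hash = sha256_hex(source)
    image = bytes(source)
    image_hash = sha256_hex(image)
    return image, source_hash, image_hash


class CustodyLog:
    """Append-only chain-of-custody log. Each entry commits to the hash of the
    previous one, so editing or removing an earlier entry is detectable."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, handler, action, evidence_id, ts=None):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "handler": handler,
            "action": action,
            "evidence_id": evidence_id,
            "prev_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self) -> bool:
        """Recompute every link; False if any entry was altered or removed."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev_hash"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


if __name__ == "__main__":
    image, src_hash, img_hash = acquire_image(b"constructed disk contents")
    print("image verified:", src_hash == img_hash)
    log = CustodyLog()
    log.record("examiner-1", "acquired image, hash " + img_hash, "EV-001")
    log.record("examiner-1", "sealed in evidence bag", "EV-001")
    log.record("examiner-2", "received for analysis", "EV-001")
    print("custody chain intact:", log.verify())
```

One caveat worth knowing: a hash chain detects edits and deletions in the middle, but truncating the log at the end is invisible unless the latest `entry_hash` is also recorded somewhere outside the log (a signed report, a second system, or a paper form), which is exactly what the notes' "document everything" step provides.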

5. Collecting Network-Based Evidence

Network evidence is the most volatile and disappears very quickly.

● Sources of Evidence:
  ○ Logs: These are the primary source.
    ■ Firewall, VPN, and proxy logs (show connections, blocked attempts).
    ■ Server logs (web server, DNS, DHCP logs).
    ■ IDS/IPS logs (show alerts for malicious activity).
  ○ Live Network Data:
    ■ Packet Capture: Using tools like Wireshark or tcpdump to capture live traffic.
    ■ Device Status: Checking active connections (netstat), ARP tables, and routing tables on routers and switches.
● Challenges: The sheer volume of data ("big data") and the fact that logs may be deleted by the attacker or overwritten by normal activity.
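The notes list firewall and web server logs as the primary evidence sources and, in the Analysis step, "building a timeline of events", but the two log types use different formats and clocks. This added example (not from the notes) parses a few constructed lines of each, normalises them to UTC, merges them into one ordered timeline, and counts blocked attempts per source address. The log lines, addresses (from the documentation ranges) and field layout are constructed for the demo; the firewall format is an assumed simple key=value style, the web format is Common Log Format.

```python
import re
from datetime import datetime, timezone

# Constructed sample logs (documentation IP ranges, no real hosts)
FIREWALL_LOG = """\
2024-03-04 10:00:01 DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2024-03-04 10:00:02 DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2024-03-04 10:00:05 ALLOW src=203.0.113.7 dst=192.0.2.10 dport=443
"""
WEB_LOG = """\
198.51.100.4 - - [04/Mar/2024:10:00:06 +0000] "GET / HTTP/1.1" 200 1024
203.0.113.7 - - [04/Mar/2024:10:00:07 +0000] "GET /admin HTTP/1.1" 403 512
"""

FW_RE = re.compile(r"^(\S+ \S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)$')


def parse_firewall(text):
    """Firewall lines carry no zone; the example assumes the device logs in UTC."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # skip lines in an unexpected format rather than guessing
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "source": "firewall", "src": m.group(3),
                       "denied": m.group(2) == "DENY",
                       "detail": f"{m.group(2)} {m.group(4)}:{m.group(5)}"})
    return events


def parse_web(text):
    """Common Log Format timestamps include an offset, so %z handles the zone."""
    events = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        status = int(m.group(5))
        events.append({"ts": ts, "source": "web", "src": m.group(1),
                       "denied": status >= 400,
                       "detail": f"{m.group(3)} {m.group(4)} -> {status}"})
    return events


def build_timeline(firewall_text, web_text):
    """Merge both sources into one list ordered by (tz-aware) timestamp."""
    events = parse_firewall(firewall_text) + parse_web(web_text)
    return sorted(events, key=lambda e: e["ts"])


def denied_counts(timeline):
    """Blocked firewall connections plus HTTP 4xx/5xx responses, per source address."""
    counts = {}
    for e in timeline:
        if e["denied"]:
            counts[e["src"]] = counts.get(e["src"], 0) + 1
    return counts


if __name__ == "__main__":
    tl = build_timeline(FIREWALL_LOG, WEB_LOG)
    for e in tl:
        print(e["ts"].isoformat(), e["source"], e["src"], e["detail"])
    print(denied_counts(tl))
```

The timezone handling is the part most often got wrong in practice: the firewall's naive timestamps are explicitly tagged as UTC before sorting, because Python refuses to compare naive and aware datetimes and, worse, a silently mis-zoned source would put events in the wrong order on the timeline presented in the report.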

6. Writing Computer Forensics Reports

A good report is the final product of the investigation.

● Must be:
  1. Accurate: Factually correct.
  2. Objective: Unbiased, presenting only the facts found.
  3. Clear: Avoids excessive technical jargon.
  4. Complete: Includes all relevant findings, both incriminating and exonerating.
● Typical Structure:
  1. Case Summary: High-level overview.
  2. Investigator Details: Who performed the investigation.
  3. Evidence Handled: A list of all items (e.g., "1x Dell Laptop, S/N: XYZ...").
  4. Methodology: The tools and procedures used.
  5. Findings: The detailed analysis and timeline of what was discovered.
  6. Conclusion: A brief summary of the factual findings.

Part 2: Auditing and ISMS

1. Auditing

● Definition: An audit is a systematic, independent, and documented process for obtaining evidence and evaluating it objectively to determine if the audit criteria are met.
● Purpose: To verify that an organization is following its own policies, industry standards, or legal regulations. It identifies non-compliance and areas for improvement.
● Audit Criteria: This is the "rulebook" or "checklist" you are auditing against. Examples:
  ○ An internal company password policy.
  ○ A legal requirement like HIPAA (for healthcare).
  ○ A formal standard like ISO 27001.

2. Plan an Audit (Against a Set of Audit Criteria)

Planning is the most critical phase of an audit.

1. Define Audit Objectives & Scope:
  ○ Objective: Why are we auditing? (e.g., "To verify compliance with the company's new remote access policy.")
  ○ Scope: What are we auditing? (e.g., "The HR and Finance departments," "The main database server," "The period from Jan 1 to Mar 31.")
2. Identify Audit Criteria: Determine the exact rules you will be testing against (e.g., "ISO 27001, Annex A.9," or "Company Password Policy, v2.1").
3. Form the Audit Team: Select auditors who are independent of the department being audited (you can't audit your own work).
4. Create the Audit Plan: This is the schedule.
  ○ When will the audit happen?
  ○ Who will be interviewed?
  ○ What systems will be tested?
  ○ When are the opening and closing meetings?
5. Prepare Checklists: Based on the criteria, create checklists and interview questions to guide the evidence-gathering process.

3. Information Security Management System (ISMS)

● Definition: An ISMS is a holistic management framework of policies, procedures, processes, and systems that manage an organization's information security risks.
● It's not just technology. An ISMS combines People, Processes, and Technology to protect information.
● Goal: To establish, implement, operate, monitor, review, maintain, and continually improve information security.
● Model: Most ISMS frameworks are built on the Plan-Do-Check-Act (PDCA) cycle:
  ○ Plan: Identify assets, assess risks, and select security controls.
  ○ Do: Implement the selected controls.
  ○ Check: Monitor the controls, conduct internal audits, and review their effectiveness.
  ○ Act: Take corrective actions to fix any problems and make improvements to the ISMS.

4. Introduction to ISO 27001:2013

● What is it? ISO 27001 is the leading international standard that specifies the requirements for an ISMS.
● ISO 27001 is the "rulebook" for building an ISMS. Organizations can be formally audited and certified as "ISO 27001 compliant."
● 2013 is the version year of the standard (a new version, 2022, has since been released, but 2013 is still widely used and tested on).

Key Structure of ISO 27001:2013

● Clauses 4-10 (The Requirements): These are the mandatory "shalls" an organization must do to be compliant.
  ○ Clause 4: Context of the Organization (understanding the business).
  ○ Clause 5: Leadership (getting management buy-in).
  ○ Clause 6: Planning (this is where Risk Assessment happens).
  ○ Clause 7: Support (resources, competence, awareness).
  ○ Clause 8: Operation (implementing the risk plan).
  ○ Clause 9: Performance Evaluation (monitoring, internal audits).
  ○ Clause 10: Improvement (fixing non-conformities).
● Annex A (The Controls):
  ○ This is a "catalog" of 114 reference security controls grouped into 14 domains (e.g., A.9 Access Control, A.10 Cryptography, A.12 Operations Security).
  ○ An organization does not have to implement all 114 controls.
  ○ It must use its Risk Assessment (from Clause 6) to choose which controls from Annex A are necessary.

Module 5: Cyber Ethics and Laws

1. Introduction to Cyber Laws

● Definition: Cyber Law (or Internet Law) is the part of the legal system that deals with legal issues related to the internet and cyberspace. It covers a broad range of topics, including data protection, intellectual property, cybercrime, and electronic commerce.
● Why is it needed?
  ○ Borderless Nature: The internet is global, but laws are national (jurisdictional). Cyber laws help define which laws apply to an online activity.
  ○ Anonymity: It's easier for criminals to hide their identity online. Cyber laws provide mechanisms for tracking and prosecuting them.
  ○ New Types of Crime: It addresses crimes that don't exist in the physical world, like data theft, hacking, and denial-of-service (DoS) attacks.
  ○ Digital Evidence: It provides a legal framework for collecting and using digital evidence in court (as seen in Module 4).

2. E-Commerce and E-Governance

● E-Commerce (Electronic Commerce):
  ○ Definition: The buying and selling of goods or services using the internet (e.g., Amazon, Flipkart).
  ○ Legal Aspects: Cyber laws provide the legal foundation for E-Commerce by:
    ■ Validating Electronic Contracts: Ensuring that a contract signed or agreed to online (e.g., clicking "I Agree") is as legally binding as a paper one.
    ■ Securing Electronic Payments: Regulating payment gateways and protecting consumer financial data.
    ■ Consumer Protection: Providing recourse for online fraud or non-delivery of goods.
● E-Governance (Electronic Governance):
  ○ Definition: The use of Information and Communication Technology (ICT) by the government to deliver public services and information to citizens (e.g., paying taxes online, applying for a passport, accessing land records).
  ○ Legal Aspects: Cyber laws (like India's IT Act) enable E-Governance by:
    ■ Recognizing Digital Signatures: Giving digital signatures the same legal status as handwritten signatures, allowing for an official, paperless workflow.
    ■ Data Protection: Mandating that government bodies securely handle and protect citizens' sensitive personal data.
    ■ Authenticating Documents: Providing a framework for issuing and verifying official electronic documents.

3. Certifying Authority (CA) and Controller (CCA)

This is the trust framework for Digital Signatures (which are different from electronic signatures).

● Digital Signature Certificate (DSC): An electronic file that serves as a digital "ID card" or "passport." It proves your identity in an online transaction and is issued by a Certifying Authority.
● Certifying Authority (CA):
  ○ Role: A CA is a trusted third party (like eMudhra, Sify) that is licensed to issue, manage, revoke, and renew Digital Signature Certificates (DSCs) to individuals and organizations.
  ○ Function: Before issuing a DSC, the CA verifies the applicant's identity (like a passport office verifies your identity before issuing a passport). This ensures that the person using the digital signature is truly who they claim to be.
● Controller of Certifying Authorities (CCA):
  ○ Role: This is the government body (under the IT Act in India) that regulates the CAs.
  ○ Function: The CCA's job is to license, audit, and oversee the CAs. It's the "boss" of the CAs, ensuring they follow the standards and are trustworthy.

Certifying Authority (CA) Hierarchy: (diagram not reproduced in this extract)
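The trust chain this section describes, together with the legal recognition of digital signatures under E-Governance above, as an added example in Go (not code from the original notes, and not any real CA's software): it builds a constructed root, a licensed CA beneath it and a subscriber's DSC with the Go standard library, verifies that the DSC chains to the trusted root, rejects a DSC issued outside that chain, and signs and verifies a document with the subscriber's private key. The root above the CA, the certificate names, serial numbers and one-day validity are assumptions made for the example; the notes do not say who operates the root in the CCA framework, and the CCA's licensing and auditing of CAs is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// caUsage marks a certificate that may sign other certificates.
const caUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature

// Hierarchy is a constructed trust chain: root trust anchor -> licensed CA ->
// subscriber's Digital Signature Certificate (DSC). Names are made up; not real CAs.
type Hierarchy struct {
	Root, CA, DSC *x509.Certificate
	DSCKey        *ecdsa.PrivateKey // the subscriber's private key, never shared
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template is a minimal certificate valid for one day; a CertSign usage makes it a CA.
func template(serial int64, cn string, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ku&x509.KeyUsageCertSign != 0,
		KeyUsage:              ku,
	}
}

// issue signs tmpl with the parent's key; parent == tmpl gives a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildHierarchy plays root, CA and subscriber in turn (a real CA verifies the
// applicant's identity before the last step).
func BuildHierarchy() Hierarchy {
	rootKey, caKey, dscKey := mustKey(), mustKey(), mustKey()
	rootT := template(1, "Example Root (constructed)", caUsage)
	root := issue(rootT, rootT, &rootKey.PublicKey, rootKey)
	ca := issue(template(2, "Example Licensed CA (constructed)", caUsage), root, &caKey.PublicKey, rootKey)
	dsc := issue(template(3, "Example Subscriber (constructed)", x509.KeyUsageDigitalSignature), ca, &dscKey.PublicKey, caKey)
	return Hierarchy{Root: root, CA: ca, DSC: dsc, DSCKey: dscKey}
}

// VerifyDSC checks that dsc was issued by ca and that ca chains to a root the
// relying party trusts; a DSC from a CA outside that chain fails here.
func VerifyDSC(dsc, ca, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(ca)
	_, err := dsc.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// Sign produces the subscriber's digital signature over doc (SHA-256 + ECDSA).
func Sign(key *ecdsa.PrivateKey, doc []byte) []byte {
	h := sha256.Sum256(doc)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// VerifySignature checks sig over doc using only the public key inside the DSC.
func VerifySignature(dsc *x509.Certificate, doc, sig []byte) bool {
	pub, ok := dsc.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	h := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

Calling BuildHierarchy twice gives two chains whose CAs carry the same name but different keys; a DSC from the second chain fails VerifyDSC against the first chain's root, which is the point of the hierarchy: a relying party trusts a DSC only because it can be traced, signature by signature, to a root it already trusts, not because the issuer's name looks right.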

4. Offences and Penalties under the IT Act, 2000 (India)

The Information Technology Act, 2000 (and its amendments, especially in 2008) is the primary cyber law in India. It defines cybercrimes and their punishments.

● General: "Offences" refer to criminal acts, while "Contraventions" often refer to civil wrongs (which result in a financial penalty or "damages" rather than jail time).

Here are some of the most important sections:

● Section 43: Penalty and Compensation for Damage to Computer, Computer System, etc.
  ○ What it is (Civil Offence): This section deals with unauthorized access and damage without criminal intent.
  ○ Acts Covered:
    ■ Accessing or downloading data without permission.
    ■ Introducing a virus or malware.
    ■ Damaging a computer system or network.
    ■ Denial of Service (DoS) attacks.
    ■ Stealing or destroying data.
  ○ Penalty: The offender must pay financial damages (compensation) to the person affected.
● Section 65: Tampering with Computer Source Code
  ○ What it is (Criminal Offence): Knowingly or intentionally concealing, destroying, or altering the source code of a computer program when it is required to be kept.
  ○ Penalty: Imprisonment up to 3 years or a fine up to ₹2 lakh (or both).
● Section 66: Computer Related Offences (Hacking)
  ○ What it is (Criminal Offence): This is the main "hacking" section. It applies when a person commits any act under Section 43 (unauthorized access, data theft, etc.) but with fraudulent or dishonest intent.
  ○ Penalty: Imprisonment up to 3 years or a fine up to ₹5 lakh (or both).
● Section 66B: Punishment for Dishonestly Receiving Stolen Computer Resource or Communication Device
  ○ What it is (Criminal Offence): The digital equivalent of "receiving stolen goods": knowingly receiving a stolen laptop, mobile phone, or stolen data.
  ○ Penalty: Imprisonment up to 3 years or a fine up to ₹1 lakh (or both).
● Section 66C: Punishment for Identity Theft
  ○ What it is (Criminal Offence): Fraudulently or dishonestly using someone else's electronic signature, password, or other unique identification feature.
  ○ Penalty: Imprisonment up to 3 years and a fine.
● Section 67: Punishment for Publishing or Transmitting Obscene Material in Electronic Form
  ○ What it is (Criminal Offence): Publishing or transmitting any material that is "lascivious or appeals to the prurient interest" (i.e., obscene) online.
  ○ Penalty (for first conviction): Imprisonment up to 3 years and a fine up to ₹5 lakh. Penalties are higher for subsequent convictions.

5. Intellectual Property Rights (IPR) in Cyberspace

Intellectual Property (IP) refers to creations of the mind (inventions, literary/artistic works, symbols, names). Protecting IP in cyberspace is challenging due to the ease of copying and distribution.

● Copyright:
  ○ What it Protects: Original works of expression, such as software code, website content (text and graphics), e-books, music, and videos.
  ○ Cyberspace Issues:
    ■ Software Piracy: Unauthorized copying and distribution of software.
    ■ Digital Piracy: Illegal downloading/streaming of music and movies (e.g., via torrents).
    ■ Website Content Theft: Copying text or images from one website and using them on another.
● Trademark:
  ○ What it Protects: Brand identifiers, such as logos, slogans, and names (e.g., the "Google" logo, Nike's "Just Do It").
  ○ Cyberspace Issues:
    ■ Cybersquatting: Registering a domain name (e.g., [Link]) that is a famous trademark, with the intent of selling it to the company for a high price.
    ■ Phishing: Using a well-known brand's logo and name in an email to trick users.
● Patent:
  ○ What it Protects: Inventions and functional processes (e.g., Amazon's "1-Click" shopping).
  ○ Cyberspace Issues: This is a highly complex area, involving patents for software algorithms, business methods, and other digital processes.

6. At Network Layer - IPSec (Internet Protocol Security)

(Note: This is a technical network security topic, distinct from the legal topics above.)

● What it is: IPSec is a suite of protocols that secures data communications over an IP network (like the internet).
● Layer: It operates at the Network Layer (Layer 3) of the OSI model.
● Main Goal: To provide security directly between two computers (hosts) or two networks (gateways), making the connection private and secure. It is the technology that most VPNs (Virtual Private Networks) are built on.

IPSec provides the CIA Triad (from Module 1) for network traffic:

1. Confidentiality (Encryption):
  ○ It encrypts the data packets themselves.
  ○ If a "sniffer" (from Module 2) intercepts the traffic, it will only see unreadable, scrambled data.
  ○ Protocol: ESP (Encapsulating Security Payload) is used for this.
2. Integrity (Hashing):
  ○ It ensures that the data was not altered in transit.
  ○ It adds a "digital fingerprint" (hash) to the packet. The receiving computer checks this fingerprint. If it doesn't match, the packet is discarded.
  ○ Protocol: Both ESP and AH (Authentication Header) can provide this.
3. Authentication (Proof of Origin):
  ○ It verifies that the packets are coming from the trusted source they claim to be from.
  ○ This prevents attackers from spoofing their identity.
  ○ Protocol: AH (Authentication Header) is used for this.

IPSec has two modes of operation:

● Transport Mode: Encrypts only the payload (the actual data) of the packet. The packet header (with source/destination IP) is visible.
  ○ Use Case: Securing a connection between two end computers (e.g., your PC and a web server).
● Tunnel Mode: Encrypts the entire original packet (both data and header) and puts it inside a new IP packet.
  ○ Use Case: Creating a secure "tunnel" between two entire networks (e.g., connecting a branch office's network to the main corporate network). This is the most common mode for VPNs.
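The three services and the two modes above, as an added example in Go (not code from the original notes, and not a real IPSec implementation): a toy packet model with an ESP-like path (AES-GCM, so encryption and the integrity "fingerprint" come together) in transport and tunnel mode, and an AH-like path (HMAC-SHA256 over header and payload, with no encryption). The packet layout, the length-prefixed inner header in tunnel mode, the key sizes and the omission of the SPI, sequence numbers and anti-replay checking are simplifications assumed here; what the code reproduces is the behaviour the notes describe: a packet whose fingerprint does not match is discarded, transport mode leaves the header visible, tunnel mode hides the inner header, and AH detects a spoofed header while leaving data readable. It is not the RFC 4302/4303 wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Packet is a toy stand-in for an IP packet (clear header + payload), not the real wire format.
type Packet struct {
	Header  []byte
	Payload []byte
}

// SA is a simplified security association shared by both peers: an AES-GCM cipher for
// ESP and an HMAC-SHA256 key for AH (real SAs also hold an SPI, sequence counters, lifetimes).
type SA struct {
	aead   cipher.AEAD
	macKey []byte
}

func NewSA(encKey, macKey []byte) (*SA, error) {
	block, err := aes.NewCipher(encKey) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // cannot fail for an AES block
	return &SA{aead: aead, macKey: macKey}, err
}

// espSeal encrypts data; the GCM tag is the "fingerprint" the receiver checks. Layout: nonce | ciphertext+tag.
func (sa *SA) espSeal(data []byte) []byte {
	nonce := make([]byte, sa.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return sa.aead.Seal(nonce, nonce, data, nil)
}

// espOpen reverses espSeal; any change to nonce, ciphertext or tag makes Open
// fail ("message authentication failed"), and the caller discards the packet.
func (sa *SA) espOpen(blob []byte) ([]byte, error) {
	n := sa.aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("truncated ESP packet")
	}
	return sa.aead.Open(nil, blob[:n], blob[n:], nil)
}

// Transport mode: the original header stays visible; only the payload is protected.
func (sa *SA) ProtectTransport(p Packet) Packet {
	return Packet{Header: p.Header, Payload: sa.espSeal(p.Payload)}
}
func (sa *SA) OpenTransport(p Packet) (Packet, error) {
	pt, err := sa.espOpen(p.Payload)
	return Packet{Header: p.Header, Payload: pt}, err
}

// Tunnel mode: the whole original packet is encrypted and carried inside a new packet
// addressed between the gateways, hiding the inner addresses (toy framing: 1-byte length prefix).
func (sa *SA) ProtectTunnel(p Packet, gatewayHeader []byte) Packet {
	inner := append([]byte{byte(len(p.Header))}, p.Header...)
	return Packet{Header: gatewayHeader, Payload: sa.espSeal(append(inner, p.Payload...))}
}
func (sa *SA) OpenTunnel(p Packet) (Packet, error) {
	inner, err := sa.espOpen(p.Payload)
	if err != nil {
		return Packet{}, err
	}
	if len(inner) == 0 || int(inner[0]) >= len(inner) {
		return Packet{}, errors.New("malformed inner packet")
	}
	n := 1 + int(inner[0])
	return Packet{Header: inner[1:n], Payload: inner[n:]}, nil
}

// ahTag is the AH "fingerprint": a keyed MAC over the header and the payload.
func (sa *SA) ahTag(hdr, data []byte) []byte {
	m := hmac.New(sha256.New, sa.macKey)
	m.Write(hdr)
	m.Write(data)
	return m.Sum(nil)
}

// AH: no encryption. The tag proves origin and integrity, so a spoofed source
// address or altered data is detected while the payload stays readable.
func (sa *SA) ProtectAH(p Packet) Packet {
	return Packet{Header: p.Header, Payload: append(sa.ahTag(p.Header, p.Payload), p.Payload...)}
}
func (sa *SA) OpenAH(p Packet) (Packet, error) {
	if len(p.Payload) < sha256.Size {
		return Packet{}, errors.New("truncated AH packet")
	}
	tag, data := p.Payload[:sha256.Size], p.Payload[sha256.Size:]
	if !hmac.Equal(tag, sa.ahTag(p.Header, data)) {
		return Packet{}, errors.New("AH integrity check failed, packet discarded")
	}
	return Packet{Header: p.Header, Payload: data}, nil
}
```

The design point worth noticing is why ESP covers both confidentiality and integrity in one step: AES-GCM refuses to decrypt at all when the tag does not match, so a flipped byte anywhere in the ciphertext never yields data to the application, which is exactly the "if it doesn't match, the packet is discarded" rule above. AH, by contrast, binds the header into its tag, so changing the source address invalidates the packet even though nothing is encrypted.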
