1-5CF

The document discusses computer forensics, focusing on data recovery, backup challenges, and the role of forensics in law enforcement. It outlines the steps taken by computer forensics specialists to recover and analyze evidence from digital devices, as well as the types of forensic technologies used in military, law enforcement, and business contexts. Additionally, it highlights the importance of preserving computer evidence and the various forensic services available for data recovery and investigation.

Uploaded by zukakiarimota

COMPUTER FORENSIC EVIDENCE & CAPTURE

1.10 Data Recovery Defined

➢ Data recovery is the process in which highly trained engineers evaluate and extract data from damaged media and return it in an intact format.

➢ Many people, even computer experts, fail to recognize data recovery as an option during a data crisis. But it is possible to retrieve files that have been deleted and passwords that have been forgotten, or to recover entire hard drives that have been physically damaged.

1.11 Data Back-up and Recovery

Back-up Obstacles

➢ Back-up Window: The back-up window is the period of time when back-ups can be run. The back-up window is generally timed to occur during nonproduction periods when network bandwidth and CPU utilization are low.

➢ Network bandwidth: If a network cannot handle the impact of transporting hundreds of gigabytes of data over a short period of time, the organization’s centralized backup strategy is not viable.

➢ System throughput: Three I/O bottlenecks are commonly found in traditional backup schemes. These are:

1. The ability of the system being backed up to push data to the backup server

2. The ability of the backup server to accept data from multiple systems
simultaneously

3. The available throughput of the tape device(s) onto which the data is moved

3rd sem Cyber Forensics

Module-1

#Computer Forensics Fundamentals

*Computer Forensics:-Computer forensics, also referred to as computer forensic analysis, electronic discovery, electronic evidence discovery, digital discovery, data recovery, data discovery, computer analysis, and computer examination, is the process of examining computer media (hard disks, diskettes, tapes, etc.) for evidence.
-In other words, computer forensics is the collection, preservation, analysis, and
presentation of computer-related evidence.
-Computer evidence can be useful in criminal cases, civil disputes, and human
resources/employment proceedings.
-Computer forensics is primarily used for two separate purposes, investigation and data
recovery.
-Computer forensics is the face of modern investigations.
-When a crime is committed and an investigation is started, one of the more common places
to look for clues is the computer or cell phone of a suspect.
-This is where a computer forensics professional enters the picture.
-When a suspect has been identified and their personal computer or cell phone taken into
evidence, a computer forensics professional goes searching for data that is relevant to the
investigation.
-Aside from working to collect evidence, computer forensics professionals can also work in
data recovery.
-When it comes to data recovery, forensics professionals can take broken hard drives,
crashed servers and other compromised devices and retrieve the data that was previously
lost.
-The objective in computer forensics is quite straightforward. It is to recover, analyze, and present computer-based material in such a way that it is usable as evidence in a court of law.

*Use of Computer Forensics in Law Enforcement (9 marks) :-If there is a computer on the premises of a crime scene, the chances are very good that there is valuable evidence on that computer.
-If the computer and its contents are examined (even if very briefly) by anyone other than a
trained and experienced computer forensics specialist, the usefulness and credibility of that
evidence will be lost.
-Computer forensics tools and techniques have proven to be a valuable resource for law
enforcement in the identification of leads and in the processing of computer-related
evidence.
-Computer forensics tools and techniques have become important resources for use in
internal investigations, civil lawsuits, and computer security risk management.
-Law enforcement and military agencies have been involved in processing computer
evidence for years.
-The uses of computer forensics in law enforcement are:
● Recovering deleted files such as documents, graphics, and photos.
● Searching unallocated space on the hard drive, places where an abundance of data
often resides.
● Tracing artifacts, those tidbits of data left behind by the operating system.
-Our experts know how to find these artifacts and, more importantly, they know how
to evaluate the value of the information they find.
● Processing hidden files — files that are not visible or accessible to the user — that
contain past usage information.
-Often, this process requires reconstructing and analyzing the date codes for each file
and determining when each file was created, last modified, last accessed and when
deleted.
● Running a string-search for e-mail, when no e-mail client is obvious.

Q) 5W’s ?
-Who, what, where, when and why?

*Steps taken by Computer Forensics Specialists (5 marks ):-The computer forensics specialist should take several careful steps to identify and attempt to retrieve possible evidence that may exist on a subject’s computer system.
-The steps taken by computer forensics specialists are:
1. Protect:- the subject computer system during the forensic examination from any
possible alteration, damage, data corruption, or virus introduction.
2. Discover:- all files on the subject system. This includes existing normal files, deleted
yet remaining files, hidden files, password-protected files, and encrypted files.
3. Recover:- all (or as much as possible) of discovered deleted files.
4. Reveal:- (to the greatest extent possible) the contents of hidden files as well as
temporary or swap files used by both the application programs and the operating
system.
5. Access:- the contents of protected or encrypted files.
6. Analyze:- all possibly relevant data found in special (and typically inaccessible) areas
of a disk.
7. Print out:- an overall analysis of the subject computer system, as well as a listing of
all possibly relevant files and discovered file data.
8. Provide an opinion of the system layout:- the file structures discovered; any
discovered data and authorship information; any attempts to hide, delete, protect,
and encrypt information; and anything else that has been discovered and appears to
be relevant to the overall computer system examination.
9. Provide expert consultation:- and/or testimony, as required.

* Scientific method in Computer Forensic Analysis:-

#Types of Computer Forensic Technology (9mark):-There are 3 types of computer forensics technology. They are:
1. Military computer forensic technology
2. Law enforcement computer forensic technology
3. Business computer forensic technology
1. Types of Military computer forensic Technology:-Key objectives of cyber forensics include rapid discovery of evidence, estimation of the potential impact of the malicious activity on the victim, and assessment (evaluation) of the intent and identity of the criminal.
-Real-time tracking of potentially malicious activity is especially difficult when relevant data has been purposefully altered, removed, or buried in order to avoid being discovered.
-So the National Law Enforcement and Corrections Technology Centre (NLECTC) works with criminal justice professionals to find a technology.

-The result of their partnership was Computer Forensics Experiment 2000 (CFX-2000).
-They conducted an experiment with a realistic cyber crime scenario specifically designed to exercise and show the value of the technology used.
-The central hypothesis of CFX-2000 is that it is possible to accurately determine the motives, intent, targets, sophistication, identity, and location of cyber criminals and cyber terrorists.
-The NLECTC assembled a diverse group of computer crime investigators from DoD
and federal, state, and local law enforcement to participate in the CFX-2000
exercise hosted by the New York State Police’s Forensic Investigative Center in Albany,
New York.
-The cyber forensic tools involved in CFX-2000 consisted of commercial off-the-shelf software and directorate-sponsored R&D prototypes.
-The Synthesizing Information from Forensic Investigations (SI-FI) integration environment, developed under contract by WetStone Technologies, Inc. [2], was the main component of the technology.
-SI-FI supports the collection, examination, and analysis processes in a cyber
forensic investigation.
-The SI-FI prototype uses digital evidence bags (DEBs), which are secure and tamper-proof containers used to store digital evidence.
-The CFX-2000 results confirmed that the hypothesis was mostly accurate and that it is possible to determine the identity and purpose of cybercriminals.
-In order to be ready for any kind of cyber attacks and investigations, researchers
must maintain a strong focus on the study and development of cyber forensic
technologies as electronic technology continues to grow quickly.

2. Types of Law enforcement Computer Forensic Technology:-Computer forensics tools and techniques have become important resources for use in internal investigations, civil lawsuits, and computer security risk management.
-Law enforcement and military agencies have been using computer evidence for
years.
-Computer forensics tools and techniques have proven to be a valuable resource
for law enforcement in the identification of leads and in the processing of computer
related evidence.

(The remainder of Types of Law Enforcement Computer Forensic Technology is the Computer Evidence Processing Procedures below.)

→Computer Evidence Processing Procedures:-Processing procedures and methodologies should conform to federal computer evidence processing standards.
-These were developed for the U.S. Treasury Department.

A. Preservation of Evidence:-Computer evidence is fragile and can be changed or deleted by a variety of events.
-Computer evidence can be useful in criminal cases, civil disputes, and human
resources/ employment proceedings.
-Black box computer forensics software tools are good for some basic
investigation tasks, but they do not offer a full computer forensics solution.
-SafeBack software overcomes some of the evidence weaknesses of black box
computer forensics approaches.
-SafeBack technology has become a worldwide standard in making mirror
image backups since 1990.
-(SafeBack is used to create mirror-image (bit-stream) backup files of hard disks or to make a mirror-image copy of an entire hard disk drive or partition. SafeBack image files cannot be altered or modified.)

Q)What is mirror backup?
-A mirror backup is an exact copy of the selected folders and files from the source being backed up.
-Mirror backups are unique in that when you delete a file from the
source, that file will eventually be deleted on the mirror backup.

B. Disk Structure:-Computer forensic experts must understand how computer hard disks and floppy diskettes are structured.
-And where the computer evidence can exist in different layers of the disk's
structure.
-They should also demonstrate their knowledge of how to modify the
structure and hide data in deep places on floppy diskettes and hard disk
drives.
C. Data Encryption:-Computer forensic experts should become familiar with the
use of software to crack security connected with the different file structures.
D. Matching a Diskette to a Computer:-google
E. Data Compression:-Computer forensic experts should become familiar with
how compression works and how compression programs can be used to hide
and mask sensitive data.
-And also learn how password-protected compressed files can be broken.
F. Erased Files:-Computer forensic experts should become familiar with how previously erased files can be recovered by using DOS programs and by manually using data-recovery techniques, and should be familiar with cluster chaining.
G. Internet Abuse Identification and Detection:-Computer forensic experts
should become familiar with how to use specialized software to identify a
targeted computer that has been used on the Internet.
-This process will focus on the data that the computer user probably doesn’t
realize exists (file slack, unallocated file space, and Windows swap files).
H. The Boot Process and Memory Resident Programs:-Computer forensic
experts should become familiar with how the operating system can be
modified to change data and destroy data.
-For example, this technology could be used to secretly record business leaders using their keyboards.

3. Types of Business Computer Forensic Technology:- These are the types of business computer forensics technology.

A. Remote monitoring of target computers:-Data Interception by Remote Transmission (DIRT) is a powerful remote control monitoring tool that allows quiet monitoring of all activity on one or more target computers simultaneously from a remote command center.
-No physical access is necessary.
-The application also allows agents to remotely seize and secure digital evidence prior to physically entering suspect premises.

B. Creating trackable electronic documents:-There are many powerful intrusion detection tools.
-Binary Audit Identification Transfer (BAIT) is a powerful intrusion detection tool that allows users to create trackable electronic documents.
-BAIT identifies (including their location) unauthorized intruders who access,
download, and view these tagged documents.
-BAIT also allows security personnel to trace the chain of custody and chain of
command of all who possess the stolen electronic documents.

C. Theft recovery software for laptops and PCs:-If your PC or laptop is stolen, is it smart enough to tell you where it is?
-According to a recent FBI report, 98% of stolen computers are never recovered. According to Safeware Insurance, 1,201,000 PCs and laptops were stolen in 2002 and 2003, costing owners $7.8 billion [9]. According to a recent joint Computer Security Institute/FBI survey, 72% of the Fortune 1000 companies experienced laptop theft [9].
→What is the Real Cost of a Stolen Laptop or PC?
-When you lose your wallet, the last thing you think of is how much it is going to cost to replace your wallet.
-The same is true when equipment (especially a computer) is stolen.
➢ The price of the replacement hardware.
➢ The price of replacing the software.
➢ The cost of recreating data. If possible at all, do you keep perfect
back-ups?
➢ The cost of lost production time or instruction time.
➢ The loss of customer goodwill (lost faxes, delayed correspondence or
billings, problems answering questions and accessing data).
➢ The cost of reporting and investigating the theft, filing police reports
and insurance claims.
➢ The cost of increased insurance.
➢ The cost of processing and ordering replacements, cutting a check,
and the like.
➢ If a thief is ever caught, the cost of time involved in prosecution.

-PC PhoneHome is a software application that will track and locate a lost or stolen PC or laptop anywhere in the world.
-It is easy to install.
-It is also completely transparent to the user.
-If your PC PhoneHome-protected computer is lost or stolen, all you need to
do is make a report to the local police and call CD’s 24-hour command center.
-CD’s recovery specialists will assist local law enforcement in the recovery of
your property.
D. Basic forensic tools and techniques:- (no need to explain)
E. Forensic services available (3 marks) :-The forensic services available are:
➢ Lost password and file recovery
➢ Location and retrieval of deleted and hidden files
➢ File and email decryption
➢ Email supervision and authentication
➢ Threatening email traced to source
➢ Identification of Internet activity
➢ Computer usage policy and supervision
➢ Remote PC and network monitoring
➢ Tracking and location of stolen electronic files
➢ Honeypot sting operations
➢ Location and identity of unauthorized software users
➢ Theft recovery software for laptops and PCs
➢ Investigative and security software creation
➢ Protection from hackers and viruses.

#Types of Computer Forensic System (9 mark):- Following are the types of computer forensic system.
1. Internet security systems
2. Intrusion detection systems
3. Firewall security systems
4. Biometric security systems
5. Network disaster recovery systems
6. Public key infrastructure security systems
7. Wireless network security systems

1. Internet security systems (9 mark):-Talking about internet and network security is something that many managers and executives fear doing.
-They believe that talking about their security procedures and guidelines will make
their businesses more open to intrusion.
-Because of this lack of communication, some executives are not completely aware
of the numerous security technology advancements and developments that allow
businesses to securely take full advantage of the benefits and capabilities of the
Internet and intranets.
-Ironically, Internet security can provide a more secure solution, as well as one
that is faster and less expensive than traditional solutions to security problems of
employees photocopying proprietary information, faxing or mailing purchase orders,
or placing orders by phone.
→Internet Security System Principles and Architecture:-The first step in formulating a corporate Internet security strategy involves crafting a high-level management policy statement that provides an organization's security framework and context.
-The Internet security procedures that are required to protect a company's systems,
networks, transactions, and data must be specified in this policy.
-The next step is to start a systematic analysis of the assets of an organization,
determining the value of information, or the possible damage to reputation when
it is disclosed and possible risks.
-This step is no more difficult than the risk management that a corporation is already
facing every day.
-Most businesses already have clearly established what information is valuable, who
should have access to it, and who has responsibility for protecting it, as the Internet
security hierarchy in Figure shown below.

-Information such as trade secrets, vault and authorization codes, and lock and key information is clearly of a mission-critical nature, and its accidental disclosure could cause severe loss to a business or operation.
-In addition to Internet security, attention should also be given to physical security (restricting the use of modems and removable media and controlling access to devices).
-Departmental information is typically data that is private to a particular
department, such as payroll information in finance and medical records in personnel.
-Company private information varies from company to company but typically
consists of information that should only be disclosed to employees and partners of
a company, such as policy and procedure manuals.
-Public information is information such as product information, brochures, and
catalogs that needs to be freely available to anyone.
-Customers and other interested parties are frequently given access to this
information over the Internet.
-Implementing an Internet security policy has its price.
-The more security desired, the greater the cost required to provide it.
-The cost of providing security increases with the required level of protection.
2. Intrusion detection systems (9 mark):-IDS observes network traffic for malicious
transactions and sends immediate alerts when it is observed.
-It is software that checks a network or system for malicious activities or policy
violations.
-Each illegal activity or violation is often recorded either centrally using a SIEM system or notified to an administrator.
-IDS monitors a network or system for malicious activity and protects a computer network from unauthorized access.
-The intrusion detector's task is to build a predictive model (i.e. a classifier) capable of distinguishing between ‘bad connections’ (intrusions/attacks) and ‘good (normal) connections’.

→Classification of Intrusion Detection System/types of IDS:- There are five types of IDS: network-based, host-based, protocol-based, application protocol-based and hybrid.
-The two most common types of IDS are (explaining just these two is enough):
➢ Network Intrusion Detection System (NIDS):-It is a system that analyzes incoming traffic.
-Once an attack is identified or abnormal behavior is observed, the alert can
be sent to the administrator.
➢ Host Intrusion Detection System (HIDS):-It is a system that monitors
important operating system (OS) files.

→Detection Method of IDS:-
➢ Signature-based Method:-It detects the attacks on the basis of the specific
patterns such as the number of bytes or a number of 1s or the number of 0s
in the network traffic.
-It also detects the already known malicious instruction sequence that is used
by the malware.
-The detected patterns in the IDS are known as signatures.
-Signature-based IDS can easily detect the attacks whose pattern (signature)
already exists in the system but it is quite difficult to detect new malware
attacks as their pattern (signature) is not known.
➢ Anomaly-based Method:-It was introduced to detect unknown malware
attacks as new malware is developed rapidly.
-In anomaly-based IDS there is the use of machine learning to create a
trustful activity model and anything coming is compared with that model and
it is declared suspicious if it is not found in the model.
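The two detection methods above are easiest to compare by running both over the same traffic. The script below is an added example for these notes, not code from the notes or from any IDS product: it parses constructed web-server log lines in Common Log Format, applies two signature rules, and builds a simple per-source volume baseline from a known-good window so that a source whose request rate is far above baseline is flagged even though no signature matches it. The rules, the z-score threshold and the `signature_alerts`, `build_baseline`, `anomaly_alerts` and `run` names are assumptions of the example; a production anomaly model would use many more features than request count.

```python
import re
import statistics
from collections import Counter

# Signature side: patterns for attacks we already know. Constructed for the example.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"(?i)'\s*or\s*'1'\s*=\s*'1"),
}

# Common Log Format, e.g.  10.0.0.1 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def signature_alerts(lines):
    """One alert per (source, signature) hit. Misses anything without a known pattern."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        for name, rx in SIGNATURES.items():
            if rx.search(rec["path"]):
                alerts.append((rec["ip"], name))
    return alerts


def build_baseline(lines):
    """Anomaly side: learn the per-source request volume of known-good traffic."""
    counts = Counter(r["ip"] for r in map(parse, lines) if r)
    values = list(counts.values())
    return {"mean": statistics.mean(values), "stdev": statistics.pstdev(values) or 1.0}


def anomaly_alerts(baseline, lines, z=3.0):
    """Flag sources whose volume is more than z standard deviations above baseline."""
    counts = Counter(r["ip"] for r in map(parse, lines) if r)
    threshold = baseline["mean"] + z * baseline["stdev"]
    return sorted((ip, n) for ip, n in counts.items() if n > threshold)


def _line(ip, path, status=200):
    # Constructed log line in Common Log Format (timestamp is a fixed placeholder).
    return f'{ip} - - [01/Jan/2024:10:00:00 +0000] "GET {path} HTTP/1.1" {status}'


# Constructed training window: five sources, two to four requests each.
BASELINE_LOG = (
    [_line("10.0.0.1", "/")] * 3 + [_line("10.0.0.2", "/about")] * 3
    + [_line("10.0.0.3", "/docs")] * 4 + [_line("10.0.0.4", "/")] * 2
    + [_line("10.0.0.5", "/login")] * 3
)

# Constructed observation window: normal browsing, one traversal attempt that a
# signature catches, and a password-guessing burst that only the anomaly model sees.
OBSERVED_LOG = (
    [_line("10.0.0.1", "/"), _line("10.0.0.1", "/static/../../config.ini", 404),
     _line("10.0.0.1", "/docs")]
    + [_line("10.0.0.2", "/about")] * 2
    + [_line("10.0.0.9", "/login", 401)] * 40
)


def run():
    baseline = build_baseline(BASELINE_LOG)
    return signature_alerts(OBSERVED_LOG), anomaly_alerts(baseline, OBSERVED_LOG)


if __name__ == "__main__":
    print(run())
```

The baseline here has mean 3 and population standard deviation about 0.63, so the threshold is roughly 4.9 requests per source: the 40-request burst from 10.0.0.9 is flagged with no signature involved, while the single traversal request from 10.0.0.1 is caught only by the signature rule. That is the trade-off the notes describe: signatures are precise but blind to the unknown, the anomaly model catches the unknown but needs a trustworthy baseline and a tuned threshold.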
3. Firewall security systems (9 mark):-A Firewall is a network security device that
monitors and filters incoming and outgoing network traffic based on an
organization’s security policies.
-A firewall is essentially the barrier that sits between a private internal network and
the public Internet.
- A firewall’s main purpose is to allow non-threatening traffic in and to keep
dangerous traffic out.
-A firewall is a cybersecurity tool that filters network traffic and helps users block
malicious software from accessing it.

→Types of Firewalls:- following are the types of firewalls
➢ Packet filtering:-A packet filtering firewall is used to control network access by monitoring outgoing and incoming packets and allowing them to pass or stop based on source and destination IP address, protocols, and ports.
-Packet filtering firewalls treat each packet in isolation.
-They have no ability to tell whether a packet is part of an existing stream of traffic.
-They can only allow or deny packets based on the individual packet's headers.
-A packet filtering firewall maintains a filtering table that decides whether the packet will be forwarded or discarded.

➢ Proxy service:-A proxy server firewall caches, filters, logs, and controls
requests from devices to keep networks secure and prevent access to
unauthorized parties and cyberattacks.
-A proxy server is often considered part of a firewall, which prevents
unauthorized access and connections.
-The proxy is more of a mediator that establishes connections between users
and networks.

➢ Stateful inspection:-Stateful firewalls are able to determine the connection state of a packet, unlike packet filtering firewalls, which makes them more efficient.
➢ Next Generation Firewall (NGFW):-Next Generation Firewalls are being deployed to stop modern security breaches like advanced malware attacks and application-layer attacks.
-They use Deep Packet Inspection to protect the network from these modern threats.
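The difference between the packet filtering and stateful inspection entries above is concrete enough to run. The script below is an added example for these notes, not code from the notes or from any firewall product: a filtering table of ordered rules evaluated per packet, and a stateful variant that adds a connection table so replies to flows the policy allowed get through without a separate inbound rule. The rule format, the CIDR-based matching, the TEST-NET address 203.0.113.10 and the `PacketFilter`, `StatefulFirewall` and `compare` names are assumptions of the example; real stateful engines also track TCP flags and time entries out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"          # CIDR the source must fall in
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None     # None = any destination port
    proto: str = "any"

    def matches(self, p: Packet) -> bool:
        return (
            ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
            and (self.dport is None or self.dport == p.dport)
            and (self.proto == "any" or self.proto == p.proto)
        )


class PacketFilter:
    """Stateless filter: first matching rule wins, otherwise the default action."""

    def __init__(self, rules, default="deny"):
        self.rules = list(rules)
        self.default = default

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return self.default


class StatefulFirewall(PacketFilter):
    """Same rule table, plus a connection table so replies to allowed flows pass."""

    def __init__(self, rules, default="deny"):
        super().__init__(rules, default)
        self.connections = set()

    def decide(self, p: Packet) -> str:
        # A packet travelling in the reverse direction of a known flow is a reply.
        if (p.dst, p.src, p.dport, p.sport, p.proto) in self.connections:
            return "allow"
        action = super().decide(p)
        if action == "allow":
            self.connections.add((p.src, p.dst, p.sport, p.dport, p.proto))
        return action


# Constructed policy: the 10.0.0.0/24 LAN may open HTTPS connections outward; nothing else.
RULES = [Rule("allow", src="10.0.0.0/24", dport=443, proto="tcp")]

# Constructed traffic (203.0.113.10 is a TEST-NET address standing in for a web server).
OUTBOUND = Packet("10.0.0.7", "203.0.113.10", 51000, 443)
REPLY = Packet("203.0.113.10", "10.0.0.7", 443, 51000)
UNSOLICITED = Packet("203.0.113.10", "10.0.0.8", 443, 51000)


def compare():
    """Run the same three packets through both designs, in order."""
    stateless = PacketFilter(RULES)
    stateful = StatefulFirewall(RULES)
    packets = (OUTBOUND, REPLY, UNSOLICITED)
    return {
        "stateless": [stateless.decide(p) for p in packets],
        "stateful": [stateful.decide(p) for p in packets],
    }


if __name__ == "__main__":
    print(compare())
```

With only the stateless table, the server's reply is dropped because no rule allows inbound traffic from the Internet; the usual workaround is a broad inbound rule for high ports, which is exactly the kind of hole stateful inspection removes. The stateful variant allows the reply because it matches a flow it saw leave, while the unsolicited packet to a different host, identical in every header except the destination, is still denied.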

→Advantages of using Firewall:-These are the main advantages of a firewall.
● Protection from unauthorized access
● Prevention of malware and other threats
● Control of network access
● Monitoring of network activity
● Enhanced privacy
● Policy enforcement
● Controlled access to the site.

4. Biometric security systems(9 mark):-It is a technology that extracts information out of biological or behavioral patterns of a person to recognize a particular person.
-Its most common current use is physical access control, such as fingerprint recognition, because of its lower price.
-A biometric system is subject to many malicious attacks, which can be performed by various forms of threats.
-Malicious attacks on a biometric machine are a security concern and degrade the system's performance.
-A biometric system has various limitations like spoof attacks, noisy sensor data, intraclass variations, interclass similarity, etc.
-These attacks are relevant to any biometric system that is to be analyzed, and countermeasures are to be taken while designing the biometric system.
-The different attacks in biometrics systems are as follow:
➢ Fake Biometric
➢ Spoofing the Feature set
➢ Template Tampering Attack
➢ Trojan horse attack etc..

→Biometric Authentication:-It is a way to verify, beyond a doubt, that a person is who they say they are.
-It performs this verification by checking biological or behavioral characteristics.
-For example: facial recognition, voice recognition, DNA matching, retina scanning, etc.
→Types of Biometric System:-Physiological and Behavioural Biometric Identification
are the two primary forms of Biometric Identification.

I. Physiological:-It is a biological pattern found on or in the human body, such as a face, fingerprints, iris pattern, DNA, hand geometry, etc.
II. Behavioral:-Behavioral patterns, however, develop over time and become consistent characteristics, such as handwriting, voice, gait, and typing rhythm.

→Disadvantages of Biometric System:- (already written at the front; writing that is enough, or it is in the notes (the notes are good).)

5. Network disaster recovery systems(3 mark):-Modern organizations have to operate on a 24/7 basis in order to stay competitive in the market.
-It is important to create a disaster recovery (DR) plan so as to ensure that your
business can continue to operate even during a DR event.
-However, a lot of companies forget how important network disaster recovery is
while creating DR plans.
-A network disaster recovery plan includes a set of procedures required to effectively
respond to a disaster that affects a network and causes disturbance.
-The main purpose of network disaster recovery is to ensure that business services
can be delivered to customers even if there was a network connectivity issue.
-However, disasters come in different forms and sizes, which makes it hard to predict
what their impact would be, which network components would be affected, and how
many resources would be required to restore network connectivity.

→Possible Causes of Network Failures:-Various factors can lead to network failure. They are:
➢ Hardware failure:- Network equipment such as routers, switches, modems,
gateways, or any other device can fail and, as a result, affect the performance
of all other devices connected to them.
➢ Cascading failure:- A single network consists of multiple routers, nodes, or
switches.
-One of those network components might become overloaded and stop
working, which can trigger a cascade of failures within a single network.
➢ Issues with the internet connection:- Failure to set up an internet connection
can cause problems with network connectivity and interrupt data transfer.
➢ Human errors:- Sometimes, network connectivity problems might be the
result of mistakes made by employees when working with network
equipment or manually configuring network components.
➢ Network attacks:- Network services can get disrupted after a cyber-attack,
whose aim is to prevent the organization from delivering its services, forcing
it to shut down.
➢ Natural or man-made disaster:- Disasters of any type can significantly
damage or even destroy your production center and virtual infrastructure,
thus causing significant business losses.
-A network disaster recovery plan is so important because an organization cannot function properly if one of its system components stops working.
-Without network services, a company cannot properly execute its business
operations and move data within the infrastructure.
-Network disaster recovery can be a challenging task because even a single error can
disrupt the entire DR process.

6. Public key infrastructure security systems (PKI):-PKI (or Public Key Infrastructure) is
the framework of encryption and cybersecurity that protects communications
between the server (your website) and the client (the users).
-PKI is essential in building a trusted and secure business environment by being able
to verify and exchange data between various servers and users.
-The most distinct feature of Public Key Infrastructure (PKI) is that it uses a pair of keys to achieve the security service.
-The key pair comprises a private key and a public key.
-(For the rest, if needed, look it up on Google.)
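The "pair of keys" idea is clearer with the two operations it enables side by side: anyone holding the public key can encrypt for, or verify a signature from, the holder of the private key, and only the private key can decrypt or sign. The script below is an added example for these notes, not code from the notes or from any PKI library: textbook RSA with no padding, built from two constructed primes (the Mersenne primes 2^31-1 and 2^61-1, chosen only because they are easy to write down) so the arithmetic runs in plain Python. The `generate_keypair`, `encrypt`, `decrypt`, `sign` and `verify` names are assumptions; real PKI uses keys of 2048 bits or more, randomly generated primes, and padding schemes such as OAEP and PSS, and it binds the public key to an identity through a certificate, which this example does not model.

```python
import hashlib
from math import gcd

# Constructed primes for illustration only; real keys use large random primes.
P = 2**31 - 1
Q = 2**61 - 1


def generate_keypair(p=P, q=Q, e=65537):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime with phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public, message: bytes) -> int:
    """Anyone with the public key can encrypt; only the private key can undo it."""
    n, e = public
    m = int.from_bytes(message, "big")
    if not 0 < m < n:
        raise ValueError("message must be smaller than the modulus (no padding here)")
    return pow(m, e, n)


def decrypt(private, ciphertext: int) -> bytes:
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(private, message: bytes) -> int:
    """Only the private key holder can produce this value for the message's hash."""
    n, d = private
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(h, d, n)


def verify(public, message: bytes, signature: int) -> bool:
    """Anyone with the public key can check the signature against the hash."""
    n, e = public
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == h


if __name__ == "__main__":
    pub, priv = generate_keypair()
    c = encrypt(pub, b"PKI demo")
    print(decrypt(priv, c))                      # b'PKI demo'
    s = sign(priv, b"contract v1")
    print(verify(pub, b"contract v1", s))        # True
    print(verify(pub, b"contract v2", s))        # False
```

Encrypt/decrypt gives confidentiality toward the key holder and sign/verify gives integrity and origin from the key holder; both follow from the same pair, which is why the public half can be published freely while the private half must never leave its owner.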

7. Wireless network security systems:-Wireless security is the protection of wireless networks, devices and data from unwanted access and breaches.
-It involves a variety of strategies and practices designed to preserve it.
-It is a subset of network security that adds protection for a wireless computer
network.
-Without sufficient security measures, unauthorized users can easily gain access to a
wireless network, steal sensitive data, and disrupt network operations.
-To prevent unwanted access and protect data in transit, wireless connections must
be secured with strong authentication procedures, encryption protocols, access
control rules, intrusion detection and prevention systems, and other security
measures.
-By securing wireless connections, your organization’s data is protected and you
maintain the trust of customers and partners.
-The first and one of the most important steps toward securing a wireless network is to encrypt the wireless network by setting a proper password; otherwise anyone can access it.
-Enable Access control rules to determine which people or devices are permitted to
connect to the network and what degree or level of access they have.
-Securing the physical components of the wireless network (routers, access points,
and other devices), so that no one can access and tamper with them.
-Updating the router’s firmware is a good move towards a secure wireless network.
-Firmware updates fix known bugs and provide security updates.

___________________________________________________________________________
➢ Lack-of Resources: Many companies fail to make appropriate
investments in data protection until it is too late.

1.12 The Role of Back-up in Data Recovery

There are many factors that affect back-up. For example:

➢ Storage costs are decreasing: The cost per megabyte of primary (online) storage has fallen dramatically over the past several years and continues to do so as disk drive technologies advance.

➢ Systems have to be on-line continuously: Because systems must be
continuously online, the dilemma becomes that you can no longer take files
offline long enough to perform backup.

➢ The role of Back-up has changed: The role of backup now includes
the responsibility for recovering user errors and ensuring that good data has
been saved and can quickly be restored.

CONVENTIONAL TAPE BACK-UP IN TODAY’S MARKET

✓ A typical tape management system consists of a dedicated workstation
with the front-end interfaced to the network and the back-end controlling a
repository of tape devices. The media server runs tape management software. It
can administer backup devices throughout an enterprise and can run continuous
parallel backups and restores.

✓ An alternative to tape backup is to physically replicate or mirror all data
and keep two copies online at all times. The advantage is that the data does not
have to be restored, so there are no issues with immediate data availability.

ISSUES WITH TODAY’S BACK-UP

✓ NETWORK BACKUP creates network performance problems. Using
the production network to carry backup data, as well as for normal user
data access, can severely overburden today’s busy network resources.
✓ OFFLINE BACKUP affects data accessibility. The time that the host
is offline for data backup must be minimized. This requires extremely high-
speed, continuous parallel backup of the raw image of the data.
✓ LIVE BACKUPS allow data access during the backup process but
affect performance. The downside to the live backup is that it puts a tremendous
burden on the host.
✓ MIRRORING doesn’t protect against user error and replication of bad
data. Fully replicated online data sounds great, albeit at twice the cost per
megabyte of a single copy of online data.

NEW ARCHITECTURES AND TECHNIQUES ARE REQUIRED

✓ Backup at extremely high speed is required. Recovery must be available
at file level. The time that systems are off-line for back-up must be eliminated.
✓ Remote hot recovery sites are needed for immediate resumption of data
access. Backup of critical data is still required to ensure against data errors and
user errors.
✓ To achieve effective backup and recovery, the decoupling of data from its storage
space is needed.

✓ It is necessary to develop techniques to journal modified pages, so that
journaling can be invoked within the primary storage device, without host
intervention.
✓ Part of the primary storage area must be set aside for data to be backed
up. This area must be as large as the largest backup block. We should have fast
nonrandom restoration of critical data.

1.13 The Data Recovery Solution


SHRINKING EXPERTISE, GROWING COMPLEXITY

a. The complex systems that have evolved over the past 30 years must be
monitored, managed, controlled, and optimized. But most of the bright
young graduates this term haven’t had much exposure to mainframe
concepts.

b. Backups often take place while an application is running. Application
changes take place on the fly. If an outage occurs, the company stands
to lose tens of thousands of dollars an hour.
FAILURES:
Disk storage is more reliable than ever, but hardware failures are still possible. A simple mistake
can be made by an application programmer, system programmer, or operations person. Logic
errors in programs or application of the wrong update at the wrong time can result in a system
crash or worse. Disasters really do occur! Floods, tornadoes, earthquakes, tsunamis, and even
terrorism can strike. We must be ready.

BUDGETS AND DOWNTIME

We have fewer resources (people, processing power, time, and money) to do more work than
ever before, and we must keep our expenses under control. Systems must remain available to
make money and serve customers. Downtime is much too expensive to be tolerated.

RECOVERY: THINK BEFORE YOU BACK-UP

One of the most critical data-management tasks involves recovering data in the event of a
problem. You must evaluate your preparations, make sure that all resources are available in
usable condition, automate processes as much as possible, and make sure you have the right kind
of resources.

Evaluate your preparation

If all of the resources (image copies, change accumulations, and logs) are available at recovery
time, these preparations certainly allow for a standard recovery. Finding out at recovery time that
some critical resource is missing can be disastrous!
Don’t let your resources fall through the cracks
Identifying different types of conditions is critical to ensuring a successful recovery. Checking
your assets to make sure they’re ready should be part of your plan.

Automated Recovery

With proper planning and automation, recovery is made possible, reliance on specific personnel
is reduced, and the human-error factor is nearly eliminated.

Data integrity and your business rely on building recovery job control language (JCL). In the
event of a disaster, the Information Management System (IMS) recovery control (RECON) data
sets must be modified in preparation for the recovery.

Cleaning your RECON data sets can take hours if done manually, and it’s an error-prone process.

Make Recoveries Efficient

Multithreading tasks shorten the recovery process. Recovering multiple databases with one pass
through your log data certainly will save time. Taking image copies, rebuilding indexes, and
validating pointers concurrently with the recovery process further reduce downtime.

Take Back-ups

The first step to a successful recovery is the backup of your data. Your goal in backing up data
is to do so quickly, efficiently, and usually with minimal impact to your customers. You might
need only very brief outages to take instant copies of your data, or you might have intelligent
storage devices that allow you to take a snapshot of your data. Both methods call for tools to
assist in the management of resources.

BACK-UP AND RECOVERY SOLUTION

BMC software has developed a model called the Back-up and Recovery Solution (BRS) for the
Information Management System (IMS) product.

Image Copy

BRS contains an Image Copy component to help manage your image copy process.
BRS can take batch, on-line (fuzzy), or incremental image copies; Snapshot copies; or
Instant Snapshot copies.

The Image Copy component of BRS offers a variety of powerful features: dynamic allocation of
all input and output data sets, stacking of output data sets, high performance access methods (faster
I/O), copying by volume, compression of output image copies, and database group processing---
all while interfacing with DBRC and processing asynchronously.

Change Accumulation

The BRS Change Accumulation component takes advantage of multiple engines, large virtual
storage resources, and high-speed channels and controllers that are available in many
environments.

Use of multiple task control block (TCB) structures enables overlapping of as much processing as
possible, reducing both elapsed and CPU time.

Recovery

→ The BRS Recovery component, which functionally replaces the IMS Database Recovery
utility for full-function (DL/I) databases and data-entry databases (DEDBs), allows
recovery of multiple databases with one pass of the log and change accumulation data
sets while dynamically allocating all data sets required for recovery.

→ BRS recovers multiple databases to any point in time. BRS can determine the best choice
for a Point-in-Time (PIT) recovery. Full DBRC support includes:
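As an added illustration (not BMC’s code, nor anything from these notes) of how an image copy, a change log, change accumulation and point-in-time recovery fit together, here is a toy page store in Python; the database names, page contents and sequence numbers are constructed:

```python
import copy
from dataclasses import dataclass


@dataclass
class LogRecord:
    seq: int     # log sequence number, increases with every update
    db: str      # database name
    page: int    # page number that was changed
    data: bytes  # after-image of the page


@dataclass
class ImageCopy:
    db: str
    pages: list
    seq: int     # log position when the copy was taken (an on-line, "fuzzy" copy)


class PageStore:
    """Constructed stand-in for the primary storage device: several databases,
    each an array of pages, plus one shared log that journals every change."""

    def __init__(self, page_counts):
        self.databases = {db: [b""] * n for db, n in page_counts.items()}
        self.log = []
        self.next_seq = 1

    def write(self, db, page, data):
        """Apply an update and journal it; returns its log sequence number."""
        seq = self.next_seq
        self.databases[db][page] = data
        self.log.append(LogRecord(seq, db, page, data))
        self.next_seq += 1
        return seq

    def image_copy(self, db):
        """Take an image copy without stopping updates; it is tagged with the
        log position so later changes can be replayed on top of it."""
        return ImageCopy(db, copy.deepcopy(self.databases[db]), self.next_seq - 1)


def change_accumulation(log, upto_seq):
    """One pass over the log keeps only the newest after-image of each page up
    to the chosen point in time: the change accumulation data set."""
    acc = {}
    for rec in log:
        if rec.seq <= upto_seq:
            acc[(rec.db, rec.page)] = (rec.seq, rec.data)
    return acc


def recover(image_copies, acc):
    """Recover several databases in one go: start from each image copy and
    apply only the accumulated changes that are newer than that copy."""
    restored = {}
    for ic in image_copies:
        pages = list(ic.pages)
        for (db, page), (seq, data) in acc.items():
            if db == ic.db and seq > ic.seq:
                pages[page] = data
        restored[ic.db] = pages
    return restored


def user_error_scenario():
    """Constructed scenario: a bad update wipes a page. A mirror would copy the
    damage, but image copy plus log allow recovery to just before the error.
    Returns (state recovered to before the error, state recovered to now)."""
    store = PageStore({"CUST": 2, "ORD": 2})
    store.write("CUST", 0, b"alice")        # seq 1
    store.write("ORD", 0, b"order-1")       # seq 2
    cust_copy = store.image_copy("CUST")    # copy taken at seq 2
    store.write("CUST", 1, b"bob")          # seq 3, after the CUST copy
    ord_copy = store.image_copy("ORD")      # copy taken at seq 3
    store.write("ORD", 1, b"order-2")       # seq 4
    bad_seq = store.write("CUST", 0, b"")   # seq 5: user error wipes "alice"
    copies = [cust_copy, ord_copy]
    before_error = recover(copies, change_accumulation(store.log, bad_seq - 1))
    current = recover(copies, change_accumulation(store.log, bad_seq))
    return before_error, current
```

Recovering to `bad_seq - 1` shows why the notes say mirroring alone does not protect against user error: only the image copy plus the journaled changes can rebuild the state from before the bad update.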

RECOVERY MANAGER

→ Recovery Manager component lets you automate and synchronize recoveries
across applications and databases by creating meaningful groups of related databases and
creating optimized JCL to perform the recovery of these groups.
→ Recovery Manager component provides a positive response for the IMS
commands that are used to deallocate and start your databases.
→ Recovery Manager component fully automates the process of cleaning the RECON
data sets for restart following a disaster recovery.
→ Recovery Manager component also allows you to test your recovery strategy and
notifies you when media errors have jeopardized your recovery resources.
POINTER CHECKING

BRS offers the capability to verify the validity of database pointers through the Concurrent Pointer
Checking function for both full-function databases and Fast Path data-entry databases (DEDBs).

INDEX REBUILD

If indexes are ever damaged or lost, the Index Rebuild function of BRS allows you to rebuild them
rather than recover them.

RECOVERY ADVISOR

The Recovery Advisor component of BRS allows you to monitor the frequency of your image
copies and change accumulations.

It helps you to determine whether all your databases are being backed-up. By using any number
of back-up and recovery tools available, you can better manage your world and be ready to
recover!

Unit-II
EVIDENCE COLLECTION AND DATA SEIZURE
2.1 Why Collect Evidence?

The simple reasons for collecting evidence are:

→ Future Prevention: Without knowing what happened, you have no hope of ever being
able to stop someone else from doing it again.

→ Responsibility: The attacker is responsible for the damage done, and the only way to bring
him to justice is with adequate evidence to prove his actions. The victim has a
responsibility to the community. Information gathered after a compromise can be
examined and used by others to prevent further attacks.

2.2 Collection Options

Once a compromise has been detected, you have two options:

→ Pull the system off the network and begin collecting evidence: In this case you may find
that you have insufficient evidence or, worse, that the attacker left a dead man switch that
destroys any evidence once the system detects that it’s offline.

→ Leave it online and attempt to monitor the intruder: you may accidentally alert the
intruder while monitoring and cause him to wipe his tracks any way necessary, destroying
evidence as he goes.

2.3 Obstacles

→ Computer transactions are fast; they can be conducted from anywhere, can be encrypted or
anonymous, and have no intrinsic identifying features such as handwriting and signatures to
identify those responsible.

→ Any paper trail of computer records they may leave can be easily modified or destroyed,
or may be only temporary.

→ Auditing programs may automatically destroy the records left when computer
transactions are finished with them.

→ Investigating electronic crimes will always be difficult because of the ease of altering the
data and the fact that transactions may be done anonymously.

→ The best we can do is to follow the rules of evidence collection and be as assiduous as
possible.

2.4 Types of Evidence

➢ Real Evidence: Real evidence is any evidence that speaks for itself without relying on
anything else. In electronic terms, this can be a log produced by an audit function— provided
that the log can be shown to be free from contamination.

➢ Testimonial Evidence: Testimonial evidence is any evidence supplied by a witness. As
long as the witness can be considered reliable, testimonial evidence can be almost as
powerful as real evidence.

➢ Hearsay: Hearsay is any evidence presented by a person who was not a direct witness.
Hearsay is generally inadmissible in court and should be avoided.

2.5 The Rules of Evidence

1. Admissible: Admissible is the most basic rule. The evidence must be able to be used in
court.

2. Authentic: You must be able to show that the evidence relates to the incident in a relevant
way.

3. Complete: It’s not enough to collect evidence that just shows one perspective of the
incident.

4. Reliable: Your evidence collection and analysis procedures must not cast doubt on the
evidence’s authenticity and veracity.

5. Believable: The evidence you present should be clearly understandable and believable to a
jury.

Using the preceding five rules, we can derive some basic do’s and don’ts:

• Minimize handling and corruption of original data: Once you’ve created a master copy
of the original data, don’t touch it or the original. Any changes made to the originals will
affect the outcomes of any analysis later done to copies.
• Account for any changes and keep detailed logs of your actions: Sometimes evidence
alteration is unavoidable. In these cases, it is absolutely essential that the nature, extent,
and reasons for the changes be documented.
• Comply with the five rules of evidence: Following these rules is essential to
guaranteeing successful evidence collection.
• Do not exceed your knowledge: If you ever find yourself “out of your depth,” either go
and learn more before continuing (if time is available) or find someone who knows the
territory.
• Follow your local security policy: If you fail to comply with your company’s security
policy, you may find yourself with some difficulties.
• Capture as accurate an image of the system as possible: Capturing an accurate image
of the system is related to minimizing the handling or corruption of original data.
• Be prepared to testify: If you’re not willing to testify to the evidence you have collected,
you might as well stop before you start. No one is going to believe you if they can’t
replicate your actions and reach the same results.
• Work fast: The faster you work, the less likely the data is going to change. Volatile
evidence may vanish entirely if you don’t collect it in time. If multiple systems are
involved, work in parallel.
• Proceed from volatile to persistent evidence: Always try to collect the most volatile
evidence first.
• Don’t shutdown before collecting evidence: You should never, ever shutdown a system
before you collect the evidence. Not only do you lose any volatile evidence, but also the
attacker may have trojaned the startup and shutdown scripts, plug-and-play devices may
alter the system configuration, and temporary file systems may be wiped out.
• Don’t run any programs on the affected system: The attacker may have left trojaned
programs and libraries on the system; you may inadvertently trigger something that could
change or destroy the evidence you’re looking for.

2.6 Volatile Evidence

Always try to collect the most volatile evidence first. An example order of volatility
would be:

1. Registers and cache
2. Routing tables
3. ARP cache
4. Process table
5. Kernel statistics and modules
6. Main memory
7. Temporary file systems
8. Secondary memory
9. Router configuration
10. Network topology

2.7 General Procedure

✓ Identification of Evidence: You must be able to distinguish between evidence and junk
data.
✓ Preservation of Evidence: The evidence you find must be preserved as close as
possible to its original state.
✓ Analysis of Evidence: Analysis requires in-depth knowledge of what you are looking
for and how to get it.
✓ Presentation of Evidence: The manner of presentation is important, and it must be
understandable by a layman to be effective.

2.8 Collection and Archiving

Once we’ve developed a plan of attack and identified the evidence that needs to be
collected.

Logs and Logging: You should run some kind of system logging function. It is
important to keep these logs secure and to back them up periodically. Messages and logs
from programs can be used to show what damage an attacker did.

Monitoring: By monitoring we can gather statistics, watch out for irregularities, and trace
where an attacker is coming from and what he is doing. Unusual activity or the sudden
appearance of unknown users should be considered definite cause for closer inspection.
You should display a disclaimer stating what monitoring is done when users log on.

2.9 Methods of Collection

There are two basic forms of collection: freezing the scene and honeypotting.

Freezing the Scene

✓ It involves taking a snapshot of the system in its compromised state. You should then start
to collect whatever data is important onto removable nonvolatile media in a standard
format.

✓ All data collected should have a cryptographic message digest created, and those digests
should be compared to the originals for verification.

Honeypotting

✓ It is the process of creating a replica system and luring the attacker into it for further
monitoring.
✓ The placement of misleading information and the attacker’s response to it is a good
method for determining the attacker’s motives.

2.10 Artifacts

➢ There is almost always something left behind by the attacker be it code fragments,
trojaned programs, running processes, or sniffer log files. These are known as artifacts.

➢ Never attempt to analyze an artifact on the compromised system.

➢ Artifacts are capable of anything, and we want to make sure their effects are controlled.

2.11 Collection Steps

1. Find the Evidence: Use a checklist. Not only does it help you to collect evidence, but it
also can be used to double-check that everything you are looking for is there.

2. Find the Relevant Data: Once you’ve found the evidence, you must figure out
what part of it is relevant to the case.

3. Create an Order of Volatility: The order of volatility for your system is a good
guide and ensures that you minimize loss of uncorrupted evidence.

4. Remove external avenues of change: It is essential that you avoid alterations to the
original data.

5. Collect the Evidence: Collect the evidence using the appropriate tools for the job.

6. Document everything: Collection procedures may be questioned later, so it is
important that you document everything you do. Timestamps, digital signatures, and
signed statements are all important.

2.12 Controlling Contamination: The Chain of Custody
Once the data has been collected, it must be protected from contamination. Originals
should never be used in forensic examination; verified duplicates should be used.

A good way of ensuring that data remains uncorrupted is to keep a chain of custody. This
is a detailed list of what was done with the original copies once they were collected.

Analysis

➢ Once the data has been successfully collected, it must be analyzed to extract the
evidence you wish to present and to rebuild what actually happened.

Time

➢ To reconstruct the events that led to your system being corrupted, you must be
able to create a timeline.
➢ Never, ever change the clock on an affected system.

Forensic Analysis of Back-ups

➢ When we analyze back-ups, it is best to have a dedicated host for the job. We need a
dedicated host which is secure, clean and isolated from any network for analyzing back-
ups.

➢ Document everything you do. Ensure that what you do is repeatable and capable of
always giving the same results.

Reconstructing the Attack

After collecting the data, we can attempt to reconstruct the chain of events leading to and
following the attacker’s break-in. We must correlate all the evidence we have gathered.
Include all of the evidence we’ve found when reconstructing the attack---no matter how small
it is.

Searching and Seizing

There is no one methodology for performing a computer forensic investigation and analysis.

There are too many variables for there to be just one way. Some of the typical variables that come
to mind include operating systems; software applications; cryptographic algorithms and
applications; and hardware platforms. But moving beyond these obvious variables spring
other equally challenging variables: law, international boundaries, publicity, and
methodology.

There are a few widely accepted guidelines for computer forensic analysis:

✓ A computer forensic examiner is impartial. Our job is to analyze the media and report
our findings with no presumption of guilt or innocence.
✓ The media used in computer forensic examinations must be sterilized before each use.

✓ A true image (bit stream) of the original media must be made and used for the analysis.

✓ The integrity of the original media must be maintained throughout the entire investigation.
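An added example, not from these notes, that ties the digest check from freezing the scene (2.9), the “document everything” step (2.11) and the chain of custody (2.12) to the bit-stream image guideline above; the device contents, file names and handler names are all constructed:

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 4096
GENESIS = "0" * 64  # "previous hash" carried by the first custody entry


def sha256_of(path):
    """Cryptographic message digest of a file, read block by block."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source_path, image_path):
    """Bit-stream copy of the original, then re-read the copy from disk and
    compare digests; the copy may be used only if they match."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            dst.write(chunk)
    original, image = sha256_of(source_path), sha256_of(image_path)
    return original, image, original == image


class ChainOfCustody:
    """Append-only JSON-lines log of who did what with which item and when,
    with the item's digest at that moment. Each entry hashes the previous
    entry, so editing or removing an entry is detectable later."""

    def __init__(self, log_path):
        self.log_path = log_path

    def entries(self):
        if not os.path.exists(self.log_path):
            return []
        with open(self.log_path) as f:
            return [json.loads(line) for line in f if line.strip()]

    @staticmethod
    def _hash(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, item, action, handler, digest):
        entries = self.entries()
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),  # timestamp
            "item": item,
            "action": action,
            "handler": handler,
            "digest": digest,
            "prev": entries[-1]["entry_hash"] if entries else GENESIS,
        }
        entry["entry_hash"] = self._hash(entry)
        with open(self.log_path, "a") as f:
            f.write(json.dumps(entry, sort_keys=True) + "\n")
        return entry

    def verify(self):
        """True only if every entry's hash and back-link are intact."""
        prev = GENESIS
        for entry in self.entries():
            if entry["prev"] != prev or self._hash(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def item_unchanged(self, item, path):
        """Compare the item's current digest with the last one recorded."""
        recorded = [e for e in self.entries() if e["item"] == item]
        return bool(recorded) and sha256_of(path) == recorded[-1]["digest"]


def demo():
    """Constructed walk-through: image a 'device', log the handling, then show
    that a later modification of the working copy is caught by the digest."""
    work = tempfile.mkdtemp()
    device = os.path.join(work, "suspect-disk.bin")  # stands in for seized media
    image = os.path.join(work, "suspect-disk.dd")
    with open(device, "wb") as f:
        f.write(b"constructed evidence bytes\x00" * 1000)
    coc = ChainOfCustody(os.path.join(work, "custody.jsonl"))
    original, copy_digest, ok = acquire_image(device, image)
    coc.record("suspect-disk", "seized", "examiner A", original)
    coc.record("suspect-disk", "imaged", "examiner A", copy_digest)
    intact_before = ok and coc.verify() and coc.item_unchanged("suspect-disk", image)
    with open(image, "r+b") as f:  # simulate accidental contamination of the copy
        f.seek(0)
        f.write(b"X")
    return intact_before, coc.item_unchanged("suspect-disk", image), coc.verify()
```

The example re-reads the image from disk rather than trusting the bytes it just wrote, which is the point of comparing digests against the original, and it works on a copy so the original is never touched.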

Before the Investigation

→ For the sake of the first argument, you must have skilled technicians in-house and a top-notch
lab: the right equipment, the right computer forensic tools, and so on.

→ District attorneys may require more documentation on the chain of evidence handling.

→ When you have a case arise, you know what is required and can work the case from the
inception in support of these requirements.
Methodology Development

• Define your methodology, and work according to this methodology.

• Here methodology defines a method, a set of rules: guidelines that are employed by a
discipline.

Document Everything

The chain of evidence is very important in computer forensic investigations. If resources
allow, have two computer forensic personnel assigned to each case every step of the way.
Important in the documentation are the times and dates steps were taken; the names of those
involved; and under whose authority the steps were taken.

Evidence Search and Seizure

Prior to search and seizure, you should already have the proper documents filed as well as permission
from the authority to search and seize the suspect’s machine.

Step 1: Preparation

You should check all media that is to be used in the examination process. Document the
wiping and scanning process. Check to make sure that all computer forensic tools are licensed
for use and all lab equipment is in working order.

Step 2: Snapshot

We should photograph the scene, whether it is a room in a home or in a business. You should
also note the scene. Take advantage of your investigative skills here. Note pictures, personal
items, and the like. Photograph the actual evidence. For example, the evidence is a PC in a
home office. Take a photograph of the monitor. Remove the case cover carefully and
photograph the internals.

Step 3: Transport

If you have the legal authority to transport the evidence to your lab, you should pack the
evidence securely. Photograph/videotape and document the handling of evidence leaving the
scene to the transport vehicle and from transport vehicle to the lab examination facility.

Step 4: Examination

You should prepare the acquired evidence for examination in your lab. There are many

Module 03

Conducting Digital Investigation


The goal of any investigation is to uncover and present the truth. This goal is the same for all forms of
investigation whether it be in pursuit of a murderer in the physical world or trying to track a computer
intruder online.

A digital investigation is a process to answer questions about digital states and events. The basic digital
investigation process frequently occurs by all computer users when they, for example, search for a file on
their computer. They are trying to answer the question "what is the full address of the file named
important.doc?". In general, digital investigations may try to answer questions such as "does file X exist?",
"was program Y run?", or "was the user Z account compromised?".

A digital forensic investigation is a special case of a digital investigation where the procedures and
techniques that are used will allow the results to be entered into a court of law.

The digital investigation process involves formulating and testing hypotheses about the state of a computer.
We must formulate hypotheses because we cannot directly observe digital events and states and therefore
we do not know facts. We must use tools to observe the state of digital data, which makes them indirect
observations. This is similar to being told about something instead of seeing it for yourself. The methods
used to formulate and test the hypotheses can make the investigation process a scientific one.

Digital evidence is data that supports or refutes a hypothesis that was formulated during the investigation.
This is a general notion of evidence and may include data that may not be court admissible because it was
not properly or legally acquired.

Digital investigations
Digital investigations inevitably vary depending on technical factors such as the type of computing or
communications device, whether the investigation is in a criminal, civil, commercial, military, or other
context, and case-based factors such as the specific claims to be investigated.

Digital investigation process


Despite this variation, there exists enough similarity between the ways digital investigations are undertaken
that commonalities may be observed. These commonalities tend to be observed from several perspectives,
with the primary ways being process, principles, and methodology.

Methodology
• Treat every case as if it will end up in the court.
• Forensics Methodology
• Acquire the evidence without altering or damaging the origin.
• Authenticate that your recovered evidence is the same as the originally seized data.
• Analyze the data without modifying it.

Forensic Computing
The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally
acceptable.

MCA302_CYBER FORENSICS | Page 1 | 37
Steps for Conducting Digital Investigation
The most common steps for conducting a complete and competent digital investigation are:

1. Preparation:
2. Survey/Identification:
3. Preservation:
4. Examination and Analysis:
5. Presentation:

1. Preparation
Generating a plan of action to conduct an effective digital investigation and obtaining supporting resources
and materials.

2. Survey/Identification:
Finding potential sources of digital evidence (e.g., at a crime scene, within an organization, or on the
Internet). Because the term identification has a more precise meaning in forensic science relating to the
analysis of an item of evidence, this process can be more clearly described as survey of evidence.

3. Preservation:
Preventing changes to in situ digital evidence, including isolating the system on the network, securing
relevant log files, and collecting volatile data that would be lost when the system is turned off. This step
includes subsequent collection or acquisition.

4. Examination and Analysis:
Searching for and interpreting trace evidence. Some process models use the terms examination and analysis
interchangeably.

• Forensic examination is the process of extracting and viewing information from the evidence and
making it available for analysis.
• In contrast, forensic analysis is the application of the scientific method and critical thinking to
address the fundamental questions in an investigation: who, what, where, when, how, and why.

5. Presentation:
Reporting of findings in a manner which satisfies the context of the investigation, whether it be legal,
corporate, military, or any other.

Digital Investigation Process Models


Process models
When attempting to conceive of a general approach to describe the investigation process within digital
forensics, one should make such a process generalizable. This led to the proposal of a number of models for
describing investigations, which have come to be known as “process models.”

Why Process models

Using a formalized methodology encourages a complete, rigorous investigation, ensures proper evidence
handling, and reduces the chance of mistakes created by preconceived theories, time pressures, and other
potential pitfalls.

Digital Investigation Process Models
1. Physical Model
2. Staircase Model
3. Evidence Flow Model
4. Subphase Model
5. Roles and Responsibilities Model

1. Physical Model
• A computer being investigated can be considered a digital crime scene and investigations as a subset
of the physical crime scene where it is located.
• Physical evidence may exist around a server that was attacked by an employee and usage evidence
may exist around a home computer that contains contraband.
• Furthermore, the end goal of most digital investigation is to identify a person who is responsible and
therefore the digital investigation needs to be tied to a physical investigation.

2. Staircase Model
Provides a practical and methodical approach to conducting an effective digital investigation (Casey &
Palmer, 2004). Digital investigators, forensic examiners, and attorneys work together to scale these steps
from bottom to top in a systematic, determined manner in an effort to present a compelling story after
reaching the final step of persuasion/testimony.

Although Figure 6.2 shows a linear progression of events, the steps in this process often proceed
simultaneously and it may be necessary to take certain steps more than once at different stages of an
investigation.

3. Evidence Flow Model

This model goes beyond the steps required to preserve and examine digital evidence, incorporating
nontechnical aspects of a digital investigation like authorization, notification, proof/defense, and
transportation of evidence.
The main goal of this model is to completely describe the flow of information in a digital investigation, from
the moment digital investigators are alerted until the investigation reaches its conclusion.

Evidence Flow Model


One weakness of this model is that it excludes certain steps that are present in other models such as the
return or destruction of evidence at the end of an investigation.

Furthermore, the terms used to describe each step are not clearly defined, making it difficult to compare
with other models. It excludes the preservation step present in other models because it is not considered
necessary or because it is treated as part of the collection process.

A further limitation of this model is that it does not define fundamental requirements or goals within each
step in an investigation.

4. Subphase Model
The top-level steps used in this model are preparation, incident response, data collection, data analysis,
findings presentation, and incident closure.

As a proof of concept, Beebe and Clark use the analysis process, providing three objectives-based subphases,
namely, survey, extract, and examine, with the following objectives for file system analysis:

1. Reduce the amount of data to analyze
2. Assess the skill level of the suspect(s)
3. Recover deleted files
4. Find relevant hidden data
5. Determine chronology of file activity
6. Recover relevant ASCII data
7. Recover relevant non-ASCII data
8. Ascertain Internet (non-e-mail) activity history
9. Recover relevant e-mail and attachments
10. Recover relevant “personal organizer” data
11. Recover printed documents
12. Identify relevant software applications and configurations
13. Find evidence of unauthorized system modification (e.g., Trojan applications)
14. Reconstruct network-based events

The analysis of digital evidence is more commonly viewed as a separate process that involves hypothesis
testing and event reconstruction among other things.

5. Roles and Responsibilities Model


The FORZA model ascends to an even higher level of abstraction by providing a framework of roles and
responsibilities in digital investigations.

The FORZA model is based on the Zachman Framework, which was created to assist with the design,
development, and management of enterprise IT architecture.

Fundamentally, the FORZA model defines eight roles and provides six fundamental questions that each role
must address in an investigation: who, what, how, when, where, and why.

This framework is useful for ensuring that all aspects of a complex digital investigation have been assigned to
the appropriate individual(s) and that the expectations for each role are outlined. Because FORZA does not
outline the process within each role, it is necessary to reference another process model for such details.

Scaffolding for digital investigations
When comparing the process models in the prior section, there are a number of discrepancies that are not
explained by variations in terminology or by how the investigative process has been dissected (separated).

These discrepancies, which include authorization and transportation, may be attributed to differences in
perspective, and are related to orthogonal concerns such as non-investigative occurrences and activities that
support the investigative process.

Although such occurrences and activities are not central to digital investigations, they provide necessary
scaffolding to help build a solid case. This scaffolding also includes accusation/alert, threshold
considerations, and case management.

Without an initial notification in the form of an accusation or alert, there is nothing to investigate. Then, in
many situations, digital investigators must obtain written authorization to proceed. In addition, digital
investigators will generally have to make some form of threshold assessment to decide what level of
attention to give a certain case relative to all of the other cases they are handling. Transportation may seem
like a minor issue until there is a problem such as lost or broken items containing digital evidence.
Verification of the accuracy and completeness of results is needed in each phase of an investigation.
Effective case management is one of the most important components of scaffolding, helping digital
investigators bind everything together into a strong case.

1. Accusation or Incident Alert
2. Authorization
3. Threshold Considerations
4. Transportation
5. Verification
6. Case Management

1. Accusation or Incident Alert

This step can be signaled by an alarm from an intrusion detection system, a system administrator reviewing
firewall logs, curious log entries on a server, or some combination of indicators from multiple security
sensors installed on networks and hosts.

This initial step can also be triggered by events in more traditional law enforcement settings. Citizens
reporting possible criminal activity will lead to investigative personnel being dispatched to a physical scene.

When presented with an accusation or automated incident alert, it is necessary to consider the source and
reliability of the information.

An intrusion detection system alert may only indicate an attempted, unsuccessful intrusion or it might be a
false alarm. Therefore, it is necessary to weigh the strengths, weaknesses, and other known nuances related
to the sources and include human factors as well as digital.

In addition, to assess an accusation or alert thoroughly, some initial fact gathering is usually necessary
before launching a full-blown investigation.

2. Authorization
Computer security professionals should obtain instructions and written authorization from their attorneys
before gathering digital evidence relating to an investigation within their organization.

As a rule, law enforcement should obtain a search warrant if there is a possibility that the evidence to be
seized requires a search warrant.
Treating authorization as a discrete step at the start of an investigation does not consider the need for
separate authorization to examine digital evidence or to disseminate information at the end of an
investigation.

3. Threshold Considerations
Those involved in investigative activities are usually busy with multiple cases or have competing duties that
require their attention.

Given that investigative resources are limited, they must be applied where they are needed most.

Therefore, digital investigators must establish thresholds in order to prioritize cases and make decisions
about how to allocate resources.

Threshold considerations vary with the associated investigative environment.

Applied in law enforcement environments, threshold considerations include the likelihood of missing
exculpatory evidence and seriousness of the offense. In civil, business, and military operations, suspicious
activity will be investigated but policy, regulations, and continuity of operations may be the primary concern.

• Factors that contribute to the severity of an offense include threats of physical injury, potential for
significant losses, and risk of wider system compromise or disruption.
• Within an organization, if a security breach or policy violation can be contained quickly, if there is
little or no damage, and if there are no exacerbating factors, a full investigation may not be
warranted.
• The output of this step in the investigative process is a decision that will fit into two basic categories:
o Threshold considerations are not met—No further action is required. For example, available
data and information are sufficient to indicate that there has been no wrongdoing.
Document decisions with detailed justification, report, and reassign resources.
o Threshold considerations are met—Continue to apply investigative resources based on the
merits of evidence examined to this point with priority based on initial available information.
This step aims to inform about discernment based on practical as well as legal precedent
coupled with the informed experience of the investigative team.

4. Transportation
Moving evidence from the crime or incident scene back to the forensic laboratory or from one laboratory to
another carries with it significant threats, the effects of which range from loss of confidentiality to
destruction of evidence.

One should keep in mind that one rarely gets a second chance to re-collect evidence that has been lost or
rendered unusable.

When planning for movement of evidence, investigators should consider whether the evidence will be
physically in the possession of the investigator at all times, environmental factors, and the potential
consequence of chance events.

5. Verification
Reviewing the information gathered in the survey phase for mistakes or oversights can help avoid confusion,
criticisms, and missed evidence. Assessing the completeness and accuracy of acquired data and
documenting its integrity are important considerations that support authentication. It is also necessary to
verify that the results of forensic examination and analysis are correct. Approaches to verification include
hash comparison, comparing results of multiple tools, checking data at a low level, and peer review.

6. Case Management
Case management plays a vital role in digital investigations, binding together all of the activities and
outcomes.

The purpose of effective case management is to ensure that a digital investigation proceeds smoothly and
that all relevant information resulting from each step of the process is captured, documented, and merged
together to create a clear and convincing picture of events relating to an offense or incident.

Without effective case management methods and supporting tools, investigative opportunities may be
missed, digital evidence may be overlooked or lost, and crucial information may not be uncovered or may
not be provided to decision makers.

Applying the Scientific Method in Digital Investigations

Although process models that define each step of an investigation can be useful for certain purposes, such as
developing procedures, they are too complex and rigid to be followed in every investigation. In practice,
most digital investigations do not proceed in a linear manner and the common steps of preparation, survey,
preservation, examination, and analysis are not neatly separated.

All steps of the investigative process are often intertwined, and a digital investigator may find the need to
revisit steps in light of a more refined understanding of the case.

The scientific method provides the necessary structure to help digital investigators complete each step of an
investigation in a repeatable manner to achieve reliable results.

In practice, digital investigators are better served by simpler methodologies that guide them in the right
direction, while allowing them to maintain the flexibility to handle diverse situations. The scientific method
provides such a simple, flexible methodology.

The scientific method begins with fact gathering and validation, and proceeds to hypothesis formation and
experimentation/ testing, actively seeking evidence that disproves the hypothesis, and revising conclusions
as new evidence emerges.

1. Formation and Evaluation of Hypotheses
2. Preparation
3. Survey
4. Preservation
5. Examination
6. Analysis
7. Reporting and Testimony

1. Formation and Evaluation of Hypotheses

From a practical viewpoint, at each stage of the investigative process a digital investigator is trying to
address specific questions and accomplish certain goals relating to the case.

These questions and goals will drive the overall digital investigation process and will influence specific tasks
within each step.

Therefore, it is important for digital investigators to have a robust and repeatable methodology within each
step to help them accomplish the goals and address the questions that are necessary to solve the case.

Digital investigators are generally instructed to focus on specific issues in a case, sometimes with time
constraints or other restrictions.

For example, in order to find a missing person as quickly as possible, digital investigators may be compelled
to progress rapidly through the preparation, survey, preservation, examination, and analysis steps at the
expense of completeness and accuracy.

Carrier’s Hypothesis
Carrier’s Hypothesis Based Approach to digital forensic investigations (Carrier, 2006) provides an initial
model which bridges digital investigation practices and computer science theory, demonstrating the role of
the scientific method within a digital investigation.

Now let's see how the scientific method is applied to each step of a digital investigation (preparation,
survey, preservation, examination, and analysis). This approach can guide a digital investigator through
almost any investigative situation, whether it involves a single compromised host, a single network link, or
an entire enterprise.

The General Methodology for Investigation

1. Observation:
One or more events will occur that will initiate your investigation. These events will include several
observations that will represent the initial facts of the incident. Digital investigators will proceed from these
facts to form their investigation. For example, a user might have observed that his or her web browser
crashed when he or she surfed to a specific Web site, and that an antivirus alert was triggered shortly
afterward.

2. Hypothesis:
Based on the current facts of the incident, digital investigators will form a theory of what may have occurred.
For example, in the initial observation described earlier, a digital investigator may hypothesize that the web
site that crashed the user’s web browser used a browser exploit to load a malicious executable onto the
system.

3. Prediction:
Based on the hypothesis, digital investigators will then predict where the artifacts related to that event may
be located. Using the hypothesis, together with knowledge of how web browsers and operating systems
generally operate, a digital investigator may predict that there will be evidence of an executable download
in the web browser history and, potentially, that files related to the malware were created around the time
of the incident.

4. Experimentation/Testing:
Digital investigators will then analyze the available evidence to test the hypothesis, looking for the presence
of the predicted artifacts. In the previous example, a digital investigator might create a forensic duplicate of
the target system, and from that image extract the web browser history to check for executable downloads
in the known timeframe. Part of the scientific method is also to test possible alternative explanations—if the
original hypothesis is correct a digital investigator will be able to eliminate alternative explanations on the
basis of available evidence (this process is called falsification).

5. Conclusion:
Digital investigators will then form a conclusion based upon the results of their findings. A digital investigator
may have found that the evidence supports the hypothesis, falsifies the hypothesis, or that there were not
enough findings to generate a conclusion.

This general methodology can be repeated as many times as necessary to reach conclusions at any stage of a
digital investigation.

2. Preparation
The general aim of preparing for a digital investigation is to create a plan of action to perform an effective
digital investigation, and to obtain the necessary personnel and equipment. Preparation for the preservation
step ensures that the best evidence can be preserved when the opportunity arises.

When preparing to execute a search warrant, digital investigators will create a plan to deal with the specific
location and expected evidential items.

An example of applying the scientific method to preparation for the preservation step of a digital
investigation is provided here:

Observation: gathering information about the crime scene to anticipate what number and type of computer
systems to expect, and whether full disk encryption is in use.

Hypothesis/Prediction: Based on the information gathered about the crime scene, digital investigators will
form theories about the types of computer systems and internal components such as hard drive capacity and
interface (e.g., ATA, SATA, serial attached SCSI).

Experimentation/Testing: It may be possible to test some predictions about what will or will not be
encountered at the crime scene. For instance, it may be possible to glean details about internal and public
servers by examining e-mail headers and connecting to them over the Internet.

Conclusions: The outcome of this process should be a robust plan for preserving evidence at the crime
scene. In some instances, digital investigators also need to prepare for some on-scene processing of digital
evidence.

3. Survey
With a plan in hand from the preparation step, digital investigators should be well prepared to recognize
sources of digital evidence at the crime scene. The aim of the process is for digital investigators to find all
potential sources of digital evidence and to make informed, reasoned decisions about what digital evidence
to preserve at the crime scene.

Observation: A methodical inspection of the crime scene should be performed in an effort to locate the
expected items and to find unanticipated items. Carrier’s Integrated Digital Investigation Process model
encourages use of traditional approaches to searching the physical crime scene in a methodical manner.

Hypothesis: Theories should be developed about why certain expected items are not present, and why
certain unexpected items were found.

Prediction: Ideas should be considered for where missing items may be found, and which items may contain
potentially relevant data. When large quantities of computers or removable media are involved, it may be
necessary to develop theories about which ones do and do not contain potentially relevant digital evidence.

Experimentation/Testing: When digital investigators believe that certain items are not relevant to the case,
some experimentation and testing is needed to confirm this belief.

Conclusions: Based on the methodical assessment of available information, there is a high degree of
confidence that an inventory has been made of all potentially relevant sources of digital evidence at the
crime scene that need to be preserved.

4. Preservation
Working from the known inventory of identified components, investigators must act to make sure that
potentially volatile items are collected or acquired in such a way that captures their current state.

Another way to put it is that proper actions must be taken to ensure the integrity of potential evidence,
physical and digital. The methods and tools employed to ensure integrity are key here. Their accuracy and
reliability, as well as their professional acceptance, may be questioned by opposing counsel if the case is
prosecuted.

To many practitioners in digital forensics, the preservation step is where digital forensics begins. It is
generally the first stage in the process that employs commonly used tools of a particular type. The output of
this stage is usually a set of duplicate copies of all sources of digital data.

This output provides investigators with two categories of exhibits.

First, the original material is cataloged and stored in a proper environmentally controlled location, in an
unmodified state.

Second, an exact duplicate of the original material is created that will be scrutinized as the investigation
continues.

Consider the following example of the scientific process applied to the preservation of a common form of digital evidence:

Hard Drives
Observation: A hard drive has a SATA interface with a certain number of sectors documented on the label.

Hypothesis: A complete and accurate duplicate of the hard drive can be obtained without altering the
original.

Prediction: The resulting forensic duplicate will have the same hash value as the original hard drive.

Experimentation/Testing: Comparing the hash value of the forensic duplicate with that of the original hard
drive confirms that they are the same. However, comparing the size of the forensic duplicate with the
capacity of the hard drive reveals a discrepancy. Further experimentation is needed to determine that this
discrepancy is caused by an incorrect number of sectors being detected by the acquisition method used.
Using an alternative method to acquire data from the hard drive gives a complete and accurate duplicate of
the digital evidence.

Conclusions: There is a high degree of confidence that an accurate duplicate of all data on the hard drive
was acquired in a forensically sound manner.
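Added example (not from the course notes): a Python simulation of the hard drive case above, which also illustrates the hash-comparison approach listed under Verification. It shows why the hash of the duplicate can match the hash of the source while the image is still short, and why the sector count on the drive label is a second, independent check. The drive contents, the sector counts and the two simulated imaging tools are constructed here for illustration.

```python
import hashlib

SECTOR = 512  # bytes per sector on the constructed sample drive (assumption)


def sha256_hex(data: bytes) -> str:
    """Hash a buffer. A real image is hashed in chunks, but the principle is the same."""
    return hashlib.sha256(data).hexdigest()


def acquire(drive: bytes, detected_sectors: int) -> bytes:
    """Simulate an imaging tool: it copies only the sectors it detected on the drive.
    A tool that detects too few sectors silently produces a short image."""
    return drive[: detected_sectors * SECTOR]


def verify_duplicate(drive: bytes, image: bytes, detected_sectors: int, label_sectors: int) -> dict:
    """Test the prediction 'the duplicate hashes the same as the original', then check the
    acquired size against the sector count documented on the drive label."""
    # Hashing the source through the same acquisition method reproduces the same short read,
    # so the two hashes agree even when the image is incomplete.
    source_hash = sha256_hex(acquire(drive, detected_sectors))
    image_hash = sha256_hex(image)
    expected_bytes = label_sectors * SECTOR
    missing = (expected_bytes - len(image)) // SECTOR
    return {
        "hash_match": source_hash == image_hash,
        "image_sectors": len(image) // SECTOR,
        "label_sectors": label_sectors,
        "missing_sectors": max(missing, 0),
        # Only hash agreement plus a size that matches the label counts as a complete duplicate.
        "complete": source_hash == image_hash and missing == 0,
    }


def build_sample_drive(sectors: int = 16) -> bytes:
    """Constructed sample drive: sector i is filled with byte value i, so truncation is visible."""
    return b"".join(bytes([i]) * SECTOR for i in range(sectors))


def run_example() -> tuple:
    """Run the two acquisitions described in the notes and return both verification results."""
    drive = build_sample_drive(16)           # the label documents 16 sectors
    first = acquire(drive, 12)               # first method detects only 12 sectors
    first_check = verify_duplicate(drive, first, detected_sectors=12, label_sectors=16)
    second = acquire(drive, 16)              # alternative method detects all 16 sectors
    second_check = verify_duplicate(drive, second, detected_sectors=16, label_sectors=16)
    return first_check, second_check


if __name__ == "__main__":
    for label, result in zip(("first method", "alternative method"), run_example()):
        print(label, result)
```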

Prior to attempting to preserve digital evidence, it is most effective to prepare the necessary forensic
preservation tools and techniques to handle various forms of evidence.

During the preparation step of a digital investigation, activities such as testing tools and sanitizing and/or
encrypting storage media can be performed to make preservation processes go more smoothly.

5. Examination
Forensic examination is the process of extracting and viewing information from the evidence, and making it
available for analysis.

Forensic examination of digital evidence is generally one of the most resource intensive and time-consuming
steps in a digital investigation.

To produce useful results in a timely manner at different phases of an investigation, it is useful to employ
three levels of forensic examination.

Survey/Triage Forensic Inspection: Targeted review of all available media to determine which items contain
the most useful evidence and require additional processing.

Preliminary Forensic Examination: Forensic examination of items identified during survey/triage as
containing the most useful evidence, with the goal of quickly providing investigators with information that
will aid them in conducting interviews and developing leads.

In-Depth Forensic Examination: Comprehensive forensic examination of items that require more extensive
investigation to gain a more complete understanding of the offense and address specific questions.

When conducting a forensic examination, it is useful to consider Carrier’s Integrated Digital Investigation
Process model, which treats sources of digital evidence as individual crime scenes. By conceptually treating
each source of digital evidence as a crime scene, digital investigators are encouraged to apply each step of
the investigative process to each source of evidence and thereby develop a more comprehensive and
methodical approach to a forensic examination.

Examination steps
Preparation for Forensic Examinations: Prior to performing a forensic examination of digital evidence, it is
advisable to prepare a plan of action that outlines what steps will be taken and what processes will be
performed on each item of digital evidence.

Survey in Forensic Examinations: Digital investigators will generally survey each source of digital evidence,
including the contents of hard drives, mobile devices, log files, and other data to develop an overall
familiarity with the corpus delicti (a.k.a. totality of the evidence) to find items of potential relevance to the
investigation.

Forensic Examinations: Certain items within a source of digital evidence may require special processing so
that they can be examined more easily. Such special items can include mailboxes, password-protected files,
encrypted volumes, and unallocated space.

Forensic examination of digital evidence, whether it is an entire hard drive or an individual’s mailbox,
generally involves some level of recovery, harvesting, organization, search, and reduction to produce a
reduced dataset for forensic analysis.

The results can be incorporated into the analysis process.

Recovery: Data should be extracted from available sources, including items that have been deleted, hidden,
camouflaged, or that are otherwise unavailable for viewing using the native operating system and resident
file system. The objective is to recover all unavailable data whether or not they may be germane to the case
or incident. In some instances, it may also be necessary to reconstitute data fragments to recover an item.
The output provides the maximum available content for the investigators, like a complete data timeline and
information that may provide insight into the motives of an offender if concrete proof of purposeful
obfuscation is found and recorded.

Harvesting: Data and metadata (data about data) should be gathered about all recovered objects of interest.
This gathering will typically proceed with little or no discretion related to the data content, its context, or
its interpretation. Rather, the investigator will look for categories of data that can be harvested for later
analysis—groupings of data with certain class characteristics that, from experience or training, seem or are
known to be related to the major facts of the case or incident known to this point in the investigation.

Organization and Search: A thorough analysis should be facilitated by organizing the reduced set of
materials from the previous step, grouping, tagging, or otherwise placing them into meaningful units. At this
stage, it may be advantageous to actually group certain files physically to accelerate the analysis stage. They
may be placed in groups using folders or separate media storage, or in some instances a database system
may be employed to simply point to the cataloged file system objects for easy, accurate reference without
having to use rudimentary search capability offered by most host operating systems.

Reduction: Irrelevant items should be eliminated, or specific items targeted in the collected data as
potentially germane to an investigation. This process is analogous to separating the wheat from the chaff.
The decision to eliminate or retain is made on the basis of external data attributes such as hashing or
checksums, type of data (after type is verified), etc. In addition, material facts associated with the case or
incidents are also brought to bear to help eliminate data as potential evidence.
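Added example (not from the course notes) of the reduction step: eliminating items whose hashes match a known-good reference set, and verifying each remaining item's type from its file signature so that a name or extension is not taken at face value. The reference hash set, the signature table and the file contents are all constructed here; in practice the known-good set would come from a reference library such as NSRL.

```python
import hashlib
from typing import Dict, List, Optional, Set, Tuple

# File signatures ("magic" bytes) used to verify type independently of the file name.
SIGNATURES: Dict[bytes, str] = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"MZ": "exe",
}

# Extensions that are consistent with each verified type (an exe signature is normal for .dll too).
EXPECTED_EXT: Dict[str, Set[str]] = {
    "png": {"png"},
    "pdf": {"pdf"},
    "zip": {"zip", "docx"},
    "exe": {"exe", "dll"},
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def detect_type(content: bytes) -> Optional[str]:
    """Return the type implied by the leading bytes, or None when no known signature matches."""
    for signature, kind in SIGNATURES.items():
        if content.startswith(signature):
            return kind
    return None


def reduce_corpus(items: List[Tuple[str, bytes]], known_good: Set[str]) -> List[dict]:
    """Decide, for each (name, content) pair, whether it is eliminated as a known-good file or
    retained for analysis, recording the verified type and the reason for the decision."""
    results = []
    for name, content in items:
        digest = sha256_hex(content)
        kind = detect_type(content)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if digest in known_good:
            decision, reason = "eliminate", "hash matches known-good reference set"
        elif kind is not None and ext not in EXPECTED_EXT[kind]:
            # Verified type disagrees with the extension: keep it and make the mismatch visible.
            decision, reason = "retain", f"extension .{ext} does not match verified type {kind}"
        else:
            decision, reason = "retain", "not in reference set"
        results.append({"name": name, "sha256": digest, "type": kind,
                        "decision": decision, "reason": reason})
    return results


# Constructed stand-in for a vendor's known-good file (a real set would be NSRL or similar).
OS_LIBRARY = b"MZ\x90\x00" + b"constructed operating-system library bytes"
KNOWN_GOOD: Set[str] = {sha256_hex(OS_LIBRARY)}

# Constructed evidence corpus: (file name, contents).
CORPUS: List[Tuple[str, bytes]] = [
    ("kernel32.dll", OS_LIBRARY),
    ("report.pdf", b"%PDF-1.4\n% constructed document"),
    ("holiday.jpg", b"MZ\x90\x00" + b"constructed program stored under an image name"),
    ("notes.txt", b"plain text with no signature"),
]


def run_example() -> List[dict]:
    return reduce_corpus(CORPUS, KNOWN_GOOD)


if __name__ == "__main__":
    for row in run_example():
        print(f'{row["name"]:14} {row["decision"]:9} type={row["type"]}  {row["reason"]}')
```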

Applying the scientific method to the forensic examination process can be a time-consuming and repetitive
process, but the effort is generally well spent, giving digital investigators the information they need to
resolve a case. A less methodical or scientifically rigorous forensic examination may miss important
information or may give erroneous results.

The same methodology applies here: Observation, Hypothesis, Prediction, Experimentation/Testing, Conclusions.

6. Analysis
The forensic analysis process is inseparable from the scientific method. By definition, forensic analysis is the
application of the scientific method and critical thinking to address the fundamental questions in an
investigation: who, what, where, when, how, and why.

It also has the same methodology: Observation, Hypothesis, Prediction, Experimentation/Testing,
Conclusions.

This step involves the detailed scrutiny of data identified, preserved, and examined throughout the digital
investigation.

The techniques employed here will tend to involve review and study of specific, internal attributes of the
data such as text and narrative meaning of readable data, or the specific format of binary audio and video
data items.

Additionally, class and individual characteristics found in this step are used to establish links, determine the
source of items, and ultimately locate the offender.

Ultimately, the information that has been accumulated during the digital investigation is combined to
reconstruct a comprehensive understanding of events relating to the crime or incident.

Methodology
Observation: Human-readable (or viewable) digital data objects have content that can be perceived as well
as context that can be reconstructed. This content and context of digital evidence may contain information
that is used to reconstruct events relating to the offense and to determine factors such as means,
motivation, and opportunity.

Hypothesis: Develop a theory to explain digital evidence.

Prediction: Based upon the hypothesis, digital investigators will then predict where they believe the
artifacts of that event will be located.

Experimentation/Testing: A very general term but applied here to mean any activity used to determine
whether or not digital evidence is compatible with the working theory. These activities can include running
experiments using a specific operating system or application to learn about their behavior and associated
artifacts or loading the subject system into a virtualized environment to observe it as the user would.

Conclusions: The result of a thorough forensic analysis generally includes an investigative reconstruction
based on fusion and correlation of information.

During the investigation, data (information) have been collected from many sources (digital and nondigital).
The likelihood is that digital evidence alone will not tell the full tale. The converse is also true. The data must
be fused or brought together to populate structures needed to tell the full story.

7. Reporting and Testimony

To provide a transparent view of the investigative process, final reports should contain important details
from each step, including reference to protocols followed and methods used to seize, document, collect,
preserve, recover, reconstruct, organize, and search key evidence. The majority of the report generally deals
with the analysis leading to each conclusion and descriptions of the supporting evidence. No conclusion
should be written without a thorough description of the supporting evidence and analysis. Also, a report can
exhibit the investigator or examiner’s objectivity by describing any alternative theories that were eliminated
because they were contradicted or unsupported by evidence.

A significant amount of effort is required to prepare for questioning and to convey technical issues in a clear
manner. Therefore, this step in the process includes techniques and methods used to help the analyst
and/or domain expert translate technological and engineering details into understandable narrative for
discussion with decision makers.

Part-2

Computer Basics for Digital Investigators

Write a short note on History of Computers
Although digital investigators can use sophisticated software to recover deleted files and perform advanced
analysis of computer hard disks, it is important to understand what is happening behind the scenes.

The development of the modern computer is not an easy one to trace because of the many concepts that it
combines.

Difference Engine
It was designed in the early 1820s by Charles Babbage, who is known as the "Father of the Modern
Computer". It was a mechanical computer that could perform simple calculations: a steam-driven calculating
machine designed to compute tables of numbers such as logarithm tables.

Analytical Engine
This calculating machine was also developed by Charles Babbage, in 1830. It was a mechanical computer that
used punch cards as input. It could solve any mathematical problem and store information in a permanent
memory.

Tabulating Machine
It was invented in 1890 by Herman Hollerith, an American statistician. It was a mechanical tabulator based
on punch cards.

In 1941, a German engineer named Konrad Zuse apparently created an electronic binary computer called the
Z3 that used old movie film to store his programs and data.

At around the same time the electronic digital Atanasoff-Berry Computer (ABC), named after its inventors,
was built with vacuum tubes, capacitors, and punch cards. Shortly after, the Electronic Numerical Integrator
and Computer (ENIAC) was created by Eckert and Mauchly.

The personal computer became possible in 1974 when Intel started selling inexpensive computer chips
called 8080 microprocessors. A single 8080 microprocessor contained all of the electronic circuits necessary
to create a programmable computer. Almost immediately, a few primitive computers were developed using
this microprocessor. By the early 1980s, Steve Jobs and Steve Wozniak were mass marketing Apple
computers and Bill Gates was working with IBM to mass market IBM personal computers.

Generations of Computers
A generation of computers refers to the specific improvements in computer technology with time. In 1946,
electronic pathways called circuits were developed to perform the counting.

First Generation Computers

The first generation (1946-1959) computers were slow, huge and expensive. In these computers, vacuum
tubes were used as the basic components of CPU and memory.

Some of the popular first generation computers are:

• ENIAC (Electronic Numerical Integrator and Computer)
• EDVAC (Electronic Discrete Variable Automatic Computer)
• UNIVAC I (Universal Automatic Computer)

Second Generation Computers

The second generation (1959-1965) was the era of the transistor computers. These computers used
transistors, which were cheap, compact and consumed less power.

Some of the popular second generation computers are;

• IBM 1620
• IBM 7094
• CDC 1604
• CDC 3600
• UNIVAC 1108

Third Generation Computers

The third generation computers used integrated circuits (ICs) instead of transistors.

Fourth Generation Computers

The fourth generation (1971-1980) computers used very large scale integrated (VLSI) circuits: a chip
containing millions of transistors and other circuit elements.

Fifth Generation Computers

In fifth generation (1980-till date) computers, the VLSI technology was replaced with ULSI (Ultra Large Scale
Integration). It made possible the production of microprocessor chips with ten million electronic
components.

Short note on Basic Operation of Computers
Central Processing Unit
The CPU is the core of any computer. Everything depends on the CPU’s ability to process instructions that it
receives. So, the first stage in the boot process is to get the CPU started—reset—with an electrical pulse.

Basic Input and Output System

The BIOS deals with the basic movement of data around the computer. Every program run on a computer
uses the BIOS to communicate with the CPU.

POST (Power on self test) and CMOS (complementary metal oxide silicon) Configuration Tool
The BIOS contains a program called the POST that tests the fundamental components of the computer.
When the CPU first activates the BIOS, the POST program is initiated. To be safe, the first test verifies the
integrity of the CPU and POST program itself. The rest of the POST verifies that all of the computer’s
components are functioning properly, including the disk drives, monitor, RAM, and keyboard.

Using the CMOS configuration tool, it is possible to determine the system time, ascertain if the computer will
try to find an operating system on the primary hard drive or another disk first, and change basic computer
settings as needed.

Disk Boot
An operating system extends the functions of the BIOS and acts as an interface between a computer and the
outside world.

Most computers expect an operating system to be provided on a floppy diskette, hard disk, or compact disk.
So, when the computer is ready to load an operating system, it looks on these disks in the order specified by
the boot sequence setting.

This ability to prevent a computer from using the operating system on the hard disk is important when the
disk contains evidence. Digital investigators should not attempt to perform such actions on an evidential
computer unless they are familiar with the particular type of system.

As a result, the system booted from the evidentiary hard drive, altering date-time stamps of files and other
potentially useful data on the disk. In such situations, it is safer to remove the hard drive prior to booting the
system for documenting the system configuration.

Short Note on Representation of Data
All digital data are basically combinations of ones and zeros, commonly called bits. It is often necessary for
digital investigators to deal with data at the bit level, requiring an understanding of how different systems
represent data.

The number 511 is represented as 00000001 11111111 on big-endian systems. The same number is
represented as 11111111 00000001 on little-endian systems such as Intel-based computers. In other words,
big-endian architectures place the most significant bytes on the left (putting the big end first) whereas little-
endian architectures place the most significant bytes on the right (putting the little end first).

Whether little- or big-endian, this binary representation of data (ones and zeros) is cumbersome. Instead,
digital investigators often view the hexadecimal representation of data. Another commonly used
representation of data is ASCII. The ASCII standard specifies that certain combinations of ones and zeros
represent certain letters and numbers.
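The byte-order, hexadecimal and ASCII views described above, as an added Python example (this is not code from these notes). The four-byte header and the text bytes are constructed for the demonstration; the point is that the same raw bytes yield different integers depending on which byte order the examiner assumes.

```python
import struct

# Constructed sample bytes for the demo (not taken from any real evidence file).
SAMPLE_HEADER = bytes([0x00, 0x00, 0x01, 0xFF])      # four bytes that hold 511 big-endian
SAMPLE_TEXT = bytes([0x48, 0x65, 0x6C, 0x6C, 0x6F])  # the ASCII codes for "Hello"


def to_bits(raw):
    """Render bytes as space-separated 8-bit groups, the way the notes show 511."""
    return " ".join(f"{b:08b}" for b in raw)


def to_hex(raw):
    """Render bytes as the hex pairs an investigator sees in a hex editor."""
    return " ".join(f"{b:02X}" for b in raw)


def encode_both_orders(value, width=2):
    """Return (big_endian, little_endian) encodings of value in `width` bytes."""
    fmt = {2: "H", 4: "I", 8: "Q"}[width]
    return struct.pack(">" + fmt, value), struct.pack("<" + fmt, value)


def read_both_orders(raw):
    """Interpret the same raw bytes as a big-endian and as a little-endian integer.
    Picking the wrong order silently produces a wrong (often huge) value."""
    fmt = {2: "H", 4: "I", 8: "Q"}[len(raw)]
    return struct.unpack(">" + fmt, raw)[0], struct.unpack("<" + fmt, raw)[0]


def ascii_text(raw):
    """Decode bytes as ASCII, showing '.' for non-printable values as hex editors do."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


if __name__ == "__main__":
    big, little = encode_both_orders(511)
    print("511 big-endian   :", to_bits(big), "| hex", to_hex(big))
    print("511 little-endian:", to_bits(little), "| hex", to_hex(little))
    print("header read as big/little:", read_both_orders(SAMPLE_HEADER))
    print("ASCII view:", ascii_text(SAMPLE_TEXT))
```

Reading SAMPLE_HEADER big-endian gives 511, reading it little-endian gives 4278255616, which is why an examiner must know the architecture that wrote a structure before trusting any size or offset field in it.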


File Formats and Carving


Many kinds of files have a distinctive structure that was designed by software developers or standards
bodies, and that can be useful for classifying and salvaging data fragments. For instance, a graphics file
format such as JPEG has a completely different structure from Microsoft Word documents, starting with the
first few bytes at the beginning of the file (the “header”), continuing into the locations where data are stored
in the main body of the file, and terminating with a few distinctive bytes at the end of the file (the “footer”).

The common headers in a JPEG image, Word document, and other file types are often referred to as file
signatures and can be used to locate and salvage portions of deleted files.

Carving in the context of digital forensics uses characteristics of a given class of files to locate those files in a
raw data stream such as unallocated clusters on a hard drive. Once the beginning and end of the file are
located, the intermediate data can be extracted into a file. This carving process can be achieved by simply
copying the data and pasting them into a file.
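The header/footer carving process just described, as an added Python example (not code from these notes). The JPEG and PDF signatures come from the public format specifications; the "unallocated" byte stream is constructed for the demo and includes a header whose footer has been overwritten, the case a carver must report rather than silently skip.

```python
import os

# File signatures from the public format specifications: a JPEG begins with
# FF D8 FF and ends with FF D9; a PDF begins with "%PDF" and ends with "%%EOF".
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF", b"%%EOF"),
}

# Constructed stand-in for a run of unallocated clusters (not real evidence):
# zero filler, a complete JPEG-like object, a complete PDF-like object, and a
# JPEG header whose footer is gone.
FILLER = b"\x00" * 64
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"JFIF constructed picture body" + b"\xff\xd9"
PDF_SAMPLE = b"%PDF-1.4 constructed document body %%EOF"
TRUNCATED_JPEG = b"\xff\xd8\xff\xe0" + b"header only, footer overwritten"
UNALLOCATED = FILLER + JPEG_SAMPLE + FILLER + PDF_SAMPLE + FILLER + TRUNCATED_JPEG


def carve(stream, signatures=SIGNATURES, max_size=10 * 1024 * 1024):
    """Locate every header/footer pair in a raw byte stream and cut out the bytes
    between them. A header with no footer within max_size is reported with
    end=None so the examiner knows a fragment exists but could not be bounded."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = stream.find(header, pos)
            if start == -1:
                break
            limit = min(len(stream), start + max_size)
            end = stream.find(footer, start + len(header), limit)
            if end == -1:
                found.append({"type": kind, "start": start, "end": None, "data": None})
                pos = start + len(header)
                continue
            end += len(footer)
            found.append({"type": kind, "start": start, "end": end,
                          "data": stream[start:end]})
            pos = end
    # Report in stream order regardless of which signature matched first.
    return sorted(found, key=lambda f: f["start"])


def save_carved(results, directory):
    """Write each bounded result to <directory>/<offset>.<type>; returns the paths."""
    os.makedirs(directory, exist_ok=True)
    paths = []
    for r in results:
        if r["data"] is None:
            continue
        path = os.path.join(directory, f"{r['start']:08d}.{r['type']}")
        with open(path, "wb") as fh:
            fh.write(r["data"])
        paths.append(path)
    return paths


if __name__ == "__main__":
    for r in carve(UNALLOCATED):
        size = None if r["end"] is None else r["end"] - r["start"]
        print(f"{r['type']:5} at offset {r['start']:6}  size {size}")
```

The max_size window matters on real media: without it a header whose footer was overwritten would be bounded by the footer of some unrelated file further along the disk, producing a "carved" object that is really two fragments glued together.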

Storage Media and Data Hiding


[On binary systems] each data element is implemented using some physical device that can be in one of two
stable states: in a memory chip, for example, a transistor switch may be on or off; in a communications line,
a pulse may be present or absent at a particular place and at a particular time; on a magnetic disk, a
magnetic domain may be magnetized to one polarity or to the other; and, on a compact disk, a pit may be
present or not at a particular place.

Although storage media come in many forms, hard disks are the richest sources of digital evidence on
computers. Understanding how hard drives function, how data are stored on them, and where data can be
hidden can help digital investigators deal with hard drives as a source of evidence.

Understanding disk drives


The architecture of a hard disk consists of several physical components that include:

• Platters
• Spindle
• Read/write heads
• Tracks
• Sectors

Platters

Hard disks are organized as a concentric stack of disks. An individual disk is referred to as a platter. Each
platter consists of two surfaces: a lower and an upper surface.

Spindle

• The platters within the hard disk are connected by a spindle that runs through the middle of the platters.
• The spindle moves in a unidirectional manner along its axis (either clockwise or counterclockwise).
• The movement of the spindle causes the platters to rotate as well.

Read/write head

• Each surface on a platter contains a read/write head that is used to read or write data onto the disk.
• The read/write heads can move back and forth along the surface of a platter. Read/write heads are
in turn connected to a single actuator arm.

Tracks

• Each surface of a platter consists of a fixed number of tracks. These are circular areas on the surface
of a platter that decrease in circumference as we move towards the center of the platter.
• Data is first written to the outermost track.

Sectors

• Each track is divided into a fixed number of sectors. Sectors divide track sections and store data.

Clusters and Slack space

When data are stored on a hard disk, they are allocated in clusters as the unit. So no matter whether the file
is large or small, there will be some unused space, called slack space, in the last cluster (unless the file size
is an integer multiple of the cluster size).

Furthermore, the leftover space cannot be used by other files (even if the file is only 0 bytes; the file system
does not allow two or more files to share a cluster, because it may cause data corruption).

What happens when you delete a file?
• When you delete a file, it isn’t really erased – it continues existing on your hard drive, even after
you empty it from the Recycle Bin.
• This makes it possible to recover files you’ve deleted.
• Every file is made from many bits of information.
• When you delete a file, all those bits that form it are not physically erased, and they continue to hold
the information that makes the file.
• Instead of physically deleting files, which can take a significant amount of time, especially if those
files are large, the operating system only marks the deleted files as free space.

Recovering deleted files


What happens when a file is deleted?

In many operating systems, the file's data is moved to a temporary holding area (recycle bin) where it can be
recovered or cleared and the disk space it was taking up can be reclaimed.

When emptying the recycle bin, in many cases only the pointer record to where the file's data was located
on the physical disk is removed.

When you delete a file, Windows marks it as free space by removing only its pointer, nothing else. The
content of the file is still there, physically.

Slack - The leftover storage on a computer’s hard disk drive when a computer file does not need all the
space it has been allocated by the operating system.

Slack space
In typical hard drives, the computer stores files on the drive in clusters of a certain size.

For example, the file system on the hard drive may store data in clusters of four kilobytes. If the computer
stores a file that is only two kilobytes in a four-kilobyte cluster, there will be two kilobytes of slack space.

Slack space is an important form of evidence in the field of forensic investigation. Often, slack space can
contain relevant information about a suspect that a prosecutor can use in a trial.

For example, if a user deleted files that filled an entire hard drive cluster, and then saved new files that only
filled half of the cluster, the latter half would not necessarily be empty. It may include leftover information
from the deleted files. This information could be extracted by forensic investigators using special computer
forensic tools.

How Slack space can be used for Evidence


Computers with hard disk drives store data in a sealed unit. The unit contains a stack of circular, spinning
disks called platters. Each platter is composed of logically defined spaces called sectors. OS sectors are
configured to hold no more than 512 bytes of data.

If a text file that is 400 bytes is saved to disk, the sector will have 112 bytes of extra space left over.

When the computer’s hard drive is brand new, the space in a sector that is not used (the slack space) is
blank, but it changes as the computer gets used. When a file is deleted, the operating system doesn't erase
the file; the OS makes the sector the file occupied available for reallocation.

If a new file that is only 200 bytes is allocated to the original sector, the sector’s slack space will now
contain 200 bytes of leftover data from the first file in addition to the original 112 bytes of extra space.

Latent Data or Ambient Data

That leftover data, which is called latent data or ambient data, can provide investigators with clues as to
prior uses of the computer in question as well as leads for further inquiries.
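The 400-byte then 200-byte sector reuse walked through above, as an added Python simulation (not code from these notes). The sector model and both file contents are constructed; it also includes the cluster-slack arithmetic the notes use for the 2 KB file in a 4 KB cluster and for the 2050-byte file in two-sector clusters, so the general formula can be checked against both.

```python
SECTOR_SIZE = 512


def cluster_slack(file_size, cluster_size):
    """Bytes left unused in the last cluster allocated to a file of file_size bytes.
    A file whose size is an exact multiple of the cluster size has no slack."""
    if file_size < 0 or cluster_size <= 0:
        raise ValueError("file_size must be non-negative and cluster_size positive")
    return (-file_size) % cluster_size


class Sector:
    """One sector modelled as a byte array. Writing a file overwrites only the bytes
    the file needs; deleting changes only the bookkeeping, never the bytes."""

    def __init__(self, size=SECTOR_SIZE):
        self.raw = bytearray(size)  # factory-fresh media: all zeros
        self.logical_size = 0       # bytes the currently allocated file occupies

    def write_file(self, content):
        if len(content) > len(self.raw):
            raise ValueError("file does not fit in a single sector")
        self.raw[:len(content)] = content
        self.logical_size = len(content)

    def delete_file(self):
        self.logical_size = 0  # sector becomes available; contents untouched

    def slack_size(self):
        return len(self.raw) - self.logical_size

    def slack_bytes(self):
        """What an examiner reading past the logical end of file would see."""
        return bytes(self.raw[self.logical_size:])


def demo():
    # Constructed contents, not real files: a 400-byte first file, then a 200-byte
    # second file written into the same sector after the first is deleted.
    first = (b"FIRST-FILE-" * 40)[:400]
    second = b"B" * 200
    sector = Sector()
    sector.write_file(first)
    fresh_slack = sector.slack_bytes()        # 112 zero bytes on new media
    sector.delete_file()
    sector.write_file(second)
    return fresh_slack, sector.slack_bytes()  # 200 bytes of 'first' + 112 zeros


if __name__ == "__main__":
    fresh, reused = demo()
    print("slack on fresh media:", len(fresh), "bytes, all zero:", not any(fresh))
    print("slack after reuse:", len(reused), "bytes, latent data starts:", reused[:22])
    print("2050-byte file, 1024-byte clusters -> slack", cluster_slack(2050, 1024))
    print("2048-byte file, 4096-byte clusters -> slack", cluster_slack(2048, 4096))
```

The 312 bytes returned after reuse are exactly the latent data the notes describe: the second file's bookkeeping says the sector ends at byte 200, but the media still carries bytes 200 to 399 of the first file.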

Uses of data recovery


Average User:

• Recover important lost files
• Keep your private information private

Law enforcement:

• Locate illegal data
• Restore deleted/overwritten information
• Prosecute criminals based on discovered data

Why some deleted files cannot be recovered, even if you are using an excellent file recovery tool?
Recovering lost files is not always possible! If Windows overwrites the space that a deleted file was
occupying, the original file can no longer be restored. That is because the content of that original file is just
not there anymore. New information was stored over its content, so the old information was destroyed.

What is Data Obfuscation / Masking?


Data obfuscation is a process to obscure (mask) the meaning of data as an added layer of data protection. In
the event of a data breach, sensitive data will be useless to attackers. The organization, and any individuals
in the data, will remain uncompromised. Organizations should prioritize obfuscating sensitive information in
their data.

Top data obfuscation methods
There are many different methods, each designed for specific purposes.

Obfuscation is an umbrella term for a variety of processes that transform data into another form in order to
protect sensitive information or personal data.

Three of the most common techniques used to obfuscate data are encryption, tokenization, and data
masking

Encryption
It is very secure, but you lose the ability to work with or analyze the data while it’s encrypted. The more
complex the data encryption algorithm, the safer the data will be from unauthorized access. Encryption is a
good obfuscation method if you need to store or transfer sensitive data securely.

Tokenization
It substitutes sensitive data with a value that is meaningless. However, you can map the token back to the
original data. Tokenized data supports operations like running a credit card payment without revealing the
credit card number. The real data never leaves the organization and can't be seen or decrypted by a third-
party processor.

Data masking
It substitutes realistic but false data for original data to ensure privacy. Using masked out data, testing,
training, development, or support teams can work with a dataset without putting real data at risk. Data
masking goes by many names. You may have heard of it as data scrambling, data blinding, or data shuffling.
The process of permanently stripping personally identifiable information (PII) from sensitive data is also
known as data anonymization or data sanitization. Whatever you call it, fake data replaces real data. There is
no algorithm to recover the original values of masked data.
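Tokenization and masking side by side, as an added Python example (not code from these notes). The vault and the card-number format are constructed for the demo; the contrast to take away is that a token is random and reversible only through the vault, while a mask is a one-way transformation with nothing to look up.

```python
import secrets


class TokenVault:
    """Reversible tokenization: each sensitive value is swapped for a random,
    format-preserving surrogate, and only the vault can map it back."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value):
        if value in self._value_to_token:        # same input always gets the same token
            return self._value_to_token[value]
        while True:
            # Keep separators, replace every digit with a random digit.
            token = "".join(secrets.choice("0123456789") if ch.isdigit() else ch
                            for ch in value)
            if token != value and token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        """Only the party holding the vault can do this; raises KeyError otherwise."""
        return self._token_to_value[token]


def mask_card(pan, keep_last=4):
    """Irreversible masking: keep the format and the last digits, blank the rest.
    There is no table and no key, so the original cannot be recovered."""
    total_digits = sum(ch.isdigit() for ch in pan)
    out, seen = [], 0
    for ch in pan:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total_digits - keep_last else "X")
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    card = "4111 1111 1111 1111"  # constructed test number, not a real account
    vault = TokenVault()
    token = vault.tokenize(card)
    print("token   :", token, "-> detokenized:", vault.detokenize(token))
    print("masked  :", mask_card(card))
```

A payment processor that receives only the token can format and route it, but cannot learn the card number without the vault; a test team that receives only the masked value can never recover it, which is why masking is the safer choice for data that leaves the organization.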

Comparison of encryption, tokenization and masking

Definition
• Encryption is the method of converting plaintext into ciphertext using an encryption algorithm and a key.
• Tokenization is a process of replacing sensitive data with non-sensitive data.
• Masking is a process of applying a mask to a value.

Main use case
• Encryption: one of the main use cases is to provide the confidentiality of data-at-rest (even if the storage
media is compromised or lost, attackers are not able to view the actual information as they don’t have the
keys).
• Tokenization: it simply ensures correct formatting and transmission of data, thus making it less vulnerable
to cyberattacks.
• Masking: it simply ensures efficient use of masked data for analysis without fear of leaking private
information.

Data covered
• Encryption: it protects structured data, including payment card numbers, and unstructured data including
entire files and emails.
• Tokenization: it is generally used to secure credit card numbers or sensitive information in payment
processing systems, customer service databases, and other structured data environments.
• Masking: it is generally used to secure structured and unstructured fields in both non-production and
production environments such as database backups, data mining, etc.

Format and security
• Encryption: original sensitive data leaves the organization, but in encrypted form.
• Tokenization: it always preserves the format of data and maintains high security.
• Masking: it always preserves the format, but there is some reidentification risk.

Sharing with third parties
• Encryption: data can be exchanged with a third party or receiver who has the encryption key.
• Tokenization: it is difficult to exchange data with third parties because they could gain access to the
token database.
• Masking: it is easier to exchange masked data with third parties as they cannot view the original data.

Protection mechanism
• Encryption: it scrambles data so that only authorized parties can have access to the data.
• Tokenization: it normally creates a surrogate value that can be matched back to the original string using
the database.
• Masking: it normally protects sensitive data from being exposed to individuals who are not authorized or
do not have access to view it.

Masking out
It is a way to create different versions of the data with a similar structure. The data type does not change,
only the value change. Data can be modified in several ways, for example shifting numbers or letters,
replacing words, and switching partial data between records.

File Systems and Location of Data
What is a File System?
A file system is the method of managing how and where data is stored on a storage disk. It is a logical disk
component that comprises files separated into groups, known as directories. It is abstract to a human user
and related to a computer; it manages a disk's internal operations.

Files and additional directories can be in the directories.

The file system enables you to view a file in the current directory, as files are often managed in a hierarchy.

It contains information about file size, file name, file location, fragment information, and where disk data is
stored, and it describes how a user or application may access the data.

The operations like metadata, file naming, storage management, and directories/folders are all managed by
the file system.

A file system isn't just a bookkeeping feature, though. Space management, metadata, data encryption, file
access control, and data integrity are the responsibilities of the file system too.

Everything begins with partitioning. When partitioning is done, the partitions should be formatted. Most
operating systems allow you to format a partition based on a set of file systems. For instance, if you are
formatting a partition on Windows, you can choose between FAT32, NTFS (New Technology File System), and
exFAT file systems.

Formatting involves the creation of various data structures and metadata used to manage files within a
partition. These data structures are one aspect of a file system.

Types of file systems

1. Disk file systems

On the disk storage medium, a disk file system has the ability to randomly address data within a small
amount of time.

2. Flash file systems

A flash file system is responsible for the restrictions, performance, and special abilities of flash memory.
3. Tape file systems

A tape file system is used to hold files on the tape as it is a tape format and file system.

4. Database file systems

Files are recognized by their characteristics (like a type of file, author, topic, etc.) rather than hierarchical
structured management.

5. Network file systems

A network file system offers access to files on a server. In remote network-connected computers, with the
help of local interfaces, programs are able to transparently create, manage and access hierarchical files and
directories

6. Shared disk file systems

A shared-disk file system allows the same external disk subsystem to be accessed by multiple machines, but
when several machines access the same external disk subsystem, collisions may occur; so, to prevent
collisions, the file system decides which machine may access the subsystem.

Windows File Systems


Microsoft Windows employs two major file systems: NTFS, the primary format most modern versions of this
OS use by default, and FAT, which was inherited from old DOS and has exFAT as its later extension. ReFS was
also introduced by Microsoft as a new generation format for server computers starting from Windows
Server 2012.

• File Allocation Table or FAT
• New Technology File System or NTFS
• Resilient File System or ReFS

Difference in file structure database

• File Allocation Table or FAT - File Allocation Table
• New Technology File System or NTFS - Master File Table (MFT)
• Resilient File System

Terminology

• Metadata
• File Name
• Time Stamp
• Other Attributes
• File Data
• Sectors
o 512 bytes of data
• Clusters
o Smallest logical unit of file storage
o One or more sectors

Logical and Physical Storage Units
Logical: recognized by the OS, e.g., clusters.

Physical: recognized by a device, e.g., sectors.

The OS stores files in clusters.

Wasted Space Problem Example

• File size 2050 bytes
• One cluster = two sectors
• Slack space will be created

Efficiency
FAT

FAT (File Allocation Table) is one of the simplest FS types. It consists of the FS descriptor sector (boot sector
or superblock), the block allocation table and plain storage space for storing data.

The numbers in FAT12, FAT16, FAT32 stand for the number of bits used to address an FS block. This means
that FAT12 can use up to 4096 different block references, while FAT16 and FAT32 can use up to 65536 and
4294967296 respectively.

The file system also doesn't allow creating files the size of which exceeds 4 GB. To address this issue, exFAT
was introduced, which doesn't have any realistic limitations concerning the size and is frequently utilized on
modern external hard drives and SSDs.

NTFS

NTFS (New Technology File System) was introduced in 1993 with Windows NT and is currently the most
common file system for end user computers based on Windows. Most operating systems of the Windows
Server line use this format as well.

This FS type is quite reliable thanks to journaling and supports many features, including access control,
encryption, etc. Each file in NTFS is stored as a descriptor in the Master File Table plus its data content. The
Master File Table contains entries with all the information about each file: size, allocation, name, etc.

• Smaller cluster size
• Less slack space -> less wasted space

Resilient File System (ReFS)

The Resilient File System (ReFS) is Microsoft's newest file system, designed to maximize data availability,
scale efficiently to large data sets across diverse workloads, and provide data integrity with resiliency to
corruption. It seeks to address an expanding set of storage scenarios and establish a foundation for future
innovations.

• Compatibility
• Availability
• Scalability

Dealing with Password Protection and Encryption
Passwords
When data is password protected, it’s as if you’ve gathered all your data, in its original, readable form, put it
into a lock box, and locked the box with a password or passcode. The box is protected by the passcode, but if
the lock box is not particularly strong and someone is able to break into it, then getting at all your valuable
data is simple.

Windows and Mac Operating Systems: Password Protected


The most obvious, and perhaps most dangerous, example of simple, password protected data is right in front
of you: your Windows or Mac desktop or laptop. Even a novice hacker knows there are several very easy
ways to get around the OS passwords and get directly at your data:

First, there are tools readily available on the Internet that someone can use to boot your PC, read your
supposedly super-secret password, and then have unfettered access to everything – including Outlook email.

Second, there’s the brute force method: someone can simply pull the hard drive out of your PC, hook it up
to another PC and can have access to everything on the hard drive.

What is encryption?
Encryption is a way of scrambling data so that only authorized parties can understand the information. In
technical terms, it is the process of converting human-readable plaintext to incomprehensible text, also
known as ciphertext. In simpler terms, encryption takes readable data and alters it so that it appears
random. Encryption requires the use of a cryptographic key: a set of mathematical values that both the
sender and the recipient of an encrypted message agree on.

What is a key in cryptography?


A cryptographic key is a string of characters used within an encryption algorithm for altering data so that it
appears random. Like a physical key, it locks (encrypts) data so that only someone with the right key can
unlock (decrypt) it.

What are the different types of encryption?
The two main kinds of encryption are symmetric encryption and asymmetric encryption. Asymmetric
encryption is also known as public key encryption.

What is Symmetric Encryption?
Symmetric encryption is a means of protecting data using a secret key to encrypt (lock) and decrypt (unlock)
it. The sender and recipient share the key or password to gain access to the information. The key can be a
word; a phrase; or a nonsensical or random string of letters, numbers, and symbols.

How Does Symmetric Encryption Work?


In symmetric encryption, the key that encrypts a message or file is the same key that can decrypt them. The
sender of the data uses the symmetric key algorithm to encrypt the original data and turn it into cipher text.
The encrypted message is then sent to the receiver who uses the same symmetric key to decrypt or open the
cipher text or turn it back into readable form.

What is Asymmetric Encryption?

Asymmetric key encryption is based on public and private key encryption techniques. It uses two different
keys to encrypt and decrypt the message. It is more secure than the symmetric key encryption technique but
is much slower.

How it works

When someone wants to send an encrypted message, they can pull the intended recipient's public key from
a public directory and use it to encrypt the message before sending it. The recipient of the message can
then decrypt the message using their related private key.
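The public-directory exchange described above, as an added Python example using textbook RSA with toy primes (this is not code from these notes, and the tiny key, the "bob" directory entry and the message value are all constructed). Real deployments use 2048-bit or larger moduli and padding; the toy size is only to make the public/private roles visible.

```python
from math import gcd


def make_keypair(p, q, e=17):
    """Textbook RSA from two primes. Returns (public_key, private_key).
    Toy sizes only: shows the key roles, not a secure construction."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt(message, public_key):
    """Anyone holding the public key can do this."""
    e, n = public_key
    if not 0 <= message < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(message, e, n)


def decrypt(ciphertext, private_key):
    """Only the holder of the matching private key can do this."""
    d, n = private_key
    return pow(ciphertext, d, n)


def send_via_directory(directory, recipient, message):
    """The public directory from the notes: look up the recipient's public key and
    encrypt with it. The sender never needs anything secret."""
    return encrypt(message, directory[recipient])


def demo():
    public, private = make_keypair(61, 53)        # constructed toy primes
    directory = {"bob": public}                   # Bob publishes only the public half
    c = send_via_directory(directory, "bob", 65)  # sender encrypts with Bob's public key
    return public, private, c, decrypt(c, private)


if __name__ == "__main__":
    public, private, c, m = demo()
    print("public key:", public, "private key:", private)
    print("ciphertext:", c, "-> decrypted with private key:", m)
    print("decrypting with the public key instead gives:", pow(c, public[0], public[1]))
```

The last line in the demo shows why the two keys are not interchangeable: applying the public exponent to the ciphertext does not return the message, so publishing the public key reveals nothing that lets a third party read traffic addressed to Bob.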

Difference between symmetric and asymmetric encryption

• Keys: symmetric key encryption only requires a single key for both encryption and decryption; asymmetric
key encryption requires two keys, a public key and a private key, one to encrypt and the other one to
decrypt.
• Ciphertext size: with symmetric encryption the size of the cipher text is the same as or smaller than the
original plain text; with asymmetric encryption it is the same as or larger than the original plain text.
• Speed: the symmetric encryption process is very fast; the asymmetric encryption process is slow.
• Typical use: symmetric encryption is used when a large amount of data is to be transferred; asymmetric
encryption is used to transfer small amounts of data.
• Security services: symmetric encryption only provides confidentiality; asymmetric encryption provides
confidentiality, authenticity, and non-repudiation.
• Key length: the symmetric key used is 128 or 256 bits; the asymmetric key used is 2048 bits or higher.
• Resource utilization: low in symmetric key encryption as compared to asymmetric key encryption, where it
is high.
• Examples: symmetric - 3DES, AES, DES and RC4; asymmetric - Diffie-Hellman, ECC, El Gamal, DSA and RSA.

What is the impact of encryption on forensic investigation?
As investigators, we are limited to the information on the device that we can access. If a hard drive is fully
encrypted, we have no easy access to the stored data and our investigative options become limited. The first
thing an investigator must do is to determine the level and extent of the encryption. Weak passwords can be
cracked, but if the user has implemented a strong password, it becomes almost impossible to access via
brute force methods. It could be that just a few files are encrypted and there could be unencrypted copies
elsewhere on the device. The user could also be a creature of habit and use the same set of passwords.
These passwords can be quickly located in easily decipherable formats throughout the system. In all cases,
though, I tell investigators that digital evidence is just one piece of the body of evidence in a case. Don’t fall
into a trap where you spend too much time trying to decrypt a potentially probative item, when valuable
unencrypted data may be found by simply continuing your examination.

What new techniques do investigators need to consider when they come across an encrypted drive?
Identifying Encrypted Files
Identifying encrypted files is pretty easy. You try to access a file with the appropriate application and you
end up getting garbage. The first step you should take is to find out the type of file with which you are
dealing.

Decrypting Files
Let's assume you have identified one or more files that appear to be encrypted. What do you do next? The
simple answer is to crack the encryption. The full answer is a little more complex and expensive.

Use of utilities to crack specific file types

• PKZip Cracker - decrypts ZIP archive files
• Zip Crack - decrypts ZIP archive files
• Word Unprotect - decrypts Microsoft Word documents
• WP Crack - decrypts WordPerfect documents

Brute Force Attack

The brute force attack method of decrypting files is the worst choice. It uses the same approach as brute
force password cracking. The utility tries every possible key value to see if the decryption results in an
intelligible object. This option should be your last resort.

Known Plaintext Attack

The known plaintext attack is a method of cracking encryption that uses the plaintext and the associated
ciphertext. If you have both the unencrypted and encrypted versions of a file, you can analyze the
relationship between the two and deduce the encryption key. The PkCrack utility utilizes this type of attack.
You provide an unencrypted file and an encrypted ZIP archive, and PkCrack will compare the two and
attempt to find the key used in the encryption.

Chosen Plaintext Attack

You may have access to the encryption engine, but not the key. It is possible the encryption utility allows you
to encrypt files using stored credentials without disclosing those credentials. In such cases, you may be able
to discover the encryption key using a chosen plaintext attack. In a chosen plaintext attack, you encrypt a
file of your choosing and compare it to the resulting encrypted file. After you create the plaintext and
ciphertext, the attack progresses just as in the known plaintext attack.
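The known-plaintext relationship described above, as an added Python example on a toy repeating-key XOR scheme (not code from these notes, and not the PkCrack method; the key and both files are constructed). It is the check an examiner or a product reviewer can run to tell whether a tool's "encryption" is really just obfuscation: for XOR, one plaintext/ciphertext pair gives back the keystream directly, whereas a proper cipher such as AES is designed so that the same pair reveals nothing about the key.

```python
def xor_with_key(data, key):
    """Repeating-key XOR, the kind of scheme some legacy tools call encryption."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_keystream(plaintext, ciphertext):
    """Known-plaintext step: XOR undoes itself, so P xor C yields the key bytes used."""
    if len(plaintext) != len(ciphertext):
        raise ValueError("plaintext and ciphertext must have the same length")
    return bytes(p ^ c for p, c in zip(plaintext, ciphertext))


def shortest_period(stream):
    """Smallest repeat length consistent with the recovered keystream."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return n
    return len(stream)


def demo():
    key = b"s3cr3t"  # constructed key, unknown to the analyst in the scenario
    known_plain = b"This header text is known to the examiner."
    known_cipher = xor_with_key(known_plain, key)  # the pair the attack needs
    other_cipher = xor_with_key(b"A second file encrypted with the same key", key)

    stream = recover_keystream(known_plain, known_cipher)
    recovered_key = stream[:shortest_period(stream)]
    # The recovered key now opens any other file protected with the same key.
    return recovered_key, xor_with_key(other_cipher, recovered_key)


if __name__ == "__main__":
    recovered_key, other_plain = demo()
    print("recovered key:", recovered_key)
    print("second file  :", other_plain)
```

The known plaintext has to be at least one key period long (here six bytes) for the period search to settle on the right length; with less, several candidate keys remain and the second file decrypts only partially.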

Log files, Registry, Internet traces
What is a Log File?
A log file is a record of events that took place at a certain time, and each entry might have metadata that
contextualizes it.

Log files are a historical record of everything and anything that happens within a system, including events
such as transactions, errors and intrusions. That data can be transmitted in different ways and can be in
structured, semi-structured or unstructured format.

The basic anatomy of a log file includes:

• The timestamp – the exact time at which the event logged occurred
• User information
• Event information – what was the action taken

However, depending on the type of log source, the file will also contain a wealth of relevant data. For
example, server logs will also include the referred webpage, http status code, bytes served, user agents, and
more.
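The log anatomy listed above (timestamp, user, event, plus the server-log extras such as status code, bytes served and user agent), as an added Python example (not code from these notes). The parser targets the common Apache/Nginx "combined" layout; the sample lines are constructed with RFC 5737 documentation addresses, and one deliberately malformed line shows how unparseable entries are kept for review instead of being dropped.

```python
import re
from collections import Counter
from datetime import datetime

# Apache/Nginx "combined" access-log layout: client, identity, user, [timestamp],
# "request", status, bytes, "referer", "user agent".
COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation addresses, invented paths and agents).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0.1"
192.0.2.10 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0.1"
192.0.2.20 - alice [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 2326 "http://example.com/" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:55:41 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0.1"
this line is not in combined format
192.0.2.10 - - [10/Oct/2023:13:55:42 +0000] "POST /login HTTP/1.1" 200 1040 "-" "curl/8.0.1"
"""


def parse_line(line):
    """Return one entry's fields (timestamp, user, event, extras) as a dict, or
    None when the line does not match the expected layout."""
    m = COMBINED.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def parse_log(text):
    """Parse every non-empty line; unparseable lines are returned separately so
    nothing silently disappears from the record."""
    records, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            rejected.append(line)
        else:
            records.append(rec)
    return records, rejected


def failed_login_sources(records, path="/login", threshold=3):
    """Clients with at least `threshold` 401 responses on the login path, the kind
    of pattern a log review flags for follow-up."""
    hits = Counter(r["client"] for r in records
                   if r["path"] == path and r["status"] == 401)
    return {client: n for client, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    records, rejected = parse_log(SAMPLE_LOG)
    print("parsed:", len(records), "rejected:", len(rejected))
    print("repeated login failures:", failed_login_sources(records))
```

Keeping the parsed timestamp as a timezone-aware datetime is what lets entries from this log be lined up against events recorded elsewhere, which is the reason the notes give for log files being useful evidence.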

Where do Log Files Come From?

Types of Logs
Nearly every component in a network generates a different type of data and each component collects that
data in its own log. Because of that, many types of logs exist, including:

1. Event logs - An event log is a high-level log that records information about network traffic and usage,
such as login attempts, failed password attempts, and application events.
2. Server logs - A server log is a text document containing a record of activities related to a specific
server in a specific period of time.
3. System logs - A system log, or syslog, is a record of operating system events. It includes startup
messages, system changes, unexpected shutdowns, errors and warnings, and other important
processes. Windows, Linux, and macOS all generate syslogs.
4. Authorization logs and access logs - Authorization logs and access logs include a list of people or bots
accessing certain applications or files.
5. Change logs - Change logs include a chronological list of changes made to an application or file.
6. Availability logs - Availability logs track system performance, uptime, and availability.
7. Resource logs - Resource logs provide information about connectivity issues and capacity limits.
8. Threat logs - Threat logs contain information about system, file, or application traffic that matches a
predefined security profile within a firewall.

Log files are an important source of digital forensic evidence because they usually connect events to points
in time. Indeed, log file data can be used to investigate network anomalies due to insider threats, data leaks
and misuse of IT assets. Log files can help identify network intruders.

Registry
Inside every operating system there must be some place to keep settings.

What is my current internet address? What are all the users on my system and what are their passwords?

What applications are installed? If I double click on a file with a docx extension, what application needs to
fire up to associate with that?

There are hundreds of thousands of questions like this that even the simplest individual machine must
answer, and we've got to store that somewhere.

Windows uses a single storage area called the registry.

This is not a text file. It is a binary file that can only be read by a particular program called Regedit

Windows registry
The registry or Windows registry is a database of information, settings, options, and other values
for software and hardware installed on all versions of Microsoft Windows operating systems. When a
program is installed, a new subkey is created in the registry. This subkey contains settings specific to that
program, such as its location, version, and primary executable.

MCA302_CYBER FORENSICS | Page 31 | 37
The Windows Registry is a database where Windows and many programs store their configuration settings.

The Windows registry is a collection of several databases. There are system-wide registry settings that apply
to all users, and each Windows user account also has its own user-specific settings.

There are two ways to open Registry Editor in Windows 10:


1. In the search box on the taskbar, type regedit, then select Registry Editor (Desktop app) from the
results.
2. Right-click Start, then select Run. Type regedit in the Open: box, and then select OK.

What Is a Registry Hive?


A hive in the Windows Registry is the name given to a major section of the registry that contains registry
keys, registry subkeys, and registry values.

All keys that are considered hives begin with "HKEY" and are at the root, or the top of the hierarchy in the
registry, which is why they're also sometimes called root keys or core system hives.

Here is a list of the common registry hives in Windows:

• HKEY_CLASSES_ROOT
• HKEY_CURRENT_USER
• HKEY_LOCAL_MACHINE
• HKEY_USERS
• HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER holds the user settings for the currently logged in user and is usually abbreviated
HKCU. This is actually just a link to HKEY_USERS\<SID-FOR-CURRENT-USER>. The most important sub-key in
here is HKCU\Software, which contains user-level settings for most of your software.

HKEY_LOCAL_MACHINE All of the system-wide settings are stored here, and it is usually abbreviated as
HKLM. You’ll mostly use the HKLM\Software key to check machine-wide settings.

HKEY_USERS Stores all of the settings for all users on the system. You’ll typically use HKCU instead, but if you
need to check settings for another user on your computer, you can use this one.

HKEY_CURRENT_CONFIG stores all of the information about the current hardware configuration. This one
isn’t used very often, and it is just a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current.

Internet traces
Accessing the Internet leaves a wide variety of information on a computer including Web sites, contents
viewed, and newsgroups accessed. For instance, some Windows systems maintain a record of accounts that
are used to connect to the Internet as shown in Figure

Web Browsing
When an individual first views a Web page, the browser caches the page and associated elements such as
images on disk; the creation and modification times of these cached files are the time the page was viewed. When the
same site is accessed in the future, the cached file is accessed. The number of times that a given page was
visited is recorded in some Web browser history databases.

What is a web browser?


A web browser takes you anywhere on the internet, letting you see text, images and video from anywhere in
the world.

The web is a vast and powerful tool


Over the course of a few decades, the internet has changed the way we work, the way we play and the way
we interact with one another.

Depending on how it’s used, it bridges nations, drives commerce, nurtures relationships, drives the
innovation engine of the future and is responsible for more memes than we know what to do with.

Cookies
What Are Cookies?
Cookies are text files with small pieces of data — like a username and password — that are used to identify
your computer as you use a computer network. Specific cookies known as HTTP cookies are used to identify
specific users and improve your web browsing experience.

Data stored in a cookie is created by the server upon your connection. This data is labeled with an ID unique
to you and your computer.

Session
A session is a group of user interactions with your website that take place within a given time frame.

For example, a single session can contain multiple page views, events, social interactions, and ecommerce
transactions.

You can think of a session as the container for the actions a user takes on your site.

A single user can open multiple sessions. Those sessions can occur on the same day, or over several days,
weeks, or months. As soon as one session ends, there is then an opportunity to start a new session. There
are two methods by which a session ends:

Time-based expiration:

• After 30 minutes of inactivity
• At midnight

Campaign change:

• If a user arrives via one campaign, leaves, and then comes back via a different campaign.

Difference between session and cookies

Cookie: Cookies are client-side files on a local computer that hold user information.
Session: Sessions are server-side files that contain user data.

Cookie: Cookies expire at the lifetime set by the user.
Session: When the user quits the browser or logs out of the program, the session is over.

Cookie: The browser’s cookies have a maximum capacity of 4 KB.
Session: We can keep as much data as we like within a session; however, there is a maximum memory
restriction of 128 MB that a script may consume at one time.

Cookie: Because cookies are kept on the local computer, we don’t need to run a function to start them.
Session: To begin the session, we must call the session_start() function.

Cookie: Cookies are not secured.
Session: Sessions are more secure than cookies.

Cookie: Cookies store data in a text file.
Session: Sessions save data in encrypted form.

What is a web session?

Email
Short for electronic mail, e-mail or email is information stored on a computer that is exchanged between
two users over telecommunications. More plainly, e-mail is a message that may contain text, files, images, or
other attachments sent through a network to a specified individual or group of individuals.

What is an Email Protocol: Definition and Types


An email protocol is a standard method for exchanging information between email clients and email providers’
servers such as Gmail, Outlook and Yahoo, in both directions.

Email protocols differ by function: some receive emails, others send and transport them.

Post Office Protocol 3 (POP3) and Internet Message Access Protocol (IMAP), for example, allow a client to
receive (retrieve) emails, while Simple Mail Transfer Protocol (SMTP) is responsible only for sending emails.

Email protocol
Email protocol is a method by which a communication channel is established between two computers and
email is transferred between them.

When an email is transferred, a mail server and two computers are involved. One computer sends the mail
and the other one receives it.

The mail server stores the mail and lets the receiving device access it and download it if needed.

POP3 stands for Post Office Protocol version 3.


As the name suggests, it allows you to use your email inbox like a post office – emails are downloaded onto
your computer and removed from the mail server.

When accessing your emails using the POP3 protocol, a copy of the emails is created and stored locally on
your computer.

The originals are usually, but not always, removed from the mail server. In other words, emails are tied to
the specific device. Once the email is downloaded onto one device (and removed from the mail server), it
cannot be accessed by another email client or device.

IMAP stands for Internet Message Access Protocol.


Unlike POP3, IMAP lets you log into different email clients or webmail interfaces and view the same emails
because in the IMAP setup, emails are kept on the mail server, rather than on your computer.

When you access your emails using the IMAP protocol, you are essentially using the email client to connect
to your mail server and managing your emails directly on your mail server.

In this setup, your mail server rather than your local computer is the main storage source of your emails.

Because of this, IMAP makes it possible to access your emails from different devices and all changes are
synchronized with the mail server and any email client(s) you are using.

In other words, if you delete an email from one email client, it is deleted from the mail server and the action
is reflected across all devices and email clients.

Example of how POP3 and IMAP work


When you wake up and access your mail from your phone:

POP3 will download all the emails to your phone for you to view, and by doing so, all emails are removed
from the mail server.

IMAP will send a copy of the emails to your phone, but leave the originals on your mail server.

Post Office Protocol (POP3) compared with Internet Message Access Protocol (IMAP)

POP3: POP is a simple protocol that only allows downloading messages from your Inbox to your local
computer.
IMAP: IMAP is much more advanced and allows the user to see all the folders on the mail server.

POP3: In POP3 the mail can only be accessed from a single device at a time.
IMAP: Messages can be accessed across multiple devices.

POP3: To read the mail it has to be downloaded on the local system.
IMAP: The mail content can be read partially before downloading.

POP3: The user cannot organize mails in the mailbox of the mail server.
IMAP: The user can organize the emails directly on the mail server.

POP3: The user cannot create, delete or rename email on the mail server.
IMAP: The user can create, delete or rename an email on the mail server.

POP3: It is unidirectional, i.e. all the changes made on a device do not affect the content present on the
server.
IMAP: It is bi-directional, i.e. all the changes made on the server or device are made on the other side too.

POP3: It does not allow a user to sync emails.
IMAP: It allows a user to sync their emails.

POP3: It has two modes: delete mode and keep mode. In delete mode, the mail is deleted from the mailbox
after retrieval. In keep mode, the mail remains in the mailbox after retrieval.
IMAP: Multiple redundant copies of the message are kept at the mail server; in case of loss of a message on a
local server, the mail can still be retrieved.

SMTP stands for Simple Mail Transfer Protocol.


SMTP is a set of communication guidelines that allow software to transmit electronic mail over the
internet.

It is a protocol used for sending messages to other computer users based on e-mail addresses.

It provides a mail exchange between users on the same or different computers, and it also supports the following:

• It can send a single message to one or more recipients.
• Messages can include text, voice, video or graphics.
• It can also send messages on networks outside the internet.

The main purpose of SMTP is to set up communication rules between servers.

The servers have a way of identifying themselves and announcing what kind of communication they are
trying to perform.

They also have a way of handling errors such as an incorrect email address.

For example, if the recipient address is wrong, then the receiving server replies with an error message of some
kind.

Components of SMTP

What is an Email Header?
The email header is the block of header fields at the start of an email message; it contains information about the sender, the recipient,
the email’s route to the inbox and various authentication details.

The email header always precedes the email body.

What purpose do email headers serve?

Providing information about the sender and recipient. An email header tells who sent the email and where it
arrived. Some markers indicate this information, like “From:” — sender’s name and email address, “To:” —
the recipient’s name and email address, and “Date:” — the time and date of when the email was sent. All of
these are mandatory indicators. Other parts of the email header are optional and differ among email service
providers.

Preventing spam. The information displayed in the email header helps email service providers troubleshoot
potential spam issues. ESPs analyze the email header, the “Received:” tag in particular, to decide whether
to deliver an email or not.

Identifying the email route. When an email is sent from one computer to another, it passes through one or
more Mail Transfer Agents, each of which automatically “stamps” the email header with information about the
recipient, time and date.
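An added example, not from these notes, of recovering the email route from the Received: lines: the message below is constructed with documentation domains and addresses, and the code lists the hops from first to last and checks that each hop's receiving host is the sending host of the next hop and that timestamps increase.

```python
"""Reconstruct and sanity-check the route an email took from its Received:
headers. Added example; RAW_MESSAGE is constructed, not a real capture."""
import email
import re
from email.utils import parsedate_to_datetime

# Constructed raw message. Each MTA prepends its own Received: line, so the
# top line is the last hop and the bottom line is the first hop.
RAW_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.20])
\tby mail.example.org with ESMTP id abc123
\tfor <bob@example.org>; Tue, 12 Mar 2024 09:30:07 +0000
Received: from smtp.example.net (smtp.example.net [198.51.100.7])
\tby mx.example.org with ESMTPS id def456; Tue, 12 Mar 2024 09:30:05 +0000
Received: from [203.0.113.55] (unknown [203.0.113.55])
\tby smtp.example.net with ESMTPA; Tue, 12 Mar 2024 09:29:58 +0000
From: Alice <alice@example.net>
To: Bob <bob@example.org>
Date: Tue, 12 Mar 2024 09:29:50 +0000
Subject: Test

Hello Bob
"""

# "from <sending host> ... by <receiving host>"; re.S because the header is
# folded across several lines.
HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.S)


def extract_route(raw):
    """Return the hops in delivery order (first MTA first)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        # The timestamp of the hop follows the final ';' of the header value.
        header, _, date_part = str(value).rpartition(";")
        m = HOP_RE.search(header)
        hops.append({
            "from": m["from"] if m else None,
            "by": m["by"] if m else None,
            "time": parsedate_to_datetime(date_part.strip()),
        })
    return hops


def check_route(hops):
    """Return a list of anomalies: a hop stamped earlier than the previous one,
    or a hop whose sending host is not the previous hop's receiving host.
    Either is worth a closer look (clock skew, or a forged header)."""
    issues = []
    for prev, cur in zip(hops, hops[1:]):
        if cur["time"] < prev["time"]:
            issues.append(f"timestamp goes backwards at {cur['by']}")
        if cur["from"] != prev["by"]:
            issues.append(f"chain break: {cur['from']} != {prev['by']}")
    return issues


if __name__ == "__main__":
    route = extract_route(RAW_MESSAGE)
    for i, hop in enumerate(route, 1):
        print(f"hop {i}: {hop['from']} -> {hop['by']} at {hop['time']}")
    print("issues:", check_route(route) or "none")
```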

Module 04

Unit 1: Cyber Crimes


Cybercrime, also called computer crime, is the use of a computer as an instrument to further illegal ends, such as
committing fraud, trafficking in child pornography and intellectual property, stealing identities, or violating privacy.

Cybercrime, especially through the Internet, has grown in importance as the computer has become central
to commerce, entertainment, and government.

Role of Computer in the Crime


Computers will probably be involved in crimes that no one has ever imagined.

When investigating a case, it is important to know what role the computer played in the crime, and then to
tailor the investigative process to that role.

The computer (by which we mean the information resident on the computer, code as well as data) is the
target of the crime, with an intention of damaging its integrity, confidentiality, and/or availability.

Many of these violations involve gaining unauthorized access to the target system (i.e., hacking into it).

The computer is a repository for information used or generated in a crime, for example to store stolen
password lists, credit card or calling card numbers, proprietary corporate information, pornographic image
files, or ‘‘warez’’ (pirated commercial software).

The computer is used as a tool in committing a crime.

Many of the examples in this report deal with unlawful conduct that exists in the physical, off-line world:
the illegal sale of prescription drugs, controlled substances, alcohol and guns, fraud, gambling, and child
pornography.

All these crimes leave digital tracks.

Investigations include searching computers that are suspected of being involved in illegal activities.

Based on the crime, Cybercrimes are classified into three broad groups.
1. Crimes against individuals – These are committed against individuals or their properties.

2. Crimes against Institutions

Some examples of cyber crimes against institutions are:

3. Crimes against State

Some examples of crimes against state are:

Here are five attack types that were the most damaging for enterprises in 2020.
1. Social engineering.
In 2020, almost a third of the breaches incorporated social engineering techniques, of which 90% were
phishing. Social engineering attacks include, but are not limited to, phishing emails, scareware and other
techniques — all of which manipulate human psychology to attain specific goals.

2. Ransomware.
Ransomware is a data-encrypting program that demands payment to release the infected data. The overall
sum of ransom demands will have reached $1.4 billion in 2020, with an average sum to rectify the damage
reaching up to $1.45 million. Ransomware is the third most popular type of malware used in data breaches
and is employed in 22% of the cases.

3. DDoS (distributed denial-of-service) attacks.


There were 4.83 million DDoS attacks attempted in the first half of 2020 alone and each hour of service
disruption may have cost businesses as much as $100k on average.

To form the botnet needed for a coordinated DDoS attack, hackers employ devices previously compromised by
malware or hacking. Thus, every machine can be performing criminal activity with its owner being unaware.
The traffic can then be targeted against, say, AWS, which reported having prevented a 2.3 Tbps attack in
February 2020.

4. Third party software.


The top 30 ecommerce retailers in the US are connected to 1,131 third-party resources each, and 23% of
those assets have at least one critical vulnerability. If one of the applications within this ecosystem is
compromised, it gives the attackers a gateway to other domains.

5. Cloud computing vulnerabilities.


The global market for cloud computing is estimated to grow 17% this year, totaling $227.8 billion. During the
pandemic, the economy also witnessed a 50% increase in cloud use across all industries.

This trend is a perfect lure for hackers, who performed 7.5 million external attacks on cloud accounts in Q2
2020. Since the beginning of the year, the number of attempted breaches grew by 250% compared to
2019. The criminals scan for cloud servers with no password, exploit unpatched systems and perform brute-
force attacks to access the user accounts. Some try to plant ransomware or steal sensitive data, whilst
others use cloud systems for cryptojacking or coordinated DDoS attacks.

Unit 2 : Crime Types


Cybercrime is any criminal activity that involves a computer, networked device or a network.

Basics of SQL Injections

What is SQL injection (SQLi)?
A SQL injection attack consists of the insertion or “injection” of a SQL query via the input data sent from the client to
the application.

It generally allows an attacker to view data that they are not normally able to retrieve. This might include
data belonging to other users, or any other data that the application itself is able to access.

In some situations, an attacker can escalate an SQL injection attack to compromise the underlying server or
other back-end infrastructure or perform a denial-of-service attack.

What is the impact of a successful SQL injection attack?


• A successful SQL injection attack can result in unauthorized access to sensitive data, such as
passwords, credit card details, or personal user information.
• In some cases, an attacker can obtain a persistent backdoor into an organization's systems, leading
to a long-term compromise that can go unnoticed for an extended period.

SQL injection examples


There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which arise in different
situations. Some common SQL injection examples include:

1. Retrieving hidden data, where you can modify an SQL query to return additional results.
2. Subverting application logic, where you can change a query to interfere with the application's logic.
3. UNION attacks, where you can retrieve data from different database tables.
4. Examining the database, where you can extract information about the version and structure of the
database.
5. Blind SQL injection, where the results of a query you control are not returned in the application's
responses.

1. Retrieving hidden data


Consider a shopping application that displays products in different categories. When the user clicks on the
Gifts category, their browser requests the URL:

https://insecure-website.com/products?category=Gifts

This causes the application to make an SQL query to retrieve details of the relevant products from the
database:

SELECT * FROM products WHERE category = 'Gifts' AND released = 1

This SQL query asks the database to return:

• all details (*)
• from the products table
• where the category is Gifts
• and released is 1.

The restriction released = 1 is being used to hide products that are not released. For unreleased products,
presumably released = 0.

Attack

If the application doesn't implement any defenses against SQL injection, an attacker can construct a URL
like:

https://insecure-website.com/products?category=Gifts'--

This results in the SQL query:

SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1

The sequence -- starts a SQL comment, so the rest of the query is ignored; the released = 1 restriction is no
longer applied and unreleased products are returned as well.

2. Subverting application logic


Consider an application that lets users log in with a username and password. If a user submits the username
wiener and the password bluecheese, the application checks the credentials by performing the following SQL
query:

SELECT * FROM users WHERE username = 'wiener' AND password = 'bluecheese'

Attack

Here, an attacker can log in as any user without a password simply by using the SQL comment sequence -- to
remove the password check from the WHERE clause of the query.

For example, submitting the username administrator'-- and a blank password results in the following query:

SELECT * FROM users WHERE username = 'administrator'--' AND password = ''

A SQL injection attack occurs when:

1. Unintended data enters a program from an untrusted source.
2. The data is used to dynamically construct a SQL query.

The main consequences are:

1. Confidentiality: Since SQL databases generally hold sensitive data, loss of confidentiality is a
frequent problem with SQL Injection vulnerabilities.
2. Authentication: If poor SQL commands are used to check usernames and passwords, it may be
possible to connect to a system as another user with no previous knowledge of the password.
3. Authorization: If authorization information is held in a SQL database, it may be possible to change
this information through the successful exploitation of a SQL Injection vulnerability.
4. Integrity: Just as it may be possible to read sensitive information, it is also possible to make changes
or even delete this information with a SQL Injection attack.

SQL Injection Prevention


SQL Injection attacks are unfortunately very common, and this is due to two factors:

1. the significant prevalence of SQL Injection vulnerabilities, and
2. the attractiveness of the target (i.e., the database typically contains all the interesting / critical data
for your application).

Avoiding SQL injection flaws is simple.


Developers need to either:

a) stop writing dynamic queries; and/or
b) prevent user supplied input which contains malicious SQL from affecting the logic of the executed
query.

Primary Defenses:

• Option 1: Use of Prepared Statements (with Parameterized Queries)
• Option 2: Use of Stored Procedures
• Option 3: Allow-list Input Validation
• Option 4: Escaping All User Supplied Input
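An added example (not from these notes) showing the login query of the Subverting application logic section written two ways against an in-memory SQLite database: built by string concatenation, and as a prepared statement with parameterized values (Option 1 above). The users table and credentials are constructed.

```python
"""Vulnerable versus parameterized login query. Added example; the table
contents and passwords are constructed sample data."""
import sqlite3


def make_db():
    """Create an in-memory database with a constructed users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("administrator", "constructed-admin-pw", "admin"),
        ("wiener", "bluecheese", "user"),
    ])
    return con


def login_vulnerable(con, username, password):
    """Builds the query by concatenating the submitted values, the pattern
    that turns the username administrator'-- into
    SELECT ... WHERE username = 'administrator'--' AND password = ''
    so the password check is commented out of the WHERE clause."""
    query = ("SELECT username, role FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return con.execute(query).fetchone()


def login_safe(con, username, password):
    """Prepared statement: the placeholders are bound to the submitted values
    as data, so a quote or -- inside the username is compared literally
    against the column and never becomes SQL syntax."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return con.execute(query, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("legit, vulnerable:", login_vulnerable(db, "wiener", "bluecheese"))
    print("bypass, vulnerable:", login_vulnerable(db, "administrator'--", ""))
    print("bypass, safe:      ", login_safe(db, "administrator'--", ""))
    print("legit, safe:       ", login_safe(db, "wiener", "bluecheese"))
```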

2.2 Theft of FTP password


This is another very common way to tamper with web sites.

FTP password hacking takes advantage of the fact that many webmasters store their website login
information on their poorly protected PCs.

The thief searches the victim’s system for FTP login details, and then relays them to his or her own remote
computer.

He or she then logs into the web site via the remote computer and modifies the web pages at will.

2.3 Cross-site Scripting (XSS)


Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in the web browser of the
victim by including malicious code in a legitimate web page or web application.

Cross site scripting (XSS) is a common attack vector that injects malicious code into a vulnerable web
application. XSS differs from other web attack vectors (e.g., SQL injections), in that it does not directly target
the application itself. Instead, the users of the web application are the ones at risk.

When you visit such a web page, the script is automatically downloaded to your browser and executed.

Typically, attackers inject HTML, JavaScript, VBScript into a vulnerable application to fool you and gather
confidential information.

2.4 Virus
A virus is a “program that is loaded onto your computer without your knowledge and runs against your
wishes”.

Signs of Viruses

TYPES OF VIRUSES
1. RESIDENT VIRUS
Resident viruses set up in your RAM and interfere with your system operations. They’re so sneaky that
they can even attach themselves to your anti-virus software files.

2. MULTIPARTITE VIRUS
This virus infects the entire system – multipartite viruses spread by performing unauthorized actions on
your operating system, folders, and programs.

3. DIRECT ACTION
This virus targets a specific file type, most commonly executable files (.exe), by replicating and infecting
files. Due to its targeted nature, this virus type is one of the easier ones to detect and remove.

4. BROWSER HIJACKER
Easily detected, this virus type infects your browser and redirects you to malicious websites.

5. OVERWRITE VIRUS
As the name implies, overwrite viruses overwrite file content to infect entire folders, files, and programs.

6. WEB SCRIPTING VIRUS


This sneaky virus disguises itself in the coding of links, ads, images, videos, and site code. It can infect
systems when users download malicious files or visit malicious websites.

7. FILE INFECTOR
By targeting executable files (.exe), file infector viruses slow down programs and damage system files
when a user runs them.

8. NETWORK VIRUS
Network viruses travel through network connections and replicate themselves through shared resources.

9. BOOT SECTOR VIRUS


One of the easier viruses to avoid, this virus hides out in a file on a USB drive or email attachment. When
activated, it can infect the system’s master boot record to damage the system.

Solution
Install a security suite that protects the computer against threats such as viruses and worms.

2.5 Worms
A computer worm is a type of malware that spreads copies of itself from computer to computer. A worm can
replicate itself without any human interaction, and it does not need to attach itself to a software program in
order to cause damage.

How to tell if your computer has a worm?


If you suspect your devices are infected with a computer worm, run a virus scan immediately. Even if the
scan comes up negative, continue to be proactive by following these steps.

a. Keep an eye on your hard drive space. When worms repeatedly replicate themselves, they start
to use up the free space on your computer.
b. Monitor speed and performance. Has your computer seemed a little sluggish lately? Are some
of your programs crashing or not running properly? That could be a red flag that a worm is
eating up your processing power.
c. Be on the lookout for missing or new files. One function of a computer worm is to delete and
replace files on a computer.

How to help protect against computer worms


1. Since software vulnerabilities are major infection vectors for computer worms, be sure your computer’s
operating system and applications are up to date with the latest versions. Install these updates as soon
as they’re available because updates often include patches for security flaws.
2. Phishing is another popular way for hackers to spread worms (and other types of malware). Always be
extra cautious when opening unsolicited emails, especially those from unknown senders that contain
attachments or dubious links.
3. Be sure to invest in a strong internet security software solution that can help block these threats. A
good product should have anti-phishing technology as well as defenses against viruses, spyware,
ransomware, and other online threats.

Difference between Virus and Worm

2.6 Logic Bomb


A Logic Bomb is a piece of often-malicious code that is intentionally inserted into software. It is activated
upon the host network only when certain conditions are met.

Example:

“Some dissatisfied developers have a way of ‘going out screaming’ when they leave or are terminated from a
work setting. They insert logic bombs into company systems that, upon certain events or at certain times,
execute malicious functions such as files deletions.”

2.7 E-mail bombing


An email bomb is a form of Internet abuse which is perpetrated through the sending of massive volumes of
email to a specific email address with the goal of overflowing the mailbox and overwhelming the mail server
hosting the address, making it into some form of denial-of-service attack.

An email bomb is also known as a letter bomb.

There are three ways to create an email bomb:


1. Mass mailing - involves sending numerous duplicates of the same email to one email address. Because
of the simplicity of this attack, it can be easily detected by spam filters.
2. List linking - meant more to annoy than to cause real trouble. The technique involves subscribing the
address under attack to many email lists so that it constantly receives mail from these
lists. The user then has to manually unsubscribe from each list.
3. ZIP bombing - the latest twist on email bombing, using ZIP archived attachments. Mail servers always
check email attachments for viruses, especially zip archives and .exe files.
The idea here is to place a text file with millions or billions of arbitrary characters, or even a single letter
repeated millions of times, so that the scanner requires a greater amount of processing power to
read each one.
Combining this with mass mailing techniques increases the chance that a denial-of-service attack succeeds.

2.8 DoS attack


A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible
to its intended users. DoS attacks accomplish this by flooding the target with traffic or sending it information
that triggers a crash. In both instances, the DoS attack deprives legitimate users (i.e., employees, members,
or account holders) of the service or resource they expected.

2.9 Spamming
Spamming is the use of electronic messaging systems like e-mails and other digital delivery systems and
broadcast media to send unwanted bulk messages indiscriminately. The term spamming is also applied to
other media like in internet forums, instant messaging, and mobile text messaging, social networking spam,
junk fax transmissions, television advertising and sharing network spam.

2.10 Web jacking


When a Web application improperly redirects a user’s browser from a page on a trusted domain to a bogus
domain without the user’s consent, it’s called Web Jacking.

The web jacking attack method is a type of social engineering attack related to phishing, often
used to steal user data, including login credentials and credit card numbers.

Web Jacking Attack Method:
1. The first step of the web jacking attack method is to create a fake page of the victim website, for example
www.anywebsite.com/login.php.
2. The second step is to host it either on a local computer or on shared hosting.
3. The third step is to send the link of the fake page to the victim.
4. In the fourth step the victim opens the link, enters their details and submits them.
5. In the last step, the attacker receives all the details submitted by the victim.

How to be safe from the web jacking attack method


1. First of all, do not enter sensitive data in any link sent to you.
2. Check the URL.
3. Just because the address looks OK, don’t assume this is a legitimate site.
4. Read the company name carefully and check whether it is right or wrong.
5. Check whether the protocol is http or https; if it is http, do not enter your data.
6. If you are not sure whether the site is real or fake, enter a wrong username and password.
7. Use a browser with antiphishing detection.

2.11 Identity theft and Credit card fraud


Identity theft is the crime of obtaining the personal or financial information of another person to use their
identity to commit fraud, such as making unauthorized transactions or purchases.

Identity theft is committed in many ways and its victims are typically left with damage to their credit,
finances, and reputation.

What Are The Most Common Ways That Identity Theft or Fraud Can Happen to You?
In public places, for example, criminals may engage in "shoulder surfing"– watching you from a nearby
location as you punch in your telephone calling card number or credit card number – or listen in on your
conversation if you give your credit-card number over the telephone.

Many people respond to "spam"– unsolicited E-mail – that promises them some benefit but requests
identifying data, without realizing that in many cases, the requester has no intention of keeping his promise.

In some cases, criminals reportedly have used computer technology to steal large amounts of personal data.

With enough identifying information about an individual, a criminal can take over that individual's identity to
conduct a wide range of crimes.

For example:

• False applications for loans and credit cards,
• Fraudulent withdrawals from bank accounts,
• Fraudulent use of telephone calling cards or online accounts, or
• Obtaining other goods or privileges which the criminal might be denied if he were to use his real
name

2.12 Credit card fraud


How credit card fraud happens
Credit card fraud occurs when an unauthorized person gains access to your information and uses it to make
purchases.

Here are some ways fraudsters get your information:

• Lost or stolen credit cards
• Skimming your credit card, such as at a gas station pump
• Hacking your computer
• Calling about fake prizes or wire transfers
• Phishing attempts, such as fake emails
• Looking over your shoulder at checkout
• Stealing your mail

2.13 Data diddling

Data diddling is a form of computer fraud involving the intentional falsification of numbers in data entry.
It most often involves the inflation or understatement of income or expenses to benefit a company or
individual when completing tax or other financial documents.

Data is altered as it is entered into a computer system, most often by a data entry clerk or a computer virus.

Unlike other fraud, data diddling specifically refers to the misrepresentation of information during entry,
and not after.

The phrase comprises the term data, which is digital information, and the verb diddle, which means to
falsify or exploit.

2.14 Salami attacks
The attacker uses an online database to seize customers' information, that is, bank or credit card details,
and deducts very small amounts from every account over a period. The customers remain unaware of the
slicing, so no complaint is lodged, which keeps the attacker away from detection.

In its most basic form, a hacker simply tries making small deposits into random bank accounts by attempting
thousands of combinations of routing numbers and account numbers.

Criminals steal money or resources from financial accounts on a system a little at a time. This attack occurs
when several minor attacks combine to form a powerful attack. Because each individual slice is so small,
these attacks frequently go undetected.
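Because each slice is below any per-transaction alert threshold, detection has to pivot on the recipient and on repetition. The following is an added example, not part of the original notes: it runs two such checks over a constructed ledger (account names like CUST-001 and ACC-SINK are invented), flagging any account that collects tiny credits from many distinct payers and any identical tiny (amount, memo) debit that hits many accounts.

```python
"""Salami-slice detection over a constructed transaction ledger (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    src: str           # account debited
    dst: str           # account credited
    amount_cents: int  # integer cents; never use floats for money
    memo: str


def constructed_ledger() -> list:
    """Constructed sample data: ordinary purchases plus a salami pattern.

    Each of 25 customers is debited 3 cents labelled 'rounding adj' to the same
    (hypothetical) sink account ACC-SINK, while their normal purchases go to a
    handful of merchants. Three customers also make a legitimate 50-cent
    round-up donation, which must not be flagged.
    """
    txns = []
    for i in range(25):
        cust = f"CUST-{i:03d}"
        txns.append(Txn(cust, f"MERCH-{i % 5}", 1299 + 100 * i, "purchase"))
        txns.append(Txn(cust, "ACC-SINK", 3, "rounding adj"))
    for cust in ("CUST-001", "CUST-007", "CUST-012"):
        txns.append(Txn(cust, "CHARITY-1", 50, "round-up"))
    return txns


def find_salami_sinks(txns, max_cents=50, min_sources=10):
    """Sink accounts that receive tiny credits from many distinct payers.

    A single slice looks like rounding noise; one account collecting
    micro-credits from many different source accounts is the signature.
    """
    sources = defaultdict(set)
    totals = defaultdict(int)
    for t in txns:
        if 0 < t.amount_cents <= max_cents:
            sources[t.dst].add(t.src)
            totals[t.dst] += t.amount_cents
    hits = [{"account": dst, "sources": len(srcs), "total_cents": totals[dst]}
            for dst, srcs in sources.items() if len(srcs) >= min_sources]
    return sorted(hits, key=lambda h: -h["sources"])


def repeated_micro_debits(txns, max_cents=50, min_accounts=10):
    """Second view: the same tiny (amount, memo) pair debited from many accounts,
    which catches the 'deduct a little from everyone' variant described above."""
    by_key = defaultdict(set)
    for t in txns:
        if 0 < t.amount_cents <= max_cents:
            by_key[(t.amount_cents, t.memo)].add(t.src)
    return {key: len(accts) for key, accts in by_key.items() if len(accts) >= min_accounts}


if __name__ == "__main__":
    ledger = constructed_ledger()
    for hit in find_salami_sinks(ledger):
        print(f"suspect sink {hit['account']}: {hit['sources']} payers, "
              f"{hit['total_cents']} cents collected")
    for (cents, memo), n in repeated_micro_debits(ledger).items():
        print(f"identical {cents}-cent '{memo}' debit hit {n} accounts")
```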

2.15 Phishing
Phishing is a type of social engineering attack often used to steal user data, including login credentials and
credit card numbers.

It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant
message, or text message.

2.16 Cyber stalking


Cyberstalking refers to the use of the internet and other technologies to harass or stalk another person
online. This online harassment, which is an extension of cyberbullying and in-person stalking, can take the
form of e-mails, text messages, social media posts, and more and is often methodical, deliberate, and
persistent.

2.17 Spoofing
Spoofing, as it pertains to cybersecurity, is when someone or something pretends to be something else in an
attempt to gain our confidence, get access to our systems, steal data, steal money, or spread malware.

Spoofing attacks come in many forms, primarily:
• Email spoofing
• Website and/or URL spoofing
• Caller ID spoofing
• Text message spoofing
• GPS spoofing
• Man-in-the-middle attacks
• Extension spoofing
• IP spoofing
• Facial spoofing

2.18 Pornography
Pornography refers to the portrayal of sexual subject or matter in form of books, magazines, postcards,
photographs, sculpture, drawing, painting, animation, sound recording, writing, film, video, and video games
for the purpose of sexual excitement

Watching or possessing pornographic materials in India is legal, however, individuals should not do so in
public places. Production, publication, or distribution of pornographic materials is illegal in India.

Watching or production, publication, or distribution of child pornography is illegal and can lead to a 5-year
term of imprisonment and a Rs 40 lakh fine.

Child Pornography
According to the Ministry of Women and Child Development, child pornography is defined as “any visual
depiction of sexually explicit conduct involving a child which includes photographs, videos, digital or
computer-generated image indistinguishable from an actual child and an image created, adapted or
modified but appear to depict a child.”

Market size of the Adult & Pornographic Websites industry in the US in 2021?

The market size, measured by revenue, of the Adult & Pornographic Websites industry is $803.6m in 2021.

2.19 Defamation
Defamation is any statement that damages the reputation of another individual or party. A defamation
example would be if a customer accused the restaurant owner of food poisoning even though it was not
actually the restaurant's food that caused them to be ill.

2.20 Computer vandalism


The term vandalism describes the deliberate act of damaging or destroying another person or company's
property without their permission.

For example, with a computer, hardware vandalism is the act of intentionally breaking or destroying
computer hardware. For example, a student could purposely damage a laptop given to them by the school.

With the Internet, vandalism or cyber vandalism could include any of the following.

• Hacking into and defacing a website.
• Intentionally damaging or destroying a digital object.
• Posting fake reviews.
• Giving bad information on a forum or wiki.
• Cheating or creating bots to cheat in online gaming.
• Posting fake news on a social network.
• Posting a virus or other malware for others to download unknowingly.

2.21 Cyber terrorism


Almost every person in the world has a vague idea of what terrorism is. Using violent means to achieve
political goals, especially by targeting innocent civilians, is a hallmark of terrorism. Nonetheless, in the last
two or three decades, the world has come to realize that terror can be inflicted on countries and
organizations not just through guns and bombs, but also through digital networks and the internet.

These attacks can cause incalculable damage, given humanity’s dependence on the internet and information
technology.

Such attacks are referred to as Cyber terrorism. Instances of Cyber-terror have increased exponentially in the
past few decades, and Cybersecurity is forced to adapt for defending information systems, sensitive
information, and data from Cyber terrorists.

WHAT IS CYBER TERRORISM?


Information and communication technology, commonly referred to as ICT, has changed the world as we
know it but also offers plenty of scope for terror outfits to expand, recruit, and propagandize on various ICT
platforms.

The internet can be used by terrorists to finance their operations, train other terrorists, and plan terror
attacks. The more mainstream idea of cyber terrorism also includes the hacking of government or private
servers to access sensitive information for use in terror activities.

EXAMPLES OF CYBER TERRORISM


1. Introduction of viruses to vulnerable data networks.
2. Hacking of military servers to disrupt communication and steal sensitive information.
3. Defacing websites and making them inaccessible to the general public thereby causing
inconvenience and financial losses.
4. Hacking communication platforms to intercept or stop communications and make terror threats
using the internet.
5. Attacks on financial institutions to transfer money and cause terror.

2.22 Cyber warfare


Cyber warfare involves the actions by a nation-state or international organization to attack and attempt to
damage another nation's computers or information networks through, for example, computer viruses or
denial-of-service attacks

Examples of acts that might qualify as cyberwarfare include the following:

• viruses, phishing, computer worms and malware that can take down critical infrastructure;
• distributed denial-of-service (DDoS) attacks that prevent legitimate users from accessing targeted
computer networks or devices;
• hacking and theft of critical data from institutions, governments and businesses;
• spyware or cyber espionage that results in the theft of information that compromises national
security and stability;
• ransomware that holds control systems or data hostage; and
• propaganda or disinformation campaigns used to cause serious disruption or chaos.
What are the goals of cyberwarfare?

• According to the Cybersecurity and Infrastructure Security Agency, the goal of cyberwarfare is to
"weaken, disrupt or destroy" another nation.
• To achieve their goals, cyberwarfare programs target a wide spectrum of objectives that might harm
national interests.
• These threats range from propaganda to espionage and serious disruption with extensive
infrastructure disruption and loss of life to the citizens of the nation under attack.

2.23 Hacking
Hacking refers to activities that seek to compromise digital devices, such as computers, smartphones,
tablets, and even entire networks.

And while hacking might not always be for malicious purposes, nowadays most references to hacking, and
hackers, characterize it/them as unlawful activity by cybercriminals—motivated by financial gain, protest,
information gathering (spying), and even just for the “fun” of the challenge.

How does hacking work?


Hackers breach defenses to gain unauthorized access into computers, phones, tablets, IoT devices, networks,
or entire computing systems. Hackers also take advantage of weaknesses in network security to gain access.
The weaknesses can be technical or social in nature.

Who is a Hacker?
A Hacker is a person who finds and exploits the weakness in computer systems and/or networks to gain
access. Hackers are usually skilled computer programmers with knowledge of computer security.

What is ethical hacking?


Ethical hacking involves the legal use of hacking techniques for benevolent versus malicious purposes.
Ethical hackers use penetration testing and other tactics to find software vulnerabilities and other security
weaknesses so they can be promptly addressed.

Unit 3: Types of Hackers


Hackers
In common a hacker is a person who breaks into computers, usually by gaining access to administrative
controls.

Types of Hackers

1. White Hat Hacker
2. Grey Hat Hacker
3. Black Hat Hacker

3.1 Black Hat


Black Hat hacking is a type of hacking in which the hacker is the villain. Like all other hackers, black hat
hackers usually have extensive knowledge about computer networks and security protocols. However, they
use their skills to steal from and damage vulnerable devices.

For example, if a system has a vulnerability, then black hat hacker will search for it and will break into it to
steal the information and then damage the whole system.

In short, Black hat hackers are the bad guys who will never think twice to steal your credit card details to
hack into your bank account.

3.2 White Hat


White hat hackers are also known as “Ethical hackers”; the working procedures of Black hat and White hat
hackers are almost the same.

But white hat hackers are the good guys who work for the companies as security specialists that get paid for
finding security holes with the help of their hacking capabilities.

There is another major difference between Black hat and White hat hackers: White hat hackers do
everything with permission from the system's owner or administrator, which makes it completely legal.

White hat hacker after finding any vulnerability would disclose it to the developer, allowing them to patch
their product and improve the security before it’s compromised.

3.3 Grey Hat


Grey hat hackers are a blend of both Black hat and White hat activities, but they are less skilled compared to
black hat or white hat hackers. Grey hat hackers are not bad guys, but they look for vulnerabilities in a system
without permission.

If issues are found, they report them to the owner, sometimes requesting a small fee for discovering and
fixing the problem. If the owner doesn't respond, they post the vulnerability in a public forum for the world
to see.

Compare the Hackers


White-Hat Hackers | Black-Hat Hackers | Gray-Hat Hackers
White-Hat Hacking is done by White Hat Hackers. | Black-Hat Hacking is done by Black Hat Hackers. | Gray-Hat Hacking is done by Gray Hat Hackers.
White-Hat Hackers are individuals who find vulnerabilities in computer networks. | Black-Hat Hackers are highly skilled individuals who hack a system illegally. | Gray-Hat Hackers work both defensively and aggressively.
White-Hat Hackers work for organizations and government. | Black-Hat Hackers are criminals who violate computer security for their own personal gain. | Gray-Hat Hackers find issues in a system without the owner's permission.
In some cases, White-Hat Hackers are paid employees. | Black-Hat Hackers make money by carding and selling information to other criminals. | Gray-Hat Hackers find issues and report them to the owner, sometimes requesting a small amount of money to fix the issue.
White-Hat Hacking is legal. | Black-Hat Hacking is illegal. | Gray-Hat Hackers sometimes violate laws.

3.4 Different types of Malwares


Malware, being one of the common causes of data breaches, is something every IT and security expert
should be concerned about. It’s a fact that many businesses will install anti-virus and forget about it, not
knowing that malware can still bypass anti-virus software and firewalls.

The word "malware" comes from the term "MALicious softWARE."

Malware is any software that infects and damages a computer system without the owner's knowledge or
permission.

No anti-virus or anti-malware will protect you from ALL malware.

What is malware?
Malware is an umbrella term for any piece of software that has malicious intent.

There are several types of malware and each of them has a unique way of infiltrating your computer which
may include attempts at gaining unauthorized control of your computer systems, stealing your personal
information, encrypting your important files, or causing other harm to your computers. Sometimes the
damage can be irrevocable.

Where does malware come from?


Phishing – Emails can be disguised to be coming from a fraudulent company for the sole purpose of getting
you to reveal personal information

Malicious Websites – Some websites may attempt to install malware onto your computer, usually through
popups or malicious links

Torrents – Files shared through BitTorrent are generally unsafe because you never know what to expect
until they’re downloaded

Shared Networks – A malware-infected computer on the same shared network may spread malware onto
your computer

7 Common Types of Malware


1. Trojans: A Trojan (or Trojan Horse) disguises itself as legitimate software with the purpose of tricking
you into executing malicious software on your computer.
2. Spyware: invades your computer and attempts to steal your personal information such as credit card
or banking information, web browsing data, and passwords to various accounts.
3. Adware: unwanted software that displays advertisements on your screen. Adware collects
personal information from you to serve you with more personalized ads.
4. Rootkits: enable unauthorized users to gain access to your computer without being detected.
5. Ransomware: designed to encrypt your files and block access to them until a ransom is paid.
6. Worms: A worm replicates itself by infecting other computers that are on the same network. They’re
designed to consume bandwidth and interrupt networks.
7. Keyloggers: keep track of your keystrokes on your keyboard and record them in a log. This
information is used to gain unauthorized access to your accounts.

Module 04

Unit 1: Cyber Laws

Defining Cyber Law


Cyber Law, also called IT Law, is the law regarding information technology, including computers and the
internet. It is related to legal informatics and supervises the digital circulation of information, software,
information security and e-commerce.

IT law does not constitute a separate area of law; rather, it encloses aspects of contract, intellectual property,
privacy and data protection laws. Intellectual property is a key element of IT law. The area of software
licensing is controversial and still evolving in Europe and elsewhere.

Cyber law gives legal recognition to electronic documents and a structure to support e-filing and e-
commerce transactions, and also provides a legal structure to reduce and check cyber crimes.

Importance of Cyber Law:


Just like any other law, cyber law consists of rules that dictate how people and companies should use the
internet and computers, while other rules protect people from getting trapped in cybercrime run by
malicious people on the internet.

If anyone breaks a cyber law, action is taken against that person on the basis of the type of cyber law
broken, where the person lives, and where the law was broken. It is most important to punish the criminals
or to put them behind bars, as most cybercrimes cross the limits of what can be considered a common crime.

• It covers all transactions over the internet.
• It keeps eyes on all activities over the internet.
• It touches every action and every reaction in cyberspace
• It dictates all actions and reactions in Cyberspace.
• All online transactions are ensured to be safe and protected
• All online activities are under watch by the Cyber law officials.
• Security for all data and property of individuals, organizations, and Government
• Helps curb illegal cyber activities with due diligence
• All actions and reactions implemented on any cyberspace has some legal angle associated with it
• Keeps track of all electronic records
• Helps to establish electronic governance

Area of Cyber Law:


Cyber laws contain different types of purposes. Some laws create rules for how individuals and companies
may use computers and the internet while some laws protect people from becoming the victims of crime
through unscrupulous activities on the internet. The major areas of cyber law include:

1. Fraud: Consumers depend on cyber laws to protect them from online fraud. Laws are made to
prevent identity theft, credit card theft and other financial crimes that happen online.
2. Copyright: The internet has made copyright violations easier. Copyright is an area of cyber law that
protects the rights of individuals and companies to profit from their own creative works.

3. Defamation: Defamation laws are civil laws that protect individuals from false public statements that
can harm a business or someone’s personal reputation. When people use the internet to make
statements that violate these civil laws, defamation law applies.
4. Harassment and Stalking: When a person makes threatening statements again and again about
someone else online, there is violation of both civil and criminal laws. Cyber lawyers both prosecute
and defend people when stalking occurs using the internet and other forms of electronic
communication.
5. Freedom of Speech: Freedom of speech is an important area of cyber law. Even though cyber laws
forbid certain behaviors online, freedom of speech laws also allow people to speak their minds.
Cyber lawyers must advise their clients on the limits of free speech, including laws that prohibit
obscenity. Cyber lawyers may also defend their clients when there is a debate about whether their
actions constitute permissible free speech.
6. Trade secrets: In general, trade secrets are confidential information of companies. Attempting to
leak confidential information to the public or using the same for monetary gain is a serious offense
as per Indian cyber law. The penalty for leaking or using trade secrets is as per the gravity of injury
experienced by the infringed party. It would be right to say that there is a need for cyber law to
protect trade secrets.

Advantages of Cyber Law:


Organizations are now able to carry out e-commerce using the legal infrastructure provided by the Act.

Digital signatures have been given legal validity and sanction in the Act.

It has opened the doors for the entry of corporate companies for issuing Digital Signatures Certificates in the
business of being Certifying Authorities.

It allows Government to issue notification on the web thus heralding e-governance.

It gives authority to the companies or organizations to file any form, application or any other document with
any office, authority, body or agency owned or controlled by the suitable Government in e-form by means of
such e-form as may be prescribed by the suitable Government.

The IT Act also addresses the important issues of security, which are so critical to the success of electronic
transactions.

Objectives of Cyber Law


Lawmakers have enacted cyber law protections with the following objectives. The following features
of cyber law are making the internet a much safer place to explore.

To be a safety net against online data predators.

To ensure justice for cybercrime victims

To prevent debit card or credit card fraud. Many people have switched to digital paying methods. Cyber law
tries to make sure that victims do not have to go through the additional agony of long procedures.

To block transactions when there is any unusual activity such as the input of an incorrect password.

To ensure the safety of protected data. By knowing what cyber law is, one can easily adopt preventative
measures.

To ensure national security.

Concept and scope of Jurisprudence
Jurisprudence comes from the Latin word ‘jurisprudentia’, meaning “knowledge of law”. Bentham and
Austin provided the earliest description of this term. Since then, the spectrum of jurisprudence has
grown in many areas and now covers the whole gamut of law, not just positive laws. It is the study of the
basic principles of law. The judiciary’s versatility in interpreting the law to support the State’s social welfare
ends has also led to a major expansion of jurisprudence.

Jurisprudence allows us to grasp the more abstract nature of the law. Jurisprudence is an important part of
the law that is based on different hypotheses and interpretations. Jurisprudence speaks of the relationship
between the law, culture, man, nature and other social sciences.

Jurisprudence denotes a logical and analytical study of the law. The term Jurisprudence originated from the
Latin words “juris” and “prudentia”: it can be divided into two parts, the word “jus”, meaning “law”, and the
word “prudentia”, meaning prudence, forethought, or discretion.

Jurisprudence can also be referred to as a legal philosophy. Jurisprudence offers us an outline and a much
deeper understanding of the law and the role the law plays in society. It deals with legal logic, bodies of law
and legal frameworks.

Scope of Jurisprudence
The scope of Jurisprudence has been dealt with in the following sub-heads:

Living Law Concept & Social Engineering


In addition to the study of formal law or paper law, it aims at the practical study of law. Living Law linked law
to the actual existence of society and thus promoted the empirical study of law within the context of society.
The significance of Living Law in India becomes imperative because there is a large gap between formal
legislation and the norms which are prevalent in the culture. An example of the difference between practice in
society and formal law can be found in the Dowry Prohibition Act, 1961, where further changes were
made to the law to make the offence punishable with stringent punishments, yet the mischief in society
has not been curtailed.

Vast Spectrum

The spectrum of jurisprudence is not limited to one or only a few legal frameworks being studied. It concerns
a comparative review of various legal systems proposing codification and institutional changes by legislation.

Directive Principles of State Policy (DPSP) and Jurisprudence

The spectrum of jurisprudence does not restrict itself to understanding and applying those principles. It
also includes laws that are not strictly enforceable but are nevertheless central to the country’s governance.

Jurisprudence also includes the fields of gender and compensatory justice (LGBT).

The marginal and underprivileged individuals of society, including the LGBTQ community, are given the
opportunity to raise their issues in honourable courts by filing a Public Interest Litigation to support their
cause.

Basics of Cyber Space


Cyberspace is an unreal world where information is constantly transmitted through or between computers.
Cyberspace refers to the virtual computer world, and more specifically, an electronic medium that is used to
facilitate online communication. Cyberspace typically involves a large computer network made up of many
worldwide computer subnetworks that is used for communication and data exchange activities.

Cyberspace is an interactive domain made up of digital networks that is used to store, modify and
communicate information. It includes the internet, but also the other information, systems that support our
companies, infrastructure and services.

Cyberspace can be divided into a multi-layer model comprised of:

1. Physical foundations: such as land and submarine cables, and satellites that provide communication
pathways, along with routers that direct information to its destination.

2. Logical building blocks: including software such as smartphone apps, operating systems, or web browsers,
which allow the physical foundations to function and communicate.

3. Information: that transits cyberspace, such as social media posts, texts, financial transfers or video
downloads. Before and after transit, this information is often stored on (and modified by) computers and
mobile devices, or public or private cloud storage services.

4. People: that manipulate information, communicate, and design the physical and logical components of
cyberspace.

Let us delve deep into understanding what Cyber space actually is. Cyberspace is where users are allowed to
share varied information, swap ideas and interact, play games, and engage in various social forums. They can
conduct business here and indulge in various activities.

Basics of IPC and CrPC


Indian Penal Code, 1860 (IPC) and the Criminal Procedure Code, 1974 (CrPC) are the laws that govern
criminal law in India. IPC is the principal criminal code of India that defines crimes and provides
punishments for almost all kinds of criminal and actionable wrongs. CrPC is the procedural law that
provides a detailed procedure for punishments under penal laws.

The Indian Penal Code, 1862


The Code covers various offences (divided into multiple categories) and the related punishments for the said
crimes. For instance, Crimes against the body (Murder, kidnapping, Culpable homicide, etc.), Crimes against
property (theft, dacoity, etc.), Economic crimes (Cheating and Counterfeiting) and various other crimes.

The Indian Penal Code is a substantive law. Substantive law is a law which defines the rights and liabilities in
civil law and crimes and punishment under the criminal law. Therefore, the Indian Penal Code is the law that
states the punishable offences along with their punishments or penalties or both. It explains all possible
crimes and their related punishments. Under this code, the punishments are divided into five major sections,
i.e. death, imprisonment for life, imprisonment in general, forfeiture of property and fine.

Criminal Procedure Code, 1973


The Code is the procedural law which provides a detailed procedure for punishments under the penal laws.
It thereby enforces and administers the Indian Penal Code and various other substantive criminal laws. The
Parliament enacted the Code on 25th January 1974 to consolidate and amend the law relating to Criminal
Procedure.

The Criminal Procedure Code is read along with the Indian Penal Code, 1862 and the Indian Evidence Act,
1872. There often exists a state of perplexity concerning the difference between the Indian Penal Code, 1862
and the Criminal Procedure Code, 1973.
Code of Criminal Procedure is procedural law. Procedural law is a law which lays down the set of procedures
for the enforcement of substantive law. Therefore, the Criminal Procedure Code is the law that describes the
overall procedure which is to be followed by the Courts in a criminal case. It deals with the set of rules that
direct the series of proceedings that take place during a criminal offence. It aims at setting up the necessary
machinery for investigating cases, arresting criminals, presenting criminals before the courts, collecting
evidence, imposing penalties or punishments on the accused, the entire procedure regarding bail, and so on.

Difference between the Indian Penal Code, 1862 and Criminal Procedure Code, 1973

IPC | CrPC
The Indian Penal Code is a substantive law. | The Criminal Procedure Code is a procedural law.
The Indian Penal Code states various crimes and classifies them into multiple categories. The Code also prescribes the penalties and the punishment for the respective offences. | The Criminal Procedure Code defines the procedure that the police follow to investigate any violation after any crime mentioned under the penal laws has been committed.
The Indian Penal Code aims to provide a primary penal code in the country for giving punishment to the wrongdoers. | The Criminal Procedure Code’s main motive is to provide for binding procedures that must be followed during the administration of a criminal trial.
The Indian Penal Code does not provide for the courts’ and magistrates’ powers. | The Criminal Procedure Code, 1973 provides for the courts’ and magistrates’ powers.

Indian Evidence Act


Indian Evidence Act - 1872
The Indian Evidence Act, originally passed in India by the Imperial Legislative Council in 1872, during the
British Raj, contains a set of rules and allied issues governing admissibility of evidence in the Indian courts of
law.

The Indian Evidence Act, identified as Act no. 1 of 1872, and called the Indian Evidence Act, 1872, has eleven
chapters and 167 sections, and came into force 1 September 1872. At that time, India was a part of the
British Empire. Over a period of more than 150 years since its enactment, the Indian Evidence Act has
basically retained its original form except certain amendments from time to time.

Why do we need Evidence Laws?


Finding proof is a challenging task. Criminals work hard to remove all traces of evidence, and some of it may
come to light much after the case has been decided. If there are no laws governing evidence, anything may
be passed off as such.

If there are no laws governing evidence, it becomes nearly impossible to know when a case has been
definitively solved and closed. Therefore, there are strict rules that regulate the nature of evidence, the
quality and the authenticity of the evidence.

What is purpose of Indian Evidence Act?


The very objective of the Evidence Act is that the Court finds out the truth on the basis of the facts brought
before it by the parties, so as to meet the ends of justice as expeditiously as possible.

What is Proof? How does it differ from Evidence?


Evidence
Evidence refers to information or facts that help us to establish the truth or existence of something.

MCA302_CYBER FORENSICS | Page 5 | 15
Types of Evidence:

The Indian Evidence Act, 1872 mentions the following types of evidence:

1. Documentary Evidence
2. Oral Evidence
3. Primary Evidence
4. Secondary Evidence
5. Direct Evidence
6. Circumstantial or Indirect Evidence

1. Documentary Evidence: According to this provision all the documents presented in the Court for
Inspection are called Documentary Evidence.

2. Oral Evidence: A fact or material that a witness records in his/her statement regarding the truth and validity
of the facts is called Oral Evidence. It covers what the witness has seen, heard or experienced about the
facts of the case.

3. Primary Evidence: In the case of documentary evidence, the original document itself is produced for the
inspection of the Court.

4. Secondary Evidence: Evidence which is produced in the absence of primary evidence is known as Secondary
Evidence. It may include photocopies, tape recordings, etc. Allowing secondary evidence is not illegal.

5. Direct Evidence: Direct Evidence constitutes a major part of a trial. Direct Evidence is where the witness
states in his/her statement that he/she was present at the crime and saw it being committed, and describes
the offence.

6. Circumstantial Evidence or Indirect Evidence: Circumstantial Evidence is used when the crime has not been
witnessed by anyone. It relies on a related series of facts that together attempt to prove the facts in issue.
For example, fingerprints at a crime scene.

Proof
Proof is the sum of evidence which helps to prove something. The main difference between evidence and
proof is that proof is more concrete and conclusive than evidence.

There are three primary standards of proof which are as follows:

1. Proof beyond a reasonable doubt
2. Preponderance of the evidence
3. Clear and convincing evidence

1. Proof Beyond Reasonable Doubt: This standard of proof is an essential element of criminal prosecutions. It is
the duty of the prosecutor to prove each element of the crime to the jury beyond reasonable doubt in order
to convict the defendant. There should be no remaining doubt.

2. Preponderance of the Evidence: This standard of proof is used in civil proceedings. It means that it is more
likely than not that the facts are as one of the parties claims.

The Bench can use its own judgment in determining the credibility of each piece of evidence presented and
how much weight each piece carries in proving the fact.

The Jury cannot be convinced of either the Plaintiff's or the Defendant's side. This standard is used in civil
cases, but it can also be used in certain aspects of criminal law too.

3. Clear and Convincing Evidence: This standard of proof means that the evidence presented by either of the
parties during the trial must be highly and substantially more likely to be true than not, and the trier of
fact must have a firm belief or conviction in its factuality.

Difference between Proof and Evidence

Proof | Evidence
Proof is the sum of evidence that proves a fact to be true | Evidence is material or information indicating that a fact may be true
Proof is conclusive in nature | Evidence is suggestive in nature
Proof has 3 primary standards which the prosecutor has to meet in order to prove the defendant guilty | There are many types of evidence, which are referred to according to the situation
Proof is a firm confirmation that the fact is true, reached after scrutinizing evidence | Evidence consists of raw pieces of information or material that can be approved or disapproved

The Act has provided definitions to certain words which play an important part in delineating the kind of
evidence that may be put forth by either party.

Definitions include:

• Admissibility
• Fact
• Relevant
• Fact in Issue

Admissibility/Admission of Evidence
This lays down the boundaries of what may be admitted as evidence. The Courts consider the evidence
gathered by the parties and decide which of it is eligible for consideration.

When any person makes an ‘admission’ of a statement in Court, they are stating that it is a fact to be noted
for the record, and that it has some relevance to the case in issue.

Fact
Fact means and includes— (1) any thing, state of things, or relation of things, capable of being perceived by
the senses; (2) any mental condition of which any person is conscious.

For example, if it was proved that a man had lunch at a particular restaurant, then it is a fact that he was at
the place before sundown.

Fact and Opinion


For example, Ashok and Hasan were roommates for 4 years during college. If Ashok opined that Hasan was
very disciplined and pious, it would be an opinion considered as fact for this purpose.

There is a requirement that the facts be relevant to the case.

Relevant
The word relevant is used in the Act to mean both (i) admissible, and (ii) connected with the case. One fact is
said to be relevant to another when the one is connected with the other in any of the ways referred to in the
provisions of this Act relating to the relevancy of facts.

Fact in Issue
A “fact in issue” forms the core of the case. It is the essence of the dispute at hand, and it consists of all the
facts, due to which or connected to which, there is disagreement between the parties.

It includes any fact from which, either by itself or in connection with another fact, there may be a
disagreement about the existence, nature and extent of any right or liability.

Example

Niteshwar Prasad was brought before a Court on the charge of murder of Venkatesh. He pleaded that he
committed it upon grave provocation because he had caught Venkatesh committing adultery with his wife.
The Court held that determining whether adultery was committed was a fact in issue.

Sources of Evidence
There are two main sources of evidence: a. Primary and b. Secondary. Primary evidence is direct evidence or
the original copy of a document; secondary evidence consists of copies of those documents, books of account, etc.

Primary Evidence
For example, when two parties enter into a contract, each copy of the contract is primary evidence against
the party executing it.

For example, in a continuing contract, that is periodically renewed, each renewal contract is evidence of the
contract itself.

Secondary Evidence
For example, a photograph of an original document is secondary proof of the document.

For example, an oral account of a document by a person who has herself seen it is secondary proof of the
document.

Conclusion

The Indian Evidence Act, 1872 is vast, and its implications and interpretations are wide. The application of
the Act depends mostly on its statutory provisions, but it also varies greatly with the circumstances and
nature of the case, along with the underlying principles of natural justice.
However, the objective of the Evidence Act is that the Court has to find out the truth on the basis of the facts
brought before it by the parties, so as to meet the ends of justice as expeditiously as possible. Thus, the rules
of evidence do not put limitations and restrictions on the parties; rather, they act as a guiding factor for the
Courts in taking evidence.

Unit 2: IT Act 2000-Introduction to IT Act 2000


The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is an Act of the Indian
Parliament (No 21 of 2000) notified on 17 October 2000. It is the primary law in India dealing with
cybercrime and electronic commerce.

The bill was passed in the budget session of 2000 and signed by President K. R. Narayanan on 9 June 2000.
The bill was finalized by a group of officials headed by then Minister of Information Technology Pramod
Mahajan.

Objectives of the Act


The Information Technology Act, 2000 provides legal recognition to the transaction done via electronic
exchange of data and other electronic means of communication or electronic commerce transactions.
This also involves the use of alternatives to a paper-based method of communication and information
storage to facilitate the electronic filing of documents with the Government agencies.

Salient Features of The Information Technology Act, 2000


Digital signature has been replaced with electronic signature to make it a more technology neutral act.

It elaborates on offenses, penalties, and breaches.

It outlines the Justice Dispensation Systems for cyber-crimes.

The Information Technology Act defines, in a new section, a cybercafé as any facility from which access to
the internet is offered by any person in the ordinary course of business to members of the public.

It provides for the constitution of the Cyber Regulations Advisory Committee.

The Information Technology Act is based on The Indian Penal Code, 1860, The Indian Evidence Act, 1872, The
Bankers’ Books Evidence Act, 1891, The Reserve Bank of India Act, 1934, etc.

It adds a provision to Section 81, which states that the provisions of the Act shall have overriding effect. The
provision further states that nothing contained in the Act shall restrict any person from exercising any right
conferred under the Copyright Act, 1957.

Amendments
A major amendment was made in 2008. It introduced Section 66A which penalized sending "offensive
messages".

It also introduced Section 69, which gave authorities the power of "interception or monitoring or decryption
of any information through any computer resource".

Additionally, it introduced provisions addressing - pornography, child porn, cyber terrorism and voyeurism.
The amendment was passed on 22 December 2008 without any debate in Lok Sabha. The next day it was
passed by the Rajya Sabha. It was signed into law by President Pratibha Patil, on 5 February 2009.

Amendment in IT Act

The Information Technology Act, 2000 has amended four statutes vide sections 91-94. These changes are set
out in Schedules 1-4.

The first schedule contains the amendments in the Penal Code. It has widened the scope of the term
“document” to bring within its ambit electronic documents.

The second schedule deals with amendments to the Indian Evidence Act. It pertains to the inclusion of
electronic documents in the definition of evidence.

The third schedule amends the Banker's Books Evidence Act. This amendment changes the definition of
"Banker's-book" to include printouts of data stored in a floppy, disc, tape or any other form of
electromagnetic data storage device. A similar change has been made to the expression "Certified copy"
to include such printouts within its purview.

The fourth schedule amends the Reserve Bank of India Act. It pertains to the regulation of fund transfer
through electronic means between the banks or between the banks and other financial institution.

Objectives of the Amendments in The Information Technology Act, 2000:


1. With the proliferation of information technology enabled services such as e-governance, e-commerce
and e-transactions, protection of personal data and information and implementation of security
practices and procedures relating to these applications of electronic communications have assumed
greater importance, and they require harmonization with the provisions of the Information Technology Act.
2. A rapid increase in the use of computers and the internet has given rise to new forms of crime, like
publishing sexually explicit material in electronic form, video voyeurism, breach of confidentiality and
leakage of data by intermediaries, e-commerce frauds like personation (commonly known as phishing),
identity theft and offensive messages through communication services. So, penal provisions are required
to be included in the Information Technology Act, the Indian Penal Code, the Indian Evidence Act and the
Code of Criminal Procedure to prevent such crimes.
3. The service providers may be authorized by the Central Government or the State Government to set
up, maintain and upgrade the computerized facilities and collect, retain appropriate service
charges for providing such services at such scale as may be specified by the Central Government or
the State Government.
4. Incorporation of Electronic Signature: To go by the aim of making the Act 'technologically neutral',
the term 'digital signature' has been replaced with 'electronic signature', as the latter is an
umbrella term which encompasses many different types of digital marking, while the former is a
specific type of electronic signature.
5. Fight against Cyber-terrorism: Pursuant to the 26/11 Mumbai Attacks, the amendment has
incorporated the concept of cyber terrorism and prescribed hefty punishments for it.
The scope of cybercrime under Section 66 is widened with many major additions defining various
cybercrimes along with the controversial Section 66A which penalized sending “offensive messages”.
Section 66A was later found to be in violation of one’s fundamental right to freedom of speech and
expression and thus was struck down.
6. Child Pornography: Along with reducing the term of imprisonment and increasing the fine for
publishing obscene material in electronic form, an array of sections have also been inserted under
Section 67, one among which recognizes publishing child pornography as a felonious act.
7. Cyber Cafes: Cybercrimes like sending obscene e-mails to harass individuals, identity theft, and
maliciously acquiring net banking passwords have many times taken place at cyber cafes. Because 'Cyber
Cafes' were not included in the IT Act, they could not be regulated. The 2008 amendment explicitly
defines them and includes them under the term 'intermediaries', thus allowing several aspects of the Act
to apply to them.
8. Government Interception and Monitoring: The new amendment allows the government to listen in
to your phone calls, read your SMSs and emails, and monitor the websites you visit without getting
a warrant from a magistrate. The corresponding clause under the Telegraph Act was restricted by the
condition of public emergency or safety, but the new amendment drops all such restrictions, vastly
extending the government's power.

Conclusion
The Information Technology (Amendment) Act, 2008 was passed to overcome some inherent shortcomings
of the original Act and with the goal to tackle various challenges in the cyber world.

As the horizons of technology widen, more amendments will be needed to tackle the existing and future
shortcomings in order to create a satisfactory, well laid-out framework which along with its plethora of
goals, deters cybercriminals.

Different Offences under IT Act 2000


The offences included in the IT Act 2000 are as follows:
1. Tampering with the computer source documents.
2. Hacking with computer system.
3. Publishing of information which is obscene in electronic form.
4. Power of Controller to give directions
5. Directions of Controller to a subscriber to extend facilities to decrypt information
6. Protected system
7. Penalty for misrepresentation
8. Penalty for breach of confidentiality and privacy
9. Penalty for publishing Digital Signature Certificate false in certain particulars
10. Publication for fraudulent purpose
11. Act to apply for offence or contravention committed outside India
12. Confiscation
13. Penalties or confiscation not to interfere with other punishments.
14. Power to investigate offences.

CONCLUSION

With the growth of digital technology, offences are increasing day by day. Therefore, the IT Act 2000 needs
to be amended in order to include those offences which are not yet covered by the Act. In India, the rate of
cybercrime is not high. Therefore, there is still time to tighten the cyber laws and include the offences
which are not yet covered by the IT Act 2000.

IT ACT 2000: Sections S.65, S.66, S.66A, S.66B, S.66C, S.66D, S.66E


Section 65. Tampering with computer source documents.
Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another
to conceal, destroy, or alter any computer source code used for a computer, computer program, computer
system or computer network, when the computer source code is required to be kept or maintained by law
for the time being in force, shall be punishable with imprisonment up to three years, or with fine which
may extend up to two lakh rupees, or with both.

Explanation.--For the purposes of this section, "computer source code" means the listing of programmes,
computer commands, design and layout and programme analysis of computer resource in any form.

Section 66. Hacking with computer system.


(1) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the
public or any person destroys or deletes or alters any information residing in a computer resource or
diminishes its value or utility or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which
may extend up to two lakh rupees, or with both.

Section 66A: Sending offensive messages through communication service, etc.


• The Court struck down this section for violating the fundamental right to freedom of expression.

Any person who sends, by means of a computer resource or a communication device,-

a) any information that is grossly offensive or has menacing character; or

b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience,
danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently by making use
of such computer resource or a communication device,

c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or
to deceive or to mislead the addressee or recipient about the origin of such messages, shall be punishable
with imprisonment for a term which may extend to three years and with fine.

Explanation:

For the purposes of this section, the terms "Electronic mail" and "Electronic Mail Message" mean a message or
information created or transmitted or received on a computer, computer system, computer resource or
communication device, including attachments in text, image, audio, video and any other electronic record,
which may be transmitted with the message.

Section 66B: Punishment for dishonestly receiving stolen computer resource or communication device

Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or
having reason to believe the same to be stolen computer resource or communication device, shall be
punished with imprisonment of either description for a term which may extend to three years or with fine
which may extend to rupees one lakh or with both.

Section 66C: Punishment for Identity Theft, Misuse of Digital Signature


Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique
identification feature of any other person, shall be punished with imprisonment of either description for a
term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.

Section 66D: Punishment for cheating by personation by using computer resource


Whoever, by means of any communication device or computer resource cheats by personation, shall be
punished with imprisonment of either description for a term which may extend to three years and shall also
be liable to fine which may extend to one lakh rupees.

Section 66E: Punishment for violation of privacy


Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any
person without his or her consent, under circumstances violating the privacy of that person, shall be
punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees,
or with both.

Explanation.- For the purposes of this section -

(a) “transmit” means to electronically send a visual image with the intent that it be viewed by a person or
persons;

(b) “capture”, with respect to an image, means to videotape, photograph, film or record by any means;

(c) “private area” means the naked or undergarment clad genitals, pubic area, buttocks or female breast;

(d) “publishes” means reproduction in the printed or electronic form and making it available for public;

(e) “under circumstances violating privacy” means circumstances in which a person can have a reasonable
expectation that-

(i) he or she could disrobe in privacy, without being concerned that an image of his private area was being
captured; or

(ii) any part of his or her private area would not be visible to the public, regardless of whether that person is
in a public or private place.

Section 66F: Punishment for cyber terrorism


(1) Whoever,-

(A) with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the
people or any section of the people by –

(i) denying or cause the denial of access to any person authorized to access computer resource; or

(ii) attempting to penetrate or access a computer resource without authorization or exceeding authorized
access; or

(iii) introducing or causing to introduce any Computer Contaminant.

and by means of such conduct causes or is likely to cause death or injuries to persons or damage to or
destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or
services essential to the life of the community or adversely affect the critical information infrastructure
specified under section 70, or

(B) knowingly or intentionally penetrates or accesses a computer resource without authorisation or
exceeding authorised access, and by means of such conduct obtains access to information, data or computer
database that is restricted for reasons of the security of the State or foreign relations; or any restricted
information, data or computer database, with reasons to believe that such information, data or computer
database so obtained may be used to cause or likely to cause injury to the interests of the sovereignty and
integrity of India, the security of the State, friendly relations with foreign States, public order, decency or
morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of
any foreign nation, group of individuals or otherwise,

commits the offence of cyber terrorism.

(2) Whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which
may extend to imprisonment for life.

Sections: S.67, S.67A,S.67B,S.67C


Section 67. Publishing of information which is obscene in electronic form.
Whoever publishes or transmits or causes to be published in the electronic form, any material which is
lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons
who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or
embodied in it, shall be punished on first conviction with imprisonment of either description for a term
which may extend to three years and with fine which may extend to five lakh rupees and in the event of a
second or subsequent conviction with imprisonment of either description for a term which may extend to
five years and also with fine which may extend to ten lakh rupees.

Section 67A: Punishment for publishing or transmitting of material containing sexually explicit act, etc. in
electronic form, Information Technology Act 2000
Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material
which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of
either description for a term which may extend to five years and with fine which may extend to ten lakh
rupees and in the event of second or subsequent conviction with imprisonment of either description for a
term which may extend to seven years and also with fine which may extend to ten lakh rupees.

Exception: This section and section 67 do not extend to any book, pamphlet, paper, writing, drawing,
painting, representation or figure in electronic form-

(i) the publication of which is proved to be justified as being for the public good on the ground that such
book, pamphlet, paper, writing, drawing, painting, representation or figure is in the interest of science,
literature, art, or learning or other objects of general concern; or (ii) which is kept or used bona fide for
religious purposes.

Section 67B: Punishment for publishing or transmitting of material depicting children in sexually explicit
act, etc. in electronic form
Whoever,-

(a) publishes or transmits or causes to be published or transmitted material in any electronic form which
depicts children engaged in sexually explicit act or conduct or

(b) creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or
distributes material in any electronic form depicting children in obscene or indecent or sexually explicit
manner or

(c) cultivates, entices or induces children to online relationship with one or more children for and on sexually
explicit act or in a manner that may offend a reasonable adult on the computer resource or

(d) facilitates abusing children online or

(e) records in any electronic form own abuse or that of others pertaining to sexually explicit act with
children, shall be punished on first conviction with imprisonment of either description for a term which may
extend to five years and with a fine which may extend to ten lakh rupees and in the event of second or
subsequent conviction with imprisonment of either description for a term which may extend to seven years
and also with fine which may extend to ten lakh rupees:

Provided that the provisions of section 67, section 67A and this section do not extend to any book,
pamphlet, paper, writing, drawing, painting, representation or figure in electronic form-

(i) The publication of which is proved to be justified as being for the public good on the ground that such
book, pamphlet, paper writing, drawing, painting, representation or figure is in the interest of science,
literature, art or learning or other objects of general concern; or

(ii) which is kept or used for bona fide heritage or religious purposes.

Explanation: For the purposes of this section, "children" means a person who has not completed the age of
18 years.
Section 67C: Preservation and retention of information by intermediaries
(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such
manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be
punished with imprisonment for a term which may extend to three years and shall also be liable to fine.

Complete ACT details table


Section | Offence | Imprisonment | Fine | Remarks
65 | Tampering with computer source documents | 3 years | 2 lakh |
66 | Hacking with computer system | 3 years | 2 lakh |
66A | Sending offensive messages through communication service | 3 years | Not specified | Struck down by the Court
66B | Dishonestly receiving stolen device | 3 years | 1 lakh |
66C | Identity theft, misuse of digital signature | 3 years | 1 lakh |
66D | Cheating by personation | 3 years | 1 lakh |
66E | Violation of privacy | 3 years | 2 lakh |
66F | Cyber terrorism | Life | N/A |
67 | Publishing obscene information | 5 years (1), 10 years (2) | 1 lakh (1), 2 lakh (2) |
67A | Publishing or transmitting material containing sexually explicit act | 5 years, 7 years | 10 lakh |
67B | Publishing or transmitting material depicting children in sexually explicit act | 5 years, 7 years | 10 lakh |
67C | Preservation and retention of information by intermediaries | 3 years | N/A |
