
DIPLOMA IN POLICE STUDIES

CYBER CRIME MODULE


[DPS 115]
Table of Contents

Module Compiled by
Module Overview
UNIT 1: Cybercrime Investigation
1.1 Definition of cybercrime
1.2 Classification of cybercrimes
1.3 Types of cybercrimes
1.4 Cybercrime Investigation
1.5 Tools for Investigating Cybercrimes
UNIT 2: Internet
2.1 Definition of Internet
2.2 Uses of Internet
2.3 Abuse of Internet
2.5 Crimes committed over the internet
UNIT 3: Electronic Evidence
3.1 Definition of terms
3.2 Areas to find electronic evidence
3.3 Challenges in obtaining electronic evidence
3.4 General principles in electronic evidence
UNIT 4: Dark net
4.1 Definition of terms, dark net and deep web
4.2 Dark net markets
4.3 Popular dark web market places
4.4 How patrons access the dark net
4.5 Accessing the Internet without the TOR Browser
4.6 Relevance of dark net
4.7 Payment and flow of funds on the dark net
4.8 Challenges in the investigation process
UNIT 5: Virtual Currencies
5.1 The concept of Virtual currencies
5.2 Criminal use of virtual currencies
5.3 Case studies
5.4 Investigation and Prosecution challenges
UNIT 6: Online Money Laundering
6.1 Money laundering and e-payments
ZIMBABWE REPUBLIC POLICE TRAINING ACADEMY | CYBERCRIME MODULE 2
6.2 Online money laundering methods and techniques
6.3 Online money laundering red flags
UNIT 7: Digital Forensics
7.1 Definition of digital forensics
Unique characteristics of digital forensics
7.2 Considerations of electronic evidence
7.3 Areas to find digital data
7.4 Digital data recovery
Principles of handling electronic evidence
UNIT 8: Cyber Security
8.1 Key loggers
8.2 IP address logging
8.3 Anti-key loggers and anti-forensic tools
8.4 Password attack techniques
8.5 Use of Wireshark
8.6 Spoofing of MAC addresses, Internet Protocol (IP) addresses and emails
8.7 Web address masking/URL masking
8.8 Network scanning and sniffing
UNIT 9: Mobile Forensics
9.1 Recovery of evidence from mobile phones
9.2 Data recovery
9.3 System imaging
9.4 Data analysis
9.5 Preservation of digital evidence
UNIT 10: Live Forensic Investigation
10.1 Definition of live forensics
10.2 Recovery of evidence from a computer system and network
10.3 Tools used in the recovery of evidence
10.4 Internet Protocol address tracking systems
10.5 Email tracking
10.6 Email analysis
10.7 Social media
UNIT 11: Legislation on cybercrime and cybersecurity
11.1 Cybercrime Bill
11.2 Cybersecurity Bill
11.3 Criminal Procedure & Evidence Act
11.4 Sections 162 to 168 of the Criminal Law (Codification and Reform) Act [Chapter 9:03]
11.5 Postal and Telecommunications Act
11.6 Interception of Communications Act
11.7 The Constitution of Zimbabwe
11.8 Cyber conventions, e.g. Budapest Convention and INTERPOL
11.9 Cyber jurisdiction (territories and boundaries)
UNIT 12: Organised Crimes on the internet
12.1 Definition of organised crimes
12.2 Cyber terrorism
12.3 Weapons trafficking
12.4 Drug trafficking
12.5 Human trafficking
ZIMBABWE REPUBLIC POLICE TRAINING ACADEMY | CYBERCRIME MODULE 3
UNIT 13: International Police Cooperation
13.1 Protocol that guides territorial investigations
13.2 Police organs to use in territorial investigations
13.3 Compilation of rogatory files for territorial investigations
13.4 Joint Investigation Teams for easy territorial investigations
REFERENCES

Module Compiled by

Inspector Murenha P

Inspector Boka P

Sergeant Kamangira S



Module Overview

Cybercrime is criminal activity that either targets or uses a computer, a computer network
or a networked device. Most, though not all, cybercrime is committed by criminals who
want to make money; other motives include harassment, espionage and political aims. This
module is an introduction to cybercrime for members of the Zimbabwe Republic Police. It
aims to develop an understanding of cybercrime and how it relates to current policing
trends, and to lay a foundation for both internal and external service delivery. The module
is organised as follows:

Unit 1: Cybercrime Investigation
Unit 2: Internet
Unit 3: Electronic Evidence
Unit 4: Dark Net
Unit 5: Virtual Currencies
Unit 6: Online Money Laundering
Unit 7: Digital Forensics
Unit 8: Cyber Security
Unit 9: Mobile Forensics
Unit 10: Live Forensic Investigation
Unit 11: Legislation on Cybercrime and Cyber Security
Unit 12: Organized Crimes on the Internet
Unit 13: International Police Cooperation, which concludes the module



UNIT 1: Cybercrime Investigation

Objectives

 Define cybercrime and give typical examples
 List and explain the classifications of cybercrime
 List and explain the types of cybercrime, giving practical examples
 Describe cybercrime investigation
 List two tools used in investigating cybercrime

1.1 Definition of cybercrime

Cybercrime is criminal activity that either targets or uses a computer, a computer network
or a networked device. Most, but not all, cybercrime is committed by cybercriminals or
hackers who want to make money.

1.2 Classification of cybercrimes

Cybercrimes can be classified by the subject of the crime (the person or organization
against whom the crime is committed) and by the temporal nature of the crimes committed
online. Based on the subject of the crime, cybercrimes fall into three broad groups:

1. Crimes against individuals. These are committed against individuals or their property.
Some examples are:

 Email harassment
 Cyber-stalking
 Spreading obscene material
 Unauthorized access to, or control over, a computer system
 Indecent exposure
 Spoofing via email
 Fraud and cheating
 Crimes against individual property, such as computer vandalism, transmitting a
virus, online trespass, intellectual property offences and internet time theft

2. Crimes against organizations. Some examples are:

 Possessing unauthorized information
 Cyber terrorism against a government organization
 Distributing pirated software

3. Crimes against society. Some examples are:

 Exposing young people to indecent material
 Trafficking
 Financial crimes
 Selling illegal articles
 Online gambling
 Forgery

Apart from those listed above, crimes such as hacking, denial of service attacks and
e-mail bombing are also present in cyberspace.

1.3 Types of cybercrimes

DDoS Attacks

Distributed denial of service (DDoS) attacks make an online service unavailable by
overwhelming the site or its network with traffic from a large number of sources. The
sources are usually a botnet, a large network of devices infected with malware. Attackers
sometimes use the resulting outage as cover for a separate intrusion, or as leverage for
extortion.

Botnets

Botnets are networks of compromised computers controlled remotely by an attacker. The
attacker uses them to send spam, to attack other computers (for example in DDoS attacks)
and to perform other malicious tasks, such as spreading further malware.

Identity Theft

This cybercrime occurs when a criminal gains access to a user's personal information and
uses it to steal funds, access confidential information, or commit tax or health insurance
fraud. Criminals can also open a phone or internet account in the victim's name, use the
victim's name to plan criminal activity, or claim government benefits in the victim's name.
They obtain the information by finding out passwords through hacking, harvesting personal
details from social media, or sending phishing emails.

Cyber stalking

This kind of cybercrime involves online harassment in which the victim is subjected to a
barrage of online messages and emails. Typically cyber stalkers use social media, websites
and search engines to intimidate a victim and instill fear. Usually the cyber stalker knows
the victim and makes the person feel afraid or concerned for their safety.

Social Engineering

Social engineering involves criminals making direct contact with the target, usually by
phone or email. They try to gain the target's confidence, often by posing as a customer
service agent, so that the target hands over information such as a password, the company
they work for, or bank details. Cybercriminals will first find out what they can about the
target on the internet and may then attempt to add them as a friend on social accounts.
Once they gain access to an account, they can sell the information or open accounts in the
victim's name.

PUPs

PUPs, or Potentially Unwanted Programs, are less threatening than other forms of malware
but are still treated as malware. They are usually bundled with legitimate downloads and,
once installed, change browser settings, replace the default search engine, inject
advertisements or add toolbars without clear consent. They can include spyware or adware,
so it is a good idea to run anti-malware software and to decline bundled extras when
installing free software.

Phishing

This type of attack involves criminals sending emails with malicious attachments or links
to users in order to gain access to their accounts or computers. Phishing emails are
increasingly well crafted and many are not flagged as spam. Users are tricked by messages
claiming they need to change a password or update billing information into entering their
credentials on a fake page, giving the criminals access.

Prohibited/Illegal Content

This cybercrime involves criminals sharing and distributing inappropriate content that
can be highly distressing and offensive. Offensive content can include, but is not limited
to, sexual activity between adults, videos of intense violence and videos of criminal
activity. Illegal content includes material advocating terrorism-related acts and child
exploitation material. This type of content exists both on the everyday internet and on
the dark web, which is reached through anonymizing networks.

Online Scams

These usually take the form of ads or spam emails promising rewards or offering unrealistic
amounts of money. Online scams rely on offers that are "too good to be true"; clicking on
them can lead to malware being installed that compromises information.

Exploit Kits

Exploit kits need a vulnerability (a bug in the code of a piece of software) in order to
gain control of a user's computer. They are ready-made tools that criminals can buy online
and use against anyone running the vulnerable software; typically the kit sits on a web
page, probes a visitor's browser and plug-ins for known vulnerabilities, and delivers
malware when it finds one. Exploit kits are updated regularly, like normal software, and
are traded on dark web hacking forums.

1.4 Cybercrime Investigation


Provided below is a brief introduction to cybercrime investigations for officers. It
describes the basic steps of an investigation, the steps required to identify potential
digital evidence, and how to work with different kinds of digital evidence.

Assess the Situation

As with any investigation, the officer must first determine the specific elements of the
crime and whether the laws in the jurisdiction support prosecution: for example, does the
conduct amount to an offence under an existing statute, so that charges can be sustained
once guilt is proven? Given the many new technologies in use, the common law and statute
have very often not caught up with the offences. Another factor to consider when
investigating cybercrime is the global nature of the Internet, which may place the suspect,
the victim and the evidence in different countries. It is often beneficial to consult the
prosecutor early to gain additional insight into specific crimes.
Conduct the Initial Investigation
When conducting a cybercrime investigation, normal investigative methods remain important.
Ask the who, what, where, when, why and how questions, and in particular:

 Who are the potential suspects?
 What crimes were committed?
 When were the crimes committed?
 Were these crimes limited to this jurisdiction?
 What evidence is there to collect?
 Where might the physical and digital evidence be located?
 What types of physical and digital evidence were involved in the crime?
 Does any of the evidence need to be photographed or preserved immediately?
 How can the evidence be preserved and maintained for court proceedings?
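The last question above (how evidence is preserved and maintained for court) is answered
in practice with cryptographic hashing: every seized file or disk image is hashed at
acquisition, the hashes are recorded in a manifest, and the manifest is re-checked before
analysis and again before court. The Python script below is an added illustration and is
not part of the original module; it creates two constructed sample files in a temporary
directory, builds a SHA-256 manifest, verifies it, then alters one file to show how
tampering is detected. The case number and officer name in it are hypothetical.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large disk images never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(evidence_dir, case_id, acquired_by):
    """Record relative path, size and SHA-256 of every file under evidence_dir."""
    files = []
    for root, _dirs, names in os.walk(evidence_dir):
        for name in sorted(names):
            path = os.path.join(root, name)
            files.append({
                "path": os.path.relpath(path, evidence_dir),
                "size": os.path.getsize(path),
                "sha256": sha256_file(path),
            })
    return {
        "case_id": case_id,
        "acquired_by": acquired_by,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "algorithm": "sha256",
        "files": files,
    }


def verify_manifest(evidence_dir, manifest):
    """Return {relative path: 'OK' | 'MODIFIED' | 'MISSING'} for each manifest entry."""
    report = {}
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, entry["path"])
        if not os.path.isfile(path):
            report[entry["path"]] = "MISSING"
        elif sha256_file(path) != entry["sha256"]:
            report[entry["path"]] = "MODIFIED"
        else:
            report[entry["path"]] = "OK"
    return report


def demo():
    """Constructed sample: two files, a manifest, a clean check, then a tampered check."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        with open(os.path.join(evidence_dir, "chat_export.txt"), "w") as fh:
            fh.write("2023-05-01 10:14 suspect: meet at the usual place\n")
        with open(os.path.join(evidence_dir, "router.log"), "w") as fh:
            fh.write("May  1 10:15:02 router dhcpd: DHCPACK on 192.0.2.45\n")

        # Hypothetical case number and officer; in practice taken from the exhibit register.
        manifest = build_manifest(evidence_dir, "CR/123/23", "Inspector X")
        manifest_json = json.dumps(manifest, indent=2)   # the document you file and sign
        before = verify_manifest(evidence_dir, json.loads(manifest_json))

        # Simulate someone editing the log after acquisition.
        with open(os.path.join(evidence_dir, "router.log"), "a") as fh:
            fh.write("May  1 10:16:00 router dhcpd: DHCPACK on 192.0.2.99\n")
        after = verify_manifest(evidence_dir, json.loads(manifest_json))
        return before, after


if __name__ == "__main__":
    print(demo())
```

The manifest (and a printed copy of the hashes) goes into the exhibit register with the
seizure paperwork, and whoever receives the exhibits recomputes the hashes; any mismatch has
to be explained before the evidence is tendered in court.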

Identify Possible Evidence

Digital evidence can come in many file types and sizes. For example, the evidence may
be encrypted, protected, or otherwise hidden. If your agency does not have the resources,
tools, or specific expertise necessary to identify and collect this evidence, consider
partnering with other agencies that do have these capabilities.



Secure Devices and Obtain Court Orders

In many cases investigators may seize electronic devices without a warrant, but must
obtain a warrant before searching the device(s). Multiple warrants may need to be obtained
if a particular device is connected to multiple crimes. Warrants should describe all files,
data and electronic devices to be searched as specifically as possible, and should seek
approval to conduct the analysis off-site.

Subpoenas can also be used to obtain digital evidence. Many Internet and communications
companies publish law enforcement guides explaining their information-sharing policies. A
non-disclosure order is often needed when law enforcement requests information from an
Electronic Service Provider (ESP) and does not want the ESP to notify the user that records
from their account have been requested. Basic subscriber information can usually be
obtained with a subpoena; a court order is required to compel the ESP to produce records
beyond that, such as message headers, connection logs and IP addresses. Such orders do not
extend to the content of communications, which generally requires a search warrant.

Analyze Results with Prosecutor

It will also be important to work with the prosecutor to identify the appropriate charges,
and to determine what additional information or evidence will be needed prior to filing
charges.
 
1.5 Tools for Investigating Cybercrimes.
Cybercrime investigation tools include many utilities, depending on the techniques you are
using and the phase of the investigation you are in. Note, however, that most of these
tools are dedicated to the forensic analysis of data once you have the evidence in hand.
There are thousands of tools for every kind of cybercrime, so this is not intended to be a
comprehensive list, but a quick look at some of the best resources available for forensic
work.

SIFT Workstation

SIFT (the SANS Investigative Forensic Toolkit) Workstation is a collection of forensic
tools created to help incident response teams and forensic researchers examine digital
forensic data on several systems.

The Sleuth Kit

An open source collection of UNIX- and Windows-based forensic tools that helps researchers
analyze disk images and recover files from them.

X-Ways Forensics

This software is one of the most complete forensic suites for Windows-based operating
systems.

CAINE

CAINE (Computer Aided INvestigative Environment) is a Linux distribution built for digital
forensic analysis.

Digital Forensics Framework

An open-source computer forensics framework that lets digital forensics professionals
collect and preserve system activity on both Windows and Linux. It allows researchers to
access local and remote devices such as removable drives, local drives and remote server
file systems, to reconstruct VMware virtual disks, and to examine and recover data from
memory dumps, including network connections, local files and processes.

Oxygen Forensic Detective

This tool is used by security researchers and forensic professionals to browse all the
critical data extracted from mobile devices in a single place.

Open Computer Forensics Architecture

A framework for automating the digital forensic process, with the aim of speeding up
digital crime investigations by letting researchers access data from a unified and
user-friendly interface.

Bulk Extractor

An application for extracting useful information from digital evidence. It scans disk
images, directories or individual files, including images, videos, office documents and
compressed files, and extracts features such as URLs, email addresses and credit card
numbers without first parsing the file system, so it also finds data in unallocated
space.
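To show what feature extraction of this kind does, here is an added Python example (not
part of the original module or of the Bulk Extractor project). It scans a constructed raw
byte buffer, standing in for a disk image or a file's slack space, for email addresses,
URLs and candidate payment card numbers, and applies the Luhn check so that arbitrary
16-digit strings are not reported as cards. All domains and numbers in the sample are
constructed test data.

```python
import re

# Patterns applied to raw bytes, so they work on disk images and unparsed files
# just as well as on text, which is the approach Bulk Extractor takes.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(rb"https?://[A-Za-z0-9./?=&_%:-]+")
CARD_RE = re.compile(rb"(?<![0-9])(?:[0-9][ \-]?){13,19}(?![0-9])")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def extract_features(blob):
    """Return sorted, de-duplicated emails, URLs and Luhn-valid card numbers found in blob."""
    emails = {m.group().decode("ascii") for m in EMAIL_RE.finditer(blob)}
    urls = {m.group().decode("ascii") for m in URL_RE.finditer(blob)}
    cards = set()
    for m in CARD_RE.finditer(blob):
        digits = re.sub(rb"[ \-]", b"", m.group()).decode("ascii")
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards.add(digits)
    return {"emails": sorted(emails), "urls": sorted(urls), "cards": sorted(cards)}


# Constructed sample: text fragments surrounded by binary junk, as found in
# unallocated space. 4111 1111 1111 1111 is the well-known Luhn-valid test number;
# 1234 5678 9012 3456 fails the Luhn check and must not be reported.
SAMPLE_BLOB = (
    b"\x00\xff\x13PK\x03\x04 contact suspect@example.com for the goods\x00\x00"
    b"\x7fELF\x01\x01 order page http://shop.example.net/pay?id=7 \x00"
    b"card: 4111 1111 1111 1111 exp 09/27\x00\x00\x00"
    b"ref 1234 5678 9012 3456 is not a card\x00"
    b"\xde\xad\xbe\xef Re: admin@example.org\r\n"
)

if __name__ == "__main__":
    for kind, values in extract_features(SAMPLE_BLOB).items():
        print(kind, values)
```

The Luhn filter is the check a practitioner wants: without it, every phone number, IMEI
or timestamp run of 13 to 19 digits would be reported as a card, and the report would be
useless in court.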

ExifTool

A command-line utility that reads, writes and manipulates metadata in many media file
formats such as images and videos. ExifTool can extract EXIF data from images and videos,
including GPS coordinates, thumbnail images, file type, permissions, file size and camera
type. It can also save the results in a text-based format or plain HTML.
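As an added illustration of where the GPS values ExifTool reports actually live inside a
photo (this code is not part of ExifTool or of the original module), the Python script
below constructs a minimal JPEG whose APP1 segment carries an Exif/TIFF block with a GPS
IFD, then parses that structure by hand and converts the degrees/minutes/seconds rationals
to decimal coordinates. The file and the coordinates are constructed sample data, not a
real photograph.

```python
import struct

GPS_IFD_POINTER = 0x8825          # Exif tag in IFD0 that points to the GPS sub-IFD
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
            0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}
ASCII, LONG, RATIONAL = 2, 4, 5   # TIFF field types used here


def _entry(tag, typ, count, value_or_offset):
    """One 12-byte IFD entry (little-endian)."""
    return struct.pack("<HHII", tag, typ, count, value_or_offset)


def _ifd(entries):
    """IFD = entry count, entries, offset of next IFD (0 = none)."""
    return struct.pack("<H", len(entries)) + b"".join(entries) + struct.pack("<I", 0)


def build_sample_jpeg():
    """Constructed sample: a JPEG skeleton (no image data) whose Exif GPS IFD says
    17 deg 49' 45.12" S, 31 deg 03' 10.20" E."""
    ifd0_off = 8                               # right after the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 12 * 1 + 4        # IFD0 holds a single entry
    data_off = gps_off + 2 + 12 * 4 + 4        # GPS IFD holds four entries
    lat = struct.pack("<6I", 17, 1, 49, 1, 4512, 100)   # three RATIONALs: deg, min, sec
    lon = struct.pack("<6I", 31, 1, 3, 1, 1020, 100)
    ifd0 = _ifd([_entry(GPS_IFD_POINTER, LONG, 1, gps_off)])
    gps = _ifd([
        _entry(0x0001, ASCII, 2, int.from_bytes(b"S\0\0\0", "little")),  # fits inline
        _entry(0x0002, RATIONAL, 3, data_off),                            # stored out of line
        _entry(0x0003, ASCII, 2, int.from_bytes(b"E\0\0\0", "little")),
        _entry(0x0004, RATIONAL, 3, data_off + len(lat)),
    ])
    tiff = b"II*\0" + struct.pack("<I", ifd0_off) + ifd0 + gps + lat + lon
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _read_entries(tiff, off, bo):
    count = struct.unpack_from(bo + "H", tiff, off)[0]
    for i in range(count):
        pos = off + 2 + 12 * i
        tag, typ, n = struct.unpack_from(bo + "HHI", tiff, pos)
        yield tag, typ, n, tiff[pos + 8:pos + 12]     # raw 4-byte value/offset field


def _value(tiff, bo, typ, n, raw):
    if typ == ASCII:
        data = raw[:n] if n <= 4 else tiff[struct.unpack(bo + "I", raw)[0]:][:n]
        return data.rstrip(b"\0").decode("ascii")
    if typ == LONG:
        return struct.unpack(bo + "I", raw)[0]
    if typ == RATIONAL:                         # n pairs of uint32 at the offset
        off = struct.unpack(bo + "I", raw)[0]
        v = struct.unpack_from(bo + "%dI" % (2 * n), tiff, off)
        return [v[i] / v[i + 1] for i in range(0, 2 * n, 2)]
    raise ValueError("unsupported TIFF type %d" % typ)


def extract_gps(jpeg):
    """Walk JPEG segments to APP1/Exif (always before image data), follow
    IFD0 -> GPS IFD, and return decimal latitude/longitude or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos, tiff = 2, None
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack_from(">HH", jpeg, pos)
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            tiff = jpeg[pos + 10:pos + 2 + length]
            break
        pos += 2 + length
    if tiff is None:
        return None
    bo = "<" if tiff[:2] == b"II" else ">"       # II = little-endian, MM = big-endian
    ifd0_off = struct.unpack_from(bo + "I", tiff, 4)[0]
    gps_off = None
    for tag, typ, n, raw in _read_entries(tiff, ifd0_off, bo):
        if tag == GPS_IFD_POINTER:
            gps_off = _value(tiff, bo, typ, n, raw)
    if gps_off is None:
        return None
    f = {GPS_TAGS[t]: _value(tiff, bo, typ, n, raw)
         for t, typ, n, raw in _read_entries(tiff, gps_off, bo) if t in GPS_TAGS}

    def to_decimal(dms, ref):
        d, m, s = dms
        value = d + m / 60 + s / 3600
        return -value if ref in ("S", "W") else value

    return {"lat": to_decimal(f["GPSLatitude"], f["GPSLatitudeRef"]),
            "lon": to_decimal(f["GPSLongitude"], f["GPSLongitudeRef"])}


if __name__ == "__main__":
    print(extract_gps(build_sample_jpeg()))
```

On a real exhibit you would simply run `exiftool -gps:all photo.jpg`; the hand parser
shows that the coordinates are a separate metadata block, which is why a photo re-saved by
a messaging app or a metadata-stripping tool can lose them with no visible change to the
image itself.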

Surface Browser

Surface Browser (a SecurityTrails product) is used to map the complete online
infrastructure of any company and to obtain intelligence from DNS records, domain names
and their historical WHOIS records, exposed subdomains, SSL certificate data and more.
Analyzing the Internet-facing surface of a company or a name is as important as analyzing
local drives or RAM sticks; it can lead to critical data linked to a cybercrime.

Surface Browser is used for the following:

 Get current DNS data

DNS records are a rich source of intelligence in cyber security: they hold the key to all
publicly exposed internet assets for web, email and other services. Surface Browser lets
you view the current A, AAAA, MX, NS, SOA and TXT records instantly.

 Analyze historical DNS records

Criminals often change DNS records after carrying out malicious activity online, leaving
trails of where and how they did things at the DNS level. Whatever type of record was used,
you can explore historical A, AAAA, MX, NS, SOA and TXT records.

 Explore the WHOIS history timeline

When an attack is directed not at servers or apps but at domain names, it often involves
the WHOIS data. For this type of situation the WHOIS history timeline lets you visualize
changes at registrar level for a domain's WHOIS information, jumping backwards and forwards
in time to get exact information about the domain registrar and the registrant, admin and
technical contacts. Note that many registrars now redact registrant details, so older
historical records are frequently more informative than the current ones.

 Grab full IP block data

When investigating a digital crime that involves companies, networks and particularly IP
addresses, getting the complete IP map of the infrastructure involved is critical. Surface
Browser lets you explore single IPs as well as full IP blocks, and you can filter IP ranges
by regional registry or subnet size. Once you have the list of IP blocks, you can obtain the
IP count for each, unique user agents, the RIR, the hostnames involved, hosted domains and
open ports.

 Explore associated domains

When investigating malware, phishing domains or online fraud you will sometimes find that
the incident you are investigating is not an isolated case but is linked to others, forming
a malicious network that involves many domains.

 Visualize the complete subdomain map

Creating a curated and complete subdomain map of any apex domain is straightforward: the
subdomain discovery feature gives you all this data in seconds, with no manual scanning and
no waiting. You can see the full picture of the subdomains involved in a cyber-attack,
where they are hosted, which IP they use and more.

 Access reverse IP intelligence

Reverse DNS is one of the most valuable and least used sources of cyber security
intelligence; for example, PTR records can be used to spot mass scanners. Through this
interface you can query a large store of rDNS data to analyze and relate PTR records with
IP addresses, and filter by open ports and similar records.



UNIT 2: Internet

2.1 Definition of Internet

The Internet is the global system of interconnected computer networks that uses the
Internet protocol suite to communicate between networks and devices.

2.2 Uses of Internet

1. Electronic mail.

2. World Wide Web (including research, personal web sites and online shopping).

3. Threaded conferencing systems (USENET) or network news: users post messages which,
within a day or so, are delivered to nearly every other USENET host for everyone to read.

4. Online chat rooms.

5. Streamed broadcasts (receiving and sending audio and video).

6. Internet telephony and video telephony.

2.3 Abuse of Internet


Internet abuse refers to improper use of the internet and may include:

 Cyberbullying: use of the internet to bully and intimidate
 Cybercrime: use of computers in criminal activity
 Cybersex trafficking: the live streaming of coerced sexual acts and/or rape
 Malware: software designed to harm a user's computer, including computer viruses
 Spamming: sending unwanted advertising
 Vandalism: defacing websites, including wiki pages

2.5 Crimes committed over the internet

Cyberbullying

Cyberbullying is the use of computer networking technology and online social networks to
harass, intimidate and otherwise bully classmates or other peers.

Sexting

Sexting is the disturbingly common practice of using text messaging or similar networking
technologies to send and receive sexually explicit messages or photographs. It becomes a
criminal matter in particular where those depicted are minors or where the images are
shared without consent.

Identity Theft

Identity theft is the fraudulent use of another person's personal data, such as names,
identity numbers, account details or passwords, to obtain money, goods or services in that
person's name. Victims should act quickly once their identity has been stolen, and
protecting personal data is the main preventive step.



UNIT 3: Electronic Evidence

3.1 Definition of terms

Electronic evidence is any electronically stored information (ESI) that may be used as
evidence in a lawsuit or trial. Electronic evidence includes any documents, emails, or
other files that are electronically stored. Additionally, electronic evidence includes
records stored by network or Internet service providers.

3.2 Areas to find electronic evidence

A computer forensics investigator seeks evidence in all of the following devices and
services:

Computer: A hard drive is a goldmine for locating every file that was created, saved,
downloaded, sent or deleted on it, including documents, e-mails, images and financial
records. Deleted files frequently survive until their space is overwritten. You can often
recover file content intact, together with details of when the file was created, accessed
and edited, and sometimes prior versions. In short, a hard drive is a time machine for the
user's activity.

Web sites visited: Any digital device used to access the Internet can be searched for a
record of where on the Web a user has been and when (browser history, cache and cookies).
Very few users browse without leaving such traces.

PDA: A handheld device records a person's life like no other device does. To find out the
where, what, with whom and how much of a person's life, check their PDA.

Cellphone or smartphone: As on a PDA, the information on a user's phone can be the
e-evidence you need or can lead you toward other e-evidence. You can find detailed logs of
incoming and outgoing calls and text messages, the content of text messages, address books
and calendars.

E-mail: Everything, no matter how incriminating or careless, is sent and received by
e-mail. In fact, nothing is subjected to searches more often than e-mail. It serves as a
kind of truth serum, and for exactly that reason the notorious connection between e-mail
and jail is usually ignored by the people writing it.

GPS device: Tracking technology has already been used in high-profile court cases. To find
a person's whereabouts, check the GPS device.

Network or Internet service provider (ISP): An ISP is a fertile source of digital details.
Network devices can log the traffic that passes through them, and ISPs keep subscriber and
connection records for the period required by law or by their retention policy.

Any device that has memory: Digital cameras, iPods, flash drives, SIM cards: if it uses
memory, it might hold evidence.

Chat room: Sadly, predators and other criminals hang out in chat rooms all over the world.

MySpace, Facebook, or another social network: Full transcripts of private chats and
postings in social networks are gaining on e-mail as the primary source of e-evidence.

3.3 Challenges in obtaining electronic evidence.

1. A claim that the records were altered, manipulated or damaged between the time they
were created and the time they appear in court as evidence;
2. The reliability of the computer program that generated the record may be questioned;
3. The identity of the author may be in dispute: for instance, the person responsible for
writing a letter in the form of a word processing file, SMS or email may dispute that they
wrote the text, or sufficient evidence has not been adduced to demonstrate the nexus
between the evidence and the person responsible for writing the communication;
4. The evidence from a social networking website might be questioned;
5. It might be agreed that an act was carried out and recorded, but at issue might be that
the party introducing the evidence has failed to prove, where others might have access
to a device, that the message was directed to a particular person.
6. Whether the person alleged to have used their PIN, password or clicked the 'I accept'
icon was the person that actually carried out the action.
7. The data on local area networks, and whether there is a need to obtain an image of the
complete network, if this is possible. If an image of each computer comprising the
network is taken, the issue with networked computers is to demonstrate who had access
to which computers at what time, and whether this access is audited. The security
mechanisms in place on the network will be an important consideration when proving
authenticity.
8. Data from the Internet is also subject to problems, because reliance may be placed on
data obtained from remote computers, the computer of an investigator, and perhaps
intercepted evidence.
9. Where data is being updated constantly, such as transactional data-bases, or websites
that are continually updated, this poses problems, as the relevant evidence is point-in-
time, which may be extremely difficult to obtain.
10. Authentication of information on social media sites presents its own unique set of
issues. Firstly, it can be difficult to establish the author of the document, because social
media sites often have a number of people writing to the same page. Secondly, proving the
identity of an author can be difficult, since it is still possible to create an internet profile
without having to prove identity.

3.4 General principles in electronic evidence.

Principle 1
No action taken by law enforcement agencies or their agents should change data held on
a computer or storage media, which may subsequently be relied upon in court.

Principle 2
In exceptional circumstances, where a person finds it necessary to access original data
held on a computer or on storage media, that person must be competent to do so and be
able to give evidence explaining the relevance and the implications of their actions.

Principle 3
An audit trail or alternative record of all processes applied to computer-based
electronic evidence should be created and preserved. An independent third party should be
able to examine those processes and achieve the same result.

Principle 4
The person in charge of the investigation has overall responsibility for ensuring that the
law and these principles are adhered to.
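Principles 1 and 3 call for an untouched original and a record that lets another examiner repeat every step. The following is an added example, not part of this module, showing one way to do that in practice: a hash-verified working copy with an append-only audit trail. The file names, examiner name and image contents are constructed for illustration.

```python
"""Added example (not part of the module): a hash-verified working copy with an
audit trail, illustrating Principles 1 and 3. The original is only ever read;
each step is logged with its SHA-256 so another examiner can repeat it.
File names, the examiner name and the image contents are constructed."""
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1024 * 1024) -> str:
    """SHA-256 hex digest of a file, read in chunks so a large disk image
    never has to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class AuditTrail:
    """Append-only record of every process applied to the evidence (Principle 3)."""

    def __init__(self, examiner: str) -> None:
        self.examiner = examiner
        self.entries = []

    def record(self, action: str, target: Path, digest: str) -> None:
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "examiner": self.examiner,
            "action": action,
            "target": str(target),
            "sha256": digest,
        })


def acquire_working_copy(original: Path, workdir: Path, trail: AuditTrail) -> Path:
    """Hash the original, copy it, hash the copy and log both digests.

    Examination then proceeds on the copy (Principle 1: the original is not
    changed). Raises RuntimeError if the copy differs from the original.
    """
    original_hash = sha256_file(original)
    trail.record("hash original", original, original_hash)

    workdir.mkdir(parents=True, exist_ok=True)
    copy = workdir / (original.name + ".copy")
    shutil.copyfile(original, copy)  # reads the original; never writes to it
    copy_hash = sha256_file(copy)
    trail.record("hash working copy", copy, copy_hash)

    if copy_hash != original_hash:
        raise RuntimeError("working copy does not match original; acquisition failed")
    return copy


def verify_unchanged(path: Path, expected_hash: str, trail: AuditTrail) -> bool:
    """Re-hash evidence later (for example before court) and log the result."""
    current = sha256_file(path)
    trail.record("verify", path, current)
    return current == expected_hash


def run_demo() -> dict:
    """Run the workflow on a constructed image in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        image = root / "seized_usb.dd"  # constructed stand-in for a media image
        image.write_bytes(b"\x00" * 4096 + b"confidential memo" + b"\xff" * 512)
        empty = root / "empty.bin"
        empty.write_bytes(b"")
        trail = AuditTrail(examiner="Examiner A")  # constructed name
        copy = acquire_working_copy(image, root / "work", trail)
        original_hash = trail.entries[0]["sha256"]
        copy_ok = verify_unchanged(copy, original_hash, trail)
        copy.write_bytes(b"altered")  # simulate an accidental write to the copy
        after_tamper_ok = verify_unchanged(copy, original_hash, trail)
        return {
            "copy_ok": copy_ok,
            "after_tamper_ok": after_tamper_ok,
            "original_intact": sha256_file(image) == original_hash,
            "empty_file_sha256": sha256_file(empty),
            "audit_entries": len(trail.entries),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The final verify call fails after the simulated write, while the original still matches its recorded digest; that is exactly the discrepancy a court would expect the audit trail to expose.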


UNIT 4: Dark net

4.1 Definition of terms, dark net and deep web

The dark net is part of the deep web, but it refers to websites that are specifically used for
nefarious reasons. Dark net sites are purposefully hidden from the surface net by
additional means. The dark net is occasionally used for noble reasons by Internet users
who need to operate anonymously.

Deep web refers to anything on the internet that is not indexed by, and therefore not
accessible via, a search engine like Google. Deep web content includes anything behind a
paywall or that requires sign-in credentials. It also includes any content that its owners have
blocked web crawlers from indexing.

4.2 Dark net markets


Dark net markets are dark web black markets that offer illicit goods for sale, often using
cryptocurrencies as a method of payment. Although some products for sale are legal,
illicit goods such as drugs, stolen information, and weapons are common items in these
markets.

4.3 Popular dark web market places.

In 2019 Dream Market was the most popular market by far, with over 120,000 current
trade listings, followed at one time by Wall Street Market with under 10,000 listings.
Dream Market was shut down in 2019, and Wall Street Market was seized by law
enforcement in May 2019.

4.4 How patrons access the dark net.


1. Trust your intuition. To avoid being scammed, you’ll want to protect yourself with
smart behavior on the web. Not everyone is who they seem. Staying safe requires that
you watch who you talk to and where you visit. You should always take action to
remove yourself from a situation if something doesn’t feel right.
2. Detach your online persona from real life. Your username, email address, “real
name,” password, and even your credit card should never be used anywhere else in
your life. Create brand-new throwaway accounts and identifiers for yourself if
necessary. Acquire prepaid, unidentifiable debit cards before making any purchases.
Do not use anything that could be used to identify you whether online or in real life.
3. Employ active monitoring for identity and financial theft. Many online security
services now offer identity protection for your safety. Be sure to take advantage of
these tools if they are made available to you.
4. Explicitly avoid dark web file downloads. Fear of malware infection is significantly
higher in the lawless territory that is the dark web. Real-time file scanning from an
antivirus program can help you check any incoming files in case you do opt to
download.
5. Disable ActiveX and Java in any available network settings. These frameworks
are notorious for being probed and exploited by malicious parties. Since you are
traveling through a network filled with said threats, you’ll want to avoid this risk.
6. Use a secondary non-admin local user account for all daily activities. The native
account on most computers will have full administrative permissions by default. Most
malware must take advantage of this to execute its functions. As such, you can slow
or halt the progress of exploitation by limiting the account in-use to strict privileges.
7. Always restrict access to your Tor-enabled device. Protect your children or other
family members so they aren't at risk of stumbling across something no one should
ever see. Visit the deep web if you're interested, but don't let kids anywhere near it.

4.5 Accessing the Internet without the TOR Browser.


Use a VPN for added anonymity. Surf the dark net via search engines like DuckDuckGo or
directories. The dark web was once the province of hackers, law enforcement officers,
and cyber criminals. However, new technology like encryption and the anonymization
browser software, Tor, now makes it possible for anyone to dive dark if they're interested.

4.6 Relevance of dark net.

In fact, some uses are perfectly legal and support the value of the “dark web.” On the
dark web, users can seek out three clear benefits from its use:

• User anonymity
• Virtually untraceable services and sites
• Ability to take illegal actions for both users and providers


4.7 Payment and flow of funds on the dark net.

1. Funds Flow Through Cryptocurrencies

The anonymity of bitcoin has led the dark web market to flourish. This cryptocurrency
enables sellers and buyers to execute a trusted transaction without knowing each other's
identities. Each bitcoin transaction is kept private by revealing only the parties' wallet IDs.
Keeping a bitcoin user's transactions private allows them to enter criminal markets and
get involved in buying illegal goods. The criminal sellers operating in the dark web
market have started to add attractive new offerings to their virtual stores.

2. The Growth of Anonymizing Networks

TOR's secured browser technology remains the largest anonymizing network, with more
than million active users connected directly to its service. The bandwidth capacity of this
network has increased from approximately gigabits per second. With this growth in the
past five years, the number of unique addresses of TOR hidden services has increased
from approximately 30,000 to 80,000. This overall growth in the TOR network has
propelled the growth of dark web markets due to its expanding user base.

3. Ransom Payouts to Cybercriminals

Ransomware attacks have been rapidly increasing over the past few years, and I believe
one reason for this increase is the fact that cybercriminals are being paid out. These
payouts encourage cybercriminals, resulting in new ransomware attacks with more
features. In my experience, some cyber insurance companies are also indirectly causing a
surge in these ransomware attacks because they have started to pay the ransoms, which
costs them less than remediation or backups.

4. Increasing Profitability of Dark Web Markets

The dark web's drug market has been booming in Australia, and it has proven to be
highly lucrative for the dealers. Ransomware attacks are one of the most effective ways
to earn a large sum of money from organizations. Their earnings are increasing because
the demand is reaching new heights.

5. Organizations' Attack Surfaces Are Increasing

As organizations have rapidly moved to the digitization era, their network boundaries
have vanished. Systems are more integrated than ever before. This movement has also
increased the attack surface of organizations. With the increase in the earnings from such
attacks, cybercriminals are vying for bigger and more opportunistic attacks.

Organizations must consider investing their resources in the following to prepare


4.8 Challenges in the investigation process.
• Digital Data Threat: Growing online transactions generate bigger incentives for
cybercriminals. Besides, establishments looking to mine data—for instance, customer
information, results of product surveys, and generic market information—create
treasured intellectual property that is in itself an attractive target.
• Supply Chain Inter-connection: Supply chains are increasingly interconnected.
Companies are urging vendors and customers to join their networks. This makes a
company’s security wall thin.
• Hacking: This is penetrating someone’s system in an unauthorized fashion to
steal or destroy data, and it has grown a hundredfold in the past few years. The
availability of information online makes it easier for even non-technical people to
perform hacking.
• Phishing: The easiest to execute, and it can produce results with very little effort. It
is the act of sending out fake emails and text messages and creating websites that look
like they're from authentic companies.


UNIT 5: Virtual Currencies

Virtual currency is a type of unregulated digital currency that is only available in
electronic form. It is stored and transacted only through designated software, mobile or
computer applications, or through dedicated digital wallets, and the transactions occur
over the internet through secure, dedicated networks.

Virtual currency is a type of unregulated digital currency that is not issued or
controlled by a central bank. Examples include Bitcoin, Litecoin, and XRP. Virtual
currency can be either centralized or decentralized.

5.1 The concept of Virtual currencies

Digital currencies are currencies that are only accessible with computers or mobile
phones, as they only exist in electronic form. Since digital currencies require no
intermediary, they are often the cheapest method to trade currencies.

5.2 Criminal use of virtual currencies.

1. Lacks comprehensive regulation

The regulations over virtual currencies are not comprehensive or systematic enough,
hindering their worldwide acceptance. Lacking the supervision from a central
administrator, decentralized virtual currencies provide opportunities for illegal
transactions and money laundering.

2. Highly volatile

Outside the control of a central bank, the value of a virtual currency is highly volatile.
Therefore, it is a less favorable tool to store value or medium of exchange. For example,
Bitcoin peaked at the end of 2017 at nearly $20,000 per unit. It later dropped to around
$3,000 per unit within one year.


3. Potential security issues

Virtual currencies also raise security concerns. Despite improving encryption techniques,
the loss or leakage of authentication information is still possible and can cause great
losses to virtual currency owners.

5.3 Case studies

Today, mobile money services are available throughout much of the developing world.
Most markets have a live offering and many have multiple services. In 2007, there were
fewer than 20 mobile money services for the unbanked worldwide. Since then the number
of deployments has ballooned to over 190, with another 115 planning to launch. How
are these 190 services faring? Unevenly. Many mobile money services have yet to
achieve significant scale, but a collection of stand-out services appear to have figured out
the formula and are riding a steep growth trajectory. According to GSMA’s 2012 Global
Mobile Money Adoption Survey, 14 services qualified as Mobile Money Sprinters, the
world’s fastest growing mobile money services. What has been the formula for their
success? A number of elements need to be in place for a mobile money service to become
a sprinter, including an enabling regulatory environment, adequate levels of investment,
strong marketing, and well-managed distribution networks. Over the past year, MMU has
published case studies that examine how certain mobile money services have managed to
thrive in countries such as Zimbabwe, Pakistan and Somaliland. Together these case
studies demonstrate that mobile money success is no longer the story of just one country
or region, and by sharing these lessons with the industry, MMU hopes to accelerate the
success of more mobile money services around the globe.
MMU growth trajectories. Each has contributed a unique set of
innovations to the industry, demonstrating that a variety of approaches are
possible in different markets.

5.4 Investigation and Prosecution challenges.

INVESTIGATIVE CHALLENGES

The particular features of virtual currency systems, especially decentralized systems,
present new challenges for law enforcement. Many of the benefits that virtual currency
systems promise legitimate consumers, such as increased privacy in transactions and the
ability to send funds without an intermediary, serve as obstacles to law enforcement when
the systems are exploited for illegal purposes. Key challenges identified by law
enforcement officers dealing with virtual currency include regulatory and compliance
disparities, transaction obfuscation and anonymity, and the global nature of the systems.


Regulatory and Compliance Disparities

Criminals gravitate to services with weak or nonexistent anti-money-laundering and
customer identification programs. Those systems flourish in countries with poor
regulatory oversight and ineffective enforcement. Because of virtual currency’s unique
features, namely its lack of government backing, it falls within a regulatory gray area in
many foreign jurisdictions. Therefore, many systems do not identify or report suspicious
transactions, fail to retain customer records, and often resist cooperation with law
enforcement.

Transaction Obfuscation and Anonymity

Virtual currency transactions can be difficult to track, due in part to the structure of the
systems themselves, as well as their privacy-enhancing features. Many services allow
users to maintain higher levels of anonymity than would be permitted in a traditional
currency-based system. Even if an investigator is successful in following the transaction,
it still may be difficult to tie a virtual account to a real-world identity. This process
further is complicated by decentralized systems, where there no longer is a single
company holding customer records.

Systems’ Global Nature

The above challenges further are exacerbated by the inherently global nature of the
virtual currency ecosystem. Customers and services can transact with little regard to
national borders, creating investigative challenges and jurisdictional hurdles. Any
investigation involving substantial use of virtual currency is likely to rely on international
cooperation. However, the speed of the legal process cannot keep up with the pace of
these transactions.


UNIT 6: Online Money Laundering

Online Gambling and Online Video Games


There are many ways to launder money through online gambling sites. ... Money
launderers buy in-game inventory with illegal credit cards and then sell this inventory at a
lower price than the black market. Thus, they wash the black money they have and turn it
into clean money.

6.1 Money laundering and e-payments

Money laundering — the process of making crime proceeds legitimate — is continuing
with all three of its steps: placement, layering and integration. The classical methods of
money laundering include the structuring of large amounts of money into multiple small
transactions at banks (often called smurfing) and the use of foreign exchanges, cash
smugglers and wire transfers to move money across borders. Investing in high-value and
movable commodities such as diamonds and gold, discreetly buying and selling valuable
assets such as real estate, foreign bank accounts, and counterfeiting, gambling and shell
companies are also actively used tactics of money launderers. In addition to these,
criminals are now making use of advanced technology and the super-pervasiveness of the
internet to obscure their presence and use their ill-gotten money at will. The following are
some of the modern methods used by launderers.

E-payments

An electronic payment is a digital transaction between two parties. E-payment types
include ACH, wire and bank transfers, cards, digital wallets, mobile pay and more.

1. Credit Cards
2. Bank Transfers
3. Digital Wallet
4. Automated Clearing House (ACH)
5. E-Checks via the Automated Clearing House (ACH)

6.2 Online money laundering methods and techniques


Money laundering, the process of making crime proceeds legitimate, is continuing with
all three of its steps: placement, layering and integration. The classical methods of money
laundering include the structuring of large amounts of money into multiple small
transactions at banks and the use of foreign exchanges, cash smugglers and wire transfers
to move money across borders. The following are some of the modern methods used by
launderers.

1. Online banking with loose norms

Online banking is currently the playground of many fraudsters who are using social
engineering methods to access other people’s bank accounts in their favor. For money
laundering purposes, a criminal may transfer money directly to such victim’s account and
trick the person into sharing sensitive information such as passwords or into getting
remote access to the victim’s computer. Then, the criminal can make an unauthorized
payment from the victim’s account.

2. Business Email Compromise

This is a systematic scam in which businesses working with foreign suppliers and doing
regular wire transfers are targeted. Here, a criminal compromises legitimate business
email accounts via social engineering or computer intrusion techniques to conduct
unauthorized fund transfers. While the scheme is mostly used to defraud another out of
money, it can also be an effective tool to layer and launder money with or without the
knowledge of the victim.

3. Synthetic identity

Criminals are using a combination of real and fabricated information to open accounts for
credit cards, online deposits and loans. This crime is costing banks a lot of time and
money along with reputational degradation.

4. Anonymous online payment services

Payment methods like prepaid gift cards, prepaid debit cards and prepaid credit cards can
be purchased in a completely anonymous manner or with fictitious details. They can be
purchased via cash payment as well. The value loaded in these cards can be redeemed
online anywhere in the world without revealing the identity of the person.

5. Virtual currencies

Cryptocurrencies such as bitcoin, due to their inherent anonymity feature, are one of the
most convenient ways to wash money. These currencies are not connected to a person’s
identity and only depend on the private key connected to an account. Further, these
currencies do not have a central record-keeping system that regulators can track. In
addition, individuals who use digital currencies do not have to rely on intermediaries for
value transfers. Digital currency platforms often do not carry out checks for the source of
money, politically exposed persons (PEPs) and sanctions.


6.3 Online money laundering red flags.

Red flags include: A significant amount of private funding from an individual running a
cash-intensive business. The involvement of a third party private funder without an
apparent connection to the business or a legitimate explanation for their participation.

Three stages of money laundering

Money laundering has one purpose: to turn the proceeds of crime into cash or property
that looks legitimate and can be used without suspicion.

• Placement
• Layering
• Integration / Extraction

Placement
• Cash businesses – adding the cash gained from crime to the legitimate takings.
This works best in businesses with little or no variable costs, such as car parks, strip
clubs, tanning studios, car washes, and casinos.
• False invoicing – putting through dummy invoices to match cash lodged, making
it look like payment in settlement of the false invoice.
• Smurfing – lodging small amounts of money below the AML reporting threshold
to bank accounts or credit cards, then using these to pay expenses etc.
• Trusts and offshore companies – useful for hiding the identity of the real
beneficial owners.
• Foreign bank accounts – physically taking small amounts of cash abroad, below
the customs declaration threshold, lodging in foreign bank accounts, then sending
back to the country of origin.
• Aborted transactions – funds are lodged with a lawyer or accountant to hold in
their client account to settle a proposed transaction. After a short time, the
transaction is aborted. Funds are repaid to the client from an unimpeachable
source.
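The smurfing pattern above is what an AML analyst or investigator would look for in bank records: deposits that individually stay under the reporting threshold but add up to more than it within a short period. The following is an added example, not from this module, of a simple rule that flags such accounts; the threshold of 10,000, the seven-day window, the minimum of three deposits and the sample transactions are all constructed for illustration.

```python
"""Added example (not part of the module): a simple structuring ("smurfing")
detector over constructed deposit records. Threshold, window and the sample
data are assumptions for illustration, not figures from the module."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Deposit:
    account: str
    when: date
    amount: float
    channel: str  # "cash" or "transfer" in this constructed data


def find_structuring(deposits, threshold=10_000.0, window_days=7, min_deposits=3):
    """Return {account: [deposits]} for accounts showing a smurfing pattern.

    Rule: within any span of `window_days`, at least `min_deposits` cash
    deposits that are each below `threshold` while together reaching or
    exceeding it. Deposits at or above the threshold are excluded because
    they would be reported through the normal channel anyway.
    """
    window = timedelta(days=window_days)
    by_account = defaultdict(list)
    for d in deposits:
        if d.channel == "cash" and d.amount < threshold:
            by_account[d.account].append(d)

    flagged = {}
    for account, items in by_account.items():
        items.sort(key=lambda d: d.when)
        start = 0
        for end in range(len(items)):
            # Advance the window start until the span fits within window_days.
            while items[end].when - items[start].when > window:
                start += 1
            group = items[start:end + 1]
            if len(group) >= min_deposits and sum(d.amount for d in group) >= threshold:
                flagged[account] = group
                break  # report the first window that trips the rule
    return flagged


# Constructed sample transactions (not real data).
SAMPLE_DEPOSITS = [
    # ACC-1: three sub-threshold cash deposits in four days -> structuring pattern
    Deposit("ACC-1", date(2023, 3, 1), 9_500.0, "cash"),
    Deposit("ACC-1", date(2023, 3, 2), 9_800.0, "cash"),
    Deposit("ACC-1", date(2023, 3, 4), 9_700.0, "cash"),
    # ACC-2: small cash deposits spread over weeks -> not within the window
    Deposit("ACC-2", date(2023, 3, 1), 4_000.0, "cash"),
    Deposit("ACC-2", date(2023, 3, 20), 4_500.0, "cash"),
    Deposit("ACC-2", date(2023, 4, 9), 4_200.0, "cash"),
    # ACC-3: a single deposit over the threshold -> reported normally, not smurfing
    Deposit("ACC-3", date(2023, 3, 3), 12_000.0, "cash"),
    # ACC-4: electronic transfers, outside the scope of this cash-based rule
    Deposit("ACC-4", date(2023, 3, 3), 9_900.0, "transfer"),
    Deposit("ACC-4", date(2023, 3, 4), 9_900.0, "transfer"),
    Deposit("ACC-4", date(2023, 3, 5), 9_900.0, "transfer"),
]


def flagged_accounts(deposits=SAMPLE_DEPOSITS, **rule):
    """Convenience wrapper: the sorted list of flagged account identifiers."""
    return sorted(find_structuring(deposits, **rule))


if __name__ == "__main__":
    for account, group in find_structuring(SAMPLE_DEPOSITS).items():
        total = sum(d.amount for d in group)
        print(f"{account}: {len(group)} cash deposits totalling {total:,.0f} "
              f"between {group[0].when} and {group[-1].when}")
```

Widening the window to 60 days also catches ACC-2, which shows why the chosen window is a tuning decision rather than a fixed fact.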

Layering
Layering is essentially the use of placement and extraction over and over again, using
varying amounts each time, to make tracing transactions as hard as possible.

Integration / Extraction

The final stage is getting the money out so it can be used without attracting attention from
law enforcement or the tax authorities. In this regard, criminals are often content to pay
payroll and other taxes to make the “washing” more legitimate and are often happy with a
half-percent “shrinkage” in the wash.


• Fake employees – a way of getting the money back out; usually paid in cash and
collected.
• Loans – to directors or shareholders, which will never be repaid.
• Dividends – paid to shareholders of companies controlled by criminals.

UNIT 7: Digital Forensics


7.1 Definition of digital forensics
Digital forensics is a branch of forensic science encompassing the recovery and
investigation of material found in digital devices, often in relation to computer
crime. Digital forensics investigations have a variety of applications.

Examples: Computer documents, emails, text and instant messages, transactions,
images and Internet histories are examples of information that can be gathered
from electronic devices and used very effectively as evidence.

Unique characteristics of digital forensics.

The main characteristics of digital evidence are:

• it is latent, like fingerprints and DNA;
• it can transcend national borders with ease and speed;
• it is highly fragile and can be easily altered, damaged or destroyed; and
• it is time sensitive.

7.2 Considerations of electronic evidence

Digital evidence can be collected from many sources, including computers, mobile
phones, digital cameras, hard drives, CD-ROMs, USB memory sticks, cloud computers,
servers and so on. Non-obvious sources include RFID tags and web pages, which must be
preserved as they are subject to change.

7.3 Areas to find digital data

Computer: Digital memories don’t forget anything. A hard drive is a goldmine for
locating every file that was created, saved, downloaded, sent, or deleted to it or from it,
including documents, e-mails, images, and financial records. You can find file content
intact, as well as a lot of details about when the file was created, accessed, and edited,
and you might even be able to find prior versions. In short, a hard drive is the perfect time
machine.


Web site that was visited: Any digital device used to access the Internet can be searched
for a listing of where on the Web a user has visited and when. No one surfs anonymously.

PDA: A handheld device records a person’s life like no other device does. To find out the
where, what, with whom, and how much of a person’s life, check his PDA.

Cellphone or smart phone: As on a PDA, the information you can find on a user’s
phone can be the e-evidence you need or it can lead you toward other e-evidence. You
can find detailed logs of incoming and outgoing messages and text messages; transcripts
of text messages; address books and calendars.

E-mail: Everything, no matter how incriminating or stupid, is sent and received by e-mail.
In fact, nothing is subjected to searches more than e-mail is. It serves as truth
serum, and, for exactly that reason, the notorious connection between e-mail and jail is
usually ignored.

GPS device: Tracking technology has already been used in high-profile court cases. To
find a person’s whereabouts, check the GPS device.

Network or Internet service provider (ISP): An ISP is a fertile source of digital dirt
and details. If bytes pass through it, each network device records it.

Any device that has memory: Digital cameras, iPods, flash drives, SIM cards: if a device
uses memory, it might hold evidence.

Chat room: Sadly, predators and other criminals hang out in chat rooms all over the
world.

MySpace, Facebook, or another social network: Full transcripts of private chats and
postings in social networks are gaining on e-mail as the primary source of e-evidence.


7.4 Digital data recovery


Data recovery is the process of accessing and recovering information from digital media
that is not accessible through standard means. This is a necessary service in a variety of
situations from user error and deletion, to mechanical and physical damage on your
storage device.


There are service providers who specialize in data recovery; the following is a list:

• Stellar Data Recovery
• Ontrack
• DriveSavers
• Gillware
• Seagate In-Lab Recovery
• SalvageData Recovery
• SecureData
• WeRecoverData

Principles of handling electronic evidence.

'Forensic Examination of Digital Evidence: A Guide for Law Enforcement' was created at
the agency's request by the National Institute of Standards and Technology. It outlines
techniques for extracting digital data while preserving its integrity.

Because digital data is easily altered and it is difficult to distinguish between original data
and copies, extracting, securing and documenting digital evidence requires special
attention. The guidelines lay out the following general principles for handling digital
evidence:

• The process of collecting digital evidence should not alter it or raise questions
about its integrity.
• Examination of digital evidence should be done by trained personnel.
• All actions in processing the evidence should be documented and preserved for
review.
• Examination should be conducted on a copy of the original evidence. The original
should be preserved intact.


UNIT 8: Cyber Security

Cyber security is the practice of defending computers, servers, mobile devices, electronic
systems, networks, and data from malicious attacks. It's also known as information
technology security or electronic information security. The term applies in a variety of
contexts, from business to mobile computing, and can be divided into a few common
categories.

• Network security is the practice of securing a computer network from
intruders, whether targeted attackers or opportunistic malware.
• Application security focuses on keeping software and devices free of threats.
A compromised application could provide access to the data it’s designed to
protect. Successful security begins in the design stage, well before a program
or device is deployed.
• Information security protects the integrity and privacy of data, both in
storage and in transit.
• Operational security includes the processes and decisions for handling and
protecting data assets. The permissions users have when accessing a network
and the procedures that determine how and where data may be stored or
shared all fall under this umbrella.
• Disaster recovery and business continuity define how an organization
responds to a cyber-security incident or any other event that causes the loss of
operations or data. Disaster recovery policies dictate how the organization
restores its operations and information to return to the same operating capacity
as before the event. Business continuity is the plan the organization falls back
on while trying to operate without certain resources.
• End-user education addresses the most unpredictable cyber-security factor:
people. Anyone can accidentally introduce a virus to an otherwise secure
system by failing to follow good security practices. Teaching users to delete
suspicious email attachments, not plug in unidentified USB drives, and
various other important lessons is vital for the security of any organization.

Types of cyber threats

The threats countered by cyber-security are three-fold:

1. Cybercrime includes single actors or groups targeting systems for financial gain or to
cause disruption.
2. Cyber-attack often involves politically motivated information gathering.
3. Cyber terrorism is intended to undermine electronic systems to cause panic or fear.

Malware

Malware means malicious software. One of the most common cyber threats, malware is
software that a cybercriminal or hacker has created to disrupt or damage a legitimate
user’s computer. Often spread via an unsolicited email attachment or legitimate-looking
download, malware may be used by cybercriminals to make money or in politically
motivated cyber-attacks.

There are a number of different types of malware, including:

• Virus: A self-replicating program that attaches itself to a clean file and spreads
throughout a computer system, infecting files with malicious code.
• Trojans: A type of malware that is disguised as legitimate software.
Cybercriminals trick users into installing Trojans on their computer, where
they cause damage or collect data.
• Spyware: A program that secretly records what a user does, so that
cybercriminals can make use of this information. For example, spyware could
capture credit card details.
• Ransomware: Malware which encrypts a user's files and data, with the threat of
erasing them, or publishing them, unless a ransom is paid.
• Adware: Advertising software which can be used to spread malware.
• Botnets: Networks of malware-infected computers which cybercriminals control
remotely to perform tasks online without the owners' permission.

SQL injection

An SQL (Structured Query Language) injection is a type of cyber-attack used to take
control of and steal data from a database. Cybercriminals exploit vulnerabilities in data-
driven applications that build queries by pasting user input straight into SQL text, so
that the input is executed as a malicious SQL statement instead of being treated as data.
This gives them access to the sensitive information contained in the database, and often
the ability to modify or delete it as well.
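The following Python example is added to this module and is not part of the original text. It uses the standard library sqlite3 module to show both halves of the problem: a login function that concatenates user input into the query, two attacker payloads run against it (one bypasses authentication, one dumps every stored password), and the parameterised version that is immune to both. The database, the accounts and the passwords are constructed for the demonstration.

```python
import sqlite3


# Constructed in-memory database for this demonstration; the table, users and
# passwords are made up and not taken from the module.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    # The user-supplied strings are pasted straight into the SQL text, so a quote
    # character in the input ends the literal and the rest is parsed as SQL.
    query = (
        "SELECT username, role FROM users "
        "WHERE username = '" + username + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username: str, password: str) -> list:
    # Parameterised query: the driver binds the values as data, so the same
    # payloads are compared literally against the columns and match nothing.
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def demo() -> dict:
    conn = make_db()
    # Payload 1: a tautology that makes the WHERE clause true for every row
    # (authentication bypass: the query returns all users).
    bypass = "' OR '1'='1"
    # Payload 2: a UNION that appends the password column to the result set and
    # comments out the rest of the query with '--' (data theft).
    dump = "x' UNION SELECT username, password FROM users --"
    return {
        "bypass_vulnerable": login_vulnerable(conn, bypass, bypass),
        "bypass_safe": login_safe(conn, bypass, bypass),
        "dump_vulnerable": login_vulnerable(conn, dump, "x"),
        "dump_safe": login_safe(conn, dump, "x"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

For an investigator the tell-tale signs are in the web server or database logs: quote characters, OR '1'='1, UNION SELECT and comment markers inside what should be a plain user name are the fingerprints of this attack.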

Phishing

Phishing is when cybercriminals target victims with emails that appear to be from a
legitimate company asking for sensitive information. Phishing attacks are often used to
dupe people into handing over credit card data and other personal information.

Man-in-the-middle attack

A man-in-the-middle attack is a type of cyber threat where a cybercriminal secretly
intercepts, and may alter, the communication between two parties in order to steal data.
For example, on an unsecured Wi-Fi network, an attacker could intercept data passing
between the victim's device and the network.

Denial-of-service attack

A denial-of-service attack is where cybercriminals prevent a computer system from
fulfilling legitimate requests by overwhelming the networks and servers with traffic. This
renders the system unusable, preventing an organization from carrying out vital
functions.

Cyber safety tips which protect individual or organization against cyber attacks

1.      Update your software and operating system: This means you benefit from the
latest security patches.
2.      Use anti-virus software: Security solutions like Kaspersky Total Security detect
and remove threats. Keep your software updated for the best level of
protection.
3.      Use strong passwords: Ensure your passwords are not easily guessable.
4.      Do not open email attachments from unknown senders: These could be
infected with malware.
5.      Do not click on links in emails from unknown senders or unfamiliar
websites: This is a common way that malware is spread.
6.      Avoid using unsecure Wi-Fi networks in public places: Unsecure networks
leave you vulnerable to man-in-the-middle attacks.

8.1 Key loggers

• Key loggers (keystroke loggers) are a type of monitoring software, or occasionally a
small hardware device fitted between the keyboard and the computer, designed to record the
keystrokes made by a user. One of the oldest forms of cyber threat, keystroke loggers
record the information you type into a website or application and send it back to a third
party.

• Keyloggers are used to gain fraudulent access to confidential information such as
personal details, credit card data and access credentials.

8.2 IP address logging
"IP logger" services (Grabify is a widely used example) record the public IP address of
whoever opens a specially crafted link, in three simple steps:
1. Shorten the long link with the service.
2. Share the short link with the target user.
3. Read the logged ("grabbed") IP address, browser user agent and timestamp after the user
clicks on the short link.
Note that the address obtained is the public address of the network the target was using;
it identifies an internet service provider or organisation rather than a person, and a
target behind a VPN or proxy will show that service's address instead. IP Tracker is a
simple tool that you can use to look up the registered owner and approximate location of
any public IP address on the Internet.

8.3 Anti-key loggers and anti-forensic tools

Anti-key loggers
An anti-keylogger (or anti-keystroke logger) is a type of software specifically designed
for the detection of keystroke logger software; often, such software will also incorporate
the ability to delete, or at least immobilize, hidden keystroke logger software on a
computer. Note that software of this kind cannot detect a hardware keylogger plugged in
between keyboard and computer; that requires a physical inspection.

Ghostpress

Ghostpress is a free anti-keylogger which stops keylogger programs from functioning on
your PC. Computers can be infested with malicious spy-recording programs which silently
store your credentials as keystrokes and leak them. This freeware can safeguard your PC
from such software. It is a simple yet effective anti-keylogger which hides the keystrokes
that you enter on your PC in real time.

Zemana AntiLogger

Zemana AntiLogger Free is another free anti-keylogger, which prevents a keylogger
program from recording your keystrokes on a PC. It encrypts all your keystrokes and
decrypts them only for the specific program in which you are currently working. It
provides overall protection from hidden keylogger programs, if present on a PC.

SpyShelter Anti-Keylogger

SpyShelter Anti-Keylogger is a free anti-keylogger product of SpyShelter software. Its
main function is to protect your PC from keyloggers and similar spyware programs by
working as a keylogger detector.

KeyScrambler Personal

KeyScrambler Personal is a free and popular keypress-scrambling program, which
encrypts the keystrokes you enter in a web browser. Its only function is to encrypt
the keystrokes you type in browsers and then decrypt them again in the field where you are
typing, thus preventing keylogger programs from recording the original keystrokes.

Anti-Forensic Techniques to Cover Digital Footprints

1. Encryption

Under encryption, the data is converted into an unreadable format ("encrypted data" or
"ciphertext") using a key. The primary motive of encryption is to protect confidential
files or data from unauthorized access: the encrypted data can be deciphered only by
someone who holds the matching key. This is one of the traditional methods of protecting
data. Modern cryptography uses symmetric encryption, where the same secret key encrypts
and decrypts (the Data Encryption Standard (DES) and the Advanced Encryption Standard
(AES) are the best-known examples; DES is obsolete and easily broken today, AES is the
current standard), and asymmetric (public-key) encryption, where a pair of keys is used
and data encrypted with the public key can be decrypted only with the private key. For the
investigator, properly used strong encryption cannot be broken in practice, so the usual
route is to obtain the key or passphrase, or to find the data unencrypted elsewhere.

2. Steganography

Steganography is the act of concealing data in plain sight.

Most often, data is exchanged inside an image. In this technique, a small part of the
image data is altered so that the change is not easily noticeable: the processed file
looks ordinary and can go unnoticed. Historically, messages were concealed using microdots
and invisible ink; today the same idea is applied to digital files. There is another form,
linguistic steganography, where the message is hidden in natural-looking text.
Steganography allows messages and even large files to be hidden in pictures, text, audio
and video files.

3. Tunneling

This method uses encapsulation to carry private communications over a public network.
The data packets travel across the public network inside an outer protocol, so they raise
no suspicion. One of the common ways is to use a Virtual Private Network (VPN), which also
encrypts the data. To detect such covert channels, organizations must continuously
monitor their encrypted network connections for unusual destinations and traffic volumes.

4. Onion Routing
The process of sending messages which are encrypted in layers, like the layers of an
onion, is referred to as onion routing. The data packet passes through several network
nodes (relays), and each node peels off one layer of encryption, which reveals only the
address of the next node. When the final layer is stripped, the message reaches its
destination. No single node sees both the source and the destination: the first node
knows the sender but not the destination, the last node knows the destination but not the
sender, and intermediate nodes know only their two neighbours (the Tor network is the
best-known implementation). Onion routing cannot be defeated by breaking the encryption
in practice; investigators instead rely on correlating traffic entering and leaving the
network, on mistakes made at the endpoints, or on the fact that the last node can read
any traffic that is not separately encrypted end to end. This is time-consuming, but it
has been used successfully.
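A toy model of the layered encryption, added here as an illustration; it is not the module's own material and it is not how Tor is built (it uses a SHA-256 based XOR keystream instead of a real cipher and has no integrity protection). The sender shares a symmetric key with each of three relays, wraps the message in three layers, and each relay removes one layer and learns only where the packet came from and where it goes next. The relay names, keys and message are constructed.

```python
import hashlib

HOP = 8  # width of the fixed field that carries the next hop's name


def keystream(key: bytes, length: int) -> bytes:
    # Counter-mode keystream derived from SHA-256. Toy construction: a real
    # onion router uses a proper cipher (AES) plus integrity checks.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_layer(key: bytes, data: bytes) -> bytes:
    # XOR with the keystream adds a layer; the same call removes it again.
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_onion(route: list, dest: str, message: bytes, keys: dict) -> bytes:
    """Wrap the message in one layer per relay. The exit relay's layer is innermost
    and names the final destination; each outer layer names the next relay."""
    packet = message
    next_hop = dest
    for node in reversed(route):
        packet = xor_layer(keys[node], next_hop.encode().ljust(HOP) + packet)
        next_hop = node
    return packet


def peel(node: str, packet: bytes, keys: dict):
    """A relay removes its own layer: it learns the next hop and nothing else."""
    plain = xor_layer(keys[node], packet)
    return plain[:HOP].decode().strip(), plain[HOP:]


def deliver(route: list, dest: str, message: bytes, keys: dict):
    """Push the onion through the route. Returns what the destination receives and,
    for each relay, what it could observe (previous hop, next hop, plaintext or not)."""
    packet = build_onion(route, dest, message, keys)
    observed = []
    previous, current = "sender", route[0]
    while True:
        next_hop, packet = peel(current, packet, keys)
        observed.append({"relay": current, "from": previous, "to": next_hop,
                         "sees_plaintext": packet == message})
        if next_hop == dest:
            return packet, observed
        previous, current = current, next_hop


# Constructed circuit: three relays, each sharing a symmetric key with the sender.
ROUTE = ["guard", "middle", "exit"]
KEYS = {name: hashlib.sha256(("circuit-key-" + name).encode()).digest() for name in ROUTE}

if __name__ == "__main__":
    received, log = deliver(ROUTE, "dest", b"meet at the usual place", KEYS)
    print(received)
    for entry in log:
        print(entry)
```

Running it shows the property the text describes: the guard sees the sender and the middle relay, the middle relay sees only two relays, and only the exit relay sees the destination and the plaintext. That last point is the practical weakness: an exit relay, or anyone watching it, reads whatever is not separately protected by end-to-end encryption such as TLS.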

5. Obfuscation
A technique that makes a message difficult to understand because of its ambiguous
language is known as obfuscation. This method uses jargon and in-group phrases to
communicate, and it can be intentional or unintentional. Applied to software, the primary
objective of obfuscation is to reduce the risk of exposure: malicious code is rewritten,
packed or encrypted so that its signature or fingerprint no longer matches what anti-virus
tools look for, while its behaviour stays the same.

6. Spoofing
Spoofing is the act of disguising a communication from an unknown source as coming from a
known, trusted source, in order to gain unauthorized access to systems or data. Spoofing
can be performed through emails, phone calls, and websites. Two common ways of spoofing
are:

• IP Spoofing: Under IP spoofing, perpetrators forge the source IP address of their
packets to hide their system's real address while initiating malicious activities.
Generally, this type of spoofing is used to carry out a distributed denial of service
(DDoS) attack, since the victim's replies go to the forged address rather than back to
the attacker. It can be performed either manually or with tools.
• MAC Spoofing: The MAC address burned into a network card cannot be changed, but the
operating system can be told to send frames with a different one, so with modest technical
skill it is not difficult. With MAC spoofing, cyber attackers present a fake MAC address,
for example to bypass a Wi-Fi MAC address filter or to impersonate another device on the
local network. This is one of the more difficult spoofing methods to counter.
Other types of spoofing include ARP spoofing, DNS spoofing, email spoofing, and many
more.

Forensic investigators have many tools and techniques to identify spoofing, such as
examining email headers in the case of email spoofing or investigating wireless access
point activities in case of MAC spoofing, and likewise.
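As an added worked example of the email-header check mentioned above (not from the original module), the Python below parses a constructed phishing message with the standard library's email package and reports the indicators an examiner looks for: whether the Return-Path (envelope sender) and Reply-To domains match the visible From domain, the SPF verdict recorded by the receiving server, and the IP address of the earliest Received hop. The message, domains and addresses are made up, using reserved documentation names.

```python
import email
import email.utils
import re

# Constructed message for the demonstration (documentation domains and addresses only).
SAMPLE = b"""Return-Path: <bounce@mail-relay.example.net>
Received: from mx.example.org (mx.example.org [203.0.113.10]) by inbox.example.org with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from host12.mail-relay.example.net (unknown [198.51.100.23]) by mx.example.org with ESMTP; Mon, 1 Jan 2024 10:00:01 +0000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Example Bank Support" <support@examplebank.example>
Reply-To: <helpdesk@mail-relay.example.net>
To: victim@example.org
Subject: Urgent: verify your account
Message-ID: <20240101100000.1234@mail-relay.example.net>
Date: Mon, 1 Jan 2024 09:59:58 +0000

Your account will be suspended unless you confirm your password at the link below.
"""


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased, or None."""
    if not header_value:
        return None
    _, addr = email.utils.parseaddr(header_value)
    return addr.rpartition("@")[2].lower() or None


def analyse(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw)
    from_dom = domain_of(msg.get("From"))
    return_path_dom = domain_of(msg.get("Return-Path"))
    reply_to_dom = domain_of(msg.get("Reply-To"))
    # Received headers are prepended by each server, so the LAST one in the
    # list is the earliest hop, i.e. the server closest to the real sender.
    received = msg.get_all("Received") or []
    origin_ip = None
    if received:
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1])
        origin_ip = m.group(1) if m else None
    spf = re.search(r"spf=(\w+)", msg.get("Authentication-Results", ""))
    result = {
        "from_domain": from_dom,
        "return_path_domain": return_path_dom,
        "reply_to_domain": reply_to_dom,
        "origin_ip": origin_ip,
        "spf": spf.group(1).lower() if spf else None,
        "hops": len(received),
    }
    result["return_path_mismatch"] = return_path_dom is not None and return_path_dom != from_dom
    result["reply_to_mismatch"] = reply_to_dom is not None and reply_to_dom != from_dom
    result["suspicious"] = (result["return_path_mismatch"] or result["reply_to_mismatch"]
                            or result["spf"] in ("fail", "softfail"))
    return result


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(key, "=", value)
```

Only the Received and Authentication-Results lines added by your own (or another trusted) mail server can be relied on; anything below them in the header stack was written on the sender's side and can be forged. That is why the earliest hop is read from the last Received line and treated as a lead to follow up with the relay's operator, not as proof of origin.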

8.4 Password attack techniques

Brute-Force Attack

While certain types of cyber-attacks use sophisticated methods, password attacks can be
relatively simple. A true brute-force attack systematically tries every possible
combination of characters until the password is found; against short or simple passwords
this is quick, but the effort grows exponentially with password length. Attackers
therefore narrow the search: someone may look around a co-worker's desk for clues, or use
social engineering to learn about a user's hobbies, family, pets and other details that
are commonly used in insecure passwords, and then make educated guesses. This may seem an
ineffective and time-consuming method, but it is a favourite among hackers because of its
simplicity.

Dictionary Attack

With this method, a hacker will use a program that will run through a series of likely
passwords. This technique also relies on knowing some of the psychology of the user as
well as common password variations. The dictionary method will start with common
words and then add different letters and symbols until the password is correctly guessed.
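As an added Python example illustrating both the brute-force and the dictionary technique described above (not part of the original module), the code below stores a salted hash of a password, then recovers it either by exhaustive search over a small alphabet or by running a short word list through the kind of mangling rules password-cracking tools apply: capitalisation, "leet" substitutions and common suffixes. The salt, word list and target passwords are constructed for the demonstration.

```python
import hashlib
import itertools


def store(password: str, salt: bytes) -> str:
    # Fast hash used only to keep the demo quick. Real systems should use a slow,
    # salted scheme (bcrypt, scrypt, Argon2, PBKDF2) precisely to make guessing costly.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def mangle(word: str):
    """Yield the variations a dictionary attack tries for one base word."""
    leet = (word.replace("a", "@").replace("e", "3").replace("i", "1")
                .replace("o", "0").replace("s", "$"))
    bases = [word, word.capitalize(), word.upper(), leet, leet.capitalize()]
    seen = set()
    for base in bases:
        for suffix in ("", "1", "12", "123", "!", "!1", "2023", "2024"):
            candidate = base + suffix
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def dictionary_attack(target: str, salt: bytes, wordlist: list):
    """Try every mangled form of every word. Returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if store(candidate, salt) == target:
                return candidate, guesses
    return None, guesses


def brute_force(target: str, salt: bytes, alphabet: str, max_len: int):
    """Exhaustively try every string up to max_len over the alphabet."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if store(candidate, salt) == target:
                return candidate, guesses
    return None, guesses


# Constructed scenario: the attacker has learned the victim's pet is called "fluffy".
SALT = b"\x00\x01\x02\x03"
WORDLIST = ["password", "welcome", "fluffy", "rex"]

if __name__ == "__main__":
    print(dictionary_attack(store("Fluffy123", SALT), SALT, WORDLIST))
    print(dictionary_attack(store("xK9#pL2v", SALT), SALT, WORDLIST))
    print(brute_force(store("7391", SALT), SALT, "0123456789", 4))
```

Two lessons drop out of running it: a four-digit PIN falls to brute force in a few thousand guesses, and "Fluffy123" falls to the dictionary while a random eight-character password does not. Both attacks are normally run offline against a stolen hash, so the defences are a slow, salted hashing scheme on the server and lockout or rate limiting for online guessing.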

Phishing

Phishing is a bold attack that asks the user for their login information. Sometimes they
will send a slightly threatening email that scares the recipient into taking action. Other
times, they will pose as a member of the company IT team and ask for passwords. This
type of password attack can be difficult to identify before it is too late.

Credential Stuffing

When a data breach has occurred and hackers have a hold of login information, they use
this data to try to log into other accounts. Many people use the same user name and
password for multiple accounts and hackers use this to their advantage, typically with
automated tools that replay the stolen credentials against many sites. In this way, one
data breach can lead to many more and other accounts can be compromised.

Keylogger Attack

By installing a program on a user’s device, hackers can actually track and log keystrokes.
This allows them to easily see exactly what passwords are being used. The program is
often sent through a phishing email with a malware download.

8.5 Use of Wireshark

Wireshark is the world’s foremost and widely-used network protocol analyzer. It lets
you see what’s happening on your network at a microscopic level and is the de facto (and
often de jure) standard across many commercial and non-profit enterprises, government
agencies, and educational institutions.

8.6 Spoofing of mac addresses, internet protocol (IP) addresses and emails

MAC spoofing
Every network interface possesses a unique physical identification number: the Media
Access Control address, or MAC for short. This burned-in address (BIA) is written to the
hardware by the manufacturer and cannot be rewritten by the user. But it is possible to
mask it on the software side, because the operating system, not the hardware, decides
which address is placed in the frames it sends. This masking is what's referred to as MAC
spoofing.

• MAC addresses: distinct hardware addresses identify network interface
controllers (NIC) such as LAN cards or WLAN adapters, and are used to identify
devices in local networks. Every MAC address consists of 48 bits, or 6 bytes, and is
written in the following pattern: 00:81:41:fe:ad:7e. The first 24 bits are the
manufacturer code (the Organizationally Unique Identifier, OUI) assigned by the Institute
of Electrical and Electronics Engineers (IEEE), and the following 24 bits are the device
number defined by the manufacturer.

• Spoofing: in network terminology, spoofing refers to the various methods which can be
used to manipulate the fundamental address systems of computer networks. Attackers use
this method to conceal their own identity and imitate another device. Other than MAC
addresses, popular targets for spoofing attacks are internet protocol (IP) addresses, the
domain name system (DNS), and address resolution via the Address Resolution Protocol
(ARP). Address spoofing has some legitimate uses, such as network testing and the MAC
address randomization modern phones use for privacy, but in most cases it is used for the
infiltration of other people's systems and for illegal network activities.
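An added Python example (not from the original module) of what an examiner can read out of a MAC address and how MAC spoofing shows up in access-point or switch logs: the address is split into its 24-bit manufacturer code and 24-bit device number, the manufacturer is looked up in a three-entry table copied from the public IEEE registry for illustration, the "locally administered" bit that marks a software-assigned address is checked, and a constructed log extract is scanned for one MAC appearing on two different access points at the same time.

```python
import re
from collections import defaultdict

MAC_RE = re.compile(r"^([0-9a-f]{2})[:\-]([0-9a-f]{2})[:\-]([0-9a-f]{2})[:\-]"
                    r"([0-9a-f]{2})[:\-]([0-9a-f]{2})[:\-]([0-9a-f]{2})$", re.I)

# Three entries from the public IEEE OUI registry, for illustration only; a real
# lookup loads the full registry file.
OUI_TABLE = {
    "00:50:56": "VMware, Inc.",
    "00:0c:29": "VMware, Inc.",
    "b8:27:eb": "Raspberry Pi Foundation",
}


def parse_mac(mac: str) -> dict:
    """Split a 48-bit MAC into its fields and decode the flag bits of the first octet."""
    m = MAC_RE.match(mac.strip())
    if not m:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    octets = [int(x, 16) for x in m.groups()]
    oui = ":".join("%02x" % o for o in octets[:3])
    first = octets[0]
    return {
        "normalized": ":".join("%02x" % o for o in octets),
        "oui": oui,                                             # first 24 bits
        "device_id": ":".join("%02x" % o for o in octets[3:]),  # last 24 bits
        "vendor": OUI_TABLE.get(oui),
        # Bit 1 of the first octet set means "locally administered": the address was
        # assigned by software (spoofed or randomised) rather than burned in.
        "locally_administered": bool(first & 0x02),
        # Bit 0 set means a multicast/broadcast destination, never a real source.
        "multicast": bool(first & 0x01),
    }


def duplicate_macs(observations: list) -> dict:
    """Given (timestamp, mac, port_or_ap) records from switch or AP logs, return the
    MACs that were seen on more than one port: a classic sign of MAC spoofing."""
    ports = defaultdict(set)
    for _timestamp, mac, port in observations:
        ports[parse_mac(mac)["normalized"]].add(port)
    return {mac: sorted(p) for mac, p in ports.items() if len(p) > 1}


# Constructed log extract for the demonstration.
OBSERVATIONS = [
    ("10:00:01", "00:50:56:aa:bb:cc", "ap-lobby"),
    ("10:00:05", "B8-27-EB-12-34-56", "ap-lobby"),
    ("10:00:09", "00:50:56:AA:BB:CC", "ap-carpark"),
    ("10:00:12", "02:00:5e:10:00:01", "ap-lobby"),
]

if __name__ == "__main__":
    for _, mac, _ in OBSERVATIONS:
        print(parse_mac(mac))
    print("seen on several access points:", duplicate_macs(OBSERVATIONS))
```

The locally-administered bit is a hint, not proof: current phones and laptops deliberately set it when they randomise their Wi-Fi MAC for privacy. A MAC seen on two ports or access points within seconds, or a vendor code that does not match what the device physically is, is the stronger indicator.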

Internet protocol address

IP address stands for internet protocol address; it is an identifying number that is
associated with a specific computer or computer network. When connected to the
internet, the IP address allows the computer to send and receive information.

• An internet protocol (IP) address allows computers to send and receive information.
• There are four types of IP addresses: public, private, static, and dynamic.
• An IP address allows information to be sent and received by the correct parties, which
means it can also be used to track down the network a user connected from. Public
registries (WHOIS) show which organization or internet service provider an address is
assigned to, and the provider's own records, usually obtained through legal process, can
link an address and a timestamp to a subscriber; geolocation databases give only an
approximate physical location.

E-mail

Short for electronic mail, e-mail or email is information stored on a computer that is
exchanged between two users over telecommunications. More plainly, e-mail is a
message that may contain text, files, images, or other attachments sent through a network
to a specified individual or group of individuals.

Email Frauds

1. Hacking of the E-mail account:-

The email account of the victim is hacked by using various tools to capture the password
of the account. This can be achieved by:

• Sending phishing emails purporting to come from the email service provider. The email
contains links that prompt you to visit a page to update your password and other
credentials on the pretext of some system update, data loss, technology upgrade,
regulatory compliance, etc. The links direct you to a fake page where, once you enter
your login ID and password, they are quietly captured by the fraudsters.

• Sending you unsolicited/spam mails containing attachments that have malware embedded
in them. Once such emails are opened and the attachments activated, the malware is
discreetly downloaded and installed on your device. The malware could be a keylogger that
captures and sends all the keyboard taps to the fraudsters, including your account
passwords. Other possible malware captures screenshots or reads and transmits saved
passwords.

• Email accounts protected by two-factor authentication can also be hacked when users
are tricked by social engineering into sharing their one-time password (OTP) with the
fraudsters.

2. Once an email account has been hacked the criminal can misuse the account for the
following purposes:-

• Sending SOS mails to all your contacts asking for money, citing some emergency such as
a passport or wallet being stolen in a foreign country.

• Sending offensive messages to your friends and relatives, or demanding a ransom for not
sending such messages.

• Sending mails to your clients and customers asking for payment of dues/remittances into
a different bank account, thus diverting your money to the fraudster.

• Using the unauthorized access to your email to gain access to your other online
accounts, such as other email accounts, net-banking accounts, social media accounts, etc.,
typically by triggering their "forgot password" reset emails.

Preventive Measures

1. Use two-factor authentication. Two-factor authentication requires you to enter a code
sent to you in a text message or generated by an authenticator app to access your account
after you enter your user name and password. This makes it more difficult for a hacker to
access your information, even if they are able to crack your password.

2. Do not open SPAM mails or e-mails sent from unknown senders. Do not click on any
link sent in such mails.
3. Be cautious when opening links sent in unsolicited e-mails even if they are sent from
someone in your contact list. That contact's email account may itself have been
compromised and then used to send malicious code to unsuspecting contacts.

4. Do not click on attractive and tempting links sent over a WhatsApp message or routine
SMS. They may lead you to malicious pages and cause malware intrusion on your
system/device. Hackers use social engineering to trick you in clicking the links. Don’t
fall for it.

5. Keep your e-mail password long and hard to guess. A password should have at least 8
characters, preferably many more, and contain a mix of upper-case and lower-case letters,
numerals and special characters; do not reuse it on any other site.

6. Don’t store your passwords in your device. Anyone getting access to your device will
easily get to know your passwords.

7. Don't disclose your password to anyone, and change it promptly if you suspect it has
been exposed.

8. Always have a lock screen on your smartphone, tablet, laptop, etc. protected by a PIN
or password. Do not leave your device unlocked and unattended even for a minute,
especially in public places and at your workplace.
8.7 Web address masking/URL masking

URL masking, also known as cloaked URL forwarding or link cloaking, uses your domain
name for your website in a different way. In this case, the domain points to a page
containing a frame, and your website is shown inside that frame. No matter which page you
click on your website, the URL in the address bar stays the same. Your URL is cloaking or
masking the real address of your website, which is the server on which the pages are
hosted.

For example, if your URL is www.MyWebsite.com, and a user clicks away from your
homepage to another page (such as your contact page), this does not change in your
address bar. On a website with a properly hosted domain, the URL in your address bar
would change with each page visited. So the contact page on your website would show as
www.MyWebsite.com/contact/. Cloaked URLs are common with free web hosts, which
let users build a site and select domains that are only pointed to pages with the frames
mentioned above.

The dangers of URL masking: for site owners and site users

First, site visitors are not able to see the direct addresses of the pages that they are visiting
on a webpage, which means they are not able to bookmark or share specific sections of a
website.
If you have content that you would like your users to share and link back to, they are
unable to because they do not have the actual URL for each page of your website.

Cloaked URLs also have negative effects on a website's search engine rankings.
Because websites with masked URLs are hosted on servers with entirely different
addresses, search engines will crawl them at those addresses, rather than at the domain
that website owners or managers want them to be crawled on.

Search engines also penalize websites with cloaked URLs because they are flagged for
duplicate content: if two different addresses serve exactly the same content, Google
treats it as duplicate content and ranks the site down.

From a security standpoint, URL masking can be used to create malicious websites that
hide their real addresses from users for nefarious purposes such as phishing or malware
deployment: the address bar shows a harmless-looking domain while the framed content comes
from the attacker's server. Even if a website owner has good intentions for using URL
masking, the technique can break the site in other ways. It is also used for a practice
called clickjacking, in which an invisible or disguised frame is placed over the page so
that users are tricked into performing actions such as adding likes on social media sites
or clicking on ads, none of which the user intended to do.

8.8 Networks scanning and sniffing

Network Scanning

"Network scanning" is the process of determining all the active devices on a network.
Active scanning is when the tool sends a probe (an ICMP ping, an ARP request or a TCP
connection attempt) to each address on the network and awaits a response. The scanner
then looks at the responses it gets to identify live hosts, open ports and services, and
any inconsistencies or vulnerabilities.

Network scanning can also refer to packet sniffing, or passive scanning, which captures
and tracks the traffic moving over the network in the form of data packets, without
sending anything itself.

This approach picks up a device or system as soon as it appears and starts sending
messages on the network.

UNIT 9: Mobile Forensics

Mobile device forensics is the science of recovering digital evidence from a mobile
device under forensically sound conditions using accepted methods. Mobile device
forensics is an evolving specialty in the field of digital forensics and there are stages
which need to be followed when conducting mobile forensics.

Stages of mobile forensics

Stage 1: Device Seizure

This stage pertains to the physical seizure of the device so that it comes under the
management and custody of the investigator/examiner. Consideration should also be
given to the legal authority or written consent to seize, extract, and search
this information. The physical condition of the device at the time of seizure ought to be
noted, ideally through digital photographic documentation and written notes, such as:

• Is the device damaged? If yes, document the type of damage.
• Is the device switched on or off at the time of seizure?
• What is the date and time on the device, if the device is on?
• If the device is on, what apps are running in the background on the device?
• If the device is on, is the device screen accessible to check for passcode and
security settings?

Seizing, handling, storing, and extracting mobile devices should follow a special route
compared to desktop and even laptop computers

Faraday bags: storage tool for mobile forensics

• Faraday bags are used to temporarily store seized devices, isolated from all radio
networks, without powering them down.

Keeping the device powered on

When handling a seized device, it is essential to prevent the device from powering off.
Never power off an operating device. Since mobile devices consume power even while
the display is off, the standard practice is to attach the device to a charger and place
it into a wireless-blocking Faraday bag. This stops the mobile device from shutting down
after reaching a low-power state, and stops any remote wipe or lock command from reaching
it.

[Figure: a modern Faraday bag equipped with a charging port]

This procedure is very important because significantly more information can be extracted
from a device that was used or unlocked at least once since its last boot than from a
device that is booted up in your laboratory and for which you do not know the passcode.
To illustrate the potential outcome, let's say you seized an iPhone locked with an unknown
passcode. The iPhone happens to be jailbroken, so you can attempt to use Elcomsoft iOS
Forensic Toolkit to extract data.

If the device is locked and you don't know the passcode, you will have access to a
very limited set of data:

• Recent geolocation information: Since the location database remains encrypted,
it is only possible to extract limited location data. This limited location data is only
accessible if the device was unlocked a minimum of once after the boot has
completed. As a result, if you keep the device powered on, you will be able to pull recent
geolocation history from this device. If, however, the device shuts down and is
only powered on in the laboratory, the geolocation information will stay
inaccessible until the device is unlocked.
• Incoming calls and text messages: Incoming text messages are temporarily
held unencrypted before the first unlock after a cold boot. Once the device is
unlocked for the first time after the cold boot, the messages are transferred into the
main encrypted database. This implies that acquiring a device that was never
unlocked after a cold start only permits access to text messages received by the
device during the time it remained locked after the boot.

If the iPhone being acquired was unlocked a minimum of once after it had been booted
(for example, if the device was seized in a turned-on state), you will be able to access
significantly more data:

• Text messages: the SMS database is decrypted on first unlock, permitting you to pull
all text messages and not just those that were received while the device remained locked.
• App and system logs (installs and updates, internet access logs, and so on).
• SQLite temporary files, as well as write-ahead logs (WAL). These WAL files might
include messages received by applications like Skype, Viber, Facebook Messenger, and so
on. Once the device is unlocked, the data is merged into the corresponding apps' main
databases. When extracting a device after a cold boot, you may only have access to
notifications received after the boot. If, however, you are extracting a device that was
unlocked a minimum of once after booting up, you will be able to extract all messages.

Stage 2 Data Acquisition

This stage refers to various methods of extracting information from the device. The ways
of data extraction that may be used are influenced by the following:

Type of mobile device: The make, model, hardware, software, and vendor configuration.

Availability of a varied set of hardware and software extraction/analysis tools at the
examiner's disposal: there is no tool that does it all; an examiner has to have access
to a variety of tools which will assist with data extraction.

Physical state of the device: Has the device been exposed to damage, such as physical
damage, water, or biological fluids like blood? Usually the type of damage will dictate
the data extraction measures employed on the device.

There are many different kinds of data extraction, and they determine how much data is
obtained from the device:

• Physical: A bit-for-bit binary image of the device's storage has the greatest
potential to recover deleted data and obtains the largest quantity of information from
the device. This can be the most challenging type of extraction to obtain.
• File system: This is a representation of the files and folders from the user area of
the device, and might contain deleted information specific to databases. This
technique will contain less information than a physical data extraction.
• Logical: This acquires the least amount of data from the device. Examples of this
are call history, messages, contacts, pictures, movies, audio files, and so on. This
is referred to as low-hanging fruit. No deleted data or source files are obtained.
Often the resulting output is a series of reports created by the extraction tool.
This is usually the simplest and fastest type of extraction.
• Photographic documentation: This method is usually used when all other data
extraction methods are exhausted. In this procedure, the examiner uses a
digital camera to photographically document the content being displayed by the
device. This is a lengthy method when there is an extensive quantity of information to
photograph.

Stage 3 – Data analysis

This stage of mobile device forensics entails analysis of the acquired information from
the device and its components (SIM card and memory card if present). Most mobile
forensic acquisition tools that acquire the information from the device memory can also
analyze the extracted data and provide the examiner with functionality inside the tool to
perform analysis. This entails review of any non-deleted and deleted data. When
reviewing non-deleted data, it is prudent to additionally perform a manual review
of the device to make sure that the extracted and parsed data matches what is displayed
by the device. As mobile device storage capacities have grown, it is accepted that only a
sample of data records from the relevant areas can be reviewed this way. So, as an
example, if a mobile device has over 200 call records, a selection of missed, incoming
and outgoing calls can be checked on the device against the corresponding records in the
extracted data.

9.1 Recovery of evidence from mobile phones

9.2 Data recovery

9.3 System imaging

A system image is a file or set of files that contains everything on a PC’s hard drive, or
just from one single partition. A system imaging program looks at the hard drive, copying
everything bit by bit. You then have a complete system image you can copy back onto a
drive to restore the system state.
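As an added Python example (not part of the original module) of the imaging step as a forensic examiner performs it: the source is read once, byte for byte, and hashed while it is copied; the finished image and the untouched source are then hashed again and all three values must agree before the image is accepted as evidence. The "drive" is a constructed 256 KiB file in a temporary directory, and the last step deliberately flips one byte of the image to show that verification catches it.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024


def sha256_file(path: str) -> str:
    """SHA-256 of a file read in chunks, so it also works for multi-gigabyte images."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source: str, dest: str) -> str:
    """Copy every byte of source to dest; return the hash of exactly what was read."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    return h.hexdigest()


def acquire_and_verify(source: str, dest: str) -> dict:
    """Image the source and prove the image matches it and the source is unchanged."""
    acquisition_hash = image_device(source, dest)
    image_hash = sha256_file(dest)      # re-read the image from disk
    source_hash = sha256_file(source)   # re-read the source: it must be unchanged
    return {
        "acquisition_hash": acquisition_hash,
        "image_hash": image_hash,
        "source_hash": source_hash,
        "size": os.path.getsize(dest),
        "verified": acquisition_hash == image_hash == source_hash,
    }


def demo() -> dict:
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "evidence.bin")
        image = os.path.join(workdir, "evidence.dd")
        # Constructed 256 KiB "drive" with a recognisable repeating byte pattern.
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 1024)
        result = acquire_and_verify(source, image)
        # Flip one byte of the image: a later verification must now fail.
        with open(image, "r+b") as f:
            f.seek(1000)          # this offset holds 1000 % 256 = 0xe8, not 0xff
            f.write(b"\xff")
        result["tamper_detected"] = sha256_file(image) != result["acquisition_hash"]
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The hash recorded at acquisition is what ties the image to the original in the chain of custody, and it is recomputed before every later examination. The original should only ever be read through a hardware write-blocker: opening it read-only, as here, is not enough on its own, because some operating systems mount and write to a newly attached drive automatically.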

9.4 Data analysis
9.5 Preservation of digital evidence
The preservation process involves making a copy of the acquired evidence on which the
forensic tests and examinations are performed. This practice ensures there is always an
original copy of the data that has not been tampered with or mishandled. The following
should be taken into consideration to prevent loss of data before the device is brought to
the forensic experts. Time is highly important in preserving digital evidence.

1. Do not change the current state of the device: If the device is OFF, it must be
kept OFF, and if the device is ON, it must be kept ON. Call a forensics expert before
doing anything.
2. Power down the device: In the case of mobile phones, if it is not charged, do
not charge it. If the mobile phone is ON, power it down to prevent any data
wiping or data overwriting due to automatic booting.
3. Do not leave the device in an open area or unsecured place: Ensure that the
device is not left unattended in an open or unsecured area. You need to
document things such as where the device is, who has access to the device, and when it
is moved.
4. Do not plug any external storage media into the device: Memory cards, USB
thumb drives, or any other storage media that you might have should not be
plugged into the device.
5. Do not copy anything to or from the device: Copying anything to or from the
device will cause changes in the slack space of the memory.
6. Take a picture of the piece of evidence: Ensure that you photograph the
evidence from all sides. If it is a mobile phone, capture pictures from all
sides, to show that the device has not been tampered with before the forensic experts arrive.
7. Make sure you know the PIN, password or pattern of the device: It is very
important for you to know the login credentials of the device and share them with the
forensic experts, so that they can carry out their job seamlessly.
8. Do not open anything like pictures, applications, or files on the
device: Opening any application, file, or picture on the device may cause loss of
data or memory being overwritten.
9. Do not trust anyone without forensics training: Only a certified forensics
expert should be allowed to investigate or view the files on the original device.
Untrained persons may cause the deletion of data or the corruption of important
information.
10. Make sure you do not shut down the computer; if required, hibernate
it: Digital evidence can be extracted from both the disk drives and the
volatile memory. Hibernation mode will preserve the contents of the volatile
memory until the next system boot.
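The following is an added example, not part of this module, that shows in Python what sections 9.3 and 9.5 describe: a bit-for-bit copy of a source, a hash of the original and of the image to prove they are identical, and a re-verification step that catches any later change to the working copy. The "device" is a constructed file created in a temporary directory, not a real drive, and the file names are assumptions.

```python
"""Bit-for-bit imaging of a source with hash verification.

Added example (not from the training module). The "device" imaged here
is a constructed file; on a real acquisition the source would be a
block device opened through a write blocker.
"""
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # copy in 64 KiB blocks so a large source never has to fit in RAM


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_source(source: str, image: str) -> dict:
    """Copy source to image byte for byte, then verify that both hashes match.

    The source is only ever opened read-only. The image hash is written to a
    sidecar file, as imaging tools do, so it can be re-checked later.
    """
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    source_hash = sha256_file(source)
    image_hash = sha256_file(image)
    with open(image + ".sha256", "w") as rec:
        rec.write(f"{image_hash}  {os.path.basename(image)}\n")
    return {"source_sha256": source_hash, "image_sha256": image_hash,
            "verified": source_hash == image_hash}


def verify_image(image: str) -> bool:
    """Re-hash the image and compare with the recorded digest.

    Run before every examination of a working copy: False means the copy
    no longer matches what was acquired and must not be relied on.
    """
    with open(image + ".sha256") as rec:
        recorded = rec.read().split()[0]
    return sha256_file(image) == recorded


def demo() -> dict:
    """Image a constructed 'device', verify it, then flip one byte of the
    working copy to show that verify_image() detects the change."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "device.bin")   # constructed stand-in for a drive
        image = os.path.join(tmp, "device.dd")     # assumed image file name
        # Constructed content: 3 MiB of patterned bytes, larger than one CHUNK.
        with open(device, "wb") as f:
            for i in range(48):
                f.write(bytes([i % 256]) * (64 * 1024))
        result = image_source(device, image)
        intact_before = verify_image(image)
        # Simulate mishandling of the working copy: one byte changes.
        with open(image, "r+b") as f:
            f.seek(12345)
            original = f.read(1)
            f.seek(12345)
            f.write(bytes([original[0] ^ 0xFF]))
        return {**result, "intact_before": intact_before,
                "tamper_detected": not verify_image(image),
                "size": os.path.getsize(image)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The source is hashed after the copy rather than before so that a read error during imaging would show up as a mismatch; the sidecar `.sha256` file is what the examiner's report cites and what `verify_image()` checks each time the copy is examined.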

Planning to share with the police officer


For the evidence to be professionally acquired by forensic investigators, the device is
either seized or a forensic copy is created at the "crime" scene. Key points to
remember to speed up the process of preserving digital evidence and ease the
process for the authorities:
• Prepare yourself to share your authentication codes, such as screen patterns and
passwords.
• You may also need to share the device manuals, chargers and cables.
• The device's interactions with the Internet can also be analyzed to build a complete
and accurate picture of overall activity.
• Have ownership of the device that you plan to submit to the police. If you
do not have the authority, or you are not voluntarily submitting the device, the
police may need to seize the device under their lawful powers.
• It is easier to share external memory storage with the police than your device,
instead of giving your phone away every time, so it is recommended that you have
an external memory card configured for your phone.
• Regularly back up your phone data and retain copies of these backups for
future use. These will help you restore another handset, or your phone, if needed at
a later date, and can also help to log a trail of incidents.

UNIT 10: Live Forensic Investigation

10.1 Definition of live forensics



• Live, or memory-based, forensics is forensic activity performed on a running
system.
• The prevalence of encryption can mean that files are only readable while the
system is running.
• The use of network data sources can mean that only the running system has access
to the data you want to capture.
• Some data is only stored in memory, and never saved to files on the storage
devices, so it must be captured from memory while the system is live.

10.2 Recovery of evidence from a computer system and network

With the understanding that computer systems and networks contain potential
evidence that could be destroyed if traditional computer evidence collection
methods are employed, investigators can use the following basic steps when
collecting volatile evidence:
1. Maintain a log of all actions conducted on a running machine.
2. Photograph the screen of the running system to document its state.
3. Identify the operating system running on the suspect machine.
4. Note date and time, if shown on screen, and record with the current actual time.
5. Dump the RAM from the system to a removable storage device.
6. Check the system for the use of whole disk or file encryption.
7. Collect other volatile operating system data and save to a removable storage
device.
8. Determine evidence seizure method (of hardware and any additional artifacts
on the hard drive that may be determined to be of evidentiary value).
9. Complete a full report documenting all steps and actions taken.
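As an added example, not part of this module, the script below automates the record-keeping side of steps 1, 3, 4, 7 and 9 above: every command run on the live machine is logged with a UTC timestamp and the examiner's name, its output is saved to the collection directory and hashed, and the log is written out for the final report. RAM dumping (step 5) needs a dedicated tool and is not reproduced. The commands in `demo_collection()` are constructed stand-ins (the Python interpreter printing fake listings), and the examiner name is a placeholder; a real collection would call the operating system's own tools.

```python
"""Logged collection of volatile data from a running system.

Added example (not from the training module). Each action on the live
machine is recorded with time, operator, exit status and the SHA-256 of
the saved output, so the report can show exactly what was run and that
the saved output is unchanged.
"""
import hashlib
import json
import os
import platform
import subprocess
import sys
import tempfile
from datetime import datetime, timezone


def identify_os() -> dict:
    """Step 3: record the operating system of the machine being examined."""
    return {"system": platform.system(), "release": platform.release(),
            "machine": platform.machine()}


def _now() -> str:
    """Step 4: always record the examiner's clock, in UTC, with the action."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def collect_volatile(commands: dict, outdir: str, examiner: str) -> list:
    """Run each named command, save its output, hash it, and log the action.

    `commands` maps an artifact name to the argv list that produces it.
    Returns the log entries; they are also written to outdir/actions.json.
    """
    os.makedirs(outdir, exist_ok=True)
    log = [{"time": _now(), "examiner": examiner,
            "action": "collection started", "os": identify_os()}]
    for name, argv in commands.items():
        started = _now()
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=60)
            output, status = proc.stdout + proc.stderr, proc.returncode
        except (OSError, subprocess.TimeoutExpired) as exc:
            # A missing or hung tool is still an action taken: log it, do not hide it.
            output, status = str(exc).encode(), None
        path = os.path.join(outdir, name + ".txt")
        with open(path, "wb") as f:
            f.write(output)
        log.append({"time": started, "examiner": examiner,
                    "action": "ran " + " ".join(argv),
                    "artifact": os.path.basename(path),
                    "exit_status": status,
                    "sha256": hashlib.sha256(output).hexdigest()})
    log.append({"time": _now(), "examiner": examiner, "action": "collection finished"})
    with open(os.path.join(outdir, "actions.json"), "w") as f:
        json.dump(log, f, indent=2)
    return log


def demo_collection() -> list:
    """Run the collector with harmless constructed commands."""
    py = sys.executable
    commands = {
        # Constructed stand-ins for a process listing and a socket listing.
        "process_list": [py, "-c", "print('PID  CMD\\n1    init')"],
        "network_connections": [py, "-c", "print('tcp 0.0.0.0:22 LISTEN')"],
        # Deliberately absent tool: shows that failures are logged too.
        "missing_tool": ["no-such-forensic-tool-xyz"],
    }
    with tempfile.TemporaryDirectory() as tmp:
        return collect_volatile(commands, tmp, examiner="EXAMINER-NAME (placeholder)")


if __name__ == "__main__":
    print(json.dumps(demo_collection(), indent=2))
```

The output directory should be the removable storage device mentioned in step 7, not the suspect machine's disk, so that nothing the collector writes lands on the evidence.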



10.3 Tools used in the recovery of evidence.

Autopsy

Autopsy is a GUI-based open source digital forensic program to analyze hard drives and
smartphones efficiently. Autopsy is used by thousands of users worldwide to investigate
what happened on a computer.

It is widely used by corporate examiners and the military for investigations, and some of its
features are:

• Email analysis
• File type detection
• Media playback
• Registry analysis
• Photo recovery from memory cards
• Extraction of geolocation and camera information from JPEG files
• Extraction of web activity from a browser
• Display of system events in a graphical interface
• Timeline analysis
• Extraction of data from Android: SMS, call logs, contacts, etc.

It has extensive reporting and can generate reports in HTML and XLS file formats.

Encrypted Disk Detector

Encrypted Disk Detector can be helpful to check encrypted physical drives. It supports
TrueCrypt, PGP, BitLocker, Safeboot encrypted volumes.

Wireshark

Wireshark is a network capture and analysis tool for seeing what is happening in your
network. Wireshark is handy for investigating network-related incidents.

Magnet RAM Capture

You can use Magnet RAM Capture to capture the physical memory of a computer and
analyze artifacts in memory.

Network Miner

Network Miner is a network forensic analyzer for Windows, Linux and Mac OS X that detects
operating systems, hostnames, sessions, and open ports through packet sniffing or from a PCAP
file. Network Miner presents the extracted artifacts in an intuitive user interface.



NMAP

NMAP (Network Mapper) is one of the most popular network discovery and security auditing
tools. NMAP is supported on most operating systems, including Windows, Linux,
Solaris, Mac OS, HP-UX, etc. It is open source and therefore free.

RAM Capturer

RAM Capturer by Belkasoft is a free tool to dump the data from a computer's volatile
memory. It is compatible with Windows. Memory dumps may contain the passwords of
encrypted volumes and login credentials for webmail and social network services.

Forensic Investigator

If you are using Splunk, then Forensic Investigator will be a convenient tool. It is a
Splunk app and has many tools combined:

• WHOIS/GeoIP lookup
• Ping
• Port scanner
• Banner grabber
• URL decoder/parser
• XOR/HEX/Base64 converter
• SMB Share/NetBIOS viewer
• VirusTotal lookup



10.4 Internet Protocol address tracking systems

An IP tracking system identifies users, collects online details and records IP numbers; the
enriched tracker data can be viewed, downloaded and processed. A tracker records each
unique user and traces their IP address, and an IP tracer is used to identify where an IP
address originates from.

Details about an IP address include:

• Referrer, exit page and search term
• Browser name and version
• Platform and device
• Country, region and city
• GPS longitude and latitude
• Time zone and language
• ISP, provider or carrier
• Company and organization
• Area, postal or ZIP code
• IP address and connection type
• Display size and orientation
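The block below is an added example, not part of this module, showing the step that comes before any IP tracker or geolocation lookup: pulling the client address out of web-server log lines, recovering the original client from an X-Forwarded-For field when the direct peer is our own proxy, and deciding whether the address can be traced at all, since loopback, private and other non-routable ranges identify a NAT gateway, proxy or the server itself rather than a subscriber. The log lines and the geolocation table are constructed samples; RFC 5737 documentation ranges (203.0.113.x, 198.51.100.x) stand in for public addresses, and a real investigation would query WHOIS, the ISP or a commercial geo-IP database instead of `GEO_TABLE`.

```python
"""Extracting and classifying client IP addresses from web-server logs.

Added example (not from the training module). The sample log lines and
the geolocation table are constructed; documentation IP ranges stand in
for public addresses. IPv4 only.
"""
import ipaddress
import re
from typing import Optional

# Constructed access log lines: Apache combined format with a trailing
# X-Forwarded-For field, as a reverse proxy might add.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Mar/2024:10:15:32 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "203.0.113.77"
198.51.100.23 - - [03/Mar/2024:10:16:01 +0000] "POST /transfer HTTP/1.1" 302 0 "https://bank.example/login" "Mozilla/5.0" "-"
127.0.0.1 - - [03/Mar/2024:10:16:05 +0000] "GET /health HTTP/1.1" 200 2 "-" "curl/8.0" "-"
"""

# Constructed geolocation table keyed by prefix (stand-in for a geo-IP database).
GEO_TABLE = {
    "203.0.113.0/24": {"country": "ZW", "city": "Harare", "isp": "Example ISP A"},
    "198.51.100.0/24": {"country": "ZA", "city": "Johannesburg", "isp": "Example ISP B"},
}

# IPv4 ranges that never identify an end user on the Internet.
NON_TRACEABLE = {
    "loopback (the server itself)": ["127.0.0.0/8"],
    "private (behind NAT or proxy)": ["10.0.0.0/8", "172.16.0.0/12",
                                      "192.168.0.0/16", "100.64.0.0/10"],
    "link-local or unspecified": ["169.254.0.0/16", "0.0.0.0/8"],
    "multicast or reserved": ["224.0.0.0/4", "240.0.0.0/4"],
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"(?: "(?P<xff>[^"]*)")?$'
)


def classify(ip: str) -> str:
    """Say whether an address can be traced to a subscriber, or why not."""
    addr = ipaddress.ip_address(ip)
    for label, nets in NON_TRACEABLE.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return label
    return "traceable"


def effective_client(peer: str, xff: Optional[str]) -> str:
    """Return the address worth investigating.

    When the direct peer is non-traceable (our own proxy) and supplied an
    X-Forwarded-For, the first entry is the original client. XFF is set by
    whoever sends the request, so it is only trusted behind a proxy we run.
    """
    if classify(peer) != "traceable" and xff and xff != "-":
        return xff.split(",")[0].strip()
    return peer


def geolocate(ip: str) -> Optional[dict]:
    """Look the address up in the constructed table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    for prefix, info in GEO_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return info
    return None


def analyse_log(text: str) -> list:
    """Parse each line into the details an IP tracker report would carry."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable lines are skipped, never guessed at
        client = effective_client(m["ip"], m["xff"])
        kind = classify(client)
        records.append({"peer": m["ip"], "client": client, "class": kind,
                        "time": m["time"], "request": m["request"],
                        "referrer": m["referrer"], "agent": m["agent"],
                        "geo": geolocate(client) if kind == "traceable" else None})
    return records


if __name__ == "__main__":
    for rec in analyse_log(SAMPLE_LOG):
        print(rec)
```

Only the first record's peer is a proxy, so only there is the X-Forwarded-For value used; the health check from 127.0.0.1 is classified as loopback and gets no lookup at all, which is the kind of record that an IP tracker would otherwise report as a "visitor".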

10.5 Email tracking

Email tracking means monitoring opens and clicks of emails to follow up with
leads, job applicants, and partners. On the other hand, it may be referred to as
checking the metrics of your email marketing campaigns to improve their quality
and efficiency.

Examples of email tracking tools

• Snov.io
• Mail Track
• Orange box



Example for email tracking

10.6 Email analysis

Email analysis is performed with digital forensic programs built and designed to examine email
messages from both web-based and desktop-application-based email clients.

An example of email analysis
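The following is an added example, not from this module, that covers both 10.5 and 10.6 on one message: it walks the Received: chain from the originating host to the final mailbox, flags a visible From: address whose domain differs from the envelope Return-Path: (a common sign of a spoofed sender), and finds the remote 1x1 images in the HTML body that are the mechanism "email tracking" uses to report an open. The raw message, its hosts and addresses are constructed from documentation names.

```python
"""Email header analysis and tracking-pixel detection.

Added example (not from the training module). RAW_MESSAGE is a
constructed message; hosts and addresses use documentation names.
"""
import email
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

RAW_MESSAGE = b"""\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.org (mx.example.org [198.51.100.10])
 by mailbox.example.org with ESMTP id q9c; Mon, 04 Mar 2024 08:02:11 +0000
Received: from mailer.example.net (mailer.example.net [203.0.113.25])
 by mx.example.org with ESMTPS id k1z; Mon, 04 Mar 2024 08:02:09 +0000
Received: from [192.168.1.20] (unknown [192.168.1.20])
 by mailer.example.net with ESMTPA id a7f; Mon, 04 Mar 2024 08:02:05 +0000
From: "Bank Support" <support@bank.example>
To: victim@example.org
Subject: Your account
Message-ID: <20240304080205.a7f@mailer.example.net>
Date: Mon, 04 Mar 2024 08:02:05 +0000
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review your account.</p>
<img src="https://track.mailer.example.net/open?id=7b1" width="1" height="1">
<img src="https://bank.example/logo.png" width="120" height="40">
</body></html>
"""

RECEIVED_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.S)
IMG_RE = re.compile(r"<img\b[^>]*>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def received_chain(msg) -> list:
    """Return hops oldest-first.

    Each server prepends its own Received: header, so the order in the
    message is newest-first; reversing it gives the path the mail took.
    """
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(str(hdr).split())
        m = RECEIVED_RE.search(text)
        when = text.rsplit(";", 1)[1].strip() if ";" in text else ""
        hops.append({"from": m["from"] if m else "?",
                     "by": m["by"] if m else "?",
                     "time": parsedate_to_datetime(when) if when else None})
    return hops


def sender_mismatch(msg) -> bool:
    """True when the From: domain differs from the Return-Path: domain."""
    from_dom = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    return bool(from_dom and rp_dom) and from_dom != rp_dom


def tracking_images(html: str) -> list:
    """Remote images sized 1x1 or smaller are treated as tracking pixels."""
    found = []
    for tag in IMG_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        src = attrs.get("src", "")
        try:
            w, h = int(attrs.get("width", 0)), int(attrs.get("height", 0))
        except ValueError:
            w, h = 0, 0
        if src.startswith("http") and 0 < w <= 1 and 0 < h <= 1:
            found.append(src)
    return found


def analyse(raw: bytes) -> dict:
    """Parse a raw message and return the points an examiner reports on."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    hops = received_chain(msg)
    return {"message_id": str(msg.get("Message-ID", "")),
            "hops": hops,
            "origin": hops[0]["from"] if hops else None,
            "sender_mismatch": sender_mismatch(msg),
            "tracking_pixels": tracking_images(html)}


if __name__ == "__main__":
    for key, value in analyse(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

The oldest hop shows the message was submitted from a private address behind the mailer, which is why the chain is read from the bottom up: only the server-added hops closest to the recipient can be trusted, and anything below the first trusted hop can have been written by the sender.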



10.7 Social media
Social media needs no introduction. It has taken over the world and our lives like
an insidious wave. It is a wave that has brought the world closer, yet not without
detrimental effects. With abundant personal information available on social media
platforms, they are now a hotbed of crime and malicious activity. But where
there is crime, there is also investigation to bring justice to victims and combat
such occurrences in the future. This section presents some common social media crimes and
the science of social media forensics. Investigators need to know how to
extract social media forensic evidence and how to carry out forensic analysis of social
networking applications on mobile devices.

Types of Social Networking Platforms

Facebook, Instagram, Twitter, Snapchat and WhatsApp are not the only social media
platforms. Social media platforms are classified on the basis of their primary
purpose of use. The following are the different types of social networking platforms.

1. Social Networks

Also sometimes called "relationship networks", social networks enable people and
organizations to connect online for exchanging information and ideas.

Use: To associate with people and brands virtually.

Examples: Facebook, Twitter, WhatsApp, LinkedIn

2. Media Sharing Networks

Media sharing networks enable users and brands to search and share media online. This
includes photos, videos, and live videos.

Use: To search for and share photos, videos, live videos, and other forms of media
online.

Examples: Instagram, Snapchat, YouTube

3. Discussion Forums

One of the oldest types of social media platforms, discussion forums are an excellent
resource for market research. They provide a wide range of information and discussion
on various subjects.

Use: Serves as a platform to search, discuss, and exchange information, news, and
opinions.

Examples: Reddit, Quora, Digg



4. Bookmarking and Content Curation Networks

Such social networking platforms enable people to explore and discuss trending media
and content. These platforms are the epicenter of creativity for those seeking new ideas
and information.

Use: To explore, save, exchange, and discuss new and trending content and media.

Examples: Pinterest, Flipboard

5. Consumer Review Networks

Consumer review networks enable people to express their opinions/experiences about
products, services, brands, places and everything else under the sun!

Use: To search, review, and share opinions/information about brands, restaurants,
products, services, travel destinations, etc.

Examples: Yelp, Zomato, TripAdvisor

6. Blogging and Publishing Networks

Blogging/publishing networks serve as a platform for publishing online content in a way
that facilitates discovery, commenting and sharing. Publishing platforms consist of
traditional blogging platforms such as Blogger and WordPress, microblogging platforms
such as Tumblr, and even interactive platforms such as Medium.

Use: To publish, explore, and comment on content online.

Examples: WordPress, Tumblr, Medium

7. Sharing Economy Networks

Also known as 'collaborative economy networks', these networks enable people to
connect online for advertising, finding, sharing, trading, buying and selling products
and services online.

Use: To find, advertise, share, and trade products and services online.

Examples: Airbnb, Uber, TaskRabbit

8. Anonymous Social Networks

As the name itself states, such social networks enable users to share content
anonymously. Thus, miscreants are increasingly misusing such platforms for
cyberbullying.

Use: To anonymously spy, vent, gossip, and sometimes bully.

Examples: Whisper, Ask.fm, After School

Social Networking Platforms and Social Media Crimes

On the positive side, one may use social media platforms to socialize and communicate
with near and dear ones. However, it is the anonymous and diverse nature of social
networking platforms that miscreants use for unethical activities. Innocent-looking
profiles can often be a masquerade for fraudsters, phishers, child predators, lechers, and
other cyber criminals. In spite of the stringent policies imposed by social media platforms,
there are fake profiles on Facebook. Additionally, the abundance of personal information
available on social networking platforms makes them a favorite of cyber criminals. After
compromising a profile, a hacker can access, manipulate and misuse its information
for various malicious activities. Other unscrupulous activities on such platforms include
stalking, bullying, defamation, circulation of illegal or pornographic material, etc.

Following are some types of social media crimes.

1. Hacking

This happens when you are not able to log into your account because someone has
broken into your account and taken complete control over it. Facebook is the most
hacked social networking site.

Social media hacking usually occurs when:

• One does not log out from the account, especially when using a public computer.
• Passwords are shared with strangers, either unintentionally or as a result of social
engineering.
• Easy-to-predict passwords are used, or the same password is used across multiple platforms.
• The email account used to log in is itself hacked.

2. Photo Morphing

Photo morphing is the use of editing to change an image or shape into another without much
difficulty. Miscreants morph the images of popular figures and upload them on adult
websites, or use them to blackmail the victims for sexual or financial favors.



3. Offer and Shopping Scams

People often fall for offer and shopping scams on social networking
platforms. For example, a miscreant uses a shopping offer to make a user click on a link.
Once clicked, it prompts the user to forward it to 5 people to receive the coupon. However,
the user does not get any coupon, while the cybercriminal gets his/her personal information!

4. Dating Scams

In such scams, the fraudster connects with the victim using a fake name and picture.
Once they befriend the victim, they move to a different platform for further
communication. Once they realize that the victim has fallen for them, they first send small
gifts, and later start demanding emergency monetary help, for example to recharge their phone
so they can keep talking, or for medical reasons and more. At times, fraudsters may also record video calls or
the screen, and later use the recordings to blackmail the victim.

5. Cyberbullying

Cyberbullying is an act that involves sending or publishing obscene messages or
humiliating content online, or issuing threats to commit violent acts. It includes sending
or sharing nasty or false information about another individual for character assassination
and causing humiliation.

Example: Imposters used social media platforms such as Facebook and WhatsApp for
circulating the deadly information.

6. Link Baiting

In such scams, the fraudster sends the victim a link that entices the victim to open it. On
opening, it leads to a fake landing page which prompts the victim to enter his/her account
credentials. This provides the credentials to the cybercriminal, who later uses them for illicit
activities.

Example: The victim gets a message: “Somebody just put up these pictures of you drunk
at this wild party! Check them out here!”
Immediately, the victim clicks on the enclosed link, which leads to his/her Twitter or
Facebook login page. Once the victim enters his/her account details, the cybercriminal
has the password and can take total control of the account.



Social Media Forensics or Social Network Forensics

Social media forensics involves the application of cyber investigation and digital analysis
techniques for:
• Collecting information from social networking platforms such as Facebook,
Twitter, LinkedIn, etc.;
• Storing it;
• Analyzing it; and
• Preserving the information for fighting a case in a court of law.

Social media forensics is basically about locating the source of electronic evidence. This
is accompanied by collecting it without altering it, while complying with all laws.

Evidence Collection in Social Media Forensics

The simplest method of evidence collection in social media forensics is manual
collection. It uses basic techniques such as visiting a website and/or taking a screenshot
and is quite time-consuming. In contrast, open source tools and other commercial
forensic tools offer quicker gathering and extraction of evidence. Additionally, since
investigators often deal with a lot of live content, they also use content archiving to
preserve the nature of the evidence. E-discovery or evidence collection needs to be in
compliance with the terms of service agreement. Every social networking platform has
specified terms and conditions that define the nature of the information that an
investigator can collect and manipulate. Such conditions often inhibit investigations, since
the defense may cite a breach of the terms of service to discredit the evidence.



The Three Basic Stages of Social Media Forensics

Social media forensics has three basic stages for the extraction, preservation, and analysis
of electronic evidence.

1. Evidence Identification

This step involves a thorough inspection of the crime scene to locate any hardware or
software that is worthy of collection. It also includes conducting a basic search to identify
all social networking accounts linked to the subject. Furthermore, a search of all of the
subject's family, friends and associates on social media is conducted. A forensic examiner needs to
precisely document all sources of evidence along with how and when they were found.

2. Collection

Forensic investigators use various methods to collect electronic evidence. Following are
the methods for social media evidence collection.
• Manual documentation
• Screen scrape/screenshot
• Open source tools (HTTrack)
• Commercial tools (X1)
• Web services (PageFreezer)
• Forensic recovery
• Content subpoena



UNIT 11: Legislation on cybercrime and cybersecurity
11.1 Cybercrime Bill
11.2 Cybersecurity Bill
11.3 Criminal Procedure & Evidence Act
11.4 Section 162 to 168 of The Criminal Law [Codification and Reform Act]
Chapter 9:03
11.5 Postal and Telecommunications Act.
11.6 Interception of communication Act
11.7 The Constitution of Zimbabwe
11.8 Cyber conventions e.g. Budapest Convention and INTERPOL.
11.9 Cyber jurisdiction (territories and boundaries)

COPIES ARE NEEDED FOR THE LEGISLATION ON CYBERCRIME AND CYBER
SECURITY



UNIT 12: Organised Crimes on the Internet

12.1 Definition of organised crimes

Organized crime is a group of individuals, either local, national or international, that
engage in criminal enterprises for profit.

Types of organized crimes

Organized crime is involved in a broad spectrum of illegal activities: murder, extortion, drug trafficking,
corruption of public officials, gambling, infiltration of legitimate businesses, labor
racketeering, loan sharking, prostitution, pornography, tax-fraud schemes, and stock
manipulation schemes.

12.2 Cyber terrorism


Cyberterrorism is defined by the U.S. Federal Bureau of Investigation as a premeditated
attack against a computer system, computer data, programs and other information with
the sole aim of violence against clandestine agents and subnational groups.

Cyberterrorism can be explained as internet terrorism. With the advent of the internet,
individuals and groups are misusing the anonymity to threaten individuals, certain
groups, religions, ethnicities or beliefs. Cyberterrorism can be broadly categorized under
three major categories:

Simple: This consists of basic attacks including the hacking of an individual system.
Advanced: These are more sophisticated attacks and can involve hacking multiple
systems and/or networks.
Complex: These are coordinated attacks that can have a large-scale impact and make use
of sophisticated tools.

Examples include attacks against critical physical infrastructure, such as water pipes,
electricity, gas, fuel, public transportation control systems, or bank payment systems,
which deny the provision of essential services for a given time, or in more severe cases,
even cause physical damage by attacking the command

12.3 Weapons trafficking

Arms trafficking or gunrunning is the illicit trade of contraband small arms and
ammunition, which constitutes part of a broad range of illegal activities often associated
with transnational criminal organizations.



Weapons trafficking is the movement or transfer of firearms, guns, weapons, parts, or
ammunition from a legal to illegal market.

Examples of Weapon trafficking


• Reactivation of neutralised weapons;
• Burglaries and thefts;
• Embezzlement of legal arms;
• The selling of legal arms on the illegal market, including the darknet;
• The reactivation of decommissioned army or police firearms;
• Conversion of gas pistols.

12.4 Drug trafficking

Drug trafficking is a global illicit trade involving the cultivation, manufacture,
distribution and sale of substances which are subject to drug prohibition laws.

Examples of drug trafficking

The most commonly trafficked drugs are cocaine, heroin, morphine, cannabis sativa
(Indian hemp) and crystal methamphetamine.

12.5 Human trafficking

Human trafficking involves the use of force, fraud, or coercion to obtain some type of
labor or commercial sex act.

Elements of Human Trafficking


The Action-Means-Purpose Model can be used to describe the elements of human
trafficking. Cases that are considered severe forms of trafficking in persons involve three
elements:

1. Action, which may be the recruiting, harboring, transporting, providing, or obtaining
of an individual. Additional actions that constitute sex trafficking, but not labor
trafficking, include patronizing, soliciting, and advertising an individual.

2. Through the Means of force, fraud, or coercion. Examples of force include physical
abuse or assault, sexual abuse or assault, or confinement. Examples of fraud include false
promises of work/living conditions, withholding promised wages, or contract fraud.
Coercion may include threats of harm to self or others, debt bondage, psychological
manipulation, or document confiscation.

3. For a specific Purpose, either compelled labor or services or commercial sex act(s).

Examples

Adults and children can be trafficked or enslaved and forced to sell their bodies
for sex. People are also trafficked or enslaved for labour exploitation, for example
to work on a farm or in a factory, or to work in a house as a servant, maid or nanny.



UNIT 13: International Police Cooperation
13.1 Protocol that guides territorial investigations
13.2 Police Organs to use in territorial investigations
13.3 Compilation of Rogatory files for territorial investigations
13.4 Joint Investigation Team for easy territorial investigations
