Module Compiled by
Inspector Murenha P
Inspector Boka P
Seargeant Kamangira S
Cybercrime is criminal activity that either targets or uses a computer, a computer network
or a networked device. Cybercrime is committed by cybercriminals or hackers who want
to make money. This course module is an introduction to cybercrime for the
Zimbabwe Republic Police Service. The course helps develop an understanding of
cybercrimes and how they relate to current policing trends. The module is also
meant to lay a foundation for both internal and external service delivery. Unit 1
focuses on Cybercrime Investigation; Unit 2 on the Internet; Unit 3 on Electronic Evidence;
Unit 4 on the Dark Net; Unit 5 on Virtual Currencies; Unit 6 on Online Money Laundering;
Unit 7 on Digital Forensics; Unit 8 on Cyber Security; Unit 9 on Mobile Forensics;
Unit 10 on Live Forensic Investigation; Unit 11 on Legislation on Cybercrime and Cyber
Security; Unit 12 on Organized Crimes on the Internet; and lastly Unit 13 concludes the
module by discussing International Police Cooperation.
Objectives
Cybercrime is criminal activity that either targets or uses a computer, a computer network
or a networked device. Most, but not all, cybercrime is committed by cybercriminals or
hackers who want to make money.
Email harassment
Cyber-stalking
Spreading obscene material
Unauthorized access or control over the computer system
Indecent exposure
Spoofing via email
Trafficking
Financial crimes
Selling illegal articles
Online Gambling
Forgery
Apart from the ones listed above, crimes like hacking, denial of service attacks, e-mail
bombing, etc. are also present in cyberspace.
DDoS Attacks
These attacks make an online service unavailable and take the network down by
overwhelming the site with traffic from a variety of sources. Large networks of infected
devices, known as botnets, are created by depositing malware on users’ computers. The
hacker then hacks into the system once the network is down.
Botnets
Botnets are networks of compromised computers that are controlled externally by
remote hackers. The remote hackers then send spam or attack other computers through
these botnets. Botnets can also be used as malware themselves to perform malicious tasks.
Identity Theft
This cybercrime occurs when a criminal gains access to a user’s personal information to
steal funds, access confidential information, or participate in tax or health insurance
fraud. They can also open a phone/internet account in your name, use your name to plan a
criminal activity and claim government benefits in your name. They may do this by
finding out users’ passwords through hacking, retrieving personal information from
social media, or sending phishing emails.
ZIMBABWE REPUBLIC POLICE TRAINING ACADEMY | CYBERCRIME MODULE 7
Cyber stalking
Social Engineering
Social engineering involves criminals making direct contact with you, usually by phone or
email. They want to gain your confidence and usually pose as a customer service agent so
that you will hand over the information they need. This is typically a password, the company
you work for, or bank information. Cybercriminals will find out what they can about you
on the internet and then attempt to add you as a friend on social accounts. Once they gain
access to an account, they can sell your information or secure accounts in your name.
PUPs
PUPs, or Potentially Unwanted Programs, are less threatening than other cybercrimes, but
are a type of malware. They uninstall necessary software in your system, including search
engines and pre-downloaded apps. They can include spyware or adware, so it is a good
idea to install antivirus software to avoid the malicious download.
Phishing
This type of attack involves hackers sending malicious email attachments or URLs to
users to gain access to their accounts or computer. Cybercriminals are becoming more
established and many of these emails are not flagged as spam. Users are tricked by
emails claiming they need to change their password or update their billing information,
giving criminals access.
Prohibited/Illegal Content
This cybercrime involves criminals sharing and distributing inappropriate content that
can be considered highly distressing and offensive. Offensive content can include, but is
not limited to, sexual activity between adults, videos with intense violence and videos of
criminal activity. Illegal content includes materials advocating terrorism-related acts and
child exploitation material. This type of content exists both on the everyday internet and
on the dark web, an anonymous network.
Online Scams
These are usually in the form of ads or spam emails that include promises of rewards or
offers of unrealistic amounts of money. Online scams include enticing offers that are “too
Exploit Kits
Exploit kits need a vulnerability (bug in the code of a software) in order to gain control of
a user’s computer. They are readymade tools criminals can buy online and use against
anyone with a computer. The exploit kits are upgraded regularly similar to normal
software and are available on dark web hacking forums.
Digital evidence can come in many file types and sizes. For example, the evidence may
be encrypted, protected, or otherwise hidden. If your agency does not have the resources,
tools, or specific expertise necessary to identify and collect this evidence, consider
partnering with other agencies that do have these capabilities.
In many cases, investigators may seize electronic devices without a warrant, but must
obtain a warrant in order to conduct a search on the device(s). Multiple warrants may
need to be obtained if a particular device is connected to multiple crimes. Warrants
should clearly describe all files, data, and electronic devices to be searched as specifically
as possible and seek approval to conduct analysis off-site.
Subpoenas can also be used to obtain digital evidence. Many Internet- and
communication-based companies have guides to assist law enforcement in understanding
their information sharing policies. A non-disclosure agreement (NDA) is often
needed when law enforcement is requesting information from an Electronic Service
Provider (ESP) and does not want the ESP to notify the user that someone is requesting
information from their account. A court order is required to compel the ESP to provide
information beyond the basic subscriber information. This could include, but is not limited to,
message headers or IP addresses. It does not include content.
It will also be important to work with the prosecutor to identify the appropriate charges,
and to determine what additional information or evidence will be needed prior to filing
charges.
1.5 Tools for Investigating Cybercrimes.
Cybercrime investigation tools include many utilities, depending on the techniques you are
using and the phase of the investigation you are in. Note, however, that most of
these tools are dedicated to the forensic analysis of data once you have the
evidence in hand. There are thousands of tools for every kind of cybercrime, so
this is not intended to be a comprehensive list, but a quick look at some of the
best resources available for performing forensic work.
SIFT Workstation
SIFT is a forensic tool collection created to assist incident response teams and forensic
researchers in examining digital forensic data on several systems.
It is an open source collection of UNIX- and Windows-based forensic tools that helps
researchers analyze disk images and recover files from those devices.
X-Ways Forensics
This software is one of the most complete forensic suites for Windows-based
operating systems.
CAINE
Software whose main goal is speeding up digital crime investigations,
allowing researchers to access data from a unified and user-friendly interface.
Bulk Extractor
An application used for extracting critical information from digital evidence data.
It works by extracting features such as URLs, email addresses, credit card numbers and much
more from ISO disk images, directories or individual files, including images, videos,
office documents and compressed files.
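The kind of feature extraction Bulk Extractor performs, shown as an added example written for this module (it is not Bulk Extractor's own code): a Python scanner runs over a constructed byte buffer standing in for a slice of a disk image and pulls out e-mail addresses, URLs and payment card numbers, keeping only card candidates that pass the Luhn checksum. The sample buffer, the regular expressions and the `extract_features` function are all assumptions of this example; the card numbers in it are made-up test values.

```python
"""Feature extraction over raw evidence bytes, in the spirit of Bulk Extractor.

Added example for this module, not Bulk Extractor's own code: the scanner runs
over an arbitrary byte buffer (a disk image would be read in chunks the same
way) and pulls out e-mail addresses, URLs and Luhn-valid payment card numbers
without relying on a file system or on knowing the file type.
"""
import re

# Constructed sample buffer standing in for a slice of a disk image: a mail
# header fragment, binary filler from an image header, and deleted-file
# remnants. The card numbers are made-up test values, not real accounts.
SAMPLE_IMAGE = (
    b"\x00\x00\xffMIME-Version: 1.0\r\nFrom: Alice <alice@example.com>\r\n"
    b"See http://shop.example.net/order?id=77 for details\x00\x00"
    b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + bytes(range(16)) +
    b"card: 4539 1488 0343 6467 exp 12/29\x00"   # passes the Luhn check
    b"card: 4539 1488 0343 6468\x00"              # fails the Luhn check
    b"mailto:bob.smith@mail.example.org\x00"
)

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(rb"https?://[A-Za-z0-9.-]+(?:/[^\s\x00\"'<>]*)?")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def extract_features(buf: bytes) -> dict:
    """Scan a byte buffer and return candidate e-mails, URLs and card numbers.

    Card candidates are kept only if they pass the Luhn check, which removes most
    digit runs that merely look like card numbers (timestamps, IDs, offsets).
    """
    emails = sorted({m.decode("ascii", "replace") for m in EMAIL_RE.findall(buf)})
    urls = sorted({m.decode("ascii", "replace") for m in URL_RE.findall(buf)})
    cards = set()
    for m in CARD_RE.finditer(buf):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            cards.add(digits)
    return {"emails": emails, "urls": urls, "cards": sorted(cards)}


if __name__ == "__main__":
    for kind, values in extract_features(SAMPLE_IMAGE).items():
        print(kind, values)
```

Working on raw bytes rather than on files is what lets a tool of this kind recover features from deleted or partially overwritten data; the Luhn filter is the check that keeps arbitrary digit runs out of the card-number report.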
ExifTool
A command-line forensic utility that can read, write and manipulate metadata in
many kinds of media files such as images and videos.
ExifTool supports extracting EXIF data from images and videos, such as GPS coordinates,
thumbnail images, file type, permissions, file size, camera type, etc.
It also allows you to save the results in a text-based format or plain HTML.
Surface Browser
Surface Browser is for detecting the complete online infrastructure of any company, and
getting valuable intelligence data from DNS records, domain names and their historical
WHOIS records, exposed subdomains, SSL certificates data and more. Analyzing the online
surface of any company or name is as important as analyzing local drives or
RAM sticks; it can lead to finding critical data linked to cybercrimes.
1. Electronic mail.
2. World Wide Web (uses include research, personal web sites and online
shopping).
3. Threaded conference systems (USENET) or network news. Users enter messages and
within a day or so the messages are delivered to nearly every other USENET host for
everyone to read.
Explanation of the crime of cyberbullying, which is the act of using computer networking
technology and online social networks to harass, intimidate and otherwise bully
classmates or other peers.
Sexting
Overview of the disturbingly common phenomenon known as sexting, which is the use of
text messaging or similar networking technologies to send and receive sexually explicit
messages or photographs.
Identity Theft
Collection of articles to help you detect and ultimately prevent identity theft, including
important steps to take once your identity has been stolen and methods to help protect
your personal data.
Electronic evidence is any electronically stored information (ESI) that may be used as
evidence in a lawsuit or trial. Electronic evidence includes any documents, emails, or
other files that are electronically stored. Additionally, electronic evidence includes
records stored by network or Internet service providers.
A computer forensics investigator seeks evidence in all the electronics on the following
list:
Computer: Digital memories don’t forget anything. A hard drive is a goldmine for
locating every file that was created, saved, downloaded, sent, or deleted to it or from it,
including documents, e-mails, images, and financial records. You can find file content
intact, as well as a lot of details about when the file was created, accessed, and edited,
and you might even be able to find prior versions. In short, a hard drive is the perfect time
machine.
Web site that was visited: Any digital device used to access the Internet can be searched
for a listing of where on the Web a user has visited and when. No one surfs anonymously.
PDA: A handheld device records a person’s life like no other device does. To find out the
where, what, with whom, and how much of a person’s life, check his PDA.
Cellphone or smart phone: As on a PDA, the information you can find on a user’s
phone can be the e-evidence you need or it can lead you toward other e-evidence. You
can find detailed logs of incoming and outgoing messages and text messages; transcripts
of text messages; address books and calendars.
GPS device: Tracking technology has already been used in high-profile court cases. To
find a person’s whereabouts, check the GPS device.
Network or Internet service provider (ISP): An ISP is a fertile source of digital dirt
and details. If bytes pass through it, each network device records it.
Any device that has memory: Digital cameras, iPods, flash drives, SIM cards if it uses
memory, it might have evidence.
Chat room: Sadly, predators and other criminals hang out in chat rooms all over the
world.
1. A claim that the records were altered, manipulated or damaged between the time they
were created and the time they appear in court as evidence;
2. The reliability of the computer program that generated the record may be questioned;
3. The identity of the author may be in dispute: for instance, the person responsible for
writing a letter in the form of a word processing file, SMS or email may dispute they
wrote the text, or sufficient evidence has not been adduced to demonstrate the nexus
between the evidence and the person responsible for writing the communication;
4. The evidence from a social networking website might be questioned;
5. It might be agreed that an act was carried out and recorded, but at issue might be that
the party introducing the evidence has failed to prove that where others might have access
to a device there was no proof to show that the message was directed to a particular
person.
6. Whether the person alleged to have used their PIN, password or clicked the 'I accept'
icon was the person that actually carried out the action.
7. The data on local area networks, and whether there is a need to obtain an image of the
complete network, if this is possible. If an image of each computer comprising the
network is taken, the issue with networked computers is to demonstrate who had access
to which computers at what time, and whether this access is audited. The security
mechanisms in place on the network will be an important consideration when proving
authenticity.
8. Data from the Internet is also subject to problems, because reliance may be placed on
data obtained from remote computers, the computer of an investigator, and perhaps
intercepted evidence.
9. Where data is being updated constantly, such as transactional data-bases, or websites
that are continually updated, this poses problems, as the relevant evidence is point-in-
time, which may be extremely difficult to obtain.
10. Authentication of information on social media sites presents its own unique set of
issues. Firstly, it can be difficult to establish the author of the document, because social
media sites often have a number people writing to the one page. Secondly, proving the
identity of an author can be difficult, since it is still possible to create an internet profile
without having to prove identity.
Principle 1
No action taken by law enforcement agencies or their agents should change data held on
a computer or storage media, which may subsequently be relied upon in court.
Principle 2
In exceptional circumstances, where a person finds it necessary to access original data
held on a computer or on storage media, that person must be competent to do so and be
able to give evidence explaining the relevance and the implications of their actions.
Principle 3
An audit trail or alternative record of all processes applied to computer-based
electronic evidence should be created and preserved. An independent third party should be
able to examine those processes and achieve the same result.
Principle 4
The person in charge of the investigation has overall responsibility for ensuring that the
law and these principles are adhered to.
The dark net is part of the deep web, but it refers to websites that are specifically used for
nefarious reasons. Dark net sites are purposefully hidden from the surface net by
additional means. The dark net is occasionally used for noble reasons by Internet users
who need to operate anonymously.
In 2019 Dream Market was the most popular market by far, with over 120,000 current
trade listings, followed at one time by Wall Street Market with under 10,000 listings.
Dream Market was shut down in 2019, and Wall Street Market was seized by law
enforcement in May 2019.
In fact, some uses are perfectly legal and support the value of the “dark web.” On the
dark web, users can seek out three clear benefits from its use:
User anonymity
Virtually untraceable services and sites
Ability to take illegal actions for both users and providers
The anonymity of bitcoin has led the dark web market to flourish. This cryptocurrency
enables sellers and buyers to execute a trusted transaction without knowing each other's
identities. Each bitcoin transaction is kept private by revealing only the parties' wallet IDs.
Keeping a bitcoin user's transactions private allows them to enter criminal markets and
get involved in buying illegal goods. The criminal sellers operating in the dark web
market have started to add attractive new offerings to their virtual stores.
TOR's secured browser technology remains the largest anonymizing network, with more
than million active users connected directly to its service. The bandwidth capacity of this
network has increased from approximately gigabits per second. With this growth in the
past five years, the number of unique addresses of TOR hidden services has increased
from approximately 30,000 to 80,000. This overall growth in the TOR network has
propelled the growth of dark web markets due to its expanding user base.
Ransomware attacks have been rapidly increasing over the past few years, and I believe
one reason for this increase is the fact that cybercriminals are being paid out. These
payouts encourage cybercriminals, resulting in new ransomware attacks with more
features. In my experience, some cyber insurance companies are also indirectly causing a
surge in these ransomware attacks because they have started to pay the ransoms, which
costs them less than remediation or backups.
The dark web's drug market has been booming in Australia, and it has proven to be
highly lucrative for the dealers. Ransomware attacks are one of the most effective ways
to earn a large sum of money from organizations. Their earnings are increasing because
the demand is reaching new heights.
As organizations have rapidly moved to the digitization era, their network boundaries
have vanished. Systems are more integrated than ever before. This movement has also
increased the attack surface of organizations. With the increase in the earnings from such
attacks, cybercriminals are vying for bigger and more opportunistic attacks.
Digital currencies are currencies that are only accessible with computers or mobile
phones, as they only exist in electronic form. Since digital currencies require no
intermediary, they are often the cheapest method to trade currencies.
The regulations over virtual currencies are not comprehensive or systematic enough,
hindering their worldwide acceptance. Lacking the supervision from a central
administrator, decentralized virtual currencies provide opportunities for illegal
transactions and money laundering.
2. Highly volatile
Outside the control of a central bank, the value of a virtual currency is highly volatile.
Therefore, it is a less favorable tool for storing value or as a medium of exchange. For example,
bitcoin peaked at the end of 2017 at nearly $20,000 per unit. It later dropped to around
$3,000 per unit within one year.
Virtual currencies also raise security concerns. Despite improving encryption techniques,
the loss or leakage of authentication information is still possible and can cause great
losses to virtual currency owners.
Today, mobile money services are available throughout much of the developing world.
Most markets have a live offering and many have multiple services. In 2007, there were
fewer than 20 mobile money services for the unbanked worldwide. Since then the number
of deployments has ballooned to over 190, with another 115 planning to launch. How
are these 190 services faring? Unevenly. Many mobile money services have yet to
achieve significant scale, but a collection of stand-out services appear to have figured out
the formula and are riding a steep growth trajectory. According to GSMA’s 2012 Global
Mobile Money Adoption Survey, 14 services qualified as Mobile Money Sprinters, the
world’s fastest growing mobile money services. What has been the formula for their
success? A number of elements need to be in place for a mobile money service to become
a sprinter, including an enabling regulatory environment, adequate levels of investment,
strong marketing, and well-managed distribution networks. Over the past year, MMU has
published case studies that examine how certain mobile money services have managed to
thrive in countries such as Zimbabwe, Pakistan and Somaliland. Together these case
studies demonstrate that mobile money success is no longer the story of just one country
or region, and by sharing these lessons with the industry, MMU hopes to accelerate the
success of more mobile money services around the globe.
MMU growth trajectories. Each has contributed a unique set of
innovations to the industry, demonstrating that a variety of approaches are
possible in different markets.
INVESTIGATIVE CHALLENGES
Virtual currency transactions can be difficult to track, due in part to the structure of the
systems themselves, as well as their privacy-enhancing features. Many services allow
users to maintain higher levels of anonymity than would be permitted in a traditional
currency-based system. Even if an investigator is successful in following the transaction,
it still may be difficult to tie a virtual account to a real-world identity. This process
is further complicated by decentralized systems, where there is no longer a single
company holding customer records.
The above challenges are further exacerbated by the inherently global nature of the
virtual currency ecosystem. Customers and services can transact with little regard to
national borders, creating investigative challenges and jurisdictional hurdles. Any
investigation involving substantial use of virtual currency is likely to rely on international
cooperation. However, the speed of the legal process cannot keep up with the pace of
these transactions.
E-payments
1. Credit Cards
2. Bank Transfers
3. Digital Wallet
Online banking is currently the playground of many fraudsters, who use social
engineering methods to access other people’s bank accounts for their own benefit. For money
laundering purposes, a criminal may transfer money directly to such a victim’s account and
trick the person into sharing sensitive information such as passwords or into granting
remote access to the victim’s computer. Then the criminal can make an unauthorized
payment from the victim’s account.
This is a systematic scam in which businesses working with foreign suppliers and doing
regular wire transfers are targeted. Here, a criminal compromises legitimate business
email accounts via social engineering or computer intrusion techniques to conduct
unauthorized fund transfers. While the scheme is mostly used to defraud another out of
money, it can also be an effective tool to layer and launder money with or without the
knowledge of the victim.
3 Synthetic identity
Criminals are using a combination of real and fabricated information to open accounts for
credit cards, online deposits and loans. This crime is costing banks a lot of time and
money along with reputational degradation.
Payment methods like prepaid gift cards, prepaid debit cards and prepaid credit cards can
be purchased in a completely anonymous manner or with fictitious details. They can be
purchased via cash payment as well. The value loaded in these cards can be redeemed
online anywhere in the world without revealing the identity of the person.
5 Virtual currencies
Cryptocurrencies such as bitcoin, due to their inherent anonymity feature, are one of the
most convenient ways to wash money. These currencies are not connected to a person’s
identity and only depend on the private key connected to an account. Further, these
currencies do not have a central record-keeping system that regulators can track. In
addition, individuals who use digital currencies do not have to rely on intermediaries for
value transfers. Digital currency platforms often do not carry out checks for the source of
money, politically exposed persons (PEPs) and sanctions.
Red flags include: A significant amount of private funding from an individual running a
cash-intensive business. The involvement of a third party private funder without an
apparent connection to the business or a legitimate explanation for their participation.
Money laundering has one purpose: to turn the proceeds of crime into cash or property
that looks legitimate and can be used without suspicion.
Placement
Layering
Integration / Extraction
Placement
Cash businesses – adding the cash gained from crime to the legitimate takings.
This works best in businesses with little or no variable costs, such as car parks, strip
clubs, tanning studios, car washes, and casinos.
False invoicing – putting through dummy invoices to match cash lodged, making
it look like payment in settlement of the false invoice
Smurfing – lodging small amounts of money below the AML reporting threshold
to bank accounts or credit cards, then using these to pay expenses etc.
Trusts and offshore companies – useful for hiding the identity of the real
beneficial owners.
Foreign bank accounts – physically taking small amounts of cash abroad, below
the customs declaration threshold, lodging in foreign bank accounts, then sending
back to the country of origin.
Aborted transactions – funds are lodged with a lawyer or accountant to hold in
their client account to settle a proposed transaction. After a short time, the
transaction is aborted. Funds are repaid to the client from an unimpeachable
source
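The smurfing pattern described in the placement list, turned into a detection check as an added example (not part of the module): it flags customers whose cash deposits each sit just below a reporting threshold but together exceed it within a sliding window. The threshold, the window, the "near threshold" fraction and the transaction log are constructed for illustration, as is the `find_structuring` function.

```python
"""Detection of possible structuring ("smurfing") in a cash transaction log.

Added example, not from the module: the reporting threshold, the window, the
"near threshold" fraction and the transaction log are constructed for
illustration. The check flags a customer whose cash deposits each sit just
below the threshold but together exceed it within a short window, which is
the placement pattern described above.
"""
from collections import defaultdict
from datetime import datetime, timedelta

REPORTING_THRESHOLD = 10_000     # constructed; real thresholds are jurisdiction-specific
NEAR_THRESHOLD_FRACTION = 0.8    # "just below": 80% of the threshold or more
WINDOW = timedelta(days=7)

# Constructed sample log: (customer, timestamp, amount, channel)
TRANSACTIONS = [
    ("C001", "2024-03-01T09:10", 9_500, "cash"),
    ("C001", "2024-03-02T10:05", 9_800, "cash"),
    ("C001", "2024-03-03T16:40", 9_200, "cash"),
    ("C002", "2024-03-01T11:00", 12_000, "cash"),  # over the line: reported normally
    ("C003", "2024-03-01T12:00", 9_900, "cash"),
    ("C003", "2024-03-20T12:00", 9_900, "cash"),   # second deposit outside the window
    ("C004", "2024-03-04T08:30", 300, "cash"),     # ordinary small takings
    ("C004", "2024-03-04T08:35", 250, "cash"),
]


def near_threshold(amount: float, threshold: float = REPORTING_THRESHOLD) -> bool:
    """A deposit just under the reporting line is the classic structuring tell."""
    return threshold * NEAR_THRESHOLD_FRACTION <= amount < threshold


def find_structuring(transactions, threshold=REPORTING_THRESHOLD, window=WINDOW) -> dict:
    """Return {customer: largest windowed total} for customers whose near-threshold
    cash deposits, taken together inside any `window`, add up to more than `threshold`.
    """
    by_customer = defaultdict(list)
    for cust, ts, amount, channel in transactions:
        if channel == "cash" and near_threshold(amount, threshold):
            by_customer[cust].append((datetime.fromisoformat(ts), amount))

    flagged = {}
    for cust, deposits in by_customer.items():
        deposits.sort()
        start = 0
        for end in range(len(deposits)):
            # Advance the window start until the span is at most `window` long.
            while deposits[end][0] - deposits[start][0] > window:
                start += 1
            in_window = deposits[start:end + 1]
            total = sum(amount for _, amount in in_window)
            if len(in_window) >= 2 and total > threshold:
                flagged[cust] = max(total, flagged.get(cust, 0))
    return flagged


if __name__ == "__main__":
    for cust, total in find_structuring(TRANSACTIONS).items():
        print(f"{cust}: near-threshold cash deposits totalling {total} within {WINDOW.days} days")
```

Restricting the check to deposits near the threshold keeps a shop's ordinary daily takings (customer C004) from being flagged, at the cost of missing structuring done in many very small amounts; a real monitoring rule would pair this with a separate velocity check and with the other red flags listed above.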
Layering
Layering is essentially the use of placement and extraction over and over again, using
varying amounts each time, to make tracing transactions as hard as possible.
Integration / Extraction
The final stage is getting the money out so it can be used without attracting attention from
law enforcement or the tax authorities. In this regard, criminals are often content to pay
payroll and other taxes to make the “washing” more legitimate and are often happy with a
half percentage “shrinkage” in the wash.
Digital evidence can be collected from many sources, including computers, mobile
phones, digital cameras, hard drives, CD-ROMs, USB memory sticks, cloud computers,
servers and so on. Non-obvious sources include RFID tags and web pages, which must be
preserved as they are subject to change.
Because digital data is easily altered and it is difficult to distinguish between original data
and copies, extracting, securing and documenting digital evidence requires special
attention. The guidelines lay out the following general principles for handling digital
evidence:
The process of collecting digital evidence should not alter it or raise questions
about its integrity.
Examination of digital evidence should be done by trained personnel.
All actions in processing the evidence should be documented and preserved for
review.
Examination should be conducted on a copy of the original evidence. The original
should be preserved intact.
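The handling principles above as an added worked example in Python (not part of the module): the original is hashed at acquisition, a bit-for-bit working copy is what gets examined, and every step is written to an audit trail so that a third party can repeat the verification and reach the same result. The image bytes, examiner names and function names are constructed for this illustration.

```python
"""Integrity verification for a digital evidence copy.

Added example, not part of the module: it models the handling principles in
code. An acquired image is hashed at seizure, the examiner works on a copy,
and every step is appended to an audit trail so a third party can re-run the
same verification. The data is a constructed in-memory byte string standing
in for a disk image.
"""
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for the seized original; in practice this would be the
# raw image file read in blocks.
ORIGINAL_IMAGE = b"FAT32 boot sector ... user files ... deleted mail fragment"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the data as lowercase hex (the value recorded on the custody form)."""
    return hashlib.sha256(data).hexdigest()


def acquire(original: bytes, examiner: str, audit: list) -> tuple:
    """Create a working copy, hash both, and record the acquisition in the audit trail.

    Returns (working_copy, acquisition_hash). The copy is what gets examined; the
    original is kept untouched.
    """
    original_hash = sha256_hex(original)
    working_copy = bytes(original)           # bit-for-bit copy
    copy_hash = sha256_hex(working_copy)
    audit.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "who": examiner,
        "action": "acquire",
        "original_sha256": original_hash,
        "copy_sha256": copy_hash,
        "match": original_hash == copy_hash,
    })
    return working_copy, original_hash


def verify(evidence: bytes, recorded_hash: str, examiner: str, audit: list) -> bool:
    """Re-hash the evidence, compare with the recorded value, and log the check."""
    current = sha256_hex(evidence)
    ok = current == recorded_hash
    audit.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "who": examiner,
        "action": "verify",
        "sha256": current,
        "match": ok,
    })
    return ok


def demo() -> dict:
    """Acquire, verify the clean copy, then show that an altered copy fails verification."""
    audit = []
    copy, acq_hash = acquire(ORIGINAL_IMAGE, "Examiner A", audit)
    clean = verify(copy, acq_hash, "Examiner B", audit)
    # Simulate an unintended write to the working copy (one bit flipped).
    altered = bytearray(copy)
    altered[10] ^= 0x01
    tampered = verify(bytes(altered), acq_hash, "Examiner B", audit)
    return {"clean_verifies": clean, "altered_verifies": tampered, "audit_entries": len(audit)}


if __name__ == "__main__":
    print(demo())
```

A single flipped bit changes the whole digest, which is why the hash recorded at acquisition is what an independent examiner checks against, and why the audit entries carry who did what and when.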
Cyber security is the practice of defending computers, servers, mobile devices, electronic
systems, networks, and data from malicious attacks. It's also known as information
technology security or electronic information security. The term applies in a variety of
contexts, from business to mobile computing, and can be divided into a few common
categories.
Malware
Malware means malicious software. One of the most common cyber threats, malware is
software that a cybercriminal or hacker has created to disrupt or damage a legitimate
user’s computer. Often spread via an unsolicited email attachment or legitimate-looking
download, malware may be used by cybercriminals to make money or in politically
motivated cyber-attacks.
Virus: A self-replicating program that attaches itself to a clean file and spreads
throughout a computer system, infecting files with malicious code.
Trojans: A type of malware that is disguised as legitimate software.
Cybercriminals trick users into uploading Trojans onto their computer where
they cause damage or collect data.
Spyware: A program that secretly records what a user does, so that
cybercriminals can make use of this information. For example, spyware could
capture credit card details.
Ransomware: Malware which locks down a user’s files and data, with the
threat of erasing it unless a ransom is paid.
Adware: Advertising software which can be used to spread malware.
Botnets: Networks of malware infected computers which cybercriminals use
to perform tasks online without the user’s permission.
SQL injection
Phishing
Phishing is when cybercriminals target victims with emails that appear to be from a
legitimate company asking for sensitive information. Phishing attacks are often used to
dupe people into handing over credit card data and other personal information.
Man-in-the-middle attack
Denial-of-service attack
Cyber safety tips which protect individuals or organizations against cyber attacks
1. Update your software and operating system: This means you benefit from the
latest security patches.
2. Use anti-virus software: Security solutions like Kaspersky Total Security will
detect and remove threats. Keep your software updated for the best level of
protection.
3. Use strong passwords: Ensure your passwords are not easily guessable.
4. Do not open email attachments from unknown senders: These could be
infected with malware.
5. Do not click on links in emails from unknown senders or unfamiliar
websites: This is a common way that malware is spread.
6. Avoid using unsecure Wi-Fi networks in public places: Unsecure networks
leave you vulnerable to man-in-the-middle attacks.
Anti-key loggers
An anti-keylogger (or anti–keystroke logger) is a type of software specifically designed
for the detection of keystroke logger software; often, such software will also incorporate
the ability to delete or at least immobilize hidden keystroke logger software on a
computer.
Ghostpress,
Zemana AntiLogger
Shelter Anti-Keylogger
KeyScrambler Personal
1. Encryption
2. Steganography
3. Tunneling
4. Onion Routing
The process of sending messages that are encrypted in layers, like the layers of an
onion, is referred to as onion routing. The data packet passes through several network
nodes, and each node peels off one layer of encryption. When the final layer is
stripped, the message reaches its destination. The message remains anonymous to the
entire delivery chain except the nodes placed directly after the source and directly before
the destination. One of the best practices used to fight against onion routing is reverse
routing. This elimination process is time-consuming but can be used to defeat onion
routing.
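The layering described above, worked through in code as an added example (not code from the original module). It uses a toy keystream cipher so that it runs with only the Python standard library; the relay names, keys and message are constructed for the demo.

```python
import hashlib
import json


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR the data with SHA-256(key || block counter).
    It is symmetric (the same call encrypts and decrypts), has no
    authentication, and exists only to make the layering visible."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + (offset // 32).to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def demo_keys(route: list) -> dict:
    """Constructed per-relay keys for the demo (in a real network each relay
    holds its own key and the sender negotiates a key with each of them)."""
    return {node: hashlib.sha256(f"demo-key-{node}".encode()).digest()
            for node in route}


def build_onion(message: bytes, route: list, keys: dict) -> bytes:
    """Wrap the message in one layer per relay, innermost (exit) layer first.

    Each layer is a JSON envelope {"next": <next hop>, "payload": <hex>}
    encrypted under the key of the relay that will peel it, so a relay can
    read only its own envelope and nothing inside it."""
    onion = message
    next_hop = None  # the exit relay delivers to the final destination
    for node in reversed(route):
        envelope = json.dumps({"next": next_hop, "payload": onion.hex()})
        onion = keystream_xor(keys[node], envelope.encode())
        next_hop = node
    return onion


def peel_layer(node: str, onion: bytes, keys: dict) -> tuple:
    """One relay removes exactly one layer and learns only the next hop and
    an opaque blob; the inner layers stay encrypted under other keys."""
    envelope = json.loads(keystream_xor(keys[node], onion).decode())
    return envelope["next"], bytes.fromhex(envelope["payload"])


def can_open_layer(node: str, onion: bytes, keys: dict) -> bool:
    """True if this relay's key yields a well-formed envelope, i.e. the
    outermost layer was meant for it.  Any other key produces garbage."""
    try:
        peel_layer(node, onion, keys)
        return True
    except (ValueError, KeyError, TypeError):  # not UTF-8 / JSON / hex
        return False


def relay_through(route: list, onion: bytes, keys: dict) -> tuple:
    """Pass the onion along the route; return the delivered plaintext and a
    trace of (relay, next hop it saw, bytes it forwarded)."""
    trace = []
    blob = onion
    for node in route:
        next_hop, blob = peel_layer(node, blob, keys)
        trace.append((node, next_hop, len(blob)))
    return blob, trace


if __name__ == "__main__":
    route = ["entry", "middle", "exit"]
    keys = demo_keys(route)
    onion = build_onion(b"meet at the usual place", route, keys)
    plaintext, trace = relay_through(route, onion, keys)
    for node, hop, size in trace:
        print(f"{node:>6}: sees next hop = {hop}, forwards {size} bytes")
    print("delivered:", plaintext)
```

Each relay in the trace sees only the identity of the next hop and a shrinking encrypted blob, which is why the middle relay can neither read the message nor name both endpoints.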
5. Obfuscation
A technique that makes a message difficult to understand because of its ambiguous
language is known as obfuscation. This method uses jargon and in-group phrases to
communicate. It can be intentional or unintentional. The primary objective of
obfuscation is to reduce the risk of exposure. It can be done by altering the signature or
fingerprint of malicious code.
6. Spoofing
The act of disguising a communication to gain access to unauthorized systems or data.
Spoofing can be performed through emails, phone calls, and websites. The two most
common ways of spoofing are:
Brute-Force Attack
While certain types of cyber-attacks use sophisticated methods, password attacks can be
relatively simple. Someone may be able to look around a co-worker’s desk to gain certain
clues that can then be used to make educated guesses about potential passwords. This is
what is known as a brute-force password attack. By using some social engineering,
hackers can learn about a user’s hobbies, family, pets, and other details that are
commonly used in insecure passwords. This may seem like an ineffective and
time-consuming method, but it is actually a favorite among hackers because of its simplicity.
Dictionary Attack
With this method, a hacker will use a program that will run through a series of likely
passwords. This technique also relies on knowing some of the psychology of the user as
well as common password variations. The dictionary method will start with common
words and then add different letters and symbols until the password is correctly guessed.
Phishing
Phishing is a bold attack that asks the user for their login information. Sometimes they
will send a slightly threatening email that scares the recipient into taking action. Other
times, they will pose as a member of the company IT team and ask for passwords. This
type of password attack can be difficult to identify before it is too late.
Credential Stuffing
When a breach in cloud security has occurred and hackers have a hold of login
information, they will use this data to try to log into other accounts. Many people use the
same username and password for multiple accounts, and hackers use this to their advantage. In
this way, one data breach can lead to many more, and other accounts can be
compromised.
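Brute force and credential stuffing leave different footprints in authentication logs, and the difference is what a detection rule keys on. The following is an added example, not part of the original module: the log format, IP addresses and user names are constructed for the demo, and the thresholds are assumptions to be tuned per environment.

```python
import re
from collections import Counter, defaultdict

# Constructed log format for the demo: "<time> auth <ok|fail> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$")


def constructed_sample() -> list:
    """Constructed sample: one brute-force burst on a single account, one
    credential-stuffing sweep (many accounts, one try each) that succeeds
    once, and one ordinary user who mistypes a password and then logs in."""
    lines = [f"2024-03-01T09:00:{i:02d}Z auth fail user=jdoe src=203.0.113.7"
             for i in range(12)]
    sweep = ["alice", "bob", "carol", "dan", "erin",
             "frank", "grace", "heidi", "ivan", "judy"]
    lines += [f"2024-03-01T09:05:{i:02d}Z auth fail user={u} src=198.51.100.9"
              for i, u in enumerate(sweep)]
    lines.append("2024-03-01T09:05:30Z auth ok user=carol src=198.51.100.9")
    lines.append("2024-03-01T09:10:00Z auth fail user=dave src=192.0.2.44")
    lines.append("2024-03-01T09:10:30Z auth ok user=dave src=192.0.2.44")
    return lines


def summarize(lines: list) -> dict:
    """Aggregate per source IP: failure/success counts, distinct users
    tried, failures per user, and the users that eventually succeeded."""
    stats = defaultdict(lambda: {"fail": 0, "ok": 0, "users": set(),
                                 "fails_per_user": Counter(), "ok_users": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        s = stats[m["src"]]
        s["users"].add(m["user"])
        if m["result"] == "fail":
            s["fail"] += 1
            s["fails_per_user"][m["user"]] += 1
        else:
            s["ok"] += 1
            s["ok_users"].add(m["user"])
    return dict(stats)


def classify(stats: dict, min_failures: int = 10, min_users: int = 5) -> dict:
    """Label each source.  Brute force: many failures against one or two
    accounts.  Credential stuffing: many accounts with at most a couple of
    tries each, because stolen pairs are replayed, not guessed."""
    verdicts = {}
    for src, s in stats.items():
        if s["fail"] < min_failures:
            continue  # below the noise floor of ordinary typos
        distinct = len(s["users"])
        if distinct >= min_users and max(s["fails_per_user"].values()) <= 2:
            verdicts[src] = "credential_stuffing"
        elif distinct <= 2:
            verdicts[src] = "brute_force"
        else:
            verdicts[src] = "suspicious"
    return verdicts


def at_risk_accounts(stats: dict, verdicts: dict) -> set:
    """Accounts that logged in successfully from a flagged source: their
    password was evidently reused from another breach or guessed, so they
    need a forced reset (and ideally a second factor)."""
    return {u for src in verdicts for u in stats[src]["ok_users"]}


if __name__ == "__main__":
    stats = summarize(constructed_sample())
    verdicts = classify(stats)
    for src, label in verdicts.items():
        print(f"{src}: {label} ({stats[src]['fail']} failures, "
              f"{len(stats[src]['users'])} accounts tried)")
    print("force password reset for:", sorted(at_risk_accounts(stats, verdicts)))
```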
Keylogger Attack
8.6 Spoofing of MAC addresses, Internet Protocol (IP) addresses and emails
MAC spoofing
Every device that is connected to a network possesses a globally unique physical
identification number: the Media Access Control address, or MAC for short. This
burned-in address (BIA) is virtually etched into the hardware by the manufacturer. Users are not
able to change or rewrite the MAC address, but it is possible to mask it on the software
side. This masking is what is referred to as MAC spoofing.
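A burned-in address and a software-assigned one differ in a flag bit of the first octet, which gives a defender a first check when reviewing an ARP cache or DHCP lease table. The following is an added example, not code from the original module; the address table is constructed, and the locally-administered bit is an indicator only, since privacy-randomized addresses set it legitimately.

```python
import re
from collections import defaultdict


def normalize_mac(mac: str) -> bytes:
    """Accept the common spellings (00:1A:2B:3C:4D:5E, 00-1a-2b-3c-4d-5e,
    001a.2b3c.4d5e) and return the six raw bytes."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def mac_flags(mac: str) -> dict:
    """Decode the two flag bits of the first octet.  A manufacturer-assigned
    address has the locally-administered (U/L) bit clear; an address set in
    software, whether spoofed or privacy-randomized, normally has it set."""
    raw = normalize_mac(mac)
    return {
        "multicast": bool(raw[0] & 0x01),             # I/G bit
        "locally_administered": bool(raw[0] & 0x02),  # U/L bit
        "oui": format_mac(raw[:3]),                   # manufacturer prefix
    }


def review_address_table(entries: list) -> list:
    """entries: (ip, mac) pairs from an ARP cache or DHCP lease table.
    Returns (address, reason) findings worth a second look: software-set
    MAC addresses, and one IP answered by more than one MAC, which means
    one of them is impersonating the other."""
    findings = []
    flagged = set()
    macs_for_ip = defaultdict(set)
    for ip, mac in entries:
        raw = normalize_mac(mac)
        macs_for_ip[ip].add(raw)
        if raw[0] & 0x02 and raw not in flagged:
            flagged.add(raw)
            findings.append((format_mac(raw),
                             "locally administered bit set: address was assigned "
                             "in software, not burned in (spoofed or randomized)"))
    for ip, raws in macs_for_ip.items():
        if len(raws) > 1:
            findings.append((ip, "claimed by more than one MAC address: "
                             + ", ".join(sorted(format_mac(r) for r in raws))))
    return findings


if __name__ == "__main__":
    # Constructed table: a normal host, a software-assigned address, and
    # one IP address answered by two different MAC addresses.
    table = [("10.0.0.5", "00:1A:2B:3C:4D:5E"),
             ("10.0.0.9", "02:00:5E:10:00:01"),
             ("10.0.0.1", "00:50:56:AB:CD:EF"),
             ("10.0.0.1", "00-0c-29-11-22-33")]
    for address, reason in review_address_table(table):
        print(f"{address}: {reason}")
```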
Short for electronic mail, e-mail or email is information stored on a computer that is
exchanged between two users over telecommunications. More plainly, e-mail is a
message that may contain text, files, images, or other attachments sent through a network
to a specified individual or group of individuals.
Email Frauds
1. The email account of the victim is hacked by using various tools to capture the password
of the account. This can be achieved by:
• Sending phishing emails purportedly from genuine email accounts of the email service.
The email contains links that prompt you to visit a page to update your password and
other credentials on the pretext of a system update, data loss, technology upgrade,
regulatory compliance, etc. The links direct you to a fake page where, once you enter
your login ID and password, they are stealthily stolen by the fraudsters.
• Email accounts with 2-factor authentication can also be hacked when users share
their OTP with fraudsters after being tricked by social engineering.
2. Once an email account has been hacked, the criminal can misuse the account for the
following purposes:
• Sending SOS mails to all your contacts asking for money, citing some emergency such
as a passport or wallet getting stolen in a foreign country.
• Sending mails to your clients and customers asking for payment of dues/remittances into
a different bank account, thus swindling your money.
• Using the unauthorized access to your email to gain access to your other online
accounts, such as other email accounts, net-banking accounts, social media accounts, etc.
Preventive Measures
2. Do not open SPAM mails or e-mails sent from unknown senders. Do not click on any
link sent in such mails.
3. Be cautious while opening links sent in unsolicited e-mails even if they are sent from
someone in your contact list. A known contact’s email account may have been
compromised and thereafter used to send malicious code to unsuspecting contacts.
4. Do not click on attractive and tempting links sent over a WhatsApp message or routine
SMS. They may lead you to malicious pages and cause malware intrusion on your
system/device. Hackers use social engineering to trick you into clicking the links. Don’t
fall for it.
5. Keep your e-mail password long and hard to guess. The password should have at least 8
characters, including at least one upper-case letter, one lower-case letter, one numeral and
one special character.
6. Don’t store your passwords on your device. Anyone getting access to your device will
easily get to know your passwords.
7. Don’t disclose your password to anyone and keep changing it at regular intervals.
8. Always have a lock screen on your smartphone, tablet, laptop, etc., protected by a PIN
or password. Do not leave your device open and unattended even for a minute, especially in
public places and at your workplace.
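The password rule in measure 5 and the dictionary attack described earlier are two sides of one problem: a password can satisfy every character-class rule and still be a common word with digits and symbols tacked on, which is exactly what a dictionary attack tries first. The checker below is an added example, not part of the original module; the word list and the leetspeak table are constructed stand-ins for the large lists an attacker (and a real checker) would use.

```python
import re
import string

# Constructed sample of words a dictionary attack would try first; a real
# checker would load a large wordlist instead of this handful.
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein", "zimbabwe",
                "harare", "police", "football", "sunshine"}

# Typical character substitutions that an attacker's mangling rules undo.
LEET = str.maketrans("@$013!", "asolei")


def policy_violations(password: str) -> list:
    """Return the requirements of the module's rule (8+ characters, one
    upper-case, one lower-case, one numeral, one special) that are not met."""
    checks = {
        "at least 8 characters": len(password) >= 8,
        "an upper-case letter": any(c.isupper() for c in password),
        "a lower-case letter": any(c.islower() for c in password),
        "a numeral": any(c.isdigit() for c in password),
        "a special character": any(c in string.punctuation for c in password),
    }
    return [name for name, ok in checks.items() if not ok]


def dictionary_base(password: str):
    """Undo the mangling a dictionary attack applies (digits or symbols on
    either end, leetspeak, capitalisation) and return the common word that
    is left, or None if no listed word remains."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    word = core.translate(LEET).lower()
    return word if word in COMMON_WORDS else None


def assess(password: str) -> dict:
    """Combine both checks.  A password that passes the policy but reduces
    to a dictionary word still falls to a dictionary attack, so acceptance
    requires passing both."""
    violations = policy_violations(password)
    base = dictionary_base(password)
    return {
        "meets_policy": not violations,
        "violations": violations,
        "dictionary_word": base,
        "accept": not violations and base is None,
    }


if __name__ == "__main__":
    for pw in ["P@ssw0rd1!", "Zimbabwe2024!", "short1!", "Tq7#vLm2pR"]:
        print(f"{pw!r}: {assess(pw)}")
```

"P@ssw0rd1!" satisfies all five policy requirements yet reduces to "password", which is why the rule alone is not enough.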
URL masking, also known as cloaked URL forwarding or link cloaking, uses the
domain name for your website in a different way. In this case, the domain points to a
page containing a frame which shows your website within it. No matter which page you
click on your website, the URL in your address bar stays the same. Your domain is cloaking
or masking the real address of your website, which is the server the pages are hosted on.
For example, if your URL is www.MyWebsite.com, and a user clicks away from your
homepage to another page (such as your contact page), the address bar does not change.
On a website with a properly hosted domain, the URL in your address bar
would change with each page visited, so the contact page on your website would show as
www.MyWebsite.com/contact/. Cloaked URLs are common with free web hosts, which
let users build a site and select domains that are only pointed to pages with the frames
mentioned above.
The dangers of URL masking: for site owners and site users
First, site visitors are not able to see the direct addresses of the pages that they are visiting
on a webpage, which means they are not able to bookmark or share specific sections of a
website.
If you have content that you would like your users to share and link back to, they are
unable to because they do not have the actual URL for each page of your website.
Cloaked URLs also have negative effects on a website’s search engine rankings.
Because websites with masked URLs are hosted on servers with entirely different
addresses, search engines will crawl them on those servers, rather than the domain that
website owners or managers want them to be crawled on.
Search engines actively punish websites with cloaked URLs because they are
flagged for duplicate content: if two different sites serve exactly the same
content, Google will penalize sites with duplicate content. URL masking can also be used to
create malicious websites that hide their real addresses from users for nefarious
purposes such as phishing or malware deployment. Even if a website owner has good
intentions for using URL masking, it can be prevented from working properly. It is
also used for a practice called clickjacking, which has been used to trick users into
performing actions such as adding likes on social media sites or clicking on ads,
none of which the user intended to do.
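Both cloaked forwarding and clickjacking depend on loading the real site inside a frame controlled by someone else, so the defensive question for a site owner is whether its response headers permit that. The checker below is an added example, not code from the original module; the header values and origins are constructed, and unrecognised header values are treated conservatively as offering no protection.

```python
def _header(headers: dict, name: str):
    """Case-insensitive lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _csp_frame_ancestors(csp: str):
    """Return the source list of the frame-ancestors directive, or None if
    the Content-Security-Policy does not set one."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def _source_matches(source: str, framer: str, page: str) -> bool:
    """Match one frame-ancestors source against the framing origin.
    Handles 'none', 'self' and explicit origins given as origin or host."""
    if source == "'none'":
        return False
    if source == "'self'":
        return framer == page
    return source == framer or source == framer.split("://", 1)[-1]


def can_be_framed_by(headers: dict, framer_origin: str, page_origin: str) -> bool:
    """Decide whether a page served with these response headers may be
    placed in a frame by framer_origin.  A CSP frame-ancestors directive,
    when present, takes precedence over X-Frame-Options; with neither
    header the page can be framed by any site."""
    framer, page = framer_origin.lower(), page_origin.lower()
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = _csp_frame_ancestors(csp)
        if sources is not None:
            return any(_source_matches(s, framer, page) for s in sources)
    xfo = _header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value == "DENY":
            return False
        if value == "SAMEORIGIN":
            return framer == page
        # ALLOW-FROM is obsolete and other values are invalid; a review
        # should assume they give no protection.
    return True


if __name__ == "__main__":
    # Constructed origins and header sets for the demo.
    page = "https://www.mywebsite.com"
    other = "https://unrelated.example"
    cases = {
        "no header": {},
        "X-Frame-Options: DENY": {"X-Frame-Options": "DENY"},
        "CSP frame-ancestors 'self'": {"Content-Security-Policy":
                                       "default-src 'self'; frame-ancestors 'self'"},
    }
    for label, hdrs in cases.items():
        print(f"{label:30} framed by other site: {can_be_framed_by(hdrs, other, page)}")
```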
Network Scanning
“Network scanning” is the process that allows you to determine all the active devices on your
network. Active scanning is when the tool sends a ping to each device on the network.
Network scanning can also refer to packet sniffing, or passive scanning, which captures
and tracks the traffic moving over the network in the form of data packets.
This approach looks at network information as soon as a device or system appears and
starts sending messages to the network.
Mobile device forensics is the science of recovering digital evidence from a mobile
device under forensically sound conditions using accepted methods. Mobile device
forensics is an evolving specialty in the field of digital forensics and there are stages
which need to be followed when conducting mobile forensics.
This stage pertains to the physical seizure of the device so that it comes under the
management and custody of the investigator/examiner. Consideration should also be
given to the legal authority or written consent to seize, extract, and search
this information. The physical condition of the device at the time of seizure ought to be
noted, ideally through digital photographic documentation and written notes, such as:
Is the device damaged? If yes, document the type of damage.
Is the device switched on or off at the time of seizure?
What is the date and time on the device if the device is on?
If the device is on, what apps are running in the background on the device?
If the device is on, is the device screen accessible to check for passcode and
security settings?
Seizing, handling, storing, and extracting mobile devices should follow a special route
compared to desktop and even laptop computers.
Faraday bags are used to temporarily store seized devices without powering them
down.
When handling a seized device, it is essential to prevent the device from powering off.
Never power off an operating device. Since mobile devices consume power even while
the display is off, the standard practice is to attach the device to a charger and place it into
a wireless-blocking Faraday bag. This prevents the mobile device from shutting down
after reaching a low-power state.
The procedure is very important because more information can be extracted from a
device that was used or unlocked at least once after the last boot cycle than from a
device that boots up in your laboratory and for which you do not know the passcode. To
illustrate the potential outcome, let’s say you seized an iPhone locked with an unknown
passcode. The iPhone happens to be jailbroken, so you can attempt to use Elcomsoft
iOS Forensic Toolkit to extract data.
If the device is locked and you don’t know the passcode, you will have access to a
very limited set of data:
Recent geolocation information: Since the location database remains encrypted,
it is only possible to extract limited location data. This limited location data is only
accessible if the device was unlocked at least once after the boot has
completed. As a result, if you keep the device powered on, you will be able to pull recent
geolocation history from this device. If, however, the device shuts down and is
only powered on in the laboratory, the geolocation information will stay
inaccessible until the device is unlocked.
Incoming calls and text messages: Incoming text messages are temporarily
kept unencrypted before the first unlock after a cold boot. Once the device is
unlocked for the first time after a cold boot, the messages are transferred into the
main encrypted database. This implies that acquiring a device that was never
unlocked after a cold start only permits access to text messages received by the
device during the time it remained locked after the boot.
These write-ahead log (WAL) files might include messages received by applications like Skype, Viber,
Facebook Messenger, and so on. Once the device is unlocked, the data is merged with the
corresponding apps’ main databases. When extracting a device after a cold boot, you may
only have access to notifications received after the boot. If, however, you are extracting a
device that was unlocked at least once after booting up, you will be able to extract
all the messages.
This stage refers to various methods of extracting information from the device. The ways
of data extraction that may be used are influenced by the following:
Type of mobile device: The make, model, hardware, software, and vendor configuration.
Physical state of device: Has the device been exposed to damage, such as physical damage,
water, or biological fluids like blood? Usually the type of damage will dictate the
information extraction measures employed on the device.
There are many different kinds of data extraction, which determine how much data is
obtained from the device:
Physical: A binary image of the device has the greatest potential to recover
deleted data and obtains the largest quantity of information from the device. This
can be the most challenging type of extraction to obtain.
File system: This is a representation of the files and folders from the user area of the
device, and might contain deleted information specific to databases. This
technique will yield less information than a physical data extraction.
Logical: This acquires the least amount of data from the device. Examples of this
are call history, messages, contacts, pictures, movies, audio files, and so on. This
is referred to as low-hanging fruit. No deleted data or source files are obtained.
Often the resulting output is a series of reports created by the extraction tool.
This is usually the simplest and fastest type of extraction.
Photographic documentation: This method is usually used when all other data
extraction methods are exhausted. During this procedure, the examiner uses a
digital camera to photographically document the content being displayed by the
device. This is a lengthy method when there is an extensive quantity of information to
photograph.
This stage of mobile device forensics entails analysis of the acquired information from
the device and its components (SIM card and memory card if present). Most mobile
A system image is a file or set of files that contains everything on a PC’s hard drive, or
just from one single partition. A system imaging program looks at the hard drive, copying
everything bit by bit. You then have a complete system image you can copy back onto a
drive to restore the system state.
1. Do not change the current state of the device: If the device is OFF, it must be
kept OFF and if the device is ON, it must be kept ON. Call a forensics expert before
doing anything.
2. Power down the device: In the case of mobile phones, if it is not charged, do
not charge it. If the mobile phone is ON, power it down to prevent any data
wiping or data overwriting due to automatic booting.
3. Do not leave the device in an open area or unsecured place: Ensure that the
device is not left unattended in an open area or unsecured area. You need to
document things like where the device is, who has access to the device, and when it
is moved.
4. Do not plug any external storage media in the device: Memory cards, USB
thumb drives, or any other storage media that you might have, should not be
plugged into the device.
5. Do not copy anything to or from the device: Copying anything to or from the
device will cause changes in the slack space of the memory.
6. Take a picture of the piece of evidence: Ensure that you take pictures of the
evidence from all sides. If it is a mobile phone, capture pictures from all
sides, to show that the device has not been tampered with before the forensic experts arrive.
7. Make sure you know the PIN/ Password Pattern of the device: It is very
important for you to know the login credentials of the device and share them with the
forensic experts so that they can carry out their job seamlessly.
8. Do not open anything like pictures, applications, or files on the
device: Opening any application, file, or picture on the device may cause data loss or
memory being overwritten.
9. Do not trust anyone without forensics training: Only a certified forensics
expert should be allowed to investigate or view the files on the original device.
Untrained persons may cause the deletion of data or the corruption of important
information.
10. Make sure you do not shut down the computer; if required, hibernate
it: Digital evidence can be extracted from both the disk drives and the
volatile memory. Hibernation mode will preserve the contents of the volatile
memory until the next system boot.
With the understanding that computer systems and networks contain potential
evidence that could be destroyed if traditional computer evidence collection
methods are employed, investigators can use the following basic steps when
collecting volatile evidence:
1. Maintain a log of all actions conducted on a running machine.
2. Photograph the screen of the running system to document its state.
3. Identify the operating system running on the suspect machine.
4. Note date and time, if shown on screen, and record with the current actual time.
5. Dump the RAM from the system to a removable storage device.
6. Check the system for the use of whole disk or file encryption.
7. Collect other volatile operating system data and save to a removable storage
device.
8. Determine evidence seizure method (of hardware and any additional artifacts
on the hard drive that may be determined to be of evidentiary value).
9. Complete a full report documenting all steps and actions taken.
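Steps 1, 4, 5, 7 and 9 above come down to one discipline: every action on the live machine is logged with a trusted time, the device clock is recorded against that time, and every artifact is hashed the moment it is collected. The class below is an added example, not code from the original module; the case number, examiner name, clock readings and the byte string standing in for a memory dump are all constructed for the demo.

```python
import hashlib
from datetime import datetime, timezone


class ActionLog:
    """Step 1: a running, timestamped record of everything done on the live
    machine; step 9 turns it into the report."""

    def __init__(self, case_id: str, examiner: str):
        self.case_id = case_id
        self.examiner = examiner
        self.entries = []

    def add(self, action: str, detail: str = "", when=None) -> dict:
        """Append one entry.  `when` defaults to the current UTC time; the
        demo passes fixed times so the output is reproducible."""
        stamp = when or datetime.now(timezone.utc)
        entry = {"seq": len(self.entries) + 1,
                 "utc": stamp.isoformat(timespec="seconds"),
                 "action": action, "detail": detail}
        self.entries.append(entry)
        return entry

    def record_clock_skew(self, device_time: datetime, actual_time: datetime) -> int:
        """Step 4: compare the on-screen clock with a trusted clock so that
        timestamps recovered later can be corrected.  Returns device minus
        actual in seconds (negative means the device clock runs slow)."""
        skew = int((device_time - actual_time).total_seconds())
        self.add("clock check",
                 f"device shows {device_time.isoformat()}, actual "
                 f"{actual_time.isoformat()}, device is {skew:+d} s off",
                 when=actual_time)
        return skew

    def record_artifact(self, name: str, data: bytes, when=None) -> str:
        """Steps 5 and 7: hash each dump the moment it is written, so any
        later alteration of the copy is detectable."""
        digest = hashlib.sha256(data).hexdigest()
        self.add("collected artifact",
                 f"{name} size={len(data)} sha256={digest}", when=when)
        return digest

    def report(self) -> dict:
        return {"case_id": self.case_id, "examiner": self.examiner,
                "entries": list(self.entries)}


def verify_artifact(data: bytes, recorded_sha256: str) -> bool:
    """Recompute the hash of a copy and compare it with the logged value."""
    return hashlib.sha256(data).hexdigest() == recorded_sha256


def constructed_demo() -> tuple:
    """Walk the steps with constructed data.  CASE-DEMO-001 and the examiner
    name are placeholders; the 'dump' is a stand-in byte string, not memory."""
    log = ActionLog("CASE-DEMO-001", "Examiner (placeholder)")
    actual = datetime(2024, 3, 1, 9, 0, 0, tzinfo=timezone.utc)
    log.add("photograph screen", "state recorded before touching the keyboard",
            when=actual)
    log.add("identify OS", "lock screen banner shows Windows 10 (constructed)",
            when=actual)
    skew = log.record_clock_skew(
        datetime(2024, 3, 1, 8, 57, 30, tzinfo=timezone.utc), actual)
    dump = b"\x00" * 1024 + b"constructed stand-in for a RAM dump"
    digest = log.record_artifact("ram.dmp", dump, when=actual)
    log.add("encryption check", "no full-disk encryption indicators found "
            "(constructed note)", when=actual)
    return log, skew, digest, dump


if __name__ == "__main__":
    log, skew, digest, dump = constructed_demo()
    for e in log.report()["entries"]:
        print(f'{e["seq"]}. [{e["utc"]}] {e["action"]}: {e["detail"]}')
    print("copy intact:", verify_artifact(dump, digest))
```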
Autopsy
Autopsy is a GUI-based open source digital forensic program to analyze hard drives and
smartphones efficiently. Autopsy is used by thousands of users worldwide to investigate
what happened on a computer.
It is widely used by corporate examiners and the military. Some of its features are:
Email analysis
File type detection
Media playback
Registry analysis
Photos recovery from memory card
Extract geolocation and camera information from JPEG files
Extract web activity from a browser
Show system events in a graphical interface
Timeline analysis
Extract data from Android – SMS, call logs, contacts, etc.
Wireshark
Wireshark is a network capture and analyzer tool to see what’s happening in your
network. Wireshark will be handy to investigate the network-related incident.
Magnet RAM Capture
You can use Magnet RAM Capture to capture the physical memory of a computer and
analyze artifacts in memory.
Network Miner
An interesting network forensic analyzer for Windows, Linux & Mac OS X that detects the
OS, hostname, sessions, and open ports through packet sniffing or from a PCAP
file. Network Miner presents extracted artifacts in an intuitive user interface.
NMAP
NMAP (Network Mapper) is one of the most popular network and security auditing
tools. NMAP is supported on most operating systems, including Windows, Linux,
Solaris, Mac OS, HP-UX, etc. It is open source and free.
RAM Capturer
RAM Capturer by Belkasoft is a free tool to dump the data from a computer’s volatile
memory. It is compatible with Windows OS. Memory dumps may contain passwords for encrypted
volumes and login credentials for webmail and social network services.
Forensic Investigator
WHOIS/GeoIP lookup
Ping
Port scanner
Banner grabber
URL decoder/parser
XOR/HEX/Base64 converter
SMB Share/NetBIOS viewer
Virus Total lookup
IP tracking tools identify users, collect online details and obtain IP addresses. They view,
download and process enriched IP tracker data. Open tracker records each unique user and
traces their IP address. An IP tracer is used to identify where an IP address originates from.
Email tracking means monitoring opens and clicks of emails to follow up with
leads, job applicants, and partners. On the other hand, it may be referred to as
checking the metrics of your email marketing campaigns to improve their quality
and efficiency.
Snov.io
Mail Track
Orange box
Email analysis tools are digital forensic programs built and designed to examine email
messages from both web-based and desktop email clients.
Facebook, Instagram, Twitter, Snapchat and WhatsApp are not the only social media
platforms. Social media platforms are classified on the basis of their primary
purpose. Following are the different types of social networking platforms.
1. Social Networks
Also sometimes called “relationship networks”, social networks enable people and
organizations to connect online to exchange information and ideas.
2. Media Sharing Networks
Media sharing networks enable users and brands to search for and share media online. This
includes photos, videos, and live videos.
Use: To search for and share photos, videos, live videos, and other forms of media
online.
3. Discussion Forums
One of the oldest types of social media platforms, discussion forums are an excellent
resource for market research. They provide a wide range of information and discussion
on various subjects.
Such social networking platforms enable people to explore and discuss trending media
and content. These platforms are the epicenter of creativity for those seeking new ideas
and information.
Use: To explore, save, exchange, and discuss new and trending content and media.
Examples: Pinterest, Flipboard
Use: To find, advertise, share, and trade products and services online.
As the name itself states, such social networks enable users to share content
anonymously. Thus, miscreants are increasingly misusing such platforms for
cyberbullying.
On the positive side, one may use social media platforms to socialize and communicate
with near and dear ones. However, it is the anonymous and diverse nature of social
networking platforms that miscreants use for unethical activities. Innocent-looking
profiles can often be a masquerade for fraudsters, phishers, child predators, lechers, and
other cyber criminals. In spite of the stringent policies imposed by social media platforms,
there are fake profiles on Facebook. Additionally, the abundance of personal information
available on social networking platforms renders them a favorite of cyber criminals. After
the compromise of a profile, a hacker can access, manipulate and misuse its information
for various malicious activities. Other unscrupulous activities on such platforms include
stalking, bullying, defamation, circulation of illegal or pornographic material, etc.
1. Hacking
This happens when you are not able to log into your account because someone has
broken into your account and taken complete control over it. Facebook is the most
hacked social networking site.
2. Photo Morphing
Photo morphing is the use of editing to change an image/shape into another without much
difficulty. Miscreants morph the images of popular figures and upload them on adult
websites or use them to blackmail the victims for sexual or financial favors.
People are known to fall for offer and shopping scams on social networking
platforms. For example, a miscreant uses a shopping offer to make a user click on a link.
Once clicked, it prompts the user to forward it to 5 people to receive the coupon. However,
the user does not get any coupon, but the cybercriminal gets their personal information!
4. Dating Scams
In such scams, the fraudster connects with the victim using a fake name and picture.
Once they befriend the victim, they move to a different platform for further
communication. Once they realize that the victim has fallen for them, they first send small
gifts, and later start demanding emergency monetary help, such as recharging their phone
to talk, medical reasons and more. At times, fraudsters may also record video calls or
the screen, and later use the recordings to blackmail the victim.
5. Cyberbullying
6. Link Baiting
In such scams, the fraudster sends the victim a link that entices the victim to open it. On
opening, it leads to a fake landing page which prompts the victim to enter his/her account
credentials. This provides the credentials to the cybercriminal, who later uses them for illicit
activities.
Example: The victim gets a message: “Somebody just put up these pictures of you drunk
at this wild party! Check them out here!”
Immediately, the victim clicks on the enclosed link, which leads to his/her Twitter or
Facebook login page. Once the victim enters his/her account details, the cybercriminal
has the password and can take total control of the account.
Social media forensics involves the application of cyber investigation and digital analysis
techniques for:
Collecting information from social networking platforms such as Facebook,
Twitter, LinkedIn etc.,
Storing,
Analyzing, and
Preserving the information for presenting a case in a court of law.
Social media forensics is basically about locating the source of electronic evidence. This
is followed by collecting it in an unaltered way while complying with all applicable laws.
Social media forensics has three basic stages for the extraction, preservation, and analysis
of electronic evidence.
1. Evidence Identification
This step involves a thorough inspection of the crime scene to locate any hardware or
software that is worthy of collection. It also includes conducting a basic search to identify
all social networking accounts linked to the subject, and furthermore a search of all of the
subject’s family, friends and associates on social media. A forensic examiner needs to
precisely document all sources of evidence along with how and when each was found.
2. Collection
Forensic investigators use various methods to collect electronic evidence. Following are
the methods for social media evidence collection.
Manual documentation
Screen scrape/Screenshot
Open source tools (HTTrack)
Commercial tool (X1)
Web service (Page freezer)
Forensic recovery
Content subpoena
Cyberterrorism can be explained as internet terrorism. With the advent of the internet,
individuals and groups are misusing its anonymity to threaten individuals, certain
groups, religions, ethnicities or beliefs. Cyberterrorism can be broadly categorized under
three major categories:
Simple: This consists of basic attacks including the hacking of an individual system.
Advanced: These are more sophisticated attacks and can involve hacking multiple
systems and/or networks.
Complex: These are coordinated attacks that can have a large-scale impact and make use
of sophisticated tools.
Examples include attacks against critical physical infrastructure, such as water pipes,
electricity, gas, fuel, public transportation control systems, or bank payment systems,
which deny the provision of essential service for a given time, or in more severe cases,
even cause physical damage by attacking the command
Arms trafficking or gunrunning is the illicit trade of contraband small arms and
ammunition, which constitutes part of a broad range of illegal activities often associated
with transnational criminal organizations.
The most commonly trafficked drugs are cocaine, heroin, morphine, cannabis sativa
(Indian hemp) and crystal methamphetamine.
Human trafficking involves the use of force, fraud, or coercion to obtain some type of
labor or commercial sex act.
2. Through the Means of force, fraud, or coercion. Examples of force include physical
abuse or assault, sexual abuse or assault, or confinement. Examples of fraud include false
promises of work/living conditions, withholding promised wages, or contract fraud.
Coercion may include threats of harm to self or others, debt bondage, psychological
manipulation, or document confiscation.
Examples
Adults and children can be trafficked or enslaved and forced to sell their bodies
for sex. People are also trafficked or enslaved for labour exploitation, for example:
to work on a farm or in a factory, or to work in a house as a servant, maid or nanny.
Core Texts
Cybercrime in Zimbabwe and Globally https://pdf4pro.com
Media Institute for Southern Africa-Zim & Digital Society of Zimbabwe.
2016. Position paper on Proposed Draft Cybercrime and Cyber-security
Media Institute for Southern Africa – Zimbabwe. 2017.
Commentary on Cybercrime and Cyber security Bill Issue 4. [Online].
Legal Protocols Government of Zimbabwe. 2017.
Computer Crime and Cyber Crime Bill.
The Government of Zimbabwe, Criminal Law [Codification and Reform] Act.2004
Money laundering cybercrimes
Electronic Resources
JOURNALS AND ARTICLES
Zimbabwe Republic Police Strategic Documents