
Unit 1

Cyber forensics is the process of extracting data from electronic devices as evidence of a crime,
following proper investigation rules so that the evidence can be presented in court and the culprit
identified. Cyber forensics is also known as computer forensics. Its main aim is to maintain the
chain of evidence and documentation needed to establish who committed the crime digitally. Cyber
forensics can do the following:
- It can recover deleted files, chat logs, emails, etc.
- It can also recover deleted SMS messages and phone call records.
- It can recover audio of phone conversations, where they were recorded.
- It can determine which user used which system and for how long.
- It can identify which user ran which program.

Why is cyber forensics important?

Technology combined with forensics paves the way for quicker investigations and more accurate
results. The following points show the importance of cyber forensics:
- Cyber forensics helps in collecting important digital evidence to trace the criminal.
- Electronic equipment stores massive amounts of data that an ordinary person never sees. For
example, in a smart home every spoken command and every action performed by a smart device
generates data, which can be crucial in cyber forensics.
- It also helps innocent people prove their innocence through the evidence collected online.
- It is used not only to solve digital crimes but also to solve real-world crimes such as theft
and murder.
- Businesses benefit equally from cyber forensics when tracking system breaches and finding
the attackers.

The Process Involved in Cyber Forensics

1. Obtaining a digital copy (image) of the system that is being, or is required to be, inspected.
2. Authenticating and verifying the copy.
3. Recovering deleted files (using the Autopsy tool).
4. Using keywords to find the information you need.
5. Producing a technical report.
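Steps 1, 2 and 4 of the process above, as an added example that is not part of these notes: the constructed SAMPLE_DEVICE bytes stand in for a seized drive, the acquisition hash is computed while the image is copied, the stored image is re-hashed to verify it (a single flipped byte is shown to fail verification), and a keyword search reports byte offsets inside the image.

```python
import hashlib
import io

CHUNK_SIZE = 4096


def acquire(source, sink) -> str:
    """Steps 1 and 2 in one pass: copy `source` to `sink` in fixed-size chunks and
    hash every chunk as it is read, so the returned acquisition hash covers exactly
    the bytes that were written to the image."""
    digest = hashlib.sha256()
    while chunk := source.read(CHUNK_SIZE):
        digest.update(chunk)
        sink.write(chunk)
    return digest.hexdigest()


def verify_image(image: bytes, acquisition_hash: str) -> bool:
    """Re-hash the stored image and compare with the hash recorded at acquisition."""
    return hashlib.sha256(image).hexdigest() == acquisition_hash


def keyword_offsets(image: bytes, keyword: str) -> list:
    """Step 4: byte offsets of every case-insensitive ASCII match of `keyword`."""
    needle = keyword.lower().encode("ascii")
    haystack = image.lower()
    hits, pos = [], haystack.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = haystack.find(needle, pos + 1)
    return hits


# Constructed stand-in for a seized device: 20 KB of zero filler with two planted strings.
SAMPLE_DEVICE = (b"\x00" * 5000 + b"Transfer to account 4711 approved\n"
                 + b"\x00" * 10000 + b"approved by ALICE on 2024-01-02\n" + b"\x00" * 5000)


def demo() -> dict:
    """Run the three steps and show that a one-bit change makes verification fail."""
    image = io.BytesIO()
    acq_hash = acquire(io.BytesIO(SAMPLE_DEVICE), image)
    image_bytes = image.getvalue()
    tampered = bytearray(image_bytes)
    tampered[5003] ^= 0x01                       # flips one bit inside the first string
    return {
        "hash": acq_hash,
        "verified": verify_image(image_bytes, acq_hash),
        "tampered_verified": verify_image(bytes(tampered), acq_hash),
        "hits": keyword_offsets(image_bytes, "approved"),
    }


if __name__ == "__main__":
    print(demo())
```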

How do cyber forensics experts work?

Cyber forensics is a field that follows set procedures to find evidence and reach conclusions
after proper investigation. The procedures that cyber forensic experts follow are:

- Identification: The first step is to identify what evidence is present, where it is stored,
and in which format it is stored.
- Preservation: After identifying the data, the next step is to preserve it safely and prevent
other people from using the device, so that no one can tamper with the data.
- Analysis: Once the data has been preserved, the next step is to analyze the data or system. Here
the expert recovers deleted files, verifies the recovered data, and finds the evidence that the
criminal tried to erase by deleting secret files. This process may take several iterations to
reach a final conclusion.
- Documentation: After the analysis a record is created. This record contains all the recovered
and available (not deleted) data, which helps in recreating the crime scene and reviewing it.
- Presentation: This is the final step, in which the analyzed data is presented in court to solve
the case.

Types of computer forensics

There are multiple types of computer forensics, depending on the field in which digital investigation
is needed. The fields are:
- Network forensics: This involves monitoring and analyzing the network traffic to and from the
criminal's network. The tools used here are network intrusion detection systems and other
automated tools.
- Email forensics: In this type of forensics, the experts check the criminal's email and recover
deleted email threads to extract crucial information related to the case.
- Malware forensics: This branch deals with hacking-related crimes. Here, the forensics expert
examines the malware (trojans and similar) to identify the attacker behind it.
- Memory forensics: This branch deals with collecting raw data from memory (cache, RAM, etc.)
and then retrieving information from that data.
- Mobile phone forensics: This branch generally deals with mobile phones; the experts examine
and analyze data taken from the phone.
- Database forensics: This branch examines and analyzes the data in databases and their related
metadata.
- Disk forensics: This branch extracts data from storage media by searching for modified, active,
or deleted files.

Techniques that cyber forensic investigators use

Cyber forensic investigators use various techniques and tools to examine the data. Some of the
commonly used techniques are:
- Reverse steganography: Steganography is a method of hiding important data inside a digital
file, image, etc. Cyber forensic experts therefore perform reverse steganography to analyze the
data and find its relation to the case.
- Stochastic forensics: In stochastic forensics, the experts analyze and reconstruct digital
activity without using digital artifacts. Here, artifacts mean unintended alterations of data that
occur as a result of digital processes.
- Cross-drive analysis: In this process, the information found on multiple computer drives is
correlated and cross-referenced to analyze and preserve information that is relevant to the
investigation.
- Live analysis: In this technique, the suspect's computer is analyzed from within the running
operating system. It targets the volatile data in RAM to obtain valuable information.
- Deleted file recovery: This involves searching memory and storage for fragments of a partially
deleted file in order to recover it for evidence purposes.

Advantages

- Cyber forensics ensures the integrity of the computer.
- Through cyber forensics, many people, companies, etc. get to know about such crimes and can
take proper measures to avoid them.
- Cyber forensics finds evidence on digital devices and presents it in court, which can lead to
the punishment of the culprit.
- It can efficiently track down a culprit anywhere in the world.
- It helps people and organizations protect their money and time.
- The relevant findings can be publicized and used to make the public aware of such crimes.

What skills are needed to be a cyber forensic expert?

The following skills are required to be a cyber forensic expert:

- Knowledge of various technologies: computers, mobile phones, network hacks, security breaches,
etc.
- The expert should be very attentive while examining large amounts of data to identify
proof/evidence.
- The expert must be aware of criminal law, criminal investigation procedure, etc.
- The expert must keep up to date with the latest technology.
- Cyber forensic experts must be able to analyse the data, derive conclusions from it and make
proper interpretations.
- The expert's communication skills must be good, so that when evidence is presented in court
everyone understands each detail with clarity.
- The expert must have strong knowledge of basic cyber security.

Digital Evidence and Forensics

Digital evidence is information stored or transmitted in binary form that may be relied on in court. It
can be found on a computer hard drive or a mobile phone, among other places. Digital evidence is
commonly associated with electronic crime, or e-crime, such as child pornography or credit card
fraud. However, digital evidence is now used to prosecute all types of crimes, not just e-crime. For
example, suspects' e-mail or mobile phone files might contain critical evidence regarding their intent,
their whereabouts at the time of a crime and their relationship with other suspects.

In an effort to fight e-crime and to collect relevant digital evidence for all crimes, law enforcement
agencies are incorporating the collection and analysis of digital evidence, also known as computer
forensics, into their infrastructure. Law enforcement agencies are challenged by the need to train
officers to collect digital evidence and keep up with rapidly evolving technologies such as computer
operating systems.

What is Internet Fraud?

Internet fraud involves using online services and software with access to the internet to defraud or
take advantage of victims. The term "internet fraud" generally covers cybercrime activity that takes
place over the internet or on email, including crimes like identity theft, phishing, and other hacking
activities designed to scam people out of money.

Internet scams that target victims through online services account for millions of dollars worth of
fraudulent activity every year. And the figures continue to increase as internet usage expands and
cyber-criminal techniques become more sophisticated.

Internet fraud offenses are prosecuted under state and federal law.

Types of Internet Fraud

Cyber criminals use a variety of attack vectors and strategies to commit internet fraud. These include
malicious software, email and instant messaging services used to spread malware, spoofed websites
that steal user data, and elaborate, wide-reaching phishing scams.
Internet fraud can be broken down into several key types of attacks, including:

1. Phishing and spoofing: The use of email and online messaging services to dupe victims into sharing
personal data, login credentials, and financial details.
2. Data breach: Stealing confidential, protected, or sensitive data from a secure location and moving it
into an untrusted environment. This includes data stolen from both users and organizations.
3. Denial of service (DoS): Interrupting access to an online service, system, or network with
malicious intent.
4. Malware: The use of malicious software to damage or disable users' devices or to steal personal and
sensitive data.
5. Ransomware: A type of malware that prevents users from accessing critical data and then demands
payment with the promise of restoring access. Ransomware is typically delivered via phishing attacks.
6. Business email compromise (BEC): A sophisticated form of attack targeting businesses that
frequently make wire payments. It compromises legitimate email accounts through social engineering
techniques in order to submit unauthorized payments.

To avoid hackers’ internet fraud attempts, users need to understand common examples of internet
fraud and tactics.

Email Phishing Scams

The attack aims to encourage people to click on a link that leads to a malicious or spoofed website
designed to look like a legitimate website, or open an attachment that contains malicious content.

The hacker first compromises a legitimate website or creates a fake website. They then acquire a list
of email addresses to target and distribute an email message that aims to dupe people into clicking on
a link to that website. When a victim clicks the link, they are taken to the spoofed website, which will
either request a username and password or automatically download malware onto their device, which
will steal data and login credential information. The hacker can use this data to access the user’s
online accounts, steal more data like credit card details, access corporate networks attached to the
device, or commit wider identity fraud.

Greeting Card Scams

Many internet fraud attacks focus on popular events to scam the people that celebrate them. This
includes birthdays, Christmas, and Easter, which are commonly marked by sharing greeting cards
with friends and family members via email. Hackers typically exploit this by installing malicious
software within an email greeting card, which downloads and installs onto the recipient’s device when
they open the greeting card.

Credit Card Scams

Credit card fraud typically occurs when hackers fraudulently acquire people's credit or debit card
details in an attempt to steal money or make purchases.

To obtain these details, internet fraudsters often use too-good-to-be-true credit card or bank loan offers
to lure victims.

Online Dating Scams

Scammers typically create fake profiles to interact with users, develop a relationship, slowly build
their trust, create a phony story, and ask the user for financial help.

Lottery Fee Fraud

Lottery fee fraudsters typically craft emails to look and sound believable, which still results in many
people falling for the scam. The scam targets people's dreams of winning massive amounts of money,
even though they may have never purchased a lottery ticket.

The Nigerian Prince

The scam uses the premise of a wealthy Nigerian family or individual who wants to share their wealth
in return for assistance in accessing their inheritance. It uses phishing tactics to send emails that
outline an emotional backstory, then lures victims into a promise of significant financial reward. The
scam typically begins by asking for a small fee to help with legal processes and paperwork with the
promise of a large sum of money further down the line.

CYBER FORENSIC CHALLENGES

These challenges are categorized into five broad areas: hardware challenges, software challenges,
cloud forensic challenges, legal challenges and human challenges.

HARDWARE CHALLENGES - Studies suggest that some criminal suspects replace the hard disk in their
devices before the cyber forensic expert can gain access to the device. In such cases, the suspects use
write blockers to move information between the two hard disks. The main effect is that a forensic
examination of the new hard disk may not show some of the relevant evidence; moreover, the evidence
gathered from the new hard disk will lack consistency and may not be apparent. Further, evidence
gathered from a device that was reset may accentuate the problem, since during the reset process only
a small portion of the backup information is likely to have been reinstalled. For example, different
mobile devices have storage with embedded algorithms that erase data automatically. Since the
technology for collecting information from unused devices, or from devices where the user deleted
information, is still under development, there are likely to be delays in obtaining such information.

SOFTWARE CHALLENGES - Current operating systems are log-enabled, and now require a cyber
forensic expert to gather background information on the device, including information on the
accessibility of an application, usage of the application, and the level of information provided by the
specific user of the application. Even though this development appears to be progress for the different
devices, it requires some time to mature. Several challenges have been reported on application
accessibility, since the application and the operating system are defined differently. For example, an
alteration made to file content may not be tracked until it is compared with subsequent/previous file
versions or with the modified timestamp. If the cyber forensic expert suspects some manipulation of a
document, it would be a challenge to determine the extent of the manipulation.
Further, some forms of application and log information collected by the application or the operating
system could be useful as evidence in certain cases. Despite the usefulness of such applications,
awareness of their use is still at an infant stage, making it difficult for cyber forensic experts to ensure
their effective use. The large number of mobile messaging applications available across the globe use
software that automatically erases the information that is shared. The main challenge here is that it is
complex for a cyber forensic expert to gather such deleted information. Another challenge is
encryption in different mobile devices, intended to protect the information, especially during the
process of gathering data. Certain mobile chats allow a secure connection between sender and receiver
with no option to retrieve the message after a set time period. Other sessions are simply saved as text
messages in phone storage, allowing anyone with the phone passcode to access all stored messages.
Decryption of devices may be a challenge in investigations where the storage or the device itself is
encrypted. Not handing over mobile device PINs and passwords can have legal consequences in
certain countries.

CLOUD FORENSIC CHALLENGES - Data in cloud computing environments may be accessible from
everywhere, which poses another challenge to investigators. It is a challenge for the investigator to
locate the data in a way that respects the privacy rights of the users. Investigators require knowledge
of anti-forensic tools and practices, and of the tools that help ensure the forensic analysis is done
properly. Cloud-based applications also let users access data from various devices. For example, if
one of the two devices of a single user is compromised and both devices lead to changes in the
application, it would be difficult for the cyber forensic expert to identify the real source of the change.
In a cloud-based environment there is a high risk of credential compromise and identity theft, leading
to unknown changes and to evidence remaining unknown. In most cases, it would be difficult to
examine mail servers and identify evidence of deleted communication.

LEGAL CHALLENGES - Cyber laws and regulations vary between jurisdictions, and many do not take
into account the complexity of collecting forensic evidence. Accessing private information is likely to
be considered a violation of user privacy. On the other hand, the trend of companies allowing
employees to use their personal devices for official communication is likely to create several
challenges in data gathering. Accessing a user's email, for instance via webmail and a smartphone,
together with downloading the attachments involved, is an example of theft of personal data.

HUMAN CHALLENGES - At an early stage of the investigation, the cyber forensic expert is required
to get involved in gathering evidence. Early engagement in the investigation process puts the cyber
forensic expert in a position to recover all the content without damaging its integrity.

After a case is opened, the items seized include the digital devices, software, and other media
equipment needed to run the investigation. In the retrieval process, the items considered essential are
gathered so as to give the analyst everything required for testimony. Another human-related challenge
faced by cyber forensics is spoliation. Spoliation occurs when the person handling evidence fails to
preserve it, alters it, or destroys evidence that could be useful in pending litigation. Spoliation may be
caused by negligence on the part of the party handling the litigation or the evidence, or by intentional
destruction of evidence by the handler.

OTHER CHALLENGES - Elsewhere, in a literature-based study, cyber forensic challenges are
identified and categorized into four groups: technical challenges, law enforcement or legal system
challenges, personnel-related challenges and operational challenges. Technical challenges were
identified as: vast volume of data; bandwidth restrictions; encryption; volatility of digital evidence;
incompatibility among heterogeneous forensic techniques; the limited lifespan of digital media;
emerging devices and technologies; sophistication of digital crimes; anti-forensics; and the emerging
cloud forensic challenge. Legal challenges were identified as: jurisdiction; admissibility of digital
forensic techniques and tools; prosecuting digital crimes; privacy; ethical issues; and lack of sufficient
support for civil or criminal prosecution. Personnel-related challenges were identified as: semantic
disparities in cyber forensics; insufficient qualified cyber forensic personnel; insufficient forensic
knowledge and its reuse among personnel; strict cyber forensic investigator licensing requirements;
and lack of formal unified digital forensic domain knowledge.

Recovering Deleted Digital Evidence

Destroyed Evidence

In a criminal or cyber-criminal case, attempts to destroy the evidence are very common. Such
attempts can be more or less successful depending on the following conditions:

- The action taken to destroy the evidence.
- The time available to destroy the evidence.
- The type of storage device: magnetic hard drive, flash memory card, or SSD.

Deleted Files

Deleting files is one of the easiest, most convenient, and most common ways to destroy evidence.
The principle of recovering deleted files is based on the fact that Windows does not wipe the
contents of a file when it is deleted. Instead, the file system record storing the exact location of the
file on the disk is marked as "deleted", and the disk space previously occupied by the file is labeled
as available, but it is not overwritten with zeroes or other data.

- A deleted file can be retrieved by analyzing the contents of the Recycle Bin, as files are
temporarily stored there before being erased.
- If the deleted files leave no trace in the Recycle Bin, as with "Shift+Delete", commercial
recovery tools can be used to recover the deleted evidence.
- By looking for characteristic signatures of known file types, analyzing the file system and/or
scanning the entire hard drive, one can successfully recover:
  - Files that were deleted by the user.
  - Temporary copies of Office documents (including old versions and revisions of such
documents).
  - Temporary files saved by many applications.
  - Renamed files.
- Information stored in deleted files can be supplemented with data collected from other sources.

Formatted Hard Drives

Information from a formatted hard drive may be recoverable either using data carving technology
or by using commercial data recovery tools.
There are two possible ways to format a hard drive: Full Format and Quick Format.
Full Format – This initializes the disk by creating a new file system on the partition being
formatted and also checks the disk for bad sectors. Prior to Windows Vista, a full format
operation did not zero the disk being formatted. In Vista and Windows 7, however, a full format
operation will actually:

- Wipe the disk clean.
- Write zeroes onto the disk.
- Read the sectors back to ensure reliability.

Quick Format – This is never destructive, except in the case of an SSD. A quick format simply
initializes the disk by creating a new file system on the partition being formatted. Information
from disks cleared using a quick format can be recovered by using one of the data recovery tools
that support data carving.

SSD Drives

The culprit in SSDs is the TRIM command. According to a survey, TRIM enables an SSD to
completely wipe all deleted information in less than 3 minutes. This means that the TRIM command
effectively zeros all the information as soon as it is marked as deleted by the operating system.
Traditional methods are not useful when we try to recover deleted data from an SSD. Traditional
methods can be used for data recovery on an SSD only when the TRIM command is not issued, or
when at least one of the components does not support TRIM. The components include:
- Version of the operating system
- Communication interface
- File system

Data Carving

Carving means a bit-precise, sequential examination of the entire content of the hard drive. The
concept of data carving is completely different from file recovery. Carving allows:
- Identifying particular signatures or patterns that give a clue that some interesting data may be
stored in a particular spot on the disk.
- Locating various artifacts that would not be available otherwise.
Data carving has the following features when we are dealing with text content:
- Text information is the easiest to recover.
- Blocks containing text data are filled exclusively with numeric values belonging to a narrow
range that represents letters, numbers, and symbols.
- When carving for text data, investigators have to take various languages and text encodings into
account. For example, the Turkish character set differs from Latin, and neither has anything in
common with Arabic, Chinese or Korean writing.
- Different encodings must be taken into account when looking for text in each supported
language.
- By analyzing the information read from the disk in terms of a specific language and a specific
encoding, one can typically detect text information.
In the case of binary data:
- Binary data is much more random.
- It is easy to detect the beginning and end of each text block by counting the number of
characters that do not belong to a given language/encoding combination.
- Once a set threshold is met, it is assumed that the algorithm has reached the end of a given text
block.
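The deleted-file principle and the carving rules above, as an added example that is not part of these notes: a toy disk with a toy file table (a stand-in for real NTFS/FAT records, an assumption of this example) has two files deleted, and the carver recovers them from the raw bytes using the real JPEG SOI/EOI markers and the non-member-byte threshold rule for text. All file contents are constructed sample data.

```python
from dataclasses import dataclass, field

JPEG_SOI = b"\xff\xd8\xff"                               # real JPEG Start Of Image marker
JPEG_EOI = b"\xff\xd9"                                   # real JPEG End Of Image marker
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}  # ASCII "text" bytes
NOISE = bytes([0x00, 0xFF, 0x80, 0x7F])                  # filler for unallocated space: never text, never a signature


@dataclass
class Record:
    """One entry of the toy file table (assumption: stands in for an MFT/FAT entry)."""
    name: str
    offset: int
    length: int
    deleted: bool = False


@dataclass
class ToyDisk:
    data: bytearray
    table: list = field(default_factory=list)

    def write(self, name: str, offset: int, content: bytes) -> None:
        self.data[offset:offset + len(content)] = content
        self.table.append(Record(name, offset, len(content)))

    def delete(self, name: str) -> None:
        # As the notes describe for Windows: only the record is flagged, the bytes stay on disk.
        for rec in self.table:
            if rec.name == name:
                rec.deleted = True

    def listing(self) -> list:
        """What a normal directory listing shows: deleted records are hidden."""
        return [rec.name for rec in self.table if not rec.deleted]

    def undelete(self, name: str) -> bytes:
        """File-system level recovery: the flagged record still points at the data."""
        for rec in self.table:
            if rec.name == name and rec.deleted:
                return bytes(self.data[rec.offset:rec.offset + rec.length])
        raise KeyError(name)


def build_disk() -> ToyDisk:
    """Constructed 1024-byte volume: two files deleted, one still allocated."""
    disk = ToyDisk(bytearray(NOISE * 256))
    note = b"Meeting at the ware\x00house on Friday. Bring the ledger.\n"  # one damaged byte
    body = bytes(0x80 + (i % 0x70) for i in range(200))   # opaque image body, no 0xFF, no text
    photo = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + body + JPEG_EOI
    syslog = b"2024-01-02 10:15:01 login user=alice src=10.0.0.5\n"
    disk.write("note.txt", 64, note)
    disk.write("photo.jpg", 256, photo)
    disk.write("syslog", 700, syslog)
    disk.delete("note.txt")
    disk.delete("photo.jpg")
    return disk


def carve_jpegs(data: bytes) -> list:
    """Signature carving: each SOI marker up to the next EOI marker, as (offset, bytes)."""
    found, pos = [], 0
    while (start := data.find(JPEG_SOI, pos)) != -1:
        end = data.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break
        found.append((start, bytes(data[start:end + len(JPEG_EOI)])))
        pos = end + len(JPEG_EOI)
    return found


def carve_text(data: bytes, min_len: int = 16, threshold: int = 4) -> list:
    """Text carving for the ASCII encoding: a block ends once `threshold` consecutive
    bytes fall outside the encoding; isolated bad bytes are skipped and runs shorter
    than `min_len` are discarded as noise. Returns (offset, text) pairs."""
    blocks, start, buf, bad = [], None, bytearray(), 0
    for i, b in enumerate(data):
        if b in PRINTABLE:
            if start is None:
                start = i
            buf.append(b)
            bad = 0
        elif start is not None:
            bad += 1
            if bad >= threshold:
                if len(buf) >= min_len:
                    blocks.append((start, buf.decode("ascii")))
                start, buf, bad = None, bytearray(), 0
    if start is not None and len(buf) >= min_len:        # block running to the end of the image
        blocks.append((start, buf.decode("ascii")))
    return blocks


if __name__ == "__main__":
    disk = build_disk()
    print("visible files:", disk.listing())
    print("carved JPEGs:", [(off, len(blob)) for off, blob in carve_jpegs(disk.data)])
    print("carved text:", carve_text(disk.data))
```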
Limitations of Data Carving –

- Not all formats of data can be carved.
- Data carving is based on looking for characteristic signatures or patterns.
- Some files are true binary files without any permanent signature in their header.
- Text-based files can be an issue in most cases, as there is a huge number of plain-text files
that can be stored on a PC.
- Data carving cannot be used where special algorithms have filled the disk space previously
occupied by sensitive information with cryptographically strong random data.
- If the sensitive information is not stored on a hard drive but in RAM, data carving is
impossible.
- Data carving is quite useless and generally impossible on an SSD.

Digital Forensic Tools

The performance requirements for computers used in digital forensics are high, requiring larger-
capacity hard drives, faster central processing units (CPUs), more memory, etc. Hardware tools are
designed primarily for storage device investigations, and they aim to keep suspect devices unaltered
to preserve the integrity of evidence.

A forensic disk controller or hardware write blocker is a read-only device that allows the user to
read the data on a suspect device without the risk of modifying or erasing its content. Similarly, a
disk write-protector prevents the content of a storage device from being modified or erased. A hard-
drive duplicator is an imaging device that copies all files on a suspect hard drive onto a clean drive; it
can also duplicate data on flash drives or Secure Digital (SD) cards.

A password recovery device employs algorithms, such as brute-force or dictionary attacks, to attempt
to crack password-protected storage devices.

Windows Registry records when, where, and how a file is created, renamed, viewed, moved, or
deleted, and some applications can perform registry analysis to collect and analyze these traces.

For mobile device forensics, while the focus is primarily on mobile phones, most digital devices with
internal memory and communication ability, such as GPS devices, smartwatches, or tablets, can be
investigated with these applications. The applications focus on the suspect’s activities on a mobile
device.

#1) ProDiscover Forensic is a computer security application that allows you to locate all the data on a
computer disk. It can protect evidence and create quality reports for use in legal procedures. This
tool allows you to extract EXIF (Exchangeable Image File Format) information from JPEG files.

#2) Sleuth Kit (+Autopsy) is a Windows-based utility tool that makes forensic analysis of computer
systems easier. This tool allows you to examine your hard drive and smartphone.

#3) CAINE is an Ubuntu-based app that offers a complete forensic environment with a graphical
interface. This tool can be integrated into existing software tools as a module. It automatically
extracts a timeline from RAM.

#4) Acrobat PDF to Excel Converter transfers PDF data and content right into an Excel spreadsheet.
This converted file proves helpful for tracking down cybercriminals from anywhere in the world. This
computer forensic tool supports both partial and batch conversion.

#5) Google Takeout Converter converts archived email messages from Google Takeout along with all
attachments. This software helps investigating officers to extract, process, and interpret the factual
evidence.

#6) PALADIN is an Ubuntu-based tool that simplifies a range of forensic tasks. This digital forensics
software provides more than 100 useful tools for investigating malicious material. It helps you to
complete your forensic tasks quickly and effectively.

#7) EnCase is an application that helps you to recover evidence from hard drives. It allows you to
conduct an in-depth analysis of files to collect proof such as documents, pictures, etc.

#8) SIFT Workstation is a computer forensics distribution based on Ubuntu. It is one of the best
computer forensic tools, providing a digital forensics and incident response examination facility.

#9) FTK Imager is a forensic toolkit developed by AccessData that can be used to get evidence. It
can create copies of data without making changes to the original evidence. This tool allows you to
specify criteria, like file size,

#10) Magnet RAM Capture records the memory of a suspect computer. It allows investigators to
recover and analyze valuable items that are found in memory.

Unit 2

Validation

Validation is important for laboratories so that they can be trusted to produce accurate results every
time.

Validation needs to be provided at all steps in the forensic process, including:

A. Data generation- This primarily relates to attribution and providing assurance that an identified
identity did in fact generate the data. Attribution, if possible, must identify the system generating the
data, the application creating the data, the user running the application, when the data was created, etc.
The more parameters that can be validated the more certainty that can be associated with the validity
of the data itself and the more acceptable the data will be.

B. Data collection- After data is generated, a repository must collect the data. This will require
ensuring that the data is not modified on the way to the repository and providing validation of
temporal relationships. These needs for forensics would be insufficient in terms of security, which
would also require that the data could not be read and examined in transit. A related issue is ensuring
that the data actually makes it to the repository. The loss of data is especially problematic when
considering legal admissibility and forensic analysis.

C. Data storage- Once in place at the repository, the system must provide for deletion and
modification prevention and recovery. Insertion of elements is not a concern since the level of
validation provided for authentic elements ensures that inappropriately inserted elements can be
identified. Thus, these inserted elements will in essence provide additional evidence. This again
differs from typical security and privacy issues where viewing the data may be a primary concern,
which it is not with forensics.

D. System validation- System validation is associated with data generation and requires the unique
identification of systems, identification of system restarts, identification of changed system
configuration and attributes, and validation that messages were in fact generated by the designated
system. The goal is to be able to identify when a malicious system, application, or user may be
infiltrating the network. More specifically, it must be noted when a known system's attributes
suddenly change substantially. Sudden changes would indicate that the system is in fact different,
whether malicious or not. This would be identified in the logs when the system first connects to the
data storage repository.

E. Application validation- Application validation is similar to system validation except applied to
specific applications running on a system. As with system validation, it must be verified that the
application is expected to be sending the events and that the application itself matches known
characteristics. Application restarts, the user starting the application, and application parameter
settings can all be of critical importance in determining the validity of the events generated by the
application.

F. User validation- User validation attempts to provide validation of the users of a system as discussed
in relation to system validation. More specifically, it is important to verify the user that started the
application that is generating events and specified its parameters. Secondarily, it is important to know
the other users active on the system to verify the integrity of the system as a whole.

G. Algorithm applicability- The goal of algorithm applicability is to validate that the chosen algorithm
has in fact been scientifically proven to generate correct results and to be appropriate for the given
application in digital forensics.

H. Algorithm implementation- Given that an algorithm itself has been validated, the implementation
must be similarly validated. Errors often occur in the transcription from a theoretical algorithm to an
implemented algorithm. For example, SSH uses a well established protocol for initiation of a
connection and for maintaining the security of that connection. This protocol is well validated.
However, there have been well-known bugs in the implementation of the SSH protocol that have
allowed it to be compromised.
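The collection and storage requirements in B and C (data must not be modified in transit, deletion and modification in the repository must be detectable, inserted elements must be identifiable, and event ordering must be validated) are commonly met with a tamper-evident log. The following is an added example written for these notes, not code from the original material: each entry is stamped with a sequence number and an HMAC that also covers the previous entry's digest, so the repository can detect a modified, deleted or forged entry. The key name, the sample events and the host names are assumptions made up for the example.

```python
import hashlib
import hmac
import json
from copy import deepcopy

# Hypothetical key shared between the event source and the repository (an
# assumption of this example; a real deployment would provision one per source).
REPOSITORY_KEY = b"example-repository-key-not-for-production"
GENESIS = b"\x00" * 32


def _digest(prev_digest: bytes, record: dict) -> bytes:
    """HMAC-SHA256 over the previous digest and a canonical JSON form of the record.
    Chaining on the previous digest is what makes deletion and insertion visible."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(REPOSITORY_KEY, prev_digest + canonical, hashlib.sha256).digest()


def append_entry(chain: list, event: dict) -> list:
    """Append an event, stamping it with its sequence number and chained digest."""
    prev = chain[-1]["digest"] if chain else GENESIS
    record = dict(event, seq=len(chain))
    chain.append({"record": record, "digest": _digest(prev, record)})
    return chain


def verify_chain(chain: list) -> tuple:
    """Return (ok, reason). Fails on modification, deletion, insertion, or time going backwards."""
    prev, last_ts = GENESIS, None
    for position, item in enumerate(chain):
        record, digest = item["record"], item["digest"]
        if record.get("seq") != position:
            return False, f"sequence break at position {position}: entry deleted or inserted"
        if not hmac.compare_digest(_digest(prev, record), digest):
            return False, f"digest mismatch at seq {position}: entry modified or forged"
        if last_ts is not None and record["ts"] < last_ts:
            return False, f"timestamp regression at seq {position}"
        prev, last_ts = digest, record["ts"]
    return True, "chain intact"


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"ts": 1700000000, "host": "ws-17", "app": "sshd", "msg": "Accepted publickey for alice"},
    {"ts": 1700000005, "host": "ws-17", "app": "sudo", "msg": "alice : COMMAND=/bin/cat /etc/shadow"},
    {"ts": 1700000009, "host": "ws-17", "app": "sshd", "msg": "Disconnected from alice"},
]


def build_sample_chain() -> list:
    chain = []
    for event in SAMPLE_EVENTS:
        append_entry(chain, event)
    return chain


# Three things an attacker with write access to the repository might try.
def tamper_modify(chain: list, seq: int, new_msg: str) -> list:
    tampered = deepcopy(chain)
    tampered[seq]["record"]["msg"] = new_msg   # edit the evidence in place
    return tampered


def tamper_delete(chain: list, seq: int) -> list:
    tampered = deepcopy(chain)
    del tampered[seq]                          # remove the incriminating entry
    return tampered


def tamper_insert(chain: list, position: int, event: dict) -> list:
    tampered = deepcopy(chain)
    fake = {"record": dict(event, seq=position), "digest": hashlib.sha256(b"guess").digest()}
    tampered.insert(position, fake)            # insert without knowing the key
    return tampered


if __name__ == "__main__":
    chain = build_sample_chain()
    print(verify_chain(chain))
    print(verify_chain(tamper_modify(chain, 1, "alice : COMMAND=/bin/ls")))
    print(verify_chain(tamper_delete(chain, 1)))
    print(verify_chain(tamper_insert(chain, 1, {"ts": 1700000006, "host": "ws-17", "app": "x", "msg": "y"})))
```

One caveat the chain alone does not cover: removing entries from the end (truncation) leaves a valid shorter chain, so the repository must also record the latest digest or entry count somewhere the source cannot rewrite. The HMAC does not make entries unreadable in transit; that is the separate confidentiality requirement the text mentions.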

Principles of Digital Forensics Testing

The basis of digital forensics is being able to repeat processes and obtain quality evidence. If the
results are not accurate, then it is difficult to trust the laboratory and company. Digital forensic test
results need to be repeatable and reproducible to pass as electronic evidence, according to the
National Institute of Standards and Technology (NIST).

What is Repeatable and Reproducible Evidence?

Repeatable evidence means there are always the same results when the same process is used with the
same test items, operator, and equipment inside the same laboratory. Reproducible evidence means
the same results are produced with the same methods on the same items but in a different facility with
different operators and equipment.

How Does the Daubert Standard Connect to Forensic Validation?

The Daubert Standard is a legal guide that can be used for software and tool validations. In the ruling
of Daubert v. Merrell Dow Pharmaceuticals Inc., there are five questions that influence the reliability
of a scientific method:

 Has the method undergone any empirical testing?
 Have peers reviewed the method?
 Are there standards to control the method's operation?
 Does this method have a known potential error rate?
 Has the scientific community generally accepted this method?

Data Hiding Techniques

(1) Steganography is a way of providing security when data is transferred over a network. The word
comes from Greek and literally means "covered writing". It is the art of hiding information in such a
way that the presence of the hidden message is not detected. The information is hidden inside a
carrier, typically a multimedia file such as an audio, image or video file. The purpose of
steganography is covert communication: keeping confidential information from an unauthorized user or
third party. If the hiding mechanism is visible, the point of attack is evident, so the goal is always
to conceal the very existence of the embedded data. For an organization dealing with confidential data
the degree of security this provides is the main concern. The security system is categorized into two
parts: information hiding and cryptography. Information hiding has two parts, steganography and
watermarking. Steganography is further divided into two parts:

1.1 Technical Steganography- This technique uses physical or scientific means such as invisible ink,
microdots and other size-reduction methods to hide data. Technical steganography is used in the
following forms:

a) Video Steganography: A large data file can be hidden in a video, since a video file is essentially a
collection of images and sounds. A small but otherwise noticeable distortion may go unobserved by a
human viewer because of the continuous flow of information.

b) Audio Steganography: Secret messages are embedded in digital sound. The secret message is embedded
by slightly altering the binary sequence of a sound file. Existing audio steganography software can
embed messages in WAV, AU and even MP3 sound files.

c) Text Steganography: The message is hidden in text. Methods include shifting lines or words
slightly, using every nth word or letter of a sentence to carry the message, and encoding bits in
patterns of blank spaces, such as trailing spaces at the ends of lines.

d) Image Steganography: Information is hidden in an image. With straight message insertion, every bit
of the message is encoded into the image, typically in the least significant bits of pixel values; the
message bits may also be scattered randomly throughout the image. A number of ways exist to hide
information in digital media.

e) Protocol Steganography: Steganography can also be applied at the layers of the OSI network model,
using covert channels in network protocols. It refers to techniques that embed information within the
messages and control protocols used in network transmission; for example, information can be placed in
unused or loosely checked fields of TCP/IP headers and sent across the network.

1.2 Linguistic Steganography- This technique hides the message within the carrier in non-obvious
ways. It is categorized into two forms:

a) Semagrams: Semagrams use symbols and signs to hide the information.

b) Open Code: This hides a message within a legitimate carrier message in ways that are not obvious to
an unsuspecting observer.

2. In watermarking applications, the message contains information such as owner identification and a
digital time stamp, and is usually applied for copyright protection. Watermarks are categorized into
two parts.

2.1 Fragile watermark: A fragile watermark is readily destroyed when the host image is modified through
a linear or non-linear transformation. It is used for image authentication: if the watermark is still
intact, the image has not been altered.

2.2 Robust watermarking: Robust watermarks survive ordinary processing of the host signal and are used
in copy protection applications to carry copy-control and access-control information. A digital
watermark is called perceptible if its presence in the marked signal is noticeable.

3. Steganalysis is simply the detection of steganography by a third party. It is a relatively new
field, since the technology behind steganography is only now becoming popular. There are two main
types of steganalysis:

3.1) Visual analysis tries to reveal the presence of hidden information through inspection with the
naked eye or with the assistance of a computer, which can separate the image into bit planes for
further analysis.

3.2) Statistical analysis is more powerful and successful, because it reveals the smallest alterations
in an image's statistical behavior. Several statistical tests can be run on an image: average byte
value, variance of the bytes, skew, kurtosis, average deviation and differential values.
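The image steganography of (d) and the statistical steganalysis of 3.2 above, as an added example written for these notes rather than code from the original material: a message is embedded in the least significant bit of consecutive pixels of an 8-bit greyscale image, extracted again, and then the pairs-of-values chi-square statistic (Westfeld and Pfitzmann) is computed on the cover and on the stego image. The 64x64 cover is constructed in the code with a deliberately banded histogram, the secret message is random bytes, and the function names are this example's own.

```python
import random

WIDTH, HEIGHT = 64, 64


def make_cover() -> bytearray:
    """Constructed 8-bit greyscale cover: a diagonal ramp posterised to multiples
    of 4, giving the strongly banded histogram of a heavily processed image.
    Synthetic test data, not a real photograph."""
    return bytearray(((x + y) % 256) & 0xFC for y in range(HEIGHT) for x in range(WIDTH))


def capacity_bytes(cover: bytes) -> int:
    """One bit per pixel, minus the 4-byte length header."""
    return len(cover) // 8 - 4


def lsb_embed(cover: bytes, message: bytes) -> bytearray:
    """Return a stego image with `message` (preceded by its 32-bit big-endian
    length) written into the least significant bit of consecutive pixels."""
    if len(message) > capacity_bytes(cover):
        raise ValueError(f"message of {len(message)} bytes exceeds capacity of {capacity_bytes(cover)}")
    payload = len(message).to_bytes(4, "big") + message
    stego = bytearray(cover)
    for i in range(len(payload) * 8):
        bit = (payload[i // 8] >> (7 - i % 8)) & 1
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def lsb_extract(stego: bytes) -> bytes:
    """Inverse of lsb_embed: read the length header, then that many bytes."""
    def read_bits(start: int, nbytes: int) -> bytes:
        out = bytearray(nbytes)
        for i in range(nbytes * 8):
            out[i // 8] |= (stego[start + i] & 1) << (7 - i % 8)
        return bytes(out)
    length = int.from_bytes(read_bits(0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length header exceeds image size: not a valid stego image")
    return read_bits(32, length)


def chi_square_pov(image: bytes) -> float:
    """Pairs-of-values chi-square statistic. LSB embedding drives the counts of
    each pair (2k, 2k+1) toward equality, so a fully embedded stego image scores
    far lower than a cover whose adjacent histogram bins differ."""
    hist = [0] * 256
    for v in image:
        hist[v] += 1
    stat = 0.0
    for k in range(128):
        total = hist[2 * k] + hist[2 * k + 1]
        if total:
            expected = total / 2
            stat += 2 * (hist[2 * k] - expected) ** 2 / expected
    return stat


def demo() -> dict:
    """Embed a random message filling the whole capacity and compare statistics."""
    cover = make_cover()
    rng = random.Random(2024)  # fixed seed so the run is reproducible
    secret = bytes(rng.getrandbits(8) for _ in range(capacity_bytes(cover)))
    stego = lsb_embed(cover, secret)
    return {
        "roundtrip_ok": lsb_extract(stego) == secret,
        "chi_cover": chi_square_pov(cover),
        "chi_stego": chi_square_pov(stego),
    }


if __name__ == "__main__":
    print(demo())
```

The banded cover exaggerates the effect; on photographic covers the test still works because adjacent histogram bins differ in count, and the statistic is compared against a chi-square distribution with (number of non-empty pairs minus one) degrees of freedom to obtain a probability of embedding. Sequential embedding that fills only part of the image is found by computing the statistic over a growing prefix of the pixels and watching where it drops.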

4. Cryptography is the process of transforming plain text or original information into an
unintelligible form (cipher text) so that it may be sent over unsafe channels or communications. The
transformation is controlled by a data string (the key). Anyone who gets hold of the cipher text while
it is on the unsafe channel would need the appropriate key to recover the original information; the
authorized receiver is assumed to have that key. Cryptography is the study of methods of sending
messages in disguised form so that only the intended recipients can remove the disguise. It is the art
of converting messages into a different form such that no one can read them without access to the key.
The message may be converted using a code or a cipher. Cryptology is the science underlying
cryptography.

6. Echo Hiding- Hiding information in the noise of sound files is a good solution, but the information
may be erased by good compression algorithms. Echo hiding instead encodes information by changing
either the strength (amplitude) of an added echo or the length of its decay. Many recording programs
already include the ability to add (or remove) echoes and to change the character of an echo by
adjusting its strength and the speed at which it fades.

Mobile Forensics
Mobile forensics, a subtype of digital forensics, is concerned with retrieving data from an electronic
source. The recovery of evidence from mobile devices such as smartphones and tablets is the focus
of mobile forensics. Because individuals rely on mobile devices for so much of their data sending,
receiving, and searching, it is reasonable to assume that these devices hold a significant quantity of
evidence that investigators may utilize.
Mobile devices may store a wide range of information, including phone records and text messages,
as well as online search history and location data.
Uses of Mobile Forensics:
The military gathers intelligence from mobile devices when planning military operations or
investigating terrorist attacks. A corporation may use mobile evidence if it suspects its intellectual
property is being stolen or an employee is committing fraud. Businesses have been known to track
employees' personal use of business devices in order to uncover evidence of illegal activity. Law
enforcement, for its part, uses mobile forensics and electronic discovery to gather evidence in cases
ranging from identity theft to homicide.
Process of Mobile Device Forensics:
 Seizure and Isolation: Seizure of a mobile device raises a number of legal difficulties. The two
main technical risks at this step are lock activation (the device locking itself before it is
examined) and network/cellular connectivity (which allows remote wiping or new data arriving), so the
device is isolated from all networks as soon as it is seized.
 Identification: The purpose of identification is to retrieve information from the mobile device. A
locked screen may be opened with the appropriate PIN, password, pattern, or biometrics. Passcodes are
protected, but fingerprints are not. Apps, photos, SMS and messengers may all have comparable lock
features. Encryption, on the other hand, provides protection that is difficult to defeat at the
software and/or hardware level.
 Acquisition: Controlling data on mobile devices is difficult since the data itself is mobile. Once
messages or data have been transmitted from a smartphone, control is gone. Although devices can store
vast amounts of data, the data itself may be stored elsewhere, for example in the cloud: users of
mobile devices commonly rely on services such as Apple's iCloud and Microsoft's OneDrive, which makes
harvesting data from those services a possibility.
 Examination and analysis: The acquired data is examined with the same limitation in mind. Because
data on mobile devices is transportable and control is lost once it has been moved off the handset,
the examiner cannot assume that everything of interest is on the device, and data that was moved
elsewhere must be sought where it now resides.
 Reporting: The document or paper trail that shows the seizure, custody, control, transfer,
analysis, and disposition of physical and electronic evidence is referred to as forensic reporting.
It is the process of verifying how any type of evidence was collected, tracked, and safeguarded.

Principles of Mobile Forensics:


The purpose of mobile forensics is to extract digital evidence or relevant data from a mobile device
while maintaining forensic integrity. To accomplish so, the mobile forensic technique must develop
precise standards for securely seizing, isolating, transferring, preserving for investigation, and
certifying digital evidence originating from mobile devices.

Search and Seizure of Electronic Evidence


As computers or other data storage devices can provide the means of committing crime or be
repository of electronic information that is evidence of a crime, the use of warrants to search for and
seize such devices is given more and more importance.

The stages of a digital crime scene search and seizure broadly are:

A. Preparation/Planning stage.

B. Collection Stage.

C. Preservation/Transportation stage.

Best Practices for search and seizure of digital evidence.

1. Preparation/Planning stage.

1.1. If the Investigating Officer ("IO") has to seize a computer, he has to first examine whether the
computer is live (powered on) or off-line. If the computer is live, it is important to make an image of
the computer and not perform any other tasks on it, since anything done on a running machine alters its
state. (An image is an exact replica of the machine's storage, on which the forensic team can perform
further analysis without affecting the integrity of the original.) The image is made with the help of
forensic experts after the necessary write-blockers (devices that ensure nothing is written to the
drive/computer under seizure, so that it remains intact) have been connected. Once the image is
procured, the original can be preserved, and the image can be presented in Court (as output of
electronic evidence) after compliance with the requirements of Section 65-B of the Indian Evidence Act
("IEA").
1.2. Hash value generation is extremely important. Every image/file has a specific hash value (a
fixed-length fingerprint computed from its contents), and recording that hash value on the chain of
custody document ensures that any tampering with the machine or image along the way can be detected:
the hash of the image must be the same when it is produced in court during the evidentiary hearings as
it was at the time of seizure.

1.3. The certificate under Section 65-B IEA ought to be made by the person producing the computer
output, who is in charge of the computer and in a position to certify the integrity of the machine as
well as the output produced.

2. Collection of electronic evidence

2.1. The date and time of seizure are extremely important.

2.2. All the steps towards collection of electronic evidence should be documented clearly, step by
step.

2.3. The suspects should not be allowed to work on the terminals/computers.

3. Preservation/Transportation Stage

3.1. The IO should note down the serial numbers of the machines clearly, not only on the Panchnama but
also on the Chain of Custody document (which establishes the integrity of the machine as it moves from
the scene of crime to the IO, to the Forensic Lab and then to the Court) and the Seizure Memo.

3.2. The IO should protect the device from external electric and magnetic fields. This can be achieved
by putting the devices in special shielding (Faraday) bags. Also, wherever possible, devices should be
put into airplane mode, which not only conserves battery but protects the device from further
tampering, or even remote deletion.
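Steps 1.1, 1.2 and 3.1 together describe a procedure: image the device, hash the image, record the hash on the chain of custody document, and re-check it at every hand-over until the image is produced in court. The following is an added example written for these notes (not a tool or procedure from the original material) showing that procedure in code. The seized drive is a constructed byte string, the acquisition step simply copies it (standing in for a write-blocked imaging tool), and the holder names, timestamps and serial number are invented for the example.

```python
import hashlib
import json

CHUNK = 1 << 20  # hash in 1 MiB pieces so a multi-gigabyte image never sits in memory


def hash_chunks(data: bytes, algorithm: str = "sha256") -> str:
    """Hash `data` chunk by chunk, as a real tool would read a drive image."""
    h = hashlib.new(algorithm)
    for offset in range(0, len(data), CHUNK):
        h.update(data[offset:offset + CHUNK])
    return h.hexdigest()


# Constructed stand-in for the seized drive's contents (not a real image).
SAMPLE_DRIVE = bytes(range(256)) * 256  # 64 KiB of patterned data


def acquire_image(source: bytes) -> bytes:
    """Stand-in for a write-blocked bit-for-bit copy; a real acquisition would use
    an imaging tool against the blocked device and never touch the original."""
    return bytes(source)


def verify_acquisition(source: bytes, image: bytes) -> bool:
    """The image is only usable if it hashes identically to the original."""
    return hash_chunks(source) == hash_chunks(image)


def start_custody(image: bytes, holder: str, when: str, serial: str) -> list:
    """First chain-of-custody entry: who seized which device, when, and the image hash."""
    return [{"event": "seizure", "holder": holder, "time": when, "serial": serial,
             "sha256": hash_chunks(image)}]


def custody_intact(record: list, image: bytes) -> bool:
    """True if the image still hashes to the value recorded at seizure."""
    return hash_chunks(image) == record[0]["sha256"]


def transfer_custody(record: list, image: bytes, to_holder: str, when: str, purpose: str) -> list:
    """Append a transfer entry, refusing if the hash no longer matches the seizure record."""
    if not custody_intact(record, image):
        raise ValueError(f"integrity failure before transfer to {to_holder}: hash differs from seizure record")
    record.append({"event": "transfer", "holder": to_holder, "time": when,
                   "purpose": purpose, "sha256": record[0]["sha256"]})
    return record


def demo_custody() -> list:
    """Seizure by the IO, transfer to the lab, then production in court."""
    image = acquire_image(SAMPLE_DRIVE)
    assert verify_acquisition(SAMPLE_DRIVE, image)
    record = start_custody(image, "Investigating Officer", "2024-03-01T10:15Z", "SN-EXAMPLE-001")
    transfer_custody(record, image, "Forensic lab", "2024-03-01T14:00Z", "examination")
    transfer_custody(record, image, "Court registry", "2024-04-10T09:30Z", "Section 65-B output")
    return record


def demo_tampered_transfer() -> bool:
    """Flip one byte of the image in transit; the next transfer must be refused."""
    image = bytearray(acquire_image(SAMPLE_DRIVE))
    record = start_custody(bytes(image), "Investigating Officer", "2024-03-01T10:15Z", "SN-EXAMPLE-001")
    image[1000] ^= 0x01
    try:
        transfer_custody(record, bytes(image), "Forensic lab", "2024-03-01T14:00Z", "examination")
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(json.dumps(demo_custody(), indent=2))
    print("tampered image accepted:", demo_tampered_transfer())
```

Record the hash with the algorithm name; laboratories commonly record two algorithms (for example MD5 and SHA-256) so that a weakness in one does not undermine the record.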

Virtual crime
Virtual crime or in-game crime refers to a virtual criminal act that takes place in a massively
multiplayer online game or within the broader metaverse. The huge time and effort invested into such
games can lead online "crime" to spill over into real world crime, and even blur the distinctions
between the two. Some countries have introduced special police investigation units to cover such
"virtual crimes".
It is difficult to prove that there are real-life implications of virtual crime, so it is not widely accepted
as prosecutable.
To rectify this, the modern interpretation of the term "virtual" must be amended such that it carries the
traditional implication; "that is such in essence or effect, though not recognised as such in name or
according to strict definition." In this sense, it "would include those crimes that somehow evoke and
approach the effect and essence of real crime, but are not considered crimes."
In South Korea, where the number of computer game players is massive, some have reported the
emergence of gangs and mafia, where powerful players steal and demand that beginners give them
virtual money for their "protection".
Cyber Criminals and its types

Attackers are individuals or teams who attempt to exploit vulnerabilities for personal or financial
gain.

Types of Cyber Criminals:

1. Hackers: The term hacker may refer to anyone with technical skills; however, it typically refers to
an individual who uses his or her skills to gain unauthorized access to systems or networks in order to
commit crimes. The intent of the intrusion determines how these attackers are classified:
 (a). White Hat Hackers – These hackers use their programming skills for good and lawful reasons.
They may perform network penetration tests in an attempt to compromise networks and discover
vulnerabilities, which are then reported to the developers so that they can be fixed.
 (b). Gray Hat Hackers – These hackers commit violations and do seemingly unethical things, but not
for personal gain or to cause harm. They may, for example, disclose a vulnerability to the affected
organization after having compromised its network without permission.
 (c). Black Hat Hackers – These hackers are unethical criminals who violate network security for
personal gain. They exploit vulnerabilities to compromise computer systems.

2. Organized Hackers: This category covers organizations of cyber criminals, hacktivists, terrorists,
and state-sponsored hackers. Cyber criminals are typically teams of skilled criminals focused on
control, power, and wealth. They are highly sophisticated and organized, and may even offer crime as a
service. These attackers are usually well trained and well funded.

3. Internet stalkers: Internet stalkers are people who maliciously monitor the web activity of their
victims to acquire personal data. This type of cyber crime is conducted through the use of social
networking platforms and malware, that are able to track an individual’s PC activity with little or no
detection.

4. Disgruntled Employees: Disgruntled employees can become attackers with a particular motive and
commit cyber crimes. It may be hard to believe that dissatisfied employees can become such malicious
attackers. In earlier times their only option was to go on strike against the employer. With the
advance of technology, the increase in computer-based work and the automation of processes, it is now
simple for a disgruntled employee to do far more damage to the employer and the organization by
committing cyber crimes; such insider attacks can bring an entire system down.

Cyber Terrorism –
Cyber terrorism is the use of computers and the internet to perform violent acts that result in loss of
life. It may include different types of activity, using either software or hardware, that threaten the
lives of citizens.
In general, cyber terrorism can be defined as an act of terrorism committed through the use of
cyberspace or computer resources.
 Cyber terrorism basically involves damaging large-scale computer networks to cause loss of data and
even loss of life. Attackers make use of computer viruses, spyware, malware, ransomware, phishing,
scripts, and other malicious software to achieve their purposes.
 Cyber-attacks of this kind, which often constitute criminal offences, are referred to as cyber
terrorism.
 Cyber terrorism deals with intentionally causing damage to people and their data using computer
networks in order to achieve a purpose meaningful to the attacker.
 Government agencies such as the FBI (Federal Bureau of Investigation) and the CIA (Central
Intelligence Agency) have in the past detected multiple cyber attacks and cyber crimes carried out by
terrorist organizations.
 According to the FBI, a cyber terrorism attack is a cybercrime used intentionally to cause harm to
people on a large scale using computer programs and spyware.
 A cyber terrorism attack is more harmful than an ordinary cybercrime because it is intended to harm
the victims and create fear in society; it need not cause any financial damage at all.
 In most cases the attackers target the banking industry, military installations, nuclear power
plants, air traffic control, and water control systems, seeking to create fear, critical infrastructure
failure, or political advantage.

Working

The cyber terrorism attacks work in the following ways:


 They use computer viruses, worms, spyware, and trojans to target web servers and IT service
stations, aiming at military facilities, air force stations and power supply stations in order to
disrupt all of their services.
 They use Denial of Service attacks, in which the legitimate, verified user cannot access the
services he or she is authorized to use.
 They gain unauthorized access to users' computers by hacking and then steal information to serve
their purposes.
 Ransomware lets them hold data and information hostage while demanding a ransom from the victim,
and they may leak the victims' private data if the demanded amount is not paid.
 They mostly use phishing techniques, targeting users with infected spam emails, to steal users'
information and expose their identities.
 The most significant attack used in cyber terrorism is the APT (Advanced Persistent Threat).
Attackers use complex intrusion techniques to penetrate large-scale computer networks such as an
organization's, remain undetected inside that network, and continuously steal information related to
military equipment, national defense, and so on.

Attacks:

The cyber terrorism attacks are usually carried out as follows:


 Unauthorized access: Rather than simply disrupting or damaging the means of access to a service,
the attacker gains unauthorized access to important resources and makes use of that access.
 Disruption: These attacks focus on disrupting public websites and critical infrastructure
resources to create fear of massive fatalities and commotion within society.
 Cyberespionage: Governments carry out spying operations against other governments, often
concerning military equipment, to gain an advantage over rival nations in military intelligence.
 Economic failure: The attackers aim at technical system failures that cause large-scale economic
damage, such as crashing the electricity or water systems for several days to create panic about
these services within society.

Prevention:

We can prevent situations like cyber terrorism in the following ways:


 Governments must regulate cybercriminal activity and make stricter rules regarding its violation,
and must dedicate more resources to dealing with cyber threats.
 There must be more public education about these activities for the general audience; it empowers
citizens to protect themselves from phishing and spyware attacks.
 Use VPNs, which provide a private, protected network connection that is difficult for attackers to
break into.
 Use strong passwords with a combination of letters, symbols, and numbers. Two-factor authentication
also plays an important role here.
 Don't open unknown links, URLs, websites, or spam emails; they may contain infected files that can
harm the entire computer system.
Unit 3
Cyber Crime

Cybercrime, or computer-oriented crime, is a crime that involves a computer and a network. The
computer may have been used in the execution of a crime, or it may be the target. Cybercrime is the
use of a computer as a weapon for committing crimes such as fraud, identity theft, or breach of
privacy.

Cybercrime encompasses a wide range of activities, but these can generally be divided into two
categories:
1. Crimes that target computer networks or devices. These involve threats such as viruses and
malware, and denial-of-service (DoS) attacks.
2. Crimes that use computer networks to commit other criminal activities. These include cyber
stalking, financial fraud and identity theft.

Classification of Cyber Crime:


1. Cyber Terrorism –
Cyber terrorism is the use of the computer and internet to perform violent acts that result in loss
of life. This may include different type of activities either by software or hardware for
threatening life of citizens.

2. Cyber Extortion –
Cyber extortion occurs when a website, e-mail server or computer system is subjected to or
threatened with repeated denial of service or other attacks by malicious hackers. These hackers
demand huge money in return for assurance to stop the attacks and to offer protection.

3. Cyber Warfare –
Cyber warfare is the use or targeting, in a battle space or warfare context, of computers, online
control systems and networks. It involves both offensive and defensive operations concerning the
threat of cyber attacks, espionage and sabotage.

4. Internet Fraud –
Internet fraud is a type of fraud or deceit which makes use of the Internet and could include
hiding of information or providing incorrect information for the purpose of deceiving victims
for money or property. Internet fraud is not considered a single, distinctive crime but covers a
range of illegal and illicit actions that are committed in cyberspace.

5. Cyber Stalking –
This is a kind of online harassment wherein the victim is subjected to a barrage of online
messages and emails. In this case, these stalkers know their victims and instead of offline
stalking, they use the Internet to stalk. However, if they notice that cyber stalking is not having
the desired effect, they begin offline stalking along with cyber stalking to make the victims’
lives more miserable.

Challenges of Cyber Crime:

1. People are unaware of their cyber rights-
Cybercrime often happens to people who are unaware of the cyber rights granted to them by the
government of their country, and who therefore do not know what protection or remedy is available.

2. Anonymity-
Those who commit cyber crime are usually anonymous to the victim, so the victim can do little
against the person directly.

3. Few cases registered-
Every country in the world faces the challenge of cyber crime, and its rate is increasing day by
day, yet many victims do not even register a case, so the recorded figures understate the problem.

4. Mostly committed by well-educated people-
The person who commits cyber crime is often technically skilled, so he knows how to commit the
crime without getting caught by the authorities.

5. No harsh punishment-
Cyber crime does not carry harsh punishment in every case; only some offences, such as cyber
terrorism, attract severe penalties.

Prevention of Cyber Crime:


Below are some points by means of which we can prevent cyber crime:
1. Use strong passwords –
Maintain a different password and username combination for each account and resist the temptation
to write them down. Weak passwords can be cracked easily using attack methods such as brute force or
rainbow table attacks, so make them complex.

2. Use trusted antivirus on devices –
Always use trustworthy, up-to-date antivirus software on mobile devices and personal computers. This
helps prevent many kinds of malware infection.

3. Keep social media private –
Keep the privacy settings of your social media accounts restricted to your friends, and only accept
friend requests from people you know.

4. Keep your device software updated –
Whenever a system software update is available, install it promptly, because the previous version
may contain flaws that can be attacked.

5. Use a secure network –
Public Wi-Fi networks are vulnerable. Avoid conducting financial or corporate transactions on them.

6. Never open attachments in spam emails –
A common way for a computer to be infected by malware is via attachments in spam emails. Never open
an attachment from a sender you do not know.

7. Keep the operating system updated – The operating system should be updated regularly, since
cybercriminals exploit flaws in unpatched systems and an out-of-date system is a potential threat.

CRIMINAL JUSTICE SYSTEM

Criminal justice includes all the systems, functions and government institutions that work to
maintain social control, prevent and reduce crime, and punish and rehabilitate those who violate the
law; it also covers the investigation of crime and the trial of the accused. Safeguards exist against
misuse of the criminal justice system. The necessary documents and witnesses are presented in court so
that the victim gets justice and the offender who committed the crime is punished and sent to jail or a
correctional home, with the aim that no such crime is committed in future. Corrective work is part of
the process: the purpose of justice is to bring someone back to the right path. The process by which
these related institutions impose punishment is called the criminal justice system. Criminal justice
is the delivery of justice to those who have committed crimes; its goals include the rehabilitation of
offenders, the prevention of further crimes, and moral support for victims.
THE CRIMINAL JUSTICE SYSTEM CONSISTS OF THREE MAIN PARTS:
1. Law enforcement agencies, usually the police.
2. Courts and accompanying prosecution and defence lawyers.
3. Agencies for detaining and supervising offenders, such as prisons and probation agencies.
In the criminal justice system, these distinct agencies operate together as the principal means of
maintaining the rule of law within society.
RELATED TO CRIMINAL JUSTICE SYSTEM CYBER-CRIME
In any crime, the entire process from the victim to the criminal to the corrective and punitive work
in prison comes under the criminal justice system, whose purpose is to get justice for the victim.
Through coordination and good practice, justice is reached: the criminal is punished in proportion to
the crime and, through that punishment, is expected to bring the necessary improvement into his life.
In response to present-day cyber-crime, the criminal justice system has changed only partly, and not
to the extent that is necessary. As noted, the system has three main parts: the police investigation
agency, the court system and the prison system. Justice is achieved only through these, and when
there are shortcomings in any of them, complete justice on cyber-crime cannot be obtained. The police
face many problems, such as difficulties with digital evidence, jurisdictional issues, and a lack of
experienced experts on cyber crime in police stations (cyber cells); the traditional court system is
likewise not built around cybercrime. Prison reform has also lagged, and reform of the prison system is
necessary: people jailed for some other offence may learn the tendency to commit other crimes,
including cyber-crime, by living with other criminals, and turn to crime in future. Corrective work in
the criminal justice system has therefore become extremely necessary.

Cyber Fraud

Cyber fraud is crime committed via a computer with the intent to corrupt or steal another individual's
personal and financial information stored online.

Cyber fraud is the most common and threatening form of fraud and takes place internationally. The cyber
world has been expanding and growing throughout the twenty-first century, allowing fraudsters to obtain
victims' personal and financial information in a variety of ways. Fraudsters can use the information
they gather to fund themselves or, worryingly, to fund terrorism.

Fraudsters can use the cyber world to gain access to victims' personal identities, their online
accounts and their bank accounts, and can then use the money and information obtained to fund further
crime or terrorism. The extensive and popular use of internet banking and mobile banking means there
are more opportunities than ever for criminals to commit cyber fraud. Fraudsters normally try to get at
victims' personal and financial information online via phishing emails and viruses. If you receive an
email with a link that asks you to present or confirm your bank account information, do not do so. The
key to avoiding cyber fraud is to understand what your bank and related bodies would actually ask of
you: they would never email or call you asking for your bank details. Even if the email or phone call
sounds legitimate, call the bank yourself on a number you already know and ask whether the message
originated from them.
Make sure you destroy all traces of your personal and financial information. If a bank has posted you
documents containing your bank details, shred them, because a fraudster could find them in a bin and
use them online to process a CNP (card-not-present) payment. Furthermore, protect your computer with
anti-virus software to block contact between the fraudster and your computer. If all of your preventive
measures fail, you can always contact the relevant bodies which have been established to combat cyber
fraud.

Internet harassment – Cyber stalking, Cyber harassment and Cyber Bullying

Three types of Internet harassment are Cyber stalking, Cyber harassment and Cyber Bullying.

Cyber stalking: Cyber stalking is the use of the Internet, email or other electronic communications to
stalk, and generally refers to a pattern of threatening or malicious behaviours. Cyber stalking may be
considered the most dangerous of the three types of Internet harassment, because it poses a credible
threat of harm.
Many stalkers are motivated by a desire to exert control over their victims and engage in similar types
of behaviour to accomplish this end. Given the enormous amount of personal information available
through the Internet, a cyber stalker can easily locate private information about a potential victim.

The fact that cyber stalking does not involve physical contact may create the misperception that it is
more benign than physical stalking. This is not necessarily true. As the Internet becomes an ever more
integral part of our personal and professional lives, stalkers can take advantage of the ease of
communications as well as increased access to personal information. Whereas a potential stalker may
be unwilling or unable to confront a victim in person or on the telephone, he or she may have little
hesitation sending harassing or threatening electronic communications to a victim. As with physical
stalking, online harassment and threats may be a prelude to a more serious behaviour, including
physical violence.

Cyber harassment: There is no universal legal definition of cyber harassment, but it typically is
defined as repeated, unsolicited, threatening behaviour by a person or group using mobile or Internet
technology with the intent to bother, terrify, intimidate, humiliate, threaten, harass or stalk someone
else. The harassment can take place in any electronic environment where communication with others
is possible, such as on social networking sites, on message boards, in chat rooms or through email.

Cyber bullying: “Cyber bullying” is when a child, preteen or teen is tormented, threatened, harassed,
humiliated, embarrassed or otherwise targeted by another child, preteen or teen using the Internet,
interactive and digital technologies or mobile phones. It has to have a minor on both sides, or at least
have been instigated by a minor against another minor. Once adults become involved, it is plain and
simple cyber-harassment or cyber stalking.

Cyber bullying is the use of the Internet and related technologies to harm other people, in a deliberate,
repeated, and hostile manner.
It can be as simple as continuing to send e-mail or text harassing someone who has said they want no
further contact with the sender.

Email Spoofing

Email Spoofing is creating and sending an email with a modified sender's address. The sender's
address is forged in such a way that the receivers will trust the email, thinking it has been sent by
someone they know or from a trusted official source. After gaining their trust through a forged
address, the attackers can ask for sensitive information, such as personal data like bank details, social
security numbers, or organizational data like trade secrets and more.
Email Spoofing is a pretty common practice among cybercriminals because the email system itself is
weak and vulnerable: when you receive an email, the mail system by itself gives the receiver no way to determine
whether the sender's address is spoofed or original.

How does Email Spoofing work?

Cyber attackers perform Email Spoofing by changing the data of the email header. The email header
contains the essential information related to email. It includes data such as TO, FROM, DATE, and
SUBJECT. It also has the IP address of the sender.
For performing spoofing, the attacker needs to modify the FROM email address and the IP address. It
can be done easily through the Ratware application. A Ratware is a tool that can quickly adjust the
email header and send thousands of emails simultaneously to different recipients. The attackers also
need a Simple Mail Transfer Protocol (SMTP) server and mailing software for conducting spoofing
successfully.
As far as receivers' addresses are concerned, intruders can get them through various ways such as
data breaches, phishing, and more. People have a tendency to share their emails everywhere on the
internet, so it is not a big deal to get someone's email ID.
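The header fields described above (FROM, the sending server's IP address in the Received trace, and the envelope sender recorded as Return-Path) are also what a receiving system inspects to detect spoofing. The following Python script is an added example, not code from the original notes: it parses a constructed spoofed message, evaluates a simplified Sender Policy Framework check (only `ip4:` and `all` mechanisms) against a constructed table that stands in for DNS TXT records, and then checks whether the visible From domain is aligned with the domain that SPF actually authenticated, which is the DMARC-style check that catches a forged FROM. The domain names, IP addresses and SPF records are all constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups (assumption: real code queries DNS).
SPF_RECORDS = {
    "examplebank.test": "v=spf1 ip4:192.0.2.0/24 -all",
    "mailer.test": "v=spf1 ip4:198.51.100.10 ~all",
}

# Constructed raw message: FROM claims the bank, but the envelope sender
# (Return-Path) and the relay that delivered it belong to mailer.test.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mailer.test>
Received: from mx.mailer.test (mx.mailer.test [198.51.100.10])
    by inbound.victim.test with ESMTP id abc123
    for <alice@victim.test>; Mon, 01 Jan 2024 10:00:00 +0000
From: "Example Bank Security" <alerts@examplebank.test>
To: alice@victim.test
Date: Mon, 01 Jan 2024 10:00:00 +0000
Subject: Urgent: verify your account

Please confirm your account details at the link below.
"""

_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(address_header):
    """Lower-cased domain part of an address header such as From or Return-Path."""
    _, addr = parseaddr(address_header or "")
    return addr.rpartition("@")[2].lower()


def originating_ip(msg):
    """IP literal from the topmost Received header (the relay that handed us the mail)."""
    for received in msg.get_all("Received", []):
        found = _RECEIVED_IP.search(received)
        if found:
            return found.group(1)
    return None


def spf_check(domain, ip, records=SPF_RECORDS):
    """Simplified SPF evaluation: walks ip4 mechanisms, then the 'all' fallback."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in _QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return _QUALIFIER[qualifier]
        elif term == "all":
            return _QUALIFIER[qualifier]
    return "neutral"


def analyse(raw_message):
    """Return SPF result for the envelope sender and whether From is aligned with it."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg["Return-Path"])
    ip = originating_ip(msg)
    spf = spf_check(envelope_domain, ip) if ip else "none"
    aligned = from_domain == envelope_domain
    verdict = "ok" if (spf == "pass" and aligned) else "suspicious"
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "ip": ip,
        "spf": spf,
        "aligned": aligned,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in analyse(SPOOFED_MESSAGE).items():
        print(f"{key}: {value}")
```

Note that SPF on its own passes here, because mailer.test really did publish the relay's address; the message is flagged only because the From domain is not the domain SPF authenticated. That alignment step is what DMARC adds on top of SPF, and it is why a filter that only checks SPF can still let a forged FROM through.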

Why is Email Spoofing performed?

Email Spoofing is mainly conducted for the following reasons −

 Scamming − The intruders frame an intriguing email and send it pretending to be from an
official, trusted source. The email can contain fake offers like discounts, free tickets, lottery
wins, and more. The receivers, believing it to be from a reliable source and in anticipation of getting
the offers, provide everything asked for in the email.
 Injecting Malware − Cybercriminals can easily inject malicious programs through email
spoofing. An email can be framed and sent to users pretending to be from a security organization, asking them to
download and install a fake security program to safeguard their system. Users would easily
trust the sender and, to protect their computer, install the fake security software, which is,
in fact, a malware program.
 Phishing − Spoofed email can be sent to thousands of users pretending to be from a bank or
a similar organization. It would ask them to give confidential information like internet banking
credentials or other details. Users would willingly provide all the details, thinking the sender is
a trusted one.

How to protect against Email Spoofing?

 Use spam filters to avoid scammy emails. Most modern email providers such as Gmail,
Outlook, Yahoo, and others come with built-in spam filters, but you can also install a third-
party filter for added protection.
 Thoroughly verify the legitimacy of an email that comes with unbelievable offers. You can
use the Google search or visit the official website of the senders to confirm the offer provided
in the email.
 Avoid clicking on the links sent through emails.
 Never share your confidential information over emails or phone calls, even if someone trusted
asks for it. No trusted organization asks for its customers' personal details by email.
 Never download or open the attachments from unknown emails.

Spamming

Spam is a form of email that is sent in bulk to many different email accounts and in general contains
advertising for products or services. The real problem arises when spam contains malware that
can damage the user’s data.
Generally, spam is sent to a massive list of email addresses with the main purpose that a small percentage of
recipients might open the messages and respond. Spammers favour this approach because it requires little
infrastructure investment, is not very time-consuming, and is simple.
Techniques Used by Spammers

 Domain Spoofing − The spammer sends an email on behalf of a known domain so the
receivers think that they know this person and open it.
 Poisoning Filters − A filter can be poisoned by adding text with the same color of the
background to reduce the scoring of the filters.
 Directory Harvesting − In directory harvesting, spammers generate email addresses by using
known email addresses from corporates or ISP (Internet Service Provider).
 Social Engineering − Spammers send promotional emails to different users such as offering
huge discounts and tricking them to fill their personal data.
 Junk Tags − Spam Words can be hidden by including invalid HTML tags within the words.
 Invalid words − Special characters are inserted in the spam words.

Anti–Spam Techniques

 Signature Based Content Filtering − Most anti-spam email companies use this type of
filtering: the received email is saved to disk and then checked against known patterns
(signatures).
 Naive Bayes Spam Filtering − A Bayesian filter scans the content of the e-mail, looking
for words or character strings that identify the e-mail as spam.
 Black Listing RBL − A Real-time Blackhole List (RBL) is a database of IP addresses and domains that is
updated based on their reputation; the system administrators who use an RBL do not accept email
from the domains and addresses that the RBL blacklists.
 Sender Policy Framework − The IP address of the sending server is compared with
the list of IP addresses that the sender's domain has published as genuine, and if it does not match, the
email is dropped.
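The Naive Bayes filter listed above is simple enough to show in full. The Python implementation below is an added example (not code from the original notes or from any product): it trains a multinomial Naive Bayes classifier with Laplace smoothing on a small constructed corpus of labelled messages, then scores new messages in log space so that long messages do not underflow. The training texts and labels are constructed for illustration; a real filter would be trained on thousands of messages and retrained as spammers change vocabulary.

```python
import math
import re
from collections import Counter

# Constructed training corpus (labels are assumptions made for this example).
TRAINING = [
    ("spam", "huge discount offer, claim your free prize now"),
    ("spam", "free lottery winner, click now to claim prize"),
    ("spam", "discount on pills, buy now, limited offer"),
    ("ham", "meeting moved to thursday, please confirm the agenda"),
    ("ham", "attached is the quarterly report for review"),
    ("ham", "can you confirm the invoice number for the audit"),
]

_TOKEN = re.compile(r"[a-z]+")


def tokenize(text):
    """Lower-case word tokens; punctuation and digits are dropped."""
    return _TOKEN.findall(text.lower())


class NaiveBayesSpamFilter:
    """Multinomial Naive Bayes with additive (Laplace) smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha                       # smoothing constant
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = Counter()              # number of training docs per class
        self.vocab = set()

    def train(self, labelled_messages):
        for label, text in labelled_messages:
            self.doc_counts[label] += 1
            for word in tokenize(text):
                self.word_counts[label][word] += 1
                self.vocab.add(word)

    def _log_likelihood(self, label, words):
        """log P(label) + sum log P(word | label), smoothed over the vocabulary."""
        total_docs = sum(self.doc_counts.values())
        logp = math.log(self.doc_counts[label] / total_docs)
        counts = self.word_counts[label]
        denominator = sum(counts.values()) + self.alpha * len(self.vocab)
        for word in words:
            logp += math.log((counts[word] + self.alpha) / denominator)
        return logp

    def spam_probability(self, text):
        """P(spam | text), computed from the two log-likelihoods without overflow."""
        words = tokenize(text)
        log_spam = self._log_likelihood("spam", words)
        log_ham = self._log_likelihood("ham", words)
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def classify(self, text, threshold=0.5):
        return "spam" if self.spam_probability(text) >= threshold else "ham"


def build_filter(corpus=TRAINING):
    """Convenience constructor: a filter already trained on the given corpus."""
    spam_filter = NaiveBayesSpamFilter()
    spam_filter.train(corpus)
    return spam_filter


if __name__ == "__main__":
    f = build_filter()
    for message in ("free prize, claim your discount now",
                    "please confirm the meeting agenda"):
        print(f"{f.spam_probability(message):.3f}  {f.classify(message)}  {message!r}")
```

The smoothing constant is what keeps a word never seen in one class from driving that class's probability to zero; it is also what the "poisoning filters" technique in the previous section is attacking, since padding a message with ordinary ham words dilutes the spam evidence.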

Cyber Crime Investigation Tools and Techniques

Cybercrime investigation techniques

While techniques may vary depending on the type of cybercrime being investigated, as well as who is
running the investigation, most digital crimes are subject to some common techniques used during the
investigation process.

 Background check: Creating and defining the background of the crime with known facts will
help investigators set a starting point to establish what they are facing, and how much
information they have when handling the initial cybercrime report.

 Information gathering: One of the most important things any cybersecurity researcher must
do is gather as much information as possible about the incident. A lot of national and federal
agencies use interviews and surveillance reports to obtain proof of cybercrime. Surveillance
involves not only security cameras, videos and photos, but also electronic device surveillance
that details what's being used and when, how it's being used, and all the digital behavior
involved.

 Tracking and identifying the authors: This next step is sometimes performed during the
information-gathering process, depending on how much information is already in hand. In
order to identify the criminals behind the cyber attack, both private and public security
agencies often work with ISPs and networking companies to get valuable log information
about their connections, as well as historical service, websites and protocols used during the
time they were connected.

This is often the slowest phase, as it requires legal permission from prosecutors and a court
order to access the needed data.

 Digital forensics: Once researchers have collected enough data about the cybercrime, it's time
to examine the digital systems that were affected, or those supposed to be involved in the
origin of the attack. This process involves analyzing network connection raw data, hard
drives, file systems, caching devices, RAM memory and more. Once the forensic work starts,
the involved researcher will follow up on all the involved trails looking for fingerprints in
system files, network and service logs, emails, web-browsing history, etc.

Cyber Crime Tools

Proxy Servers and Anonymizers

A proxy server is a computer on a network which acts as an intermediary for connections with other
computers on that network. The attacker first connects to a proxy server and then establishes a connection
with the target system through the existing connection with the proxy.

An anonymizer, or anonymous proxy, is a tool that attempts to make activity on the Internet
untraceable. It accesses the Internet on the user’s behalf, protecting personal information by hiding the
source computer’s identifying information.

Phishing /Password Cracking

While checking electronic mail (E-Mail) one day, a user finds a message from the bank threatening
to close his/her bank account if he/she does not reply immediately. Although the message seems
suspicious from its contents, it is difficult to conclude that it is a fake/false
E-Mail.

Password Cracking

A password is like a key that unlocks entry into computerized systems. Password cracking is the
process of recovering passwords from data that have been stored in or transmitted by a computer
system.

The purpose of password cracking is as follows:

Key loggers and Spywares

Keystroke logging, often called key logging, is the practice of noting (or logging) the keys struck on a
keyboard, typically in a covert manner so that the person using the keyboard is unaware that such
actions are being monitored.

1. Software Key loggers- software programs installed on the computer systems which
usually are located between the OS and the keyboard hardware, and every keystroke
is recorded.
2. Hardware Key loggers- To install these key loggers, physical access to the computer
system is required. Hardware key loggers are small hardware devices.
3. Anti keylogger – Anti keylogger is a tool that can detect the keylogger installed on
the computer system and also can remove the tool.

Spywares

Spyware is a type of malware that is installed on computers which collects information about users
without their knowledge.

Virus and Worms

Computer virus is a program that can “infect” legitimate programs by modifying them to include a
possibly “evolved” copy of itself. Viruses spread themselves, without the knowledge or permission of
the users, to potentially large numbers of programs on many machines.

Trojan Horses

Trojan Horse is a program in which malicious or harmful code is contained inside apparently
harmless programming or data in such a way that it can get control and cause harm, for example,
ruining the file allocation table on the hard disk. A Trojan Horse may get widely redistributed as part
of a computer virus.

Backdoor

A backdoor is a means of access to a computer program that bypasses security mechanisms. A
programmer may sometimes install a backdoor so that the program can be accessed for
troubleshooting or other purposes.

SQL Injection

Structured Query Language (SQL) is a database computer language designed for managing data in
relational database management systems (RDBMS). SQL injection is a code injection technique that
exploits a security vulnerability occurring in the database layer of an application. The vulnerability is
present when user input is either filtered incorrectly for string literal escape characters embedded in
SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an
instance of a more general class of vulnerabilities that can occur whenever one programming or
scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion
attacks.

Buffer Overflow

Buffer overflow, or buffer overrun, is an anomaly where a process stores data in a buffer outside the
memory the programmer has set aside for it. The extra data overwrites adjacent memory, which may
contain other data, including program variables and program flow control data. This may result in
erratic program behavior, including memory access errors, incorrect results, program termination (a
crash) or a breach of system security.

What is a phishing attack?

Phishing is a type of social engineering attack often used to steal user data, including login credentials
and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim
into opening an email, instant message, or text message. The recipient is then tricked into clicking a
malicious link, which can lead to the installation of malware, the freezing of the system as part of
a ransomware attack or the revealing of sensitive information. An attack can have devastating results.
For individuals, this includes unauthorized purchases, the stealing of funds, or identity theft.

An organization succumbing to such an attack typically sustains severe financial losses in addition to
declining market share, reputation, and consumer trust. Depending on scope, a phishing attempt might
escalate into a security incident from which a business will have a difficult time recovering.

Phishing Techniques

Spear Phishing- While traditional phishing uses a 'spray and pray' approach, meaning mass emails are
sent to as many people as possible, spear phishing is a much more targeted attack in which the hacker
knows which specific individual or organization they are after. They do research on the target in order
to make the attack more personalized and increase the likelihood of the target falling into their trap.

Session Hijacking- In session hijacking, the phisher exploits the web session control mechanism to steal
information from the user. In a simple session hijacking procedure known as session sniffing, the
phisher can use a sniffer to intercept relevant information so that he or she can access the Web server
illegally.

Email/Spam- Using the most common phishing technique, the same email is sent to millions of users
with a request to fill in personal details. These details will be used by the phishers for their illegal
activities. Most of the messages have an urgent note which requires the user to enter credentials to
update account information, change details, or verify accounts. Sometimes, they may be asked to fill
out a form to access a new service through a link which is provided in the email.

Content Injection- Content injection is the technique where the phisher changes a part of the content on
the page of a reliable website. This is done to mislead the user to go to a page outside the legitimate
website where the user is then asked to enter personal information.

Web Based Delivery- Web based delivery is one of the most sophisticated phishing techniques. Also
known as “man-in-the-middle,” the hacker is located in between the original website and the phishing
system. The phisher traces details during a transaction between the legitimate website and the user. As
the user continues to pass information, it is gathered by the phishers, without the user knowing about
it.

Phishing through Search Engines- Some phishing scams involve search engines where the user is
directed to products sites which may offer low cost products or services. When the user tries to buy
the product by entering the credit card details, it’s collected by the phishing site. There are many fake
bank websites offering credit cards or loans to users at a low rate but they are actually phishing sites.

Vishing (Voice Phishing)- In phone phishing, the phisher makes phone calls to the user and asks the user
to dial a number. The purpose is to get personal information of the bank account through the phone.
Phone phishing is mostly done with a fake caller ID.

Smishing (SMS Phishing)- Phishing conducted via Short Message Service (SMS), a telephone-based text
messaging service. A smishing text, for example, attempts to entice a victim into revealing personal
information via a link that leads to a phishing website.

Link Manipulation- Link manipulation is the technique in which the phisher sends a link to a malicious
website. When the user clicks on the deceptive link, it opens up the phisher’s website instead of the
website mentioned in the link. Hovering the mouse over the link to view the actual address stops users
from falling for link manipulation.
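The "hover to see the real address" advice above can be automated for incoming mail: compare what the link shows with where it actually points. The Python script below is an added example (not from the original notes) that parses a constructed HTML message body, pairs each anchor's visible text with its `href`, and flags anchors whose displayed URL names a different registrable domain from the real target, plus anchors whose target is a bare IP address. The message body, domains and addresses are constructed; the two-label "registrable domain" rule is a deliberate simplification (real code would consult a public-suffix list).

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style HTML body for illustration (not a real message).
SAMPLE_HTML = """
<p>Dear customer, please log in at
<a href="http://examplebank.test.login-verify.example/secure">https://www.examplebank.test/login</a>
within 24 hours.</p>
<p>Our newsletter: <a href="https://www.examplebank.test/news">https://www.examplebank.test/news</a></p>
<p>Or <a href="http://198.51.100.23/update">click here</a> to update your details.</p>
"""

# Visible text that a reader would take for a web address.
_LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())
            self.links.append((self._href, visible))
            self._href = None


def host_of(url):
    """Lower-cased host name of a URL; a scheme is assumed if absent."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    """Crude approximation: the last two labels of the host name."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_deceptive_links(html):
    """Return anchors whose visible address disagrees with the real target."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        if is_ip_literal(target):
            findings.append({"href": href, "text": text, "reason": "ip-literal host"})
            continue
        if _LOOKS_LIKE_URL.match(text):
            shown = host_of(text)
            if registrable_domain(shown) != registrable_domain(target):
                findings.append({"href": href, "text": text,
                                 "reason": f"shows {shown} but points to {target}"})
    return findings


if __name__ == "__main__":
    for finding in find_deceptive_links(SAMPLE_HTML):
        print(finding)
```

Only the first and third anchors are reported: the newsletter link shows and targets the same registrable domain. Anchor text like "click here" cannot be judged by comparison alone, which is why the IP-literal rule is kept as a second signal.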

Keyloggers- Keyloggers refer to the malware used to identify inputs from the keyboard. The
information is sent to the hackers who will decipher passwords and other types of information. To
prevent key loggers from accessing personal information, secure websites provide options to use
mouse clicks to make entries through the virtual keyboard.

Malware- Phishing scams involving malware require it to be run on the user’s computer. The malware
is usually attached to the email sent to the user by the phishers. Once you click on the link, the
malware will start functioning. Sometimes, the malware may also be attached to downloadable files.

Trojan- A Trojan horse is a type of malware designed to mislead the user with an action that looks
legitimate, but actually allows unauthorized access to the user account to collect credentials through
the local machine. The acquired information is then transmitted to cybercriminals.

Ransomware- Ransomware denies access to a device or files until a ransom has been
paid. Ransomware for PCs is malware that gets installed on a user’s workstation using a social
engineering attack where the user gets tricked into clicking on a link, opening an attachment, or clicking
on malvertising.

Malvertising- Malvertising is malicious advertising that contains active scripts designed to download
malware or force unwanted content onto your computer. Exploits in Adobe PDF and Flash are the
most common methods used in malvertisements.

How to prevent phishing

 Two-factor authentication (2FA) adds an extra verification layer when logging in to sensitive
applications.
 In addition, organizations should enforce strict password management policies. Employees should be
required to frequently change their passwords and not be allowed to reuse a password for multiple
applications.
 Educational campaigns can also help diminish the threat of phishing attacks by enforcing secure
practices, such as not clicking on external email links.

Unit 4

Cyber Forensics Investigation Tools

Autopsy

Autopsy is a digital forensics platform and graphical interface that forensic investigators use to
understand what happened on a phone or computer. It aims to be an end-to-end, modular solution that
is intuitive out of the box. Select modules in Autopsy can do timeline analysis, hash filtering, and
keyword search. In addition, they can extract web artifacts, recover deleted files from unallocated
space, and find indicators of compromise. All of this can be done relatively rapidly.

Autopsy runs background jobs in parallel so that even if a full search takes hours, a user will know
within minutes whether targeted keywords have been found. In addition, investigators working with
multiple devices can create a central repository through Autopsy that will flag phone numbers, email
addresses, or other relevant data points.

Bulk Extractor

Bulk Extractor scans a file, directory, or disk image. It extracts information without parsing the file
system or file system structures, allowing it to access different parts of the disk in parallel, making it
faster than the average tool. The second advantage of Bulk Extractor is that it can be used to process
practically any form of digital media: hard drives, camera cards, smartphones, SSDs, and optical
drives.

The most recent versions of Bulk Extractor can perform social network forensics and extract
addresses, credit card numbers, URLs, and other types of information from digital evidence. Other
capabilities include creating histograms based on frequently used email addresses and compiling word
lists, which can be helpful for password cracking.

All extracted information can be processed either manually or with automated tools, one of which
incorporates context-specific stop lists (i.e., search terms flagged by the investigator) that remove
some human error from digital forensics investigation.
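The approach described above, scanning raw bytes for recognisable artefacts without interpreting the file system, can be shown in a few dozen lines. The Python script below is an added example written for these notes; it is not Bulk Extractor's own code. It runs regular expressions for email addresses, URLs and candidate card numbers over a constructed byte buffer that stands in for a disk image (with binary filler between the fragments, as on a real image), validates card candidates with the Luhn checksum so that arbitrary digit runs are not reported, builds frequency histograms, and applies a stop list of terms the investigator wants excluded. Every address, URL and number in the buffer is constructed; `4111 1111 1111 1111` is the well-known test card number.

```python
import re
from collections import Counter

# Constructed "disk image": fragments of text scattered between binary filler.
IMAGE = (
    b"\x00" * 16
    + b"From: alice@corp.test\r\nTo: bob@partner.test\r\n"
    + b"\xff\xfe" * 8
    + b"see https://intranet.corp.test/report?id=7 "
    + b"card 4111 1111 1111 1111 exp 12/29"
    + b"\x00" * 8
    + b"alice@corp.test again"
    + b"\x07\x13" * 5
    + b"bogus 1234 5678 9012 3456"
    + b"\x00" * 16
)

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(rb"https?://[A-Za-z0-9./_%?=&#-]+")
# 13 to 19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters random digit runs."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        value = int(char)
        if index % 2 == 1:          # double every second digit from the right
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def scan(image, stop_list=frozenset()):
    """Carve artefacts from raw bytes and return per-type histograms."""
    emails = Counter(m.group().decode().lower() for m in EMAIL_RE.finditer(image))
    urls = Counter(m.group().decode() for m in URL_RE.finditer(image))
    cards = Counter()
    for match in CARD_RE.finditer(image):
        digits = re.sub(rb"[ -]", b"", match.group()).decode()
        if luhn_ok(digits):
            cards[digits] += 1
    for histogram in (emails, urls, cards):
        for term in stop_list:          # investigator-supplied exclusions
            histogram.pop(term, None)
    return {"emails": emails, "urls": urls, "cards": cards}


if __name__ == "__main__":
    for kind, histogram in scan(IMAGE).items():
        print(kind)
        for value, count in histogram.most_common():
            print(f"  {count:3d}  {value}")
```

The histogram is the useful output: an address that appears many times across slack space, swap and unallocated clusters is a lead even when no intact file names it. Note that the scanner never decodes the file system, which is exactly why it also finds fragments of deleted files.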

COFEE

Microsoft’s Computer Online Forensic Evidence Extractor (COFEE) is a forensic toolkit that extracts
evidence from Windows computers. The toolkit acts as an automated forensic tool during a live
analysis. It contains more than 150 features and a graphical user interface that guides an investigator
through data collection and examination and helps generate reports after extraction. Password
decryption, internet history recovery, and other data collection forms are all included in the toolkit.

Microsoft claimed that COFEE had reduced three- to four-hour tasks to under 20 minutes at the time
of its release. In addition, thousands of law enforcement agencies worldwide (including INTERPOL)
use COFEE, and Microsoft provides free technical support.

Computer Aided Investigative Environment

CAINE offers a full-scale forensic investigation platform designed to incorporate other tools and
modules into a user-friendly graphic interface. Its interoperable environment is intended to assist
investigators in all four stages of an investigation: preservation, collection, examination, and analysis.
In addition, it comes with dozens of pre-packaged modules (Autopsy, listed above, is among them).

Digital Forensics Framework

Digital Forensics Framework (DFF) is an open-source computer forensics platform built upon a
dedicated Application Programming Interface (API). Equipped with a graphical user interface for
simple use and automation, DFF guides a user through the critical steps of a digital investigation and
can be used by both professionals and amateurs alike.

The tool can be used to investigate hard drives and volatile memory and create reports about system
and user activity on the device in question.

EnCase

EnCase is considered the gold standard in forensic cybersecurity investigations, including mobile
acquisitions. It has offered forensic software to help professionals find evidence to testify in criminal
investigation cases involving cybersecurity breaches by recovering evidence and analyzing files on
hard drives and mobile phones.

It features platforms that reduce the amount of content investigators must review manually, so that
cases close faster.

MAGNET RAM Capture

Analyzing a computer’s physical random access memory (RAM), MAGNET RAM Capture enables
cybersecurity investigators to recover and analyze digital artifacts stored in a computer’s memory.
Using a small memory footprint, digital forensic investigators can use the tool and minimize the
amount of overwritten memory data.

This tool can export raw memory data in raw formats which can be uploaded to other forensics
analysis tools.

Redline

Redline provides endpoint security and investigative capabilities to its users. It is mainly used to
perform memory analysis and look for infection or malicious activity signs. Still, it can also be used to
collect and correlate data around event logs, the registry, running processes, file system metadata, web
history, and network activity.

Redline has more applications in cybersecurity and other tech-driven criminal behavior where a
granular analysis is critical.

Tor

When surveillance is a security threat, applications like Tor help PC and mobile device users be
undetectable. Tor allows users to browse anonymously and prevent identity theft through increased
internet security. This is useful when users need to access websites while visiting other countries,
protect their identity, or be difficult to trace. In addition, it blocks browser plugins such as Flash, Real
Player, QuickTime, and others. Tor suggests iOS users use their Onion Browser for private browsing
that automatically closes browsing history and extra tabs.

Volatility

The Volatility Foundation is a nonprofit organization whose mission is to promote the use of memory
analysis within the forensics community. Its primary software is an open-source framework for
incident response and malware detection through volatile memory (RAM) forensics. This allows the
preservation of evidence in memory that would otherwise be lost during a system shutdown.

Written in Python and supportive of almost all 32-bit and 64-bit machines, it can sift through cached
sectors, crash dumps, DLLs, network connections, ports, process lists, and registry files.

Digital Evidence Collection

Process involved in Digital Evidence Collection:

The main processes involved in digital evidence collection are given below:
 Data collection: In this process, data is identified and collected for investigation.
 Examination: In the second step, the collected data is examined carefully.
 Analysis: In this process, different tools and techniques are used and the collected evidence is
analyzed to reach some conclusion.
 Reporting: In this final step, all the documentation and reports are compiled so that they can be
submitted in court.

Types of Collectible Data:

The computer investigator and experts who investigate the seized devices have to understand what
kinds of potential evidence there could be and what type of evidence they are
looking for, so that they can structure their search pattern.
The investigator must pick the suitable tools to use during the analysis. Investigators can encounter
several problems while investigating a case: files may have been deleted from the
computer, they could be damaged, or they may even be encrypted. So the investigator should be familiar
with a variety of tools, methods, and software to prevent the data from being damaged during the
data recovery process.
There are two types of data that can be collected in a computer forensics investigation:
 Persistent data: This is data that is stored on a non-volatile storage device such
as a local hard drive or external storage devices like SSDs, HDDs, pen drives, CDs, etc. The data
on these devices is preserved even when the computer is turned off.
 Volatile data: This is data that is stored in volatile memory such as registers, cache or RAM, or
that exists in transit, and that will be lost once the computer is turned off or
loses power. Since volatile data is evanescent, it is crucial that an investigator knows how to
reliably capture it.

Types of Evidence:
Collecting the shreds of evidence is really important in any investigation to support the claims in
court. Below are some major types of evidence.
 Real Evidence: These pieces of evidence involve physical or tangible evidence such as flash
drives, hard drives, documents, etc. An eyewitness can also be considered a piece of tangible
evidence.
 Hearsay Evidence: These pieces of evidence are referred to as out-of-court statements. These
are made in courts to prove the truth of the matter.
 Original Evidence: These are the pieces of evidence of a statement that is made by a person
who is not a testifying witness. It is done in order to prove that the statement was made rather
than to prove its truth.
 Testimony: Testimony is when a witness takes oath in a court of law and gives their statement
in court. The shreds of evidence presented should be authentic, accurate, reliable, and
admissible as they can be challenged in court.

Challenges Faced During Digital Evidence Collection:

 Evidence should be handled with utmost care, as data stored in electronic media can get
damaged easily.
 Collecting data from volatile storage.
 Recovering lost data.
 Ensuring the integrity of collected data.
Recovering information from devices as digital evidence in an investigation is
becoming the fundamental ground for law enforcement and courts all around the world. The
methods used to extract information and evidence should be robust, to ensure that all the
related information and data are recovered and are reliable. The methods must also be legally
defensible, to ensure that the original evidence and data have not been altered in any way and
that no data was deleted from or added to the original evidence.

Handling Preliminary Investigation

Roles of First Responder


A first responder is the first person to arrive at the crime scene and begin the initial investigation.
The investigation proper starts after the evidence has been collected from the scene. If the evidence
collected by the first responder is forensically sound, it is easier for the investigation team to
establish the actual cause of the incident. It is therefore important that the first responder collects
evidence properly.

The main responsibilities of first responders are:


 Identifying the crime scene: After arriving at the crime scene, the first responder identifies
the scope of the scene and establishes a perimeter. The perimeter covers a particular area
depending on the networked computers involved. The first responder then lists the computer
systems involved in the incident from which evidence can be collected.
 Protecting the crime scene: In a cybercrime case, a search warrant is required for searching
and seizing digital evidence. Therefore, the first responder secures all computers and
electronic devices and waits for the case officer in charge.
 Preserving temporary and fragile evidence: For temporary and fragile evidence that could
change or disappear, such as information on a monitor/screen or a running program, the first
responder does not wait for the case officer in charge but photographs all such evidence
immediately.
 Collecting complete information about the incident: The first responder conducts
preliminary interviews of all persons present at the crime scene and asks questions about the
incident.
 Documenting all findings: The first responder documents all information about the collected
evidence in the chain of custody document sheet. The sheet contains information such as the
case number, the name of the person who reported the case, their address/phone number, the
location, date and time at which each item was collected, and a complete description of the item.
 Packaging and transporting the electronic evidence: After collecting the evidence, the first
responder labels each item and places it in an evidence storage bag, which protects the evidence
from sunlight and high temperature. For wireless devices, Faraday bags also block radio signals,
so that a seized device cannot connect to a network and be altered or wiped remotely. The first
responder then transports the packed bags to the forensics laboratory.
 Gathering preliminary information at the scene: At the time of an incident, the crime scene
and the surrounding area are secured to avoid tampering with the evidence. Preliminary
information gathered at the scene provides the basis for the forensic investigation and helps in
finding the evidence, provided there is no third-party interference at the incident scene.

Preliminary information gathered at the incident scene covers the following details:
 The type of incident.
 The reason for the occurrence of the incident.
 The potential damage due to the incident.
 Potential evidence from scattered objects outside the attacked system.
 Details of the person who used the system last before the incident.
 The people who first knew about the incident's occurrence.

Incident Response: Different Situations

The activity the first responder performs at the incident location has a great impact on the
investigation process and can determine the accuracy and success of the investigation. Therefore,
investigation firms and organizations need to choose the first response team for an incident
carefully.

1. First Response by System Administrators


The system administrator is responsible for monitoring and maintaining the system, and the records
of these activities can become the basis for the investigation during the forensic evaluation and any
administrative action. Once a system administrator discovers an incident, he or she must report it
according to the organization's current incident reporting procedures, and should then not touch the
system unless directed to by the incident response team, the duty manager, or one of the forensic
analysts assigned to the case.
The system administrator should explain to the investigator the security protocols and procedures
followed for using the systems and storage media. The administrator may also have to appear in the
legal proceedings to explain the measures taken during the initial shutdown or isolation of the
subject computer.

2. First Response by Laboratory Forensics staff


First response by laboratory forensic staff involves:
– Securing and evaluating the electronic crime scene
– Conducting preliminary interviews
– Documenting the electronic crime scene
– Collecting and preserving electronic evidence
– Packaging electronic evidence

3. First Responder Common Mistakes


Most of the time, when a computer crime incident occurs in an organization, a system or network
administrator takes charge as first responder at the scene, because many organizations do not
appoint a dedicated forensic investigator for such incidents. A system or network administrator who
does not know the first responder procedure and lacks forensic training cannot handle a computer
crime incident properly.
In such cases, they make the following mistakes:
 Shutting down or rebooting the victim's computer: shutting down or rebooting destroys all
volatile data (memory contents, running processes, open network connections, logged-in
sessions).
 Assuming that some components of the victim's computer are reliable and usable: running
commands with the victim computer's own binaries may trigger Trojans, malware, or logic/time
bombs that delete vital volatile data. Trusted tools should be run from known-good media
instead.
 Not having access to baseline documentation about the victim's computer.
 Not documenting the data collection process.

Incident Handling

Computer security incidents are real or suspected adverse events involving computers and computer
networks that relate to cybercrime or cybersecurity. The forensic investigators or internal
cybersecurity professionals whom organizations engage to handle such events are known as incident
handlers.

Incidents are categorized into three types:

 Low-level incidents: the impact of the incident is low.
 Mid-level incidents: the impact is comparatively high and security professionals are needed to
handle the situation.
 High-level incidents: the impact is the most serious; security professionals handle the situation
and forensic investigators analyze the scenario.

Investigating Information Hiding

FEATURES FOR INFORMATION HIDING TECHNIQUES

Any information hiding technique exhibits the following characteristics:

1. Capacity – the amount of information that can be hidden in the cover medium. It is bounded by
the requirement that the hidden information must not noticeably alter the cover, so as not to
attract the attention of unintended users.
2. Security – the method should ensure that only the intended recipient can gain access to the
hidden data. In other words, it refers to the inability of an unauthorized user to detect the hidden
information. This is crucial for protecting the confidentiality of the information being sent.
3. Robustness – the ability of the hidden information to survive modifications of the cover medium
(compression, cropping, format conversion, added noise) without being destroyed. Capacity,
robustness and imperceptibility trade off against one another: hiding more data, or hiding it more
robustly, generally makes the hiding easier to perceive.
4. Perceptibility – the method should hide data in such a manner that the original cover signal and
the signal carrying the hidden data are perceptually indistinguishable.
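To make these four properties concrete, here is a worked least-significant-bit (LSB) embedding over a constructed cover. It is an added example, not code from the original notes; the cover is a constructed array of 8-bit samples standing in for grayscale pixels, and the function names are the example's own. Capacity is one payload bit per sample, perceptibility is bounded by a change of at most 1 per sample, and the noise test shows why plain LSB hiding has poor robustness:

```python
# Added example: LSB steganography over a constructed cover (no image library).
import random


def make_cover(n: int, seed: int = 0) -> bytes:
    """Constructed cover: n pseudo-random 8-bit samples standing in for pixels."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n))


def lsb_capacity_bytes(cover: bytes) -> int:
    """Capacity: one payload bit per sample, minus a 4-byte length header."""
    return max(0, len(cover) // 8 - 4)


def lsb_embed(cover: bytes, payload: bytes) -> bytearray:
    """Hide payload in the least significant bit of each cover sample.
    A 4-byte big-endian length header precedes the payload so the extractor
    knows where to stop."""
    if len(payload) > lsb_capacity_bytes(cover):
        raise ValueError("payload exceeds cover capacity")
    data = len(payload).to_bytes(4, "big") + payload
    stego = bytearray(cover)
    bit_index = 0
    for byte in data:
        for shift in range(7, -1, -1):
            bit = (byte >> shift) & 1
            stego[bit_index] = (stego[bit_index] & 0xFE) | bit
            bit_index += 1
    return stego


def lsb_extract(stego: bytes) -> bytes:
    """Recover the payload: read the 4-byte length, then that many bytes."""
    def read_bytes(start_bit: int, count: int) -> bytes:
        out = bytearray()
        for i in range(count):
            value = 0
            for j in range(8):
                value = (value << 1) | (stego[start_bit + i * 8 + j] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(0, 4), "big")
    if 4 + length > len(stego) // 8:
        raise ValueError("length header inconsistent with cover size")
    return read_bytes(32, length)


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Perceptibility: the largest per-sample change introduced by embedding."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def survives_noise(stego: bytes, payload: bytes, seed: int = 1) -> bool:
    """Robustness: add +/-1 noise to every sample (a crude stand-in for a
    lossy re-encode) and see whether the payload is still recoverable.
    Plain LSB embedding does not survive this, because every LSB flips."""
    rng = random.Random(seed)
    noisy = bytearray((s + rng.choice((-1, 1))) & 0xFF for s in stego)
    try:
        return lsb_extract(noisy) == payload
    except ValueError:
        return False


if __name__ == "__main__":
    cover = make_cover(400)
    secret = b"meet at 0300 hours"          # constructed payload
    stego = lsb_embed(cover, secret)
    print("capacity (bytes):", lsb_capacity_bytes(cover))
    print("recovered:", lsb_extract(stego))
    print("max sample change:", max_sample_change(cover, stego))
    print("survives noise:", survives_noise(stego, secret))
```

Detecting this kind of hiding is the forensic side of the same trade-off: because embedding only touches the LSB plane, statistical tests on that plane (for instance chi-square tests on pairs of sample values) are how examiners look for it.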

Investigation Using Emails

Email forensics is a branch of digital forensics that focuses on the forensic analysis of email to collect
digital evidence for cybersecurity attacks and cyber incidents. It comprises an in-depth forensic
investigation of various email aspects such as Message-IDs, transmission routes, attached files and
documents, IP addresses of servers and computers, etc.

Email forensic professionals use the following techniques to examine emails and analyze the digital
evidence:

1. Email Header Analysis

Email headers contain essential information, including the sender and recipient addresses, the path
(servers and other devices) through which the message has traversed, the times at which each server
handled it, etc.

These details help investigators and forensics experts in the email investigation. For instance, the
Delivered-To field contains the recipient's mailbox address, and each Received field, added by a server
as the message passes through it, contains:

 the host that handed the message over (the "from" part, usually with its hostname and IP address);
 the server that accepted it (the "by" part) and the queue/SMTP id that server assigned to the
message;
 the date and time at which that server received the message.
Because each server prepends its own Received field, the topmost one records the last hop (closest to
the recipient) and the bottommost records the first hop (closest to the sender). The bottommost
Received: from entry therefore provides the sender's IP address and hostname, and such information
can be instrumental in identifying the culprit and collecting evidence. Only the Received fields added
by servers the investigator trusts can be taken at face value: a sender can plant fake Received fields
below them, so investigators check that each hop's "by" host matches the next hop's "from" host and
that the timestamps increase along the route.

2. Email Server Investigation

Email servers are investigated to locate the source of an email. For example, if an email has been
deleted from a client application, whether the sender's or the receiver's, the related mail servers (or
the ISP's servers) are examined, as they usually retain copies of emails for some time after delivery.
Servers also maintain logs that can be analyzed to identify the address of the computer from which
the email originated.

3. Investigation of Network Devices

In some cases, server logs are not available. In such an event, investigators can refer to the logs
maintained by network devices such as switches, firewalls, and routers to trace the source of an email
message.

4. Sender Mailer Fingerprints

X-headers are non-standard email headers added to messages alongside standard headers such as
Subject and To. They are often added to carry spam-filter information, authentication results, etc.,
and can be used to identify the software that handled the email at the client (for example X-Mailer).
Some providers add an X-Originating-IP header recording the IP address of the sending computer.
Like every header set before the message reached a trusted server, X-headers can be forged, so they
are leads to be corroborated rather than proof.

5. Message-IDs

Message-ID is a globally unique identifier for a message and helps the forensic examination of emails
across systems. It is a string enclosed in angle brackets with two parts separated by @. The part
before @ is generated by the sending software, a Mail User Agent (MUA) or Mail Transfer Agent
(MTA), and often encodes the time the message was sent, a sequence number or random data. The
part after @ is the Fully Qualified Domain Name (FQDN) of the host that generated the identifier.
The format of the left-hand part is itself a fingerprint of the generating software, and the FQDN can
be compared with the earliest Received field to check that the message really originated where it
claims to.
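As a worked example of the header analysis, X-header and Message-ID techniques above (an added example, not code from the original notes), the following Python uses only the standard library to reconstruct the route from the Received fields, check the chain for consistency, and split the Message-ID. The message, hosts, IP addresses and ids are constructed for the example; FORGED_EMAIL is the same message with a fake Received field planted by the sender, which the consistency check catches:

```python
# Added example: email header analysis with the standard library.
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message: hosts, IPs and ids are invented for the example.
RAW_EMAIL = """\
Received: from mx-in.example.net (mx-in.example.net [203.0.113.10])
\tby mail.example.com (Postfix) with ESMTPS id 7F3A2C1
\tfor <analyst@example.com>; Mon, 04 Mar 2024 10:15:42 +0000
Received: from webmail.example.org (unknown [198.51.100.7])
\tby mx-in.example.net (Postfix) with ESMTP id 91BB0D4;
\tMon, 04 Mar 2024 10:15:40 +0000
Received: from [192.0.2.55] (client.example.org [192.0.2.55])
\tby webmail.example.org with HTTP; Mon, 04 Mar 2024 10:15:39 +0000
Message-ID: <20240304101539.4a1f2c@webmail.example.org>
X-Mailer: ExampleMail 3.2
X-Originating-IP: [192.0.2.55]
From: "Sender" <sender@example.org>
To: analyst@example.com
Subject: invoice

please see attached
"""

# Same message with a Received field the sender planted below the real ones.
FORGED_EMAIL = RAW_EMAIL.replace(
    "Message-ID:",
    "Received: from innocent.example.com (innocent.example.com [203.0.113.99])\n"
    "\tby attacker.invalid with SMTP; Sun, 03 Mar 2024 09:00:00 +0000\nMessage-ID:")

RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)(?:\s+\((?P<from_info>[^)]*)\))?"
    r"\s+by\s+(?P<by_host>\S+)"
    r"(?:.*?\bid\s+(?P<id>[^\s;]+))?"
    r".*?;\s*(?P<date>.+)$")
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_received(value: str):
    """Split one Received field into from/by/id/time. Returns None if unparsable."""
    text = re.sub(r"\s+", " ", value).strip()       # unfold continuation lines
    m = RECEIVED_RE.search(text)
    if not m:
        return None
    ip = IP_RE.search(m.group("from_info") or "") or IP_RE.search(m.group("from_host"))
    return {"from": m.group("from_host").strip("[]"),
            "from_ip": ip.group(1) if ip else None,
            "by": m.group("by_host"),
            "id": m.group("id"),
            "time": parsedate_to_datetime(m.group("date").strip())}


def parse_message_id(value: str):
    """Split <local@fqdn> into its two parts."""
    m = re.fullmatch(r"\s*<?([^@<>\s]+)@([^<>\s]+)>?\s*", value)
    return {"local": m.group(1), "domain": m.group(2)} if m else None


def analyze_email(raw: str) -> dict:
    msg = message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    hops.reverse()            # fields are prepended, so the bottom one is the first hop
    # Each server's "by" should be the next server's "from", and time should not go
    # backwards. A break is a lead (HELO names can differ), not proof of forgery.
    consistent = all(a["by"].lower() == b["from"].lower() and a["time"] <= b["time"]
                     for a, b in zip(hops, hops[1:]))
    x_headers = {k: v.strip() for k, v in msg.items() if k.lower().startswith("x-")}
    x_orig = IP_RE.search(x_headers.get("X-Originating-IP", ""))
    mid = parse_message_id(msg.get("Message-ID", ""))
    return {
        "hops": hops,
        "chain_consistent": consistent,
        "origin_ip": hops[0]["from_ip"] if hops else None,
        "x_originating_ip": x_orig.group(1) if x_orig else None,
        "message_id": mid,
        "message_id_matches_origin": bool(
            mid and hops and mid["domain"].lower() == hops[0]["by"].lower()),
        "x_headers": x_headers,
    }


if __name__ == "__main__":
    for label, raw in (("genuine", RAW_EMAIL), ("forged", FORGED_EMAIL)):
        r = analyze_email(raw)
        print(label, "chain consistent:", r["chain_consistent"], "origin:", r["origin_ip"])
        for hop in r["hops"]:
            print("  ", hop["time"].isoformat(), hop["from_ip"], "->", hop["by"], hop["id"])
```

In the forged variant the planted field becomes the "first hop", its "by" host does not match the next hop's "from" host, and the timestamp goes backwards, so chain_consistent is False; the investigator then trusts only the fields added by servers they control.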

6. Embedded Software Identifiers

Sometimes the email software used by a sender includes additional information about the message
and the attached files. An in-depth analysis of these sections, and of the metadata of attached
documents, can reveal vital details related to the sender, such as a MAC address embedded in
document metadata, the sender's Windows login username, etc.

7. Bait Tactics

The bait tactic is an email investigation technique used when the location of a suspect is unknown.
The investigators send the suspect an email containing an HTML <img src=...> tag whose image is
hosted on a server that the investigators monitor. When the suspect's mail client renders the email
and fetches the image, the client's IP address is written to the HTTP server's access log, and the
investigators can use that address to track the suspect. Sometimes suspects take precautions, such as
using a proxy server, to protect their identity; in that case the proxy server's IP address is recorded,
but the proxy's own logs can be analyzed to trace the suspect. Note that many mail clients block remote
images by default, so the tactic only works if the suspect's client actually loads the image.

8. Bulk Email Forensics


Large mailbox collections are often examined, analyzed, and used as evidence in legal cases, so legal
professionals frequently have to work with large mailboxes.

Date and time are two attributes of emails that are considered essential when they are produced as
evidence related to a case. However, emails can be forged just like physical documents, and attackers
may tamper with these attributes. In addition, since an email does not travel directly from the sender
to the receiver but passes through several servers, recording its actual route with accurate timings is
a tricky aspect.

9. Importance of using Hashing Algorithm

It is standard practice to use hashing algorithms such as MD5 and SHA-1 in email forensics
investigations. Hash values allow forensic investigators to demonstrate that digital evidence has not
changed from the moment they acquire it until it is produced in a court of law. Another reason hash
values are important is that electronic documents are shared with legal professionals and other parties
during the investigation, and it must be possible to confirm that everyone is working from identical
copies. Because practical collision attacks exist for both MD5 and SHA-1, current practice is to record
SHA-256 as well and rely on it for integrity.
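An added example (not from the original notes) of the acquisition, hashing and verification workflow described here and under "ensuring the integrity of collected data" above: the original is hashed, copied into an evidence store, the copy is hashed again and compared, a chain-of-custody manifest line is written, and a later verify() call detects a tampered working copy. File names, the case number and the examiner id are constructed; all three algorithms are computed so that the MD5/SHA-1 values expected by existing tooling sit beside the SHA-256 that should be relied on:

```python
# Added example: hash-based integrity for acquired evidence.
import hashlib
import io
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(stream, chunk_size: int = 1 << 20) -> dict:
    """Hash a binary stream with all three algorithms in a single pass."""
    hashes = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashes.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def hash_file(path: str) -> dict:
    with open(path, "rb") as f:
        return hash_stream(f)


def hash_bytes(data: bytes) -> dict:
    return hash_stream(io.BytesIO(data))


def acquire(source: str, evidence_dir: str, case_no: str, examiner: str) -> dict:
    """Copy the original into the evidence store and append a manifest record.
    Hashing the source before the copy and the copy after it proves the
    reproduction is faithful (the "authenticate and verify" step)."""
    os.makedirs(evidence_dir, exist_ok=True)
    dest = os.path.join(evidence_dir, os.path.basename(source))
    source_hashes = hash_file(source)
    shutil.copyfile(source, dest)
    copy_hashes = hash_file(dest)
    if copy_hashes != source_hashes:
        raise RuntimeError("copy does not match original; acquisition failed")
    record = {
        "case_no": case_no,
        "examiner": examiner,
        "item": os.path.basename(source),
        "size": os.path.getsize(dest),
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "hashes": copy_hashes,
    }
    with open(os.path.join(evidence_dir, "manifest.json"), "a") as manifest:
        manifest.write(json.dumps(record) + "\n")
    return record


def verify(path: str, record: dict):
    """Return (ok, names of algorithms whose digest no longer matches)."""
    current = hash_file(path)
    bad = [name for name in ALGORITHMS if current[name] != record["hashes"][name]]
    return (not bad, bad)


def demo():
    """Constructed run: acquire a fake mailbox export, then tamper with the
    stored copy and show verify() catching it."""
    work = tempfile.mkdtemp()
    try:
        original = os.path.join(work, "mailbox.pst")        # constructed evidence file
        with open(original, "wb") as f:
            f.write(b"constructed mailbox export " * 1000)
        record = acquire(original, os.path.join(work, "evidence"), "CASE-001", "examiner-1")
        stored = os.path.join(work, "evidence", "mailbox.pst")
        ok_before, _ = verify(stored, record)
        with open(stored, "r+b") as f:                       # flip one byte: tampering
            f.seek(10)
            f.write(b"X")
        ok_after, bad = verify(stored, record)
        return ok_before, ok_after, bad
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())   # (True, False, ['md5', 'sha1', 'sha256'])
```

The manifest is append-only and carries who acquired what and when, which is the information the chain of custody sheet needs; in practice the record is also signed or stored on write-once media so the manifest itself cannot be quietly edited.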

Internet Tracking and Tracing


Electronic passage through the Internet leaves a trail that can be traced. Tracing follows Internet
activity backwards, from the recipient to the originating user. A user's activity on web sites can also
be tracked at the site itself (i.e., which pages are visited and how often). Sometimes this tracking and
tracing ability is used to send the user email promoting a product related to the sites visited. User
information, however, can also be gathered covertly.

Tracking Tools

Cookies. Cookies are small pieces of data that a web site asks the browser to store on the user's
computer. When the user visits the site, the server sends the cookie in a Set-Cookie response header,
the browser stores it, and the browser sends it back with every later request to that site.

A cookie thus acts as a tracking device: it lets the site recognise the same browser across visits and
record the user's movements within the site, and it carries identifiers such as a session ID that stands
in for the user's login. Commercial web sites use cookies to allow a user to establish an account on the
first visit and avoid re-entering account information (address, payment details, etc.) on subsequent
visits. User information can also be collected without the user's knowledge and subsequently used for
whatever purpose the host intends.

Cookie data can be transferred from the host to another party. This can occur legally (i.e., selling a
subscriber mailing list) or illegally (i.e., "hacking into" a host computer and copying the data).
Cookies can also be acquired as part of a law enforcement investigation.

Stealing a cookie from the user's side requires access to the browser's cookie store or to the page
itself (for example through malware or a cross-site scripting flaw), and a stolen session cookie lets the
thief act as the user. Cookies can be blocked or deleted by the user through the browser's privacy
settings; no programming knowledge is needed.

Bugs or Beacons. A bug or beacon is an image embedded in a web page or in an email. Unlike a
cookie, a beacon is not stored on the user's computer, so it cannot simply be deleted; it can only be
prevented from firing by not loading remote images. Beacons need not be prominent: the graphic can
be transparent, or only 1x1 pixels in size (a single dot on the monitor). It fires as soon as the page or
message is rendered and the browser or mail client fetches the image; no click is needed, and the
request itself relays information to the host computer.

Information that can be gathered by bugs or beacons includes:

 the user's IP address (the Internet address of the computer)
 the email address of the user (when the image URL carries a per-recipient token)
 the user computer's operating system (which can be used to target malware to specific operating
systems)
 the URL (Uniform Resource Locator), or address, of the web page that the user was visiting when
the bug or beacon was activated (from the Referer header)
 the browser or mail client that was used (from the User-Agent header)

When used as a marketing tool or as a means for an entrepreneur to acquire information about the
consumer, bugs or beacons can be merely an annoyance. However, the acquisition of IP addresses and
other user information can be used maliciously. For example, confirmation that an email address is
active and read can be used to send spam or malware-laden email to the user.
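A worked example of the bait tactic (section 7 above) and of a tracking pixel as described under bugs or beacons, added here and not part of the original notes: a per-recipient token is embedded in the image URL, and the investigators' web server access log is parsed for beacon hits. The beacon host, path layout, tokens and log lines are constructed for the example; the log format assumed is the common "combined" format with the X-Forwarded-For header appended as a final quoted field:

```python
# Added example: tokenised beacon for a bait email, and a parser for the hits.
import re
import secrets
from datetime import datetime

BEACON_HOST = "https://beacon.example.net"   # constructed: server the investigators control

# Smallest transparent 1x1 GIF (43 bytes); what the beacon endpoint would serve.
PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
             b"\x00\x02\x02D\x01\x00;")


def new_token() -> str:
    """One unguessable token per bait message, so a hit identifies the recipient."""
    return secrets.token_urlsafe(12)


def bait_html(token: str, body_text: str) -> str:
    """Bait message body: the visible text plus an invisible remote image."""
    return (f"<html><body><p>{body_text}</p>"
            f'<img src="{BEACON_HOST}/px/{token}.gif" width="1" height="1" '
            f'style="display:none" alt=""></body></html>')


# Combined log format with X-Forwarded-For as the last quoted field (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$')
PATH_RE = re.compile(r"^/px/(?P<token>[A-Za-z0-9_-]+)\.gif$")


def parse_beacon_hits(log_lines, known_tokens) -> list:
    """Return one record per request for a known beacon token."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        p = PATH_RE.match(m.group("path"))
        if not p or p.group("token") not in known_tokens:
            continue
        xff = m.group("xff")
        hits.append({
            "token": p.group("token"),
            # If the suspect used a proxy, this is the proxy's address.
            "client_ip": m.group("ip"),
            # X-Forwarded-For is supplied by the proxy (or the client) and can be
            # set to anything, so it is a lead to follow up in the proxy's logs.
            "forwarded_for": None if xff in ("", "-") else xff.split(",")[0].strip(),
            "user_agent": m.group("ua"),
            "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        })
    return hits


# Constructed sample: two issued tokens and four access-log lines.
SAMPLE_TOKENS = {"k3Fz9QpL2mWx", "abcdefghijkl"}
SAMPLE_LOG = [
    '203.0.113.45 - - [04/Mar/2024:11:02:07 +0000] "GET /px/k3Fz9QpL2mWx.gif HTTP/1.1" '
    '200 43 "-" "Mozilla/5.0 (Windows NT 10.0) Thunderbird/115.8" "-"',
    '198.51.100.9 - - [04/Mar/2024:11:05:30 +0000] "GET /px/abcdefghijkl.gif HTTP/1.1" '
    '200 43 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0" "192.0.2.77"',
    '198.51.100.9 - - [04/Mar/2024:11:05:31 +0000] "GET /favicon.ico HTTP/1.1" '
    '404 0 "-" "curl/8.4.0" "-"',
    '203.0.113.45 - - [04/Mar/2024:11:06:00 +0000] "GET /px/notatoken.gif HTTP/1.1" '
    '404 0 "-" "scanner" "-"',
]

if __name__ == "__main__":
    print(bait_html(new_token(), "Your parcel could not be delivered."))
    for hit in parse_beacon_hits(SAMPLE_LOG, SAMPLE_TOKENS):
        print(hit["time"].isoformat(), hit["token"], hit["client_ip"],
              hit["forwarded_for"], hit["user_agent"])
```

The token, not the IP address, is what ties a hit to a specific recipient; the second sample hit shows the proxy case, where the logged client address belongs to the proxy and the X-Forwarded-For value is only a pointer to which proxy logs to request. Sending bait requires legal authorisation in the same way as any other covert measure.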

ActiveX, JavaScript. Scripts and components built with these technologies run automatically when a
site is visited. They operate within the browser and can create the pop-up advertising windows that
appear on many web sites; when a pop-up is loaded or visited, user information such as described in
the sections above can be gathered. ActiveX controls in particular ran native code with the user's
privileges, which is why current browsers no longer support them.

Tracing email. Email transmissions have several features that make it possible to trace their passage
from the sender's computer to the recipient's. For example, every email contains a section of
information called the header. Information concerning the origin time, date, and location of the
message is present, as is the Internet (IP) address of the sender's computer as recorded by the first
mail server that accepted the message.

If an alias has been used to send the message, the IP address can be used to trace the true origin of the
transmission. When the message source is a personally owned computer, this tracing can often lead
directly to the sender. However, if the sending computer serves a large community, such as a
university, through which malicious transmissions are often routed, then identifying the sender can
remain daunting.

Depending on the email system in use, even a communal facility may hold information about the
account of the sender (for example, authentication logs on the mail server).

The information in the header also details the route that the message took from the sending computer
to the recipient computer. This can be useful in establishing the identity of the sender.

Chat rooms. Chat rooms are electronic forums where users can meet and exchange views and
opinions about a variety of issues. By piecing together the electronic transcripts of chat room
conversations, law enforcement officers can track down the source of malicious activity.
Unit 5
Cyber Law (IT Law) in India
Cyber law, also called IT law, is the law relating to information technology, including computers and
the internet. It is related to legal informatics and governs the digital circulation of information,
software, information security, and e-commerce.
IT law is not a separate area of law; rather, it encloses aspects of contract, intellectual property,
privacy, and data protection law. Intellectual property is a key element of IT law.
Importance of Cyber Law:
1. It covers all transactions over the internet.
2. It regulates all activities over the internet.
3. It touches every action and every reaction in cyberspace.

Area of Cyber Law:


Cyber laws serve different purposes. Some create rules for how individuals and companies may use
computers and the internet, while others protect people from becoming victims of crime through
unscrupulous activities on the internet. The major areas of cyber law include:
1. Fraud:
Consumers depend on cyber laws to protect them from online fraud. Laws are made to prevent
identity theft, credit card theft, and other financial crimes that happen online. A person who
commits identity theft may face federal or state criminal charges, and may also face a civil action
brought by a victim. Cyber lawyers work both to defend and to prosecute allegations of fraud
committed using the internet.

2. Copyright:
The internet has made copyright violations easier; in the early days of online communication,
copying was trivially easy. Both companies and individuals need lawyers to bring actions
enforcing copyright protections. Copyright is the area of cyber law that protects the rights of
individuals and companies to profit from their creative works.

3. Defamation:
Many people use the internet to speak their minds. When people use the internet to say things
that are not true, it can cross the line into defamation. Defamation laws are civil laws that protect
individuals and businesses from false public statements that can harm their reputation.
Defamation law governs statements made on the internet in the same way as statements made
anywhere else.

4. Harassment and Stalking:


Sometimes online statements violate criminal laws that forbid harassment and stalking. When a
person repeatedly makes threatening statements about someone else online, both civil and
criminal laws may be violated. Cyber lawyers both prosecute and defend people when stalking
occurs using the internet and other forms of electronic communication.

5. Freedom of Speech:
Freedom of speech is an important area of cyber law. Even though cyber laws forbid certain
behaviours online, freedom of speech laws also allow people to speak their minds. Cyber
lawyers must advise their clients on the limits of free speech, including laws that prohibit
obscenity. Cyber lawyers may also defend their clients when there is a dispute about whether
their actions constitute permissible free speech.

6. Trade Secrets:
Companies doing business online often depend on cyber laws to protect their trade secrets. For
example, Google and other online search engines spend a great deal of time developing the
algorithms that produce search results. They also spend a great deal of time developing other
features such as maps, intelligent assistants, and flight search services, to name a few. Cyber laws
allow these companies to take legal action as necessary to protect their trade secrets.

7. Contracts and Employment Law:


Every time you click a button saying that you agree to the terms and conditions of a website, you
are relying on cyber law. Every website has terms and conditions, and these are usually related to
privacy concerns.

Advantages of Cyber Law:


 Organizations are now able to carry out e-commerce using the legal infrastructure provided by
the Information Technology Act, 2000 (the IT Act).
 Digital signatures have been given legal validity and sanction in the Act.
 It has opened the doors for corporate companies to enter the business of issuing Digital
Signature Certificates as Certifying Authorities.
 It allows the Government to issue notifications on the web, thus heralding e-governance.
 It gives companies and organizations the authority to file any form, application, or other
document with any office, authority, body, or agency owned or controlled by the appropriate
Government in electronic form, using such e-form as the appropriate Government may prescribe.
 The IT Act also addresses the important issues of security, which are so critical to the success
of electronic transactions.
 Cyber law addresses the security of both hardware and software, for example by penalising
unauthorised access to, and damage to, computer systems and the data on them.

Intellectual Property in Cyberspace


Intellectual Property (IP) refers to creations of the mind. It refers to ownership of an idea or design
by the person who came up with it. It gives the owner of an inventive design or any form of distinctive
work certain exclusive rights, which make it unlawful to copy or reuse that work without the owner's
permission. It is a part of property law. People associated with literature, music, invention, etc. can
rely on it in their business practices.
There are numerous types of tools of protection that come under the term “intellectual property”.
Notable among these are the following:
 Patent
 Trademark
 Geographical indications
 Layout Designs of Integrated Circuits
 Trade secrets
 Copyrights
 Industrial Designs

In cyberspace, one person sometimes profits by using another person's creation without the owner's
consent. This is a violation of the creator's intellectual property rights (IPR), and there are laws to
prevent such violations in cyberspace.
Copyright Infringement:
Copyright protection gives the owner of a published artistic, literary, or scientific work the right to
prohibit everyone else from exploiting that work and profiting from it.
When such proprietary creations are used by anyone without the permission of the owner, it is
copyright infringement. Making copies of software and selling them on the internet without the
owner's permission, or even copying content from an online source, are examples of copyright
infringement.
Copyright Issues in Cyberspace :
1. Linking –
A link lets a web site user move to another location on the Internet: by clicking a word or image
on one web page, the user can view another web page elsewhere, whether on the same server as the
original page or on a different one.
Linking can damage the rights or interests of the owner of the linked web page, for example when a
deep link or a frame bypasses the linked site's home page and its advertising. It may create the
impression that the two sites are the same or promote the same idea, and the linked site can lose
income that depends on the number of visitors to its own pages.
2. Software Piracy –
Software piracy refers to the act of stealing software that is lawfully protected. It comprises
copying, distributing, altering, or selling the software without a licence, and it is covered by the
Indian Copyright Act.
An example of software piracy is downloading a copy of Microsoft Word from any website other
than Microsoft's to avoid paying for it, as it is paid software.
3. Cybersquatting –
Cybersquatting means unauthorized registration and use of Internet domain names that are similar to
any business’s trademarks, service marks, or company names. For example, let us consider Xyz is a
very famous company and the company hadn’t created a website yet. A cybersquatter could buy
xyz.com, looking to sell the domain to the company Xyz at a later date for a profit. The domain name
of a famous company can even be used to attract traffic and this traffic will help cybersquatters earn a
lot of money through advertising.

Trademark Issues in Cyberspace :


A trademark is a mark capable of being represented graphically which distinguishes the goods or
services of one person from those of others; it may include the shape of goods, their packaging, and
combinations of colours. Trademark infringement refers to the unlawful use of a trademark or service
mark in a way that causes ambiguity, deception, or confusion about the actual source of a product or
service. Trademark owners can seek legal remedies if they believe their marks are being infringed.

JURISDICTION IN CYBERSPACE

‘Jurisdiction’, as applied to a particular claim or controversy, is the power to hear and determine that
controversy. The term imports authority to apply the laws, and excludes the idea of power to make the
laws. It refers to the local extent within which a court can and does exercise that power. The law
relating to crimes generally requires that the courts of a state have jurisdiction to try and adjudicate all
offences committed within the territorial limits of that court. However, exceptions have been created
where, even though technically and strictly the offender did not commit the crime on the soil of the
country, its courts nonetheless exercise jurisdiction over the offender.

Theories of Jurisdiction in Criminal Cases

There are six generally accepted bases of jurisdiction or theories under which a state may claim to
have jurisdiction to prescribe a rule of law over an activity.
Subjective territoriality If an activity takes place within the territory of the particular country, then
the said country has the jurisdiction to regulate and punish for such activity. For instance, section 2 of
the Indian Penal Code provides for punishment of offences committed within India.

Objective territoriality is invoked where the action takes place outside the territory of the forum
state but its primary effect is within the forum state; this is commonly known as the ‘effects’
doctrine. For instance, if a person in Pakistan shoots across the border and an Indian is injured, the
action was initiated in Pakistan but the effect was in India, so Indian courts assume jurisdiction.

Nationality is the basis for jurisdiction where the forum state asserts the right to prescribe a law for
an action based on the nationality of the actor. For instance, the Indian Penal Code stipulates that the
provisions of the Code would also apply to any offence committed by any citizen of India in any place
without and beyond India.

Passive nationality is a theory of jurisdiction based on the nationality of the victim. Passive and
“active” nationality are often invoked together to establish jurisdiction because a state has more
interest in prosecuting an offense when both the offender and the victim are nationals of that state.

The Protective principle expresses the desire of a sovereign to punish actions committed in other
places solely because it feels threatened by those actions. This principle is invoked where the “victim”
would be the government or sovereign itself. This principle is not preferred for the obvious reason that
it can easily offend the sovereignty of another nation.

Lastly, nations also exercise a Universal jurisdiction with respect to certain offences. Sea piracy has
been, for long, a part of this jurisdiction. Any nation could have captured and punished pirates. This
form of jurisdiction has been expanded lately to include slavery, genocide, and hijacking (air piracy).
For instance, Article 105 of the United Nations Convention on the Law of the Sea stipulates that on
the high seas, or in any other place outside the jurisdiction of any State, every State may seize a pirate
ship or aircraft, or a ship or aircraft taken by piracy and under the control of pirates, and arrest the
persons and seize the property on board. It further provides that the courts of the state which carried
out the seizure may decide upon the penalties to be imposed, and may also determine the action to be
taken with regard to the ships, aircraft or property, subject to the rights of third parties acting in good
faith.
