
20IT84-Cyber Security & Digital Forensics

UNIT-II
1. Explain the functions and purposes of proxy servers and anonymizers. What are the
potential benefits and risks associated with their use?
A proxy server acts as an intermediary between a user's device and the internet. When a user
sends a request, it goes through the proxy server, which then forwards the request to the
internet and returns the response to the user.
Types of Proxies:
• Forward Proxy: Used by clients to access the internet indirectly, typically employed
within corporate networks to control and filter outbound traffic.
• Reverse Proxy: Sits in front of web servers and serves as a protective barrier,
intercepting requests from clients and directing them to appropriate servers.
Anonymizers:
Anonymizers are tools or services that aim to conceal a user's identity and online activity by
masking their IP address and encrypting internet traffic.
• Virtual Private Networks (VPNs): One of the most common types of anonymizers,
VPNs create a secure and encrypted connection between the user's device and a VPN
server, hiding the user's IP address and encrypting data transmitted over the network.
• Tor (The Onion Router): A network that anonymizes internet traffic by routing it
through a series of volunteer-operated servers, encrypting it multiple times to conceal
the user's identity and location.
Benefits of Proxy Servers and Anonymizers:
• Enhanced privacy: Mask your IP address and online activity, protecting against
tracking, targeted advertising, and surveillance.
• Improved security: Filter malicious content, block harmful websites, and encrypt
sensitive data, safeguarding against online threats.
• Bypass geo-restrictions: Access content unavailable in your region by masking your
location.
Risks of using Proxy Servers and Anonymizers:
• Misuse for malicious activities: Attackers can leverage proxies and anonymizers to
hide their identities and launch cyberattacks, conduct illegal activities, or spread
misinformation.
• Potential for data breaches: If not appropriately configured or managed, proxy
servers and anonymizers could be vulnerable to data leaks or exploitation.
• Performance slowdown: Routing traffic through additional servers can sometimes
lead to slower internet speeds.
2. How can organizations detect and mitigate the use of proxy servers for malicious
activities?
Organizations can employ the following strategies to identify and mitigate the misuse of proxy
servers for malicious purposes:
Network Monitoring: Implement robust network monitoring tools to track and analyze
internet traffic, identifying patterns that may indicate malicious activities or the use of proxy
servers.
Behavioral Analysis: Utilize behavioral analysis tools to identify unusual patterns in user
behavior, which may suggest the use of proxy servers for malicious intent.
Proxy Detection Tools: Deploy specialized proxy detection tools that can identify the
presence of proxy servers and anonymizers within the network.
Access Controls: Implement strict access controls and policies to restrict the use of proxy
servers, ensuring that their deployment aligns with organizational security guidelines.
Regular Audits: Conduct regular audits of network traffic and configurations to detect any
unauthorized use of proxy servers and take corrective actions promptly.
By adopting a multi-faceted approach combining technology, policies, and monitoring,
organizations can enhance their ability to detect and mitigate potential security threats
associated with the use of proxy servers for malicious activities.
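The network-monitoring and proxy-detection points above can be turned into two concrete log checks. The following is an added example for this study guide, not code from the original document: every log line, address and the "known anonymizer exits" list is constructed for illustration, and a real deployment would feed its own log format and threat-intelligence list into the same logic. The inbound check flags requests that arrive through a proxy (Via / X-Forwarded-For headers present, or a source on the anonymizer list); the egress check flags internal hosts that repeatedly talk to external proxy ports or anonymizer exits, which is what an access-control policy restricting proxy use needs to see.

```python
"""Finding proxied or anonymised traffic in web-server and egress logs.

Added example for this study guide; not code from the original document.
All log lines, IP addresses and the anonymizer list are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed: addresses a threat-intel feed has labelled as anonymizer
# or open-proxy exits (placeholder values from documentation ranges).
KNOWN_ANONYMIZER_EXITS = {"203.0.113.7", "198.51.100.42"}

# Ports commonly used by HTTP/SOCKS proxies and the Tor SOCKS listener.
PROXY_PORTS = {3128, 8080, 8118, 1080, 9050}

# Constructed inbound web-server log: client IP, request line, then the
# proxy-revealing headers the server recorded ('-' when absent).
INBOUND_LOG = """\
203.0.113.7 "POST /login" via=- xff=-
192.0.2.10 "GET /index.html" via=- xff=-
192.0.2.55 "POST /login" via=1.1_proxy.example xff=10.9.8.7
198.51.100.42 "POST /login" via=- xff=-
192.0.2.10 "GET /about" via=- xff=-
"""
INBOUND_RE = re.compile(r'^(\S+) "([^"]+)" via=(\S+) xff=(\S+)$')

def analyse_inbound(log_text):
    """Return (client_ip, reason) findings for requests that look proxied."""
    findings = []
    for line in log_text.splitlines():
        m = INBOUND_RE.match(line)
        if not m:
            continue                      # skip malformed lines
        client, _request, via, xff = m.groups()
        if client in KNOWN_ANONYMIZER_EXITS:
            findings.append((client, "source is a known anonymizer exit"))
        if via != "-" or xff != "-":
            findings.append((client, "request carries Via/X-Forwarded-For headers"))
    return findings

# Constructed egress (firewall) log: internal source -> external destination:port.
EGRESS_LOG = """\
10.0.0.5 -> 203.0.113.7:443
10.0.0.5 -> 203.0.113.50:443
10.0.0.9 -> 198.51.100.99:3128
10.0.0.9 -> 198.51.100.99:3128
10.0.0.9 -> 198.51.100.99:3128
10.0.0.12 -> 203.0.113.50:80
10.0.0.12 -> 198.51.100.77:9050
"""
EGRESS_RE = re.compile(r'^(\S+) -> (\S+):(\d+)$')

def analyse_egress(log_text, min_hits=2):
    """Return {internal_host: set(reasons)} for hosts whose outbound traffic
    suggests use of an external proxy or anonymizer. A proxy-port destination
    is reported only after `min_hits` connections, to cut one-off noise."""
    reasons = defaultdict(set)
    port_hits = Counter()
    for line in log_text.splitlines():
        m = EGRESS_RE.match(line)
        if not m:
            continue
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        if dst in KNOWN_ANONYMIZER_EXITS:
            reasons[src].add("connects to a known anonymizer exit")
        if port in PROXY_PORTS:
            port_hits[(src, dst, port)] += 1
    for (src, dst, port), n in port_hits.items():
        if n >= min_hits:
            reasons[src].add(f"{n} connections to proxy port {port} on {dst}")
    return dict(reasons)

if __name__ == "__main__":
    for ip, why in analyse_inbound(INBOUND_LOG):
        print(f"inbound  {ip:15} {why}")
    for host, why in analyse_egress(EGRESS_LOG).items():
        print(f"egress   {host:15} {'; '.join(sorted(why))}")
```

The `min_hits` threshold is the kind of tuning a monitoring team does in practice: a single connection to port 8080 is common noise, while a host that keeps returning to the same proxy port is worth a ticket.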
3. Explain the concept of phishing as a cybercrime technique, outline strategies for
educating and protecting individuals against phishing attacks, and identify common red
flags that can help identify phishing attempts.

Phishing refers to fraudulent attempts to steal sensitive information like login credentials,
credit card details, or personal data. Attackers craft deceptive emails, text messages, or
websites that mimic legitimate entities, such as banks, social media platforms, or even
trusted friends. These messages often create a sense of urgency or exploit curiosity to lure
victims into clicking malicious links or divulging sensitive information.
• Crafting the Bait: Attackers design emails, text messages, or websites that closely
resemble those of trusted sources. They might use logos, branding, and language
familiar to the target audience to instill a sense of legitimacy.
• Hooking the Victim: The message typically employs urgency, fear, or curiosity to
entice the victim into clicking a malicious link or downloading an infected
attachment. Common tactics include:
• Spoofing sender addresses: Emails appear to come from trusted entities
like banks or online accounts.
• Creating fake urgency: Messages warn of account closure, identity
theft, or other immediate threats to pressure quick action.
• Offering irresistible deals: Emails or texts lure victims with promises of
discounts, prizes, or exclusive offers.
• Reeling in the Catch: Once the victim clicks the malicious link or attachment, they
might be directed to a fake website that looks like the real one. Here, they're tricked
into entering their login credentials, credit card information, or other sensitive
data. Alternatively, the attachment might install malware on their device, allowing
attackers to steal data or gain unauthorized access.
Types of Phishing Attacks:
Phishing attacks come in various forms, each targeting different vulnerabilities:
• Email Phishing: The most common type, using fraudulent emails disguised as
legitimate sources.
• Smishing: Phishing attempts via text messages, often mimicking delivery alerts or
bank notifications.
• Vishing: Phishing through phone calls, impersonating customer service
representatives or government officials.
• Whaling: Targeted attacks aimed at high-profile individuals or executives, often
involving elaborate social engineering tactics.
Protecting Yourself from Phishing:
• Think before you click: Hover over links to see the actual destination URL before
clicking. Be wary of unexpected attachments, even from seemingly familiar
senders.
• Verify sender information: Scrutinize email addresses and phone numbers for
inconsistencies or typos. Don't rely solely on sender names displayed in messages.
• Beware of urgency and scare tactics: Legitimate entities rarely use threats or
pressure tactics in their communications.
• Double-check websites: Look for suspicious URLs, typos, or inconsistencies in
website design. If unsure, access websites directly through their official channels.
• Enable two-factor authentication: This adds an extra layer of security for your
online accounts, requiring additional verification beyond passwords.
• Keep software updated: Regularly update your operating system, browser, and
antivirus software to ensure they have the latest security patches.
• Report suspicious activity: If you suspect a phishing attempt, report it to the
relevant entity (e.g., bank, social media platform) and delete the message
immediately.
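The red flags above (spoofed sender, mismatched link destination, urgency language) can be checked mechanically, which is what mail gateways and user-reporting tools do. The following is an added example for this study guide, not code from the original document. The two sample messages, the brand-to-domain map and the urgency word list are constructed; a real filter would carry a much larger policy, but the checks themselves (display name versus address domain, Reply-To versus From, visible link text versus actual href, bare-IP links, scare words) are the ones the text describes.

```python
"""Scoring an e-mail for the phishing red flags listed in the text.

Added example for this study guide; not code from the original document.
Sample messages, BRANDS and URGENCY_WORDS are constructed.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: brand names as they appear in display names -> real domain.
BRANDS = {"example bank": "examplebank.com"}

URGENCY_WORDS = ("immediately", "within 24 hours", "account will be closed",
                 "suspended", "verify now", "urgent")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)
BARE_IP = re.compile(r"^\d+\.\d+\.\d+\.\d+$")

def registrable(host):
    """Crude brand domain: last two labels (examplebank.com from www.examplebank.com)."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""

def phishing_red_flags(msg):
    """msg: dict with 'from', 'reply_to' (may be None) and 'html'.
    Returns a list of red-flag descriptions; an empty list means none found."""
    flags = []
    name, addr = parseaddr(msg["from"])
    from_dom = registrable(addr.split("@")[-1])
    # 1. Display name invokes a known brand while the address belongs elsewhere.
    for brand, real_dom in BRANDS.items():
        if brand in name.lower() and from_dom != real_dom:
            flags.append(f"display name mentions {brand!r} but sender domain is {from_dom}")
    # 2. Reply-To points at a different domain than From.
    reply_to = msg.get("reply_to")
    if reply_to:
        rt_dom = registrable(parseaddr(reply_to)[1].split("@")[-1])
        if rt_dom != from_dom:
            flags.append(f"Reply-To domain {rt_dom} differs from sender domain {from_dom}")
    # 3. The 'hover over the link' check: shown destination vs real href.
    for href, text in ANCHOR_RE.findall(msg["html"]):
        href_host = urlparse(href).hostname or ""
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if LOOKS_LIKE_URL.match(shown):
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
            if registrable(shown_host) != registrable(href_host):
                flags.append(f"link text shows {shown_host} but points to {href_host}")
        if BARE_IP.match(href_host):
            flags.append(f"link points to a bare IP address {href_host}")
    # 4. Urgency and scare tactics in the body text.
    plain = re.sub(r"<[^>]+>", " ", msg["html"]).lower()
    hits = [w for w in URGENCY_WORDS if w in plain]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))
    return flags

# Constructed sample messages.
PHISH = {
    "from": '"Example Bank Security" <alerts@examplebank-login.net>',
    "reply_to": "helpdesk@mailbox-relay.example",
    "html": ('<p>Your account will be closed within 24 hours unless you '
             '<a href="http://examplebank.com.verify-login.net/session">'
             'https://www.examplebank.com/secure</a> verify now.</p>'),
}
LEGIT = {
    "from": '"Example Bank" <notices@examplebank.com>',
    "reply_to": None,
    "html": ('<p>Your monthly statement is available at '
             '<a href="https://www.examplebank.com/statements">'
             'www.examplebank.com/statements</a>.</p>'),
}

if __name__ == "__main__":
    for label, m in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_red_flags(m) or "no red flags")
```

The link check only compares hosts when the visible text itself looks like a URL; plain "click here" text has nothing to compare, which is exactly why the text advises hovering to read the real destination.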
4. How does password cracking contribute to cybercrime, what are the common
methods employed for password cracking, and what legal consequences do
individuals face if caught engaging in such activities?
Password cracking is a method used by cyber attackers to gain unauthorized access to
systems, accounts, or data by systematically attempting to guess or uncover passwords. It
involves using various techniques and tools to discover or decrypt passwords stored in a
system or transmitted over a network.
Methods of Password Cracking:
• Brute Force Attack: Involves systematically trying all possible combinations of
characters until the correct password is found. While effective, this method can be
time-consuming and resource-intensive.
• Dictionary Attack: Uses pre-generated lists of common passwords, words, phrases, or
permutations based on dictionaries or wordlists to guess passwords. These attacks are
more efficient than brute force and target commonly used passwords.
• Rainbow Table Attack: Utilizes precomputed tables of hashed passwords and their
corresponding plaintext forms. Attackers compare stolen hashed passwords with
entries in these tables to find matches.
• Hybrid Attack: Combines elements of dictionary attacks with alterations, such as
adding numbers or special characters to dictionary words, to increase the chances of
success.

Legal Consequences:
Individuals caught engaging in password cracking activities may face various legal
consequences, depending on the jurisdiction and the severity of their actions. Some
common legal repercussions include:
Unauthorized Access: Engaging in password cracking to gain unauthorized access to
computer systems or networks can lead to criminal charges related to unauthorized
access, computer trespass, or computer fraud.
Violation of Anti-Hacking Laws: Many countries have specific laws addressing
unauthorized access to computer systems. Individuals involved in password cracking
may be prosecuted under these anti-hacking statutes.
Data Breach Offenses: If password cracking is used to steal or compromise sensitive
data, individuals may face charges related to data breaches, identity theft, or
unauthorized acquisition of personal information.
Software Piracy: In cases where password cracking is used to circumvent software
licenses or access proprietary information, individuals may be charged with intellectual
property violations and software piracy.
Fines and Restitution: Individuals convicted of password cracking may be required
to pay fines as a form of punishment. Additionally, courts may order restitution to
compensate victims for any financial losses incurred due to the unauthorized access.
Imprisonment:
Jail or Prison Sentences: Depending on the severity of the offense and applicable
laws, individuals convicted of password cracking may face imprisonment. The length
of the sentence will vary based on factors such as the extent of the unauthorized access,
the value of the compromised data, and the presence of any aggravating factors.
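The dictionary and rainbow-table methods above only work when a stored hash can be matched against a table computed once in advance. The following is an added example for this study guide, not code from the original document, showing the storage-side defence: with an unsalted fast hash, a small precomputed table matches a weak password instantly, whereas with a per-user random salt and a slow key-derivation function (PBKDF2 here, via the standard library) no table helps and every guess costs a fresh computation. The wordlist and "leaked" hashes are constructed, and the iteration count is a deliberately low assumed value so the example runs quickly.

```python
"""Why salted, slow password hashing defeats precomputed-table cracking.

Added example for this study guide; not code from the original document.
WORDLIST, the leaked hashes and ITERATIONS are constructed/assumed values.
"""
import hashlib
import hmac
import os

WORDLIST = ["123456", "password", "letmein", "qwerty", "Tr0ub4dor&3"]  # constructed

# --- 1. Unsalted fast hash: a table computed once works against every victim --
def sha256_hex(pw):
    return hashlib.sha256(pw.encode()).hexdigest()

def build_lookup_table(words):
    """hash -> plaintext, precomputed once; this is what a rainbow table amounts to."""
    return {sha256_hex(w): w for w in words}

def lookup_unsalted(leaked_hashes, table):
    """One dictionary lookup per leaked hash: no per-victim work at all."""
    return {h: table[h] for h in leaked_hashes if h in table}

# --- 2. Salted slow hash: the defence --------------------------------------------
ITERATIONS = 50_000   # assumed demo value; production deployments use far more

def hash_password(pw, salt=None):
    """Return 'salt$derived_key' in hex; a fresh random salt per stored password."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()

def verify_password(pw, stored):
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)

def guesses_needed(stored, words):
    """Against a salted hash the only option is to try words one by one, each at
    full PBKDF2 cost. Returns (matched_word_or_None, computations_performed)."""
    for i, w in enumerate(words, 1):
        if verify_password(w, stored):
            return w, i
    return None, len(words)

if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    leaked = [sha256_hex("letmein"), sha256_hex("correct horse battery staple")]
    print("unsalted sha256, table lookup:", lookup_unsalted(leaked, table))
    s1, s2 = hash_password("letmein"), hash_password("letmein")
    print("same password, different stored values:", s1 != s2)
    print("salted pbkdf2, guesses needed:", guesses_needed(s1, WORDLIST))
```

Two users with the same password get different stored values, so a table keyed on the hash cannot be shared across accounts, and the iteration count sets the per-guess cost the defender is willing to pay.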

5. What best practices can individuals and organizations adopt to create and maintain
strong, secure passwords?
To create and maintain strong, secure passwords, individuals and organizations can
adopt the following best practices:

1. Use Complex Passwords:
• Create passwords that are at least 12 characters long.
• Include a mix of uppercase and lowercase letters, numbers, and special
characters.
2. Avoid Common Words and Patterns:
• Avoid using easily guessable information, such as names, birthdays, or
dictionary words.
• Steer clear of common patterns like "123456" or "password."
3. Unique Passwords for Each Account:
• Use different passwords for each online account to minimize the impact of a
security breach on multiple accounts.
4. Password Managers:
• Consider using a password manager to generate and store complex passwords
securely. This reduces the need to remember multiple passwords.
5. Regularly Update Passwords:
• Change passwords periodically, especially for critical accounts.
• Update passwords immediately if there's a security breach or suspicion of
unauthorized access.
6. Enable Multi-Factor Authentication (MFA):
• Implement MFA whenever possible to add an extra layer of security. This
usually involves receiving a code on a secondary device or using biometric
verification.
7. Beware of Phishing Attempts:
• Be cautious of phishing emails and messages that attempt to trick users into
revealing passwords. Verify the authenticity of requests before providing
login credentials.
8. Educate Users:
• Conduct cybersecurity awareness training to educate individuals about the
importance of strong passwords and the risks associated with weak ones.
9. Encrypt Passwords:
• Store passwords using strong encryption methods to protect them in case of a
security breach.
10. Monitor Account Activity:
• Regularly review account activity and be vigilant for any suspicious logins or
unauthorized access.
11. Establish Password Policies:
• Implement organization-wide password policies that specify requirements for
complexity, length, and how often passwords should be changed.
12. Regular Software Updates:
• Keep software, operating systems, and security tools up-to-date to patch
vulnerabilities that could be exploited to gain unauthorized access.
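Points 1, 2 and 11 above describe a password policy; the following is an added example for this study guide, not code from the original document, showing how such a policy is enforced at account creation or reset. It checks the minimum length, the four character classes, membership in a common-password list, the presence of personal data supplied by the caller, sequential runs such as "1234" or "abcd", and repeated characters. The common-password list is constructed and deliberately tiny; a real deployment would load a large breached-password list into the same check.

```python
"""Enforcing the password policy described in the text.

Added example for this study guide; not code from the original document.
COMMON_PASSWORDS is a constructed stand-in for a breached-password list.
"""
import re
import string

COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome1"}  # constructed

def has_sequence(s, run=4):
    """True if s contains `run` consecutive ascending or descending characters
    (e.g. 'abcd', '4321')."""
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False

def password_issues(pw, personal=(), min_len=12):
    """Return a list of policy violations; an empty list means the password passes.
    `personal` holds strings that must not appear (names, birth years, ...)."""
    issues = []
    if len(pw) < min_len:
        issues.append(f"shorter than {min_len} characters")
    classes = {
        "uppercase": any(c in string.ascii_uppercase for c in pw),
        "lowercase": any(c in string.ascii_lowercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        issues.append("missing character class(es): " + ", ".join(missing))
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        issues.append("appears in common-password list")
    for item in personal:
        if item and item.lower() in low:
            issues.append(f"contains personal data '{item}'")
    if has_sequence(low):
        issues.append("contains a sequential run like 1234 or abcd")
    if re.search(r"(.)\1{2,}", pw):
        issues.append("contains 3+ repeated characters")
    return issues

if __name__ == "__main__":
    for candidate in ("password", "Priya1998!!xx", "Abcd1234!xyz", "Tq8#mz!Rw2vL9p"):
        print(f"{candidate!r}: {password_issues(candidate, personal=('Priya', '1998')) or 'OK'}")
```

Returning every violation at once, rather than the first one found, lets the user fix the password in one attempt, which is also what keeps people from reaching for a trivially modified version of the rejected one.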
6. Explain the impact of keyloggers and spyware on digital security and privacy, and
outline the methods for detecting and removing these threats from individuals’ and
businesses’ systems.

Keyloggers are a type of spyware that records every keystroke entered on a keyboard,
including passwords, credit card numbers, and other sensitive information. They can be
installed on a computer system without the user’s knowledge and can be used to steal
confidential information.

Types of Keyloggers:
• Software Keyloggers: Installed as software on a computer or device, these log
keystrokes and activities, often covertly.
• Hardware Keyloggers: Physical devices inserted between the keyboard and the
computer, intercepting and recording keystrokes directly.
Spyware is a type of malicious software that secretly collects information about a user's
browsing habits, activities, and sensitive data. It can capture browsing history, passwords,
credit card details, and personal information.
Spyware often gets installed on a user's device through malicious email attachments,
infected websites, software downloads, or bundled with seemingly legitimate programs.
The impact of keyloggers and spyware on digital security and privacy:
Individual Threats: Stolen passwords can lead to identity theft, financial loss, and even
online harassment. Sensitive information captured by spyware can fuel blackmail, phishing
scams, and targeted attacks.
Organizational Risks: Businesses face data breaches, intellectual property theft, and
reputational damage if their systems fall prey to keyloggers or spyware. Sensitive customer
information, financial records, and internal communications can be compromised, costing
millions and eroding trust.
Proactive measures can keep individuals and organizations safe:
Individuals:
• Antivirus and anti-malware software: Keep them updated for real-time protection
against known threats.
• Strong passwords and two-factor authentication: Make it harder for stolen
credentials to be used.
• Suspicious behavior awareness: Be wary of unexpected software installations,
unusual system slowdowns, or unexplained pop-ups.
• Regular system scans: Conduct periodic anti-malware scans to detect hidden
threats.
Businesses:
• Endpoint security solutions: Invest in comprehensive solutions that monitor and
protect all devices within the network.
• Data encryption: Encrypt sensitive information at rest and in transit to render it
useless even if intercepted.
• Regular security audits: Proactively identify and address vulnerabilities before
attackers can exploit them.
• Employee training: Educate employees on cyber hygiene best practices to
minimize the risk of human error.

7. How can you categorize the various types of viruses and worms that present cyber
threats, describe their methods of propagation, and provide real-world instances of
viruses and worms that have resulted in substantial damage?

Viruses: A virus is a malicious program that attaches itself to another program and
replicates itself, spreading through various means like infected files, emails, or network
connections.
Characteristics:
• Parasitic: Relies on a host program to function and reproduce.
• Infectious: Spreads readily to other files and systems.
• Destructive: Can delete files, corrupt data, disrupt system performance, and even
steal information.
Types of Viruses
• File Infector Viruses: Attach to executable files, spreading when the file is run.
• Macro Viruses: Target macro-enabled applications like Microsoft Word or Excel.
• Boot Sector Viruses: Infect the boot sector of hard drives, affecting system
startup.
• Polymorphic Viruses: Constantly change their code to evade detection by
antivirus software.
Worm: A worm is a self-replicating malware program that spreads across
networks, exploiting vulnerabilities in operating systems or applications.
Characteristics:
• Independent: Unlike viruses, worms don't need a host program to function.
• Network-oriented: Spreads through network connections without user
interaction.
• Resource-intensive: Can consume bandwidth and system
resources, impacting performance.

Methods of propagation for viruses and worms include:
• Email Attachments: Viruses often spread through infected email attachments,
exploiting users who download or open the files.
• Removable Media: Worms may propagate through USB drives or other removable
media, spreading when the infected media is connected to other devices.
• Network Exploitation: Worms leverage vulnerabilities in network protocols to
self-replicate and infect other connected devices.
• Drive-by Downloads: Malicious code is automatically downloaded and executed
when a user visits an infected website.
Real-world instances of viruses and worms causing substantial damage include:
• Conficker (Worm): Detected in 2008, Conficker spread rapidly by exploiting
vulnerabilities in Windows systems, affecting millions of computers globally.
• Stuxnet (Worm): Discovered in 2010, Stuxnet targeted industrial systems,
particularly Iran's nuclear facilities, causing physical damage to centrifuges.
• Melissa (Macro Virus): Emerged in 1999, Melissa spread via infected Microsoft
Word documents, impacting email systems and causing widespread disruption.
• ILOVEYOU (Worm): Originating in 2000, ILOVEYOU spread through email and
infected millions of computers, causing significant data loss and system damage.
• WannaCry (Ransomware Worm): In 2017, WannaCry exploited a Windows
vulnerability, encrypting files on infected systems and demanding ransom
payments.

8. Differentiate between viruses and worms in the context of cyber threats, and what are
the methods for protecting yourself from viruses and worms?

Basis of Comparison | Virus | Worm
Definition | A malicious executable code attached to another executable file that can be harmless or can modify or delete data. | A form of malware that replicates itself and can spread to different computers via network.
Objective | Modify or delete data. | Consume system resources and slow down the system.
Host | Requires a host to spread. | Does not need a host to spread.
Harmful | More harmful. | Less harmful.
Detection and Protection | Antivirus software is used for protection against viruses. | Worms can be detected and removed by the antivirus and firewall.
Controlled by | Can't be controlled by remote. | Can be controlled by remote.
Execution | Executed via executable files. | Executed via weaknesses in the system.
Comes from | Generally, comes from shared or downloaded files. | Generally, comes from downloaded files or through a network connection.

Protecting Yourself from Viruses and Worms
• Antivirus Software: Install and regularly update antivirus software to detect and remove
malware.
• System Updates: Apply software and operating system updates promptly to patch security
vulnerabilities.
• Email Security: Be cautious about opening email attachments and clicking on suspicious
links.
• Firewall: Use a firewall to filter incoming and outgoing network traffic, blocking
unauthorized access.
• Backup Data: Regularly back up your important data to ensure you can recover it in case
of an attack.
• User Awareness: Train yourself and others to recognize suspicious behavior and avoid
potential malware traps.

9. Explain how cybercriminals utilize Trojan horses and backdoors to compromise
systems.
A trojan horse is a seemingly harmless program or file that conceals malicious
code, granting attackers access to your system once activated.
Characteristics:
• Masquerade: Masked as legitimate software, games, or documents.
• Delivery Methods: Downloaded from untrusted sources, attached to
emails, embedded in pirated software.
• Payload: Steals data, installs additional malware, disrupts system functions.
Types of Trojan Horses
• Ransomware Trojans: Encrypt your data and demand payment for decryption.
• Spyware Trojans: Monitor your online activity and steal sensitive information.
• Downloader Trojans: Download additional malware onto your system, escalating
the attack.
• Banking Trojans: Hijack online banking sessions and steal financial data.
• Botnet Trojans: Turn your device into a part of a botnet for coordinated
cyberattacks.
A backdoor is a secret entry point created by attackers to bypass security measures and
gain unauthorized access to a system.
Characteristics:
• Concealed Code: Often embedded within legitimate software or firmware.
• Remote Access: Allows attackers to remotely control the compromised system.
• Difficult Detection: Hidden deep within the system, evading conventional detection
methods.
How are Backdoors Installed?
• Software Vulnerabilities: Exploiting weaknesses in software or operating systems.
• Supply Chain Attacks: Compromising software development processes to infect
legitimate software.
• Physical Access: Tampering with hardware to install hidden backdoors.
• Social Engineering: Tricking users into installing software containing backdoors.
Protecting Yourself from Trojans and Backdoors
• Antivirus and Anti-Malware Software: Use reputable security software to detect
and remove malicious programs.
• System Updates: Apply software and operating system updates promptly to patch
security vulnerabilities.
• Email Security: Be cautious about opening email attachments and clicking on
suspicious links.
• Software Download Sources: Download software only from trusted and official
sources.
• Firewall: Use a firewall to filter incoming and outgoing network traffic, blocking
unauthorized access.
• Regular Monitoring: Monitor your system for unusual activity and investigate
any suspicious processes.
10. What is steganography, and how does it enable covert communication in
cybercrimes?
Steganography is a technique employed to conceal information within another message or
object, enabling covert communication while avoiding detection. It serves as a form of
secret communication that can hide various digital content, including text, images, videos,
or audio files. In cybersecurity, steganography is utilized to safeguard sensitive data, such
as passwords or confidential information, within seemingly innocuous files or messages.

Types of Steganography:
• Image Steganography: Concealing data within images.
• Text Steganography: Hiding information within text or documents.
• Audio Steganography: Concealing data within audio files.
How Steganography Works:
• Least Significant Bit (LSB) Modification: In digital images, altering the least
significant bit of each pixel allows the embedding of data without significantly
affecting the image's visual quality.
• Parity Encoding: Exploits redundancy in files like audio or video streams, hiding
data by modifying parity bits without impacting the file's functionality.
• Text-in-Whitespace: Extra spaces or tabs within text files can encode binary data.
Applications of Steganography:
• Cybersecurity: Used to protect sensitive information during transmission.
• Digital Watermarking: Involves embedding ownership information into digital
assets.
• Covert Communication: Enables secret communication in espionage or
intelligence operations; activists and journalists use steganography to securely
send sensitive information across monitored networks.
• Data Exfiltration: Hackers hide stolen data, such as financial records or
intellectual property, within image files, music tracks, or video streams, making
detection challenging for traditional security measures.
• Malware Delivery: Malicious code can be concealed within seemingly harmless
files, allowing attackers to bypass security software and infect systems.
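The LSB modification described above is simple enough to show end to end. The following is an added example for this study guide, not code from the original document: the "image" is a constructed bytearray of 8-bit greyscale pixel values (no image library is needed; the same routine applies per channel to RGB data), a 4-byte length header precedes the payload so the extractor knows where the hidden message ends, and two small measurements illustrate why the change is invisible to the eye (no pixel moves by more than 1) yet visible to simple steganalysis (the fraction of LSBs set to 1 in a smooth region jumps toward 0.5 once data is embedded).

```python
"""Least-significant-bit (LSB) embedding, extraction and a simple detection hint.

Added example for this study guide; not code from the original document.
COVER is a constructed greyscale pixel array; the length-header layout is assumed.
"""

def embed_lsb(pixels, payload):
    """Return a copy of `pixels` with `payload` hidden in the least significant bits.
    Layout: 32-bit big-endian length, then the payload bytes, one bit per pixel."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError(f"payload needs {len(bits)} pixels, cover has {len(pixels)}")
    out = bytearray(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit      # overwrite only bit 0
    return out

def extract_lsb(pixels):
    """Read the length header from the first 32 LSBs, then that many bytes."""
    def read_bytes(start, n):
        buf = bytearray()
        for b in range(n):
            value = 0
            for i in range(8):
                value = (value << 1) | (pixels[start + b * 8 + i] & 1)
            buf.append(value)
        return bytes(buf)
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)

def max_pixel_change(cover, stego):
    """Largest per-pixel difference; LSB embedding changes each pixel by at most 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))

def lsb_ones_ratio(pixels, n=None):
    """Fraction of LSBs equal to 1 over the first n pixels. In a smooth region of a
    real image this is far from 0.5; a region pinned near 0.5 is a steganalysis hint."""
    sample = pixels[:n] if n else pixels
    return sum(p & 1 for p in sample) / len(sample)

# Constructed cover: 2000 pixels of a smooth gradient with all-even values, so
# every untouched LSB is 0 and the effect of embedding is easy to measure.
COVER = bytearray((i // 10) * 2 % 256 for i in range(2000))

if __name__ == "__main__":
    secret = b"meet at dawn"                      # constructed payload
    stego = embed_lsb(COVER, secret)
    print("recovered:", extract_lsb(stego))
    print("max pixel change:", max_pixel_change(COVER, stego))
    print("LSB ones ratio, cover vs stego region:",
          lsb_ones_ratio(COVER), round(lsb_ones_ratio(stego, 32 + 8 * len(secret)), 3))
```

The capacity limit is one payload bit per pixel (minus the 32-bit header), which is why the embedder refuses a payload that does not fit rather than silently truncating it.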

11. How does session hijacking endanger online security, and what techniques are used
in session hijacking attacks?
In the digital world, a session is a temporary connection between your device and a server,
often identified by a unique token (like a cookie or session ID) that verifies you're the
authorized user. Session hijacking is the act of stealing that token and using it to
impersonate you, taking control of your active session and potentially gaining access to
your data, accounts, or resources.
Types of session hijacking:
• Cookie hijacking: Attackers steal your session cookies through various means, like
phishing emails, malware, or sniffing unprotected Wi-Fi networks. With the
cookie, they can impersonate you on the websites that issued it.
• Session sniffing: Hackers use packet sniffing tools to capture network traffic and
steal session IDs or other sensitive information transmitted between your device
and the server.
• Man-in-the-middle attack: Attackers intercept communication between your
device and the server, eavesdropping and potentially modifying data, including
stealing your session token.
• Session sidejacking: Hackers exploit vulnerabilities in browser extensions or
website scripts to steal or manipulate session data stored on your device's local
storage.
Impacts of session hijacking:
• Identity theft: Attackers can gain access to your personal information, financial
data, and even medical records.
• Financial fraud: They can steal your money by transferring funds from your bank
account or making unauthorized purchases with your credit card.
• Data breach: They can steal sensitive data from your organization, such as
customer information or trade secrets.
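Because the whole attack rests on the token, the server-side controls are about making tokens unguessable, short-lived and hard to capture. The following is an added example for this study guide, not code from the original document (it models a generic server-side session store, not any particular framework's API): tokens are random, kept only in a server-side store, rotated at login so a token observed before authentication is worthless afterwards, expired after an idle timeout, and sent with the Secure, HttpOnly and SameSite cookie attributes so browsers will not expose them to page scripts or to plain-HTTP sniffing. The idle timeout is an assumed policy value, and the clock is injected so the expiry behaviour can be exercised deterministically.

```python
"""Server-side session handling that limits what a stolen token is worth.

Added example for this study guide; not code from the original document.
IDLE_TIMEOUT is an assumed policy value; the store design is illustrative.
"""
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60   # seconds of inactivity before a session dies (assumed)

class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}            # token -> {"user": str|None, "last_seen": float}

    def create(self, user=None):
        token = secrets.token_urlsafe(32)     # 256 random bits: not guessable
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def lookup(self, token):
        """Return the session's user (None when anonymous); raise if invalid or expired."""
        sess = self._sessions.get(token)
        if sess is None:
            raise PermissionError("unknown session token")
        if self._clock() - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]
            raise PermissionError("session expired")
        sess["last_seen"] = self._clock()
        return sess["user"]

    def login(self, old_token, user):
        """Rotate the identifier when privilege changes: the pre-login token, which an
        eavesdropper or a fixation attempt may already know, stops working."""
        self.lookup(old_token)                # must be a live session to begin with
        del self._sessions[old_token]
        return self.create(user)

    def logout(self, token):
        """Invalidate server-side; clearing the browser cookie alone is not enough."""
        self._sessions.pop(token, None)

def session_cookie_header(token):
    """Render the Set-Cookie header with the hardening attributes."""
    c = SimpleCookie()
    c["sid"] = token
    c["sid"]["secure"] = True        # sent only over HTTPS: defeats plain Wi-Fi sniffing
    c["sid"]["httponly"] = True      # invisible to document.cookie and injected scripts
    c["sid"]["samesite"] = "Strict"  # not attached to cross-site requests
    c["sid"]["path"] = "/"
    return c.output(header="Set-Cookie:")

if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    authed = store.login(anon, "alice")
    print("rotated at login:", anon != authed)
    print(session_cookie_header(authed))
```

Keeping session state on the server (rather than in a self-describing cookie) is what makes logout and rotation real: a captured token can be killed instantly because the server, not the browser, decides what it means.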
12. Describe how DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks
impact online services and infrastructure. What are the key differences between
these two types of attacks?
Denial of Service (DoS) Attack:
Source: A single system (e.g., a compromised computer) floods the target server with
requests.
Impact: Slowdown, resource exhaustion, and potential crashes of the target server, making
it unavailable to legitimate users.
Example: Bombarding a website with requests until it can't respond to real users.
A DoS attack can be carried out in various ways, such as:
• Ping of death: Sending oversized data packets to crash the system.
• SYN flood: Overwhelming the target with connection requests it can't handle.
• Smurf attack: Exploiting vulnerabilities in internet-connected devices to amplify
the attack.
Distributed Denial of Service (DDoS) Attack:
Source: Many compromised systems (called a botnet) simultaneously attack the target
server from varied locations.
Impact: More powerful and disruptive than DoS attacks. Can quickly overwhelm target
servers with massive traffic, leading to complete outages and infrastructure damage.
Example: A hacker uses a network of infected computers to send a flood of data to a bank's
online banking system, making it inaccessible to customers.
Difference Between DoS and DDoS Attacks:
• DoS comes from a single source, while DDoS involves multiple distributed
sources.
• DoS attacks are less intense and easier to mitigate, while DDoS attacks are often
faster, more powerful, and harder to stop.
• DoS attacks are easier to trace and block due to their single source, while DDoS
attacks are often harder to pinpoint due to their distributed nature.
• Both DoS and DDoS attacks can have significant financial and reputational
consequences for organizations.
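The single-source versus distributed distinction above is exactly what a monitoring rule for the SYN flood mentioned earlier has to make, because the response differs (block one address versus rate-limit or scrub a whole target). The following is an added example for this study guide, not code from the original document: it counts bare SYN packets per target inside a sliding time window and, when the count exceeds a threshold, classifies the flood by how many distinct sources produced it. The log format, thresholds and addresses are constructed; the same logic is what a NetFlow or IDS rule applies to real traffic.

```python
"""Telling a single-source SYN flood (DoS) from a distributed one (DDoS) in
connection logs.

Added example for this study guide; not code from the original document.
Log format, thresholds and addresses are constructed.
"""
from collections import defaultdict

def parse(line):
    """'t=<sec> src=<ip> dst=<ip> flags=<S|A|SA>' -> (t, src, dst, flags)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return float(fields["t"]), fields["src"], fields["dst"], fields["flags"]

def classify_floods(lines, window=10.0, syn_threshold=50, distributed_min_sources=10):
    """Return {dst: (kind, syn_count, distinct_sources)} for every target whose
    bare-SYN count within some `window`-second span exceeds `syn_threshold`.
    kind is 'ddos' when at least `distributed_min_sources` addresses took part."""
    by_dst = defaultdict(list)
    for line in lines:
        t, src, dst, flags = parse(line)
        if "S" in flags and "A" not in flags:        # bare SYN: no ACK bit set
            by_dst[dst].append((t, src))
    verdicts = {}
    for dst, events in by_dst.items():
        events.sort()
        start = 0
        for end in range(len(events)):             # sliding window over time
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count > syn_threshold:
                sources = {s for _, s in events[start:end + 1]}
                kind = "ddos" if len(sources) >= distributed_min_sources else "dos"
                prev = verdicts.get(dst)
                if prev is None or count > prev[1]:  # keep the worst window
                    verdicts[dst] = (kind, count, len(sources))
    return verdicts

def synthetic_log():
    """Constructed traffic: normal handshakes to 10.0.0.1, one host hammering
    10.0.0.2 with SYNs, and 40 bot addresses hammering 10.0.0.3."""
    lines = []
    for i in range(30):                                    # legitimate: SYN then ACK
        lines.append(f"t={i*0.5:.1f} src=192.0.2.{i%5+1} dst=10.0.0.1 flags=S")
        lines.append(f"t={i*0.5+0.1:.1f} src=192.0.2.{i%5+1} dst=10.0.0.1 flags=A")
    for i in range(200):                                   # DoS: single source
        lines.append(f"t={i*0.02:.2f} src=198.51.100.9 dst=10.0.0.2 flags=S")
    for i in range(400):                                   # DDoS: 40 sources
        lines.append(f"t={i*0.01:.2f} src=203.0.113.{i%40+1} dst=10.0.0.3 flags=S")
    return lines

if __name__ == "__main__":
    for dst, (kind, n, srcs) in classify_floods(synthetic_log()).items():
        print(f"{dst}: {kind.upper()} ({n} SYNs from {srcs} source(s))")
```

The thresholds are the tunable part: they must sit above the busiest legitimate handshake rate the service sees, otherwise the detector itself becomes a way to make the site block its own customers.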

13. Describe the role of user inputs in SQL Injection attacks and how attackers exploit
vulnerabilities in input handling mechanisms.
SQL Injection is a cyberattack where malicious SQL code is injected into a web
application's input fields, intending to manipulate the underlying database and gain
unauthorized access to sensitive data. The process involves several steps:
Identifying a Vulnerable Input Field: Attackers search for input fields in a web
application that accept user input, such as login forms or search bars.
Injecting Malicious SQL Code: Malicious SQL statements are carefully crafted and
inserted into the identified input fields instead of the expected data.
Unintentional Code Execution: The application, unknowingly, processes the input as part
of a SQL query, executing the attacker's code along with it.
Gaining Unauthorized Access or Control: If successful, the attacker can achieve various
objectives, including retrieving sensitive data, modifying or deleting records, and
executing arbitrary commands on the database server.
Example of SQL Injection Attack:
• Consider a login form whose SQL query is built directly from the submitted fields:
SELECT * FROM users WHERE username = '$username' AND password = '$password'
• In the username field, an attacker enters:
' OR '1'='1' --
• The query transforms into:
SELECT * FROM users WHERE username = '' OR '1'='1' --' AND password = '$password'
The '--' comments out the rest of the query, making the password irrelevant, and the attacker
gains access without knowing the actual password.
Prevention Measures:
• Input validation and sanitization: Thoroughly check and clean all user input
before using it in SQL queries.
• Parameterized queries: Use prepared statements to prevent attackers from altering
query structure.
• Database permissions: Enforce least privilege principles to limit database access.
• Regular security testing: Scan for vulnerabilities and address them promptly.
• Secure coding practices: Follow best practices to prevent common coding
mistakes that lead to SQLi vulnerabilities.
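The login query from the example above, built the vulnerable way and the parameterized way side by side, as an added example for this study guide (not code from the original document). It uses an in-memory SQLite database with a constructed users table; the injected input is the one shown in the text. Passwords are stored in plaintext purely to keep the demonstration short, which is not how a real application should store them.

```python
"""The login query from the text, built two ways: string concatenation
(vulnerable) and a parameterized query (safe).

Added example for this study guide; not code from the original document.
The users table and its rows are constructed.
"""
import sqlite3

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret-pass"), ("bob", "hunter2")])   # constructed rows
    return conn

def login_vulnerable(conn, username, password):
    """Input is pasted into the SQL text, so quote characters in it change the
    structure of the query rather than being treated as data."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(conn, username, password):
    """Placeholders send the values separately from the SQL text; the database
    compares the whole input string to the column, quotes and all."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

# The input from the text: closes the string, adds an always-true condition,
# and comments out the password check.
INJECTION = "' OR '1'='1' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, real credentials :", login_vulnerable(db, "alice", "s3cret-pass"))
    print("vulnerable, injected username:", login_vulnerable(db, INJECTION, "anything"))
    print("parameterized, injected      :", login_parameterized(db, INJECTION, "anything"))
    print("parameterized, real          :", login_parameterized(db, "bob", "hunter2"))
```

Note that the vulnerable version returns the first row in the table, whichever user that is, which is why such a bypass so often lands the attacker in an administrative account that was created first. Combining the parameterized query with a database account that has only SELECT on the users table (the least-privilege point above) limits what even a different injection flaw could do.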
14. Explain what a buffer overflow is in the context of cyber security and how it can be
exploited by attackers.
Buffer Overflow is a cybersecurity vulnerability that occurs when a program or process
tries to store more data in a buffer (temporary storage area) than it was intended to hold.
This extra data can overflow into adjacent memory locations, corrupting or overwriting
data, altering the program's behavior, and potentially allowing attackers to execute
malicious code.
Buffer Overflow attacks:
• Crash the program: Overwriting code with garbage data can make the program
malfunction and crash.
• Execute arbitrary code: The attacker's code can hijack program
execution, launching malware or stealing sensitive information.
• Modify program behavior: By manipulating data, the attacker can alter how the
program works, potentially gaining unauthorized access.
Types of Buffer Overflows:
• Stack-based overflows: These exploit the program's call stack, a temporary
storage area used for function calls. Overwriting the stack can alter return
addresses, sending the program execution flow to the attacker's code.
• Heap-based overflows: These target the heap, a dynamic memory allocation
area. Overflowing the heap can overwrite data structures and program
logic, enabling attackers to manipulate the program's behavior.
Developers can implement various techniques to prevent buffer overflows:
• Input validation: Checking and limiting the size and format of user input can
prevent malicious code from being injected.
• Safe coding practices: Using secure coding languages and libraries can minimize
vulnerabilities.
• Bounds checking: Implementing mechanisms to ensure data stays within allocated
buffer boundaries.
• Address space layout randomization (ASLR): Randomizing the location of
memory segments makes it harder for attackers to predict where their code will land
after an overflow.
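The stack-based case above, where bytes written past a local buffer land on the saved return address, can be made concrete with a small model. The following is an added example for this study guide, not code from the original document. Python is itself memory-safe, so the stack frame is modelled explicitly as one bytearray: a 16-byte local buffer immediately followed by an 8-byte saved return address, a layout assumed for illustration of how a C function's frame might be arranged. `copy_unchecked` behaves like an unbounded C string copy and keeps writing past the buffer; `copy_checked` is the bounds-checking mitigation from the list and rejects input that does not fit.

```python
"""A toy model of a stack-based overflow and of the bounds check that stops it.

Added example for this study guide; not code from the original document.
The frame layout (16-byte buffer, then 8-byte return address) is assumed.
"""
BUF_SIZE = 16
RET_SIZE = 8

class Frame:
    """Local buffer and saved return address living side by side in memory."""
    def __init__(self, return_addr):
        self.mem = bytearray(BUF_SIZE) + return_addr.to_bytes(RET_SIZE, "little")

    @property
    def buffer(self):
        return bytes(self.mem[:BUF_SIZE])

    @property
    def return_addr(self):
        return int.from_bytes(self.mem[BUF_SIZE:BUF_SIZE + RET_SIZE], "little")

def copy_unchecked(frame, data):
    """strcpy-style copy: writes every byte with no regard for the buffer's size.
    Anything beyond the 16th byte lands on the saved return address."""
    n = min(len(data), len(frame.mem))        # the model's memory simply ends here
    frame.mem[:n] = data[:n]
    return frame

def copy_checked(frame, data):
    """Bounds-checked copy: refuse oversized input outright instead of
    truncating silently (silent truncation hides bugs of its own)."""
    if len(data) > BUF_SIZE:
        raise ValueError(f"input of {len(data)} bytes exceeds {BUF_SIZE}-byte buffer")
    frame.mem[:len(data)] = data
    return frame

def run_demo():
    """Return (original, after_unchecked_copy, after_checked_copy) return addresses."""
    original = 0x401000                        # constructed 'legitimate' return address
    overlong = b"A" * 16 + bytes([0x10, 0x20, 0x30, 0x40, 0, 0, 0, 0])   # 24 bytes
    f = copy_unchecked(Frame(original), overlong)
    g = Frame(original)
    try:
        copy_checked(g, overlong)
    except ValueError as err:
        print("checked copy refused:", err)
    return original, f.return_addr, g.return_addr

if __name__ == "__main__":
    orig, hijacked, safe = run_demo()
    print(f"original 0x{orig:x}, after unchecked copy 0x{hijacked:x}, after checked copy 0x{safe:x}")
```

In the unchecked case the last eight input bytes become the return address, read little-endian, which is the mechanism the text describes; the checked version leaves the frame untouched. ASLR, also listed above, attacks the same problem from the other side by making the overwritten value hard to choose usefully.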
15. Describe the role of ports in networking and how port scanning helps attackers
identify potential entry points in a target system.

In computer networking, ports are communication endpoints that enable different services
or applications to connect and exchange data. Ports are an essential part of the TCP/IP
networking model, facilitating the proper routing and delivery of data between devices.
Well-Known Ports (0-1023): Reserved for system services and commonly used
applications (e.g., HTTP on port 80, HTTPS on port 443).
Port scanning is a reconnaissance technique used by attackers to discover open ports on a
target system. By identifying open ports, attackers gain valuable information about the
services running on a system and potentially exploit vulnerabilities associated with those
services. The process involves sending connection requests to a range of ports and
analyzing the responses to determine which ports are actively listening for incoming
connections.
Types of Port Scanning:
• TCP SYN Scanning: This common technique sends a synchronization (SYN)
packet to each port and analyzes the response. An open port will respond with a
SYN-ACK packet, revealing its presence.
• UDP Scanning: This technique sends UDP packets to various ports and monitors
for responses. While less stealthy than TCP SYN scanning, it can be useful for
identifying open UDP ports used by certain services.
• Ping Sweep: This technique sends ping packets to different IP addresses within a
network range and analyzes the responses. Identifying responding hosts can
potentially reveal open ports on those systems.
Staying Safe from Port Scanning:
• Minimize open ports: Only keep essential ports open and close unused ones to
reduce attacker opportunities.
• Run secure services: Regularly update software and services running on open
ports to mitigate known vulnerabilities.
• Implement network security measures: Firewalls and intrusion
detection/prevention systems can help filter suspicious traffic and alert
administrators to potential scanning attempts.
