
Department of Computer Science & Engineering

Regulation-R18
A.Y: 2022-23 Sem-I

UNIT-III
III Year CSE
Subject: Fundamentals of Cyber Security
(18MC0CS02)
Prepared by
Mr. P. HARI SHANKAR,
Assistant Professor - CSE.
Fundamentals of Cyber Security
UNIT-III
• Cyber Law – The Legal Perspectives: Introduction, Cybercrime and the
Legal Landscape around the World, Why do we need cyberlaws: the
Indian context, the Indian IT Act.
• Cyber Forensics: Introduction, historical background of cyber forensics,
digital forensics science, the need for computer forensics, cyber
forensics and digital evidence, digital forensics lifecycle, challenges in
computer forensics.

Mr. P. HARI SHANKAR, Assistant Professor, CSE, GNITC


UNIT-III Cyber Law: Introduction
🠶 Cybercrime is the largest illegal industry.
🠶 Cybercrime involves massive, coordinated attacks against the information infrastructure of
a country.

Figure: Paradigm for Cyber Security.

🠶 Cybercrime was broken into two categories and defined as:
🠶 1. Cybercrime in a restrictive sense (computer crime): This refers to any illegal
behavior carried out by means of electronic methods that targets the security of
computer systems and the data processed by them. This can be considered the narrow
definition of the term cybercrime.
🠶 2. Cybercrime in a general sense (computer-related crime): This refers to any illegal
behavior committed by means of, or in relation to, a computer system or network,
including such crimes as illegal possession, and offering or distributing information by
means of a computer system or network. This can be considered the broader definition of
the term cybercrime.

🠶 These definitions are complicated by the fact that an act may be illegal in one nation but not
in another.
🠶 There are more concrete examples, including:
1. Unauthorized access to a computer;
2. Causing damage to computer data or programs;
3. An act of computer sabotage;
4. Doing unauthorized interception of communications;
5. Carrying out computer espionage.

🠶 In reference to the above-mentioned term unauthorized access, note that the law considers
computer trespass to be a crime. For example, according to Sections 18.2–152.4 of Virginia
State Criminal Law, computer trespass is deemed to have occurred when any person uses a
computer or computer network without authority and with the intent to:
🠶 1. Temporarily or permanently remove computer data, computer programs or computer
software from a computer or computer network;
🠶 2. cause a computer to malfunction regardless of how long the malfunction persists;
🠶 3. alter or erase any computer data, computer programs or computer software;
🠶 4. effect the creation or alteration of a financial instrument or of an electronic transfer of
funds;
🠶 5. cause physical injury to the property of another; or make or cause to be made an
unauthorized copy, in any form, including, but not limited to, any printed or electronic form
of computer data, computer programs or computer software residing in, communicated by
or produced by a computer or computer network shall be guilty of the crime of computer
trespass which shall be punishable as a Class 1 misdemeanor.

UNIT-III Cyber Law: Cybercrime and the Legal Landscape around the World
🠶 Crime or an offense is “a legal wrong that can be followed by criminal proceedings which
may result into punishment”.
🠶 The hallmark of criminality is that it is a breach of the criminal law.
🠶 A Broad View on Cybercrime Law Scenario in the Asia-Pacific Region
🠶 Online Safety and Cybercrime Laws: Detailed Perspective on the Current Asia-Pacific
Scenario
🠶 Anti-Spam Laws in Canada
🠶 Cybercrime and Federal Laws in the US
🠶 The EU Legal Framework for Information Privacy to Prevent Cybercrime
🠶 Cybercrime Legislation in the African Region

🠶 A Broad View on Cybercrime Law Scenario in the Asia-Pacific Region
🠶 Only a few countries of the Asia-Pacific region have appropriate legal and regulatory
frameworks to meet these challenges.
🠶 Even where awareness is growing and where legislation may be adequate, capacity to use
information security technologies and related procedures as well as to protect against,
detect and respond effectively to cybercrime, and to assist other countries, is low.
🠶 As a result, published cybercrime reports may represent only a small fraction of their
incidence, and there is a need for more accurate estimates of the prevalence of cybercrime.

🠶 Online Safety and Cybercrime Laws: Detailed Perspective on the Current Asia-Pacific
Scenario
🠶 In the privacy arena, there are numerous regional norms, such as the Asia-Pacific Economic
Co-operation (APEC) Privacy Framework and the EU’s Data Protection Directive, but an
international consensus on the best approach to data protection regulation has not yet been
reached. However, the CoE’s Convention on Cybercrime serves as the benchmark legislation.
🠶 There are nine principles to the APEC Privacy Framework:
🠶 1. Preventing harm;
🠶 2. integrity of personal information;
🠶 3. notice;
🠶 4. security safeguards;
🠶 5. collection limitations;
🠶 6. access and correction;
🠶 7. uses of personal information;
🠶 8. accountability;
🠶 9. choice.
🠶 Anti-Spam Laws in Canada
🠶 In early 2009, the Canadian Government tabled anti-Spam legislation, Bill C-27, The Electronic
Commerce Protection Act, to address Spam, counterfeit websites and Spyware.
🠶 The proposed legislation also brings amendment to Canada’s Personal Information Protection and
Electronic Documents Act (PIPEDA) which covers online privacy in detail and contains many
provisions relevant to E-Mail marketing.
🠶 Basically, PIPEDA is based on the FIPs (Fair Information Practices):
🠶 1. Principle 1 – Accountability
🠶 2. Principle 2 – Identifying purposes
🠶 3. Principle 3 – Consent
🠶 4. Principle 4 – Limiting collection
🠶 5. Principle 5 – Limiting use, disclosure and retention
🠶 6. Principle 6 – Accuracy
🠶 7. Principle 7 – Safeguards
🠶 8. Principle 8 – Openness
🠶 9. Principle 9 – Individual access
🠶 10. Principle 10 – Challenging compliance
🠶 There are two laws currently being discussed in Canadian legislative assemblies:
🠶 1. Senate Bill S-220:
🠶 The bill was introduced by Senator Yoine Goldstein in early February 2009.
🠶 It is slated to become the Anti-Spam Act. It is a private member’s bill with private right of action and criminal
remedies.

🠶 2. Parliamentary Bill C-27:
🠶 The bill was tabled by the government in April 2009, with private right of action, coordination between various
enforcement agencies, civil remedies.
🠶 The Electronic Commerce Protection Act (ECPA) (aka: Bill C-27) is an Anti-Spam Act that covers E-Mail
communications, unauthorized installed applications and the alteration of data during transmission between
senders and recipients.
🠶 The bill forbids anyone from installing a program on a computer that could send an electronic message without
the consent of the owner or user.

🠶 Cybercrime and Federal Laws in the US
🠶 On 15 September 2008, the US House of Representatives approved the bill H.R. 5938.
🠶 The amendment, as part of Senate Bill S. 2168, was meant to expand the ability of the
Federal Government to prosecute identity theft and to allow victims to seek
compensation for the victims’ efforts (time and money) spent on trying to restore their credit.
🠶 The legislation was signed by President George W. Bush. It had provisions for a fine as well
as imprisonment of up to 5 years for Spyware.
🠶 Florida Computer Crimes Act (1988 version) and a summary of the penalties
🠶 The Act specifies the following types of crimes:
🠶 1. Offenses against intellectual property;
🠶 2. offenses against computer equipment or supplies;
🠶 3. offenses against computer users.

🠶 The EU Legal Framework for Information Privacy to Prevent Cybercrime
🠶 The EU is an economic and political union of 27 member states, located primarily in Europe.
🠶 Readers can visit the link to understand the EU member countries. Also see Box 6.7 to know
the names of EU member countries.
🠶 The EU data protection legal framework addresses the principles for information management
(fairness, consent, transparency, purpose specification, data retention, security and access).

🠶 The EU Legal Framework for Information Privacy to Prevent Cybercrime
🠶 In the EU, cybercrime law is primarily based on the CoE’s Convention on Cybercrime (November 2001).
🠶 Under the convention, member states are obliged to criminalize:
🠶 1. Illegal access to a computer system;
🠶 2. Illegal interception of data to a computer system;
🠶 3. Interfering with a computer system without rights and intentional
interference with computer data without rights;
🠶 4. The use of inauthentic data with intent to put it across as authentic (data forgery);
🠶 5. Infringement of copyright-related rights online;
🠶 6. Interference with data or functioning of a computer system;
🠶 7. Child pornography-related offenses: possession, distribution, procuring or producing
of child pornography.
🠶 Cybercrime Legislation in the African Region
🠶 There is a common agreement that the African regions are in dire need of legislation to fight
cybercrime.
🠶 Africa is witnessing explosive growth in ICTs.
🠶 With this growth, however, cybercrime has also become a reality in this part of the world
too.
🠶 African countries, mostly because of inadequate action and controls to protect computers
and networks, are targets of attack.
🠶 A great deal of criminal activity is said to take place from this part of the world.


UNIT-III Cyber Law: Why do we need Cyberlaws: the Indian context
🠶 Cyberlaw is a framework created to give legal recognition to all risks arising out of the usage
of computers and computer networks.
🠶 Under the purview of cyberlaw, there are several aspects, such as intellectual property,
data protection and privacy, freedom of expression and crimes committed using
computers.
🠶 The Indian Parliament passed its first cyberlaw, the ITA 2000, aimed at providing the legal
infrastructure for E-Commerce in India.
🠶 ITA 2000 received the assent of the President of India and it has now become the law of the
land in India.
🠶 The Government of India felt the need to enact relevant cyberlaws to regulate Internet-based
computer related transactions in India.
🠶 It manages all aspects, issues, legal consequences and conflict in the world of cyberspace,
Internet or WWW.
🠶 In the Preamble to the Indian ITA 2000, it is mentioned that it is an act to provide legal
recognition for transactions carried out by means of electronic data interchange and other
means of electronic communication, commonly referred to as electronic commerce.
🠶 The reasons for enactment of cyberlaws in India are summarized below:
🠶 1. Although India possesses a very well-defined legal system, covering all possible situations
and cases that have occurred or might take place in future, the country lacks in many
aspects when it comes to newly developed Internet technology. It is essential to address this
gap through a suitable law given the increasing use of Internet and other computer
technologies in India.
🠶 2. There is a need to have some legal recognition to the Internet as it is one of the most
dominating sources of carrying out business in today’s world.
🠶 3. With the growth of the Internet, a new concept called cyberterrorism came into existence.
Cyberterrorism includes the use of disruptive activities with the intention to further social,
ideological, religious, political or similar objectives, or to intimidate any person in
furtherance of such objectives in the world of cyberspace. It actually is about committing an
old offense but in an innovative way.
🠶 Keeping all these factors into consideration, Indian Parliament passed the Information
Technology Bill on 17 May 2000, known as the ITA 2000.
🠶 This law is based on the UNCITRAL Model Law on E-Commerce.
UNIT-III Cyber Law: The Indian IT Act
🠶 Cybercrimes and Other Related Crimes Punishable under Indian Laws
🠶 1. Under Section 65 of Indian Copyright Act any person who knowingly makes, or has in
his/her possession, any plate for the purpose of making infringing copies of any work in
which Copyright subsists is punishable with imprisonment which may extend to 2 years
with fine.
🠶 2. Sending pornographic or obscene E-Mails is punishable under Section 67 of the IT Act.
🠶 • An offense under this section is punishable on first conviction with imprisonment for a term, which may
extend to 5 years, and with a fine, which may extend to 1 lakh rupees (Rs.1,00,000).
🠶 • In the event of a second or subsequent conviction, the recommended punishment is imprisonment for a term,
which may extend to 10 years, and also a fine which may extend to 2 lakh rupees (Rs.2,00,000).

🠶 3. E-Mails that are defamatory in nature are punishable under Section 500 of the Indian
Penal Code (IPC), which recommends imprisonment of up to 2 years, or a fine, or both.
🠶 4. Threatening E-Mails are punishable under the provisions of the IPC pertaining to criminal
intimidation, insult and annoyance (CHAPTER XXII) and extortion (CHAPTER XVII).
🠶 5. E-Mail spoofing is covered under the provisions of the IPC with regard to fraud, cheating by
personation (CHAPTER XVII) and forgery (CHAPTER XVIII).
🠶 Weak Areas of the ITA 2000
🠶 As mentioned before, there are limitations too in the IT Act; those are mainly due to the
following gray areas:
🠶 1. The ITA 2000 is likely to cause a conflict of jurisdiction.
🠶 2. E-Commerce is based on the system of domain names. The ITA 2000 does not even touch
the issues relating to domain names. Domain names have not been defined and the rights
and liabilities of domain name owners do not find any mention in the law. The law does not
address the rights and liabilities of domain name holders.
🠶 3. The ITA 2000 does not deal with issues concerning the protection of Intellectual Property
Rights (IPR) in the context of the online environment. Contentious yet very important issues
concerning online copyrights, trademarks and patents have been left untouched by the law,
thereby leaving many loopholes. Thus, the law lacks “Proper Intellectual Property Protection
for Electronic Information and Data” – the law misses out the issue of IPR, and makes no
provisions whatsoever for copyrighting, trade marking or patenting of electronic information
and data. However, the corresponding provisions are available under the Indian Copyright
Act.
🠶 4. As the cyberlaw is evolving, so are the new forms and manifestations of cybercrimes. The
offenses defined in the ITA 2000 are by no means exhaustive. However, the drafting of the
relevant provisions of the ITA 2000 makes it appear as if the offenses detailed therein are
the only cyberoffenses possible and existing. The ITA 2000 does not cover various kinds of
cybercrimes and Internet-related crimes.
🠶 These include:
🠶 • Theft of Internet hours;
🠶 • cybertheft;
🠶 • cyberstalking;
🠶 • cyberharassment;
🠶 • cyberdefamation;
🠶 • cyberfraud;
🠶 • misuse of credit card numbers;
🠶 • chat room abuse;
🠶 • cybersquatting (not addressed directly).
🠶 5. The ITA 2000 has not tackled vital issues pertaining to the E-Commerce sphere, such as privacy
and content regulation, to name a few.
🠶 6. The Information Technology Act is not explicit about regulation of Electronic Payments,
and avoids applicability of IT Act to Negotiable Instruments. The Information Technology Act
stays silent over the regulation of electronic payments gateway and rather segregates the
negotiable instruments from the applicability of the IT Act. This may have a major effect on
the growth of E-Commerce in India.
🠶 This has led to tendencies of banking and financial sectors being irresolute in their stands.
🠶 7. IT Act does not touch upon antitrust issues.
🠶 8. The most serious concern about the Indian Cyberlaw relates to its implementation. The
ITA 2000 does not lay down parameters for its implementation. Also, when Internet
penetration in India is extremely low and government and police officials, in general, are not
very computer savvy, the new Indian cyberlaw raises more questions than it answers. It
seems that the Parliament would be required to amend the ITA 2000 to remove the gray
areas mentioned above.
UNIT-III Cyber Forensics: Introduction
🠶 Cyberforensics plays a key role in the investigation of cybercrime. “Evidence” in the case of
“cyberoffenses” is extremely important from a legal perspective.
🠶 There are legal aspects involved in the investigation as well as handling of the digital
forensics evidence.
🠶 Only technically trained and experienced experts should be involved in the forensics
activities.

UNIT-III Cyber Forensics: Historical background of Cyber Forensics
🠶 A computer is either the subject or the object of a cybercrime, or is used as a tool to commit a
cybercrime.
🠶 The earliest recorded computer crimes occurred in 1969 and 1970 when student protestors
burned computers at various universities.
🠶 Around the same time, people were discovering methods for gaining unauthorized access to
large time-shared computers.
🠶 Computer intrusion and fraud committed with the help of computers were the first crimes
to be widely recognized as a new type of crime.

🠶 The Florida Computer Crimes Act was the first computer crime law to address computer
fraud and intrusion. It was enacted in Florida in 1978.
🠶 “Forensics evidence” is important in the investigation of cybercrimes.
🠶 Computer forensics is primarily concerned with the systematic “identification,”
“acquisition”, “preservation” and “analysis” of digital evidence, typically after an
unauthorized access to computer or unauthorized use of computer has taken place; while
the main focus of “computer security” is the prevention of unauthorized access to computer
systems as well as maintaining “confidentiality”, “integrity” and “availability” of computer
systems.

🠶 There are two categories of computer crime: one is the criminal activity that involves using a
computer to commit a crime, and the other is a criminal activity that has a computer as a
target.
🠶 Forensics means a “characteristic of evidence” that satisfies its suitability for admission as
fact and its ability to persuade based upon proof (or high statistical confidence level).
🠶 The goal of digital forensics is to determine the “evidential value” of crime scene and related
evidence.
🠶 The roles and contributions of the digital forensics/computer forensics experts are almost
parallel to those of forensics scientists in other crimes, namely, analysis of
evidence, provision of expert testimony, and furnishing training in the proper recognition,
collection and preservation of the evidence.

UNIT-III Cyber Forensics: Digital Forensics Science
🠶 Digital forensics is the application of analysis techniques to the reliable and unbiased
collection, analysis, interpretation and presentation of digital evidence.
🠶 There are a number of slightly varying definitions.
🠶 The term computer forensics, however, is generally considered to be related to the use of
analytical and investigative techniques to identify, collect, examine and preserve
evidence/information which is magnetically stored or encoded.

🠶 The objective of “cyberforensics” is to provide digital evidence of a specific or general activity.
Following are two more definitions worth considering:
🠶 1. Computer forensics:
🠶 It is the lawful and ethical seizure, acquisition, analysis, reporting and safeguarding of
data and metadata derived from digital devices which may contain information that is
notable and perhaps of evidentiary value to the trier of fact in managerial,
administrative, civil and criminal investigations.
🠶 In other words, it is the collection of techniques and tools used to find evidence in a
computer.
🠶 2. Digital forensics: It is the use of scientifically derived and proven methods toward the
preservation, collection, validation, identification, analysis, interpretation, documentation
and presentation of digital evidence derived from digital sources for the purpose of
facilitating or furthering the reconstruction of events found to be criminal, or helping to
anticipate unauthorized actions shown to be disruptive to planned operations.

🠶 In general, the role of digital forensics is to:
1. Uncover and document evidence and leads.
2. Corroborate evidence discovered in other ways.
3. Assist in showing a pattern of events (data mining has an application here).
4. Connect attack and victim computers.
5. Reveal an end-to-end path of events leading to a compromise attempt, successful or not.
6. Extract data that may be hidden, deleted or otherwise not directly available.

🠶 The typical scenarios involved are:
1. Employee Internet abuse;
2. data leak/data breach – unauthorized disclosure of corporate information and data (accidental
and intentional);
3. industrial espionage (corporate “spying” activities);
4. damage assessment (following an incident);
5. criminal fraud and deception cases;
6. criminal cases (many criminals simply store information on computers, intentionally or
unwittingly) and countless others;
7. copyright violation.
🠶 Using digital forensics techniques, one can:
1. Corroborate and clarify evidence otherwise discovered.
2. Generate investigative leads for follow-up and verification in other ways.
3. Provide help to verify an intrusion hypothesis.
4. Eliminate incorrect assumptions.
🠶 Figure shows the kind of data you “see” using forensics tools.

UNIT-III Cyber Forensics: The need for Computer Forensics
🠶 The convergence of Information and Communications Technology (ICT) advances and the
pervasive use of computers worldwide together have brought about many advantages to
mankind.
🠶 At the same time, the tremendously high technical capacity of modern
computers/computing devices provides avenues for misuse as well as opportunities for
committing crime.
🠶 This has led to new risks for computer users and also increased opportunities for social
harm.
🠶 The users, businesses and organizations worldwide have to live with a constant threat from
hackers who use a variety of techniques and tools to break into computer systems, steal
information, change data and cause havoc.
🠶 The widespread use of computer forensics is the result of two factors:
1. The increasing dependence of law enforcement on digital evidence;
2. the ubiquity of computers that followed from the microcomputer revolution.

🠶 The media on which clues related to cybercrime reside would vary from case to case.
🠶 There are many challenges for the forensics investigator because storage devices are getting
miniaturized due to advances in electronic technology;
🠶 for example, external storage devices such as mini hard disks (pen drives) are available in
amazing shapes.

🠶 Computer forensics services include the following:
1. Data culling and targeting;
2. Discovery/subpoena process;
3. Production of evidence;
4. Expert affidavit support;
5. Criminal/civil testimony;
6. Cell phone forensics;
7. PDA forensics.

🠶 Specific client requests for forensics evidence extracting solution support include:
1. Index of files on hard drive;
2. Index of recovered files;
3. MS Office/user generated document extraction;
4. Unique E-Mail address extraction;
5. Internet activity/history;
6. Storage of forensics image for 1 year (additional charges then apply);
7. Keywords search;
8. Chain of custody;
9. Mail indexing;
10. Deleted file/folder recovery;
11. Office document recovery;
12. Metadata indexing;
13. Conversion to PDF;
14. Log extraction;
15. Imessaging history recovery;
16. Password recovery;
17. Format for forensics extracts (DVD, CD, HDD, other);
18. Network acquisitions.
🠶 Chain of custody means the chronological documentation trail, etc. that indicates the
seizure, custody, control, transfer, analysis and disposition of evidence, physical or
electronic.
🠶 “Fungibility” means the extent to which the components of an operation or product can be
interchanged with similar components without decreasing the value of the operation or
product.
🠶 Chain of custody is also used in most evidence situations to maintain the integrity of the
evidence by providing documentation of the control, transfer and analysis of evidence.
🠶 Chain of custody is particularly important in situations where sampling can identify the
existence of contamination and can be used to identify the responsible party.
🠶 The purpose behind recording the chain of custody is to establish that the alleged
evidence is, indeed, related to the alleged crime, that is, the purpose is to establish the
integrity of the evidence.
🠶 In the context of conventional crimes, establishing “chain of custody” is especially important
when the evidence consists of fungible goods.
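The chain-of-custody trail defined above, together with the evidence-collection guidelines later in this unit on dated notes, UTC versus local timestamps and minimising changes to the data, can be made concrete as a small ledger. This is an added example written for these notes, not code from the slides or the textbook; the case id, custodian names and the sample evidence file are constructed.

```python
"""Chain-of-custody ledger for one piece of digital evidence.

Added example, not from the lecture slides: the evidence file is hashed
(SHA-256) at seizure, and every later custody event (transfer, analysis,
disposition) re-hashes it and records whether it still matches, so any
change to the evidence between custody events is detected.  Each entry
carries the same instant as UTC and as local time with its offset, as the
collection guideline on timestamps recommends.  All names are this
example's own.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import Tuple


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks; a read-only open is the only access made."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def timestamps() -> dict:
    """Return one instant as UTC (ISO 8601) and as local time with its offset."""
    now_utc = datetime.now(timezone.utc)
    now_local = now_utc.astimezone()
    return {
        "utc": now_utc.isoformat(timespec="seconds"),
        "local": now_local.isoformat(timespec="seconds"),
        "utc_offset_minutes": int(now_local.utcoffset().total_seconds() // 60),
    }


class CustodyLedger:
    """Chronological trail: seizure, custody, transfer, analysis, disposition."""

    def __init__(self, case_id: str, evidence_path: str, seized_by: str):
        self.case_id = case_id
        self.evidence_path = evidence_path
        self.seizure_hash = sha256_file(evidence_path)  # reference value
        self.entries = []
        self.record("seizure", seized_by, "acquired and hashed at seizure")

    def record(self, action: str, custodian: str, note: str = "") -> dict:
        """Append an entry; the evidence is re-hashed and compared each time."""
        current = sha256_file(self.evidence_path)
        entry = {
            "seq": len(self.entries) + 1,
            "action": action,
            "custodian": custodian,
            "note": note,
            "sha256": current,
            "matches_seizure_hash": current == self.seizure_hash,
            **timestamps(),
        }
        self.entries.append(entry)
        return entry

    def integrity_intact(self) -> bool:
        """True only if every custody event saw the evidence unchanged."""
        return all(e["matches_seizure_hash"] for e in self.entries)

    def to_json(self) -> str:
        """Serialise the trail so it can be signed, dated and filed."""
        return json.dumps(
            {"case_id": self.case_id, "seizure_sha256": self.seizure_hash,
             "entries": self.entries},
            indent=2,
        )


def demo() -> Tuple[bool, bool]:
    """Run the ledger over a constructed evidence file.

    Returns (intact_before_tamper, intact_after_tamper).
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pendrive.img")
        with open(path, "wb") as f:
            f.write(b"constructed sample evidence image\n" * 1024)  # constructed
        ledger = CustodyLedger("CASE-0001", path, "examiner A")
        ledger.record("transfer", "examiner B", "handed over to lab")
        ledger.record("analysis", "examiner B", "keyword search on read-only copy")
        intact_before = ledger.integrity_intact()
        # Simulate an improper modification between two custody events.
        with open(path, "ab") as f:
            f.write(b"\x00")
        ledger.record("analysis", "examiner C", "second review")
        intact_after = ledger.integrity_intact()
        return intact_before, intact_after


if __name__ == "__main__":
    print(demo())
```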

UNIT-III Cyber Forensics: Cyber Forensics and Digital Evidence
🠶 Cyberforensics can be divided into two domains:
🠶 1. Computer forensics;
🠶 2. network forensics.

🠶 Network forensics is the study of network traffic to search for truth in civil, criminal and
administrative matters to protect users and resources from exploitation, invasion of privacy
and any other crime fostered by the continual expansion of network connectivity.

🠶 There are many forms of cybercrimes:
🠶 sexual harassment cases – memos, letters, E-Mails or obscene chats;
🠶 embezzlement cases – spreadsheets, memos, letters, E-Mails, online banking information;
🠶 corporate espionage by way of memos, letters, E-Mails and chats;
🠶 and frauds through memos, letters, spreadsheets and E-Mails.
🠶 In case of computer crimes/cybercrimes, computer forensics helps.
🠶 Computer forensics experts know the techniques to retrieve the data from files listed in
standard directory search, hidden files, deleted files, deleted E-Mail and passwords, login
IDs, encrypted files, hidden partitions, etc.
🠶 Typically, the evidence resides on computer systems, user created files, user protected files,
computer created files and on computer networks.

🠶 Computer systems have the following:
🠶 1. Logical file system that consists of
🠶 • File system: It includes files, volumes, directories and folders, file allocation tables (FAT)
as in the older versions of the Windows Operating System, clusters, partitions, sectors.
🠶 • Random access memory.
🠶 • Physical storage media: magnetic force microscopy can be used to recover
data from overwritten areas.
🠶 (a) Slack space: It is space allocated to the file but not actually used due to internal fragmentation; and
🠶 (b) unallocated space.

🠶 2. User created files: It consists of address books, audio/video files, calendars, database
files, spreadsheets, E-Mails, Internet bookmarks, documents and text files.
🠶 3. Computer created files: It consists of backups, cookies, configuration files, history files,
log files, swap files, system files, temporary files, etc.
🠶 4. Computer networks: It consists of the Application Layer, the Transportation Layer, the
Network Layer, the Datalink Layer.
🠶 The Rules of Evidence
🠶 “Evidence” means and includes:
1. All statements which the court permits or requires to be made before it by witnesses, in
relation to matters of fact under inquiry; these are called oral evidence.
2. All documents that are produced for the inspection of the court; these are called documentary
evidence.

🠶 With paper evidence, the process is clear and intuitively obvious. Digital evidence by its very
nature is invisible to the eye. Therefore, the evidence must be developed using tools other
than the human eye.

🠶 There are a number of contexts involved in actually identifying a piece of digital evidence:
🠶 1. Physical context: It must be definable in its physical form, that is, it should reside on a
specific piece of media.
🠶 2. Logical context: It must be identifiable as to its logical position, that is, where does it reside
relative to the file system.
🠶 3. Legal context: We must place the evidence in the correct context to read its meaning. This
may require looking at the evidence as machine language, for example, American
Standard Code for Information Interchange (ASCII).

🠶 Following are some guidelines for the (digital) evidence collection phase:
🠶 1. Adhere to your site's security policy and engage the appropriate incident handling and law enforcement personnel.
🠶 2. Capture a picture of the system as accurately as possible.
🠶 3. Keep detailed notes with dates and times. If possible, generate an automatic transcript (e.g., on Unix systems the "script" program can be used; however, the output file it generates must not be written to media that is part of the evidence). Notes and printouts should be signed and dated.
🠶 4. Note the difference between the system clock and Coordinated Universal Time (UTC). For each timestamp provided, indicate whether UTC or local time is used (since 1972 over 40 countries throughout the world have adopted UTC as their official time source).
🠶 5. Be prepared to testify (perhaps years later) outlining all actions you took and at what times. Detailed notes will be vital.
🠶 6. Minimize changes to the data as you are collecting it. This is not limited to content changes; avoid updating file or directory access times (mount images read-only and use a write blocker for physical media).
🠶 7. Remove external avenues for change (e.g., disconnect the network so that a remote party cannot alter or wipe the system while you work).
🠶 8. When confronted with a choice between collection and analysis, do the collection first and the analysis later.
🠶 9. Needless to say, your procedures should be implementable. As with any aspect of an incident response policy, procedures should be tested to ensure feasibility, particularly in a crisis. If possible, procedures should be automated for reasons of speed and accuracy. Being methodical always helps.
🠶 10. For each device, adopt a systematic approach that follows the guidelines laid down in your collection procedure. Speed will often be critical; therefore, where there are a number of devices requiring examination, it may be appropriate to spread the work among your team to collect the evidence in parallel. However, on a single given system, collection should be done step by step.

🠶 11. Proceed from the volatile to the less volatile; the order of volatility is as follows:
🠶 • registers and cache (most volatile: contents are lost as soon as the power is turned off);
🠶 • routing table, Address Resolution Protocol (ARP) cache, process table, kernel statistics, memory;
🠶 • temporary file systems;
🠶 • disk;
🠶 • remote logging and monitoring data that is relevant to the system in question;
🠶 • physical configuration and network topology;
🠶 • archival media (least volatile: holds data even after the power is turned off).
🠶 12. Make a bit-level copy of the system's media and record its cryptographic hash. If you wish to do forensic analysis, make a second bit-level copy from the evidence copy and work on that, because analysis will almost certainly alter file access times. Avoid doing forensics on the evidence copy; re-hash it whenever you need to show that it is unchanged.
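As an added example (not part of the original slides or the textbook they follow), the following Python script carries out guidelines 3, 4 and 12 above on a constructed 1 MiB file standing in for a raw partition: it takes a bit-level evidence copy, hashes the source stream and the copy, derives a separate working copy from the evidence copy, and stamps every note in UTC together with the examiner's clock offset. The file names, the sample content and the choice of SHA-256 are assumptions made for the demonstration; a real acquisition would read the block device through a write blocker.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 1 << 20  # read and write in 1 MiB blocks, as `dd bs=1M` would

# Constructed 1 MiB stand-in for a raw partition (not real evidence).
SAMPLE_CONTENT = bytes(range(256)) * 4096


def utc_now() -> str:
    """Guideline 4: every note is stamped in UTC, never in ambiguous local time."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def clock_offset_seconds() -> int:
    """Offset of the examiner's local clock from UTC, recorded once so that
    timestamps in the notes and on the system can be reconciled later."""
    return int(datetime.now().astimezone().utcoffset().total_seconds())


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def bit_level_copy(src: str, dst: str) -> str:
    """Block-by-block copy of src to dst. The source stream is hashed as it is
    read, so the original is read exactly once; returns that hash."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(BLOCK), b""):
            h.update(chunk)
            fout.write(chunk)
    return h.hexdigest()


def acquire(device: str, evidence_copy: str, working_copy: str, notes: list) -> dict:
    """Guideline 12: evidence copy from the device, working copy from the
    evidence copy, each verified by re-hashing. Appends timestamped notes and
    returns a manifest for the chain-of-custody record."""
    def note(msg: str) -> None:
        notes.append(f"{utc_now()} {msg}")

    note(f"examiner clock offset from UTC: {clock_offset_seconds()} s")
    note(f"bit-level acquisition of {device} started")
    source_hash = bit_level_copy(device, evidence_copy)
    evidence_hash = sha256_file(evidence_copy)      # re-read the copy from disk
    note(f"evidence copy {evidence_copy} sha256={evidence_hash}")
    if evidence_hash != source_hash:
        raise RuntimeError("evidence copy does not match the source stream")
    bit_level_copy(evidence_copy, working_copy)
    working_hash = sha256_file(working_copy)
    note(f"working copy {working_copy} sha256={working_hash}")
    return {
        "device": device,
        "source_sha256": source_hash,
        "evidence_sha256": evidence_hash,
        "working_sha256": working_hash,
        "verified": source_hash == evidence_hash == working_hash,
        "acquired_at_utc": utc_now(),
        "clock_offset_s": clock_offset_seconds(),
    }


def verify(path: str, expected_sha256: str) -> bool:
    """Re-hash a copy and compare it with the value recorded at acquisition."""
    return sha256_file(path) == expected_sha256


def demo() -> dict:
    """Run the procedure on the constructed device file in a temporary directory,
    then change one byte of the working copy (standing in for the side effects
    of analysis) to show that verification flags the working copy while the
    untouched evidence copy still matches its recorded hash."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "sdb1.raw")
        evidence = os.path.join(tmp, "case001-sdb1.dd")
        working = os.path.join(tmp, "case001-sdb1-work.dd")
        with open(device, "wb") as f:
            f.write(SAMPLE_CONTENT)
        notes: list = []
        manifest = acquire(device, evidence, working, notes)
        with open(working, "r+b") as f:
            f.write(b"\xff")                            # byte 0 was 0x00
        manifest["working_still_matches"] = verify(working, manifest["evidence_sha256"])
        manifest["evidence_still_matches"] = verify(evidence, manifest["evidence_sha256"])
        manifest["notes"] = notes
        return manifest


if __name__ == "__main__":
    for line in demo()["notes"]:
        print(line)
```

The notes list and the manifest are what goes into the case log: the hash recorded at acquisition is what a later re-hash of the evidence copy is compared against, and the deliberately altered working copy shows why analysis is never done on the evidence copy itself.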

UNIT-III Cyber Forensics: Digital Forensics Lifecycle
🠶 The cardinal rules to remember are that evidence must be:

1. admissible;
2. authentic;
3. complete;
4. reliable;
5. understandable and believable.

🠶 The Digital Forensics Process (figure on the original slide; not reproduced in this text)

🠶 The Phases in Computer Forensics/Digital Forensics
🠶 The forensics life cycle involves the following phases:
1. Preparation and identification;
2. collection and recording;
3. storing and transporting;
4. examination/investigation;
5. analysis, interpretation and attribution;
6. reporting;
7. testifying.

🠶 To mention very briefly, the process involves the following activities:
1. Prepare: case briefings, engagement terms, interrogatories, spoliation prevention, disclosure and discovery planning, discovery requests.
2. Record: drive imaging, indexing, profiling, search plans, cost estimates, risk analysis.
3. Investigate: triage images, data recovery, keyword searches, hidden data review, communicate, iterate.
4. Report: oral vs. written, relevant document production, search statistic reports, chain of custody reporting, case log reporting.
5. Testify: testimony preparation, presentation preparation, testimony.

🠶 Preparing for the Evidence and Identifying the Evidence
🠶 Collecting and Recording Digital Evidence
🠶 Storing and Transporting Digital Evidence
🠶 Examining/Investigating Digital Evidence
🠶 Analysis, Interpretation and Attribution
🠶 Reporting
🠶 Testifying

🠶 Precautions to be Taken when Collecting Electronic Evidence (figures on the original slides; not reproduced in this text)
UNIT-III Cyber Forensics: Challenges in Computer Forensics
🠶 Technical Challenges: Understanding the Raw Data and its Structure
🠶 The Legal Challenges in Computer Forensics and Data Privacy Issues

🠶 Technical Challenges: Understanding the Raw Data and its Structure
🠶 There are two aspects of the technical challenges faced in a digital forensics investigation: the "complexity" problem and the "quantity" problem.
🠶 A digital forensics investigator often faces the complexity problem because acquired data is typically in its lowest and most raw format (a stream of bytes from a disk image or a network capture).
🠶 Non-technical people may find such a format too difficult to understand. To resolve the complexity problem, tools are used: they translate the data through one or more "layers of abstraction" until it can be understood.
🠶 For example, to view the contents of a directory from a file system image, tools process the file system structures so that the appropriate values are displayed.
🠶 The data that represents the files in a directory exists in formats that are too low level to identify without the assistance of tools.
🠶 The quantity problem is the sheer volume of data that has to be examined; data reduction techniques exist to cut it down to what is worth a human's attention.

🠶 The directory is a layer of abstraction in the file system. Examples of non-file-system layers of abstraction include:
🠶 1. ASCII;
🠶 2. HTML files;
🠶 3. the Windows Registry;
🠶 4. network packets;
🠶 5. source code.
🠶 Abstraction layers are also used for data reduction, which addresses the quantity problem; for example:
1. identifying known network packets using IDS signatures;
2. identifying unknown entries during log processing;
3. identifying known files using hash databases (e.g., filtering out files whose hashes match a reference set of standard operating system and application files);
4. sorting files by their type (determined from content signatures rather than from the file extension, which a suspect can rename at will).
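As an added example (not part of the original slides), the following Python script applies two of the data-reduction techniques just listed: it drops files whose SHA-256 is in a "known" hash set and groups what remains by content type taken from the leading bytes, flagging files whose extension disagrees with their content. The file contents and the known-hash set are constructed for the demonstration; a real case would use a reference database such as NSRL and a much larger signature table, neither of which is modelled here.

```python
import hashlib

# Leading bytes -> content type (a small subset of what a real signature
# database knows; the list order matters only where prefixes overlap).
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\x7fELF", "elf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"MZ", "pe"),
]

# What the file extension claims the content type should be.
EXT_TYPE = {"png": "png", "pdf": "pdf", "zip": "zip", "jpg": "jpeg", "jpeg": "jpeg",
            "exe": "pe", "dll": "pe", "txt": "text"}


def content_type(data: bytes) -> str:
    """Classify by signature first; printable-only data counts as text."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    if data and all(b in (9, 10, 13) or 32 <= b < 127 for b in data):
        return "text"
    return "unknown"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def reduce_files(files: dict, known_hashes: set) -> dict:
    """Drop files whose hash is in the known set, group the rest by content
    type and flag files whose extension disagrees with their magic bytes."""
    by_type, mismatched, filtered = {}, [], []
    for name, data in files.items():
        if sha256(data) in known_hashes:
            filtered.append(name)          # known file: nothing to examine
            continue
        kind = content_type(data)
        by_type.setdefault(kind, []).append(name)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXT_TYPE and EXT_TYPE[ext] != kind:
            mismatched.append(name)        # e.g. an executable renamed to .jpg
    return {"filtered_known": sorted(filtered), "by_type": by_type,
            "extension_mismatch": mismatched}


# Constructed sample files (contents invented for the demo).
SAMPLE_FILES = {
    "readme.txt": b"This is the vendor README. Nothing to see here.\n",
    "tool.exe": b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00",
    "invoice.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n",
    "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"payload",
    "backup.zip": b"PK\x03\x04\x14\x00\x00\x00" + b"\x00" * 16,
}

# A hash set standing in for a reference database of known vendor files.
KNOWN_GOOD = {sha256(SAMPLE_FILES["readme.txt"]), sha256(SAMPLE_FILES["tool.exe"])}


def demo() -> dict:
    return reduce_files(SAMPLE_FILES, KNOWN_GOOD)


if __name__ == "__main__":
    print(demo())
```

On the constructed set, two of five files are removed as known, and the renamed executable hiding behind a .jpg extension surfaces immediately because the type comes from the bytes rather than the name.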
🠶 For example, consider examining a disk with a FAT file system.
🠶 The FAT file system has seven layers of abstraction. The first layer uses just the partition image as input, assuming that the acquisition was done of the raw partition using a tool such as the UNIX "dd" tool.
🠶 This layer uses the defined Boot Sector structure and extracts the size and location values. Examples of extracted values include:
🠶 1. starting location of the FAT;
🠶 2. size of each FAT;
🠶 3. number of FATs;
🠶 4. number of sectors per cluster;
🠶 5. location of the Root Directory.

🠶 The abstraction layers of the FAT file system are as follows:
🠶 1. Layer 0: raw file system image;
🠶 2. Layer 1: file system image and values from the Boot Sector and the FAT entry size;
🠶 3. Layer 2: FAT area and Data area;
🠶 4. Layer 3: starting cluster, FAT entries;
🠶 5. Layer 4: clusters, raw cluster content and content type;
🠶 6. Layer 5: formatted cluster content;
🠶 7. Layer 6: list of clusters.
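As an added example (not part of the original slides), the following Python script walks these layers on a constructed FAT image: it extracts the five boot sector values named above (Layer 1), derives the FAT area, root directory and data area offsets (Layer 2), follows the FAT chain from a file's starting cluster to its list of clusters (Layers 3 and 6), and reassembles the file from raw cluster content (Layers 4 and 5), separating the file's bytes from the slack space at the end of its last cluster, the "slack space" described earlier in the unit. The image is a 12-sector toy built in memory, and the 16-bit FAT entry width (FAT16 layout) is an assumption made for the demonstration; a real volume this small would be FAT12, and a real tool would also check the cluster count to pick the entry width.

```python
import struct

END_OF_CHAIN = 0xFFF8   # 16-bit FAT entries >= 0xFFF8 terminate a chain
BAD_CLUSTER = 0xFFF7    # marker for a cluster the file system has retired


def build_image() -> bytes:
    """Layer 0: constructed 12-sector image (boot sector, two FATs, one root
    directory sector, eight one-sector data clusters) holding EVIDENCE.TXT,
    1100 bytes in clusters 2, 3 and 5. Cluster 4 belongs to something else and
    the unused tail of cluster 5 still carries old data (slack)."""
    bps, spc, reserved, nfats, root_entries, spf = 512, 1, 1, 2, 16, 1
    total = reserved + nfats * spf + 1 + 8
    img = bytearray(total * bps)
    img[0:11] = b"\xEB\x3C\x90MSWIN4.1"                 # jump + OEM name
    struct.pack_into("<HBHBHHBH", img, 11, bps, spc, reserved, nfats,
                     root_entries, total, 0xF8, spf)     # BPB fields
    img[510:512] = b"\x55\xAA"
    fat = struct.pack("<10H", 0xFFF8, 0xFFFF, 3, 5, 0xFFFF, 0xFFFF, 0, 0, 0, 0)
    for i in range(nfats):                               # primary FAT and backup
        off = (reserved + i * spf) * bps
        img[off:off + len(fat)] = fat
    root = (reserved + nfats * spf) * bps
    img[root:root + 32] = (b"EVIDENCETXT" + b"\x20"       # name, attr = archive
                           + bytes(14) + struct.pack("<HI", 2, 1100))
    data = root + root_entries * 32
    payload = b"A" * 512 + b"B" * 512 + b"C" * 76
    for n, chunk in zip((2, 3, 5), (payload[:512], payload[512:1024], payload[1024:])):
        off = data + (n - 2) * spc * bps
        img[off:off + len(chunk)] = chunk
    img[data + 2 * bps:data + 2 * bps + 5] = b"OTHER"    # cluster 4, another file
    tail = data + 3 * bps + 76                           # slack of cluster 5
    img[tail:tail + 20] = b"DELETED-REMNANT-DATA"
    return bytes(img)


def parse_boot_sector(img: bytes) -> dict:
    """Layers 1 and 2: pull the size/location values out of the boot sector and
    derive where the FAT area, the root directory and the data area start."""
    if img[510:512] != b"\x55\xAA":
        raise ValueError("no 0x55AA signature: not a FAT boot sector")
    (bps, spc, reserved, nfats, root_entries,
     _total, _media, spf) = struct.unpack_from("<HBHBHHBH", img, 11)
    fat_start = reserved * bps
    root_start = fat_start + nfats * spf * bps
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "number_of_fats": nfats, "fat_size": spf * bps, "fat_start": fat_start,
            "root_dir_start": root_start, "data_start": root_start + root_entries * 32}


def fat_entry(img: bytes, geo: dict, n: int, which: int = 0) -> int:
    """Layer 3: the FAT entry for cluster n, from the primary or a backup FAT."""
    off = geo["fat_start"] + which * geo["fat_size"] + 2 * n
    return struct.unpack_from("<H", img, off)[0]


def cluster_chain(img: bytes, geo: dict, start: int) -> list:
    """Layer 6: follow FAT entries from the starting cluster to the list of
    clusters. Loops and bad-cluster markers are reported, not followed."""
    chain, n, seen = [], start, set()
    while 2 <= n < END_OF_CHAIN:
        if n == BAD_CLUSTER or n in seen:
            raise ValueError(f"corrupt chain at cluster {n}")
        seen.add(n)
        chain.append(n)
        n = fat_entry(img, geo, n)
    return chain


def cluster_bytes(img: bytes, geo: dict, n: int) -> bytes:
    """Layer 4: raw content of data cluster n (numbering starts at 2)."""
    size = geo["sectors_per_cluster"] * geo["bytes_per_sector"]
    off = geo["data_start"] + (n - 2) * size
    return img[off:off + size]


def read_root_dir(img: bytes, geo: dict) -> dict:
    """Parse 32-byte root directory entries into name -> (first cluster, size)."""
    files = {}
    for off in range(geo["root_dir_start"], geo["data_start"], 32):
        e = img[off:off + 32]
        if e[0] == 0x00:
            break                               # no further entries
        if e[0] == 0xE5 or e[11] & 0x08:
            continue                            # deleted entry or volume label
        name = e[:8].decode("ascii").rstrip() + "." + e[8:11].decode("ascii").rstrip()
        files[name] = struct.unpack_from("<HI", e, 26)
    return files


def recover_file(img: bytes, geo: dict, name: str) -> tuple:
    """Layer 5: reassemble a file from its cluster list and split off the slack
    space at the end of its last cluster. Returns (chain, content, slack)."""
    first, size = read_root_dir(img, geo)[name]
    chain = cluster_chain(img, geo, first)
    raw = b"".join(cluster_bytes(img, geo, n) for n in chain)
    return chain, raw[:size], raw[size:]


if __name__ == "__main__":
    geo = parse_boot_sector(build_image())
    chain, content, slack = recover_file(build_image(), geo, "EVIDENCE.TXT")
    print(geo, chain, len(content), slack[:20])
```

The 436 bytes returned as slack are exactly what a file-level copy would never show: the file system reports the file as 1100 bytes, but the cluster it ends in still carries the earlier occupant's data, which is why imaging is done at the bit level rather than by copying files.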

🠶 The Legal Challenges in Computer Forensics and Data Privacy Issues
🠶 Evidence, to be admissible in court, must be relevant, material and competent, and its probative value must outweigh any prejudicial effect.
🠶 There are many types of personnel involved in digital forensics/computer forensics:
🠶 (a) Technicians: carry out the technical aspects of gathering evidence;
🠶 (b) Policy makers: establish forensics policies that reflect broad considerations;
🠶 (c) Professionals: the link between policy and execution, who must have extensive technical skills as well as a good understanding of the legal procedure.

🠶 Skills for digital forensics professionals are the following:
1. Identify relevant electronic evidence associated with violations of specific laws;
2. identify and articulate the probable cause necessary to obtain a search warrant, and recognize the limits of warrants;
3. locate and recover relevant electronic evidence from computer systems using tools;
4. recognize and maintain a chain of custody;
5. follow a documented forensics investigation process.
