Cyber Security 1


AVS COLLEGE OF ARTS & SCIENCE
[AUTONOMOUS]
Attur Main Road, Ramalingapuram, Salem - 106.
(Recognized under section 2(f) & 12(B) of UGC Act 1956 and Accredited by NAAC with 'A' Grade)
(Co-Educational Institution | Affiliated to Periyar University, Salem | ISO 9001 : 2015 Certified Institution)
principal@avscollege.ac.in | www.avscollege.ac.in

Study Material
Paper Name : CYBER SECURITY
Paper Code : 23PCAE07
Batch : 2023 – 2025
Semester : II
QUESTION PAPER PATTERN

TIME: 3 Hours    Max. Marks: 75

PART – A (15*1=15 MARKS)

Answer All the questions

Three questions from each unit (Multiple Choice Questions)

PART – B (2*5=10 MARKS)

Answer Any Two questions

One question from each unit

PART – C (5*10=50 MARKS)

Answer All the questions

One question from each unit (Either or Type)


AVS COLLEGE OF ARTS & SCIENCE (Autonomous)
I MCA
CYBER SECURITY

Course Objectives:

● To understand the basics of cybercrime and computer forensics along with protection mechanisms
● To explore the working principles of WLAN, email and smartphones along with their security mechanisms and guidelines
● To understand the importance of cyber investigations and their functioning roles, and to learn the basics of Wi-Fi and its security measures
● To understand and learn the methods of seizing digital evidence
● To learn and analyze the concepts of digital forensics along with cybercrime prevention techniques

Unit – I

Introduction to cybercrime: Classification of cybercrimes – reasons for commission of cybercrime – malware and its types – kinds of cybercrime – authentication – encryption – digital signatures – antivirus – firewall – steganography – computer forensics – why should we report cybercrime – introduction to counter cyber security initiatives in India – generating secure passwords – using a password manager – enabling two-step verification – securing a computer using free antivirus.

Unit – II

Tips for buying online: Clearing cache for browsers – wireless LAN – major issues with WLAN – safe browsing guidelines for social networking sites – email security tips – introduction to smartphone security guidelines – purses, wallets, smart phones – platforms, setup and installation – communicating securely with a smartphone.

Unit – III

Cyber investigation roles: Introduction – role as a cybercrime investigator – the role of law enforcement officers – the role of the prosecuting attorney – incident response: introduction – post mortem versus live forensics – computer analysis for the hacker defender program – network analysis – legal issues of intercepting Wi-Fi transmission – Wi-Fi technology – Wi-Fi RF – scanning RF – eavesdropping on Wi-Fi – fourth amendment expectation of privacy in WLAN.

Unit – IV

Seizure of digital information: Introduction – defining digital evidence – digital evidence seizure methodology – factors limiting the wholesale seizure of hardware – other options for seizing digital evidence – common threads within digital evidence seizure – determining the most appropriate seizure method – conducting cyber investigations – demystifying computer/cyber crime – IP addresses – the explosion of networking – interpersonal communication.

Unit – V

Digital forensics and analyzing data: Introduction – the evolution of computer forensics – phases of digital forensics – collection – examination – analysis – reporting – Cyber crime prevention: Introduction – crime targeted at a government agency.

Text books:

1. Dr. Jeetendra Pande, "Introduction to Cyber Security", published by Uttarakhand Open University, 2017. (Chapters 1.2-6.4, 9.3-12.2)
2. Anthony Reyes, Kevin O'Shea, Jim Steele, Jon R. Hansen, Captain Benjamin R. Jean, Thomas Ralph, "Cyber-crime Investigations – Bridging the Gaps Between Security Professionals, Law Enforcement, and Prosecutors", 2007. (Chapters 4, 5, 6, 7, 8, 9, 10)

Reference Books:

1. Sebastian Klipper, "Cyber Security: Ein Einblick für Wirtschaftswissenschaftler", Fachmedien Wiesbaden, 2015.
2. John G. Voller (Black and Veatch), "Cyber Security", published by John Wiley & Sons, Inc., Hoboken, New Jersey; published simultaneously in Canada, ©2014.

Unit – I

Introduction to cybercrime:

● The internet was born around the 1960s, when its access was limited to a few scientists, researchers and the defense sector only. Initially, computer crime was confined to causing physical damage to the computer and related infrastructure. Around the 1980s the trend changed from causing physical damage to computers to making a computer malfunction using malicious code called a virus.

● The focus of computer crime shifted from merely damaging the computer, or destroying or manipulating data for personal benefit, to financial crime. These computer attacks are increasing at a rapid pace. Every second around 25 computers became victims of cyber attack, and around 800 million individuals were affected by it till 2013.

● According to the 2013-14 report of the Standing Committee on Information Technology to the 15th Lok Sabha by the Ministry of Communication and Information Technology, India has the third largest number of Internet users in the world, with an estimated 100 million internet users as of June 2011, and the numbers are growing rapidly.

● There are around 22 million broadband connections in India till date, operated by around 134 major Internet Service Providers (ISPs).

● The term cyber crime is used to describe an unlawful activity in which computers or computing devices such as smart phones, tablets, Personal Digital Assistants (PDAs), etc., whether stand-alone or part of a network, are used as a tool and/or target of criminal activity.

● Cybercrime, or computer-oriented crime, is a crime that involves a computer and a network. The computer may have been used in the execution of the crime, or it may be the target.

● Cybercrime covers a wide range of activities, but these can generally be divided into two categories:

  o Crimes that aim at computer networks or devices. These crimes involve threats such as viruses and bugs, and denial-of-service (DoS) attacks.
  o Crimes that use computer networks to commit other criminal activities. These crimes include cyber stalking, financial fraud and identity theft.

CLASSIFICATION OF CYBER CRIMES

The cyber criminal could be internal or external to the organization facing the cyber attack. Based on this fact, cyber crime can be categorized into two types:

Insider Attack: An attack on the network or the computer system by some person with authorized system access is known as an insider attack.
● It is generally performed by dissatisfied or unhappy inside employees or contractors. The motive of the insider attack could be revenge.
● The insider attack could be prevented by planning and installing internal intrusion detection systems (IDS) in the organization.

External Attack: When the attacker is either hired by an insider or is an external entity to the organization, it is known as an external attack.
● The organization which is a victim of a cyber attack faces not only financial loss but also loss of reputation.
● Since the attacker is external to the organization, these attackers usually scan the network and gather information first.

Cyber attacks can also be classified as structured attacks and unstructured attacks based on the level of maturity of the attacker:

● Unstructured attacks: These attacks are generally performed by amateurs who do not have any predefined motive to perform the cyber attack. Usually these amateurs try to test a tool readily available over the internet on the network of a random company.

● Structured attacks: These attacks are performed by highly skilled and experienced people, and the motives of these attacks are clear in their minds.
  o They have access to sophisticated tools and technologies to gain access to other networks without being noticed by their Intrusion Detection Systems (IDSs).
  o These attacks are usually performed by professional criminals.

Cyber Terrorism – Cyber terrorism is the use of computers and the internet to perform violent acts that result in loss of life. This may include different types of activities, either by software or hardware, that threaten the lives of citizens.
Cyber Extortion – Cyber extortion occurs when a website, e-mail server or computer system is subjected to, or threatened with, repeated denial of service or other attacks by malicious hackers.
Cyber Warfare – Cyber warfare is the use or targeting, in a battle space or warfare context, of computers, online control systems and networks. It involves both offensive and defensive operations.
Internet Fraud – Internet fraud is a type of fraud or deceit which makes use of the Internet and could include hiding information or providing incorrect information for the purpose of deceiving victims out of money or property.
Cyber Stalking – This is a kind of online harassment wherein the victim is subjected to a barrage of online messages and emails.
Challenges of Cyber Crime:
1. People are unaware of their cyber rights – they are unaware of the cyber rights implemented by the government of their particular country.
2. Anonymity – those who commit cyber crime are anonymous to us, so we cannot do anything to that person.
3. Fewer cases registered – every country in the world faces the challenge of cyber crime, and the rate of cyber crime is increasing day by day, partly because people often do not even register a case of cyber crime; this is a major challenge for us as well as for the authorities.
4. Mostly committed by well-educated people – committing a cyber crime is not everyone's cup of tea.
Prevention of Cyber Crime:
1. Use strong passwords
2. Use trusted antivirus on devices
3. Keep social media private
4. Keep your device software updated
5. Use secure networks
6. Never open attachments in spam emails
7. Software should be updated

REASONS FOR COMMISSION OF CYBER CRIMES

● Lack of Cyber Security Awareness and Education: A major contributing factor to the rise of cybercrime in India is the lack of awareness and education about cybersecurity.
There are many reasons which act as a catalyst in the growth of cyber crime. Some of the prominent reasons are:
● To hack websites in order to spread messages for a socio-political purpose.
● To attack the nation's important assets.
● To make money by hacking into banks and financial institutions.
● To gain access to business data servers to obtain critical information.
a. Money: People are motivated to commit cyber crime to make quick and easy money.
b. Revenge: Some people try to take revenge on another person/organization/society/caste or religion by defaming its reputation or causing economic or physical loss. This comes under the category of cyber terrorism.
c. Fun: Amateurs commit cyber crime for fun. They just want to test the latest tool they have encountered.
d. Recognition: It is considered a matter of pride if someone hacks highly secured networks like defense sites or networks.
e. Anonymity: Many times the anonymity that cyber space provides motivates a person to commit cyber crime, as it is much easier to commit a cyber crime over cyber space and remain anonymous than in the real world.

f. Cyber Espionage: At times the government itself is involved in cyber trespassing to keep an eye on another person/network/country. The reason could be politically, economically or socially motivated.

Reasons for the Rise of Cybercrime in India:

● Increasing Internet Penetration: India has witnessed a significant surge in internet penetration over the past decade.
● Digital Transformation and E-commerce Boom: The digital transformation wave in India has led to a boom in e-commerce, online banking, and digital transactions.
● Lack of Cybersecurity Awareness and Education:
● Weak Cybersecurity Infrastructure: The infrastructure is still evolving, and it faces significant challenges in keeping up with the ever-evolving tactics of cybercriminals.

MALWARE AND ITS TYPES

● Malware stands for "Malicious Software"; it is designed to gain access to, or be installed into, a computer without the consent of the user. It performs unwanted tasks in the host computer for the benefit of a third party.
● Any malicious software intended to harm or exploit any programmable device, service, or network is referred to as malware.
● Malware is short for malicious software and refers to any software that is designed to cause harm to computer systems, networks, or users. Malware can take many forms.
● Malware is a program designed to gain access to computer systems, generally for the benefit of some third party, without the user's permission. Malware includes computer viruses, worms, Trojan horses, ransomware, spyware, and other malicious programs.

Why Do Cybercriminals Use Malware?

● Cybercriminals use malware, which includes all forms of malicious software including viruses, for a variety of purposes:
● Using deception to induce a victim to provide personal information for identity theft
● Theft of customer credit card information or other financial information
● Taking over several computers and using them to launch denial-of-service attacks against other networks
● Using infected computers to mine for cryptocurrencies like bitcoin.

There are various types of malware present on the Internet. Some of the popular ones are:

● Adware: It is a special type of malware which is used for forced advertising.
  o It either redirects the page to some advertising page or pops up an additional page which promotes some product or event.
● Spyware: It is a special type of malware which is installed in the target computer with or without the user's permission and is designed to steal sensitive information from the target machine. Mostly it gathers the browsing habits of the user and sends them to a remote server without the knowledge of the owner of the computer.
● Browser hijacking software: Some malicious software is downloaded along with free software offered over the internet
  o and installed in the host computer without the knowledge of the user. This software modifies the browser's settings and redirects links to other, unintended sites.
● Virus: A virus is malicious code written to damage/harm the host computer by deleting or appending a file,
  o occupying memory space of the computer by replicating copies of the code,
  o slowing down the performance of the computer, formatting the host machine, etc.
  o It can be spread via email attachments, pen drives, digital images, e-greetings, audio or video clips, etc.
  o A virus may be present in a computer but it cannot activate itself without human intervention.
  o Until and unless the executable file (.exe) is executed, a virus cannot be activated in the host machine.
● Worms: They are a class of virus which can replicate themselves.
  o They differ from a virus in that they do not require human intervention to travel over the network and spread from the infected machine to the whole network.
● Trojan horse: A Trojan horse is malicious code that is installed in the host machine by pretending to be useful software.
  o The user clicks on a link or downloads a file which pretends to be a useful file or software from a legitimate source.
  o It not only damages the host computer by manipulating the data but also creates a backdoor in the host computer.
  o Trojans neither infect the other computers in the network nor do they replicate.
  o The computers of a network which are infected by malicious code are known as zombies.

[Figure: A typical botnet]

Scareware: The Internet has changed how we talk, shop, play, etc. It has even changed the way criminals target people for ransom.
● As the user proceeds to download, malicious code, known as scareware, is downloaded into the host computer.
Logic Bombs: A logic bomb is a malicious program that uses a trigger to activate the malicious code. The logic bomb remains non-functioning until that trigger event happens.
Rootkits: A rootkit modifies the OS to make a backdoor. Attackers then use the backdoor to access the computer remotely.
Backdoors: A backdoor bypasses the usual authentication used to access a system. The purpose of the backdoor is to grant cyber criminals future access.
Keyloggers: A keylogger records everything the user types on his/her computer system to obtain passwords and other sensitive information, and sends them to the source of the keylogging program.
How to Know If Our Devices Are Infected With Malware?
The following are the most typical indications that malware has compromised your computer:
● The computer performs poorly when running programs.
● When your web browser directs you to a website you didn't intend to visit, this is known as a browser redirect.
● Warnings about infections are frequently accompanied by offers to buy a product to treat them.
● Having trouble starting or shutting down your computer.
● Persistent pop-up ads.
How to Protect From Malware?
1. Update your operating system and software. Install updates as soon as they become available.
2. Never click on a popup's link. Simply click the "X".
3. Don't install too many apps on your devices.
4. Be cautious when using the internet.
5. Do not click on unidentified links.
6. Choose the websites you visit wisely.
7. Emails requesting personal information should be avoided. Do not click a link in an email.
How to Remove Malware?
● An antimalware tool that handles malware detection and removal is Malwarebytes. Malware can be eliminated from Windows, macOS, Android, and iOS operating systems.
● A user's registry files, currently running programs, hard drives, and individual files can all be scanned by Malwarebytes. Malware can then be quarantined and removed if it is found. Users cannot, however, set automatic scanning schedules like they can with some other tools.
Advantages of Detecting and Removing Malware:
1. Improved Security
2. Prevent Data Loss
3. Protect Reputation
4. Increased Productivity

Disadvantages of Detecting and Removing Malware:
1. Time-Consuming
2. Cost
3. False Positives
4. Difficulty
5. Risk of Data Loss

KINDS OF CYBER CRIME

● Cybercrime can be defined as "The illegal usage of any communication device to commit or facilitate in committing any illegal act".
● A cybercrime is explained as a type of crime that targets or uses a computer or a group of computers under one network for the purpose of harm.
● A cybercriminal is a person who uses his skills in technology to do malicious acts and illegal activities known as cybercrimes. They can be individuals or teams.
Various types of cyber crimes are:
● Email and internet fraud.
● Identity fraud (where personal information is stolen and used).
● Theft of financial or card payment data.
● Theft and sale of corporate data.
● Cyberextortion (demanding money to prevent a threatened attack).
● Ransomware attacks (a type of cyberextortion).
Cyber Stalking:
● It is an act of stalking, harassing or threatening someone using the Internet/computer as a medium. This is often done to defame a person, using email, social networks, instant messengers, web posting, etc.
Child Pornography:
● It is an act of possessing images or video of a minor (under 18).
Forgery and Counterfeiting:
● It is the use of a computer to forge or counterfeit a document, which has become easier with the advancement in hardware and software.
Software Piracy and Crime related to IPRs:
● Software piracy is the illegal reproduction and distribution of software for personal use or business. It comes under crimes related to IPR infringement.
● Some of the other crimes under IPR infringement are: downloading songs, downloading movies, etc.
Cyber Terrorism:
● It is defined as the use of computer resources to intimidate or coerce a government, the civilian population or any segment thereof in furtherance of political or social objectives.
Phishing:
● It is a process of acquiring personal and sensitive information of an individual via email by disguising as a trustworthy entity in an electronic communication.
● The purpose of phishing is identity theft and obtaining personal information like username, password, credit card number, etc.
● Another form of phishing is Vishing (voice phishing); yet another is Smishing, in which SMS is used to lure customers.
Computer Vandalism:
● It is an act of physically destroying computing resources using physical force or malicious code.
Computer Hacking:
● It is the practice of modifying computer hardware and software to accomplish a goal outside the creator's original purpose.
● The purpose of hacking a computer system may vary from simple demonstration of technical ability to stealing, modifying or destroying information for social, economic or political reasons.
The hackers may be classified as:

● White Hat: White hat hackers are persons who hack a system to find its security vulnerabilities and notify the organization so that preventive action can be taken to protect the system from outside hackers.
  o White hat hackers may be paid employees of an organization, employed to find the security loopholes.
● Black Hat: In contrast to the white hat, the black hat hacks the system with ill intentions.
  o They may hack the system for socially, politically or economically motivated reasons. They find the security loopholes in the system.
● Grey Hat: Grey hat hackers find security vulnerabilities, report them to the site administrators and offer to fix the security bug for a consultancy fee.

● Blue Hat: A blue hat hacker is someone outside computer security consulting firms who is used to bug-test a system prior to its launch, looking for exploits so they can be closed.
Creating and distributing viruses over the internet:
● The spreading of a virus can cause business and financial loss to an organization.
● The loss includes the cost of repairing the system, the cost associated with the loss of business during downtime and the cost of lost opportunity.
Spamming:
● Sending unsolicited and commercial bulk messages over the internet is known as spamming.
An email can be classified as spam if it meets the following criteria:
a. Mass mailing: the email is not targeted at one particular person but at a large number of people.
b. Anonymity: the real identity of the sender is not known.
c. Unsolicited: the email is neither expected nor requested by the recipient.
● Spam not only irritates the recipients and overloads the network but also wastes time and occupies valuable storage space in the mailbox.
Online Auction Fraud:
● There are many genuine websites which offer online auctions over the internet.
Web Jacking:
● The hacker gains access to a website of an organization and either blocks it or modifies it to serve political, economic or social interests.
Internet Time Theft:
● Hacking the ISP username and password of an individual and surfing the internet at his cost is Internet Time Theft.
Denial of Service Attack:
● It is a cyber attack in which the network is choked, and often collapses, by flooding it with useless traffic, thus preventing legitimate network traffic.

Data Diddling:
● It is the practice of changing data before its entry into the computer system. Often, the original data is restored after the processing of the data is done.
● For example, the DA or the basic salary of a person is changed in the payroll data of an individual for pay calculation.
Email Spoofing:
● It is the process of changing the header information of an e-mail so that its original source is not identified, and it appears to the individual at the receiving end that the email originated from a source other than the original source.

AUTHENTICATION
● Authentication is the process of verifying a user or device before allowing access to a system or resources. In other words, authentication means confirming that a user is who they say they are. This ensures only those with authorized credentials gain access to secure systems.
● Authentication is the process of verifying who someone is, whereas authorization is the process of verifying what specific applications, files, and data a user has access to.
The list below reviews some common authentication methods used to secure modern systems.
1. Password-based authentication: Passwords are the most common method of authentication.
2. Multi-factor authentication.
3. Certificate-based authentication.
4. Biometric authentication.
5. Token-based authentication.

There are two basic types of authentication:

● Knowledge-based: Something like a password or PIN code that only the identified user would know.
● Property-based: This means the user possesses an access card, key, key fob or authorized device unique to them.

Factors:
● Factors include:
  (i) Something you know (e.g. password/personal identification number (PIN)).
  (ii) Something you have (e.g., cryptographic identification device, token).
  (iii) Something you are (e.g., biometric).

● It is a process of identifying an individual and ensuring that the individual.
● A typical method for authentication over the internet is via username and password.
● With the increase in the reported cases of cyber crime by identity theft over the internet, organizations have made some additional arrangements for authentication like One Time Password (OTP).
  This is the two-factor authentication method: it requires two types of evidence to authenticate an individual and so provides an extra layer of security for authentication.
● Some other popular techniques for two-factor authentication are biometric data, physical tokens, etc., which are used in conjunction with username and password.
● The process of giving an individual access to certain resources based on the credentials of that individual is known as authorization, and this process often goes hand-in-hand with authentication.
● A hybrid authentication system is one which combines the username and password with hardware security measures like a biometric system, etc.
● Some of the larger organizations also use a VPN (Virtual Private Network), which is one of the methods to provide secure access, via hybrid security authentication, to the company network over the internet.
ENCRYPTION

● Encryption is a form of data security in which information is converted to ciphertext. Only authorized people who have the key can decipher the code and access the original plaintext information.
There are two kinds of encryption key on which the different types of encryption are based:
1) Symmetric: It works on a single private key; therefore it is faster than asymmetric encryption (explained in the next point).
2) Asymmetric: This encryption method works with two keys: one public key and one private key.

Encryption scrambles information when it is moving from the sender to the recipient to prevent unauthorized people, like cyber criminals, from accessing it.
● It is a technique to convert data into an unreadable form before transmitting it over the internet.
● Only a person who has access to the key can convert it back into readable form and read it.
● Formally, encryption can be defined as a technique to lock data by converting it to complex codes using mathematical algorithms.
● The code is so complex that even the most powerful computer would take several years to break it.
● This secure code can safely be transmitted over the internet to the destination. The receiver, after receiving the data, can decode it using the key.
● The decoding of the complex code back to the original text using the key is known as decryption.
● If the same key is used to lock and unlock the data, it is known as symmetric key encryption.

[Figure: Encryption]

● In symmetric key encryption, after encoding the data, the key is sent to the destination user via some other medium like the postal service, telephone, etc.
● This is because if the key is obtained by a hacker, the security of the data is compromised.
● Key distribution is a complex task because the security of the key during transmission is itself an issue. To avoid the transfer of the key, a method called asymmetric key encryption, also known as public key encryption, is used.
● The public key of every user is known to everyone, but the private key is known only to the particular user who owns the key.

DIGITAL SIGNATURES

 A digital signature is a cryptographic output used to verify the authenticity of


data. A digital signature algorithm allows for two distinct operations: a signing
operation, which uses a signing key to produce a signature over raw data.
 A digital signature is a mathematical technique which validates the authenticity
and integrity of a message, software or digital documents.
 It is a technique for validation of data. Validation is a process of certifying the
content of a document.
 The digital signatures not only validate the data but also used for authentication.

Application of Digital Signature:


The important reason to implement digital signature to communication is:
 Authentication: Authentication is a process which verifies the identity of a
user who wants to access the system. In the digital signature, authentication
helps to authenticate the sources of messages.
 Non-repudiation: Non-repudiation means assurance of something that cannot
be denied.
 Integrity: Integrity ensures that the message is real, accurate and safeguards
from unauthorized user modification during the transmission.
Algorithms in Digital Signature:
A digital signature consists of three algorithms:
 Key generation algorithm
 Signing algorithm
 Signature verifying algorithm
The steps which are followed in creating a digital signature are:
 Select a file to be digitally signed.
 The hash value of the message or file content is calculated. This message or file
content is encrypted by using a private key of a sender to form the digital
signature.
 Now, the original message or file content along with the digital signature is
transmitted.
 The receiver decrypts the digital signature by using a public key of a sender.
 The receiver now has the message or file content and can compute it.
 Comparing these computed message or file content with the original computed
message. The comparison needs to be the same for ensuring integrity.
Types of Digital Signature:
Different document-processing platforms support different types of digital signature.
They are described below:

 Certified Signatures: Documents with a certified digital signature display a unique
blue ribbon across the top of the document.
 Approval Signatures: Approval digital signatures on a document can be used in
the organization's business workflow.
 Visible Digital Signature: A visible digital signature allows a user to sign a
single document digitally. This signature appears on the document in the same
way as a handwritten signature appears on a physical document.
 Invisible Digital Signature: An invisible digital signature carries a visual indication
of a blue ribbon in the document's taskbar rather than on the page.

1. The digital signature is created by encrypting the data with the private key of
the sender. The encrypted data is attached to the original message and sent over
the internet to the destination.
2. The receiver can decrypt the signature with the public key of the sender. The
decrypted message is then compared with the original message.
3. If both are the same, it signifies that the data has not been tampered with, and
the authenticity of the sender is verified, since only someone holding the private
key (which is known to the owner alone) could have encrypted data that decrypts
correctly with that public key.
4. If the data is tampered with during transmission, the receiver detects it easily
because the data will fail verification. Moreover, the message cannot be re-
encrypted after tampering, as the private key, which only the original sender
possesses, is required for this purpose.
5. As more and more documents are transmitted over the internet, digital signatures
have become an essential part of legal as well as financial transactions.
6. A digital signature not only provides authentication of a person and validation of
the document, it also prevents denial of an agreement at a later stage. Digital
signatures are used precisely to prevent such disputes.

[Digital signature]
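The hash-then-sign procedure described in the steps and the numbered list above, as an added example in Go (this is not code from the original notes). It uses the standard library's RSA with SHA-256 and PKCS#1 v1.5 padding, which is the deployed form of "encrypt the hash with the private key"; the key pair, the message and the tampered message are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// GenerateKeyPair is the key generation algorithm: a 2048-bit RSA private key.
// The public half is priv.PublicKey and is what the receiver gets.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Sign is the signing algorithm: hash the message with SHA-256, then apply the
// private key (with PKCS#1 v1.5 padding) to the digest. Only the holder of the
// private key can produce this value.
func Sign(priv *rsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify is the verification algorithm: the receiver recomputes the digest of
// the message it received and checks it against the signature with the
// sender's public key. Any change to message or signature yields false.
func Verify(pub *rsa.PublicKey, message, signature []byte) bool {
	digest := sha256.Sum256(message)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], signature) == nil
}

func main() {
	priv, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample message standing in for the file to be signed.
	msg := []byte("Transfer 100 units to account 12345")
	sig, err := Sign(priv, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", Verify(&priv.PublicKey, msg, sig))
	tampered := []byte("Transfer 900 units to account 12345")
	fmt.Println("tampered verifies:", Verify(&priv.PublicKey, tampered, sig))
	// A different key pair cannot produce a signature that verifies under the
	// first public key; that is what gives non-repudiation its force.
	other, _ := GenerateKeyPair()
	forged, _ := Sign(other, msg)
	fmt.Println("other key's signature verifies:", Verify(&priv.PublicKey, msg, forged))
}
```

In a deployed system the receiver also needs to know that the public key really belongs to the sender, which is what a certificate issued by a trusted authority provides; the code above assumes the key was exchanged out of band.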

ANTIVIRUS
 Antivirus software (antivirus program) is a security program designed to prevent,
detect, search for and remove viruses and other types of malware from computers,
networks and other devices.
Most antivirus programs employ these four types of detection technique:
 Signature detection is a method by which an antivirus closely scans files that
are brought into a system and compares them with known signatures to single
out files that are likely to be hazardous.
 Specific detection looks for a particular, already known piece of malware by
its exact characteristics.
 Generic detection looks for known parts or types of malware, or for patterns
that are related by a common codebase, so that variants of one family are caught.
 Heuristic detection is a type of virus detection that looks for unknown
infections by spotting suspicious file structures.
Examples of Antivirus Software
Antivirus software is available in two types:
(i) Free: free antivirus software provides basic virus protection.
(ii) Paid: commercial antivirus software provides more extensive protection.

 There are varieties of malicious programs, such as viruses, worms and trojan horses,
that are spread over the internet to compromise the security of a computer, either
to destroy data stored on the computer or to gain financial benefit by sniffing
passwords and the like.
 To prevent such malicious code from entering your system, a special program
called an antivirus is used, which is designed to protect the system against viruses.
 It not only prevents malicious code from entering the system but also detects and
destroys malicious code that is already installed on the system.
 Many new viruses appear every day. The antivirus program regularly updates its
database and so provides the system with immunity against these new viruses,
worms, etc.
Benefits of Antivirus Software:
1. Spam and advertisements are blocked
2. Virus protection and transmission prevention
3. Hackers and data thieves are thwarted
4. Protection against removable devices
5. Website access can be restricted to improve web security
6. Password protection
Disadvantages of Antivirus programs:
 Slows down the system's speed
 Pop-up advertisements
 Security holes
 No customer care service

FIREWALL
 A firewall is a network security device that monitors incoming and outgoing
network traffic and decides whether to allow or block specific traffic based on a
defined set of security rules. Firewalls have been a first line of defense in
network security for over 25 years.
 A firewall can be defined as a special type of network security device or a software
program that monitors and filters incoming and outgoing network traffic based
on a defined set of security rules.
 Firewalls are primarily used to prevent malware and network-based attacks.
 Modern firewalls have become powerful and include a variety of functions and
capabilities as built-in features:
1. Network Threat Prevention
2. Application and Identity-Based Control
3. Hybrid Cloud Support
4. Scalable Performance
5. Network Traffic Management and Control
6. Access Validation
7. Record and Report on Events

The importance of using firewalls as a security system is obvious; however, firewalls
have some limitations:
 Firewalls cannot stop users from accessing malicious websites, which leaves the
network vulnerable to internal threats or attacks.
 Firewalls cannot protect against the transfer of virus-infected files or software.
 Firewalls cannot prevent misuse of passwords.
 Firewalls cannot protect if the security rules are misconfigured.
 Firewalls cannot protect against non-technical security risks, such as social
engineering.
 Firewalls cannot stop or prevent attackers with modems from dialing in to or out
of the internal network.
 Firewalls cannot secure a system that is already infected.
Types of Firewall:
Depending on their structure and functionality, there are different types of firewalls.
The following is a list of some common types of firewalls:
 Proxy Firewall
 Packet-filtering firewalls
 Stateful Multi-layer Inspection (SMLI) Firewall
 Unified threat management (UTM) firewall
 Next-generation firewall (NGFW)
 Network address translation (NAT) firewalls

 The three main types of firewall are:
 packet-filtering,
 stateful inspection,
 proxy.
 Firewalls provide protection against outside cyber attackers by shielding your
computer or network from malicious or unnecessary network traffic.
 It is hardware/software which acts as a shield between an organization's
network and the internet and protects it from threats such as viruses, malware,
hackers, etc.
 It can be used to limit the persons who can have access to your network and
send information to you.
[Firewall]
 There are two types of traffic in an organization: inbound traffic and outbound
traffic.
 Using a firewall, it is possible to configure and monitor the traffic on the ports. Only
packets from trusted source addresses can enter the organization's network, while
sources that are blacklisted or unauthorized are denied access to the network.
 It is important to have firewalls to prevent unauthorized access to the network,
but a firewall does not guarantee this unless it is configured correctly. A
firewall can be implemented using hardware as well as software or a
combination of both.
o Hardware Firewalls: an example of a hardware firewall is the router through
which the network is connected to the network outside the organization, i.e.
the Internet.
o Software Firewalls: these firewalls are installed on the server and client
machines and act as a gateway to the organization's network.
 Firewalls can be configured to follow "rules" and "policies", and based on
these defined rules a firewall can apply the following filtering mechanisms:
 Proxy: all outbound traffic is routed through proxies for monitoring and
controlling the packets that are routed out of the organization.
 Packet Filtering: based on the rules defined in the policies, each packet is filtered
by its type, port information, and source and destination information. Examples
of such characteristics are IP addresses, domain names, port numbers,
protocols, etc. Basic packet filtering can be performed by routers.
 Stateful Inspection: rather than going through every field of a packet, key
features are defined, and outgoing/incoming packets are judged on those
defined characteristics only.
 Firewalls are an essential component of an organization's network. They not
only protect the organization against viruses and other malicious code but also
prevent attackers from using the network infrastructure to launch DoS attacks.
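The packet-filtering mechanism described above, as an added Go example that is not from the original notes: an ordered rule list over direction, protocol, source address and destination port, evaluated first-match-wins with an implicit default deny for anything no rule covers. The policy is constructed for the example and uses the documentation address ranges 203.0.113.0/24, 198.51.100.0/24 and 192.168.10.0/24; the second policy shows the misconfiguration the notes warn about, where simply reordering two rules lets a blacklisted host through.

```go
package main

import (
	"fmt"
	"net/netip"
)

type Direction int

const (
	Inbound  Direction = iota // traffic entering the organization's network
	Outbound                  // traffic leaving it
)

// Packet holds the header fields a packet filter inspects.
type Packet struct {
	Dir     Direction
	Proto   string // "tcp" or "udp"
	Src     netip.Addr
	DstPort uint16
}

// Rule is one line of policy. Zero values act as wildcards: an empty Proto
// matches any protocol and a zero DstPort matches any port.
type Rule struct {
	Name    string
	Dir     Direction
	Proto   string
	Src     netip.Prefix
	DstPort uint16
	Allow   bool
}

func (r Rule) Matches(p Packet) bool {
	return r.Dir == p.Dir &&
		(r.Proto == "" || r.Proto == p.Proto) &&
		r.Src.Contains(p.Src) &&
		(r.DstPort == 0 || r.DstPort == p.DstPort)
}

// Firewall is an ordered rule list; order matters because the first matching
// rule decides the packet's fate.
type Firewall struct{ Rules []Rule }

// Decide returns the verdict and the name of the rule that produced it. A
// packet matching no rule is dropped: the implicit default-deny policy.
func (fw Firewall) Decide(p Packet) (allow bool, by string) {
	for _, r := range fw.Rules {
		if r.Matches(p) {
			return r.Allow, r.Name
		}
	}
	return false, "default-deny"
}

var anyV4 = netip.MustParsePrefix("0.0.0.0/0") // every IPv4 source

// ExamplePolicy is a constructed policy: blacklist first, then the services
// that are meant to be reachable, then unrestricted outbound traffic.
func ExamplePolicy() Firewall {
	return Firewall{Rules: []Rule{
		{Name: "block-blacklisted-net", Dir: Inbound, Src: netip.MustParsePrefix("203.0.113.0/24")},
		{Name: "allow-https-from-anywhere", Dir: Inbound, Proto: "tcp", Src: anyV4, DstPort: 443, Allow: true},
		{Name: "allow-ssh-from-admin-lan", Dir: Inbound, Proto: "tcp", Src: netip.MustParsePrefix("192.168.10.0/24"), DstPort: 22, Allow: true},
		{Name: "allow-all-outbound", Dir: Outbound, Src: anyV4, Allow: true},
	}}
}

// MisorderedPolicy is the same rule set with the blacklist moved below the
// HTTPS allow rule, so blacklisted hosts reach the web server anyway.
func MisorderedPolicy() Firewall {
	fw := ExamplePolicy()
	fw.Rules[0], fw.Rules[1] = fw.Rules[1], fw.Rules[0]
	return fw
}

func main() {
	fw := ExamplePolicy()
	samples := []Packet{
		{Inbound, "tcp", netip.MustParseAddr("198.51.100.7"), 443},
		{Inbound, "tcp", netip.MustParseAddr("203.0.113.9"), 443},
		{Inbound, "tcp", netip.MustParseAddr("198.51.100.7"), 22},
		{Inbound, "tcp", netip.MustParseAddr("192.168.10.5"), 22},
		{Inbound, "udp", netip.MustParseAddr("198.51.100.7"), 53},
		{Outbound, "tcp", netip.MustParseAddr("192.168.10.5"), 80},
	}
	for _, p := range samples {
		allow, by := fw.Decide(p)
		fmt.Printf("%-14s %s/%d -> allow=%v (%s)\n", p.Src, p.Proto, p.DstPort, allow, by)
	}
	allow, _ := MisorderedPolicy().Decide(samples[1])
	fmt.Println("misordered policy lets the blacklisted host in:", allow)
}
```

A real packet filter also checks the destination address and, for stateful inspection, whether an inbound packet belongs to a connection that an allowed outbound packet opened; both are left out here to keep the rule evaluation itself visible.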

STEGANOGRAPHY
 Steganography is the practice of concealing information within another
message or physical object to avoid detection. Steganography can be used to
hide virtually any type of digital content, including text, image, video or audio
content. The hidden data is then extracted at its destination.
 Steganography is the technique of hiding data within an ordinary, non-secret
file or message to avoid detection; the hidden data is then extracted at its
destination. Steganography can be combined with encryption as an extra
step for hiding or protecting data.
5 Types of Steganography:
 Text steganography: conceals a secret message inside a piece of text.
 Image steganography: secret information is encoded within a digital image.
 Video steganography.
 Audio steganography.
 Network steganography.

 It is a technique of hiding secret messages in a document file, image file,
program or protocol, etc.
 The embedded message is invisible and can be retrieved only using special
software. Only the sender and the receiver know about the existence of the
secret message in the image.

 Various free software packages are available for steganography. Some of the
popular ones are QuickStego, Xiao, Tucows, OpenStego, etc.
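Image steganography as described above, as an added Go example that is not from the original notes or from any of the tools named: the least-significant-bit (LSB) method, in which each message bit replaces the lowest bit of one sample (for instance the grey value of one pixel), so no sample changes by more than 1. The cover here is a constructed byte slice standing in for image samples, and a 4-byte length header is the example's own convention so that extraction knows where the message ends.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Embed hides msg in the least significant bit of each cover sample. A 4-byte
// big-endian length header is written first so Extract knows how much to read.
func Embed(cover, msg []byte) ([]byte, error) {
	payload := make([]byte, 4, 4+len(msg))
	binary.BigEndian.PutUint32(payload, uint32(len(msg)))
	payload = append(payload, msg...)
	if len(payload)*8 > len(cover) {
		return nil, fmt.Errorf("cover too small: need %d samples, have %d", len(payload)*8, len(cover))
	}
	stego := make([]byte, len(cover))
	copy(stego, cover)
	for i, b := range payload {
		for bit := 0; bit < 8; bit++ {
			v := (b >> (7 - bit)) & 1
			idx := i*8 + bit
			stego[idx] = stego[idx]&^1 | v // clear the LSB, then set it to the message bit
		}
	}
	return stego, nil
}

// readBytes reassembles n bytes from the LSBs of the samples, starting at
// payload byte offset start.
func readBytes(stego []byte, start, n int) ([]byte, error) {
	if n < 0 || (start+n)*8 > len(stego) {
		return nil, errors.New("no valid hidden payload (truncated or never embedded)")
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		var b byte
		for bit := 0; bit < 8; bit++ {
			b = b<<1 | stego[(start+i)*8+bit]&1
		}
		out[i] = b
	}
	return out, nil
}

// Extract recovers the hidden message. On a cover that carries nothing the
// "length" read from the LSBs is garbage, which the range check rejects.
func Extract(stego []byte) ([]byte, error) {
	hdr, err := readBytes(stego, 0, 4)
	if err != nil {
		return nil, err
	}
	n := binary.BigEndian.Uint32(hdr)
	if uint64(n) > uint64(len(stego)/8) {
		return nil, errors.New("no valid hidden payload (length header out of range)")
	}
	return readBytes(stego, 4, int(n))
}

// MaxDelta returns the largest per-sample change between two equal-length
// buffers; LSB embedding never changes a sample by more than 1.
func MaxDelta(a, b []byte) int {
	max := 0
	for i := range a {
		d := int(a[i]) - int(b[i])
		if d < 0 {
			d = -d
		}
		if d > max {
			max = d
		}
	}
	return max
}

// SampleCover builds a constructed grey gradient standing in for an image.
func SampleCover(n int) []byte {
	cover := make([]byte, n)
	for i := range cover {
		cover[i] = byte(i % 256)
	}
	return cover
}

func main() {
	cover := SampleCover(4096)
	stego, err := Embed(cover, []byte("constructed secret"))
	if err != nil {
		panic(err)
	}
	msg, _ := Extract(stego)
	fmt.Printf("recovered %q, largest sample change %d\n", msg, MaxDelta(cover, stego))
	_, err = Extract(cover)
	fmt.Println("extracting from the untouched cover:", err)
}
```

From the detection side, the hidden data is invisible to the eye but not to statistics: steganalysis tools examine the LSB plane of an image, and in a smooth cover like the gradient above the message bits stand out against the regular pattern the untouched samples have.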

COMPUTER FORENSICS

 Computer forensics is a field of technology that uses investigative techniques to
identify and store evidence from a computer device. Often, computer forensics is
used to uncover evidence that could be used in a court of law. Computer
forensics also encompasses areas outside of investigations.
 Computer forensics, also called digital or cyber forensics, is a field of technology
that uses investigation techniques to help identify, collect and store evidence
from an electronic device.
 Computer forensics findings can help cybersecurity teams speed up cyber threat
detection and resolution, and prevent future cyber attacks.
 Cyber forensics is a branch of science which deals with tools and techniques for
the investigation of digital data to find evidence of a crime which can be
produced in a court of law.
 It is the practice of preserving, extracting, analyzing and documenting evidence
from digital devices such as computers, digital storage media, smartphones, etc.
 Computer forensics plays a vital role in an organization, as our dependency
on computing devices and the internet is increasing day by day.
 Digital forensic investigation is a highly skilled task which requires exposure to
various tools, techniques and guidelines for finding and recovering digital
evidence from the crime scene or from the digital equipment used in the crime.
 With digital equipment such as smartphones, tablets, palmtops, smart TVs, etc.
having ever greater processing capability and computation speed, the possibility
of these devices being used in cyber crime cannot be ruled out.
 In a large organization, a cyber crime is usually first detected by the incident
handling team, which is responsible for monitoring and detecting security
events on a computer or computer network; once it is detected, the initial
incident management processes described below are followed.
TYPES
1. Disk Forensics: deals with extracting raw data from the primary or secondary
storage of the device by searching active, modified or deleted files.
2. Network Forensics: a sub-branch of computer forensics that involves
monitoring and analyzing computer network traffic.
3. Database Forensics: deals with the study and examination of databases and
their related metadata.
4. Malware Forensics: deals with the identification of suspicious code and the
study of viruses, worms, etc.
5. Email Forensics: deals with emails and their recovery and analysis, including
deleted emails, calendars and contacts.
6. Memory Forensics: deals with collecting data from system memory (system
registers, cache, RAM) in raw form and then analyzing it for further investigation.
7. Mobile Phone Forensics: deals mainly with the examination and analysis of
phones and smartphones, and helps to retrieve contacts, call logs, incoming and
outgoing SMS, and other data present on them.
The initial incident management processes are:
1. Preparation: the organization prepares guidelines for incident response and
assigns roles and responsibilities to each member of the incident response
team.
2. Identification: based on the observed traits, the incident response team verifies
whether an incident has actually occurred.
3. Containment: based on the feedback from the assessment team, the future
course of action to respond to the incident is planned in this step.
4. Eradication: in this step, the strategy for eradicating or mitigating the cause
of the threat is planned and executed.
5. Recovery: the process of returning to the normal operational state after
eradication of the problem.
6. Lessons Learned: if a new type of incident is encountered, it is documented so that
this knowledge can be used to handle such situations in future.
The computer forensic investigation involves the following steps:
 Identify incident and evidence: this is the first step, performed by the system
administrator, who tries to gather as much information as possible about the
incident. Based on this information the scope and severity of the attack are
assessed.
 Collect and preserve evidence: various tools such as Helix, WinHex, FTK Imager, etc.
are used to capture the data. Once a backup of the data is obtained, custody of
the evidence and of the backup is taken.
 Investigate: the disk image is restored from the backup and the investigation is
performed by reviewing the logs, system files, deleted and updated files, CPU
usage and process logs, temporary files, password-protected and encrypted files,
and image, video and data files for possible steganographic messages, etc.
 Summarize and present: the summary of the incident is presented in
chronological order. Based on the investigation, conclusions are drawn and the
possible cause is explained.

 While carrying out a digital forensic investigation, rules and procedures must be
applied. Especially while capturing the evidence, it must be ensured that the actions
taken to capture the data do not change the evidence.
 The integrity of the data must be maintained. It must be ensured that the devices
used for capturing the backup are free from contamination.
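The "collect and preserve", "investigate" and "summarize" steps above, as an added Go example that is not from the original notes: the acquired data is fingerprinted with SHA-256 at collection time and re-checked afterwards (the integrity requirement just stated), log lines are parsed into a chronological timeline, lines the parser cannot read are kept for the report rather than silently dropped, and one classic finding is derived from the timeline. The log excerpt, its line format and the addresses are all constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// SampleLog is a constructed excerpt standing in for an acquired auth log.
// Lines are deliberately out of order and one is garbled.
const SampleLog = `2024-03-05T09:14:05Z srv1 sshd: Failed password for root from 203.0.113.40
2024-03-05T09:14:02Z srv1 sshd: Failed password for root from 203.0.113.40
2024-03-05T09:13:58Z srv1 sshd: Accepted password for alice from 192.168.10.5
2024-03-05T09:14:09Z srv1 sshd: Failed password for admin from 203.0.113.40
2024-03-05T09:14:15Z srv1 sshd: Accepted password for admin from 203.0.113.40
@@corrupt line that must be reported, not silently dropped@@`

// lineRe matches the constructed line format used in SampleLog.
var lineRe = regexp.MustCompile(`^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$`)

type Event struct {
	Time   time.Time
	Host   string
	Result string // "Failed" or "Accepted"
	User   string
	Src    string
}

// EvidenceHash fingerprints the acquired data; record it at collection time.
func EvidenceHash(raw string) string {
	sum := sha256.Sum256([]byte(raw))
	return hex.EncodeToString(sum[:])
}

// VerifyEvidence re-hashes the working copy and compares it with the value
// recorded at collection, showing the analysis did not alter the evidence.
func VerifyEvidence(raw, recorded string) bool {
	return EvidenceHash(raw) == recorded
}

func ParseLine(s string) (Event, error) {
	m := lineRe.FindStringSubmatch(s)
	if m == nil {
		return Event{}, fmt.Errorf("unrecognised line: %q", s)
	}
	ts, err := time.Parse(time.RFC3339, m[1])
	if err != nil {
		return Event{}, err
	}
	return Event{Time: ts, Host: m[2], Result: m[3], User: m[4], Src: m[5]}, nil
}

// BuildTimeline parses every line, keeps unparseable lines for the report,
// and returns the events in chronological order.
func BuildTimeline(raw string) (events []Event, unparsed []string) {
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		ev, err := ParseLine(line)
		if err != nil {
			unparsed = append(unparsed, line)
			continue
		}
		events = append(events, ev)
	}
	sort.SliceStable(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	return events, unparsed
}

// Findings lists sources that failed at least threshold logins and then logged
// in successfully: the guessing-then-success pattern an investigator flags.
func Findings(events []Event, threshold int) []string {
	failures := map[string]int{}
	var out []string
	for _, ev := range events { // chronological order matters here
		if ev.Result == "Failed" {
			failures[ev.Src]++
		} else if failures[ev.Src] >= threshold {
			out = append(out, ev.Src)
			failures[ev.Src] = 0 // report each burst once
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	recorded := EvidenceHash(SampleLog)
	events, unparsed := BuildTimeline(SampleLog)
	for _, ev := range events {
		fmt.Printf("%s %s %-8s user=%-6s src=%s\n", ev.Time.Format(time.RFC3339), ev.Host, ev.Result, ev.User, ev.Src)
	}
	fmt.Println("unparsed lines:", len(unparsed), " suspicious sources:", Findings(events, 3))
	fmt.Println("evidence unchanged after analysis:", VerifyEvidence(SampleLog, recorded))
}
```

In practice the recorded hash goes into the chain-of-custody record together with who acquired the data, when and with what tool, and the analysis is run on a copy while the original stays write-protected.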

Some Tools used for Investigation:
 Tools for Laptop or PC:
 COFEE – A suite of tools for Windows developed by Microsoft.
 The Coroner's Toolkit – A suite of programs for Unix analysis.
 The Sleuth Kit – A library of tools for both Unix and Windows.
 Tools for Memory:
 Volatility
 WindowsSCOPE
 Tools for Mobile Devices:
 Micro Systemation XRY/XACT

Applications:
 Intellectual Property theft
 Industrial espionage
 Employment disputes
 Fraud investigations
 Misuse of the Internet and email in the workplace
 Forgeries related matters
 Bankruptcy investigations
 Issues concerned the regulatory compliance
Advantages of Computer Forensics:
 It produces evidence for the court, which can lead to the punishment of the culprit.
 It helps companies gather important information when their computer systems or
networks may have been compromised.
 It efficiently tracks down cyber criminals anywhere in the world.
 It helps to protect the organization's money and valuable time.
 It allows factual evidence to be extracted, processed and interpreted, so that the
cybercriminal's actions can be proved in court.
Disadvantages of Computer Forensics:
 Before digital evidence is accepted in court it must be proved that it has
not been tampered with.
 Producing and keeping electronic records safe is expensive.
 Legal practitioners must have extensive computer knowledge.
 Authentic and convincing evidence must be produced.
 If the tool used for digital forensics does not meet the specified standards,
the evidence can be rejected by the court.
 A lack of technical knowledge on the part of the investigating officer might not
deliver the desired result.

WHY SHOULD WE REPORT CYBER CRIME?

 It provides a way for organizations and businesses to document, respond to and
learn from a cyber attack.
 Some companies do not report a cyber crime incident because they fear it
will harm their reputation amongst their shareholders.
 Some data are very sensitive, and their disclosure may impact the business
negatively.
 Depending on the scope of a cyber crime, it should be reported to the
nearest cyber cell of your locality, the state cyber cell, central investigating agencies
such as the CBI or IB, or international bodies such as Interpol.
Some of the addresses of the cyber coordinating units are:

COUNTER CYBER SECURITY INITIATIVES IN INDIA

INTRODUCTION
 Cyber Surakshit Bharat Initiative: this initiative was launched to raise awareness
about cyber crimes and create safety measures for Chief Information Security
Officers (CISOs) and frontline IT staff across all government departments.
 Platform for Joint Cyber Crime Investigation Team.
 The National Cyber Coordination Centre (NCCC) is an operational cybersecurity
and e-surveillance agency in India. It is intended to screen communication
metadata and coordinate the intelligence gathering activities of other agencies.
 India's National Cyber Security Policy was established in 2013 to create a secure
and resilient cyberspace.

 With the growth of the internet, dependence on computers has increased
exponentially.
 The challenge is to protect critical information infrastructure, such as the civil
aviation sector, the Railways' passenger reservation system and communication
network, port management, companies and organizations in the power, oil and
natural gas sectors, banking and finance, the telecom sector, etc. from cyber attacks.
COUNTER CYBER SECURITY INITIATIVES IN INDIA
Initiatives taken by the Indian Government on Cyber Security
 The Indian Computer Emergency Response Team (CERT-In).
 Cyber Surakshit Bharat.
 National Critical Information Infrastructure Protection Centre (NCIIPC).
 Appointment of Chief Information Security Officers.
 Personal Data Protection Bill.
To counter cyber security attacks, the Government of India has taken some initiatives,
which are listed below:
1. National Counter Terrorism Center (NCTC): after the 26/11 attack in 2008, the
Indian government suddenly realized the importance of counter-terrorism initiatives
and proposed the National Counter Terrorism Center (NCTC) to provide intelligence
inputs to decision makers for planning counter-terrorist activities.
 The NCTC is supposed to coordinate between various State and Central
govt. agencies and serve as a single and effective point of control and
coordination of all counter-terrorism measures.
 It is modeled on the American NCTC and Britain's Joint Terrorism
Analysis Centre and will derive its powers from the Unlawful Activities
Prevention Act, 1967 (Mrunal, 2012).
2. National Information Security Assurance Programme (NISAP): to create
awareness among people in the government and in critical-sector organizations,
CERT-In has taken an initiative called the National Information Security Assurance
Programme (NISAP), to develop and implement information security policy and
information security best practices based on ISO/IEC 27001 for the protection of their
infrastructure.
 CERT-In has established a computer forensics facility for the investigation of
cyber crimes and to provide hands-on training to law enforcement agencies
and the judiciary.
 CERT-In is cooperating with defence, banks, the judiciary and law enforcement
agencies in training their officials as well as extending support in the
investigation of cyber crimes.
3. Computer Emergency Response Team-India (CERT-In): the Indian Computer
Emergency Response Team was created in 2004 by the Department of Information
Technology.
 The purpose of creating CERT-In was to respond to computer security
incidents, report on vulnerabilities and promote effective IT security practices
throughout the country; it is also responsible for overseeing the administration
of the IT Act (CERT-In, 2014).
4. Indo-US Cyber Security Forum (IUSCSF): the India-US Cyber Security Forum was
established in 2001 and is dedicated to protecting the critical infrastructure of the
knowledge-based economy.
 The Forum's members, government and private-sector organizations from
both India and the United States working under its auspices, have identified
risks and common concerns in cyber security and crafted an action-oriented
work plan on securing networked information systems.
 The Forum focuses on cyber-security, cyber-forensics and related research,
and works towards enhancing cooperation among law enforcement agencies
on both sides in dealing with cyber crime.
 India Information Sharing and Analysis Centre (ISAC) and India Anti-Bot
Alliance ('bot' refers to software that can be tasked to invade computers and
undertake malicious activities remotely on behalf of hackers) (Press
Information Bureau, 2006).
5. National Critical Information Infrastructure Protection Centre (NCIIPC) of India: it is
declared the nodal agency for the protection of the critical information infrastructure of
India and is responsible for all measures, including R&D, for the protection of critical
information infrastructure. Some of the activities that NCIIPC performs are (Chander,
2013):

a. Identification of critical sub-sectors
b. Study of the information infrastructure of identified critical sub-sectors
c. Issue of daily / monthly cyber alerts / advisories
d. Malware analysis
e. Tracking zombies and malware-spreading IPs
f. Cyber forensics activities
g. Research and development for a smart and secure environment
h. Facilitating CII owners in the adoption of appropriate policies, standards and best
practices for the protection of CII
i. Annual CISO conference for critical sectors
j. Awareness and training
k. 24x7 operation and helpdesk

6. National Intelligence Grid (Natgrid) project of India: it is the integrated intelligence
grid developed by C-DAC Pune connecting the databases of the core security agencies
of the Government of India.
 It is a counter-terrorism measure that collects and collates a host of
information from government databases, including tax and bank account
details, credit card transactions, visa and immigration records and
itineraries of rail and air travel.
 This combined data will be made available to 11 central agencies, which
are: Research and Analysis Wing, the Intelligence Bureau, Central Bureau
of Investigation, Financial Intelligence Unit, Central Board of Direct Taxes,
Directorate of Revenue Intelligence, Enforcement Directorate, Narcotics
Control Bureau, Central Board of Excise and Customs and the Directorate
General of Central Excise Intelligence.
7. Crime and Criminal Tracking Networks and Systems (CCTNS) project of
India: it is a project under the National e-Governance Plan (NeGP) covering all 28
States and 7 UTs, which aims at the creation of a nation-wide networking
infrastructure for the evolution of an IT-enabled, sophisticated tracking system
around investigation of crime and detection of criminals.
 The goals of the CCTNS are to facilitate the collection, storage, retrieval,
analysis, transfer and sharing of data and information at the police
station, and between the police station and the State Headquarters and
the Central Police Organizations.
 CCTNS would provide a comprehensive database of crimes and
criminals, and it would be easier for law enforcement agencies to
track down a criminal moving from one place to another.

8. National Cyber Coordination Centre (NCCC): the National Cyber Coordination
Centre is a proposed cyber security and e-surveillance agency in India.
 It is intended to screen communication metadata and coordinate the
intelligence gathering activities of other agencies.
 Some of the components of the NCCC include a cyber attack prevention
strategy, cyber attack investigations and training, etc.
9. Botnet Cleaning Center: as part of the Digital India programme, the
Government is setting up a centre that will detect malicious programs such as
'botnets' and help people remove such harmful software from their devices.
10. E-mail policy of the Government of India: at the present date, e-mail is considered
to be the major means of communication between individuals and
organizations alike.
 The same applies to the Government of India (GOI). E-mail has become the
major mode of communication for the entire government.
11. Ministry of Home Affairs (MHA): the Ministry of Home Affairs (MHA) is a
ministry of the Government of India.
 An interior ministry, it is mainly responsible for the maintenance of
internal security and domestic policy.
 Readers are advised to read the annual report of the Ministry of Home
Affairs.
12. National Crime Records Bureau (NCRB): the NCRB shall endeavour to empower
the Indian Police with information technology and criminal intelligence to enable
them to enforce the law effectively and efficiently and improve public service
delivery.
 This shall be achieved through coordination with police forces at the
national and international level, upgrading of crime analysis technology, and
development of IT capability and IT-enabled solutions.
13. Data Security Council of India (DSCI): the Data Security Council of India (DSCI) is
a premier industry body on data protection in India, set up by NASSCOM and
committed to making cyberspace safe, secure and trusted by establishing
best practices, standards and initiatives in cyber security and privacy.
 DSCI brings together national governments and their agencies, industry
sectors including IT-BPM, BFSI and Telecom, industry associations, data
protection authorities and think tanks for public advocacy, thought
leadership, capacity building and outreach initiatives.
 DSCI also endeavours to increase India's share in the global security
product and services market through global trade development
initiatives. These aim to strengthen the security and privacy culture in
India.

GENERATING SECURE PASSWORD
 Choosing the right password is something that many people find difficult;
there are so many things that require passwords these days that
remembering them all can be a real problem.
 Perhaps because of this, a lot of people choose their passwords very badly.
The simple tips below are intended to assist you in choosing a good
password.
Basics:
Use at least eight characters; the more characters the better really, but most
people will find anything more than about 15 characters difficult to remember.
Use a random mixture of characters: upper and lower case, numbers,
punctuation, spaces and symbols.
Don't use a word found in a dictionary, English or foreign.
Never use the same password twice.

Things to avoid:
Don't just add a single digit or symbol before or after a word, e.g. "apple1".
Don't double up a single word, e.g. "appleapple".
Don't simply reverse a word, e.g. "elppa".
Don't just remove the vowels, e.g. "ppl".
Don't use key sequences that can easily be repeated, e.g. "qwerty", "asdf", etc.
Don't just garble letters, e.g. converting e to 3, l or i to 1, o to 0, as in "z3r0-10v3".

Tips:
Choose a password that you can remember, so that you don't need to keep
looking it up; this reduces the chance of somebody discovering where you have
written it down.
Choose a password that you can type quickly; this reduces the chance of
somebody discovering your password by looking over your shoulder.
Bad Passwords:
 Don't use passwords based on personal information such as: name, nickname,
birthdate, wife's name, pet's name, friend's name, home town, phone number,
social security number, car registration number, address, etc. This includes using
just part of your name, or part of your birthdate.

Don't use passwords based on things located near you. Passwords such as
"computer", "monitor", "keyboard", "telephone", "printer", etc. are useless.

Don't ever be tempted to use one of those oh-so-common passwords that are easy
to remember but offer no security at all, e.g. "password", "letmein".

Never use a password based on your username, account name, computer name or
email address.
Choosing a password:
Use good password generator software.
Use the first letter of each word from a line of a song or poem.
Alternate between one consonant and one or two vowels to produce nonsense
words, e.g. "taupouti".
Choose two short words and concatenate them with a punctuation or
symbol character between the words, e.g. "seat%tree".
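The rules in "Basics", "Things to avoid" and "Bad Passwords", as an added Go example that is not from the original notes: a checker that reports which rules a candidate password breaks. It implements the length rule, a character-mix rule (taken as the "at least three character sets" figure from the password-manager section below), the username rule, keyboard runs, and each of the cheap word transformations the notes list (one added character, doubling, reversal, vowel removal and look-alike substitution such as "z3r0-10v3"). The dictionary is a constructed handful of words; a real checker would load a full word list.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Constructed mini-dictionary; a real checker would load a full word list.
var dictionary = map[string]bool{"apple": true, "zero": true, "love": true, "password": true,
	"letmein": true, "computer": true, "keyboard": true, "christine": true}

// Keyboard runs, after the notes' "qwerty" and "asdf" advice.
var keyboardRuns = []string{"qwerty", "asdf", "zxcv", "1234"}

// Undo the look-alike substitutions people use to "garble" a word (z3r0-10v3).
var unLeet = strings.NewReplacer("0", "o", "1", "l", "3", "e", "4", "a", "5", "s", "7", "t", "@", "a", "$", "s")

// Drop vowels, so "apple" becomes "ppl".
var noVowels = strings.NewReplacer("a", "", "e", "", "i", "", "o", "", "u", "")

func reverse(s string) string {
	r := []rune(s)
	for i, j := 0, len(r)-1; i < j; i, j = i+1, j-1 {
		r[i], r[j] = r[j], r[i]
	}
	return string(r)
}

// charClasses counts how many of upper, lower, digit and other are present.
func charClasses(s string) int {
	classes := []func(rune) bool{unicode.IsUpper, unicode.IsLower, unicode.IsDigit,
		func(r rune) bool { return !unicode.IsLetter(r) && !unicode.IsDigit(r) }}
	n := 0
	for _, isClass := range classes {
		if strings.IndexFunc(s, isClass) >= 0 {
			n++
		}
	}
	return n
}

// trivialVariant reports whether s (lower-cased) is a dictionary word or one
// of the cheap transformations the notes list: one extra character before or
// after a word, a doubled word, a reversed word, or a word minus its vowels.
func trivialVariant(s string) bool {
	h := len(s) / 2
	if dictionary[s] || dictionary[reverse(s)] ||
		(len(s)%2 == 0 && s[:h] == s[h:] && dictionary[s[:h]]) ||
		(len(s) > 1 && (dictionary[s[1:]] || dictionary[s[:len(s)-1]])) {
		return true
	}
	for w := range dictionary {
		if noVowels.Replace(w) == s {
			return true
		}
	}
	return false
}

// garbledWords reports whether, once look-alike symbols are undone, the
// password consists only of dictionary words separated by punctuation.
func garbledWords(s string) bool {
	parts := strings.FieldsFunc(unLeet.Replace(s), func(r rune) bool { return !unicode.IsLetter(r) })
	for _, p := range parts {
		if !dictionary[p] {
			return false
		}
	}
	return len(parts) > 0
}

// Check returns the rules the password breaks; an empty list means it passes.
func Check(password, username string) []string {
	var issues []string
	add := func(bad bool, why string) {
		if bad {
			issues = append(issues, why)
		}
	}
	low := strings.ToLower(password)
	add(len([]rune(password)) < 8, "shorter than 8 characters")
	add(charClasses(password) < 3, "fewer than three character classes")
	add(username != "" && strings.Contains(low, strings.ToLower(username)), "contains the username")
	for _, run := range keyboardRuns {
		add(strings.Contains(low, run), "contains keyboard sequence "+run)
	}
	add(trivialVariant(low), "dictionary word or a trivial variation of one")
	add(garbledWords(low), "dictionary words with look-alike substitutions")
	return issues
}

func main() {
	for _, p := range []string{"apple1", "appleapple", "elppa", "ppl", "z3r0-10v3", "fred8", "mItWdOtW4Me"} {
		fmt.Printf("%-12s %v\n", p, Check(p, "fred"))
	}
}
```

The notes' good example "mItWdOtW4Me" passes every rule here while each of the "things to avoid" examples fails at least one; the checker is only as good as its word list, which is why real password checkers ship with lists of millions of leaked passwords rather than a dictionary of eight words.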
Changing your password:
You should change your password regularly; I suggest once a month is
reasonable for most purposes.
You should also change your password whenever you suspect that somebody
knows it, or even that they may guess it; perhaps they stood behind you while you
typed it in.
Remember, don't re-use a password.

Protecting your password:
Never store your password on your computer except in an encrypted form.
Don't tell anyone your password, not even your system administrator.
Never send your password via email or another unsecured channel.
Yes, write your password down, but don't leave the paper lying around; lock the
paper away somewhere, preferably off-site and definitely under lock and key.
Be very careful when entering your password with somebody else in the same
room.
Remembering your password:
 Remembering passwords is always difficult, and because of this many people are
tempted to write them down on bits of paper.
Use a secure password manager; see the downloads page for a list of a few that
won't cost you anything.
Use a text file encrypted with a strong encryption utility.
Choose passwords that you find easier to remember.

Bad Examples:
"fred8" - Based on the user's name; also too short.
"christine" - The name of the user's girlfriend; easy to guess.

Good Examples:
 None of these good examples are actually good passwords; that's because
they've been published here and everybody knows them now. Always choose your
own password; don't just use somebody else's.
"mItWdOtW4Me" - Monday is the worst day of the week for me.

How would a potential hacker get hold of my password anyway?
There are four main techniques hackers can use to get hold of your password:
a. Steal it.
b. Guess it.
c. A brute force attack.
d. A dictionary attack.

USING PASSWORD MANAGER


 A password manager is a software application designed to store and manages
online credentials.
 Usually, these passwords are stored in an encrypted database and locked behind
a master password.
 passwords are meant to keep the files and data secret and safe so it is prevented
the unauthorized access, password management refers to the practices and set
of rules or principles or standards that out must follow or at least try to seek help
from in order to be a good/strong password and along with its storage and
management for the future requirements.
Methods to Manage Passwords:
 There are a lot of good practices that we can follow to generate a strong password,
and also ways to manage them.
 Strong and long passwords: A minimum length of 8 to 12 characters; it should also
contain at least three different character sets (e.g., uppercase characters,
lowercase characters, numbers, or symbols).
 Password Encryption: Using irreversible end-to-end encryption is recommended.
In this way, the password remains safe even if it ends up in the hands of
cybercriminals.
 Multi-factor Authentication (MFA): Adding some security questions and a phone
number that would be used to confirm that it is indeed you who is trying to log in
will enhance the security of your password.
 Make the password pass the test: Yes, put your password through some testing
tools that you might find online in order to ensure that it falls under the strong
and safe password category.
 Avoid updating passwords frequently: Though it is advised or even made mandatory to
update or change your password as frequently as every 60 or 90 days
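A small checker that applies the rules above (minimum length, at least three character sets, and not based on personal information such as the "fred8" and "christine" examples) and also reports the brute-force search space implied by a password's length and alphabet. This is an added example for this section, not code from the original notes; the 8-character minimum and three-class rule come from the text, while the personal-word list and the bit-count reporting are constructed for the illustration.

```python
"""Password policy check for the rules given in these notes (added example)."""
import math
import string

# Thresholds stated in the notes: minimum length and number of distinct character classes.
MIN_LENGTH = 8
MIN_CLASSES = 3

CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def character_classes(password):
    """Return the set of character-class names that appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def contains_personal_word(password, personal_words):
    """True if any known personal word (a name, a pet, ...) is a substring, ignoring case."""
    lowered = password.lower()
    return any(w.lower() in lowered for w in personal_words if w)


def search_space_bits(password):
    """log2 of the brute-force search space implied by the length and the classes used."""
    alphabet = sum(len(CLASSES[c]) for c in character_classes(password))
    if alphabet == 0 or not password:
        return 0.0
    return len(password) * math.log2(alphabet)


def check_password(password, personal_words=()):
    """Evaluate a password against the rules; returns a dict of findings."""
    classes = character_classes(password)
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if len(classes) < MIN_CLASSES:
        problems.append("fewer than %d character classes" % MIN_CLASSES)
    if contains_personal_word(password, personal_words):
        problems.append("based on personal information")
    return {
        "length": len(password),
        "classes": sorted(classes),
        "search_space_bits": round(search_space_bits(password), 1),
        "problems": problems,
        "acceptable": not problems,
    }


if __name__ == "__main__":
    # Constructed inputs: the bad and good examples given in the notes.
    for pw in ("fred8", "christine", "mItWdOtW4Me"):
        print(pw, check_password(pw, personal_words=["fred", "christine"]))
```

The search-space figure is only a ceiling: a password built from dictionary words or a name has far fewer realistic guesses than its alphabet size suggests, which is why the personal-word check is applied separately rather than folded into the bit count.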
 We use passwords to ensure the security and confidentiality of our data. One of
the biggest modern-day crimes is identity theft, which is easily accomplished
when passwords are compromised.
 A good password is hard to remember, and that's where a password manager comes in.
 It encrypts all the different passwords that are saved with a master password,
the only one you have to remember.
What is a password manager?
 A password manager is software that helps a user to manage passwords and
important information so that it can be accessed any time and anywhere.
 An excellent password manager helps to store information securely without
compromising safety.
Why should you use it?
 If you find it hard to remember passwords for every website and don't want to go
through the 'Forgot password?' routine every now and then, then a password manager is
what you are looking for. These are designed to store all kinds of critical login
information related to different websites.
How does it work?
 Password managers may be stored online or locally.
 Online password managers store information in an online cloud, which can be
accessed any time from anywhere.
 Local password managers store information on the local server, which makes
them less accessible.
 Both have their own advantages, and the manager you use would depend on your
need.
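The "encrypted database locked behind a master password" described above, as an added example rather than code from any of the products named in this section: the master password is stretched with PBKDF2, the serialised entries are encrypted, and an HMAC tag over the result is checked before anything is decrypted, so a wrong master password or a tampered file is rejected instead of producing garbage. Real managers use AES-256 or Twofish, as the text says; because Python's standard library has no AES, a counter-mode keystream from HMAC-SHA256 stands in for it here. The iteration count, salt and nonce sizes are assumptions.

```python
"""Toy password vault locked behind a master password (added example)."""
import hashlib
import hmac
import json
import os

# Parameters are assumptions for this example, not values from any real product.
PBKDF2_ITERATIONS = 200_000
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password, salt):
    """PBKDF2-HMAC-SHA256 turns the master password into two independent 32-byte keys:
    one for the keystream and one for the integrity tag."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR; hashlib has no AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def lock_vault(entries, master_password):
    """Serialise the entries, encrypt under a fresh salt and nonce, then append an HMAC tag
    (encrypt-then-MAC). Returns the bytes that would be written to the vault file."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def unlock_vault(blob, master_password):
    """Verify the tag before decrypting. A wrong master password or a modified file
    produces a different tag and raises ValueError; nothing is decrypted in that case."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or corrupted vault")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode())


if __name__ == "__main__":
    # Constructed sample entries; the master password is the only secret the user keeps.
    vault = lock_vault({"example.com": {"user": "alice", "password": "mItWdOtW4Me"}}, "correct horse")
    print(unlock_vault(vault, "correct horse"))
```

Two design points carry over to the real products: the salt is stored with the vault so the same master password yields a different key for every vault, and the integrity check runs before decryption so the vault cannot be silently altered on disk.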
Some popular password managers:
 The passwords are saved using different encryption schemes depending on the
service that the company provides.
 The best password managers use 256-bit (or stronger) encryption for better
security, which has been accepted by the US National Security Agency for
top secret information handling.
 If you have considered using a password manager and haven't decided on one,
this section features the top five.
1. KeePassX: KeePassX is an open source, cross-platform and lightweight
password management application published under the terms of the GNU
General Public License.
 KeePassX stores information about user names, passwords and
other login information in a secure database.
Features
 Simple user interface: The left pane tree structure makes it easy to distinguish
between different groups and entries, while the right pane shows more detailed
information.
 Portable media access: Its portability makes it easy to use since there's no need
to install it on every computer.
 Search function: Searches in the complete database or in every group.
 Auto fill: There's no need to type in the login credentials; the application does it
whenever the Web page is loaded. This keeps it secure from key loggers.
 Password generator: This feature helps to generate strong passwords that make
dictionary attacks difficult. It can be customized.
 Two factor authentication: It enables the user to either unlock the database by a
master password or by a key from a removable drive.
 Adds attachments: Any type of confidential document can be added to the
database as an attachment, which allows users to secure not just passwords.
 Cross-platform support: It works on all supported platforms. KeePassX is an
open source application, so its source code can be compiled and used for any
operating system.
 Security: The password database is encrypted with either the AES encryption or
the Twofish algorithm, which uses 256-bit key encryption.
 Expiration date: The entries can be expired, based on a user defined date.
 Import and export of entries: Entries from PwManager or KWallet can be
imported, and entries can be exported as text files.
 Multi-language support: It supports 15 languages.

2. Clipperz: Clipperz is a Web-based, open source password manager built to store login
information securely.
 Data can be accessed from anywhere and from any device without any
installation. Clipperz also includes an offline version for when an Internet
connection is not available.
Features
 Direct login: Automatically logs in to any website without typing login credentials,
with just one click.
 Offline data: With one click, an encrypted local copy of the data can be created
as an HTML page.
 No installation: Since it's a Web-based application, it doesn't require any
installation and can be accessed from any compatible browser.
 Data import: Login data can be imported from different supported password
managers.
 Security: The database is encrypted using JavaScript code in the browser and
then sent to the website. It requires a passphrase to decrypt the database,
without which data cannot be accessed.
 Support: Works on any operating system with a major browser that has
JavaScript enabled.
3. Password Gorilla: Password Gorilla is an open source, cross-platform, simple
password manager and personal vault that can store login information and notes.
Features
 Portable: Designed to run on a compatible computer without being installed.
 Import of database: Can import a password database saved in CSV format.
 Locks the database when idle: It automatically locks the database when the
computer is idle for a specific period of time.
 Security: It uses the Twofish algorithm to encrypt the database.
 Can copy credentials: Keyboard shortcuts can be used to copy login credentials
to the clipboard.
 Auto clear: This feature clears the clipboard after a specified time.
 Organises groups: Groups and sub-groups can be created to organise
passwords for different websites.
4. Gpassword Manager: Gpassword Manager is a simple, lightweight and cross-platform
utility for managing and accessing passwords. It is published under the terms
of the Apache License.

5. Password Safe: Password Safe is a simple and free open source application initiated
by Bruce Schneier and released in 2002. Password Safe is now hosted on SourceForge
and developed by a group of volunteers.
Features
 Ease of use: The GUI is very simple, enabling even a beginner to use it.
 Multiple databases: It supports multiple databases, and different
databases can be created for each category.
 Safe decryption: The decryption of the password database is done in
RAM, which leaves no trace of the login details on the hard drive.
 Password generator: Supports the generation of strong, lengthy
passwords.
 Advanced search: The advanced search function allows users to search
within the different fields.
 Security: Uses the Twofish algorithm to encrypt the database.


The Best Password Managers of 2024:
 Norton Password Manager: Best overall.
 NordPass: Best for businesses.
 Dashlane: Best for reliability.
 Bitwarden: Best open-source manager.
 1Password: Best for securing company secrets.
 KeePass: Best for programmers.
 Keeper: Best for scalability.
 LastPass: Best for a single-user account.

ENABLING TWO-STEP VERIFICATION


 Personal information is compromised, passwords are cracked, and lives are put
in jeopardy.
 If you ever use one password for multiple accounts, you are exponentially
increasing your vulnerability to being hacked.
 Thankfully, Google has launched its 2-step verification system: anytime an
unknown device is used to sign into your Google account, the user has to provide
a verification code in addition to the password.
 So it's not enough for hackers to just get your password; they'll also need
physical control of your phone or computer to access your account.
Step 1: Sign into your Gmail account. Click on a thumbnail of your avatar on the right
side of the top menu bar, and then click "Account" to update your settings.
Step 2: You will land on your Account Settings page. Scroll down until you find a blue
bar that says "signing in".
Step 3: In the 2-step verification section, you'll see if you already have 2-step
verification turned on. If it says "OFF," click "Edit" to set the feature up.
Step 4: You'll see a page that briefly walks through the steps of setting up 2-step
verification. Hover over the steps for more detail. Once you're ready, click "Start
setup."
Step 5: Type in your cell phone number. This will be the phone associated with your
Google account. Anytime you sign into your Google account from an unknown
device (e.g., a public computer), Google will send a verification code to your phone
and you will need to enter that before you can sign in.
Step 6: Select whether you'd like to receive a text message or Google Voice call with
your verification code. Press submit. Then wait for the code to arrive to your phone
and enter it in.
Step 7: Decide whether to trust this device. If you are turning on 2-step verification
from a personal computer or trusted device, check the "trust this device" box. You
will only be asked to enter a verification code when you sign into this account once
per 30 days.
Step 8: Press OK, and you have just set up 2-step verification for your Google
account! Skip any additional steps that seem unfamiliar or confusing for now -- we
will address all of them in successive sections of this article.
Step 9: Print a list of backup verification codes and store it in a secure but
accessible place, like your wallet. If you ever need to sign into your Google account
but don't have your primary phone with you, you can enter one of these codes
instead.

 Go to your 2-step verification settings page.
 Under "How to receive codes," click on the "Show backup codes" link. Print this
page.
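The backup codes in Step 9 are one-time credentials: each one can be used once in place of the phone. The following added example (not Google's code; the 8-digit format, the count of ten and the storage layout are assumptions) shows the server-side handling such codes need: generate them from a cryptographic random source, store only their hashes, compare in constant time, and delete a code the moment it is redeemed so it cannot be replayed.

```python
"""Issue and redeem one-time backup verification codes (added example)."""
import hashlib
import hmac
import secrets

CODE_DIGITS = 8   # assumption: constructed 8-digit code format
CODE_COUNT = 10   # assumption: ten codes issued per user


def hash_code(code):
    """Codes are stored hashed, so a copied database does not yield usable codes."""
    return hashlib.sha256(code.encode()).hexdigest()


def normalise(submitted):
    """Accept codes typed with internal spaces or surrounding whitespace."""
    return submitted.strip().replace(" ", "")


def issue_backup_codes(count=CODE_COUNT):
    """Return (plaintext codes to show the user once, set of hashes to store)."""
    codes = set()
    while len(codes) < count:                      # loop guards against duplicates
        codes.add("%0*d" % (CODE_DIGITS, secrets.randbelow(10 ** CODE_DIGITS)))
    codes = sorted(codes)
    return codes, {hash_code(c) for c in codes}


def redeem_backup_code(stored_hashes, submitted):
    """True if the code is valid and unused; the matching hash is removed so the
    same code is refused a second time."""
    digest = hash_code(normalise(submitted))
    for stored in stored_hashes:
        if hmac.compare_digest(stored, digest):
            stored_hashes.discard(stored)
            return True
    return False


if __name__ == "__main__":
    printed, stored = issue_backup_codes()
    print("store this list safely:", printed)
    print(redeem_backup_code(stored, printed[0]))   # True the first time
    print(redeem_backup_code(stored, printed[0]))   # False: already used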

Method 1 of 2: Application-Specific Passwords:


Step 1: Understand the need for application-specific passwords.
Step 2: Generate application-specific passwords for your devices.
Step 3: At the top of the page, you will see a list of sites, applications and devices
to which you have granted some level of access to your account.
Step 4: Scroll down to the field at the bottom for entering the name of a device.
Enter in something that will help you remember what this application-specific
password
Step 5: Open up the application. Go to the settings page where you enter in your
Google Account information.

Step 6: Click "Done" on your web browser once you have successfully entered the
application-specific password.
Step 7: Know how to revoke an app's access to your Gmail account. If you don't
want to use an app anymore, or you lost your phone and want to stop anyone
who has it from accessing your Gmail, simply click on the "Revoke" button in your
application-specific password settings page.
Step 8: Create new application-specific passwords for each application that you
connect your Google Account to!

Method 2 of 2: If You Lose Your Phone:


Step 1: Revoke your current application-specific passwords.
Step 2: Change your Gmail password.
Step 3: Add a backup phone number if you have a second mobile device.
Step 4: If you don't have a backup phone,
Step 5: If you get a new phone and change your phone number, be sure to revoke
access for your previous number on the 2-step verification settings page.

SECURING COMPUTER USING FREE ANTIVIRUS


As computers become more and more integrated into our lives, we end up
leaving a lot of sensitive data on our computers: passwords, official email IDs, bank
account details, personal notes, business plans and other confidential information.
 Avast Antivirus – Avast is one of the best free anti-virus packages available
and provides complete protection against security threats. This full-featured
antivirus package has the following features: built-in anti-spyware,
anti-rootkit, web shield, strong self-protection, P2P and IM shield, anti-virus
kernel, resident protection, network shield, automatic update, system
integration, Windows 64-bit support and integrated virus cleaner. It
can be downloaded from https://www.avast.com/index
 AVG Antivirus – AVG Anti-Virus Free Edition provides basic antivirus and
anti-spyware protection for Windows. The following features are included in the
free edition: anti-virus, anti-spyware and the Safe Surf feature. It can be
downloaded from http://free.avg.com/
 Avira AntiVir Personal - Avira is a comprehensive, easy to use antivirus
program, designed to provide reliable virus protection free of charge to home
users. Features included are: protection from viruses, worms and Trojans,
anti-rootkit, anti-phishing and anti-dialer. It can be downloaded from
http://www.free-av.com/
 BitDefender - The Free Edition uses the same ICSA Labs certified scanning
engines found in the Pro version of BitDefender, allowing you to enjoy basic
virus protection at no cost at all. Features include: on-demand virus
scanner and remover, and scheduled scanning. It can be downloaded
from http://www.bitdefender.com/PRODUCT-14-en--BitDefender-Free-Edition.html
 Blink Personal – An all-in-one security suite with antivirus limited to one
year. Blink Personal Security Suite features: antivirus and anti-spyware,
anti-rootkit, built-in firewall protection and identity protection. It can be
downloaded from http://free-antivirus.eeye.com/
 ClamWin Antivirus – An open source, free antivirus program for Windows
98/Me/2000/XP/2003 and Vista. Features include high detection rates
for viruses and spyware, automatic downloads of the regularly updated virus
database, and a standalone virus scanner. It does not include an on-access real-time
scanner. It can be downloaded from http://www.clamwin.com/
 Comodo Antivirus - Has all the functionality of a paid AV without the price.
Features include: detects and removes viruses from computers and
networks; on-access scanning conducts real-time and scheduled virus scans;
host intrusion detection allows you to intercept viruses, spyware and
other malware before they infect your computer; updates of the latest
virus definitions every day so you can stay protected against the latest
threats. It can be downloaded from http://antivirus.comodo.com/
 Moon Secure Antivirus - Aims to be the best free antivirus for Windows
under the GPL license. It offers multiple scan engines, net shield, firewall, on-access
and on-exec scanners and rootkit prevention, plus features from
commercial antivirus applications. It can be downloaded from
http://sourceforge.net/projects/moonav/
 PC Tools Antivirus - With PC Tools AntiVirus Free Edition you are protected
against the most nefarious cyber-threats attempting to gain access to
your PC and personal information. It protects you from viruses, worms and Trojans
and has Smart Updates, IntelliGuard Protection, file guard and email guard.
It can be downloaded from http://www.pctools.com/free-antivirus/
 Rising Antivirus – Rising Antivirus Free Edition is a solution at no cost
to personal users for the life of the product, while still providing the same
level of detection and protection capability as RISING Antivirus. It protects
your computers against all types of viruses, Trojans, worms, rootkits and
other malicious programs. Ease of use and SmartUpdate technology make
it an "install and forget" product and let you focus on your own jobs
on your computer. It can be downloaded from http://www.freerav.com/
 ThreatFire Lite – Provides comprehensive protection against viruses,
worms, Trojans, spyware, rootkits, keyloggers and buffer overflows, and has
real-time behaviour-based malware detection, malware quarantine and
removal, etc. It can be downloaded from
http://www.threatfire.com/download

One Mark
1. In which of the following is a person constantly followed/chased by another person
or a group of several people?
a) Phishing b) Bullying c) Stalking d) Identity theft
2. _______ is a type of software designed to help the user's computer detect viruses and
avoid them.
a) Malware b) Adware c) Antivirus d) Both B and C
3. Which one of the following is a type of antivirus program?
a) Quick Heal b) McAfee c) Kaspersky d) All of the above
4. What is Cyber Security?
a) Cyber Security provides security against malware b) Cyber Security provides security
against cyber-terrorists c) Cyber Security protects a system from cyber attacks d) All of the
mentioned
5. What does cyber security protect?
a) Cyber security protects criminals b) Cyber security protects internet-connected
systems c) Cyber security protects hackers d) None of the mentioned
6. Who is the father of computer security?
a) August Kerckhoffs b) Bob Thomas c) Robert d) Charles
7. Which of the following is defined as an attempt to steal, spy, damage or destroy
computer systems, networks, or their associated information?
a) Cyber attack b) Computer security c) Cryptography d) Digital hacking
8. Which of the following is a type of cyber security?
a) Cloud Security b) Network Security c) Application Security d) All of the above
9. What are the features of cyber security?
a) Compliance b) Defense against internal threat c) Threat Prevention d) All of the above
10. Which of the following is an objective of network security?
a) Confidentiality b) Integrity c) Availability d) All of the above
11. Which of the following is not a cybercrime?
a) Denial of Service b) Man in the Middle c) Malware d) AES
12. Which of the following is a component of cyber security?
a) Internet Of Things b) AI c) Database d) Attacks
13. Which of the following is a type of cyber attack?
a) Phishing b) SQL Injections c) Password Attack d) All of the above
14. "Cyberspace" was coined by _________
a) Richard Stallman b) William Gibson c) Andrew Tannenbaum d) Scott Fahlman
15. In which year did hacking become a practical crime and a matter of concern in the field
of cyber technology?
a) 1991 b) 1983 c) 1970 d) 1964

5 & 10 Marks
1. Introduction to Cyber Crime.
2. Narrate the Classification of Cyber Crime.
3. Write about Malware and its Types.
4. Explain the Kinds of Cyber Crime.
5. Write about Authentication.
6. Explain Encryption.
7. Explicate the Digital Signature.
8. Write the Difference between Antivirus and Firewall.
9. Write about Steganography.
10. Write about the Computer Security initiatives in India.
11. Write about Password Managers.

************************ UNIT –I **********************


Unit – II
TIPS FOR BUYING ONLINE:
Online Shopping can be cheaper and more convenient for you and for businesses.
However, make sure you understand your rights and the risks before you shop online.
I. Pay securely: Don't make any payment unless:
 You are on a secure website, and
 You can make a secure payment.
This will protect you against fraud and unauthorized credit card transactions. A secure
website address will always:
 Begin with 'https://', not 'http://'
 Display the image of a closed padlock (usually in the bottom right corner of your
browser window).
Only make a payment if you can see both of these things. Never give out your bank
account details, credit card number or other personal details if you are not certain that
the business is a reputable trader.
II. Know the business: Only buy from websites you know and trust. Check that the
company has a physical street address and landline phone number. If the company
operates from overseas, you might have trouble getting a refund or repair.

III. Know the product: Make sure you check whether:


 The Product Is legal
 The product will work in Australia
 Any warranties or guarantees offered are valid in Australia
 The Product has an authorized repairer nearby.
IV. Check the contract: Make sure you read and understand:
 The terms and conditions of sale
 The refund policy
 The delivery details
 Returns and repairs policies, including any associated costs.
V. Check the full cost: Be aware of the full cost of your purchase. Additional costs may
include:
 Currency conversion
 Taxes
 Postage and delivery fees
 Packaging.
It might end up being cheaper to buy the product at a local shop.
VI. Protect your privacy: Only buy online if you are comfortable with the business's privacy
policy. Do not give out information unless they require it to complete the sale.
Remember, if a deal sounds too good to be true, it probably is.
VII. Keep records: Always write down any reference numbers and print out copies of:
 The order form (both before and after you confirm the order)
 Receipts (can come by email or in a pop-up window).
 Always make sure all charges are correct by checking the receipt against
your:
o Credit card statement
o Merchant account statement (such as PayPal)
o Bank statement.
VIII. Online auction sites: Most online auction sites (like eBay) offer a dispute resolution
process for buyers and sellers. This should be your first step to resolve a dispute if:
 You did not receive the items you bought
 You did not receive payment for items you sold
 You received items that were significantly different from their
description.
The eBay website has an example of this facility. The charges may be converted
from another currency.

CLEARING CACHE FOR BROWSERS


 The internet browser's cache stores certain information (snapshots) of web
pages you visit on your computer or mobile device so that they'll load more
quickly on future visits and, while navigating through websites that use the
same images on multiple pages, so that you do not download the same image
multiple times.
 Occasionally, however, your cache can prevent you from seeing updated content,
or cause functional problems when stored content conflicts with live content.
 We can fix many browser problems simply by clearing the cache. This article
contains instructions with screenshots on how to clear the cache for all major
browsers.
Clearing cache for Chrome Browsers above version 10:

Step 1: Open the settings on Chrome. Click the menu icon in the upper right corner
of the browser. Click "Settings" at the bottom of the menu.
Step 2: From settings, click "Show advanced settings". It's located at the very bottom
of the settings section.
Step 3: Scroll to the privacy section and click "Clear browsing data".
Step 4: Select "Cached images and files". Uncheck all other options to avoid deleting
browser history, cookies and other things you may wish to retain. Change "Obliterate
the following items from" to "the beginning of time".
Step 5: Press "Clear browsing data". You are done!

In Chrome:
1. On your computer, open Chrome.
2. At the top right, click More (the three-dot menu icon).
3. Click More tools > Clear browsing data.
4. At the top, choose a time range. To delete everything, select All time.
5. Next to "Cookies and other site data" and "Cached images and files," check the
boxes.
6. Click Clear data.
Clearing cache for Chrome Browsers from version 1 to 9:
Step 1: Once your browser is open, select the Tools menu (the wrench in the
upper-right corner) and select Options (Preferences on Mac).
Step 2: On the Under the Hood tab, click the Clear Browsing data button.
Step 3: Select the Empty the cache check-box.
Step 4: You can also choose the period of time you wish to delete cached
information using the Clear data from this period dropdown menu.
Step 5: Click the Clear Browsing Data button.
Clearing cache for Safari for iOS, iPhone and iPad:
Step 1: Click on Settings from the home page.
Step 2: Scroll down until you see "Safari." Click on it to bring up the option page.
Step 3: Click "Clear Cookies and Data". A popup box will appear. Click "Clear
Cookies and Data" again to confirm your choice.
Clearing cache for Safari for Mac OS X:
Step 1: Once your browser is open, click the Safari menu and select Empty Cache.
Step 2: Click Empty.
Clearing cache for Safari for windows:
Step 1: Once your browser is open, click the gear icon on the top right.
Step 2: Select "Reset Safari..." This will prompt a screen to open.
Step 3: Select "Remove all website data" at the very bottom of the prompt. Check
or uncheck any other categories you want reset.
Step 4: Click “Reset”.
Clearing cache for Internet explorer 9, 10 and 11:
Step 1: Once your browser is open, click the gear icon at the top right to open the
Settings menu. Then, select Safety and Delete Browsing History.
Step 2: Select Temporary Internet Files. You will also need to uncheck all of the
other boxes, especially Preserve Favorites website data. This option makes the
window also delete objects from websites in your Favorites folder, which is
necessary to completely clear your cache.
Step 3: Click the Delete button near the bottom of the window to perform the
operations (i.e. clear your cache by deleting temporary files).
Step 4: Your computer will work for a moment, and then the process will be
complete. You've successfully cleared Internet Explorer 9's Cache!
Clearing cache for Internet explorer 8:
Step 1: Once your browser is open, click the Tools menu.
Step 2: Click on Delete Browsing History.
Step 3: Select Temporary Internet Files.
Step 4: Click the Delete button near the bottom of the window to delete your
temporary files (i.e. clear your cache).
Step 5: Set your cache to delete every time you close Internet Explorer. If you
want the browser to automatically clear the cache whenever you close it, close
the 'Delete Browsing History' window, select 'Internet Options' from the Tools
menu, and check the 'Delete Browsing history on exit' checkbox.
Note: IE8 has a "feature" which retains some cookies even after you clear
your cache if you do not UNCHECK the "Preserve Favorites Website Data." If you
truly need to clear your cache, you will want to uncheck this!
Clearing cache for Firefox:
Step 1: On a PC, click the "Firefox" menu in the top left corner. Next, select the
right arrow next to "History >", and click "Clear Recent History".
Step 2: Make sure "Details" is expanded, then select "Cache" from the list.
Uncheck everything else.
Step 3: In the "Time Range to Clear" drop down, select "Everything".
Step 4: Select "Clear Now". Your computer will work for a moment, and the
process will be complete. You've successfully cleared Firefox's Cache!
Clearing cache for Firefox 33:
Step 1: Click the Menu button ("hamburger button" - the one with three horizontal
lines) and then choose Options.
Step 2: Firefox for Mac: On a Mac, choose Preferences from the Firefox menu
and then continue as instructed below. With the Options window now open, click
the Privacy tab. In the History area, click the clear your recent history link.
Step 3: If you wish to clear other kinds of stored data, feel free to check the
appropriate boxes. They will be cleared with the cache in the next step.
Clearing cache for opera:
Step 1: Once your browser is open, select the "Settings" menu and click "Delete
private data".
Step 2: Make sure the "Delete entire cache" box is checked. Make sure any
unwanted categories are left unchecked.
Step 3: Press “Delete”.
Clearing cache with Cleaner:
Cleaner - This is a computer maintenance tool that lets you scan and delete
browser cache and cookies. Launch it, go to the Cleaner tab and make sure to check
"Temporary internet files" for the browser you have.

WIRELESS LAN
 The Wireless LAN or WLAN is becoming a popular way to connect devices such
as computers these days.
 In offices and homes, WLAN has become an alternative means of communication
compared to wired LAN.
 The convenience of connecting different devices is both cost effective and easily
maintainable.
 Wikipedia says: "Wireless LANs have become popular in the home due to
ease of installation, and the increasing to offer wireless access to their
customers; often for free."
The other factors why WLANs are becoming more acceptable are:
1. No need to be connected physically with each other through any medium such
as cables. You can roam around freely in office premises, at home or around.
2. WLANs are cost effective. Cabling all the way through offices, hotels etc. is not
needed. So it's cheap and provides the same quality of service.
3. WLAN signals can reach spots where a cable is hardly accessible, such as big
installations like airports. Surfing outdoors is also convenient. Just install the
devices called Access Points (AP) and you are done.
4. Less interruption and easy troubleshooting in case of failures as compared to
cabled networks.
5. More secure, as most APs support the best encryption methods, which protect
them from sniffing and other attacks.

[A typical Wireless network]


MAJOR ISSUES WITH WLAN
 WLANs are as prone to various attacks as their wired LAN counterparts are.
Actually, WLANs are easier to attack than wired LANs if not properly configured,
because of their easy accessibility around the installation: there is no need to
be in contact with physical wires, so an attack can be carried out from anywhere
within range.
 Major attacks include Sniffing, Key cracking, DoS (Denial of
Service), De-authentication attacks, War driving etc.
Secure WLAN
Wireless security mainly depends on these 3 factors:
 How well your wireless network is secured in terms of the encryption
being used.
 Monitoring for suspicious and unusual activities.
 User awareness and education.
These are a combination of various approaches ranging from corporate to
home networks.
The three most common WLAN security threats include:
 denial of service attacks - where the intruder floods the network with messages
affecting the availability of the network resources
 spoofing and session hijacking - where the attacker gains access to network
data and resources by assuming the identity of a valid user
 eavesdropping - where unauthorized third parties intercept the data being
transmitted over the secure network
 To counter these threats, you should make every effort to configure your WLAN
correctly. You should also enable a range of security features, such as standard
authentication and encryption, alongside other access control mechanisms.
Basic WLAN security features:
 Early WLAN hardware used a number of basic security methods, including:
 Service Set Identifiers (SSIDs) - these prevent connection to access points unless
a device uses a given identifier correctly
 Media Access Control (MAC) - this involves using addresses attached to each
device to limit connection to access points
 Wired Equivalent Privacy (WEP) - WEP uses encryption keys so that only devices
with the correct key can communicate with access points
Wi-Fi at home:
 Using Wi-Fi at home is not a luxury anymore; it has become a necessity.
However, when the question of security comes into the picture, protecting a
home wireless network is altogether a different side of the coin as
compared to wired networks.
 Most wireless network device vendors and Internet Service Providers do not
provide any security settings by default.
Tips to secure WLAN :
1. Use the most secure encryption possible: The first and most necessary step: use
industry standard encryption.
 The old (however generally used) WEP (Wired Equivalent Privacy) has been known
to be broken. Even if you use complex passwords it can be broken and decrypted
within minutes or hours. WEP uses 40 bit or 128 bit RC4 ciphers to encrypt the
channel.
 Instead use secure protocols such as WPA2 (Wi-Fi Protected Access 2), which
uses strong 128 bit AES ciphers and is generally considered the most robust
encryption strategy available.
Attacks mitigated: WEP Key cracking, Sniffing, Capturing/Eavesdropping.
2. Use Firewall: All the wireless routers come with built-in firewalls. Enable them with all
the security features. You should block any anonymous ping requests and place
restrictions on website browsing, if required. Define additional security policies and
apply them.
Attacks mitigated: Fingerprinting, System compromise
3. Have a monitoring system in place: If you are able to detect some suspicious
activities before it penetrates your network, you can block them or take precautionary
measures. Deploy WIPS/WIDS for monitoring suspicious activities.
Attacks mitigated: Scanning, DoS
4. Don't use default credentials: Every wireless router comes with a set of default
usernames/passwords. Sometimes, people don't change them and keep using them for a
long time. Usernames and passwords are used by computers or other devices to connect
to the wireless router.
 If any hacker is able to guess them, he can connect to your network easily.
Studies show that the majority of users use the same combination of
username/password as set by the manufacturers. Some default username/password
combinations are: admin/admin, admin/password or admin.
Attacks mitigated: Unauthorized access, War driving
5. Disable the auto-connect feature: Some devices or computers/laptops have options
such as "Let this tool manage your wireless networks" or "Connect automatically to
available networks".
 Users having this auto-connect feature enabled are prone to Phishing
attacks or Rogue AP attacks.
 Attackers keep their APs alive and kicking for such unsuspecting users.
They also use luring names such as 'Hot Spot', 'Secure Connect', 'Govt Networks'
etc.
 The user will never suspect them and keep surfing the wireless network happily.
Also if you have not changed the default password of your router, the attacker
will try to use this feature on their machine and automatically connect using the
easily guessable default passwords.
Attacks mitigated: Phishing, Sniffing, Rogue AP association
6. Don’t use public Wi-Fi spots to surf sensitive websites: Free and open wireless
networks available on airports, cafes, railway stations are not very secure by nature.
 They do not use any encryption to secure the channel between your laptop to the
router.
 So any information which is not by default going on HTTPS from your
laptop/smart phone is susceptible to sniffing and even more your session could
be hijacked because the unencrypted channel may leak the active session ID
used by your website.
Attacks mitigated: Sniffing, Session Hijacking.
7. Change the default SSID: Although this will not prevent hackers breaking into a
network, using a default SSID acts as an indication that the user is careless.
Attacks mitigated: War driving.
8. Restrict access by assigning static IP addresses and MAC filtering: Disable
automatic IP assigning feature and use private static IPs to the legitimate
devices you want to connect. This will help you in blocking unwanted devices
from being connected to your network.
 Also, enable MAC filtering- router remembers MAC of each and every
device connected to it and saves it as list. We can use this facility to
restrict access.
 Only a set of trusted devices can be allowed to connect. However MAC
spoofing is still possible but it raises an extra bar for your wireless
network.
9. Turn off your router when not in use: Last but not least, a little obvious, but it will
save your network from all the attacks for that time period.
Wi-Fi in a Corporate/Enterprise Network:
Due to the nature of activity and criticality of information, it is very important that Corporate/Enterprise networks have a higher degree of security.
The following are good to have:
• Defining an adequate organization-wide Information Security policy and procedures for the wireless network.
• SSIDs should not be associated with the organization, AP vendor or any other related information which would be easy to guess or associate with the organization.
• Enable WPA2 Enterprise encryption with RADIUS authentication and use of an EAP protocol like EAP-TTLS, EAP-TLS etc.
• Implementation of PKI infrastructure: CA-signed certificates to authenticate the server to the client and vice versa.
• Filtering of clients based on a unique identifier like the MAC address.
• Isolated 'Guest' wireless network with no interface/connection to the corporate network.
• Limiting the radius of the Wi-Fi network by reducing the power output of the AP.
• Allocating IP addresses to employee and guest machines only after successful authentication.
• Periodically changing the keys and passwords.
• Use of VPN while accessing corporate information from a public Wi-Fi network.
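The home checklist (tips 1, 4, 7 and 8) and the corporate items on WPA2 Enterprise with RADIUS and organization-neutral SSIDs can be turned into an automated audit of an access point configuration. The Go program below is an added example, not part of the course notes; it assumes a hostapd-style key=value config (the key names are hostapd's; the sample configs, the default-value shortlists and the organization name "Acme" are constructed).

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one violation of the hardening tips and the attack it leaves open.
type Finding struct {
	Tip    string
	Attack string
}

// parseConfig reads hostapd-style "key=value" lines (assumed format),
// skipping blank lines and '#' comments.
func parseConfig(text string) map[string]string {
	cfg := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if k, v, ok := strings.Cut(line, "="); ok {
			cfg[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return cfg
}

// Constructed shortlists of factory values; a real audit loads fuller lists.
var defaultSSIDs = map[string]bool{"default": true, "linksys": true, "dlink": true, "NETGEAR": true}
var defaultPassphrases = map[string]bool{"admin": true, "password": true, "12345678": true}

// AuditAP checks one AP config. enterprise=true adds the corporate checks
// (802.1X/EAP via RADIUS, SSID unrelated to orgName). No findings means
// every tip checked here is followed.
func AuditAP(text string, enterprise bool, orgName string) []Finding {
	cfg := parseConfig(text)
	var out []Finding
	add := func(tip, attack string) { out = append(out, Finding{tip, attack}) }

	// Tip 1: WEP (wep_key0 set) or an open network (no wpa=) is broken or
	// unencrypted; require WPA2 (wpa=2) with the AES-CCMP pairwise cipher.
	if _, wep := cfg["wep_key0"]; wep || cfg["wpa"] == "" {
		add("use WPA2, not WEP or open", "WEP key cracking, sniffing, eavesdropping")
	} else if cfg["wpa"] != "2" || !strings.Contains(cfg["rsn_pairwise"], "CCMP") {
		add("use WPA2 with AES-CCMP only", "sniffing")
	}
	// Tip 4: a factory passphrase is the first thing tried.
	if defaultPassphrases[cfg["wpa_passphrase"]] {
		add("change default credentials", "unauthorized access, war driving")
	}
	// Tip 7: a default SSID advertises a careless owner.
	if defaultSSIDs[cfg["ssid"]] {
		add("change default SSID", "war driving")
	}
	// Tip 8: MAC filtering; hostapd macaddr_acl=1 is an accept list, 2 asks RADIUS.
	if cfg["macaddr_acl"] != "1" && cfg["macaddr_acl"] != "2" {
		add("enable MAC filtering", "unauthorized access")
	}
	if enterprise {
		// WPA2 Enterprise: EAP key management against a RADIUS server.
		if !strings.Contains(cfg["wpa_key_mgmt"], "WPA-EAP") || cfg["auth_server_addr"] == "" {
			add("use WPA2 Enterprise (EAP) with RADIUS", "shared-PSK leakage, unauthorized access")
		}
		// The SSID must not identify the organization.
		if orgName != "" && strings.Contains(strings.ToLower(cfg["ssid"]), strings.ToLower(orgName)) {
			add("SSID must not reveal the organization", "targeted war driving")
		}
	}
	return out
}

// Constructed sample configs: a weak home AP and a hardened corporate AP.
const WeakHomeAP = `interface=wlan0
ssid=linksys
wep_default_key=0
wep_key0=0102030405
macaddr_acl=0
`

const HardenedCorpAP = `interface=wlan0
ssid=wlan-site1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10
macaddr_acl=1
accept_mac_file=/etc/hostapd.accept
`

func main() {
	for _, f := range AuditAP(WeakHomeAP, false, "") {
		fmt.Printf("home AP: %s (exposes: %s)\n", f.Tip, f.Attack)
	}
	fmt.Printf("corporate AP: %d finding(s)\n", len(AuditAP(HardenedCorpAP, true, "Acme")))
}
```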
• Implementation of Wireless IDS. Wireless IDS is a new concept.
The key features of Wireless IDS are:
• Prevention against Rogue APs
• Detection and prevention against DoS attacks
• Assistance in locating the approximate physical location of the attacker
• Assistance in enforcing the Organization's Information Security policy on wireless networks
• Detection of use of scanning tools like Kismet and NetStumbler.
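Two of the Wireless IDS features listed (rogue AP detection, and detection of scanning tools like Kismet and NetStumbler) come down to checking what a monitoring sensor sees against an inventory. The Go program below is an added example, not part of the course notes or of any WIDS product; the inventory, beacon records, probe log and all MAC addresses are constructed, and the bait names are the ones tip 5 of the home section warns about.

```go
package main

import (
	"fmt"
	"strings"
)

// Beacon is what a monitoring sensor extracts from one beacon frame.
type Beacon struct {
	BSSID   string
	SSID    string
	Channel int
	Open    bool // true when no WPA2/RSN element is advertised
}

// ProbeRequest is one client probe seen by the sensor; SSID "" is a broadcast probe.
type ProbeRequest struct {
	Source string
	SSID   string
}

// Alert is one WIDS finding.
type Alert struct {
	Kind   string // "evil-twin", "luring-open-ap" or "scanner"
	Detail string
}

// luringNames are the bait SSID fragments the notes warn about (constructed list).
var luringNames = []string{"hot spot", "hotspot", "secure connect", "govt", "free wifi"}

// ClassifyBeacons compares every beacon with the inventory of authorized
// BSSIDs per corporate SSID (lower-case MACs).
func ClassifyBeacons(beacons []Beacon, authorized map[string]map[string]bool) []Alert {
	var alerts []Alert
	for _, b := range beacons {
		if known, corp := authorized[b.SSID]; corp {
			// Our SSID advertised by a BSSID we do not own: rogue/evil-twin AP.
			if !known[strings.ToLower(b.BSSID)] {
				alerts = append(alerts, Alert{"evil-twin",
					fmt.Sprintf("%s advertises %q on channel %d", b.BSSID, b.SSID, b.Channel)})
			}
			continue
		}
		// An open AP with a bait name is what auto-connecting clients fall for.
		for _, bait := range luringNames {
			if b.Open && strings.Contains(strings.ToLower(b.SSID), bait) {
				alerts = append(alerts, Alert{"luring-open-ap",
					fmt.Sprintf("%s open SSID %q", b.BSSID, b.SSID)})
				break
			}
		}
	}
	return alerts
}

// DetectScanners flags sources sending more than threshold broadcast
// probes, the active-scanning pattern of tools such as NetStumbler.
func DetectScanners(probes []ProbeRequest, threshold int) []Alert {
	counts := map[string]int{}
	for _, p := range probes {
		if p.SSID == "" {
			counts[strings.ToLower(p.Source)]++
		}
	}
	var alerts []Alert
	for src, n := range counts {
		if n > threshold {
			alerts = append(alerts, Alert{"scanner", fmt.Sprintf("%s sent %d broadcast probes", src, n)})
		}
	}
	return alerts
}

// Constructed sample data: the inventory, one scan and one probe log.
var Authorized = map[string]map[string]bool{
	"corp-wlan": {"00:11:22:33:44:01": true, "00:11:22:33:44:02": true},
}

var SampleBeacons = []Beacon{
	{"00:11:22:33:44:01", "corp-wlan", 6, false},     // legitimate
	{"aa:bb:cc:dd:ee:ff", "corp-wlan", 11, true},     // evil twin
	{"de:ad:be:ef:00:01", "Free Hot Spot", 1, true},  // bait AP
	{"66:77:88:99:aa:bb", "neighbour-net", 1, false}, // unrelated, ignored
}

// SampleProbes mixes one aggressively scanning client with a normal client.
func SampleProbes() []ProbeRequest {
	var probes []ProbeRequest
	for i := 0; i < 25; i++ {
		probes = append(probes, ProbeRequest{"fa:ce:b0:0c:00:01", ""})
	}
	probes = append(probes, ProbeRequest{"00:aa:bb:cc:dd:ee", "corp-wlan"})
	return probes
}

func main() {
	for _, a := range append(ClassifyBeacons(SampleBeacons, Authorized), DetectScanners(SampleProbes(), 10)...) {
		fmt.Printf("[%s] %s\n", a.Kind, a.Detail)
	}
}
```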
SAFE BROWSING GUIDELINES FOR SOCIAL NETWORKING SITES:
Social Networking Sites:
• Social networking is a global revolution, enabling billions of people worldwide to stay in touch with their friends, share experiences and photographs and exchange personal content. In many ways it has replaced the phone and email. For many users, it has become a way of life.
• Various social networking sites are also valuable tools used by many companies and individuals to extend their contacts and deliver marketing messages.
• The nature of social networking, having such a massive base of users who are unknown to you, means that using it carries a degree of risk, including becoming a target for cyber-criminals.
The risks:
• Disclosure of private information by either yourself or friends/contacts.
• Bullying.
• Cyber-stalking.
• Access to age-inappropriate content.
• Online grooming and child abuse.
• Encountering comments that are violent, sexual, extremist or racist in nature, or offensive activities and hateful attitudes.
• People trying to persuade or harass you into changing your basic beliefs or ideologies, or adopting an extremist stance.
• Prosecution or recrimination from posting offensive or inappropriate comments.
With so many of us using social media today, sites like Facebook, Twitter and LinkedIn make perfect targets for scams.
Here are our top 10 tips to stay safe on social media:
1. Use a strong password. The longer it is, the more secure it will be.
2. Use a different password for each of your social media accounts.
3. Set up your security answers. This option is available for most social media sites.
4. If you have social media apps on your phone, be sure to password protect your device.
5. Be selective with friend requests. If you don't know the person, don't accept their request. It could be a fake account.
6. Click links with caution. Social media accounts are regularly hacked. Look out for language or content that does not sound like something your friend would post.
7. Be careful about what you share. Don't reveal sensitive personal information, i.e. home address, financial information, phone number. The more you post, the easier it is to have your identity stolen.
8. Become familiar with the privacy policies of the social media channels you use and customize your privacy settings to control who sees what.
9. Protect your computer by installing antivirus software. Also ensure that your browser, operating system, and software are kept up to date.
10. Remember to log off when you're done.
Always ask the questions:
1. Who can access the information I am putting online?
2. Who controls and owns the information I put into a social networking site?
3. What information about me are my contacts passing on to other people?
4. Will my contacts mind if I share information about them with other people?
5. Do I trust everyone with whom I'm connected?
6. Always make sure you use secure passwords to access social networks. If anyone else does get into your account, they are gaining access to a lot of information about you and about anyone else you are connected to via that social network. Change your passwords regularly as a matter of routine.
7. Make sure you understand the default privacy settings offered by the social networking site, and how to change them.
8. Consider using separate accounts/identities, or maybe different pseudonyms, for different campaigns and activities. Remember that the key to using a network safely is being able to trust its members.
9. Be careful when accessing your social network account in public internet spaces. Delete your password and browsing history when using a browser on a public machine.
10. Access social networking sites using https:// to safeguard your username, password and other information you post. Using https:// rather than http:// adds another layer of security by encrypting the traffic from your browser to your social networking site.
11. Be careful about putting too much information into your status updates.
12. Sharing Online Content
13. Sharing Videos and Photos
14. Instant Chats
Posting Personal Details:
Social networking sites ask you for a good deal of data about yourself to make it easier for other users to find and connect to you.
Ask yourself: is it necessary to post the following information online?
• Birth dates
• Contact phone numbers
• Addresses
• Details of family members
• Education and employment history
EMAIL SECURITY TIPS
Email is one of the most popular forms of communication, especially in the business world. Unfortunately, it's also one of the most vulnerable to cyber-attacks. In the 2016 US presidential elections, hackers gained access to emails from presidential candidate Hillary Clinton's campaign and her Democratic National Committee staff.
• The stolen emails were published by WikiLeaks, and the result was a public relations nightmare for the Clinton campaign.
• Email security best practices are the crucial elements of your data privacy strategy you should be aware of to protect your business. It doesn't matter whether you manage a small office or an entire corporate network. Using them avoids a potential data breach and prevents phishing attacks.
• Email security enables the safeguarding of a business's or a client's privacy. It prevents unauthorized access to sensitive data like financial information and important documents.
• This is where professional email security services come into play. They help you stay ahead of the game and promote superior organizational performance by protecting every valuable resource of the corporation.
Tips for E-Mail Security:
1. Don't open email attachments that you are not expecting, or which have come from someone you do not know. When you open such an email, make sure that your anti-virus software is up-to-date and pay close attention to any warnings from your browser or email program.
2. You can use anonymity software, which can help you hide your chosen email service from anyone who might be monitoring your internet connection.
3. You can avoid getting spam (unwanted or junk email) by guarding your email address and distributing it sparingly. Also, never open or reply to any emails you consider to be spam, because spammers will take this as proof of the legitimacy of the address and will just send you more spam.
4. Try to avoid your emails being mistaken for spam by the recipients. Spam filters will block messages with certain words in the subject heading.
5. Beware of email scams.
6. Pay close attention if your browser suddenly gives you messages about invalid security certificates when you attempt to access a secure webmail account.
SMARTPHONE SECURITY GUIDELINES:
• Smart phones continue to grow in popularity and are now as powerful and functional as many computers. It is important to protect your smart phone just like you protect your computer, as mobile cyber security threats are growing. These mobile security tips can help you reduce the risk of exposure to mobile security threats:
1. Set PINs and passwords. To prevent unauthorized access to your phone, set a password or Personal Identification Number (PIN) on your phone's home screen as a first line of defense in case your phone is lost or stolen. When possible, use a different password for each of your important log-ins (email, banking, personal sites, etc.).
You should configure your phone to automatically lock after five minutes or less when your phone is idle, as well as use the SIM password capability available on most smart phones.
2. Do not modify your smart phone's security settings. Do not alter security settings for convenience.
Tampering with your phone's factory settings, jailbreaking, or rooting your phone undermines the built-in security features offered by your wireless service and smart phone, while making it more susceptible to an attack.
3. Back up and secure your data. You should back up all of the data stored on your phone, such as your contacts, documents, and photos.
These files can be stored on your computer, on a removable storage card, or in the cloud. This will allow you to conveniently restore the information to your phone should it be lost, stolen, or otherwise erased.
4. Only install apps from trusted sources. Before downloading an app, conduct research to ensure the app is legitimate. Checking the legitimacy of an app may include such things as: checking reviews, confirming the legitimacy of the app store, and comparing the app sponsor's official website with the app store link to confirm consistency.
Many apps from untrusted sources contain malware that once installed can steal information, install viruses, and cause harm to your phone's contents. There are also apps that warn you if any security risks exist on your phone.
5. Understand app permissions before accepting them. You should be cautious about granting applications access to personal information on your phone or otherwise letting the application have access to perform functions on your phone. Make sure to also check the privacy settings for each app before installing.
6. Install security apps that enable remote location and wiping. An important security feature widely available on smart phones, either by default or as an app, is the ability to remotely locate and erase all of the data stored on your phone, even if the phone's GPS is off.
In the case that you misplace your phone, some applications can activate a loud alarm, even if your phone is on silent. These apps can also help you locate and recover your phone when lost. Visit CTIA for a full list of anti-theft protection apps.
7. Accept updates and patches to your smart phone's software. You should keep your phone's operating system software up-to-date by enabling automatic updates or accepting updates when prompted from your service provider, operating system provider, device manufacturer, or application provider. By keeping your operating system current, you reduce the risk of exposure to cyber threats.
8. Be smart on open Wi-Fi networks. When you access a Wi-Fi network that is open to the public, your phone can be an easy target for cybercriminals.
You should limit your use of public hotspots and instead use protected Wi-Fi from a network operator you trust or a mobile wireless connection to reduce your risk of exposure, especially when accessing personal or sensitive information.
Always be aware when clicking web links and be particularly cautious if you are asked to enter account or log-in information.
9. Wipe data on your old phone before you donate, resell, or recycle it. The smart phone contains personal data you want to keep private when you dispose of your old phone. To protect your privacy, completely erase data off of your phone and reset the phone to its initial factory settings. Then, donate, resell, recycle, or otherwise properly dispose of your phone.
10. Report a stolen smart phone: The major wireless service providers, in coordination with the FCC, have established a stolen phone database.
If your phone is stolen, you should report the theft to your local law enforcement authorities and then register the stolen phone with your wireless provider.
This will provide notice to all the major wireless service providers that the phone has been stolen and will allow for remote "bricking" of the phone so that it cannot be activated on any wireless network without your permission.
PURSES, WALLETS, SMART PHONES:
• The digital payment ecosystem has certainly been growing at a rapid pace in recent years. And the global pandemic has also played its role in fast-tracking the adoption of digital wallets and online payment methods across various user segments.
• According to a report by KPMG, countries like India are expected to witness a 78 % increase in digital payments in the upcoming months. An increased number of users, even those living in non-metro cities, have started to make the shift to cashless transaction methods such as UPI (Unified Payments Interface), digital wallets, Internet Banking, and more.
• However, as we gravitate towards a world of digital payments and e-wallets, it is important to be aware of the challenges that come along. One of the biggest challenges when it comes to digital payments and wallets is security.
• That is why it becomes a must for consumers and businesses to remain vigilant and take the required steps to ward off the potential threats. So, let's take a look at some of the established best practices which massively enhance the security of your digital wallets and payments.
Here are 7 important tips to keep in mind for enhancing your digital wallet security:
1. Enable Passwords On Your Devices:
Enable passwords on your phones, tablets, and other devices before they can be used. Use the benefits of additional layers of security provided by these devices. You can use password managers to create strong and unique passwords. Adding two-factor authentication to your device and app security will give another major boost to your already secure device.
2. Use Secure Network Connections:
Always be aware of the kind of networks you are connected to. It's important to be connected only to those networks which you can trust. Avoid the use of public Wi-Fi networks. More secure Wi-Fi connections require passwords and are easily identified as "WPA or WPA2." Highly insecure Wi-Fi is wide open for anyone to connect to and may be labeled as a "WEP" connection.
3. Install Apps From Sources You Trust:
Apps are not always what they appear to be. In fact, you could be getting more than you bargained for. A free game might not be just a game, but an app designed to illicitly collect personal data from you. Reading the user ratings and reviews can provide some clues about the integrity of the app.
4. Keep Your Private Stuff Private:
Never share sensitive data with those you don't trust. This includes when you respond to email requests, phone inquiries or allow control to anyone you would not normally hand over a physical wallet to. Financial service providers and support staff will never ask for private information such as passwords or payment account numbers.
5. Keep Login Credentials Secure:
Avoid writing down information used to access the digital wallets in plain view or storing it in an unprotected file. Easy access to them might result in the misuse of your data and credentials. It is essential to store passwords in a way that prevents them from being stolen by an attacker even if the source application, device or database is compromised.
Now, there are several frameworks and apps also which provide built-in functionality to help store passwords safely.
6. Create a Unique Password For Your Digital Wallet:
Avoid using the same password you use for email or social networking sites. This increases the risk of unauthorized access. Instead, use an easily remembered, yet hard-to-guess password unique to your digital wallet. This will enhance your digital wallet security.
7. Identify Who To Contact If There Are Issues, Before One Arises:
Ensure that you understand the quickest way to resolve any issues that arise and who is responsible for any fraudulent activity on your account.
Some common scenarios to consider: your phone is lost or stolen, an individual card stored in the wallet is lost, your account has been or may have been hacked.
A simple exercise can help illustrate this:
• Empty the contents of your wallet or purse, and take account of sensitive items.
• Typically you may find: pictures of loved ones (~5 pictures), identification cards (driver's license, membership cards, social security cards), insurance and health information (~2 cards), money (~5 bills), credit/debit cards (~3 cards).
• Now, examine the contents of your smart phone. A typical smart phone user may find some of the above in higher quantities, and in some cases much more valuable items:
• Pictures of loved ones (~100 pictures)
• Email applications and their passwords
• Emails (~500 emails)
• Videos (~50 videos)
• Social networking applications and their passwords
• Banking applications (with access to the bank accounts)
• Sensitive documents
• Sensitive communication records
• A live connection to your sensitive information
Platforms, Setup and Installation:
1. Platforms and Operating Systems
2. Feature Phones
3. Branded and locked smart phones
4. General Setup
5. Installing and updating applications
Communicating Securely (Through Voice and Messages) with a Smart phone:
• Secure Voice Communication
• Basic telephony
o About Anonymity: If you are conducting sensitive phone conversations or sending sensitive SMS messages, beware of the above tracking 'feature' of all mobile phones.
o About eavesdropping: Your phone can be set to record and transmit any sounds within the range of its microphone without your knowledge.
o About interception of calls: Typically, encryption of voice communications (and of text messages) that travel through the mobile phone network is relatively weak.
• Sending Messages Securely
• Storing Information on your Smartphone
• Sending Email from your Smartphone
• Capturing Media with your Smartphone
• Accessing the Internet Securely from your Smartphone

PLATFORMS, SETUP AND INSTALLATION
Secure Software Installation on Smart phones:
Security Considerations for Smart phones:
• Mobile phones were once simple devices capable of performing only basic phone functions.
• With the release of newer smart phone OSs, mobile phones began to include advanced desktop-like features, which has caused users (and forced app developers) to think differently about these devices.
• Whether users think of their smart phones as computers is unclear.
• Typical computer activities such as installing and updating software are present.
Current Smartphone Platforms:
• As of December 2010, iOS, Android, BlackBerry, and Symbian accounted for approximately 92 percent of the global smart phone market.
iOS:
• Apple's iOS (originally called the iPhone OS) is based on the Mac OS.
• The iPhone, iPod Touch, and iPad all run it, letting developers easily write apps that run on all those devices.
• iOS apps are written in Objective-C and can communicate with hardware through a set of published APIs.
• iOS offers several abstraction layers to easily create onscreen interactive menus, 2D and 3D graphics, location services, and core OS functionality such as threads and network sockets.
Android:
• The Open Handset Alliance's Android platform (mainly backed by Google) is open source Linux-based middleware that runs on top of a Linux kernel.
• Android powers a variety of smart phones, tablets, and netbooks from many manufacturers.
• Linux provides hardware support, and Android provides a device-independent API and UI.
• Since Android's announcement and first release in October 2008, the code base has seen rapid development, with three major releases in 2009 alone.
• Android apps are written in Java and run in Dalvik, a custom virtual machine (VM).
BlackBerry:
• Research in Motion (RIM) developed the BlackBerry OS.
• It runs on many BlackBerry models and has historically targeted enterprise customers by including features such as push email and groupware support (for example, Microsoft Exchange, Lotus, Novell GroupWise, and BES support).
• BlackBerry OS gives companies fine-grained control of devices they distribute to employees.
• Administrators can push policies to BlackBerry devices, letting them restrict the functionality available to users.
• For example, policy administrators might decide that apps downloaded from third-party websites aren't allowed but that those installed through App.
Symbian:
• Nokia's Symbian is the most widely used smart phone OS.
• It has existed since the early 1990s and is now deployed on hundreds of smart phone models.
• Symbian was a proprietary platform until February 2010, when Nokia open-sourced it under the Symbian^3 branding.
• Nokia designed the OS with integrity, security, and low resources in mind, in contrast to the gigahertz chips on newer smart phones.
• Although malware has targeted Symbian in the past, few attacks exploited software flaws. Rather, they relied on social engineering or direct user manipulation.
• For example, the Cabir worm repeatedly prompts users to click "yes" to allow a malicious program to run.
Classifying Software Installation Models:
• We see three generic software installation models, classified by the level of control the smart phone OS or hardware vendor has over software installation and management: the walled-garden model, the guardian model, and the user control model.
1. The Walled-Garden Model:
• This model gives the smart phone vendor full control over third-party software installation on users' devices.
• Users can install only software that has been approved and made available through a vendor's app marketplace or clearinghouse.
• The vendor can remove apps from the clearinghouse and can remotely uninstall or disable them on users' devices using a kill switch.
• Code signing is an essential part of this model because it provides a reliable technical mechanism to prove that an app was accepted by the vendor and hasn't been modified.
• This model leaves most of the security decisions and testing up to the vendor, giving even nontechnical users a (perhaps unfounded) worry-free smart phone experience.
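The code-signing check that the walled-garden model relies on, as an added Go example (not from the course notes or from any vendor's implementation): the vendor signs the SHA-256 digest of a reviewed package with Ed25519, the device verifies it against the pinned vendor key before installing, and a revocation list of digests plays the role of the kill switch. Keys and package bytes are generated inline for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignedPackage is what the vendor's marketplace hands to the device.
type SignedPackage struct {
	Name      string
	Contents  []byte
	Signature []byte // vendor Ed25519 signature over digest(Name, Contents)
}

var (
	ErrUntrusted = errors.New("not signed by the vendor, or modified after signing")
	ErrRevoked   = errors.New("package revoked by the vendor (kill switch)")
)

// digest binds name and contents together so neither can be swapped alone.
func digest(name string, contents []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0})
	h.Write(contents)
	return h.Sum(nil)
}

// VendorSign is the marketplace side, run only after review approves the app.
func VendorSign(priv ed25519.PrivateKey, name string, contents []byte) SignedPackage {
	return SignedPackage{Name: name, Contents: contents, Signature: ed25519.Sign(priv, digest(name, contents))}
}

// DeviceVerify is the device side: the pinned vendor key must have signed
// exactly these bytes, and the vendor must not have revoked them since.
func DeviceVerify(vendorPub ed25519.PublicKey, revoked map[string]bool, p SignedPackage) error {
	d := digest(p.Name, p.Contents)
	if !ed25519.Verify(vendorPub, d, p.Signature) {
		return ErrUntrusted
	}
	if revoked[hex.EncodeToString(d)] {
		return ErrRevoked
	}
	return nil
}

// Demo walks four install attempts and returns each outcome: an approved
// package, the same package modified after signing, a package signed with
// a key the device does not trust, and the approved package after the
// vendor pulled it.
func Demo() (approved, tampered, foreign, killed error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	revoked := map[string]bool{}

	pkg := VendorSign(vendorPriv, "notes-app", []byte("reviewed app bytes"))
	approved = DeviceVerify(vendorPub, revoked, pkg)

	mod := pkg // same signature, different contents
	mod.Contents = []byte("reviewed app bytes + later changes")
	tampered = DeviceVerify(vendorPub, revoked, mod)

	other := VendorSign(otherPriv, "notes-app", []byte("reviewed app bytes"))
	foreign = DeviceVerify(vendorPub, revoked, other)

	// The vendor's kill switch: publish the digest of the pulled package.
	revoked[hex.EncodeToString(digest(pkg.Name, pkg.Contents))] = true
	killed = DeviceVerify(vendorPub, revoked, pkg)
	return
}

func main() {
	a, t, f, k := Demo()
	fmt.Println("approved:", a)
	fmt.Println("tampered:", t)
	fmt.Println("foreign key:", f)
	fmt.Println("revoked:", k)
}
```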

2. The Guardian Model:
• This model delegates security decisions to a knowledgeable third party. A variety of entities can play this guardian role:
• The OS vendor (in which case the guardian model becomes more similar to the walled-garden model), or the mobile phone carrier,
• An acknowledged expert acting on behalf of a less knowledgeable group of users, or
• An enterprise system administrator who already controls policy on other devices.
3. The User Control Model:
• Here, the user is responsible for all software installation and software security decisions.
• Third-party apps are distributed to users with minimal involvement from the phone vendor or carrier, reducing overhead costs.
• Users can install software from any source (website, memory card, or app marketplace), understanding the risk that, because there's no app vetting, any or all apps could be malicious.

COMMUNICATING SECURELY WITH A SMARTPHONE:
• Digital communications are no longer just about email or browsing the Internet securely. Email is still essential, but staying connected with your co-workers via instant messages has become increasingly important.
• Being able to chat on social media channels anytime from wherever you are means our smart phones are now our primary connection point for work and play.
• Intercepting mobile phone traffic has become an increasing problem. This poses a problem because users usually have little protection when using public Wi-Fi or cellular networks.
Some of the top ways to secure your mobile phone communication are as follows:
1. Use End-To-End Encryption:
• The first way you can secure your mobile phone communication is by using end-to-end encryption.
• End-to-end encryption is a type of cryptography where only the sender and receiver can read the message.
• The data itself is encrypted, so even if an attacker intercepts the message, they cannot read what it says.
• It's like having a secret code that you and your contact both know, but no one else does. There are several ways end-to-end encryption can be applied to prevent SMS hijacking in Man-in-the-Middle attacks.
• You could also use end-to-end encryption by encrypting all the data sent over Wi-Fi on your mobile phone, even when connected to public networks such as coffee shops, airports, and hotels.
• This is made possible by using Virtual Private Networks (VPNs) or secure proxy connections.
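An end-to-end encrypted exchange as described in step 1, as an added Go example (not from the course notes): both phones derive a shared key with X25519 and use AES-256-GCM, so a relay in the middle (hotspot, carrier or messaging server) forwards only public keys and ciphertext and can neither read the message nor alter it undetected. Hashing the raw shared secret instead of using HKDF, and not authenticating the public keys, are simplifications of a real protocol.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one endpoint (a phone) holding an X25519 key pair.
type Party struct{ priv *ecdh.PrivateKey }

func NewParty() (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

// Public is the only key material a party ever sends through the relay.
func (p *Party) Public() []byte { return p.priv.PublicKey().Bytes() }

// gcmFor derives the shared AES-256-GCM cipher from our private key and the
// peer's public key. Hashing the raw secret is a simplification of HKDF.
func (p *Party) gcmFor(peerPub []byte) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	secret, err := p.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for peerPub; output is nonce || ciphertext || tag.
func (p *Party) Seal(peerPub, plaintext []byte) ([]byte, error) {
	gcm, err := p.gcmFor(peerPub)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a message from peerPub; GCM rejects anything altered in transit.
func (p *Party) Open(peerPub, sealed []byte) ([]byte, error) {
	gcm, err := p.gcmFor(peerPub)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Exchange sends msg from Alice to Bob through a relay that records every byte
// it forwards. It returns what Bob read, whether the relay's capture contained
// the plaintext, and the error Bob gets for a copy the relay altered.
func Exchange(msg string) (received string, leaked bool, tamperErr error) {
	alice, err := NewParty()
	if err != nil {
		return "", false, err
	}
	bob, err := NewParty()
	if err != nil {
		return "", false, err
	}
	sealed, err := alice.Seal(bob.Public(), []byte(msg))
	if err != nil {
		return "", false, err
	}
	capture := bytes.Join([][]byte{alice.Public(), bob.Public(), sealed}, nil)
	leaked = bytes.Contains(capture, []byte(msg))
	pt, err := bob.Open(alice.Public(), sealed)
	if err != nil {
		return "", leaked, err
	}
	altered := append([]byte(nil), sealed...)
	altered[len(altered)-1] ^= 1 // relay flips one bit of the tag
	_, tamperErr = bob.Open(alice.Public(), altered)
	return string(pt), leaked, tamperErr
}

func main() {
	got, leaked, tamperErr := Exchange("meet at the station at 9")
	fmt.Printf("bob read %q; relay saw plaintext: %v; altered copy: %v\n", got, leaked, tamperErr)
}
```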

2. Protect Your Device With Strong Passwords And Back Up Everything:
• Regardless of how secure your mobile phone communication is, if you don't protect the device itself with a strong password, it's only a matter of time before an attacker can gain physical access to it and then extract sensitive data using micro SD card extraction or USB OTG.
• The best way to do this is by setting a solid alphanumeric password that isn't any shorter than ten characters, but for added security, you can use both numbers and letters or change up your pattern frequently.
• When creating this password, always ensure that it isn't based on information about yourself, such as birthdays, anniversaries, and street names.
• These are the first things attackers try when trying to crack passwords.
• Instead, it helps to mix up different characters such as numbers, capital and lowercase letters, and symbols such as punctuation marks.
• Another way to protect your device is by preventing unauthorized access by keeping personal files such as photos and documents in a secure password-protected folder or on an encrypted external drive.
• You can also back up all of your data, so if something happens to the phone, you still have all of your data, which can be restored later or stored securely in the cloud for added protection.
• To do this wirelessly, you will need to download an app called Double Backup Contact Photos & Videos.
• The app automatically backs up all of your contacts and their photos, videos, and other information while saving it locally on the device itself so that you aren't just uploading everything online.
• This method works because attackers can't access local data unless they have physical access to the device.
3. Protect Your Personal Data With Encryption & Anti-Theft Tools:
• If all of this sounds too tedious for your liking, then there are many apps designed with security in mind that can automatically do everything for you so that you don't have to lift a finger.
• One is called Touch ID & Passcode Lock, whose name pretty much explains how it works, as it allows users to protect their device by using either a fingerprint or passcode.
• The password is required every time the app is opened.
• All of the apps on your device are protected, so personal photos, videos, call logs, and text messages can't be accessed by anyone who tries to access them without knowing your password.
• In addition to this, you should also have an anti-theft service installed, which notifies you if someone tries turning off Report Location or Erase All Data within the app.
• It prevents your data from being deleted remotely, along with a detailed message that's sent directly to law enforcement.
• There aren't many security-related apps available for iOS devices.
4. Protect Your Device From Unauthorized Access:
• Even if you don't have device protection enabled, it shouldn't be too difficult to protect your data by restricting access to unauthorized users so they can't open or delete anything without knowing the correct password.
• You can use either a passcode or pattern lock to prevent access. Every time someone tries accessing any of your apps or sensitive content, the passcode is required to enter the incorrect password within the last four hours of successfully using the app.
• Another way to prevent unauthorized access is by using the Touch ID function on an iPhone or iPad, which acts like a fingerprint lock that can be used to unlock information every time your device is unlocked.
• To set this up, you will need to go into Settings, tap General and then scroll down before tapping Passcode & Fingerprint, where you should see the option for "Fingerprints" underneath "Passcode."
• Here you can choose which fingers are allowed to be recognized or tap "Add a fingerprint" followed by placing your finger eight times on different sections of the home button.

UNIT II-QUESTION BANK

1 MARK QUESTIONS
1. Which of the following is not removed when you clear the cache, cookies, and
browser history?
a) Address bar predictions b) Saved passwords c) Browser plug-ins
d) Shopping cart content

2. Browser ___________ are impermanent internet files which help the browser
download web images, data & documents for rapid performance & viewing in the
future.
a) plug-ins b) cache c) add-on d) history

3. ____________________ is the prevention of unauthorized access to or damage of
computers or data by means of wireless networks.
a) Wireless access b) Wireless security c) Wired Security d) Wired device apps

4. ____________ is the method for keeping sensitive information in email
communication & accounts secure against unofficial access, loss, or
compromise.
a) Email security b) Email hacking c) Email protection d) Email safeguarding

5. Which of them is not a proper method for email security?
a) Use a strong password b) Use email encryption c) Spam filters and malware
scanners d) Click on unknown links to explore

6. There are _______ major ways of stealing email information.
a) 2 b) 3 c) 4 d) 5

7. Which of the following is not an OS for mobile?
a) Palm b) Windows c) Mango d) Android

8. Mobile Phone OS contains open APIs that may be _____________ attack.
a) useful for b) vulnerable to c) easy to d) meant for

9. ____________ is the protection of smart-phones, phablets, tablets, and other
portable tech-devices, & the networks to which they connect, from threats &
bugs.
a) OS Security b) Database security c) Cloud security d) Mobile security

10. Mobile security is also known as ____________
a) OS Security b) Wireless security c) Cloud security d) Database security

5 Mark & 10 Marks:

1. Explain the Tips for buying online

2. How to clear the cache in various browsers

3. Write about the wireless LAN and their major issues.

4. Write about the safe browsing guidelines for social networking sites

5. Narrate email security tips.

6. Explicate the smart phone security guidelines.

7. Write how to maintain the purses, wallets, smart phones.

8. Narrate platforms, setup and installation.

9. Write how to communicate securely with a smart phone.

UNIT III
CYBER INVESTIGATION ROLES:

INTRODUCTION

 In the Hewlett-Packard case, board members were leaking corporate information
outside of the company's board room.
 HP, as a publicly traded company, had a financial responsibility to protect its
confidential business information.
 Additionally, according to business ethicist Kirk Hanson, it was obligated to
investigate these leaks under the Sarbanes-Oxley Act.
 Investigating agencies could have obtained search warrants and possibly a
wiretap court order.
 HP would then have been able to obtain the information legally, sparing itself
embarrassment and avoiding the ruin of those individuals who thought they were
just doing their job.
 Additionally, cyber crime investigators from one sector need to be aware of the
needs of other sectors in order to avoid confusion and reduce tensions.
Understanding Your Role as a Cyber Crime Investigator:
 The bottom line here is that if you determine a crime is being committed, get law
enforcement involved.
 They may be able to remove the risk of injury to yourself or your company by
pursuing appropriate legal action.
o It is possible to violate the law when conducting cyber crime
investigations.
o Cyber crime investigators should be aware that their actions, on behalf
of their company, may not absolve them of criminal or civil liability if
their actions are illegal.
o Corporations should involve law enforcement in the beginning of a
criminal investigation.
o Corporate counsel should consult a prosecutor prior to taking actions in
a criminal matter.
o Corporate investigators should always be cognizant of employee’s
rights when conducting investigations.
o As a corporate investigator, you may not be privy to much of the
information when visited by a law enforcement officer.
o Be cognizant that your actions can be construed as acting as an agent
of law enforcement.
The Electronic Communications Privacy Act: was passed in 1986 and governs how and
when electronic communications can be intercepted.
 It also provides definitions as to what an electronic communication is, and
describes penalties for violating the Act's provisions.
 Although very little in this statute applies directly to corporations, it behooves
you to read it to obtain a better understanding of the law.
Understanding Law Enforcement Concerns:

 One of law enforcement's first concerns in a cyber crime investigation is that the
systems administrator or IT personnel are the persons committing the crime, which
has often been the case.
 Statistics show that most crimes that occur within a corporation are committed by
its employees.
 As a result, IT personnel, as well as other company employees, will usually
experience the following until the law enforcement official rules them out as a
possible suspect:
 Law enforcement will provide you with the smallest amount of information
possible.
 Sometimes officers will allow you to believe they are investigating a
different crime than the one you suspect.
 On occasion, law enforcement may ask you for unnecessary documents in
order to throw you off track from what they are investigating.
Agent of the Government
 IT personnel are routinely contacted by law enforcement.
 This contact can range from providing subscriber information to allowing
officers to forensically image a computer system.
 The courts have held that in order for a private citizen to be an agent of
the government, two conditions must exist.
o First, the person must have acted with the intent to help law
enforcement.
o Second, the government must know about the person’s
activities and either acquiesced in, or encouraged, them.
Providing the Foundation:
 One of the most important things an IT security investigator can provide in any
case is information.
 No one understands your network setup better than you.
 Also, you know the technology involved within your organization.
 Many times law enforcement officers will not have experience with many of the
devices or systems they will come upon.

THE ROLE OF LAW ENFORCEMENT OFFICERS


 Cyber crime police officers should be cognizant of the concerns of corporations.
 Often, a lack of understanding of those concerns leads to tension and standoffs
between the two.
o Understand that companies may have privileged and
confidential information on the computers you are seizing.
o It is a wise practice to avoid victimizing your victim further
by parading your case before the media.
o It is important to understand the data retention policies and
subpoena process of a company prior to requesting their
assistance.
Understanding Corporate Concerns:
Shutting Down and Seizing Systems:
 I remember getting a call to respond to a company whose server was being
accessed illegally from a remote location.
 The owner of this company stated that numerous files were deleted, and that he
believed the computer had a remote access Trojan.
 I immediately invoked my forensics best practices and proceeded to shut down
the server.
 At that point, I was literally tackled by the owner who stated that the server
was a production server and could not be taken down.
Protecting Confidential and Privileged Information:
 Imagine me explaining to the law firm that I would be able to get a search warrant
and seize all the computers in their company.
 After all, this was no E-Discovery case. Additionally, I explained what it would
mean to get a search warrant and return to their office in the middle of the day
with a bunch of police officers.
 I respected the law firm's need to protect its confidential and privileged
information and worked with them to find a solution.
Avoiding Media:
 Going back to my media comment, companies hate being mentioned for data
breaches and cyber investigations on the five o’clock news.
 As a cyber investigator, you should attempt to avoid thrusting a company into
the limelight for your two minutes of fame.
 I found that once I showed a company that I could investigate a cyber crime
and make an arrest quietly, that company would feel comfortable contacting
me on future cases.
 Victimizing the company twice may harm its reputation with its clients. So,
whenever possible, refrain from attracting media attention to a company that has
already been a victim.
Understanding Corporate Practices:
 Understanding a company’s corporate practices is an important step toward
easing tensions between the public and private sectors.
 Often, law enforcement gets frustrated when a company fails to turn over the
documents requested.
 What law enforcement needs to understand is that respecting an employee's privacy,
as it relates to providing personal information outside of the company, is a
serious and important task for any company.
 While information may easily be circulated within a company, providing it to
outside entities may require the investigator to consult with corporate counsel.
 This may also require more time and possibly additional paperwork in order to
secure the information.
 Don't get frustrated if corporate counsel requests an additional subpoena and/or
search warrant.
 Secondly, officers need to understand that maintaining log files can be a daunting
task for many companies.
 So, retaining these files for long periods of time may not always be an option;
ask early what the retention period is and request preservation before the logs
roll over.
Providing the Foundation:
 As a cyber crime officer, your job should be to lay the foundation of how the
crime was committed, and how the computer aided in the commission of this crime.
 Also attempt to explain the techniques, methodologies, and technologies,
to prosecutors, judges, and juries in simple terms.
 This will help to remove the veil of mystery behind the technology and aid
in helping build the case against the suspect.
THE ROLE OF THE PROSECUTING ATTORNEY
 Understanding your role as a prosecutor will better serve the overall legal
process when it comes time for prosecution.
o One of the primary functions of a prosecutor is to provide guidance and
direction as it relates to the law during an investigation.
o Prosecutors should avoid directing law enforcement when investigating a
case since it may cause the loss of immunity.
o As a prosecutor, you explain to the judge and jury how technology was
used to commit a crime.
Providing Guidance:
 Prosecutors who become personally involved with a case jeopardize the process, as
well as their immunity.
 Additionally, a prosecutor should act as a bridge across the information gap
between the technology and the judge or jury.
 It will be your job to remove the mask behind the technology presented in the
case, and ease the fears of the technophobes.
Avoiding Loss of Immunity
 Prosecutors are afforded special privileges when acting on behalf of the court.
 One of the most important privileges they possess is that of immunity.
 This immunity shields them from both criminal and civil liability when acting
in their official capacity and performing related duties.
 However, when a prosecutor engages in conduct that is beyond the scope of their
responsibilities, they may place themselves in harm's way.
 Many attorneys become emotionally involved in a case and dance close to the line
of trouble.
 Although it is extremely rare and difficult to prove that a prosecutor has lost
their immunity, it is not impossible.
 Prosecutors are afforded absolute immunity from liability for their actions when
their prosecutorial activities are directly associated with their judicial
responsibilities during the criminal process. This entitles them to absolute
immunity from any action for damages.
 For official discretionary functions outside that core role (investigative or
administrative acts, for example), prosecutors are afforded only qualified immunity
from liability for damages, which protects them as long as their conduct does not
violate clearly established statutory or constitutional rights of which a
reasonable person would have known.
 Absolute immunity is not available when a prosecutor undertakes conduct that is
beyond the scope of his litigation-related duties.

INCIDENT RESPONSE: INTRODUCTION


 One of the fundamental misconceptions behind the traditional "pull the plug and
image everything" philosophy is that computer forensics is the same as physical
forensics.
 Computer forensics technology changes faster than traditional forensics
disciplines like ballistics, serology, and fingerprint analysis.
 The second misconception is that investigators always collect everything at a
physical crime scene.
 In a physical forensics environment, investigators commonly photograph the crime
scene and take "reasonable" precautions to ensure the evidence is not disturbed.
 The truth is that, in many cases, they collect only samples from a physical crime
scene.
 Nevertheless, we have accepted the collect-everything methodology as best
practice, and have backed ourselves into a litigation corner.
 The evolution of technology has put us face to face with the harsh reality that
it is sometimes more advantageous to perform "live" analysis than a "postmortem"
one.
 The problem is that live analysis often changes evidence by writing to the hard
drive. File time stamps, Registry keys, swap files, and memory are just some of the
items that can be affected when conducting analysis on a live computer system, so
every live action must be documented and the footprint of each tool you run must be
known in advance.

POSTMORTEM VERSUS LIVE FORENSICS

 This section treats conducting live investigations as a valid forensic
methodology.
 The pages that follow discuss the need to move away from traditional methods of
computer forensics and toward a live forensics model.
 Postmortem and live forensics are both valuable evidence gathering techniques.
 However, in cases where you can conduct only a postmortem examination, the need to
look at other systems within the environment is strengthened.
 This expansion of scope to include other systems on the network will give a better
understanding of how the target system acted within its native environment.
o In a live investigation, a system administrator can conduct an analysis
remotely.
o Imaging large volumes can be a discouraging task.
o Live forensics can be used to obtain data when encryption is in use.
o Capturing the contents of memory may provide you with the “missing
link.”
Today's Live Methods:
o A Pre-Deployed Agent is software that is installed onto the computer prior to
an incident.
o A boot disk can be used to conduct live investigations.
Live versus Postmortem:
 Live investigations allow investigators to capture volatile information
that would not normally be present in a postmortem investigation. This
information can consist of running processes, event logs, network
information, registered drivers, and registered services.
 Running services tell us what services may be running on a computer. Services are
processes that start without any user logging on and typically run with elevated
privileges (often as SYSTEM), and many users are unaware that these services even
exist.
 Viewing running processes with the associated open network ports is
one of the most important features of analyzing the system state.
 To peek into a system and correctly assess what processes are
running and what ports they may be using is critical when trying to
perform an investigative triage.
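The cross-check behind that triage step, as an added example that is not code from the chapter: a rootkit such as Hacker Defender removes its process from the process list, but the socket that process owns is still reported in the TCP/UDP table together with the owning PID, so the two views disagree. The inputs are constructed sample output shaped like Windows `tasklist /fo csv` and `netstat -ano` (an assumption about the format; the PIDs, ports and image names are invented).

```python
"""Cross-check the process list against socket owners to spot hidden processes.

Added example, not code from the chapter. TASKLIST_CSV and NETSTAT_TXT are
constructed sample output in the shape of `tasklist /fo csv` and
`netstat -ano`; every PID, port and image name in them is invented.
"""
import csv
import io
import re
from dataclasses import dataclass

TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,234 K"
"svchost.exe","812","Services","0","20,116 K"
"explorer.exe","1440","Console","1","41,300 K"
"outlook.exe","2204","Console","1","88,004 K"
"""

NETSTAT_TXT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1054      10.0.0.5:80            ESTABLISHED     2204
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       3096
  TCP    192.168.1.20:31337     198.51.100.7:4444      ESTABLISHED     3096
  UDP    0.0.0.0:500            *:*                                    812
"""

# proto, local, remote, optional state (absent for UDP), pid
_NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


@dataclass(frozen=True)
class Socket:
    proto: str
    local: str
    remote: str
    state: str   # empty for UDP, which has no state column
    pid: int


def parse_tasklist(text: str) -> dict[int, str]:
    """Map PID -> image name from `tasklist /fo csv` style output."""
    return {int(row["PID"]): row["Image Name"]
            for row in csv.DictReader(io.StringIO(text))}


def parse_netstat(text: str) -> list[Socket]:
    """Parse `netstat -ano` style lines; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            sockets.append(Socket(proto, local, remote, state or "", int(pid)))
    return sockets


def find_hidden_socket_owners(tasklist_text: str, netstat_text: str) -> dict[int, list[Socket]]:
    """Sockets grouped by owning PID, for every PID that owns a socket but is
    absent from the process list: a strong indicator of a hidden process."""
    visible = parse_tasklist(tasklist_text)
    hidden: dict[int, list[Socket]] = {}
    for sock in parse_netstat(netstat_text):
        if sock.pid not in visible:
            hidden.setdefault(sock.pid, []).append(sock)
    return hidden


def triage_report(tasklist_text: str, netstat_text: str) -> list[str]:
    """One line per socket, annotated with the owning image name (or a flag)."""
    visible = parse_tasklist(tasklist_text)
    report = []
    for s in parse_netstat(netstat_text):
        owner = visible.get(s.pid, "<NOT IN PROCESS LIST>")
        report.append(f"{s.proto:<4}{s.local:<23}{s.remote:<21}{s.state:<12}pid={s.pid:<6}{owner}")
    return report


if __name__ == "__main__":
    print("\n".join(triage_report(TASKLIST_CSV, NETSTAT_TXT)))
    for pid, socks in find_hidden_socket_owners(TASKLIST_CSV, NETSTAT_TXT).items():
        ports = sorted({s.local.rsplit(":", 1)[1] for s in socks})
        print(f"PID {pid} owns sockets on port(s) {', '.join(ports)} but is not in the process list")
```

On a real compromised host the rootkit may hook the API that netstat itself uses, so the check is strongest when one of the two views comes from outside the box: a port scan from another machine, or the perimeter firewall's connection log, compared against what the host claims to be running.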
Evolution of the Enterprise:
 Conducting live investigations is really the only option you have under certain
circumstances.
 The evolution of the enterprise network makes it difficult for system
administrators, IT security personnel, and the like to be at more than one location.
 Managing IT resources at a single site can be a daunting task. Now think of the
larger corporate network schema.
 Many companies have multiple computers at a single location. Additionally, those
corporations may also have several locations in a city, country, or continent.
 In a live forensic environment, IT security personnel could log on remotely, view
running processes, dump physical memory, and make an educated guess as to whether
the computer should be imaged remotely or be physically removed from the network
for further analysis.
 The investigator, using live forensics techniques, doesn't have to physically
respond to the location to address the issue until they are satisfied with their
initial inquiry.
Evolution of Storage:
Problem 1: How are we going to fit this 630TB image into our 250GB USB 2.0
external drive?
Problem 2: How long would it take to image a drive that size?
Problem 3: The machine cannot be shut down because the company would suffer a
financial loss.
In addition to all these issues, we must remember to make a bit-stream image, that
is, a sector-by-sector copy of the whole drive rather than a copy of the files.
 If you think the use of compression could solve the preceding problems, you would
be mistaken. Compression increases the time it takes to image the server's hard
drive because the compression algorithm needs to examine the data and remove the
redundant items before writing them.
 Additionally, much of what is on a modern drive (already-compressed media,
archives, encrypted containers) does not compress at all, so it would still be
impossible to fit the larger hard drive onto the smaller USB external drive.
Encrypted File Systems:
 The use of encryption has increased during the last few years.
 Its increased use presents a unique problem to investigators when conducting
postmortem analysis.
 When encryption is applied to a data object, the contents of that object are
illegible.
 Once encrypted, the object’s contents are hidden and are pretty much impossible
to interpret.
 Encryption is applied to these data objects in one of three ways.
 The first implementation is file level encryption, in which individual files are
encrypted; the second is volume (container) encryption, such as a BestCrypt
encrypted volume; the third is full-disk encryption, in which the entire physical
disk is encrypted.
 In a postmortem image an encrypted file or volume is opaque; in a live
investigation the same data is readable, because the volume is mounted and the
program holding the key is running in physical memory. The figures in this section
illustrate that contrast:
1. File contents when the file is encrypted, viewed in AccessData's FTK Imager.
2. The same file after decryption.
3. A BestCrypt encrypted volume.
4. A forensic image of a fully encrypted disk.
5. A file-cleaning (wiping) operation offered by BestCrypt.
6. Imaging physical memory with a network forensics tool.
7. The contents of the encrypted file displayed in readable form in the lower
right-hand pane.
8. The BestCrypt program running in physical memory.
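One concrete reason memory capture is the "missing link" when encryption is in use, as an added example that goes beyond what the chapter shows and is not its code: while an encrypted container is mounted, the driver keeps the expanded AES key schedule in RAM, and an expanded schedule is self-consistent (the 160 bytes after a 16-byte key must equal the FIPS-197 expansion of that key). That lets a key be recognised in a memory dump without knowing the passphrase, the approach taken by tools such as aeskeyfind. The memory buffer here is constructed (seeded random filler with one schedule planted in it); the key is the FIPS-197 Appendix A.1 example key, chosen so the schedule can be checked against the standard.

```python
"""Recognise AES-128 key schedules in a memory snapshot.

Added example, not code from the chapter. The "memory dump" is constructed:
deterministic random filler with one key schedule planted at a known offset.
"""
import random


def _rotl8(x: int, k: int) -> int:
    return ((x << k) | (x >> (8 - k))) & 0xFF


def _make_sbox() -> list[int]:
    """AES S-box: multiplicative inverse in GF(2^8) followed by the affine map.
    p walks the field as successive powers of 3 while q tracks 1/p."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= (q << 1) & 0xFF                                    # q /= 3
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        affine = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = affine ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse
    return sbox


SBOX = _make_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key_128(key: bytes) -> bytes:
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule (11 round keys)."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)


def _first_expanded_word(key: bytes) -> bytes:
    """w[4] only: a cheap pre-filter before doing the full expansion."""
    t = [SBOX[b] for b in key[13:16] + key[12:13]]
    t[0] ^= RCON[0]
    return bytes(a ^ b for a, b in zip(key[0:4], t))


def find_aes128_keys(mem: bytes) -> list[tuple[int, bytes]]:
    """(offset, key) for each 16-byte window whose following 160 bytes are
    exactly its own key expansion; random data practically never passes."""
    hits = []
    for off in range(len(mem) - 176 + 1):
        cand = mem[off:off + 16]
        if mem[off + 16:off + 20] != _first_expanded_word(cand):
            continue
        if mem[off:off + 176] == expand_key_128(cand):
            hits.append((off, cand))
    return hits


# FIPS-197 Appendix A.1 example key, so the schedule can be checked by hand.
SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def build_sample_memory(key: bytes, offset: int, size: int = 4096, seed: int = 7) -> bytes:
    """Constructed 'memory dump': seeded random filler with a schedule planted at offset."""
    rng = random.Random(seed)
    mem = bytearray(rng.getrandbits(8) for _ in range(size))
    mem[offset:offset + 176] = expand_key_128(key)
    return bytes(mem)


if __name__ == "__main__":
    dump = build_sample_memory(SAMPLE_KEY, 1000)
    for off, key in find_aes128_keys(dump):
        print(f"AES-128 key schedule at offset {off:#x}: key = {key.hex()}")
```

The same idea extends to AES-192/256 (longer schedules) and to the other places key material lingers: the page file, hibernation file and crash dumps are all worth the same scan once the machine has been imaged.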
Today’s Live Methods:
 Several software companies presently manufacture network forensic and
investigative software.
 Guidance Software, Technology Pathways, Wetstone Technologies, ASR Data, E-fense,
and eTrust by CA are just some of the companies that produce this forensic and
incident response software.
 These manufacturers use a variety of methods to conduct live investigations.
o The first method employed is the Pre-Deployed Agent model, where
special software is pre-installed on a computer system prior to an
incident. It is usually hidden from the end user and is invoked once it is
connected to remotely.
o The second method currently in use is the Direct Connect model. In
this model, the target computer is directly connected to by a remote
machine and the software is pushed into memory.
o The connection remains active until the remote machine is
disconnected.
o A third method is the On Demand Connection model, where the
computer connects to the target machine and pushes the software into
memory for a specific task.
o Once the task issued by the remote machine is completed, the
connection is immediately torn down.
o Finally, some software developers use a boot disk or an investigative
CDROM.
o During a live analysis, a disk is loaded to the live machine and a virtual
session is initiated with a set of examination tools.

The following figure shows a boot disk that allows you to conduct live forensics as
well as investigations:

[Figure: E-fense's HELIX Incident Response, Electronic Discovery, and Computer
Forensics Boot Disk]

COMPUTER ANALYSIS FOR THE HACKER DEFENDER PROGRAM


 Hacker Defender hides files from the user.
 Rootkit artifacts can sometimes be found in physical memory.
o Hacker Defender is a popular rootkit that is capable of hiding processes, files,
and even open ports.
o By default, when Hacker Defender is executed, it hides every file whose name
contains the prefix "hxdef."
o As a result, the file "hxdef100.ini," which is part of Hacker Defender, is
hidden as soon as Hacker Defender executes.
o This file is then hidden from all users and even from Windows Explorer itself.
However, its name and contents still exist in physical memory.
o Using live investigation techniques, you can take a memory snapshot and identify
the file "hxdef100.ini" stored in RAM.
o Figures (a) and (b) show evidence of the Hacker Defender program in the physical
memory of a computer.
Figure (a) Hacker Defender in Physical Memory Using Wetstone's LiveWire

Figure (b) Another View of Hacker Defender in Physical Memory Using Wetstone's LiveWire

 As stated earlier, investigating a computer's system state is an important part of
any investigation.
 It could help glean valuable information in a case and reduce the risk of missing
data that could prove critical to your investigation.
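The memory-snapshot search described above, as an added example that is not code from the chapter: it carves every printable string starting with the rootkit's "hxdef" prefix out of a memory buffer. Windows keeps most strings as UTF-16LE and some (older ANSI APIs, ini files) as 8-bit text, so a scan that looks for only one encoding misses half the artifacts. The snapshot is constructed inline; the paths and ini fragment in it are invented, not a real dump.

```python
"""Carve rootkit file names from a memory snapshot in ASCII and UTF-16LE.

Added example, not code from the chapter. build_sample_snapshot() returns a
constructed buffer, not a real memory image.
"""
import re

_PRINTABLE = rb"[\x20-\x7e]"


def carve_strings(mem: bytes, prefix: str) -> list[tuple[int, str, str]]:
    """(offset, encoding, text) for every printable run that starts with
    `prefix`, matched case-insensitively as ASCII and as UTF-16LE."""
    patterns = [
        ("ascii", re.compile(re.escape(prefix.encode("ascii")) + _PRINTABLE + b"*",
                             re.IGNORECASE)),
        ("utf-16-le", re.compile(re.escape(prefix.encode("utf-16-le"))
                                 + b"(?:" + _PRINTABLE + b"\x00)*", re.IGNORECASE)),
    ]
    hits = []
    for encoding, pattern in patterns:
        for m in pattern.finditer(mem):
            hits.append((m.start(), encoding, m.group().decode(encoding)))
    return sorted(hits)


def rootkit_artifacts(mem: bytes, prefix: str = "hxdef") -> list[str]:
    """Distinct names/patterns carrying the rootkit prefix, in offset order."""
    seen: list[str] = []
    for _, _, text in carve_strings(mem, prefix):
        if text not in seen:
            seen.append(text)
    return seen


def build_sample_snapshot() -> bytes:
    """Constructed snapshot: binary filler, an ANSI path, a UTF-16LE file name
    as Explorer would hold it, and an ini-style fragment listing what to hide."""
    return b"".join([
        bytes(range(256)) * 2,
        b"C:\\WINDOWS\\system32\\hxdef100.exe\x00",
        b"\x00" * 33,
        "hxdef100.ini".encode("utf-16-le") + b"\x00\x00",
        b"[Hidden Table]\r\nhxdef*\r\nrcmd.exe\r\n",
        bytes(reversed(range(256))),
    ])


if __name__ == "__main__":
    for offset, encoding, text in carve_strings(build_sample_snapshot(), "hxdef"):
        print(f"{offset:#08x}  {encoding:<9}  {text}")
```

A hit proves only that the string was in memory, not that the rootkit ran; pair it with the process and port cross-check, and record the offset so the finding can be reproduced from the preserved memory image.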

NETWORK ANALYSIS
 Data obtained from firewall logs, routers, intrusion detection systems, and so on
are equally important to an examiner in obtaining the big picture.
 In the Hacker Defender case presented earlier, a defense attorney may argue
that his client’s machine was compromised and could not have committed
the crime.
 A review of the firewall logs may show that the Hacker Defender activity from
this computer was blocked, making this argument about the rootkit a moot
point.
 As a live investigator, you should try to gain as much information about the
network activity as possible.
 Install a packet sniffer (with the appropriate permission, of course) and conduct
a packet analysis of the traffic.
 Using this technique, you could determine if someone is connected to the box
before conducting an analysis on the target machine.
 Look for evidence beyond the target computer.
 Understanding the network where the system resides can help when conducting
a live investigation.
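The firewall-log check that answers the "my client's machine was compromised" argument, as an added example that is not code from the chapter: it parses perimeter log lines, counts how many connections to the rootkit's backdoor port were allowed versus dropped in a time window, and lists the suspect host's own outbound sessions (a reverse connection would show up there even when inbound is blocked). The log lines are constructed in a generic key=value syslog style, not any vendor's real format; the suspect host 192.168.1.20 and backdoor port 31337 are assumptions.

```python
"""Correlate perimeter firewall logs with a host-based rootkit finding.

Added example, not code from the chapter. FIREWALL_LOG is constructed sample
data in an invented key=value format; the addresses and ports are made up.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Optional

FIREWALL_LOG = """\
2023-03-14T09:58:02 fw1 action=ALLOW proto=TCP src=192.168.1.20 spt=1054 dst=10.0.0.5 dpt=80
2023-03-14T10:01:15 fw1 action=DROP proto=TCP src=198.51.100.7 spt=4444 dst=192.168.1.20 dpt=31337
2023-03-14T10:01:18 fw1 action=DROP proto=TCP src=198.51.100.7 spt=4445 dst=192.168.1.20 dpt=31337
2023-03-14T10:02:40 fw1 action=ALLOW proto=TCP src=192.168.1.20 spt=1061 dst=203.0.113.9 dpt=443
2023-03-14T10:05:00 fw1 action=DROP proto=TCP src=203.0.113.44 spt=51002 dst=192.168.1.20 dpt=31337
2023-03-14T11:30:10 fw1 action=ALLOW proto=TCP src=192.168.1.20 spt=1099 dst=10.0.0.5 dpt=80
"""

_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
_KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text: str) -> list[dict]:
    """One dict per line: datetime 'ts', 'host', and the key=value fields with
    ports as int. Lines missing the fields we need are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        ts, host, rest = m.groups()
        fields = dict(_KV_RE.findall(rest))
        if not {"action", "src", "dst", "dpt"}.issubset(fields):
            continue
        ev = {"ts": datetime.fromisoformat(ts), "host": host, **fields}
        for k in ("spt", "dpt"):
            if k in ev:
                ev[k] = int(ev[k])
        events.append(ev)
    return events


def backdoor_exposure(events: list[dict], host: str, port: int,
                      start: Optional[datetime] = None,
                      end: Optional[datetime] = None) -> dict:
    """Inbound traffic to host:port within [start, end]: allowed vs dropped
    counts and the set of remote addresses that tried."""
    allowed = dropped = 0
    peers = set()
    for ev in events:
        if (start and ev["ts"] < start) or (end and ev["ts"] > end):
            continue
        if ev["dst"] == host and ev["dpt"] == port:
            peers.add(ev["src"])
            if ev["action"] == "ALLOW":
                allowed += 1
            else:
                dropped += 1
    return {"inbound_allowed": allowed, "inbound_dropped": dropped, "remote_peers": peers}


def outbound_peers(events: list[dict], host: str) -> Counter:
    """Allowed outbound sessions from host, counted by (destination, port)."""
    return Counter((ev["dst"], ev["dpt"]) for ev in events
                   if ev["src"] == host and ev["action"] == "ALLOW")


if __name__ == "__main__":
    events = parse_log(FIREWALL_LOG)
    print("inbound to backdoor port:", backdoor_exposure(events, "192.168.1.20", 31337))
    print("outbound from suspect host:", dict(outbound_peers(events, "192.168.1.20")))
```

Zero allowed inbound connections at the perimeter rules out control from the Internet, not control from inside the LAN, so keep the internal switch or host firewall logs in scope before drawing the conclusion the chapter describes.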
LEGAL ISSUES OF INTERCEPTING WI-FI TRANSMISSION
WiFi Technology
 WiFi is a colloquial term referring to a wireless communication
technology described in the IEEE’s 802.11 body of standards.
 WiFi covers both infrared and RF as mediums for communication—
but most WiFi devices operate in the 2.4GHz or 5GHz RF bands.
 WiFi access points use an open system architecture as their default
settings—therefore additional measures such as encryption must be
configured to control network access, authentication, and privacy.

 WiFi (often, though not officially, expanded as "wireless fidelity") encompasses a
number of standards that enable computers and other devices to connect wirelessly
to local area networks.
 The IEEE 802 family of standards enables two or more devices to communicate within
a network. Most notable of these standards is 802.3, the specification for Ethernet.
 The Ethernet standard describes a method of physical communication in a local area
network (LAN).
 WiFi is addressed by the IEEE as being attributable only to the 802.11b standard;
however, in practice, and in this chapter, the 802.11a,, 802.11b, and 802.11g
standards, as well as associated devices, are all considered WiFi (the later
802.11n, ac and ax amendments are treated the same way).
 Information on the IEEE 802 standard can be found on the IEEE Web site at
www.ieee.org/about/802std.
Authentication and Privacy in the 802.11 Standard:

 Wireless networks are different from a physical wired network.
 To join a physical network, one must have physical access to the network in order
to connect to it.
 Therefore, physical security plays a significant role in authenticating users on a
physical network.
 Wireless networks, on the other hand, do not stay neatly contained within the
walls of a building—who’s allowed on a WLAN is handled through
authentication.
 Authentication is defined in the 802 standard as “The service used to
establish the identity of one station as a member of the set of stations
authorized to associate with another station.”
 One manner is to limit access through MAC address authentication. In this process,
the access point holds a list of authorized MAC addresses.
 Only network interface cards with MAC addresses on the authorized list will be
allowed to connect to the WLAN.
 Media access control (MAC) addresses are unique numbers associated with each
network interface card, including wireless network interface cards. Unique is a
relative term here: a number of software utilities exist to change the MAC address
of a network interface card, and the authorized addresses travel in the clear in
every frame, so anyone sniffing the network can copy one. MAC filtering stops only
casual joiners.
 Encryption is another method used to control authentication.
 Encryption controls authentication by limiting the decryption of WLAN signals.
 Authorized users must possess the appropriate secret key to decrypt the
signal—and in fact must have the proper credentials even to connect to the
access point at all.
 WEP is an acronym for Wired Equivalent Privacy. WEP encrypts data with the RC4
stream cipher, keyed with a 24-bit initialization vector (sent in the clear)
prepended to the shared network key; the weakness lies in how that key and IV are
used rather than in the choice of cipher alone.
 All users on a WEP'd WiFi network share the same network key, and the passage of
traffic is readily observable.
 Without going into a detailed cryptography discussion: depending on the number of
users and the amount of network traffic, the key can be recovered in as little as a
few minutes, because the 24-bit IV space is exhausted quickly and the resulting
keystream reuse, combined with statistical weaknesses in RC4's first output bytes,
lets an eavesdropper recover the key from captured traffic alone. WEP was
deprecated by the IEEE in 2004 (802.11i) and should be treated as no encryption;
its only remaining use is with legacy devices that support nothing better.
 WPA (and WPA2) is an acronym for WiFi Protected Access. WPA with TKIP still uses
RC4, but with a per-packet key, a 48-bit sequence counter in place of the 24-bit
IV, and a message integrity check; WPA2 replaces RC4 with AES in CCMP mode.
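Why a shared key with a 24-bit IV fails, shown with an added example that is not code from the chapter and uses a simplified model of WEP (RC4 keyed with IV || shared key, the 3-byte IV sent in the clear ahead of the ciphertext, no CRC-32 ICV). It shows what a purely passive eavesdropper can do: every 802.11 data frame begins with the same LLC/SNAP header, so the first bytes of keystream under any IV are recoverable, and once one frame's whole plaintext is known (say, one the eavesdropper induced), every other frame sent under the same IV by any station is decrypted in full. The shared key and frames are constructed. The statistical attacks that recover the key itself (FMS, PTW) build on this reuse and are not shown.

```python
"""WEP keystream reuse: what a passive listener recovers without the key.

Added example, not code from the chapter; a simplified WEP model (no ICV).
SHARED_KEY, IV and the two frames below are constructed.
"""
from collections import Counter

SNAP_HEADER = bytes.fromhex("aaaa030000000800")  # LLC/SNAP header, IPv4 ethertype


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of generator output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as WEP sends it: IV in the clear, then RC4(IV||key) XOR data."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    ks = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def recover_keystream(frame: bytes, known_plaintext: bytes) -> tuple[bytes, bytes]:
    """From a captured frame and however much of its plaintext is known,
    return (iv, keystream prefix). No key is needed."""
    iv, body = frame[:3], frame[3:]
    return iv, bytes(c ^ p for c, p in zip(body, known_plaintext))


def decrypt_with_keystream(frame: bytes, iv: bytes, keystream: bytes) -> bytes:
    """Decrypt another frame that reused the same IV, hence the same keystream."""
    if frame[:3] != iv:
        raise ValueError("different IV: this keystream does not apply")
    return bytes(c ^ k for c, k in zip(frame[3:], keystream))


def iv_reuse(frames: list[bytes]) -> dict[bytes, int]:
    """IVs seen more than once in a capture: each one is a keystream reuse."""
    counts = Counter(f[:3] for f in frames)
    return {iv: n for iv, n in counts.items() if n > 1}


# --- constructed scenario -------------------------------------------------
SHARED_KEY = bytes.fromhex("0badc0ffee")                  # 40-bit WEP key (invented)
IV = bytes.fromhex("000001")                              # many cards start at 0 and count up
PLAINTEXT_A = SNAP_HEADER + b"ICMP echo request with a payload the attacker chose.."
PLAINTEXT_B = SNAP_HEADER + b"POST /login user=alice&pw=hunter2"
FRAME_A = wep_encrypt(SHARED_KEY, IV, PLAINTEXT_A)        # station A, plaintext known
FRAME_B = wep_encrypt(SHARED_KEY, IV, PLAINTEXT_B)        # station B, same IV


def eavesdrop() -> bytes:
    """What the listener reads from FRAME_B using only FRAME_A's known plaintext."""
    iv, keystream = recover_keystream(FRAME_A, PLAINTEXT_A)
    return decrypt_with_keystream(FRAME_B, iv, keystream)


if __name__ == "__main__":
    print("reused IVs :", {iv.hex(): n for iv, n in iv_reuse([FRAME_A, FRAME_B]).items()})
    print("recovered  :", eavesdrop())
```

With 2^24 IVs and a busy access point, collisions arrive within hours even when the IV is chosen at random, and immediately when stations reset their counters; WPA's 48-bit sequence counter and per-packet key derivation exist precisely to close this gap.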

Privacy:
 In a wired LAN, privacy is controlled by the routing and switching of information.
 Routers and switches on a LAN control the flow of information so that devices on a
switched LAN get only data sent through their cable that is specifically addressed
to them or is broadcast data addressed to all devices (an old-style hub, by
contrast, repeats every frame to every port).

UNDERSTANDING WIFI RF
 802.11 WiFi networks use an unlicensed band of the RF spectrum
set aside for industrial, scientific and medical (ISM) use.
 The ISM band generally is considered open to the general public.
 The FCC regulates the ownership of the RF spectrum. If the FCC issues a
license to a particular person or organization, the FCC must closely regulate
the output wattage of the licensee and the licensee’s neighbors to ensure that
there is no interference on either licensee’s area of coverage.
 What makes the 802.11 so available and so ubiquitous is its use of an
unlicensed portion of the radio frequency spectrum set aside for industrial,
scientific, and medical (ISM) use.
 Users of the unlicensed ISM band do not need to purchase rights or
ownership of a particular frequency.
 Cordless phones, remote car starters, baby monitors all use this small section
of unlicensed spectrum.
 Most importantly, there is no license holder that can prohibit others from
trespassing on their spectrum holdings.
 In summary, it is generally accepted that the ISM bands are open to the
general public.

SCANNING RF
 Scanning is a well-documented practice of listening to RF
transmissions.
 A specific piece of legislation made the manufacture and sale of
equipment to monitor cellular communications illegal.
 There is no legislation that criminalizes the manufacture, sale, or
possession of equipment to monitor or intercept WiFi—in fact
thesame equipment used to connect to a WiFi network is used to
monitor traffic on a WiFi network.
 The airwaves are full of signals in a variety of frequencies; television
broadcasts, emergency services radio dispatches, FM radios, pagers, and cellular
telephones are just a few of these signals.
 Technically, we are always receiving these signals whenever the energy hits our
bodies, but in order to make sense of the signals, we need special equipment to
decode or interpret the signal.
 Generally speaking, a device designed to be tunable to a wide variety of
frequencies for the intent of listening in on any communications is called a
scanner.
 There are scanners that focus on voice communications—a fire/police
scanner for example would enable someone to listen in on the
communications of their local emergency services.
 There are scanners that focus on video feeds—for example there is a
specialized scanner that attempts to listen in on security cameras that send
their images to the main security panel via a radio link.
 Some of these types of communication use more complicated protocols, or
specific codified languages, that enable two or more electronic devices to
communicate with one another.
 Digital protocols are demonstrative of this in that the analog signal (a sine
wave) is modulated to form approximately-square peaks and valleys that
represent 1’s and 0’s of a digital message.
 Until 1992, it was legal to purchase scanning equipment capable of listening in on
cellular phone conversations. In 1992, Public Law 102–556, the Telephone
Disclosure and Dispute Resolution Act, was passed, amending the Communications Act
of 1934.
 The act, which is codified at 47 U.S.C. § 302a(d), prohibits the authorization,
manufacture, or import of scanning equipment capable of:
(A) receiving transmissions in the frequencies allocated to the domestic
cellular radio telecommunications service,
(B) readily being altered by the user to receive transmissions in such
frequencies, or
(C) being equipped with decoders that convert digital cellular transmissions
to analog voice audio.
 Further, the cellular carriers themselves enhanced cell phone users’
expectation of privacy by phasing-in protocols that cause cellular phones to
hop around a group of frequencies, thus making scanning of any one
particular cellular phone or phone call very difficult.
 Therefore, any electronic monitoring of cellular telephone conversations by
government agents without appropriate legal authorization would constitute an
unconstitutional search in violation of the Fourth Amendment, and interception by
private parties is prohibited by the ECPA.

EAVESDROPPING on WiFi
 A legal framework exists around the legality of both wiretaps and unlawfully
accessing computer systems, including the Telecommunications Act, the Computer
Fraud and Abuse Act, and the Electronic Communications Privacy Act.
 Applicable federal statutes do not appear to govern eavesdropping on private WiFi
communications.
 The skill required to eavesdrop on WiFi transmissions is not prohibitive, and the
technology, both hardware and software, is the same ordinary equipment used to
connect to a WiFi network.
 A number of software products are available that both find and listen in on
WiFi transmissions.
 For the most part, these software packages are completely legitimate
network analyzers used by network administrators to debug networks and to
find access points that have been installed illegitimately on the network.
 Every communication over the WLAN that is not encrypted can be grabbed from the
airwaves and viewed.
 MAC authentication applies only to devices that wish to connect to the network.
Limiting who connects to a network does keep the overall network safer,
particularly the information on other devices on the network, but it does nothing
to prevent people from intercepting unencrypted transmissions.
Legal Framework:
 The legality of WiFi eavesdropping must look at how existing laws relate to WiFi
technology.
 As we shall see, federal statutes relating to the interception of various types of
electronic communications do not appear to govern the interception of WiFi
transmissions.
The Electronic Communications Privacy Act (ECPA):
 WiFi transmissions fall within the meaning of electronic communications as
defined in the ECPA,
 Unless the signals transmitted by WiFi devices are encrypted, they are
accessible to the general public.
 Therefore, ECPA does not govern the interception of non-encrypted WiFi
signals that are not sent by a common carrier.
 WiFi transmissions would fall within the meaning of “electronic
communications” under the ECPA.
 The ECPA prohibits the interception of any electronic communications,
regardless of the physical media of transport.
 The ECPA defines electronic communication as “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photo electronic or photo-optical system that affects interstate or foreign commerce.”
 Therefore the use of WLANs to transmit data, particularly if connected to the
Internet, would be considered “electronic communications” within the
meaning of the ECPA.
 By default, WiFi transmissions are not scrambled or encrypted: the default setting for the 802.11 standard is open system authentication with no encryption.
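The point that 802.11 defaults to open system authentication with no encryption is exactly what a network administrator's analyzer checks for when it hunts for open or rogue access points on the administrator's own network. The Python below is an added example (it is not code from these notes or from any product the notes mention): it constructs three beacon frames following the IEEE 802.11 management-frame layout, parses the capability field and the SSID, RSN and vendor information elements, and flags every network whose traffic would cross the air in the clear. The BSSIDs, SSIDs and frames are all constructed; only the frame layout and element IDs come from the standard.

```python
"""Audit constructed 802.11 beacon frames for access points that advertise
no encryption.  Added example: the frames below are constructed, not captured."""
import struct

SSID_TAG = 0            # information element IDs from IEEE 802.11
RSN_TAG = 48            # RSN element present: WPA2/WPA3 in use
VENDOR_TAG = 221        # vendor-specific element
WPA1_OUI_TYPE = b"\x00\x50\xf2\x01"   # Microsoft OUI, type 1 = WPA (pre-802.11i)
PRIVACY_BIT = 0x0010    # capability information field, bit 4


def build_beacon(bssid: bytes, ssid: str, privacy: bool, extra_ies: bytes = b"") -> bytes:
    """Construct a minimal beacon (management frame, type 0, subtype 8)."""
    # frame control 0x0080, duration 0, addr1 broadcast, addr2 and addr3 = BSSID, seq ctl 0
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    capability = 0x0001 | (PRIVACY_BIT if privacy else 0)    # ESS bit always set
    fixed = struct.pack("<QHH", 0, 100, capability)          # timestamp, interval, capability
    ssid_ie = bytes([SSID_TAG, len(ssid)]) + ssid.encode()
    return header + fixed + ssid_ie + extra_ies


def parse_beacon(frame: bytes) -> dict:
    """Return BSSID, SSID and the security mode advertised by one beacon frame."""
    if len(frame) < 36:
        raise ValueError("frame too short to be a beacon")
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])       # addr3
    capability = struct.unpack_from("<H", frame, 34)[0]      # after 8-byte timestamp, 2-byte interval
    ssid, has_rsn, has_wpa1 = "<hidden>", False, False
    pos = 36
    while pos + 2 <= len(frame):                             # walk the tagged elements
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:                               # truncated element: stop, don't guess
            break
        if tag == SSID_TAG and length:
            ssid = body.decode("utf-8", "replace")
        elif tag == RSN_TAG:
            has_rsn = True
        elif tag == VENDOR_TAG and body.startswith(WPA1_OUI_TYPE):
            has_wpa1 = True
        pos += 2 + length
    if not capability & PRIVACY_BIT:
        mode = "OPEN"            # frames on this network are readable by anyone in range
    elif has_rsn:
        mode = "RSN"
    elif has_wpa1:
        mode = "WPA1"
    else:
        mode = "WEP"             # privacy bit set but no RSN/WPA element advertised
    return {"bssid": bssid, "ssid": ssid, "security": mode}


def find_open_networks(frames) -> list:
    """(ssid, bssid) of every beacon whose traffic would go over the air in the clear."""
    return [(b["ssid"], b["bssid"]) for b in map(parse_beacon, frames) if b["security"] == "OPEN"]


# Constructed sample: one open AP, one WPA2 AP, one WEP AP (locally administered MACs).
RSN_IE = bytes([RSN_TAG, 2]) + b"\x01\x00"                  # RSN element carrying only version 1
SAMPLE_FRAMES = [
    build_beacon(b"\x02\x00\x00\x00\x00\x01", "CoffeeShop-Free", privacy=False),
    build_beacon(b"\x02\x00\x00\x00\x00\x02", "OfficeLAN", privacy=True, extra_ies=RSN_IE),
    build_beacon(b"\x02\x00\x00\x00\x00\x03", "LegacyPrinter", privacy=True),
]

if __name__ == "__main__":
    for ssid, bssid in find_open_networks(SAMPLE_FRAMES):
        print(f"open network: {ssid!r} ({bssid})")
```

Run against frames from a real capture of your own network, the same parser lists every access point whose clients' unencrypted traffic could be read by anyone in radio range, which is the condition the text above describes; beacons that an administrator does not recognize are the "installed illegitimately" access points the analyzers are used to find.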
Telecommunications Act:
 The Telecommunications Act also does not appear to govern WiFi
interceptions because WiFi communications can be available to the general
public.
Computer Fraud and Abuse Act:
 The Computer Fraud and Abuse Act (CFAA) does not appear to apply to the interception of WiFi signals, as the Act is focused primarily on accessing computer systems.
 The first six major statutory violations are centered on unauthorized access
to a computer system, and the seventh concerns making threats of damage
against a protected system.
1. Intentional access to a computer with sensitive government information.
2. Intentional access to a computer, without authorization or exceeding authorized access, to obtain financial information from a financial institution or card issuer, any U.S. government files, or information from a protected computer related to interstate or foreign commerce.
3. Intentionally, without authorization, accessing any nonpublic computer of a department or agency of the United States.
4. Knowingly and with intent to defraud, accessing a protected computer without authorization, or exceeding authorized access, in order to commit or further a fraud.
5. Accessing a protected computer and knowingly disseminating malicious code or causing damage, reckless or otherwise, or attempted access that would have caused loss of $5,000 or more, physical harm, modification of medical treatment, a threat to public safety, or damage to a government system.
6. Knowingly, and with intent to defraud, trafficking in any password or similar information through which a computer may be accessed without authorization, if—
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States.
7. With intent to extort any money or other thing of value, transmitting any communication containing any threat to cause damage to a protected computer.

FOURTH AMENDMENT EXPECTATION OF PRIVACY IN WLANS

 Although Congress has chosen not to prohibit the interception of WiFi traffic via statute, cyber crime investigators, as law enforcement officers, are still prohibited by the Fourth Amendment from engaging in unreasonable searches.
 The constitutional protection against unreasonable searches extends only to those areas in which the subject of the search has exhibited an actual (subjective) expectation of privacy and that expectation is one that society is prepared to recognize as “reasonable.”
 “The Fourth Amendment protection of the home has never been extended to require law enforcement officers to shield their eyes when passing by a home on public thoroughfares.”

1. Write the cyber investigation roles.
2. Explain the role as a cybercrime investigator.
3. Narrate the role of law enforcement officers.
4. Explain the role of the prosecuting attorney.
5. Explicate post mortem versus live forensics.
6. Write about the computer analysis for the hacker defender program.
7. Narrate the Wi-Fi technology.
8. Explain about the Wi-Fi RF.
9. Write about eavesdropping on Wi-Fi.
10. Explain the scanning of RF.
11. Is it possible to commit a crime when conducting a cyber crime investigation?
12. Can I monitor my employees’ e-mails and Internet activity?
13. How long will an ISP retain data?
UNIT – IV
SEIZURE OF DIGITAL INFORMATION
INTRODUCTION

 Computers and digital devices are employed by the majority of people in the U.S. for
myriad business and personal uses.
 Because of the wide acceptance of computers in our daily lives, it is reasonable to
conclude that people will use a computer to assist them in the commission of crimes,
record aspects of crimes on a computer, and use computers to store the fruits of their
crimes or contraband.
 The current model of digital evidence seizure is focused on physical hardware, which is
appropriate in most situations.
 The legal framework, the established workflows of existing computer forensic best
practices, and the fear of the unknown will all play a part in determining how quickly the
digital evidence seizure methodologies are adjusted to accept other options besides
wholesale hardware seizure.
 As the author and a member of the greater crime-with-a-cyber-component community, I hope this work serves to create discussion between the disparate communities on the appropriateness of both the familiar and innovative methods to seize digital evidence.
 Finally, we will discuss a number of options available for seizure of information,
including the on-scene preview of information, the seizure of data held in the computer’s
RAM, on-scene imaging of entire hard drives, and the on-scene imaging of specific data
objects.

DEFINING DIGITAL EVIDENCE


 Black’s Law Dictionary, the bible of legal definitions, provides several definitions for evidence (Nolan, 1990).
 One of the definitions reads “Testimony, writings, or material objects offered in proof of
an alleged fact or proposition.”
 I have to say it is rather refreshing to have a generally straightforward and concise legal
definition; generally, I don’t equate straightforward and concise with legal…well…
anything.
 Black’s definition of evidence as applied to digital evidence can be viewed in two ways.
 First, we can examine the computer itself as the evidence.
 Building on the view of the computer as evidence, many assert that the information on
the computer requires the original computer to view the contents.
 In other words, the original computer, along the lines of how the best evidence rule requires the “original” whenever possible, may have an impact on how the information on the computer was actually viewed by the suspect.
 A second way to view Black’s definition is that the information, or data objects,
contained on the digital storage medium are the “testimony, writings, or material objects”
offered in proof of an alleged fact.
 The next logical conclusion being that warrants can be issued for information that is
evidence of a crime—but do the courts interpret using specific files or data objects as
evidence, or should the focus be on the physical storage devices? Here, we consult the
United States Department of Justice’s Computer Crime and Intellectual Property
Section’s document titled Searching and Seizing Computers and Obtaining Electronic
Evidence in Criminal Investigations.
 Further, you may be more inclined to call your “computer forensic” efforts simple
“evidence collection” and remove the requirement for expert classification at trial.

DIGITAL EVIDENCE SEIZURE METHODOLOGY


 The proliferation of personal computers changed how computers were
involved in criminal issues.
 In the past, computers were often used primarily as the attack platform or target of the attack—now the more personal use of computers creates a situation where the computer is the storehouse of evidence relating to almost every type of crime imaginable.
 The result is that more computers are involved in some manner in crime
and that more computers need to be examined for information of
evidentiary value.
 But before they can be examined, they must be seized.
 To fill this apparent gap in need versus capability, state and local law
enforcement agents have become involved in recovering digital evidence
from a crime scene where a computer is directly involved.
 Not only are state and local investigators faced with dealing with a new
type of crime, but they are also asked to perform the seizures of digital
evidence.
 The on-scene responders/investigators often know very little about
computers and often have not been instructed on how to “properly” seize
digital information.

 Over time, it became accepted to use the seizure methods focused on the seizure of the physical hardware for the seizure of digital information.
 The current manner of seizure of computer hardware expects that the on-scene responder has a general knowledge about computers—to the level of “THIS is a keyboard, THIS is a mouse, THERE is no ‘any’ key,” and so on.
 If found, these data objects are usually included in a forensic findings report and are printed out or copied to other media and then provided to the investigator and prosecutors.
 Figure 7.1 outlines the steps of the traditional method for seizing computer hardware.

[Figure 7.1: the traditional method for seizing computer hardware; image not reproduced]
SEIZURE METHODOLOGY IN DEPTH
 The fact is that the world is a messy place. Our responders need to understand that they need to have a methodology in place that allows them to work through more complicated scenes, such as finding dozens of computers or dozens of pieces of removable media or hundreds of CDs.
 The steps presented in Figure 7.2 are representative of current seizure methodology, but the steps have been crafted to provide higher-level guidance about approaching nonstandard seizure scenes, specifically the “Seize All Hardware and Media” step.
 It is also assumed that the responder has a properly drafted warrant that identifies the information to be seized and outlines that an offsite examination of the media may be required if the situation makes the on-scene seizure infeasible.

Step 1: Digital Media Identification


 The first step is to begin to canvas the scene in an attempt to locate the digital media that you believe has the highest probability of containing the evidentiary information described in the warrant.
 Taking a step beyond the simple situations, one needs to also consider removable media such as flash drives and CDs or DVDs. Flash drives are often held as personal file cabinets and may contain information of a personal nature.
 Look for flash drives on key chains, watches, in cameras, and just about anywhere—flash media can be unbelievably small.
 On the other hand, the same collector may be accused of taking pictures of children being victimized, and in this case the search should definitely focus on small flash media–type storage cards that could be used in a digital camera and/or be used to store and hide coveted images.
 Documentation is part of every step, so this won’t be the last time you see it mentioned. Nevertheless, it’s worth mentioning here as a reminder. While conducting the search for digital media, it may be appropriate to narrate your movements into a voice recorder and to photograph the found media in place before moving it.
Step 2: Minimizing the Crime Scene by Prioritizing the Physical Media
 After all the digital media is identified, an effort must be made to determine which storage devices or pieces of media have the highest probability of containing the information described in the warrant. Why? Because at some point in time, it will be impractical to seize all the digital devices, removable media, and storage media at a crime scene. At the current time, it may be possible to walk into a residence and only find one computer and maybe a few CDs.
 The responder must make some tough decisions about where she believes the information will most likely be found. One suggestion is to prepare a prioritized ranking to help decide which storage devices and pieces of media should be seized for offsite review.
 The prioritized ranking is also critical in deciding which devices or pieces of media are previewed on-scene—one of the options we’ll be discussing later in this chapter.
Step 3: Seizure of Storage Devices and Media
 The seizure itself is rather straightforward. After the scene is secured and it is determined that the hardware must be seized, the investigator begins by labeling all the connections/wires attached to the computer.
 Be meticulous in the labeling of wires and thorough in your documentation. It’s a good practice to label both the end of a cable and place a matching label where the cable connects—for instance, label a monitor’s VGA cable B1 and label the computer’s VGA port as B1'; label the monitor’s power cable plug as B2 and label the wall outlet as B2'.
 Photograph as many relevant objects and seizure steps as you see fit—digital photos are basically free and can be burned to disk and added to the case file. Don’t forget to remove the sticky labels from the power outlets once they have been photographed.
 After the computer has been labeled, documented, and photographed, disassemble the components and prepare the computer case for shipment. Best practices state that an unformatted floppy disk should be placed in the floppy drive with a piece of evidence tape sticking out like a flag.
 The presence of the disk in the floppy drive may prevent an accidental boot to the hard drive—but the new trend from computer and laptop manufacturers is to omit the standard floppy drives entirely, so this recommendation may be deprecated over time.
 Other options available to prevent an accidental boot are to unplug the power to the hard drive in a desktop machine and remove the battery from a laptop. Some recommend placing evidence tape over the external drives, including the floppy drive and any CD/DVD drives.
FACTORS LIMITING THE WHOLESALE SEIZURE OF HARDWARE

 Earlier we contrasted the historic seizure context versus the current context and discussed how the historic context placed a focus on the on-scene seizure of data objects, as compared with the current situation where the focus of the on-scene activities is to seize all the physical containers.
 I suggest we are heading toward a similar impracticality—although this time our inability to seize all the information is based on a number of different factors, including massively large storage arrays, whole disk encryption, the abundance of non-evidentiary information on media and related privacy concerns, and the time involved in laboratory forensic analysis.
 At some point in the future, the process by which we image entire pieces of media for forensic analysis will become obsolete (Hosmer, 2006).
 I suggest we make the distinction that there are other options beyond wholesale seizure available to our responders.
 We need to train our responders to have the ability to perform on-scene data preview, full data-image, and imaging of only the relevant data objects. Further, we need to begin to change the wholesale seizure paradigm now—for all responders, not just the specialists—before we are faced with a greater volume of cases we are ill prepared to address.
Size of Media
 Storage devices are getting big—very big. Now, at the end of 2006, it is quite common for a single hard drive to contain 100 gigabytes of information—roughly equivalent to a library floor of academic journals.
 Storage is relatively cheap, and people are taking advantage of the extra space by storing music and movies and creating mirrored backups (RAID 1 arrays).
 What exactly happens when the full 1.5 TB RAID and 200 DVDs are seized and brought back to the forensic laboratory for analysis? Do you actually have the hardware and software to acquire and process that much data? If the laboratory is not a regional or state lab, but a small laboratory set up at the local agency, the answer might be yes—but processing the case might use the entire budget set aside for target drives for the entire year for that one case.
Disk Encryption
 A number of encryption programs exist now that provide whole disk encryption, a common one being PGP from pgp.com. These types of encryption programs encrypt all the data on the hard drive and are generally transparent to the user, meaning that one password in the startup sequence “unlocks” the contents for viewing and editing.
 Of course, looming on the horizon is the Windows Vista operating system, purported to incorporate BitLocker Drive Encryption tied to the Trusted Platform Module cryptographic chip in the higher-end versions of the operating system.
 This would prevent an image of the drive from being booted in another computer or viewed with a computer forensics program.
 The use of disk encryption is forcing law enforcement to have other data seizure options available beyond the seizure of physical hardware.
Privacy Concerns
 Personal computers often contain myriad information about a person’s life, including financial, medical, and other personal information, information related to their job (such as work products), and even information owned by several people, possibly a spouse, family member, or roommate.
 It’s unclear how the criminal and civil courts would view a challenge from an impacted third party regarding the seizure of a common computer. However, if that third party maintained a blog or Web site, their information may be protected from seizure under the Privacy Protection Act (PPA) (42 U.S.C. § 2000aa).
 The PPA was specifically developed to provide journalists with protection from warrants issued to obtain information about sources or people addressed in their publications.
 The PPA reads “…it shall be unlawful for a government officer or employee, in connection with the investigation or prosecution of a criminal offense, to search for or seize any work product materials possessed by a person reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication.”
 The PPA may not protect the person that possesses the information if that person is suspected of committing the criminal offenses to which the materials are related. Simply put, if you committed a crime and you have publishable information related to that crime on your computer, that information most likely will not be protected under the PPA.
Delays Related to Laboratory Analysis
 If investigators of crimes involving a computer rely completely and absolutely on their computer forensic laboratory for the processing of their seized hardware in search of evidence, they are at the mercy of the timing dictated by the laboratory.
 From my experience, a computer forensic laboratory can process anywhere from 30 to 60 cases per examiner per year; possibly more depending on the types of cases they work and their equipment, but considering most forensic laboratories are government agencies, I doubt they are operating year after year on the most current computers available.
 To make matters worse, the increase in the size of storage media has far outpaced the increases in processor power.
 The same $500 that could afford a 100MB drive in 1991 can now put a 750GB drive in your pocket.
 One investigator I interviewed about this type of situation described a child pornography possession case where there was a chance that the accused possessor was also creating and distributing images of child sexual abuse.
 Unfortunately, the investigator had no means to preview the digital information on-scene, nor back at the department, nor did the investigator have the ability to perform a digital information analysis in-house.
Protecting the Time of the Most Highly Trained Personnel
 Digital devices have become almost completely ubiquitous in our current society.
 The legends of “convergence” are slowly coming true, where the line between computers, cell phones, cameras, and so on is now fuzzy and may disappear altogether in the future. IPv6 looms on the horizon and promises to equip every device, from cars to toasters, with an IP address.
 How do we find the time to train our law enforcement community in an entirely new set of skills? What is the balance between knowing enough and making a specialist out of everyone? Determining whether the individual data objects with evidentiary value are seized or the storage media is seized will likely depend on the technical prowess of the responding investigator.
 The general scenario of protecting the time of the most highly trained individuals so that they may focus on the most important issues is not a new concept.
 Those trained in hazardous material response work under a pyramid-like distribution of knowledge; the wide base of the pyramid consists of awareness-level trained people, while the small tip of the pyramid consists of highly trained specialists. Not only are these training levels generally accepted within the hazardous material response community, but they are codified in 29 CFR 1910.120(q)(6).
 The training code establishes the general level of knowledge, the hours of required training, and what can be expected from responders that have achieved each of the training levels.
 The seizure methodology that is developed for the knowledge level of the non-technical responder is in direct conflict with the best possible seizure scenario.
 Any seizure methodology adopted by an agency must be fluid enough to allow a minimally trained responder and a highly trained responder to both seize the digital information in the manner most applicable to their knowledge level.

The Concept of the First Responder

 A second issue is the number of hours of training that could be allotted for first responder training. Will the administration of an organization allow their personnel to take a half-day course on digital evidence seizure? Probably.
 Realistically, though, what could you cover in four hours of instruction? I would guess the limit would be the recognition of digital evidence. So, would a two- or three-day training be sufficient to cover the recognition of digital evidence plus the seizure of digital information? Possibly, but would the people attending that training still be considered first responders or would the additional training necessitate they become specialists in this area? I am doubtful an agency’s administration would agree to send every line officer to a three-day training to be first responders.

OTHER OPTIONS FOR SEIZING DIGITAL EVIDENCE

 The question remains, are there other options besides the seizure of physical devices that are available to responders? If yes, are these methods of seizure within the reach of anyone but the most technical of responders? For a long time, up to and including today, many in the forensics community place little faith in the ability of responders on-scene to deal appropriately with the computers they may encounter.
 The direction was simply “Don’t touch the keyboard. Pull the plug and send everything to the lab.” In many cases, the forensics side of the house is correct to protect against the possible corruption or destruction of data by taking this hard-line approach—particularly based on the technology of yesterday—but at what cost? Although the computer forensics community might have intended to do the most good by promulgating the pull-the-plug mantra, we need to examine how disempowering the on-scene responders may affect the overall forensic process, from seizure through analysis to investigation and ultimately prosecution.
 The latest Search and Seizure of Computers and Obtaining Digital Evidence (Manual), published by the Department of Justice, supports the proposition that the seizure of digital evidence should be an incremental process, based both on the situation and the training level of the responder.
 The Manual describes an incremental approach as a search strategy (pg. 221) for the seizure of digital evidence from a functioning company where the wholesale seizure of all the computers from the company would be impractical.
 The Manual provides the following steps in its incremental approach:

1. After arriving on-scene, Agents will attempt to identify a systems administrator or similar person who would be willing to assist law enforcement in identifying, copying and/or printing out copies of the relevant files or data objects defined in the warrant.
2. If there are no company employees available to assist the Agent, the Agent will ask a computer expert to attempt to locate the computer files described in the warrant and will attempt to make electronic copies of those files. It is assumed that if the Agent is an expert, he/she would be able to proceed with the retrieval of the evidence.
3. If the Agent or expert is unable to retrieve the files, or if the onsite search proves infeasible for technical reasons, then the next option is to create an image of those parts of the computer that are likely to store the information described in the warrant.
4. If imaging proves impractical or impossible for technical reasons, then the Agent is to seize those components and storage media that the Agent reasonably believes include the information described in the warrant.

The Manual has a focus on Federal law enforcement and the incremental.

RESPONDING TO A VICTIM OF A CRIME WHERE DIGITAL EVIDENCE IS INVOLVED


 There is an old saying that all politics are local politics. Although I’m not quite convinced of the particular weight of that adage, I do believe that all crime is local crime.
 The Internet may have created a global community, but crime, even crimes committed over the Internet, will be reported to a local agency.
 It is imperative that local agencies have the ability to field a complaint regarding a crime with a cyber component and be able to respond appropriately.
 I have heard horror stories where complaints of e-mail harassment, auction fraud, and other crimes with a cyber component were just ignored by a local agency.
 Yes, a statement was taken and a report prepared, but no follow-up investigation was conducted.
SEIZURE EXAMPLE
 She believes it is a former co-worker named Sam, who harassed Sally using non-computer-based methods before.
 The officer follows the guidance discussed in the “Responding to a Victim of a Crime Where Digital Evidence Is Involved” section and instructs Sally to print off a copy of the e-mail showing the full header information.
 Sally prints off the e-mail as substantiating proof to back up her complaint, and the officer leaves the scene with a statement from Sally and a copy of the harassing e-mail.
 The investigator then uses the information contained in the e-mail header to contact the e-mail provider, legal paperwork is sent to the provider looking for the account holder’s information, and finally the e-mail is traced back to Sam’s Internet service provider (ISP) account.
 The investigator serves the warrant and finds a single computer at Sam’s home.
 The system is on and, according to the suspect, has a Windows XP operating system.
 Based on the suspect’s assertion that the computer is password-protected, and he has not given the password out to anyone, it is reasonable to believe that the computer is used solely by its owner.
 At this point, the on-scene investigator is staring at a glowing monitor with a happy desktop picture of calming fields and clouds, but the investigator is now faced with a few tough decisions.
In line with the incremental approach described in the Manual, the investigator may have other options available besides wholesale seizure, such as:
■ Previewing information on-scene
■ Obtaining information from a running computer
■ On-scene seizure of information through the complete imaging of the media
■ On-scene seizure of information through the imaging of a specific data object

In the next section, we take a look at the preceding options and discuss how each fits into the larger picture of responding to and investigating crimes with digital evidence.

PREVIEWING ON-SCENE INFORMATION TO DETERMINE THE PRESENCE AND LOCATION OF EVIDENTIARY DATA OBJECTS
 The on-scene responder must make conclusions about where
the information described in the warrant is most likely to be
present on the storage device or media.
 In the case of a CD or DVD, the preview is much less
complicated, as the chances of inadvertently writing to a piece
of optical media are much lower than if they were working
with magnetic-based media.
 With a CD or a DVD, the responder could use a forensics
laptop running any number of computer forensic tools to
quickly acquire and examine the contents of a CD or DVD for
review.
 A similar process could be conducted for flash-based media, although a greater level of care may need to be taken to ensure the media is not changed. Here, flexibility is once again a critical characteristic.
 Previewing a few pieces of optical media on-scene may be appropriate, but greater numbers of media may need to be taken off-scene for review at the laboratory.

IMAGING FINITE DATA OBJECTS ON-SCENE


 The data contained within the computer are reviewed at a later
date for any files or other pieces of information that can help
prove or disprove a given premise.
 From an outsider’s perspective, it would appear as if the seizure of the entire computer is the preferred method of obtaining the evidentiary information, but we’ve established that imaging on-scene is fairly well accepted within the digital investigative community.
 So, are there other options that include the seizure of a finite
number of data objects as evidence? If we can image the
entire hard drive on-scene, there is an argument that we can
image sections of it
 In our case example discussed earlier, where Sam is accused of stalking Sally, let’s assume that an arrest warrant hinged on the presence of the harassing e-mail on Sam’s computer.
 If the preview of the computer showed that the e-mail in question existed on Sam’s computer, and the investigator had the ability to image the PST file that contained the e-mail, the investigator could take Sam into custody at this time and have all the evidence needed to wrap up the case.

COMMON THREADS WITHIN DIGITAL EVIDENCE SEIZURE


 The landscape of potential seizure environments is
complicated and variations are nearly infinite.
 The level of knowledge of the on-scene responders includes a
wide range of skills and abilities. Because the seizure process
will be greatly impacted by the particular hardware and
software arrangements and knowledge of the on-scene
responder, it is not possible to present one correct way to
seize digital evidence, unfortunately.
 What does exist is a continuum of methods mapped against
the complexity of the scene versus the skill of the responders.
 The second thread is that you should seek the seizure method that best minimizes the digital crime scene.
 If you can reasonably come up with an “area”—meaning drive,
directory, file, and so on—where you believe the evidence will
be located, it makes the most sense to look in that specific
location for the digital evidence.
 Limiting or minimizing the crime scene has different
implications based on whether the search for digital evidence
is occurring on-scene, at the station, or back at the forensic
laboratory.
 The third thread is that whatever is seized as having potential evidentiary value must be authenticated by the court before it can be admitted into the case.
 The ability for the court to authenticate the evidence is a significant issue related to digital evidence.
 Authentication is governed by the Federal Rules of Evidence
Rule 901 (28 U.S.C.), which states “The requirement of
authentication or identification as a condition precedent to
admissibility is satisfied by evidence sufficient to support a
finding that the matter in question is what its proponent
claims.”
 Evidence presented to the court can be authenticated a
number of ways, including the identification of distinctive
characteristics or by merely what type of evidence it is, as is
the case for public records.
 Evidence may also be authenticated by way of testimony to
the fact that the matter in question is what it is claimed to be.

DETERMINING THE MOST APPROPRIATE SEIZURE METHOD


 There will be cases where the most appropriate action is to
seize all the physical hardware at a suspect’s location.
Perhaps it is the only option that the minimally trained
responder has at their disposal.
 It’s possible that additional keyword searches need to be
performed or items need to be carved from drive free space,
and both would be better performed in a controlled laboratory
environment.
 There are any number of reasons why the on-scene responder
will choose to seize the physical container, and that’s OK! The
important point is that the most appropriate method of
seizure is chosen to match the responder’s skill level, and
that it appropriately addresses the type of crime.
 The minimization stage may provide the investigator with the
places—computers, storage media, and so on—that have the highest
probability of containing the desired information.
 The second key point is that there are many computers and
laptops that do not allow for easy access to the hard
drives—which would make any attempts to image on-scene
impractical and, as a result, require seizure of the hardware.
 For example, some laptop designs require the majority of the
laptop to be disassembled to gain access to the hard drive.
 I strongly recommend that the disassembly of laptops or other
hardware take place in a controlled laboratory or shop
environment—there are just way too many little pieces and
screws, often with unusual head designs, to be attempting a
disassembly on-scene.
 In these cases, the physical seizure of the computer itself may
be required even if you came prepared to image on-scene.
 The third key point is that there may be other non-digital evidence
that could reside with the physical computer.
 Items such as sticky notes can be found stuck to a monitor;
passwords or Web addresses can be written in pencil or marker
on the computer enclosure.
 We were amazed when bags of marijuana were found inside
the computer enclosure.

CONDUCTING CYBER INVESTIGATIONS

 We often fear most what we don’t understand. That could be said
about computers and the investigation of computer crimes. Many
investigators cringe at the mention of a computer and seek to
offload any computer-related crime to the “computer crime guy”
in their office. Although computers have been around for a few
decades, they’ve finally reached levels where it is feasible to
expect that everyone has access to a computer.
 The computer is no longer a “nice to have,” it is a “must
have.” Those who don’t own their own computers can walk into a
public library or cyber cafe to gain access to a computer. Similarly,
access to the Internet is becoming ubiquitous through
connections provided by libraries, coffee shops, computer stores,
and even fast food restaurants.
 This explosion of computer technology and acceptance has
opened up a whole new world of opportunity to the criminal
element that constantly looks for new ways to exploit people
through time-proven scams and tactics. As computers become
more deeply integrated within society, it is likely that a computer
or similar type device will play a role in criminal activity.
 A basic understanding of computers is all that investigators will
need to learn that computer crime is just plain old crime
packaged up in a shiny new wrapper.

DEMYSTIFYING COMPUTER/CYBER CRIME


 Computers start to play a role in crime in situations where the
capabilities of the computer allow a person to commit that crime
or store information related to the crime.
 An e-mail phishing scam is a common example where the bad
guy generates a fictitious e-mail for the sole purpose of enticing
people to a spoofed site where they are conned into entering
sensitive personal information.
 That sensitive information is then available to the bad guy in order
to perpetrate an identity theft.
 In another example, a suspect might use the computer to scan
and generate fake bank checks, or create fake identification.
 In both of these cases the crime required the inherent capabilities
of the computer for its commission.
 The crimes that are being committed haven’t changed, just the
manner in which they’re being committed.
 Think about it. Back before the Internet, the telephone, the
telegraph, and the Pony Express, if a person wanted to threaten to
kill someone, it was likely they would have to physically place
themselves in proximity to the person and speak that threat.
 As services and technologies developed, new ways emerged
through which a person could commit that same threatening act.
They could send a letter, a telegram, or even better, make a phone
call.
 Now we can send an e-mail or instant message (IM). Same crime;
same underlying elements and facts to be proven.
 The only change is the manner of delivery. The key to a
successful investigation of a computer crime is the development
and follow-up of case leads.
 Although many leads will dead end, it is the one that continues to
develop into further leads that can end up solving your case.
 Many believe that investigations involving computers are
above their capabilities, but that is often not the case. By learning
and adapting some basic computer knowledge and skills, today’s
investigator can react to new technologies and still develop
workable old school leads.
IP ADDRESSES
 Investigators need to know the basics of IP addressing in order to trace users
of the Internet to a physical location. Just as a phone number that shows up on a
caller ID box from a threatening phone call can provide
investigators with a specific starting location for their
investigations, an IP address can provide that same type of lead.
 By understanding what IP addresses are, how they’re assigned,
and who has control over them, an investigator can develop
workable case leads. IP addresses provide a connection point
through which communication can occur between two computers.
Without getting into too much detail about them, it is important
that you understand how to identify an IP address when you see
one.
 These addresses are made up of four 8-bit numbers separated by a
“.”, much like this one: 155.212.56.73. Currently the Internet
operates under the IPv4 (Internet Protocol Version 4) standard. In
IPv4 there are approximately 4 billion IP addresses available for
use over the Internet.
 That number will be expanding in the near future to about 16 billion
times that number when transition is made to IPv6. During the
birth and initial development of today’s Internet, IP addresses
primarily were assigned to computers in order for them to pass
network traffic over the Internet.
 Computers were physically very large, extremely expensive, and
pretty much limited to the organizations that controlled the
primary networks that were part of the primordial Internet. During
this time, an IP address most likely could be traced back to a
specific computer.
 There are a limited number of large organizations that own and
control most of the IP addresses available with IPv4.
 The oldest of the three common connection types (dial-up, cable, and DSL)
is the dial-up modem, which required the use of a telephone line. When users
wanted to connect to the Internet, they would plug the modem installed in
their computer into their phone line and then dial one of the access numbers
provided by the ISP.
 The dial-up modem is the slowest of the available devices, which can
make the transfer of large files a painful process.
 Therefore when dealing with cases that require large file transfers
such as child pornography, it is less likely that a dial-up connection
would be used.
 A distinct advantage of the dial-up modem, though, is its
portability, since the connection can be made on any phone line by
dialing an appropriate access number and providing valid account
information.
 More common today is Internet service provided through TV cable
or through DSL (Digital Subscriber Line); both of these services
provide higher connection speeds making the transfer of large
files relatively easy.
THE EXPLOSION OF NETWORKING
 The router passes network traffic back and forth between the
Internet and all the home computers in the residence connected to
that network router.
 All the network traffic sent from the home computers through the
router to the Internet will be seen as coming from a single IP
address.
 The investigator who traces an IP address back to a router will
need to do more case follow-up at the location to determine if
there is more than one possible computer involved. Analysis of the
router configuration and/or logs may provide more information
about the computer requesting and receiving the illegal traffic,
such as the computer’s hostname, internal IP address, or MAC
address.
 Networks have become commonplace today as the cost and
implementation of computer systems has dropped dramatically.
Years ago, computer systems were very large (room size) and
extremely expensive.
 This limited the organizations that could afford to use computers
in any meaningful way. Today, computers are much more powerful
and affordable. This has allowed both companies and individuals
to purchase and use numerous computer systems to accomplish
specific needs.
 The concept of networks, much like the Internet, allows multiple
computers to become interconnected to each other in order to
share files and resources.
 The computers on the network will still need to be assigned IP
addresses in order to communicate with other computers on the
network—but the addresses assigned within a network behind a
router, or gateway, will fall into the category of internal IP
addresses.
 Unlike the external address assignments required to send and
receive information on the Internet, internal IP addresses allow
computers within a network to communicate with one another.
 In order for computers on these private networks to access the
Internet, there is likely to be an established gateway that has been
assigned a single external IP address to be used by all computers
on the network.
 NOTE Internal IP addresses can also be used to set up more than
one computer into a network environment.
HOSTNAME
 Hostnames are the system names assigned to a computer by the
system user or owner. These names are used to identify a
computer in a network in a format that is easiest to understand by
people.
 If there are multiple computers in the network, each could be given
unique identifying names making them more easily recognizable,
such as Receptionist PC or Dave’s Laptop.
 The naming choice selected might help to identify the likely
location or user of that system. If for example you were
investigating a threatening e-mail that had originated from a
computer within a network named “Jedi,” you might look for
people who have access to the network who are also fans of the
Star Wars series. Keep in mind that the names can be changed
by the user at any time, so the matching or non-matching of a
hostname to a suspicious communication or activity is by no
means conclusive in itself.
MAC ADDRESS
MAC addresses are the identifying number assignment given to
NICs that provide network connectivity.
That connectivity can be wired or wireless depending on the type
of NIC present. MAC addresses are unique to every NIC and would
be most equivalent to a serial number.
This means that if an investigator is able to determine the MAC
address of the device used in the crime, then the device containing
the NIC could be identified specifically. However, just like a
hostname can be changed, MAC addresses can also be changed
through a process called MAC spoofing.
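The router-log follow-up described above (internal IP, hostname, MAC address) worked as an added example that is not part of these notes: the lease lines, their format and every function below are constructed for illustration. It rejects malformed addresses, separates internal (private-range) from external addresses, normalizes MAC notation, and flags the IEEE locally-administered bit, which marks a MAC that was set in software rather than burned into the NIC (a hint, never proof, that it was changed).

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample lines in the style of a home router's DHCP lease table,
# plus one entry for the router's WAN side. The format is hypothetical and is
# not the output of any particular router firmware.
SAMPLE_LEASES = """\
lease 192.168.1.20 hostname=Jedi mac=00:1A:2B:3C:4D:5E expires=3600
lease 192.168.1.37 hostname=Daves-Laptop mac=02-11-22-33-44-55 expires=1800
lease 192.168.1.99 hostname=ReceptionPC mac=0010.ABCD.EF01 expires=7200
lease 155.212.56.73 hostname=wan0 mac=00:1A:2B:3C:4D:5F expires=0
lease 300.1.1.1 hostname=bogus mac=00:00:00:00:00:01 expires=10
some unrelated log line that the parser must skip
"""

LEASE_RE = re.compile(r"lease (\S+) hostname=(\S+) mac=(\S+)")


@dataclass
class HostRecord:
    ip: str
    hostname: str
    mac: str                      # normalized to aa:bb:cc:dd:ee:ff
    ip_scope: str                 # "internal" (private range) or "external"
    locally_administered: bool    # U/L bit set: MAC was assigned in software
    group_address: bool           # I/G bit set: a group address, never one NIC


def normalize_mac(raw):
    """Accept colon, hyphen or dotted (0010.abcd.ef01) notation."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def classify_ip(text):
    """Reject anything that is not four 0-255 octets, then tell an
    internal (RFC 1918 private) address from an externally routed one."""
    addr = ipaddress.IPv4Address(text)     # ValueError on e.g. 300.1.1.1
    return "internal" if addr.is_private else "external"


def mac_flags(mac):
    """(locally_administered, group_address) from the first octet:
    bit 1 is the IEEE U/L bit, bit 0 the I/G bit."""
    first = int(mac[:2], 16)
    return bool(first & 0x02), bool(first & 0x01)


def parse_leases(text):
    records = []
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue
        ip, host, raw_mac = m.groups()
        try:
            mac = normalize_mac(raw_mac)
            scope = classify_ip(ip)
        except ValueError:
            continue                       # malformed entry, leave it out
        local, group = mac_flags(mac)
        records.append(HostRecord(ip, host, mac, scope, local, group))
    return records


def follow_up_notes(rec):
    """Investigative notes for one host; none of them is conclusive."""
    notes = []
    if rec.ip_scope == "internal":
        notes.append("internal address: identify the machine at the location")
    else:
        notes.append("external address: lead points to the ISP, not a machine")
    if rec.locally_administered:
        notes.append("MAC is locally administered, not burned in; may be spoofed")
    return notes
```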
INTERPERSONAL COMMUNICATIONS
Investigators must be familiar with how these various systems
work and how one might be able to retrieve critical case
information from stored communications or fragments of previous
exchanges.
What makes the area of interpersonal communication so
important to the investigator is that people are inherently very
social; people routinely discuss their daily lives with friends and
may even brag about crimes to others.
Being able to capture, decipher, and trace back communications to
their origin is a critical law enforcement skill.
E-MAIL
E-mail communication was present at the start of the Internet, and
has exploded over the last decade, making it more likely that
people today use e-mail in some form or another. E-mail provides
another conduit through which people can communicate 24 hours
a day, 7 days a week.
Unlike a phone conversation that needs the recipient to answer, an
active e-mail discussion can be carried out through multiple e-
mails spread over time. Messages are sent and are held in a
waiting inbox at the convenience of the recipient, who will choose
when to read the message and how best to respond. Once an e-
mail is read, it is usually up to the receiver to decide and make the
conscious choice to delete or discard that communication.
This provides a unique opportunity to law enforcement
investigating crimes involving e-mails, since undeleted e-mails will
be viewable and previously deleted e-mails might be recovered
through various forensic methods. There are countless e-mail
addresses and accounts in use today.
CHAT/INSTANT MESSAGING
Chat and instant messaging is another extremely popular method
of communication. Unlike e-mail, which ends up being loaded on
an e-mail server or downloaded onto the receiver computer’s local
e-mail program, chats and instant messages are made through
direct communication between the two devices.
The devices involved exchange communications back and forth in
real-time for as long as that “window” is open. Conversations held
in chat are not saved by the applications typically used to
facilitate this method of communication.
This means that for the most part, chat and instant messaging
conversations are lost once that session ends.
SOCIAL NETWORKING AND BLOGGING
Social networking sites, such as MySpace and Facebook, and
blogging technologies allow people a conduit through which they
can post their thoughts, ideas, and self-expression onto the
Internet instantly.
For example, within MySpace, users can create an account for
themselves along with a personal Web page through which they
can express themselves in any manner in which they see fit, be it
through music, video, or written expression.
 These pages become part of a larger online community with
similarly minded individuals being able to link together into what
is referred to as a friends network. Since the information entered
at account creation has no true factual verification, it is possible
for people to create fictitious identities in order to pass
themselves off as someone they’re not.
MEDIA AND STORAGE
Media exists in numerous configurations with varying storage
capacities. Most people today are very familiar with the floppy
disk, CD-ROM, and DVD—all of which can store and contain files
of evidential value.
DVDs started reaching capacity sizes in excess of 8 gigabytes,
which meant that suspects could save illegal files that would have
filled up an entire computer hard drive just years ago on one silver
disk.
Finding just the right DVD during a search of a suspect or
residence could provide numerous evidentiary files.
A smaller segment is likely to be familiar with hard drives and
understand their role within the computer.
The trend now within media is that of portability. As if trying to
find a CD or DVD wasn’t hard enough, further technology
advances have brought about flash drives and mini smart cards.

UNIT V

DIGITAL FORENSICS AND ANALYZING DATA

INTRODUCTION

Traditional digital forensics started with the seizure of a computer or some
media. The drives and media were duplicated in a forensically sound manner bit
by bit. Way back, if there is such a thing in computer technology, the forensic
duplication would be combed through using a hex or disk editor application.

 Later the forensic applications and suites evolved and automated some of the
processes or streamlined them.
The forensic practitioner would undelete files, search for temporary files, recover
e-mail, and perform other functions to try and find the evidence contained on the
media.

THE EVOLUTION OF COMPUTER FORENSICS

 Today there are more user-friendly programs that present data in a GUI,
and automate much of the extremely technical work that used to require in-depth
knowledge and expertise with a hex editor.

 There is also a wealth of hardware to make the practice even more conducive,
but the reality is the processes thus far have not changed that much.

 From the time of those first primordial seizures to today, a set of Best Practices
has emerged; the attempt is to provide a foundation for the work performed
under the heading Digital Forensics:

■ Do not alter the original media in any way.

■ Always work on a duplicate copy, not the original.

■ The examination media must be sterile so as to ensure that no
residual data will interfere with the investigation data.

■ The investigator must remain impartial and report the facts.

Unlike other forensic sciences, digital forensics subject matter continues to
evolve, as do the techniques. Human fingerprints may change and evolve
over time, but it won’t be noticeable to the fingerprint specialists in their lifetime.
The trace chemicals in a piece of hair may change, but the hair itself is going to
stay pretty much the same. The techniques may evolve, but the subject matter
does not noticeably. Digital evidence on the other hand continues to change as
the technology does.

PHASES OF DIGITAL FORENSICS


 Traditional digital forensics can be broken down into four phases. Some of the
work performed may overlap into the different phases, but they are very different:

■ Collection
■ Examination
■ Analysis
■ Reporting
 The examination phase includes work such as document and e-mail extraction,
searching for suspicious binaries, and data carving. Analysis is the process of
using the evidence recovered to work toward solving the crime.
 The analysis is the pulling together of all the bits and pieces and deciphering
them into a story of what happened. Reporting is the phase where all the other
phases are documented and explained.
 The report should contain the documentation of the hardware, the tools used, the
techniques used, and the findings. All the individual phases have their own issues
and challenges.
COLLECTION
 Traditional digital forensics best practices are to make a full bit stream copy of
the physical volume. This normally entails physically removing the hard drives
from the suspect system, and attaching the drive to another system for forensic
duplication.
 A forensic image is a bit-by-bit copy of the original media. It copies all the data on
a storage device, including unused portions, the deleted files, and anything else
that may have been on the device.
■ Admissible It must conform to certain legal rules before it can be put before a
court.
■ Authentic The data must be proven to relate to the incident. This is where
additional documentation is important.
■ Complete It must be impartial and tell the entire account.
■ Reliable There can be nothing relative to the collection and handling of the
evidence that could create any doubt. Chain of Custody procedures become
crucial.
■ Believable The reports and documentation must present everything so it is
believable and understandable by a judge or jury. Any digital evidence collected
must meet these requirements.
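The best practices above (never alter the original, work only on a duplicate, use sterile examination media) and the bit-by-bit forensic image just described, worked as an added example that is not part of these notes: the "device" is a constructed sample file standing in for a drive, and the functions are illustrative, not any forensic tool's code. The copy is verified by comparing a SHA-256 hash of source and image, which is also the check a later reviewer uses to show the image is what it is claimed to be.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

BLOCK_SIZE = 4096   # read the source in fixed blocks, like sector reads


@dataclass
class AcquisitionRecord:
    source: str
    image: str
    bytes_copied: int
    source_sha256: str
    image_sha256: str

    @property
    def verified(self):
        return self.source_sha256 == self.image_sha256


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source_path, image_path):
    """Copy every byte of the source to a fresh image file, then hash both.
    The source is opened read-only; mode 'xb' makes the destination refuse
    to overwrite an existing file, so the examination media starts sterile."""
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "xb") as dst:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            dst.write(block)
            copied += len(block)
    return AcquisitionRecord(source_path, image_path, copied,
                             sha256_of(source_path), sha256_of(image_path))


def make_sample_device(directory, size=3 * BLOCK_SIZE + 123):
    """Constructed stand-in for a drive: one allocated file's data, random
    filler, and remnants of a deleted file sitting in unallocated space."""
    path = os.path.join(directory, "sample.dev")
    allocated = b"ACTIVE FILE: quarterly report\n".ljust(BLOCK_SIZE, b"\0")
    remnant = b"DELETED FILE: draft of harassing e-mail\n"
    filler = os.urandom(size - len(allocated) - len(remnant))
    with open(path, "wb") as f:
        f.write(allocated + filler + remnant)
    return path


def demo():
    """Image the sample device, verify it, show that a second run cannot
    overwrite the image, and that a single changed byte is detected."""
    with tempfile.TemporaryDirectory() as d:
        dev = make_sample_device(d)
        img = os.path.join(d, "sample.dd")
        rec = image_device(dev, img)
        with open(img, "rb") as f:
            data = f.read()
        try:
            image_device(dev, img)
            refused = False
        except FileExistsError:
            refused = True
        with open(img, "r+b") as f:        # simulate an altered copy
            f.write(bytes([data[0] ^ 0xFF]))
        return {
            "verified": rec.verified,
            "bytes_copied": rec.bytes_copied,
            "remnant_captured": b"DELETED FILE" in data,
            "refused_overwrite": refused,
            "tamper_detected": sha256_of(img) != rec.source_sha256,
        }
```

On a real acquisition the source path would be the block device itself, opened the same read-only way, with the hashes recorded in the chain-of-custody documentation.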
The next option is to move the data off via the network connection. How large
is the network link to move the data off? If the data cannot be worked onsite, do
you have the storage to transport it? Do you have the storage to work with it
later? Do you have systems powerful enough to comb and query through all the
data? Are all the systems in the same data center, or do you have to travel or
have multiple teams working simultaneously? There are a multitude of
questions, and some preplanning can be essential.
EXAMINATION
 A final consideration is that data may need to be preserved in order of volatility.
The most volatile data needs to be preserved first. This applies to running
systems for the most part, but the way in which we approach live systems will
become more important in the near future; but more on that later. An example
of an order of recovery of system data according to volatility looks like this:
■ Live system information This includes memory, the routing table, ARP
cache, and a process list. The concern with live system information is that it is
difficult or impossible to image the system memory or other live data without
altering the original data.
■ Virtual memory Swap space or paging files
■ Physical disks The physical hard disks of a system
■ Backups Offline back-up media such as magnetic tape or other media. It is
entirely possible that the data you are looking for is not on the system
today, but it was there yesterday and is on last night’s backup.
