Cyber Security & Cryptography

Uploaded by

sudhakar945
CYBER SECURITY & CRYPTOGRAPHY

UNIT-1
1.1 INTRODUCTION:
Cybercrime is not an old sort of crime in the world. It is defined as any criminal activity which takes
place on or over the medium of computers, the internet or other technology recognised by the
Information Technology Act. Cybercrime is the most prevalent crime, playing a devastating role in
modern India. Not only are the criminals causing enormous losses to society and the government,
but they are also able to conceal their identity to a great extent. A number of illegal activities are
committed over the internet by technically skilled criminals.

1.2 ORIGIN OF CYBERCRIME:

The term cyber has some interesting synonyms: fake, replicated, pretend, imitation, virtual,
computer-generated. Cyber is a combining form relating to Information Technology, the Internet and
Virtual Reality. The term owes its origin to the word "cybernetics", which deals with information and
its use; furthermore, cybernetics is the science that overlaps the fields of neurophysiology,
information theory, computing machinery and automation.

1.3 Information security

Information security, in a simplified manner, can be described as the prevention of unauthorised
access or alteration while data is being stored or transferred from one machine to another. The
information can be biometrics, social media profiles, data on mobile phones etc., which is why
research on information security covers various sectors such as cryptocurrency and online forensics.
Information security is designed to cover three objectives: confidentiality, integrity and availability,
commonly known as CIA. Data, including personal information or information of high value, has to
be kept confidential, and it is important to block all unauthorised access. Moving on to integrity, the
stored data needs to be kept correct and unaltered, and hence any modification by an unauthorised
person needs to be detected and reverted immediately. Lastly, it is imperative that the stored data
can be accessed at any time by authorised personnel; a denial-of-service attack is likely to
jeopardise that. To ensure efficient operation of information security, organisations put in place
several policies, such as an access control policy and a password policy, along with data support and
operation plans. Measures can also include mantraps, network intrusion detection systems and
regulatory compliance.
1.4 Cybercriminals:
A cybercriminal is an individual who commits cybercrimes, making use of the computer either as a
tool, as a target, or as both:
1. Selects the computer as the target
2. Uses the computer as a weapon
3. Uses the computer as an accessory

Types of Cyber Criminals:

1. Hackers: The term hacker may refer to anyone with technical skills; however, it typically refers
to an individual who uses his or her skills to achieve unauthorized access to systems or networks so
as to commit crimes. The intent of the intrusion determines the classification of these attackers as
white, grey, or black hats.
• (a) White Hat Hackers – These hackers use their programming skills for a good and lawful
reason. They may perform network penetration tests in an attempt to compromise networks and
discover vulnerabilities. The security vulnerabilities are then reported to developers to fix them.
• (b) Gray Hat Hackers – These hackers commit violations and do seemingly questionable things,
but not for personal gain or to cause harm. They may disclose a vulnerability to the affected
organization after having compromised its network.
• (c) Black Hat Hackers – These hackers are unethical criminals who violate network security for
personal gain. They exploit vulnerabilities to compromise computer systems.

2. Organized Hackers: These criminals include organizations of cyber criminals, hacktivists,
terrorists, and state-sponsored hackers. Cyber criminals are typically teams of skilled criminals
focused on control, power, and wealth. These criminals are extremely sophisticated and organized,
and may even offer crime as a service. These attackers are usually highly trained and well-funded.

3. Internet stalkers: Internet stalkers are people who maliciously monitor the web activity of their
victims to acquire personal data. This type of cyber crime is conducted through social networking
platforms and malware that are able to track an individual's PC activity with little or no detection.

4. Disgruntled Employees: Disgruntled employees become hackers with a particular motive and
also commit cyber crimes. It is hard to believe that dissatisfied employees can become such
malicious hackers.

1.5 Classification of Cyber Crime:

1. Cyber Terrorism –
Cyber terrorism is the use of the computer and internet to perform violent acts that result in loss of
life. This may include different types of activities, either by software or hardware, that threaten the
lives of citizens. In general, cyber terrorism can be defined as an act of terrorism committed through
the use of cyberspace or computer resources.

2. Cyber Extortion –
Cyber extortion occurs when a website, e-mail server or computer system is subjected to, or
threatened with, repeated denial of service or other attacks by malicious hackers. These hackers
demand huge sums of money in return for an assurance to stop the attacks and to offer protection.

3. Cyber Warfare –
Cyber warfare is the use or targeting of computers, online control systems and networks in a
battlespace or warfare context. It involves both offensive and defensive operations concerning the
threat of cyberattacks, espionage and sabotage.

4. Internet Fraud –
Internet fraud is a type of fraud or deceit which makes use of the Internet and could include hiding
information or providing incorrect information for the purpose of deceiving victims out of money or
property. Internet fraud is not considered a single, distinctive crime but covers a range of illegal and
illicit actions that are committed in cyberspace.

5. Cyber Stalking –
This is a kind of online harassment wherein the victim is subjected to a barrage of online messages
and emails. In this case, the stalkers know their victims and, instead of offline stalking, use the
Internet to stalk. However, if they notice that cyber stalking is not having the desired effect, they
begin offline stalking along with cyber stalking to make the victims' lives more miserable.

1.6 Cyber Stalking:

A cybercriminal uses the internet to persistently threaten somebody. This crime is often perpetrated
through email, social media and other online media. Cyber stalking can even occur in conjunction
with the more traditional type of stalking, where the perpetrator harasses the victim offline.

Types of Cyber Stalking:

• Webcam Hijacking:
Internet stalkers attempt to trick you into downloading and installing a malware-infected file that
grants them access to your webcam. The method is so sneaky that you probably would not suspect
anything strange.

• Observing location check-ins on social media:
If you add location check-ins to your Facebook posts, you make it very easy for an internet stalker
to follow you just by looking through your social media profiles.

• Catfishing:
Catfishing happens via social media sites, for example Facebook, when internet stalkers create
counterfeit user profiles and approach their victims as a friend of a friend.

Protective Measures:
• Develop the habit of logging out of the PC when not in use.
• Remove any future events you plan to attend from the social networks if they are listed on online
upcoming-events pages and calendars.
• Set strong and distinctive passwords for your online accounts.
• Cyber stalkers can exploit the low security of public Wi-Fi networks to snoop on your online
activity. Therefore, avoid sending personal emails or sharing your sensitive info when connected to
an unsecured public Wi-Fi network.
• Make use of the privacy settings provided by the social networking sites and keep all info
restricted to your closest friends.
• Do a daily search on the internet to find out what information about you is accessible to the
public.

1.7 CYBER CAFE:

A cybercafe is a type of business where computers are provided for accessing the internet, playing
games, chatting with friends or doing other computer-related tasks. In most cases, access to the
computer and internet is charged based on time. There are many internet cafes located worldwide,
and in some countries they are considered the primary form of internet access for people.

Security tips for cyber cafes:

Always log out – While checking email or logging in for chatting, always click logout/sign out.
Stay with the computer – While surfing, don't leave the system unattended for any period of time.
Clear history and temporary files – Before browsing, deselect the AutoComplete option: Browser ->
Tools -> Internet Options -> Content tab. Afterwards: Tools -> Internet Options -> General tab ->
Temporary Internet Files -> Delete Files, and then Delete Cookies.
Avoid online financial transactions – One should avoid online banking, shopping, etc. Don't
provide sensitive information such as credit card numbers or bank account details.
Change passwords / virtual keyboard – Change the password after completing a transaction.
Be alert – One has to be alert for snooping over the shoulder.
1.8 BOTNET:
A bot is a piece of malware that infects a computer to carry out commands under the remote control
of the attacker.

A botnet (short for "robot network") is a network of computers infected by malware that are under
the control of a single attacking party, known as the "bot-herder". Each individual machine under the
control of the bot-herder is known as a bot. From one central point, the attacking party can command
every computer on its botnet to simultaneously carry out a coordinated criminal action. The scale of
a botnet (many comprise millions of bots) enables the attacker to perform large-scale actions that
were previously impossible with malware.
Common botnet actions include:

• Email spam
• DDoS attacks
• Financial breaches
• Targeted intrusions

1.9 ATTACK VECTOR:

An attack vector is a method of achieving unauthorized network access to launch a cyber attack.
Attack vectors allow cybercriminals to exploit system vulnerabilities to gain access to sensitive data,
personally identifiable information (PII), and other valuable information accessible after a data
breach.

In general, attack vectors can be split into passive or active attacks:

Passive Attack Vector Exploits:

Passive attack vector exploits are attempts to gain access to or make use of information from the
system without affecting system resources, such as typosquatting, phishing, and other social
engineering-based attacks.

Active Attack Vector Exploits:

Active cyber attack vector exploits are attempts to alter a system or affect its operation, such as
malware, exploiting unpatched vulnerabilities, email spoofing, man-in-the-middle attacks, domain
hijacking, and ransomware.

That said, most attack vectors share similarities:

• The attacker identifies a potential target
• The attacker gathers information about the target using social engineering, malware, phishing,
OPSEC, and automated vulnerability scanning
• Attackers use the information to identify possible attack vectors and create or use tools to
exploit them
• Attackers gain unauthorized access to the system and steal sensitive data or install malicious
code
• Attackers monitor the computer or network, steal information, or use computing resources.

1.10 Proliferation:
The proliferation of mobile and wireless devices means that the more devices are connected, the
more vulnerable your network is to security threats, increasing your chances of malicious attacks
from online sources and malware threats.
1.11 Security Challenges in Mobile Devices:

Cellular devices are easy to carry and easy to use. Cyber criminals often have more success on these
smaller screens, where spoofs are harder to spot. Additionally, it is more dangerous to log in to your
company network using a mobile device. When an employee is out of the office, the protective bubble
of your on-site cybersecurity isn't available. While there are many ways to breach a mobile device,
most incursions tend to stem from these key threats:

Malicious Hotspots:
Here, a criminal can set up a "free" public hotspot. Sometimes, users are asked to sign in with
passwords or personal information to get access. Then, thieves can monitor keystrokes until an
employee types in more sensitive information. It's a terrible and terribly effective criminal technique.

Man-in-the-Middle Attacks:
In this type of attack, cyber criminals interrupt the flow of data coming off your mobile device and
use it to monitor your network or hack into your data.

Shadow IT:
What's this, you ask? It's when your employees use unapproved apps to communicate with staff
members, or to store/create company files. When business is being conducted this way, it opens your
company up to risk. If the platforms they're using get hacked, or the wrong person gets their
password, your data can be compromised.

Phishing/Spoofing:
These spam texts and emails are designed to look like they come from a co-worker or trusted source.
On a smaller screen, it can be easy to mistake these attacks for real messages.

Stolen Devices:
A missing device is the ultimate risk for your company. When a device is stolen, everything from an
employee's contacts, to their emails, to their documents could be sold to the highest bidder.

So, as you can see, there are plenty of security challenges in mobile devices to worry about. But
countermeasures can be taken to address these threats directly. Let's talk about some of the most
common ones.

1.12 Attacks on Mobile/Cell Phones:

Most common types of Wireless and Mobile Device Attacks:

➢ SMiShing:
SMiShing has become common now that smartphones are widely used. SMiShing uses the Short
Message Service (SMS) to send fraudulent text messages or links. The criminals may also deceive the
user over a phone call. Victims may provide sensitive information such as credit card information,
account information, etc. Accessing a website might result in the user unknowingly downloading
malware that infects the device.

➢ War driving:
War driving is a method used by attackers to find access points wherever they can be. With the
availability of free Wi-Fi connections, they can drive around and obtain a very large amount of
information over a very short period of time.

➢ WEP attack:
Wired Equivalent Privacy (WEP) is a security protocol that attempted to provide a wireless local
area network with the same level of security as a wired LAN. Since physical security measures help
to protect a wired LAN, WEP attempts to provide similar protection for data transmitted over a WLAN
with encryption. WEP uses a key for encryption. There is no provision for key management with Wired
Equivalent Privacy, so the number of people sharing the key will continually grow. Since everyone is
using the same key, the criminal has access to a large amount of traffic for analytic attacks.

➢ WPA attack:
Wi-Fi Protected Access (WPA) and then WPA2 came out as improved protocols to replace WEP. WPA2
does not have the same encryption problems, because an attacker cannot recover the key by observing
traffic. WPA2 is still susceptible to attack, because cyber criminals can analyze the packets going
between the access point and an authorized user.

➢ Bluejacking:
Bluejacking is used for sending unauthorized messages to another Bluetooth device. Bluetooth is a
high-speed but very short-range wireless technology for exchanging data between desktop and mobile
computers and other devices.

➢ Replay attacks:
In a replay attack, an attacker spies on information being sent between a sender and a receiver.
Once the attacker has captured the information, he or she can intercept it and retransmit it, thus
leading to some delay in data transmission. It is also known as a playback attack.
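As an added example (not part of these notes), the following Python sketch shows how a receiver can detect a replayed message: every message carries a timestamp and a random nonce, both bound to the payload by an HMAC under a shared key, so a captured copy retransmitted later fails either the freshness window or the seen-nonce check. The shared key, the payload and the window size are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, Optional, Tuple

# Constructed shared secret for the demonstration only (a real deployment
# would provision this out of band and never hard-code it).
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def _canonical(body: Dict) -> bytes:
    # Deterministic encoding so sender and receiver MAC exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_message(key: bytes, payload: Dict, now: float,
                 nonce: Optional[bytes] = None) -> Dict:
    """Sender side: attach a timestamp and a fresh random nonce, then MAC everything."""
    body = {
        "payload": payload,
        "ts": int(now),                       # coarse send time, in seconds
        "nonce": (nonce or os.urandom(16)).hex(),
    }
    body["tag"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


class ReplayGuardedReceiver:
    """Receiver side: accepts a message only if it is authentic, fresh and unseen."""

    def __init__(self, key: bytes, window_seconds: int = 30):
        self.key = key
        self.window = window_seconds
        self.seen: Dict[str, int] = {}      # nonce -> ts, pruned as nonces age out

    def accept(self, msg: Dict, now: float) -> Tuple[bool, str]:
        # 1. Authenticity: recompute the MAC over everything except the tag.
        #    A tampered payload, timestamp or nonce fails here.
        body = {k: v for k, v in msg.items() if k != "tag"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return False, "bad tag"

        # 2. Freshness: a capture replayed long after the fact is outside the window.
        if abs(now - body["ts"]) > self.window:
            return False, "stale timestamp"

        # 3. Uniqueness: a capture replayed within the window reuses a nonce already seen.
        if body["nonce"] in self.seen:
            return False, "replayed nonce"

        self.seen[body["nonce"]] = body["ts"]
        # Forget nonces that can no longer pass the freshness check, so memory stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        return True, "ok"


if __name__ == "__main__":
    rx = ReplayGuardedReceiver(SHARED_KEY, window_seconds=30)
    original = make_message(SHARED_KEY, {"action": "unlock", "door": 7}, now=1000.0)
    print(rx.accept(original, now=1001.0))   # (True, 'ok')
    print(rx.accept(original, now=1002.0))   # (False, 'replayed nonce')
    print(rx.accept(original, now=1500.0))   # (False, 'stale timestamp')
```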

➢ Bluesnarfing:
It occurs when the attacker copies the victim's information from his or her device. An attacker can
access information such as the user's calendar, contact list, e-mail and text messages without leaving
any evidence of the attack.

➢ RF Jamming:
Wireless signals are susceptible to electromagnetic interference and radio-frequency interference.
Radio frequency (RF) jamming distorts the transmission of a satellite station so that the signal does
not reach the receiving station.

1.13 Network and Computer Attacks:

Network attacks are unauthorized actions on the digital assets within an organizational network.
Malicious parties usually execute network attacks to alter, destroy, or steal private data.
Perpetrators of network attacks tend to target network perimeters to gain access to internal systems.
Types of Network Attacks: Modern organizations rely on the internet for communication, and
confidential data is often exchanged between networks. Remote accessibility also provides malicious
parties with vulnerable targets for data interception. These may violate user privacy settings and
compromise devices connected to the internet.
Network attacks occur in various forms. Enterprises need to ensure that they maintain the highest
cybersecurity standards, network security policies, and staff training to safeguard their assets
against increasingly sophisticated cyber threats.

DDoS:
DDoS (distributed denial of service) attacks involve deploying sprawling botnets (networks of
malware-compromised devices linked to the internet). These bombard and overwhelm enterprise servers
with high volumes of fraudulent traffic. Malicious attackers may target time-sensitive data, such as
that belonging to healthcare institutions, interrupting access to vital patient database records.

Man-in-the-middle Attacks:

Man-in-the-middle (MITM) network attacks occur when malicious parties intercept traffic conveyed
between networks and external data sources or within a network. In most cases, hackers achieve
man-in-the-middle attacks via weak security protocols. These enable hackers to pose as a relay or
proxy and manipulate data in real-time transactions.

Unauthorized Access:

Unauthorized access refers to network attacks where malicious parties gain access to enterprise
assets without seeking permission. Such incidents may occur due to weak account password protection,
unencrypted networks, insider threats that abuse role privileges, and the exploitation of inactive
roles with administrator rights.

Organizations should prioritize and maintain the least privilege principle to avoid the risks of
privilege escalation and unauthorized access.

SQL Injection:

Unvalidated user data inputs can place organizational networks at risk of SQL injection attacks. In
this network attack method, external parties manipulate forms by submitting malicious code in place
of expected data values. They compromise the network and access sensitive data such as user
passwords.

There are various SQL injection types, such as probing databases to retrieve details of their version
and structure, and subverting logic on the application layer, disrupting its logic sequences and
functions.

Network users can reduce the risks of SQL injection attacks by implementing parameterized
queries/prepared statements, which keep untrusted input separate from the query logic.
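The parameterized-query advice above, worked as an added example (not taken from these notes) with Python's built-in sqlite3 module and a constructed in-memory users table: the first lookup builds the SQL string from the form field, so a crafted value can rewrite the WHERE clause, while the second binds the same value as a parameter, so it is only ever compared as data. The table contents and the probe string are constructed for the demonstration.

```python
import sqlite3
from typing import List


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, form_username: str) -> List[str]:
    """Vulnerable pattern: the form value is spliced into the SQL text.

    Anything the user types becomes part of the statement, so a value that
    closes the quote and appends a condition rewrites the WHERE clause."""
    sql = "SELECT username FROM users WHERE username = '" + form_username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, form_username: str) -> List[str]:
    """Hardened pattern: the SQL text is fixed and the value is bound separately.

    The driver hands the value to the engine as a literal, so quotes or
    keywords inside it are never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (form_username,))]


def looks_like_injection_probe(form_username: str) -> bool:
    """Defensive telemetry, not a substitute for parameterization: flag form
    values containing SQL metacharacters so repeated probes show up in logs."""
    return any(token in form_username.lower() for token in ("'", "--", ";", " or "))


if __name__ == "__main__":
    conn = build_demo_db()
    # Constructed probe value of the kind the text describes: it is not a
    # username, it is SQL that the vulnerable query will execute.
    probe = "x' OR '1'='1"
    print("vulnerable    :", lookup_vulnerable(conn, probe))      # every user
    print("parameterized :", lookup_parameterized(conn, probe))   # nobody
    print("flagged       :", looks_like_injection_probe(probe))   # True
```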

Recent Network Attacks:

Network attacks remain a lingering issue for organizations as they transition to remote operations
with increased reliance on confidential network communications. Recent network attacks demonstrate
that malicious parties may strike at the least expected moment. So, cyber vigilance and security
should be a priority across all industries.

Social Engineering:
According to ISACA's State of Cybersecurity 2020 Report, social engineering is the most popular
network attack method, with 15 percent of compromised parties reporting the technique as the vehicle
of infiltration. Social engineering involves elaborate techniques of deception and trickery, such as
phishing, that leverage users' trust and emotions to gain access to their private data.

Advanced Persistent Threats:

Some network attacks may involve advanced persistent threats (APTs) from a team of expert hackers.
APT parties prepare and deploy a complex, multi-stage attack campaign. This exploits multiple network
vulnerabilities while remaining undetected by network security measures such as firewalls and
antivirus software.

Ransomware:
In ransomware attacks, malicious parties encrypt the organization's data while withholding the
decryption keys, a model that enables hackers to extort affected organizations. Payment channels
usually include untraceable cryptocurrency accounts. While cybersecurity authorities discourage
paying off malicious parties, some organizations continue to do so as a quick solution for regaining
data access.
Protection from Network Attacks:
Evolving network attacks require a modern and proactive network security solution.

1. Encrypt the data
2. Use strong passwords
3. Use antivirus software
4. Use a firewall
5. Update the operating system
6. Install intrusion detection
7. Back up your data
8. Restrict access to sensitive information
9. Appoint a security expert

TOPICS: Introduction, Cybercrime: Definition and Origins of the Word, Cybercrime and Information
Security, Cybercriminals, Classifications of Cybercrime, Cyberstalking, Cybercafe and Cybercrimes,
Botnets, Attack Vector, Proliferation of Mobile and Wireless Devices, Security Challenges Posed by
Mobile Devices, Attacks on Mobile/Cell Phones, Network and Computer Attacks.
UNIT-2

Tools and Methods

2.1 PROXY SERVERS:
Proxy servers work by facilitating web requests and responses between a user and a web server.

Typically, a user accesses a website by sending a direct request to its web server from a web
browser via their IP address. The web server then sends a response containing the website data
directly back to the user.

A proxy server acts as an intermediary between the user and the web server. Proxy servers use a
different IP address on behalf of the user, concealing the user's real address from web servers.

A standard proxy server configuration works as follows:

1. A user enters a website's URL into their browser.
2. The proxy server receives the user's request.
3. The proxy server forwards the request to the web server.
4. The web server sends a response (website data) back to the proxy server.
5. The proxy server forwards the response to the user.

Types of Proxy Servers

There are many different types of proxy servers, categorized by traffic flow, anonymity level,
application, service, IPs, and accessibility.

Below is a classification of some of the different types of proxy servers:

1. Forward Proxy Server
2. Reverse Proxy Server
3. Anonymous Proxy Servers
4. Protocol Proxy Servers
2.2 Anonymizers:
An anonymizer is an intermediate server placed between you, the user, and the website; it accesses
the website on your behalf and makes your web surfing untraceable. Anonymizers enable you to bypass
internet censors. An anonymizer removes all identifying information (IP address) from your system
while you are surfing the internet, thereby ensuring privacy. Most anonymizers can anonymize the
web (HTTP:), File Transfer Protocol (FTP:) and Gopher.

To visit a page anonymously, you can visit your preferred anonymizer website and enter the name of
the target website in the Anonymization field. Alternatively, you can set your browser home page to
point to an anonymizer, so as to anonymize subsequent web access. Apart from this, you can choose
to anonymously supply passwords and other information to sites without revealing any additional
information, such as your IP address.

The reasons for using anonymizers include:

• Ensuring privacy
• Accessing government-restricted content
• Protection against online attacks
• Bypassing IDS and firewall rules

Types of Anonymizers: Anonymizers are of two basic types: networked anonymizers and single-point
anonymizers.

Networked Anonymizers: A networked anonymizer first transfers your data through a network of
Internet-connected computers before passing it on to the website. Because the data passes through
many computers, it becomes much harder for anyone attempting to trace your data to determine the
connection between you and the anonymizer.

Advantage: The complexity of the communication makes traffic analysis difficult.

Disadvantage: Any multi-node network communication incurs some risk of compromising
confidentiality at each node.

Single-Point Anonymizers: Single-point anonymizers first transfer your data through a website before
sending it to the target website, then pass the data gathered from the target website back to you via
that website, to shield your identity.

Advantage: Arms-length communication protects your IP address and related identifying information.
Disadvantage: Offers less resistance to sophisticated traffic analysis.
2.3 PHISHING:
Phishing involves an attacker trying to trick someone into providing sensitive account or other login
information online.

Posing as a trusted source, cyber attackers use email, phone, or text messages to dangle the bait and
acquire things like credit card information, social security numbers, passwords, and other login
credentials. Once the victim clicks a link, they can be directed to what appears to be a legitimate
site, where sensitive information can be compromised or malware can be installed.

Different Types of Phishing Attacks:

Spear Phishing:
Spear phishing involves targeting a specific individual in an organization to try to steal their login
credentials. The attacker often first gathers information about the person before starting the attack,
such as their name, position, and contact details.

Vishing:
Vishing, which is short for "voice phishing", is when someone uses the phone to try to steal
information. The attacker may pretend to be a trusted friend or relative, or to represent them.

Email Phishing:
In an email phishing scam, the attacker sends an email that looks legitimate, designed to trick the
recipient into entering information in a reply or on a site that the hacker can use to steal or sell
their data.

HTTPS Phishing:
An HTTPS phishing attack is carried out by sending the victim an email with a link to a fake website.
The site may then be used to fool the victim into entering their private information.

Pharming:
In a pharming attack, the victim gets malicious code installed on their computer. This code then sends
the victim to a fake website designed to gather their login credentials.

Pop-up Phishing:
Pop-up phishing often uses a pop-up about a problem with your computer's security or some other
issue to trick you into clicking. You are then directed to download a file, which ends up being
malware, or to call what is supposed to be a support center.

Evil Twin Phishing:
In an evil twin attack, the hacker sets up a false Wi-Fi network that looks real. If someone logs in
to it and enters sensitive details, the hacker captures their info.

Watering Hole Phishing:
In a watering hole phishing attack, a hacker figures out a site a group of users tends to visit. They
then use it to infect the users' computers in an attempt to penetrate the network.

Whaling:
A whaling attack is a phishing attack that targets a senior executive. These individuals often have
deep access to sensitive areas of the network, so a successful attack can result in access to valuable
info.

Clone Phishing:
A clone phishing attack involves a hacker making an identical copy of a message the recipient already
received. They may include something like "resending this" and put a malicious link in the email.

Deceptive Phishing:
Deceptive phishers use deceptive technology to pretend they are with a real company and inform the
targets that they are already experiencing a cyberattack. The users then click on a malicious link,
infecting their computer.

Social Engineering:
Social engineering attacks pressure someone into revealing sensitive information by manipulating
them psychologically.

Angler Phishing:
Anglers use fake social media posts to get people to provide login info or download malware.

Smishing:
Smishing is phishing through some form of text message or SMS.

Man-in-the-Middle (MITM) Attacks:
With a man-in-the-middle attack, the hacker gets in "the middle" of two parties and tries to steal
information exchanged between them, such as account credentials.

Website Spoofing:
With website spoofing, a hacker creates a fake website that looks legitimate. When you use the site
to log in to an account, your info is collected by the attacker.

Domain Spoofing:
Domain spoofing, also referred to as DNS spoofing, is when a hacker imitates the domain of a company,
either using email or a fake website, to lure people into entering sensitive information. To prevent
domain spoofing, you should double-check the source of every link and email.

Image Phishing:
Image phishing uses images with malicious files in them, meant to help a hacker steal your account
info or infect your computer.

Search Engine Phishing:
A search engine phishing attack involves an attacker making fake products that look attractive. When
these pop up in a search engine, the target is asked to enter sensitive information before purchasing,
which then goes to a hacker.
2.4 PASSWORD CRACKING:
Password cracking is the process of identifying a forgotten or unknown password to a computer or
network resource by means of an application program. A threat actor can also use it to gain
unauthorized access to resources. Password crackers use various techniques to recover passwords.
Often, passwords are cracked by comparing them against a list of words or by using an algorithm to
guess them repeatedly.
Several reasons can be given for password cracking, but the most malign reason is to gain
unauthorized access to a computer without the computer owner's knowledge. Cybercrime is the result
of this, such as password theft for the purpose of accessing banking information.

Password Cracking Techniques:

Brute force:
A predetermined set of combinations of characters is tried until the combination that matches the
password is found.

Phishing:
An email attachment or link containing malware is used in phishing to lure users into clicking on it.
This usually involves sending a message in the form of an official-looking email that warns the user
to act before it is too late.

Dictionary attack: The method involves comparing a wordlist against the passwords of users.

Rainbow table attack:
Makes use of pre-computed hashes. In our example, we'll assume that our database stores passwords
as MD5 hashes. In a separate database, we can store MD5 hashes of commonly used passwords. We can
then compare the password hash we have with the hashes stored in that database. If the password
hash matches one in the database, we have the password.
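The dictionary and rainbow-table techniques above, worked as an added example (not from these notes) in Python: a precomputed MD5 table is built from a small constructed wordlist and used to audit an unsalted MD5 password store, then the same password is stored with a per-user random salt and PBKDF2 to show why the table no longer matches. The wordlist, usernames, passwords and salts are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed stand-in for a dictionary of commonly used / default passwords.
WORDLIST = ["password", "qwerty", "admin", "123456", "letmein"]


def md5_hex(text: str) -> str:
    """Unsalted MD5, as the example database in the notes stores it."""
    return hashlib.md5(text.encode()).hexdigest()


def build_precomputed_table(words) -> Dict[str, str]:
    """The 'separate database' from the text: hash -> plaintext, built once, reused forever."""
    return {md5_hex(w): w for w in words}


def lookup_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Precomputed-table lookup: one dictionary probe, no hashing at lookup time."""
    return table.get(stored_hash)


def audit_unsalted_store(store: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Defender's use: which accounts in an unsalted MD5 store fall to this table?"""
    return {user: table[h] for user, h in store.items() if h in table}


def hash_salted(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> str:
    """Per-user random salt + slow KDF (PBKDF2-HMAC-SHA256).

    The salt makes the same password hash differently for every user, so a table
    precomputed without the salt never matches; the iteration count makes each
    guess expensive for a dictionary attack run against the salted value."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "%s$%d$%s" % (salt.hex(), iterations, dk.hex())


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = build_precomputed_table(WORDLIST)
    # Constructed unsalted store: alice chose a dictionary word, bob did not.
    unsalted_store = {"alice": md5_hex("admin"), "bob": md5_hex("Tr0ub4dor&3")}
    print("exposed accounts:", audit_unsalted_store(unsalted_store, table))  # {'alice': 'admin'}

    salted = hash_salted("admin", iterations=10_000)
    print("salted hash in table?", lookup_unsalted(salted.split("$")[2], table))  # None
    print("verify correct:", verify_salted("admin", salted))        # True
    print("verify wrong  :", verify_salted("password", salted))     # False
```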

Malware:
Malware such as keyloggers, which track keystrokes, or screen scrapers, which take
screenshots, are a similar means to gain access to passwords without using a password cracking tool.
Instead, they use malware such as phishing and malware called malware.

Guess: A guessing method, as its name suggests, uses passwords such as qwerty, admin, password,
etc., that are commonly used or set as default passwords. If the user don't change these default
passwords or choose them carelessly, they are more likely to be compromised.
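Added example (not from the original notes): the lookup-table attack just described, run against an unsalted MD5 store, beside the salted, slow-hash storage that defeats it. The wordlist and the PBKDF2 iteration count are constructed values chosen for this illustration.

```python
import hashlib
import hmac
import os

# Constructed wordlist of commonly used passwords (sample data for this example only).
WORDLIST = ["123456", "password", "qwerty", "admin", "letmein", "welcome1"]

PBKDF2_ITERATIONS = 100_000  # assumption: a reasonable cost factor for this demonstration


def md5_hex(password):
    """Hex MD5 of a password: the weak, unsalted storage format from the notes' example."""
    return hashlib.md5(password.encode()).hexdigest()


def build_md5_table(words):
    """Precompute MD5(word) -> word, the separate database of hashes the notes describe."""
    return {md5_hex(w): w for w in words}


def lookup_unsalted(stored_hash, table):
    """Unsalted MD5: a single table lookup recovers the password if it is in the wordlist."""
    return table.get(stored_hash)


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Defensive storage: random per-user salt plus slow PBKDF2-HMAC-SHA256.
    Returns (salt, hex digest); the salt is stored next to the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest.hex()


def verify_password(password, salt, stored_hex, iterations=PBKDF2_ITERATIONS):
    """Constant-time comparison so the check itself leaks nothing about the digest."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, stored_hex)


def guesses_needed(salt, stored_hex, words, iterations=PBKDF2_ITERATIONS):
    """Dictionary attack against the salted hash: the precomputed MD5 table is useless,
    so every candidate must be re-hashed with this user's salt at full cost.
    Returns the number of slow hash computations spent, or None if not in the wordlist."""
    for n, w in enumerate(words, start=1):
        if verify_password(w, salt, stored_hex, iterations):
            return n
    return None
```

With salting, the same wordlist still finds a weak password, but only by paying the full PBKDF2 cost once per user per guess, which is what makes the precomputed table worthless.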

2.6 Keyloggers and Spywares:

Keystroke logging, often called keylogging, is the practice of noting (or logging)
the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is
unaware that such actions are being monitored.
A keystroke logger or keylogger is a quicker and easier way of capturing passwords and monitoring
the victim's IT behavior. Keyloggers can be classified as software keyloggers and hardware keyloggers.
1. Software Keyloggers
Software keyloggers are programs installed on the computer system which are usually located
between the OS and the keyboard hardware, so that every keystroke is recorded. Software keyloggers
are installed on a computer system by Trojans or viruses without the knowledge of the user.
Cybercriminals often install such tools on the insecure computer systems available in public places
and can obtain the required information about the victim very easily.
2. Hardware Keyloggers
To install these keyloggers, physical access to the computer system is required.
Hardware keyloggers are small hardware devices connected to the PC and/or to the keyboard; they
save every keystroke into a file or into the memory of the device. Cybercriminals install such devices
on ATM machines to capture ATM cards' PINs. Each keypress on the keyboard of the ATM gets
registered by these keyloggers. They look like an integrated part of such systems; hence, bank
customers are unaware of their presence.
3. Anti-keylogger
An anti-keylogger is a tool that can detect a keylogger installed on the computer system and can
also remove it.
Advantages of using an anti-keylogger are as follows:

• Firewalls cannot detect the installation of keyloggers on a system, whereas an anti-keylogger
can detect such installations.
• Unlike antivirus and antispyware programs, which stop serving their purpose and leave users at
risk if their signature bases are not updated, this software does not depend on regular signature
updates to work effectively.
• It prevents Internet banking frauds, since passwords can easily be obtained by installing
keyloggers.
• It prevents ID theft.
• It secures e-mail and instant messaging/chatting.

4. Spywares
Spyware is a type of malware that is installed on computers and collects information about users
without their knowledge. The presence of spyware is typically hidden from the user; it is secretly
installed on the user's personal computer. Sometimes, however, spyware such as a keylogger is
installed on purpose by the owner of a shared, corporate or public computer to secretly monitor
other users.

2.7 Virus and Worms:

1. Virus:
A virus is a malicious executable code attached to another executable file that can be harmless or can
modify or delete data. When the program the virus is attached to runs, the virus performs some action
such as deleting a file from the computer system. Viruses can't be controlled remotely. The
ILOVEYOU virus spreads through email attachments.
2. Worms:
Worms are similar to a virus but they do not modify the program. A worm replicates itself more and
more, which slows down the computer system. Worms can be controlled remotely. The main objective of
worms is to eat the system resources. The WannaCry ransomware worm in 2000 exploits the Windows
Server Message Block (SMBv1), which is a resource-sharing protocol.
Difference between Worms and Virus:

1. Definition
   Worms: A worm is a form of malware that replicates itself and can spread to different computers via a network.
   Virus: A virus is a malicious executable code attached to another executable file which can be harmless or can modify or delete data.
2. Objective
   Worms: The main objective of worms is to eat the system resources. A worm consumes system resources such as memory and bandwidth and slows the system down to such an extent that it stops responding.
   Virus: The main objective of viruses is to modify the information.
3. Host
   Worms: A worm doesn't need a host to replicate from one computer to another.
   Virus: A virus requires a host for spreading.
4. Harmful
   Worms: Less harmful by comparison.
   Virus: More harmful.
5. Detection and Protection
   Worms: Worms can be detected and removed by antivirus software and a firewall.
   Virus: Antivirus software is used for protection against viruses.
6. Controlled by
   Worms: Worms can be controlled remotely.
   Virus: Viruses can't be controlled remotely.
7. Execution
   Worms: Worms are executed via weaknesses in the system.
   Virus: Viruses are executed via executable files.
8. Comes from
   Worms: Worms generally come from downloaded files or through a network connection.
   Virus: Viruses generally come from shared or downloaded files.
9. Symptoms
   Worms:
   • Hampering computer performance by slowing it down
   • Automatic opening and running of programs
   • Sending of emails without your knowledge
   • Affected performance of the web browser
   • Error messages concerning the system and operating system
   Virus:
   • Pop-up windows linking to malicious websites
   • Hampering computer performance by slowing it down
   • After booting, starting of unknown programs
   • Passwords get changed without your knowledge
10. Prevention
   Worms:
   • Keep your operating system and system in an updated state
   • Avoid clicking on links from untrusted or unknown websites
   • Avoid opening emails from unknown sources
   • Use antivirus software and a firewall
   Virus:
   • Installation of antivirus software
   • Never open email attachments
   • Avoid usage of pirated software
   • Keep your operating system updated
   • Keep your browser updated, as old versions are vulnerable to linking to malicious websites
11. Types
   Worms: Internet worms, instant messaging worms, email worms, file sharing worms and Internet relay chat (IRC) worms are different types of worms.
   Virus: Boot sector virus, direct action virus, polymorphic virus, macro virus, overwrite virus and file infector virus are different types of viruses.
12. Examples
   Worms: Examples of worms include the Morris worm, the Storm worm, etc.
   Virus: Examples of viruses include Creeper, Blaster, Slammer, etc.
13. Interface
   Worms: A worm does not need human action to replicate.
   Virus: A virus needs human action to replicate.
14. Speed
   Worms: Its spreading speed is faster.
   Virus: Its spreading speed is slower as compared to worms.

2.8 TROJAN HORSES:

A Trojan horse virus is a type of malware that downloads onto a computer disguised as a
legitimate program. The delivery method typically sees an attacker use social engineering to hide
malicious code within legitimate software to try and gain access to users' systems with their software.

A simple way to answer the question "what is a Trojan" is that it is a type of malware that typically
gets hidden as an attachment in an email or a free-to-download file, then transfers onto the user's
device. Once downloaded, the malicious code will execute the task the attacker designed it for, such as
gaining backdoor access to corporate systems, spying on users' online activity, or stealing sensitive data.

There are many types of Trojan horse viruses that cyber criminals use to carry out different actions
and different attack methods. The most common types of Trojan used include:
• Backdoor Trojan
• Banker Trojan
• Distributed denial-of-service (DDoS) Trojan
• Downloader Trojan
• Exploit Trojan
• Fake antivirus Trojan
• Game-thief Trojan
• Instant messaging (IM) Trojan
• Infostealer Trojan
• Mailfinder Trojan
• Ransom Trojan
• Remote access Trojan
• Rootkit Trojan
• Short message service (SMS) Trojan
• Spy Trojan

2.9 BACKDOORS:
In cybersecurity terms, a backdoor attack is an attempt to infiltrate a system or a network by
maliciously taking advantage of a weak point in software.
Backdoors allow attackers to quietly get into the system by deceiving the security protocols and
gain administrative access. It is similar to a real-life robbery in which burglars take advantage of the
loopholes in a house and get a 'backdoor' entry for conducting the theft.
After gaining high-level administrative privilege, the cyber attackers could perform various
horrendous tasks like injecting spyware, gaining remote access, hacking the device, stealing sensitive
information, encrypting the system through ransomware, and many more.
Backdoors are originally meant for helping software developers and testers, so they are not always
bad.

Preventing a backdoor attack:

• Use a reliable antivirus to detect, isolate, and remove viruses from your device. If you discover
a virus known to install backdoors, thoroughly check the system for any unauthorized changes.

• Follow cybersecurity news for alerts about exposed backdoors. If you are worried that a
particular device is in danger, do not connect it to any network until it has been patched.

• Regularly update your operating system and apps. Security updates close known vulnerabilities
and can prevent malware from getting a hold of your device.
2.10 Steganography:
Steganography is a method of protecting secret or sensitive data from malicious attacks by hiding
that data inside an ordinary, non-secret video, audio, image or text file. It is done through various
methods in which some bits of the image, video or other multimedia file are replaced with the bits of
the plain text, so that the hidden message travels inside the image, video or audio.
In steganography, the useless bits of the carrier are replaced by the useful bits in order to hide the
required file inside any of the files or data mentioned above. It plays a vital role in cybersecurity by
allowing legitimate users or peers to send data in a highly secured way so that it is protected from
hackers or malicious users who intend to harm or abuse the system. It can be done using software
that is available in the market, free or paid.

2.11 SNIFFERS:
Sniffing may be defined as a method of capturing or monitoring data packets traveling
through a computer network. Generally, sniffing is done between two hosts who are exchanging data
between them. Packet sniffers reside in between them and monitor every packet traveling through the
network. These packets are analyzed, and sensitive data such as usernames, passwords, email details,
IP addresses, hardware addresses, routing information, etc. is captured.
Sniffing can be performed by network administrators to isolate and troubleshoot problems on the
network. It can also be done by someone with malicious intent to eavesdrop on network
communication and capture sensitive data like user names, passwords, the types of websites frequently
browsed by the victim and other valuable information.

Types of sniffing:
Active Sniffing:
Sniffing on a switch is active sniffing. A switch is a point-to-point network device. The
switch regulates the flow of data between its ports by actively monitoring the MAC address on each
port, which helps it pass data only to its intended target. In order to capture the traffic between targets,
the sniffer has to actively inject traffic into the LAN to enable sniffing of the traffic. This can be done in
various ways.

Passive Sniffing:
This is the process of sniffing through a hub. Any traffic that is passing through a
non-switched or unbridged network segment can be seen by all machines on that segment. Sniffers
operate at the data link layer of the network. Any data sent across the LAN is actually sent to each and
every machine connected to the LAN. This is called passive since the sniffers placed by the attackers
passively wait for the data to be sent and capture it. Various types:

1. MAC sniffers
2. IP sniffers
3. ARP sniffers
4. LAN sniffers
5. Password sniffers
6. Protocol sniffers

2.12 Spoofing:
Spoofing is a sort of fraud in which someone or something forges the sender's identity
and poses as a reputable source, business, colleague, or other trusted contact in order to obtain
personal information, acquire money, spread malware, or steal data.
Types of Spoofing:
• IP Spoofing
• ARP Spoofing (Address Resolution Protocol)
• Email Spoofing
• Website Spoofing Attack
• DNS Spoofing

Spoofing vs. Phishing:

1. Definition
   Spoofing: Spoofing is an identity theft where a person is trying to use the identity of a legitimate user.
   Phishing: Phishing is where a person steals the sensitive information of a user, like bank account details.
2. Category
   Spoofing: Spoofing can be phishing in part.
   Phishing: Phishing is not a part of spoofing.
3. Way
   Spoofing: For spoofing, someone has to download malicious software onto the user's computer.
   Phishing: Phishing is done using social engineering.
4. Purpose
   Spoofing: Spoofing is done to get a new identity.
   Phishing: Phishing is done to get confidential information.
5. Examples
   Spoofing: IP spoofing, email spoofing, URL spoofing.
   Phishing: Phone phishing, like asking for an OTP or getting bank account details; clone phishing.
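Added example (not from the notes), written from the defender's side of the ARP spoofing listed above and of the injected traffic that active sniffing on a switch relies on: a monitor that replays constructed ARP replies and flags an IP whose MAC changes, or one MAC that answers for several IPs. The addresses and timings are constructed for this illustration.

```python
from collections import defaultdict

# Constructed ARP replies seen on one LAN segment: (seconds, sender IP, sender MAC).
# Not a real capture; 10.0.0.1 plays the gateway and 10.0.0.25 a workstation.
ARP_REPLIES = [
    (1.0, "10.0.0.1",  "aa:aa:aa:aa:aa:01"),   # gateway answers a normal ARP request
    (1.5, "10.0.0.25", "aa:aa:aa:aa:aa:25"),   # workstation answers
    (2.0, "10.0.0.1",  "AA:AA:AA:AA:AA:01"),   # same gateway, MAC written in upper case
    (3.0, "10.0.0.1",  "de:ad:be:ef:00:99"),   # gateway IP suddenly bound to a new MAC
    (3.1, "10.0.0.25", "de:ad:be:ef:00:99"),   # the new MAC also claims the workstation's IP
]


def detect_arp_spoofing(replies):
    """Flag two signs of ARP cache poisoning: an IP whose MAC changes, and one MAC
    that answers for several IPs (an attacker poisoning both ends of a conversation
    so the traffic between them passes through the attacker's host).
    Returns a list of alert dicts in the order they were raised."""
    ip_to_mac = {}                   # last MAC seen answering for each IP
    mac_to_ips = defaultdict(set)    # every IP each MAC has answered for
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()            # normalise so case differences are not false alarms
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append({"time": ts, "kind": "ip-mac-change", "ip": ip,
                           "old_mac": previous, "new_mac": mac})
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append({"time": ts, "kind": "mac-claims-multiple-ips", "mac": mac,
                           "ips": sorted(mac_to_ips[mac])})
    return alerts
```

A replaced network card or a DHCP reassignment also produces an ip-mac-change alert, so correlate it with change records before treating it as an attack; the second alert type is the stronger signal.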

2.13 Session Hijacking: The Session Hijacking attack consists of the exploitation of the
web session control mechanism, which is normally managed through a session token.

Because HTTP communication uses many different TCP connections, the web server needs a method
to recognize every user's connections. The most useful method depends on a token that the web server
sends to the client browser after a successful client authentication. A session token is normally
composed of a string of variable width and it could be used in different ways: in the URL, in the
header of the HTTP request as a cookie, in other parts of the header of the HTTP request, or in the
body of the HTTP request.

The Session Hijacking attack compromises the session token by stealing or predicting a valid session
token to gain unauthorized access to the web server.

The session token could be compromised in different ways; the most common are:

• Predictable session token;
• Session sniffing;
• Client-side attacks (XSS, malicious JavaScript code, Trojans, etc.);
• Man-in-the-middle attack;
• Man-in-the-browser attack.
Example 1
Session Sniffing

In the example, as we can see, first the attacker uses a sniffer to capture a valid session token called
"Session ID", then they use the valid session token to gain unauthorized access to the web server.

Figure 1. Manipulating the session token to execute the session hijacking attack.
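Added example, not part of the original notes, of a server-side session store that closes the gaps in the list above: unguessable tokens instead of predictable ones, expiry, rotation after login, and the cookie attributes that blunt sniffing and client-side theft. The TTL value is an assumption for this illustration.

```python
import secrets
import time

SESSION_TTL_SECONDS = 900  # assumption: 15-minute sessions for this example


class SessionStore:
    """Server-side session table keyed by an unguessable token.
    `now` is injectable so expiry can be exercised without waiting."""

    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now

    def create(self, user):
        # 32 bytes from the OS CSPRNG (~256 bits): one token reveals nothing about
        # the next, unlike the counter scheme in predictable_token() below.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "expires": self._now() + SESSION_TTL_SECONDS}
        return token

    def lookup(self, token):
        """Return the user bound to a live token, or None (expired tokens are dropped)."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if entry["expires"] < self._now():
            del self._sessions[token]
            return None
        return entry["user"]

    def rotate(self, old_token):
        """Issue a fresh token and revoke the old one. Do this on every privilege change
        (typically right after login) so a token captured earlier stops working."""
        user = self.lookup(old_token)
        if user is None:
            return None
        del self._sessions[old_token]
        return self.create(user)

    def revoke(self, token):
        """Explicit logout: the token must stop working at once, not merely expire."""
        return self._sessions.pop(token, None) is not None


def session_cookie_header(token):
    """Cookie attributes that shrink the attack surface listed in the notes:
    Secure (never sent in cleartext, so nothing for a sniffer), HttpOnly (unreadable
    by injected JavaScript), SameSite (not attached to cross-site requests)."""
    return f"Set-Cookie: sid={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


def predictable_token(counter):
    """Weak scheme shown for contrast: a zero-padded counter. Seeing one token lets
    anyone enumerate its neighbours, which is the 'predictable session token' case."""
    return f"{counter:08d}"
```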

2.14 DoS and DDoS Attacks:

A DoS attack is a denial of service attack; in this attack a computer sends a massive amount of traffic
to a victim's computer and shuts it down. When done against a website, a DoS attack is an online
attack used to make the website unavailable to its users. This attack overwhelms the server of a
website that is connected to the internet by sending a large amount of traffic to it.
A DDoS attack means distributed denial of service; in this attack DoS attacks are done from many
different locations using many systems.

Difference between DoS and DDoS attacks:

1. DoS: DoS stands for Denial of Service attack.
   DDoS: DDoS stands for Distributed Denial of Service attack.
2. DoS: In a DoS attack a single system targets the victim system.
   DDoS: In DDoS multiple systems attack the victim system.
3. DoS: The victim PC is loaded with packets of data sent from a single location.
   DDoS: The victim PC is loaded with packets of data sent from multiple locations.
4. DoS: A DoS attack is slower as compared to DDoS.
   DDoS: A DDoS attack is faster than a DoS attack.
5. DoS: Can be blocked easily as only one system is used.
   DDoS: It is difficult to block this attack as multiple devices are sending packets and attacking from multiple locations.
6. DoS: In a DoS attack only a single device is used with DoS attack tools.
   DDoS: In a DDoS attack, volumes of bots are used to attack at the same time.
7. DoS: DoS attacks are easy to trace.
   DDoS: DDoS attacks are difficult to trace.
8. DoS: The volume of traffic in a DoS attack is less as compared to DDoS.
   DDoS: DDoS attacks allow the attacker to send massive volumes of traffic to the victim network.
9. DoS: Types of DoS attacks are: 1. Buffer overflow attacks 2. Ping of Death or ICMP flood 3. Teardrop attack 4. Flooding attack.
   DDoS: Types of DDoS attacks are: 1. Volumetric attacks 2. Fragmentation attacks 3. Application layer attacks 4. Protocol attacks.
2.15 Buffer attack:
A buffer is a temporary area for data storage. When a program or system process places more data
in it than it can hold, the extra data overflows. It causes some of that data to leak out into other
buffers, which can corrupt or overwrite whatever data they were holding.
In a buffer-overflow attack, the extra data sometimes holds specific instructions for actions
intended by a hacker or malicious user; for example, the data could trigger a response that damages
files, changes data or unveils private information.
An attacker would use a buffer-overflow exploit to take advantage of a program that is waiting on a
user's input. There are two types of buffer overflows: stack-based and heap-based.

Types of Buffer Overflow Attacks

Stack-based buffer overflows are more common, and leverage stack memory that only exists during
the execution time of a function.
Heap-based attacks are harder to carry out and involve flooding the memory space allocated for a
program beyond memory used for current runtime operations.

2.16 Attacks on Wireless Networks:

In security breaches, penetration of a wireless network through unauthorized access is termed
wireless cracking. There are various methods that demand a high level of technological skill and
knowledge, but the availability of numerous software tools has made it less sophisticated, so that
WLANs can be cracked with minimal technological skill.
1. Sniffing: It is eavesdropping on the network and is the simplest of all attacks. Sniffing is the simple
process of intercepting wireless data that is being broadcast on an unsecured network. Also termed
a reconnaissance technique, it gathers the required information about the active/available Wi-Fi
networks. The attacker usually installs the sniffers remotely on the victim's system and conducts
activities such as:

• Passive scanning of the wireless network;
• Detection of the SSID;
• Collecting the MAC address;
• Collecting frames to crack WEP.

2. Spoofing: The primary objective of this attack is to successfully masquerade an identity by
falsifying data and thereby gain an illegitimate advantage.
• MAC address spoofing: It is a technique of changing the assigned media access control (MAC)
address of a networked device to a different one. This allows the attacker to bypass access
control lists on servers or routers, either by hiding a computer on a network or by allowing it to
impersonate another network device.
• IP spoofing: It is the process of creating IP packets with a forged source IP address, with the
purpose of concealing the identity of the sender or impersonating another computing system.
• Frame spoofing: The attacker injects frames whose content is carefully spoofed and which
are valid as per the 802.11 specifications.
3. Denial of service (DoS)
4. Man-in-the-middle attack (MITM): It refers to the scenario wherein an attacker on host A inserts
A between all communications between hosts X and Y, without the knowledge of X and Y.
5. Encryption cracking: It is always advised that the first step to protect wireless networks is to use
WPA encryption. Attackers continually devise new tools and techniques to break older encryption
technology, which is quite easy for them due to continuous research in this field.

2.17 Theft:
Identity theft is the crime of obtaining the personal or financial information of another person to
use their identity to commit fraud, such as making unauthorized transactions or purchases. Identity
theft is committed in many different ways and its victims are typically left with damage to their
credit, finances, and reputation.

Various types of identity theft:

• Criminal Identity Theft – This is a type of theft in which the victim is charged as guilty
and has to bear the loss when the criminal or thief backs up his position with false
documents of the victim, such as an ID or other verification documents, and his bluff is
successful.

• Senior Identity Theft – Seniors aged over 60 are often targets of identity thieves.
They are sent information that looks genuine and then their personal information is
gathered for such use. Seniors must be aware so as not to become victims.

• Driver's License Identity Theft – All the information on one's driver's license
provides the name, address, and date of birth, as well as a state driver's identity number.
Thieves use this information to apply for loans or credit cards, or try to open bank
accounts to obtain checking accounts, or buy cars, houses, vehicles, electronic equipment,
jewelry, anything valuable, and all of it is charged to the owner's name.

• Medical Identity Theft – In this theft, the victim's health-related information is
gathered and then a fraudulent need for medical services is created with fraudulent bills,
which then end up on the victim's account for such services.

• Tax Identity Theft – In this type of attack the attacker is interested in knowing your
Employer Identification Number in order to claim a tax refund. This is noticed when
you attempt to file your tax return or the Income Tax department sends you a notice
about it.

• Social Security Identity Theft – In this type of attack the thief intends to learn your
Social Security Number (SSN). With this number, they also have access to all your personal
information, which is the biggest threat to an individual.

• Synthetic Identity Theft – This theft differs from the others: the thief combines
the gathered information of several people and creates a new identity. When this identity
is used, all of the victims are affected.
• Financial Identity Theft – This is the most common type of attack. In it, the stolen
credentials are used to attain a financial benefit. The victim notices only when he checks
his balances carefully, as this is practiced in a very slow manner.
2.18 Footprinting:
Footprinting is an ethical hacking technique used to gather as much data as possible about
a specific targeted computer system, infrastructure and network to identify opportunities to
penetrate them. It is one of the best methods of finding vulnerabilities.

The process of cybersecurity footprinting involves profiling organizations and collecting data about
the network, hosts, employees and third-party partners. This information includes the OS used by the
organization, firewalls, network maps, IP addresses, domain name system information, security
configurations of the target machine, URLs, virtual private networks, staff IDs, email addresses and
phone numbers.

There are two types of footprinting in ethical hacking:

1. Active footprinting
2. Passive footprinting

Footprinting also helps companies better understand their current security posture through analysis of
data gathered about the firewall, security configuration and more. Users can update this list
periodically and use it as a reference point during security audits.

2.19 Social Engineering:

Social engineering is the term used for a broad range of malicious activities
accomplished through human interactions. It uses psychological manipulation to trick users into
making security mistakes or giving away sensitive information.

Social engineering attacks happen in one or more steps. A perpetrator first investigates the intended
victim to gather necessary background information, such as potential points of entry and weak security
protocols, needed to proceed with the attack. Then, the attacker moves to gain the victim’s trust and
provide stimuli for subsequent actions that break security practices, such as revealing sensitive
information or granting access to critical resources.

Social Engineering Attack Lifecycle

Social engineering attacks come in many different forms and can be performed anywhere where human
interaction is involved. The following are the five most common forms of digital social engineering
assaults.
BAITING:
As its name implies, baiting attacks use a false promise to pique a victim's greed or curiosity. They
lure users into a trap that steals their personal information or infects their systems with malware.

The most reviled form of baiting uses physical media to disperse malware. For example, attackers
leave the bait—typically malware-infected flash drives—in conspicuous areas where potential victims
are certain to see them (e.g., bathrooms, elevators, the parking lot of a targeted company). The bait has
an authentic look to it, such as a label presenting it as the company’s payroll list.

Victims pick up the bait out of curiosity and insert it into a work or home computer, resulting in
automatic malware installation on the system.

Baiting scams don’t necessarily have to be carried out in the physical world. Online forms of baiting
consist of enticing ads that lead to malicious sites or that encourage users to download a malware-
infected application.

SCAREWARE:
Scareware involves victims being bombarded with false alarms and fictitious threats.
Users are deceived into thinking their system is infected with malware, prompting them to install
software that has no real benefit (other than for the perpetrator) or is malware itself. Scareware is
also referred to as deception software, rogue scanner software and fraudware.

Scareware is also distributed via spam email that doles out bogus warnings, or makes offers for users
to buy worthless/harmful services.

PRETEXTING:
Here an attacker obtains information through a series of cleverly crafted lies. The scam is
often initiated by a perpetrator pretending to need sensitive information from a victim so as to perform
a critical task. The attacker usually starts by establishing trust with their victim by impersonating co-
workers, police, bank and tax officials, or other persons who have right-to-know authority.

The pretexter asks questions that are ostensibly required to confirm the victim’s identity,
through which they gather important personal data.

All sorts of pertinent information and records are gathered using this scam, such as social security
numbers, personal addresses and phone numbers, phone records, staff vacation dates, bank records and
even security information related to a physical plant.

PHISHING:
As one of the most popular social engineering attack types, phishing scams are
email and text message campaigns aimed at creating a sense of urgency, curiosity or fear in victims. It
then prods them into revealing sensitive information, clicking on links to malicious websites, or
opening attachments that contain malware.
SPEAR PHISHING:
This is a more targeted version of the phishing scam whereby an attacker chooses
specific individuals or enterprises. They then tailor their messages based on characteristics, job
positions, and contacts belonging to their victims to make their attack less conspicuous. Spear
phishing requires much more effort on behalf of the perpetrator and may take weeks and months to
pull off. They’re much harder to detect and have better success rates if done skillfully.

2.20 Port Scan:

A port scan is a method for determining which ports on a network are open. As ports
on a computer are the place where information is sent and received, port scanning is analogous to
knocking on doors to see if someone is home. Running a port scan on a network or server reveals
which ports are open and listening (receiving information), as well as revealing the presence of
security devices such as firewalls between the sender and the target. This technique is known as
fingerprinting. It is also valuable for testing network security and the strength of the system's
firewall. Due to this functionality, it is also a popular reconnaissance tool for attackers seeking a
weak point of access to break into a computer.

Ports vary in the services offered. They are numbered from 0 to 65535, but certain ranges are more
frequently used. Ports 0 to 1023 are identified as the "well-known ports" or standard ports and have
been assigned services by the Internet Assigned Numbers Authority (IANA). Some of the most
prominent ports and their assigned services include:

Port 20 (udp) – File Transfer Protocol (FTP) for data transfer
Port 22 (tcp) – Secure Shell (SSH) protocol for secure logins, ftp, and port forwarding
Port 23 (tcp) – Telnet protocol for unencrypted text communications
Port 53 (udp) – Domain Name System, which translates the names of all computers on the internet to
IP addresses
Port 80 (tcp) – World Wide Web HTTP

A port scan sends a carefully prepared packet to each destination port number. The basic techniques
that port scanning software is capable of include:

Vanilla– the most basic scan; an attempt to connect to all 65,536 ports one at a time. A vanilla scan
is a full connect scan, meaning it sends a SYN flag (request to connect) and upon receiving a SYN -
ACK (acknowledgement of connection) response, sends back an ACK flag. This SYN, SYN-ACK,
ACK exchange comprises a TCP handshake. Full connect scans are accurate, but very easily detected
because full connections are always logged by firewalls.

SYN Scan– Also referred to as a half-open scan, it only sends a SYN, and waits for a SYN-ACK
response from the target. If a response is received, the scanner never responds. Since the TCP
connection was not completed, the system doesn’t log the interaction, but the sender has learned if
the port is open or not.
XMAS and FIN Scans– In a FIN scan, an unsolicited FIN flag (used normally to end an established
session) will be sent to a port. The system's response to this random flag can reveal the state of the
port or give insight about the firewall.

An XMAS scan simply sends a set of all the flags, creating a nonsensical interaction. The system's
response can be interpreted to better understand the system's ports and firewall.

FTP Bounce Scan– allows for the sender’s location to be disguised by bouncing the packet through
an FTP server. This is also designed for the sender to go undetected.

Sweep scan– pings the same port across a number of computers to identify which computers on the
network are active. This does not reveal information about the port’s state, instead it tells the sender
which systems on a network are active. Thus, it can be used as a preliminary scan.

2.21 Enumeration:
Enumeration is used to gather usernames, hostnames, IP addresses, passwords, configurations, and
so on. Once an active connection with the target host is established, attackers take control of the
target system. They then steal private data and information. Sometimes attackers have also been
found changing the configuration of the target systems. The manner in which the connection to the
host is set up determines the information or data the attacker will be able to access.

Process of Enumeration
Types of information enumerated by intruders:
1. Network resources and shares
2. Users and groups
3. Routing tables
4. Auditing and service settings
5. Machine names
6. Applications and banners
7. SNMP and DNS details

Techniques for Enumeration:

• Extracting user names using email IDs
• Extracting information using the default password
• Brute-forcing Active Directory
• Extracting user names using SNMP
• Extracting user groups from Windows
• Extracting information using DNS zone transfer
TOPICS: Proxy Servers and Anonymizers, Phishing, Password Cracking, Keyloggers and
Spywares, Virus and Worms, Trojan Horses and Backdoors, Steganography, Sniffers, Spoofing,
Session Hijacking, Buffer Overflow, DoS and DDoS Attacks, SQL Injection, Buffer Overflow,
Attacks on Wireless Networks, Identity Theft (ID Theft), Foot Printing and Social Engineering, Port
Scanning, Enumeration
Unit III : Cyber Crime Investigation
TOPICS: Introduction, Investigation Tools, eDiscovery, Digital Evidence Collection, Evidence
Preservation, E-Mail Investigation, E-Mail Tracking, IP Tracking, E-Mail Recovery, Hands on Case
Studies, Encryption and Decryption Methods, Search and Seizure of Computers, Recovering Deleted
Evidences, Password Cracking.

3.1 CYBER CRIME INVESTIGATION:


Investigation of a cybercrime is a process consisting of investigating, analyzing, and recovering forensic
data for digital evidence of a crime. A cybercrime is a crime that involves a computer and a network.
The computer may have been used in the commission of a crime, or it may be the target.

3.2 INVESTIGATION TOOLS: While techniques may vary depending on the type of cybercrime
being investigated, as well as who is running the investigation, most digital crimes are subject to some
common techniques used during the investigation process.

• Background check: Creating and defining the background of the crime with known facts will
help investigators set a starting point to establish what they are facing, and how much
information they have when handling the initial cybercrime report.

• Information gathering: One of the most important things any cybersecurity researcher must
do is gather as much information as possible about the incident.

• Tracking and identifying the authors: This next step is sometimes performed during the
information-gathering process, depending on how much information is already in hand. In
order to identify the criminals behind the cyberattack,

o This is often the slowest phase, as it requires legal permission from prosecutors and a
court order to access the needed data.

• Digital forensics: Once researchers have collected enough data about the cybercrime, it's time
to examine the digital systems that were affected, or those supposed to be involved in the origin
of the attack. This process involves analyzing raw network connection data, hard drives, file
systems, caching devices, RAM and more. Once the forensic work starts, the involved
researcher will follow up on all the involved trails looking for fingerprints in system files,
network and service logs, emails, web-browsing history, etc.

Some Digital forensics tools:


Kali Linux: Kali Linux is an open-source Linux distribution that is maintained and funded by Offensive
Security. It is specially designed for digital forensics and penetration testing.

Ophcrack: This tool is mainly used for cracking the password hashes generated by Windows. It offers a
GUI and runs on multiple platforms.

EnCase: This software allows an investigator to image and examine data from hard disks and
removable disks.

SafeBack: SafeBack is mainly used for imaging the hard disks of Intel-based computer systems and
restoring these images to other hard disks.

Data dumper (dd): This is a command-line computer forensic tool, freely available for UNIX
operating systems, which can make exact copies of disks suitable for digital forensic analysis.

Md5sum: A tool that helps you check, by comparing hashes, whether data has been copied to another
storage medium successfully.

3.3 WHAT IS E-DISCOVERY?


E-discovery is a form of digital investigation that attempts to find evidence in email, business
communications and other data that could be used in litigation or criminal proceedings. The traditional
discovery process is standard during litigation, but e-discovery is specific to digital evidence.
How does the e-discovery process work?

The process of discovery runs from the moment a lawsuit appears imminent until digital evidence is
presented in court. Attorneys from both sides will determine the scope of e-discovery. The following
is a simple description of the e-discovery process:

1. Identification. ESI (electronically stored information) is identified by attorneys. E-discovery
requests and challenges are made.

2. Preservation. Data that is identified as potentially relevant is placed under legal hold so it
cannot be destroyed. Failure to preserve data will lead to sanctions and fines if the lost data
puts the defense at a disadvantage.

3. Collection. Data is transferred from a company to legal counsel. The legal counsel
determines the data's relevance.

4. Processing. Files are loaded into a review platform. Data is usually converted into a PDF
(Portable Document Format) or TIFF (Tag Image File Format) for court.
5. Review. The review process assesses documents for privilege and responsiveness to
discovery requests.

6. Production. Documents are exchanged with opposing counsel.

3.4 DIGITAL EVIDENCE COLLECTION IS SIMILAR TO E-DISCOVERY:


Here are some of the major challenges that a forensics examiner may face while collecting
evidence. These are the reasons why experts also want to learn how to collect digital evidence using the
latest technology.

• The number of PCs and the extensive use of internet access can increase the difficulty of the
investigation process.
• Tools and software to trace the hacking are not easily available.
• Lack of physical evidence can make the prosecution process difficult.
• Large storage capacities, in terabytes, can make the examination process vast and difficult.
• The examiner must be adaptive to the present situation. For instance, any change in technology may
lead to the upgrading of certain techniques.

The phases of digital evidence collection are:
1. Identification
2. Reporting and Documentation
3. Analysis
4. Presentation
5. Preservation

3.5 EVIDENCE PRESERVATION:


Once data is acquired, the data and device need to be securely stored until they’re needed for further
investigation. Preservation is usually done in either physical or digital storage systems.
10 Best Practices for Managing Digital Evidence (Evidence Handling Procedures)

Digital evidence management has become so critical to legal and corporate affairs that government
agencies now routinely provide guidance on the best ways to preserve digital evidence. Since most
companies do not have the resources to retain in-house evidence collection specialists

1. Document Device Condition

This is often overlooked during the identification phase. Make sure to take pictures of the device
holding the digital media you will be collecting. Document its physical condition and where it was
located.

Are there any dents or scratches? Is it wet? Are there tools nearby that could have been used to tamper
with it? Track this information in the same evidence management system as the physical device.

2. Get Forensic Experts Involved

It is important to know when to stop working with evidence and let the experts take over. Following
the best practices detailed here will allow even regular security officers, IT technicians, and office
workers to help with the collection process. But the process of preserving and analyzing data still
usually requires forensic expertise.

3. Have a Clear Chain of Custody

Document the transfer of media and digital evidence between every person and agency that comes in
contact with it. Gaps in these records can prevent evidence from being admitted in court should legal
action need to be taken. While a chain of custody can be recorded on paper, an authoritative digital
record is often more reliable.

4. Don’t Change the Power Status

Leave the device in its current power state as long as possible during evidence identification and
collection. If the device is on, leave it on. If it is off, leave it off.

Leave battery-powered devices in their current state as long as possible. Obviously, for wired devices,
such as desktop PCs, you will eventually need to turn them off for transport. For highly sensitive
investigations, it is best to bring in forensic experts before you do whenever possible.

5. Secure the Device

Ensure proper chain of custody for both hardware and data with strong physical security. Don’t store
the device in an open access area. Try not to leave it unattended when it is being worked on. Poor chain
of custody can reduce the value of evidence during proceedings.
6. Never Work on the Original Data

Sometimes data collection involves just copying readable files from media storage. But often other
metadata can be collected from devices by forensic experts. Metadata is data about the condition of
files on the device or about the device itself. Useful metadata can include how files were accessed,
whether a shutdown or delete command was issued, or whether the user tried to copy files to another
device.

Working directly on the original media will often delete valuable metadata. Professional data retrieval
and forensic services always perform their analyses and reporting on virtual copies of media whenever
possible.

7. Keep the Device Digitally Isolated

Another way to preserve metadata is to keep the device isolated from other storage systems. Keep it
off Wi-Fi and wired network connections.

Sometimes well-intentioned staff can accidentally overwrite valuable metadata if they plug in a thumb
drive attempting to copy files via conventional means for analysis. Leave the data copying to
professional forensic experts.

8. Prepare for Long-Term Storage

Consider whether off-site storage is needed for long-term evidence management, or whether an on-
site modular evidence management system can accommodate your needs. Modular systems will be
able to scale if evidence retention needs or available space change.

9. Monitor Evidence Transactions

Staff will need to periodically sign out evidence for reporting or attorney consultations. Recording all
of these transactions is essential for maintaining a proper chain of custody.

This can be difficult for most organizations that aren’t staffed with a full-time evidence manager. Even
those law enforcement agencies that do have evidence managers can’t have them on duty around the
clock. Consider whether automated evidence lockers can simplify transaction monitoring.

10. Periodically Audit Your Evidence Management Program

New electronic devices are constantly hitting the market. In particular, the advent of Internet of
Things (IoT) technology means many more types of devices now hold data. You should regularly
review your digital evidence management practices to ensure they accommodate all new types of
devices and forms of digital storage that might come into your possession.
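Practices 3 and 9 above call for an authoritative record of every custody transfer. The following is an added example, not code from the notes, of one way to keep such a record tamper-evident: each entry's hash covers the previous entry's hash, so an edited or removed entry is detected on verification. All evidence IDs, names and times are constructed sample data.

```python
"""Tamper-evident chain-of-custody log.

Added example, not code from the notes. Every custody event is stored as a
record whose hash covers the previous record's hash, so editing, inserting
or removing any earlier entry breaks every later link and verify() reports
the first entry that no longer checks out. Names and times below are
constructed sample data.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass


@dataclass
class CustodyEntry:
    seq: int              # 1-based position in the log
    timestamp: str        # ISO-8601 string supplied by the caller (keeps runs reproducible)
    evidence_id: str      # evidence tag / bag number
    action: str           # "seized", "transferred", "checked_out", "returned", ...
    handler: str          # person or unit taking custody
    prev_hash: str        # entry_hash of the previous record (GENESIS for the first)
    entry_hash: str = ""  # SHA-256 over all fields above

    def compute_hash(self) -> str:
        body = asdict(self)
        body.pop("entry_hash")          # the hash never covers itself
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class CustodyLog:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[CustodyEntry] = []

    def append(self, timestamp: str, evidence_id: str, action: str, handler: str) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = CustodyEntry(len(self.entries) + 1, timestamp, evidence_id, action, handler, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple[bool, int | None]:
        """(True, None) if every link holds, else (False, seq of the first broken entry)."""
        expected_prev = self.GENESIS
        for position, entry in enumerate(self.entries, start=1):
            if (entry.seq != position
                    or entry.prev_hash != expected_prev
                    or entry.entry_hash != entry.compute_hash()):
                return False, entry.seq
            expected_prev = entry.entry_hash
        return True, None


def sample_log() -> CustodyLog:
    """Constructed custody history for one evidence item."""
    log = CustodyLog()
    log.append("2024-01-05T09:00:00Z", "EV-0001", "seized", "Officer A")
    log.append("2024-01-05T11:30:00Z", "EV-0001", "transferred", "Lab intake")
    log.append("2024-01-06T08:15:00Z", "EV-0001", "checked_out", "Examiner B")
    return log


if __name__ == "__main__":
    log = sample_log()
    print("intact:", log.verify())
    log.entries[1].handler = "Someone else"     # back-date an edit to entry 2
    print("after edit:", log.verify())
```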

3.6 WHAT IS EMAIL INVESTIGATION/FORENSICS?


Email forensics is a branch of digital forensics that focuses on the forensic analysis of email to collect
digital evidence for cybersecurity attacks and cyber incidents. It comprises an in-depth forensic
investigation of various email aspects such as Message-IDs, transmission routes, attached files and
documents, IP addresses of servers and computers, etc.
Email forensic professionals use the following techniques to examine emails and analyze the digital
evidence:

1. Email Header Analysis

Email headers contain essential information, including the name of the sender and receiver, the path
(servers and other devices) through which the message has traversed, etc.

The vital details in email headers help investigators and forensics experts in the email investigation.
For instance, the Delivered-To field contains the recipient’s email address, and the Received field
contains:

• The IP address of the last SMTP server the message passed through.
• Its SMTP ID.
• The date and time at which the email was received.

Similarly, the Received: from field provides necessary details like the sender’s IP address and
hostname. Again, such information can be instrumental in identifying the culprit and collecting
evidence.

2. Email Server Investigation

Email servers are investigated to locate the source of an email. For example, if an email is deleted from
a client application, sender’s, or receiver’s, then related ISP or Proxy servers are scanned as they
usually save copies of emails after delivery. Servers also maintain logs that can be analyzed to identify
the computer’s address from which the email originated.

It is worth noting that HTTP and SMTP logs are archived frequently by large ISPs. If a log is archived,
tracing relevant emails can take a lot of time and effort, requiring decompression and extraction
techniques. Therefore, it is best to examine the logs as soon as possible.

3. Investigation of Network Devices

In some cases, logs of servers are not available. This can happen for many reasons, such as when
servers are not configured to maintain logs or when an ISP refuses to share the log files. In such an
event, investigators can refer to the logs maintained by network devices such as switches, firewalls,
and routers to trace the source of an email message.

4. Sender Mailer Fingerprints

X-headers are email headers that are added to messages along with standard headers,
like Subject and To. These are often added for spam filter information, authentication results, etc.,
and can be used to identify the software handling the email at the client, such as Outlook or Opera
Mail. In addition, the x-originating-IP header can be used to find the original sender, i.e., the IP address
of the sender’s computer.
5. Message-IDs

A Message-ID is an identifier that is unique across the globe and so helps the forensic examination of
emails. It comprises a long string of characters that ends with a Fully Qualified Domain Name (FQDN).
Message-IDs are generated by the mail software that sends emails, such as Mail User Agents (MUA) or
Mail Transfer Agents (MTA). There are two parts to a Message-ID: one part before the @ and another
part after it. The first part of the Message-ID contains information such as the message’s timestamp,
i.e. the time when the message was sent. The second part of the Message-ID contains the FQDN.
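The header analysis in point 1 and the Message-ID structure just described can both be extracted mechanically. The following is an added example, not code from the notes, that unfolds the Received headers of a raw message, walks them back into transmission order, and splits the Message-ID at the @. The raw message, host names and IP addresses are constructed, not a real capture.

```python
"""Received-hop and Message-ID extraction from a raw e-mail.

Added example, not code from the notes. Received: headers are prepended by
each server, so the top one is the final hop and the bottom one is the first;
the parser walks them back into transmission order and pulls the fields the
text lists (relay host, its IP, the SMTP id and the receive time). The raw
message, hosts and addresses below are constructed, not a real capture.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: sending machine -> relay.example.net -> mx2.example.org -> mailbox server.
SAMPLE_RAW = """\
Delivered-To: victim@example.org
Received: from mx2.example.org (mx2.example.org [192.0.2.20])
\tby mail.example.org with ESMTP id 7C3A1F2B9
\tfor <victim@example.org>; Tue, 05 Mar 2024 10:15:42 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx2.example.org with ESMTPS id 55A2E0C1
\tfor <victim@example.org>; Tue, 05 Mar 2024 10:15:40 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby relay.example.net with ESMTPA id 91D0B7
\tfor <victim@example.org>; Tue, 05 Mar 2024 10:15:37 +0000
Message-ID: <20240305101535.12345.abc@sender-pc.example.com>
From: "Sender" <sender@example.com>
To: victim@example.org
Subject: Invoice attached

Please see the attached invoice.
"""

# "from <host> (<comment>) by <host> ... id <id>" is the usual clause order of a trace field
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<from_info>[^)]*)\))?"
    r"\s+by\s+(?P<by>\S+)(?:.*?\bid\s+(?P<id>\S+))?"
)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received_hops(raw_message: str) -> list[dict]:
    """Return one dict per hop, ordered from the originating machine to the final server."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())          # unfold the header
        match = HOP_RE.search(flat)
        if not match:
            continue                                  # non-standard trace line: skip, don't guess
        info = match.group("from_info") or ""
        ip_match = IPV4_RE.search(info) or IPV4_RE.search(match.group("from"))
        date_text = flat.rsplit(";", 1)[1].strip() if ";" in flat else ""
        hops.append({
            "from": match.group("from"),
            "from_ip": ip_match.group(1) if ip_match else None,
            "by": match.group("by"),
            "smtp_id": match.group("id"),
            "timestamp": parsedate_to_datetime(date_text) if date_text else None,
        })
    hops.reverse()                                    # bottom-most header was added first
    return hops


def split_message_id(raw_message: str) -> tuple[str, str]:
    """Split '<local@fqdn>' into (local part, FQDN); the local part usually embeds a timestamp."""
    msg = message_from_string(raw_message)
    mid = (msg.get("Message-ID") or "").strip().strip("<>")
    local, _, fqdn = mid.rpartition("@")
    return local, fqdn


def originating_ip(raw_message: str) -> str | None:
    """IP recorded in the first Received hop, i.e. the address the first relay saw."""
    hops = parse_received_hops(raw_message)
    return hops[0]["from_ip"] if hops else None


if __name__ == "__main__":
    for hop in parse_received_hops(SAMPLE_RAW):
        print(f"{hop['from_ip']:>15} -> {hop['by']:<20} id={hop['smtp_id']} at {hop['timestamp']}")
    print("Message-ID parts:", split_message_id(SAMPLE_RAW))
```

Only the hop added by a server you trust is reliable; earlier Received lines can be forged by the sender, which is why the hops are read from the top down and checked for consistency.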

6. Embedded Software Identifiers

Sometimes, the email software used by a sender can include additional information about the message
and attached files in the email. For example, it can be found in Multipurpose Internet Mail Extensions
(MIME) content as a Transport Neutral Encapsulation Format (TNEF) or custom header. An in-depth
analysis of these sections can reveal vital details related to the sender, like the MAC address, Windows
login username of the sender, PST file name, and much more.

7. Bait Tactics

The bait tactic is an email investigation technique used when the location of a suspect or cybercriminal
is unknown. In this, the investigators send the suspect an email containing an HTML <img src> tag whose
image source is on a computer that the investigators monitor. When the suspect opens the email,
the computer’s IP address is registered in a log entry on the HTTP server that hosts the image. The
investigators can use the IP address to track the suspect.

Sometimes, suspects take preventive measures like using a proxy server to protect their identity. In
that case, the IP address of the proxy server is recorded.

8. Bulk Email Forensics

Large mailbox collections are often examined, analyzed, and used as evidence in legal cases.
Therefore, legal professionals have to work with large mailboxes in many cases. Most email service
applications, like Outlook and Gmail, offer a dashboard embedded with several valuable functions.
However, you may not get the desired results by only using keywords in the interface.

Date and time are two attributes of emails considered necessary when they are produced as evidence
related to a case. However, emails can be forged like physical documents, and hackers may tamper
with these attributes. In addition, since an email doesn’t travel directly from the sender to the receiver,
recording its actual route with accurate timings is a tricky aspect.

9. Importance of using Hashing Algorithm

MD5 and SHA1 are the two most crucial hashing algorithms used by digital forensics professionals.
It’s a standard practice to use MD5 and SHA1 hashing algorithms in email forensics investigations.
These algorithms allow forensic investigators to preserve digital evidence from the moment they
acquire it until it is produced in a court of law.
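The Md5sum entry in 3.2 and point 9 here both rest on the same practice: hash the evidence at acquisition, record the digests, and re-hash before analysis or production. The following is an added example, not code from the notes, that does exactly that and shows the check failing after a single byte of the "image" changes. The image is a constructed byte string standing in for a disk image or mailbox file.

```python
"""Acquisition-time hashing and later re-verification of an evidence image.

Added example, not code from the notes. The digests computed when the image
is acquired are recorded beside it; re-hashing the file before analysis or
before it is produced in court shows whether a single byte has changed. The
'image' here is a constructed byte string standing in for a disk image or
mailbox file; the same code applies unchanged to a real file.
"""
from __future__ import annotations

import hashlib
import io
import os
import tempfile

ALGORITHMS = ("md5", "sha1")                   # the two the notes say forensic practice relies on
CONSTRUCTED_IMAGE = b"FAKE-DISK-IMAGE-" * 200  # 3200 bytes of stand-in data


def hash_stream(stream, algorithms=ALGORITHMS, chunk_size: int = 1 << 20) -> dict[str, str]:
    """Hash a file-like object in chunks so multi-gigabyte images need not fit in RAM."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes, algorithms=ALGORITHMS) -> dict[str, str]:
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path: str, algorithms=ALGORITHMS) -> dict[str, str]:
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def verify_file(path: str, expected: dict[str, str]) -> tuple[bool, list[str]]:
    """Re-hash the file; return (all match?, names of algorithms whose digest differs)."""
    current = hash_file(path, tuple(expected))
    mismatched = sorted(name for name in expected if current[name] != expected[name])
    return not mismatched, mismatched


def demo() -> dict:
    """Acquire, verify, then simulate working on the original and verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "evidence.dd")
        with open(image, "wb") as f:
            f.write(CONSTRUCTED_IMAGE)
        manifest = hash_file(image)             # what an acquisition tool would record
        before = verify_file(image, manifest)
        with open(image, "r+b") as f:           # a single-byte change, e.g. from a read-write mount
            f.seek(512)
            f.write(b"X")
        after = verify_file(image, manifest)
    return {"manifest": manifest, "intact": before, "after_change": after}


if __name__ == "__main__":
    result = demo()
    for algo, digest in result["manifest"].items():
        print(f"{algo}: {digest}")
    print("intact:", result["intact"], "| after change:", result["after_change"])
```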

3.7 EMAIL TRACKING:

Email tracking is a method for monitoring whether an email message is read by the intended
recipient. Most tracking technologies use some form of digitally time-stamped record to reveal the
exact time and date that an email was received or opened, as well as the IP address of the recipient.
Email tracking is useful when the sender wants to know whether the intended recipient actually
received the email or clicked the links. However, due to the nature of the technology, email tracking
cannot be considered an absolutely accurate indicator that a message was opened or read by the
recipient.
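Most of the tracking described here, like the bait tactic in 3.6.7, relies on a remote image that the mail client fetches when the message is rendered. The following is an added example, not code from the notes, of a detector that flags such images in an HTML body by the usual tells (remote URL, 1x1 or zero size, hidden by CSS, per-recipient token in the query string). The sample HTML, host names and the list of token parameter names are constructed assumptions.

```python
"""Flagging tracking images in an HTML e-mail body.

Added example, not code from the notes. A tracking pixel is an <img> whose
src points at a remote server the sender controls, so simply rendering the
mail tells that server the recipient's IP and the time of opening. The
detector looks for the usual tells: remote URL, 1x1 or zero size, hidden by
CSS, or a per-recipient token in the query string. Any remote image leaks the
IP on load; this ranks the ones that look built for tracking. The HTML,
hosts and parameter names are constructed.
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Query parameters commonly used to tie an open event to one recipient (assumed list; extend as needed)
TOKEN_PARAMS = {"uid", "rid", "token", "id", "e", "email", "t"}

SAMPLE_HTML = """<html><body>
<p>Hi,</p>
<img src="https://cdn.example.com/images/logo.png" width="200" height="60" alt="Logo">
<p>Thanks for reading.</p>
<img src="https://track.example.net/o/open.gif?uid=8f41c2&amp;c=spring" width="1" height="1" style="display:none">
<img src="cid:part1.inline@example.com" alt="inline attachment">
</body></html>"""


class ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag (HTMLParser lowercases names and unescapes values)."""

    def __init__(self) -> None:
        super().__init__()
        self.images: list[dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({name: (value or "") for name, value in attrs})


def classify_image(attrs: dict[str, str]) -> dict:
    """Return the image's host and the reasons (if any) it looks like a tracking beacon."""
    src = attrs.get("src", "")
    url = urlparse(src)
    reasons: list[str] = []
    if url.scheme not in ("http", "https"):
        # cid:/data: images are embedded in the mail and cannot report back to a server
        return {"src": src, "host": None, "suspicious": False, "reasons": reasons}
    width, height = attrs.get("width", "").strip(), attrs.get("height", "").strip()
    if width in ("0", "1") and height in ("0", "1"):
        reasons.append("tiny dimensions")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden by style")
    if any(key.lower() in TOKEN_PARAMS for key in parse_qs(url.query)):
        reasons.append("per-recipient token in URL")
    return {"src": src, "host": url.hostname, "suspicious": bool(reasons), "reasons": reasons}


def find_tracking_images(html: str) -> list[dict]:
    """All <img> tags in the body that match at least one tracking tell."""
    collector = ImgCollector()
    collector.feed(html)
    return [c for c in map(classify_image, collector.images) if c["suspicious"]]


if __name__ == "__main__":
    for hit in find_tracking_images(SAMPLE_HTML):
        print(hit["host"], "->", ", ".join(hit["reasons"]))
```

A mail client that blocks remote images by default defeats all three tells at once, which is why that setting is the usual mitigation.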
3.8 IP TRACKING:

When you connect to the internet, your device uses an address, called an IP address, to connect with.
With IP tracking, every time you visit a website, the website knows what IP address you are accessing
the website from, which means your location and, in the case of businesses, the company identity can be
determined. This information can be very powerful in determining the demand for your products and
services, especially for business-to-business companies.

Cookies, or behavioural targeting, allow the website you visit to place a cookie in your
browser to collect your web-browsing behaviour, including time on page, clicks, and other websites
you visit. The technology is used primarily by publishers to create “audience profiles,” which are
basically a bunch of information about you. Cookies will live in your browser until you clear your
cache.
Another approach is to use cookie data to understand the individuals that visit your website, including
what department they work in or their job level. You can build an audience profile and market to more
people like them to drive relevant traffic to your website.
The best approach? Use both IP tracking and cookies simultaneously: this way, not only will you
know what companies are visiting your website, but you’ll also know what kinds of people are
visiting.
7 Best IP Address Trackers:

1. Solarwinds IP Address Manager
2. Advanced IP Scanner
3. Angry IP Scanner
4. SoftPerfect Network Scanner
5. LizardSystems Network Scanner
6. B-Labs Bopup Scanner
7. MyLanViewer Network/IP Scanner
What Are IP Grabbers?
An IP grabber is a different kind of tool mostly used for grabbing IP
addresses and collecting statistics. Put simply, an IP grabber is a third-party tool that can extract an IP
address whenever someone clicks on a specific link. IP grabbing solutions can create a specific, shortened
link. Whenever someone clicks on the URL, their real-time IP address is collected.

3.9 E-Mail Recovery


One of the most important aspects of investigating a cybercrime is the ability to
recover and analyze emails that may have been involved in the incident. Email recovery is the process
of retrieving emails that have been deleted or otherwise lost, in order to gather evidence or other
information related to a cybercrime investigation.

1. Emails are often a key source of evidence in cybercrime investigations, as they can provide
information on the perpetrators, victims, and the nature of the crime.
2. Deleted or lost emails can be recovered using a variety of methods, including server backups,
email recovery software, and forensic analysis.
3. Recovered emails can be analyzed for a range of information, including the sender, recipient,
date and time sent, and content of the email.
4. Email headers can provide valuable information in cybercrime investigations, such as the IP
address of the sender and the email client used.
5. Emails can also contain attachments, such as documents or images, that may provide additional
evidence of cybercrime.
6. Recovery of deleted or lost emails can be time-sensitive, as email servers may have retention
policies that automatically delete emails after a certain period of time.
7. Email recovery may require specialized technical knowledge and expertise, particularly in
cases where forensic analysis is necessary.
8. Chain of custody protocols must be followed when handling recovered emails to ensure that
the evidence is admissible in court.
9. Recovered emails must be analyzed in the context of other available evidence, such as
computer logs, network traffic data, and witness statements.
10. Email recovery can be a complex and time-consuming process, but it is essential to identifying
and prosecuting cybercriminals.

Here are some of the most common methods:


• Email recovery software
• Server backups
• Forensic analysis
• Cloud backups
• Third-party services
• Email archives
• Metadata analysis
• Social engineering
• Network forensics
3.10 Hands on Case Studies:
Here are 10 hands-on case studies in cybercrime investigation from 2010 to 2020:

1. Target Data Breach (2013): This attack compromised the payment information of 40 million
customers and personal information of 70 million customers. Investigators determined that
attackers gained access to the network through a third-party vendor.
2. Ashley Madison Data Breach (2015): Hackers accessed the website's user database and
exposed personal information of millions of users. Investigators discovered that the hackers
had used social engineering techniques to gain access to the network.
3. Yahoo Data Breaches (2013-2014): Yahoo suffered two data breaches that exposed personal
information of billions of users. Investigators found evidence that Russian state-sponsored
hackers were involved in the attacks.
4. WannaCry Ransomware Attack (2017): This ransomware attack infected hundreds of
thousands of computers worldwide. Investigators traced the attack to North Korea and
discovered that it was likely part of a broader cyber espionage campaign.
5. Equifax Data Breach (2017): Hackers accessed sensitive personal information of 147 million
customers. Investigators determined that the attack was due to a vulnerability in the company's
web application software.
6. NotPetya Ransomware Attack (2017): This ransomware attack caused significant disruption to
businesses worldwide. Investigators attributed the attack to Russian military hackers and found
that it was part of a broader cyberwarfare campaign.
7. Twitter Bitcoin Scam (2020): Hackers gained access to high-profile Twitter accounts and
posted tweets promoting a bitcoin scam. Investigators found evidence that the hackers used
social engineering techniques to gain access to the accounts.
8. SolarWinds Supply Chain Attack (2020): This sophisticated cyber espionage campaign
targeted several US government agencies and private companies. Investigators discovered that
Russian state-sponsored hackers were responsible for the attack.
9. Garmin Ransomware Attack (2020): This ransomware attack caused significant disruption to
Garmin's services. Investigators found that the attack was likely carried out by Russian
cybercriminals.
10. Colonial Pipeline Ransomware Attack (2021): This ransomware attack targeted one of the
largest fuel pipeline operators in the US, causing widespread fuel shortages. Investigators
traced the attack to a Russian cybercriminal group known as DarkSide.
3.11 What is Data Encryption?

Data encryption is a method of protecting data by encoding it in such a way that it can only be
decrypted or accessed by an individual who holds the correct encryption key. When a person or entity
accesses encrypted data without permission, it appears scrambled or unreadable.
Or
Data encryption is the process of converting data from a readable format to a scrambled piece of
information. This is done to prevent prying eyes from reading confidential data in transit. Encryption
can be applied to documents, files, messages, or any other form of communication over a network.

How Does Data Encryption Work?

The data that needs to be encrypted is termed plaintext or cleartext. The plaintext needs to be passed
via some encryption algorithms, which are basically mathematical calculations to be done on raw
information. There are multiple encryption algorithms, each of which differs by application and
security index.

Apart from the algorithms, one also needs an encryption key. Using said key and a suitable encryption
algorithm, the plaintext is converted into the encrypted piece of data, also known as ciphertext. Instead
of sending the plaintext to the receiver, the ciphertext is sent through insecure channels of
communication.
Why Do We Need Data Encryption?

• Authentication: Public key encryption proves that a website's origin server owns the private
key and thus was legitimately assigned an SSL certificate.

• Privacy: Encryption guarantees that no one can read messages or access data except the
legitimate recipient or data owner.

• Regulatory Compliance: Many industries and government departments have rules in place that
require organizations that work with users’ personal information to keep that data encrypted.

• Security: Encryption helps protect information from data breaches, whether the data is at rest
or in transit.

TYPES OF ENCRYPTIONS :

Symmetric Encryption: Also called private-key cryptography or a secret key algorithm, this
method requires the sender and the receiver to have access to the same key. So, the recipient needs to
have the key before the message is decrypted. This method works best for closed systems, which have
less risk of a third-party intrusion.

o On the positive side, symmetric encryption is faster than asymmetric encryption.

Asymmetric Encryption: Also called public-key cryptography, this method uses two keys for the
encryption process, a public and a private key, which are mathematically linked. The user employs
one key for encryption and the other for decryption, though it doesn’t matter which you choose first.

As the name implies, the public key is freely available to anyone, whereas the private key remains with
the intended recipients only, who need it to decipher the messages. Both keys are simply large numbers
that aren’t identical but are paired with each other, which is where the “asymmetric” part comes in.

Hashing: Hashing generates a unique signature of fixed length for a data set or message. Each specific
message has its unique hash, making minor changes to the information easily trackable. Data encrypted
with hashing cannot be deciphered or reversed back into its original form. That’s why hashing is used
only as a method of verifying data.
Many internet security experts don’t even consider hashing an actual encryption method, but the line
is blurry enough to let the classification stand. The bottom line, it’s an effective way of showing that
no one has tampered with the information.

What is Decryption?
Decryption is the process in which encrypted code or data is
converted back to a form that is easily understandable and readable by a human or machine. This is
basically known as decoding encrypted data. It takes place at the receiver’s end. The message can be
decrypted either with the secret key or the private key.

The below diagram clearly shows the decryption technique and also the encrypted text i.e., the
ciphertext is converted back to the original message.

What are the types of Keys available?


There are several kinds of keys that help in performing the encryption and decryption techniques. Let’s
see the available keys in more detail.
• Symmetric Key:
This key is used in Symmetric Encryption, also known as the
symmetric-key encryption algorithm. The same cryptographic key is used for both
the encryption of plaintext on the sender’s side and the decryption of the ciphertext on the
receiver’s side.
• Asymmetric Key:
An asymmetric-key encryption algorithm uses a pair of keys. These two different keys are used,
one for encrypting the data and the other for decrypting the data. The public key is made available
to anyone, whereas the secret key is only made available to the receiving side of the message. This
provides more security as compared to symmetric-key encryption.
• Public Key
Public keys are the keys that are used to encrypt a message for the
receiver. Public-key cryptography is an encryption system based on such key pairs.
• Private Key
The private key is the key that is kept secret. In symmetric encryption the same secret key is used
for both encrypting and decrypting the data; in asymmetric encryption it is the secret half of the
public/private key pair.
• Pre-Shared Key
Also known as a PSK, this is a shared secret key that was earlier shared between two
different organizations or people using a secure channel before it is used.

3.12 SEARCH AND SEIZURE OF COMPUTERS:


Search and seizure of computers is a common practice in cybercrime
investigations. It involves the lawful collection and examination of electronic devices, including
computers, laptops, smartphones, and storage media, to gather evidence of criminal activity. The
process of search and seizure of computers in cybercrime investigations involves the following steps:
1. Obtaining a warrant: Before conducting a search and seizure operation, investigators must
obtain a search warrant from a court. The warrant must describe the specific location to be
searched and the items to be seized.
2. Securing the location: Once a warrant is obtained, investigators will secure the location to
prevent any tampering or destruction of evidence.
3. Identifying and seizing electronic devices: Investigators will identify and seize electronic
devices, such as computers and storage media, that are believed to contain evidence of criminal
activity. Devices are typically labeled and secured in bags or boxes to prevent damage.
4. Conducting a forensic examination: Once electronic devices are seized, forensic examiners will
conduct a thorough examination of the devices to gather evidence of criminal activity. This
may include extracting data from hard drives, analyzing network traffic, and examining deleted
files.
5. Documenting the evidence: All evidence collected during the search and seizure operation must
be thoroughly documented, including the date and time of seizure, the location of the device,
and the condition of the device when seized.
There are various types of search and seizure methods used in cybercrime investigations,
including:

1. Physical search and seizure: This method involves physically seizing and searching computers
or other digital devices at the location where the crime was committed or where the evidence
is believed to be located. This method is often used in cases where there is a warrant or other
legal authority to search and seize the devices.

2. Remote search and seizure: This method involves accessing and searching computers or other
digital devices remotely, without physically seizing the devices. This method can be useful in
cases where the devices are located in another jurisdiction or country, or where the physical
seizure of the devices is not possible.

3. Consent search: This method involves obtaining the consent of the owner or user of the device
to search and seize the device. This method can be useful in cases where the owner or user is
cooperative and willing to allow access to the device.
4. Emergency search and seizure: This method involves seizing and searching the device without
a warrant or consent in cases where there is an immediate threat to public safety or where
evidence is in danger of being destroyed.

3.13 RECOVERING DELETED EVIDENCES :


Digital Evidence is any information that is stored or transmitted in the
digital form that a party at court can use at the time of trial. Digital evidence can be Audio files, and
voice recordings, Address books and contact lists, Backups to various programs, including backups to
mobile devices, Browser history, Cookies, Database, Compressed archives (ZIP, RAR, etc.) including
encrypted archives, etc.

Here are some common techniques for recovering deleted evidence in a cybercrime investigation:
• File carving: File carving involves using specialized software to identify and extract data
fragments from unallocated space on a storage device. This technique can be useful for
recovering deleted files or parts of files that have been partially overwritten.

• Forensic imaging: Forensic imaging involves creating a complete copy or image of a storage
device or system, including all deleted data. This technique can be useful for preserving and
analyzing the deleted data without modifying the original device.

• Data carving: Data carving involves searching for specific patterns or file types within the
storage device, such as email messages or image files. This technique can be useful for
recovering specific types of data that may have been deleted.

• Metadata analysis: Metadata analysis involves examining the metadata associated with a file,
such as creation and modification dates, to determine if the file was deleted or modified. This
technique can be useful for identifying when the file was deleted and by whom.

• Backup analysis: Backup analysis involves examining backup systems for any copies of the
deleted data. This technique can be useful if the deleted data was backed up prior to its deletion.
• Log analysis: Log analysis involves examining system logs, network logs, or application logs
for evidence of the deleted data being accessed or transmitted over the network. This technique
can be useful for identifying when and where the data was deleted.
• Password cracking: Password cracking involves attempting to guess or crack a password to
gain access to encrypted data that may contain the deleted evidence. This technique can be
useful in cases where the deleted data was encrypted.

• Journal analysis: Some file systems, such as the NTFS file system used by Windows, maintain
a journal or log of all changes made to the file system. Journal analysis involves examining this
journal to identify when and how files were deleted, modified, or created.

• Slack space analysis: Slack space refers to the unused portion of a file cluster that may contain
fragments of deleted files. Slack space analysis involves searching for and recovering these
fragments to reconstruct deleted files.

• Registry analysis: The registry is a database used by Windows to store system configuration
information. Registry analysis involves examining the registry for evidence of deleted or
modified keys or values related to the deleted data.

• RAM analysis: Random Access Memory (RAM) is volatile memory that stores data
temporarily while a computer is in use. RAM analysis involves examining the contents of RAM
to recover deleted or modified data that may not have been saved to disk.

• Social engineering: Social engineering involves using psychological tactics to trick individuals
into revealing information or performing actions that they normally would not. Social
engineering techniques can be used to recover deleted evidence by convincing the suspect to
reveal the location or password of the deleted data.
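As an added example (not from the notes or any real forensic tool), the following Python carves files out of a constructed unallocated-space buffer by header/footer signature, flags a file whose footer was overwritten, records a SHA-256 for each artefact, and isolates the file-slack region of a cluster; the sample buffer, the 10 MiB carve limit and the helper names are assumptions made here.

```python
"""Signature-based file carving over unallocated space.

Added example, not from the original notes or any real forensic tool. It
builds a constructed 'unallocated space' buffer containing deleted files and
carves them out by header/footer signature, flagging a file whose tail was
overwritten, and shows the file-slack region of a cluster.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import List

# Header/footer magic bytes for the two formats carved here (real values).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 10 * 1024 * 1024   # assumed cap: give up on a footer beyond 10 MiB


@dataclass
class Carved:
    kind: str
    offset: int        # byte offset within the unallocated region
    data: bytes
    complete: bool     # False when no footer was found (partially overwritten)

    @property
    def sha256(self) -> str:
        # Hash recorded at carve time so the artefact can be verified later.
        return hashlib.sha256(self.data).hexdigest()


def _next_header(buf: bytes, start: int) -> int:
    """Offset of the next header of any known type at or after start."""
    hits = [buf.find(h, start) for h, _ in SIGNATURES.values()]
    hits = [h for h in hits if h != -1]
    return min(hits) if hits else len(buf)


def carve(unallocated: bytes) -> List[Carved]:
    results: List[Carved] = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := unallocated.find(header, pos)) != -1:
            body = start + len(header)
            end = unallocated.find(footer, body, start + MAX_CARVE)
            if end == -1:
                # Header without footer: the tail was overwritten. Keep the
                # surviving bytes up to the next header and flag as incomplete.
                stop = _next_header(unallocated, body)
                results.append(Carved(kind, start, unallocated[start:stop], False))
            else:
                stop = end + len(footer)
                results.append(Carved(kind, start, unallocated[start:stop], True))
            pos = stop
    return sorted(results, key=lambda c: c.offset)


def file_slack(cluster: bytes, logical_size: int, cluster_size: int = 4096) -> bytes:
    """Bytes of the last cluster past the file's logical end: the slack space
    that can still hold fragments of whatever occupied the cluster before."""
    used = logical_size % cluster_size
    return b"" if used == 0 else cluster[used:]


def build_sample_unallocated() -> bytes:
    """Constructed sample: zero filler, a complete JPEG, a complete PNG and a
    JPEG whose footer was overwritten by a later write."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-body-1" * 4 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-body" * 3 + b"IEND\xaeB`\x82"
    jpg_partial = b"\xff\xd8\xff\xe1" + b"Exif-body-2" * 4       # no footer
    filler = b"\x00" * 512
    return (filler + jpg + filler + png + filler + jpg_partial
            + b"overwritten-cluster" + filler)


if __name__ == "__main__":
    for c in carve(build_sample_unallocated()):
        state = "complete" if c.complete else "PARTIAL"
        print(f"{c.kind} @ {c.offset} ({len(c.data)} bytes, {state}) sha256={c.sha256}")
```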

3.14 PASSWORD CRACKING:


Password cracking is a technique used in cybercrime investigations to gain access to password-
protected data or systems. Passwords are commonly used to protect sensitive information, and in cases
where the password is unknown or forgotten, cracking the password can be a necessary step in the
investigation.
• Dictionary Attack: This method uses a pre-defined list of common passwords, words, or
phrases to guess a user's password. It works when the password is too simple or based on a
common dictionary word.

• Brute-Force Attack: This technique involves trying all possible combinations of characters to
guess the password. It is an effective method but can take a lot of time, depending on the length
and complexity of the password.

• Hybrid Attack: This method combines both the dictionary and brute-force attacks by using
variations of words and phrases from a dictionary to create different password combinations.

• Rainbow Table Attack: This technique uses pre-computed tables that contain encrypted
passwords and their corresponding plaintext values. Cybercriminals use these tables to quickly
reverse the hashed password to its original form.

• Social Engineering: This technique involves tricking users into revealing their passwords
through phishing scams, malicious websites, or other methods of deception.

• Keylogger: This technique involves installing malware on the user's device to record their
keystrokes, including their password, as they type.

• Shoulder Surfing: This technique involves observing the user as they enter their password,
either physically or remotely, to gain unauthorized access.

• Man-in-the-Middle (MITM) Attack: This technique involves intercepting communication
between the user and the server to steal their login credentials.

• Password Guessing: This technique involves guessing the password based on personal
information, such as the user's name, birthdate, or pet's name.

• Phishing: This technique involves creating a fake login page or website to steal the user's login
credentials.
Unit IV:
COMPUTER FORENSICS AND INVESTIGATIONS

Topics: Understanding Computer Forensics, Preparing for Computer Investigations, Current
Computer Forensics Tools: Evaluating Computer Forensics Tools, Computer Forensics Software
Tools, Computer Forensics Hardware Tools, Validating and Testing Forensics Software, Face, Iris and
Fingerprint Recognition, Audio Video Analysis, Windows System Forensics, Linux System Forensics,
Graphics and Network Forensics, E-mail Investigations, Cell Phone and Mobile Device Forensics

4.1 Understanding Computer Forensics:

Computer forensics is the application of investigation and analysis techniques to gather and
preserve evidence from a particular computing device in a way that is suitable for presentation in a
court of law. The goal of computer forensics is to perform a structured investigation and maintain a
documented chain of evidence to find out exactly what happened on a computing device and who was
responsible for it.

Computer forensics, which is sometimes referred to as computer forensic science, is essentially
data recovery with legal compliance guidelines to make the information admissible in legal
proceedings.

Types of computer forensics:

There are various types of computer forensic examinations. Each deals with a specific aspect of
information technology. Some of the main types include the following:

• Database forensics. The examination of information contained in databases, both data and
related metadata.
• Email forensics. The recovery and analysis of emails and other information contained in email
platforms, such as schedules and contacts.
• Malware forensics. Sifting through code to identify possible malicious programs and
analyzing their payload. Such programs may include Trojan horses, ransomware or various
viruses.
• Memory forensics. Collecting information stored in a computer's random access memory
(RAM) and cache.
• Mobile forensics. The examination of mobile devices to retrieve and analyze the information
they contain, including contacts, incoming and outgoing text messages, pictures and video files.
• Network forensics. Looking for evidence by monitoring network traffic, using tools such as
a firewall or intrusion detection system.
4.2 Preparing For Computer Investigations:
Preparing for computer investigations involves a range of steps to ensure that you
are well-equipped to carry out an investigation into potential computer-related crimes or incidents.
Here are some of the key steps involved:

1. Understand the legal and regulatory framework: It is important to have a thorough understanding
of the laws and regulations governing computer investigations in your jurisdiction. This includes
knowledge of the relevant criminal and civil laws, as well as any regulatory requirements.

2. Develop investigation policies and procedures: Establish clear and well-defined policies and
procedures for conducting computer investigations. This should include details on how evidence will
be collected, analyzed, and preserved, as well as guidelines for dealing with suspects and witnesses.

3. Assemble a team: Building a team of experienced investigators and technical experts is essential.
Investigators should have a strong understanding of computer systems, networks, and forensic
techniques. Technical experts should be skilled in areas such as digital forensics, data analysis, and
cybersecurity.

4. Obtain necessary tools and resources: You will need a range of tools and resources to carry out a
computer investigation, including hardware and software for collecting and analyzing data, specialized
forensic equipment, and access to relevant databases and information sources.

5. Conduct training and awareness programs: It is important to ensure that all members of your
investigation team are properly trained and up-to-date on the latest techniques and tools. You should
also conduct awareness programs to educate employees and other stakeholders about the importance
of computer security and the risks of cybercrime.

6. Develop relationships with relevant parties: Building relationships with law enforcement agencies,
regulatory bodies, and other relevant parties can help to facilitate investigations and ensure that you
have access to necessary resources and expertise.

7. Identify potential risks and threats: It is important to identify potential risks and threats to your
organization's computer systems and data. This includes assessing vulnerabilities, such as weak
passwords or outdated software, and identifying potential attack vectors, such as phishing emails or
malware.

8. Establish a chain of custody: It is important to establish a clear chain of custody for all evidence
collected during an investigation. This means documenting the source of the evidence, who has had
custody of it, and any changes or alterations made to it. Maintaining a clear chain of custody is essential
for ensuring the admissibility of evidence in court.
9. Develop a response plan: Having a well-defined response plan in place can help ensure a timely and
effective response to computer-related incidents. This should include procedures for identifying and
containing incidents, as well as guidelines for notifying relevant parties, such as law enforcement and
regulatory bodies.

10. Conduct risk assessments: Regularly conducting risk assessments can help identify potential
vulnerabilities and threats, and enable proactive steps to be taken to mitigate them. This should include
assessments of both technical and non-technical risks, such as human error or insider threats.

11. Ensure compliance with legal and regulatory requirements: It is important to ensure that all
computer investigations are conducted in compliance with relevant laws and regulations. This includes
requirements for obtaining warrants, data privacy, and data retention policies.

12. Stay up-to-date on emerging threats and technologies: Cybersecurity threats and technologies are
constantly evolving, so it is important to stay up-to-date on the latest trends and developments. This
can involve attending conferences and training sessions, reading industry publications, and
participating in online communities.

4.3 Evaluating Computer Forensics Tools:

Computer forensics tools are designed to ensure that the information extracted from computers is
accurate and reliable. Due to the wide variety of different types of computer-based evidence, a
number of different types of computer forensics tools exist.

Evaluating computer forensics tools can be a complex task, as there are a variety of factors to consider.
Here are some general steps to follow when evaluating computer forensics tools:

1. Determine your needs: First, identify what you need the tool for. Are you looking for a tool to
help you recover deleted files, analyze system logs, or conduct a full-scale forensic investigation?
Knowing your specific needs will help you narrow down your options.

2. Consider the features: Once you have a sense of your needs, consider the features of the tools
you are evaluating. Look for features such as data acquisition, analysis, and reporting capabilities.
Also, consider whether the tool supports the file systems and operating systems you are working
with.

3. Evaluate the user interface: A tool with a user-friendly interface can help you be more efficient
and productive. Look for a tool that is easy to navigate and provides clear, concise information.

4. Assess the accuracy and reliability of the tool: Accuracy and reliability are essential when it
comes to forensic investigations. Look for a tool that has a reputation for accuracy and reliability,
and read reviews from other users.
5. Consider support and training: Forensic tools can be complex, so it's essential to consider the
level of support and training that comes with the tool. Look for a tool with thorough documentation
and support resources, and consider whether training is available.

6. Evaluate the cost: Finally, consider the cost of the tool. Some tools may be more expensive than
others, but may offer more features or better support. Be sure to evaluate the value the tool offers
based on your specific needs.

4.4 Computer Forensics Hardware Tools:


Computer forensics hardware tools are specialized devices used to acquire and
analyze digital evidence from computer systems, mobile devices, and other storage media. Here are
ten examples of computer forensics hardware tools:

1. Write Blockers: Write Blockers are devices that allow the forensic examiner to read data from a
storage device without modifying the data in any way. They are used to ensure the integrity of the
data during the acquisition process.

2. Forensic Imaging Devices: Forensic imaging devices are hardware tools used to create a bit-by-bit
copy of a storage device. These devices ensure that the copy is an exact replica of the original,
including deleted files and hidden data.

3. Digital Multimeters: Digital Multimeters are tools used to measure voltage, current, and resistance.
They can be used to check the integrity of electronic devices, such as hard drives or RAM, by
measuring the voltage output.

4. JTAG Debuggers: JTAG Debuggers are hardware tools used to access the JTAG interface on
devices such as mobile phones or game consoles. They allow forensic examiners to bypass the
operating system and access low-level system information.

5. USB Write Blockers: USB Write Blockers are similar to write blockers, but specifically designed
for USB devices. They allow forensic examiners to read data from a USB device without modifying
the data.

6. Logic Analyzers: Logic Analyzers are devices used to capture and analyze digital signals. They
are used to reverse engineer and understand how digital devices work.

7. Faraday Bags: Faraday Bags are specialized bags that shield electronic devices from
electromagnetic radiation. They are used to isolate and preserve electronic evidence by preventing
remote access or accidental data deletion.

8. Portable Forensic Workstations: Portable Forensic Workstations are laptops or desktop computers
that are pre-configured with forensic software and hardware. They allow forensic examiners to
conduct on-site investigations without the need for additional equipment.
9. Network Analyzers: Network Analyzers are devices used to capture and analyze network traffic.
They are used to investigate network-based attacks and to identify network anomalies.

10. Hardware Write Blockers: Hardware Write Blockers are devices used to prevent data from being
written to a storage device. They ensure that data is only read from the storage device, preventing
accidental or intentional modifications to the data.

4.5 Computer Forensics Software Tools:

1. EnCase: One of the most popular computer forensics tools, EnCase offers advanced data recovery,
analysis, and reporting capabilities.

2. FTK (Forensic Toolkit): FTK provides a wide range of forensic capabilities, including data
acquisition, analysis, and reporting. It is known for its powerful search capabilities and
compatibility with a wide range of file systems and operating systems.

3. Autopsy: Autopsy is an open-source digital forensic platform that provides a graphical user
interface for conducting forensic investigations. It supports a wide range of file systems and offers
data carving, keyword search, and timeline analysis capabilities.

4. X-Ways Forensics: X-Ways Forensics is a comprehensive forensic tool that offers advanced data
recovery, analysis, and reporting capabilities. It is known for its speed and ability to handle large
volumes of data.

5. Cellebrite UFED (Universal Forensic Extraction Device): Cellebrite UFED is a mobile
forensics tool that allows investigators to extract data from mobile devices. It supports a wide range
of devices and offers advanced data analysis and reporting capabilities.

6. Oxygen Forensic Detective: Oxygen Forensic Detective is a mobile and cloud forensics tool that
offers advanced data extraction, analysis, and reporting capabilities. It supports a wide range of
devices and cloud services.

7. Volatility: Volatility is an open-source memory forensics tool that allows investigators to analyze
system memory for evidence. It supports a wide range of operating systems and provides advanced
analysis capabilities.

8. Sleuth Kit: Sleuth Kit is an open-source forensic tool that provides command-line utilities for
analyzing file systems and volumes. It offers data carving, keyword search, and timeline analysis
capabilities.

9. BlackLight: BlackLight is a comprehensive forensic tool that offers advanced data acquisition,
analysis, and reporting capabilities. It is known for its ease of use and compatibility with a wide
range of devices and file systems.
10. Paladin Forensic Suite: Paladin Forensic Suite is a live Linux-based forensic tool that provides a
range of forensic capabilities, including data acquisition, analysis, and reporting.

11. Access Data Forensic Toolkit (FTK) Imager: FTK Imager is a free tool that allows investigators
to create forensic images of hard drives and other media. It supports a wide range of file systems
and provides advanced analysis capabilities.

12. Wireshark: Wireshark is an open-source network protocol analyzer that allows investigators to
capture and analyze network traffic for evidence. It supports a wide range of protocols and provides
advanced analysis capabilities.

13. NetworkMiner: NetworkMiner is an open-source network forensics tool that allows investigators
to capture and analyze network traffic for evidence. It supports a wide range of protocols and
provides advanced analysis capabilities.

14. OSForensics: OSForensics is a comprehensive forensic tool that provides a range of capabilities,
including data acquisition, analysis, and reporting. It is known for its ease of use and compatibility
with a wide range of file systems and operating systems.

15. F-Response: F-Response is a remote forensic tool that allows investigators to access and analyze
remote computers and devices. It provides advanced data acquisition, analysis, and reporting
capabilities.

16. ProDiscover: ProDiscover is a comprehensive forensic tool that provides a range of capabilities,
including data acquisition, analysis, and reporting. It supports a wide range of file systems and
provides advanced analysis capabilities.

17. Magnet AXIOM: Magnet AXIOM is a comprehensive forensic tool that provides a range of
capabilities, including data acquisition, analysis, and reporting. It is known for its ease of use
and compatibility with a wide range of file systems and operating systems.
4.6 Validating and Testing Forensics Software:

• Validating and testing forensics software is essential for ensuring the reliability and accuracy of
digital evidence collected during a cybercrime investigation.
• Validation involves assessing whether the software meets its intended purpose and specifications,
ensuring that it is fit for use, meets user requirements, and performs as expected.
• Testing involves evaluating the performance of the software under a variety of conditions,
identifying potential errors, weaknesses, and vulnerabilities that could affect its accuracy or
reliability.
• Testing can be done through various techniques, such as unit testing, integration testing, and system
testing.
• The validation and testing process of computer forensics software should be done in a controlled
and documented manner to ensure that the results are reliable and can withstand legal challenges.
• The software should be tested against a variety of test cases, including known data and edge cases,
to ensure that it can handle all types of data and scenarios that may be encountered during an
investigation.
• The validation and testing process of computer forensics software is an ongoing process that should
be regularly reviewed and updated to account for changes in technology, new threats, and emerging
techniques.
• It is important to ensure that the software is up-to-date and continues to provide reliable and
accurate results.

4.7 Fingerprint, Face & Iris Recognition:

Fingerprint recognition and iris scanning are the most well-known forms of biometric security.
However, facial recognition is also gaining in popularity.

Let us consider the pros and cons of all these different techniques for biometric security.

4.7.1 Fingerprint recognition
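The validation approach above, as an added Python example (not from the notes and not any real tool's test suite): a hypothetical imaging routine is checked against a constructed reference device with a known SHA-256 and against edge cases (an unreadable sector, an empty device, repeatability), and a deliberately defective variant shows what the harness catches. The device class, the function names and the check names are all constructed for this example.

```python
"""Validation harness for a forensic imaging routine.

Added example, not from the notes and not a real tool's test suite. The
imaging routine `image_device` is a hypothetical tool under test; the
harness `validate_imager` checks it against a constructed reference device
with a known SHA-256 and against edge cases (an unreadable sector, an empty
device, repeatability), and `skipping_imager` is a deliberately defective
routine that the harness is expected to catch.
"""
import hashlib
from typing import Callable, Dict, List, Tuple

SECTOR = 512


class ReadError(IOError):
    """Raised by the fake device when a sector cannot be read."""


class FakeDevice:
    """Constructed block device: raw bytes plus a set of unreadable sectors."""

    def __init__(self, data: bytes, bad_sectors=()):
        self.data = data
        self.bad = set(bad_sectors)

    @property
    def sectors(self) -> int:
        return len(self.data) // SECTOR

    def read_sector(self, n: int) -> bytes:
        if n in self.bad:
            raise ReadError(f"I/O error at sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


Imager = Callable[[FakeDevice], Tuple[bytes, List[int]]]


def image_device(dev: FakeDevice) -> Tuple[bytes, List[int]]:
    """Tool under test: sector-by-sector copy. An unreadable sector is
    zero-filled and logged so later offsets in the image stay aligned."""
    out, errors = bytearray(), []
    for n in range(dev.sectors):
        try:
            out += dev.read_sector(n)
        except ReadError:
            out += b"\x00" * SECTOR
            errors.append(n)
    return bytes(out), errors


def skipping_imager(dev: FakeDevice) -> Tuple[bytes, List[int]]:
    """Defective variant: drops unreadable sectors instead of zero-filling,
    which silently shifts every later byte of the image."""
    out, errors = bytearray(), []
    for n in range(dev.sectors):
        try:
            out += dev.read_sector(n)
        except ReadError:
            errors.append(n)
    return bytes(out), errors


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def validate_imager(imager: Imager) -> Dict[str, bool]:
    """Run the imager over known data and edge cases; each key is one check."""
    ref = bytes(range(256)) * (4 * SECTOR // 256)   # 4 sectors of known data
    expected = sha256(ref)                         # reference hash, fixed before the run
    checks: Dict[str, bool] = {}

    img, errs = imager(FakeDevice(ref))
    checks["known_data_hash_matches"] = sha256(img) == expected and errs == []
    checks["image_same_size"] = len(img) == len(ref)
    checks["repeatable"] = sha256(imager(FakeDevice(ref))[0]) == sha256(img)

    # Edge case: sector 2 unreadable. It must be reported, zero-filled, and
    # every other sector must still line up with the source.
    img2, errs2 = imager(FakeDevice(ref, bad_sectors={2}))
    checks["bad_sector_reported"] = errs2 == [2]
    checks["bad_sector_zero_filled"] = img2[2 * SECTOR:3 * SECTOR] == b"\x00" * SECTOR
    checks["other_sectors_intact"] = (img2[:2 * SECTOR] == ref[:2 * SECTOR]
                                      and img2[3 * SECTOR:] == ref[3 * SECTOR:])

    # Edge case: empty device yields an empty image and no errors.
    img3, errs3 = imager(FakeDevice(b""))
    checks["empty_device"] = img3 == b"" and errs3 == []
    return checks


if __name__ == "__main__":
    for name, imager in (("image_device", image_device), ("skipping_imager", skipping_imager)):
        failed = [k for k, ok in validate_imager(imager).items() if not ok]
        print(f"{name}: {'PASS' if not failed else 'FAIL ' + ', '.join(failed)}")
```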

An identification system based on fingerprint recognition looks for specific characteristics in the line
pattern on the surface of the finger. The bifurcations, ridge endings and islands that make up this line
pattern are stored in the form of an image.

The disadvantage of capturing an image of an external characteristic is that this image can be
replicated, even if it is stored in encoded form. An image is still an image, after all, and can
therefore be compared. In principle, the same code can then be generated from it. Fingerprints can
already be spoofed using relatively accessible technology. Another, by no means insignificant, point to
consider is that a finger presented for recognition does not necessarily still need to be attached to a
body.
In addition, some line patterns are so similar that in practice this can result in a high false acceptance
rate.

Fingerprints can also wear away as you get older, or if you do a lot of DIY or a particular kind of
work, for example. As a result, some people may find that their fingerprints cannot be recognised (false
rejection) or even recorded. There is even a hereditary disorder that results in people being born
without fingerprints.

On the other hand, fingerprint identification is already familiar to much of the public and is therefore
accepted by a large number of users to use as biometric security. The technology is also relatively
cheap and easy to use. It should be noted, however, that quality can vary significantly from one
fingerprint recognition system to another, with considerable divergence between systems in terms of
false acceptance and false rejection rates.

4.7.2 Facial recognition:

A facial recognition system analyses the shape and position of different parts of the face to determine
a match. Surface features, such as the skin, are also sometimes taken into account.
Facial recognition for biometric security purposes is an offshoot of face detection technology, which
is used to identify faces in complex images in which a number of faces may be present.

This technology has developed rapidly in recent years and is therefore an excellent candidate as
biometric security if a system is needed for remote recognition.

Another plus is that the technology allows ‘negative identification’, or the exclusion of faces,
making it a good deal easier to scan a crowd for suspicious individuals.

However, facial recognition also has a number of significant drawbacks. For example, the technology
focuses mainly on the face itself, i.e., from the hairline down. As a result, a person usually has to be
looking straight at the camera to make recognition possible. And even though the technology is still
developing at a rapid pace, the level of security it currently offers does not yet rival that of iris scanning
or vein pattern recognition.

4.7.3 Iris recognition:

When an iris scan is performed, a scanner reads out the unique characteristics of an iris, which are
then converted into an encrypted (bar)code. Iris scanning is known to be an excellent biometric
security technique, especially if it is performed using infrared light.

However, one problem frequently encountered when the technology is introduced is resistance from
users. Quite a few people find having their eyes scanned a rather unpleasant experience. You also have
to adopt a certain position so the scanner can read your iris, which can cause discomfort. Hygiene is
another frequently cited drawback, as many systems require users to place their chin on a chin rest
that has been used by countless people before them.

Lastly, it is important to bear in mind that although iris scanning offers a high level of biometric
security, this may come at the expense of speed. Incidentally, systems have recently been developed
that can read a person’s iris from a (relatively short) distance.
4.8 Audio Video Analysis:
Audio Video Analysis is an essential aspect of cybercrime investigations,
especially those related to digital forensics. It involves analyzing multimedia content such as audio
and video files to gather evidence, identify suspects, and reconstruct events that may have occurred.

Here are some key points to understand the concept of Audio Video Analysis in Cybercrime:

1. Digital Evidence Collection: Audio Video Analysis is used to collect digital evidence from
various multimedia files, including audio and video recordings. These files can be obtained
from various sources such as cell phones, computers, and CCTV footage.

2. Audio Analysis: Audio analysis involves examining audio files to identify any anomalies, such
as splicing, editing, or tampering. This process can help determine if the audio is authentic or
has been manipulated.

3. Video Analysis: Video analysis involves analysing video footage to identify any
inconsistencies, such as jump cuts or missing frames, which may indicate tampering. It also
involves examining the metadata, which can provide valuable information such as the date and
time the video was recorded.
4. Voice Identification: Audio Video Analysis can be used to identify voices in recordings. This
can help in identifying suspects and determining whether they were present at the scene of the
crime.

5. Facial Recognition: Video analysis can also be used for facial recognition, which can help
identify suspects who appear in video footage. Facial recognition technology can compare the
faces captured in the video with a database of known faces to identify a match.

6. Reconstruction of Events: Audio Video Analysis can be used to reconstruct events that
occurred in a particular location. By analysing CCTV footage, investigators can determine who
was present, where they were located, and what they were doing at the time of the incident.

7. Multimedia Forensics: Audio Video Analysis is an essential part of multimedia forensics,
which involves the analysis of digital media to identify evidence related to a crime. It can be
used to gather evidence related to crimes such as cyberbullying and online harassment.

4.9 Windows System Forensics:

Windows System Forensics is the process of collecting, analyzing, and preserving digital evidence
from a Windows operating system to identify potential security breaches or malicious activity.

• Goals: The primary goals of Windows System Forensics are to identify and analyze digital
evidence related to a security incident, establish a timeline of events, identify potential suspects
or sources of the attack, and preserve the evidence in a forensically sound manner.

• Process: The process of Windows System Forensics involves several steps, including
identification of the incident, preservation of the system, collection of evidence, analysis of
evidence, and reporting of findings.

• Identification: The first step in Windows System Forensics is identifying the incident that
requires investigation. This could be anything from a suspected security breach to a system
malfunction.

• Preservation: Once an incident has been identified, the system needs to be preserved to
prevent any changes to the data or evidence. This involves creating a forensically sound image
of the system, which can then be used for analysis.

• Collection: With the system preserved, the next step is to collect digital evidence from the
system. This involves searching for and extracting data such as log files, registry entries, and
network activity logs.
• Analysis: Once the data has been collected, it needs to be analyzed to identify any signs of
malicious activity or security breaches. This can involve examining timestamps, file hashes,
and other metadata to establish a timeline of events.

• Reporting: Finally, the findings of the Windows System Forensics investigation need to be
reported to the appropriate stakeholders, such as management, law enforcement, or legal
counsel.

• Tools: Several tools are available to aid in the Windows System Forensics process, including
digital forensics software, network analysis tools, and data recovery software.

• Importance: Windows System Forensics is crucial for maintaining the security of a Windows
operating system and identifying potential security breaches or malicious activity. It can also
be used in legal proceedings as evidence of a cybercrime or security incident.

Overall, Windows System Forensics is a critical process for any organization looking to maintain the
security of their Windows systems and protect themselves from potential cyber threats.

There are several tools available for Windows System Forensics, including:

Encase: Widely used in the industry for Windows System Forensics. It allows for the creation of
forensically sound images of the system and can recover deleted files and recover data from
unallocated space.

FTK Imager: It can create images of physical and logical drives, and analyse data from various file
systems, including NTFS, FAT, and exFAT.

Autopsy: It includes a range of features, including file carving, keyword searching, and timeline
analysis.

Sysinternals Suite: The Sysinternals Suite is a set of advanced system utilities developed by
Microsoft. It includes tools for monitoring system activity, analyzing network connections, and
identifying malware.

Wireshark: Wireshark is a network protocol analyzer that can be used for Windows System Forensics
to analyze network traffic and identify potential security breaches or malicious activity.

RegRipper: RegRipper is a tool used for analysing Windows Registry files. It can identify changes to
the registry that may indicate a security breach or malicious activity.

Volatility: Volatility is an open-source memory forensics framework. It can analyze memory dumps
to identify running processes, network connections, and other system information.
These tools can be used to aid in the Windows System Forensics process, but they require specialized
knowledge and expertise to use effectively. It is important to use these tools in combination with best
practices in digital forensics to ensure the integrity of the evidence and the accuracy of the findings.

4.10 Linux System Forensics:

Linux forensics refers to performing a forensic investigation on a Linux-operated device. To do so,
the investigators should have a good understanding of the techniques required to conduct live analysis
and to collect volatile and non-volatile data, along with knowledge of the various shell commands and
the information they can retrieve.

The investigators should also be aware of the Linux log files, their storage and location in the directory,
as they are the most important sources of information to trace down the attacker. This module will
walk you through the various shell commands, methods to collect volatile data, the different log files
and the information they provide.

Shell Commands:
Investigators use shell commands in Linux to collect information from the system. Some of the
frequently used commands include:

1. dmesg
The command dmesg is short for "display message" or "driver message". It prints the kernel ring
buffer, which contains information about the drivers loaded into the kernel during the boot process
and the error messages produced while loading them. These messages are helpful when diagnosing
and restoring a device's driver issues.

Syntax: dmesg [options]

dmesg | grep -i eth0 (Displays hardware information of the Ethernet port eth0)

2. fsck
The command fsck stands for File System Consistency Check. It is a tool to check the consistency of
a Linux file system and repair it.

Syntax: fsck -A (Checks all configured filesystems)


3. stat
Displays file or file system status.

Syntax: stat [OPTION]… FILE…

4. history
The command history lists the Bash shell commands that have been used. This helps investigators
for auditing purposes.

Syntax: history n (Lists the last n commands)


5. mount
The command mount attaches a file system or a device to the directory structure, making it
accessible to the system.

Syntax: mount -t type device dir (Requests kernel to attach the file system found on device of type
type at the directory dir)

Linux Log Files


Log files are records of all the activities performed over an operating system. Linux
log files store information about the system’s kernel and the services running in the system. In Linux
OS, different log files hold different information, which helps the investigators to analyze various
issues during a security incident.

Investigators should understand the contents of the various log files, which will help them during
security incidents and tell them where they might have to look for potential evidence.

Below mentioned are some locations of Linux log files which can help investigators find the required
data and resolve issues:

/var/log/messages: Global system messages
/var/log/dmesg: Kernel ring buffer information
/var/log/cron: Information about cron jobs
/var/log/user.log: All user-level logs
/var/log/lastlog: Recent login information
/var/log/boot.log: Information logged on system boots

Collecting Volatile Data:

1. .bash_history:
The .bash_history file stores the command history of the Bash shell. This file helps the investigator
analyze the commands run in the terminal by a malicious user.

2. /proc:
The /proc directory is also known as the proc file system. It contains a set of special files that
represent the current state of the kernel. Investigators can find information about the system's
hardware and the processes running on it. The proc file system acts as an interface to the internal data
structures within the kernel.

3. ps:
The command ps is short for "process status". It is used to view the list of processes running on the
system. It provides a snapshot of the current processes along with detailed information such as the
user ID, CPU usage, memory usage, command name, etc. Investigators can inspect the process tree to
determine any suspicious processes and their dependencies.

4. Swap Space:
The Linux operating system allocates a certain amount of storage space on a hard disk called swap
space, which the OS uses as a virtual-memory extension of the computer's real memory (RAM). The
OS splits physical RAM into chunks of memory called pages. Having a swap space allows the
operating system to behave as if it had more RAM than it actually does. The least recently used pages
in RAM can be "swapped out" to the hard disk until they are needed later, so that new data can be
"swapped in" to RAM. In larger operating systems (such as IBM's OS/390) the swapping is called
paging.

One advantage of a swap space is that it can be organized as a single contiguous space, so that the
system can operate on it using fewer I/O operations to read or write a complete file. In general,
Windows and UNIX-based operating systems provide a default swap space of a certain size that the
user or a system administrator can change.
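As an added example that is not part of the original text, the following Python script reads process information straight from the proc file system, the way ps does, and flags two cheap triage indicators an examiner would look at first. The proc_root parameter and the build_sample_proc() fixture are assumptions made so that it can run offline against a constructed tree.

```python
"""Enumerate processes straight from the proc file system (added example).

Reads /proc/<pid>/status, cmdline and exe the way `ps` does. proc_root is a
parameter so the same code runs against a live /proc, a copied tree, or the
constructed fixture written by build_sample_proc().
"""
import os
import tempfile
from dataclasses import dataclass

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # world-writable staging areas


@dataclass
class ProcInfo:
    pid: int
    ppid: int
    uid: int       # real uid: first column of the Uid: line
    name: str      # kernel "comm", truncated to 15 characters
    state: str     # first letter of the State: line (R, S, D, Z, T ...)
    cmdline: str   # argv joined with spaces; empty for kernel threads
    exe: str       # target of the /proc/<pid>/exe link, "" if unreadable


def _parse_status(text):
    """Turn the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def read_process(proc_root, pid):
    """Read one process; None if it exited mid-read or is not readable."""
    base = os.path.join(proc_root, str(pid))
    try:
        with open(os.path.join(base, "status"), errors="replace") as f:
            status = _parse_status(f.read())
        with open(os.path.join(base, "cmdline"), "rb") as f:
            raw = f.read()  # NUL-separated argv; empty for kernel threads
    except OSError:
        return None
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:
        exe = ""  # kernel thread, zombie, or insufficient privilege
    argv = [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
    return ProcInfo(pid, int(status.get("PPid", "0")),
                    int(status.get("Uid", "0").split()[0]),
                    status.get("Name", ""), status.get("State", "?")[:1],
                    " ".join(argv), exe)


def list_processes(proc_root="/proc"):
    """ProcInfo for every numeric directory under proc_root, sorted by pid."""
    procs = []
    for entry in os.listdir(proc_root):
        if entry.isdigit():
            info = read_process(proc_root, int(entry))
            if info is not None:
                procs.append(info)
    return sorted(procs, key=lambda p: p.pid)


def triage(procs):
    """(pid, reason) pairs worth a first look. Hints, not verdicts: a package
    upgrade also leaves '(deleted)' executables until the service restarts."""
    findings = []
    for p in procs:
        if p.exe.endswith(" (deleted)"):
            findings.append((p.pid, "executable deleted from disk"))
        if p.exe.startswith(TEMP_DIRS):
            findings.append((p.pid, "executable runs from a temp directory"))
    return findings


def build_sample_proc():
    """Constructed two-process /proc lookalike in a temp dir (test fixture)."""
    root = tempfile.mkdtemp(prefix="proc_fixture_")
    samples = [  # pid, name, ppid, uid, argv, exe link target (all made up)
        (1, "systemd", 0, 0, [b"/usr/lib/systemd/systemd"], "/usr/lib/systemd/systemd"),
        (4242, "updater", 1, 1000, [b"/tmp/.cache/updater", b"--daemon"],
         "/tmp/.cache/updater (deleted)"),
    ]
    for pid, name, ppid, uid, argv, target in samples:
        d = os.path.join(root, str(pid))
        os.mkdir(d)
        with open(os.path.join(d, "status"), "w") as f:
            f.write("Name:\t%s\nState:\tS (sleeping)\nPid:\t%d\nPPid:\t%d\n"
                    "Uid:\t%d\t%d\t%d\t%d\n" % (name, pid, ppid, uid, uid, uid, uid))
        with open(os.path.join(d, "cmdline"), "wb") as f:
            f.write(b"\0".join(argv) + b"\0")
        os.symlink(target, os.path.join(d, "exe"))  # a dangling link is fine here
    return root


if __name__ == "__main__":
    print(triage(list_processes(build_sample_proc())))
```

Running list_processes() with the default proc_root on a live Linux box and comparing its pid set with the output of ps is the usual cross-check for processes hidden from user-land tools.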

4.11 Graphics & Network Forensics:

4.11.1 What is Network Forensics?

Network forensics is a subcategory of digital forensics that deals with the examination of a network
and the traffic crossing it when that network is suspected of involvement in malicious activities (for
example a network that is spreading malware to steal credentials), or with the analysis of
cyber-attacks. As the internet grew, cybercrime grew along with it, and so did the significance of
network forensics, with the development and acceptance of network-based services such as the World
Wide Web, e-mail, and others.

With the help of network forensics, the entire data exchange can be retrieved, including messages, file
transfers, e-mails and web browsing history, and reconstructed to expose the original transaction. It is
also possible that the payload of the uppermost-layer packet winds up on disk, while the envelopes
used to deliver it are captured only in network traffic. Hence, the network protocol data that encloses
each dialogue is often very valuable.

To identify attacks, investigators must understand network protocols and applications such as web
protocols, e-mail protocols, file transfer protocols, etc.

Investigators use network forensics to examine network traffic data gathered from networks that are
involved, or suspected of being involved, in cyber-crime or any type of cyber-attack. After that, the
experts look for data that points to file manipulation, human communication, etc.

With the help of network forensics, investigators and cybercrime experts can generally track down all
the communications and establish timelines based on the network event logs logged by the NCS.

Processes Involved in Network Forensics:


Some processes involved in network forensics are given below:

• Identification: In this process, investigators identify and evaluate the incident based on the
network pointers.
• Safeguarding: In this process, the investigators preserve and secure the data so that
tampering can be prevented.
• Accumulation: In this step, a detailed report of the crime scene is documented and all the
collected pieces of digital evidence are duplicated.
• Observation: In this process, all the visible data is tracked along with the metadata.
• Investigation: In this process, a final conclusion is drawn from the collected pieces of
evidence.
• Documentation: In this process, all the pieces of evidence, reports and conclusions are
documented and presented in court.

Challenges in Network Forensics:

• The biggest challenge is to manage the data generated during the process.
• Intrinsic anonymity of the IP.
• Address spoofing.

Advantages:
• Network forensics helps in identifying security threats and vulnerabilities.
• It analyzes and monitors network performance demands.
• Network forensics helps in reducing downtime.
• Network resources can be used in a better way by reporting and better planning.
• It helps in a detailed network search for any trace of evidence left on the network.

Disadvantage:
• The only disadvantage of network forensics is that it is difficult to implement.

4.11.2 What is Graphics Forensics:

Graphics forensics is a branch of digital forensics that involves the examination and analysis of
digital images, videos, and other visual media in order to uncover evidence of digital manipulation,
alteration, or tampering. Graphics forensics is used to support legal cases or investigations where
visual media evidence is present, such as cases of fraud, harassment, cyberstalking, or cyberbullying.

Graphics forensic experts use specialized software tools and techniques to analyze digital images and
videos for any signs of manipulation or tampering, including:

• Pixel analysis: The analysis of individual pixels in the image or video to detect any changes
or inconsistencies.

• Metadata analysis: The examination of metadata embedded in the image or video file, such
as the creation date, author, and location data, to establish the authenticity of the image or
video.

• File format analysis: The examination of the file format and compression techniques used to
create the image or video, which can reveal signs of tampering or manipulation.

• Error level analysis: The analysis of compression artifacts in the image or video, which can
reveal areas of the image that have been edited or manipulated.

• Digital watermarking analysis: The examination of digital watermarks that may be present
in the image or video, which can help to identify the source of the image or video.

• Image recognition analysis: The use of facial recognition or object recognition technology to
identify individuals or objects in the image or video.

Graphics forensics can be used to identify a wide range of digital image and video manipulations,
including:

Photo editing: The manipulation of images to remove, add, or change objects or individuals in the
image.

Image compression: The use of compression techniques to reduce the size of an image or video, which
can sometimes result in loss of quality or alteration of the image.

Digital forgery: The creation of fake images or videos using digital editing techniques.

Tampering: The deliberate alteration of an image or video for fraudulent or malicious purposes.

Graphics forensics is a valuable tool in legal investigations, as it can provide concrete evidence of
tampering or manipulation of visual media. It can also be used to establish the authenticity of an image
or video, which can be important in cases where the image or video is being used as evidence.

The process of graphics forensics typically involves the following steps:

• Acquisition: The first step in graphics forensics is to acquire the digital image or media that is
being analyzed. This can be done using a variety of tools, including specialized software,
hardware, or even physical imaging devices.

• Analysis: Once the digital image has been acquired, the next step is to analyze it in order to
identify any potential evidence or information that may be relevant to the investigation or legal
proceeding. This may involve examining the image for signs of tampering, identifying the
source of the image, or extracting metadata such as time and date stamps or geolocation data.

• Interpretation: After the image has been analyzed, the graphics forensic examiner must
interpret the results and determine what they mean in the context of the investigation or legal
proceeding. This may involve using specialized software or tools to enhance the image or
extract specific features, such as facial recognition or license plate numbers.

• Reporting: Finally, the results of the analysis and interpretation are reported back to the
relevant parties, such as law enforcement officials or legal teams, in order to support their case.

Advantages of graphics forensics include:

• Ability to extract valuable information: Graphics forensics can often extract valuable
information from digital images that would otherwise be impossible to obtain through other
means.

• Provides valuable evidence: Graphics forensics can provide valuable evidence that can be
used in legal proceedings or criminal investigations.

• Can help to solve complex cases: Graphics forensics can help to solve complex cases by
providing a detailed analysis of digital images that can help investigators to piece together the
events surrounding a particular incident.
• Enables accurate identification: Graphics forensics can help to accurately identify
individuals, objects, or locations in digital images, which can be especially useful in cases
where the image is the only evidence available.

Disadvantages of graphics forensics include:

• Requires specialized expertise: Graphics forensics requires specialized expertise and training,
which can be expensive and time-consuming to acquire.

• Limited applicability: Graphics forensics is only applicable to cases where digital images or
visual media are involved, which may limit its usefulness in certain types of investigations or
legal proceedings.

• Possibility of false positives: Graphics forensics can sometimes produce false positives or
inaccurate results, which can lead to incorrect conclusions or wasted resources.

• Difficulty in keeping up with technology: Graphics forensics can be challenging to keep up
with given the constantly evolving nature of technology and the ways in which digital images
are created and shared.

4.12 Email Investigation:

Email investigation refers to the process of examining emails to gather evidence or uncover
information related to a particular incident or investigation. It involves analyzing email content,
metadata, and other related information to understand the context of the communication and the
actions of the parties involved.

Email investigations are used in various contexts, including legal proceedings, corporate
investigations, and criminal investigations. In these cases, email investigations can be used to identify
potential wrongdoing, discover evidence of criminal activity, or uncover information that may be
relevant to a legal case.

There are various techniques and types of email investigation that can be employed in this process.
These include:

• Metadata analysis: Metadata is the information that is stored in the email header and includes
details such as the sender and recipient, time and date stamps, and other technical details.
Analyzing metadata can help investigators to identify potential leads, such as IP addresses or
email servers, that can be used to track down the source of an email.

• Content analysis: This involves examining the content of emails to identify relevant
information or evidence. Investigators may look for keywords, phrases, or other indicators that
suggest illegal activity or wrongdoing.
• Forensic analysis: This involves using specialized tools and techniques to extract and analyze
data from email servers or individual devices. This can include recovering deleted emails,
identifying the source of emails, or tracing the path of emails through various servers and
networks.

• Social network analysis: This involves using social network analysis tools to identify
relationships and connections between individuals or organizations. This can help investigators
to identify potential co-conspirators or other individuals who may be involved in illegal
activity.

• Data visualization: This involves using graphical tools and techniques to represent and
analyze email data. This can help investigators to identify patterns or anomalies in the data that
may be relevant to the investigation.

Types of Email Investigation:

• Legal Investigation: In legal investigations, emails are often scrutinized to gather evidence
related to a legal dispute or criminal case. Investigators may analyze emails to identify patterns
of behavior, discover hidden motives, or confirm or refute witness statements.

• Corporate Investigation: In corporate investigations, emails may be examined to identify
potential fraud or other misconduct by employees or other parties. This type of investigation
may also be conducted to ensure compliance with company policies and procedures.

• Cybercrime Investigation: In cybercrime investigations, emails may be analyzed to uncover
evidence of hacking, phishing, or other cyberattacks. Investigators may also use email analysis
to identify individuals or groups involved in cybercrime or to track the movement of stolen
data.

Techniques of Email Investigation:

• Email Header Analysis: Email header analysis involves examining the metadata contained in
the email header to identify key information, such as the sender and recipient, the email server
used to send the message, and the path the email took through the internet. This information
can help investigators trace the email back to its source.

• Email Content Analysis: Email content analysis involves examining the actual content of the
email to identify relevant information, such as keywords or phrases that may be related to the
investigation.

• Forensic Analysis: Forensic analysis involves the use of specialized tools and techniques to
extract and analyze data from email servers or individual devices. This can include recovering
deleted emails, identifying the source of emails, or tracing the path of emails through various
servers and networks.

• Social Network Analysis: Social network analysis involves using specialized tools to identify
connections and relationships between individuals or organizations. This can help investigators
to identify potential co-conspirators or other individuals who may be involved in illegal
activity.

• Data Visualization: Data visualization involves the use of graphical tools to represent and
analyze email data. This can help investigators to identify patterns or anomalies in the data that
may be relevant to the investigation.
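As an added example covering both the metadata analysis and the email header analysis techniques described above (not part of the original text), the following Python script walks the Received: chain of a message to recover the path it took and the last peer address the examiner's own servers can vouch for. The hosts, addresses and ids in SAMPLE_HEADERS are constructed for the example, and the .corp.example.com suffix stands in for the examiner's own domain.

```python
"""Trace an e-mail's path through its Received: headers (added example).

Not from the original text. Every relay prepends its own Received: line, so
the header block lists hops newest first; this module reverses them into
transit order. Only the hop written by a server the examiner controls (and
the hops after it) can be trusted: earlier lines were written by the
sender's side and may say anything.
"""
import re
from email import message_from_string, policy

# Constructed sample: hosts, addresses and ids are made up for this example.
SAMPLE_HEADERS = """\
Return-Path: <bounce@promo-mailer.example.net>
Received: from mx-in1.corp.example.com (mx-in1.corp.example.com [198.51.100.7])
    by mailstore.corp.example.com with LMTP id 7e9f
    for <alice@corp.example.com>; Tue, 14 May 2024 09:31:07 +0000
Received: from smtp3.promo-mailer.example.net (smtp3.promo-mailer.example.net [203.0.113.45])
    by mx-in1.corp.example.com (Postfix) with ESMTPS id A1B2C3
    for <alice@corp.example.com>; Tue, 14 May 2024 09:31:05 +0000
Received: from mail.bank-secure.example.org (unknown [192.0.2.88])
    by smtp3.promo-mailer.example.net with ESMTP id 99
    ; Tue, 14 May 2024 09:30:58 +0000
From: "Bank Secure" <alerts@bank-secure.example.org>
To: alice@corp.example.com
Subject: Action required
Message-ID: <20240514093058.99@smtp3.promo-mailer.example.net>

(body omitted)
"""

HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<info>[^)]*)\))?"  # claimed host, then what the receiver saw
    r".*?\bby\s+(?P<by>\S+)"                            # server that wrote the line
    r"(?:.*?;\s*(?P<date>.+))?$", re.DOTALL)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw):
    """Return the Received: hops in transit order (sender side first)."""
    msg = message_from_string(raw, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(value.split()))  # collapse folded whitespace
        if not m:
            continue  # non-standard relay syntax: skip rather than guess
        ip = IP_RE.search(m.group("info") or "")
        hops.append({"from": m.group("from"), "by": m.group("by"),
                     "ip": ip.group(1) if ip else None,
                     "date": (m.group("date") or "").strip()})
    return hops


def entry_hop(hops, own_suffix):
    """First hop received by a server under the examiner's own domain.

    Its 'ip' is the peer address that server saw on the connection: the last
    value in the chain that the examiner can vouch for."""
    for hop in hops:
        if hop["by"].endswith(own_suffix):
            return hop
    return None


def sender_domains(raw):
    """(From: header domain, Return-Path domain); a mismatch is worth a look."""
    msg = message_from_string(raw, policy=policy.default)
    header_domain = msg["From"].addresses[0].domain if msg["From"] else None
    m = re.search(r"@([\w.-]+)>", msg.get("Return-Path", ""))
    return header_domain, (m.group(1) if m else None)


if __name__ == "__main__":
    hops = parse_hops(SAMPLE_HEADERS)
    for n, hop in enumerate(hops, 1):
        print(n, hop["from"], hop["ip"], "->", hop["by"], hop["date"])
    print("entry:", entry_hop(hops, ".corp.example.com"))
    print("domains:", sender_domains(SAMPLE_HEADERS))
```

In the sample the earliest hop was written by a server outside the examiner's control, so its "unknown [192.0.2.88]" claim carries no weight; the entry hop's 203.0.113.45 is the address to pursue.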

Overall, email investigation is a complex process that requires specialized skills and expertise. It
involves a range of techniques and types of analysis that can be used to uncover evidence and
information related to a particular investigation.

4.13 Cell Phone and Mobile Device Forensics:

Mobile forensics, a subtype of digital forensics, is concerned with retrieving data from an electronic
source. The recovery of evidence from mobile devices such as smartphones and tablets is the focus of
mobile forensics. Because individuals rely on mobile devices for so much of their data sending,
receiving, and searching, it is reasonable to assume that these devices hold a significant quantity of
evidence that investigators may utilize.

Mobile devices may store a wide range of information, including phone records and text messages, as
well as online search history and location data. We frequently associate mobile forensics with law
enforcement, but they are not the only ones who may depend on evidence obtained from a mobile
device.

Cell Phone Forensics, also known as Mobile Device Forensics, refers to the process of extracting data
and information from mobile devices like smartphones, tablets, and other electronic devices with
cellular capabilities. It involves the application of scientific and technical methods to recover, analyze
and preserve digital evidence from mobile devices that can be used in legal or investigative
proceedings.

4.13.1 Techniques:
Cell Phone and Mobile Device Forensics use a wide range of techniques to extract and
analyze data from mobile devices. Some of the most common techniques include:

Physical Extraction: This technique involves making a bit-by-bit copy of the mobile device's storage
media. It includes extracting data from SIM cards, internal memory, and external storage like SD cards.
Logical Extraction: This technique involves extracting only the data that is relevant to the
investigation or analysis from the mobile device. This can be done using software tools that allow
investigators to select the specific data they need.

File Carving: This technique involves searching through the mobile device's storage media for deleted
or lost files. It involves using specialized software tools to recover data from areas of the storage media
that are not accessible through normal means.
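The following Python carver is an added example, not code from the original text or from any particular forensic tool. It recovers JPEG files from a raw storage image by walking the marker structure from the FF D8 FF signature to the matching FF D9, which is what lets it skip the decoy end marker of a thumbnail embedded in EXIF data; the disk image it builds for the demonstration is constructed, not real.

```python
"""Carve JPEG files out of a raw storage image by signature (added example).

Not from the original text. A JPEG starts with the SOI marker FF D8 FF and
ends with the EOI marker FF D9. Instead of stopping at the first FF D9 after
a start marker (which may belong to a thumbnail embedded in the EXIF APP1
segment), the carver walks the marker segments by their declared lengths and
skips the entropy-coded scan data, so it recovers whole files.
"""
import hashlib

SOI = b"\xff\xd8\xff"  # start-of-image marker followed by the first segment marker


def jpeg_end(buf, start):
    """Return the offset just past the EOI of the JPEG beginning at buf[start],
    or None if the structure is truncated or inconsistent."""
    n = len(buf)
    i = start + 2  # skip SOI
    while i + 2 <= n:
        if buf[i] != 0xFF:
            return None  # a marker must start with FF; otherwise not a JPEG
        m = buf[i + 1]
        if m == 0xFF:            # fill bytes are allowed before a marker
            i += 1
            continue
        if m == 0xD9:            # EOI: done
            return i + 2
        if m == 0x01 or m == 0xD8 or 0xD0 <= m <= 0xD7:
            i += 2               # standalone markers carry no length field
            continue
        if i + 4 > n:
            return None
        seg_len = int.from_bytes(buf[i + 2:i + 4], "big")  # length includes itself
        if seg_len < 2:
            return None
        i += 2 + seg_len
        if m == 0xDA:            # SOS: entropy-coded data follows the header
            # inside scan data FF is always followed by 00 (stuffing) or an RST marker
            while i + 1 < n and not (buf[i] == 0xFF and buf[i + 1] != 0x00
                                     and not 0xD0 <= buf[i + 1] <= 0xD7):
                i += 1
    return None


def carve_jpegs(image):
    """Return (offset, sha256, data) for every structurally complete JPEG in image."""
    found = []
    pos = image.find(SOI)
    while pos != -1:
        end = jpeg_end(image, pos)
        if end is None:
            pos = image.find(SOI, pos + 1)  # truncated or false positive: move on
            continue
        data = bytes(image[pos:end])
        found.append((pos, hashlib.sha256(data).hexdigest(), data))
        pos = image.find(SOI, end)  # resume after the carved file
    return found


def make_sample_jpeg(scan_blocks, with_thumbnail=False):
    """Constructed JPEG-shaped bytes for testing: valid marker structure, no real picture."""
    def seg(marker, body):
        return b"\xff" + bytes([marker]) + (len(body) + 2).to_bytes(2, "big") + body

    data = b"\xff\xd8"
    if with_thumbnail:
        # an APP1 (EXIF) segment whose payload is itself a tiny JPEG: its FF D9 is a decoy
        thumb = b"\xff\xd8" + seg(0xDB, b"\x00\x00") + b"\xff\xd9"
        data += seg(0xE1, b"Exif\x00\x00" + thumb)
    data += seg(0xDB, bytes(65))   # DQT
    data += seg(0xC0, bytes(15))   # SOF0
    data += seg(0xDA, bytes(10))   # SOS header
    data += bytes([0x12, 0x34, 0xFF, 0x00, 0x56]) * scan_blocks  # scan data with stuffed FF 00
    return data + b"\xff\xd9"


def build_sample_image():
    """Constructed disk image: slack, two JPEGs, and a truncated header at the end."""
    first = make_sample_jpeg(3, with_thumbnail=True)
    second = make_sample_jpeg(2)
    image = (b"\x00" * 100 + first + b"\xab" * 50 + second
             + b"\xff\xd8\xff\xe0\x00\x10JFIF")
    return image, first, second


if __name__ == "__main__":
    image, _, _ = build_sample_image()
    for offset, digest, data in carve_jpegs(image):
        print("offset %d, %d bytes, sha256 %s" % (offset, len(data), digest))
```

The hash returned with each carved file is what goes into the evidence log; a naive carver that stops at the first FF D9 would have cut the first sample file short at the thumbnail.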

There are two types of Cell Phone and Mobile Device Forensics, namely:

Physical Forensics: This type of forensics involves the extraction of data from the device's storage
media, including SIM cards, internal memory, and external storage devices.

Logical Forensics: This type of forensics involves the extraction of only the data that is relevant to
the investigation or analysis from the mobile device. Logical Forensics is used when the device is
locked or password-protected, and physical extraction is not possible.

Process of Mobile Device Forensics:

Seizure and Identification:
The first stage is to seize and identify the mobile device that is subject to investigation. This involves
physically securing the device and ensuring that it is properly stored and documented. The device is
then identified by collecting its unique identifier, such as the International Mobile Equipment Identity
(IMEI) number.

Preservation:
Once the device is identified, the next step is to preserve its data. This involves creating a bit-by-bit
copy of the device's storage media, either through physical or logical extraction. This ensures that the
original data on the device is not modified or destroyed during the investigation.

Analysis:
The analysis stage involves examining the data that has been extracted from the device. This can
include examining call logs, text messages, emails, photos, videos, and other files. It may also involve
using specialized software tools to recover deleted or hidden data.

Interpretation:
The interpretation stage involves analyzing the data that has been extracted and making sense of it.
This can include identifying patterns, links, and relationships between different pieces of data. It may
also involve drawing conclusions or making inferences based on the data.

Reporting:
The final stage is to report the findings of the investigation. This involves preparing a written report
that summarizes the results of the investigation and provides an objective analysis of the data. The
report may be used as evidence in legal or investigative proceedings.

Advantages:

The advantages of Cell Phone and Mobile Device Forensics include:

• It can be used to recover deleted or lost data from mobile devices.

• It can help investigators to find evidence in criminal cases or in civil litigation.

• It can provide valuable information in investigations related to cybercrime, fraud, or other
criminal activities.

• It can help companies to investigate data breaches or incidents involving the theft or loss of
company-owned mobile devices.

Disadvantages:

The disadvantages of Cell Phone and Mobile Device Forensics include:

• It can be a time-consuming process, requiring specialized equipment and expertise.

• It can be difficult to extract data from newer or more secure mobile devices.

• It can be expensive, as specialized software tools and equipment are required.

• It can be difficult to interpret the data that is extracted, and the results may not always be
conclusive.

Unit V
Cyber Crime Legal Perspectives
Topics: Introduction, Cybercrime and the Legal Landscape around the World, The Indian IT Act,
Challenges to Indian Law and Cybercrime Scenario in India, Consequences of Not Addressing the
Weakness in Information Technology Act, Digital Signatures and the Indian IT Act, Amendments to
the Indian IT Act, Cybercrime and Punishment, Cyberlaw, Technology and Students: Indian
Scenario.

5.1 Cybercrime and the Legal Landscape around the World

Cybercrime refers to any illegal activity carried out over the internet or other digital communication
networks. Cybercrime can take many forms, including hacking, identity theft, cyberbullying, online
fraud, distribution of malware, and phishing attacks, among others.

• The legal landscape around cybercrime varies significantly around the world. Some countries
have strict laws and regulations that criminalize various types of cybercrime, while others have
weaker or no laws in place to combat these types of crimes.
• In the United States, for example, cybercrime is punishable by law, and perpetrators can face
imprisonment, fines, and other penalties.
• The Computer Fraud and Abuse Act (CFAA) is one of the most critical pieces of legislation in
the U.S. that addresses cybercrime.
• The CFAA criminalizes various types of computer-related offenses, including hacking,
password theft, and the distribution of malware.
• In the European Union, the General Data Protection Regulation (GDPR) governs the protection
and processing of personal data.
• The GDPR provides individuals with greater control over their personal data and imposes strict
penalties on companies that violate data protection regulations.
• In China, the Cybersecurity Law regulates various types of cybercrime, including online fraud,
identity theft, and the spread of malicious software. The Chinese government has also established
a national cybersecurity strategy aimed at combating cybercrime and protecting national security.

International cybercrime conventions

• African Union Convention on Cyberspace Security and Personal Data Protection
• Council of Europe Convention on Cybercrime (also known as the Budapest Convention on
Cybercrime)

Some specific cybercrime laws:
Africa:

• South Africa:
o Cybercrimes Act 2021 – South Africa (South Africa signed the Budapest Convention
in 2001)
o National Cybersecurity Policy Framework (‘NCPF’)

The Americas:

• The United States of America
o Cybersecurity Information Sharing Act (CISA)

Canada:

• The Personal Information Protection and Electronic Documents Act, SC 2000 c 5 ('PIPEDA') is a
privacy statute, but establishes two central cybersecurity obligations for private sector organisations
in Canada. The PIPEDA requires organisations to
o notify the regulator and affected individuals of certain cybersecurity incidents, and
o adopt appropriate security safeguards.

Asia-Pacific:

• Australia:
o Privacy Principles ('APPs') under the Privacy Act 1988 contain information security
obligations.
o Criminal Code Act 1995 Australia
• China has two main laws governing cybercrimes:
o the Cybersecurity Law 2016, and
o the Data Security Law of the People's Republic of China which came into effect in
September 2021.
• India has two laws that recognise the importance of cybersecurity:
o The Information Technology Act, 2000, and
o specific rules, like the Information Technology (Reasonable Security Practices and
Procedures and Sensitive Personal Data or Information) Rules, 2011.
• Philippines has the Cybercrime Prevention Act of 2012
• Thailand has the Act on Computer Crimes

Europe

• Network and Information Security Directive
• UK – Computer Misuse Act, 2013

5.2 Information Technology Act (India):

The Information Technology Act, 2000, also known as the IT Act, is an act of the Indian Parliament
dated 17th October 2000. The Act is based on the United Nations Model Law on Electronic
Commerce 1996 (UNCITRAL Model), which was recommended by the General Assembly of the
United Nations by a resolution dated 30th January 1997. It is the most important law in India dealing
with cybercrime and e-commerce.

The main objective of this act is to enable lawful and trustworthy electronic, digital and online
transactions and to alleviate or reduce cybercrime. The IT Act has 13 chapters and 90 sections. The
last four sections, section 91 to section 94, deal with the revisions to the Indian Penal Code 1860.

The IT Act, 2000 has two schedules:

• First Schedule – Deals with documents to which the Act shall not apply.
• Second Schedule – Deals with electronic signature or electronic authentication method.

The offences and the punishments in IT Act 2000:
The offences and the punishments that fall under the IT Act, 2000 are as follows:
1. Tampering with the computer source documents.
2. Directions of Controller to a subscriber to extend facilities to decrypt information.
3. Publishing of information which is obscene in electronic form.
4. Penalty for breach of confidentiality and privacy.
5. Hacking for malicious purposes.
6. Penalty for publishing Digital Signature Certificate false in certain particulars.
7. Penalty for misrepresentation.
8. Confiscation.
9. Power to investigate offences.
10. Protected System.
11. Penalties for confiscation not to interfere with other punishments.
12. Act to apply for offence or contravention committed outside India.
13. Publication for fraud purposes.
14. Power of Controller to give directions.

For more detail, go through this website: https://eprocure.gov.in/


Sections and Punishments under Information Technology Act, 2000 are as follows:

Section 43: This section of the IT Act, 2000 states that any act of destroying, altering or stealing a
computer system/network or deleting data with malicious intentions, without authorization from the
owner of the computer, is liable for payment to the owner as compensation for damages.

Section 43A: This section states that any corporate body dealing with sensitive information that fails
to implement reasonable security practices, causing loss to another person, will also be liable to pay
compensation to the affected party.

Section 66: Hacking of a computer system with malicious intentions like fraud is punishable with 3
years imprisonment or a fine of Rs. 5,00,000 or both.

Section 66 B, C, D: Fraud or dishonesty using or transmitting information, or identity theft, is
punishable with 3 years imprisonment or a fine of Rs. 1,00,000 or both.

Section 66 E: Violation of privacy by transmitting an image of a private area is punishable with 3
years imprisonment or a fine of Rs. 2,00,000 or both.

Section 66 F: Cyber terrorism affecting the unity, integrity, security or sovereignty of India through a
digital medium is liable for life imprisonment.

Section 67: Publishing obscene information or pornography, or transmission of obscene content in
public, is liable for imprisonment up to 5 years or a fine of Rs. 10,00,000 or both.


5.3 Challenges to Indian Law and Cybercrime Scenario in India

With India carving a niche for itself in the IT sector, dependence on technology is also increasing.
However, two things set India apart from the players in the big leagues, like the United States and
China, and those are design and density. With Indians using the internet for all their needs, ranging
from shopping to banking and from studying to storing data, cybercrimes have also increased in
proportion to usage.

Some of the Cybersecurity challenges in India are as follows:

1. Lack of uniformity in devices used for internet access – With varying income groups in India,
not everyone can afford expensive phones. In the US, Apple has over 44% market share. However, in
India the iPhones with their higher security norms are used by less than 1% of mobile users. The
widening gap between the security offered by the high-end iPhone and lower-cost mobiles makes it
almost impossible for regulators to set legal and technical standards for data protection.

2. Lack of national level architecture for Cybersecurity – Critical infrastructure is owned by the
private sector, and the armed forces have their own firefighting agencies. However, there is no national
security architecture that unifies the efforts of all these agencies so that they can assess the nature of
any threat and tackle it effectively. The Prime Minister's Office has created a position towards this
cause, but there is a long way to go before India has the necessary structure in place.

3. Lack of separation – Unlike countries or states, cyberspace has no boundaries, which makes the
armed forces, the digital assets of ONGC, banking functions, etc. vulnerable to cyber attacks from
anywhere. This could result in security breaches at a national level, causing loss of money, property
or lives. To respond to possible threats to the country's most precious resources, there is a need for a
technically equipped multi-agency organization that can base its decisions on policy inputs and a sound
strategy.

4. Lack of awareness – As there is no national regulatory policy in place for cybersecurity, there is a
lack of awareness at both the company level and the individual level. Domestic netizens can protect
themselves and be protected from cyber-attacks only if there is a guided and supervised legal
framework.

Some other challenges:

• Lack of awareness and a culture of cyber security, at the individual as well as the organizational
level.
• Lack of trained and qualified manpower to implement the countermeasures.
• No e-mail account policy, especially for defence forces, police and security agency personnel.
• Cyber-attacks have come not only from terrorists but also from neighbouring countries, contrary
to our national interests.
• The minimum eligibility to join the police does not include any knowledge of computers, so
officers are almost illiterate with regard to cyber-crime.
• The speed of change in cyber technology always outpaces the government sector, so it is not
able to identify the origin of these cyber-crimes.
• Promotion of Research & Development in ICTs is not up to the mark.
• Security forces and law enforcement personnel are not equipped to address high-tech crimes.
• Present protocols are not self-sufficient in identifying the investigative responsibility for
crimes that stretch across international borders.
• Government budgets for security, especially for the training of law enforcement, security
personnel and investigators in ICT, are small compared to those for other crimes.

5.4 Consequences of Not Addressing the Weakness in IT Act
Here are some of the most significant:

• Increased Cybercrime: One of the most significant consequences of not addressing weaknesses
in the Information Technology Act is the increased risk of cybercrime. When there are
vulnerabilities in the law, it becomes easier for hackers and other cybercriminals to exploit them
and launch attacks. This could lead to everything from data breaches to identity theft to financial
fraud.

• Reduced Trust in Technology: When people don't feel confident that their personal information
is being protected, they are less likely to trust technology and the companies that use it. This could
lead to reduced adoption of new technologies and a reluctance to share personal information online.
It could also have a negative impact on the digital economy and innovation.

• Loss of Business Opportunities: Companies that don't take cybersecurity seriously are likely to
lose business opportunities. This is because customers and partners will be less likely to work with
them if they don't feel their information is being properly protected. Additionally, companies may
be less likely to invest in new technology if they don't feel it will be secure.

• Financial Loss: Cyberattacks can be costly for individuals and companies alike. For individuals,
it could mean losing access to bank accounts, credit cards, and other financial resources. For
companies, it could mean lost revenue, damage to their brand reputation, and legal liabilities.

• Legal Consequences: Finally, not addressing weaknesses in the Information Technology Act
could have legal consequences. Companies that fail to properly protect customer data could be
subject to fines, lawsuits, and other legal penalties. Individuals who engage in cybercrime could
also face legal consequences, including fines and even imprisonment.

• Damage to National Security: The failure to address weaknesses in the Information Technology
Act could also have implications for national security. Cyberattacks could be used to steal sensitive
government information, disrupt critical infrastructure, or even launch coordinated attacks against
the country.

• Reputation Damage: Companies that suffer from cyber attacks may also suffer damage to their
reputation. If news of a cyber-attack becomes public, customers may lose trust in the company's
ability to protect their information. This could result in a loss of customers and damage to the
company's brand reputation.

• Lack of Cybersecurity Awareness: If weaknesses in the Information Technology Act are not
addressed, it could lead to a lack of awareness about the importance of cybersecurity. Individuals
and companies may not take necessary precautions to protect their information, leaving them
vulnerable to cyber-attacks.

• Increase in Cybersecurity Costs: When cybersecurity is not taken seriously, it can lead to an
increase in cybersecurity costs. Companies may need to invest more in security measures such as
firewalls, intrusion detection systems, and encryption to protect their information.

• Lost Productivity: Cyber attacks can also lead to lost productivity for individuals and companies.
For individuals, it could mean lost work hours due to dealing with the aftermath of a cyber attack.
For companies, it could mean downtime for their systems, which could result in lost revenue and
productivity.

Failing to address weaknesses in the Information Technology Act can have a wide range of
consequences, so it is essential to take cybersecurity seriously and work to address vulnerabilities
in the law to protect against these potential consequences.

DIFFERENCE BETWEEN CYBER SECURITY AND INFORMATION SECURITY

| PARAMETERS | CYBER SECURITY | INFORMATION SECURITY |
|---|---|---|
| Basic Definition | It is the practice of protecting the data from outside resources on the internet. | It is all about protecting information from unauthorized users, access, and data modification or removal in order to provide confidentiality, integrity, and availability. |
| Protect | It is about the ability to protect the use of cyberspace from cyber-attacks. | It deals with the protection of data from any form of threat. |
| Scope | Cybersecurity is to protect anything in the cyber realm. | Information security is for information irrespective of the realm. |
| Threat | Cybersecurity deals with the danger in cyberspace. | Information security deals with the protection of data from any form of threat. |
| Attacks | Cybersecurity strikes against cyber crimes, cyber frauds, and law enforcement. | Information security strikes against unauthorized access, disclosure, modification, and disruption. |
| Professionals | Cyber security professionals deal with the prevention of active threats or Advanced Persistent Threats (APT). | Information security professionals are the foundation of data security, and the security professionals associated with it are responsible for policies, processes, and organizational roles and responsibilities that assure confidentiality, integrity, and availability. |
| Deals with | It deals with threats that may or may not exist in the cyber realm, such as protecting your social media account, personal information, etc. | It deals with information assets and their integrity, confidentiality, and availability. |
| Defense | Acts as the first line of defense. | Comes into play when security is breached. |

Examples and Inclusion of Cyber Security are as follows:

• Network Security
• Application Security
• Cloud Security
• Critical Infrastructure

Examples and inclusion of Information Security are as follows:

• Procedural Controls
• Access Controls
• Technical Controls
• Compliance Controls

5.5 Digital Signatures and the Indian IT Act

The use of electronic signatures in electronic contracts is on the rise
in India, due in part to the government’s Digital India initiative which focuses on enhancing digital
infrastructure and on transforming India into a paperless economy. Companies doing business in India
are also increasingly utilizing electronic signatures to complete their transactions.

In India, electronic and certificate-based digital signatures are regulated by the Information
Technology Act, 2000 (IT Act) and the following rules made under this Act:

• Information Technology (Certifying Authorities) Rules, 2000;
• Digital Signature (End Entity) Rules, 2015; and
• IT (Use of Electronic Records and Digital Signature) Rules, 2004.

The IT Act distinguishes between electronic signatures and certificate-based digital signatures, but
both have the same status as handwritten signatures under Indian law. Digital signatures are preferred
for certain government transactions such as e-filing with the Ministry of Corporate Affairs, and goods
and service tax filings.

Valid electronic signatures must include an electronic authentication technique or procedure specified
in the Second Schedule of the IT Act. The Second Schedule currently specifies the following e-KYC
(Know Your Customer) authentication techniques and procedures:

1. Aadhaar e-KYC (see below for additional details);
2. Other e-KYC services (e.g. e-KYC using Permanent Account Number (PAN)).

Under Indian law, reliable electronic and digital signatures carry a presumption of validity compared
to other “non-recognized” electronic signatures. However, in common with other jurisdictions, Indian
law will not consider an agreement invalid solely on the grounds that it was formed with such non-
recognised electronic signatures.

For an electronic signature to be considered reliable and presumptively valid under the IT Act:

1. It must be unique to the signatory;

2. at the time of signing, the signatory must have control over the data used to generate the electronic
signature;
3. any alteration to the affixed electronic signature, or to the document to which the signature is
affixed, must be detectable;

4. there should be an audit trail of steps taken during the signing process; and

5. The signer certificates must be issued by a certifying authority (CA) recognized by the
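
Criteria 1 to 4 above are properties the signing scheme itself must provide. The following added example (written for this page, not taken from the text, a certifying authority or any vendor) illustrates them with textbook RSA over a SHA-256 digest using only the Python standard library and a constructed sample agreement: the private exponent is the signing data only the signatory controls, verification fails after any alteration of the document or of the signature, and every signing step is appended to an audit trail. Unpadded RSA and the small demo key size are assumptions made for readability; real signing services use padded RSA or ECDSA with certificates issued by a licensed CA.

```python
"""Added illustration (not from the original text) of the IT Act reliability
criteria for an electronic signature: signatory control of the signing data,
detectability of any alteration, and an audit trail of the signing steps.
Textbook RSA over SHA-256, standard library only; constructed for teaching."""
import hashlib
import secrets
import time

PUBLIC_EXPONENT = 65537


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test, adequate for a constructed demo key."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512):
    """Return ((n, e), (n, d)). Only the signatory holds d (criterion 2)."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % PUBLIC_EXPONENT != 0:
            break
    n = p * q
    d = pow(PUBLIC_EXPONENT, -1, phi)  # modular inverse, Python 3.8+
    return (n, PUBLIC_EXPONENT), (n, d)


def document_digest(document: bytes) -> int:
    """SHA-256 of the document as an integer; 256 bits, so always below n."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, private_key, audit_trail: list) -> int:
    """Sign the digest with the private exponent, recording each step
    in the caller's audit trail (criterion 4)."""
    n, d = private_key
    h = document_digest(document)
    audit_trail.append({"step": "hash", "sha256": f"{h:064x}", "at": time.time()})
    signature = pow(h, d, n)
    audit_trail.append({"step": "sign", "modulus_bits": n.bit_length(), "at": time.time()})
    return signature


def verify(document: bytes, signature: int, public_key) -> bool:
    """True only if the signature matches this exact document under this key;
    any change to the document or the signature yields False (criterion 3)."""
    n, e = public_key
    return 0 < signature < n and pow(signature, e, n) == document_digest(document)


if __name__ == "__main__":
    audit = []
    public, private = generate_keypair()
    # Constructed sample agreement, not a real document.
    contract = b"Sample agreement: Party A licenses software to Party B."
    sig = sign(contract, private, audit)
    print("original verifies:", verify(contract, sig, public))
    print("altered document:", verify(contract.replace(b"Party B", b"Party C"), sig, public))
    print("tampered signature:", verify(contract, (sig + 1) % public[0], public))
    print("audit steps:", [entry["step"] for entry in audit])
```

Criterion 1 (uniqueness to the signatory) shows up as a second keypair's signature failing to verify against the first public key.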

Note:

For e-signing processes initiated in India, Adobe applies an electronic seal using digital certificates
from eMudhra, which are recognized under the IT Act and thus carry the presumption of validity for
the completed agreement.

Judges and magistrates are familiar with the law concerning e-signatures and e-contracts, although
some local authorities insist on physical documents for keeping registers and records under statutes,
and on the use of traditional “wet signatures” for authentication.

Special considerations:

Aadhaar e-KYC

Using Aadhaar e-KYC as an e-authentication technique requires verification of the
signatory's identity using his or her Aadhaar number. According to the Aadhaar and Other Laws
(Amendment) Act, 2019, an entity may be allowed to perform Aadhaar authentication, with the
voluntary consent of the Aadhaar number holder, only if the UIDAI (Unique Identification Authority
of India) is satisfied that the requesting entity is:

• compliant with such standards of privacy and security as may be specified by regulations; and
• permitted to offer authentication services under the provisions of any other law made by
Parliament.

Accordingly, authentication using Aadhaar e-KYC services is currently only being offered to private
application service providers (ASPs) by the following two government entities:

• National Securities Depository Limited (NSDL); and
• Centre for Development of Advanced Computing (C-DAC).

Note:

Adobe has partnered with NSDL to provide Aadhaar e-KYC services to our customers worldwide. For
more information, please see https://helpx.adobe.com/sign/using/adobesign-idp-aadhaar.html

Indian Stamp Act:

The Indian Stamp Act, 1899, requires that certain documents be stamped at or before the
time of execution. Currently no laws in India prescribe a method for stamping electronic documents.
Some states such as Maharashtra, Karnataka and Delhi specifically extend the requirement for
stamping to electronic records. Where stamps are accepted electronically, Adobe Acrobat Sign can be
tailored to meet those requirements.

Companies should always confirm with their internal legal team whether a document needs to be
stamped before signing and executing the document electronically. If a document is signed and
executed electronically and is required to be stamped, then the company should ensure that a physical
copy of the document is prepared and stamped. If a document is not properly stamped, then penalties
may be imposed.

Transacting with public sector entities:

The IT Act allows the use of an electronic or digital signature for (i)
filing any form, application or document with any government authority; (ii) issue of any license,
permit or approval by the government authority; and (iii) receipt or payment of money in a particular
manner, in electronic form. The government authority may create rules prescribing the manner in
which electronic records and electronic signatures are accepted for these purposes. For instance, Rule
7 of the Companies (Registration Offices and Fees) Rules, 2014 specifies that every application,
financial statement, prospectus, return, declaration, memorandum, articles, particulars of charges, or
any other particulars or document or any notice, shall be filed in computer readable electronic form in
PDF. Further, Rule 8 stipulates that an e-form must be authenticated using a Digital Signature, and the
Central Board of Direct Taxes has notified the procedure for filing e-TDS/e-TCS and other forms using
digital signatures.

In addition, certain government authorities have initiated e-filing regimes and permit electronic
signatures for the following purposes:

• Digital locker self-attestation;
• Goods and sales tax returns and invoices;
• Account opening in banks and post offices;
• Application for driving license renewal and vehicle registration;
• Application for birth, caste, marriage and income certificate etc.;
• Passport application for issuance or reissue/renewal;
• Telecom application for new connection.

Use cases that require a traditional signature

Under Indian law, the following documents must be signed with a traditional wet signature:

• A negotiable instrument (other than a cheque) as defined in section 13 of the Negotiable
Instruments Act, 1881. A negotiable instrument includes a promissory note, bill of exchange
or a cheque.
• A power-of-attorney as defined in section 1-A of the Power-of-Attorney Act, 1882.
• A trust as defined in section 3 of the Indian Trusts Act, 1882.
• A will as defined in section 2(h) of the Indian Succession Act, 1925, including any other
testamentary disposition.
• Any contract for sale or conveyance of immovable property or any interest in such property.

In addition, notarization is carried out by a registered notary under his or her signature and seal. As a
matter of practice, this has always been carried out through a physical seal and wet signature and
requires verification of physical copies of documents.

5.6 Amendments to the Indian IT Act

The Information Technology (Amendment) Act, 2008:

• Expanded the definition of cybercrime to include offences such as identity theft, cyberstalking, and
phishing.
• Introduced new penalties for cybercrime, including imprisonment and fines.
• Established the framework for the investigation and prosecution of cybercrime in India.
• Provided for the appointment of an adjudicating officer to handle disputes related to cybercrime.
• Introduced new provisions related to the preservation and retention of electronic records.
• Mandated the use of digital signatures for online transactions.
• Made cybercrime a non-bailable offence in certain cases.
• Significance: This amendment was significant as it was the first major update to the IT Act since
its inception in 2000. It reflected the government's growing recognition of the need to address the
challenges posed by cybercrime and establish a legal framework to regulate it.

The Information Technology (Amendment) Act, 2011:

• Introduced new offences related to cyber terrorism and illegal interception of electronic
communications.
• Included provisions to regulate the use of the internet in certain circumstances and protect sensitive
personal information.
• Established new penalties for non-compliance, including imprisonment and fines.
• Introduced a new chapter on the regulation of electronic signatures.
• Provided for the establishment of the Cyber Appellate Tribunal to hear appeals related to
cybercrime.
• Introduced new provisions related to the blocking of websites and other online content.
• Defined the concept of "cyber cafes" and regulated their operations.
• Significance: This amendment was significant as it reflected the government's growing concern
over the use of technology for criminal activities and the need to protect personal information. It
also reflected a shift towards greater government control over the use of the internet in certain
circumstances.

The Information Technology (Amendment) Act, 2018:

• Established a framework for the protection of personal data, including sensitive personal data.
• Included provisions related to the storage and transfer of personal data.
• Introduced penalties for non-compliance, including imprisonment and fines.
• Established the office of the Data Protection Officer to oversee compliance with data protection
regulations.
• Introduced new provisions related to the handling of data breaches.
• Provided for the establishment of a Data Protection Authority to oversee data protection issues in
India.
• Defined the concept of "consent" and regulated its use in data processing activities.
• Significance: This amendment was significant as it reflected the government's growing recognition
of the need to protect personal data and privacy in the digital age. It also reflected the growing
importance of data as a valuable commodity and the need to regulate its use.

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules,
2021:

• Established guidelines for intermediaries, including requirements related to content takedown and
the identification of the originator of problematic content.
• Introduced a code of ethics for digital media, including provisions related to fake news and the
promotion of violence.
• Required social media platforms to appoint a grievance officer to handle complaints related to
content.
• Mandated the use of automated tools to identify and remove problematic content.
• Required digital news platforms to adhere to the Press Council of India's code of ethics.
• Provided for the establishment of a three-tiered regulatory framework to oversee digital media and
social media platforms.
• Significance: This amendment was significant as it reflected the government's growing concern
over the role of social media and other digital platforms in spreading misinformation and
promoting violence. It also reflected the government's desire to regulate these platforms more
closely to ensure their responsible use.

5.7 CYBER-CRIME AND PUNISHMENT

Faster worldwide connectivity has given rise to numerous online crimes, and these increased
offences led to the need for protective laws. In order to keep in stride with the changing
generation, the Indian Parliament passed the Information Technology Act 2000, which is based on
the United Nations Commission on International Trade Law (UNCITRAL) Model Law.

The law defines the offenses in a detailed manner along with the penalties for each category of offence.

Cyber-crime usually includes the following −

• Unauthorized access to computers
• Data diddling
• Virus/worm attacks
• Theft of computer systems
• Hacking
• Denial of service attacks
• Logic bombs
• Trojan attacks
• Internet time theft
• Web jacking
• Email bombing
• Salami attacks
• Physically damaging computer systems.

The offences included in the I.T. Act 2000 are as follows −

• Tampering with computer source documents.
• Hacking with computer system.
• Publishing of information which is obscene in electronic form.
• Power of Controller to give directions.
• Directions of Controller to a subscriber to extend facilities to decrypt information.
• Protected system.
• Penalty for misrepresentation.
• Penalty for breach of confidentiality and privacy.
• Penalty for publishing a Digital Signature Certificate false in certain particulars.
• Publication for fraudulent purpose.
• Act to apply to an offence or contravention committed outside India.
• Confiscation.
• Penalties or confiscation not to interfere with other punishments.
• Power to investigate offences.

| Section | Offence | Punishment |
|---|---|---|
| 65 | Tampering with computer source code | Imprisonment up to 3 years or fine up to Rs. 2 lakh |
| 66 | Computer related offences | Imprisonment up to 3 years or fine up to Rs. 5 lakh |
| 66-A | Sending offensive messages through communication service, etc. | Imprisonment up to 3 years and fine |
| 66-B | Dishonestly receiving stolen computer resource or communication device | Imprisonment up to 3 years and/or fine up to Rs. 1 lakh |
| 66-C | Identity theft | Imprisonment of either description up to 3 years and/or fine up to Rs. 1 lakh |
| 66-D | Cheating by personation by using computer resource | Imprisonment of either description up to 3 years and/or fine up to Rs. 1 lakh |
| 66-E | Violation of privacy | Imprisonment up to 3 years and/or fine up to Rs. 2 lakh |
| 66-F | Cyber terrorism | Imprisonment which may extend to imprisonment for life |
| 67 | Publishing or transmitting obscene material in electronic form | On first conviction, imprisonment up to 3 years and/or fine up to Rs. 5 lakh; on subsequent conviction, imprisonment up to 5 years and/or fine up to Rs. 10 lakh |
| 67-A | Publishing or transmitting material containing sexually explicit act, etc. in electronic form | On first conviction, imprisonment up to 5 years and/or fine up to Rs. 10 lakh; on subsequent conviction, imprisonment up to 7 years and/or fine up to Rs. 10 lakh |
| 67-B | Publishing or transmitting material depicting children in sexually explicit act etc., in electronic form | On first conviction, imprisonment of either description up to 5 years and/or fine up to Rs. 10 lakh; on subsequent conviction, imprisonment of either description up to 7 years and/or fine up to Rs. 10 lakh |
| 67-C | Intermediary intentionally or knowingly contravening the directions about preservation and retention of information | Imprisonment up to 3 years and fine |
| 68 | Failure to comply with the directions given by Controller | Imprisonment up to 2 years and/or fine up to Rs. 1 lakh |
| 69 | Failure to assist the agency referred to in sub-section (3) in regard to interception or monitoring or decryption of any information through any computer resource | Imprisonment up to 7 years and fine |
| 69-A | Failure of the intermediary to comply with the direction issued for blocking public access to any information through any computer resource | Imprisonment up to 7 years and fine |
| 69-B | Intermediary who intentionally or knowingly contravenes the provisions of sub-section (2) in regard to monitoring and collecting traffic data or information through any computer resource for cybersecurity | Imprisonment up to 3 years and fine |
| 70 | Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of Sec. 70 | Imprisonment of either description up to 10 years and fine |
| 70-B | ICERT to serve as national agency for incident response. Any service provider, intermediary, data centre, etc., who fails to provide the information called for or comply with the direction issued by the ICERT | Imprisonment up to 1 year and/or fine up to Rs. 1 lakh |
| 71 | Misrepresentation to the Controller or the Certifying Authority | Imprisonment up to 2 years and/or fine up to Rs. 1 lakh |
| 72 | Breach of confidentiality and privacy | Imprisonment up to 2 years and/or fine up to Rs. 1 lakh |
| 72-A | Disclosure of information in breach of lawful contract | Imprisonment up to 3 years and/or fine up to Rs. 5 lakh |
| 73 | Publishing electronic Signature Certificate false in certain particulars | Imprisonment up to 2 years and/or fine up to Rs. 1 lakh |
| 74 | Publication for fraudulent purpose | Imprisonment up to 2 years and/or fine up to Rs. 1 lakh |

5.8 Cyberlaw, Technology and Students: Indian Scenario
1. Cybercrime is a growing concern among students:

• Cybercrime is a serious problem in India, and students are increasingly engaging in cybercrime.
• Common cybercrimes committed by students include hacking, phishing, cyberbullying, and
online harassment.
• Cybercrime can have serious consequences for students, including legal penalties, suspension
or expulsion from school, and damage to their reputation.
• Students who engage in cybercrime may also be at risk of becoming victims of cybercrime
themselves, such as identity theft or online fraud.

2. Schools and universities have a responsibility to educate students about cyberlaw and
cybersecurity:

• Educational institutions have a responsibility to educate students about the risks and
consequences of cybercrime.
• Schools and universities can offer courses and workshops on cyberlaw and cybersecurity to
teach students about the importance of online safety.
• Educational institutions can also implement policies and procedures to prevent cybercrime and
protect students from cyber threats.
• This includes developing guidelines for safe internet use, monitoring online activity, and
reporting any suspicious behavior to the appropriate authorities.

3. The Indian IT Act provides a legal framework for cyberlaw in India:

• The Information Technology (IT) Act, 2000, is the primary legislation governing cyberlaw in
India.
• The Act defines cybercrime and provides penalties for various cyber offences.
• The Act also establishes the framework for the investigation and prosecution of cybercrime in
India.
• The Act has been amended several times to keep up with the evolving nature of cybercrime.

4. Social media and online platforms pose unique challenges for students and cyberlaw:

• Social media and online platforms are increasingly popular among students, but they also pose
unique risks.
• Cyberbullying and online harassment are common on social media, and can have serious
consequences for students.
• Social media platforms may also collect and use student data in ways that violate privacy laws.
• Educational institutions must ensure that students are aware of these risks and provide guidance
on how to use social media safely.

5. Data privacy is a growing concern among students and educators:

• The use of technology in education has increased dramatically in recent years, raising concerns
about data privacy.
• Students' personal data, including grades, test scores, and attendance records, are often stored
on school and university servers.
• Educational institutions must take steps to protect student data and ensure compliance with
data protection laws, such as the Information Technology (Reasonable Security Practices and
Procedures and Sensitive Personal Data or Information) Rules, 2011.
• Educational institutions must also ensure that students' personal data is not misused by third
parties, such as advertisers or data brokers.

6. Educational institutions must stay up to date on cyberlaw and technology:

• As technology and cybercrime evolve, schools and universities must stay up to date on the
latest trends and threats.
• Educational institutions can partner with cybersecurity experts and organizations to develop
best practices and implement effective policies.
• Educational institutions should also encourage students to be responsible digital citizens and
promote ethical and responsible use of technology.
• This includes teaching students about online privacy, security, and the responsible use of social
media and other online platforms.
