Cyber Security Lab Manual

The document is a lab manual for the BCA VI Semester Cyber Security course at SAM Global University, Bhopal, detailing various practical experiments related to cybersecurity. It covers topics such as cyber threats, information security principles, network security techniques, cryptography, and incident response. Each practical includes objectives, theory, tools used, procedures, and expected results to enhance students' understanding of cybersecurity concepts.


SAM GLOBAL UNIVERSITY, BHOPAL

FACULTY OF SCIENCE
SCHOOL OF INFORMATION TECHNOLOGY

SESSION :- 2024-2025
LAB MANUAL
BCA VI SEMESTER
CYBER SECURITY
FACULTY NAME :- Shagun Tiwari
LIST OF EXPERIMENTS

1) Exploring Cyber Threats – Malware and Phishing
2) Information Security – Demonstrating the CIA Triad
3) Network Scanning and Packet Sniffing using Wireshark
4) Firewall and IDS/IPS Testing
5) Implementing Symmetric and Asymmetric Encryption
6) Hashing Techniques and Digital Signature Verification
7) Penetration Testing – Reconnaissance and Scanning
8) Exploitation and Reporting using Metasploit Framework
9) Cybercrime Investigation and Digital Forensics
10) Incident Response Simulation and Best Practices
TABLE OF CONTENT

S.NO  DATE  EXPERIMENT TITLE                                          MARKS/10  SIGN.
1           Exploring Cyber Threats – Malware and Phishing
2           Information Security – Demonstrating the CIA Triad
3           Network Scanning and Packet Sniffing using Wireshark
4           Firewall and IDS/IPS Testing
5           Implementing Symmetric and Asymmetric Encryption
6           Hashing Techniques and Digital Signature Verification
7           Penetration Testing – Reconnaissance and Scanning
8           Exploitation and Reporting using Metasploit Framework
9           Cybercrime Investigation and Digital Forensics
10          Incident Response Simulation and Best Practices
Unit I: Cyber Security Fundamentals
Introduction
Cybersecurity threats have become increasingly sophisticated over the years, with
malware and phishing attacks being two of the most prevalent forms. These threats
not only compromise personal data but also disrupt critical infrastructure and
business operations. Understanding how these threats operate is fundamental for
anyone involved in cybersecurity. This practical focuses on exploring the behavior,
types, and impact of malware and phishing attacks, as well as simulating them in a
safe environment for educational purposes.
Malware, short for malicious software, refers to any program or file intentionally
designed to cause harm to a computer system, network, or user. It can disrupt
normal operations, steal sensitive data, or give unauthorized access to attackers.
Phishing is a type of social engineering attack where attackers impersonate
legitimate entities to trick users into revealing sensitive information such as
usernames, passwords, or credit card numbers.

Practical 1: Exploring Cyber Threats – Malware and Phishing

Title: Exploring Cyber Threats – Malware and Phishing

Objective:

To understand and identify different types of cyber threats such as malware and phishing attacks.

To simulate basic malware behavior and a phishing scenario in a controlled environment.

Theory:

Cyber threats consist of various malicious techniques. Malware (viruses, worms, Trojans,
ransomware) refers to software specifically designed to damage, disrupt, or gain unauthorized
access to systems. Phishing involves fraudulent communications that appear to come from a
reputable source, aiming to trick individuals into revealing sensitive data. Learning these basics
helps in understanding attack methodologies and reinforces the need for robust security
measures.
Tools Used:

Kali Linux (Virtual Machine)

Python (for scripting simulation)

Social Engineering Toolkit (SET) or GoPhish

ClamAV (or any antivirus scanner)

Procedure:

1) Malware Simulation:

Open a Kali Linux virtual machine.

Create a Python script that simulates malware behavior (for example, generating multiple files
automatically):

# Simulation only: create five text files in the current directory, the
# observable side effect a dropper-style program might have.
for i in range(5):
    with open(f"file{i}.txt", "w") as f:
        f.write("This is a malware simulation.\n")

Execute the script and observe how files are generated.

Run an antivirus scan (e.g., using ClamAV) to see if it detects the simulated activity.

2) Phishing Demonstration:

Launch SET by typing setoolkit in the Kali terminal.

Navigate through: Social Engineering Attacks → Website Attack Vectors → Credential
Harvester Attack → Site Cloner.

Clone a sample login page (such as a generic email login) and send a test phishing email (only in
a secure, lab-controlled network).

Observe the capture of dummy credentials on the cloned site.

Result:

The malware simulation created unwanted files automatically, demonstrating how unauthorized
scripts might operate.

The phishing demo successfully captured test credentials, reinforcing the idea that users are
vulnerable to social engineering if security awareness is lacking.
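The following Python script is an added example, not part of the original manual, showing the defender's side of the phishing demonstration: it scores a constructed e-mail against the indicators students can look for (an untrusted sender domain, urgency wording, link text that does not match the real link target, a bare IP address as the target, and plain http). The sample message, the trusted domain university.example and the indicator list are assumptions made for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message for the lab; not a real phishing e-mail.
SAMPLE_EMAIL = """\
From: "IT Helpdesk" <helpdesk@example-support.invalid>
To: student@university.example
Subject: URGENT: your mailbox will be suspended
Content-Type: text/html

<p>Your account will be suspended within 24 hours unless you verify now.</p>
<p><a href="http://198.51.100.7/login">https://mail.university.example/login</a></p>
"""

# Assumption: the organisation's own mail domain(s).
TRUSTED_DOMAINS = {"university.example"}
# Words typical of pressure tactics; extend for your own environment.
URGENCY_WORDS = ("urgent", "suspended", "immediately", "verify now", "within 24 hours")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def analyse_links(html):
    """Return indicator strings for every <a> whose visible text, host or scheme is suspicious."""
    indicators = []
    for href, text in LINK_RE.findall(html):
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text.strip()).hostname
        # The visible URL and the real target disagree: classic credential-harvester lure.
        if text_host and text_host != href_host:
            indicators.append(f"link text shows {text_host} but points to {href_host}")
        if IP_RE.match(href_host):
            indicators.append(f"link target is a bare IP address ({href_host})")
        if urlparse(href).scheme == "http":
            indicators.append(f"link uses unencrypted http ({href})")
    return indicators


def score_message(raw, trusted_domains):
    """Parse one RFC 822 message and return the indicators found plus a simple count score."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    indicators = []
    if domain not in trusted_domains:
        indicators.append(f'sender "{name}" uses untrusted domain {domain}')
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        indicators.append("urgency language: " + ", ".join(hits))
    indicators += analyse_links(body)
    return {"from": addr, "indicators": indicators, "score": len(indicators)}


if __name__ == "__main__":
    for line in score_message(SAMPLE_EMAIL, TRUSTED_DOMAINS)["indicators"]:
        print("-", line)
```

The score is only a count of independent indicators; in a real mail gateway each indicator would carry its own weight and the message headers (Received chain, SPF/DKIM results) would add further evidence.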
Practical 2: Information Security – Demonstrating the CIA Triad

Information security is the practice of protecting digital and physical data from unauthorized
access, modification, destruction, or disclosure. A foundational concept in this field is the CIA
Triad, which stands for Confidentiality, Integrity, and Availability. These three principles form the
backbone of all information security policies and practices, ensuring that data is secure,
trustworthy, and accessible when needed.

Confidentiality ensures that sensitive information is only accessible to authorized individuals. It
prevents unauthorized users, whether internal or external, from accessing data they are not
permitted to see. Methods used to maintain confidentiality include encryption, authentication
mechanisms like usernames and passwords, and access control systems.

Integrity refers to the accuracy and trustworthiness of data. It ensures that information remains
unaltered during storage or transmission, except by authorized individuals. Integrity is crucial in
situations where the accuracy of data can have serious consequences—such as financial records,
academic transcripts, or software code. To maintain data integrity, systems use cryptographic
hash functions, digital signatures, and checksums. These methods detect unauthorized changes
to data and alert administrators to potential tampering or corruption.

Availability ensures that information and systems are accessible to authorized users when
needed. This principle is especially important for systems that must be operational around the
clock, such as banking services or emergency response systems. Availability can be disrupted by
technical failures, natural disasters, or cyberattacks like Denial of Service (DoS) attacks. To
maintain availability, organizations implement redundancy (e.g., backup servers), failover
systems, and regular maintenance schedules.

This practical involves demonstrating each component of the CIA Triad in a hands-on lab
environment. For confidentiality, students might use encryption tools to protect files and observe
how unauthorized access is blocked. For integrity, they might create a file, apply a hash function,
then alter the file to see how the hash changes.

Title: Information Security – Demonstrating the CIA Triad

Objective:

To understand the core principles of the CIA Triad (Confidentiality, Integrity, Availability).
To demonstrate file encryption and integrity verification as practical implementations of these
principles.

Theory:

The CIA Triad forms the cornerstone of information security:

Confidentiality: Ensuring information is accessible only to those authorized.

Integrity: Guaranteeing that information remains unaltered during storage or transmission.

Availability: Ensuring information is accessible to authorized users when needed.

Encryption (to maintain confidentiality) and hashing (to verify integrity) are two practical
techniques derived from this model.

Tools Used:

GPG or AES encryption tools

MD5/SHA256 hash tools (available via Linux command line)

Linux Terminal

Procedure:

1) File Encryption:

Encrypt a sample file using GPG:

gpg --symmetric --cipher-algo AES256 sample.txt

Enter a passphrase and create an encrypted file (sample.txt.gpg).

2) Integrity Verification:

Generate a hash for the original file:

sha256sum sample.txt > sample.txt.hash

Modify the file (edit a line) and generate a new hash.

Compare the two hashes to determine whether the file's content was altered.

Result:

The file encryption process successfully concealed the content from unauthorized access.

Hash comparison clearly indicated whether the file’s content was altered, thereby enforcing the
principle of integrity.
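As an added illustration of the integrity step (not code from the manual), the Python below reproduces what sha256sum and the comparison do, counts how many of the 256 hash bits change after a one-character edit, and adds the check a practitioner would want: a keyed HMAC, because a plain hash stored next to the file can simply be recomputed by whoever altered the file. The sample file contents and the key are constructed for the example.

```python
import hashlib
import hmac


def file_digest(data: bytes) -> str:
    """SHA-256 hex digest, the same value `sha256sum` prints for the file."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, recorded_hex: str) -> bool:
    """Constant-time comparison; a plain == can leak timing when a digest is secret."""
    return hmac.compare_digest(file_digest(data), recorded_hex)


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count the bits that differ between two digests (the avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def keyed_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag. Someone who can rewrite sample.txt but lacks `key`
    cannot produce a matching tag, unlike a plain .hash file kept beside it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, data), tag)


def integrity_demo():
    original = b"Student: Alice\nMarks: 9/10\n"    # constructed sample.txt
    altered = b"Student: Alice\nMarks: 10/10\n"    # a one-character edit
    recorded = file_digest(original)               # what sample.txt.hash would hold
    key = b"lab-secret-key"                        # constructed; keep separate from the file
    tag = keyed_tag(key, original)
    return {
        "unaltered_ok": verify_digest(original, recorded),
        "altered_ok": verify_digest(altered, recorded),
        "bits_changed": differing_bits(recorded, file_digest(altered)),
        "tag_unaltered_ok": verify_tag(key, original, tag),
        "tag_altered_ok": verify_tag(key, altered, tag),
        # the attacker recomputes a tag for the altered file with a guessed key
        "forged_tag_ok": verify_tag(key, altered, keyed_tag(b"wrong-key", altered)),
    }


if __name__ == "__main__":
    for name, value in integrity_demo().items():
        print(f"{name}: {value}")
```

Expect roughly half of the 256 bits to change for the one-character edit; the exact count varies with the input, which is the point of the avalanche property.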
Unit II: Network Security
Network scanning and packet sniffing are essential techniques used in cybersecurity to analyze,
monitor, and secure network communications. These processes help identify vulnerabilities,
detect unauthorized devices, and understand how data moves across a network. This practical
introduces students to two key tools and techniques: network scanning, which discovers active
hosts and services, and packet sniffing, which captures and analyzes network traffic. The tool
primarily used here is Wireshark, a powerful and widely used packet analysis software.

Network scanning involves probing a network to find out what systems are active, what services
are running, and what vulnerabilities may exist. Tools like Nmap (Network Mapper) are commonly
used for this purpose. By scanning IP addresses and ports, an analyst can determine whether a
system is online, which ports are open, and what services are available. This is particularly useful
for identifying misconfigured devices, outdated software, or unauthorized systems within a
network.

Practical 3: Network Scanning and Packet Sniffing using Wireshark

Title: Network Scanning and Packet Sniffing using Wireshark

Objective:

To capture and analyze live network traffic, thereby understanding how data packets, including
sensitive information, traverse the network.

Theory:

Packet sniffing involves capturing data packets on a network. Tools like Wireshark allow security
analysts to inspect packets transmitted over various protocols (HTTP, DNS, FTP) and identify
potential vulnerabilities or data leaks. This is critical for diagnosing network issues and detecting
unauthorized data exfiltration.

Tools Used:

Wireshark

A network adapter capable of promiscuous mode

A test system generating network traffic (web browsing, file transfers)

Procedure:
1) Launch Wireshark and select the appropriate network interface.

2) Begin packet capture.

3) Generate network traffic by accessing various websites.

4) Filter the captured data by protocols such as HTTP or DNS.

5) Analyze packet details including source/destination IP addresses and packet payloads.

Result:

Network traffic was captured in real time.

Analysis revealed key details such as unencrypted HTTP transmissions, highlighting the need for
encryption on sensitive networks.
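The following Python is an added example, not from the manual or from Wireshark, that decodes two constructed frames the way Wireshark's detail pane does (Ethernet, then IPv4, then TCP or UDP), applies the equivalent of the http and dns display filters from step 4, and pulls out the source/destination addresses and payload from step 5. The addresses, ports, payloads and the zeroed checksums are constructed for the example.

```python
import socket
import struct

# Frames are built here in code; nothing is read from a live interface.
# IP/TCP/UDP checksums are left as zero, which Wireshark would mark as incorrect.


def tcp_header(sport, dport):
    # data offset 5 (20-byte header), flags PSH|ACK, window, checksum, urgent pointer
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)


def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def build_frame(src_ip, dst_ip, proto, l4_header, payload):
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455") + b"\x08\x00"
    l4 = l4_header + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4


def dns_query(name):
    """Minimal DNS question (ID, RD flag, QDCOUNT=1) for an A record."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", 1, 1)


def parse_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP/UDP into the fields Wireshark lists per layer."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    pkt = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]), "proto": ip[9]}
    l4 = ip[ihl:total_len]
    if pkt["proto"] == 6:                                # TCP
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
        pkt["payload"] = l4[(l4[12] >> 4) * 4:]
    elif pkt["proto"] == 17:                             # UDP
        pkt["sport"], pkt["dport"], length, _ = struct.unpack("!HHHH", l4[:8])
        pkt["payload"] = l4[8:length]
    return pkt


def display_filter(pkt):
    """Port-based stand-in for Wireshark's http / tls / dns display filters."""
    ports = {pkt.get("sport"), pkt.get("dport")}
    if pkt["proto"] == 6 and 80 in ports:
        return "http"
    if pkt["proto"] == 6 and 443 in ports:
        return "tls"
    if pkt["proto"] == 17 and 53 in ports:
        return "dns"
    return None


def summarize(frame):
    pkt = parse_frame(frame)
    pkt["filter"] = display_filter(pkt)
    if pkt["filter"] == "http":
        # The request line is readable as-is: this is what "unencrypted HTTP" means.
        pkt["request"] = pkt["payload"].split(b"\r\n", 1)[0].decode(errors="replace")
        pkt["cleartext"] = True
    elif pkt["filter"] == "dns":
        labels, i = [], 12                      # question section starts after the 12-byte header
        while pkt["payload"][i]:
            n = pkt["payload"][i]
            labels.append(pkt["payload"][i + 1:i + 1 + n].decode())
            i += 1 + n
        pkt["qname"] = ".".join(labels)
    return pkt


def sample_capture():
    http_get = b"GET /login HTTP/1.1\r\nHost: www.example\r\n\r\n"
    dns = dns_query("www.example")
    return [
        build_frame("192.0.2.10", "198.51.100.20", 6, tcp_header(51514, 80), http_get),
        build_frame("192.0.2.10", "192.0.2.1", 17, udp_header(40000, 53, len(dns)), dns),
    ]


if __name__ == "__main__":
    for frame in sample_capture():
        print(summarize(frame))
```

Saving real frames with Wireshark (File > Save As, pcap) and reading them with a pcap library would replace sample_capture(); the decoding logic stays the same.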

Practical 4: Firewall and IDS/IPS Testing


Firewalls and Intrusion Detection/Prevention Systems (IDS/IPS) are critical components of
network security architecture. They act as gatekeepers, monitoring and controlling the flow of
traffic to and from a network based on predefined security rules. This practical focuses on
understanding how firewalls and IDS/IPS systems function, and how to test their effectiveness in
protecting against unauthorized access and malicious activity.

A firewall is a network security device or software that enforces access control policies. It filters
incoming and outgoing network traffic based on rules such as IP addresses, port numbers, and
protocols. There are two main types of firewalls: network-based and host-based. Network
firewalls protect entire segments, whereas host-based firewalls operate on individual machines.
Firewalls can be either stateless, filtering each packet against static rules, or stateful, tracking
active connections and making filtering decisions based on that context.

A properly configured firewall prevents common attacks like port scanning, unauthorized access,
or outbound data leaks. For instance, a rule can be set to block all traffic from a suspicious IP
address or to allow only HTTP/HTTPS traffic to a web server.

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) add another layer of
defense. While a firewall blocks traffic based on rules, an IDS monitors network traffic for patterns
of known threats or anomalies. It generates alerts when suspicious activity is detected. An IPS, by
contrast, can actively block or quarantine malicious traffic in real time. IDS/IPS systems use
techniques such as signature-based detection (matching known attack patterns) and anomaly-
based detection (detecting unusual behavior).

In this practical, students are introduced to tools such as pfSense, Snort, or Suricata to simulate
firewall and IDS/IPS behavior. The exercise may involve creating custom firewall rules to block
specific types of traffic and then testing the rules using tools like Nmap or Metasploit. Similarly,
students can simulate attacks like port scanning, brute-force login attempts, or malformed packet
injection and observe how the IDS/IPS reacts—logging or blocking the suspicious traffic.

Through testing, students learn the importance of correct configuration, tuning sensitivity levels,
and managing false positives. They also understand how to monitor logs and alerts for signs of
intrusion attempts.

Title: Firewall and IDS/IPS Testing

Objective:

To understand how firewalls and Intrusion Detection/Prevention Systems (IDS/IPS) work to block
unauthorized access and detect intrusions.

Theory:

A firewall filters incoming and outgoing network traffic based on a set of security rules. An IDS/IPS
monitors network traffic for suspicious behavior and takes action against possible attacks. These
systems together form a defensive barrier for network security.

Tools Used:

pfSense (as a firewall solution)

Snort or Suricata (for IDS/IPS)

VirtualBox or VMware for hosting virtual network environments

Procedure:

Set up a pfSense firewall in a virtual environment.

Configure basic firewall rules to allow only specific types of traffic.

Install and configure Snort for intrusion detection.

Simulate an attack (e.g., port scan using Nmap) from a secondary VM.

Monitor pfSense and Snort logs to check if the attack is detected and blocked.
Result:

The firewall successfully filtered traffic based on the predefined rules.

The IDS detected the simulated attack, demonstrating its ability to monitor and alert for
suspicious activities.
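The following Python is an added example (not from the manual, pfSense or Snort) that models the two layers of this practical on constructed data: a first-match, default-deny rule table like the "allow only HTTP/HTTPS to the web server" rule above, which writes iptables-style log lines, and a simple anomaly-based IDS rule that reads those lines and raises an alert when one source probes many distinct ports on one host within a short window, the pattern a port scan leaves in the logs. The rule set, addresses, log format and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed rule table: a web server at 10.0.0.10 and a DNS server at 10.0.0.53.
# First matching rule wins; anything unmatched is denied (default deny).
RULES = [
    {"action": "allow", "proto": "tcp", "dst": "10.0.0.10", "dport": 80},
    {"action": "allow", "proto": "tcp", "dst": "10.0.0.10", "dport": 443},
    {"action": "allow", "proto": "udp", "dst": "10.0.0.53", "dport": 53},
]


def evaluate(rules, packet):
    """Stateless filter: return the first matching rule's action, else 'deny'."""
    for rule in rules:
        if all(packet.get(k) == v for k, v in rule.items() if k != "action"):
            return rule["action"]
    return "deny"


def firewall_log(rules, packets):
    """One constructed iptables-style line per decision: ts, verdict, SRC, DST, PROTO, DPT."""
    return [f"{p['ts']} {evaluate(rules, p).upper()} SRC={p['src']} DST={p['dst']} "
            f"PROTO={p['proto'].upper()} DPT={p['dport']}" for p in packets]


LOG_RE = re.compile(r"^(?P<ts>\d+) DENY SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=\S+ DPT=(?P<dport>\d+)$")


def detect_port_scans(lines, threshold=5, window=10):
    """Anomaly-style IDS rule: alert when one source hits more than `threshold`
    distinct ports on one host within `window` seconds (denied packets only)."""
    probes = defaultdict(list)                      # (src, dst) -> [(ts, dport), ...]
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            probes[(m["src"], m["dst"])].append((int(m["ts"]), int(m["dport"])))
    alerts = []
    for (src, dst), events in probes.items():
        events.sort()
        for t0, _ in events:                        # slide the window over each start time
            ports = {dp for t, dp in events if t0 <= t <= t0 + window}
            if len(ports) > threshold:
                alerts.append({"src": src, "dst": dst, "distinct_ports": len(ports), "first_seen": t0})
                break
    return alerts


def sample_packets():
    """Constructed traffic: a normal client plus one host sweeping the web server's ports."""
    normal = [
        {"ts": 100, "src": "10.0.0.5", "dst": "10.0.0.10", "proto": "tcp", "dport": 80},
        {"ts": 101, "src": "10.0.0.5", "dst": "10.0.0.10", "proto": "tcp", "dport": 443},
        {"ts": 102, "src": "10.0.0.5", "dst": "10.0.0.53", "proto": "udp", "dport": 53},
        {"ts": 103, "src": "10.0.0.5", "dst": "10.0.0.10", "proto": "tcp", "dport": 22},  # single denied hit, no alert
    ]
    scan = [{"ts": 200 + i, "src": "10.0.0.99", "dst": "10.0.0.10", "proto": "tcp", "dport": port}
            for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 3389])]
    return normal + scan


if __name__ == "__main__":
    log = firewall_log(RULES, sample_packets())
    print("\n".join(log))
    print(detect_port_scans(log))
```

Tuning matters here exactly as the theory above says: a threshold of 5 ports in 10 seconds catches the sweep but would also fire on a busy monitoring host, so real IDS rules combine such counters with whitelists and with signature matches.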

Unit III: Cryptography


Encryption is a fundamental concept in cybersecurity, used to protect data from unauthorized
access by converting it into unreadable form. Only those with the correct cryptographic key can
decrypt the data and access its original form. This practical focuses on understanding and
implementing symmetric and asymmetric encryption techniques, both of which play a crucial role
in ensuring secure communication, data privacy, and integrity.

Symmetric encryption uses a single key for both encryption and decryption. This means that the
sender and the receiver must both possess the same secret key and keep it confidential. It is fast
and suitable for encrypting large volumes of data, such as files or disk drives. Common symmetric
algorithms include:

AES (Advanced Encryption Standard) – widely used for its strong security and efficiency.

DES (Data Encryption Standard) – older and now considered insecure due to its small key size.

Blowfish and ChaCha20 – alternatives used in lightweight or high-performance environments.

The main drawback of symmetric encryption is key distribution. If the key is intercepted during
exchange, the entire security of the communication is compromised.

Asymmetric encryption, also known as public-key cryptography, solves this problem by using a
pair of keys: a public key (used to encrypt data) and a private key (used to decrypt it). The public
key can be shared openly, while the private key is kept secret by the owner. Well-known
asymmetric algorithms include:

RSA (Rivest-Shamir-Adleman) – one of the earliest and most widely used public-key algorithms.

ECC (Elliptic Curve Cryptography) – offers similar security with smaller key sizes and faster
performance.

ElGamal – often used in digital signatures.


Asymmetric encryption is typically slower than symmetric encryption, but it enables secure key
exchange and is widely used in protocols like HTTPS, SSL/TLS, and email encryption (e.g., PGP).

Practical 5: Implementing Symmetric and Asymmetric Encryption

Title: Implementing Symmetric and Asymmetric Encryption

Objective:

To learn encryption methods by implementing both symmetric (AES) and asymmetric (RSA)
algorithms to secure communication.

Theory:

Symmetric encryption uses the same key for both encryption and decryption (e.g., AES), which is
fast but requires secure key exchange. Asymmetric encryption uses a public key for encryption
and a private key for decryption (e.g., RSA), which removes the need to share a secret key over an
insecure channel but is slower. Combining both can provide secure and efficient data protection.

Tools Used:

Python (for scripting encryption examples)

OpenSSL command-line tool

Procedure:

1) Symmetric Encryption (AES):

Encrypt a text file using OpenSSL:

openssl enc -aes-256-cbc -in sample.txt -out sample.txt.enc -k "password"

Decrypt the file:

openssl enc -d -aes-256-cbc -in sample.txt.enc -out sample_decrypted.txt -k "password"

2) Asymmetric Encryption (RSA):

Generate an RSA key pair:

openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -pubout -out public.pem

Encrypt a file using the public key:

openssl rsautl -encrypt -inkey public.pem -pubin -in sample.txt -out sample.txt.enc

Decrypt using the private key:

openssl rsautl -decrypt -inkey private.pem -in sample.txt.enc -out sample_decrypted.txt

Result:

The AES process successfully encrypted and decrypted the file using a shared password.

The RSA method secured the file using a public/private key mechanism, thereby demonstrating
both encryption approaches.

Practical 6: Hashing Techniques and Digital Signature Verification


Hashing and digital signatures are essential cryptographic tools used in cybersecurity to ensure
data integrity, authenticity, and non-repudiation. While encryption focuses on confidentiality,
hashing and digital signatures are primarily concerned with ensuring that data has not been
altered and verifying the identity of the sender.

A hash function takes input data of any size and produces a fixed-size output, usually displayed
as a hexadecimal string. This output is called a hash value or message digest. Hash functions are
one-way, meaning the original input cannot be reconstructed from the hash, and they are
deterministic, so the same input will always produce the same output. Additionally, even a small
change in input should produce a significantly different hash—a property called the avalanche
effect.

Common cryptographic hash algorithms include:

• MD5: Fast but no longer secure due to collision vulnerabilities.

• SHA-1: Also deprecated due to security weaknesses.

• SHA-256 and SHA-3: Current standards offering strong security and used in blockchain, file
integrity checks, and more.

Hashing is used in many areas, including verifying file downloads, storing passwords securely
(with added salts), and detecting data tampering.
Digital signatures build on hashing by using asymmetric encryption. When a sender wants to sign
a message, they first hash the data and then encrypt the hash with their private key. The result is
the digital signature, which is sent along with the original message. The recipient can then verify
the signature by:

1. Decrypting the signature with the sender’s public key to retrieve the hash.

2. Hashing the received message again.

3. Comparing both hashes—if they match, the signature is valid.

This process ensures data integrity (the message hasn’t been altered), authenticity (it came from
the claimed sender), and non-repudiation (the sender can’t deny sending it).

In this practical, students use tools like OpenSSL, GPG, or built-in Python libraries to:

• Generate hashes of text and files.

• Observe how changing a single character changes the hash.

• Create and verify digital signatures using a public/private key pair.

Title: Hashing Techniques and Digital Signature Verification

Objective: To study hashing algorithms for data integrity and utilize digital signatures to verify
authenticity.

Theory:

Hashing creates a fixed-size string (hash) that is, in practice, unique to its input. Even a minor
change in the data changes the hash. Digital signatures use cryptographic techniques (usually based
on RSA) to sign and verify digital documents, ensuring that data has not been tampered with.

Tools Used:

OpenSSL

HashCalc or Linux commands (sha256sum, md5sum)

Procedure:

1) Hash Generation:
Generate a SHA256 hash of a file:

sha256sum sample.txt > sample_hash.txt

2) Digital Signature:

Sign the file using your private key:

openssl dgst -sha256 -sign private.pem -out sample.sig sample.txt

Verify the signature using the public key:

openssl dgst -sha256 -verify public.pem -signature sample.sig sample.txt

Result:

The hash value remains consistent if the file is unaltered.

The digital signature verification confirmed the authenticity and integrity of the file.

Unit IV: Ethical Hacking


Penetration testing, or ethical hacking, is a proactive approach to identifying and addressing
security weaknesses before malicious attackers can exploit them. This practical focuses on the
initial stages of a penetration test: reconnaissance and scanning, which are critical for gathering
information about a target system or network.

Reconnaissance (or recon) is the first phase where ethical hackers collect as much information as
possible about a target. This step is crucial because it forms the foundation for later exploitation.
Reconnaissance is typically divided into two types:

• Passive Reconnaissance: Involves collecting data without interacting directly with the
target system. This may include using public sources such as WHOIS databases, DNS
records, websites, social media, and public IP information.

• Active Reconnaissance: Involves directly interacting with the target through methods like
ping sweeps or port scans, which may be detectable.

Tools used for reconnaissance include Google Dorking, Shodan, theHarvester, and Maltego. These
tools help identify IP ranges, domain names, email addresses, and more.
Once sufficient information is collected, the next phase is scanning. Scanning involves probing the
target to discover open ports, active services, operating systems, and potential vulnerabilities.
The goal is to map the target’s attack surface.

There are several types of scanning:

• Network Scanning: Identifies active devices and systems.

• Port Scanning: Determines which ports are open and which services are running.

• Vulnerability Scanning: Detects known security flaws in systems or applications.

Tools commonly used in this phase include:

• Nmap: A powerful tool for network discovery and security auditing.

• Nikto: A web server scanner that detects outdated software and security
misconfigurations.

• Netcat and Masscan: For high-speed port scanning and network analysis.

Practical 7: Penetration Testing – Reconnaissance and Scanning


Title: Penetration Testing – Reconnaissance and Scanning

Objective: To perform network reconnaissance and vulnerability scanning as part of penetration
testing.

Theory:

Penetration testing involves probing systems for weaknesses. Reconnaissance gathers
information (e.g., target IPs, open ports), and scanning uses tools to identify vulnerabilities that
attackers might exploit. This process helps organizations fix flaws before malicious actors can take
advantage.

Tools Used:

Nmap

Kali Linux

Wireshark (for traffic observation)


Procedure:

1) Use Nmap to scan the target network:

nmap -sS -O -sV <target_ip>

2) Record open ports, service versions, and operating system details.

3) Use Wireshark simultaneously to capture any unusual traffic during the scan.

4) Document the vulnerabilities uncovered during scanning.

Result:

Detailed network scan results showing active ports, services, and potential vulnerabilities.

Information collected during reconnaissance can be used to plan remediation.
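Step 2 asks students to record open ports, service versions and operating system details for the report. The Python below is an added example (not part of the manual, and not an Nmap component) that parses text in the shape of Nmap's grepable output (nmap -oG) into rows for that report and annotates services a defender would flag because they carry credentials or content in cleartext. The sample lines, host addresses, version strings and annotation table are constructed for this example.

```python
# Constructed lines approximating nmap's grepable (-oG) format; not a real scan.
SAMPLE_OG = """\
# Nmap scan initiated (constructed sample for this lab)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh//OpenSSH 9.6//, 80/open/tcp//http//Apache httpd 2.4.58//, 3306/filtered/tcp//mysql///\tIgnored State: closed (996)
Host: 192.0.2.11 ()\tPorts: 23/open/tcp//telnet//Linux telnetd//, 443/open/tcp//https//nginx 1.26//\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# Defender's annotations for services that should not be exposed in this form.
CLEARTEXT_SERVICES = {
    "ftp": "credentials sent in cleartext; prefer SFTP or FTPS",
    "telnet": "cleartext remote shell; replace with SSH",
    "http": "unencrypted web traffic; redirect to HTTPS",
}


def parse_grepable(text):
    """Each -oG port entry has 7 slash-separated fields:
    port/state/protocol/owner/service/rpc info/version/ (owner and rpc info are usually empty)."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts: " not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                continue
            findings.append({"host": host, "port": int(parts[0]), "state": parts[1],
                             "proto": parts[2], "service": parts[4], "version": parts[6]})
    return findings


def report_rows(findings):
    """Open ports only, as (host, port/proto, service, version, defender note) for the report."""
    rows = []
    for f in findings:
        if f["state"] != "open":
            continue
        rows.append((f["host"], f"{f['port']}/{f['proto']}", f["service"],
                     f["version"] or "unknown", CLEARTEXT_SERVICES.get(f["service"], "")))
    return rows


def open_ports_by_host(findings):
    summary = {}
    for f in findings:
        if f["state"] == "open":
            summary.setdefault(f["host"], []).append(f["port"])
    return summary


if __name__ == "__main__":
    for row in report_rows(parse_grepable(SAMPLE_OG)):
        print(" | ".join(row))
```

For a real run, `nmap -oG scan.gnmap <target_ip>` writes this format and the file can be fed to parse_grepable() unchanged; filtered ports are kept in the findings but left out of the report rows because nothing could be confirmed about them.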

Practical 8: Exploitation and Reporting using Metasploit Framework


The exploitation phase of penetration testing involves actively targeting and exploiting identified
vulnerabilities to gain unauthorized access to systems, data, or applications. In this practical,
students use the Metasploit Framework, one of the most powerful and widely used open-source
tools for penetration testing and exploitation.

Metasploit provides a comprehensive platform for developing, testing, and executing exploit code
against a remote target machine. It offers a wide array of pre-built exploits, payloads, and auxiliary
modules that allow security professionals and ethical hackers to simulate real-world attacks. The
goal of this phase is not to harm the system but to understand how vulnerabilities can be abused
and how organizations can defend against them.

An exploit is a piece of code or a method used to take advantage of a security flaw. A payload is
the code that runs on the target once the exploit is successful—often giving the attacker control
of the system. Examples of payloads include command shells, reverse shells, or Meterpreter
sessions (Metasploit's advanced payload offering post-exploitation tools).

A basic exploitation workflow in Metasploit includes:

1. Selecting an exploit (e.g., a known vulnerability in Windows or a web application).

2. Configuring the payload (e.g., reverse TCP shell).

3. Setting target parameters (IP address, port).

4. Launching the exploit and gaining access.

5. Post-exploitation activities, such as privilege escalation, system enumeration, or data
extraction.

In a controlled lab setup, students perform ethical exploitation of a vulnerable system (e.g.,
Metasploitable or DVWA). They use Metasploit to scan, select an exploit, configure a payload,
and execute the attack. Once access is gained, they may explore directories, take screenshots, or
dump password hashes—always within legal and educational boundaries.

Title: Exploitation and Reporting using Metasploit Framework

Objective: To exploit a known vulnerability on a test system and generate a concise report
detailing the steps and findings.

Theory:

The exploitation phase involves taking advantage of discovered vulnerabilities. Metasploit
simplifies this by providing ready-made exploits and payloads. Post-exploitation, reporting is
critical to document the methods, vulnerabilities, and remediation recommendations.

Tools Used:

Kali Linux

Metasploit Framework

A vulnerable test machine (e.g., Metasploitable2)

Procedure:

1) Launch msfconsole on Kali Linux.

2) Use Metasploit modules (e.g., exploit/unix/ftp/vsftpd_234_backdoor) to target vulnerabilities.

3) Set required options (target IP, payload) and execute the exploit.

4) If successful, document the process, including screenshots, commands used, and the shell or
access gained.

5) Write a short report describing the vulnerability exploited and remediation strategies.

Result:
Successful exploitation of a known vulnerability.

A detailed report generated which includes information needed for remediation.

Unit V: Cyber Laws and Incident Response


Cybercrime investigation and digital forensics are essential fields within cybersecurity, aimed at
detecting, preserving, analyzing, and presenting digital evidence in the event of a cyber incident
or crime. This practical introduces students to the foundational concepts, tools, and procedures
involved in investigating cybercrimes and conducting forensic analysis on digital systems.

A cybercrime can include activities such as hacking, data theft, identity fraud, cyberbullying,
ransomware attacks, and unauthorized access to systems. When such an incident occurs,
investigators must follow strict procedures to ensure the integrity and admissibility of digital
evidence.

Digital forensics is the science of identifying, acquiring, examining, and reporting on digital data
in a legally acceptable manner. The process typically follows a structured methodology:

1. Identification – Recognizing potential sources of digital evidence, such as hard drives,
email accounts, log files, or mobile devices.

2. Preservation – Ensuring that data is not modified or destroyed. This involves creating
forensic images (bit-by-bit copies) of drives or devices.

3. Analysis – Extracting and examining relevant information using forensic tools. This
includes recovering deleted files, analyzing timestamps, or identifying unauthorized
access.

4. Documentation and Reporting – Recording all findings, procedures, and tools used.
Reports must be clear, accurate, and able to stand up in court.

Practical 9: Cybercrime Investigation and Digital Forensics


Incident response is the structured approach an organization follows to detect, contain, and
recover from cybersecurity incidents. These incidents may include malware outbreaks, data
breaches, denial-of-service attacks, or insider threats. This practical focuses on simulating a
security incident and applying industry best practices for effective response and recovery.

An incident response plan (IRP) outlines how a team identifies and mitigates security threats to
minimize damage and ensure business continuity. The goal is not only to resolve the incident but
also to learn from it and improve future preparedness.

The incident response lifecycle typically consists of six key phases:

1. Preparation – Establishing policies, procedures, communication plans, and tools before an
incident occurs. This includes setting up a trained incident response team and ensuring
systems are patched and monitored.

2. Identification – Detecting and confirming whether an event is a security incident. This is
done by analyzing logs, alerts, and user reports.

3. Containment – Taking immediate steps to isolate the affected systems and prevent further
spread. Containment strategies may be short-term (e.g., disconnecting a compromised
device) or long-term (e.g., network segmentation).

4. Eradication – Removing the root cause of the incident, such as deleting malware or
disabling unauthorized accounts.

5. Recovery – Restoring normal operations, which may involve restoring systems from clean
backups, testing them for stability, and monitoring for re-infection.

6. Lessons Learned – Conducting a post-incident review to identify what worked, what
didn’t, and how to strengthen defenses moving forward.

Title: Cybercrime Investigation and Digital Forensics

Objective: To practice digital forensic techniques for investigating cybercrimes by recovering
deleted files and analyzing system artifacts.

Theory:

Digital forensics involves the recovery, investigation, and analysis of material found in digital
devices. It plays a crucial role in cybercrime investigations by preserving evidence in a legally
admissible format. Investigators use tools to recover deleted files and assess system logs and
browser histories.

Tools Used:

Autopsy or FTK Imager

dd (for disk imaging)

Linux forensic tools

Procedure:

1) Create a disk image of a compromised system:

dd if=/dev/sda of=/mnt/forensic_image.dd bs=4M

2) Load the image into Autopsy for analysis.

3) Recover deleted files and analyze web browsing history, USB logs, and system event logs.

4) Document your findings in a forensic report.
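Step 1 of the procedure, as an added example that is not part of the manual: the dd-style block copy written in Python so that SHA-256 hashes of the source and of the finished image are recorded with the acquisition, which is what lets the forensic report show the image is bit-identical to the original. The "device" here is a constructed temporary file; the block size, file layout and record fields are assumptions.

```python
"""Added example, not from the lab manual: a dd-style block copy with SHA-256
hashes of source and image recorded so the copy can be shown bit-identical.
The 'device' is a constructed file; in a real acquisition it would be a block
device such as /dev/sda behind a write blocker."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4 * 1024 * 1024  # same block size as dd bs=4M in the manual

def image_device(device, image_path, block_size=BLOCK_SIZE):
    """Copy `device` to `image_path` block by block, hashing the source as it is
    read and the finished image as re-read from disk. Returns a custody record."""
    src_hash, copied = hashlib.sha256(), 0
    with open(device, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(block_size), b""):
            src_hash.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
    img_hash = hashlib.sha256()
    with open(image_path, "rb") as img:  # re-read: verifies what actually hit the disk
        for chunk in iter(lambda: img.read(block_size), b""):
            img_hash.update(chunk)
    return {
        "source": device,
        "image": image_path,
        "bytes_copied": copied,
        "sha256_source": src_hash.hexdigest(),
        "sha256_image": img_hash.hexdigest(),
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "verified": src_hash.hexdigest() == img_hash.hexdigest(),
    }

def demo(size_bytes=10 * 1024 * 1024):
    """Constructed sample: a pseudo-device of `size_bytes` filled with a known
    byte pattern (0x00..0xFF repeating), so the last block may be partial."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "fake_sda")
    with open(device, "wb") as f:
        f.write((bytes(range(256)) * (size_bytes // 256 + 1))[:size_bytes])
    return image_device(device, os.path.join(workdir, "forensic_image.dd"))
```

The returned record is the entry to attach to the chain-of-custody log before the image is loaded into Autopsy; the same hash is recomputed whenever the image changes hands.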

Result:

Successfully recovered deleted files and uncovered evidence of user activity.

The forensic report provided a clear timeline of events and evidence that could be used in further
investigation.

Practical 10: Incident Response Simulation and Best Practices


Title: Incident Response Simulation and Best Practices

Objective: To simulate a cyber incident (e.g., ransomware attack) and develop an incident
response plan that aligns with current cyber laws and best practices.

Theory:

An effective incident response plan includes preparation, detection, containment, eradication,
and recovery. Cyber laws (such as the IT Act, GDPR, and HIPAA) govern how organizations should
handle data breaches and cyber incidents. This practical prepares you for real-world response
scenarios by simulating an incident and developing a corresponding action plan.

Tools Used:

Incident response frameworks and checklists

Documentation tools (Word processor for report generation)


Virtual lab environment to simulate attacks

Procedure:

1) Create a simulated scenario (e.g., a ransomware attack on a corporate system).

2) Outline the incident response phases:

Preparation: Update policies, run security training.

Detection: Monitor systems using SIEM tools.

Containment: Isolate affected systems.

Eradication: Remove malware using antivirus/malware removal tools.

Recovery: Restore systems from clean backups.

3) Generate a detailed incident response plan.

4) Map relevant cyber laws and discuss compliance (e.g., GDPR reporting requirements, IT Act
guidelines).

5) Present your findings and recommended best practices in a formal report.
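The Identification and Containment phases for the ransomware scenario above, as an added example that is not from the manual (it serves both the lifecycle description in the theory and step 2 of the procedure): simple SIEM-style detection logic run over constructed file-audit log lines, flagging a host that renames many files to a ransom-style extension inside one minute. The log format, extension list, threshold and window are assumptions chosen for the demo.

```python
"""Added example, not from the lab manual: the Identification step of the
incident lifecycle for the Practical 10 ransomware scenario. A host that renames
many files to a ransom-style extension inside a short window is flagged. Log
format, extension list, threshold and window are assumptions for this demo."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style file-audit events (not captured from a real system).
SAMPLE_LOG = """\
2025-03-01T09:00:01Z host=ws-12 user=alice event=RENAME src=report.docx dst=report.docx.locked
2025-03-01T09:00:02Z host=ws-12 user=alice event=RENAME src=q1.xlsx dst=q1.xlsx.locked
2025-03-01T09:00:02Z host=ws-12 user=alice event=RENAME src=notes.txt dst=notes.txt.locked
2025-03-01T09:00:03Z host=ws-12 user=alice event=WRITE dst=README_TO_DECRYPT.txt
2025-03-01T09:00:03Z host=ws-12 user=alice event=RENAME src=plan.pptx dst=plan.pptx.locked
2025-03-01T09:05:00Z host=ws-07 user=bob event=RENAME src=draft.docx dst=final.docx
2025-03-01T09:06:10Z host=ws-07 user=bob event=WRITE dst=final.docx
"""
LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=\S+ event=(?P<event>\S+)(?P<rest>.*)$")
RANSOM_EXT = re.compile(r"\.(locked|encrypted|crypt)$")  # assumed list; real families vary

def find_mass_encryption(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return {host: max renames} for hosts with >= threshold ransom-style
    renames inside any span of length `window` (sliding window over timestamps)."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["event"] != "RENAME":
            continue  # ordinary writes and unparsable lines are ignored
        dst = re.search(r"dst=(\S+)", m["rest"])
        if dst and RANSOM_EXT.search(dst.group(1)):
            per_host[m["host"]].append(
                datetime.fromisoformat(m["ts"].replace("Z", "+00:00")))
    flagged = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = max(flagged.get(host, 0), end - start + 1)
    return flagged

def containment_actions(flagged):
    """Containment step: one short-term isolation action per flagged host."""
    return [f"isolate {host} from the network ({n} encrypted files seen)"
            for host, n in sorted(flagged.items())]
```

A normal user renaming one file (ws-07) is not flagged, which is the kind of false-positive check the Lessons Learned phase should revisit when tuning the threshold.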

Result:

A comprehensive incident response plan was developed and tested via simulation.

The exercise highlighted the importance of timely action and legal compliance in handling cyber
incidents.

VIVA QUESTIONS AND ANSWERS

General Cybersecurity

1). What is cybersecurity?

Cybersecurity refers to the practice of protecting systems, networks, and data from digital attacks.
These attacks often aim to access, modify, or destroy sensitive information or disrupt services.
Cybersecurity involves tools, technologies, and practices such as firewalls, encryption, and
intrusion detection systems.

2). What is the CIA triad?

The CIA Triad stands for Confidentiality, Integrity, and Availability. It represents the three primary
principles of information security. Confidentiality ensures data privacy, integrity ensures data
accuracy, and availability ensures that information is accessible to authorized users when needed.

3). How does a firewall enhance security?

A firewall monitors and filters incoming and outgoing traffic based on security rules. It creates a
barrier between trusted internal networks and untrusted external sources, helping to block
malicious traffic and unauthorized access attempts.

4). What are malware and its types?

Malware is any malicious software designed to harm, exploit, or disable computers. Types include
viruses, worms, Trojans, ransomware, spyware, and adware. Each type has a unique behavior, but
all can compromise system security.

5). Define phishing and how it works.

Phishing is a social engineering attack where attackers trick users into revealing sensitive
information like passwords or credit card numbers, often through fake emails or websites. Victims
are usually lured by urgent messages or offers.

Encryption & Cryptography


6). What is encryption?

Encryption converts data into unreadable code to prevent unauthorized access. Only someone
with the correct key can decrypt it. It protects data confidentiality in transit and at rest.

7). Difference between symmetric and asymmetric encryption?

Symmetric encryption uses one key for both encryption and decryption, while asymmetric
encryption uses a public-private key pair. Symmetric is faster but needs a secure way to share
the key; asymmetric solves that key-exchange problem and so provides secure communication.

8). What is AES encryption?

AES (Advanced Encryption Standard) is a symmetric key encryption algorithm used worldwide for
secure data transmission. It supports key sizes of 128, 192, and 256 bits and is known for its speed
and security.

9). What is RSA algorithm used for?

RSA is an asymmetric encryption algorithm used for secure data exchange, digital signatures, and
encryption. It relies on the mathematical difficulty of factoring the product of two large prime numbers.

10). What is a digital signature?

A digital signature is a cryptographic technique that verifies the authenticity and integrity of
digital messages or documents. It uses the sender's private key and is validated with their public
key.

Network Security

11). What is network scanning?

Network scanning identifies active devices, open ports, and running services in a network. Tools
like Nmap help find vulnerabilities, aiding both attackers (in reconnaissance) and defenders (in
securing networks).

12). What is port scanning?

Port scanning involves probing ports on a host to identify open or closed ones. It helps determine
which services are running and if there are any exploitable weaknesses.

13). How does Wireshark work?

Wireshark is a packet-sniffing tool used to capture and analyze network traffic in real time. It helps
in protocol analysis, troubleshooting, and detecting anomalies or intrusions.

14). What are packets in networking?

Packets are small units of data transmitted over a network. Each packet contains control
information and the data payload. They’re essential for reliable data transmission.

15). Why is packet analysis important?


Packet analysis reveals network activity, helps detect suspicious behavior, and is crucial in
identifying data breaches, malware activity, and protocol misuse.

Attack & Defense


16). What is penetration testing?

Penetration testing is an authorized attempt to exploit system vulnerabilities. It simulates a real
attack to assess the security posture and helps identify weaknesses before attackers do.

17). What is reconnaissance in ethical hacking?

Reconnaissance is the first stage of ethical hacking where information about a target system is
collected. It includes passive and active methods like DNS queries or network scans.

18). Explain vulnerability scanning.

It’s an automated process to identify known vulnerabilities in systems or applications. Tools like
Nessus or OpenVAS are used for regular security assessments.

19). What is Metasploit used for?

Metasploit is a penetration testing framework that helps in developing and executing exploits. It
allows testers to simulate attacks and evaluate system vulnerabilities.

20). What is payload in exploitation?

A payload is the part of an exploit that performs the intended malicious action after the system
is compromised, such as opening a backdoor or executing commands.

Forensics & Cybercrime


21). What is digital forensics?

Digital forensics involves the identification, preservation, analysis, and presentation of electronic
evidence. It is used in cybercrime investigations and legal proceedings.

22). What is the chain of custody?

Chain of custody refers to the documentation of evidence handling from collection to
presentation in court. It ensures evidence is authentic and untampered.

23). What is FTK Imager?

FTK Imager is a digital forensic tool used to create exact copies (images) of hard drives or storage
devices, allowing investigators to analyze data without altering the original.

24). What is a disk image?


A disk image is a bit-by-bit copy of a storage device. It’s used in forensics to analyze data without
touching the original device, preserving evidence integrity.

25). What is Autopsy used for?

Autopsy is an open-source forensic platform used to investigate hard drives and recover deleted
files, emails, browser history, and other digital evidence.

Incident Response & Management

26). What is incident response?

Incident response is a structured process for managing and mitigating cyberattacks. It includes
preparation, detection, containment, eradication, recovery, and post-incident review.

27). What is a SIEM tool?

SIEM (Security Information and Event Management) tools collect and analyze log data from
multiple sources in real-time to detect security incidents.

28). Define containment in incident response.

Containment involves isolating affected systems or networks to prevent further damage or spread
of the attack. It can be temporary or permanent depending on the situation.

29). Why is post-incident analysis important?

Post-incident analysis helps in understanding how the attack occurred, what went wrong, and
how to improve defenses to prevent future incidents.

30). What are security playbooks?

Playbooks are predefined procedures for responding to specific types of cyber incidents. They
help teams respond quickly and consistently during high-pressure situations.

Policy, Ethics & Best Practices


31). What is a security policy?

A security policy is a formal document that outlines how an organization protects its assets and
data. It includes rules for acceptable use, access control, and incident handling.

32). What is social engineering?

Social engineering manipulates individuals into divulging confidential information or performing
unsafe actions, often bypassing technical security measures entirely.

33). What is multi-factor authentication (MFA)?


MFA requires users to provide multiple verification factors—like a password, OTP, or fingerprint—
to enhance login security beyond just a password.

34). What is data integrity?

Data integrity means data remains accurate and unaltered during storage, transmission, or
processing. It is critical for trustworthy systems and transactions.

35). What is access control?

Access control ensures that only authorized individuals can view or use certain resources. It
includes mechanisms like role-based access, authentication, and authorization.

Current Trends & Real-World Awareness


36). What is ransomware?

Ransomware is a type of malware that encrypts a victim’s data and demands payment (usually in
cryptocurrency) to restore access. It is one of the most damaging forms of attack today.

37). What is zero-day vulnerability?

A zero-day is an unknown security flaw with no patch available, making it highly dangerous.
Attackers exploit it before developers can fix it.

38). What is phishing-as-a-service (PhaaS)?

PhaaS is a dark web business model where attackers rent phishing kits or platforms to carry out
phishing attacks without deep technical knowledge.

39). What is endpoint security?

Endpoint security refers to securing end-user devices like laptops, smartphones, and desktops,
which are often entry points for cyberattacks.

40). Why is cybersecurity awareness important?

Most cyberattacks exploit human error. Cybersecurity awareness educates users on identifying
threats, practicing safe behaviors, and reducing risks, making it a key defense layer.
