CF Unit - I

The document provides an overview of cybercrime, detailing its types, including DDoS attacks, identity theft, and phishing, as well as the role of computer forensics in investigating such crimes. It outlines the process of digital forensics, including identification, preservation, analysis, documentation, and presentation of evidence, while also discussing challenges faced in the field. Additionally, it describes the incident response methodology, emphasizing the importance of initial response activities in managing computer security incidents.

Uploaded by kothwalivipunsai

UNIT - I

Introduction of Cybercrime: Types, The Internet spawns crime, Worms versus viruses,
Computers' roles in crimes, Introduction to digital forensics, Introduction to Incident -
Incident Response Methodology –Steps - Activities in Initial Response, Phase after
detection of an incident.

Computer Forensics:

Computer forensics is the application of investigation and analysis techniques to gather and
preserve evidence from a particular computing device in a way that is suitable for presentation in
a court of law.

The goal of computer forensics is to perform a structured investigation while maintaining a
documented chain of evidence to find out exactly what happened on a computing device and
who was responsible for it.

Cyber Crime:

Cybercrime is a crime that involves a computer and a network. The computer may have been
used in the commission of a crime, or it may be the target.

Cybercrimes can be defined as:

Cybercrime is defined as a crime where a computer is the object of the crime or is used as a tool
to commit an offense. A cybercriminal may use a device to access a user’s personal information,
confidential business information, government information, or disable a device. It is also
a cybercrime to sell or elicit the above information online.

(or)

"Offences that are committed against individuals or groups of individuals with a criminal motive
to intentionally harm the reputation of the victim or cause physical or mental harm, or loss, to the
victim directly or indirectly, using modern telecommunication networks such as Internet
(networks including chat rooms, emails, notice boards and groups) and mobile phones
(Bluetooth/SMS/MMS)".

Cybercrime may threaten a person or a nation's security and financial health. Issues surrounding
these types of crimes have become high-profile, particularly those regarding hacking, copyright
infringement, unwarranted mass-surveillance, sextortion, pornography, and child grooming.

Types of Cyber Crime:

The following are the different types of cyber crimes:

1. DDoS Attacks
2. Botnets
3. Identity Theft
4. Cyber stalking
5. Social Engineering
6. PUPs
7. Phishing
8. Prohibited/Illegal Content
9. Online Scams
10. Exploit Kits

1. DDoS Attacks:
These are used to make an online service unavailable and take the network down
by overwhelming the site with traffic from a variety of sources. Large networks of
infected devices known as botnets are created by depositing malware on users'
computers. The hacker then hacks into the system once the network is down.

2. Botnets:
Botnets are networks of compromised computers that are controlled externally
by remote hackers. The remote hackers then send spam or attack other computers through
these botnets. Botnets can also be used to act as malware and perform malicious tasks.

3. Identity Theft:
This cybercrime occurs when a criminal gains access to a user's personal
information to steal funds, access confidential information, or participate in tax or health
insurance fraud. They can also open a phone/internet account in your name, use your
name to plan a criminal activity and claim government benefits in your name. They may
do this by finding out users' passwords through hacking, retrieving personal information
from social media, or sending phishing emails.

4. Cyber stalking:
This kind of cybercrime involves online harassment where the user is subjected to
a plethora of online messages and emails. Typically cyber stalkers use social media,
websites and search engines to intimidate a user and instill fear. Usually, the cyber stalker
knows their victim and makes the person feel afraid or concerned for their safety.

5. Social Engineering:
Social engineering involves criminals making direct contact with you usually by
phone or email. They want to gain your confidence and usually pose as a customer
service agent so you’ll give the necessary information needed. This is typically a
password, the company you work for, or bank information. Cybercriminals will find out
what they can about you on the internet and then attempt to add you as a friend on social
accounts. Once they gain access to an account, they can sell your information or secure
accounts in your name.

6. PUPs:
PUPs, or Potentially Unwanted Programs, are less threatening than other
cybercrimes, but are a type of malware. They uninstall necessary software in your system
including search engines and pre-downloaded apps. They can include spyware or adware,
so it's a good idea to install antivirus software to avoid the malicious download.

7. Phishing:
This type of attack involves hackers sending malicious email attachments or
URLs to users to gain access to their accounts or computer. Cybercriminals are becoming
more established and many of these emails are not flagged as spam. Users are tricked by
emails claiming they need to change their password or update their billing information,
giving criminals access.

8. Prohibited/Illegal Content:
This cybercrime involves criminals sharing and distributing inappropriate content
that can be considered highly distressing and offensive. Offensive content can include,
but is not limited to, sexual activity between adults, videos with intense violence and
videos of criminal activity. Illegal content includes materials advocating terrorism-related
acts and child exploitation material. This type of content exists both on the everyday
internet and on the dark web, an anonymous network.

9. Online Scams:
These are usually in the form of ads or spam emails that include promises of
rewards or offers of unrealistic amounts of money. Online scams include enticing offers
that are “too good to be true” and when clicked on can cause malware to interfere and
compromise information.

10. Exploit Kits:
Exploit kits need a vulnerability (a bug in the code of a piece of software) in order to gain
control of a user's computer. They are readymade tools criminals can buy online and use
against anyone with a computer. The exploit kits are upgraded regularly, similar to normal
software, and are available on dark web hacking forums.

WORMS Vs VIRUSES:

VIRUS:
Viruses require an active host program or an already-infected and active operating
system in order to run, cause damage and infect other executable files or
documents.
Viruses are typically attached to an executable file or a Word document. They
often spread via P2P file sharing, infected websites, and email attachment downloads.
Once a virus finds its way onto your system, it will remain dormant until the infected host
file or program is activated, which in turn makes the virus active, enabling it to run and
replicate on your system.
Viruses can be divided according to the method that they use to infect a computer:

1. File viruses
2. Boot sector viruses
3. Macro viruses
4. Script viruses

WORMS:
Worms are stand-alone malicious programs that can self-replicate and propagate
via computer networks, without human help.
Worms don't need a host program in order for them to run, self-replicate and
propagate. Once a worm has made its way onto your system, usually via a network
connection or as a downloaded file, it can then make multiple copies of itself and spread
via the network or internet connection, infecting any inadequately protected computers
and servers on the network. Because each subsequent copy of a network worm can also
self-replicate, infections can spread very rapidly via the internet and computer networks.

Most known computer worms are spread in one of the following ways:

1. Files sent as email attachments
2. Via a link to a web or FTP resource
3. Via a link sent in an ICQ or IRC message
4. Via P2P (peer-to-peer) file sharing networks
5. Some worms are spread as network packets. These directly penetrate the
computer memory, and the worm code is then activated.

Computer worms can exploit network configuration errors (for example, to copy
themselves onto a fully accessible disk) or exploit loopholes in operating system and
application security. Many worms will use more than one method in order to spread
copies via networks.

DIGITAL FORENSICS:

Digital Forensics is defined as the process of preservation, identification, extraction, and
documentation of computer evidence which can be used by the court of law.

It is a science of finding evidence from digital media like a computer, mobile phone, server, or
network.

It provides the forensic team with the best techniques and tools to solve complicated
digital-related cases.

OBJECTIVES OF COMPUTER FORENSICS:

Here are the essential objectives of using computer forensics:

• It helps to recover, analyze, and preserve computer and related materials in such a
manner that it helps the investigation agency to present them as evidence in a court of
law.

• It helps to postulate the motive behind the crime and the identity of the main culprit.

• Designing procedures at a suspected crime scene which help you to ensure that the
digital evidence obtained is not corrupted.

• Data acquisition and duplication: recovering deleted files and deleted partitions from
digital media to extract the evidence and validate it.

• Helps you to identify the evidence quickly, and also allows you to estimate the potential
impact of the malicious activity on the victim.

• Producing a computer forensic report which offers a complete account of the investigation
process.

• Preserving the evidence by following the chain of custody.


PROCESS OF DIGITAL FORENSICS

Digital forensics entails the following steps:

• Identification
• Preservation
• Analysis
• Documentation
• Presentation

Identification
It is the first step in the forensic process. The identification process mainly includes things like
what evidence is present, where it is stored, and lastly, how it is stored (in which format).
Electronic storage media can be personal computers, Mobile phones, PDAs, etc.

Preservation
In this phase, data is isolated, secured, and preserved. It includes preventing people from using
the digital device so that digital evidence is not tampered with.

Analysis
In this step, investigation agents reconstruct fragments of data and draw conclusions based on
evidence found. However, it might take numerous iterations of examination to support a specific
crime theory.

Documentation
In this process, a record of all the visible data must be created. It helps in recreating the crime
scene and reviewing it. It involves proper documentation of the crime scene along with
photographing, sketching, and crime-scene mapping.

Presentation
In this last step, the process of summarization and explanation of conclusions is done.
However, it should be written in a layperson's terms using abstracted terminologies. All
abstracted terminologies should reference the specific details.
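The preservation and documentation steps described above rest on two concrete controls: a cryptographic hash of the acquired image, taken at acquisition and re-checked before any analysis, and a written chain of custody recording every handling event. The following Python is an added example, not code from the original notes; the `EvidenceRecord` layout, the item id, the handler names and the sample image bytes are all constructed for illustration.

```python
"""Preserving digital evidence: hash the acquired image, re-verify it later,
and keep a chain-of-custody record.  Added example; not part of the notes."""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the data; this is the acquisition hash."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    """One handling event: who did what to the item, when, and the hash seen."""
    timestamp: str
    action: str
    handler: str
    sha256: str


@dataclass
class EvidenceRecord:
    """One evidence item plus its chain of custody (hypothetical record layout)."""
    item_id: str
    description: str
    acquisition_hash: str
    custody: List[CustodyEntry] = field(default_factory=list)

    def log(self, action: str, handler: str, observed_hash: str,
            when: Optional[datetime] = None) -> None:
        when = when or datetime.now(timezone.utc)
        self.custody.append(CustodyEntry(when.isoformat(), action, handler, observed_hash))

    def to_json(self) -> str:
        """Serialise the record for inclusion in the forensic report."""
        return json.dumps(asdict(self), indent=2)


def acquire(item_id: str, description: str, handler: str,
            source: bytes) -> Tuple[bytes, EvidenceRecord]:
    """Take a bit-for-bit copy of the source media and record its hash.

    The original is only read, never written; all later work uses the copy.
    """
    image = bytes(source)
    digest = sha256_hex(image)
    record = EvidenceRecord(item_id, description, digest)
    record.log("acquired", handler, digest)
    return image, record


def verify(image: bytes, record: EvidenceRecord, handler: str) -> bool:
    """Re-hash the working image and log the outcome.

    A single flipped bit changes the digest, so a mismatch means the copy can
    no longer be presented as identical to what was acquired.
    """
    digest = sha256_hex(image)
    intact = digest == record.acquisition_hash
    record.log("verified" if intact else "INTEGRITY FAILURE", handler, digest)
    return intact


if __name__ == "__main__":
    # Constructed stand-in for the bytes read from a seized device.
    device_bytes = b"constructed disk image contents " * 4
    image, record = acquire("E-001", "USB stick image (constructed)", "A. Analyst", device_bytes)
    print("intact after acquisition:", verify(image, record, "A. Analyst"))
    damaged = bytearray(image)
    damaged[5] ^= 0x01              # simulate one corrupted bit in the working copy
    print("intact after corruption:", verify(bytes(damaged), record, "B. Examiner"))
    print(record.to_json())
```

Every verification, successful or not, is appended to the custody list rather than overwriting it, so the record shows when the copy was last known to be good and who observed the mismatch.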

TYPES OF DIGITAL FORENSICS:

Disk Forensics:
It deals with extracting data from storage media by searching active, modified, or deleted files.

Network Forensics:
It is a sub-branch of digital forensics. It is related to monitoring and analysis of computer
network traffic to collect important information and legal evidence.

Wireless Forensics:
It is a division of network forensics. The main aim of wireless forensics is to offer the tools
needed to collect and analyze the data from wireless network traffic.

Database Forensics:
It is a branch of digital forensics relating to the study and examination of databases and their
related metadata.

Malware Forensics:
This branch deals with the identification of malicious code and the study of its payload:
viruses, worms, etc.

Email Forensics
Deals with recovery and analysis of emails, including deleted emails, calendars, and contacts.

Memory Forensics:
It deals with collecting data from system memory (system registers, cache, RAM) in raw form
and then carving the data from the raw dump.
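Carving a raw dump means scanning bytes that have no file-system structure for recognisable artifacts. The Python below is an added example, not code from the original notes: it carves printable ASCII and UTF-16LE strings (with their offsets, which an examiner records) and then extracts URLs, e-mail addresses and IPv4 addresses from a constructed stand-in for a memory image. All embedded values are invented.

```python
"""Carving artifacts from a raw memory dump: printable ASCII and UTF-16LE
strings with offsets, then URLs / e-mail addresses / IPv4 addresses.
Added example; not part of the original notes."""
import re
from typing import Dict, List, Tuple

# Constructed stand-in for a raw RAM dump: non-printable filler with a few
# artifacts embedded, including one Windows-style UTF-16LE path.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n"
    + b"\xff\xfe\x00\x00" * 8
    + b"user=analyst@example.org"
    + b"\x00" * 16
    + "C:\\Users\\jdoe\\Documents\\notes.txt".encode("utf-16-le")
    + b"\x00\x00"
    + b"https://evidence.example/login?id=42"
    + b"\x07\x08" * 4
    + b"src=10.0.0.17 dst=203.0.113.5"
    + b"\x00" * 32
)

UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")   # like `strings -el`
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def carve_ascii_strings(dump: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """(offset, text) for every run of at least min_len printable ASCII bytes,
    the same idea as `strings -n <min_len>`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(dump)]


def carve_utf16le_strings(dump: bytes) -> List[Tuple[int, str]]:
    """(offset, text) for UTF-16LE runs, common in memory of Windows processes."""
    return [(m.start(), m.group().decode("utf-16-le")) for m in UTF16LE_RUN.finditer(dump)]


def _valid_ipv4(text: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in text.split("."))


def _dedupe(items: List[str]) -> List[str]:
    seen: Dict[str, None] = {}
    for item in items:
        seen.setdefault(item, None)
    return list(seen)


def carve_artifacts(dump: bytes) -> Dict[str, List[str]]:
    """Network-related indicators found anywhere in the dump, in order of
    first appearance and without duplicates."""
    urls = [m.decode("ascii") for m in URL_RE.findall(dump)]
    emails = [m.decode("ascii") for m in EMAIL_RE.findall(dump)]
    ips = [m.decode("ascii") for m in IPV4_RE.findall(dump)]
    return {
        "urls": _dedupe(urls),
        "emails": _dedupe(emails),
        "ipv4": _dedupe([ip for ip in ips if _valid_ipv4(ip)]),
    }


if __name__ == "__main__":
    for offset, text in carve_ascii_strings(SAMPLE_DUMP):
        print(f"ascii   @0x{offset:06x}: {text}")
    for offset, text in carve_utf16le_strings(SAMPLE_DUMP):
        print(f"utf16le @0x{offset:06x}: {text}")
    for kind, values in carve_artifacts(SAMPLE_DUMP).items():
        print(f"{kind}: {values}")
```

The UTF-16LE pass matters because an ASCII-only scan sees each character of a Windows path separated by a null byte and never finds a run long enough to report.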

Mobile Phone Forensics:
It mainly deals with the examination and analysis of mobile devices. It helps to retrieve phone
and SIM contacts, call logs, incoming and outgoing SMS/MMS, audio, videos, etc.

CHALLENGES FACED BY DIGITAL FORENSICS:

Here are the major challenges faced by digital forensics:

• The increase in PCs and the extensive use of internet access
• Easy availability of hacking tools
• Lack of physical evidence makes prosecution difficult.
• Storage capacities running into terabytes make the investigation job
difficult.
• Any technological change requires an upgrade or changes to solutions.

Example Uses of Digital Forensics

In recent times, commercial organizations have used digital forensics in the following types of cases:
• Intellectual property theft
• Industrial espionage
• Employment disputes
• Fraud investigations
• Inappropriate use of the Internet and email in the workplace
• Forgery-related matters
• Bankruptcy investigations
• Issues concerning regulatory compliance

Advantages of Digital forensics

The following are advantages of digital forensics:
• To ensure the integrity of the computer system.
• To produce evidence in the court, which can lead to the punishment of the culprit.
• It helps companies to capture important information if their computer systems or
networks are compromised.
• Efficiently tracks down cybercriminals from anywhere in the world.
• Helps to protect the organization's money and valuable time.
• Allows investigators to extract, process, and interpret the factual evidence, so it proves the
cybercriminal's actions in the court.

INTRODUCTION TO INCIDENT:

Computer security incidents are real or suspected offensive events that are related to cyber
crime and cyber security as well as computer networks. Forensic investigators or internal cyber
security professionals, known as incident handlers, are hired by organizations to handle such
events and incidents.

Incidents are categorized into three types:

• Low-level incidents: where the impact of cybercrime is low.

• Mid-level incidents: where the impact of cybercrime is comparatively high and security
professionals are needed to handle the situation.

• High-level incidents: where the impact of cybercrime is the most serious and security
professionals as well as forensic investigators are needed to handle the situation and analyze
the scenario, respectively.

INCIDENT RESPONSE METHODOLOGY:

Computer security incidents are often complex, multifaceted problems. Just as with any complex
engineering problem, we use a “black box” approach. We divide the larger problem of incident
resolution into components and examine the inputs and outputs of each component.
In this methodology, there are seven major components of incident response:

• Pre-incident preparation: Take actions to prepare the organization and the Computer
Security Incident Response Team (CSIRT) before an incident occurs.
• Detection of incidents: Identify a potential computer security incident.
• Initial response: Perform an initial investigation, recording the basic details surrounding
the incident, assembling the incident response team, and notifying the individuals who
need to know about the incident.
• Formulate response strategy: Based on the results of all the known facts, determine the
best response and obtain management approval. Determine what civil, criminal,
administrative, or other actions are appropriate to take, based on the conclusions drawn
from the investigation.
• Investigate the incident: Perform a thorough collection of data. Review the data
collected to determine what happened, when it happened, who did it, and how it can be
prevented in the future.
• Reporting: Accurately report information about the investigation in a manner useful to
decision makers.
• Resolution: Employ security measures and procedural changes, record lessons learned,
and develop long-term fixes for any problems identified.

ACTIVITIES IN INITIAL RESPONSE:

The initial response to a computer security incident may be more important than later technical
analysis of the computer system because of the actions taken by incident response team
members. Actions taken by the incident response team impact subsequent laboratory
examinations of the computer and/or media. Of most importance is that the first responder act
appropriately.

The individuals involved with detecting an incident actually begin the initial response phase. The
details surrounding the incident are documented by whoever detected the incident or by an
individual who was notified that the incident may have occurred (for example, help desk or
security personnel).

The control of the response should be forwarded to the Computer Security Incident Response
Team (CSIRT) early in the process to take advantage of the team’s expertise; the more steps in
the initial response phase performed by the Computer Security Incident Response Team
(CSIRT), the better. Typically, the initial response will not involve touching the affected
system(s).

The data collected during this phase involves reviewing network-based and other evidence.
This phase involves the following tasks:

• Interviewing system administrators who might have insight into the technical details of
an incident.
• Interviewing business unit personnel who might have insight into business events that
may provide a context for the incident.
• Reviewing intrusion detection reports and network-based logs to identify data that would
support that an incident has occurred.
• Reviewing the network topology and access control lists to determine if any avenues of
attack can be ruled out.

At a minimum, the team must verify that an incident has actually occurred, which systems are
directly or indirectly affected, which users are involved, and the potential business impact.

The team should verify enough information about the incident so that the actual response will be
appropriate. It may be necessary to initiate network monitoring at this stage, simply to confirm
an incident is occurring. The key here is determining how much information is enough before
formulating your overall response strategy.
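The log-review part of initial response, checking intrusion detection reports and host or network logs to confirm that an incident actually occurred and to scope which systems (directly or indirectly) and which users are involved, can be shown in code. The Python below is an added example, not part of the original notes: the log lines, host names, addresses, the `HOST_IPS` inventory and the IDS signature text are all constructed, and the failure threshold and time window are arbitrary choices an analyst would tune.

```python
"""Initial-response log review: parse constructed log lines, decide whether
they support that an incident occurred, and scope affected systems and users.
Added example; not part of the original notes."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed syslog-like sample. Hosts, addresses and times are invented.
LOG_LINES = [
    "2024-05-01T02:14:03Z fw01 DENY src=198.51.100.23 dst=10.0.0.5 dport=23",
    "2024-05-01T02:14:05Z web01 sshd: Failed password for admin from 198.51.100.23 port 51022",
    "2024-05-01T02:14:09Z web01 sshd: Failed password for admin from 198.51.100.23 port 51023",
    "2024-05-01T02:14:13Z web01 sshd: Failed password for root from 198.51.100.23 port 51024",
    "2024-05-01T02:14:17Z web01 sshd: Failed password for admin from 198.51.100.23 port 51025",
    "2024-05-01T02:14:21Z web01 sshd: Failed password for admin from 198.51.100.23 port 51026",
    "2024-05-01T02:14:40Z web01 sshd: Accepted password for admin from 198.51.100.23 port 51030",
    '2024-05-01T02:15:02Z ids01 ALERT sig="ssh brute force (constructed)" src=198.51.100.23 dst=10.0.0.5',
    "2024-05-01T02:20:11Z db01 sshd: Accepted publickey for dba from 10.0.0.5 port 40112",
    "2024-05-01T08:00:00Z web01 sshd: Accepted publickey for alice from 10.0.0.42 port 40200",
]

# Constructed asset inventory so destination/source IPs map back to systems.
HOST_IPS = {"fw01": "10.0.0.1", "ids01": "10.0.0.2", "web01": "10.0.0.5", "db01": "10.0.0.6"}

AUTH_RE = re.compile(r"sshd: (Accepted|Failed) \w+ for (\S+) from (\S+) port")
IDS_RE = re.compile(r'ALERT sig="([^"]+)" src=(\S+) dst=(\S+)')


def parse_line(line: str) -> Optional[dict]:
    """Turn one line into an event dict, or None for line types not modelled."""
    ts_str, host, rest = line.split(" ", 2)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    m = AUTH_RE.search(rest)
    if m:
        kind = "auth_ok" if m.group(1) == "Accepted" else "auth_fail"
        return {"ts": ts, "host": host, "kind": kind, "user": m.group(2), "src": m.group(3)}
    m = IDS_RE.search(rest)
    if m:
        return {"ts": ts, "host": host, "kind": "ids_alert",
                "sig": m.group(1), "src": m.group(2), "dst": m.group(3)}
    return None


def triage(lines: List[str], fail_threshold: int = 5,
           window: timedelta = timedelta(minutes=10)) -> dict:
    """Answer the initial-response questions: did something happen, where, and who."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    ip_to_host = {ip: host for host, ip in HOST_IPS.items()}
    findings: List[str] = []
    direct, indirect, users = set(), set(), set()

    # 1. Repeated failures from one source against one host inside the window.
    fails: Dict[tuple, List[datetime]] = defaultdict(list)
    for e in events:
        if e["kind"] == "auth_fail":
            fails[(e["src"], e["host"])].append(e["ts"])
    suspicious = set()
    for (src, host), times in fails.items():
        times.sort()
        for i in range(len(times) - fail_threshold + 1):
            if times[i + fail_threshold - 1] - times[i] <= window:
                suspicious.add(src)
                findings.append(f"{fail_threshold}+ failed logins from {src} on {host}")
                break

    # 2. A success from a source seen failing, or an IDS alert, marks a host directly affected.
    for e in events:
        if e["kind"] == "auth_ok" and e["src"] in suspicious:
            direct.add(e["host"])
            users.add(e["user"])
            findings.append(f"login as {e['user']} from {e['src']} on {e['host']} after failures")
        elif e["kind"] == "ids_alert":
            direct.add(ip_to_host.get(e["dst"], e["dst"]))
            findings.append(f"IDS alert '{e['sig']}' against {e['dst']}")

    # 3. Logins originating from a directly affected host widen the scope.
    for e in events:
        if e["kind"] == "auth_ok" and ip_to_host.get(e["src"]) in direct and e["host"] not in direct:
            indirect.add(e["host"])
            users.add(e["user"])
            findings.append(f"login to {e['host']} as {e['user']} from affected host {ip_to_host[e['src']]}")

    return {"incident_confirmed": bool(direct), "directly_affected": sorted(direct),
            "indirectly_affected": sorted(indirect), "users_involved": sorted(users),
            "findings": findings}


if __name__ == "__main__":
    for key, value in triage(LOG_LINES).items():
        print(f"{key}: {value}")
```

Nothing here touches the affected systems; the whole assessment is built from logs already collected, which is the point made above about the initial response normally not involving the affected machines. The output is the minimum the team needs before formulating a response strategy: confirmation, scope and the accounts involved.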
