Cyber Crime

Cybercrime encompasses illegal activities executed through computer technologies, impacting privacy and finances. It includes various forms such as cyber fraud, cyberterrorism, ad fraud, and cybersex trafficking, which can target individuals or use computers as tools for crime. Preventative measures against cybercrime include using strong passwords, keeping software updated, and being aware of online scams.

Uploaded by Sachin chinnu
INTRODUCTION TO CYBER CRIME

INTRODUCTION
As the name says, "cyber" refers to computers and networks and "crime" to an unlawful act; together the word means a crime carried out using computer technology. The computer may be the instrument of the crime or its target, and the result can be harm to someone's privacy or finances.

It covers a wide range of offences such as cyber fraud, financial scams, cybersex trafficking, ad fraud and more. Many privacy concerns are also cybercrime concerns, since private data is intercepted and disclosed. The World Economic Forum's 2020 Global Risks Report noted that organized cybercrime groups are joining forces to carry out criminal activity online. This also affects global GDP and the world economy, as financially motivated crime is the most prominent and widespread category of cybercrime.

Cybercrime Types
1. Cyber Fraud
This refers to stealing electronic data or gaining unlawful use of another computer system. It usually involves accessing a computer without permission or authorization.
The forms of computer fraud include:
- Hacking into a computer
- Sending malicious code such as viruses
- Installing malware, suspicious software or spyware to steal data
- Phishing for financial or banking details
- Identity theft
- Sending hoax emails (messages that look legitimate but are not)
- Harvesting personal data ("data mining" of victims' information for later misuse)
These usually cause monetary or identity harm.

2. Cyberterrorism
Cyberterrorism is terrorism carried out through computer technology: cyberspace and other computer resources. It involves large-scale disruption, mainly of computer networks connected to the internet, using viruses and other malicious software. Governments and IT specialists have recorded a marked increase in cyberterrorism since the early 2000s.
It can involve:
- Phishing
- Hardware-based methods
- Programmed scripts
- Threats such as
  - Rape threats
  - Death threats
  - Threats of psychological harm
- Malicious software

3. Ad Fraud
Ad fraud refers to scams that use online advertising as the bait or the tool: fake ads promising "amazing opportunities", or fake traffic that drains advertisers' budgets. It has become popular in the cyber world because it is rarely prosecuted and highly profitable.
Ad fraud is mainly classified into three categories:
- Identity fraud: the criminal impersonates a known organization or publisher and inflates the audience it appears to reach. This category includes traffic from bots, cookie stuffing and falsified reporting.
- Attribution fraud: the criminal imitates real users by copying their clicks, conversions and other actions. This includes traffic from hijacked devices and from users infected with malware.
- Ad fraud services: the hosting services and online infrastructure that support the above, such as creating spam websites, link-building services, hosting services and fraud campaigns.

4. Cybersex Trafficking
Victims are threatened, tortured and transported to "cybersex dens", where coerced sexual acts or rape are live-streamed over webcams. The criminals use social media networks, videoconferencing, dating pages, online chat rooms and the dark web to advertise the victims to buyers, and they use online payment services to conceal their identities.
An estimated 6.3 million people are victims of cybersex trafficking, a number that includes children. An example is the Nth room case in South Korea (2018-2020).

5. Computer as a Target
As noted above, in cybercrime the computer can be either the target or the tool used to breach the user's data. A computer is the target when the criminal has the technical knowledge to break into the user's system and steal its data. People are poorly prepared to combat these crimes because they are comparatively new. They are mostly committed by individuals acting alone rather than by organized groups.
These include:
- Computer viruses
- Malware
- Denial-of-service attacks

6. Computer as a Tool
When the criminal uses a computer to attack the victim, the computer is "a tool". These crimes generally require little technical expertise; they exploit the victim psychologically through traumatizing, threatening, scamming and blackmailing. They include:
- Fraud and identity theft
- Information warfare
- Phishing scams
- Spam
- Harassment and threats
- Unsolicited bulk email
- Fake links to net-banking sites

7. Drug Trafficking
Darknet markets are used to buy and sell drugs online, and some criminals use encrypted messaging software to communicate with drug mules. The dark web site Silk Road was the first major online drug marketplace; the FBI seized it in October 2013, and its successor Silk Road 2.0 was taken down in November 2014. Such markets have grown substantially in recent years. Buyers and sellers hide their online presence using tools such as:
- Virtual Private Networks (VPNs)
- Tails
- The Tor browser

How to Prevent Being the Victim of These Crimes?

- Use strong, unique passwords
- Keep your software updated
- Manage your social media privacy settings
- Be aware of scams and online fraud
- Use a VPN correctly, particularly on public networks
- Keep up to date on major security breaches
- Know what to do if you become a victim

Cybercrime: Definition and origins of the word

DEFINITION OF CYBER CRIME


Cybercrime may be defined as “Any unlawful act where computer or communication device or
computer network is used to commit or facilitate the commission of a crime”.

Two Main Types of Cybercrimes

Most cybercrime falls under two main categories:
- Criminal activity that targets computers.
- Criminal activity that uses computers.
Cybercrime that targets computers often involves malware such as viruses.
Cybercrime that uses computers to commit other crimes may involve using computers to spread malware, illegal information or illegal images.

Origins of the word

- One of the highest-profile banking computer crimes began in 1970. The chief teller at the Park Avenue branch of New York's Union Dime Savings Bank embezzled over $1.5 million from hundreds of accounts over three years.
- A hacker group known as MOD (Masters of Deception) allegedly stole passwords and technical data from Pacific Bell, Nynex and other telephone companies, as well as several major credit bureaus and two major universities. The damage was substantial; one company, Southwestern Bell, alone suffered losses of $370,000.
- In 2006, the Russian Business Network (RBN) was registered as an Internet site. Most of its operations were initially legal, but its founders apparently soon realized that hosting illegal activity was more profitable and began leasing their services to criminals. The RBN has been described by VeriSign as "the baddest of the bad". It provides web hosting and internet access to a wide range of criminal activities, with individual activities earning up to $150 million in a single year. It specialized in, and at times monopolized, personal identity theft for resale.
- In January 2012, Zappos.com suffered a breach in which as many as 24 million customers' personal information, billing and shipping addresses and partial credit card numbers were exposed.
- Israeli spyware found to be in use in at least 46 countries gained unlawful access to camera and microphone sensors, phonebook contacts, all internet-enabled apps and metadata on Android and iOS phones. Journalists, royalty and government officials were among those targeted. Earlier accusations that Israeli weapons companies had tampered with international telephony and smartphones were eclipsed by this 2018 case.
- On March 2, 2010, Spanish authorities arrested three individuals suspected of infecting over 13 million computers worldwide. According to investigators, the "botnet" of infected computers included PCs inside more than half of the Fortune 1000 companies and more than 40 major banks.

CYBERCRIME
What is Computer Crime?
Computer crime describes a large category of offenses, also known as hi-tech crime, e-crime, cybercrime or electronic crime. It is committed by a computer user with significant technical knowledge. The attacker tries to gain unauthorized access to an account, to personal information, or to a company's or individual's private data. In some cases attackers corrupt the computer or its data files, which can be very harmful to the owner.

The term computer crime means different things depending on the person, the situation and the individual's frame of reference. Network administrators, private security, law enforcement and prosecutors each see it differently, yet investigating computer crime does not belong to any one of these communities. Conventional physical borders do not restrict computer crime; that is in its very nature.

The first definitional categories for computer crime were presented by Donn Parker, who is generally cited as their author. He gave a higher-level definition of the term computer abuse: any intentional incident involving computer technology in which a perpetrator made or could have made a gain and a victim suffered or could have suffered a loss.

Expanding on Parker's definitions, Robert Taylor and colleagues describe four major categories of computer crime:
1. The computer as a target: The computer is the target of the illegal activity; the attacker's main objective is to deny the owners or legitimate users access to their data or computer. Releasing a virus by email is one of the most common crimes targeting computers. Examples of this category are a denial-of-service attack or a virus, a computer program written to destroy a system's data or the computer system itself.
2. The computer as an instrument of the crime: The computer is used to carry out complex financial schemes to defraud, or to obtain information or data that is then used for further illegal activity. For example, a hacker can use a computer system to steal personal information and then use it for criminal ends.
3. The computer as incidental to a crime: The computer facilitates the crime but is not its primary instrument. Examples are the trading of child pornography and money laundering.
4. Crimes associated with the prevalence of computers: This category comprises acts such as software piracy, intellectual property theft and other crimes against the computer industry.

Examples of computer crimes

In modern times there are many kinds of computer crime; the main ones are discussed below:
- Child pornography: a form of child sexual exploitation.
- Cracking: a cracker decodes or breaks the codes designed to protect data. A cracker is an individual who uses a script or program to decipher codes or break security systems for illegal purposes. The program or script used to break the protection is known as a crack.
- Copyright violation: stealing or redistributing another person's copyrighted material.
- Cyber terrorism: attacks such as blackmail, hacking and threats against a person or business to gain unauthorized access or to coerce them.
- Cybersquatting: also referred to as domain squatting; registering a domain that belongs to, or resembles the name of, another person or company and holding it for resale at a premium price.
- Cyberbullying or cyberstalking: harassing or stalking another person online, for example by posting inappropriate or unwanted material about them.
- Creating malware: malware is malicious software installed on a computer without the owner's consent, using deceptive tactics. It is designed to watch browsing habits, delete software, or open the computer to further attack. A common route is a drive-by download: visiting a website triggers an unrequested download that the victim then runs by mistake.
- Denial of service attack: a DoS attack sends an abnormally high number of requests to the victim so that the network or service slows down or fails and legitimate requests cannot be served.
- Doxing: publishing another person's personal information without their consent, such as full name, address, history, passwords and other identifying information.
- Espionage: spying on a person or business to obtain secret or confidential information. A person who does this is a spy or espionage agent; agents may work for a company or independently to uncover agencies' or organizations' secrets.
- Fraud: using computers, internet services or devices to manipulate data or defraud people or organizations; for example, credit card fraud, transferring money to an attacker-controlled account, or altering banking records. Social engineering, DDoS, viruses and phishing are used to gain unauthorized access to other people's funds.
- Harvesting: a harvester (web harvester) is software designed to gather account or account-related information about others, or to parse large amounts of data. For instance, a web harvester may process large numbers of web pages to extract names, phone numbers, email addresses and account names.
- Human trafficking: buying or selling other human beings; a grave violation of human rights. Thousands of men, women and children fall victim to traffickers, and nearly every country in the world is affected.
- Identity theft: pretending to be someone you are not. Attackers illegally obtain information about someone else, such as phone number, credit card numbers, full name, mother's maiden name, social security number and passwords.
- Illegal sales: buying or selling illicit goods online, such as psychotropic substances, drugs, guns and more.
- Intellectual property theft: intellectual property is property created by the human mind. Stealing practical or conceptual information created by another person or organization is intellectual property theft. Trade secrets, copyrights, trademarks and patents are well-known types of intellectual property.
- Phishing or vishing: deceiving individuals or groups into giving up secret information, by email (phishing) or by voice call (vishing). Attackers create web pages designed to collect credit card details, online banking credentials, passwords and other private information, and send emails that lure victims to them.
- Salami slicing: stealing small amounts of money from each of many transactions, which accumulate into a large sum.
- Scam: tricking people into believing something that is not true, for example a fraudulent scheme or business used to take money from unsuspecting people. Online scams have increased as the world has become more connected, and it is up to each user to guard against them.
- Slander: posting defamatory statements about another person or organization (strictly, written defamation such as an online post is libel).
- Software piracy: illegally copying, distributing or using software without ownership or legal rights. Most software is sold under a single-user license allowing installation on one computer; sharing it or copying it to multiple computers without buying additional licenses is software piracy.
- Spamming: sending unsolicited email to thousands or millions of people without their consent to promote a product or run a scam. Spam is also known as UCE (unsolicited commercial email), mass email marketing and bulk email.
- Spoofing: deceiving a system by imitating another person, computer or hardware device in order to bypass security measures. IP spoofing is one of the best-known forms.
- Typosquatting: registering a domain that is a misspelling of another domain, so that users who mistype the address land on the attacker's site. Like cybersquatting, the domain may also be held for resale at a premium price.
- Unauthorized access: accessing a system, server, program or service by illegal means or with someone else's account information; in short, accessing a system you have no permission to use. For example, if someone guesses the username and password of your Gmail account and logs in, that is unauthorized access.
- Wiretapping: surreptitiously connecting an electronic monitoring device to a phone line to listen to conversations.

INFORMATION SECURITY
Information security is a set of practices designed to keep private data secure from unauthorized access and alteration, both while it is stored and while it is transmitted from one location to another. It protects printed, digital and other private or sensitive data from unauthorized persons, guarding it against misuse, disclosure, destruction, alteration and disruption.
Computer networks carry the daily transactions and communications of government, private and corporate bodies, and they need security. The most common and simplest protection for a network resource is assigning it a unique name and a corresponding password; that is a baseline, not sufficient on its own.
Network security includes:
- Protection: the user must be able to configure their devices and networks correctly.
- Detection: the user must be able to detect when the configuration has been modified, or be notified when there is a problem in the network traffic.
- Reaction: after detecting a problem, the user must respond to it and return to a protected state as quickly as possible.
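The "Detection" step above is the one most often left to chance. The following is an added example, written for this page and not taken from any product or from the original document, of a minimal file-integrity check: it records a baseline of SHA-256 hashes for a set of configuration files and later reports which files were modified, added or removed. The file names and contents are constructed for the demonstration.

```python
"""Added example: configuration-change detection by hash baseline.
Record a snapshot of file hashes once, then compare later snapshots
against it. File names and contents below are constructed."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative path) to its hash."""
    return {
        str(p.relative_to(root)): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline: dict, dest: Path) -> None:
    # In practice store this where the monitored host cannot overwrite it;
    # a baseline an attacker can rewrite detects nothing.
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def detect_changes(baseline: dict, current: dict) -> dict:
    """Compare two snapshots; returns modified/added/removed relative paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
    }


def demo() -> dict:
    """Constructed scenario: baseline two config files, then tamper with one,
    delete one and drop in a new file. Returns the detection report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        root.mkdir()
        (root / "sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        (root / "hosts.allow").write_text("sshd: 10.0.0.0/8\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated attacker activity after the baseline was taken.
        (root / "sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication yes\n")
        (root / "hosts.allow").unlink()
        (root / "ld.so.preload").write_text("/tmp/evil.so\n")

        return detect_changes(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report only says that something changed, not whether the change was authorized; the "Reaction" step is to compare it against the change log and restore the known-good configuration. Hashes detect content changes but not permission or ownership changes, so a production monitor also records file metadata.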

Network security works with multiple layers of protection, at the edge and within the network. Each layer implements certain techniques and follows specified policies, so that only authorized users gain access to network resources while unauthorized users are blocked from carrying out exploits and malicious activity.

Information security provides the following services:

Message Confidentiality: the sender and the receiver expect confidentiality; the transmitted message should make sense only to the intended receiver. When a user connects to their bank, they expect the communication to be completely confidential.
Message Integrity: the data should arrive at the receiver exactly as it was sent, with no changes during transmission, whether accidental or malicious. As ever more financial transactions take place over the web, integrity is crucial.
Message Authentication: a service that goes beyond message integrity. The receiver needs to be certain of the sender's identity and that the message was not sent by an impostor.
Message Nonrepudiation: a sender must not be able to deny having sent a message they did send. The burden of proof falls on the receiver, who must be able to demonstrate the message's origin to a third party.
Entity Authentication: the entity or user is identified and verified before being granted access to system resources. For instance, a student who needs to access university resources must be authenticated at login. This protects the interests of both the university and the student.
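The integrity and authentication services above are commonly provided together by a message authentication code. The following added example, written for this page rather than taken from it, uses HMAC-SHA256 with a key shared by sender and receiver: a genuine message verifies, a tampered message and an impostor's message are rejected. It also shows why an HMAC gives no nonrepudiation: the receiver holds the same key and could have produced the tag themselves, so a third party cannot tell who did. The key and the bank instruction are constructed.

```python
"""Added example: message integrity and authentication with HMAC-SHA256,
and the nonrepudiation gap of any shared-key scheme. Key and messages
are constructed for the demonstration."""
import hashlib
import hmac
import os


def make_tag(key: bytes, message: bytes) -> bytes:
    """Authentication tag the sender attaches to the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver-side check. compare_digest runs in constant time, so an
    attacker cannot learn the correct tag byte by byte from timing."""
    expected = make_tag(key, message)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    key = os.urandom(32)                     # shared out of band; never sent
    wrong_key = os.urandom(32)               # an impostor's key
    msg = b"PAY 100.00 TO ACCOUNT 12345"     # constructed bank instruction
    tag = make_tag(key, msg)

    # A man in the middle changes one digit of the amount but cannot
    # recompute the tag without the key.
    tampered = b"PAY 900.00 TO ACCOUNT 12345"

    return {
        "genuine_accepted": verify(key, msg, tag),
        "tampered_rejected": not verify(key, tampered, tag),
        "impostor_rejected": not verify(key, msg, make_tag(wrong_key, msg)),
        # Anyone holding the shared key can produce a valid tag, so the
        # receiver cannot prove to a judge that the sender, not they, made it.
        "receiver_can_forge": verify(key, tampered, make_tag(key, tampered)),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

For nonrepudiation the sender must sign with a private key that only the sender holds (for example RSA or Ed25519), so that the receiver, and any third party, can verify with the public key but cannot forge. Confidentiality is a separate service again: an HMAC proves origin and integrity but the message itself travels in the clear unless it is also encrypted.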

WHO ARE CYBERCRIMINALS?

A threat in cybersecurity is a malicious activity by an individual or organization to corrupt or steal data, gain access to a network, or disrupt digital life in general. The cyber community recognizes the following threats today:

Malware
Malware means malicious software, the most common cyber attack tool. Cybercriminals use it to disrupt or damage a legitimate user's system. The important types of malware are:
- Virus: a malicious piece of code that spreads from one device to another by attaching itself to files. It infects files throughout a computer system, steals information or damages the device.
- Spyware: software that secretly records information about a user's activities on their system. For example, spyware could capture credit card details that cybercriminals then use for unauthorized purchases or withdrawals.
- Trojans: malware that poses as legitimate software or files to trick the user into downloading and running it. Its main purpose is to corrupt or steal data from the device or carry out other harmful activity on the network.
- Ransomware: software that encrypts a user's files and data, rendering them unusable or erasing them, after which the attackers demand a monetary ransom for decryption.
- Worms: software that spreads copies of itself from device to device without human interaction. Unlike a virus, a worm does not need to attach itself to another program to steal or damage data.
- Adware: advertising software that displays advertisements on the device and is often used to spread malware. It is an unwanted program installed without the user's permission, whose main objective is to generate revenue for its developer by showing ads in the browser.
- Botnets: collections of internet-connected, malware-infected devices that cybercriminals control remotely. They enable credential theft, unauthorized access and data theft without the device owners' knowledge.

Phishing
Phishing is a cybercrime in which the sender appears to be a genuine organization such as PayPal, eBay or a financial institution, or a friend or co-worker. They contact the target by email, phone or text message with a link and persuade them to click it. The link leads to a fraudulent website that asks for sensitive data such as personal information, banking and credit card details, social security numbers, usernames and passwords. Clicking the link may also install malware that lets the attackers control the device remotely.

Man-in-the-middle (MITM) attack

A man-in-the-middle attack is a form of eavesdropping in which a cybercriminal intercepts a conversation or data transfer between two parties. Once positioned in the middle of the communication, the attacker appears to each side as the genuine other party, can read sensitive information and can alter the responses. The main objective is to gain access to business or customer data. For example, a cybercriminal could intercept data passing between a target device and the network on an unprotected Wi-Fi network.

Distributed denial of service (DDoS)

A DDoS attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by flooding the target or its surrounding infrastructure with Internet traffic, so that legitimate requests cannot be served. The traffic comes from many IP addresses at once, which can overload the servers, slow them down significantly or take them offline temporarily, and prevent an organization from carrying out its vital functions.

Brute Force
A brute force attack is a trial-and-error attack that tries every possible combination until the correct value is found. Cybercriminals use it to recover passwords, login details, encryption keys and Personal Identification Numbers (PINs).
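To make the trial-and-error idea concrete, the following added example (written for this page, not part of the original document) brute-forces a hashed 4-digit PIN by trying all 10,000 candidates, under two storage schemes. With a fast unsalted hash every guess costs one SHA-256 and the whole space falls in milliseconds; with a salted, iterated hash (PBKDF2 here) every guess costs as many hashes as the iteration count, which multiplies the attacker's work by the same factor. The PIN, the salt and the iteration count are constructed for the demonstration.

```python
"""Added example: exhaustive search of a 4-digit PIN space against a fast
unsalted hash and against a salted, iterated hash. Values are constructed."""
import hashlib
import hmac
import os
import time

DIGITS = 4
ITERATIONS = 20_000  # constructed; production settings are much higher


def fast_hash(pin: str) -> bytes:
    """Weak scheme: unsalted single SHA-256, as found in many breached apps."""
    return hashlib.sha256(pin.encode()).digest()


def slow_hash(pin: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stronger scheme: salted PBKDF2-HMAC-SHA256 with a work factor."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)


def brute_force(target: bytes, hash_fn) -> tuple:
    """Try 0000..9999 in order; return (pin, guesses_made) or (None, 10**DIGITS)."""
    for n in range(10 ** DIGITS):
        guess = f"{n:0{DIGITS}d}"
        if hmac.compare_digest(hash_fn(guess), target):
            return guess, n + 1
    return None, 10 ** DIGITS


def demo(secret_pin: str = "0042") -> dict:
    """Crack the same PIN under both schemes and compare the cost per guess."""
    salt = os.urandom(16)

    t0 = time.perf_counter()
    fast_pin, fast_guesses = brute_force(fast_hash(secret_pin), fast_hash)
    fast_secs = time.perf_counter() - t0

    t0 = time.perf_counter()
    slow_pin, slow_guesses = brute_force(
        slow_hash(secret_pin, salt), lambda p: slow_hash(p, salt)
    )
    slow_secs = time.perf_counter() - t0

    return {
        "fast_pin": fast_pin,
        "slow_pin": slow_pin,
        "guesses": fast_guesses,  # identical for both: the search order is fixed
        "fast_us_per_guess": fast_secs / fast_guesses * 1e6,
        "slow_us_per_guess": slow_secs / slow_guesses * 1e6,
        # Projected time to exhaust the whole PIN space under the slow scheme.
        "slow_full_space_seconds": slow_secs / slow_guesses * 10 ** DIGITS,
    }


if __name__ == "__main__":
    r = demo()
    print(f"recovered {r['fast_pin']} / {r['slow_pin']} after {r['guesses']} guesses")
    print(f"fast scheme: {r['fast_us_per_guess']:.1f} us per guess")
    print(f"slow scheme: {r['slow_us_per_guess']:.1f} us per guess, "
          f"~{r['slow_full_space_seconds']:.0f} s to try all {10 ** DIGITS} PINs")
```

The slow scheme buys time, not safety: 10,000 candidates are still exhausted in minutes on one core, so a PIN also needs an online defence that the attacker cannot bypass by stealing the database, such as lockout after a handful of failed attempts or a rate limit enforced by a secure element. Passwords get the same treatment with a far larger space, which is where the work factor starts to matter.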

SQL Injection (SQLI)

SQL injection is a common attack in which a cybercriminal supplies crafted input that is incorporated into a backend SQL query, changing the query's meaning and giving access to the database. Once the attack succeeds, the attacker can view, change or delete sensitive company data, user lists or private customer details stored in the database.
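The following added example (written for this page; not from the original document) shows the vulnerable pattern beside its fix, run against an in-memory SQLite database with constructed user records. The vulnerable login splices user input into the SQL text, so a quote character lets the input become part of the query and bypass the password check. The safe login passes the values as bound parameters, so the same input is compared as a literal string and rejected. The table, users and hashes are constructed.

```python
"""Added example: SQL injection via string-built queries versus bound
parameters, against a constructed SQLite users table."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table of users and their password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash_of_alice_pw", "admin"),
         ("bob", "hash_of_bob_pw", "user")],
    )
    return conn


def login_vulnerable(conn, username: str, pw_hash: str):
    """Anti-pattern: user input spliced into the SQL text."""
    query = (f"SELECT username, role FROM users "
             f"WHERE username = '{username}' AND pw_hash = '{pw_hash}'")
    return conn.execute(query).fetchone()


def login_safe(conn, username: str, pw_hash: str):
    """Fix: the driver sends the values separately from the SQL text, so they
    can never be parsed as SQL, whatever characters they contain."""
    query = "SELECT username, role FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(query, (username, pw_hash)).fetchone()


def demo() -> dict:
    conn = make_db()
    # Comment injection: the closing quote ends the literal and `--` comments
    # out the rest of the WHERE clause, so the password is never checked.
    evil_user = "alice'--"
    # Tautology: makes the WHERE clause true for every row.
    tautology = "' OR '1'='1"
    return {
        "honest_ok": login_safe(conn, "alice", "hash_of_alice_pw"),
        "vuln_comment_bypass": login_vulnerable(conn, evil_user, "anything"),
        "vuln_tautology": login_vulnerable(conn, "nobody", tautology),
        "safe_comment_bypass": login_safe(conn, evil_user, "anything"),
        "safe_tautology": login_safe(conn, "nobody", tautology),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both injected logins return the admin row from the vulnerable function and nothing from the safe one. Parameterization is the fix; input "sanitizing" with quote escaping is not, because the set of dangerous characters depends on the database and the context the value lands in. Least privilege on the database account limits what a successful injection can read or delete.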

Domain Name System (DNS) attack

A DNS attack is a cyberattack in which criminals exploit flaws in the Domain Name System to redirect users to malicious websites (DNS hijacking) and steal data from the affected computers. It is a severe cybersecurity risk because DNS is an essential element of the internet's infrastructure.

Latest Cyber Threats

The following are recent cyber threats reported by the U.K., U.S. and Australian governments:

Romance Scams
The U.S. government warned about this threat in February 2020. Cybercriminals operate through dating sites, chat rooms and apps, targeting people who are seeking a new partner and duping them into giving away personal data.

Dridex Malware
Dridex is a financial Trojan, identified by the U.S. in December 2019, that affects the public, government, infrastructure and businesses worldwide. It infects computers through phishing emails or existing malware and steals sensitive information such as passwords, banking details and personal data for use in fraudulent transactions. The National Cyber Security Centre of the United Kingdom advises people to make sure their devices are patched, anti-virus is turned on and up to date, and files are backed up.

Emotet Malware
Emotet is a type of malware that steals sensitive data and also installs other malware on the infected device. The Australian Cyber Security Centre warned national organizations about this global threat in 2019.

The following systems can be affected by security breaches and attacks:
- Communication: attackers use phone calls, emails, text messages and messaging apps to reach victims.
- Finance: financial information such as bank and credit card details is naturally a primary target.
- Government: cybercriminals target government institutions for confidential public data or private citizens' information.
- Transportation: cybercriminals target connected cars, traffic control systems and smart road infrastructure.
- Healthcare: cybercriminals target healthcare systems, from the records of a local clinic to critical care systems at a national hospital.
- Education: cybercriminals target educational institutions for confidential research data and the personal information of students and employees.
CLASSIFICATION OF CYBER CRIMES
Cyber crimes can be classified into 4 major categories:
(1) Cyber crime against Individuals
(2) Cyber crime against Property
(3) Cyber crime against Organizations
(4) Cyber crime against Society

(1) Against Individuals

(i) Email spoofing: a spoofed email is one in which the email header is forged so that the mail appears to originate from one source when it was actually sent from another.
(ii) Spamming: sending multiple copies of unsolicited mail or mass emails such as chain letters.
(iii) Cyber defamation: defamation carried out with the help of computers and/or the Internet, e.g. publishing defamatory material about someone on a website or sending emails containing defamatory information.
(iv) Harassment and cyber stalking: cyber stalking means following an individual's activity over the internet. It can be done through many channels such as email, chat rooms and Usenet newsgroups.
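Email spoofing (above) and phishing (in the threats section earlier) are usually caught together, by checking that the visible sender, the envelope sender and the links in the body agree. The following added example, written for this page rather than taken from it, triages one raw message: it compares the From: domain with the Return-Path, reads the SPF/DKIM verdicts the receiving server recorded in Authentication-Results, and flags link hosts that are look-alikes (typosquats) of a trusted domain. The trusted-domain list, the header values and the sample message are all constructed; real mail flow would add DMARC alignment and a reputation lookup.

```python
"""Added example: triage of a suspected spoofed/phishing email using header
disagreement, recorded SPF/DKIM results and look-alike link domains.
Trusted domains, headers and the sample message are constructed."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
import re
from typing import Optional
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"paypal.com", "ebay.com"}  # constructed allow-list


def domain_of(addr_header: str) -> str:
    """Domain part of an address header such as '"Name" <user@host>'."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def registrable(host: str) -> str:
    """Crude registrable domain: last two labels (adequate for .com samples)."""
    return ".".join(host.lower().split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats like paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(host: str) -> Optional[str]:
    """Return the trusted domain this host imitates, or None if it is genuine
    or unrelated."""
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if edit_distance(reg.split(".")[0], brand) <= 2 or brand in host.lower():
            return trusted
    return None


def triage(raw: bytes) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_dom = domain_of(msg["From"])
    envelope_dom = domain_of(msg["Return-Path"])
    auth = (msg["Authentication-Results"] or "").lower()

    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    hosts = {urlparse(u).hostname for u in re.findall(r"https?://[^\s\"'>]+", body)}
    bad_links = sorted(h for h in hosts if h and lookalike(h))

    findings = []
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"From domain {from_dom} != envelope sender {envelope_dom}")
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("sender authentication failed: " + auth)
    if bad_links:
        findings.append("look-alike link hosts: " + ", ".join(bad_links))
    return {"from_domain": from_dom, "findings": findings, "suspicious": bool(findings)}


# Constructed sample: brand impersonation with a typosquatted link.
SAMPLE = b"""Return-Path: <bounce@mail-relay-7.example>
Authentication-Results: mx.example; spf=fail smtp.mailfrom=mail-relay-7.example; dkim=none
From: "PayPal Security" <service@paypal.com>
To: victim@example.org
Subject: Your account is limited
Content-Type: text/plain

Please confirm your identity at https://paypa1.com/login within 24 hours.
"""

if __name__ == "__main__":
    for line in triage(SAMPLE)["findings"]:
        print("!", line)
```

A mismatch between From: and Return-Path is normal for mailing lists and bulk senders, so it is a signal to weigh, not a verdict on its own; the combination with a failed SPF check and a look-alike link is what makes this sample clearly malicious. The edit-distance threshold of 2 is a constructed choice and will produce false positives for short brand names.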

(2) Against Property

(i) Credit card fraud: as the name suggests, fraud committed using a credit card. It generally happens when someone learns the card number or the card is stolen.
(ii) Intellectual property crimes: these include software piracy (illegal copying of programs and distribution of copies of software); copyright infringement (using copyrighted material without proper permission); trademark violations (using trademarks and associated rights without the holder's permission); and theft of computer source code (stealing, destroying or misusing the source code of a program).
(iii) Internet time theft: use of another person's paid Internet hours by an unauthorized person.

(3) Against Organisations


(i) Unauthorized Accessing of Computer: Accessing the computer/network without permission
from the owner. It can take two forms: a) Changing/deleting data: unauthorized changing of data.
b) Computer voyeur: the criminal reads or copies confidential or proprietary information, but the
data is neither deleted nor changed.
(ii) Denial Of Service : When an Internet server is flooded with continuous bogus requests so as to
deny legitimate users the use of the server, or to crash the server.
(iii) Computer contamination / Virus attack : A computer virus is a computer program that can
infect other computer programs by modifying them in such a way as to include a (possibly
evolved) copy of itself. Viruses can be file-infecting or can affect the boot sector of the computer.
Worms, unlike viruses, do not need a host program to attach themselves to.
(iv) Email Bombing : Sending large numbers of mails to an individual, a company or mail servers,
ultimately resulting in a crash.
(v) Salami Attack : When negligible amounts are removed and accumulated into something larger.
These attacks are used for the commission of financial crimes.
(vi) Logic Bomb : It is an event-dependent program. As soon as the designated event occurs, it
crashes the computer, releases a virus or causes other harm.
(vii) Trojan Horse : This is an unauthorized program which functions from inside what seems to
be an authorized program, thereby concealing what it is actually doing.
(viii) Data diddling : This kind of attack involves altering raw data just before it is processed by
a computer and then changing it back after the processing is completed.
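Data diddling and the "changing/deleting data" form of unauthorized access both depend on the processing system trusting whatever data it is handed. The following Python example is added here (it is not from the text) and shows one defensive control: every record is sealed with an HMAC at the moment it is captured and verified again immediately before processing, so a record altered in between is rejected instead of being processed. The key, the transaction records and the processing function are all constructed for the illustration.

```python
import copy
import hashlib
import hmac
import json

# Constructed key for this example only; a real deployment would keep it in a
# KMS/HSM, separate from the data it protects, so a tamperer cannot re-seal records.
SECRET_KEY = b"example-key-for-illustration-only"


def canonical(record: dict) -> bytes:
    """Serialise a record deterministically (sorted keys, fixed separators)
    so that identical content always produces identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = SECRET_KEY) -> str:
    """HMAC-SHA256 tag computed at the point of capture (data entry)."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes = SECRET_KEY) -> bool:
    """Recompute the tag immediately before processing; constant-time compare."""
    return hmac.compare_digest(seal(record, key), tag)


def process_batch(batch):
    """batch is a list of (record, tag) pairs. Records whose tag no longer
    matches are rejected instead of processed. Returns (accepted, rejected)
    as lists of transaction ids."""
    accepted, rejected = [], []
    for record, tag in batch:
        (accepted if verify(record, tag) else rejected).append(record["txn_id"])
    return accepted, rejected


# Constructed sample transactions, sealed when they were captured.
CAPTURED = [
    {"txn_id": 1001, "account": "AC-1", "amount": 250.00},
    {"txn_id": 1002, "account": "AC-2", "amount": 9000.00},
    {"txn_id": 1003, "account": "AC-3", "amount": 15.75},
]
SEALED = [(rec, seal(rec)) for rec in CAPTURED]


def diddled_batch():
    """Simulates data diddling: the amount of transaction 1002 is altered after
    capture but before processing. The stored tag is left untouched, which is
    exactly what the integrity check catches."""
    batch = copy.deepcopy(SEALED)
    batch[1][0]["amount"] = 90.00
    return batch


if __name__ == "__main__":
    print("clean batch:   ", process_batch(SEALED))
    print("diddled batch: ", process_batch(diddled_batch()))
```

The check only helps if the key is not reachable from the place where the data is altered; the same attacker who can rewrite a record and can also read the key can simply recompute the tag.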
(4) Against Society
(i) Forgery : Currency notes, revenue stamps, mark sheets etc. can be forged using computers and
high quality scanners and printers.
(ii) Cyber Terrorism : Use of computer resources to intimidate or coerce people and carry out the
activities of terrorism.
(iii) Web Jacking : Hackers gain access to and control over another party's website; they may even
change the content of the website to fulfil a political objective or for money.

CYBERCRIME: THE LEGAL PERSPECTIVES


In the first comprehensive presentation of computer crime, Computer Crime: Criminal Justice
Resource Manual (1979), computer-related crime was defined as: any illegal act for which
knowledge of computer technology is essential for a successful prosecution. International legal
aspects of computer crimes were studied in 1983. In that study, computer crime was defined as:
encompasses any illegal act for which knowledge of computer technology is essential for its
perpetration.

Globalized information systems accommodate an increasing number of transnational offenses. The
network context of cybercrime makes it one of the most globalized offenses of the present and the
most modernized threats of the future. This problem can be resolved in two ways: 1) To divide
information systems into segments bordered by state boundaries 2) To incorporate the legal system
into an integrated entity. The first solution is impractical.

Cybercrimes: An Indian Perspective


India has the second highest number of Internet users in the world (in 2017). Most Internet
access happens from cyber cafes. The age group of most Indian Internet users is between 18 and
35 years. It is reported that, compared to the year 2006, cybercrime under the Information
Technology (IT) Act recorded a whopping 50% increase in the year 2007. A point to note is that
the majority of offenders were under 30 years. The Indian government is doing its best to control
cybercrimes. For example, Delhi Police have trained 100 of its officers in handling cybercrime and
placed them in its Economic Offences Wing.

Cybercrime and the Indian ITA 2000


In India, the Information Technology Act, ITA 2000, was enacted after the United Nations General
Assembly Resolution A/RES/51/162 of 30 January 1997, which adopted the Model Law on Electronic
Commerce adopted by the United Nations Commission on International Trade Law. This was the
first step toward a law relating to E-Commerce at the international level, to regulate an alternative
form of commerce and to give it legal status.
It was enacted taking into consideration the UNCITRAL Model Law on Electronic Commerce
(1996). Cybercrimes are punishable under two categories: the ITA 2000 and the Indian Penal Code
(IPC). A total of 207 cases of cybercrime were registered under the IT Act in 2007 compared to
142 cases registered in 2006. Under the IPC too, 339 cases were recorded in 2007 compared to 311
cases in 2006. There are noteworthy provisions under the ITA 2000, which is said to be undergoing
key changes very soon (refer Table 1.7 on page 34).

A Global Perspective on Cybercrimes


In Australia, cybercrime has a narrow statutory meaning as used in the Cyber Crime Act 2001, which
details offenses against computer data and systems. In the Council of Europe’s (CoE) Cyber Crime
Treaty, cybercrime is used as an umbrella term to refer to an array of criminal activity including
offenses against computer data and systems, computer-related offenses, content offenses and
copyright offenses.

The spam legislation scenario mentions “none” about India as far as E-mail legislation in India is
concerned. India's legislation is referred to as “loose,” although there is a mention in
Section 67 of ITA 2000. About 30 countries have enacted some form of anti-spam legislation.
There are also technical solutions by ISPs and end-users.

In spite of this, so far there has been no significant impact on the volume of spam. Spam is used to
support fraudulent and criminal activities. As there are no national boundaries to such crimes in the
cybercrime realm, enforcement requires international cooperation between those who seek to apply
anti-spam laws.
CYBER OFFENSES

HOW CRIMINALS PLAN THEM –INTRODUCTION


 Technology is a “double-edged sword” as it can be used for both good and bad purposes.
 People with a tendency to cause damage or carry out illegal activities will use it for bad
purposes.
 Computers and tools available in IT are also used either as the target of an offense or as the tool
for committing it.
 In today’s world of Internet and computer networks, a criminal activity can be carried out across
national borders.
 Chapter 1 provided an overview of hacking, cyber terrorism, network intrusions, password
sniffing, computer viruses, etc. They are the most commonly occurring crimes that target the
computer.
 Cybercriminals use the World Wide Web and Internet to an optimum level for all illegal activities:
to store data, contacts, account information, etc.
 The criminals take advantage of the widespread lack of awareness about cybercrimes and cyber
laws among the people who are constantly using the IT infrastructure for official and personal
purposes.
 People who commit cybercrimes are known as “Crackers” (Box 2.1).

Box 2.1 | Hackers, Crackers and Phreakers


Hacker: A hacker is a person with a strong interest in computers who enjoys learning and
experimenting with them. Hackers are usually very talented, smart people who understand
computers better than others. The term is often confused with cracker that defines someone who
breaks into computers (refer to Box 2.2).
Brute force hacking: It is a technique used to find passwords or encryption keys. Brute force
hacking involves trying every possible combination of letters, numbers, etc., until the code is
broken.
Cracker: A cracker is a person who breaks into computers. Crackers should not be confused
with hackers. The term “cracker” is usually connected to computer criminals. Some of their
crimes include vandalism, theft and snooping in unauthorized areas.
Cracking: It is the act of breaking into computers. Cracking is a popular, growing subject on the
Internet. Many sites are devoted to supplying crackers with programs that allow them to crack
computers. Some of these programs contain dictionaries for guessing passwords. Others are
used to break into phone lines (called “phreaking”). These sites usually display warnings such
as “These files are illegal; we are not responsible for what you do with them.”
Cracker tools: These are programs used to break into computers. Cracker tools are widely
distributed on the Internet. They include password crackers, Trojans, viruses, war dialers and
worms.
Phreaking: This is the notorious art of breaking into phone or other communication
systems. Phreaking sites on the Internet are popular among crackers and other criminals.
War dialer: A program that automatically dials phone numbers looking for computers on the other
end. It catalogs numbers so that the hackers can call back and try to break in.

An attacker would look to exploit the vulnerabilities in networks, most often because the networks are
not adequately protected.

 The categories of vulnerabilities that hackers typically search for are the following:
o Inadequate border protection (border as in the sense of network periphery);
o remote access servers (RASs) with weak access controls;
o application servers with well-known exploits;
o misconfigured systems and systems with default configurations.
 To help the reader understand the network attack scenario, Fig. 2.2 illustrates a small network
highlighting specific occurrences of several vulnerabilities described above.

Box 2.2 | What Color is Your Hat in the Security World?


A black hat is also called a “cracker” or “dark side hacker.” Such a person is a malicious or
criminal hacker. Typically, the term “cracker” is used within the security industry. However,
the general public uses the term hacker to refer to the same thing. In computer terminology, the
meaning of “hacker” can be much broader. The name comes from the opposite of “white hat
hackers.”
A white hat hacker is considered an ethical hacker. In the realm of IT, a “white hat hacker”
is a person who is ethically opposed to the abuse of computer systems. It is said that the term is
derived from American western movies, where the protagonist typically wore a white cowboy
hat and the antagonist typically wore a black one. As a simplified explanation, a “white hat”
generally focuses on securing IT systems, whereas a “black hat” (the opposite) would like to
break into them, so this sounds like the age-old game of thief and police.

A brown hat hacker is one who thinks before acting or committing a malicious or non-malicious
deed. A grey hat commonly refers to a hacker who releases information about any exploits or
security holes he/she finds openly to the public. He/she does so without concern for how the
information is used in the end (whether for patching or exploiting).

Categories of Cybercrime
Cybercrime can be categorized based on the following:
1. The target of the crime and
2. whether the crime occurs as a single event or as a series of events.
Cybercrime can be targeted against individuals (persons), assets (property) and/or
organizations (government, business and social).
1. Crimes targeted at individuals: The goal is to exploit human weaknesses such as greed and
naivety. These crimes include financial frauds, sale of non-existent or stolen items, child
pornography (explained in Section 1.5.13, Chapter 1), copyright violation, harassment, etc. With
the development of IT and the Internet, criminals have a new tool that allows them to
expand the pool of potential victims. However, this also makes it difficult to trace and apprehend the
criminals.
2. Crimes targeted at property: This includes stealing mobile devices such as cell phones, laptops,
personal digital assistants (PDAs) and removable media (CDs and pen drives); transmitting
harmful programs that can disrupt the functions of the systems and/or wipe out data from the hard
disk, and can cause the malfunctioning of devices attached to the system such as the modem, CD
drive, etc.

3. Crimes targeted at organizations: Cyber terrorism is one of the distinct crimes against
organizations/governments. Attackers (individuals or groups of individuals) use computer tools
and the Internet, usually to terrorize the citizens of a particular country by stealing private
information, and also to damage programs and files or plant programs to get control of the
network and/or system (see Box 2.3).
4. Single event of cybercrime: It is a single event from the perspective of the victim. For example,
unknowingly opening an attachment that may contain a virus that will infect the system (PC/laptop).
This is known as hacking or fraud.
5. Series of events: This involves the attacker interacting with the victim repetitively. For example,
the attacker interacts with the victim on the phone and/or via chat rooms to establish a relationship
first and then exploits that relationship to commit sexual assault.
Box 2.3 | Patriot Hacking
Patriot hacking[1], also known as Digital Warfare, is a form of vigilante computer systems’
cracking done by individuals or groups (usually citizens or supporters of a country) against a real
or perceived threat. Traditionally, Western countries, that is, developing countries, attempt to
launch attacks on their perceived enemies.
Although patriot hacking is declared illegal in the US, it is reserved for
government agencies [i.e., Central Intelligence Agency (CIA) and National Security Agency
(NSA)] as a legitimate form of attack and defense. The Federal Bureau of Investigation (FBI) raised
concern about the rise in cyber attacks like website defacements (explained in Box 1.4,
Chapter 1) and denial-of-service attacks (DoS – refer to Section 4.9, Chapter 4), which add
fuel to increases in international tension and mirror them into the online world.

After the war in Iraq in 2003, it has been getting popular in North America, Western Europe and
Israel. These are countries that face the greatest threat from Islamic terrorism and its
aforementioned digital version.
The People’s Republic of China is allegedly making attacks upon the computer networks of the
US and the UK. Refer to Box 5.15 in Chapter 5. For detailed information visit
www.patriothacking.com

HOW CRIMINALS PLAN THE ATTACKS


 Criminals use many methods and tools to locate the vulnerabilities of their target.
 The target can be an individual and/or an organization.
 Criminals plan passive and active attacks.
 Active attacks are usually used to alter the system (i.e., computer network), whereas
passive attacks attempt to gain information about the target.
 Active attacks may affect the availability, integrity and authenticity of data, whereas
passive attacks lead to a violation of confidentiality.

The following phases are involved in planning cybercrime:


1. Reconnaissance (information gathering) is the first phase and is treated as passive attacks.
2. Scanning and scrutinizing the gathered information for the validity of the information as well as
to identify the existing vulnerabilities.
3. Launching an attack (gaining and maintaining the system access).

Reconnaissance


 The literal meaning of “Reconnaissance” is an act of finding something or somebody
(especially to gain information about an enemy or potential enemy).
 In the world of “hacking,” reconnaissance phase begins with “Footprinting” – this is the
preparation toward pre-attack phase, and involves accumulating data about the target’s
environment and computer architecture to find ways to intrude into that environment.
 Footprinting gives an overview about system vulnerabilities and provides a judgment about
possible exploitation of those vulnerabilities.
 The objective of this preparatory phase is to understand the system, its networking ports and
services, and any other aspects of its security that are needed for launching the attack.
 Thus, an attacker attempts to gather information in two phases: passive and active attacks. Let us
understand these two phases.
Passive Attacks
A passive attack involves gathering information about a target without his/her (the individual’s
or company’s) knowledge. It can be as simple as watching a building to identify what time
employees enter the building premises. However, it is usually done using Internet searches or by
Googling (i.e., searching for the required information with the help of the search engine Google) an
individual or company to gain information.
1. Google or Yahoo search: People search to locate information about employees.
2. Surfing online community groups like Orkut/Facebook will prove useful to gain information
about an individual.
3. An organization’s website may provide a personnel directory or information about key employees, for
example, contact details, E-Mail addresses, etc. These can be used in a social engineering attack to
reach the target (see Section 2.3).
4. Blogs, newsgroups, press releases, etc. are generally used as the mediums to gain information
about the company or employees.
5. Going through the job postings for particular job profiles of technical persons can provide
information about the type of technology, that is, servers or infrastructure devices, a company may be
using on its network.

Active Attacks
An active attack involves probing the network to discover individual hosts to confirm the
information (IP addresses, operating system type and version, and services on the network)
gathered in the passive attack phase. It involves the risk of detection and is also called “rattling
the doorknobs” or “active reconnaissance.” Active reconnaissance can provide confirmation to
an attacker about the security measures in place (e.g., whether the front door is locked), but the
process can also increase the chance of being caught or raise suspicion.

Scanning and Scrutinizing Gathered Information


Scanning is a key step in intelligently examining the information gathered about the
target.
The objectives of scanning are as follows:
1. Port scanning: Identify open/closed ports and services. Refer to Box 2.5.
2. Network scanning: Understand IP addresses and related information about the computer
network systems.
3. Vulnerability scanning: Understand the existing weaknesses in the system.
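Port scanning and network scanning leave a footprint a defender can look for: one source touching many distinct ports on a host within a short time. The Python example below is added here (it is not from the book) and runs a sliding-window detector over a few constructed firewall log lines. The log format, the addresses, the 60-second window and the threshold of eight distinct ports are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines in an assumed format (not from any real device):
#   <ISO timestamp> <ACTION> src=<ip> dst=<ip> dport=<port>
# 203.0.113.9 touches ten ports on one host within five seconds; 198.51.100.4 is
# ordinary traffic plus a single later denied connection.
SAMPLE_LOG = """\
2024-05-01T10:00:00 DENY src=203.0.113.9 dst=192.0.2.10 dport=21
2024-05-01T10:00:01 DENY src=203.0.113.9 dst=192.0.2.10 dport=22
2024-05-01T10:00:01 DENY src=203.0.113.9 dst=192.0.2.10 dport=23
2024-05-01T10:00:02 DENY src=203.0.113.9 dst=192.0.2.10 dport=25
2024-05-01T10:00:02 DENY src=203.0.113.9 dst=192.0.2.10 dport=80
2024-05-01T10:00:03 DENY src=203.0.113.9 dst=192.0.2.10 dport=110
2024-05-01T10:00:03 DENY src=203.0.113.9 dst=192.0.2.10 dport=143
2024-05-01T10:00:04 DENY src=203.0.113.9 dst=192.0.2.10 dport=443
2024-05-01T10:00:04 DENY src=203.0.113.9 dst=192.0.2.10 dport=445
2024-05-01T10:00:05 DENY src=203.0.113.9 dst=192.0.2.10 dport=3389
2024-05-01T10:00:05 ALLOW src=198.51.100.4 dst=192.0.2.10 dport=443
2024-05-01T10:00:30 ALLOW src=198.51.100.4 dst=192.0.2.10 dport=443
2024-05-01T10:01:00 ALLOW src=198.51.100.4 dst=192.0.2.10 dport=443
2024-05-01T10:05:00 DENY src=198.51.100.4 dst=192.0.2.10 dport=22
"""


def parse_line(line):
    """Turn one log line into a dict; raises ValueError on a malformed line."""
    ts, action, src, dst, dport = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "action": action,
        "src": src.split("=", 1)[1],
        "dst": dst.split("=", 1)[1],
        "dport": int(dport.split("=", 1)[1]),
    }


def detect_port_scans(log_text, window=timedelta(seconds=60), threshold=8):
    """Flag (src, dst) pairs where one source touches at least `threshold`
    distinct destination ports on one host inside any interval of length
    `window`. Returns {(src, dst): most distinct ports seen in one window}."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["time"])
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)
    alerts = {}
    for pair, evs in by_pair.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until the span fits inside `window`
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            ports = {x["dport"] for x in evs[start:end + 1]}
            if len(ports) >= threshold:
                alerts[pair] = max(alerts.get(pair, 0), len(ports))
    return alerts


if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports within 60s")
```

Both allowed and denied connections are counted, because a scan of a host with several open services produces a mix of the two; on a real perimeter the threshold and window would be tuned against the normal fan-out of legitimate clients.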

Attack (Gaining and Maintaining the System Access)


After the scanning and enumeration, the attack is launched using the following steps:
1. Crack the password.
2. Exploit the privileges.
3. Execute the malicious commands/applications.
4. Hide the files (if required).
5. Cover the tracks – delete the access logs, so that there is no trail of the illicit activity.
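Step 5, deleting the access logs, is exactly what a tamper-evident log is meant to expose. The following Python example is added here (it is not from the original text): each log entry is chained to the hash of the entry before it and the latest hash is kept off-host, so that an entry which has been removed from the middle, edited, or cut from the tail no longer reproduces the recorded chain. The log entries, the genesis value and the off-host "head" copy are constructed assumptions for the illustration.

```python
import hashlib

# Fixed starting value for the chain (an assumption for the example).
GENESIS = "0" * 64


def chain_entry(prev_hash, entry):
    """Hash this entry together with the previous hash, so every entry is
    bound to everything written before it."""
    return hashlib.sha256((prev_hash + "\n" + entry).encode()).hexdigest()


def build_chain(entries):
    """Return a list of (entry, hash) pairs. The final hash is the chain head;
    a deployment would ship it (and ideally every hash) to a separate
    write-once store that the logging host cannot modify."""
    prev = GENESIS
    chained = []
    for entry in entries:
        prev = chain_entry(prev, entry)
        chained.append((entry, prev))
    return chained


def verify_chain(chained, expected_head):
    """Recompute the chain over what is still on disk.
    Returns (True, None) if intact, otherwise (False, index) where index is
    the first entry whose stored hash does not match (an edit or a deletion
    in the middle) or len(chained) when the tail has been cut off so that
    the recomputed head differs from the off-host copy."""
    prev = GENESIS
    for i, (entry, stored) in enumerate(chained):
        prev = chain_entry(prev, entry)
        if prev != stored:
            return False, i
    if prev != expected_head:
        return False, len(chained)
    return True, None


# Constructed access-log entries for the illustration.
SAMPLE_ENTRIES = [
    "10:00:01 sshd: Accepted password for alice from 198.51.100.4",
    "10:05:12 sshd: Accepted password for svc-backup from 203.0.113.9",
    "10:05:40 sudo: svc-backup : COMMAND=/bin/bash",
    "10:07:03 sshd: session closed for user svc-backup",
]


def demo():
    """Show the three outcomes: intact, middle entries removed, tail truncated."""
    chained = build_chain(SAMPLE_ENTRIES)
    head = chained[-1][1]                       # copy held off-host
    intact = verify_chain(chained, head)
    # entries 1 and 2 (the svc-backup session) are missing from the file
    scrubbed = [chained[0], chained[3]]
    middle_removed = verify_chain(scrubbed, head)
    # the file has been truncated after its first two lines
    truncated = verify_chain(chained[:2], head)
    return intact, middle_removed, truncated


if __name__ == "__main__":
    print(demo())
```

The chain only proves something if at least the head hash lives somewhere the compromised host cannot rewrite (a remote syslog collector, a write-once bucket); a chain stored entirely alongside the log can be regenerated by whoever deleted the entries.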

SOCIAL ENGINEERING
 Social engineering is the “technique to influence” and “persuasion to deceive” people to obtain
information or to make them perform some action.
 Social engineers exploit the natural tendency of a person to trust the social engineer’s word, rather than
exploiting computer security holes.
 It is generally agreed that people are the weak link in security and this principle makes social
engineering possible.
 A social engineer usually uses telecommunication (i.e., telephone and/or cell phone) or the Internet to
get people to do something that is against the security practices and/or policies of the organization.
 Social engineering involves gaining sensitive information or unauthorized access privileges by
building inappropriate trust relationships with insiders.
 It is an art of exploiting the trust of people, who do not doubt someone speaking to them in a normal
manner.
 The goal of a social engineer is to fool someone into providing valuable information or access to
that information.
 Social engineers study human behavior, knowing that people will help because of the desire to be
helpful, the tendency to trust people, and the fear of getting into trouble.
 The sign of truly successful social engineers is that they receive information without raising any suspicion.
 A simple example is calling a user and pretending to be someone from the service desk working on
a network issue; the attacker then proceeds to ask questions about what the user is working on,
what file shares he/she uses, what his/her password is, and so on (see Box 2.6).

Box 2.6 | Social Engineering Example


Mr. Joshi: Hello?
The Caller: Hello, Mr. Joshi. This is Geeta Thomas from Tech Support. Due to some disk space
constraints on the file server, we will be moving few user’s home directories to another disk.
This activity will be performed tonight at 8:00 p.m. Your account will be a part of this move and
will be unavailable temporarily.
Mr. Joshi: Ohh … okay. I will be at my home by then, anyway.
Caller: Great!!! Please ensure to log off before you leave office. We just need to check a couple
of things. What is your username?
Mr. Joshi: Username is “pjoshi.” None of my files will be lost in the move, right?
Caller: No sir. But we will have to check your account to ensure the same. What is the
password of that account?
Mr. Joshi: My password is “ABCD1965,” all characters in upper case.
Caller: Ok, Mr. Joshi. Thank you for your cooperation. We will ensure that all the files are
there.
Mr. Joshi: Thank you. Bye.
Caller: Bye and have a nice day.

Classification of Social Engineering

Human-Based Social Engineering


 Human-based social engineering refers to person-to-person interaction to get the
required/desired information.
 An example is calling the help desk and trying to find out a password.
1. Impersonating an employee or valid user:
 “Impersonation” is perhaps the greatest technique used by social engineers to deceive people.
 Social engineers “take advantage” of the fact that most people are basically helpful, so it seems
harmless to tell someone who appears to be lost where the computer room is located, or to
let someone into the building who “forgot” his/her badge, etc. The attacker may likewise pretend
to be an employee or valid user on the system.
2. Posing as an important user:
 The attacker pretends to be an important user – for example, a Chief Executive Officer (CEO) or
high-level manager who needs immediate assistance to gain access to a system.
 The attacker uses intimidation so that a lower-level employee such as a help-desk worker will help
him/her in gaining access to the system. Most of the low-level employees will not ask any
question to someone who appears to be in a position of authority.
3. Using a third person:
 An attacker pretends to have permission from an authorized source to use a system. This trick is
useful when the supposedly authorized person is on vacation or cannot be contacted for
verification.
4. Calling technical support:
 Calling the technical support for assistance is a classic social engineering example.
 Help-desk and technical support personnel are trained to help users, which makes them good prey
for social engineering attacks.
5. Shoulder surfing:
 It is a technique of gathering information such as usernames and passwords by watching over a
person’s shoulder while he/she logs into the system, thereby helping an attacker to gain access to
the system.
6. Dumpster diving:
 It involves looking in the trash for information written on pieces of paper or computer
printouts.
 This is a typical North American term; it is used to describe the practice of rummaging through
commercial or residential trash to find useful free items that have been discarded.
 It is also called dumpstering, binning, trashing, garbing or garbage gleaning.
 “Scavenging” is another term to describe these habits.
 In the UK, the practice is referred to as “binning” or “skipping” and the person doing it is a
“binner” or a “skipper.”

Computer-Based Social Engineering


 Computer-based social engineering refers to an attempt made to get the required/desired
information by using computer software/the Internet.
 For example, sending a fake E-Mail to the user and asking him/her to re-enter a password on a
webpage to confirm it.
1. Fake E-Mails:
 The attacker sends fake E-Mails (see Box 2.7) to users in such a way that the user takes it to be a real
e-mail.
 This activity is also called “Phishing”.
 It is an attempt to lure Internet users (netizens) into revealing their personal information, such as
usernames, passwords and credit card details, by impersonating a trustworthy and legitimate
organization or individual.
 Banks, financial institutes and payment gateways are the common targets.
 Phishing is typically carried out through E-Mails or instant messaging and often directs users to
enter details at a website, usually designed by the attacker to mimic the look and feel of the
original website.
 Thus, Phishing is also an example of social engineering techniques used to fool netizens.
 The term “Phishing” evolved from the analogy that Internet scammers use E-Mail lures to
fish for passwords and financial data from the sea of Internet users (i.e., netizens).
 The term was coined in 1996 by hackers who were stealing AOL Internet accounts by scamming
passwords without the knowledge of AOL users.
 As hackers have a tendency to replace “f” with “ph,” the term “Phishing” came into being.
2. E-Mail attachments:
 E-Mail attachments are used to send malicious code (e.g., a keylogger utility to capture passwords)
to a victim’s system, where it will get executed automatically.
 Viruses, Trojans and worms can be cleverly included in attachments designed to entice a victim to
open them.
3. Pop-up windows:
 Pop-up windows are also used, in a similar manner to E-Mail attachments. Pop-up windows with
special offers or free stuff can encourage a user to unintentionally install malicious software.
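Fake E-Mails of the kind described above usually carry several inconsistencies that an automated check can surface before the user ever sees the message. The Python example below is added here (it is not from the book) and applies a handful of such checks to two constructed messages using the standard library's email parser: whether the sender domain is one the organization trusts, whether Reply-To points somewhere other than the sender, urgency wording in the subject, links whose visible text names a different host than the real target, and links that point to a bare IP address. The trusted-domain list, the sample messages, the keyword list and the scoring threshold are assumptions for the illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed suspicious message; every domain and address is a documentation/example value.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <alerts@example-bank-verify.net>
Reply-To: recovery@mail.example.org
To: pjoshi@example.com
Subject: Urgent: confirm your password to avoid account suspension
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended tonight unless you confirm your password.</p>
<p><a href="http://203.0.113.55/login">https://www.example-bank.com/login</a></p>
</body></html>
"""

# Constructed legitimate message from the assumed real institution.
BENIGN_EMAIL = """\
From: "Example Bank" <statements@example-bank.com>
To: pjoshi@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is available.</p>
<p><a href="https://www.example-bank.com/statements">View statement</a></p></body></html>
"""

TRUSTED_DOMAINS = {"example-bank.com"}          # assumed: the institution's real domain
URGENCY_WORDS = ("urgent", "suspend", "verify", "confirm your password")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def analyse(raw):
    """Return a list of finding codes for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    codes = []

    from_hdr = msg["From"]
    sender = from_hdr.addresses[0] if from_hdr and from_hdr.addresses else None
    if sender and sender.domain.lower() not in TRUSTED_DOMAINS:
        codes.append("untrusted-sender-domain")

    reply = msg["Reply-To"]
    if sender and reply and reply.addresses:
        if reply.addresses[0].domain.lower() != sender.domain.lower():
            codes.append("reply-to-mismatch")

    subject = (msg["Subject"] or "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        codes.append("urgency-language")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in LINK_RE.findall(html):
        target = (urlparse(href).hostname or "").lower()
        if IPV4_RE.fullmatch(target):
            codes.append("link-to-ip-address")
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if "://" in shown:                       # link text that itself looks like a URL
            shown_host = (urlparse(shown).hostname or "").lower()
            if shown_host and shown_host != target:
                codes.append("link-text-mismatch")
    return codes


def is_suspicious(raw, threshold=2):
    """Assumed policy: two or more findings is enough to quarantine for review."""
    return len(analyse(raw)) >= threshold


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, is_suspicious(raw), analyse(raw))
```

Heuristics like these are a first filter, not a verdict: a well-crafted fake can pass all of them, and a legitimate mass mailing can trip one or two, which is why the threshold is meant to route a message to review rather than to delete it.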

CYBERSTALKING
 The dictionary meaning of “stalking” is an “act or process of following prey stealthily – trying to
approach somebody or something.”
 Cyberstalking has been defined as the use of information and communications technology,
particularly the Internet, by an individual or group of individuals to harass another individual,
group of individuals, or organization.
 The behavior includes false accusations, monitoring, transmission of threats, ID theft, damage to
data or equipment, solicitation of minors for sexual purposes, and gathering information for
harassment purposes.
 Cyberstalking refers to the use of the Internet and/or other electronic communications devices to
stalk another person.
 It involves harassing or threatening behavior that an individual conducts repeatedly, for
example, following a person, visiting a person’s home and/or business place, making phone
calls, leaving written messages, or vandalizing the person’s property. As the Internet has
become an integral part of our personal and professional lives, cyberstalkers take advantage of
the ease of communication and the increased access to personal information available with a few
mouse clicks or keystrokes.

Types of Stalkers
There are primarily two types of stalkers.
1. Online stalkers:
 They aim to start the interaction with the victim directly with the help of the Internet.
 E-Mail and chat rooms are the most popular communication media for getting connected with the
victim, rather than traditional means like the telephone/cell phone.
 The stalker makes sure that the victim recognizes the attack attempted on him/her.
 The stalker can make use of a third party to harass the victim.
2. Offline stalkers:
 The stalker may begin the attack using traditional methods such as following the victim, watching
the daily routine of the victim, etc.
 Searching message boards/newsgroups, personal websites, and people-finding services or
websites are the most common ways to gather information about the victim using the Internet.
 The victim is not aware that the Internet has been used to perpetrate an attack against them.
Cases Reported on Cyberstalking

 The majority of cyberstalkers are men and the majority of their victims are women.
 Some cases also have been reported where women act as cyberstalkers and men as the victims as
well as cases of same-sex cyberstalking.
 In many cases, the cyberstalker and the victim hold a prior relationship, and the cyberstalking
begins when the victim attempts to break off the relationship, for example, ex-lover, ex-spouse,
boss/subordinate, and neighbor.
 However, there also have been many instances of cyberstalking by strangers.

How Stalking Works?


It is seen that stalking works in the following ways:
1. Personal information gathering about the victim: name; family background; contact details such
as cell phone and telephone numbers (of residence as well as office); address of residence as well
as of the office; E-Mail address; date of birth, etc.
2. Establishing contact with the victim through telephone/cell phone. Once the contact is established, the
stalker may make calls to the victim to threaten/harass.
3. Stalkers will almost always establish contact with the victim through E-Mail. The letters may
have a loving or threatening tone, or can be sexually explicit. The stalker may use multiple
names while contacting the victim.
4. Some stalkers keep on sending repeated E-Mails asking for various kinds of favors or threatening the
victim.
5. The stalker may post the victim’s personal information on any website related to illicit services
such as sex-workers’ services or dating services, posing as if the victim has posted the
information, and invite people to call the victim on the given contact details (telephone
numbers/cell phone numbers/E-Mail address) for sexual services. The stalker will use bad
and/or offensive/attractive language to invite interested persons.
6. Whosoever comes across the information starts calling the victim on the given contact details
(telephone/cell phone numbers), asking for sexual services or relationships.
7. Some stalkers subscribe/register the E-Mail account of the victim to innumerable pornographic and
sex sites, because of which the victim will start receiving such unsolicited E-Mails.

Real-Life Incident of Cyberstalking Case Study


The Indian police registered the first case of cyberstalking in Delhi – a brief account of the
case is given here. To maintain the confidentiality and privacy of the entities involved,
we have changed their names.
 Mrs. Joshi received almost 40 calls in 3 days, mostly at odd hours, from as far away as Kuwait,
Cochin, Bombay and Ahmadabad.
 The said calls created havoc in the personal life of Mrs. Joshi, destroying her mental peace, and she
decided to register a complaint with Delhi Police.
 A person was using her ID to chat over the Internet at the website www.mirc.com, mostly in the
Delhi channel, for four consecutive days.
 This person was chatting on the Internet, using her name and giving her address, talking in
obscene language.
 The same person was also deliberately giving her telephone number to other chatters,
encouraging them to call Mrs. Joshi at odd hours.
 This was the first time a case of cyberstalking was registered.
 Cyberstalking does not have a standard definition, but it can be defined to mean threatening,
unwarranted behavior or advances directed by one person toward another person using the Internet
and other forms of online communication channels as the medium.

Box 2.8 | Cyberbullying


The National Crime Prevention Council defines cyberbullying as “when the Internet,
cell phones or other devices are used to send or post text or images intended to hurt or embarrass
another person.”
www.StopCyberbullying.org, an expert organization dedicated to Internet safety,
security, and privacy, defines cyberbullying as “a situation when a child, tween, or teen is
repeatedly ‘tormented, threatened, harassed, humiliated, embarrassed, or otherwise targeted’ by
another child, tween, or teen using text messaging, E-Mail, instant messaging, or any other type
of digital technology.”
The practice of cyberbullying is not limited to children and, while the behavior is
identified by the same definition in adults, the distinction in age groups means it is referred to as
cyberstalking or cyberharassment when perpetrated by adults toward adults.
Source: http://en.wikipedia.org/wiki/Cyber-bullying (2 April 2009).

CYBERCAFE AND CYBERCRIMES

 In February 2009, Nielsen survey on the profile of cybercafes users in India, it was found that 90%
of the audience, across eight cities and 3,500 cafes, were male and in the age group of 15–35 years;
52% were graduates and postgraduates, though almost over 50% were students.
 Hence, it is extremely important to understand the IT security and governance practiced in the
cybercafes.
 In the past several years, many instances have been reported in India, where cybercafes are known
to be used for either real or false terrorist communication.
 Cybercrimes such as stealing of bank passwords and subsequent fraudulent withdrawal of money
have also happened through cybercafes.
 Cybercafes have also been used regularly for sending obscene mails to harass people.
 Public computers, such as the systems available in cybercafes, carry two types of risk.
 First, we do not know what programs are installed on the computer – that is, there is a risk of malicious programs such as keyloggers or Spyware running in the background, which can capture keystrokes to learn passwords and other confidential information and/or monitor browsing behavior.
 Second, over-the-shoulder surfing can enable others to find out your passwords. Therefore, one has to be extremely careful about protecting his/her privacy on such systems, as one does not know who will use the computer after him/her.
 The Indian Information Technology Act (ITA) 2000 does not define cybercafes; it treats them as “network service providers” under Section 79, which imposes on them a responsibility for “due diligence,” failing which they would be liable for offenses committed on their network.
 Cybercriminals prefer cybercafes to carry out their activities.
 The criminals tend to identify one particular personal computer (PC) to prepare it for their
use.
 Cybercriminals can either install malicious programs such as keyloggers and/or Spyware or
launch an attack on the target.
 Cybercriminals will visit these cafes at a particular time and on the prescribed frequency, maybe
alternate day or twice a week.
 A recent survey conducted in one of the metropolitan cities in India reveals the following facts:

1. Pirated software such as the OS, browser, and office automation software (e.g., Microsoft Office) is installed on all the computers.
2. Antivirus software is found not to be updated to the latest patch and/or antivirus signature.
3. Several cybercafes had installed the software called “Deep Freeze” to protect the computers from prospective malware attacks. Deep Freeze wipes out the details of all activities carried out on the computer when one clicks the “restart” button. Such practices present challenges to the police or crime investigators when they visit the cybercafes to pick up clues after the Internet Service Provider (ISP) points to a particular IP address from where a threat mail was probably sent or an online Phishing attack was carried out, as there are no logged files left to retrieve.
4. An annual maintenance contract (AMC) is found not to be in place for servicing the computers; hence, the hard disks of the computers are not formatted unless a computer is down. Not having the AMC is a risk from the cybercrime perspective because a cybercriminal can install Malicious Code on a computer and conduct criminal activities without any interruption.
5. Pornographic websites and other similar websites with indecent content are not blocked.
6. Cybercafe owners have very little awareness about IT Security and IT Governance.
7. Government/ISPs/State Police (cyber cell wing) do not seem to provide IT Governance guidelines to cybercafe owners.
8. The cybercafe association or State Police (cyber cell wing) do not seem to conduct periodic visits to cybercafes – one of the cybercafe owners whom we interviewed expressed the view that the police will not visit a cybercafe unless a criminal activity is registered by filing a First Information Report (FIR). Cybercafe owners feel that the police have very little knowledge about the technical aspects involved in cybercrimes and/or about the conceptual understanding of IT security. There are thousands of cybercafes across India.

In the event that a central agency takes up the responsibility for monitoring cybercafes, an individual should still take care while visiting and/or operating from a cybercafe. Here are a few tips for safety and security while using a computer in a cybercafe:
1. Always logout:
2. Stay with the computer:
3. Clear history and temporary files:
4. Be alert:
5. Avoid online financial transactions:
6. Change passwords:
7. Use Virtual keyboard:
8. Security warnings:

Botnets: The Fuel for Cybercrime


Botnet

 The dictionary meaning of Bot is “(computing) an automated program for doing some particular
task, often over a network.”
 Botnet is a term used for collection of software robots, or Bots, that run autonomously and
automatically.
 The term is often associated with malicious software but can also refer to the network of computers
using distributed computing software.
 In simple terms, a Bot is simply an automated computer program. One can gain control of computers by infecting them with a virus or other Malicious Code that gives the access.
 A computer system may be part of a Botnet even though it appears to be operating normally.
 Botnets are often used to conduct a range of activities, from distributing Spam and viruses to
conducting denial-of-service (DoS) attacks.
 A Botnet (also called as zombie network) is a network of computers infected with a malicious
program that allows cybercriminals to control the infected machines remotely without the users’
knowledge.
 “Zombie networks” have become a source of income for entire groups of cybercriminals. The
invariably low cost of maintaining a Botnet and the ever diminishing degree of knowledge required
to manage one are conducive to the growth in popularity and, consequently, the number of Botnets.
 If someone wants to start a “business” and has no programming skills, there are plenty of “Bot for
sale” offers on forums.
 Encryption of these programs’ code can also be ordered in the same way, to protect them from detection by antivirus tools.
 Another option is to steal an existing Botnet. Figure 2.8 explains how Botnets create business.
 One can reduce the chances of becoming part of a Botnet by limiting access into the system.
 Leaving your Internet connection ON and unprotected is just like leaving the front door of the
house wide open.

One can ensure the following to secure the system:


1. Use antivirus and anti-Spyware software and keep it up-to-date:
2. Set the OS to download and install security patches automatically:
3. Use a firewall to protect the system from hacking attacks while it is connected to the Internet: A firewall is software and/or hardware that is designed to block unauthorized access while permitting authorized communications.
4. Disconnect from the Internet when you are away from your computer:
5. Download freeware only from websites that are known and trustworthy:
6. Check regularly the folders in the mail box – “sent items” or “outgoing” – for those messages you
did not send:
7. Take an immediate action if your system is infected:

Box 2.9 | Technical Terms


Malware: It is malicious software, designed to damage a computer system without the
owner’s informed consent. Viruses and worms are the examples of malware.
Adware: It is advertising-supported software, which automatically plays, displays, or downloads advertisements to a computer after the software is installed on it or while the application is being used. A few Spywares are classified as Adware.
Spam: It means unsolicited or undesired E-Mail messages.
Spamdexing: It is also known as search Spam or search engine Spam. It involves a number of
methods, such as repeating unrelated phrases, to manipulate the relevancy or prominence of
resources indexed by a search engine in a manner inconsistent with the purpose of the indexing
system.
DDoS: Distributed denial-of-service attack (DDoS) occurs when multiple systems flood the
bandwidth or resources of a targeted system, usually one or more web servers. These systems
are compromised by attackers using a variety of methods.
Attack Vector

 An “attack vector” is a path by which an attacker can gain access to a computer or to a network server in order to deliver a payload or malicious outcome.
 Attack vectors enable attackers to exploit system vulnerabilities, including the human element.
 Attack vectors include viruses, E-Mail attachments, webpages, pop-up windows, instant
messages, chat rooms, and deception. All of these methods involve programming (or, in a few
cases, hardware), except deception, in which a human operator is fooled into removing or
weakening system defenses.
 To some extent, firewalls and antivirus software can block attack vectors.
 However, no protection method is totally attack-proof.
 A defense method that is effective today may not remain so for long because attackers are
constantly updating attack vectors, and seeking new ones, in their quest to gain unauthorized
access to computers and servers. Refer to Box 2.10.
 The most common malicious payloads are viruses (which can function as their own attack
vectors), Trojan Horses, worms, and Spyware.
 If an attack vector is thought of as a guided missile, its payload can be compared to the warhead in
the tip of the missile.
 In technical terms, the payload is the necessary data being carried within a packet or other transmission unit – in this scenario (i.e., attack vector) payload means the malicious activity that the attack performs.
 From the technical perspective, payload does not include the “overhead” data required to get the
packet to its destination. Payload may depend on the following point of view: “What constitutes
it?” To a communications layer that needs some of the overhead data to do its job, the payload is
sometimes considered to include that part of the overhead data that this layer handles. The attack
vectors described here are how most of them are launched.

1. Attack by E-Mail: The content is either embedded in the message or linked to by the message. Sometimes attacks combine the two vectors, so that if the message does not get you, the attachment will. Spam is almost always a carrier for scams, fraud, dirty tricks, or malicious action of some kind. Any link that offers something “free” or tempting is suspect.
2. Attachments (and other files): Malicious attachments install malicious computer code. The code
could be a virus, Trojan Horse, Spyware, or any other kind of malware. Attachments attempt to
install their payload as soon as you open them.
3. Attack by deception: Deception is aimed at the user/operator as a vulnerable entry point. It is not just malicious computer code that one needs to monitor. Fraud, scams, and to some extent Spam, not to mention viruses, worms and such, require the unwitting cooperation of the computer’s operator to succeed. Social engineering is another form of deception that is often an attack vector too.
4. Hackers: Hackers/crackers are a formidable attack vector because, unlike ordinary Malicious Code, people are flexible and they can improvise. Hackers/crackers use a variety of hacking tools, heuristics, and social engineering to gain access to computers and online accounts. They often install a Trojan Horse to commandeer the computer for their own use.
5. Heedless guests (attack by webpage): Counterfeit websites are used to extract personal information. Such websites look very much like the genuine websites they imitate. One may think he/she is doing business with someone he/she trusts. However, he/she is really giving away personal information, like address, credit card number, and expiration date. They are often used in conjunction with Spam, which gets you there in the first place. Pop-up webpages may install Spyware, Adware or Trojans.
6. Attack of the worms: Many worms are delivered as E-Mail attachments, but network worms use
holes in network protocols directly. Any remote access service, like file sharing, is likely to be
vulnerable to this sort of worm. In most cases, a firewall will block system worms. Many of these
system worms install Trojan Horses.
7. Malicious macros: Microsoft Word and Microsoft Excel are some of the examples that allow macros. A macro does something like automating a spreadsheet, for example. Macros can also be used for malicious purposes. All Internet services like instant messaging, Internet Relay Chat (IRC), and P2P file-sharing networks rely on cozy connections between the computer and the other computers on the Internet. If one is using P2P software then his/her system is more vulnerable to hostile exploits.
8. Foistware (sneakware): Foistware is software that adds hidden components to the system in a cunning manner. Spyware is the most common form of foistware. Foistware is partially legal software bundled with some attractive software. Sneak software often hijacks your browser and diverts you to some “revenue opportunity” that the foistware has set up.
9. Viruses: These are malicious computer codes that hitch a ride and carry the payload. Nowadays, virus vectors include E-Mail attachments, downloaded files, worms, etc.

Box 2.10 | Zero-Day Attack


A zero-day (or zero-hour) attack[17] is a computer threat which attempts to exploit computer application vulnerabilities that are unknown to anybody in the world (i.e., undisclosed to the software vendor and software users) and/or for which no patch (i.e., security fix) is available. Zero-day exploits are used or shared by attackers before the software vendor knows about the vulnerability.
Sometimes software vendors discover the vulnerability, but developing a patch can take time. Alternatively, software vendors may also hold back the patch to avoid flooding customers with numerous individual updates. A “zero-day” attack is launched just on or before the first or “zeroth” day of vendor awareness, the reason being that the vendor should not get any opportunity to communicate/distribute a security fix to users of such software. If the vulnerability is not particularly dangerous, software vendors prefer to wait until multiple updates (i.e., security fixes, commonly known as patches) are collected and then release them together as a package. Malware writers are able to exploit zero-day vulnerabilities through several different attack vectors.

Zero-day emergency response team (ZERT): This is a group of software engineers who
work to release non-vendor patches for zero-day exploits. Nevada is attempting to provide
support with the Zeroday Project at www.zerodayproject.com, which purports to provide
information on upcoming attacks and provide support to vulnerable systems. Also, visit the
weblink http://www.isotf.org/zert to get more information about it.

Cloud Computing
 The growing popularity of cloud computing and virtualization among organizations has made them the next target of cybercriminals.
 Cloud computing services, while offering considerable benefits and cost savings, move servers outside the organization’s security perimeter, which makes it easier for cybercriminals to attack these systems.
 Cloud computing is Internet (“cloud”)-based development and use of computer technology
(“computing”).
 The term cloud is used as a metaphor for the Internet, based on the cloud drawing used to depict
the Internet in computer networks.
 Cloud computing is a term used for hosted services delivered over the Internet.
 A cloud service has three distinct characteristics which differentiate it from traditional hosting:

1. It is sold on demand – typically by the minute or the hour;
2. It is elastic in terms of usage – a user can have as much or as little of a service as he/she wants at any given time;
3. The service is fully managed by the provider – a user just needs a PC and an Internet connection.
Significant innovations in distributed computing and virtualization as well as improved access speed over the Internet have generated a great demand for cloud computing.

Why Cloud Computing?


Cloud computing has the following advantages.
1. Applications and data can be accessed from anywhere at any time. Data need not be held on a hard drive on one user’s computer.
2. It could bring hardware costs down. One would need only an Internet connection.
3. Organizations do not have to buy a set of software or software licenses for every employee; instead, they can pay a metered fee to a cloud computing company.
4. Organizations do not have to rent physical space to store servers and databases. Servers and digital storage devices take up space. Cloud computing gives the option of storing data on someone else’s hardware, thereby removing the need for physical space on the front end.
5. Organizations would be able to save money on IT support, because they only need to look after the desktop (i.e., the client) and continuous Internet connectivity instead of servers and other hardware. Cloud computing services can be either private or public.

Types of Services
Services provided by cloud computing are as follows:
1. Infrastructure-as-a-service (IaaS): Services like Amazon Web Services provide virtual servers with unique IP addresses and blocks of storage on demand. Customers benefit from an Application Programming Interface (API) from which they can control their servers. As customers pay for exactly the amount of service they use, as for electricity or water, this service is also called utility computing.
2. Platform-as-a-service (PaaS): It is a set of software and development tools hosted on the provider’s servers. Developers can create applications using the provider’s APIs. Google Apps is one of the most famous PaaS providers. Developers should take notice that there are no interoperability standards; therefore, some providers may not allow you to take your application and put it on another platform.
3. Software-as-a-service (SaaS): It is the broadest market. In this case, the provider allows the customer only to use its applications. The software interacts with the user through a user interface. These applications can be anything from Web-based E-Mail to applications such as Twitter or Last.fm.

Cybercrime and Cloud Computing

 Nowadays, the prime area of risk in cloud computing is the protection of user data. Although cloud computing is an emerging field, the idea has evolved over a few years.
 Risks associated with the cloud computing environment are as follows:
1. Elevated user access – Any data processed outside the organization brings with it an inherent level of risk.
2. Regulatory compliance – Cloud computing service providers are not able and/or not willing to undergo external assessments.
3. Location of the data – The user does not know where the data is stored or in which country it is hosted.
4. Segregation of data – Data of one organization is scattered across different locations.
5. Recovery of the data – In case of any disaster, availability of the services and data is critical.
6. Information security violation reports – Due to the complex IT environment and several customers logging in and out of the hosts, it becomes difficult to trace inappropriate and/or illegal activity.
7. Long-term viability – In case of any major change at the cloud computing service provider (e.g., acquisition and merger, partnership breakage), the service provided is at stake.
INTRODUCTION TO DIGITAL FORENSICS
INTRODUCTION
Computer Forensics is a scientific method of investigation and analysis in order to gather
evidence from digital devices or computer networks and components which is suitable for
presentation in a court of law or legal body. It involves performing a structured investigation
while maintaining a documented chain of evidence to find out exactly what happened on a
computer and who was responsible for it.

TYPES
 Disk Forensics: It deals with extracting raw data from the primary or secondary storage of
the device by searching active, modified, or deleted files.
 Network Forensics: It is a sub-branch of Computer Forensics that involves monitoring and
analyzing the computer network traffic.
 Database Forensics: It deals with the study and examination of databases and their related
metadata.
 Malware Forensics: It deals with the identification of suspicious code and studying viruses,
worms, etc.
 Email Forensics: It deals with emails and their recovery and analysis, including deleted
emails, calendars, and contacts.
 Memory Forensics: Deals with collecting data from system memory (system registers,
cache, RAM) in raw form and then analyzing it for further investigation.
 Mobile Phone Forensics: It mainly deals with the examination and analysis of phones and
smartphones and helps to retrieve contacts, call logs, incoming, and outgoing SMS, etc.,
and other data present in it.
CHARACTERISTICS
 Identification: Identifying what evidence is present, where it is stored, and how it is stored
(in which format). Electronic devices can be personal computers, Mobile phones, PDAs,
etc.
 Preservation: Data is isolated, secured, and preserved. It includes prohibiting unauthorized
personnel from using the digital device so that digital evidence, mistakenly or purposely, is
not tampered with and making a copy of the original evidence.
 Analysis: Forensic lab personnel reconstruct fragments of data and draw conclusions based
on evidence.
 Documentation: A record of all the visible data is created. It helps in recreating and
reviewing the crime scene. All the findings from the investigations are documented.
 Presentation: All the documented findings are produced in a court of law for further
investigations.
PROCEDURE:
The procedure starts with identifying the devices used and collecting the preliminary evidence at the crime scene. A court warrant is then obtained for the seizure of the evidence, which leads to the seizure of the evidence. The evidence is then transported to the forensics lab for further investigation, and the procedure of transporting the evidence from the crime scene to the lab is called the chain of custody. The evidence is then copied for analysis and the original evidence is kept safe, because analysis is always done on the copied evidence and never on the original.
The analysis is then done on the copied evidence for suspicious activities and, accordingly, the findings are documented in a nontechnical tone. The documented findings are then presented in a court of law for further investigations.
APPLICATIONS
 Intellectual Property theft
 Industrial espionage
 Employment disputes
 Fraud investigations
 Misuse of the Internet and email in the workplace
 Forgeries related matters
 Bankruptcy investigations
 Issues concerned the regulatory compliance
Advantages of Computer Forensics:
 It produces evidence for the court, which can lead to the punishment of the culprit.
 It helps companies gather important information on their computer systems or networks potentially being compromised.
 It efficiently tracks down cybercriminals from anywhere in the world.
 It helps to protect the organization’s money and valuable time.
 It allows investigators to extract, process, and interpret the factual evidence, so that the cybercriminal’s actions are proved in court.
Disadvantages of Computer Forensics:
 Before digital evidence is accepted in court, it must be proved that it has not been tampered with.
 Producing and keeping electronic records safe is expensive.
 Legal practitioners must have extensive computer knowledge.
 There is a need to produce authentic and convincing evidence.
 If the tool used for digital forensics does not conform to specified standards, the evidence can be rejected in a court of law.
 A lack of technical knowledge on the part of the investigating officer might not yield the desired result.

WHAT IS FORENSIC SCIENCE?


The term forensic science involves forensic (or forensis, in Latin), which means a public
discussion or debate. In a more modern context, however, forensic applies to courts or the
judicial system. Combine that with science, and forensic science means applying scientific
methods and processes to solving crimes.
From the 16th century, when medical practitioners began using forensic science to writings in the
late 18th century that revealed the first evidence of modern pathology, to the formation of the first
school of forensic science in 1909; the development of forensic science has been used to uncover
mysteries, solve crimes, and convict or exonerate suspects of crime for hundreds of years.
The extraordinary scientific innovations and advancements in forensic science have allowed it to
become a highly developed science that involves a number of disciplines and thousands of
forensic scientists specializing in everything from DNA and botany to dentistry and toolmarks.
The Application of Forensic Science
The field of forensic science draws from a number of scientific branches, including physics,
chemistry, and biology, with its focus being on the recognition, identification, and evaluation of
physical evidence. It has become an essential part of the judicial system, as it utilizes a broad
spectrum of sciences to achieve information relevant to criminal and legal evidence.
Forensic science may prove the existence of a crime, the perpetrator of a crime, or a connection
to a crime through the:
 Examination of physical evidence
 Administration of tests
 Interpretation of data
 Clear and concise reporting
 Truthful testimony of a forensic scientist
Forensic science has become an integral part of many criminal cases and convictions, with objective facts derived through scientific knowledge serving both defense and prosecution arguments. The testimony of forensic scientists has become a trusted component of many civil and criminal cases, as these professionals are concerned not with the outcome of the case but only with their objective testimony based purely on scientific facts.

WHAT IS DIGITAL FORENSIC


Digital Forensics is a branch of forensic science which includes the identification, collection, analysis and reporting of any valuable digital information in digital devices related to computer crimes, as a part of the investigation. In simple words, Digital Forensics is the process of identifying, preserving, analyzing and presenting digital evidence. The first computer crimes were recognized in the 1978 Florida computers act and after this, the field of digital forensics grew rapidly in the late 1980s–90s. It includes areas of analysis like storage media, hardware, operating system, network and applications. It consists of 5 steps at a high level:
1. Identification of evidence: It involves identifying evidence related to the digital crime in storage media, hardware, operating system, network and/or applications. It is the most important and basic step.
2. Collection: It involves preserving the digital evidence identified in the first step so that it does not degrade or vanish with time. Preserving the digital evidence is very important and crucial.
3. Analysis: It involves analyzing the collected digital evidence of the committed computer crime in order to trace the criminal and the possible path used to breach the system.
4. Documentation: It involves proper documentation of the whole digital investigation, the digital evidence, loopholes of the attacked system, etc., so that the case can be studied and analysed in future and can be presented in court in a proper format.
5. Presentation: It involves the presentation of all the digital evidence and documentation in court in order to prove the digital crime committed and identify the criminal.

Branches of Digital Forensics:


 Media forensics: It is the branch of digital forensics which includes identification, collection, analysis and presentation of audio, video and image evidence during the investigation process.
 Cyber forensics: It is the branch of digital forensics which includes identification, collection, analysis and presentation of digital evidence during the investigation of a cyber crime.
 Mobile forensics: It is the branch of digital forensics which includes identification, collection, analysis and presentation of digital evidence during the investigation of a crime committed through a mobile device like a mobile phone, GPS device, tablet or laptop.
 Software forensics: It is the branch of digital forensics which includes identification, collection, analysis and presentation of digital evidence during the investigation of a crime related to software only.
USES OF DIGITAL FORENSIC
Application of Digital Forensics
Digital Forensics is a branch of forensic science that deals with digital evidence in solving a crime under the regulations of law. With the wide availability and use of various digital media and devices, and social media, there are various branches of digital forensics such as mobile forensics, network forensics, database forensics, email forensics, etc. With increasing digital crime in each branch, digital forensics has wide applicability.
The major applications of digital forensics are
o Crime Detection – There are various malwares and malicious activities that happen over digital media and networks, such as phishing, spoofing, ransomware, etc.
o Crime Prevention – There are various cyber crimes that happen due to a lack of security or existing unknown vulnerabilities, such as zero-day vulnerabilities. Hence, cyber forensics helps in finding out these vulnerabilities and preventing such crimes from occurring.
o Crime Analysis – This is the main application of digital forensics. It involves: [2]
o Preservation – This process involves protecting the crime scene and the digital evidence or setup from further manipulation, and photographing and videographing the crime scene for future reference. This process also involves stopping any ongoing command that may be linked to the crime.
o Identification – This process involves identifying the digital media and devices that can serve as potential evidence.
o Extraction – This process involves imaging the digital evidence (to maintain the authenticity of the original evidence) for further analysis.
o Documentation – This involves maintaining the chain of custody and documenting all the evidence collected from the crime scene.
o Interpretation – This involves the making of a report by the digital forensic expert about the analysis conducted on the digital evidence using various tools such as FTK (for imaging and mounting of evidence), Sleuth Kit and Autopsy (which analyze disk images and recover files from them), etc., and presenting it in the court of law. The conclusion is based on the evidence collected and the reconstruction of data fragments.
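The preservation, extraction and documentation steps above, and the procedure paragraph earlier (copy the evidence, analyze only the copy, keep the chain of custody), as an added Python example written for these notes: it is not code from the original text or from FTK, Autopsy or any other tool. The disk contents, item IDs and examiner names are constructed for the demonstration.

```python
"""Evidence imaging with integrity hashes and a chain-of-custody log.

Added illustrative example (not from the original notes or any forensic
tool). Models, in memory, the preservation steps described: image the
original media, hash it at acquisition, work only on a verified copy, and
record every hand-over. Sample 'disk' contents are constructed."""
import hashlib
import io
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an in-memory image or copy."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    """One line of the chain-of-custody record."""
    timestamp: str
    handler: str
    action: str
    sha256: str


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    image: bytes
    acquisition_hash: str
    custody: List[CustodyEntry] = field(default_factory=list)

    def log(self, handler: str, action: str, data: bytes = None) -> str:
        """Append a custody entry, hashing the given data (default: the image)."""
        digest = sha256_hex(self.image if data is None else data)
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.custody.append(CustodyEntry(stamp, handler, action, digest))
        return digest


def acquire_image(source, item_id: str, description: str,
                  examiner: str, block_size: int = 4096) -> EvidenceItem:
    """Read the source media block by block and hash it while copying,
    the way a bit-stream imaging tool does. `source` is any binary stream."""
    hasher = hashlib.sha256()
    blocks = []
    while True:
        block = source.read(block_size)
        if not block:
            break
        hasher.update(block)
        blocks.append(block)
    item = EvidenceItem(item_id, description, b"".join(blocks), hasher.hexdigest())
    item.log(examiner, "acquired image from original media")
    return item


def image_from_bytes(data: bytes, item_id: str, description: str,
                     examiner: str) -> EvidenceItem:
    """Convenience wrapper for media already held as bytes."""
    return acquire_image(io.BytesIO(data), item_id, description, examiner)


def make_working_copy(item: EvidenceItem, examiner: str) -> bytes:
    """Duplicate the image for analysis; the copy's hash must equal the acquisition hash."""
    copy = bytes(item.image)
    digest = item.log(examiner, "created working copy", copy)
    if digest != item.acquisition_hash:
        raise ValueError("working copy does not match acquisition hash")
    return copy


def verify_copy(item: EvidenceItem, data: bytes) -> bool:
    """True if `data` is still bit-for-bit identical to the acquired image."""
    return sha256_hex(data) == item.acquisition_hash


def custody_report(item: EvidenceItem) -> List[str]:
    """Plain-text chain-of-custody record suitable for the case file."""
    lines = [f"Item {item.item_id}: {item.description}",
             f"Acquisition SHA-256: {item.acquisition_hash}"]
    for e in item.custody:
        lines.append(f"{e.timestamp}  {e.handler:<11} {e.action:<38} {e.sha256[:16]}...")
    return lines


def demo():
    """Walk through acquisition, copy, hand-over, and a tamper check."""
    # Constructed sample media: boot sector, slack space, and a file remnant.
    media = io.BytesIO(b"BOOT" + b"\x00" * 60 + b"notes.txt: login history ..." + b"\x00" * 28)
    item = acquire_image(media, "E-001", "cybercafe PC #3 disk (constructed)", "examiner_A")
    copy = make_working_copy(item, "examiner_A")
    item.log("examiner_B", "received working copy for analysis", copy)
    copy_intact = verify_copy(item, copy)
    # Booting the image in a VM on other hardware writes drivers into it
    # (the admissibility problem the notes raise); the hash no longer matches.
    booted = copy[:4] + b"DRV!" + copy[8:]
    booted_intact = verify_copy(item, booted)
    return copy_intact, booted_intact, item


if __name__ == "__main__":
    intact, after_boot, evidence = demo()
    print("\n".join(custody_report(evidence)))
    print("working copy intact:", intact, "| after VM boot intact:", after_boot)
```

Any change to the working copy, deliberate or incidental, shows up as a hash mismatch against the acquisition hash recorded in the first custody entry.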
Challenges in Digital Forensics
The major challenges faced by digital forensic professionals are the growing number and size of evidence items to be analyzed, and cybercriminals being equally equipped with anti-forensic tools to erase digital evidence or to delay the digital evidence generation process. A few of the current challenges in the field of digital forensics are listed as follows: [3]
o Digital Media types- There are various digital devices used these days. The technique
used for one specific device cannot be used for some other device because of the different
characteristics of each device. Moreover, the digital forensic expert must be equipped
with the use of software for analysis and also the device being analysed.
o Online Disks- The large firms store their data on online disks. These generate a huge
amount of data on online disks, and thus, imaging of such huge data takes a lot of time
and also requires the firm to shut their services until the imaging is complete.
o Anonymity of the IP – This is one of the big challenges to cyber forensics. An IP address allows network identification and location addressing of a device connected to a network. However, an IP address can easily be spoofed by cybercriminals and hence can become a hindrance in locating the device. Similar to IP address spoofing, there is MAC address and email address spoofing as well, which becomes a challenge for the digital forensic expert.
o Anti-Digital Forensics – This is used by cybercriminals and also used legitimately by individuals who want to protect their privacy. Anti-digital forensics is a set of techniques and measures used to slow down or incapacitate the process of investigation by manipulating, erasing, or obscuring the data. One of the most commonly used anti-digital forensic techniques is the rootkit, which has been used by cybercriminals for years to hide the activities of malicious code.
o Testing and Validation – With cybercriminals getting better equipped, there is always a need to update the software to efficiently analyze the evidence and also provide valid results that can be made admissible in a court of law. Take the use of Virtual Machines: a VM is a forensic investigation tool that allows investigators to clone the image from the target computer virtually, but when the image is booted on a machine with different hardware, it installs the missing drivers and thus makes the image a modified one, which renders it inadmissible in a court of law.
LOCARD’S EXCHANGE PRINCIPLE
To apply Locard’s Exchange Principle to a cyber crime, we take the example of identity
theft, where someone’s identity is stolen and the perpetrator intends to use the stolen
information to commit further crimes.
Let us further suppose the perpetrator steals the identity through the use of a Trojan horse and
a keyboard logger (the "stupid key logger" is most popular with hackers) on the victim’s computer.
One could contend that in this type of cyber crime Locard’s Exchange Principle does not
apply, because no human is at the crime scene and there is no trace evidence from a human on
the computer or digital media at the scene. In actuality, however, there may be a great deal of
digital evidence, such as the Trojan horse itself, changed passwords, digital logs, and so on.
Thus there is a trace "at, to, and from" the scene. Finding the trace evidence may involve
physical locations other than the single scene of the crime. Additionally, if an unauthorized
user gains access to an unsecured system to exfiltrate information to a remote site, he will, on
the surface, leave no direct evidence because no files were altered. However, if file access logs
were maintained, a record will exist of the file access and the subsequent network transmission.
Even if no log of the files is kept, a side-channel analysis of disk activity, system calls, and
network operations may be available as evidence. Even if these are also unavailable, network
logs at the ISP level might provide evidence of the unauthorized access, even if the exfiltrated
data itself cannot be identified. In both cases the trace remains behind for an investigator to
discover.
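As an added example (not part of the original text), the following script correlates constructed file-access audit lines with constructed network flow records to surface the trace the passage describes: reads of files followed by an outbound transfer large enough to carry them. The log formats, the user-to-host mapping and all addresses are assumptions made for the example.

```python
"""Correlate file-access audit records with later outbound network flows.

Added illustration of the point above (not from the original text): even when no
file is altered, a maintained file-access log together with a network log leaves a
trace an investigator can discover. All log lines, hosts and paths are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed file-access audit lines: timestamp, user, action, path, size in bytes.
FILE_ACCESS_LOG = """\
2024-03-04T10:01:12Z user=jdoe action=READ path=/srv/hr/payroll_2023.xlsx size=248000
2024-03-04T10:02:40Z user=jdoe action=READ path=/srv/hr/employee_ssn.csv size=91000
2024-03-04T13:15:03Z user=msmith action=READ path=/srv/docs/lunch_menu.pdf size=12000
"""

# Constructed network flow lines: timestamp, source host, destination, bytes sent.
NETWORK_LOG = """\
2024-03-04T10:03:05Z src=10.0.5.21 dst=203.0.113.7:443 proto=TCP bytes_out=345000
2024-03-04T10:30:00Z src=10.0.5.21 dst=10.0.0.2:445 proto=TCP bytes_out=2000
2024-03-04T13:16:00Z src=10.0.5.44 dst=198.51.100.9:443 proto=TCP bytes_out=800
"""

# Constructed user-to-workstation mapping (in practice from DHCP or directory logs).
USER_HOST = {"jdoe": "10.0.5.21", "msmith": "10.0.5.44"}

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict; 'ts' becomes a datetime."""
    ts_str, _, rest = line.partition(" ")
    rec = dict(KV.findall(rest))
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_internal(dst):
    """Constructed notion of 'internal' (10.0.0.0/8), enough for the sample data."""
    return dst.split(":")[0].startswith("10.")


def correlate(file_log, net_log, window=timedelta(minutes=10)):
    """Return the (file reads, outbound flow) pairs worth an examiner's attention.

    A flow is flagged when the workstation of a user who read files within `window`
    before it sends, to an external address, at least as many bytes as those files
    held. Each finding lists the reads so the examiner can check the trace.
    """
    accesses = parse_log(file_log)
    findings = []
    for flow in parse_log(net_log):
        if is_internal(flow["dst"]):
            continue
        related = [a for a in accesses
                   if USER_HOST.get(a["user"]) == flow["src"]
                   and timedelta(0) <= flow["ts"] - a["ts"] <= window]
        if not related:
            continue
        bytes_read = sum(int(a["size"]) for a in related)
        if int(flow["bytes_out"]) >= bytes_read:
            findings.append({
                "user": related[0]["user"],
                "host": flow["src"],
                "dst": flow["dst"],
                "files": [a["path"] for a in related],
                "bytes_read": bytes_read,
                "bytes_out": int(flow["bytes_out"]),
                "flow_ts": flow["ts"].isoformat(),
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(FILE_ACCESS_LOG, NETWORK_LOG):
        print(finding)
```

On the sample data only the first flow is flagged: the small transfer after the lunch-menu read is below the bytes read, and the internal SMB flow is ignored.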

SCIENTIFIC METHOD
The Nine Phases of Digital Forensics
There are nine steps that digital forensic specialists usually take while investigating digital
evidence.
1. First Response

As soon as a security incident occurs and is reported, a digital forensic team jumps into action.
2. Search and Seizure
The team searches devices involved in the crime for evidence and data. Investigators seize the
devices to make sure the perpetrators can’t continue to act.
3. Evidence Collection

After seizing the devices, professionals collect the data using forensic methods to handle the
evidence.
4. Securing of the Evidence

Investigators store evidence in a safe environment. In the secure space, the data can be
authenticated and proved to be accurate and accessible.
5. Data Acquisition

The forensic team retrieves electronically stored information (ESI) from the devices.
Professionals must use proper procedure and care to avoid altering the data and sacrificing the
integrity of the evidence.
6. Data Analysis

Team members sort and examine the authenticated ESI to identify and convert data that is useful
in court.
7. Evidence Assessment

Once ESI is identified as evidence, investigators assess it in relation to the security incident. This
phase is about relating the data gathered directly to the case.
8. Documentation and Reporting

This phase happens once the initial criminal investigation is done. Team members report and
document data and evidence in accordance with the requirements of the court of law.
9. Expert Witness Testimony

An expert witness is a professional who works in a field related to the case. The expert witness
affirms that the data is useful as evidence and presents it in court.
ROLE OF THE FORENSIC EXAMINER IN THE JUDICIAL SYSTEM
A digital forensic examiner’s job is to help in the investigation of crimes and cyber-attacks.
Digital forensic examiners are primarily responsible for retrieving, organizing, and protecting
digital evidence in cybercrime investigations. They recover information from computers and
other electronic storage devices, and keep track of evidence so that it can be used in court.
They conduct or participate in suspect or victim interviews. In addition, before criminal trials,
they assist in the preparation of evidence, and they may provide recommendations to other
investigators on the importance of digital evidence.
Mentoring
A digital forensic examiner oversees junior or less experienced scientists and interns,
mentoring them and assigning their tasks. The examiner provides specific comments on
specific forensic interviews, participates in group discussions, generates suitable research
linked to the subject of forensic interviewing, and continues to improve people skills.
Assessment

A digital forensic examiner is in charge of conducting investigations. An assessment is a useful
tool for evaluating criminal investigations and their conditions.
Documentation

The Digital Forensic Examiner job description includes recording his or her findings and
submitting a report to the court. The forensic analysis of suspicious documents is part of digital
forensic documentation analysis.
Types of a Digital Forensic Examiner
Forensic Psychologist: This specialty focuses on identifying criminals by questioning them and
reviewing relevant evidence to help determine motives and mental states. Forensic psychologists
focus on issues such as the ability to stand trial, to provide information, and to make significant
judgments. They also assess mental illness in relation to criminal risk.
Forensic Scientist: Forensic scientists investigate crime scenes, conduct scientific analysis, and
give factual evidence that can be presented in court. To find clues and assist police
investigations, they use cutting-edge technologies and scientific concepts.
Forensic Anthropologist: Forensic anthropologists evaluate age, gender, nationality, and other
traits that distinguish a crime victim by examining human bones and structural abnormalities.

LABS AND TOOLS


Forensic Laboratories
Forensic Lab Components
Forensic science requires an understanding of all the scientific disciplines, including biology,
chemistry, and physics. A full-service forensic science laboratory requires professionals who
understand the influence of each discipline on the specific circumstances of crime scenes, as well
as the principles of the scientific method. The scientific method, first developed in the 17th
century, is a problem-solving method that involves observation, asking questions, and finding
answers supported by evidence gathered from testing and experimenting.
Crime scene investigation is a classic application of the scientific method, since investigators
must test and analyze various scenarios as they answer the questions of how a crime was
committed and who the likely perpetrator is. In addition to standard scientific equipment,
specific equipment to analyze bodily fluids, hairs, fibers, paint samples, fingerprints, weapons
ballistics, foot and tire tracks, and more is necessary.
Another component of a forensic lab is access to databases developed and maintained by national
and regional law enforcement agencies and colleges or universities. Forensic investigators use
databases to pinpoint answers to questions about evidence collected from the crime scene. Some
databases contain specific records of fingerprints, DNA, stolen guns, and crimes committed.
Investigators access these to identify potential suspects.
Forensic Lab Services
A forensic lab provides a wide variety of services, including:
 Collection and processing of physical evidence from crime scenes
 DNA/Serology analysis
 Analysis of chemistry of substances seized in controlled substance arrests
 Analysis of evidence from firearms
 Examination and analysis of latent prints of fingers, hands, and feet at crime scenes
 Toxicology testing of blood, urine, and other bodily fluids collected from suspects and
victims to identify the presence of alcohol, illegal drugs, or other ingested substances
DNA/Serology Analysis

The forensic analytical tools of DNA/Serology identification involve collecting and identifying
fluids from crime or death scenes. Fluids present at the scene need to be identified as human or
non-human. Forensic scientists specializing in serology determine what type of human fluid
samples are present and if any diseases are present. The fluids can be blood, urine, sweat, saliva,
semen, or even breast milk. Once the fluid is identified, serological forensic scientists can isolate
and identify the DNA in the sample. DNA (deoxyribonucleic acid) is the genetic information
present in all human tissue. DNA is unique to every individual, which makes it a valuable tool
for identifying victims and suspects.
The technology of DNA analysis first became available in 1986. There were many initial
challenges to DNA evidence, but as the technology has improved, it's become widely accepted as
a means of identifying likely criminal suspects and excluding those unlikely to have
involvement. Many cold cases have been solved, and accused offenders have been cleared
through DNA evidence.
Today, law enforcement officials enter DNA profiles of those involved in criminal activity into
the Combined DNA Index System, known as CODIS. The CODIS database helps generate leads
in cases where human biological evidence has been collected. It combines results of DNA
screenings from the Convicted Offender database, including sexual offenses, and the Forensic
Index database, which includes DNA information collected from all crime scenes. Forensic labs
enter DNA profiles collected from crime scenes into the CODIS database and search for
matches, enabling law enforcement to match crime scenes and individuals at the local, state, and
federal levels.

Policies and Procedures


Policy
The Forensic Laboratory policy for issuing confidentiality agreements shall be that:
1. All Forensic Laboratory employees must be issued with, and sign, a confidentiality
agreement (agreements are normally issued at the time of recruitment and form a part of the
contract of employment).
2. No employee shall be allowed access to Forensic Laboratory and Client information
or information processing systems without signing the agreement.
3. The Forensic Laboratory confidentiality agreement must define the undertakings to which
an employee agrees with respect to maintenance of confidentiality and information
security.
The confidentiality agreement is subject to periodic reviews by the Human Resources
Department as follows:
 reviews must be conducted following changes to:
    o job roles;
    o legislation;
    o the Forensic Laboratory policy on Information Security.
 any changes to the confidentiality agreement must be implemented by the Human
Resources Department with suitable input from the General Counsel or specialized
external legal sources.

Procedures
Digital forensics entails the following steps:
 Identification
 Preservation
 Analysis
 Documentation
 Presentation
Process of Digital Forensics
Let’s study each in detail.
Identification

It is the first step in the forensic process. Identification mainly covers what evidence is
present, where it is stored, and how it is stored (in which format). Electronic storage media
can be personal computers, mobile phones, PDAs, etc.
Preservation

In this phase, data is isolated, secured, and preserved. It includes preventing people from using
the digital device so that digital evidence is not tampered with.
Analysis

In this step, investigation agents reconstruct fragments of data and draw conclusions based on
evidence found. However, it might take numerous iterations of examination to support a specific
crime theory.
Documentation

In this process, a record of all the visible data must be created. It helps in recreating the crime
scene and reviewing it. It involves proper documentation of the crime scene along with
photographing, sketching, and crime-scene mapping.
Presentation

In this last step, the conclusions are summarized and explained. The report should be written
in layperson’s terms using abstracted terminology, and every abstracted term should reference
the specific details behind it.

QUALITY ASSURANCE
Digital forensic examinations require an examiner to apply a wide range of techniques to
retrieve data, and frequently examiners must interpret data to offer an expert opinion on what
the data mean. These opinions can affect the outcomes of investigations, prosecutions, or
other remedies. It is therefore essential that organizations have a management system to
engender confidence in the quality of forensic work performed. The quality management
system is the consolidation of practices and procedures used to ensure the quality of the work
and products that the organization produces.
Administrative Review—All digital forensic examination reports must be administratively
reviewed for consistency with agency policy and for editorial correctness.
Technical Review—At least 10 percent of final digital forensic examination reports must be
technically reviewed by another qualified digital forensic examiner (peer reviewed) before the
reports are published.
The reviewing examiner may be from the same or a different organization. The purpose of the
technical review is to ensure the following:
 The report is clear and understandable.
 The procedures performed were adequately documented and forensically sound.
 The exam documentation was sufficiently detailed to enable reproduction of the results.
 The interpretations and conclusions of the examiner were reasonable, supported by the
examination documentation, and scientifically valid.
Validation Testing—Acquiring digital data for forensic examination is a critical phase of the
forensic process. Forensic personnel will often have only one opportunity to obtain the data,
and using untested tools could unintentionally alter the data. To the extent possible,
organizations should ensure the tools they use to acquire digital evidence are validated to
operate as intended and accurately acquire the data. The validation testing may be performed
by the organization or other reputable entity (for example, another digital forensic laboratory).
The organization performing the validation test must document the test, including the
requirements that were tested, the expected results, and the actual results of the testing. To
comply with this standard, the organization must be able to produce the report if requested.
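An added example (not from any standard or vendor) of how a lab might record such a validation test: a stand-in acquisition tool is run against a constructed reference image and the report lists each requirement, its expected result and the actual result. `acquire_ok` and `acquire_truncating` are hypothetical tools standing in for the software under test.

```python
"""Validation test of a disk-acquisition tool, recorded the way the standard above
asks: requirement tested, expected result, actual result, and who ran it.

Added example; the tools under test are stand-in functions (one correct, one that
truncates) and the reference image is constructed, not a real device or product.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

SECTOR = 512


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def make_reference_image(path, sectors=2048):
    """Write a constructed 1 MiB reference image; each sector carries its own number."""
    with open(path, "wb") as f:
        for n in range(sectors):
            f.write(n.to_bytes(4, "big") * (SECTOR // 4))


def acquire_ok(src, dst):
    """Stand-in for a tool that copies every byte of the source."""
    with open(src, "rb") as s, open(dst, "wb") as d:
        for block in iter(lambda: s.read(65536), b""):
            d.write(block)


def acquire_truncating(src, dst):
    """Stand-in for a defective tool that stops one sector short."""
    with open(src, "rb") as s, open(dst, "wb") as d:
        d.write(s.read(os.path.getsize(src) - SECTOR))


def validate_tool(tool, tool_name, tester):
    """Run the acquisition requirements against `tool` and return the test report."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "reference.dd")
        dst = os.path.join(work, "acquired.dd")
        make_reference_image(src)
        ref_size, ref_hash = os.path.getsize(src), sha256_file(src)
        tool(src, dst)
        checks = [
            ("R1: acquired image has the size of the source",
             str(ref_size), str(os.path.getsize(dst))),
            ("R2: acquired image hash matches the source hash",
             ref_hash, sha256_file(dst)),
            ("R3: source is unchanged after acquisition",
             ref_hash, sha256_file(src)),
        ]
    results = [{"requirement": r, "expected": e, "actual": a, "pass": e == a}
               for r, e, a in checks]
    return {
        "tool": tool_name,
        "tester": tester,
        "date": datetime.now(timezone.utc).isoformat(),
        "results": results,
        "validated": all(r["pass"] for r in results),
    }


if __name__ == "__main__":
    for tool, name in ((acquire_ok, "imager-A"), (acquire_truncating, "imager-B")):
        print(json.dumps(validate_tool(tool, name, "examiner (constructed)"), indent=2))
```

The truncating tool fails R1 and R2 but passes R3, which is exactly the kind of result the documented report must preserve.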
Review of Quality System—An organization should review its quality management system at
least once every 3 years to ensure the system is meeting the quality needs of the organization.

DIGITAL FORENSIC TOOLS

FEATURED DIGITAL FORENSICS AND CYBERSECURITY TOOLS


Autopsy
Autopsy is a digital forensics platform and graphical interface that forensic investigators use to
understand what happened on a phone or computer. It aims to be an end-to-end, modular solution
that is intuitive out of the box. Select modules in Autopsy can do timeline analysis, hash
filtering, and keyword search. In addition, they can extract web artifacts, recover deleted files
from unallocated space, and find indicators of compromise. All of this can be done relatively
rapidly.
Autopsy runs background jobs in parallel so that even if a full search takes hours, a user will
know within minutes whether targeted keywords have been found. In addition, investigators
working with multiple devices can create a central repository through Autopsy that will flag
phone numbers, email addresses, or other relevant data points.
Developed by the same team that created The Sleuth Kit, a library of command line tools for
investigating disk images, Autopsy is an open-source solution, available for free in the interests
of education and transparency. Unfortunately, the latest version is written in Java, and it is
currently only available for Windows.
Bulk Extractor
Bulk Extractor scans a file, directory, or disk image. It extracts information without parsing the
file system or file system structures, allowing it to access different parts of the disk in parallel,
making it faster than the average tool. The second advantage of Bulk Extractor is that it can be
used to process practically any form of digital media: hard drives, camera cards, smartphones,
SSDs, and optical drives.
The most recent versions of Bulk Extractor can perform social network forensics and extract
addresses, credit card numbers, URLs, and other types of information from digital evidence.
Other capabilities include creating histograms based on frequently used email addresses and
compiling word lists, which can be helpful for password cracking.
All extracted information can be processed either manually or with one of four automated tools,
one of which incorporates context-specific stop lists (i.e., search terms flagged by the
investigator) that remove some human error from digital forensics investigation. The software is
available for free for Windows and Linux systems.
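As an added example, not Bulk Extractor's own code, the following carves e-mail addresses and URLs from a raw byte image without parsing any file system, builds the frequency histogram and applies an investigator-supplied stop list of known-benign values; the image bytes and the stop list are constructed.

```python
"""Carve e-mail addresses and URLs from a raw image without parsing any file system,
then build the frequency histogram and apply an investigator stop list.

Added example in the spirit of Bulk Extractor's approach; it is not Bulk Extractor's
code. The image bytes and the stop list below are constructed for the example.
"""
import re
from collections import Counter

# Constructed "disk image": mailbox and browser-cache fragments between runs of
# padding, deliberately without any file-system structure to parse.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"From: alice@example.org\r\nTo: bob@example.net\r\n"
    + b"\xff\xfe" * 16
    + b"Visit https://example.org/login?id=7 now\n"
    + b"noreply@example.org ... alice@example.org "
    + b"\x00" * 32
    + b"http://cdn.example.net/logo.png"
    + b"\x90" * 16
)

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(rb"https?://[A-Za-z0-9./?=_%-]+")


def carve(image, pattern, chunk=4096, margin=256):
    """Yield (offset, feature) for every pattern hit, scanning fixed chunks.

    Each chunk is scanned together with `margin` bytes on either side, so a feature
    crossing a chunk boundary is seen whole; only hits that *start* inside the chunk
    are reported, so nothing is reported twice or as a truncated suffix. Features
    longer than `margin` may still be cut, the trade-off a bulk carver accepts for
    speed over a full parse of the media.
    """
    pos = 0
    while pos < len(image):
        lead = min(margin, pos)
        window = image[pos - lead:pos + chunk + margin]
        for m in pattern.finditer(window):
            start = pos - lead + m.start()
            if start < pos:
                continue           # belongs to the previous chunk
            if start >= pos + chunk:
                break              # belongs to the next chunk
            yield start, m.group().decode("ascii", "replace")
        pos += chunk


def histogram(image, pattern, stop_list=()):
    """Count each distinct feature, dropping values on the investigator's stop list."""
    counts = Counter(value for _, value in carve(image, pattern))
    for benign in stop_list:
        counts.pop(benign, None)
    return counts


if __name__ == "__main__":
    for offset, value in carve(SAMPLE_IMAGE, URL_RE):
        print(f"url @ {offset}: {value}")
    print(histogram(SAMPLE_IMAGE, EMAIL_RE, stop_list=("noreply@example.org",)))
```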
COFEE
Microsoft’s Computer Online Forensic Evidence Extractor (COFEE) is a forensic toolkit that
extracts evidence from Windows computers. Developed in 2006 by a former Hong Kong police
officer turned Microsoft executive, the toolkit acts as an automated forensic tool during a live
analysis. It contains more than 150 features and a graphical user interface that guides an
investigator through data collection and examination and helps generate reports after extraction.
Password decryption, internet history recovery, and other data collection forms are all included
in the toolkit.
Microsoft claimed that COFEE had reduced three- to four-hour tasks to under 20 minutes at the
time of its release. In addition, thousands of law enforcement agencies worldwide (including
INTERPOL) use COFEE, and Microsoft provides free technical support.
In November 2009, COFEE was leaked onto multiple torrent sites. So while it is possible—
though incredibly tricky—for criminals to build around the features in COFEE, it is also possible
for the average citizen to now get a look at what was once the industry standard across the world
for digital forensics.
Computer Aided Investigative Environment
CAINE offers a full-scale forensic investigation platform designed to incorporate other tools and
modules into a user-friendly graphic interface. Its interoperable environment is intended to assist
investigators in all four stages of an investigation: preservation, collection, examination, and
analysis. In addition, it comes with dozens of pre-packaged modules (Autopsy, listed above, is
among them). Developed on Linux, the tool is entirely open source and available for free.
Digital Forensics Framework
Digital Forensics Framework (DFF) is an open-source computer forensics platform built upon a
dedicated Application Programming Interface (API). Equipped with a graphical user interface for
simple use and automation, DFF guides a user through the critical steps of a digital investigation
and can be used by both professionals and amateurs alike.
The tool can be used to investigate hard drives and volatile memory and create reports about
system and user activity on the device in question. The DFF was developed with the three main
goals of modularity (allowing for changes to the software by developers), scriptability (allowing
for automation), and genericity (keeping the operating-system agnostic to help as many users as
possible). The software is available for free on GitHub.
DumpZilla
DumpZilla performs browser analysis, specifically of Firefox, Iceweasel, and Seamonkey clients.
In addition, it allows for the visualization and customized search and extraction of cookies,
downloads, history, bookmarks, cache, add-ons, saved passwords, and session data.
Developed in Python, it works under Linux and Windows 32/64 bit systems and DumpZilla is
available for free from the developer’s website. While this was created as a standalone tool, its
specific nature and lean packaging make it a vital component of future digital forensics suites.
EnCase
The recipient of SC Magazine’s “Best Computer Forensic Solution” award for ten consecutive
years, EnCase is considered the gold standard in forensic cybersecurity investigations, including
mobile acquisitions. Since 1998, EnCase has offered forensic software to help professionals find
evidence to testify in criminal investigation cases involving cybersecurity breaches by recovering
evidence and analyzing files on hard drives and mobile phones.
Offering a comprehensive software lifecycle package from triage to final reports, EnCase also
features platforms such as OpenText Media Analyzer, which reduces the amount of content for
investigators to review to close cases faster manually. With four site license options for small
companies; federal, state, and local law enforcement; consulting organizations; and colleges and
universities, it offers criminal justice evidence analysis through just a few clicks.
ExifTool
ExifTool is a platform-independent system for reading, writing, and editing metadata across
various file types. Of particular interest to the digital investigator is the reading of metadata,
which can be achieved through command-line processes or a simple GUI. For example,
investigators can drag and drop different files, such as a PDF, or a JPEG, and learn when and
where the file was created—a crucial component in establishing a chain of evidence.
The software itself is lightweight and quick, making it an ideal inclusion in future digital
forensics suites and easy to use. ExifTool is updated regularly and is available for both Windows
and OSx from the developer’s website.
FTK Imager
For tools such as The Sleuth Kit by Autopsy to work correctly, original digital copies of hard
drives must be preserved before evidence can be extracted. Enter FTK Imager, a free tool that
analyzes images of a drive and preserves the original integrity of the evidence without affecting
its original state.
This tool can read all operating systems and enables users to recover files that have been deleted
from digital recycle bins. In addition, it can parse XFS files and create hashes of files to check
data integrity.
MAGNET RAM Capture
Analyzing a computer’s physical random access memory (RAM), MAGNET RAM Capture
enables cybersecurity investigators to recover and analyze digital artifacts stored in a computer’s
memory. Using a small memory footprint, digital forensic investigators can use the tool and
minimize the amount of overwritten memory data.
This tool can export raw memory data in raw formats (.DMP, .RAW, .BIN), which can be
uploaded to other forensics analysis tools such as Magnet AXIOM and Magnet IEF. This free
tool supports several versions of Windows operating systems.
Nagios
Considered by many as a standard network monitoring tool for large organizations, Nagios helps
cybersecurity professionals monitor computer networks in real-time. In addition, the Nagios
platform alerts network security professionals via email or text message if a security threat
occurs.
Nagios supports standard enterprise-level network services such as ICMP, POP3, SMTP, and
HTTP. It is compatible with Linux, Windows, server, application, SNMP, and log monitoring
services and integrates with third-party addons. Free trials are available.
Redline
Initially a product of Mandiant, but later taken over by FireEye, a cybersecurity firm, Redline is
a freeware tool that provides endpoint security and investigative capabilities to its users. It is
mainly used to perform memory analysis and look for infection or malicious activity signs. Still,
it can also be used to collect and correlate data around event logs, the registry, running processes,
file system metadata, web history, and network activity.
Offering much more technical and under-the-hood capability than most digital forensics
investigations necessitate, Redline has more applications in cybersecurity and other tech-driven
criminal behavior where a granular analysis is critical. Redline currently only functions on
Windows-based systems, but it is regularly updated by FireEye for optimum performance and
can be downloaded for free on the FireEye website.
SIFT Workstation
The SANS Investigative Forensics Toolkit (SIFT) is a collection of open-source incident
response and forensics technologies designed to perform detailed digital investigations in various
settings. The toolkit can examine raw disks and multiple file formats in a secure, read-only
manner that does not alter the evidence it discovers.
SIFT is flexible and compatible with expert witness format (E01), advanced forensic format
(AFF), and raw evidence formats. Built on Ubuntu, it incorporates many separate tools
(including some on this list, such as Autopsy and Volatility) and puts them at an investigator’s
disposal. SIFT is available for free and updated regularly.
SNORT
SNORT is an open-source network security tool that performs three tasks: sniffs for packets, logs
packets, and has comprehensive network intrusion features. Because it is open-source, it can be
downloaded and used for personal ($29.99 per year) and professional ($399 per year)
applications.
SNORT helps IT security professionals analyze network security vulnerabilities and prevent
them from happening. When a network intrusion occurs, cybersecurity professionals are notified
while the software blocks security intrusions.
Tor
When surveillance is a security threat, applications like Tor help PC and mobile device users be
undetectable. Tor allows users to browse anonymously and prevent identity theft through
increased internet security. This is useful when users need to access websites while visiting other
countries, protect their identity, or be difficult to trace. In addition, it blocks browser plugins
such as Flash, Real Player, QuickTime, and others. Finally, while it works on the iOS platform,
Tor suggests iOS users use their Onion Browser for private browsing that automatically closes
browsing history and extra tabs.
Tor’s mission is to “advance human rights and freedoms by creating and deploying free and
open-source anonymity and privacy technologies, supporting their unrestricted availability and
use, and furthering their scientific and popular understanding.”
Volatility
The Volatility Foundation is a nonprofit organization whose mission is to promote the use of
memory analysis within the forensics community. Its primary software is an open-source
framework for incident response and malware detection through volatile memory (RAM)
forensics. This allows the preservation of evidence in memory that would otherwise be lost
during a system shutdown.
Written in Python and supportive of almost all 32-bit and 64-bit machines, it can sift through
cached sectors, crash dumps, DLLs, network connections, ports, process lists, and registry files.
The tool is available for free, and the code is hosted on GitHub.
Wireshark
Wireshark is the world’s most-used network protocol analysis tool, implemented by
governments, private corporations, and academic institutions worldwide. As the continuation of a
project that began in 1998, Wireshark lets a user see what is happening on a network at the
microscopic level. By capturing network traffic, users can then scan for malicious activity.
Captured network data can be viewed on a graphical user interface on Windows, Linux, OSx,
and several other operating systems. The data can be read from Ethernet Bluetooth, USB, and
several others, while the output can be exported to XML, PostScript, CSV, or plain text.
Wireshark’s applications remain primarily in cybersecurity, but there are digital forensics
investigation applications. Less about the smoking gun than the breadcrumb trail, Wireshark can
point an investigator in the direction of malicious activity so that it can be tracked down and
investigated.

Collecting Evidence

In the early 80s, PCs became more popular and easily accessible to the general population. This
led to increased use of computers in all fields, and criminal activities were no exception. As
more computer-related crimes began to surface, such as computer fraud and software cracking,
the computer forensics discipline emerged alongside them. Today digital evidence collection is
used in the investigation of a wide variety of crimes such as fraud, espionage, and cyberstalking.
The knowledge and techniques of forensic experts are used to explain the contemporaneous
state of the digital artifacts in the seized evidence, such as computer systems, storage devices
(SSDs, hard disks, CD-ROMs, USB flash drives, etc.), or electronic documents such as emails,
images, documents, chat logs, and phone logs.

CRIME SCENES AND COLLECTING EVIDENCE

Process involved in Digital Evidence Collection:

The main processes involved in digital evidence collection are given below:
 Data collection: In this process data is identified and collected for investigation.
 Examination: In the second step the collected data is examined carefully.
 Analysis: In this process, different tools and techniques are used and the collected evidence
is analyzed to reach some conclusion.
 Reporting: In this final step all the documentation and reports are compiled so that they can be
submitted in court.

Types of Collectible Data:

The computer investigator and experts who examine the seized devices have to understand
what kinds of potential evidence could be present and what type of evidence they are looking
for, so that they can structure their search pattern. Crimes and criminal activities that involve
computers range across a wide spectrum, from trading illegal goods such as rare and endangered
animals, to damaging intellectual property, to personal data theft.
The investigator must pick suitable tools to use during the analysis. Investigators can
encounter several problems while investigating a case: files may have been deleted from the
computer, damaged, or even encrypted, so the investigator should be familiar with a variety of
tools, methods, and software to prevent the data from being damaged during the recovery
process.
There are two types of data that can be collected in a computer forensics investigation:
 Persistent data: Data stored on a non-volatile storage device such as a local hard drive or
external storage devices like SSDs, HDDs, pen drives, CDs, etc. The data on these devices
is preserved even when the computer is turned off.
 Volatile data: Data stored in volatile memory such as registers, cache and RAM, or data
in transit, which is lost once the computer is turned off or loses power. Since volatile data
is evanescent, it is crucial that an investigator knows how to reliably capture it.
Types of Evidence:

Collecting evidence is really important in any investigation to support the claims made in
court. Below are some major types of evidence.
• Real Evidence: This involves physical or tangible evidence such as flash drives, hard drives,
documents, etc. An eyewitness can also be considered a piece of tangible evidence.
• Hearsay Evidence: These pieces of evidence are referred to as out-of-court statements. They
are made in court to prove the truth of the matter.
• Original Evidence: These are pieces of evidence of a statement made by a person who is not
a testifying witness. They are presented in order to prove that the statement was made rather
than to prove its truth.
• Testimony: Testimony is when a witness takes an oath in a court of law and gives their
statement in court. The evidence presented should be authentic, accurate, reliable, and
admissible, as it can be challenged in court.
Challenges Faced During Digital Evidence Collection:

• Evidence should be handled with utmost care, as data is stored in electronic media and it
can get damaged easily.
• Collecting data from volatile storage.
• Recovering lost data.
• Ensuring the integrity of collected data.
Recovering information from devices as digital evidence in an investigation is becoming the
fundamental ground for law enforcement and courts all around the world. The methods used to
extract information and evidence should be robust, to ensure that all the related information
and data are recovered and are reliable. The methods must also be legally defensible, to ensure
that the original evidence and data have not been altered in any way and that no data was
deleted from or added to the original evidence.
DOCUMENTING THE SCENE

Digital Crime Scene Documentation
In recent years important progress has been achieved in the digital documentation of crime
scenes. Processing and documentation have been made more efficient and now provide complete,
360-degree, and even 3D documentation of the crime scene.
The documentation of the digital crime scene involves properly documenting the digital evidence
when it is found. The exact copy of the system has the same role as the sketches and video of a
physical crime scene. Each piece of digital evidence that is found during the analysis of the
image must be clearly documented [13]. A record of all visible data must be created, which helps
in recreating the scene and reviewing it at a later time. This is particularly important when the
forensic specialist has to give testimony in a court, which could be several months after the
investigation [6]. For example, a file can be documented using its full file name path, the clusters
in the file system that it uses, and the sectors on the disk that it uses. Network data can be
documented with the source and target addresses at various network layers. Finally, proper
documentation is required from both the digital crime scene and the physical crime scene
perspectives. Different forms of camera/video photography and graphics are used, and notes are
made documenting all relevant information relating to the crime scene. Documentation at the
scene is also the starting point for the chain of custody. Table (3) gives a comparison between
physical crime scene documentation and digital crime scene documentation.
CHAIN OF CUSTODY
Chain of custody refers to the logical sequence that records the sequence of custody,
control, transfer, analysis and disposition of physical or electronic evidence in legal cases.
Each step in the chain is essential, as if it is broken, the evidence may be rendered
inadmissible. Thus we can say that preserving the chain of custody is about following the
correct and consistent procedure, and hence ensuring the quality of evidence.
In this article, we will be discussing:
1. What the chain of custody entails in digital forensics.
2. The importance of maintaining the chain of custody.
3. The chain of custody process.
4. The chain of custody form.
5. The procedure to establish the chain of custody.
6. How the chain of custody can be assured.
Let's get started with each section in detail.
What the Chain of Custody Entails in Digital Forensics

If you are in the field of cyber security, at some point in your career you will be involved in
digital forensics. One of the most essential concepts in digital forensics is the chain of
custody.
The chain of custody in digital forensics is also known as the paper trail, forensic link, or
chronological documentation of the evidence.
• The chain of custody indicates the collection, sequence of control, transfer and analysis.
• It also documents details of each person who handled the evidence, the date and time it
was collected or transferred, and the purpose of the transfer.
• It demonstrates to the courts and to the client that the evidence has not been tampered
with.
Digital evidence is acquired from a myriad of sources: a vast number of IoT devices, audio
evidence, video recordings, images, and other data stored on hard drives, flash drives, and
other physical media.
Importance of Maintaining the Chain of Custody

Importance to the examiner:
• To preserve the integrity of the evidence.
• To prevent contamination of the evidence, which can alter its state.
• In case you obtained metadata for a piece of evidence but were unable to extract any
meaningful information from it, the chain of custody helps to show where possible evidence
might lie, where it came from, who created it, and the type of equipment used. This will
help you to generate an exemplar and compare it to the evidence to confirm the evidence
properties.
Importance to the court: If not preserved, the evidence submitted in court might be
challenged and ruled inadmissible.
Chain of Custody Process

In order to preserve digital evidence, the chain of custody should span from the first step of
data collection to examination, analysis, reporting, and the time of presentation to the
courts. This is very important to avoid the possibility of any suggestion that the evidence
has been compromised in any way.
Let's discuss each stage of the chain of custody in detail:
1. Data Collection: This is where the chain of custody process is initiated. It involves
identification, labeling, recording, and the acquisition of data from all possible relevant
sources, in a way that preserves the integrity of the data and evidence collected.
2. Examination: During this process, the chain of custody information is documented,
outlining the forensic process undertaken. It is important to capture screenshots
throughout the process to show the tasks that are completed and the evidence
uncovered.
3. Analysis: This stage builds on the results of the examination stage. In the analysis stage,
legally justifiable methods and techniques are used to derive useful information to
address the questions posed in the particular case.
4. Reporting: This is the documentation phase of the examination and analysis stages.
Reporting includes the following:
• Statement regarding the chain of custody.
• Explanation of the various tools used.
• A description of the analysis of the various data sources.
• Issues identified.
• Vulnerabilities identified.
• Recommendations for additional forensic measures that can be taken.
The Chain of Custody Form

In order to prove a chain of custody, you'll need a form that lists the details of how the
evidence was handled every step of the way. The form should answer the following
questions:
• What is the evidence? For example, digital information includes the filename and MD5
hash, and hardware information includes the serial number, asset ID, hostname, photos and
a description.
• How did you get it? For example: bagged, tagged, or pulled from the desktop.
• When was it collected? Date and time.
• Who handled it?
• Why did that person handle it?
• Where was it stored? This includes information about the physical location in which the
evidence is stored, or about the storage used to hold the forensic image.
• How was it transported? For example, in a sealed static-free bag or in a secure storage
container.
• How was it tracked?
• How was it stored? For example, in a secure storage container.
• Who has access to the evidence? This involves developing a check-in/check-out process.
The CoC form must be kept up to date. This means that every time the best evidence is handed
off, the chain of custody form needs to be updated.
Procedure to Establish the Chain of Custody

In order to assure the authenticity of the chain of custody, a series of steps must be
followed. It is important to note that the more information the forensic expert obtains
concerning the evidence, the more authentic the created chain of custody is. You should
ensure that the following procedure is followed according to the chain of custody for
electronic devices:
• Save the original material.
• Take photos of the physical evidence.
• Take screenshots of the digital evidence.
• Document the date, time, and any other information on the receipt of the evidence.
• Load a bit-for-bit clone of the digital evidence content onto the forensic computers.
• Perform a hash test analysis to authenticate the working clone.
How Can the Chain of Custody Be Assured?
A couple of considerations are involved when dealing with digital evidence and the chain of
custody. We shall discuss the most common and globally accepted and practiced best
practices.
1. Never ever work with the original evidence: The biggest consideration that needs
to be taken care of while dealing with digital evidence is that the forensic expert has
to make a full copy of the evidence for forensic analysis. This cannot be overlooked:
when errors are made to working copies, or comparisons need to be done, the original
copy is needed.
2. Ensure storage media is sterilized: It is important to ensure that the examiner's
storage device is forensically clean when acquiring the evidence. If the examiner's
storage media is infected with malware, the malware can escape into the machine being
examined and all of the evidence will eventually be compromised.
3. Document any extra scope: During the process of examination, it is important to
document all information that is beyond the scope of the current legal authority and to
bring it to the attention of the case agent later. A comprehensive report must contain the
following sections:
• Identity of the reporting agency.
• Case identifier.
• Case investigator.
• Identity of the submitter.
• Date of receipt.
• Date of report.
• Descriptive list of items submitted for examination: This includes the serial
number, make, and model.
• Identity and signature of the examiner.
• Brief description of steps taken during the examination: For example, string
searches, graphics image searches, and recovering erased files.
• Results.
4. Consider the safety of the personnel at the scene: It is very important to ensure
that the crime scene is fully secure before and during the search. In some cases, the
examiner may only be able to do the following while onsite:
• Identify the number and type of computers.
• Interview the system administrator and users.
• Identify and document the types and volume of media: This includes removable
media as well.
• Determine if a network is present.
• Document the information about the location from which the media was
removed.
• Identify offsite storage areas and/or remote computing locations.
• Identify proprietary software.
• Determine the operating system in question.
Digital evidence and the digital chain of custody are the backbone of any action taken by
digital forensic specialists. In this article, we have examined the seriousness of digital
evidence, what it entails, and how slight tampering with the digital evidence can change
the course of the forensic expert's investigation.
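As an added example (not code from the article), a minimal chain-of-custody log in Python that records the form's who/when/why/where fields together with the evidence hash at each step, and checks the properties a court would probe: chronological order, hand-offs only from the current holder, and an unchanged hash. The names, evidence IDs and the image bytes are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional
import hashlib


@dataclass
class CustodyEntry:
    """One line of the chain-of-custody form."""
    when: datetime                 # date and time of the action
    handler: str                   # who handled the evidence
    action: str                    # collected | transferred | examined | stored
    purpose: str                   # why that person handled it
    location: str                  # where it was / where it was stored
    observed_hash: str             # hash of the evidence verified at this step
    received_from: Optional[str] = None   # for transfers: the previous holder


@dataclass
class EvidenceRecord:
    item_id: str                   # evidence tag / asset ID
    description: str               # what the evidence is
    entries: list = field(default_factory=list)

    def add(self, entry: CustodyEntry) -> None:
        self.entries.append(entry)


def sha256_hex(data: bytes) -> str:
    """Hash of the evidence image (SHA-256 here; MD5/SHA1 work the same way)."""
    return hashlib.sha256(data).hexdigest()


def chain_is_intact(record: EvidenceRecord):
    """Return (ok, problems). The chain is broken when entries are out of
    chronological order, a transfer does not come from the current holder,
    someone other than the holder acts on the item, or the hash changes."""
    problems = []
    if not record.entries:
        return False, ["no custody entries"]
    first = record.entries[0]
    if first.action != "collected":
        problems.append("chain does not begin with collection")
    holder = first.handler
    for prev, cur in zip(record.entries, record.entries[1:]):
        if cur.when < prev.when:
            problems.append(f"entry at {cur.when.isoformat()} is out of order")
        if cur.observed_hash != first.observed_hash:
            problems.append(f"hash mismatch at {cur.handler}/{cur.action}")
        if cur.action == "transferred":
            if cur.received_from != holder:
                problems.append(
                    f"transfer to {cur.handler} not from current holder {holder}")
            holder = cur.handler
        elif cur.handler != holder:
            problems.append(f"{cur.handler} acted on item held by {holder}")
    return not problems, problems


def build_demo_records():
    """Constructed sample data: an intact chain and one with an unrecorded
    hand-off and an altered image. Names and IDs are placeholders."""
    image = b"constructed disk image bytes"       # stands in for the clone
    h = sha256_hex(image)
    t0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)

    good = EvidenceRecord("EV-001", "USB flash drive, serial <placeholder>")
    good.add(CustodyEntry(t0, "A. Officer", "collected",
                          "seized at scene", "site office", h))
    good.add(CustodyEntry(t0.replace(hour=11), "B. Examiner", "transferred",
                          "lab intake", "forensic lab", h, received_from="A. Officer"))
    good.add(CustodyEntry(t0.replace(hour=13), "B. Examiner", "examined",
                          "imaging and hash verification", "forensic lab", h))

    bad = EvidenceRecord("EV-002", "laptop HDD, serial <placeholder>")
    bad.add(CustodyEntry(t0, "A. Officer", "collected",
                         "seized at scene", "site office", h))
    # No transfer entry: the log still shows A. Officer as holder, and the
    # hash recorded by the analyst no longer matches the collected image.
    bad.add(CustodyEntry(t0.replace(hour=13), "C. Analyst", "examined",
                         "keyword search", "forensic lab",
                         sha256_hex(image + b"tampered")))
    return good, bad


if __name__ == "__main__":
    for rec in build_demo_records():
        ok, problems = chain_is_intact(rec)
        print(rec.item_id, "intact" if ok else "BROKEN", problems)
```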

CLONING
Hard disk forensic cloning, also known as disk imaging, is the process of creating an exact copy,
or “image,” of a hard disk drive (HDD) or other digital storage media. This process is commonly
used in forensic investigations to preserve the original data on a suspect’s hard drive while also
allowing for a separate, write-protected copy to be examined and analyzed.
The process of forensic cloning begins with the acquisition of the original hard drive or storage
media. This can be done in a number of ways, including physically removing the drive from the
computer, connecting the drive to a forensic workstation via a write-blocker, or connecting to the
drive over a network.
Once the original drive is connected, forensic cloning software is used to create a bit-by-bit
copy of the entire drive, including all of the data, metadata, and unallocated space. This copy is
known as an “image” and it is an exact replica of the original drive. The image is then saved to a
separate storage device, such as an external hard drive or a network-attached storage device.
It is important to note that the process of forensic cloning must be done in a forensically sound
manner to maintain the integrity of the evidence. This means that the process must be done in a
way that does not alter the original data in any way, and that the process is properly documented
and verified.
Once the forensic cloning process is complete, the image can be used for various analysis and
investigation purposes. For example, the image can be examined using forensic software tools to
recover deleted files, recover lost data, or identify patterns of use. Additionally, the image can be
used to create virtual machines or emulators, to run the clone and examine the data in a
controlled environment.
Overall, hard disk forensic cloning is an essential process in digital forensics, as it allows for the
preservation and examination of digital evidence while maintaining the integrity of the original
data.

LIVE SYSTEM VERSUS DEAD SYSTEM


METHODS OF ACQUISITION
In most computer forensic examinations, the next step is to make an exact copy of the data
residing on the evidence hard disk (or other electronic digital storage device). The need to create
such a copy is consistent with the essential concern not to change the evidence. Two types of
methodology can be followed for acquiring the image of digital evidence, as follows [2]:
A. Live Acquisition
B. Dead/Offline Acquisition
A. Live Acquisition
When the investigator is to confiscate a live system, there are some issues to consider before
cutting the power. A live system refers to a system that is up and running, where information
may be altered as data is continuously processed [3]. There is a lot of information of evidentiary
value that could be found in a live system. Switching it off may cause loss of volatile data such
as running processes, network connections and mounted file systems. In contrast, leaving a
computer running may cause evidence to be altered or deleted. The investigator therefore needs
to decide which alternative is best in a given situation. Another approach is to use specialized
tools to extract volatile data from the computer before shutting it down. The live acquisition
technique is a real-world live digital forensic investigation process. For example, a common
approach to live digital forensics involves loading an acquisition tool in read-only mode on the
system, then attaching writable media or a disk to the system and using the tool to start live
imaging, through its graphical user interface (GUI) if available or its command-line interface
(CLI) [2].
Myth #1
A digital forensics practitioner conducting live forensics upon a system will inevitably alter
that system in some manner; thus live forensics cannot be conducted as a truly forensic process
[8].
Reality:
While it is true that conducting live forensics upon a system will inevitably alter that system in
some manner, the flawed statement here is that this precludes the process from being a truly
forensic process. In fact, there is no such requirement levied by the court. In almost every other
forensic discipline, we destroy or adulterate the evidence during the collection and analysis
process.
B. Dead/Offline Acquisition
Dead system forensics can produce some information, but it cannot recover everything. In order
to create a forensic image of an entire disk, best practice dictates that the imaging process should
not alter any data on the disk and that all data, metadata and unallocated space be included [1].

Traditionally, forensic investigators accomplish this by powering down the system and removing
the disk (or disks) in order to connect it to a forensic workstation or a hardware or software write-
blocker to create the image [3]. This is referred to as dead imaging. A write-blocker, as its name
implies, will prevent any data from being written to the disk, allowing read access only.
Removing a disk from a running system prevents any further changes due to normal system
operations or process and user interactions. Using a write-blocker during evidence acquisition
preserves the integrity of the file metadata, such as timestamps that may be relevant to the
investigation.
Dead systems are systems that are switched off and in which no data processing is taking place.
To retain the integrity of the data it is often considered appropriate to cut the power supply to the
computer, but this will have other implications.
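The cloning and dead-acquisition steps described above, worked in Python as an added example (not from the article or any forensic tool): a read-only, block-by-block acquisition that hashes the image with MD5 and SHA1 while it is written, zero-fills unreadable blocks the way dd's conv=noerror,sync does, and then authenticates the stored image against the original. It assumes a hardware write-blocker (or an otherwise read-only source) outside the script; the 4 KiB evidence file and the one-byte alteration are constructed for the demo.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

BLOCK = 512  # one sector; real tools use far larger blocks for speed


@dataclass
class ImageResult:
    bytes_written: int = 0
    bad_blocks: list = field(default_factory=list)  # offsets that were zero-filled
    md5: str = ""
    sha1: str = ""


def acquire_image(src_path: str, dst_path: str, block_size: int = BLOCK) -> ImageResult:
    """Copy src to dst block by block, hashing the image as it is written.
    Unreadable blocks are replaced with zeros and their offsets recorded, so the
    image keeps the original's layout and the examiner knows what was lost."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    result = ImageResult()
    fd = os.open(src_path, os.O_RDONLY)   # the script never opens the evidence for writing
    offset = 0
    try:
        with open(dst_path, "wb") as dst:
            while True:
                try:
                    chunk = os.read(fd, block_size)
                except OSError:
                    # bad sector: skip past it and pad, like dd conv=noerror,sync
                    os.lseek(fd, offset + block_size, os.SEEK_SET)
                    chunk = b"\x00" * block_size
                    result.bad_blocks.append(offset)
                if not chunk:
                    break
                dst.write(chunk)
                md5.update(chunk)
                sha1.update(chunk)
                offset += len(chunk)
    finally:
        os.close(fd)
    result.bytes_written = offset
    result.md5, result.sha1 = md5.hexdigest(), sha1.hexdigest()
    return result


def hash_file(path: str, block_size: int = 1 << 20):
    """Re-read a file from disk and return (md5, sha1) hex digests."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        while chunk := f.read(block_size):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(src_path: str, dst_path: str, acquired: ImageResult) -> bool:
    """Authenticate the working clone: the stored image must hash to the values
    computed during acquisition and, when every block was readable, to the same
    values as the original."""
    image_hashes = hash_file(dst_path)
    if image_hashes != (acquired.md5, acquired.sha1):
        return False
    if acquired.bad_blocks:
        return True   # original is partly unreadable; only the image can be re-hashed
    return hash_file(src_path) == image_hashes


def demo():
    """Constructed evidence: a 4 KiB pseudo-device file. Returns
    (clean image verifies, image altered by one byte is rejected)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "evidence.bin")
        dst = os.path.join(tmp, "evidence.dd")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 16)          # 4096 bytes of constructed content
        res = acquire_image(src, dst)
        clean_ok = (res.bytes_written == 4096 and not res.bad_blocks
                    and verify_image(src, dst, res))
        with open(dst, "r+b") as f:                  # simulate a one-byte change to the image
            f.seek(100)
            f.write(b"\xff")
        return clean_ok, verify_image(src, dst, res)


if __name__ == "__main__":
    print(demo())   # (True, False)
```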

HASHING
What is Hashing?
Hashing is a programming technique in which a string of characters (a text message, for
instance) is converted into a smaller, fixed-size value, also known as a hash value. This hash
value is always unique and has a fixed length, representing the original string. However, the
hash value can't be used to recover the original message. This ensures privacy and security
while sharing the message.
Hashing is generally used to index and access items in a database, since finding a shorter hash
value of the item is faster than finding the original data directly. In digital forensics, however,
hash values are calculated with the help of a hashing algorithm to ensure eDiscovery integrity.

What is a Hashing Algorithm?

An algorithm used in hashing is called the hash function. The value returned by this function is
called a hash value. Hash values are a fast, robust, and computationally efficient way to compare
the contents of files under forensic investigation. Each hashing algorithm uses a specific number
of digits to store a unique "thumbprint" or "digital fingerprint" of the file contents. Just as
fingerprints are considered a unique biometric modality, the hash value generated by a hash
function provides a unique characteristic of the contents under forensic investigation. The unique
hash value can be extracted for a single file, a group of files, or even an entire disk. This is a
crucial process for deduplication and empirical evidence verification in eDiscovery and forensic
investigation. The following are some characteristics of hash functions:
• Hash functions are one-way functions, meaning you cannot reverse the hashing process to
extract the original data from a hash value. Reverse engineering is not possible given only a
hash value.
• The hash value size is fixed, and it is independent of the input data size.
• Two different input files cannot produce the same hash value.
• Hash values don't depend on the name of the file. Even if the file names are different, if
their contents are identical, they will produce the same hash values.
• Different hash functions will produce different hash values for the same contents.
• Some hash functions are more secure than others. For example, the MD5 hashing algorithm
can be cracked with a fair amount of computational power. Hence, two different files having
different contents can be created to produce the same MD5 hash value. This scenario is called
a hash collision.

Figure 1: Working of a Hashing Algorithm
Mathematically, a hash function T, also called the transformation function, takes a variable-sized
input x and returns a fixed-size string called a hash value y. Here, y = T(x).
The fundamental features of a hash function are as follows:
• The input string x can be of any length.
• The output string y has a fixed length.
• For any given x, T(x) is easy to compute, given the mathematical steps.
• T(x) is a one-way function and is collision-free.
Collision-free hash functions can be classified into two categories: strong collision-free hash
functions and weak collision-free hash functions.
A strong collision-free hash function T is one in which it is computationally infeasible to find
any two distinct messages a and b where T(a) = T(b). For a weak collision-free hash function,
given a message b, it is computationally difficult to find a message a not equal to b such that
T(a) = T(b).
MD5 and SHA1 Hashing Algorithms
MD5 and SHA1 are the two most popular hashing algorithms used by digital forensics
professionals today.
MD5: MD5 or Message-Digest algorithm 5 is a hashing algorithm that was created by Ron
Rivest to replace the previous hashing algorithm MD4. MD5 is the fifth and latest version of the
original hashing algorithm MD and it creates hash values of 128 bits.
SHA1: SHA1 or Secure Hash Algorithm 1 is another popular hashing algorithm that is modeled
after MD5. It is more powerful than MD5 and produces hash values of 160 bits.
The following are the main differences between the MD5 and SHA1 hashing algorithms:

Differentiating Factor     MD5          SHA1
Length of hash value       128 bits     160 bits
Security level             Moderate     High
Speed                      Fast         Slow
Algorithm complexity       Simple       Complex

Let us take a sample string which we enter in an MD5 hashing algorithm and obtain its hash
value:
String Input: Sam is eating apple
Hash Value: 387f51d0ccbab6be677275c9933c250e
Now, let’s modify the string by just one character:
String Input: Sam is eating apples
Hash Value: c77426fb082c588cfe5583f7eee73309
You can see that appending just one character to the input string changes the entire hash value.
This demonstrates the security quotient of hash functions.
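The one-character experiment above, measured in Python as an added example (not from the article): how many digest bits flip for MD5 and SHA1 when one character is appended, and that the same bytes stored under two different file names hash identically. The file names and sample content are constructed.

```python
import hashlib
import os
import tempfile


def digests(data: bytes) -> dict:
    """MD5 and SHA1 hex digests of the same input (32 and 40 hex chars)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def avalanche(text_a: str, text_b: str, algo: str):
    """(bits that differ, total bits) between the digests of two inputs."""
    a = digests(text_a.encode())[algo]
    b = digests(text_b.encode())[algo]
    return differing_bits(a, b), len(a) * 4


def same_content_different_names(content: bytes) -> bool:
    """Write identical bytes under two file names and compare the file hashes."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = [os.path.join(tmp, name) for name in ("report.docx", "notes.txt")]
        hashes = []
        for p in paths:
            with open(p, "wb") as f:
                f.write(content)
            with open(p, "rb") as f:
                hashes.append(digests(f.read()))
        return hashes[0] == hashes[1]


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        bits, total = avalanche("Sam is eating apple", "Sam is eating apples", algo)
        print(f"{algo}: {bits} of {total} bits changed after adding one character")
    print("same hashes for renamed file:", same_content_different_names(b"constructed"))
```

Roughly half of the digest bits change for a one-character difference, which is why an examiner compares full digests rather than looking for "similar" values.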
The use of the MD5 and SHA1 hashing algorithms is a standard practice in digital forensics. These
algorithms allow forensic investigators to preserve digital evidence from the moment they
acquire it until the time it is produced in court. There are many email forensics and eDiscovery
software packages available. Stellar Email Forensic is one such software that allows extensive and
hassle-free case management during criminal investigations. One of the advanced features of this
software is deleted email recovery.

Figure 2: MD5 and SHA1 hash values corresponding to emails.
Stellar Email Forensic is state-of-the-art software that allows forensic analysis of emails
effectively and efficiently. Stellar Email Forensic automatically calculates hash values
corresponding to individual emails in the entire mailbox data under consideration.

Computer Forensic Report Format

The main goal of computer forensics is to perform a structured investigation on a computing
device to find out what happened or who was responsible for what happened, while
maintaining a properly documented chain of evidence in a formal report. The syntax or template
of a computer forensic report is as follows:
1. Executive Summary:
The Executive Summary section of a computer forensics report provides background on the
conditions that created the need for an investigation. The Executive Summary, or Translation
Summary, is read by senior management, as they do not read the detailed report. This section
must contain a short description, details and important pointers. This section could be one
page long. The Executive Summary section consists of the following:
• An account of who authorized the forensic examination.
• A short list of the significant evidence.
• An explanation of why a forensic examination of the computing device was necessary.
• A signature block for the examiners who performed the work.
• The full, legitimate and proper names of all people who are related to or involved in the
case, their job titles, and the dates of initial contacts or communications.

2. Objectives:
The Objectives section is used to outline all tasks that the investigation has planned to
complete. In some cases, the forensic examination may not be a full-fledged investigation when
reviewing the contents of media. The prepared plan list must be discussed and approved by
legal counsel, decision makers and the client before any forensic analysis. This list should
consist of the tasks undertaken, the method used by the examiner for each task, and the status
of each task at the end of the report.

3. Computer Evidence Analyzed:
The Computer Evidence Analyzed section is where all gathered evidence and its
interpretation are introduced. It provides detailed information regarding the assignment of
evidence tag numbers, the description of the evidence and media serial numbers.

4. Relevant Findings:
The Relevant Findings section gives a summary of the evidence found that has probative
value. When a match is found between forensic material recovered from a crime scene (e.g., a
fingerprint, a strand of hair, a shoe print, etc.) and a reference sample provided by a suspect in
the case, the match is widely considered strong evidence that the suspect is the source of the
recovered material. However, the probative value of evidence can vary widely depending on
the way in which the evidence is characterized and the hypothesis of interest. This section
answers questions such as "What related objects or items were found during the investigation
of the case?".

5. Supporting Details:
Supporting Details is the section where in-depth analysis of the relevant findings is done. 'How
did we reach the conclusions outlined in Relevant Findings?' is answered by this section. It
contains a table of vital files with their full path names, results of string searches, emails/URLs
reviewed, the number of files reviewed and any other relevant data. All tasks undertaken to
meet the objectives are outlined in this section. In Supporting Details we focus more on
technical depth. It includes charts, tables and illustrations, as they convey much more than
written text. To meet the outlined objectives, many subsections are also included. This
section is the longest section. It starts by giving background details of the media analyzed. It is
not easy to report the number of files reviewed and the size of a hard drive in a human
understandable way; nevertheless, your client must know how much data you had to
review to arrive at a conclusion.

6. Investigative Leads:
The Investigative Leads section lists action items that could help to discover additional
information related to the investigation of the case. The investigators perform all outstanding
tasks to find extra information if more time is left. The Investigative Leads section is very
critical to law enforcement. This section suggests extra tasks that would discover information
needed to move the case on, e.g. finding out if there are any firewall logs that date far enough
into the past to give a correct picture of any attacks that might have taken place. This
section is important for a hired forensic consultant.

7. Additional Subsections:
Various additional subsections are included in a forensic report. These subsections depend on
the client's wants and needs. The following subsections are useful in specific cases:
• Attacker Methodology:
Additional briefing to help the reader understand the general or exact attacks performed is
given in this section. This section is useful in computer intrusion cases. An inspection of
how attacks are done and what the bits and pieces of attacks look like in standard logs is
done here.
• User Applications:
In this section we discuss the relevant applications that are installed on the media analyzed,
because in many cases the applications present on a system are very relevant. Give this
section a fitting title if you are investigating a system that was used by an attacker, e.g.
"Cyber Attack Tools".
• Internet Activity:
The Internet Activity or Web Browsing History section gives the web surfing history of the
user of the media analyzed. The browsing history is also useful to suggest intent: downloads
of malicious tools, online research, and downloads of secure-deletion or evidence-removal
programs that wipe file slack, unallocated space and temporary files, which often harbor
evidence very important to an investigation.
• Recommendations:
This section gives recommendations to posture the client to be more prepared and trained
for the next computer security incident. Host-based, network-based and procedural
countermeasures are given to the client to reduce or eliminate the risk of a security
incident.

MOBILE DEVICE FORENSICS


Mobile forensics, a subtype of digital forensics, is concerned with retrieving data from an
electronic source. The recovery of evidence from mobile devices such as smartphones and
tablets is the focus of mobile forensics. Because individuals rely on mobile devices for so
much of their data sending, receiving, and searching, it is reasonable to assume that these
devices hold a significant quantity of evidence that investigators may utilize.
Mobile devices may store a wide range of information, including phone records and text
messages, as well as online search history and location data. We frequently associate mobile
forensics with law enforcement, but they are not the only ones who may depend on evidence
obtained from a mobile device.
Uses of Mobile Forensics:

The military uses mobile devices to gather intelligence when planning military operations or
terrorist attacks. A corporation may use mobile evidence if it fears its intellectual property is
being stolen or an employee is committing fraud. Businesses have been known to track
employees’ personal usage of business devices in order to uncover evidence of illegal activity.
Law enforcement, on the other hand, may be able to take advantage of mobile forensics by
using electronic discovery to gather evidence in cases ranging from identity theft to homicide.
Process of Mobile Device Forensics:
• Seizure and Isolation: According to digital forensics principles, evidence should always be
adequately kept, analyzed, and accepted in a court of law. Mobile device seizures are
followed by a slew of legal difficulties. The two main risks linked with this step of the
mobile forensic method are lock activation and network/cellular connectivity.
• Identification: The purpose of identification is to retrieve information from the mobile
device. With the appropriate PIN, password, pattern, or biometrics, a locked screen may
be opened. Passcodes are protected, but fingerprints are not. Apps, photos, SMSs, and
messengers may all have comparable lock features. Encryption, on the other hand,
provides security that is difficult to defeat at the software and/or hardware level.
• Acquisition: Controlling data on mobile devices is difficult since the data itself is
movable. Once messages or data are transmitted from a smartphone, control is gone.
Despite the fact that various devices are capable of storing vast amounts of data, the data
itself may be stored elsewhere. For example, data synchronization across devices and apps
may be done either directly or via the cloud. Users of mobile devices commonly utilize
services such as Apple's iCloud and Microsoft's OneDrive, which exposes the possibility
of data harvesting. As a result, investigators should be on the lookout for any signs that
data may transcend the mobile device as a physical object, as this might have an impact
on the data collection and even the preservation process.
• Examination and analysis: Because data on mobile devices is transportable, it is tough to
keep track of it. When messages or data from a smartphone are moved, control is lost.
Despite the fact that numerous devices can hold vast amounts of data, the data itself may
be stored elsewhere.
• Reporting: The document or paper trail that shows the seizure, custody, control, transfer,
analysis, and disposition of physical and electronic evidence is referred to as forensic
reporting. It is the process of verifying how any type of evidence was collected, tracked,
and safeguarded.
Principles of Mobile Forensics:
The purpose of mobile forensics is to extract digital evidence or relevant data from a mobile
device while maintaining forensic integrity. To accomplish so, the mobile forensic technique
must develop precise standards for securely seizing, isolating, transferring, preserving for
investigation, and certifying digital evidence originating from mobile devices.
The mobile forensics process is broadly comparable to that of other fields of digital forensics. However, mobile devices have characteristics of their own (always-on connectivity, built-in encryption, rapidly changing hardware and OS versions) that must be taken into account, and proper methods and guidelines must be followed if an investigation is to produce reliable findings.
CELLULAR NETWORKS
There are a number of communication technologies that most users are at least somewhat familiar with, each tied to a particular 'generation' of devices and networks: GSM (Global System for Mobile Communications) and CDMA (Code Division Multiple Access) were commonplace during the 2G and 3G era, LTE (Long Term Evolution) for 4G, and 5G NR (New Radio) for the 5G networks that are still being rolled out. Starting with 4G, most major vendors globally converged on the LTE standard, allowing for far less fragmentation of device compatibility. Much of the breakdown of functionality below follows a presentation from the National Institute of Standards and Technology (NIST) titled "LTE Security - How Good Is It?".
Access to an LTE network is provided through base stations (eNodeBs) that exchange radio signals with user devices and forward their traffic to a backend core network (the Evolved Packet Core). The core network handles authentication and subscriber services and connects users to the rest of the Internet.
Much like the OSI model, the cellular stack provides connectivity from the physical layer all the way up through the application layer, although the TCP/IP layers do not line up neatly with the cellular ones. TCP/IP does, however, sit on top of the Packet Data Convergence Protocol (PDCP), which provides header compression and encryption of the radio link (plus integrity protection for signalling).
The IMSI (International Mobile Subscriber Identity) is a unique identifier for every subscriber. Although you might expect it to be the user's phone number, it has nothing to do with it. It is a numeric value of up to 15 digits stored on the UICC (Universal Integrated Circuit Card), the smart card that hosts the SIM (Subscriber Identity Module) or USIM application. The IMSI is made up of three fields: 3 digits for the MCC (Mobile Country Code), 2 or 3 digits for the MNC (Mobile Network Code), and the remaining digits for the MSIN (Mobile Subscription Identification Number) assigned by the provider.
The UICC works conceptually like any smart card: it holds the subscriber's long-term secret key and performs the cryptographic operations that underpin authentication and encrypted communication. This is far from the only protection applied to data transfers and calls. The Authentication and Key Agreement (AKA) protocol is first used to authenticate the device and the network to each other, and only after it has completed are the keys that encrypt calls and data derived. Going up the cellular stack, multiple 128-bit and 256-bit keys are used to protect both internal signalling and user traffic.
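As an added example (not from the original notes or the NIST presentation), the following Python splits an IMSI into its fields and then runs a simplified AKA exchange between a home network and a handset. It is a model of the protocol flow, not the real algorithm: the MILENAGE functions f1 to f5 are replaced by tagged HMAC-SHA256, the field lengths are chosen to match the real 6-byte SQN, 2-byte AMF and 8-byte MAC/RES, and the MNC-length lookup is a partial assumption. The point it shows is that the session keys (CK, IK) only exist after both sides have proved knowledge of K, and that a replayed challenge is rejected by the sequence-number check.

```python
import hashlib
import hmac
import os

# MNC length depends on the MCC (ITU-T E.212). This partial lookup is an
# assumption for illustration: North American MCCs use 3-digit MNCs, most
# others use 2.
THREE_DIGIT_MNC_MCCS = {"302", "310", "311", "312", "313", "314", "315", "316"}
AMF = b"\x80\x00"  # Authentication Management Field, kept constant here


def parse_imsi(imsi: str) -> dict:
    """Split a 15-digit IMSI into MCC, MNC and MSIN."""
    if not (imsi.isdigit() and len(imsi) == 15):
        raise ValueError("IMSI must be exactly 15 decimal digits")
    mcc = imsi[:3]
    mnc_len = 3 if mcc in THREE_DIGIT_MNC_MCCS else 2
    return {"mcc": mcc, "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


def f(k: bytes, tag: bytes, *parts: bytes) -> bytes:
    """Stand-in for the MILENAGE f1..f5 functions: HMAC-SHA256 keyed with K and
    domain-separated by a tag. This is NOT the real algorithm."""
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class HomeNetwork:
    """Subscriber database (HSS): holds K and the last SQN issued per IMSI."""

    def __init__(self):
        self.subscribers = {}

    def provision(self, imsi: str, k: bytes) -> None:
        parse_imsi(imsi)  # reject malformed identities at provisioning time
        self.subscribers[imsi] = {"k": k, "sqn": 0}

    def auth_vector(self, imsi: str):
        """Build the authentication vector (RAND, AUTN, XRES, CK, IK)."""
        sub = self.subscribers[imsi]
        sub["sqn"] += 1                              # fresh sequence number
        sqn = sub["sqn"].to_bytes(6, "big")
        rand = os.urandom(16)
        k = sub["k"]
        mac = f(k, b"f1", sqn, rand, AMF)[:8]        # proves the network knows K
        xres = f(k, b"f2", rand)[:8]                 # expected handset response
        ck = f(k, b"f3", rand)[:16]                  # confidentiality key
        ik = f(k, b"f4", rand)[:16]                  # integrity key
        ak = f(k, b"f5", rand)[:6]                   # anonymity key conceals SQN
        autn = xor(sqn, ak) + AMF + mac
        return rand, autn, xres, ck, ik


class Handset:
    """USIM side: shares K and tracks the highest SQN accepted so far."""

    def __init__(self, imsi: str, k: bytes):
        self.imsi, self.k, self.last_sqn = imsi, k, 0

    def respond(self, rand: bytes, autn: bytes):
        ak = f(self.k, b"f5", rand)[:6]
        sqn = xor(autn[:6], ak)
        amf, mac = autn[6:8], autn[8:16]
        expected_mac = f(self.k, b"f1", sqn, rand, amf)[:8]
        if not hmac.compare_digest(mac, expected_mac):
            raise ValueError("MAC failure: network not authenticated")
        if int.from_bytes(sqn, "big") <= self.last_sqn:
            raise ValueError("synchronisation failure: replayed challenge")
        self.last_sqn = int.from_bytes(sqn, "big")
        res = f(self.k, b"f2", rand)[:8]
        ck = f(self.k, b"f3", rand)[:16]
        ik = f(self.k, b"f4", rand)[:16]
        return res, ck, ik


def attach(network: HomeNetwork, handset: Handset):
    """One AKA run. Returns (authenticated, rand, autn); session keys are only
    usable once both sides have authenticated."""
    rand, autn, xres, ck, ik = network.auth_vector(handset.imsi)
    res, ck_ue, ik_ue = handset.respond(rand, autn)
    ok = hmac.compare_digest(res, xres) and ck == ck_ue and ik == ik_ue
    return ok, rand, autn


if __name__ == "__main__":
    K = bytes(range(16))  # constructed long-term key for the demo only
    net = HomeNetwork()
    net.provision("310260123456789", K)
    ue = Handset("310260123456789", K)
    print(parse_imsi("310260123456789"))
    print("authenticated:", attach(net, ue)[0])
```

The handset never sends K or SQN over the air: it only returns RES, and the network only learns whether RES matches the XRES it precomputed, which is what keeps a passive listener on the radio link from recovering anything useful.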
Once traffic reaches the base station, IPsec protects the backhaul between the base stations and the core network, and the two sides authenticate each other with PKI certificates. Problems arise when a connection has to fall back to legacy behaviour, such as a downgrade to 2G/GSM, whose weaker protections can be exploited. This also means that attackers who target components that cannot be updated, or the human factor, can still reach user data despite otherwise strong protections. Let's quickly go over a few of these potential security issues.
2FA via SMS
Multiple methods have come to light over the years that allow unauthorized parties to read text messages: obtaining access through employees at the cellular provider (as in SIM-swap fraud), third-party services that can redirect SMS without verification, or malicious apps with elevated permissions on the handset.
Because of this, SMS-based 2FA (two-factor authentication) is considered weak enough that any alternative, such as an authenticator app or a hardware security key, is recommended over it.
Compromised Wi-Fi networks
If a user connects to a compromised Wi-Fi network, the protections of the cellular network do not apply, because the traffic is not passing over the cellular network at all. Turning Wi-Fi off (or at least disabling auto-join) when leaving a trusted area is critical to prevent the device from silently connecting to a network the user did not intend to use.
Out of support devices
The supported lifetime of most mobile devices is significantly shorter than that of desktops or laptops, so security updates may stop arriving just a few years after a device's initial release. Users who keep using a device long after that date run the risk of it being exploited through any number of publicly known but unpatched vulnerabilities.
Buying a new device and migrating to it can be inconvenient, but the benefits outweigh the cost.
App leaks
App developers do not have unlimited resources: they build a product, ship it and try to get it approved and listed on the stores as quickly as possible. As a result, some legitimate apps request higher permissions than they need, which gives them access to a significant amount of non-essential data without adequate protection for that data, because the developer never needed it in the first place. Other apps installed on the same device may then be able to sniff around for this information and send it off to third parties.
Being careful about which apps we allow on our devices, and regularly updating the ones we keep, are both good practice. We can also audit app permissions on a regular basis to see which apps have been granted what. Removing permissions from apps may cause unexpected errors, but least privilege is worth pursuing when sensitive information is at stake.
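The permission audit described above can be scripted. The following Python is an added example, not from the original notes: it parses the shape of `adb shell dumpsys package` output (the sample text is constructed here, and the list of sensitive permissions is illustrative rather than complete), reports per app which dangerous permissions are actually granted, and produces the `adb shell pm revoke` commands that would take them away.

```python
import re

# Constructed excerpt in the shape of `adb shell dumpsys package <pkg>` output;
# not captured from a real device.
DUMPSYS_SAMPLE = """\
Package [com.example.photoeditor] (3f2a1b):
    userId=10123
    requested permissions:
      android.permission.CAMERA
      android.permission.READ_CONTACTS
      android.permission.ACCESS_FINE_LOCATION
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false suspended=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
Package [com.example.flashlight] (9c0d2e):
    userId=10124
    requested permissions:
      android.permission.READ_SMS
      android.permission.INTERNET
    User 0: ceDataInode=0 installed=true hidden=false suspended=false
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
"""

# Real Android "dangerous" permissions worth reviewing; illustrative, not exhaustive.
SENSITIVE = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION",
}

_PKG = re.compile(r"^Package \[([\w.]+)\]")
_GRANT = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_grants(text: str) -> dict:
    """Map package name -> set of permissions currently granted."""
    grants, current = {}, None
    for line in text.splitlines():
        m = _PKG.match(line)
        if m:
            current = m.group(1)
            grants.setdefault(current, set())
            continue
        m = _GRANT.match(line)
        if m and current and m.group(2) == "true":
            grants[current].add(m.group(1))
    return grants


def audit_permissions(text: str, sensitive=SENSITIVE) -> dict:
    """Package -> sorted list of granted permissions that touch sensitive data."""
    return {pkg: sorted(p for p in perms if p in sensitive)
            for pkg, perms in parse_grants(text).items()}


def revoke_commands(report: dict) -> list:
    """Least-privilege remediation: one `pm revoke` per flagged grant."""
    return [f"adb shell pm revoke {pkg} {perm}"
            for pkg, perms in sorted(report.items()) for perm in perms]


if __name__ == "__main__":
    report = audit_permissions(DUMPSYS_SAMPLE)
    for pkg, perms in report.items():
        print(pkg, perms)
    print("\n".join(revoke_commands(report)))
```

A flashlight app holding READ_SMS is exactly the mismatch between purpose and permission the text warns about; `pm revoke` works for runtime (dangerous) permissions, so the revoke list deliberately excludes normal permissions such as INTERNET.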
Social engineering
Social engineering in the modern age can involve SMS messages, emails, phone calls, browser pop-ups, full-screen ads and more, with prompts ranging from polite requests to threats of legal action if the user does not carry out some specific action. This can convince users to hand whatever information is being asked for to a third party that should never have it, and cost them dearly as a result.
Some protections are already built into mobile operating systems, along with carrier spam protection and caller ID that flags potentially suspicious numbers. Such callers can then be sent straight to voicemail without the user having to deal with them.
OPERATING SYSTEMS
What are the types of Operating systems?
The most popular types of Operating Systems are Windows, Linux, Mac, iOS, and Android.
Windows
Windows is a widely used OS designed by Microsoft. The file systems used by Windows include FAT, exFAT, NTFS, and ReFS. Investigators can find evidence by analysing the following important locations in Windows:
 Recycle Bin: This holds files that the user has discarded. When a user deletes a file, it is moved into the Recycle Bin rather than removed from the disk, a process called "soft deletion"; on current Windows versions each entry is a $R file holding the content plus a $I file recording the original path, size and deletion time. Recovering files from the Recycle Bin can be a good source of evidence.
 Registry: The Windows Registry holds a database of keys and values that give useful pieces of information to forensic analysts. For example, the table below lists registry keys and the associated files that record user activity on the system.
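As an added example (not from the original notes), the following Python decodes the Recycle Bin's $I metadata records that make soft deletion useful to an examiner: each holds the original path, the original size and a FILETIME deletion timestamp. Both the Vista-era fixed-length layout (header value 1) and the Windows 10 length-prefixed layout (header value 2) are handled; the sample records are constructed inline rather than taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - _EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dollar_i(data: bytes) -> dict:
    """Decode a $I record: version, original size, deletion time, original path."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:      # Vista .. Windows 8.1: fixed 260-character UTF-16LE field
        path = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:    # Windows 10/11: 4-byte character count (incl. NUL), then path
        (nchars,) = struct.unpack_from("<I", data, 24)
        path = data[28:28 + nchars * 2].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "size": size,
            "deleted_at": filetime_to_datetime(ft), "original_path": path}


def build_dollar_i(path: str, size: int, deleted_at: datetime, version: int = 2) -> bytes:
    """Construct a sample record so the example runs without a Windows disk."""
    ft = datetime_to_filetime(deleted_at)
    if version == 1:
        return struct.pack("<QQQ", 1, size, ft) + path.encode("utf-16-le").ljust(520, b"\x00")
    name = path.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<QQQI", 2, size, ft, len(path) + 1) + name


# Constructed samples. Real records live under C:\$Recycle.Bin\<SID>\ as $I<suffix>
# files, each paired with a $R<suffix> file that holds the deleted content.
DELETED_AT = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_V2 = build_dollar_i(r"C:\Users\analyst\Documents\ledger.xlsx", 48213, DELETED_AT)
SAMPLE_V1 = build_dollar_i(r"C:\Users\analyst\Desktop\notes.txt", 1024, DELETED_AT, version=1)

if __name__ == "__main__":
    for rec in (SAMPLE_V1, SAMPLE_V2):
        print(parse_dollar_i(rec))
```

Two practical notes: the deletion timestamp is UTC and must be converted to the user's local zone before being quoted alongside other artefacts, and an orphaned $I whose $R partner is missing still proves that the path existed and when it was discarded.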
Cell phone evidence
Students should understand data types before the collection of data from a mobile device. The
common data types include contacts list, call log, SMS, images, audio, video, GPS data, and apps
data. Also, both current and deleted data types can be extracted from a mobile device.
Call Detail Records (CDRs): Service providers frequently use CDRs to improve network
performance. However, they can provide useful information to investigators, as well. CDRs can
show:
 Call started and ended date/time
 The terminating and originating towers
 Whether the call was outgoing or incoming
 Call time duration
 Who was called and who made the call
Almost all service providers retain these records for a set period, and a forensic specialist can obtain them when required. The retention period and the legal process needed to obtain the records (for example a subpoena or a warrant) depend on the jurisdiction concerned, as every state has different laws in this regard.
Global Positioning System (GPS): GPS data is an excellent source of empirical evidence. If the suspect had an active mobile device at the crime scene, its GPS records can place the device at that location at that time, and can trace the suspect's movements from the crime scene to a hideout. Location data is also embedded in other artefacts, such as the EXIF metadata of photos and the location history kept by apps, which ties those artefacts to a place. Note that a location fix places the device, not necessarily its owner, and its accuracy varies with the surroundings. The GPS constellation has a baseline of 24 satellite slots (expanded to 27 in 2011), with around 30 satellites in orbit at any time.
App Data: Many apps store and access data the user is not aware of. In fact, many apps seek
permission during the installation process to access these data. For example, photo or video
editing apps request permission to access media files, camera, and GPS for navigation. This data
can be a primary source of evidence to the court.
SMS: Text messaging is a widely used way of communication. Text messages leave electronic
records of dialogue that can be presented in the court as evidence. They include the relevant
information such as:
 Date/time of each message
 Phone number of sender and receiver
Photos and Videos as Evidence: They can be a tremendous source of evidence, but their
relevance to crime and authentication is crucial.
Cell phone Forensic Tools.
Data acquisition is the process of gathering information from mobile devices and their associated media. Acquiring early reduces the chance of data loss through damage or battery depletion during storage and transportation. Identifying the mobile device is necessary at the start of the forensic examination: the examiner needs to know the type of phone, its operating system and other essential characteristics in order to create a forensically sound copy of the device's content.
There are several tools and techniques available in mobile forensics. The selection of tools and techniques for an investigation depends on the type of mobile device and its associated media.
How do you gather data from mobile devices?
Data can be gathered from mobile devices in two ways: physical acquisition and logical acquisition.
Physical acquisition, also called a physical memory dump, is a technique for capturing all the information held in the memory chips of the mobile device, bit for bit. It allows the forensic tool to recover remnants of deleted data from unallocated space. Initially the acquired data is in raw format and cannot be read directly; it is then decoded into a human-readable form.
Logical acquisition, or logical extraction, is a technique for extracting the files and folders that the device's file system still lists, without any of the deleted data. Some vendors define logical extraction more narrowly as the ability to collect specific data types such as pictures, call history, text messages, calendar entries, videos and ringtones. A software application is used to create a copy of the files; for instance, an iTunes backup is used to make a logical image of an iPhone or iPad.
What data types are you able to collect from a mobile device?
The data types, and the evidential value of CDRs, GPS data, app data, SMS and media, are covered under "Cell phone evidence" above.
What tools & techniques are commonly used in mobile forensics?
Forensic software vendors are constantly developing new techniques for extracting information from the many kinds of cellular device. The two most common techniques are physical and logical extraction. Physical extraction is performed through JTAG or a cable connection, whereas logical extraction happens via Bluetooth, infrared or a cable connection.
Various types of tools are available for mobile forensic purposes. They can be categorised as open source, commercial and non-forensic tools. Both non-forensic and forensic tools frequently use the same techniques and protocols to interact with a mobile device.
Tools Classification System: Forensic analysts must understand the different types of forensic tools. The tool classification system provides a framework for comparing the acquisition techniques that different forensic tools use to capture data.
Manual Extraction
The manual extraction technique allows investigators to extract and view data through the device's touchscreen or keypad. The data is then documented photographically. Manual extraction is time-consuming and carries a considerable risk of human error: for instance, data may be accidentally deleted or modified during the examination. Popular tools for manual extraction include:
 Project-A-Phone
 Fernico ZRT
 EDEC Eclipse
Logical Extraction
In this technique, investigators connect the cellular device to a digital forensic workstation or hardware via Bluetooth, infrared, RJ-45 cable or USB cable. The computer, using a logical extraction tool, sends a series of commands to the mobile device; the requested data is read from the phone's memory and sent back to the workstation for analysis. Tools used for logical extraction include:
 XRY Logical
 Oxygen Forensic Suite
 Lantern
Hex Dump
A hex dump, also known as physical extraction, extracts the raw image in binary format from the mobile device. The forensic professional connects the device to a digital forensic workstation and pushes a boot loader into the device, which instructs the device to dump its memory to the computer. This method is cost-efficient and provides more information to investigators, including recovery of the phone's deleted files and unallocated space. Common tools used for hex dump include:
 XACT
 Cellebrite UFED Physical Analyzer
 Pandora's Box
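The difference between physical and logical acquisition (described under "How do you gather data from mobile devices?" above) and the deleted-file recovery that a hex dump makes possible can be shown with a small carver. The following Python is an added example, not from the original notes or from any of the tools named: it builds a constructed raw dump containing live files plus the remnants of a deleted photo and a deleted note, then shows that a logical extraction returns only the files the file system still lists, while signature carving over the physical dump recovers both JPEGs (by their SOI and EOI markers) and the deleted text.

```python
import re

# --- constructed sample data, not taken from a real device ---
JPEG_A = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(32)) + b"\xff\xd9"
JPEG_B = b"\xff\xd8\xff\xe1\x01\x00Exif\x00\x00" + bytes(reversed(range(32))) + b"\xff\xd9"
DELETED_NOTE = b"deleted draft: meet at the dock at 23:00, bring the bag"
FILLER = bytes((i * 131 + 7) % 31 for i in range(200))   # non-printable, no 0xFF

# What a logical extraction sees: the live file system only.
FILE_SYSTEM = {
    "DCIM/IMG_0001.jpg": JPEG_A,
    "notes/todo.txt": b"buy milk and pay rent",
}

# What a physical dump contains: live files plus unallocated space that still
# holds a deleted photo and a deleted note.
DUMP = (FILLER + FILE_SYSTEM["DCIM/IMG_0001.jpg"] + FILLER
        + FILE_SYSTEM["notes/todo.txt"] + FILLER
        + JPEG_B + FILLER + DELETED_NOTE + FILLER)

JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"


def carve_jpegs(dump: bytes) -> list:
    """Signature carving: every SOI..EOI span, returned as (offset, bytes).
    Caveat: an EXIF thumbnail carries its own EOI, so production carvers walk
    the JPEG segment structure instead of stopping at the first EOI."""
    found, pos = [], 0
    while True:
        start = dump.find(JPEG_SOI, pos)
        if start < 0:
            return found
        end = dump.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            return found                      # truncated image, nothing to carve
        found.append((start, dump[start:end + 2]))
        pos = end + 2


def carve_strings(dump: bytes, min_len: int = 8) -> list:
    """Printable ASCII runs: the cheapest way to surface deleted text."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, dump)]


def logical_extract(fs: dict) -> dict:
    """Logical acquisition: copies of the files the OS still lists."""
    return dict(fs)


def physical_extract(dump: bytes) -> dict:
    """Physical acquisition: carve everything, allocated or not."""
    return {"jpegs": carve_jpegs(dump), "strings": carve_strings(dump)}


if __name__ == "__main__":
    phys = physical_extract(DUMP)
    print(len(phys["jpegs"]), "images carved;",
          len(logical_extract(FILE_SYSTEM)), "files listed logically")
    print(phys["strings"])
```

Carved output has no file names, timestamps or ownership, which is why the physical dump is read alongside the logical extraction rather than instead of it: the former recovers what was deleted, the latter says what the device currently claims to hold.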
Chip-Off
The chip-off technique allows examiners to extract information directly from the memory of the cellular device. They remove the phone's memory chip and create a binary image of it. This method is expensive and needs ample knowledge of hardware; improper handling may physically damage the chip and make the data impossible to retrieve. Popular tools and equipment used for chip-off include:
 iSeasamo Phone Opening Tool
 Xytronic 988D Solder Rework Station
 FEITA Digital Inspection Station
 Chip Epoxy Glue Remover
 Circuit Board Holder