Unit 3 - Evidence Recovery
Ch - 7 (Sec 7.5)
1. Overview
Data recovery tools are essential in digital forensics for retrieving deleted, corrupted, or
inaccessible data from various storage media. They support investigations by recovering
evidence without altering the original data.
2. Recuva
Definition
Recuva is a user-friendly data recovery tool used to retrieve deleted files from different
kinds of storage media.
Key Features
• Recovers accidentally deleted files, including:
o Pictures
o Music
o Documents
o Videos
o Emails
• Supports multiple storage types:
o Memory cards
o USB flash drives
o External hard drives
o Rewriteable media
• Deep Scan Mode
o Performs advanced scanning of disk sectors
o Finds traces of files that normal scan misses
• Secure Overwriting (File Shredding)
o Ensures permanent deletion
o Uses industry-standard & military-grade deletion algorithms
o Prevents recovered files from being restored again
Usage in Forensics
• Useful for retrieving recently deleted evidence
• Can also securely erase files when preventing data leakage is essential
3. ByteBack
Developer
• Created by Tech Assist Inc.
Description
ByteBack is a data recovery and investigative forensic tool used for cloning drives,
recovering files, and repairing disk structure.
Key Features
• Quick cloning / imaging of physical sectors
o Essential for forensic imaging
• Automated file recovery
o Includes undeleting previously deleted files
• Automatic repair of partitions & boot records
o Fixes corrupted system areas
• Recovery of individual files from volumes
o Useful when recovering selective evidence
• Drive wiping
o Overwrites every sector of a drive quickly
• Raw data media editor
o Allows investigators to view and search raw disk data
• Write-blocking support
o Prevents modification of original evidence
• CRC & MD5 checksum calculation
o Verifies integrity of cloned copies
o Ensures forensic soundness of data imaging
Usage in Forensics
• Ideal for disk imaging, repairing corrupt disks, and performing integrity-verified
copies in forensic investigations.
4. IsoBuster
Definition
IsoBuster is a highly specialized data recovery tool capable of recovering data from a wide
range of storage media using multiple file systems.
Supported Media
• CD, DVD, Blu-ray Disc (BD)
• HDD, SSD
• Flash drives, USB sticks
• Memory cards (SD, MMC, CF)
• Diskettes
Supported File Systems
• NTFS
• FAT (FAT12/16/32)
• UDF
• HFS
• ISO
• IFO/VOB (optical disc formats)
• File signature scanning (useful when file system is corrupted)
Key Features
• Recovers inaccessible or lost data from:
o Damaged media
o Corrupted disks
o Partially unreadable optical discs
• Very easy to use and supports deep-level data extraction
Usage in Forensics
• Best suited for:
o Optical media recovery
o Damaged or partially unreadable media
o Recovery based on file signatures (useful when file system fails)
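The "recovery based on file signatures" capability works without any file system at all: the tool scans every sector for the known header bytes of a file type and, where the type has one, its footer bytes, then cuts out what lies between. The block below is an added example of that carving technique; it is not IsoBuster's or Recuva's code. The disk image is constructed in memory, the embedded "files" are toy PNG- and JPEG-shaped blobs, and only those two signatures are in the table.

```python
"""File carving by signature over a raw image whose file system is gone.

Added example, not IsoBuster's or Recuva's code. The image is constructed in
memory and the embedded 'files' are toy PNG- and JPEG-shaped blobs; only those
two signatures are in the table.
"""
import hashlib

# Well-known magic bytes. The footer marks where a carved file ends.
SIGNATURES = {
    "png": {"header": b"\x89PNG\r\n\x1a\n", "footer": b"IEND\xae\x42\x60\x82"},
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9"},
}
# Stop looking for a footer this far past a header (assumption: a sane upper
# bound for the sample; real carvers use per-type size limits).
MAX_CARVE = 10 * 1024 * 1024


def carve(image: bytes) -> dict:
    """Scan the whole image, ignoring any file system, and return
    {"files": [...], "fragments": [...]}. A fragment is a header whose footer
    was never found: the tail was overwritten, so only a partial file remains."""
    files, fragments = [], []
    for kind, sig in SIGNATURES.items():
        pos = 0
        while True:
            hdr = image.find(sig["header"], pos)
            if hdr == -1:
                break
            end = image.find(sig["footer"], hdr + len(sig["header"]), hdr + MAX_CARVE)
            if end == -1:
                fragments.append({"kind": kind, "offset": hdr})
                pos = hdr + 1  # keep scanning past the orphaned header
                continue
            end += len(sig["footer"])
            data = image[hdr:end]
            files.append({
                "kind": kind,
                "offset": hdr,
                "length": len(data),
                # hash each carved file so the report can be verified later
                "sha256": hashlib.sha256(data).hexdigest(),
            })
            pos = end
    files.sort(key=lambda f: f["offset"])
    fragments.sort(key=lambda f: f["offset"])
    return {"files": files, "fragments": fragments}


def build_sample_image() -> bytes:
    """Constructed image: zero-filled 'unallocated' space holding two intact
    files and one JPEG whose tail has been overwritten."""
    zeros = b"\x00" * 1024
    png = SIGNATURES["png"]["header"] + b"IHDR-constructed-chunk-data" + SIGNATURES["png"]["footer"]
    jpg = SIGNATURES["jpg"]["header"] + b"\xe0constructed jpeg payload" + SIGNATURES["jpg"]["footer"]
    orphan = SIGNATURES["jpg"]["header"] + b"\xe0truncated, tail overwritten"
    return zeros + png + zeros + jpg + zeros[:300] + orphan + zeros


if __name__ == "__main__":
    result = carve(build_sample_image())
    for f in result["files"]:
        print(f"{f['kind']} at offset {f['offset']} ({f['length']} bytes) sha256={f['sha256'][:16]}...")
    for frag in result["fragments"]:
        print(f"{frag['kind']} header at offset {frag['offset']} with no footer: fragment only")
```

The orphaned JPEG header is reported separately rather than silently skipped: a carver that only returns complete files hides the fact that a partially overwritten copy existed, which can itself be relevant to the timeline of an investigation.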
5. Comparative Summary
Feature / Tool             | Recuva                           | ByteBack                             | IsoBuster
Recovers Deleted Files     | ✔                                | ✔                                    | ✔
Deep Scan                  | ✔                                | Limited                              | ✔ (signature scan)
Secure Overwrite           | ✔                                | ✔ (drive wipe)                       |
Forensic Integrity Hashing |                                  | ✔ (CRC & MD5)                        |
Disk Imaging               | Limited                          | ✔                                    | ✔ (ISO, sectors)
File System Support        | Basic                            | Basic                                | Very wide (NTFS, UDF, FAT, ISO, etc.)
Best Use Case              | Simple recovery for common users | Professional forensic investigations | Recovering data from damaged or optical media
Ch - 9 (Sec 9.5, Autopsy tool)
1. Introduction to Autopsy
Definition
Autopsy is an open-source digital forensic analysis tool used to investigate disk images, local
disks, and logical files.
Version 4.5.0 (Windows) includes dependencies such as The Sleuth Kit (TSK) and Java.
Purpose
Used for:
• File system analysis
• Recovering deleted files
• Timeline analysis
• Extracting user activity
• Reporting forensic findings
2. Key Operations in Autopsy
Autopsy workflow includes:
1. Creating a case
2. Adding a data source (image / local disk / logical files)
3. Configuring ingest modules
4. Analysis basics
5. Ingest inbox monitoring
6. Timeline creation
7. Reporting
3. Creating a Case
• Start via Create New Case on the home screen or File menu.
• New Case Wizard collects:
o Case name
o Base directory for storing case results
o Case number
o Examiner details
• Autopsy creates a case directory with its internal database and report folders.
4. Adding a Data Source
A data source = where data comes from (image, disk, logical files).
A case can have one or multiple data sources.
Data Source Types
1. Disk Image
• Supports E01 and raw/dd images.
• Only the first segment of a split image needs to be selected.
2. Local Disk
• Choose from detected system disks.
• Requires Administrator Mode for full file visibility.
• Adds a snapshot of metadata; file contents may update if disk is active.
3. Logical Files / Folders
• Add individual files or directories.
• Folders are added recursively (includes subfolders).
Options for Faster Ingest
• Skip unallocated space scanning
• Scanning unallocated space is what makes deleted-file recovery possible, so skipping it speeds up ingest at the cost of recovering less.
Autopsy starts automatic analysis after adding data sources.
5. Ingest Modules
Ingest modules run in the background and analyze files in priority order (user folders first).
Common Ingest Modules
1. Recent Activity
o Extracts browser history, bookmarks, cookies, downloads
o Runs RegRipper on registry hive
2. Hash Lookup
o Uses hash databases to mark:
▪ Known good files (bypass)
▪ Known bad files (malicious)
o Supports NIST NSRL hash set
o Can configure databases using Advanced settings
3. Keyword Search
o Searches for keywords in files
o List of keywords configurable
o Searches continue during ingest (real-time updates)
4. Archive Extractor
o Extracts ZIP, RAR, and other archives
5. Exif Image Parser
o Extracts metadata from images (EXIF)
6. Thunderbird Parser
o Parses email from Mozilla Thunderbird
Settings
• Each ingest module can be enabled/disabled
• Keyword lists & hash lists can be configured
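The Hash Lookup module is a set-membership test: each file's hash is computed once and checked against the loaded hash sets, so known-good files (NSRL) can be set aside and known-bad files flagged. The block below is an added example of that filtering, not Autopsy's code. The hash-set rows and the "files" are constructed in memory; the loader assumes the column layout of the legacy NSRL RDS text format ("SHA-1","MD5","CRC32","FileName",...), and a case-specific known-bad list is assumed to use the same layout.

```python
"""Known-good / known-bad hash filtering, the idea behind Autopsy's Hash Lookup.

Added example, not Autopsy's code. The hash-set rows and the 'files' are
constructed in memory; the loader assumes the legacy NSRL RDS text layout.
"""
import csv
import hashlib
import io
import zlib

NSRL_HEADER = '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"'


def md5_of(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def rds_row(data: bytes, name: str) -> str:
    """Constructed row in the RDS text layout for a file with the given content."""
    return '"%s","%s","%08X","%s","%d","0","0",""' % (
        hashlib.sha1(data).hexdigest().upper(), md5_of(data).upper(),
        zlib.crc32(data) & 0xFFFFFFFF, name, len(data))


def load_hash_set(text: str) -> set:
    """MD5 values (lower-case) from an RDS-style CSV."""
    return {row["MD5"].lower() for row in csv.DictReader(io.StringIO(text))}


# Constructed file contents standing in for files on the data source.
SAMPLE_FILES = {
    "Windows/System32/notepad.exe": b"constructed known-good binary",
    "Users/alice/Downloads/invoice.exe": b"constructed known-bad binary",
    "Users/alice/Documents/notes.txt": b"meeting notes, not in any hash set",
}

# Constructed hash sets: a known-good list (NSRL-style) and a case-specific known-bad list.
KNOWN_GOOD = load_hash_set(NSRL_HEADER + "\n" + rds_row(SAMPLE_FILES["Windows/System32/notepad.exe"], "notepad.exe") + "\n")
KNOWN_BAD = load_hash_set(NSRL_HEADER + "\n" + rds_row(SAMPLE_FILES["Users/alice/Downloads/invoice.exe"], "invoice.exe") + "\n")


def classify(files: dict, known_good: set, known_bad: set) -> dict:
    """Return {path: (status, md5)} with status known_bad / known_good / unknown.
    Known-bad is checked first so a hash present in both sets is never
    silently waved through as 'known good'."""
    result = {}
    for path, data in files.items():
        digest = md5_of(data)
        if digest in known_bad:
            status = "known_bad"
        elif digest in known_good:
            status = "known_good"
        else:
            status = "unknown"
        result[path] = (status, digest)
    return result


def files_needing_review(classified: dict) -> list:
    """Everything that is not known good still needs an examiner's attention."""
    return sorted(path for path, (status, _) in classified.items() if status != "known_good")


if __name__ == "__main__":
    for path, (status, digest) in classify(SAMPLE_FILES, KNOWN_GOOD, KNOWN_BAD).items():
        print(f"{status:10s} {digest} {path}")
```

Hashing each file once and reusing the digest for every set is what lets the module run alongside the other ingest modules: the expensive part is reading the file, and the lookups themselves are constant-time.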
6. Analysis Basics (GUI Navigation)
Autopsy GUI contains several nodes:
Main Nodes
1. Data Source
o Shows all data sources added
2. Image Nodes
o Displays disk structure
3. Logical File Sets
o Shows applied logical files
4. Views Node
o Views data by type or timeline
5. Results Node
o Shows output from Ingest modules
File Display Sections
• Upper right: List of files (details view or thumbnail view)
• Lower right: File content (text view, image view, hex view)
Useful Features
• Right-click file → show original location
• Tag/bookmark files for report inclusion
• Keyword search box for quick keyword scanning
• Thumbnails for images/video preview
7. Ingest Inbox
• Displays real-time alerts from ingest modules.
• Keeps track of which messages are read.
• Helps investigator revisit recent findings.
• Clicking an entry jumps to:
o Results node
o File location on disk
8. Timeline Analysis
• Accessed via Tools → Make Timeline.
• Presents file events chronologically.
• Useful to reconstruct:
o User activity
o File modifications
o Malware events
o Access timestamps
(Currently in basic/beta form)
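A timeline is built by flattening every file's modified, accessed, changed and created timestamps into individual events and sorting them, so that activity across many files can be read in time order. The block below is an added example of that construction, not Autopsy's code. The file records are constructed and stand in for the metadata Autopsy reads from each file; the timestamps are taken as UTC.

```python
"""A MAC(B) file-activity timeline of the kind Autopsy's Make Timeline builds.

Added example, not Autopsy's code. The records are constructed; timestamps are
ISO 8601 and treated as UTC.
"""
from datetime import datetime, timezone

# Constructed per-file metadata: m = modified, a = accessed, c = metadata changed, b = created.
RECORDS = [
    {"path": "/Users/alice/Documents/report.docx",
     "m": "2023-03-01T09:12:00", "a": "2023-03-04T17:40:10",
     "c": "2023-03-01T09:12:00", "b": "2023-02-20T08:00:00"},
    {"path": "/Users/alice/Downloads/invoice.exe",
     "m": "2023-03-04T17:38:02", "a": "2023-03-04T17:38:30",
     "c": "2023-03-04T17:38:02", "b": "2023-03-04T17:38:02"},
    {"path": "/Windows/Temp/svc.tmp",
     "m": "2023-03-04T17:39:15", "a": "2023-03-04T17:39:15",
     "c": "2023-03-04T17:39:15", "b": "2023-03-04T17:39:15"},
]
MACB = {"m": "modified", "a": "accessed", "c": "metadata changed", "b": "created"}


def parse_ts(text: str) -> datetime:
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def build_timeline(records: list) -> list:
    """Flatten each record into events, merging those with the same time and
    path into one row. The flag string shows which of m/a/c/b fired; a '.'
    means that timestamp differs (the mactime convention)."""
    merged = {}
    for rec in records:
        for key in MACB:
            merged.setdefault((parse_ts(rec[key]), rec["path"]), set()).add(key)
    rows = []
    for (when, path), keys in merged.items():
        flags = "".join(k if k in keys else "." for k in "macb")
        rows.append((when, path, flags))
    rows.sort()
    return rows


def events_between(timeline: list, start: str, end: str) -> list:
    """Narrow the timeline to a window of interest, e.g. around a suspected incident."""
    s, e = parse_ts(start), parse_ts(end)
    return [row for row in timeline if s <= row[0] <= e]


def render(timeline: list) -> str:
    return "\n".join(f"{when:%Y-%m-%d %H:%M:%S} {flags} {path}" for when, path, flags in timeline)


if __name__ == "__main__":
    tl = build_timeline(RECORDS)
    print(render(tl))
    print("--- window around the download ---")
    print(render(events_between(tl, "2023-03-04T17:38:00", "2023-03-04T17:40:00")))
```

Reading the window rows in order tells the story the paragraph above describes: a file created and modified in Downloads, accessed half a minute later, and a new file appearing in a temporary directory shortly after, which is the kind of sequence an examiner then corroborates with logs and other artifacts.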
9. Reporting
• Generate Report button generates final output.
• Supported formats:
o HTML
o XLS
• Stored in Reports folder inside the case directory.
• Can be exported to external folders.
10. Example Forensic Use Cases
1. Web Artifacts
• Use Recent Activity ingest.
• Check under:
o Results → Extracted Data
o Finds cookies, history, bookmarks, downloads
2. Known Bad Hash Files
• Enable Hash Lookup ingest.
• Check:
o Results → Hashset Hits
• Ingest Inbox shows new bad file detections.
• Right-click to find file path and related files.
3. Media (Images/Videos)
• Navigate to:
o File Types → Images/Videos
• Use thumbnail viewer for previews.
11. Analysis of Deleted Files (Practical Example)
Steps:
1. Run Autopsy in Administrator Mode.
2. Create New Case.
3. Enter case info, case number, examiner name.
4. Add data source → Select Type = Logical Disk.
5. Choose the removable or logical drive.
6. Select ingest modules (example: Recent Activity only).
7. View progress as Autopsy analyzes data.
8. Once complete:
o Disk contents appear in tree format
o Deleted files marked with X
o Expand directories to locate deleted items
Ch - 8 (Sec 8.2.2)
Introduction
Digital evidence is extremely fragile and can be easily altered, damaged, or destroyed.
Therefore, Investigating Officers (IOs) must follow strict precautionary measures before
acquiring digital evidence at the crime scene to maintain integrity, admissibility, and chain of
custody.
1. Understanding the Crime Scene
Digital evidence can be found at:
• Homes with personal computers and devices
• Cyber cafés with multiple public machines
• Organizations/Companies with networked systems, servers, CCTV, etc.
Before seizure, the IO must analyse the technical details of:
• Systems/computers
• Electronic devices
• Networking infrastructure
2. Key Principle: “Do NOT Change the State”
Since digital evidence is perishable, the IO must:
• Not turn ON a system that is OFF
• Not turn OFF a system that is ON
Changing state can:
• Modify system logs
• Trigger OS processes
• Alter timestamps
This may destroy or contaminate crucial evidence.
3. Information to Collect at the Scene
A. At a House
The IO gathers details on:
• Type of Internet connection (wired/wireless)
• Number of systems
• Whether systems are connected to the Internet
• Permanent storage: HDD, SSD, internal drives
• Removable storage: USB, memory cards
• Peripheral devices: routers, printers, scanners, modems
B. At Cyber Cafés / Organizations
Additional details include:
• CCTV footage
• Management software logs
• Network topology, shared systems
• Details of user accounts, login logs
4. Preservation Notice
A Preservation Notice is served by the IO to prevent tampering.
It may include:
• Stop access to Electronic Communication Devices (ECD)
• Stop access to email accounts (prevents deletion of emails)
• Preserve log information
Ensures data remains unchanged until seizure.
5. SOP: Standard Operating Procedure at Crime Scene
1. Quarantine the ECD
• Isolate the Electronic Communication Device
• Prevent individuals from touching/using it
• Protect against:
o Physical damage
o Data corruption
o Remote wiping/hacking
2. Ascertain the Status of the ECD
• Identify whether the device is:
o LIVE (Switched ON)
o POWERED OFF
• If LIVE:
o Photograph the screen and visible state
o Record running applications, active windows, etc.
• Never power ON an OFF device—this alters evidence.
3. Disconnect from Internet/Network
Disconnect the device as early as possible to prevent:
• Remote access
• Remote wiping
• Malware activity
• Automatic updates
Caution for mobile phones:
• Switching to airplane mode or removing SIM can sometimes alter internal data.
• Handle carefully to avoid loss of volatile data.
4. Power Off Non-Portable Devices
• For desktops, servers, routers:
o Proper shutdown after documentation
• For mobile/portable devices:
o Avoid sudden changes that modify volatile data
5. Seize Devices with Power Accessories
• Seize electronic devices along with their power cords, chargers, adapters
This ensures:
• Future access without damaging data
• Ability to power devices in controlled forensic labs
Ch - 7 (Sec 7.3)
Key Concepts
• Drive Imaging = Creating an exact bit-by-bit copy of storage media.
• Validation = Ensuring copied data matches original using CRC, hashing (MD5, SHA-1,
SHA-256).
• Imaging tools can be hardware-based or software-based.
• Important forensic needs:
o Capture MBR, unallocated space, slack space, file system metadata.
o Maintain chain of custody and data integrity.
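The two key concepts above, a bit-by-bit copy and validation by checksum, come down to one read of the source and one comparison of digests; the same check reappears in ByteBack's CRC & MD5 calculation (Sec 7.5) and in the laboratory step of hashing the original and the forensic copies (Sec 5.2.5). The block below is an added example of that procedure; it is not the code of any tool named on this page. The "suspect media" is a constructed file in a temporary directory; a real acquisition would read the block device through a write blocker and record the hashes in the case notes.

```python
"""Bit-by-bit copy of raw media with checksum validation (CRC32, MD5, SHA-1, SHA-256).

Added example; not the code of any tool on this page. The media is a
constructed file in a temporary directory.
"""
import hashlib
import os
import tempfile
import zlib

CHUNK = 1 << 20  # 1 MiB reads keep memory flat however large the media is


def checksums(path: str) -> dict:
    """One pass over the data computing every checksum the notes list."""
    md5, sha1, sha256, crc = hashlib.md5(), hashlib.sha1(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
            sha256.update(block)
            crc = zlib.crc32(block, crc)
    return {"crc32": f"{crc & 0xFFFFFFFF:08x}", "md5": md5.hexdigest(),
            "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def acquire(source: str, image: str) -> dict:
    """Copy every byte (boot sector, files, slack and unallocated space alike),
    then hash source and image and report whether they agree."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    src_sums, img_sums = checksums(source), checksums(image)
    return {"source": src_sums, "image": img_sums, "verified": src_sums == img_sums}


def make_sample_media(path: str) -> None:
    """Constructed media: a boot sector, live file content, and unallocated
    space that still holds a deleted fragment."""
    with open(path, "wb") as fh:
        fh.write(b"BOOT".ljust(510, b"\x00") + b"\x55\xaa")
        fh.write(b"live file content line\n" * 64)
        fh.write(b"\x00" * 4096 + b"deleted fragment left in unallocated space" + b"\x00" * 4096)


def demo() -> dict:
    """Image the constructed media and verify it, then show that a single
    changed byte in unallocated space is caught when the copy is re-hashed."""
    with tempfile.TemporaryDirectory() as tmp:
        media = os.path.join(tmp, "suspect.raw")
        image = os.path.join(tmp, "suspect.dd")
        make_sample_media(media)
        result = acquire(media, image)
        # Flip one byte inside the unallocated region of the copy.
        with open(image, "r+b") as fh:
            fh.seek(512 + 64 * 23 + 100)
            fh.write(b"\x01")
        tampered = checksums(image)
        return {"verified": result["verified"], "source": result["source"],
                "tamper_detected": tampered != result["source"]}


if __name__ == "__main__":
    r = demo()
    print("image verified:", r["verified"])
    print("tamper detected:", r["tamper_detected"])
    for name, value in r["source"].items():
        print(f"{name:6s} {value}")
```

Computing all four checksums in the same pass matters on large media: each extra read of the original is another chance of a read error or a change in its state. Hashing the full image rather than only allocated files is what makes the check meaningful for the unallocated and slack areas the notes single out.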
Major Tools & Their Features (Exam Focus)
1. Intelligent Computer Solutions – Image Master Solo Forensics Hard Drive Duplicator
Type: Hardware Duplicator
Key Features:
• Creates raw image of entire HDD including:
o MBR
o Unallocated space
o All files
• Very fast because:
o No OS/software → direct controller-level duplication
• Can copy multiple suspect drives → aggregated copying
• Portable and easy to use
Drawback:
• Writes raw data directly to target media → no image file format
• Requires later imaging in lab for forensic image file creation.
2. Norton Ghost
Type: Imaging Software
Features:
• Creates image files for full drive or partition
• Includes CRC32 verification to detect data errors
• Good general backup tool
Forensic Concern:
• Some versions:
o Copy only active files
o Do not copy unallocated space
Not fully forensically sound (misses potential evidence).
3. Symantec Ghost
Type: Backup & Imaging Software
Features:
• Takes reliable PC backups including OS, apps, critical data
Drawback:
• Filters out what it considers "unused space"
Forensically unsound since it ignores unallocated space and slack.
4. Safeback
Type: Forensic Bit-Stream Imaging Software
Used By: Law Enforcement Agencies
Features:
• Creates bit-stream backups
• Guarantees precision using mathematical CRC
• Copies:
o Entire drive
o File slack
o Disk slack
• Images can be written to:
o Tape
o HDD
o CD-ROM
o DVD
Highly reliable forensic tool.
5. EnCase Forensic Imager
Type: Forensic Imaging + Analysis Tool
Features:
• Based on trusted EnCase forensic technology
• Supports acquisition from:
o Hard drives
o Tablets
o Removable media
• Allows viewing:
o Folder structures
o Metadata
o File contents
• Maintains evidence integrity
• Free, portable (runs via USB), no installation required
Capabilities:
• Preview drives before imaging
• Full reporting:
o Disk geometry
o Hash values
o Incriminating files list
• Supports multiple OS:
o Windows, MAC OS, Linux, Solaris
Search Capabilities:
• Keyword search (active files + slack + unallocated space)
• Sorting files by:
o Name
o Extension
o Creation/Access time
6. FTK Imager (AccessData)
Type: Free forensic imaging tool
Features:
• Creates bit-stream forensic images
• Collects:
o Volatile data (RAM)
o Drive data
• Supports:
o Pre-analysis
o Keyword search
• Frequently used for quick acquisition and evidence preview.
7. X-Ways Forensic (XWF)
Type: Full forensic suite
Capabilities:
• Disk cloning and imaging
• RAM and virtual memory acquisition
• RAID management
• Supports numerous file systems
Powerful and efficient forensic platform.
8. DriveSpy
Type: DOS-based imaging tool
Features:
• Only 125 KB; fits on floppy
• Provides MS-DOS command line + extra forensic commands
Capabilities:
• Disk-to-disk copying
• Create MD5 hash
• Copy sector ranges
• Search drive
• Disk wiping
Lightweight and portable.
9. Forensic Replicator (Paraben)
Type: Windows-based forensic imaging
Features:
• Supports many electronic and removable media
• Can compress and split images for storage efficiency
10. SMART Acquisition Workshop (SAW)
Type: Standalone Imaging Utility
Features:
• Creates forensic images
• Supports:
o Windows
o Mac
o Linux devices
11. SMART (ASR Data)
Components:
1. SMART Acquisition — imaging
2. SMART Authentication — verification
Features:
• Full imaging + validation suite
• Ensures image integrity
12. WinHex
Type: Hex editor + disk tool
Features:
• Disk editing & management
• Recovery of lost/damaged files
• Forensic examiners use it for:
o Hex-level analysis
o Partition analysis
Powerful tool for low-level forensic work.
Key Summary
Tool                | Forensically Sound? | Key Strength                      | Limitation
Image Master Solo   | Yes (raw)           | Fast hardware duplication         | No image file created
Norton Ghost        | Partially           | CRC32 validation                  | Misses unallocated space
Symantec Ghost      | No                  | Good backups                      | Filters unused space
Safeback            | Yes                 | Full bit-stream + CRC             | Traditional interface
EnCase Imager       | Yes                 | Industry standard, cross-platform | Requires training
FTK Imager          | Yes                 | Free, RAM collection              | Limited deep analysis
X-Ways              | Yes                 | Full forensic suite               | Paid
DriveSpy            | Yes                 | Lightweight DOS tool              | Basic UI
Forensic Replicator | Yes                 | Compression & splitting           | Windows only
SMART Tools         | Yes                 | Acquisition + authentication      | Niche usage
WinHex              | Yes                 | Hex-level editing                 | Expert tool
Unit 4 - Investigation
Ch - 5 (Sec 5.2.4, 5.2.5)
5.2.4 Computer Forensics Investigations
Overview
Computer forensics investigation is a systematic, multi-phase process designed to identify,
preserve, analyze, and present digital evidence in a legally acceptable manner. The
investigation typically proceeds through three major phases, each requiring technical
expertise and strict adherence to forensic principles.
Phases of Cybercrime Investigation
1. Preliminary Analysis & Information Gathering
• Initial engagement with the crime scene (physical or digital).
• The investigator performs:
o Basic assessment of the incident.
o Identification of potential evidence sources.
o Initial documentation and observations.
• Purpose: establish the scope of the investigation and prevent evidence tampering.
2. Forensic Copy Acquisition & Recovery
• A bit-stream copy (forensic image) of the digital media is made.
• Original data is never analyzed directly—only the copy is used.
• This phase ensures:
o Preservation of integrity.
o Reproducibility of analysis.
• Recovery of deleted, hidden, or damaged data also occurs here.
3. Detailed Analysis & Reporting
• Comprehensive examination of the forensic image.
• Identification of:
o Artifacts
o Logs
o Traces of malicious activity
o Relevant files and metadata
• Final output: detailed forensic report summarizing methods, tools, findings, and
conclusions.
Requirements for Investigators
A forensic investigator must possess:
• Extensive knowledge of digital systems, networks, file structures.
• Practical skill with forensic tools and methods.
• Understanding of legal requirements, including evidence handling and admissibility.
5.2.5 Steps in Forensic Investigation
Core Principle: Evidence Integrity
• Every step must ensure integrity and authenticity of evidence.
• Evidence must remain:
Untampered, traceable, reproducible, and legally admissible.
Flow of Forensic Investigation (Step-by-Step)
1. Crime Reporting
• Investigation formally begins when:
o A crime is reported, or
o A complaint is filed.
2. Initial Legal and Administrative Actions
When a complaint is received, the following may be required:
a) Notice to Preserve Evidence
• Issued when evidence is controlled by a third party (e.g., service providers).
• Prevents deletion or alteration of critical data.
b) Filing of FIR (First Information Report)
• Applicable in criminal cases.
• Official record to begin formal investigation.
c) Obtaining a Search Warrant
• Required when evidence is located at a place not freely accessible.
• Ensures legal compliance during evidence seizure.
3. First Responder / CERT Procedures
The first person or team to arrive at the scene conducts immediate stabilization and initial
examination.
Box 5.1: First Responder
• Could be:
o Network administrator
o Law enforcement officer
o Investigating officer
o Forensic lab personnel
• Responsibilities:
o Identify electronic crime devices (ECDs).
o Secure and protect evidence.
o Ensure that evidence is not modified, erased, or damaged.
o Conduct preliminary evidence collection safely.
o Maintain admissibility and forensic soundness.
Box 5.2: Computer Emergency Response Team (CERT/CSIRT)
• Specialized team for handling computer security incidents.
• Origin: Carnegie Mellon University (1988) after major Internet attacks.
• Key functions:
o Incident response & mitigation.
o Coordinating recovery actions.
o Analyzing attack patterns.
o Supporting forensic investigations.
4. Evidence Seizure at Crime Scene
Key activities:
• Photographing the crime scene thoroughly.
• Labelling and marking all evidence.
• Preparing necessary documentation.
• Interviewing:
o Witnesses
o Suspects (if applicable)
• If evidence is complex or beyond investigator’s expertise:
o Third-party experts may be involved.
• All evidence collection must observe a strict Chain of Custody.
5. Transport of Evidence
• Evidence must be:
o Numbered
o Packed securely
o Transported safely to the forensic laboratory
6. Forensic Laboratory Procedures
Once in the lab, the following steps occur:
a) Bit-Stream Copy Creation
• Two forensic copies (images) are made.
• Hash values (MD5/SHA) are computed for:
o Original evidence
o Forensic copies
• Both must match to confirm integrity.
b) Chain of Custody Maintenance
• Tracks who handled evidence, when, where, and why.
c) Secure Storage of Original Evidence
• Original media is stored in a tamper-proof and restricted location.
d) Analysis of Forensic Copy
• Detailed scientific analysis conducted using specialized tools.
e) Preparation of Forensic Report
Report includes:
• Investigation methods
• Tools used
• Extracted evidence
• Interpretation of findings
f) Presentation to Client or Authority
• Report is shared with relevant stakeholders (court, police, organization).
7. Court Testimony (If Required)
• The forensic investigator may appear as an expert witness.
• Responsibilities include:
o Explaining technical findings clearly.
o Demonstrating expertise.
o Defending the methods and evidence integrity.
Role of Forensic Investigator
A competent investigator should be able to:
a) Assess Extent of Crime
• Determine severity and nature of damage.
b) Recover Critical Data
• Extract information from various electronic crime devices (ECDs).
c) Collect Evidence Properly
• Must follow forensic standards and legal guidelines.
d) Maintain Integrity
• Preserve authenticity of evidence at all stages.
e) Conduct Thorough Analysis
• Examine all potential data paths, logs, artifacts.
f) Avoid Bias
• Consider all possible scenarios before concluding.
g) Prepare Clear Reports
• Logical, comprehensive, reproducible documentation.
h) Testify in Court
• Present findings in a clear, authoritative manner.
Ch - 6 (Sec 6.1.1, 6.1.2)
6.1.1 Types of Digital Evidence
Digital evidence refers to any data that can establish facts in an investigation and is obtained
from electronic devices. It generally exists in two major forms:
1. Volatile Evidence
• Definition: Data that changes frequently and disappears when power is turned off.
• Characteristics:
o Temporary
o Stored in active memory or dynamically updated areas
o Easily lost if not collected immediately
• Examples:
o Running processes
o Contents in RAM
o Active network connections
o Clipboard contents
o System caches
• Importance: Must be captured early due to its high rate of volatility.
2. Non-Volatile Evidence
• Definition: Data that remains intact even when the electronic device is powered off.
• Characteristics:
o Stable and persistent
o Easier to preserve
o Usually found on permanent storage media
• Examples:
o Hard disk data
o SSD/USB storage
o Logs
o System files
o Deleted files (recoverable)
• Importance: Supports reconstruction of events over longer periods.
6.1.2 Evidence Collection Procedure
Digital evidence collection must be systematic, reliable, and legally admissible. It involves
five phases, each ensuring integrity and accuracy.
PHASE 1: Identification of Evidence
• Determine where evidence is located within the electronic communication device
(ECD).
• Identify relevant data versus irrelevant or junk data.
• Understand:
o What information exists
o How it is stored
o Whether it is relevant to the case
• Order of volatility must guide evidence collection to minimize loss.
• Only authorized and trained personnel should handle evidence.
• Correct tools and techniques must be used for acquisition.
Box 6.1: Chain of Custody (Critical Concept)
The chain of custody is a documented trail describing how evidence was obtained, handled,
stored, transferred, and presented.
It ensures that digital evidence is trustworthy and has not been altered.
Minimum Requirements for Proper Chain of Custody
1. No data should be added, modified, or deleted.
2. Evidence must be duplicated exactly and completely.
3. Duplication must follow reliable, validated forensic processes.
4. All storage media must be safe, sealed, and secure.
Purpose:
Ensures evidence is admissible and credible in court by maintaining integrity from collection
to presentation.
PHASE 2: Preservation of Evidence
Preservation ensures that evidence remains unaltered from the moment of collection.
Key Practices:
• Evidence is stored in storage media such as CDs, tapes, or external drives.
• Media must be labeled with:
o Date and time of collection
o Identity of the collector
o Tools/software used
o Expected contents
• Evidence should be protected against:
o Tampering
o Environmental damage
o Unauthorized access
Creating Forensic Copies
• Typically two copies are made:
o Master Copy (sealed in presence of suspect/owner and stored securely)
o Working Copy (used for analysis)
• Master copy is opened only with court approval.
Documentation
• Every step of collection must be documented.
• Any change must be recorded, explained, and justified.
PHASE 3: Analysis of Evidence
Once preserved, the evidence undergoes detailed analysis to extract meaningful
information.
Requirements for Analysis:
• Should be performed on a clean, isolated, and secure forensic workstation.
• Every action during analysis must be documented for reproducibility.
Objectives of Analysis:
• Reconstruct chain of events.
• Interpret stored data to identify:
o Methods used in the crime
o Motive and intent
o Timeline of activities
• Validate results with:
o Investigation techniques
o Physical evidence
o Scientific methods
Key Activities:
• Experimenting with all possible scenarios.
• Correlating digital evidence with other investigative data.
• Ensuring results can withstand courtroom examination.
PHASE 4: Presentation of Evidence
The evidence must be presented in a clear, non-technical manner to:
• Judges
• Lawyers
• Jury
• Other non-technical stakeholders
Presentation Must Be:
• Accurate
• Logical
• Understandable to a layperson
• Supported by proper documentation
Information Required in a Seizure Memo (for Court Admissibility)
This documentation is crucial for proving that evidence was collected properly.
1. Details of the complainant with date and time
2. Name of Investigating Officer (IO) and team
3. Case number and applicable law sections
4. Reason for conducting search and seizure
5. List of ECDs seized with full specifications
6. Network diagram of crime scene (if applicable)
7. Applications active on the device (if ON at the time)
8. Access control policies active at the time
9. Detailed steps used for evidence collection
10. Chain of custody documentation
11. Date and time of collection
12. Place of seizure
13. Names of witnesses present
Ch - 5 (Sec 5.10.9 – 5.10.12)
5.10.9 Tracing Email Messages
Tracing an email refers to identifying the origin, route, and authenticity of a suspicious
email. It helps investigators determine whether a cybercrime or violation has been
committed.
Step 1: Preliminary Examination of the Suspicious Email
• Read the email carefully to determine:
o Any criminal intent
o Malicious attachments
o Suspicious links
• Check whether attachments were opened or executed.
• Examine the email header thoroughly.
• Extract and record sender’s IP address from header fields like:
o “Received:” lines
o “X-Originating-IP”
• The header helps track:
o Sending mail server
o Sender’s location
o Intermediate hops
Step 2: Identify the Email Server & Trace IP Address
• From the header, identify the server through which the email was sent.
• Use WHOIS lookup to gather details about the sender’s IP.
• IP and domain lookups help determine:
o Ownership of the IP
o Geographical region
o Service provider/contact details
• WHOIS Lookup Tools (Regional Databases):
o ARIN – American Registry of Internet Numbers
o APNIC – Asia Pacific Network Information Centre
o RIPE – European Network Coordination Centre
o LACNIC – Latin America & Caribbean
o AFRINIC – Africa
Table 5.3 Examples of WHOIS Databases
• APNIC — [Link]
• ARIN — [Link]
• RIPE — [Link]
• Korean NIC — [Link]
• DE-NIC (Germany) — [Link]
• Russian RIPN — [Link]
…etc.
These help investigators pinpoint the source or find which database contains details for a
specific IP.
Step 3: Verification Using Logs
Because sender information in headers may be fake or manipulated:
• Verify details using:
o Router logs
o Firewall logs
o Email server logs
Router Logs
• Record incoming & outgoing network traffic
• Useful to see if the suspicious email entered the network
Firewall Logs
• Can filter email traffic
• Show whether the email passed through the network
If necessary, investigators may trace the entire route the email traversed (hops).
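Steps 1 and 3 above can be carried out in code: each mail server prepends its own "Received:" line, so reading the header lines bottom-up gives the route from origin to recipient, and the server's own log can then be checked against what its Received line claims. The block below is an added example of that; the message and the /var/log/maillog lines are constructed, and the public-looking addresses are RFC 5737 documentation ranges standing in for real ones. The WHOIS lookups of Step 2 need the network and are not performed here: the script only prepares the list of addresses an investigator would query, and separates out private (RFC 1918) addresses, which no registry can attribute.

```python
"""Tracing an email's route from Received: headers and checking it against
the mail server log.

Added example. The message and the log lines are constructed; the WHOIS step
is not performed, only prepared.
"""
import email
import ipaddress
import re
from email import policy

RAW_MESSAGE = b"""Received: from mail.example-corp.test (mail.example-corp.test [203.0.113.10])
\tby mx.victim.test with ESMTPS id abc123; Sat, 4 Mar 2023 17:37:55 +0000
Received: from relay.example-corp.test (relay.example-corp.test [198.51.100.7])
\tby mail.example-corp.test with ESMTP; Sat, 4 Mar 2023 17:37:50 +0000
Received: from [192.168.1.23] (unknown [192.168.1.23])
\tby relay.example-corp.test with ESMTPA; Sat, 4 Mar 2023 17:37:40 +0000
X-Originating-IP: [192.168.1.23]
From: "Accounts" <accounts@example-corp.test>
To: alice@victim.test
Subject: Invoice
Date: Sat, 4 Mar 2023 17:37:38 +0000
Message-ID: <constructed-1@example-corp.test>

Please see attached.
"""

# Constructed /var/log/maillog lines (sendmail format) for the same message.
MAILLOG = [
    "Mar  4 17:37:50 mail sendmail[2231]: 324HbogX002231: from=<accounts@example-corp.test>, "
    "size=1843, class=0, nrcpts=1, msgid=<constructed-1@example-corp.test>, proto=ESMTP, "
    "daemon=MTA, relay=relay.example-corp.test [198.51.100.7]",
    "Mar  4 17:37:55 mail sendmail[2233]: 324HbogX002231: to=<alice@victim.test>, delay=00:00:05, "
    "xdelay=00:00:02, mailer=esmtp, pri=31843, relay=mx.victim.test. [203.0.113.25], dsn=2.0.0, stat=Sent",
]

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>\S+).*?;\s*(?P<when>.+)$",
    re.S)
LOG_RE = re.compile(r"msgid=<(?P<msgid>[^>]+)>.*?relay=(?P<relay>\S+) \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")
# Address ranges a WHOIS registry cannot attribute to a sender.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE)


def trace(raw: bytes) -> dict:
    """Step 1: list the hops origin-first and pick out the addresses to look up."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):   # top line = last hop
        text = re.sub(r"\s+", " ", str(value)).strip()
        m = RECEIVED_RE.search(text)
        if m:
            hops.append({"from": m["helo"], "ip": m["ip"], "by": m["by"],
                         "when": m["when"].strip(), "private": is_private(m["ip"])})
    hops.reverse()                                # origin first
    whois = []
    for h in hops:
        if not h["private"] and h["ip"] not in whois:
            whois.append(h["ip"])
    return {"hops": hops,
            "message_id": (msg["Message-ID"] or "").strip("<> "),
            "originating_ip": (msg["X-Originating-IP"] or "").strip("[] "),
            "whois_candidates": whois,
            "internal_ips": [h["ip"] for h in hops if h["private"]]}


def corroborate(traced: dict, log_lines: list, server: str) -> dict:
    """Step 3: does the log of 'server' agree with the Received: line that
    server wrote? Headers can be forged; the server's own log is harder to fake."""
    claimed = next((h["ip"] for h in traced["hops"] if h["by"] == server), None)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m["msgid"] == traced["message_id"]:
            return {"found_in_log": True, "log_relay_ip": m["ip"],
                    "header_claims": claimed, "consistent": m["ip"] == claimed}
    return {"found_in_log": False, "log_relay_ip": None, "header_claims": claimed, "consistent": False}


if __name__ == "__main__":
    t = trace(RAW_MESSAGE)
    for i, h in enumerate(t["hops"]):
        print(f"hop {i}: {h['ip']:15s} -> {h['by']}  ({'private' if h['private'] else 'WHOIS'})  {h['when']}")
    print("look up via ARIN/APNIC/RIPE/LACNIC/AFRINIC:", t["whois_candidates"])
    print("log check:", corroborate(t, MAILLOG, "mail.example-corp.test"))
```

The origin address here is private, which is the common case: the earliest hop identifies a machine inside the sending organisation's network, and only the first public relay can be attributed through WHOIS. That is why the notes insist on verifying against router, firewall and mail server logs rather than trusting the header alone.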
5.10.10 Email Servers and Their Examination
Email servers are critical for forensic investigation because they store logs, databases,
and message histories.
Characteristics of Email Servers
• Run a server OS with an email application (e.g., Exchange, Zimbra, Sendmail).
• Store emails as:
o Database files
o Flat files
• Maintain logs that may include:
o Content of emails
o Sender’s IP
o Date/time of sending/receiving
o Login details
Important Points
• Logs can be continuous (non-stop) or circular (older logs overwritten).
• Deleted emails can often be recovered from the server similar to hard disk recovery.
• The network administrator must be contacted promptly to secure log data.
Examination of a UNIX Email Server
Important files and their roles:
1. /etc/[Link]
• Contains configuration of the Sendmail server
• Helps locate directories storing mail logs and rules
2. /etc/[Link]
• Contains system log configurations
• Shows where all log files are stored
3. /var/log/maillog
• Contains details of:
o SMTP and POP3 transactions
o IP addresses
o Timestamps
o Email transfers and delivery status
Examination of a Microsoft Exchange Server
Microsoft Exchange uses a database-driven storage system.
Key File Types
1. .edb files (Extensible Storage Engine Database)
o Stores MAPI (Messaging API) data
o Handles mailbox data
2. .stm files (Streaming Data Files)
o Store non-MAPI data
o e.g., attachments, multimedia
Other Components
• Transaction logs
o Record every change before committing to the database
• Checkpoint files
o Track the last committed transaction
• Temporary files & logs (e.g., RES#.log)
o Used for recovery and email activity analysis
These components help reconstruct deleted emails, message flow, and server activity.
5.10.11 Email Forensics Tools
Email forensics tools simplify investigation by extracting email artifacts without deep
server knowledge.
Common Tools:
1. FINAL EMAIL
• Scans email databases
• Recovers deleted emails
• Supports many email client formats
2. FTK (Forensic Toolkit)
• Multi-purpose forensic suite
• Filters files related to email
• Finds:
o PST (Outlook) files
o OST files
o Server-based email logs
• Helps analyze headers, attachments, and timestamps
5.10.12 Tracking Emails
Tracking helps determine whether an email was opened/read by the recipient.
Using ReadNotify (Example Service)
Step 1:
Register an email ID with the Readnotify service.
Step 2:
When sending an email, append [Link] to the recipient’s address.
• This modification stays hidden from the recipient.
Step 3:
When the recipient opens the email:
• A tracking report is sent to the investigator
• Tracking details are also stored on the Readnotify server
Tracking Information Returned May Include:
• When email was opened
• Location/IP address of recipient
• Device details
• Number of times email read
• Whether it was forwarded
Case Study Summary (Box 5.6)
Case 1: Email Extortion & Impersonation
• Pranab Mitra impersonated multiple identities:
o Fake female email ID: “Rita Basu”
o Another fake ID “Ruchira Sengupta”
• Trapped businessman Ninawe in emotional and intimate conversations
• Later used emotional blackmail and threats of suicide
• Classic example of:
o Fake identity creation
o Social engineering
o Email-based extortion
Demonstrates importance of:
• Header analysis
• Log verification
• Identifying patterns of deception
Ch - 7 (Sec 7.8)
7.8 FORENSIC TOOLS FOR ENCRYPTION / DECRYPTION
Digital forensic investigators frequently encounter encrypted files, disks, and containers.
Specialized tools help detect encryption, perform live acquisition, or recover access. Two
major tools discussed:
1. VeraCrypt
Type: Free, open-source, on-the-fly disk encryption tool
Origin: Based on TrueCrypt 7.1a
Developer: IDRIX
Key Features
• On-the-fly encryption (OTFE): Data is automatically encrypted/decrypted during
read/write operations, without user intervention.
• Encrypted containers: Can create a virtual encrypted disk stored inside a single file.
• Full-disk/partition encryption: Can encrypt entire partitions or full hard drives.
• Pre-boot authentication: Essential for encrypting system drives; ensures
unauthorized users cannot access OS.
• Improved security over TrueCrypt:
o Hardened against brute-force attacks with improved key derivation functions.
o Introduces longer iteration counts, making password cracking extremely
difficult.
• Performance remains unaffected during use; only initial mounting may have slight
delay.
Importance in Forensics
• Investigators commonly face VeraCrypt-encrypted volumes during searches.
• Access typically requires live acquisition, memory dumps, or user cooperation
because brute-forcing is highly impractical.
2. Encrypted Disk Detector (EDD)
Type: Free, command-line tool
Purpose: Identify encrypted volumes during incident response.
Key Capabilities
• Detects encryption signatures for:
o TrueCrypt
o PGP
o BitLocker
• Helps determine whether:
o A live acquisition is needed (to capture keys stored in RAM)
o Evidence will be lost if the system is powered off
• Analyzes local physical drives
• If no encrypted signature is found, it displays:
o OEM ID
o Volume labels
o Other partition information
Forensic Importance
• Early detection of encryption prevents evidence loss.
• Crucial in real-time situations where shutting down a machine may permanently lock
critical evidence.
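Worked example (added here; not the notes' own code and not EDD): the boot-sector triage an encryption detector performs, run over constructed sectors. The BitLocker OEM ID "-FVE-FS-" and the FAT/NTFS boot-sector field offsets are real; the entropy rule for headerless containers is this example's own heuristic, PGP signatures are not covered, and every sector below is constructed.

```python
"""
Added example (not these notes' own code and not EDD): triage a 512-byte boot
sector the way an encryption detector does. Only the BitLocker OEM ID
("-FVE-FS-") is a real signature here; the entropy rule for headerless
containers is a heuristic of this example, and the sectors are constructed.
"""
import hashlib
import math
from collections import Counter

SECTOR_SIZE = 512
BITLOCKER_OEM = b"-FVE-FS-"          # OEM ID written into BitLocker volumes
HIGH_ENTROPY = 7.0                   # bits/byte; plain boot code sits far lower


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; uniformly random data on 512 bytes scores about 7.6."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_sector(sector: bytes) -> dict:
    """Classify a boot sector and say whether RAM must be captured first."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    oem = sector[3:11]
    report = {
        "oem_id": oem.decode("ascii", "replace").rstrip(),
        "boot_signature": sector[510:512] == b"\x55\xAA",
        "volume_label": None,
        "live_acquisition": False,
    }
    if oem == BITLOCKER_OEM:
        # Keys live only in RAM while the volume is unlocked: image memory first.
        report["verdict"] = "BitLocker volume"
        report["live_acquisition"] = True
    elif oem.startswith(b"NTFS"):
        report["verdict"] = "NTFS (label is in $Volume, not the boot sector)"
    elif sector[82:87] == b"FAT32":
        report["verdict"] = "FAT32"
        report["volume_label"] = sector[71:82].decode("ascii", "replace").rstrip()
    elif sector[54:58] == b"FAT1":  # FAT12 / FAT16 layout
        report["verdict"] = sector[54:62].decode("ascii", "replace").rstrip()
        report["volume_label"] = sector[43:54].decode("ascii", "replace").rstrip()
    elif shannon_entropy(sector) > HIGH_ENTROPY:
        # No recognisable structure and near-random bytes: consistent with a
        # headerless container (TrueCrypt/VeraCrypt style). Heuristic only.
        report["verdict"] = "unknown, possibly headerless encrypted volume"
        report["live_acquisition"] = True
    else:
        report["verdict"] = "unknown, not encrypted by any rule here"
    return report


def make_sector(oem: bytes, fields=None) -> bytes:
    """Build a constructed boot sector with an OEM ID and optional BPB fields."""
    buf = bytearray(SECTOR_SIZE)
    buf[0:3] = b"\xEB\x58\x90"       # x86 jump over the BPB
    buf[3:11] = oem.ljust(8)
    for offset, value in (fields or {}).items():
        buf[offset:offset + len(value)] = value
    buf[510:512] = b"\x55\xAA"
    return bytes(buf)


# Constructed test sectors.
BITLOCKER_SECTOR = make_sector(BITLOCKER_OEM)
NTFS_SECTOR = make_sector(b"NTFS    ")
FAT32_SECTOR = make_sector(b"MSDOS5.0", {71: b"EVIDENCE01 ", 82: b"FAT32   "})
# Deterministic pseudo-random bytes standing in for an encrypted container.
RANDOM_SECTOR = b"".join(
    hashlib.sha256(b"constructed-" + bytes([i])).digest() for i in range(16)
)

if __name__ == "__main__":
    for name, sec in [("bitlocker", BITLOCKER_SECTOR), ("ntfs", NTFS_SECTOR),
                      ("fat32", FAT32_SECTOR), ("random", RANDOM_SECTOR)]:
        r = inspect_sector(sec)
        print(f"{name:10} {r['verdict']:45} live acquisition: {r['live_acquisition']}")
```

The point of the `live_acquisition` flag is the decision EDD supports: a BitLocker OEM ID or a sector with no structure and near-random bytes means the keys may only exist in RAM, so memory is imaged before the machine is powered off; a plain FAT or NTFS sector gives the OEM ID and label and no such urgency.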
Ch- 8 (Sec 8.2.3)
1. Authority to Conduct Search & Seizure
Under the IT Act 2000 (Amended 2008)
• Only a competent authority can conduct searches.
• As per the IT Act:
o Any police officer not below the rank of Deputy Superintendent of Police
(DSP) can investigate offences under this Act.
• Section 80, IT Act 2000 (Amended 2008):
o Any police officer not below the rank of Police Inspector, or
o Any officer of central or state government authorized by the Central
Government
o May:
▪ Enter any public place
▪ Search persons
▪ Arrest without warrant
▪ But this is only when the person is reasonably suspected of:
▪ Having committed,
▪ Being in the process of committing, or
▪ Being about to commit
any offence under the IT Act.
Reasonability Requirement
• Search and arrest must be based on reasonable suspicion, not arbitrary
assumptions.
2. Role of Witnesses During Search
• The competent authority must call two witnesses to observe and certify the search.
• Witnesses should preferably be computer literate, especially when dealing with
digital evidence, to understand the nature of devices seized.
• The person in charge of the premises where the search occurs
(owner/employee/administrator) must also be allowed to witness the search.
3. Principles of Valid Seizure
According to forensic standards:
Seizure must be:
1. Justified – There should be a valid legal reason for taking the Electronic
Communication Device (ECD).
2. Appropriate – The device must be connected to the offence or necessary for
investigation.
3. Proportionate – The evidentiary value must outweigh the intrusion caused by the
seizure.
This ensures fairness, prevents over-seizure, and protects the rights of individuals while
still allowing evidence collection.
4. Start of Seizure Process
• Begins with the preservation of digital evidence.
• Involves:
o Seizing ECDs (e.g., computers, mobiles, storage media)
o Taking custody of them to prevent tampering or loss.
Sequence of Events
1. Complaint lodged at cybercrime cell.
2. Investigation formally begins.
3. A team led by the Investigating Officer (IO) conducts search and seizure.
4. Two witnesses must be present.
5. The IO may request assistance from a Forensic Examiner (FE) if technical challenges
arise.
5. Steps in Crime Scene Investigation (Based on Fig. 8.3)
Step 1: Identification & Securing the Crime Scene
• IO pinpoints the exact location where the incident occurred.
• Scene is secured to prevent:
o Evidence destruction
o Unauthorized access
o Environmental damage (water, heat, tampering)
Step 2: Documentation of the Crime Scene
• IO creates a report that accurately reflects the scene at the moment of arrival.
• Includes:
o Notes
o Photographs
o Videos
o Sketches
o Details of devices, cables, screens, logs, and ambient conditions
Step 3: Collection of Evidence
• IO gathers:
o Physical evidence such as:
▪ User manuals
▪ Handwritten passwords
▪ Login credentials
▪ Notes or printouts
o Digital evidence held in:
▪ Computers
▪ USB drives
▪ Mobile phones
▪ Network devices
▪ Routers
• Collection must follow chain-of-custody protocols.
Step 4: Labelling & Documentation
• Every item collected is:
o Assigned a unique evidence number
o Properly labeled (date, time, location, description)
o Fully logged in the evidence documentation sheet
• Metadata and condition of devices noted for later examination.
Step 5: Packaging & Transportation to Court
• Evidence is:
o Sealed in protective, tamper-proof packaging.
o Packed to prevent physical or electromagnetic damage.
o Transported carefully to the court or forensic lab.
• IO produces all evidence before court as part of the judicial process.
Ch - 7 (Sec 7.9)
7.9 FORENSIC TOOLS FOR PASSWORD RECOVERY
Password recovery is vital in forensic work to unlock encrypted disks, applications,
documents, and mobile devices. Tools typically use GPU acceleration, dictionary attacks,
brute-force attempts, rainbow tables, and memory acquisition.
1. Passware Kit Forensic
Type: Commercial, comprehensive password recovery solution
Strength: One of the most widely used forensic password recovery suites.
Key Features
1. Supports 200+ file types
o Office docs, archives, encrypted disks, etc.
2. Disk decryption
o Can decrypt full disks including drives encrypted with TrueCrypt, BitLocker,
FileVault, etc.
3. Scans network and local PC
o Finds all password-protected items automatically.
4. Memory acquisition
o Captures RAM images which may contain live encryption keys.
5. Searches Windows Desktop Search database
o Retrieves electronic evidence in minutes.
6. Distributed password recovery
o Uses multiple machines/GPUs to speed up cracking.
7. Runs from USB
o No installation needed on the target PC, maintaining forensic integrity.
Forensic Value
• High cracking speed, wide compatibility, and evidence acquisition make it essential
during encrypted system investigations.
2. ElcomSoft Tools
ElcomSoft provides a collection of powerful password recovery and mobile forensic
tools.
(a) ElcomSoft Password Recovery Bundle (Forensic Edition)
• Comprehensive suite of recovery tools bundled together.
• Unlocks:
o Documents
o Archives
o Encrypted containers (TrueCrypt/BitLocker/others)
(b) ElcomSoft Distributed Password Recovery
• Performs high-speed password attacks using:
o GPU acceleration
o Distributed computing
• Recovers:
o Encryption keys
o Document passwords
o System passwords
(c) ElcomSoft Mobile Forensic Bundle
• Performs:
o Physical & logical acquisition of mobile devices
o Over-the-air extraction (cloud, backups)
• Breaks:
o Mobile backup passwords (iOS, Android)
o Encrypted backup files
• Analyzes:
o Application data
o Messages
o Contacts
o Device artifacts
(d) ElcomSoft Cloud eXplorer
• Extracts comprehensive data from Google cloud accounts, including:
o Location history
o Contacts
o Chrome activity
o Search history
o Hangouts messages
o Google Keep notes
o Calendar events
o Stored images
Forensic Importance
• Critical for mobile forensics, especially when device access is restricted or locked.
• Cloud extraction helps investigators bypass phone-level encryption.
3. Ophcrack
Type: Free, open-source Windows password cracker
Technique: Rainbow table–based attack
Key Features
• Uses time-memory trade-off (Hellman’s algorithm improved)
• Extremely fast for alphanumeric passwords
• Claims 99.9% recovery success for such passwords
• Includes:
o GUI interface
o Multi-platform support (Windows, Linux, Mac)
• Works well on older Windows versions (XP, Vista, 7)
Limitations
• Cannot efficiently crack long or complex passwords, especially those containing symbols.
• Not effective against strong hashing algorithms with salts (e.g., Windows 10+).
Forensic Value
• Fast and efficient for legacy systems or simple passwords.
• Often included in forensic boot CDs.
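Worked example (added here; not from the notes, Ophcrack or VeraCrypt) for two passages above: why the precomputed-table attack behind Ophcrack recovers unsalted hashes instantly and fails against salted ones (Ophcrack's limitation), and why the longer iteration counts in VeraCrypt's key derivation make each guess expensive. SHA-1 stands in for an unsalted single-pass password hash, PBKDF2-HMAC-SHA256 stands in for a hardened KDF, and the wordlist is constructed.

```python
"""
Added example (not from these notes, Ophcrack or VeraCrypt): why a precomputed
table recovers unsalted hashes instantly, and how a per-record salt plus a
high iteration count (the idea behind VeraCrypt's hardened key derivation)
defeats it. SHA-1 stands in for an unsalted password hash; PBKDF2-HMAC-SHA256
stands in for the hardened KDF; the wordlist is constructed.
"""
import hashlib
import hmac
import os
import time

WORDLIST = ["password", "letmein", "Summer2024", "admin123", "qwerty"]  # constructed


def fast_hash(password: str) -> str:
    """Unsalted, single-pass hash: every system storing it yields the same value."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> password once; reusable against any unsalted store
    (a rainbow table is a compressed form of this time-memory trade-off)."""
    return {fast_hash(w): w for w in words}


def lookup(table, stored_hash):
    """Instant recovery if the password was in the wordlist, else None."""
    return table.get(stored_hash)


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Iterated, salted derivation; cost per call scales with iterations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def store_salted(password: str, iterations: int = 200_000, salt: bytes = None) -> dict:
    """Hardened form: random salt per record and an iterated KDF."""
    salt = salt if salt is not None else os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "digest": derive_key(password, salt, iterations)}


def verify_salted(record: dict, candidate: str) -> bool:
    """Check a candidate against a salted record in constant time."""
    guess = derive_key(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(guess, record["digest"])


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Cost a cracker pays for one candidate at a given iteration count."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    stolen = fast_hash("Summer2024")            # what an unsalted store leaks
    print("unsalted lookup:", lookup(table, stolen))

    a = store_salted("Summer2024")
    b = store_salted("Summer2024")
    print("same password, different salts, equal digests?", a["digest"] == b["digest"])
    print("salted digest in table?", lookup(table, a["digest"].hex()))

    low, high = seconds_per_guess(1_000), seconds_per_guess(100_000)
    print(f"per-guess cost x{high / low:.0f} at 100k iterations vs 1k")
```

Two things the table alone does not show: with a salt, the same password stored twice has two different digests, so one precomputed table serves neither, and the cracker must start from scratch per record; with the iteration count raised, every one of those per-record guesses costs proportionally more, which is the "extremely difficult" in the VeraCrypt notes made concrete.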
QUICK COMPARISON TABLE
VeraCrypt
• Purpose: Disk encryption
• Strengths: Strong security, OTFE, full-disk encryption
• Forensic usage: Encountered on suspect machines; requires keys for access
EDD
• Purpose: Detect encrypted volumes
• Strengths: Fast detection, indicates if live acquisition needed
• Forensic usage: Helps decide acquisition strategy
Passware Kit Forensic
• Purpose: Password recovery + disk decryption
• Strengths: 200+ file types, memory acquisition, distributed cracking
• Forensic usage: Industry-standard forensic suite
ElcomSoft Tools
• Purpose: Password & mobile recovery
• Strengths: GPU acceleration, cloud extraction, mobile forensics
• Forensic usage: Extensive mobile & password evidence retrieval
Ophcrack
• Purpose: Windows password recovery
• Strengths: Rainbow tables, extremely fast
• Forensic usage: Cracks simple Windows passwords
Unit 5 - Cyber Crimes and Cyber Laws
IPC sections - 43, 65, 66A - 66F, 67, 67A, 67B, 72
1. SECTION 43 – Penalty and Compensation for Damage to Computer Systems
Applicability
• Civil offence (not criminal).
• Covers unauthorized access, damage, data theft, and manipulation of computer
resources.
• Punishment: Compensation (damages) to the affected person.
Offences under Section 43
If any person without permission of the owner:
(a) Accesses / secures access to computer, system, network, or resource.
(b) Downloads, copies, or extracts:
• Data
• Databases
• Information
• From system or removable media
(c) Introduces computer contaminant or virus.
(d) Damages / causes damage to:
• Computer
• System
• Network
• Data or programs
(e) Disrupts the functioning of a computer system/network.
(f) Denies authorized access (DoS).
(g) Provides assistance in unauthorized access.
(h) Charges another person’s account by tampering or manipulation.
(i) Destroys, alters, or diminishes information in any computer resource.
(j) Steals, conceals, or alters computer source code with intent to cause damage.
Penalty
• Damages by way of compensation (no imprisonment; civil liability).
Important Definitions (Explanation to Section 43)
Computer Contaminant
A set of instructions designed to:
• Modify / destroy / record / transmit data
• Or disrupt normal functioning of computer systems
Computer Database
Formally prepared representation of information, knowledge, facts, images, audio, video
intended for computer use.
Computer Virus
Instruction/program that:
• Destroys or degrades computer resources
• Self-replicates by attaching to another program
• Activates upon an event
Damage
Includes:
• Destroying
• Altering
• Deleting
• Adding
• Modifying
• Rearranging computer resources
Computer Source Code
Listing of programs, commands, design, layout, analysis—in any form.
2. SECTION 65 – Tampering with Computer Source Documents
Offence
Knowingly or intentionally:
• Concealing
• Destroying
• Altering
• Or causing another person to do so
When source code is required to be kept by law.
Punishment
• Imprisonment: Up to 3 years
• Fine: Up to ₹2 lakh
• Or both
Definition
Computer source code = programs, commands, design, layout, analysis.
3. SECTION 66A – Omitted by Supreme Court (Shreya Singhal Case)
(You may still need to know its content for theory questions.)
Earlier Covered
Punishment for sending:
• Grossly offensive messages
• Menacing messages
• False information causing annoyance or hatred
Status
Struck down as unconstitutional in 2015.
4. SECTION 66B – Dishonestly Receiving Stolen Computer Resource
Offence
Receiving or retaining:
• Stolen computer resource
• Stolen communication device
With knowledge or reasonable belief.
Punishment
• Imprisonment: Up to 3 years
• Fine: Up to ₹1 lakh
• Or both
5. SECTION 66C – Identity Theft
Offence
Fraudulent or dishonest use of:
• Electronic signature
• Password
• Unique identification feature (OTP, biometric, PIN)
Punishment
• Imprisonment: Up to 3 years
• Fine: Up to ₹1 lakh
6. SECTION 66D – Cheating by Personation Using Computer Resource
Offence
Using computer or communication device to cheat by pretending to be someone else.
Punishment
• Imprisonment: Up to 3 years
• Fine: Up to ₹1 lakh
7. SECTION 66E – Violation of Privacy
Offence
Intentionally capturing, publishing, or transmitting images of private areas without consent
under circumstances violating privacy.
Definition of Private Area
• Genitals
• Pubic area
• Buttocks
• Female breast
Punishment
• Imprisonment: Up to 3 years
• Fine: Up to ₹2 lakh
• Or both
Important Terms
• Capture: photo, video, record
• Transmit: send electronically
• Publish: make available publicly
• Circumstances violating privacy: situations where a person expects privacy
8. SECTION 66F – Cyber Terrorism
Offence Categories
(1)(A) Acts intended to threaten national security or create terror
Includes:
• Denying authorized access
• Unauthorized penetration into computer resource
• Introducing computer contaminant
AND
Causing:
• Death or injury
• Damage/destruction of property
• Disruption of essential services
• Impact on critical information infrastructure (CII)
(1)(B) Unauthorized access to restricted data that threatens national security
Includes access to:
• State security data
• Foreign relations data
• Restricted information
• Sensitive government databases
Punishment
• Imprisonment for Life
9. SECTION 67 – Publishing or Transmitting Obscene Material Online
Offence
Publishing/transmitting material that:
• Is lascivious
• Appeals to prurient interest
• Corrupts or depraves the viewer
Punishment
• First conviction: Up to 3 years + fine up to ₹5 lakh
• Subsequent conviction: Up to 5 years + fine up to ₹10 lakh
10. SECTION 67A – Publishing or Transmitting Sexually Explicit Material
Offence
Sexually explicit act or conduct in electronic form.
Punishment
• First conviction: Up to 5 years + fine up to ₹10 lakh
• Subsequent conviction: Up to 7 years + fine up to ₹10 lakh
11. SECTION 67B – Child Pornography, Online Child Abuse
Offences
Includes:
• Publishing or transmitting sexually explicit content involving children
• Creating, collecting, browsing, downloading, distributing such content
• Enticing or inducing children online
• Facilitating abuse
• Recording abuse involving children
Punishment
• First conviction: Up to 5 years + fine up to ₹10 lakh
• Subsequent conviction: Up to 7 years + fine up to ₹10 lakh
Exceptions
For public good:
• Science
• Literature
• Art
• Learning
• Heritage or religious purposes
Definition
Child = person under 18 years.
12. SECTION 72 – Breach of Confidentiality and Privacy
Offence
Any person who gains access to:
• Electronic record
• Book
• Register
• Correspondence
• Information
• Document
Under powers of the IT Act, and discloses it without consent.
Penalty
• Fine up to ₹5 lakh
EXAM-TIME QUICK SUMMARY
Section Covers Punishment
43 Unauthorized access & damage Compensation
65 Tampering with source code 3 yrs + ₹2 lakh
66A Offensive messages Omitted
66B Receiving stolen computer resource 3 yrs + ₹1 lakh
66C Identity theft 3 yrs + ₹1 lakh
66D Cheating by personation 3 yrs + ₹1 lakh
66E Violation of privacy 3 yrs + ₹2 lakh
66F Cyber terrorism Imprisonment for life
67 Obscene material 3/5 yrs + ₹5/10 lakh
67A Sexually explicit content 5/7 yrs + fine
67B Child pornography 5/7 yrs + fine
72 Breach of confidentiality Fine up to ₹5 lakh
Ch- 14 (Sec 14.5)
1. Overview of U.S. Cybercrime Laws
U.S. cybercrime laws fall into two categories:
A. Substantive Cybercrime Laws
These define and criminalize acts such as:
• Hacking
• Unauthorized access
• Online identity theft
• Child pornography
• Cyber fraud
• Intellectual property violations
• Online gambling
(See Table 14.8—summary of key statutes.)
B. Procedural Cybercrime Laws
Define how electronic data may be:
• Preserved
• Accessed
• Intercepted
• Disclosed
(See Table 14.9—laws for electronic evidence, intercepts, and pen registers.)
Key procedural statutes:
Statute Purpose
18 U.S.C. §§ 2510–2522 Interception of wire/oral/electronic communications
18 U.S.C. §§ 2701–2712 Stored communication access and disclosure
18 U.S.C. §§ 3121–3127 Pen registers and trap-and-trace devices
2. Computer Fraud and Abuse Act (CFAA) — 18 U.S.C. §1030
2.1 Origin
• First federal computer crime law: 1984
• Initial limitations:
1. Only unauthorized access was illegal—not misuse.
2. Did not criminalize harmful use of computers.
2.2 Amendments
• 1994: added provisions for malicious code (viruses, worms)
• Revised to cover:
o Transmission of harmful code
o Damage to systems
o Unauthorized use
• Continually amended until 2008.
3. Seven Major Offenses Under CFAA (Section 1030(a))
1. §1030(a)(1)
Unauthorized access to obtain:
• National security information
• Foreign relations data
• Restricted nuclear data
Penalty: up to 10 years (20 years for repeat).
2. §1030(a)(2)
Unauthorized access to obtain:
• Financial records
• Consumer data
• Information from U.S. government or protected computers
Focus: Confidentiality of data.
3. §1030(a)(3)
Trespassing on federal government computers
(no requirement to obtain data).
4. §1030(a)(4)
Computer fraud:
• Access + intent to defraud
• Gain of value > $5000 considered felony.
5. §1030(a)(5)
Covers hacking + malicious code (most used section):
• (A) Intentional damage via transmission
• (B) Reckless damage
• (C) Negligent damage
Examples of qualifying harms:
• $5000+ loss
• Alteration of medical data
• Threat to public health/safety
6. §1030(a)(6)
Trafficking in passwords or similar access tools.
7. §1030(a)(7)
Extortion via threats to computers or data.
4. Case Examples (Box Summaries)
Box 14.8 – Viral Attack (Ransomware: CryptoLocker)
• Medical Practice hit with ransomware
• Files encrypted across network drives
• Recovery involved offsite backups, AV cleanup
• Led to major downtime and system upgrades
Box 14.9 – Financial Crime (Bitcoin Theft on Tor)
• Defendant stole users’ Bitcoin by:
o Fake login pages
o Port-forwarding through his server
• Used bitcoin tumbling to hide traces
Box 14.10 – Hacking (Yahoo 2012 Data Dump)
• 200M user records for sale by hacker "Peace"
• Data included MD5-hashed passwords, usernames, DOB
• Sold for 3 bitcoins
5. Cyber Stalking Laws
18 U.S.C. §2261A — Federal Stalking
• Amended to include interactive computer service
• Problem: requires physical travel across state lines, making it unsuitable for typical
online stalking.
18 U.S.C. §875(c) — Threats via Interstate Communication
• Covers threats to kidnap or injure
• Does not cover general harassment without explicit threats.
47 U.S.C. §223 — Obscene/Harassing Telephone Communications
• Applies to:
o Phone calls
o Texts
• Does not apply to:
o Email
o Social media
o Online platforms
6. Cyber Terrorism Laws
Department of Homeland Security (DHS)
Created: 2003
Duties include:
• Protecting against cyber terrorism
• Preserving constitutional freedoms
• Investigating digital threats
Patriot Act
Allows intelligence gathering on:
• Communications
• Electronic activity
for preventing terrorism.
7. Electronic Communications Privacy Act (ECPA), 1986
Key Functions
• Protects privacy of stored and transmitted electronic communications
• Prohibits:
o Unauthorized interception
o Unauthorized access
o Improper disclosure
• Applies to communications affecting interstate or foreign commerce
Amendment: CALEA (1994)
• Requires ISPs to enable lawful electronic surveillance
• Still requires a court warrant
Case Examples
Box 14.12: Privacy violation due to misdirected SMS
Box 14.13: Major U.S. identity theft scam ($13M)
8. Cyber Security Enhancement Act (CSEA)
Major Impacts
• Increased penalties under CFAA (up to 20 years for serious harm)
• Reduced privacy protections:
1. ISPs may voluntarily give user data to government agents without a warrant if
serious crime suspected.
2. ISPs may allow interception of communications from trespassers without
warrant.
Also:
• Increased penalties for cellular interceptors.
9. Digital Millennium Copyright Act (DMCA), 1998
Prohibitions
1. Circumventing access control technologies
2. Making/selling tools designed to bypass copyright protection
3. Removing digital rights management (DRM) info
Exemptions
• Law enforcement
• Government use
• Parental filtering technology
ISP Safe-Harbor Protections
No liability if ISP:
• Has no control over content
• Does not profit from infringement
• Removes material quickly upon notice (notice-and-takedown)
• Stores temporary cached copies only
Case: Apple vs Microsoft (Box 14.14)
• Dispute over GUI ownership
• Court ruled in Microsoft’s favor (merger doctrine applied)
10. Other Traditional Laws Used Against Cybercrime
10.1 Economic Espionage Act (EEA), 1996
Criminalizes theft of trade secrets, including acts like:
• Downloading
• Uploading
• Copying
• Transmitting
When done knowingly and without authorization.
10.2 Wire Fraud / National Stolen Property Act
Used when digital actions facilitate traditional fraud.
10.3 Fraudulent Online Identity Sanctions Act (FOISA)
• Increases penalties if:
o A domain is registered with false info AND used for crimes.
10.4 Computer Software Privacy and Control Act (CSPCA)
Targets:
• Spyware
• Adware
Requires:
• User consent
• Uninstall option
10.5 State Laws
Example: Virginia Internet Policy Act (1999)
Includes:
• Computer crime penalties
• Encryption in criminal activity
• Child pornography controls
(Box 14.15: Child pornography ring case)
11. Summary Table of U.S. Cyber Laws
Cybercrime Applicable Law
Hacking CFAA §1030
Malicious code CFAA §1030(a)(5), CSEA
Privacy violations ECPA, CALEA
Cyber stalking §2261A, §875(c), 47 USC 223 (limited)
Copyright infringement DMCA, EEA
Child pornography Federal criminal statutes + state laws
Identity theft EEA, wire fraud, CFAA
Cyber terrorism DHS, PATRIOT Act