22CS6307 - CYBER FORENSICS AND

INFORMATION SECURITY

1|22CS6307 - CYBER FORENSICS AND INFORMATION SECURITY

2|22CS6307 - CYBER FORENSICS AND INFORMATION SECURITY
 UNIT I - INTRODUCTION TO CYBER CRIME AND FORENSICS

Introduction to Traditional Computer Crime, Traditional problems associated with Computer

[Link] of ECD and ICT in Cybercrime - Classification of Cyber Crime. The Present and future
of Cybercrime - Cyber Forensics -Steps in Forensic Investigation - Forensic Examination Process -
Types of CF techniques - Forensic duplication and investigation - Forensics Technology and Systems
- Understanding Computer Investigation – Data Acquisition

Traditional Computer Crime

Definition:
Traditional computer crime refers to illegal activities that exploit computer systems and
networks, often involving unauthorized access, data breaches, fraud, and identity theft. These
crimes typically involve the use of computers to commit offenses that have existed before the
digital era but have evolved with technology.

Types of Traditional Computer Crimes

1. Hacking – Unauthorized access to computer systems or networks to steal, manipulate,

or destroy data.
o Example: A hacker gaining access to a company's database to steal customer
information.
2. Identity Theft – Using someone’s personal information (such as social security
numbers or banking details) without permission for fraudulent purposes.
o Example: Criminals using stolen credit card information to make purchases.
3. Phishing and Social Engineering – Deceptive tactics to trick individuals into
revealing confidential information.
o Example: Fake emails pretending to be from banks to steal login credentials.
4. Malware Attacks – Deploying malicious software such as viruses, ransomware,
spyware, and worms to damage or exploit systems.
o Example: Ransomware locking users out of their files unless a ransom is paid.
5. Online Fraud – Any fraudulent activity carried out over the internet, such as e-
commerce fraud, investment scams, and lottery fraud.
o Example: Fake online stores selling non-existent products.
6. Cyberstalking and Online Harassment – Using digital platforms to harass, threaten,
or intimidate individuals.
o Example: Sending repeated threats via email or social media.
7. Intellectual Property Theft – Unauthorized use, reproduction, or distribution of
copyrighted software, music, movies, or books.
o Example: Downloading pirated software or movies illegally.
8. Denial of Service (DoS) Attacks – Overloading a website or server to make it
unavailable to legitimate users.
o Example: A cybercriminal flooding a website with excessive traffic, causing it
to crash.

3|22CS6307 - CYBER FORENSICS AND INFORMATION SECURITY

 9. Espionage and Data Breaches – Unauthorized access to confidential information for
competitive or political advantage.
o Example: Corporate spies hacking into a competitor’s system to steal trade
secrets.
10. Financial and Banking Crimes – Digital theft involving online banking systems,
credit card fraud, and ATM hacking.

 Example: Cloning debit/credit cards to withdraw money fraudulently.

Challenges in Combating Traditional Computer Crimes

1. Anonymity of Cybercriminals – Attackers can hide their identity using proxies,

VPNs, and encrypted communication.
2. Jurisdictional Issues – Cybercrimes often cross national borders, making law
enforcement complicated.
3. Rapid Evolution of Cyber Threats – Criminals continuously develop new attack
methods, making prevention difficult.
4. Lack of Awareness – Many individuals and organizations do not take cybersecurity
seriously, increasing vulnerabilities.
5. Difficulty in Gathering Digital Evidence – Data can be altered, deleted, or hidden,
making investigations complex.

Prevention and Countermeasures

1. Strong Cybersecurity Measures – Using firewalls, antivirus software, and intrusion

detection systems.
2. User Awareness and Education – Training individuals and employees on best
practices to prevent cyber threats.
3. Legal Frameworks and Regulations – Enforcing cyber laws to prosecute offenders.
4. Regular System Updates and Patching – Keeping software updated to prevent
security vulnerabilities.
5. Multi-Factor Authentication (MFA) – Enhancing security by requiring multiple
verification steps.

Traditional Problems Associated with Computer Crime

Computer crime presents numerous challenges, especially as technology evolves. Some of the
key traditional problems associated with computer crime include:

1. Anonymity of Cybercriminals

 Attackers use VPNs, proxies, Tor networks, and encrypted communication to hide their
identity.
 Tracking down offenders is difficult as they can operate from any part of the world.

4|22CS6307 - CYBER FORENSICS AND INFORMATION SECURITY

2. Jurisdiction Issues

 Cybercrime often crosses international borders, making law enforcement complex.

 Different countries have varying cyber laws, making it hard to prosecute offenders effectively.

3. Lack of Digital Evidence

 Unlike physical crimes, digital evidence is easily altered, deleted, or hidden.

 Proving cybercrime in court requires extensive forensic investigation.

4. Rapid Evolution of Cyber Threats

 Hackers and cybercriminals constantly develop new attack methods, making traditional
security measures ineffective.
 Zero-day vulnerabilities (unknown security flaws) are exploited before they can be patched.

5. Financial and Economic Losses

 Cybercrimes such as identity theft, online fraud, and ransomware attacks lead to significant
financial losses.
 Businesses suffer reputation damage after a data breach, affecting customer trust.

6. Lack of Awareness and Poor Cyber Hygiene

 Many users and organizations fail to implement strong security measures.

 Weak passwords, phishing attacks, and unpatched software increase the risk of cyberattacks.

7. Insider Threats

 Employees or individuals with internal access may misuse their privileges for financial or
personal gain.
 Insider attacks are harder to detect because they involve trusted personnel.

Role of ECD (Electronic Crime Detection) and ICT (Information and

Communication Technology) in Cybercrime
1. Electronic Crime Detection (ECD)

ECD refers to the technologies, methods, and tools used to detect, analyze, and prevent
cybercrimes.

Key Components of ECD:

 Intrusion Detection Systems (IDS) – Monitors network traffic for suspicious activities.
 Firewalls and Security Filters – Blocks unauthorized access to systems.
 Digital Forensics – Recovers and analyzes digital evidence to investigate cybercrimes.
 Machine Learning & AI – Detects patterns in cyberattacks and prevents threats proactively.

Example:

5|22CS6307 - CYBER FORENSICS AND INFORMATION SECURITY

  AI-based fraud detection in banking systems identifies suspicious transactions in real time.

2. Information and Communication Technology (ICT) in Cybercrime

ICT plays a dual role in cybercrime—it enables cybercriminal activities but also helps in
cybersecurity measures.

How ICT Enables Cybercrime:

 The internet provides a global platform for cybercriminals to operate.

 Social media and email are exploited for phishing and misinformation campaigns.
 Cloud computing can be used to store stolen data anonymously.

How ICT Helps in Fighting Cybercrime:

 Cybersecurity software protects systems from malware and hacking.

 Big Data Analysis helps detect patterns of cyber threats.
 Blockchain Technology enhances secure transactions and data integrity.
 Encryption and Authentication improve data security in communication.

Classification of Cybercrime

Cybercrimes can be categorized based on the nature of the crime and the target of the attack.
The major classifications include:

1. Cyber Crimes Against Individuals

These crimes target individuals, affecting their privacy, financial security, or mental well-
being.

a) Identity Theft & Financial Fraud

 Phishing – Fraudulent emails or messages trick users into revealing personal information.
 Credit/Debit Card Fraud – Unauthorized access to banking details for illegal transactions.
 SIM Card Cloning – Duplicate SIMs are used to intercept OTPs and hack accounts.

b) Cyberstalking & Harassment

 Online Harassment & Bullying – Continuous sending of threatening or abusive messages.
 Doxxing – Publicly exposing someone’s personal details (address, phone number, etc.).
 Revenge Porn – Sharing explicit images/videos without consent.

c) Distribution of Illegal Content

 Child Exploitation & Pornography – Sharing explicit content involving minors.
 Hate Speech & Defamation – Spreading false or offensive content online.

6|22CS6307 - CYBER FORENSICS AND INFORMATION SECURITY

2. Cyber Crimes Against Organizations

These crimes affect businesses, government entities, and corporations.

a) Hacking & Unauthorized Access

 Corporate Espionage – Gaining unauthorized access to a competitor’s confidential data.
 Insider Threats – Employees leaking sensitive data for personal gain.
 Website Defacement – Altering a website’s appearance or content maliciously.

b) Ransomware & Cyber Extortion

 Ransomware Attacks – Encrypting an organization’s files and demanding ransom for
decryption.
 DDoS Attacks (Distributed Denial of Service) – Overloading a system with traffic to make it
unavailable.

c) Intellectual Property Theft & Software Piracy

 Copyright Infringement – Unauthorized use or distribution of copyrighted materials.
 Piracy – Illegal downloading and sharing of movies, music, and software.

3. Cyber Crimes Against Government & National Security

These crimes involve threats to a country’s security, infrastructure, or critical institutions.

a) Cyber Terrorism & Espionage

 Terrorist Communication & Recruitment – Using the internet to radicalize and recruit
members.
 State-Sponsored Hacking – Governments spying on other nations through cyber attacks.
 Cyber Warfare – Disrupting national infrastructure (power grids, defense systems).

b) Election & Political Manipulation

 Fake News & Disinformation – Spreading false narratives to influence public opinion.
 Hacking Political Databases – Gaining unauthorized access to political party databases.

4. Cyber Crimes Against Society

These crimes have widespread consequences affecting multiple individuals and organizations.

a) Online Scams & Fraud

 Ponzi Schemes – Fraudulent investment schemes that promise high returns.
 Lottery & Fake Job Scams – Tricking users into paying money for fake prizes or job offers.

7|22CS6307 - CYBER FORENSICS AND INFORMATION SECURITY

b) Drug & Human Trafficking via Dark Web
 Dark Web Markets – Selling illegal drugs, weapons, and human trafficking services.

c) Cyber Vandalism & Misinformation

 Spreading Fake News – Causing panic or manipulating social/political opinions.
 Social Media Manipulation – Bots and fake accounts used to amplify propaganda.

The Present and Future of Cybercrime

Cybercrime has become one of the most significant threats in today's digital world, affecting
individuals, businesses, and governments. The rapid advancement of technology has led to
increasingly sophisticated cyber threats. Let's explore the current landscape of cybercrime
and what the future holds.

🔍 Present State of Cybercrime

1. Increasing Frequency and Sophistication

 Cybercriminals are using Artificial Intelligence (AI) and Machine Learning (ML) to
automate attacks.
 Advanced Persistent Threats (APTs) target organizations over long periods to steal sensitive
data.
 Ransomware attacks have skyrocketed, targeting hospitals, banks, and even government
agencies.

2. Rise of Financial and Cryptocurrency Crimes

 Cryptojacking: Hackers secretly use victims' computers to mine cryptocurrency.
 Dark Web Transactions: Illegal trades (weapons, drugs, personal data) are facilitated via
cryptocurrencies.
 Online Payment Frauds: Phishing and card cloning scams continue to rise.

3. Growth of Cyber Warfare and Espionage

 Nation-State Attacks: Countries are using cybercrime for intelligence gathering and
disruption.
 Election Hacking & Fake News: Political manipulation through social media disinformation
campaigns.

4. Increasing Attacks on Critical Infrastructure

 Cybercriminals target power grids, water supply, healthcare systems, and transport
networks.
 IoT Vulnerabilities: Weak security in smart devices leads to large-scale Distributed Denial of
Service (DDoS) attacks.

8|22CS6307 - CYBER FORENSICS AND INFORMATION SECURITY

5. Data Privacy Breaches and Identity Theft
 Massive Data Leaks: Social media and e-commerce platforms suffer frequent breaches.
 Deepfake Technology: AI-generated fake videos are being used for fraud and misinformation.

🔮 Future of Cybercrime

1. AI-Powered Cybercrime
 Automated Phishing Attacks: AI can create more convincing fake emails and messages.
 Deepfake Social Engineering: Cybercriminals will use AI to manipulate videos and audio for
scams.
 AI-Powered Malware: Self-learning malware that adapts and evades detection.

2. Quantum Computing and New Threats

 Breaking Encryption: Future quantum computers could break today's encryption methods,
making sensitive data vulnerable.
 New Cybersecurity Algorithms: Companies will need to develop post-quantum
cryptography to counteract threats.

3. Evolution of Ransomware and Cyber Extortion

 Ransomware attacks will become more targeted and destructive.
 Double Extortion: Hackers not only encrypt files but also threaten to leak stolen data.
 Ransomware-as-a-Service (RaaS): Cybercriminals will offer ready-made ransomware tools
for others to use.

4. IoT and Smart Device Exploitation

 5G and IoT Growth: More smart devices mean more potential vulnerabilities.
 Home Automation Attacks: Hackers may control smart homes and vehicles for ransom.

5. Metaverse and Virtual Crime

 Cybercriminals will find new ways to steal digital assets and identities in the metaverse.
 VR and AR Security Risks: Data from virtual reality devices can be hacked and misused.

6. Stronger Global Cybersecurity Measures

 Stricter Cyber Laws: Governments will introduce tougher regulations and penalties.
 Cybersecurity AI & Automation: AI-driven defense mechanisms will detect and respond to
threats faster.
 International Collaboration: Countries will need to work together to combat cyber warfare
and global cybercrime networks.

9|22CS6307 - CYBER FORENSICS AND INFORMATION SECURITY

Cyber Forensics: An Overview
🔍 What is Cyber Forensics?

Cyber Forensics, also known as Digital Forensics, is the process of collecting, analyzing, and
preserving digital evidence from electronic devices to investigate cybercrimes. It helps law
enforcement agencies and organizations detect, prevent, and prosecute cybercriminals.

📌 Steps in Cyber Forensic Investigation

1. Identification
 Detecting cybercrime incidents.
 Identifying affected digital devices (computers, mobile phones, networks, cloud storage).

2. Preservation
 Isolating and securing the compromised system.
 Creating a forensic image (exact copy) of the data to prevent tampering.

3. Collection
 Gathering evidence like log files, emails, deleted files, malware, metadata from devices.
 Using forensic tools to extract data safely.

4. Examination
 Analyzing system logs, emails, and network traffic.
 Identifying malicious files, unauthorized access, and hidden data.

5. Analysis
 Reconstructing events leading to the crime.
 Determining the source and method of attack.
 Establishing a timeline of activities.

6. Documentation & Reporting

 Preparing a detailed report of findings.
 Maintaining a chain of custody for legal proceedings.

7. Presentation
 Presenting evidence in court in a legally admissible format.
 Expert testimony by forensic investigators.

10 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
🔎 Types of Cyber Forensics

1. Computer Forensics
 Examining computer systems for malware, unauthorized access, deleted files, and
encryption.

2. Network Forensics
 Investigating cyberattacks by analyzing network logs, firewall records, and traffic
monitoring.

3. Mobile Forensics
 Extracting data from smartphones, SIM cards, and apps to trace cybercriminal activities.

4. Cloud Forensics
 Investigating data stored on cloud platforms (Google Drive, AWS, Azure) to detect data
breaches.

5. Database Forensics
 Analyzing databases, transactions, and logs to track fraud or unauthorized access.

6. Malware Forensics
 Identifying and analyzing viruses, ransomware, Trojans, and spyware used in cyberattacks.

🛠️ Forensic Tools & Techniques

🔹 Popular Cyber Forensic Tools

 Autopsy & Sleuth Kit – Open-source forensic software for disk imaging and file recovery.
 EnCase – Used for in-depth digital evidence collection and analysis.
 FTK (Forensic Toolkit) – Helps recover deleted files and analyze registry entries.
 Wireshark – Network packet analysis tool to detect cyber intrusions.
 Volatility – Memory forensics tool to detect malware in RAM.

🔹 Techniques Used

 Data Carving – Recovering deleted or hidden files.

 Steganography Analysis – Detecting hidden messages in images, videos, or audio.
 Hashing & Checksums – Ensuring data integrity by comparing file hashes.
 Log Analysis – Examining system and network logs to trace cybercriminals.

11 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
⚖️ Legal & Ethical Considerations in Cyber Forensics

 Chain of Custody – Ensuring digital evidence remains untampered.

 Data Privacy Laws – Adhering to GDPR, IT Act 2000, and Cyber Laws.
 Ethical Hacking & Investigation – Conducting forensic investigations within legal
boundaries.

🚀 Future of Cyber Forensics

 AI & Machine Learning in Forensics – Automating threat detection and analysis.

 Blockchain Forensics – Tracking cryptocurrency transactions in cybercrimes.
 Cloud & IoT Forensics – Investigating cyberattacks on smart devices and cloud platforms.

Steps in Forensic Investigation

A forensic investigation is a structured process used to collect, analyze, and present digital
evidence to support legal or security-related cases. Below are the key steps involved in digital
forensic investigations:

🔍 1. Identification

 Detecting the cybercrime incident.

 Identifying compromised systems, devices, or data.
 Determining the scope and impact of the security breach.

🔹 Example: Detecting unauthorized access to a company’s server.

📌 2. Preservation

 Securing and isolating affected systems to prevent further damage.

 Creating forensic copies (disk imaging) of digital evidence.
 Ensuring the chain of custody is maintained for legal proceedings.

🔹 Example: Taking a bit-by-bit copy of a suspect’s hard drive to prevent evidence tampering.

📂 3. Collection

 Extracting digital evidence from various sources:

o Computers, mobile devices, servers, network logs, cloud storage, etc.
 Gathering metadata, deleted files, logs, and encrypted data.
 Using forensic tools to collect unmodified evidence.

12 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
🔹 Example: Retrieving deleted emails from a suspect’s computer.

🕵️ 4. Examination

 Filtering and organizing collected data for further analysis.

 Recovering hidden, deleted, or encrypted files.
 Identifying malware, unauthorized access, or suspicious activity.

🔹 Example: Using Wireshark to examine network traffic logs for unusual connections.

📊 5. Analysis

 Reconstructing the sequence of events.

 Identifying who, what, when, where, and how the attack occurred.
 Correlating different data points to find patterns.

🔹 Example: Analyzing timestamps to determine when a hacker accessed the system.

📝 6. Documentation & Reporting

 Preparing a detailed forensic report with findings.

 Maintaining records of evidence, tools used, and investigative steps.
 Presenting conclusions in a format suitable for legal proceedings.

🔹 Example: Generating a forensic timeline showing the exact time of intrusion.

⚖️ 7. Presentation & Legal Proceedings

 Presenting evidence in court or to stakeholders.

 Providing expert testimony if needed.
 Ensuring evidence is legally admissible.

🔹 Example: A forensic investigator testifying in court about a cyber fraud case.

Forensic Examination Process

The Forensic Examination Process is a systematic approach used in digital forensics to
extract, analyze, and interpret digital evidence while ensuring its integrity and legal
admissibility. This process is crucial in cybercrime investigations, data breaches, and legal
proceedings.

13 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
🔍 Steps in the Forensic Examination Process

1️⃣ Preparation & Planning

 Understand the scope of the investigation.
 Identify the systems and devices involved.
 Determine the legal and procedural requirements.
 Select the appropriate forensic tools and techniques.

🔹 Example: A company suspects an insider data breach; forensic investigators plan to analyze
employee computers and network logs.

2️⃣ Data Acquisition (Evidence Collection)

 Secure and isolate the digital device to prevent tampering.
 Create a forensic image (exact copy) of the storage device.
 Use write-blockers to prevent modifications to original evidence.
 Maintain the chain of custody for legal integrity.

🔹 Example: Cloning a suspect’s hard drive using tools like FTK Imager or EnCase to
preserve data.

3️⃣ Data Examination & Recovery

 Extract and recover deleted, encrypted, or hidden files.
 Analyze log files, metadata, emails, and internet history.
 Perform keyword searches for relevant information.
 Use specialized tools to detect malware, ransomware, or suspicious files.

🔹 Example: Using Autopsy or Sleuth Kit to recover deleted emails in a fraud investigation.

4️⃣ Analysis & Correlation

 Establish a timeline of events based on timestamps.
 Correlate different data points to find relationships between files, users, and system activities.
 Use hashing techniques (SHA-256, MD5) to verify data integrity.
 Identify who, what, when, where, and how the incident occurred.

🔹 Example: Analyzing access logs to determine when an unauthorized user entered a system.

14 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
5️⃣ Documentation & Reporting
 Document all findings in a structured forensic report.
 Include screenshots, recovered files, and log analysis.
 Maintain detailed notes on investigative steps and tools used.
 Ensure the report is legally sound and understandable.

🔹 Example: Generating a timeline report showing when a hacker exfiltrated confidential data.

6️⃣ Presentation & Legal Considerations

 Present findings in court or legal proceedings.
 Provide expert testimony if needed.
 Ensure all evidence follows legal standards for admissibility.

🔹 Example: A forensic analyst testifying in court that a suspect deleted incriminating files
just before an arrest.

🛠️ Forensic Tools Used in Examination

 FTK (Forensic Toolkit) – File recovery and analysis

 Autopsy & Sleuth Kit – Open-source forensic analysis
 Wireshark – Network traffic monitoring
 Volatility – Memory (RAM) forensics
 EnCase – Comprehensive forensic imaging and analysis

⚖️ Importance of Forensic Examination

✅ Helps law enforcement solve cybercrimes

✅ Ensures legal admissibility of digital evidence
✅ Detects fraud, hacking, data breaches, and insider threats
✅ Maintains data integrity and authenticity

Types of Cyber Forensics (CF) Techniques

Cyber Forensics (CF) involves various techniques to collect, analyze, and preserve digital
evidence for legal and investigative purposes. Below are the major types of cyber forensic
techniques used in digital investigations:

15 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
1️⃣ Disk Forensics

🔹 Definition: Involves analyzing hard drives, SSDs, and other storage devices to retrieve
deleted, encrypted, or hidden files.

🔹 Key Techniques:

 Disk Imaging (creating exact copies of storage media)

 File System Analysis (analyzing FAT, NTFS, etc.)
 Deleted File Recovery (using forensic tools like FTK Imager)

🔹 Example: Recovering deleted emails from a suspect’s hard drive.

2️⃣ Network Forensics

🔹 Definition: Investigates network traffic to detect cyber threats, intrusions, and unauthorized
access.

🔹 Key Techniques:

 Packet Capture & Analysis (using Wireshark)

 Intrusion Detection System (IDS) Logs analysis
 IP Address Tracking & Correlation

🔹 Example: Analyzing a hacker's activities through server logs.

3️⃣ Memory (RAM) Forensics

🔹 Definition: Examines volatile memory (RAM) for active processes, encryption keys, and
malware footprints.

🔹 Key Techniques:

 Memory Dump Analysis (using Volatility)

 Detecting Running Processes
 Extracting Encryption Keys

🔹 Example: Identifying malware running in system memory.

4️⃣ Mobile Forensics

🔹 Definition: Recovers data from smartphones, tablets, and other mobile devices.

16 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
🔹 Key Techniques:

 SIM & Call Log Analysis

 Deleted Message & Chat Recovery
 GPS & Location Tracking

🔹 Example: Extracting WhatsApp messages from a suspect’s phone.

5️⃣ Cloud Forensics

🔹 Definition: Investigates cybercrimes involving cloud storage and cloud-based services.

🔹 Key Techniques:

 Cloud Log Analysis

 Multi-Tenant Data Tracking
 Data Synchronization Forensics

🔹 Example: Investigating unauthorized access to Google Drive or AWS accounts.

6️⃣ Email Forensics

🔹 Definition: Examines emails for phishing attacks, fraud, and insider threats.

🔹 Key Techniques:

 Header Analysis (checking sender, recipient, and routing path)

 Metadata & Attachment Inspection
 Spam & Phishing Detection

🔹 Example: Tracing the origin of a phishing email in a cyber fraud case.

7️⃣ Malware Forensics

🔹 Definition: Analyzes malicious software (malware, ransomware, viruses) to understand its

behavior and impact.

🔹 Key Techniques:

 Reverse Engineering (disassembling malware code)

 Sandbox Analysis (executing malware in an isolated environment)
 Signature-based & Behavioral Analysis

🔹 Example: Examining a ransomware attack on a corporate server.

17 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
8️⃣ IoT Forensics

🔹 Definition: Investigates security breaches in Internet of Things (IoT) devices like smart
cameras, home assistants, and industrial sensors.

🔹 Key Techniques:

 Firmware Analysis (checking device software for vulnerabilities)

 Network Traffic Monitoring
 Sensor Data Investigation

🔹 Example: Investigating unauthorized access to a smart home security system.

9️⃣ Social Media Forensics

🔹 Definition: Analyzes social media accounts for cyberbullying, online fraud, and identity
theft.

🔹 Key Techniques:

 Profiling & Timeline Analysis

 Post & Comment Metadata Extraction
 Deep Web & Dark Web Tracking

🔹 Example: Identifying cyberstalking activities through Facebook and Twitter logs.

Forensic Duplication and Investigation

Forensic duplication and investigation are critical steps in digital forensics to ensure data
integrity, evidence preservation, and accurate analysis during an investigation.

🔹 1. Forensic Duplication (Imaging)

📌 What is Forensic Duplication?

Forensic duplication, also known as disk imaging, is the process of creating an exact bit-by-
bit copy of digital evidence, such as hard drives, USBs, RAM, or cloud storage, while
ensuring that the original data remains unaltered.

🛠️ Key Techniques in Forensic Duplication

18 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
1️⃣ Physical Imaging – Capturing the entire disk, including deleted files and unallocated space.
2️⃣ Logical Imaging – Extracting only active and allocated files.
3️⃣ Live Imaging – Capturing memory (RAM) and running processes on a live system.
4️⃣ Hashing & Verification – Generating hash values (MD5, SHA-256) to ensure integrity.
5️⃣ Write-Blocking – Using hardware/software write blockers to prevent altering evidence.

🔧 Tools Used for Forensic Duplication

 FTK Imager – Creates forensic disk images.

 dd (Linux Command) – Performs raw disk duplication.
 Autopsy & Sleuth Kit – Open-source forensic imaging tools.
 EnCase – Enterprise-grade forensic tool.

🛑 Why is Forensic Duplication Important?

✅ Prevents tampering or corruption of original evidence.

✅ Allows multiple investigators to work on the same copy without altering the original.
✅ Ensures legal admissibility in court.

🔹 2. Forensic Investigation

📌 What is Forensic Investigation?

Forensic investigation is the process of analyzing duplicated evidence to uncover

cybercrimes, fraud, or security breaches.

🔍 Key Steps in Forensic Investigation

1️⃣ Identification – Identifying digital evidence sources (hard drives, emails, logs, etc.).
2️⃣ Data Extraction – Recovering files, deleted data, and logs.
3️⃣ Analysis – Examining timestamps, IP addresses, logs, and user actions.
4️⃣ Correlation – Linking multiple data sources to identify patterns.
5️⃣ Reporting – Documenting findings with legal reports.

🔧 Tools Used in Forensic Investigation

 Wireshark – Analyzing network traffic.

 Volatility – Extracting data from RAM.
 Autopsy – Recovering deleted files.
 Kali Linux Forensic Tools – Penetration testing & cyber investigations.

🚨 Example of a Forensic Investigation Case

Scenario: A company suspects insider data theft.

 Investigators create a forensic image of the employee's laptop.

19 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
  They analyze browser history, USB logs, and deleted files.
 They find evidence of unauthorized file transfers to an external drive.
 A detailed forensic report is submitted for legal action.

Forensics Technology and Systems

Forensics technology and systems play a crucial role in enabling digital forensics
professionals to efficiently collect, preserve, analyze, and report digital evidence. These
technologies help investigators detect, track, and understand cybercrimes, data breaches, and
other digital incidents.

🔹 1. Digital Forensic Tools

Digital forensic tools help professionals in data acquisition, analysis, and evidence
verification. They allow forensic investigators to extract information from storage devices,
memory, logs, and networks without altering the original evidence.

📌 Types of Forensic Tools

1.1. Imaging & Cloning Tools

 FTK Imager: A tool for creating bit-for-bit copies of data, preserving the original evidence's
integrity.
 dd (Linux): A command-line utility used for raw data copying and cloning.
 EnCase: An enterprise-level tool for creating, managing, and analyzing forensic images.

1.2. Data Recovery Tools

 R-Studio: Used for recovering deleted files from hard drives, USBs, or network storage
devices.
 Recuva: A tool for recovering deleted files from storage media.
 TestDisk: Open-source software for partition recovery and file retrieval.

1.3. Network Forensic Tools

 Wireshark: A network traffic analyzer that captures and inspects data packets.
 X1 Social Discovery: A tool for analyzing social media and online communications during
investigations.
 NetFlow Analyzer: Used for network traffic analysis to detect intrusions or data exfiltration.

🔹 2. Forensics Technology Systems

Forensic technology systems are specialized software and hardware platforms that integrate
various forensic tools to streamline the analysis and reporting of digital evidence.

20 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
📌 Types of Forensics Technology Systems

2.1. Forensic Workstations

 Description: A forensic workstation is a dedicated computer equipped with various forensic
tools for data collection, analysis, and reporting.
 Key Features:
o Write-blockers to prevent alteration of data.
o High-performance storage for storing large volumes of data.
o Security features to protect evidence integrity.
 Example Systems:
o Magnet Axiom: A system for advanced digital evidence analysis across computers,
mobile devices, and the cloud.
o Cellebrite UFED: A mobile forensic solution for data extraction and analysis from
smartphones and tablets.

2.2. Forensic Data Storage Systems

 Description: These systems store forensic images, recovered data, and reports in a secure and
easily accessible manner.
 Key Features:
o Encryption to protect sensitive data.
o Redundant storage to prevent data loss.
o Automated backup systems for ensuring data recovery.
 Example Systems:
o HPE Nimble Storage: An enterprise-level storage solution for secure digital evidence
management.
o Veritas NetBackup: A backup solution used in data retention during forensic
investigations.

2.3. Cloud Forensics Systems

 Description: Cloud forensics involves analyzing data stored in the cloud, such as emails, logs,
and user activities, especially with the rise of cloud computing.
 Key Features:
o Data acquisition tools for cloud-based data.
o Access control logs to track cloud service usage.
o Data migration tools for transferring cloud data to forensic systems.
 Example Systems:
o Oxygen Forensics Cloud Extractor: Extracts data from cloud storage and social
media accounts.
o Cloud Forensic Toolkit (CFT): A tool for extracting evidence from cloud
environments.

🔹 3. Forensic Databases & Repositories

Forensic investigators rely on databases and repositories to manage, analyze, and query large
amounts of digital evidence. These systems provide fast access to evidence and metadata,
aiding in the investigation process.

21 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
📌 Key Features of Forensic Databases

 Centralized evidence storage for all case files.

 Advanced search functions to query specific data, such as IP addresses, file names, and user
activity.
 Case management features to organize and track investigative progress.
 Example Systems:
o CASELOOK: A digital evidence repository that supports data storage and analysis
for law enforcement.
o X1 Investigator: A platform that searches and indexes large datasets for quick
forensic investigation.

🔹 4. Forensic Investigation Management Systems

These systems assist investigators in managing the entire process, from evidence collection to
reporting, in a structured and systematic manner.

📌 Key Features

 Case tracking and status updates.

 Automated report generation.
 Integration with other forensic tools.
 Example Systems:
o Cellebrite UFED integrates various tools for mobile device forensics.
o Magnet Axiom integrates data from multiple sources, including mobile devices,
computers, and cloud environments.

🔹 5. Forensic Cybersecurity Systems

These systems help in identifying cybercrime threats, malware, and vulnerabilities. They also
assist in intrusion detection and response.

📌 Key Features

 Real-time threat monitoring.

 Intrusion Detection Systems (IDS) to track unusual activity.
 Malware analysis and removal tools.
 Example Systems:
o CrowdStrike: A cloud-native endpoint protection platform for detecting threats.
o FireEye: A network security solution used to track and mitigate cyber threats.

Understanding Computer Investigation

A computer investigation is a systematic and methodical approach to identifying, collecting,
analyzing, and preserving digital evidence related to computer crimes, such as hacking, fraud,
or data theft. It involves the use of digital forensic techniques to gather and examine data

22 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
stored in or processed by computers and electronic devices to uncover criminal activity or
policy violations.

🔹 Key Aspects of Computer Investigation

📌 1. Types of Computer Crimes Investigated

1️⃣ Hacking and Unauthorized Access: Accessing systems, networks, or data without
permission.
2️⃣ Cyber Fraud and Identity Theft: Engaging in fraudulent activities, often involving
financial transactions or stealing personal information.
3️⃣ Data Theft: Stealing sensitive data, such as intellectual property, trade secrets, or
confidential documents.
4️⃣ Malware Distribution: Investigating the spread of malicious software such as viruses,
worms, or ransomware.
5️⃣ Child Exploitation and Pornography: Examining cases of illegal content involving minors.
6️⃣ Cyberbullying and Harassment: Digital harassment or bullying through platforms such as
social media or messaging apps.

📌 2. Computer Investigation Process

A computer investigation generally follows a structured process to ensure thoroughness and

maintain the integrity of the evidence:

2.1. Planning and Preparation

 Case Review: Understand the scope of the investigation and determine what to look for (e.g.,
logs, files, emails, etc.).
 Team Coordination: Involves assigning roles to different investigators and experts (e.g.,
forensic analysts, legal advisors).
 Legal Considerations: Ensure proper authorization and warrants (if necessary) for searching
and collecting evidence.

2.2. Evidence Collection

 Identifying Evidence: Locate relevant digital devices (computers, smartphones, external

storage devices, etc.) that may contain evidence.
 Data Acquisition: Use write-blockers to prevent any alteration of evidence during the
collection process. Forensic tools (e.g., FTK Imager, dd) are used to create bit-for-bit copies
(images) of the data.
 Chain of Custody: Maintain detailed records to document the movement and handling of
evidence to ensure admissibility in court.

23 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
2.3. Preservation of Evidence

 Forensic Imaging: Create exact copies (images) of digital storage devices to preserve original
evidence.
 Data Integrity: Use cryptographic hashing techniques (e.g., MD5, SHA-1) to verify that the
data hasn’t been altered during the investigation.
 Secure Storage: Store evidence in secure locations (e.g., encrypted storage) to protect its
confidentiality.

2.4. Analysis

 File Recovery: Use forensic tools to recover deleted files, data fragments, and hidden files that
may be relevant to the investigation.
 Data Interpretation: Analyze recovered data for signs of criminal activity, such as
unauthorized access, email correspondence, and malware.
 Log Analysis: Review system and network logs to trace the actions of the perpetrator and
identify key evidence, such as login attempts or data transfers.
 Password Cracking: If necessary, forensic tools like John the Ripper can be used to recover
encrypted or password-protected files.

2.5. Reporting and Documentation

 Creating a Forensic Report: Document the findings of the investigation, including evidence
collected, analysis performed, and conclusions.
 Presentation of Findings: Present the results in a clear, concise manner suitable for both
technical and non-technical audiences, including stakeholders or legal authorities.
 Court Testimony: Forensic experts may be required to testify about their findings in legal
proceedings.

📌 3. Tools and Techniques Used in Computer Investigation

3.1. Forensic Tools

 EnCase: A powerful forensic tool for disk imaging, analysis, and reporting.
 FTK (Forensic Toolkit): Used for disk analysis, file carving, and keyword searching.
 X1 Social Discovery: A tool to analyze social media content and online communications.
 Volatility: A tool for memory analysis and capturing live evidence from RAM.
 Wireshark: Network analysis tool used to monitor and capture network traffic for cybercrime
investigations.

3.2. Techniques

 Data Carving: Recovering fragmented files from unallocated space on a disk.

 Steganography Analysis: Detecting hidden data or messages in images, audio, or other file
formats.
 Rootkit Detection: Identifying malware that hides its presence on a system.

📌 4. Challenges in Computer Investigation

24 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
4.1. Volatility of Evidence

 Digital evidence can change or disappear quickly (e.g., logs overwritten, files deleted, cloud-
based data automatically syncing), which can affect its integrity if not collected in time.

4.2. Encryption and Password Protection

 Encrypted data and password-protected files can be a barrier to investigators. Techniques

like password cracking or using decryption tools are often needed, but may not always be
successful.

4.3. Large Data Volumes

 Digital investigations often deal with massive amounts of data from multiple devices, making
it challenging to identify relevant evidence.

4.4. Privacy Concerns

 Investigators must respect privacy laws and protect sensitive personal information. They
need to follow legal protocols to ensure compliance with data protection laws (e.g., GDPR,
HIPAA).

4.5. Evolving Technology

 Rapid advancements in technology, including cloud storage, mobile apps, and encryption
techniques, make it difficult to stay up-to-date with the latest tools and strategies for computer
investigations.

🔹 5. Legal and Ethical Considerations in Computer Investigation

 Warrants and Authorization: Investigators must ensure they have the proper legal authority
(search warrants or consent) before collecting evidence.
 Chain of Custody: Maintain an unbroken chain of custody to ensure evidence is admissible
in court.
 Data Privacy Laws: Comply with national and international data privacy laws and regulations
to protect individuals' privacy rights.
 Ethical Considerations: Investigators must act in an ethical manner, ensuring that the
investigation is impartial and does not violate civil liberties.

Data Acquisition in Computer Forensics

Data acquisition in the context of computer forensics refers to the process of collecting digital
evidence from computers, mobile devices, storage media, or network environments in a
forensically sound manner. This ensures the integrity of the data is maintained throughout the
collection process and is admissible in a court of law.

25 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
🔹 Key Principles of Data Acquisition

📌 1. Forensic Integrity

The most critical principle is to ensure that the data is collected without altering, modifying, or
damaging it. This is achieved using tools like write-blockers and following protocols that
maintain the integrity of the evidence.

📌 2. Chain of Custody

The chain of custody is a documentation system that tracks the evidence's handling, from
collection through analysis and presentation. Each time evidence is handled or transferred, it is
logged to ensure its integrity and authenticity.

📌 3. Preservation of Data

Preserving the original data is crucial. Investigators make bit-for-bit copies of the storage
media, which ensures that the original evidence remains intact and can be used for further
analysis.

🔹 Types of Data Acquisition Methods

📌 1. Live Data Acquisition

Live acquisition refers to collecting data from a running system while it is powered on. This
method is typically used when the evidence exists in volatile memory (e.g., RAM) or when live
network data is relevant.

Key Considerations for Live Acquisition

 RAM Analysis: Collecting volatile data (e.g., running processes, open files, network
connections) from a computer's RAM can provide evidence of current activities, such as
malware infections or network intrusions.
 System State: Ensure that the system is not tampered with during data collection. Special tools
(e.g., FTK Imager, X1 Social Discovery) allow live data acquisition without altering the
evidence.
 Preserving Volatile Evidence: Volatile evidence is time-sensitive and may be lost if not
collected immediately.

Live Data Tools

 FTK Imager
 X1 Social Discovery
 Helix3: Used for acquiring live data from running systems.

📌 2. Static Data Acquisition

26 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
Static acquisition involves collecting data from powered-off devices, such as hard drives,
USB sticks, or CD/DVDs. This method is typically used to acquire data that is stored on non-
volatile storage media.

Key Considerations for Static Acquisition

 Write-Blocking Devices: Before starting the acquisition, forensic investigators use write-
blockers to ensure that no data is written to the storage media while it is being acquired.
 Data Integrity: Investigators create a forensic image (a bit-for-bit copy) of the storage media,
which is later analyzed to extract relevant information.
 Data Recovery: Static acquisition tools can be used to recover deleted or hidden data.

Static Data Tools

 dd (Linux): A popular tool for creating exact copies of data in forensic investigations.
 EnCase: A comprehensive tool for disk imaging and analysis.
 FTK Imager: A tool used for creating forensic images of storage media, including hard
drives, mobile devices, and cloud storage.

🔹 Types of Digital Evidence Collected During Acquisition

📌 1. File Systems and Data

 File Metadata: Date created, modified, accessed, etc.

 Deleted Files: Recovered deleted files, even if they are no longer visible to the user.
 File Fragments: Pieces of files that can be reconstructed.
 Hidden Files: Files that are concealed using techniques like steganography.

📌 2. Memory (RAM) Data

 Processes and Applications: Running processes and programs, including malware.

 Encryption Keys: Cryptographic keys that may be stored in memory.
 Network Connections: Details about current network activity, such as open ports or active
connections.

📌 3. Log Files

 System Logs: Event logs, access logs, and security logs from the operating system and
applications.
 Network Logs: Logs showing network traffic, access times, and data transfers.

📌 4. Mobile Devices Data

 SMS/MMS: Text messages, including multimedia messages.

 Call Logs: Outgoing and incoming calls, with timestamps.
 Location Data: GPS or cell tower data that can show the physical location of the device.

27 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
🔹 Forensic Acquisition Tools

Forensic tools are critical in ensuring that the acquisition process is performed in a forensically
sound manner, allowing the evidence to remain intact for further analysis. Here are some
widely used tools for data acquisition:

📌 1. FTK Imager

A well-known forensic tool used for acquiring bit-for-bit copies of storage media and creating
forensic images. FTK Imager supports file previews, hashing, and evidence preservation.

📌 2. EnCase

EnCase is a comprehensive forensic toolset used for data collection, analysis, and reporting.
It supports acquisition from various devices and can create forensic images of storage devices.

📌 3. X1 Social Discovery

Primarily used for social media and cloud data acquisition. It is designed to acquire digital
evidence from a variety of platforms, including Facebook, Twitter, and Google accounts.

📌 4. Write Blockers

Hardware tools like Wiebetech's Forensic Duplicator or Logicube's Forensic Field Kit are
used to block write access to the evidence device while the acquisition is taking place.

📌 5. FTK (Forensic Toolkit)

A toolkit that allows investigators to acquire, analyze, and report on digital evidence from a
variety of devices. It has integrated tools for file recovery, evidence acquisition, and
investigation reporting.

🔹 Challenges in Data Acquisition

📌 1. Data Volatility

Certain data types, such as those stored in RAM, are highly volatile and will be lost once the
system is powered off. Live acquisition is necessary to preserve this type of evidence.

📌 2. Encryption

Encrypted devices and files pose a challenge in data acquisition, requiring special decryption
techniques or access credentials.

📌 3. Large Data Volumes

28 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
With modern systems storing vast amounts of data, acquiring and processing it efficiently
becomes a challenge. Forensic investigators need tools capable of handling large-scale data.

📌 4. Privacy and Legal Considerations

It is critical to ensure that the data acquisition process complies with local laws, including
privacy laws such as GDPR and HIPAA, to prevent the unintentional exposure of personal or
privileged data.

29 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
 UNIT II - EVIDENCE COLLECTION AND FORENSICS TOOLS

Processing Crime and Incident Scenes – Digital Evidence - Sources of Evidence -Working with
File Systems. - Registry - Artifacts - Current Computer Forensics Tools: Software/ Hardware
Tools- Forensic Suite - Acquisition and Seizure of Evidence from Computers and Mobile Devices -
Chain of Custody- Forensic Tools

Processing Crime and Incident Scenes in Digital Forensics

When dealing with a digital crime or security incident, investigators follow a structured
approach to collect, analyze, and preserve digital evidence. The goal is to ensure that
evidence remains authentic, admissible in court, and untampered throughout the
investigation process.

1. Steps in Processing a Crime/Incident Scene

Step 1: Securing and Documenting the Scene

 Ensure the crime scene is safe and prevent unauthorized access.

 Identify potential digital evidence, such as computers, USB drives, mobile phones, CCTV
footage, and cloud accounts.
 Document the scene with photos, notes, and a chain of custody log to track evidence
handling.
 Prevent data tampering by using write-blockers or forensic imaging tools.

Step 2: Identifying and Collecting Digital Evidence

 Types of digital evidence include:

o Hard drives, SSDs, and USB devices.
o Cloud storage accounts like Google Drive and Dropbox.
o Network logs, firewall logs, and router configurations.
o Mobile phone data (call logs, messages, social media activity).
 Forensic imaging:
o Instead of working on the original device, investigators create a forensic copy (bit-
by-bit image).
o Tools like FTK Imager, EnCase, and dd (Linux) are used for imaging.
o To ensure integrity, investigators verify files using hash functions (MD5, SHA-256).

Step 3: Preserving Digital Evidence

 Use write blockers to prevent accidental modifications.

 Store evidence securely, using encryption when necessary.
 Maintain a detailed chain of custody to track who handled the evidence and when.

Step 4: Analysis and Investigation

 File System Analysis:

30 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
 o Recover deleted files, analyze timestamps, and detect hidden files.
o Look for system logs, malware traces, and unauthorized access.
 Memory Forensics:
o Capture RAM dumps to analyze running processes and open network connections.
 Network Forensics:
o Examine network traffic, Wi-Fi logs, and packet captures (PCAP files).

Step 5: Reporting and Legal Considerations

 Prepare a forensic report with findings, timestamps, and logs.

 Present findings in court, ensuring compliance with digital forensics standards.
 Follow relevant cyber laws like the IT Act, GDPR, or CFAA.

2. Key Challenges in Processing Digital Evidence

 Encryption and Password Protection: Locked devices require specialized decryption

techniques.
 Data Volatility: RAM data disappears after power loss, making timely collection crucial.
 Cloud Storage: Evidence stored remotely may require legal requests for access.
 Anti-Forensics: Criminals may use tools to erase or modify evidence traces.

3. Tools Used in Digital Crime Scene Processing

 Disk Imaging: FTK Imager, Autopsy, dd (Linux).

 Memory Forensics: Volatility, Redline.
 Network Analysis: Wireshark, Snort (Intrusion Detection System).
 Mobile Forensics: Cellebrite UFED, Oxygen Forensic Suite.

Digital Evidence in Cyber Forensics

Digital Evidence refers to any information stored or transmitted in digital form that can
be used in legal investigations. It is crucial in cybercrime cases, fraud detection, and forensic
investigations.

1. Characteristics of Digital Evidence

 Volatile – Can be altered or deleted easily.

 Intangible – Exists in electronic form (files, logs, emails).
 Duplicable – Can be copied without affecting the original.
 Time-sensitive – Some data (RAM, network logs) disappear quickly.
 Requires Authentication – Hash values (MD5, SHA-256) verify integrity.

31 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
2. Types of Digital Evidence

a) Computer-Based Evidence

 Hard drives (HDD, SSD)

 Deleted files and metadata
 System logs and event logs
 Software and program traces

b) Mobile Device Evidence

 Call logs and messages

 GPS location history
 Installed apps and browsing history
 Cloud backups (Google Drive, iCloud)

c) Network Evidence

 Packet captures (PCAP files)

 Router logs, firewall logs
 VPN usage records
 Wi-Fi connection history

d) Cloud & Online Evidence

 Social media posts (Facebook, Instagram, Twitter)

 Email communication (Gmail, Outlook)
 Cloud storage data (Google Drive, Dropbox)
 Digital transactions and cryptocurrencies

e) IoT and Emerging Evidence Sources

 Smart home devices (Alexa, Google Home)

 Wearables (smartwatches, fitness trackers)
 Surveillance systems (CCTV, smart doorbells)

3. Collection and Preservation of Digital Evidence

Step 1: Identification

 Locate potential evidence sources.

 Secure and isolate the device/network.

Step 2: Collection

 Use write-blockers to prevent data modification.

32 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
  Create forensic images (bit-by-bit copies).
 Record metadata (timestamps, file paths).

Step 3: Preservation

 Store evidence securely using encryption.

 Maintain a chain of custody document.

Step 4: Analysis

 Recover deleted data using forensic tools.

 Examine logs for suspicious activity.
 Detect unauthorized access or malware.

Step 5: Documentation and Reporting

 Prepare a forensic report with findings.

 Ensure data is admissible in court.

4. Tools for Digital Evidence Analysis

Computer Forensics Tools

 Autopsy – Open-source forensic suite.

 EnCase – Industry-standard forensic tool.
 FTK (Forensic Toolkit) – File recovery and password cracking.

Network Forensics Tools

 Wireshark – Captures and analyzes network packets.

 Snort – Intrusion detection system.

Memory Forensics Tools

 Volatility – RAM analysis and process tracking.

 Redline – Malware and live memory investigation.

Mobile Forensics Tools

 Cellebrite UFED – Extracts data from mobile devices.

 Oxygen Forensics – Mobile and cloud data analysis.

5. Challenges in Handling Digital Evidence

 Encryption and Password Protection – Locked devices require decryption techniques.

 Data Tampering – Attackers may modify logs or erase files.

33 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
  Cloud-Based Evidence – Requires legal access requests.
 Jurisdiction Issues – Data stored in different countries complicates investigations.

6. Legal Considerations for Digital Evidence

 Admissibility in Court – Must follow forensic procedures to be valid.

 Compliance with Cyber Laws
o IT Act (India)
o GDPR (Europe)
o CFAA (USA)
 Chain of Custody – Ensures evidence integrity and authenticity.

Sources of Digital Evidence in Cyber Forensics

Digital evidence comes from various sources, ranging from computer systems to cloud
storage and IoT devices. Understanding these sources helps investigators identify, collect,
and analyze evidence effectively in cybercrime cases.

1. Categories of Digital Evidence Sources

A. Computer-Based Evidence

Digital devices store vast amounts of data that can be crucial in an investigation.
Common sources include:

 Hard Drives & SSDs – Stores system files, documents, and logs.
 Deleted Files & Metadata – Can reveal hidden or erased information.
 Windows Registry – Tracks installed programs, USB connections, and user activity.
 Log Files & Event Logs – Records system errors, user logins, and application usage.
 Clipboard & Temporary Files – May contain sensitive copied data.

B. Mobile Device Evidence

Smartphones and tablets store personal and communication data.

Key sources include:

 Call Logs & Contacts – Record of incoming, outgoing, and missed calls.
 Text Messages & IM Apps – WhatsApp, Telegram, Signal chats.
 Location Data (GPS History) – Tracks a user’s movements.
 Installed Applications – Banking, social media, and encrypted messaging apps.
 Cloud Backups (Google Drive, iCloud) – Stores files, photos, and app data remotely.

C. Network-Based Evidence

34 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
Network activity leaves traces that can be analyzed for forensic purposes.
Important sources include:

 Router Logs – Contains IP addresses, MAC addresses, and connection timestamps.

 Firewall Logs – Tracks blocked and allowed network traffic.
 Packet Captures (PCAP Files) – Captures real-time data packets using tools like Wireshark.
 VPN & Proxy Logs – Helps track users trying to mask their identity.
 Email Servers – Stores sent, received, and deleted emails.

D. Cloud & Online Services

Cloud storage and web-based applications hold digital evidence that may be difficult to
access.
Primary sources include:

 Cloud Storage (Google Drive, Dropbox, OneDrive) – Contains files, backups, and logs.
 Social Media (Facebook, Instagram, Twitter, LinkedIn) – Posts, messages, and shared
media.
 Email Accounts (Gmail, Outlook, Yahoo) – Inbox, spam folder, and metadata.
 Online Transactions (PayPal, Bitcoin, Banking Apps) – Transaction records, fraud activity.
 Remote Desktop Services (RDP, SSH Logs) – Evidence of unauthorized access or hacking
attempts.

E. Internet of Things (IoT) Devices

IoT devices continuously collect and transmit data, which can be used as evidence.
Notable sources include:

 Smart Home Assistants (Alexa, Google Home) – Voice commands and activity logs.
 Smartwatches & Fitness Trackers – Step count, heart rate, GPS location.
 CCTV & Security Cameras – Video footage with timestamps.
 Smart Cars (GPS, Black Box Data) – Records speed, navigation routes, and driver activity.

2. How Investigators Use These Sources

Investigators analyze digital evidence to:

✅ Track cybercriminal activities (hacking, fraud, identity theft).
✅ Reconstruct timelines of events based on log data.
✅ Identify communication between suspects.
✅ Retrieve deleted or hidden files.
✅ Prove or disprove alibis using GPS and call logs.

3. Challenges in Collecting Digital Evidence

 Encryption & Password Protection – Many files and devices are locked.
 Data Volatility – RAM and network data can disappear quickly.

35 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
  Cloud Jurisdiction Issues – Data stored in different countries requires legal procedures.
 Tampering & Anti-Forensics – Attackers may erase logs, modify timestamps, or use
steganography.

4. Tools for Collecting Digital Evidence

 Disk Imaging – FTK Imager, Autopsy, dd (Linux).

 Network Forensics – Wireshark, Snort (IDS).
 Memory Forensics – Volatility, Redline.
 Mobile Forensics – Cellebrite UFED, Oxygen Forensic Suite.

Working with File Systems in Digital Forensics

A file system is the method used by an operating system to store, retrieve, and organize files
on a storage device. Understanding how file systems work is crucial in digital forensics, as
different file systems store data differently and have unique forensic implications.

1. Common File Systems and Their Forensic Importance

A. Windows File Systems

1. FAT (File Allocation Table) – FAT12, FAT16, FAT32, exFAT

 Used in USB drives, memory cards, older Windows systems.

 Simple structure, but lacks file journaling and security features.
 Deleted files can be easily recovered unless overwritten.

2. NTFS (New Technology File System)

 Default file system for modern Windows OS.

 Supports file journaling, permissions, encryption (EFS).
 Stores metadata in Master File Table (MFT), useful in forensics.
 Shadow Copies & Change Journals help in tracking file modifications.

B. Linux File Systems

1. Ext (Ext2, Ext3, Ext4)

 Ext4 is the most common Linux file system.

 Uses journaling, which helps in recovering deleted files.
 Stores metadata in inodes, crucial for tracking file history.

2. XFS and Btrfs

36 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
  Advanced Linux file systems with snapshot and compression features.
 Btrfs stores multiple copies of metadata, making it resilient to corruption.

C. MacOS File Systems

1. HFS+ (Hierarchical File System Plus)

 Older MacOS file system, now replaced by APFS.

 Supports journaling but lacks modern security features.

2. APFS (Apple File System)

 Default for modern macOS, iPhones, and iPads.

 Uses snapshots, encryption, and space-sharing between volumes.
 More difficult to recover deleted files due to SSD encryption and TRIM.

D. Other File Systems

 ReFS (Resilient File System) – Used in Windows Servers, resistant to corruption.

 ISO 9660 / UDF – Used in CDs, DVDs, and Blu-ray discs.
 ZFS – Advanced file system with built-in error correction and snapshots.

2. Digital Forensic Techniques for File Systems

A. File Recovery and Analysis

 Recover deleted files from NTFS, Ext4, FAT, and HFS+ using forensic tools.
 Examine metadata (timestamps, file attributes) to reconstruct file history.
 Identify hidden, encrypted, or corrupted files.

B. Journaling and Log Analysis

 NTFS Change Journal tracks file modifications.

 Ext3/Ext4 journals can help recover partially deleted files.
 HFS+ journaling assists in tracking file system changes.

C. Master File Table (MFT) Analysis (NTFS)

 MFT contains metadata for every file, including deleted files.

 Forensic tools can extract MFT records to recover lost data.

D. Inode Analysis (Ext File System)

 Inodes store file attributes, size, and location.

37 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
  Deleted files may still have intact inode information.

E. SSD and TRIM Challenges

 TRIM commands erase deleted data permanently on SSDs.

 File recovery is harder compared to HDDs due to wear-leveling algorithms.

3. Tools for File System Forensics

 Autopsy / Sleuth Kit – Open-source forensic suite for NTFS, FAT, Ext, HFS+.
 FTK Imager – Disk imaging and file recovery.
 EnCase – Commercial tool for deep forensic analysis.
 TestDisk – Recovers lost partitions and deleted files.
 PhotoRec – Specializes in recovering photos and multimedia files.

4. Challenges in File System Forensics

 Encryption – APFS, BitLocker, and LUKS can make data inaccessible.

 SSD TRIM Commands – Permanently erases deleted files.
 Anti-Forensic Techniques – File wiping, steganography, and data obfuscation.
 Cloud Storage – Files may be stored remotely, complicating acquisition.

Windows Registry in Digital Forensics

The Windows Registry is a centralized database that stores system settings, user
preferences, application data, and hardware configurations. In digital forensics, it is a critical
source of evidence as it logs user activity, connected devices, installed software, and more.

1. Structure of the Windows Registry

The Registry consists of five main hives, each storing specific information:

Hive Name Location Purpose

Stores file
HKEY_CLASSES_ROOT SYSTEM\CurrentControlSet\Control\Session
Manager
associations and
(HKCR)
COM objects.

HKEY_CURRENT_USER Stores settings

[Link] for the logged-in
(HKCU)
user (recent files,

38 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
 Hive Name Location Purpose

network shares,
etc.).

Contains system-
HKEY_LOCAL_MACHINE wide settings,
SYSTEM, SAM, SECURITY, SOFTWARE
(HKLM) drivers, installed
programs.

Stores settings
HKEY_USERS (HKU) C:\Users\Username\[Link] for all users on
the system.

Stores hardware
HKEY_CURRENT_CONFIG
Dynamic (not stored in a file) and driver
(HKCC)
settings.

2. Important Registry Keys in Digital Forensics

A. User Activity and Login Information

 Last Login Time:

o HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\L
ogonUI
 User Account Names:
o HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
 Recently Accessed Files:
o HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentD
ocs
 Typed URLs (Internet Explorer & Edge):
o HKCU\Software\Microsoft\Internet Explorer\TypedURLs

B. USB Device and External Storage History

 Connected USB Devices:

o HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
 Mounted Devices (Drive Letters):
o HKLM\SYSTEM\MountedDevices
 Last Connected Time for USBs:
o HKLM\SYSTEM\CurrentControlSet\Enum\USB

C. Installed and Executed Applications

 Installed Software List:

o HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
 Recently Opened Programs (RunMRU):
o HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
 Programs Set to Run at Startup:
o HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

39 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
D. Network and Internet Forensics

 Wi-Fi Connection History:

o HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces
 MAC Address and IP Information:
o HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfa
ces
 VPN and Proxy Settings:
o HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings

3. How Investigators Use Registry Data

✅ Track User Login and Logout Activity – Identify active accounts and last login times.
✅ Detect File and Program Usage – Analyze recent documents and executed programs.
✅ Investigate USB and External Device Use – Find evidence of data transfer.
✅ Analyze Internet and Network History – Recover browsing history, Wi-Fi connections,
and VPN use.
✅ Check Malware and Persistence Mechanisms – Locate registry entries modified by
malware.

4. Tools for Windows Registry Forensics

Tool Name Purpose

Regedit (Built-in) Manually view and edit the Windows Registry.

RegRipper Extract and analyze forensic registry data.

FTK Imager Extract registry hives for offline analysis.

Autopsy/Sleuth Kit Analyze Windows Registry as part of forensic imaging.

Registry Explorer (Eric Zimmerman’s Tool) Advanced registry analysis with timestamp extraction.

5. Challenges in Registry Forensics

 Registry Modification by Malware – Attackers may alter keys to hide traces.

 Data Tampering – Logs can be deleted, but some traces may remain in system backups.
 Encrypted Registry Data – Some sensitive registry keys may be encrypted.
 Live vs. Offline Analysis – Investigators must decide whether to analyze a system live or
extract registry files for offline examination.

40 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
6. Legal and Forensic Considerations

 Ensure Chain of Custody – Maintain logs of registry file extractions.

 Verify Integrity – Use hash values (MD5, SHA-256) to confirm no alterations.
 Follow Legal Compliance – Ensure digital evidence is collected lawfully (GDPR, IT Act, CFAA).

Artifacts in Digital Forensics

Digital artifacts are pieces of data left behind by user activities, applications, or system
processes. These artifacts help forensic investigators track user behavior, data access,
program execution, and external device usage.

1. Types of Digital Artifacts

A. User Activity Artifacts

Artifacts that record user interactions with the system, applications, and files.

 Recent Documents & Files – C:\Users\Username\Recent

 Clipboard Data – HKEY_CURRENT_USER\Software\Microsoft\Clipboard
 Recycle Bin Records – C:\$[Link]
 Prefetch Files (.pf) – Tracks recently executed programs (C:\Windows\Prefetch)
 LNK Files (Shortcuts) – Keeps metadata about accessed files

B. Internet and Browser Artifacts

Web browsing history, cookies, cache, and saved passwords.

 Browsing History – Chrome (History file in SQLite DB), Firefox ([Link])

 Cookies – C:\Users\Username\AppData\Local\Google\Chrome\User
Data\Default\Cookies
 Cache & Temporary Internet Files – C:\Users\Username\AppData\Local\Temp
 DNS Cache – Tracks domain name resolutions (ipconfig /displaydns)

C. Network and Communication Artifacts

Logs of network connections, Wi-Fi usage, and communication apps.

 Wi-Fi Connection History –

HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces
 IP Address and MAC Logs –
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
 Chat Logs (WhatsApp, Telegram, Signal) – Stored in app-specific databases ([Link]
for WhatsApp)

D. USB and External Device Artifacts

41 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
Evidence of USB storage, external hard drives, and connected devices.

 USB Connection History – HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR

 Mounted Drives – HKLM\SYSTEM\MountedDevices
 Last Accessed Removable Storage –
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR

E. System and Application Artifacts

Artifacts related to operating system logs, startup applications, and software usage.

 Windows Event Logs – C:\Windows\System32\winevt\Logs\

 Installed Applications –
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
 Startup Programs – HKCU\Software\Microsoft\Windows\CurrentVersion\Run

F. Mobile Device Artifacts

Digital evidence found on smartphones and tablets.

 Call Logs & Contacts – Stored in SQLite databases.

 SMS & Messaging Apps – Found in [Link] for WhatsApp, Telegram cache.
 Location Data (GPS History) – Google Maps Timeline, [Link] (iOS).

2. How Digital Artifacts Help in Investigations

✅ Determine user actions – Opened files, executed programs, deleted items.

✅ Track browsing and communication history – Websites visited, chat logs, emails.
✅ Identify external devices used – USB history, mounted drives.
✅ Reconstruct events from log files – Startup sequences, crashes, security logs.
✅ Recover deleted data – From Recycle Bin, registry hives, and forensic imaging.

3. Tools for Analyzing Artifacts

Tool Name Purpose

Autopsy / Sleuth Kit File system analysis, artifact extraction.

FTK Imager Image and registry analysis.

RegRipper Windows Registry artifact extraction.

Volatility Memory forensics (RAM dump analysis).

Wireshark Network traffic analysis.

Bulk Extractor Extracts emails, credit card numbers, URLs from raw data.

42 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
4. Challenges in Digital Artifact Analysis

 Encrypted Artifacts – Some logs and app data are encrypted.

 Anti-Forensics Techniques – Attackers may wipe logs, use steganography.
 Cloud Storage – Many artifacts are stored remotely (Google Drive, iCloud).
 Time Stamping Issues – Some artifacts may have manipulated timestamps.

Current Computer Forensics Tools: Software & Hardware

Computer forensics tools are essential for collecting, analyzing, and preserving digital
evidence from computers, mobile devices, and networks. These tools can be broadly
categorized into software tools (used for forensic analysis) and hardware tools (used for
data acquisition and recovery).

1. Software Tools for Computer Forensics

Forensic software tools help investigators analyze hard drives, recover deleted data,
examine registry entries, and track user activities.

A. Disk Imaging and Data Recovery Tools

These tools create forensic copies of storage devices to ensure the original data remains
unaltered.

Tool Name Purpose

FTK Imager Creates forensic images of hard drives, USBs, and memory dumps.

Autopsy (Sleuth
Open-source tool for disk analysis, file recovery.
Kit)

Commercial tool for creating images, recovering files, and analyzing digital
EnCase Forensic
evidence.

dd / dcfldd Command-line Linux tools for bit-by-bit disk imaging.

OSForensics Finds deleted files, extracts browser history, and analyzes disk images.

B. Memory Forensics Tools (RAM Analysis)

RAM forensics helps in extracting active processes, passwords, encryption keys, and
malware traces.

43 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
 Tool Name Purpose

Volatility Open-source memory forensics tool for analyzing RAM dumps.

Belkasoft RAM Capture Captures live memory for forensic analysis.

Rekall Framework Advanced memory forensic analysis tool.

C. Network Forensics Tools

These tools help monitor and analyze network traffic for signs of malicious activity or
unauthorized access.

Tool Name Purpose

Wireshark Captures and analyzes network packets.

NetworkMiner Extracts files, credentials, and metadata from network traffic.

Xplico Reconstructs network sessions (emails, VoIP calls, web pages).

D. Windows Registry and Artifact Analysis Tools

The Windows registry and system artifacts store crucial evidence about user activity,
connected devices, and application usage.

Tool Name Purpose

RegRipper Extracts and analyzes forensic data from the Windows Registry.

Registry Explorer Advanced registry analysis with timestamp extraction.

ShellBags Explorer Analyzes Windows ShellBag artifacts to track file and folder access.

E. Mobile Device Forensics Tools

These tools help extract SMS, call logs, app data, and deleted files from mobile phones and
tablets.

Tool Name Purpose

Cellebrite UFED Industry-standard tool for mobile data extraction.

MOBILedit Forensic Extracts phone contacts, messages, and call logs.

44 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
 Tool Name Purpose

Magnet AXIOM Recovers mobile and computer data, cloud storage logs.

Oxygen Forensic Suite Analyzes data from iOS, Android, and cloud services.

F. Password Cracking and Decryption Tools

These tools help recover encrypted data, passwords, and locked accounts.

Tool Name Purpose

John the Ripper Brute-force and dictionary attack password cracking.

Hashcat GPU-based password recovery tool.

Ophcrack Recovers Windows passwords from hashed data.

Elcomsoft Forensic Suite Recovers passwords from mobile and cloud data.

2. Hardware Tools for Computer Forensics

Forensic hardware tools are designed for safe data acquisition, analysis, and recovery from
various digital devices.

A. Write Blockers (Prevent Data Tampering)

Write blockers ensure that data from storage devices can be accessed without modifying
the original evidence.

Tool Name Purpose

Tableau Forensic Bridge (T8-R2) Hardware write blocker for HDDs and SSDs.

CRU WiebeTech USB WriteBlocker USB device forensic write blocker.

B. Data Recovery and Imaging Devices

These tools assist in cloning, repairing, and extracting data from damaged or encrypted
storage media.

Tool Name Purpose

Logicube Falcon-NEO High-speed forensic disk imaging device.

45 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
 Tool Name Purpose

Atola Insight Forensic Data recovery from damaged hard drives.

DeepSpar Disk Imager Recovers data from failing or bad-sector hard drives.

C. Mobile Forensics Hardware

Specialized hardware for extracting and analyzing data from smartphones, SIM cards, and
GPS devices.

Tool Name Purpose

Cellebrite Touch2 Mobile phone data extraction and forensic analysis.

XRY Mobile Device Kit Extracts call logs, SMS, and app data from mobile devices.

Paraben Device Seizure Mobile forensics hardware for extracting data from locked phones.

D. Live Forensics and Incident Response Kits

These tools allow on-the-spot forensic analysis without shutting down the system.

Tool Name Purpose

Remote forensic data acquisition over

F-Response
networks.

Kali Linux Forensic Mode Bootable Linux OS with forensic tools.

Caine (Computer Aided Investigative

Linux forensic toolkit for live investigations.
Environment)

3. Challenges in Using Forensic Tools

 Data Encryption & Anti-Forensics – Attackers may use BitLocker, VeraCrypt, or Tails OS to
hide data.
 Cloud Storage & Remote Evidence – Cloud data acquisition requires legal authorization.
 SSD TRIM & Data Loss – Deleted files on SSDs may be permanently erased.
 Steganography & Hidden Files – Malicious actors may hide data within images or videos.
 Time-Sensitive Evidence – RAM and volatile data require immediate acquisition before
power loss.

46 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
4. Choosing the Right Forensic Tool

🔹 For Disk Imaging → FTK Imager, EnCase

🔹 For Memory Analysis → Volatility, Rekall
🔹 For Network Forensics → Wireshark, NetworkMiner
🔹 For Mobile Forensics → Cellebrite, Oxygen Forensics
🔹 For Registry & Windows Artifacts → RegRipper, ShellBags Explorer

Forensic Suite in Digital Forensics

A Forensic Suite is a collection of multiple forensic tools bundled together to assist

investigators in digital forensics. These suites provide a comprehensive solution for data
acquisition, analysis, recovery, and reporting.

Forensic suites typically include tools for:

✔ Disk Imaging & Recovery – Extracting and analyzing storage devices.
✔ Memory Forensics – Investigating RAM for active processes and malware.
✔ Network Analysis – Capturing and analyzing network traffic.
✔ Registry & Artifact Analysis – Extracting system and user activity logs.
✔ Mobile Forensics – Recovering data from phones and tablets.
✔ Password Cracking & Decryption – Recovering encrypted files and accounts.

1. Popular Forensic Suites

A. Commercial Forensic Suites

These are enterprise-level solutions used by law enforcement, cybersecurity professionals,

and forensic investigators.

Forensic Suite Features

Industry-standard tool for forensic imaging, file recovery, and

EnCase Forensic
analysis.

FTK (Forensic Toolkit) by Disk imaging, registry analysis, password recovery, email
AccessData investigation.

Recovers data from computers, mobile devices, and cloud

Magnet AXIOM
services.

Mobile forensics suite for data extraction from iOS & Android
Cellebrite UFED
devices.

X1 Social Discovery Collects and analyzes social media and cloud-based data.

47 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
 Forensic Suite Features

Oxygen Forensic Suite Extracts mobile data, call logs, messages, and GPS history.

Paraben E3 Suite Handles mobile, computer, and cloud forensics in one package.

B. Open-Source & Free Forensic Suites

These suites are widely used by cybersecurity professionals and forensic researchers.

Forensic Suite Features

Open-source forensic tool for disk imaging, file carving, and

Autopsy (Sleuth Kit)
artifact analysis.

Caine (Computer Aided Linux-based forensic suite with tools for disk recovery, registry
Investigative Environment) analysis, and network forensics.

Bootable forensic OS with tools like Volatility, Wireshark, and

Kali Linux Forensic Mode
Hashcat.

Digital forensic toolkit with tools for file system analysis,

SIFT Workstation (by SANS)
memory forensics, and malware investigation.

DEFT (Digital Evidence & Forensic Ubuntu-based forensic suite with tools for network, mobile,
Toolkit) and disk analysis.

2. Features of a Forensic Suite

✅ Disk Imaging & Recovery – Create forensic copies of HDDs, SSDs, USB drives.
✅ Memory Analysis – Recover passwords, encryption keys, and running processes.
✅ Email & Chat Forensics – Extract data from Outlook, Gmail, WhatsApp, Telegram.
✅ Windows Registry & Artifacts Analysis – Track USB devices, user logins, deleted files.
✅ Network & Cloud Forensics – Monitor network packets, analyze cloud storage logs.
✅ Mobile & IoT Forensics – Extract data from smartphones, smartwatches, GPS devices.
✅ Password Cracking & Hash Analysis – Recover lost or encrypted data.
✅ Report Generation – Generate forensic investigation reports for legal purposes.

3. Why Use a Forensic Suite?

🔹 Efficiency – Combines multiple tools into a single platform.

🔹 Legal Compliance – Ensures proper chain of custody and evidence handling.
🔹 Automated Analysis – Speeds up investigations with AI-based forensic tools.

48 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
🔹 Cross-Device Support – Works with computers, mobile phones, cloud storage, and IoT
devices.

4. Choosing the Right Forensic Suite

🔹 For Law Enforcement → EnCase, FTK, Cellebrite UFED

🔹 For Enterprise Cybersecurity → Magnet AXIOM, Paraben E3, X1 Social Discovery
🔹 For Open-Source Investigators → Autopsy, Kali Linux, SIFT Workstation
🔹 For Mobile Forensics → Oxygen Forensic Suite, Cellebrite, MOBILedit

Acquisition and Seizure of Evidence from Computers and Mobile

Devices
1. Introduction to Digital Evidence Acquisition

Acquisition and seizure of evidence from computers and mobile devices is a critical process
in digital forensics. It involves identifying, collecting, preserving, and analyzing
electronic data while ensuring the integrity and admissibility of evidence in a court of law.

🛑 Key Principles:
✅ Maintain Chain of Custody (proper documentation).
✅ Ensure data integrity (use write-blockers, hashing).
✅ Follow legal procedures (search warrants, privacy laws).
✅ Avoid contaminating evidence (proper shutdown & imaging methods).

2. Seizure of Evidence from Computers

When collecting evidence from computers, forensic investigators must ensure that they
follow proper procedures to prevent data loss or corruption.

A. Pre-Seizure Considerations

🔹 Obtain legal authorization (warrant or consent).

🔹 Identify data storage locations (HDD, SSD, USB, cloud).
🔹 Check for encryption (BitLocker, VeraCrypt).
🔹 Document system details (hardware, OS, running processes).

B. On-Site Computer Seizure

There are two main approaches for handling a powered-on computer:

1️⃣ If the computer is powered OFF → Do not turn it ON!

49 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
  Remove the hard drive & create a forensic image using tools like FTK Imager.
 Use a write blocker to prevent altering data.
 Store the hard drive in anti-static bags.

2️⃣ If the computer is powered ON → Decide based on encryption risk.

 If encryption is suspected → Capture live RAM using Volatility, Belkasoft RAM Capture.
 If no encryption → Perform a proper shutdown and proceed with disk imaging.

C. Acquisition of Digital Evidence from Computers

Forensic imaging creates an exact copy of storage devices without modifying the original
data.

🔹 Forensic Imaging Tools:

Tool Name Purpose

FTK Imager Creates forensic disk images (E01, RAW, AFF formats).

EnCase Forensic Industry-standard imaging & analysis.

Autopsy/Sleuth Kit Open-source disk analysis tool.

dd / dcfldd (Linux) Bit-by-bit disk imaging command-line tool.

🔹 Write Blockers (Prevents Data Modification):

Hardware Write Blocker Purpose

Tableau Forensic Bridge Prevents modification while imaging.

CRU WiebeTech USB WriteBlocker USB write-blocker for external storage.

3. Seizure of Evidence from Mobile Devices

Mobile forensics involves extracting data from smartphones, tablets, and smart devices.
This is more challenging due to encryption, cloud storage, and locked devices.

A. Pre-Seizure Considerations

🔹 Check for passcodes, biometric locks (face/fingerprint recognition).

🔹 Identify the operating system (Android, iOS).
🔹 Prevent remote wiping (use a Faraday bag to block network signals).
🔹 Document the device model, IMEI, installed apps.

B. On-Site Mobile Device Seizure

50 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
1️⃣ If the device is powered ON:

 Enable Airplane Mode to prevent remote access.

 Use a Faraday Bag to block network communication.
 Check for encrypted storage and secure login details.

2️⃣ If the device is powered OFF:

 Do not power it ON unless necessary (it might trigger security features like remote wipe).
 Secure the device in an anti-static evidence bag.

C. Acquisition of Digital Evidence from Mobile Devices

There are three types of data extraction from mobile devices:

🔹 Logical Extraction – Extracts user-accessible data (contacts, messages, call logs).
🔹 File System Extraction – Recovers deleted data and app storage files.
🔹 Physical Extraction – Full bit-by-bit copy of the device (bypasses passcodes &
encryption).

🔹 Mobile Forensic Tools:

Tool Name Purpose

Cellebrite UFED Extracts data from iOS & Android devices.

Oxygen Forensic Suite Recovers messages, call logs, GPS history.

Magnet AXIOM Mobile, cloud, and computer data extraction.

MOBILedit Forensic Extracts phone contacts, messages, and media.

4. Chain of Custody in Digital Forensics

Maintaining a proper Chain of Custody is crucial to ensure the evidence is legally

admissible.

A. Chain of Custody Documentation

Every time evidence is handled, document:

✔ Who collected the evidence (investigator’s name).
✔ Where and when it was collected.
✔ How it was transported and stored.
✔ Who accessed it and for what purpose.

🔹 Example of Chain of Custody Form:

51 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
 Date & Time Evidence Description Collected By Reason for Access Signature

2025-02-17 10:00 AM Laptop (Dell, Serial #12345) Rajagopal T K P Forensic Imaging Signed

5. Challenges in Digital Evidence Acquisition

🚨 Encryption & Locked Devices – Strong encryption (BitLocker, iOS FileVault) makes
data extraction difficult.
🚨 Cloud Storage – Data is often stored remotely (Google Drive, iCloud) and may require
legal authorization.
🚨 Anti-Forensics Techniques – Suspects may use secure delete, steganography, or
wiping tools.
🚨 Data Volatility – RAM and temporary files are lost if the system is powered off.
🚨 Legal & Privacy Issues – Seizing evidence without proper authorization may result in
inadmissible evidence in court.

6. Best Practices for Digital Evidence Acquisition

✅ Use Write-Blockers – Prevents modifying data.

✅ Document Everything – Maintain a detailed chain of custody.
✅ Use Forensic Imaging Tools – Always acquire a forensic copy, never work on the
original.
✅ Secure Evidence Storage – Store collected data in tamper-proof, encrypted drives.
✅ Follow Legal Guidelines – Obtain necessary warrants and approvals before evidence
collection.

Chain of Custody in Digital Forensics

1. What is Chain of Custody?

The Chain of Custody (CoC) is a documented process that tracks the handling, transfer,
and storage of digital evidence from the moment it is collected until it is presented in court. It
ensures that the evidence remains authentic, untampered, and legally admissible.

✅ Purpose of Chain of Custody:

🔹 Prevent tampering, modification, or loss of evidence.
🔹 Establish credibility in court.
🔹 Ensure accountability for everyone handling the evidence.

52 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
2. Importance of Chain of Custody

🔍 Legal Admissibility – Courts require proof that evidence was properly handled.
🔍 Evidence Integrity – Protects against accidental or intentional changes.
🔍 Audit Trail – Tracks every interaction with the evidence.
🔍 Avoids Defense Challenges – Prevents claims of evidence contamination.

3. Chain of Custody Process

A. Collection of Evidence

🔹 Identify and label all digital evidence (hard drives, USBs, mobile devices).
🔹 Take photographs and document details (make, model, serial number).
🔹 Use write blockers to prevent data modification.
🔹 Record the date, time, and location of collection.

B. Documentation & Logging

Every time the evidence is transferred, it must be documented in a Chain of Custody form.

🔹 What should be recorded?

✔ Date & Time of collection and transfer.
✔ Description of the evidence (e.g., "Dell Laptop, Serial #12345").
✔ Who collected it (investigator name).
✔ Who handled or transferred it (all individuals involved).
✔ Purpose of access (e.g., forensic imaging, analysis).
✔ Signatures of responsible individuals.

C. Storage & Security

🔹 Store evidence in tamper-proof containers.

🔹 Use Faraday bags for mobile devices to block remote access.
🔹 Secure digital evidence in forensic labs with controlled access.
🔹 Maintain hash values (MD5, SHA-256) to verify integrity.

D. Analysis & Investigation

🔹 Any forensic analysis must be performed on a forensic copy, not the original.
🔹 Maintain detailed logs of forensic activities.
🔹 Generate reports with timestamps of every action taken.

E. Presentation in Court

53 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
🔹 The Chain of Custody report is presented in court to prove evidence authenticity.
🔹 Investigators must testify about the evidence collection and handling process.

4. Sample Chain of Custody Form

Purpose of
Date & Time Evidence Description Collected By Received By Signature
Access

2025-02-17 Laptop (Dell, Serial Rajagopal T K Digital Forensics Imaging &

Signed
10:00 AM #12345) P Lab Analysis

2025-02-18 Forensic Cybercrime Malware

USB Drive (16GB) Signed
02:30 PM Analyst Division Analysis

2025-02-19 Smartphone (iPhone Digital Forensics

Investigator Data Extraction Signed
11:45 AM 13) Lab

5. Best Practices for Maintaining Chain of Custody

✅ Use a Standardized CoC Form – Every transfer must be documented.

✅ Seal Evidence Properly – Use evidence bags with tamper-proof seals.
✅ Use Digital Hashing – Compute MD5/SHA-256 hash to detect any modifications.
✅ Limit Access – Only authorized personnel should handle evidence.
✅ Train Investigators – Proper handling and documentation procedures must be followed.

6. Common Mistakes & Challenges

🚨 Incomplete Documentation – Missing timestamps or signatures.

🚨 Improper Storage – Exposure to unauthorized access.
🚨 No Hash Verification – Evidence could be altered without detection.
🚨 Forgetting Legal Procedures – Seizing evidence without proper authorization.

Forensic Tools in Digital Forensics

Forensic tools are essential for collecting, analyzing, and preserving digital evidence while
ensuring its integrity and admissibility in court. These tools help investigators examine
computers, mobile devices, networks, and cloud environments for digital evidence.

54 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
1. Categories of Forensic Tools

Forensic tools can be classified into hardware and software tools based on their purpose
and functionality.

A. Software-Based Forensic Tools

🔹 Used for imaging, data recovery, analysis, and reporting.

🔹 Can be open-source or commercial.

B. Hardware-Based Forensic Tools

🔹 Used for write-blocking, disk duplication, and secure storage.

🔹 Ensures data integrity by preventing modifications.

2. Commonly Used Digital Forensic Tools

A. Disk Imaging & Data Acquisition Tools

Used to create a bit-by-bit copy of digital storage devices to preserve evidence.

Tool Name Purpose Type

FTK Imager Creates forensic disk images (E01, RAW) Freeware

EnCase Forensic Industry-standard disk imaging & analysis Commercial

dd / dcfldd Linux command-line tool for disk cloning Open-source

Autopsy/Sleuth Kit Disk analysis & forensic imaging Open-source

B. Mobile Forensics Tools

Used for extracting data from Android, iOS, and other mobile devices.

Tool Name Purpose Type

Cellebrite UFED Extracts data from locked & encrypted mobile devices Commercial

Oxygen Forensic Suite Recovers messages, call logs, GPS data Commercial

Magnet AXIOM Extracts & analyzes mobile, cloud, and computer data Commercial

MOBILedit Forensic Extracts SMS, call history, contacts, and deleted data Commercial

55 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
C. Memory & RAM Forensics Tools

Used for capturing and analyzing volatile memory (RAM) to detect running processes,
malware, and encryption keys.

Tool Name Purpose Type

Volatility Extracts data from RAM dumps (malware, passwords) Open-source

Belkasoft RAM Capture Captures live RAM for forensic analysis Freeware

Rekall Memory forensics framework for Windows, Linux, macOS Open-source

D. File System & Registry Analysis Tools

Used to analyze file systems, registry changes, and hidden data in storage devices.

Tool Name Purpose Type

Autopsy/Sleuth Kit Examines file system artifacts, deleted files Open-source

X-Ways Forensics Advanced file system analysis & registry tracking Commercial

RegRipper Extracts & analyzes Windows Registry data Open-source

Redline Identifies malicious activity in file systems & logs Freeware

E. Network Forensics Tools

Used for monitoring, capturing, and analyzing network traffic to detect cyber threats.

Tool Name Purpose Type

Wireshark Captures & analyzes network traffic packets Open-source

NetworkMiner Extracts files, emails, and metadata from network traffic Freeware

Xplico Network packet analysis & data extraction Open-source

TCPDump Command-line tool for live packet capturing Open-source

F. Email & Internet Artifacts Analysis Tools

Used for investigating emails, browser history, and web-based artifacts.

56 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
 Tool Name Purpose Type

MailXaminer Extracts & analyzes email data (PST, MBOX, OST) Commercial

Belkasoft Evidence Center Recovers chat history, browser activity Commercial

Browser History Examiner Examines web browser history, cookies, cache Freeware

G. Password & Decryption Tools

Used for cracking passwords, decrypting files, and recovering lost credentials.

Tool Name Purpose Type

John the Ripper Cracks password hashes (Windows, Linux) Open-source

Hashcat High-performance password recovery tool Open-source

Elcomsoft Forensic Suite Recovers passwords from encrypted files & devices Commercial

H. Anti-Forensics & Malware Analysis Tools

Used for detecting rootkits, malware, and anti-forensic activities.

Tool Name Purpose Type

GMER Detects hidden rootkits & processes Freeware

VirusTotal Online tool for malware analysis Freeware

Cuckoo Sandbox Automated malware behavior analysis Open-source

YARA Identifies malware signatures & patterns Open-source

3. Hardware-Based Forensic Tools

These tools assist in acquiring and preserving evidence securely without modifying the
original data.

Hardware Tool Purpose

Tableau TX1 Forensic Imager High-speed forensic disk duplication

CRU WiebeTech Forensic Write Blocker Prevents modifications while imaging

57 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
 Hardware Tool Purpose

Faraday Bags Blocks wireless signals for mobile evidence protection

Logicube Falcon High-performance forensic disk imaging device

4. Best Practices for Using Forensic Tools

✅ Use Write Blockers – Prevents modification of evidence.

✅ Create Forensic Images – Always work on a copy, not the original.
✅ Validate Evidence Integrity – Use MD5/SHA-256 hashing to verify data integrity.
✅ Follow Chain of Custody – Document every step from collection to analysis.
✅ Use Multiple Tools – Cross-verify results with different forensic tools.

58 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
 UNIT III - ANALYSIS AND VALIDATION

Validating Forensics Data – Data Hiding Techniques – Performing Remote Acquisition – Network
Forensics – Email Investigations – Cell Phone and Mobile Devices Forensics - Analysis of Digital
Evidence - Admissibility of Evidence - Cyber Laws in India

Validating Forensics Data

1. What is Data Validation in Digital Forensics?

Validating forensic data ensures that digital evidence has not been altered and remains
authentic, reliable, and admissible in court. It involves verifying that the collected data is
accurate, complete, and unmodified throughout the forensic investigation.

✅ Why is it important?
🔹 Prevents tampering or accidental modification of evidence.
🔹 Ensures credibility and admissibility in legal proceedings.
🔹 Confirms that forensic tools and processes are working correctly.

2. Methods of Validating Forensic Data

A. Hashing (Cryptographic Hash Functions)

A hash function generates a unique fingerprint (hash value) for a file or storage device.
Any change to the data will result in a completely different hash value.

🔹 Common hashing algorithms:

✔ MD5 (Message Digest 5) – 128-bit hash (commonly used but weaker).
✔ SHA-1 (Secure Hash Algorithm 1) – 160-bit hash (prone to collisions).
✔ SHA-256 (Secure Hash Algorithm 256-bit) – More secure and widely used.

🔹 Process:
1️⃣ Generate a hash of the original evidence (before analysis).
2️⃣ After forensic analysis, recalculate the hash and compare it with the original.
3️⃣ If the hashes match, the data is untampered and valid.

B. Write Blockers (Hardware & Software)

🔹 Write blockers prevent modifications to the original data by making storage devices
read-only.
🔹 Used in forensic imaging to ensure that no accidental changes occur.

59 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
✅ Hardware Write Blockers: Tableau TX1, CRU WiebeTech, Logicube.
✅ Software Write Blockers: USB WriteProtector, Forensic Explorer.

C. Forensic Imaging & Bit-by-Bit Copy Verification

🔹 Instead of working on the original evidence, forensic investigators create a forensic image
(exact bit-by-bit copy).
🔹 The hash of the forensic image should match the original storage device's hash.

Tools for forensic imaging:

✔ FTK Imager – Creates forensic disk images.
✔ dd / dcfldd – Linux command-line forensic imaging tools.
✔ EnCase Forensic – Commercial forensic suite for disk imaging.

D. Cross-Validation Using Multiple Tools

🔹 Use multiple forensic tools to ensure consistency in analysis results.

🔹 Example: If Autopsy detects a deleted file, verify it using EnCase or FTK Imager.

✅ If all tools produce the same results, the data is authentic and valid.

E. Chain of Custody Documentation

🔹 Keep a detailed record of evidence handling, including who accessed the data and when.
🔹 Helps prove that evidence has not been altered during investigation.

Chain of Custody Form Example:

Date & Evidence Collected Received

Purpose Hash Value
Time Description By By

2025-02- Digital
Hard Drive Rajagopal
17 10:00 Forensics Imaging 5f4dcc3b5aa765d61d8327deb882cf99
(1TB, WD) TKP
AM Lab

✅ If the hash remains unchanged throughout, data integrity is confirmed.

F. Timestamp & Metadata Verification

60 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
🔹 Check file timestamps, metadata, and logs to ensure no unauthorized modifications.
🔹 Tools for metadata validation:
✔ ExifTool – Extracts metadata from images, documents, and videos.
✔ Plaso (log2timeline) – Examines system logs for timeline validation.
✔ Sleuth Kit – Checks timestamps on files and partitions.

3. Common Validation Errors & How to Avoid Them

🚨 Hash Mismatch – Recalculate and check if the forensic image was properly created.
🚨 Write Protection Failure – Always use write blockers to prevent accidental changes.
🚨 Tool Discrepancies – Cross-verify findings using multiple forensic tools.
🚨 Incomplete Chain of Custody – Document every step properly.

4. Best Practices for Forensic Data Validation

✅ Always use hash verification (MD5/SHA-256) before and after analysis.

✅ Work only on forensic images, not the original evidence.
✅ Use write blockers to prevent accidental data modification.
✅ Cross-validate with multiple tools to confirm findings.
✅ Maintain a detailed chain of custody for all evidence.

Data Hiding Techniques in Digital Forensics

Data hiding is a cybersecurity and forensic concern where individuals conceal information
within digital files, storage devices, or network traffic to evade detection. Cybercriminals
often use steganography, encryption, obfuscation, and anti-forensic methods to hide
evidence of malicious activity.

🔍 Why is Data Hiding Important in Forensics?

✅ Criminals hide data to evade detection and avoid evidence collection.
✅ Forensic investigators must identify, recover, and analyze hidden data.
✅ Data hiding is used in malware, cybercrimes, espionage, and digital fraud.

1. Common Data Hiding Techniques

A. Steganography (Hiding Data Inside Files)

🔹 Steganography is the practice of hiding information inside images, videos, audio files, or
text without altering the original file’s appearance.

61 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
🔹 Unlike encryption, steganography does not change the format of the file, making it
harder to detect.

🔍 Example Methods:
✔ LSB (Least Significant Bit) Steganography – Hides data in the least significant bits of an
image.
✔ Audio Steganography – Embeds secret data within sound waves.
✔ Video Steganography – Hides data inside video frames.

🛠️ Tools Used:
🔹 OpenStego – Hides text in images.
🔹 StegHide – Embeds files in audio or image files.
🔹 SilentEye – Cross-platform steganography tool.

B. File System-Based Data Hiding (Slack Space, Alternate Data Streams)

🔹 Hiding data inside unused storage space of a file system.

1️⃣ Slack Space

✔ Slack space is the unused space at the end of a file cluster.
✔ Hidden data can be stored in slack space without modifying the original file.

2️⃣ Alternate Data Streams (ADS) (NTFS File System)

✔ NTFS allows files to have multiple data streams (hidden files inside another file).
✔ Example: Hiding a secret message inside a text file.

✅ Forensics Solution: Use tools like ADS Spy, LADS (List Alternate Data Streams), and
EnCase to detect ADS.

C. Encryption (Concealing Data with Cryptographic Techniques)

🔹 Encryption converts readable data into ciphertext, making it inaccessible without a key.

🔍 Example Encryption Techniques:

✔ AES (Advanced Encryption Standard) – Used for strong encryption.
✔ RSA (Rivest-Shamir-Adleman) – Public-key cryptography for securing messages.
✔ VeraCrypt – Open-source encryption tool for hidden disk volumes.

✅ Forensics Solution: Use Volatility, EnCase, and Passware Kit to detect encrypted data.

62 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
D. Data Obfuscation (Making Data Difficult to Read or Analyze)

🔹 Obfuscation involves modifying data or code to make it unreadable without altering

its execution.
🔹 Used in malware, spyware, and cyberattacks to hide malicious behavior.

🔍 Example Obfuscation Methods:

✔ Base64 Encoding – Converts data into ASCII characters.
✔ Code Obfuscation – Hides source code by renaming variables/functions.
✔ Whitespace Obfuscation – Hides data within text formatting.

✅ Forensics Solution: Use YARA rules, deobfuscation scripts, and malware analysis
tools like IDA Pro, Ghidra, or CyberChef.

E. Hidden Partitions & Virtual Machines (VMs)

🔹 Attackers use hidden partitions or VMs to store illegal data without detection.

🔍 Example Techniques:
✔ Hiding data inside a Linux LVM partition.
✔ Using VirtualBox or VMware to run hidden systems.
✔ Using encrypted hidden volumes (VeraCrypt Hidden OS).

✅ Forensics Solution: Use disk partition analysis tools like Autopsy, FTK, and
DiskCryptor to find hidden storage.

F. Network-Based Data Hiding (Covert Channels, Tunneling)

🔹 Attackers hide data inside network traffic to evade detection.

🔍 Example Methods:
✔ DNS Tunneling – Hiding data inside DNS queries.
✔ Covert Channels – Using unused fields in network packets to transfer hidden data.
✔ Tor & Dark Web – Concealing network activity.

✅ Forensics Solution: Use Wireshark, Snort IDS, and Zeek to analyze network traffic.

63 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
2. How Forensic Investigators Detect Hidden Data

🔎 Techniques Used by Investigators:

✅ Steganalysis Tools – Detect hidden messages in media files.
✅ File Carving – Recover hidden or deleted files from storage.
✅ Hash Analysis – Compare known file hashes with forensic databases.
✅ Memory Forensics – Use Volatility to find encryption keys and hidden processes.
✅ Reverse Engineering – Analyze obfuscated code using Ghidra or IDA Pro.

Performing Remote Acquisition in Digital Forensics

1. What is Remote Acquisition?

🔍 Remote acquisition is the process of collecting digital evidence from a target system
over a network without physically accessing the device. This technique is widely used in
corporate investigations, cybercrime cases, and incident response when physical access to
a suspect's machine is not possible.

✅ Why is it important?
✔ Investigates cybercrimes, insider threats, and unauthorized activities remotely.
✔ Helps large organizations monitor employee activity and detect data leaks.
✔ Reduces risk of alerting suspects before evidence is collected.
✔ Used for cloud forensics, remote employee monitoring, and server investigations.

2. Types of Remote Acquisition

A. Live Remote Acquisition

🔹 Involves collecting real-time data from an active system.

🔹 Captures RAM contents, running processes, network connections, and volatile data.
🔹 Used in cyberattacks, malware analysis, and memory forensics.

✅ Example Tools:
✔ FTK Imager – Captures live RAM and disk images remotely.
✔ Volatility Framework – Extracts volatile memory data.
✔ X-Ways Capture – Performs live system imaging.

B. Dead Remote Acquisition

64 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
🔹 Collects data from a powered-off system or disk image.
🔹 Prevents data modification and ensures evidence integrity.
🔹 Used in corporate forensic investigations, compliance audits, and legal cases.

✅ Example Tools:
✔ EnCase Enterprise – Remotely acquires and analyzes disk images.
✔ RDP (Remote Desktop Protocol) & SSH – Secure remote access for forensic collection.
✔ F-Response – Provides remote forensic access to hard drives and RAM.

C. Cloud-Based Remote Acquisition

🔹 Acquires data from cloud services (Google Drive, AWS, Microsoft 365, etc.).
🔹 Collects log files, user activity, email records, and stored files.

✅ Example Tools:
✔ Magnet AXIOM Cloud – Extracts cloud-based evidence.
✔ AWS CloudTrail – Monitors cloud activity logs.
✔ Google Takeout – Downloads account data for forensic analysis.

3. Steps to Perform Remote Acquisition

Step 1: Establish a Secure Connection

🔹 Use VPN, SSH, RDP, or forensic tunneling tools to securely connect to the target
system.
🔹 Ensure encryption to prevent man-in-the-middle (MITM) attacks.

Example Command (SSH Remote Login):

ssh investigator@[Link]

✅ Best Practice: Use TLS encryption and two-factor authentication for security.

Step 2: Verify and Authenticate the Target System

🔹 Confirm the IP address, hostname, and user credentials.

🔹 Use system fingerprinting tools (nmap, psinfo) to ensure you are accessing the correct
device.

65 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
Step 3: Acquire Volatile Data (RAM, Network Activity, Running Processes)

🔹 Use live memory acquisition tools before shutting down the system.
🔹 Capture running processes, network connections, and encryption keys.

Step 4: Acquire Non-Volatile Data (Hard Drive, Logs, Registry, Cloud Storage)

🔹 Use disk imaging tools to create a forensic copy of the hard drive.
🔹 Ensure hash verification (MD5/SHA-256) to maintain integrity.

Step 5: Hash Verification & Integrity Check

🔹 Calculate MD5/SHA-256 hashes before and after acquisition to ensure data integrity.

Step 6: Document & Store Evidence Securely

🔹 Maintain a Chain of Custody record for legal admissibility.

🔹 Store forensic images in a secure evidence locker (write-protected storage).

✅ Example Chain of Custody Record:

Source
Date & Time Investigator Method Used Hash (SHA-256)
Device

2025-02-17 Rajagopal T K Laptop FTK Imager

5f4dcc3b5aa765d61d8327deb882cf99
10:00 AM P (Dell) (Remote)

4. Challenges in Remote Acquisition

🚨 Network Latency – Large forensic images take time to transfer.

🚨 Encryption & Anti-Forensics – Encrypted files require password cracking or key
extraction.
🚨 Legal & Privacy Issues – Remote access laws vary by country; always obtain legal
approval.
🚨 Detection by Attackers – Cybercriminals may detect forensic tools and erase evidence.

✅ Solution: Use covert forensic tools and collect logs from SIEM (Security Information
and Event Management) systems.

66 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
5. Best Tools for Remote Acquisition

🔹 FTK Imager (Forensic Toolkit) – Remote disk imaging & memory capture.
🔹 EnCase Enterprise – Remote forensic investigation suite.
🔹 F-Response – Provides remote forensic access to hard drives and RAM.
🔹 Magnet AXIOM Cloud – Cloud-based data collection.
🔹 Volatility – Extracts forensic artifacts from RAM dumps.

Network Forensics: Investigating Cybercrimes Through Network Traffic

1. What is Network Forensics?

🔍 Network forensics is the process of capturing, analyzing, and investigating network

traffic to detect cybercrimes, security breaches, and unauthorized activities. It helps forensic
investigators track attackers, recover lost data, and provide digital evidence.

✅ Why is Network Forensics Important?

✔ Detects intrusions, malware, and insider threats.
✔ Investigates data breaches, DoS (Denial-of-Service) attacks, and phishing scams.
✔ Helps organizations monitor real-time network activity.
✔ Provides legal evidence for cybersecurity incidents.

2. Sources of Network Evidence

Network forensics relies on data from multiple sources, including:

A. Network Traffic Logs

✔ Captured using packet sniffers (Wireshark, tcpdump).

✔ Includes source & destination IP addresses, ports, and protocols.

B. Firewall & IDS/IPS Logs

✔ Firewalls log blocked & allowed connections.

✔ Intrusion Detection Systems (IDS) like Snort & Zeek detect attacks.

C. NetFlow & Network Metadata

✔ NetFlow captures high-level summaries of network activity.

✔ Used for detecting anomalies & tracking large data transfers.

67 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
D. Server & Application Logs

✔ Web server logs (Apache, Nginx) – Track website access attempts.

✔ Email server logs (SMTP, IMAP, POP3) – Investigate phishing and spam.

E. Cloud & VPN Logs

✔ Cloud providers (AWS, Azure, Google Cloud) log user activity.

✔ VPN logs help identify remote access to networks.

3. Network Forensics Process

Step 1: Capture Network Traffic (Data Collection)

🔹 Use packet capturing tools to monitor network activity.

🔹 Capture logs from firewalls, IDS/IPS, and cloud services.

Example Command (Using tcpdump to Capture Packets):

sudo tcpdump -i eth0 -w [Link]

✅ Forensics Tip: Always store captured data in pcap (packet capture) format for analysis.

Step 2: Analyze Network Traffic

🔹 Investigate IP addresses, protocols, and suspicious activities.

🔹 Look for malware signatures, unauthorized access, and data exfiltration.

Example: Analyzing Packets with Wireshark

✔ Apply filters (e.g., http, [Link] == 80) to focus on relevant data.
✔ Check for unusual IP addresses, excessive failed logins, or suspicious downloads.

✅ Forensics Tip: Use Zeek (Bro IDS) for automated network traffic analysis.

Step 3: Correlate Events & Identify Attacks

🔹 Compare logs from firewalls, IDS, and system logs to identify attack patterns.
🔹 Use Threat Intelligence sources (e.g., VirusTotal, AlienVault) to check for malicious IPs.

68 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
Step 4: Extract and Reconstruct Evidence

🔹 Recover hacked emails, chat logs, and stolen data from network traffic.
🔹 Reconstruct web browsing history, VoIP calls, and file transfers.

Step 5: Report & Secure the Evidence

🔹 Generate detailed forensic reports for legal proceedings.

🔹 Maintain a Chain of Custody to ensure evidence integrity.

✅ Forensics Tip: Always hash (MD5/SHA-256) captured logs before storing them.

4. Types of Network Attacks & Forensic Detection

Network forensics helps detect various cyber threats, including:

A. Denial-of-Service (DoS) & Distributed DoS (DDoS) Attacks

✔ Attackers flood a server with traffic to overload and crash it.

✔ Forensic detection: Check sudden spikes in traffic & multiple requests from the same
IP.

B. Malware & Ransomware Attacks

✔ Malicious software steals data, encrypts files, or spreads via networks.

✔ Forensic detection: Identify connections to command & control (C2) servers.

C. Data Exfiltration (Unauthorized Data Transfers)

✔ Hackers steal sensitive data via FTP, HTTP, DNS tunneling, or encrypted traffic.
✔ Forensic detection: Monitor large outbound data transfers & abnormal DNS requests.

D. Man-in-the-Middle (MITM) Attacks

✔ Attackers intercept communication between two parties to steal data.

✔ Forensic detection: Check ARP cache, duplicate MAC addresses, and fake SSL
certificates.

69 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
5. Best Tools for Network Forensics

🔹 Wireshark – Packet analysis & deep packet inspection.

🔹 Zeek (Bro IDS) – Detects network anomalies & attacks.
🔹 Snort – Intrusion detection system (IDS).
🔹 Tcpdump – Command-line packet capturing.
🔹 ELK Stack (Elasticsearch, Logstash, Kibana) – Log analysis & visualization.
🔹 NetworkMiner – Extracts metadata & credentials from network traffic.
🔹 Xplico – Web traffic reconstruction.

6. Challenges in Network Forensics

🚨 High Volume of Data – Large networks generate terabytes of logs.

🚨 Encrypted Traffic – Attackers use VPNs & SSL encryption to hide.
🚨 Zero-Day Attacks – Unknown threats bypass security tools.
🚨 Legal & Privacy Issues – Monitoring user activity must comply with laws (e.g., GDPR).

Email Investigations in Digital Forensics

1. What is an Email Investigation?

🔍 Email investigation is a process in digital forensics where investigators analyze email

communications to uncover evidence related to fraud, cybercrime, phishing, insider
threats, and data breaches. It involves retrieving, analyzing, and verifying email data
from mail servers, client devices, and network logs.

✅ Why are Email Investigations Important?

✔ Helps identify cybercriminals and track fraudulent activities.
✔ Detects phishing, email spoofing, and social engineering attacks.
✔ Recovers deleted or hidden emails as forensic evidence.
✔ Investigates corporate espionage and data leaks.

2. Sources of Email Evidence

Email forensics relies on multiple sources, including:

A. Email Headers

70 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
✔ Contain sender/receiver details, timestamps, IP addresses, and routing information.
✔ Help detect email spoofing and phishing attacks.

B. Email Body & Attachments

✔ Email text can reveal threats, fraud, or criminal intent.

✔ Attachments may contain malware, hidden messages, or financial fraud documents.

C. Mail Server Logs

✔ Store records of sent, received, and failed emails.

✔ Used to track suspicious email traffic & unauthorized access.

D. Client Email Applications

✔ Outlook, Thunderbird, Gmail, and Apple Mail store emails locally.

✔ Investigators analyze PST, OST, MBOX, and EML files for forensic evidence.

E. Network Packet Captures (PCAP Files)

✔ Captures email traffic over SMTP, POP3, IMAP, and webmail.

✔ Helps recover emails intercepted during transmission.

3. Email Investigation Process

Step 1: Identify & Secure Email Evidence

🔹 Extract email data from mail servers, local email clients, and network logs.
🔹 Preserve evidence using forensic tools (FTK Imager, EnCase, MailXaminer).

✅ Forensics Tip: Always calculate hash values (MD5/SHA-256) to maintain email

integrity.

Step 2: Analyze Email Headers

🔹 Email headers help trace the origin, routing, and authenticity of an email.
🔹 Look for IP addresses, timestamps, and metadata to detect fraud.

🔍 Example: Extracting Email Headers in Gmail

1️⃣ Open the email → Click More Options (⁝) → Select Show Original
2️⃣ Copy and analyze the header using Email Header Analyzer Tools

71 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
🔍 Example: Extracting Email Headers in Outlook
1️⃣ Open the email → Click File → Properties
2️⃣ Copy the Internet Headers section for analysis

✅ Forensics Tip: Use MxToolbox ([Link] to

analyze headers.

Step 3: Verify Sender Information

🔹 Check if the "From" address is forged using SPF, DKIM, and DMARC records.
🔹 Compare sender's IP address with known threat databases.

🔍 Example: Checking SPF, DKIM & DMARC Records (Command Line)

nslookup -type=txt [Link]

✅ Forensics Tip: Mismatch in SPF/DKIM records indicates possible spoofing.

Step 4: Investigate Attachments & Links

🔹 Scan email attachments for malware (e.g., PDFs, ZIP files, Word macros).
🔹 Inspect embedded links for phishing attempts.

🔍 Example: Scanning Attachments for Malware

✔ Use VirusTotal ([Link] to scan attachments.
✔ Analyze files with Autopsy, FTK, or X-Ways Forensics.

✅ Forensics Tip: Never open suspicious attachments on a live system; use sandboxing
tools like Cuckoo Sandbox.

Step 5: Recover Deleted Emails

🔹 Use forensic tools to recover deleted or hidden emails.

🔹 Investigate local email storage (PST, OST, MBOX files).

🔍 Example: Extracting Emails from Outlook PST Files

✔ Use [Link] (Inbox Repair Tool) to recover Outlook emails.
✔ Use MailXaminer or EnCase for advanced recovery.

✅ Forensics Tip: Email providers store backups, so investigators can request legal access to
deleted emails.
72 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
4. Common Email Threats & Forensic Detection

A. Phishing Attacks

✔ Cybercriminals impersonate legitimate companies to steal credentials.

✔ Forensic detection: Check email headers, SPF/DKIM/DMARC failures, and malicious
links.

🔍 Example: Detecting Phishing Links in Emails

✔ Hover over the URL in the email to check for mismatched domains.
✔ Use [Link] or VirusTotal to analyze links.

✅ Forensics Solution: Use email filters & multi-factor authentication (MFA) to prevent
phishing.

B. Email Spoofing (Fake Senders)

✔ Attackers send emails pretending to be someone else.

✔ Forensic detection: Analyze email headers and verify IP addresses.

🔍 Example: Checking Email Header for Spoofing

Look for "Received-SPF: Fail" in the email header.

✅ Forensics Solution: Implement DMARC policies to block spoofed emails.

C. Business Email Compromise (BEC) Fraud

✔ Attackers use social engineering & email fraud to steal money.

✔ Forensic detection: Investigate email header inconsistencies and unauthorized access
logs.

✅ Forensics Solution: Train employees to detect email fraud and confirm wire transfers
via phone calls.

D. Ransomware & Malware via Emails

✔ Attackers send infected attachments (PDFs, Word Macros, ZIP files).

✔ Forensic detection: Analyze attachments and check execution logs.

73 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
✅ Forensics Solution: Use sandboxing tools & endpoint security solutions
(CrowdStrike, SentinelOne).

5. Best Email Forensic Tools

🔹 MailXaminer – Advanced email forensics & investigation tool.

🔹 FTK Imager – Extracts email data from disk images.
🔹 Xplico – Recovers emails from network traffic captures.
🔹 Wireshark – Captures and analyzes email traffic over SMTP/POP3/IMAP.
🔹 Google Takeout – Exports Gmail data for forensic analysis.
🔹 EnCase Forensic – Recovers deleted emails and attachments.
🔹 Email Header Analyzer (MxToolbox) – Traces email sender & detects spoofing.

6. Challenges in Email Forensics

🚨 Encrypted Emails – Attackers use PGP, SSL, and TLS encryption.

🚨 Deleted & Hidden Emails – Some emails are permanently erased from servers.
🚨 Fake Sender Addresses – Email spoofing makes tracking real senders difficult.
🚨 Legal & Privacy Issues – Accessing emails may require court orders & legal
approvals.

✅ Solution: Use legal frameworks (ECPA, GDPR, CCPA) and cooperate with email
service providers.

Cell Phone and Mobile Device Forensics

1. What is Mobile Device Forensics?

📱 Mobile device forensics is the process of retrieving, analyzing, and preserving digital
evidence from smartphones, tablets, and other mobile devices. It helps investigators collect
call logs, messages, emails, location data, app activity, and deleted files to solve
cybercrimes and legal cases.

✅ Why is Mobile Forensics Important?

✔ Tracks criminal activities (fraud, hacking, harassment, etc.)
✔ Recovers deleted messages, call logs, and multimedia files
✔ Detects GPS locations and social media activity
✔ Analyzes malware, data breaches, and insider threats

74 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
2. Sources of Mobile Device Evidence

Digital evidence can be collected from multiple sources, including:

A. Internal Storage (Flash Memory & SIM Card)

✔ Stores contacts, messages, call history, photos, and system logs

✔ Forensic extraction tools can recover deleted data

B. Mobile Applications & Cloud Storage

✔ WhatsApp, Signal, Telegram, Facebook, Instagram, Snapchat, etc.

✔ Cloud backups (Google Drive, iCloud) store chats, media, and documents

C. Network Logs & GPS Data

✔ Call logs, mobile towers, Wi-Fi connections, and Bluetooth logs

✔ GPS locations, geotagged photos, and route history

D. Removable Storage (SD Cards & USB OTG)

✔ Stores videos, documents, app data, and encrypted files

✔ SD cards can be forensically imaged and analyzed

3. Mobile Forensics Process

Step 1: Seize and Secure the Device

🔹 Prevent remote wiping or data loss by placing the phone in airplane mode.
🔹 Use Faraday bags or signal-blocking tools to prevent network access.
🔹 Document chain of custody to ensure evidence integrity.

✅ Forensics Tip: Always take photos of the device before starting extraction.

Step 2: Extract Data from the Mobile Device

There are three main types of data extraction methods:

A. Logical Extraction (Standard Backup Data)

✔ Retrieves contacts, messages, call logs, media files

✔ Uses official APIs & backup tools (e.g., ADB for Android, iTunes for iOS)

75 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
B. File System Extraction (App Data & Logs)

✔ Accesses internal file structures of apps and system logs

✔ Requires forensic tools (UFED, Magnet Axiom, XRY, Oxygen Forensic Suite)

C. Physical Extraction (Bit-by-Bit Clone of Storage)

✔ Recovers deleted files, hidden partitions, and system artifacts

✔ Uses chip-off or JTAG techniques for damaged or locked devices

✅ Forensics Tip: Always generate MD5/SHA-256 hash values for extracted data.

Step 3: Analyze and Recover Evidence

🔹 Extract call logs, messages, and emails

🔹 Recover deleted files, images, and videos
🔹 Analyze GPS location history & Wi-Fi connections
🔹 Decrypt secured chats & encrypted app data

Step 4: Recover Deleted Messages & Files

✔ SMS, WhatsApp, Telegram, and Signal store data in SQLite databases

✔ Deleted messages may still be recovered if not overwritten

Step 5: Extract Location & Social Media Activity

✔ Recover Google Maps location history & Wi-Fi logs

✔ Extract social media chats and multimedia files

4. Mobile Device Threats & Forensic Detection

A. Mobile Malware & Spyware

✔ Attackers use trojans, keyloggers, and remote access tools (RATs)

✔ Forensic detection: Analyze installed apps, permissions, and network activity

B. SIM Swapping & Call Spoofing

76 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
✔ Hackers clone SIM cards to take control of accounts
✔ Forensic detection: Check for unauthorized SIM changes & call forwarding logs

✅ Forensics Solution: Use 2FA apps (Google Authenticator) instead of SMS-based

authentication.

C. Data Exfiltration via Cloud Backups

✔ Criminals may upload stolen data to Google Drive or iCloud

✔ Forensic detection: Analyze cloud storage logs & data transfers

✅ Forensics Solution: Request legal access to cloud backup data from service providers.

D. Deleted & Hidden Data

✔ Files, messages, and logs can be hidden or disguised

✔ Forensic detection: Analyze metadata & recover deleted records

🔍 Example: Recovering Deleted Files from SD Card Using Autopsy

✔ Use Autopsy or FTK Imager to scan hidden & deleted files.

✅ Forensics Solution: Mobile forensic tools like Magnet Axiom & UFED can recover
deleted chats & app data.

5. Best Mobile Forensic Tools

🔹 Cellebrite UFED – Advanced data extraction & decryption tool.

🔹 Oxygen Forensic Suite – Extracts messages, calls, GPS, and app data.
🔹 Magnet Axiom – Mobile & cloud forensics.
🔹 XRY by MSAB – Secure extraction & analysis of mobile evidence.
🔹 MVT (Mobile Verification Toolkit) – Detects Pegasus spyware.
🔹 Elcomsoft Phone Breaker – Extracts cloud-stored mobile data.
🔹 Autopsy – Recovers deleted files from SD cards.

6. Challenges in Mobile Forensics

🚨 Encryption & Password Protection – Many devices use strong encryption (FileVault,
Secure Enclave, Samsung Knox).
🚨 Remote Wiping & Cloud Backups – Attackers can delete data remotely.

77 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
🚨 Multiple Operating Systems (iOS, Android, HarmonyOS) – Different forensic
techniques are needed for each OS.
🚨 Legal & Privacy Concerns – Investigators need legal approval to access personal
mobile data (GDPR, CCPA, ECPA).

✅ Solution: Use chip-off and JTAG techniques for encrypted devices & obtain legal
warrants for cloud data access.

Analysis of Digital Evidence in Computer Forensics

1. What is Digital Evidence Analysis?

📂 Digital evidence analysis is the process of examining, extracting, and interpreting

digital data to uncover forensic evidence. It helps investigators solve cybercrimes, fraud,
hacking incidents, and data breaches by analyzing data from computers, mobile devices,
emails, cloud storage, and networks.

✅ Why is Digital Evidence Analysis Important?

✔ Helps recover deleted, hidden, or encrypted files
✔ Identifies malware, hacking attempts, and cyber threats
✔ Traces email fraud, social media activity, and unauthorized access
✔ Provides legally admissible digital evidence for investigations

2. Types of Digital Evidence

Digital evidence can come from various sources, including:

A. File System Evidence

✔ Documents, images, videos, and databases stored on hard drives, SSDs, USBs, and cloud
storage.
✔ Includes hidden, deleted, and encrypted files.

B. Network Evidence

✔ Logs from firewalls, routers, and intrusion detection systems (IDS).

✔ Captured packets showing network traffic, data transfers, and suspicious connections.

C. Email & Chat Evidence

✔ Investigating phishing attacks, email fraud, and business email compromise (BEC).
✔ Extracting deleted emails, metadata, and attachments.

78 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
D. Registry & Log Files

✔ Windows Registry contains startup programs, installed software, and USB device
history.
✔ System logs track user activity, error messages, and security breaches.

E. Mobile Device Evidence

✔ Call logs, text messages, WhatsApp, Telegram, and Signal chat history.
✔ GPS location data, cloud backups, and social media accounts.

F. Malware & Rootkit Evidence

✔ Detects Trojan horses, spyware, ransomware, and keyloggers.

✔ Analyzes process execution, system modifications, and network connections.

3. Digital Evidence Analysis Process

Step 1: Evidence Collection & Imaging

🔹 Capture disk images using forensic tools like FTK Imager, Autopsy, and EnCase.
🔹 Use Write Blockers to prevent data tampering.

🔍 Example: Creating a Forensic Disk Image using FTK Imager

1️⃣ Open FTK Imager → Select Create Disk Image
2️⃣ Choose Source Drive → Select E01 or RAW Format
3️⃣ Start the imaging process and calculate hash values (MD5/SHA-256)

✅ Forensics Tip: Always preserve original evidence and analyze only copies.

Step 2: File System & Metadata Analysis

🔹 Extract documents, deleted files, and hidden data.

🔹 Analyze metadata (timestamps, file owner, modification history).

🔍 Example: Extracting Metadata from a File (Linux Terminal)

stat [Link]

✅ Forensics Tip: Use ExifTool or Autopsy to extract metadata from photos, PDFs, and
videos.

79 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
Step 3: Recovering Deleted & Hidden Data

🔹 Analyze unallocated space and slack space for deleted files.

🔹 Use Autopsy, Recuva, or TestDisk to recover lost data.

🔍 Example: Recovering Deleted Files from a Drive Using Autopsy

1️⃣ Open Autopsy → Load the disk image
2️⃣ Select File Analysis → Check Deleted Files & MFT Records

✅ Forensics Tip: Deleted files remain on disk until overwritten. Use forensic tools to
restore them.

Step 4: Analyzing Windows Registry & System Logs

🔹 Registry stores USB device history, browser activity, and startup programs.
🔹 Windows Event Logs track user logins, security alerts, and software crashes.

🔍 Example: Checking USB Device History in Windows Registry

reg query HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR

✅ Forensics Tip: Use Registry Explorer & Event Log Explorer to analyze registry
changes.

Step 5: Network Traffic & Packet Capture Analysis

🔹 Analyze PCAP files for suspicious network activity.

🔹 Detect malicious IPs, data exfiltration, and command & control (C2) connections.

🔍 Example: Using Wireshark to Capture Network Traffic

1️⃣ Open Wireshark → Select Network Interface
2️⃣ Start Packet Capture → Apply filters (e.g., http, [Link] == 443)
3️⃣ Analyze suspicious connections & malware activity

✅ Forensics Tip: Look for anomalous traffic, encrypted connections, and unauthorized
logins.

Step 6: Email & Social Media Investigation

🔹 Extract email headers, attachments, and message content.

🔹 Recover deleted chats from WhatsApp, Facebook, and Telegram databases.

80 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
🔍 Example: Extracting Email Headers (Gmail)
1️⃣ Open email → Click More Options (⁝) → Select Show Original
2️⃣ Analyze headers for IP addresses, SPF/DKIM validation, and routing details.

✅ Forensics Tip: Use MxToolbox ([Link] to

analyze email headers.

4. Best Digital Forensics Tools

🔹 Autopsy – Open-source digital forensics tool for file recovery & analysis.
🔹 FTK Imager – Captures forensic disk images and extracts deleted files.
🔹 Wireshark – Network packet capture & traffic analysis tool.
🔹 Volatility – Memory forensics tool for analyzing RAM dumps.
🔹 EnCase Forensic – Industry-standard tool for full forensic investigations.
🔹 Oxygen Forensics – Extracts mobile device data and social media activity.
🔹 Bulk Extractor – Scans disk images for email addresses, credit card numbers, and hidden
data.

5. Challenges in Digital Evidence Analysis

🚨 Data Encryption & Anti-Forensics – Attackers use BitLocker, VeraCrypt, and

rootkits to hide evidence.
🚨 Cloud Storage & Remote Wiping – Criminals may delete files remotely or use cloud
backups.
🚨 Large Data Volumes – Hard drives and mobile devices store terabytes of data.
🚨 Legal & Privacy Concerns – Investigators need court orders to access personal digital
evidence.

✅ Solution: Use advanced decryption tools (Passware, Elcomsoft) and comply with legal
frameworks (ECPA, GDPR, CCPA).

Admissibility of Digital Evidence in Court

1. What is Admissibility of Digital Evidence?

⚖️ Admissibility refers to whether digital evidence can be legally presented in court. For
digital evidence to be admissible, it must be relevant, authentic, reliable, and collected
legally.

✅ Why is Admissibility Important?

✔ Ensures fair trial and justice

81 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
✔ Prevents tampered or false evidence
✔ Ensures compliance with legal standards

📌 Example: If a cybercriminal's chat messages are used in court, investigators must prove
the chats are authentic, unaltered, and legally obtained.

2. Legal Requirements for Admissibility

Digital evidence must meet four key legal standards:

A. Relevance

✔ Evidence must be directly related to the case.

✔ Example: A hacker’s IP address & login history are relevant in a cybercrime case.

B. Authenticity

✔ Investigators must prove that the evidence is genuine and not altered.
✔ Hashing techniques (MD5, SHA-256) confirm data integrity.
✔ Example: Email headers & metadata prove whether an email was really sent by the
suspect.

C. Reliability

✔ Evidence must be collected and stored properly using forensic tools.

✔ Forensic imaging & write blockers prevent data modification.
✔ Example: Hard drive images taken with FTK Imager or EnCase are reliable because they
ensure no data tampering.

D. Legality

✔ Evidence must be collected following legal procedures (Search Warrants, Privacy

Laws).
✔ Illegally obtained evidence (e.g., hacking into a suspect’s phone without a warrant) is
not admissible in court.
✔ Example: Investigators need a court order before accessing WhatsApp messages or
cloud backups.

✅ Forensics Tip: Always document Chain of Custody to prove evidence was not
tampered with.

82 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
3. Legal Frameworks & Standards

Different countries have specific laws governing digital evidence:

United States

📜 Federal Rules of Evidence (FRE)

✔ Rule 901: Requires authentication of digital evidence.
✔ Rule 702: Experts must prove the evidence is reliable.

📜 Electronic Communications Privacy Act (ECPA)

✔ Restricts unauthorized access to emails, messages, and cloud data.

📜 Computer Fraud and Abuse Act (CFAA)

✔ Criminalizes hacking and data breaches.

India

📜 Indian Evidence Act, Section 65B

✔ Requires digital evidence (emails, chats, etc.) to be certified before use in court.
✔ Example: WhatsApp chats must be printed & signed by an authorized officer.

📜 Information Technology Act (2000)

✔ Regulates cybercrimes, hacking, and digital fraud.

United Kingdom

📜 Police and Criminal Evidence Act (PACE 1984)

✔ Ensures digital evidence is properly handled and not tampered with.

📜 General Data Protection Regulation (GDPR)

✔ Protects user privacy and restricts illegal data access.

4. Chain of Custody & Digital Evidence Handling

📌 Chain of Custody is a detailed record of who collected, stored, and analyzed the
evidence. It prevents tampering and ensures evidence integrity.

Steps in Chain of Custody

83 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
1️⃣ Seizure: Collect digital evidence legally (with a search warrant).
2️⃣ Imaging: Create a forensic copy (bit-by-bit image) using tools like FTK Imager,
EnCase.
3️⃣ Hashing: Calculate MD5/SHA-256 hash values to ensure integrity.
4️⃣ Storage: Securely store evidence in a forensic lab (locked and access-controlled).
5️⃣ Analysis: Examine the evidence using forensic tools (Autopsy, Wireshark, Volatility).
6️⃣ Presentation: Submit forensic reports and testify in court.

✅ Forensics Tip: Any break in Chain of Custody can result in evidence being rejected in
court.

5. Challenges in Admitting Digital Evidence

🚨 Tampering & Alteration: Data can be modified, deleted, or manipulated.

🚨 Encryption & Privacy Laws: Many criminals use end-to-end encryption (WhatsApp,
Signal).
🚨 Data Volatility: RAM & cache memory are lost when a system is shut down.
🚨 Jurisdiction Issues: Data stored on foreign servers (Google, iCloud) requires
international cooperation.

✅ Solution: Use forensic best practices, encryption breaking tools, and proper legal
documentation.

Cyber Laws in India

1. Introduction to Cyber Laws in India

📜 Cyber laws are legal frameworks that regulate cybercrimes, digital transactions, data
protection, and online activities in India. These laws ensure safe and secure cyberspace for
individuals, businesses, and the government.

✅ Why Are Cyber Laws Important?

✔ Protects against hacking, identity theft, cyber fraud, and data breaches
✔ Regulates e-commerce, digital signatures, and online transactions
✔ Defines penalties for cybercrime and privacy violations

2. Key Cyber Laws in India

A. Information Technology Act, 2000 (IT Act, 2000)

84 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
📌 The Information Technology Act, 2000 is India’s primary law governing cyber
activities. It was introduced to regulate electronic commerce, cybercrime, and digital
security.

✔ Recognizes electronic records and digital signatures

✔ Defines cybercrime offenses and their punishments
✔ Establishes rules for data protection and privacy
✔ Empowers the government to block or remove online content

📌 Amendments: The IT Act was amended in 2008 to include stricter penalties for
cybercrimes and introduce new sections on data protection and cybersecurity.

3. Major Offenses & Penalties Under the IT Act, 2000

Cybercrime Section Penalty

Hacking & Data Theft Section 43, 66 Up to 3 years imprisonment or ₹5 lakh fine

Identity Theft Section 66C Up to 3 years imprisonment and ₹1 lakh fine

Cyber Terrorism Section 66F Life imprisonment

Publishing Obscene Content Section 67 Up to 5 years imprisonment and ₹10 lakh fine

Cyber Stalking Section 66A (repealed) Declared unconstitutional by Supreme Court

Phishing & Online Fraud Section 66D Up to 3 years imprisonment and ₹1 lakh fine

Data Privacy Violation Section 72 Up to 2 years imprisonment or ₹1 lakh fine

✅ Forensics Tip: Cybercrime cases require proper digital evidence collection (logs,
emails, IP addresses) under Indian Evidence Act Section 65B.

4. Important Cyber Law Regulations in India

A. Personal Data Protection Bill (PDP Bill, 2019)

📌 A proposed law for data privacy & protection (similar to GDPR in Europe).
✔ Regulates collection, storage, and processing of personal data
✔ Requires companies to get user consent before using personal data
✔ Establishes Data Protection Authority (DPA) for enforcement

📌 Current Status: Expected to be replaced by the Digital Personal Data Protection Act,
2023 (DPDP Act).

85 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
B. Indian Penal Code (IPC) & Cybercrime

📌 The IPC also applies to cybercrimes, including:

✔ Cyber Fraud & Cheating – IPC Section 420
✔ Defamation & Online Harassment – IPC Section 499, 500
✔ Threats & Intimidation Online – IPC Section 506

C. Right to Privacy (Under Article 21 of the Indian Constitution)

📌 In Justice K.S. Puttaswamy v. Union of India (2017), the Supreme Court ruled that
privacy is a fundamental right.
✔ Ensures protection of personal data online
✔ Prevents unlawful surveillance & data misuse

D. CERT-In Guidelines (2022)

📌 The Computer Emergency Response Team (CERT-In) mandates:

✔ Mandatory reporting of cyber incidents within 6 hours
✔ VPN providers & cloud services must store user logs for 5 years
✔ Regulates cybersecurity policies for companies & government agencies

5. Cybercrime Investigation in India

A. Cybercrime Reporting & Enforcement

🔹 Cyber Crime Police Stations – Every state in India has special cybercrime cells.
🔹 National Cyber Crime Reporting Portal – Citizens can report online frauds, hacking,
and harassment at [Link].
🔹 Forensic Labs & Digital Evidence – Investigators use EnCase, FTK, and Wireshark
for digital forensics.

6. Challenges in Cyber Law Enforcement

🚨 Lack of Awareness – Many people don’t know how to report cybercrimes.

🚨 Cross-Border Cybercrimes – Hackers operate from foreign countries making it difficult
to track them.
🚨 Weak Data Protection Laws – India lacks a strong privacy law like GDPR.

86 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
🚨 Dark Web & Encryption – Criminals use Tor, VPNs, and encrypted messaging to hide
activities.

✅ Solution: India needs stronger data protection laws, better cyber forensics training,
and international cooperation.

87 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
 UNIT IV - INFORMATION SECURITY

What is Information and why should be protect it? - Information Security - Threats - Frauds,
Thefts, Malicious Hackers, Malicious Code, Denial-of-Services Attacks and Social Engineering -
Vulnerability – Types - Risk – an introduction - Business Requirements - Information Security
Definitions - Security Policies - Tier1 (Origination-Level), Tier2 (Function Level), Tier3
(Application/Device Level) – Procedures - Standards – Guidelines

What is Information and Why Should We Protect It?

1. What is Information?

📂 Information is processed data that has meaning and value. It can be written, digital,
verbal, or visual and is used for communication, decision-making, and business operations.

✅ Examples of Information:
✔ Personal Information: Name, address, phone number, Aadhaar number
✔ Financial Information: Bank details, credit card numbers, UPI transactions
✔ Business Information: Trade secrets, customer databases, project files
✔ Government Information: National security data, defense plans, legal records

2. Why Should We Protect Information?

Information is valuable, and if it falls into the wrong hands, it can lead to fraud, identity
theft, financial losses, or national security threats.

A. Prevent Identity Theft & Fraud

🔹 Cybercriminals can steal personal details (Aadhaar, PAN, passwords) to commit fraud.
🔹 Example: Phishing emails trick people into giving their bank login credentials.

B. Ensure Business Security & Competitiveness

🔹 Businesses must protect trade secrets, customer data, and financial records.
🔹 Example: A hacker stealing customer data from a company can cause huge losses.

C. Maintain National Security

🔹 Governments store classified defense & intelligence data that needs protection.
🔹 Example: Unauthorized access to military or nuclear plans can be a security threat.

D. Avoid Legal & Financial Penalties

88 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
🔹 Data protection laws (IT Act, GDPR, DPDP Act 2023) require organizations to
protect user data.
🔹 Companies that fail to protect data face legal fines and reputational damage.

✅ Example: If a bank leaks customer details, it can be fined under the IT Act, 2000.

3. How Can We Protect Information?

✅ Use strong passwords & multi-factor authentication

✅ Encrypt sensitive data before storing or transmitting it
✅ Keep software & antivirus updated to prevent cyberattacks
✅ Avoid sharing personal information on untrusted websites or social media
✅ Follow data protection laws & cybersecurity policies

Information Security (InfoSec)

1. What is Information Security?

🛡 Information Security (InfoSec) refers to protecting data from unauthorized access,

misuse, modification, or destruction. It ensures that information remains confidential,
intact, and available to authorized users.

✅ Key Objectives of Information Security (CIA Triad):

✔ Confidentiality – Prevents unauthorized access to sensitive data.
✔ Integrity – Ensures data is not altered or corrupted.
✔ Availability – Ensures data is accessible when needed.

2. Why is Information Security Important?

🚨 Data breaches and cyberattacks can cause financial loss, identity theft, and
reputational damage.

🔹 Protects Personal Data – Prevents identity theft, fraud, and privacy violations.
🔹 Secures Business Information – Prevents hacking, ransomware, and data leaks.
🔹 Ensures Legal Compliance – Avoids legal penalties under laws like the IT Act 2000,
GDPR, and DPDP Act 2023.
🔹 Maintains National Security – Protects government and defense data from cyber
threats.

📌 Example: If a hacker steals customer credit card details from an e-commerce website, it
can cause financial fraud and legal consequences.

89 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
3. Types of Information Security Threats
Threat Description Example

Unauthorized access to a system or

Hacking A hacker steals banking credentials
network

Fraudulent emails trick users into

Phishing Fake Paytm SMS asks for OTP
revealing personal data

Viruses, ransomware, and spyware Ransomware locks files until a

Malware
infect systems payment is made

Manipulating people into sharing A scammer pretends to be IT support

Social Engineering
confidential data to get login details

Employees or insiders leak sensitive A former employee leaks business

Insider Threats
data trade secrets

Denial-of-Service Overloading a website to make it Hackers crash a government portal

(DoS) Attacks unavailable during elections

✅ Forensics Tip: Cybersecurity teams use firewalls, encryption, and security audits to
defend against these threats.

4. Information Security Measures & Best Practices

✅ Use Strong Passwords – Create unique passwords and enable multi-factor

authentication (MFA).
✅ Encrypt Sensitive Data – Use AES-256 encryption to protect confidential information.
✅ Install Firewalls & Antivirus – Prevents malware and hacking attempts.
✅ Keep Software Updated – Patch vulnerabilities in Windows, Linux, and Android.
✅ Use Secure Networks – Avoid public Wi-Fi or use a VPN for security.
✅ Access Control & User Permissions – Restrict access to sensitive files based on roles.
✅ Backup Data Regularly – Protect against ransomware and accidental deletion.
✅ Train Employees on Cybersecurity – Prevent human errors like clicking on phishing
emails.

📌 Example: Banks use firewalls, OTP authentication, and biometric security to protect
customer transactions.

90 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
5. Information Security Laws & Compliance
Law/Standard Region Purpose

IT Act, 2000 🇮🇳 India Regulates cybercrime and digital transactions

DPDP Act, 2023 🇮🇳 India Protects personal data & privacy

GDPR 🇪🇺 EU Ensures user data protection and privacy

ISO 27001 🌍 Global International standard for information security

HIPAA 🇺🇸 USA Protects healthcare data security

✅ Compliance with these laws is mandatory for businesses handling sensitive data.

6. Cybersecurity Frameworks for Information Security

📌 Organizations follow cybersecurity frameworks to protect information:

🔹 NIST Cybersecurity Framework – Used for risk assessment & security best practices.
🔹 Zero Trust Security Model – Assumes no one is trusted inside or outside a network.
🔹 SOC (Security Operations Center) – Monitors threats 24/7 using SIEM tools (Splunk,
QRadar).

✅ Forensics Tip: Cybersecurity experts use penetration testing & ethical hacking to find
security weaknesses before hackers do.

Cybersecurity Threats
1. What Are Cybersecurity Threats?

🚨 Cybersecurity threats are potential dangers that can harm computer systems, networks,
or data. These threats come from hackers, malware, insider attacks, and cybercriminals
aiming to steal information, cause damage, or disrupt operations.

✅ Why Are Threats Dangerous?

✔ Can lead to data breaches, financial loss, identity theft, or system failures
✔ Affect individuals, businesses, and governments
✔ Some threats are invisible (spyware, trojans) and remain hidden for months

91 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
2. Types of Cybersecurity Threats
Threat Type Description Example

Malware (Malicious Software designed to damage or gain

Viruses, Trojans, Ransomware
Software) unauthorized access

Fake emails or messages trick users Fraudulent bank emails asking for
Phishing
into revealing sensitive data login details

Malware that encrypts files and

Ransomware WannaCry, Locky ransomware
demands payment for decryption

Unauthorized access to a system or A hacker steals credit card details

Hacking
network from an e-commerce site

Manipulating people into revealing Fake IT support calls asking for

Social Engineering
confidential information passwords

Denial-of-Service (DoS) Flooding a website or network with

Attack on government websites
& DDoS Attacks traffic to make it unavailable

Man-in-the-Middle Intercepting communication between Fake Wi-Fi hotspots capturing

(MITM) Attack two parties login credentials

Attacks that exploit unknown Exploiting a bug in Windows

Zero-Day Exploits
software vulnerabilities before a patch is released

Employees leaking or misusing A former employee selling

Insider Threats
sensitive data customer data

Advanced Persistent Long-term cyberattacks by nation- Cyber espionage attacks on

Threats (APTs) states or criminal groups defense organizations

✅ Forensics Tip: Cybersecurity experts use firewalls, IDS/IPS (Intrusion Detection &
Prevention Systems), and AI-based threat detection to defend against these attacks.

3. Common Cybersecurity Threat Examples

A. Malware (Viruses, Worms, Trojans, Spyware, Ransomware)

🔹 Viruses & Worms: Infect files and spread across systems.

🔹 Trojans: Disguised as legitimate software but contain hidden threats.
🔹 Spyware: Secretly collects user data and sends it to hackers.
🔹 Ransomware: Encrypts files and demands a ransom payment to restore access.

📌 Example: The WannaCry ransomware attack (2017) affected 150+ countries,

encrypting hospital and business data.

92 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
B. Phishing Attacks

🔹 Attackers send fake emails, messages, or websites to steal passwords or credit card
details.
🔹 Types of Phishing:
✔ Email Phishing – Fake emails from banks or companies
✔ Spear Phishing – Targeted attacks on specific individuals (CEO, CFO)
✔ Vishing – Voice phishing using fake calls
✔ Smishing – SMS-based phishing

📌 Example: A fake PayPal email asks users to log in, but the link leads to a fraudulent
website.

C. Denial-of-Service (DoS) & DDoS Attacks

🔹 Hackers overload a website with fake traffic, causing downtime.

🔹 DDoS (Distributed Denial-of-Service) uses multiple infected devices (botnets) to
amplify the attack.

📌 Example: In October 2016, a DDoS attack on Dyn DNS took down major websites like
Twitter, Reddit, and Netflix.

D. Man-in-the-Middle (MITM) Attacks

🔹 Hackers intercept communication between two parties to steal or modify data.

🔹 Happens on unsecured public Wi-Fi networks or using fake HTTPS websites.

📌 Example: A hacker creates a fake Starbucks Wi-Fi, capturing login credentials of

customers.

E. Insider Threats

🔹 Employees or contractors steal or misuse sensitive data.

🔹 Can be malicious (intentional theft) or negligent (accidental leaks).

📌 Example: A disgruntled employee copies customer records and sells them on the dark
web.

93 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
4. How to Protect Against Cyber Threats?

✅ Use Strong Passwords & Multi-Factor Authentication (MFA) – Prevent unauthorized

access.
✅ Keep Software Updated – Install security patches to fix vulnerabilities.
✅ Enable Firewalls & Antivirus – Blocks malware and hacking attempts.
✅ Avoid Public Wi-Fi or Use VPN – Prevents MITM attacks.
✅ Beware of Phishing Emails & Links – Verify sender details before clicking.
✅ Encrypt Sensitive Data – Protects information from theft.
✅ Perform Regular Backups – Defends against ransomware attacks.

📌 Example: Companies like Google, Amazon, and banks use AI-driven threat detection
to monitor security risks.

5. Cybersecurity Tools for Threat Detection

🔹 Antivirus Software – Windows Defender, Kaspersky, McAfee

🔹 Firewalls – Cisco ASA, Palo Alto, Fortinet
🔹 Intrusion Detection Systems (IDS/IPS) – Snort, Suricata
🔹 Endpoint Security – CrowdStrike, Symantec, Sophos
🔹 SIEM (Security Information & Event Management) – Splunk, IBM QRadar

✅ Forensics Tip: Cybercrime investigators use digital forensics tools (EnCase, FTK,
Autopsy) to analyze hacking incidents.

Cyber Frauds: Types, Examples, and Prevention

1. What is Cyber Fraud?

🔴 Cyber fraud is a deceptive act using digital technology to steal money, sensitive data, or
personal information. It is a type of cybercrime where hackers, scammers, or fraudsters
exploit vulnerabilities in online systems, banking networks, and personal devices.

✅ Why is Cyber Fraud Dangerous?

✔ Can result in financial loss, identity theft, and legal issues
✔ Affects individuals, businesses, and governments
✔ Hard to trace, as fraudsters use fake identities, VPNs, and encrypted communications

94 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
2. Types of Cyber Frauds
Fraud Type Description Example

Fraudulent emails/messages trick users Fake Paytm/SBI login page asking

Phishing
into revealing data for credentials

Fraudsters steal personal data to commit Using stolen Aadhaar/PAN to take

Identity Theft
crimes loans

Unauthorized transactions using stolen Card skimming at ATMs, fake OTP

Credit Card Fraud
card details calls

Online Banking Hacking or tricking users into revealing Fake customer support calls asking
Fraud bank details for OTP

Fake shopping websites steal money or Fraudulent Flipkart/Amazon

E-commerce Fraud
deliver fake products lookalike sites

Social Media Impersonation and fraud through Scammers posing as friends asking
Scams Facebook, Instagram, WhatsApp for money

Loan & Fake loan offers or investment schemes

Ponzi schemes, Bitcoin scams
Investment Scams promising high returns

Fake job offers demanding advance "Work from home" fraud asking for
Job Frauds
payments registration fees

Mobile network fraud leading to

SIM Swap Fraud Hackers clone your SIM to intercept OTPs
bank account hacking

Lottery & Gift Fake lottery winnings trick users into "You won $1 million! Pay ₹10,000 to
Scams paying fees claim"

✅ Forensics Tip: Cybercrime investigators use IP tracking, digital footprints, and

financial forensics to trace online fraudsters.

3. Common Cyber Fraud Examples

A. Phishing Scams

🔹 Fraudsters send fake emails, SMS, or WhatsApp messages pretending to be from a bank,
Paytm, or government agencies.
🔹 They ask for passwords, OTPs, or card details through fake websites.

📌 Example: A victim gets a fake SBI email asking them to update KYC by clicking a link,
which steals their login credentials.

95 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
B. Identity Theft & Financial Frauds

🔹 Hackers steal Aadhaar, PAN, bank details and use them to open fraudulent accounts or
apply for loans.
🔹 Methods Used:
✔ Data breaches (hacked company databases)
✔ Fake KYC verification calls
✔ Stolen documents from social media

📌 Example: A fraudster steals Aadhaar details and applies for a personal loan in the
victim’s name.

C. Online Banking & Credit Card Frauds

🔹 Fraud Techniques:
✔ Fake customer care calls asking for OTPs
✔ Card skimming at ATMs (hidden card readers)
✔ Malware stealing banking passwords

📌 Example: A scammer calls pretending to be from ICICI Bank, asks for OTP, and
empties the victim’s account.

D. E-commerce & Fake Shopping Scams

🔹 Fake websites mimic Amazon, Flipkart, Myntra and sell cheap or fake products.
🔹 Fraudsters ask for prepayment and never deliver the product.

📌 Example: A person orders an iPhone from a fake website, but receives a brick inside
the package.

E. Social Media Scams & WhatsApp Frauds

🔹 Scammers hijack Facebook/WhatsApp accounts and message contacts for money.

🔹 Romance scams: Fraudsters pretend to be foreign businessmen/soldiers and ask victims
for money.

📌 Example: A scammer hacks a WhatsApp account and sends messages saying “I need
urgent ₹5️,000” to all contacts.

96 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
4. How to Protect Yourself from Cyber Frauds?

✅ Never share OTPs, passwords, or PINs over calls, emails, or SMS.

✅ Verify sender details before clicking on links in emails or messages.
✅ Use strong, unique passwords and enable multi-factor authentication (MFA).
✅ Check website URLs carefully (avoid fake Amazon/Flipkart lookalikes).
✅ Monitor bank transactions regularly for unauthorized activity.
✅ Do not trust job offers that ask for advance payments.
✅ Avoid public Wi-Fi for banking transactions to prevent hacking.
✅ Report frauds immediately to banks and cybercrime police.

📌 Example: The Indian Cybercrime Portal ([Link]) allows victims to

report frauds online.

5. Laws & Legal Actions Against Cyber Fraud

Law/Act Description

IT Act, 2000 (India) Regulates cybercrime, hacking, and online fraud

IPC Sections 419 & 420 Punishes cheating and identity fraud

DPDP Act, 2023 Protects personal data from unauthorized access

RBI Guidelines Protects customers from banking fraud

✅ Cyber police & financial forensics teams investigate fraud cases using IP tracking,
digital evidence, and financial transaction monitoring.

6. What to Do If You Are a Victim of Cyber Fraud?

🚨 Step 1: Report the fraud to your bank and block transactions immediately.
🚨 Step 2: File a complaint on the Cyber Crime Portal: [Link]
🚨 Step 3: Report to local police or cyber cell with evidence (screenshots, emails,
transaction details).
🚨 Step 4: Monitor your bank accounts and credit reports for further fraud attempts.

✅ Forensics Tip: If fraudsters use Bitcoin or cryptocurrency, tracking them is difficult,

but investigators analyze the blockchain transaction history for leads.

97 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
Cyber Theft: Types, Examples, and Prevention
1. What is Cyber Theft?

🔴 Cyber theft is the act of stealing money, personal data, or intellectual property using
digital technology. Cybercriminals use hacking, phishing, malware, and identity theft to
steal confidential information from individuals, businesses, and governments.

✅ Why is Cyber Theft Dangerous?

✔ Can result in financial loss, identity fraud, or reputational damage
✔ Affects bank accounts, credit cards, and digital assets (e.g., cryptocurrency, NFTs)
✔ Hard to trace, as criminals use dark web, VPNs, and encrypted tools

2. Types of Cyber Theft

Theft Type Description Example

Stealing personal information for Using stolen Aadhaar to apply for

Identity Theft
fraudulent activities a loan

Unauthorized access to bank accounts, ATM card skimming, online

Financial Theft
credit cards, and wallets banking fraud

Stealing sensitive information from Hacking company databases and

Data Theft
individuals or companies selling user data

Intellectual Property Unauthorized copying of patents,

Software piracy, movie leaks
Theft software, and creative works

Hacking wallets, exchanges, or using

Cryptocurrency Theft Fake Bitcoin investment scams
phishing scams

Cloning a SIM card to gain access to Hacker ports a victim’s SIM and
SIM Swap Fraud
banking OTPs steals money

Social Media Account Hijacking Instagram, Facebook, or Twitter Selling hacked accounts on the
Theft accounts for fraud dark web

Cybercriminals encrypt files and demand

Ransomware Attacks WannaCry, LockBit ransomware
ransom for decryption

✅ Forensics Tip: Cyber investigators use IP tracking, forensic analysis, and blockchain
tracing to identify cyber thieves.

98 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
3. Common Cyber Theft Examples

A. Identity Theft

🔹 Cybercriminals steal Aadhaar, PAN, SSN, or passport details to commit fraud.

🔹 Can be used for fake loan applications, illegal transactions, or opening bank accounts.

📌 Example: A scammer uses a victim’s Aadhaar card to apply for a ₹5️ lakh personal loan.

B. Financial Theft (Online Banking & Credit Card Fraud)

🔹 Hackers steal credit card details or online banking credentials to transfer funds.
🔹 Techniques Used:
✔ Fake customer care calls asking for OTPs
✔ ATM skimming (hidden devices in ATMs)
✔ Malware stealing banking passwords

📌 Example: A hacker steals debit card details and makes unauthorized purchases on
Flipkart.

C. Data Theft (Corporate & Personal Data Breaches)

🔹 Hackers break into databases of companies, hospitals, or governments and steal

confidential information.
🔹 Stolen data is sold on the dark web for identity fraud or blackmail.

📌 Example: In 2023, a major data breach leaked personal details of 1 billion Indian
citizens.

D. Cryptocurrency Theft

🔹 Scammers hack Bitcoin wallets, fake crypto investment platforms, or steal private
keys.
🔹 Blockchain transactions are hard to reverse, making recovery difficult.

📌 Example: A phishing email tricks a victim into revealing their MetaMask wallet
password, leading to a crypto theft of ₹1️0 lakh.

99 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
E. Ransomware Attacks

🔹 Hackers encrypt data and demand a ransom in Bitcoin to restore access.

🔹 Major businesses, hospitals, and banks have been targeted.

📌 Example: The WannaCry ransomware attack (2017) infected 300,000+ computers

worldwide.

4. How to Protect Against Cyber Theft?

✅ Use strong passwords & enable multi-factor authentication (MFA).

✅ Never share OTPs, PINs, or personal details over phone or email.
✅ Regularly monitor bank transactions and credit reports.
✅ Avoid public Wi-Fi for banking or financial transactions.
✅ Use antivirus software & update devices to prevent malware attacks.
✅ Be cautious of emails asking for sensitive information.
✅ Secure your cryptocurrency wallets with hardware security keys.

📌 Example: Companies like Google, Amazon, and banks use AI-based fraud detection
systems to prevent cyber theft.

5. Cyber Theft Laws & Legal Actions

Law/Act Description

IT Act, 2000 (India) Covers hacking, data theft, and online fraud

IPC Section 378 Defines theft and prescribes punishment

IPC Section 420 Punishes cheating and fraud

DPDP Act, 2023 Protects personal data from cybercriminals

RBI Guidelines Protects customers from financial fraud

✅ Cyber police use digital forensics tools (FTK, EnCase, Cellebrite) to investigate cyber
theft cases.

6. What to Do If You Are a Victim of Cyber Theft?

🚨 Step 1: Report the incident to your bank and block transactions immediately.
🚨 Step 2: File a complaint on the Cyber Crime Portal: [Link]
🚨 Step 3: Report to local police or cyber cell with evidence (emails, bank statements).

100 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
🚨 Step 4: Enable fraud alerts on bank accounts and credit cards to detect suspicious
activities.

✅ Forensics Tip: Cybercrime investigators analyze IP addresses, transaction logs, and

dark web activity to track cyber thieves.

Malicious Code: Types, Effects, and Prevention

1. What is Malicious Code?

🔴 Malicious code is any software or script created with the intent to harm, steal, or disrupt
computer systems. It includes viruses, worms, Trojans, ransomware, spyware, and other
cyber threats. Malicious code can steal data, damage files, spy on users, or take control of
systems without the user's knowledge.

✅ Why is Malicious Code Dangerous?

✔ Steals sensitive information (passwords, banking details, personal data)
✔ Damages files & software (deletes or corrupts important data)
✔ Slows down or crashes systems (consumes CPU and memory resources)
✔ Spreads rapidly (through emails, downloads, or network vulnerabilities)
✔ Can be used for cyber espionage, fraud, or ransom demands

2. Types of Malicious Code

Malicious Code
Description Example
Type

ILOVEYOU virus
Viruses Attaches to files and spreads when executed
(2000)

Worms Self-replicating malware that spreads through networks Morris Worm (1988)

Disguised as legitimate software but performs malicious

Trojan Horses Fake antivirus scams
actions

Ransomware Encrypts files and demands payment for decryption WannaCry (2017)

Spyware Secretly records user activity (keystrokes, webcam, etc.) Pegasus spyware

Adware Unwanted software that displays intrusive ads Fireball adware

Hides malware deep inside the system, making it hard to

Rootkits Sony BMG rootkit
detect

Time-delayed
Logic Bombs Triggers malicious actions at a specific time or event
malware

101 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
 Malicious Code
Description Example
Type

Zeus Trojan
Keyloggers Captures everything typed on a keyboard
keylogger

Infects multiple systems to create a network of zombie

Botnets Mirai botnet (2016)
computers

✅ Forensics Tip: Investigators use sandboxing, memory analysis, and reverse

engineering to analyze malicious code.

3. How Malicious Code Spreads

📌 A. Phishing Emails & Links – Fake emails trick users into downloading malware.
📌 B. Infected Software Downloads – Malware is hidden inside free software or pirated
apps.
📌 C. USB Devices & External Drives – Malware spreads through infected pen drives.
📌 D. Network Vulnerabilities – Hackers exploit security flaws in software and websites.
📌 E. Fake Ads & Pop-Ups – Clicking on malicious ads (malvertising) can install malware.

📂 Example: A fake Google Chrome update installs spyware on a victim’s PC.

4. Real-World Examples of Malicious Code Attacks

A. WannaCry Ransomware (2017)

🔹 Affected over 300,000 computers in 150+ countries by encrypting files and demanding
Bitcoin payments.
📌 Spread through an unpatched Windows vulnerability (EternalBlue).

B. Pegasus Spyware

🔹 A powerful spyware used for covert surveillance via mobile devices.

📌 Used to spy on journalists, politicians, and activists worldwide.

C. Mirai Botnet Attack (2016)

102 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
🔹 Infected IoT devices (CCTV cameras, routers) and launched DDoS attacks.
📌 Took down major websites like Twitter, Netflix, and PayPal.

5. How to Protect Against Malicious Code?

✅ Use trusted antivirus software (Norton, McAfee, Kaspersky).

✅ Keep software and operating systems updated (patch security flaws).
✅ Never download attachments or click links from unknown emails.
✅ Enable firewalls and network security settings.
✅ Use strong passwords & multi-factor authentication (MFA).
✅ Avoid using pirated software or unofficial downloads.
✅ Regularly back up important files to external drives or cloud storage.

📌 Example: Companies use endpoint protection systems to detect and block malware in
real time.

6. Cyber Laws & Legal Actions Against Malicious Code

Law/Act Description

IT Act, 2000 (India) Punishes hacking, malware distribution, and cyber fraud

IPC Section 66 Covers cybercrimes related to data theft and hacking

GDPR & DPDP Act, 2023 Protects user data from cyber threats

Computer Fraud & Abuse Act (USA) Criminalizes unauthorized access to systems

CERT-In (India) Monitors and responds to cybersecurity threats

✅ Digital forensics teams use malware analysis tools (Wireshark, IDA Pro, Volatility)
to track malicious code.

7. What to Do If Your System is Infected?

🚨 Step 1: Disconnect from the internet immediately to stop further infection.

🚨 Step 2: Run a full system scan using updated antivirus software.
🚨 Step 3: Delete suspicious files or programs.
🚨 Step 4: Restore from a clean backup if files are encrypted.
🚨 Step 5: Report cyber incidents to [Link].

103 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
✅ Forensics Tip: Investigators analyze system logs, network traffic, and malware signatures
to trace the source of infections.

Denial-of-Service (DoS) Attack: A Complete Guide

1. What is a Denial-of-Service (DoS) Attack?

🔴 A Denial-of-Service (DoS) attack is a cyberattack where hackers flood a website,

network, or system with massive amounts of traffic or requests, making it slow or
completely unavailable to legitimate users.

🔹 DoS attacks do not steal data but can cause financial losses, reputation damage, and
service disruptions.

✅ Example: A hacker sends millions of fake login requests to an e-commerce website,

crashing the server and making online shopping impossible.

2. Types of DoS Attacks

Attack Type Description Example

Buffer Overflow Sends more data to a system than it can handle, Hacker floods a server with
Attack causing it to crash. large packets of data.

Abuses the TCP handshake process by sending

SYN Flood Fake connection requests
excessive SYN requests without completing
Attack overload the system.
connections.

Sends oversized ICMP (ping) packets to crash the Malformed packets force a
Ping of Death
target device. system reboot.

Spoofs an IP address and floods a network with A hacker sends fake broadcast
Smurf Attack
ICMP requests, overloading systems. ping requests to amplify traffic.

UDP Flood Overwhelms a system by sending a high volume Gaming servers are attacked to
Attack of UDP packets to random ports. slow down gameplay.

Application Targets web applications by sending massive A bot sends millions of fake
Layer DoS HTTP requests, exhausting server resources. login attempts.

✅ Forensics Tip: Investigators analyze network logs, IP addresses, and packet traffic to
trace DoS attacks.

104 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
3. What is a Distributed Denial-of-Service (DDoS) Attack?

🔴 A Distributed Denial-of-Service (DDoS) attack is an advanced version of a DoS attack.

Instead of a single hacker, thousands of compromised devices (botnets) attack a target at
the same time.

📌 Example:

 Mirai Botnet (2016) infected IoT devices (CCTV cameras, routers) and launched a DDoS
attack on major websites like Twitter, Netflix, and PayPal.

✅ DDoS attacks are more dangerous than DoS attacks because they involve multiple
sources, making it harder to stop.

4. How Do Hackers Launch DoS & DDoS Attacks?

📌 A. Using Botnets – Hackers infect devices (PCs, smartphones, IoT devices) with malware
and create a network of bots to launch an attack.
📌 B. Renting DDoS Services – Cybercriminals use DDoS-for-hire services to attack
websites.
📌 C. Sending Malicious Packets – Hackers send fake requests or oversized data packets
to crash a system.
📌 D. Exploiting Network Vulnerabilities – Attackers find weaknesses in a server’s
security and flood it with traffic.

✅ Forensics Tip: Experts use tools like Wireshark, Snort, and Splunk to detect unusual
traffic spikes and analyze attack patterns.

5. Real-World Examples of DoS & DDoS Attacks

A. GitHub DDoS Attack (2018)

🔹 One of the largest DDoS attacks in history.

🔹 Attack peaked at 1.3 Tbps, overwhelming GitHub’s servers.

B. Estonia Cyberattack (2007)

🔹 A massive DDoS attack targeted government websites, banks, and media in Estonia.
🔹 Believed to be state-sponsored cyber warfare.

105 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
C. AWS DDoS Attack (2020)

🔹 Amazon Web Services (AWS) suffered a huge DDoS attack of 2.3 Tbps, one of the
largest ever recorded.

✅ DDoS attacks can shut down governments, corporations, and financial institutions!

6. How to Protect Against DoS & DDoS Attacks?

✅ Use Firewalls & Intrusion Prevention Systems (IPS) – Filters and blocks suspicious
traffic.
✅ Deploy Load Balancers – Distributes traffic evenly across servers.
✅ Enable Rate Limiting – Limits the number of requests per second.
✅ Monitor Traffic with DDoS Detection Tools – Detects unusual spikes in network traffic.
✅ Use Cloud-Based DDoS Protection (Cloudflare, Akamai, AWS Shield) – Protects
against massive attacks.
✅ Keep Software & Systems Updated – Patches security vulnerabilities.
✅ Block Suspicious IPs & Use Geofencing – Prevents traffic from high-risk regions.

📌 Example: Banks & e-commerce platforms use AI-based DDoS protection to

automatically detect and block attacks in real time.

7. Cyber Laws & Legal Actions Against DoS Attacks

Law/Act Description

IT Act, 2000 (India) Punishes cyberattacks, including DoS/DDoS

IPC Section 66F Covers cyber terrorism and large-scale attacks

Computer Fraud & Abuse Act (USA) Criminalizes unauthorized access and cyberattacks

GDPR & DPDP Act, 2023 Protects personal data from cyber threats

CERT-In (India) Monitors and responds to cyber incidents

✅ Digital forensics teams analyze attack logs, trace botnets, and use AI-driven threat
intelligence to stop DoS attacks.

8. What to Do If You Are Under a DoS/DDoS Attack?

🚨 Step 1: Immediately inform your IT/security team.

🚨 Step 2: Enable firewall and DDoS protection services.

106 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
🚨 Step 3: Use a content delivery network (CDN) to absorb traffic surges.
🚨 Step 4: Block malicious IPs using firewalls.
🚨 Step 5: Contact your hosting provider or cloud service (AWS, Cloudflare, Akamai)
for additional protection.
🚨 Step 6: Report cyber incidents to [Link].

✅ Forensics Tip: Experts analyze server logs, capture network packets, and trace
botnets to track the source of an attack.

Attacks and Social Engineering: A Complete Guide

1. What Are Cyber Attacks?

🔴 Cyber attacks are malicious attempts to damage, disrupt, or gain unauthorized access
to computer systems, networks, or data. Attackers use various hacking techniques to steal
sensitive information, spread malware, or take control of systems.

✅ Why Are Cyber Attacks Dangerous?

✔ Steal sensitive data (passwords, banking details, personal files)
✔ Cause financial losses (fraud, ransomware demands)
✔ Disrupt businesses & services (DDoS attacks, data breaches)
✔ Compromise national security (cyber warfare, espionage)

📌 Example: In 2021, the Colonial Pipeline attack (ransomware) disrupted the U.S. fuel
supply, causing economic damage.

2. Types of Cyber Attacks

Attack Type Description Example

Deceptive emails trick users into revealing Fake "Bank Login" email steals
Phishing
passwords or downloading malware. credentials.

Malware encrypts files and demands payment WannaCry ransomware attack

Ransomware
to unlock them. (2017).

DDoS (Denial-of- Overloads a website/server with fake traffic,

Mirai botnet attack (2016).
Service) making it unavailable.

Man-in-the-Middle Hacker intercepts communication between Unsecured public Wi-Fi used to

(MitM) two parties to steal data. steal passwords.

Injects malicious SQL code into websites to Attack on user login forms to
SQL Injection
steal or manipulate databases. extract credentials.

107 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
 Attack Type Description Example

Hackers exploit unknown software Log4j vulnerability exploited in

Zero-Day Exploit
vulnerabilities before they are patched. 2021.

Tricking people into revealing confidential Hacker pretends to be IT

Social Engineering
information. support to steal credentials.

Automated guessing of passwords using trial- Dictionary attack on email

Brute Force Attack
and-error methods. accounts.

✅ Forensics Tip: Cybersecurity teams use log analysis, penetration testing, and intrusion
detection systems (IDS) to identify and prevent attacks.

3. What is Social Engineering?

🛑 Social engineering is a technique used by hackers to manipulate people into giving up

confidential information, such as passwords, banking details, or personal data. Instead of
hacking computers, attackers exploit human psychology to gain access.

📌 Example: An attacker calls an employee pretending to be from the IT department and

asks for their login credentials.

✅ Why is Social Engineering Dangerous?

✔ Bypasses technical security – No need for malware or hacking tools.
✔ Targets human weaknesses – Uses fear, urgency, or trust to deceive victims.
✔ Difficult to detect – Victims often don’t realize they’ve been tricked.

4. Types of Social Engineering Attacks

Attack Type Description Example

Fake emails or websites trick users "Your account has been compromised!
Phishing
into entering credentials. Click here to reset your password."

Targeted phishing attacks

CEO receives a fake email from "banking
Spear Phishing customized for a specific
support" requesting urgent verification.
individual.

Vishing (Voice Attackers use phone calls to trick Fake IRS agent calls demanding immediate
Phishing) victims into giving information. payment.

Smishing (SMS Fraudulent text messages with "Your Amazon account has been locked!
Phishing) malicious links. Click here to reset your password."

108 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
 Attack Type Description Example

Creating a fake scenario to "I’m from IT support, I need your password

Pretexting
manipulate a victim. to fix an issue."

Leaving infected USB drives or files "Free movie download" files contain
Baiting
for victims to access. malware.

Tailgating Physically following an authorized Attacker sneaks into an office building

(Piggybacking) person into a restricted area. behind an employee.

Offering something in exchange for "Fill out this survey and get a free gift
Quid Pro Quo
sensitive data. card!"

✅ Forensics Tip: Organizations use security awareness training and phishing

simulations to educate employees about social engineering risks.

5. How Social Engineering Attacks Work

Step 1: Research (Reconnaissance)

🔍 Attackers collect information about their target using:

 Social media (LinkedIn, Facebook, Twitter)

 Company websites and employee directories
 Public records and leaked databases

Step 2: Building Trust

🤝 The attacker pretends to be someone trustworthy (bank employee, IT support, colleague)

to gain confidence.

📌 Example: A hacker calls an employee, saying, "I’m from HR, and I need your employee
ID for payroll verification."

Step 3: Attack Execution

🎯 The attacker tricks the victim into giving up sensitive information or clicking on a
malicious link.

📌 Example: An employee receives a fake email saying, "Your password will expire soon.
Click here to reset it."

109 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
Step 4: Exploitation & Damage

💥 The attacker steals sensitive data, installs malware, or gains unauthorized access to
systems.

📌 Example: A hacker steals login credentials and accesses confidential business data.

6. Real-World Social Engineering Attacks

A. Twitter Bitcoin Scam (2020)

🔹 Hackers manipulated Twitter employees into giving access to high-profile accounts

(Elon Musk, Bill Gates, Apple).
🔹 Fake tweets were posted, asking for Bitcoin payments.

B. CEO Fraud (Business Email Compromise)

🔹 Attackers impersonate CEOs or executives to trick employees into making fraudulent

wire transfers.
🔹 Companies lost over $26 billion to these scams from 2016-2021.

📌 Example: A fake email from "CEO" asks an employee to send urgent payments.

C. Google & Facebook Phishing Attack (2013-2015)

🔹 A scammer tricked employees into paying $100 million to a fake company.

🔹 He impersonated a real vendor using fake invoices and emails.

✅ Social engineering can cause massive financial and reputational damage!

7. How to Prevent Social Engineering Attacks?

✅ Verify Requests – Always confirm identities before sharing sensitive information.

✅ Think Before Clicking – Avoid clicking on suspicious links in emails or messages.
✅ Use Multi-Factor Authentication (MFA) – Adds an extra security layer for logins.
✅ Educate Employees & Individuals – Regular security awareness training.
✅ Check Website URLs – Ensure websites are legitimate before entering credentials.

110 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
✅ Report Suspicious Activity – Inform IT/security teams about phishing attempts.
✅ Use Strong Passwords & Security Policies – Prevent unauthorized access.

📌 Example: Banks send security alerts reminding customers they never ask for passwords
via phone or email.

8. Cyber Laws & Legal Actions Against Attacks

Law/Act Description

IT Act, 2000 (India) Covers cybercrimes, including phishing and fraud.

IPC Section 66D Punishes impersonation and fraud in cyber activities.

GDPR & DPDP Act, 2023 Protects personal data from social engineering attacks.

Computer Fraud & Abuse Act (USA) Criminalizes unauthorized access and cyber fraud.

CERT-In (India) Investigates cyber threats and security incidents.

✅ Digital forensics teams analyze phishing emails, fake websites, and attacker IPs to
track cybercriminals.

Vulnerability in Cybersecurity: A Complete Guide

1. What is a Vulnerability?

🔴 A vulnerability is a weakness or flaw in a system, network, software, or process that

attackers can exploit to gain unauthorized access or cause damage.

✅ Why Are Vulnerabilities Dangerous?

✔ Allow hackers to break into systems (unauthorized access)
✔ Expose sensitive data (passwords, personal data, financial info)
✔ Enable malware infections (ransomware, trojans, spyware)
✔ Disrupt business operations (denial-of-service attacks)

📌 Example: A vulnerability in Microsoft Windows (EternalBlue) was exploited in the

WannaCry ransomware attack (2017), affecting thousands of computers worldwide.

2. Types of Vulnerabilities

A. Software Vulnerabilities

111 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
📌 Flaws in software code that allow attackers to exploit security weaknesses.

🔹 Example:

 Buffer Overflow – A program writes more data than expected, allowing hackers to inject
malicious code.
 SQL Injection – Attackers manipulate databases through unsecured web forms.
 Zero-Day Vulnerabilities – Newly discovered software flaws that developers haven’t
patched yet.

✅ Prevention: Regular software updates and patches.

B. Network Vulnerabilities

📌 Weaknesses in network security that allow unauthorized access to data and systems.

🔹 Example:

 Weak Encryption – Unsecured Wi-Fi networks allow hackers to intercept data.

 Unpatched Firewalls & Routers – Old firmware versions can be exploited.
 Denial-of-Service (DoS) Attack Risks – Attackers overload servers, causing shutdowns.

✅ Prevention: Use firewalls, VPNs, and secure network configurations.

C. Hardware Vulnerabilities

📌 Physical security weaknesses that attackers exploit to gain access to devices.

🔹 Example:

 USB Attacks – Malicious USB devices infect computers when plugged in.
 Side-Channel Attacks – Hackers extract sensitive data from hardware chips.
 BIOS/UEFI Exploits – Malware infecting system firmware to gain deep access.

✅ Prevention: Use security policies for hardware access and encrypted storage.

D. Human & Social Engineering Vulnerabilities

📌 Weaknesses in human behavior that allow attackers to manipulate people into revealing
confidential information.

🔹 Example:

112 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
  Phishing Attacks – Fake emails trick users into revealing credentials.
 Weak Passwords – Easily guessable passwords lead to account takeovers.
 Insider Threats – Employees leaking data or clicking malicious links.

✅ Prevention: Cybersecurity training, multi-factor authentication (MFA), and strong

password policies.

E. Physical Security Vulnerabilities

📌 Lack of physical safeguards that enable attackers to access restricted areas or devices.

🔹 Example:

 Tailgating – Unauthorized persons entering a secure facility by following employees.

 Unsecured Devices – Laptops or USB drives left unattended.
 Surveillance Blind Spots – Areas without CCTV monitoring.

✅ Prevention: Biometric authentication, security badges, and locked storage.

3. Common Cybersecurity Vulnerabilities

Vulnerability Description Example

Missing security updates make WannaCry ransomware exploited old

Unpatched Software
systems vulnerable. Windows vulnerabilities.

Simple passwords are easy to "123456" and "password" are commonly

Weak Passwords
guess or crack. hacked.

Fake emails trick users into

Phishing Attacks Attackers use fake bank login pages.
revealing credentials.

Systems with default settings are Routers with "admin/admin" login

Default Configurations
easy to hack. credentials.

Misconfigured Cloud Exposed cloud storage allows data Misconfigured AWS S3 buckets led to
Services leaks. massive data breaches.

Lack of Data Unencrypted data is easily Hackers steal plaintext credit card
Encryption readable if stolen. details.

Employees accidentally or Disgruntled employees leaking

Insider Threats
intentionally expose data. confidential documents.

✅ Forensics Tip: Digital forensics experts analyze logs, network traffic, and access records
to detect vulnerabilities and cyber threats.

113 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
4. How Are Vulnerabilities Exploited? (Attack Process)

Step 1: Reconnaissance (Information Gathering)

🔍 Attackers scan networks, websites, and software for known vulnerabilities.

📌 Example: A hacker finds an unpatched WordPress website with outdated plugins.

Step 2: Exploiting the Vulnerability

💥 Once a weakness is found, attackers inject malicious code or gain unauthorized access.

📌 Example: An attacker exploits a SQL Injection vulnerability to extract user passwords

from a database.

Step 3: Gaining Control (Privilege Escalation)

🎯 Attackers elevate their access rights to take full control of a system.

📌 Example: Malware gains administrator access to disable security settings.

Step 4: Data Theft or Damage

📂 Attackers steal, encrypt, or delete sensitive data.

📌 Example: Ransomware encrypts all files and demands payment to unlock them.

5. How to Prevent Vulnerabilities?

✅ Patch & Update Software – Regularly install security updates.

✅ Use Strong Passwords – Implement complex passwords and multi-factor authentication
(MFA).
✅ Secure Networks – Use firewalls, VPNs, and encrypted Wi-Fi.
✅ Conduct Penetration Testing – Simulate attacks to find and fix vulnerabilities.
✅ Monitor Logs & Alerts – Use SIEM (Security Information & Event Management) tools.
✅ Train Employees – Teach cybersecurity best practices to prevent phishing and social
engineering.

114 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
✅ Apply the Principle of Least Privilege (PoLP) – Limit user access to only what is
necessary.

📌 Example: The Equifax Data Breach (2017) happened because of an unpatched Apache
Struts vulnerability, exposing 147 million records.

6. Vulnerability vs. Threat vs. Risk

Term Definition Example

Outdated software with unpatched

Vulnerability A security weakness that can be exploited.
security flaws.

A potential danger that can exploit Hackers using phishing emails to steal
Threat
vulnerabilities. credentials.

The likelihood of a threat successfully A company with weak passwords is at

Risk
exploiting a vulnerability. high risk of cyber attacks.

✅ Forensics Tip: Security teams use vulnerability scanning tools like Nessus and
OpenVAS to detect and fix vulnerabilities before they are exploited.

7. Real-World Vulnerability Exploits

A. Log4j Vulnerability (2021) – Remote Code Execution (RCE)

🔹 A critical flaw in Apache Log4j allowed attackers to execute arbitrary code on millions
of servers.
🔹 Hackers used this to deploy malware, steal data, and launch DDoS attacks.

B. Heartbleed Bug (2014) – Data Leakage

🔹 A vulnerability in OpenSSL encryption exposed sensitive data from servers.

🔹 Attackers could read passwords, credit card details, and encryption keys.

C. SolarWinds Supply Chain Attack (2020) – Malware Insertion

🔹 Hackers compromised SolarWinds software updates, infecting government and

corporate networks.
🔹 Used for espionage and data theft.

115 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
✅ Lesson: Keeping software updated and monitoring for suspicious activity is critical.

Risk – An Introduction & Business Requirements

1. What is Risk?

🔴 Risk is the potential for loss or damage when a threat exploits a vulnerability. In
business and cybersecurity, risk is the likelihood that an event will cause financial loss, data
breaches, or reputational damage.

✅ Formula for Risk:

Risk = Threat × Vulnerability × Impact

📌 Example:

 A company using weak passwords (vulnerability) is at risk of a hacker attack (threat),

leading to data loss and financial loss (impact).

2. Why is Risk Management Important?

✔ Prevents financial loss – Reduces costs from cyberattacks and fraud.

✔ Protects reputation – Avoids negative publicity from data breaches.
✔ Ensures compliance – Meets legal and regulatory standards.
✔ Improves decision-making – Identifies risks before they become major problems.
✔ Enhances business continuity – Minimizes disruptions from security incidents.

📌 Real-World Example:
In 2017, Equifax lost $700M due to a data breach caused by unpatched software. Proper
risk management could have prevented this.

3. Types of Business Risks

A. Financial Risk

🔹 Risks related to financial loss, market changes, or economic downturns.

📌 Example: Stock market crashes, inflation, or fraud affecting revenue.

B. Operational Risk

116 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
🔹 Risks from internal business operations, including system failures or human errors.
📌 Example: Supply chain disruptions due to logistics failure.

C. Compliance & Legal Risk

🔹 Risks from violating laws, regulations, or industry standards.

📌 Example: GDPR non-compliance can result in hefty fines.

D. Cybersecurity Risk

🔹 Risks from cyber threats, data breaches, or hacking attempts.

📌 Example: Phishing attacks leading to unauthorized access.

E. Strategic Risk

🔹 Risks from poor business decisions, changing markets, or competition.

📌 Example: Kodak failed to adapt to digital photography and lost market dominance.

4. Business Requirements for Risk Management

A. Risk Identification

✅ Recognize potential threats to the business.

📌 Example: Identifying weak security protocols in IT systems.

B. Risk Assessment & Analysis

✅ Determine the likelihood and impact of risks.

📌 Example: A bank assesses fraud risks in online transactions.

C. Risk Mitigation Strategies

✅ Implement preventive measures to reduce risk.

📌 Example: Installing firewalls to prevent unauthorized access.

117 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
D. Risk Monitoring & Response

✅ Continuously track risks and respond to incidents.

📌 Example: SIEM tools detect suspicious network activity.

E. Compliance & Regulatory Requirements

✅ Ensure legal compliance with industry standards.

📌 Example: ISO 27001 for information security management.

Information Security – Definitions & Key Concepts

1. What is Information Security?

🔒 Information Security (InfoSec) refers to the process of protecting data and

information systems from unauthorized access, misuse, modification, or destruction.

✅ Primary Goals of Information Security (CIA Triad):

1. Confidentiality – Ensuring only authorized users have access to information.

2. Integrity – Maintaining the accuracy and trustworthiness of data.
3. Availability – Ensuring information is accessible when needed.

📌 Example: A bank secures customer data by using encryption (confidentiality), secure

backups (integrity), and redundant servers (availability).

2. Key Information Security Definitions

A. Threat

🔹 Any potential danger that can exploit a vulnerability to cause harm.

📌 Example: A hacker attempting to break into a system.

B. Vulnerability

🔹 A weakness in a system that can be exploited by threats.

📌 Example: Unpatched software allows attackers to gain unauthorized access.

118 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
C. Risk

🔹 The probability that a threat will exploit a vulnerability and cause damage.
📌 Example: If an organization stores passwords in plain text, there is a high risk of data
theft.

D. Attack

🔹 An intentional action taken to harm a system or steal data.

📌 Example: Phishing emails trick users into revealing their passwords.

E. Security Controls

🔹 Measures used to protect information from threats.

📌 Example: Firewalls, encryption, and multi-factor authentication (MFA).

F. Authentication

🔹 The process of verifying a user’s identity before granting access.

📌 Example: Logging into an email account using a password and OTP.

G. Encryption

🔹 Converting data into an unreadable format to protect it from unauthorized access.

📌 Example: HTTPS encrypts web traffic to secure online transactions.

H. Firewall

🔹 A security device/software that blocks unauthorized access to a network.

📌 Example: Windows Defender Firewall prevents hackers from entering a system.

I. Malware

119 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
🔹 Malicious software designed to harm or exploit systems.
📌 Example: Ransomware encrypts files and demands a ransom for decryption.

J. Intrusion Detection System (IDS)

🔹 A system that monitors network traffic for suspicious activities.

📌 Example: Snort IDS detects unusual login attempts and alerts administrators.

3. Importance of Information Security

✔ Protects Sensitive Data – Prevents identity theft and financial loss.

✔ Ensures Business Continuity – Avoids disruptions due to cyberattacks.
✔ Maintains Trust – Customers trust businesses that protect their information.
✔ Ensures Compliance – Meets regulations like GDPR, HIPAA, and ISO 27001.

📌 Example: Organizations use multi-factor authentication (MFA) and strong encryption

to safeguard sensitive customer data.

Security Policies – Tiers, Procedures, Standards & Guidelines

Security policies help organizations maintain data security, regulatory compliance, and
risk management. They are structured in three tiers based on their scope and applicability.

1. Security Policy Tiers

🔹 Tier 1: Organization-Level Security Policies

📌 High-level security policies that apply to the entire organization. These define the overall
security vision, responsibilities, and risk management strategies.

✅ Key Aspects:

 Defines the organization's security objectives and goals.

 Covers risk management, compliance, and governance.
 Provides a framework for lower-tier policies.

📌 Example:

120 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
  Information Security Policy: Defines security roles, access control rules, and compliance
requirements (ISO 27001, GDPR).
 Incident Response Policy: Outlines how to identify, report, and respond to security
incidents.

🔹 Tier 2: Function-Level Security Policies

📌 Policies for specific departments, business units, or functions within an organization.

These ensure that each function aligns with the overall security strategy.

✅ Key Aspects:

 Focuses on specific business areas like IT, HR, Finance, and Legal.
 Establishes department-level security requirements.
 Defines access control, data handling, and employee security training.

📌 Example:

 HR Security Policy: Defines how employee data is stored, accessed, and protected.
 IT Security Policy: Specifies firewall configurations, network security, and backup
protocols.

🔹 Tier 3: Application/Device-Level Security Policies

📌 Policies for specific applications, software, or devices used within an organization.

These address technical security controls and configurations.

✅ Key Aspects:

 Defines password policies, encryption methods, and authentication protocols.

 Covers endpoint security, mobile device management (MDM), and application access
controls.
 Enforces data protection techniques such as firewalls, intrusion detection, and logging.

📌 Example:

 Cloud Security Policy: Defines rules for using cloud services like AWS, Azure, and Google
Cloud.
 Device Security Policy: Specifies rules for company-issued laptops, phones, and IoT devices.

2. Procedures, Standards & Guidelines

🔹 Procedures

121 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
📌 Step-by-step instructions on how to implement security policies in day-to-day
operations.

✅ Key Aspects:

 Defines how to enforce policies in specific situations.

 Ensures consistency and compliance across the organization.
 Provides detailed steps for handling incidents, system updates, or data access requests.

📌 Example:

 Incident Response Procedure: Steps to identify, contain, eradicate, and recover from a
cyberattack.
 User Access Request Procedure: Defines how employees can request access to IT systems.

🔹 Standards

📌 Mandatory security rules that define technical and operational security requirements.

✅ Key Aspects:

 Ensures uniform security practices across systems and departments.

 Specifies minimum security configurations, encryption levels, and compliance
requirements.
 Aligns with industry standards like ISO 27001, NIST, CIS, and PCI-DSS.

📌 Example:

 Password Standard: Minimum password length of 12 characters with special characters,

numbers, and uppercase/lowercase letters.
 Network Security Standard: All devices must use AES-256 encryption for data transmission.

🔹 Guidelines

📌 Best practices and recommendations that help employees follow security policies
effectively. Unlike standards, guidelines are not mandatory but are highly recommended.

✅ Key Aspects:

 Provides suggestions for improving security based on industry best practices.

 Helps employees and IT teams make security-conscious decisions.
 Can be customized based on business needs.

📌 Example:

122 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
  Phishing Awareness Guideline: Employees should verify sender details and avoid clicking
on suspicious links in emails.
 Software Update Guideline: Recommends updating all software and operating systems
regularly.

3. Summary Table
Category Description Example

High-level policies for the entire Information Security Policy,

Tier 1: Organization-Level
organization Incident Response Policy

Policies for specific departments or HR Security Policy, IT Security

Tier 2: Function-Level
business units Policy

Tier 3: Security rules for specific applications, Cloud Security Policy, Device
Application/Device-Level systems, or devices Security Policy

Step-by-step instructions for Incident Response Steps, Access

Procedures
implementing security policies Control Procedures

Mandatory security requirements and Minimum Password Length,

Standards
configurations Encryption Standards

Best practices for following security Phishing Awareness, Software

Guidelines
policies effectively Update Best Practices

123 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
 UNIT V - ACCESS CONTROL
User Identity and Access Management - Account Authorization - Access and Privilege
Management - System and Network Access Control - Operating Systems Access Controls -
Monitoring Systems Access Controls - Intrusion Detection System - Event Logging

User Identity and Access Management (IAM)

1. What is Identity and Access Management (IAM)?

🔐 Identity and Access Management (IAM) is a framework of policies, processes, and

technologies that ensures the right individuals have appropriate access to the right
resources at the right time.

✅ Key Objectives of IAM:

 Verify user identity before granting access.

 Restrict access based on roles and permissions.
 Monitor and audit user activities for security compliance.

📌 Example:

 When logging into an online banking system, users must enter their username, password,
and a One-Time Password (OTP) for authentication.

2. Components of IAM

🔹 1. Identification

📌 Users must provide unique credentials to identify themselves.

✅ Example: Username, employee ID, email address.

🔹 2. Authentication

📌 Confirms that the user is who they claim to be.

✅ Example: Passwords, biometrics (fingerprint, face recognition), OTPs.

🔹 3. Authorization

📌 Defines what a user can and cannot access.

✅ Example: A finance employee can access financial records, but a marketing employee
cannot.

124 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
🔹 4. Accountability (Logging & Auditing)

📌 Tracks and logs all user activities for security monitoring.

✅ Example: A company uses SIEM (Security Information and Event Management)
tools to track login attempts and detect anomalies.

3. Types of Access Control Models

🔹 1. Role-Based Access Control (RBAC)

📌 Access is granted based on user roles within the organization.

✅ Example: A manager has access to sensitive files, but a junior employee does not.

🔹 2. Mandatory Access Control (MAC)

📌 Access is assigned by security policies and administrators, not by users.

✅ Example: Government agencies use MAC to classify data as Confidential, Secret, or
Top Secret.

🔹 3. Discretionary Access Control (DAC)

📌 The data owner decides who can access their resources.

✅ Example: A team leader can grant or deny access to project files.

🔹 4. Attribute-Based Access Control (ABAC)

📌 Access is granted based on user attributes such as location, time, or device type.
✅ Example: A user can only log in from company-approved devices during work hours.

4. IAM Technologies & Methods

🔹 Single Sign-On (SSO)

📌 Allows users to log in once and access multiple applications.

✅ Example: Logging into Google automatically grants access to Gmail, Drive, and
YouTube.

🔹 Multi-Factor Authentication (MFA)

📌 Requires two or more verification methods for security.

✅ Example: Using a password and an OTP sent to a mobile phone.

125 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
🔹 Privileged Access Management (PAM)

📌 Restricts access to highly sensitive accounts (e.g., system administrators).

✅ Example: A root user in Linux has limited access to prevent security risks.

🔹 Identity Federation

📌 Allows users to log in using credentials from another system (e.g., social media
accounts).
✅ Example: "Log in with Facebook or Google" on third-party websites.

🔹 Biometric Authentication

📌 Uses fingerprints, facial recognition, or voice for identity verification.

✅ Example: Unlocking a smartphone using Face ID.

5. Challenges in IAM

🔴 Weak Passwords: Users often create easy-to-guess passwords.

✅ Solution: Enforce password complexity policies and MFA.

🔴 Insider Threats: Employees may misuse their access.

✅ Solution: Implement role-based access controls (RBAC) and activity monitoring.

🔴 Phishing Attacks: Hackers steal user credentials via fake emails.

✅ Solution: Train employees on security awareness and use email filtering tools.

🔴 Managing Remote Access: Employees working remotely pose security risks.

✅ Solution: Use VPNs and conditional access for remote users.

6. Best Practices for IAM Implementation

✔ Implement the Least Privilege Principle – Give users the minimum access they need to
perform their job.
✔ Enforce Multi-Factor Authentication (MFA) – Prevents unauthorized access even if
passwords are stolen.
✔ Use Strong Password Policies – Require long, complex passwords and periodic changes.
✔ Monitor and Audit User Activities – Detect and respond to suspicious activities using
SIEM tools.
✔ Revoke Access for Ex-Employees Immediately – Prevents unauthorized access after
termination.

126 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
Account Authorization
1. What is Account Authorization?

🔐 Account Authorization is the process of granting or restricting access to specific

resources after a user has been authenticated. It ensures that a user only has permissions
appropriate to their role and cannot access unauthorized data or systems.

✅ Key Differences Between Authentication and Authorization:

Feature Authentication 🆔 Authorization 🔑

Purpose Confirms identity Grants access rights

User logs in (e.g., password, System checks if the user has permission to access
Process
biometrics) resources

A manager can approve leave requests, but an intern

Example Entering a password or OTP
cannot

📌 Example Scenario:

 When logging into an online banking account, authentication verifies the user's identity.
 Authorization determines whether the user can view balances, transfer money, or access
admin controls.

2. Authorization Models

🔹 1. Role-Based Access Control (RBAC)

📌 Access is assigned based on job roles within an organization.

✅ Example:

 HR Staff can access employee records, but IT Staff cannot.

 A regular employee cannot edit payroll data, but an HR Manager can.

🔹 2. Attribute-Based Access Control (ABAC)

📌 Access is granted based on attributes like location, device, or time of access.

✅ Example:

127 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
  A remote employee can only access company files from a corporate laptop.
 Employees can only log in during working hours (9 AM - 6 PM).

🔹 3. Mandatory Access Control (MAC)

📌 Strictly enforced policies that do not allow users to change access rights.

✅ Example:

 Government agencies classify data as Confidential, Secret, or Top Secret, and only
authorized personnel can access it.

🔹 4. Discretionary Access Control (DAC)

📌 The data owner decides who gets access.

✅ Example:

 A team leader can share or restrict access to a project folder.

 A Google Drive owner decides who can view or edit a document.

3. Authorization Mechanisms

🔹 1. Access Control Lists (ACLs)

📌 Defines who can access what in a system.

✅ Example:

 A firewall ACL blocks certain users from accessing specific servers.

 File permissions in Linux (read, write, execute) define what users can do with files.

🔹 2. JSON Web Tokens (JWTs) for API Authorization

📌 Used for web applications and APIs to authorize users.

✅ Example:

 When logging into a website, a JWT token is issued to the user.

 The token is sent with every API request to verify access rights.

128 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
🔹 3. OAuth 2.0 for Third-Party Authorization

📌 Allows users to grant limited access to third-party apps without sharing passwords.

✅ Example:

 "Log in with Google" on a website.

 A user authorizes Spotify to access their Facebook profile without giving login details.

🔹 4. Multi-Factor Authorization (MFA)

📌 Requires additional verification before granting access.

✅ Example:

 A banking app asks for a password and an OTP (One-Time Password).

 A cloud service requires fingerprint authentication before accessing sensitive data.

4. Challenges in Authorization

🔴 Over-privileged Users: Employees often have more access than needed, increasing
security risks.
✅ Solution: Implement least privilege access (LPA) to restrict unnecessary permissions.

🔴 Unauthorized Data Access: Hackers may exploit weak authorization policies to steal
sensitive data.
✅ Solution: Use role-based access control (RBAC) and multi-factor authentication
(MFA).

🔴 Broken Authorization Attacks: Cybercriminals bypass authorization mechanisms to gain

admin access.
✅ Solution: Regularly audit user permissions and implement secure session management.

5. Best Practices for Secure Authorization

✔ Enforce the Principle of Least Privilege (PoLP) – Users should have the minimum
access necessary.
✔ Use Multi-Factor Authentication (MFA) – Adds an extra security layer beyond
passwords.
✔ Implement Role-Based Access Control (RBAC) – Assign permissions based on job

129 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
functions.
✔ Regularly Review and Revoke Permissions – Remove access for ex-employees or
inactive users.
✔ Monitor and Audit Authorization Logs – Track access attempts for suspicious activity.

Access and Privilege Management

1. What is Access and Privilege Management?

🔐 Access and Privilege Management refers to controlling and monitoring user access to
systems, applications, and data based on predefined roles, permissions, and security
policies.

✅ Why is it Important?

 Prevents unauthorized access to sensitive information.

 Reduces the risk of insider threats and cyberattacks.
 Ensures compliance with security regulations (e.g., GDPR, HIPAA).

📌 Example:
A regular employee should not have access to modify payroll data, but an HR manager
should.

2. Key Concepts of Access and Privilege Management

🔹 1. Authentication vs. Authorization

Feature Authentication (Who are you?) 🆔 Authorization (What can you access?) 🔑

Purpose Confirms user identity Grants specific access rights

Process Uses passwords, biometrics, MFA Uses roles, policies, access controls

Example Logging into a system Viewing or modifying financial records

🔹 2. Least Privilege Principle (PoLP)

📌 Users should have only the minimum access necessary to perform their job.

✅ Example:

 A customer service representative can view customer data but cannot edit or delete it.
 A marketing intern cannot access confidential company reports.

130 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
🔹 3. Role-Based Access Control (RBAC)

📌 Access is assigned based on job roles rather than individual users.

✅ Example:

 HR Team – Can access employee records but not financial transactions.

 IT Team – Can manage servers and network security settings.

🔹 4. Privileged Access Management (PAM)

📌 Special security measures for highly sensitive accounts (e.g., system administrators, root
users).

✅ Example:

 System administrators need privileged access to configure servers, but not to access payroll
data.
 Privileged accounts require multi-factor authentication (MFA) and monitoring.

🔹 5. Discretionary Access Control (DAC) vs. Mandatory Access Control (MAC)

Type Description Example

DAC (Discretionary The data owner decides A Google Drive owner shares a file with
Access Control) who gets access. specific users.

MAC (Mandatory Access is strictly enforced Government agencies classify documents as

Access Control) by security policies. Confidential, Secret, or Top Secret.

3. Access Management Methods

🔹 1. Multi-Factor Authentication (MFA)

📌 Requires two or more verification steps before granting access.

✅ Example: Password + OTP or Biometric + Security Question.

🔹 2. Single Sign-On (SSO)

131 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
📌 Allows users to log in once and access multiple applications.
✅ Example: Logging into Google gives access to Gmail, Drive, and YouTube.

🔹 3. Just-in-Time (JIT) Access

📌 Provides temporary access when needed and revokes it after use.

✅ Example: A contractor is given database access for one day.

🔹 4. Attribute-Based Access Control (ABAC)

📌 Grants access based on user attributes (e.g., location, device type).

✅ Example: A remote worker can only access files from a company-approved laptop.

4. Challenges in Access and Privilege Management

🔴 Over-Privileged Accounts: Users often have more access than necessary, increasing
security risks.
✅ Solution: Implement least privilege access (PoLP) and role-based access control
(RBAC).

🔴 Insider Threats: Employees may misuse their access for personal gain.
✅ Solution: Use Privileged Access Management (PAM) and monitor privileged users.

🔴 Weak Passwords and Credentials Theft: Hackers exploit weak authentication methods.
✅ Solution: Enforce strong passwords and MFA (Multi-Factor Authentication).

🔴 Unauthorized Access After Employee Exit: Former employees may still have system
access.
✅ Solution: Implement automatic access revocation upon termination.

5. Best Practices for Secure Access and Privilege Management

✔ Implement Role-Based Access Control (RBAC): Assign permissions based on job

functions.
✔ Use Multi-Factor Authentication (MFA): Adds an extra security layer.
✔ Enforce Least Privilege Access (PoLP): Give only necessary permissions.
✔ Monitor and Audit User Activities: Track who accesses what and when.
✔ Use Privileged Access Management (PAM): Protect highly sensitive accounts.
✔ Regularly Review and Update Access Rights: Remove inactive users.
✔ Enable Single Sign-On (SSO) with Conditional Access: Restrict access based on risk
factors (e.g., login location, device security).

132 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
Operating Systems Access Controls
1. What is Operating System Access Control?

🔐 Operating System (OS) Access Control is a security mechanism that restricts and
regulates user access to system resources, data, and applications based on identity, role, and
security policies.

✅ Why is it Important?

 Prevents unauthorized access to system files and applications.

 Protects user data from tampering or theft.
 Ensures compliance with security standards like ISO 27001, HIPAA, and NIST.

📌 Example:
A regular user cannot modify system configuration files, but an administrator can.

2. Key Types of OS Access Control

🔹 1. Discretionary Access Control (DAC)

📌 The data owner decides who can access resources.

✅ Features:

 Users can grant or revoke access permissions.

 Based on Access Control Lists (ACLs).

✅ Example:

 A Windows user can share a file and decide who gets read/write access.

🔴 Risk: If a user account is hacked, attackers can change permissions and gain
unauthorized access.

🔹 2. Mandatory Access Control (MAC)

📌 Access is controlled by security policies, not users.

✅ Features:

 Enforces strict rules based on security levels (e.g., Top Secret, Confidential).

133 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
  Used in military and government systems.

✅ Example:

 A classified document in a government system is accessible only to authorized personnel.

🔴 Risk: Not flexible—users cannot modify access settings.

🔹 3. Role-Based Access Control (RBAC)

📌 Access is assigned based on user roles instead of individuals.

✅ Features:

 Users are grouped into roles (e.g., Admin, HR, Finance).

 Access permissions are predefined for each role.

✅ Example:

 HR staff can access employee records, but IT admins cannot.

🔴 Risk: If roles are not properly assigned, users might get more access than needed.

🔹 4. Attribute-Based Access Control (ABAC)

📌 Access is granted based on user attributes like location, device, and time.

✅ Example:

 A remote worker can access files only from a company-approved laptop.

 A doctor can access patient data only during work hours.

🔴 Risk: Complex to set up and manage.

3. Access Control Mechanisms in Operating Systems

🔹 1. User Authentication

📌 Ensures only authorized users can log in.

✅ Methods:

134 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
  Passwords & PINs (Basic authentication)
 Multi-Factor Authentication (MFA) (e.g., Password + OTP)
 Biometric Authentication (Fingerprint, Face ID)

🔴 Risk: Weak passwords can be easily hacked.

🔹 2. File and Folder Permissions

📌 Controls who can read, write, or execute files.

✅ Permission Types:

 Read (r) – View file contents.

 Write (w) – Modify file contents.
 Execute (x) – Run executable files.

✅ Example:

 A regular user can read system files but cannot modify them.

🔴 Risk: Misconfigured permissions can expose sensitive data.

🔹 3. Access Control Lists (ACLs)

📌 Lists specific users and their allowed permissions for files, directories, or applications.

✅ Example (Linux ACL Command):

setfacl -m u:john:rwx [Link] # Grants "john" read, write, execute

permissions

🔴 Risk: Overcomplicated ACLs can cause access control issues.

🔹 4. Privileged Access Management (PAM)

📌 Restricts admin and root privileges to only trusted users.

✅ Example:

 Linux "sudo" command restricts root access:

 sudo apt update # Allows temporary admin access

135 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
  Windows UAC (User Account Control) asks for admin approval before making system
changes.

🔴 Risk: If admin accounts are hacked, attackers can control the system.

🔹 5. Session Timeouts & Auto-Logout

📌 Logs out users after inactivity to prevent unauthorized access.

✅ Example:

 A banking system logs out users after 10 minutes of inactivity.

🔴 Risk: If the timeout is too short, it frustrates users.

🔹 6. Audit Logs & Monitoring

📌 Tracks who accessed what and when.

✅ Example (Linux log command):

cat /var/log/[Link] # Shows login attempts

🔴 Risk: If logs are not monitored, security incidents can go undetected.

4. Best Practices for OS Access Control

✔ Use Multi-Factor Authentication (MFA): Prevents unauthorized logins.

✔ Apply Least Privilege Principle (PoLP): Users get only the permissions they need.
✔ Regularly Update and Patch OS: Fixes security vulnerabilities.
✔ Use Role-Based Access Control (RBAC): Assign permissions based on job roles.
✔ Enable File Encryption: Protects sensitive data from unauthorized access.
✔ Monitor User Activities with Logs: Detects suspicious access attempts.
✔ Implement Time-Based Access Control: Restricts access to work hours only.
✔ Restrict Admin Privileges: Limit root/sudo access to trusted users.

136 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
Monitoring System Access Controls
1. What is System Access Control Monitoring?

🔍 System Access Control Monitoring refers to the continuous tracking, auditing, and
analyzing of user activities and system access to detect unauthorized access, security
breaches, or policy violations.

✅ Why is it Important?

 Prevents unauthorized access to sensitive data.

 Detects and alerts on suspicious activities (e.g., repeated failed logins).
 Ensures compliance with security policies (ISO 27001, GDPR, HIPAA, etc.).
 Helps in forensic investigations by maintaining detailed access logs.

📌 Example:
A banking system monitors login attempts, flags unusual behavior (e.g., logins from
different countries within minutes), and triggers security alerts.

2. Key Components of Access Control Monitoring

🔹 1. User Authentication Monitoring

📌 Tracks who logs in, when, and from where.

✅ Monitored Events:

 Failed login attempts (potential brute force attack).

 Login from an unusual location/IP address.
 Multiple login attempts from different devices in a short time.

✅ Example (Linux command to check login attempts):

cat /var/log/[Link] | grep "Failed password"

🔴 Risk: If not monitored, hackers can try thousands of passwords without detection.

🔹 2. Privileged Access Monitoring

📌 Monitors admin/root access to prevent abuse.

✅ Security Measures:

 Track sudo/root commands in Linux.

137 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
  Log Windows Admin actions using Event Viewer.
 Alert if a user gains unexpected admin privileges.

✅ Example (Linux command to check sudo usage):

cat /var/log/[Link] | grep "sudo"

🔴 Risk: If privileged accounts are compromised, attackers can control the system.

🔹 3. File and Data Access Monitoring

📌 Tracks who accessed, modified, or deleted files.

✅ Monitored Events:

 Unauthorized access to confidential files.

 Mass deletion or encryption (indicates ransomware attack).
 File permission changes (could be a security misconfiguration).

✅ Example (Linux command to track file access):

auditctl -w /etc/passwd -p wa -k password_change

ausearch -k password_change

🔴 Risk: If a hacker gains access to a sensitive file and exfiltrates data, it can lead to data
breaches.

🔹 4. Network Access Monitoring

📌 Tracks who is connecting to the network and what data is being transmitted.

✅ Security Measures:

 Monitor remote access (VPN, SSH, RDP).

 Detect unusual network traffic spikes (indicates data exfiltration).
 Use Intrusion Detection Systems (IDS) to spot malicious activities.

✅ Example (Check network connections in Linux):

netstat -an | grep ESTABLISHED

🔴 Risk: If a hacker gets remote access, they can steal data or install malware.

138 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
🔹 5. USB and Peripheral Device Monitoring

📌 Prevents data theft via external devices (USB, external HDDs).

✅ Security Measures:

 Block unauthorized USB devices.

 Log file transfers to removable media.
 Monitor data copied to cloud storage.

✅ Example (Linux command to check USB connections):

dmesg | grep -i usb

🔴 Risk: Insiders may use USB devices to steal sensitive data.

🔹 6. Security Logs and Audit Trails

📌 Maintains detailed logs of user activities for security audits.

✅ Security Measures:

 Store logs in a centralized system (SIEM – Security Information and Event Management).
 Enable real-time alerts for suspicious activities.
 Perform regular log analysis to detect hidden threats.

✅ Example (Windows Event Viewer for Access Logs):

Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4624}

🔴 Risk: If logs are not monitored, attacks can go undetected for months.

3. Best Practices for System Access Control Monitoring

✔ Enable Multi-Factor Authentication (MFA): Reduces unauthorized access.

✔ Use Role-Based Access Control (RBAC): Restricts permissions based on job roles.
✔ Monitor and Alert on Failed Logins: Prevents brute force attacks.
✔ Log All Admin and Root Access Actions: Detects privilege misuse.
✔ Implement Intrusion Detection Systems (IDS): Alerts on malicious activities.
✔ Regularly Review Security Logs: Identifies unusual patterns.
✔ Use Endpoint Security Solutions: Blocks unauthorized USB and file transfers.
✔ Automate Log Analysis with SIEM Tools: Speeds up threat detection.

139 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
Intrusion Detection System (IDS)
1. What is an Intrusion Detection System (IDS)?

🚨 An Intrusion Detection System (IDS) is a security tool that monitors network traffic,
system activities, and logs to detect suspicious behavior, cyberattacks, or policy
violations.

✅ Why is it Important?

 Detects unauthorized access attempts before a breach occurs.

 Identifies malware, DoS attacks, and insider threats.
 Alerts administrators in real-time about potential threats.
 Helps forensic investigations by recording intrusion attempts.

📌 Example:
If an IDS detects multiple failed login attempts from an unknown IP, it triggers an alert for
potential brute-force attack.

2. Types of Intrusion Detection Systems (IDS)

🔹 1. Network-Based IDS (NIDS)

📌 Monitors network traffic for suspicious activities.

✅ How it Works:

 Installed on network gateways or firewalls.

 Analyzes packets, IP addresses, and protocols.
 Detects attacks like DDoS, Man-in-the-Middle (MitM), and SQL injection.

✅ Example NIDS Tools:

 Snort 🛡 (Open-source, widely used).

 Suricata ⚡ (Fast and multi-threaded).
 Zeek (Bro IDS) 📡 (Advanced network monitoring).

🔴 Limitations:

 Cannot detect attacks from inside the system (e.g., insider threats).

🔹 2. Host-Based IDS (HIDS)

140 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
📌 Monitors system logs, files, and applications on a single device.

✅ How it Works:

 Installed on servers or endpoints (e.g., Windows/Linux machines).

 Detects unauthorized file modifications, rootkits, malware, and privilege escalations.
 Analyzes system logs, registry changes, and user activities.

✅ Example HIDS Tools:

 OSSEC 🖥️ (Open-source, real-time monitoring).

 Tripwire 🔍 (Detects file integrity changes).
 AIDE 🛡 (Linux-based file monitoring).

🔴 Limitations:

 Cannot detect network-based attacks.

🔹 3. Signature-Based IDS

📌 Detects attacks by comparing traffic with known attack signatures.

✅ How it Works:

 Uses a database of attack patterns (like antivirus software).

 Efficient at detecting known threats (e.g., malware, viruses).

✅ Example Tools:

 Snort (Uses signature rules to detect threats).

🔴 Limitations:

 Cannot detect new/zero-day attacks.

🔹 4. Anomaly-Based IDS (Behavioral IDS)

📌 Uses AI/ML to detect unusual activity instead of relying on known attack patterns.

✅ How it Works:

 Learns "normal" behavior (e.g., typical user logins, traffic patterns).

 Alerts when unusual activity occurs (e.g., a user accessing files at 3 AM).

141 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
✅ Example Tools:

 Zeek (Bro IDS) (Detects anomalies in network traffic).

 Wazuh (Behavior-based endpoint monitoring).

🔴 Limitations:

 Can generate false positives (normal activity may be flagged as a threat).

3. IDS vs. IPS (Intrusion Prevention System)

Feature IDS (Intrusion Detection System) IPS (Intrusion Prevention System)

Function Detects and alerts on attacks Detects and blocks attacks

Response Passive (only alerts, does not stop) Active (automatically prevents threats)

Monitors traffic after reaching the Sits inline to block threats before reaching the
Placement
network network

Example Snort, Zeek, OSSEC Suricata, Cisco IPS, Palo Alto IPS

✅ Best Practice:

 Use IDS for monitoring and IPS for blocking.

4. Best Practices for IDS Implementation

✔ Deploy both NIDS and HIDS for complete security.

✔ Use signature-based IDS for known threats and anomaly-based IDS for new threats.
✔ Regularly update IDS signatures to detect the latest attacks.
✔ Enable real-time alerts for quick response.
✔ Analyze logs daily to identify trends and false positives.
✔ Integrate IDS with SIEM tools (e.g., Splunk, ELK Stack) for better log analysis.
✔ Set up honeypots to detect attackers early.

Event Logging in Cybersecurity

1. What is Event Logging?

📝 Event logging is the process of recording system activities, security incidents, and user
actions to help monitor, analyze, and detect potential threats. These logs are stored in log
files and can be used for troubleshooting, security auditing, and forensic investigations.

142 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
✅ Why is Event Logging Important?

 Tracks security incidents (failed logins, file modifications, malware activity).

 Helps detect insider threats (unauthorized access attempts).
 Supports forensic investigations after a cyberattack.
 Ensures compliance with regulations (ISO 27001, GDPR, HIPAA, etc.).

📌 Example:
A banking system logs all user transactions and alerts administrators if an account is
accessed from a suspicious IP address.

2. Types of Event Logs

🔹 1. System Logs (Syslogs)

📌 Records operating system events, like reboots, shutdowns, and hardware failures.

✅ Examples:

 Linux/macOS: /var/log/syslog, /var/log/messages

 Windows: Event Viewer → System Logs

✅ Command to Check System Logs (Linux):

cat /var/log/syslog | tail -20

🔴 Risk: If system logs are disabled, critical failures may go unnoticed.

🔹 2. Security Logs

📌 Tracks login attempts, failed authentications, privilege escalations, and security

alerts.

✅ Examples:

 Linux/macOS: /var/log/[Link] (Login attempts)

 Windows: Event Viewer → Security Logs

✅ Command to Check Security Logs (Linux):

cat /var/log/[Link] | grep "Failed password"

🔴 Risk: If an attacker tries brute force, security logs help detect unauthorized attempts.

143 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
🔹 3. Application Logs

📌 Stores error messages, warnings, and debugging information from applications.

✅ Examples:

 Web servers log HTTP requests and errors (e.g., [Link], [Link]).
 Databases log query executions and failed connections.

✅ Command to Check Web Server Logs (Apache):

cat /var/log/apache2/[Link] | tail -10

🔴 Risk: If application logs are missing, tracking bugs or security flaws becomes difficult.

🔹 4. Network Logs

📌 Monitors incoming and outgoing network connections to detect suspicious traffic.

✅ Examples:

 Firewall logs: Blocked IPs, denied connections.

 IDS/IPS logs: Intrusion alerts (Snort, Suricata).

✅ Command to Check Open Network Connections (Linux):

netstat -an | grep ESTABLISHED

🔴 Risk: If an attacker establishes a reverse shell, network logs can help trace the source.

🔹 5. Audit Logs

📌 Provides a detailed history of user activities and system changes for compliance
auditing.

✅ Examples:

 Who accessed a file?

 Who changed system configurations?

✅ Command to Check File Access Logs (Linux AuditD):

144 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
auditctl -w /etc/passwd -p wa -k password_change
ausearch -k password_change

🔴 Risk: If a malicious insider modifies critical files, audit logs can track the changes.

3. Event Logging on Different Platforms

🔹 Linux Event Logging

 Syslog: /var/log/syslog, /var/log/messages

 Authentication logs: /var/log/[Link]
 Kernel logs: /var/log/[Link]

📌 Example (Check Login Attempts in Linux):

cat /var/log/[Link] | grep "session opened"

🔹 Windows Event Logging

📌 Uses Windows Event Viewer to track security events, system logs, and application logs.

✅ Key Event IDs in Windows Security Logs:

 4624 – Successful Login

 4625 – Failed Login Attempt
 4672 – Privileged Access Granted

📌 Example (Check Failed Login Attempts in PowerShell):

Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4625}

4. Centralized Logging with SIEM

Security Information and Event Management (SIEM) tools collect, analyze, and correlate
logs from multiple sources for better security monitoring.

✅ Popular SIEM Tools:

 Splunk 🔍 (Advanced log analysis & visualization).

 ELK Stack (Elasticsearch, Logstash, Kibana) 📊 (Open-source log management).
 Graylog ⚡ (Real-time log monitoring).
 Wazuh 🛡 (SIEM + HIDS for threat detection).

📌 Example (Sending Linux Logs to SIEM using Rsyslog):

145 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y
echo "*.* @@siem-server:514" >> /etc/[Link]
systemctl restart rsyslog

🔴 Risk: Without centralized logging, analyzing attacks across multiple systems becomes
difficult.

5. Best Practices for Event Logging

✔ Enable event logging on all critical systems.

✔ Regularly review logs for suspicious activities.
✔ Use log rotation to prevent excessive disk usage.
✔ Secure log files (prevent unauthorized modifications).
✔ Integrate logs with SIEM for real-time monitoring.
✔ Set up alerts for critical security events.
✔ Retain logs for at least 6 months (for forensic investigations).

146 | 2 2 C S 6 3 0 7 - C Y B E R F O R E N S I C S A N D I N F O R M A T I O N S E C U R I T Y