CYBER FORENSICS
UNIT 1
INTRODUCTION TO CYBER CRIME
AND FORENSICS
Introduction to Traditional Computer Crime, Traditional
problems associated with Computer Crime. Role of ECD and
ICT in Cybercrime - Classification of Cyber Crime. The
Present and future of Cybercrime - Cyber Forensics -Steps in
Forensic Investigation - Forensic Examination Process - Types
of CF techniques - Forensic duplication and investigation -
Forensics Technology and Systems - Understanding Computer
Investigation – Data Acquisition.
What is Cyber Forensics?
Cyber forensics is a process of extracting data as proof for a
crime (that involves electronic devices) while following
proper investigation rules to nab the culprit by presenting the
evidence to the court.
• Cyber forensics is also known as computer forensics.
The main aim of cyber forensics is to maintain the thread of
evidence and documentation to find out who did the crime
digitally.
USE
• It can recover deleted files, chat logs, emails, etc.
• It can also recover deleted SMS messages and phone call records.
• It can get recorded audio of phone conversations.
• It can determine which user used which system and for
how much time.
• It can identify which user ran which program.
The Process Involved in Cyber Forensics
1. Obtaining a digital copy of the system that is being or is
required to be inspected.
2. Authenticating and verifying the reproduction.
3. Recovering deleted files (e.g., using the Autopsy tool).
4. Using keywords to find the information you need.
5. Establishing a technical report.
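The five steps above, worked through on a constructed byte string that stands in for a seized device. This is an added example, not code from the original slides: the sample device contents, the 512-byte sector size and the report layout are this example's own assumptions. It makes the copy without ever writing to the source, verifies the copy by comparing SHA-256 digests, searches the raw image (so content in unallocated space, i.e. "deleted" material, is found as well) and assembles the facts a technical report needs.

```python
from __future__ import annotations
import hashlib
import re
from dataclasses import dataclass

SECTOR = 512  # assumed sector size for tying hits to sectors

# Constructed stand-in for a seized storage device: a few bytes of "file"
# content surrounded by unallocated space. Not real evidence.
SOURCE_DEVICE = (
    b"\x00" * 100
    + b"From: alice@example.invalid\r\nSubject: invoice 4471\r\n"
    + b"\x00" * 500
    + b"DELETED: transfer 4471 to offshore account\x00"
    + b"\xff" * 700
)

@dataclass
class AcquisitionResult:
    image: bytes
    source_sha256: str
    image_sha256: str
    verified: bool

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def acquire_image(device: bytes, sector_size: int = SECTOR) -> AcquisitionResult:
    """Steps 1 and 2: copy the device sector by sector, never writing to it,
    then hash source and copy and compare the digests."""
    source_sha256 = sha256_hex(device)
    image = bytearray()
    for offset in range(0, len(device), sector_size):
        image += device[offset:offset + sector_size]   # read-only slice of the source
    image = bytes(image)
    image_sha256 = sha256_hex(image)
    return AcquisitionResult(image, source_sha256, image_sha256,
                             source_sha256 == image_sha256)

def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Re-run the check every time the image is opened: a single changed bit
    changes the digest, so a mismatch means the copy can no longer be relied on."""
    return sha256_hex(image) == expected_sha256

def keyword_search(image: bytes, keywords: list[bytes]) -> dict[bytes, list[int]]:
    """Step 4: every byte offset at which each keyword occurs. Searching the
    raw image rather than a mounted filesystem also finds content in
    unallocated space, which is how the deleted second hit is recovered."""
    return {kw: [m.start() for m in re.finditer(re.escape(kw), image)]
            for kw in keywords}

def build_report(result: AcquisitionResult, hits: dict[bytes, list[int]],
                 sector_size: int = SECTOR) -> dict:
    """Step 5: the facts a technical report needs, each hit tied to its sector."""
    return {
        "image_size_bytes": len(result.image),
        "source_sha256": result.source_sha256,
        "image_sha256": result.image_sha256,
        "hash_match": result.verified,
        "keyword_hits": {
            kw.decode("ascii", "replace"): [(off, off // sector_size) for off in offs]
            for kw, offs in hits.items()
        },
    }

if __name__ == "__main__":
    result = acquire_image(SOURCE_DEVICE)
    hits = keyword_search(result.image, [b"4471", b"offshore"])
    print(build_report(result, hits))
```

The digest comparison is what makes step 2 meaningful: an image whose hash no longer matches the recorded source hash is not the evidence that was seized, however plausible its contents look.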
Types of computer forensics
• Network forensics: This involves monitoring and analyzing the
network traffic to and from the criminal’s network. The tools used
here are network intrusion detection systems and other automated
tools.
• Email forensics: In this type of forensics, the experts examine the
email of the criminal and recover deleted email threads to extract
crucial information related to the case.
• Malware forensics: This branch of forensics deals with hacking-related
crimes. Here, the forensics expert examines the malware (viruses,
trojans, etc.) to identify the attacker behind it.
• Memory forensics: This branch of forensics deals with collecting
data from memory (cache, RAM, etc.) in raw form and then retrieving
information from that data.
• Mobile Phone forensics: This branch of forensics generally
deals with mobile phones. They examine and analyze data
from the mobile phone.
• Database forensics: This branch of forensics examines and
analyzes the data from databases and their related metadata.
• Disk forensics: This branch of forensics extracts data from
storage media by searching modified, active, or deleted files.
Relationship between cybersecurity and
cyber forensics
• Cybersecurity aims to protect electronic assets from breach, whereas
cyber forensics explains how a policy was violated and who was
responsible for it.
INTRODUCTION TO TRADITIONAL
COMPUTER CRIME
1. Cyberspace and Criminal Behavior
Cyberspace may be defined as the indefinite place where
individuals transact and communicate.
It is the place between places.
Virtual computer world that is used to facilitate online
communication.
2. Clarification of Terms
• Computer Crime
• Denotes any criminal act which has been facilitated by computer use.
• Includes both internet and non-internet activity.
• Examples include:
• Theft of components
• Counterfeiting
• Digital piracy or copyright infringement
• Hacking
• Child pornography
Computer related crime
• A broad term used to encompass those criminal activities in
which a computer was peripherally involved.
• Examples include traditional bookmaking and theft.
Digital Crime
A term used to refer to any criminal activity which involves
the unauthorized access, dissemination, manipulation,
destruction or corruption of electronically stored data.
Cybercrime
A specific term used to refer to any criminal activity which
has been committed through or facilitated by the Internet.
TRADITIONAL PROBLEMS ASSOCIATED
WITH COMPUTER CRIME
Physicality and Jurisdictional Concerns:
• The lack of physical boundaries and the removal of traditional
jurisdictional demarcations allow perpetrators to commit
multinational crimes with little fear of judicial sanctions.
• Criminals can cross international boundaries without the use of
passports or official documentation.
• Cybercrime is facilitated by international connections that enable
individuals to commit criminal activity in England while sitting in
their office in India.
• Cybercrime does not require transportation, physical storage capability
or labour, all of which would increase the potential for discovery and
enforcement.
Perceived insignificance, stereotypes and incompetence
Investigators and administrators have displayed great reluctance
to pursue computer criminals.
A lack of knowledge coupled with general apathy toward cyber
criminality has resulted in an atmosphere of indifference.
Many stereotype computer criminals as non-threatening, socially
challenged individuals and fail to see the insidious nature of
computer crime.
Electronic Communication Data (ECD)
Communication Medium:
• ECD encompasses various forms of digital communication, including
emails, instant messages, social media posts, VoIP (Voice over Internet
Protocol) calls, and more.
• These communication channels serve as vehicles for cybercriminals to
propagate malware, conduct phishing attacks, and engage in social
engineering.
Data Theft
• ECD often contains valuable information such as personal data,
financial records, intellectual property, and confidential business
information.
• Cybercriminals target ECD through techniques like hacking, data
breaches, or interception of communications to steal sensitive data for
financial gain, espionage, or identity theft.
• ECD leaves behind digital footprints that can serve as
evidence in cybercrime investigations.
• Law enforcement agencies and cybersecurity professionals
analyze ECD to reconstruct cyber attacks, trace the origin of
malicious activities, and identify perpetrators.
• Cybercriminals exploit vulnerabilities in ECD protocols,
software applications, and network infrastructure to infiltrate
systems, gain unauthorized access, and exfiltrate sensitive
data.
• Common vulnerabilities include unpatched software, weak
authentication mechanisms, and insecure network
configurations.
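One concrete form of the "digital footprint" that ECD leaves behind is the chain of Received headers that each mail relay prepends to an email. The following is an added example, not part of the original slides: it parses a constructed sample message (hostnames, addresses and timestamps are made up, using documentation address ranges) into the ordered list of hops, computes the delay between hops and flags a hop whose timestamp runs backwards, which is a sign of clock skew or of a header the sender inserted. The regular expression and field names are this example's own choices.

```python
from __future__ import annotations
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message, not real evidence. Each relay prepends its own
# Received header, so the top header is the last hop and the bottom one is
# the first relay that accepted the message from the sender.
SAMPLE_EMAIL = (
    "Received: from mx.example.invalid (mx.example.invalid [198.51.100.7])\n"
    "\tby inbox.example.invalid with ESMTP id AB123;\n"
    "\tMon, 04 Mar 2024 10:02:15 +0000\n"
    "Received: from relay.example.invalid (relay.example.invalid [203.0.113.9])\n"
    "\tby mx.example.invalid with ESMTPS id CD456;\n"
    "\tMon, 04 Mar 2024 10:02:10 +0000\n"
    "Received: from [192.0.2.44] (unknown [192.0.2.44])\n"
    "\tby relay.example.invalid with ESMTPA id EF789;\n"
    "\tMon, 04 Mar 2024 10:02:01 +0000\n"
    "From: \"Accounts\" <accounts@example.invalid>\n"
    "To: victim@example.invalid\n"
    "Subject: Invoice 4471\n"
    "Message-ID: <4471@example.invalid>\n"
    "\n"
    "Please review the attached invoice.\n"
)

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"             # name the sending host announced itself as
    r"(?:\s+\((?P<observed>[^)]*)\))?"  # what the receiving relay actually saw: rDNS and [ip]
    r"\s+by\s+(?P<by>\S+)"              # the relay that wrote this header
    r".*?;\s*(?P<date>.+)$",            # timestamp follows the final semicolon
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received(value: str) -> dict | None:
    flat = " ".join(value.split())   # unfold header continuation lines
    m = RECEIVED_RE.match(flat)
    if not m:
        return None
    observed = m.group("observed") or ""
    ip = IPV4_RE.search(observed)
    return {
        "helo": m.group("helo"),
        "ip": ip.group(1) if ip else None,
        "by": m.group("by"),
        "time": parsedate_to_datetime(m.group("date")),
    }

def trace_hops(raw_message: str) -> list[dict]:
    """Return the hops in chronological order (sender side first), with the
    delay since the previous hop and a flag when a timestamp runs backwards."""
    msg = message_from_string(raw_message)
    parsed = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    hops = list(reversed(parsed))
    previous = None
    for hop in hops:
        hop["delay_seconds"] = 0.0 if previous is None else (hop["time"] - previous).total_seconds()
        hop["suspicious"] = hop["delay_seconds"] < 0
        previous = hop["time"]
    return hops

def origin_ip(raw_message: str) -> str | None:
    """The address the first relay recorded for the sending host. Only headers
    written by relays the investigator trusts are reliable; anything below the
    first trusted hop could have been written by the sender."""
    hops = trace_hops(raw_message)
    return hops[0]["ip"] if hops else None
```

The "observed" part of each header (the bracketed address the receiving relay saw on the connection) is the evidentially useful field; the HELO name before it is whatever the sending host chose to announce.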
Information and Communication Technology (ICT)
• ICT stands for Information and Communication Technology, which
encompasses a broader range of technologies including computers,
networks, telecommunications, and the Internet.
• Cybercriminals leverage ICT infrastructure to orchestrate (secretly
coordinate) cyber-attacks, distribute malware and communicate with
collaborators anonymously.
• ICT platforms are used to distribute malware, such as viruses, worms,
Trojans, and ransomware, to target systems and networks.
• Cybercriminals establish command and control infrastructure using
ICT platforms to remotely control compromised devices, coordinate
botnets, and exfiltrate stolen data.
• This infrastructure enables cybercriminals to maintain persistence,
evade detection, and monetize their activities.
• ICT tools and techniques, such as virtual private networks (VPNs),
anonymous proxies, and encryption protocols, are used by
cybercriminals to anonymize their online activities, obfuscate their
digital footprints, and encrypt communication channels to evade
detection and surveillance.
• ECD and ICT play critical roles in facilitating cybercrime by providing
the communication channels, infrastructure, and tools necessary for
cybercriminal activities.
CLASSIFICATION OF CYBER CRIME
1. Malware-Based Crimes:
- Viruses: Malicious software programs that infect computers and replicate themselves to spread to other
systems.
- Worms: Self-replicating malware that spreads across networks without human intervention.
- Trojans: Malware disguised as legitimate software to deceive users and perform unauthorized actions.
- Ransomware: Malware that encrypts files or locks the system, demanding a ransom for decryption or system
access.
- Spyware: Software designed to secretly monitor and collect information from a computer or network.
2. Network-Based Crimes:
- Denial-of-Service (DoS) Attacks: Deliberate attempts to disrupt or overload a computer system or network,
rendering it inaccessible to legitimate users.
- Distributed Denial-of-Service (DDoS) Attacks: Coordinated attacks from multiple sources to overwhelm a
target system or network.
- Packet Sniffing: Unauthorized interception and monitoring of network traffic to capture sensitive information
such as passwords or financial data.
3. Identity Theft and Fraud:
- Phishing: Deceptive techniques used to trick individuals into revealing sensitive information such as login
credentials or financial details.
- Identity Theft: Unauthorized use of someone else's personal information to commit fraud or other crimes.
- Credit Card Fraud: Unauthorized use of credit card information to make fraudulent transactions or purchases.
4. Data Breaches:
- Unauthorized Access: Illegitimate access to computer systems, networks, or databases to steal or manipulate data.
- Data Theft: Theft of sensitive information, including personal data, financial records, intellectual property, or
trade secrets.
- Insider Threats: Malicious activities carried out by individuals with authorized access to systems or data, such as
employees or contractors.
5. Cyber Extortion and Threats:
- Ransomware: Malware that encrypts files or locks systems, demanding payment for decryption or system access.
- Cyber Threats: Intimidation, harassment, or extortion conducted online to coerce individuals or organizations into
taking specific actions or providing payment.
6. Cyber Harassment and Abuse:
- Cyberbullying: Harassment, intimidation, or defamation carried out through digital communication channels, such
as social media, messaging apps, or email.
- Online Stalking: Persistent surveillance, monitoring, or harassment of individuals online, often involving threats
or invasive behavior.
7. Cyber Espionage and Cyber Warfare:
- State-Sponsored Attacks: Covert cyber operations conducted by governments or state-sponsored groups for
espionage, sabotage, or political purposes.
- Industrial Espionage: Theft of proprietary information, trade secrets, or intellectual property for competitive
advantage or economic gain.
8. Online Child Exploitation:
- Child Pornography: Production, distribution, or possession of sexually explicit material
involving minors.
- Online Grooming: Predatory behavior targeting minors online to establish trust and
manipulate them for sexual exploitation or abuse.
9. Cyber Terrorism:
- Cyber Attacks on Critical Infrastructure: Targeting of essential systems such as power
grids, transportation networks, or financial institutions to cause disruption, damage, or loss of
life.
10. Cyber Fraud and Financial Crimes:
- Online Banking Fraud: Unauthorized access to online banking accounts, phishing attacks
targeting banking credentials, or fraudulent transactions.
- Investment Scams: Deceptive schemes to defraud individuals or organizations of money
through false investment opportunities or Ponzi schemes.
STEPS IN FORENSIC INVESTIGATION
Physical evidence
1. Identify Scene Dimensions.
• Locate the focal point of the scene.
2. Establish Security.
• Tape around the perimeter.
3. Create a Plan & Communicate.
• Determine the type of crime that occurred.
4. Conduct Primary Survey.
5. Document and Process Scene.
6. Conduct a Secondary Survey.
7. Record and Preserve Evidence.
FORENSIC EXAMINATION PROCESS
Forensic Duplication:
• Forensic duplication, also known as disk imaging or forensic imaging,
involves creating a bit-by-bit copy of a storage device (such as a hard
drive, solid-state drive, or flash drive) in a forensically sound manner.
• The purpose of forensic duplication is to preserve the original data on
the storage device without altering or damaging it in any way.
• The resulting forensic image serves as an exact replica of the original
storage device and is used for analysis and investigation while
maintaining the integrity of the original evidence.
Forensic Investigation:
• Forensic investigation refers to the systematic process of examining
digital evidence collected from various sources, including forensic
duplicates, to reconstruct events, identify perpetrators, and support
legal proceedings.
• This process involves analyzing the digital evidence using a variety of
forensic techniques and methodologies to extract relevant information
and draw conclusions about the circumstances of a crime or incident.
• Forensic investigation encompasses tasks such as file analysis,
network traffic analysis, malware analysis, database examination,
timeline reconstruction, and data correlation, among others.
• The ultimate goal of forensic investigation is to uncover the truth,
establish facts, and provide credible evidence that can be presented in
court to assist in the prosecution or defense of a case.
Understanding Computer Investigation
• Understanding computer investigation involves grasping the principles,
methodologies, and techniques used to analyze digital evidence and
uncover information relevant to criminal investigations or legal
proceedings.
1. Digital Evidence Collection
2. Data Recovery and Acquisition
3. Forensic Analysis
4. Malware Analysis
5. Network Forensics
6. Mobile Device Forensics
7. Incident Response
8. Reporting and Documentation
Data Acquisition
• Data acquisition is the process of copying data.
• There are two types of data acquisition: static acquisitions and live
acquisitions.
Data Acquisition
• Purpose: Collecting digital evidence in a forensically sound manner for
analysis and legal proceedings.
• Sources of Digital Evidence: Computers, storage devices, mobile devices,
network traffic, cloud services.
• Methods of Data Acquisition: Forensic imaging, live data acquisition,
memory forensics, network packet capture, mobile device extraction.
• Forensic Soundness: Ensuring data acquisition is performed using
write-blocking hardware or software to prevent alterations to the
original data.
• Documentation and Record-Keeping: Maintaining detailed documentation of
the acquisition process to establish evidence integrity and admissibility.
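The "Forensic Soundness" and "Documentation and Record-Keeping" aspects above, and the static/live distinction, shown as an acquisition record that travels with an image and can be re-checked later. This is an added example, not from the original slides: the field names, the rule that a static acquisition must name a write blocker, and the sample image bytes are this example's own assumptions rather than any standard form. The validator returns the list of problems it finds, so an empty list means the record is complete and the image still matches what was acquired.

```python
from __future__ import annotations
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed stand-in for an acquired forensic image (not real evidence).
SAMPLE_IMAGE = b"\x00" * 64 + b"EVIDENCE" + b"\xff" * 56

ACQUISITION_TYPES = {"static", "live"}
REQUIRED_FIELDS = (
    "case_id", "examiner", "source_description", "acquisition_type", "method",
    "started_utc", "finished_utc", "source_sha256", "image_sha256",
)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_acquisition_record(*, case_id: str, examiner: str, source_description: str,
                            acquisition_type: str, method: str, write_blocker: str | None,
                            source_sha256: str, image: bytes,
                            started: datetime, finished: datetime) -> dict:
    """Build the record that accompanies an image. Field names are this
    example's own choice, not a standard evidence form."""
    if acquisition_type not in ACQUISITION_TYPES:
        raise ValueError(f"acquisition_type must be one of {sorted(ACQUISITION_TYPES)}")
    return {
        "case_id": case_id,
        "examiner": examiner,
        "source_description": source_description,
        "acquisition_type": acquisition_type,   # static (powered-off media) or live
        "method": method,                        # e.g. forensic imaging, memory capture
        "write_blocker": write_blocker,          # None is acceptable only for live
        "started_utc": started.astimezone(timezone.utc).isoformat(),
        "finished_utc": finished.astimezone(timezone.utc).isoformat(),
        "source_sha256": source_sha256,
        "image_sha256": sha256_hex(image),
    }

def validate_record(record: dict, image: bytes) -> list[str]:
    """Re-check a record against the image it describes; an empty list means
    the record is complete and the image is unchanged since acquisition."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not record.get(field):
            problems.append(f"missing field: {field}")
    if record.get("acquisition_type") == "static" and not record.get("write_blocker"):
        problems.append("static acquisition performed without a write blocker")
    if record.get("source_sha256") != record.get("image_sha256"):
        problems.append("source hash and image hash differ: copy not verified")
    if sha256_hex(image) != record.get("image_sha256"):
        problems.append("image no longer matches the recorded hash")
    try:
        if datetime.fromisoformat(record["finished_utc"]) < datetime.fromisoformat(record["started_utc"]):
            problems.append("finished_utc is earlier than started_utc")
    except (KeyError, ValueError):
        problems.append("timestamps missing or not ISO 8601")
    return problems

def record_to_json(record: dict) -> str:
    """Serialize for the case file; sorted keys keep repeated exports comparable."""
    return json.dumps(record, indent=2, sort_keys=True)

def demo_record() -> dict:
    """A complete record for the constructed sample image (values are made up)."""
    started = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    return make_acquisition_record(
        case_id="CASE-EXAMPLE-0001", examiner="Examiner (placeholder)",
        source_description="constructed 128-byte sample image",
        acquisition_type="static", method="forensic imaging",
        write_blocker="hardware write blocker (placeholder serial)",
        source_sha256=sha256_hex(SAMPLE_IMAGE), image=SAMPLE_IMAGE,
        started=started, finished=started + timedelta(minutes=42),
    )

if __name__ == "__main__":
    record = demo_record()
    print(record_to_json(record))
    print("problems:", validate_record(record, SAMPLE_IMAGE))
```

Re-running the validator whenever the image is opened is what turns the documentation into evidence of integrity: the hash shows the image is unchanged, and the record shows how, by whom and under what protection it was taken.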
FORMATS
There are three formats:
• Raw Format
• Proprietary format
• Advanced Forensics Format(AFF)
Raw Format
• Preservation and Examination
Proprietary format
Advanced Forensics Format(AFF)
Determining The Best Acquisition Method
UNIT 1Computer forensics science.  .pptx