Unit V

The document discusses the need for computer forensics and digital evidence investigation. It covers topics like the history of cyber forensics, challenges in computer forensics investigations, and the role of digital evidence in solving cybercrimes. The document also provides definitions and concepts related to digital forensics science.

Uploaded by adhikya03

UNIT – V

Understanding Cyber Forensics: Introduction, Need for Computer Forensics, Cyber
Forensics and Digital Evidence, Forensics Analysis of Email, Digital Forensics Life
Cycle, Chain of Custody Concept, Network Forensics, Challenges in Computer
Forensics.
Cyber Security: Organizational Implications: Introduction, Cost of Cybercrimes and
IPR issues, Software Piracy, Web threats for Organizations, Security and Privacy
Implications, Social media marketing: Security Risks and Perils for Organizations,
Social Computing and the associated challenges for Organizations.
UNIT-III

Introduction
Cyberforensics plays a key role in the investigation of cybercrime. “Evidence” in the case of
“cyberoffenses” is extremely important from a legal perspective.
There are legal aspects involved in the investigation as well as in the handling of digital
forensics evidence.
Only technically trained and experienced experts should be involved in forensics
activities.

Historical background of Cyber Forensics


Computer is either the subject or the object of cybercrimes or is used as a tool to
commit a cybercrime.
The earliest recorded computer crimes occurred in 1969 and 1970 when student
protestors burned computers at various universities.
Around the same time, people were discovering methods for gaining unauthorized
access to large time-shared computers.
Computer intrusion and fraud committed with the help of computers were the
first crimes to be widely recognized as a new type of crime.
The Florida Computer Crimes Act was the first computer crime law to address
computer fraud and intrusion. It was enacted in Florida in 1978.
“Forensics evidence” is important in the investigation of cybercrimes.
Computer forensics is primarily concerned with the systematic “identification,”
“acquisition”, “preservation” and “analysis” of digital evidence, typically after an
unauthorized access to computer or unauthorized use of computer has taken place; while
the main focus of “computer security” is the prevention of unauthorized access to computer
systems as well as maintaining “confidentiality”,“integrity” and “availability” of computer
systems.
There are two categories of computer crime: one is the criminal activity that involves
using a computer to commit a crime, and the other is a criminal activity that has a
computer as a target.
Forensics means a “characteristic of evidence” that satisfies its suitability for
admission as fact and its ability to persuade based upon proof (or high statistical
confidence level).
The goal of digital forensics is to determine the “evidential value” of crime scene and
related evidence.
The roles and contributions of the digital forensics/computer forensics experts are
almost parallel to those of forensics scientists in other crimes, namely,
analysis of evidence, provision of expert testimony, and furnishing training in the
proper recognition, collection and preservation of the evidence.
Digital Forensics Science
Digital forensics is the application of analysis techniques to the reliable and
unbiased collection, analysis, interpretation and presentation of digital evidence.
There are a number of slightly varying definitions.
The term computer forensics, however, is generally considered to be related to the
use of analytical and investigative techniques to identify, collect, examine
and preserve evidence/information which is magnetically stored or encoded.
The objective of “cyberforensics” is to provide digital evidence of a specific or general
activity.
Following are two more definitions worth considering:
1. Computer forensics:
It is the lawful and ethical seizure, acquisition, analysis, reporting and
safeguarding of data and metadata derived from digital devices which may
contain information that is notable and perhaps of evidentiary value to the
trier of fact in managerial, administrative, civil and criminal investigations.
In other words, it is the collection of techniques and tools used to find
evidence in a computer.
2. Digital forensics: It is the use of scientifically derived and proven methods
toward the preservation, collection, validation, identification, analysis, interpretation,
documentation and presentation of digital evidence derived from digital sources for
the purpose of facilitating or furthering the reconstruction of events found to be
criminal, or helping to anticipate unauthorized actions shown to be disruptive to
planned operations.
In general, the role of digital forensics is to:
1. Uncover and document evidence and leads.
2. Corroborate evidence discovered in other ways.
3. Assist in showing a pattern of events (data mining has an application here).
4. Connect attack and victim computers.
5. Reveal an end-to-end path of events leading to a compromise attempt, successful or
not.
6. Extract data that may be hidden, deleted or otherwise not directly available.
The typical scenarios involved are:
1. Employee Internet abuse;
2. data leak/data breach – unauthorized disclosure of corporate information and data
(accidental and intentional);
3. industrial espionage (corporate “spying” activities);
4. damage assessment (following an incident);
5. criminal fraud and deception cases;
6. criminal cases (many criminals simply store information on computers, intentionally or
unwittingly) and countless others;
7. copyright violation.
Using digital forensics techniques, one can:
1. Corroborate and clarify evidence otherwise discovered.
2. Generate investigative leads for follow-up and verification in other ways.
3. Provide help to verify an intrusion hypothesis.
4. Eliminate incorrect assumptions.
Figure shows the kind of data you “see” using forensics tools.
The need for Computer Forensics
The convergence of Information and Communications Technology (ICT) advances and
the pervasive use of computers worldwide together have brought about many
advantages to mankind.
At the same time, the tremendously high technical capacity of modern
computers/computing devices provides avenues for misuse as well as opportunities for
committing crime.
This has led to new risks for computer users and also increased opportunities for
social harm.
Users, businesses and organizations worldwide have to live with a constant threat
from hackers who use a variety of techniques and tools to break into computer
systems, steal information, change data and cause havoc.
The widespread use of computer forensics is the result of two factors:
1. The increasing dependence of law enforcement on digital evidence;
2. the ubiquity of computers that followed from the microcomputer revolution.
The media on which clues related to cybercrime reside would vary from case to case.
There are many challenges for the forensics investigator because storage devices are
getting miniaturized due to advances in electronic technology; for example, external
storage devices such as mini hard disks (pen drives) are available in amazing shapes.
Computer forensics services include the following:
1. Data culling and targeting;
2. Discovery/subpoena process;
3. Production of evidence;
4. Expert affidavit support;
5. Criminal/civil testimony;
6. Cell phone forensics;
7. PDA forensics.
Specific client requests for forensics evidence extracting solution support include:
1. Index of files on hard drive;
2. Index of recovered files;
3. MS Office/user generated document extraction;
4. Unique E-Mail address extraction;
5. Internet activity/history;
6. Storage of forensics image for 1 year (additional charges then apply);
7. Keywords search;
8. Chain of custody;
9. Mail indexing;
10. Deleted file/folder recovery;
11. Office document recovery;
12. Metadata indexing;
13. Conversion to PDF;
14. Log extraction;
15. Instant messaging (IM) history recovery;
16. Password recovery;
17. Format for forensics extracts (DVD, CD, HDD, other);
18. Network acquisitions.
Chain of custody means the chronological documentation trail, etc. that indicates the
seizure, custody, control, transfer, analysis and disposition of evidence, physical or
electronic.
“Fungibility” means the extent to which the components of an operation or product can be
interchanged with similar components without decreasing the value of the operation or
product.
Chain of custody is also used in most evidence situations to maintain the integrity of the
evidence by providing documentation of the control, transfer and analysis of evidence.
Chain of custody is particularly important in situations where sampling can identify the
existence of contamination and can be used to identify the responsible party.
The purpose behind recording the chain of custody is to establish that the alleged
evidence is, indeed, related to the alleged crime, that is, the purpose is to establish the
integrity of the evidence.
In the context of conventional crimes, establishing “chain of custody” is especially important
when the evidence consists of fungible goods.
Cyber Forensics and Digital Evidence
Cyberforensics can be divided into two domains:
1. Computer forensics;
2. network forensics.

Network forensics is the study of network traffic to search for truth in civil,
criminal and administrative matters to protect users and resources from
exploitation, invasion of privacy and any other crime fostered by the continual
expansion of network connectivity.
There are many forms of cybercrimes:
sexual harassment cases – memos, letters, E-Mails, obscene chats;
embezzlement cases – spreadsheets, memos, letters, E-Mails, online banking information;
corporate espionage by way of memos, letters, E-Mails and chats; and
frauds through memos, letters, spreadsheets and E-Mails.
In case of computer crimes/cybercrimes, computer forensics helps.
Computer forensics experts know the techniques to retrieve the data from files
listed in standard directory search, hidden files, deleted files, deleted E-Mail and
passwords, login IDs, encrypted files, hidden partitions, etc.
Typically, the evidence resides on computer systems, user created files, user protected
files, computer created files and on computer networks.
Computer systems have the following:
1. Logical file system that consists of
• File system: It includes files, volumes, directories and folders, file allocation
tables (FAT) as in the older versions of the Windows Operating System, clusters,
partitions, sectors.
• Random access memory.
• Physical storage media: Magnetic force microscopy can be used to recover data
from overwritten areas.
(a) Slack space: It is space allocated to the file but not actually used, due to internal
fragmentation; and
(b) unallocated space.
2. User created files: These consist of address books, audio/video files, calendars,
database files, spreadsheets, E-Mails, Internet bookmarks, documents and text files.
The Rules of Evidence
“Evidence” means and includes:
1. All statements which the court permits or requires to be made before it by witnesses, in
relation to matters of fact under inquiry, are called oral evidence.
2. All documents that are produced for the inspection of the court are called documentary
evidence.
For paper evidence, the process is clear and intuitively obvious. Digital evidence by its very
nature is invisible to the eye. Therefore, the evidence must be developed using tools other
than the human eye.
There are a number of contexts involved in actually identifying a piece of digital evidence:
1. Physical context: It must be definable in its physical form, that is, it should reside on a
specific piece of media.
2. Logical context: It must be identifiable as to its logical position, that is, where it resides
relative to the file system.
3. Legal context: We must place the evidence in the correct context to read its meaning. This
may require looking at the evidence as machine language, for example, American
Standard Code for Information Interchange (ASCII).
Following are some guidelines for the (digital) evidence collection phase:
1. Adhere to your site’s security policy and engage the appropriate incident
handling and law enforcement personnel.
2. Capture a picture of the system as accurately as possible.
3. Keep detailed notes with dates and times. If possible, generate an automatic
transcript (e.g., on Unix systems the “script” program can be used; however, the
output file it generates should not be written to the media being examined, as that is a part of
the evidence). Notes and printouts should be signed and dated.
4. Note the difference between the system clock and Coordinated Universal Time
(UTC). For each timestamp provided, indicate whether UTC or local time is used
(since 1972 over 40 countries throughout the world have adopted UTC as their
official time source).
5. Be prepared to testify (perhaps years later) outlining all actions you took and
at what times. Detailed notes will be vital.
6. Minimize changes to the data as you are collecting it. This is not limited to content
changes; avoid updating file or directory access times.
7. Remove external avenues for change.
8. When confronted with a choice between collection and analysis you should do
collection first and analysis later.
9. Needless to say, your procedures should be implementable. As with any
aspect of an incident response policy, procedures should be tested to ensure
feasibility, particularly, in a crisis. If possible, procedures should be automated for
reasons of speed and accuracy. Being methodical always helps.
10. For each device, a systematic approach should be adopted to follow the
guidelines laid down in your collection procedure. Speed will often be critical;
therefore, where there are a number of devices requiring examination, it may be
appropriate to spread the work among your team to collect the evidence in
parallel. However, on a single given system collection should be done step by step.
11. Proceed from the volatile to the less volatile; the order of volatility is as follows:
• Registers, cache (most volatile, i.e., contents lost as soon as the power is turned
OFF);
• routing table, Address Resolution Protocol (ARP) cache, process table, kernel
statistics, memory;
• temporary file systems;
• disk;
• remote logging and monitoring data that is relevant to the system in question;
• physical configuration and network topology;
• archival media (least volatile, i.e., holds data even after power is turned OFF).
12. You should make a bit-level copy of the system’s media. If you wish to do
forensics analysis you should make a bit-level copy of your evidence copy for
that purpose, as your analysis will almost certainly alter file access times. Try
to avoid doing forensics on the evidence copy.

Digital Forensics Lifecycle


The cardinal rules to remember are that evidence:

1. is admissible;
2. is authentic;
3. is complete;
4. is reliable;
5. is understandable and believable.
The Digital Forensics Process
The Phases in Computer Forensics/Digital Forensics
The forensics life cycle involves the following phases:
1. Preparation and identification;
2. storing and transporting;
3. collection and recording;
4. examination/investigation;
5. analysis, interpretation and attribution;
6. reporting;
7. testifying.
To mention very briefly, the process involves the following activities:
1. Prepare: Case briefings, engagement terms, interrogatories, spoliation prevention,
disclosure and discovery planning, discovery requests.
2. Record: Drive imaging, indexing, profiling, search plans, cost estimates, risk analysis.
3. Investigate: Triage images, data recovery, keyword searches, hidden data review,
communicate, iterate.
4. Report: Oral vs. written, relevant document production, search statistic reports, chain
of custody reporting, case log reporting.
5. Testify: Testimony preparation, presentation preparation, testimony.
Preparing for the Evidence and Identifying the Evidence
Collecting and Recording Digital Evidence
Storing and Transporting Digital Evidence
Examining/Investigating Digital Evidence
Analysis, Interpretation and Attribution
Reporting
Testifying
Precautions to be Taken when Collecting Electronic Evidence

Challenges in Computer Forensics.


Technical Challenges: Understanding the Raw Data and its Structure
The Legal Challenges in Computer Forensics and Data Privacy Issues
Technical Challenges: Understanding the Raw Data and its Structure
There are two aspects of the technical challenges faced in digital forensics investigation –
one is the “complexity” problem and the other is the “quantity” problem involved in a digital
forensics investigation.
A digital forensics investigator often faces the “complexity problem” because acquired data is
typically in its lowest and most raw format.
Non-technical people may find it too difficult to understand such a format. For resolving the
complexity problem, tools are useful; they translate data through one or more “layers of
abstraction” until it can be understood.
For example, to view the contents of a directory from a file system image, tools process the
file system structures so that the appropriate values are displayed.
The data that represents the files in a directory exists in formats that are too low level to
identify without the assistance of tools.
The directory is a layer of abstraction in the file system. Examples of non-file system layers
of abstraction include:
1. ASCII;
2. HTML Files;
3. Windows Registry;
4. Network Packets;
5. Source Code.
Examples of abstraction layers that are data reduction techniques include:
1. Identifying known network packets using IDS signatures;
2. identifying unknown entries during log processing;
3. identifying known files using hash databases;
4. sorting files by their type.
For example, consider examining a FAT file system disk.
The FAT file system has seven layers of abstraction. The first layer uses just the partition
image as input, assuming that the acquisition was done of the raw partition using a tool such
as the UNIX “dd” tool.
This layer uses the defined Boot Sector structure and extracts the size and location values.
Examples of extracted values include:
1. Starting location of FAT;
2. size of each FAT;
3. number of FATs;
4. number of sectors per cluster;
5. location of Root Directory.
The abstraction layers of the FAT file system are as follows:
1. Layer 0: Raw file system image;
2. Layer 1: File system image and values from Boot Sector and FAT Entry Size;
3. Layer 2: FAT Area and Data Area;
4. Layer 3: Starting Cluster, FAT Entries;
5. Layer 4: Clusters, Raw Cluster Content and Content Type;
6. Layer 5: Formatted Cluster Content;
7. Layer 6: List of Clusters.
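The following Python script is an added worked example, not code from these notes or from any forensics tool. It shows the first abstraction layer (reading the size and location values out of the boot sector) and the jump from a starting cluster through the FAT entries to the list of clusters (layers 3 to 6). The boot sector bytes and the FAT16 table are constructed sample data, the field offsets are those of the standard FAT BIOS Parameter Block, and the loop/bad-cluster checks illustrate why a tool must not trust a damaged or tampered image.

```python
import struct
from typing import Dict, List


def build_sample_boot_sector() -> bytes:
    """Constructed 512-byte FAT16 boot sector with plausible BPB values (not a real disk)."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x3C\x90"                 # jump instruction
    bs[3:11] = b"MSWIN4.1"                    # OEM name
    struct.pack_into("<H", bs, 11, 512)       # bytes per sector
    bs[13] = 4                                # sectors per cluster
    struct.pack_into("<H", bs, 14, 4)         # reserved sectors (the FAT area starts after these)
    bs[16] = 2                                # number of FATs
    struct.pack_into("<H", bs, 17, 512)       # root directory entries (32 bytes each)
    struct.pack_into("<H", bs, 19, 65535)     # total sectors (16-bit field)
    bs[21] = 0xF8                             # media descriptor: fixed disk
    struct.pack_into("<H", bs, 22, 64)        # sectors per FAT
    bs[510:512] = b"\x55\xAA"                 # boot sector signature
    return bytes(bs)


def parse_boot_sector(sector: bytes) -> Dict[str, int]:
    """Layer 1: pull the size and location values out of the boot sector (little-endian)."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature: not a FAT boot sector")
    bytes_per_sector, = struct.unpack_from("<H", sector, 11)
    sectors_per_cluster = sector[13]
    reserved_sectors, = struct.unpack_from("<H", sector, 14)
    num_fats = sector[16]
    root_entries, = struct.unpack_from("<H", sector, 17)
    total_sectors_16, = struct.unpack_from("<H", sector, 19)
    sectors_per_fat, = struct.unpack_from("<H", sector, 22)
    total_sectors_32, = struct.unpack_from("<I", sector, 32)
    if bytes_per_sector == 0 or sectors_per_cluster == 0 or num_fats == 0:
        raise ValueError("corrupt BPB: zero-sized geometry field")
    root_dir_sectors = (root_entries * 32 + bytes_per_sector - 1) // bytes_per_sector
    fat_start = reserved_sectors
    root_dir_start = fat_start + num_fats * sectors_per_fat
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "num_fats": num_fats,
        "sectors_per_fat": sectors_per_fat,
        "total_sectors": total_sectors_16 or total_sectors_32,
        "fat_start_sector": fat_start,
        "root_dir_start_sector": root_dir_start,
        "data_start_sector": root_dir_start + root_dir_sectors,   # cluster 2 begins here
    }


def build_sample_fat16() -> bytes:
    """Constructed FAT16 table: cluster 2 -> 3 -> 5 -> end-of-chain; clusters 4, 6, 7 free."""
    entries = [0xFFF8, 0xFFFF, 3, 5, 0, 0xFFFF, 0, 0]
    return b"".join(struct.pack("<H", e) for e in entries)


def cluster_chain(fat: bytes, start_cluster: int) -> List[int]:
    """Layers 3-6: follow FAT entries from a directory entry's starting cluster to the
    full list of clusters holding the file. Stops at end-of-chain (>= 0xFFF8) and refuses
    bad-cluster marks (0xFFF7), out-of-range entries and loops, all of which turn up in
    damaged or tampered images."""
    chain: List[int] = []
    cluster = start_cluster
    while 2 <= cluster < 0xFFF7:
        if cluster in chain:
            raise ValueError(f"FAT chain loops back to cluster {cluster}")
        if (cluster + 1) * 2 > len(fat):
            raise ValueError(f"cluster {cluster} lies outside the FAT")
        chain.append(cluster)
        cluster, = struct.unpack_from("<H", fat, cluster * 2)
    if cluster == 0xFFF7:
        raise ValueError("chain runs into a cluster marked bad")
    return chain


def cluster_to_sector(layout: Dict[str, int], cluster: int) -> int:
    """Translate a cluster number into its first sector in the data area."""
    return layout["data_start_sector"] + (cluster - 2) * layout["sectors_per_cluster"]


if __name__ == "__main__":
    layout = parse_boot_sector(build_sample_boot_sector())
    chain = cluster_chain(build_sample_fat16(), 2)
    print(layout)
    print("clusters:", chain, "sectors:", [cluster_to_sector(layout, c) for c in chain])
```

With the constructed values the FAT area starts at sector 4, the root directory at sector 132 and the data area at sector 164, and a file whose directory entry points at cluster 2 occupies clusters 2, 3 and 5, i.e. sectors 164, 168 and 176. Each function consumes only the output of the layer below it, which is exactly the layering the text describes.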
The Legal Challenges in Computer Forensics and Data Privacy Issues
Evidence, to be admissible in court, must be relevant, material and competent, and its
probative value must outweigh any prejudicial effect.
There are many types of personnel involved in digital forensics/computer forensics:
(a) Technicians: who carry out the technical aspects of gathering evidence;
(b) Policy makers: who establish forensics policies that reflect broad considerations;
(c) Professionals: the link between policy and execution – who must have
extensive technical skills as well as a good understanding of the legal procedure.
Skills for digital forensics professionals are the following:
1. Identify relevant electronic evidence associated with violations of specific laws;
2. identify and articulate probable cause necessary to obtain a search warrant and
recognize the limits of warrants;
3. locate and recover relevant electronic evidence from computer systems using tools;
4. recognize and maintain a chain of custody;
5. follow a documented forensics investigation process.
Chain of Custody

Chain of Custody refers to the logical sequence that records the sequence of custody, control,
transfer, analysis and disposition of physical or electronic evidence in legal cases. Each step in
the chain is essential, as if it is broken the evidence may be rendered inadmissible. Thus we can say
that preserving the chain of custody is about following the correct and consistent procedure
and hence ensuring the quality of evidence.

One of the concepts that is most essential in Digital Forensics is the Chain of Custody. The chain
of custody in digital cyber forensics is also known as the paper trail, forensic link, or
chronological documentation of the evidence. Chain of custody indicates the collection,
sequence of control, transfer and analysis.
It also documents details of each person who handled the evidence, the date and time it was
collected or transferred, and the purpose of the transfer.
It demonstrates to the courts and to the client that the evidence has not been tampered with.
Digital evidence is acquired from a myriad of devices, such as a vast number of IoT devices, audio
evidence, video recordings, images, and other data stored on hard drives, flash drives, and
other physical media.
Importance of maintaining Chain of Custody

Importance to Examiner: To preserve the integrity of the evidence, and to prevent the evidence
from contamination, which can alter its state.
Suppose you obtained metadata for a piece of evidence but are unable to extract any meaningful
information from the metadata. In such a case, the chain of custody helps to show where
possible evidence might lie, where it came from, who created it, and the type of equipment
used. This will help you to generate an exemplar and compare it to the evidence to confirm the
evidence properties.
In order to preserve digital evidence, the chain of custody should span from the first step of data
collection to examination, analysis, reporting, and the time of presentation to the Courts. This is
very important to avoid the possibility of any suggestion that the evidence has been
compromised in any way.
Data Collection: This is where the chain of custody process is initiated. It involves identification,
labeling, recording, and the acquisition of data from all the possible relevant sources, in a way that
preserves the integrity of the data and evidence collected.
Examination: During this process, the chain of custody information is documented outlining the
forensic process undertaken. It is important to capture screenshots throughout the process to show
the tasks that are completed and the evidence uncovered.
Analysis: This stage is the result of the examination stage. In the Analysis stage, legally justifiable
methods and techniques are used to derive useful information to address questions posed in the
particular case.
Reporting: This is the documentation phase of the Examination and Analysis stage. Reporting
includes the following:
Statement regarding Chain of Custody.
Explanation of the various tools used.
A description of the analysis of various data sources.
Issues identified.
Vulnerabilities identified.
Recommendation for additional forensics measures that can be taken.
The Chain of Custody Form

In order to prove a chain of custody, you’ll need a form that lists out the details of how the evidence was handled
every step of the way. The form should answer the following questions:
What is the evidence?: For example, digital information includes the filename and md5 hash, and hardware
information includes serial number, asset ID, hostname, photos and description.
How did you get it?: For example, bagged, tagged or pulled from the desktop.
When was it collected?: Date, time.
Who has handled it?
Why did that person handle it?
Where was it stored?: This includes the information about the physical location in which the evidence is stored or
information about the storage used to store the forensic image.
How did you transport it?: For example, in a sealed static-free bag, or in a secure storage container.
How was it tracked?
How was it stored?: For example, in a secure storage container.
Who has access to the evidence?: This involves developing a check-in/check-out process.
The CoC form must be kept up to date. This means every time the evidence is handed off, the chain of
custody form needs to be updated.
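The following Python class is an added example (not part of these notes and not any product's custody software) of keeping the chain-of-custody form described above and in the earlier "Chain of custody" definition as a machine-checkable record. Each entry answers the form's questions (what, how, when, who, why, where), carries the exhibit's hash re-computed at the hand-off, and is linked to the previous entry by hash, so that an edited entry or a changed exhibit fails verification. The exhibit bytes, names, timestamps and locations are constructed sample values; SHA-256 is used as the hash, and the serial number is a labelled placeholder.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

ZERO_HASH = "0" * 64  # link value for the first entry in the chain


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record for one exhibit.

    Every entry answers the form's questions and carries the exhibit's hash plus the
    hash of the previous entry, so a later alteration of any entry, or of the exhibit
    itself, is detectable on verification.
    """

    def __init__(self, exhibit_id: str, description: str, evidence: bytes):
        self.exhibit_id = exhibit_id
        self.description = description              # "What is the evidence?"
        self.evidence_hash = sha256_hex(evidence)   # hash recorded at acquisition
        self.entries: List[Dict] = []

    def add_entry(self, who: str, action: str, why: str, where: str,
                  evidence: bytes, when: Optional[datetime] = None) -> Dict:
        # Re-hash the exhibit at every hand-off; a mismatch means the chain is broken.
        observed = sha256_hex(evidence)
        if observed != self.evidence_hash:
            raise ValueError(f"{self.exhibit_id}: hash mismatch at hand-off to {who}")
        prev = self.entries[-1]["entry_hash"] if self.entries else ZERO_HASH
        entry = {
            "exhibit_id": self.exhibit_id,
            "who": who,                 # who handled it
            "action": action,           # how it was obtained / transported / stored
            "why": why,                 # why that person handled it
            "where": where,             # where it was stored
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "evidence_hash": observed,
            "prev_hash": prev,          # link to the previous entry
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry links to its predecessor and none has been edited."""
        prev = ZERO_HASH
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo() -> Tuple[bool, bool]:
    # Constructed sample: a short byte string stands in for an acquired disk image.
    image = b"constructed sample image bytes, not real evidence"
    log = CustodyLog("EXHIBIT-001", "forensic image of laptop HDD (serial: PLACEHOLDER)", image)
    t = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    log.add_entry("Examiner A", "acquired bit-for-bit image; drive bagged and tagged",
                  "seizure", "scene", image, t)
    log.add_entry("Examiner A", "transported in sealed static-free bag",
                  "transfer to lab", "evidence locker 3", image, t.replace(hour=12))
    log.add_entry("Examiner B", "checked out; working copy made for analysis",
                  "examination", "forensics lab", image, t.replace(day=16))
    intact = log.verify()
    # Simulated after-the-fact edit of an earlier entry: verification must now fail.
    log.entries[1]["where"] = "unknown"
    return intact, log.verify()


if __name__ == "__main__":
    print("before edit, after edit:", demo())   # (True, False)
```

The record is only as trustworthy as the place it is kept; in practice the entries are signed or stored where the examiner cannot rewrite them, and the printed form is still signed and dated as the text requires. The hash re-check at each hand-off is what turns "the evidence has not been tampered with" from an assertion into something the court can verify.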
Procedure to establish the Chain of Custody
In order to assure the authenticity of the chain of custody, a series of steps must be followed. It is
important to note that the more information the forensic expert obtains concerning the evidence, the
more authentic is the created chain of custody.
The following procedure is followed according to the chain of custody for electronic devices:
• Save the original material.
• Take photos of the physical evidence.
• Take screenshots of the digital evidence.
• Document the date, time, and any other information on the receipt of the evidence.
• Inject a bit-for-bit clone of the digital evidence content into forensic computers.
• Perform a hash test analysis to authenticate the working clone.
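As an added example (not the notes' own code, and not the `dd` tool itself), the following Python script carries out the last two steps above together with guideline 12 from the evidence-collection list: a bit-for-bit copy of the media is made, the copy is authenticated by hashing source and image, a separate working copy is made from the evidence copy, and a change made during analysis is shown to touch only the working copy. The "drive" is a constructed 16 KiB file in a temporary directory; on a real drive the source would be read through a write-blocker, which the script cannot supply.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Dict

BLOCK_SIZE = 4096  # fixed-size reads, the same idea as dd's bs=


def hash_file(path: str, algorithms=("md5", "sha256")) -> Dict[str, str]:
    """Hash a file block by block so that arbitrarily large images can be verified."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def image_device(source: str, image: str) -> bool:
    """Bit-for-bit copy of source into image, then authenticate the copy by hashing both.
    The source is only ever opened for reading."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            dst.write(chunk)
    return hash_file(source) == hash_file(image)


def demo() -> Dict[str, bool]:
    workdir = tempfile.mkdtemp()
    try:
        device = os.path.join(workdir, "device.bin")
        with open(device, "wb") as f:
            f.write(bytes(range(256)) * 64)       # constructed 16 KiB "drive" contents

        evidence_copy = os.path.join(workdir, "evidence.dd")
        acquisition_ok = image_device(device, evidence_copy)
        evidence_hashes = hash_file(evidence_copy)   # these values go on the custody form

        # Analysis runs on a second copy made from the evidence copy, never on it.
        working_copy = os.path.join(workdir, "working.dd")
        shutil.copyfile(evidence_copy, working_copy)
        with open(working_copy, "r+b") as f:         # simulated change made during analysis
            f.seek(100)
            f.write(b"\x00")

        return {
            "acquisition_verified": acquisition_ok,
            "evidence_copy_intact": hash_file(evidence_copy) == evidence_hashes,
            "working_copy_changed": hash_file(working_copy) != evidence_hashes,
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

Re-running `hash_file` on the evidence copy at every later hand-off, and comparing with the values recorded at acquisition, is the "hash test analysis" the procedure calls for; a mismatch at any point means the working clone can no longer be vouched for.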
How can the Chain of Custody be assured?
A couple of considerations are involved when dealing with digital evidence and Chain of Custody. We shall discuss the most
common and globally accepted and practiced best practices.
Never ever work with the Original Evidence: The biggest consideration that needs to be taken care of while dealing with
digital evidence is that the forensic expert has to make a full copy of the evidence for forensic analysis. This cannot be
overlooked, as when errors are made to working copies or comparisons need to be done, we need an original copy.
Ensuring storage media is sterilized: It is important to ensure that the examiner’s storage device is forensically clean when
acquiring the evidence. If the examiner’s storage media is infected with malware, the malware can escape
into the machine being examined and all of the evidence will eventually get compromised.
Document any extra scope: During the process of examination, it is important to document all such information that is
beyond the scope of the current legal authority and later brought to the attention of the case agent. A comprehensive report must
contain the following sections:
Identity of the reporting agency.
Case identifier.
Case investigator.
Identity of the submitter.
Date of receipt.
Date of report.
Descriptive list of items submitted for examination: This includes the serial number, make, and model.
Identity and signature of the examiner
Brief description of steps taken during the examination: For example- string searches, graphics image searches, and recovering
erased files.
Results.
Consider the safety of the personnel at the scene: It is very important to ensure that the crime scene is fully secure before
and during the search. In some cases, the examiner may only be able to do the following while onsite:
Identify the number and type of computers.
Interview the system administrator and users.
Identify and document the types and volume of media: This includes removable media also.
Determine if a network is present.
Document the information about the location from which the media was removed.
Identify offsite storage areas and/or remote computing locations.
Identify proprietary software.
Determine the operating system in question.
The Digital evidence and Digital Chain of Custody are the backbones of any action taken by digital forensic specialists.
Network Forensics
• The word “forensics” means the use of science and technology to investigate and establish facts in
criminal or civil courts of law. Forensics is the procedure of applying scientific knowledge for the
purpose of analyzing the evidence and presenting them in court.
• Network forensics is a subcategory of digital forensics that deals with the examination of a network
and the traffic going across it when the network is suspected to be involved in malicious activities, for
example a network that is spreading malware for stealing credentials, and with the investigation and
analysis of cyber-attacks. As the internet grew, cybercrimes grew along with it, and so did the
significance of network forensics, with the development and acceptance of network-based services such
as the World Wide Web, e-mails, and others.
• With the help of network forensics, the entire data can be retrieved, including messages, file
transfers, e-mails and web browsing history, and reconstructed to expose the original
transaction. It is also possible that the payload in the uppermost layer packet might wind up on
the disk, but the envelopes used for delivering it are only captured in network traffic. Hence, the
network protocol data that encloses each dialog is often very valuable.
• For identifying the attacks, investigators must understand the network protocols and applications
such as web protocols, Email protocols, network protocols, file transfer protocols, etc.
Investigators use network forensics to examine network traffic data gathered from the networks that
are involved or suspected of being involved in cyber-crime or any type of cyber-attack.
Processes Involved in Network Forensics:
Some processes involved in network forensics are given below:
Identification: In this process, investigators identify and evaluate the incident based on indicators observed on
the network.
Safeguarding: In this process, the investigators preserve and secure the data so that tampering can be
prevented.
Accumulation: In this step, a detailed report of the crime scene is documented and all the collected items of
digital evidence are duplicated.
Observation: In this process, all the visible data is tracked along with its metadata.
Investigation: In this process, a final conclusion is drawn from the collected evidence.
Documentation: In this process, all the evidence, reports and conclusions are documented and
presented in court.
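As an added illustration of the safeguarding and observation steps above (example code written for these notes, not taken from the original document), the following Python hashes a constructed packet capture so that later tampering with the evidence can be detected, and reassembles the out-of-order, partly retransmitted packets into the original HTTP exchange while recording any gaps. The packet records, addresses and flow layout are all constructed assumptions.

```python
import hashlib
import json
from collections import defaultdict

# Constructed sample capture (not real traffic): each record is one packet's
# "envelope" (addresses, ports, sequence number) plus payload. Client packets
# arrive out of order and one is retransmitted, edge cases a reassembler must handle.
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "sport": 51234, "dst": "203.0.113.7", "dport": 80,
     "seq": 1, "payload": b"GET /login HTTP/1.1\r\n"},
    {"src": "10.0.0.5", "sport": 51234, "dst": "203.0.113.7", "dport": 80,
     "seq": 42, "payload": b"\r\n"},
    {"src": "10.0.0.5", "sport": 51234, "dst": "203.0.113.7", "dport": 80,
     "seq": 22, "payload": b"Host: example.test\r\n"},
    {"src": "10.0.0.5", "sport": 51234, "dst": "203.0.113.7", "dport": 80,
     "seq": 22, "payload": b"Host: example.test\r\n"},  # retransmission
    {"src": "203.0.113.7", "sport": 80, "dst": "10.0.0.5", "dport": 51234,
     "seq": 1, "payload": b"HTTP/1.1 200 OK\r\n\r\n"},
]

def capture_digest(packets):
    """Safeguarding step: SHA-256 over a canonical serialization of the capture,
    recorded at seizure time so later tampering can be detected."""
    canonical = [{**p, "payload": p["payload"].hex()} for p in packets]
    blob = json.dumps(canonical, sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()

def verify_integrity(packets, recorded_digest):
    """Re-hash the capture and compare with the digest in the custody record."""
    return capture_digest(packets) == recorded_digest

def reassemble(packets):
    """Observation step: rebuild each one-directional TCP flow, dropping
    retransmitted segments and recording sequence gaps (missing bytes)."""
    by_flow = defaultdict(dict)
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        by_flow[key].setdefault(p["seq"], p["payload"])  # first copy wins
    flows = {}
    for key, segments in by_flow.items():
        data, gaps = b"", []
        expected = min(segments)
        for seq in sorted(segments):
            if seq > expected:  # bytes missing: packet loss or capture drop
                gaps.append((expected, seq - expected))
            data += segments[seq]
            expected = seq + len(segments[seq])
        flows[key] = {"data": data, "gaps": gaps}
    return flows
```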
Challenges in Network Forensics:
The biggest challenge is to manage the data generated during the process.
Intrinsic anonymity of IP addresses.
IP address spoofing.
Advantages:
Network forensics helps in identifying security threats and vulnerabilities.
It analyzes and monitors network performance demands.
Network forensics helps in reducing downtime.
Network resources can be used in a better way by reporting and better planning.
It helps in a detailed network search for any trace of evidence left on the network.
Disadvantage:
The only disadvantage of network forensics is that it is difficult to implement.
Cyber Security: Organizational Implications

Introduction:
In today's digital age, organizations face a constant threat from cyber attacks that can have severe consequences
for their operations, reputation, and financial stability. This section explores the challenges organizations
encounter in dealing with cyber attacks and highlights the implications for their security posture.
I. Evolving Threat Landscape:
The rapid advancement of technology has led to a parallel rise in sophisticated cyber threats. Hackers and
cybercriminals employ various techniques such as malware, phishing, ransomware, and social engineering to
exploit vulnerabilities in organizational systems. The ever-evolving nature of these threats poses a significant
challenge for organizations to keep up with the latest security measures.
II. Insider Threats:
One of the most challenging aspects of cyber attacks for organizations is the presence of insider threats.
Employees or former employees with malicious intent can compromise sensitive data, sabotage systems, or
provide unauthorized access to cybercriminals. Mitigating insider threats requires a delicate balance between
trust and security, as organizations must implement robust access controls, monitoring systems, and employee
awareness programs.
III. Data Breaches and Privacy Concerns:
Data breaches have become alarmingly common, leading to the exposure of sensitive information
and violating user privacy. Organizations must adhere to strict data protection regulations, such as
the General Data Protection Regulation (GDPR) in the European Union, to safeguard customer data.
The financial and reputational damage resulting from data breaches can be significant, necessitating
proactive measures to prevent and respond to such incidents.
IV. Resource Constraints:
Many organizations, particularly small and medium-sized enterprises, face resource constraints
when it comes to cybersecurity. Limited budgets and lack of skilled personnel make it challenging to
implement robust security measures and maintain an effective security posture. Cybersecurity
awareness training, regular system updates, and investing in reliable security solutions are crucial
but often overlooked due to resource limitations.
V. Rapid Technological Advancements:
The rapid adoption of emerging technologies such as cloud computing, the Internet of Things (IoT),
and artificial intelligence (AI) brings new security challenges for organizations. Integrating these
technologies into existing infrastructures without compromising security requires specialized
knowledge and expertise. Failure to address these challenges effectively can expose organizations to
vulnerabilities and potential cyber attacks.
VII. Third-Party Risks:
Many organizations rely on third-party vendors and partners for various services and support.
However, these relationships can introduce additional risks. Cyber attacks on third-party vendors
can compromise organizational systems and data. Organizations must conduct due diligence and
establish strong security protocols when engaging with third parties to mitigate these risks.
VIII. Regulatory Compliance:
Organizations are subject to an increasing number of cybersecurity regulations and compliance
standards. Failure to comply with these requirements can result in legal repercussions and
reputational damage. Navigating the complex landscape of regulatory compliance can be challenging,
particularly for multinational organizations operating in different jurisdictions with varying data
protection laws.