Cyber Unit 2

Cyber Forensic Investigative And Technical Issues :-

Cyber Forensic Investigation :-
1. The science of collecting, inspecting, interpreting, reporting, and presenting computer-related electronic evidence is known as cyber forensics.
2. Evidence can be found on the hard drive or in deleted files.
3. It is the process of examining, acquiring, and analyzing data from a system or device so that it can be transcribed into physical documentation and presented in court.
4. During the inspection, it is critical to create a digital (soft) copy of the system's storage media.
5. The purpose of carrying out a detailed cyber forensics investigation is to determine who is to blame for a security breach.
6. The entire inquiry is carried out on the soft copy, ensuring that the original system is not affected.
7. In the technological age, cyber forensics is an unavoidable and incredibly important discipline.
How are cyber security and digital forensics related?
1. Cyber security aims to reduce the risk of cyber attacks and protect against unauthorized exploitation of systems, networks, and technologies.
2. Digital forensics, by contrast, focuses on the recovery and investigation of artifacts found on a digital device.
3. As everything becomes digitalized, the scope of cyber forensics expands.
4. It assists us in combating hostile actions by identifying the underlying perpetrators.
5. The evidence gathered during inquiries aids cyber security specialists in locating the hackers and crackers.
6. The role of cyber forensic experts is becoming much more crucial nowadays due to the increase in cybercrime.
7. According to NCRB, cybercrime doubled from 2016 to 2018, and it is predicted to increase to as much as four times the present level.
8. This shows the importance of law enforcement in solving cybercrime, and of cyber experts facing the various challenges of cyber forensics.
9. Cyber forensics enables specialists to remotely examine any crime scene by reviewing the browsing history, email records, or other digital traces.
The Process Involved in Cyber Forensics:-
• Obtaining a digital copy of the system under inspection: This step entails producing a copy of the system's data so that no harm is done to the actual system, which might otherwise lead to confusion between the investigator's files and the files already present on the computer. Cloning a hard disk means replicating the drive's files and folders bit by bit; the duplicate is written to another disk, copying every small piece of data, and all analysis is performed on that duplicate.
• Authenticating and confirming the replica: After copying the files, experts verify that the copied data is consistent and exactly as it exists on the real system.
• Determining that the copied data is forensically acceptable: It is possible for the format of the data to change while duplicating it from a device, resulting in discrepancies between the investigators' operating system and the one from which the data was copied. To avoid this, investigators ensure that the structure stays constant and that the data is forensically acceptable and is written to the hard disk drive in a format that the computer can properly use.
• Recovering deleted files: Criminals think of innovative ways of cleaning up the scene and often remove data that could indicate their misconduct; it is the work of the investigators to recover and reconstruct deleted files with state-of-the-art software. Files erased by the user are not permanently wiped from the computer, so forensics specialists can recover them.
• Finding the necessary data with keywords: Investigators use specialised high-speed tools to locate relevant information by searching the copied data for keywords. The OS perceives vacant space on the hard disk as room for storing new files and directories; however, temporary files and documents that were erased years ago remain there until new data overwrites them. Forensics specialists search this free space, using tools that can access all of the data and pull out the pertinent information for the given phrases.
• Establishing a technical report: The last phase is to produce a technical report that is relevant and easily understood regardless of the reader's background. The report must state clearly the crime, the possible culprits, and the innocent individuals, and should focus mostly on who the culprit is, what techniques they used to commit the crime, and how.
Skills Required for a Cyber Forensic Investigator:-
• Technical Aptitude: Cyber security is a technology-driven field; you will probably be responsible for debugging, regularly updating the ISS, and offering protection systems in real time. Being technologically competent is necessary to conduct the normal operations of a cyber security professional.
• Attention to detail: To preserve the vital elements of an organization and to avoid risks, you need to be very alert and detail-oriented. You would most likely be required to conduct a thorough assessment of your infrastructure, swiftly spot issues, and develop ways to solve them in live environments.
• Analytical ability: A major part of being a cyber forensics specialist is the capability to analyze data and build a clear comprehension of it.
• Strong communication skills: A crime scene investigator must be able, as part of a case, to examine technical facts and explain them to others in depth.
Cyber Forensics and Information Security:-
• Cyber Forensics: used to collect and evaluate proof from a specific computing device in an inquiry, with scanning and reporting that is acceptable for court filings. Eg.: investigating a computer system intrusion.
• Information Security: the protection of information assets to ensure integrity and availability and to prevent unauthorized access, disclosure, interruption, amendment, or annihilation. Eg.: defending against hacking intrusion.
Cyber Forensics Tools:-
• Data capture tools: Data capture tools offer computerized assistance, among other things, for forensic testing, data collection, reporting, query resolution, randomization, and authentication.
• File viewers: A file viewer is software that correctly displays the data recorded in a file. In contrast to an editor, a file viewer only visualizes the content of a file.
• File analysis tools: File analysis software is developed to allow cyber experts to comprehend the file structure of an organization. These tools index, search, monitor, and evaluate critical file data.
• Internet analysis tools: Google Analytics is one of the best free tools that any website owner can use to track and analyze data about web traffic.
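As an added example (not from these notes or any tool they mention), the Python script below carries out the two recovery steps described in the process section: carving deleted files out of raw free space by their file signatures, and keyword-searching that space in both ASCII and UTF-16LE. The signature table, the sample "unallocated space" and the keywords are all constructed for the demonstration.

```python
"""Added example (not from the notes): carve deleted files by signature and keyword-search free space.

Assumption: the "unallocated space" is an in-memory byte string built below; on a real case
it would be the raw bytes of the disk image (or of its unallocated clusters).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Header/trailer pairs for a few common formats (a constructed subset; real carvers ship many more).
SIGNATURES: Dict[str, Tuple[bytes, bytes]] = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


@dataclass
class CarvedFile:
    kind: str
    offset: int   # byte offset in the image where the header was found
    data: bytes


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> List[CarvedFile]:
    """Find every header and take bytes up to the matching trailer; a header with no trailer
    within max_size is treated as an overwritten fragment and skipped."""
    found: List[CarvedFile] = []
    for kind, (header, trailer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            end = image.find(trailer, start + len(header), start + max_size)
            if end == -1:
                start = image.find(header, start + 1)
                continue
            end += len(trailer)
            found.append(CarvedFile(kind, start, image[start:end]))
            start = image.find(header, end)
    return sorted(found, key=lambda f: f.offset)


def keyword_search(image: bytes, keywords: List[str]) -> Dict[str, List[Tuple[int, str]]]:
    """Case-insensitive search for each keyword both as ASCII and as UTF-16LE, the encoding
    Windows uses for many registry values, document metadata and shell artifacts."""
    hits: Dict[str, List[Tuple[int, str]]] = {}
    for keyword in keywords:
        encodings = {"ascii": keyword.encode("ascii"), "utf-16le": keyword.encode("utf-16-le")}
        matches = []
        for name, needle in encodings.items():
            for match in re.finditer(re.escape(needle), image, flags=re.IGNORECASE):
                matches.append((match.start(), name))
        hits[keyword] = sorted(matches)
    return hits


def build_sample_image() -> bytes:
    """Constructed unallocated space: zero filler, a minimal PNG, an ASCII note, a JPEG,
    an orphan JPEG header with no trailer, and a UTF-16LE string."""
    filler = b"\x00" * 512
    png = (SIGNATURES["png"][0] + b"\x00\x00\x00\x0dIHDR" + b"\x01" * 17
           + b"\x00\x00\x00\x00" + SIGNATURES["png"][1])
    note = b"Transfer to account 1234, invoice attached"
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x42" * 40 + b"\xff\xd9"
    orphan = b"\xff\xd8\xff" + b"\x00" * 16
    note16 = "Invoice".encode("utf-16-le")
    return filler + png + filler + note + filler + jpg + orphan + filler + note16 + filler


if __name__ == "__main__":
    image = build_sample_image()
    for carved in carve(image):
        print(f"{carved.kind} at offset {carved.offset}, {len(carved.data)} bytes")
    for keyword, matches in keyword_search(image, ["invoice", "account"]).items():
        print(keyword, matches)
```

Note that the orphan header is reported nowhere: a carver that ignores missing trailers is how an examiner avoids presenting a half-overwritten fragment as a recovered file.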
Crime Scene investigation in view of Cyber Crime:-
1. Cyber Crime Investigation is a broad term in the investigation community.
2. Cyber crimes can be as simple as password stealing or phishing schemes, or as complex and cruel as child exploitation, human trafficking, and ransomware attacks.
3. The tactics investigators use to catch the suspects involved vary based on the type of cybercrime committed.
4. Before investigating, there are a few key steps an investigator must take to ensure they gather and analyze all the evidence correctly.
5. The first step in the investigation is to assess the crime. You need to know what exactly happened.
6. This is the point to ask the rudimentary questions: "Who, what, where, why, how, and when?" This gives you the opportunity to gather surface-level information that will help you prioritize your resources and time in the right direction.
7. After you have answered all the questions you can, you should have an idea of what tools you need to use to find the evidence.
8. Next, you will need to follow the proper procedure to collect the evidence.
9. The proper procedure is usually already established by the investigating supervisor or department officer.
10. Procedure is important to ensure that evidence is collected in the correct order and does not get lost in the chain of custody.
11. You do not want a suspect's counsel to poke holes in your case and claim that the evidence was acquired illegally before it even gets to trial, because the evidence was not collected or handled correctly.
12. Depending on the tools you have, you will either be able to collect the evidence from a device on site or have to bring the entire device to a lab to be analyzed in later steps.
13. You may also need to acquire proper warrants or court orders to look through these devices at this stage.
14. Next, you will have to assess the evidence that you have at the scene.
15. You may have a variety of different devices, and now it is time to discover whether these devices and laptops are important to solving your case.
16. This is also where you decide what type of evidence you have on these devices that will help solve the crime and convict a suspect. With that being said, you may also need to follow certain steps set out earlier in the procedure to make sure that evidence is collected and cataloged.
17. After the assessment of the evidence, you are ready to decide what it would have taken to commit this crime and what evidence would show it.
18. For example, financial crimes would require analyzing email transfers and artifact detection.
19. Therefore, you would perform eDiscovery to find these traces.
20. You would also decide where on a computer or mobile device this evidence might be hiding and focus your tools on extracting the evidence from that software or mobile app.
21. Once you have assessed and collected the memory and files from a device, you can move on to the next step, Evidence Examination.
22. In this stage, you analyze the evidence collected and start using custom search profiles to expose more detail and make better connections to the crime.
Detection methods for cyber-crime cases:-
1. Cyber crime scene protection: The quality of crime scene protection has a major impact on whether criminal evidence can be collected, whether the facts of the crime can be determined, and whether the case can then be solved in time.
2. Cybercrime spans a larger time and space than traditional crimes.
3. Sometimes it can be free from geographical restrictions, and it can even be committed across borders, so it is difficult to determine the scene.
4. Moreover, because the criminal target is intangible electronic data, the computer system, especially the network system, has a complicated structure; the forensic work is highly technical, and an inadvertent operation may lead to the destruction of evidence.
5. The specific methods for determining the cybercrime scene are as follows:
6. Where the physical components of the computer system have been destroyed, the scene is obvious: it is the computer itself and its surrounding space.
7. Based on the information of the case, analyze the suspect's motives, means, level of computer knowledge, and so on, to work out the possible perpetrators and the computer used for the crime, and then determine the scene of the crime.
8. The crime scene can be found according to the contents of the system log or audit record of the computer information system.
9. Determine the crime scene according to the type, nature, and means of crime in the different cases.
10. Focus on the computer on which the problem was discovered, radiate outward to other places and equipment connected to the network, and determine the crime scene based on the circumstances of the case.
11. Apart from hacking cases, most cybercrime perpetrators are internal personnel.
12. Therefore, it is possible to conduct investigations based on the computer operators and related business personnel in the victim units.
13. Identify the person first, then trace from the person to the scene to determine the crime scene.
Cyber-crime scene investigation:-
1. The investigation of a cybercrime scene is an activity in which the judicial organ observes and inspects the crime scene according to law, to understand the circumstances of the case and collect relevant evidence. General survey methods for cybercrime scenes:
2. Study the case, observe and inspect the site, and determine the site and scope of the survey.
3. Determine the survey sequence according to the site environment and the circumstances of the case. Generally, the computer is used as the center and the survey proceeds outward to the periphery. For larger sites, the methods of fragmentation, segmentation, stratification, and partitioning can be performed simultaneously.
4. Record the original scene by means of photography, video recording, drawing, transcript, etc. to "fix" it, and use a scale and a chart to illustrate it. For the fleeting images and text on the monitor screen, photography and video must be used to obtain the evidence.
5. Conduct a detailed investigation and collection of the various kinds of evidence. On the premise that the computer information is not destroyed, look for suspicious traces related to the crime, such as fingerprints, footprints, tool marks, ink, grease, dust, dirt, hair, fibers, etc.
6. Pay attention to all kinds of physical evidence, especially documents such as system manuals, computer operating records, computer-printed forms, stock invoices, shipping orders, deposit slips, burnt paper, recorded fragments, and wiped or modified records.
7. Extract any magnetic storage that may contain criminal information, mainly mobile hard disks, USB flash drives, magnetic tapes, magnetic disks, optical disks, mobile phones, and the like. If the holder is unwilling to surrender the original, it can be copied so that the victim continues to work from the copy.
8. The investigator must pay attention to the original, which is a requirement for evidence.
Cyber crime case investigation procedures :-
The whole process of cybercrime investigation, including screening, secret investigation, on-site investigation, arrest, trial, judicial identification, trial and transfer, is carried out through to the end of the cybercrime investigation activities. Common methods include: methods for obtaining case clues, methods for analyzing and characterizing cases, methods for finding breakthroughs in cases, categorization and statistical methods for data information, and correlation analysis methods for case clues.
Collection of evidence of cybercrime:-
In the process of detecting cybercrime, it is very important to correctly carry out computer forensics and fix the evidence of the crime. In order to ensure the authenticity of electronic evidence, four issues should be paid attention to in the collection of electronic evidence in cybercrime: collect strictly according to law, collect electronic evidence comprehensively, invite electronic experts to participate, and ensure the privacy rights of the parties.
Extraction of electronic evidence :-
1. Since the main carrier of electronic evidence is computer media, the extraction of computer evidence, also known as computer media analysis, is the process of finding valuable data on computers and information systems. The principles of computer evidence extraction:
2. Maintain the originality of the data. That is, the forensic analysis is performed on a copy of the original bitstream of the data on the analyzed machine, which we usually call a clone.
3. Ensure the continuity of evidence. That is, when the evidence is formally submitted to the court, it must be possible to explain any change in the evidence from the initial state of acquisition to the state in which it appears in court. Preferably, of course, there is no change.
4. Maintain the integrity of the data during analysis and delivery. That is, the analysis software and hardware environment does not change the analyzed data, and the data does not change during the transfer process.
5. Accreditation of the forensic process. That is, the process of obtaining evidence must be supervised.
6. In other words, all investigation and evidence collection work done by experts appointed by the plaintiff should be supervised by experts appointed by the other parties.
7. Timeliness of evidence collection.
8. It is necessary to restore destroyed and deleted electronic data in a timely and accurate manner.
Construction of cybercrime investigation and evidence collection model:-
1. Cyber-crime cases are characterized by strong concealment and virtuality.
2. In addition to the investigation methods of traditional crimes, the investigation should also change its thinking, explore new investigation modes, and adopt new network-based investigation measures.
3. The Multi-Dimension Forensics Model (MDFM) reflects the deepening of the forensic process over time.
4. At any time, digital forensics can be cycled back to the state of any node, in line with the real forensic process.
5. The object-oriented concept proposes that the forensic process needs to select the "forensics strategy" and the definition of the "knowledge base" according to the "forensic needs"; furthermore, the forensic process is divided into three layers: the evidence supervision layer, the evidence acquisition layer, and the basic data layer.
6. Of these three layers, the data and knowledge base are in the basic position, evidence acquisition is the main work, and the supervision mechanism at the highest point runs through them all, ensuring the integrity of the evidence chain and greatly improving the reliability and legitimacy of the digital evidence.
Preservation:-
1. Evidence preservation seeks to protect digital evidence from modification.
2. The integrity of digital evidence should be maintained in each phase of the handling of digital evidence (ISO/IEC 27037).
3. First responders, investigators, crime scene technicians, and/or digital forensics experts must demonstrate, wherever possible, that digital evidence was not modified during the identification, collection, and acquisition phases; the ability to do so, of course, depends on the digital device (e.g., computer or mobile phone) and the circumstances encountered (e.g., the need to quickly preserve data).
4. To demonstrate this, a chain of custody must be maintained.
5. The chain of custody is "the process by which investigators preserve the crime (or incident) scene and evidence throughout the life cycle of a case.
6. It includes information about who collected the evidence, where and how the evidence was collected, which individuals took possession of the evidence, and when they took possession of it".
7. In the chain of custody, the names, titles, and contact information of the individuals who identified, collected, and acquired the evidence should be documented, as well as any other individuals the evidence was transferred to, details about the evidence that was transferred, the time and date of the transfer, and the purpose of the transfer.
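As an added example, not part of these notes: the script below implements the replica-authentication step from the process section (hash the source, hash the clone, compare) together with the chain of custody described above, recomputing the evidence digest at every hand-over so that a modification shows up at the entry where it happened. The evidence bytes, the handler names and the evidence identifier are constructed for the demonstration.

```python
"""Added example (not from the notes): verify a forensic copy and log its chain of custody.

Assumption: evidence is held as an in-memory byte string; a real image is read
from disk in the same fixed-size chunks.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


def hash_image(data: bytes, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hash the image in chunks so a multi-gigabyte image is never held twice in memory."""
    digest = hashlib.new(algorithm)
    for offset in range(0, len(data), chunk_size):
        digest.update(data[offset:offset + chunk_size])
    return digest.hexdigest()


def verify_copy(original: bytes, copy: bytes) -> bool:
    """A clone is authentic only if its digest equals the digest of the source media."""
    return hmac.compare_digest(hash_image(original), hash_image(copy))


@dataclass
class CustodyEntry:
    timestamp: str   # ISO-8601 UTC time of the hand-over
    handler: str     # name/title of the person taking possession
    action: str      # collected / verified / transferred / examined
    digest: str      # SHA-256 of the evidence at that moment
    purpose: str     # why the transfer took place


@dataclass
class ChainOfCustody:
    evidence_id: str
    entries: List[CustodyEntry] = field(default_factory=list)

    def record(self, handler: str, action: str, evidence: bytes, purpose: str,
               when: Optional[datetime] = None) -> CustodyEntry:
        """Append a hand-over; the digest is recomputed from the evidence every time."""
        when = when or datetime.now(timezone.utc)
        entry = CustodyEntry(when.isoformat(), handler, action, hash_image(evidence), purpose)
        self.entries.append(entry)
        return entry

    def first_break(self) -> Optional[int]:
        """Index of the first entry whose digest differs from the collection digest, else None."""
        if not self.entries:
            return None
        baseline = self.entries[0].digest
        for index, entry in enumerate(self.entries):
            if not hmac.compare_digest(baseline, entry.digest):
                return index
        return None

    def is_unbroken(self) -> bool:
        """True only if the chain has entries and every digest matches the baseline."""
        return bool(self.entries) and self.first_break() is None


# Constructed sample data: a tiny "disk image", an exact clone and a copy with one byte changed.
SOURCE_IMAGE = bytes(range(256)) * 64
CLONE_IMAGE = bytes(SOURCE_IMAGE)
TAMPERED_IMAGE = SOURCE_IMAGE[:100] + b"\x00" + SOURCE_IMAGE[101:]


def demo_chain() -> ChainOfCustody:
    """Collection and imaging are fine; the third hand-over presents altered evidence."""
    chain = ChainOfCustody("EV-0001")  # constructed identifier
    chain.record("first responder", "collected", SOURCE_IMAGE, "seizure at scene")
    chain.record("lab technician", "verified", CLONE_IMAGE, "imaging completed")
    chain.record("examiner", "examined", TAMPERED_IMAGE, "keyword search")
    return chain


if __name__ == "__main__":
    print("clone authentic:", verify_copy(SOURCE_IMAGE, CLONE_IMAGE))
    print("tampered authentic:", verify_copy(SOURCE_IMAGE, TAMPERED_IMAGE))
    chain = demo_chain()
    print("chain unbroken:", chain.is_unbroken(), "- first break at entry", chain.first_break())
```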
Safety measures for handling original media :-
1. Cyber security refers to all the safety measures taken to protect against deceptive practices carried out online to steal personal data, and to protect networks, programs, and devices from damage and any unauthorized access.
2. Any information transferred through a network can easily be hacked these days, and everyone accesses most things online, whether professional or personal.
3. In organisations most of the work is done through email, audio and video conferences, HRMS, etc., and in their personal lives people do online banking as well.
4. Even online chats are not safe these days [1-4]. Cyber-crime is increasing day by day; therefore various organisations and governments have come forward to deal with all kinds of cyber-crime.
5. The IT industry must focus on safety measures, as 60 percent of all transactions are done online, so this field must have high-quality security to give users full safety while doing any transaction.
6. Even cyber space is not safe these days. The latest technologies like e-commerce, mobile computing, cloud computing, big data science, and artificial intelligence need high cyber security standards.
7. Making the internet safer is an important and integral part of the development of IT services, and it is also important for government to look into it to safeguard IT services.
8. human and to blackmail them and get all information.
9. Effective cyber security will protect, but it does not necessarily protect a network so completely that hackers will not attempt to attack it and target the system or the whole server.
10. But with cyber security it will be difficult for hackers to crack the firewall and get in.
11. Cyber security is important in the world of networks where people are always online doing work, and it can ensure the integrity and availability of computer systems and the resource data of systems.
12. Therefore, cyber security is a must to keep all confidential trade secrets and identify lost data; integrity is assured so that the data in use is valuable and ethical, and it helps restrain all kinds of viruses and data theft.
13. People have lost their mental and financial stability due to cyber crime.
14. Many of them have lost huge amounts of money, and personal photos and even videos have gone viral through such crimes, due to which people have lost their trust in the digital world. Therefore, cyber security must be there, and government should take legal action against cyber criminals.
➢ Web Servers
Cyber criminals create fake servers which look exactly like the original one, loaded with their malicious code, so that a visitor easily enters personal information and the criminals can track every detail. Cyber security means checking twice while doing any transaction and looking at the server in detail.
➢ Cloud space and its services
These days everyone prefers cloud space to store data. This latest service has become a challenge for cyber security, as it requires a large number of access controls and applications to protect important information. Hackers know all the techniques to get into it.
➢ Mobile Networks
Mobiles are everyone's need; we can see one in everyone's hand, and users do almost every activity on mobile. From social media to banking, from pictures to videos, WhatsApp chats, etc., all are very permeable, as people use different kinds of devices like smartphones, iPads, tablets, etc., all of which require a high level of security with two-factor authentication. Mobile phones are very prone to cybercrime, and users must install the latest software and application updates to protect themselves from cybercrime.
➢ Encrypted Code
Encryption is the process of encoding messages so that only the intended users or the coders can read them, on devices or networks. Every user must learn how to encode messages and keep their data safely encrypted. Encryption at every level is important and protects data privacy and integrity. But the use of encryption is also a big challenge for cyber security. Encrypted code not only secures personal data on computers or mobiles, but also helps secure data on all networks present online.
Search And Seizure of Computers And related evidence:-
1. As information and communications technologies have entered everyday life, computer-related crime has dramatically increased.
2. As computers or other data storage devices can provide the means of committing crime or be a repository of electronic information that is evidence of a crime, the use of warrants to search for and seize such devices is given more and more importance.
3. The primary source of the law governing electronic evidence in criminal investigations is the Criminal Procedure Act (the "Act").
4. The search and seizure of electronic evidence is in most respects the same as any other search and seizure.
5. For instance, as with any other search and seizure, the search and seizure of computers or other electronic storage media must be conducted pursuant to a warrant, which is issued by a district court if there is probable cause to believe that they contain evidence of a crime. In addition to the general principles, however, the Act, as amended in 2011, has in place the following specific provisions for electronic evidence stored in computers or other data storage media:
1. In case electronic information stored in computers or other data storage media is to be searched and seized, the information to be searched must be identified with particularity and shall be obtained in the form of printed or electronic copies. If it is unfeasible to specify the scope of information to be obtained in copies, or if the purpose of the seizure cannot be accomplished by obtaining the specified information in copies, the computers or other data storage media themselves may be seized (Article 106(3) of the Act).
2. In case the electronic information seized in the form of printed or electronic copies contains personal data, the data subject must be notified without delay (Article 106(4) of the Act).
3. In case electronic information stored in computers or other data storage media is to be searched and seized, the warrant must describe with particularity the period during which the information was created, in addition to the name of the suspect, the crime, the things to be searched and seized, and the place to be searched, which are generally required to be specified in any search and seizure warrant (Article 114(1) of the Act).
It has been pointed out, however, that these current rules governing electronic evidence do not fully reflect the particular characteristics of electronic information, such as mass quantities, non-visibility, non-readability, or network association. In a recently released report, the National Assembly Research Service discusses potential reforms to the current rules to address issues relating in particular to (i) the search and seizure of remotely located servers; (ii) the search and seizure of servers where a huge array of information (including irrelevant information) is stored; (iii) the search and seizure of information owned by a third party; (iv) the suspect's or their counsel's participation in the search process; and (v) deleting or destroying electronic information seized.
Incident Response: -
1. Incident response, similar to digital forensics, investigates computer systems by collecting and analyzing data.
2. This is done specifically in the context of responding to a security incident, so while investigation is important, other steps such as containment and recovery are weighed carefully against it while responding to an incident.
3. Today, incident response is often performed using EDR or XDR tools that give responders a view into data on computer systems across a company's environment.
4. This data is often accessible immediately or very quickly across dozens, hundreds, or even thousands of endpoints.
5. This rapid access to useful investigative information means that in an incident, responders can start getting answers about what is happening very quickly, even if they do not already know where in the environment they need to look.
6. Such tools can also be used to remediate and recover by identifying, stopping, and removing malware or other tools used by a threat actor in the environment.
Incident Response Challenges
• Growing data, dwindling support: Organizations are facing more and more security alerts but cannot find the cybersecurity talent required to address the volume of information and, ultimately, the relevant threat data. Increasingly, organizations are turning to DFIR experts on retainer to help bridge the skills gap and retain critical threat support.
• Increased attack surface: The vast attack surface of today's computing and software systems makes it more difficult to obtain an accurate overview of the network and increases the risk of misconfigurations and user error.
Incident Response Process
• Scope: The first goal is to assess the breadth and severity of the incident and identify indicators of compromise.
• Investigate: Once the scope is determined, the search and investigation process begins. Advanced systems and threat intelligence are used to detect threats, collect evidence, and provide in-depth information.
• Secure: With individual threats addressed, there still needs to be an identification of security gaps and ongoing monitoring of cyber health. The secure stage involves containing and eradicating active threats that were identified in the investigation and closing any identified security gaps.
• Support and Report: Each security incident is closed out with customized reporting and a plan for ongoing support. We examine the overall organization and provide expert advice for next steps.
• Transform: Finally, identify gaps and advise on how to effectively harden areas of weakness and mitigate vulnerabilities to improve the security posture of the organization. Each process and step must be optimized to ensure a speedy recovery and set the organization up with the best chance of success in the future.
Forensic Analysis:-
Forensic analysis definition can be described as a detailed
process of detecting, investigating, and documenting the reason,
course, and consequences of a security incident or violation
against state and organization laws. Forensic analysis is often
used for providing evidence in court hearings, especially in
criminal investigations. It employs wide range of investigative
procedures and technologies. The Steps for Conducting Forensic
Analysis By tracking digital activity, investigators can relate digital
information to physical evidence. Digital forensics can also allow
investigators to discover planned attacks and prevent a crime
from occurring
There are five critical forensic analysis components involved in
conducting a detailed forensic analysis, all of which are involved
in contributing towards a successful investigation.
1. Developing Policy and Procedures Whether it’s about a
criminal conspiracy, cyber activity, or an intention to commit a
crime, forensic evidence can be highly sensitive and delicate.
Cybersecurity experts know how valuable the information is, and
understand that if it’s not properly handled and protected, it can
be compromised easily. For this reason, it is important to develop
and follow strict policies and procedures for all activities related to
forensic analysis. These procedures may include instructions on
how to prepare systems for retrieving evidence, where to store
the retrieved evidence, when to authorize forensic investigators to
recover potential evidence, and how to document the activities.
2. Assess the Evidence The second key step in the forensic
investigation is assessing potential evidence in a cybercrime.
This assessment involves classifying the cybercrime in question,
such as one related to identity theft, social engineering, phishing,
etc. The investigator then needs to determine the integrity and
source of data before entering it as an evidence.
3. Acquire Evidence This involves devising a detailed, rigorous
plan to acquire evidence. All information should be recorded and
preserved, and documented before, during, and after the
evidence acquisition. The policies regarding preserving the
integrity of potential evidence mainly apply to this step, since
without evidence, the forensic analysis may be considered futile.
The general guidelines to preserve evidence include using
controlled boot discs for retrieving critical data, physically
removing storage devices, and taking required steps to copy and
shift the evidence to the forensic investigation team. It is
important to document and authenticate all the evidence when in
a court case.
4. Examining the Evidence
To examine potential evidence there must be procedures for retrieving, copying and storing it in the appropriate case database. Examination can involve a number of approaches and methods, such as using analysis software to search data archives for specific file types or keywords, or retrieving recently deleted files. Data tagged with dates and times is of particular importance to investigators, as are encrypted or hidden files. Analysing file names and their metadata is also useful, since it can help identify when data was created, uploaded or downloaded, and whether a file was copied to a removable storage device or sent through an online transfer service.
5. Documenting and Reporting
Lastly, forensic investigators need to keep a record not only of the hardware and software specifications but also of every method used in the investigation, including the methods used to test system functionality and to copy, retrieve and store data. Documentation and reporting demonstrate how the integrity of the evidence was preserved and that all parties adhered to the agreed procedures.
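Steps 3 to 5 above as one runnable procedure. This is an added example written for these notes, not code from the page or from any forensic product; the case directory, file contents, timestamps and examiner name are constructed for the demonstration, and the "disk image" is just a small file standing in for a real acquisition:

```python
"""Acquire, verify, examine and report on a small evidence set.

Added example, not code from the original notes or from any forensic
product. It runs the procedure above over a constructed case directory:
SHA-256 of the image at acquisition, re-verification of the working copy
before analysis, a keyword/file-type search ordered by modification time,
and a chain-of-custody log that ends up in the report.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB pieces so a multi-GB image never sits in memory


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def log_entry(log: list, who: str, action: str, item: str, **extra) -> None:
    """Chain-of-custody record: who did what to which item, and when (UTC)."""
    log.append({"when": datetime.now(timezone.utc).isoformat(),
                "who": who, "action": action, "item": os.path.basename(item), **extra})


def acquire(path: str, examiner: str, log: list) -> str:
    """Step 3: fix the acquisition hash in the custody log and return it."""
    digest = sha256_file(path)
    log_entry(log, examiner, "acquired", path, sha256=digest)
    return digest


def verify(path: str, expected: str, examiner: str, log: list) -> bool:
    """Re-hash before analysis; a mismatch means the evidence was altered."""
    ok = sha256_file(path) == expected
    log_entry(log, examiner, "verified", path, match=ok)
    return ok


def search(root: str, keywords: tuple, extensions: tuple) -> list:
    """Step 4: files matching a keyword or file type, ordered by modification time."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read().lower()
            found = [k for k in keywords if k.encode() in data]
            if found or name.lower().endswith(extensions):
                mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
                hits.append({"file": name, "keywords": found, "mtime": mtime.isoformat()})
    return sorted(hits, key=lambda h: h["mtime"])


def build_sample_case(root: str) -> str:
    """Constructed sample evidence: an invented 'image' plus loose files."""
    image = os.path.join(root, "suspect_drive.dd")
    with open(image, "wb") as f:
        f.write(b"\x00" * 4096 + b"INVOICE: transfer to offshore account" + b"\x00" * 4096)
    files_dir = os.path.join(root, "files")
    os.makedirs(files_dir)
    samples = {  # name: (content, fixed mtime so the timeline is deterministic)
        "notes.txt": (b"meeting about the Offshore transfer", 1_700_000_000),
        "photo.jpg": (b"\xff\xd8\xff\xe0JFIF", 1_700_003_600),
        "readme.md": (b"nothing relevant here", 1_700_007_200),
    }
    for name, (content, mtime) in samples.items():
        path = os.path.join(files_dir, name)
        with open(path, "wb") as f:
            f.write(content)
        os.utime(path, (mtime, mtime))
    return image


def run_case(examiner: str = "examiner-01") -> dict:
    """Acquire, verify a working copy, detect a change to it, search, report."""
    custody: list = []
    with tempfile.TemporaryDirectory() as root:
        image = build_sample_case(root)
        digest = acquire(image, examiner, custody)
        work = os.path.join(root, "working_copy.dd")   # analysis happens on the copy
        shutil.copyfile(image, work)
        copy_ok = verify(work, digest, examiner, custody)
        with open(work, "r+b") as f:                   # simulate an accidental write
            f.seek(4096)
            f.write(b"X")
        still_ok = verify(work, digest, examiner, custody)
        hits = search(os.path.join(root, "files"), ("offshore",), (".jpg", ".png"))
    return {"image_sha256": digest, "copy_verified": copy_ok,
            "tamper_detected": not still_ok, "hits": hits, "custody": custody}


if __name__ == "__main__":
    print(json.dumps(run_case(), indent=2))
```

The second verification fails on purpose: one byte written to the working copy changes its hash, which is exactly what the custody log must show if an examiner ever touches evidence without a write blocker.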
Tools for Forensic Analysis :- Whether you require forensic analysis for an investigation into unauthorized server access, a human resources case or a high-profile data breach, the following open-source digital forensic tools can help with memory forensics, forensic image exploration, hard drive analysis and mobile forensics. Together they give the ability to retrieve in-depth information about a system or infrastructure.
Here are some of them:
• Autopsy – An open-source, GUI-based tool that analyses hard drives and smartphones. It is used worldwide to investigate what happened on a computer.
• Wireshark – A network capture and protocol analyser that shows what is happening on the network.
• Encrypted Disk Detector – Checks physical drives for encrypted volumes; it recognises BitLocker, TrueCrypt and SafeBoot.
• Magnet RAM Capture – Captures the physical memory of a computer so that memory artifacts can be analysed.
• NetworkMiner – A network forensic analyser for Linux, Windows and Mac OS X that detects operating systems, hostnames, open ports and sessions from a PCAP file or through live packet sniffing.
Importance of Forensic Analysis :-
Preventing Hackers: With digital forensics, cyber security companies have been able to develop technology that prevents hackers from accessing a website, network or device. By knowing how cyber criminals steal or exploit data, cyber security software firms are able to protect relevant data and scan networks to ensure that outside parties cannot access it.
Preventing Malware: Anti-malware software is one of the biggest benefits resulting from digital forensics. Forensic analysis helps identify how a virus enters a network infrastructure and how it behaves there. The software developed as a result can detect malware and spyware and remove it before a vulnerability can be exploited.
Investigating Tools :-
SIFT
SIFT is a forensic tool collection created to help incident response teams and forensic researchers examine digital forensic data on several systems. For evidence image support it handles single raw image files, AFF (Advanced Forensic Format), EWF (Expert Witness Format, EnCase), AFM (AFF with external metadata) and many others. Other important features include: an Ubuntu LTS 64-bit base system (16.04 at the time of writing), the latest forensic tools, cross-compatibility between Linux and Microsoft Windows, the option to install it as a stand-alone system, and extensive documentation.
The Sleuth Kit
Written by Brian Carrier and known as TSK, The Sleuth Kit is an open-source collection of Unix- and Windows-based forensic tools that helps researchers analyse disk images and recover files from them. Its features include full parsing support for file systems such as FAT/exFAT, NTFS, Ext2/3/4, UFS 1/2, HFS, ISO 9660 and YAFFS2, which lets it analyse almost any kind of image or disk from Windows-, Linux- and Unix-based operating systems. Available from the command line or usable as a library, The Sleuth Kit is a solid choice for anyone interested in recovering data from file systems and raw disk images.
X-Ways Forensics
This software is one of the most complete forensic suites for Windows. It runs on almost any version of Windows, in both 32-bit and 64-bit editions. One of its most useful features is that it is fully portable, so it can be run from a memory stick and easily carried from one computer to another. Its main features include disk cloning and imaging; reading partitions from raw image files, HDDs, RAID arrays, LVM2 volumes and more; advanced detection of deleted partitions on FAT12, FAT16, FAT32, exFAT, TFAT, NTFS, Ext2, Ext3, Ext4 and others; advanced file carving; and creation of file and directory catalogues.
CAINE
CAINE is not a single cybercrime investigation application or suite; it is a full Linux distribution for digital forensic analysis. It runs from a live CD and can help extract data created on multiple operating systems such as Linux, Unix and Windows. File system, memory or network data extraction: CAINE covers all of them by combining the best forensic software with both command-line and GUI-based interfaces. It includes popular investigation tools such as The Sleuth Kit, Autopsy, Wireshark, PhotoRec, Tinfoleak and many others.
PALADIN
PALADIN is a bootable Linux distribution based on Ubuntu and developed by SUMURI. The PALADIN Toolbox streamlines numerous forensic tasks and offers over 30 categories with more than 100 tools, including The Sleuth Kit and Autopsy. This forensic lab on a disk is available in both 64- and 32-bit versions, making it one of the most popular suites of its kind. It is used by law enforcement, military, federal, state and corporate agencies.
ProDiscover Forensic
Widely used in computer forensics and incident response, ProDiscover Forensic has the capabilities needed to handle every aspect of a forensic investigation. It helps investigators quickly and efficiently uncover files and collect, process, protect and analyse data, as well as create evidence reports. Its product suite offers investigators a wide array of diagnostic and evidence tools to explore evidence and extract relevant investigation artifacts. Features include extensive automation, cloud forensics, memory forensics, previewing files (including their metadata) without altering data on disk, and examining data at the sector level.
Digital Forensics Framework
Known as DFF, the Digital Forensics Framework is open-source computer forensics software that lets professionals collect and preserve system activity on both Windows and Linux. It allows researchers to access local and remote devices such as removable drives, local drives and remote server file systems, and to reconstruct VMware virtual disks. For file systems it can extract data from FAT12/16/32, Ext2/3/4 and NTFS, covering both active and deleted files and directories. It can also inspect and recover data from memory dumps, including network connections, local files and processes.
Oxygen Forensic Detective
This tool is one of the best multi-platform forensic applications used by security researchers and forensic professionals to browse all critical data in a single place. With Oxygen Forensic Detective you can extract data from multiple mobile devices, drones and computer operating systems, including: recovering passwords from encrypted OS backups, bypassing the screen lock on some Android devices, obtaining call data, extracting flight data from drones, and collecting user information from Linux, macOS and Windows computers. It also supports IoT device data extraction.
Open Computer Forensics Architecture
Known as OCFA, Open Computer Forensics Architecture is a forensic analysis framework written by the Dutch National Police Agency. It was developed with the main goal of speeding up their digital crime investigations by letting researchers access data from a unified, user-friendly interface. It integrates other popular investigation tools such as The Sleuth Kit, Scalpel and PhotoRec as processing modules. Although the official project was discontinued some time ago, the tool is still used by agencies around the world, and several related projects that continue to work with the OCFA code base can be found on its SourceForge site.
Bulk Extractor
Bulk Extractor is one of the most popular tools for extracting critical information from digital evidence. It scans disk images, directories or individual files (including images, videos, office documents and compressed archives) without parsing the file system, and extracts features such as URLs, e-mail addresses, credit card numbers and much more. It is a tool that serves not only for data extraction but for analysis and collection as well, and it runs on Linux, Unix, Mac and Windows.
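Feature extraction of the kind Bulk Extractor performs, which also illustrates the keyword and file-type search from step 4 (Examining the Evidence) earlier on this page. This is an added example, not Bulk Extractor's own code; the SAMPLE buffer, the signature table and the regular expressions are constructed assumptions for the demonstration:

```python
"""Feature extraction and signature carving over raw bytes, Bulk Extractor style.

Added example, not Bulk Extractor's own code. It scans a buffer without any
file-system parsing, as a feature scanner does: e-mail addresses and URLs by
regex, card numbers filtered with the Luhn check, and JPEG/PNG/PDF headers
located by their magic bytes so they can be carved out later. The SAMPLE
buffer is constructed for the demonstration.
"""
import re

EMAIL = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL = re.compile(rb"https?://[A-Za-z0-9.-]+(?:/[^\s\"'<>\x00]*)?")
# 13-19 digits with optional single spaces/dashes, not embedded in a longer digit run
CARD = re.compile(rb"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
SIGNATURES = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"%PDF-": "pdf"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters about 90% of digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def carve_headers(buf: bytes) -> list:
    """(offset, kind) for every magic-byte hit, in offset order."""
    hits = []
    for magic, kind in SIGNATURES.items():
        pos = buf.find(magic)
        while pos != -1:
            hits.append((pos, kind))
            pos = buf.find(magic, pos + 1)
    return sorted(hits)


def extract_features(buf: bytes) -> dict:
    cards = []
    for m in CARD.finditer(buf):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits):                      # drop phone numbers, timestamps, etc.
            cards.append((m.start(), digits))
    return {
        "emails": sorted({m.group().decode() for m in EMAIL.finditer(buf)}),
        "urls": sorted({m.group().decode() for m in URL.finditer(buf)}),
        "cards": cards,
        "headers": carve_headers(buf),
    }


# constructed: unallocated-looking padding around some text and three file headers
SAMPLE = (
    b"\x00" * 16
    + b"Contact: alice@example.com, see https://example.com/docs/report.pdf\n"
    + b"card: 4111 1111 1111 1111 bad: 1234567812345678\n"
    + b"\x00" * 8
    + b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 8
    + b"%PDF-1.7\n"
    + b"\x89PNG\r\n\x1a\n"
)

if __name__ == "__main__":
    for key, value in extract_features(SAMPLE).items():
        print(key, value)
```

The offsets returned by carve_headers are what a carver needs to cut the objects out of unallocated space; in a real run the second digit run above would have been a false positive without the Luhn filter.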
ExifTool
Written in Perl by Phil Harvey, this command-line utility can read, write and manipulate metadata in many media files such as images and videos. ExifTool extracts EXIF data (both common and vendor-specific tags) such as GPS coordinates, thumbnail images, file type, permissions, file size and camera model, and can save the results as plain text or HTML.
SurfaceBrowser
SurfaceBrowser is a SecurityTrails product for mapping the full online infrastructure of any company and gathering intelligence from DNS records, domain names and their historical WHOIS records, exposed subdomains, SSL certificate data and more. Analysing the Internet-facing surface of a company or domain can be as important as analysing local drives or RAM, since it can lead to data linked to cybercrimes.
Investigation of E-Mails and social media accounts:-
E-Mail Tracking: - Email tracking is a method of monitoring the delivery of email messages to the intended recipient and what the recipient then does with them (opens and clicks). Businesses use it to follow up with leads, job applicants and partners, and to inform decisions from the resulting data. Most tracking technologies use a digitally time-stamped record to reveal the date and time at which an email was received or opened, as well as the IP address of the recipient, and most tools also capture open rates, times, locations and click-throughs on links and attachments.
The usual mechanism is a web beacon: a tiny (typically 1x1 pixel, often transparent) image whose source is a unique URL on the sender's tracking server, added to the HTML of the outgoing message and invisible to the reader. When the recipient's mail client renders the message it fetches the image, and that HTTP request tells the sender who opened the email, when, on what device and from which IP address. Link clicks are tracked the same way, by routing each link through a redirect that records the click before forwarding the reader. Most email marketing software provides such tracking, sometimes in aggregate (for example a click-through rate) and sometimes per recipient. Note that a beacon only reports what the mail client does: clients that block remote images or fetch them through a proxy (as Gmail does) suppress the open signal or replace the reader's IP address with the proxy's.
Some email applications, such as Microsoft Outlook and Mozilla Thunderbird, instead employ a read-receipt mechanism. The sender selects the receipt request option before sending the message, and each recipient then has the option of notifying the sender that the message was received or read. Many variations on this theme exist: some simply report whether or not the recipient opened the message by displaying a small check mark in the sender's inbox, while others report how many times the message has been opened and when.
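The beacon mechanism seen from the receiving side: a check an investigator or mail administrator can run over the HTML of a message to find the pixels and tracked links described above. This is an added example, not code from any mail client or tracking product; SAMPLE_HTML and the list of token parameter names are constructed for the demonstration.

```python
"""Spot tracking beacons and tracked links in the HTML of a received message.

Added example; SAMPLE_HTML is constructed and the heuristics are this page's
own illustration, not the detection logic of any mail client. A beacon is a
remote image the reader will never see (1x1, zero-sized or hidden) whose URL
often carries a per-recipient token; tracked links are redirects carrying the
same kind of token. TOKEN_KEYS is an assumed list of common parameter names.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

TOKEN_KEYS = {"id", "uid", "u", "rid", "token", "cid", "e", "mid"}


def _tiny(attrs: dict) -> bool:
    """Invisible by size or by style: nobody is meant to see this image."""
    style = attrs.get("style", "").replace(" ", "").lower()
    dims = (attrs.get("width", ""), attrs.get("height", ""))
    return (all(d.strip("px") in ("0", "1") for d in dims)
            or "display:none" in style or "width:1px" in style or "height:1px" in style)


def _tokened(url: str) -> bool:
    """Query values that look like per-recipient identifiers."""
    query = parse_qs(urlparse(url).query)
    return any(k.lower() in TOKEN_KEYS or len(v[0]) >= 16 for k, v in query.items() if v)


class BeaconFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.beacons, self.tracked_links = [], []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "img":
            src = a.get("src", "")
            if not src.lower().startswith(("http://", "https://")):
                return  # cid:/data: images cannot phone home
            if _tiny(a) or _tokened(src):
                self.beacons.append({"host": urlparse(src).hostname,
                                     "tiny": _tiny(a), "tokened": _tokened(src)})
        elif tag == "a":
            href = a.get("href", "")
            if href.lower().startswith(("http://", "https://")) and _tokened(href):
                self.tracked_links.append(urlparse(href).hostname)


def find_beacons(html: str) -> dict:
    parser = BeaconFinder()
    parser.feed(html)
    return {"beacons": parser.beacons, "tracked_links": parser.tracked_links}


# constructed message body: one real logo, one tracked link, two beacons, one inline image
SAMPLE_HTML = """\
<html><body>
<img src="https://static.example/logo.png" width="200" height="50" alt="logo">
<p>Please review the <a href="https://click.example/r?u=7f3a9c2e5d1b4a6c8e0f&to=proposal">proposal</a>.</p>
<img src="https://track.example/open?rid=2b1d9e0c4f" width="1" height="1">
<img src="https://mail.example/px.gif" style="display:none; width:1px">
<img src="cid:inline-photo" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    print(find_beacons(SAMPLE_HTML))
```

The hosts returned are the ones worth blocking at the proxy or adding to a remote-content deny list; the inline cid: image is skipped because it cannot generate an outbound request.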
Benefit:- Providing unique insight: email tracking provides more than basic delivery information; it shows how a contact engages with each message. Saving time: if a contact is clicking the links you sent and viewing an attached cover letter or proposal, you know that you are currently at the top of their mind and that there is intent to engage further or to purchase. Contacting them at that moment makes the conversation far more timely and relevant, so an email management system with tracking can save a lot of time. Providing context: for example, if you included links or attachments in an email before a meeting, you can see whether your contact has viewed them.
IP Tracking: - IP trackers are tools used to obtain and monitor the IP addresses of devices; their intended purpose is to maintain and improve a communications infrastructure. There are primarily two types of IP address tracker, each with a specific purpose, and they are not interchangeable.
o Internet IP trackers (Wide Area Network or WAN). This type deals with the IP addresses that identify machines communicating directly with other computers on the Internet. An example of an Internet-connected device is a modem connected to a wide area network, which consequently assigns IP addresses to the devices behind it. Internet IP trackers collect basic information about users who access Internet websites (services such as TraceMyIP), FTP servers and various remotely controlled hardware on different ports and protocols, and monitor devices that connect to each other over the WAN. These trackers are often provided as Software as a Service (SaaS), that is, applications delivered over the Internet and hosted on independent servers.
o Intranet or local area IP trackers and scanners (Local Area Network or LAN). These tools monitor and scan for IP addresses on an internal network. IP scanning software can sweep an entire IP range of a private network and find every device and its IP address, including each device's status, and can also provide basic statistics such as an address's connection history and port statistics.
Internet IP trackers used for collecting website visitor information give website owners useful data such as geographical statistics about the audience, activity reports such as pages viewed and the time of day when most traffic occurs, information about submitted website forms, and security information that allows monitoring for abuse of the website. Local area IP scanners are equally essential for maintaining the integrity, security and connectivity of a private home or business network.
E-Mail Recovery: - Email recovery is the process of retrieving emails that were deleted accidentally or lost through system failure. Once emails are lost it is very difficult to recover them without specialised tools, whatever the cause (accidental deletion, a virus attack, software corruption, bad sectors on the hard disk, and so on). Specialist providers such as Global Digital Forensics (GDF) offer email data recovery and email forensics services for law firms, businesses, governmental bodies and private investigators; the vendor's own description of its services is summarised below. Email is ubiquitous, and it is almost always a major component of any cyber forensic investigation, whether it involves business or personal communications.
• More than two decades of experience investigating and testifying in cases ranging from financial malfeasance to intellectual property theft to issues of national security, where email was deleted, spoliated or its authenticity called into question.
• All types of devices and data recovered, from phones to servers to webmail systems.
• All work performed by CISSP- and CCE-certified forensic examiners.
• Complete reporting and case support, from initial consultations to expert witnessing in court, mediation, spoliation hearings, TRO motions and any evidentiary hearings pertaining to the case or investigation.
Email Data Types and Evidence Recovery
• Email clients on desktop or laptop computers running Windows, Linux or macOS, such as Outlook 360, Apple Mail, Inbox by Gmail, Mailspring, Mailbird, eM Client, etc.
• Smartphones from Apple, Samsung, Google, Huawei, Sony, Nokia, etc.
• Tablets from Apple, Lenovo, Samsung, Microsoft (including Surface), Amazon Kindle, etc.
• Other digital devices such as smart watches and video gaming consoles.
• Online email services such as Gmail, G Suite, MS Outlook, Yahoo Mail, Hotmail, iCloud, AOL, GoDaddy and Zoho Mail, integrated mail systems in CMS and CRM software, as well as ISP-based email systems, corporate email systems and servers, private email servers, etc.
Many different types of data can be recovered as evidence. There is not only the information explicitly in the email itself but also the metadata generated by the sending and receiving process, which can be just as useful in an investigation. The following is a partial list of the types of data that can be recovered from email:
• Written communications
• Photographs, diagrams, compressed attachments, etc.
• Sent-to / received-from data
• Date and location data
• Send path information
• Contact list data
In addition, email server logs, email headers and other metadata can be used to establish timelines of action, locations, and connections between the subjects of an investigation.
Recovering Evidence from Desktop-based or Device-based Email Clients
Email client programs such as Outlook 360, Mac Mail and others are prime sources of forensic email data. The data on these systems, however, is prone to deletion and other attempts at spoliation. Similar issues arise when trying to recover emails from iPhones, Android phones, iPads, Surface tablets, etc.
Device / Drive Imaging: Imaging is making a bit-by-bit copy of a data source, which helps maintain the integrity of the data and improves the speed and thoroughness of the investigation.
Recover Deleted Emails: GDF provides services to recover normal and deleted emails in their original form, with no data modification at any point in the process, so as to maintain admissibility.
Repair Corrupted or Damaged Emails: GDF provides services to repair damaged or corrupted emails, again while maintaining admissibility. These services are discussed case by case.
Email Header Analysis: Email headers are crucial in establishing the origin and destination of an email and all the "hops" it traversed along the way. Each mail server that handles a message prepends its own Received header, so the bottom-most Received line is the first hop and the top-most is the last; the IP address recorded by the first server that was not under the sender's control is the best available indicator of origin, since anything earlier can be forged by the sender. Email headers can divulge data such as:
• Who sent and received the email
• The full network path the email traversed
• Timestamp information
• Information about the email client used
• Information about the device used
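The header walk described above, as an added example that is not part of the original notes or any vendor's tool. The RAW message is constructed (it uses reserved documentation domains and IP ranges) and the spoofing checks are illustrative of what an analyst looks for, not a complete authentication scheme:

```python
"""Walk the Received chain of an e-mail and flag the obvious forgeries.

Added example; RAW is a constructed message and the analysis is this page's
own illustration, not any product's header analyser. Each relay prepends its
own Received header, so the chain is read bottom-up; the bracketed IP in
parentheses is what the receiving relay observed, while the name after
"from" is only what the sender claimed in HELO.
"""
import email
import ipaddress
import re
from email.utils import parseaddr, parsedate_to_datetime

RECEIVED = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?.*?\bby\s+(?P<by>\S+)")
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

RAW = """\
Return-Path: <mallory@attacker.example>
Received: from mx.corp.example (mx.corp.example [203.0.113.10])
\tby inbox.corp.example with ESMTP id abc123;
\tMon, 04 Mar 2024 10:05:30 +0000
Received: from relay.attacker.example (relay.attacker.example [198.51.100.7])
\tby mx.corp.example with ESMTPS id xyz789;
\tMon, 04 Mar 2024 10:05:28 +0000
Received: from [192.168.1.20] (unknown [198.51.100.7])
\tby relay.attacker.example with ESMTPA id q1;
\tMon, 04 Mar 2024 10:05:20 +0000
From: "CEO" <ceo@corp.example>
To: finance@corp.example
Subject: Urgent wire transfer
Date: Mon, 04 Mar 2024 10:05:10 +0000
Message-ID: <20240304100510.1234@relay.attacker.example>
X-Mailer: Microsoft Outlook 16.0

"""


def parse_hop(header: str) -> dict:
    text = re.sub(r"\s+", " ", header).strip()        # unfold the header
    m = RECEIVED.search(text)
    helo = m.group("helo") if m else None
    info = (m.group("info") or "") if m else ""
    by = m.group("by") if m else None
    observed = IPV4.findall(info) or IPV4.findall(helo or "")
    claimed = IPV4.findall(helo or "")
    when = None
    if ";" in text:                                    # the date follows the last ';'
        try:
            when = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    return {"claimed": helo, "ip": observed[-1] if observed else None, "by": by, "when": when,
            "claimed_private": bool(claimed) and ipaddress.ip_address(claimed[0]).is_private}


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyse_headers(raw: str) -> dict:
    msg = email.message_from_string(raw)
    path = [parse_hop(h) for h in reversed(msg.get_all("Received", []))]  # oldest hop first
    times = [h["when"] for h in path if h["when"] is not None]
    from_dom = domain(parseaddr(msg.get("From", ""))[1])
    rp_dom = domain(parseaddr(msg.get("Return-Path", ""))[1])
    return {
        "path": path,
        "originating_ip": path[0]["ip"] if path else None,
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "envelope_mismatch": from_dom != rp_dom,   # header From vs. bounce address
        "timeline_consistent": all(a <= b for a, b in zip(times, times[1:])),
        "client": msg.get("X-Mailer") or msg.get("User-Agent"),
        "message_id": msg.get("Message-ID"),
    }


if __name__ == "__main__":
    for key, value in analyse_headers(RAW).items():
        print(key, value)
```

In the constructed message the display name says "CEO" at corp.example but the bounce address, the first relay and the Message-ID all point at attacker.example; the claimed "from" of the first hop is an RFC 1918 address the relay could not have reached, which is why the parenthesised IP is the one to record.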
Advanced Tools for Investigating Cyber crime:
OS Forensic Tool: -
OSForensics allows users to identify suspicious files and activity with hash matching, drive signature comparisons, and email, memory and binary data analysis. It lets users extract forensic evidence from computers with advanced file searching and indexing and manage that data effectively.
1. Nmap :-
Nmap is an open-source network scanner that rapidly scans large computer networks. It is used for host discovery as well as service and OS detection, and uses raw IP packets to dig up host information. The Nmap Scripting Engine (NSE) offers a solid way of writing and sharing custom scripts that tackle common problems, and many ready-made scripts are available for quick network scans.
Pros of Nmap
• Maps a network quickly without complicated commands.
• Can enumerate subdomains and run DNS queries through NSE scripts.
• Highly configurable, so users can easily customise their scans.
• Lightweight, so it starts and runs quickly.
Cons of Nmap
• Mastering all of Nmap's features has a steep learning curve.
• Scanning can take a long time if you do not limit the target range.
• Some scan types are aggressive and may unintentionally trigger IDS/IPS mechanisms.
2. Metasploit :- Metasploit is a penetration testing framework that helps security professionals simulate attacks to find weaknesses in a system. It has a robust feature set for detecting bugs and validating attacks. Metasploit also offers premium tiers for enterprises that need an all-in-one penetration testing platform, but the community edition is usually enough for SMEs.
Pros of Metasploit
• Fully cross-platform: runs on Linux, macOS and Windows.
• Community support for this open-source security tool is excellent.
• The code base is freely available and can be integrated with other tools.
• The Pro version unlocks powerful automation abilities useful for large security teams.
Cons of Metasploit
• The free edition is limited in features and requires significant technical expertise.
• There is a noticeable performance difference between the Windows and Linux versions.
• Some exploits need user intervention to work properly.
3. OSSEC :-
OSSEC is a free HIDS (host-based intrusion detection system) that performs real-time monitoring and analysis and is equipped with a solid correlation and analysis engine. The most common uses of OSSEC are log analysis, file integrity checking, Windows registry monitoring and security policy enforcement.
Pros of OSSEC
• Gives real-time alerts for incidents and enables active responses.
• Log analysis: accepts logs from sources such as FTP servers, databases (PostgreSQL, MySQL) and web servers.
• Supports compliance with security auditing standards such as PCI DSS and the CIS benchmarks.
• Collects system information effectively and can act as a system inventory.
Cons of OSSEC
• The lack of a built-in monitoring dashboard can make threat visualisation harder.
• Upgrading the OSSEC version may result in inconsistencies between rules.
• Mis-coordination of the pre-shared agent keys can be troublesome.
4. Kali Linux :- Kali is a popular Linux distribution for digital forensic analysis and penetration testing. It is a Debian-based distro that offers some of the best open-source cyber security tools. This security-focused OS has everything needed for system assessments, including reconnaissance and payload delivery tools.
Pros of Kali Linux
• A specialised environment for security professionals.
• Over 600 penetration testing tools included.
• Wireless device support.
• Most of the applications are derived from the Debian testing branch.
• It can run almost everywhere, including the cloud, containers, Android, ARM and WSL.
Cons of Kali Linux
• Steep learning curve; it may prove hard for beginners.
• Some of the security tools on Kali can feel sluggish.
• Driver support for external devices could be improved.
5. OpenVAS :- OpenVAS (Open Vulnerability Assessment System) is an ideal tool for vulnerability scanning. It offers a solid set of features that can be used for authenticated and unauthenticated testing, and it is part of the Greenbone Community Edition, a collection of free security tools.
Pros of OpenVAS
• Uses a regularly updated feed of NVTs (Network Vulnerability Tests).
• Useful for small businesses.
• CVE coverage for bugs and testing.
• Large and dedicated community, so finding support is easy.
• The open-source licence of OpenVAS enables third-party customisation.
Cons of OpenVAS
• Requires solid effort to get up and running.
• Does not offer a cloud scanner for AWS, Azure or GCP.
6. Wireshark :-
Wireshark is a free packet capture and analysis tool for troubleshooting network connections and analysing IP packets. It has proven to be one of the most popular open-source cyber security tools since its release; its ability to capture and analyse data packets in real time makes it desirable to many organisations.
Pros of Wireshark
• Captures live packets and saves them for later inspection.
• VoIP and VLAN identification.
• Very robust filtering capabilities for sorting through captured data.
• Exports to CSV, XML and plain text.
• Helps find problems in networks and solve routing problems.
Cons of Wireshark
• New users will take time to master all the analysis mechanisms.
• Cannot send or alter packets.
• Some users may find the user interface confusing initially.
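What NetworkMiner (listed earlier under Tools for Forensic Analysis) and Wireshark's conversation view compute from a capture, reduced to a standard-library parser. This is an added example, not code from either tool; the capture is built inline by the block's own helper functions, so all addresses, ports and timestamps are constructed:

```python
"""Parse a pcap file and tabulate the sessions in it.

Added example, not code from Wireshark or NetworkMiner. A pcap file is a
24-byte global header followed by (16-byte record header, packet bytes)
pairs; for Ethernet captures each packet is Ethernet -> IPv4 -> TCP/UDP.
The capture below is built by the helper functions in this block, so it is
constructed data; checksums are left zero and not verified.
"""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4           # written little-endian by the builder
LINKTYPE_ETHERNET = 1
PROTO = {6: "tcp", 17: "udp"}


# --- builders for the constructed capture -------------------------------
def ethernet(payload: bytes, ethertype: int = 0x0800) -> bytes:
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    return dst + src + struct.pack("!H", ethertype) + payload


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def tcp(sport: int, dport: int, payload: bytes = b"") -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload


def udp(sport: int, dport: int, payload: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def pcap(packets: list) -> bytes:
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


# --- parser --------------------------------------------------------------
def parse_pcap(data: bytes) -> list:
    """[(timestamp, packet_bytes), ...]; handles both byte orders of the magic."""
    magic, = struct.unpack_from("<I", data, 0)
    order = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if order is None:
        raise ValueError("not a pcap file")
    linktype = struct.unpack_from(order + "IHHiIII", data, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures handled")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(order + "IIII", data, off)
        off += 16
        records.append((ts_sec + ts_usec / 1e6, data[off:off + incl_len]))
        off += incl_len
    return records


def flow_key(pkt: bytes):
    """(proto, src, sport, dst, dport) for an IPv4 packet, else None."""
    if len(pkt) < 34 or struct.unpack_from("!H", pkt, 12)[0] != 0x0800:
        return None
    ip = pkt[14:]
    ihl = (ip[0] & 0x0F) * 4            # IPv4 options make the header longer
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:]
    sport = dport = None
    if proto in PROTO and len(l4) >= 4:
        sport, dport = struct.unpack_from("!HH", l4, 0)
    return (PROTO.get(proto, str(proto)), src, sport, dst, dport)


def sessions(data: bytes) -> dict:
    """Per-flow packet and byte counts with first/last seen, like a conversation table."""
    table = {}
    for ts, pkt in parse_pcap(data):
        key = flow_key(pkt)
        if key is None:
            continue
        s = table.setdefault(key, {"packets": 0, "bytes": 0, "first": ts, "last": ts})
        s["packets"] += 1
        s["bytes"] += len(pkt)
        s["last"] = ts
    return table


def hosts(table: dict) -> list:
    return sorted({ip for key in table for ip in (key[1], key[3])})


SAMPLE_PCAP = pcap([
    ethernet(ipv4("10.0.0.5", "203.0.113.10", 6, tcp(51515, 443, b"\x16\x03\x01"))),
    ethernet(ipv4("203.0.113.10", "10.0.0.5", 6, tcp(443, 51515, b"\x16\x03\x03"))),
    ethernet(ipv4("10.0.0.5", "203.0.113.10", 6, tcp(51515, 443, b"\x17\x03\x03"))),
    ethernet(ipv4("10.0.0.5", "192.0.2.53", 17, udp(40000, 53, b"\x12\x34\x01\x00"))),
])

if __name__ == "__main__":
    for key, stats in sessions(SAMPLE_PCAP).items():
        print(key, stats)
```

Replacing SAMPLE_PCAP with the bytes of a real capture file (Ethernet link type, classic pcap rather than pcapng) gives the same host list and conversation table that the GUI tools display.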
Introduction to Forensic Tool Kit (FTK):- FTK is intended to be a complete computer forensics solution. It gives investigators an aggregation of the most common forensic tools in one place. Whether you are trying to crack a password, analyse emails or look for specific strings in files, FTK has it covered, and it comes with an intuitive GUI. There are a few distinguishing qualities that set FTK apart from the rest of the pack. First and foremost is performance. FTK uses a distributed processing approach that parallelises work across multiple CPU cores (and, optionally, across several machines); according to FTK's documentation this can make case processing several times faster than single-threaded tools, with figures of up to 400% quoted for some instances. Another distinctive feature of FTK is its use of a shared case database. Rather than having multiple working copies of the data sets, FTK keeps a single central database for each case, which lets team members collaborate more efficiently and saves resources. The database also provides stability: unlike forensic software that relies solely on memory, which is prone to crashing when capacity is exceeded, FTK's database persists data that remains accessible even if the program itself crashes. Fast searching is another hallmark of FTK. Because the tool indexes files up front, investigators can greatly reduce search times; FTK generates a shared index file, so there is no need to duplicate or recreate indexes. Some of its major capabilities include:
• Email analysis: FTK provides an intuitive interface for email analysis, including the ability to search emails for particular words and to analyse headers for the source IP address.
• File decryption: a central feature of FTK, and arguably the most common use of the software. Whether you want to crack passwords or decrypt entire files, FTK has an answer; passwords for over 100 applications can be recovered.
• Data carving: FTK includes a robust data carving engine. Investigators can search for files by size, data type and even pixel dimensions.
• Data visualisation: evidence visualisation is an up-and-coming paradigm in computer forensics. Rather than analysing only textual data, forensic experts can use data visualisation techniques to build a more intuitive picture of a case. FTK supports this with timeline construction, cluster graphs and geolocation.
• Web viewer: one of the more recent additions to the suite, the FTK Web Viewer accelerates case assessment by giving attorneys access to case files in real time while the evidence is still being processed by FTK. It also allows multi-case searching, so evidence from different cases does not have to be cross-referenced manually.
• Cerberus: embracing the shift towards analytics, FTK includes an automated malware triage feature called Cerberus. It scores executables for malicious behaviour and suggests actions to take if malware is found.
Solo Image MASSter :-
• Image MASSter Solo-4 is a portable forensic tool equipped with functions from evidence acquisition through to evidence viewing in a lightweight body.
• All the basic data acquisition functions required for forensic work are included, so it can respond immediately at sites where a variety of situations are expected.
• Since it runs a Windows OS, the acquired data can be analysed on the spot by installing evidence analysis software.
• Standard support for SAS / USB, which previously required a dedicated device. With the optional adapter it also supports IDE (1.8 inch / 2.5 inch / ZIF). One-to-one duplication from copy source to copy destination and cross-copy from IDE to SATA are also possible.
• Copy speeds of up to 37.0 GB/min (vendor figure).
• The copy source port is write-protected to avoid accidental writes to the source HDD.
• Compatible with various memory devices via the optional media card reader.
• With the optional Link MASSter Boot CD, data can be acquired quickly even when it is difficult to remove the HDD from the PC.
• A hash value is generated while copying (compare-verify is also possible).
• Supports not only 100% physical copies but also copying into a forensic image without writing to the source.
• Equipped with a function to acquire data from network storage over Gigabit Ethernet, following the evidence preservation process without changing the access dates and times of files and folders.
Image MASSter Solo-4 main functions:
Acquisition mode
• 100% physical copy
• Linux DD copy / Linux DD restore / Linux DD hash
• E01 copy / E01 restore
• Disk hash value calculation (CRC32 / MD5 / SHA-1 / SHA-256)
• HPA / DCO (hidden disk area) handling
• Disk format (exFAT, NTFS)
Log information
• Operation log (HDD format, serial number, number of sectors, etc.)
• Audit trail (investigator name, investigation environment, situation, etc.)
Erase mode (two HDDs can be erased at the same time)
• DoD-compliant standard data erasure
• Manual (specify the number of passes) data erasure
Other
• FireWire, ZIF and media cards with an option kit
• Big drive compatible
• Number of copies: 2 units, 1-to-1 x2 (parallel copy)
• Compatible compact media (using the optional card reader): CompactFlash, SD card, Memory Stick, SmartMedia card
• Drive lock function (write protection)
Disk Locker:- Disk encryption prevents a disk drive, such as a hard drive in a laptop computer or a portable USB storage device, from booting up or being read unless the user supplies valid authentication data. The standard boot process is that the first sector of the disk, the master boot record, tells the firmware where to read the first file that begins loading the operating system. No special instructions are then needed to interpret the contents of the disk: files are in plaintext by default. Installing disk encryption modifies this process. With disk encryption installed, the contents of the disk, except the master boot record and a small pre-boot system that it loads, are encrypted under a secret key with a suitable modern symmetric cipher. The master boot record is modified to load this small system first, and the small system validates the user's authentication information. This small system, which varies per implementation, contains the master key for the device encrypted under one or more keys derived from the authentication information, which can be a password, a fingerprint scan, a public-key token, and so on. When valid authentication information is read, it can decrypt the master key; because each credential only wraps the master key, a credential can be changed or revoked without re-encrypting the disk. The master key then remains in the computer's memory for as long as the machine is powered on, so that the operating system can first read itself from the disk to boot and then decrypt any other disk contents the user requests. This is also why a memory capture taken from a running, unlocked machine (with the RAM capture tools listed earlier) can recover the key, whereas a powered-off encrypted disk yields nothing.
Two important questions concerning any asset are whether it is private and whether it has to be intact. For example, many disk encryption users apply the tool to their entire system drive. Many system files are universally available as part of the install media; they are in no way private assets, and applying cryptography to them is a waste of resources from a confidentiality standpoint. The integrity question still applies, however: an unencrypted system partition can be modified by anyone with physical access, which is why full-disk encryption is usually combined with a measured or verified boot chain.
(Forensic Registry Analysis Tool):- FRAT is a significant forensic resource which provides a comprehensive picture of the case. With the techniques that are described in this document, an investigator can precisely acquire the registries from the compromised system. We have demonstrated the format of the registry and the data it can uncover. If a single key is unreadable, then the subkeys below it in that tree are also inaccessible. There are various tools that are used to read and analyze it. In addition, we also have the option to parse the registry tree via the command line by using regedit.exe. The Windows Registry is essential and its exploration still continues. Even if we know each key, subkey, and value of the Windows Registry, we still need to consider how to utilize them in genuine cases. In the second part of this document, the important keys and subkeys are explained by their location and the data they contain to help the forensic investigation.
Importance of Registry in Windows Forensics
For a forensic analyst, the Registry is a treasure box of information. It is the database that contains the default settings and the user- and system-defined settings on a Windows computer. The Registry serves as a repository, monitoring, observing and recording the activities performed by the user on the computer. The data is stored in main folders in a tree-like structure called Hives; their subfolders are called KEYS and SUBKEYS, and each component's configuration stored in them is called VALUES.
Some important aspects of the Windows Registry are:
1. The Windows Registry can be considered a gold mine of forensic evidence.
2. We can create new registry entries manually or modify the ones that already exist.
3. The original files that contain registry values are stored in the system directory itself.
4. Registry files are system protected and cannot be accessed by any user unless administrator access is provided.
5. For investigation purposes, the forensic investigator analyzes registry files via tools such as Registry Viewer, Regshot, Registry Browser, etc.
6. Trojan and malware information can be found in the registry.
Main Registry Hives
• HKEY_CLASSES_ROOT
• HKEY_CURRENT_USER
• HKEY_LOCAL_MACHINE/SAM
• HKEY_LOCAL_MACHINE/SOFTWARE
• HKEY_LOCAL_MACHINE/SECURITY
• HKEY_LOCAL_MACHINE/SYSTEM
• HKEY_USERS
• HKEY_CURRENT_CONFIG
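The disk encryption process described under Disk Locker above (one master key for the device, wrapped under one or more keys derived from the user's authentication information, unlocked by the small pre-boot system and then used for the rest of the disk) as an added example; this is not code from the page or from any disk encryption product. It assumes a constructed header layout with named credential slots, PBKDF2-SHA256 for the credential-derived keys, and an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag standing in for a real block cipher; the slot names, passwords, token secret and sector contents are all constructed.

```python
"""Added example (not from the page): the key hierarchy kept by the small
pre-boot system of a disk encryption product. Standard library only; HMAC-SHA256
in counter mode stands in for the block cipher, so this models the design and
is not a usable full-disk-encryption tool."""
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 50_000   # constructed demo value; real products tune this to the hardware
TAG_LEN = 32              # SHA-256 HMAC tag


def slot_key(credential: bytes, salt: bytes) -> bytes:
    """Derive a key-encrypting key from a password or token secret."""
    return hashlib.pbkdf2_hmac("sha256", credential, salt, KDF_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF stream: HMAC(key, nonce || counter) blocks, truncated to length."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; the tag is what lets unlock() reject a tampered header."""
    enc_key, mac_key = _subkeys(key)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, nonce: bytes, blob: bytes):
    """Return the plaintext, or None when the key is wrong or the blob was altered."""
    enc_key, mac_key = _subkeys(key)
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def add_slot(header: dict, master_key: bytes, name: str, credential: bytes) -> None:
    """Wrap the single master key under one credential; each slot is independent."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    header["slots"][name] = {"salt": salt, "nonce": nonce,
                             "wrapped": seal(slot_key(credential, salt), nonce, master_key)}


def new_volume(credentials: dict):
    """Build the header the pre-boot loader reads; returns (header, master_key)."""
    master_key = secrets.token_bytes(32)
    header = {"slots": {}}
    for name, credential in credentials.items():
        add_slot(header, master_key, name, credential)
    return header, master_key


def unlock(header: dict, credential: bytes):
    """What the pre-boot system does: try the credential against every slot."""
    for slot in header["slots"].values():
        master_key = open_sealed(slot_key(credential, slot["salt"]), slot["nonce"], slot["wrapped"])
        if master_key is not None:
            return master_key
    return None


def encrypt_sector(master_key: bytes, sector_no: int, data: bytes) -> bytes:
    """Bulk data is keyed by the master key, never by the password itself. Using the
    sector number as nonce is the textbook idea; real products use XTS for this."""
    return seal(master_key, sector_no.to_bytes(16, "big"), data)


def decrypt_sector(master_key: bytes, sector_no: int, blob: bytes):
    return open_sealed(master_key, sector_no.to_bytes(16, "big"), blob)


def demo() -> dict:
    """Constructed scenario: password slot plus token slot, then a password change."""
    token = secrets.token_bytes(32)                       # constructed token secret
    header, mk = new_volume({"password": b"correct horse battery", "token": token})
    sector7 = encrypt_sector(mk, 7, b"file contents in sector 7")
    add_slot(header, mk, "password", b"new passphrase")   # only the wrapper is rewritten
    flipped = header["slots"]["token"]["wrapped"]
    flipped = bytes([flipped[0] ^ 1]) + flipped[1:]       # one-bit header tamper
    tampered = {"slots": {"token": {**header["slots"]["token"], "wrapped": flipped}}}
    return {
        "old_password_rejected": unlock(header, b"correct horse battery") is None,
        "new_password_ok": unlock(header, b"new passphrase") == mk,
        "token_still_ok": unlock(header, token) == mk,
        "tamper_detected": unlock(tampered, token) is None,
        "sector_roundtrip": decrypt_sector(mk, 7, sector7) == b"file contents in sector 7",
        "wrong_sector_rejected": decrypt_sector(mk, 8, sector7) is None,
    }
```

Two points the prose leaves implicit are visible in demo(): changing the password rewraps only the master key (add_slot over the existing slot) while the encrypted sectors are untouched, and the authentication tag on each slot is what turns a wrong credential or a modified header into a clean refusal rather than a garbage key. The master key exists in memory only after a slot opens, which is the behaviour the page describes for the pre-boot system.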

Unit VI
Information Technology Act (IT Act 2000)
Introduction :- Computer, device for processing, storing, and displaying information. Computer once meant a person who did
computations, but now the term almost universally refers to
automated electronic machinery. The first section of this article
focuses on modern digital electronic computers and their design,
constituent parts, and applications. The second section covers
the history of computing. For details on computer architecture,
software, and theory, see computer science. Computers also
have limitations, some of which are theoretical. For example,
there are undecidable propositions whose truth cannot be
determined within a given set of rules, such as the logical
structure of a computer. Because no universal algorithmic
method can exist to identify such propositions, a computer asked
to obtain the truth of such a proposition will (unless forcibly
interrupted) continue indefinitely—a condition known as the
“halting problem.” (See Turing machine.) Other limitations reflect
current technology. Human minds are skilled at recognizing
spatial patterns—easily distinguishing among human faces, for
instance—but this is a difficult task for computers, which must
process information sequentially, rather than grasping details
overall at a glance. Another problematic area for computers
involves natural language interactions. Because so much
common knowledge and contextual information is assumed in
ordinary human communication, researchers have yet to solve
the problem of providing relevant information to general-purpose
natural language programs.
Definitions of computer :- A computer is a machine or
device that performs processes, calculations and operations
based on instructions provided by a software or hardware
program. It has the ability to accept data (input), process it, and
then produce outputs. Computers can also store data for later
uses in appropriate storage devices, and retrieve whenever it is
necessary. Modern computers are electronic devices used for a
variety of purposes ranging from browsing the web, writing
documents, editing videos, creating applications, playing video
games, etc. They are designed to execute applications and
provide a variety of solutions by combining integrated hardware
and software components.
Computer System:- A computer system is a basic, full-
featured hardware and software configuration with all the
components needed to perform computing operations. It enables
humans to input, process, and output data effectively and
systematically. A computer system comprises several connected,
integrated devices collaborating to carry out one or more tasks. It
often consists of software and hardware elements, including
operating systems, programs, and drivers, as well as memory,
input/output devices, storage devices, and a central processing
unit (CPU).
Evolution of Computer systems
The origins of computer systems can be traced back to the early 19th century, with the introduction of mechanical calculators. These machines were created to conduct mathematical calculations. The development of electronic computers, however, marked the start of the real evolution of computer systems.
Components of Computer System
Let us now understand the following basic components of a computer system.
• Hardware
• Software
• Humanware
• Firmware
• Bridgeware
Hardware
The physical components collectively form the hardware of a computer system. Hardware comprises the equipment that helps in the working of the computer system.
Following are the different types of hardware components (which have specific functions):
• Monitor − It displays the result visually.
• CPU − It is the Central Processing Unit, which controls the computer's functions and transmits data.
• Motherboard − It is mainly accountable for establishing communication between components and transmitting information.
• RAM − It is the Random Access Memory, responsible for storing programs that are currently running and also storing data temporarily.
• Hard Disk Drive − It is a permanent memory storage device.
• Floppy Disk Drive − It is hardly used in recent times.
• Optical disks − Devices that also store data, for example CD, DVD, etc.
Computer network:- A computer network is a set of devices (nodes) connected through links. A node can be a computer, printer, or any other device capable of sending or receiving data. The links connecting the nodes are known as communication channels. A computer network uses distributed processing, in which a task is divided among several computers. Instead, a single computer handles an entire task, each separate computer handles a s
Following are the advantages of distributed processing:
o Security: It limits the interaction that a user can have with the entire system. For example, a bank allows users to access their own accounts through an ATM without allowing them to access the bank's entire database.
o Faster problem solving: Multiple computers can solve a problem faster than a single machine working alone.
o Security through redundancy: Multiple computers running the same program at the same time can provide security through redundancy. For example, if four computers run the same program and any computer has a hardware error, then the other computers can override it.
Electronic
Record:- According to the World Bank, E-Governance is when government agencies use information and communication technologies to transform relations with citizens, businesses, and other government agencies. One of the prime objectives of the IT Act, 2000 is the promotion of electronic governance. In this article, we will talk about electronic records and e-governance. In the IT Act, 2000, there are special provisions under Chapter III to grant legal recognition to electronic records and signatures, and also to encourage the government and its agencies to use them.
Examples of electronic records include: emails, websites, Word/Excel documents, digital purchase receipts, databases, text messages, social media postings, and information stored on SharePoint sites and content management systems (Catalyst, Slack, DropBox, etc.). Electronic records must be retained according to a legally approved records retention schedule. Electronic records have the same record series (type of record) and retention period as their paper equivalent. This includes records stored in email, shared drives, the cloud, on laptops and cell phones, even ones created on personally-owned devices. If your office scans records with the intention of destroying the original paper document (including Ariba attachments), you must have a scanning policy on file with our office.
Managing Electronic Records
Every UW employee is individually responsible for maintaining records they create and receive in accordance with University and Washington state policies, including electronic records and email. Whether you just started at the University or have been here for years, managing records is a fact of life. But don't worry: you're not on your own! Records Management Services has resources and training available to assist you.
Data :- In general, data is a distinct piece of information that is gathered and translated for some purpose. If data is not formatted in a specific way, it is not valuable to computers or humans. Data can be available in different forms, such as bits and bytes stored in electronic memory, numbers or text on pieces of paper, or facts stored in a person's mind. Since the invention of computers, people have used the word data to mean computer information, and this information is transmitted or stored. There are different kinds of data, such as the following:
o Sound
o Video
o Single character
o Number (integer or floating-point)
o Picture
o Boolean (true or false)
o Text (string)
In a computer's storage, data is stored in the form of a series of binary digits (bits) that contain the value 1 or 0. The information can be in the form of pictures, text documents, software programs, audio or video clips, or other kinds of data. Computer data may be stored in files and folders on the computer's storage and processed by the computer's CPU, which utilizes logical operations to generate output (new data) from input data. As the data is stored on the computer in binary form (zero or one), it can be processed, created, saved, and stored digitally. This allows data to be sent from one computer to another with the help of various media devices or a network connection. Furthermore, if you use data multiple times, it does not deteriorate over time or lose quality.
Secure system :- Cyber security means protecting the [cyber assets] from [threats].
• The cyber assets are: Information, Equipment, Devices, Computer, Computer resource, Communication device and Information stored therein
• The cyber threats are: Unauthorised access, use, disclosure, disruption, modification or destruction
Today, let's understand what a Secure System is. Secure System means computer hardware, software, and procedure that-
• are reasonably secure from unauthorized access and misuse;
• provide a reasonable level of reliability and correct operation;
• are reasonably suited to performing the intended functions; and
• adhere to generally accepted security procedures.
Digital Signature :-
A digital signature is a mathematical technique which validates the authenticity and integrity of a message, software or digital document. It allows us to verify the author's name, the date and time of the signature, and authenticate the message contents. The digital signature offers far more inherent security and is intended to solve the problem of tampering and impersonation (intentionally copying another person's characteristics) in digital communications. Computer-based business information authentication interrelates both technology and the law. It also calls for cooperation between people of different professional backgrounds and areas of expertise. Digital signatures are different from other electronic signatures not only in terms of process and result, but also in that this makes digital signatures more serviceable for legal purposes. Some electronic signatures that are legally recognizable as signatures may not be as secure as digital signatures and may lead to uncertainty and disputes.
Application of Digital Signature
The important reasons to apply a digital signature to communication are:
o Authentication
o Non-repudiation
o Integrity
Authentication - Authentication is a process which verifies the identity of a user who wants to access the system. In the digital signature, authentication helps to authenticate the source of messages.
Non-repudiation - Non-repudiation means assurance of something that cannot be denied. It ensures that a party to a contract or communication cannot later deny the authenticity of their signature on a document or in a file, or the sending of a message that they originated.
Integrity - Integrity ensures that the message is real and accurate, and safeguards it from unauthorized modification during transmission.
Algorithms in Digital Signature
A digital signature scheme consists of three algorithms:
1. Key generation algorithm - The key generation algorithm selects a private key at random from a set of possible private keys. This algorithm provides the private key and its corresponding public key.
2. Signing algorithm - A signing algorithm produces a signature for the document.
3. Signature verifying algorithm - A signature verifying algorithm either accepts or rejects the document's authenticity.
The steps which are followed in creating a digital signature are:
1. Select a file to be digitally signed.
2. The hash value of the message or file content is calculated. This hash value of the message or file content is encrypted using the private key of the sender to form the digital signature.
3. Now, the original message or file content along with the digital signature is transmitted.
4. The receiver decrypts the digital signature by using the public key of the sender.
5. The receiver now has the message or file content and can compute its hash value.
6. The computed hash value is compared with the one recovered from the signature. The two must be the same to ensure integrity.
Certifying authority as per IT Act:-
The IT Act provides for the Controller of Certifying Authorities (CCA) to license and regulate the working of Certifying Authorities. The Certifying Authorities (CAs) issue Digital Signature Certificates for the electronic authentication of users. The Controller of Certifying Authorities (CCA) has been appointed by the Central Government under Section 17 of the Act for the purposes of the IT Act.
The Office of the CCA came into existence on November 1, 2000. It aims at promoting the growth of E-Commerce and E-Governance through the wide use of digital signatures.
The Controller of Certifying Authorities (CCA) has established the Root Certifying Authority of India (RCAI) under section 18(b) of the IT Act to digitally sign the public keys of Certifying Authorities (CAs) in the country. The RCAI is operated as per the standards laid down under the Act. The CCA certifies the public keys of CAs using its own private key, which enables users in cyberspace to verify that a given certificate is issued by a licensed CA. For this purpose it operates the Root Certifying Authority of India (RCAI). The CCA also maintains the Repository of Digital Certificates, which contains all the certificates issued to the CAs in the country.
Role of Certifying Authorities: A Certificate Authority (CA) is a trusted entity that issues Digital Certificates and public-private key pairs. The job of the Certificate Authority (CA) is to ensure that the individual granted the unique certificate is, in fact, who the individual in question claims to be. The Certificate Authority (CA) checks that the owner of the certificate is who he says he is. A Certificate Authority (CA) can be a trusted third party which is responsible for physically verifying the legitimacy of the identity of an individual or organization before issuing a digital certificate. A Certificate Authority (CA) can be an external (public) Certificate Authority (CA) like VeriSign, Thawte or Comodo, or an internal (private) Certificate Authority (CA) set up inside our own network.
A Certificate Authority (CA) is a basic security service in a network. A Certificate Authority (CA) performs the following functions. A Controller performs some or all of the following roles:
1. Supervise the activities of the Certifying Authorities and also certify their public keys.
2. Lay down the standards that the Certifying Authorities follow.
3. Specify the following: the qualifications and experience requirements of the employees of all Certifying Authorities; the conditions that the Certifying Authorities must follow for conducting business; the contents of the printed, written and visual materials and advertisements in respect of the digital signature and the public key; the form and content of a digital signature certificate and the key; the form and manner in which the Certifying Authorities maintain records; and the terms and conditions for the appointment of auditors and their remuneration.
4. Facilitate the Certifying Authority to set up an electronic system, either solely or jointly with other Certifying Authorities, and its regulation.
5. Specify the manner in which the Certifying Authorities deal with the subscribers.
6. Resolve any conflict of interest between the Certifying Authorities and the subscribers.
7. Lay down the duties of the Certifying Authorities.
8. Maintain a database containing the disclosure record of every Certifying Authority with all the details as per regulations. Further, this database is open to the public.
Certificate Authority (CA) verifies the identity: The Certificate Authority (CA) must validate the identity of the entity who requested a digital certificate before issuing it.
Certificate Authority (CA) issues digital certificates: Once the validation process is complete, the Certificate Authority (CA) issues the digital certificate to the entity who requested it. Digital certificates can be used for encryption (for example, encrypting web traffic), code signing, authentication and so on.
Certificate Authority (CA) maintains the Certificate Revocation List (CRL): The Certificate Authority (CA) maintains a Certificate Revocation List (CRL). A certificate revocation list (CRL) is a list of digital certificates which are no longer valid and have been revoked, and therefore should not be relied upon by anybody. A Certificate Authority (CA) is a dedicated entity which issues and signs SSL certificates, verifying and guaranteeing the trustworthiness of their owners.
Conclusion: An entity or individual who needs a digital certificate can request one from a certificate authority; when the certificate authority verifies the applicant's identity, it creates a digital certificate for the applicant and digitally signs that certificate with the certificate authority's private key. The digital certificate can then be verified (for instance, by a web browser) using the certificate authority's public key.
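To tie the three algorithms and the six signing steps listed under Digital Signature above to the chain described in this section (the RCAI signs the public keys of CAs, a CA issues a subscriber's certificate and maintains a CRL), here is an added example; it is not code from the page, the IT Act, the CCA or any CA. It uses textbook RSA over SHA-256 with 512-bit demo keys and no padding scheme, and the subject names "CA-1" and "subscriber-1", the record text and the one-entry CRL are constructed.

```python
"""Added example (not from the page or the IT Act): the three signature
algorithms and a root -> CA -> subscriber certificate chain, using textbook RSA
over SHA-256 with demo-sized keys and no padding (real systems use RSA-PSS/ECDSA)."""
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test; enough for demo-sized keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)   # random witness in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512):
    """Key generation: the private key comes from a random prime pair and the
    public key is derived from it. Returns ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))   # pow(e, -1, phi): modular inverse, Python 3.8+


def hash_int(data: bytes) -> int:
    """Section 3's 'hash result': a fixed-size digest, read as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data: bytes) -> int:
    """Signing: hash the record, then apply the private key (steps 2-3 above)."""
    n, d = private_key
    return pow(hash_int(data), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    """Verifying: undo with the public key, recompute the hash, compare (steps 4-6)."""
    n, e = public_key
    return 0 < signature < n and pow(signature, e, n) == hash_int(data)


def to_be_signed(subject: str, public_key) -> bytes:
    """What an issuer signs: the subject's name bound to the subject's public key."""
    return f"{subject}|{public_key[0]}|{public_key[1]}".encode()


def issue_certificate(issuer_private_key, subject: str, subject_public_key) -> dict:
    """A CA (or the root, for a CA's own key) vouches for a subject's public key."""
    return {"subject": subject, "public_key": subject_public_key,
            "signature": sign(issuer_private_key, to_be_signed(subject, subject_public_key))}


def certificate_valid(issuer_public_key, cert: dict, crl: set) -> bool:
    """Issuer's signature must check out and the subject must not be on the CRL."""
    if cert["subject"] in crl:
        return False
    return verify(issuer_public_key, to_be_signed(cert["subject"], cert["public_key"]),
                  cert["signature"])


def verify_chain(root_public_key, ca_cert: dict, subscriber_cert: dict, crl: set) -> bool:
    """Root key vouches for the CA's key; the CA's key vouches for the subscriber's."""
    return (certificate_valid(root_public_key, ca_cert, crl)
            and certificate_valid(ca_cert["public_key"], subscriber_cert, crl))


def demo() -> dict:
    """Constructed scenario: root -> CA-1 -> subscriber-1, who signs one record."""
    root_pub, root_priv = generate_keypair()
    ca_pub, ca_priv = generate_keypair()
    sub_pub, sub_priv = generate_keypair()
    ca_cert = issue_certificate(root_priv, "CA-1", ca_pub)
    sub_cert = issue_certificate(ca_priv, "subscriber-1", sub_pub)
    record = b"Transfer 100 INR to account 42"          # constructed electronic record
    signature = sign(sub_priv, record)
    rogue_cert = issue_certificate(generate_keypair()[1], "subscriber-1", sub_pub)  # unlicensed issuer
    return {
        "chain_ok": verify_chain(root_pub, ca_cert, sub_cert, crl=set()),
        "record_ok": verify(sub_cert["public_key"], record, signature),
        "tamper_detected": not verify(sub_cert["public_key"], b"Transfer 900 INR to account 42", signature),
        "revoked_rejected": not verify_chain(root_pub, ca_cert, sub_cert, crl={"subscriber-1"}),
        "rogue_issuer_rejected": not verify_chain(root_pub, ca_cert, rogue_cert, crl=set()),
    }
```

demo() exercises each claim the section makes: the record verifies under the subscriber's public key and fails after a single change to its content, the chain fails once the subscriber appears on the CRL, and a certificate issued by a key the root never certified is rejected even though it names the same subscriber and carries the same public key.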
Authentication of electronic records (Section 3) :- (1) Subject to the provisions of this section any subscriber may authenticate an electronic record by affixing his digital signature. (2) The authentication of the electronic record shall be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record. Explanation. - For the purposes of this sub-section, "hash function" means an algorithm mapping or translation of one sequence of bits into another, generally smaller, set known as "hash result" such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input, making it computationally infeasible (a) to derive or reconstruct the original electronic record from the hash result produced by the algorithm; (b) that two electronic records can produce the same hash result using the algorithm. (3) Any person by the use of a public key of the subscriber can verify the electronic record. (4) The private key and the public key are unique to the subscriber and constitute a functioning key pair.
Legal recognition of electronic records and digital signature (Section 4 and 5) :- Legal recognition of electronic signatures (Section 5) - Where any law provides that information or any other matter shall be authenticated by affixing the signature or any document shall be signed or bear the signature of any person, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied, if such information or matter is authenticated by means of electronic signature affixed in such manner as may be prescribed by the Central Government. Explanation. - For the purposes of this section, "signed", with its grammatical variations and cognate expressions, shall, with reference to a person, mean affixing of his hand written signature or any mark on any document and the expression "signature" shall be construed accordingly.
Legal Recognition of Electronic Records (Section 4) - Let's say that a certain law requires a matter to be written, typewritten, or printed. Even in the case of such a law, the requirement is satisfied if the information is rendered or made available in an electronic form and is also accessible for subsequent reference.
Certifying Authorities and Controller
Offences as per IT Act (Section 65 to Section 78) :-
Section 65. Tampering with computer
source documents. Whoever knowingly or intentionally conceals,
destroys or alters or intentionally or knowingly causes another to
conceal, destroy or alter any computer source code used for a
computer, computer programme, computer system or computer
network, when the computer source code is required to be kept or
maintained by law for the time being in force, shall be punishable
with imprisonment up to three years, or with fine which may
extend up to two lakh rupees, or with both. Explanation. —For the
purposes of this section, "computer source code" means the
listing of programmes, computer commands, design and layout
and programme analysis of computer resource in any form.
Section 66. Hacking with computer system. (1)
Whoever with the intent to cause or knowing that he is likely to
cause wrongful loss or damage to the public or any person
destroys or deletes or alters any information residing in a
computer resource or diminishes its value or utility or affects it
injuriously by any means, commits hacking. (2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
Section 66A: Punishment for sending offensive messages
through communication service, etc. - Information Technology Act
Any person who sends, by means of a computer resource or a
communication device,- a) any information that is grossly
offensive or has menacing character; or b) any information which
he knows to be false, but for the purpose of causing annoyance,
inconvenience, danger, obstruction, insult, injury, criminal
intimidation, enmity, hatred, or ill will, persistently by making use
of such computer resource or a communication device, c) any
electronic mail or electronic mail message for the purpose of
causing annoyance or inconvenience or to deceive or to mislead
the addressee or recipient about the origin of such messages,
shall be punishable with imprisonment for a term which may
extend to three years and with fine. Explanation: For the
purposes of this section, terms "Electronic mail" and "Electronic
Mail Message" means a message or information created or
transmitted or received on a computer, computer system,
computer resource or communication device including
attachments in text, image, audio, video and any other electronic
record, which may be transmitted with the message.
Section 66B:
Punishment for dishonestly receiving stolen computer resource or
communication device Whoever dishonestly receives or retains
any stolen computer resource or communication device knowing
or having reason to believe the same to be stolen computer
resource or communication device, shall be punished with
imprisonment of either description for a term which may extend to
three years or with fine which may extend to rupees one lakh or
with both.
Section 66C: Punishment for Identity Theft, Misuse of
Digital Signature Whoever, fraudulently or dishonestly make
use of the electronic signature, password or any other unique
identification feature of any other person, shall be punished with
imprisonment of either description for a term which may extend to
three years and shall also be liable to fine which may extend to
rupees one lakh.
Section 66D: Punishment for cheating by
personation by using computer resource Whoever, by means of
any communication device or computer resource cheats by
personation, shall be punished with imprisonment of either
description for a term which may extend to three years and shall
also be liable to fine which may extend to one lakh rupees.
Section 66E: Punishment for violation of privacy Whoever,
intentionally or knowingly captures, publishes or transmits the
image of a private area of any person without his or her consent,
under circumstances violating the privacy of that person, shall be
punished with imprisonment which may extend to three years or
with fine not exceeding two lakh rupees, or with both.
Explanation. - For the purposes of this section - (a) “transmit”
means to electronically send a visual image with the intent that it
be viewed by a person or persons; (b) “capture”, with respect to
an image, means to videotape, photograph, film or record by any
means; (c) “private area” means the naked or undergarment clad
genitals, pubic area, buttocks or female breast; (d) “publishes”
means reproduction in the printed or electronic form and making
it available for public; (e) “under circumstances violating privacy”
means circumstances in which a person can have a reasonable
expectation that- (i) he or she could disrobe in privacy, without
being concerned that an image of his private area was being
captured; or (ii) any part of his or her private area would not be
visible to the public, regardless of whether that person is in a
public or private place.
Section 66F: Punishment for cyber terrorism
Whoever, - (A) with intent to threaten the unity, integrity,
security or sovereignty of India or to strike terror in the people or
any section of the people by – (i) denying or cause the denial of
access to any person authorised to access computer resource; or
(ii) attempting to penetrate or access a computer resource
without authorisation or exceeding authorised access; or (iii)
introducing or causing to introduce any Computer Contaminant.
and by means of such conduct causes or is likely to cause death
or injuries to persons or damage to or destruction of property or
disrupts or knowing that it is likely to cause damage or disruption
of supplies or services essential to the life of the community or
adversely affect the critical information infrastructure specified
under section 70, or (B) knowingly or intentionally penetrates or
accesses a computer resource without authorisation or exceeding
authorised access, and by means of such conduct obtains
access to information, data or computer database that is
restricted for reasons of the security of the State or foreign
relations; or any restricted information, data or computer
database, with reasons to believe that such information, data or
computer database so obtained may be used to cause or likely to
cause injury to the interests of the sovereignty and integrity of
India, the security of the State, friendly relations with foreign
States, public order, decency or morality, or in relation to
contempt of court, defamation or incitement to an offence, or to
the advantage of any foreign nation, group of individuals or
otherwise, commits the offence of cyber terrorism. (2) Whoever
commits or conspires to commit cyber terrorism shall be
punishable with imprisonment which may extend to imprisonment
for life.
Section 67. Publishing of information which is obscene in
electronic form. Whoever publishes or transmits or causes to be
published in the electronic form, any material which is lascivious
or appeals to the prurient interest or if its effect is such as to tend
to deprave and corrupt persons who are likely, having regard to
all relevant circumstances, to read, see or hear the matter
contained or embodied in it, shall be punished on first conviction
with imprisonment of either description for a term which may
extend to five years and with fine which may extend to one lakh
rupees and in the event of a second or subsequent conviction
with imprisonment of either description for a term which may
extend to ten years and also with fine which may extend to two
lakh rupees.
Section 67A: Punishment for publishing or transmitting of
material containing sexually explicit act, etc. in electronic
form, Information Technology Act 2000
Whoever publishes or
transmits or causes to be published or transmitted in the
electronic form any material which contains sexually explicit act
or conduct shall be punished on first conviction with imprisonment
of either description for a term which may extend to five years
and with fine which may extend to ten lakh rupees and in the
event of second or subsequent conviction with imprisonment of
either description for a term which may extend to seven years
and also with fine which may extend to ten lakh rupees.
Exception: This section and section 67 does not extend to any
book, pamphlet, paper, writing, drawing, painting, representation
or figure in electronic form- (i) the publication of which is proved
to be justified as being for the public good on the ground that
such book, pamphlet, paper, writing, drawing, painting,
representation or figure is in the interest of
science, literature, art, or learning or other objects of general
concern; or (ii) which is kept or used bona fide for religious
purposes.
Section 67B: Punishment for publishing or transmitting of
material depicting children in sexually explicit act, etc. in
electronic form Whoever, - (a) publishes or transmits or causes
to be published or transmitted material in any electronic form
which depicts children engaged in sexually explicit act or conduct
or (b) creates text or digital images, collects, seeks, browses,
downloads, advertises, promotes, exchanges or distributes
material in any electronic form depicting children in obscene or
indecent or sexually explicit manner or (c) cultivates, entices or
induces children to online relationship with one or more children
for and on sexually explicit act or in a manner that may offend a
reasonable adult on the computer resource or (d) facilitates
abusing children online or (e) records in any electronic form own
abuse or that of others pertaining to sexually explicit act with
children, shall be punished on first conviction with imprisonment
of either description for a term which may extend to five years
and with a fine which may extend to ten lakh rupees and in the
event of second or subsequent conviction with imprisonment of
either description for a term which may extend to seven years
and also with fine which may extend to ten lakh rupees: Provided
that the provisions of section 67, section 67A and this section
does not extend to any book, pamphlet, paper, writing, drawing,
painting, representation or figure in electronic form- (i) The
publication of which is proved to be justified as being for the
public good on the ground that such book, pamphlet, paper
writing, drawing, painting, representation or figure is in the
interest of science, literature, art or learning or other objects of
general concern; or (ii) which is kept or used for bona fide heritage
or religious purposes. Explanation: For the purposes of this
section, "children" means a person who has not completed the
age of 18 years.
Section 67 C: Preservation and Retention of information by
intermediaries, Section 67C of Information Technology Act
(1) Intermediary shall preserve and retain such information as
may be specified for such duration and in such manner and
format as the Central Government may prescribe. (2) Any
intermediary who intentionally or knowingly contravenes the
provisions of sub section (1) shall be punished with an
imprisonment for a term which may extend to three years and
shall also be liable to fine.
Section 68. Power of Controller to give directions. (1)
The Controller may, by order, direct a Certifying Authority or any
employee of such Authority to take such measures or cease
carrying on such activities as specified in the order if those are
necessary to ensure compliance with the provisions of this Act,
rules or any regulations made thereunder. (2) Any person who
fails to comply with any order under sub-section (1) shall be guilty
of an offence and shall be liable on conviction to imprisonment for
a term not exceeding three years or to a Fine not exceeding two
lakh rupees or to both.
Section 69. Directions of Controller to a subscriber to extend
facilities to decrypt information. (1) If the Controller is satisfied
that it is necessary or expedient so to do in the interest of the
sovereignty or integrity of India, the security of the State, friendly
relations with foreign States or public order or for preventing
incitement to the commission of any cognizable offence, for
reasons to be recorded in writing, by order, direct any agency of
the Government to intercept any information transmitted through
any computer resource. (2) The subscriber or any person
in charge of the computer resource shall, when called upon by
any agency which has been directed under sub-section (1),
extend all facilities and technical assistance to decrypt the
information. (3) The subscriber or any person who fails to assist
the agency referred to in sub-section (2) shall be punished with
an imprisonment for a term which may extend to seven years.
Section 69A: Power to issue directions for blocking for
public access of any information through any computer
resource - Information Technology Act (1) Where the Central
Government or any of its officer specially authorised by it in this
behalf is satisfied that it is necessary or expedient so to do in the
interest of sovereignty and integrity of India, defense of India,
security of the State, friendly relations with foreign states or public
order or for preventing incitement to the commission of any
cognizable offence relating to above, it may subject to the
provisions of sub-sections (2) for reasons to be recorded in
writing, by order direct any agency of the Government or
intermediary to block access by the public or cause to be blocked
for access by public any information generated, transmitted,
received, stored or hosted in any computer resource. (2) The
procedure and safeguards subject to which such blocking for
access by the public may be carried out shall be such as may be
prescribed. (3) The intermediary who fails to comply with the
direction issued under sub-section (1) shall be punished with an
imprisonment for a term which may extend to seven years and
also be liable to fine.
Section 69B: Power to authorize to monitor and collect traffic data or information through any computer resource for Cyber Security - Information Technology Act
(1) The Central Government
may, to enhance Cyber Security and for identification, analysis
and prevention of any intrusion or spread of computer
contaminant in the country, by notification in the official Gazette,
authorize any agency of the Government to monitor and collect
traffic data or information generated, transmitted, received or
stored in any computer resource. (2) The Intermediary or any
person in-charge of the Computer resource shall when called
upon by the agency which has been authorised under sub-
section (1), provide technical assistance and extend all facilities
to such agency to enable online access or to secure and provide
online access to the computer resource generating, transmitting,
receiving or storing such traffic data or information. (3) The
procedure and safeguards for monitoring and collecting traffic
data or information, shall be such as may be prescribed. (4) Any
intermediary who intentionally or knowingly contravenes the
provisions of sub-section (2) shall be punished with an
imprisonment for a term which may extend to three years and
shall also be liable to fine. Explanation: For the purposes of this
section, (i) "Computer Contaminant" shall have the meaning
assigned to it in section 43; (ii) "traffic data" means any data
identifying or purporting to identify any person, computer system
or computer network or location to or from which the
communication is or may be transmitted and includes
communications origin, destination, route, time, date, size,
duration or type of underlying service or any other information.
Section 70. Protected system.
(1) The appropriate Government may, by
notification in the Official Gazette, declare that any computer,
computer system or computer network to be a protected system.
(2) The appropriate Government may, by order in writing,
authorise the persons who are authorised to access protected
systems notified under sub-section (1). (3) Any person who
secures access or attempts to secure access to a protected
system in contravention of the provisions of this section shall be
punished with imprisonment of either description for a term which
may extend to ten years and shall also be liable to fine.
Section 70A: National nodal agency - Information Technology Act
(1)
The Central Government may, by notification published in the
official Gazette, designate any organization of the Government as
the national nodal agency in respect of Critical Information
Infrastructure Protection. (2) The national nodal agency
designated under subsection (1) shall be responsible for all
measures including Research and Development relating to
protection of Critical Information Infrastructure. (3) The manner of
performing functions and duties of the agency referred to in sub-section (1) shall be such as may be prescribed.
Section 70B: Indian Computer Emergency Response Team to serve as national agency for incident response - Information Technology Act
(1) The Central Government shall, by notification in the
Official Gazette, appoint an agency of the government to be
called the Indian Computer Emergency Response Team. (2) The
Central Government shall provide the agency referred to in sub-
section (1) with a Director General and such other officers and
employees as may be prescribed. (3) The salary and allowances
and terms and conditions of the Director General and other
officers and employees shall be such as may be prescribed. (4)
The Indian Computer Emergency Response Team shall serve as
the national agency for performing the following functions in the
area of Cyber Security,- (a) collection, analysis and dissemination
of information on cyber incidents (b) forecast and alerts of cyber
security incidents (c) emergency measures for handling cyber
security incidents (d) Coordination of cyber incidents response
activities (e) issue guidelines, advisories, vulnerability notes and
white papers relating to information security practices,
procedures, prevention, response and reporting of cyber
incidents (f) such other functions relating to cyber security as may
be prescribed (5) The manner of performing functions and duties
of the agency referred to in sub-section (1) shall be such as may
be prescribed. (6) For carrying out the provisions of sub-section
(4), the agency referred to in sub-section (1) may call for
information and give direction to the service providers,
intermediaries, data centers, body corporate and any other
person (7) Any service provider, intermediaries, data centers,
body corporate or person who fails to provide the information
called for or comply with the direction under sub-section (6) , shall
be punishable with imprisonment for a term which may extend to
one year or with fine which may extend to one lakh rupees or with
both. (8) No Court shall take cognizance of any offence under
this section, except on a complaint made by an officer authorised
in this behalf by the agency referred to in sub-section (1).
Section 71. Penalty for misrepresentation.
Whoever makes any misrepresentation to, or suppresses any
material fact from, the Controller or the Certifying Authority for
obtaining any licence or Digital Signature Certificate, as the case
may be, shall be punished with imprisonment for a term which
may extend to two years, or with fine which may extend to one
lakh rupees, or with both.
Section 72. Penalty for breach of confidentiality and privacy.
Save as otherwise provided in this Act or any other law for the
time being in force, any person who, in pursuance of any of the
powers conferred under this Act, rules or regulations made
thereunder, has secured access to any electronic record, book,
register, correspondence, information, document or other material
without the consent of the person concerned discloses such
electronic record, book, register, correspondence, information,
document or other material to any other person shall be punished
with imprisonment for a term which may extend to two years, or
with fine which may extend to one lakh rupees, or with both.
Section 72 A: Punishment for Disclosure of information in
breach of lawful contract - Information Technology Act Save as
otherwise provided in this Act or any other law for the time being
in force, any person including an intermediary who, while
providing services under the terms of lawful contract, has secured
access to any material containing personal information about
another person, with the intent to cause or knowing that he is
likely to cause wrongful loss or wrongful gain discloses, without
the consent of the person concerned, or in breach of a lawful
contract, such material to any other person shall be punished with
imprisonment for a term which may extend to three years, or with
a fine which may extend to five lakh rupees, or with both.
Section 73. Penalty for publishing Digital Signature
Certificate false in certain particulars. (1) No person shall
publish a Digital Signature Certificate or otherwise make it
available to any other person with the knowledge that— (a) the
Certifying Authority listed in the certificate has not issued it; or (b)
the subscriber listed in the certificate has not accepted it; or (c)
the certificate has been revoked or suspended, unless such
publication is for the purpose of verifying a digital signature
created prior to such suspension or revocation. (2) Any person
who contravenes the provisions of sub-section (1) shall be
punished with imprisonment for a term which may extend to two
years, or with fine which may extend to one lakh rupees, or with
both.
Section 74. Publication for fraudulent purpose. Whoever
knowingly creates, publishes or otherwise makes available a
Digital Signature Certificate for any fraudulent or unlawful
purpose shall be punished with imprisonment for a term which
may extend to two years, or with fine which may extend to one
lakh rupees, or with both.
Section 75. Act to apply for offence or contravention
committed outside India. (1) Subject to the provisions of sub-section (2), the provisions of this Act shall apply also to any
offence or contravention committed outside India by any person
irrespective of his nationality. (2) For the purposes of sub-section
(1), this Act shall apply to an offence or contravention committed
outside India by any person if the act or conduct constituting the
offence or contravention involves a computer, computer system
or computer network located in India.
Section 76. Confiscation. Any computer, computer system,
floppies, compact disks, tape drives or any other
accessories related thereto, in respect of which any
provision of this Act, rules, orders or regulations made
thereunder has been or is being contravened, shall be liable to
confiscation: Provided that where it is established to the
satisfaction of the court adjudicating the confiscation that the
person in whose possession, power or control of any such
computer, computer system, floppies, compact disks, tape drives
or any other accessories relating thereto is found is not
responsible for the contravention of the provisions of this Act,
rules, orders or regulations made thereunder, the court may,
instead of making an order for confiscation of such computer,
computer system, floppies, compact disks, tape drives or any
other accessories related thereto, make such other order
authorised by this Act against the person contravening of the
provisions of this Act, rules, orders or regulations made
thereunder as it may think fit.
Section 77. Penalties or confiscation not to interfere with other punishments. No penalty
imposed or confiscation made under this Act shall prevent the
imposition of any other punishment to which the person affected
thereby is liable under any other law for the time being in force.
Section 77A: Compounding of Offences - Information
Technology Act (1) A Court of competent jurisdiction may
compound offences other than offences for which the punishment
for life or imprisonment for a term exceeding three years has
been provided under this Act. Provided that the Court shall not
compound such offence where the accused is by reason of his
previous conviction, liable to either enhanced punishment or to a
punishment of a different kind. Provided further that the Court
shall not compound any offence where such offence affects the
socioeconomic conditions of the country or has been committed
against a child below the age of 18 years or a woman. (2) The
person accused of an offence under this act may file an
application for compounding in the court in which offence is
pending for trial and the provisions of section 265 B and 265 C of
Code of Criminal Procedure, 1973 shall apply.
Section 77B: Offences with three years imprisonment
to be cognizable - Information Technology Act
(1) Notwithstanding anything contained in Criminal Procedure
Code 1973, the offence punishable with imprisonment of
three years and above shall be cognizable and the offence
punishable with imprisonment of three years shall be
bailable.
Section 78. Power to investigate offences.
Notwithstanding anything contained in the Code of Criminal
Procedure, 1973, a police officer not below the rank of
Deputy Superintendent of Police shall investigate any
offence under this Act.
Special provision in Indian Evidence Act
regarding admissibility of electronic records
(Section 65B of IEA, 1872) :- Section 65B talks about the electronic device and the circumstances under which the evidence is recorded. It also talks about the condition of the electronic device during the recording of evidence. Sub-section (1) of Section 65B defines the computer output. Reading this Section together with Section 2 of the Information Technology Act, 2000, it can be presumed that any electronic device such as a computer, mobile phone, tape recorder or video recorder which has the capacity to store, process and send information can be considered an electronic device. These devices are commonly called "computer output".
Conditions for the admissibility of electronic evidence under Section 65B:
Any information contained in an electronic record that is printed on paper, or stored, recorded or copied in optical or magnetic media, produced by a computer, shall be deemed a document. Such a document is admissible as evidence without further proof or production of the original if the owner or person responsible for the computer that recorded the evidence gives a certificate under Section 65B(4) of the Indian Evidence Act, 1872 stating:
1. The working condition of the computer during the recording of the evidence.
2. Its lawful use by the owner or operator.
3. A description of the regular use of the computer.
4. If the information was fed into another computer in the ordinary course of activity, a description of that.
5. A description of the working condition of the computer during the entire period in which the information was processed, created or transferred.
6. If a group of computers was used to create or process the information, a description of all the computers; further, all the computers can be construed as a single computer.
MOBILE FORENSICS:
Digital Evidence and Data Recovery
Digital Evidence on Operating Systems (Windows/Unix) :-
Windows :- Despite its unreliability and propensity to crash, Windows remains the most widely used operating system on people's computers.
Investigators must be familiar with how Windows works and the idiosyncrasies associated with Windows in order to conduct a thorough and fruitful investigation.
An intimate knowledge of file allocation and deletion in Windows file systems is needed to recover deleted files.
For this paper, we will be focusing on NTFS, the file system used in Windows NT and Windows 2000 and above. But many of the techniques mentioned in this section could be used in earlier versions of Windows with few, if any, modifications.
NTFS stores the attributes of files and folders in a system file called the Master File Table (MFT). The attributes in the MFT of most interest to the forensic analyst are the filename, the MAC times (the date and time of a file's last modification, last access and creation), and the data itself (if the file is small enough) or the location of the data on the disk.
With folders, additional attributes of interest are the index entries in the MFT for the files in that folder or, if the MFT record cannot hold the entire folder's entries, the location of these entries in an index buffer (an allocated space outside the MFT that holds these index entries).
NTFS writes data to the disk in whole chunks called clusters. The size of the cluster varies depending on the size of the disk partition and the Windows version.
NTFS uses another system file, $BITMAP, to keep track of which clusters have been allocated on the disk. In the $BITMAP file, a single bit per cluster indicates whether or not that cluster has been allocated. So when a file is allocated, the bit for each cluster assigned to that file must be set in the $BITMAP file, a record must be created in the MFT, an index entry must be created in the folder's MFT record or index buffer, and the addresses of any clusters used to hold the file's data must be added to the MFT record.
Tools To Recover Data On Windows
• DriveSpy: It is a forensic DOS shell, designed to emulate and extend the capabilities of DOS to meet forensic needs. It includes a built-in sector (and cluster) hex viewer which can be used to examine DOS and non-DOS partitions.
• EnCase: It is a computer forensics product which is used to analyze digital media (for example in civil/criminal investigations, network investigations, data compliance and electronic discovery). The software is available to law enforcement agencies and corporations. It includes tools for data acquisition, file recovery, indexing/search and file parsing. Special training is usually required to operate the software.
• ILook: The ILook Investigator Forensic Software is a comprehensive suite of computer forensics tools used to acquire and analyze digital media. It provides the list of allocated and unallocated files and works with compressed zip files.
Unix :- Conducting an investigation on Unix systems is very similar to conducting one on Windows systems. The forensic analyst must understand how Unix allocates and deletes files in order to know where to look for the contents and attributes of files that exist (possibly hidden) and of files that have been deleted. But the idiosyncrasies of Unix give the investigator different approaches to analyzing the data on Unix systems versus Windows systems. Unix and Windows view files very differently.
Unix uses the concept of inodes (index nodes) to represent files. Each inode contains the pointers to the actual data on the disk as well as file attributes useful to the investigator; these include the owner ID, the access permissions (read, write, execute), the number of links (the number of directories referencing the file), the MAC times, which are the times of last modification, access and change of status (change of owner, permissions or number of links), and the file size.
Note that the filename is not included in the inode. Instead, the file name is stored as an entry in the directory structure along with the location of the actual inode. Like NTFS on a Windows system, the Unix file system allocates data in fixed-size pieces called blocks.
This is analogous to the clusters used by NTFS. Therefore file slack, the space between the end of a file and the end of the cluster (or block), is found on Unix systems as well as on Windows systems, because not all files fit exactly into the blocks on the disk.
Forensic analysts can examine the file slack for remnants of deleted files and attributes.
File deletion in Unix involves marking the directory entry for that file name as unused, which disconnects the file name from the actual file data and attributes.
The inode of the file is marked as unused and some, but not all, of the attribute information is lost. The file data blocks are marked as unused. According to the creators of the Unix forensics toolkit The Coroner's Toolkit (TCT), deleted file data and attributes remain for long periods of time, such as hundreds of days even on heavily used systems, because Unix has good file system locality: files tend to be clustered together instead of randomly spaced apart.
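The allocation and deletion mechanics described for NTFS ($BITMAP plus the MFT record) and for Unix (inode, directory entry and data blocks) both lead to the same forensic consequence: deletion clears allocation bits and unlinks a name but never wipes the data blocks, so deleted content and file slack survive. The toy block device below is an added example written for these notes, not code from the original or from any real file system; BLOCK_SIZE, the file names and the payloads are constructed for the demonstration.

```python
"""Toy block device modelling the allocation behaviour described above.

Added example, not part of the original notes.  BLOCK_SIZE, the file
names and the payloads are constructed for the demonstration.  A record
stands in for an NTFS MFT record or a Unix inode; the bitmap stands in
for $BITMAP or the Unix block bitmap.  Deleting a file only clears bits
and unlinks the name: data blocks are never wiped, so deleted content
and file slack survive until a later write reuses the block.
"""
from dataclasses import dataclass

BLOCK_SIZE = 16   # tiny "cluster"/"block" so remnants are easy to read
BLOCK_COUNT = 8


@dataclass
class FileRecord:
    """Attributes + block addresses (MFT record / inode).  Like an MFT
    record, this toy keeps the name here; a real Unix inode does not."""
    name: str
    size: int
    blocks: list
    in_use: bool = True


class ToyDisk:
    def __init__(self):
        self.data = bytearray(BLOCK_SIZE * BLOCK_COUNT)
        self.bitmap = [False] * BLOCK_COUNT   # one allocation bit per block
        self.records = []                     # MFT / inode table
        self.directory = {}                   # file name -> record index

    def _free_blocks(self, n):
        free = [i for i, used in enumerate(self.bitmap) if not used]
        if len(free) < n:
            raise OSError("disk full")
        return free[:n]

    def write_file(self, name, payload):
        n = -(-len(payload) // BLOCK_SIZE)    # ceil(len / BLOCK_SIZE)
        blocks = self._free_blocks(n)
        for k, b in enumerate(blocks):
            chunk = payload[k * BLOCK_SIZE:(k + 1) * BLOCK_SIZE]
            start = b * BLOCK_SIZE
            # Only len(chunk) bytes are written; the tail of the last block
            # keeps whatever was there before.  That tail is the file slack.
            self.data[start:start + len(chunk)] = chunk
            self.bitmap[b] = True
        self.records.append(FileRecord(name, len(payload), blocks))
        self.directory[name] = len(self.records) - 1
        return self.records[-1]

    def delete_file(self, name):
        rec = self.records[self.directory.pop(name)]  # directory entry unlinked
        rec.in_use = False                            # record marked unused
        for b in rec.blocks:
            self.bitmap[b] = False                    # bits cleared, data kept

    # --- what an examiner can still see -------------------------------
    def unallocated_bytes(self):
        """Content of every block whose allocation bit is clear."""
        return b"".join(bytes(self.data[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE])
                        for b, used in enumerate(self.bitmap) if not used)

    def file_slack(self, name):
        """Bytes between the logical end of a live file and its last block end."""
        rec = self.records[self.directory[name]]
        used = rec.size % BLOCK_SIZE
        if used == 0:
            return b""
        last = rec.blocks[-1]
        return bytes(self.data[last * BLOCK_SIZE + used:(last + 1) * BLOCK_SIZE])

    def orphaned_records(self):
        """Records marked unused but still carrying name, size and block list."""
        return [r for r in self.records if not r.in_use]


def demo():
    """Constructed scenario: write, delete, then partially overwrite."""
    disk = ToyDisk()
    disk.write_file("secret.txt", b"CONFIDENTIAL MEMO: merger closes Friday.")  # 40 B, 3 blocks
    disk.delete_file("secret.txt")
    disk.write_file("notes.txt", b"todo: lunch")  # 11 B, reuses block 0 only
    return disk


if __name__ == "__main__":
    d = demo()
    print("slack of notes.txt :", d.file_slack("notes.txt"))
    print("unallocated        :", d.unallocated_bytes().rstrip(b"\0"))
    print("orphaned records   :", d.orphaned_records())
```

Running demo() shows the three evidence sources the notes name: the slack of notes.txt still holds the tail of the overwritten first block of the deleted memo, the unallocated blocks still hold the rest of it, and the orphaned record still lists the deleted file's size and block addresses, which is what a carving or inode-walking tool uses to reassemble it.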
Tools To Recover Data On Unix
• The Coroner's Toolkit: A coroner is a government official who investigates human deaths or determines the cause of death. The Coroner's Toolkit is a set of tools for post-mortem analysis of a UNIX system. It is designed to discover data or programs which may not be visible to the operating system through the normal file interfaces.
• The Sleuth Kit: The Sleuth Kit (TSK) is a library and collection of Unix- and Windows-based tools and utilities that allow for the forensic analysis of computer systems. The Sleuth Kit's tools allow us to examine the layout of disks and other media. It supports DOS partitions, BSD partitions (disk labels), Mac partitions, Sun slices (Volume Table of Contents), and GPT disks. With these tools, you can identify where partitions are located and extract them so that they can be analyzed with file system analysis tools.
Mobile Forensics:
The Cell Phone :- Mobile forensics, a subtype of digital forensics, is concerned
with retrieving data from an electronic source. The recovery of
evidence from mobile devices such as smartphones and tablets
is the focus of mobile forensics. Because individuals rely on
mobile devices for so much of their data sending, receiving, and
searching, it is reasonable to assume that these devices hold a
significant quantity of evidence that investigators may utilize.
Mobile devices may store a wide range of information, including
phone records and text messages, as well as online search
history and location data. We frequently associate mobile
forensics with law enforcement, but they are not the only ones
who may depend on evidence obtained from a mobile device.
Uses of Mobile Forensics:
The military uses mobile devices to gather intelligence when
planning military operations or terrorist attacks. A corporation
may use mobile evidence if it fears its intellectual property is
being stolen or an employee is committing fraud. Businesses
have been known to track employees’ personal usage of
business devices in order to uncover evidence of illegal activity.
Law enforcement, on the other hand, may be able to take
advantage of mobile forensics by using electronic discovery to
gather evidence in cases ranging from identity theft to homicide.
PDA :-
Handheld devices are commonplace in today’s society, used by
many individuals for both personal and professional purposes.
While such devices have limitations, they are nonetheless
extremely useful in such things as managing appointments and
contact information, corresponding via electronic mail and instant
messaging over wireless networks, and handling voice calls, as
well as transporting and viewing documents. Increasingly, such
devices also incorporate the ability to handle and even capture
multimedia information (e.g., sound, images, and video). For
cellular devices, such as smart phones, or GPS-enabled devices,
additional evidence sources exist, for example, the last set of
dialed numbers or the coordinates of waypoints to some
destination. Even security minded individuals eventually succumb
to entering sensitive information into such devices. Over the
course of use, handheld devices can accumulate significant
amounts of personal information that can provide a wealth of
digital evidence when encountered during an investigation. As
with digital computers in general, both the functionality and
information capacity of handheld devices are improving rapidly.
Present day memory capacities can hold megabytes of
information, easily extendable into the gigabyte range. Though an
investigator can browse the contents of the device through its
user interface to obtain evidence, the approach is highly
impractical and problematic, and should be used only as a last
resort. Instead, applying forensic tools is the preferred alternative.
Forensic software tools facilitate the proper acquisition of data
from a device and the examination, organization, and reporting of
the evidence recovered. Some examples of the issues involved include the following:
• Because PDAs are oriented toward mobility, they depend on battery power, emphasize wireless connectivity, and use specialized interfaces and media.
• PDAs typically use volatile memory rather than nonvolatile memory for user data, so that loss of battery power results in an immediate loss of data.
• PDAs normally use different operating systems from desktop computers, which accommodate mobility aspects such as power management, specialized file systems, automatic file compression, and execute-in-place programs.
• PDAs are always in an active state; when powered off or idle, various degrees of hibernation occur to avoid a lengthy delay when powered on again or activity resumes.
Forensic software tools address only some of these issues. An investigator must have a good technical understanding and follow appropriate procedures to address the remaining issues when conducting an investigation.
GPS Devices:- Location data is often of great interest in
litigation when attempting to establish or challenge an alibi.
Today, almost every smartphone has a GPS receiver. This GPS
data is used to track your location even when you are not using
navigation software or applications. It uses this information to
provide you with restaurant recommendations near you, tag your
Instagram photos with geolocation data, allow you to see who is
near you from your LinkedIn network, or tell you how long your
drive home might take with current traffic. Other than the mobile
phone, GPS devices today include personal GPS devices and
auto, aviation, and marine devices. Envista has certified GPS
examiners on staff who can properly collect data from GPS
devices in a forensically sound manner and analyze the data
using state-of-the-art forensic tools and mapping technology.
With GPS, each satellite in the system transmits navigation data
toward the Earth that contains the satellite's position, a
timestamp, and the health of the satellite. When a GPS device
can receive signals from at least three satellites at once, the
device itself can calculate its position in two dimensions, latitude
and longitude. This process is called triangulation. For a GPS
device to calculate its position vertically for altitude, it must be
able to receive signals from at least four satellites at the same
time. This process is called trilateration. The satellite signal data
is refreshed every 30 seconds, once at the top of the minute and
the bottom of the minute. For the device to calculate its position, it
needs to know the position of each of the satellites, the time it
took for the signal to reach the device itself, and whether the
satellite is healthy. Since the satellite travels at a known velocity,
the data provides enough information for the device to perform
the calculations.
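The position computation described above (satellite position plus signal travel time from three satellites giving a two-dimensional fix) worked through in code. This is an added example, not part of the original notes: the satellite coordinates, the receiver position and the flat kilometre grid are constructed assumptions, and receiver clock error is ignored. The same subtraction step, applied to a fourth fix, is what extends the solution to the vertical dimension the notes mention.

```python
"""2-D trilateration of a receiver from three satellite fixes.

Added example, not from the original notes: satellite positions, the
receiver position and the flat 2-D coordinate system (kilometres) are
constructed assumptions, and receiver clock error is ignored.  Each fix
is (x_km, y_km, travel_seconds): the transmitter position carried in the
navigation message plus the measured signal travel time.
"""
import math

C_KM_PER_S = 299_792.458   # speed of light, km/s


def trilaterate_2d(fixes):
    """fixes: three (x, y, travel_time_s) tuples -> receiver (x, y) in km."""
    if len(fixes) < 3:
        raise ValueError("a 2-D fix needs at least three satellites")
    (x1, y1, t1), (x2, y2, t2), (x3, y3, t3) = fixes[:3]
    d1, d2, d3 = (C_KM_PER_S * t for t in (t1, t2, t3))   # ranges in km
    # Range equations: (x-xi)^2 + (y-yi)^2 = di^2.  Subtracting equation 1
    # from equations 2 and 3 cancels x^2 and y^2, leaving a linear system:
    #   2(x1-xi)x + 2(y1-yi)y = di^2 - d1^2 - xi^2 - yi^2 + x1^2 + y1^2
    a11, a12 = 2 * (x1 - x2), 2 * (y1 - y2)
    b1 = d2**2 - d1**2 - x2**2 - y2**2 + x1**2 + y1**2
    a21, a22 = 2 * (x1 - x3), 2 * (y1 - y3)
    b2 = d3**2 - d1**2 - x3**2 - y3**2 + x1**2 + y1**2
    det = a11 * a22 - a12 * a21
    if abs(det) < 1e-9:
        # all three transmitters on one line: no unique 2-D solution
        raise ValueError("degenerate satellite geometry")
    x = (b1 * a22 - a12 * b2) / det      # Cramer's rule
    y = (a11 * b2 - b1 * a21) / det
    return x, y


def travel_time(sat_xy, receiver_xy):
    """Construct the travel time a receiver at receiver_xy would measure."""
    return math.hypot(sat_xy[0] - receiver_xy[0],
                      sat_xy[1] - receiver_xy[1]) / C_KM_PER_S


def demo():
    """Constructed scenario: receiver at (1234.5, 678.9) km, three satellites."""
    true_pos = (1234.5, 678.9)
    sats = [(20000.0, 0.0), (0.0, 20000.0), (-20000.0, 0.0)]
    fixes = [(sx, sy, travel_time((sx, sy), true_pos)) for sx, sy in sats]
    return trilaterate_2d(fixes)


if __name__ == "__main__":
    print("receiver position (km):", demo())
```

The degenerate-geometry check matters in practice: if the three transmitters lie on one line the two difference equations are not independent and the device cannot resolve a unique position, which is one reason receivers prefer satellites spread across the sky.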
MOBILedit :-
MOBILedit Forensic Express is a phone and cloud extractor,
data analyzer and report generator all in one solution. A powerful
64-bit application using both the physical and logical data
acquisition methods, Forensic Express is excellent for its
advanced application analyzer, deleted data recovery, wide
range of supported phones including most feature phones, fine-
tuned reports, concurrent phone processing, and easy-to-use
user interface. With the password and PIN breaker you can gain
access to locked ADB or iTunes backups with GPU acceleration
and multi-threaded operations for maximum speed. Forensic
Express offers maximum functionality at a fraction of the price of
other tools. It can be used as the only tool in a lab or as an
enhancement to other tools through its data compatibility. When
integrated with Camera Ballistics it scientifically analyzes camera
photo origins.
All-in-one tool used to gather evidence from phones
With MOBILedit Forensic Express, you can extract all the data
from a phone with only a few clicks. This includes deleted data,
call history, contacts, text messages, multimedia messages,
photos, videos, recordings, calendar items, reminders, notes,
data files, passwords, and data from apps such as Skype,
Dropbox, Evernote, Facebook, WhatsApp, Viber, Signal, WeChat
and many others. MOBILedit Forensic Express automatically
uses multiple communication protocols and advanced techniques
to get maximum data from each phone and operating system.
Then it combines all data found, removes any duplicates and
presents it all in a complete, easily readable report.
Phone unlocking
Forensic Express has a built-in phone unlocking feature for many
phone models, allowing you to acquire a physical image even
when the phone is protected by a password or gesture. It can
bypass the lock-screen on a wide range of Android phones. It is
ready to utilize the full potential of modified recovery images in
order to perform physical acquisition with just a few clicks. Lock-
screen patterns, gestures, PINs and passwords are no longer an
obstacle in your way of acquiring any data from a wide variety of
Android devices.
Physical data acquisition and analysis
In addition to advanced logical extraction we also provide Android
physical data acquisition, allowing you to extract physical images
of investigated phones and have exact binary clones. Physical
analysis allows you to open image files created by this process,
or those obtained through JTAG, chip-off or other tools to recover
deleted files plus all other deleted data, where our product is
known to be excellent.
Advanced application analysis
The use of apps to communicate and share has grown rapidly.
Many apps are released or updated everyday. It is obvious that
the analysis of apps is vital to retrieving as much evidence as
possible. This is the strongest point of MOBILedit Forensic
Express, we dedicate a large part of our team specifically for
application analysis. We employ adaptive and in-depth methods
to ensure you retrieve the most data available for each app-
especially recovering deleted data. Data is analyzed for its
meaning so you see it on a timeline as a note, a photo, a video or
a flow of messages no matter what app was used to send them.
Live Updates
Because new apps are released or updated every day, you get updates
of application analysis live and as often as needed. Data is still
analyzed for its meaning, so you see it on a timeline as a note, a
photo, a video or a flow of messages no matter what app was used to
send them.
Deleted data recovery
Deleted data is almost always the most valuable information in a
device. It often hides in applications; and because this is our
strongest expertise, we deliver great results in finding deleted
data. Our special algorithms look deeply through databases, their
invalidated pages and within caches to find any data that still
resides in a phone. MOBILedit Forensic Express retrieves the
deleted data and presents it clearly in a special section of the
report.

CDR (Call Data Record): -
Call Data Records amount to an extremely large amount of information that is
generated by telecommunication companies by making use of
various call monitoring applications. It is the data record produced
by documenting the details of a telephone call or other
communication transactions (e.g. text messages, call durations)
that passes through a facility or device. Big Data has many
definitions, but generally, it is the data with the 3Vs (Volume,
Variety, Velocity) characteristics . Call Data Record is an
extremely valuable data resource as it is vast in volume, has
variety in its data & in its structure and the velocity at which it is
generated in real time is beyond any calculation. A CDR consists
of the following records. The requirement gathering phase of this
project led to the conclusion that in most cases the analysis of
the CDR points in the correct direction before anything else does.
In cases where the police records and case evidence are
insufficient, the CDRs of the suspects become the only possible
lead. Therefore it is about time that this vast data is made use
of in as many sectors as possible. In the proposed project the
idea is to make use of this data in order to detect criminals by
analyzing the CDRs of the suspects. This can be done by
implementing the proposed algorithm (section 4). In the proposed
project, the system takes as input the phone number(s) of the
various suspects and then analyses the CDRs of these suspects in
many different ways. The analysis is subject to the queries the
anti-crime team may have. Many points of similarity between the
data of various CDRs (of suspects) can be deduced simply by
analyzing the common columns and rows. For example, we can find
out the number of times suspect 1 called suspect 2, how often the
calls were made, how far the suspects were from the crime scene at
the time the crime was committed, and the current locations of
the suspects (this can be found out by extracting the details of
the cell tower the mobile number was last connected to). The next
section of the paper gives a comparative study of the current way
of working vs. the proposed system, which is followed by the
proposed algorithm, which gives an idea of how the implementation
can be worked upon, followed by the conclusion and future scope.
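An added example (not from the paper) of the CDR queries just described, run over constructed records: how many times suspect 1 called suspect 2, the tower each suspect's number was last connected to, which records place a number on a tower covering the scene around the time of the crime, and which suspects' records put them on the same tower at the same time. The column layout, phone numbers, tower ids and times are all constructed for illustration.

```python
"""Added example (not from the paper): investigative queries over merged
Call Data Records. The column layout, phone numbers, tower ids and times
below are constructed for illustration."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: one row per subscriber-side record, the form an
# operator returns for a requested number, merged here for three suspects.
# msisdn = the subscriber the record belongs to, other = the far-end number,
# direction = MO (outgoing) or MT (incoming), cell_id = tower serving msisdn.
SAMPLE_CDR = """\
msisdn,other,direction,start,duration,cell_id
+15550001,+15550002,MO,2024-03-01T20:05:00,120,T17
+15550002,+15550001,MT,2024-03-01T20:05:00,120,T17
+15550001,+15550003,MO,2024-03-01T22:10:00,600,T42
+15550003,+15550001,MT,2024-03-01T22:10:00,600,T42
+15550002,+15550001,MO,2024-03-02T09:00:00,30,T05
+15550001,+15550002,MT,2024-03-02T09:00:00,30,T42
+15550001,+15550002,MO,2024-03-03T08:00:00,15,T17
+15550002,+15550001,MT,2024-03-03T08:00:00,15,T05
"""


def parse_cdr(text):
    """Parse a CSV CDR export into a list of dicts with typed fields."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "msisdn": row["msisdn"],
            "other": row["other"],
            "direction": row["direction"],
            "start": datetime.fromisoformat(row["start"]),
            "duration": timedelta(seconds=int(row["duration"])),
            "cell_id": row["cell_id"],
        })
    return records


def calls_between(records, a, b):
    """(calls a placed to b, calls b placed to a). Only the originating (MO)
    side is counted, so the mirrored MT record of the same call is not
    counted twice once both suspects' CDRs are merged."""
    a_to_b = sum(1 for r in records
                 if r["msisdn"] == a and r["other"] == b and r["direction"] == "MO")
    b_to_a = sum(1 for r in records
                 if r["msisdn"] == b and r["other"] == a and r["direction"] == "MO")
    return a_to_b, b_to_a


def last_known_cell(records, number):
    """Tower serving `number` in its most recent record: the 'current
    location' lead the text describes. None if the number has no records."""
    own = [r for r in records if r["msisdn"] == number]
    if not own:
        return None
    return max(own, key=lambda r: r["start"])["cell_id"]


def near_scene(records, number, scene_cells, crime_time_iso, window_minutes):
    """Records of `number` served by a tower covering the crime scene whose
    active interval (start..start+duration), widened by the window, contains
    the crime time. A hit places the phone near the scene, not the person."""
    crime_time = datetime.fromisoformat(crime_time_iso)
    window = timedelta(minutes=window_minutes)
    hits = []
    for r in records:
        if r["msisdn"] != number or r["cell_id"] not in scene_cells:
            continue
        if r["start"] - window <= crime_time <= r["start"] + r["duration"] + window:
            hits.append(r)
    return hits


def co_located(records, numbers, window_minutes):
    """Suspect pairs whose records put them on the same tower within the
    window of each other: the row/column similarity across merged CDRs.
    Returns a set of (number_a, number_b, cell_id) with numbers sorted."""
    window = timedelta(minutes=window_minutes)
    own = [r for r in records if r["msisdn"] in numbers]
    pairs = set()
    for i, r1 in enumerate(own):
        for r2 in own[i + 1:]:
            if r1["msisdn"] == r2["msisdn"] or r1["cell_id"] != r2["cell_id"]:
                continue
            if abs(r1["start"] - r2["start"]) <= window:
                pair = tuple(sorted((r1["msisdn"], r2["msisdn"])))
                pairs.add(pair + (r1["cell_id"],))
    return pairs


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    print(calls_between(recs, "+15550001", "+15550002"))
    print(last_known_cell(recs, "+15550001"))
    print(near_scene(recs, "+15550001", {"T42"}, "2024-03-01T22:30:00", 60))
    print(co_located(recs, {"+15550001", "+15550002", "+15550003"}, 15))
```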
Challenges to Digital Forensic Evidences:
1. Basics: Digital forensic evidence is identified, collected,
transported, stored, analysed, interpreted, reconstructed,
presented and destroyed through a set of processes. Challenges to
this evidence come through challenges to the elements of this
process. This process, like all other processes and the people
and systems that carry them out, is imperfect. That means that
there are certain types of faults that occur in these processes.
A. Faults and Failures: Faults consist of intentional or accidental
making or missing of content, contextual information, the
meaning of content process elements, relationships, ordering
timing, location, corroborating content, consistencies, and
inconsistencies. Not all faults produce failures, but some do.
Although it may be possible to challenge faults, this generally
does not work and is unethical if there is no corresponding failure
in the process. Certain things turn faults into failures, and it is
these failures that legitimately should be and can be challenged
in legal matters. Failures consist of false positives and false
negatives. False negatives are items that should have been
found and dealt with in the process but were not, whereas false
positives are things that should have been discarded or
discredited in the process but were not.
B. Legal Issues: Evidence in legal cases is admitted or not
based on the relative weights of its probative and prejudicial
value. Probative value is the extent to which the evidence leads
to deeper understanding of the issues in the case. Prejudicial
value is the extent to which it leads the finder of fact to believe
one thing or another about the matter at hand. If the increased
understanding from the evidence is greater than the increase in
belief, the evidence is admissible. Part of the issue of probative
value is the quality of the evidence. If the process that created
the evidence as presented is flawed, this reduces the probative
value. Impure evidence, evidence presented by an expert who is
shown to be unknowledgeable in the subject at hand, evidence
that has not been retained in a proper chain of custody, evidence
that fails to take into account the context, or evidence falling
under any of the other fault categories all lead to reduced
probative value. If the result of these faults produces wrong
answers, the probative value goes to nearly zero in many cases.
C. The latent Nature of Evidence: In order to deal with digital
evidence, it must be presented in court. Because digital data is
not directly observable by the finder of fact, it must be presented
through expert witnesses using tools to reveal its existence,
content and meaning to the fact finders. This puts it into the
category of latent evidence. In addition, digital evidence is
hearsay evidence in that it is presented by an expert who asserts
facts or conclusions based on what the computer recorded, not
what they themselves have directly observed. In order for
hearsay evidence to be admitted, it normally has to come in under
the normal business records exemption to the hearsay evidence
prohibition. Thus, it depends on the quality and the unbiased
opinion of the experts for each side.
D. Notions Underlying “Good Practice”: One of the results of
diverse approaches to collection and analysis of digital forensic
evidence is that it has become increasingly difficult to show why
the process used in any particular case is reliable, trustworthy
and accurate. As a result, sets of good practices were developed
by law enforcement in the UK, US and elsewhere. The use of the
term good practices is specifically designed to avoid the use of
terms such as standards or best practices; this is because of a
desire to prevent challenges to evidence based on not following
these practices.
E. The Nature of Some Legal Systems and Refusing
Challenges: In some legal systems, there are great rewards to
those who challenge everything. The idea is to spread the seeds
of doubt in the minds of the finders of fact. In presenting and
characterizing evidence, care should be taken not to
mischaracterize, overcharacterize or undercharacterize the value
and meaning of evidence. Refuting clearly invalid challenges is
often straightforward. In most such cases, ground truth can be
clearly shown.
2. Identifying Evidence:
The first step in gathering evidence is identifying possible sources
of evidence for collection. It is fairly common that identified
evidence includes too little or too much information. If too much is
identified, then search and seizure limitations may be exceeded,
whereas if too little is identified, the exculpatory or inculpatory
evidence may be missed. The most common missed evidence
comes in the form of network logs from related network
components.
A. Common Misses: There is a great deal of corroborating
evidence that can be sought from connected systems that
produce log files, which can confirm or refute the use of a system
by a suspect. Other evidence that is commonly missed includes
storage devices, networked computer contents, deleted file areas
from disks, secondary storage, backups and other similar
information. Properly identifying information to be collected often
fails because of missed relationships between computers and
evidence in those computers. This evidence is often time
sensitive and is lost if not identified and gathered within a short
time frame. The chain of custody issues for such evidence can also be
quite complex and involve a large number of participants from
multiple jurisdictions.
B. Information Not Sought: In some cases evidence is not
sought. For example, when one side or another looks for
evidence in a case, they may decide to follow up or not follow up
on different facets of the case, pursue or not pursue various lines
of enquiry, or limit the level of detail or sort of evidence they
collect. Sometimes, evidence is stored somewhere the
investigators are unaware of or cannot gain access to.
Sometimes the evidence is destroyed or no longer exists by the
time it becomes apparent that it might be of value.
C. False Evidence: On the other hand there are also cases, rare
as they may be, when evidence is made up from whole cloth.
Although this is difficult to do in all areas, such evidence in the
digital arena is exceedingly rare. There are cases when the
defence makes such a claim and there are even cases when
digital evidence has been found to not be adequately tied to the
party involved.
D. Non-stored Transient Information: Any data that is not
stored in a permanent storage medium cannot be seized; it can only
be collected in real time by placing sensors in the environment.
Such evidence must be identified in a different manner than
evidence sitting on a desk or within a disk. This sort of evidence
must be identified by an intelligence process, and special legal
means must be applied in many cases to collect this evidence.
E. Good Practice: The general plan for good practice is to
discover the computer(s) and/or other sources of content to be
seized. It may seem obvious that anyone doing a search for
digital evidence will try to find anything they can, but the
technology of today leads to an enormous number of different
devices that can be concealed in a wide variety of ways. It is
good practice to seize the main system box, monitor, keyboards,
mouse, leads and cables, power supplies, connectors, modems,
floppy disks, DATs, tapes, Jazz and Zip disks and drives, CDs,
hard disks, manuals and software, paper, circuit boards, keys,
printers, printouts and printer paper.

3. Evidence Collection:
Most evidence is collected electronically. In other words, the
process by which it is gathered is through the collection of
electromagnetic emanations. In order to trust evidence there
needs to be some basis for the manner in which it was collected.
A. Establishing Presence: Records of activity are often used to
establish presence. For example, users may have passwords that
are used to authenticate their identity. These may be stored
locally or remotely and will typically provide date and times
associated with the start of access, as well as with subsequent
accesses. The verification process provides evidence of the
presence of the individual at a time and place; however, such
validations can be forged, stolen and lent. In some environments
common passwords and user IDs are used, making these
identifications less reliable.
B. Chain of Custody: Digital forensic evidence comes in a wide
range of forms from a wide range of sources. For example, in a
recent terrorism case a computer asserted to be from a
defendant was provided to the FBI by someone who purchased
the computer at a swap meet. These are generally outdoor small
vendor sales of used equipment of all sorts, from old guns to old
electronic equipment, sold over folding tables and from the backs
of cars. Some of it is stolen, some of it is resold by people who
bought new versions, some is wholesale, some is damaged
goods, and some is made by those who sell it. This computer
was asserted to contain evidence, but establishing a chain of
custody was a very difficult proposition, especially considering
that the defendant claimed to never have had such a computer.
C. How the Evidence was Created: The information that
becomes evidence may be generated for various purposes, most
of which are not for the purpose of presentation in court. In most
cases when information is gathered from systems as they
operate, the systems under scrutiny are altered during the
gathering process.
D. Typical Audit Trails
Typical audit trails include the date and time of creation, last use,
and/or modification as well as identification information such as
program names, function performed, user names, owners,
groups, IP addresses, port numbers, protocol types, portions or
all of the content, and protection settings. If this sort of
information exists, it should be consistent to a reasonable extent
across different elements of the system under scrutiny.
E. Consistency of Evidence
For example, if a program is asserted to generate a file that was
not otherwise altered, then the program must have been running at
the time the
file was created, must have had the necessary permissions to
create the file, must have the capacity to create such a file in
such a format, and must have been invoked by a user or the
system using another program capable of invoking it. There is a
lot of information that should all link together cleanly, and if it
doesn’t, there are reasons to question it.
F. Proper Handling during Collection
In most police-driven investigations normal evidence-handling
requirements are used for digital forensic evidence, with a few
enhancements and exceptions. Photographs and labels are
commonly used, and an inventory sheet is typically made of all
seized evidence. Suspects and others at the location under
investigation are interviewed, passwords and similar information
are retrieved, and in some cases this is used on-site to gain
access to computer systems. If proper procedures are not
followed, then the evidence arising from this process may be
invalidated.
G. Selective Collection and Presentation
In some cases, prosecution teams have opted to not do a
thorough job of collecting or presenting evidence. They prefer to
seek out anything that makes the defendant look guilty and stop
as soon as they reach a threshold required to bring the case to
court. Many prosecution teams try to prevent the defence from
getting the evidence, provide only paper copies of digital
evidence, and so forth. Most defence teams fail to present
evidence that would tend to convict their clients, and they
certainly don’t try to help the prosecution find more evidence
against their clients. Defence teams also do everything they can
to limit discovery and make it as ineffective as possible for the
other side. But because the prosecution is the predominant
gatherer of digital forensic evidence in most criminal cases, it
ends up being the prosecution that conceals and the defence that
tries to reveal.
H. Forensic Imaging
In order to address decay and corruption of original evidence,
common practice is to image the contents of digital evidence and
work with the image instead of the original. Imaging must be done
in such a way as to accurately reflect the original content, and
there are now studies done by the United
States National Institute of Standards and Technology (NIST) to
understand the limitations of imaging hardware and software, as
well as standards for forensic imaging. If these standards are not
met, there may be a challenge to the evidence; however, such
challenges can often be defeated if proper experts are properly
applied.
I. Secret Science and Countermeasures
This is another similar line of pursuit that has been used to
prevent criminal defence teams from gaining access to key
evidence and methods of gathering and analysing evidence. In
essence, the prosecution says that they have an expert who used
a secret technique to determine that the defendant typed this or
that. The defence asks for access to the means and detailed
evidence
so that they can try to refute the evidence, and the prosecution
claims that this information is a government secret, classified at a
level so that the defence
team cannot see it.
4. Seizure Errors:
The evidence seizure process has the potential of producing a
wide range of errors that may lead to challenges.
A. Warrant Scope Excess
In one case a warrant for a search for pornographic images was
found to be exceeded when the officer making the search looked in
directories with names that were indicative of other legitimate
use.
B. Acting for Law Enforcement
Similar limitations exist for situations in which a non–law
enforcement person is acting on behalf of law enforcement or the
government.
C. Wiretap Limitations and Title 3
In some cases where a wiretap or network tap is used, there may
also be issues associated with the legality of such a wiretap. The
expertise of the person gathering the evidence is important to
examine. In addition, if minimization is done, then an argument
can sometimes be made that the exculpatory evidence was
excluded in the gathering phase.
D. Collection Limits
Because all collection methods are physical, there are inherent
physical limits in the collection of digital evidence. The challenge
to evidence collected based on signals approaching these limits is
typically based on the inability of the mechanism used to gather
the evidence to accurately represent and collect the underlying
reality it is intended to reflect.
5. Transport of Evidence:
When digital evidence is taken into custody, appropriate
measures should be taken to assure that it is not damaged or
destroyed.
A. Possession and Chain of Custody
It is common practice in some venues to videotape the evidence
collection process, and this has been invaluable in meeting subsequent
challenges in many cases. In one example, a challenge was
made based on the presence of a floppy disk in a floppy disk
drive; however, the videotape clearly showed that no floppy disk
was present, and this defeated the assertion.
B. Packaging for Transport
Packaging for transport of digital forensic evidence has
requirements similar to those of other evidence. Chain-of-custody
requirements must be met throughout the process, and the
evidence has to be kept in an environment suitable for the
preservation of its contents.
C. Due Care Takes Time
Based on the requirement for a speedy trial and high workloads
in most forensic laboratories, time constraints are often placed on
storage and analysis of evidence. The more time spent, the more
detailed an examination can be made and the more of the overall
mosaic will be pieced together.
D. Good Practice
Transportation should be done with the following good practice
elements.
Handle everything with care; keep it away from magnetic sources
such as loudspeakers, heated seats, and radios; place boards
and disks in antistatic bags; transport monitors face down
buckled into seats; place organizers and palmtops in envelopes;
and place keyboards, leads, mouse, and modems in aerated bags.
6. Storage of Evidence:
Evidence must be stored in a safe, secure environment to assure
that it is safe from alteration. Access must be controlled and logged in most
cases. Special precautions are needed to protect this evidence,
just as special precautions are needed for some sorts of
biological and chemical evidence.
A. Decay with Time
All media decays with time. Decay of media produces errors.
Typically, tapes, CDs, and disks last 1 to 3 years if kept well
but can fail in minutes from excessive heat.
An audit trail is another thing that tends to decay with time. Some
are never stored, whereas others last minutes, hours, days,
weeks, months, or years.
B. Evidence of Integrity
Evidence of integrity is normally used to assert that digital
forensic evidence is what it should be. This is generally assured
by using a combination of notes taken while the data was
extracted; using a well-understood and well-tested process of
collection; being able to reproduce results, which is a scientific
validity requirement in any case; using chain-of-custody records
and procedures; and applying proper imaging techniques
associated with the specific media under examination. Keeping
the original pure by only using it to generate an initial image and
working only from images from then on is a wise move when
feasible. Just because evidence is not perfect, that doesn’t mean
it is not good enough.
C. Principles of Best Practices
Principle 1: No action should change data held on a computer or
other media.
Principle 2: In exceptional circumstances where examination of
original evidence is required, the examiner must be competent to
examine it and explain its relevance and implications.
Principle 3: Audit records or other records of all processes
applied to digital evidence should be created and preserved. An
independent third party should be able to reproduce those
actions with similar results.
Principle 4: Some individual person should be responsible for
adhering
to these principles.
7. Evidence Analysis:
Evidence analysis is perhaps the most complex and error-prone
aspect of digital evidence.
A. Content
Making content typically involves processing errors. If originals
are present and checksums can be shown to match, then such
challenges will only succeed in the presence of actual and
material error because the validity of the evidence can be
properly established. Missing content typically results from limited
time or excessive focus of attention.
B. Contextual Information
Information has meaning only in context. Analysis can make
context by making assumptions that are invalid or cannot be
demonstrated. Context is missed when assumptions that are valid
and can be demonstrated are not made. The challenge to context that has
been made starts with questioning the basis for assumptions. If
assumptions cannot be adequately demonstrated, the context
becomes dubious, the assumptions fall away, and the
conclusions are not demonstrable.
C. Meaning
The meaning of things that are found is obviously the basis for
interpretation.
Meaning that is missed leads to a failure to interpret, and
meaning that is made is an interpretation without adequate
support.
D. Process Elements
Content does not come to exist through magic. It comes to exist
through a process. The notion that a sequence of bits appears on
a system without the notion of how that sequence came to exist
there makes for a very weak case.
E. Relationships
Just as sequences of events produce content, relationships
between event sequences and content produce content. The
presence or absence of related content causes differences in the
content generated by related processes.
F. Unreliable Sources
There are a lot of unreliable sources of digital content. For
example, the Internet is full of the widest possible range of
different content, only a small portion of which is really accurate
and a significant portion of which is just plain false.
G. Reconstructing Elements of Digital Crime Scenes
Digital crime scenes can also be reconstructed, and this is a
critical area for scientific evidence. But even reconstruction of a digital crime
scene has its limits. Although similar circumstances can be
created, identical ones often cannot. As a rule of thumb, simple
questions can often be answered by digital reconstructions, but
complex sequences of events are far harder to confirm or refute.
DIGITAL EVIDENCE:
Digital Evidence on Operating Systems: An operating system (OS) is
the software component of a computing system that is responsible
for the management and coordination of activities and the sharing
of the resources of the computer. The OS acts as a host for
application programs that are run on the machine. Operating
System Forensics is the process of retrieving useful information
from the OS of the computer or mobile device in question. The aim
of collecting this information is to acquire empirical evidence
against the perpetrator. “OS Forensics” involves forensic
examination of the OS of the computer. The most commonly used
operating systems are Windows, Mac, and Linux. It is highly likely
that forensic investigators will encounter one of these operating
systems during any crime investigation. It is imperative that they
have thorough knowledge of these operating systems, their
features, methods of processing, data storage and retrieval, as
well as other characteristics.
What are the types of Operating systems?
The most popular types of Operating Systems are Windows,
Linux, Mac, iOS, and Android.
Windows
Windows is a widely used OS designed by Microsoft. The file
systems used by Windows include FAT, exFAT, NTFS, and
ReFS. Investigators can search out evidence by analyzing the
following important locations of the Windows:
Recycle Bin: This holds files that have been discarded by the
user. When a user deletes files, a copy of them is stored in
recycle bin. This process is called “Soft Deletion.” Recovering
files from recycle bin can be a good source of evidence.
Registry: The Windows Registry holds a database of keys and
values that give useful pieces of information to forensic analysts.
For example, see the table below that provides registry keys and
associated files that encompass user activities on the system.
Thumbs.db Files: These hold thumbnails of images that can
provide relevant information.
Browser History: Every Web Browser generates history files that
contain significant information. Microsoft Windows Explorer is the
default web browser for Windows OSs.
Linux
Linux is an open source, Unix-like, and elegantly designed
operating system that is compatible with personal computers,
supercomputers, servers, mobile devices, netbooks, and laptops.
Unlike other OSs, Linux supports many file systems of the ext
family, including ext2, ext3, and ext4. Linux can provide
empirical evidence if a Linux-embedded machine is recovered from
a crime scene. Important locations include:
/etc [%SystemRoot%/System32/config]
This is the system configuration directory, which holds separate
configuration files for each application.
/var/log
This directory contains application logs and security logs. They
are kept for 4-5 weeks.
/home/$USER
This directory holds user data and configuration information.
/etc/passwd
This file holds user account information.
Data Acquisition Methods for OS Forensics
There are four Data Acquisition methods for OS forensics which
will be performed on both Static Acquisition and Live Acquisition.
These methods are:
Disk-to-image file: A forensic examiner can make one or more
copies of a drive under the OS in question. The tools used for
this method are iLookIX, X-Ways, FTK, EnCase, or ProDiscover.
Disk-to-disk copy: This works best when the disk-to-image
method is not possible. Tools for this approach include SnapCopy,
EnCase, or SafeBack.
Disk-to-data file: This method creates a disk-to-data or disk-to-
disk file.
Sparse copy of a file: This is a preferable method if time is
restricted and the disk has a large volume of data storage.
For both Linux and Windows operating systems, write-blocking
utilities with graphical user interface (GUI) tools must be used
to gain access to the files. A Linux Live CD offers many
useful tools for digital forensics acquisition.
Data Analysis for OS Forensics
Forensic examiners perform data analysis to look at artifacts left
by perpetrators, hackers, viruses, and spyware. They scan
deleted entries, swap or page files, spool files, and RAM during
this process. These collected artifacts can provide a wealth of
data with reference to how malicious actors tried to hide their
tracks and what they were doing to a system.

DATA RECOVERY:
Disk geometry
Hard disk drives are composed of one or more disks or platters
on which data is stored. The geometry of a hard drive is the
organization of data on these platters. Geometry determines how
and where data is stored on the surface of each platter, and thus
the maximum storage capacity of the drive. There are five
numerical values that describe geometry:
Heads
Cylinders
Sectors per track
Write precompensation
Landing zone
Write precompensation and landing zone are obsolete, but often
seen on older drives.
Heads
The number of heads is relative to the total number of sides of all
the platters used to store data. If a hard disk drive has four
platters, it can have up to eight heads. The maximum number of
heads is limited by BIOS to 16. Hard disk drives that control the
actuator arms using voice coil motors reserve a head or two for
accuracy of the arm position. Therefore, it is not uncommon for a
hard disk drive to have an odd number of heads.
Some hard disk drive manufacturers use a technology called
sector translation. This allows some hard drives to have more
than two heads per platter. It is possible for a drive to have up to
12 heads but only one platter. Regardless of the methods used to
manufacture a hard drive, the maximum number of heads a hard
drive can contain is 16.
Cylinders
Data is stored in circular paths on the surface of each head. Each
path is called a track. There are hundreds of tracks on the
surface of each head. A set of tracks (all of the same diameter)
through each head is called a cylinder. The number of cylinders is
a measurement of drive geometry; the number of tracks is not a
measurement of drive geometry. BIOS limitations set the
maximum number of cylinders at 1024.
Sectors per Track
A hard disk drive is cut (figuratively) into tens of thousands of
small arcs, like a pie. Each arc is called a sector and
holds 512 bytes of data. The number of sectors is not important
and is not part of the geometry; the important value is the number
of sectors per track. BIOS limitations set the number of sectors
per track at 63.
Write Precompensation
All sectors store the same number of bytes: 512; however, the
sectors toward the outside of the platter are physically longer
than those closer to the center. Early drives experienced difficulty
with the varying physical sizes of the sectors. Therefore, a
method of compensation was needed: the write precompensation
value defines the cylinder where write precompensation begins.
Landing Zone
A landing zone defines an unused cylinder as a "parking place"
for the R/W heads. This is found in older hard disk drives that use
stepper motors. It is important to park the heads on these drives
to avoid accidental damage when moving hard disk drives.
CHS Values
Cylinders, heads, and sectors per track are known collectively as
the CHS values. The capacity of any hard disk drive can be
determined from these three values.
The maximum CHS values are:
1024 cylinders.
16 heads.
63 sectors per track.
512 bytes per sector.
Therefore, the largest hard disk drive size recognized directly by
the BIOS is 504 MB. Larger drive sizes can be attained by using
either hardware or software translation that manages access to
the expanded capacity without direct control by the system BIOS.
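As an added worked example (my own code, not part of the original notes), the following Python computes the capacity implied by a set of CHS values and converts between CHS addresses and linear block addresses (LBA), which is the form imaging tools and MBR partition tables actually work with. The Geometry class and the function names are my own; the 512-byte sector and the BIOS maximums are the values stated in the notes.

```python
from __future__ import annotations

from dataclasses import dataclass

BYTES_PER_SECTOR = 512  # sector size assumed throughout the notes


@dataclass(frozen=True)
class Geometry:
    """CHS geometry of a drive as reported to (or limited by) the BIOS."""
    cylinders: int
    heads: int
    sectors_per_track: int

    def total_sectors(self) -> int:
        return self.cylinders * self.heads * self.sectors_per_track

    def capacity_bytes(self) -> int:
        return self.total_sectors() * BYTES_PER_SECTOR

    def capacity_mib(self) -> float:
        # "MB" in the notes means 1024 * 1024 bytes
        return self.capacity_bytes() / (1024 * 1024)


def chs_to_lba(geom: Geometry, cylinder: int, head: int, sector: int) -> int:
    """Convert a CHS address to a linear block address.

    Cylinders and heads are numbered from 0, sectors within a track from 1,
    which is the convention used by the BIOS and by MBR partition entries.
    """
    if not (0 <= cylinder < geom.cylinders
            and 0 <= head < geom.heads
            and 1 <= sector <= geom.sectors_per_track):
        raise ValueError(f"CHS {(cylinder, head, sector)} lies outside {geom}")
    return (cylinder * geom.heads + head) * geom.sectors_per_track + (sector - 1)


def lba_to_chs(geom: Geometry, lba: int) -> tuple[int, int, int]:
    """Inverse of chs_to_lba; raises if the LBA is beyond the last sector."""
    if not 0 <= lba < geom.total_sectors():
        raise ValueError(f"LBA {lba} lies beyond the last sector of {geom}")
    sector = lba % geom.sectors_per_track + 1
    head = (lba // geom.sectors_per_track) % geom.heads
    cylinder = lba // (geom.sectors_per_track * geom.heads)
    return cylinder, head, sector


# The BIOS maximum from the notes: 1024 cylinders, 16 heads, 63 sectors per track.
BIOS_MAX = Geometry(cylinders=1024, heads=16, sectors_per_track=63)


if __name__ == "__main__":
    print(f"BIOS maximum: {BIOS_MAX.capacity_bytes()} bytes"
          f" = {BIOS_MAX.capacity_mib():.0f} MiB")
    last = BIOS_MAX.total_sectors() - 1
    print("last addressable sector as CHS:", lba_to_chs(BIOS_MAX, last))
```

The 504 figure in the notes falls out exactly: 1024 x 16 x 63 x 512 is 528,482,304 bytes, which is 504 MiB. The round-trip between the two address forms is what you rely on when reading the CHS fields of an old partition table against a modern sector-numbered image.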
Recovery of cache files
Google Chrome uses a cache in which it stores images, scripts and
other parts of downloaded Web pages. Google Chrome loads
these files from the cache on your computer the next time you
load the page, speeding up page loads and reducing the amount
of downloaded data. You can view and search through a list of
cached files using the special About:cache page in Google
Chrome. After identifying the exact path of the file, you can
recover it from the cache and save it to your computer.
1. Click the address bar at the top of your Google Chrome
window, type “About:cache” into the box and press “Enter.” A
page appears with a list of cached files and their addresses.
2. Press the “Ctrl” and “F” keys on your keyboard at the same
time to open the find bar.
3. Type part of the name or address of a cached file into the find
box and press “Enter” to find it. Continue pressing “Enter” to page
through any matching results.
4. Select the full address of the cached file on the page with your
mouse and press “Ctrl” and “C” at the same time to copy the
address.
5. Click the address bar, press “Ctrl” and “V” at the same time to
paste the address and press “Enter” to load the file. Chrome
loads the file from the cache.
6. Right-click the image, page or script and select “Save As” to
save the cached file to your computer.

Formatted Partition Recovery
Partition formatting creates a file system on the drive so that files
can be stored and accessed by the system. For your operating
system to use and recognize a specific file system, you must
format the partition or volume on hard drives or other storage
devices. The bottom line is that you can recover lost files and
folders from a formatted partition or disk. So even if you
accidentally format the whole drive, file recovery is still a
possibility. But you may wonder how this formatted data is still
recoverable.
In a nutshell, when you format a partition, you only remove the
file entries in the root directory and file allocation tables. As a
result, the file data itself is not wiped from the drive. Since the
entries for those files are removed, the operating system can no
longer access the corresponding data and marks the sectors taken
up by the formatted data as free. These newly freed sectors can
then be overwritten with new data.
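To make that concrete, here is an added Python example (my own code, not from the notes or from any recovery product). It builds a small constructed disk image with a toy directory sector, simulates a quick format by wiping only that directory, and then carves the file back out purely from its content signature; it also shows that the same carve fails once a later write lands on one of the file's sectors. The PNG file, the one-sector "directory" (a stand-in for a real root directory or FAT, not a real file system) and the sector numbers are all constructed for the example.

```python
from __future__ import annotations

import random
import struct
import zlib

SECTOR = 512
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def make_png(width: int, height: int, seed: int = 1) -> bytes:
    """Build a small but valid RGB PNG filled with pseudo-random pixels
    (constructed sample data; the noise keeps IDAT from compressing to nothing)."""
    rng = random.Random(seed)

    def chunk(tag: bytes, data: bytes) -> bytes:
        crc = zlib.crc32(tag + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)

    rows = b"".join(
        b"\x00" + bytes(rng.getrandbits(8) for _ in range(3 * width))
        for _ in range(height)
    )
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b""))


def pad_to_sector(data: bytes) -> bytes:
    return data + b"\x00" * (-len(data) % SECTOR)


def build_images() -> tuple[bytes, bytes, bytes]:
    """Return (original file, image before format, image after quick format).

    Sector 0 is a toy directory; the file body starts at sector 1 and spans
    two sectors; an unrelated allocated sector follows it.
    """
    photo = make_png(16, 16)
    directory = pad_to_sector(b"DIR photo.png start=1 len=%d" % len(photo))
    other = b"\xaa" * SECTOR
    before = directory + pad_to_sector(photo) + other
    after = b"\x00" * SECTOR + pad_to_sector(photo) + other  # only the directory is wiped
    return photo, before, after


def _png_end(image: bytes, start: int) -> int | None:
    """Walk the chunk structure from a signature hit; return the offset just
    past IEND, or None if a chunk is truncated or its CRC no longer matches
    (which is what an overwritten sector looks like to the carver)."""
    off = start + len(PNG_SIG)
    while off + 8 <= len(image):
        length, tag = struct.unpack(">I4s", image[off:off + 8])
        data_start = off + 8
        chunk_end = data_start + length + 4
        if chunk_end > len(image):
            return None
        data = image[data_start:data_start + length]
        (crc,) = struct.unpack(">I", image[data_start + length:chunk_end])
        if crc != zlib.crc32(tag + data) & 0xFFFFFFFF:
            return None
        off = chunk_end
        if tag == b"IEND":
            return off
    return None


def carve_png(image: bytes) -> list[tuple[int, bytes]]:
    """Signature carving: find every intact PNG in the image without using
    any directory information, returning (offset, file bytes) pairs."""
    found = []
    pos = image.find(PNG_SIG)
    while pos != -1:
        end = _png_end(image, pos)
        if end is None:
            pos = image.find(PNG_SIG, pos + 1)
            continue
        found.append((pos, image[pos:end]))
        pos = image.find(PNG_SIG, end)
    return found


def overwrite_sector(image: bytes, sector_no: int, fill: bytes = b"\x55") -> bytes:
    """Simulate new data being written over one sector after the format."""
    start = sector_no * SECTOR
    return image[:start] + fill * SECTOR + image[start + SECTOR:]


if __name__ == "__main__":
    photo, before, after = build_images()
    print("carved from formatted image:", [(o, len(b)) for o, b in carve_png(after)])
    print("carved after sector 2 is overwritten:", carve_png(overwrite_sector(after, 2)))
```

The carve succeeds on the formatted image because nothing but the directory changed; it returns nothing once sector 2 is reused, because the IDAT chunk's CRC no longer matches and IEND is gone. That is the whole reason the "stop writing to the partition" advice below matters.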
For Successful Format Recovery: Although formatted partition
recovery is possible, you need to pay attention to the following to
maximize chances of data recovery:
🚫 Stop writing any data to the partition: Formatted files stay on
the partition and continue to exist somewhere on the volume,
although they appear invisible. Furthermore, if you save data to
the partition after formatting, there is a possibility to overwrite the
recoverable data. Hence, immediately stop using the partition
and close programs that may access the drive.
💿 Do not reformat the partition: Since the formatting process
creates a new file system on the volume, reformatting the
partition further hampers your chances of data recovery.
❌ Do not run a disk check on the formatted partition: The disk
check function provided by the operating system checks and
repairs partition errors. However, this tool may repair excessively
and even damage information critical to successful partition
recovery.
✔️ Try trusted recovery software: Do not try any cracked
recovery software which may contain viruses and destroy
recoverable data. Instead, you should download data recovery
software from trusted websites. The primary criterion is that the
tool should be clean, read-only, and reliable.
Formatted Partition Recovery Using Data Recovery Software
Formatted partition recovery is possible through partition recovery
software such as Disk Drill Partition Recovery, which offers a
straightforward and effective way to recover files. Here’s how you
can get started:
Get the tool: Download the free version of Disk Drill. Install it
with admin privileges.
Select the drive: Ensure that you have connected the drive for
recovery. Once you launch Disk Drill, it displays the accessible
drives. Select the desired drive, and then choose a scanning
algorithm. If you have a lot of data, it might be best to try All
recovery methods and then click Search for lost data.
Wait for the scan to complete: Disk Drill displays a progress bar
as the hunt for files goes on. Additionally, you can pause the
scan to quickly recover a select few and then keep the algorithm
running.
Recover your deleted files: Choose the files that you want to
recover from the list of recoverable files displayed by Disk Drill.
Select a destination: Select a destination for the recovered files.
We strongly suggest that you select a different location than your
original partition to avoid further data loss.

Computer Ethics
Ethics: Ethics are a structure of standards and practices that
influence how people lead their lives. It is not strictly
implemented to follow these ethics, but it is basically for the
benefit of everyone that we do.
Ethics are unlike laws that legally mandate what is right or
wrong. Ethics illustrate society’s views about what is right and
what is wrong.
Computer Ethics
Computer ethics are a set of moral standards that govern the use
of computers. It is society’s views about the use of computers,
both hardware and software. Privacy concerns, intellectual
property rights and effects on society are some of the common
issues of computer ethics. It primarily imposes the ethical use of
computing resources. It includes methods to avoid violating the
unauthorized distribution of digital content. The Internet has
changed our lifestyle and has become a part of our life. It allows
us to communicate with a person from another part of the world,
collect information on any topic, take part in social meets, and
carry out many other activities. But at the same time, some
people are always trying to cheat or harm others.
Ten Commandments of computer Ethics:
The commandments of computer ethics are as follows:
Commandment 1: Do not use the computer to harm other
people’s data.
Commandment 2: Do not use a computer to cause interference in
other people’s work.
Commandment 3: Do not spy on another person’s personal data.
Commandment 4: Do not use technology to steal personal
information.
Commandment 5: Do not spread misinformation using computer
technology.
Commandment 6: Do not use software unless you have paid for it.
Commandment 7: Do not use someone else’s computer resources
unless you are authorized to use them.
Commandment 8: It is wrong to claim ownership of a work that is
the output of someone else’s intellect.
Commandment 9: Before developing software, think about the
social impact that software can have.
Commandment 10: While using computers for communication,
always be respectful of fellow users.
Categories of Computer Ethics Issues:
Privacy: i) Computers create a false sense of security ii)
People do not realize how vulnerable information stored
on computers is.
Property: i) Physical property ii) Intellectual property (in both
copyright and patent) iii) Data as property
Access: i) Access to computing technology ii) Access to data
Accuracy: i) Accuracy of information stored.
Chain of Custody: As forensic investigators collect media
from the client and transfer it, they should document all the steps
conducted during the transfer of media and the evidence on the
Chain of Custody (CoC) forms and capture signatures, date, and
time upon the media handoff. It is essential to complete CoC
paperwork for the following reasons:
• CoC demonstrates that the image has been under known
possession since the time the image was created.
• Any lapse in the CoC nullifies the legal value of the image, and
thus the analysis.
• Any gaps in the possession record, such as any time the
evidence was left unattended in an open space or an unsecured
location, are problematic.
Evidence Analysis :- Digital evidence is any significant
information stored or transmitted in digital form that a party to a
court case may use at trial. Digital evidence is information stored
or transmitted in binary form that may be relied on in court. It can
be found on a computer hard drive, a mobile phone, among other
places.
Digital evidence is commonly associated with electronic crime, or
e-crime, such as child pornography or credit card fraud. However,
digital evidence is now used to prosecute all types of crimes, not
just e-crime. For example, suspects' e-mail or mobile phone files
might contain critical evidence regarding their intent, their
whereabouts at the time of a crime and their relationship with
other suspects. In an effort to fight e-crime and to collect relevant
digital evidence for all crimes, law enforcement agencies are
incorporating the collection and analysis of digital evidence, also
known as computer forensics, into their infrastructure. Law
enforcement agencies are challenged by the need to train officers
to collect digital evidence and keep up with rapidly evolving
technologies such as computer operating systems.
Processing of evidences and preparations of report :-
Digital evidence is volatile and fragile and the improper handling
of this evidence can alter it. Because of its volatility and fragility,
protocols need to be followed to ensure that data is not modified
during its handling. These protocols delineate the steps to be
followed when handling digital evidence. There are four phases
involved in the initial handling of digital evidence:
identification, collection, acquisition, and preservation. There
are protocols for collecting volatile evidence. Volatile
evidence should be collected based on the order of volatility; that
is, the most volatile evidence should be collected first, and the
least volatile should be collected last.
Identification
In the identification phase, preliminary information is obtained
about the cybercrime case prior to collecting digital evidence.
This preliminary information is similar to that which is sought
during a traditional criminal investigation. The answers to these
questions will provide investigators with guidance on how to
proceed with the case. For example, the answer to the question
"where did this crime occur?" (that is, within or outside of a
country's borders) will inform the investigator on how to proceed
with the case. In the identification phase, cybercrime investigators
use many traditional investigative
Before digital evidence collection begins, the investigator must
define the types of evidence sought. Digital evidence can be found
on digital devices, such as computers, external hard drives, flash
drives, routers, smartphones, tablets, cameras, smart televisions,
Internet-enabled home appliances (e.g., refrigerators and washing
machines), and gaming consoles (to name a few), as well as public
resources (e.g., social media platforms, websites, and discussion
forums) and private resources (e.g., Internet service providers'
logs of user activity, communication service providers' business
records, and cloud storage providers' records of user activity and
content).
Collection
With respect to cybercrime, the crime scene is not limited to the
physical location of the digital devices used in the commission of
the cybercrime and/or that were the target of the cybercrime. The
cybercrime crime scene also includes the digital devices that
potentially hold digital evidence, and spans multiple digital
devices, systems, and servers. The crime scene is secured when
a cybercrime is observed, reported, and/or suspected. The first
responder identifies and protects the crime scene from
contamination and preserves volatile evidence by isolating the
users of all digital devices found at the crime scene (e.g., holding
them in a separate room or location). In addition to digital
devices, other relevant items should be collected as well. The
actions taken by the investigator during the collection of evidence
should be documented. Each device should be labelled (along
with its connecting cables and power cords), packaged, and
transported back to a digital forensics laboratory. Once the items
are transported to the laboratory, they are "inventoried, recorded,
and secured in a locked room…away from extreme temperatures,
humidity, dust, and other possible contaminants".
Acquisition
Different approaches to performing acquisition exist. The
approach taken depends on the type of digital device. For
example, the procedure for acquiring evidence from a computer
hard drive is different from the procedure required to obtain digital
evidence from mobile devices, such as smartphones. Unless live
acquisition is performed, evidence is extracted from the seized
digital devices at the forensic laboratory (i.e., static acquisition).
At the forensics laboratory, digital evidence should be acquired in
a manner that preserves the integrity of the evidence (i.e.,
ensuring that the data is unaltered); that is, in a forensically
sound manner.
Preservation
Evidence preservation seeks to protect digital evidence from
modification. The integrity of digital evidence should be
maintained in each phase of the handling of digital evidence
(ISO/IEC 27037). First responders, investigators, crime scene
technicians, and/or digital forensics experts must demonstrate,
wherever possible, that digital evidence was not modified during
the identification, collection, and acquisition phases; the ability to
do so, of course, depends on the digital device (e.g., computers
and mobile phones) and the circumstances encountered by them
(e.g., the need to quickly preserve data). To demonstrate this, a
chain of custody must be maintained. The chain of custody is "the
process by which investigators preserve the crime (or incident)
scene and evidence throughout the life cycle of a case. It includes
information about who collected the evidence, where and how the
evidence was collected, which individuals took possession of the
evidence, and when they took possession of it". In the chain of
custody, the names, titles, and contact information of the
individuals who identified, collected, and acquired the evidence
should be documented, as well as any other individuals the
evidence was transferred to, details about the evidence that was
transferred, the time and date of transfer, and the purpose of the
transfer.
Analysis and Reporting
In addition to the handling of digital evidence, the digital forensics
process also involves the examination and interpretation of digital
evidence (the analysis phase) and the communication of the
findings of the analysis (the reporting phase). During the analysis
phase, digital evidence is extracted from the device, data is
analysed, and events are reconstructed. Before the analysis of
the digital evidence, the digital forensics analyst in the laboratory
must be informed of the objectives of the search and provided
with some background knowledge of the case and any other
information obtained during the investigation that can assist the
forensics analyst in this phase (e.g., IP addresses or MAC
addresses).
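The Chain of Custody paragraph earlier and the preservation phase here both come down to two checks an examiner must be able to make at any later date: the image hash must still match the hash taken at acquisition, and the possession record must have no gaps. As an added example (my own code, not from the notes, ISO/IEC 27037 or any case-management product), the following Python keeps a hash-linked handoff ledger for one evidence image and flags a changed image, an altered ledger entry, and a handoff whose sender is not the previous receiver. The evidence id, the names, the timestamps and the ledger layout are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timedelta, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record for one evidence image.

    Every entry carries the hash of the previous entry, so editing or removing
    an earlier handoff changes every later entry hash and verification fails.
    """

    GENESIS = "0" * 64

    def __init__(self, evidence_id: str, image: bytes, acquired_by: str, at: datetime):
        self.evidence_id = evidence_id
        self.image_hash = sha256_hex(image)   # hash taken when the image is created
        self.entries: list[dict] = []
        self._append("acquire", acquired_by, acquired_by, at, "image created and hashed")

    @staticmethod
    def _hash_entry(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def _append(self, action: str, holder_from: str, holder_to: str,
                at: datetime, purpose: str) -> None:
        entry = {
            "evidence_id": self.evidence_id,
            "action": action,
            "from": holder_from,
            "to": holder_to,
            "at": at.isoformat(),
            "purpose": purpose,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else self.GENESIS,
        }
        entry["entry_hash"] = self._hash_entry(entry)
        self.entries.append(entry)

    def transfer(self, holder_from: str, holder_to: str, at: datetime, purpose: str) -> None:
        """Record a handoff; on paper both parties sign this same line."""
        self._append("transfer", holder_from, holder_to, at, purpose)

    def verify(self, image_now: bytes) -> list[str]:
        """Return a list of problems; an empty list means the custody record holds."""
        problems = []
        if sha256_hex(image_now) != self.image_hash:
            problems.append("image hash does not match the acquisition hash")
        prev_hash = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != prev_hash or self._hash_entry(e) != e["entry_hash"]:
                problems.append(f"entry {i}: ledger entry altered or out of sequence")
            prev_hash = e["entry_hash"]
            if i == 0:
                continue
            p = self.entries[i - 1]
            if e["from"] != p["to"]:
                problems.append(f"entry {i}: possession gap ({p['to']} handed off, "
                                f"{e['from']} signed)")
            if datetime.fromisoformat(e["at"]) < datetime.fromisoformat(p["at"]):
                problems.append(f"entry {i}: handoff timestamp precedes the previous one")
        return problems


def demo() -> tuple[list[str], list[str], list[str], list[str]]:
    """Constructed scenario: clean ledger, altered entry, changed image, missing handoff."""
    image = b"constructed evidence image bytes\x00" * 64
    t0 = datetime(2024, 1, 5, 9, 0, tzinfo=timezone.utc)
    log = CustodyLog("EV-0001", image, "first responder", t0)
    log.transfer("first responder", "evidence custodian", t0 + timedelta(hours=2), "transport to lab")
    log.transfer("evidence custodian", "forensic analyst", t0 + timedelta(days=1), "analysis")
    clean = log.verify(image)

    # Someone edits the middle entry after the fact: the hash chain exposes it.
    log.entries[1]["to"] = "unknown courier"
    tampered = log.verify(image)
    log.entries[1]["to"] = "evidence custodian"   # restore for the next check

    # The image bytes changed at some point, so the analysis is of something else.
    changed = log.verify(image + b"!")

    # A handoff nobody recorded: the custodian never signed for it.
    log2 = CustodyLog("EV-0002", image, "first responder", t0)
    log2.transfer("evidence custodian", "forensic analyst", t0 + timedelta(hours=3), "analysis")
    gap = log2.verify(image)
    return clean, tampered, changed, gap


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "changed", "gap"), demo()):
        print(f"{label}: {result or 'OK'}")
```

Hashing the image at acquisition and re-hashing before analysis is the "forensically sound" check the notes mention; the linked entry hashes are what turns a pile of forms into a record that cannot be quietly rewritten after the fact.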

Data Recovery:
Disk Geometry:- If you’re planning an Exchange infrastructure,
or even if you have already implemented it, one of the must-reads
is undoubtedly Optimizing Storage for Exchange Server 2003. In
this fine document you can read:
“Disk subsystem bottlenecks cause more performance problems
than server-side CPU or RAM deficiencies, and a poorly
designed disk subsystem can leave your organization vulnerable
to hardware malfunctions.”
This is so true! As memory chips become cheaper and
consolidation dictates more users per server, the disk subsystem
turns into the main cause of performance problems.
The key to a system without problems is proper planning and
design. Of course there’s always some tweaking you can do,
preferably before going live with the system.
Realigning the hard disk is one of these things, which can lead to
a significant performance improvement.
Hard Disk Basics
Hard disks are organized as a concentric stack of platters. The data is
stored on concentric circles on the surfaces known as tracks.
Sections within each track are called sectors. A sector is the
smallest physical storage unit on a disk and typically it will hold
512 bytes of data.
The disk itself can’t handle smaller amounts of data than one
sector. Electromagnetic read/write heads are positioned above
and below each platter. As the platters spin, the drive heads
move in toward the center surface and out toward the edge. In
this way, the drive heads can reach the entire surface of each
platter.
Reading from 2 tracks implies a realignment of the reading
heads, thus it takes longer than reading a single track.
The Theory
Microsoft provides a tool, DiskPar, which allows you to align the
partition’s starting sector with the disk track boundaries.
For partitions created by Windows 2000 and Windows Server
2003, the default starting sector for disks that have more than 63
sectors per track is the 64th sector.
Because Windows will read blocks of 4 KB (8 sectors), one out of
every eight blocks of data written to your disk will span two disk
tracks (assuming 64 sectors per track).
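An added example (my own code, not from the Exchange document the notes quote) that reproduces the one-in-eight figure and shows what moving the starting sector does to it. The function names are mine; the 8-sector block, the 64-sector track and the 64th-sector default start are the assumptions stated above.

```python
from __future__ import annotations


def track_spanning_blocks(start_sector: int, sectors_per_track: int,
                          block_sectors: int = 8, blocks: int = 64) -> int:
    """Count how many consecutive file-system blocks, the first one starting at
    start_sector, straddle a track boundary. Windows' 4 KB block is 8 sectors."""
    crossings = 0
    for k in range(blocks):
        first = start_sector + k * block_sectors
        last = first + block_sectors - 1
        if first // sectors_per_track != last // sectors_per_track:
            crossings += 1
    return crossings


def spanning_fraction(start_sector: int, sectors_per_track: int,
                      block_sectors: int = 8, blocks: int = 64) -> float:
    """Share of blocks that need two track reads instead of one."""
    return track_spanning_blocks(start_sector, sectors_per_track,
                                 block_sectors, blocks) / blocks


def best_start(sectors_per_track: int, block_sectors: int = 8, blocks: int = 64) -> int:
    """Brute-force the starting sector (1..sectors_per_track) with the fewest
    straddling blocks; ties go to the smallest sector. On a 64-sector track
    that is a multiple of 8, which is what DiskPar lets you set."""
    return min(range(1, sectors_per_track + 1),
               key=lambda s: (track_spanning_blocks(s, sectors_per_track,
                                                    block_sectors, blocks), s))


if __name__ == "__main__":
    # The case from the text: partition starts at the 64th sector (LBA 63).
    print("default start 63:", spanning_fraction(63, 64))        # 0.125, one in eight
    print("aligned start 64:", spanning_fraction(64, 64))        # 0.0
    print("best start on a 64-sector track:", best_start(64))     # 8
```

With the default 64th-sector start exactly one block in eight straddles a track; starting one sector later removes every crossing. The same function also shows why the tool does not help every layout: on the BIOS-style 63-sector track no start avoids straddling, because 63 is not a multiple of 8, which is part of why the text tells you to check with the hardware vendor first.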
DiskPar can increase disk performance as much as 20 percent,
but you should always consult your hardware vendor before
using this tool (I’ll discuss why next).
Some disk configurations will have no benefit from the tool.
The Real World
If you imagine the surface of a disk platter,
considering a constant number of sectors per track and knowing
that track lengths increase the farther a track resides from the
center of the disk (they are concentric circles), it’s not hard to
conclude that the outer data sectors are longer than the inner
data sectors.
This means that the outer tracks are greatly underutilized,
because in theory they can hold many more sectors given the
same linear bit density.
In order to increase capacity and eliminate this wasted space, a
technique called zone bit recording (ZBR) is employed on modern
hard disks. With this technique, tracks are grouped into zones
based on their distance from the center of the disk, and each
zone is assigned a number of sectors per track.
Data Recovery Procedures :-
1. Stop using all affected devices
The moment you realize that
you’ve suffered a data loss incident, you need to stop using all
affected devices. In some cases, it’s possible to restore lost data
from your hard drive before it’s overwritten — but the risk of
overwriting is high if you keep using the disk. If your data loss has
been caused by an incident like fire or flooding, you’ll need to
stop using the equipment until it’s been inspected and declared
safe by a professional. Never attempt a DIY job after serious
damage — you’ll only risk your own safety and reduce the
chance of successful data recovery.
2. Record details on what happened
Knowing exactly what
caused your data loss is essential if you want to choose the right
recovery method. As much knowledge as possible will also make
it easier to prevent the same thing from happening in the future.
Make notes on the circumstances surrounding the incident,
including as much detail as you can.
Consider things such as:
• Have you recently made changes to your IT system?
• Is there a new employee accessing your data?
• Was your building affected by extreme weather, as is common
in Florida?
• Is there any building work taking place in your office?
The most insignificant details might provide important clues, so
don’t leave anything out.
3. Decide which data recovery method to use
Once you’ve
ascertained exactly what caused the data loss, it’s time to work
on getting your data back. If you’ve been creating regular
backups, the easiest solution is to restore your data from these
backups. However, if you don’t have a backup solution in place,
you’ll need to look at alternative methods like disk recovery. You
can attempt disk recovery on your own by downloading specialist
software, or you can get help from a professional. For equipment
that’s been damaged by water, fire, or other environmental
factors, you’ll need help from a recovery specialist. The details
you collected in the previous step will come in handy at this point.
4. Contact an IT professional for support
Once you know what
caused your data loss and which recovery method is most
appropriate, you may decide to contact an IT professional for
support. Even in cases where you could attempt recovery
yourself, it’s always safer to get expert help — particularly if
you’ve lost large amounts of important data. A failed attempt at
recovery could do more harm, which means extra costs further
down the line.
5. Prevent future data incidents
Once you’ve recovered as much
data as you can, it’s important to think about lessons learned.
Look at the factors that caused the loss and take steps to prevent
the same thing from happening again. If there’s a vulnerability in
your system, bring in experts to increase your security. If your
equipment was damaged by environmental factors, look into
backing your data up offsite (perhaps in another state altogether).
If you’re struggling to protect your data, consider investing in
managed IT services.
Recovery of Internet Usage Data:-
Enterprise data recovery is the process of restoring lost,
corrupted, accidentally deleted, or otherwise inaccessible data to
its server, computer, mobile device, or storage device (or to a
new device if the original device no longer works). Typically, the
data is restored from a backup copy that is stored in another
location. The more recent the backup copy, the more completely
the data can be recovered in the event of loss or damage. For
any business, successful data recovery—data recovery that
prevents a greater-than-tolerable loss of data or discontinuity of
business due to loss of data— requires the business to have a
backup and restore plan that meets specific data recovery
objectives, usually as part of a larger disaster recovery plan. The
term ‘data recovery’ can also refer to the following:
• Software designed to ‘undelete’ files a user may have
accidentally deleted by restoring system formatting to those files.
• Specialized services for physically recovering data from
damaged disks.
• Restoring data to a mobile device from a cloud-based backup,
such as iCloud. This article, however, will focus on enterprise
data recovery.
Backup plan
Data loss due to human error
remains more prevalent than data destruction due to natural or
man-made disasters or criminal activities such as ransomware
attacks. Your enterprise should, however, be prepared for any
data loss that can disrupt critical business applications or
operations, no matter what the cause. A comprehensive backup
and recovery solution should be in place to protect every piece of
data worth saving, wherever it resides.
Backups may cover the following:
• Servers: Both on-premises physical servers and virtual or
cloud-hosted servers may need to be backed up regularly or
continuously.
• Storage area networks (SANs) and other shared storage
resources: This can include block, object, and file storage.
• Endpoint devices: These may include desktop and laptop
computers, workstations, and tablet and mobile devices. For
these device types, individual hard drives will have to be restored.
In addition to files, there are certain types of data you need to
back up:
• Applications and their associated data
• Databases and any associated data structures, formats, tags,
or metadata
• System data, including operating system (OS) and application
configurations
• Runtimes, including virtual machines (VMs) and containers
Recovery point objective and recovery time objective
Recovery point objective, or RPO, is essentially the age of the oldest
backup you can tolerate. RPOs will vary depending on the data,
the application, the industry, or a combination of these and other
factors.
For example, the email system at a coffee shop might be able to
tolerate a 24-hour RPO, whereas the email system at a hospital,
a bank, or some other highly regulated business may require
RPOs measured in minutes. At a brokerage, where each trade
could be worth millions, a trading system might have an RPO
measured in seconds—or less. Recovery time objective, or RTO,
is the longest amount of downtime you can afford. The checkout
at your local bookstore might have an RTO of hours or days,
because downtime might cost USD 100 per hour.
An online store might have an RTO measured in seconds,
because each second of downtime might mean hundreds of
thousands of dollars in lost business. RPO and RTO will
determine the frequency, method, and even the location of your
backups. An application with an RPO and RTO measured in hours might
be able to get by with nightly backups to any third-party cloud
provider. An application with an RPO and RTO measured in
seconds (or less) might require continuous data replication or
even fully redundant systems hosted at a nearby location that
can take over immediately and seamlessly in the event of any data
loss or system problems. Any data recovery service provider you
work with should provide a service level agreement (SLA)
detailing the RPOs and RTOs they are able to achieve, the
security controls they have in place, and the safeguards against
data loss they’ve established.
Your contract should specify the site or sites where your backups
will be stored and should indicate how the provider will comply
with any regulations in your industry.
Cloud data recovery solutions
Cloud backup and recovery
solutions are increasingly popular among consumers and
enterprises alike, but they’re especially useful when businesses
have to back up large amounts of data (such as the contents of
an entire data center) and want to reduce their infrastructure
expense and administrative burden.
Cloud backup and recovery preserves copies of data in a
secondary, offsite storage location. The cloud provider offers
access to the storage—and, possibly, additional managed
backup and recovery services— on a subscription basis with
pricing based on storage volume and/or bandwidth usage.
Secure data recovery
The security of your data backups depends
on two major things:
• Encryption of backup files in transit and at the backup storage
site.
• Physical security, user authentication, and access controls at
the backup storage site. If your industry has regulations
governing data privacy and security, you’ll want to make sure
your backup tools, processes, or service providers comply with
those regulations (if you work with a service provider, ask for
certification of compliance).
Recovery of Swap Files/Temporary Files/Cache Files :-
Even when such files have been deleted, they can be recovered
months or years later using readily available forensics tools.
When a person “deletes” a file on a home computer, the data
contained in the file does not actually disappear; rather, that data
remains on the hard drive until it is overwritten by new data.
Therefore, deleted files, or remnants of deleted files, may reside
in free space or slack space — that is, in space on the hard drive
that is not allocated to an active file or that is unused after a file
has been allocated to a set block of storage space — for long
periods of time before they are overwritten. In addition, a
computer’s operating system may also keep a record of deleted
data in a swap or recovery file. Similarly, files that have been
viewed via the Internet are automatically downloaded into a
temporary Internet directory or cache. It would be frustrating if you
mistakenly deleted a temp file. It is very easy to get it back if you
haven't erased it from the recycle bin or trash. What if you have
already emptied the recycle bin? Don't worry, you can still
recover permanently deleted temporary files using data recovery
software like Wondershare Recoverit.
Recover lost or deleted document files, photos, videos, music,
emails from any storage device effectively, safely and completely.
Restore files from all kinds of storage media like emptied recycle
bin, USB Drive, SD cards, SSDs, HDDs, Floppy Disks, Pen Drive,
etc. Supports recovering data for sudden deletion, formatting,
hard drive corruption, virus attack, and system crash under
different situations. Preview files before you recover them. No
payment is required if the files are unrecoverable.
Step 1: Select the File Location
Launch Recoverit on your computer. Select the location where you
have deleted the files under the Hard Drives and Locations tab.
Step 2: Scan the Location
Recoverit will start an all-around scan automatically. You only
need to wait for seconds or minutes depending on the total file
size. Meanwhile, you can see the real-time scanning results on
the interface, so you can check the result at any time. The
different ways to filter, select, and pinpoint the files help you find
the desired files easily.
Step 3: Preview and Recover
After reviewing the files and confirming they are what you want,
you can now get them all back by clicking the Recover button.
A temporary file, temp file, or a foo file is the one that is created
by the operating system or program while the program is running
or being created or modified. These temporary files are usually
deleted once the program is ended. However, if the temp file is
not deleted automatically, you can delete them for freeing some
space on your device.
Recovery Cache Files :-
Most devices have some form of cache cleanup. New data
comes in, and older information is removed. This system ensures
that your device isn't bogged down by so much storage that it
can't tackle anything new. But you might choose to clear cache
too. Common reasons for doing so include:
• Speed and performance. A full cache needs memory, and if
you're full, a bogged down memory doesn't work very quickly.
Clearing the backlog could make your device work quicker.
• Hacking cleanup. After an attack, developers can restore a
website to working order. If you have a cached version of the
broken site on your device, launching it again could mean still
launching the attack. A compromised site cache like this can be
very dangerous.
• Protecting privacy. Someone logging into your device can see
where you've gone and what you've done by looking over your
cached data. If you're using a public device, like a computer in a
library, your cache could be the gateway to an attack.
Recovery-Formatted Partition Recovery :-
Circumstances leading to corruption of partition information
(tables) include faulty
disk sectors, a component failure on the disk logic board,
attempts to edit the partition tables by unskilled users and
reformatting procedures. As always in data recovery procedures,
no attempt should ever be made to repair or recover partition
information from the disk in question. An exact electronic replica
of all content on the disk must be made, and all work performed
on that. If you’ve experienced a computer disaster and deleted or
lost critical data, chances are we can recover it. We are data
recovery specialists and regularly recover deleted files following
computer disasters such as:
• Files have been accidentally or maliciously deleted, or files are
corrupted.
• Hard disk has failed due to power supply spike or head crash.

• Operating system has been reinstalled, or different operating


system has been installed.
• Disk has been formatted, or disk overwritten with Ghost image.
• Damaged or deleted partition/s, damaged or deleted MBR.
• Bad sectors occur on critical portions of disk, or FAT tables are
damaged or deleted.
• Or similar. If this has happened to you contact us straight away.
But before anything else do the following…
• Immediately power off the computer containing the lost data.
Switch the power off or remove the power cable. Do not use the
Windows shutdown procedure. • Do not attempt any further
procedures on your disk, and don’t let anyone try to help no
matter what tools they may want to use. Data recovery is a highly
specialised science and any further activity on the disk can
significantly add to the complexity of the data recovery process.
• Under no circumstances run Scandisk or similar software that
purports to be able to repair your file system. Use of these
programs can often complicate the data recovery process!
• Contact us on 0800 LOST FILES (0800 5678 34) anytime for
further advice.
• If a desktop PC, have the hard disk or other media removed
from your PC by a competent computer professional. Place it in
an antistatic bag u0026amp; package this in a box with at least
10cm of protective material. Once we have received the drive, we
will analyse it to determine how corrupt or damaged it is, and
decide what the appropriate recovery procedure/s will be.
We will then provide you with a quotation to recover your data.
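The "exact electronic replica" this section insists on is a verified forensic image: acquire once, hash both sides, and work only on the copy. The following is an added example, not from these notes or from any recovery vendor; it uses dd and SHA-256 in POSIX shell, a constructed 64 KiB file stands in for the suspect disk, and the device path and write blocker for real media are assumptions.

```shell
#!/bin/sh
# Added example, not from the notes: image a suspect disk once, then
# verify the copy hash-for-hash so all recovery work happens on the
# replica. A constructed 64 KiB "disk" file stands in for real media;
# for a physical drive, pass its device path (behind a write blocker).
set -eu

# Build the constructed sample disk: random content with a recognisable
# label at offset 512, sized as a whole multiple of the 4 KiB block below.
make_sample_disk() {
    head -c 65536 /dev/urandom > "$1"
    printf 'CONSTRUCTED-PARTITION-LABEL' |
        dd of="$1" bs=1 seek=512 conv=notrunc 2>/dev/null
}

# Acquire: noerror continues past unreadable blocks and sync pads them
# with zeros so later offsets stay aligned; dd's messages, including any
# read errors, are kept in a log beside the image for the case record.
acquire_image() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>"$2.log"
}

# SHA-256 of a file, with a fallback for systems lacking sha256sum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare source and image digests; exit status 0 only on a match. The
# recorded image hash lets later tampering with the copy be detected.
verify_image() {
    src=$(sha256_of "$1"); img=$(sha256_of "$2")
    printf '%s  %s\n' "$img" "$2" > "$2.sha256"
    printf 'source %s\nimage  %s\n' "$src" "$img"
    [ "$src" = "$img" ]
}

# Stand-alone demonstration in a temporary directory.
main() {
    work=$(mktemp -d)
    make_sample_disk "$work/suspect.bin"
    acquire_image "$work/suspect.bin" "$work/suspect.img"
    verify_image "$work/suspect.bin" "$work/suspect.img" && echo "image verified"
    rm -rf "$work"
}
main
```

Re-running verify_image against the stored .sha256 value at any later point shows whether the working copy has changed since acquisition.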
Data Recovery Tools :-
Data recovery tools are software applications intended to retrieve and restore data that has been lost or damaged. They are used when files have been accidentally deleted, formatted, or lost through hardware malfunction, virus attack, or other causes. Data recovery software can recover both user-stored and system-created data, files, and folders, and is typically used by IT support staff and service providers. This type of software can access the underlying structure of a hard disk, allowing it to retrieve data from damaged storage devices or deleted files and folders by reading the file system's structure records and entries. Before we list our best data recovery tools, it is important to understand the "why" behind a selection. Choosing the right data recovery solution for your requirements can be daunting, so here are five key parameters that should help you select the best one.
• Performance and versatility: Learn first-hand which file types a rescue tool can recover (file type support) and whether it also supports recovery from external storage devices (file system support), such as external HDDs or USB flash drives. Nowadays most data is stored on external hard drives, and a rescue tool that cannot recover from them may be a letdown.
• Speed: If you have lost data, you will most likely want a recovery program that restores it quickly; nobody wants to sit in front of a computer for hours waiting for a request to be processed. High-speed scanning is usually an option in good data recovery tools, and some also offer targeted scanning that focuses on a single file.
• Features: Good data recovery tools should be adaptable, simple to use, and offer features that set them apart from their competitors. When searching for a recovery program, check for capabilities such as previewing deleted files before recovery, recovering only specified files, and recovering data from devices that are failing, partially unreadable, or have lost a partition.
• User reviews: A good recovery tool will have an active user community, which often raises concerns about the dependability and usefulness of the software. A robust file recovery program is of little use if there is no user community behind it.
• Pricing: After carefully considering all these factors, the next step is to select the best recovery solution for your budget. The selection process should be designed around your most pressing requirements; spending a lot on an expensive product only to discover that you are not using it to its full potential is a waste of money.
Computer Ethics :-
The dictionary defines ethics as the moral principles that govern the behaviour of a group or individual. But not everyone in society chooses to live a completely moral life. Ethics are in practice the unwritten code of conduct that every individual should follow; such codes are considered correct only by the members of that particular profession. Similarly, for computer users, computer ethics is a set of principles that regulates the use of computers.
Computer ethics addresses issues related to the misuse of computers and how it can be prevented. It primarily calls for the ethical use of computing resources, including measures against the unauthorized distribution of digital content. The core issues in computer ethics concern the use of the internet, internet privacy, copyrighted content, software and related services, and user interaction with websites. The Internet has changed our lifestyle and become a part of our lives. It allows us to communicate with a person in another part of the world, collect information on any topic, meet socially, and carry out many other activities. But at the same time, some people are always trying to cheat or harm others.
Advantages of using the internet:
• The Internet offers the ability to communicate with a person in any part of the world.
• We can easily collect information on any topic from the world wide web.
• Various types of business are carried out over the Internet, which is referred to as e-commerce. Everything from booking railway tickets, flights, or movie tickets to purchasing any type of merchandise or commodities is possible via the Internet.
• The Internet allows social networking, that is, it lets us share our information, emotions, and feelings with friends and relatives.
Disadvantages of using the internet:
• Some people try to obtain personal information (such as bank details, addresses, and contact details) over the Internet and use it for unethical gain.
• Malware and viruses quickly gain access to networks and end up harming personal computers (PCs) or computers connected to the network.
• Some people run deceitful businesses over the Internet, and ordinary people very often become their victims.
• People use the internet for cyberbullying, trolling, and so on.
Internet Security :-
The internet is an insecure channel for exchanging information because it carries a high risk of fraud or phishing. Internet security is a branch of computer security specifically concerned with use of the internet, covering browser security and network security. Its objective is to establish measures against attacks over the web. Insufficient internet security can be dangerous: it can lead to anything from a computer system becoming infected with viruses and worms to the collapse of an e-commerce business.
Different methods have been devised to protect the transfer of data over the internet, such as information privacy and staying alert against cyber attacks.
Information Privacy: Information privacy is the privacy or protection of personal information, and refers to personal data stored on a computer. It is an important aspect of information sharing. Information privacy is also known as data privacy or online privacy. Internet privacy involves the right to personal privacy and deals with the storing and displaying of personal information on the internet. In any exchange of personal information over the internet there is always a risk to the safety of that information. Internet privacy is a particular cause for concern when making online purchases, visiting social networking sites, playing online games, or taking part in forums.
Some important terms:
1. Spyware: An application that obtains data without the user's consent.
2. Malware: An application used to illegally harm online and offline computer users.
3. Virus: A small program embedded in a legitimate program and designed to harm your system.
4. Worms: Self-replicating programs that spread across networks by exploiting the poor security of infected computers.
5. Trojan horse: A program that allows attackers to gain remote access to a target system.
General steps to protect our system from risks:
To minimize the risk of internet privacy violations, the following measures need to be taken:
1. Always use preventive software such as anti-virus and anti-malware tools.
2. Avoid exposing personal data on websites with low security levels.
3. Avoid shopping from unreliable websites.
4. Always use strong passwords consisting of letters, numerals, and special characters.
5. Always keep your operating system updated.
6. Always keep the firewall on.
Cyber Ethical Values for Digital Frontier :-
The global web and its digital ecosystem can be seen as tools of
emancipation, communication, and spreading knowledge or as
means of control, fueled by capitalism, surveillance, and
geopolitics. The Digital Frontier interrogates the world wide web
and the digital ecosystem it has spawned to reveal how their
conventions, protocols, standards, and algorithmic regulations
represent a novel form of global power. Sangeet Kumar shows
the operation of this power through the web's "infrastructures of
control" visible at sites where the universalizing imperatives of the
web run up against local values, norms, and cultures. These
include how the idea of the "global common good" is used as a
ruse by digital oligopolies to expand their private enclosures, how
seemingly collaborative spaces can simultaneously be
exclusionary as they regulate legitimate knowledge, how selfhood
is being redefined online along Eurocentric ideals, and how the
web's political challenge is felt differentially by sovereign nation
states. In analyzing this new modality of cultural power in the
global digital ecosystem, The Digital Frontier is an important read
for scholars, activists, academics and students inspired by the
utopian dream of a truly representative global digital network.