Uploaded by Amit Yadav

DIGITAL FORENSICS COURSE
(ICSS) PRAGMATIC EDUCATIONAL SOCIETY
MODULE 2: CYBERCRIMES AND DIGITAL EVIDENCES
DIGITAL FORENSIC ANALYST, ICSS


TOPICS COVERED
• Overview
• Digital evidences and their characteristics.
• Evidences- separating wheat from chaff!
• Sources of evidences
• Types of data: volatile and non-volatile data
• Chain of custody
• Admissibility in the court of law.
WHAT ARE CYBER CRIMES?
Cyber-crimes are not necessarily new crimes, but rather
classic crimes exploiting computing power and
accessibility to information. They are a consequence of
excessive availability and user proficiency of computer
systems in unethical hands. To catch and prosecute
criminals involved with digital crime, investigators must
employ consistent and well-defined forensic procedures.
Cybercrime can be carried out by individuals or
organizations. Some cybercriminals are organized, use
advanced techniques and are highly technically skilled.
Others are novice hackers.
threatmap.checkpoint.com
DEFINING CYBERCRIMES!

• Crimes Against Individuals - These crimes include cyber harassment and stalking, distribution of
child pornography, credit card fraud, human trafficking, spoofing, identity theft, and online libel
or slander.
• Crimes Against Property - Some online crimes occur against property, such as a computer or
server. These crimes include DDoS attacks, hacking, virus transmission, cyber- and typo-squatting,
computer vandalism, copyright infringement, and IPR violations.
• Crimes Against Government - When a cybercrime is committed against the government, it is
considered an attack on that nation's sovereignty. Cybercrimes against the government include
hacking, accessing confidential information, cyber warfare, cyber terrorism, and pirated software.
CYBER CRIMES
• Email and internet fraud.
• Identity fraud (where personal information is stolen and used).
• Theft of financial or card payment data.
• Theft and sale of corporate data.
• Cyberextortion (demanding money to prevent a threatened attack).
• Ransomware attacks (a type of cyberextortion).
• Cryptojacking (where hackers mine cryptocurrency using resources they do not own).
• Cyberespionage (where hackers access government or company data).
• Interfering with systems in a way that compromises a network.
• Illegal gambling.
• Selling illegal items online.
• Soliciting, producing, or possessing child pornography.
• Infringing copyright.
• Cybercrime involves one or both of the following:
  • Criminal activity targeting computers using viruses and other types of malware.
  • Criminal activity using computers to commit other crimes.
TYPES OF CYBERCRIMES

Cybercriminals devise numerous strategies and programs to attack computers and systems. The
following are various types of cybercrime.

• Fraud - A general term for a cybercrime that aims to deceive a person in order to obtain critical
data or information. It can be done by stealing, destroying, altering or suppressing information to
secure an illegal or unfair gain.
• Hacking – Gaining partial or complete control of functions within a network, a system, or a
website, and accessing significant data and information in breach of privacy. Most hackers target
government and corporate accounts. There are diverse types of hacking procedures and methods.
CONTD.

• Identity Theft – A specific form of fraud in which cybercriminals steal personal data,
including passwords, bank account details, credit card and debit card numbers, social security
numbers, and other sensitive information. Through identity theft, cybercriminals can steal money.
• Scamming - Scams occur in many forms. In cyberspace, scamming can be carried out by
offering computer repair, network troubleshooting, and IT support services, pressuring users to
shell out hundreds in payment for cyber problems that do not even exist.
• PUPs - Potentially Unwanted Programs are less threatening than other cybercrimes, but are a
type of malware. They uninstall necessary software in your system, including search engines and
pre-installed apps. They can include spyware or adware, so it is a good idea to install antivirus
software to avoid the malicious download.
CONTD.

• Computer Viruses - To gain unauthorized access to systems and steal important data,
criminals take advantage of viruses. Typically, highly skilled programmers send malware, viruses,
and Trojans, among others, to infect and destroy systems, computers, and networks. Viruses can
spread through the internet and removable devices.
• Ransomware – One of the most damaging malware-based attacks. It enters your computer
network and encrypts information and files using public-key encryption. In the year 2016,
ransomware affected over 638 million computer networks. Over $5 billion was lost to ransomware
globally in 2017.
RANSOMWARES
CONTD.

Botnets – These are controlled by remote attackers called "bot herders" in order to attack
computers by sending malware or spam. They usually attack governments and businesses, since
botnets specifically target IT infrastructure. Various botnet removal tools are available on the
web to detect and block botnets from entering your system.
CONTD.

Spamming – It uses electronic messaging systems, most commonly email, to send messages that
host malware, fake website links, and other malevolent programs. In recent times, email spamming
has become very common. Unwanted bulk messages from companies, unfamiliar organizations, and
groups are sent to large numbers of users. They offer promos, deals, and other attractive
components to deceive users.
CONTD.

Phishing - A sort of cybercrime in which targets are contacted by email, telephone or text
message by somebody posing as a legitimate institution, to lure individuals into providing critical
sensitive and personal data such as personally identifiable information, banking and credit card
details, and passwords.
https://checkphish.ai/
CONTD.

• Social Engineering – A technique in which cybercriminals make direct contact with you through
phone calls, emails, or even in person. Typically they pose as a genuine company and work to earn
your trust until you hand over your vital information and personal data.
• Malvertising – The technique of filling websites with advertisements carrying malicious code.
Users click these advertisements, thinking they are genuine. Once they click on these ads, they are
redirected to forged websites, or a file carrying malware and viruses is automatically downloaded.
• Cyberstalking – Following a person online secretly. The stalker tracks the victim's online
activities. Most cyberstalking victims are women and children being followed by men.
CONTD.

• Software Piracy - The internet is full of torrents and other malicious programs that unlawfully
duplicate original content, including movies, books, songs, albums, and software. This is a crime
as it amounts to copyright infringement. Due to software piracy, developers and companies suffer
enormous cuts in their income because their products are illegitimately reproduced.
• Cyberbullying – One of the most widespread crimes committed in the virtual world. It is a form
of bullying carried over to the internet. Governments worldwide are aware of this crime and
formulate laws and acts that prohibit the proliferation of cyberbullying.
CONTD.

• Trojan horse attack: A computer Trojan is an apparently harmless program or data containing
malicious or harmful code, which can later gain control and cause damage such as damage to the
file allocation table on the hard disk. Attackers use computer Trojans to trick the victim into
performing a predefined action. Trojans can grant attackers unrestricted access to all the data
stored on the compromised information system, potentially causing severe damage.
• Structured query language (SQL) attack: SQL injection/attack is a technique used to take
advantage of unsanitized input vulnerabilities to pass SQL commands through a web application
for execution by a backend database. In this technique, the attacker injects malicious SQL queries
into a user input form either to gain unauthorized access to a database or to retrieve information
directly from the database.
CONTD.

• Brute-force attack: It is the process of using a software tool or script to guess the login credentials
or keys or discover hidden applications or webpages through a trial-and-error method. A brute-
force attack is performed by attempting all possible combinations of usernames and passwords to
determine valid credentials.
• Denial-of-service (DoS) or Distributed Denial-of-service DDoS attack: A DoS attack is an attack
on a computer or network that reduces, restricts, or prevents access to system resources for
legitimate users. In a DoS attack, attackers flood a victim’s system with nonlegitimate service
requests or traffic to overload its resources and shut down the system, leading to the unavailability
of the victim’s website or at least significantly reducing the victim’s system or network performance.
RULE OF EVIDENCES
According to Matthew Braid, there are five rules of evidence:

• Admissible - The first and foremost rule is that your evidence must be usable in court as evidence.
• Authentic - Evidence must be authentic, relevant and related to the case; you are required to demonstrate in
front of the court that the collected evidence is authentic. Failing to do so means the failure of the investigation.

• Complete or Whole - The court will not accept partial evidence; you should be impartial during your investigation and your
evidence must not show only one perspective of the incident. As Matthew says, it is important to collect evidence that removes
alternative suspects. For instance, if you can demonstrate the attacker was logged in at the time of the incident, you also
need to demonstrate who else was logged in and why you think they didn't do it. This is called exculpatory
evidence and is a vital part of proving a case.

• Reliable - Reliability of the evidence is important, but the process is also important and it should not cast any doubt on the
evidence.

• Believable or Acceptable - The evidence presented in court should be in layman's language, clear and easy to
understand. You should present a well-crafted version of the document with references to the technical document.
SOURCES OF EVIDENCES

Following are a few sources from which evidence might be collected:
• Email
• Hard drive
• GPS devices
• Firewall logs
• Security cameras
• System logs
• Networking equipment
• Social networking websites
• Personal Digital Assistant (PDA)
• Websites that were visited
TYPES OF DIGITAL EVIDENCES

• Volatile Evidences - Data that resides in registers, cache, and random access memory. Volatile
data is easily changed, and therefore we want to make sure we collect it first.
• Non-volatile Evidences - Data, on the other hand, that can be retrieved even after the computer
loses power or is turned off.
VOLATILE EVIDENCES

• System time
• Logged-on user(s)
• Open files
• Network information
• Network connections
• Process information
• Process-to-port mapping
• Cache and cookies
• Process memory
• Network status
• Clipboard contents
• Service/driver information
• Command history
• Mapped drives
• Shares
NON-VOLATILE EVIDENCES

• Hidden files
• Slack space
• Swap files
• Index.dat files
• Metadata
• Hidden ADS (alternate data streams)
• Windows Search index
• Unallocated clusters
• Unused partitions
• Hidden partitions
• Registry settings
• Connected devices
• Event logs
CHAIN OF CUSTODY
What is the chain of custody in computer forensics?
The chain of custody in digital forensics can also be referred to as the forensic link, the paper
trail, or the chronological documentation of digital evidence. It indicates the gathering, sequence
of control, transfer, and analysis. It also documents everybody who handled the digital evidence,
the date/time it was collected or transferred, and also the purpose for the transfer.
Why is it important to maintain the chain of custody?
It is important to maintain the chain of custody to preserve the integrity of the electronic
evidence and protect it from contamination, which might alter the state of the electronic
evidence. If not preserved, the electronic evidence presented in court may be challenged and
ruled inadmissible.
PROCEDURE TO ESTABLISH CHAIN OF
CUSTODY
• Save the original materials. Always work on imaged data.
• Take photos of physical electronic evidence.
• Take screenshots of electronic evidence content.
• Document the date, time, and other details of receipt.
• Load a bit-for-bit clone of the digital evidence content onto the forensic workstation.
• Perform a hash comparison to further authenticate the working clone against the original.
The chain of custody procedure might differ, depending on the jurisdiction within which the
electronic evidence resides, but the steps are mostly identical to the ones outlined above.
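The steps above, carried through as an added Python example that is not part of the course material: a baseline SHA-256 hash is taken when the item is collected, a bit-for-bit working clone is made and hashed, every hand-over is logged with the handler, timestamp, purpose and current hash, and the clone is authenticated by comparing its hash with the baseline. The record layout, the function names, the sample "image" bytes and the timestamps are constructed assumptions for illustration; a real workflow would hash the raw image file and store the log outside the analyst's control.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class CustodyEntry:
    """One line of the chronological record: who did what to the evidence, when, and why."""
    timestamp: str   # ISO 8601 string supplied by the handler (constructed values in custody_demo())
    handler: str
    action: str      # "collected", "imaged", "transferred", ...
    purpose: str
    sha256: str      # hash of the evidence as it stood at this step


@dataclass
class EvidenceRecord:
    item_id: str
    description: str
    reference_hash: str                  # hash taken at collection; baseline for every later check
    entries: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    """Hash used to authenticate a working clone against the original."""
    return hashlib.sha256(data).hexdigest()


def collect(item_id, description, original: bytes, handler, timestamp) -> EvidenceRecord:
    """Preserve the original and document its receipt together with a baseline hash."""
    ref = sha256_hex(original)
    rec = EvidenceRecord(item_id, description, ref)
    rec.entries.append(CustodyEntry(timestamp, handler, "collected", "seized at scene", ref))
    return rec


def make_working_clone(rec, original: bytes, handler, timestamp) -> bytes:
    """Bit-for-bit copy that analysts work on; the original is not touched again."""
    clone = bytes(original)
    rec.entries.append(CustodyEntry(timestamp, handler, "imaged",
                                    "create working clone", sha256_hex(clone)))
    return clone


def verify_clone(rec, clone: bytes) -> bool:
    """The clone is authentic only if its hash equals the collection-time hash."""
    return sha256_hex(clone) == rec.reference_hash


def transfer(rec, clone: bytes, from_handler, to_handler, timestamp, purpose) -> None:
    """Record a hand-over, hashing the evidence again so a dispute can be pinned to one step."""
    rec.entries.append(CustodyEntry(timestamp, f"{from_handler} -> {to_handler}",
                                    "transferred", purpose, sha256_hex(clone)))


def custody_is_intact(rec) -> bool:
    """Every logged hash must equal the baseline; any mismatch means the evidence was altered."""
    return all(e.sha256 == rec.reference_hash for e in rec.entries)


def first_divergence(rec):
    """Index of the first entry whose hash differs from the baseline, or None if none does."""
    for i, e in enumerate(rec.entries):
        if e.sha256 != rec.reference_hash:
            return i
    return None


def custody_demo() -> dict:
    # Constructed sample "disk image"; in practice this would be the raw image file's bytes.
    original = b"constructed sample image: not real evidence"
    rec = collect("EXH-001", "USB drive image (constructed)", original,
                  "Analyst A", "2024-01-10T09:00:00Z")
    clone = make_working_clone(rec, original, "Analyst A", "2024-01-10T09:30:00Z")
    transfer(rec, clone, "Analyst A", "Analyst B", "2024-01-11T08:00:00Z", "malware analysis")
    # One byte altered on the clone, e.g. a file opened in write mode by mistake.
    tampered = clone[:-1] + b"!"
    transfer(rec, tampered, "Analyst B", "Analyst C", "2024-01-12T08:00:00Z", "report writing")
    return {
        "clone_authentic": verify_clone(rec, clone),
        "tampered_authentic": verify_clone(rec, tampered),
        "custody_intact": custody_is_intact(rec),
        "first_divergence": first_divergence(rec),
        "entries": len(rec.entries),
    }


if __name__ == "__main__":
    for key, value in custody_demo().items():
        print(f"{key}: {value}")
```

Because each transfer re-hashes the evidence, the log does not merely say that something changed: first_divergence points at the exact hand-over after which the hash stopped matching, which is what an examiner needs when the admissibility of the clone is challenged.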
ADMISSIBILITY IN THE COURT OF THE LAW

• Under Section 65A of the Evidence Act, the contents of electronic records have to be proved
as evidence in accordance with the requirements of Section 65B. Both Sections 65A and 65B
were inserted through the Indian Evidence (Amendment) Act, 2000. It was clarified that, as
Section 65B begins with a non-obstante clause, it forms a complete code for the admissibility
of electronic evidence.
• It is also important to refer to Section 62 and Section 63 of the Evidence Act. Section 62
defines the term 'primary evidence', which means the document itself that is produced
before the Court. Under Section 63, secondary evidence includes copies made from the
original, certified copies, oral accounts of the contents of a document, etc.
ANY DOUBTS?
