NCSAM 2024

1
CYBER SECURITY TECHNICAL
DOCUMENT

VERSION 1.0

2
 Index

Sr no. Topics Page No.

1 SQL Injection 04 - 09

2 Broken Access Control 10-14

3 OSINT 15 - 19

4 Reverse Image Search 20 - 22

5 Reverse Engineering 23 - 26

6 PHP Deserialization 27 - 30

7 Phishing 31 - 34

8 Memory Forensics 35 - 39

9 Disk Forensics 40 - 44

10 Quishing 45 - 47

11 JWT Token 48 - 52

12 CSRF Token 53 - 56

13 Network Analysis 57 - 60

14 PCAP Analysis 61 - 65

15 Magic Bytes 66 - 68

3
 SQL Injection
1. What is SQL Injection?

SQL Injection (SQLi) is a code injection technique that exploits vulnerabilities in a web
application’s software by manipulating SQL queries. Attackers can retrieve or modify the
database contents and, in some cases, even execute administrative operations.

2. Types of SQL Injection

● Classic SQL Injection: Injection via user input fields.

● Blind SQL Injection: No direct feedback from the application; attackers infer results
based on the application’s behavior.
● Time-Based Blind SQL Injection: Inference is made based on the time it takes the server
to respond.
● Error-Based SQL Injection: Exploits detailed error messages.
● Union-Based SQL Injection: Uses the UNION operator to combine the result of two or
more queries into a single result set.

4
3. Common SQL Injection Payloads

a. Basic SQL Injection

' OR '1'='1' -- (Bypass login forms)

admin' -- (Logging in as admin)

b. Error-Based SQL Injection

' UNION SELECT null,null,null -- (Discover the number of columns)

5
 ' UNION SELECT username, password FROM users -- (Dump data from a table)

c. Blind SQL Injection

1' AND SLEEP(5) -- (Time-based blind SQL injection)

1' AND (SELECT IF(SUBSTRING(password,1,1)='a',SLEEP(5),0))-- (Inferring

6
 character-by-character)

4. SQL Injection Techniques

a. Bypassing Authentication

' OR '1'='1':-

Bypasses login forms by manipulating the WHERE clause of the SQL query.

b. Union Attack

' UNION SELECT column1, column2 FROM users --

Combines multiple SELECT statements to extract data.

c. Extracting Database Information

● To discover the database version:

7
' UNION SELECT @@version --

● To discover all databases:

' UNION SELECT schema_name FROM information_schema.schemata --

5. SQL Injection Prevention

➔ Parameterized Queries (Prepared Statements): Ensure user input is treated as a string,

not as part of the SQL statement.

➔ Stored Procedures: Encapsulate SQL queries, making it harder to inject malicious code.

8
 ➔ Input Validation & Escaping: Validate all user inputs and escape special characters to
prevent their execution in SQL.

➔ Least Privilege Principle: Restrict database permissions for users interacting with the
web application.

➔ Web Application Firewalls (WAFs): Detect and block SQL injection attempts.

6. Detecting SQL Injection

➢ Manual Testing: Use payloads such as 1' OR '1'='1' -- in form inputs and observe results.

➢ Automated Tools:SQLmap: Automated tool to exploit SQL injection flaws.

➢ Burp Suite: Security testing tool with SQLi capabilities.

7. Common Tools for Exploiting SQL Injection

● SQLmap: Automates detection and exploitation of SQLi vulnerabilities.

● Havij: GUI-based automated SQL Injection tool.

● SQLNinja: Targeting Microsoft SQL Server.

8. Resources

● OWASP SQL Injection Cheat Sheet: OWASP Link

● SQLmap Documentation: SQLmap Tool

9
 Broken Access Control

1. What is Broken Access Control?

Broken Access Control occurs when a web application fails to enforce proper permissions,
allowing users to access data or functionalities they shouldn’t. Attackers can exploit this to gain
unauthorized access to sensitive resources.

2. Common Vulnerabilities in Access Control

a. Insecure Direct Object References (IDOR)

Occurs when internal objects (such as files, records, or database keys) are exposed and can be
directly accessed by users via modified URLs or request parameters.

10
 Example: /user/1234 changed to /user/1235 to access another user's data.

b. Missing Function-Level Access Control

When the application fails to verify if a user has the appropriate permissions to execute a
particular function.

Example: Regular users gaining access to administrative functions like

/admin/dashboard.

c. Forceful Browsing

Attackers can access unprotected pages or functionalities by directly navigating to hidden

URLs.

Example: Navigating to /admin/settings without proper authentication.

d. Privilege Escalation

Users with limited access can gain higher privileges (e.g., from a regular user to an admin) due
to improper checks.

Example: User modifies their role parameter from user to admin in an HTTP
request.

3. Exploitation Techniques

11
a. Horizontal Privilege Escalation

● Accessing resources of another user at the same privilege level.

● Example: Accessing another user’s profile or order details by changing the user_id.

b. Vertical Privilege Escalation

Gaining higher-level privileges, such as accessing administrative features as a regular

user.

Example: Modifying role attributes in a session or request to gain admin access.

4. Common Attack Scenarios

● Accessing Other Users' Data: An attacker changes a URL parameter to access another
user’s private data.
● Unauthorized Administrative Access: A regular user manually navigates to an admin
page to access protected features.
● Modifying User Roles: Altering hidden parameters to escalate privileges or gain
additional functionality.

5. Mitigating Broken Access Control

a. Deny by Default

● All access should be denied by default, and explicit permissions should be granted only
to specific roles or users.

12
b. Role-Based Access Control (RBAC)

● Implement RBAC to ensure users have only the permissions necessary for their role.

c. Implement Function-Level Access Controls

● Ensure proper checks are performed at both the UI and API levels for critical actions and
sensitive data.

d. Use Indirect Object References

● Use random or hashed identifiers instead of predictable ones

(e.g., user/123 ➔ user/ae123f4g).

e. Session Management

● Tie sessions to specific users and roles. Prevent session hijacking by enforcing
re-authentication for sensitive actions.

6. Testing for Broken Access Control

● Manual Testing: Attempt to access unauthorized pages, APIs, or resources by

manipulating URLs, cookies, or request parameters.

● Automated Tools:
○ OWASP ZAP: Can identify insecure object references and missing function-level
access controls.
○ Burp Suite: Security testing tool with a wide range of access control exploitation
features.

13
7. Common Tools for Exploiting Broken Access Control

● Postman: Test APIs and modify request parameters to check for access control flaws.

● Burp Suite: Automated scanner and manual testing tool to manipulate requests.

● OWASP ZAP: An open-source web application security scanner that helps test access
control vulnerabilities.

8. Prevention Checklist

● Verify access control checks are in place at both client and server levels.

● Never rely on client-side access control measures (e.g., hidden UI elements).

● Ensure sensitive functionalities require proper authentication and authorization.

● Test frequently for privilege escalation and IDOR vulnerabilities.

9. Resources

● OWASP Top 10: Broken Access Control: OWASP Link

● OWASP Access Control Cheat Sheet: OWASP Cheat Sheet

14
 Osint
1. What is OSINT?

OSINT stands for Open-Source Intelligence. It refers to the process of collecting and analyzing
publicly available data to gather actionable intelligence. This data can be accessed through
various sources, such as websites, social media, public records, forums, and other online
databases.

2. OSINT Process

➔ Planning: Define objectives and scope.

➔ Collection: Gather data from open sources (web, social media, etc.).

15
 ➔ Processing: Filter and organize raw data.
➔ Analysis: Derive meaningful insights from the collected data.
➔ Reporting: Present findings in a concise, actionable format.

3. Types of OSINT

● Passive OSINT: Gathering data without direct interaction with the target (e.g., searching
websites, public records).
● Active OSINT: Involves interaction with the target, such as sending emails or filling out
forms to elicit a response.

4. Common OSINT Techniques

● Footprinting: Discovering technical details about a target such as IP addresses, DNS

information, hosting details.
● Social Media Mining: Extracting information from social networks (e.g., LinkedIn,
Facebook, Twitter).
● Metadata Analysis: Reviewing file metadata for hidden information, like file authorship,
location, or software used.

16
 ● Search Engine Dorking: Using advanced search operators to uncover hidden or sensitive
information on search engines.
● Whois Lookup: Identifying domain ownership, IP address allocations, and DNS
information.
● Geolocation: Tracking locations from images, videos, and social media check-ins.

5. Key OSINT Tools

● Maltego: Visualization tool for analyzing relationships between people, domains,

networks, and companies.
● theHarvester: Collects emails, subdomains, IPs, and other data.
● Shodan: Search engine for internet-connected devices (IoT, servers).
● SpiderFoot: Automates the collection of OSINT data from multiple sources.
● Recon-ng: Web reconnaissance tool with modules for automating OSINT tasks.
● Google Dorks: Uses Google search operators for advanced querying.

6. Common OSINT Search Operators

● site: – Limits results to a specific website

(e.g., site:example.com).

● filetype: – Finds specific file types

17
 (e.g., filetype:pdf).

● intitle: – Searches for keywords in titles of web pages

(e.g., intitle:"login page").

● inurl: – Searches for keywords in URLs

(e.g., inurl:admin).

● related: – Finds sites related to a specific domain

(e.g., related:example.com).

7. Ethical Considerations in OSINT

➔ Legal Compliance: Ensure data collection follows the laws and regulations of the
country, including privacy laws (GDPR, CCPA).
➔ Avoid Hacking: OSINT focuses on open, publicly available data. Engaging in activities
such as password cracking or server intrusion is illegal.
➔ Respect Privacy: Avoid using OSINT to infringe on individuals' personal rights or stalk
them.

8. Examples of OSINT in Action

➔ Cybersecurity Investigations: Tracking down hacker infrastructure or identifying leaked

credentials.
➔ Corporate Intelligence: Competitor analysis, market research, and due diligence.
➔ Personal Investigations: Identifying social media profiles, blog posts, or online activity.
➔ Law Enforcement: Tracking down suspects using publicly available data or criminal
activity patterns.

9. Using OSINT for Threat Intelligence

OSINT can be used to monitor the internet for:

➔ Leaked credentials or sensitive data.

18
 ➔ Threat actor communications on forums.

➔ Vulnerabilities disclosed in public repositories.

➔ Infrastructure used for phishing or malware distribution.

10. Popular OSINT Resources

➔ OSINT Framework: An organized collection of tools and resources for OSINT.

➔ Intel Techniques: Free tools and resources for open-source investigations.

➔ SecLists: A collection of various OSINT-related wordlists for reconnaissance.

➔ Censys: Search engine for discovering devices, certificates, and websites on the internet.

➔ OSINTCurio.us: A blog and community offering in-depth OSINT analysis and research.

19
 Reverse Image Search
1. What is Reverse Image Search?

Reverse image search is a technique that allows users to search the internet using an image as
the query instead of text. It enables users to find similar images, track the original source of an
image, and identify modifications or usage across the web.

2. Common Uses of Reverse Image Search

● Finding Image Sources: Identify where an image originated or who created it.

● Checking Image Authenticity: Verify if an image has been altered or is being misused.

● Discovering Similar Images: Locate variations or similar images for design inspiration.

20
 ● Identifying People or Places: Find out more about people or locations depicted in the
image.

● Tracking Copyright Infringements: Monitor unauthorized use of copyrighted images.

3. Popular Reverse Image Search Tools

● Google Images: Upload or paste an image URL to find similar images and their sources.

● TinEye: A dedicated reverse image search engine that tracks image usage across the
web.

● Bing Visual Search: Microsoft's reverse image search tool that provides visual search
results.

● Yandex Images: Russian search engine with a powerful reverse image search feature.

● Pinterest Lens: Allows users to find visually similar images and related pins on Pinterest.

● CamFind: Mobile app that lets users take a picture and find similar images or products.

4. How to Perform a Reverse Image Search

1. Using Google Images:

○ Go to Google Images.
○ Click on the camera icon (Search by Image).
○ Upload an image or paste the URL of the image.
○ Review the results for similar images and their sources.
2. Using TinEye:
○ Visit TinEye.
○ Upload the image or paste the image URL.
○ Click "Search" to find where the image appears on the web.
3. Using Bing Visual Search:
○ Go to Bing.
○ Click on the camera icon in the search bar.
○ Upload the image or paste the URL to see related images.
4. Using Pinterest Lens:

21
 ○ Open the Pinterest app or website.
○ Click on the camera icon to upload an image or take a photo.
○ Discover similar images and related pins.

5. Tips for Effective Reverse Image Searches

● Use High-Quality Images: Clear images yield better results.

● Try Different Tools: If one tool doesn’t return useful results, try another.
● Experiment with Cropped Versions: Crop the image to focus on specific elements and
see if that provides better results.
● Use Metadata: For images from digital cameras, the metadata may provide useful
information about the image's origin.

6. Limitations of Reverse Image Search

● Image Quality: Low-resolution images may not yield accurate results.

● Privacy Concerns: Some images may not be indexed due to privacy settings on social
media platforms.
● Language Barriers: Results may vary based on the language of the image content or
metadata.

7. Applications in Cybersecurity and OSINT

● Tracking Malicious Images: Identify images used in phishing attacks or malware

distribution.
● Investigating Fake Profiles: Verify the authenticity of profile pictures on social media.
● Identifying Copyright Violations: Help creators track the usage of their images

22
 Reverse Engineering
1. What is Reverse Engineering?

Reverse engineering is the process of analyzing a system or product to understand its

components, functionality, and inner workings. This technique is often used in software
development, hardware design, and cybersecurity to recreate or improve upon existing
technologies.

2. Common Uses of Reverse Engineering

● Software Analysis: Understanding how a software application works, especially in the

context of security vulnerabilities.
● Malware Analysis: Analyzing malicious software to determine its behavior, payload, and
targets.
● Product Improvement: Analyzing competitor products to understand their features and
performance for enhancement.
● Legacy Systems: Updating or replacing outdated systems by understanding their design
and functionality.
● Interoperability: Creating products that can work with existing systems or products.

3. Types of Reverse Engineering

● Static Analysis: Examining the code or structure of a system without executing it. This
includes reading source code, analyzing binaries, or reviewing documentation.
● Dynamic Analysis: Executing the system and observing its behavior in real-time, which
may involve debugging and monitoring system calls or memory usage.

23
 ● Hardware Reverse Engineering: Disassembling physical devices to analyze their
components, circuitry, and functions.

4. Common Reverse Engineering Techniques

● Disassembly: Converting machine code back into assembly language for analysis.
● Decompilation: Translating compiled code back into high-level source code.
● Debugging: Using debugging tools to step through code execution to understand the
program flow and detect anomalies.
● Network Analysis: Capturing and analyzing network traffic to understand communication
protocols and data exchange.
● Protocol Analysis: Examining the protocols used for communication between devices or
software to identify vulnerabilities or compatibility issues.

5. Popular Reverse Engineering Tools

● Ghidra: A free and open-source software reverse engineering suite developed by the
NSA.
● IDA Pro: A powerful disassembler and debugger widely used for static and dynamic
analysis (commercial tool).
● Radare2: An open-source framework for analyzing binaries and performing reverse
engineering tasks.
● OllyDbg: A 32-bit assembler level analyzing debugger for Windows applications.
● x64dbg: An open-source debugger for Windows that supports both 32-bit and 64-bit
applications.
● Cutter: A Qt and C++ GUI powered by Radare2, providing a user-friendly interface for
reverse engineering.
● Wireshark: A network protocol analyzer that captures and inspects network packets.
● apktool: A tool for reverse engineering Android APK files to decode resources to their
original form.

24
6. Reverse Engineering Process

1. Define Objectives: Clearly outline the goals of the reverse engineering effort (e.g.,
understanding functionality, discovering vulnerabilities).
2. Data Collection: Gather relevant software, documentation, or hardware for analysis.
3. Static Analysis: Review the code structure, identify key components, and look for
potential vulnerabilities or interesting features.
4. Dynamic Analysis: Execute the system in a controlled environment, observing its
behavior and interactions.
5. Documentation: Keep detailed records of findings, including diagrams, code snippets,
and analysis results.
6. Reporting: Compile findings into a comprehensive report that addresses the initial
objectives.

7. Ethical Considerations

● Legal Compliance: Ensure that reverse engineering practices comply with copyright and
intellectual property laws.
● Respect Privacy: Avoid using reverse engineering to compromise personal or
confidential information.
● Intent: Use reverse engineering for ethical purposes, such as improving security or
interoperability, rather than malicious activities.

8. Applications in Cybersecurity

● Vulnerability Discovery: Identifying security flaws in software or systems that could be

exploited.
● Malware Threat Intelligence: Analyzing malware to understand its origin, behavior, and
impact.

25
 ● Security Audits: Assessing existing systems for vulnerabilities by replicating attack
scenarios.

9. Resources for Learning Reverse Engineering

● Books:
○ "Practical Reverse Engineering" by Bruce Dang et al.
○ "Reversing: Secrets of Reverse Engineering" by Eldad Eilam.
● Online Courses:
○ Cybrary's reverse engineering courses.
○ Udemy's reverse engineering courses.
● Communities and Forums:
○ Reverse Engineering Stack Exchange.
○ Reddit’s r/ReverseEngineering.

26
 PHP Deserialization
1. What is PHP Deserialization?

PHP Deserialization is the process of converting a serialized string back into its original PHP
object or data structure. Serialization converts data into a format suitable for storage or
transmission, while deserialization restores the data to its original form.

A PHP deserialization vulnerability arises when user-supplied data is deserialized without

proper validation or filtering. This can lead to malicious code execution, object injection, or other
security risks.

2. How PHP Serialization Works

Serialization: Converts PHP objects, arrays, or data structures into strings.

$data = ['name' => 'Alice', 'age' => 25];

$serialized = serialize($data);
echo $serialized;
// Output: a:2:{s:4:"name";s:5:"Alice";s:3:"age";i:25;}

Deserialization: Converts the serialized string back to the original data structure.

$unserialized = unserialize($serialized);
print_r($unserialized);
// Output: Array ( [name] => Alice [age] => 25 )

27
3. PHP Deserialization Vulnerability Example

When user input is directly passed to unserialize() without validation:

$userInput = $_GET['data']; // User-controlled input

$data = unserialize($userInput);

Malicious Payload Example: If the attacker passes:

O:8:"Exploit":0:{}

● This could create an object of the Exploit class, allowing the attacker to manipulate
the application if the class has exploitable methods (e.g., __wakeup() or
__destruct()).

4. Risks of PHP Deserialization Vulnerabilities

● Remote Code Execution (RCE): Attacker can inject code that is executed when a
vulnerable class method is called.
● Object Injection: Creating unauthorized objects that affect application logic.
● Denial of Service (DoS): Large or malicious data structures may cause the server to
crash.
● Authentication Bypass: Exploiting improperly serialized user sessions or objects.

5. Defensive Techniques Against PHP Deserialization Vulnerabilities

● Avoid Untrusted Data Deserialization: Never deserialize user-supplied input directly.

Use JSON Instead: JSON is safer for data serialization/deserialization.

$data = json_decode($_POST['data'], true); // Use JSON, not unserialize()

Use allowed_classes Parameter: When deserializing objects, limit deserialization to specific

classes.

$data = unserialize($input, ['allowed_classes' => false]);

● Input Validation: Validate and sanitize input before processing it.

28
 ● Disable PHP Object Serialization: Avoid using serialize() and unserialize()
when possible.

6. Common Exploitable Functions in PHP Classes

● __wakeup(): Called when an object is unserialized. Can be exploited to execute

arbitrary code.
● __destruct(): Called when an object is destroyed, potentially triggering malicious
actions.
● __toString(): Converts an object to a string and can be exploited if it contains
vulnerable logic.

7. Detecting PHP Deserialization Vulnerabilities

● Code Review: Look for any usage of unserialize() on untrusted input.

● Dynamic Testing: Use tools like Burp Suite to send serialized payloads and observe the
application’s behavior.
● Automated Scanners: Tools like RIPS and SonarQube can detect insecure
deserialization patterns.

8. Exploiting PHP Deserialization Vulnerabilities

Crafting Payloads: Attackers create payloads containing serialized objects with malicious logic.
Example:

O:8:"Exploit":1:{s:4:"code";s:20:"system('ls /');";}

● Use Public Exploit Tools: Tools like PHPGGC (PHP Generic Gadget Chains) can generate
payloads to exploit vulnerable deserialization.

9. PHPGGC Tool for Exploiting Deserialization

PHPGGC is a tool that generates gadget chains for PHP object injection:

phpggc monolog/rce1 system 'ls /'

● This generates a serialized payload that executes a system command when

deserialized.

10. Resources for Further Learning

● OWASP Insecure Deserialization Guide: OWASP

29
● PHP Manual: PHP serialize() and unserialize()
● PHPGGC Tool: PHPGGC

30
 Phishing
1. What is Phishing?

Phishing is a form of cyber attack that involves tricking individuals into providing sensitive
information, such as usernames, passwords, credit card numbers, or other personal data.
Attackers impersonate legitimate entities through various communication channels, often
leading victims to fraudulent websites or malicious attachments.

2. Types of Phishing Attacks

● Email Phishing: The most common form, where attackers send emails that appear to be
from trusted sources, often including links to fake websites.

● Spear Phishing: Targeted phishing aimed at specific individuals or organizations, often

personalized to make the attack more convincing.

31
 ● Whaling: A type of spear phishing that targets high-profile individuals, such as executives
or senior management, often with significant financial gain as the goal.

● Vishing (Voice Phishing): Phishing conducted through voice calls, where attackers
impersonate legitimate entities to extract sensitive information.

● Smishing (SMS Phishing): Phishing attacks carried out via SMS or text messages, often
containing malicious links.

● Clone Phishing: Attackers create a near-identical copy of a legitimate email previously

sent, replacing the legitimate link or attachment with a malicious one.

3. Common Phishing Techniques

● Urgency Tactics: Messages that create a sense of urgency, prompting immediate action
(e.g., "Your account will be suspended unless you verify it now!").

● Spoofed URLs: Links that appear legitimate but lead to malicious sites. Attackers often
use similar domain names to trick users (e.g., using "paypal-secure.com" instead of
"paypal.com").

● Malicious Attachments: Emails containing attachments that, when opened, can install
malware on the victim's device.

● Fake Login Pages: Fraudulent websites designed to look like legitimate login pages,
capturing user credentials when they attempt to sign in.

4. Indicators of Phishing Attempts

32
 ● Generic Greetings: Emails that start with "Dear Customer" instead of using the
recipient's name.

● Spelling and Grammar Errors: Poorly written emails with typos or awkward phrasing.

● Unusual Sender Addresses: Emails from suspicious or unfamiliar email addresses.

● Unexpected Attachments or Links: Emails that contain unsolicited attachments or links.

● Requests for Personal Information: Legitimate organizations typically do not request

sensitive information via email.

5. How to Recognize Phishing Emails

● Verify Sender's Email Address: Check if the email address matches the legitimate
organization's address.

● Hover Over Links: Place the cursor over links (without clicking) to see the actual URL
destination.

● Look for HTTPS: Legitimate websites will have HTTPS in the URL; however, this alone is
not a guarantee of safety.

● Analyze the Content: Consider the tone and urgency of the email. If it feels off, verify it
through official channels.

6. Preventing Phishing Attacks

● Education and Training: Conduct regular training sessions for employees on recognizing
and responding to phishing attempts.

● Implement Email Filters: Use email security solutions to filter out suspected phishing
emails.

● Enable Two-Factor Authentication (2FA): Adding an extra layer of security can help
protect accounts even if credentials are compromised.

● Regular Software Updates: Keep software, including security tools, up to date to protect
against vulnerabilities.

● Report Phishing Attempts: Encourage users to report suspected phishing attempts to

the IT department or security team.

7. Tools for Phishing Protection

33
 ● Anti-Phishing Solutions: Software solutions like Mimecast, Proofpoint, or Microsoft
Defender for Office 365 provide protection against phishing attacks.

● Browser Extensions: Tools like Web of Trust (WOT) or Netcraft can help identify
malicious websites.

● Email Security Solutions: Use email gateways with phishing detection capabilities to
filter out suspicious messages.

8. What to Do if You Fall Victim to Phishing

● Change Passwords Immediately: Update passwords for affected accounts and any
other accounts using similar credentials.
● Monitor Financial Accounts: Check for unauthorized transactions and report any
suspicious activity to your bank.

● Report the Attack: Inform your organization's IT department and report the phishing
attempt to the relevant authorities (e.g., FTC in the US).

● Enable Identity Theft Protection: Consider using identity theft protection services if
sensitive information has been compromised.

34
 Memory Forensics
1. What is Memory Forensics?

Memory forensics is the process of analyzing volatile memory (RAM) to extract valuable
information about the state of a system at a given point in time. It is a crucial aspect of digital
forensics, enabling investigators to uncover evidence related to malware infections, system
intrusions, and other malicious activities that may not be captured in disk-based analysis.

2. Objectives of Memory Forensics

● Malware Analysis: Identify and analyze malicious processes and code running in
memory.

● Incident Response: Gather evidence during an active incident to understand attacker

behavior and tactics.

● User Activity Monitoring: Determine what applications were running and what actions
users performed prior to an incident.

35
 ● Data Recovery: Recover sensitive information, such as passwords or encryption keys,
that may reside in memory.

3. Key Concepts in Memory Forensics

● Volatile Memory: Memory that is lost when a system is powered off. It includes RAM
and cache memory.

● Process Dump: A snapshot of a program’s memory at a particular moment, containing

data about the process, its execution state, and memory allocations.

● Memory Image: A complete capture of the system's RAM, used for analysis.

36
4. Common Memory Forensics Tools

● Volatility: An open-source memory forensics framework that supports analysis of

memory dumps from various operating systems.

● Rekall: Another open-source memory analysis tool with a user-friendly interface, suitable
for examining RAM captures.

● FTK Imager: A forensic imaging tool that can capture memory dumps as well as disk
images.

● WinDbg: A Microsoft debugger that can be used to analyze Windows memory dumps.

● LiME (Linux Memory Extractor): A tool used to acquire memory images from Linux
systems.

● DumpIt: A simple tool that can create memory images of Windows systems.

5. Steps in Memory Forensics Process

1. Capture Memory Image: Use tools like FTK Imager, DumpIt, or LiME to create a complete
memory dump from the target system.

2. Load Memory Image: Import the captured memory image into a forensic analysis tool
like Volatility or Rekall.

37
 3. Analyze the Memory:

○ Identify Running Processes: List active processes and their memory usage.

○ Investigate Network Connections: Examine active network connections and open

ports.

○ Extract Artifacts: Look for valuable artifacts such as user credentials, encryption
keys, and documents.

○ Analyze File System Structures: Investigate file handles and DLLs loaded into
memory.

4. Document Findings: Keep detailed notes on the analysis process and findings, including
evidence of malicious activity.

6. Common Artifacts Extracted from Memory

● Processes and Threads: Information about running processes and their states.

● Network Connections: Details of active connections and associated processes.

● Loaded Modules: Information about DLLs and kernel modules loaded in memory.

● User Data: Cached user passwords, browser sessions, and other sensitive information.

● Kernel Objects: Insights into system-level activity, including drivers and system calls.

7. Challenges in Memory Forensics

● Data Volatility: Memory is ephemeral, meaning evidence can be lost if not captured
quickly.

38
 ● Encryption: Encrypted data in memory can complicate analysis.

● Memory Forensics Techniques: The need for expertise in memory structures and
operating system internals.

● Large Volumes of Data: Memory images can be large and complex, requiring efficient
filtering and analysis.

8. Best Practices for Memory Forensics

● Preserve Evidence: Ensure the integrity of the memory image by using write-blocking
techniques during capture.
● Use Trusted Tools: Rely on well-known and widely accepted forensic tools to avoid
introducing errors.
● Maintain Chain of Custody: Document every step taken during the analysis process to
uphold legal standards.
● Regular Training: Keep skills updated with the latest techniques and tools in memory
forensics.

9. Resources for Learning Memory Forensics

● Books:
○ Practical Memory Forensics by Andrew Case, Jamie Levy, and AAron Walters.
○ The Art of Memory Forensics by Michael Hale Ligh, Andrew Case, Jamie Levy, and
AAron Walters.
● Online Courses: Platforms like Cybrary, Udemy, and SANS offer courses on digital
forensics and memory analysis.
● Communities and Forums: Engage with online communities like the SANS Institute or
various cybersecurity forums for knowledge sharing.

39
 Disk Forensics
1. What is Disk Forensics?

Disk forensics is the process of analyzing computer hard drives and other storage media to
recover, preserve, and analyze data in a way that is legally admissible. It is a crucial aspect of
digital forensics, often used in investigations involving cybercrime, data breaches, and data
recovery.

2. Objectives of Disk Forensics

● Data Recovery: Retrieve lost or deleted files from damaged or corrupted storage media.

● Evidence Preservation: Maintain the integrity of digital evidence for legal proceedings.

● Malicious Activity Investigation: Analyze disk images to find evidence of hacking,

malware, or unauthorized access.

40
 ● Incident Response: Investigate security incidents to determine the extent of a breach or
compromise.

3. Key Concepts in Disk Forensics

● Storage Media: Devices such as hard drives, SSDs, USB drives, and memory cards.

● Disk Image: A sector-by-sector copy of a storage device, used for analysis without
altering the original data.

● File System: The method and data structure that an operating system uses to manage
files on a disk.

● Logical vs. Physical Analysis: Logical analysis focuses on file structures and content,
while physical analysis looks at raw data and disk sectors.

4. Common Disk Forensics Tools

● EnCase: A comprehensive forensic tool for disk imaging, analysis, and reporting.

● FTK (Forensic Toolkit): A forensic software that provides disk imaging and data recovery
capabilities, along with analysis tools.

● Autopsy: An open-source digital forensics platform that supports disk analysis and
recovery.

● Sleuth Kit: A collection of command-line tools for disk forensic analysis, often used with
Autopsy.

● dd and dcfldd: Command-line tools for creating disk images in a forensic manner.

41
 ● X1 Social Discovery: Focused on the collection and analysis of social media data, with
some disk forensic capabilities.

5. Steps in Disk Forensics Process

1. Evidence Collection:

○ Use write-blockers to prevent any changes to the original media.

○ Create a forensic disk image using tools like FTK Imager or dd.

2. Data Preservation:

○ Store the original media securely and keep a documented chain of custody.

○ Verify the integrity of the disk image using checksums (e.g., MD5, SHA-1).

3. Data Analysis:

○ File System Analysis: Examine file systems (FAT, NTFS, EXT) for file structures,
timestamps, and metadata.

○ Keyword Searches: Search for specific terms, patterns, or file types relevant to
the investigation.

○ Recover Deleted Files: Identify and restore deleted files from unallocated space
or slack space.

○ Examine Artifacts: Analyze browser history, email databases, and application

data for relevant information.

4. Documentation:

○ Maintain detailed notes on the analysis process, findings, and any tools or
techniques used.

○ Prepare a forensic report summarizing the analysis and findings for legal
proceedings.

6. Common Artifacts in Disk Forensics

● File Metadata: Information about files, such as creation, modification, and access
timestamps.

● System Logs: Logs from the operating system that may provide insights into user
actions and system events.

42
 ● User Data: Documents, images, emails, and other files created or accessed by users.

● Temporary Files: Files created by applications that may contain remnants of user
activity.

7. Challenges in Disk Forensics

● Encryption: Encrypted disks can complicate data recovery and analysis.

● Data Overwriting: New data may overwrite deleted files, making recovery difficult or
impossible.
● File System Variability: Different operating systems and file systems have unique
structures and metadata, requiring specialized knowledge.
● Volume and Complexity of Data: Large disks can contain vast amounts of data, requiring
efficient analysis techniques.

8. Best Practices for Disk Forensics

● Use Write Blockers: Always use hardware or software write-blockers to prevent

modifications to the original media during acquisition.
● Maintain Chain of Custody: Document every action taken during the forensic process to
ensure the validity of evidence.
● Follow Legal and Ethical Guidelines: Ensure compliance with laws and regulations
governing data privacy and digital forensics.
● Regular Training: Stay updated on the latest tools, techniques, and legal considerations
in digital forensics.

9. Resources for Learning Disk Forensics

43
● Books:
○ Digital Forensics and Cyber Crime by T. A. J. O. T. S. (A. M. J.) and M. E. M. T. (R.
J. M.)
○ File System Forensic Analysis by Brian Carrier.
● Online Courses: Platforms like Udemy, Coursera, and SANS offer courses on digital
forensics and incident response.
● Communities and Forums: Join forums like the Digital Forensics Community and attend
conferences such as DEF CON and Black Hat for networking and knowledge sharing.

44
 Quishing
1. What is Quishing?

Quishing is a form of cyber attack that combines traditional phishing techniques with QR codes.
Attackers use QR codes to direct victims to malicious websites, download malware, or provide
sensitive information, often under the guise of legitimate services or promotions.

2. How Quishing Works

● Creation of Malicious QR Codes: Attackers generate QR codes that link to malicious

websites or downloadable content.
● Distribution: Malicious QR codes are shared through various channels, including email,
SMS, flyers, social media, or even printed materials.
● Deceptive Practices: The QR codes may be presented as legitimate, appearing on flyers
for events, product packaging, or official communications.

3. Common Techniques Used in Quishing

● Social Engineering: Manipulating victims by creating a sense of urgency or offering

enticing deals to scan the QR code.
● Fake Promotions: Offering discounts or exclusive content that requires users to scan a
QR code.
● Impersonation: Using trusted brands or organizations to make the QR code appear
legitimate.

45
4. Risks Associated with Quishing

● Malware Installation: Scanning a malicious QR code may lead to automatic downloads

of malware onto the user's device.
● Data Theft: Users may be directed to fake websites designed to collect personal
information, including login credentials and financial data.
● Phishing Attacks: Users may unwittingly provide sensitive information to attackers
posing as legitimate services.

5. Indicators of Quishing Attempts

● Unfamiliar QR Codes: Receiving or seeing QR codes from unknown sources or unusual

contexts.
● Lack of Branding: QR codes that lack proper branding or appear on unofficial materials.
● Urgency or Limited Offers: Messages that create a sense of urgency, pushing users to
scan the QR code quickly.

6. How to Protect Against Quishing

● Verify Sources: Only scan QR codes from trusted sources or known contacts.
● Preview URLs: Use a QR code scanner that previews the URL before redirecting you,
allowing you to verify its legitimacy.
● Avoid Providing Sensitive Information: Never enter personal data or credentials on
unfamiliar websites accessed via QR codes.
● Educate Yourself and Others: Raise awareness about quishing and teach others how to
recognize and avoid such attacks.

7. Detection and Mitigation Strategies

● Monitor Network Traffic: Use network monitoring tools to identify unusual or

unauthorized access attempts.

46
 ● URL Scanning Tools: Use services like VirusTotal to scan URLs before visiting them.
● Regular Security Training: Conduct training sessions for employees and users to identify
and respond to potential quishing attempts.

8. Tools for Scanning QR Codes

● QR Code Readers: Apps that can scan QR codes and preview the destination URL before
opening it.
● URL Shortener Checkers: Tools that help verify the legitimacy of shortened URLs linked
to QR codes.

9. Resources for Learning About Quishing

● Cybersecurity Blogs: Follow reputable cybersecurity blogs and news sites for the latest
information on quishing and related threats.
● Online Courses: Platforms like Coursera and Udemy offer courses on cybersecurity
awareness, including phishing and quishing.
● Community Forums: Participate in cybersecurity forums and discussions to stay
informed about emerging threats and defenses.

47
 JWT Token
1. What is a JWT?

JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information
between parties as a JSON object. It is compact, URL-safe, and can be used for authentication
and information exchange. JWTs are commonly used in web applications for stateless
authentication and authorization.

2. Structure of a JWT

A JWT consists of three parts separated by dots (.):

● Header: Contains metadata about the token, including the type (JWT) and the signing
algorithm used (e.g., HS256).
● Payload: Contains the claims or the data being transmitted. This can include standard
claims (like iss, exp, sub, aud) and custom claims defined by the application.

48
 ● Signature: Used to verify the authenticity of the token. It is created by combining the
encoded header and payload and signing it with a secret key using the specified
algorithm.

Example JWT Structure:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. // Header
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.
// Payload
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c // Signature

3. Claims in the Payload

Claims are pieces of information about the user or context. They can be classified into three
types:

● Registered Claims: Predefined claims that are recommended but not mandatory.
Examples include:
○ iss: Issuer of the token.
○ sub: Subject of the token (usually the user ID).
○ aud: Audience for which the token is intended.
○ exp: Expiration time (in Unix time).
○ iat: Issued at time (in Unix time).

49
 ● Public Claims: Custom claims defined by the application that can be used to convey
information.
● Private Claims: Claims created to share information between parties that agree on using
them.

4. Signing Algorithms

JWTs can be signed using two types of algorithms:

● HMAC (Symmetric Key): Both the issuer and the consumer share a secret key (e.g.,
HS256).
● RSA or ECDSA (Asymmetric Key): The issuer uses a private key to sign the token, while
the consumer uses a public key to verify it (e.g., RS256).

5. Use Cases for JWT

● Authentication: After successful login, the server generates a JWT and sends it to the
client, which stores it (typically in local storage or cookies) for future requests.
● Authorization: JWTs can convey user permissions or roles, allowing servers to check
access levels for protected resources.
● Information Exchange: JWTs can carry information between parties securely and can be
verified to ensure data integrity.

6. Advantages of Using JWT

● Compact: The tokens are small and can be sent via URLs, POST requests, or in HTTP
headers.

50
 ● Self-contained: JWTs contain all the necessary information about the user, reducing the
need to query the database multiple times.
● Cross-domain: JWTs can be used across different domains without issues related to
CORS.

7. Disadvantages of Using JWT

● Token Revocation: Once a JWT is issued, it cannot be easily revoked unless additional
mechanisms are implemented (e.g., maintaining a blacklist).
● Token Size: Although compact, large payloads can lead to performance issues when
transmitted.
● Complexity: Implementing JWT correctly requires careful attention to security practices.

8. Best Practices for JWT

● Use HTTPS: Always transmit JWTs over HTTPS to prevent interception.

● Set Short Expiry: Use short expiration times and refresh tokens for long sessions to
minimize risks from stolen tokens.
● Use Secure Algorithms: Choose strong signing algorithms (e.g., RS256 instead of
HS256 when appropriate) and keep keys secure.
● Validate Inputs: Always validate the data in the JWT and perform proper error handling.
● Implement Token Revocation: Consider using a blacklist for revoked tokens or storing
session states in a database.

9. JWT Libraries

● JavaScript: jsonwebtoken
● Python: PyJWT
● Java: jjwt
● .NET: System.IdentityModel.Tokens.Jwt
● PHP: firebase/php-jwt

51
10. Resources for Learning More About JWT

● RFC 7519: JSON Web Token (JWT)

● JWT.io: JWT Debugger for encoding, decoding, and verifying JWTs.
● Books: Look for books on web security or specific frameworks that utilize JWT (like
OAuth 2.0 and OpenID Connect).

52
 CSRF Token
1. What is a CSRF Token?

A CSRF Token (Cross-Site Request Forgery Token) is a security mechanism used to prevent
CSRF attacks, where unauthorized commands are transmitted from a user that the web
application trusts. CSRF tokens are unique, unpredictable values generated by the server and
included in requests made by the client.

2. How CSRF Attacks Work

● An attacker tricks a user into performing unwanted actions on a web application where
they are authenticated (e.g., submitting a form).

● For example, the user might be logged into their bank account, and the attacker sends a
malicious link or form that, when executed, transfers funds without the user’s
knowledge.

53
3. How CSRF Tokens Work

● Token Generation: When a user accesses a form on a web page, the server generates a
unique CSRF token and embeds it in the form.

● Token Submission: When the form is submitted, the CSRF token is sent along with the
request.

● Token Validation: The server checks the received CSRF token against the one stored in
the user session. If they match, the request is processed; if not, the request is rejected.

4. CSRF Token Implementation Steps

1. Token Generation:
○ Generate a unique token for each user session or each request.
○ Store the token in the user’s session or database.
2. Embedding the Token:

Include the token in forms as a hidden input field:

<input type="hidden" name="csrf_token" value="{{ csrf_token }}">

3. Sending the Token:

Send the CSRF token in headers for AJAX requests, often using JavaScript:

$.ajaxSetup({
headers: {
'X-CSRF-Token': $('input[name="csrf_token"]').val()
}
});

4. Token Verification:

On form submission or AJAX request, verify that the token received matches the one stored on
the server:

if request.form['csrf_token'] != session['csrf_token']:
abort(403) # Forbidden

54
5. Best Practices for CSRF Tokens

● Unique per Session: Generate a unique token for each session or request, not just for a
user’s session.

● Secure Storage: Store the token securely, ideally in the user session or in a database.

● Token Length and Complexity: Ensure tokens are sufficiently long and complex to resist
brute-force attacks.

● Same-Site Cookies: Use the SameSite attribute for cookies to prevent them from being
sent in cross-origin requests.

● HTTPS: Always use HTTPS to prevent token interception.

6. Detecting CSRF Vulnerabilities

● Review Forms: Ensure that all state-changing forms include CSRF tokens.

● Automated Testing: Use security scanning tools to identify CSRF vulnerabilities.

● Manual Testing: Attempt to submit forms without CSRF tokens to see if the application
properly rejects the requests.

7. Mitigating CSRF Attacks Without Tokens

While CSRF tokens are the most common defense mechanism, other strategies include:

● Same-Site Cookie Attribute: Set the SameSite attribute on cookies to prevent them
from being sent with cross-origin requests.

● Double Submit Cookies: Send the CSRF token in both a cookie and as a request
parameter and validate both.

55
 ● User Interaction Verification: Implement additional confirmation steps for sensitive
actions (e.g., re-entering a password).

8. Resources for Learning More About CSRF Tokens

● OWASP CSRF Prevention Cheat Sheet: OWASP CSRF Cheat Sheet

● Web Security Books: Look for titles focused on web application security and secure
coding practices.
● Security Blogs and Tutorials: Explore reputable cybersecurity blogs and video tutorials
covering CSRF attacks and defenses.

56
 Network Analysis
1. What is Network Analysis?

Network Analysis involves the process of inspecting, monitoring, and evaluating a computer
network's performance, security, and efficiency. It aims to optimize network functionality,
identify potential issues, and enhance security measures.

2. Objectives of Network Analysis

● Performance Monitoring: Assess network speed, bandwidth usage, and latency.

● Security Assessment: Identify vulnerabilities and potential security threats.

● Traffic Analysis: Analyze data packets to understand usage patterns and detect
anomalies.

● Troubleshooting: Diagnose and resolve connectivity issues and network faults.

3. Key Components of Network Analysis

● Network Topology: The layout of devices, connections, and data flows within the
network (e.g., star, ring, mesh).

● Protocols: Rules governing data transmission (e.g., TCP/IP, HTTP, FTP).

● Devices: Routers, switches, firewalls, servers, and endpoints involved in network

communication.

● Data Packets: Units of data transmitted across a network, containing headers and
payloads.

57
4. Network Analysis Tools

● Wireshark: A powerful network protocol analyzer that captures and inspects data
packets in real-time.
● Tcpdump: A command-line packet analyzer used to capture and analyze TCP/IP packets.

● SolarWinds Network Performance Monitor: A comprehensive tool for monitoring

network performance and availability.

● Nmap: A network scanning tool used for network discovery and security auditing.

● NetFlow Analyzer: Monitors and analyzes network traffic patterns using NetFlow data.

5. Common Techniques for Network Analysis

● Packet Sniffing: Capturing data packets flowing through the network to analyze traffic.

● Traffic Flow Analysis: Monitoring bandwidth usage and identifying peak usage times.

● Vulnerability Scanning: Scanning the network for security weaknesses using tools like
Nessus or OpenVAS.

● Protocol Analysis: Examining the protocols in use and their configurations to ensure
compliance and performance.

6. Steps in Conducting Network Analysis

1. Define Objectives: Establish the goals of the analysis (e.g., performance monitoring,
security assessment).
2. Collect Data: Use network analysis tools to gather traffic data, logs, and performance
metrics.
3. Analyze Data: Examine the collected data for patterns, anomalies, and potential issues.
4. Identify Issues: Diagnose problems such as bottlenecks, high latency, or unauthorized
access.

58
 5. Recommend Improvements: Suggest actions based on findings to enhance network
performance and security.

7. Key Metrics in Network Analysis

● Bandwidth Utilization: Measure of how much bandwidth is being used compared to its
capacity.

● Latency: The time taken for data to travel from the source to the destination.

● Packet Loss: The percentage of packets that do not reach their destination, which can
indicate network congestion or faults.

● Throughput: The actual amount of data transmitted successfully over a specific time
period.

8. Network Analysis Best Practices

● Regular Monitoring: Continuously monitor network performance to detect issues early.

● Update Tools and Techniques: Keep network analysis tools and methodologies up to
date to address evolving threats.

● Segment the Network: Use segmentation to isolate critical systems and reduce the
attack surface.

● Implement Security Measures: Employ firewalls, intrusion detection systems (IDS), and
proper access controls to protect the network.

9. Common Challenges in Network Analysis

● High Data Volumes: Managing and analyzing large amounts of network data can be
overwhelming.

59
 ● Encrypted Traffic: Analyzing encrypted traffic (e.g., HTTPS) can complicate visibility into
the data being transmitted.
● Dynamic Networks: Networks that frequently change can make consistent monitoring
difficult.

10. Resources for Learning More About Network Analysis

● Books: Look for titles on network security, performance analysis, and troubleshooting.
● Online Courses: Platforms like Coursera, Udemy, or LinkedIn Learning offer courses on
networking and analysis.
● Blogs and Forums: Participate in networking forums and follow cybersecurity blogs for
the latest trends and insights.

60
 PCAP Analysis
1. What is PCAP?

PCAP (Packet Capture) refers to the process of capturing and analyzing network traffic. A PCAP
file contains raw network packets, including headers and payload data, which can be inspected
to understand network behavior, diagnose issues, or investigate security incidents.

2. Why Perform PCAP Analysis?

● Network Troubleshooting: Identify connectivity issues, packet loss, or delays.

● Security Incident Investigation: Analyze malicious activities, such as malware

communication or intrusions.

61
 ● Performance Monitoring: Monitor bandwidth usage, latency, and network congestion.

● Protocol Inspection: Examine traffic for protocol-level issues or compliance.

3. Common PCAP Analysis Tools

● Wireshark: The most popular packet analyzer with a graphical interface for live and
offline PCAP analysis.

● Tcpdump: A command-line packet sniffer that captures packets and can save them as
PCAP files.

● TShark: The command-line version of Wireshark, suitable for scripting and automation.

● NGrep: A network grep tool for searching packet content.

● NetworkMiner: A tool focused on extracting artifacts from PCAP files (e.g., files,
credentials).

● Suricata: An intrusion detection and prevention system (IDS/IPS) that can analyze PCAP
files for suspicious activity.

4. PCAP File Structure

A PCAP file contains:

● Headers: Information about the captured packet, including timestamp, source and
destination addresses, and protocols.

● Payload: The actual data transferred within the packet (e.g., HTTP requests, DNS
queries).

5. Steps for PCAP Analysis

1. Capture or Collect PCAP File:

Use tcpdump to capture packets:

tcpdump -i eth0 -w capture.pcap

Open or import PCAP files into analysis tools like Wireshark.

62
 2. Filter Traffic:

● Use display filters to isolate relevant packets (e.g., filter HTTP traffic in Wireshark):

http

● Filter traffic by IP address:

ip.addr == 192.168.1.1

● Filter traffic by protocol:

tcp or udp

3. Analyze Network Behavior:

○ Inspect Conversations: View communication between specific IPs or ports.

○ Analyze Latency: Look for delays in TCP handshakes or high ping times.

○Examine Bandwidth Usage: Identify which hosts or services consume the most
bandwidth.
4. Detect Anomalies and Threats:

○ Look for unusual protocols or unexpected destinations (e.g., malware C2

servers).

○ Identify packet retransmissions or malformed packets.

○ Use Wireshark’s Expert Info to detect warnings and errors.

5. Extract Data from PCAP:

○ Reconstruct HTTP files or streams (in Wireshark, right-click and choose "Follow
TCP Stream").

○ Extract files from captured traffic using NetworkMiner or Wireshark export tools.
6. Generate Reports:

○ Export summaries, statistics, or filtered traffic from Wireshark for further analysis
or reporting.

63
6. Common Protocols to Inspect in PCAP Analysis

● HTTP/HTTPS: Monitor web traffic for suspicious activity.

● DNS: Analyze DNS queries for malicious domains or exfiltration attempts.

● FTP/SSH: Inspect for unauthorized access or brute-force attempts.

● ARP: Check for ARP spoofing attacks.

● ICMP: Analyze ping requests to detect scanning activities.

7. Wireshark Display Filters Examples

Filter by IP address:

ip.addr == 10.0.0.1

Filter by Port:

tcp.port == 80

Filter HTTP Requests:

http.request

Filter TLS/SSL Handshake Failures:

ssl.handshake && ssl.alert_message

8. Analyzing Security Threats with PCAP Analysis

● Malware Analysis: Look for connections to suspicious IP addresses or unusual

protocols.
● Intrusion Detection: Identify port scanning or brute-force attempts by analyzing repeated
connection requests.
● Data Exfiltration: Check for large or unexpected outbound data flows to suspicious IPs.

64
9. Best Practices for PCAP Analysis

● Use Filters Wisely: Narrow down large datasets using display and capture filters.
● Correlate with Logs: Use network and system logs to validate findings from PCAP files.
● Automate with Scripts: Use tools like TShark or Python scripts for repetitive tasks.
● Monitor Encrypted Traffic: Understand the limitations of encrypted traffic and focus on
metadata (e.g., IPs, ports).

10. Resources for Learning PCAP Analysis

● Wireshark Documentation: Wireshark User Guide

● Practical Packet Analysis by Chris Sanders: A popular book on network and PCAP
analysis.
● Security Onion: A Linux distribution focused on intrusion detection and network analysis,
including tools for PCAP analysis.

65
 Magic Bytes

1. What are Magic Bytes?

Magic bytes (or magic numbers) are unique sequences of bytes used at the beginning of a file
to identify the file type or format. These bytes act as a signature or fingerprint that allows
software to recognize the content of a file, even if the file extension is incorrect or missing.

2. Purpose of Magic Bytes

● File Type Identification: Determine the correct file type, irrespective of its extension.
● File Integrity Verification: Check if files have been tampered with or corrupted.
● Malware Analysis: Identify disguised malicious files (e.g., a malicious script with a .jpg
extension).
● Forensics and Reverse Engineering: Analyze unknown files and validate their content.

3. Common File Types and Their Magic Bytes

66
4. How to Identify Magic Bytes

1. Using Hex Editors:

○ Open the file in a hex editor (e.g., HxD or 010 Editor).
○ Check the first few bytes to match them with known signatures from the table
above.
2. Using Command-Line Tools:

Linux: Use xxd to view the file’s bytes.

xxd <filename> | head

file Command: Identify the file type based on its magic bytes

file <filename>

Using Python for Magic Byte Detection:

with open("sample.png", "rb") as f:

magic_bytes = f.read(8)
print(magic_bytes.hex())

5. Magic Bytes in Cybersecurity

● Anti-Malware Analysis: Detect hidden malicious files (e.g., an executable disguised as an

image).

67
 ● Forensics: Validate file types during forensic investigations.
● Intrusion Detection: Identify suspicious files uploaded to a server, even if the file
extensions have been changed.
● Reverse Engineering: Analyze binaries by examining their headers and magic bytes.

6. Changing Magic Bytes (File Header Manipulation)

● Attackers may modify a file’s magic bytes to bypass security filters. For example,
changing the bytes of a malicious .exe to match that of an image file.

7. Magic Bytes and File Extensions

● Mismatch Detection: Use both file extensions and magic bytes to verify a file’s integrity.
● File Type Forgery: Be cautious of files where the extension does not match the magic
bytes.

8. Common Issues with Magic Bytes

● False Identification: Some files may have similar starting bytes, leading to incorrect
identification.
● Corrupted Files: Missing or altered magic bytes can make it hard to determine the
original file type.

9. Resources for Learning More

● Hex Editors: Tools like HxD or 010 Editor allow you to explore file headers.
● The file Command Documentation: Learn more about the Linux file command.
● Online Magic Number Databases: Repositories that list common magic bytes for quick
reference.

68
—-------------------------------------------------------------EOF—------------------------------------------------------

69