Security and Cryptography

The document provides an overview of cryptography, detailing its history, types, and applications in securing information through various algorithms and techniques. It also discusses the importance of cybersecurity, outlining fundamental principles such as confidentiality, integrity, and availability, as well as common cyber attacks and vulnerabilities. The text emphasizes the necessity of cryptography and cybersecurity measures in protecting digital data from unauthorized access and threats.


SECURITY AND CRYPTOGRAPHY

LECTURE NOTES

Cryptography is the process of hiding or coding information so that only the person a message was intended for can read it. The art of cryptography has been used to code messages for thousands of years and continues to be used in bank cards, computer passwords, and ecommerce.

Modern cryptography techniques include algorithms and ciphers that enable the encryption and decryption of information, such as 128-bit and 256-bit encryption keys. Modern ciphers, such as the Advanced Encryption Standard (AES), are considered virtually unbreakable.

A common cryptography definition is the practice of coding information to ensure only the person that a message was written for can read and process the information. This cybersecurity practice, also known as cryptology, combines various disciplines like computer science, engineering, and mathematics to create complex codes that hide the true meaning of a message.

Cryptography can be traced all the way back to ancient Egyptian hieroglyphics but remains vital to securing communication and information in transit and preventing it from being read by untrusted parties. It uses algorithms and mathematical concepts to transform messages into difficult-to-decipher codes through techniques like cryptographic keys and digital signing to protect data privacy, credit card transactions, email, and web browsing.

Cryptography employs various algorithms, also known as ciphers, to perform encryption and decryption. These algorithms are a complete set of instructions consisting of computations that render various properties of a standard cryptosystem. Some guarantee non-repudiation and integrity, while others guarantee privacy, security, and authentication.

Types of Cryptography

There are three types of cryptography:

• Symmetric key cryptography
• Asymmetric key cryptography
• Hash Function

Symmetric Key Cryptography

Symmetric key cryptography is also known as secret-key cryptography, and in this type of cryptography, you can use only a single key. The sender and the receiver can use that single key to encrypt and decrypt a message. Because there is only one key for encryption and decryption, the symmetric key system has one major disadvantage: the two parties must exchange the key in a secure manner. An example of symmetric key cryptography is Blowfish.

Asymmetric Key Cryptography

Asymmetric key cryptography is also known as public-key cryptography, and it employs the use of two keys. This cryptography differs from and is more secure than symmetric key cryptography. In this system, each user encrypts and decrypts using two keys or a pair of keys (private key and public key). Each user keeps the private key secret and the public key is distributed across the network so that anyone can use those public keys to send a message to any other user. You can use any of those keys to encrypt the message and can use the remaining key for decryption. The RSA algorithm is an example of asymmetric key cryptography.

Hash Function

This algorithm makes no use of any keys. A hash value with a fixed length is calculated based on the plain text, making it impossible to recover the plain text’s contents. Many operating systems encrypt passwords using hash functions.

Types of Cryptography Algorithm

Cryptographic algorithms are primarily of two types, and you can use them for critical tasks, such as authentication, data encryption, and digital signatures.

RSA: RSA is an asymmetric cryptographic algorithm based on the block cipher principle. It converts plain text to ciphertext and, at the receiver end, ciphertext back to plain text. If we use User A’s public key for encryption, we must use the same user’s private key for decryption.
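
As an added illustration of the public/private key relationship just described (not code from the original notes), the following Python implements textbook RSA with small constructed primes so the arithmetic can be followed by hand; it assumes Python 3.8+ for pow(e, -1, phi) and omits the padding that real deployments require.

```python
"""Textbook RSA with small constructed primes (educational: no padding, toy key sizes)."""
from math import gcd


def is_prime(n: int) -> bool:
    """Trial-division primality check; enough for the tiny moduli used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def generate_keypair(p: int, q: int, e: int = 65537):
    """Return (public_key, private_key) as ((e, n), (d, n)) for distinct primes p, q."""
    if not (is_prime(p) and is_prime(q)) or p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse, so e*d == 1 (mod phi); needs Python 3.8+
    return (e, n), (d, n)


def encrypt(message: int, public_key) -> int:
    """Sender uses the receiver's public key; message must be an integer below n."""
    e, n = public_key
    if not 0 <= message < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(message, e, n)


def decrypt(ciphertext: int, private_key) -> int:
    """Only the holder of the matching private key can reverse encrypt()."""
    d, n = private_key
    return pow(ciphertext, d, n)


def sign(message: int, private_key) -> int:
    """The roles swapped: exponentiate with the private key ..."""
    d, n = private_key
    return pow(message, d, n)


def verify(message: int, signature: int, public_key) -> bool:
    """... and anyone holding the public key can check the result."""
    e, n = public_key
    return pow(signature, e, n) == message


def demo():
    """Constructed walk-through: p=61, q=53 gives n=3233, phi=3120, d=2753 for e=17."""
    public, private = generate_keypair(61, 53, e=17)
    c = encrypt(65, public)           # User A's public key encrypts ...
    m = decrypt(c, private)           # ... and only A's private key decrypts: 65 again
    s = sign(42, private)
    return c, m, verify(42, s, public), verify(43, s, public)


if __name__ == "__main__":
    print(demo())
```

Encrypting with the public key and decrypting with the private key is the confidentiality direction; sign() and verify() swap the roles, which is what digital signatures use.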

DES: Data Encryption Standard (DES) is a symmetric cipher algorithm that encrypts and decrypts data using the block cipher method. The algorithm uses 48-bit keys to convert the plain text in 64-bit blocks into ciphertext. It operates on the Feistel cipher structure.
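
The Feistel structure is what lets DES decrypt with the same machinery it encrypts with. The toy cipher below is an added example (not from the notes and not DES itself): it keeps the 64-bit block and 16 rounds but uses a constructed key schedule and a simple mixing round function instead of DES's S-boxes, to show that decryption is the same network run with the round keys in reverse order.

```python
"""Toy Feistel block cipher with DES's shape (64-bit block, 16 rounds); educational only."""
import hashlib

ROUNDS = 16
MASK32 = 0xFFFFFFFF


def round_keys(key: bytes, rounds: int = ROUNDS) -> list:
    """Constructed key schedule: one 32-bit subkey per round, derived from the master key."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
            for i in range(rounds)]


def f(half: int, subkey: int) -> int:
    """Round function. It is NOT invertible, and need not be: the Feistel
    structure, not f, is what makes the cipher reversible."""
    x = (half ^ subkey) & MASK32
    x = (x * 0x9E3779B1 + 0x7F4A7C15) & MASK32    # simple mixing, not DES S-boxes
    return ((x << 13) | (x >> 19)) & MASK32       # 32-bit rotate left by 13


def feistel(block: int, subkeys: list) -> int:
    """L_{i+1} = R_i ; R_{i+1} = L_i XOR f(R_i, K_i), then undo the final swap."""
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        left, right = right, left ^ f(right, k)
    return (right << 32) | left


def encrypt_block(block: int, key: bytes) -> int:
    """64-bit block in, 64-bit block out."""
    if not 0 <= block < 1 << 64:
        raise ValueError("block must fit in 64 bits")
    return feistel(block, round_keys(key))


def decrypt_block(block: int, key: bytes) -> int:
    """Same network, same round function, round keys in reverse order."""
    if not 0 <= block < 1 << 64:
        raise ValueError("block must fit in 64 bits")
    return feistel(block, round_keys(key)[::-1])


def roundtrip(plaintext: int, key: bytes) -> bool:
    """True when decrypt(encrypt(p)) == p; used to check the structure."""
    return decrypt_block(encrypt_block(plaintext, key), key) == plaintext


if __name__ == "__main__":
    key = b"constructed key!"
    pt = 0x0123456789ABCDEF
    print(hex(encrypt_block(pt, key)), roundtrip(pt, key))
```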

Examples of Cryptography

End-to-end encryption in WhatsApp is a prominent example of cryptography encryption these days. This feature is available in WhatsApp via the asymmetric model or public key methods. Only the intended recipient is aware of the actual message. After the WhatsApp installation, the server registers the public keys, and messages are transmitted.

Digital signatures are the next real-time application of cryptography, for example when two clients must sign documents for a business transaction. If the two clients never meet, they may not trust each other. The use of encryption in digital signatures then ensures improved authentication and security.

How Does Cryptography Work?

Cryptographic algorithms are central to how cryptography works. Cryptographic algorithms, also called ciphers, are mathematical functions that encrypt text by combining it with keys such as phrases, digits, words, and so on. You can define the effectiveness by the strength of the cryptographic algorithms and the level of key secrecy.

Applications of Cryptography

There are various applications of cryptography. Some of those applications are:

Confidentiality: Cryptography allows users to store encrypted data, avoiding the major flaw of hacker circumvention.

Non-repudiation: The creator/sender of information cannot later deny his intent to send information.

Authentication: Helps to authenticate the sender and receiver’s identities along with the destination and origin of the information.

Integrity: Information cannot be altered during storage or in transit between the sender and the intended receiver without any addition to the information being detected.

Conclusion

In today’s world, information is primarily available in digital format. Critical information is now digitally recorded, analyzed, and transferred via computer systems. Because information is so essential, attackers target computers to gain unauthorized access. This is where cryptography comes into play. Cryptography offers a scalable set of techniques that guarantee disruption of the attacker’s malicious intentions while legitimate users have access to data.

Introduction to Cyber Security

Cyber Security Introduction - Cyber Security Basics:

Cyber security is a matter of great concern as cyber threats and attacks are growing rapidly. Attackers are now using more sophisticated techniques to target systems. Individuals, small-scale businesses and large organizations are all being impacted. So all these firms, whether IT or non-IT, have understood the importance of cyber security and are focusing on adopting all possible measures to deal with cyber threats.

What is cyber security?

"Cyber security is primarily about people, processes, and technologies working together to encompass the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, etc."

OR: Cyber security is the body of technologies, processes, and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.

• The term cyber security refers to techniques and practices designed to protect digital data.
• The data that is stored, transmitted or used on an information system.

Cyber security is the protection of Internet-connected systems, including hardware, software, and data from cyber attacks.

It is made up of two words: one is cyber and the other is security.

• Cyber is related to the technology which contains systems, networks and programs or data.
• Whereas security is related to the protection which includes systems security, network security and application and information security.

Why is cyber security important?

Listed below are the reasons why cyber security is so important in what’s become a predominantly digital world:

• Cyber attacks can be extremely expensive for businesses to endure.
• In addition to financial damage suffered by the business, a data breach can also inflict untold reputational damage.
• Cyber-attacks these days are becoming progressively destructive. Cybercriminals are using more sophisticated ways to initiate cyber attacks.
• Regulations such as GDPR are forcing organizations into taking better care of the personal data they hold.

Because of the above reasons, cyber security has become an important part of the business and the focus now is on developing appropriate response plans that minimize the damage in the event of a cyber attack.

But an organization or an individual can develop a proper response plan only when they have a good grip on cyber security fundamentals.

Cyber security Fundamentals – Confidentiality:

Confidentiality is about preventing the disclosure of data to unauthorized parties.

It also means trying to keep the identity of authorized parties involved in sharing and holding data private and anonymous.

Often confidentiality is compromised by cracking poorly encrypted data, man-in-the-middle (MITM) attacks, or disclosing sensitive data.

Standard measures to establish confidentiality include:

• Data encryption
• Two-factor authentication
• Biometric verification
• Security tokens

Integrity

Integrity refers to protecting information from being modified by unauthorized parties.

Standard measures to guarantee integrity include:

• Cryptographic checksums
• Using file permissions
• Uninterrupted power supplies
• Data backups

Availability

Availability is making sure that authorized parties are able to access the information when needed.

Standard measures to guarantee availability include:

• Backing up data to external drives
• Implementing firewalls
• Having backup power supplies
• Data redundancy

Types of Cyber Attacks

A cyber-attack is an exploitation of computer systems and networks. It uses malicious code to alter computer code, logic or data and lead to cybercrimes, such as information and identity theft.

Cyber-attacks can be classified into the following categories:

1) Web-based attacks
2) System-based attacks

Web-based attacks

These are the attacks which occur on a website or web applications. Some of the important web-based attacks are as follows:

1. Injection attacks

It is the attack in which some data will be injected into a web application to manipulate the application and fetch the required information.

Example: SQL Injection, code Injection, log Injection, XML Injection etc.
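
To make the injection mechanism concrete, here is an added Python example (not from the notes) that builds the same user lookup twice against a constructed in-memory SQLite table: once by pasting the request value into the SQL text, once with a bound parameter.

```python
"""The same user lookup built two ways: SQL text concatenation vs. a bound parameter."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a web application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-of-alice"), ("bob", "hash-of-bob")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Injectable: the request value becomes part of the SQL text, so a quote
    character in it ends the string literal and the rest is parsed as SQL."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(query))


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the query structure is fixed and the value travels as data,
    so the same input is just an unusual (and non-existent) username."""
    query = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(query, (username,)))


def demo() -> tuple:
    """Constructed textbook input: a quote that closes the literal, then a tautology."""
    conn = make_db()
    probe = "x' OR '1'='1"
    return (find_user_safe(conn, "alice"),        # normal lookup
            find_user_vulnerable(conn, probe),    # every row comes back
            find_user_safe(conn, probe))          # nothing matches


if __name__ == "__main__":
    print(demo())
```

The detection angle is the same contrast: a lookup that returns every row for one username value is the symptom, and a parameterized query removes the cause rather than filtering symptoms.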

2. DNS Spoofing

DNS Spoofing is a type of computer security hacking whereby data is introduced into a DNS resolver's cache, causing the name server to return an incorrect IP address and diverting traffic to the attacker's computer or any other computer. DNS spoofing attacks can go on for a long period of time without being detected and can cause serious security issues.

3. Session Hijacking

It is a security attack on a user session over a protected network. Web applications create cookies to store the state and user sessions. By stealing the cookies, an attacker can have access to all of the user data.

4. Phishing

Phishing is a type of attack which attempts to steal sensitive information like user login credentials and credit card numbers. It occurs when an attacker is masquerading as a trustworthy entity in electronic communication.

5. Brute force

It is a type of attack which uses a trial and error method. This attack generates a large number of guesses and validates them to obtain actual data like a user password or personal identification number. This attack may be used by criminals to crack encrypted data, or by security analysts to test an organization's network security.

6. Denial of Service

It is an attack which is meant to make a server or network resource unavailable to the users. It accomplishes this by flooding the target with traffic or sending it information that triggers a crash. It uses a single system and a single internet connection to attack a server. It can be classified into the following:

Volume-based attacks: Its goal is to saturate the bandwidth of the attacked site, and it is measured in bits per second.

Protocol attacks: It consumes actual server resources, and it is measured in packets per second.

Application layer attacks: Its goal is to crash the web server, and it is measured in requests per second.

7. Dictionary attacks

This type of attack uses a stored list of commonly used passwords and validates them to get the original password.
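
Dictionary and brute-force guessing are the reason stored passwords are hashed (see the Hash Function section above) with a per-user salt and a deliberately slow function. The following added Python example (not from the notes, standard library only) shows the weak unsalted scheme beside a salted PBKDF2 record; the record format "pbkdf2_sha256$iterations$salt_hex$hash_hex" is a constructed convention for this example.

```python
"""Password storage: unsalted fast hash (weak) beside salted, iterated PBKDF2 (stdlib only)."""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000   # constructed work factor; raise it as hardware gets faster
ALGO = "pbkdf2_sha256"


def unsalted_sha256(password: str) -> str:
    """The weak scheme: equal passwords give equal hashes, and one fast hash per
    guess, so a precomputed dictionary of hashes cracks every matching user at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a record 'pbkdf2_sha256$iterations$salt_hex$hash_hex' (constructed format).
    A fresh random salt per user defeats precomputed tables; the iteration count
    makes every guess in a dictionary or brute-force run cost that many rounds."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported record type: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec, verify_password("correct horse battery staple", rec))
```

Note that the same password hashed twice yields two different records, so a list of leaked hashes cannot be matched against a precomputed table and each user has to be attacked separately at full PBKDF2 cost.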

8. URL Interpretation

It is a type of attack where one can change certain parts of a URL and make a web server deliver web pages which one is not authorized to browse.

9. File Inclusion attacks

It is a type of attack that allows an attacker to access unauthorized or essential files which are available on the web server, or to execute malicious files on the web server by making use of the include functionality.

10. Man in the middle attacks

It is a type of attack that allows an attacker to intercept the connection between client and server and act as a bridge between them. Due to this, an attacker will be able to read, insert and modify the data in the intercepted connection.

System-based attacks

These are the attacks which are intended to compromise a computer or a computer network. Some of the important system-based attacks are as follows:

1. Virus

It is a type of malicious software program that spreads throughout the computer files without the knowledge of the user. It is a self-replicating malicious computer program that replicates by inserting copies of itself into other computer programs when executed. It can also execute instructions that cause harm to the system.

2. Worm

It is a type of malware whose primary function is to replicate itself to spread to uninfected computers. It works the same way as a computer virus. Worms often originate from email attachments that appear to be from trusted senders.

3. Trojan horse

It is a malicious program that causes unexpected changes to computer settings and unusual activity, even when the computer should be idle. It misleads the user as to its true intent. It appears to be a normal application, but when opened/executed, malicious code runs in the background.

4. Backdoors

It is a method that bypasses the normal authentication process. A developer may create a backdoor so that an application or operating system can be accessed for troubleshooting or other purposes.

5. Bots

A bot (short for "robot") is an automated process that interacts with other network services. Some bot programs run automatically, while others only execute commands when they receive specific input. Common examples of bot programs are crawlers, chatroom bots, and malicious bots.

The 7 layers of cyber security should center on the mission critical assets you are seeking to protect.

1: Mission Critical Assets – This is the data you need to protect.

2: Data Security – Data security controls protect the storage and transfer of data.

3: Application Security – Application security controls protect access to an application, an application’s access to your mission critical assets, and the internal security of the application.

4: Endpoint Security – Endpoint security controls protect the connection between devices and the network.

5: Network Security – Network security controls protect an organization’s network and prevent unauthorized access to the network.

6: Perimeter Security – Perimeter security controls include both the physical and digital security methodologies that protect the business overall.

7: The Human Layer – Humans are the weakest link in any cyber security posture. Human security controls include phishing simulations and access management controls that protect mission critical assets from a wide variety of human threats, including cyber criminals, malicious insiders, and negligent users.

Vulnerability, threat, Harmful acts

As the recent epidemic of data breaches illustrates, no system is immune to attacks. Any company that manages, transmits, stores, or otherwise handles data has to institute and enforce mechanisms to monitor their cyber environment, identify vulnerabilities, and close up security holes as quickly as possible.

Before identifying specific dangers to modern data systems, it is crucial to understand the distinction between cyber threats and vulnerabilities.

Cyber threats are security incidents or circumstances with the potential to have a negative outcome for your network or other data management systems.

Examples of common types of security threats include phishing attacks that result in the installation of malware that infects your data, failure of a staff member to follow data protection protocols that causes a data breach, or even a tornado that takes down your company’s data headquarters, disrupting access.

Vulnerabilities are the gaps or weaknesses in a system that make threats possible and tempt threat actors to exploit them.

Types of vulnerabilities in network security include but are not limited to SQL injection, server misconfigurations, cross-site scripting, and transmitting sensitive data in a non-encrypted plain text format.

When threat probability is multiplied by the potential loss that may result, cyber security experts refer to this as a risk.

SECURITY VULNERABILITIES, THREATS AND ATTACKS – Categories of vulnerabilities

• Corrupted (Loss of integrity)
• Leaky (Loss of confidentiality)
• Unavailable or very slow (Loss of availability)

Threats represent potential security harm to an asset when vulnerabilities are exploited. Attacks are threats that have been carried out.

• Passive – Make use of information from the system without affecting system resources
• Active – Alter system resources or affect operation
• Insider – Initiated by an entity inside the organization
• Outsider – Initiated from outside the perimeter

Computer criminals

Computer criminals have access to enormous amounts of hardware, software, and data; they have the potential to cripple much of effective business and government throughout the world. In a sense, the purpose of computer security is to prevent these criminals from doing damage.

We say computer crime is any crime involving a computer or aided by the use of one. Although this definition is admittedly broad, it allows us to consider ways to protect ourselves, our businesses, and our communities against those who use computers maliciously.

One approach to prevention or moderation is to understand who commits these crimes and why. Many studies have attempted to determine the characteristics of computer criminals. By studying those who have already used computers to commit crimes, we may be able in the future to spot likely criminals and prevent the crimes from occurring.

CIA Triad

The CIA Triad is actually a security model that has been developed to help people think about various parts of IT security.

CIA triad broken down:

Confidentiality

It's crucial in today's world for people to protect their sensitive, private information from unauthorized access.

Protecting confidentiality is dependent on being able to define and enforce certain access levels for information.

In some cases, doing this involves separating information into various collections that are organized by who needs access to the information and how sensitive that information actually is, i.e. the amount of damage suffered if the confidentiality was breached.

Some of the most common means used to manage confidentiality include access control lists, volume and file encryption, and Unix file permissions.

Integrity

Data integrity is what the "I" in CIA Triad stands for.

This is an essential component of the CIA Triad and is designed to protect data from deletion or modification by any unauthorized party, and it ensures that when an authorized person makes a change that should not have been made, the damage can be reversed.

Availability

This is the final component of the CIA Triad and refers to the actual availability of your data. Authentication mechanisms, access channels and systems all have to work properly for the information they protect and ensure it's available when it is needed.

Understanding the CIA triad

The CIA Triad is all about information. While this is considered the core factor of the majority of IT security, it promotes a limited view of the security that ignores other important factors.

For example, even though availability may serve to make sure you don't lose access to resources needed to provide information when it is needed, thinking about information security in itself doesn't guarantee that someone else hasn't used your hardware resources without authorization.

It's important to understand what the CIA Triad is, how it is used to plan and also to implement a quality security policy while understanding the various principles behind it. It's also important to understand the limitations it presents. When you are informed, you can utilize the CIA Triad for what it has to offer and avoid the consequences that may come along by not understanding it.

Assets and Threat

What is an Asset: An asset is any data, device or other component of an organization’s systems that is valuable – often because it contains sensitive data or can be used to access such information.

For example: An employee’s desktop computer, laptop or company phone would be considered an asset, as would applications on those devices. Likewise, critical infrastructure, such as servers and support systems, are assets. An organization’s most common assets are information assets. These are things such as databases and physical files – i.e. the sensitive data that you store.

What is a threat: A threat is any incident that could negatively affect an asset – for example, if it’s lost, knocked offline or accessed by an unauthorized party.

Threats can be categorized as circumstances that compromise the confidentiality, integrity or availability of an asset, and can either be intentional or accidental.

Intentional threats include things such as criminal hacking or a malicious insider stealing information, whereas accidental threats generally involve employee error, a technical malfunction or an event that causes physical damage, such as a fire or natural disaster.

Motive of Attackers

The categories of cyber-attackers enable us to better understand the attackers' motivations and the actions they take. As shown in the figure, operational cyber security risks arise from three types of actions: i) inadvertent actions (generally by insiders) that are taken without malicious or harmful intent; ii) deliberate actions (by insiders or outsiders) that are taken intentionally and are meant to do harm; and iii) inaction (generally by insiders), such as a failure to act in a given situation, either because of a lack of appropriate skills, knowledge, guidance, or availability of the correct person to take action. Of primary concern here are deliberate actions, of which there are three categories of motivation.

1. Political motivations: examples include destroying, disrupting, or taking control of targets; espionage; and making political statements, protests, or retaliatory actions.

2. Economic motivations: examples include theft of intellectual property or other economically valuable assets (e.g., funds, credit card information); fraud; industrial espionage and sabotage; and blackmail.

3. Socio-cultural motivations: examples include attacks with philosophical, theological, political, and even humanitarian goals. Socio-cultural motivations also include fun, curiosity, and a desire for publicity or ego gratification.

Types of cyber-attacker actions and their motivations when deliberate

Active attacks: An active attack is a network exploit in which a hacker attempts to make changes to data on the target or data en route to the target.

Types of Active attacks:

Masquerade: in this attack, the intruder pretends to be a particular user of a system to gain access or to gain greater privileges than they are authorized for. A masquerade may be attempted through the use of stolen login IDs and passwords, through finding security gaps in programs or through bypassing the authentication mechanism.

Session replay: In this type of attack, a hacker steals an authorized user’s login information by stealing the session ID. The intruder gains access and the ability to do anything the authorized user can do on the website.

Message modification: In this attack, an intruder alters packet header addresses to direct a message to a different destination or modifies the data on a target machine.

In a denial of service (DoS) attack, users are deprived of access to a network or web resource. This is generally accomplished by overwhelming the target with more traffic than it can handle.

In a distributed denial-of-service (DDoS) exploit, large numbers of compromised systems (sometimes called a botnet or zombie army) attack a single target.

Passive Attacks: Passive attacks are relatively scarce from a classification perspective, but can be carried out with relative ease, particularly if the traffic is not encrypted.

Types of Passive attacks:

Eavesdropping (tapping): the attacker simply listens to messages exchanged by two entities. For the attack to be useful, the traffic must not be encrypted. Any unencrypted information, such as a password sent in response to an HTTP request, may be retrieved by the attacker.

Traffic analysis: the attacker looks at the metadata transmitted in traffic in order to deduce information relating to the exchange and the participating entities, e.g. the form of the exchanged traffic (rate, duration, etc.). In cases where encrypted data are used, traffic analysis can also lead to attacks by cryptanalysis, whereby the attacker may obtain information or succeed in decrypting the traffic.

Software Attacks: Malicious code (sometimes called malware) is a type of software designed to take over or damage a computer user's operating system, without the user's knowledge or approval. It can be very difficult to remove and very damaging.

Characteristics

A virus is a program that attempts to damage a computer system and replicate itself to other computer systems. A virus:

• Requires a host to replicate and usually attaches itself to a host file or a hard drive sector.
• Replicates each time the host is used.
• Often focuses on destruction or corruption of data.
• Usually attaches to files with execution capabilities such as .doc, .exe, and .bat extensions.
• Often distributes via e-mail. Many viruses can e-mail themselves to everyone in your address book.
• Examples: Stoned, Michelangelo, Melissa, I Love You.

A worm is a self-replicating program that can be designed to do any number of things, such as delete files or send documents via e-mail. A worm can negatively impact network traffic just in the process of replicating itself. A worm:

• Can install a backdoor in the infected computer.
• Is usually introduced into the system through a vulnerability.
• Infects one system and spreads to other systems on the network.
• Example: Code Red.

A Trojan horse is a malicious program that is disguised as legitimate software. Discretionary environments are often more vulnerable and susceptible to Trojan horse attacks because security is user focused and user directed. Thus the compromise of a user account could lead to the compromise of the entire environment. A Trojan horse:

• Cannot replicate itself.
• Often contains spying functions (such as a packet sniffer) or backdoor functions that allow a computer to be remotely controlled from the network.
• Often is hidden in useful software such as screen savers or games.
• Examples: Back Orifice, Net Bus, Whack-a-Mole.

A Logic Bomb is malware that lies dormant until triggered. A logic bomb is a specific example of an asynchronous attack.

• A trigger activity may be a specific date and time, the launching of a specific program, or the processing of a specific type of activity.
• Logic bombs do not self-replicate.

Hardware Attacks:

Common hardware attacks include:

• Manufacturing backdoors, for malware or other penetrative purposes; backdoors aren’t limited to software and hardware, but they also affect embedded radio-frequency identification (RFID) chips and memory
• Eavesdropping by gaining access to protected memory without opening other hardware
• Inducing faults, causing the interruption of normal behavior
• Hardware modification tampering with invasive operations
• Backdoor creation; the presence of hidden methods for bypassing normal computer authentication systems
• Counterfeiting product assets that can produce extraordinary operations and those made to gain malicious access to systems.

Cyber Threats - Cyber Warfare: Cyber warfare refers to the use of digital attacks, like computer viruses and hacking, by one country to disrupt the vital computer systems of another, with the aim of creating damage, death and destruction. Future wars will see hackers using computer code to attack an enemy's infrastructure, fighting alongside troops using conventional weapons like guns and missiles.

Cyber warfare involves the actions by a nation-state or international organization to attack and attempt to damage another nation's computers or information networks through, for example, computer viruses or denial-of-service attacks.

Cyber Crime:

Cybercrime is criminal activity that either targets or uses a computer, a computer network or a networked device. Cybercrime is committed by cybercriminals or hackers who want to make money. Cybercrime is carried out by individuals or organizations.

Some cybercriminals are organized, use advanced techniques and are highly technically skilled. Others are novice hackers.

Cyber Terrorism:

Cyber terrorism is the convergence of cyberspace and terrorism. It refers to unlawful attacks and threats of attacks against computers, networks and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives.

Examples are hacking into computer systems, introducing viruses to vulnerable networks, web site defacing, denial-of-service attacks, or terroristic threats made via electronic communication.

Cyber Espionage:

Cyber spying, or cyber espionage, is the act or practice of obtaining secrets
and information without the permission and knowledge of the holder of the
information from individuals, competitors, rivals, groups, governments and
enemies for personal, economic, political or military advantage, using
methods carried out over the Internet.

Security Policies:

Security policies are a formal set of rules issued by an organization to
ensure that users who are authorized to access company technology and
information assets comply with the rules and guidelines for the security of
that information.

A security policy is also considered a "living document": it is never
finished, but is continuously updated as the requirements of the technology
and of employees change.

We use security policies to manage our network security. Endpoint security
products typically create a default set of policies during installation;
these should be reviewed and customized to suit the specific environment
rather than used as-is.

Need for security policies:

1) It increases efficiency.

2) It upholds discipline and accountability.

3) It can make or break a business deal.

4) It helps to educate employees on security literacy.
INTRODUCTION: CYBER FORENSICS

CYBER FORENSICS:

Computer forensics is the application of investigation and analysis techniques to gather and
preserve evidence.

Forensic examiners typically analyze data from personal computers, laptops, personal digital
assistants, cell phones, servers, tapes, and any other type of media. This process can involve
anything from breaking encryption, to executing search warrants with a law enforcement
team, to recovering and analyzing files from hard drives that will be critical evidence in the
most serious civil and criminal cases.

The forensic examination of computers, and data storage media, is a complicated and highly
specialized process. The results of forensic examinations are compiled and included in
reports. In many cases, examiners testify to their findings, where their skills and abilities are
put to ultimate scrutiny.

DIGITAL FORENSICS:

Digital forensics is defined as the process of preservation, identification,
extraction and documentation of computer evidence that can be used in a court
of law. It is the science of finding evidence on digital media such as a
computer, mobile phone, server or network, and it provides the forensic team
with the techniques and tools to solve complicated digital-related cases.
Digital forensics helps the forensic team to analyze, inspect, identify and
preserve the digital evidence residing on various types of electronic devices.
Digital forensic science is a branch of forensic science that focuses on the
recovery and investigation of material found in digital devices, typically in
relation to cybercrime.

THE NEED FOR COMPUTER FORENSICS

Computer forensics is also important because it can save your organization money. ... From a
technical standpoint, the main goal of computer forensics is to identify, collect, preserve and
analyze data in a way that preserves the integrity of the evidence collected, so that it can be
used effectively in a legal case. In practice this means working on a bit-for-bit image of the
original media rather than the original, hashing both at acquisition time, and recording every
hand-off, so that any later alteration of the evidence can be detected and the chain of custody
demonstrated in court.

CYBER FORENSICS AND DIGITAL EVIDENCE:


Digital evidence is information stored or transmitted in binary form that may be relied on in
court. It can be found on a computer hard drive, a mobile phone, among other places. Digital
evidence is commonly associated with electronic crime, or e-crime, such as child pornography or
credit card fraud. However, digital evidence is now used to prosecute all types of crimes, not just
e-crime. For example, suspects' e-mail or mobile phone files might contain critical evidence
regarding their intent, their whereabouts at the time of a crime and their relationship with other
suspects. In 2005, for example, a floppy disk led investigators to the BTK serial killer who had
eluded police capture since 1974 and claimed the lives of at least 10 victims.

In an effort to fight e-crime and to collect relevant digital evidence for all crimes, law
enforcement agencies are incorporating the collection and analysis of digital evidence, also
known as computer forensics, into their infrastructure. Law enforcement agencies are
challenged by the need to train officers to collect digital evidence and keep up with rapidly
evolving technologies such as computer operating systems.

FORENSICS ANALYSIS OF EMAIL:

E-mail forensics refers to the study of the source and content of e-mail as evidence, to identify
the actual sender and recipient of a message, the date/time of transmission, a detailed record of
the e-mail transaction, the intent of the sender, etc. This study involves investigation of
metadata, keyword searching, port scanning, etc. for authorship attribution and identification of
e-mail scams.

Various approaches that are used for e-mail forensic are:

• Header Analysis – Metadata in the e-mail message in the form of control
information, i.e. the envelope and headers (including headers in the message body), contains
information about the sender and the path along which the message has traversed.
Some of these headers may be spoofed to conceal the identity of the sender. A detailed
analysis of these headers and their correlation with each other is performed in header analysis.

• Bait Tactics – In a bait-tactic investigation, an e-mail containing an HTML <img src="...">
tag, whose image is hosted on a server monitored by the investigators, is sent to the genuine
address of the sender of the e-mail under investigation. When the e-mail is opened and the image
is fetched, a log entry containing the IP address of the recipient (the sender of the e-mail under
investigation) is recorded on the HTTP server hosting the image, and thus the sender is tracked.
If the recipient is using a proxy server, the IP address of the proxy server is recorded instead,
and the proxy server's log can then be used to track the sender. If the proxy server's log is
unavailable for some reason, investigators may send a bait e-mail containing a) an embedded Java
applet that runs on the receiver's computer or b) an HTML page with an ActiveX object, both aiming
to extract the IP address of the receiver's computer and e-mail it to the investigators. Note that
current mail clients block remote images and active content by default, and current browsers no
longer run Java applets or ActiveX, so these techniques are far less reliable than they once were.

• Server Investigation – In this investigation, copies of delivered e-mails and server
logs are examined to identify the source of an e-mail message. E-mails purged from the
clients (senders or receivers), whose recovery is otherwise impossible, may be requested from
servers (proxy or ISP), as most of them store a copy of all e-mails after delivery.
Further, the logs maintained by servers can be studied to trace the address of the computer
responsible for making the e-mail transaction. However, servers store copies of e-mail and
server logs only for limited periods, and some may not cooperate with the investigators.
Finally, mail providers that hold account details for a mailbox owner (for example billing or
registration data) can be asked to identify the person behind an e-mail address.

• Network Device Investigation – In this form of e-mail investigation, logs maintained
by network devices such as routers, firewalls and switches are used to investigate
the source of an e-mail message. This form of investigation is complex and is used
only when the logs of servers (proxy or ISP) are unavailable for some reason, e.g.
when the ISP or proxy does not maintain a log, when the ISP does not cooperate, or when
the chain of evidence for the server logs cannot be maintained.

• Software Embedded Identifiers – Some information about the creator of the e-mail,
attached files or documents may be included with the message by the e-mail software
used by the sender for composing the e-mail. This information may be included in the form of
custom headers or in the form of MIME content such as Transport Neutral Encapsulation Format
(TNEF). Investigating the e-mail for these details may reveal vital information about the
sender's e-mail preferences and options that can help client-side evidence gathering. The
investigation can reveal PST file names, the Windows logon username, the MAC address, etc. of the
client computer used to send the e-mail message.

• Sender Mailer Fingerprints – The software handling e-mail at the server can be
identified from the Received header fields, and the software handling e-mail at the
client can be ascertained from headers such as "X-Mailer" or equivalent.
These headers describe the applications and versions used at the client to send the e-mail.
This information about the sender's client computer helps investigators devise an effective
plan and can prove very useful.
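The header-analysis and mailer-fingerprint approaches above, as an added worked example that is not part of the lecture notes. It parses the Received: chain of a message with Python's standard `email` module, reorders the hops into transit order (each MTA prepends its own header, so the bottom one is the first hop), checks the chain for the usual signs of forgery, and reads the X-Mailer fingerprint. The sample message is constructed for this example; every hostname, address and queue ID in it is made up (the IPs are from the RFC 5737 documentation ranges), and the regular expression assumes the common "from <helo> (<rdns> [<ip>]) by <host>" layout.

```python
"""Added example (not from the lecture notes): reconstruct the delivery path of
an e-mail from its Received: headers and pull the client fingerprint from
X-Mailer. The message below is constructed for the example; every hostname,
address and ID in it is made up."""
from __future__ import annotations

import email
import re

# Constructed sample message. Each MTA prepends its own Received: line, so the
# top line is the last hop and the bottom one is the first.
SAMPLE_RAW = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
    by inbound.example.net with ESMTPS id abc123
    for <victim@example.net>; Mon, 06 May 2024 10:02:11 +0000
Received: from relay.example.org (relay.example.org [192.0.2.20])
    by mx.example.org with ESMTP id def456;
    Mon, 06 May 2024 10:02:05 +0000
Received: from client-pc (unknown [198.51.100.7])
    by relay.example.org with ESMTPA id ghi789;
    Mon, 06 May 2024 10:01:58 +0000
From: "Accounts" <accounts@example.org>
To: victim@example.net
Subject: Invoice
Message-ID: <20240506100158.ghi789@relay.example.org>
X-Mailer: Microsoft Outlook 16.0
Date: Mon, 06 May 2024 10:01:58 +0000

Please see the attached invoice.
"""

# "from <helo> (<rdns> [<ip>]) by <receiver>" as most MTAs write it (assumed layout).
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                      # name the client announced
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"  # reverse DNS and literal IP
    r"\s+by\s+(?P<by>\S+)"                                       # MTA that wrote the header
)


def parse_received(value: str) -> dict:
    """Split one Received: header into its hop fields."""
    flat = " ".join(value.split())           # unfold continuation lines
    hop = {"helo": None, "rdns": None, "ip": None, "by": None, "timestamp": None, "raw": flat}
    m = RECEIVED_RE.search(flat)
    if m:
        hop.update(m.groupdict())
    if ";" in flat:                          # the date always follows the last ';'
        hop["timestamp"] = flat.rsplit(";", 1)[1].strip()
    return hop


def trace_path(raw_message: str) -> list[dict]:
    """Return hops in transit order, origin first."""
    msg = email.message_from_string(raw_message)
    return [parse_received(v) for v in reversed(msg.get_all("Received") or [])]


def check_chain(hops: list[dict]) -> list[str]:
    """Flag the usual signs of a spoofed or injected Received: chain."""
    findings = []
    for i, hop in enumerate(hops):
        if hop["ip"] is None:
            findings.append(f"hop {i}: no literal IP recorded, header may be forged")
        elif hop["rdns"] in (None, "unknown"):
            findings.append(f"hop {i}: {hop['ip']} has no reverse DNS (announced itself as {hop['helo']})")
        elif hop["helo"] != hop["rdns"]:
            findings.append(f"hop {i}: HELO name {hop['helo']} does not match reverse DNS {hop['rdns']}")
        # The host that received hop i must be the host that hands the mail on in hop i+1.
        if i + 1 < len(hops) and hops[i + 1]["helo"] != hop["by"]:
            findings.append(f"hops {i}->{i + 1}: chain break, {hop['by']} received the mail "
                            f"but the next header claims it came from {hops[i + 1]['helo']}")
    return findings


def analyse(raw_message: str) -> dict:
    """Origin IP, hop list, anomalies and client fingerprint for one message."""
    msg = email.message_from_string(raw_message)
    hops = trace_path(raw_message)
    return {
        "origin_ip": hops[0]["ip"] if hops else None,   # first hop = submitting client
        "hops": hops,
        "findings": check_chain(hops),
        "mailer": msg.get("X-Mailer"),                  # sender mailer fingerprint
        "message_id": msg.get("Message-ID"),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_RAW)
    print("origin:", result["origin_ip"], "| mailer:", result["mailer"])
    for n, hop in enumerate(result["hops"]):
        print(f"{n}: {hop['helo']} [{hop['ip']}] -> {hop['by']} at {hop['timestamp']}")
    for finding in result["findings"]:
        print("!", finding)
```

Only the Received: line written by a server you trust is reliable; everything below it in the message was supplied by the sender's side and can be fabricated, which is why the chain-continuity check matters more than any single header.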

EMAIL FORENSICS TOOLS

Erasing or deleting an email doesn't necessarily mean that it is gone forever. Often emails
can be forensically extracted even after deletion. Forensic tracing of e-mail is similar to
traditional detective work. It is used for retrieving information from mailbox files.

• MiTec Mail Viewer – This is a viewer for Outlook Express, Windows
Mail/Windows Live Mail, Mozilla Thunderbird message databases, and single EML
files. It displays a list of the contained messages with all needed properties, like an
ordinary e-mail client. Messages can be viewed in a detailed view, including
attachments and an HTML preview. It has powerful searching and filtering capability
and also allows extracting the email addresses from all emails in the opened folder into a
list with one click. Selected messages can be saved to .eml files with or without their
attachments. Attachments can be extracted from selected messages with one command.

• OST and PST Viewer – Nucleus Technologies’ OST and PST viewer tools help you
view OST and PST files easily without connecting to an MS Exchange server. These
tools allow the user to scan OST and PST files and they display the data saved in it
including email messages, contacts, calendars, notes, etc., in a proper folder structure.

• eMailTrackerPro – eMailTrackerPro analyses the headers of an e-mail to detect the
IP address of the machine that sent the message so that the sender can be tracked
down. It can trace multiple e-mails at the same time and easily keep track of them.
The geographical location of an IP address is key information for determining the
threat level or validity of an e-mail message.

• EmailTracer – EmailTracer is an Indian effort in cyber forensics by the Resource


Centre for Cyber Forensics (RCCF) which is a premier centre for cyber forensics in
India. It develops cyber forensic tools based on the requirements of law enforcement
agencies.

THE FORENSIC PROCESS:

The forensic process is usually described in four phases: collection, examination, analysis
and reporting.

Collection: The first step in the forensic process is to identify potential sources of data and
acquire data from them, in a way that preserves the integrity of the original (write-blocked
imaging, hashing and a documented chain of custody).

Examination: After data has been collected, the next phase is to examine the data, which
involves assessing and extracting the relevant pieces of information from the collected data.
This phase may also involve bypassing or mitigating OS or application features that obscure
data and code, such as data compression, encryption, and access control mechanisms.

Analysis: Once the relevant information has been extracted, the analyst should study and
analyze the data to draw conclusions from it. The foundation of forensics is using a
methodical approach to reach appropriate conclusions based on the available data, or to
determine that no conclusion can yet be drawn.

Reporting: The process of preparing and presenting the information resulting from the
analysis phase. Many factors affect reporting, including the following:

a. Alternative Explanations: When the information regarding an event is incomplete, it
may not be possible to arrive at a definitive explanation of what happened. When an
event has two or more plausible explanations, each should be given due consideration
in the reporting process. Analysts should use a methodical approach to attempt to
prove or disprove each possible explanation that is proposed.

b. Audience Consideration: Knowing the audience to which the data or information
will be shown is important.

c. Actionable Information: Reporting also includes identifying actionable information
gained from data that may allow an analyst to collect new sources of information.
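The collection phase, done the way the integrity requirement demands, as an added worked example that is not part of the lecture notes. It images a source device, hashes source and image with two algorithms, writes an append-only chain-of-custody record, and re-verifies the image before examination so that any later change is caught and logged. The "device" here is a constructed byte string in a temporary directory, and the case number and examiner names are made up; on a real case the source would be a block device behind a hardware write blocker.

```python
"""Added example (not from the lecture notes): acquire an image of a (constructed)
evidence source, hash it, log a chain-of-custody record, and re-verify before
examination. The device contents, case ID and examiner names are made up."""
from __future__ import annotations

import datetime as dt
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20   # copy and hash 1 MiB at a time so large images never have to fit in memory


def hash_file(path: Path, algorithms=("md5", "sha256")) -> dict:
    """Compute several digests in a single pass over the file."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def _log(custody_log: Path, record: dict) -> None:
    """Append one timestamped JSON line; the log is never rewritten, only appended to."""
    record["timestamp"] = dt.datetime.now(dt.timezone.utc).isoformat(timespec="seconds")
    with open(custody_log, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")


def acquire(source: Path, image: Path, custody_log: Path, case_id: str, examiner: str) -> dict:
    """Bit-for-bit copy of the source, verified against the original before it is trusted."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    source_hashes, image_hashes = hash_file(source), hash_file(image)
    if source_hashes != image_hashes:
        raise RuntimeError("image does not match source; acquisition must be repeated")
    os.chmod(image, 0o444)   # the image is evidence now: read-only from here on
    record = {"case_id": case_id, "action": "acquire", "examiner": examiner,
              "source": str(source), "image": str(image),
              "size": image.stat().st_size, **image_hashes}
    _log(custody_log, record)
    return record


def verify(image: Path, custody_log: Path, examiner: str) -> bool:
    """Re-hash the image against its acquisition record; log the outcome either way."""
    with open(custody_log, encoding="utf-8") as log:
        records = [json.loads(line) for line in log if line.strip()]
    baseline = next(r for r in records if r["action"] == "acquire" and r["image"] == str(image))
    current = hash_file(image)
    ok = all(current[a] == baseline[a] for a in ("md5", "sha256"))
    _log(custody_log, {"case_id": baseline["case_id"], "action": "verify", "examiner": examiner,
                       "image": str(image), "result": "match" if ok else "MISMATCH", **current})
    return ok


def demo() -> tuple[bool, bool]:
    """Acquire and verify, then tamper with the image and verify again."""
    work = Path(tempfile.mkdtemp(prefix="forensics-"))
    source = work / "suspect-usb.raw"
    # Constructed "device": one live directory entry and one deleted entry
    # (FAT marks a deleted entry by overwriting its first byte with 0xE5).
    source.write_bytes(b"FAT32   " + b"\x00" * 512 + b"INVOICE DOCX live" + b"\x00" * 64
                       + b"\xe5ANSOM  TXT deleted" + b"\x00" * 256)
    image, log = work / "suspect-usb.dd", work / "chain_of_custody.jsonl"
    acquire(source, image, log, "CASE-2024-0042", "examiner A")
    before = verify(image, log, "examiner B")
    os.chmod(image, 0o644)                     # simulate a mishandled image
    with open(image, "r+b") as fh:
        fh.seek(600)
        fh.write(b"X")                         # a single flipped byte is enough to fail verification
    after = verify(image, log, "examiner B")
    shutil.rmtree(work, ignore_errors=True)
    return before, after


if __name__ == "__main__":
    print("verified before tampering, verified after tampering:", demo())
```

Two digests are recorded because courts and tools still encounter MD5 in older reports; SHA-256 is the one that actually carries the integrity claim. The read-only bit is a convenience, not a control: the real protection against alteration is that every examination works on a copy of the image and the recorded hashes are compared before and after.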

FORENSICS INVESTIGATION:

Forensics is the application of scientific methods to solve a crime. A forensic investigation is the
gathering and analysis of all crime-related physical evidence in order to come to a conclusion
about a suspect. Investigators will look at blood, fluids, fingerprints, residue, hard drives,
computers or other technology to establish how a crime took place. This is a general
definition, though, since there are a number of different types of forensics.

TYPES OF FORENSICS INVESTIGATION

• Forensic Accounting / Auditing

• Computer or Cyber Forensics

• Crime Scene Forensics

• Forensic Archaeology

• Forensic Dentistry

• Forensic Entomology

• Forensic Graphology

• Forensic Pathology

• Forensic Psychology

• Forensic Science

• Forensic Toxicology

CHALLENGES IN COMPUTER FORENSICS

Digital forensics has been defined as the use of scientifically derived and proven methods
towards the identification, collection, preservation, validation, analysis, interpretation and
presentation of digital evidence derived from digital sources, to facilitate the reconstruction
of events found to be criminal. These investigation methods, however, face some major
challenges in practical implementation. Digital forensic challenges are categorized under
three major heads by Al Fahdi, Clarke and Furnell:

• Technical challenges

• Legal challenges

• Resource Challenges

TECHNICAL CHALLENGES

As technology develops, crimes and criminals develop with it. Digital forensic
experts use forensic tools to collect evidence against criminals, and criminals use
tools of their own to hide, alter or remove the traces of their crime. In digital forensics
this is called anti-forensics, and it is considered a major challenge for the field.

Anti-forensics techniques are categorized into the following types:

1. Encryption – Legitimately used to ensure the privacy of information by keeping it
hidden from unauthorized persons; unfortunately, it can also be used by criminals to
hide the evidence of their crimes.

2. Data hiding in storage space – Criminals hide chunks of data inside the storage
medium in invisible form (for example in slack space, unallocated clusters or alternate
data streams) using system commands and programs.

3. Covert channel – A covert channel is a communication method that allows an attacker
to bypass intrusion detection and hide data inside otherwise legitimate network traffic.
The attacker uses it to conceal the connection between himself and the compromised
system.
Other technical challenges are:

• Operating in the cloud

• Time to archive data

• Skill gap

• Steganography

(Legal and resource challenges are separate categories, listed above.)
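Data hiding and steganography, from the anti-forensics table and the list above, as an added worked example that is not part of the lecture notes. It hides a payload in the least-significant bits of a greyscale pixel buffer, recovers it, and then computes the pairs-of-values chi-square statistic (Westfeld and Pfitzmann) that an examiner can use to tell a flattened LSB plane from an untouched one. The cover "image" and the payload are constructed here, and the cover is deliberately built with unbalanced (2k, 2k+1) value pairs, which is the property of natural images the detector relies on; a real investigation would read the pixel values out of an image file.

```python
"""Added example (not from the lecture notes): least-significant-bit (LSB)
steganography in an 8-bit greyscale pixel buffer, plus the pairs-of-values
chi-square statistic used to detect it. The cover and payload are constructed."""
from __future__ import annotations

import random
import struct

# Constructed 64x64 greyscale cover. Photographs rarely have perfectly balanced
# (2k, 2k+1) value pairs; we mimic that by making odd values rare (about 10%).
_rng = random.Random(2024)
COVER = bytes(2 * _rng.randrange(128) + (1 if _rng.random() < 0.1 else 0)
              for _ in range(64 * 64))

# Constructed payload. Capacity is one bit per pixel, so 4096 pixels hold at
# most 512 bytes including the 4-byte length prefix.
PAYLOAD = b"meet at pier 9 at 0300; bring the drive. " * 12


def embed(cover: bytes, payload: bytes) -> bytes:
    """Overwrite the LSB of successive pixels with a length-prefixed payload."""
    data = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError(f"payload needs {len(bits)} pixels, cover has {len(cover)}")
    stego = bytearray(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit   # keep the top 7 bits, replace the LSB
    return bytes(stego)


def _read_bytes(pixels: bytes, first_bit: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs starting at pixel `first_bit`."""
    out = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (pixels[first_bit + 8 * b + i] & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Inverse of embed(): read the length prefix, then that many bytes."""
    length = struct.unpack(">I", _read_bytes(stego, 0, 4))[0]
    if 32 + 8 * length > len(stego):
        raise ValueError("length prefix exceeds buffer; probably not an LSB stego image")
    return _read_bytes(stego, 32, length)


def pov_chi_square(pixels: bytes) -> float:
    """Pairs-of-values statistic (127 degrees of freedom for 8-bit pixels).

    LSB embedding can only move a pixel between 2k and 2k+1, never out of its
    pair, so after embedding the two members of every pair occur about equally
    often. A large statistic means the pairs are still unbalanced (no embedding
    detected); a value near the degrees of freedom means they have been flattened.
    """
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    chi = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2
        if expected:
            chi += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
    return chi


def demo() -> dict:
    """Embed, recover, and compare the detector statistic before and after."""
    stego = embed(COVER, PAYLOAD)
    return {
        "recovered_ok": extract(stego) == PAYLOAD,
        "pixels_changed": sum(a != b for a, b in zip(COVER, stego)),
        "chi_cover": round(pov_chi_square(COVER), 1),
        "chi_stego": round(pov_chi_square(stego), 1),
    }


if __name__ == "__main__":
    print(demo())
```

The changed pixels differ from the cover by at most one grey level, which is invisible to the eye; the statistic catches the embedding anyway because it looks at the histogram, not at the picture. Real tools apply the test to successive regions of the image, since a payload that fills only the first part of the buffer only flattens that part.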
