
Unit -4

UNDERSTANDING COMPUTER FORENSICS: Introduction, Digital Forensics Science, The Need for
Computer Forensics, Cyber Forensics and Digital Evidence, Forensics Analysis of E-Mail, Digital
Forensics Life Cycle, Chain of Custody Concept, Network Forensics, Approaching a Computer
Forensics Investigation. Forensics and Social Networking Sites: The Security/Privacy Threats,
Challenges in Computer Forensics.

Introduction
Cyber Forensics is simply the application of computer investigation and analysis techniques in the
interest of determining potential legal evidence. Forensic computing is the process of identifying,
preserving, analyzing and presenting digital evidence in a manner that is legally acceptable. It is
the study of evidence from attacks on computer systems in order to learn what has occurred, how to
prevent it from recurring and the extent of the damage.
Cyber Forensics is one of the emerging professions of the 21st century. It can be thought of as an
investigation of computer-based evidence of criminal activity, using scientifically developed methods
that attempt to discover and reconstruct event sequences from such activity.
The fascinating part of the science is that the computer operating system invariably leaves behind
computer evidence transparently, without the knowledge of the computer operator. The information may
actually be hidden from view. Any enterprise that uses computer networks should have concern for
both security and forensic capabilities (Yasinsac and Manzano, 2001). They suggest that forensic
tools should be developed to continually scan computers and networks within an enterprise for illegal
activities.
When misuse is detected, these tools should record the sequence of events and store relevant data for
further investigation. Special forensic software tools and techniques are required in order to
recognize and retrieve such evidence. Cyber Forensics involves obtaining and analyzing such digital
information for use in civil, criminal or administrative cases. Digital evidence was not considered
tangible evidence in courts until recently, but it is now gaining importance.
Terminologies:
1. Disk Forensics: deals with extracting data/information from storage media by searching active
and deleted files and also unallocated and slack space.
2. Network Forensics: It is a sub-branch of digital forensics relating to the monitoring and analysis of
computer network traffic for the purpose of information gathering, legal evidence or intrusion
detection. Unlike other areas of digital forensics, network investigation deals with volatile and
dynamic information. It is also called pro-active forensics.
3. Wireless Forensics: It is a sub-part of network forensics. The main goal of wireless forensics is
to provide the tools required to collect and analyze data from wireless network traffic. The data
collected can correspond to plain data or, with the broad usage of Voice over Internet Protocol (VoIP)
technologies especially over wireless networks, to voice traffic.
4. Database Forensics: is a branch of digital forensics relating to the study and examination of
databases and their related metadata. A forensic examination of a database may relate to the
timestamps that apply to the update time of a row in a relational table being inspected and tested for
validity in order to verify the actions of a database user.
5. Malware Forensics: deals with the analysis and identification of malicious code, to study its
payload: viruses, worms, Trojans, keyloggers etc.
6. Mobile Phone Forensics: deals with the examination and analysis of mobile devices, to retrieve phone
and SIM contacts, call logs (dialled, missed and received), incoming and outgoing SMS/MMS, audio,
videos, paired device history and, in some smart phones, geolocation and calendar information etc.
7. GPS Forensics: also called SatNav Forensics, is a relatively new discipline in the fast-paced world
of Mobile Device Forensics. It is used for examining and analysing GPS devices to retrieve information
such as track logs, track points, waypoints, routes, photos, audio etc.
8. Email Forensics: deals with the recovery and analysis of emails, including deleted emails, calendars
and contacts.
9. Memory Forensics: deals with collecting data from system memory (system registers, cache, RAM)
in raw form and then carving the data from the raw dump.
10. E-Discovery: E-Discovery is the process of evaluating solutions for an organization. A defensible
e-discovery process is repeatable, systematized and meets legal requirements for proper handling and
admissibility of computer evidence. An ideal e-discovery process identifies, collects, preserves,
processes, reviews and produces relevant electronically stored information. Relevant information may
be found in unmanaged, unstructured, semi-structured or structured data sources dispersed across
networks on desktops, laptops, servers, share drives, removable storage media and other devices.
Email archiving can be a useful complement to e-discovery but, as the name implies, it is limited to
the contents of the email system, since such tools work only with the set of emails and do not extend
to data on the network. An effective, repeatable and defensible e-discovery response plan requires an
organization to proactively anticipate the type of discovery that could be initiated and develop an
offensive strategy that employs both technology and human resources (Scott Carlson, 2009).

DIGITAL SPECTRUM

With the advent of new forms of criminality associated with the growth of digital technologies, a
number of terms are used within the forensic community. These include cyber crime, high-tech crime,
e-crime and new technology crime, to indicate new and digitized versions of existing crime. Crimes
can be placed on a spectrum depending upon the extent of the digital environment involved.
Consider a street thief who first observes an unwary user input the PIN at an ATM, then steals the
card and later withdraws cash; this is not a crime that appears to be particularly digital and it is
therefore placed at the less digital end of the spectrum. On the other hand, skimming the magnetic
strip, cloning a credit card and then using it to make transactions is clearly a crime unique to the
digital era and would be placed at the more digital end of the spectrum.
Similarly, some crimes are more likely to have a digital aspect than to uniquely exploit digital
technologies. For example, in a fraud enacted via eBay, a fraudster may have planned the fraud on the
internet, setting up temporary and difficult-to-trace email accounts and surfing the internet for
images, descriptions and prices. These are activities which exploit the advantages of digital
technologies but nonetheless arise from a conventional and classic form of crime.

GOOD FIELD PRACTICE IN PROCESSING A CRIME SCENE

Crime Scene: It is crucial to understand the definition of a crime scene. For practical purposes, a
crime scene is the aftermath of an event that is considered, by law, to be illegal. For a basic
understanding, the crime scene can be considered the apex of an inverted pyramid that expands to
encompass the five phases: investigation of the crime, the recognition, analysis and interpretation of
evidence, and finally, the court trial. A crime scene should be processed with due diligence, utmost
care and by the application of technology, because any mistakes made in processing the crime scene
are impossible to rectify. Both errors of omission and errors of commission made in processing a
crime scene can confound the final resolution and make things worse. Investigators use general
guidelines for processing a crime scene, and regard the use of check sheets, forms and lists as rigid
templates for search and examination as counterproductive: each crime scene is unique and must be
approached with the knowledge, education and experience of the investigator.
DIGITAL EVENT AND CASE RELEVANCE
A digital event is an occurrence that changes the state of one or more objects. If the state of an
object changes as a result of an event, then it is an effect of the event. Some types of objects have
the ability to cause events, and these are called causes (Carrier and Spafford, 2004). Case relevance
is the property of any piece of information which is used to measure its ability to answer the
investigative “who, what, where, when, why and how” questions in a criminal investigation
(Ruibin and Gaertner, 2005). The authors use this notion to describe the distinction between computer
security and forensics, even defining degrees of case relevance, as given in the Figure.

The ultimate purpose of crime scene investigation is to solve the commission of a crime; the
questions to be answered inevitably fall under the umbrella of the six “W” questions:
1. What happened?
2. When did it happen?
3. Where did it happen?
4. Who was involved?
5. How was it done?
6. Why was it done?
In the examination of physical evidence the first five questions are relevant. The question “Why”
is irrelevant for laboratory analysis and is left for the establishment of motive by profilers,
criminologists and the courts.
LOCARDS PRINCIPLE: TRADITIONAL FORENSICS VS. CYBER FORENSICS

Locard’s Exchange Principle is often cited in forensics publications: “Every contact leaves a
trace.” Essentially, Locard’s Exchange Principle is applied to crime scenes in which the
perpetrator(s) of a crime come into contact with the scene. The perpetrator(s) will both bring
something into the scene and leave with something from the scene. In the cyber world, the
perpetrator may or may not come into physical contact with the crime scene; this brings a
new facet to crime scene analysis. According to the World of Forensic Science, Locard’s
publications make no mention of an “exchange principle,” although he did make the observation
“Il est impossible au malfaiteur d’agir avec l’intensité que suppose l’action criminelle sans
laisser des traces de son passage.” (It is impossible for a criminal to act, especially considering
the intensity of a crime, without leaving traces of his presence.)

Cyber forensics and Digital Evidence :-

Cyber forensics :-

Computer forensics, also called digital or cyber forensics, is a field of technology that uses
investigation techniques to help identify, collect and store evidence from an electronic device.
Oftentimes, computer forensics professionals uncover evidence that can be used by law
enforcement agencies, or by businesses and individuals to recover lost and damaged data.

Why is computer forensics important?

As the world becomes more connected digitally, digital evidence for solving crimes is becoming
more relevant every day. A computer forensics investigator’s job is to collect, examine, and
safeguard this evidence to help solve cyber crimes and to recover important compromised data.

Types of computer forensics

Computer forensics always involves gathering and analysing evidence from digital sources.
Some common types include:
• Database forensics: Retrieval and analysis of data or metadata found in databases
• Email forensics: Retrieval and analysis of messages, contacts, calendars, and other
information on an email platform
• Mobile forensics: Retrieval and analysis of data like messages, photos, videos, audio files,
and contacts from mobile devices
• Memory forensics: Retrieval and analysis of data stored on a computer's RAM (random
access memory) and/or cache
• Network forensics: Use of tools such as intrusion detection systems and firewalls to monitor
network traffic
• Malware forensics: Analysis of code to identify malicious programs like viruses,
ransomware, or Trojan horses

Common computer forensics techniques

When conducting an investigation and analysis of evidence, computer forensics specialists use
various techniques; here are four common ones:
• Deleted file recovery. This technique involves recovering and restoring files or fragments that
were deleted by a person, either accidentally or deliberately, or by a virus or other malware.
• Reverse-steganography. The process of hiding data inside a digital message or file is called
steganography. Reverse-steganography happens when computer forensic specialists examine the hash
of a message or of the file contents. A hash is a string of data computed from the message or file
which changes when the message or file is interfered with.
• Cross-drive analysis. This technique involves analysing data across multiple computer drives.
Strategies like correlation and cross-referencing are used to compare events from computer to
computer and detect anomalies.
• Live analysis. This technique involves analysing a running computer's volatile data stored in
RAM (random access memory) or cache memory. This helps pinpoint the cause of abnormal
computer activity.
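The deleted file recovery technique above is, at its simplest, header/footer carving: scan unallocated space for known file signatures and cut out what lies between them. The following is an added example written for these notes (not code from the notes or from any carving tool); the raw "disk image" is a constructed byte string holding a complete JPEG-like file, a PNG-like file and a JPEG whose tail has been overwritten.

```python
"""Signature-based file carving on a constructed raw image (added example).
Shows the technique file-carving tools apply to unallocated space: find a
header, look for the matching footer within a size limit, and report a
header with no footer as an incomplete (partly overwritten) file."""

# Header/footer signatures. Real JPEG streams may embed a thumbnail with its
# own FFD9 marker, so a carve on the footer alone can stop early; carving
# tools therefore also validate the carved bytes with a format parser.
SIGNATURES = {
    'jpg': (b'\xff\xd8\xff', b'\xff\xd9'),
    'png': (b'\x89PNG\r\n\x1a\n', b'IEND\xae\x42\x60\x82'),
}


def carve(image, max_size=10 * 1024 * 1024):
    """Return findings sorted by offset. Each finding records the file type,
    offset, size and whether a footer was found; complete files carry the
    carved bytes under 'data'."""
    findings = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(footer, start + len(header), start + max_size)
            if end < 0:
                # Header present but footer gone: the file's tail was reused
                # by another allocation, which is what a deleted file often
                # looks like. Record it so the examiner knows something was here.
                findings.append({'type': kind, 'offset': start, 'size': None,
                                 'complete': False, 'data': None})
                pos = start + len(header)
                continue
            end += len(footer)
            findings.append({'type': kind, 'offset': start, 'size': end - start,
                             'complete': True, 'data': image[start:end]})
            pos = end
    return sorted(findings, key=lambda f: f['offset'])


def build_sample_image():
    """Constructed 'unallocated space': zero fill with three file remnants.
    None of this is real image data; only the signatures are genuine."""
    jpg_ok = b'\xff\xd8\xff\xe0' + b'JFIF-constructed-1' + b'\xff\xd9'
    png_ok = (b'\x89PNG\r\n\x1a\n' + b'constructed-png-chunks'
              + b'IEND\xae\x42\x60\x82')
    jpg_cut = b'\xff\xd8\xff\xe1' + b'Exif-constructed-tail-overwritten'  # no FFD9
    return (b'\x00' * 512 + jpg_ok + b'\x00' * 300 + png_ok
            + b'\x00' * 100 + jpg_cut + b'\x00' * 128)


if __name__ == '__main__':
    for f in carve(build_sample_image()):
        status = 'complete' if f['complete'] else 'INCOMPLETE (footer missing)'
        print('%-4s offset=%5d size=%s %s' % (f['type'], f['offset'], f['size'], status))
```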
Digital or Electronic Evidence
Digital or electronic evidence is any information or data of investigative value that is stored
on or transmitted by an electronic device. Equipment and software are required to make the
evidence visible, and testimony may be required to explain the examination process and any of
its limitations. Electronic evidence is accepted as physical evidence and, by its nature, is
fragile. It can be altered, damaged or destroyed by improper handling or improper
examination. Thus, special precautions must be taken to document, collect, preserve and
examine this type of evidence. The methods used to collect evidence must preserve its
integrity.

Forensics Analysis of E-Mail

Email is one of the most popular services used over the internet and has become a primary
means of communication for organizations and the public. Usage of email services in business
activities like banking, messaging and sending file attachments has increased at a tremendous rate.
This medium of communication has become vulnerable to different kinds of attacks. Hackers
can forge email headers and send email anonymously for malicious purposes. Hackers can also
exploit open relay servers to carry out massive social engineering campaigns. Email is the most
common source of phishing attacks. To mitigate these attacks and catch the people responsible, we
use email forensics and techniques like header analysis, server investigation, sender mailer
fingerprints etc. Email forensics is the analysis of the source and content of an email message,
identification of the sender and receiver, the date and time of the email and the analysis of all
the entities involved. Email forensics also refers to the forensics of client or server systems
suspected of involvement in an email forgery.

Email Architecture:
When a user sends an email, it does not go directly to the mail server at the recipient’s end;
rather, it passes through different mail servers.

The MUA (Mail User Agent) is the program at the client end that is used to read and compose
emails. There are different MUAs like Gmail, Outlook etc. Whenever an MUA sends a message, it
goes to an MTA (Mail Transfer Agent), which decodes the message, identifies where it is meant to
be sent by reading the header information, modifies the header by adding its own data and then
passes it on towards the MTA at the receiving end. The last MTA, present just before the
recipient's MUA, decodes the message and sends it to the MUA at the receiving end. That is why,
in the email header, we can find information about multiple servers.
Email Header Analysis:

Email forensics starts with the study of the email header, as it contains a vast amount of
information about the email message. The analysis consists of both the study of the message
body and of the email header containing the information about the given email. Email header
analysis helps in identifying most email-related crimes like spear phishing, spamming, email
spoofing etc. Spoofing is a technique by which one can pretend to be someone else, so that a
normal user would think for a moment that the message is from a friend or some person he already
knows. Someone is simply sending emails from the friend’s spoofed email address; it is not that
the friend's account has been hacked.
By analyzing the email headers, one can tell whether a received email is from a spoofed
email address or a real one. Here is how an email header looks:
In order to understand the header information, one has to understand the structured set of
fields in the table.
X-Apparently-To: This field is useful when the email is sent to more than one recipient, such as
via bcc or a mailing list. Normally it contains the same address as the To field, but in the case
of bcc the X-Apparently-To field is different. So, this field tells the actual address of the
recipient even when the email is sent as cc, bcc or through a mailing list.
Return-Path: The Return-Path field contains the mail address that the sender specified in the
From field.
Received-SPF: This field contains the domain from which the mail has come and the SPF result. In
this case it is:
Received-SPF: pass (google.com: domain of topviralhod@gmail.com designates
209.85.000.00 as permitted sender) client-ip=209.85.000.00;

X-Spam-Ratio: Spam filtering software at the receiving server or MUA calculates a spam score.
If the spam score exceeds a certain limit, the message is automatically sent to the spam folder.
Different MUAs use different field names for spam scores, like X-Spam-Ratio, X-Spam-Status,
X-Spam-Flag, X-Spam-Level etc.
Received: This field contains the IP address of the last MTA server at the sending end, which
then sends the email to the MTA at the receiving end. In some places this can be seen under the
X-Originated-To field.
X-Sieve Header: This field specifies the name and version of the message filtering system. Sieve
is the language used to specify the conditions for filtering email messages.
X-Spam-Charsets: This field contains information about the character sets used for filtering
emails, like UTF etc. UTF is a good character set in that it is backward compatible with ASCII.
X-Resolved-To: This field contains the email address of the recipient, or we can say the
address of the mail server to which the sender's MDA delivers. Most of the time, X-Delivered-To
and this field contain the same address.
Authentication-Results: This field tells whether the mail received from the given domain has
passed the DKIM and DomainKeys signature checks or not. In this case, it has.
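The header walk described above can be automated. The following is an added example for these notes (not code from the notes): it parses a constructed, spoofed phishing message, follows the Received chain back to the originating MTA, reads the Received-SPF and Authentication-Results verdicts, and compares the From domain with the Return-Path domain (the bounce address recorded by the receiving MTA). Every host name, address and IP is a constructed placeholder drawn from documentation ranges.

```python
"""E-mail header analysis on a constructed message (added example, not code
from the notes). Walks the Received chain, reads the SPF/DKIM verdicts and
flags a From / Return-Path domain mismatch, the classic spoofing sign."""
import email
import re
from email import policy

# Constructed header block: the message claims to come from bank.example but
# was handed over by a host in another domain and failed SPF; DKIM is absent.
RAW_MESSAGE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby mail.recipient.example with ESMTP id abc123; Mon, 4 Mar 2024 10:02:11 +0000
Received: from relay.attacker-host.example (relay.attacker-host.example [203.0.113.45])
\tby mx.recipient.example with ESMTP id xyz789; Mon, 4 Mar 2024 10:02:09 +0000
Received-SPF: fail (recipient.example: domain of bank.example does not designate 203.0.113.45 as permitted sender) client-ip=203.0.113.45;
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=bounce@attacker-host.example; dkim=none
Return-Path: <bounce@attacker-host.example>
From: "Bank Support" <accounts@bank.example>
To: victim@recipient.example
Subject: Urgent: verify your account
X-Spam-Status: Yes, score=7.4
Message-ID: <20240304100209.1234@relay.attacker-host.example>

Please log in at the link below.
"""


def parse_message(raw):
    """Parse raw RFC 5322 text; policy.default unfolds continuation lines."""
    return email.message_from_string(raw, policy=policy.default)


def domain_of(address):
    """Lower-cased domain of an address such as '"Name" <user@dom>'."""
    m = re.search(r'@([A-Za-z0-9.-]+)', address)
    return m.group(1).lower() if m else ''


def received_hops(msg):
    """Received chain, most recent first. Each MTA prepends its own line, so
    the last element is the earliest visible hop: the host that handed the
    mail to the recipient's infrastructure."""
    hops = []
    for value in msg.get_all('Received', []):
        text = str(value)
        host = re.search(r'from\s+(\S+)', text)
        ip = re.search(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]', text)
        by = re.search(r'\bby\s+(\S+)', text)
        hops.append({'from': host.group(1) if host else '',
                     'ip': ip.group(1) if ip else '',
                     'by': by.group(1) if by else ''})
    return hops


def spf_result(msg):
    """First token of Received-SPF: pass, fail, softfail, neutral, none..."""
    m = re.match(r'\s*([A-Za-z]+)', str(msg.get('Received-SPF', '')))
    return m.group(1).lower() if m else 'none'


def auth_results(msg):
    """Mechanism verdicts from Authentication-Results, e.g. {'dkim': 'none'}."""
    text = str(msg.get('Authentication-Results', ''))
    return dict(re.findall(r'\b(spf|dkim|dmarc)=([A-Za-z]+)', text))


def analyse(msg):
    """Collect the indicators and list findings a header analyst would note."""
    from_domain = domain_of(str(msg.get('From', '')))
    return_path_domain = domain_of(str(msg.get('Return-Path', '')))
    spf = spf_result(msg)
    auth = auth_results(msg)
    hops = received_hops(msg)
    findings = []
    if from_domain and return_path_domain and from_domain != return_path_domain:
        findings.append('From domain %s differs from Return-Path domain %s'
                        % (from_domain, return_path_domain))
    if spf != 'pass':
        findings.append('SPF result is %s' % spf)
    if auth.get('dkim', 'none') != 'pass':
        findings.append('DKIM result is %s' % auth.get('dkim', 'none'))
    return {'from_domain': from_domain, 'return_path_domain': return_path_domain,
            'spf': spf, 'auth': auth, 'hops': hops,
            'origin_ip': hops[-1]['ip'] if hops else '', 'findings': findings}


if __name__ == '__main__':
    report = analyse(parse_message(RAW_MESSAGE))
    for key in ('from_domain', 'return_path_domain', 'origin_ip', 'spf', 'auth'):
        print('%-20s %s' % (key, report[key]))
    for hop in report['hops']:
        print('hop: %(from)s [%(ip)s] -> %(by)s' % hop)
    for finding in report['findings']:
        print('FINDING:', finding)
```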

Digital Forensics Life Cycle

The digital forensics process is shown in the following figure. Forensic life cycle phases are:
1. Preparation and identification
2. Collection and recording
3. Storing and transporting
4. Examination/investigation
5. Analysis, interpretation, and attribution
6. Reporting
7. Testifying
1. Preparing for the Evidence and Identifying the Evidence

In order to be processed and analysed, evidence must first be identified. It is possible that
evidence is overlooked and never identified at all. A sequence of events in a computer
might include interactions between:

• Different files
• Files and file systems
• Processes and files
• Log files

In case of a network, the interactions can be between devices in the organization or across the
globe (Internet). If the evidence is never identified as relevant, it may never be collected and
processed.

2. Collecting and Recording Digital Evidence

Digital evidence can be collected from many sources. The obvious sources can be:

• Mobile phone
• Digital cameras
• Hard drives
• CDs
• USB memory devices

Non-obvious sources can be:

• Digital thermometer settings
• Black boxes inside automobiles
• RFID tags

Proper care should be taken while handling digital evidence, as it can be changed easily. Once
changed, the evidence cannot be analysed further. A cryptographic hash can be calculated for the
evidence file and checked later to determine whether any changes have been made to the file.
Sometimes important evidence might reside in volatile memory. Gathering volatile data requires
special technical skills.

3. Storing and Transporting Digital Evidence

Some guidelines for handling of digital evidence:

• Image computer-media using a write-blocking tool to ensure that no data is added to the
suspect device
• Establish and maintain the chain of custody
• Document everything that has been done
• Only use tools and methods that have been tested and evaluated to validate their accuracy
and reliability

Care should be taken that evidence does not go anywhere without properly being traced. Things
that can go wrong in storage include:

• Decay over time (natural or unnatural)
• Environmental changes (direct or indirect)
• Fires
• Floods
• Loss of power to batteries and other media-preserving mechanisms

Sometimes evidence must be transported from place to place, either physically or through a
network. Care should be taken that the evidence is not changed while in transit. Analysis is
generally done on a copy of the real evidence. If there is any dispute over the copy, the original
can be produced in court.

4. Examining/Investigating Digital Evidence

A forensics specialist should ensure that he/she has proper legal authority to seize, copy and
examine the data. As a general rule, one should not examine digital information unless one has
the legal authority to do so. A forensic investigation performed on data at rest (hard disk) is
called dead analysis.

Many current attacks leave no trace on the computer’s hard drive. The attacker only exploits the
information in the computer’s main memory. Performing a forensic investigation on main memory
is called live analysis. Sometimes the decryption key might be available only in RAM; turning
off the system will erase it. The process of creating an exact duplicate of the original
evidence is called imaging. Some tools which can create entire hard drive images are:

• dcfldd
• IXimager
• Guymager

The original drive is moved to secure storage to prevent tampering. The imaging process is
verified by using SHA-1 or another hashing algorithm.

5. Analysis, Interpretation and Attribution

In digital forensics, only a few sequences of events might produce evidence, but the number of
possible sequences is very large. The digital evidence must be analyzed to determine the type
of information stored on it. Examples of forensics tools:

• Forensic Toolkit (FTK)
• EnCase
• Scalpel (file carving tool)
• The Sleuth Kit (TSK)
• Autopsy

Forensic analysis includes the following activities:

• Manual review of data on the media
• Windows registry inspection
• Discovering and cracking passwords
• Performing keyword searches related to the crime
• Extracting emails and images

Types of digital analysis:

• Media analysis
• Media management analysis
• File system analysis
• Application analysis
• Network analysis
• Image analysis
• Video analysis

6. Reporting

After the analysis is done, a report is generated. The report may be in oral form, in written
form or both. The report contains all the details about the evidence from the analysis,
interpretation and attribution steps. As a result of the findings in this phase, it should be
possible to confirm or discard the allegations. Some of the general elements in the report are:

• Identity of the reporting agency
• Case identifier or submission number
• Case investigator
• Identity of the submitter
• Date of receipt
• Date of report
• Descriptive list of items submitted for examination
• Identity and signature of the examiner
• Brief description of steps taken during examination
• Results / conclusions

7. Testifying

This phase involves the presentation and cross-examination of expert witnesses. An expert witness
can testify provided that:

• The testimony is based on sufficient facts or data
• The testimony is the product of reliable principles and methods
• The witness has applied the principles and methods reliably to the facts of the case

Experts with inadequate knowledge are sometimes chastised by the court. Precautions to be
taken when collecting digital evidence are:

• No action taken by law enforcement agencies or their agents should change the evidence
• When a person needs to access the original data held on a computer, that person must be
competent to do so
• An audit trail or other record of all processes applied to digital evidence should be
created and preserved
• The person in charge of the investigation has overall responsibility for ensuring that the
law and these principles are adhered to

Chain of Custody Concept :-

Chain of Custody

A chain of custody is the process of validating how evidence has been gathered, tracked and
protected on its way to the court of law. Forensic professionals know that if you do not have a
chain of custody, the evidence is worthless.

The chain of custody is a chronological written record of the individuals who have had custody
of the evidence from its initial acquisition to its final disposition. A chain of custody begins
when evidence is collected, and the chain is maintained until the evidence is disposed of. The
chain of custody assumes continuous accountability.
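The cryptographic hash recorded at collection (phase 2), the hash verification of the image (phase 4) and the chronological custody record described here fit together into one artefact. The following is an added example for these notes (not code from the notes or from any forensic tool): a constructed evidence image is written to a temporary directory, hashed at acquisition, and re-hashed at every custody transfer so that damage in storage is detected and logged. Case number, custodian names and file name are constructed placeholders.

```python
"""Hash-verified chain-of-custody record (added example, not from the notes).
Every hand-over re-hashes the evidence image and compares it with the value
recorded at acquisition, so an altered image cannot pass unnoticed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1024 * 1024):
    """Stream the file through SHA-256 so images larger than RAM still hash."""
    digest = hashlib.sha256()
    with open(path, 'rb') as fh:
        for block in iter(lambda: fh.read(chunk_size), b''):
            digest.update(block)
    return digest.hexdigest()


class CustodyLog:
    """Chronological record of who held the evidence, with an integrity check
    against the acquisition hash at every entry."""

    def __init__(self, case_id, evidence_path, custodian, note):
        self.case_id = case_id
        self.evidence_path = evidence_path
        self.acquisition_hash = sha256_file(evidence_path)
        self.entries = []
        self._record('acquired', custodian, note)

    def _record(self, action, custodian, note):
        current = sha256_file(self.evidence_path)
        entry = {'seq': len(self.entries) + 1,
                 'time_utc': datetime.now(timezone.utc).isoformat(),
                 'action': action, 'custodian': custodian, 'note': note,
                 'sha256': current,
                 'matches_acquisition': current == self.acquisition_hash}
        self.entries.append(entry)
        return entry

    def transfer(self, from_custodian, to_custodian, note=''):
        """Log a hand-over; the new custodian is recorded as holding the item."""
        return self._record('transfer', to_custodian,
                            'received from %s; %s' % (from_custodian, note))

    def verify(self):
        """True if the image still hashes to the acquisition value."""
        return sha256_file(self.evidence_path) == self.acquisition_hash

    def to_json(self):
        return json.dumps({'case_id': self.case_id,
                           'evidence': os.path.basename(self.evidence_path),
                           'acquisition_sha256': self.acquisition_hash,
                           'entries': self.entries}, indent=2)


def run_demo():
    """Acquire, transfer once, then simulate one byte of damage in storage.
    Returns (intact before damage, intact after, last entry matched, log)."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, 'CASE-0001-disk.dd')  # constructed name
        with open(image, 'wb') as fh:  # constructed image content
            fh.write(b'\x00' * 4096 + b'CONSTRUCTED-EVIDENCE-IMAGE' + b'\xff' * 4096)
        log = CustodyLog('CASE-0001', image, 'examiner-1',
                         'imaged with write blocker, sealed bag #12')
        log.transfer('examiner-1', 'evidence-locker', 'stored in locker B3')
        intact_before = log.verify()
        # Improper handling: a single byte of the stored image is altered.
        with open(image, 'r+b') as fh:
            fh.seek(4096)
            fh.write(b'X')
        last = log.transfer('evidence-locker', 'examiner-2', 'checked out for analysis')
        intact_after = log.verify()
        return intact_before, intact_after, last['matches_acquisition'], log


if __name__ == '__main__':
    before, after, matched, custody = run_demo()
    print(custody.to_json())
    print('intact before damage:', before, '| intact after:', after,
          '| last transfer matched acquisition hash:', matched)
```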

Network Forensics :-
Network forensics is a subcategory of digital forensics that deals with the examination of a
network, and of the traffic going across it, when the network is suspected to be involved in
malicious activities, for example a network that is spreading malware to steal credentials, or
for the purpose of analyzing cyber-attacks. As the internet grew, cybercrime grew along with it,
and so did the significance of network forensics, with the development and acceptance of
network-based services such as the World Wide Web, e-mail and others.
Processes Involved in Network Forensics:
Some processes involved in network forensics are given below:
• Identification: In this process, investigators identify and evaluate the incident based on
network indicators.
• Safeguarding: In this process, the investigators preserve and secure the data so that
tampering can be prevented.
• Accumulation: In this step, a detailed report of the crime scene is documented and all the
collected pieces of digital evidence are duplicated.
• Observation: In this process, all the visible data is tracked along with the metadata.
• Investigation: In this process, a final conclusion is drawn from the collected pieces of
evidence.
• Documentation: In this process, all the pieces of evidence, reports and conclusions are
documented and presented in court.
Challenges in Network Forensics:
• The biggest challenge is managing the volume of data generated during the process.
• The intrinsic anonymity of IP addresses.
• Address spoofing.

Advantages:
• Network forensics helps in identifying security threats and vulnerabilities.
• It analyzes and monitors network performance demands.
• Network forensics helps in reducing downtime.
• Network resources can be used in a better way through reporting and better planning.
• It helps in a detailed network search for any trace of evidence left on the network.
Disadvantage:
• The only disadvantage of network forensics is that it is difficult to implement.

Approaching a Computer Forensics Investigation :-


The phases in a computer forensics investigation are:
• Secure the subject system
• Take a copy of the hard drive/disk
• Identify and recover all files
• Access/view/copy hidden, protected and temporary files
• Study special areas on the drive
• Investigate the settings and any data from programs on the system
• Consider the system from various perspectives
• Create a detailed report containing an assessment of the data and information collected

The Security/Privacy Threats :-

Information security threats can be many, like software attacks, theft of intellectual property,
identity theft, theft of equipment or information, sabotage and information extortion.
A threat can be anything that can take advantage of a vulnerability to breach security and
negatively alter, erase or harm the object or objects of interest.
Software attacks means attacks by viruses, worms, Trojan horses etc. Many users believe that
malware, viruses, worms and bots are all the same thing. They are not the same; the only
similarity is that they are all malicious software, and each behaves differently.
Malware is a combination of two terms: malicious and software. So malware basically means
malicious software, which can be intrusive program code or anything else designed to
perform malicious operations on a system. Malware can be classified in two ways:
1. By infection method
2. By malware actions
Malware classified on the basis of infection method is as follows:

1. Virus – Viruses have the ability to replicate themselves by hooking themselves to programs or
files on the host computer, like songs, videos etc., and then they travel all over the Internet.
The Creeper virus was first detected on ARPANET. Examples include file viruses, macro viruses,
boot sector viruses, stealth viruses etc.
2. Worms – Worms are also self-replicating in nature but they don’t hook themselves to a
program on the host computer. The biggest difference between viruses and worms is that worms
are network-aware. They can easily travel from one computer to another if a network is
available, and on the target machine they will not do much harm; they will, for example,
consume hard disk space, thus slowing down the computer.
3. Trojan – The concept of a Trojan is completely different from viruses and worms. The
name Trojan is derived from the ‘Trojan Horse’ tale in Greek mythology, which explains
how the Greeks were able to enter the fortified city of Troy by hiding their soldiers in a big
wooden horse given to the Trojans as a gift. The Trojans were very fond of horses and
trusted the gift blindly. In the night, the soldiers emerged and attacked the city from the
inside.
The purpose of a Trojan is to conceal itself inside software that seems legitimate; when
that software is executed it will do its task of either stealing information or any other
purpose for which it is designed.
Trojans often provide a backdoor gateway for malicious programs or malevolent users to enter
your system and steal your valuable data without your knowledge or permission.
Examples include FTP Trojans, proxy Trojans, remote access Trojans etc.

4. Bots – Bots can be seen as an advanced form of worms. They are automated processes that are
designed to interact over the internet without the need for human intervention. They can be
good or bad. A malicious bot can infect one host and, after infecting it, will create a connection
to a central server which provides commands to all infected hosts attached to that network,
called a botnet.
Malware on the basis of Actions:

1. Adware – Adware is not exactly malicious but they do breach privacy of the users. They
display ads on a computer’s desktop or inside individual programs. They come attached
with free-to-use software, thus main source of revenue for such developers. They monitor
your interests and display relevant ads. An attacker can embed malicious code inside the
software and adware can monitor your system activities and can even compromise your
machine.
2. Spyware – It is a program or we can say software that monitors your activities on computer
and reveal collected information to an interested party. Spyware are generally dropped by
Trojans, viruses or worms. Once dropped they install themselves and sits silently to avoid
detection.
One of the most common example of spyware is KEYLOGGER. The basic job of
keylogger is to record user keystrokes with timestamp. Thus capturing interesting
information like username, passwords, credit card details etc.
3. Ransomware – It is type of malware that will either encrypt your files or will lock your
computer making it inaccessible either partially or wholly. Then a screen will be displayed
asking for money i.e. ransom in exchange.
4. Scareware – Masquerades as a tool to help fix your system, but when executed it infects
the system or damages it outright. The software displays a frightening message (for example a
fake virus warning) to force you into some action, such as paying the authors to "fix" your
system.
5. Rootkits – Designed to obtain, and above all to conceal, root (administrative) privileges
on the victim's system: a rootkit hides its own files, processes and network connections from
the operating system's normal tools. Once root access is gained, the attacker can do anything,
from stealing private files and data to silently modifying the system.
6. Zombies – Work similarly to spyware: the infection mechanism is the same, but rather than
spying and stealing information they sit idle and wait for commands from the attacker. A
zombie is simply one compromised host of a botnet.
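The ransomware description above (files encrypted in place, often renamed) is what an investigator meets on disk. As an added example, not part of the original notes, the Python below applies two classic ransomware indicators to a set of files: an appended extension that hides the original one, and byte entropy that is far too high for the type the file claims to be. Files that are already compressed (JPEG, DOCX, PDF streams) are legitimately high-entropy, so the script only treats entropy as suspicious for text-like types and otherwise checks whether the expected magic bytes are still present. The extension list and the sample "disk" are constructed for the demo and are not taken from any named ransomware family.

```python
import math
import os
import random
from collections import Counter

# Magic bytes of a few types. A file with this extension whose header is gone
# has been overwritten in place, which is exactly what ransomware does.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}
# Types whose content is normally low-entropy text; high entropy here is anomalous.
TEXT_TYPES = {".txt", ".csv", ".log", ".xml", ".html", ".json"}
# Extensions appended by ransomware (assumed, illustrative list for the demo).
RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_file(name: str, data: bytes) -> list:
    """Return the ransomware indicators found for one file, in a fixed order."""
    indicators = []
    base, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext in RANSOM_EXTENSIONS:
        indicators.append("ransom_extension")
        # The original extension usually survives underneath, e.g. report.pdf.locked,
        # so run the remaining checks against that inner type.
        ext = os.path.splitext(base)[1].lower()
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        indicators.append("header_mismatch")
    if ext in TEXT_TYPES and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        indicators.append("high_entropy_text")
    return indicators


def triage_files(files: dict) -> dict:
    """Map file name -> indicators for every file that has at least one indicator."""
    report = {}
    for name, data in files.items():
        found = triage_file(name, data)
        if found:
            report[name] = found
    return report


def _random_bytes(rng: random.Random, n: int) -> bytes:
    """Pseudo-random bytes from a seeded generator, standing in for ciphertext."""
    return bytes(rng.getrandbits(8) for _ in range(n))


def build_sample_files() -> dict:
    """Constructed sample 'disk' for the demo; seeded so every run is identical."""
    rng = random.Random(7)
    return {
        # ordinary text: low entropy, correct type, no indicators expected
        "notes.txt": b"Meeting notes: review chain of custody forms before Friday.\n" * 40,
        # a JPEG is legitimately high-entropy; its valid header keeps it off the list
        "photo.jpg": b"\xff\xd8\xff" + _random_bytes(rng, 4096),
        # encrypted and renamed: appended extension, and the PDF header is gone
        "report.pdf.locked": _random_bytes(rng, 4096),
        # encrypted in place without renaming: only the entropy gives it away
        "budget.csv": _random_bytes(rng, 2048),
    }


if __name__ == "__main__":
    for name, found in triage_files(build_sample_files()).items():
        print(f"{name}: {', '.join(found)}")
```

On the constructed sample only report.pdf.locked (ransom_extension, header_mismatch) and budget.csv (high_entropy_text) are reported; photo.jpg is not, which is the point of checking the header rather than entropy alone for compressed formats. In a real case the indicators are a triage lead: the file system timeline and the ransom note, not the entropy score, establish what happened and when.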

• Theft of intellectual property means violation of intellectual property rights like
copyrights, patents etc.
• Identity theft means impersonating someone else in order to obtain their personal
information or to access the valuable information they hold, for example logging into a
person's computer or social media account with their stolen login credentials.
• Theft of equipment and information is increasing these days because devices are mobile and
their storage capacity keeps growing.
• Sabotage means defacing or destroying a company's website to cause a loss of confidence on
the part of its customers.
• Information extortion means stealing a company's property or information and demanding
payment for its return. For example, ransomware may lock the victim's files, making them
inaccessible and thus forcing the victim to pay; only after payment (and not always even then)
are the files unlocked.
These are the old-generation attacks, which continue today and grow more sophisticated every
year. Apart from these there are many other threats. Below is a brief description of the
new-generation threats.

• Technology with weak security – With the advancement of technology a new gadget is
released on the market almost every day, but very few are fully secured and follow information
security principles. Because the market is so competitive, security is traded off to bring the
device to market faster, and this leads to theft of data and information from the devices.
• Social media attacks – Here cyber criminals identify and infect a cluster of websites that
members of a particular organization are known to visit, in order to steal information from
them (a technique also known as a watering-hole attack).
• Mobile malware – There is a saying that wherever there is Internet connectivity there is a
danger to security. The same goes for mobile phones, where gaming applications are designed to
lure users into downloading the game and, unintentionally, installing malware on the device.
• Outdated security software – With new threats emerging every day, keeping security
software updated is a prerequisite for a fully secured environment.
• Corporate data on personal devices – Many organizations now follow a BYOD (Bring Your Own
Device) policy, under which employees bring their own laptops, tablets and phones to the
workplace. BYOD clearly poses a serious threat to the security of corporate data, but
organizations adopt it for the sake of productivity.
• Social engineering – The art of manipulating people into giving up confidential
information such as bank account details and passwords. Criminals can trick you into revealing
private information, or gain your trust so that you let them install malicious software that
gives them control of your computer. A typical example is an e-mail or message that appears to
come from a friend but was not sent by them: the criminal compromises the friend's device, reads
the contact list and sends an infected e-mail or message to every contact. Because the message
comes from a known person, the recipient is likely to open the link or attachment, thereby
unintentionally infecting their own computer.

Challenges in Computer Forensics :-

Cyber forensics experts extract data from a variety of sources, in fact from any technology
that may be used by an end user: mobile devices, cloud computing services, IT networks and
software applications.
These technologies are developed and operated by distinct vendors. Their technical limitations
and privacy measures tend to restrict the investigative capacity of an individual InfoSec
expert, who faces the following challenges:
• Data recovery. If the data is encrypted, the investigator cannot decrypt it without access
to the encryption keys. Newer storage such as SSDs also behaves differently from traditional
magnetic tape and hard disk drives: wear levelling and TRIM/garbage collection may erase
deleted blocks on their own, so data that could be carved from a spinning disk may simply be
gone.
• Visibility into cloud systems. Investigators may only have access to metadata, not to the
content of the files. The underlying resources are shared and allocated dynamically, and that
lack of access to the physical storage systems means that deleted data may not be recoverable
by third-party investigators; what can be obtained usually comes through the provider's own
logs and legal process.
• Network log big data. Network log data grows very rapidly and requires advanced analytics,
increasingly including AI tools, to connect the dots and find meaningful relationships between
network activities.
• Multi-jurisdiction data storage. If the data is stored in a different geographic
location, cyber forensics investigators may not have the legal authority to access the required
information.
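The bot description earlier (an infected host calling back to a central server for commands) and the network-log challenge above meet in practice in beacon hunting: a bot's scheduled check-ins produce a series of connections to the same destination with almost constant spacing, which stands out statistically even in a very large log. As an added example, not part of the original notes, the Python below parses a simple constructed, whitespace-separated connection log and flags (source, destination, port) triples whose inter-arrival times have a low coefficient of variation. The log format, the hosts and the C2 address 203.0.113.10 (a documentation-range placeholder) are all made up for the demo.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log() -> list:
    """Constructed log lines in the form '<ISO timestamp> <src> <dst> <dst_port>'.
    Not real traffic; 203.0.113.10 stands in for a C2 server."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    lines = []
    # Infected host 10.0.0.5 checks in with its C2 every 60 s, with a few seconds of jitter.
    jitter = [0, 2, -1, 3, -2, 1, 0, -3, 2, 1, 0, -1]
    for i, j in enumerate(jitter):
        ts = base + timedelta(seconds=60 * i + j)
        lines.append(f"{ts.isoformat()} 10.0.0.5 203.0.113.10 443")
    # Normal browsing from 10.0.0.7: bursty, with irregular gaps between bursts.
    for offset in [0, 1, 3, 4, 40, 41, 300, 301, 302, 900, 905, 2000]:
        ts = base + timedelta(seconds=offset)
        lines.append(f"{ts.isoformat()} 10.0.0.7 198.51.100.20 443")
    # Too few connections from 10.0.0.9 to say anything about regularity.
    for offset in [0, 60, 120]:
        ts = base + timedelta(seconds=offset)
        lines.append(f"{ts.isoformat()} 10.0.0.9 198.51.100.30 80")
    return lines


def parse_log(lines):
    """Yield (timestamp, src, dst, port) tuples, skipping malformed lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue


def find_beacons(records, min_connections=8, max_cv=0.2) -> dict:
    """Return {(src, dst, port): (mean_interval_s, cv)} for connection series whose
    inter-arrival times are nearly constant. cv is the coefficient of variation
    (stdev / mean): scheduled check-ins sit near 0, human traffic well above 1."""
    series = defaultdict(list)
    for ts, src, dst, port in records:
        series[(src, dst, port)].append(ts)
    beacons = {}
    for key, times in series.items():
        if len(times) < min_connections:
            continue
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        cv = statistics.stdev(intervals) / mean
        if cv <= max_cv:
            beacons[key] = (round(mean, 1), round(cv, 3))
    return beacons


if __name__ == "__main__":
    for (src, dst, port), (mean, cv) in find_beacons(parse_log(build_sample_log())).items():
        print(f"possible beacon: {src} -> {dst}:{port} every {mean}s (cv={cv})")
```

On the constructed log only 10.0.0.5 -> 203.0.113.10:443 is reported, at roughly 60 s. Real C2 frameworks add large random jitter and long sleeps precisely to defeat this kind of test, so the thresholds are tuned per environment and a hit is a lead to investigate (destination reputation, process that opened the socket, payload sizes), not a verdict.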
