AITD / COMP 8.2 Networks Security
Unit 3
3.1 Introduction to Cyber Crime and Law: Cyber Crimes – Types of Cyber Crimes.
3.2 Cyber-offenses: Hacking – Attack Vectors – Cyber Space and Cyber Behaviour –
Classification of terms – Traditional problems associated with Cyber Crime.
3.3 Introduction to Incident Response – Digital Forensics – Computer Language – Network
Language – Realms of Cyber World – A brief history of Internet.
3.4 Recognizing and defining Cyber Crime – Computers as targets – Contaminants and
Destruction of Data
3.5 Indian IT Act 2000.
3.1 Introduction to Cybercrime and Cyber Law
CYBERSPACE
• Cyberspace is the global computer network that facilitates online communication.
• It allows users to share information and ideas, interact and communicate, play games,
engage in discussions, conduct business and carry out many other activities.
• In other words, this computer-generated worldwide stage of the Internet and the web is known
as cyberspace.
CYBERCRIME
• Cybercrime can be defined as any criminal activity directly related to the use of
computers and the Internet, such as illegal trespass into another's computer system or
database, manipulation or theft of stored or online data, hacking, phishing,
cyber warfare, spreading computer viruses, etc.
• In simple words, it is any offence or crime in which a computer is used to commit that
crime.
• Cybercrime would be "unlawful acts wherein the computer is either a tool or a target or both".
CYBERCRIMES – CLASSIFICATION
Cybercrimes are classified as follows:
1. Cybercrimes against Individuals
2. Cybercrimes against Property
3. Cybercrimes against Organisation
4. Cybercrimes against Society
(1) Cybercrimes against Individuals – The goal is to exploit human weaknesses such as greed and
naivety. These crimes include financial crimes, sale of non-existent or stolen items, child
pornography, copyright violation, etc.
(i) Email Spoofing:
A spoofed email is one in which the e-mail header is forged so that the mail appears to
originate from one source but has actually been sent from another source.
(ii) Spamming:
Spamming means sending multiple copies of unsolicited mails or mass e-mails, such
as chain letters.
(iii) Cyber Defamation:
This occurs when defamation takes place with the help of computers and / or the
Internet. E.g. someone publishes defamatory matter about someone on a website or
sends e-mails containing defamatory information.
(iv) Harassment & Cyber Stalking:
Cyber stalking means following the moves of an individual's activity over the Internet. It
can be done with the help of the many protocols available, such as e-mail, chat rooms and
Usenet groups.
(2) Cybercrimes against Property – This includes stealing mobile devices and removable
media, and transmitting harmful files or programs that can disrupt the functions of the system,
wipe out data from the HDD or cause the devices attached to the system to malfunction.
(i) Credit Card Fraud:
(ii) Intellectual Property crimes:
These include:
Software piracy: illegal copying of programs and distribution of copies of software.
Copyright infringement; trademark violations; theft of computer source code.
(iii) Internet time theft:
The usage of Internet hours by an unauthorized person which are actually paid for by
another person.
(3) Cybercrimes against Organisation – Cyber terrorism is one of the distinct crimes against
an organization or Government. Attackers use computer tools and the Internet, usually to
terrorize the citizens of a particular country by stealing private information, and also to
damage programs and files or plant files to gain control of the network or system.
(i) Unauthorized Accessing of Computer:
Accessing the computer/network without permission from the owner.
It can be of 2 forms:
a) Changing/deleting data: Unauthorized changing of data.
b) Computer voyeur: The criminal reads or copies confidential or proprietary
information, but the data is neither deleted nor changed.
(ii) Denial of Service:
When an Internet server is flooded with continuous bogus requests so as to deny
legitimate users the use of the server, or to crash the server.
(iii) Computer contamination / Virus attack:
A computer virus is a computer program that can infect other computer programs by
modifying them in such a way as to include a (possibly evolved) copy of itself.
Viruses can be file-infecting or can affect the boot sector of the computer.
Worms, unlike viruses, do not need a host to attach themselves to.
(iv) Email Bombing:
Sending large numbers of mails to an individual, company or mail server, thereby
ultimately resulting in a crash.
(v) Salami Attack:
When negligible amounts are removed and accumulated into something larger. These
attacks are used for the commission of financial crimes.
(vi) Logic Bombs:
It is an event-dependent program; as soon as the designated event occurs, it
crashes the computer, releases a virus or causes other harm.
(vii) Trojan Horses:
An unauthorized program which functions from inside what seems to be an
authorized program, thereby concealing what it is actually doing.
(viii) Data diddling:
This kind of an attack involves altering raw data just before it is processed by a
computer and then changing it back after the processing is completed.
(4) Cybercrimes against Society
(i) Forgery:
Currency notes, revenue stamps, mark sheets etc can be forged using computers and
high quality scanners and printers.
(ii) Cyber Terrorism:
Use of computer resources to intimidate or coerce others.
(iii) Web Jacking:
Hackers gain access to and control over the website of another, and may even change the
content of the website to fulfil a political objective or for money.
(5) Single Event of Cybercrime
It is a single event from the perspective of the victim. For example, unknowingly opening an
attachment that may contain a virus that will infect the system. This is also known as hacking
or fraud.
(6) Series of Events
This involves the attacker interacting with the victim repetitively. For example, the attacker interacts
with the victim on the phone or via chat rooms to establish a relationship first, and then
exploits that relationship to commit sexual assault.
Forms of Cybercrime:
Cybercrime is the act wherein the computer is used as a tool for an unlawful act. This kind of activity
usually involves a modification of a conventional crime by using computers. Some examples are:
1. Cybersquatting
• Cybersquatting is registering, selling or using a domain name with the intent of profiting
from the goodwill of someone else's trademark.
• It generally refers to the practice of buying up domain names that use the names of existing
businesses with the intent to sell the names for a profit to those businesses.
• As cybersquatting complaints mount worldwide, ICANN (Internet Corporation for
Assigned Names and Numbers) has implemented thorough standards of acceptance so
that domain name assignment is done with much more scrutiny.
• ICANN has also put solid requirements for domain name recovery in place for instances of
trademark registration lapses by trademark owners.
• ICANN urges trademark owners to renew their registrations yearly and to report misuse to
the agency as soon as they become aware that they have neglected to re-register a domain.
2. Cyberpunk and Cyberwarfare
• Cyberpunk is a subgenre of science fiction in a dystopian futuristic setting that tends to
focus on a "combination of low-life and high technology", featuring advanced
technological and scientific achievements, such as artificial intelligence and cybernetics,
juxtaposed with a degree of breakdown or radical change in the social order.
• Cyberwarfare means information warriors unleashing various attacks on an
unsuspecting opponent's computer networks, wreaking havoc and paralyzing nations.
• Cyberwarfare has a historical connection in the context of attacks against
infrastructure.
3. Cyber Terrorism
• Cyber terrorism is the premeditated, politically motivated attack against information,
computer systems, computer programs and data which results in violence against
non-combatant targets by sub-national groups or clandestine agents.
• It can also be defined as the use of information technology and means by terrorist groups
and agents.
4. Botnets
• The term botnet is used to refer to a group of compromised computers (zombie computers, i.e.
personal computers secretly under the control of hackers) running malware under a
common command and control infrastructure.
• A botnet operator can control the group remotely for illegal purposes, the most common
being DoS attacks, adware, spyware, email spam, click fraud, etc.
5. Email spoofing
• A spoofed e-mail is one that appears to originate from one source but has actually been
sent from another source.
• Email spoofing can also cause monetary damage. For example, misinformation has been spread by
sending spoofed emails, purportedly from news agencies like Reuters, to share brokers
and investors, who were informed that the companies were doing very badly.
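A spoofed message of the kind described above can be caught on the receiving side by comparing the visible From: header with the envelope sender and the SPF verdict the receiving mail server recorded. This is an added example, not code from the course notes; the two messages below are constructed, and the domains mail.example.org, newswire.example.com and example.net are placeholders.

```python
"""Flag a message whose visible From: header disagrees with the envelope
sender (Return-Path) and the SPF result recorded by the receiving server.
Added example with a constructed message; domains are placeholders."""
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed message: From: claims a news agency, but the bounce address and
# the SPF check recorded by the receiving MX point somewhere else entirely.
SPOOFED_MESSAGE = """\
Return-Path: <bulk@mail.example.org>
Received: from mail.example.org (mail.example.org [203.0.113.7])
 by mx.example.net with ESMTP; Mon, 1 Jan 2024 09:00:00 +0000
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mail.example.org
From: "Newswire Desk" <desk@newswire.example.com>
To: investor@example.net
Subject: Urgent: company results

The company is performing very badly. Sell now.
"""

# Constructed message where the envelope sender, From: and SPF agree.
LEGIT_MESSAGE = """\
Return-Path: <desk@newswire.example.com>
Received: from mail.newswire.example.com (mail.newswire.example.com [203.0.113.9])
 by mx.example.net with ESMTP; Mon, 1 Jan 2024 09:05:00 +0000
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=newswire.example.com
From: "Newswire Desk" <desk@newswire.example.com>
To: investor@example.net
Subject: Daily bulletin

Markets closed flat today.
"""


def sender_domain(header_value: str) -> str:
    """Return the lower-cased domain of an address header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def spf_result(auth_results: str) -> str:
    """Extract the spf=<verdict> token from an Authentication-Results header."""
    match = re.search(r"\bspf=(\w+)", auth_results or "", re.IGNORECASE)
    return match.group(1).lower() if match else "none"


def spoofing_indicators(raw_message: str) -> list[str]:
    """Return the reasons a message looks spoofed; an empty list means clean.

    The domain comparison is strict (exact match), which is tighter than
    DMARC's relaxed alignment; loosen it if subdomain senders are expected."""
    msg = message_from_string(raw_message)
    from_dom = sender_domain(msg.get("From"))
    envelope_dom = sender_domain(msg.get("Return-Path"))
    reasons = []
    if not from_dom:
        reasons.append("missing or unparsable From: header")
    if from_dom and envelope_dom and from_dom != envelope_dom:
        reasons.append(
            f"From: domain {from_dom} differs from envelope sender {envelope_dom}")
    spf = spf_result(msg.get("Authentication-Results"))
    if spf != "pass":
        reasons.append(f"SPF result is '{spf}', not 'pass'")
    return reasons


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(name, spoofing_indicators(raw) or "no indicators")
```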
6. Cyber Defamation
• This occurs when defamation takes place with the help of computers and / or the
Internet.
• E.g. someone publishes defamatory matter about someone on a website or sends e-mails
containing defamatory information to all of that person's friends.
7. Cyber stalking
• The Oxford dictionary defines stalking as "pursuing stealthily".
• Cyber stalking involves following a person's movements across the Internet by posting
messages (sometimes threatening) on the bulletin boards frequented by the victim,
entering the chat-rooms frequented by the victim, constantly bombarding the victim with
emails, etc.
8. Unauthorized access to computer systems or networks
• This activity is commonly referred to as hacking. Indian law has, however, given a
different connotation to the term hacking, so the term "unauthorized access" is
used interchangeably with the term "hacking".
Theft of information contained in electronic form
• This includes information stored on computer hard disks, removable storage media, etc.
Email bombing
• Email bombing refers to sending a large number of emails to the victim, resulting in
the victim's email account (in the case of an individual) or mail servers (in the case of a
company or an email service provider) crashing.
9. Data diddling
• This kind of attack involves altering raw data just before it is processed by a
computer and then changing it back after the processing is completed.
• E.g. Electricity Boards in India have been victims of data diddling programs inserted
when private parties were computerizing their systems.
10. Salami attacks
• These attacks are used for the commission of financial crimes. The key here is to make
the alteration so insignificant that in a single case it would go completely unnoticed.
E.g. a bank employee inserts a program into the bank's servers that deducts a small
amount of money (say Rs. 5 a month) from the account of every customer. No account
holder will probably notice this unauthorized debit, but the bank employee will make
a sizable amount of money every month.
• Logic bombs are programs which are activated on the occurrence of a particular
predefined event.
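The salami example above is invisible per account but visible in aggregate, so a reconciliation check should group small debits by narration and amount across accounts rather than look at any one statement. The following detector is an added example, not from the course notes; the ledger rows, the Rs. 10 "negligible" threshold and the 20-account cut-off are constructed values.

```python
"""Detect a salami pattern in a debit ledger: the same tiny amount, with the
same narration, taken from many different accounts.  Added example with a
constructed ledger; thresholds are illustrative, not from any bank."""
from collections import defaultdict
from decimal import Decimal

# Constructed ledger rows: (account_id, narration, amount_in_rupees).
# Ordinary activity on a few accounts plus a Rs. 5 "SERVICE ADJ" skim on 40.
LEDGER = [(f"ACC{n:04d}", "ATM WITHDRAWAL", Decimal("2000.00")) for n in range(1, 11)]
LEDGER += [(f"ACC{n:04d}", "SMS CHARGES", Decimal("15.00")) for n in range(1, 6)]
LEDGER += [(f"ACC{n:04d}", "SERVICE ADJ", Decimal("5.00")) for n in range(1, 41)]

SMALL_AMOUNT = Decimal("10.00")   # a debit no single customer is likely to query
MIN_ACCOUNTS = 20                 # spread over this many accounts it looks systematic


def find_salami_patterns(ledger, small_amount=SMALL_AMOUNT, min_accounts=MIN_ACCOUNTS):
    """Return (narration, amount, account_count, total) for every small debit
    that recurs with identical narration across at least `min_accounts`
    distinct accounts, largest aggregate first.

    Decimal is used throughout so that the per-account skim and its total are
    exact; float arithmetic would itself hide rounding "crumbs"."""
    accounts_by_key = defaultdict(set)
    for account, narration, amount in ledger:
        if Decimal("0") < amount <= small_amount:
            accounts_by_key[(narration, amount)].add(account)
    findings = []
    for (narration, amount), accounts in accounts_by_key.items():
        if len(accounts) >= min_accounts:
            findings.append((narration, amount, len(accounts), amount * len(accounts)))
    findings.sort(key=lambda finding: finding[3], reverse=True)
    return findings


if __name__ == "__main__":
    for narration, amount, count, total in find_salami_patterns(LEDGER):
        print(f"{narration}: Rs. {amount} x {count} accounts = Rs. {total}")
```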
11. Denial of Service attack
• This involves flooding a computer resource with more requests than it can handle. This
causes the resource (e.g. a web server) to crash, thereby denying authorized users the
service offered by the resource. Another variation of a typical denial of service attack
is known as a Distributed Denial of Service (DDoS) attack, wherein the perpetrators are
many and are geographically widespread. It is very difficult to control such attacks.
The attack is initiated by sending excessive demands to the victim's computer(s),
exceeding the limit that the victim's servers can support and making the servers crash.
12. Trojan attacks
A Trojan, as this program is aptly called, is an unauthorized program which functions
from inside what seems to be an authorized program, thereby concealing what it is
actually doing.
Internet time theft: This connotes the usage by an unauthorized person of the Internet
hours paid for by another person.
Web Jacking: This occurs when someone forcefully takes control of a website (by cracking
the password and later changing it). The actual owner of the website no longer has any
control over what appears on that website.
3.2 CYBER OFFENSES
HACKING
• Hacking is identifying weaknesses in computer systems or networks and exploiting those
weaknesses to gain access. Example of hacking: using a password-cracking algorithm to
gain access to a system.
• Computers have become mandatory to run a successful business. It is not enough to
have isolated computer systems; they need to be networked to facilitate
communication with external businesses. This exposes them to the outside world and to
hacking.
• Hacking means using computers to commit fraudulent acts such as fraud, privacy
invasion, stealing corporate/personal data, etc.
• Cybercrimes cost many organizations millions every year. Businesses need
to protect themselves against such attacks.
• A hacker is a person who finds and exploits weaknesses in computer systems and/or
networks to gain access. Hackers are usually skilled computer programmers with
knowledge of computer security.
• Hackers are classified according to the intent of their actions.
The following is the classification of hackers according to their intent.
1. Ethical Hacker (White hat): A hacker who gains access to systems with a view to fixing
the identified weaknesses. They may also perform penetration testing and
vulnerability assessments.
2. Cracker (Black hat): A hacker who gains unauthorized access to computer systems for
personal gain. The intent is usually to steal corporate data, violate privacy rights,
transfer funds from bank accounts, etc.
3. Grey hat: A hacker who is in between ethical and black hat hackers. He/she breaks
into computer systems without authority with a view to identifying weaknesses and
revealing them to the system owner.
4. Script kiddies: A non-skilled person who gains access to computer systems using
ready-made tools.
5. Hacktivist: A hacker who uses hacking to send social, religious, political, etc.
messages. This is usually done by hijacking websites and leaving the message on the
hijacked website.
6. Phreaker: A hacker who identifies and exploits weaknesses in telephone systems instead of
computers.
CYBER CRIMINALS
• A cybercriminal is an individual who commits cybercrimes, where he/she makes use of
the computer either as a tool, as a target or as both.
• Cybercriminals use computers in three broad ways:
1. Select the computer as their target: These criminals attack other people's computers to
perform malicious activities, such as spreading viruses, data theft, identity theft, etc.
2. Use the computer as their weapon: They use the computer to carry out "conventional
crime", such as spam, fraud, illegal gambling, etc.
3. Use the computer as their accessory: They use the computer to store stolen or illegal data.
1. Hacker:
• The term hacker may refer to anyone with technical skills; however, it typically refers to
an individual who uses his or her skills to achieve unauthorized access to systems or
networks so as to commit crimes.
• The intent of the break-in determines the classification of those attackers as white, gray
or black hats. White hat attackers break into networks or PC systems to find weaknesses so
as to improve the protection of those systems.
(a) White Hat Hackers
These hackers use their programming skills for a good and lawful reason. These
hackers may perform network penetration tests in an attempt to compromise networks
to discover network vulnerabilities. Security vulnerabilities are then reported to
developers to fix them.
(b) Gray Hat Hackers
These hackers carry out violations and do seemingly deceptive things, however not for
personal gain or to cause harm. These hackers may disclose a vulnerability to the
affected organization after having compromised its network.
(c) Black Hat Hackers
These hackers are unethical criminals who violate network security for personal gain.
They exploit vulnerabilities to compromise computer systems.
2. Organized Hackers:
These criminals include organizations of cyber criminals, hacktivists, terrorists and
state-sponsored hackers. Cyber criminals are typically teams of skilled criminals
focused on control, power and wealth. These criminals are extremely sophisticated and
organized, and may even offer crime as a service. These attackers are usually
highly trained and well-funded.
3. Internet stalkers
Internet stalkers are people who maliciously monitor the web activity of their victims
to acquire personal data. This type of cybercrime is conducted through the use of
social networking platforms and malware that are able to track an individual's PC
activity with little or no detection.
4. Disgruntled Employees
• Disgruntled employees become hackers with a particular motive and also commit
cybercrimes.
• It is hard to believe that dissatisfied employees can become such malicious hackers.
In earlier times, their only option was going on strike against their employers.
• But with the advancement of technology, the increase in computer-based work and
the automation of processes, it is simple for disgruntled employees to do more
damage to their employers and organization by committing cybercrimes.
• Attacks by such employees can bring the entire system down.
CYBERCRIMINALS BEHAVIOUR (How cyber criminals plan cyber-attacks)
• Cyber criminals use many tools and methods to locate the vulnerabilities of their victim. The
victim can be an individual and/or an organization.
• Criminals plan either passive attacks or active attacks.
• Attackers can also be categorized as inside attackers or outside attackers.
• An attack performed from within the organization is called an inside attack, whereas an
attacker who gets information from outside carries out an outside attack.
• Inside attacks are always more dangerous than outside ones, because inside attackers
have access to more resources than outsiders.
The following three major phases are involved in the planning of a cybercrime:
1. Reconnaissance (gathering information)
2. Scanning and scrutinizing the gathered information
3. Launching an attack
(1) RECONNAISSANCE:
• This is the first step towards a cyber-attack, and it is a kind of passive attack. "Reconnaissance"
means an act of reconnoitering. In this phase the attacker tries to explore and gain every possible
piece of information about the target.
• In the hacking world, hacking starts with "footprinting". Footprinting provides the overall system
structure, loopholes and the exploration of those vulnerabilities. The attacker uses this phase to
understand the system, personal information, network ports and services.
Cyber attackers use two steps to gather this information.
(a) Passive Attacks: Passive attacks are used to gain information about an individual or organization.
They exploit confidential information. Passive attacks involve gathering data about a target without
the target's knowledge. Nowadays passive attacks are much easier:
• Use Google or another search engine: Gather information by searching on Google.
• Social media: Search on social media like Facebook, Twitter and LinkedIn.
• Use the privacy settings in social media properly to avoid this.
• Organization website: The attacker may get employee information from the organization's
website.
• Blogs or press releases: These are new sources where an attacker easily gets company or
individual information.
• Job postings: Job profiles provide valuable information about a person, and a job
profile for a technical position can give data about the type of technology, that is, software,
servers, databases or network devices, a company is using on its network.
• Network sniffing: This attack is used to gather information such as IP addresses, network
ranges, hidden servers and other valuable services on the network.
(b) Active attacks: Active attacks are mostly used to manipulate or alter the system. They may affect
the integrity, authenticity and availability of data. Information from the passive phase acts as
input to the active phase. In this phase the attacker verifies the gathered information (IP addresses,
network range, hidden servers, personal information). This is very important from the cyber attacker's point of
view, as it reveals the security measures in place.
(2) SCANNING AND SCRUTINIZING
In this phase the attacker checks the validity of the information and finds existing vulnerabilities.
It is the key phase before the actual attack happens.
• Port scanning: Identify all ports and services (open / closed).
• Network scanning: Verify IP addresses and network information before the cyber attack.
• Vulnerability scanning: Check for loopholes in the system.
The scrutinizing phase is also called enumeration:
• Validate user accounts and groups.
• Find out the list of network resources and how many network devices are shared.
• Identify the different types of OS and applications.
(3) LAUNCHING AN ATTACK
Using the information from step two, the actual attack is launched to gain system access. Once step
two is complete, the cyber attacker is ready to launch the attack.
1. Crack the password.
2. Exploit the privilege.
3. Execute malicious commands.
4. Hide the files.
5. Final but most important: cover the tracks.
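The scanning phase above leaves a distinctive trace on the defender's side: one source address touching many different ports on a host inside a short window. The following detector runs that check over firewall deny logs; it is an added example, not from the course notes, and the log line format, the addresses (RFC 5737 documentation ranges) and the 15-ports-in-60-seconds threshold are all constructed.

```python
"""Detect port-scan reconnaissance in firewall deny logs: a single source
hitting many distinct destination ports on one host within a time window.
Added example; log format, addresses and thresholds are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed deny-log lines in a simple "<timestamp> DENY <src> -> <dst>:<port>" layout.
SCANNER_LINES = [
    f"2024-01-01T10:00:{i:02d} DENY 203.0.113.10 -> 192.0.2.5:{20 + i}"
    for i in range(25)          # ports 20..44 probed within 25 seconds
]
REPEATER_LINES = [
    f"2024-01-01T10:02:{i:02d} DENY 198.51.100.4 -> 192.0.2.5:443"
    for i in range(30)          # same port 30 times: noisy, but not a scan
]
LOG_LINES = SCANNER_LINES + REPEATER_LINES + ["malformed line that does not parse"]

LINE_RE = re.compile(r"^(\S+) DENY (\S+) -> (\S+):(\d+)$")


def parse_line(line):
    """Return (timestamp, src, dst, port) for a well-formed line, else None."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts_text, src, dst, port = match.groups()
    return datetime.fromisoformat(ts_text), src, dst, int(port)


def detect_port_scans(lines, window=timedelta(seconds=60), min_ports=15):
    """Return {(src, dst): peak_distinct_ports} for every source/destination
    pair that touched at least `min_ports` distinct ports inside `window`.

    A sliding window over the time-sorted events keeps a Counter of ports
    currently inside the window, so repeated hits on one port never count
    as more than one."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, port = parsed
            events[(src, dst)].append((ts, port))

    findings = {}
    for pair, evs in events.items():
        evs.sort()
        in_window = Counter()
        left = 0
        for ts, port in evs:
            in_window[port] += 1
            # Slide the left edge forward until every event is within `window`.
            while ts - evs[left][0] > window:
                old_port = evs[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            distinct = len(in_window)
            if distinct >= min_ports:
                findings[pair] = max(findings.get(pair, 0), distinct)
    return findings


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(LOG_LINES).items():
        print(f"possible port scan: {src} -> {dst}, {ports} distinct ports in window")
```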
ATTACK VECTOR
• An attack vector is a path or means by which an attacker can gain unauthorized access to
a computer or network to deliver a payload or malicious outcome.
• Attack vectors allow attackers to exploit system vulnerabilities, install different types of
malware and launch cyber-attacks.
• Attack vectors can also be exploited to gain access to sensitive data, personally
identifiable information (PII) and other sensitive information, which would result in
a data breach.
• Common attack vectors include malware, viruses, email attachments, web pages, pop-ups,
instant messages, text messages and social engineering.
COMMON ATTACK VECTORS
Compromised credentials: Usernames and passwords are still the most common type of
access credential and continue to be exposed in data leaks, phishing scams and
by malware. When lost, stolen or exposed, credentials give attackers unfettered access.
Weak credentials: Weak passwords and reused passwords mean one data breach can
result in many more. Teach your organization how to create a secure password, invest in
a password manager or a single sign-on tool, and educate staff on their benefits.
Malicious insiders: Disgruntled employees can expose private information or provide
information about company specific vulnerabilities.
Missing or poor encryption: Common encryption methods like SSL
certificates and DNSSEC can prevent man-in-the-middle attacks and protect the
confidentiality of data being transmitted. Missing or poor encryption for data at rest can
mean that sensitive data or credentials are exposed in the event of a data breach.
Misconfiguration: Misconfiguration of cloud services, like Google Cloud
Platform, Microsoft Azure or AWS, or using default credentials can lead to data breaches
and data leaks; check your S3 permissions or someone else will. Automate configuration
management where possible to prevent configuration drift.
Ransomware: Ransomware is a form of extortion where data is deleted or encrypted
unless a ransom is paid. Minimize the impact of ransomware attacks by keeping your
systems patched and backing up important data.
Phishing: Phishing is a social engineering technique where the target is contacted by
email, telephone or text message by someone posing as a legitimate colleague
or institution to trick them into providing sensitive data, credentials or personally
identifiable information (PII).
Vulnerabilities: New vulnerabilities are added to CVE every day and zero-day
vulnerabilities are found just as often. If a developer has not released a patch for a zero-
day vulnerability before an attack can exploit it, it can be hard to prevent.
Brute force: Brute force attacks are based on trial and error. Attackers may continuously
try to gain access to your organization until one attack works. This could be by attacking
weak passwords or encryption, phishing emails or sending infected email attachments
containing a type of malware.
Distributed Denial of Service (DDoS): DDoS attacks are cyber-attacks against networked
resources like data centers, servers or websites, and can limit the availability of a computer
system. The attacker floods the network resource with messages which cause it to slow
down or even crash, making it inaccessible to users. Potential mitigations include CDNs
and proxies.
SQL injections: SQL stands for structured query language, a programming language used
to communicate with databases. Many of the servers that store sensitive data use SQL to
manage the data in their database. An SQL injection uses malicious SQL to get the server
to expose information it otherwise wouldn't. This is a huge cyber risk if the database
stores customer information, credit card numbers, credentials or other personally
identifiable information (PII).
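The SQL injection entry above in code: a customer lookup that concatenates user input into the query beside the parameterised form that binds it as data. This is an added example, not code from the course notes; the in-memory SQLite table and its rows are constructed.

```python
"""A customer lookup built by string concatenation (injectable) beside the
parameterised form.  Added example with a constructed in-memory table."""
import sqlite3


def make_db():
    """Constructed customer table holding the kind of PII the notes warn about."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"), ("carol", "3333")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Untrusted input is spliced into the SQL text, so a quote character in
    `username` ends the string literal and the rest becomes part of the
    WHERE clause: the server returns rows it was never meant to expose."""
    sql = f"SELECT username, card_last4 FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """The same query with a bound parameter: the driver sends the whole
    input as a value, so it is only ever compared against the column."""
    sql = "SELECT username, card_last4 FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology input: makes the concatenated WHERE clause always true.
TAUTOLOGY_INPUT = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input :", lookup_vulnerable(db, "alice"))
    print("vulnerable, crafted input:", lookup_vulnerable(db, TAUTOLOGY_INPUT))
    print("safe, crafted input      :", lookup_safe(db, TAUTOLOGY_INPUT))
```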
Trojans: Trojan horses are malware that misleads users by pretending to be a legitimate
program and are often spread via infected email attachments or fake software.
Cross-site scripting (XSS): XSS attacks involve injecting malicious code into a website, but
the website itself is not being attacked; rather, the attack aims to impact the website's visitors. A
common way attackers deploy cross-site scripting attacks is by injecting malicious
code into a comment, e.g. embedding a link to malicious JavaScript in a blog post's comment
section.
Session hijacking: When you log into a service, it generally provides your computer with
a session key or cookie so you don't need to log in again. This cookie can be hijacked by
an attacker who uses it to gain access to sensitive information.
Man-in-the-middle attacks: Public Wi-Fi networks can be exploited to perform man-in-
the-middle attacks and intercept traffic that was supposed to go elsewhere, such as when
you log into a secure system.
Third- and fourth-party vendors: The rise in outsourcing means that your vendors pose a
huge cybersecurity risk to your customers' data and your proprietary data. Some of
the biggest data breaches were caused by third parties.
CLARIFICATION OF TERMS
• Many debates rage over the appropriate codification of crime committed via electronic
means, and controversy surrounds the actual semantics associated with the phenomenon.
• For clarification purposes, then, it is necessary to define the historical usage of terms
associated with technological or electronic crimes.
1. Computer Crime—a general term that has been used to denote any criminal act which
has been facilitated by computer use. Such generalization has included both Internet
and non-Internet activity. Examples include theft of components, counterfeiting,
digital piracy or copyright infringement, hacking, and child pornography.
2. Computer-related crime—a broad term used to encompass those criminal activities
in which a computer was peripherally involved. Examples include traditional book-
making and theft.
3. Digital Crime—a term used to refer to any criminal activity which involves the
unauthorized access, dissemination, manipulation, destruction, or corruption of
electronically stored data.
4. Cybercrime—a specific term used to refer to any criminal activity which has been
committed through or facilitated by the Internet.
• Computer crime has traditionally been defined as any criminal act committed via
computer.
• Computer-related crime has been defined as any criminal act in which a computer is
involved, even peripherally.
• Cybercrime has traditionally encompassed abuses and misuses of computer systems or
computers connected to the Internet which result in direct and/or concomitant losses.
• Finally, digital crime, a relatively new term, includes any criminal activity which involves
the unauthorized access, dissemination, manipulation, destruction, or corruption of
electronically stored data.
• As data may be accessed or stored in a variety of ways and in a variety of locations, digital
crime may be characterized according to those characteristics.
• While computer crime and computer-related crime will be used interchangeably,
cybercrime will only be used to describe that criminal activity which has been facilitated
via the Internet.
• While it is desirable to establish an environment where computers are viewed as
potential evidence containers in any case, to redefine traditional predatory crime as
cybercrime or computer crime is absurd.
TRADITIONAL PROBLEMS ASSOCIATED WITH COMPUTER CRIME
(1) Recognizing the Criminal
• Individuals intent on crime have always displayed a remarkable ability to adapt to
changing technologies, environments and lifestyles.
• This adaptability has often placed law enforcement at a disadvantage, struggling to keep
up with criminal innovations.
• Indeed, the law enforcement community has often failed to recognize the criminal
potential of emerging technologies until it is almost too late. This trend has proven to
be true in contemporary society.
• Much computer-related crime involves non-specialist users (e.g. child pornographers,
narcotics traffickers and predators).
• In fact, the earliest computer crimes were characterized as non-technological. Theft of
computer components and software piracy were particular favorites. Hacking, DDoS
attacks, phishing, botnets and other technologically complicated computer crimes came
later.
(2) Information Retrieval
• The increasing volume of potential data to examine can create problems for law
enforcement. Collecting the specific, probative and crime-related information from a very
large group of files is a challenging issue.
(3) Data Representation: Understanding the raw data and its structure
• The technical challenges faced in data investigation include:
1. Complexity problem – acquired data is typically at the lowest level and in raw format.
2. Quantity problem – the sheer volume of data to analyse.
3. File allocation and storage structure – The FAT file system is still used in many
computers and is broken up into three main areas:
a) Boot sector – contains the addresses and sizes of the structures in the specific file
system.
b) FAT – File Allocation Table.
c) Data area – divided into consecutive sectors called clusters. Clusters store the
contents of a file or directory.
(4) Data privacy issues
• Although digital evidence is not unique with regard to relevancy and materiality, there
is still a challenge involved. Digital evidence can be easily duplicated and modified
without leaving any trace.
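The three FAT areas listed above are located from a handful of fields in the boot sector's BIOS Parameter Block, and an examiner needs those fields to turn a cluster number from the FAT into a sector offset on the image. The parser below is an added example, not from the course notes; the 512-byte boot sector it reads is constructed (a floppy-sized FAT12 volume), not taken from a real image.

```python
"""Locate the boot sector, FAT area and data area of a FAT volume from its
BIOS Parameter Block and map a cluster number to its first sector.
Added example; the boot sector is constructed, not from a real image."""
import struct

# BPB fields at offset 11, little-endian, no padding:
# bytes/sector (H), sectors/cluster (B), reserved sectors (H), FAT copies (B),
# root dir entries (H), total sectors (H), media byte (B), sectors per FAT (H).
BPB_FORMAT = "<HBHBHHBH"
BPB_OFFSET = 11


def build_boot_sector(bytes_per_sector=512, sectors_per_cluster=1, reserved=1,
                      fats=2, root_entries=224, total_sectors=2880, sectors_per_fat=9):
    """Assemble a constructed boot sector; defaults describe a 1.44 MB FAT12 floppy."""
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x3C\x90"                 # jump instruction
    sector[3:11] = b"MSWIN4.1"                    # OEM name
    struct.pack_into(BPB_FORMAT, sector, BPB_OFFSET, bytes_per_sector,
                     sectors_per_cluster, reserved, fats, root_entries,
                     total_sectors, 0xF0, sectors_per_fat)
    sector[510:512] = b"\x55\xAA"                 # boot signature
    return bytes(sector)


def parse_boot_sector(sector):
    """Return the sector ranges [start, end) of each FAT area plus the
    geometry needed for cluster arithmetic.  Raises ValueError on an image
    that lacks the 0x55AA signature or has an implausible sector size."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    (bps, spc, reserved, fats, root_entries,
     total_sectors, _media, spf) = struct.unpack_from(BPB_FORMAT, sector, BPB_OFFSET)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or fats == 0:
        raise ValueError("implausible BPB geometry")
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps   # FAT12/16 only
    fat_start = reserved
    fat_end = reserved + fats * spf
    first_data_sector = fat_end + root_dir_sectors
    return {
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "boot_area": (0, fat_start),              # a) boot sector + reserved
        "fat_area": (fat_start, fat_end),         # b) the FAT copies
        "root_dir": (fat_end, first_data_sector), # fixed root directory
        "data_area": (first_data_sector, total_sectors),  # c) clusters
        "first_data_sector": first_data_sector,
    }


def cluster_to_sector(layout, cluster):
    """Cluster numbering starts at 2; clusters 0 and 1 are reserved entries."""
    if cluster < 2:
        raise ValueError("data clusters are numbered from 2")
    return layout["first_data_sector"] + (cluster - 2) * layout["sectors_per_cluster"]


if __name__ == "__main__":
    layout = parse_boot_sector(build_boot_sector())
    for name in ("boot_area", "fat_area", "root_dir", "data_area"):
        print(f"{name:10s} sectors {layout[name][0]:5d} .. {layout[name][1] - 1:5d}")
    print("cluster 2 starts at sector", cluster_to_sector(layout, 2))
```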
3.3 INTRODUCTION TO INCIDENT RESPONSE
 Incident response (IR) is a structured methodology for handling security incidents,
breaches and cyber threats.
 A well-defined incident response plan allows an organization to identify an attack,
minimize the damage and reduce the cost of a cyber-attack, while finding and fixing the
cause to prevent future attacks.
 Incident management refers to the handling of any type of service disruption or
interruption. It includes preventing and handling computer security incidents.
 The primary focus is identifying and minimizing the impact of technical vulnerabilities in
software or hardware that may expose the computing infrastructure to attack or
compromise, thereby causing incidents.
 A computer security incident is any adverse event that compromises some aspect of
computer or network security. An event is an occurrence in a system that is relevant to
the security of that system.
 Incidents include, but are not limited to:
1. Loss of computing devices
2. Detection or discovery of a program agent such as a virus, keystroke logger, etc.
3. Detection or discovery of unauthorized users
4. Detection or discovery of a critical or widespread vulnerability, misconfiguration, etc.
5. Misconfiguration that leads to a compromise affecting the “confidentiality” or
“availability” of information.
 From the risk perspective, cyber security incidents are classified as:
1. High-risk incident
2. Low-risk incident
 An incident is high-risk when it meets any one of the following criteria; otherwise it is a
low-risk incident:
1. Involves a keylogger, rootkit, remote access agent, password cracking agent or a new
threat from an unknown vector.
2. Involves a server with the loss of confidential or operationally critical data.
 Based on the impact and urgency of the incident, a priority level for the incident is
determined:
1. High priority incident – Incidents having a huge impact on the organization’s business or
service to customers.
2. Medium priority incident – Incidents having a significant impact, or the potential
for a huge impact, on the organization’s business or service to customers.
3. Low priority incident – Incidents having a minimal impact on the organization’s
business or service to customers.
EVIDENCE
Evidence means or includes:
1. Oral Evidence – All statements which the court permits or requires to be made before
it by witnesses, in relation to matters of fact under inquiry.
2. Documentary Evidence – All documents that are produced for the inspection of the
court.
3. Digital Evidence – A new breed of evidence which, by its very nature, is developed using
tools other than the human eye. Digital evidence work involves data acquisition,
preservation, recovery and analysis in matters such as intellectual property theft, computer
misuse, corporate policy violation, malicious software/applications, system intrusion and
compromise, deleted and hidden file recovery, pornography, confidential
information leakage, etc.
Contexts involved in actually identifying digital evidence:
1. Physical Context – It must be definable in its physical form, that is, it should reside on
a specific piece of media.
2. Logical Context – It must be identifiable as to its logical position, that is, where it
resides relative to the file system.
3. Legal Context – It must be placed in the correct context to read its meaning. This may
require looking at the evidence as machine language, e.g. ASCII.
DIGITAL FORENSICS
 Forensics means a “characteristic of evidence” that satisfies its suitability for admission
as fact and its ability to persuade based upon proof or a high statistical confidence level.
 Computer Forensics is the lawful and ethical seizure, acquisition, analysis, reporting and
safeguarding of data and metadata derived from digital devices which may contain
information that is notable and perhaps of evidentiary value to the trier of fact in
meaningful administrative, civil and criminal investigations.
 Digital Forensics is the use of scientifically derived and proven methods towards the
identification, collection, validation, analysis, interpretation, preservation,
documentation and presentation of digital evidence derived from digital sources, for the
purpose of facilitating or furthering the reconstruction of events found to be criminal, or
helping to anticipate unauthorized actions shown to be disruptive to planned operations.
DIGITAL FORENSICS – TYPES
Digital forensics is a constantly evolving scientific field with many sub-disciplines. Some of
these sub-disciplines are:
1. Computer Forensics – the identification, preservation, collection, analysis and
reporting on evidence found on computers, laptops and storage media in support of
investigations and legal proceedings.
2. Network Forensics – the monitoring, capture, storing and analysis of network activities
or events in order to discover the source of security attacks, intrusions or other
problem incidents, e.g. worm, virus or malware attacks, abnormal network traffic and
security breaches.
3. Mobile Device Forensics – the recovery of electronic evidence from mobile phones,
smartphones, SIM cards, PDAs, GPS devices, tablets and game consoles.
4. Digital Image Forensics – the extraction and analysis of digitally acquired photographic
images to validate their authenticity by recovering the metadata of the image file to
ascertain its history.
5. Digital Video/Audio Forensics – the collection, analysis and evaluation of sound and
video recordings. The science is the establishment of authenticity as to whether a
recording is original and whether it has been tampered with, either maliciously or
accidentally.
6. Memory forensics – the recovery of evidence from the RAM of a running computer,
also called live acquisition.
ROLE OF DIGITAL FORENSICS
 In general, the role of digital forensics is to:
1. Uncover and document evidence and leads
2. Corroborate (verify) evidence discovered in other ways
3. Assist in showing a pattern of events
4. Connect attack and victim computers
5. Reveal an end-to-end path of events leading to a compromise attempt, successful or
not.
6. Extract data that may be hidden, deleted or otherwise not directly available.
DIGITAL FORENSICS LIFE CYCLE
 The digital forensics process needs to be understood in its legal context, starting from
preparation of the evidence and ending with testifying.
 Digital forensics evidence consists of exhibits, each consisting of a sequence of bits,
presented by witnesses in a legal matter to help jurors establish the facts of the case
and support or refute the legal theories of the case.
 These exhibits should be introduced and presented and/or challenged by properly
qualified people using a properly applied methodology that addresses the legal
theories at issue.
DIGITAL FORENSICS PROCESS - PHASES
 The Digital forensics life cycle involves the following phases:
1. Preparation and Identification
2. Collection and recording
3. Storing and transporting
4. Examination/investigation
5. Analysis, Interpretation and attribution
6. Reporting
7. Testifying.
Phase – 1: Preparing for the Evidence and Identifying the Evidence
 This is the first step in the forensic process. The identification process mainly covers
what evidence is present, where it is stored and, lastly, how it is stored (in which
format).
 First, the evidence must be identified as evidence. The challenges include:
o There is an enormous amount of potential evidence available for a legal matter.
o The majority of the potential evidence may never get identified.
 Under this phase, the professionals search for the devices involved in carrying out the
crime.
 Consider every sequence of events within a computer that causes interaction with
files and the file system, with other processes and programs that are executing, and with
the log files and audit trails those programs produce and manage.
Phase – 2: Collecting and Recording Digital Evidence
 After the search and seizure phase, professionals use the acquired devices to collect data.
 They follow well-defined forensic methods for evidence handling.
 Digital evidence can be collected from many sources. Obvious sources include
computers, mobile phones, digital cameras, HDDs, CD-ROMs, USB memory devices and so
on. Non-obvious sources include the settings of a digital thermometer, the black box inside
an automobile, RFID tags, web pages, etc.
 In order to detect any change that has taken place, or to prove that the data is still in
its original state, calculate a cryptographic hash of each evidence file at the time of
collection and record that hash value.
Phase – 3: Storing and Transporting Digital Evidence
 The forensic staff should have access to a safe environment where they can secure the
evidence.
 They determine whether the collected data is accurate, authentic and accessible. As
evidence is a fragile form of data, it can be altered and damaged easily.
 It is crucial that professionals handle digital evidence with care.
Practices to be followed in handling digital evidence:
1. Image computer media using a write-protected tool to ensure that no data is added
to the suspect device.
2. Establish and maintain the chain of custody.
3. Document everything that has been done.
4. Use tools and methods that have been tested and evaluated.
 Storage of the digital media involves any number of requirements, ranging over
temperature, humidity, power supply level, etc.
 Sometimes evidence must be transported from place to place with adequate care. Digital
evidence can generally be transported by making exact bit-level duplicates of
the original content.
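The hash-and-record step from Phase 2 and the imaging, chain-of-custody and bit-level-duplicate practices above fit together in one workflow. The following Python is an added example, not code from these notes: it makes a byte-exact copy of a (constructed) evidence file, hashes source and image with SHA-256, keeps a chain-of-custody log that re-hashes the image at every hand-over, and shows that a single appended byte is caught at verification. The file names, the examiner and courier identities and the content are all made up for the example; a real acquisition reads the device through a write blocker rather than `shutil.copyfile`.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20   # hash 1 MiB at a time so a multi-GB image never has to fit in memory


def sha256_file(path: str) -> str:
    """Cryptographic hash of a file's full content; any changed bit changes the digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def log_custody(record: dict, actor: str, action: str) -> None:
    """Append a chain-of-custody entry, re-hashing the image at every hand-over."""
    record["custody"].append({
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "actor": actor,
        "action": action,
        "sha256_at_handover": sha256_file(record["image"]),
    })


def acquire_image(source: str, image: str, examiner: str) -> dict:
    """Bit-for-bit copy of `source` to `image`; both sides are hashed and must agree."""
    source_hash = sha256_file(source)
    shutil.copyfile(source, image)      # byte-exact copy; a real acquisition reads the
                                        # device through a write blocker (practice 1 above)
    if sha256_file(image) != source_hash:
        raise RuntimeError("acquired image does not match the source")
    record = {"source": source, "image": image,
              "size_bytes": os.path.getsize(image),
              "sha256": source_hash, "custody": []}
    log_custody(record, examiner, "acquired image and recorded reference hash")
    return record


def verify_image(record: dict) -> bool:
    """True only if the image still hashes to the value recorded at acquisition."""
    return sha256_file(record["image"]) == record["sha256"]


def demo() -> tuple:
    """Acquire, hand over, verify, then show that tampering is detected."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "suspect_usb.bin")       # constructed, not a real device
        with open(source, "wb") as f:
            f.write(b"constructed evidence content, not a real device\n" * 2000)
        record = acquire_image(source, os.path.join(work, "suspect_usb.dd"), "examiner A")
        log_custody(record, "courier B", "transported image to lab")
        intact = verify_image(record)
        with open(record["image"], "ab") as f:               # simulate one appended byte
            f.write(b"\x00")
        tampering_detected = not verify_image(record)
        manifest = json.dumps(record, indent=2)              # filed alongside the exhibit
        return intact, tampering_detected, len(record["custody"]), manifest


if __name__ == "__main__":
    print(demo()[3])
```

The manifest that `demo()` returns is the document an examiner would print and sign: the reference hash ties every later copy back to the original, and each custody entry carries the hash observed at that hand-over, so a mismatch can be localised to the hand-over where it first appeared.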
Phase – 4: Examining and Investigating Digital Evidence
 Traditionally, computer forensics investigations were performed on data at rest, known
as dead analysis; performing analysis on a live system is known as live analysis.
 Computer forensics software packages convert an entire digital medium into a single
searchable file called an ‘image’.
 During imaging, a write-blocked device or application is normally used to ensure that
no information is introduced onto the evidentiary media during the forensic process.
Phase – 5: Analysis, Interpretation and Attribution
 All digital evidence must be analysed to determine the type of information that
is stored on it.
 Typical forensic analysis includes a manual review of material on the media; an example
of OS-specific investigation is reviewing the Windows registry.
 Types of digital analysis:
1. Media Analysis
2. Media Management Analysis
3. File System Analysis
4. Application Analysis
5. Network Analysis
6. Image Analysis
7. Video Analysis.
Phase – 6: Reporting
 Once the analysis is complete, a report is generated. The report may be in written form
or oral testimony, or it may be a combination of the two.
 Finally, evidence, analysis, interpretation and attribution must ultimately be presented
in the form of expert reports, depositions and testimony.
 The major elements of the report are:
1. Identity of the reporting agency
2. Case Identifier and submission number
3. Case Investigation
4. Identity of the submitter
5. Date of receipt
6. Date of report
7. Descriptive list of items submitted for examination, including serial number, make and model
8. Identity and Signature of the examiner
9. Description of steps taken during examination
10. Results and Conclusion.
Phase – 7: Testifying
 This phase involves the presentation and cross-examination of expert witnesses.
 Digital forensics evidence is normally introduced by expert witnesses, except in cases
where a non-expert can bring clarity to non-scientific issues by stating what they
observed.
 An expert witness can address issues based on scientific, technical or other specialized
knowledge.
 A witness qualified as an expert by knowledge, skill, experience, training or education
may testify in the form of an opinion.
Digital forensics process - Activities
The Digital forensics process involves the following activities:
1. Prepare – Case briefing, engagement terms, interrogatories, spoliation prevention,
disclosure and discovery planning, discovery requests.
2. Record – Drive imaging, indexing, profiling, search plans, cost estimates, risk analysis.
3. Investigate – Triage images, data recovery, keyword searches, hidden data review,
communicate, iterate.
4. Report - Oral vs Written, relevant document production, search statistic reports,
chain of custody reporting, case log reporting.
5. Testify – Testimony preparation, presentation preparation and testimony.
Digital forensics – Advantages and Limitations
Advantages of Digital forensics
1. Ensures the integrity of the computer system.
2. Produces evidence for the court, which can lead to the punishment of the culprit.
3. Helps companies capture important information when their computer systems or
networks are compromised.
4. Efficiently tracks down cybercriminals from anywhere in the world.
5. Helps to protect the organization's money and valuable time.
6. Allows investigators to extract, process and interpret factual evidence, so that the
cybercriminal's actions can be proved in court.
Disadvantages of Digital Forensics
1. Digital evidence is accepted in court; however, it must be proved that there has been no
tampering.
2. Producing electronic records and storing them is an extremely costly affair.
3. Legal practitioners must have extensive computer knowledge.
4. Authentic and convincing evidence must be produced.
5. If the tool used for digital forensics does not conform to the specified standards, the
evidence can be rejected by the court.
6. Lack of technical knowledge on the part of the investigating officer might not produce the
desired result.
COMPUTER LANGUAGE
 There are three basic components of every computer system, which are designed to
input, analyse and output data: hardware, software and firmware.
 Before discussing computer crime, cybercrime and computer forensics, it is necessary to
discuss the nature of information, as computers are the mechanism through which raw
information (i.e., data) is processed. Although raw data may seem intimidating or
complex to understand, the structure of data is actually very basic and is based on a
binary language. The smallest piece of data is called a bit. Each bit has two possible
electrical states, ON (1) or OFF (0).
 Thus, raw data is a series of 1s and 0s. Of course, raw data is difficult for users to
interpret, so computers group bits together to provide identifiable meaning. The smallest
such grouping occurs when eight bits are combined to form a byte. Each byte of data
represents a letter, number or character.
 As the emphasis on stored information has increased, so has the data capacity of
computers: from kilobytes (KB) to megabytes (MB) to gigabytes (GB) and now
terabytes (TB).
 Components of the computer:
o Hardware: input devices, output devices, CPU, memory, HDD, FDD, USB drives.
o Software: boot sequence, OS, application software.
NETWORK LANGUAGE
 Increasingly, network language is dominating the computer landscape. So, it is essential
that computer investigators understand the language behind the technology.
 The most commonly used terms are:
1. TCP/IP (Transmission Control Protocol/Internet Protocol) refers to the suite of
protocols that define the Internet. More specifically, TCP is a method of
communication between programs which enables a bit-stream transfer of
information. Originally proposed and designed as the standard protocol for
ARPANet (the precursor of today’s Internet), TCP/IP software is now available for
every computer operating system.
2. IMAP (Internet Message Access Protocol) is a method of accessing electronic mail or
bulletin board messages that are kept on a (possibly shared) mail server. This
technology is increasingly important as reliance on electronic messaging and use of
multiple computers increase, but this functionality cannot be taken for granted: the
widely used Post Office Protocol (POP) works best when one has only a single
computer, since it was designed to support “off-line” message access, wherein
messages are downloaded and then deleted from the mail server.
3. Routers are defined as special-purpose computers (or software packages) that
handle the connection between two or more networks. Routers spend all their time
looking at the destination addresses of the packets passing through them and
deciding which route to send them on. Routers are analogous to the switches found within
telephone systems, the same switches that have proven irresistible to phone
phreakers and their contemporary counterparts. Hubs are central switching devices
for communications lines in a star topology. They may add nothing to the transmission
(passive hub) or may contain electronics that regenerate signals to boost strength as
well as monitor activity (active hub, intelligent hub).
4. Packets are defined as units of data exchanged between host computers. Typically,
they are further distinguished as headers and data. Packet switching refers to the
method used to move data around on the Internet.
5. Cookies are small pieces of information that an HTTP server sends to the individual
browser upon the initial connection. Not all browsers support cookies. However, most
popular browsers do. These cookies are stored on an individual hard-drive for
retrieval by a particular site. Theoretically, this storage is to simplify things for
individual users so that their preferences and personal information do not necessarily
have to be re-entered upon return access.
6. A computer’s DNS (Domain Name System) entry is based on a group of computers on
a common network defined by a commonality of internet protocol (IP) addresses.
These networks are governed by common rules and procedures and are treated as a
unit.
7. Peer-to-Peer networking (p2p) is a system whereby individual personal computers
are connected to one another, allowing each participant to serve as either a client or
a server. This varies from traditional systems in which some computers were solely
and entirely dedicated as servers. Such engineering allows individual users to search
for a particular type of file or information on any other system associated with the
network.
8. Cloud computing may be defined as a system in which a set of services, technologies,
and often virtualized resources enable the delivery of computing as a service as
opposed to a product. In such systems, users may access shared resources, software,
and information over a network or virtual server.
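To make items 3 and 4 concrete, here is an added Python example (not from these notes) that takes a raw packet and splits it the way a router or a packet analyser does: the IPv4 header, the TCP header and the data, with the destination address a router decides on, the TCP flags, and a check of the IPv4 header checksum so a corrupted header is not trusted. The packet bytes are constructed inline using RFC 5737 documentation addresses; the TCP checksum is left at zero and is not verified here.

```python
import struct

TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; a valid header (checksum included) sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(buf: bytes) -> dict:
    """Split an IPv4 packet into header fields and the payload handed to the next protocol."""
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack_from("!BBHHHBBH4s4s", buf, 0)
    version, header_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or header_len < 20 or len(buf) < total_len:
        raise ValueError("not a well-formed IPv4 packet")
    return {
        "src": ".".join(map(str, src)),      # where the packet claims to come from
        "dst": ".".join(map(str, dst)),      # the address a router routes on
        "ttl": ttl,
        "proto": proto,                      # 6 = TCP, 17 = UDP, 1 = ICMP
        "checksum_ok": ipv4_checksum(buf[:header_len]) == 0,
        "payload": buf[header_len:total_len],
    }


def parse_tcp(segment: bytes) -> dict:
    """Split a TCP segment into its header fields and application data."""
    (sport, dport, seq, ack, off_flags, window,
     _csum, _urg) = struct.unpack_from("!HHIIHHHH", segment, 0)
    data_offset = (off_flags >> 12) * 4      # header length in bytes (options included)
    flags = [name for bit, name in TCP_FLAG_BITS if off_flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "window": window, "flags": flags, "payload": segment[data_offset:]}


def dissect(packet: bytes) -> dict:
    """Header/data split for one packet, as an analyser would summarise it."""
    ip = parse_ipv4(packet)
    summary = {"src": ip["src"], "dst": ip["dst"], "ttl": ip["ttl"],
               "ip_checksum_ok": ip["checksum_ok"], "proto": ip["proto"]}
    if ip["proto"] == 6:
        tcp = parse_tcp(ip["payload"])
        summary.update(sport=tcp["sport"], dport=tcp["dport"],
                       flags=tcp["flags"], payload=tcp["payload"])
    else:
        summary["payload"] = ip["payload"]
    return summary


def sample_packet() -> bytes:
    """Constructed IPv4/TCP packet using RFC 5737 documentation addresses (not a capture)."""
    payload = b"GET / HTTP/1.1\r\n"
    tcp_header = struct.pack("!HHIIHHHH", 51514, 80, 1000, 2000,
                             (5 << 12) | 0x18,   # 20-byte header, PSH+ACK
                             65535, 0, 0)       # TCP checksum left 0 (not verified here)
    total_len = 20 + len(tcp_header) + len(payload)
    src, dst = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                            64, 6, 0, src, dst)
    ip_header = ip_header[:10] + struct.pack("!H", ipv4_checksum(ip_header)) + ip_header[12:]
    return ip_header + tcp_header + payload


if __name__ == "__main__":
    print(dissect(sample_packet()))
```

Note that the source address is only what the packet claims; the header carries no proof of origin, which is why a network forensic analyst corroborates it with logs from the routers the packet traversed.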
A BRIEF HISTORY OF THE INTERNET
 In the beginning there was no Internet. The original concept of an Internet did not include
commerce, global connectivity, or public usage.
 The initial conceptualization of such actually derived from the government suspicion and
social hysteria that permeated Cold War America in the 1960s. The threat of nuclear war
and mass destruction was such that government entities focused on developing
electronic communication systems that would remain viable even if large portions were
somehow destroyed.
 The beginning was a project of the Advanced Research Project Agency Network
(ARPANET) sponsored in 1969 by the Department of Defense. Primarily designed to
overcome threats from a blackout of communication in the event of a nuclear war, this
computer network linked four universities (UCLA, Stanford, UC Santa Barbara and the
University of Utah) and was intended to facilitate communications between computers
over phone lines regardless of system characteristics.
 Initially used by researchers, engineers, computer experts and the like, the system
proved to be rather cumbersome (and complicated). Interactive sessions were not
possible. Rather, the method of communication required users to post suggestions in
papers titled “Requests for Comments (RFC)” and await responses or amendments to
their documents.
 The first RFC (RFC0001) was written on April 7, 1969—the closest thing to a “start date”
for the Internet. There are now well over 2000 RFCs, describing every aspect of how
the Internet functions.
 ARPANet was opened to non-military users later in the 1970s and early takers were
the big Universities— although at this stage it resembled nothing like the Internet
we know today.
 International connections (i.e., outside America) started in 1972, but the “Internet” was
still just a way for computers to talk to each other and for research into networking; there
was no World Wide Web (WWW) and no e-mail.
 By the mid-1980s, this network was further expanded with the introduction of the
NSFNet, established under the National Science Foundation by a small group of
Supercomputer research centers and researchers at remote academic and governmental
institutions. This network was highly supported by the government, which encouraged
researchers and institutions to avail themselves of this communication tool.
 Innovations in the software coupled with (and often facilitated by) government grants,
created a more user-friendly cyber-world.
 By the mid-1980s, the Commercial Internet Xchange (CIX) had emerged and
midlevel networks were leasing data circuits from phone companies and subleasing
them to institutions.
 Eventually, this small network had expanded into networks of networks, until the
contemporary phenomenon known as the Internet emerged. During this period, the
services we use most now started appearing on the Internet. In fact, the concept of
“domain names” (e.g. www.microsoft.com) was first introduced in 1984. Prior to this
introduction, computers were simply accessed by their IP addresses (numbers).
 Most protocols for e-mail and other services appeared after this. The part of the Internet
most people are probably most familiar with is the World Wide Web. This is a collection
of hyperlinked pages of information distributed over the Internet via a network protocol
called the hypertext transfer protocol (HTTP). It was invented in 1989 by Tim Berners-Lee, a
physicist working at CERN, the European Particle Physics Laboratory, who created the
Web so that physicists could share information about their research.
 Thus, the Web was introduced as a restricted means of communication between
scientists. Although it was originally a text-only medium, graphics were soon introduced
with a browser called NCSA Mosaic. Both Microsoft’s Internet Explorer and Netscape
were originally based on NCSA Mosaic. This graphical interface opened up the Internet
to novice users and in 1993 its use exploded as people were allowed to “dial-in” to the
Internet using their computers at home and a modem to ring up an internet service
provider (ISP) to get their connection to this network.
REALMS OF THE CYBERWORLD
 Basically there are three different levels of networked systems: intranets, internets and
the Internet.
1. Intranets – small local networks connecting computers which are within one
organization and which are controlled by a common system administrator.
2. internets – connect several networks and are distinguished in the literature by a lower-
case i (i.e. “internet” as opposed to “Internet”). These networks are usually located in
a small geographic area and share a common protocol (usually TCP/IP).
3. The Internet – the largest network in the world, an international connection of all types
and sizes of computer systems and networks. It is a system of small networks of
computers linked with other networks via routers and software protocols. This TCP/IP-
based network links tens of millions of users, across more than 45,000 networks, in
countries spanning the globe.
 The Internet has become the backbone for global communications and transnational
capitalism. For the most part, the explosion of such may be attributed to advances in and
accessibility to inexpensive and efficient connection methods.
 During the Internet’s infancy, users could connect only via standardized modems and
telephone lines. Early service providers initially charged users for the period of time they
spent on the Internet.
 As connection speeds via modems were notoriously slow, individuals racked up
substantial charges. This expense was compounded for users who connected via long-
distance numbers.
 As a result, telephone companies became victimized by criminals (i.e., phreakers) seeking
to avoid such charges. As competition increased with the birth of the “Baby Bells”, the cost to
consumers began to decline.
 Connections made via modem are known as dial-up connections. Such connections were
originally categorized by the transfer rate of data using an older measure of bandwidth
known as baud. Initially, a transfer rate of 300 baud was not uncommon. Such rates
quickly evolved as market demand increased and 1200, 2400, 4800 and 9600 baud
became the standard. As these modem bandwidth rates grew, a new designation of
transfer speed was developed. Currently, data transfer rates are categorized as kilobits
per second (Kbps) or megabits per second (Mbps).
3.4 RECOGNIZING AND DEFINING CYBER CRIME
RECOGNIZING CYBER CRIME
 Recognizing cyber crime is a major problem and challenge for many organizations. This
is because not all cyber breaches are destructive in nature.
 Many companies are not proactively looking for cyber breaches, and only when they detect
‘smoke’ do they realize the company has experienced a cyber-breach.
 Many cyber-attacks are far less conspicuous in their destruction, so the companies do not see
any smoke at all. Therefore they assume that everything is fine and nothing is at risk.
 However, cyber criminals are already on the network, waiting, watching, stealing data and
committing financial fraud, typically using the credentials and accounts of a trusted
insider.
 Companies can recognize and combat cybercrime, and improve their cyber hygiene,
by following these steps:
1. Education and Cyber security awareness
2. Collect security logs for suspicious or abnormal activities
3. Keep system and applications patched and up to date.
4. Use strong passwords and keep privileged accounts protected
5. Do not allow users to install / execute unapproved or untrusted applications.
6. Be deceptive and unpredictable.
1. Education and Cyber security awareness
 This is one of the most effective cyber security countermeasures and an instant win.
Educating employees on what to look for increases the company’s ability to recognize
cybercrime early and, in many cases, to prevent it.
 Educate employees to avoid and prevent suspicious activity on their computers:
a. Detect suspicious applications running, popups, warning messages, etc.
b. Flag suspicious emails; be vigilant when browsing websites
c. Stop and think before clicking on links or ads
d. Ensure websites are trustworthy before entering credentials
e. Limit activities when using public insecure Wi-Fi networks, or use a VPN
2. Collect security logs for suspicious or abnormal activities
 An important activity and best practice for companies is to make sure security logs
are being collected and analyzed for suspicious activities.
 In many situations, looking at security logs will identify abnormal actions.
 Collecting security logs can help
o to detect cyber-criminal activities,
o to determine the root cause and help with future prevention measures.
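What “analyzed for suspicious activities” looks like in practice, as an added example that is not part of these notes: a small Python detector run over constructed sshd-style log lines. It raises an alert when one source address fails authentication five times within a minute, a stronger alert when that same source then succeeds (the “credentials of a trusted insider” pattern described above), and a lower-grade alert for logins outside working hours. The log format, the threshold, the working hours and every address and user name are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, time

# Constructed sample lines in an sshd-style layout assumed for this example (not real logs).
SAMPLE_LOG = """\
2024-05-01T02:13:04Z srv1 sshd: Failed password for admin from 203.0.113.5 port 51022
2024-05-01T02:13:06Z srv1 sshd: Failed password for admin from 203.0.113.5 port 51023
2024-05-01T02:13:09Z srv1 sshd: Failed password for admin from 203.0.113.5 port 51024
2024-05-01T02:13:11Z srv1 sshd: Failed password for admin from 203.0.113.5 port 51025
2024-05-01T02:13:14Z srv1 sshd: Failed password for admin from 203.0.113.5 port 51026
2024-05-01T02:13:20Z srv1 sshd: Accepted password for admin from 203.0.113.5 port 51027
2024-05-01T09:02:44Z srv1 sshd: Accepted publickey for alice from 198.51.100.20 port 40311
2024-05-01T23:40:01Z srv1 sshd: Accepted password for bob from 198.51.100.21 port 40400
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) \S+ for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)

FAIL_THRESHOLD = 5                            # failures from one source within the window
WINDOW_SECONDS = 60
BUSINESS_HOURS = (time(8, 0), time(20, 0))    # assumed working hours (UTC) for this site


def parse_line(line: str):
    """Return the fields of one log line, or None for lines the rule set does not cover."""
    m = LINE_RE.match(line)
    if m is None:
        return None                           # production code should count these
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def _alert(rule: str, ev: dict) -> dict:
    return {"rule": rule, "time": ev["ts"].isoformat(), "user": ev["user"], "src": ev["src"]}


def analyse(lines) -> list:
    """Run the three rules over the lines in order and return the alerts raised."""
    alerts = []
    recent_failures = defaultdict(deque)      # source address -> failure times in window
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, src = ev["ts"], ev["src"]
        window = recent_failures[src]
        while window and (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()                  # forget failures older than the window
        if ev["result"] == "Failed":
            window.append(ts)
            if len(window) == FAIL_THRESHOLD: # fire once per burst, not on every extra failure
                alerts.append(_alert("brute_force", ev))
            continue
        # a success from a source that has just failed repeatedly is the strongest signal
        if len(window) >= FAIL_THRESHOLD:
            alerts.append(_alert("success_after_failures", ev))
        if not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]):
            alerts.append(_alert("off_hours_login", ev))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The same sliding-window logic applies to any authentication source (VPN, web application, domain controller) once `LINE_RE` is adapted to its format; the rule that most often pays off is the second one, because an attacker who has finally guessed a password looks exactly like a legitimate user from that point on.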
3. Keep systems and applications patched and up to date
 Keeping systems and applications up to date and applying the latest security patches will
keep most hackers and cyber criminals from gaining access to systems through known
exploits and vulnerabilities.
 This is not a foolproof countermeasure, but it will make a successful breach more
difficult for cyber criminals.
4. Use strong passwords and keep privileged accounts protected
 When choosing a password, make it a strong password, unique to that account, and
change it often.
 The average age of a social media password today is years, and social media sites do not do a
great job of alerting you to how old your password is, how weak it is, and when it is a
good time to change it.
 It is your responsibility to protect your account, so protect it wisely. If you have many
accounts and passwords, use an enterprise password and privileged account vault to
make them easier to manage and secure. Never use the same password multiple times.
5. Do not allow users to install / execute unapproved or untrusted applications
 Providing users with privileged access, so that they can install and execute
applications as they wish, poses a major risk: it allows ransomware or
malware to infect the organization and propagate through it. It also allows an attacker to
install tools enabling them to return easily whenever they wish.
 When a user with a privileged account is reading emails, opening documents, browsing
the Internet and clicking on numerous links, or when they simply plug a USB device
into the system, they can unknowingly install infectious or malicious tools.
 This enables an attacker to quickly gain access and begin the attack from within the
perimeter, or in the worst case scenario, encrypt the system and sensitive data—then
request a financial payment in return to unlock them.
 Organizations must implement security controls that prevent any application or tool
from being installed onto the system by using Application Whitelisting, Blacklisting,
Dynamic Listing, Real-Time Privilege Elevation, and Application Reputation and
Intelligence.
6. Be deceptive and unpredictable
 It’s crucial to be deceptive, be unpredictable. Most organizations look to automation
to help assist in their cyber security defenses, but in many cases this lends itself to
predictability: scans are run at the same time every week, patches take place once per
month, assessments once per quarter or per year.
 Companies that are predictable are vulnerable, so should establish a mindset in which
systems are updated and assessed on an ad-hoc basis. Randomize your activity.
COMPUTER AS THE TARGET
 Crimes in which the computer is the target include offenses such as theft of
intellectual property, theft of marketing information (e.g., customer lists, pricing data,
or marketing plans), or blackmail based on information gained from computerized files
(e.g., medical information, personal history, or sexual preference).
 These crimes also could entail sabotage of intellectual property, marketing, pricing or
personnel data or sabotage of operating systems and programs with the intent to
impede a business or create chaos in a business' operations.
 Unlawful access to criminal justice and other government records is another crime
that targets the computer directly.
 This crime covers changing a criminal history; modifying want and warrant
information; creating a driver's license, passport, or another document for
identification purposes; changing tax records; or gaining access to intelligence files.
 In essence, the conduct covered by these offences consists of:
1. The gaining of unauthorized access to a computer or computer system;
2. Causing unauthorized damage or impairment to computer data or the operation
of a computer or computer system; or
3. The unauthorized interception of computer data.
 Such conduct ranges from the technically sophisticated to the decidedly low-tech.
While the sophisticated hacker is a very real threat, some surveys indicate that insiders
are often just as likely as outsiders to be the source of cyber-attacks.
 The key form of conduct which potentially fall within this class of offence. At the outset
it must be acknowledged that these categories are neither mutually exclusive nor
fixed.
 One of the great challenges of drafting cybercrime laws is ensuring that they can adapt
to a broad range of overlapping and constantly evolving threats.
 Nonetheless, the three main categories of conduct are:
1. Unauthorized access to computers or computer systems;
2. Malicious software; and
3. DoS attacks.
CONTAMINANTS AND DESTRUCTION OF DATA
(i) DATA CONTAMINATION
• The alteration, maliciously or accidentally, of data in a computer system is known as data contamination.
• A contamination can also occur when classified information is found on a computer or information system that is either not accredited for classified information or is not where that information is supposed to be.
• This may have happened:
1. By accident
2. By transmission of insecure data
3. Because the information was changed to a different classification rating
4. Because users did not follow protocol and transferred information through insecure methods such as floppy disks or thumb drives
• Contamination of a computer can also occur when malware infiltrates it. An anti-virus tool should be enabled to remove an active virus from a system.
(ii) DESTRUCTION OF DATA
• Data destruction is the process of destroying data stored on tapes, hard disks and other forms of electronic media so that it is completely unreadable and cannot be accessed or used for unauthorized purposes.
• When data is deleted, it is no longer readily accessible by the operating system or application that created it.
• The Different Forms of Data Destruction: Fortunately, there are several different ways to destroy data. Unfortunately, none of these methods are perfect, nor can any one particular method promise complete success. But knowing the available methods will help to choose the one that is right for the business.
1. Delete/Reformat
2. Wipe
3. Overwriting data
4. Erasure
5. Degaussing
6. Physical destruction (drill/band/crush/hammer)
7. Electronic shredding
8. Solid state shredding
1. Delete/Reformat
• Deleting a file from an electronic device may remove it from a file folder but does not actually destroy the data. The data remains on the hard drive or the memory chip of the device.
• The same is true when you try to destroy data by reformatting the disc. This does not wipe the data away either. It is very easy for almost anyone to recover data from a disk that has only been reformatted, as many tools exist on the Internet that allow an individual to do so.
• Using methods of this kind is a rather lazy, unimaginative and not very productive way to attempt data destruction.
2. Wipe
• Data wiping involves overwriting data on an electronic medium so that this data can no longer be read.
• Data wiping is normally accomplished by physically connecting the media to a bulk wiping device. It can also be accomplished internally by starting a PC from a network or CD.
• As a process, it allows you to reuse any media wiped in this way without losing storage capacity. Data wiping can take a very long time, sometimes an entire day for just one device.
• Data wiping may be useful for an individual, but it is impractical for a business owner who has several devices they need wiped.
3. Overwriting Data
• Overwriting data is a form of data wiping. When data on an electronic device is overwritten, a pattern of ones and zeros is written over the existing data. The pattern does not need to be random; set patterns can also be used.
• In most cases overwriting once will accomplish the task. But if the medium is a high-security one, it may require multiple passes. This ensures that all data is completely destroyed and no bit shadows can be detected.
• A bit shadow is a remnant of information that has been overwritten but can still be detected using an electron microscope.
• Overwriting can take a lot of time and only works when the medium being overwritten has not been damaged and can still have data written to it. It also does not offer any security protection during the overwriting process.
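The difference between Delete/Reformat, Wipe and Overwriting described above can be shown on a simulated disk. The Python block below is an added example written for these notes; it is not code from the course or from any wiping product. The SimulatedDisk class, its 16-byte blocks and the sample customer record are all constructed for illustration. It shows that deleting a file and reformatting only change metadata, so a raw scan of the medium (what a recovery tool does) still finds the data, while a multi-pass overwrite with read-back verification removes it.

```python
import secrets


class SimulatedDisk:
    """Toy block device constructed for this example: a flat bytearray of
    fixed-size blocks, a directory (name -> block list) and a free list.
    Real filesystems differ in detail but share the property shown here:
    delete and reformat change metadata, not the stored bytes."""

    BLOCK = 16  # bytes per block (constructed value)

    def __init__(self, blocks=64):
        self.media = bytearray(self.BLOCK * blocks)
        self.directory = {}
        self.free = list(range(blocks))

    def write_file(self, name, data):
        needed = -(-len(data) // self.BLOCK)  # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * self.BLOCK:(i + 1) * self.BLOCK].ljust(self.BLOCK, b"\x00")
            self.media[b * self.BLOCK:(b + 1) * self.BLOCK] = chunk
        self.directory[name] = blocks

    def delete(self, name):
        # "Delete" unlinks the directory entry and returns the blocks to the
        # free list; the bytes in those blocks are left exactly as they were.
        self.free.extend(self.directory.pop(name))

    def reformat(self):
        # "Reformat" rebuilds the metadata structures only; the media is untouched.
        self.directory = {}
        self.free = list(range(len(self.media) // self.BLOCK))

    def overwrite(self, passes=(b"\x00", b"\xff", None)):
        """Wipe by overwriting the whole medium once per pass and reading each
        pass back. A pattern of None means a cryptographically random pass.
        Returns the number of passes that verified."""
        verified = 0
        for pattern in passes:
            if pattern is None:
                fill = secrets.token_bytes(len(self.media))
            else:
                fill = pattern * len(self.media)
            self.media[:] = fill
            # Read-back check: confirms every software-addressable byte now
            # holds the intended pattern (it cannot see residual magnetism).
            if bytes(self.media) != fill:
                raise RuntimeError("overwrite verification failed")
            verified += 1
        self.reformat()
        return verified

    def carve(self, marker):
        """What a recovery tool does: scan the raw medium, ignoring the directory."""
        return marker in bytes(self.media)


def destruction_demo():
    """Returns (found after delete, found after reformat, passes verified, found after wipe)."""
    record = b"ACCOUNT 1234-5678 PIN 9876"  # constructed sample of sensitive data
    disk = SimulatedDisk()
    disk.write_file("customers.txt", record)

    disk.delete("customers.txt")
    found_after_delete = disk.carve(record)    # True: unlink left the blocks intact

    disk.reformat()
    found_after_reformat = disk.carve(record)  # True: reformat rebuilt metadata only

    passes = disk.overwrite()
    found_after_wipe = disk.carve(record)      # False: every byte holds the last pass
    return found_after_delete, found_after_reformat, passes, found_after_wipe


if __name__ == "__main__":
    print(destruction_demo())  # (True, True, 3, False)
```

The read-back check only proves that each pattern reached every byte the software can address. It says nothing about residual magnetism on a platter (the bit shadow mentioned above) and nothing about flash cells that an SSD's wear-levelling has remapped out of the addressable range, which is why solid-state media appear as a separate item in the list of destruction methods.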
4. Erasure
• Erasure is another term for overwriting. Erasure should be complete and destroy all data stored on a hard drive, and deliver a certificate of destruction showing that the data on an electronic device has been successfully erased.
• Erasure is a great idea for businesses that have purchased equipment off-lease, such as desktops, enterprise data centers and laptops, or if you desire to reuse hard drives or redeploy them for storage of different materials.
5. Degaussing
• Degaussing destroys computer data using a high-powered magnet which disrupts the magnetic field of an electronic medium. The disruption of the magnetic field destroys the data.
• Degaussing can effectively and quickly destroy the data in a device storing a large amount of information.
• However, it has two major disadvantages.
1. When you degauss a piece of electronic equipment, you render its hard drive inoperable. Degaussing destroys the interconnect equipment of the hard drive. This is not the method to choose if you want to reuse an electronic digital device like a laptop, computer or mobile phone.
2. There is no way of knowing if all the data has been destroyed. The only method to verify data destruction, in this case, is to use an electron microscope. But unless you are destroying high-security information, checking this way is expensive and impractical.
6. Physical Destruction
• Interestingly enough, physical destruction is also an efficient way for organizations and businesses of all sizes to destroy data. One of physical destruction's best features is that it gives an organization the highest probability that data has been destroyed.
• However, it can be costly, and since it involves the destruction of electronic media, there is a high capital cost as well. It can also cause a problem if an organization has a green and sustainable program for recycling old electronic media.
• Degaussing is a form of physical destruction. Incineration is as well, although it isn't common because it requires destruction to occur away from human habitats and creates a chain of custody risk.
7. Shredding
• Shredding may be the most secure and cost-effective way to destroy electronic data in any media that contain hard drives or solid state drives and have reached their end-of-life.
• It is also very effective for optical drives, smartphones, tablets, motherboards, thumb drives and credit card swipe devices, to name a few.
• Shredding is a great way to destroy data if you have a large enterprise data center or a large stockpile of old hard drives and media that you want to destroy.
• It is very secure, fast and efficient.
• Shredding reduces electronic devices to pieces no larger than 2 millimeters.
• If you work in a high-security environment with high-security data, shredding should be your number one choice as it guarantees that all data is obliterated.
3.5 Indian IT Act 2000
Cyber law
• Cyber Law can be defined as the law which governs Cyberspace, protects from cybercrimes and lays down punishments for its violation.
• Cyber law is a common term which refers to legal jurisdiction and regulation of various aspects of the internet and computer security.
• In India, Cyber laws are regulated by the Information Technology Act, 2000.
Impact of Cybercrimes
1. Impact on Economy
• People today are highly dependent on computers and the internet for money transfers and making payments. Therefore, the risk of being subjected to online money frauds is extremely high.
• Not just individuals suffer from financial losses due to cybercrimes; some of the surveys conducted have stated that approximately 80% of the companies participating in the surveys accepted financial losses due to cybercrimes.
2. Leakage of Personal Information
• Many social networking sites, no matter how safe, are still an open platform for everyone to see someone else's life, which can be dangerous.
• Apart from this, hackers can also hack into one's account and collect whatever information they want to. Spamming and phishing also cause harm to people.
3. Loss of Consumer Trust
• With such financial losses and a threat to personal information, consumers start losing trust in such sites and apps.
• Even if the person committing the crime is someone else, the site or app is declared to be fraudulent and unsafe.
• It also makes people reluctant to start a transaction when their credit card information is asked for.
• This affects the credibility of an e-business and consequently jeopardizes a potential business.
4. The threat to National Security
• Nowadays, the militaries of most countries use advanced computer technologies and networks.
• Information warfare, albeit old, is used to spread malware, which can cause network crashes and spread misinformation.
• Terrorists and cybercriminals also use these technologies to intrude into other countries' security networks and obtain information.
• They also send threats and warnings through computer systems.
Need of Cyber Law
• With the evolution and development of the internet, information technology and computers, the challenges posed by cybercrimes have also increased. Therefore, cyber laws regulate all fields of law in which cybercrimes can be committed, such as criminal law, contract, intellectual property law and tort.
• Cyber laws deal with various kinds of concerns, such as free speech, safety, intellectual property rights, privacy, terrorism, e-commerce and jurisdiction of cyber laws.
• With the increase in the number of internet users, the need for cyber laws and their application has become very urgent in modern times. Cyber laws are needed because:
1. Consumers are increasingly using online transactions with the increased popularity of payment apps and sites, as they are easy and efficient. The Government's scheme of 'Cashless India' has also gained popularity, resulting in a high amount of online transactions.
2. Email, SMS, messaging apps and social networking sites have become the main mode of communication.
3. Companies are highly dependent upon their computer networks to keep their electronic data safe.
4. Most of the government forms are now filled in electronic format, for example, Income Tax Return, Passport application, PAN Card application, Company law forms etc.
5. Digital signatures and authorization are fast replacing conventional ways of identification for transactions.
6. Computers and networks also help in solving non-cybercrimes. As most data these days is stored in computers and mobile phones, the evidence collected from them can help in various crimes such as kidnapping, terrorist attacks, counterfeit currencies, tax evasion and such.
7. Cyber laws help in representing and defining the model of cyber society and maintaining cyber properties.
8. Digital contracts are also gaining popularity in modern times; cyber laws help in protecting the rights under these legally enforceable digital contracts.
Scope of Cyber Law
The scope of cyber law is very wide as it deals with various kinds of challenges and threats posed by the internet and developments in computer technology:
1. Dealing with computer hackers, spammers and those who spread malware and viruses.
2. Protecting the privacy of individuals and preventing frauds in money transactions.
3. Regulation and categorization of contractual obligations related to the acquisition of software.
4. Protection of Intellectual Property Rights and dealing with issues of copyright in a computer program and patent protection of software programs.
5. Dealing with purchases from other jurisdictions under e-commerce.
6. Regulation and dealing with the issue of trafficking in domain names under the law.
7. Regulation of the content and information available on the internet.
8. Protection and regulation of freedom of speech and expression and the right to information.
Cyber Law in India and the IT Act, 2000
• In India, cyber laws are contained in the Information Technology Act, 2000.
• The main object of this Act is to provide legal recognition to e-commerce and electronic formats and to facilitate the filing of electronic records with the Government.
• This legislation lays down rules and regulations related to cybercrimes, electronic information and formats, electronic authentication and digital signatures, and liability of network service providers.
• The I.T. Act is based on the United Nations Model Law on Electronic Commerce 1996 (UNCITRAL Model) recommended by the General Assembly of the United Nations by a resolution dated 30 January 1997.
The Indian Cyber Law covers these major aspects of Cyberspace and cybercrime:
1. The Indian Cyber Law makes every format in electronic form legal, which means anything that you write, share and publish electronically is now considered legal.
2. It also makes all electronic contracts legal, which means that an offer can be electronically made and accepted, and it would amount to a valid and binding electronic contract.
3. The Indian Cyber Law recognizes and legalizes the concept of digital signatures and electronic authentications.
4. Indian Cyber Law covers almost all kinds of cybercrimes and provides punishment for the same.
5. It also punishes people of other nationalities, provided their crimes involve any computer or network situated in India.
Legalization of everything in electronic format, such as publications, communications, signatures and authorization, means that it is all now valid and can be used in any proceedings.
Key provisions under the Indian IT Act 2000
(Each entry gives Section, Offence, Description and Penalty.)

Section 65 – Tampering with computer source documents
Description: If a person knowingly or intentionally conceals, destroys or alters, or causes another to conceal, destroy or alter, any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force.
Penalty: Imprisonment up to three years, and/or fine up to ₹200,000

Section 66 – Hacking with computer system
Description: If a person, with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, he commits hacking.
Penalty: Imprisonment up to three years, and/or fine up to ₹500,000

Section 66B – Receiving stolen computer or communication device
Description: A person receives or retains a computer resource or communication device which is known to be stolen or which the person has reason to believe is stolen.
Penalty: Imprisonment up to three years, and/or fine up to ₹100,000

Section 66C – Using password of another person
Description: A person fraudulently uses the password, digital signature or other unique identification of another person.
Penalty: Imprisonment up to three years, and/or fine up to ₹100,000

Section 66D – Cheating using computer resource
Description: If a person cheats someone using a computer resource or communication device.
Penalty: Imprisonment up to three years, and/or fine up to ₹100,000

Section 66E – Publishing private images of others
Description: If a person captures, transmits or publishes images of a person's private parts without his/her consent or knowledge.
Penalty: Imprisonment up to three years, and/or fine up to ₹200,000

Section 66F – Acts of cyber-terrorism
Description: If a person denies access to authorised personnel to a computer resource, accesses a protected system or introduces a contaminant into a system, with the intention of threatening the unity, integrity, sovereignty or security of India, then he commits cyber terrorism.
Penalty: Imprisonment up to life.

Section 67 – Publishing information which is obscene in electronic form
Description: If a person publishes or transmits or causes to be published in electronic form any material which is lascivious or appeals to the prurient interest, or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it.
Penalty: Imprisonment up to five years, and/or fine up to ₹1,000,000

Section 67A – Publishing images containing sexual acts
Description: If a person publishes or transmits images containing a sexually explicit act or conduct.
Penalty: Imprisonment up to seven years, and/or fine up to ₹1,000,000

Section 67B – Publishing child porn or predating children online
Description: If a person captures, publishes or transmits images of a child in a sexually explicit act or conduct, or induces a child into a sexual act. A child is defined as anyone under 18.
Penalty: Imprisonment up to five years, and/or fine up to ₹1,000,000 on first conviction. Imprisonment up to seven years, and/or fine up to ₹1,000,000 on second conviction.

Section 67C – Failure to maintain records
Description: Persons deemed as intermediaries (such as an ISP) must maintain the required records for the stipulated time. Failure is an offence.
Penalty: Imprisonment up to three years, and/or fine.

Section 68 – Failure/refusal to comply with orders
Description: The Controller may, by order, direct a Certifying Authority or any employee of such Authority to take such measures or cease carrying on such activities as specified in the order if those are necessary to ensure compliance with the provisions of this Act, rules or any regulations made thereunder. Any person who fails to comply with any such order shall be guilty of an offence.
Penalty: Imprisonment up to 2 years, and/or fine up to ₹100,000

Section 69 – Failure/refusal to decrypt data
Description: If the Controller is satisfied that it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, the security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, it may, for reasons to be recorded in writing, by order, direct any agency of the Government to intercept any information transmitted through any computer resource.
Penalty: Imprisonment up to seven years and possible fine.

Section 70 – Securing access or attempting to secure access to a protected system
Description: The appropriate Government may, by notification in the Official Gazette, declare any computer, computer system or computer network to be a protected system. The appropriate Government may, by order in writing, authorise the persons who are authorised to access protected systems. A person who secures access or attempts to secure access to a protected system commits an offence.
Penalty: Imprisonment up to ten years, and/or fine.

Section 71 – Misrepresentation
Description: If anyone makes any misrepresentation to, or suppresses any material fact from, the Controller or the Certifying Authority for obtaining any licence or Digital Signature Certificate.
Penalty: Imprisonment up to 2 years, and/or
Information Technology (Amendment) Act, 2008
A few amendments have been made to the I.T. Act, 2000 which have improved certain provisions of the original Act. Some of the amendments are:
1. The term 'digital signature' has been replaced with 'electronic signature' to make the Act more technology-neutral.
2. The term 'Communication device' has been defined. According to the definition, 'Communication device' means cell phones, personal digital assistants or a combination of both, or any other device used to communicate, send or transmit any text, video, audio or image.
3. The term 'Cybercafe' has also been defined, as any facility from where access to the internet is offered by any person in the ordinary course of business to members of the public.
4. New Sections have been added to address data protection and privacy.
Pros and Cons of Indian ITA 2000
Pros of the I.T. Act, 2000
1. Before the enactment of the I.T. Act, 2000, the usual means of communication such as emails and texts were not considered a legal form of communication and, due to this, they were not admissible as evidence in a court of law. But after the enactment of the I.T. Act, 2000, electronic formats and communication got legal recognition, and now they are admissible as evidence in a court of law.
2. With the introduction of the I.T. Act, 2000, companies can now carry out e-commerce and e-business and promote online transactions commercially.
3. Digital signatures and authentications have been legalized after the I.T. Act, 2000, which is a great assistance in carrying out transactions online as they help in verifying the identity of an individual on the internet.
4. The I.T. Act, 2000 provides for corporates to have statutory remedies if anyone hacks and breaks into their computer systems or networks and causes any kind of damage. The I.T. Act, 2000 provides for monetary damages, by way of compensation, as a remedy for such crimes.
5. The I.T. Act, 2000 has defined, recognized and penalized various cyber crimes such as hacking, spamming, identity theft, phishing and many more. Prior to this Act, cybercrimes were not included in any legislation, and there was no legal remedy for such crimes.
6. The Act allows companies to issue digital certificates by becoming Certifying Authorities.
7. This Act also allows the Government to issue notices on the internet through e-governance.
Cons of the I.T. Act, 2000
1. The I.T. Act, 2000 may cause a conflict of jurisdiction.
2. Electronic commerce is based on the system of domain names. The I.T. Act, 2000 does not address the issues relating to domain names, or the rights and liabilities of domain owners.
3. The I.T. Act, 2000 does not provide for the protection of Intellectual Property Rights, even though issues regarding copyrights and patents are very common in relation to computer programs and networks.
4. The offences covered and defined under the I.T. Act, 2000 are not exhaustive in nature. With the advancements in technology, computer programs and networks are constantly changing and evolving, and with this advancement the nature of cybercrimes is also evolving. This Act does not cover various kinds of cybercrimes such as cyberstalking, cyber fraud, chat room abuse, theft of internet hours and many more.
5. The I.T. Act, 2000 has not addressed issues like privacy and content regulation, which is very necessary considering the vulnerability the internet poses.
6. Lastly, the main issue with this Act is its implementation. The I.T. Act, 2000 does not lay down any parameters for its implementation and regulations.

More Related Content

PPTX
Cyber crime and security 1
PPTX
Module vi mis
PPTX
Cyber Crimes & Legal Framework(cyber crime and ethics)
PPTX
CYBER CRIME - A Threat To Internet Users
PPTX
Cybercrime 111205224958-phpapp02
PPTX
Cyber Security , types of cyber secuyrity
PPTX
Cyber Security Concepts, layers of security,
DOC
English in written
Cyber crime and security 1
Module vi mis
Cyber Crimes & Legal Framework(cyber crime and ethics)
CYBER CRIME - A Threat To Internet Users
Cybercrime 111205224958-phpapp02
Cyber Security , types of cyber secuyrity
Cyber Security Concepts, layers of security,
English in written

Similar to NS UNIT 3 COMBINED.pdf (20)

PDF
cybercrimeandtypes-19101817340 2.pdf
PPTX
Cyber crime and its types
PPTX
Grade 7 Chap 10 Cyber Threats and Security
PDF
Cyber Law & Forensics
PPTX
Introduction to cybercrime
PPT
Cyber Laws.ppt
PPTX
Cyber crime-140128140443-phpapp02 (1)
PPTX
introductiontocybercrimvvvvv63702-lva1-app6892.pptx
PPTX
Cyber-crime and cyber security PPT.pptx
PPTX
Cyber crime
PPTX
Introduction to cybercrime
PPSX
Unit 1
PPTX
cs computer notes of studies in education
PPT
CS 1.ppt
PPTX
Cyber crime
PPTX
Cyber crime
PPTX
cybercrimeandfrauds and hygiene of cyber
PPTX
First Lecture- Cyber Security-Bangladesh.pptx
PPTX
Cyber crime
PPTX
Cybersecurity2021
cybercrimeandtypes-19101817340 2.pdf
Cyber crime and its types
Grade 7 Chap 10 Cyber Threats and Security
Cyber Law & Forensics
Introduction to cybercrime
Cyber Laws.ppt
Cyber crime-140128140443-phpapp02 (1)
introductiontocybercrimvvvvv63702-lva1-app6892.pptx
Cyber-crime and cyber security PPT.pptx
Cyber crime
Introduction to cybercrime
Unit 1
cs computer notes of studies in education
CS 1.ppt
Cyber crime
Cyber crime
cybercrimeandfrauds and hygiene of cyber
First Lecture- Cyber Security-Bangladesh.pptx
Cyber crime
Cybersecurity2021
Ad

Recently uploaded (20)

PPTX
introduction to high performance computing
PPT
Total quality management ppt for engineering students
PDF
BIO-INSPIRED ARCHITECTURE FOR PARSIMONIOUS CONVERSATIONAL INTELLIGENCE : THE ...
PDF
Level 2 – IBM Data and AI Fundamentals (1)_v1.1.PDF
PDF
Categorization of Factors Affecting Classification Algorithms Selection
PDF
ChapteR012372321DFGDSFGDFGDFSGDFGDFGDFGSDFGDFGFD
PDF
Human-AI Collaboration: Balancing Agentic AI and Autonomy in Hybrid Systems
PDF
August -2025_Top10 Read_Articles_ijait.pdf
PPTX
Information Storage and Retrieval Techniques Unit III
PPTX
Management Information system : MIS-e-Business Systems.pptx
PDF
Exploratory_Data_Analysis_Fundamentals.pdf
PPTX
AUTOMOTIVE ENGINE MANAGEMENT (MECHATRONICS).pptx
PPTX
ASME PCC-02 TRAINING -DESKTOP-NLE5HNP.pptx
PPTX
Fundamentals of Mechanical Engineering.pptx
PDF
Accra-Kumasi Expressway - Prefeasibility Report Volume 1 of 7.11.2018.pdf
PPTX
Software Engineering and software moduleing
PPTX
6ME3A-Unit-II-Sensors and Actuators_Handouts.pptx
PPTX
CURRICULAM DESIGN engineering FOR CSE 2025.pptx
PDF
737-MAX_SRG.pdf student reference guides
PPTX
Sorting and Hashing in Data Structures with Algorithms, Techniques, Implement...
introduction to high performance computing
Total quality management ppt for engineering students
BIO-INSPIRED ARCHITECTURE FOR PARSIMONIOUS CONVERSATIONAL INTELLIGENCE : THE ...
Level 2 – IBM Data and AI Fundamentals (1)_v1.1.PDF
Categorization of Factors Affecting Classification Algorithms Selection
ChapteR012372321DFGDSFGDFGDFSGDFGDFGDFGSDFGDFGFD
Human-AI Collaboration: Balancing Agentic AI and Autonomy in Hybrid Systems
August -2025_Top10 Read_Articles_ijait.pdf
Information Storage and Retrieval Techniques Unit III
Management Information system : MIS-e-Business Systems.pptx
Exploratory_Data_Analysis_Fundamentals.pdf
AUTOMOTIVE ENGINE MANAGEMENT (MECHATRONICS).pptx
ASME PCC-02 TRAINING -DESKTOP-NLE5HNP.pptx
Fundamentals of Mechanical Engineering.pptx
Accra-Kumasi Expressway - Prefeasibility Report Volume 1 of 7.11.2018.pdf
Software Engineering and software moduleing
6ME3A-Unit-II-Sensors and Actuators_Handouts.pptx
CURRICULAM DESIGN engineering FOR CSE 2025.pptx
737-MAX_SRG.pdf student reference guides
Sorting and Hashing in Data Structures with Algorithms, Techniques, Implement...
Ad

NS UNIT 3 COMBINED.pdf

  • 1. AITD / COMP 8.2 Networks Security 1 Unit 3 3.1 Introduction to Cyber Crime and Law: Cyber Crimes – Types of Cyber Crimes. 3.2 Cyber-offenses: Hacking – Attack Vectors – Cyber Space and Cyber Behaviour – Classification of terms – Traditional problems associated with Cyber Crime. 3.3 Introduction to Incident Response – Digital Forensics – Computer Language – Network Language – Realms of Cyber World – A brief history of Internet – 3.4 Recognizing and defining Cyber Crime – Computers as targets – Contaminants and Destruction of Data 3.5 Indian IT Act 2000. 3.1 Introduction to Cybercrime and Cyber Law CYBERSPACE  Cyberspace is a global computer network which felicitates online communication.  It allows users to share information and ideas, interact and communicate, play games, engage in discussions, conduct business and many other activities.  In other words, this computer-generated worldwide stage of internet and web is known as Cyberspace. CYBERCRIME  Cybercrime can be defined as any criminal activity directly related to the use of computers and the internet, such as illegal trespass into the computer system or database of another, manipulation or theft of stored or online data, hacking, phishing, cyber warfare, spreading computer viruses etc.  In simple words, any offence or crime in which a computer is used for committing that crime.  Cybercrime would be "unlawful acts wherein the computer is either a tool or a target or both". CYBERCRIMES – CLASSIFICATION Cybercrimes are classified as follows: 1. Cybercrimes against Individuals 2. Cybercrimes against properties 3. Cybercrimes against Organization 4. Cybercrimes against Society (1) Cybercrimes against Individuals – The goal is exploit human weakness such as greed and naivety. These crimes included financial crimes, sale of non-existent or stolen items, child pornography, copyright violation, etc. 
(i) Email Spoofing: A spoofed email is one in which e-mail header is forged so that mail appears to originate from one source but actually has been sent from another source.
(ii) Spamming: Spamming means sending multiple copies of unsolicited mail or mass e-mail, such as chain letters.
(iii) Cyber Defamation: This occurs when defamation takes place with the help of computers and/or the Internet, e.g. someone publishes defamatory matter about a person on a website or sends e-mails containing defamatory information.
(iv) Harassment and Cyber Stalking: Cyber stalking means following the moves of an individual's activity over the Internet. It can be done through many of the available channels, such as e-mail, chat rooms and Usenet newsgroups.

(2) Cybercrimes against Property – This includes stealing mobile devices and removable media, and transmitting harmful files or programs that can disrupt the functioning of a system, wipe data from the hard disk or cause the devices attached to the system to malfunction.
(i) Credit Card Fraud:
(ii) Intellectual Property Crimes: These include software piracy (illegal copying and distribution of programs), copyright infringement, trademark violations and theft of computer source code.
(iii) Internet Time Theft: The use of Internet hours, paid for by one person, by an unauthorized person.

(3) Cybercrimes against Organisation – Cyber terrorism is one distinct crime against an organization or government. Attackers use computer tools and the Internet to terrorize the citizens of a country by stealing private information, damaging programs and files, or planting files to gain control of a network or system.
(i) Unauthorized Access to a Computer: Accessing a computer or network without permission from the owner. It can take two forms:
a) Changing/deleting data: Unauthorized modification or deletion of data.
b) Computer voyeurism: The criminal reads or copies confidential or proprietary information, but the data is neither deleted nor changed.
(ii) Denial of Service: An Internet server is flooded with a continuous stream of bogus requests so that legitimate users are denied its use, or the server crashes.
(iii) Computer Contamination / Virus Attack: A computer virus is a program that can infect other programs by modifying them to include a (possibly evolved) copy of itself. Viruses can infect files or the boot sector of a computer. Worms, unlike viruses, do not need a host program to attach themselves to.
(iv) Email Bombing: Sending a very large number of e-mails to an individual, a company or its mail servers, ultimately causing them to crash.
(v) Salami Attack: Negligible amounts are removed repeatedly and accumulated into something larger. These attacks are used to commit financial crimes.
(vi) Logic Bomb: An event-dependent program; as soon as the designated event occurs, it crashes the computer, releases a virus or causes other harm.
(vii) Trojan Horse: An unauthorized program that operates from inside what appears to be an authorized program, thereby concealing what it is actually doing.
(viii) Data Diddling: Altering raw data just before it is processed by a computer and then changing it back after the processing is completed.

(4) Cybercrimes against Society
(i) Forgery: Currency notes, revenue stamps, mark sheets etc. can be forged using computers with high-quality scanners and printers.
(ii) Cyber Terrorism: Use of computer resources to intimidate or coerce others.
(iii) Web Jacking: Hackers gain access to and control over another party's website, even changing its content, to fulfil a political objective or for money.

(5) Single Event of Cybercrime – A single event from the perspective of the victim, for example unknowingly opening an attachment that contains a virus which then infects the system. Such an event may be a hacking incident or a fraud.
(6) Series of Events – The attacker interacts with the victim repeatedly. For example, the attacker first builds a relationship with the victim by phone or in chat rooms and then exploits that relationship to commit sexual assault.
Forms of Cybercrime: Cybercrime is an act in which the computer is used as a tool for an unlawful purpose. Such activity usually involves a modification of a conventional crime through the use of computers. Some examples are:

1. Cybersquatting
• Cybersquatting is registering, selling or using a domain name with the intent of profiting from the goodwill of someone else's trademark.
• It generally refers to the practice of buying up domain names that use the names of existing businesses, with the intent of selling the names back to those businesses at a profit.
• As cybersquatting complaints have risen worldwide, ICANN (Internet Corporation for Assigned Names and Numbers) has implemented stricter standards of acceptance so that domain names are assigned with more scrutiny.
• ICANN has also put requirements in place for domain name recovery in cases where a trademark owner's registration has lapsed.
• ICANN urges trademark owners to renew their registrations yearly and to report misuse as soon as they become aware that they have neglected to re-register a domain.

2. Cyberpunk and Cyberwarfare
• Cyberpunk is a subgenre of science fiction set in a dystopian future that focuses on a "combination of low-life and high technology": advanced technological and scientific achievements such as artificial intelligence and cybernetics, juxtaposed with a degree of breakdown or radical change in the social order.
• Cyberwarfare means information warriors unleashing attacks against an unsuspecting opponent's computer networks, wreaking havoc and paralysing nations.
• Cyberwarfare has historically been associated with attacks against infrastructure.

3. Cyber Terrorism
• Cyber terrorism is the premeditated, politically motivated attack against information, computer systems, computer programs and data, resulting in violence against non-combatant targets by sub-national groups or clandestine agents.
• It can also be defined as the use of information technology and means by terrorist groups and agents.

4. Botnets
• A botnet is a group of compromised computers (zombie computers, i.e. personal computers secretly under the control of hackers) running malware under a common command-and-control infrastructure.
• The botnet operator can control the group remotely for illegal purposes, the most common being DoS attacks, adware, spyware, e-mail spam and click fraud.
5. Email Spoofing
• A spoofed e-mail is one that appears to originate from one source but has actually been sent from another.
• Email spoofing can also cause monetary damage. For instance, misinformation has been spread by sending spoofed e-mails, purportedly from news agencies such as Reuters, to share brokers and investors, telling them that certain companies were doing very badly.

6. Cyber Defamation
• This occurs when defamation takes place with the help of computers and/or the Internet.
• E.g. someone publishes defamatory matter about a person on a website, or sends e-mails containing defamatory information to all of that person's friends.

7. Cyber Stalking
• The Oxford dictionary defines stalking as "pursuing stealthily".
• Cyber stalking involves following a person's movements across the Internet: posting messages (sometimes threatening) on bulletin boards frequented by the victim, entering chat rooms frequented by the victim, constantly bombarding the victim with e-mails, etc.

8. Unauthorized Access to Computer Systems or Networks
• This activity is commonly referred to as hacking. Indian law, however, gives a different connotation to the term hacking, so the term "unauthorized access" is used here interchangeably with "hacking".
• Theft of information contained in electronic form: This includes information stored on computer hard disks, removable storage media, etc.
• Email bombing: Sending a large number of e-mails to the victim, resulting in the victim's e-mail account (for an individual) or mail servers (for a company or an e-mail service provider) crashing.

9. Data Diddling
• This kind of attack involves altering raw data just before it is processed by a computer and then changing it back after the processing is completed.
• E.g. electricity boards in India have been victims of data-diddling programs inserted when private parties were computerizing their systems.

10. Salami Attacks
• These attacks are used to commit financial crimes. The key is to make each alteration so insignificant that in a single case it would go completely unnoticed. E.g. a bank employee inserts a program into the bank's servers that deducts a small amount of money (say Rs. 5 a month) from the account of every customer. No account holder is likely to notice this unauthorized debit, but the employee collects a sizeable amount every month.
• Logic bombs are programs that are activated on the occurrence of a particular predefined event.

11. Denial of Service Attack
• This involves flooding a computer resource with more requests than it can handle, causing the resource (e.g. a web server) to crash and thereby denying authorized users the service it offers.
• A variation is the Distributed Denial of Service (DDoS) attack, in which the perpetrators are many and geographically widespread, which makes such attacks very difficult to control. The attack is initiated by sending excessive requests to the victim's computers, exceeding what the servers can support and making them crash.

12. Trojan Attacks
• A Trojan, as the program is aptly called, is an unauthorized program that operates from inside what appears to be an authorized program, thereby concealing what it is actually doing.
• Internet time theft: The use of Internet hours, paid for by one person, by an unauthorized person.
• Web jacking: This occurs when someone forcibly takes control of a website (by cracking the password and then changing it). The actual owner no longer has any control over what appears on that website.
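The e-mail spoofing described in item 5 can be recognized from the headers that the receiving mail server itself adds (Received, Authentication-Results), because the From, Return-Path and Message-ID headers are written by the sender and can say anything. The following Python script is an added example and not part of these notes: it parses two constructed messages (the domains, hosts, addresses and mail IDs are invented) and lists the inconsistencies a mail administrator would look for.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not real mail). SPOOFED claims to come from a news
# wire but was relayed by an unrelated mailer and failed SPF at our own MX;
# LEGITIMATE is consistent end to end. All domains are made up.
SPOOFED = b"""Return-Path: <bounce@mailer.example.net>
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby mail.victim.example (Postfix) with ESMTP id ABC123
\tfor <broker@victim.example>; Mon, 01 Jan 2024 10:00:00 +0000
Authentication-Results: mail.victim.example; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: "Newswire Alerts" <alerts@newswire.example>
To: broker@victim.example
Subject: Urgent: quarterly results
Message-ID: <1@mailer.example.net>

The company's results are far worse than reported. Sell now.
"""

LEGITIMATE = b"""Return-Path: <alerts@newswire.example>
Received: from mail.newswire.example (mail.newswire.example [198.51.100.5])
\tby mail.victim.example (Postfix) with ESMTPS id DEF456
\tfor <broker@victim.example>; Mon, 01 Jan 2024 11:00:00 +0000
Authentication-Results: mail.victim.example; spf=pass smtp.mailfrom=newswire.example; dkim=pass header.d=newswire.example
From: "Newswire Alerts" <alerts@newswire.example>
To: broker@victim.example
Subject: Quarterly results published
Message-ID: <2@newswire.example>

Results are in line with guidance.
"""


def _domain(value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower()


def _auth_results(msg):
    """Verdicts (spf/dkim/dmarc -> result) from Authentication-Results headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def spoofing_indicators(raw):
    """Return the reasons a message looks spoofed (empty list if it is consistent).

    Disagreement between sender-written headers is a signal, not proof: some
    bulk mailers legitimately use a separate bounce domain, so treat each
    indicator as a score, not a verdict.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = _domain(str(msg.get("From", "")))
    reasons = []

    rp_dom = _domain(str(msg.get("Return-Path", "")))
    if rp_dom and rp_dom != from_dom:
        reasons.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")

    mid_dom = _domain(str(msg.get("Message-ID", "")))
    if mid_dom and mid_dom != from_dom:
        reasons.append(f"Message-ID domain {mid_dom} differs from From domain {from_dom}")

    received = msg.get_all("Received", [])
    if received:  # the first Received header is the hop written by our own MX
        m = re.match(r"from\s+([\w.-]+)", str(received[0]).strip(), re.I)
        if m and not m.group(1).lower().endswith(from_dom):
            reasons.append(f"last hop {m.group(1)} is not in From domain {from_dom}")

    verdicts = _auth_results(msg)
    if not verdicts:
        reasons.append("no Authentication-Results header: SPF/DKIM were never checked")
    else:
        if verdicts.get("spf") in {"fail", "softfail"}:
            reasons.append(f"SPF {verdicts['spf']}")
        if verdicts.get("dkim", "none") != "pass":
            reasons.append(f"DKIM {verdicts.get('dkim', 'none')}")
        if verdicts.get("dmarc") == "fail":
            reasons.append("DMARC fail")
    return reasons


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, spoofing_indicators(raw) or ["no indicators"])
```

Run it and the spoofed message produces five indicators while the legitimate one produces none. In production the same checks are what SPF, DKIM and DMARC automate at the receiving MX; the script is useful for triaging a reported message whose headers you have in front of you.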
3.2 CYBER OFFENSES

HACKING
• Hacking is identifying weaknesses in computer systems or networks and exploiting them to gain access. Example: using a password-cracking tool to gain access to a system.
• Computers have become essential to running a successful business. It is not enough to have isolated computer systems; they need to be networked to facilitate communication with external businesses, and this exposes them to the outside world and to hacking.
• Hacking, in the criminal sense, means using computers to commit fraudulent acts such as fraud, privacy invasion, theft of corporate or personal data, etc.
• Cybercrime costs many organizations millions every year, so businesses need to protect themselves against such attacks.
• A hacker is a person who finds and exploits weaknesses in computer systems and/or networks to gain access. Hackers are usually skilled programmers with knowledge of computer security.
• Hackers are classified according to the intent of their actions:
1. Ethical Hacker (White hat): A hacker who gains access to systems with a view to fixing the identified weaknesses. They may also perform penetration testing and vulnerability assessments.
2. Cracker (Black hat): A hacker who gains unauthorized access to computer systems for personal gain. The intent is usually to steal corporate data, violate privacy rights, transfer funds from bank accounts, etc.
3. Grey hat: A hacker who is in between ethical and black hat hackers. He/she breaks into computer systems without authority with a view to identifying weaknesses and revealing them to the system owner.
4. Script kiddie: An unskilled person who gains access to computer systems using ready-made tools.
5. Hacktivist: A hacker who uses hacking to send social, religious, political or similar messages, usually by hijacking websites and leaving the message on the hijacked site.
6. Phreaker: A hacker who identifies and exploits weaknesses in telephone systems rather than computers.

CYBER CRIMINALS
• A cybercriminal is an individual who commits cybercrimes, using the computer as a tool, as a target or as both.
• Cybercriminals use computers in three broad ways:
1. As their target: These criminals attack other people's computers to perform malicious activities such as spreading viruses, data theft, identity theft, etc.
2. As their weapon: They use the computer to carry out "conventional" crime such as spam, fraud, illegal gambling, etc.
3. As an accessory: They use the computer to store stolen or illegal data.

Categories of cybercriminals:
1. Hacker:
• The term hacker may refer to anyone with technical skills; however, it typically refers to an individual who uses those skills to gain unauthorized access to systems or networks in order to commit crimes.
• The intent behind the intrusion determines whether the attacker is classed as a white, grey or black hat. White hat attackers break into networks or PC systems to find weaknesses in order to improve the protection of those systems.
(a) White Hat Hackers: These hackers use their programming skills for good and lawful purposes. They may perform network penetration tests, attempting to compromise networks in order to discover vulnerabilities, which are then reported to the developers so that they can be fixed.
(b) Grey Hat Hackers: These hackers commit violations and do seemingly unethical things, but not for personal gain or to cause harm. They may, for example, disclose a vulnerability to the affected organization after having compromised its network.
(c) Black Hat Hackers: These hackers are unethical criminals who violate network security for personal gain. They exploit vulnerabilities to compromise computer systems.
2. Organized Hackers: These criminals include organizations of cybercriminals, hacktivists, terrorists and state-sponsored hackers. Cybercriminals are typically teams of skilled criminals focused on control, power and wealth. They are highly sophisticated and organized, and may even offer crime as a service. Such attackers are usually well trained and well funded.
3. Internet Stalkers: People who maliciously monitor the web activity of their victims to acquire personal data. This is conducted through social networking platforms and through malware able to track an individual's PC activity with little or no detection.
4. Disgruntled Employees:
• Disgruntled employees can become hackers with a particular motive and commit cybercrimes.
• It may be hard to believe that dissatisfied employees can become such malicious hackers; formerly their only option was to go on strike against their employer.
• With the advance of technology, the increase in computer-based work and the automation of processes, it is now simple for disgruntled employees to do far more damage to their employer and organization by committing cybercrimes.
• Attacks by such employees can bring an entire system down.

CYBERCRIMINAL BEHAVIOUR (How cyber criminals plan cyber-attacks)
• Cybercriminals use many tools and methods to locate the vulnerabilities of their victim. The victim can be an individual and/or an organization.
• Criminals plan either passive attacks or active attacks.
• Attackers can also be categorized as inside attackers or outside attackers. An attack performed from within the organization is an inside attack, whereas an attacker who obtains information from outside performs an outside attack.
• Inside attacks are generally more dangerous than outside attacks, because the inside attacker has access to more resources than an outsider.

Three major phases are involved in planning a cybercrime:
1. Reconnaissance (gathering information)
2. Scanning and scrutinizing the gathered information
3. Launching the attack

(1) RECONNAISSANCE
• This is the first step towards a cyber-attack and is a kind of passive attack. "Reconnaissance" means an act of reconnoitring: in this phase the attacker tries to explore and gain every possible piece of information about the target.
• In the hacking world this starts with "footprinting". Footprinting gives the overall system structure, its loopholes and the vulnerabilities that can be explored. The attacker uses this phase to understand the system, personal information, network ports and services. Two kinds of activity are used to gather this information.
(a) Passive attacks: Passive attacks are used to gain information about an individual or organization without the target's knowledge, and can expose confidential information. Passive reconnaissance has become much easier today:
• Search engines: gather information by searching on Google or other search engines.
• Social media: search Facebook, Twitter, LinkedIn, etc. (users should configure their privacy settings properly to limit this).
• Organization website: the attacker may obtain employee information from the organization's own website.
• Blogs and press releases: these are newer sources from which an attacker can easily get company or individual information.
• Job postings: a job profile provides valuable information about a person, and a job profile for a technical post can reveal the technology (software, servers, databases, network devices) a company uses on its network.
• Network sniffing: used to gather information such as IP addresses, network ranges, hidden servers and other valuable services on the network.
(b) Active attacks: Active attacks are mostly used to manipulate or alter the system and may affect the integrity, authenticity and availability of data. The information from the passive phase is the input to the active phase: here the attacker verifies the gathered information (IP addresses, network range, hidden servers, personal information). This is very important from the attacker's point of view, since it also reveals the target's security measures.

(2) SCANNING AND SCRUTINIZING
In this phase the attacker validates the collected information and finds out the existing vulnerabilities. It is the key phase before the actual attack happens.
• Port scanning: identify all ports and services (open/closed).
• Network scanning: verify IP addresses and network information before the attack.
• Vulnerability scanning: check for loopholes in the system.
The scrutinizing phase is also called enumeration:
• Validate user accounts and groups.
• Find the list of network resources and how many network devices are shared.
• Identify the different types of OS and applications.

(3) LAUNCHING THE ATTACK
Using the information from step two, the attacker launches the actual attack to gain control of the system:
1. Crack the password.
2. Exploit the privilege.
3. Execute malicious commands.
4. Hide the files.
5. Finally, and most importantly, cover the tracks.
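Phase 2 above (port scanning followed by enumeration) can be shown with a small TCP connect scanner and a banner grab. The following Python program is an added example and not part of these notes; it starts a local stand-in service with an invented banner so that it can be run offline against 127.0.0.1, which is also the only host it should be pointed at without written authorization from the system owner.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def tcp_connect_scan(host, ports, timeout=0.5, workers=64):
    """Return the sorted list of ports on host that accept a TCP connection.

    A full-connect scan completes the three-way handshake, so every probe is
    visible in the target's connection logs (unlike a raw SYN scan); that is
    also what lets it run without raw-socket privileges.
    """
    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            return port if s.connect_ex((host, port)) == 0 else None

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(p for p in pool.map(probe, ports) if p is not None)


def grab_banner(host, port, timeout=1.0):
    """Enumeration step: read whatever the service volunteers on connect,
    which usually names the software and version (the OS/application step)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256).decode("ascii", "replace").strip()
        except socket.timeout:
            return ""


def start_fake_service(banner):
    """Stand-in for a real network service (constructed for the demo): listens on
    an ephemeral localhost port and greets every client with `banner`.
    Returns (server_socket, port); close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:     # server socket closed -> stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass        # the scanner hung up before reading; fine

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


if __name__ == "__main__":
    # Only scan hosts you are authorised to test; here the target is ourselves.
    srv, port = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")   # banner is invented
    candidates = range(port - 5, port + 6)
    found = tcp_connect_scan("127.0.0.1", candidates)
    print("open ports:", found)
    for p in found:
        print(p, "->", grab_banner("127.0.0.1", p) or "(silent)")
    srv.close()
```

Replace the range with 1..1024 to sweep the well-known ports; the thread pool keeps the sweep fast, but a single source address opening hundreds of connections in a few seconds is exactly the pattern an IDS flags, which is why real reconnaissance is spread out over time and sources.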
ATTACK VECTOR
• An attack vector is a path or means by which an attacker can gain unauthorized access to a computer or network to deliver a payload or malicious outcome.
• Attack vectors allow attackers to exploit system vulnerabilities, install different types of malware and launch cyber-attacks.
• Attack vectors can also be exploited to gain access to sensitive data, personally identifiable information (PII) and other sensitive information, resulting in a data breach.
• Common attack vectors include malware, viruses, e-mail attachments, web pages, pop-ups, instant messages, text messages and social engineering.

COMMON ATTACK VECTORS
Compromised credentials: Usernames and passwords are still the most common type of access credential and continue to be exposed in data leaks, phishing scams and by malware. Once lost, stolen or exposed, credentials give attackers unfettered access.
Weak credentials: Weak passwords and reused passwords mean that one data breach can lead to many more. Teach your organization how to create a secure password, invest in a password manager or a single sign-on tool, and educate staff on their benefits.
Malicious insiders: Disgruntled employees can expose private information or provide information about company-specific vulnerabilities.
Missing or poor encryption: Transport security such as TLS (with properly validated certificates) protects the confidentiality of data in transit and prevents man-in-the-middle attacks, and DNSSEC authenticates DNS answers so that traffic cannot be silently redirected. Missing or poor encryption of data at rest can mean that sensitive data or credentials are exposed in the event of a breach.
Misconfiguration: Misconfiguration of cloud services such as Google Cloud Platform, Microsoft Azure or AWS, or the use of default credentials, can lead to data breaches and data leaks; check your S3 bucket permissions before someone else does. Automate configuration management where possible to prevent configuration drift.
Ransomware: Ransomware is a form of extortion in which data is encrypted (or deleted) unless a ransom is paid. Minimize its impact by keeping systems patched and by backing up important data, keeping the backups where the attacker cannot reach them.
Phishing: Phishing is a social engineering technique in which the target is contacted by e-mail, telephone or text message by someone posing as a legitimate colleague or institution, to trick them into providing sensitive data, credentials or personally identifiable information (PII).
Vulnerabilities: New vulnerabilities are added to the CVE list every day, and zero-day vulnerabilities (flaws for which no patch yet exists) are found just as regularly. If the vendor has not released a patch before an attacker exploits the flaw, it is hard to prevent; compensating controls such as least privilege and network segmentation limit the damage.
Brute force: Brute-force attacks are based on trial and error: the attacker repeatedly guesses passwords or keys until one works, and may keep trying against your organization until some attempt succeeds. Weak passwords and weak encryption are the usual targets; rate limiting and account lockout are the usual defences.
Distributed Denial of Service (DDoS): DDoS attacks target networked resources such as data centres, servers or websites and limit the availability of a computer system. The attacker floods the resource with messages that cause it to slow down or even crash, making it inaccessible to users. Potential mitigations include CDNs and proxies.
SQL injection: SQL (Structured Query Language) is the language used to communicate with relational databases, and many of the servers that store sensitive data use it. An SQL injection supplies malicious SQL through application input so that the server executes it and exposes, or modifies, information it otherwise would not. This is a huge risk when the database stores customer information, card numbers, credentials or other PII.
Trojans: Trojan horses are malware that mislead users by pretending to be a legitimate program, and are often spread via infected e-mail attachments or fake software.
Cross-site scripting (XSS): XSS attacks inject malicious script into a website; the website itself is not the victim, rather its visitors are, because the script runs in their browsers. A common way of deploying a stored XSS attack is to inject the code into user-supplied content, e.g. embedding malicious JavaScript in a blog post's comment section.
Session hijacking: When you log into a service, it generally gives your browser a session key or cookie so that you do not need to log in again. If an attacker steals this cookie, they can use it to act as you and gain access to sensitive information.
Man-in-the-middle attacks: Public Wi-Fi networks can be exploited to perform man-in-the-middle attacks and intercept traffic that was meant to go elsewhere, such as when you log into a secure system.
Third- and fourth-party vendors: The rise in outsourcing means that your vendors (and their vendors) pose a significant cybersecurity risk to your customers' data and your proprietary data. Some of the biggest data breaches have been caused by third parties.
CLARIFICATION OF TERMS
• Many debates rage over the appropriate codification of crime committed via electronic means, and controversy surrounds the semantics associated with the phenomenon.
• For clarification purposes, then, it is necessary to define the historical usage of the terms associated with technological or electronic crime.
1. Computer crime – a general term used to denote any criminal act facilitated by computer use. This generalization has included both Internet and non-Internet activity. Examples include theft of components, counterfeiting, digital piracy or copyright infringement, hacking, and child pornography.
2. Computer-related crime – a broad term used to encompass those criminal activities in which a computer was peripherally involved. Examples include traditional bookmaking and theft.
3. Digital crime – a term used to refer to any criminal activity involving the unauthorized access, dissemination, manipulation, destruction or corruption of electronically stored data.
4. Cybercrime – a specific term used to refer to any criminal activity committed through or facilitated by the Internet.
• Computer crime has traditionally been defined as any criminal act committed via computer.
• Computer-related crime has been defined as any criminal act in which a computer is involved, even peripherally.
• Cybercrime has traditionally encompassed abuses and misuses of computer systems, or of computers connected to the Internet, which result in direct and/or concomitant losses.
• Finally, digital crime, a relatively new term, includes any criminal activity involving the unauthorized access, dissemination, manipulation, destruction or corruption of electronically stored data. As data may be accessed or stored in a variety of ways and in a variety of locations, digital crime may be characterized according to those characteristics.
• In these notes, computer crime and computer-related crime are used interchangeably, while cybercrime is used only for criminal activity facilitated via the Internet.
• While it is desirable to establish an environment in which computers are viewed as potential evidence containers in any case, redefining traditional predatory crime as cybercrime or computer crime is absurd.
TRADITIONAL PROBLEMS ASSOCIATED WITH COMPUTER CRIME
(1) Recognizing the Criminal
• Individuals seeking to commit crime have always displayed a remarkable ability to adapt to changing technologies, environments and lifestyles.
• This adaptability has often placed law enforcement at a disadvantage, struggling to keep up with criminal innovations.
• Indeed, the law enforcement community has often failed to recognize the criminal potential of emerging technologies until it is almost too late, and this has proved true in contemporary society.
• Much computer-related crime involves non-specialist users (e.g. child pornographers, narcotics traffickers and predators).
• In fact, the earliest computer crimes were non-technological in character: theft of computer components and software piracy were particular favourites. Hacking, DDoS attacks, phishing, botnets and other technologically complicated computer crimes came later.
(2) Information Retrieval
• The increasing volume of potential data to examine creates a problem for law enforcement. Collecting the specific, probative, crime-related information from a very large group of files is a real challenge.
(3) Data Representation: understanding the raw data and its structure
• There are two aspects to the technical challenge faced in data investigation:
1. Complexity problem – acquired data is typically in its lowest, rawest form.
2. Quantity problem – the sheer volume of data to analyse.
• File allocation and storage structure – the FAT file system is still used on many computers. It is divided into three main areas:
a) Boot sector – contains the addresses and sizes of the structures in the specific file system.
b) FAT – the File Allocation Table.
c) Data area – divided into groups of consecutive sectors called clusters. Clusters store the contents of files and directories.
(4) Data Privacy Issues
• Although digital evidence is not unique with regard to relevance and materiality, there is still a challenge involved: digital evidence can easily be duplicated and modified without leaving any trace.
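To make the "data representation" problem concrete, the following Python program is an added example (not from these notes) that decodes a FAT12/16 boot sector from its raw bytes and derives what an examiner needs before anything else: where the FATs, the root directory and the data area begin, and how to turn a cluster number into a byte offset in the image. The boot sector it parses is constructed for the demonstration, not taken from a real device.

```python
import struct

# FAT12/16 BIOS Parameter Block, offsets 0x00-0x23, little-endian. FAT32 volumes
# extend the BPB (32-bit sectors-per-FAT at 0x24 etc.); this parser does not read that.
_BPB = struct.Struct("<3s8sHBHBHHBHHHII")
_FIELDS = ("jump", "oem", "bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
           "num_fats", "root_entries", "total_sectors_16", "media", "sectors_per_fat",
           "sectors_per_track", "heads", "hidden_sectors", "total_sectors_32")


def parse_fat_boot_sector(sector):
    """Decode the raw boot sector into the volume geometry.

    Returns the BPB fields plus derived start sectors, cluster count and FAT type.
    Raises ValueError if the 0x55AA signature is missing or the BPB is implausible,
    which on a real image usually means the boot sector is damaged or overwritten.
    """
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature: not a boot sector (or damaged)")
    geom = dict(zip(_FIELDS, _BPB.unpack_from(sector, 0)))
    bps = geom["bytes_per_sector"]
    if bps not in (512, 1024, 2048, 4096) or geom["sectors_per_cluster"] == 0:
        raise ValueError("implausible BPB values")
    total = geom["total_sectors_16"] or geom["total_sectors_32"]
    root_sectors = -(-geom["root_entries"] * 32 // bps)        # ceiling division
    geom["fat_start_sector"] = geom["reserved_sectors"]
    geom["root_dir_start_sector"] = geom["reserved_sectors"] + geom["num_fats"] * geom["sectors_per_fat"]
    geom["data_start_sector"] = geom["root_dir_start_sector"] + root_sectors
    geom["total_sectors"] = total
    geom["cluster_count"] = (total - geom["data_start_sector"]) // geom["sectors_per_cluster"]
    # Microsoft's rule: the FAT variant is decided by the cluster count alone.
    geom["fat_type"] = ("FAT12" if geom["cluster_count"] < 4085
                        else "FAT16" if geom["cluster_count"] < 65525 else "FAT32")
    return geom


def cluster_to_offset(geom, cluster):
    """Byte offset of a data cluster in the image; numbering starts at 2 (0 and 1 are reserved)."""
    if cluster < 2 or cluster - 2 >= geom["cluster_count"]:
        raise ValueError(f"cluster {cluster} is outside the data area")
    sector = geom["data_start_sector"] + (cluster - 2) * geom["sectors_per_cluster"]
    return sector * geom["bytes_per_sector"]


def sample_boot_sector():
    """Constructed boot sector of a 32 MB FAT16 volume (not an image from a real device):
    512-byte sectors, 4 sectors per cluster, 1 reserved sector, 2 FATs of 64 sectors,
    512 root entries, 65536 sectors in total (so the 16-bit total field is 0)."""
    bpb = _BPB.pack(b"\xEB\x3C\x90", b"MSDOS5.0", 512, 4, 1, 2, 512, 0, 0xF8, 64, 63, 255, 0, 65536)
    return bpb + b"\x00" * (510 - len(bpb)) + b"\x55\xAA"


if __name__ == "__main__":
    g = parse_fat_boot_sector(sample_boot_sector())
    for key in ("fat_type", "fat_start_sector", "root_dir_start_sector", "data_start_sector", "cluster_count"):
        print(f"{key:>22}: {g[key]}")
    print("cluster 2 begins at byte", cluster_to_offset(g, 2))
```

Run against the constructed sector it reports a FAT16 volume whose data area starts at sector 161, so cluster 2 (the first cluster a file can occupy) begins at byte 82432; that is the offset you would seek to in a raw image to carve the first file, and the FAT at sector 1 is where the chain of clusters for each file is followed.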
3.3 INTRODUCTION TO INCIDENT RESPONSE
• Incident response (IR) is a structured methodology for handling security incidents, breaches and cyber threats.
• A well-defined incident response plan allows you to identify an attack effectively, minimize the damage and reduce the cost of a cyber-attack, while finding and fixing the cause to prevent future attacks.
• Incident management refers to the handling of any type of service disruption or interruption, including preventing and handling computer security incidents.
• The primary focus is identifying and minimizing the impact of technical vulnerabilities in software or hardware that may expose computing infrastructure to attack or compromise and thereby cause incidents.
• A computer security incident is any adverse event that compromises some aspect of computer or network security. An event is an occurrence in a system that is relevant to the security of that system.
• Incidents include, but are not limited to:
1. Loss of computing devices
2. Detection or discovery of a malicious program agent such as a virus or keystroke logger
3. Detection or discovery of unauthorized users
4. Detection or discovery of a critical or widespread vulnerability, misconfiguration, etc.
5. A misconfiguration that leads to a compromise affecting the confidentiality or availability of information
• From a risk perspective, cyber security incidents are classified as:
1. High-risk incident
2. Low-risk incident
• An incident is high-risk when it meets any one of the following criteria, and low-risk otherwise:
1. It involves a keylogger, rootkit, remote access agent, password-cracking agent, or a new threat from an unknown vector.
2. It involves a server with the loss of confidential or operationally critical data.
• Based on the impact and urgency of the incident, a priority level is determined:
1. High priority – incidents having a huge impact on the organization's business or on service to customers.
2. Medium priority – incidents having a significant impact, or the potential for a huge impact, on the organization's business or service to customers.
3. Low priority – incidents having minimal impact on the organization's business or service to customers.

EVIDENCE
Evidence means or includes:
1. Oral evidence – all statements which the court permits or requires to be made before it by witnesses, in relation to matters of fact under inquiry.
2. Documentary evidence – all documents produced for the inspection of the court.
3. Digital evidence – a new breed of evidence which, by its very nature, is developed using tools other than the human eye. Digital evidence work involves data acquisition, preservation, recovery and analysis, and arises in cases of intellectual property theft, computer misuse, corporate policy violation, malicious software/applications, system intrusion and compromise, recovery of deleted and hidden files, pornography, confidential information leakage, etc.

Contexts involved in identifying a piece of digital evidence:
1. Physical context – it must be definable in its physical form, that is, it must reside on a specific piece of media.
2. Logical context – it must be identifiable by its logical position, that is, where it resides relative to the file system.
3. Legal context – it must be placed in the correct context to read its meaning. This may require looking at the evidence at the level of its machine representation, e.g. as ASCII.

DIGITAL FORENSICS
• "Forensic" describes a characteristic of evidence that satisfies its suitability for admission as fact and its ability to persuade based upon proof or a high statistical confidence level.
• Computer forensics is the lawful and ethical seizure, acquisition, analysis, reporting and safeguarding of data and metadata derived from digital devices which may contain information of note, and perhaps of evidentiary value, to the trier of fact in managerial, administrative, civil and criminal investigations.
• Digital forensics is the use of scientifically derived and proven methods for the identification, collection, validation, analysis, interpretation, preservation, documentation and presentation of digital evidence derived from digital sources, for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.
DIGITAL FORENSICS – TYPES
Digital forensics is a constantly evolving scientific field with many sub-disciplines. Some of these sub-disciplines are:
1. Computer Forensics – the identification, preservation, collection, analysis and reporting on evidence found on computers, laptops and storage media in support of investigations and legal proceedings.
2. Network Forensics – the monitoring, capture, storing and analysis of network activities or events in order to discover the source of security attacks, intrusions or other problem incidents, i.e. worm, virus or malware attacks, abnormal network traffic and security breaches.
3. Mobile Devices Forensics – the recovery of electronic evidence from mobile phones, smartphones, SIM cards, PDAs, GPS devices, tablets and game consoles.
4. Digital Image Forensics – the extraction and analysis of digitally acquired photographic images to validate their authenticity by recovering the metadata of the image file to ascertain its history.
5. Digital Video/Audio Forensics – the collection, analysis and evaluation of sound and video recordings. The science is the establishment of authenticity as to whether a recording is original and whether it has been tampered with, either maliciously or accidentally.
6. Memory Forensics – the recovery of evidence from the RAM of a running computer, also called live acquisition.

ROLE OF DIGITAL FORENSICS
 In general, the role of digital forensics is to:
1. Uncover and document evidence and leads
2. Corroborate (verify) evidence discovered in other ways
3. Assist in showing a pattern of events
4. Connect attack and victim computers
5. Reveal an end-to-end path of events leading to a compromise attempt, successful or not
6. Extract data that may be hidden, deleted or otherwise not directly available

DIGITAL FORENSICS LIFE CYCLE
 The digital forensics process needs to be understood in the legal context, starting from preparation of the evidence to testifying.
 Digital forensics evidence consists of exhibits, each consisting of a sequence of bits, presented by a witness in a legal matter to help jurors establish the facts of the case and support or refute legal theories of the case.
 These exhibits should be introduced, presented and/or challenged by properly qualified people using a properly applied methodology that addresses the legal theories at issue.

DIGITAL FORENSICS PROCESS – PHASES
 The digital forensics life cycle involves the following phases:
1. Preparation and Identification
2. Collection and Recording
3. Storing and Transporting
4. Examination/Investigation
5. Analysis, Interpretation and Attribution
6. Reporting
7. Testifying

Phase – 1: Preparing for the Evidence and Identifying the Evidence
 It is the first step in the forensic process. The identification process mainly includes things like what evidence is present, where it is stored, and lastly, how it is stored (in which format).
 First the evidence must be identified as evidence. The challenges include:
o There is an enormous amount of potential evidence available for a legal matter.
o The majority of the potential evidence may never get identified.
 Under this phase, the professionals search for the devices involved in carrying out the crime.
 Consider every sequence of events within a computer that causes interaction with the files and the file system, the other processes and programs they are executing, producing and managing, and the log files and audit trails.

Phase – 2: Collecting and Recording Digital Evidence
 After the search and seizure phase, professionals use the acquired devices to collect data.
 They have well-defined forensic methods for evidence handling.
 Digital evidence can be collected from many sources. Obvious sources include computers, mobile phones, digital cameras, HDDs, CD-ROMs, USB memory devices and so on. Non-obvious sources include the settings of a digital thermometer, the black box inside an automobile, RFID tags, web pages, etc.
 In order to detect any change that has taken place, or to confirm that data has been reverted to its original state, calculate the cryptographic hash of each evidence file and record that hash value.

Phase – 3: Storing and Transporting Digital Evidence
 The forensic staff should have access to a safe environment where they can secure the evidence.
 They determine if the collected data is accurate, authentic and accessible. As evidence is a fragile form of data, it can be altered and damaged easily.
 It is crucial that professionals handle digital evidence with care.
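The hashing and chain-of-custody steps described in Phases 2 and 3 above, as an added worked example that is not part of the original notes: it hashes an acquired image in chunks, confirms that a working copy is bit-for-bit identical to the original, and appends each handling event to a chain-of-custody log. The exhibit id, file names and file contents are constructed for the demonstration.

```python
"""Hash an evidence image, verify a working copy against it, and append
chain-of-custody records. Added example; exhibit ids, paths and contents
are constructed, not taken from any real case."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hex digest of a file, read in chunks so a multi-GB image never has
    to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_copy(original, working_copy, algorithm="sha256"):
    """True only if the working copy is bit-for-bit identical to the original."""
    return hash_file(original, algorithm) == hash_file(working_copy, algorithm)


def record_custody_event(log_path, exhibit_id, action, handler, digest):
    """Append one chain-of-custody entry as a JSON line: who did what to which
    exhibit, when (UTC), and the hash observed at that moment."""
    entry = {
        "exhibit_id": exhibit_id,
        "action": action,
        "handler": handler,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "sha256": digest,
    }
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def read_custody_log(log_path):
    with open(log_path, encoding="utf-8") as f:
        return [json.loads(line) for line in f if line.strip()]


def demo(workdir):
    """Simulate an acquisition with a constructed 'disk image', an exact
    working copy and a copy with one altered byte.
    Returns (copy_verified, tampered_verified, custody_entries)."""
    image = os.path.join(workdir, "EXHIBIT-001.dd")            # constructed
    copy = os.path.join(workdir, "EXHIBIT-001.working.dd")
    tampered = os.path.join(workdir, "EXHIBIT-001.tampered.dd")
    log = os.path.join(workdir, "custody.jsonl")

    payload = b"MBR" + bytes(range(256)) * 64                    # constructed contents
    for p in (image, copy):
        with open(p, "wb") as f:
            f.write(payload)
    with open(tampered, "wb") as f:
        f.write(payload[:-1] + b"\x00")                           # last byte changed

    digest = hash_file(image)
    record_custody_event(log, "EXHIBIT-001", "acquired", "examiner-A", digest)
    record_custody_event(log, "EXHIBIT-001", "verified-copy", "examiner-B", hash_file(copy))
    return verify_copy(image, copy), verify_copy(image, tampered), len(read_custody_log(log))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(demo(d))   # (True, False, 2)
```

Record the digest at acquisition and compare it every time the exhibit changes hands or a new working copy is made; a mismatch means that copy is set aside rather than examined, and the custody log shows exactly when the divergence appeared.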
Practices to be followed in handling digital evidence:
1. Image computer media using a write-protected tool to ensure that no data is added to the suspect device.
2. Establish and maintain the chain of custody.
3. Document everything that has been done.
4. Use tools and methods that have been tested and evaluated.
 Storage of the digital media involves any number of requirements, ranging over temperature, humidity, power supply level, etc.
 Sometimes evidence must be transported from place to place with adequate care. Digital evidence can generally be transported by making exact bit-level duplicates of the original content.

Phase – 4: Examining and Investigating Digital Evidence
 Traditionally, computer forensics investigations were performed on data at rest, known as dead analysis, whereas performing analysis on a live system is known as live analysis.
 Computer forensics software packages convert an entire digital medium into a single searchable file called an 'image'.
 During imaging, a write-blocked device or application is normally used to ensure that no information is introduced onto the evidentiary media during the forensics process.

Phase – 5: Analysis, Interpretation and Attribution
 Basically, all digital evidence must be analysed to determine the type of information that is stored upon it.
 Typical forensic analysis includes a manual review of material on the media; an example of OS-specific investigation is reviewing the Windows registry.
 Types of digital analysis:
1. Media Analysis
2. Media Management Analysis
3. File System Analysis
4. Application Analysis
5. Network Analysis
6. Image Analysis
7. Video Analysis

Phase – 6: Reporting
 Once the analysis is complete, a report is generated. The report may be in written form or an oral testimony, or it may be a combination of the two.
 Finally, evidence, analysis, interpretation and attribution must ultimately be presented in the form of expert reports, depositions and testimony.
 The major elements of the report are:
1. Identity of the reporting agency
2. Case identifier and submission number
3. Case investigation
4. Identity of the submitter
5. Date of receipt
6. Date of report
7. Descriptive list of items submitted for examination, including serial number, make and model
8. Identity and signature of the examiner
9. Description of steps taken during examination
10. Results and conclusion

Phase – 7: Testifying
 This phase involves the presentation and cross-examination of expert witnesses.
 Digital forensics evidence is normally introduced by expert witnesses, except in cases where a non-expert can bring clarity to non-scientific issues by stating what they observed.
 An expert witness can address issues based on scientific, technical or other specialized knowledge.
 A witness qualified as an expert by knowledge, skill, experience, training or education may testify in the form of an opinion.

Digital forensics process – Activities
The digital forensics process involves the following activities:
1. Prepare – Case briefing, engagement terms, interrogatories, spoliation prevention, disclosure and discovery planning, discovery requests.
2. Record – Drive imaging, indexing, profiling, search plans, cost estimates, risk analysis.
3. Investigate – Triage images, data recovery, keyword searches, hidden data review, communicate, iterate.
4. Report – Oral vs. written, relevant document production, search statistic reports, chain of custody reporting, case log reporting.
5. Testify – Testimony preparation, presentation preparation and testimony.

Digital forensics – Advantages and Limitations
Advantages of Digital Forensics
1. To ensure the integrity of the computer system.
2. To produce evidence in the court, which can lead to the punishment of the culprit.
3. It helps companies to capture important information if their computer systems or networks are compromised.
4. Efficiently tracks down cybercriminals from anywhere in the world.
5. Helps to protect the organization's money and valuable time.
6. Allows one to extract, process and interpret the factual evidence, so that it proves the cybercriminal's actions in court.

Disadvantages of Digital Forensics
1. Digital evidence is accepted into court; however, it must be proved that there has been no tampering.
2. Producing electronic records and storing them is an extremely costly affair.
3. Legal practitioners must have extensive computer knowledge.
4. Need to produce authentic and convincing evidence.
5. If the tool used for digital forensics is not according to specified standards, then in a court of law the evidence can be rejected by the judge.
6. Lack of technical knowledge on the part of the investigating officer might not produce the desired result.

COMPUTER LANGUAGE
 There are three basic components of every computer system which are designed to input, analyse and output data: hardware, software and firmware.
 Before discussing computer crime, cybercrime and computer forensics, it is necessary to discuss the nature of information, as computers are the mechanism through which raw information (i.e., data) is processed. Although raw data may seem intimidating or complex to understand, the structure of data is actually very basic, and is based on a binary language. The smallest piece of data is called a bit. Each bit has two possible electrical states, ON (1) or OFF (0).
 Thus, raw data is a series of 1s and 0s. Of course, raw data is difficult for users to interpret, so computers group bits together to provide identifiable meaning. The smallest such grouping occurs when eight bits are combined to form a byte. Each byte of data represents a letter, number or character.
 As the emphasis on stored information has increased, so has the data capacity of computers, from kilobytes (KB) to megabytes (MB) to gigabytes (GB) and now terabytes (TB).
 Components of the computer:
o Hardware: input devices, output devices, CPU, memory, HDD, FDD, USB drives.
o Software: boot sequence, OS, application software.

NETWORK LANGUAGE
 Increasingly, network language is dominating the computer landscape, so it is essential that computer investigators understand the language behind the technology.
 The most commonly used terms are:
1. TCP/IP (Transmission Control Protocol/Internet Protocol) refers to the suite of protocols that define the Internet. More specifically, TCP is a method of communication between programs which enables a bit-stream transfer of information. Originally proposed and designed as the standard protocol for ARPANet (the precursor of today's Internet), TCP/IP software is now available for every computer operating system.
2. IMAP (Internet Message Access Protocol) is a method of accessing electronic mail or bulletin board messages that are kept on a (possibly shared) mail server. This technology is increasingly important as reliance on electronic messaging and use of multiple computers increase, but this functionality cannot be taken for granted: the widely used Post Office Protocol (POP) works best when one has only a single
computer, since it was designed to support "off-line" message access, wherein messages are downloaded and then deleted from the mail server.
3. Routers are defined as special-purpose computers (or software packages) that handle the connection between two or more networks. Routers spend all their time looking at the destination addresses of the packets passing through them and deciding which route to send them on. Routers are analogous to the switches found within telephone systems, the same switches that have proven irresistible to phone phreakers and their contemporary counterparts. Hubs are central switching devices for communications lines in a star topology. They may add nothing to the transmission (passive hub) or may contain electronics that regenerate signals to boost strength as well as monitor activity (active hub, intelligent hub).
4. Packets are defined as units of data exchanged between host computers. Typically, they are further distinguished as headers and data. Packet switching refers to the method used to move data around on the Internet.
5. Cookies are small pieces of information that an HTTP server sends to the individual browser upon the initial connection. Not all browsers support cookies; however, most popular browsers do. These cookies are stored on an individual's hard drive for retrieval by a particular site. Theoretically, this storage is to simplify things for individual users so that their preferences and personal information do not necessarily have to be re-entered upon return access.
6. A computer's DNS (Domain Name System) entry is based on a group of computers on a common network defined by a commonality of Internet Protocol (IP) addresses. These networks are governed by common rules and procedures and are treated as a unit.
7. Peer-to-peer networking (P2P) is a system whereby individual personal computers are connected to one another, allowing each participant to serve as either a client or a server. This varies from traditional systems in which some computers were solely and entirely dedicated as servers. Such engineering allows individual users to search for a particular type of file or information on any other system associated with the network.
8. Cloud computing may be defined as a system in which a set of services, technologies and often virtualized resources enable the delivery of computing as a service as opposed to a product. In such systems, users may access shared resources, software and information over a network or virtual server.

A BRIEF HISTORY OF THE INTERNET
 In the beginning there was no Internet. The original concept of an Internet did not include commerce, global connectivity or public usage.
 The initial conceptualization of such actually derived from the government suspicion and social hysteria that permeated Cold War America in the 1960s. The threat of nuclear war and mass destruction was such that government entities focused on developing
electronic communication systems that would remain viable even if large portions were somehow destroyed.
 The beginning was a project of the Advanced Research Projects Agency Network (ARPANET), sponsored in 1969 by the Department of Defense. Primarily designed to overcome threats from a blackout of communication in the event of a nuclear war, this computer network linked four universities (UCLA, Stanford, UC Santa Barbara and the University of Utah) and was intended to facilitate communications between computers over phone lines regardless of system characteristics.
 Initially used by researchers, engineers, computer experts and the like, the system proved to be rather cumbersome (and complicated). Interactive sessions were not possible. Rather, the method of communication required users to post suggestions in papers titled "Requests for Comments" (RFCs) and await responses or amendments to their documents.
 The first RFC (RFC0001) was written on April 7, 1969, the closest thing to a "start date" for the Internet. There are now well over 2000 RFCs, describing every aspect of how the Internet functions.
 ARPANet was opened to non-military users later in the 1970s, and early takers were the big universities, although at this stage it resembled nothing like the Internet we know today.
 International connections (i.e., outside America) started in 1972, but the "Internet" was still just a way for computers to talk to each other and for research into networking; there was no World Wide Web (WWW) and no e-mail.
 By the mid-1980s, this network was further expanded with the introduction of the NSFNet, established under the National Science Foundation by a small group of supercomputer research centers and researchers at remote academic and governmental institutions. This network was highly supported by the government, which encouraged researchers and institutions to avail themselves of this communication tool.
 Innovations in software, coupled with (and often facilitated by) government grants, created a more user-friendly cyber-world.
 By the mid-1980s, the Commercial Internet Xchange (CIX) had emerged, and mid-level networks were leasing data circuits from phone companies and subleasing them to institutions.
 Eventually, this small network had expanded into networks of networks, until the contemporary phenomenon known as the Internet emerged. During this period, the services we use most now started appearing on the Internet. In fact, the concept of "domain names" (e.g. www.microsoft.com) was first introduced in 1984. Prior to this introduction, computers were simply accessed by their IP addresses (numbers).
 Most protocols for e-mail and other services appeared after this. The part of the Internet most people are probably most familiar with is the World Wide Web. This is a collection of hyperlinked pages of information distributed over the Internet via a network protocol called the Hypertext Transfer Protocol (HTTP). It was invented in 1989 by Tim Berners-Lee, a physicist working at CERN, the European Particle Physics Laboratory, who created the Web so that physicists could share information about their research.
 Thus, the Web was introduced as a restricted means of communication between scientists. Although it was originally a text-only medium, graphics were soon introduced with a browser called NCSA Mosaic. Both Microsoft's Internet Explorer and Netscape were originally based on NCSA Mosaic. This graphical interface opened up the Internet to novice users, and in 1993 its use exploded as people were allowed to "dial in" to the Internet using their computers at home and a modem to ring up an Internet service provider (ISP) to get their connection to this network.

REALMS OF THE CYBERWORLD
 Basically there are three different levels of networked systems: intranets, internets and the Internet.
1. Intranets – are small local networks connecting computers which are within one organization and which are controlled by a common system administrator.
2. internets – connect several networks and are distinguished in the literature by a lower case i (i.e., "internet" as opposed to "Internet"). These networks are usually located in a small geographic area and share a common protocol (usually TCP/IP).
3. Internet – is the largest network in the world, an international connection of all types and sizes of computer systems and networks. It is a system of small networks of computers linked with other networks via routers and software protocols. This TCP/IP-based network links tens of millions of users, across more than 45,000 networks, in countries spanning the globe.
 The Internet has become the backbone for global communications and transnational capitalism. For the most part, this explosion may be attributed to advances in, and accessibility to, inexpensive and efficient connection methods.
 During the Internet's infancy, users could connect only via standardized modems and telephone lines. Early service providers initially charged users for the period of time they spent on the Internet.
 As connection speeds via modems were notoriously slow, individuals racked up substantial charges. This expense was compounded for users who connected via long-distance numbers.
 As a result, telephone companies became victimized by criminals (i.e., phreakers) seeking to avoid such charges. As competition increased with the birth of the "Baby Bells", the cost to consumers began to decline.
 Connections made via modem are known as dial-up connections. Such connections were originally categorized by the transfer rate of data using an older measure of bandwidth known as baud. Initially, a transfer rate of 300 baud was not uncommon. Such rates quickly evolved as market demand increased, and 1200, 2400, 4800 and 9600 baud became the standard. As these modem bandwidth rates grew, a new designation of transfer speed was developed. Currently, data transfer rates are categorized as kilobits per second (Kbps) or megabits per second (Mbps).
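As an added example (not from the original notes) for the NETWORK LANGUAGE terms above, in particular item 4 (packets are distinguished as headers and data) and the routers' habit of reading destination addresses: the following builds a constructed IPv4/TCP packet, splits it back into IP header, TCP header and data, and checks the IPv4 header checksum the way a network forensics tool would before trusting the fields. The addresses come from the documentation ranges and the payload is made up; nothing here is from a real capture.

```python
"""Split a constructed IPv4/TCP packet into headers and data and verify the
IPv4 header checksum. Added example; addresses, ports and payload are
constructed (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges)."""
import socket
import struct

IP_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
TCP_FMT = "!HHIIBBHHH"     # 20-byte TCP header without options


def ip_checksum(header: bytes) -> int:
    """Internet checksum (RFC 1071): one's complement of the one's-complement
    sum of the 16-bit words. Over a header that already carries its checksum
    the result is 0 when the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(int.from_bytes(header[i:i + 2], "big") for i in range(0, len(header), 2))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src_ip, dst_ip, sport, dport, flags, payload):
    """Assemble IPv4 header + TCP header + payload. The TCP checksum is left 0
    for brevity; the IPv4 checksum is computed properly."""
    tcp = struct.pack(TCP_FMT, sport, dport, 1000, 2000, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    fields = [0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,      # ver/IHL .. checksum=0
              socket.inet_aton(src_ip), socket.inet_aton(dst_ip)]
    fields[7] = ip_checksum(struct.pack(IP_FMT, *fields))
    return struct.pack(IP_FMT, *fields) + tcp + payload


def parse_packet(packet):
    """Return the header fields an investigator looks at first, plus the data."""
    ihl = (packet[0] & 0x0F) * 4                       # header length in bytes
    ip_hdr = packet[:ihl]
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IP_FMT, ip_hdr[:20])
    result = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
              "ttl": ttl, "protocol": proto, "checksum_ok": ip_checksum(ip_hdr) == 0}
    if proto == 6:                                     # TCP
        sport, dport, seq, ack, off, flags, _, _, _ = struct.unpack(TCP_FMT, packet[ihl:ihl + 20])
        data_off = (off >> 4) * 4
        result.update({"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                       "flags": flags, "data": packet[ihl + data_off:total_len]})
    return result


if __name__ == "__main__":
    pkt = build_packet("192.0.2.10", "198.51.100.20", 40000, 80, 0x18, b"GET / HTTP/1.1\r\n")
    print(parse_packet(pkt))
```

A router only needs the destination address from the IP header to forward the packet; an investigator reconstructing a session needs the TCP ports, sequence numbers and the data as well, which is why the parser keeps all three parts separate. A failed checksum is the first sign that a captured header has been corrupted or altered.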
3.4 RECOGNIZING AND DEFINING CYBER CRIME

RECOGNIZING CYBER CRIME
 Recognizing cybercrime is a major problem and challenge for many organizations. This is because not all cyber breaches are destructive in nature.
 Many companies are not proactively looking for cyber breaches, and only when they detect 'smoke' do they realize the company has experienced a cyber-breach.
 Many cyber-attacks are far less conspicuous in their destruction, so the companies do not see any smoke at all. Therefore they assume that everything is fine and nothing is at risk.
 However, cyber criminals are already on the network, waiting, watching, stealing data and committing financial fraud, typically using the credentials and accounts of a trusted insider.
 So, companies can recognize and combat cybercrime and improve their cyber hygiene by following these steps:
1. Education and cyber security awareness
2. Collect security logs for suspicious or abnormal activities
3. Keep systems and applications patched and up to date
4. Use strong passwords and keep privileged accounts protected
5. Do not allow users to install / execute unapproved or untrusted applications
6. Be deceptive and unpredictable

1. Education and Cyber Security Awareness
 This is one of the most effective cyber security countermeasures and an instant win. Educating employees on what to look for will increase the company's ability to recognize cybercrime early and in many cases prevent cybercrime.
 Educate employees to avoid and prevent suspicious activity on their computers:
a. Detect suspicious applications running, popups, warning messages, etc.
b. Flag suspicious emails
c. Be vigilant when browsing websites
d. Stop and think before clicking on links or ads
e. Ensure websites are trustworthy before entering credentials
f. Limit activities when using public insecure Wi-Fi networks, or use a VPN
2. Collect Security Logs for Suspicious or Abnormal Activities
 An important activity and best practice for companies is to make sure security logs are being collected and analyzed for suspicious activities.
 In many situations, looking at security logs will likely identify abnormal actions.
 Collecting security logs can help:
o to detect cyber-criminal activities,
o to determine the root cause and help with future prevention measures.

3. Keep Systems and Applications Patched and Up to Date
 Keeping systems and applications up to date and applying the latest security patches will keep most hackers and cyber criminals from gaining access to systems by using known exploits and vulnerabilities.
 This is not a foolproof countermeasure, but it will make a successful breach more difficult for cyber criminals.

4. Use Strong Passwords and Keep Privileged Accounts Protected
 When choosing a password, make it a strong password, unique to that account, and change it often.
 The average age of a social media password today is years, and social media does not do a great job of alerting you to how old your password is, how weak it is, and when it is a good time to change it.
 It is your responsibility to protect your account, so protect it wisely. If you have many accounts and passwords, use an enterprise password and privileged account vault to make it easier to manage and secure them. Never use the same password multiple times.

5. Do Not Allow Users to Install / Execute Unapproved or Untrusted Applications
 Providing users with privileged access, meaning that the user has the ability to install and execute applications as they wish, can pose a major risk, allowing ransomware or malware to infect and propagate into the organization. It also allows an attacker to install tools enabling them to easily return whenever they wish.
 When a user with a privileged account is reading emails, opening documents, browsing the Internet and clicking on numerous links, or when they simply plug a USB device into the system, they can unknowingly install infectious or malicious tools.
 This enables an attacker to quickly gain access and begin the attack from within the perimeter or, in the worst-case scenario, encrypt the system and sensitive data and then request a financial payment in return for unlocking them.
 Organizations must implement security controls that prevent any application or tool from being installed onto the system, by using application whitelisting, blacklisting, dynamic listing, real-time privilege elevation, and application reputation and intelligence.
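As an added example (not from the original notes) for items 2 and 5 above, the following reviews a handful of constructed security log lines for two of the signals those items describe: a burst of failed logons from one source address, and execution of a program whose hash is not on an approved list (the whitelisting control item 5 calls for). The log format, host names, addresses and hashes are all made up for the demonstration.

```python
"""Review constructed security log lines for a failed-logon burst and for
execution of an application outside the approved list. Added example; the
log format, hosts, addresses and hashes are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simple "timestamp host process: message" form.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z ws01 sshd: Failed password for admin from 203.0.113.5
2024-03-01T09:00:03Z ws01 sshd: Failed password for admin from 203.0.113.5
2024-03-01T09:00:05Z ws01 sshd: Failed password for root from 203.0.113.5
2024-03-01T09:00:07Z ws01 sshd: Failed password for admin from 203.0.113.5
2024-03-01T09:00:09Z ws01 sshd: Failed password for admin from 203.0.113.5
2024-03-01T09:00:11Z ws01 sshd: Accepted password for admin from 203.0.113.5
2024-03-01T09:02:00Z ws02 sshd: Failed password for alice from 198.51.100.7
2024-03-01T09:30:00Z ws02 appctl: Executed C:\\Program Files\\Office\\word.exe sha256=aaaa1111
2024-03-01T09:31:00Z ws02 appctl: Executed C:\\Users\\alice\\Downloads\\invoice.exe sha256=beef0000
"""

# Constructed allow-list: the only application hashes approved to run.
APPROVED_HASHES = {"aaaa1111", "bbbb2222"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")
EXEC_RE = re.compile(r"Executed (.+) sha256=(\w+)")


def parse_line(line):
    """Split one log line into its fields; None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, proc, msg = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "proc": proc, "msg": msg}


def detect_failed_logon_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Alert once when a source reaches `threshold` failed logons inside `window`."""
    alerts = []
    recent_by_src = defaultdict(list)
    for ev in events:
        m = FAILED_RE.search(ev["msg"])
        if not m:
            continue
        src = m.group(2)
        recent = [t for t in recent_by_src[src] if ev["ts"] - t <= window] + [ev["ts"]]
        recent_by_src[src] = recent
        if len(recent) == threshold:          # fires only as the threshold is crossed
            alerts.append({"type": "failed_logon_burst", "host": ev["host"], "source": src,
                           "count": len(recent), "first": recent[0], "last": ev["ts"]})
    return alerts


def detect_unapproved_executions(events, approved=APPROVED_HASHES):
    """Alert on every executed binary whose hash is not on the approved list."""
    alerts = []
    for ev in events:
        m = EXEC_RE.search(ev["msg"])
        if m and m.group(2) not in approved:
            alerts.append({"type": "unapproved_execution", "host": ev["host"],
                           "path": m.group(1), "sha256": m.group(2), "at": ev["ts"]})
    return alerts


def review_log(text):
    events = [e for e in (parse_line(line) for line in text.splitlines()) if e]
    return detect_failed_logon_bursts(events) + detect_unapproved_executions(events)


if __name__ == "__main__":
    for alert in review_log(SAMPLE_LOG):
        print(alert)
```

On the sample the burst rule fires once, for 203.0.113.5 (five failures in nine seconds, followed by a success that deserves a closer look), and the allow-list rule flags the unknown invoice.exe while the approved word.exe passes. The single failure from 198.51.100.7 stays below the threshold, which is the point of thresholds and time windows: a real review tunes both against the organisation's normal logon noise.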
6. Be Deceptive and Unpredictable
 It is crucial to be deceptive and unpredictable. Most organizations look to automation to help assist in their cyber security defenses, but in many cases this lends itself to predictability: scans are run at the same time every week, patches take place once per month, assessments once per quarter or per year.
 Companies that are predictable are vulnerable, so they should establish a mindset in which systems are updated and assessed on an ad-hoc basis. Randomize your activity.

COMPUTER AS THE TARGET
 Crimes in which the computer is the target include offenses such as theft of intellectual property, theft of marketing information (e.g., customer lists, pricing data or marketing plans), or blackmail based on information gained from computerized files (e.g., medical information, personal history or sexual preference).
 These crimes could also entail sabotage of intellectual property, marketing, pricing or personnel data, or sabotage of operating systems and programs with the intent to impede a business or create chaos in a business's operations.
 Unlawful access to criminal justice and other government records is another crime that targets the computer directly.
 This crime covers changing a criminal history; modifying want and warrant information; creating a driver's license, passport or other document for identification purposes; changing tax records; or gaining access to intelligence files.
 In essence, the offences covering this conduct seek to address:
1. The gaining of unauthorized access to a computer or computer system;
2. Causing unauthorized damage or impairment to computer data or the operation of a computer or computer system; or
3. The unauthorized interception of computer data.
 Such conduct ranges from the technically sophisticated to the decidedly low-tech. While the sophisticated hacker is a very real threat, some surveys indicate that insiders are often just as likely as outsiders to be the source of cyber-attacks.
 The key forms of conduct which potentially fall within this class of offence can be grouped into categories. At the outset it must be acknowledged that these categories are neither mutually exclusive nor fixed.
 One of the great challenges of drafting cybercrime laws is ensuring that they can adapt to a broad range of overlapping and constantly evolving threats.
 Nonetheless, the three main categories of conduct are:
1. Unauthorized access to computers or computer systems;
2. Malicious software; and
3. DoS attacks.
CONTAMINANTS AND DESTRUCTION OF DATA

(i) DATA CONTAMINATION
 The alteration, maliciously or accidentally, of data in a computer system is known as data contamination.
 A contamination can occur when classified information is found on a computer or information system where either it is not accredited for classified information or it is not supposed to be there.
 This may have happened:
1. By accident
2. By transmission of insecure data
3. Because the information was changed to a different classification rating
4. Because users did not follow protocol and transferred information through insecure methods such as floppy disks or thumb drives
 Contamination of a computer can also occur when malware infiltrates it. An anti-virus tool should be enabled to remove an active virus from a system.

(ii) DESTRUCTION OF DATA
 Data destruction is the process of destroying data stored on tapes, hard disks and other forms of electronic media so that it is completely unreadable and cannot be accessed or used for unauthorized purposes.
 When data is deleted, it is no longer readily accessible by the operating system or application that created it.
 The different forms of data destruction: Fortunately, there are several different ways to destroy data. Unfortunately, none of these methods is perfect, nor can any one particular method promise complete success. But knowing the available methods will help to choose the one that is right for the business.
1. Delete/Reformat
2. Wipe
3. Overwriting data
4. Erasure
5. Degaussing
6. Physical destruction (drill/band/crush/hammer)
7. Electronic shredding
8. Solid state shredding

1. Delete/Reformat
 Deleting a file from an electronic device may remove it from a file folder but does not actually destroy the data. The data remains on the hard drive or the memory chip of the device.
 The same is true when you try to destroy data by reformatting the disk. This does not wipe the data away either. It is very easy for almost anyone to recover data from a disk that has only been reformatted, as many tools exist on the Internet that allow an individual to do so.
 Using methods of this kind is a rather lazy, unimaginative and not very productive way to attempt data destruction.

2. Wipe
 Data wiping involves overwriting data on an electronic medium so that this data can no longer be read.
 Data wiping is normally accomplished by physically connecting the media to a bulk wiping device. It can also be accomplished internally by starting a PC from a network or CD.
 As a process, it allows you to reuse any media wiped in this way without losing storage capacity. Data wiping can take a very long time, sometimes an entire day for just one device.
 Data wiping may be useful for an individual, but it is impractical for a business owner who has several devices that need wiping.

3. Overwriting Data
 Overwriting data is a form of data wiping. When data on an electronic device is overwritten, a pattern of ones and zeros is written over the existing data. The pattern does not need to be random; set patterns can also be used.
 In most cases overwriting once will accomplish the task. But if the medium is a high-security one, it may require multiple passes. This ensures that all data is completely destroyed and no bit shadows can be detected.
 A bit shadow is a remnant of information that has been overwritten but can still be detected using an electron microscope.
 Overwriting can take a lot of time and only works when the medium being overwritten has not been damaged and can still have data written to it. It also does not offer any security protection during the overwriting process.

4. Erasure
 Erasure is another term for overwriting. Erasure should be complete and destroy all data stored on a hard drive, and deliver a certificate of destruction showing that the data on an electronic device has been successfully erased.
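As an added example (not from the original notes) of items 2 to 4 above (wipe, overwriting, erasure): the following overwrites a constructed file in place with fixed and random patterns, verifies the final pass, deletes the file and returns a small record of what was done, the kind of evidence a "certificate of destruction" summarizes. The caveat a practitioner should keep in mind is that in-place overwriting only reaches the blocks the file system actually rewrites; SSD wear levelling, copy-on-write file systems and snapshots can retain earlier copies, which is why the notes also list degaussing and physical destruction for media that leave the organization.

```python
"""Overwrite a file in place with several patterns, verify the last pass, then
delete it. Added example; the target file and its contents are constructed."""
import os
import secrets
import tempfile

# Pattern sequence for the passes; None means a pass of random bytes.
# The final pass is a fixed pattern so that it can be verified by reading back.
DEFAULT_PASSES = (b"\x00", b"\xff", None, b"\x00")


def overwrite_file(path, passes=DEFAULT_PASSES, chunk_size=1 << 16):
    """Write every pass over the whole file, fsync'ing after each so the data
    is handed to the device rather than left in the page cache.
    Returns the number of passes written."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return len(passes)


def verify_pass(path, pattern):
    """True if every byte of the file equals the given one-byte pattern."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(1 << 16)
            if not chunk:
                return True
            if chunk != pattern * len(chunk):
                return False


def wipe_and_delete(path, passes=DEFAULT_PASSES):
    """Overwrite, verify the final fixed pass, then unlink. Returns a record
    of what was done, suitable for a destruction report."""
    size = os.path.getsize(path)
    count = overwrite_file(path, passes)
    verified = passes[-1] is not None and verify_pass(path, passes[-1])
    os.remove(path)
    return {"path": path, "bytes": size, "passes": count,
            "verified": verified, "still_exists": os.path.exists(path)}


def demo(workdir):
    """Wipe a constructed sample file; the card number is a well-known test value."""
    target = os.path.join(workdir, "customer-list.csv")
    with open(target, "wb") as f:
        f.write(b"name,card_number\nAlice,4111111111111111\n" * 2000)
    return wipe_and_delete(target)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(demo(d))
```

The verification step is what separates "erasure" from a bare overwrite: the record says how many bytes were covered, how many passes ran and that the last pass read back as written. For whole drives the same logic applies to the block device rather than a file, and the report should name the device serial and the tool version alongside these figures.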
 Erasure is a great idea for businesses that have purchased equipment off-lease, such as desktops, enterprise data centers and laptops, or if you desire to reuse hard drives or redeploy them for storage of different materials. 5. Degaussing  Degaussing destroys computer data using a high-powered magnet which disrupts the magnetic field of an electronic medium. The disruption of the magnetic field destroys the data.
  • 30. AITD / COMP 8.2 Networks Security 6  Degaussing can effectively and quickly destroy the data in a device storing a large amount of information.  However, it has two major disadvantages. 1. When you degauss a piece of electronic equipment, you render its hard drive inoperable. Degaussing destroys the interconnect equipment of the hard drive. This is not the method to choose if you want to reuse an electronic digital device like a laptop, computer or mobile phone. 2. No way of knowing if all the data has been destroyed. The only method to verify data destruction, in this case, is to use an electron microscope. But unless you are destroying high-security information, checking this way is expensive and impractical. 6. Physical Destruction  Interestingly enough, physical destruction is also an efficient way for organizations and businesses of all sizes to destroy data. One of physical destruction’s best features is that it will give an organization the highest probability that data has been destroyed.  However, it can be costly, and since it involves the destruction of electronic media, there is a high capital cost as well. It can also cause a problem if an organization has a green and sustainable program for recycling old electronic media.  Degaussing is a form of physical destruction. Incineration is as well, although isn’t common because it requires destruction to occur away from human habitats and creates a chain of custody risk. 7. Shredding  Shredding may be the most secure and cost-effective way to destroy electronic data in any media that contain hard drives or solid state drives and have reached their end-of- life.  It’s also very effective for optical drives, smartphones, tablets, motherboards, thumb drives and credit card swipe devices, to name a few.  Shredding is a great way to destroy data if you have a large data enterprise center or a large stockpile of old hard drives and media that you want to destroy. 
 It’s very secure, fast and efficient.  Shredding reduces electronic devices to pieces no larger than 2 millimeters.  If you work in a high-security environment with high-security data, shredding should be your number one choice as it guarantees that all data is obliterated.
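The contrast between a reformat and a verified overwrite, as an added illustration that is not part of the original slides: it builds a toy 32 KiB disk image in memory (one "directory" sector plus payload sectors, a constructed layout rather than any real file system and constructed sample content), shows that a quick format rewrites only the directory so the file body can still be carved out of the raw sectors, then overwrites every sector and reads it back. The `unreachable` parameter is an assumption used to simulate sectors a host-side overwrite never reaches (remapped bad blocks, SSD over-provisioning); the read-back verification is what exposes them.

```python
import os

SECTOR = 512
SECTORS = 64                       # 32 KiB toy image
DIR_SECTOR = 0                     # the "directory" the OS consults
FILE_START, FILE_LEN = 8, 3        # where the toy file system placed the file
SECRET = b"ACME-Q3-ACQUISITION"    # constructed sample content, not real data


def make_disk(secret: bytes = SECRET) -> bytearray:
    """Build the toy image: random leftover data everywhere, a directory
    entry in sector 0 and a file body in sectors 8-10."""
    disk = bytearray(os.urandom(SECTOR * SECTORS))
    entry = f"FILE notes.txt start={FILE_START} len={FILE_LEN}\n".encode()
    disk[DIR_SECTOR * SECTOR:(DIR_SECTOR + 1) * SECTOR] = entry.ljust(SECTOR, b"\x00")
    body = (b"Board minutes: " + secret + b"\n").ljust(FILE_LEN * SECTOR, b"\x00")
    disk[FILE_START * SECTOR:(FILE_START + FILE_LEN) * SECTOR] = body
    return disk


def list_files(disk: bytearray) -> list:
    """What the operating system shows: it reads only the directory sector."""
    raw = bytes(disk[DIR_SECTOR * SECTOR:(DIR_SECTOR + 1) * SECTOR]).rstrip(b"\x00")
    return [line.split()[1] for line in raw.decode(errors="replace").splitlines()
            if line.startswith("FILE ")]


def quick_format(disk: bytearray) -> None:
    """A (quick) reformat rewrites the metadata only; payload sectors are untouched."""
    disk[DIR_SECTOR * SECTOR:(DIR_SECTOR + 1) * SECTOR] = b"\x00" * SECTOR


def carve(disk: bytearray, needle: bytes):
    """File carving: scan the raw sectors for known content, ignoring the
    directory. Returns the sector number of the first hit, or None."""
    pos = bytes(disk).find(needle)
    return None if pos < 0 else pos // SECTOR


def overwrite(disk: bytearray, passes=(None, b"\x00"), unreachable=frozenset()) -> None:
    """Wipe: write each pass over every host-addressable sector.
    None means a random pass; the default is one random pass, then zeros.
    `unreachable` (an assumption for this demo) simulates sectors the host's
    writes never reach, e.g. remapped bad blocks or SSD over-provisioning."""
    for pattern in passes:
        for s in range(SECTORS):
            if s in unreachable:
                continue
            data = os.urandom(SECTOR) if pattern is None else pattern * SECTOR
            disk[s * SECTOR:(s + 1) * SECTOR] = data


def verify(disk: bytearray, final_pattern: bytes = b"\x00") -> list:
    """Read back every sector and return those that do not hold the final
    pattern. An empty list is the evidence a certificate of erasure rests on."""
    want = final_pattern * SECTOR
    return [s for s in range(SECTORS) if disk[s * SECTOR:(s + 1) * SECTOR] != want]


def demo() -> dict:
    disk = make_disk()
    quick_format(disk)
    after_format = {"listed": list_files(disk), "carved_at": carve(disk, SECRET)}

    overwrite(disk)
    after_wipe = {"bad_sectors": verify(disk), "carved_at": carve(disk, SECRET)}

    disk2 = make_disk()
    overwrite(disk2, unreachable={FILE_START})   # one sector the wipe could not reach
    partial = {"bad_sectors": verify(disk2), "carved_at": carve(disk2, SECRET)}
    return {"after_format": after_format, "after_wipe": after_wipe,
            "unreachable_sector": partial}


if __name__ == "__main__":
    for stage, result in demo().items():
        print(f"{stage:>18}: {result}")
```

After the quick format the directory is empty but the body is still found in sector 8; after the full overwrite the verification read returns no bad sectors and nothing can be carved; when one sector is unreachable the verification read reports it and the carve still succeeds. On real hardware the same read-back is what an erasure tool's verification step performs, and for flash media a host-side overwrite like this one is not sufficient: the drive's built-in sanitise command must be used instead.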
3.5 Indian IT Act 2000

Cyber law
• Cyber law is the body of law that governs cyberspace, protects against cybercrimes and lays down punishments for their commission.
• It is a general term for the legal jurisdiction over, and regulation of, the various aspects of the internet and computer security.
• In India, cyber law is contained in the Information Technology Act, 2000.

Impact of Cybercrimes
1. Impact on the Economy
• People depend heavily on computers and the internet for money transfers and payments, so the risk of being subjected to online financial fraud is very high.
• Individuals are not the only ones to suffer: in some surveys, approximately 80% of the participating companies admitted to financial losses caused by cybercrime.
2. Leakage of Personal Information
• Social networking sites, however well secured, are an open window into a person's life, which can be dangerous.
• Attackers can also break into an account and collect whatever information they want. Spamming and phishing cause further harm.
3. Loss of Consumer Trust
• Financial losses and threats to personal information make consumers lose trust in such sites and apps.
• Even when the crime was committed by a third party, the site or app is branded fraudulent and unsafe.
• People become reluctant to start a transaction when asked for their card details.
• This damages the credibility of an e-business and consequently jeopardises potential business.
4. Threat to National Security
• The militaries of most countries now depend on advanced computer technology and networks.
• Information warfare is not new, but it now includes spreading malware that can crash networks and spread misinformation.
• Terrorists and cybercriminals also use these technologies to intrude into other countries' security networks and obtain information, and to send threats and warnings through computer systems.

Need for Cyber Law
• With the evolution of the internet, information technology and computers, the challenges posed by cybercrime have grown. Cyber law therefore reaches into every field of law in which a cybercrime can be committed: criminal law, contract, intellectual property law and tort.
• Cyber law deals with concerns such as free speech, safety, intellectual property rights, privacy, terrorism, e-commerce and the jurisdiction of cyber laws.
• With the growth in the number of internet users, the need for cyber laws and their enforcement has become urgent.
Cyber laws are needed because:
1. Consumers increasingly transact online through payment apps and sites because they are easy and efficient; the Government's 'Cashless India' initiative has also driven a high volume of online transactions.
2. Email, SMS, messaging apps and social networking sites have become the main modes of communication.
3. Companies depend heavily on their computer networks to keep their electronic data safe.
4. Most government forms are now filed electronically, for example Income Tax Returns, passport applications, PAN card applications and company-law forms.
5. Digital signatures and electronic authorisation are fast replacing conventional means of identification for transactions.
6. Computers and networks matter in non-cyber crimes as well: most data today is stored on computers and mobile phones, and evidence recovered from them helps investigate kidnapping, terrorist attacks, counterfeit currency, tax evasion and the like.
7. Cyber laws define the model of cyber society and protect cyber property.
8. Digital contracts are increasingly common; cyber law protects the rights arising under these legally enforceable contracts.

Scope of Cyber Law
The scope of cyber law is very wide, as it deals with the many challenges and threats posed by the internet and by developments in computer technology:
1. Dealing with computer hackers, spammers and those who spread malware and viruses.
2. Protecting the privacy of individuals and preventing fraud in money transactions.
3. Regulating and categorising contractual obligations related to the acquisition of software.
4. Protecting intellectual property rights, including copyright in computer programs and patent protection of software.
5. Dealing with purchases from other jurisdictions under e-commerce.
6. Regulating and dealing with trafficking in domain names.
7. Regulating the content and information available on the internet.
8. Protecting and regulating freedom of speech and expression and the right to information.

Cyber Law in India and the IT Act, 2000
• In India, cyber law is contained in the Information Technology Act, 2000.
• The main object of the Act is to give legal recognition to e-commerce and electronic records and to facilitate the electronic filing of records with the Government.
• It lays down rules on cybercrimes, electronic information and records, electronic authentication and digital signatures, and the liability of network service providers.
• The IT Act is based on the United Nations Model Law on Electronic Commerce, 1996 (the UNCITRAL Model Law), recommended by the UN General Assembly by a resolution dated 30 January 1997.
Indian cyber law covers these major aspects of cyberspace and cybercrime:
1. Electronic records are given legal recognition: anything written, shared or published electronically has legal validity.
2. Electronic contracts are recognised: an offer can be made and accepted electronically and results in a valid and binding contract.
3. Digital signatures and electronic authentication are recognised and legalised.
4. The Act covers almost all kinds of cybercrimes and provides punishment for them.
5. It also applies to persons of other nationalities, provided their offence involves a computer or network located in India.
Legal recognition of electronic publications, communications, signatures and authorisations means that they are valid and can be used in any legal proceeding.

Key provisions under the Indian IT Act 2000
(Sections 66B to 66F and 67A to 67C were inserted by the 2008 amendment; the penalties listed are those in force after that amendment.)

Section 65: Tampering with computer source documents
Offence: Knowingly or intentionally concealing, destroying or altering, or causing another to conceal, destroy or alter, any computer source code used for a computer, computer programme, computer system or computer network, when that source code is required by law to be kept or maintained.
Penalty: Imprisonment up to three years, or a fine up to ₹200,000, or both.

Section 66: Hacking with computer system
Offence: With the intent to cause, or knowing that one is likely to cause, wrongful loss or damage to the public or any person, destroying, deleting or altering any information residing in a computer resource, or diminishing its value or utility, or affecting it injuriously by any means.
Penalty: Imprisonment up to three years, or a fine up to ₹500,000, or both. (The original 2000 Act capped the fine at ₹200,000; the 2008 amendment raised it to ₹500,000.)

Section 66B: Receiving a stolen computer resource or communication device
Offence: Receiving or retaining a computer resource or communication device that is known, or reasonably believed, to be stolen.
Penalty: Imprisonment up to three years, or a fine up to ₹100,000, or both.

Section 66C: Identity theft (using the password or signature of another person)
Offence: Fraudulently or dishonestly using the password, electronic signature or any other unique identification feature of another person.
Penalty: Imprisonment up to three years and a fine up to ₹100,000.

Section 66D: Cheating by personation using a computer resource
Offence: Cheating someone by personation using a computer resource or communication device.
Penalty: Imprisonment up to three years and a fine up to ₹100,000.

Section 66E: Violation of privacy (publishing private images of others)
Offence: Intentionally capturing, publishing or transmitting an image of a person's private area without his or her consent or knowledge.
Penalty: Imprisonment up to three years, or a fine up to ₹200,000, or both.

Section 66F: Cyber terrorism
Offence: Denying authorised personnel access to a computer resource, accessing a protected system without authorisation, or introducing a contaminant into a system, with the intention of threatening the unity, integrity, sovereignty or security of India.
Penalty: Imprisonment for life.

Section 67: Publishing obscene information in electronic form
Offence: Publishing or transmitting, or causing to be published, in electronic form any material which is lascivious or appeals to the prurient interest, or whose effect is such as to tend to deprave and corrupt persons likely, having regard to all relevant circumstances, to read, see or hear it.
Penalty: On first conviction, imprisonment up to three years and a fine up to ₹500,000; on a subsequent conviction, imprisonment up to five years and a fine up to ₹1,000,000.

Section 67A: Publishing material containing sexually explicit acts
Offence: Publishing or transmitting material containing a sexually explicit act or conduct.
Penalty: On first conviction, imprisonment up to five years and a fine up to ₹1,000,000; on a subsequent conviction, imprisonment up to seven years and a fine up to ₹1,000,000.

Section 67B: Child pornography and online predation of children
Offence: Capturing, publishing or transmitting images of a child in a sexually explicit act or conduct, or inducing a child into a sexual act. A child is anyone under 18.
Penalty: On first conviction, imprisonment up to five years and a fine up to ₹1,000,000; on a subsequent conviction, imprisonment up to seven years and a fine up to ₹1,000,000.

Section 67C: Failure to preserve and retain records
Offence: A person deemed an intermediary (such as an ISP) must preserve and retain the prescribed information for the stipulated period; intentional failure is an offence.
Penalty: Imprisonment up to three years and a fine.

Section 68: Failure or refusal to comply with the Controller's orders
Offence: The Controller may, by order, direct a Certifying Authority or any of its employees to take specified measures, or to cease specified activities, where necessary to ensure compliance with the Act, rules or regulations. Intentionally or knowingly failing to comply with such an order is an offence.
Penalty: Imprisonment up to two years, or a fine up to ₹100,000, or both.

Section 69: Failure or refusal to assist with interception or decryption
Offence: Where the Controller is satisfied that it is necessary or expedient in the interest of the sovereignty or integrity of India, the security of the State, friendly relations with foreign States, public order, or preventing incitement to a cognizable offence, he may, for reasons recorded in writing, direct a Government agency to intercept or decrypt information transmitted through a computer resource. The subscriber or person in charge of the resource must provide all facilities and technical assistance; failure to do so is the offence.
Penalty: Imprisonment up to seven years and a fine.

Section 70: Unauthorised access to a protected system
Offence: The appropriate Government may, by notification in the Official Gazette, declare any computer, computer system or computer network to be a protected system and may, by order in writing, authorise the persons who may access it. Securing access, or attempting to secure access, to a protected system without such authorisation is an offence.
Penalty: Imprisonment up to ten years and a fine.

Section 71: Misrepresentation
Offence: Making any misrepresentation to, or suppressing any material fact from, the Controller or a Certifying Authority in order to obtain a licence or a Digital Signature Certificate.
Penalty: Imprisonment up to two years, or/and
Information Technology (Amendment) Act, 2008
Several amendments were made to the IT Act, 2000 that improved certain provisions of the original Act. Among them:
1. The term 'digital signature' was replaced with 'electronic signature' to make the Act technology-neutral.
2. The term 'communication device' was defined: cell phones, personal digital assistants, a combination of both, or any other device used to communicate, send or transmit text, video, audio or images.
3. The term 'cyber cafe' was defined as any facility from which access to the internet is offered by any person, in the ordinary course of business, to members of the public.
4. New sections were added to address data protection and privacy, for example Section 43A (a body corporate that is negligent in protecting sensitive personal data must pay compensation) and Section 72A (disclosure of personal information in breach of a lawful contract). The offences of identity theft, cheating by personation, violation of privacy and cyber terrorism (Sections 66B to 66F) were also inserted by this amendment.

Pros and Cons of the Indian IT Act 2000
Pros of the IT Act, 2000
1. Before the IT Act, 2000, everyday means of communication such as emails and text messages were not recognised as a legal form of communication and were therefore not admissible as evidence in a court of law. The Act gave electronic records and communications legal recognition, and they are now admissible.
2. Companies can carry out e-commerce and e-business and promote online transactions commercially.
3. Digital signatures and authentication were legalised, which greatly assists online transactions because they help verify the identity of an individual on the internet.
4. The Act gives companies a statutory remedy if anyone hacks into their computer systems or networks and causes damage: it provides for monetary damages by way of compensation.
5. The Act defined, recognised and penalised various cybercrimes such as hacking, spamming, identity theft and phishing. Before it, cybercrimes were not covered by any legislation and there was no legal remedy for them.
6. The Act allows companies to issue digital certificates by becoming Certifying Authorities.
7. The Act allows the Government to issue notices over the internet through e-governance.

Cons of the IT Act, 2000
1. The IT Act, 2000 may give rise to conflicts of jurisdiction.
2. Electronic commerce is built on the domain-name system, yet the Act does not address domain names or the rights and liabilities of domain owners.
3. The Act does not provide for the protection of intellectual property rights, although copyright and patent issues are very common in relation to computer programs and networks.
4. The offences defined under the Act are not exhaustive. Technology, computer programs and networks keep changing, and the nature of cybercrime evolves with them; the Act does not cover crimes such as cyberstalking, cyber fraud, chat-room abuse, theft of internet hours and many more.
5. The Act does not address privacy and content regulation, which are necessary given the vulnerability the internet creates.
6. Lastly, the main issue with the Act is its implementation: it does not lay down any parameters for its implementation and regulation.