├── README.md
├── Lecture-23 Cyber Forensics - Data Extration.txt
├── Lecture-18 Cyber Forensics - Identification or Analysis of Encryptions.txt
├── Lecture-8 Digital Forensics - Write Blocking.txt
├── Lecture-4-5 System-Password-Cracking.txt
├── Lecture-12 Windows Registry Forensics - Wireless Evidence.txt
├── Lecture-6 Part 2 Linux-Digital-Evidence-To-Create-Image-File.txt
├── Lecture-1 Part 2 Cyber Forensics - Cyber Laws.txt
├── Lecture-1 Part 1 Introduction of Cyber Forensics.txt
├── Lecture-6 Part 1 Windows Digital Forensics - Disk Imaging.txt
├── Lecture-22 Cyber Forensics - Information-Gathering-Image-File.txt
├── Lecture-17 Cyber Forensics - Encryption Analysis.txt
├── Lecture-9 Cyber Forensics - File System.txt
├── Lecture-20 Email Investigation.txt
├── Lecture-15 Cyber Forensics - Firewall Handling.txt
├── Lecture-13 Cyber Forensics - Denial Of Service Investigation.txt
├── Lecture-3 Computer Forensics - Investigation Technique.txt
└── Lecture-2 Computer Forensics - Investigation Methods.txt

/README.md:
--------------------------------------------------------------------------------
# CHFI
CHFI - Cyber Forensics Full Course Content

--------------------------------------------------------------------------------
/Lecture-23 Cyber Forensics - Data Extration.txt:
--------------------------------------------------------------------------------

Foremost Forensic tool:-
------------------------

apt install foremost
Insert the pen drive into the system.
fdisk -l              ----- to check the pen drive
Copy the disk name.
foremost -h
foremost -t jpg,png -v -i <device> -o <output-dir>
foremost -t jpg,png -v -i /dev/sdb1 -o /root/Desktop/recover

--------------------------------------------------------------------------------
/Lecture-18 Cyber Forensics - Identification or Analysis of Encryptions.txt:
--------------------------------------------------------------------------------
Hash Identifier Online:-
------------------------
Link:- https://www.browserling.com/tools/all-hashes
Link:- https://www.tunnelsup.com/hash-analyzer/

Hash-identifier:-
-----------------
It is a simple command-line (CLI) tool. It helps to identify the different types of hashes used to protect data, and especially passwords.

Commands:-
----------
#hash-identifier

Hash: 8743b52063cd84097a65d1633f5c74f5
Type: MD5

Hash: b89eaac7e61417341b710b727768294d0e6a277b
Type: SHA-1

Hash: 7196759210defdc0
Type: MySQL323

Hash: 7ca8eaaaa15eaa4c038b4c47b9313e92da827c06940e69947f85bc0fbef3eb8fd254da220ad9e208b6b28f6bb9be31dd760f1fdb26112d83f87d96b416a4d258
Type: Whirlpool

Hash: a4bd99e1e0aba51814e81388badb23ecc560312c4324b2018ea76393ea1caca9
Type: SHA-256

List of all Hashes:-
--------------------
Link:- https://hashcat.net/wiki/doku.php?id=example_hashes

Algorithms of symmetric cryptography:-
--------------------------------------
Here we look at the algorithms available for symmetric encryption. Blowfish, AES, RC4, DES, RC5 and RC6 are common symmetric algorithms. The most widely used is AES, in its AES-128, AES-192 and AES-256 key sizes.
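The length-and-charset reasoning that hash-identifier applies to the samples above, written out as an added example for these notes (not hash-identifier's own code). The important caveat it makes visible: a bare 128-hex digest could equally be SHA-512 or Whirlpool, and a 32-hex one MD5, MD4 or NTLM, so a guess must be confirmed against the hashcat example_hashes list before it is relied on.

```python
"""Heuristic hash-type identifier in the spirit of hash-identifier.

Added example for these notes, not the hash-identifier tool's code.
Identification by length and character set is only a guess, so every
bare-hex length maps to an ordered list of candidates; self-describing
formats with a prefix ($2b$, $6$, *...) are unambiguous and checked first.
"""
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Candidates for bare hexadecimal digests, keyed by hex length.
HEX_CANDIDATES = {
    16: ["MySQL323", "Half MD5"],
    32: ["MD5", "MD4", "NTLM", "LM"],
    40: ["SHA-1", "RIPEMD-160", "MySQL4.1+ (without leading *)"],
    56: ["SHA-224"],
    64: ["SHA-256", "SHA3-256", "BLAKE2s"],
    96: ["SHA-384", "SHA3-384"],
    128: ["SHA-512", "Whirlpool", "SHA3-512", "BLAKE2b"],
}

# Formats that carry an identifying prefix or structure.
PREFIX_CANDIDATES = [
    (re.compile(r"^\$2[aby]\$\d{2}\$.{53}$"), "bcrypt"),
    (re.compile(r"^\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$"), "md5crypt"),
    (re.compile(r"^\$5\$(rounds=\d+\$)?[^$]{1,16}\$[./0-9A-Za-z]{43}$"), "sha256crypt"),
    (re.compile(r"^\$6\$(rounds=\d+\$)?[^$]{1,16}\$[./0-9A-Za-z]{86}$"), "sha512crypt"),
    (re.compile(r"^\*[0-9A-Fa-f]{40}$"), "MySQL4.1+/MySQL5"),
]


def identify_hash(candidate):
    """Return possible hash types for *candidate*, most likely first.

    An empty list means the string matches no known pattern.
    """
    value = candidate.strip()
    if not value:
        return []
    # Prefixed/structured formats are unambiguous, so check them first.
    for pattern, name in PREFIX_CANDIDATES:
        if pattern.match(value):
            return [name]
    if HEX_RE.match(value):
        return list(HEX_CANDIDATES.get(len(value), []))
    return []


def identify_many(candidates):
    """Identify a batch and return {hash: top guess or 'Unknown'}."""
    return {h: (identify_hash(h) or ["Unknown"])[0] for h in candidates}


if __name__ == "__main__":
    # The five sample hashes from the notes above.
    samples = [
        "8743b52063cd84097a65d1633f5c74f5",
        "b89eaac7e61417341b710b727768294d0e6a277b",
        "7196759210defdc0",
        "7ca8eaaaa15eaa4c038b4c47b9313e92da827c06940e69947f85bc0fbef3eb8f"
        "d254da220ad9e208b6b28f6bb9be31dd760f1fdb26112d83f87d96b416a4d258",
        "a4bd99e1e0aba51814e81388badb23ecc560312c4324b2018ea76393ea1caca9",
    ]
    for h, guess in identify_many(samples).items():
        print(f"{h[:16]}... -> {guess}  (all candidates: {identify_hash(h)})")
```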
Cracking of Hash:-
------------------
Link:- https://github.com/0x6470/bitwarden2hashcat

--------------------------------------------------------------------------------
/Lecture-8 Digital Forensics - Write Blocking.txt:
--------------------------------------------------------------------------------

#-------------------------------Digital Forensics - Write Blocking Technique------------------------------#

Tool Name:- WinHex

Write Blocking:-
----------------
Write blocking is the act of ensuring that the contents of an evidence drive cannot be modified during the scope of an investigation. It allows acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. Write blockers do this by allowing read commands to pass while blocking write commands, hence their name. This can be done in one of two ways: with hardware or with software write blockers.

Procedure:-
-----------
Once a disk image has been created, hashing and write blocking the image are the immediately pivotal steps to be taken in order to ensure the integrity of the evidence file. Write blocking has been built into several of the free software programs we have used or have available, including WinHex and DiskExplorer for NTFS. Alternatively, it is possible to do a form of write blocking by simply changing the status of the disk image file to read-only.

Ways to Write Block:-
---------------------
1. Write block a disk image file using WinHex
2. Write block a disk image file using file properties and read-only.

Using WinHex:-
--------------
Step 1:- Open the image file we created in WinHex
Step 2:- Go to Options and then to Edit Mode.
Step 3:- Select 'Read-only mode' and click OK

Using File Properties:-
-----------------------
Step 1:- Right-click on the image file and click Properties
Step 2:- Check the Read-only box and click Apply.

--------------------------------------------------------------------------------
/Lecture-4-5 System-Password-Cracking.txt:
--------------------------------------------------------------------------------

#-------------------------------------------System Password Cracking------------------------------------------#

1. OS Bypassing

==> Online Procedure ----- First crack the password, then get the files
==> Error Generation Method ----- Create a conflict when the system loads files from the boot manager
==> Offline Procedure ----- Bypass the OS and get the files without cracking the password

1. Windows --- Win7/Win8/Win10
2. Linux --- Kali/Ubuntu

1. Online Method
================
Used when you need to crack or bypass the password: change the OS login password while the system is up and you do not know the current password. It only works in the Windows Ultimate or Professional editions.
1. Right-click on "My Computer"
2. Click on "Manage"
3. Click on "Local Users and Groups" in the left pane
4. Click on "Users"
5. Choose the user whose password you want to change.
6. Right-click
7. Set Password

SETHC (Syskey Password):-
-------------------------
Command:-
#control userpasswords2

ren utilman.exe utilman.old
copy cmd.exe utilman.exe
exit

CTRL+P

Red Hat & CentOS Password Cracking:-
------------------------------------
https://trendoceans.com/how-to-reset-or-crack-the-password-in-centos-rhel/

Ubuntu Password Cracking:-
--------------------------
https://www.ubuntupit.com/how-to-reset-forgotten-root-password-in-ubuntu-linux/#:~:text=1%20Enter%20into%20Recovery%20Mode%20in%20Ubuntu%20Linux,...%203%20Recover%20Root%20Password%20in%20Ubuntu%20Linux

2. Offline Method
=================
This is the condition when the device is shut down and we cannot open the group editing policies.
SAM --> Security Account Manager
C:\Windows\System32\Config\SAM
Hiren's Boot CD
Kon-Boot CD
These are live bootable OSes. We use tools like Rufus to make the media bootable.
BIOS --> Basic Input Output System
Live OS ---> It replaces the BIOS of the computer or the device with the one which is in the bootable media.

--------------------------------------------------------------------------------
/Lecture-12 Windows Registry Forensics - Wireless Evidence.txt:
--------------------------------------------------------------------------------

#---------------------------------------Windows Registry Forensics-----------------------------------#

Registry:-
----------
Database of stored configuration information about the users, hardware and software on a Windows system.

Although the registry was designed to configure the system, in doing so it tracks a huge amount of information about the user's activities, the devices connected to the system, what software was used and when, etc. All of this can be useful for the forensic investigator in tracking the who, what, where and when of a forensic investigation. The key is just knowing where to look for it.

The registry or Windows registry is a database of information, settings, options and other values for software and hardware installed on all versions of Microsoft Windows operating systems. When a program is installed, a new subkey is created in the registry. This subkey contains settings specific to that program, such as its location, version and primary executable.

Note:-
------
As a forensic analyst, the registry can be the best place for evidence of what, where, when and how something occurred on the system.

Wireless Evidence:-
-------------------
A type of evidence showing which wireless AP the attacker was connected to.

Common Registry List:-
----------------------
HIVES:
Inside the registry, there are root folders. These root folders are referred to as hives.

Types of Registry Hives:-
-------------------------

--> HKEY_USERS: ------------------- Contains all the loaded user profiles
--> HKEY_CURRENT_USER: ------------ Profile of the currently logged-on user
--> HKEY_CLASSES_ROOT: ------------ Configuration information on the application used to open files
--> HKEY_CURRENT_CONFIG: ---------- Hardware profile of the system at startup
--> HKEY_LOCAL_MACHINE: ----------- Configuration information including hardware and software settings.

Steps:-
-------

1. Go to Search and search for "regedit.exe"
2. Press Enter, or click it.

Wireless Evidence of Registry:-
-------------------------------
The forensic investigator goes to the following location in Registry Editor to gather the wireless evidence from the system.
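Each profile subkey under the NetworkList\Profiles location given next holds the SSID in ProfileName and two REG_BINARY values, DateCreated and DateLastConnected, which are 16-byte Win32 SYSTEMTIME structures in local time rather than readable dates. Added example for these notes, not code from the course or from Microsoft: it decodes a constructed profile offline and, on a live Windows system, can enumerate the real key with winreg.

```python
r"""Decode the NetworkList\Profiles values that record Wi-Fi connections.

Added example for these notes, not Microsoft's or any tool's code. Each
profile subkey under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
NetworkList\Profiles stores ProfileName (the SSID), Description, Managed
and two REG_BINARY values, DateCreated and DateLastConnected, each a
16-byte Win32 SYSTEMTIME in local time: eight little-endian uint16
fields year, month, day-of-week, day, hour, minute, second, millisecond.
"""
import struct
from datetime import datetime

SYSTEMTIME = struct.Struct("<8H")  # 8 x uint16, little-endian


def decode_systemtime(blob):
    """Turn a 16-byte SYSTEMTIME blob into a naive local datetime."""
    if len(blob) != SYSTEMTIME.size:
        raise ValueError(f"SYSTEMTIME must be 16 bytes, got {len(blob)}")
    year, month, _dow, day, hour, minute, second, millis = SYSTEMTIME.unpack(blob)
    return datetime(year, month, day, hour, minute, second, millis * 1000)


def encode_systemtime(dt):
    """Inverse of decode_systemtime; used here only to build the sample blob."""
    dow = (dt.weekday() + 1) % 7  # SYSTEMTIME: Sunday = 0, Python: Monday = 0
    return SYSTEMTIME.pack(dt.year, dt.month, dow, dt.day, dt.hour,
                           dt.minute, dt.second, dt.microsecond // 1000)


def _date(values, name):
    blob = values.get(name)
    return decode_systemtime(blob).isoformat(sep=" ") if blob else None


def summarize_profile(values):
    """Summarise one Profiles\{GUID} subkey given its raw values.

    *values* maps value name -> raw registry data (str for REG_SZ,
    bytes for REG_BINARY, int for REG_DWORD), as winreg.QueryValueEx or
    an offline hive parser would return them.
    """
    return {
        "ssid": values.get("ProfileName"),
        "description": values.get("Description"),
        "managed": bool(values.get("Managed", 0)),
        "created": _date(values, "DateCreated"),
        "last_connected": _date(values, "DateLastConnected"),
    }


# Constructed sample: a profile as it might appear in an exported hive.
SAMPLE_PROFILE = {
    "ProfileName": "CoffeeShop_Guest",
    "Description": "CoffeeShop_Guest",
    "Managed": 0,
    "DateCreated": encode_systemtime(datetime(2023, 5, 14, 10, 30, 15, 250000)),
    "DateLastConnected": encode_systemtime(datetime(2023, 6, 2, 18, 5, 0)),
}


def list_live_profiles():
    """On a live Windows system, read every profile subkey via winreg."""
    import winreg  # only available on Windows
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles"
    out = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            guid = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, guid) as sub:
                vals = {}
                for j in range(winreg.QueryInfoKey(sub)[1]):
                    name, data, _type = winreg.EnumValue(sub, j)
                    vals[name] = data
                out.append({"guid": guid, **summarize_profile(vals)})
    return out


if __name__ == "__main__":
    print(summarize_profile(SAMPLE_PROFILE))
```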
Location:-
----------
--> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

Result:-
--------
Now we can say that the system was indeed connected to the AP.

Information that can be found in the registry:-
-----------------------------------------------
1. Users and the time they last used the system
2. Most recently used software
3. Any devices mounted to the system, including unique identifiers of flash drives, hard drives, phones, tablets, etc.
4. When the system connected to a specific wireless access point
5. What files were accessed and when
6. A list of any searches done on the system

--------------------------------------------------------------------------------
/Lecture-6 Part 2 Linux-Digital-Evidence-To-Create-Image-File.txt:
--------------------------------------------------------------------------------

#-----------------------------------------------Digital Evidence To Create Image File-----------------------------------------------#

DC3DD:- Department of Defense Cyber Crime Center (DC3) dd
Forensic Image Acquisition and Burning Tool

DC3DD Target:-
--------------
==> Copy a media device to an image file
==> Copy an image file to a storage device
==> Copy a device to another device
==> Split output into multiple files
==> Hash and verify image files

Check the disk name:-
---------------------
#fdisk -l

Create Image file:-
-------------------
dc3dd if=/dev/sdb1 of=backup.img

Here:-
if ==> input file
of ==> output file

Create Multiple Image files with log:-
--------------------------------------
#dc3dd if=/dev/sdb1 of=backup.img of=workcopy-001.img log=backup.txt

Burning the img file to another drive:-
---------------------------------------
#dc3dd if=backup.img of=/dev/sdb2

Backup main file into multiple numbered segments of img file:-
--------------------------------------------------------------
#dc3dd if=/dev/sdb1 ofs=backup.img.000 ofsz=25M
#ls -ls backup.img.0*

Backup main file into multiple char segments of img file:-
----------------------------------------------------------
#dc3dd if=/dev/sdb1 ofs=backup.img.aa ofsz=25M
#ls -ls backup.img.*

To produce multiple output files with segments:-
------------------------------------------------
#dc3dd if=/dev/sdb1 of=backup.img of=workcopy-001.img ofs=backup.img.aa ofsz=25M

Merge multiple output files into one output file via single img input:-
-----------------------------------------------------------------------
#cat backup.img.0* | dc3dd of=backup.img

Compute Hash Value:-
--------------------
#dc3dd if=/dev/sdb1 of=backup.img hash=md5 log=backup.txt hlog=backuphash

Note:- backuphash contains less data compared to the backup.txt file

Generate backup file via hash backup:-
--------------------------------------
#dc3dd if=/dev/sdb1 hof=backup.img hash=md5 log=backup.txt

#dc3dd if=/dev/sdb1 hof=sdb1.img hash=md5 log=evidencelog

Creating multi-part hash backup file:-
--------------------------------------
#dc3dd if=/dev/sdb1 hofs=backup.img.000 hash=md5 ofsz=25M log=backup.txt

Creating Multiple hash formats of the image file:-
--------------------------------------------------
#dc3dd if=/dev/sdb1 hof=backup.img hash=md5 hash=sha1 hash=sha256

Burning the img file to another drive with hash:-
-------------------------------------------------
#dc3dd if=backup.img hof=/dev/sdb2 hash=md5 log=backup.txt

Compare entire hash value of img file:-
---------------------------------------
#dc3dd if=backup.img fhod=/dev/sdb2 hash=md5 log=backup.txt

To remove all the sectors from the drive:-
------------------------------------------
dc3dd wipe=/dev/sdb1

Conclusion:-
------------
==> Acquiring and burning images from media devices
==> Making multiple, simultaneous copies
==> Splitting an acquired image into multiple files
==> Joining multiple image file parts into a single file
==> Hashing and block hashing acquired images
==> Verifying acquired image input matches output
==> Creating dc3dd operation log file

--------------------------------------------------------------------------------
/Lecture-1 Part 2 Cyber Forensics - Cyber Laws.txt:
--------------------------------------------------------------------------------

#--------------------------------------------------------------Cyber Laws----------------------------------------------------------#

The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is an Act of the Indian Parliament (No 21 of 2000) notified on 17 October 2000. It is the primary law in India dealing with cybercrime and electronic commerce.

Section-43
======== Damage to computer
Punishment:---- Imprisonment up to two years, and/or fine up to ₹100,000

Section-65
======== Tampering with computer source documents
Punishment:---- Imprisonment up to three years, and/or fine up to ₹200,000

Section-66
======== Hacking with computer system
Punishment:---- Imprisonment up to three years, and/or fine up to ₹500,000

Section-66A
========= Punishment for sending offensive messages through communication service.
Punishment:---- Imprisonment up to three years, and/or fine up to ₹100,000

Section-66B
========= Receiving stolen computer or communication device
Punishment:---- Imprisonment up to three years, and/or fine up to ₹100,000

Section-66C
========= Identity theft / Using the password of another person
Punishment:---- Imprisonment up to three years, and/or fine up to ₹100,000

Section-66D
========= Cheating using computer resource. (Phreakers)
Punishment:---- Imprisonment up to three years, and/or fine up to ₹100,000

Section-66E
========= Violation of privacy / Publishing private images of others
Punishment:---- Imprisonment up to three years, and/or fine up to ₹200,000

Section-66F
========= Acts of cyberterrorism
Punishment:---- Imprisonment up to life.

Section-67
========= Publishing information which is obscene in electronic form.
Punishment:---- Imprisonment up to five years, and/or fine up to ₹1,000,000

Section-67A
========= Publishing images containing sexual acts
Punishment:---- Imprisonment up to seven years, and/or fine up to ₹1,000,000

Section-67B
========= Publishing child porn or predating children online
Punishment:---- Imprisonment up to five years, and/or fine up to ₹1,000,000 on first conviction.
Punishment:---- Imprisonment up to seven years, and/or fine up to ₹1,000,000 on second conviction.

Section-67C
========= Failure to maintain records
Punishment:---- Imprisonment up to three years, and/or fine.

Section-68
========= Failure/refusal to comply with orders
Punishment:---- Imprisonment up to 2 years, and/or fine up to ₹100,000

Section-69
========= Failure/refusal to decrypt data
Punishment:---- Imprisonment up to seven years and possible fine.

Section-70
========= Securing access or attempting to secure access to a protected system
Punishment:---- Imprisonment up to ten years, and/or fine.

Section-71
========= Misrepresentation
Punishment:---- Imprisonment up to 2 years, and/or fine up to ₹100,000

Section-72
========= Breach of confidentiality and privacy
Punishment:---- Imprisonment up to 2 years, and/or fine up to ₹100,000

Section-72A
========= Disclosure of information in breach of lawful contract
Punishment:---- Imprisonment up to 3 years, and/or fine up to ₹500,000

Section-73
========= Publishing an electronic signature certificate false in certain particulars. Signature forgery
Punishment:---- Imprisonment up to 2 years, and/or fine up to ₹100,000

Section-74
========= Publication for fraudulent purpose
Punishment:---- Imprisonment up to 2 years, and/or fine up to ₹100,000

Reference Link:-
----------------
https://en.wikipedia.org/wiki/Information_Technology_Act,_2000#:~:text=The%20Information%20Technology%20Act%2C%202000,with%20cybercrime%20and%20electronic%20commerce.
--------------------------------------------------------------------------------
/Lecture-1 Part 1 Introduction of Cyber Forensics.txt:
--------------------------------------------------------------------------------

#-------------------------------------------------------Computer Forensics---------------------------------------------------------#

Computer forensics is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.

Objective:-
1. To track and prosecute the perpetrators of a cyber crime
2. To gather evidence of cyber crimes in a forensically sound manner
3. To estimate the potential impact of a malicious activity on the victim
4. To minimize the tangible and intangible losses to the organization
5. To protect the organization from similar incidents in future

#---------------------------------------------------------------####-------------------------------------------------------------------#

Cyber Crime:-
-------------

Cyber crime is defined as any illegal act involving a computing device, network, its systems, or its applications.

Performing any type of hacking using the internet or electronic devices.

Types Of Cyber Crime:-
----------------------
Cyber crime can be categorized into two types based on the line of attack.

1. Internal Attacks:- Breach of trust by disgruntled or unsatisfied employees within the organization
   Example:-
   1. Spying
   2. Theft of intellectual property
   3. Manipulation of records
   4. Trojan horse attack

2. External Attacks:- Attackers hired either by internal or external entities to destroy the organization's reputation
   Example:-
   1. SQL injection attack
   2. Brute force
   3. Identity theft
   4. Phishing/Spoofing
   5. Denial of Service attack
   6. Cyber defamation

Other Types of Cyber Crime:-
----------------------------
1. Computer Fraud
2. Privacy Violation ----- Exposing the data over the internet
3. Identity Theft ----- Stealing information from the system/network
4. Sharing Copyrighted files/information ----- Leaking the confidential files
5. Electronic Money Transfer ----- Net banking ----- Transaction procedure
6. Electronic Money Laundering ----- Converting black money to white
7. ATM Fraud ----- Cloning of ATM cards
8. DoS Attack ----- Denial of Service attack (router/server)
9. MITM Attack ----- Man-in-the-Middle attack (capturing packets on the transmission channel)
10. Spam ----- Fake mailing system
etc...

Cyber Bullying:-
https://www.youtube.com/watch?v=0Xo8N9qlJtk

#---------------------------------------------------------------####-------------------------------------------------------------------#

DATA | INFORMATION

Data : Raw facts
Information : Processed data or a collection of data

TYPES OF INFORMATION
====================

1. Confidential Information - Aadhaar cards, passwords, birth certificates, PAN cards etc.
2. Financial Information - Financial statements, bank details, login credentials for banking practices etc.
3. Health Information - Policies, diseases etc.
4. Personal Information - Address, phone numbers, DOBs etc.

#---------------------------------------------------------------####-------------------------------------------------------------------#

Cyber Terrorism
===============
Terrorists have found a new way of indulging in disruptive activities through digital space.

Cyber terrorism means damaging information, computer systems and data in a way that results in harm against non-combatant targets.

Cyberterrorism is the use of the Internet to conduct violent acts that result in, or threaten, loss of life or significant bodily harm, in order to achieve political or ideological gains through threat or intimidation.

Ways:- Email conversation
       Telephonic conversation
       Gaming platform.

CASE 26/11 ---> NATGRID formation

Whatsapp Group Attack:- https://www.youtube.com/watch?v=06WlzZl4jkk&bpctr=1566291253

Link:- https://duo.com/decipher/debunking-myths-do-terrorists-use-game-consoles-to-communicate-with-each-other

--------------------------------------------------------------------------------
/Lecture-6 Part 1 Windows Digital Forensics - Disk Imaging.txt:
--------------------------------------------------------------------------------

#-------------------------------Digital Forensics : Acquiring an Image--------------------------------#

Disk cloning and disk imaging are two processes that accomplish the same goal: they copy all of a hard drive's contents. Disk cloning creates a functional one-to-one copy of a hard drive, while disk imaging creates an archive of a hard drive that can be used to make a one-to-one copy.

Tool Name:- FTK IMAGER

Step 1:-
--------
--> Creating a disk image file of a target is the first step of any digital forensic investigation. In any investigation, analysis is not done on the original data storage device (target), but instead on the exact copy taken.
--> A disk image is defined as a computer file that contains the contents and structure of a data storage device such as a hard drive, CD drive, phone, tablet, RAM, or USB. The disk image consists of the actual contents of the data storage device, as well as the information necessary to replicate the structure and content layout of the device. This differs from a normal backup in that the integrity of the exact storage structure remains intact, which is pivotal in maintaining the integrity of a forensic investigation.
--> An image may be taken locally or remotely. In the case that a disk image is taken locally, the data storage target is physically available, such as a USB key or hard drive on an acquired machine. In the case of remote acquisition, the target storage device is not present (i.e. a computer in a suspect's office at their place of work).

Now we'll be making an image of a local drive using FTK Imager. FTK Imager is software created by the company AccessData for the purpose of creating both local and remote images. However, the free version only allows local imaging. This software can acquire images of locally available storage devices, such as USB, hard drives, CD drives, or even individual files.
We'll create an exact replica of a local drive (F: Source Drive) that will be used later in the scope of a digital forensic investigation.

Steps to launch FTK Imager:-
----------------------------
1. Launch FTK Imager by clicking on the 'AccessData FTK Imager' icon.

2. Click File and look over the various options for creating images. We'll be using the 'Create Disk Image' option. It's good to note that you can also capture memory, and image individual items.

3. Click 'Create Disk Image'. A window will appear. Select the correct drive type for the situation. In this case, we're imaging a logical drive. Note: it's possible to select individual folders and CD/DVD. Select Logical Drive and click Next.

Process Steps:-
---------------
--> Select the desired drive in the resulting 'Select Drive' window. In this case, the drive we wish to image is 'F: Source Drive'. Click Finish.

--> The 'Create Image' window will appear. Note that the appropriate Image Source has been selected. Click Add to select the image type and choose the Image Destination.

--> Select the desired image format. We'll be using dd. dd (disk dump) is the raw image file format. It's used not only in Windows, but also in Linux. Select 'Raw (dd)' and click Next.

--> Select the folder in which the image file will be placed (H: Destination Drive). Also, give the image file a specific name if desired. Click Finish.

--> Note that the image destination has been changed to H:. The disk image will be saved to the Destination Drive. Note: the disk image will be created in raw/dd. Make sure that 'Verify images after they are created' is checked; this will automatically create a hash for the image. The hash is used to verify that no changes have been made to the image file. Click Start to create the image file.

--> The image will be created. This may take some time depending on the file size.

--> Once the image has been completed, note that both an MD5 and a SHA1 hash have been created and verified. The hash is the fingerprint of the disk image. If the disk image is altered, the hash values will change. Keeping track of these hashes will allow you to continually verify the hash of the image file during your investigative process. Any other investigator should be able to replicate this hash; this maintains integrity in the eyes of the court.

--> Click on 'Image Summary' to view the following results pertaining to the image that has just been created. This information should verify what was entered in the creation process. It will also verify the created hashes. Also, for your reference, this information has been printed out into a text file in the location to which the image file was saved.

--> Note that the image file (Thanks test1) as well as the image summary file from above (Thanks test1.001.txt) have been saved onto the 'H: Destination Drive'. The .001 extension may be left as is, or can be changed to .dd. The .001 extension is used because many times the file to be imaged is very large and must be split into multiple chunks. In that case, you would have Thanks test1.001, Thanks test1.002, etc.

Conclusion:-
------------
--> At this point, the disk image has been created. This is essential for analyzing the contents without touching the original drive. Next we'll cover viewing the contents of this disk image file.

--> The disk image is completely intact and untouched at this point. It's imperative that the hashes be recorded.

--------------------------------------------------------------------------------
/Lecture-22 Cyber Forensics - Information-Gathering-Image-File.txt:
--------------------------------------------------------------------------------

#----------Information Gathering About the Image File---------#

Using this procedure you can get details like:--

1. Device Name
2. Device Information
3. Camera Information
4. Geo Location
5. Date & Time the picture was taken
etc.

Tool Name:-

1. Exif ----- Meta information about the image file
2. Exiftool ----- Detailed meta information about the image file

Installation:-
--------------
#apt install exif
#apt install exiftool

Command:-
---------
For Exif:--
#exif
#exif test.jpg

For Exiftool:-
#exiftool
#exiftool test.jpg

#----------------------------------------------------------------------------------------------------------------------------------------------------#

Windows Based Info via Exif Reader:-
------------------------------------

Exif Reader is image file analysis software for Windows. It analyzes and displays the shutter speed, flash condition, focal length and other image information included in the Exif image format, which is supported by almost all the latest digital cameras. Exif image files with an extension of JPG can be treated in the same manner as conventional JPEG files. This software analyzes JPEG files created by digital cameras.
Exif Reader can analyze some maker-specific formats such as Makernote. This software can display the image information in more detail than any other Exif analysis software. For details, refer to the operating environment.

In addition to the Exif format, Exif Reader is applicable to the TIFF/EP format supported by the CANON EOS D series and Kodak digital cameras for professionals, the NSK-TIFF format by the Japan Newspaper Publishers and Editors Association, the TIFF-FX format for FAX by Xerox, and many other special image formats.

Link to Download:- http://www.takenet.or.jp/~ryuuji/minisoft/exifread/english/download.html


#------------------------------------------------------------------------------------------------------------------------------------------------------#

Online Metadata Viewer:-
-------------------------------------
Website:- http://exif.regex.info/exif.cgi
https://www.metadata2go.com/
https://exifinfo.org/


Using these websites you can get all the metadata details of an image file by pasting the image link into the search box.

#------------------------------------------#

Extension Based Image Information:-
----------------------------------------------------
Browser Used:- Mozilla Firefox

Tool Name:- Exif Viewer

Using this browser-extension tool you can view the image metadata directly in the browser.

#------------------------------------------#

Get the location of the Image file:-
----------------------------------------------
Website:- https://www.pic2map.com/

Using this website you can get the exact location where the user clicked the image. This procedure works only if the user gave access to the GPS location while clicking the image.

This procedure will give you information such as:-

1. Camera Information
2. Date & Time Information
3. File Information
4. GPS Information
5. Location Information

#------------------------------------------#

Modification of Meta Data in Image File:-
-------------------------------------------------------
Using this procedure you can change all the metadata details of the image file.
Tool Name:- Exiftool

Commands:-
----------------

#exiftool -<tag>=<value> <image>
#exiftool -Copyright=
#exiftool -Copyright=ENN test.jpg

#------------------------------------------#

Deletion of Meta Details:-
----------------------------------
Using this procedure you can delete specific meta details or the full metadata.
Tool Name:- Exiftool

Commands:-
----------------
In Single Image---
#exiftool -<tag>= test.jpg
#exiftool -gps:all= test.jpg

In All Images:----
#exiftool -gps:all= *.jpg

Full MetaData Deletion:---
#exiftool -all= test.jpg

#-------------------------------------------#

Remove Meta Data Via Online:---
------------------------------------------
Website:- https://www.verexif.com

<<<<<<<<<<<>>>>>>>>>>>>

Search on google:- remove exif data online

#---------------------------------------------#

Remove Meta Data Via Offline:---
------------------------------------------
Using this Kali tool you can completely delete the metadata of an image file.
Tool Name:- Imagemagick

Installation:-
---------------------
#apt install imagemagick

Commands:-
--------------------
#mogrify -strip
#mogrify -strip test.jpg

For Checking:---
#exif
#exif test.jpg

#------------------------------------------------#

Modify & Delete MetaData of Image in Windows:-
-------------------------------------------------------------------

Using this method you can modify and delete metadata of any image file.

For Modification:-
1. Right-click the selected image and go to the Details tab
2. Modify the data you want to change
3. Click Apply and save the changes

For Deletion:-
1. Right-click the selected image and go to the Details tab
2. Click the "Remove Properties and Personal Information" option
3. Select the tags to delete and click the OK button

#----------------------------------------------#

Modify & Delete MetaData of Image in Windows & Mac via tool:-
-------------------------------------------------------------------

Using this method you can modify and delete metadata of any image file.
Tool Name:- Exif Purge

Download link:- http://www.exifpurge.com/
--------------------------------------------------------------------------------
/Lecture-17 Cyber Forensics - Encryption Analysis.txt:
--------------------------------------------------------------------------------

#-----------------------------------------------------Investigation of Encryption-----------------------------------------------------#

INTRODUCTION TO CRYPTOGRAPHY
===============================

Cryptography is a form of encryption in which readable plain text is converted into another form that no longer carries the value of the plain text as it was; the converted form can still be read by a human being but makes no sense. These encryption techniques are used mostly for securing and maintaining the privacy of data.

For this technique the user has an encryption algorithm and a key for its decryption. The user transmits the encrypted message and the receiver receives it. For the receiver to understand it, he needs to convert the cipher back into plain text, and for that he again needs the key and the exact algorithm (decryption).

TERMINOLOGIES

Plain Text : Text which is created by and readable to individuals. Like:---ABCD1234!@#$%
Cipher Text : The encrypted text, produced by applying an algorithm to the plain text.
Encryption : Process of converting plain text to cipher text.
Decryption : Process of converting cipher text to plain text.

CIPHERS
========
In the cryptography process, ciphers are the encrypted text that came out of the encryption algorithm.

Example of Cipher :

The Caesar cipher is one of the oldest ciphers and introduced the technique of encrypting a plain text into a cipher text. The Caesar cipher works by adding or subtracting 3 positions from each character. That means a plain-text character E is transferred to B, and a character A is transferred to X.

This cipher algorithm has some mathematical equations which describe the functionality of the cryptography process.

Example Of Caesar Cipher:-
--------------------------------------

KEY :- ABCDEFGHIJKLMNOPQRSTUVWXYZ

Encryption Algo:---- Subtraction of 3 characters

Plain Text:- RACHIT
Cipher Text:- OXZEFQ

Decryption Algo:-----Addition of 3 characters

Cipher Text:- OXZEFQ
Plain text:- RACHIT


Further examples of these ciphers are the Hill Climb and Play Fair ciphers.

When we talk about encryption algorithms, these are the standards or modes on which the encryption is based, like AES (Advanced Encryption Standard), DES (Data Encryption Standard), RSA (Rivest Shamir Adleman), etc.


KEY SYSTEM IN CRYPTOGRAPHY
=============================
A cryptographic key is the string of bits used by cryptographic algorithms for converting plain text into cipher text or vice versa.
There are mainly two kinds of cryptographic keys.
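The shift cipher walked through above (subtract 3 to encrypt, add 3 to decrypt), as an added Python example that is not part of the lecture notes; it also lists every candidate decryption to show why a 25-key key space protects nothing.

```python
"""Caesar (shift) cipher exactly as the notes describe: subtract 3 to encrypt,
add 3 to decrypt. Added example; the alphabet is the KEY string from the notes."""

import string

ALPHABET = string.ascii_uppercase  # KEY :- ABCDEFGHIJKLMNOPQRSTUVWXYZ


def shift(text: str, k: int) -> str:
    """Move every letter k positions along ALPHABET, wrapping around.
    Non-letters pass through unchanged; lowercase letters keep their case."""
    out = []
    for ch in text:
        up = ch.upper()
        if up in ALPHABET:
            new = ALPHABET[(ALPHABET.index(up) + k) % len(ALPHABET)]
            out.append(new if ch.isupper() else new.lower())
        else:
            out.append(ch)
    return "".join(out)


def caesar_encrypt(plain: str, key: int = 3) -> str:
    """Encryption algo from the notes: subtraction of `key` characters."""
    return shift(plain, -key)


def caesar_decrypt(cipher: str, key: int = 3) -> str:
    """Decryption algo from the notes: addition of `key` characters."""
    return shift(cipher, key)


def all_shifts(cipher: str) -> dict:
    """Every possible decryption, keyed by shift. Only 25 candidates exist, so the
    'key' offers no secrecy: an analyst simply reads off the one that makes sense."""
    return {k: caesar_decrypt(cipher, k) for k in range(1, len(ALPHABET))}


if __name__ == "__main__":
    c = caesar_encrypt("RACHIT")
    print(c, caesar_decrypt(c))  # OXZEFQ RACHIT
    for k, candidate in all_shifts(c).items():
        print(k, candidate)
```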

ASYMMETRIC KEY / PUBLIC KEY CRYPTOGRAPHY:-
------------------------------------------------------------------------
Asymmetric key encryption algorithms, also called public key algorithms, use two different but related keys for encryption and decryption; the public key is provided openly, for example by the web server.

Link:- https://www.youtube.com/watch?v=AQDCe585Lnc

Public Key Cryptography: RSA Encryption Algorithm:-
-----------------------------------------------------------------------------
Link:- https://www.youtube.com/watch?v=wXB-V_Keiu8


SYMMETRIC KEY / PRIVATE KEY CRYPTOGRAPHY:-
-----------------------------------------------------------------------
Symmetric key encryption algorithms use a single symmetric key for both encryption and decryption, and that key is kept private.


STEGANOGRAPHY
================
Steganography is a process in which we basically hide data inside other data. The data is hidden in plain sight, inside an image, audio or video file. This process can also be used along with cryptography as an extra-secure method of protecting data.
One of the most famous and simplest techniques used in steganography is the least significant bit technique, also known as LSB.

STEPS :
$ CMD > copy /b Jelly.jpg+list.txt steganography.jpg

Here, /b is used for binding the 2 files, and copy copies the content of the second file onto the first file.

For using cryptography together with steganography, we can use “Encipher.it”.

Eg :

copy /b gokuu.jpg+hashes.txt sanjeev.jpg


Hashes:-
------------
A hash converts data into either alphanumeric form or hex form. But there is a difference between cipher encryption and a hash: encrypted text can be reverted and decrypted, whereas hashes cannot be reverted. We need to crack the hashes.
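An added Python example (not from the notes, exiftool or ImageMagick) that serves both the Lecture-22 metadata commands and the copy /b step above: it walks the JPEG marker segments, reads Make/Model/GPSInfo from the APP1 Exif block that exif and exiftool display, drops the APPn segments the way exiftool -all= and mogrify -strip do, and reports bytes appended after the EOI marker, which is where copy /b leaves the second file. The sample JPEG is constructed in code (a minimal marker structure, not a decodable photo).

```python
"""JPEG marker-segment walker: Exif IFD0 tags, APPn stripping, and detection of
data appended after EOI. Added example; the sample JPEG is constructed below."""

import struct

SOS = 0xFFDA   # start of scan: marker segments end here, entropy-coded data follows
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSInfo"}


def parse(data: bytes):
    """Return ([(marker, body, start, end), ...] for segments before SOS, sos_offset)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    segs, pos = [], 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker == SOS:
            return segs, pos
        segs.append((marker, data[pos + 4:pos + 2 + length], pos, pos + 2 + length))
        pos += 2 + length
    raise ValueError("no SOS marker found")


def exif_tags(data: bytes) -> dict:
    """Decode IFD0 of the APP1 'Exif' segment: ASCII tags and LONG pointers only,
    enough for Make, Model, DateTime and the GPSInfo sub-IFD pointer."""
    for marker, body, _, _ in parse(data)[0]:
        if marker != 0xFFE1 or not body.startswith(b"Exif\x00\x00"):
            continue
        tiff = body[6:]
        e = "<" if tiff[:2] == b"II" else ">"        # byte order from the TIFF header
        ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
        (count,) = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])
        tags = {}
        for i in range(count):
            entry = tiff[ifd0 + 2 + 12 * i: ifd0 + 14 + 12 * i]
            tag, typ, n, val = struct.unpack(e + "HHII", entry)
            if typ == 2:                               # ASCII: inline if <= 4 bytes, else at offset
                raw = entry[8:8 + n] if n <= 4 else tiff[val:val + n]
                tags[TAG_NAMES.get(tag, hex(tag))] = raw.rstrip(b"\x00").decode("ascii", "replace")
            elif typ == 4:                             # LONG, e.g. offset of the GPS IFD
                tags[TAG_NAMES.get(tag, hex(tag))] = val
        return tags
    return {}


def strip_metadata(data: bytes) -> bytes:
    """Remove every APPn segment (0xFFE1-0xFFEF), as exiftool -all= / mogrify -strip do.
    Anything appended after EOI survives this: stripping metadata is not sanitising."""
    segs, _ = parse(data)
    out, last = bytearray(data[:2]), 2
    for marker, _, start, end in segs:
        if 0xFFE1 <= marker <= 0xFFEF:
            out += data[last:start]
            last = end
    out += data[last:]
    return bytes(out)


def trailing_data(data: bytes) -> bytes:
    """Bytes after the image's EOI marker. Viewers ignore them, so this is where
    copy /b photo.jpg+file.txt out.jpg leaves file.txt; an examiner should look here."""
    _, sos = parse(data)
    eoi = data.find(b"\xff\xd9", sos)   # first EOI after the scan (APP1 thumbnails carry their own)
    return data[eoi + 2:] if eoi >= 0 else b""


def build_sample(exif: bool = True, appended: bytes = b"") -> bytes:
    """Constructed minimal JPEG: SOI, optional APP1 Exif (Make, Model, GPSInfo pointer),
    a one-component SOS header with two scan bytes, EOI, then optional appended bytes."""
    strings = [(0x010F, b"CamCorp\x00"), (0x0110, b"X100\x00")]
    data_off = 8 + 2 + 12 * (len(strings) + 1) + 4   # TIFF header + IFD0 (count, entries, next)
    ifd, blob = struct.pack("<H", len(strings) + 1), b""
    for tag, val in strings:
        ifd += struct.pack("<HHII", tag, 2, len(val), data_off + len(blob))
        blob += val
    gps_off = data_off + len(blob) + (-(data_off + len(blob)) % 2)   # word-align the GPS IFD
    blob += b"\x00" * (gps_off - data_off - len(blob)) + struct.pack("<HI", 0, 0)  # empty GPS IFD
    ifd += struct.pack("<HHII", 0x8825, 4, 1, gps_off) + struct.pack("<I", 0)
    app1 = b"Exif\x00\x00" + b"II*\x00" + struct.pack("<I", 8) + ifd + blob
    head = b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 if exif else b""
    scan = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34"
    return b"\xff\xd8" + head + scan + b"\xff\xd9" + appended


if __name__ == "__main__":
    sample = build_sample(appended=b"hidden list.txt contents")
    print(exif_tags(sample), trailing_data(sample), exif_tags(strip_metadata(sample)))
```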
A hash function is one which takes an input and returns a fixed-size alphanumeric string. The string is called the hash value. Examples: MD5 hash, Base64 encoding, etc.

EG. alphanumeric - scusege67dg367df7fd3fd37f3636d

Link:- https://www.youtube.com/watch?v=2BldESGZKB8


Cracking methods for Hashes:-
----------------------------------------------
We have to create a dictionary and convert every word of a particular wordlist into its hash, and then compare it with the target hash. If it matches, the specific word has been found. Hashes are usually unique.

Passwords & hash functions:-
Link:- https://www.youtube.com/watch?v=cczlpiiu42M


HASHES FORMATS
================
1. Base64 encoding
It is an encoding process in which the plain text is converted into alphanumeric form, but the length of the output varies with the length of the plain text. It is a textual encoding of binary data where the resultant text contains nothing but letters, numbers and a few symbols.


2. MD5 (Message Digest 512 bit)
It converts the plain text into hexadecimal text of fixed length. It always creates a unique hash for the plain text, normally shown as its 32-digit hexadecimal value.


Digital Signatures:-
Link:- https://www.youtube.com/watch?v=JR4_RBb8A9Q


AUTOMATED TOOL
================

Hashcat is the world’s fastest and most advanced password recovery tool. It is the fastest hash recovery tool: it converts the wordlist into hashes and then matches those hashes with the specific hash we want to recover. It is pre-installed in the Kali Linux OS.
Instead of using standard CPU cores, it uses GPU (graphics card) cores.
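The identification and dictionary method described above, as an added Python example not taken from the notes or from hashcat: classify a token by length and character set (what hash-identifier does), decode Base64 to show it is a reversible encoding rather than a hash, and hash a constructed wordlist to find the word behind an unsalted digest. The demo digests are the well-known MD5 and SHA-1 of the word "password".

```python
"""Hash triage: guess the digest type from its shape, then the dictionary method.
Added example; the wordlist and demo digests below are constructed for it."""

import base64
import binascii
import hashlib
import re
from typing import Iterable, Optional

HEX_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}  # Whirlpool is also 128 hex
ALGOS = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}

# Constructed demo data: a tiny wordlist and the well-known MD5 / SHA-1 digests of "password"
WORDLIST = ["123456", "letmein", "password", "forensics"]
DEMO_MD5 = "5f4dcc3b5aa765d61d8327deb882cf99"
DEMO_SHA1 = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"


def identify(token: str) -> str:
    """Shape-based identification, which is all hash-identifier can do: a 32-hex
    string is *probably* MD5 (NTLM and MD4 look identical). Base64 is tried last
    because it is an encoding, not a hash: its length tracks the input and it decodes."""
    if re.fullmatch(r"[0-9a-fA-F]+", token) and len(token) in HEX_LENGTHS:
        return HEX_LENGTHS[len(token)]
    if len(token) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", token):
        try:
            base64.b64decode(token, validate=True)
            return "Base64 (encoding, reversible)"
        except binascii.Error:
            pass
    return "unknown"


def decode_base64(token: str) -> str:
    """Encodings revert, hashes do not: this is the 'revert' side of that distinction."""
    return base64.b64decode(token, validate=True).decode("utf-8", "replace")


def dictionary_lookup(target: str, wordlist: Iterable[str], algo: Optional[str] = None) -> Optional[str]:
    """The method from the notes: hash every word with the identified algorithm and
    compare. It works only because the digest is unsalted; a per-record salt would
    force the whole list to be rehashed separately for every target."""
    algo = algo or identify(target)
    if algo not in ALGOS:
        return None
    target = target.lower()
    for word in wordlist:
        if hashlib.new(ALGOS[algo], word.encode()).hexdigest() == target:
            return word
    return None


if __name__ == "__main__":
    for t in (DEMO_MD5, DEMO_SHA1, "aGVsbG8="):
        print(t, "->", identify(t))
    print(dictionary_lookup(DEMO_MD5, WORDLIST), dictionary_lookup(DEMO_SHA1, WORDLIST))
```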

USAGE :
$ hashcat -m 0 -a 3

STEPS :
$ hashcat -m 0 -a 3 /root/Desktop/hash.txt /usr/share/wordlists/rockyou.txt
$ hashcat -m 0 -a 3 /root/Desktop/hash.txt /usr/share/wordlists/rockyou.txt --force

Here,
hashcat is the tool for password recovery
-m : hash type
0 : MD5
-a : attack mode
3 : Brute force attack
hash.txt : file containing the hashes to be recovered
rockyou.txt : wordlist used for brute forcing and comparing
--force : to start forcefully

CUDA CRACKING
===============
CUDA cracking, also called GPU password cracking, is only for NVIDIA. CUDA belongs to NVIDIA alone, so only NVIDIA graphics cards support CUDA cracking, which makes password recovery very fast.
--------------------------------------------------------------------------------
/Lecture-9 Cyber Forensics - File System.txt:
--------------------------------------------------------------------------------

Hard Disk:-
------------------
Hard disks are flat, circular plates made of aluminum or glass and coated with a magnetic material. Hard disks for personal computers can store up to several gigabytes (billions of bytes) of information.


File System:-
--------------------
A file system is a process that manages how and where data on a storage disk, typically a hard disk drive (HDD), is stored, accessed and managed. It is a logical disk component that manages a disk's internal operations as they relate to a computer and is abstract to a human user.

Regardless of type and usage, a disk contains a file system and information about where disk data is stored and how it may be accessed by a user or application. A file system typically manages operations such as storage management, file naming, directories/folders, metadata, access rules and privileges.

Commonly used file systems include File Allocation Table 32 (FAT32), New Technology File System (NTFS) and Hierarchical File System (HFS).

Different operating systems support different file systems. Your removable drive should use FAT32 for best compatibility, unless it’s bigger and needs NTFS. Mac-formatted drives use HFS+ and don’t work with Windows. And Linux has its own file systems, too.


How file systems work:-
-------------------------------------
A file system stores and organizes data and can be thought of as a type of index for all the data contained in a storage device. These devices can include hard drives, optical drives and flash drives.

File systems specify conventions for naming files, including the maximum number of characters in a name, which characters can be used and, in some systems, how long the file name suffix can be. In many file systems, file names are not case sensitive.

Along with the file itself, file systems keep information such as the size of the file, its attributes, its location and its position in the directory hierarchy in the metadata. Metadata can also identify free blocks of available storage on the drive and how much space is available.


File systems and the role of metadata:-
----------------------------------------------------------
File systems use metadata to store and retrieve files. Examples of metadata tags include:

1. Date created
2. Date modified
3. Last date of access
4. Last backup
5. User ID of the file creator
6. Access permissions
7. File size

Metadata is stored separately from the contents of the file, with many file systems storing the file names in separate directory entries. Some metadata may be kept in the directory, whereas other metadata may be kept in a structure called an inode.
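Reading the metadata tags listed above from a file's inode, as an added Python example that is not part of the notes; it creates a file in a temporary directory and then back-dates its modification time with os.utime to show that MAC times are metadata that can be changed independently of the content.

```python
"""Inode metadata as seen by the examiner: size, owner, permissions, MAC times.
Added example, not part of the notes; the file lives in a temporary directory."""

import os
import stat
import tempfile
from datetime import datetime, timezone

DEMO_MTIME = 1609459200   # constructed fixed timestamp: 2021-01-01T00:00:00Z


def iso_utc(ts: float) -> str:
    return datetime.fromtimestamp(ts, timezone.utc).isoformat(timespec="seconds")


def inode_metadata(path: str) -> dict:
    """Everything here lives in the inode / directory entry, not in the file content."""
    st = os.stat(path)
    return {
        "size": st.st_size,
        "owner_uid": st.st_uid,                        # user ID of the file owner
        "permissions": stat.filemode(st.st_mode)[1:],  # 'rw-r--r--' (access permissions)
        "inode": st.st_ino,
        "hard_links": st.st_nlink,
        "modified": iso_utc(st.st_mtime),              # content last written
        "accessed": iso_utc(st.st_atime),              # last read; relatime/noatime mounts update lazily
        "changed": iso_utc(st.st_ctime),               # inode change (POSIX) or creation time (Windows)
    }


def demo_metadata(content: bytes = b"hello, inode!") -> dict:
    """Create a file, restrict it to the owner, then back-date atime/mtime with os.utime.
    The 'after' view shows a 2021 mtime on a file written just now: a modified
    timestamp alone proves little, which is why ctime (bumped by utime itself) and
    external sources such as logs or backups are compared against it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "evidence.txt")
        with open(path, "wb") as f:
            f.write(content)
        os.chmod(path, 0o600)
        before = inode_metadata(path)
        os.utime(path, (DEMO_MTIME, DEMO_MTIME))       # sets atime and mtime; ctime becomes "now"
        after = inode_metadata(path)
        return {"before": before, "after": after}


if __name__ == "__main__":
    for label, meta in demo_metadata().items():
        print(label, meta)
```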


File system access:-
------------------------------
File systems can also restrict read and write access to a particular group of users. Passwords are the easiest way to do this. Along with controlling who can modify or read files, restricting access can ensure that data modification is controlled and limited.

File permissions such as access or capability control lists can also be used to moderate file system access. These types of mechanisms are useful to prevent access by regular users, but not as effective against outside intruders.

Encrypting files can also prevent user access, but it is focused more on protecting systems from outside attacks. An encryption key can be applied to unencrypted text to encrypt it, or the key can be used to decrypt encrypted text. Only users with the key can access the file.



Types of file systems:-
----------------------------------
There are a number of types of file systems, all with different logical structures and properties, such as speed and size. The type of file system can differ by OS and the needs of that OS. The three most common PC operating systems are Microsoft Windows, Mac OS X and Linux. Mobile OSes include Apple iOS and Google Android.

FAT32:-
-------------
File allocation table (FAT) is supported by the Microsoft Windows OS. FAT is considered simple and reliable, and it is modeled after legacy file systems. FAT was designed in 1977 for floppy disks, but was later adapted for hard disks. While efficient and compatible with most current OSes, FAT cannot match the performance and scalability of more modern file systems.

GFS:-
---------
Global file system (GFS) is a file system for the Linux OS, and it is a shared disk file system. GFS offers direct access to shared block storage and can be used as a local file system.

NTFS:-
-----------
The NT file system -- also known as the New Technology File System (NTFS) -- is the default file system for Windows products from the Windows NT 3.1 OS onward. Improvements over the previous FAT file system include better metadata support, performance and use of disk space. NTFS is also supported in the Linux OS through a free, open-source NTFS driver. Mac OSes have read-only support for NTFS.

HFS:-
-----------
Hierarchical file system (HFS) was developed for use with Mac operating systems. HFS can also be referred to as Mac OS Standard, and it was succeeded by Mac OS Extended. Originally introduced in 1985 for floppy and hard disks, HFS replaced the original Macintosh file system. It can also be used on CD-ROMs.

UDF:-
----------
Universal Disk Format (UDF) is a vendor-neutral file system used on optical media and DVDs. UDF replaces the ISO 9660 file system and is the official file system for DVD video and audio as chosen by the DVD Forum.

Ext2/Ext3/Ext4:-
-------------------------
You’ll often see the Ext2, Ext3, and Ext4 file systems on Linux. Ext2 is an older file system, and it lacks important features like journaling: if the power goes out or a computer crashes while writing to an ext2 drive, data may be lost. Ext3 adds these robustness features at the cost of some speed. Ext4 is more modern and faster; it’s the default file system on most Linux distributions now. Windows and Mac don’t support these file systems.

Btrfs:-
----------
Btrfs, the “better file system”, is a newer Linux file system that’s still in development. It isn’t the default on most Linux distributions at this point, but it will probably replace Ext4 one day. The goal is to provide additional features that allow Linux to scale to larger amounts of storage.

Swap:-
-------------
On Linux, the “swap” file system isn’t really a file system.
A partition formatted as “swap” can just be used as swap space by the operating system; it’s like the page file on Windows, but requires a dedicated partition.


File system vs. DBMS:-
-----------------------------------
Like a file system, a database management system (DBMS) efficiently stores data that can be updated and retrieved. The two are not interchangeable, however. While a file system stores unstructured, often unrelated files, a DBMS is used to store and manage structured, related data.

A DBMS creates and defines the restraints for a database. A file system allows access to single files at a time and addresses each file individually.

The centralized structure of a DBMS allows for easier file sharing than a file system and prevents anomalies that can occur when separate changes are made to files in a file system.


Difference by Security:-
-----------------------------------
Security in a file system is determined by the OS, and it can be difficult to maintain over time as files are accessed and authorization is granted to users.

A DBMS keeps security constraints high, relying on password protection, encryption and limited authorization. More security does result in more obstacles when retrieving data, so in terms of general, simple-to-use file storage and retrieval, a file system may be preferred.
--------------------------------------------------------------------------------
/Lecture-20 Email Investigation.txt:
--------------------------------------------------------------------------------

#----------------------------------------Email Investigation--------------------------------------#

Email Identities and Data:-
------------------------------------------
The primary evidence in email investigations is the email header. The email header contains a considerable amount of information about the email.
Email header analysis should start from the bottom and work upward, because the bottom-most information comes from the sender and the top-most information is about the receiver.


Identify Email in Evidence File:- https://hashes.com/en/emails/extract


#-------------------------------------------------------------------------------####-------------------------------------------------------------------------------#


Email Forensic Investigation Techniques:-
------------------------------------------------------------
Email forensics refers to analyzing the source and content of emails as evidence. Investigation of email-related crimes and incidents involves various approaches.

Header Analysis:-
---------------------------
Email header analysis is the primary analytical technique. This involves analyzing metadata in the email header. Analyzing headers helps to identify the majority of email-related crimes. Email spoofing, phishing, spam, scams and even internal data leakages can be identified by analyzing the header.

Server Investigation:-
---------------------------------
This involves investigating copies of delivered emails and server logs. Some organizations provide separate mailboxes for their employees on internal mail servers. In this case, the investigation involves extracting the entire mailbox related to the case together with the server logs.

Network Device Investigation:-
----------------------------------------------
In some investigations, the investigator requires the logs maintained by network devices such as routers, firewalls and switches to investigate the source of an email message. This is often a complex situation where the primary evidence is not present (when the ISP or proxy does not maintain logs, or the ISP does not cooperate).

Software Embedded Analysis:-
----------------------------------------------
Some information about the sender of the email, attached files or documents may be included with the message by the email software used by the sender to compose the email. This information may be included in the form of custom headers or in the form of MIME content as Transport Neutral Encapsulation Format (TNEF).

Sender Mail Fingerprints:-
---------------------------------------
The “Received” field includes tracking information generated by the mail servers that have previously handled a message, in reverse order. The “X-Mailer” or “User-Agent” field helps to identify the email software. Analyzing these fields helps to understand the software, and the version of it, used by the sender.

Use of Email Trackers:-
----------------------------------
In some situations, attackers use different techniques and locations to generate emails. In such situations it is important to find out the geographical location of the attacker. To get the exact location of the attacker, investigators often use email tracking software embedded into the body of an email. When a recipient opens a message that has an email tracker attached, the investigator will be notified of the IP address and geographical location of the recipient. This technique is often used to identify suspects in murder or kidnapping cases, where the criminal communicates via email.

Volatile Memory Analysis:-
----------------------------------------
Recent research has been conducted into analyzing spoofed mails from volatile memory. Since everything passes through volatile memory, it is possible to extract email-related evidence (header information) from it.

Attachment Analysis:-
----------------------------------
Most viruses and malware are sent through email attachments.
Investigating attachments is crucial in any email-related investigation. Confidential information leakage is another important field of investigation. There are software tools available to recover email-related data, such as attachments, from computer hard disks. For the analysis of suspicious attachments, investigators can upload documents to an online sandbox such as VirusTotal to check whether the file is malware or not. However, it is important to bear in mind that even if a file passes a test such as VirusTotal’s, this is not a guarantee that it is fully safe. In that case, it is a good idea to investigate the file further in a sandbox environment such as Cuckoo.


#-------------------------------------------------------------------------------####-------------------------------------------------------------------------------#


Online Header Analysis & Email Trace tools:-
----------------------------------------------------------------
Link:- https://toolbox.googleapps.com/apps/messageheader/
Link:- https://www.iplocation.net/trace-email
Link:- https://www.iptrackeronline.com/email-header-analysis.php
Link:- https://whatismyipaddress.com/trace-email
Link:- https://my-addr.com/trace_email_address/free_email_trace_route/online_email_trace_route_tool.php


#-------------------------------------------------------------------------------####-------------------------------------------------------------------------------#


Email Authentication:-
-----------------------------------
Email authentication is a technical solution for proving that an email is not forged. In other words, it provides a way to verify that an email comes from who it claims to be from. Email authentication is most often used to block harmful or fraudulent uses of email such as phishing and spam.

The most commonly used email authentication standards are SPF, DKIM, and DMARC.
These standards were designed to supplement SMTP, the basic protocol used to send email, because SMTP does not itself include any authentication mechanism.


How does email authentication work?
--------------------------------------------------------
There are several different approaches to email authentication, each with its own advantages and disadvantages. Although the specific technical implementation varies from approach to approach, in general the process works something like this:-

-->A business or organization that sends email establishes a policy that defines the rules by which email from its domain name can be authenticated.
-->The email sender configures its mail servers and other technical infrastructure to implement and publish these rules.
-->A mail server that receives email authenticates the messages it receives by checking details of an incoming message against the rules defined by the domain owner.
-->The receiving mail server acts upon the results of this authentication to deliver, flag, or even reject the message.


#-------------------------------------------------------------------------------####-------------------------------------------------------------------------------#


Email Authentication Standards:-
--------------------------------------------------
SPF, DKIM, and DMARC are all standards that enable different aspects of email authentication. They address complementary issues.

SPF:-
----------
The Sender Policy Framework (SPF) is a technical standard and email authentication technique that helps protect email senders and recipients from spam, spoofing, and phishing.
SPF allows senders to define which IP addresses are allowed to send mail for a particular domain.
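Header analysis from the bottom up and an SPF check, as described above, as an added Python example not part of the notes or of any tool named here. The raw message and the SPF record are constructed; no DNS lookup is performed, and only the ip4/ip6/all mechanisms are evaluated.

```python
"""Bottom-to-top Received analysis plus an SPF mechanism check on the hop that
left the sender's infrastructure. Added example; message and record are constructed."""

import ipaddress
import re
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed message: three hops, oldest at the bottom, as a real header is ordered
RAW = b"""\
Received: from mx1.example.net (mx1.example.net [203.0.113.10])
\tby mail.example.org with ESMTPS id abc123; Tue, 2 Mar 2021 10:00:05 +0000
Received: from relay.example.com (relay.example.com [198.51.100.5])
\tby mx1.example.net with ESMTP; Tue, 2 Mar 2021 10:00:03 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
\tby relay.example.com with ESMTPA; Tue, 2 Mar 2021 10:00:01 +0000
From: "Accounts" <billing@example.com>
To: victim@example.org
Subject: Invoice
X-Mailer: ConstructedMailer 1.0
Message-ID: <20210302100001.demo@example.com>

Please see the attached invoice.
"""
SPF_RECORD = "v=spf1 ip4:198.51.100.0/24 ~all"   # constructed TXT record for example.com

HOP_RE = re.compile(r"from (\S+).*?\[([0-9a-fA-F.:]+)\].*?\bby (\S+)")


def received_chain(raw: bytes) -> list:
    """Received hops oldest-first, i.e. read from the bottom of the header upward.
    Each hop is (claimed sending host, connecting IP, receiving host)."""
    msg = BytesParser().parsebytes(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.match(" ".join(value.split()))     # unfold continuation lines
        if m:
            hops.append(m.groups())
    return hops


def spf_result(record: str, ip: str) -> str:
    """Evaluate the ip4/ip6/all mechanisms of an SPF record for the connecting IP.
    include/a/mx/exists need DNS and are deliberately not handled here."""
    if not record.startswith("v=spf1"):
        raise ValueError("not an SPF record")
    addr = ipaddress.ip_address(ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qual = term[0] if term[0] in qualifiers else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return qualifiers[qual]
        if name == "all":
            return qualifiers[qual]
    return "neutral"


def analyse(raw: bytes, spf_record: str) -> dict:
    """Find the hop where the message left the sender's own infrastructure (first
    receiving host outside the From domain) and run SPF on that connecting IP,
    which is what the receiving edge server would have evaluated."""
    msg = BytesParser().parsebytes(raw)
    sender_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1]
    hops = received_chain(raw)
    handoff = next((h for h in hops if not h[2].endswith(sender_domain)), hops[-1])
    return {
        "sender_domain": sender_domain,
        "origin_ip": hops[0][1],                      # bottom-most hop: the submitting client
        "handoff_ip": handoff[1],
        "spf": spf_result(spf_record, handoff[1]),
        "x_mailer": msg.get("X-Mailer"),
        "hops": hops,
    }


if __name__ == "__main__":
    for k, v in analyse(RAW, SPF_RECORD).items():
        print(f"{k}: {v}")
```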

Link:- https://www.sparkpost.com/resources/email-explained/spf-sender-policy-framework/

DKIM:-
------------
DomainKeys Identified Mail, or DKIM, is a technical standard that helps protect email senders and recipients from spam, spoofing, and phishing. It is a form of email authentication that allows an organization to claim responsibility for a message in a way that can be validated by the recipient.
DKIM provides an encryption key and digital signature that verify that an email message was not faked or altered.

Link:- https://www.sparkpost.com/resources/email-explained/dkim-domainkeys-identified-mail/

DMARC:-
---------------
Domain-based Message Authentication, Reporting, and Conformance, or DMARC, is a technical standard that helps protect email senders and recipients from spam, spoofing, and phishing. DMARC allows an organization to publish a policy that defines its email authentication practices and provides instructions to receiving mail servers on how to enforce them.
DMARC unifies the SPF and DKIM authentication mechanisms into a common framework and allows domain owners to declare how they would like email from that domain to be handled if it fails an authorization test.

Link:- https://www.sparkpost.com/resources/email-explained/dmarc-explained/

SPF Checker:-
-----------------------
Link:- https://tools.sparkpost.com/spf/inspector

Link:- https://www.sparkpost.com/blog/understanding-spf-and-dkim/#:~:text=SPF%20is%20a%20form%20of%20email%20authentication%20that,with%20SPF%20protocols.%20DomainKeys%20Identified%20Mail%20(DKIM)%20Definition:


#-------------------------------------------------------------------------------####-------------------------------------------------------------------------------#


Finding Email Headers:-
-------------------------------------
1. Applications
Apple Mail 2.x
Microsoft Outlook 2003
Mozilla Thunderbird 2.x

2. Websites
Google Mail (GMail)
Windows Live Hotmail
Yahoo Mail


Apple Mail 2.x (Mac):-
----------------------------------
-->Select the message whose headers you want to view.
-->Press SHIFT-COMMAND-H to toggle full headers for the message. (Alternatively, click VIEW in the menu bar, click MESSAGE, then click LONG HEADERS.)

Microsoft Outlook 2003 (Win):-
----------------------------------------------
-->Select the message whose headers you want to view.
-->Right-click the mouse and select OPTIONS.
-->Headers will be displayed within the “Internet Headers” area of a pop-up window.

Mozilla Thunderbird 2.x (Win):-
----------------------------------------------
-->Select the message whose headers you want to view.
-->Press CTRL-U (or click VIEW in the menu bar and select MESSAGE SOURCE).
-->Headers will be displayed in a new window.

Google Mail (GMail):-
--------------------------------
-->Open the message whose headers you want to view.
-->Click the down arrow next to the “Reply” link.
-->Select “Show Original” to open a new window with the full headers.

Windows Live Hotmail (Full Version):-
------------------------------------------------------

-->This does not work with Safari on Mac OS X.
-->Right-click on the message (from the list of emails).
-->Select “View Source”.
-->A new window with the full headers and HTML source of the email will open.

Yahoo Mail (“New” Version):-
------------------------------------------

-->Right-click on the message.
170 | -->Select “View Full Headers” 171 | -->A new window with the full headers will open 172 | 173 | Yahoo Mail (“Classic” Version):- 174 | ---------------------------------------------- 175 | 176 | -->Click on the message. 177 | -->Click “Full Headers” on the bottom right of the screen 178 | 179 | 180 | 181 | #-------------------------------------------------------------------------------####-------------------------------------------------------------------------------# 182 | 183 | 184 | Online IP Information & Location:- 185 | --------------------------------------------------- 186 | Link:- https://www.opentracker.net/feature/ip-tracker 187 | 188 | 189 | Tool:- 190 | Mail Examiner:- 191 | ------------------------ 192 | E-Mail Examiner offers a performance with speed yet accuracy, and is a proven, easy-to-operate email examiner program. 193 | Link:- https://www.mailxaminer.com/download.html 194 | 195 | For Learning:- https://sites.google.com/site/traceemailanalyzer/ 196 | 197 | 198 | #-------------------------------------------------------------------------------####-------------------------------------------------------------------------------# 199 | 200 | 201 | Reference:- https://www.forensicfocus.com/articles/email-forensics-investigation-techniques/ -------------------------------------------------------------------------------- /Lecture-15 Cyber Forensics - Firewall Handling.txt: -------------------------------------------------------------------------------- 1 | 2 | #-------------------------------------------------Security Via FIREWALLS , IDS , IPS------------------------------------------------# 3 | 4 | 5 | Firewall:- 6 | -------------- 7 | A firewall is a component which is used to filter the incoming and outgoing OR the inbound and outbound rules of a particular network. A firewall is having a database of signatures for the data packets moving inside or outside of a Network. 
The data packets moving in a Network Traffic having a malicious content can be blocked by a firewall according to the rule sets created by a Network Administrator. 8 | 9 | Link:- https://www.youtube.com/watch?v=kDEX1HXybrU&ab_channel=PowerCertAnimatedVideos 10 | 11 | 12 | How Firewall Works:- 13 | -------------------------------- 14 | Firewalls are software or hardware that work as a filtration system for the data attempting to enter your computer or network. Firewalls scan packets for malicious code or attack vectors that have already been identified as established threats. Should a data packet be flagged and determined to be a security risk, the firewall prevents it from entering the network or reaching your computer. 15 | 16 | Link:- https://www.youtube.com/watch?v=KZc1KaE1OKU 17 | 18 | 19 | #-----------------------------------------------------------------####----------------------------------------------------------# 20 | 21 | 22 | Types of Firewall:- 23 | ---------------------------- 24 | On the basis of methods firewall are two types:- 25 | 26 | 1. Softwares Based Firewalls : These are the firewalls which is in the form of a application or a software which is having a rulesets of Inbound and Outbound Traffic coming from a Network. Eg. Windows Firewalls , LInux Firewalls - IP Tables. 27 | 28 | 2. Hardware Based Firewalls : A hardware based firewall is a peripheral which is having a system box with a processor and giving us a Configuration Panel and having more advanced features from a Software Based Firewalls. 29 | Eg. Juniper, Sophos, Endian etc. 30 | 31 | Link:- https://www.youtube.com/watch?v=eO6QKDL3p1I 32 | Link:- https://www.youtube.com/watch?v=fCM86XAyQ7o 33 | 34 | 35 | #-----------------------------------------------------------------####----------------------------------------------------------# 36 | 37 | 38 | Other Types Of Firewall:- 39 | ------------------------------------- 40 | 1. 
Packet Filtering:- 41 | ------------------------ 42 | Packets are small amounts of data. When a firewall uses packet filtering, the packets attempting to enter the network are run against a group of filters. These filters remove the packets that match certain identified threats and allow the others through to their intended destination. 43 | 44 | 2. Application Level Firewalls (Proxies):- 45 | ------------------------------------------------------ 46 | Application proxies are configured in multi-homed server and they are often used instead of router-based traffic controls, to prevent traffic from passing directly between networks. Application proxy-based firewalls function at the application level. At this level, you can block or control traffic generated by applications. Application-Level Firewalls can enforce correct application behavior, and can help to block malicious. 47 | 48 | 3. Hybrid Firewalls:- 49 | --------------------------- 50 | A hybrid firewall may consist of a pocket filtering combined with an application proxy firewall, or a circuit gateway combined with an application proxy firewall. 51 | 52 | 53 | Link:- https://www.youtube.com/watch?v=aUPoA3MSajU 54 | 55 | 56 | #-----------------------------------------------------------------####----------------------------------------------------------# 57 | 58 | 59 | IDS 60 | === 61 | IDS stands Intrusion DEtection System, it is a software or a hardware based program which detects every suspicious activity and create a log for it. It can also create the logs and send immediately to the Network Administrator so that they can find out that there is a Intruder in our network. 
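To make the packet-filtering and IDS descriptions above concrete, here is an added Python example; it is not code from the lecture and not the logic of any real firewall or IDS product. It models a stateless packet filter with ordered inbound/outbound rules and a default deny, followed by a signature-based IDS over the packets the filter lets through; in prevention (IPS) mode a packet that matches a signature is dropped as well as logged. The rule set, the two content signatures and the sample packets are all constructed for illustration.

```python
"""Stateless packet filter + signature-based IDS/IPS (teaching model, constructed data)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One filter rule; rules are evaluated in order and the first match wins."""
    direction: str          # "inbound" or "outbound"
    proto: str              # "tcp", "udp", "icmp" or "any"
    src: str                # CIDR network the source must belong to, e.g. "192.168.1.0/24"
    dport: Optional[int]    # destination port, None = any port
    action: str             # "allow" or "deny"
    comment: str = ""


def rule_matches(rule: Rule, pkt: dict) -> bool:
    """True if every field of the rule matches the packet."""
    if rule.direction != pkt["direction"]:
        return False
    if rule.proto != "any" and rule.proto != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule.src):
        return False
    if rule.dport is not None and rule.dport != pkt.get("dport"):
        return False
    return True


def filter_packet(rules: List[Rule], pkt: dict) -> Tuple[str, str]:
    """Return (action, reason). Anything no rule matches is denied by default."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.comment
    return "deny", "default deny"


# Constructed content signatures in the spirit of an IDS rule set (not real Snort rules).
SIGNATURES = [
    ("SQLi probe", re.compile(rb"(?i)union\s+select")),
    ("Path traversal", re.compile(rb"\.\./\.\./")),
]


def inspect(pkt: dict) -> List[str]:
    """Signature-based detection over the payload; returns one alert string per hit."""
    alerts = []
    for name, pattern in SIGNATURES:
        if pattern.search(pkt.get("payload", b"")):
            alerts.append(f"ALERT {name} from {pkt['src']} to {pkt['dst']}:{pkt.get('dport')}")
    return alerts


def process(rules: List[Rule], packets: List[dict], prevent: bool = False):
    """Filter first, then inspect what the filter let through.

    prevent=False behaves like an IDS (log only); prevent=True like an IPS
    (a packet matching a signature is dropped as well as logged).
    Returns (allowed_packets, alerts).
    """
    allowed, alerts = [], []
    for pkt in packets:
        action, _reason = filter_packet(rules, pkt)
        if action == "deny":
            continue
        hits = inspect(pkt)
        alerts.extend(hits)
        if hits and prevent:
            continue
        allowed.append(pkt)
    return allowed, alerts


# Constructed rule set: public web server, SSH only from the LAN, LAN may go out, all else denied.
RULES = [
    Rule("inbound", "tcp", "0.0.0.0/0", 80, "allow", "public web server"),
    Rule("inbound", "tcp", "192.168.1.0/24", 22, "allow", "SSH from LAN only"),
    Rule("outbound", "any", "192.168.1.0/24", None, "allow", "LAN hosts may reach out"),
]

# Constructed packets (documentation IP ranges), one per case the rules and signatures cover.
SAMPLE_PACKETS = [
    {"direction": "inbound", "proto": "tcp", "src": "203.0.113.5", "dst": "192.168.1.10",
     "dport": 80, "payload": b"GET /index.html HTTP/1.1"},
    {"direction": "inbound", "proto": "tcp", "src": "203.0.113.5", "dst": "192.168.1.10",
     "dport": 22, "payload": b"SSH-2.0-client"},              # SSH from the Internet: default deny
    {"direction": "inbound", "proto": "tcp", "src": "192.168.1.20", "dst": "192.168.1.10",
     "dport": 22, "payload": b"SSH-2.0-client"},              # SSH from the LAN: allowed
    {"direction": "inbound", "proto": "tcp", "src": "198.51.100.7", "dst": "192.168.1.10",
     "dport": 80, "payload": b"GET /item?id=1 UNION SELECT 1,2 HTTP/1.1"},  # passes filter, trips IDS
    {"direction": "outbound", "proto": "udp", "src": "192.168.1.20", "dst": "192.0.2.53",
     "dport": 53, "payload": b"dns query"},
]

if __name__ == "__main__":
    for mode in (False, True):
        allowed, alerts = process(RULES, SAMPLE_PACKETS, prevent=mode)
        print(f"prevent={mode}: {len(allowed)} allowed, {len(alerts)} alerts")
        for line in alerts:
            print("  ", line)
```

The point of separating `filter_packet` from `inspect` is the same division the lecture draws: the packet filter decides on addresses, ports and direction alone and never looks at content, so the SQL-injection probe to port 80 is allowed through exactly like the legitimate request, and only the content signature stage (IDS) sees it. The `prevent` flag is the only difference between the IDS and IPS behaviour in this model.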
It can be deployed in different types such as NIDS (Network IDS), HIDS (Host IDS), WIDS (Wireless IDS) etc.

Link:- https://www.youtube.com/watch?v=YTWO7Q5iWzE

IPS
===
IPS stands for Intrusion Prevention System. It acts by immediately preventing intruders that are carrying out malicious and illegal activities in the network or against its clients.

EG. of IDS and IPS - SNORT etc.


#-----------------------------------------------------------------####----------------------------------------------------------#


HONEYPOTS
=========
A honeypot is a decoy technique used to attract and trap a hacker or attacker. It can be a web application, a network system or an access point (wireless connection) that seems absolutely normal but is created to trap attackers.

If a company opens some ports on its server and hackers regularly attempt attacks on those ports, the company can set up honeypots on all these ports to trace the hackers.


Link:- https://www.youtube.com/watch?v=c1UnNw_feQs


Honeypots are divided into two parts:-
----------------------------------------------------------

1. Production Honeypots
2. Research Honeypots

Production Honeypots:-
------------------------------------
It's a low interaction honeypot by which we can collect limited information about the hacker. It's very easy to use. Production honeypots are placed into the production network to improve its state of security.

Research Honeypots:-
----------------------------------
This is an advanced honeypot which is set up to retrieve information about the black hat hacker and their motive. It is mainly used by government organizations.

Research Honeypots are also divided into 3 parts:-

1. Pure Honeypots
2. High-Interaction Honeypots
3. Low-Interaction Honeypots


Tool:- Pentbox

#telnet ‘Kali IP’


#-----------------------------------------------------------------####----------------------------------------------------------#


How Firewall Protect Our Data:-
-----------------------------------------------
By putting protective filters in place around your network and devices, firewalls can help to prevent a number of different security risks.
==>Backdoors
==>Denial of service
==>Macros
==>Remote logins
==>Spam
==>Viruses


#-----------------------------------------------------------------####----------------------------------------------------------#


Limitations Of Firewall:-
------------------------------------
A firewall is a crucial component of securing your network and is designed to address the issues of data integrity or traffic authentication (via stateful packet inspection) and confidentiality of your internal network (via NAT). Your network gains these benefits from a firewall by receiving all transmitted traffic through the firewall. The importance of including a firewall in your security strategy is apparent; however, firewalls do have the following limitations:-

1. A firewall cannot prevent users or attackers with modems from dialing in to or out of the internal network, thus bypassing the firewall and its protection completely.
2. Firewalls cannot enforce your password policy or prevent misuse of passwords. Your password policy is crucial in this area because it outlines acceptable conduct and sets the ramifications of noncompliance.
3. Firewalls are ineffective against nontechnical security risks such as social engineering.
4. Firewalls cannot stop internal users from accessing websites with malicious code, making user education critical.
5. Firewalls cannot protect you from poor decisions.
6. Firewalls cannot protect you when your security policy is too lax.

Link:- https://www.youtube.com/watch?v=Xj654WUdDFE


#-----------------------------------------------------------------####----------------------------------------------------------#


Advantages of Firewall:-
==================
1. Monitor Traffic:-
--------------------------
A major responsibility of a firewall is to monitor the traffic passing through it. All information travelling through a network is in the form of packets. The firewall inspects each of these packets for threats, and if it finds any it blocks them immediately.

2. Protection against Trojans:-
----------------------------------------
Malware, especially Trojans, is dangerous to a user. A Trojan silently sits on your computer, spying on everything you do with it, and sends whatever information it gathers to a web server. You will not notice its presence until your computer starts behaving strangely. A firewall in this instance will block the Trojan before it causes any damage to your system.

3. Prevent Hackers:-
--------------------------
Hackers on the internet constantly look for computers to use for their illegal activities. When they find such computers they start further malicious activities, such as spreading viruses. Apart from hackers, there can be unknown people such as neighbours looking for an open internet connection. Hence, to prevent such intrusions it is a good idea to have firewall security in place.

4. Access Control:-
-------------------------
Firewalls come with an access policy that can be applied to certain hosts and services. Some hosts can be exploited by attackers, so the best option is to block such hosts from accessing the system. If a user feels they need protection from these types of unwanted access, this access policy can be enforced.

5. Better Privacy:-
-----------------------
Privacy is one of the major concerns of a user. Hackers constantly look for private information to get clues about the user. By using a firewall, many of the services offered by a site, such as the domain name service and finger, can be blocked, so hackers have no chance of getting private details. Additionally, firewalls can block the DNS information of the site's systems, so their names and IP addresses are not visible to attackers.


Disadvantages of Firewall:-
=====================
1. Cost:-
----------
Firewalls require an investment that depends on their type. In general hardware firewalls are more expensive than software firewalls. Besides that, hardware firewalls require installation and maintenance, which can be costly; these configurations cannot be done without an expert IT employee. Compared to this, a software firewall needs little investment and is easy enough for an average user to deploy.

2. User Restriction:-
--------------------------
There is no doubt that firewalls prevent unauthorized access to your system from the network. While this is advantageous for an average user, it can actually be a problem for large organizations. The policies used by the firewall can be strict enough to prevent employees from doing certain operations. As a result, the overall productivity of the company can be affected severely. Sometimes this can also prompt employees to use backdoors, which leads to security problems since the data travelling through these backdoors is not examined properly.

3. Performance:-
-----------------------
Firewalls, especially software based ones, can limit your computer's overall performance. Processing power and RAM are some of the factors that decide the computer's overall performance, and software firewalls that constantly run in the background consume both. This can lead to diminished system performance. Hardware firewalls, however, do not impact system performance since they do not rely on the computer's resources.

4. Malware Attacks:-
---------------------------
Even though firewalls have the capability to block the basic types of Trojans, they prove to be defenseless against other types of malware. This malware can enter your system in the form of trusted data. Therefore, even if you have a firewall, it is still recommended to have anti-malware software installed on your PC, because the only way to remove it is through an anti-malware scan.

5. Complex Operations:-
---------------------------------
Even though firewall maintenance is easy for small businesses, it is definitely not for large organizations. Firewalls for large organizations require a separate set of staff to operate them. These people make sure that the firewall is secure enough to protect the network from intruders.



Difference Among Hub/ Switch/ Router:-
--------------------------------------------------------------
Link:- https://www.youtube.com/watch?v=1z0ULvg_pW8
--------------------------------------------------------------------------------
/Lecture-13 Cyber Forensics - Denial Of Service Investigation.txt:
--------------------------------------------------------------------------------

#--------------------------Denial Of Service Investigation---------------------#

Denial Of Service(DOS):-
------------------------------------
A Denial of Service (DoS) is a type of attack on a service that disrupts its normal function and prevents other users from accessing it. The most common target for a DoS attack is an online service such as a website, though attacks can also be launched against networks, machines or even a single program.

Link:- https://www.youtube.com/watch?v=xdd505iOmDg&ab_channel=Cloudflare


Types of DoS & DDoS Attack:-
--------------------------------------------
DoS and DDoS attacks can be divided into three types.

1. Volume Based Attacks:-
------------------------------------
Includes UDP floods, ICMP floods, and other spoofed-packet floods. The attack's goal is to saturate the bandwidth of the attacked site, and magnitude is measured in bits per second (bps).

2. Protocol Attacks:-
----------------------------
Includes SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more. This type of attack consumes actual server resources, or those of intermediate communication equipment, such as firewalls and load balancers, and is measured in packets per second (pps).

3. Application Layer Attacks:-
----------------------------------------
Includes low-and-slow attacks, GET/POST floods, attacks that target Apache, Windows or OpenBSD vulnerabilities and more. Comprised of seemingly legitimate and innocent requests, the goal of these attacks is to crash the web server, and the magnitude is measured in requests per second (rps).



Propagation of Malicious Codes:-
------------------------------------------------
There are three most commonly used malicious code propagation methods.
1. Central Source Propagation(Publicity)
2. Back-Chaining Propagation(Publicity)
3. Autonomous Propagation


Central Source Propagation:-
------------------------------------------
It requires a central source where the attack toolkit is installed. When an attacker exploits the vulnerable machine, it opens a connection on the infected system listening for a file transfer.
The file transfer mechanism used for transferring the malicious code (toolkit) is normally HTTP, FTP or RPC.


Back-Chaining Propagation:-
-----------------------------------------
Back-Chaining Propagation requires the attack toolkit to be installed on the attacker's machine. When an attacker exploits the vulnerable machine, it opens a connection on the infected system listening for a file transfer. Then the toolkit is copied from the attacker. Once the toolkit is installed on the infected system, it searches for other vulnerable systems and the process continues.


Autonomous Propagation:-
------------------------------------------
In this process the attacker exploits the vulnerable system and sends the malicious code to it. The toolkit is installed and searches for other vulnerable systems. Unlike Central Source Propagation, it does not require any central source or planting the toolkit on the attacker's own system.



#------------------------------------------------------------------------------------------------#

SYN Flooding Attack using Metasploit:-
---------------------------------------------------------

Machines:-
1. Attacker Machine:- Kali
2. Victim Machine:- Windows 7

Tools:-
-----------
1. Nmap
2. Metasploit

Commands:-
--------------------
#nmap -p 21 192.168.1.132
#msfconsole
#use auxiliary/dos/tcp/synflood
#show options
#set RHOST
#set RPORT 21
#set SHOST
#set TIMEOUT 30000
#exploit

==>Open Victim Machine & Check/Observe the Utilities Performance Graph
==>Open wireshark and set TCP Packet Filter


SYN Flooding Attack using Hping3:-
----------------------------------------------------

Machines:-
1. Attacker Machine:- Kali
2. Victim Machine:- Windows 7

Tools:-
1. Hping3

Commands:-
--------------------
#hping3 --flood

==>Open Victim Machine & Check/Observe the Utilities Performance Graph
==>Open wireshark and set TCP Packet Filter


#------------------------------------------------------------------------------------------------#


Distributed Denial Of Service(DDOS):-
-------------------------------------------------------
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic.


Link:- https://www.youtube.com/watch?v=OhA9PAfkJ10
Link:- https://www.youtube.com/watch?v=yLbC7G71IyE


DoS vs. DDoS:-
-----------------------
The differences between regular and distributed denial of service assaults are substantive. In a DoS attack, a perpetrator uses a single Internet connection to either exploit a software vulnerability or flood a target with fake requests, usually in an attempt to exhaust server resources (e.g., RAM and CPU).
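After the SYN flood lab above, the investigator has a Wireshark capture filtered on TCP and has to decide from it whether the traffic is the single-connection DoS just described or a distributed (or spoofed-source) flood. The following Python is an added example, not code from the lecture: it works on a constructed list of (timestamp, src, dst, dport, flags) records that stand in for the rows of such a capture, counts per source the SYNs that were never followed by that source's handshake ACK (the half-open connections that exhaust the victim's backlog), and classifies the result. The threshold values and the victim address reuse are assumptions chosen for the toy data.

```python
"""Classify half-open (SYN-only) connection activity from a capture summary (constructed data)."""
from collections import defaultdict
from typing import Dict, List, Tuple

# One record stands in for one row of a TCP capture: (timestamp_s, src, dst, dport, flags),
# where flags is "S" for a pure SYN, "A" for the client's handshake ACK, "SA" for SYN-ACK.
Record = Tuple[float, str, str, int, str]


def half_open_by_source(records: List[Record]) -> Dict[str, int]:
    """Per source IP, count SYNs to a given dst:port that were never followed by an ACK."""
    syns, acks = defaultdict(int), defaultdict(int)
    for _ts, src, dst, dport, flags in records:
        key = (src, dst, dport)
        if flags == "S":
            syns[key] += 1
        elif flags == "A":
            acks[key] += 1
    hanging: Dict[str, int] = defaultdict(int)
    for key, n in syns.items():
        unanswered = n - min(n, acks.get(key, 0))   # SYNs with no completing ACK from this source
        if unanswered:
            hanging[key[0]] += unanswered
    return dict(hanging)


def analyze_syns(records: List[Record], syn_threshold: int = 50, dominance: float = 0.8) -> dict:
    """Summarise the capture and give a verdict.

    syn_threshold: half-open SYNs in the capture below which we call it normal (assumed value).
    dominance:     share of half-open SYNs one source must own to call it single-source (assumed).
    """
    hanging = half_open_by_source(records)
    total = sum(hanging.values())
    if total == 0:
        return {"verdict": "normal", "half_open_total": 0, "sources": 0,
                "top_source": None, "top_share": 0.0}
    top_source, top_n = max(hanging.items(), key=lambda kv: kv[1])
    share = top_n / total
    if total < syn_threshold:
        verdict = "normal"
    elif share >= dominance:
        verdict = "single-source SYN flood (DoS)"       # one connection, like the lab above
    else:
        verdict = "distributed or spoofed-source SYN flood (DDoS-like)"
    return {"verdict": verdict, "half_open_total": total, "sources": len(hanging),
            "top_source": top_source, "top_share": round(share, 3)}


# --- constructed captures (documentation IP ranges; the victim mirrors the lab's 192.168.1.132) ---
VICTIM, PORT = "192.168.1.132", 21


def capture_normal() -> List[Record]:
    """Three LAN clients each complete the handshake; one client retransmits a SYN once."""
    recs: List[Record] = []
    for i, client in enumerate(("192.168.1.20", "192.168.1.21", "192.168.1.22")):
        recs += [(i * 1.0, client, VICTIM, PORT, "S"), (i * 1.0 + 0.01, client, VICTIM, PORT, "A")]
    recs.append((5.0, "192.168.1.20", VICTIM, PORT, "S"))   # one stray retransmitted SYN
    return recs


def capture_single_source() -> List[Record]:
    """One Internet host sends 200 SYNs in 20 s and never ACKs; one legitimate client completes."""
    recs = [(0.1 * i, "203.0.113.9", VICTIM, PORT, "S") for i in range(200)]
    recs += [(1.0, "192.168.1.20", VICTIM, PORT, "S"), (1.01, "192.168.1.20", VICTIM, PORT, "A")]
    return recs


def capture_spoofed() -> List[Record]:
    """200 SYNs from 200 different sources, none completing: what random-source flooding looks like."""
    return [(0.05 * i, f"198.51.100.{i % 250 + 1}", VICTIM, PORT, "S") for i in range(200)]


if __name__ == "__main__":
    for name, cap in (("normal", capture_normal()), ("single-source", capture_single_source()),
                      ("spoofed", capture_spoofed())):
        print(name, analyze_syns(cap))
```

The same three-way-handshake logic the lecture describes is what the detector keys on: a legitimate client's SYN is followed by its own ACK, so its count cancels out, while flood SYNs never are. In a real capture the `records` list would be produced by exporting the TCP rows from Wireshark (or by a packet library) rather than constructed inline, and the thresholds would be tuned to the baseline of the network being investigated.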

On the other hand, distributed denial of service (DDoS) attacks are launched from multiple connected devices that are distributed across the Internet. These multi-person, multi-device barrages are generally harder to deflect, mostly due to the sheer volume of devices involved. Unlike single-source DoS assaults, DDoS attacks tend to target the network infrastructure in an attempt to saturate it with huge volumes of traffic.


Common DDoS attacks types:-
----------------------------------------------
1. UDP Flood:-
-------------------
A UDP flood, by definition, is any DDoS attack that floods a target with User Datagram Protocol (UDP) packets. The goal of the attack is to flood random ports on a remote host. This causes the host to repeatedly check for the application listening at that port, and (when no application is found) reply with an ICMP "Destination Unreachable" packet. This process saps host resources, which can ultimately lead to inaccessibility.

2. ICMP (Ping) Flood:-
------------------------------
Similar in principle to the UDP flood attack, an ICMP flood overwhelms the target resource with ICMP Echo Request (ping) packets, generally sending packets as fast as possible without waiting for replies. This type of attack can consume both outgoing and incoming bandwidth, since the victim's servers will often attempt to respond with ICMP Echo Reply packets, resulting in a significant overall system slowdown.

3. SYN Flood:-
-------------------
A SYN flood DDoS attack exploits a known weakness in the TCP connection sequence (the "three-way handshake"), wherein a SYN request to initiate a TCP connection with a host must be answered by a SYN-ACK response from that host, and then confirmed by an ACK response from the requester. In a SYN flood scenario, the requester sends multiple SYN requests, but either does not respond to the host's SYN-ACK response, or sends the SYN requests from a spoofed IP address. Either way, the host system continues to wait for acknowledgement for each of the requests, binding resources until no new connections can be made, and ultimately resulting in denial of service.

4. Ping of Death:-
-----------------------
A ping of death ("POD") attack involves the attacker sending multiple malformed or malicious pings to a computer. The maximum length of an IP packet (including header) is 65,535 bytes. However, the Data Link Layer usually limits the maximum frame size, for example to 1500 bytes over an Ethernet network. In this case, a large IP packet is split across multiple IP packets (known as fragments), and the recipient host reassembles the IP fragments into the complete packet. In a Ping of Death scenario, following malicious manipulation of fragment content, the recipient ends up with an IP packet which is larger than 65,535 bytes when reassembled. This can overflow memory buffers allocated for the packet, causing denial of service for legitimate packets.



A Ping of Death attack is a denial-of-service (DoS) attack in which the attacker aims to disrupt a targeted machine by sending a packet larger than the maximum allowable size, causing the target machine to freeze or crash. The original Ping of Death attack is less common today. A related attack known as an ICMP flood attack is more prevalent.


How does a Ping of Death work:-
--------------------------------------------------
An Internet Control Message Protocol (ICMP) echo-reply message or "ping" is a network utility used to test a network connection, and it works much like sonar: a "pulse" is sent out and the "echo" from that pulse tells the operator information about the environment. If the connection is working, the source machine receives a reply from the targeted machine.

While some ping packets are very small, IPv4 ping packets are much larger, and can be as large as the maximum allowable packet size of 65,535 bytes. Some TCP/IP systems were never designed to handle packets larger than the maximum, making them vulnerable to packets above that size.

When a maliciously large packet is transmitted from the attacker to the target, the packet becomes fragmented into segments, each of which is below the maximum size limit. When the target machine attempts to put the pieces back together, the total exceeds the size limit and a buffer overflow can occur, causing the target machine to freeze, crash or reboot.

Note:- Attacker sends malicious packets larger than 110,000 bytes to the victim.
Normal packet size 65538 bytes

5. Slowloris:-
-------------------
Slowloris is a highly-targeted attack, enabling one web server to take down another server, without affecting other services or ports on the target network. Slowloris does this by holding as many connections to the target web server open for as long as possible. It accomplishes this by creating connections to the target server, but sending only a partial request. Slowloris constantly sends more HTTP headers, but never completes a request. The targeted server keeps each of these false connections open. This eventually overflows the maximum concurrent connection pool, and leads to denial of additional connections from legitimate clients.

6. NTP Amplification:-
------------------------------
In NTP amplification attacks, the perpetrator exploits publicly-accessible Network Time Protocol (NTP) servers to overwhelm a targeted server with UDP traffic. The attack is defined as an amplification assault because the query-to-response ratio in such scenarios is anywhere between 1:20 and 1:200 or more. This means that any attacker that obtains a list of open NTP servers (e.g., by using a tool like Metasploit or data from the Open NTP Project) can easily generate a devastating high-bandwidth, high-volume DDoS attack.

7. HTTP Flood:-
--------------------
In an HTTP flood DDoS attack, the attacker exploits seemingly-legitimate HTTP GET or POST requests to attack a web server or application. HTTP floods do not use malformed packets, spoofing or reflection techniques, and require less bandwidth than other attacks to bring down the targeted site or server. The attack is most effective when it forces the server or application to allocate the maximum resources possible in response to every single request.


DDOS Ping of Death Attack using Hping3:-
--------------------------------------------------------------

HPING 3:-
-----------------
It is a network tool which is used for crafting packets, testing firewalls, digital footprinting and much more.

#hping3 192.168.195.183 -c 10000000000 -d 999999999 --rand-source --flood -p 3306

Check the site status after DDOS:- https://isitdown.us/
https://www.isitdownrightnow.com/

#------------------------------------------------------------------------------------------------#


Defending Against a DoS Attack:-
--------------------------------------------------
The threat of being targeted by DoS attacks has led many major online services to implement various strategies for handling overwhelming floods of data or traffic.

Some of the anti-DoS techniques:-
---------------------------------------------------
1. Traffic analysis and filtering
2. Sinkholing
3. IP-based Prevention

Traffic analysis and filtering:-
------------------------------------------
Traffic analysis is the process of monitoring network protocols and the data that streams through them within a network.

Sinkholing:-
------------------
Sinkholing is the redirection of traffic from its original destination to one specified by the sinkhole owners. The altered destination is known as the sinkhole. (The name is a reference to a physical sinkhole, into which items apparently disappear.) Sinkholes can be used for good or ill intent.

Link:- https://www.youtube.com/watch?v=mf6OMPNfLN8
Link:- https://www.youtube.com/watch?v=yPNKQZar-Fw&ab_channel=HackerSploit

IP-based Prevention:-
--------------------------------
An intrusion prevention system (IPS) is a form of network security that works to detect and prevent identified threats. Intrusion prevention systems continuously monitor your network, looking for possible malicious incidents and capturing information about them.
--------------------------------------------------------------------------------
/Lecture-3 Computer Forensics - Investigation Technique.txt:
--------------------------------------------------------------------------------


#-----------------------------------------------------Cyber Forensics Investigation Technique---------------------------------------------------#
-----------------------------------------------------------------------------------


#--------------------Forensics Readiness-------------------#

Forensic readiness is defined as: "The achievement of an appropriate level of capability by an organization in order for it to be able to collect, preserve, protect and analyse digital evidence so that this evidence can be effectively used in any legal matters, in disciplinary matters, in a court of law."
10 | Forensic readiness refers to an organization’s ability to make optimal use of digital evidence in a limited period of time and with minimal investigation costs. 11 | 12 | Benefits:- 13 | -------------- 14 | 1. Fast and efficient investigation with minimal break-down to the business 15 | 2. Provides security from cybercrimes such as intellectual property theft, fraud, or extortion 16 | 3. Offers structured storage of evidence that reduces expense and time of an investigation 17 | 4. Improves law enforcement interface 18 | 5. Easy identification of evidence related to the potential crimes 19 | 6. Proper usage of evidence for positive outcome of any legal charge 20 | 7. Helps the organization use the digital evidence in its own defense 21 | 8. Blocks the attackers from covering their tracks 22 | 9. Limits the cost of regulatory or legal requirements for disclosure of data 23 | 10. Avoid similar attacks in the future 24 | 25 | 26 | Forensics Readiness Planning:- 27 | ------------------------------------------- 28 | Forensics readiness planning refers to a set of processes required to achieve and maintain forensics readiness. 

==>Identify the potential evidence required for an incident
==>Determine the source of the evidence
==>Define a policy for a pathway to legally extract electronic evidence with minimal disruption
==>Define a policy for securely handling and storing the collected evidence
==>Identify whether the incident requires a full or formal investigation
==>Train the staff to handle the incident and preserve the evidence
==>Create a special process for documenting the procedure
==>Establish a legal advisory board to guide the investigation process


Importance of Computer Forensics Process:-
--------------------------------------------------------------
The rapid increase in cyber crimes has led to the development of various laws and standards that define cyber crimes, digital evidence, search and seizure methodology, evidence recovery, and the investigation process.

Investigators must follow a forensics investigation process that complies with local laws and established precedents. Any deviation from the standard process may endanger the complete investigation.

As digital evidence is fragile in nature, a proper and thorough forensic investigation process that ensures the integrity of the evidence is critical to proving a case in a court of law.

Investigators must follow a repeatable and well-documented set of steps such that every iteration of analysis provides the same findings; otherwise the findings of the investigation can be invalidated during cross-examination in a court of law.


Phases Of Computer Forensics Investigation:-
-----------------------------------------------------------------
1. Pre-Investigation Phase
2. Investigation Phase
3. Post-Investigation Phase

Pre-Investigation Phase:-
-------------------------------------
1. Deals with the tasks to be performed prior to the commencement of the actual investigation
2. Involves setting up a computer forensics lab, building a forensics workstation, developing an investigation toolkit, setting up an investigation team, getting approval from the relevant authority, etc.

Investigation Phase:-
------------------------------
1. Considered the main phase of the computer forensics investigation process
2. Involves acquisition, preservation, and analysis of evidentiary data to identify the source of the crime and the culprit behind it

Post-Investigation Phase:-
-------------------------------------
1. Deals with the documentation of all the actions undertaken and findings made during the course of an investigation
2. Ensures that the report is well explained to the target audience and provides adequate and acceptable evidence


#--------------------------------------------------------------------------####-----------------------------------------------------------------------------#


Setting Up a Computer Forensics Lab:-
-------------------------------------------------------
1. A Computer Forensics Lab (CFL) is a location designated for conducting computer-based investigation with regard to the collected evidence

2. The lab houses the instruments, software and hardware tools, suspect media, and forensic workstations required to conduct the investigation

Steps to set up a forensics lab:-
---------------------------------------------------
1. Planning & budgeting
2. Physical location & structural design considerations
3. Work area considerations
4. Physical security recommendations
5. Human resource considerations
6. Forensics lab licensing

Planning & Budgeting:-
---------------------------------
1. Types of investigation to be conducted, based on the crime statistics of the previous year and the expected trend
2. Number of cases expected
3. Number of investigators/examiners to be involved and their required training
4. Forensic and non-forensic workstation requirements
5. Space occupied, equipment required, UPS & power supplies, etc.
6. Necessary software and hardware
7. Reference materials
8. Safe locker to store and secure original evidence
9. LAN and Internet connectivity
10. Storage shelves for unused equipment


Physical Location and Structural Design Considerations:-
--------------------------------------------------------------------------------
1. Physical location needs:-
==>Site of the lab
==>Access to emergency services
==>Physical milieu of the lab
==>Design of parking facility
2. Communication needs:-
==>Dedicated Internet and communication lines
==>Multiple backups for communication lines in case of emergencies
==>A dedicated network
3. Environmental needs:-
==>Appropriate room size
==>Good ventilation & air-conditioning
4. Electrical needs:-
==>Good electricity supply
==>Must have emergency power & lighting systems


Work Area Considerations:-
----------------------------------------
1. Work area of a Computer Forensics Lab:-
==>An ideal lab consists of two forensic workstations & one ordinary workstation with Internet connectivity
==>Forensics workstations vary according to the types of cases & processes handled in the lab
==>The work area should have ample space for case discussions to take place among investigators
2. Ambience of a Computer Forensics Lab:-
==>Investigators spend long hours in a forensics lab, so it is important to keep the lab environment comfortable
==>The height of ceilings, walls, flooring & so on contribute to the ambience of a forensics lab
==>Lighting, room temperature & communications are important factors when considering the ambience of a computer forensics lab



#--------------------------------------------------------------------------####-----------------------------------------------------------------------------#



#------------------------Computer Forensics as Part of Incident Response Plan---------------------#

Incident response is the process of responding to incidents that may have occurred due to a security breach in the system or network.

==>Minimizes the damage and reduces recovery time and costs
==>Incident response professionals identify how the breach occurred, locate the method of breach, and determine how to reduce the breach
==>Finding & analyzing the evidence to determine the culprit behind the incident by legal means
==>Organizations include forensics in their incident response plan so that the culprit responsible for the incident can be tracked and prosecuted




#--------------------------------Need for Forensic Investigator---------------------------#

Cyber Crime Investigation:-
----------------------------------------
A forensic investigator, by virtue of his or her skills and experience, helps organizations and law enforcement agencies investigate and prosecute the perpetrators of cyber crimes

Sound Evidence Handling:-
---------------------------------------
If a technically inexperienced person examines the computer involved in the crime, it will almost certainly result in rendering any evidence found inadmissible in a court of law

Incident Handling & Response:-
--------------------------------------------
Forensic investigators help organizations to maintain forensics readiness and to implement an effective incident handling and response team.



#-----------------------Roles and Responsibilities of Forensics Investigator----------------------#

A forensic investigator performs the following tasks:-
---------------------------------------------------------------------------

1. Determines the damage caused during the crime
2. Recovers data of investigative value from computers
3. Gathers evidence in a forensically sound manner
4. Ensures that evidence is not damaged in any way
5. Creates an image of the original evidence without tampering with it, to maintain the original evidence's integrity
6. Submits the evidence, describing the procedure involved in its discovery
7. Reconstructs damaged disks or other storage devices, and uncovers hidden information from the computer
8. Analyzes the evidence and finds out the relevant data
9. Prepares a proper analysis report
10. Updates the organization about various attack methods and data recovery techniques, and maintains a record of them regularly
11. Addresses the issue in a court of law and attempts to win the case as a testifying witness in court


What makes a Good Computer Forensics Investigator?
----------------------------------------------------------------------------

==>Good interviewing skills for gathering as much information as possible about the case from the client or victim, witnesses, and suspects
==>Researching skills to understand the background activities of the client or victim, witnesses, and suspects
==>Maintains perfect accuracy of the tests performed & their records
==>Patience and willingness to work long hours
==>Excellent writing skills to detail findings in the report
==>Strong analytical skills to find the evidence and link it to the suspect
==>Excellent communication skills to explain the findings
==>Keeps up to date with new methodologies and forensic technology
==>Well versed in more than one computer platform (including Windows, Macintosh, and Linux)
==>Knowledge of various technologies, including hardware & software
==>Develops and maintains contact with computing, networking, and investigating professionals
==>Honest, ethical, and law-abiding
==>Knowledge of the laws surrounding the case
==>Ability to control emotions when dealing with issues that provoke anger
==>Multi-discipline expertise related to both criminal and civil cases



#------------------------Computer Forensics Issues-----------------------#

Legal Issues:-
-----------------------
1. Digital evidence is fragile in nature, which makes it susceptible to changes during the course of the investigation process, rendering it liable to rejection in a court of law

2. Legal systems differ from one jurisdiction to another, which makes the task of an investigator difficult, as different legal systems have different rules for acquiring, preserving, investigating & presenting digital evidence in court

3. Every legal system has a slightly different approach towards the issues related to authenticity, reliability, and completeness

4. The approach to investigation differs and evolves with changes in technology, & the legal systems might not address these technological advances

Privacy Issues:-
------------------------
1. When retrieving evidence from a particular electronic device, investigators must be cautious to avoid charges of unlawful search & seizure, i.e., they need to be in compliance with the Fourth Amendment of the U.S. Constitution

2. The Fourth Amendment states that government agents may not search or seize areas or things in which a person has a reasonable expectation of privacy without a search warrant

Note: Private intrusions not acting under the color of governmental authority are exempted from the Fourth Amendment

3. When dealing with evidence related to Internet usage, investigators must protect other users' anonymity while determining the identity of the few involved in illegal activities


#---------------------------Code of Ethics---------------------------#

A code of ethics is the set of principles stated to describe the expected behavior of an investigator while handling a case.

A computer forensic investigator should:-
---------------------------------------------------------
1. Perform investigations based on well-known standard procedures
2. Perform assigned tasks with high commitment and diligence
3. Act with ethical and moral principles
4. Examine the evidence carefully within the scope of the agreement
5. Ensure the integrity of the evidence throughout the investigation process
6. Act in accordance with federal statutes, state statutes, and local laws and policies
7. Testify honestly before any board, court or trial proceedings


A computer forensic investigator should not:-
--------------------------------------------------------------
1. Refuse any evidence because it may cause failure in the case
2. Expose confidential matters without authorized permission
3. Take on assignments beyond his/her skills
4. Perform actions that significantly lead to a conflict of interest
5. Misrepresent training, credentials, or association memberships
6. Provide personal or prejudiced opinions
7. Withhold any evidence relevant to the case
--------------------------------------------------------------------------------
/Lecture-2 Computer Forensics - Investigation Methods.txt:
--------------------------------------------------------------------------------

#-------------------------------------------------------Cyber Forensics - Methods-----------------------------------------------------------#


Challenges Cyber Crime Presents to Investigators:-
----------------------------------------------------------------------
1. Speed:-
   Advances in technology have boosted the speed with which cyber crimes are committed, whereas investigators require authorization and warrants before starting legal procedures

2. Anonymity:-
   Cyber criminals can easily hide their identity by pretending to be some other entity or by hiding their IP addresses using proxies

3. Volatile nature of evidence:-
   Most digital evidence can be easily lost, as it is in the form of volatile data such as logs, records, light pulses, radio signals or other means

4. Evidence size and complexity:-
   The diversity and distributed nature of digital devices result in an increased size of evidence data and greater complexity

5. Anti-Digital Forensics (ADF):-
   Attackers are increasingly using encryption and data hiding techniques to hide digital evidence

6. Global origin and difference in laws:-
   The perpetrators can initiate the crime from any part of the world, whereas the authorities have jurisdiction over domestic crimes only

7. Limited legal understanding:-
   Many victims are unaware of the law violated during the incident and fail to defend their claim


Cyber Crime Investigation:-
----------------------------------------
1. The investigation of any crime involves the painstaking collection of clues and forensic evidence with attention to detail.
2. It is mandatory that at least one electronic device be found during the investigation, be it a computer, cell phone, printer, or fax machine.
3. The electronic device found may be central to the investigation, as it could contain valuable evidence for solving the case.
4. Therefore, the information contained in the device must be investigated in the proper manner in order to be relied upon in a court of law.
5. Processes such as collection of data, analysis, and presentation differ based on the type of case.


Types of cyber crime investigation cases:-
-----------------------------------------------------------
==>> Civil
==>> Criminal
==>> Administrative


Civil Vs. Criminal Investigation:-
---------------------------------------------
Civil cases are brought for violation of contracts and lawsuits where a guilty outcome generally results in economic damages to the prosecutor, whereas criminal cases are generally brought by law enforcement agencies in response to a suspected violation of law where a guilty outcome may result in economic damages, imprisonment, or both.

Criminal Investigation:-
-----------------------------------
1. Investigators must follow a set of standard forensic processes accepted by law in the respective jurisdiction.
2. Investigators, under a court's warrant, have the authority to forcibly seize the computing devices.
3. A formal investigation report is required.
4. The law enforcement agencies are responsible for collecting and analyzing evidence.
5. Punishments are harsh and include a fine, a jail sentence, or both.
6. The standard of proof needs to be very high.
7. Difficult to capture certain evidence, e.g., GPS device evidence.

Civil Investigation:-
------------------------------
1. Investigators try to show some information to the opposite party to support the claims and induce them to settle.
2. Searching of the devices is generally based on mutual understanding and provides a wider time window for the opposite party to hide the evidence.
3. The initial reporting of the evidence is generally informal.
4. The claimant is responsible for the collection and analysis of the evidence.
5. Punishments include monetary compensation.
6. Poorly documented or unknown chain of custody for evidence.
7. Sometimes, evidence can be within a third party's control.

Administrative Investigation:-
-------------------------------------------
1. An administrative investigation generally involves an agency or government performing inquiries to identify facts with reference to its own management and performance.
2. Administrative investigations are non-criminal in nature and are related to misconduct or activities of an employee that include but are not limited to:-
==> Violation of the organization's policies, rules, or protocols
==> Resource misuse, damage, or theft
==> Threatening or violent behavior
==> Improper promotion or pay rises

3. Any violation may result in disciplinary action such as demotion, suspension, revocation, penalties, or dismissal.
4. For situations like promotions, increments, transfers, etc., administrative investigations can result in positive outcomes, like modifications to existing policies, rules, or protocols.


#---------------------Rules Of Forensics Investigation---------------#

1. Limit access to and examination of the original evidence
2. Record changes made to the evidence files
3. Create a chain of custody document
4. Set standards for investigating the evidence
5. Comply with the standards
6. Hire professionals for analysis of the evidence
7. Evidence should be strictly related to the incident
8. The evidence should comply with the jurisdiction's standards
9. Document the procedures applied to the evidence
10. Securely store the evidence
11. Use recognized tools for analysis


Enterprise Theory Of Investigation:-
----------------------------------------------------

The Enterprise Theory of Investigation (ETI) has become the standard investigative model used by the FBI when conducting investigations against major criminal organizations.

ETI completed a process known as the Theory of Change, commonly undertaken by organisations with social goals. This process helps to identify all the building blocks required to bring about a given long-term goal and describes the types of interventions that bring about the desired outcomes.



#---------------------Digital Evidence---------------#

Digital Evidence:-
----------------------------
Digital evidence is "any information of probative value that is either stored or transmitted in a digital form".

Understanding Digital Evidence:-
------------------------------------------------------------------
1. Digital evidence is information stored or transmitted in binary form that may be relied on in court. It can be found on a computer hard drive or a mobile phone, among other places. Digital evidence is commonly associated with electronic crime, or e-crime, such as child pornography or credit card fraud.

2. According to Locard's Exchange Principle, "anyone or anything entering a crime scene takes something of the scene with them, and leaves something of themselves behind when they leave"

3. Digital evidence is circumstantial and fragile in nature, which makes it difficult for a forensic investigator to trace criminal activities

4. Digital information can be gathered while examining digital storage media, monitoring network traffic, or making duplicate copies of digital data found during a forensics investigation


Types Of Digital Evidence:-
---------------------------------------
1. Volatile Data:-
   Data that is lost as soon as the device is powered off.
   Examples include system time, logged-on user(s), open files, network information, process information, process-to-port mapping, process memory, clipboard contents, service/driver information, command history, etc.
2. Non-Volatile Data:-
   Persistent data that is stored on secondary storage devices such as hard disks and memory cards.
   Examples include hidden files, slack space, swap file, index.dat files, unallocated clusters, unused partitions, hidden partitions, registry settings, event logs, etc.


Characteristics Of Digital Evidence:-
---------------------------------------------------
Digital evidence must have the following characteristics to be presented in a court of law.

1. Believable:- Evidence must be clear and understandable by the judges
2. Admissible:- Evidence must be related to the fact being proved
3. Reliable:- There must be no doubt about the authenticity or veracity of the evidence
4. Authentic:- Evidence must be real and related to the incident in a proper way
5. Complete:- The evidence must prove the attacker's actions or his innocence


Roles Of Digital Evidence:-
--------------------------------------
Examples of cases where digital evidence may assist the forensic investigator in the prosecution or defense of a suspect:-

1. Identity theft
2. Information leakage
3. Theft of commercial secrets
4. Unauthorized transmission of information
5. Malicious attacks on the computer systems themselves
6. Use/abuse of the Internet
7. Abuse of systems
8. Email communication between suspects/conspirators
9. Production of false documents and accounts
10. Unauthorized encryption/password protection of documents


#-----------------------Sources Of Potential Evidence-----------------#

User Created Files:-
-----------------------------
1. Address books
2. Database files
3. Media (images, graphics, audio, video, etc.) files
4. Documents (text, spreadsheet, presentation, etc.) files
5. Internet bookmarks, favorites, etc.

User Protected Files:-
------------------------------
1. Compressed files
2. Misnamed files
3. Encrypted files
4. Password-protected files
5. Hidden files
6. Steganography

Computer Created Files:-
------------------------------------
1. Backup files
2. Log files
3. Configuration files
4. Printer spool files
5. Cookies
6. Swap files
7. System files
8. History files
9. Temporary files


#-----------------More Sources Of Potential Evidence----------------#

Types of evidence that may be found at the scene:-
----------------------------------------------------------

1. Hard Drive:- Text, picture, video, multimedia, database, and computer program files

2. Thumb Drive:- Text, graphics, image, and picture files

3. Memory Card:- Event logs, chat logs, text files, image files, picture files, and Internet browsing history

4. Smart Card | Dongle | Biometric Scanner:- Evidence is found in recognizing or authenticating the information of the card and the user, level of access, configurations, permissions, and in the device itself

5. Answering Machine:- Voice recordings such as deleted messages, last number called, memos, phone numbers, and tapes

6. Digital Camera:- Images, removable cartridges, video, sound, time and date stamps, etc.

7. Handheld Devices:- Address book, appointment calendars or information, documents, email, handwriting, passwords, phone book, text messages, and voice messages

8. Modem:- Device itself

9. Local Area Network (LAN) Card / Network Interface Card (NIC):- MAC (Media Access Control) address

10. Routers, Hubs, and Switches:- For routers, evidence is found in the configuration files
    For hubs and switches, evidence is found on the devices themselves

11. Network Cables and Connectors:- Devices themselves

12. Server:- Computer system

13. Pager:- Contains volatile evidence such as address information, text messages, e-mail, voice messages, and phone numbers

14. Printer:- Evidence is found through usage logs, time and date information, network identity information, and ink cartridges

15. Removable Storage Device and Media:- Storage devices and media such as tape, CD, DVD, and Blu-ray hold the evidence in the media themselves

16. Scanner:- Evidence is found by looking at the marks on the glass of the scanner

17. Telephones:- Evidence is found through names, phone numbers, caller identification information, appointment information, electronic mail and pages, etc.

18. Copiers:- Documents, user usage logs, time and date stamps, etc.

19. Credit Card Skimmers:- Evidence is found through card expiration dates, user's address, credit card numbers, user's name, etc.

20. Digital Watches:- Evidence is found through address book, notes, appointment calendars, phone numbers, email, etc.

21. Facsimile (Fax) Machines:- Evidence is found through documents, phone numbers, film cartridges, and send or receive logs

22. Global Positioning Systems (GPS):- Evidence is found through previous destinations, waypoints, routes, travel logs, etc.


#-----------------------Rules Of Evidence-------------------#

==>Evidence that is to be presented in court must conform to the established rules of evidence.
==>In the investigation process, it is important that the investigator understands the rules of evidence.
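The Rules of Forensics Investigation earlier in this lecture (limit access to the original, record changes, create a chain of custody document) and the rules of evidence that follow both rest on being able to show that a working copy is identical to the original. As an added example that is not part of the lecture notes, the Python below records acquisition hashes of a constructed sample image, appends chain-of-custody entries, and detects a single flipped bit in a copy; the case and exhibit identifiers are constructed placeholders.

```python
"""Evidence integrity record with a chain-of-custody log (added example).

Constructed sample data only; every hash value is computed at run time.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


def digest(data: bytes) -> dict:
    """Return MD5 and SHA-256 of the data. Recording two algorithms is
    common practice on imaging worksheets, so a mismatch in either one
    is enough to flag an altered copy."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


@dataclass
class CustodyEntry:
    timestamp: str      # UTC, ISO 8601
    custodian: str      # who held or handled the item
    action: str         # acquired / transferred / verified / INTEGRITY FAILURE
    sha256: str         # hash of the object handled at that moment
    notes: str = ""


class EvidenceItem:
    """One exhibit: the acquisition hashes are fixed at seizure time and
    every later action is appended to the log, never edited in place."""

    def __init__(self, case_id: str, item_id: str, description: str,
                 original: bytes, custodian: str):
        self.case_id = case_id
        self.item_id = item_id
        self.description = description
        self.acquired = digest(original)          # reference hashes
        self.log: list[CustodyEntry] = []
        self._append(custodian, "acquired", self.acquired["sha256"],
                     "original sealed; all analysis on verified copies")

    def _append(self, custodian, action, sha256, notes=""):
        self.log.append(CustodyEntry(
            datetime.now(timezone.utc).isoformat(timespec="seconds"),
            custodian, action, sha256, notes))

    def transfer(self, from_custodian: str, to_custodian: str, notes: str = ""):
        """Record a hand-over; the receiving party is the new custodian."""
        self._append(to_custodian, "transferred", self.acquired["sha256"],
                     f"received from {from_custodian}. {notes}".strip())

    def verify_copy(self, copy: bytes, custodian: str) -> bool:
        """Compare a working copy against the acquisition hashes and log
        the result either way, so a failed check is itself on record."""
        now = digest(copy)
        ok = now == self.acquired
        self._append(custodian,
                     "verified" if ok else "INTEGRITY FAILURE",
                     now["sha256"],
                     "copy matches acquisition hashes" if ok
                     else "copy differs from acquisition hashes; quarantine copy")
        return ok

    def report(self) -> str:
        """JSON suitable for attaching to the investigation report."""
        return json.dumps({
            "case_id": self.case_id,
            "item_id": self.item_id,
            "description": self.description,
            "acquisition_hashes": self.acquired,
            "chain_of_custody": [asdict(e) for e in self.log],
        }, indent=2)


def demo() -> dict:
    """Walk one exhibit through acquisition, hand-over and two checks on
    constructed data; returns the outcomes so they can be asserted on."""
    image = b"CONSTRUCTED-SAMPLE-IMAGE: " + bytes(range(256)) * 4
    item = EvidenceItem("CASE-0001", "EXH-01", "USB stick, constructed test image",
                        image, "examiner A")
    item.transfer("examiner A", "examiner B", "sealed bag #12 (constructed)")

    good_copy = bytes(image)                   # faithful duplicate
    bad_copy = bytearray(image)
    bad_copy[100] ^= 0x01                      # a single flipped bit
    return {
        "good_copy_ok": item.verify_copy(good_copy, "examiner B"),
        "bad_copy_ok": item.verify_copy(bytes(bad_copy), "examiner B"),
        "log_actions": [e.action for e in item.log],
        "report": item.report(),
    }


if __name__ == "__main__":
    print(demo()["report"])
```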

Definition:-
---------------
==>Rules of evidence govern whether, when, how, and for what purpose the proof of a case may be placed before a trier of fact for consideration
==>The trier of fact may be a judge or a jury, depending on the purpose of the trial and the choices of the parties


Best Evidence Rule:-
-------------------------------
==>The best evidence rule is established to prevent any alteration of digital evidence, either intentionally or unintentionally
==>It states that the court only allows the original evidence of a document, photograph or recording at trial rather than a copy, but a duplicate will be allowed as evidence under the following conditions:-
1. Original evidence destroyed due to fire/flood
2. Original evidence destroyed in the normal course of business
3. Original evidence in the possession of a third party


Evidence:-
----------------
In legal terms, evidence covers the burden of proof, admissibility, relevance, weight and sufficiency of what should be admitted into the record of a legal proceeding. Evidence, crucial in both civil and criminal proceedings, may include blood or hair samples, video surveillance recordings, or witness testimony.

There are four general types of evidence:-
1. Real evidence (tangible things, such as a weapon)
2. Demonstrative (a model of what likely happened at a given time and place)
3. Documentary (a letter, blog post, or other document)
4. Testimonial (witness testimony)


Federal Rules of Evidence:-
---------------------------------------
The Federal Rules of Evidence are a set of rules that govern the introduction of evidence at civil and criminal trials in United States federal trial courts. The current rules were initially passed by Congress in 1975, after several years of drafting by the Supreme Court. The rules are straightforward and relatively short compared to other sets of court rules, such as the Federal Rules of Civil Procedure.

These rules shall be construed to secure fairness in administration, elimination of unjustifiable expense & delay, and promotion of growth & development of the law of evidence.


Rulings On Evidence:-
--------------------------------
1. Effect of erroneous ruling:- Error may not be predicated upon a ruling which excludes evidence unless a substantial right of the party is affected
2. Record of offer and ruling:- The court may add any other or further statement which shows the character of the evidence, the form in which it was offered, the objection made, and the ruling thereon. It may direct the making of an offer in question and answer form
3. Hearing of jury:- Proceedings shall be conducted, to the extent practicable, so as to prevent inadmissible evidence from being suggested to the jury by any means, such as making statements or offers of proof or asking questions in the hearing of the jury
4. Plain error:- Nothing in this rule precludes taking notice of plain errors affecting substantial rights although they were not brought to the attention of the court


--------------------------------------------------------------------------------