What is Digital Forensics?
Digital Forensics is defined as the process of preservation, identification,
extraction, and documentation of computer evidence that can be used in a
court of law. It is the science of finding evidence on digital media such as a
computer, mobile phone, server, or network. It provides the forensic team with
the best techniques and tools to solve complicated digital cases.
Digital Forensics helps the forensic team to analyze, inspect, identify, and
preserve the digital evidence residing on various types of electronic devices.
Objectives of computer forensics
Here are the essential objectives of using Computer forensics:
It helps to recover, analyze, and preserve computer and related
materials in such a manner that it helps the investigation agency to
present them as evidence in a court of law.
It helps to postulate the motive behind the crime and identity of the
main culprit.
Designing procedures at a suspected crime scene which helps you to
ensure that the digital evidence obtained is not corrupted.
Data acquisition and duplication: Recovering deleted files and deleted
partitions from digital media to extract the evidence and validate them.
Helps you to identify the evidence quickly, and also allows you to
estimate the potential impact of the malicious activity on the victim.
Producing a computer forensic report which offers a complete report on
the investigation process.
Preserving the evidence by following the chain of custody.
Types of Digital Forensics
The main types of digital forensics are:
Disk Forensics:
It deals with extracting data from storage media by searching active, modified,
or deleted files.
Network Forensics:
It is a sub-branch of digital forensics. It is related to monitoring and analysis of
computer network traffic to collect important information and legal evidence.
Wireless Forensics:
It is a division of network forensics. The main aim of wireless forensics is to
offer the tools needed to collect and analyze data from wireless network
traffic.
Database Forensics:
It is a branch of digital forensics relating to the study and examination of
databases and their related metadata.
Malware Forensics:
This branch deals with the identification of malicious code, to study their
payload, viruses, worms, etc.
Email Forensics:
Deals with recovery and analysis of emails, including deleted emails,
calendars, and contacts.
Process of Digital forensics
Digital forensics entails the following steps:
Identification
Preservation
Analysis
Documentation
Presentation
History of Digital forensics
Here, are important landmarks from the history of Digital Forensics:
Hans Gross (1847 -1915): First use of scientific study to head criminal
investigations
FBI (1932): Set up a lab to offer forensics services to all field agents and
other law authorities across the USA.
In 1978 the first computer crime was recognized in the Florida Computer
Crime Act.
Francis Galton (1822 – 1911): Conducted the first recorded study of
fingerprints
In 1992, the term Computer Forensics was used in academic literature.
In 1995, the International Organization on Computer Evidence (IOCE) was
formed.
In 2000, the first FBI Regional Computer Forensic Laboratory was
established.
In 2002, the Scientific Working Group on Digital Evidence (SWGDE)
published the first book about digital forensics, called “Best practices for
Computer Forensics”.
In 2010, Simson Garfinkel identified issues facing digital investigations.
FORENSIC HARDWARE AND SOFTWARE
Hardware:- Hardware tools are designed primarily for storage device
investigations, and they aim to keep suspect devices unaltered to preserve the
integrity of evidence. A forensic disk controller or hardware write blocker is a
read-only device that allows the user to read the data on a suspect device without
the risk of modifying or erasing its content. Similarly, a disk write-protector
prevents the content of a storage device from being modified or erased. A hard-
drive duplicator is an imaging device that copies all files on a suspect hard drive
onto a clean drive; it can also duplicate data on flash drives or Secure Digital
(SD) cards. A password recovery device employs algorithms, such as brute-
force or dictionary attacks, to attempt to crack password-protected storage
devices.
SOFTWARE:- Most forensic software applications are multipurpose
and can perform various tasks in one application. Some applications are open
source, which allows experienced programmers to modify the code to meet their
specific needs and provides cost savings for law enforcement. Some can process
multiple devices simultaneously or handle different operating systems (e.g.,
Windows and Linux). The capabilities of these applications can be categorized
by the branches of digital forensics employed. Computer forensics software
complements the hardware tools available to law enforcement. While
hardware tools such as write-blockers primarily focus on preserving the
evidence on a target device, software applications can acquire and analyze the
digital evidence collected from the suspect device. Suspects often hide or delete
their files or partition the hard drives of their computers so that evidence is
difficult to discover; however, forensic software applications can assist
investigators in recovering this evidence. The Windows Registry records when,
where, and how a file is created, renamed, viewed, moved, or deleted, and some
applications can perform registry analysis to collect and analyze these traces. In
short, certain user activities can be recovered and investigated with digital
forensics software.
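As an added example (not part of these notes, and not the software of any vendor), the following Python script performs the check that a hardware duplicator's verify pass provides after imaging: it hashes the source device and the acquired image in fixed-size chunks, confirms every digest matches, and emits a chain-of-custody record. The "device" contents, the examiner name and the evidence id are constructed placeholders. It also shows that a copy differing in a single low-order bit yields a different hash, which is why a verified image can be trusted as bit-for-bit evidence.

```python
"""Verify that a forensic image matches its source, and log the result.

Added example (not from the original notes). It mirrors what a hardware
duplicator's verify pass does: hash source and copy in chunks and record
both digests for the chain of custody. The sample "device" is a constructed
in-memory byte string, and the examiner / evidence ids are placeholders.
"""
import hashlib
import io
import json
import time

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time so large images fit in memory


def hash_stream(stream, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the whole stream, read in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Convenience wrapper for in-memory data (used by the sample below)."""
    return hash_stream(io.BytesIO(data))


def verify_image(source_stream, image_stream):
    """Compare digests of source and image; True only if every digest matches."""
    source_digests = hash_stream(source_stream)
    image_digests = hash_stream(image_stream)
    return source_digests == image_digests, source_digests, image_digests


def custody_record(examiner, evidence_id, matched, digests):
    """Build a chain-of-custody entry as a JSON string (field names are illustrative)."""
    entry = {
        "evidence_id": evidence_id,
        "examiner": examiner,
        "verified_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "verified": matched,
        "digests": digests,
    }
    return json.dumps(entry, sort_keys=True)


# Constructed sample data: a 3 MiB "drive" and a bit-for-bit copy of it.
SAMPLE_DEVICE = bytes(range(256)) * (3 * 4096)
SAMPLE_IMAGE = bytes(SAMPLE_DEVICE)

# A copy in which one low-order bit differs (what an unprotected write, or a
# payload hidden in the least significant bits, would do). Same size, same
# appearance to a casual look, different hash.
_altered = bytearray(SAMPLE_DEVICE)
_altered[100] ^= 0x01
ALTERED_IMAGE = bytes(_altered)


def demo():
    """Return (good copy verified?, altered copy verified?, hashes differ?)."""
    ok, src, _ = verify_image(io.BytesIO(SAMPLE_DEVICE), io.BytesIO(SAMPLE_IMAGE))
    bad, _, alt = verify_image(io.BytesIO(SAMPLE_DEVICE), io.BytesIO(ALTERED_IMAGE))
    return ok, bad, src["sha256"] != alt["sha256"]


if __name__ == "__main__":
    matched, _, digests = verify_image(io.BytesIO(SAMPLE_DEVICE), io.BytesIO(SAMPLE_IMAGE))
    print(custody_record("examiner-placeholder", "EVID-0001", matched, digests))
    print("verification:", "PASS" if matched else "FAIL")
```

Two digests are kept on purpose: older reports and tools still quote MD5, while SHA-256 is what a court-facing record should carry today; recording both lets the image be re-verified against either later in the chain of custody.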
Need For CYBER/COMPUTER FORENSICS
In today's technology-driven generation, the importance of cyber
forensics is immense. Technology combined with forensic science
paves the way for quicker investigations and accurate results. Below
are the points depicting the importance of cyber forensics:
Cyber forensics helps in collecting important digital
evidence to trace the criminal.
Electronic equipment stores massive amounts of data that a
normal person fails to see. For example, in a smart home,
every word we speak and every action performed by smart
devices generates huge amounts of data, which is crucial in cyber
forensics.
It also helps innocent people to prove their innocence
via the evidence collected online.
It is not only used to solve digital crimes but also used to
solve real-world crimes like theft cases, murder, etc.
Businesses benefit equally from cyber forensics in
tracking system breaches and finding the attackers.
WHAT TOOLS ARE USED FOR DIGITAL
FORENSICS?
At the early stages of digital forensics development, the specialists had a very
limited choice of tools used to analyze digital evidence. It led to multiple
allegations that such analysis might have caused evidence to be altered and
corrupted. Inevitably, there emerged sophisticated tools designed specifically
for digital forensics analysis.
Disk and data capture tools can detect encrypted data and capture and
preview the information on physical drives;
File viewers and file analysis tools work to extract and analyze
separate files;
Registry analysis tools get the information about a user and their
activities from the Windows registry;
Internet and network analysis tools provide detailed information about
traffic and monitor user’s activity on the Internet;
Email analysis tools are designed to scan email content;
Mobile device analysis tools help extract data from the internal and
external memory of mobile devices;
Mac OS analysis tools retrieve metadata from Mac operating systems
and provide disk imaging;
Database forensics tools can analyze and manipulate data and provide
reports of activities performed.
Techniques used in Computer Forensics:
Computer forensics investigation normally follows the typical digital
forensics procedure which is the acquisition, examination, analysis, and
reporting. These investigations are mostly performed on static data (disk
images) rather than live data or live systems, though in early computer
forensics days the investigators used to work on live data due to the lack
of tools.
Various kinds of techniques are used in computer forensics investigation
such as:
Cross-drive analysis: Cross-drive analysis (CDA) is a technique that
allows an investigator to quickly identify and correlate information
from multiple data sources or information across multiple drives.
Existing approaches include multi-drive correlation using text
searches, e.g., email addresses, SSNs, message IDs, or credit card
numbers.
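An added example of the cross-drive analysis just described (it is not code from these notes or from any named tool): each drive image is scanned with regular expressions for e-mail addresses and card-like digit runs, a Luhn checksum filters out random numbers, and the hits are correlated so that identifiers appearing on more than one drive stand out. The three "drives" are constructed byte strings, and the card numbers are the well-known test numbers, not real accounts.

```python
"""Cross-drive analysis: find identifiers shared by several drive images.

Added example, not part of the original notes. Each "drive" is a constructed
byte string standing in for a raw image; the drive names are placeholders.
"""
import re
from collections import defaultdict

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer run
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers (drops random digit runs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def extract_identifiers(image):
    """Return the set of (kind, value) identifiers found in one raw image."""
    found = set()
    for m in EMAIL_RE.finditer(image):
        found.add(("email", m.group().decode("ascii", "replace").lower()))
    for m in CARD_RE.finditer(image):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add(("card", digits))
    return found


def correlate(drives):
    """Map each identifier to the sorted list of drives it appears on."""
    where = defaultdict(set)
    for name, image in drives.items():
        for ident in extract_identifiers(image):
            where[ident].add(name)
    return {ident: sorted(names) for ident, names in where.items()}


def shared_identifiers(drives, minimum=2):
    """Identifiers seen on at least `minimum` drives: the CDA hits worth chasing."""
    return {i: d for i, d in correlate(drives).items() if len(d) >= minimum}


# Constructed sample images: fragments of a mail spool, a browser cache and a
# spreadsheet, padded with unrelated bytes. 4111111111111111 and
# 5500000000000004 are standard test card numbers, not real accounts.
DRIVES = {
    "drive-A": b"\x00\x00From: alice@example.org\nTo: bob@example.net\n\x00\x00"
               b"order ref 4111 1111 1111 1111 \x00garbage 1234567890123 end",
    "drive-B": b"\xff\xffcache: https://example.net/u/bob@example.net\n"
               b"card 5500 0000 0000 0004 \x00\x00",
    "drive-C": b"ALICE@EXAMPLE.ORG;4111111111111111;9999999999999999\n",
}


if __name__ == "__main__":
    for ident, names in sorted(shared_identifiers(DRIVES).items()):
        print(f"{ident[0]:5s} {ident[1]:30s} on {', '.join(names)}")
```

Scanning raw bytes rather than mounted files is deliberate: it also picks up identifiers in unallocated space and slack, which is where deleted material lives.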
Live analysis: It is used to examine computers from within the OS
using various forensic and sysadmin tools to get information from
the device. In forensic analysis, the collection of volatile data, such as the
installed software packages and hardware information, is very
important. This approach is useful in cases where the investigator is dealing
with encrypted files. If the device is still active and running when it is
handed to the investigator, the investigator should collect all the
volatile information from the device, such as user login history, which
TCP and UDP ports are open, which services are currently in use and
running, etc.
Deleted files recovery: It is a technique that is used to recover deleted
files. The deleted data can be recovered or carved out using forensic
tools such as CrashPlan, OnTrack EasyRecovery, Wise Data
Recovery, etc.
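How carving recovers a deleted file, shown as an added example (not code from these notes or from the tools listed): when a file is deleted the file system usually drops only its directory entry, so the bytes remain in unallocated space until overwritten. A carver scans the raw image for known header magic bytes and cuts out everything up to the matching footer. The image below is constructed in memory from tiny JPEG-like and PNG-like objects (real magic numbers, dummy bodies) buried in filler; a header whose footer was overwritten is skipped rather than guessed at.

```python
"""Carve deleted files from a raw image by header/footer signatures.

Added example, not part of the original notes. The image is constructed
in memory; the signature table holds real magic bytes for JPEG and PNG.
"""
SIGNATURES = {
    # name: (header magic, footer magic, maximum plausible file size)
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", 16 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 16 * 1024 * 1024),
}


def carve(image, signatures=SIGNATURES):
    """Return [(type, offset, data)] for every header whose footer is found."""
    carved = []
    for kind, (header, footer, max_size) in signatures.items():
        start = 0
        while True:
            start = image.find(header, start)
            if start == -1:
                break
            window = image[start:start + max_size]
            end = window.find(footer, len(header))
            if end == -1:
                # Header with no footer in range: the file was partly overwritten.
                start += len(header)
                continue
            end += len(footer)
            carved.append((kind, start, window[:end]))
            start += end  # resume after this object, not inside it
    return sorted(carved, key=lambda item: item[1])


# Constructed sample image: filler, two JPEG-like objects, one PNG-like object,
# and a JPEG header whose footer has been overwritten (placed last).
FILLER = b"\x00" * 64
JPEG_A = b"\xff\xd8\xff\xe0" + b"JFIF-A" + b"\xff\xd9"
PNG_1 = b"\x89PNG\r\n\x1a\n" + b"IHDR...." + b"IEND\xaeB`\x82"
JPEG_B = b"\xff\xd8\xff\xe1" + b"EXIF-B" + b"\xff\xd9"
TRUNCATED = b"\xff\xd8\xff\xe0" + b"no footer"
IMAGE = FILLER + JPEG_A + FILLER + PNG_1 + FILLER + JPEG_B + FILLER + TRUNCATED + FILLER


def summary(image=IMAGE):
    """(type, offset, size) for each carved object; handy for a report table."""
    return [(kind, offset, len(data)) for kind, offset, data in carve(image)]


if __name__ == "__main__":
    for kind, offset, size in summary():
        print(f"{kind:4s} at offset {offset:6d}  {size:5d} bytes")
```

Real carvers also validate the carved bytes (for example by parsing the JPEG segment table) because a footer belonging to a later file can be matched to an earlier orphaned header; the maximum-size bound above is the simplest guard against that.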
Stochastic forensics: It is a method to forensically re-establish the
digital activities that have insufficient digital artifacts, thus analyzing
emerging patterns resulting from the stochastic nature of modern-day
computers.
Steganography: Steganography is a technique of hiding secret
information inside or on top of something; that something can be
anything from an image to any type of file. Computer forensics
investigators can counter this by comparing the hash value of the
altered file with that of the original file: the hash values will differ
even though the two files might appear identical on visual
inspection.
CHALLENGES IN DIGITAL FORENSICS
Technical Challenges: Encryption, data hiding in storage space, and covert
channels are the major technical challenges today. Digital forensics experts use
forensic tools to collect pieces of evidence against criminals, and criminals
themselves use such tools for hiding, altering, or removing the traces of their
crime; this practice is known as anti-forensics. Other common
challenges are operating in the cloud, the time needed to archive data, the skill
gap, and steganography.
Legal Challenges: There is an absence of guidelines and standards, and
limitations of the Indian Evidence Act 1872. For instance, consider the case of
dealing with the admissibility of an intercepted telephone call in a CDR (call
data record). This was done without a certificate under Section 65B of the
Indian Evidence Act, 1872. The court observed that the secondary electronic
evidence without a certificate under Section 65B of the Indian Evidence Act,
1872 is not admissible and cannot be investigated by the court for any purpose
whatsoever.
Other common challenges are:
Privacy issues
Admissibility in the courts
The preservation of electronic digital evidence
Analyzing a running computer
Resource Challenges: Changes in technology, volume and replication can be
found in the resources area (Indian Evidence Act 1872). Due to rapid changes in
technology, operating systems, and application software and hardware,
reading digital evidence produced by an older version with a newer version is a
growing challenge. The confidentiality, integrity, and availability of e-
documents are easily manipulated.
Why do we need Cyber Laws ?
Cyber law matters to smaller business organizations, which are extremely
vulnerable because of ineffective cybersecurity. It is very important to all
types of business organizations, particularly when you consider how
important the internet and digital systems are to
your day-to-day operations. The various reasons why cyber law
is so important are listed below:
It allows employees to work safely – with the help of cyber law,
you and the employees of your company are not at risk from a
potential cyberattack. If your system becomes infected, that can
really hamper their productivity.
It can protect your business – This is one of the biggest reasons
why cyber law is very important. It allows the
employees to surf the internet as and when they require it. You have
to ensure that they are not at risk from potential threats.
It protects the personal information of the user – One of the most
important factors in the digital world is to keep your personal
information secret. It is essential for customers that their
information cannot be sold.
It protects productivity – There are many viruses present which
can slow down your personal computer. It may often bring your
personal business to a standstill.
THE INDIAN IT ACT
The Information Technology Act, 2000, also known as the IT Act, is an act
passed by the Indian Parliament that came into force on 17th October 2000. The
Information Technology Act is based on the United Nations Model Law on
Electronic Commerce 1996 (UNCITRAL Model), which was recommended by the
General Assembly of the United Nations by a resolution dated 30th January
1997. It is the most important law in India dealing with cybercrime and e-
commerce.
The main objective of this act is to enable lawful and trustworthy electronic,
digital and online transactions and to reduce cybercrime. The IT
Act has 13 chapters and 90 sections. The last four sections, from
section 91 to section 94, deal with amendments to the Indian Penal Code
1860.
The IT Act, 2000 has two schedules:
First Schedule –
Deals with documents to which the Act shall not apply.
Second Schedule –
Deals with electronic signature or electronic authentication method.
The offences and the punishments in the IT Act 2000:
The offences and the punishments that fall under the IT Act, 2000 are as
follows:-
1. Tampering with the computer source documents.
2. Directions of Controller to a subscriber to extend facilities to decrypt
information.
3. Publishing of information which is obscene in electronic form.
4. Penalty for breach of confidentiality and privacy.
5. Hacking for malicious purposes.
6. Penalty for publishing Digital Signature Certificate false in certain
particulars.
7. Penalty for misrepresentation.
8. Confiscation.
9. Power to investigate offences.
10. Protected System.
11. Penalties for confiscation not to interfere with other
punishments.
12. Act to apply for offence or contravention committed outside
India.
13. Publication for fraud purposes.
14. Power of Controller to give directions.
Sections and Punishments under the Information Technology Act, 2000 are as
follows:
Section 43 – Any act of destroying, altering or stealing a computer
system/network, or deleting data with malicious intent, without
authorization from the owner of the computer, makes the offender liable to pay
compensation to the owner for the damage caused.
Section 43A – Any corporate body dealing with sensitive information that fails
to implement reasonable security practices, causing loss to another person,
is also liable to pay compensation to the affected party.
Section 66 – Hacking of a computer system with malicious intent, such as fraud,
is punishable with 3 years imprisonment or a fine of Rs. 5,00,000 or both.
Section 66B, C, D – Fraud or dishonesty in using or transmitting information, or
identity theft, is punishable with 3 years imprisonment or a Rs. 1,00,000 fine or both.
Section 66E – Violation of privacy by transmitting an image of a private area is
punishable with 3 years imprisonment or a Rs. 2,00,000 fine or both.
Section 66F – Cyber terrorism affecting the unity, integrity, security or sovereignty
of India through a digital medium is punishable with life imprisonment.
Section 67 – Publishing obscene information or pornography, or transmitting
obscene content in public, is punishable with imprisonment up to 5 years or a fine
of Rs. 10,00,000 or both.
CYBERCRIME SCENARIO IN INDIA
In today’s day and age, computers and the internet have become an integral
part of our lives, and we rely on them for various activities, from information
to ordering food, booking rides, etc. Digital or cyberspace is the driving force
for the world today, and more and more people are becoming a part of it. It
has brought the world at the tap of a finger, and the credit for all this goes to
the advent of the internet and technology. The emergence of digital
technologies and the convergence of computing and communication devices
have changed how we socialise and conduct business.
The internet has enhanced people's lives in various ways, but as the saying
goes, every coin has two sides. Crime follows opportunity and has given rise
to cyber-crime in the digital world. Cyber-crime, also known as computer
crime, can be understood as any unlawful act in which a computer is used as
a means, a target, or both.
In total, 44,546 cases of cyber-crime were recorded in 2019, representing a
massive increase of 63.5 per cent over 2018. (27,248 cases). In this group,
the crime rate rose from 2.0 in 2018 to 3.3 in 2019. In 2019, fraud
accounted for 60.4 per cent of all cyber-crime cases (26,891 out of 44,546),
followed by sexual harassment at 5.1 per cent (2,266 cases) and causing
disrepute at 4.2 per cent (1,874 cases).
The current scenario in India is that the lawmakers have not been able to
keep pace with the development of cyberspace, and therefore the laws also
lack sophistication. The establishment of a provision for dealing with cyber-
crime within the IT Act was a major step, but one that was ill thought out.
The IT Act was never intended to be a penal statute, and the difference of
penalty for what is basically the same unlawful act but for the mode of
conduct is a testament to the misunderstanding of the lawmakers.
Drawing inspiration from the international perspective of the USA or UK,
where technological advancement reached much earlier than India, and so
did the laws, it would be best to adopt statutes focusing on a specific aspect
of cyber-crimes, depending on the sophistication of the crimes like privacy
and data protection. However, the establishment of singular law is not
enough but would require regular amendments to cope with changing trends.
DIGITAL SIGNATURES AND THE INDIAN IT ACT
Digital signatures were given legal status in India by the Information Technology
Act, 2000 (IT Act 2000). It granted e-signatures on electronic documents the same legal
status as handwritten signatures on physical documents. The IT Act 2000 applies to the
whole of India and it enables a person to use a digital signature just like a
traditional signature. The basic purpose of a digital signature is the same as that of a
conventional signature, i.e. to authenticate the document, to identify the person and to make
the contents of the document binding on the person putting the digital signature. Under
Indian law, a written signature is not necessarily required for a valid contract - contracts are
generally valid if legally competent parties reach an agreement, whether they agree
verbally, electronically or in a physical paper document. The Information Technology
Act, 2000 (IT Act) specifically confirms that contracts cannot be denied enforceability
merely because they are concluded electronically.
Though most electronic documents are allowed to be signed digitally, there are few
exceptions that need to be executed using handwritten signatures. These documents
are:
a negotiable instrument as defined in section 13 of the Negotiable Instruments
Act, 1881 (such as promissory note or bill of exchange);
a power-of-attorney as defined in section 1A of the Powers-of-Attorney Act,
1882;
a trust deed as defined in section 3 of the Indian Trusts Act, 1882;
a will as defined in clause (h) of section 2 of the Indian Succession Act, 1925
including any other testamentary disposition by whatever name called;
a contract for the sale or conveyance of immovable property or any interest in
such property
“Digital signature” is defined under section 2(p) of the IT Act 2000 as follows: “Digital
Signature” means authentication of any electronic record by a subscriber by means of
an electronic method or procedure in accordance with the provisions of section 3.
Section 3 explains the digital signature technology as:
Subject to the provisions of this section any subscriber may authenticate an
electronic record by affixing his digital signature.
The authentication of the electronic record shall be effected by the use of
asymmetric crypto system (use of private and public keys) and hash function
which envelop and transform the initial electronic record into another electronic
record
The private key and the public key are unique to the subscriber and constitute a
functioning key pair.
Digital signing is enabled using Digital Signature Certificates (DSC) that contain a unique
private and public key pair serving as the identity of an individual / signer. As per the
Act, a DSC is issued by authorities known as CAs (Certifying Authorities) after
following a prescribed procedure. Signing using digital signature certificates (DSC)
issued by a CA is considered legal.
There are three types of digital signature certificates based on security level: Class-1, Class-2
and Class-3 certificates. Class 1 certificates do not carry legal recognition, since their validation is
done on the basis of a valid e-mail and not on direct verification. In the case of Class-2 certificates,
the identity of the person is verified against a trusted pre-verified database. Class-3 is the highest
level, where a person is required to be present in front of an RA (Registration Authority) to prove
his/her identity. Typically a Class 2 certificate is required for signing most documents. A DSC
is typically issued on a USB token containing the certificate-based digital ID, along with a
personal PIN, to sign a document.
CYBER CRIME AND PUNISHMENT
Section 65 – Tampering with Computer Source Documents. Penalties if found guilty can be
imprisonment up to 3 years and/or up-to Rs 2 lakh fine. An example of such crime is:
Employees of a telecom company were held guilty by the court for tampering with the
Electronic Serial Number of cellphones of another company that had locked the handset before
selling it so as to work with its SIM only.
Section 66 – Hacking with computer systems or unauthorised usage of computer system and
network. Punishment if found guilty can be imprisonment up to three years and/or a fine of up to
Rs 5 lakh. An example: When a criminal hacked into an academy network by unauthorized
access of broadband and modified the passwords of users to deny access. The criminal was
punished under Section 66 of IT Act.
Section 66C – Identity theft using passwords, digital signatures, biometric thumb impressions or
other identifying features of another person for fraudulent purposes. An example is – when a
criminal obtained the login and password of an online trading account and transferred the profit
to his account by doing online transactions in the trading account in an unauthorized manner.
The criminal was charged under Section 66C.
Section 66D – Cheating by Personation Using Computer Resources. Punishment if found guilty
can be imprisonment up to three years and/or up to Rs 1 lakh fine. An example: A criminal who
posed as a woman and tried to seduce a businessman to extort Rs 96 lakh from him by creating a
fake email Id and trapping him in a cyber relationship. The criminal was arrested and charged
under Section 66D and various other IPC sections.
Section 66E – Taking pictures of private areas, publishing or transmitting them without a
person’s consent is punishable under this section. Penalties if found guilty can be imprisonment
up to three years and/or up to Rs 2 lakh fine.
Section 66F – Acts of cyber terrorism. The guilty can be sentenced to imprisonment up to
life. An example: a threat email was sent to the Bombay Stock Exchange and the
National Stock Exchange, which challenged the security forces to prevent a terror attack planned
on these institutions. The criminal was apprehended and charged under Section 66F of the IT
Act.
Section 67 – Publishing Obscene Information in Electronic Form. In this case, the imprisonment
is up to five years and a fine up to Rs 10 lakh. An example: When an accused from Mumbai
posted obscene information about the victim on the internet after she refused to marry him. The
criminal was implicated under Section 67 of the IT Act in addition to various sections of IPC.
The law enforcement agencies can take recourse to the following IPC, 1860 sections if the IT
Act is insufficient to cover specific cyber offences:
Section 379 – Punishment for theft for up to three years and/or fine. Since many cybercrimes are
committed using stolen mobile/computers or stolen data this IPC Section comes into the picture.
Section 420 – Cheating and dishonestly inducing delivery of property. Cybercrimes like
creating Bogus websites, cyber frauds are punishable under this section of IPC with a seven-year
jail term and/or fine. This section of the IPC deals with crimes related to password thefts for
committing frauds or creating fraudulent websites.
Section 463 – Making false documents or false electronic records. Crimes such as Email
spoofing are punishable under this section with imprisonment of up to seven years and/or fine.
Section 468 – Committing forgery for the intention of cheating attracts imprisonment of up to
seven years and/or a fine. Email spoofing is one such crime punishable under this section.
Apart from the above laws, there are many more sections under IT Act and IPC, which have
provisions for cybercrimes.
IP SECURITY
IPSec (IP Security) architecture uses two protocols to secure the traffic or data
flow. These protocols are ESP (Encapsulating Security Payload) and AH
(Authentication Header). IPSec architecture includes protocols, algorithms, the DOI,
and key management. All these components are very important in order to
provide the three main services:
Confidentiality
Authentication
Integrity
IP Security Architecture:
1. Architecture: Architecture or IP Security Architecture covers the general
concepts, definitions, protocols, algorithms, and security requirements of IP
Security technology.
2. ESP Protocol: ESP (Encapsulating Security Payload) provides a confidentiality
service. Encapsulating Security Payload is implemented in one of two ways:
ESP with optional Authentication.
ESP with Authentication.
Packet Format:
Security Parameter Index (SPI): This parameter is used by the Security
Association. It gives a unique number to the connection built
between the client and server.
Sequence Number: A unique sequence number is allotted to every
packet so that on the receiver side packets can be arranged properly.
Payload Data: Payload data means the actual data or the actual
message. The payload data is in encrypted form to achieve
confidentiality.
Padding: Extra bytes are added to the original message in order
to ensure confidentiality. Pad Length is the number of padding bytes
added to the original message.
Next Header: Next Header identifies the next payload, i.e. the type of the
actual data carried.
Authentication Data: This field is optional in the ESP protocol packet
format.
3. Encryption algorithm: The encryption algorithm is the set of documents that
describe the various encryption algorithms used for Encapsulating Security
Payload.
4. AH Protocol: AH (Authentication Header) Protocol provides both
Authentication and Integrity service. Authentication Header is implemented in
one way only: Authentication along with Integrity.
Authentication Header covers the packet format and general issues related to the
use of AH for packet authentication and integrity.
5. Authentication Algorithm: The authentication Algorithm contains the set of
documents that describe the authentication algorithm used for AH and for the
authentication option of ESP.
6. DOI (Domain of Interpretation): DOI is the identifier that supports both AH
and ESP protocols. It contains values needed for documentation related to each
other.
7. Key Management: Key Management contains the document that describes
how the keys are exchanged between sender and receiver.
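The ESP packet format (item 2) and the authentication-and-integrity service (item 4) worked through in code, as an added example that is not from these notes or from any IPSec implementation. It lays out SPI, Sequence Number, Payload Data, Padding, Pad Length, Next Header and Authentication Data with Python's struct module, computes the Authentication Data as an HMAC-SHA256 integrity check value over SPI, sequence number and payload (the same kind of check AH applies, there over the whole packet), and keeps a sliding anti-replay window on the receiver so a re-sent packet is rejected. The payload and trailer are left unencrypted here so their layout is visible (real ESP encrypts both), and the authentication key is a constructed placeholder.

```python
"""Build and check an ESP packet: header, trailer, ICV and anti-replay window.

Added example, not from the original notes. Payload and trailer are left in
clear so the layout is visible; real ESP encrypts them. The key is a
constructed placeholder.
"""
import hashlib
import hmac
import struct

ICV_LEN = 16        # HMAC-SHA256 truncated to 128 bits as the Authentication Data
BLOCK = 16          # payload + trailer are padded to a multiple of this size
REPLAY_WINDOW = 64


def build_esp(spi, seq, payload, next_header, auth_key):
    """Return SPI | Seq | Payload | Padding | Pad Length | Next Header | ICV."""
    pad_len = (-(len(payload) + 2)) % BLOCK          # trailer must end on a block edge
    padding = bytes(range(1, pad_len + 1))           # default pad bytes 1, 2, 3, ...
    body = payload + padding + struct.pack("!BB", pad_len, next_header)
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    return header + body + icv


def parse_esp(packet, auth_key):
    """Verify the ICV first, then split the packet into its fields."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("packet too short for ESP header, trailer and ICV")
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet altered or wrong key")
    spi, seq = struct.unpack("!II", authenticated[:8])
    pad_len, next_header = struct.unpack("!BB", authenticated[-2:])
    payload = authenticated[8:len(authenticated) - 2 - pad_len]
    return {"spi": spi, "seq": seq, "next_header": next_header,
            "pad_len": pad_len, "payload": payload}


class ReplayWindow:
    """Sliding window over received sequence numbers (anti-replay service)."""

    def __init__(self, size=REPLAY_WINDOW):
        self.size = size
        self.highest = 0
        self.seen = set()

    def accept(self, seq):
        """True if seq is new and within the window; False for replays or stale packets."""
        if seq == 0:
            return False                     # sequence numbers start at 1
        if seq > self.highest:
            self.highest = seq
            self.seen.add(seq)
            self.seen = {s for s in self.seen if s > self.highest - self.size}
            return True
        if seq <= self.highest - self.size or seq in self.seen:
            return False
        self.seen.add(seq)
        return True


KEY = b"constructed-demo-key-not-for-use"   # placeholder authentication key
SPI = 0x1000ABCD                             # constructed SPI value
NEXT_HEADER_TCP = 6


def demo():
    """Receiver-side handling of a good packet, its replay, and a tampered copy."""
    window = ReplayWindow()
    pkt = build_esp(SPI, 1, b"GET / HTTP/1.1\r\n", NEXT_HEADER_TCP, KEY)
    fields = parse_esp(pkt, KEY)
    first_ok = window.accept(fields["seq"])
    replay_ok = window.accept(fields["seq"])      # same packet delivered again
    tampered = bytearray(pkt)
    tampered[8] ^= 0xFF                           # flip one payload byte
    try:
        parse_esp(bytes(tampered), KEY)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return fields, first_ok, replay_ok, tamper_detected


if __name__ == "__main__":
    fields, first_ok, replay_ok, tamper_detected = demo()
    print(fields)
    print("first accepted:", first_ok, "replay accepted:", replay_ok,
          "tamper detected:", tamper_detected)
```

The order in parse_esp matters: the ICV is checked before any field is interpreted, so a forged or corrupted packet is dropped without the receiver acting on its contents, and the sequence number is only consulted once the packet is known to be authentic.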