
Cyber Forensics


Cyber forensics is the process of extracting data as proof for a crime that involves electronic devices,
while following proper investigation rules, so that the culprit can be caught by presenting the evidence to the court.
Cyber forensics is also known as computer forensics. The main aim of cyber forensics is to
maintain the thread of evidence and documentation to find out who committed the crime digitally. Cyber
forensics can do the following:
• It can recover deleted files, chat logs, emails, etc.
• It can also recover deleted SMS messages and phone call records.
• It can retrieve recorded audio of phone conversations.
• It can determine which user used which system and for how long.
• It can identify which user ran which program.

Why is cyber forensics important?

In today’s technology-driven generation, the importance of cyber forensics is immense. Technology
combined with forensics paves the way for quicker investigations and accurate results.
The points below depict the importance of cyber forensics.
• Cyber forensics helps in collecting important digital evidence to trace the criminal.
• Electronic equipment stores massive amounts of data that a normal person fails to see. For
example, in a smart house, every word we speak and every action performed by smart devices
generates a huge amount of data, which is crucial in cyber forensics.
• It also helps innocent people prove their innocence via the evidence collected online.
• It is used not only to solve digital crimes but also to solve real-world crimes such as theft
cases, murder, etc.
• Businesses benefit equally from cyber forensics in tracking system breaches and finding
the attackers.
The Process Involved in Cyber Forensics
1. Obtaining a digital copy of the system that is being or is required to be inspected.
2. Authenticating and verifying the reproduction.
3. Recovering deleted files (using Autopsy Tool).
4. Using keywords to find the information you need.
5. Establishing a technical report.
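Steps 2, 4 and 5 of the process above, carried out on a constructed in-memory "image", as an added example that is not part of these notes: the copy is authenticated by comparing SHA-256 digests, keywords are located by byte offset, and both go into a minimal report. The image bytes, the keyword list and the report fields are all assumptions made for the example.

```python
"""Verify a forensic copy against its source and search it for keywords.

Added example, not part of the original notes. Steps 2 (authenticate the copy),
4 (keyword search) and 5 (technical report) are automated below. The 'image'
is a constructed byte string, not a real acquisition.
"""
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for an acquired image (a real one is a device or .dd file):
# padding, an e-mail header fragment, more padding, a chat-log fragment.
SOURCE_IMAGE = (
    b"\x00" * 32
    + b"From: alice@example.test\nTo: bob@example.test\nSubject: invoice 4711\n"
    + b"\x00" * 16
    + b"BEGIN CHAT LOG\n[12:01] alice: send the invoice tonight\n"
    + b"\x00" * 8
)


def sha256_digest(data: bytes) -> str:
    """Hex SHA-256 of the whole blob; this is the acquisition hash recorded at step 1."""
    return hashlib.sha256(data).hexdigest()


def verify_copy(source: bytes, copy: bytes) -> bool:
    """Step 2: the copy is authentic only if its digest equals the source digest.
    A single flipped byte changes the digest, which is the point of hashing."""
    return sha256_digest(source) == sha256_digest(copy)


def keyword_search(image: bytes, keywords: list[bytes]) -> dict[bytes, list[int]]:
    """Step 4: every byte offset at which each keyword occurs (case-insensitive)."""
    lowered = image.lower()
    hits: dict[bytes, list[int]] = {kw: [] for kw in keywords}
    for kw in keywords:
        needle = kw.lower()
        start = 0
        while (pos := lowered.find(needle, start)) != -1:
            hits[kw].append(pos)
            start = pos + 1
    return hits


@dataclass
class Report:
    """Step 5: minimal technical report tying hashes and findings together."""
    source_sha256: str
    copy_sha256: str
    verified: bool
    findings: dict = field(default_factory=dict)


def build_report(source: bytes, copy: bytes, keywords: list[bytes]) -> Report:
    """Run steps 2 and 4 and record the outcome; an unverified copy is not searched,
    because findings on a copy that does not match the source are worthless as evidence."""
    verified = verify_copy(source, copy)
    findings = keyword_search(copy, keywords) if verified else {}
    return Report(sha256_digest(source), sha256_digest(copy), verified, findings)


if __name__ == "__main__":
    good_copy = bytes(SOURCE_IMAGE)
    bad_copy = bytearray(SOURCE_IMAGE)
    bad_copy[40] ^= 0x01  # one corrupted byte in the copy
    print(build_report(SOURCE_IMAGE, good_copy, [b"invoice", b"chat log"]))
    print(build_report(SOURCE_IMAGE, bytes(bad_copy), [b"invoice"]).verified)
```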

What is cybercrime?
Cybercrime is any criminal activity that involves a computer, network or networked device. While
most cybercriminals use cybercrimes to generate a profit, some cybercrimes are carried out against
computers or devices to directly damage or disable them. Others use computers or networks to
spread malware, illegal information, images or other materials. Some cybercrimes do both -- i.e.,
target computers to infect them with a computer virus, which is then spread to other machines and,
sometimes, entire networks. A primary effect of cybercrime is financial. Cybercrime can include many
different types of profit-driven criminal activity, including ransomware attacks, email and internet
fraud, and identity fraud, as well as attempts to steal financial account, credit card or other payment
card information.

As cybercriminals might target an individual's private information or corporate data for theft and
resale, it's especially important to protect backup data.

The U.S. Department of Justice (DOJ) divides cybercrime into the following three categories:

1. Crimes in which the computing device is the target -- for example, to gain network access.
2. Crimes in which the computer is used as a weapon -- for example, to launch a denial-of-service
(DoS) attack.
3. Crimes in which the computer is used as an accessory to a crime -- for example, using a computer
to store illegally obtained data.
Types of cybercrime
Cybercriminals have a plethora of cybercrime types to conduct malicious attacks. Most attackers carry
out cybercrimes with the expectation of financial gain, though the ways cybercriminals get paid can
vary. Specific types of cybercrimes include the following:
• Cyberextortion. This crime involves an attack or threat of an attack coupled with a demand for
money to stop the attack. One form of cyberextortion is a ransomware attack. Here, the attacker
gains access to an organization's systems and encrypts its documents and files -- anything of
potential value -- making the data inaccessible until a ransom is paid. Usually, payment is in some
form of cryptocurrency, such as bitcoin.
• Cryptojacking. This attack uses scripts to mine cryptocurrencies within browsers without the
user's consent. Cryptojacking attacks can involve loading cryptocurrency mining software onto the
victim's system. Many attacks depend on JavaScript code that does in-browser mining if the user's
browser has a tab or window open on the malicious site. No malware needs to be installed, as
loading the affected page executes the in-browser mining code.
• Identity theft. This type of attack occurs when an individual accesses a computer to steal a user's
personal information, which is then used to steal that person's identity or access their valuable
accounts, such as banking and credit cards. Cybercriminals buy and sell identity information on
darknet markets, offering financial accounts and other types of accounts, such as video streaming
services, webmail, video and audio streaming, online auctions and more. Personal health
information is another frequent target for identity thieves.
• Credit card fraud. This is an attack that occurs when malicious hackers infiltrate retailers'
systems to get their customers' credit card or banking information. Stolen payment cards can be
bought and sold in bulk on darknet markets, where hacking groups that have stolen mass
quantities of credit cards profit by selling to lower-level cybercriminals, who profit through credit
card fraud against individual accounts.
• Cyberespionage. This crime involves cybercriminals hacking into systems or networks to gain
access to confidential information held by a government or other organization. Attacks are
motivated by profit or ideology. Cyberespionage activities include cyberattacks that gather,
modify or destroy data, as well as the use of network-connected devices, such as webcams or closed-
circuit TV cameras, to spy on targeted individuals or groups, and the monitoring of communications,
including emails, text messages and instant messages.
• Software piracy. This attack involves the unlawful copying, distribution and use of software
programs with the intention of commercial or personal use. Trademark violations, copyright
infringements and patent violations are often associated with software piracy.
• Exit scam. The dark web has given rise to the digital version of an old crime known as the exit
scam. In today's form, dark web administrators divert virtual currency held in marketplace escrow
accounts to their own accounts -- essentially, criminals stealing from other criminals.
Common examples of cybercrime
Commonly seen cybercrime attacks include distributed DoS (DDoS) attacks, which use a network's
own communications protocol against it by overwhelming its ability to respond to connection
requests. DDoS attacks are sometimes carried out for malicious reasons or as part of a cyberextortion
scheme, but they can also be used to distract the victim organization from some other attack or exploit
carried out at the same time.
Malware is another common cybercrime that can damage systems, software or data stored on a
system. Ransomware attacks are a type of malware that encrypts or shuts down victim systems until a
ransom is paid.
Phishing campaigns help attackers infiltrate corporate networks. Phishing includes sending fraudulent
emails to users in an organization, enticing them to download malicious attachments or click on
malicious links that then spread the malware across the network.
In credential attacks, a cybercriminal aims to steal or guess victims' usernames and passwords.
These attacks can use brute force -- or, for example, keylogger software -- or exploit
software or hardware vulnerabilities that expose the victim's credentials. Cybercriminals can also
hijack websites to change or delete content or to access or modify databases without authorization.
For example, attackers use Structured Query Language injection exploits to insert malicious code into
a website, which can then be used to exploit vulnerabilities in the website's database, enabling a
malicious hacker to access and tamper with records or gain unauthorized access to sensitive
information and data, such as customer passwords, credit card numbers, personally identifiable
information, trade secrets and intellectual property. Other common examples of cybercrime include
illegal gambling, the sale of illegal items -- such as weapons, drugs or counterfeit goods -- and the
solicitation, production, possession or distribution of child pornography.
Cyber crimes can be classified into the following categories:
i) Crimes Against Persons:
• Harassment via E-Mails: Harassment through sending letters and attachments of files and folders, i.e. via
e-mails. At present harassment is common, as the usage of social sites such as Orkut, Hangout, Zapak, Facebook,
Twitter, etc. is increasing day by day.
• Cracking: It is amongst the gravest cyber crimes known to date. In this, a cyber criminal breaks into your
computer systems without your knowledge and consent and tampers with your precious confidential
data and information.
• Cyber-Stalking: It means an expressed or implied physical threat that creates fear through the use of
computer technology such as the internet, e-mail, phones, text messages, webcams, websites or videos.
• Dissemination of Obscene Material: It includes indecent exposure/pornography (basically child
pornography) and hosting of web sites containing these prohibited materials. These obscene matters may
cause harm to the minds of adolescents and tend to deprave or corrupt their minds. This can create a
huge blunder in society.
• SMS Spoofing: Spoofing is carried out through spam, which means unwanted, uninvited messages.
Here an offender steals the identity of another in the form of a mobile phone number and sends SMS via the
internet, and the receiver gets the SMS from the mobile phone number of the victim.
• Assault by Threat: It refers to threatening a person with fear for their life or the lives of their family
through the use of a computer network, i.e. e-mail, videos or phones.
• Page jacking: When a user clicks on a certain link and an unexpected website opens through that
link, the user is said to be ‘pagejacked’. This happens when someone steals part of a real website and
uses it in a fake site. If they use enough of the real site, Internet search engines can be tricked into listing
the fake site and people will visit it accidentally. Unfortunately one cannot prevent page jacking but
can only deal with it.
• Advance fee scams: An advance fee scam is fairly easy to identify, as you will be asked for money or
goods upfront in return for being given credit or money later. These advance fee scams can seem
convincing and have taken in many people.
• Defamation: It is an act of imputing any person with intent to lower the dignity of that person by
hacking his mail account and sending mails using vulgar language to unknown persons’ mail
accounts.
• E-Mail Spoofing: A spoofed e-mail may be said to be one which misrepresents its origin. It shows its
origin to be different from where it actually originates.
• Carding: It means false ATM cards, i.e. debit and credit cards, used by criminals for their monetary
benefit by withdrawing money from the victim’s bank account mala fide. There is always
unauthorized use of ATM cards in this type of cyber crime.
• Cheating & Fraud: It means that the person who is doing the act of cybercrime, i.e. stealing passwords and
data storage, has done it with a guilty mind, which leads to fraud and cheating.
ii) Crimes Against Persons’ Property:
As a result of rapid growth in international trade, where businesses and consumers are increasingly using
computers to create, transmit and store information in electronic form instead of traditional paper documents,
there are a number of offenses which affect a person’s property:
• Intellectual Property Crimes: Any unlawful act by which the owner is deprived completely or partially
of his rights is an offense. The common forms of IPR violation may be said to be software piracy,
infringement of copyright, trademark, patents, designs and service marks, theft of computer
source code, etc.
• Cybersquatting: It means where two persons claim the same domain name, either by claiming that
they had registered the name first, by right of using it before the other, or by using something similar to
what was registered previously. For example, two similar names, i.e. www.yahoo.com and www.yaahoo.com.
• Cyber Vandalism: Vandalism means deliberately destroying or damaging the property of another. Hence
cyber vandalism means destroying or damaging data when a network service is stopped or disrupted.
It may include within its purview any kind of physical harm done to the computer of any person. These
acts may take the form of the theft of a computer, some part of a computer or a peripheral attached to the
computer.
• Hacking Computer Systems: Due to hacking activity there will be loss of data as well as of the computer.
Research also indicates that such attacks are often not intended mainly for financial gain but rather
to diminish the reputation of a particular person or company.
• Transmitting Viruses: Viruses are programs that attach themselves to a computer or a file and then
circulate themselves to other files and to other computers on a network. They usually affect the data on
a computer, either by altering or deleting it. Worm attacks play a major role in affecting the computerized
systems of individuals.
• Cyber Trespass: It means accessing someone’s computer without the authorization of the owner,
without disturbing, altering, misusing or damaging data or the system, for example by using a wireless internet connection.
• Internet Time Theft: Basically, Internet time theft comes under hacking. It is the use, by an
unauthorized person, of the Internet hours paid for by another person. The person who gets access to
someone else’s ISP user ID and password, either by hacking or by gaining access to it by illegal means,
uses it to access the Internet without the other person’s knowledge. You can identify time theft if your
Internet time has to be recharged often, despite infrequent usage.
iii) Cyber Crimes Against Government:
There are certain offenses done by groups of persons intending to threaten international governments by using
internet facilities:
• Cyber Terrorism: Cyber terrorism is a major burning issue of domestic as well as global concern.
The common forms of these terrorist attacks on the Internet are distributed denial of service attacks, hate
websites and hate e-mails, attacks on sensitive computer networks, etc. Cyber terrorism activities
endanger the sovereignty and integrity of the nation.
• Cyber Warfare: It refers to politically motivated hacking to conduct sabotage and espionage. It is a
form of information warfare sometimes seen as analogous to conventional warfare, although this analogy
is controversial for both its accuracy and its political motivation.
• Distribution of pirated software: It means distributing pirated software from one computer to another
intending to destroy the data and official records of the government.
• Possession of Unauthorized Information: It is very easy for terrorists to access any information with
the aid of the internet and to possess that information for political, religious, social or ideological objectives.
iv) Cybercrimes Against Society at Large:
An unlawful act done with the intention of causing harm to cyberspace will affect a large number of persons:
• Cyber Trafficking: It may be trafficking in drugs, human beings, arms and weapons, etc., which affects a large
number of persons. Trafficking in cyberspace is also among the gravest crimes.
• Online Gambling: Online fraud and cheating is one of the most lucrative businesses growing
today in cyberspace. Many of the cases that have come to light are those pertaining to credit card
crimes, contractual crimes, offering jobs, etc. [3]
• Financial Crimes: This type of offence is common as there is rapid growth in the users of networking
sites and phone networks, where the culprit will try to attack by sending bogus mails or messages through the
internet. Ex: using credit cards by obtaining the password illegally. [4]
• Forgery: It means to deceive a large number of persons by sending threatening mails, as online business
transactions are becoming a habitual need of today’s life style. [5]

What is Hacking?
A commonly used hacking definition is the act of compromising digital devices and networks through
unauthorized access to an account or computer system. Hacking is not always a malicious act, but it is
most commonly associated with illegal activity and data theft by cyber criminals.
But what is hacking in a cyber security context?
Hacking in cyber security refers to the misuse of devices like computers, smartphones, tablets, and
networks to cause damage to or corrupt systems, gather information on users, steal data and
documents, or disrupt data-related activity.
A traditional view of hackers is a lone rogue programmer who is highly skilled in coding and
modifying computer software and hardware systems. But this narrow view does not cover the true
technical nature of hacking. Hackers are increasingly growing in sophistication, using stealthy attack
methods designed to go completely unnoticed by cybersecurity software and IT teams. They are also
highly skilled in creating attack vectors that trick users into opening malicious attachments or links
and freely giving up their sensitive personal data.
As a result, modern-day hacking involves far more than just an angry kid in their bedroom. It is a
multibillion-dollar industry with extremely sophisticated and successful techniques.

Types of Hacking/Hackers
There are typically four key drivers that lead to bad actors hacking websites or systems: (1) financial
gain through the theft of credit card details or by defrauding financial services, (2) corporate
espionage, (3) to gain notoriety or respect for their hacking talents, and (4) state-sponsored hacking
that aims to steal business information and national intelligence. On top of that, there are politically
motivated hackers—or hacktivists—who aim to raise public attention by leaking sensitive
information, such as Anonymous, LulzSec, and WikiLeaks.

Prevention from Getting Hacked

There are several key steps and best practices that organizations and users can follow to ensure they
limit their chances of getting hacked.
Software Update
Hackers are constantly on the lookout for vulnerabilities or holes in security that have not been seen
or patched. Therefore, updating software and operating systems is crucial to preventing users
and organizations from getting hacked. They must enable automatic updates and ensure the latest
software version is always installed on all of their devices and programs.
Use Unique Passwords for Different Accounts
Weak passwords or account credentials and poor password practices are the most common cause of
data breaches and cyberattacks. It is vital to not only use strong passwords that are difficult for
hackers to crack but also to never use the same password for different accounts. Using unique
passwords is crucial to limiting hackers’ effectiveness.
HTTPS Encryption
Spoofed websites are another common vehicle for data theft, in which hackers create a scam website that
looks legitimate but actually steals the credentials that users enter. It is important to look for the
Hypertext Transfer Protocol Secure (HTTPS) prefix at the start of a web address. For
example: https://www.fortinet.com.
Avoid Clicking on Ads or Strange Links
Advertisements like pop-up ads are also widely used by hackers. When clicked, they lead the user to
inadvertently download malware or spyware onto their device. Links should be treated carefully, and
strange links within email messages or on social media, in particular, should never be clicked. These
can be used by hackers to install malware on a device or lead users to spoofed websites.
Change the Default Username and Password on Your Router and Smart Devices
Routers and smart devices come with default usernames and passwords. However, as providers ship
millions of devices, there is a risk that the credentials are not unique, which heightens the chances of
hackers breaking into them. It is best practice to set a unique username and password combination for
these types of devices.
Protect Yourself Against Hacking
There are further steps that users and organizations can take to protect themselves against the threat of
hacking.
Download from First-party Sources
Only download applications or software from trusted organizations and first-party sources.
Downloading content from unknown sources means users do not fully know what they are accessing,
and the software can be infected with malware, viruses, or Trojans.
Install Antivirus Software
Having antivirus software installed on devices is crucial to spotting potential malicious files, activity,
and bad actors. A trusted antivirus tool protects users and organizations from the latest malware,
spyware, and viruses and uses advanced detection engines to block and prevent new and evolving
threats.
Use a VPN
Using a virtual private network (VPN) allows users to browse the internet securely. It hides their
location and prevents hackers from intercepting their data or browsing activity.
Do Not Log In as an Admin by Default
"Admin" is one of the most commonly used usernames by IT departments, and hackers use this
information to target organizations. Signing in with this name makes you a hacking target, so do not
log in with it by default.
Use a Password Manager
Creating strong, unique passwords is a security best practice, but remembering them is difficult.
Password managers are useful tools for helping people use strong, hard-to-crack passwords without
having to worry about remembering them.
Use Two-factor Authentication
A few of the most common types of hackers that carry out these activities include:

Black Hat Hackers

Black hat hackers are the "bad guys" of the hacking scene. They go out of their way to discover
vulnerabilities in computer systems and software to exploit them for financial gain or for more
malicious purposes, such as to gain reputation, carry out corporate espionage, or as part of a nation-
state hacking campaign. These individuals’ actions can inflict serious damage on both computer users
and the organizations they work for. They can steal sensitive personal information, compromise
computer and financial systems, and alter or take down the functionality of websites and critical
networks.
White Hat Hackers
White hat hackers can be seen as the “good guys” who attempt to prevent the success of black hat
hackers through proactive hacking. They use their technical skills to break into systems to assess and
test the level of network security, also known as ethical hacking. This helps expose vulnerabilities in
systems before black hat hackers can detect and exploit them. The techniques white hat hackers use
are similar to or even identical to those of black hat hackers, but these individuals are hired by
organizations to test and discover potential holes in their security defences.
Grey Hat Hackers
Grey hat hackers sit somewhere between the good and the bad guys. Unlike black hat hackers, they
attempt to violate standards and principles but without intending to do harm or gain financially. Their
actions are typically carried out for the common good. For example, they may exploit a vulnerability
to raise awareness that it exists, but unlike white hat hackers, they do so publicly. This alerts
malicious actors to the existence of the vulnerability.

An attack vector, or threat vector, is a way for attackers to enter a network or system. Common
attack vectors include social engineering attacks, credential theft, vulnerability exploits, and
insufficient protection against insider threats.
Hackers use multiple threat vectors to exploit vulnerable systems, attack devices and networks, and
steal data from individuals. There are two main types of hacker vector attacks: passive attacks and
active attacks.
Passive Attack
A passive attack occurs when an attacker monitors a system for open ports or vulnerabilities to gain or
gather information about their target. Passive attacks can be difficult to detect because they do not
involve altering data or system resources. Rather than cause damage to an organization’s systems, the
attacker threatens the confidentiality of its data. Passive attack vectors include passive
reconnaissance, in which the attacker monitors an organization’s systems for vulnerabilities without
interacting with them, through tools like session capture, and active reconnaissance, in which the attacker
uses methods like port scans to engage with target systems.

Active Attack
An active attack vector is one that sets out to disrupt or cause damage to an organization’s system
resources or affect its regular operations. This includes attackers launching attacks against system
vulnerabilities, such as denial-of-service (DoS) attacks, targeting users’ weak passwords, or using
malware and phishing attacks. A common example of an active attack is a masquerade attack, in which
an intruder pretends to be a trusted user and steals login credentials to gain access privileges to system
resources. Active attack methods are often used by cyber criminals to gain the information they need
to launch a wider cyberattack against an organization.

Common Types of Attack Vectors

There are many types of attack vectors, with cyber criminals using many methods to target large or
small organizations from any industry, as well as individuals from nearly every business level. Some
of the most common threat vectors are listed below.
Compromised Credentials
Weak and compromised credentials are the most-used attack vector, as people continue to use weak
passwords to protect their online accounts and profiles. Compromised credentials occur when
information like usernames or passwords is exposed to a third party such as mobile apps and
websites. This is frequently caused by victims of a phishing attempt revealing their login details to an
attacker by entering them on a spoofed website. Lost and stolen credentials enable an intruder to
access user accounts and corporate systems without detection, then escalate their access level within a
network.

Employees must use strong passwords and consider using a password manager to limit the chances of
an attacker stealing their credentials. To avoid the risk of compromised credentials, organizations
must move away from relying on passwords alone and deploy multi-factor authentication (MFA) to
verify users’ identities. Employee education is also vital to ensuring users understand the security
risks they face and the signs of a potential cyberattack.

Malware
Malware is a term that describes various strands of malicious software, which
include ransomware, spyware, Trojans, and viruses. Cyber criminals use malware as a threat vector to
help them gain access to corporate networks and devices, then steal data or damage systems. Avoiding
malware relies on understanding the signs of an attack, such as phishing schemes that urge users to
share valuable information. Protecting against malware requires technology like sandboxing,
firewalls, and antivirus and anti-malware software that detect and block potential attacks.
Phishing
Phishing is an email, Short Message Service (SMS), or telephone-based attack vector that sees the
attacker pose as a trusted sender to dupe the target into giving up sensitive data, such as login
credentials or banking details. Organizations can protect their employees and customers from phishing
attacks by using spam filters, deploying MFA, ensuring software is patched and updated, and blocking
malicious websites. However, the best way to defend against phishing is to assume that every email is
part of a phishing attack. This also comes down to employee education and relies on employees'
awareness of common security risks, such as never clicking any link within an email.

Insider Threats
Some security attacks come from inside the organization, through employees exposing confidential
information to attackers. While this can be accidental, malicious insiders deliberately expose corporate data or
vulnerabilities to third parties. These are often unhappy or disgruntled employees with access to
sensitive information and networks. It can be difficult for organizations to spot malicious insiders,
largely because they are authorized users with legitimate access to corporate networks and systems.
Therefore, businesses should monitor network access for unusual activity or for users accessing files or
systems they would not normally, which could be an indicator of insider risk.
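The monitoring this section recommends, as an added example that is not taken from these notes: a baseline of which resources each user normally touches is learned from constructed access-log lines, and later accesses outside that baseline or outside assumed working hours are flagged. The log format, the users, the paths and the working hours are all assumptions made for the example.

```python
"""Flag insider-risk indicators in file-access logs.

Added example, not part of the original notes. It implements the check the
section suggests: learn which resources each user normally accesses, then flag
later accesses that fall outside that baseline or outside working hours.
All log lines are constructed; the format (timestamp user action resource)
and the working hours are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline period: what each user normally does.
BASELINE_LOG = """\
2024-03-04T09:12:00 alice READ /finance/q1-forecast.xlsx
2024-03-04T10:05:00 alice READ /finance/invoices/
2024-03-05T11:40:00 bob READ /eng/design-docs/
2024-03-05T14:02:00 bob WRITE /eng/src/
2024-03-06T09:30:00 alice WRITE /finance/invoices/
"""

# Constructed observation period: one normal access and three deviations.
OBSERVED_LOG = """\
2024-03-11T09:15:00 alice READ /finance/invoices/
2024-03-11T23:47:00 bob READ /finance/q1-forecast.xlsx
2024-03-12T10:10:00 bob READ /hr/salaries.csv
2024-03-12T20:30:00 bob WRITE /eng/src/
"""

WORK_START, WORK_END = 8, 19  # assumed working hours, 08:00 to 19:00 local time


def parse_log(text):
    """Yield (timestamp, user, action, resource) tuples from the constructed format."""
    for line in text.splitlines():
        ts, user, action, resource = line.split()
        yield datetime.fromisoformat(ts), user, action, resource


def build_baseline(text):
    """Map each user to the set of resources they touched during the baseline period."""
    baseline = defaultdict(set)
    for _, user, _, resource in parse_log(text):
        baseline[user].add(resource)
    return baseline


def find_insider_indicators(baseline, observed_text):
    """Return (user, resource, reasons) for every access that deviates from the baseline.

    Two indicators are checked: a resource the user has never touched before, and an
    access outside working hours. An access showing both is the stronger signal;
    a user absent from the baseline is treated as having no normal resources at all.
    """
    alerts = []
    for ts, user, _, resource in parse_log(observed_text):
        reasons = []
        if resource not in baseline.get(user, set()):
            reasons.append("new resource")
        if not WORK_START <= ts.hour < WORK_END:
            reasons.append("off hours")
        if reasons:
            alerts.append((user, resource, reasons))
    return alerts


if __name__ == "__main__":
    for alert in find_insider_indicators(build_baseline(BASELINE_LOG), OBSERVED_LOG):
        print(alert)
```

Alerts are indicators for an analyst to review, not proof of malice: a late-night read of a file outside a user's baseline may have a legitimate explanation.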

Missing or Weak Encryption

Encryption is a technique that hides the true meaning of a message and protects digital data by
converting it into a code or ciphertext. This ensures that the data within a message cannot be read by
an unauthorized party, which helps prevent cyber criminals from stealing sensitive
information. Missing, poor, or weak encryption leads to the transmission of sensitive data in plaintext.
This risks its exposure to unauthorized parties if intercepted or obtained through a brute-force attack.
To avoid this, users should use strong encryption methods, including Advanced Encryption Standard
(AES) or Rivest-Shamir-Adleman (RSA) encryption, and always ensure sensitive information is
encrypted while at rest, in processing, and in transit.

Unpatched Applications or Servers

Cyber criminals are always on the lookout for potential open doors or vulnerabilities in software and
servers. When they find and exploit a vulnerability that no one is aware of until the breach occurs, this
is known as a zero-day attack. Organizations and users can avoid this type of attack by ensuring their
software, operating systems, and servers are patched. This means applying a software update or fixing
code to a program or server to remove the vulnerability. Regular patching by software developers is
the best strategy for mitigating potential attacks. To assist with this and prevent any gaps that could
present a vulnerability to an attacker, users should ensure automatic software updates are enabled.

Distributed Denial of Service (DDoS)

A DDoS attack occurs when an attacker overloads a server with internet traffic using multiple
machines, also known as a botnet. This prevents users from accessing services and can force the
organization’s site to crash. A DDoS attack can be mitigated through the use of firewalls to filter and
prevent malicious traffic. Other defense tools include regular risk assessments, traffic differentiation
to scatter traffic and prevent a targeted attack, and rate-limiting to restrict the number of requests a
server can receive.

What Does Cyberspace Mean?

Cyberspace refers to the virtual computer world, and more specifically, an electronic medium that is
used to facilitate online communication. Cyberspace typically involves a large computer network
made up of many worldwide computer subnetworks that employ the TCP/IP protocol to aid in
communication and data exchange activities. Cyberspace’s core feature is an interactive and virtual
environment for a broad range of participants. In the common IT lexicon, any system that has a
significant user base or even a well-designed interface can be thought of as “cyberspace.”
Cyberspace allows users to share information, interact, swap ideas, play games, engage in discussions
or social forums, conduct business and create intuitive media, among many other activities. Consider
what happens when thousands of people, who may have gathered together in physical rooms in the
past to play a game, do it instead by each looking into a device from remote locations. As gaming
operators dress up the interface to make it attractive and appealing, they are, in a sense, bringing
interior design to cyberspace. Cyberspace has gained popularity as a medium for social
interaction, rather than for its technical execution and implementation. This sheds light on how societies
have chosen to create cyberspace. In the end, it seems that the cyberspaces that we have created are
pretty conformist and one-dimensional, relative to what could exist.
Glossary of Cybercrime Terms
Cybercrime Dictionary
back door -- a vulnerability intentionally left in the security of a computer system or its software by
its designers
biometrics -- the use of a computer user's unique physical characteristics -- such as fingerprints,
voice, and retina -- to identify that user
black hat -- a term used to describe a hacker who has the intention of causing damage or stealing
information
bypass -- a flaw in a security device
ciphertext -- data that has been encrypted
Computer Emergency Response Team (CERT) -- an organization that collects and distributes
information about security breaches
countermeasure -- any action or device that reduces a computer system's vulnerability
cracker -- a term sometimes used to refer to a hacker who breaks into a system with the intent of
causing damage or stealing data
cracking -- the process of trying to overcome a security measure
cryptography -- protecting information or hiding its meaning by converting it into a secret code
before sending it out over a public network
crypto keys -- the algorithms used to encrypt and decrypt messages
cybercrime -- crime related to technology, computers, and the Internet
decrypt -- the process of converting encrypted information back into normal, understandable text
denial of service (DoS) -- an attack that causes the targeted system to be unable to fulfill its intended
function
digital signature -- an electronic equivalent of a signature
domain name -- the textual name assigned to a host on the Internet
dumpster diving -- looking through trash for access codes or other sensitive information
email -- an application that allows the sending of messages between computer users via a network
encryption -- the process of protecting information or hiding its meaning by converting it into a code
firewall -- a device designed to enforce the boundary between two or more networks, limiting access
hacker -- a term sometimes used to describe a person who pursues knowledge of computer and
security systems for its own sake; sometimes used to describe a person who breaks into computer
systems for the purpose of stealing or destroying data
hacking -- original term referred to learning programming languages and computer systems; now
associated with the process of bypassing the security systems on a computer system or network
high risk application -- a computer application that, when opened, can cause the user to become
vulnerable to a security breach
hijacking -- the process of taking over a live connection between two users so that the attacker can
masquerade as one of the users
host -- a computer system that resides on a network and can independently communicate with other
systems on the network
Hypertext Markup Language (HTML) -- the language in which most webpages are written
information security -- a system of procedures and policies designed to protect and control
information
Internet -- a computer network that uses the Internet protocol family
Internet Relay Chat (IRC) -- a large, multiple-user, live chat facility
Internet service provider (ISP) -- any company that provides users with access to the Internet
intranet -- a private network used within a company or organization that is not connected to the
Internet
intrusion detection -- techniques designed to detect breaches into a computer system or network
IP spoofing -- an attack where the attacker disguises himself or herself as another user by means of a
false IP network address
keystroke monitoring -- the process of recording every character typed by a computer user on a
keyboard
leapfrog attack -- using a password or user ID obtained in one attack to commit another attack
letterbomb -- an email containing live data intended to cause damage to the recipient's computer
malicious code -- any code that is intentionally included in software or hardware for an unauthorized
purpose
one-time password -- a password that can be used only once, usually randomly generated by special
software
packet -- a discrete block of data sent over a network
packet sniffer -- a device or program that monitors the data traveling over a network by inspecting
discrete packets
password -- a data string used to verify the identity of a user
password sniffing -- the process of examining data traffic for the purpose of finding passwords to use
later in masquerading attacks
pen register -- a device that records the telephone numbers of calls received by a particular telephone
phracker -- a person who combines phone phreaking with computer hacking
phreaker -- a person who hacks telephone systems, usually for the purpose of making free phone
calls
piggyback -- gaining unauthorized access to a computer system via another user's legitimate
connection
piracy -- the act of illegally copying software, music, or movies that are copyright-protected
Pretty Good Privacy (PGP) -- a freeware program designed to encrypt email
probe -- an effort to gather information about a computer or its users for the purpose of gaining
unauthorized access later
risk assessment -- the process of studying the vulnerabilities, threats to, and likelihood of attacks on a
computer system or network
smart card -- an access card that contains encoded information used to identify the user
sniffer -- a program designed to capture information across a computer network
social engineering -- term often used to describe the techniques virus writers and hackers utilize to
trick computer users into revealing information or activating viruses
spam -- unsolicited commercial email
spoofing -- the process of disguising one computer user as another
trap and trace device -- a device used to record the telephone numbers dialed by a specific telephone
Trojan horse -- an apparently innocuous program that contains code designed to surreptitiously
access information or computer systems without the user's knowledge
virus -- a computer program designed to make copies of itself and spread itself from one machine to
another without the help of the user
war dialer -- software designed to detect dial-in access to computer systems
warez -- slang for pirated software
white hat -- a hacker whose intentions are not criminal or malicious
wiretapping -- the interception of electronic communications in order to access information
worm -- a computer program that copies itself across a network

What is incident response?

Incident response (sometimes called cybersecurity incident response) refers to an organization’s
processes and technologies for detecting and responding to cyberthreats, security breaches or
cyberattacks. The goal of incident response is to prevent cyberattacks before they happen, and to
minimize the cost and business disruption resulting from any cyberattacks that occur.

Ideally, an organization defines incident response processes and technologies in a formal incident
response plan (IRP) that specifies exactly how different types of cyberattacks should be identified,
contained, and resolved. An effective incident response plan can help cybersecurity teams detect and
contain cyberthreats and restore affected systems faster, and reduce the lost revenue, regulatory fines
and other costs associated with these threats. IBM’s Cost of a Data Breach 2022 Report found that
organizations with incident response teams and regularly tested incident response plans had an
average data breach cost USD 2.66 million lower than that of organizations without incident response
teams and IRPs.
What are security incidents?
A security incident, or security event, is any digital or physical breach that threatens the
confidentiality, integrity or availability of an organization’s information systems or sensitive data.
Security incidents can range from intentional cyberattacks by hackers or unauthorized users, to
unintentional violations of security policy by legitimate authorized users.
Some of the most common security incidents include:

Ransomware. Ransomware is a type of malicious software, or malware, that locks up a victim's data
or computing device and threatens to keep it locked—or worse—unless the victim pays the attacker a
ransom. According to IBM's Cost of a Data Breach 2022 report, ransomware attacks rose by 41
percent between 2021 and 2022.

Phishing and social engineering. Phishing attacks are digital or voice messages that try to
manipulate recipients into sharing sensitive information, downloading malicious software, transferring
money or assets to the wrong people, or taking some other damaging action. Scammers craft phishing
messages to look or sound like they come from a trusted or credible organization or individual—
sometimes even an individual the recipient knows personally. Phishing is the most costly and second
most common cause of data breaches, according to IBM's Cost of a Data Breach 2022 report. It’s also
the most common form of social engineering—a class of attack that hacks human nature, rather than
digital security vulnerabilities, to gain unauthorized access to sensitive personal or enterprise data or
assets.

DDoS attacks. In a distributed denial-of-service (DDoS) attack, hackers gain remote control of large
numbers of computers and use them to overwhelm a target organization’s network or servers with
traffic, making those resources unavailable to legitimate users.
Supply chain attacks. Supply chain attacks are cyberattacks that infiltrate a target organization by
attacking its vendors—e.g., by stealing sensitive data from a supplier’s systems, or by using a
vendor’s services to distribute malware. In July 2021, cybercriminals took advantage of a flaw in
Kaseya's VSA platform to spread ransomware to customers under the guise of a legitimate software
update. Even though supply chain attacks are increasing in frequency, only 32 percent of
organizations have incident response plans prepared for this particular cyber threat, according to
IBM's 2021 Cyber Resilient Organization Study.

Insider threats. There are two types of insider threats. Malicious insiders are employees, partners or
other authorized users who intentionally compromise an organization’s information
security. Negligent insiders are authorized users who unintentionally compromise security by failing
to follow security best practices—by, say, using weak passwords, or storing sensitive data in insecure
places.

Incident response planning

An incident response plan usually includes:
 The roles and responsibilities of each member of the CSIRT;
 The security solutions—software, hardware and other technologies—to be installed across the
enterprise;
 A business continuity plan outlining procedures for restoring critical affected systems and
data as quickly as possible in the event of an outage;
 A detailed incident response methodology that lays out the specific steps to be taken at each
phase of the incident response process (see below), and by whom;
 A communications plan for informing company leaders, employees, customers, and even law
enforcement about incidents;
 Instructions for collecting information and documenting incidents for post-mortem review
and (if necessary) legal proceedings.

The incident response process

Most IRPs also follow the same general incident response framework, based on incident response
models developed by the SANS Institute, the National Institute of Standards and Technology (NIST),
and the Cybersecurity and Infrastructure Security Agency (CISA).

Preparation. This first phase of incident response is also a continuous one, to make sure that
the CSIRT always has the best possible procedures and tools in place to identify, contain and
recover from an incident as quickly as possible and with minimal business disruption.

Detection and Analysis. During this phase, security team members monitor the network for
suspicious activity and potential threats. They analyze data, notifications and alerts gathered
from device logs and from various security tools (antivirus software, firewalls) installed on
the network, filtering out false positives and triaging the actual alerts in order of severity.
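The filtering and triage described in this phase, as an added example that is not part of the original text: a small correlator over constructed OpenSSH-style log lines that groups events by source address, suppresses a source on an assumed scanner allowlist as a false positive, and ranks the remaining alerts by severity. The addresses, thresholds, scanner allowlist and the assumed log year are constructed.

```python
"""Alert triage over constructed SSH authentication log lines. Added example for
this page; the log lines, thresholds and scanner allowlist are constructed and
are not taken from any real tool or environment."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH/syslog style (syslog omits the year).
LOG_LINES = """\
Mar 10 09:01:02 web01 sshd[1200]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 10 09:01:04 web01 sshd[1200]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar 10 09:01:05 web01 sshd[1200]: Failed password for admin from 203.0.113.5 port 51240 ssh2
Mar 10 09:01:07 web01 sshd[1200]: Failed password for admin from 203.0.113.5 port 51241 ssh2
Mar 10 09:01:09 web01 sshd[1200]: Failed password for alice from 203.0.113.5 port 51244 ssh2
Mar 10 09:01:12 web01 sshd[1200]: Accepted password for alice from 203.0.113.5 port 51250 ssh2
Mar 10 09:15:00 web01 sshd[1300]: Failed password for bob from 198.51.100.7 port 40000 ssh2
Mar 10 09:30:00 web01 sshd[1400]: Failed password for root from 192.0.2.10 port 30001 ssh2
Mar 10 09:30:01 web01 sshd[1400]: Failed password for root from 192.0.2.10 port 30002 ssh2
Mar 10 09:30:02 web01 sshd[1400]: Failed password for root from 192.0.2.10 port 30003 ssh2
Mar 10 09:30:03 web01 sshd[1400]: Failed password for root from 192.0.2.10 port 30004 ssh2
Mar 10 09:30:04 web01 sshd[1400]: Failed password for root from 192.0.2.10 port 30005 ssh2
""".splitlines()

# Matches the two sshd password outcomes; other sshd messages are ignored by parse().
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

ASSUMED_YEAR = "2024"            # syslog timestamps carry no year; assumed for parsing
KNOWN_SCANNERS = {"192.0.2.10"}  # assumed: the internal vulnerability scanner (expected noise)
BURST_THRESHOLD = 5              # this many failures ...
BURST_WINDOW_S = 60              # ... within this many seconds counts as a brute-force burst
SEVERITY_RANK = {"critical": 3, "high": 2, "low": 1}


def parse(lines):
    """Turn raw lines into event dicts; lines that do not match the pattern are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def triage(lines):
    """Return alerts sorted from most to least severe; allowlisted scanners are suppressed."""
    by_src = defaultdict(list)
    for ev in parse(lines):
        by_src[ev["src"]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        if src in KNOWN_SCANNERS:
            continue                                   # false positive: expected scanner activity
        failures = [e for e in evs if e["result"] == "Failed"]
        accepted = [e for e in evs if e["result"] == "Accepted"]
        # Any run of BURST_THRESHOLD consecutive failures inside BURST_WINDOW_S seconds.
        burst = any(
            (failures[i + BURST_THRESHOLD - 1]["ts"] - failures[i]["ts"]).total_seconds() <= BURST_WINDOW_S
            for i in range(len(failures) - BURST_THRESHOLD + 1)
        )
        if burst and any(a["ts"] >= failures[0]["ts"] for a in accepted):
            severity, reason = "critical", "successful login after brute-force burst"
        elif burst:
            severity, reason = "high", "brute-force burst"
        elif failures:
            severity, reason = "low", "isolated failed login"
        else:
            continue                                   # only successful logins: nothing to raise
        alerts.append({
            "src": src,
            "severity": severity,
            "reason": reason,
            "failed": len(failures),
            "users": sorted({e["user"] for e in failures}),
        })
    return sorted(alerts, key=lambda a: SEVERITY_RANK[a["severity"]], reverse=True)


if __name__ == "__main__":
    for alert in triage(LOG_LINES):
        print(f"{alert['severity']:<8} {alert['src']:<14} {alert['reason']} (users: {', '.join(alert['users'])})")
```

The scanner's five rapid failures would otherwise be the loudest signal in the file; suppressing it leaves the analyst with the one source that both brute-forced and then logged in, ranked above the single stray failure. Real deployments replace the allowlist and thresholds with tuned rules, but the shape (parse, correlate per entity, suppress known noise, rank) is the same.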

Containment. The incident response team takes steps to stop the breach from doing further damage
to the network. Containment activities can be split into two categories:

 Short-term containment measures focus on preventing the current threat from spreading by
isolating the affected systems, such as by taking infected devices offline.
 Long-term containment measures focus on protecting unaffected systems by placing stronger
security controls around them, such as segmenting sensitive databases from the rest of the
network.

Eradication. Once the threat has been contained, the team moves on to full remediation and
complete removal of the threat from the system. This involves actively eradicating the threat
itself—e.g., destroying malware, booting an unauthorized or rogue user from the network—
and reviewing both affected and unaffected systems to ensure no traces of the breach are left
behind.

Recovery. When the incident response team is confident the threat has been entirely
eradicated, they restore affected systems to normal operations. This may involve deploying
patches, rebuilding systems from backups, and bringing remediated systems and devices back
online.

Post-incident review. Throughout each phase of the incident response process, the CSIRT
collects evidence of the breach and documents the steps it takes to contain and eradicate the
threat. At this stage, the CSIRT reviews this information to better understand the incident.
The CSIRT seeks to determine the root cause of the attack, identify how it successfully
breached the network, and resolve vulnerabilities so that future incidents of this type don't
occur.

Incident response technologies

As noted above, in addition to describing the steps CSIRTs should take in the event of a security
incident, incident response plans typically outline the security solutions that incident response teams
should have in place to carry out or automate key incident response workflows, such as gathering and
correlating security data, detecting incidents in real time, and responding to in-progress attacks.

Some of the most commonly used incident response technologies include:

 SIEM (security information and event management): SIEM aggregates and correlates
security event data from disparate internal security tools (e.g. firewalls, vulnerability
scanners, threat intelligence feeds) and from devices on the network. SIEM can help incident
response teams fight ‘alert fatigue’ by separating indicators of actual threats from the huge
volume of notifications these tools generate.

 SOAR (security orchestration, automation and response): SOAR enables security teams
to define playbooks—formalized workflows that coordinate different security operations and
tools in response to security incidents—and to automate portions of these workflows where
possible.

 EDR (endpoint detection and response): EDR is software designed to automatically protect
an organization's end users, endpoint devices and IT assets against cyberthreats that get past
antivirus software and other traditional endpoint security tools. EDR collects data
continuously from all endpoints on the network; it analyzes the data in real time for evidence
of known or suspected cyberthreats, and can respond automatically to prevent or minimize
damage from threats it identifies.

 XDR (extended detection and response): XDR is cybersecurity technology that unifies
security tools, control points, data and telemetry sources, and analytics across the hybrid IT
environment (endpoints, networks, private and public clouds) to create a single, central
enterprise system for threat prevention, detection and response. A still-emerging technology,
XDR has the potential to help overextended security teams and security operations centers
(SOCs) do more with less by eliminating silos between security tools and automating response
across the entire cyberthreat kill chain.

 UEBA (user and entity behavior analytics): UEBA uses behavioral analytics, machine
learning algorithms, and automation to identify abnormal and potentially dangerous user and
device behavior. UEBA is particularly effective at identifying insider threats—malicious
insiders or hackers using compromised insider credentials—that can elude other security tools
because they mimic authorized network traffic. UEBA functionality is often included in SIEM,
EDR, and XDR solutions.
 ASM (attack surface management): ASM solutions automate the continuous discovery,
analysis, remediation, and monitoring of the vulnerabilities and potential attack vectors across
all the assets in an organization's attack surface. ASM can uncover previously unmonitored
network assets and map relationships between assets.

Why incident response is Important

In the context of an enterprise IT organization, incident response tasks are usually conducted and
managed by a computer security incident response team (CSIRT). These groups may contain security
analysts, IT operators, IT managers and C-level executives that work together to establish an effective
incident response plan (IRP) and execute it when a security incident is detected.

Incident response planning helps IT organizations approach security incidents from a state of
readiness, with clear protocols for detecting, mitigating and eliminating security threats. IT
organizations should continually improve their incident response planning and processes to account
for new threat intelligence and enhance their security posture against future incidents.

Cyber security is an issue of significant importance for businesses and organizations that increasingly
deploy critical applications and IT infrastructure in hybrid cloud environments. While modern
methods of computing are both efficient and cost-effective, increasingly disparate cloud-based
infrastructure may expose security vulnerabilities that become attack vectors for cyber attacks. A
complete incident response strategy is necessary to respond effectively to the range of security
incidents that can be detected in these environments. From a cyber security perspective, the
proliferation of big data has made financially motivated cyber attackers keener on trying to steal data
from businesses.

With security incidents and data breaches on the rise, most enterprise organizations have invested
heavily in IT security to shore up their defenses. In turn, cyber attackers have started to go after small
and medium-sized businesses that may have weaker countermeasures and incident response processes
in place to deal with cyber attacks.

While some security incidents or cyber attacks can be prevented or mitigated outright, IT
organizations must have the proper incident response processes in place to deal with cyber security
threats in a timely way and prevent the massive financial and legal repercussions that can accompany
a data breach.

Incident response plans also typically contain a defined breach notification process that establishes
how the CSIRT will communicate to users, customers and other stakeholders about a breach. There
should also be provisions for testing the system, including running drills and simulations to ensure
that members of the CSIRT can function effectively in their roles when a genuine incident occurs.

Digital forensics is the process of storing, analysing, retrieving, and preserving electronic data that
may be useful in an investigation. It includes data from hard drives in computers, mobile phones,
smart appliances, vehicle navigation systems, electronic door locks, and other digital devices.

An important part of digital forensics is the analysis of suspected cyberattacks, with the objective of
identifying, mitigating, and eradicating cyber threats. This makes digital forensics a critical part of the
incident response process. Digital forensics is also useful in the aftermath of an attack, to provide
information required by auditors, legal teams, or law enforcement.

Electronic evidence can be gathered from a variety of sources, including computers, mobile devices,
remote storage devices, internet of things (IoT) devices, and virtually any other computerized system.

Digital evidence can be used in investigations and legal proceedings involving:
 Data theft and network breaches—digital forensics is used to understand how a breach
happened and who the attackers were.
 Online fraud and identity theft—digital forensics is used to understand the impact of a
breach on organizations and their customers.
 Violent crimes like burglary, assault, and murder—digital forensics is used to capture
digital evidence from mobile phones, cars, or other devices in the vicinity of the crime.
 White collar crimes—digital forensics is used to collect evidence that can help identify and
prosecute crimes like corporate fraud, embezzlement, and extortion.

Why Is Digital Forensics Important?

In the context of an organization, digital forensics can be used to identify and investigate both
cybersecurity incidents and physical security incidents. Most commonly, digital evidence is used as
part of the incident response process, to detect that a breach occurred, identify the root cause and
threat actors, eradicate the threat, and provide evidence for legal teams and law enforcement
authorities.

Digital risks can be broken down into the following categories:

 Cybersecurity risk—an attack that aims to access sensitive information or systems and use
them for malicious purposes, such as extortion or sabotage.
 Compliance risk—a risk posed to an organization by the use of a technology in a regulated
environment. For example, technologies can violate data privacy requirements, or might not
have security controls required by a security standard.
 Third party risks—these are risks associated with outsourcing to third-party vendors or
service providers. For example, vulnerabilities involving intellectual property, data,
operational, financial, customer information, or other sensitive information shared with third
parties.
 Identity risk—attacks aimed at stealing credentials or taking over accounts. These types of
risks can face an organization’s own user accounts, or those it manages on behalf of its
customers.

What Are the Different Branches of Digital Forensics?

Computer Forensics
Computer forensic science (computer forensics) investigates computers and digital storage evidence.
It involves examining digital data to identify, preserve, recover, analyze and present facts and
opinions on inspected information.
Mobile Device Forensics
Mobile device forensics focuses primarily on recovering digital evidence from mobile devices. It
involves investigating any device with internal memory and communication functionality, such as
mobile phones, PDA devices, tablets, and GPS devices.
Network Forensics
The network forensics field monitors, registers, and analyzes network activities. Network data is
highly dynamic, even volatile, and once transmitted, it is gone. It means that network forensics is
usually a proactive investigation process.
Forensic Data Analysis
Forensic data analysis (FDA) focuses on examining structured data, found in application systems and
databases, in the context of financial crime. FDA aims to detect and analyze patterns of fraudulent
activity.
Database Forensics
Database forensics involves investigating access to databases and reporting changes made to the data.
You can apply database forensics to various purposes. For example, you can use database forensics to
identify database transactions that indicate fraud.
The Digital Forensics Process
The digital forensics process may change from one scenario to another, but it typically consists of four
core steps—collection, examination, analysis, and reporting.
Collection
The collection phase involves acquiring digital evidence, usually by seizing physical assets, such as
computers, hard drives, or phones. It is critical to ensure that data is not lost or damaged during the
collection process. You can prevent data loss by copying storage media or creating images of the
original.
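Copying the original and proving the copy is faithful, as an added example that is not from the page: a chunked bit-for-bit copy of a constructed "device" buffer is hashed while it is read, the finished image is re-hashed independently, and the matching digest goes into a chain-of-custody record that every later verification is checked against. The examiner name, case id and device contents are constructed placeholders.

```python
"""Forensic imaging with integrity verification. Added example for this page;
the device contents, examiner name and case id are constructed placeholders."""
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 4096  # read size; small here so the constructed device spans several reads


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_stream(stream) -> str:
    """Hash a file-like object from the start in CHUNK-sized reads (works for large images)."""
    h = hashlib.sha256()
    stream.seek(0)
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def image_device(device, image, examiner: str, case_id: str) -> dict:
    """Copy `device` to `image`, hashing the source as it is read, then re-hash the
    written image and refuse to sign off unless both digests match.
    Returns the chain-of-custody record for the acquisition."""
    source_hash = hashlib.sha256()
    device.seek(0)
    total = 0
    for block in iter(lambda: device.read(CHUNK), b""):
        source_hash.update(block)
        image.write(block)
        total += len(block)
    image.flush()
    source_digest = source_hash.hexdigest()
    image_digest = sha256_stream(image)      # independent pass over what was actually written
    if image_digest != source_digest:
        raise RuntimeError("image does not match source; acquisition must be repeated")
    return {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "bytes": total,
        "sha256": image_digest,
    }


def verify_image(image, record: dict) -> bool:
    """Re-verify later (before analysis, or when the image is produced in court)."""
    return sha256_stream(image) == record["sha256"]


# Constructed 'device': 12 KiB of patterned data with a deleted-file remnant in the middle.
DEVICE_BYTES = (b"\x00" * 5000) + b"CONFIDENTIAL: payroll export 2024" + (b"\xff" * 7000)


def demo():
    device, image = io.BytesIO(DEVICE_BYTES), io.BytesIO()
    record = image_device(device, image, examiner="J. Doe (constructed)", case_id="CASE-0001 (constructed)")
    ok_before = verify_image(image, record)
    image.seek(0)
    image.write(b"\x01")                     # simulate a single-byte modification of the image
    ok_after = verify_image(image, record)
    return record, ok_before, ok_after


if __name__ == "__main__":
    rec, before, after = demo()
    print(json.dumps(rec, indent=2))
    print("verify before tampering:", before, "| after:", after)
```

With a real drive the `device` object is the block device opened read-only (ideally behind a hardware write blocker) and `image` is the output file; the record's digest is what gets written on the evidence bag and repeated in the report, so a one-byte change to the image anywhere along the chain is detectable.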
Examination
The examination phase involves identifying and extracting data. You can split this phase into several
steps—prepare, extract, and identify.
When preparing to extract data, you can decide whether to work on a live or dead system. For
example, you can power up a laptop to work on it live or connect a hard drive to a lab computer.
Analysis
The analysis phase involves using collected data to prove or disprove a case built by the examiners.
Here are key questions examiners need to answer for all relevant data items:

 Who created the data
 Who edited the data
 How the data was created
 When these activities occurred
Reporting
The reporting phase involves synthesizing the data and analysis into a format that makes sense to
laypeople. These reports are essential because they help convey the information so that all
stakeholders can understand it.

Digital Forensic Techniques

Digital forensics involves creating copies of a compromised device and then using various
techniques and tools to examine the information. Digital forensics techniques help inspect
unallocated disk space and hidden folders for copies of encrypted, damaged, or deleted files.
Here are common techniques:

 Reverse Steganography
Cybercriminals use steganography to hide data inside digital files, messages, or data streams.
Reverse steganography involves analyzing the hash of the data in a specific file. When inspected
in a digital file or image, hidden information may not look suspicious. However, hidden
information does change the underlying hash or string of data representing the image.
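The hash comparison this paragraph relies on, as an added example not from the original page: a known-good reference image is compared with a suspect copy; the hash mismatch flags that something changed, and a byte-level diff shows whether the change is confined to the least significant bit (the footprint LSB embedding leaves, invisible to the eye) or is a visible overwrite. The "images" are constructed raw 8-bit grayscale buffers, and the tampering is simulated by flipping low bits, not by embedding a real payload.

```python
"""Reference-versus-suspect comparison for steganalysis. Added example for this
page; both 'images' are constructed raw grayscale buffers, and the LSB-level
tampering is simulated rather than produced by a real embedding tool."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_pixels(reference: bytes, suspect: bytes) -> dict:
    """Summarise how `suspect` differs from `reference` (same-size raw pixel buffers)."""
    if len(reference) != len(suspect):
        return {"same_hash": False, "changed": None, "lsb_only": False, "max_delta": None}
    changed = [(a, b) for a, b in zip(reference, suspect) if a != b]
    deltas = [abs(a - b) for a, b in changed]
    return {
        "same_hash": sha256_hex(reference) == sha256_hex(suspect),
        "changed": len(changed),
        # Every changed byte differs in bit 0 only: consistent with LSB embedding.
        "lsb_only": bool(changed) and all((a ^ b) == 1 for a, b in changed),
        "max_delta": max(deltas) if deltas else 0,
    }


# Constructed reference "image": a 64x64 8-bit grayscale gradient.
WIDTH = HEIGHT = 64
REFERENCE = bytes((x + y) % 256 for y in range(HEIGHT) for x in range(WIDTH))


def simulate_lsb_tampering(image: bytes, n: int) -> bytes:
    """Constructed suspect: flip bit 0 of the first n bytes (stands in for a hidden payload)."""
    out = bytearray(image)
    for i in range(n):
        out[i] ^= 1
    return bytes(out)


# Suspect 1: LSB-level change in the first 200 pixels (visually identical to the reference).
SUSPECT = simulate_lsb_tampering(REFERENCE, 200)
# Suspect 2: ten pixels overwritten with white (a visible edit, not steganography).
OVERWRITTEN = REFERENCE[:100] + b"\xff" * 10 + REFERENCE[110:]

if __name__ == "__main__":
    print("LSB tampering:", compare_pixels(REFERENCE, SUSPECT))
    print("overwrite:    ", compare_pixels(REFERENCE, OVERWRITTEN))
```

The hash alone says only "changed"; the diff is what separates a candidate stego carrier (many pixels, each off by exactly one, in the low bit) from an ordinary edit. Without a trusted reference the same reasoning moves to statistics on the LSB plane itself, which is what dedicated steganalysis tools do.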

 Stochastic Forensics
Stochastic forensics helps analyze and reconstruct digital activity that does not generate
digital artifacts. A digital artifact is an unintended alteration of data that occurs due to digital
processes. Text files, for example, are digital artifacts that can contain clues related to a
digital crime like a data theft that changes file attributes. Stochastic forensics helps investigate
data breaches resulting from insider threats, which may not leave behind digital artifacts.

 Cross-drive Analysis
Cross-drive analysis, also known as anomaly detection, helps find similarities to provide
context for the investigation. These similarities serve as baselines to detect suspicious events.
It typically involves correlating and cross-referencing information across multiple computer
drives to find, analyze, and preserve any information relevant to the investigation.

 Live Analysis
Live analysis occurs in the operating system while the device or computer is running. It
involves using system tools that find, analyze, and extract volatile data, typically stored in
RAM or cache. Live analysis typically requires keeping the inspected computer in a forensic
lab to maintain the chain of evidence properly.

 Deleted File Recovery
Deleted file recovery, also known as data carving or file carving, is a technique that helps
recover deleted files. It involves searching a computer system and memory for fragments of
files that were partially deleted in one location while leaving traces elsewhere on the
inspected machine.
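File carving by signature, as an added example that is not from the page: the carver scans a constructed block of unallocated space for PNG and JPEG headers, carves each file out to its footer, and skips a header whose footer cannot be found (a truncated or partly overwritten file). The minimal PNG is generated inside the code, the JPEG stand-in is not a decodable image, and the buffer layout is constructed.

```python
"""Signature-based file carving over a constructed unallocated-space buffer.
Added example for this page; the buffer, the generated 1x1 PNG and the JPEG
stand-in are all constructed."""
import struct
import zlib


def minimal_png() -> bytes:
    """Build a valid 1x1 8-bit grayscale PNG so the buffer contains a real signature (constructed)."""
    def chunk(kind: bytes, data: bytes) -> bytes:
        crc = zlib.crc32(kind + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)
    # width, height, bit depth, colour type (0 = grayscale), compression, filter, interlace
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")          # one scanline: filter byte 0 + one gray pixel
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


# JPEG stand-in: SOI/APP0 marker, filler, EOI. Constructed; carries no decodable image data.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-PLACEHOLDER" * 4 + b"\xff\xd9"

# (header, footer) pairs. The PNG footer is the IEND chunk type plus its fixed CRC.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}


def carve(buffer: bytes, max_size: int = 10 * 1024 * 1024):
    """Return [(type, offset, data)] for every header whose footer lies within max_size bytes.
    Headers without a footer (truncated or overwritten files) are skipped, not guessed at."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = 0
        while (pos := buffer.find(header, start)) != -1:
            end = buffer.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                start = pos + 1              # no footer in range: skip this header
                continue
            end += len(footer)
            found.append((kind, pos, buffer[pos:end]))
            start = end                      # resume after the carved file (no nested carving)
    return sorted(found, key=lambda f: f[1])


def png_dimensions(data: bytes):
    """Read width and height from IHDR, as a quick check that a carved PNG is usable."""
    if not data.startswith(SIGNATURES["png"][0]) or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])


# Constructed unallocated space: zero fill, the PNG, filler, the JPEG, zero fill, and a
# JPEG header whose body was overwritten (no EOI follows it).
PNG_BYTES = minimal_png()
UNALLOCATED = (
    b"\x00" * 300 + PNG_BYTES + b"\x5a" * 120 + FAKE_JPEG + b"\x00" * 50
    + b"\xff\xd8\xff\xe1" + b"\x11" * 40
)

if __name__ == "__main__":
    for kind, offset, data in carve(UNALLOCATED):
        extra = f" dimensions={png_dimensions(data)}" if kind == "png" else ""
        print(f"{kind} at offset {offset}, {len(data)} bytes{extra}")
```

Production carvers (the page's Autopsy and FTK among them) add what this omits: file-structure validation instead of a plain footer search, handling of fragmented files, and a size limit per type so a missing footer does not swallow the rest of the disk.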

Digital Forensic Tools

Before the availability of digital forensic tools, forensic investigators had to use existing system
admin tools to extract evidence and perform live analysis. The drawback of this technique is that it
risks modifying disk data, amounting to potential evidence tampering.

In 1989, the Federal Law Enforcement Training Center recognized the need and created SafeBack and
IMDUMP. In 1991, a combined hardware/software solution called DIBS became commercially
available. These tools work by creating exact copies of digital media for testing and investigation
while retaining intact original disks for verification purposes.

By the late 1990s, growing demand for reliable digital evidence spurred the release of more
sophisticated tools like FTK and EnCase, which allow analysts to investigate media copies without
live analysis.

Today, the trend is for live memory forensics tools like WindowsSCOPE or specific tools supporting
mobile operating systems. Commercial forensics platforms like CAINE and Encase offer multiple
capabilities, and there is a dedicated Linux distribution for forensic analysis. Open source tools are
also available, including Wireshark for packet sniffing and HashKeeper for accelerating database file
investigation. The main types of digital forensics tools include disk/data capture tools, file viewing
tools, network and database forensics tools, and specialized analysis tools for file, registry, web,
email, and mobile device analysis.

When evaluating various digital forensics solutions, consider aspects such as:

 Integration with and augmentation of existing forensics capabilities.
 Support for various device types and file formats.
 Availability of training to help staff use the product.
 CLI, graphic UI, and ease of use.
 Compatibility with additional integrations or plugins.
 Types of configurations available.
 Advanced features for more effective analysis.

Computer languages for digital forensics

1. Python: Python is a versatile and widely used programming language in the field of computer
forensics. It offers numerous libraries and frameworks that aid in tasks such as data parsing, file
analysis, cryptography, network forensics, and automation of repetitive tasks.

2. PowerShell: PowerShell is a scripting language commonly used in Windows environments. It is
useful for automating tasks, conducting system-level analysis, and extracting information from
Windows systems during forensic investigations.

3. SQL: Structured Query Language (SQL) is crucial for working with relational databases. Many
forensic tools and platforms rely on databases for storing and analyzing large volumes of digital
evidence. Understanding SQL allows professionals to write queries to extract and manipulate data
effectively.

4. JavaScript: JavaScript is commonly used for web-related forensic investigations. It enables
professionals to analyze web-based evidence, extract information from web pages, and identify
potential malicious scripts or activities.

5. C/C++: Knowledge of C/C++ can be valuable for low-level programming and developing tools or
plugins specific to computer forensics. It may be helpful for tasks that require memory analysis, file
system analysis, or interaction with hardware components.

6. Perl: Perl is often utilized for text parsing, regular expressions, and log file analysis in computer
forensics. It provides powerful string manipulation capabilities and is efficient for processing large
volumes of textual data.

While proficiency in these programming languages can enhance a computer forensics professional's
skill set, it's important to note that practical knowledge of forensic tools, methodologies, and
investigative techniques is also crucial for effective computer forensics work.

What is Network Forensics?


The word “forensics” means the use of science and technology to investigate and establish facts in
criminal or civil courts of law. Forensics is the procedure of applying scientific knowledge for the
purpose of analyzing evidence and presenting it in court.
Network forensics is a subcategory of digital forensics that deals with the examination of a
network and the traffic crossing it when that network is suspected of involvement in malicious
activity, for example a network that is spreading malware to steal credentials, or for the purpose of
analyzing cyber-attacks. As the internet grew, cybercrime grew along with it, and so did the
significance of network forensics, with the development and acceptance of network-based services
such as the World Wide Web, e-mail, and others.
With the help of network forensics, the entire data exchange can be retrieved, including messages,
file transfers, e-mails, and web browsing history, and reconstructed to expose the original
transaction. The payload carried in the uppermost-layer packet may well end up on disk, but the
envelopes used for delivering it are captured only in network traffic. Hence, the network protocol
data that encloses each dialog is often very valuable.
To identify attacks, investigators must understand network protocols and applications such as web
protocols, e-mail protocols, file transfer protocols, etc.
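The two ideas in the passage above, the "envelope" (protocol headers) that only a traffic capture preserves, and reconstruction of the original dialog from captured packets, can be shown in code. The following is an added example, not code from the page: the packets are built inline from constructed addresses with checksums left at zero, standing in for a capture file, and the reassembly handles the out-of-order delivery, retransmission and missing-segment cases an investigator meets in real traffic.

```python
"""Reassemble TCP conversations from raw IPv4/TCP packets.

Added example, not code from the page: packets are constructed inline
(checksums zero) to stand in for a capture; real work would read a pcap.
"""
import struct
from collections import defaultdict

IP_HDR = "!BBHHHBBH4s4s"   # ver/IHL, TOS, total len, ID, flags/frag, TTL, proto, csum, src, dst
TCP_HDR = "!HHIIBBHHH"     # sport, dport, seq, ack, data offset, flags, window, csum, urgent


def build_packet(src, dst, sport, dport, seq, payload, flags=0x18):
    """Construct a minimal IPv4+TCP packet (test data only; checksums are zero)."""
    tcp = struct.pack(TCP_HDR, sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack(IP_HDR, 0x45, 0, 20 + len(tcp), 0x1234, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp


def parse_packet(data):
    """Split a packet into its envelope (header fields) and payload; None if not IPv4/TCP."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IP_HDR, data[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", data[ihl:ihl + 14])
    payload = data[ihl + (off >> 4) * 4:total_len]
    envelope = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
                "sport": sport, "dport": dport, "seq": seq, "ack": ack,
                "flags": flags, "ttl": ttl}
    return envelope, payload


def reassemble_streams(packets):
    """Order each flow's payload by sequence number, trimming retransmitted
    overlaps and marking gaps, so the original dialog can be read."""
    segments = defaultdict(dict)             # flow key -> {seq: payload}
    for pkt in packets:
        parsed = parse_packet(pkt)
        if parsed is None or not parsed[1]:
            continue
        env, payload = parsed
        key = (env["src"], env["sport"], env["dst"], env["dport"])
        segments[key].setdefault(env["seq"], payload)   # duplicate seq = retransmission
    streams = {}
    for key, segs in segments.items():
        out, expected = b"", None
        for seq in sorted(segs):
            seg = segs[seq]
            if expected is not None and seq < expected:
                seg = seg[expected - seq:]               # drop bytes already reassembled
            elif expected is not None and seq > expected:
                out += b"<%d bytes missing>" % (seq - expected)
            out += seg
            end = seq + len(segs[seq])
            expected = end if expected is None else max(expected, end)
        streams[key] = out
    return streams


# Constructed capture: a client request split into three segments that arrive
# out of order with one retransmission, followed by the server's reply.
CLIENT, SERVER = "203.0.113.10", "198.51.100.20"
REQUEST_PARTS = [b"GET /login HTTP/1.1\r\n", b"Host: shop.example\r\n", b"\r\n"]
RESPONSE = b"HTTP/1.1 200 OK\r\n\r\nwelcome"


def request_segments(base_seq=1000):
    """(seq, payload) pairs for REQUEST_PARTS, with sequence numbers advancing by payload length."""
    segs, seq = [], base_seq
    for part in REQUEST_PARTS:
        segs.append((seq, part))
        seq += len(part)
    return segs


_SEGS = request_segments()
SAMPLE_CAPTURE = [
    build_packet(CLIENT, SERVER, 40000, 80, _SEGS[1][0], _SEGS[1][1]),   # second segment arrives first
    build_packet(CLIENT, SERVER, 40000, 80, _SEGS[0][0], _SEGS[0][1]),
    build_packet(CLIENT, SERVER, 40000, 80, _SEGS[2][0], _SEGS[2][1]),
    build_packet(CLIENT, SERVER, 40000, 80, _SEGS[0][0], _SEGS[0][1]),   # retransmission
    build_packet(SERVER, CLIENT, 80, 40000, 5000, RESPONSE),
]

if __name__ == "__main__":
    for flow, data in reassemble_streams(SAMPLE_CAPTURE).items():
        print(flow, data)
```

The envelope returned by `parse_packet` (addresses, ports, TTL, sequence numbers) is exactly the data that never reaches the application's files on disk, while the reassembled stream is the "original transaction" the text talks about. A production reassembler would also validate checksums and honour the FIN/RST flags; this example keeps only the ordering logic.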

What is Cyber World? Definition and Importance


The cyber world, often referred to as the world of technology, is a global network of interconnected
computers and digital networks that has completely transformed the way we live, work, and
communicate. It is basically the internet, where billions of gadgets are connected to share information,
conduct business, and strengthen interpersonal relationships. Websites, social media platforms, online
games, and a massive amount of data are all part of this digital environment.

Key Elements of the Cyber World


The Internet, websites, social media, online entertainment, e-commerce, data flow, and cybersecurity
are the vital elements of the cyber world, the digital environment that together forms our
online existence.
 The Internet: Consider the Internet as an amazing doorway to a universe of limitless
opportunities. With billions of devices connected worldwide, it functions as the cyber world’s
beating heart. It was created in the latter half of the 20th century and powers everything from
messaging to watching videos to accessing an infinite amount of information.
 Websites and Social Media: Websites are the digital spaces where we access information,
make purchases, and stay entertained. Social media sites like Facebook and Twitter are
crucial in bringing individuals from all over the world together and promoting social
connections and real-time communication.
 Online Gaming and Entertainment: The Internet is not a work-only environment. It
provides a space for online gaming and relaxation where people may take part in virtual
adventures, watch their preferred movies or television episodes, and even communicate with
others online.
 E-commerce: E-commerce has revolutionized how we buy and sell goods and services,
thanks to online purchasing. It’s a quick and effective way to shop, putting a wide selection of
goods at our fingertips.
 Data Flow and Cybersecurity: Data flows like a digital river in this world, and with it
comes the need for strong cybersecurity. Protecting personal information and sensitive data is
paramount in the cyber world, ensuring a safe online experience.

A brief history of the internet

A Network of Networks

The simplest way of explaining the Internet is to call it "the network of networks." It's the connection
of computer networks around the world into one entity, so to speak. It's not one big computer, but
rather numerous networked computers connected together.

When you dial into your Internet service provider (AOL, Earthlink, etc) from home, you are
essentially connecting your computer to a network. If you are on campus you connect to the Internet
through your school's network, which is connected to the larger Internet network through Peachnet,
which is the electronic highway for all educational institutions and libraries throughout the state of
Georgia. The "backbone" of all these connections is what you might hear referred to as the
"information superhighway."
The Internet started in the 1960s as a way for government researchers to share information.
Computers in the '60s were large and immobile and in order to make use of information stored in any
one computer, one had to either travel to the site of the computer or have magnetic computer tapes
sent through the conventional postal system.
Another catalyst in the formation of the Internet was the heating up of the Cold War. The Soviet
Union's launch of the Sputnik satellite spurred the U.S. Defense Department to consider ways
information could still be disseminated even after a nuclear attack. This eventually led to the
formation of the ARPANET (Advanced Research Projects Agency Network), the network that
ultimately evolved into what we now know as the Internet. ARPANET was a great success but
membership was limited to certain academic and research organizations who had contracts with the
Defense Department.
In response to this, other networks were created to provide information sharing.
January 1, 1983 is considered the official birthday of the Internet. Prior to this, the various computer
networks did not have a standard way to communicate with each other. A new communications
protocol was established called Transfer Control Protocol/Internetwork Protocol (TCP/IP). This
allowed different kinds of computers on different networks to "talk" to each other. ARPANET and the
Defense Data Network officially changed to the TCP/IP standard on January 1, 1983, hence the birth
of the Internet. All networks could now be connected by a universal language.
Contemporary crime: meaning
In criminology or criminal sociology, the word 'contemporary' is used to refer to the state and
occurrences of the modern world. Studies from previous decades and centuries can help us identify
trends in crime over time, as well as distinguish how patterns in crime have changed in tandem with
new developments.

Contemporary Crime - Key Takeaways


 Functionalism, Marxism, interactionism, and realism are the core sociological theories which
explain crime in sociology. Crime in contemporary society is not necessarily unique to the
modern world - developments in modern society have given rise to different crimes being
committed in different ways.
 Globalisation refers to the increased interconnectedness of the world (including economic,
cultural, and technological development). This has resulted in crime becoming more
globalised and less restricted by national borders.
 Labelling, media representations, and media effects are the key points of consideration in the
study of the link between media and crime, with previous studies focusing particularly on
media violence.
 The concept of the 'risk society' has been used to explain that technological developments
make it so that modern society is inherently 'risky', and increasingly harmful to the
environment. Primary green crimes directly harm the environment, while secondary green
crimes breach environmental regulations.
 The perpetrators and victims of state crimes can be difficult to identify. State crimes include
crimes against humanity, war crimes, and genocide, which the UDHR has been established to
attempt to regulate.
Frequently Asked Questions about Contemporary Crime
What is contemporary crime?
In sociology, 'contemporary crime' is that which is committed in modern, contemporary society. While these
crimes might be unique to the modern era, new developments (such as technology) give rise to new ways of
committing these crimes.
What are the contemporary crime theories?
Several sociological theories seek to explain the prevalence of crime in contemporary society, including
strain theory, labelling theory, and left realism.
What is contemporary crime?
Contemporary crime encompasses the newest ideas about people and crime as well as the development
of new types of crime. One major characteristic of modern or contemporary criminology is the concern
with rehabilitation of criminals rather than severe punishment, which was the standard practice in prior
centuries. While it may seem that plenty of crimes are unique to contemporary society, most can be
traced back to older times in interesting ways. For example, theft before the era of online banking and
e-commerce involved break-ins and pickpocketing.
Today, while these types of crimes still occur, they are more likely to take the form of internet
scams or online hacking.
Other examples of crime in contemporary society include:
 Air and water pollution-related crimes,
 Identity theft,
 Censorship, and
 The international trade of counterfeit goods

Computer as a target
In simple words, cybercrime can be divided into two big categories: Computer as a target and
computer as a tool.
Crimes with the computer as a target require much higher expertise from the perpetrators and are
usually committed by a group of individuals rather than by loners. Given the technical expertise
required to execute them and the novelty of these types of crimes, these are the crimes that society is
least prepared to face. Fortunately, this type of cybercrime is the least common, because of the
expertise and coordination it requires. These crimes usually depend on computer viruses, malware,
and denial of service attacks.

Crimes in which the computer is the target include the theft of intellectual property or marketing
information, blackmail, or sabotage of operating systems and programs. In all of these crimes, the
offender uses the computer to obtain information or to damage operating programs.

What Does Contamination Mean?


Contamination occurs when classified information is found on a computer or information system
that is not accredited for classified information. Contamination of a computer can also occur when
malware infiltrates it.
Data contamination: the alteration, maliciously or accidentally, of data in a computer system (see
also data integrity). Source: A Dictionary of Computing, "data contamination".
Contamination may have occurred in an information system when classified information is found on a
computer system where it is not supposed to be. This may have happened:

1. By accident
2. By transmission of insecure data
3. Because the information was changed to a different classification rating
4. Because users did not follow protocol and transferred information through insecure methods
such as floppy disks or thumb drives
Contamination can also occur through a computer virus or other form of malware. An anti-virus tool
should be enabled to remove an active virus from a system.

What Is Data Destruction?


Under most circumstances, the term “data destruction” would cause concern. Prematurely losing
information could have catastrophic consequences for business and everyday life. However, a
planned data destruction process safeguards your company and customers.
While deleting a file on an electronic device makes it invisible to the user, the information still exists
on the device’s memory chip or hard drive. Data destruction entails making the data irretrievable,
either by overwriting the current data with random data or destroying the electronic medium itself.
In an era when companies of all sizes depend upon electronic media for their mission-critical business
operations, all the data created by this equipment needs secure protection. But at the end of its life
cycle, you must safely dispose of it. Your company may have legal requirements for data destruction,
particularly if you operate globally.
The importance of destroying all the data and preventing others from accessing it might seem
indisputable. But in a recent data recovery study of 100 hard drives, the majority contained residual
data. Clearly, most people lack the resources to properly wipe their devices before disposing of them.

What Are the Different Data Destruction Types?


While there are many ways to destroy data, none of these methods are perfect, nor can any specific
technique promise complete success. However, understanding the different techniques will help you
choose the best one for your business.
Here is a breakdown of every type of data destruction and the pros and cons connected with each one.
1. Deleting/Reformatting
As we mentioned above, deleting a file from an electronic device may remove it from a file folder, but
the data remains on the hard drive or memory chip.
The same is true when you try to destroy data by reformatting the disk. Rather than wiping the data
away, reformatting replaces the existing file system with a new one. It’s as if you are tearing out the
table of contents from an old book instead of getting rid of the book itself. Almost anyone can recover
data from a reformatted disk with easily accessible online tools.
Essentially, deletion or reformatting will do little to destroy your data beyond making it invisible to
you as the user.
2. Wiping
Data wiping involves overwriting data from an electronic medium, preventing others from reading
it. The usual way to accomplish this task is to physically connect any medium to a bulk wiping
device. As a process, it allows you to reuse any media wiped in this way without losing storage
capacity.
Data wiping can be time-consuming — sometimes, removing the data from only one device will take
an entire day. While this method may be useful for individuals, it’s impractical for businesses that
need multiple devices wiped.
3. Overwriting Data
In a sense, overwriting data is a form of data wiping. Overwriting data on an electronic device
involves writing a random or set pattern of ones and zeroes over the existing data. In most cases,
overwriting once will accomplish the task. A high-security medium may require multiple passes to
thoroughly destroy all data, with no detectable bit shadows.
A bit shadow is a remnant of overwritten information that is still detectable using an electron
microscope. It’s like when someone writes a note on a pad. They can remove the top sheet of paper,
but an impression of what they wrote may still be visible on the sheet directly underneath. Bit
shadowing remains a concern for high-security operations, but low-risk businesses probably don’t
need to concern themselves too much. Recovering data using an electron microscope is costly and
time-consuming.
Overwriting is perhaps the most common way to destroy data. However, it can take a lot of time and
only works when the medium you want to overwrite is intact and can still have data written to it. It
also does not offer any security protection during the overwriting process. Overwriting does not work
on any hard drive that contains advanced storage management components. If you are overwriting a
device due to legal requirements, you may require a separate license for every medium. It is not
foolproof. Experts in the field recommend following NIST or IRS standards to reduce the chances that
someone will manage to recover overwritten data.
4. Erasing
Erasure is another term for overwriting. Erasure should destroy all data stored on a hard drive, and
deliver a certificate of destruction proving successful completion.
Businesses that have purchased equipment off-lease, such as desktops, enterprise data centers and
laptops, will benefit most from using erasure. It’s also a good method for anyone wishing to reuse
hard drives or redeploy them for storing different materials.
5. Degaussing
Degaussing destroys computer data by eliminating an electronic medium’s magnetism using a high-
powered magnet. While degaussing is a quick and effective method for destroying a large amount of
information or sensitive data, it has two significant disadvantages.
First, when you degauss a piece of electronic equipment, you render its hard drive inoperable.
Degaussing destroys the hard drive’s interconnect equipment, making it impossible to reuse the
device containing the drive.
Additionally, you cannot verify complete data destruction if the hard drive is inoperable. In this case,
the only way to confirm data destruction is to use an electron microscope — though this method is
expensive and impractical in most instances.
A hard drive’s density can also impact how well degaussing works. As technology changes and hard
drives improve and grow larger, degaussing has become a less effective method.
6. Physical Destruction
Many people want to recycle their old equipment but are reluctant to do so because of the information
it may contain. Frequently, these people pull out the hard drive and smash it to bits with a hammer.
Physical destruction is also an efficient way for organizations and businesses of all sizes to destroy
data because it has a high likelihood of success.
The primary drawbacks to physically destroying data include its significant cost and environmental
impact. Destroying devices is expensive, and can cause conflict for organizations with green programs
for recycling old electronic media.
Degaussing is a form of physical destruction. So is incineration, though it’s less common because it
requires destruction to occur away from human habitats and creates a chain of custody risk.
7. Shredding
Shredding is another form of physical destruction that uses an industrial machine to destroy drives.
Experts consider it to be the most secure and cost-effective way to destroy data in any electronic
medium that has reached the end of its usable life, including:
 Hard drives
 Solid-state drives
 Optical drives
 Smartphones
 Tablets
 Motherboards
 Thumb drives
 Credit card swipe devices
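The overwriting and erasure methods described above (items 3 and 4) both come down to writing a pattern over the existing bytes, flushing it to the device, and then checking that the old content can no longer be read back. The following is an added example, not code from the page or from any erasure product: it overwrites a constructed temporary file with a zero pass and then a random pass, and checks for a known fragment of the original afterwards. The one-pass and two-pass choice here is an assumption for illustration.

```python
"""Overwrite a file in place and check that a known fragment is no longer readable.

Added example, not code from the page: the file and its contents are constructed.
"""
import os
import secrets
import tempfile

CHUNK = 1 << 20  # write in 1 MiB blocks so very large files do not have to fit in memory


def overwrite_file(path, passes=(b"\x00", None)):
    """Overwrite the file once per entry in `passes`: a bytes pattern, or None for
    random data. Each pass is flushed and fsync'd so the data reaches the device.
    Returns the number of bytes covered per pass.

    Caveat (matches the text above): an in-place overwrite only destroys data if the
    file system writes to the same physical blocks. Copy-on-write and journaling
    file systems, SSD wear levelling and drive-managed storage can keep old copies,
    which is why device-level erasure tools exist.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(remaining, CHUNK)
                if pattern:
                    block = (pattern * (n // len(pattern) + 1))[:n]
                else:
                    block = secrets.token_bytes(n)
                f.write(block)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def fragment_present(path, fragment):
    """True if `fragment` can still be read from the file's current contents."""
    with open(path, "rb") as f:
        return fragment in f.read()


def demo():
    """Constructed scenario: a small 'customer list' is overwritten and then checked."""
    fragment = b"CONFIDENTIAL customer list"
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(fragment + b"\n" + b"alice@example.test\n" * 1000)
        before = fragment_present(path, fragment)
        covered = overwrite_file(path)
        after = fragment_present(path, fragment)
        return {
            "bytes_per_pass": covered,
            "size_unchanged": os.path.getsize(path) == covered,
            "present_before": before,
            "present_after": after,
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

The read-back check is the part an erasure certificate stands for: it records that the verification was done, not merely that a write was attempted. Note that the check only reads through the file system; the residual-copy problems listed in the caveat are invisible to it, which is the reason the text recommends NIST guidance rather than relying on a single overwrite pass.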
Salient Features of the Information Technology Act, 2000

The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is an Act of
the Indian Parliament (No 21 of 2000) notified on 17 October 2000. It is the primary law
in India dealing with cybercrime and electronic commerce. The Information Technology Act, 2000
provides legal recognition for transactions carried out by means of electronic data interchange and
other means of electronic communication, commonly referred to as "electronic commerce". The main
objective of this act is to enable lawful and trustworthy electronic, digital and online transactions and
to alleviate or reduce cybercrime. The IT Act has 13 chapters and 94 sections. The original Act had
4 schedules, of which the third and fourth schedules were omitted later. The law applies to the
whole of India.
A major amendment was made in 2008. It introduced Section 66A, which penalized sending
"offensive messages". It also introduced Section 69, which gave authorities the power of "interception
or monitoring or decryption of any information through any computer resource". Additionally, it
introduced provisions addressing pornography, child pornography, cyber terrorism, publishing private
images without consent, cheating by impersonation, sending offensive messages or those containing
sexually explicit acts through electronic means, and voyeurism. The amendment was passed on 22
December 2008 without any debate in the Lok Sabha.

The IT Act, 2000 has two schedules:

 First Schedule – Deals with documents to which the Act shall not apply.
 Second Schedule – Deals with electronic signature or electronic authentication method.

The offences and the punishments in IT Act 2000 :


The offences and the punishments that fall under the IT Act, 2000 are as follows:
1. Tampering with the computer source documents.
2. Directions of Controller to a subscriber to extend facilities to decrypt information.
3. Publishing of information which is obscene in electronic form.
4. Penalty for breach of confidentiality and privacy.
5. Hacking for malicious purposes.
6. Penalty for publishing Digital Signature Certificate false in certain particulars.
7. Penalty for misrepresentation.
8. Confiscation.
9. Power to investigate offences.
10. Protected System.
11. Penalties for confiscation not to interfere with other punishments.
12. Act to apply for offence or contravention committed outside India.
13. Publication for fraud purposes.
14. Power of Controller to give directions.

Traditional problems associated with Computer Crime


The physical environment that breeds computer crime is far different from traditional venues. In
fact, the intangible nature of computer interaction and subsequent criminality poses significant
questions for investigative agents. The lack of physical boundaries and the removal of traditional
jurisdictional demarcations allow perpetrators to commit multinational crime with little fear (or
potential) of judicial sanctions. For the first time, criminals can cross international boundaries
without the use of passports or official documentation.
Perceived Insignificance, Stereotypes, and Incompetence
 Many stereotype computer criminals as nonthreatening, socially challenged individuals (i.e., nerds
or geeks) and fail to see the insidious nature of computer crime.
 In addition, those administrators and investigators who grudgingly admit the presence and danger
of electronic crime tend to concentrate exclusively on child pornography, overlooking motivations
and criminal behaviors apart from sexual gratification.
 Even in situations where law enforcement authorities recognize the insidious nature of computer or
cybercrime, many do not perceive themselves or others in their department to be competent to
investigate such criminal activity.
Prosecutorial Reluctance
 As media focus has increasingly highlighted the dangers of cyberspace, including those involving
cyber bullying and child exploitation, public awareness has heightened the urgency to protect
children’s virtual playgrounds.
 In response, federal and state resources have often been allocated to fund specialized units to
investigate and prosecute those offenses which affect the safety of American children.
 For example, the Federal Bureau of Investigation maintains a partnership with the Child
Exploitation and Obscenity Section of the Department of Justice. This organization is composed of
attorneys and computer forensic specialists who provide expertise to U.S. Attorney’s Offices on
crimes against children cases.
Lack of Reporting
 reported that 58 percent of the organizations surveyed perceived themselves to be more prepared
to prevent, detect, respond to, or recover from a cybercrime incident compared to the previous year.
 However, only 56 percent of respondents actually had a plan for reporting and responding to a
crime. It was reported that over 75 percent of all insider intrusions were handled internally without
notification of authorities.
 Underreporting on the part of businesses and corporations may be attributed to a variety of
reasons, but perhaps the most common are exposure to financial losses, data breach liabilities,
damage to brand, regulatory issues, and loss of consumer confidence.
 Contemporary society, characterized by increased reliance on paperless transactions, demands
assurances that the company’s infrastructure is invulnerable and that confidential information
remains inviolate.
Lack of Resources
 Computer intrusions have proven to be problematic within the corporate world, and such
institutions’ unwillingness or inability to effectively communicate with judicial authorities has led to
an increase in computer crime.
 Unfortunately, law enforcement and corporate entities desperately need to cooperate with one
another.
 Unlike their civil service counterparts, the business communities have the resources (both financial
and legal) necessary to effectively combat computer crimes.
 First, these companies, through their system administrators, have far more leeway in monitoring
communications and system activities, and they have the ability to establish policies which enable
wide-scale oversight.
Jurisprudential Inconsistency
 Hesitation has become even more pronounced with the emergence of wireless communications,
social networking sites, and smart phones.
 As such, obvious demarcations of perception, application, and enforcement of computer crime
laws vary widely across the country, and a standard of behavior in one jurisdiction may supersede
or even negate legal standards in another.
 Traditionally, trial and appellate courts evaluated the constitutionality of computer crime
statutes, searches, and investigations through the lens of the First and Fourth Amendments.
 Evaluating appropriate boundaries for free speech and establishing standards of reasonableness
have varied across state and federal rulings, and an inconsistent patchwork of guidelines has
resulted.
