This is the core zero to hero cyber security repo , for college and beginner friendly.
Let's jump directly into the course :-
What is Cyber Security
Cyber security is the branch of Computer studies where do we research, analyise the digital forensics of cyber world.
Digital Forensic Essentials
Module Objectives
- Understanding the fundamentals of computer Forensics
- Understanding different Types of Cybercrimes
- Overview of Indicators of compromise (IOCs)
- Overview of Different Types of Digital Evidence and Rules of Evidence
- Understanding Forensic Readiness planning and Business Continuity.
- Understanding the Roles and Responsibilities of a Forensic Investigator.
- Understanding the legal compliance in computer Forensics.
Module Flow
- Undestanding of Fundamentals of computer Forensics
- Understanding Digital Evidence
- Understanding Forensic Readiness
- Indentify the Roles and Responsibilities of a Forensic Investigator
- Understand Legal Compliance in Computer Forensics.
Definitions :-
What is Computer Forensics ?
It is a set of methodological procedures and techniques that help identify,gather, preserve,extract,interpret,documentm and present ecidence from computing equipment,such that any discovered evidence is acceptable during a legal & administrative proceeding.
Objectives of Computer Forensics
- Identify,gather and preserve the evidence of a cybercrime.
- Gather evidence of cyber crimes in a forensically sound manner
- Estimate the potential impact of malicious activity on victim and assess the intent of the perpetrator.
- Minimize the tangible and intangible losses to the organisation.
- Protect the organization from similar incidents in the future.
- Support the prosecution of an incident.
Why do we need for Computer Forensics ?
- To ensure the overall integrity and continued existence of IT systems and network infrastructure within the organisation.
- To extract, process,and interpret the factual evidence such that it proves the attacker's actions in court
- To efficiently track down perpetrators from different parts of the world.
- To protect the organisation's financial resources and valuable time.
When we do use computer Forensics?
- prepare for Incidents by securing and strengthening the defence mechanism as well as closing the loopholes in security.
- Identify the actions needed for incident response
- Act against copyright & intellectual property theft misuse.
- Estimate and minimize the damage to resources in a corporate setup
- Set a security parameter and formulate security norms for ensuring forensic readiness.
Types of Cyber Crimes
Cybercrime is defined as any illegal act invloving a computer device,network, its systems or its applications.
These are categorized into two types based on the line of attack
| Internal Attack | External Attack |
|---|---|
| Attacker is Entrusted Person from inside the organisation | Attacker is from outside of the organisation |
| Attacker already have authorisation to access to the network | They are not authorised to access the n/w. They do gain unauthorised access |
| Attackers could be former or employees, business partners or contractors | These attackers exploit security loopholes or use social engineering techniques to infiltrate the n/w |
Examples of Common Cyber Crimes
- Espionage
- Intellectual property theft
- Data Manipulation
- Trojan Horse Attack
- SQL attack
- Brute-force Attack
- Phishing/Spoofing
- Privilege Escalation Attacks
- Denial of Service Attack (DDos)
- Cyber Defamation
- Cyber terrorism
- Cyberwarfare
Impact of Cyber crimes at the Organisational level :-
- Loss of confidentiality,integrity and availabilty of information stored in organisational systems.
- Theft of sensitive data.
- sudden disruption of business activities
- Loss of customer and stakeholder trust
- substantial reputational damage
- Huge financial losses
- Penalties arising from the failure to comply with regulations
Now Jump to the 2nd Modulue flow i.e Digital Evidence :-
What is Digital Evidence ?
Any information of probative value that is either stored or transmitted in a digital form is called as Digital Evidence.
Digital evidence is circumstantial and fragile in nature, which makes it difficult for a forensic investigator to trace criminal activities.
What is Locard's Exchange principle?
Anyone or anything,entering a crime scene takes something of the scene with them, and leaves somethings of themselves behind when they leave.
Types of Digital Evidence:-
-
Volatile Data:- Data that are lost as soon as the device is powered off. eg system timeout, process to port mapping, process memory, clipboard contents, service/driver information,command history.
-
Non-volatile Data:- Data that are stored on secondary storage device such as hard disks,memory cards , unallocated clusters, events logs.
The common enemy for both volatile and non volatile Digital evidence are :- Time
Role of Digital Evidence
Digital Evidence may assist the forensic investigator in the prosecution or defense of a suspect
- Identity theft
- Malicious attacks on the computer systems themselves
- Information leakage
- Unauthorised transmission of information
- Theft of commercial secrets
- Use/abuse of the Internet
- Production of false documents and accounts
- Unauthorised encryption/password protection of documents
- Abuse of Systems
- Email communication between suspects/conspirators.
Source of Potential Evidence
- user-Created Files
- Address books
- Database files
- Media(Images,graphics,audio,video etc) files
- Documents (text,spreadsheets) files
- Internet bookmarks, favourites etc.
User-Protected Files
- Compressed files
- Misnamed files
- Encrypted files
- Password-protected files
- Hidden files
- steganography
Computer-Created Files
- Backup Files
- Log Files
- Configuration Files
- Printer Spool files
- Cookies
- Swap Files
- System Files
- History Files
- Temporary Files
Devices
- Hard Drive
- Thumb Drive
- Memory Card
- Smart Card
- Dongle
- Biometric Scanner
- Answering Machine
- Digital camera
- RAM and Volatile storage
- Handheld Devices
- LAN
- Router,Modem,Hubs,Switches
- Network cables and Connectors
- Server
- Printer
- IOT and wearables
We have seen a lot more examples of Evidence, now Question is how to consider something as a evidence?
Rules of Evidence
Must have 5 basic rules that make it admissible in a court of law
- Understandable : Evidence must be clear and understandable to the judges
- Admissible : Evidence must be related to the fact being proved
- Authentic : Evidence must be real and appropriately related to the incident
- Reliable : There must be no doubt the authenticity or veracity of the evidence
- complete: The evidence must prove the attacker's actions or his/her innocence
Forensic Readiness Planning
Forensic readiness planning refers to a set of processes to be followed to achieve and maitain forensics readiness.
- Identify the potential evidence required for an incident
- Determine the source of evidence
- Define a policy to handle and store the acquired evidence in a secure manner
- Identify if the incident requires full or formal investigation
- Create a process for documenting the procedure
- Establish a legal advisory board to guide the investigation process
- keep an Incident response Team ready to review the incident and preserve the evidence.
Need for a forensic Investigator
- Cybercrime Investigation
- Sound Evidence Handling
- Incident Handling and Response
Roles and Responsibilities of a Forensics Investigator
- Determines the extent of any damage done during the crime
- Recovers data of investigative value from computing devices involved in crimes
- Create an image of the original evidence withour tampering with it to maintain its integrity.
- Guide the officials carrying out the investigation
- Analyses the evidence data found
- Prepares the analysis report
- Update the orginazation about various attack methods and data recovery attack methods and data recovery techniques and maintains a record of them
- Addresses the issue in a court of law and attempts to win the case by testifying in court.