UNIT Il: Cyber Crime Investigation: Introduction, Investigation Tools, eDiscovery, Digital Evidence Collection, Evidence Preservation, E-Mail Investigation, E-Mail Tracking, IP Tracking, E-Mail Recovery, Hands on Case ‘Studies. Eneryption and Decryption Methods, Search and Seizure of Computers, Recovering Deleted Evidences, Password Cracking Cyber crime investigation:Cyber crime investigation is the methodical process of identifying, analyzing, and mitigating computer-based crimes and malicious a‘ that occur in the digital realm. It's ike a detective story, but with digital evidence instead of fingerprints and footprints. Here's a breakdown of the key aspects: Goals: Identifying the source of the crime: Who is behind the attack? Gathering evidence: Collecting digital footprints and other data to build a case. Presenting evidence in court: Making sure the evidence is admissible and understandable for legal proceedings. Types of cyber crime: Westigated: Hacking and intrusion: Unauthorized access to computer systems or networks. Data breaches: Theft of sensitive information like personal data or financial records. Phishing and scams: Deceptive tactics to trick people into revealing personal information or money. Malware and ransomware: Malicious software that damages systems or demands ransom payments. Online harassment and cyberbullying: Threats, intimidation, and abuse through digital channels. Conduct the Initial Investigation When conducting a cybercrime investigation, normal investigative methods are still important, Asking who, what, where, when, why and how questions is still important. The investigator should also still ask the following questions: Who are the potential suspects? What crimes were committed? When were the crimes committed? Were these crime limited to US jurisdiction? What evidence is there to collect? Where might the physical and digital evidence be located? What types of physical and digital evidence were involved with the crime? Does any of the evidence need to be photographed/preserved immediately?‘© How can the evidence be preserved and maintained for court proceedings? Who investigates cyber crimes? * Law enforcement agencies: Police, FBI, and other specialized units. * Government agencies: Cyber security agencies responsible for national security. * Private companies: Security firms hired by businesses to investigate cyber attacks. Investigation Tools: 1, Disk and Data Capture Tools: Imagine a digital camera for evidence. These tools create an exact copy of a hard drive or storage device, preserving its pristine state for analysis. Popular examples include FTK Imager and Autopsy. 2, File Recovery Tools: Data can be accidentally deleted or hidden by attackers, Tools like Recuva and GetDataBack can recover these lost files, potentially revealing crucial evidence. 3. Memory Forensics Tools:RAM, the computer's temporary memory, can hold valuable information even after a system is shut down. Tools like Volatility and Mandiant RedLine help investigators analyze this volatile data for traces of malware or suspicious activity. 4, Mobile forensics tools: These tools are used to extract data from mobile devices, such as smartphones and tablets. Mobile forensics tools can be used to recover deleted data, analyze call logs and text messages, and track the location of the device 5, Email forensics tools: These tools are used to analyze email messages. Email forensics {tools can be used to recover deleted emails, identify the sender and recipient of an email, and extract attachments. Some popular email forensics tools include MailXAMiner, Forensic Toolkit (TK), and EnCase Mailbox investigator. 6. Packet Capture and Analysis Tools: Wireshark is a popular open-source tool that captures and analyzes network traffic, allowing investigators to see what data is flowing in and out of a system. It's like listening in on the digital chatter to identify suspicious conversations. 7. Password Cracking Tools:(Hashcat and John the Ripper: )These tools crack weak passwords by trying millions of combinations until they find the right one. They're like digital lockpicks, used ethically by security professionals to test password strength and identify vulnerabilities. 8. Social Media Analysis Tools:(Maltego and Social-Engineor Toolkit (SET): )These tools help investigators gather information from social media platforms, track online identities, and identify potential connections between suspects and victims eDiscovery:ediscovery and cybersecurity are two sides of the same coin in today's digital landscape. Both play crucial roles in protecting sensitive information and ensuring compliance with legal regulations in the face of cyber threats. ediscovery refers to the process of identifying, collecting, preserving, and producing electronically stored information (ESI) in the context of legal proceedings or investigations. This can include emails,documents, instant messages, social media posts, and any other digital data that could be relevant to a Cybersecurity, on the other hand, focuses on protecting computer systems and networks from unauthorized access, use, disclosure, disruption, modification, or destruction. This involves a wide range of activities, such as implementing security controls, monitoring networks for suspicious activity, and responding to security incidents, The Role of ediscovery in Cybersecurity Cybersecurity incidents, like data breaches and malware infections, often generate vast amounts of digital evidence. ediscovery tools and processes become essential for: © Investigating the incident: Identifying the source of the attack, the extent of the damage, and the data that was compromised. © Preserving evidence: Ensuring the integrity and authenticity of digital evidence for legal proceedings. * Collecting relevant data: Identifying and extracting the specific ES! needed for the investigation or litigation, while minimizing the collection of irrelevant data © Producing evidence: Presenting the collected ESI in a court-admissible format, Digital Evidence Collection Digital Evidence Collection is the systematic process of identifying, preserving, acquiring, and analyzing digital data that can be used to support or refute a hypothesis in a cybersecurity investigation or legal proceeding. I's like gathering clues from a crime scene, but in the digital realm, Process involved in Digital Evidence Collection: The main processes involved in digital evidence collection are given below: © Data collection: In this process data is identified and collected for investigation. © Examination: In the second step the collected data is examined carefully. © Analysi In this process, different tools and techniques are used and the collected evidence is analyzed to reach Reportin; n this final step all the documentation, reports are compiled so that they canbe submitted in coutCommon types of digital evidence collected: Challenges in Digital Evidence Collectio Documents: Emails, text messages, Word documents, spreadsheets, presentations Images: Photos, screenshots, videos Audio files: Voice recordings, call logs Internet activity: Browsing history, search queries, social media activity Network logs: Records of network traffic and communications ‘System logs: Records of system events and user actions Malware: Malicious software found on infected systems Data volume: The sheer amount of digital data can make it difficult to identify and collect relevant evidence, Data volatility: Digital evidence can be easily altered or destroyed, requiring careful preservation techniques. Anti-forensic techniques: Criminals often use methods to hide or destroy evidence, making collection more challenging Legal and privacy concerns: Collecting and handling digital evidence must be done in a way that respects privacy laws and individual rights. Evidence Preservation Evidence preservation is the crucial act of securing and protecting information or objects that can be used to prove or disprove a fact in a legal setting, investigation It involves ensuring the integrity, authenticity, and chain of custody of the evidence to be admissible and reliable in court or other proceedings. What are the steps involved? Immediate action: Depending on the situation, this might involve securing the scene, isolating the evidence, and minimizing further damage. Documentation: Meticulously document the evidence, including its location, condition, and chain of custody (who handled it and when). Collection and packaging: Collect the evidence carefully, using appropriate methods and containers to avoid contamination or damage Storage and security: Store the evidence in a secure location with controlled temperature and humidity, and implement access control measures. Maintenance and monitoring: Regularly check the evidence for any changes or deterioration, and take steps to address any issues. Types of Evidence: Physical evidence: Physical objects like fingerprints, weapons, or clothing. Electronic data like emails, documents, or video recordings. Testimonial evidence: Witness statements about what they saw or heard. Documentary evidence: Written records like reports, contracts, or off documents.