EHF Module 2 Final

The document outlines the phases of Incident Response Methodology, which includes steps like preparation, detection, response strategy formulation, and reporting to effectively manage and recover from cyber incidents. It also describes the role of Computer Security Incident Response Teams (CSIRTs) in preparing for, detecting, analyzing, and remediating cybersecurity threats. Additionally, it discusses types of digital evidence and digital forensics, emphasizing their importance in legal contexts and cybercrime investigations.

Uploaded by Ritesh

Module 2

1. Explain the phases of incident response Methodology with neat diagram.

Incident Response Methodology is a step-by-step process used to detect, respond to,
manage, and recover from computer security problems like hacking, malware, or data theft.
It helps organizations handle cyber-attacks quickly and effectively to reduce damage and get
back to normal.

Phases of Incident Response Methodology (Simple Explanation)

Incident Response is like handling an emergency (e.g., fire, theft) — but for computers. When
something bad happens to a computer system, like a virus or hacking, we follow these 7
steps to fix it.

🔹 1. Pre-Incident Preparation

(Getting ready before something goes wrong)

• Set up security tools like antivirus and firewalls.
• Train the staff on what to do during an attack.
• Make backups of important data.

👉 Example: Like keeping a fire extinguisher and doing fire drills in case of fire.

🔹 2. Detection of an Incident

(Finding out something is wrong)

• You get a warning from antivirus, or someone notices strange activity.

👉 Example: An employee reports that their computer is acting weird or slow.

🔹 3. Initial Response

(Start checking what happened)

• Form the team.
• Collect basic information.
• Check what type of attack it is.
• Don't panic, just gather info.

👉 Example: IT team checks system logs and sees someone logged in at night from another
country.

🔹 4. Formulate a Response Strategy

(Plan how to fix the issue)

• Decide what to do based on the attack.
• Think about what is affected – data, systems, etc.
• Decide whether you need legal help or need to inform the police.

👉 Example: If customer data is leaked, they decide to inform management and reset all
passwords.

🔹 5. Taking Action

(Take proper steps to stop the attack)

• Block the attacker, change passwords.
• Take legal or HR actions if needed.

👉 Example: A staff member who shared their password might get a warning or be suspended.

🔹 6. Investigate the Incident

(Find out what really happened)

• Collect evidence (logs, files).
• Check how the attacker entered and what damage was done.

👉 Example: You find out the hacker got in using a fake email (phishing).

🔹 7. Reporting

(Make a final report)

• Write what happened, what was done, and how to prevent it next time.
• Share it with management or police if needed.

👉 Example: A report is made to improve email security and warn all employees.

2. Explain Incident Response Process and its methodology.

Incident Response Process and Methodology (Simple Explanation)

Incident Response (IR) is the process of managing and handling computer security incidents
like hacking, data theft, or malware attacks. The main aim is to detect, respond, recover, and
prevent future attacks.

Steps in the Incident Response Process:

1. Initial Response
When an incident is suspected, the response team is formed. They collect basic information,
check logs, and try to understand what happened and how bad it is.
Example: If a company finds its system is slow and strange emails are being sent, they call the
IT security team to investigate.

2. Investigation
In this step, the team finds the root cause—how the attack happened, which systems are
affected, and who might be responsible.
Example: They check system logs and find a virus entered through a fake email link clicked by
an employee.

3. Remediation (Fixing the issue)
The infected systems are cleaned or rebuilt. Passwords are changed, and security holes are
closed. The aim is to remove the threat completely.
Example: The IT team removes the virus, updates antivirus software, and changes login
details.

4. Tracking Information
All details like what was stolen, which systems were attacked, and when things happened are
documented.
Example: A list is created of affected computers, files accessed, and who was using the
system at that time.

5. Reporting
A report is created for management, showing what happened, how it was handled, and what
improvements are needed in the future.
Example: A final report is shared with management explaining the cause of the breach and
actions taken.

3. Explain role of Computer Security Incident Response Team.

4. Roles of CSIRT in handling incident

🔸 What is CSIRT?
CSIRT stands for Computer Security Incident Response Team.
It is a group of trained people in an organization whose job is to detect, respond to, and
recover from cybersecurity incidents like:
• Hacking
• Virus attacks
• Data leaks
• Unauthorized access

🔸 Main Roles of CSIRT in Handling Incidents:

1. Prepare for Incidents
Before anything happens, CSIRT creates plans and policies, and trains staff.
👉 Example: Making sure antivirus is installed and employees know not to click on unknown
emails.

2. Detect and Monitor
They constantly watch the systems to catch any strange activity (like an unusual login or a
malware alert).
👉 Example: They see someone trying to log in from another country at midnight — they get
alerted.

3. Analyse the Problem
Once something happens, they find out what went wrong.
They check logs and systems, and figure out how the attack happened.
👉 Example: They find a virus entered through a fake email clicked by an employee.

4. Contain the Threat
They quickly stop the attack from spreading to other systems.
👉 Example: Disconnecting the infected computer from the network.

5. Remove the Threat (Remediation)
They clean the systems — remove malware, reset passwords, and fix the problem.
👉 Example: Reinstalling the OS and patching the security hole used by the attacker.

6. Recover Systems
After cleanup, they help bring systems back to normal so that work can continue safely.
👉 Example: Restore data from backups and reopen the network for users.

7. Report and Learn
They write a report about what happened and suggest how to prevent it in the future.
👉 Example: After a data leak, they advise stronger passwords and regular security checks.

8. Coordinate with Others
They may need to talk to the police, legal teams, management, or the public if it's a serious
incident.
👉 Example: Informing customers if their data was stolen and working with legal authorities.

🔸 Simple Example:
A company gets hacked and customer data is stolen.
CSIRT is called.
• They detect the hacking.
• Stop the hacker’s access.
• Remove the malware.
• Recover lost data.
• Make a report and suggest better firewalls.
The company is safe again — thanks to CSIRT.
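The "login from another country at midnight" case above is the kind of event a CSIRT's monitoring step turns into an alert. Below is an added example (not from these notes) of that detection logic in Python, run over constructed login records; the home country, business hours and log line format are assumptions made for the example.

```python
# Added example (not from the notes): detection logic for the "login from
# another country at midnight" event the notes describe, run over constructed
# authentication log lines. Home country and business hours are assumptions.
import re
from datetime import datetime

# Constructed sample events: "timestamp user source_country result" (not real logs).
SAMPLE_LOG = """\
2025-02-14T09:12:05 alice IN success
2025-02-14T23:58:41 bob RU success
2025-02-15T00:07:10 bob RU failure
2025-02-15T00:07:35 bob RU success
2025-02-15T14:30:00 carol IN success
"""

HOME_COUNTRIES = {"IN"}        # assumption: the organization operates only in India
BUSINESS_HOURS = range(8, 20)  # assumption: 08:00-19:59 local time is normal

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]{2})\s+(success|failure)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, country, result = m.groups()
    return {"time": datetime.fromisoformat(ts), "user": user,
            "country": country, "result": result}


def classify(event):
    """Return the reasons a successful login looks suspicious (empty if none)."""
    reasons = []
    if event["country"] not in HOME_COUNTRIES:
        reasons.append("foreign_country")
    if event["time"].hour not in BUSINESS_HOURS:
        reasons.append("off_hours")
    return reasons


def find_suspicious_logins(log_text):
    """Scan log text and return alerts for successful logins that match a rule.
    Failed attempts are counted per user so the alert shows whether a success
    was preceded by a burst of failures (a password-guessing indicator)."""
    alerts = []
    failures = {}  # user -> failed attempts since that user's last success
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines rather than crashing the scan
        if ev["result"] == "failure":
            failures[ev["user"]] = failures.get(ev["user"], 0) + 1
            continue
        prior_failures = failures.pop(ev["user"], 0)
        reasons = classify(ev)
        if prior_failures >= 3:
            reasons.append("preceded_by_failures")
        if reasons:
            alerts.append({"user": ev["user"], "time": ev["time"].isoformat(),
                           "reasons": reasons, "failed_before": prior_failures})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_LOG):
        print(alert)
```

Only successful logins raise alerts here; a real deployment would also alert on the failure burst itself and enrich the source IP with geolocation instead of trusting a country field in the log.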

5. Briefly explain Types of digital Evidence with examples.

6. Discuss Digital Evidence and its types.

🔸 What is Digital Evidence?

Digital evidence is any information or data that is stored or transmitted using electronic devices and
can be used in court as proof.
This includes data from computers, phones, emails, USBs, CCTV footage, etc.

👉 Example: A hacker sends a threatening email — that email is digital evidence.

🔸 Why is Digital Evidence Important?

• Used in solving cybercrimes, fraud, or illegal activity.
• Helps prove what happened, who did it, and when it happened.
• Accepted in courts just like physical evidence.

🧾 Types of Digital Evidence (With Examples):

There are 6 main types of digital evidence:

1. Illustrative Evidence

• Definition: Illustrative evidence is used to visualize or demonstrate information in a way that
helps people understand the case better. It is not direct proof of a crime, but it helps explain
facts.

• Examples:
  o Photographs: Images taken of a crime scene, objects, or people involved.
  o Videos: Security camera footage or videos from witnesses.
  o Maps/Charts/Diagrams: Visual representations to show the location of a crime or events.
  o Simulations: 3D models or virtual recreations of events (like a car crash simulation).
  o X-rays or Medical Images: Can help illustrate physical injuries.

Illustrative evidence makes it easier for the court to understand complex information or recreate a
scenario that’s difficult to explain with just words.

2. Electronic Evidence (Digital Evidence)

• Definition: Electronic evidence refers to information that is stored or transmitted in digital
form. It is one of the most commonly used types of evidence in modern legal cases,
especially with the rise of technology and the internet.

• Examples:
  o Emails: Correspondence between individuals or groups that can show intent or motive.
  o Text messages and Social Media: Text messages, posts, and private messages on
    social media platforms like Facebook, Twitter, or Instagram.
  o Files and Documents: Word documents, PDFs, spreadsheets, or presentations saved
    on computers or cloud storage.
  o ATM or Banking Transactions: Digital records from financial institutions showing
    where money was transferred.
  o Cell phone data: Call logs, GPS location data, or photos stored on mobile phones
    that can help prove someone's whereabouts.

Digital evidence has become a crucial part of investigations because it can provide direct proof of
activities, behaviors, or interactions related to a crime or event.

3. Documented Evidence

• Definition: Documented evidence refers to written or recorded materials that prove facts in
a case. It’s not always physical but could be in electronic or paper form.

• Examples:
  o Contracts: Legal agreements or signed contracts between parties that are relevant to
    the case.
  o Invoices or Receipts: These can prove transactions, exchanges, or purchases made.
  o Printed Emails: Emails that are printed out for use in court, showing communication
    between parties.
  o Wills and Legal Documents: Documents that show the intentions of individuals, like
    a will or power of attorney.
  o Official Reports: Police reports, accident reports, or medical records that document
    facts about an event.

Documented evidence can be stored in different formats, and it can be used to support a person’s
claims or refute someone else’s version of events.

4. Explainable (Exculpatory) Evidence

• Definition: This type of evidence helps clear a person’s name by showing that they were not
involved in a crime or were not responsible for the alleged actions.

• Examples:
  o Alibi witnesses: People who can confirm the suspect’s location at the time of the
    crime.
  o CCTV or Video Footage: Video showing the defendant was not near the crime scene.
  o Phone Records: Showing that the defendant’s phone was in a completely different
    location when the crime occurred.
  o Data proving innocence: For example, showing that a suspect’s computer didn’t
    contain any illegal files or activity.

Exculpatory evidence is important because it can help establish innocence, preventing wrongful
conviction.

5. Substantial Evidence

• Definition: Substantial evidence is physical evidence directly related to the crime scene or
suspect, providing real, tangible proof of the events.

• Examples:
  o Fingerprints: Found at the scene of a crime, linking the suspect to the location.
  o DNA Samples: Blood, hair, or other biological evidence linking a suspect to a crime
    scene.
  o Weapons: Guns, knives, or tools used during the commission of a crime.
  o Clothing or Personal Items: Items belonging to the suspect or victim, such as a jacket
    or a bag, found at the scene.
  o Physical traces: Like tire marks, footprints, or bullets.

Substantial evidence plays a key role in confirming that a crime occurred and identifying who was
involved. It’s essential for creating a clear link between the crime and the suspect.

6. Testimonial Evidence

• Definition: Testimonial evidence involves statements made by a witness under oath. This
evidence is spoken or written by individuals with knowledge about the crime or events.

• Examples:
  o Witness Testimony: A person testifies in court about what they saw or heard related
    to the crime.
  o Expert Testimony: An expert, such as a forensic specialist, provides an opinion or
    analysis based on their expertise.
  o Affidavits: Written statements made under oath, often used when witnesses cannot
    appear in court.

Testimonial evidence is one of the most common forms of evidence in criminal cases. It allows
witnesses and experts to share valuable information and explain what they observed or know about
the situation.

7. Explain different types of digital forensics

✅ Types of Digital Forensics (Simple Explanation)

Digital forensics is the process of collecting, analyzing, and preserving digital data to be
used as evidence in cybercrime investigations. It helps find out what happened in cases like
hacking, data theft, or fraud.

There are different types of digital forensics, based on where the evidence is found.

Digital forensics is a branch of forensic science that focuses on identifying, recovering, and
analysing digital evidence from electronic devices. It is widely used in cybercrime
investigations, fraud detection, and security breach analysis. Below are the key types of
digital forensics, along with real-world applications and examples.

1. Disk Forensics
🔹 Definition: Disk forensics involves analysing storage devices (like hard drives, SSDs, USB
drives, and memory cards) to recover deleted, hidden, or encrypted files.

🔹 Purpose: Used in fraud investigations, cybercrime cases, and data recovery.

📌 Example 1: A company suspects an employee of stealing confidential documents.
Investigators use forensic tools like Autopsy or FTK to recover deleted files from the
employee’s computer.

📌 Example 2: A hacker formats a hard drive after stealing sensitive information. Disk
forensics can recover lost data to provide evidence.

2. Network Forensics
🔹 Definition: Network forensics focuses on monitoring and analyzing network traffic to
detect cyber threats, unauthorized access, and data breaches.

🔹 Purpose: Used to prevent hacking, malware attacks, and insider threats.

📌 Example 1: A bank notices unauthorized withdrawals from customer accounts. Network
forensics tools like Wireshark or Snort help trace the hacker's IP address.

📌 Example 2: A government agency detects a cyber-espionage attack. Investigators analyze
encrypted network packets to uncover the hacker’s origin.

3. Wireless Forensics
🔹 Definition: Wireless forensics examines Wi-Fi and Bluetooth networks to identify
unauthorized access and cybercrimes.

🔹 Purpose: Detects Wi-Fi hacking, man-in-the-middle attacks, and rogue access points.

📌 Example 1: A hacker breaches a company’s Wi-Fi to steal sensitive data. Investigators
analyze router logs to identify the attack.

📌 Example 2: A criminal uses a public Wi-Fi network to send threatening emails.
Investigators use wireless forensics tools like Kismet to track the attacker’s device.

4. Database Forensics
🔹 Definition: Database forensics involves investigating databases to detect unauthorized
modifications, data breaches, and fraud.

🔹 Purpose: Used in financial fraud investigations, healthcare data breaches, and insider
threats.

📌 Example 1: A hospital finds that thousands of patient records have been deleted.
Investigators analyze SQL logs to determine who accessed the database.

📌 Example 2: A company suspects an employee of manipulating sales data. Forensic experts
check database logs for unauthorized queries.

5. Email Forensics
🔹 Definition: Email forensics investigates email communications to track phishing attacks,
fraud, and cyberbullying.

🔹 Purpose: Used in financial fraud, business email compromise (BEC), and spam analysis.

📌 Example 1: A CEO receives a fake invoice from a scammer. Investigators trace the email’s
metadata and find the sender’s location.

📌 Example 2: A person receives threatening emails. Experts analyze email headers to trace
the IP address and sender's identity.
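An added example (not from these notes) of the header analysis that email forensics relies on: it reads the Received chain of a constructed message to find where the message entered the mail system, and checks for the Reply-To mismatch typical of the fake-invoice (BEC) scam above. All hosts, addresses and IPs in it are made up.

```python
# Added example (not from the notes): tracing a constructed phishing-style
# message through its Received headers and checking for a Reply-To mismatch.
# Every host name, address and IP below is made up for the example.
import email
import re
from email.utils import parseaddr

# Constructed sample message, not a real email. Received headers are listed
# newest-first: the top one was added by the victim's own mail server.
RAW_MESSAGE = """\
Received: from mx.relay.example (mx.relay.example [203.0.113.5])
\tby mail.victim.example (Postfix) with ESMTPS id ABC123
\tfor <ceo@victim.example>; Fri, 14 Feb 2025 11:00:02 +0000
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby mx.relay.example (Postfix) with ESMTP id XYZ789;
\tFri, 14 Feb 2025 10:59:58 +0000
From: "Accounts" <accounts@supplier.example>
Reply-To: accounts@not-the-supplier.example
To: ceo@victim.example
Subject: Invoice 4471 overdue

Please pay the attached invoice today.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # bracketed IPv4 literal
BY_RE = re.compile(r"\bby\s+([^\s(]+)")                # server that added the hop


def received_hops(raw):
    """Return the Received headers earliest-first (each MTA prepends its own)."""
    msg = email.message_from_string(raw)
    return list(reversed(msg.get_all("Received", [])))


def hop_ips(raw):
    """The 'from' IP literal recorded in each hop, earliest hop first."""
    ips = []
    for hop in received_hops(raw):
        found = IP_RE.search(hop)
        ips.append(found.group(1) if found else None)
    return ips


def origin_ip(raw, trusted_hosts):
    """Walk hops newest-first and trust a hop's 'from' IP only while the
    server that wrote it ('by ...') is one we control or trust. Anything
    below the first untrusted hop could have been forged by the sender."""
    ip = None
    for hop in reversed(received_hops(raw)):
        by = BY_RE.search(hop)
        if by is None or by.group(1) not in trusted_hosts:
            break
        found = IP_RE.search(hop)
        if found:
            ip = found.group(1)
    return ip


def reply_to_mismatch(raw):
    """True when replies would go to a different domain than the visible
    sender, a common sign of the fake-invoice (BEC) scam in the notes."""
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", sender))[1]
    return sender.split("@")[-1].lower() != reply_to.split("@")[-1].lower()
```

The trusted-host set is the key input: only hops written by servers you administer (or a relay you can verify) are reliable, which is why the result changes depending on whether mx.relay.example is trusted.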

6. Malware Forensics
🔹 Definition: Malware forensics focuses on identifying, analyzing, and neutralizing
malicious software like viruses, trojans, worms, and ransomware.

🔹 Purpose: Used in cybersecurity investigations, ransomware recovery, and threat
intelligence.

📌 Example 1: A company’s system is infected with ransomware. Investigators analyze the
malware’s code to create a decryption tool.

📌 Example 2: A government website is defaced by a cybercriminal. Malware forensics helps
find how the attacker injected malicious scripts.

7. Cloud Forensics
🔹 Definition: Cloud forensics investigates cybercrimes related to cloud storage, virtual
environments, and online servers.

🔹 Purpose: Detects unauthorized access, data leaks, and cloud security breaches.

📌 Example 1: A company’s confidential files stored on Google Drive are leaked.
Investigators check access logs to find who downloaded the files.

📌 Example 2: A hacker gains access to an AWS cloud server. Cloud forensics tools help
trace login attempts and security vulnerabilities.

8. Mobile Forensics
🔹 Definition: Mobile forensics focuses on recovering and analysing data from smartphones,
tablets, and other mobile devices.

🔹 Purpose: Used in criminal investigations, cyberstalking, and fraud cases.

📌 Example 1: A suspect deletes messages from their phone related to a drug deal.
Investigators use tools like Cellebrite to recover deleted texts.

📌 Example 2: A person claims they received a threatening call. Mobile forensics extracts call
logs and location data to verify the claim.

9. IoT (Internet of Things) Forensics
🔹 Definition: IoT forensics investigates digital evidence from smart devices like security
cameras, smart TVs, fitness trackers, and home automation systems.

🔹 Purpose: Used in smart home security, vehicle hacking investigations, and cybercrime
cases.

📌 Example 1: A smart home security camera captures footage of a break-in. Investigators
extract and analyse the video to identify the burglar.

📌 Example 2: A hacker takes control of a smart car. IoT forensics analyzes network logs to
find out how the attack was carried out.

8. Chain of custody
📌 Chain of Custody in Digital Forensics

Definition:
The Chain of Custody (CoC) is the process of documenting and tracking digital evidence from the
moment it is collected until it is presented in court. This ensures that the evidence remains
authentic, untampered, and legally admissible.

📌 Importance of Chain of Custody

🔹 Ensures evidence integrity (no modifications or tampering).
🔹 Helps in proving authenticity in court.
🔹 Prevents unauthorized access to the evidence.
🔹 Keeps a clear record of everyone who handled the evidence.

📌 Example:
If a suspect’s laptop is seized, the forensic team must record who collected it, when it was collected,
where it was stored, and who accessed it until the case is closed.

📌 Steps in Chain of Custody

1. Evidence Collection

• Identify what needs to be collected (e.g., hard drives, mobile phones, emails).
• Use proper forensic tools to take an exact copy (forensic image) of digital devices.
• Take photographs and document the condition of the evidence.

📌 Example:
A USB drive found at a cybercrime scene is sealed in an evidence bag, labeled with date, time, and
location of collection.

2. Evidence Labelling & Documentation

• Label each piece of evidence with a unique ID (e.g., Case#123-USB1).
• Record who collected it, the date, time, and location.
• Log any serial numbers or device details.
• Store in a secure forensic lab.

📌 Example:
A forensic analyst signs a logbook, recording that a suspect’s phone was received at 11:00 AM on
Feb 14, 2025, by Investigator John Doe.

3. Secure Storage & Preservation

• Store evidence in a secure, access-controlled environment.
• Use Faraday bags to prevent remote tampering.
• Ensure only authorized personnel can access it.
• Maintain a record of who accessed it and why.

📌 Example:
A hacked company’s hard drive is locked in a forensic lab cabinet with restricted access.

4. Evidence Transfer & Handling

• If evidence is moved, record who took it, why, and when.
• Use sealed envelopes or bags with tamper-proof seals.
• Keep a signed log whenever someone handles the evidence.

📌 Example:
When transferring a suspect’s laptop to court, a signed delivery form ensures the evidence is not
altered during transport.

5. Presentation in Court

• Investigators must prove the evidence was never altered.
• A detailed Chain of Custody report is presented to the judge.
• If the chain is broken (missing signatures, unclear records), the evidence can be rejected in
court.

📌 Example:
If a forensic report shows missing logs, the court may reject the evidence, and the suspect could be
freed.

🔸 Simple Example:
A cybercrime team finds a USB drive at a hacking suspect’s home.
• Officer A collects it on 1st May at 10 AM and labels it.
• It is sealed and stored in a secure locker.
• On 3rd May, Officer B takes it for analysis and signs the log.
• Later, it is sent to court with a full report of every person who accessed it.
👉 This full record is the Chain of Custody.
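An added example (not from these notes) that turns the USB-drive scenario above into a chain-of-custody log in Python: each hand-off records who, when, why and who signed, re-hashes the forensic image against the hash taken at collection, and a verify step reports exactly the breaks (missing signatures, altered image) that get evidence rejected in court. The image bytes, names, year and evidence ID format are constructed.

```python
# Added example (not from the notes): a minimal chain-of-custody log for the
# USB-drive scenario in the notes. Image bytes, names and dates are constructed;
# a real log would also hold case numbers, seal numbers and photographs.
import hashlib
from datetime import datetime

# Constructed stand-in for the forensic image of the seized USB drive.
USB_IMAGE = b"constructed contents of the seized USB drive image"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only record of every hand-off: who, when, why, who signed, and
    the image hash re-computed at that moment against the acquisition hash."""

    def __init__(self, evidence_id, image, collected_by, when, where):
        self.evidence_id = evidence_id
        self.reference_hash = sha256_hex(image)  # hash taken at collection
        self.entries = []
        self.record("collected", collected_by, when, where, image, signed_by=collected_by)

    def record(self, action, handler, when, note, image, signed_by=None):
        self.entries.append({
            "action": action, "handler": handler,
            "when": datetime.fromisoformat(when), "note": note,
            "hash": sha256_hex(image), "signed_by": signed_by,
        })

    def verify(self):
        """Return the list of breaks in the chain; an empty list means intact."""
        problems = []
        previous = None
        for i, e in enumerate(self.entries):
            if not e["signed_by"]:
                problems.append(f"entry {i}: unsigned hand-off to {e['handler']}")
            if e["hash"] != self.reference_hash:
                problems.append(f"entry {i}: hash mismatch while held by {e['handler']}")
            if previous is not None and e["when"] < previous["when"]:
                problems.append(f"entry {i}: timestamp earlier than the previous entry")
            previous = e
        return problems


def intact_chain():
    """The notes' scenario: Officer A collects and stores, Officer B analyses, then court."""
    log = CustodyLog("Case#123-USB1", USB_IMAGE, "Officer A", "2025-05-01T10:00", "suspect's home")
    log.record("stored", "Secure locker", "2025-05-01T11:30", "sealed in evidence bag", USB_IMAGE, "Officer A")
    log.record("transferred", "Officer B", "2025-05-03T09:15", "taken for analysis", USB_IMAGE, "Officer B")
    log.record("transferred", "Court clerk", "2025-05-20T14:00", "sent to court with report", USB_IMAGE, "Officer B")
    return log


def broken_chain():
    """Same scenario with two defects a court would reject: an unsigned hand-off
    and an image that no longer matches the acquisition hash."""
    log = CustodyLog("Case#123-USB1", USB_IMAGE, "Officer A", "2025-05-01T10:00", "suspect's home")
    log.record("transferred", "Officer B", "2025-05-03T09:15", "taken for analysis", USB_IMAGE)
    log.record("transferred", "Court clerk", "2025-05-20T14:00", "sent to court", USB_IMAGE + b"\x00", "Officer B")
    return log
```

Verifying the hash at every hand-off, not just at collection, is what lets the log say which custodian held the drive when it changed.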
