CYBER

(CYBER FORENSICS, CYBER LAW, CYBER CRIME AND CYBER SECURITY)

INTRODUCTION AND BASIC CONCEPTS

Edited and Presented By:

IFS INDIA TEAM, New Delhi

© All material provided within this notes are for informational and educational
purposes only. You are responsible for any misuse of your study material, tools and
account, even if the inappropriate activity was committed by a friend, family member,
guest or employee. All Contents, Texts, Data, Logos & Trademarks in Notes are
property of their respective owners and authors.

Page 1 / 107
 COMPUTER BASICS:

Define Byte:
A byte is a unit of data. Byte is 8 bits of data which has a possible value from 0 to
255. A byte is the unit most computers use to represent a character such as a letter,
number, or typographic symbol. Byte is a standard unit of measurement for file size.
The size of a computer's memory and the capacity of a disk are measured in bytes
(kilobytes, megabytes, gigabytes or terabytes).

Data:
Data is anything in a form suitable for use with a computer. Computer data is
information required by the computer to be able to operate. The term data is often
used to distinguish binary machine-readable information from textual human-readable
information. Data is now being used in a very wide sense. But actually data is
information in its very raw form.

Giga hertz:
Gigahertz, generally abbreviated GHz, refers to frequencies in the billions of cycles
per second range. Giga is the standard multiplier for 1 billion, and Hertz is the
standard unit for measuring frequencies, expressed as cycles or occurrences per
second. One GHz is equivalent to one thousand megahertz (MHz). GHz is commonly
used when discussing computer performance or radio frequencies. In computers, GHz
most often refers to the clock speed of the central processing unit (CPU).

Hardcopy:
A hardcopy is a printed copy of information from a computer. Sometimes referred to
as a printout, a hard copy is so-called because it exists as a physical object. When data
or softcopy is printed in human readable form on paper with the help of printer it is
called as hardcopy.

Hard disk:
Hard disc is a rigid magnetic disk mounted permanently in a drive unit.
A hard disk drive (HDD), commonly referred to as a hard drive or hard disk is a non-
volatile storage device which stores digitally encoded data on rapidly rotating platters
with magnetic surfaces. In other words Hard Disk is a fixed magnetic data storage
disk providing high-speed access for high-speed data processing.

Machine Cycle:
The steps performed by the computer processor for each machine language instruction
received. The machine cycle is a 4 process cycle that includes reading and interpreting
the machine language, executing the code and then storing that code.

The machine cycle consists of 4 steps-

1. The control unit fetch an instruction and data associated with it
from memory.
2. Control unit decodes the instructions.
3. Logic unit executes the instructions.
4. Logic unit store the result in the memory.

Page 2 / 107
Memory:
Memory is the electronic holding place for instructions and data that your computer's
microprocessor can reach quickly. When computer is in normal operation, its memory
usually contains the main parts of the operating system and some or all of the
application programs and related data that are being used.

Secondary Storage:
Secondary storage is also called auxiliary storage and is used to store data and
programs when they are not being processed. Secondary storage is more permanent
than main memory, as data and programs are retained when the power is turned off.
The needs of secondary storage can vary greatly between users. Secondary storage is
a data storage device that is not the main memory of a computer.

Input Devices:
Any device used to input data into the computer (keyboard, mouse, scanner, etc).
Input Devices are hardware devices that send information into the CPU.
The devices that send data or instructions to the processing unit to be processed in
useful information are called input devices. Without any input devices a computer
would simply be a display device and not allow users to interact with it, much like a
TV.

CPU:
CPU is an acronym that stands for central processing unit. The central processing unit
is responsible for performing all of the mathematical calculations that are required for
a computer to function properly. Because a computer cannot function without the
CPU (which may also be referred to as the central processor or just the processor), it
is not uncommon to hear people refer to the CPU as the "brains" of a computer.

Hardware:
The parts of a computer system that we can touch. They are mechanical, magnetic,
electronic, and electrical components making up a computer system.
In operation, a computer is both hardware and software. One is useless without the
other. The hardware design specifies the commands it can follow, and the software
instructions tell it what to do.
Examples of hardware are input devices like keyboards and mice, output devices
like printers and monitors, storage devices like disk drives, and the computer itself.

Software:
Written programs or procedures or rules and associated documentation pertaining
to the operation of a computer system and that are stored in read/write memory.
The programs used to direct the operation of a computer, as well as documentation
giving instructions on how to use them. Anything that is not hardware but is used with
hardware, esp. audiovisual materials, as film, tapes, records, etc.: a studio fully
equipped but lacking software.
Software can be thought of as the variable part of a computer and hardware the
invariable part. Software is often divided into application software (programs that do
work users are directly interested in) and system software (which includes operating
systems and any program that supports application software).

Page 3 / 107
Micro-Computer:
The term microcomputer is generally synonymous with personal computer (PC),
or a computer that depends on a microprocessor. Microcomputers are designed to be
used by individuals, whether in the form of PCs, workstations or notebook computers.
A microcomputer contains a central processing unit (CPU) on a microchip (the
microprocessor), a memory system (typically read-only memory and random access
memory), a bus system and I/O ports, typically housed in a motherboard.
A microcomputer is a computer with a microprocessor as its central processing
unit. Another general characteristic of these computers is that they occupy physically
small amounts of space when compared to mainframe and minicomputers.

PDA:
A personal digital assistant (PDA) is a handheld computer, also known as a
palmtop computer. or a handheld device that combines computing, telephone/fax,
Internet and networking features. A typical PDA can function as a cellular phone, fax
sender, Web browser and personal organizer. Unlike portable computers, most PDAs
began as pen-based, using a stylus rather than a keyboard for input. This means that
they also incorporated handwriting recognition features. Some PDAs can also react to
voice input by using voice recognition technologies. PDAs of today are available in
either a stylus or keyboard version.

Super Computers:
A supercomputer is a computer that performs at or near the currently highest
operational rate for computers. A supercomputer is typically used for scientific and
engineering applications that must handle very large databases or do a great amount
of computation (or both).

The term “supercomputer” was coined in 1929 by the New York World,
referring to tabulators manufactured by IBM. To modern computer users, these
tabulators would probably appear awkward, slow, and cumbersome to use, but at the
time, they represented the cutting edge of technology. This continues to be true of
supercomputers today, which harness immense processing power so that they are
incredibly fast, sophisticated, and powerful. The primary use for supercomputers is in
scientific computing, which requires high-powered computers to perform complex
calculations.

Computer Network-
A computer network is a group of computers that are connected to each other for the
purpose of communication. Networks may be classified according to a wide variety of
characteristics. A computer network allows computers to communicate with many
other computers and to share resources and information.

Difference between a LAN, a MAN, and a WAN:

A LAN (local area network) is a group of computers and network devices connected
together, usually within the same building. By definition, the connections must be
high speed and relatively inexpensive (e.g., token ring or Ethernet). Most Indiana
University Bloomington departments are on LANs. For more information on LANs,

A MAN (metropolitan area network) is a larger network that usually spans several
buildings in the same city or town. The IUB network is an example of a MAN.

Page 4 / 107
A WAN (wide area network), in comparison to a MAN, is not restricted to a
geographical location, although it might be confined within the bounds of a state or
country. A WAN connects several LANs, and may be limited to an enterprise (a
corporation or an organization) or accessible to the public. The technology is high
speed and relatively expensive. The Internet is an example of a worldwide public
WAN.

A LAN connection is a high-speed connection to a LAN. On the IUB campus, most

connections are either Ethernet (10Mbps) or Fast Ethernet (100Mbps), and a few
locations have Gigabit Ethernet (1000Mbps) connections.

Types of Networks:
Based on their scale, networks can be classified as-
• Local Area Network (LAN),
• Wide Area Network (WAN),
• Metropolitan Area Network (MAN),
• Personal Area Network (PAN),
• Virtual Private Network (VPN),
• Campus Area Network (CAN),
• Storage Area Network (SAN), etc.

Personal area network

A personal area network (PAN) is a computer network used for communication
among computer devices close to one person. Some examples of devices that are used
in a PAN are personal computers, printers, fax machines, telephones, PDAs, scanners,
and even video game consoles. Such a PAN may include wired and wireless
connections between devices. The reach of a PAN is typically at least about 20-30
feet (approximately 6-9 meters), but this is expected to increase with technology
improvements.

Campus area network

A campus area network (CAN) is a computer network made up of an interconnection
of local area networks (LANs) within a limited geographical area. It can be
considered one form of a metropolitan area network, specific to an academic setting.
In the case of a university campus-based campus area network, the network is likely
to link a variety of campus buildings including; academic departments, the university
library and student residence halls. A campus area network is larger than a local area
network but smaller than a wide area network (WAN) (in some cases). The main aim
of a campus area network is to facilitate students accessing internet and university
resources.

Global area network

A global area networks (GAN) specification is in development by several groups, and
there is no common definition. In general, however, a GAN is a model for supporting
mobile communications across an arbitrary number of wireless LANs, satellite
coverage areas, etc.

Page 5 / 107
Virtual private network
A virtual private network (VPN) is a computer network in which some of the links
between nodes are carried by open connections or virtual circuits in some larger
network (e.g., the Internet) instead of by physical wires. The data link layer protocols
of the virtual network are said to be tunneled through the larger network when this is
the case. One common application is secure communications through the public
Internet, but a VPN need not have explicit security features, such as authentication or
content encryption. VPNs, for example, can be used to separate the traffic of different
user communities over an underlying network with strong security features.

Internet
The Internet, sometimes called simply "the Net," is a worldwide system of computer
networks - a network of networks in which users at any one computer can, if they
have permission, get information from any other computer (and sometimes talk
directly to users at other computers).

The Internet consists of a worldwide interconnection of governmental, academic,

public, and private networks based upon the networking technologies of the Internet
Protocol Suite. It is the successor of the Advanced Research Projects Agency
Network (ARPANET) developed by DARPA of the U.S. Department of Defense. The
Internet is also the communications backbone underlying the World Wide Web
(WWW). The 'Internet' is most commonly spelled with a capital 'I' as a proper noun,
for historical reasons and to distinguish it from other generic internet works.
Participants in the Internet use a diverse array of methods of several hundred
documented, and often standardized, protocols compatible with the Internet Protocol
Suite and an addressing system (IP Addresses) administered by the Internet Assigned
Numbers Authority and address registries. Service providers and large enterprises
exchange information about the reach ability of their address spaces through the
Border Gateway Protocol (BGP), forming a redundant worldwide mesh of
transmission paths.

HTTP: Hypertext Transfer Protocol

In order to fetch a web page for you, your web browser must "talk" to a web server
somewhere else. When web browsers talk to web servers, they speak a language
known as HTTP, which stands for Hyper Text Transfer Protocol. This language is
actually very simple and understandable and is not difficult for the human eye to
follow.
A Simple HTTP Example

The browser says:

GET / HTTP/1.0
Host: www.ifsindia.in

And the server replies:

HTTP/1.0 200 OK
Content-Type: text/html

<head>
<title>Welcome IFS INDIA!</title>
</head>

Page 6 / 107
<body>
IFS INDIA home page appears here
</body>

Programming Language-
A vocabulary and set of grammatical rules for instructing a computer to perform
specific tasks, the term programming language usually refers to high-level languages,
such as BASIC, C, C++, COBOL, FORTRAN, Ada, and Pascal. Each language has a
unique set of keywords (words that it understands) and a special syntax for organizing
program instructions.

High-level programming languages, while simple compared to human languages, are

more complex than the languages the computer actually understands, called machine
languages. Each different type of CPU has its own unique machine language.

Lying between machine languages and high-level languages are languages called
assembly languages. Assembly languages are similar to machine languages, but they
are much easier to program in because they allow a programmer to substitute names
for numbers. Machine languages consist of numbers only.

Flow Chart:
A flowchart is a schematic representation of an algorithm or a process.
A graphical representation for the definition, analysis, or solution of a problem, in
which symbols are used to represent operations, data, flow, equipment, etc A problem
solving tool that illustrates a process. It can show the "as is" process or "should be"
process for comparison and should make waste evident

Basic Requirements of Networking/LAN:

Regardless of type, all LANs require special hardware. The usual parallel and serial
ports that come with personal computers are not fast enough for most uses on a LAN,
each desktop computer that will be networked on a LAN must have an Ethernet card,
which gives the desktop computer a third, very fast, type of communications port.

Once a desktop computer has an appropriate network card installed, it can be

connected to other computers through cables, hubs, and routers, so that the
information can flow from one to another as quickly as possible. Commonly, "LAN
hardware" also includes dedicated machines like file or print servers, which provide
LAN services to really make the network a LAN.

BASIC REQUIREMENTS FOR LAN:

- A decent computer/laptop
- A modem from an ISP
- A router
- Modem to Router to Computer/Laptop
- Routers typically now are wireless. They have an antenna.
- The back has a WAN port, so modem plugs in that, and 4 other ports for a
wired connection.

Page 7 / 107
 - If a router is wireless, the computer/laptop must have a wireless card or
adapter. If it uses a wire (Ethernet cable called RJ45 cable) that would go to
router, into the LAN port.

Characteristics of Storage Devices-

Capacity- Storage capacity must be larger than actual requirement
Performance and Speed- Performance/Speed should be good and faster
Quality- Should have good quality storage device
Reliability- Storage Device should be reliable to store sensitive data
Durability- Must be durable
Cost- Should be cheaper
Multi Purpose- Same storage device to store and back up
Installation- Easy to install
Size- Usually smaller in size
Security- Should have security Function
Compatibility/Support- Storage devices must be compatible with wide range

Difference between SAVE and SAVE AS

When you are working on a document, it is a good idea to save your work every
couple of minutes. In the File menu of the program, you will typically find the options
"Save" and "Save As..."

Choosing "Save" simply saves your work by updating the last saved version of the file
to match the current version you see on your screen.

Choosing "Save As..." brings up a prompt to save your work as a file with a different
name. For example, you might choose to save a document called "Paper - rev. 3" as
"Paper - rev. 4". This way, you can save you file at different stages and keep multiple
versions on your hard drive.

Choosing "Save" and then "Save As..." is also a good way to make a backup of your
file. Just be sure to rename the file something new when you choose "Save As..." or
you will overwrite the current saved version, just like choosing the "Save" command
would do.

"Save"

The "Save" command preserves a document on your computer, writing it to your hard
drive or a floppy disk so you can keep a copy of it or use it again later. You can use
"Save" to retain a document you've been working on for the first time, or after you've
made any changes to it.

The first time you ever save a document, it will ask you to name your document, and
to pick a place on your computer to store the document. From then on however, the
"Save" command doesn't ask you for a name or a place anymore. It simply re-writes
the document with any changes to your hard drive or floppy disk.

"Save As..."

Page 8 / 107
The "Save As.." command lets you use a document as a template for similar
documents, and/or lets you save different versions or different file types of the same
document without altering the original. This comes in handy when sending email
attachments to people with different versions of software than you, or different
software programs than what you use.

How does it do this? Instead of re-writing the changes on top of the original document
like "Save", the "Save As..." command allows you to turn the original document with
your new revisions, into a new document with a different name and/or storage
location.

In most programs, both the "Save" and the "Save As..." commands give you the
option of saving your document in several different file types.

Disk Image / Snap / Image: An accurate digital representation of all data contained
on a digital storage device (e.g., hard drive, CD-ROM, flash, memory, floppy disk,
Zip, Jaz). Maintains contents and attributes, but may include metadata such as hash
value, and audit information.

Deleted files: If a subject knows there are incriminating files on the computer, he or
she may delete them in an effort to eliminate the evidence. Many computer users
think that this actually eliminates the information. However, depending on how the
files are deleted, in many instances a forensic examiner is able to recover all or part of
the original data.

Data Wipe / Disk Wipe / Data remanence: It is the residual representation of data
that has been in some way nominally erased or removed. This residue may be due to
data being left intact by a nominal delete operation, or through physical properties of
the storage medium. (Secure Deletion of Data or Information beyond its recovery)

Analysis: To look at the results of an examination for its significance and probative
value to the case.

Examination: Technical review that makes the evidence visible and suitable for
analysis; tests performed on the evidence to determine the presence or absence of
specific data.

Suspect/Owner: A person who is suspected of something, in particular of committing

a crime; to imagine or suppose (something) to be true without evidence and Owner is
a person who owns system/computer/media etc...

Client: A person who seeks the advice or services of an expert or who request for
services. (Client may be a Person or Agency)

Write protection: Hardware or software methods of preventing data from being

written to a disk or other medium.

References: U.S. Department of Justice Office of Justice Programs National Institute

of Justice, Forensic Examination of Digital Evidence: A Guide for Law Enforcement

Page 9 / 107
 The types of computers range from the Hybrid to the Analog types. The
computers you come across in the daily course of your day range from laptops,
palmtops and towers, to desktop computers, to name a few. But the very word
“computers” reminds one of the desktop computers used in offices or homes.
Different categories of computes have been devised in keeping with our varied
needs.

The Types Of Computers: Analog and Hybrid (classification based on

operational principle)

• Analog Computers: The analog computer is almost an extinct type of

computer these days. It is different from a digital computer in respect that it
can perform numerous mathematical operations simultaneously. It is also
unique in terms of operation as it utilizes continuous variables for the purpose
of mathematical computation. It utilizes mechanical, hydraulic, or electrical
energy or operation.
• Hybrid computers: These types of computers are, as the name suggests, a
combination of both Analog and Digital computers. The Digital computers
which work on the principle of binary digit system of “0” and “1” can give
very precise results. But the problem is that they are too slow and incapable of
large scale mathematical operation. In the hybrid types of computers the
Digital counterparts convert the analog signals to perform Robotics and
Process control.

Apart from this, computers are also categorized on the basis of physical structures
and the purpose of their use. Based on Capacity, speed and reliability they can be
divided into three categories of computers:

1. The Mainframe Computer – These are computers used by large organizations

like meteorological surveys and statistical institutes for performing bulk
mathematical computations. They are core computers which are used for desktop
functions of over one hundred people simultaneously.

2. The Microcomputer – These are the most frequently used computers better
known by the name of “Personal computers”. This is the type of computer meant
for public use. Other than Desktop Computer the choice ranges as follows:

• Personal Digital Computer

• Tablet PC
• Towers
• Work Stations
• Laptops
• Hand Held Computer

3. The Mini computer – Mini computers like the mainframe computers are used by
business organization. The difference being that it can support the simultaneous
working of up to 100 users and is usually maintained in business organizations for
the maintenance of accounts and finances.

Page 10 / 107
Yet another category of computer is the Super Computers. It is somewhat similar
to mainframe computers and is used in economic forecasts and engineering
designs. Today life without computers is inconceivable. Usage of different types of
computers has made life both smooth and fast paced.

Different types of Computers

Based on the operational principle of computers, they are categorized as analog

computers and hybrid computers.

Analog Computers: These are almost extinct today. These are different from a
digital computer because an analog computer can perform several mathematical
operations simultaneously. It uses continuous variables for mathematical
operations and utilizes mechanical or electrical energy.

Hybrid Computers: These computers are a combination of both digital and

analog computers. In this type of computers, the digital segments perform process
control by conversion of analog signals to digital ones.

Following are some of the other important types of computers.

Mainframe Computers: Large organizations use mainframes for highly critical

applications such as bulk data processing and ERP. Most of the mainframe
computers have the capacities to host multiple operating systems and operate as a
number of virtual machines and can thus substitute for several small servers.

Microcomputers: A computer with a microprocessor and its central processing

unit is known as a microcomputer. They do not occupy space as much as
mainframes. When supplemented with a keyboard and a mouse, microcomputers
can be called as personal computers. A monitor, a keyboard and other similar input
output devices, computer memory in the form of RAM and a power supply unit
come packaged in a microcomputer. These computers can fit on desks or tables
and serve as the best choices for single-user tasks.

Personal computers come in a variety of forms such as desktops, laptops and

personal digital assistants. Let us look at each of these types of computers.

Desktops: A desktop is intended to be used on a single location. The spare parts of

a desktop computer are readily available at relative lower costs. Power
consumption is not as critical as that in laptops. Desktops are widely popular for
daily use in workplaces and households.

Laptops: Similar in operation to desktops, laptop computers are miniaturized and

optimized for mobile use. Laptops run on a single battery or an external adapter
that charges the computer batteries. They are enabled with an inbuilt keyboard,
touch pad acting as a mouse and a liquid crystal display. Its portability and
capacity to operate on battery power have served as a boon for mobile users.

Page 11 / 107
Personal Digital Assistants (PDAs): It is a handheld computer and popularly
known as a palmtop. It has a touch screen and a memory card for storage of data.
PDAs can also be effectively used as portable audio players, web browsers and
smart phones. Most of them can access the Internet by means of Bluetooth or Wi-
Fi communication.

Minicomputers: In terms of size and processing capacity, minicomputers lie in

between mainframes and microcomputers. Minicomputers are also called mid-
range systems or workstations. The term began to be popularly used in the 1960s
to refer to relatively smaller third generation computers. They took up the space
that would be needed for a refrigerator or two and used transistor and core memory
technologies. The 12-bit PDP-8 minicomputer of the Digital Equipment
Corporation was the first successful minicomputer.

Supercomputers: The highly calculation-intensive tasks can be effectively

performed by means of supercomputers. Quantum physics, mechanics, weather
forecasting, molecular theory are best studied by means of supercomputers. Their
ability of parallel processing and their well-designed memory hierarchy give the
supercomputers, large transaction processing powers.

Wearable Computers: A record-setting step in the evolution of computers was

the creation of wearable computers. These computers can be worn on the body and
are often used in the study of behavior modeling and human health. Military and
health professionals have incorporated wearable computers into their daily routine,
as a part of such studies. When the users’ hands and sensory organs are engaged in
other activities, wearable computers are of great help in tracking human actions.
Wearable computers are consistently in operation as they do not have to be turned
on and off and are constantly interacting with the user.

Page 12 / 107
Types of Anti-Viruses
Anti-virus programs are the most effective means of fighting viruses. But I would like
to point out at once that there are no anti-viruses guaranteeing 100 percent
protection from viruses. Any declarations about their existence may be considered to
be either an advertising trick or a sign of incompetence. Such systems do not exist,
because, for each anti-virus algorithm, it is always possible to suggest a virus counter
algorithm, making this particular virus invisible for this particular anti-virus
(fortunately, the opposite is also true: for any anti-virus algorithm, it is always
possible to create an anti-virus). Moreover, the impossibility of the existence of the
absolute anti-virus has been mathematically proved based on the theory of finite slot
machines - the author of this proof is Fred Cohen.
It is also necessary to pay attention to some terms used in anti-virus program
discussion:
False Positive - when an uninfected object (file, sector or system memory) triggers the
anti-virus program. The opposite term - False Negative - means that an infected object
arrived undetected.
On-demand Scanning - a virus scan starts upon user request. In this mode, the anti-
virus program remains inactive until a user invokes it from a command line, batch file
or system scheduler.
On-the-fly Scanning - all the objects that are processed in any way (opened, closed,
created, read from or written to etc.) are being constantly checked for viruses. In this
mode, the anti-virus program is always active, it is a memory resident and checks
objects without user request.

Which Anti-Virus Program is Better?

Which anti-virus program is the best? The answer is any program, if no viruses live in
your computer and you use only a reliable virus-free software source and no other.
However, if you like using new software or games, are an active e-mail user, using
Word or exchanging Excel spreadsheets, then you should use some kind of anti-virus
protection. Which one exactly - you should decide that for yourself, but there are
several points of comparison of different anti-virus programs.
The quality of anti-virus programs is determined by the following points, from the
most to least important:
1. Reliability and convenience of work - absence of anti-virus "hang ups" and
other technical problems, requiring special technical knowledge from a user.
2. Quality of detection of all major kinds of viruses, scanning inside document
files, spreadsheets (Microsoft Word, Excel, Office97), packed and archived files.
Absence of false positives. Ability to cure infected objects. For scanners (see below),
this means the availability of timely updates, which is the speed of tuning a scanner to
new viruses.
3. Availability of anti-virus versions for all the popular platforms (DOS,
Windows 3.xx, Windows95, WindowsNT, Novell NetWare, OS/2, Alpha, Linux etc.),
not only on-demand scanning, but also scanning on-the-fly capabilities, availability of
server versions with possibility for network administration.
4. Speed of work and other useful features, functions, bells and whistles.
Reliability of anti-virus programs is the most important criterion, because even the
"absolute anti-virus" may become useless, if it is not able to finish the scanning
process and hangs, leaving a portion of your disks and files unchecked, thereby
leaving the virus in the system undetected. The anti-virus may also be useless if it
demands some special knowledge from a user - most users are likely to simply ignore

Page 13 / 107
the anti-virus messages and press [OK] or [Cancel] at random, depending on which
button is closer to the mouse cursor at this time. And if the anti-virus asks an ordinary
user complicated questions too often, the user will most likely stop running such an
anti-virus and even delete it from the disk.
Virus-detection quality is the next item, for quite an obvious reason. Anti-virus
programs are called anti-virus, because their main purpose is to detect and remove
viruses. Any highly sophisticated anti-virus is useless if it is unable to catch viruses,
or does it with low efficiency. For example, if an anti-virus can not detect a certain
polymorphic virus with 100% success, then after the system has been infected with
this particular virus, such an anti-virus detects only part (say 99%) of all the infected
files in a system. As little as 1% of infected files will remain undetected, but when
this virus has infiltrated the system again, the anti-virus misses this 1% for the second
time, but this time this will be 1% of the 99% left from the previous time, i.e., 1.99%.
And so on until all the files become infected with the anti-virus being perfectly happy
about it.
Therefore, detection quality is the second most important criterion of anti-virus
quality; even more important than its multi-platform availability, various convenient
features and so on. However, if an anti-virus with high quality of detection causes lots
of false positives, then its level of usefulness drops significantly, because a user has to
either delete uninfected files or analyze suspicious files all by himself, or gets used to
these frequent false alarms and in the end misses the real virus warning (the boy who
cried wolf?).
Multi-platform availability is the next item on the list, because for each OS, only a
native for that OS program can make extensive use of these OS features. Non-native
anti-viruses are often not as useful or sometimes even destructive. For example the
"OneHalf" virus has infected a Windows95 or WindowsNT system. If you use a DOS
anti-virus for disk decryption (this virus encrypts disk sectors), the results may be
disappointing: the information on a disk will be damaged beyond repair, because
Windows95/NT would not allow the anti-virus to use direct sector reads/writes while
decrypting sectors, whereas a native Windows95 or NT anti-virus fulfills this task
flawlessly.
On-the-fly checking capability is also a rather important feature of an anti-virus.
Immediate, forced-virus checking of all incoming files and diskettes gives virtually a
100% guarantee of a virus free system, if, of course, the anti-virus is able to detect the
supposed viruses. Anti-viruses capable of continuous file-server health care (for
Novell Netware, Windows NT, and recently after massive invasion of macro viruses,
also for email servers, that is scanning all the incoming mail) are very useful. If a file
server version of an anti-virus contains network administration features, its value
increases even more.
The next important criterion is working speed. If full system check requires several
hours to complete, it is unlikely that most users are going to run it frequently. Also the
slowness of anti-virus does not imply that it catches more viruses or does it better than
its faster counterpart. Different anti-viruses utilize different virus scanning algorithms,
some being faster and of higher quality while another may be slower and not so of
such quality. Everything here depends on the abilities and competence of developers
of a particular anti-virus.
Various additional options are last in the anti-virus quality criteria list because very
often these options have no effect on overall usefulness. However these additional
options make user's life much easier and maybe push him to run anti-virus more often.

Page 14 / 107
Tips on Usage of Anti-Virus Programs
Always see that you have the latest antiviral software version available. If software
updates are available, check them for "freshness". Usually new versions of anti-
viruses are announced, so it is sufficient to visit the corresponding WWW/ftp/BBS
sites.
Anti-virus "nationality" in most cases does not matter, because, at the present time,
the processes of virus emigration to other countries and antiviral software
immigration is limited only by the speed of the Internet, so both viruses and anti-
viruses know no borders.
If a virus has been found on your computer, it is imperative not to panic (for those
who "meet" viruses daily, a remark like this may seem funny). Panicing never does
any good; thoughtless actions may result in bitter consequences.
If a virus is found in some newly arrived file(s) and has not infiltrated the system yet,
there is no reason to worry: just kill the file (or remove the virus with your favorite
antiviral program) and you may keep on working. If you have found a virus in several
files at once or in the boot sector, the problem becomes more serious, but still it can
be resolved - anti-virus developers are not drones.
Once more, you should pay attention to the term "false positive." If in some SINGLE
file "living" in your computer system for a long time some single anti-virus has
detected a virus, this is most likely a false positive. If this file has been run several
times, but the virus still has not crawled to other files, then this is extremely strange.
Try to check this file with some other anti-viruses. If all of them keep silent, send this
file to the research lab of the company that developed the anti-virus, which was
triggered by it.
However, if a virus has really been found in your computer, you should do the
following:
1. In the case of a file-virus detection, if the computer is connected to a network,
you should disconnect it from the network and inform the system administrator. If the
virus has not yet infiltrated the network, this will protect the server and other
workstations from virus attack. If the virus has already infected the server,
disconnection from the network will not stop the virus from infiltrating into your
computer again after its treatment. Reconnection to the network must be done only
after all the servers and workstations have been cured.
If a boot virus has been found, you should not disconnect your computer from the
network: viruses of this kind do not spread over it (except file-boot viruses, of
course).
If the computer is infected with a macro-virus, then instead of disconnecting from
network, it is enough to make sure that the corresponding editor (Word/Excel) is
inactive on any computer.
2. If a file or boot virus has been detected, you should make sure that either the
virus is non-resident, or the resident part of it has been disarmed: when started, some
(but not all) anti-viruses automatically disable resident viruses in memory. Removal
of a virus from the memory is necessary to stop its spreading. When scanning files,
anti-viruses open them; many resident viruses intercept this event and infect the files
being opened. As a result, the majority is infected because the virus has not been
removed from memory yet. The same thing may happen in the case of boot viruses -
all the diskettes being checked may become infected.
If the anti-virus you use does not remove viruses from memory, you should reboot the
computer from a known uninfected and well-written, protected system diskette. You
should do a "cold" boot (by pressing "Reset" or power "off/on"), because several

Page 15 / 107
viruses "survive" after a "warm" boot. Some viruses apply a technique allowing for
their survival even after the "cold" boot (see the "Ugly" virus for example), so you
should also check the item "boot sequence A:, C:" in the machine's BIOS to ensure
DOS boots from the system diskette and not from infected hard drive.
In addition to resident/non-resident capabilities, it is useful to make yourself
acquainted with other features of the virus: types of files it infects, its effects etc. The
only known source of such information, containing data of this kind on virtually all
known viruses, is "The AVP Virus Encyclopedia."
3. With the help of the anti-viral program, you should restore the infected files
and check them for functionality. At the same time or before treatment, you should
backup the infected files and print/save the anti-virus log somewhere. This is
necessary for restoring files in case the treatment proves to be unsuccessful due to an
error in anti-virus-treatment module, or because of an inability of this anti-virus to
cure this kind of virus. In this case, you will have to resort to the services of some
other anti-virus.
It is much more reliable, of course, to simply restore the backed up files (if available),
but, still, you will need to resort to an anti-virus - what if all the copies of the virus
haven't been destroyed, or some backed up files are infected, too?
It is worth mentioning that the quality of file restoration by many antiviral programs
leaves much to be desired. Many popular anti- viruses often irreversibly damage files
instead of curing them. Therefore, if file loss undesirable, you should execute all the
previous recommendations completely.
In the case of a boot virus, it is necessary to check all the diskettes to see whether they
are bootable (i.e., contain DOS files) or not. Even a completely blank diskette may
become a source of viral infection - it is enough to forget it in the drive and reboot (of
course, if a diskette boot is enabled in BIOS).
Besides the above-mentioned items, you should pay special attention to the cleanness
of modules, compressed with utilities like LZEXE, PKLITE or DIET, files inside
archives (ZIP, ARC, ICE, ARJ, etc.) and self-extracting data files (created by the likes
of ZIP2EXE). If you accidentally pack a virus in an infected file, it will be virtually
impossible to detect and remove the virus from it without unpacking. In this case, a
situation in which all the antiviral programs, unable to scan inside archives, report that
all disks are virus free (however, after some time, the virus re-emerges) will become
typical.
Colonies of viruses may infiltrate backup copies of software, too. Moreover, archives
and back-up copies are the main source of long known viruses. A virus may "sit" in a
distribution copy of some software for ages and then suddenly appear after software
installation on a new computer.
Nobody can guarantee removal of all copies of a computer virus, because a file virus
may attack not only executables, but also overlay modules not having COM or EXE
extensions. A boot virus may remain on some diskettes and appear suddenly after an
attempt to boot from it. Therefore, it is sensible to use some resident anti-virus
scanner continuously for some time after virus removal (not to mention that it's better
to a use scanner at all times).

Detection of an Unknown Virus

Detection of a TSR Virus

In this chapter, we discuss the situations in which a user suspects that his computer is
infected, but none of the anti-viruses known to him tested positive. How and where do

Page 16 / 107
you look for a virus? What tools are needed for this, what methods do you use and
what rules do you follow?
The very first rule is - don't panic. This will never do any good. You are neither the
first nor the last person whose computer has been infected. Besides, not every
computer malfunction is attributed to a virus. You should remind yourself of the 3 c's
more often - "cool, calm and collected." And viral infection is not the worst thing that
could happen to a computer.
If you are not sure yourself, ask a system programmer for help; he will locate the
virus and help remove it (if it is really a virus), or he might help find the reason for the
"strange" behavior of your computer.
You should not call anti-virus companies and ask, "I think I have a virus in my
computer. What should I do?". They will not be able to help you, because to remove a
virus, they need somewhat more information. For an anti-virus company to be of real
help, you should send them a sample of the virus - an infected file in case of a file
virus, or an infected diskette (or its image) in case of a boot virus. How to detect
infected files/disks will be discussed further.
Don't forget to boot up your computer from a backup copy of DOS on a virus-free and
write-protected diskette before running any kind of antiviral software, and use
subsequent programs only from diskettes. This is necessary to protect the system from
a resident virus, because it may block program execution or use the running to infect
the checked files/disks. Moreover, there are a lot of viruses that destroy data on disks
if they "suspect" that their code has been uncovered. This condition, of course, does
not apply to macro-viruses and disks partitioned in one of the new formats (NTFS,
HPFS) - after DOS boots up, such a disk becomes inaccessible for DOS programs.

Detection of a Boot Virus

As a rule, boot sectors of disks carry small programs, whose purpose is to determine
borders and sizes of logical disks (for MBR of hard drives) or operating system boot
up (for boot sector).
In the beginning, you should read the contents of the sector suspected of virus
presence. DISKEDIT from Norton Utilities or AVPUTIL from AVP Pro are best
suited for that.
Some boot viruses may be detected almost immediately by the presence of various
text strings (for example, the "Stoned" virus contains the strings: "Your PC is now
Stoned!", "LEGALISE MARIJUANA!"). Some boot viruses infecting hard disks may
be found in the opposite way, by the absence of strings, which must be in the boot
sector. Such strings are: system file names (for example, "IO SYSMSDOS SYS") and
error message strings. Absence of or change in a header string of the boot sector (the
string containing the DOS version number or software vendor name, e.g.,
"MSDOS5.0" or "MSWIN4.0") may also be a signal of viral infection, but only if the
computer does not have Windows95/NT installed - these systems, for reasons
unknown, record random text string into a diskette's boot sector header.
Standard MS-DOS loader located in MBR occupies less than half a sector, and many
viruses infecting the MBR of a hard drive are easily spotted by an increase in the size
of the code in MBR sector.
However, there also are viruses, which infiltrate the loader without changing its text
strings and with minimum changes to the loader code. To detect such a virus, in most
cases, it is sufficient to format a diskette on a 100% uninfected computer, save its
boot sector as a file, use this diskette for some time on the infected computer
(read/write several files) and afterwards compare its current boot sector with the

Page 17 / 107
original one on an uninfected computer. If the boot code underwent some changes,
then the virus has been caught.
Also, there are viruses using more complicated infecting techniques, for example,
changing as little as 3 bytes of the Disk Partition Table, corresponding to the address
of the active boot sector. To identify such a virus, it is necessary to explore boot
sector codes in greater detail, up to the complete analysis of its code algorithm.
These arguments are based on the fact that standard loaders (programs saved by the
operating system in boot sectors) employ standard algorithms for the loading of an
operating system and are implemented in accordance with this system's standards.
However, if the disks have been formatted with utilities other than standard DOS (for
example, Disk Manager), then, when detecting a virus in them, one should analyze the
operating algorithm and implementation of loaders created by such a utility.

Detection of a File Virus

As already mentioned, viruses are divided into resident and non-resident. Resident
viruses found so far stood out for their much greater craftiness and sophistication in
comparison with non-resident. Therefore, we shall discuss the simplest case for
starters - attack of an unknown non-resident virus. Such a virus activates itself upon
starting of any infected programs, does all it has to, passes control to the host program
and afterwards (unlike resident viruses) does not interfere with its work. To detect
such a virus, it is necessary to compare file size on disks and in backup copies (the
reminder about the importance of keeping such copies has already become
commonplace). If this doesn't help, you should do a byte comparison of distribution
copies with the working copies you use. At the present, there are many such
programs, the simplest of them (COMP utility) can be found in DOS.
One may also examine a hex dump of executables. In some cases, it is possible to
immediately detect viral presence by some text strings residing in its code. For
example, many viruses contain strings ".COM", "*.COM", ".EXE", "*.EXE", "*.*",
"MZ", "COMMAND" etc. These strings may often be found at the top or end of the
infected files.
There is yet one more method for the visual detection of a virus in a DOS file. It is
based on the fact that executables, the source code of which was in a high level
programming language, have a quite definite inside structure. In the case of Borland
or Microsoft C/C++ program, the code segment is at the very beginning of a file,
immediately followed by the data segment containing a copyright notice with the
name of a compiler vendor company at the beginning. If the data segment in the dump
is followed by one more code segment, then it might very well be that the file is
infected with a virus.
The same is true for the most part of the viruses, whose target is Windows and OS/2
files. In these, OS executables have the following standard order of segments: code
segment(s) followed by data segments. If a data segment is followed by one more
code segment, it may be the sign of the presence of a virus.
If a user is familiar with the assembly language, he may try to figure out the code of
suspicious programs. For a quick look, most suitable are the following utilities: HIEW
(Hacker's View) or AVPUTIL. For more detailed analysis, one will require
disassembly software - Sourcer or IDA.
It is recommended to run one of the resident antiviral behavior blockers and follow its
messages about "suspicious" actions of programs (writes to COM or EXE files, writes
to absolute disk addresses etc.). There are blockers not only intercepting such actions,
but also displaying messages about the originating addresses of such calls (AVPTSR

Page 18 / 107
is one such blocker). Having discovered such a message, one should find out what
program caused it and analyze its code with the help of a resident disassembler (for
example, AVPUTIL.COM). Tracing the interruptions, INT 13h and 21h are often a
great help in the analysis of TSR programs.
One must note that the resident DOS blockers often are powerless when working in a
DOS window under Windows95/NT, because Windows95/NT allows viruses to work
bypassing the blocker (and the rest TSR programs with it). DOS blockers are also
unable to stop the spreading of Windows viruses.
The above methods of detection of file and boot viruses are suitable for most resident
and non-resident viruses. But these methods fail if a virus is Stealth by design, which
renders useless the majority of modern resident blockers, file comparison and sector
read utilities.

Detection of a Macro Virus

Characteristic features of macro-viruses are:
• Word: inability to convert an infected Word document to another format.
• Word: infected files have the Template format, because when infecting, Word
viruses convert files from the Word Document format to Template format.
• Word 6 only: inability to save a document to another directory or disk with the
"Save As" command.
• Excel/Word: "alien" files are present in the STARTUP directory
• Excel versions 5 and 7: Cookbooks contain redundant and hidden Sheets.
To check the system for viral presence, you may use the Tools/Macro menu item. If
"alien" macros have been found, they may belong to a virus, but this method fails in
the case of Stealth viruses, which disable this menu item, which in itself is sufficient
to consider the system infected.
Many viruses contain errors or work incorrectly in various versions of Word/Excel,
resulting in Word/Excel error messages, for example:
WordBasic Err = Error number

If such a message appears while editing a new document or table, and you definitely
do not use-run any user macros, then this may also serve as a sign of system infection.
Changes in Word, Excel and Windows system configuration files are also a sign of
possible infection. Many viruses change menu items under "Tools/Options" in one
way or another - enabling or disabling the following functions: "Prompt To Save
Normal Template," "Allow Fast Save," "Virus Protection." Some viruses set file
passwords after infecting them, and a lot of viruses create new sections and/or options
in the Windows configuration file (WIN.INI).
Of course, such obvious facts such as appearing messages or dialogues with strange
contents or in a language other than the default for this installation are also signs of
virus.

Prophylaxis of Computer Infection

One of the major methods of fighting computer viruses, like in medical science, is
timely prophylaxis or preventive measures. Computer preventive measures suggest
following a small set of rules, allowing to lower considerably the possibility of virus
infection and data loss.

Page 19 / 107
To define the main rules of computer hygiene, it is necessary to find out the main
ways of virus intrusion into computer and computer network.

Where do Viruses Come From

Global Access Networks and EMail

Today one of the primary sources of viral infection is the Internet. The most part of
cases of infection takes place while exchanging messages in the Word/Office97
formats. The unsuspecting user of an infected by macro virus editor software sends
infected letters to addressees, who in their turn send new infected letters and so on.
Let's suppose that the user is engaged in email exchange with five addressees. After
sending an infected message all the five computers that receive these become
infected:
+-----+
|.....|
+-+-----+-+ --+--------+-------------+-------------+-------------+
+---------+ | | | | |
| V V V V
+-----+<+ +-----+ +-----+ +-----+ +-----+
| | | | | | | | | |
+-+-----+-+ +-+-----+-+ +-+-----+-+ +-+-----+-+ +-+-----+-+
+---------+ +---------+ +---------+ +---------+ +---------+

After that, five more infected letters are sent from each infected computer. One of
them returns to the computer which is already infected, the other 4 are sent to new
addressees:
^ ^ ^ ^ ^
| +-----+ | +-----+ | +-----+ | +-----+ | +-----+
+----|.....| +---|.....| +---|.....| +---|.....| +---|.....|
| +-+-----+-+ | +-+-----+-+ | +-+-----+-+ | +-+-----+-+ | +-+-----+-+
| +---------+ | +---------+ | +---------+ | +---------+ | +---------+
+--> +--> +--> +--> +-->
+--> +--> +--> +--> +-->
+--> +--> +--> +--> +-->
+--> +--> +--> +--> +-->

Therefore, on the second level of exchange we have as much as 1+5+20=26

computers. It addressees exchange letters once a day, then by the end of the working
week (five days) a minimum of 1+5+20+80+320=426 computers will become
infected. It's easy to calculate that in ten days more than 100,000 computers may
become infected! Moreover this number is likely to become four times that large with
each passing day.
This is the most common case of virus spreading registered by anti-virus companies.
Often enough an infected document file or Excel spreadsheet may get into business
mailing lists of large companies. In this case not 5 but hundreds and even thousands
of subscribers become victims of such mailings, who in turn may then send infected
files to tens of thousands of theirs subscribers.

Page 20 / 107
Email Conferences, File Servers, FTP and BBS
General access file servers and email conferences are also one of the main sources of
virus spreading. Virtually every week there appear messages that some user infected
his computer with a virus which had been downloaded from a BBS system, FTP
server, or emailed to some Usenet group.
Often enough authors of viruses upload infected files to several BBS/FTP sites, or are
sent to several groups simultaneously, often these files are camouflage as new
versions of some software (sometimes as new versions of anti-virus software).
In case of mass virus outflows to BBS/FTP file servers thousands of computers main
visually simultaneously become infected, but in most cases DOS or Windows viruses
are uploaded, which in most cases have much lower speed of spreading then macro
viruses have. For this reason incidents like this virtually never lead to mass epidemics,
which is not so for macro viruses.

Local Access Networks

The third way of "fast infection" is via local access networks. If no necessary safety
measures are taken, an infected workstation after logging on to a network infects one
or several system utility files on a network server (LOGIN.COM in case of Novell
NetWare):
+---+
| | <----------------+-------------+-------------+-------------+
| | ^ | | | |
| | +-----+ | | | | |
| || || | | | |
+---+ +-----+ | | | | |
| | | | |
+-----+ | +-----+ +-----+ +-----+ +-----+
|.....| + | | | | | | | |
+-+-----+-+ +-+-----+-+ +-+-----+-+ +-+-----+-+ +-+-----+-+
+---------+ +---------+ +---------+ +---------+ +---------+

The next day when users log on to the network, they run infected files from server,
and therefore the virus is granted access to users' workstations:
+---+
|...| --------+--------+-------------+-------------+-------------+
|...| | | | | |
|...| +-----+ | | | | |
|...| | | | | | | |
+---+ +-----+ | | | | |
| V V V V
+-----+ | +-----+ +-----+ +-----+ +-----+
|.....| + | | | | | | | |
+-+-----+-+ +-+-----+-+ +-+-----+-+ +-+-----+-+ +-+-----+-+
+---------+ +---------+ +---------+ +---------+ +---------+

Instead of LOGIN.COM utility there may be other software, residing on the server,
such as standard document templates or Excel spreadsheets used by company
employees, etc.

Page 21 / 107
Pirated Software
Illegal copies of software, as it has always been, are one of the main "danger zones".
Often piracy software on diskettes and even on CDs contains files, infected with all
kinds of viruses.

General Access Personal Computers

Computer systems installations in educational institutions also present danger. If one
of the students infected such an installation with virus, brought by him on a diskette,
then all the other students using this computer will also get the parasite on their
diskettes.
The same goes for home computers too, is more than one person uses them. There
offer arise situations when a son or a daughter, being students and working on a multi-
user computer in college or school, acquire viruses from there and take them to home
computer, from which it gets into a computer network of Dad's or Mom's company.

Repair Services
Cases like that are seldom but still possible, when a computer is infected while being
repaired. Repair personnel are also humans and are prone to negligence to basic rules
of computer security. Having once forgotten to write protect one of his floppies, such
person will pretty soon spread the viruses to computers of his clients and most likely
will lose them (clients).

Recovery of Affected Objects

In most cases of viral infection the procedure of recovery of infected files and disks
means running a suitable anti-virus capable to disinfect the system. However, if the
virus is not known to any anti-virus, it is enough to send the infected file to anti-virus
developer companies, and in some time (usually several days or weeks) receive the
cure updates for this virus. But if time presses, you will have to disinfect the virus
yourself.

Recovery of Word Document and Excel Spreadsheets

To disinfect Word and Excel it is enough to save all the necessary information in non-
document and nonspreadsheet format - RTF text format is most suitable for this
purpose, it contains virtually all the information from original documents but does not
contain macros. Then you should exit Word/Excel, delete all the infected Word
documents, Excel spreadsheets, Word's NORMAL.DOT file and all the
documents/spreadsheets in start-up directories of Word/Excel. After that you should
run Word/Excel and recover documents/spreadsheets from RTF files.
As a result of this procedure, the virus will be deleted from system, and all the
information will remain virtually unchanged. But this method has several
disadvantages. The main one is that the process of converting documents and
spreadsheets to RTF format and back might be very time-consuming for large number
of files. Besides that in case of Excel it is necessary to convert each sheet in each
Excel file separately. Another drawback is the loss of all non-virus macros used in
work. Therefore before beginning the described procedure one should save their
source text, and after disarming the virus restore the necessary macros in their original
form.

Page 22 / 107
Boot Sector Recovery
Boot sector recovery in most cases is rather simple and can be done with the help of
DOS SYS command (for boot sectors of diskettes and logical disks of hard drives) or
with the help of the FDISK /MBR command (Master Boot Record of hard drives). Of
course one might use the FORMAT command, but virtually in all cases SYS will do.
One should keep in mind, that sector recovery must be done only under the condition
of absence of virus in RAM. If RAM copy of virus has not been disarmed, then it is
quite possible, that the virus will repeatedly infect diskette or hard drive after the
removal of viral code (even if you use the FORMAT utility).
Also you should be very careful while using FDISK /MBR. This command rewrites
completely the code of the system loader routine and does not change the Disk
Partition Table. FDISK /MBR is a 100 percent successful cure for most boot viruses,
however, if the virus encrypts the Disk Partition Table or uses nonstandard methods
of infection, FDISK /MBR may result in complete loss of information on disk.
Therefore before running FDISK /MBR make sure that the Disk Partition Table is
intact. To do so boot to DOS from an uninfected diskette and check the validity of this
Table (the most suitable program for this purpose is Norton Disk Editor).
But if sector recovery with the help of SYS/FDISK is impossible, usually figure out
the operating algorithm of the virus, find the original boot/MBR sector on disk and
move it to the proper place (Norton Disk Editor or AVPUTIL suit for this best).
Doing that you should constantly keep in mind that when rewriting system loaders
you must be extra careful, because incorrect adjustment of the MBR or boot sector
may result in total loss of all the information on disk(s).

File Recovery
In the vast majority of cases recovery of infected files is complicated enough. This
procedure is impossible to be carried out by hand without the necessary knowledge -
executable file formats, assembly language, etc. Besides that usually several dozens or
hundreds of files become infected at once, and disarm them it is necessary to create
and anti-virus program of your own (or you may also use the features of anti-virus
database editor from the AVP package versions 2.x).
When curing files you should consider the following rules:
• it is necessary to test and cure all the executable files (COM, EXE, SYS,
overlays) in all the directories of all disks irrespective of file attributes (that is read-
only, system and hidden);
• it is desirable to keep file attributes and the date of last modification
unchanged;
• the possibility of multiple infections of one file must be regarded (virus
"sandwich").
The treatment of the file itself in most cases is carried out by one of several standard
methods, depending on the algorithm of multiplication of virus. In most cases file
header recovery and size adjustment do the job.

RAM deactivation
The RAM deactivation procedure, like treatment of infected files, requires some
knowledge of OS and assembly language expertise.
While treating RAM it is necessary to detect where the virus goes and change them in
such a way that the virus could not prevent the anti-virus program from working
further - "disable" the infection and Stealth routines. To do this it is required to have a
complete analysis of the virus code done, because the infection and Stealth routines

Page 23 / 107
may be situated in different areas of the virus, duplicate each other and take control
under different circumstances.
In most cases to deactivate memory it is enough to "cut off" those interrupts that are
intercepted by virus: INT 21h in case of file viruses and INT 13h in case of boot
viruses (of course there are viruses intercepting other interrupts or several interrupts at
once). For example, if the virus infects files upon opening, then this may look
approximately so:
Virus code Deactivated virus code
---------- ----------------------
.... ..... .... .....
80 FC 3D CMP AH,3Dh 80 FC 3D CMP AH,3Dh
74 xx JE Infect_File 90 90 NOP, NOP
E9 xx xx JMP Continue E9 xx xx JMP Continue
.... ..... .... .....
When deactivating a TSR copy of the virus it is imperative to remember, that the virus
might take special precautions for recovery of its own code (for example, some
viruses of the "Yankee" family restore themselves using the method of error-
correcting encoding), and in this case the mechanism of self recovery of the virus
must also be neutralized. Besides that several viruses calculate the CRC of their
resident copy and reboot the computer or erase disk sectors, if the calculated CRC
differs from the original value. In this case the CRC calculation routine must also be
"disarmed".

Virus Algorithm Analysis

The most suitable object for keeping and analyzing a virus is a file containing the
virus body. In practice, when analyzing a file virus, it is convenient to have several
different infected, but not-too-large-in size, files. It is also desirable to have infected
files of all types (COM, EXE, SYS, BAT, NewEXE) that this virus can infect. If it is
necessary to analyze a part of the RAM, then with the help of some utilities (for
example, AVPUTIL.COM), it is rather easy to simply mark the area where the virus
is and copy it to a disk. If, however, analysis of the MBR or boot sector is required,
you may copy them to files with the help of popular Norton utilities or AVPUTIL.
The most suitable form of keeping a boot virus is an image file of the infected disk.
To create this file, it is necessary to format a diskette, infect it with virus, copy that
diskette's image (all sectors, starting from 0 and off to the very last one) to file and, if
necessary, to compress it (this procedure can be done with the help of Norton
Utilities, TELEDISK or DISKDUPE programs).
The infected files or image files of infected diskettes should be e-mailed to anti-virus
program developers, or at least by conventional mail on diskettes. However, if this
might take a lot of time, confident users may try to figure the virus out and create an
anti-virus of their own.
While analyzing the virus algorithm, the following has to be ascertained:
• the virus' means of multiplication;
• possible kinds of damage to disk information inflicted by virus;
• method of RAM and infected files (sectors) treatments and cure.
In solving these problems, one should not work without a disassembler or debugger
(for example, AFD, AVPUTIL, SoftICE, TurboDebugger debuggers or Sourcer or
IDA disassemblers).

Page 24 / 107
Both debuggers and disassemblers have their strong points and drawbacks. Everybody
chooses what's best for him. Small uncomplicated viruses may quickly be "cracked"
by the standard DEBUG DOS command; but it is impossible to analyze highly
sophisticated and bulky polymorphic Stealth viruses without a disassembler. If it is
necessary to find a fast method of restoring all infected files, it is sufficient to trace
the beginning of a virus using a debugger are to the point where the virus restores the
loaded program before passing control to it (in fact, this particular algorithm is most
commonly used when curing viruses). If it is required to receive a detailed virus-
operation feature, or a well documented listing, then hardly anything will help except
for Sourcer or IDA disssemblers with their capability of restoring cross references.
Apart from that, it is necessary to remember that first of all, some viruses can
successfully block attempts at tracing them; and second of all, while working with a
debugger, there is some probability that a virus might take control.
To analyze a file virus, it is necessary to find out which files (COM, EXE, SYS) are
targeted by the virus, into which area(s) of file is the virus code saved: at the top, end
or middle of a file; an how completely a file can be restored, in what place does the
virus keep the information to restore.
When analyzing a boot virus, the main problem is finding out the address(es) of the
sector(s) in which the virus saves the original boot sector (if, of course, the virus saves
it at all).
For a resident virus, it is also necessary to determine the code fragment, creating a
resident copy of the virus, and to calculate possible addresses of entry points to the
interrupting vectors intercepted by the virus. It is also necessary to determine by what
means and where in the RAM a virus reserves a place for its resident copy: whether
the virus records itself at fixed addresses in DOS and BIOS system areas, decreases
memory size reserved for DOS (a WORD at [0000:0413]), creates a special MCB
block for itself or uses some other method.
There are special cases, when analysis of the virus may turn out to be a problem too
complicated for a user to handle, for example, the analysis of a polymorphic virus. In
this case, it is better to turn to an expert program code analyst.
To analyze macro-viruses, it is necessary to obtain the source texts of their macros.
For non-encrypted, non-Stealth viruses, this is achieved with the help of the menu
item "Tools/Macro." However, if the virus encrypts its macros or uses a Stealth
technique, it is necessary to use special macro viewing utilities. Such utilities may be
found among the products of virtually any anti-virus development company, but they
are for internal use only and are not distributed outside the company.
Nowadays, there are several known shareware programs for macro viewing. They are
Perforin, LWM, and HMVS, but so far, not all of them support the Office97 formats.

The Main Rules of Protection

Rule No. 1
Be very careful with programs and documents of Word/Excel received from global
access networks. Before executing a file or opening a document/spreadsheet/database
be sure to check them for viruses.
Use customized anti-viruses to check all the file coming via email and Internet on the
fly. To my regret so far I don't know any anti-virus program capable of reliably detect
and kill viruses in files received via Internet, but they may very well appear in the
near future.

Page 25 / 107
Rule No. 2 - Local Access Network Protection
To lower the risk of infecting files on the server network administrators have to make
extensive use of standard network security features: user access restrictions; setting
"read-only" or even "execute only" attributes for all that executables (unfortunately
this may not always be possible) etc.
Use customized anti-viruses, checking the files in use on the fly. It for some reason
this is impossible, run conventional anti-virus programs on server disks regularly.
The risk of computer network infection becomes considerably lower in case of use of
diskless workstations.
It is a good idea before running some new software on the network to test it on a
stand-alone trial computer, not connected to network.

Rule No. 3
It is better to buy software distribution packages from official vendors and copy them
for free or almost for free from other sources or buy piracy copies. This way the risk
of infection is considerably lower, although there are known cases of purchase of
infected distribution packages.
As a consequence from this rule goes the necessity of keeping distribution copies of
software (including copies of operating system), and preferably on write protected
diskettes.
Also use only well established source of software and other files, although this is not
always helpful (for example for a long time on the Microsoft WWW server there has
been a document infected with "Wazzu" macro virus). Apparently the only reliable
sites from the point of view of virus protection are BBS/ftp/WWW sites of anti-virus
development companies.

Rule No. 4
Try not to run unchecked files including those received via computer network. Use
only those programs received from reliable source. Before running the programs be
sure to check them by one or several anti-virus programs.
Even if, none of the anti-virus programs was triggered by the file, downloaded from a
BBS or newsgroup, don't hurry to run it. Wait for a week; it is possible that this file is
infected with some new unknown virus, in that case somebody else might "step into
it" before you and inform about it.
It is also desirable to have some kind of a resident anti-virus monitor when working
with some new software. If executed program is infected by virus, such a monitor will
have to detect virus and prevent it from spreading.
All this leads to necessity of limiting of a number of persons using a particular
computer. Multi-user personal computers are generally most prone to infection.

Rule No. 5
Use validation and data integrity checking utilities. Such utilities the special databases
of disks system areas (or keep the entire system areas in databases) and file
information (check sums, sizes, attributes, last modification dates etc.). You should
periodically compare such database information with actual hard drive contents,
because any inconsistency might be a signal of presence of a Trojan horse or virus.

Page 26 / 107
Rule No. 6
Backup your working files periodically. The expenses of backups of all your source
code files, database files, document files etc. are much lower than the expenses of
restoring these files in case of a virus attack or a computer malfunction.
If you have a streamer or other mass storage device, then it makes sense to backup all
the hard drive's contents. The duty and the fact that such a backup copy needs a lot of
time to be the created, it makes sense to make such backups less often.

Other Rules
If there is no need to boot the system from a floppy drive everyday, set the boot order
in BIOS Setup as "C:, A;". This will protect your computer from boot viruses reliably.
Do not rely on the built-in BIOS virus protection, many viruses pass it by with the
help of different techniques.
The same goes for anti-virus protection, which is built into Word and Office 97. This
protection can also be disabled by virus or by user (because it may be a nuisance).

Page 27 / 107
 CYBER
(CYBER FORENSICS, CYBER LAW, CYBER CRIME AND CYBER SECURITY)

Cyber crime contains all criminal offences which are committed with the aid of
communication devices in a network. This can be the Internet, the telephone line and
the mobile network etc.

Every user and expert should aware about new happenings and issues related
to cyber crimes and cyber security. The challenge for cyber forensic expert is to
detect, collect and protect digital evidences in such a manner that its evidentiary value
is preserved and admissible in court. Security Auditing is accurate and reliable
technique which often acceptable in any court. This digital evidence can reveal many
things: what files were accessed, when and by whom; what files were modified, when
and by whom; and what Internet sites have been visited, and which of those are stored
in cache memory to name only a few. The operating system creates this evidence in
part for the purpose of facilitating file access and speeding access to Internet sites
often visited. From a purely functional standpoint, such evidence can be a valuable
feature. However when a person utilizes a computer to commit a crime, this trail
serves another valuable purpose as a pathway to evidence. All these evidences are
covered in Security monitoring and help to Cyber Forensics Expert to focus on point
of attack, affected area and detailed activity report of cyber criminal on system.

A security hole allows somebody into computer via Internet connection. Big
holes allow them to take over computer completely. Little holes maybe give access to
the contents of clipboard or the last password entered. Currently, most personal
computers are not secure. With the right bit of code hidden on a Web page, it's
possible to download cookies from a user's computer.

Security is important from server side to client side, developer to end-user, means
everyone and everywhere. Government, Small, medium and large enterprise IT
managers are increasingly challenged by an ever-growing list of cyber threats.
Security is very important because it is independent of age group, gender, social class,
field and place. Exactly the question now is how to manage so many different types of
security solutions?

According to the Internet Fraud Complaint Center (IFCC), a partnership between the
Federal Bureau of Investigation (FBI) and the National White Collar Crime Center,
between May 2000 and May 2001, its first year of operation, the IFCC Web site
received 30,503 complaints of Internet fraud.

According to the Computer Security Institute’s Computer Crime and Security Survey
for 2001, conducted in conjunction with the FBI’s Computer Intrusion Squad, 186
responding corporations and government agencies reported total financial losses of
over US$3.5 million, due primarily to theft of proprietary information and financial
fraud.

According to a Symantec study, 20 percent of malicious activities in the world

originated from the Asia-Pacific region during the second half of 2006. Symantec also
observed an average of 19,095 active bot-infected computers per day in the Asia-

Page 28 / 107
Pacific region. Overall, spam made up 69 percent of all Symantec-monitored e-mail
traffic in the Asia Pacific region.

Hacking:
“Hacker” is a term commonly applied to a “computer user who intends to gain
unauthorized access to a computer system.” Hackers are skilled computer users who
penetrate computer systems to gain knowledge about computer systems and how they
work.

Hacking in simple terms means an illegal intrusion into a computer system

and/or network. Every act committed towards breaking into a computer and/or
network is hacking. Hackers write or use ready-made computer programs to attack the
target computer. They possess the desire to destruct and they get the kick out of such
destruction. Some hackers hack for personal monetary gains, such as to stealing the
credit card information, transferring money from various bank accounts to their own
account followed by withdrawal of money. They extort money from some corporate
giant threatening him to publish the stolen information which is critical in nature.

Cracking:
There is an equivalent term to hacking i.e. cracking, but from Indian Laws
perspective there is no difference between the term hacking and cracking.

A “cracker” is a hacker with criminal intent. According to The Jargon

Dictionary, the term began to appear in 1985 as a way to distinguish “benign” hackers
from hackers who maliciously cause damage to targeted computers. Crackers
maliciously sabotage computers, steal information located on secure computers, and
cause disruption to the networks for personal or political motives.

Phishing:
The act of sending an e-mail to a user falsely claiming to be an established
legitimate enterprise in an attempt to scam the user into surrendering private
information, that will be used for identity theft. The e-mail directs the user to visit a
Web site where they are asked to update personal information, such as passwords and
credit card, social security, and bank account numbers, that the legitimate
organization already has. The Web site, however, is bogus and set up only to steal the
user’s information.

Credit Card Fraud:

The unauthorized and illegal use of a credit card to purchase property, Credit
card fraud is also an adjunct to identity theft.

Net Extortion:
Copying the company’s confidential data in order to extort said company for
huge amount

Denial of service Attack:

This is an act by the criminal, who floods the bandwidth of the victim’s
network or fills his e-mail box with spam mail depriving him of the services he is
entitled to access or provide

Page 29 / 107
IRC Crime:
Internet Relay Chat (IRC) servers have chat rooms in which people from
anywhere the world can come together and chat with each other.

Virus Dissemination:
Malicious software that attaches itself to other software, (virus, worms, Trojan
Horse, Time bomb, Logic Bomb, Rabbit and Bacterium are the malicious

Software Piracy:
Theft of software through the illegal copying of genuine programs or the
counterfeiting and distribution of products intended to pass for the original.

Cyber Stalking:
Cyber Stalking can be defined as the repeated acts harassment or threatening
behavior of the cyber criminal towards the victim by using internet services.

Viruses:
A virus is a man-made computer program that infects a file or program on
computers. Each time the infected program is run, the virus is also triggered. It
replicates or spreads itself by infecting other programs on the same computer.

A computer program that replicates on computer systems by incorporating itself into

shared programs. Viruses range from harmless pranks, that merely display an
annoying message to programs that can destroy files or disable a computer altogether.
Whether they're considered malicious or malevolent, all viruses spread rapidly

Worms:
A worm is also a man-made program that replicates itself. However, unlike a
virus, it does not infect other program files on the computer. Instead, a worm can
spread itself automatically to other computers. Cleverly, it does this by sending a copy
of itself through email, over a network and via Internet Relay Chat (IRC) to other
computers.

Malware:
Malware is a software or code, which is intended to do damage to other users
or computers. Different types of malware can be, for example, viruses, Trojan horses,
spyware or adware.

Adware:
Adware is software that presents banner ads or in pop-up windows through a
bar that appears on a computer screen. Those advertising spots usually can't be
removed and are consequently always visible. The connection data allow many
conclusions on the usage behavior and are problematic in terms of data security.

Backdoors:
A backdoor can gain access to a computer by going around the computer access
security mechanisms. A program that is being executed in the background generally
enables the attacker almost unlimited rights. User's personal data can be spied with the
backdoor's help, but are mainly used to install further computer viruses or worms on
the relevant system.

Page 30 / 107
Boot viruses:
The boot or master boot sector of hard drives is mainly infected by boot sector
viruses. They overwrite important information necessary for the system execution.

Bot-Net:
A Bot-Net is collection of software bots, which run autonomously. A Bot-Net
can comprise a collection of cracked machines running programs (usually referred to
as worms, Trojans) under a common command and control infrastructure. Boot-Nets
server various purposes, including Denial-of-service attacks, etc., partly without the
affected PC user's knowledge. The main potential of Bot-Nets is that the networks can
achieve dimensions on thousands of computers and its bandwidth sum bursts most
conventional Internet accesses.

Dialer:
A dialer is a computer program that establishes a connection to the Internet or
to another computer network through the telephone line or the digital ISDN network.
Fraudsters use dialers to charge users high rates when dialing up to the Internet
without their knowledge.

Honeypot:
A honeypot is a service (program or server), which is installed in a network. It
has the function to monitor a network and to protocol attacks. This service is
unknown to the legitime user - because of this reason he is never addressed. If an
attacker examines a network for the weak points and uses the services which are
offered by a Honeypot, it is protocolled and an alert sets off.

Keystroke logging:
Keystroke logging is a diagnostic tool used in software development that
captures the user's keystrokes. It can be useful to determine sources of error in
computer systems and is sometimes used to measure employee productivity on certain
clerical tasks. Like this, confidential and personal data, such as passwords or PINs,
can be spied and sent to other computers via the Internet.

Script viruses and worms:

Such viruses are extremely easy to program and they can spread - if the
required technology is on hand - within a few hours via email round the globe.
Script viruses and worms use a script language such as JavaScript, VBScript
etc. to infiltrate in other new scripts or to spread by activation of operating system
functions. This frequently happens via email or through the exchange of files
(documents).
A worm is a program that multiplies itself but that does not infect the host.
Worms can consequently not form part of other program sequences. Worms are often
the only possibility to infiltrate any kind of damaging programs on systems with
restrictive security measures.

Spyware:
Spyware are so called spy programs that intercept or take partial control of a
computer's operation without the user's informed consent. Spyware is designed to
exploit infected computers for commercial gain. Typical tactics furthering this goal

Page 31 / 107
include delivery of unsolicited pop-up advertisements. Antivirus is able to detect this
kind of software with the category "ADSPY" or "adware-spyware".

Trojan horse:
Although Trojan horse programs are categorized as viruses, they are not true
viruses, since they do not replicate. It is a malicious program disguised as something
benign, such as a screen saver.
When loaded onto our machine, a Trojan horse can capture information from our
system -- such as user names and passwords--or could allow a malicious hacker to
remotely control our computer.

Zombie:
A Zombie-PC is a computer that is infected with malware programs and that
enables hackers to abuse computers via remote control for criminal purposes. The
affected PC, for example, can start Denial-of-Service- (DoS) attacks at command or
send spam and phishing emails.

Rootkits:
These are collections of software programs that a hacker can use to gain
unauthorized remote access to a computer and launch additional attacks.. These
programs may use a number of different techniques, including monitoring keystrokes,
changing system log files or existing system applications, creating a backdoor into the
system, and starting attacks against other computers on the network. Rootkits are
generally organized into a set of tools that are tuned to specifically target a particular
operating system.

Internet Cookies:
Internet cookies are text files that are placed on a user's computer by Web sites
that the user visits. Cookies contain and provide identifying information about the
user to the Web sites that place them on the user computer, along with whatever
information the sites want to retain about the user's visit.

Malicious Hackers
The term malicious hacker, sometimes called crackers, refers to those who break into
computers without authorization. They can include both outsiders and insiders.
Much of the rise of hacker activity is often attributed to increases in connectivity in
both government and industry. One 1992 study of a particular Internet site (i.e., one
computer system) found that hackers attempted to break in at least once every other
day.

Malicious Code
Malicious code refers to viruses, worms, Trojan horses, logic bombs, and other
"uninvited" software. Sometimes mistakenly associated only with personal
computers, malicious code can attack other platforms.

Forgery:
Counterfeit currency notes, postage and revenue stamps, mark sheets etc., can be
forged using sophisticated computers, printers and scanners.

Internet Time Theft:

Page 32 / 107
This connotes the usage by unauthorized persons of the Internet hours paid for by
another person.

Physically damaging a computer system:

This crime is committed by physically damaging a computer or its peripherals.

MODUS OPERANDI-
Hacking is a multi-stage process that takes place over several hours or days. While a
few hackers may forego sleep and work at it constantly for 48-72 hours, it is more
common to see the process take place over a lengthy period of time. Like pedophiles,
they will have a number of potential "recruits" all at various stages of seduction.
Some sites will have just been probed; others will have just been scanned; and still
others will be ready for 0-day exploits. Hackers rarely focus on a single victim since
they have multiple victims at their disposal.

REASONS FOR CYBER CRIME:

The reasons for the vulnerability of computers may be said to be:

1. Capacity to store data in comparatively small space-

The computer has unique characteristic of storing data in a very small space.
This affords to remove or derive information either through physical or virtual
medium makes it much easier.

2. Easy to access-
The problem encountered in guarding a computer system from unauthorised
access is that there is every possibility of breach not due to human error but due to the
complex technology. By secretly implanted logic bomb, key loggers that can steal
access codes, advanced voice recorders; retina imagers etc. that can fool biometric
systems and bypass firewalls can be utilized to get past many a security system.

3. Complex-
The computers work on operating systems and these operating systems in turn
are composed of millions of codes. Human mind is fallible and it is not possible that
there might not be a lapse at any stage. The cyber criminals take advantage of these
lacunas and penetrate into the computer system.

4. Negligence-
Negligence is very closely connected with human conduct. It is therefore very
probable that while protecting the computer system there might be any negligence,
which in turn provides a cyber criminal to gain access and control over the computer
system.

5. Loss of evidence-
Loss of evidence is a very common & obvious problem as all the data are routinely
destroyed. Further collection of data outside the territorial extent also paralyses this
system of crime investigation.

CYBER CRIMINALS:

Page 33 / 107
 The cyber criminals constitute of various groups/ category. This division may
be justified on the basis of the object that they have in their mind. The following are
the category of cyber criminals-

1. Children and adolescents between the age group of 6 – 18 years –

The simple reason for this type of delinquent behaviour pattern in children is
seen mostly due to the inquisitiveness to know and explore the things. Other cognate
reason may be to prove them to be outstanding amongst other children in their group.
Further the reasons may be psychological even. E.g. the Bal Bharati (Delhi) case was
the outcome of harassment of the delinquent by his friends.

2. Organised hackers-
These kinds of hackers are mostly organised together to fulfil certain
objective. The reason may be to fulfil their political bias, fundamentalism, etc. The
Pakistanis are said to be one of the best quality hackers in the world. They mainly
target the Indian government sites with the purpose to fulfil their political objectives.
Further the NASA as well as the Microsoft sites is always under attack by the hackers.

3. Professional hackers / crackers –

Their work is motivated by the color of money. These kinds of hackers are
mostly employed to hack the site of the rivals and get credible, reliable and valuable
information. Further they are ven employed to crack the system of the employer
basically as a measure to make it safer by detecting the loopholes.

4. Discontented employees-
This group include those people who have been either sacked by their
employer or are dissatisfied with their employer. To avenge they normally hack the
system of their employee.

MODE AND MANNER OF COMMITING CYBER CRIME:

1. Unauthorized access to computer systems or networks / Hacking-
This kind of offence is normally referred as hacking in the generic sense.
However the framers of the information technology act 2000 have no where used this
term so to avoid any confusion we would not interchangeably use the word hacking
for ‘unauthorized access’ as the latter has wide connotation.

2. Theft of information contained in electronic form-

This includes information stored in computer hard disks, removable storage
media etc. Theft may be either by appropriating the data physically or by tampering
them through the virtual medium.

3. Email bombing-
This kind of activity refers to sending large numbers of mail to the victim,
which may be an individual or a company or even mail servers there by ultimately
resulting into crashing.

4. Data diddling-

Page 34 / 107
 This kind of an attack involves altering raw data just before a computer
processes it and then changing it back after the processing is completed. The
electricity board faced similar problem of data diddling while the department was
being computerised.

5. Salami attacks-
This kind of crime is normally prevalent in the financial institutions or for the
purpose of committing financial crimes. An important feature of this type of offence
is that the alteration is so small that it would normally go unnoticed.

6. Denial of Service attack-

The computer of the victim is flooded with more requests than it can handle
which cause it to crash. Distributed Denial of Service (DDoS) attack is also a type of
denial of service attack, in which the offenders are wide in number and widespread.
E.g. Amazon, Yahoo.

7. Virus / worm attacks-

Viruses are programs that attach themselves to a computer or a file and then
circulate themselves to other files and to other computers on a network. They usually
affect the data on a computer, either by altering or deleting it. Worms, unlike viruses
do not need the host to attach themselves to. They merely make functional copies of
themselves and do this repeatedly till they eat up all the available space on a
computer's memory. E.g. love bug virus, which affected at least 5 % of the computers
of the globe. The losses were accounted to be $ 10 million.

8. Logic bombs-
These are event dependent programs. This implies that these programs are
created to do something only when a certain event (known as a trigger event) occurs.
E.g. even some viruses may be termed logic bombs because they lie dormant all
through the year and become active only on a particular date (like the Chernobyl
virus).

9. Trojan attacks-
This term has its origin in the word ‘Trojan horse’. In software field this
means an unauthorized programme, which passively gains control over another’s
system by representing itself as an authorised programme. The most common form of
installing a Trojan is through e-mail. E.g. a Trojan was installed in the computer of a
lady film director in the U.S. while chatting. The cyber criminal through the web cam
installed in the computer obtained her nude photographs. He further harassed this
lady.

10. Internet time thefts-

Normally in these kinds of thefts the Internet surfing hours of the victim are
used up by another person. This is done by gaining access to the login ID and the
password. E.g. Colonel Bajwa’s case- the Internet hours were used up by any other
person. This was perhaps one of the first reported cases related to cyber crime in
India. However this case made the police infamous as to their lack of understanding
of the nature of cyber crime.

11. Web jacking-

Page 35 / 107
 This term is derived from the term hi jacking. In these kinds of offences the
hacker gains access and control over the web site of another. He may even mutilate or
change the information on the site. This may be done for fulfilling political objectives
or for money. E.g. recently the site of MIT (Ministry of Information Technology) was
hacked by the Pakistani hackers and some obscene matter was placed therein. Further
the site of Bombay crime branch was also web jacked. Another case of web jacking is
that of the ‘gold fish’ case. In this case the site was hacked and the information
pertaining to gold fish was changed. Further a ransom of US $ 1 million was
demanded as ransom. Thus web jacking is a process where by control over the site of
another is made backed by some consideration for it.

CLASSIFICATION:
The subject of cyber crime may be broadly classified under the following three
groups, they are-

1. Against Individuals
a. their person &
b. their property of an individual

2. against Organization
a. Government
c. Firm, Company, Group of Individuals.

3. Against Society at large

TARGET GROUPS-

Against Individuals: –
i. Harassment via e-mails.
ii. Cyber-stalking.
iii. Dissemination of obscene material.
iv. Defamation.
v. Unauthorized control/access over computer system.
vi. Indecent exposure
vii. Email spoofing
viii. Cheating & Fraud

Against Individual Property: -

i. Computer vandalism.
ii. Transmitting virus.
iii. Unauthorized control/access over computer system
iv. Intellectual Property crimes
v. Internet time thefts

Against Organization: -
i. Unauthorized control/access over computer system
ii. Possession of unauthorized information

Page 36 / 107
 iii. Cyber terrorism against the government organization
iv. Distribution of pirated software etc

Against Society at large: -

i. Pornography (basically child pornography).
ii. Polluting the youth through indecent exposure.
iii. Trafficking
iv. Financial crimes
v. Sale of illegal articles
vi. Online gambling
vii. Forgery

The above mentioned offences may discuss in brief as follows:

1. Harassment via e-mails-

Harassment through e-mails is not a new concept. It is very similar to
harassing through letters. Recently I had received a mail from a lady wherein she
complained about the same. Her former boy friend was sending her mails constantly
sometimes emotionally blackmailing her and also threatening her. This is a very
common type of harassment via e-mails.

2. Cyber-stalking-
The Oxford dictionary defines stalking as "pursuing stealthily". Cyber
stalking involves following a person's movements across the Internet by posting
messages (sometimes threatening) on the bulletin boards frequented by the victim,
entering the chat-rooms frequented by the victim, constantly bombarding the victim
with emails etc.

3. Dissemination of obscene material/ Indecent exposure/ Pornography (basically

child pornography) / Polluting through indecent exposure-
Pornography on the net may take various forms. It may include the hosting of
web site containing these prohibited materials. Use of computers for producing these
obscene materials. Downloading through the Internet, obscene materials. These
obscene matters may cause harm to the mind of the adolescent and tend to deprave or
corrupt their mind. Two known cases of pornography are the Delhi Bal Bharati case
and the Bombay case wherein two Swiss couple used to force the slum children for
obscene photographs. The Mumbai police later arrested them.

4. Defamation
It is an act of imputing any person with intent to lower the person in the
estimation of the right-thinking members of society generally or to cause him to be
shunned or avoided or to expose him to hatred, contempt or ridicule. Cyber
defamation is not different from conventional defamation except the involvement of a
virtual medium. E.g. the mail account of Rohit was hacked and some mails were sent
from his account to some of his batch mates regarding his affair with a girl with intent
to defame him.

5. Unauthorized control/access over computer system-

Page 37 / 107
 This activity is commonly referred to as hacking. The Indian law has however
given a different connotation to the term hacking, so we will not use the term
"unauthorized access" interchangeably with the term "hacking" to prevent confusion
as the term used in the Act of 2000 is much wider than hacking.

6. E mail spoofing-
A spoofed e-mail may be said to be one, which misrepresents its origin. It
shows it's origin to be different from which actually it originates. Recently spoofed
mails were sent on the name of Mr. Na.Vijayashankar (naavi.org), which contained
virus.
Rajesh Manyar, a graduate student at Purdue University in Indiana, was
arrested for threatening to detonate a nuclear device in the college campus. The
alleged e- mail was sent from the account of another student to the vice president for
student services. However the mail was traced to be sent from the account of Rajesh
Manyar.

6. Computer vandalism-
Vandalism means deliberately destroying or damaging property of another.
Thus computer vandalism may include within its purview any kind of physical harm
done to the computer of any person. These acts may take the form of the theft of a
computer, some part of a computer or a peripheral attached to the computer or by
physically damaging a computer or its peripherals.

7. Transmitting virus/worms-
This topic has been adequately dealt herein above.

8. Intellectual Property crimes / Distribution of pirated software-

Intellectual property consists of a bundle of rights. Any unlawful act by which,
the owner is deprived completely or partially of his rights is an offence. The common
form of IPR violation may be said to be software piracy, copyright infringement,
trademark and service mark violation, theft of computer source code, etc.
The Hyderabad Court has in a land mark judgement has convicted three people and
sentenced them to six months imprisonment and fine of 50,000 each for unauthorized
copying and sell of pirated software.

9. Cyber terrorism against the government organization

At this juncture a necessity may be felt that what the need to is, distinguish
between cyber terrorism and cyber crime. Both are criminal acts. However there is a
compelling need to distinguish between both these crimes. A cyber crime is generally
a domestic issue, which may have international consequences; however cyber
terrorism is a global concern, which has domestic as well as international
consequences. The common form of these terrorist attacks on the Internet is by
distributed denial of service attacks, hate websites and hate emails, attacks on
sensitive computer networks, etc. Technology savvy terrorists are using 512-bit
encryption, which is next to impossible to decrypt. The recent example may be cited
of – Osama Bin Laden, the LTTE, and attack on America’s army deployment system
during Iraq war.

Cyber terrorism may be defined to be “ the premeditated use of disruptive

activities, or the threat thereof, in cyber space, with the intention to further social,

Page 38 / 107
ideological, religious, political or similar objectives, or to intimidate any person in
furtherance of such objectives”
Another definition may be attempted to cover within its ambit every act of
cyber terrorism.
A terrorist means a person who indulges in wanton killing of persons or in
violence or in disruption of services or means of communications essential to the
community or in damaging property with the view to –
(1) Putting the public or any section of the public in fear; or
(2) Affecting adversely the harmony between different religious, racial, language or
regional groups or castes or communities; or
(3) Coercing or overawing the government established by law; or
(4) Endangering the sovereignty and integrity of the nation and a cyber terrorist is the
person who uses the computer system as a means or ends to achieve the above
objectives. Every act done in pursuance thereof is an act of cyber terrorism.

10. Trafficking
Trafficking may assume different forms. It may be trafficking in drugs, human
beings, arms weapons etc. These forms of trafficking are going unchecked because
they are carried on under pseudonyms. A racket was busted in Chennai where drugs
were being sold under the pseudonym of honey.

11. Fraud & Cheating

Online fraud and cheating is one of the most lucrative businesses that are
growing today in the cyber space. It may assume different forms. Some of the cases of
online fraud and cheating that have come to light are those pertaining to credit card
crimes, contractual crimes, offering jobs, etc.
Recently the Court of Metropolitan Magistrate Delhi found guilty a 24-year-
old engineer working in a call centre, of fraudulently gaining the details of Campa's
credit card and bought a television and a cordless phone from Sony website.
Metropolitan magistrate Gulshan Kumar convicted Azim for cheating under IPC, but
did not send him to jail. Instead, Azim was asked to furnish a personal bond of Rs
20,000, and was released on a year's probation.

PREVENTION OF CYBER CRIME:

Prevention is always better than cure. It is always better to take certain
precaution while operating the net. A netizen should keep in mind the following
things-
1. To prevent cyber stalking avoid disclosing any information pertaining to one. This
is as good as disclosing your identity to strangers in public place.
2. Always avoid sending any photograph online particularly to strangers and chat
friends as there have been incidents of misuse of the photographs.
3. Always use latest and up date anti virus software to guard against virus attacks.
4. Always keep back up volumes so that one may not suffer data loss in case of virus
contamination
5. Never send your credit card number to any site that is not secured, to guard against
frauds.
6. Always keep a watch on the sites that your children are accessing to prevent any
kind of harassment or depravation in children.
7. It is better to use a security programme that gives control over the cookies and send
information back to the site as leaving the cookies unguarded might prove fatal.

Page 39 / 107
8. Web site owners should watch traffic and check any irregularity on the site. Putting
host-based intrusion detection devices on servers may do this.
9. Use of firewalls may be beneficial.
10. Web servers running public sites must be physically separate protected from
internal corporate network.
Reference:
1- Cyber Crime Investigation Cell, CID, Mumbai: http://www.cybercellmumbai.com
2- Robbins, Judd. "An Explanation of Computer Forensics" URL:
http://www.computerforensics.net/forensics.htm)
3- Parthasarathy Pati, NAAVI, http://www.naavi.org/

SECURITY ADUTING
A computer security audit is a manual or systematic measurable technical
assessment of a system or application. Manual assessments include interviewing staff,
performing security vulnerability scans, reviewing application and operating system
access controls, and analyzing physical access to the systems. Automated
assessments, or CAAT's, include system generated audit reports or using software to
monitor and report changes to files and settings on a system. Systems can include
personal computers, servers, mainframes, network routers, switches. Applications can
include Web Services, Microsoft Project Central, and Oracle Database. (Examples
only) (Wikipedia: http://en.wikipedia.org/wiki/Computer_security_audit)

No two enterprises have the exact same security requirements.

A government installation with sensitive Defense documents, for example, will
require a much higher degree of security, encryption, and access control than an
enterprise with no sensitive data. Creating an appropriate security infrastructure starts
with a security audit. (Secure Computing)

"Auditing your company's website is critical, as even a single vulnerability

could lead to the theft of sensitive corporate data such as credit card information. Not
to mention the cost of lost revenue, severe fines, diminished customer trust and
substantial damage to business reputation and credibility,” (Help Net Security: HNS
CONS. LTD)
Consider this scenario: you build a Web site that requires some kind of user
log-in. You allow users to create usernames and passwords and require a valid
username and password to get in to your site. But is your Web site authentication
scheme secure? Every time I register at a site, I marvel at the consistently laughable -
sometimes pathetic - security among even the world's largest Web sites. As the Web
becomes more a part of our personal lives, the threat of fraud and identity theft grows
accordingly.
Inadequate user security is a problem that Web developers must address.
Perhaps it is lack of standards. Perhaps it is a lack of auditing. This article addresses
both of those issues by establishing a standard audit procedure by which to measure
your own security. Test this list of questions against your own Web site's
authentication scheme and see how it stands. (Security Focus)

Is Your Website Hackable?

The company believes that these audits will prevent hundreds of security
breaches that would otherwise have led to valuable customer details, credit card
numbers and proprietary corporate data being exposed.

Page 40 / 107
 "Many enterprise organizations are simply not aware of how vulnerable their
sites are to hackers," said Nick Galea, CEO of Acunetix. “By offering free security
audits, we hope to help educate the market on how they can protect themselves from
the latest hacking techniques. Our expectation is that this new service will play a
valued role in helping to secure valuable enterprise and consumer data that could
otherwise be easily accessible to hackers.”

What is a Security Audit?

You may see the phrase "penetration test" used interchangeably with the
phrase "computer security audit". They are not the same thing. A penetration test (also
known as a pen-test) is a very narrowly focused attempt to look for security holes in a
critical resource, such as a firewall or Web server. Penetration testers may only be
looking at one service on a network resource. They usually operate from outside the
firewall with minimal inside information in order to more realistically simulate the
means by which a hacker would attack the site.
On the other hand, a computer security audit is a systematic, measurable
technical assessment of how the organization's security policy is employed at a
specific site. Computer security auditors work with the full knowledge of the
organization, at times with considerable inside information, in order to understand the
resources to be audited.
Security audits do not take place in a vacuum; they are part of the on-going
process of defining and maintaining effective security policies. This is not just a
conference room activity. It involves everyone who uses any computer resources
throughout the organization. Given the dynamic nature of computer configurations
and information storage, some managers may wonder if there is truly any way to
check the security ledgers, so to speak. Security audits provide such a tool, a fair and
measurable way to examine how secure a site really is.
Computer security auditors perform their work though personal interviews,
vulnerability scan examination of operating system settings, analyses of network
shares, and historical data. They are concerned primarily with how security policies -
the foundation of any effective organizational security strategy - are actually used.
There are a number of key questions that security audits should attempt to answer:

• Are passwords difficult to crack?

• Are there access control lists (ACLs) in place on network devices to control
that has access to shared data?
• Are there audit logs to record that accesses data?
• Are the audit logs reviewed?
• Are the security settings for operating systems in accordance with accepted
industry security practices?
• Have all unnecessary applications and computer services been eliminated for
each system?
• Are these operating systems and commercial applications patched to current
levels?
• How is backup media stored? Who has access to it? Is it up-to-date?
• Is there a disaster recovery plan? Have the participants and stakeholders ever
rehearsed the disaster recovery plan?
• Are there adequate cryptographic tools in place to govern data encryption, and
have these tools been properly configured?

Page 41 / 107
 • Have custom-built applications been written with security in mind?
• How have these custom applications been tested for security flaws?
• How are configuration and code changes documented at every level? How are
these records reviewed and who conducts the review?

Auditing Standards for auditing Information Systems

The specialized nature of Information Systems auditing and the
professional skills and credibility necessary to perform such audits, require standards
that would apply specifically to IS auditing. Standards, procedures and guidelines
have been issued by various institutions, which discuss the way the auditor should go
about auditing Information Systems.

Information Systems Security and Audit

Organizations in all sectors of the economy depend upon information
systems and communications networks, and share common requirements to protect
sensitive information. Organizations and professional bodies’ work towards
establishing secure information technology systems for protecting the integrity,
confidentiality, reliability, and availability of information.

Defining Security Audit

Information Systems Security Audit is an independent review and
examination of system records, activities and related documents to determine the
adequacy of system controls ensure compliance with established security policy and
approved operational procedures, detect breaches in security so as to verify whether
data integrity is maintained, assets are safeguarded, organizational goals are achieved
effectively and resources are used efficiently. Security audit is a systematic,
measurable technical assessment of how security policies are built into the
information systems.

Secure system:

Computer system protected through the use of special hardware and software,
policies, and practices against data corruption, destruction, interception, loss, or
unauthorized access.

Five essential services provided by a secure system are-

(1) Authentication,

(2) Authorization,

(3) Integrity,

(4) Privacy, and

(5) Non-repudiation.

(1) Authentication-

Page 42 / 107
General: Verification of the genuineness of a document or signature, to make it
effective or valid.

Computer access: Verification of the identity of a user through a code such as a

password.

(2) Authorization-

General: Process used in verifying that the individual or organization who has
requested or initiated an action has the right to do so.

Computer access: Process of granting or denying a user the access to a secure system.
Most computer security systems are based on a two step process:

(a) Authentication to ensure that the entity requesting access to the system is what or
who it claims to be, and

(b) Authorization to allow access only to those resources which are appropriate to that
entity's identity.

(3) Integrity-

State of a system where it is performing its intended functions, without being

degraded or impaired by changes or disruptions in its internal or external
environments

(4) Privacy-

Privacy may be divided into four categories

(A) Physical: restriction on others to experience a person or situation through one or

more of the human senses;

(B) Informational: restriction on searching for or revealing facts that are unknown or
unknowable to others;

(C) Decisional: restriction on interfering in decisions that are exclusive to an entity;

(D) Dispositional: restriction on attempts to know an individual's state of mind.

(5) Non-repudiation-

Intent to accept responsibility of submitting or receiving an electronic message

and be bound by its substance, Non repudiation protects a sender against the false
assertion of the receiver that the message has not been received, and a receiver against
the false assertion of the sender that the message has been sent. An essential element
of secure electronic commerce, non repudiation is generally established by the
protocol (such a public key infrastructure or EDIFACT) used in data transfer, and
includes legal and security criteria of authentication and report integrity.
(BusinessDictionary.com)

Page 43 / 107
CYBER SECURITY:

Cyber security actually protects your personal information by responding, detecting

and preventing the attacks. Cyber security is actually introduced to decrease cyber
crimes. All banking institutions and businesses today run their business online.
Hackers can hack your computer system and misuse your personal information and
pictures. Various other dangers associated with cyber crimes are entry of virus into
your system, altering your files, change of passwords, stealing credit card information
and make unauthorized purchases.

Computer security-

Computer security is a branch of technology known as information security as applied

to computers. The objective of computer security varies and can include protection of
information from theft or corruption, or the preservation of availability, as defined in
the security policy.

Internet Security-

When a computer connects to a network and begins communicating with others, it is

taking a risk. Internet security involves the protection of a computer's internet account
and files from intrusion of an unknown user. Basic security measures involve
protection by well selected passwords, change of file permissions and back up of
computer's data.

Internet security professionals should be fluent in the four major aspects:

1. Penetration testing
2. Intrusion Detection
3. Incidence Response
4. Legal / Audit Compliance

Computer security imposes requirements on computers that are different from

most system requirements because they often take the form of constraints on what
computers are not supposed to do. This makes computer security particularly
challenging because it is hard enough just to make computer programs do everything
they are designed to do correctly. Furthermore, negative requirements are deceptively
complicated to satisfy and require exhaustive testing to verify, which is impractical
for most computer programs. Computer security provides a technical strategy to
convert negative requirements to positive enforceable rules. For this reason, computer
security is often more technical and mathematical than some computer science fields.

Secure operating systems

One use of the term computer security refers to technology to implement a

secure operating system. This forms the foundation for a secure operating system
which, if certain critical parts are designed and implemented correctly, can ensure the
absolute impossibility of penetration by hostile elements. This capability is enabled

Page 44 / 107
because the configuration not only imposes a security policy, but in theory completely
protects itself from corruption. Ordinary operating systems, on the other hand, lack
the features that assure this maximal level of security. The design methodology to
produce such secure systems is precise, deterministic and logical.

Systems designed with such methodology represent the state of the art of
computer security although products using such security are not widely known. In
sharp contrast to most kinds of software, they meet specifications with verifiable
certainty comparable to specifications for size, weight and power. Secure operating
systems designed this way are used primarily to protect national security information,
military secrets, and the data of international financial institutions. The assurance of
security depends not only on the soundness of the design strategy, but also on the
assurance of correctness of the implementation, and therefore there are degrees of
security strength defined for COMPUSEC. The Common Criteria quantifies security
strength of products in terms of two components, security functionality and assurance
level (such as EAL levels), and these are specified in a Protection Profile for
requirements and a Security Target for product descriptions. None of these ultra-high
assurances secure general purpose operating systems have been produced for decades
or certified under the Common Criteria.

Security Architecture-

Security Architecture can be defined as the design artifacts that describe how
the security controls (security countermeasures) are positioned, and how they relate to
the overall information technology architecture. These controls serve the purpose to
maintain the system's quality attributes, among them confidentiality, integrity,
availability, accountability and assurance." In simpler words, security architecture is
the plan that shows where security measures need to be placed. If the plan describes a
specific solution then, prior to building such a plan, one would make a risk analysis. If
the plan describes a generic high level design (reference architecture) then the plan
should be based on a threat analysis.

Security by design-

The technologies of computer security are based on logic. There is no

universal standard notion of what secure behavior is. "Security" is a concept that is
unique to each situation. Security is extraneous to the function of a computer
application, rather than ancillary to it, thus security necessarily imposes restrictions on
the application's behavior.

There are several approaches to security in computing; sometimes a combination of

approaches is valid:

Trust all the software to abide by a security policy but the software is not trustworthy
(this is computer insecurity).

Trust all the software to abide by a security policy and the software is validated as
trustworthy (by tedious branch and path analysis for example).

Page 45 / 107
Trust no software but enforce a security policy with mechanisms that are not
trustworthy (again this is computer insecurity).

Trust no software but enforce a security policy with trustworthy mechanisms.

Many systems have unintentionally resulted in the first possibility. Since approach
two is expensive and non-deterministic, its use is very limited. Approaches one and
three lead to failure, because approach number four is often based on hardware
mechanisms and avoids abstractions and a multiplicity of degrees of freedom, it is
more practical. Combinations of approaches two and four are often used in a layered
architecture with thin layers of two and thick layers of four.

There are myriad strategies and techniques used to design security systems. There are
few, if any, effective strategies to enhance security after design.

One technique enforces the principle of least privilege to great extent, where
an entity has only the privileges that are needed for its function. That way even if an
attacker gains access to one part of the system, fine-grained security ensures that it is
just as difficult for them to access the rest

Furthermore, by breaking the system up into smaller components, the

complexity of individual components is reduced, opening up the possibility of using
techniques such as automated theorem proving to prove the correctness of crucial
software subsystems. This enables a closed form solution to security that works well
when only a single well-characterized property can be isolated as critical, and that
property is also assessable to math. Not surprisingly, it is impractical for generalized
correctness, which probably cannot even be defined, much less proven. Where formal
correctness proofs are not possible, rigorous use of code review and unit testing
represent a best-effort approach to make modules secure.

The design should use "defense in depth", where more than one subsystem
needs to be violated to compromise the integrity of the system and the information it
holds. In addition, security should not be an all or nothing issue. The designers and
operators of systems should assume that security breaches are inevitable. Full audit
trails should be kept of system activity, so that when a security breach occurs, the
mechanism and extent of the breach can be determined. Storing audit trails remotely,
where they can only be appended to, can keep intruders from covering their tracks.
Finally, full disclosure helps to ensure that when bugs are found the "window of
vulnerability" is kept as short as possible.

Secure coding-

If the operating environment is not based on a secure operating system capable

of maintaining a domain for its own execution, and capable of protecting application
code from malicious subversion, and capable of protecting the system from subverted
code, then high degrees of security are understandably not possible. While such
secure operating systems are possible and have been implemented, most commercial
systems fall in a 'low security' category because they rely on features not supported by
secure operating systems (like portability, et al.). In low security operating
environments, applications must be relied on to participate in their own protection.

Page 46 / 107
There are 'best effort' secure coding practices that can be followed to make an
application more resistant to malicious subversion.

In commercial environments, the majority of software subversion

vulnerabilities result from a few known kinds of coding defects. Common software
defects include buffer overflows, format string vulnerabilities, integer overflow, and
code/command injection.

Some common languages such as C and C++ are vulnerable to all of these defects.
Other languages, such as Java, are more resistant to some of these defects, but are still
prone to code/command injection and other software defects which facilitate
subversion.

In summary, 'secure coding' can provide significant payback in low security

operating environments, and therefore worth the effort. Still there is no known way to
provide a reliable degree of subversion resistance with any degree or combination of
'secure coding.' (http://en.wikipedia.org/wiki/Computer_security)

CYBER SECURITY TOOLS / SOFTWARES:

• Anti-virus
• Anti-spyware
• Email Security
• Firewall
• Digital and SSL Certificates
• Start Up Monitor
• Security Auditing Tools
• Network and LAN Security Tools etc…

SMTP, POP3 AND IMAP:

SMTP (Simple Mail Transfer Protocol) is a TCP/IP protocol used in sending and
receiving e-mail. However, since it is limited in its ability to queue messages at the
receiving end, it is usually used with one of two other protocols, POP3 or IMAP, that
let the user save messages in a server mailbox and download them periodically from
the server. In other words, users typically use a program that uses SMTP for sending
e-mail and either POP3 or IMAP for receiving e-mail. On Unix-based systems,
sendmail is the most widely-used SMTP server for e-mail. A commercial package,
Sendmail, includes a POP3 server. Microsoft Exchange includes an SMTP server and
can also be set up to include POP3 support.

SMTP usually is implemented to operate over Internet port 25. An alternative to

SMTP that is widely used in Europe is X.400. Many mail servers now support
Extended Simple Mail Transfer Protocol (ESMTP), which allows multimedia files to
be delivered as e-mail.

POP3 (Post Office Protocol 3) is the most recent version of a standard protocol for
receiving e-mail. POP3 is a client/server protocol in which e-mail is received and held
for you by your Internet server.

Page 47 / 107
The Internet Message Access Protocol (IMAP) is one of the two most prevalent
Internet standard protocols for e-mail retrieval, the other being the Post Office
Protocol (POP). Virtually all modern e-mail clients and mail servers support both
protocols as a means of transferring e-mail messages from a server, such as those used
by Gmail, to a client, such as Mozilla Thunderbird, KMail, Apple Mail and Microsoft
Outlook.

PORT:

On computer and telecommunication devices, a port is generally a specific place for

being physically connected to some other device, usually with a socket and plug of
some kind. Typically, a personal computer is provided with one or more serial ports
and usually one parallel port. The serial port supports sequential, one bit-at-a-time
transmission to peripheral devices such as scanners and the parallel port supports
multiple-bit-at-a-time transmission to devices such as printers.

Port numbers are from 0 to 65535. Ports 0 to 1024 are reserved for use by certain
privileged services. For the HTTP service, port 80 is defined as a default and it does
not have to be specified in the Uniform Resource Locator (URL).

Some important port numbers

There are huge numbers of ports which are reserved. But the ports mentioned below
are more important.

• 20-FTP Data
• 21-FTP Control
• 23-Telnet
• 25-SMTP
• 53 -TCP
• 69 -TFTP
• 80 -HTTP/WWW
• 109-POP2
• 110-POP3
• 123/UDP-NTP
• 137-NetBIOS
• 443-HTTPS
• 546-DHCPv6 client
• 547-DHCPv6 server

Theft, fraud and financial crime:

The convergence of computing and communications technologies has

changed dramatically the nature of our lives, at least for those of us who live in
developed countries. We are able to do our shopping and banking from home, work
and be paid electronically, and engage in leisure activities using computers.
Government benefits are also able to be processed electronically and a wide range of

Page 48 / 107
services delivered on-line. 'Digitisation', or the process of reducing information to
electronic streams of '0s and 1s' that are stored on computers, has enabled people to
communicate more effectively and at lower cost than in the past. It has also meant that
geographical boundaries are able to be crossed more easily. This has enhanced the
process of globalization of economic and social life enormously.

These same technologies that have provided so many benefits have, however,
created enormous opportunities for economic offenders. Fraudsters are able to
communicate with each other in secret, disguise their identities in order to avoid
detection, and manipulate electronic payment systems to obtain funds illegally. They
are also able to target a wide range of potential victims throughout the world, all from
the comfort of their home or office. The risk of fraud is one of the principal barriers to
electronic commerce systems becoming widely accepted in the community.
(Australian Institute of Criminology)

The UK is suffering a cyber crime wave that has seen online financial fraud jump 20
per cent, according to a new report.

Reports of cyber crime in the UK rose nine per cent over 2007, according to the UK
Cybercrime Report by online identity company Garlik, which compiled government,
police and analysts statistics.

Internet and email fraud saw the largest hike, jumping to 250,000 incidents in 2007
from 207,000 in 2006. (www.silicon.com-CBS Interactive Limited)

CASE STUDY

Hacker hacks into a financial website

Mumbai poilce have arrested a hacker by name Kalpesh (name change) for
hacking into a financial website. Although the hacker couldn’t break into the main
server of the financial institution, which was well secured by the financial institution.
The accused person could make some addition to the home page of the financial
website and has added a string of text to the news module of the home page of the
website. Police were able to crack the case by following the trace left by the hacker on
the web server of the financial institution. The financial institution has maintained a
separate server for financial online transactions, for which utmost security has been
taken by the fianancial institution. The website was hosted on a different server which
comparatively had lesser security.

The hacker Kalpesh (name changed) is a 10th Pass youngster of 23 years old. He
has done computer courses like CCNA, MCSE etc. But he is a computer addict. He
sits before the computer for almost 16 to 20 times each day. He has mostly used the
readymade hacking tools, to hack into any website. He goes to a particular website on
the web, which facilitates him to see the entire directory structure of that website.
Then using various techniques, such as obtaining a password file, he gets into the
administrator’s shoes and hacks the website.

Page 49 / 107
 A case has been registered against the hacker under section 67 of Information
Technology Act – 2000 and under various sections of Indian Penal Code. (Cyber
Crime Investigation Cell, Mumbai.)

General Precautions
1. Use Integrity checking- This detects for any sign of change in file or folder
(md5)
2. Uncheck- Remember my password option in public places or on multi user
system
3. Logout from your account before leaving computer
4. Be Suspicious of Free Software available on internet and avoid visiting
suspicious sites.
5. Keep your application and operating system software updated.
6. Perform regular backups on external storage media of essential files.
7. Don’t click pop-up ads or unsolicited and alarmist pop-ups that claim you
have spyware or other problems with your PC.
8. Avoid sharing personal details with strangers.
9. Don’t open e-mail that claims to come from a financial institution or e-
commerce site that you don’t do business with.
10. Scan your system regularly (at least once a month) with good anti-virus and
spyware scanners
11. Don’t accept e-mail attachments from strangers.
12. Never respond to spam
13. Use a browser other than Internet Explorer. For instance, the Firefox, Google
Chrome, Safari and Opera browsers which don’t use ActiveX, which prevents
ActiveX-based exploits from affecting your computer. These browsers are also
less frequently subjected to vulnerability exploits.
14. Never ignore security issues. Keep yourself away from involvement in any
criminal activity, either directly or indirectly.
15. Read the End User License Agreement (EULA), which is a contract between
you and the software vendor. When you download and install software, you
are presented with a screen that includes the EULA. Most people simply click
the button without reading the license. This is a mistake, especially with free
software, because it often includes adware or other unwanted programs.
16. Avoid experience with crack files, patches and key generators available on
internet.
17. Use computer forensic tools and procedures which are also used to identify
computer security weaknesses and the leakage of sensitive computer data.
18. Antivirus software and other security tools are like a seat belt of car, so you
have to be alert every time because these tools alone are not enough for
protection.
19. The user, if attacked, should file an FIR immediately.

Page 50 / 107
 CYBER LAWS
INFORMATION TECHNOLOGY ACT 2000 INDIA

History of the Act

The United Nations General Assembly by resolution A/RES/51/162, dated the 30

January 1997 has adopted the Model Law on Electronic Commerce adopted by the
United Nations Commission on International Trade Law. This is referred to as the
UNCITRAL Model Law on E-Commerce.
The said resolution recommended inter alia that all States give favorable
consideration to the said Model Law when they enact or revise their laws, in view of
the need for uniformity of the law applicable to alternatives to paper-based methods
of communication and storage of information.
The Ministry of Commerce Government of India created the first draft of the
legislation following the UNO termed as "E Commerce Act 1998".
After the formation of a separate ministry of Information Technology, the draft was
taken over by the new ministry which re-drafted the legislation as "Information
Technology Bill 1999".
This draft was placed in the Parliament in December 1999 and passed in May
2000. After the assent of the President on June 9, 2000, the act was finally notified
with effect from October 17, 2000 vide notification number G.S.R 788(E).
A major amendment was made to the Act with effect from 6th February 2003
consequent to the passage of a related legislation called Negotiable Instruments
Amendment Act 2002.

Specifics of the Act

Information technology Act 2000 consists of 94 sections segregated into 13 chapters.
Four schedules form part of the Act.

Essence of the Act

Information Technology Act 2000 addressed the following issues:
Legal Recognition of Electronic Documents
Legal Recognition of Digital Signatures
Offenses and Contraventions
Justice Dispensation System for Cybercrimes
(http://en.wikipedia.org/wiki/Information_Technology_Act)

Since the beginning of civilization, man has always been motivated by the
need to make progress and better the existing technologies. This has led to
tremendous development and progress which has been a launching pad for further
developments. Of all the significant advances made by mankind from the beginning
till date, probably the most important of them is the development of Internet.

However, the rapid evolution of Internet has also raised numerous legal issues
and questions. As the scenario continues to be still not clear, countries throughout the
world are resorting to different approaches towards controlling, regulating and
facilitating electronic communication and commerce.

Page 51 / 107
 The Parliament of India has passed its first Cyber law, the Information
Technology Act, 2000 which provides the legal infrastructure for E-commerce in
India.... (Pavan Duggal: http://www.mondaq.com)

The Act - Information Technology Act

An act to provide legal recognition for transactions carried out by means of
electronic data interchange and other means of electronic communication, commonly
referred to as "electronic commerce", which involves the use of alternatives to paper
based methods of communication and storage of information, to facilitate electronic
filing of documents with the government agencies and further to amend the Indian
Penal Code, the Indian Evidence Act, 1872, the Bankers Book Evidence Act, 1891
and the Reserve Bank of India Act, 1934 and for matters connected therewith or
incidental thereto; (http://www.legalhelpindia.com)

Whereas the General Assembly of the United Nations by resolution

A/RES/51/162, dated the 30th January, 1997 has adopted the Model Law on
Electronic Commerce adopted by the United Nations Commission on International
Trade Law;

STATUTORY PROVISONS:
The Indian parliament considered it necessary to give effect to the resolution
by which the General Assembly adopted Model Law on Electronic Commerce
adopted by the United Nations Commission on Trade Law. As a consequence of
which the Information Technology Act 2000 was passed and enforced on 17th May
2000.the preamble of this Act states its objective to legalise e-commerce and further
amend the Indian Penal Code 1860, the Indian Evidence Act 1872, the Banker’s Book
Evidence Act1891 and the Reserve Bank of India Act 1934. The basic purpose to
incorporate the changes in these Acts is to make them compatible with the Act of
2000; So that they may regulate and control the affairs of the cyber world in an
effective manner.
The Information Technology Act deals with the various cyber crimes in
chapters IX & XI. The important sections are Ss. 43,65,66,67. Section 43 in particular
deals with the unauthorised access, unauthorised downloading, virus attacks or any
contaminant, causes damage, disruption, denial of access, interference with the
service availed by a person. This section provide for a fine up to Rs. 1 Crore by way
of remedy. Section 65 deals with ‘tampering with computer source documents’ and
provides for imprisonment up to 3 years or fine, which may extend up to 2 years or
both. Section 66 deals with ‘hacking with computer system’ and provides for
imprisonment up to 3 years or fine, which may extend up to 2 years or both. Further
section 67 deals with publication of obscene material and provides for imprisonment
up to a term of 10 years and also with fine up to Rs. 2 lakhs.

Amendments to Information Technology Act 2000-

The Information Technology (Amendment) Bill, 2006

The Government of India has proposed major amendments to ITA-2000 in form of

the Information Technology (Amendment) Bill, 2006 which have been passed by the

Page 52 / 107
Cabinet Committee of the Government of India and are ready for being placed before
the Indian Parliament for discussion.
(http://en.wikipedia.org/wiki/Information_Technology_Act)

On 18th October the union cabinet of India has decided to amend IT act 2000
and decided to expand the scope of section 72 of the act to provide for criminal
liability in case of leak of information. "This will prevent any intermediary and
service provider, which has secured any material or information from a user entering
into a contract with it, from passing it on to others without the consent of the user.
Violations will invite imprisonment for a term of up to two years or fine of up to Rs 5
lakh (Rs 500,000) or both," an official of the department of information technology
said.
The amendment introduces 5 million rupees (equivalent to 5, 00,000 GBP)
penalty on any company found leaking sensitive information which will be paid as
damages to the affected party. This will cover all sensitive data or information which
a company may “own”, “possesses”, “control”, or “operate”.
The Cabinet has also approved a proposal to amend Section 43 of the IT Act,
under which a person involved in hacking of computers will be liable for punishment
of up to two years or fine of up to 5 lakh (5000 GBP approximately) or both. The
department of information technology is also keen to reduce crime like e-commerce
frauds through digital signatures and impersonation such as phishing, and identity
theft. It has proposed to insert a new section in the Indian Penal Code, under which
the punishment for identity theft may be extended to two years and a fine, while the
penalty for impersonation may be extended to 5 years and a fine

Recently, many cases related to theft of data have been reported and this time Indian
government is very keen to assure foreign investors about India’s sensitivity to their
concerns on data theft.

Offences and Section under IT Act

Tampering with Computer source documents- Sec.65

Hacking with Computer systems, Data alteration- Sec.66
Publishing obscene information- Sec.67
Un-authorized access to protected system- Sec.70
Breach of Confidentiality and Privacy- Sec.72
Publishing false digital signature certificates- Sec.73
NOTE: Sec.78 of I.T.Act empowers Deputy Supdt. Of Police to investigate cases
Falling under this Act. Sec.67

Computer Related Crimes Covered under IPC and Special Laws

Sending threatening messages by email- Sec 503 IPC

Sending defamatory messages by email- Sec 499 IPC
Forgery of electronic records- Sec 463 IPC
Bogus websites, cyber frauds- Sec 420 IPC
Email spoofing- Sec 463 IPC
Web-Jacking- Sec. 383 IPC
E-Mail Abuse- Sec.500 IPC

Page 53 / 107
Online sale of Drugs- NDPS Act
Online sale of Arms- Arms Act

Security is for all, No alternative and No option!!! Security is now a social issue
which can prevent loss, harm, save time, save money and work. Hacking is becoming
easy due to internet sites, complex coding, human errors, hence learning and teaching
security techniques is essential. Till now many information technology (IT)
professionals are not aware of Cyber Security and do not show interest in the cyber
crime phenomenon, hence awareness is important.

Only single or few security techniques are not sufficient to fight against cyber crime.
We need advance level of integrated security techniques because hackers have
developed new series of cracking techniques which are easily available on internet
and more importantly updated regularly. It is therefore necessary to create awareness
among user (mostly youngster) about various cyber crimes. It will help in preventing
many incidents of cyber crimes in future.

The term "Computer Forensics" was coined in 1991 in the first training session held
by the International Association of Computer Specialists (IACIS) in Portland, Oregon.
Since then, Computer forensics has become a popular topic in computer security
world and in the law enforcement. Like any other forensic science areas, computer
forensics deals with the application of law to a science. In this case, the science
involved is computer science and some refer to it as Forensic Computer Science.
Cyber Forensics is also known as Computer Forensics or Digital Forensics.

Cyber Forensics is the process of recovering evidences from Digital Medias.

According to Robbins’ definition, Computer Forensics involves the preservation,
identification, extraction and documentation of computer evidence stored in the form
of magnetically encoded information (data). Computer forensics has also been
described as the autopsy of computer storage Medias for evidence. Chris LT Brown
defined cyber forensics as ‘the art and science of applying computer science to aid the
legal processes’. A simpler definition would be ‘the examination of computers,
cyberspace and other electronic devices for evidence that might have forensic value’.

Cyber Crime is- Any crime or criminal activity related to Computer or Network.

Cyber-forensics, in common with forensic science, adheres to the forensic principles

of securing the crime scene, gathering, preserving and analyzing the evidence, and
presenting the evidence in a court of law as an expert witness.

Cyber Crime investigation process goes through: Collecting Evidence- Analysis of

Evidence- Opinion or Report Writing. There are four basic steps that are followed in
conducting a cyber forensic analysis: Identifying sources of evidence, Securing
evidence and preserving identified evidence, analyzing the evidence, Documenting
legally admissible evidence. A witness cannot show a jury the contents of a disk drive
by holding the physical disk drive up in front of them. The evidence must be
extracted in a way that preserves its evidentiary value, yet enables the court to see
exactly what is on that drive; Law enforcement wants reliable methods to extract such
evidence in a way that will pass muster with the courts

Page 54 / 107
Cybercrime is a growing and serious threat to individuals, business and government.
Cyber crimes have virtually no boundaries and may affect every country in the world.
Cybercrime is serious problem that require indepth study and serious consideration.
Cyber Crime is- Any crime or criminal activity related to Computer or Network.
Personal computers have become an inexpensive and yet powerful tool that can be
used in the furtherance of almost any criminal activity. The invention of the
information technology, computer, e-mail and internet has brought along with it
modern crimes like sending threatening e-mail, spamming, web cam hacking, hacking
e-mail, e-mail bombs, virus attacks etc.

“Hacker” is a term commonly applied to a “computer user who intends to gain

unauthorized access to a computer system.” And A “cracker” is a hacker with
criminal intent. No doubts there are no limit of hackers, cyber criminals and their fans
in world, but cyber forensic still facing lack of cyber forensic experts. Cyber forensics
can minimize cyber crime by motivating people and spreading awareness about cyber
laws with taking strict action against professional cyber criminal.

Every crime scene contains evidence; this is because of Locard’s Principle, this
principle is also applicable in Cyber Forensics, as every activity on computer
leaves its traces.

Cyber Forensics is the process of recovering evidences from Digital Medias.

A simpler definition would be ‘the examination of computers, cyberspace and other
electronic devices for evidence that might have forensic value’ but it is not limited up
to this, because Cyber Forensics can also help in detection and prevention of cyber
crimes.

Computer Forensic Science:

Computer forensic science was created to address the specific and articulated
needs of law enforcement to make the most of this new form of electronic evidence.
Computer forensic science is the science of acquiring, preserving, retrieving, and
presenting data that has been processed electronically and stored on computer media.

"Computer Forensics involves the preservation, identification, extraction and

documentation of computer evidence stored in the form of magnetically encoded
information (data)." (Robbins’ definition)

CYBER FORENSIC EXPERT:

Even though cyber forensics is a highly technical and specialized discipline, there are
no fixed educational qualifications criteria in order to pursue a career in cyber
forensics. To be a Cyber Forensic Expert, person should have a wide range of
knowledge and experience about- Cyber Forensics including Cyber Crimes, Hacking,
Spamming, Viruses, Tracking user activity, forensic imaging & Verification, Data
recovery and analysis, File types (extensions), Encryption, Password breaking etc
with basic understandings about programming languages & Operating systems like-
Windows, Linux, Mac, Java, Symbian etc. and also have knowledge about legal
issues, acts, laws, responsibilities etc related to digital evidence. Person must have
interest in Cyber Forensics, who enjoys the investigation process and have ability to

Page 55 / 107
work hours continuously, because evidence collection and analysis process takes lot
of times. A 40 GB hard disk takes near about 6 hours only for imaging and same
hours or even days to analysis. During examination of servers and their databases it
takes several months for imaging and analysis, due to their high storage capacity.
Disk imaging refers to copying the contents of a data storage device or medium, and
transferring this to another, similar medium or device. In its original context, disk
imaging implies the creation of an exact duplicate of a computer's hard disk drive -
including its programs, setup and data then storing this in a special, compressed file
format. Cyber Forensics Expert never works on Original or Evidence media. He first
create Image file of the original disk and check its signature (MD5 hash) for accuracy
and then follow all the investigation on duplicate media

Cyber Forensics Experts recover data from media, with Encase it is possible to
recover data after Deleting files, Formatting, Virus attack, Password protected files,
but some times this work becomes difficult when Hard disks are damaged, after
Overwritten of files, after wiping, (Wiper erases data by wiping its contents beyond
recovery, destroying its name and dates and finally removing it from disk) etc
When files are erased or deleted in DOS & Windows the content of the file is not
actually erased, Data from the erased files remains behind in an area called
unallocated storage space. Hence unallocated file space and file slack are both
important sources of leads for the Cyber forensics investigator.
Cyber Crime and Digital evidence can relate to Data theft, Online Banking frauds,
Virus attacks, Denial of Service, Hacking, Phishing, Net Extortion, Software Piracy,
Cyber stalking, Divorce cases, Murder cases, Pornography, Organized crime,
Terrorist operations, Smuggling etc

Cyber Forensic is a challenging and interesting field, which gives a job satisfaction.
Cyber forensic experts can find employment in both the government and the private
sector. Government sector employment is limited to the police and other law
enforcement agencies, with cyber crime departments in Delhi, Chennai, Mumbai,
Bangalore, Kolkata, Hyderabad, Chandigarh and Kerala. In the private sector, there
are great opportunities in IT and non-IT companies; and also, there are a lot of scope
for those wants to start independent consultancies and cyber forensic services. Some
of the major responsibilities for those involved with cyber forensics in the private
sector are to guard against data theft, implement security systems, and avoid cyber
attacks, to find security holes, prevent unauthorized access to system, and stop
hacking, virus and phishing attacks.

Patterson K. says the field of computer forensics requires a person able to deal with
highly technical subjects, yet articulate enough to explain and describe unerase to a
jury. He goes on to say that a computer forensics specialist must have the patience of
a wildlife photographer and the literary skills of Mark Twain.

Cyber forensics is an exciting field that energizes the students who pursue its study. It
behooves all computer science programs to develop one or more related courses to
meet the critical demand for professionals in this field.

Page 56 / 107
 CYBER CRIME EXAMINTION

Physical Forensic Imaging Live System

Analysis Analysis

Recovering Sterilizing the Volatile Evidence

Deleted Files Forensic Media Analysis

Unallocated Creating a Forensic Log Files as

Space Image Digital Evidence

Formatted Drives Verifying Image Evidence

Integrity Contamination

Slack Space Analysis of a Network &

Forensic Image History Analysis

Password Mounting the Image

Protected Files

Reducing our Search

Space Hash Analysis

Signature Analysis

Searching a Forensic
Image Keyword Searches

Swap file

File types search

Email Searches

Page 57 / 107
CYBER FORENSIC INVESTIGATION TOOLS:
Encase and Forensic Tool Kit (FTK) are the widely used tools in Cyber Forensics for
Recovery and Imaging of media, all over the world, Opinions based on Encase or
FTK are acceptable in any court of world. EnCase is a powerful combination of
integrated tools that facilitates seamless sharing of evidentiary data among examiners.
EnCase provides investigators with a single tool, capable of conducting large-scale
and complex investigations from beginning to end. EnCase Investigate and analyze
multiple platforms- Windows, Linux, AIX, OS X, Solaris and more and run on almost
all Operating systems. Logical Evidence Files function in EnCase let you selectively
choose exactly which files or folders you want to preserve, instead of acquiring the
entire drive. Unlike copying files from a device and altering critical metadata, logical
evidence preserves the original files as they existed on the media and include a wealth
of additional information such as file name, file extension, last accessed, file created,
last written, entry modified, logical size, physical size, MD5 hash value, permissions,
starting extent and original path of the file. Examiners can sort files according to 30
different fields, including all four time stamps (File Created, Last Accessed, Last
Written and Entry Modified), file names, file signatures and extensions, hash value,
full path, permissions. EnCase also provide hardware analysis, file signature analysis,
registry tracker, automatic report generation and much more. It helps in solving cases
within less time. These tools plays very important role in Cyber Forensics
Investigation, but many times success is depend upon the expert’s knowledge, skill
and experience; thus expert’s evidence searching skill helps to solve mystery of
crime.

Investigative Tools and Electronic Crime Scene Investigation

Forensic computer investigators have a number of software tools and utilities
available for their use in analyzing a suspect’s computer. A list of some of the tools
available is as follows:
• Safeback
• Maresware
• DIBs Mycroft, version 3
• Snap Back Dot Arrest
• Encase
• ntrack
• Capture It
• DIBS Analyzer
• Data Lifter
• Smart
• Forensic X

DIGITAL / ELECTRONIC EVIDENCES:

The Digital Evidences founds in Hard Disks, CDs, DVDs, Floppies, USB Drives (Pen
Drives) and Memory Cards, Tapes, Cell Phones, Servers and Computer networks etc
Everyone who uses a computer for any purpose leaves digital evidence (Trail /
Traces). This digital evidence can reveal many things: what files were accessed,
when and by whom; what files were modified, when and by whom; and what Internet
sites have been visited, and which of those are stored in cache memory to name only a
few. The operating system creates this evidence in part for the purpose of facilitating
file access and speeding access to Internet sites often visited. From a purely

Page 58 / 107
functional standpoint, such a evidence can be a valuable feature. For example, Web
sites stored in local RAM or disk cache eliminates the need to wait for those Web
pages to re-download each time the user visits them. Especially where there is a dial-
up connection, such functionality saves a great deal of time. However when a person
utilizes a computer to commit a crime, this trail serves another valuable purpose as a
pathway to evidence. Many computer users falsely believe that when they delete a file
from their computer, it is gone. However, while various operating systems deal with
file deletion in different ways, they generally delete only the reference to the file and
not the actual file itself. For example, in Microsoft FAT file systems, when a file is
deleted, the operating system simply replaces the first character of the filename with
the lowercase sigma character (). This tells the operating system that the file is no
longer available and the disk space it once occupied is now unallocated and can
receive new data. However, until that file space receives new data and overwrites the
old file, the deleted file remains exactly as it was except for the first character of the
filename. Therefore when a criminal tries to eliminate evidence from a computer by
using a simple file delete, the digital trail remains. In fact, this trail of computer
evidence often provides law enforcement with evidence of intent and patterns of
criminal behavior in a given case.

EnCase Forensic: GENERAL PROCEDURES

The following outlines standard processing procedures used in examining fixed and
removable media. Selecting which procedures are appropriate is at the discretion of
the computer forensic examiner, in consultation with the case officer. Decisions on
which techniques are used depend on the facts of the case and information presented
by the investigator, coupled with training and experience of the computer forensic
examiner. No two cases of forensic examination are exactly alike due to these and
other factors.
1. The examining computer system is a sheriff's office-owned, DOS-based
Gateway E-3000 running under MS-DOS and Windows. The system is equipped with
one 3.5" floppy drive, a read-only CD-ROM drive, another CD-ROM that is writeable
(able to "burn" or copy evidentiary information from suspect files) and an external
Iomega 100 mb zip drive. The zip drive and floppy drive are both capable of
reading/writing to removable media. The primary government media for examining
images of a SUBJECT's computer is a 40-gigabyte hard drive in a removable hard
drive bay. The machine has an additional removable hard drive bay where we can
place a SUBJECT's IDE hard drive for direct drive-to-drive imaging, as well as a
SCSI cable we can use to acquire an image from a SUBJECT's SCSI hard drive. In
addition, we have a Hewlett Packard SureStore T20 tape drive attached that we can
use to back up evidentiary files up to 10 gigabytes native or 20 gigabytes in a
compressed format.
2. Prior to analyzing the hard drives from the CPUs seized, we use EnCase to
make an exact duplicate of each hard drive. These image files are then archived to the
HP SureStore tape drive for future reference, and, if necessary, can be transferred to a
write-able CD-ROM or a larger-capacity Travan 20-gig tape for investigators and
prosecutors, and eventually for use in the discovery process.
3. EnCase, a forensic data acquisition program for Windows, is based on law
enforcement specifications and requirements. It reads all DOS and Windows hard disk
and removable media, including FAT 32 drives, and allows the forensic investigator
to save an exact snapshot of a disk to an evidence file, including hidden and deleted

Page 59 / 107
files, even the data contained in unallocated disk space and partitions. Every file is an
exact, sector-by-sector copy of a floppy, zip disk or hard disk; every byte of the file
verified using a 32-bit CRC (cyclical redundancy check -- similar to a checksum). In
essence, this compares two very large, unique numbers to one another to say, for a
certainty, that the evidence file created matches exactly the files captured from the
original media. That way, the forensic examiner can assure investigators, attorneys,
and indeed judge and jury, if necessary that the two match and have not been altered
in any way. Odds that two different strings produce the same CRC are roughly 1 in 4
billion.
4. EnCase allows us to tie directly into the suspect computer with our evidence
processing computer via a standard null modem cable and do a duplicate image so
that we search and work on the image of the original evidence, and do not do the
examination directly on the suspect's files, which prevents alteration of any kind. We
can also remove the hard drive from the SUBJECT's machine and place it in the
evidence processing machine to acquire an image drive-to-drive, which is faster than
the parallel-port method.
5. We can use EnCase to view files without changing the file contents or time
stamps, and to acquire, authenticate and build a case out of the most common types of
media -- floppies, zip disks, jaz, and all IDE and SCSI hard disks.
6. EnCase allows us to quickly search a hard drive by keywords, cutting down
on investigative time and preventing access to computer files not the subject of the
examination by virtue of a specific search warrant. The program allows us to pull up
and view deleted files automatically, see fragments of information in the "slack"
(where bits of erased files reside until overwritten), and bookmark interesting files
and file segments to come back to later or to save to another media for permanent
storage of evidence. We can also export any part of a file, any selected files, or even
an entire folder or tree (folders, subfolders, and files) with ease. We can also restore
an entire hard disk volume back to its original state.
7. EnCase allows us to view graphic files (possible pornography) in a
"thumbnail" view that can be easily copied or put on a CD-ROM, making it
unnecessary to use other computer investigative software.
8. The EnCase program prints nicely formatted reports that show the contents
of the case, dates, times, investigators involved, and information on the computer
system itself. Those reports are enclosed with the "Computer Forensic Investigative
Analysis Report."
9. In processing these machines, we use the EnCase DOS version to make a
"physical" image; in other words, we got the entire hard drive, without being selective
as to files captured in the EnCase image file. We then copy what we find to disks to
relay to investigators, district attorney's office, and the defense. Following
examination, we make a copy of the EnCase image file and evidentiary files "saved,"
and back them up on a Travan Technology 20-gigabyte cartridge in case law
enforcement investigators or 10th Judicial District investigators and attorneys need
other questions answered from this computer seizure. We then return the original
evidence in the SUBJECT's computers with hard drive intact (nothing changed) to the
submitting agency's evidence room.

Overview of What A Forensic Examiner Can Do With EnCase:

• Determine whether a computer system contains evidence and is within the scope of
our investigation
• View files without changing the file contents or time stamps

Page 60 / 107
• Acquire, authenticate and build a case out of the most common types of media.
Read:
• Floppies
• Zips
• Jaz
• All IDE and SCSI hard disks etc…
• Do a basic keyword search of the entire case using any number of search terms
• Do advanced searches using the powerful UNIX GREP syntax
• Sort files according to any number of fields, including all three time stamps
• Bookmark interesting files and file segments and save these for future browsing
• Export any part of a file, any selected files, or even entire folder trees with ease
• Restore entire disk volumes back to their original state
• Recognize and validate file signatures and add your own signatures
• Browse basic file system artifacts such as the swap file, file slack and spooler files,
and the recycle bin
• Recover printed and faxed pages just as they came out on the printer
• Prepare computer evidence for court presentation
• View the entire case at once
• Print a nicely formatted report that shows:
• Contents of the case
• Dates
• Times
• Investigators involved
• A graphical map that shows disk allocation by cluster or sector including
layout of any file
• Access a bookmark table to show a list of every bookmark the examiner
created for easy reference and locating evidence found later for case consultation and
presentation
• Access a search view that shows every search with the results
• Remotely preview a computer with a parallel cable, without creating an
image file first
• View and copy files (even graphics) without changing a bit of the suspect
drive
• Perfect for quick searches and overviews of the SUBJECT's computer when
consent is obtained to search
• View graphic files in a “thumbnail” view that can be easily copied or put on
a CD-ROM

What is EnCase?
A forensic data acquisition and analysis program for Windows, Based on law
enforcement specs and requirements
Purpose: To aid in computer-related investigations

EnCase Features
• Read all DOS and Windows hard disks and removable media, including new
FAT32 drives
• Password protect any piece of evidence to control chain of custody
• Save an exact snapshot of a disk to an evidence file, including
• hidden and unallocated disk space and partitions
• Combine evidence files to create a case that you can search as a unit

Page 61 / 107
 • View files without changing file contents or time stamps
• View, search, filter and sort every file from every disk and computer in the
case in
• one pass; see the results graphically on the screen
• Graphical Allocation Map shows a disk cluster by cluster
• Formatted report shows all case-related information
• Powerful search features include background search and GREP keywords

System Support
• Hardware and software RAIDs.
• Dynamic disk support for Windows 2000/XP/2003 Server
• Interpret and analyze VMware, Microsoft Virtual PC, DD and
• SafeBack v2 image formats.
• File systems: Windows FAT12/16/32, NTFS; Macintosh HFS, HFS+;
• Sun Solaris UFS, ZFS; Linux EXT2/3; Reiser; BSD FFS, FreeBSD’s
• Fast File System 2 (FFS2) and FreeBSD’s UFS2; Novell’s NSS &
• NWFS; IBM’s AIX jfs, JFS and JFS with LVm8; TiVo Series One and Two;
CDFS; Joliet; DVD; UDF; ISO 9660; and Palm

Internet and Email Investigation

• Browser History Analysis
• Internet artifacts
• WEB History & cache analysis
• HTML carver
• HTML page reconstruction
• Kazaa toolkit
• Instant Messenger toolkit - Microsoft® Internet Explorer,
• Mozilla Firefox, Opera and Apple Safari

Email Support Includes

• Outlook PSTs/OSTs (‘97–‘03)
• Outlook Express DBXs
• Microsoft Exchange EDB Parser
• Lotus Notes v6.0.3, v6.5.4 and v7
• AOL 6.0, 7.0, 8.0 and 9.0 PFCs
• Yahoo
• Hotmail
• Netscape Mail
• MBOX archives

Acquiring evidence...
• Make a “logical” image with the Windows version, or
• Make a “physical” image with the DOS version (EN.EXE)
• To create an evidence file in Windows:
• Click “Create” button, or select FILE-CREATE EVIDENCE FILE
• Select the volume you want to scan
• NEXT

Page 62 / 107
• Choose highest level of lock you can for the media
• NEXT
Choose the level of compression
• Specify output file
• NEXT
• Fill in all relevant case information
• Use notes to describe where you found the disk/system
• NEXT
• Enter password to protect evidence file, if necessary
• FINISH
• EnCase starts creating an evidence file. Progress bar indicates bytes read and time to
completion.

Installation-
• One small floppy disk
• Run
• A:\SETUP
• OK
• To run EnCase, either:
• Double-click icon, or
• START-PROGRAMS-ENCASE
• Hardware key (dongle) is necessary to use the copyrighted program
• Activates complete features of EnCase
• Place on parallel port before starting EnCase program

Acquiring evidence-
• Make a “logical” image with the Windows version, or
• Make a “physical” image with the DOS version (EN.EXE)
• To create an evidence file in Windows:
• Click “Create” button, or select FILE-CREATE EVIDENCE FILE
• Select the volume you want to scan
• NEXT
• Choose highest level of lock you can for the media
• NEXT
• Choose the level of compression
• Specify output file
• NEXT
• Fill in all relevant case information
• Use notes to describe where you found the disk/system
• NEXT
• Enter password to protect evidence file, if necessary
• FINISH
• EnCase starts creating an evidence file. Progress bar indicates bytes read and time to
completion.

Source- Standard Operating Procedures, Pueblo High-Tech Crimes Unit,

Investigative and Technical Protocols, "EnCase Forensic Imaging and Evidence
Acquisition" 2 June 2000; Cmdr. Dave Pettinari, Pueblo County Sheriff's Office

Page 63 / 107
The Digital Evidences are often hidden or found in Stored files, Deleted files,
Formatted Partitions, Erased Disks, Hidden in pictures, Encrypted files, Password
protected files, Deleted E-mails, Chat History, Cache, Cookies, Visited URLs,
Installed software’s, Log files, System Restore Points, Windows Event Logs, Website
and Network traffic, File with unknown extensions or no extensions, Files with
changed extensions and other suspicious files.

Negligence is mostly responsible for the Cyber crime, carelessness or negligence

during protecting the computer system, which provides hole to a cyber criminal, to
gain access and control over the computer system.

The computers operating systems are composed of millions of codes. Human mind is
fallible and it is not possible that there might not be a lapse at any stage. The cyber
criminals take advantage of these lacunas and penetrate into the computer system.

Computer forensic tools and procedures are also used to identify computer security
weaknesses and the leakage of sensitive computer data.

Cyber security has become a critical concern of government, law enforcement, and
industry. Personal computers have become an inexpensive and yet powerful tool that
can be used in the furtherance of almost any criminal activity.

Every crime scene contains evidence; this is because of Locard’s Principle, this
principle is also applicable in Cyber Forensics, as every activity on computer
leaves its traces. When the internal state of a computer or network is altered by the
intervention of an unauthorized agent, be it human, software or hardware, the
mathematical-logical tests and deep examination is required to detect and interpret
this state of change.

In India, Cyber Forensics is a special division in Forensic Science Laboratory, or

attached with Physical Sciences and Questioned Document division.

Many youngsters ask and request us to teach hacking. They have keen interest in
hacking, but important fact is that, anybody doesn’t want to work for law
enforcement, and they are not aware about Cyber Laws, they only want to enjoy
hacking by breaking password of friends mail account and interested to see others
personal data. This is very serious structure about current generation.

One real case:

Cyber Crime Investigation Cell, Crime Branch, CID, Mumbai has registered a case
u/s 66 of IT Act, sec 419, 420, 465, 468, 471 of I.P.C. r/w Sections 51, 63 and 65 of
Copyright Act, 1957 which attract the punishment of 3 years imprisonment and fine
up to 2 lac rupees . It is a case of Phishing. One accused has been arrested in this case
who is from a respectable family having professional qualification.
The Investigation was carried out with help of emails received by the customers of the
financial Institution and accused was arrested. The profile of the accused is as given
below:-
Qualification: – B Sc. (Computer Application) and studying MBA, Having very
good knowledge of Programming and Network Security.

Page 64 / 107
Occupation: He was teaching Programming and Network security at local classes
and having good job of Network security in a reputed company.
Family Back Ground: – One of his brother is in USA as Programmer with a reputed
company. Father is retired person and mother is housewife.
- He was teaching Programming and Network security at local classes and having
good job of Network security in a reputed company. Family Back Ground: – One of
his brother is in USA as Programmer with a reputed company. Father is retired person
and mother is housewife.
Reason for committing Crime: - He wanted to show his ability in cyber space and
thus acted with a false sense of bravado thinking that he will not be caught as he was
using USA anonymous server.
Moral = 1) Law is same for all i.e. educated professionals or illiterates.
2) Please do not test the comptense of law enforcement agencies.
(Source- www.cybercellmumbai.com)

Examining an E-mail Header:

The email header is the information that travels with every email, containing details
about the sender, route and receiver. These headers may help to track the source of
spam. Full header will have information such as the mail servers name that the email
passed through on its way to the recipient, recipient and sender's IP address and even
the name of the email program and its version used. This information is essential for
analysis and investigation purposes on cases involving email abuse, spamming,
mailbombing.

Mobile phone spam is a form of spamming directed at the text messaging service of
a mobile phone. It is described as mobile spamming, SMS spam or SpaSMS but is
most frequently referred to as m-spam.
As the popularity of mobile phones surged in the early 2000s, frequent users of text
messaging began to see an increase in the number of unsolicited (and generally
unwanted) commercial advertisements being sent to their telephones through text
messaging. This can be particularly annoying for the recipient, because unlike email,
it is usually difficult or impossible to delete an SMS message without reading it.
In addition, most cell phone providers charge a fee for every message received,
including spam, placing users in the unenviable position of having to pay to receive
unwanted spam on their mobile phones.
Some telecommunications providers believe that SMS spam is going to be the next
big challenge as the fast development of technology allows SMS spam to be sent at
relatively low cost using Internet SMS portals.
This is an era of technology and one cannot live without computers, camera phones
and internet. When there are good uses of these technologies there are mal intentions
and misuses of such technologies. One has to learn to live with these technological
innovations but on the other hand he has to be made aware about the pros and cons of
them.

CYBER FORENSIC LAB

Cyber Forensics Workstation:
Forensic Software Tools-
• Encase (Guidance Software's)
• Forensic Toolkit (AccessData's FTK),

Page 65 / 107
 • CyberCheck (C-DAC’s)
• Operating System- Microsoft Windows XP
• DIBS® Mycroft High Speed Search Engine
• Password Recovery Toolkit
• Registry Viewer
• DVD CD Authoring software
• Various forensic analysis utility programs
• X-Ways Forensic Tools
• Windows XP Legal Copy
• Microsoft Office Legal Copy
• Adobe PhotoShop Legal Copy
• Advanced Windows Care
• K-Lite Codec Pack
• Decryption Tools
• Security Auditing Tools
• Mobile Forensic Tools
• SIM Card Data Recovery Tools etc..

Forensic Hardware Tools-

• Forensic software fully installed and configured on the forensic drive primary
partition
• Powerful computer systems with standard peripherals like CD-ROM drives
and CD-writers, desktop and laser printers, scanners etc.
• Storage devices for making bit-stream copies or clones of the suspect storage
media
• Card readers. e.g., MMC, SD, MicroDrives, Flash cards.
• USB external CD Writers for taking back-up of information retrieved from
various storage media.
• A wide array of connectors for connecting various hardware devices
• Laptop Hard Disk Drive examination tools, PCMCIA Cards and Drives
• External CD Writers for portability
• Fast disk imaging and cloning
• Various kinds of removable storage media (e.g., JAZZ Cartridges and ZIP
cartridges)
• Inverter, UPS, cooling system and Secure work Environment.
• Other kinds of electronic storage devices (Compact Flash, Smart Media,
Memory Stick)
• IDE hard drives, SCSI hard drives
• Write protect devices to prevent any information being written on to the
suspect storage media
• Additional storage devices for making bit-stream copies or clones of the
suspect storage media for examination purposes
• SIM Card-reader, Smart Card Reader and Barcode reader.
• 17" TFT flat screen "non-glare" monitor
• Cyber Forensic Work Station
• ForensicQuest Disk Imaging Tool
• FastBloc

Page 66 / 107
 • Blank Hard Disks
• CelleBrite Mobile Tool
• And other tools…

No doubts there are no limit of hackers, cyber criminals and their fans in world, but
cyber forensic still facing lack of cyber forensic experts. Cyber forensics can
minimize cyber crime by motivating people and spreading awareness about cyber
laws with taking strict action against professional cyber criminal.

The challenge for cyber forensic expert is to collect and protect digital evidence in
such a manner that its evidentiary value is preserved and admissible in court. Like the
forensics of traditional physical evidence such as questioned documents, fingerprints,
bloodstains, ballistics, and DNA, digital evidence requires careful collection, chain of
custody documentation, access management, diligence, and attention to detail. Unlike
traditional forensics however, the forensics of digital evidence requires specialized
knowledge of computer technology (both hardware and software). Therefore, this
represents a major adjustment in some of the procedures followed by law
enforcement. For law enforcement, the challenge is to find people with these skills,
and provide them with the tools and up-to-date training they need. The challenge for
cyber forensics programs across the world is to meet the critical need for trained
personnel in the field of cyber forensics.

For Detailed Information and References please refer e-Books provided in CD

Recommended Study and Reference Books-

• Cyber Forensics: Concepts and Approaches- Ravi Kumar Jain B

• Cyber Forensics: A Field Manual For Collecting, Examining, And Preserving
Evidence Of Computer Crimes, (Information Security) by Doug Menendez,
Marcella Albert J. Jr.
• Cyberlaw In India- Mr. Pavan Duggal
• Cyber Crime in India- Dr M Dasgupta
• Cyber Crimes- Virendra K. Pamecha
• Cyber Crimes Detention and Prevention- Ashish Pandey
• Cyber Crimes, Electronics Evidence & Investigation Legal Issues- Vivek Sood
• and other

Page 67 / 107
 Setting of browser security to high level because malicious hackers and
virus writers can infect your computer by taking advantage of low
security settings in your e-mail and Web browsing software.

It is an anti-piracy security system created by Microsoft, It appears when pirated windows is installed
and then updated online.

Page 68 / 107
Phishing E-mail (Fake E-mail) received from hacker to collect HDFC account information.

Page 69 / 107
Header Information of Phishing E-mail (Fake E-mail) received from hacker to collect HDFC
account information.

Page 70 / 107
Phishing E-mail 2 (Fake E-mail) received from Hacker to collect HDFC account information.

Page 71 / 107
Header information of Phishing E-mail (Fake E-mail) received from Hacker to collect HDFC
account information.

Genuine Web Page of Internet Banking site of HDFC Bank.

Page 72 / 107
Genuine E-mail Received From HDFC Bank.

E-mail Header of Genuine E-mail Received From HDFC Bank.

Page 73 / 107
E-Mail Tracing for Traveling Route of Genuine E-mail Received From HDFC Bank.

Page 74 / 107
E-Mail Tracing for Traveling Route of Fake / Phishing E-mail Received From Hacker.

Page 75 / 107
Fake / Phishing / Spoofed E-mail Received From Hacker.

Page 76 / 107
Fake / Phishing / Spoofed E-mail Received From Hacker.

Page 77 / 107
Genuine Web Pages of Axis Internet Banking

Fake / Phishing / Spoofed website of Axis Bank Designed by Hacker

Page 78 / 107
Virtual Credit Card:
This is a New & Advanced Virtual Credit Card System of HDFC Bank, having ability to create new
card each time during purchasing online in any amount and automatically expire it within 24 hours,
Very Safe and secure way for online transactions.

Genuine Web Site of IDBI Bank with trusted security sign

Page 79 / 107
Fake / Phishing / Spoofed E-mail of IDBI Bank Sent by Hacker

Page 80 / 107
Anti-Phishing Feature of Google Chrome Browser shown after clicking on link provided in E-Mail
or website

Parameters to detect and identify difference between Fake and genuine website /
mails

Sr. No. Parameter / Details Genuine Content Fake / Phishing

1 Request to verify account No1 Yes2
2 Request for account details No1 Yes2
3 Spelling / Grammar Mistakes No1 Yes2
4 Genuine HTTPS URL Yes1 No2
5 Security Sign / Pad Lock Icon Yes1 No2
6 Genuine path after header tracing Yes1 No
7 Account Deletion warning E- No1 Yes2
mails
8 Account Errors warning E-mails No1 Yes
9 Good Quality of Web Site Yes2 Yes2
Interface and Information
10 Urgency / Doubtful Content No1 Yes2

Yes1= strictly present Yes2= May be present No1= strictly ascent No2= May be
ascent

Page 81 / 107
Advanced Windows Care Error Detection Results, Showing Errors Found in PC

Note: Advanced Windows Care has a one-click approach to helping protect, repair, clean, and
optimize PC. Safely cleans registry junk, compacts registry bloats and defragment the whole registry
for maximum performance. Detect and analyze Windows security environment. Scans and removes
spyware and adware using up-to-date definition files. Prevents spyware, hackers and hijackers from
installing malicious items on computer. Erases and updates PC’s activity history.

Page 82 / 107
 Advanced Windows Care Error Fixing/Removal Results, Showing Errors Fixed in PC

Note: Most useful are the startup manager, which shows you all the programs that run on startup,
and lets you kill any you no longer want to start; a Registry fixer, that fixes invalid or incorrect
Registry entries and values; and a system optimizer, which alters the way Windows runs, in order to
improve performance. There are a slew of other tools as well, such as a spyware remover, junk file
cleaner, and privacy sweeper. And there are also some very good tools for showing details about
your hardware and software configuration.

Page 83 / 107
 Digital Signature Certificate for Authentication and Encryption of E-mails, Files and Documents

Note: A digital signature certificate is basically a way to ensure that an electronic document (e-mail,
word document, spreadsheet, text file, software etc.) is authentic and trusted. Authentic means that
you know who created the document and you also know that it has not been altered in any way since
that person created it. It has same value as handwritten signature, Digital Signatures are legally
admissible in a Court of Law, as provided under the provisions of IT and authority provides DSC to
user after verification of identity of person and authentication.

Fore more please visit- www.forensic.co.in/study and www.forensic.tk

Page 84 / 107
 COMPUTER FINGERPRINTING

Introduction:
Computer Fingerprinting is the process of recovering evidences from Digital Medias.
In law enforcement and IT professional commonly known as Cyber Forensics.
According to Robbins’ definition, Computer Forensics involves the preservation,
identification, extraction and documentation of computer evidence stored in the form
of magnetically encoded information (data). Computer forensics has also been
described as the autopsy of computer storage Medias for evidence. Chris LT Brown
defined cyber forensics as ‘the art and science of applying computer science to aid the
legal processes’. A simpler definition would be ‘the examination of computers,
cyberspace and other electronic devices for evidence that might have forensic value’.
This process of collecting evidence is similar as Brain Fingerprinting and DNA
Fingerprinting.

Computer Fingerprinting
Every crime scene contains evidence; this is because of Locard’s Principle, this
principle is also applicable in Cyber Forensics, as every activity on computer leaves
its traces. When the internal state of a computer or network is altered by the
intervention of an unauthorized agent, be it human, software or hardware, the
mathematical-logical tests and deep examination is required to detect and interpret
this state of change, this changes are detected and investigated in Computer
Fingerprinting by Cyber Forensics Expert.

Computer Fingerprinting and Cyber Forensics investigation process goes through:

Collecting Evidence- Analysis of Evidence- Opinion or Report Writing. There are
four basic steps that are followed in conducting a cyber forensic analysis: Identifying
sources of evidence, Securing evidence and preserving identified evidence, analyzing
the evidence, Documenting legally admissible evidence. A witness cannot show a jury
the contents of a disk drive by holding the physical disk drive up in front of them.
The evidence must be extracted in a way that preserves its evidentiary value, yet
enables the court to see exactly what is on that drive; Law enforcement wants reliable
methods to extract such evidence in a way that will pass muster with the courts

Cyber Crime Statistics from the 2006 Internet Crime Report*

1. In 2006, the Internet Crime Complaint Center received and processed over
200,000 complaints.
2. More than 86,000 of these complaints were processed and referred to various
local, state, and federal law enforcement agencies.
3. Most of these were consumers and persons filing as private persons.
4. Total alleged dollar losses were more than $194 million.
5. Email and websites were the two primary mechanisms for fraud.

Computer Fingerprinting Tools-

Encase (Guidance Software’s)and Forensic Tool Kit (FTK, Access Data) are the
widely used tools in Cyber Forensics for Recovery and Imaging of media, all over the
world, Opinions based on Encase and FTK are acceptable in every court of world.
EnCase is a powerful combination of integrated tools that facilitates seamless sharing
of evidentiary data among examiners. EnCase provides investigators with a single

Page 85 / 107
tool, capable of conducting large-scale and complex investigations from beginning to
end. EnCase Investigate and analyze multiple platforms- Windows, Linux, AIX, OS
X, Solaris and more and run on almost all Operating systems. Logical Evidence Files
function in EnCase let you selectively choose exactly which files or folders you want
to preserve, instead of acquiring the entire drive. Unlike copying files from a device
and altering critical metadata, logical evidence preserves the original files as they
existed on the media and include a wealth of additional information such as file name,
file extension, last accessed, file created, last written, entry modified, logical size,
physical size, MD5 hash value, permissions, starting extent and original path of the
file. Examiners can sort files according to 30 different fields, including all four time
stamps (File Created, Last Accessed, Last Written and Entry Modified), file names,
file signatures and extensions, hash value, full path, permissions. EnCase also provide
hardware analysis, file signature analysis, registry tracker, automatic report generation
and much more. It helps in solving cases within less time. These tools plays very
important role in Cyber Forensics Investigation, but many times success is depend
upon the expert’s knowledge, skill and experience; thus expert’s evidence searching
skill helps to solve mystery of crime.

The main purpose of computer fingerprinting is recovering and finding the digital or
electronic evidences, left by criminal. The Digital Evidences are often hidden or
found in Stored files, Deleted files, Formatted Partitions, Erased Disks, Hidden in
pictures, Encrypted files, Password protected files, Deleted E-mails, Chat History,
Cache, Cookies, Visited URLs, Installed software’s, Log files, System Restore Points,
Windows Event Logs, Website and Network traffic, File with unknown extensions or
no extensions, Files with changed extensions and other suspicious files.

In Computer fingerprinting primary step is imaging and recovering evidences,

recovery of data is possible because, when files are erased or deleted in DOS &
Windows the content of the file is not actually erased, Data from the erased files
remains behind in an area called unallocated storage space. Hence unallocated file
space and file slack are both important sources of leads for the Cyber forensics
investigator. Cyber Crime and Digital evidence can relate to Data theft, Online
Banking frauds, Virus attacks, Denial of Service, Hacking, Phishing, Net Extortion,
Software Piracy, Cyber stalking, Divorce cases, Murder cases, Pornography,
Organized crime, Terrorist operations, Smuggling etc

Legal provisions
The Indian parliament considered it necessary to give effect to the resolution by
which the General Assembly adopted Model Law on Electronic Commerce adopted
by the United Nations Commission on Trade Law. As a consequence of which the
Information Technology Act 2000 was passed and enforced on 17th May 2000.the
preamble of this Act states its objective to legalize e-commerce and further amend the
Indian Penal Code 1860, the Indian Evidence Act 1872, the Banker’s Book Evidence
Act1891 and the Reserve Bank of India Act 1934. The basic purpose to incorporate
the changes in these Acts is to make them compatible with the Act of 2000, So that
they may regulate and control the affairs of the cyber world in an effective manner.

The Information Technology Act deals with the various cyber crimes in chapters IX
& XI. The important sections are Ss. 43,65,66,67. Section 43 in particular deals with
the unauthorized access, unauthorized downloading, virus attacks or any contaminant,

Page 86 / 107
causes damage, disruption, denial of access, interference with the service availed by a
person. This section provide for a fine up to Rs. 1 Crore by way of remedy. Section 65
deals with ‘tampering with computer source documents’ and provides for
imprisonment up to 3 years or fine, which may extend up to 2 years or both. Section
66 deals with ‘hacking with computer system’ and provides for imprisonment up to 3
years or fine, which may extend up to 2 years or both. Further section 67 deals with
publication of obscene material and provides for imprisonment up to a term of 10
years and also with fine up to Rs. 2 lakhs.
Some acts of IPC and CrPC are also applicable to Cyber Crime.

(Source: Parthasarathi Pati, Superintendent of Police, Cyber Crime Investigation Cell, New Delhi)

Future and Challenges

Computer fingerprinting is legal process of investigation, but due to lack of awareness
and expert this area is still facing many problems during fighting against cyber
crimes. No doubts there are no limit of hackers, cyber criminals and their fans in
world, but cyber forensic still facing lack of cyber forensic experts. Cyber forensics
can minimize cyber crime by motivating people and spreading awareness about cyber
laws with taking strict action against professional cyber criminal.

In Computer fingerprinting the challenge for cyber forensic expert is to collect and
protect digital evidence in such a manner that its evidentiary value is preserved and
admissible in court. Like the forensics of traditional physical evidence such as
questioned documents, fingerprints, bloodstains, ballistics, and DNA, digital evidence
requires careful collection, chain of custody documentation, access management,
diligence, and attention to detail. Unlike traditional forensics however, the forensics
of digital evidence requires specialized knowledge of computer technology (both
hardware and software). Therefore, this represents a major adjustment in some of the
procedures followed by law enforcement. For law enforcement, the challenge is to
find people with these skills, and provide them with the tools and up-to-date training
they need.

Page 87 / 107
 Introduction to “Computer Networking”
Issued by- National Centre for Technology in Education (NCTE)

1.0 Introduction

The purpose of the networking guidelines are as follows:

• to assist schools in understanding the benefits of networking

• to help schools place in context their current stage of networking development
in their school.
• to assist schools in planning the next stage of network development in their
school.
• to provide standard networking ‘models’ and best practice to schools that will
assist schools in their network planning.

This document includes information under the following main headings:

• Introduction to Networking
• Advantages of Networking
• Types of Networks
• Models of networking appropriate to schools
• NCTE recommendation to schools
• Some relevant terms.

1.1. Basic of Networking

A computer network consists of a collection of computers, printers and other
equipment that is connected together so that they can communicate with each other
(see Advice Sheet 17 on the ICT Planning for schools pack). Fig 1 gives an example
of a network in a school comprising of a local area network or LAN connecting
computers with each other, the internet, and various servers.

Access to: File and Print Server

Internet content & CD or Multimedia
learning resources, Servers
Scoilnet etc Printers , Scanners etc
Users
Email communication
computers
Cache, Proxy,
Filtering, Firewall
Server

School ‘Local Area

Modem or Router
Network’ (LAN)

Other users,
computers

Fig 1: Representation of Network in a school.

Page 88 / 107
Broadly speaking, there are two types of network configuration, peer-to-peer
networks and client/server networks.

Peer-to-peer networks are more commonly implemented where less then ten
computers are involved and where strict security is not necessary. All computers have
the same status, hence the term 'peer', and they communicate with each other on an
equal footing. Files, such as word processing or spreadsheet documents, can be shared
across the network and all the computers on the network can share devices, such as
printers or scanners, which are connected to any one computer.

Peer to Peer
Network

Fig 2: Peer to Peer Networking

Client/server networks are more suitable for larger networks. A central computer, or
'server', acts as the storage location for files and applications shared on the network.
Usually the server is a higher than average performance computer. The server also
controls the network access of the other computers which are referred to as the 'client'
computers. Typically, teachers and students in a school will use the client computers
for their work and only the network administrator (usually a designated staff member)
will have access rights to the server.

File Server

Other
equipment

Fig 3: Client - Server Networking

Table 1 provides a summary comparison between Peer-to-Peer and Client/Server Networks.

Page 89 / 107
 Peer-to-Peer Networks vs Client/Server Networks
Peer-to-Peer Networks Client/Server Networks
• Easy to set up • More difficult to set up
• Less expensive to install • More expensive to install
• A variety of operating systems can be supported on
• Can be implemented on a wide range of
the client computers, but the server needs to run an
operating systems
operating system that supports networking
• More time consuming to maintain the • Less time consuming to maintain the software
software being used (as computers must be being used (as most of the maintenance is managed
managed individually) from the server)
• Very low levels of security supported or • High levels of security are supported, all of which
none at all. These can be very cumbersome to are controlled from the server. Such measures prevent
set up, depending on the operating system the deletion of essential system files or the changing
being used of settings
• Ideal for networks with less than 10 • No limit to the number of computers that can be
computers supported by the network
• Requires a server running a server operating
• Does not require a server
system
• Demands that the network administrator has a high
• Demands a moderate level of skill to
level of IT skills with a good working knowledge of a
administer the network
server operating system

Table 1: Peer-to-Peer Networks vs Client/Server Networks

Components of a Network
A computer network comprises the following components:
• A minimum of at least 2 computers
• Cables that connect the computers to each other, although wireless
communication is becoming more common (see Advice Sheet 20 for more
information)
• A network interface device on each computer (this is called a network
interface card or NIC)
• A ‘Switch’ used to switch the data from one point to another. Hubs are
outdated and are little used for new installations.
• Network operating system software

Structured Cabling
The two most popular types of structured network cabling are twisted-pair (also
known as 10BaseT) and thin coax (also known as 10Base2). 10BaseT cabling looks
like ordinary telephone wire, except that it has 8 wires inside instead of 4. Thin coax
looks like the copper coaxial cabling that's often used to connect a Video Recorder to
a TV.

10BaseT Cabling
When 10BaseT cabling is used, a strand of cabling is inserted between each computer
and a hub. If you have 5 computers, you'll need 5 cables. Each cable cannot exceed
325 feet in length. Because the cables from all of the PCs converge at a common
point, a 10BaseT network forms a star configuration.
Fig 4a shows a Cat5e cable, with a standard connector, known as an RJ-45 connector.
Fig 4b shows a standard Cat5e Wall Outlet socket which the cables are connected to.

Page 90 / 107
Fig 4c shows a standard Cat5e Patch Panel Wall Outlet socket which is used to
terminate the cables from various points in the school bank to a central point.
Fig 4d shows a wall mounted cabinet used to house and protect patch panel cables and
connectors.

Fig 4a: Cat5e Cable and a close up of RJ-45 connector

Fig 4b: Cat5e Wall Outlets

Fig 4c: Cat5e Patch Panel

Fig4d: Wall Mounted Cabinet

10BaseT cabling is available in different grades or categories. Some grades, or "cats",

are required for Fast Ethernet networks, while others are perfectly acceptable for
standard 10Mbps networks--and less expensive, too. All new networks use a
minimum of standard unshielded twisted-pair (UTP) Category 5e 10BaseT cabling
because it offers a performance advantage over lower grades.

Network Interface Card (NIC)

A NIC (pronounced 'nick') is also known as a network card. It connects the computer
to the cabling, which in turn links all of the computers on the network together. Each
computer on a network must have a network card. Most modern network cards are
10/100 NICs and can operate at either 10Mbps or 100Mbps.
Only NICs supporting a minimum of 100Mbps should be used in new installations
schools.

Page 91 / 107
Computers with a wireless connection to a network also use a network card (see
Advice Sheet 20 for more information on wireless networking).

Fig 5: Network Interface Cards (NICs)

Hub and Switch

A hub is a device used to connect a PC to the network. The function of a hub is to
direct information around the network, facilitating communication between all
connected devices. However in new installations switches should be used instead of
hubs as they are more effective and provide better performance. A switch, which is
often termed a 'smart hub'.
Switches and hubs are technologies or ‘boxes’ to which computers, printers, and other
networking devices are connected. Switches are the more recent technology and the
accepted way of building today's networks. With switching, each connection gets
"dedicated bandwidth" and can operate at full speed. In contrast, a hub shares
bandwidth across multiple connections such that activity from one PC or server can
slow down the effective speed of other connections on the hub.

Now more affordable than ever, Dual-speed 10/100 autosensing switches are
recommended for all school networks. Schools may want to consider upgrading any
hub based networks with switches to improve network performance – ie speed of data
on the network.

Fig 6a: An 8 port Hub

Fig 6b: 2 Examples of 24 port Switches

Wireless Networks
The term 'wireless network' refers to two or more computers communicating using
standard network rules or protocols, but without the use of cabling to connect the
computers together. Instead, the computers use wireless radio signals to send

Page 92 / 107
information from one to the other. A wireless local area network (WLAN) consists of
two key components: an access point (also called a base station) and a wireless card.
Information can be transmitted between these two components as long as they are
fairly close together (up to 100 meters indoors or 350 meters outdoors).

Fig 7a: Wireless Access point or Wireless Base station

Suppliers would need to visit the schools and conduct a site survey. This will
determine the number of base stations you need and the best place(s) to locate them.
A site survey will also enable each supplier to provide you with a detailed quote. It is
important to contact a number of different suppliers as prices, equipment and opinions
may vary. When the term 'wireless network' is used today, it usually refers to a
wireless local area network or WLAN. A WLAN can be installed as the sole network
in a school or building. However, it can also be used to extend an existing wired
network to areas where wiring would be too difficult or too expensive to implement,
or to areas located away from the main network or main building. Wireless networks
can be configured to provide the same network functionality as wired networks,
ranging from simple peer-to-peer configurations to large-scale networks
accommodating hundreds of users.

Fig 7b: Desktop PC Wireless LAN card Fig 7c: Laptop PC Wireless LAN card

What are the advantages and disadvantages of a Wireless LAN?

Wireless LANs have advantages and disadvantages when compared with wired
LANs. A wireless LAN will make it simple to add or move workstations, and to
install access points to provide connectivity in areas where it is difficult to lay cable.
Temporary or semi-permanent buildings that are in range of an access point can be
wirelessly connected to a LAN to give these buildings connectivity. Where computer
labs are used in schools, the computers (laptops) could be put on a mobile cart and
wheeled from classroom to classroom, providing they are in range of access points.
Wired network points would be needed for each of the access points.

A WLAN has some specific advantages:

• It is easier to add or move workstations
• It is easier to provide connectivity in areas where it is difficult to lay cable
• Installation can be fast and easy and can eliminate the need to pull cable
through walls and ceilings

Page 93 / 107
 • Access to the network can be from anywhere in the school within range of an
access point
• Portable or semi-permanent buildings can be connected using a wireless LAN
• Where laptops are used, the ‘computer suite’ can be moved from classroom to
classroom on mobile carts
• While the initial investment required for wireless LAN hardware can be
similar to the cost of wired LAN hardware, installation expenses can be
significantly lower
• Where a school is located on more than one site (such as on two sides of a
road), it is possible with directional antennae, to avoid digging trenches under
roads to connect the sites
• In historic buildings where traditional cabling would compromise the façade, a
wireless LAN can avoid drilling holes in walls
• Long-term cost benefits can be found in dynamic environments requiring
frequent moves and changes
• They allows the possibility of individual pupil allocation of wireless devices
that move around the school with the pupil.

WLANs also have some disadvantages:

• As the number of computers using the network increases, the data transfer rate
to each computer will decrease accordingly
• As standards change, it may be necessary to replace wireless cards and/or
access points
• Lower wireless bandwidth means some applications such as video streaming
will be more effective on a wired LAN
• Security is more difficult to guarantee, and requires configuration
• Devices will only operate at a limited distance from an access point, with the
distance determined by the standard used and buildings and other obstacles
between the access point and the user
• A wired LAN is most likely to be required to provide a backbone to the
wireless LAN; a wireless LAN should be a supplement to a wired LAN and
not a complete solution
• Long-term cost benefits are harder to achieve in static environments that
require few moves and changes
• It is easier to make a wired network ‘future proof’ for high data transfer.

Wireless Network Components

There are certain parallels between the equipment used to build a WLAN and that
used in a traditional wired LAN. Both networks require network interface cards or
network adapter cards. A wireless LAN PC card, which contains an in-built antenna,
is used to connect notebook computers to a wireless network. Usually, this is inserted
into the relevant slot in the side of the notebook, but some may be internal to the
notebook. Desktop computers can also connect to a wireless network if a wireless
network card is inserted into one of its internal PCI slots.
In a wireless network, an 'access point' has a similar function to the hub in wired
networks. It broadcasts and receives signals to and from the surrounding computers

Page 94 / 107
via their adapter card. It is also the point where a wireless network can be connected
into an existing wired network.
The most obvious difference between wireless and wired networks, however, is that
the latter uses some form of cable to connect computers together. A wireless network
does not need cable to form a physical connection between computers.

Wireless Network Configurations

Wireless networks can be configured in an ad hoc/peer-to-peer arrangement or as a
local area network.

Ad Hoc/Peer-to-Peer Configuration
This is the most basic wireless network configuration. It relies on the wireless
network adapters installed in the computers that are communicating with each other.
A computer within range of the transmitting computer can connect to it. However, if a
number of computers are networked in this way, they must remain within range of
each other. Even though this configuration has no real administration overhead, it
should only be a consideration for very small installations.

Benefits and Educational Uses

The installation of cables is time consuming and expensive. The advantages of not
doing so are apparent:
the amount of work required and the time taken to complete it are significantly
reduced
the network is accessible in places where wiring would have been difficult or
impossible
with no cables linking computers together, cable-related faults and network downtime
are minimized Where a wireless network is in place, teachers or students can have
continuous access to the network, even as they move with their equipment from class
to class.
The space over which a wireless network operates is not planar but spherical.
Therefore, in a multi-level site, network access is available in rooms above or below
the access point, without the need for additional infrastructure.
In a location within a school where network access is required occasionally, desktop
computers fitted with wireless network cards can be placed on trolleys and moved
from location to location. They can also be located in areas where group work is
taking place. As they are connected to the network, documents and files can be
shared, and access to the Internet is available, enhancing group project work.
As the range of the wireless network extends outside the building, students and
teachers can use wireless devices to gather and record data outside, e.g., as part of a
science experiment or individual performance data as part of a PE class.

Technical and Purchasing Considerations

Network interface cards for wireless networks are more expensive than their wired
counterparts. The cost of the access points has also to be considered.
Wireless networks work at up top 54Mbps, whereas wired networks normally work at
100Mbps (Fast Ethernet). This data transmission rate is dependant on the number of
users, the distance from the access point and the fabric of the building (metal
structures in walls may have an impact). A wireless network will be noticeably slow
when a group of users are transferring large files. This should be considered if

Page 95 / 107
 multimedia applications are to be delivered over the network to a significant number
of users.
As the range of the network may extend beyond the walls of the building, it can be
accessed from outside. Consideration should be given to what security features the
equipment provides to ensure that only valid users have access to the network and that
data is protected.

1.2. Advantages of Networking schools

Speed.
Networks provide a very rapid method for sharing and transferring files. Without a
network, files are shared by copying them to floppy disks, then carrying or sending the
disks from one computer to another. This method of transferring files in this manner is
very time-consuming.

Cost.
The network version of most software programs are available at considerable savings
when compared to buying individually licensed copies. Besides monetary savings,
sharing a program on a network allows for easier upgrading of the program. The changes
have to be done only once, on the file server, instead of on all the individual workstations.

Centralized Software Management.

One of the greatest benefits of installing a network at a school is the fact that all of the
software can be loaded on one computer (the file server). This eliminates that need to
spend time and energy installing updates and tracking files on independent computers
throughout the building.

Resource Sharing.
Sharing resources is another area in which a network exceeds stand-alone computers.
Most schools cannot afford enough laser printers, fax machines, modems, scanners, and
CD-ROM players for each computer. However, if these or similar peripherals are added
to a network, they can be shared by many users.

Flexible Access.
School networks allow students to access their files from computers throughout the
school. Students can begin an assignment in their classroom, save part of it on a public
access area of the network, then go to the media center after school to finish their work.
Students can also work cooperatively through the network.

Security.
Files and programs on a network can be designated as "copy inhibit," so that you do not
have to worry about illegal copying of programs. Also, passwords can be established for
specific directories to restrict access to authorized users.

Main challenges of installing a School Network

Costs
Although a network will generally save money over time, the initial costs can be
substantial, and the installation may require the services of a technician.
Requires Administrative Time.

Page 96 / 107
 Proper maintenance of a network requires considerable time and expertise. Many schools
have installed a network, only to find that they did not budget for the necessary
administrative support.

File Server May Fail.

Although a file server is no more susceptible to failure than any other computer, when the
files server "goes down," the entire network may come to a halt. When this happens, the
entire school may lose access to necessary programs and files.

1.3. Networking Models: Towards a Networked School

This model shows a diagram of a networked school indicating the various types of
networking models used. These include computer rooms, networked classrooms,
networked specialist rooms for specific subjects. Mobile solutions are shown in the
Resource room, the General Purpose room and Building # 2. Note: To improve
readability only network points are shown, rather than cabling itself. Refer to Fig 8.

Page 97 / 107
 Main School Building
School Principals
Admin Office
Technology Office
Room
Staff Room
Post
Primary

Resource
Science Room Standard
Labs Classroom
Post
Primary

Standar
d
General Purpose Room Classro
Standard
oms
Classroom

Standard
Standard
Classroom
Classroom
ICT
Server &
Store
Equipment
Room
Room
Standard
Classroom Standard
Classroom

Standard
Specialist
Classroom
Room
Post
Primary

Computer room
Standard with 15-30 computers
Classroom Specialist
Room
Wireless link to Post
Building 2 Primary

Building 2
Building 3
Temporary Pre-Fab
- Wireless Network

Fig 8: Representation of a Whole School Network Model

Page 98 / 107
 Junior Infants Senior Infants 1st Class 2nd Class Resource room Principal/Office
# of computers # of computers # of computers # of computers # of computers Staffroom
# of computers

3rd Class
# of computers
File & Print Server

Access to:
Internet content &
learning resources, 4th Class
Scoilnet etc # of computers
Email communication

Cache, Proxy,
Filtering, Firewall
Server
5th Class
# of computers
School ‘Local Area
Network’ (LAN)
Modem or Router

6th Class
# of computers

Fig 9: Typical Network Model for a Primary or Special school.

Figure 9 shows a model for a Primary or Special school. This includes connectivity to all classrooms
back to a central network. The network connects to a File and Print Server. Internet access is handled
via a modem or router, while internet Filtering , Proxy and Web Caching are all handled via a dedicated
server.

standard classroom computer room Staff room Principal/Office Library

# of computers # of computers # of computers # of computers # of computers

science lab
# of computers

File & Print Server

Access to:
Internet content &
learning resources, technology lab
Scoilnet etc # of computers
Email communication

Cache/Proxy,
Filtering/Firewall resource room
Server # of computers
School ‘Local Area
Network’ (LAN)
Modem or Router
specialist room
# of computers

Fig 10: Typical Network Model for a Post Primary school.

Figure 10 shows a model for a Post Primary school. This includes connectivity to all classrooms back
to a central network. The network connects to a File and Print Server. Internet access is handled via a
modem or router, while internet Filtering , Proxy and Web Caching are all handled via a dedicated
server.

Page 99 / 107
 File & Print Server

Printer

Multimedia or
CD Server Scanner

Access to:
Internet content &
learning resources,
Scoilnet etc
Email communication
Cache/Proxy,
Filtering/Firewall Main Servers &
Server
Internet Access

Modem or Router

Network

Fig 11: Server Functionality Model

Server Functionality
The network connects to a File and Print Server, Fig 11. The File server stores common
files, The Print Server manages the different requests for printing. A Multimedia or CD
server is used to store and distribute Multimedia - Sound, Video, Text , applications etc
. Internet access is handled via a modem or router, while internet Filtering , Proxy and
Web Caching are all handled via a dedicated server.

Example network configurations:

Models for Networking

First let’s review some simple models where no networking exits and computers are
used in standalone or ad-hoc mode. The following represent some simple models
representing classrooms.

Model 1a: One computer in a classroom with its own private printer. It is
recommended that schools with computers in this situation would network the
classrooms in question as shown. Networking will more effectively make use of
commonly shared resources such as file servers and school printers, internet , email
etc. When a mobile PC or PC with projector is require in a room the network points
are already present.
In this scenario, there could be a single LAN-connected point for the teacher and an
additional LAN connection to allow for a portable switch. Refer to diagram 12a
Model 1a

Page 100 / 107

 Fig 12a: From single PC to networked LAN Points

Model 1b: This scenario is similar to Model 1a, but where other equipment such as printers, scanners
are used in ad-hoc and inefficient configuration. It is recommended that schools with computers in this
situation would network the classrooms in question . Networking will more effectively make use of
commonly shared resources such as scanners, printers, internet , email etc. In this scenario there may be
a single LAN-connected point for the teacher and a limited number of LAN connection points
throughout the room to allow students access to the school LAN. The connection points may be
situated as required around the room depending upon class learning requirements and the availability of
existing power outlets. Refer to diagram 12b

Model 1b:

Fig 12b: Networking other commonly used equipment

Networked Computer Room

Model 1c: A non networked computer room or resource area with an ad-hoc and inefficient use of
printers, scanners etc. Networking computer rooms is essential so that all PCs can access printers, the
internet, email etc. This scenario represents a school computing room which can be timetabled for
classes, and with each computer networked to the LAN. There may be a single LAN-connected
presentation point for the teacher and LAN-connected computers throughout the classroom.
Traditionally, ICT in Irish secondary schools has been concentrated in dedicated computer rooms.
Primary schools have more varied deployment. From an administrative point of view, this setup is
attractive. An entire class can be timetabled, avoiding problems of extra teachers for split classes. Refer
to diagram 12c

Model 1c:

Page 101 / 107

 Fig 12c: Networked computer lab.

Media Bays (Ref Fig 13a)

Media bays, or data suites are clusters of perhaps four desktop computers, a scanner and a printer.
Though self-sufficient in terms of peripherals, they would be connected to the main school network and
have Internet access. This is one reason why they would be best sited in public areas around the school.
These suites would be used by students in small groups or individually and could accommodate task-
oriented activities and self-directed learning.
Advantages are easy access to staff and students alike, Utilise areas of school without losing
classrooms
Public supervision
Disadvantages are Open access means security issues must be addressed .

Fig 13a: Movable or mobile Media Bays

Laptop and data-projector (Ref Fig 13b)

A combination of laptop and data-projector is a highly effective teaching model where a teacher wants
to provide the whole class with visual or multimedia content . It can be used in conjunction with an
existing LAN point in the room for best effect.

Fig 13b: Movable or mobile Laptop PC with Digital Projector

Page 102 / 107

 Wireless LAN (Ref Fig 13c)
This scenario has the capability to connect multiple computers to the school LAN without providing
direct LAN connections. No LAN cabling is required for the classroom; instead all computers are
radio linked to the LAN. Wireless LAN technology is relatively new and generally more expensive
and more limited than cabled LANs. There is the potential, however, to save on extensive cabling
work with this option.

Wireless connections allow a region to be connected to a network by radiowaves, which link a wireless
card in the computer to a wireless access point. One should remember that the access point itself must
be connected by cable to the main network.

Advantages

• Flexibility of machines - usually laptops - linked even if students break into small workgroups
in different parts of room.
• Wireless networking means that large common areas such as canteens or libraries can be
easily connected to the network.
• Less unplugging of cables into sockets reduces wear and tear

Disadvantages

• Wireless networking may prove much more expensive if wiring large numbers of machines
close together.
• Wireless hubs data rates (typically 11Mbps) are considerably less at present than their cable
equivalent. Thus is unsuitable for high data volumes such as multimedia access by large
numbers of machines.
• Manufacturers stated ranges of 100 - 300 metres is wildly optimistic. Ranges of less than 18
metres are not uncommon, Data rates drop off as distance increases.

While it is unlikely that wireless will replace data cables in the near future they do provide a
flexibility that can be harnessed creatively.

Fig 13c: Wireless LAN (WLAN)

2.1. Some Relevant Terms

MDF Main Distribution Frame
IDF Intermediate Distribution Frame
Broadband Refers to a higher speed always on internet connection

Page 103 / 107

Narrowband Refers to speeds of up to 128kbps
Dial up Refers to having to dial up the internet every time one goes online.
Always On Refers to the nature of broadband, being ‘always on’ means a dial up
is not required.
Download speed The speed at which data is delivered to a school modem from
the internet
Upload speed The speed at which data is sent to the internet from a school modem.

ISP Internet Service Provider

ISDN Integrated Services Digital Network (64kbps single channel or
128kbps dual channel)
PSTN Public Switched Telephone Network (refers to an ordinary telephone
line)
ADSL Asymmetric Digital Subscriber Loop
Mbps Megabits per second (1,000,000 bits per second)
Kbps Kilobits per second (1,000 bits per second)
Ethernet Ethernet is a standard for transferring data over networks.
USB Universal Serial Bus
Modem A simple device used to access the internet
Router A more technically advanced device used to access the internet

APPLICATIONS

There is a long list of application areas, which can be benefited by establishing

Computer Networks. Few of the potential applications of Computer Networks are:
1. Information retrieval systems which search for books, technical reports, papers
and articles on particular topics
2. News access machines, which can search past news, stories or abstracts with
given search criteria.
3. Airline reservation, hotel booking, railway-reservation, car-rental, etc.
4. A writer's aid: a dictionary, thesaurus, phrase generator, indexed dictionary of
quotations, and encyclopedia.
5. Stock market information systems which allow searches for stocks that meet
certain criteria, performance comparisons, moving averages, and various
forecasting techniques.
6. Electronic Financial Transactions (EFT) between banks and via cheque
clearing house.
7. Games of the type that grow or change with various enthusiasts adding to the
complexity or diversity.
8. Electronic Mail Messages Systems (EMMS).

Page 104 / 107

9. Corporate information systems such as marketing information system,
customer information system, product information system, personnel
information system, etc.
10. Corporate systems of different systems such as Order-Entry System,
Centralized Purchasing, Distributed Inventory Control, etc.
11. On-line systems for Investment Advice and Management, Tax Minimization,
etc.
12. Resources of interest to a home user.
13. Sports results.
14. Theatre, movies, and community events information.
15. Shopping information, prices, and advertisements.
16. Restaurants; good food guide.
17. Household magazine, recipes, book reviews, film reviews.
18. Holidays, hotels, travel booking.
19. Radio and TV programmes.
20. Medical assistance service.
21. Insurance information.
22. Computer Assisted Instruction (CAI).
23. School homework, quizzes, tests.
24. Message sending service.
25. Directories.
26. Consumer reports.
27. Employment directories and Job opportunities.
28. Tax information and Tax assistance.
29. Journey planning assistance viz. Train, bus, plane etc.
30. Catalogue of Open University and Virtual University courses.

Page 105 / 107

References:

McQuade, S. (2006) Understanding and Managing Cyber crime, Boston: Allyn & Bacon

Cyber Forensic Group: http://www.cyberforensicsgroup.com/services.html

Electronic Crime Scene Investigation Guide: A Guide for First Responders, National Institute of
Justice, 2001. http://www.ncjrs.gov/pdffiles1/nij/187736.pdf

Locard: http://en.wikipedia.org/wiki/Locard's_exchange_principle

EnCase Forensic: http://www.guidancesoftware.com

Casey, E., & Seglem, K., Introduction, in E. Casey (Ed), Handbook of Computer

Crime Investigation: Forensic Tools and Technology, San Diego, CA: Academic
Press, 2002

Shoeb Hakim, http://cyberforensicsindia.blogspot.com

Patterson, K., Corpus Christi Police Department Computer Crimes Unit, personal interview, February
20, 2004

Computer Evidence Ltd, http://www.computer-evidence.com/products/fws.asp

CDAC Trivandrum, http://www.cyberforensics.in/

John F. “Computer Forensics- a critical need in Computer Science programmes” A&M University,
Texas

McQuade, S. (2006) Understanding and Managing Cyber crime, Boston: Allyn & Bacon

Wall, D.S. (2007) Cybercrime: The transformation of crime in the information age, Cambridge: Polity

Jussi Parikka (2007) Digital Contagions, A Media Archaeology of Computer Viruses, Peter Lang: New
York. Digital Formations-series

Dave Dittrich, Network monitoring/Intrusion Detection Systems (IDS), University of Washington

Bassham, Lawrence E. and W. Timothy Polk, Threat Assessment of Malicious Code and Human
Threats, NIST Computer Security Division 1994

National Institute of Standards and Technology; Technology Administration; U.S. Department of

Commerce., an Introduction to Computer Security: The NIST Handbook

Bruce Schneier: Secrets & Lies: Digital Security in a Networked World, ISBN 0-471-25311-1

Tipton, Harold F. and Krause, Micki Editors; Auerbach "Information Security Management
Handbook", 4th Edition, Volume 1 1999

Tipton, Harold F. and Krause, Micki Editors; Auerbach "Information Security Management
Handbook", 4th Edition, Volume 2 2000

McQuade, S., Understanding and Managing Cyber crime, Boston: Allyn & Bacon, 2006

Stephenson, P., Investigating Computer-RelatedCrime. CRC Press, 2001

Casey, E., & Seglem, K., Introduction, in E. Casey (Ed), Handbook of Computer
Crime Investigation: Forensic Tools and Technology, San Diego, CA: Academic
Press, 2002

Page 106 / 107

Blankenhorn, C. A., Huebner, E., & Cook, M. Forensic investigation of data in live high volume
environments Retrieved October 2, 2006

Bogen, A. C., & Dampier, D. A., Knowledge discovery and experience modeling in computer forensics
media analysis, 2004

Carrier, B., & Spafford, E. H. Getting physical with the digital investigation process. International
Journal of Digital Evidence, 2003

Carrier, B. D. Risks of live digital forensic analysis. Communications of the ACM, 2006

Kling, R. Computer Abuse and Computer Crime as Organizational Activities. Special Interest Group
Computers and Society, 1981

Manzano, Y., & Yasinsac. Policies to Enhance Computer and Network Forensics, 2000

Armstrong, Illena. "Computer Forensics." SC Magazine April 2000.

URL: http://www.scmagazine.com/scmagazine/2000_04/cover/cover.html

Sommer, Peter. "Computer Forensics: An Introduction." 1997.

URL: http://www.virtualcity.co.uk/vcaforens.htm#history

Holley, James O. "Computer Forensics in the new Millennium." September 1999.

URL: http://www.scmagazine.com/scmagazine/1999_09/survey/survey.html

The International Association of Computer Investigative Specialists "Forensic Procedures" 2000

URL: http://cops.org/forensic_examination_procedures.htm

Robbins, Judd. "The Devils Advocate: Computer Forensics Can Support Both Sides of Computer
Litigation."
URL: http://www.expertnetwork.com/computer_expert.htm

Cyber Forensic Group: http://www.cyberforensicsgroup.com/services.html

Electronic Crime Scene Investigation Guide: A Guide for First Responders, National Institute of
Justice, 2001. http://www.ncjrs.gov/pdffiles1/nij/187736.pdf

Asian School of Cyber Laws, http://www.asianlaws.org

Cyber Crime Investigation Cell, Crime Branch, CID, Mumbai,

http://www.cybercellmumbai.com/news/warning-cyber-space-is-safe-to-use-unsafe-to-misuse

Standard Operating Procedures, Pueblo High-Tech Crimes Unit, Investigative and Technical Protocols,
"EnCase Forensic Imaging and Evidence Acquisition" 2 June 2000; Cmdr. Dave Pettinari, Pueblo
County Sheriff's Office

And other

Page 107 / 107