Cyber Security and Digital Forensics

The CIA Triad is a fundamental model used in information security to guide policies for data protection within an organization. It consists of three main components: Confidentiality, Integrity, and Availability.

1. Confidentiality

Confidentiality ensures that sensitive information is accessed only by authorized individuals and kept away from those who are not authorized. It prevents the disclosure of information to unauthorized parties.

• Methods: Encryption (AES, RSA), Access Control Lists (ACLs), Two-factor authentication (2FA).
• Example: A bank employee only seeing the financial records they are permitted to see.

2. Integrity

Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be taken to ensure it cannot be altered by unauthorized people.

• Methods: Digital Signatures, Checksums, Hashing (SHA-256), Version Control.
• Example: Ensuring that an email sent by a sender is exactly what the receiver sees.

3. Availability

Availability ensures that information and resources are accessible to authorized users when needed. This involves maintaining hardware, performing technical upgrades, and ensuring network connectivity.

• Methods: Redundancy, Failover systems, DDoS protection, Regular Backups.
• Example: Ensuring a website stays online during a spike in traffic.

Cybersecurity is not a single layer but a multi-layered defense strategy known as Defense in Depth. The seven layers of cybersecurity are:

1. Physical Security: Protecting the physical infrastructure like data centers, servers, and cables using locks, cameras, and guards.
2. Human Layer: Protecting against social engineering, phishing, and human errors through training and awareness programs.
3. Perimeter Security: The first line of digital defense, including firewalls and Intrusion Prevention Systems (IPS) that control traffic entering the network.
4. Network Security: Securing the internal network through segmentation, encryption of data in transit, and monitoring.
5. Endpoint Security: Securing individual devices like laptops, mobile phones, and workstations using antivirus and EDR (Endpoint Detection and Response).
6. Application Security: Ensuring that the software used is free from vulnerabilities through secure coding practices and WAF (Web Application Firewalls).
7. Mission Critical Assets (Data): The innermost layer focusing on the data itself, using encryption at rest and database security.

• Cryptography: The practice and study of techniques for secure communication in the presence of third parties. It involves converting plain text into scrambled text (ciphertext) and vice versa.
• Attack: An intentional action taken by an unauthorized party to exploit a vulnerability, cause damage, or gain unauthorized access to a system or data.
• Vulnerability: A weakness or flaw in a system's design, implementation, or operation that could be exploited by a threat to perform an unauthorized action.
• Threat: A potential danger that could exploit a vulnerability. It represents the "who" or "what" that could cause harm (e.g., a hacker, malware, or natural disaster).

Cryptography is primarily categorized into three types based on the keys used:

1. Symmetric Key Cryptography

Uses a single common key for both encryption and decryption. Both sender and receiver must have the same secret key.

• Algorithms: AES (Advanced Encryption Standard), DES, 3DES.
• Pros: Very fast and efficient for large volumes of data.
• Cons: Key distribution is a major challenge.

2. Asymmetric Key Cryptography (Public Key)

Uses a pair of keys: a Public Key (accessible to everyone) and a Private Key (kept secret by the owner). Data encrypted with the public key can only be decrypted by the private key.

• Algorithms: RSA, Elliptic Curve Cryptography (ECC), Diffie-Hellman.
• Pros: Solves the key distribution problem.
• Cons: Computationally slow compared to symmetric encryption.

3. Hashing Functions

Hashing is a one-way process that transforms data into a fixed-length string of characters (the hash). It is used for integrity, not confidentiality, as it cannot be reversed.

• Algorithms: MD5 (now insecure), SHA-1, SHA-256 (modern standard).
• Use: Storing passwords, verifying file downloads.

Feature	Threat	Attack
Definition	A potential danger that may harm an asset.	An active attempt to exploit a vulnerability.
Nature	Theoretical or potential until it happens.	Practical and intentional action.
Example	Malware, a hacker group, a hurricane.	Injecting SQL code into a form.
Focus	Focuses on "What could happen".	Focuses on "What is happening".

A Proxy Server acts as an intermediary between a client and the internet, masking the user's IP and providing security.

Types of Proxy Servers:

• Forward Proxy: Sits in front of clients and handles requests to external servers. Used for content filtering in schools/offices.
• Reverse Proxy: Sits in front of web servers and directs client requests. Used for load balancing and caching.
• Transparent Proxy: Intercepts requests without the user knowing. Used for caching and monitoring.
• Anonymous Proxy: Hides the original IP address but identifies itself as a proxy.
• Elite Proxy (High Anonymity): Hides the original IP and does not reveal itself as a proxy.

Need for Private Proxy:

• Exclusive Access: Only one user has access to the IP, reducing the risk of being blacklisted.
• Higher Speed: Shared proxies are often slow; private ones offer dedicated bandwidth.
• Security: Reduces the risk of "Man-in-the-Middle" attacks common in public proxies.
• Geo-unblocking: More reliable for accessing content restricted to specific regions.

AAA is a framework for intelligently controlling access to computer resources and enforcing policies.

• Authentication: Verifying "who you are". This is the process of validating a user's identity (e.g., via password, biometric).
• Authorization: Determining "what you can do". Once authenticated, this defines the permissions and resources the user can access.
• Accounting: Recording "what you did". It tracks resources consumed and actions taken for auditing and billing purposes.

Passive Attacks:

In these attacks, the attacker monitors the communication without altering the data. The goal is to obtain information.

• Release of Message Contents: Reading an email or sensitive data being sent over the network.
• Traffic Analysis: Observing the patterns, frequency, and length of communication to deduce the nature of the conversation.

Active Attacks:

In these attacks, the attacker actively modifies the data or generates false messages.

• Masquerade: An attacker pretends to be a different entity (e.g., IP spoofing).
• Replay: Capturing a valid authentication message and re-sending it later to gain access.
• Modification of Messages: Altering the content of a message while it's in transit.
• Denial of Service (DoS): Disrupting some service so that users cannot access it.

• Countermeasures: An action, process, or device that neutralizes or reduces a security risk or vulnerability. Examples include using strong passwords, updating software, and using encryption.
• Firewall: A network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. It acts as a barrier between a trusted internal network and untrusted external networks (like the internet).

• Virus: Malicious code that attaches itself to a clean program and spreads by reproducing itself when the host program is executed. It requires human action to spread.
• Worm: A self-replicating program that spreads over network connections without needing to attach to a host file or any human intervention.
• Trojan Horse: A program that appears useful or legitimate but hides malicious logic inside (e.g., a fake game that steals passwords). It does not replicate.
• Ransomware: A type of malware that encrypts a victim's files. The attacker then demands a ransom (usually in Bitcoin) from the victim to restore access to the data upon payment.

Security can be implemented at multiple layers of the OSI model:

Layer	Security Examples
Application (L7)	WAF, Email Encryption (PGP), HTTPS.
Presentation (L6)	SSL/TLS (Negotiation of encryption).
Session (L5)	Authentication, Session Management.
Transport (L4)	TLS, SSL, Port Filtering.
Network (L3)	IPSec, Routing Security, Packet Filtering.
Data Link (L2)	MAC Filtering, VLAN Security, Port Security.
Physical (L1)	Physical access control, Cable shielding.

Feature	HTTP	HTTPS
Protocol	Hypertext Transfer Protocol	Hypertext Transfer Protocol Secure
Security	Data sent in plain text (No encryption).	Data is encrypted using SSL/TLS.
Port	Port 80	Port 443
Certificates	Not required.	Requires SSL certificates.
Trust	Browsers mark it as 'Not Secure'.	Browsers display a padlock icon.

Malware can be categorized based on how it spreads and what it does:

• Propagation Mechanisms:
  • Infection (Viruses)
  • Self-replication (Worms, Bots)
  • Social Engineering (Trojans, Spammers)
• Payload Actions:
  • Information Theft (Spyware, Keyloggers)
  • Extortion (Ransomware)
  • Sabotage (Logic Bombs, Wipers)
  • Resource Theft (Botnets, Cryptojacking)

OT controls physical processes (PLCs, SCADA systems). Attacks on OT can have physical consequences.

• ICS/SCADA Manipulation: Sending false commands to machines to cause physical damage (e.g., Stuxnet).
• Protocol Attacks: Exploiting vulnerable industrial protocols like Modbus or DNP3 which often lack encryption.
• Human-Machine Interface (HMI) Hijacking: Taking over the operator's screen to hide what's happening.
• Spear Phishing: Targeting plant engineers to gain a foothold in the corporate network and then jump to the OT network.

IoT devices often have weak security, making them easy targets.

• Botnet Recruitment: Turning thousands of IoT devices into soldiers for a DDoS attack (e.g., Mirai Botnet).
• Default Password Exploitation: Many IoT devices ship with 'admin/admin'.
• Eavesdropping: Hiding inside a smart camera or microphone to spy on the surroundings.
• Man-in-the-Middle (MitM): Intercepting data between a smart device and its smartphone app.

Cyber Crime: Any criminal activity that involves a computer, or a networked device. The computer may have been used in the commission of a crime, or it may be the primary target.

Needs of Cyber Law:

• Legality of Documents: To provide legal recognition to electronic records and digital signatures.
• Prosecution: To define specific punishments for digital crimes that didn't exist in traditional laws (e.g., hacking, data theft).
• Privacy Protection: To enforce data protection regulations on companies and individuals.
• Jurisdiction: To handle the boundaryless nature of internet crimes where the criminal and victim are in different countries.

Common cyber-attacks include: Phishing, DoS/DDoS, SQL Injection, Cross-Site Scripting (XSS), Man-in-the-Middle, Malware, etc.

1. Phishing: Sending fraudulent emails that appear to come from a reputable source to steal user data or login credentials.
   Ex: An email looking like it's from PayPal asking you to "reset your password".
2. DoS (Denial of Service): Overwhelming a server with traffic until it crashes or becomes unavailable to users.
   Ex: Flooding a small business website with millions of requests.
3. SQL Injection: Inserting malicious SQL queries into an input field to manipulate a database.
   Ex: Entering ' OR 1=1 -- in a login username field.
4. Ransomware: Locking a user out of their own files and demanding money for the key.
   Ex: The WannaCry attack that affected hospitals worldwide.
5. Man-in-the-Middle (MitM): An attacker intercepts the communication between two parties to eavesdrop or modify data.
   Ex: Using public Wi-Fi to sniff a user's banking credentials.

• Strong Authentication: Using multi-factor authentication (MFA) across all platforms.
• Encryption: Encrypting sensitive data at rest (disk encryption) and in motion (SSL/TLS).
• Patch Management: Regularly updating operating systems and software to fix known vulnerabilities.
• Employee Training: Educating users on how to spot phishing and social engineering attempts.
• Backup Strategy: Maintaining regular, offline backups to recover from Ransomware or hardware failure.
• Network Segmentation: Dividing the network into smaller parts to prevent an attacker from moving laterally.

Hacking: The act of identifying and exploiting vulnerabilities in a computer system or network to gain unauthorized access or cause disruption.

Types of Hackers:

• White Hat: Ethical hackers who hack for defensive purposes with permission. They help organizations find and fix flaws.
• Black Hat: Malicious hackers who violate computer security for personal gain or to cause harm.
• Grey Hat: Hackers who might violate laws or ethical standards but do not have the malicious intent of a black hat. They often hack first then report the flaw.
• Script Kiddies: Non-skilled programmers who use existing tools and scripts created by others to launch attacks.
• Hacktivists: Hackers who hack for political or social causes.

1. Reconnaissance (Footprinting): Gathering information about the target.
   Ex: Using whois or Google Dorking to find public information about a company.
2. Scanning: Identifying open ports, services, and vulnerabilities.
   Ex: Running `nmap` to find which services are running on a server.
3. Gaining Access: Exploiting a vulnerability to enter the system.
   Ex: Using Metasploit to exploit a buffer overflow flaw in a web application.
4. Maintaining Access: Ensuring the hacker can return even if the original exploit is fixed.
   Ex: Installing a Backdoor or a rootkit.
5. Clearing Tracks: Deleting logs and evidence of the intrusion to avoid detection.
   Ex: Deleting /var/log/auth.log or modifying event viewer entries.

1. Download the Kali Linux ISO from the official kali.org website.
2. Open VMware Workstation and select "Create a New Virtual Machine".
3. Choose "Installer disc image file (iso)" and browse to the Kali ISO.
4. Select Guest OS as "Linux" and Version as "Debian 64-bit".
5. Assign Disk Space (min 20GB) and RAM (min 2GB).
6. Power on the VM and select "Graphical Install".
7. Follow prompts for Language, Keyboard, and Network settings.
8. Create a user account and password.
9. In partitioning, select "Guided - use entire disk".
10. Select software components (keep defaults) and wait for installation to finish.
11. Install GRUB boot loader to the primary drive.
12. Reboot and log in.

Kali Linux provides a suite of tools for vulnerability assessment:

• Scanning (Nmap):

  nmap -sV -A 192.168.1.10

  This identifies the OS, services, and versions running on the target.
• Vulnerability Scanning (Nikto):

  nikto -h http://example.com

  Scans web servers for dangerous files and outdated software.
• Password Cracking (John the Ripper):

  john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

  Cracks encrypted password hashes using a dictionary attack.
• Brute Force (Hydra):

  hydra -l admin -P passlist.txt ssh://192.168.1.5

  Attempts to guess passwords for various protocols like SSH, FTP, or HTTP.

Digital Forensics: The process of identifying, preserving, analyzing, and presenting digital evidence from electronic devices in a way that is legally admissible in a court of law.

Need for Digital Forensics:

• Evidence Recovery: Recovering deleted files or emails from a suspects computer.
• Incident Response: Determining how a hacker entered a system and what they took.
• Intellectual Property Theft: Proving that an employee stole company secrets.
• Legal Compliance: Ensuring evidence is handled in a way that is valid in court.

Locard's Exchange Principle states that "Every contact leaves a trace." In the physical world, this might be hair or fingerprints. In the digital world:

• When an attacker enters a system, they leave fingerprints (logs, registry changes, modified timestamps).
• When a user visits a website, a trace is left (browser history, cookies, cache).
• The job of the forensic investigator is to find these digital traces.

• Computer Forensics: Investigation of data on laptops, desktops, and servers.
• Mobile Forensics: Recovery of data from smartphones, tablets, and wearable devices.
• Network Forensics: Monitoring and analysis of network traffic to gather evidence of intrusion.
• Memory Forensics: Analysis of volatile data in a computer's RAM.
• Cloud Forensics: Investigating data stored in cloud services like AWS, Google Drive, or Azure.

The standard process follows these five phases:

1. Identification: Determining what devices and data are involved in the case.
2. Preservation: Ensuring the evidence is not changed. Use of write-blockers and bit-stream imaging is critical here.
3. Collection: Securely gathering the physical devices and digital images.
4. Analysis: Examining the data to find evidence. This involves searching for hidden files, recovering deleted data, etc.
5. Reporting: Documenting the findings in a clear, technical report for legal use.

Methods of Preservation:

• Write Blockers: Hardware devices that prevent any write operation to the source drive.
• Imaging (Cloning): Creating a bit-by-bit copy of the entire drive. Never work on the original evidence.
• Hashing: Generating MD5 or SHA-256 hashes of the drive before and after imaging to prove no data was changed.

Critical Steps in Preserving:

1. Secure the physical area.
2. Document the scene (take photos of cables, monitor state).
3. Maintain the Chain of Custody (log everyone who touched the evidence).
4. Store evidence in anti-static bags in a climate-controlled room.

For evidence to be admissible in court, it must follow specific standards:

• Authentic: It must be shown that the evidence is tied to the case.
• Complete: It must tell the whole story, including evidence that might favor the suspect.
• Reliable: The tools used must be industry-standard and validated.
• Believable: The investigator must be able to explain the findings clearly to a judge/jury.