Movatterモバイル変換

Digital ForensicsEr.Anal Prasanna Salshingikar,FacultySchool of Management StudiesNational Forensics Science University, Gandhinagaranal.salshingikar@nfsu.ac.in8989028109

Er. Anal Prasanna Salshingikar –PhD (Perusing)(8+ Years of Experience in the field of Cyber & Technology)Faculty at NFSU Gandhinagar – School of Management➢ Diploma in Computer Engineering➢ B.E in Computers with specialization in Digital forensics &Cyber security➢ MBA in Cyber Security Management from National forensicsScience University➢ Diploma in Cyber Law from Mumbai University➢ Ex - Cyber Consultant in Maharashtra Cyber (Nodal office)About Me

UNIT-I: IntroductionIntroduction to Digital ForensicsWhat are Digital DevicesSteps of Digital ForensicsLocard’s Principle of ExchangeChain of CustodyAcquisitionStorage Device Imaging using Hardware and SoftwareImportance of Integrity and Documentation

Introduction• Forensic science is a scientific method ofgathering and examining information about thepast which is then used in a court of law.• Digital Forensics is the use of scientificallyderived and proven methods for the preservation,collection, validation, identification, analysis,interpretation, documentation, and presentation ofdigital evidence derived from digital devices.

Branches of Digital Forensics• Computer Forensics• Mobile Device Forensics• Network Forensics• Live Forensics• Database Forensics• Vehicle Forensics• Drone Forensics

Digital Forensics Process• Collection• Examination• Analysis• Reporting--or--• Seizure• Acquisition• Analysis• Reporting

Digital Forensic Investigation CycleStage 1 – Preservation & CollectionStage 2 –Processing& AnalysisStage 3 – Production

Example Investigation Process?

Locard's Exchange Principle'Locard's Exchange Principle' in forensic science holds that the perpetrator of a crimewill bring something to the crime scene and will leave with something from it•Anyone, or anything, entering a crime scene• takes something of the scene with them• leaves something of themselves behind when they leave.•For example, in a homicide case,• the offender attempts to misdirect investigators by creating a suicide note onthe victim's computer• and leaves his fingerprints on the keyboard...

Chain of Custody▪ Chain of custody refers to the chronological and documented record of the custody,control, transfer, analysis, and disposition of physical or digital evidence in a legalcase or investigation.▪ It is a critical component of the legal and criminal justice systems, ensuring theintegrity and admissibility of evidence in court.▪ The chain of custody is crucial because it ensures that evidence is admissible in courtand that its reliability and authenticity can be established.▪ If there are gaps or inconsistencies in the chain of custody, it can undermine thecredibility of the evidence, potentially leading to its exclusion from legal proceedings▪ In addition to its importance in criminal cases, the chain of custody concept is alsorelevant in civil cases, regulatory investigations, and other situations where theintegrity of evidence is a concern.

Chain of CustodyKey aspects of the chain of custody process include:▪ Collection: This is the initial step, where evidence is gathered from a crime scene orfrom individuals. Proper procedures must be followed to ensure that evidence is notcontaminated, altered, or tampered with during collection.▪ Documentation: Each piece of evidence should be thoroughly documented. Thisincludes noting the date, time, location, and individuals involved in its collection.A unique identifier or evidence tag is often assigned to each item to track it throughoutthe process.▪ Packaging and Sealing: Evidence is carefully packaged to prevent contamination ordamage.It is typically placed in sealed containers or evidence bags, and these containers aresigned, sealed, or labeled to indicate that they have not been tampered with.

Chain of CustodyTransfer: When evidence is moved from one location to another (e.g., from the crimescene to the police station or to a forensic laboratory), a record of this transfer ismaintained. This often involves a chain of custody form or log that is signed by eachperson who handles the evidence.Storage: Evidence must be securely stored to prevent unauthorized access or tampering.Proper storage conditions are maintained to preserve the integrity of the evidence.Analysis: If the evidence requires analysis (e.g., by a forensic expert), the chain ofcustody continues to be documented throughout this process. Any changes orexaminations of the evidence are recorded.Court Presentation: When the case goes to court, the chain of custody documentationis presented to establish that the evidence being introduced is the same as what wasoriginally collected and that it has been handled in a way that maintains its integrity.

Chain of CustodyIt is the duty of the police officials to maintain an unbroken chain of custody for thesuccessful trial of a case. The duty of the police officers commences from:✓ Collecting the evidence from the crime scene.✓ Keeping the evidence collected safe in sealed bags with unique identificationnumbers.✓ Examining the evidence collected.✓ Be responsible if the evidence is transferred to another specialist for examination oranalysis.✓ Handle all the transfers of the evidence taking place.✓ Maintaining the record of every procedure which the evidence is handled through.✓ Presenting the evidence with all authenticated records before the court.

Acquisition:storage device imaging using hardware and software

Data acquisition methods for operating systemforensicsData Acquisition methods for Operating System forensics that can be performed on bothStatic Acquisition and Live Acquisition. These methods are:Disk-to-image file: A forensic examiner can make a one or more than one copy of adrive under the operating system in question. The tools used for these methods areiLookIX, X-Ways, FTK, EnCase, or ProDiscover.Disk-to-disk copy: This works best when the disk-to-image method is not possible.Tools for this approach include SnapCopy, EnCase, or SafeBack.Disk-to-data file: This method creates a disk-to-data or disk-to-disk file.The Sparse copy of a file: This is a preferable method if time is limited and the disk hasa large volume of data storage.

Importance of integrity and documentationWhat is data integrity?Data integrity is the assurance that digital information is uncorrupted and can only be accessed ormodified by those authorized to do so.Data integrity describes data that's kept complete, accurate, consistent and safe throughout its entirelifecycle in the following ways:•Complete. Data is maintained in its full form and no data elements are filtered, truncated or lost. Forexample, if 100 tests are performed, complete data reflects the results of all 100 tests. Tests that failed oryielded undesirable results aren't omitted from data requests.•Accurate. Data isn't altered or aggregated in any way that affects data analytics. For example, test resultsaren't rounded up or down, and any test criteria or conditions are well-documented and understood.Repeating tests should return the same results.•Consistent. Data remains unchanged regardless of how, or how often, it's accessed and no matter howlong it's stored. For example, data accessed a year from now will be the same data that's generated oraccessed today.•Safe. Data is maintained in a secure manner and can only be accessed and used by authorizedapplications or individuals. Further, safe data can't readily be exploited by malicious actors. Datasecurity involves considerations such as authentication, authorization, encryption, backup or other dataprotection, and access logging.

Importance of integrity and documentationThis manifests itself in three major ways:Business analytics. A traditional axiom of early computing was garbage in/garbage out. This iscertainly true of modern business analytics for business decision-making and product development. Thismakes data integrity critical to analytical results, as missing or inaccurate data might result in poorbusiness decisions or product behaviors.Customer interactions. Businesses collect and use an enormous amount of customer data, includingsensitive or personally identifiable data. Data integrity ensures that customers are treated correctly, suchas receiving proper account crediting and reporting. Data security must keep that sensitive data safefrom loss of theft.Compliance. Businesses are typically obligated to retain data for a period of time to ensure thatbusiness processes are followed in accordance with prevailing industry standards and governmentregulations. Data integrity is vital for complete, accurate and consistent reporting for all compliancepurposes; otherwise, the business may be out of compliance and subject to fines and other legalremedies.

UNIT-II: Computer & Cyber TerminologiesUnderstanding Windows,Linux;Macintosh operating systems,Understanding mobile operating systems such as android, iOS, etc.,Digital Signatures and Certificates,Computer and Internet Frauds, phishing, hacking and cracking, network sniffing

Introduction – Key terms of CS• Unauthorized access − An unauthorized access is when someone gains access to a server,website, or other sensitive data using someone else's account details.• Hacker − Is a Person who tries and exploits a computer system for a reason which can bemoney, a social cause, fun etc.• Threat − Is an action or event that might compromise the security.• Vulnerability − It is a weakness, a design problem or implementation error in a system that canlead to an unexpected and undesirable event regarding security system.• Attack − Is an assault on the system security that is delivered by a person or a machine to asystem. It violates security.• Antivirus or Antimalware − Is a software that operates on different OS which is used to preventfrom malicious software.• Social Engineering − Is a technique that a hacker uses to stole data by a person for different forpurposes by psychological manipulation combined with social scenes.• Virus − It is a malicious software that installs on your computer without your consent for a badpurpose.• Firewall − It is a software or hardware which is used to filter network traffic based on rules.

Forensics of Operating SystemDefinition: Operating System Forensics is the process of retrieving useful informationfrom the Operating System (OS) of the computer or mobile device in question.The aim of collecting this information is to acquire empirical evidence against theperpetrator.Overview: The understanding of an OS and its file system is necessary to recover datafor computer investigations.The file system provides an operating system with a roadmap to data on the hard disk.

Operating System – WindowsWindows is a widely used OS designed by Microsoft.The file systems used by Windows include FAT, exFAT, NTFS, and ReFS.can search out evidence by analyzing the following important locations of theWindows:Recycle Bin: This holds files that have been discarded by the user. When a user deletesfiles, a copy of them is stored in recycle bin. This process is called “Soft Deletion.”Recovering files from recycle bin can be a good source of evidence.Registry: Windows Registry holds a database of values and keys that give useful piecesof information to forensic analysts.For example, see the table below that provides registry keys and associated files thatencompasses user activities on the system.

Operating System – WindowsThumbs.db Files: These have images’ thumbnails that can provide relevantinformation.Browser History: Every Web Browser generates history files that contain significantinformation. Microsoft Windows Explorer is the default web browser for Windows OSs.However, some other supported browsers are Opera, Mozilla Firefox, Google Chrome,and Apple Safari.Print Spooling: This process occurs when a computer prints files in a Windowsenvironment.When a user sends a print command from a computer to the printer, the print spoolingprocess creates a “print job” to some files that remain in the queue unless the printoperation is completed successfully

Operating System – LinuxLinux is an open source, Unix-like, and elegantly designed operating system that iscompatible with personal computers, supercomputers, servers, mobile devices,netbooks, and laptops. Unlike other OSs, Linux holds many file systems of the extfamily, including ext2, ext3, and ext4. Linux can provide an empirical evidence if theLinux-embedded machine is recovered from a crime scene. In this case, forensicinvestigators should analyze the following folders and directories./etc [%SystemRoot%/System32/config]This contains system configurations directory that holds separate configuration files foreach application./var/logThis directory contains application logs and security logs. They are kept for 4-5 weeks./home/$USERThis directory holds user data and configuration information./etc/passwdThis directory has user account information.

Operating System MAC OS XMac OS X is the UNIX-based operating system that contains a Mach 3 microkernel anda FreeBSD-based subsystem. Its user interface is Apple-like, whereas the underlyingarchitecture is UNIX-like.Mac OS X offers a novel technique to create a forensic duplicate. To do so, theperpetrator’s computer should be placed into a “Target Disk Mode.” Using this mode,the forensic examiner creates a forensic duplicate of perpetrator’s hard disk with thehelp of a Firewire cable connection between the two PCs.iOSApple iOS is the UNIX-based operating system first released in 2007. It is a universalOS for all of Apple’s mobile devices, such as iPhone, iPod Touch, and iPad. An iOSembedded device retrieved from a crime scene can be a rich source of empiricalevidence.

Digital Signatures and Certificates• Encryption – Process of converting electronic data into another form, calledciphertext, which cannot be easily understood by anyone except the authorizedparties. This assures data security.• Decryption– Process of translating code to data.✓ The message is encrypted at the sender’s side using various encryption algorithmsand decrypted at the receiver’s end with the help of the decryption algorithms.✓ When some message is to be kept secure like username, password, etc., encryptionand decryption techniques are used to assure data security.

Digital Signatures and CertificatesTypes of Encryption1. Symmetric Encryption– Data is encrypted using a key and the decryption is alsodone using the same key.2. Asymmetric Encryption-Asymmetric Cryptography is also known as public-keycryptography. It uses public and private keys to encrypt and decrypt data.One key in the pair which can be shared with everyone is called the public key. Theother key in the pair which is kept secret and is only known by the owner is called theprivate key.

Digital Signatures and CertificatesDigital Signature➢ A digital signature is a mathematical technique used to validate the authenticity andintegrity of a message, software, or digital document.➢ A digital signature is a cryptographic technique used to verify the authenticity andintegrity of a digital message, document, or communication.➢ It provides a way to ensure that the sender of a message is who they claim to be andthat the message has not been altered in transit.➢ Digital signatures are commonly used in various online transactions, securecommunications, and electronic documents to ensure the integrity and authenticity ofthe information being exchanged.

Digital Signatures and CertificatesDigitalSignature

Digital Signatures and CertificatesDigital Certificate➢ Digital certificate is issued by a trusted third party which proves sender’s identity tothe receiver and receiver’s identity to the sender.➢ A digital certificate is a certificate issued by a Certificate Authority (CA) to verify theidentity of the certificate holder.➢ The CA issues an encrypted digital certificate containing the applicant’s public keyand a variety of other identification information.➢ Digital certificate is used to attach public key with a particular individual or an entity.

Digital Signatures and CertificatesDigital certificate contains:-▪ The authenticity▪ Name of certificate holder.▪ Serial number which is used to uniquely identify a certificate, the individual or theentity identified by the certificate▪ Expiration dates.▪ Copy of certificate holder’s public key.(used for decrypting messages and digitalsignatures)▪ Digital Signature of the certificate issuing authority.▪ Digital certificate is also sent with the digital signature and the message.

Digital Signatures and CertificatesDigital certificate

Digital Signatures and CertificatesDigital Signature v/s CertificateFeature Digital Signature Digital CertificateBasics / DefinitionDigital signature is like a fingerprint or anattachment to a digital document thatensures its authenticity and integrity.Digital certificate is a file that ensuresholder’s identity and provides security.Process / StepsHashed value of original message isencrypted with sender’s secret key togenerate the digital signature.It is generated by CA (Certifying Authority)that involves four steps: Key Generation,Registration, Verification, Creation.Security ServicesAuthenticity of Sender, integrity of thedocument and non-repudiation.It provides security and authenticity ofcertificate holder.Standard It follows Digital Signature Standard (DSS). It follows X.509 Standard Format

Computer and Internet FraudsThe term "internet fraud" generally covers cybercrime activity that takes place over theinternet or on email, including crimes like identity theft, phishing, and other hackingactivities designed to scam people out of money.Internet fraud can be broken down into several key types of attacks, including:Phishing and spoofing: The use of email and online messaging services to dupe victimsinto sharing personal data, login credentials, and financial details.Data breach: Stealing confidential, protected, or sensitive data from a secure locationand moving it into an untrusted environment. This includes data being stolen from usersand organizations.Denial of service (DoS): Interrupting access of traffic to an online service, system, ornetwork to cause malicious intent.

Computer and Internet FraudsMalware: The use of malicious software to damage or disable users’ devices or stealpersonal and sensitive data.Ransomware: A type of malware that prevents users from accessing critical data thendemanding payment in the promise of restoring access. Ransomware is typicallydelivered via phishing attacks.Business email compromise (BEC): A sophisticated form of attack targetingbusinesses that frequently make wire payments. It compromises legitimate emailaccounts through social engineering techniques to submit unauthorized payments.Financial Cyber Crimes: Cybercrime in finance is the act of obtaining financial gainthrough profit-driven criminal activity, including identity fraud, ransomware attacks,email and internet fraud, and attempts to steal financial accounts, credit cards, or otherpayment card information.

Investigating Financial Cyber Crimes

Investigating Financial Cyber CrimesSix Steps of Financial Fraud Investigation

Investigating Financial Cyber CrimesResponse Process for Financial Fraud Investigation

DIGITAL FORENSICS NOTESCompiled and Rebuilt by Er. Anal SalshingikarDigital ForensicsDigital forensics is a branch of forensic science that focuses on identifying, acquiring, processing,analyzing, and reporting on data stored electronically. Electronic evidence is a component ofalmost all criminal activities and digital forensics support is crucial for law enforcementinvestigations.Digital Forensics is defined as the process of preservation, identification, extraction,and documentation of computer evidence which can be used by the court of law. It is a scienceof finding evidence from digital media like a computer, mobile phone, server, or network.It provides the forensic team with the best techniques and tools to solve digital crime.Digital Forensics gives support for the forensic team to analyse, inspect, identify, and preserve thedigital evidence which is living on various types of electronic devices and storage media.Objectives of computer forensicsHere are the essential objectives of using Computer forensics:o It helps to postulate the motive behind the crime and identity of the main culprit.o It helps to recover, analyze, and preserve computer and related materials in such a mannerthat it helps the investigation agency to present them as evidence in a court of law.o Designing procedures at a suspected crime scene which helps you to ensure that thedigital evidence obtained is not corrupted.o Data acquisition and duplication: Recovering deleted files and deleted partitions from digitalmedia to extract the evidence and validate them.o Helps you to identify the evidence quickly, and also allows you to estimate thepotential impact of the malicious activity on the victimo Producing a computer forensic report which offers a complete report on theinvestigation process.o Preserving the evidence by following the chain of custody.What is the Purpose of Digital Forensics?The most common use of digital forensics is to support or refute a hypothesis in a criminal or civilcourt:Criminal cases: Involving the investigation of any unlawful activity by cybercriminals. Thesecases are usually carried out by law enforcement agencies and digital forensic examiners.Civil cases: Involving the protection of rights and property of individuals or contractual disputesbetween commercial entities were a form of digital forensics called electronic discovery(eDiscovery).

DIGITAL FORENSICS NOTESCompiled and Rebuilt by Er. Anal SalshingikarProcess of Digital forensics [Steps of Forensics Process]Digital Forensics ProcessIdentificationIt is the first step in the forensic process. The identification process mainly includes thingslike what evidence is present, where it is stored, and lastly, how it is stored (in which format).Electronic storage media can be personal computers, Mobile phones, PDAs, etc.PreservationIn this phase, data is isolated, secured, and preserved. It includes preventing people fromusing the digital device so that digital evidence is not tampered with.AnalysisIn this step, investigation agents reconstruct fragments of data and draw conclusions basedon evidence found. However, it might take numerous iterations of examination to supporta specific crime theory.DocumentationIn this process, a record of all the visible data must be created. It helps in recreating the crime sceneand reviewing it. It Involves proper documentation of the crime scene along with photographing,sketching, and crime-scene mapping.PresentationIn this last step, the process of summarization and explanation of conclusions is done.However, it should be written in a layperson's terms using abstracted terminologies.All abstracted terminologies should reference the specific details.

DIGITAL FORENSICS NOTESCompiled and Rebuilt by Er. Anal SalshingikarTypes of Digital ForensicsThree types of digital forensics are:Disk Forensics:It deals with extracting data from storage media by searching active, modified, or deleted files.Network Forensics:It is a sub-branch of digital forensics. It is related to monitoring and analysis ofcomputer network traffic to collect important information and legal evidence.Wireless Forensics:It is a division of network forensics. The main aim of wireless forensics is to offers thetools need to collect and analyze the data from wireless network traffic.Database Forensics:It is a branch of digital forensics relating to the study and examination of databases andtheir related metadata.Malware Forensics:This branch deals with the identification of malicious code, to study their payload,viruses, worms, etc.Email ForensicsDeals with recovery and analysis of emails, including deleted emails, calendars, and contacts.Memory Forensics:It deals with collecting data from system memory (system registers, cache, RAM) in rawform and then carving the data from Raw dump.Mobile Phone Forensics:It mainly deals with the examination and analysis of mobile devices. It helps to retrievephone and SIM contacts, call logs, incoming, and outgoing SMS/MMS, Audio, videos, etc.Challenges faced by Digital ForensicsHere, are major challenges faced by the Digital Forensic:• The increase of PC's and extensive use of internet access• Easy availability of hacking tools• Lack of physical evidence makes prosecution difficult.• The large amount of storage space into Terabytes that makes this investigation job difficult. •Any technological changes require an upgrade or changes to solutions.

DIGITAL FORENSICS NOTESCompiled and Rebuilt by Er. Anal SalshingikarExample Uses of Digital ForensicsIn recent time, commercial organizations have used digital forensics in following a typeof cases:• Intellectual Property theft• Industrial espionage• Employment disputes• Fraud investigations• Inappropriate use of the Internet and email in the workplace• Forgeries related matters• Bankruptcy investigations• Issues concern with the regulatory complianceAdvantages of Digital forensicsHere, are pros/benefits of Digital forensics• To ensure the integrity of the computer system.. To ensure the integrity of the computer system.To produce evidence in the court, which can lead to the punishment of the culprit.• It helps the companies to capture important information if their computer systems or networksare compromised.• Efficiently tracks down cybercriminals from anywhere in the world. • Helps to protect theorganization's money and valuable time.• Allows to extract, process, and interpret the factual evidence, so it proves the cybercriminalaction’s in the court.Disadvantages of Digital ForensicsHere, are major cos/ drawbacks of using Digital Forensic• Digital evidence accepted into court. However, it is must be proved that there is no tampering• Producing electronic records and storing them is an extremely costly affair • Legal practitionersmust have extensive computer knowledge• Need to produce authentic and convincing evidence• If the tool used for digital forensic is not according to specified standards, then in the court oflaw, the evidence can be disapproved by justice.

DIGITAL FORENSICS NOTESCompiled and Rebuilt by Er. Anal Salshingikar• Lack of technical knowledge by the investigating officer might not offer the desired resultSummary:• Digital Forensics is the preservation, identification, extraction, and documentation of computerevidence which can be used in the court of law• Process of Digital forensics includes 1) Identification, 2) Preservation, 3) Analysis,4) Documentation and, 5) Presentation• Different types of Digital Forensics are Disk Forensics, Network Forensics,Wireless Forensics, Database Forensics, Malware Forensics, Email Forensics, MemoryForensics, etc.• Digital forensic Science can be used for cases like 1) Intellectual Property theft, 2) Industrialespionage 3) Employment disputes, 4) Fraud investigations.--------------------------------------------------------------------------------------------------------------------Locard’s Exchange PrincipleDr. Edmond Locard’s exchange principle states that whenever two objects come in contact,a transfer of material occurs. For example, when a killer enters and subsequently departs acrime scene, the attacker could leave blood, DNA, latent prints, hair, and fibers [4], or pick upsuch evidence from the victim.Locard’s exchange principle also applies to a digital environment. Registry keys and log files canserve as the digital equivalent to hair and fiber . Like DNA, our ability to detect and analyze theseartifacts relies heavily on the technology available at the time. Look at the numerous cold casesthat are now being solved due to the significant advances in DNA science. Viewing a device orincident through the “lens” of Locard’s exchange principle can be very helpful in locating andinterpreting not only physical but also digital evidence.Locard’s Exchange PrincipleDr. Edmond Locard was the director of the world’s first forensic laboratory in France.He presented Locard’s Exchange Principle, also known as Locard’s Principle of Transference,in the early 20th century for the purpose of collecting the trace evidence. Locard firmlybelieved that no matter what a criminal does or where a criminal goes, he/she will certainly leavetrace evidence at the crime scene. In fact, whenever two or more people come into contact withone another, a physical transfer takes place. Skin, hair, pollen, clothing fiber, glassfragments, makeup, debris from clothing, or any other material can be transferred from one personto another. This material helps the forensic examiners to collect the trace evidence.The applicability of Locard’s Principle of Transference in computer forensics appliesto cybercrimes involving computer networks, such as identity thefts and electronic bankfrauds. To understand how Locard’s Exchange Principle applies to computer forensics, considerwhat happens when a computer is connected to a particular network. To establish an

DIGITAL FORENSICS NOTESCompiled and Rebuilt by Er. Anal Salshingikarinternet connection, the computer must have a network interface card (NIC). Once the connectionis successfully established, the NIC transmits its MAC address to a relevant DHCP server.After that, the DHCP server logs record this MAC address and assign an IP address to thecomputer, which would receive and store this IP address. Noticeably, the interaction betweencomputer and DHCP server causes the exchange of information, such as MAC and IP addresses,between both devices. This interaction can help the forensic experts to determine the specifieddate and time of the day when this interaction took place.The Inman-Rudin ParadigmLocard’s Exchange Principle set the stage for various other forensic scientists to developnew ways of investigating and analyzing evidence. Later on, the Inman-Rudin Paradigmwas designed by Keith Inman and Norah Rudin. This paradigm, in fact, expanded theLocard’s Exchange Principle into two principles and four processes that were applicable not onlyin physical forensics but also in computer forensics.The principles are:1. Transfer: The transfer, in fact, is Locard’s Exchange Principle, the exchange ofmaterial between two persons.2. The divisibility of matter: This represents the ability to impute the characteristics to the wholeof something from a separate piece of it.Four processes:1. Identification defines the physico-chemical nature of the evidence; for example, the numberof heads, cylinders, and sectors of the hard drive.2. Classification/Individualization—Classification attempts to determine the source, whereasthe individualization employs some characteristics to uniquely identify a specimen. For example,a security camera captured the crime scene and showed an unidentified perpetrator who killed thevictim. On the other hand, the image was clear enough to recognize his gun. The investigatorsexamined the bullet recovered from the victim corpse and found the gun manufacturer, based onbullet’s composition, size, and weight. In fact, these are all class characteristics.When the perpetrator was arrested, the weapon recovered from him was the same as theweapon identified in the examination. Consequently, it was proved that the bullet had a commonorigin and, therefore was “class evidence.” This is a process of identification that providesthe “individual evidence.”Classification/individualization can be applied to digital evidence. For example, the structure andlocation of data on storage media can determine the file system and partition type.3. Association links a person with a crime. In computer forensics, the experts necessarily identifythe items, such as files, data structures, and code, that need to be associated and to determine

DIGITAL FORENSICS NOTESCompiled and Rebuilt by Er. Anal Salshingikarwhere they might be stored and what tools could be used to locate these items. The experts thenextract the required information and determine the associations.4. Reconstruction tries to answer the questions of “How? Where? And When?” the crime hadtaken place. For example, in computer forensics, the date and time relating to data, file system,and network communication can be utilized to demonstrate a sequence of events in the computersystem.What Is the Chain of Custody in Computer Forensics?The chain of custody in digital forensics can also be referred to as the forensic link, the paper trail,or the chronological documentation of electronic evidence. It indicates the collection, sequenceof control, transfer, and analysis. It also documents each person who handled the evidence, thedate/time it was collected or transferred, and the purpose for the transfer.Why Is It Important to Maintain the Chain of Custody?It is important to maintain the chain of custody to preserve the integrity of the evidenceand prevent it from contamination, which can alter the state of the evidence. If not preserved,the evidence presented in court might be challenged and ruled inadmissible.Importance to the ExaminerSuppose that, as the examiner, you obtain metadata for a piece of evidence. However, youare unable to extract meaningful information from it. The fact that there is nomeaningful information within the metadata does not mean that the evidence is insufficient. Thechain of custody in this case helps show where the possible evidence might lie, where it camefrom, who created it, and the type of equipment that was used. That way, if you want to createan exemplar, you can get that equipment, create the exemplar, and compare it to the evidenceto confirm the evidence properties.Importance to the CourtIt is possible to have the evidence presented in court dismissed if there is a missing link inthe chain of custody. It is therefore important to ensure that a wholesome and meaningful chainof custody is presented along with the evidence at the court.What Is the Procedure to Establish the Chain of Custody?In order to ensure that the chain of custody is as authentic as possible, a series of steps mustbe followed. It is important to note that, the more information a forensic expert obtainsconcerning the evidence at hand, the more authentic is the created chain of custody. Due to this,it is important to obtain administrator information about the evidence: for instance,the administrative log, date and file info, and who accessed the files. You should ensurethe following procedure is followed according to the chain of custody for electronic evidence:

DIGITAL FORENSICS NOTESCompiled and Rebuilt by Er. Anal Salshingikar• Save the original materials: You should always work on copies of the digital evidence asopposed to the original. This ensures that you are able to compare your work products to theoriginal that you preserved unmodified.• Take photos of physical evidence: Photos of physical (electronic) evidence establish the chainof custody and make it more authentic.• Take screenshots of digital evidence content: In cases where the evidence is intangible, takingscreenshots is an effective way of establishing the chain of custody.• Document date, time, and any other information of receipt. Recording the timestamps ofwhoever has had the evidence allows investigators to build a reliable timeline of where theevidence was prior to being obtained. In the event that there is a hole in the timeline, furtherinvestigation may be necessary.• Inject a bit-for-bit clone of digital evidence content into our forensic computers.This ensures that we obtain a complete duplicate of the digital evidence in question.• Perform a hash test analysis to further authenticate the working clone. Performing a hashtest ensures that the data we obtain from the previous bit-by-bit copy procedure is not corrupt andreflects the true nature of the original evidence. If this is not the case, then the forensic analysismay be flawed and may result in problems, thus rendering the copy non-authentic.The procedure of the chain of custody might be different. depending on the jurisdiction in whichthe evidence resides; however, the steps are largely identical to the ones outlined above.What Considerations Are Involved with Digital Evidence?A couple of considerations are involved when dealing with digital evidence. We shall take a lookat the most common and discuss globally accepted best practices.1. Never work with the original evidence to develop procedures: The biggest considerationwith digital evidence is that the forensic expert has to make a complete copy of the evidence forforensic analysis. This cannot be overlooked because, when errors are made to working copies orcomparisons are required, it will be necessary to compare the original and copies.2. Use clean collecting media: It is important to ensure that the examiner’s storage deviceis forensically clean when acquiring the evidence. This prevents the original copies from damage.Think of a situation where the examiner’s data evidence collecting media is infected by malware.If the malware escapes into the machine being examined, all of the evidence can becomecompromised.3. Document any extra scope: During the course of an examination, information of evidentiaryvalue may be found that is beyond the scope of the current legal authority. It is recommended thatthis information be documented and brought to the attention of the case agent because theinformation may be needed to obtain additional search authorities. A comprehensive report mustcontain the following sections:

DIGITAL FORENSICS NOTESCompiled and Rebuilt by Er. Anal Salshingikaro Identity of the reporting agencyo Case identifier or submission numbero Case investigatoro Identity of the submittero Date of receipto Date of reporto Descriptive list of items submitted for examination, including serial number, make, and modelo Identity and signature of the examinero Brief description of steps taken during examination, such as string searches, graphics imagesearches, and recovering erased fileso Results/conclusions4. Consider safety of personnel at the scene. It is advisable to always ensure the sceneis properly secured before and during the search. In some cases, the examiner may only have theopportunity to do the following while onsite:o Identify the number and type of computers.o Determine if a network is present.o Interview the system administrator and users.o Identify and document the types and volume of media, including removable media.Digital Forensics Noteso Document the location from which the media was removed.o Identify offsite storage areas and/or remote computing locations.o Identify proprietary software.o Determine the operating system in question.The considerations above need to be taken into account when dealing with digital evidence due tothe fragile nature of the task at hand.What is acquisition in digital forensics?Data acquisition in digital forensics encompasses all the procedures involved in gathering digitalevidence including cloning and copying evidence from any electronic source. Itinvolves producing a forensic image from digital devices including CD ROM, hard drive,removable hard drives, smartphones, thumb drive, gaming console, servers, and othercomputer technologies that can store electronic data.

DIGITAL FORENSICS NOTESCompiled and Rebuilt by Er. Anal SalshingikarIn digital forensics investigation, data acquisition is perhaps the most critical stage and it involvesa demanding, thorough, and well-crafted plan for acquiring digital evidence. Thoroughinformation must be stored and preserved, as well as all software and hardware provisions, thecomputer media applied during the investigation process, and the forensic evidence beingconsidered.Data acquisition methodsThere are different types of data acquisition methods including logical disk-to-disk file, disk to-disk copy, sparse data copy of a file or folder, and disk-to-image file. There are alsodifferent approaches used for data acquisition. This will depend on the type of digital deviceyou’re applying to. For instance, the approach you’ll utilize for retrieving evidence from asmartphone will be different from the technique needed to acquire digital evidence from acomputer hard drive.Except you’re performing a live acquisition, the forensics evidence is typically obtained from thedigital media seized and stored at the forensics lab (static acquisition). The seized digital forensicsevidence is regarded as the primary source of evidence during a forensics investigation. It is calledan ‘exhibit’ in legal vocabulary. Although, the digital forensics professional does not obtain datadirectly from the primary source so as not to corrode or compromise the evidence.

DIGITAL FORENSICS NOTESCompiled and Rebuilt by Er. Anal SalshingikarDigital Signatures and CertificatesEncryption – Process of converting electronic data into another form, called ciphertext, whichcannot be easily understood by anyone except the authorized parties. This assures data security.Decryption– Process of translating code to data.• The message is encrypted at the sender’s side using various encryption algorithmsand decrypted at the receiver’s end with the help of the decryption algorithms.• When some message is to be kept secure like username, password, etc., encryptionand decryption techniques are used to assure data security.Types of EncryptionData encryption transforms information into a code that is only accessible to those with a passwordor secret key, sometimes referred to as a decryption key. Data that has not been encrypted isreferred to as plaintext, whereas data that has been encrypted is referred to as ciphertext. In today’sbusiness sector, encryption is one of the most popular and effective data protection solutions. Byconverting data into ciphertext, which can only be decoded with a special decryption key generatedeither before or at the time of the encryption, data encryption serves to protect the secrecy of data.• Symmetric Encryption:Data is encrypted using a key and the decryption is also done using the same key.There are a fewstrategies used in cryptography algorithms. For encryption and decryption processes, somealgorithms employ a unique key. In such operations, the unique key must be secured since thesystem or person who knows the key has complete authentication to decode the message forreading.Symmetric Encryption• Asymmetric EncryptionAsymmetric Cryptography is also known as public-key cryptography. It uses public and privatekeys for the encryption and decryption od message. One key in the pair which can be shared witheveryone is called the public key. The other key in the pair which is kept secret and is only knownby the owner is called the private key.

DIGITAL FORENSICS NOTESCompiled and Rebuilt by Er. Anal SalshingikarAsymmetric EncryptionPublic key– Key which is known to everyone. Ex-public key of A is 7, this information isknown to everyone.Private key– Key which is only known to the person who’s private key it is.Authentication-Authentication is any process by which a system verifies the identity of a userwho wishes to access it.Non- repudiation– Non-repudiation is a way to guarantee that the sender of a message cannotlater deny having sent the message and that the recipient cannot deny having received themessage.Integrity– to ensure that the message was not altered during the transmission.Message digest -The representation of text in the form of a single string of digits, created using aformula called a one way hash function. Encrypting a message digest with a private key creates adigital signature which is an electronic means of authentication..Digital SignatureA digital signature is a mathematical technique used to validate the authenticity and integrity of amessage, software, or digital document.1. Key Generation Algorithms: Digital signature is electronic signatures, which assure that themessage was sent by a particular sender. While performing digital transactions authenticity andintegrity should be assured, otherwise, the data can be altered or someone can also act as if hewas the sender and expect a reply.2. Signing Algorithms: To create a digital signature, signing algorithms like email programscreate a one-way hash of the electronic data which is to be signed. The signing algorithm thenencrypts the hash value using the private key (signature key). This encrypted hash along withother information like the hashing algorithm is the digital signature. This digital signature isappended with the data and sent to the verifier. The reason for encrypting the hash instead of theentire message or document is that a hash function converts any arbitrary input into a much shorterfixed-length value. This saves time as now instead of signing a long message a shorter hash valuehas to be signed and moreover hashing is much faster than signing.

DIGITAL FORENSICS NOTESCompiled and Rebuilt by Er. Anal Salshingikar3. Signature Verification Algorithms : Verifier receives Digital Signature alongwith the data. It then uses Verification algorithm to process on the digital signature and the publickey (verification key) and generates some value. It also applies the same hash function on thereceived data and generates a hash value. If they both are equal, then the digital signature is validelse it is invalid.The steps followed in creating digital signature are :1. Message digest is computed by applying hash function on the message and then messagedigest is encrypted using private key of sender to form the digital signature. (digitalsignature = encryption (private key of sender, message digest) and message digest =message digest algorithm(message)).2. Digital signature is then transmitted with the message.(message + digital signature istransmitted)3. Receiver decrypts the digital signature using the public key of sender.(This assuresauthenticity, as only sender has his private key so only sender can encrypt using his privatekey which can thus be decrypted by sender’s public key).4. The receiver now has the message digest.5. The receiver can compute the message digest from the message (actual message is sentwith the digital signature).6. The message digest computed by receiver and the message digest (got by decryption ondigital signature) need to be same for ensuring integrity.Message digest is computed using one-way hash function, i.e. a hash function in whichcomputation of hash value of a message is easy but computation of the message from hash valueof the message is very difficult.

DIGITAL FORENSICS NOTESCompiled and Rebuilt by Er. Anal SalshingikarAssurances about digital signaturesThe definitions and words that follow illustrate the kind of assurances that digital signatures offer.1. Authenticity: The identity of the signer is verified.2. Integration: Since the content was digitally signed, it hasn’t been altered orinterfered with.3. Non-repudiation: demonstrates the source of the signed content to all parties. Theact of a signer denying any affiliation with the signed material is known as repudiation.4. Notarization: Under some conditions, a signature in a Microsoft Word, MicrosoftExcel, or Microsoft PowerPoint document that has been time-stamped by a secure time-stamp server is equivalent to a notarization.Benefits of Digital Signatures• Legal documents and contracts: Digital signatures are legally binding. This makesthem ideal for any legal document that requires a signature authenticated by one ormore parties and guarantees that the record has not been altered.• Sales contracts: Digital signing of contracts and sales contracts authenticates theidentity of the seller and the buyer, and both parties can be sure that the signatures arelegally binding and that the terms of the agreement have not been changed.• Financial Documents: Finance departments digitally sign invoices so customers cantrust that the payment request is from the right seller, not from a bad actor trying totrick the buyer into sending payments to a fraudulent account.• Health Data: In the healthcare industry, privacy is paramount for both patientrecords and research data. Digital signatures ensure that this confidential informationwas not modified when it was transmitted between the consenting parties.Drawbacks of Digital Signature• Dependency on technology: Because digital signatures rely on technology, they aresusceptible to crimes, including hacking. As a result, businesses that use digitalsignatures must make sure their systems are safe and have the most recent securitypatches and upgrades installed.• Complexity: Setting up and using digital signatures can be challenging, especially forthose who are unfamiliar with the technology. This may result in blunders and errorsthat reduce the system’s efficacy. The process of issuing digital signatures to seniorcitizens can occasionally be challenging.• Limited acceptance: Digital signatures take time to replace manual ones sincetechnology is not widely available in India, a developing nation.

DIGITAL FORENSICS NOTESCompiled and Rebuilt by Er. Anal SalshingikarDigital CertificateDigital certificate is issued by a trusted third party which proves sender’s identity to the receiverand receiver’s identity to the sender.A digital certificate is a certificate issued by a Certificate Authority (CA) to verify the identity ofthe certificate holder. Digital certificate is used to attach public key with a particular individualor an entity.Digital certificate contains• Name of certificate holder.• Serial number which is used to uniquely identify a certificate, the individual or theentity identified by the certificate• Expiration dates.• Copy of certificate holder’s public key.(used for decrypting messages and digitalsignatures)• Digital Signature of the certificate issuing authority.Digital certificate is also sent with the digital signature and the message.Advantages of Digital Certificate• NETWORK SECURITY : A complete, layered strategy is required by moderncybersecurity methods, wherein many solutions cooperate to offer the highest level ofprotection against malevolent actors. An essential component of this puzzle is digitalcertificates, which offer strong defence against manipulation and man-in-the-middleassaults.• VERIFICATION : Digital certificates facilitate cybersecurity by restricting accessto sensitive data, which makes authentication a crucial component of cybersecurity.Thus, there is a decreased chance that hostile actors will cause chaos. At many differentendpoints, certificate-based authentication provides a dependable method of identityverification. Compared to other popular authentication methods like biometrics or one-time passwords, certificates are more flexible.• BUYER SUCCESS : Astute consumers demand complete assurance that thewebsites they visit are reliable. Because digital certificates are supported by certificateauthority that users’ browsers trust, they offer a readily identifiable indicator ofreliability.Disadvantages of Digital Certificate• Phishing attacks: To make their websites look authentic, attackers can fabricatebogus websites and obtain certificates. Users may be fooled into providing sensitive

DIGITAL FORENSICS NOTESCompiled and Rebuilt by Er. Anal Salshingikarinformation, such as their login credentials, which the attacker may then take advantageof.• Weak encryption: Older digital certificate systems may employ less secureencryption methods that are open to intrusions.• Misconfiguration: In order for digital certificates to work, they need to be set upcorrectly. Websites and online interactions can be attacked due to incorrectlyconfigured certificates.Digital certificate vs digital signatureDigital signature is used to verify authenticity, integrity, non-repudiation ,i.e. it is assuring that themessage is sent by the known user and not modified, while digital certificate is used to verify theidentity of the user, maybe sender or receiver. Thus, digital signature and certificate are differentkind of things but both are used for security. Most websites use digital certificate to enhance trustof their usersFeature Digital Signature Digital CertificateBasics / DefinitionA digital signature securesthe integrity of a digitaldocument in a similar wayas a fingerprint orattachment.Digital certificate is a filethat ensures holder’s identityand provides security.Process / StepsHashed value of originaldata is encrypted usingsender’s private key togenerate the digitalsignature.It is generated by CA(Certifying Authority) thatinvolves four steps: KeyGeneration, Registration,Verification, Creation.Security ServicesAuthenticity ofSender, integrity of thedocument and non-repudiation.It provides securityand authenticity ofcertificate holder.StandardIt follows Digital SignatureStandard (DSS).It follows X.509 StandardFormat

DIGITAL FORENSICS NOTESCompiled and Rebuilt by Er. Anal SalshingikarWhat is Operating system forensics?Definition: Operating System Forensics is the process of retrieving useful information from theOperating System (OS) of the computer or mobile device in question. The aim of collecting thisinformation is to acquire empirical evidence against the perpetrator.Overview: The understanding of an OS and its file system is necessary to recover data forcomputer investigations. The file system provides an operating system with a roadmap to data onthe hard disk. The file system also identifies how hard drive stores data. There are many filesystems introduced for different operating systems, such as FAT, exFAT, and NTFS for WindowsOperating Systems (OSs), and Ext2fs, or Ext3fs for Linux OSs. Data and file recovery techniquesfor these file systems include data carving, slack space, and data hiding. Another important aspectof OS forensics is memory forensics, which incorporates virtual memory, Windows memory,Linux memory, Mac OS memory, memory extraction, and swap spaces. OS forensics also involvesweb browsing artifacts, such as messaging and email artifacts. Some indispensable aspects of OSforensics are discussed in subsequent sections.What are the types of Operating systems?The most popular types of Operating Systems are Windows, Linux, Mac, iOS, and Android.WindowsWindows is a widely used OS designed by Microsoft. The file systems used by Windows includeFAT, exFAT, NTFS, and ReFS. Investigators can search out evidence by analyzing the followingimportant locations of the Windows:• Recycle Bin: This holds files that have been discarded by the user. When a user deletesfiles, a copy of them is stored in recycle bin. This process is called “Soft Deletion.”Recovering files from recycle bin can be a good source of evidence.• Registry: Windows Registry holds a database of values and keys that give useful pieces ofinformation to forensic analysts. For example, see the table below that provides registrykeys and associated files that encompasses user activities on the system.• Thumbs.db Files: These have images’ thumbnails that can provide relevant information.• Browser History: Every Web Browser generates history files that contain significantinformation. Microsoft Windows Explorer is the default web browser for Windows OSs.However, some other supported browsers are Opera, Mozilla Firefox, Google Chrome, andApple Safari.• Print Spooling: This process occurs when a computer prints files in a Windowsenvironment. When a user sends a print command from a computer to the printer, the printspooling process creates a “print job” to some files that remain in the queue unless the printoperation is completed successfully. Moreover, the printer configuration is required to beset in either EMF mode or RAW mode. In a RAW mode, the print job merely provides a

DIGITAL FORENSICS NOTESCompiled and Rebuilt by Er. Anal Salshingikarstraight graphic dump of itself, whereas with an EMF mode, the graphics are convertedinto the EMF image format (Microsoft Enhanced Metafile). These EMF files can beindispensable and can provide an empirical evidence for forensic purposes. The path toEMF files is:For Windows NT and 2000: Winntsystem32spoolprintersFor WindowsXP/2003/Vista/2008/7/8/10: Windowssystem32spoolprintersOS forensic tools canautomatically detect the path; there is no need to define it manually.A Real-world scenario involving print job artifactsA love triangle of three Russian students led to a high-profile murder of one of them. A femaledefendant stalked her former lover for a couple of months in order to kill his new girlfriend. Oncea day, she found the right moment and drove to her boyfriend’s apartment where his new girlfriendwas alone. She murdered the girl and tried not to leave any evidence behind to assist theinvestigation process. However, she used used her computer extensively in the plotting of thecrime, a fact that later provided strong material evidence during the entire process of her trail. Forexample, she made three printouts for directions from her home to her boyfriend’s apartment.The forensic examiners took her computer into custody and recovered the spool files (or EMEfiles) from her computer. Among one of the three pages within spool files provide substantialevidence against her (defendant). The footer at the bottom of the page incorporates the defendant’saddress and her former lover’s address, including the date and time when the print job wasperformed. This evidence later proved to be a final nail in her coffin.LinuxLinux is an open source, Unix-like, and elegantly designed operating system that is compatiblewith personal computers, supercomputers, servers, mobile devices, netbooks, and laptops. Unlikeother OSs, Linux holds many file systems of the ext family, including ext2, ext3, and ext4. Linuxcan provide an empirical evidence if the Linux-embedded machine is recovered from a crimescene. In this case, forensic investigators should analyze the following folders and directories./etc [%SystemRoot%/System32/config]This contains system configurations directory that holds separate configuration files for eachapplication./var/logThis directory contains application logs and security logs. They are kept for 4-5 weeks./home/$USERThis directory holds user data and configuration information./etc/passwdThis directory has user account information.

DIGITAL FORENSICS NOTESCompiled and Rebuilt by Er. Anal SalshingikarMac OS XMac OS X is the UNIX-based operating system that contains a Mach 3 microkernel and aFreeBSD-based subsystem. Its user interface is Apple-like, whereas the underlying architecture isUNIX-like.Mac OS X offers a novel technique to create a forensic duplicate. To do so, the perpetrator’scomputer should be placed into a “Target Disk Mode.” Using this mode, the forensic examinercreates a forensic duplicate of perpetrator’s hard disk with the help of a Firewire cable connectionbetween the two PCs.iOSApple iOS is the UNIX-based operating system first released in 2007. It is a universal OS for allof Apple’s mobile devices, such as iPhone, iPod Touch, and iPad. An iOS embedded deviceretrieved from a crime scene can be a rich source of empirical evidence.AndroidAndroid is a Google’s open-source platform designed for mobile devices. It is widely used as themobile operating system in the handsets industry. The Android operating system runs on a Linux-based kernel which supports core functions, such as power management, network infrastructure,and device drivers. Android’s Software Development Kit (SDK) contains a very significant toolfor generic and forensic purposes, namely Android Debug Bridge (ADB). ADB employs a USBconnection between a computer and a mobile device.What are the examination steps in operating system forensics?There are five basic steps necessary for the study of Operating System forensics. These five stepsare listed below:1. Policies and Procedure Development2. Evidence Assessment3. Evidence Acquisition4. Evidence Examination5. Documenting and ReportingData acquisition methods for operating system forensicsThere are four Data Acquisition methods for Operating System forensics that can be performed onboth Static Acquisition and Live Acquisition. These methods are:Disk-to-image file: A forensic examiner can make a one or more than one copy of a drive underthe operating system in question. The tools used for these methods are iLookIX, X-Ways, FTK,EnCase, or ProDiscover.

DIGITAL FORENSICS NOTESCompiled and Rebuilt by Er. Anal SalshingikarDisk-to-disk copy: This works best when the disk-to-image method is not possible. Tools for thisapproach include SnapCopy, EnCase, or SafeBack.Disk-to-data file: This method creates a disk-to-data or disk-to-disk file.The Sparse copy of a file: This is a preferable method if time is limited and the disk has a largevolume of data storage.For both Linux and Windows Operating Systems, write-blocking utilities with Graphical UserInterface (GUI) tools must be used in to gain access to modify the files. A Linux Live CD offersmany helpful tools for digital forensics acquisition.EXAMINATION STEPSThere are a number of methodologies for the forensic process, which define how forensicexaminers should gather, process, analyze, and extract data. Digital forensics investigationscommonly consist of four stages:1. Seizure: Prior to actual examination, the digital media is seized. In criminal cases, this willbe performed by law enforcement personnel to preserve the chain of custody.2. Acquisition: Once the assets are seized, a forensic duplicate of the data is created, using ahard drive duplicator or software imaging tool. Then the original drive is returned to securestorage to prevent tampering. The acquired image is verified with SHA-1 or MD5 hashfunctions and will be verified again throughout the analysis to verify the evidence is stillin its original state.3. Analysis: After the acquisition of the evidence, files are analyzed to identify evidence tosupport or contradict a hypothesis. The forensic analyst usually recovers evidence materialusing a number of methods (and tools), often beginning with the recovery of deletedinformation. The type of data analyzed varies but will generally include email, chat logs,images, internet history, and documents. The data can be recovered from accessible diskspace, deleted space, or the operating system cache.4. Reporting: Once the investigation is complete, the information is collated into a reportthat is accessible to non-technical individuals. It may include audit information or othermeta-documentation.DATAACQUISITIONThe gathering and recovery of sensitive data during a digital forensic investigation is known asdata acquisition. Cybercrimes often involve the hacking or corruption of data. There are four dataacquisition techniques that can be used for both static and live acquisition in operating systemforensics. These approaches are:• Disk-to-image file: A drive running the relevant operating system can be copied once ormore by a forensic examiner. Disk imaging is a form of hard drive backup that places all

DIGITAL FORENSICS NOTESCompiled and Rebuilt by Er. Anal Salshingikarof a hard drive’s data into a compressed file. That file can be stored on other devices, in afile system, or in the cloud. Disk imaging allows individuals and businesses to recover alldata that was on a computer when the image was made.• Disk-to-disk copy: Sometimes it is not possible to create a bit-stream disk-to-image filedue to software or hardware errors or incompatibilities. Investigators face such issues whiletrying to acquire data from older drives. Through this method, certain parameters of thehard drive may be changed but the files will remain the same.• Logical acquisition: Logical acquisition involves collecting files that are specificallyrelated to the case under investigation. This technique is typically used when an entire driveor network is too large to be copied.• Sparse Acquisition: Sparse acquisition is similar to logical acquisition. Through thismethod, investigators can collect fragments of unallocated (deleted) data. This method isvery useful when it is not necessary to inspect the entire drive.

Notes by Er. Anal Prasanna SalshingikarVehicle ForensicsIn recent years, Smart Cars have become the trend in the development of today’sautomobile industry. Big-name automakers such as Tesla, BYD, and NIO have joined the R&D,design, and manufacturing of smart cars. Intelligent Vehicle is a comprehensive systemintegrating environmental perception, planning and decision-making, multi-level assisteddriving and other functions.It uses computers, modern sensing, information fusion, communication, artificialintelligence and automatic control technologies. It is a typical high-tech technology complex.The various safety devices and entertainment devices installed in the car are becoming moreand more abundant. It can be said that a large amount of data on the car can be used as theobject of digital vehicle forensics.Vehicle forensics Common Car Data Forensics objects include:• Car speed information• Accelerator/brake status• Location change information• Collision information• Communication information• Entertainment informationUsing advanced professional software, digital forensics investigators can extract andanalyze the information for use in traffic accident investigation, criminal or civil case tracking,and vehicle management.What is Digital Vehicle Forensics?Digital vehicle forensics is a branch of digital forensics that involves recovering digitalevidence or data stored in a vehicle’s modules, networks, and messages sent across operatingsystems. The purpose of digital vehicle forensics is to provide evidence for criminal cases, rootcause analysis and accident investigations.How Does the Vehicle Store Information?Generally speaking, almost all vehicles are equipped with on-board informationsystems.The vehicle information system includes two parts: the vehicle information displaysystem and the information communication system.Among them, the status information of the vehicle’s operation can be obtained byobserving the display of the dashboard, and the outside information needs to be obtainedthrough the communication equipment in contact with the outside.The current vehicle information display system is composed of three parts:Vehicle condition monitoring componentsOn-board computerElectronic instruments.

Notes by Er. Anal Prasanna SalshingikarThe Vehicle condition monitoring system monitors the working conditions of theengine, braking system, power supply system and lights through sensors such as liquid level,pressure, temperature, and lights.The on-board computer provides information on safety, fuel economy and passengercomfort, such as average fuel consumption, average vehicle speed, mileage, driving time, clockand temperature, etc. This information is not displayed when it is not needed. The driver cancall up by pressing the relevant button.For the basic operating information required by the driver, as long as the power is turnedon, continuous information can be displayed on the electronic instrument.Vehicle information communication system refers to a device for communicationbetween the automobile and the outside world, which mainly includes on-board multimediasystem, driver information system, voice system, intelligent transportation system (ITS), globalpositioning system (GPS), computer network communication system, and on-board vehicleshort-range wireless communication system, condition monitoring and fault diagnosis system,etc.How Do Law Enforcement Conduct Digital Vehicles Forensic?The purpose of digital vehicle forensics is to retrieve data and develop a timetable ofincidents in order to provide the court with accurate information about criminal activities oraccidents.The first step is to understand the source of the evidence. This includes originalequipment manufacturer (OEM), brand, model, architecture, software, and physicalcomponents.A strategy will then be developed to determine which technologies and tools can beused to retrieve data from the vehicle and how to achieve this without destroying the data orphysical components of the vehicle. This is especially important in Vehicle Forensics, becausethe extraction of these on-board data requires the physical disassembly of the vehicle.Infotainment and telematics systems usually provide the best source of data. Lawenforcement uses specialized tools to obtain data from infotainment (phone and connecteddevice data), telematics (navigation data), and GPS (location data).Law enforcement can also work with vehicle manufacturers to gain access to data invehicle, such as Mercedes and BMW, which retain proprietary tools for maintenance andtroubleshooting that can access these systems. These data is used in criminal proceedings toprove that drivers are speeding or deliberately making driving decisions that cause damage,injury or death.In a vicious case, the murderer abandoned the car and fled. The investigators collectedevidence on the vehicle’s information navigation system on the spot, and extracted the vehicle’strajectory (GPS record). The suspect’s residence was located through the starting point of thetrajectory. After squatting for 3 days, the suspect was found to return to his residence. Theinvestigators arrested him and successfully solved the case.A city’s public security bureau recently received a hit-and-run case. Three suspiciousvehicles were found during surveillance near the time and place of the incident. The

Notes by Er. Anal Prasanna Salshingikarinvestigators found that one of the three vehicles had a dash cam that had been emptied. Thepersonnel conducted further evidence collection on the driving recorder and recovered a sceneof a collision at the time of the incident, successfully solving the case.These are two typical cases where investigators use vehicle forensics. Automobileshave become “witnesses who will not lie” in the process of handling cases, providing a moreeffective means and platform for Law Enforcement agencies to deal with traffic accidents andcriminal cases.

Notes by Er. Anal Prasanna SalshingikarMETADATAMetadata refers to data that provides information about other data. It describes various aspectsof data, such as its content, structure, format, location, ownership, and other attributes. Theconcept and importance of metadata can be understood in several key aspects:Concept of Metadata:1. Descriptive Metadata: This type of metadata describes the content and context of data.It includes information such as titles, abstracts, keywords, and summaries, which helpusers understand what the data is about without needing to access the full content.2. Structural Metadata: This metadata describes the organization and structure of data.It includes information about how data is formatted, grouped, or organized into files,databases, or records.3. Administrative Metadata: Administrative metadata provides information about themanagement and administration of data. It includes details such as data creation date,creator or author, permissions, access rights, and usage restrictions.4. Technical Metadata: Technical metadata describes the technical characteristics andspecifications of data. It includes details such as file format, encoding methods, datasize, resolution (for images or videos), and other technical attributes necessary for dataprocessing and interpretation.5. Rights Metadata: This metadata specifies intellectual property rights and usagepermissions associated with data. It includes copyright information, licensing terms,and access control policies.Importance of Metadata:1. Data Discovery and Retrieval: Metadata improves the discoverability of data byenabling efficient search and retrieval. Users can find relevant data based on keywords,descriptions, or other metadata attributes without having to examine every individualdataset.2. Data Understanding and Interpretation: Metadata provides context and meaning todata, helping users understand its purpose, structure, and content. It aids in interpretingdata correctly and using it effectively for analysis, decision-making, and research.3. Data Integration and Interoperability: Metadata facilitates data integration bydescribing data formats, structures, and relationships. It enables different systems andapplications to understand and exchange data effectively, promoting interoperabilityacross platforms and environments.4. Data Management and Governance: Metadata supports effective data managementpractices by providing information about data lineage, versioning, and quality. It aidsin tracking data provenance, ensuring data accuracy and reliability, and enforcing datagovernance policies.5. Compliance and Security: Metadata includes information about data access rights,usage permissions, and security classifications. It helps organizations comply with

Notes by Er. Anal Prasanna Salshingikarregulatory requirements (e.g., GDPR, HIPAA) and implement security measures toprotect sensitive data from unauthorized access or breaches.6. Long-term Preservation and Archiving: Metadata facilitates the long-termpreservation and archiving of data by documenting its origin, format, and storagerequirements. It ensures that data remains accessible and usable over time, even astechnologies and systems evolve.In essence, metadata plays a fundamental role in managing, understanding, and maximizingthe value of data assets within organizations and across various domains. It enhances datagovernance, supports data-driven decision-making, fosters collaboration, and ensures thereliability and usability of digital information.

Notes by Er. Anal Prasanna SalshingikarDATA CARVINGData carving, also known as file carving, is the forensic technique of reassembling files fromraw data fragments when no filesystem metadata is available.It is a common procedure when performing data recovery, after a storage device failure, forinstance. It may also be performed on a core memory dump as part of a debugging procedure.File or data carving is a term used in the field of Cyber forensics. Cyber forensics is the processof acquisition, authentication, analysis and documentation of evidence extracted from and/orcontained in a computer system, computer network and digital media.Extracting data (file) out of undifferentiated blocks (raw data) is called as carving. Identifyingand recovering files based on analysis of file formats is known as file carving.In Cyber Forensics, carving is a helpful technique in finding hidden or deleted files from digitalmedia. A file can be hidden in areas like lost clusters, unallocated clusters and slack space ofthe disk or digital media.To use this method of extraction, a file should have a standard file signature called a file header(start of the file).A search is performed to locate the file header and continued until the file footer (end of thefile) is reached.The data between these two points will be extracted and analyzed to validate the file. Theextraction algorithm uses different methods of carving depending on the file formats.THE ADVANTAGES USING FILE CARVING IN DATA RECOVERYFile or data carving is a term used in the field of Cyber Forensics. Cyber forensics is the processof acquisition, authentication, analysis, and documentation of evidence extracted from and/orcontained in a computer system, computer network, and digital media.Extracting data (file) out of undifferentiated blocks (raw data) is called ‘carving’. Identifyingand recovering files based on analysis of file formats is known as file carving.In Cyber Forensics, carving is a helpful technique in finding hidden or deleted files from digitalmedia. A file can be hidden in areas like lost clusters, unallocated clusters, and slack space ofthe disk or digital media.

Notes by Er. Anal Prasanna SalshingikarTo use this method of extraction, a file should have a standard file signature called a file header(start of the file). A search is performed to locate the file header and continued until the filefooter (end of the file) is reached.The data between these two points will be extracted and analyzed to validate the file. Theextraction algorithm uses different methods of carving depending on the file formats.HOW IS IT DIFFERENT FROM AUTOMATED RECOVERY SOFTWARE?Such Techniques are different, we can remotely attach to a machine and perform sophisticatedanalysis using these carving techniques attempting to recover lost data, even if they arecompletely deleted.It is important to get in touch with us before you start using your machine, when you deletesomething, it’s still there, the way Operating System works, is it informs that this file is deleted,but in the raw sector, it is still there, and the more you use the machine, the more it willoverwrite the data, which then starts to be lost within the cluster.It is also important to understand that not all data can be recovered, and if the hard drive stillworks physically, such as spindle works, but is not detected, we can still be able to try andrecover lost files. It also could be that, even if recovery is attempted, it could be permanentlydamaged.Difference between file recovery and file carvingAfter reading the above, I think you might be confused: If file carving is a method of filerecovery, then what is the difference between file recovery and file carving?Modern operating systems do not automatically eradicate a deleted file without prompting forthe user's confirmation. Deleted files are recoverable by using some forensic programs if thedeleted file's space is not overwritten by another file. A damaged file can only be recovered ifits data is not corrupted beyond a minimal degree. File recovery is different fromfile restoration, in which a backup file stored in a compressed (encoded) form is restored to itsusable (decoded) form.So there is a difference between the techniques. File recovery techniques make use of the filesystem information and, by using this information, many files can be recovered. If theinformation is not correct, then it will not work.File carving works only on raw data on the media and it is not connected with file systemstructure. File carving doesn't care about any file systems which is used for storing files.In the

Notes by Er. Anal Prasanna SalshingikarFAT file system for example, when a file is deleted, the file's directory entry is changed tounallocated space. The first character of the filename is replaced with a marker, but the file dataitself is left unchanged. Until it's overwritten, the data is still present.File systems overviewA file system is a type of data store that can be used to store, retrieve, and update a set of files.It is a way in which the files are stored and named logically for storage and retrieval.Windows File systems: Microsoft Windows simply uses two types of files system FAT andNTFS.A) FAT, which stands for "file allocation table," is the simplest file system type. It consists ofa boot sector, a file allocation table, and plain storage space to store files and folders. Lately,FAT has been extended to FAT12, FAT16, and FAT32. FAT32 is compatible with Windows-based storage devices. Windows can't a create FAT32 file system with a size of more than32GB.B) NTFS, or "new technology file system," started when Windows NT introduced in market.NTFS is the default type for file systems over 32GB. This file system supports many fileproperties, including encryption and access control.Linux File systems: We already know that Linux is an open source operating system. It wasdeveloped for testing and development and aimed to use different concepts for file systems. InLinux there are varieties of file systems.A) Ext2, Ext3, Ext4—This is the native Linux file system. Generally, the file system is calledthe root file system for all Linux distribution. Ext3 file system is just an upgraded Ext2 filesystem that uses transactional file write operations. Ext4 is further development of Ext3 thatsupports optimized file allocation information and file attributes.B) ReiserFS—This file system is designed for storing huge amount of small files.It has a good capability for searching files and it enables allocation of compact files by storingfile tails or small files along with metadata in order not to use large file system blocks for thispurpose.C) XFS—This file system used in the IRIX server which is derived from the SGI company.The XFS file system has great performance and is widely used to store files.

Notes by Er. Anal Prasanna SalshingikarD) JFS—This is the file system currently used by most modern Linux distributions. It wasdeveloped by IBM for powerful computing systems.MacOS File systems: Apple Macintosh OS uses only the HFS+ file system, which is anextension of the HFS file system. The HFS+ file system is applied to Apple desktop products,including Mac computers, iPhones, iPods, and Apple X Server products. Advanced serverproducts also use the Apple Xsan file system, a clustered file system derived from StorNext orCentraVision file systems.This file system, in addition to files and folders, also stores finder information about directoriesview, window positions, etc.File Carving Techniques: During digital investigations, various types of media have to beanalyzed. Relevant data can be found on various storage and networking devices and incomputer memory. Various types of data such as emails, electronic documents, system logs,and multimedia files have to be analyzed. In this article, we focus on the recovery of multimediafiles that are stored either on storage devices or in computer memory using the file carvingapproach.File carving is a recovery technique that merely considers the contents and structures of filesinstead of file system structures or other meta-data which is used to organize data on storagemedia.The most common general file carving techniques are:1. Header-footer or header-"maximum file size" carving—Recover files based on knownheaders and footers or maximum file size• JPEG—"xFFxD8" header and "xFFxD9" footer• GIF—"x47x49x46x38x37x61" header and "x00x3B"• footer• PST—"!BDN" header and no footer• If the file format has no footer, a maximum file size is used in the carving program,2. File structure-based carving• This technique uses the internal layout of a file• Elements are header, footer, identifier strings, and size information

Notes by Er. Anal Prasanna Salshingikar3. Content-based carving• Content structure is loose (MBOX, HTML, XML)• Content characteristics• Character count• Text/language recognition• White and black listing of data• Statistical attributes (Chi^2)• Information entropyTools widely used for file carving: Data recovery tools play an important role in most forensicinvestigations because smart malicious users will always try to delete evidence of theirunlawful acts. Some important data recovery tools are:1. Scalpel2. FTK3. Encase4. Foremost5. PhotoRec6. Revit7. TestDisk8. Magic Rescue9. F-Engrave

Notes by Er. Anal Prasanna SalshingikarRAID (Redundant Arrays of Independent Disks)RAID (RedundantArrays of Independent Disks) is a technique that makes use of a combinationof multiple disks for storing the data instead of using a single disk for increased performance,data redundancy, or to protect data in the case of a drive failure.What is RAID?RAID (Redundant Array of Independent Disks) is like having backup copies of your importantfiles stored in different places on several hard drives or solid-state drives (SSDs). If one drivestops working, your data is still safe because you have other copies stored on the other drives.It’s like having a safety net to protect your files from being lost if one of your drives breaksdown.RAID (Redundant Array of Independent Disks) in a Database Management System (DBMS)is a technology that combines multiple physical disk drives into a single logical unit for datastorage. The main purpose of RAID is to improve data reliability, availability, and performance.There are different levels of RAID, each offering a balance of these benefits.How RAID Works?Let us understand How RAID works with an example- Imagine you have a bunch of friends,and you want to keep your favourite book safe. Instead of giving the book to just one friend,you make copies and give a piece to each friend. Now, if one friend loses their piece, you canstill put the book together from the other pieces. That’s similar to how RAID works with harddrives. It splits your data across multiple drives, so if one drive fails, your data is still safe onthe others. RAID helps keep your information secure, just like spreading your favorite bookamong friends keeps it safeWhat is a RAID Controller?A RAID controller is like a boss for your hard drives in a big storage system. It works betweenyour computer’s operating system and the actual hard drives, organizing them into groups tomake them easier to manage. This helps speed up how fast your computer can read and writedata, and it also adds a layer of protection in case one of your hard drives breaks down. So, it’slike having a smart helper that makes your hard drives work better and keeps your importantdata safer.Types of RAID ControllerThere are three types of RAID controller:Hardware Based: In hardware-based RAID, there’s a physical controller that manages thewhole array. This controller can handle the whole group of hard drives together. It’s designedto work with different types of hard drives, like SATA (Serial Advanced TechnologyAttachment) or SCSI (Small Computer System Interface). Sometimes, this controller is builtright into the computer’s main board, making it easier to set up and manage your RAID system.It’s like having a captain for your team of hard drives, making sure they work togethersmoothly.Software Based: In software-based RAID, the controller doesn’t have its own specialhardware. So it use computer’s main processor and memory to do its job. It perform the samefunction as a hardware-based RAID controller, like managing the hard drives and keeping yourdata safe. But because it’s sharing resources with other programs on your computer, it mightnot make things run as fast. So, while it’s still helpful, it might not give you as big of a speedboost as a hardware-based RAID system

Notes by Er. Anal Prasanna SalshingikarFirmware Based: Firmware-based RAID controllers are like helpers built into the computer’smain board. They work with the main processor, just like software-based RAID. But they onlyimplement when the computer starts up. Once the operating system is running, a special drivertakes over the RAID job. These controllers aren’t as expensive as hardware ones, but they makethe computer’s main processor work harder. People also call them hardware-assisted softwareRAID, hybrid model RAID, or fake RAID.Why Data Redundancy?Data redundancy, although taking up extra space, adds to disk reliability. This means, that incase of disk failure, if the same data is also backed up onto another disk, we can retrieve thedata and go on with the operation. On the other hand, if the data is spread across multiple diskswithout the RAID technique, the loss of a single disk can affect the entire data.Key Evaluation Points for a RAID System• Reliability: How many disk faults can the system tolerate?• Availability: What fraction of the total session time is a system in uptime mode, i.e.how available is the system for actual use?• Performance: How good is the response time? How high is the throughput (rate ofprocessing work)? Note that performance contains a lot of parameters, not just the two.• Capacity: Given a set of N disks each with B blocks, how much useful capacity isavailable to the user?RAID is very transparent to the underlying system. This means, that to the host system, itappears as a single big disk presenting itself as a linear array of blocks. This allows oldertechnologies to be replaced by RAID without making too many changes to the existing code.Figure: The RAID Configuration for 128 TB

Noted by Er Anal SalshingikarThe Importance of Forensic TimelinesForensic timelines are chronological records of the events that occur relative to a crime. Thetimeline can list the relevant events proceeding the crime, all events related to the crime fromthe initial discovery of the crime to the resolution of the case. They are created by investigatorsto document the evidence they collect and the steps they take to analyze it.Although the word “forensic” implies that the technique can be employed only by a crime sceneinvestigator, the most generic meaning of the term forensic simply means that it is suitable foruse in a legal proceeding. Hence, anyone with good attention to detail can create a timeline.Forensic timelines are essential tools for law enforcement, prosecutors, and defense attorneysalike. They can be used to:• Reconstruct the sequence of events of a crime• Identify potential suspects• Corroborate witness statements• Support or refute a theory of the crime• Present evidence in courtHow to create a forensic timelineForensic timelines are typically created using a variety of sources of information, including:• Witness statements• Physical evidence• Chain of Custody documentation• Crime scene photos and videos• Laboratory reports• Medical examiner's reports• Digital forensic reports• Court filingsThe first step in creating a forensic timeline is to gather as much information as possible aboutthe crime. This includes examining witness statements, collecting physical evidence, andreviewing crime scene photos and videos. Once the information has been gathered, theinvestigator begins to create a timeline of events.The timeline is typically organized by time, with each event listed in chronological order. Aspreadsheet can be very useful to collect the information. It can be useful to have separatecolumns for the date, time, description of the event, location, people involved, and the sourcedocument. This allows the spreadsheet to be sorted or filtered for additional analysis.

Noted by Er Anal SalshingikarSome analysts may find it easiest to work with a single source document at a time and then re-sort the spreadsheet into chronological order. Bates numbering of evidentiary documents makestracking the source document easy and convenient.Sometimes two different witnesses may recall a specific event as having happened at a differenttime. In that case, simply create two different records and notate them as such. Some thingsoccur over a time range; in that case, create a “start” event and a second “end” event. If atimestamp is approximate or an estimate, designate it using a consistent convention such as anitalic font.Obviously, the timeline that is used for the case analysis will have much more detail than thetimeline that would be presented to a jury.The benefits of using forensic timelinesForensic timelines offer several benefits to investigators, prosecutors, and defense attorneys.Reconstructing the sequence of events: Forensic timelines can help investigators toreconstruct the sequence of events at a crime scene. This can be helpful in identifying potentialsuspects and developing a theory of the crime.Identifying gaps and missing information: Timelines can be used by the analyst to identifychronological gaps and missing information. For example, an affidavit needs to be presentedto a judge before the judge will sign a search warrant. A timeline analysis may identify that theaffidavit is missing.Identifying potential suspects: Forensic timelines can also be used to identify potentialsuspects. For example, if the timeline shows that the suspect was in the area of the crime at thetime of the crime, this can be used as evidence to support their arrest.Corroborate witness statements: Forensic timelines can also be used to corroborate witnessstatements. For example, if a witness says that they saw the suspect at the crime scene at acertain time, the timeline can be used to verify that this is possible.Support or refute a theory of the crime: Forensic timelines can also be used to support orrefute a theory of the crime. For example, if the timeline shows that the suspect was in adifferent location at the time of the crime, this can be used to refute the theory that the suspectcommitted the crime.Presenting evidence in court: Forensic timelines can also be used to present evidence in court.For example, an investigator may use a timeline to show the jury how the suspect committedthe crime.Digital Forensic TimelinesAspecial type of timeline is a Digital Forensic Timeline. Devices such as computers and mobilephones create thousands of records of timestamped data. This includes geo-location data basedon GPS or cell tower records. It also includes system events, such as when the system wasunlocked by the user.

Noted by Er Anal SalshingikarConclusionForensic timelines are essential tools for law enforcement and prosecutors. They can be usedto solve crimes, identify suspects, and present evidence in court. Forensic timeline analysis isa valuable technique, and new technologies are being developed to make it even morepowerful.Future of Forensic Timeline AnalysisNew technologies are being developed to make forensic timeline analysis more efficient andaccurate. At Lucid Truth Technologies, we use natural language processing (NLP) and artificialintelligence (AI) tools to analyze large amounts of data and identify patterns that would bedifficult for humans to see.As AI technology continues to develop, it is likely that forensic timeline analysis will becomeeven more sophisticated. This will allow investigators to solve crimes more quickly andefficiently.

Notes by Er. Anal Prasanna SalshingikarForensic Imaging with FTK ImagerA Forensic Image is most often needed to verify the integrity of the image after an acquisitionof a Hard Drive has occurred. This is usually performed by law enforcement for court because,after a forensic image has been created, its integrity can be checked to verify that it has notbeen tampered with. Forensic Imaging is defined as the processes and tools used in copying anelectronic media such as a hard-disk drive for conducting investigations and gathering evidencethat will be presentable in the law of court. This copy not only includes files that are visible tothe operating system but every bit of data, every sector, partition, files, folders, master bootrecords, deleted files, and unallocated spaces. The image is an identical copy of all the drivestructures and contents.Further, a forensic image can be backed up and/or tested on without damaging the original copyor evidence.Also, you can create a forensic image from a running or dead machine. It is a literal snapshotin time that has integrity checking.Need for a Forensic Image1. In today’s world of crime, many cases have been solved by using this technique, asevidence apart from what is available through an operating system, has been foundusing this technique, as incriminating data might have deleted to prevent discoveryduring the investigation. Unless that data is overwritten and deleted securely, it can berecovered.2. One of the advantages includes the prevention of the loss of critical files.3. When you suspect a custodian of deleting or altering files. A complete forensic imagewill, to a certain extent, allow you to recover deleted files. It can also potentially beused to identify files that have been renamed or hidden.4. When you expect that the scope of your investigation could increase at a later date. Ifyou aren’t sure about the scope of your project, ALWAYS OVER COLLECT. It’s betterto have too much data than not enough, and you can’t get much more data than aforensic image.5. When you expect that you or someone in your organization may need to certify ortestify to the forensic soundness of the collection. In most cases, this need will neverarise, but will almost certainly come into play in any criminal or potential criminalproceedings.6. The Imaging of random access memory (RAM) can be enabled by using Live imaging.Live imaging can bypass most encryption.What Is FTK Imager?FTK Imager is a tool for creating disk images and is absolutely free to use. It was developedby The Access Data Group. It is a tool that helps to preview data and for imaging.

Notes by Er. Anal Prasanna SalshingikarWith FTK Imager, you can:• Create forensic images or perfect copies of local hard drives, floppy and Zip disks,DVDs, folders, individual files, etc. without making changes to the original evidence.• Preview files and folders on local hard drives, network drives, floppy diskettes, Zipdisks, CDs, and DVDs.• You can also preview the contents of the forensic images that might be stored on a localmachine or drive.• You can also mount an image for a read-only view that will also allow you to view thecontents of the forensic image exactly as the user saw it on the original drive.• Export files and folders from forensic images.• View and recover files that have been deleted from the Recycle Bin, but have not yetbeen overwritten on the drive.There are many ways to create a forensic image. However, one of which is explained below.Approach:To create a forensic image with FTK imager, we will need the following:1. FTK Imager from Access Data, which can be downloaded using the followinglink: FTK Imager from Access Data2. A Hard Drive that you would like to create an image of.Method :Step 1: Download and install the FTK imager on your machine.Step 2: Click and open the FTK Imager, once it is installed. You should be greeted with theFTK Imager dashboard.Step 3: In the menu navigation bar, you need to click on the File tab which will give you adrop-down, like given in the image below, just click on the first one that says, Add EvidenceItem.Step 4: After that, there will be a pop-up window that will ask you to Select the Source of theEvidence. If you have connected a physical hard drive to the laptop/computer you are using tomake the forensic image, then you will select the Physical Drive here. Click on Next. Now,Select the Physical Drive that you would like to use. Please make sure that you are selectingthe right drive, or you will waste your time exporting a forensic image of your own OS drive.

Notes by Er. Anal Prasanna SalshingikarStep 5: Now, we will export the forensic images.• Right-click on the Physical Drive that you would like to export in the FTK Imagerwindow. Select Export Disk Image here.• Click the Add button for the Image Destination.• Select the Type of Forensic Image you would like to export. Select .E01 and Click Next.• After that, you will have to enter information regarding the case now. You can eitherleave them blank or keep it general, this part is totally upon you.• Next, you will need to Choose the Destination that you would like to export the forensicimage and Name the Image.Lastly, you will need to wait for the Forensic Image to be created and then verified. The speedof creating the forensic image will vary based on your hardware. Once both have occurred, youhave your forensic images ready.Pros Of FTK Imager1. It has a simple user interface and advanced searching capabilities.2. FTK supports EFS decryption.3. It produces a case log file.4. It has significant bookmarking and salient reporting features.5. FTK Imager is free.

Notes by Er. Anal Prasanna SalshingikarCons Of FTK Imager1. FTK does not support scripting features.2. It does not have multitasking capabilities.3. There is no progress bar to estimate the time remaining.4. FTK does not have a timeline view.

Complied & Redesigned by Anal SalshingikarDigital Forensics with AutopsyWhat is Autopsy?Autopsy is an open source digital forensics tool developed by BasisTechnology, first released in 2000. It is a free to use and quite efficienttool for hard drive investigation with features like multi-user cases,timeline analysis, registry analysis, keyword search, email analysis,media playback, EXIF analysis, malicious file detection and muchmore.How to install Autopsy?Step 1: Download Autopsy from here.(https://www.autopsy.com/download/)Step 2: Run the Autopsy msi installer file.Step 3: If you get a Windows prompt, click Yes.Step 4: Click through the dialog boxes until you click a button thatsays Finish.Step 5: Autopsy should be installed now.

Complied & Redesigned by Anal SalshingikarHow to use Autopsy for digital investigation?Now, we will see how we can use Autopsy for investigating a harddrive. For that, we will go through a popular scenario most of us comeacross while studying digital forensics, and that is the scenarioof Greg Schardt.Let me tell you the scenario in brief:It is suspected that this computer was used for hacking purposes,although cannot be tied to a hacking suspect, Greg Schardt. Schardtalso goes by the online nickname of “Mr. Evil” and some of hisassociates have said that he would park his vehicle within range ofWireless Access Points where he would then intercept internettraffic, attempting to get credit card numbers, usernames &passwords. Find any hacking software, evidence of their use, andany data that might have been generated. Attempt to tie thecomputer to the suspect, Greg Schardt.Step 1: Run Autopsy and select New Case.

Complied & Redesigned by Anal SalshingikarStep 2: Provide the Case Name and the directory to store the casefile. Click on Next.Step 3: Add Case Number and Examiner’s details, then clickon Finish.

Complied & Redesigned by Anal SalshingikarStep 4: Choose the required data source type, in this case DiskImage and click on Next.Step 5: Give path of the data source and click on Next.

Complied & Redesigned by Anal SalshingikarStep 6: Select the required modules and click on Next.Step 7: After the data source has been added, click on Finish.

Complied & Redesigned by Anal SalshingikarStep 8: You reach here once all the modules have been ingested. Youcan begin investigating but i recommend waiting until analysis andintegrity check is complete.There are a lot of things we can investigate to solve the scenariodescribed earlier but for tutorial purposes we will be findinganswers to the following 20 questions.Q1. What is the image hash?Soln. AEE4FCD9301C03B3B054623CA261959A.To check the image hash, click on image and go to FileMetadata tab. (We check the image hash in order to verify that it isthe same as the hash created during the time when the image wascreated.)

Complied & Redesigned by Anal SalshingikarQ2: What operating system was used on the computer?Soln: Microsoft Windows XP.For this, in the left side panel, we go to Results > ExtractedContent > Operating System Information.

Complied & Redesigned by Anal SalshingikarQ3: When was the install date?Soln: GMT: Thursday, August 19, 2004 10:48:27 PMQ4. Who is the registered owner?Soln. Greg Schardt

Complied & Redesigned by Anal SalshingikarQ5. What is the computer account name?Soln. N-1A9ODN6ZXK4LQ (Click on System file)Q6. When was the last recorded computer shutdown date/time?Soln. 2004/08/27–10:46:27To find this we goto C:WINDOWSsystem32configsoftwareMicrosoftWindowNTCurrentVersionPrefetcherExitTime

Complied & Redesigned by Anal SalshingikarQ7. How many accounts are recorded (total number)?Soln. 5 accounts: Administrator, Guest, HelpAssistant, Mr. Evil, andSUPPORT_388945a0 (Look at the Account Type column).In the left side panel, we go to Results > Extracted Content >Operating System User AccountQ8.Who was the last user to logon to the computer?Soln. Mr. Evil (Can be checked through Date Accessed column)

Complied & Redesigned by Anal SalshingikarQ9. List the network cards used by this computer?Soln. Xircom CardBus Ethernet 100 + Modem 56 (EthernetInterface)Compaq WL110 Wireless LAN PC CardWe find answerat C:WINDOWSsystem32configsoftwareMicrosoftWindows NTCurrentVersionNetworkCards

Complied & Redesigned by Anal SalshingikarQ10. What is the IP address and MAC address of the computer?Soln. IP=192.168.1.111MAC=00:10:a4:93:3e:09We go to C:/Program Files/Look@LAN/irunin.iniQ11. List down the programs that can be used for hacking purpose?Soln. Cain & Abel v2.5 beta45 (password sniffer & cracker)Ethereal (packet sniffer)123 Write All Stored Passwords (finds passwords in registry)Anonymizer (hides IP tracks when browsing)CuteFTP (FTP software)Look@LAN_1.0 (network discovery tool)NetStumbler (wireless access point discovery tool)WinPcap (provide low-level network access and a library that is usedto easily access low-level network layers.)

Complied & Redesigned by Anal SalshingikarIn the left side panel, we go to Results > Extracted Content> Installed ProgramsQ12. Which Email client is used by Mr. Evil?Soln: Outlook Express, Forte Agent, MSN Explorer, MSN (Hotmail)EmailGo to C:/WINDOWS/system32/config/Clients/Mail

Complied & Redesigned by Anal SalshingikarQ13. What is the SMTP email address for Mr. Evil?Soln: whoknowsme@sbcglobal.netWe find the answer at C:ProgramFilesAgentDataAGENT.INIQ14. How many executable files are in the recycle bin?Soln. There are 4 namely, Dc1.exe, Dc2.exe, Dc3.exe, Dc4.exeWe find those at C:/RECYCLER (RECYCER is the directory forRecycle Bin.)

Complied & Redesigned by Anal SalshingikarQ15. Are there any viruses on the computer?Soln. Yes, a zip bomb(unix_hack.tgz) is present.For this, in the left side panel, we go to Results > InterestingItems > Possible ZipBomb > Interesting Files (InterestingItems is where Autopsy shows possibly malicious files.)

Complied & Redesigned by Anal SalshingikarQ16. A popular IRC (Internet Relay Chat) program called MIRC wasinstalled. What are the userid, username, email and nickname usedwhen the user was online in a chat channel?Soln. user=Mini Me, email=none@of.ya, nick=Mr,anick=mrevilrulezWe can find that at C:Program FilesmIRCmirc.iniQ17. Ethereal, a popular “sniffing” program that can be used tointercept wired and wireless internet packets was also found to beinstalled. When TCP packets are collected and re-assembled, thedefault save directory is that users /My Documents directory. What isthe name of the file that contains the intercepted data?Soln. File name is ‘Interception’As hinted we need to go to through My Documents which inthis case would be Documents and Setting/Mr.Evil

Complied & Redesigned by Anal SalshingikarQ18. What type of wireless computer was the victim (person who hadhis internet surfing recorded) using?Soln: Internet Explorer 4 on Windows CEWe find this in Interception file.

Complied & Redesigned by Anal SalshingikarQ19. What websites victim was accessing?Soln. Mobile.msn.com, MSN (Hotmail) EmailQ20. What is the web-based email address for main user?Soln. mrevilrulez@yahoo.com (Through web history)To find this, in the left side panel, we go to Results > Extracted Content >Web History and look at websites where login might be required.

Notes by Er. Anal Prasanna SalshingikarSOP ON DATA RECOVERY USING AUTOPSYHere, we start our journey with the autopsy tool to recover deleted files from your pen drive.Step 1: - Start Autopsy and select “New Case”.Step 2: - Enter the “Case Name” and your directory. {Autopsy provides multi-userfunctionality, so select that if required.}

Notes by Er. Anal Prasanna SalshingikarStep 3: - Enter Case Number and Examiner’s details, then click on Finish.Step 4: - Specify the host name or else keep this setting as default.Step 5: - Choose the required data source type, in this case Local Disk for recovering thedeleted files from pen drive.

Notes by Er. Anal Prasanna SalshingikarStep 6: - Select the correct drive and time zone and click on Next.Step 7: - Select the modules you want to scan and click on Next. By default, it will select allthe supported modules.

Notes by Er. Anal Prasanna SalshingikarStep 8: - Now the Data source is already added, and file analysis has been started.Step 9: - Once it's done, you will be able to see all the files, both present and deleted, and hereis the preview you will get. It would be great if you try this yourself and explore all the options.You can even save the files on our laptop or computer using extract functionality.

Notes by Er. Anal Prasanna Salshingikar

SOP on Collecting Artifacts from AnydeskDigital Forensic Artifact of Anydesk ApplicationIn this case we try to connect from laptop A to Laptop B using anydesk, and see what can weget from the evidence.Log of AnydeskThere is 4 log on Anydesk :1. Connection log2. Ad trace log3. Ad_svc trace log (only at installed version)4. Chat logAs explained before anydesk comes up with 2 version, it is installed version and portableversion, this 2 version have different path on storing configuration and log.Path log installed version :C:ProgramDataAnydeskPath log portable version :C:Users[user profile]AppDataRoamingAnyDesk

SOP on Collecting Artifacts from Anydesk- Connection_trace LogThe first one we need to check is connection_trace.txt file. in this file we can see history ofincoming connection to our AnyDesk, but the information is limited to Date/Time, status, aliasand ID of AnyDesk.- ad.trace LogIn ad.trace log we can check history of connection event, error event and system notificationthat happened in our AnyDesk. this log can be opened by Notepad or any text editor application.We can search connection event at ad.trace log for incoming and outgoing connection asinformation below, but the information is limited to AnyDesk ID and user (desktop).- ad_svc.trace Log

SOP on Collecting Artifacts from Anydeskad_svc.trace is like ad.trace, it contain connection event, error event, and also systemnotification. but for the connection event it store more informative log such as, IP addresses ofincoming or outgoing connection, AnyDesk ID, Relay server that we connect to, and etc. Butremember, this log is active if we install the AnyDesk, if its portable version, it just come withad.trace only.We can search connection event at ad.trace log for incoming and outgoing connection asinformation below.Chat LogChat log of AnyDesk is stored at AnyDesk Portable Path in folder chat.

SOP on Collecting Artifacts from AnydeskThe file log will be named as ID that connected to the desktop and have txt format. in this logwe can see all conversation history from the active session before.- Other EvidenceSometimes log from anydesk is altered by threat actor, if this happened we can restore it withrestoration tools such us EaseUs, R-recovery and etc. But when we cannot restore it the onlyway we can do is looking after another evidence.We can see IP addresses of incoming connection to the anydesk from Network Packet Capture.Why should packet capture? we can see at the traffic log from Firewall or IPS maybe, but theinformation that we get about the IP source of incoming connection is only IP of AnyDeskRelay Server. The original IP of incoming connection is not captured by firewall.With packet capture we could see the original ip of incoming connection from the AnyDesk.By default AnyDesk is used port 80, 442 or 6568, but when it accept connection request it willlistening to port 7070. So we can filter it at packet capture application such as wireshark ormoloch all connection that using port 7070.The other additional evidence that we can check is at OS Level evidence. We can checkprogram execution artifact to see how much AnyDesk being execute and when it being executeby user. the execution artifact can be get from analysis Userassist and Prefetch. and you cancheck installed program artifact from OS. If you didn’t familiar with these, you can check thisvideo to learn about Windows forensics.

Download your data using Google TakeoutThe fastest way to download your Google data is to use Google Takeout. What is Google Takeout? Google Takeout is a data retrieval platformcreated in 2011 by the engineering team known as the Google Data Liberation Front. It lets you easily import and export data from many Googleservices. It’s not, as the name might suggest, an online food delivery service.With Google Takeout, you can export images for editing, free up space by archiving old files, and create backups to store on hard drives or onother cloud services. You can also download data from Google Calendar, Gmail, your Google Drive — even data related to your searches andmovements on Google Maps.Once you learn how to use Google Takeout, there are around 50 separate services whose data you can access, which will give you some ideaof how Google uses your data. You can take out (export) some or all of the data you want. Just note that if you download Google data it doesn’tremove it from their servers — it just lets you access and explore it.How does Google Takeout work? Just go to Google Takeout, download your data in a few easy steps, and start exploring the data Googlecollects. You might want to begin by downloading data from just one service, so there’s less to wade through when getting started.For popular Google services whose data you may want to access immediately, jump ahead to:• Gmail• Google Calendar• Google Photos• Google Maps• Google DriveStep 1: Select the data you want to downloadThere are just a few steps you need to take to export data from Google Takeout.1. First, log in to your Google account.2. Then, go to Google Takeout.3. Click on the menu item Select data to include to expand it.4. Choose which services to export data from. By default, all data is selected, but there’s a button above the individualcheckboxes that lets you Deselect all or Select all.5. For more details about each service, click on the buttons below that service. For example, the Multiple Formats buttonunder Chrome tells you which formats each type of data will be exported in and also has an option to select which Chromeitems to download.

We’ll take a closer look at five of the most popular services in the section on downloading data from specific Google productsand services below.6. Click the Next Step button at the bottom and then choose the file type, frequency, and destination of your data export.

Step 2: Choose your preferred delivery method and export typeDelivery method: You can choose to get a download link delivered via email or add your data to a cloud storage service such as Google Drive,Dropbox, OneDrive, or Box.1. Frequency: Choose to export your data all at once (one export) or in two-month increments over one year (meaning you’ll get sixseparate exports, each with two months of data).

Step 3: Set your maximum archive size1. File type: Choose to download your data in a zip file or a tgz file (these are compressed file formats and most people choose azip file).2. File size: Use the dropdown menu to choose how large you want your Google archive files to be. Files larger than the archivesize you select will be split into multiple files. In a test of 15 services with moderate use, choosing the default 2GB file sizeresulted in 88 separate files to download and examine.Step 4: Download and save your Google archiveAfter setting your file size and type, it’s time to download your data.1. Click the Create export button.2. The Export progress window will open. It may take some time to create your Google archive (maybe hours or even a coupleof days if you’re downloading data from lots of services). But typically it’ll be created the same day you make the request. Inour test for 15 Google services, it took just over an hour (67 minutes).3. To go back and select fewer or more services, you can cancel the export. Or you can initiate a new export while the first one isbeing created.4. You may receive an email from Google notifying you that an archive of Google data has been requested and asking you toverify that you made that request.a. Of course, if you get this email and you did not request your data, then something is amiss and Google willcancel the request.b. If you did make the request, click that button and you’ll see a screen that says, “You’re all set!” There’s alsoa link to manage your Google data archives, which takes you back to the Google Takeout page you werejust on.5. When your archive is finished, you’ll get an email notification.6. Open the email, click Download archive, and follow the instructions to access and save the exported archive. You’ll need toverify it’s you by using your Google account password.Your files will be made available to download for seven days. After that, Google blocks access so that someone else can’t download your data.

Downloading data from specific Google products andservicesNow let’s explore how to use Google Takeout to request a data archive for five of the company’s most popular services: Gmail, GoogleCalendar, Google Photos, Google Maps, and Google Drive.GmailFirst, log in to your Google account and go to Google Takeout.1. Click on the menu Select data to include to expand it.2. To download your Google emails, scroll down to Mail (also known as Gmail). Your email messages will be in an MBOX format, and youruser settings will be in a JSON format.3. Click the All Mail data included button to open the Mail content options menu. You’ll see a list of all your labels and categories. Checkthe box to Include all messages in Mail to download everything, or uncheck that box and individually select the items you want to see orarchive.(Note that Google is rolling out new settings to give you more control over your Gmail and Google Chat data.)4. To download your data, proceed as described above in the section Download your data using Google Takeout, steps 2-4.

Google CalendarYou can use Google Takeout to access your Google Calendar data, or you can export events directly if you’re using a desktop computer (thisfunctionality isn’t possible with the mobile app).Note that if your Google calendar is administered by an organization (like your work or school), you may have to contact your organization’sadmin to download your calendar data.Use Google Takeout to download your Google Calendar data1. First, log in to your Google account and go to Google Takeout.2. Click on the menu Select data to include to expand it.3. Scroll down to Calendar. Your data will be in the iCalendar format.4. Click the All calendars included button to open the Calendar content options menu.5. Select which calendars to export data from.Use Google Calendar to export all calendarsOpen Google Calendar on your desktop computer.1. Click the Settings icon in the top right and then select Settings.2. In the left menu, click Import & export. This will create a zip file of all the listed calendars.3. Download the zip file to your computer.

Use Google Calendar to export just one calendarMaybe you don’t need data from all your calendars. Here’s how to export data from just one Google calendar:1. Open Google Calendar on your desktop computer.2. In the left menu, expand the My calendars menu.3. Mouse over the calendar you want and click the three vertical dots on the right.4. Click Settings and sharing.5. Click the Export calendar button. This will create a zip file for the calendar.6. Download the zip file to your computer.

Google PhotosYou can export the photos and videos that you have stored in Google Photos, as well as the metadata for your files and albums.Use Google Takeout to download your Google PhotosFirst, log in to your Google account and go to Google Takeout.1. Click on the menu Select data to include to expand it.

2. Scroll down to Google Photos.3. Click the All photo albums included button to open the Google Photos content options menu.4. You’ll see a list of all your labels and categories. Check Select all to download everything, or uncheck it and then select theindividual albums you want to archive.5. To download your data, proceed as described above in the section Download your data using Google Takeout, steps 2-4.Use Google Photos to download individual pictures and videosOpen Google Photos on your desktop computer, Android device, iPhone, or iPad.1. Select a photo or video.2. Click the three vertical dots in the upper right corner.3. Click Download (if the picture is already on your device, this option will not be visible).4. Choose a location on your device and click Save.

Google MapsFirst, log in to your Google account and go to Google Takeout.1. Click on the menu Select data to include to expand it.2. Scroll down to Maps (Google Maps).3. Click the All Maps data included button to open the Maps content options menu.4. Make sure the boxes for the data you want are checked, like any dishes, products, or activities you’ve added; your commuteroutes; your food and drink preferences; places you’ve labelled; or even all of your personalization feedback.5. To download your data, proceed as described above in the section Download your data using Google Takeout, steps 2-4.Google DriveYou can download all your Google Drive documents and files, or just some of them. This includes anything created or saved in Google Docs,Sheets, Forms, Slides, Drawings, Jamboard, and Sites.Use Google Takeout to download your Google Drive data1. First, log in to your Google account and go to Google Takeout.

2. Click on the menu Select data to include to expand it.3. Scroll down to Drive (Google Drive).4. Click the All Drive data included button to open the Drive content options menu.5. Choose the individual folders you’d like to download, or check the Include all files and folders in Drivebox. You can addmore information by clicking on the Advanced Settings button, which will open the Drive — advanced settings menu.6. To download your data, proceed as described above in the section Download your data using Google Takeout, steps 2-4.

Use Google Drive to download single files1. Open Google Drive on your device and right-click on the file you’d like to download.2. Choose Download from the menu. If you’d like to select multiple files, press the Ctrl key on a Windows computeror Command on a Mac while you select files.3. Choose a location on your device and click Save.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/

Office of RBI Ombudsmanhttps://cms.rbi.org.in/Table of ContentsSubject Page No.Preface 1Part A - Modus Operandi and Precautions to be taken againstFraudulent Transactions - Banks21 Phishing links 32 Vishing calls 43 Frauds using online sales platforms 54 Frauds due to the use of unknown / unverified mobile apps 65 ATM card skimming 76 Frauds using screen sharing app / Remote access 87 SIM swap / SIM cloning 98 Frauds by compromising credentials through search engines 109 Scam through QR code scan 1110 Impersonation on social media 1211 Juice jacking 1312 Lottery frauds 1413 Online job frauds 1514 Money mules 16Part B - Modus Operandi and Precautions to be taken againstFraudulent Transactions - NBFCs171 Fake advertisements for grant of loans 182 SMS / Email / Instant Messaging / Call scam 193 OTP based frauds 204 Fake loan websites / App frauds 215 Money circulation / Ponzi / Multi-Level Marketing (MLM) scheme frauds 226 Loans with forged documents 23Part C - General precautions to be taken for financial transactions 24Glossary 32

Office of RBI Ombudsmanhttps://cms.rbi.org.in/1PrefaceThere has been a surge in usage of digital modes of payment in the recent years. This gainedfurther momentum during the Covid-19 induced lockdowns. While enhancing customerconvenience, it also furthered the national objective of financial inclusion. However, as thespeed and ease of doing financial transactions has improved, the number of frauds reportedin retail financial transactions have also gone up. Fraudsters have been using innovativemethods to defraud the common and gullible people of their hard-earned money, especiallythe new entrants in the use of digital platforms who are not entirely familiar with the techno-financial eco-system.This booklet has been compiled from various incidents of frauds reported as also fromcomplaints received at the offices of RBI Ombudsmen to provide maximum practicalinformation of value, especially to those who are inexperienced, or not so experienced, indigital and electronic modes of financial transactions. The booklet is intended to createawareness among the members of public about the modus operandi adopted by fraudsters todefraud and mislead them, while also informing them about the precautions to be taken whilecarrying out financial transactions. It emphasizes the need for keeping one's personalinformation, particularly the financial information, confidential at all times, be-ware of unknowncalls / emails / messages, practicing due diligence while performing financial transactions andchanging the secure credentials / passwords from time to time. Hence the title BE(A)WARE– Be Aware and Beware!This booklet is part of the public awareness initiative by the Consumer Education andProtection Department, Reserve Bank of India and has been conceptualized by the office ofOmbudsman, Mumbai-II.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/2Modus Operandi and Precautions to be taken against FraudulentTransactions - Banks

Office of RBI Ombudsmanhttps://cms.rbi.org.in/31. Phishing linksModus Operandi➢ Fraudsters create a third-party phishing website which looks like an existing genuinewebsite, such as - a bank’s website or an e-commerce website or a search engine,etc.➢ Links to these websites are circulated by fraudsters through Short Message Service(SMS) / social media / email / Instant Messenger, etc.➢ Many customers click on the linkwithout checking the detailed UniformResource Locator (URL) and entersecure credentials such as PersonalIdentification Number (PIN), One TimePassword (OTP), Password, etc., whichare captured and used by thefraudsters.Precautions➢ Do not click on unknown / unverified links and immediately delete such SMS / email sent byunknown sender to avoid accessing them by mistake in future.➢ Unsubscribe the mails providing links to a bank / e-commerce / search engine website and blockthe sender’s e-mail ID, before deleting such emails.➢ Always go to the official website of your bank / service provider. Carefully verify the website detailsespecially where it requires entering financial credentials. Check for the secure sign (https with apadlock symbol) on the website before entering secure credentials.➢ Check URLs and domain names received in emails for spelling errors. In case of suspicion, informthe police.➢ local police/cybercrime branch immediately.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/42. Vishing callsModus Operandi➢ Imposters call or approach the customers through telephone call / social media posingas bankers / company executives / insurance agents / government officials, etc. Togain confidence, imposters share a few customer details such as the customer’s nameor date of birth.➢ In some cases, imposters pressurize / trickcustomers into sharing confidential detailssuch as passwords / OTP / PIN / CardVerification Value (CVV) etc., by citing anurgency / emergency such as - need to blockan unauthorised transaction, paymentrequired to stop some penalty, an attractivediscount, etc. These credentials are then usedto defraud the customers.Precautions➢ Bank officials / financial institutions / RBI / any genuine entity never ask customers toshare confidential information such as username / password / card details / CVV / OTP.➢ Never share these confidential details with anyone, even your own family members,and friends.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/53. Frauds using online sales platformsModus Operandi➢ Fraudsters pretend to be buyers on online sales platforms and show an interest inseller’s product/s. Many fraudsters pretend to be defence personnel posted in remotelocations to gain confidence.➢ Instead of paying money to the seller, they use the “request money” option through theUnified Payments Interface (UPI) app and insist that the seller approve the request byentering UPI PIN. Once the seller enters the PIN, money is transferred to thefraudster’s account.Please enter PINto receive money!!Precautions➢ Always be careful when you are buying or selling products using online sales platforms.➢ Always remember that there is no need to enter PIN / password anywhere to receivemoney.➢ If UPI or any other app requires you to enter PIN to complete a transaction, it means youwill be sending money instead of receiving it.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/644. Frauds due to the use of unknown / unverified mobile appsModus Operandi➢ Fraudsters circulate through SMS / email / social media / Instant Messenger, etc.,certain app links, masked to appear similar to the existing apps of authorised entities.➢ Fraudsters trick the customer to click on such links which results in downloading ofunknown / unverified apps on the customer’s mobile / laptop / desktop, etc.,➢ Once the malicious application is downloaded, the fraudster gains complete access tothe customer’s device. These include confidential details stored on the device andmessages / OTPs received before / after installation of such apps.Precautions➢ Never download an application from any unverified / unknown sources or on being asked/guided by an unknown person.➢ As a prudent practice before downloading, check on the publishers / owners of the appbeing downloaded as well as its user ratings etc.➢ While downloading an application, check the permission/s and the access to your data itseeks, such as contacts, photographs, etc. Only give those permissions which areabsolutely required to use the desired application.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/75. ATM card skimmingModus Operandi➢ Fraudsters install skimming devices in ATM machines and steal data from thecustomer’s card.➢ Fraudsters may also install a dummy keypad or asmall / pinhole camera, well-hidden from plain sight tocapture ATM PIN.➢ Sometimes, fraudsters pretending to be othercustomer standing near-by gain access to the PINwhen the customer enters it in an ATM machine.➢ This data is then used to create a duplicate card andwithdraw money from the customer’s account.Precautions➢ Always check that there is no extra device attached, near the card insertion slot or keypad ofthe ATM machine, before making a transaction.➢ Cover the keypad with your other hand while entering the PIN.➢ NEVER write the PIN on your ATM card.➢ Do NOT enter the PIN in the presence of any other / unknown person standing close to you.➢ Do NOT give your ATM card to anyone for withdrawal of cash.➢ Do NOT follow the instructions given by any unknown person or take assistance / guidancefrom strangers / unknown persons at the ATMs.➢ If cash is not dispensed at the ATM, press the ‘Cancel’ button and wait for the home screen toappear before leaving the ATM.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/86. Frauds using screen sharing app / Remote accessModus Operandi➢ Fraudsters trick the customer to download a screen sharing app.➢ Using such app, the fraudsters can watch / control the customer’s mobile / laptop andgain access to the financial credentials of the customer.➢ Fraudsters use this information to carry out unauthorised transfer of funds or makepayments using the customer’s Internet banking / payment apps.Precautions➢ If your device faces any technical glitch and you need to download any screen sharing app,deactivate / log out of all payment related apps from your device.➢ Download such apps only when you are advised through the official Toll-free number of thecompany as appearing in its official website. Do not download such apps in case anexecutive of the company contacts you through his / her personal contact number.➢ As soon as the work is completed, ensure that the screen sharing app is removed from yourdevice.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/97. SIM swap / SIM cloningModus Operandi➢ Fraudsters gain access to the customer’s Subscriber Identity Module (SIM) card ormay obtain a duplicate SIM card(including electronic-SIM) for theregistered mobile number connected tothe customer’s bank account.➢ Fraudsters use the OTP received onsuch duplicate SIM to carry outunauthorised transactions.➢ Fraudsters generally collect thepersonal / identity details from thecustomer by posing as a telephone /mobile network staff and request thecustomer details in the name of offerssuch as - to provide free upgrade ofSIM card from 3G to 4G or to provideadditional benefits on the SIM card.Precautions➢ Never share identity credentials pertaining to your SIM card.➢ Be watchful regarding mobile network access in your phone. If there is no mobile network in yourphone for a considerable amount of time in a regular environment, immediately contact the mobileoperator to ensure that no duplicate SIM is being / has been issued for your mobile number.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/108. Frauds by compromising credentials on results through search enginesModus Operandi➢ Customers use search engines to obtain contact details / customer care numbers oftheir bank, insurance company, Aadhaar updation centre, etc. These contact detailson search engines often do NOT belong to the respective entity but are made to appearas such by fraudsters.➢ Customers may end up contactingunknown / unverified contactnumbers of the fraudstersdisplayed as bank / company’scontact numbers on search engine.➢ Once the customers call on thesecontact numbers, the imposters askthe customers to share their cardcredentials / details for verification.➢ Assuming the fraudster to be a genuine representative of the RE, customers sharetheir secure details and thus fall prey to frauds.Precautions➢ Always obtain the customer care contact details from the official websites of banks /companies.➢ Do not call the numbers directly displayed on the search engine results page as theseare often camouflaged by fraudsters.➢ Please also note that customer care numbers are never in the form of mobile numbers.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/119. Scam through QR code scanModus Operandi➢ Fraudsters often contact customers under various pretexts and trick them intoscanning Quick Response (QR) codes using the apps on the customers’ phone.➢ By scanning such QR codes, customers may unknowingly authorise the fraudsters towithdraw money from their account.Precautions➢ Be cautious while scanning QR code/s using any payment app. QR codes have accountdetails embedded in them to transfer money to a particular account.➢ Never scan any QR code to receive money. Transactions involving receipt of money donot require scanning barcodes / QR codes or entering mobile banking PIN (m-PIN),passwords, etc.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/1210. Impersonation on social mediaModus Operandi➢ Fraudsters create fake accounts using details of the users of social media platformssuch as Facebook, Instagram, Twitter, etc.➢ Fraudsters then send a request to the users’ friends asking for money for urgentmedical purposes, payments, etc.➢ Fraudsters, using fake details, also contact users and gain users’ trust over a periodof time. When the users’ share their personal or private information, the fraudsters usesuch information to blackmail or extort money from the users.Precautions➢ Always verify the genuineness of a fund request from a friend / relative by confirmingthrough a phone call / physical meeting to be sure that the profile is not impersonated.➢ Do not make payments to unknown persons online.➢ Do not share personal and confidential information on social media platforms.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/1311. Juice jackingModus Operandi➢ The charging port of a mobile, can also be used to transfer files / data.➢ Fraudsters use public charging ports to transfer malware to customer phones connectedthere and take control / access / steal data sensitive data such as emails, SMS, savedpasswords, etc. from the customers’ mobile phones (Juice Jacking).Precaution➢ Avoid using public / unknown charging ports / cables.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/1412. Lottery fraudModus Operandi➢ Fraudsters send emails or make phone calls that a customer has won a huge lottery.However, in order to receive the money, the fraudsters ask the customers to confirm theiridentity by entering their bank account / credit card details on a website from which datais captured by the fraudsters.➢ Fraudsters also ask the customers to pay taxes/ forex charges / upfront or pay the shippingcharges, processing / handling fee, etc., to receive thelottery / product.➢ Fraudsters in some cases, may also pose as arepresentative of RBI or a foreign bank / company /international financial institution and ask the customerto transfer a relatively small amount in order to receivea larger amount in foreign currency from that institution.➢ Since the requested money is generally a very smallpercentage of the promised lottery / prize, the customermay fall into the trap of the fraudster and make thepayment.Precautions➢ Beware of such unbelievable lottery or offers - nobody gives free money, especially suchhuge amounts of money.➢ Do not make payments or share secure credentials in response to any lottery calls / emails.➢ RBI never opens accounts of members of public or takes deposits from them. Suchmessages are fraudulent.➢ RBI never asks for personal / bank details of members of public. Beware of fake RBI logosand messages.➢ Never respond to messages offering / promising prize money, government aid and KnowYour Customer (KYC) updation to receive prize money from banks, institutions etc.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/1513. Online job fraudModus Operandi➢ Fraudsters create fake job search websites and when the job seekers share securecredentials of their bank account / credit card / debit card on these websites duringregistration, their accounts are compromised.➢ Fraudsters also pose as officials of reputed company(s) and offer employment afterconducting fake interviews. The job seeker is then induced to transfer funds forregistration, mandatory training program, laptop, etc.Precautions➢ For any job offer, including from overseas entities, first confirm the identity and contactdetails of the employing company / its representative.➢ Always remember that a genuine company offering a job will never ask for money foroffering the job.➢ Do not make payments on unknown job search websites.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/1614. Money mulesModus Operandi➢ Money Mule is a term used to describe innocent victims who are duped by fraudsters intolaundering stolen / illegal money via their bank account/s.➢ Fraudsters contact customers via emails, social media, etc., and convince them to receivemoney into their bank accounts (money mule), in exchange for attractive commissions.➢ The money mule is then directed to transfer the money to another money mule’s account,starting a chain that ultimately results in the money getting transferred to the fraudster’saccount.➢ Alternatively, the fraudster may direct the money mule to withdraw cash and hand it overto someone.➢ When such frauds are reported, the money mule becomes the target of police investigationfor money laundering.Precautions➢ Do not allow others to use your account to receive or transfer money for a fee / payment.➢ Do not respond to emails asking for your bank account details.➢ Do not get carried away by attractive offers / commissions and give consent to receiveunauthorised money and to transfer them to others or withdraw cash and give it out for ahandsome fee.➢ If the source of funds is not genuine, or the rationale for underlying transaction is not provedto authorities, the receiver of money is likely to land in serious trouble with police and otherlaw enforcement agencies.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/17Modus Operandi and Precautions to be taken against FraudulentTransactions – Non Banking Financial Companies (NBFCs)

Office of RBI Ombudsmanhttps://cms.rbi.org.in/181. Fake advertisements for extending loans by fraudstersModus Operandi➢ Fraudsters issue fake advertisements offering personal loans at very attractive and lowrates of interest or easy repayment options or without any requirement of collateral/security, etc.➢ Fraudsters send emails with such offers and ask the borrowers to contact them. Togain credibility with the gullible borrowers and to induce confidence, these email-idsare made to look-like the emails IDs of senior officials of well-known / genuine Non-Banking Financial Companies (NBFCs).➢ When borrowers approach the fraudstersfor loans, the fraudsters take money fromthe borrowers in the name of various upfrontcharges like processing fees, Goods andServices Tax (GST), intercity charge,advance Equated Monthly Instalment (EMI),etc., and abscond without disbursing theloans.➢ Fraudsters also create fake website links toshow up on search engines, when people search for information on loans.Precautions➢ Loan processing fee charged by NBFCs / banks is deducted from the sanctioned loanamount and not demanded upfront in cash from the borrower.➢ Never pay any processing fee in advance as NBFCs / banks will never ask for anadvance fee before the processing of loan application.➢ Do not make payments or enter secure credentials against online offer of loans at lowinterest rates, etc., without checking / verifying the particulars through genuine sources.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/192. SMS / Email / Instant Messaging / Call scamsModus Operandi➢ Fraudsters circulate fake messages in instant messaging apps / SMS / social mediaplatforms on attractive loans and use the logo of any known NBFC as profile picture inthe mobile number shared by them toinduce credibility.➢ The fraudsters may even share theirAadhaar card / Pan Card and fakeNBFC ID card.➢ After sending such bulk messages /SMS / emails, the fraudsters callrandom people and share fakesanction letters, copies of fakecheques, etc., and demand variouscharges. Once the borrowers pay thesecharges, the fraudsters abscond with the money.Precautions➢ Never believe loan offers made by people on their own through telephones / emails, etc.➢ Never make any payment against such offers or share any personal / financial credentialsagainst such offers without cross-checking that it is genuine through other sources.➢ Never click on links sent through SMS / emails or reply to promotional SMS / emails.➢ Never open / respond to emails from unknown sources containing suspicious attachment orphishing links.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/203. OTP based FraudsModus Operandi➢ Fraudsters impersonating as NBFCs, send SMS / messages offering loans orenhancement of credit limit on NBFC/bank customers’ loan accounts, and askthe customers to contact them on a mobile number.➢ When the customers call such numbers, fraudsters ask them to fill forms to collect theirfinancial credentials. Fraudsters then induce / convince the customers to share theOTP or PIN details and carry out unauthorised transfers from the customers’ accounts.Precautions➢ Never share OTP / PIN / personal details, etc., in any form with anyone, including your ownfriends and family members.➢ Regularly check SMS / emails to ensure that no OTP is generated without your priorknowledge.➢ Always access the official website of bank / NBFC / e-wallet provider or contact the branch toavail their services and / or seek product and services related information and clarifications.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/214. Fake loan websites / App fraudsModus Operandi➢ Fraudsters create unscrupulous loan apps which offer instant and short-term loans.These apps dupe the borrowers and may also chargesignificantly higher interest rates.➢ To attract gullible borrowers, the fraudsters advertise“limited period offers” and ask borrowers to makeurgent decisions using pressure tactics.Precautions➢ Verify if the lender is registered with the Government / Regulator /authorised agencies➢ Check whether the lender has provided a physical address or contact information toensure it is not difficult to contact them later.➢ Beware if the lender appears more interested in obtaining personal details rather than inchecking credit scores.➢ Remember that any reputed NBFC / bank will never ask for payment before processingthe loan application.➢ Genuine loan providers never offer money without verifying documents and other credentials ofthe borrowers.➢ Verify if these NBFC-backed loan apps are genuine.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/225. Money circulation / Ponzi / Multi-Level Marketing (MLM)schemes fraudModus Operandi➢ Fraudsters use MLM / Chain Marketing / PyramidStructure schemes to promise easy or quickmoney upon enrolment / adding of members.➢ The schemes not only assure high returns but alsopay the first few instalments (EMIs) to gainconfidence of gullible persons and attract moreinvestors through word of mouth publicity.➢ The schemes encourage addition of more peopleto the chain / group. Commission is paid to theenroller for the number of people joining thescheme, rather than for the sale of products.➢ This model becomes unsustainable after some time when number of persons joiningthe scheme starts declining. Thereafter, the fraudsters close the scheme anddisappear with the money invested by the people till then.Precautions➢ Returns are proportional to risks. Higher the return, higher is the risk.➢ Any scheme offering abnormally high returns (40-50% p a) consistently, could be the first sign of apotential fraud and caution needs to be exercised.➢ Always notice that any payment / commission / bonus / percentage of profit without the actual saleof goods / service is suspicious and may lead to a fraud.➢ Do not be tempted by promises of high returns offered by entities running Multi-Level Marketing /Chain Marketing / Pyramid Structure schemes.➢ Acceptance of money under Money Circulation / Multi-level Marketing / Pyramid structures is acognizable offence under the Prize Chits and Money Circulation Schemes (Banning) Act, 1978.➢ In case of such offers or information of such schemes, a complaint must be immediately lodged withthe State Police.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/236. Fraudulent loans with forged documentsModus Operandi➢ Fraudsters use forged documents to avail services from financial institutions.➢ Fraudsters commit identity thefts, steal personal information of customers such asidentity cards, bank account details etc., and use this information or credentials to availbenefits from a financial institution.➢ Fraudsters pose as NBFC employees and collect KYC related documents fromcustomers.Precautions➢ Exercise due care and vigilance while providing KYC and other personal documents, includingthe National Automated Clearing House (NACH) form for loan sanction / availing of creditfacility from any entity, especially individuals posing to be representatives of these entities.➢ Such documents should be shared only with the entity’s authorised personnel or on authorisedemail IDs of the entities.➢ Follow up with the concerned entities to ensure that the documents shared by you are purgedimmediately by them in case of non-sanction of loan and/ or post closure of the loan account.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/24General Precautions to be taken for financial transactions

Office of RBI Ombudsmanhttps://cms.rbi.org.in/25General precautions➢ Be wary of suspicious looking pop ups that appear during your browsing sessions oninternet.➢ Always check for a secure payment gateway (https:// - URL with a padlock symbol) before making online payments / transactions.➢ Keep the PIN (Personal IdentificationNumber), password, and credit or debit cardnumber, CVV, etc., private and do not sharethe confidential financial information withbanks/ financial institutions, friends or evenfamily members.➢ Avoid saving card details on websites /devices / public laptop / desktops.➢ Turn on two-factor authentication where suchfacility is available.➢ Never open / respond to emails fromunknown sources as these may contain suspicious attachment orphishing links.➢ Do not share copies of chequebook, KYC documents with strangers.For device / computer security➢ Change passwords at regular intervals.➢ Install antivirus on your devices and install updateswhenever available.➢ Always scan unknown Universal Serial Bus (USB)drives / devices before usage.➢ Do not leave your device unlocked.➢ Configure auto lock of the device after a specified time.➢ Do not install any unknown applications or software onyour phone / laptop.➢ Do not store passwords or confidential information on devices.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/26For safe internet browsing➢ Avoid visiting unsecured / unsafe / unknown websites.➢ Avoid using unknown browsers.➢ Avoid using / saving passwords on public devices.➢ Avoid entering secure credentials on unknown websites/ public devices.➢ Do not share private information with anyone, particularly unknown persons onsocial media.➢ Always verify security of any webpage (https:// - URL with a pad locksymbol), more so when an email or SMS link is redirected to suchpages.For safe internet banking➢ Always use virtual keyboard on public devices since the keystrokes can also becaptured through compromiseddevices, keyboard, etc.➢ Log out of the internet bankingsession immediately after usage.➢ Update passwords on a periodicbasis.➢ Do not use same passwords foryour email and internet banking.➢ Avoid using public terminals (viz.cyber cafe, etc.) for financialtransactions.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/27Factors indicating that a phone is being spied➢ Unfamiliar applications are being downloaded on the phone.➢ There is a faster than usual draining of phone battery.➢ Phone turning hot may be a sign of someone spying by running a spyware in thebackground.➢ An unusual surge in the amount of data consumption can sometimes be a sign that aspyware is running in the background.➢ Spyware apps might sometimes interfere with a phone’s shutdown process so that thedevice fails to turn off properly or takes an unusually long time to do so.➢ Note that text messages can be used by spyware and malware to send and receivedata.Actions to be taken after occurrence of a fraud➢ Block not only the debit card / credit card but also freeze the debit in the bank accountlinked to the card by visiting your branch or calling the official customer care numberavailable on the bank’s website. Also, check and ensure the safety of other bankingchannels such as Net banking, Mobile banking etc., to prevent perpetuation of thefraud once the debit/ credit cards, etc., are blocked following a fraud.➢ Dial helpline number 155260 or 1930 or report the incident on National CybercrimeReporting Portal (www.cybercrime.gov.in).Reset Mobile: Use (Setting-Reset-Factory Data) to reset mobile if a fraud has occurreddue to a data leak from mobile.Precautions related to Debit / Credit cards➢ You should deactivate various features of credit / debit card, viz., online transactionsboth for domestic and international transactions, in case you are not going to use thecard for a while and activate the same only when the card usage is required.➢ Similarly, Near Field Communication (NFC) feature should be deactivated, if the cardis not to be used.➢ Before entering PIN at any Point of Sale (POS) site or while using the card at an NFCreader, you must carefully check the amount displayed on the POS machine screenand NFC reader.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/28➢ Never let the merchant take the card away from your sight for swiping while making atransaction.➢ Cover the keypad with your other hand while entering the PIN at a POS site / ATM.For E-mail account security➢ Do not click on links sent through emailsfrom unknown addresses / names.➢ Avoid opening emails on public or freenetworks.➢ Do not store secure credentials / bankpasswords, etc., in emails.For password security➢ Use a combination of alphanumeric and special characters in your password.➢ Keep two factorauthentication for all youraccounts, if such facility isavailable.➢ Change your passwordsperiodically.➢ Avoid having you date ofbirth, spouse name, carnumber etc. as passwords.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/29How do you know whether an NBFC accepting deposit is genuine or not?➢ Verify whether the name of NBFC appears in the list of deposit taking NBFCs entitledto accept deposits, available at https://rbi.org.in and to ensure that it is not appearingin the list of companies prohibited from accepting deposits.➢ NBFCs must prominently display the Certificate of Registration (CoR) issued by theReserve Bank on its site / in its office. This certificate should also reflect that the NBFChas been specifically authorised by RBI to accept deposits. Scrutinize the certificate toensure that the NBFC is authorised to accept deposits.➢ NBFCs cannot accept deposits for a period less than 12-months and more than 60months and the maximum interest rate that an NBFC can pay to a depositor shouldnot exceed 12.5%.➢ The Reserve Bank publishes the change in the interest rates on https://rbi.org.in →Sitemap → NBFC List → FAQs.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/30Precautions to be taken by depositors➢ When depositing money, insist on a proper receipt for each and every deposit madewith the bank / NBFC / company.➢ The receipt should be duly signed by an officer authorised by the company and shouldstate, inter alia, the date of the deposit, the name of the depositor, the amount in wordsand figures, rate of interest payable, maturity date and amount.➢ In the case of brokers / agents, etc., collecting public deposits on behalf of NBFCs,verify that the brokers / agents are duly authorised for the purpose by the concernedNBFC.➢ Remember that the Deposit Insurance facility is not available to depositors of NBFCs.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/31File a complaintComplaint to RBI Ombudsman➢ For filing complaints online, please visit the link at https://cms.rbi.org.in/➢ Complaints in physical / paper form can be sent to CRPC, Reserve Bank of India,Central Vista, Sector -17, Chandigarh -160 017.Complaint to Securities and Exchange Board of India (SEBI)➢ Please visit the link at https://www.sebi.gov.in/Complaint to Insurance Regulatory and Development Authority of India (IRDAI)➢ Please visit the link at https://www.irdai.gov.in/Complaint to National Housing Bank (NHB)➢ Please visit the link at https://nhb.org.in/Complaint to Cyber Police Station➢ Please visit https://cybercrime.gov.in/**********

Office of RBI Ombudsmanhttps://cms.rbi.org.in/32Glossary➢ Advance fee/Processing fee/Token fee: These include preliminary payments such asdocumentation charges, meeting expenses, processing fees, other charges that may beapplicable for disbursal of the loan to a borrower.➢ Two-factor authentication: Authentication methodologies involve three basic ‘factors’-something the user knows (e.g., password, PIN- either static or one time generated);something the user has (e.g., ATM/ smart card number, expiry date and CVV that is printedon the card); and something the user is (e.g., biometric characteristic, such as a fingerprint).Two-factor authentication (also known as 2FA) provides identification of users by means ofa combination of two different components - what the user has and what the user knows/isto complete a transaction.➢ Authorisation: The response from a card-issuing bank to a merchant’s transactionauthorisation request indicating that the payment information is valid and funds areavailable on the customer’s credit card.➢ Card number: The number assigned by a credit card association or card issuing bank toa card. This information must be provided to a merchant by a customer in order to makea credit card payment but should not be shared with anyone else. The string of digits isprinted on the card.➢ Credit card: A card that allows paying for products or services by availingunsecured/secured credit from a financial institution.➢ Credit limit: The term refers to the maximum amount of credit a financial institutionextends to a customer. A lending institution extends a credit limit on a credit card basedon the analysis of the information given by the credit-seeking applicant. The credit limitcan affect the customer’s credit scores and their ability to obtain credit in the future.➢ CVV: Stands for Card Verification Value. This is a 3-digit number printed on the card whichis mandatory for completing most online transactions. These details are confidential andmust NEVER be shared with anyone.➢ Debit card: A card that allows paying for products or services by deduction of availablefunds in a bank account of the cardholder.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/33➢ E-commerce platform: It is a platform/website that enables buying and selling of goodsand services including digital products over digital and electronic network.➢ EMI: It stands for Equated Monthly Instalment. This a fixed monthly payment (includesprincipal and interest) to be made by a borrower to his lender/creditor (like bank/NBFC)each month till the loan/credit, along with interest, taken from the lender/creditor is paid offby the borrower in full.➢ Encryption: The process of transforming processing information into an electronic codeto maintain its secrecy.➢ Expiry date: The date on which the validity of a card, contract, agreement, document, etc.expires. Transactions will be approved only in respect of cards or documents which havenot yet expired.➢ Gateway: It is an intermediary that provides technology infrastructure to route and facilitateprocessing of services such as transactions base management, risk management, etc.without its involvement directly. Payment Gateways are entities that provide technologyinfrastructure to route and facilitate processing of online payment transactions without anyinvolvement in handling of funds.➢ Immediate payment services (IMPS): It is an instant interbank electronic fund transferservice (up to a limit) through mobile phones, provided by National Payments Corporationof India (NPCI).➢ KYC: Stands for Know Your Customer. It is process in which the financial institution makesan effort to verify the identity, suitability, and risks involved with maintaining a relationshipwith a customer by obtaining a set of documents and carrying out due diligence.➢ Money mule: It is a term used to describe victims who are exploited by fraudsters intolaundering stolen / illegal money via their bank account(s).➢ Multi-Level Marketing: The practice of selling goods or services on behalf of a companyin a system whereby participants receive commission on their sales as well as the salesof any participants they recruit.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/34➢ National Automated Clearing House (NACH): It is a centralised Electronic ClearingService (ECS) system operated by National Payments Corporation of India (NPCI).➢ Near Field Communication (NFC): It is a communication technology used to transmitdata from a NFC equipped device to a capable terminal. The NFC technology is used tomake a contactless payment that is carried out by keeping the smartphone/card near theNFC enabled machine.➢ National Electronic Fund Transfer (NEFT): It is a nation-wide centralised paymentsystem owned and operated by RBI, which enables bank customers in India to transferfunds between any two NEFT-enabled bank accounts.➢ OTP: One Time Password is one of the factors in the authentication methodology, whichthe customer knows and is often used for carrying out online transactions. This isCONFIDENTIAL and should not be shared with anyone.➢ Phishing: It refers to spoofed emails and / or SMSs designed to dupe customers intothinking that the communication has originated from their bank / e-wallet provider andcontain links to extract confidential details.➢ Point of Sale device (POS) / Acceptance Device (mPOS): It refers to any device /terminal / machine installed at Merchant Establishments which enables the merchants toaccept payments through payment cards (credit cards, debit cards, gift cards etc.).➢ Quick Response (QR) code: The QR Code is type of a two-dimensional bar code. Itconsists of black squares arranged in a square grid on a white background. Imagingdevices such as smartphone cameras can be used to read and interpret these codes. QRcode contains information about the payee and is used to facilitate mobile payments at thepoint-of-sale by debiting the customers’ account.➢ Remote Access: It refers to luring customer to download an application on their mobilephone / computer which is able to access all the customers’ data on that customer device.

Office of RBI Ombudsmanhttps://cms.rbi.org.in/35➢ UPI: Unified Payment Interface is a platform that allows transfer of money from one bank/ wallet account to other using a mobile phone which has access to the Internet. Once acustomer registers for UPI with the bank, a unique virtual identifier is created and mappedto the customer’s mobile phone to initiate the payment. It uses authentication in the formof UPI-PIN, which is CONFIDENTIAL and should not be shared with anyone.➢ Vishing: It refers to phone calls pretending to be from bank / non-bank e-wallet providers/ telecom service providers luring customers into sharing confidential details in the pretextof KYC-updation, unblocking of account / SIM-card, crediting debited amount, etc.➢ Wallet: A wallet is like an account which can be used for purchase of goods and servicesagainst the stored value in it. A wallet can be virtual (e.g. mobile wallet) or physical (prepaidcards).**********

Office of RBI Ombudsmanhttps://cms.rbi.org.in/36

Movatterモバイル変換

Change Language

DIGITAL FORENSICS - Notes for Everything.pdf

Embed presentation

Recommended

More Related Content

Similar to DIGITAL FORENSICS - Notes for Everything.pdf

Recently uploaded

DIGITAL FORENSICS - Notes for Everything.pdf