Cybercrime, Hacking, and Digital Forensics: An Overview
Classification of Cybercrimes
Cybercrimes refer to illegal activities conducted using digital devices and the internet. They can be categorized into the following types:
- Crime Against Individuals – Includes cyberstalking, identity theft, phishing, and online harassment.
- Crime Against Property – Involves hacking, credit card fraud, and malware attacks on digital assets.
- Crime Against Organizations – Targets businesses or government institutions through cyber espionage, data breaches, and DDoS attacks.
- Crime Against Society – Includes cyberterrorism, fake news propagation, and child exploitation.
- Crimes Starting from Usenet Newsgroups – Includes spreading malicious content, illegal file sharing, and online scams.
Active Attack | Passive Attack |
---|---|
The attacker needs control over the media or network. | The attacker only observes the communication in the media or network. |
It can be easily detected. | It is difficult to detect. |
It affects the system by altering data. | It does not affect the system directly. |
It involves modification of data. | It involves monitoring or interception of data. |
Its goal is to change or disrupt the system. | Its goal is to gather information, e.g. by scanning the system for vulnerabilities and loopholes. |
It is difficult to prevent. | It can be prevented with security measures. |
Examples: Masquerade, replay attacks, denial of service (DoS), message modification. | Examples: Release of message content, traffic analysis. |
Types of Hackers
Hackers are individuals skilled in computer security who exploit or secure systems. They are classified into the following types:
- White Hat Hackers – Ethical hackers authorized to test and secure government and corporate networks.
- Black Hat Hackers – Malicious hackers who gain unauthorized access to systems for personal or financial gain.
- Grey Hat Hackers – A mix of white and black hat hackers; they may break into systems without permission but report vulnerabilities.
- Script Kiddies – Inexperienced hackers who use pre-made hacking tools without deep technical knowledge.
- Red Hat Hackers – Aggressive hackers who target cybercriminals and protect sensitive government data.
- Blue Hat Hackers – Security testers hired by companies to check for vulnerabilities before software launch.
- Green Hat Hackers – New hackers eager to learn and improve their skills in the hacking community.
- State/Nation Sponsored Hackers – Hackers appointed by governments to conduct cyber espionage and cybersecurity operations.
- Hacktivists – Individuals who hack systems to promote social, political, or ideological causes, often defacing websites.
- Malicious Insiders – Employees or insiders who misuse their authorized access to harm an organization.
Hacking | Ethical Hacking |
---|---|
Steals valuable company and individual data for illegal activity. | Hacks systems to reduce vulnerabilities and improve security. |
An illegal practice and considered a crime. | A legal practice, authorized by companies or individuals. |
Hackers involved are called black hat hackers. | Hackers involved are called white hat hackers. |
Attempts to access restricted networks through illegal means, reducing data security. | Creates firewalls and implements security protocols to protect systems. |
Works for personal gain or illegal profit. | Works for government agencies and tech companies to improve cybersecurity. |
Hacker – A person curious about computer systems, having deep knowledge of programming and security. Hackers are ethical professionals who protect systems and fight cybercrime.
Cracker – A malicious individual who illegally breaks into systems, destroys data, and disrupts services. Crackers have technical knowledge but use it for criminal activities.
Phreaker – A hacker specializing in telephone systems, gaining unauthorized access to make free calls or manipulate networks. Phreakers exploit vulnerabilities in telecommunication systems.
Key Differences: Hackers have strong ethics and work to secure systems, while crackers engage in cybercrime. Phreakers focus on telephone networks, whereas hackers and crackers target computer systems. Hackers fight cybercriminals, while crackers are cybercriminals.
Ethical Hacking
Ethical hacking follows a structured approach to identify vulnerabilities and strengthen cybersecurity. The six key phases are:
- Reconnaissance – The first phase, where hackers collect preliminary information about the target system using passive (public sources) or active (direct interaction) methods. Tools like Whois, Google Dorking, and Shodan are used.
- Scanning – Involves identifying open ports, network topology, and vulnerabilities in the system. Scanners like Nmap, Nessus, and Wireshark help detect weaknesses.
- Gaining Access – Exploiting detected vulnerabilities to enter the system. Techniques like SQL injection, phishing, and brute force attacks are used in a controlled environment.
- Maintaining Access – Ensuring continuous control over the system using backdoors, Trojans, or rootkits. Ethical hackers analyze how attackers persist in a network to enhance security measures.
- Covering Tracks – Hiding hacking activities to avoid detection. This includes deleting logs, modifying timestamps, and disabling security mechanisms to simulate real cyber threats.
- Report Writing – The final phase where findings, exploited vulnerabilities, risks, and security recommendations are documented. A detailed report helps organizations strengthen their defenses.
Anti-Forensics
Anti-Forensics refers to techniques used to counteract cyber forensics by preventing, manipulating, or destroying digital evidence to obstruct investigations.
Computer Security Incident Response Team (CSIRT)
A Computer Security Incident Response Team (CSIRT) is responsible for detecting, responding to, and mitigating security incidents. Its key roles include:
- Incident Detection and Response – Identifying security threats and taking immediate action to minimize damage.
- Centralized Reporting – Acting as a single point of contact for reporting and managing security incidents.
- Policy Development – Establishing security guidelines and reviewing procedures to improve response strategies.
- Legal and Compliance Review – Ensuring security measures align with laws and regulatory requirements.
- Threat Analysis and Prevention – Investigating incidents, assessing risks, and implementing preventive security measures.
- Collaboration with Authorities – Coordinating with law enforcement, government agencies, and key stakeholders for cybersecurity improvements.
Incident response is a systematic approach used to handle cybersecurity incidents effectively. The methodology includes the following phases:
- Initial Response – Detecting and identifying security incidents while assembling a response team.
- Investigation – Analyzing the nature, source, and extent of the incident.
- Remediation – Taking corrective actions to eliminate vulnerabilities and stop further damage.
- Tracking Significant Investigative Information – Collecting evidence, identifying compromised systems, and monitoring attacker activity.
- Reporting – Documenting findings, response actions, and lessons learned for future prevention.
- Containment and Eradication – Isolating affected systems and removing malicious components.
- Recovery and Post-Incident Analysis – Restoring normal operations, monitoring for further threats, and improving security policies.
Goals of Anti-Forensics
- Disrupt and prevent the collection of forensic evidence.
- Increase the time required for forensic investigation.
- Cast doubt on forensic reports and testimonies.
- Utilize methods to disable forensic tools used by investigators.
- Leave no evidence of anti-forensic tool usage.
Techniques of Anti-Forensics:
- Encryption – Protecting data by making it unreadable without a key.
- Program Packers – Obscuring executable files to evade detection.
- Overwriting Data – Deleting files permanently by replacing them with random data.
- Onion Routing – Hiding network traffic using multiple layers of encryption.
- Steganography – Concealing data within images, audio, or text files.
- Changing Timestamps – Modifying file metadata to mislead investigators.
Types of Digital Forensics
Digital forensics is divided into various categories based on the type of digital evidence being analyzed. The main types include:
- Computer Forensics – Involves identifying, preserving, and analyzing evidence from computers, laptops, and storage media to support investigations.
- Network Forensics – Focuses on monitoring, capturing, and analyzing network traffic to detect cyber threats, malware attacks, and security breaches.
- Mobile Device Forensics – Recovers digital evidence from mobile devices, including smartphones, SIM cards, GPS devices, tablets, and game consoles.
- Digital Image Forensics – Extracts and examines photographic images to verify their authenticity and metadata, helping to track manipulation.
- Video/Audio Forensics – Deals with analyzing sound and video recordings to determine their authenticity and detect any modifications.
- Memory Forensics – Involves retrieving data from the RAM of a running system to analyze volatile evidence related to cyberattacks.
The Process of Digital Forensics
The process of digital forensics follows a structured approach to ensure evidence is handled correctly. The key steps include:
- Identification – Determining the purpose of the investigation and identifying relevant digital evidence sources.
- Preservation – Isolating, securing, and preserving data to prevent contamination or loss.
- Analysis – Using forensic tools and techniques to process data, extract useful information, and interpret findings.
- Documentation – Recording all investigation details, including crime scene photographs, sketches, and evidence logs.
- Presentation – Summarizing and explaining conclusions in a clear and structured manner for use in court or investigations.
The Chain of Custody
The Chain of Custody refers to the documentation of who had possession of the evidence, from the time of collection to its analysis and beyond. It is essential in forensic investigations to ensure the evidence remains unaltered and admissible in court.
Key Components:
- Proper Collection Procedures – Evidence must be collected systematically to avoid contamination.
- Marking and Packaging – Proper labeling and sealing of evidence to maintain integrity.
- Record Keeping – Maintaining logs of every individual who handled the evidence.
- Preservation and Security – Storing evidence in a secure area to prevent tampering.
- Documentation – Including crime scene sketches, photos, chain of custody forms, lab reports, and communication records.
- Legal Admissibility – Ensuring no changes, contamination, or replacement occurred, making the evidence credible in court.
Evidence
Evidence is crucial in legal and investigative processes. It helps establish facts and determine the truth in a case. The main types of evidence include:
- Illustrative Evidence – Also known as demonstrative evidence, this type visually represents an object to support a claim. Examples include photographs, videos, X-rays, maps, drawings, graphs, and models.
- Electronic Evidence – Also called digital evidence, it includes any proof obtained from electronic sources, such as emails, hard drives, word-processing documents, ATM transactions, and mobile phone logs.
- Documented Evidence – This is similar to demonstrative evidence but presented in written form, such as contracts, wills, invoices, and recorded documents like photographs, printed emails, and films.
- Explainable Evidence (Exculpatory) – Used primarily in criminal cases, this type of evidence supports the accused by partially or completely proving their innocence.
- Substantial Evidence – Also called physical evidence, it refers to tangible proof such as blood samples, fingerprints, footprints, and objects found at a crime scene.
- Testimonial Evidence – This consists of spoken or written statements given under oath, including affidavits.
Email Investigation
Email investigation involves analyzing email-related data for cybersecurity, legal, or forensic purposes. The key steps are:
- Header Analysis of Emails – Examines email headers to trace the sender, time, and path taken. (Tools: Google’s Message Header Analyzer, MxToolbox)
- Link Analysis – Checks links in the email for malicious or phishing attempts. (Tools: VirusTotal, LinkExpander)
- Bait Tactics – Identifies social engineering or phishing techniques used by attackers. (Tools: PhishLabs, Email Security Tools)
- Investigation of Server – Analyzes email servers involved in the email’s journey to determine its origin. (Tools: MxToolbox, DNSstuff)
- Investigating Network Device – Examines network devices like routers or firewalls to track email traffic. (Tools: Wireshark, Splunk)
- Fingerprints of Sender Mailers – Identifies unique fingerprints of emails to trace the software or server used for sending. (Tools: Encase, FTK)
- Software-embedded Identifiers – Detects tracking codes or device information embedded in emails. (Tools: Mail Tester, MxToolbox)
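The header-analysis step above, as an added example that is not part of the original page: the script parses the Received headers of a constructed phishing-style message to rebuild the delivery path oldest-first, pull the client IP the first relay recorded, check that timestamps run forward along the path, and flag a From/Return-Path domain mismatch. Hostnames, addresses and the message itself are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample; Received headers appear newest-first, as each relay prepends one.
RAW_EMAIL = """\
Received: from mx.example.org (mx.example.org [203.0.113.10])
\tby inbound.example.net with ESMTP id abc123;
\tTue, 4 Mar 2025 10:05:17 +0000
Received: from relay.example.org (relay.example.org [203.0.113.5])
\tby mx.example.org with ESMTP;
\tTue, 4 Mar 2025 10:05:12 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby relay.example.org with ESMTPA;
\tTue, 4 Mar 2025 10:05:01 +0000
Return-Path: <bounce@example.org>
From: "Payroll" <payroll@bank.example>
Subject: Urgent: update your details

Click the link.
"""
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.DOTALL)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_chain(raw):
    """Hops oldest-first as (from_host, by_host, timestamp)."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received", []):
        text = " ".join(hdr.split())   # unfold continuation lines
        m = HOP_RE.search(text)
        when = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())  # date follows last ';'
        hops.append((m.group(1), m.group(2), when))
    return list(reversed(hops))        # last header = first hop (origin)

def origin_ip(raw):
    """Client IP recorded by the first relay (the last Received header)."""
    m = IP_RE.search(message_from_string(raw).get_all("Received")[-1])
    return m.group(1) if m else None

def timestamps_consistent(hops):
    """Forged Received headers often show time running backwards along the path."""
    return all(a[2] <= b[2] for a, b in zip(hops, hops[1:]))

def sender_mismatch(raw):
    """True when the From: domain differs from the Return-Path (envelope) domain."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rsplit("@", 1)[-1]
    rp_dom = parseaddr(msg["Return-Path"])[1].rsplit("@", 1)[-1]
    return from_dom != rp_dom
```

Only the Received line added by your own trusted mail server can be relied on; everything below it was written by hosts the sender may control.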
Live Data Collection
Live data collection is the process of gathering volatile data from a running system, such as memory dumps, active processes, and open network ports. It helps determine if the system was used by an attacker or a victim.
Steps for Live Data Collection:
- Collecting the Tools – Use trusted tools and commands for incident response; maintain a response toolkit on a CD, USB, or floppy.
- Preparing the Response Toolkit – Tag the response toolkit media, check the dependencies of the tools, and create a checksum to ensure data integrity.
- Common Live Data Collection Tools for Windows/Unix:
- cmd.exe – Windows command prompt for executing commands.
- PsLoggedOn – Lists logged-on users.
- netstat – Displays active network connections.
- Fport – Identifies open ports and processes using them.
- NList – Enumerates running processes.
- lsmod – Lists loaded kernel modules (Linux).
- Storing Retrieved Information:
- Save data from the system’s hard drive.
- Record the extracted information manually.
- Store data from external storage devices securely.
- Use tools like cryptcat or netcat to send the collected data to a secure forensic workstation over the network (cryptcat adds encryption in transit).
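The collection and checksum steps above, as an added example that is not from the original page: a small Python collector runs a fixed list of volatile-data commands in order of volatility, saves each output, and writes a SHA-256 manifest that can later be verified, mirroring the "create a checksum" step in toolkit preparation. The command list is an assumption for a Unix host; missing tools are recorded rather than skipped silently.

```python
import hashlib
import shutil
import subprocess
from pathlib import Path

# Most volatile first (order of volatility). Command list assumes a Unix host.
COMMANDS = [
    ("date", ["date", "-u"]),
    ("uptime", ["uptime"]),
    ("users", ["who"]),
    ("processes", ["ps", "-ef"]),
    ("sockets", ["ss", "-tunap"]),
    ("modules", ["lsmod"]),
]

def run_and_save(label, argv, outdir):
    """Run one toolkit command and save its output; record tools that are missing."""
    out = outdir / f"{label}.txt"
    if shutil.which(argv[0]) is None:
        out.write_text(f"tool not available: {argv[0]}\n")
    else:
        r = subprocess.run(argv, capture_output=True, text=True)
        out.write_text(r.stdout + r.stderr)
    return out

def collect_volatile(outdir):
    """Collect all outputs into outdir and write a SHA-256 manifest beside them."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for label, argv in COMMANDS:
        path = run_and_save(label, argv, outdir)
        manifest[path.name] = hashlib.sha256(path.read_bytes()).hexdigest()
    (outdir / "manifest.sha256").write_text(
        "".join(f"{digest}  {name}\n" for name, digest in manifest.items()))
    return manifest

def verify_manifest(outdir):
    """Names of collected files whose content no longer matches the manifest."""
    outdir = Path(outdir)
    bad = []
    for line in (outdir / "manifest.sha256").read_text().splitlines():
        digest, name = line.split("  ", 1)
        if hashlib.sha256((outdir / name).read_bytes()).hexdigest() != digest:
            bad.append(name)
    return bad
```

Point outdir at removable media or a mounted share rather than the suspect system's own disk, so the collection does not overwrite evidence; run the tools from the trusted toolkit media, not from the suspect system's PATH.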
Forensic Image
A forensic image is an exact copy of a digital storage device, preserving all its data for investigation.
Types of Forensic Image Formats:
- Complete Disk Image: A bit-by-bit copy of an entire storage device, including partitions, file systems, and unallocated space. Ensures no data is left out during forensic analysis.
- Partition Image: Copies only a specific partition or volume instead of the entire disk. Contains all allocation units from that partition, preserving necessary data without unnecessary files.
- Logical Image: A simple copy of selected files or directories rather than the entire disk structure. Less comprehensive but useful for targeted forensic investigations.
Forensic Duplication
Forensic duplication ensures that digital evidence is preserved without altering the original data. It involves:
- Storing every bit of information in raw bitstream format.
- Allowing investigators to work with a copy to minimize risks of altering or damaging the original evidence.
- Making two copies: Working copy (used for analysis). Library/control copy (stored for reference).
- Verifying the integrity of all images using hash values.
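The chain-of-custody record and the hash verification of forensic duplicates, as an added example that is not part of the original page: each hand-over logs who held the evidence, when, what they did, and the SHA-256 of the image at that moment, and the log is checked against the hash taken at acquisition. The image bytes, evidence id and handler names are constructed; a real image would be passed as a file path.

```python
import hashlib
from datetime import datetime, timezone

def sha256_of(evidence):
    """SHA-256 of a file path (read in chunks, images are large) or an in-memory byte string."""
    h = hashlib.sha256()
    if isinstance(evidence, (bytes, bytearray)):
        h.update(evidence)
    else:
        with open(evidence, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
    return h.hexdigest()

class CustodyLog:
    """One record per hand-over; the hash taken at acquisition is the reference value."""
    def __init__(self, evidence_id, acquisition_hash):
        self.evidence_id = evidence_id
        self.acquisition_hash = acquisition_hash
        self.entries = []

    def record(self, handler, action, evidence, when=None):
        """Log who handled the evidence, when, and what it hashed to at that moment."""
        entry = {
            "evidence_id": self.evidence_id,
            "handler": handler,
            "action": action,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "sha256": sha256_of(evidence),
        }
        self.entries.append(entry)
        return entry

    def verify(self):
        """Entries whose hash no longer matches the acquisition hash (a break in custody)."""
        return [e for e in self.entries if e["sha256"] != self.acquisition_hash]

# Constructed stand-in for a disk image; a real image would be a file path.
ORIGINAL_IMAGE = b"\x00" * 512 + b"boot sector (constructed)" + b"\xff" * 512

def demo():
    log = CustodyLog("EV-0001 (placeholder id)", sha256_of(ORIGINAL_IMAGE))
    log.record("first responder", "acquired image", ORIGINAL_IMAGE)
    log.record("investigator", "received working copy", ORIGINAL_IMAGE)
    tampered = bytearray(ORIGINAL_IMAGE)
    tampered[600] ^= 0x01                  # a single flipped bit in the working copy
    log.record("lab technician", "returned to storage", bytes(tampered))
    return log
```

Hash the library/control copy as well as the working copy at every transfer; a single flipped bit changes the digest completely, which is what makes the log usable to show the evidence is unaltered.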
People Involved in Data Collection Techniques
Several people play a role in evidence collection:
- First Responder: The first person at the crime scene, usually an officer or security personnel. Their role includes:
  - Identifying the crime location.
  - Protecting the crime scene.
  - Preserving temporary and tampered evidence.
- Investigators: Responsible for:
  - Maintaining the chain of custody.
  - Conducting crime scene searches.
  - Preserving evidence integrity.
- Crime Scene Technicians: Their role includes:
  - Replicating evidence onto disks.
  - Shutting down systems for transport.
  - Marking and packaging evidence.
  - Transporting and processing evidence.
Forensic Duplicates
Forensic duplicates must meet legal standards:
- Best Evidence Rule: Ensures that only the most reliable form of evidence is presented in court.
- Federal Rules of Evidence (FRE):
  - FRE §1002: Requires original evidence unless a duplicate is legally acceptable.
  - FRE §1001: States that data stored in computers or printed must be identical to the original.
  - FRE §1003: Allows duplicates if authenticity is confirmed and there is no dispute over accuracy.