Unit:3 Public Key And Management

• What Is Public Key Cryptography? (PYQ)

1.Public key cryptography, also known as asymmetric encryption, is a method of securing
digital communication using a pair of keys: a public key and a private key.
2.Unlike symmetric encryption, where the same key is used for both encryption and
decryption, public key encryption ensures that these processes are handled by two separate
but mathematically related keys.

• How Does Public Key Cryptography Work?

Public key cryptography operates through a systematic process involving several key steps.
Each step plays a crucial role in ensuring the confidentiality, authenticity, and integrity of
digital communications.
• Step 1: Key Generation. The process begins with the creation of a pair of
cryptographic keys: a public key and a private key. These keys are mathematically
related but cannot be derived from each other. The public key is shared openly, while
the private key is kept secure by its owner, who maintains exclusive access to their
own private key.
• Step 2: Key Exchange. To establish a secure communication channel, parties
exchange their public keys, which serve as the encryption key for securing messages.
This exchange enables each party to encrypt messages intended for the other using
the recipient’s public key. The private key, however, is never shared, maintaining the
security of the system.

• Step 3: Encryption. When encrypting data, the sender uses the recipient’s public key
to transform plaintext (readable data) into ciphertext (unreadable, encrypted data).
This ensures that the data remains secure during transmission, as only the intended
recipient can decrypt it.

• Step 4: Sending Encrypted Data. The encrypted data is transmitted over standard
communication channels, such as email or web protocols. Even if intercepted, the
ciphertext cannot be read or altered without the private key.

• Step 5: Decryption. Once the recipient receives the ciphertext, they use their private
key to decrypt the data. The private key reverses the encryption process, restoring
the original plaintext.

• Key Components of Public Key Cryptography

Public Key and Private Key
 The public key and private key are the foundation of public key encryption. These
keys work as a pair:
• Public Key: This key is openly shared and used to encrypt data. It ensures that
anyone can send a secure message, but only the intended recipient can decrypt it.
• Private Key: This key is kept confidential by its owner and is used to decrypt data
encrypted with the corresponding public key. The secrecy of the private key is critical
to maintaining the system’s security.
➢ Cryptographic Algorithms
Public and private keys are generated using mathematical algorithms, such as:
• RSA: Based on the difficulty of factoring large prime numbers, RSA is widely used for
secure data transmission.
• Elliptic Curve Cryptography (ECC): A more efficient algorithm that uses elliptic curves
for key generation, providing strong security with shorter key lengths.
➢ Plaintext and Ciphertext
• Plaintext: The original, readable form of data or messages before encryption.
• Ciphertext: The scrambled, unreadable form of data after encryption. Ciphertext can
only be transformed back into plaintext with the private key.
➢ Encryption and Decryption Processes
Encryption transforms plaintext into ciphertext using the recipient’s public key.
Decryption reverses this process using the private key, ensuring that only the
intended recipient can access the original data.
➢ Applications of Public Key Cryptography
Public key cryptography is a versatile tool, enabling secure communication and data
integrity across various domains. Below are some of its most significant applications:
1. Digital Signatures
Digital signatures verify the authenticity and integrity of a message or document. By
signing with a sender’s private key, the recipient can validate the signature using the
sender’s public key..
Example: Signing contracts electronically to verify the sender’s identity and the
document’s integrity.
2. Secure Web Browsing (HTTPS)
Public key encryption underpins HTTPS, the secure protocol for browsing the web. It
ensures:
Example: Online banking and e-commerce rely on HTTPS for secure transactions.
 3. Email Encryption and Secure Messaging
Public key cryptography enables end-to-end encryption for emails and messages.
Only the intended recipient can decrypt and read the content.
Example: Tools like PGP (Pretty Good Privacy) ensure secure communication
between individuals and organizations.
5. Key Exchange Protocols
Protocols like Diffie-Hellman utilize public key encryption to establish a shared secret
key over an insecure channel. This shared key is often used for faster symmetric
encryption.
Example: Securing VPN connections and encrypted chat applications.
Public key cryptography’s ability to ensure confidentiality, authentication, and
integrity makes it a cornerstone of modern digital security.
➢ Key Advantages:
• Secure communication without needing to share private keys.
• Enables digital signatures and identity verification.
➢ Key Disadvantages:
• Slower than symmetric encryption.
• Requires careful key management (especially of private keys).

• RSA Algorithm ( PYQ )

1.RSA (Rivest-Shamir-Adleman) is a famous encryption scheme that makes use of a

combination of public and private keys.

2. This means you have a non-public key and one that can be shared publicly. Each
key can be used to encrypt data, but only the opposite can be decrypted. RSA was
evolved in 1977.

• How does RSA work?

RSA is based on the problem of breaking down large numbers into their top factors.
To create an RSA key pair, you need to pick very big prime numbers, p and q. It is
crucial to pick those primes randomly and ensure they are simply unique from each
different. The product of p and q, represented as n, becomes the modulus for the
public and private keys. While n is publicly known, the values of p and q remain
confidential.

Step 1: Choose two large prime numbers

 Let’s use small primes for simplicity:
• p=61
• q=53

Step 2: Compute n=p×q

• n=61×53=3233
• n is part of the public and private key.

Step 3: Compute Euler’s Totient Function:

• ϕ(n)=(p−1)(q−1)
• ϕ(n)=(61−1)(53−1)=60×52=3120

Step 4: Choose an integer e such that:

• 1<e<ϕ(n)
• gcd(e,ϕ(n))=1 (i.e., e is coprime to ϕ(n)

Let’s choose:
• e=17 (commonly used and satisfies the condition)

Step 5: Compute ddd such that:

• d×e≡1mod ϕ(n)

We find the modular inverse of emod ϕ(n)

d=2753 (because 12753×17mod3120=1)

Final Keys:
• Public Key (e, n) = (17, 3233)
• Private Key (d, n) = (2753, 3233)

➢ RSA Encryption
Let's encrypt the message:
Message (M) = 65
Formula: C=Me modn
C=6517 mod3233 =2790
So the encrypted message is: 2790

➢ RSA Decryption
To decrypt:
M=C dmodn
M=27902753 mod3233=65
We get back the original message: 65

• Applications and Use Cases

 1. Digital Signatures
2. Digital certificates
3. Secure key exchange
4. Secure communication protocols

• Advantages of RSA
There are some advantages of Rivest-Shamir-Adleman −
• Enhanced Security − RSA encryption eliminates the need for sharing secret keys,
minimizing the risk of unauthorized access.
• Verified Communication Authenticity − The interconnectedness of key pairs ensures
only authorized recipients can access messages, preventing interception.
• Efficient Encryption − RSA encryption offers faster encryption compared to the DSA
algorithm, speeding up data transfer.
• Data Integrity − Altering data during transmission will disrupt the key usage,
preventing unauthorized decryption. This ensures that tampering is detected and the
receiver is notified.

Digram:

• Deffie-Hellman Key Exchange

The Diffie-Hellman Key Exchange (DHKE) is a method that allows two parties to securely
share a secret key over an insecure channel, without actually transmitting the key itself.
• Invented by Whitfield Diffie and Martin Hellman in 1976.
• Based on the difficulty of the discrete logarithm problem.

• Idea Behind It
• Two people (say, Alice and Bob) can agree on a shared secret key using math, even if
someone is listening to all the communication. This secret key can then be used for
symmetric encryption.

• Mathematical Foundation
It uses modular arithmetic and exponentiation:
1. Choose:
o A large prime number p
 o A primitive root modulo p, called g
These values (p,g)) are publicly known.

• Step-by-Step Example
Let’s walk through an example using small numbers (for clarity):
Step 1: Publicly Agreed Values
• p=23 (a prime number)
• g=5(a primitive root modulo 23)

Step 2: Private Keys (kept secret)

• Alice chooses a=6
• Bob chooses b=15

Step 3: Compute Public Values

• Alice computes:
A=g amod p=56 mod23=15625 mod23=8
• Bob comutes:
B=g Bmod p=515 mod23=30517578125 mod23=2
Now, Alice sends A=8A = 8A=8 to Bob, and Bob sends B=2B = 2B=2 to Alice.
Step 4: Compute Shared Secret Key

• Alice computes:
s=Ba mod p=26 mod23=64 mod23=18

• Bob computes:
s=Ab modp=815 mod23=18

Both get the same shared secret key: 18

This key can now be used for secure communication (like AES encryption).

Diagram:

Advantages of Diffie-Hellman
1. Secure Key Exchange over Insecure Channels
 • Enables two parties to establish a shared secret without transmitting the secret
itself.
2. Foundation of Many Protocols
• Used in TLS/SSL, IPSec (VPNs), SSH, etc., for secure communications.
3. Simple Concept
• Based on straightforward mathematical principles (modular exponentiation).

Disadvantages of Diffie-Hellman
1. Vulnerable to Man-in-the-Middle (MITM) Attacks
• Since DH doesn't provide authentication, an attacker can intercept and inject keys
unless it’s combined with a digital signature or certificate (like in TLS).
2. No Authentication by Default
• It only provides a shared secret — it does not confirm the identity of the parties
involved.
3. Computational Overhead
• For large primes and secure key lengths, calculations can be CPU-intensive,
especially on low-power devices.

• Elliptic Curve:

➢ What is ECC?
1.Elliptic Curve Cryptography (ECC) is a type of public key cryptography based on the
algebraic structure of elliptic curves over finite fields.
2.ECC offers equivalent security to RSA or Diffie-Hellman but with much smaller key
sizes, making it faster and more resource-efficient — ideal for mobile devices, IoT, and
embedded systems.
3.Mathematical Basis
ECC uses elliptic curves defined by the equation: y2=x3+ax+b
▪ The curve is defined over a finite field (e.g., integers modulo a prime p).
▪ Points on this curve, along with a special operation called point addition, form a
mathematical group used for cryptographic operations.
➢ ECC Key Components
• Elliptic Curve (EC): A specific curve equation over a finite field.
• Base Point (G): A publicly known point on the curve.
• Private Key (d): A randomly chosen integer.
• Public Key (Q): A point on the curve computed as Q=d⋅G

➢ ECC for Digital Signatures (ECDSA)

ECC is also widely used in digital signatures via ECDSA (Elliptic Curve Digital
Signature Algorithm):
1. Signing:
o Uses sender’s private key to sign a hash of the message.
2. Verification:
o Uses sender’s public key to verify that the signature is valid and the message
hasn’t changed.
 ✅ ECC Advantages
Feature Benefit

Strong security even with small keys (e.g., 256-bit ECC ≈ 3072-
Security bit RSA)

Performance Faster key generation, signing, and encryption

Size Smaller keys and signatures save bandwidth and storage

Mobile, IoT, smart cards, cryptocurrencies (e.g., Bitcoin,

Ideal for Ethereum)

❌ ECC Disadvantages
Issue Description

Complexity More mathematically complex than RSA/DH

Historically had licensing issues (now mostly

Patent Concerns expired)

Implementation Needs careful implementation to avoid side-

Sensitivity channel attacks

Note:see the digram of this algo in the book P.No:16

• Authentication methods
1. Password-Based Authentication
➢ What It Is:
• The user provides a username and password.
• The system checks the credentials against stored (usually hashed) values.
➢ Cryptographic Involvement:
• Passwords are hashed (e.g., using SHA-256, bcrypt) before storage.
• Sometimes salted to prevent rainbow table attacks.
➢ Weaknesses:
• Susceptible to brute-force, dictionary, or phishing attacks.
• Depends heavily on user behavior (password strength, reuse, etc.).

2. Public Key Authentication

➢ What It Is:
• Involves a public/private key pair.
• The user signs a message with their private key, and the system verifies it using the
public key.
 ➢ Used In:
• SSH login
• TLS/SSL certificates
• Digital signatures
➢ Cryptographic Algorithms:
• RSA, ECDSA, EdDSA
Example:
• A server authenticates a user by verifying a digital signature generated with the
user's private key.

3. Message Authentication Code (MAC)

➢ What It Is:
• A cryptographic checksum that ensures message integrity and authenticity.
• Generated using a shared secret key and the message.
➢ Cryptographic Algorithms:
• HMAC (Hash-based MAC), CMAC
➢ Use Case:
• Ensures that the message hasn’t been tampered with and was sent by someone with
the shared key.

4. Digital Signatures
➢ What It Is:
• A sender signs a message with a private key.
• Anyone can verify the message using the sender’s public key.
➢ Cryptographic Algorithms:
• RSA, ECDSA, DSA
➢ Used In:
• Secure email (e.g., PGP)
• Blockchain transactions
• Code signing

5. Biometric Authentication
➢ What It Is:
• Uses unique physical traits (fingerprint, iris, face) for identity verification.
➢ Cryptographic Use:
• Often combined with cryptographic techniques (e.g., to encrypt biometric templates
or to unlock private keys).
➢ Challenges:
• Privacy concerns and irreversible if leaked.

6. Multi-Factor Authentication (MFA)

➢ What It Is:
• Combines two or more authentication factors:
o Something you know (password)
 o Something you have (OTP, smart card)
o Something you are (biometric)
➢ Example:
• Google Authenticator + password
• Smart card + PIN

7. Challenge–Response Authentication
➢ What It Is:
• The system sends a challenge (e.g., random number).
• The user encrypts/signs it and sends it back.
➢ Purpose:
• Proves the user possesses a secret (like a private key or password) without sending
the secret.

8. OAuth / Token-Based Authentication

➢ What It Is:
• A token (e.g., JWT) is used instead of repeatedly sending credentials.
• The token can be verified cryptographically.
➢ Cryptographic Involvement:
• Tokens are signed using HMAC or RSA/ECDSA for verification.

• Message Digest:
1.MD5 is a cryptographic hash function algorithm that takes the message as input of any
length and changes it into a fixed-length message of 16 bytes.
2. MD5 algorithm stands for the Message-Digest algorithm. MD5 was developed in 1991
by Ronald Rivest.
3. The output of MD5 (Digest size) is always 128 bits.
4. MD5 is still the most commonly used message digest for non-cryptographic functions,
such as used as a checksum to verify data integrity, compressing large files into smaller
ones securely, etc.

MD5 Algorithm Steps

The algorithm consists of four main sections –

1.Padding Bits
Verify that the input string's size is 64 bits less than a multiple of 512 when you receive
it. In order to round off the extra characters, you must add zeroes after adding one (1) to
the bits of padding.
2.Padding Length
The final string needs to include a few more characters in order to be a multiple of 512.
To achieve this, take the original input's length and represent it as 64 bits. Once the two
are combined, the last string is prepared for hashing.

3.Initialize MD Buffer
The entire string is divided into several blocks, each having 512 bits. In addition, four
buffers (A, B, C, and D) need to be initialised. Each of these 32-bit buffers is initialised as
follows −

4.Process Each Block

A 512-bit block can be further divided into 16 sub-blocks, each containing 32 bits. Each
of the four operation rounds makes use of all of the buffers, constant array values, and
sub-blocks.
You can refer to this constant array as T[1] ⇒ T[64].
The sub-blocks are identifie d by the notation M[0] ⇒ M[15].

Use Cases of Message Digest Algorithms:

1. Digital Signatures
o The digest of the message is signed instead of the whole message (to save
space and speed up signing).
2. Data Integrity
o Verifying that files or messages haven’t been altered.
3. Password Storage
o Storing hashes of passwords (often with salt).
4. Blockchain
o Used to link and verify blocks of data securely.
Advantages of Message Digest Algorithms
1. Data Integrity Verification
• Ensures that data has not been altered during transmission or storage.
2. Efficiency
• Very fast to compute, even for large amounts of data.
3. Compact Representation
• Converts large inputs into small, fixed-size outputs (e.g., 256 bits), which is efficient
for digital signatures and file verification.

Disadvantages of Message Digest Algorithms

1. No Built-in Authentication
• Hashing alone cannot confirm who sent the data — only that it hasn't changed..
2. Collision Vulnerabilities (in older algorithms)
• Algorithms like MD5 and SHA-1 are vulnerable to collision attacks, where two
different inputs produce the same hash.
3. Irreversibility Can Be Exploited
• While irreversibility is a strength, it also means that if weak inputs (like short
passwords) are hashed, attackers can use brute force or rainbow tables to reverse
them if not properly protected (e.g., using salt).

• Kerberos:

➢ What is Kerberos?
Kerberos is a network authentication protocol designed to provide strong
authentication for client/server applications by using secret-key cryptography and a
trusted third party.
It was developed at MIT and is widely used in environments like:
• Microsoft Windows Active Directory
• Linux and Unix systems
• Enterprise single sign-on (SSO)

➢ Key Goals of Kerberos

• Authentication (verifying user identity)
• Mutual authentication (both client and server verify each other)
• Secure ticket-based access (no need to send passwords repeatedly)
• Resistance to replay and eavesdropping attacks

➢ Key Components
 Component Description

KDC (Key Distribution Central authority that manages authentication.

Center) Consists of:

→ AS (Authentication Verifies the user's credentials

Server)
→ TGS (Ticket Granting Issues service access tickets
Server)
TGT (Ticket Granting A reusable ticket to request other tickets
Ticket)
Service Ticket Grants access to a specific service

Client The user or application requesting access

Server The service the client wants to access

➢ Kerberos Workflow (Simplified)

➢ Step-by-Step Operation:
1. Login Request (User → AS)
o User logs in and sends a request to the Authentication Server (AS).
o AS verifies the user and returns a TGT (Ticket Granting Ticket) encrypted with
the user's key (usually derived from their password).
2. Requesting Access to a Service (Client → TGS)
o User presents the TGT to the Ticket Granting Server (TGS) and requests
access to a service (e.g., file server).
o TGS returns a service ticket encrypted with the service’s secret key.
3. Access the Service (Client → Server)
o Client presents the service ticket to the target server.
o Server decrypts it, verifies it, and allows access.

• Kerberos Example (Real-World Analogy):

Think of it like an airport:
1. Check-in Counter (AS): You show ID and get a boarding pass (TGT).
2. Security Checkpoint (TGS): You show the boarding pass and get access to your gate
(service ticket).
3. Boarding Gate (Server): You show the service ticket and get on the plane (access
service).

• Advantages of Kerberos
Advantage Description

Strong security Passwords are never sent over the network directly
 Advantage Description

Single Sign-On (SSO) One login gives access to multiple services

Mutual authentication Both client and server are verified

Auditability Clear ticket logs for activity tracking

• Disadvantages of Kerberos
Disadvantage Description

Requires careful configuration and a trusted time

Complex setup source

Time-sensitive Relies on synchronized clocks (within ~5 minutes)

Single point of If the KDC fails, authentication cannot happen

failure

• Protocols & Technologies Using Kerberos

• Microsoft Active Directory
• SSH with GSSAPI
• NFSv4

• X.509 Authentication service:

1.X.509 is a digital certificate that is built on top of a widely trusted standard known as ITU
or International Telecommunication Union X.509 standard, in which the format of PKI
certificates is defined.
2. X.509 digital certificate is a certificate-based authentication security framework that can
be used for providing secure transaction processing and private information.
3. These are primarily used for handling the security and identity in computer networking
and internet-based communications.

➢ How X.509 Authentication Works

Step-by-step:
1. User or device receives a digital certificate from a Certificate Authority.
2. The certificate contains the user's public key and identity info, digitally signed by the
CA.
3. A recipient (e.g., server or client) verifies the signature using the CA’s public key.
4. If verification succeeds, the identity and public key are trusted.
5. The recipient can now use the public key for secure communication or verifying
signatures.

➢ Structure of an X.509 Certificate (v3)

 An X.509 certificate contains:

Field Description
Version Usually v3 for modern certs
Serial Number Unique number assigned by CA
Algorithm used by CA to sign the certificate (e.g., SHA-256 with
Signature Algorithm
RSA)
Issuer The CA that issued the certificate
Validity Start and end date of certificate validity
Subject Entity (person, device, org) the certificate belongs to
Subject Public Key
Includes the subject's public key
Info
Extensions Additional fields (e.g., key usage, alt names, etc.)
Signature The CA’s digital signature of the certificate data

➢ Benefits of X.509 Authentication

Advantage Description
Links public keys to real identities via a trusted
Strong identity binding
CA
Widely supported Used in HTTPS, email, VPNs, etc.
Supports certificate
Allows delegation of trust (intermediate CAs)
chains

Limitations
Disadvantage Description
Complex PKI
Requires managing CAs, CRLs, policies
management
Expiration and Certificates expire or may be revoked; managing
revocation status is non-trivial
Trust relies on CAs If a CA is compromised, so is the trust model

➢ Applications of X.509 Authentication Service Certificate:

Many protocols depend on X.509 and it has many applications, some of them are
given below:
• Document signing and Digital signature
• Web server security with the help of Transport Layer Security (TLS)/Secure Sockets
Layer (SSL) certificates
• Email certificates
• Code signing
• Secure Shell Protocol (SSH) keys
➢ Distinguish between Kerberos and X.509 authentication service.
X.509 Authentication
Feature Kerberos Service

Network authentication Public key certificate-

Type based authentication
protocol

Authentication Secret-key cryptography Public-key cryptography

Mechanism (symmetric key) (asymmetric key)

Key Distribution Center Certificate Authority

Trusted Authority (CA)
(KDC)
Credential Ticket (e.g., TGT, Service X.509 digital certificate
Format Ticket)
Symmetric keys (shared Asymmetric keys
Key Type Used (public/private key pair)
secrets)
Mutual Supported
Supported
Authentication
No strict clock
Yes — Requires dependency (though
Time Sensitivity
synchronized clocks validity dates apply)

Session Certificates can be long-

Uses short-lived tickets lived
Management

More complex for large More scalable due to

Scalability hierarchical CA structure
distributed systems

Revocation Not built-in; session- CRL (Certificate

Mechanism based Revocation List), OCSP

Windows domains, SSH, HTTPS (SSL/TLS), Email,

Usage Examples VPN, Digital Signatures
internal networks
Certificate proves
Password Password never sent identity without
Exposure Risk directly over network password

Requires centralized Requires PKI setup and

Setup Complexity KDC and careful time certificate lifecycle
management management

Single Sign-On Not inherently SSO, but

Built-in SSO support can be integrated
(SSO)
➢ Digital Signatures:
What is Digital Signature Standard? Explain the DSS approach?
The Digital Signature Standard (DSS) is a U.S. federal standard for creating digital
signatures, issued by NIST (National Institute of Standards and Technology).
• Published as: FIPS PUB 186
• Purpose: To provide a secure method for digital signatures — ensuring authenticity,
integrity, and non-repudiation of messages or documents.

🛠️ DSS Includes Several Algorithms:

Algorithm Description

DSA (Digital Signature The original algorithm defined in DSS

Algorithm)
RSA Included in later versions

ECDSA (Elliptic Curve DSA) More efficient, used in modern systems

Optional in some contexts, highly secure and

EdDSA (Edwards-curve DSA) fast

📘 DSS Approach Using DSA (Digital Signature Algorithm)

Here’s how DSS works using DSA, the core algorithm defined in the standard:

🔧 1. Key Generation
• A pair of keys is generated:
o Private key (x): Kept secret
o Public key (y): Shared publicly
Mathematically:
o Select a large prime p and a smaller prime q, such that q divides p−1
o Choose generator g such that gq mod p=1
o Choose private key xxx (random number where 0<x<q)
o Compute public key y=gx mod p

🖋️ 2. Signature Generation
To sign a message MMM:
1. Compute hash of the message:
H=SHA(M)
2. Choose a random number k where 0<k<q
3. Compute:
o r=(gk mod p)mod q
o s=(k-1(H+xr))mod q
4. Signature is the pair (r,s)
✅ The values k, x, and H are critical — leaking k can compromise the private key!
 ✅ 3. Signature Verification
To verify a message MMM and signature (r,s):
1. Check 0<r<q
2. Compute:
o H=SHA(M)H
o w=s−1mod q
o u1=Hw mod q
o u2=rw mod q
o v=((gu1⋅yu2)
3. Accept the signature if v=r

🔐 What Security Does DSS Provide?

Property Description

Authentication Confirms the sender’s identity

Integrity Detects any modification to the message

Non-repudiation Sender cannot deny having signed the message

✅ Advantages of DSS
• Designed specifically for digital signatures
• Uses SHA family for hashing (e.g., SHA-256)
• Government-approved and widely supported

⚠️ Disadvantages / Limitations
• DSA (original) is slower than RSA for verifying
• Relies on secure randomness — leaking kkk compromises the private key
• Not suitable for encryption (signature-only standard)

(Authentication protocols: prefer online)

 Unit:4 Security Requirements
➢ IP Security:
What is an IP Address?
Definition:
➢ An IP (Internet Protocol) address is a unique numerical identifier assigned to each
device connected to a computer network that uses the Internet Protocol for
communication.
It serves two main purposes:
1. Identification – Who you are (on the network)
2. Location – Where you are (on the network)

➢ Types of IP Addresses
There are two versions of IP addresses:
Introduce
Versio Name Format d
n
Internet
Protoco
IPv4 l 32-bit (e.g., 192.168.1.1) 1983
version
4
Internet
Protoco 128-bit (e.g.,
IPv6 l 2001:0db8:85a3::8a2e:0370:7334 1998
version )
6

➢ IPv4 – Internet Protocol version 4

➢ Key Features:
• 32-bit address (allows ~4.3 billion addresses)
• Written in dotted decimal notation:
e.g., 192.168.0.1
• Commonly used in most networks
➢ Structure:
• Divided into 4 parts (called octets), each ranging from 0 to 255
Example: 192.168.1.10
➢ Limitations:
• Limited number of addresses (exhaustion due to internet growth)
• No built-in security or auto-configuration
• Uses NAT (Network Address Translation) to cope with address shortage

➢ IPv6 – Internet Protocol version 6

➢ Key Features:
• 128-bit address space (allows ~340 undecillion addresses)
• Written in hexadecimal and colon-separated format
e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334
• Supports auto-configuration, multicast, and better routing
➢ Benefits:
• Virtually unlimited address space
• More efficient routing and data flow
• Built-in security (IPSec support)
• No need for NAT in most cases

➢ IPSec architecture :
➢ IPSec (Internet Protocol Security) is a framework of open standards that
provides secure communication over IP networks by authenticating and
encrypting each IP packet.
➢ It operates at the network layer of the OSI model, securing all traffic across
an IP network.

1. Architecture: Architecture or IP Security Architecture covers the general concepts,

definitions, protocols, algorithms, and security requirements of IP Security
technology.

2. ESP Protocol: ESP(Encapsulation Security Payload) provides a confidentiality

service. Encapsulation Security Payload is implemented in either two ways:

• ESP with optional Authentication.

• ESP with Authentication.

Packet Format:
• Security Parameter Index(SPI): This parameter is used by Security Association. It
is used to give a unique number to the connection built between the Client and Server.
• Sequence Number: Unique Sequence numbers are allotted to every packet so that on
the receiver side packets can be arranged properly.
• Payload Data: Payload data means the actual data or the actual message. The
Payload data is in an encrypted format to achieve confidentiality.
• Padding: Extra bits of space are added to the original message in order to ensure
confidentiality. Padding length is the size of the added bits of space in the original
message.
• Next Header: Next header means the next payload or next actual data.
• Authentication Data This field is optional in ESP protocol packet format.

3. Encryption algorithm: The encryption algorithm is the document that describes

various encryption algorithms used for Encapsulation Security Payload.

4. AH Protocol: AH (Authentication Header) Protocol provides both Authentication

and Integrity service. Authentication Header is implemented in one way only:
Authentication along with Integrity.

Authentication Header covers the packet format and general issues related to the use
of AH for packet authentication and integrity.

5. Authentication Algorithm: The authentication Algorithm contains the set of

documents that describe the authentication algorithm used for AH and for the
authentication option of ESP.

6. DOI (Domain of Interpretation): DOI is the identifier that supports both AH and
ESP protocols. It contains values needed for documentation related to each other.

7. Key Management: Key Management contains the document that describes how
the keys are exchanged between sender and receiver.

4. IPSec Modes

Mode Use Case What is Encrypted

End-to-end
Transport Only the payload is
communication (e.g.,
Mode encrypted/authenticated
host-to-host)
Tunnel Gateway-to-gateway or Entire IP packet is
Mode remote access VPN encapsulated and secured
 Benefits of IPSec

• Confidentiality (via ESP encryption)

• Authentication and data integrity
• Access control via policy enforcement
• Protection against replay attacks

Limitations

• Can be complex to configure and troubleshoot

• Requires key management infrastructure
• Performance overhead due to encryption/decryption

IPSec Use Cases

• Site-to-site VPNs (e.g., branch office to HQ)

• Remote access VPNs
• Secure host-to-host communication
• Securing IPv6 (IPSec is mandatory in IPv6)

1. AH – Authentication Header

Purpose:

Provides:

• Data integrity – Ensures the data hasn’t been modified.

• Authentication – Verifies the sender’s identity.
• Anti-replay protection – Stops attackers from reusing captured packets.

❌ Does not provide encryption, so the data remains visible.

🧱 AH Packet Structure:
 | Original IP Header | AH Header | IP Payload |

➢ AH Header Fields:

Field Description
Indicates the protocol of the payload (e.g.,
Next Header
TCP, UDP)
Payload Length Length of the AH in 32-bit words
Reserved Reserved for future use (set to 0)
SPI (Security Parameter
Identifies the SA being used
Index)
Sequence Number Increments with each packet to prevent replay
Integrity check value (hash) calculated over
Authentication Data
the packet

➢ What AH Protects:

• Entire packet (except mutable fields) in transport mode

• Whole encapsulated packet in tunnel mode
➢ Example:

Used in private networks or military where data privacy isn't required but integrity
and origin must be verified.

2. ESP – Encapsulating Security Payload

Purpose:

Provides:

• Confidentiality – via encryption (e.g., AES, 3DES)

• Integrity & Authentication – optional (e.g., HMAC-SHA1)
• Anti-replay protection

ESP can be used with or without AH, but usually replaces it.

ESP Packet Structure (Transport Mode):

| IP Header | ESP Header | Encrypted Payload | ESP Trailer | ESP Authentication Data
|

ESP Fields:
 Section Field Description
Identifies the Security
ESP Header SPI
Association
Sequence Number Prevents replay attacks
Payload Encrypted Data Original packet payload
ESP Trailer Padding Ensures block size alignment
Pad Length Number of padding bytes
Identifies type of data in
Next Header
payload
Integrity Check Optional, protects payload and
Authentication
Value (ICV) parts of ESP header

➢ What ESP Protects:

Mode Protection
Transport Encrypts only the payload, not the IP header
Encrypts the entire IP packet, including the original header, and
Tunnel
adds a new one

Example:

Used in VPNs where encryption is essential — e.g., between a user's laptop and
company firewall.

🔹 3. IKE – Internet Key Exchange Protocol

📌 Purpose:

• Automates secure key exchange

• Negotiates Security Associations (SAs)
• Handles mutual authentication
• Supports Perfect Forward Secrecy

IKE is a control protocol, whereas AH/ESP are data protocols.

🔁 IKE Versions:

Version Description
IKEv1 Two-phase exchange, older, less efficient
Modern (RFC 7296), improved security, NAT traversal, mobility
IKEv2
support
 🧱 IKEv2 Exchange Steps:

Phase 1: IKE_SA_INIT

• Establishes cryptographic parameters

• Performs Diffie-Hellman key exchange
• Derives encryption/authentication keys

Phase 2: IKE_AUTH

• Authenticates peers (via Pre-Shared Key, Certificates, etc.)

• Negotiates and establishes IPSec SAs (ESP/AH)

🔐 Authentication Methods in IKE:

• Pre-shared keys (PSK)

• Digital certificates (X.509)
• EAP (Extensible Authentication Protocol)

🔍 Example:

Used when two firewalls set up a secure VPN tunnel without manually configuring
encryption keys.

🔁
2PSec Modes in Practice

Mode Description Use Case

Only the IP payload is Host-to-host
Transport
protected. The original IP communication (e.g.,
Mode
header remains visible. between two computers)
Entire IP packet is Site-to-site VPN (e.g.,
Tunnel
encrypted. A new IP header between two company
Mode
is added. networks)

➢ What is ISAKMP?

ISAKMP (Internet Security Association and Key Management Protocol) is a

protocol used to establish, negotiate, modify, and delete Security Associations
(SAs) for IPSec and other security protocols.

• Defined in: RFC 2408

• Layer: Operates at the application layer (even though it's used to set up security at
the IP layer)
 • Protocol Number: 50

➢ Purpose of ISAKMP

ISAKMP provides a framework for:

• Establishing and managing Security Associations (SAs)

• Handling key exchange and negotiation
• Supporting multiple authentication methods (e.g., pre-shared keys, digital
certificates)

🔐 It does not define how keys are exchanged, but provides the infrastructure for it. Key
exchange methods like IKE (Internet Key Exchange) are built on top of ISAKMP.

🧱 ISAKMP Structure

ISAKMP messages are made up of:

• A common header
• One or more payloads

🔹 Common Header Fields:

Field Description
Initiator Cookie Unique ID for the sender
Responder Cookie Unique ID for the receiver
Next Payload Indicates the type of the next payload (e.g., SA, KE)
Exchange Type Type of exchange (e.g., Main Mode, Aggressive)
Flags Indicates encryption, commitment, etc.
Message ID Unique identifier for message grouping
Length Total message length

🔹 Payload Types in ISAKMP:

Payload Type Description

SA (Security Association) Proposes security protocols and algorithms
KE (Key Exchange) Carries key exchange data (e.g., Diffie-Hellman)
ID Identification payload (e.g., IP addresses, IDs)
CERT Certificate for authentication
HASH Hash of parts of the message for integrity
 Payload Type Description
SIG Digital signature for authentication
NOTIFY Error or status information
DELETE Deletes existing SAs

🔄 ISAKMP Exchange Process

ISAKMP supports different exchange modes, the most common being:

1. Main Mode

• 6 messages exchanged
• Strongest security
• Negotiates SAs and authenticates peers

2. Aggressive Mode

• 3 messages exchanged
• Faster but less secure (some identity info exposed)

3. Quick Mode

• Used after main/aggressive mode to negotiate the IPSec SAs (ESP/AH)

✅ Features of ISAKMP

Feature Description
Modular Can support multiple key exchange methods
Reusable Not limited to IPSec — other security protocols can use it
Secure Supports mutual authentication, integrity, and replay protection
Flexible Allows negotiation of encryption, hashing, authentication methods

🔍 Example Use Case

When you connect a VPN:

1. ISAKMP establishes a secure control channel between your device and the VPN
server.
2. IKE runs over ISAKMP to exchange keys using Diffie-Hellman.
3. IPSec SAs are negotiated and installed.
4. Your data is encrypted using the negotiated keys and algorithms.
 • VPN:

1. A VPN (Virtual Private Network) is a powerful tool that enhances online privacy,
protects sensitive data, and enables secure access to the internet.
2. In today's interconnected world, online privacy and data security are more important
than ever. One of the best ways to protect yourself and enhance your internet
experience is by using a VPN (Virtual Private Network)

➢ Key Benefits of Using a VPN:

1. Privacy Protection: A VPN hides your IP address, ensuring that your browsing habits
and activities remain private.

2. Security on Public Networks: Public Wi-Fi networks are often insecure, but a VPN
encrypts your connection, making it safer to browse the internet on networks like
those in cafes or airports.
3. Prevent Data Throttling: Some ISPs throttle your connection speed when you
stream or play games. A VPN can bypass this, allowing for faster internet speeds.
4. Accessing Remote Work Resources: A VPN enables secure access to private
networks, making it ideal for businesses and remote workers.

➢ Types of VPN
VPNs come in various types, each catering to different needs, from individual
privacy to enterprise-level solutions. Below are the main types of VPNs:
1. Remote Access VPN
A Remote Access VPN allows individual users to connect to a network remotely,
such as accessing work files from home. It's ideal for people who need secure
access to a private network from anywhere.

2. Site-to-Site VPN
A Site-to-Site VPN is used to connect two networks, often used by businesses with
multiple office locations. It securely links two private networks over the internet,
enabling employees to access resources from both locations.

3. Mobile VPN
A Mobile VPN is designed for mobile devices like smartphones and tablets. It
ensures stable connections even when switching between different networks (such
as from Wi-Fi to mobile data) and is used in industries like healthcare and logistics
where users need continuous access while moving.

4.OpenVPN
OpenVPN is a highly secure, open-source VPN protocol known for its flexibility and
strength in encryption. It’s often used for custom VPN setups and is highly
configurable, making it a popular choice for advanced users.
 Unit 5: Firewall And Intrusion
➢ What is firewall:
A firewall is a network security device either hardware or software-based which monitors all
incoming and outgoing traffic and based on a defined set of security rules it accepts, rejects,
or drops that specific traffic.

It acts like a security guard that helps keep your digital world safe from unwanted visitors
and potential threats.

• Accept: allow the traffic

• Reject: block the traffic but reply with an “unreachable error”
• Drop: block the traffic with no reply

A firewall is a type of network security device that filters incoming and outgoing network
traffic with security policies that have previously been set up inside an organization.

A firewall is essentially the wall that separates a private internal network from the open
Internet at its very basic level.

Working of Firewall
• Firewall match the network traffic against the rule set defined in its table. Once the
rule is matched, associate action is applied to the network traffic. For example, Rules
are defined as any employee from Human Resources department cannot access the
data from code server and at the same time another rule is defined like system
administrator can access the data from both Human Resource and technical
department.
• Rules can be defined on the firewall based on the necessity and security policies of
the organization.
• From the perspective of a server, network traffic can be either outgoing or incoming.
Firewall maintains a distinct set of rules for both the cases. Mostly the outgoing
traffic, originated from the server itself, allowed to pass. Still, setting a rule on
outgoing traffic is always better in order to achieve more security and prevent
unwanted communication. Incoming traffic is treated differently.
• Most traffic which reaches on the firewall is one of these three major Transport Layer
protocols- TCP, UDP or ICMP. All these types have a source address and destination
address. Also, TCP and UDP have port numbers. ICMP uses type code instead of port
number which identifies purpose of that packet.

➢ Types of firewall:
➢ Packet Filtering Firewall
 ➢ Packet filtering firewall is used to control network access by monitoring outgoing
and incoming packets and allowing them to pass or stop based on source and
destination IP address, protocols, and ports. It analyses traffic at the transport
protocol layer (but mainly uses first 3 layers). Packet firewalls treat each packet in
isolation. They have no ability to tell whether a packet is part of an existing stream
of traffic. Only It can allow or deny the packets based on unique packet headers.
Packet filtering firewall maintains a filtering table that decides whether the packet
will be forwarded or discarded. From the given filtering table, the packets will be
filtered according to the following rules:
➢
• Incoming packets from network
192.168.21.0 are blocked.

• Incoming packets destined for the

internal TELNET server (port 23)
are blockeD
• Incoming packets destined for host
192.168.21.3 are blocked.

• All well-known services to the

network 192.168.21.0 are allowed.

2. Stateful Inspection Firewall

Stateful firewalls (performs Stateful Packet
Inspection) are able to determine the
connection state of packet, unlike Packet
filtering firewall, which makes it more efficient.
It keeps track of the state of networks
connection travelling across it, such as TCP
streams. So the filtering decisions would not
only be based on defined rules, but also on
packet’s history in the state table.

3.Application Layer Firewall

Application layer firewall can inspect and filter the packets on any OSI layer, up to the
application layer. It has the ability to block specific content, also recognize when
certain application and protocols (like HTTP, FTP) are being misused. In other words,
Application layer firewalls are hosts that run proxy servers. A proxy firewall prevents
the direct connection between either side of the firewall, each packet has to pass
through the proxy.
4.Next Generation Firewalls (NGFW)
NGFW consists of Deep Packet Inspection, Application Inspection, SSL/SSH inspection
and many functionalities to protect the network from these modern threats.

5.Software Firewall
A software firewall is any firewall that is set up locally or on a cloud server. When it
comes to controlling the inflow and outflow of data packets and limiting the number
of networks that can be linked to a single device, they may be the most
advantageous. But the problem with software firewall is they are time-consuming.

6. Hardware Firewall
They also go by the name "firewalls based on physical appliances." It guarantees that
the malicious data is halted before it reaches the network endpoint that is in danger.

➢ Limitations of Firewalls

1. Cannot Protect Against Internal Threats

o Firewalls are typically placed at the network perimeter.
o They can't detect or block malicious actions by trusted insiders or
compromised internal devices.
2. Can't Stop Attacks via Encrypted Traffic
o Encrypted data (like HTTPS or VPN traffic) can hide threats.
o Unless a firewall does deep packet inspection (DPI), it won’t analyze the
contents of encrypted packets.
3. No Protection Against Social Engineering
o Firewalls can’t stop phishing emails, fake websites, or scams that trick users
into revealing sensitive info.
4. Limited Against Zero-Day Attacks
o Firewalls rely on known signatures or predefined rules.
o They often fail to block new or unknown (zero-day) exploits.
5. Application-Level Attacks May Bypass It
o Basic firewalls don't understand application-level protocols deeply.
 o Web application attacks like SQL injection or XSS may pass through
unnoticed.
6. May Not Detect Malware in Allowed Traffic
o Firewalls allow certain types of traffic (e.g., email or web traffic).
o Malware hidden in those traffic types may still get through.
7. Can't Protect Against Physical Theft or Access
o Firewalls are purely digital barriers.
o They don’t help if someone physically accesses or steals hardware.
8. Rule Misconfiguration Risks
o Human errors in firewall rule configuration can open vulnerabilities.
o Complex rules are hard to manage and audit.
9. Doesn’t Replace Other Security Measures
o A firewall alone is not enough.
o Needs to be part of a multi-layered security strategy (e.g., antivirus, intrusion
detection, security policies).

➢ Advantages:

1.Monitors and Controls Network Traffic

• Firewalls filter incoming and outgoing traffic based on defined security rules.
• This helps prevent unauthorized access to or from a private network.

2. Blocks Unauthorized Access

• Prevents hackers and malicious software from entering your network.

• Acts as the first line of defense against external attacks.

3. Protects Against Malware and Viruses

• Many modern firewalls include features like antivirus scanning and intrusion
prevention.
• They can detect and block known threats before they cause harm.

4.Improves Network Security

• Helps enforce security policies.

• Reduces the risk of data breaches and cyberattacks.

5. Allows Custom Security Rules

• You can define rules based on IP addresses, port numbers, protocols, or applications.
• This gives you control over what’s allowed or denied.

• Differentiate packet filtering router and stateful Inspection firewall:

 ➢ Firewall architecture implementation
There are four common architectural implementations of firewalls widely in use. They are
packet filtering routers, screened host firewalls, dual-homed firewalls and screened subnet
firewalls. Let’s understand each one of them in detail.
Packet filtering routers
Most of organizations have a router as the interface to the Internet. This router is placed at
the perimeter between the organization‘s internal networks and the internet service
provider. These routers can be configured to accept or reject the packets as per the rule of
the organization. This is one of the simple and effective ways to lower down the
organization‘s risk from the internet.
Drawbacks
The length and the complexity of the rule sets implemented to filter the packets can grow
and degrade network performance. Also, it suffers from a lack of auditing and strong
authentication mechanisms.
Screened host firewalls
This firewall combines a packet-filtering router with a discrete firewall such as an application
proxy server. In this approach, the router screens the packet before entering the internal
network and minimizes the traffic and network load on the internal proxy. The application
proxy inspects application layer protocol such as HTTP or HTTPS and performs the proxy
services. This separate host is called a bastion host and can be a rich target for external
attacks, thus it should be thoroughly secured.
The bastion host stores copies of the internal documents, making it a promising target to
the attackers. A bastion host is also commonly referred to as the Sacrificial Host.
Advantage
This configuration requires the attacker to hack and compromise two separate systems,
before accessing the internal data. In this way, the bastion host and router protects the data
and is more effective and secure implementation.
Dual-homed host firewalls
This architecture is a more complex implementation of screened host firewalls. In this
architectural approach, the bastion host accommodates two NICs (Network Interface Cards)
in the bastion host configuration. One of the NIC is connected to the external network, and
the other one is connected to the internal network thus providing an additional layer of
protection.
This architecture often makes use of Network Address Translation (NATs). NAT is a method
of mapping external IP addresses to internal IP addresses, thus forming a barrier to intrusion
from external attackers.
Screened subnet firewalls (with DMZ)(PYQ)
Of all the architecture available, Screened Subnet Firewall is widely used and implemented
in corporate networks. Screened Subnet Firewalls as the name suggests make use of DMZ
and are a combination of dual-homed gateways and screened host firewalls.
In a screened subnet firewall setup, the network architecture has three components and the
setup is as follows:
• 1st component: This component acts as a public interface and connects to the
Internet.
• 2nd component: This component is a middle zone called a demilitarized zone. It acts
as a buffer between 1st and 3rd components.
• 3rd component: The system in this component connects to an intranet or other local
architecture.
Advantage
The use of an additional "layer" and other aspects of the screened subnet firewall makes it a
viable choice for many high-traffic or high-speed traffic sites. Screened subnet firewall also
helps with throughput and flexibility.

Screened Subnet Firewall Architecture (with DMZ)

➢ Definition:
A screened subnet (also known as a DMZ architecture) is a firewall configuration that uses
two firewalls or a single firewall with three interfaces to create a demilitarized zone (DMZ)
between the internal network and the internet.
This setup adds an extra layer of security by isolating public-facing services (like web or mail
servers) in a separate zone.
➢ Key Components:
Component Role
External Firewall Filters incoming traffic from the internet to the DMZ.
DMZ (Screened Hosts public servers (e.g., web, mail, DNS) accessible from the
Subnet) internet.
Component Role
Internal Firewall Filters traffic between the DMZ and the internal network.
Internal Network Contains private resources like databases, file servers, etc.
Internet The untrusted public network.

Screened Subnet Firewall Architecture (Text Diagram)

[Internet]
|
[External Firewall]
|
----------------------------
| |
[DMZ] [Internal Firewall]
(Web, Mail, DNS) |
|
[Internal Network]
(Employees, Databases, etc.)

• DMZ: Servers in the DMZ can be accessed by external users but are isolated from the
internal LAN.
• Two Firewalls:
o The first firewall separates the DMZ from the internet.
o The second firewall separates the DMZ from the internal network.

✅ Advantages:
• Enhanced security through network segmentation.
• Public servers are isolated—even if compromised, internal resources are still
protected.
• Allows controlled access from the internet to public services without exposing
internal systems.
❌ Disadvantages:
• More complex to configure and maintain.
• Slightly higher cost due to extra hardware or configuration.

Note:(Trusted systems do in book)

➢ Access control service:

Access control in cybersecurity refers to the security service that determines who is
allowed to access or use resources in a computing environment. Its main purpose is
to prevent unauthorized access and ensure that legitimate users can only perform
permitted actions.

Key Concepts of Access Control:

1. Authentication – Verifies the identity of a user or system (e.g., using passwords,
biometrics, multi-factor authentication).
2. Authorization – Determines what an authenticated user is allowed to do (e.g., read a
file, modify settings).
3. Access Control Policies – Rules that govern access based on roles, attributes, or
other criteria.
➢ Types :

1. Discretionary Access Control (DAC)

Overview:
• Control is at the discretion of the owner of the resource.
• The owner decides who can access their resources and what operations they can
perform (read, write, execute, etc.).
Key Features:
• Based on user identity and group membership.
• Common in personal operating systems like Windows and Linux.
• Uses Access Control Lists (ACLs) to define permissions.
Example:
A file owner sets read-only access for one user and full access for another.
Pros:
• Flexible and easy to implement.
• Suitable for individual or small group environments.
Cons:
• Security is weaker if users misconfigure permissions.
• Vulnerable to malware or Trojan horses, since users can grant wide access.

2. Mandatory Access Control (MAC)

Overview:
• Access is determined by system-enforced rules, not by users.
• Common in military, government, and high-security environments.
Key Features:
• Every user and resource has a security label (e.g., Top Secret, Secret, Confidential).
• The system compares the security level of the user and the resource before granting
access.
• Users cannot change permissions.
Example:
A user with "Secret" clearance cannot access a file marked "Top Secret", even if they
have full access to other files.
Pros:
• Very secure and centralized.
• Prevents unauthorized access by strict enforcement of policies.
Cons:
• Rigid and complex to manage.
• Not user-friendly for dynamic or open environments.

3. Role-Based Access Control (RBAC)

Overview:
• Access is based on a user’s role within an organization.
• Roles represent job functions (e.g., Manager, HR, Developer).
Key Features:
• Permissions are assigned to roles, not individuals.
• Users are granted roles, and thus inherit permissions.
Example:
A person in the "Finance" role can access payroll data, while someone in the "IT
Support" role cannot.
Pros:
• Scalable and manageable for large organizations.
• Enforces the principle of least privilege.
• Easier to audit and comply with regulations.
Cons:
• Can be inflexible for fine-grained access needs.
• Requires initial planning and periodic reviews of roles and permissions.

4. Attribute-Based Access Control (ABAC)

Overview:
• Access decisions are made based on attributes of the user, resource, environment,
and action.
Key Features:
• Attributes might include: user department, time of access, device type, location,
data sensitivity.
• Policies are written using IF-THEN logic or rules.
• Very dynamic and context-aware.
Example:
Allow access if:
• The user is in the "Engineering" department,
• Accessing from the corporate network,
• During business hours.
Pros:
• Highly flexible and fine-grained control.
• Ideal for complex, cloud-based, or dynamic environments.
• Adapts to changing contexts and conditions.
Cons:
• Complex to implement and manage.
• Requires a strong policy management system.

➢ Intrusion detection :
 1.An Intrusion Detection System (IDS) is a cybersecurity tool or software that
monitors a network or system for malicious activity or policy violations. It acts
like a security camera for your digital environment—watching for suspicious behavior
and alerting you when something looks wrong.

Common Methods of Intrusion

• Address Spoofing: Hiding the source of an attack by using fake or unsecured proxy
servers making it hard to identify the attacker.
• Fragmentation: Sending data in small pieces to slip past detection systems.
• Pattern Evasion: Changing attack methods to avoid detection by IDS systems that
look for specific patterns.
• Coordinated Attack: Using multiple attackers or ports to scan a network, confusing
the IDS and making it hard to see what is happening

Working of Intrusion Detection System(IDS)

• An IDS (Intrusion Detection System) monitors the traffic on a computer network to
detect any suspicious activity.
• It analyzes the data flowing through the network to look for patterns and signs of
abnormal behavior.
• The IDS compares the network activity to a set of predefined rules and patterns to
identify any activity that might indicate an attack or intrusion.
• If the IDS detects something that matches one of these rules or patterns, it sends an
alert to the system administrator.
• The system administrator can then investigate the alert and take action to prevent any
damage or further intrusion.

1. Network Intrusion Detection System (NIDS)

• Placement: NIDS is positioned at strategic points in a network to monitor traffic
across the entire subnet.
• Function: It captures and analyzes network traffic from all devices connected to the
network and compares it with known attack signatures or abnormal patterns. If a
potential threat is identified, it sends an alert to the administrator.
• Example: A NIDS could be placed behind the firewall to analyze inbound traffic and
detect any attempts to bypass the firewall's security measures.
• Use Case: Detects threats such as Denial-of-Service (DoS) attacks, network scanning,
and unauthorized access attempts.
 2. Host Intrusion Detection System (HIDS)
• Placement: HIDS runs on individual host machines (servers, desktops, or any end
device).
• Function: It monitors the incoming and outgoing traffic from the device and checks
for unusual or malicious activities such as unauthorized file changes, system
configuration alterations, or access violations. HIDS can also take snapshots of
system files and compare them over time, raising alerts if any modifications are
detected.
• Example: HIDS is installed on mission-critical systems, such as a server hosting
sensitive data, where the file integrity is important.
• Use Case: Useful for detecting unauthorized modifications to files or configurations
on critical systems and preventing insider threats.

3. Hybrid Intrusion Detection System

• Placement: A hybrid IDS combines the functionalities of NIDS and HIDS to provide
comprehensive monitoring.
• Function: It collects and correlates data from both the network and individual host
systems. By integrating both network traffic and host-level data, a hybrid IDS offers a
more complete and precise view of the network's security posture.
• Example: A system like Prelude integrates NIDS and HIDS data to detect attacks
more effectively and provides more accurate context for administrators.
• Use Case: Beneficial in complex environments where it’s essential to monitor both
network and host activities in real-time.

4. Application Protocol-Based Intrusion Detection System (APIDS)

• Placement: APIDS is usually deployed on a group of servers where application-level
traffic is processed.
• Function: APIDS specifically focuses on application protocols and inspects the traffic
for potential security issues, such as SQL injection, cross-site scripting (XSS), or
other application-layer attacks. It interprets communication based on the protocol
used by specific applications.
• Example: In a web server environment, an APIDS could monitor the SQL traffic
between the web server and database server to detect malicious queries or
unauthorized access attempts.
• Use Case: Ideal for protecting web applications and databases by monitoring
application-specific traffic.

5. Protocol-Based Intrusion Detection System (PIDS)

• Placement: PIDS resides at the front-end of a server or at the interface where
protocols (like HTTP or HTTPS) interact with the server.
• Function: It analyzes and monitors communication protocols between the client and
the server, ensuring that the traffic conforms to expected standards. If malicious or
unusual protocol behavior is detected, it raises an alert or takes action.
• Example: A PIDS might be used to monitor HTTPS traffic to ensure that the
encrypted traffic is legitimate before being processed by the web server.
• Use Case: Prevents attacks targeting protocol vulnerabilities, such as SSL/TLS
attacks or HTTP-based exploits.

➢ Benefits of IDS
• Detects Malicious Activity: IDS can detect any suspicious activities and alert the
system administrator before any significant damage is done.
• Improves Network Performance: IDS can identify any performance issues on the
network, which can be addressed to improve network performance.
• Compliance Requirements: IDS can help in meeting compliance requirements by
monitoring network activity and generating reports.
• Provides Insights: IDS generates valuable insights into network traffic, which can be
used to identify any weaknesses and improve network security.

➢ Disadvantages of IDS
• False Alarms: IDS can generate false positives, alerting on harmless activities and
causing unnecessary concern.
• Resource Intensive: It can use a lot of system resources, potentially slowing down
network performance.
• Requires Maintenance: Regular updates and tuning are needed to keep the IDS
effective, which can be time-consuming.
• Doesn't Prevent Attacks: IDS detects and alerts but doesn’t stop attacks, so
additional measures are still needed.
• Complex to Manage: Setting up and managing an IDS can be complex and may
require specialized knowledge.

➢ Need Of IDS
1. Detect Unauthorized Access
• IDS monitors traffic and system activities.
• Detects if someone tries to break into a network or device.

🛡️ 2. Identify Attacks Early

• Helps in spotting attacks in real-time or as they happen.
• Allows quick response before damage spreads.

📊 3. Monitor Network and System Behavior

• Tracks normal behavior to identify suspicious or unusual activity.
• Useful for spotting malware, data leaks, or insider threats.

📣 4. Alert Administrators
• Automatically sends alerts when threats or anomalies are found.
• Helps security teams respond quickly and effectively.

🧠 5. Learn About Threats

• Provides insights into attack types, sources, and methods.
• Useful for incident analysis, forensics, and improving defenses.

🧾 6. Support Compliance Requirements

• Many standards (like PCI-DSS, HIPAA, ISO 27001) require IDS.
• Helps maintain regulatory compliance.

🔁 7. Complements Other Security Tools

• Works alongside firewalls, antivirus, and access controls.
• Adds an extra layer of security by detecting what others might miss.
 ➢ What is Password Management?
Password Management refers to the strategies, systems, and tools used to:
• Create, store, use, and update passwords securely.
• Protect user credentials from unauthorized access.
• Ensure that accounts and sensitive systems remain safe from attacks like hacking,
phishing, and credential stuffing.
It's used by individuals, enterprises, and IT administrators to handle authentication
safely and efficiently.

✅ Core Components of Password Management

1. Password Creation
• Creating strong, complex passwords using combinations of uppercase, lowercase,
numbers, and symbols.
• Avoiding personal or easily guessable information (e.g., birthdates, pet names).
2. Password Storage
• Securely storing passwords (preferably in encrypted form) using:
o Password Managers (e.g., Bitwarden, 1Password)
o Encrypted files (less secure)
o Enterprise Vaults (for organizations)
3. Password Rotation
• Changing passwords regularly to limit the window of exposure in case of a breach.
4. Access Control
• Limiting who has access to certain passwords and monitoring how they are used.
5. Multi-Factor Authentication (MFA)
• Adding extra layers of security (e.g., OTPs, biometrics) in addition to passwords.

⚙️ Tools for Password Management

• Individual Tools:
o LastPass, Dashlane, Bitwarden, KeePass
• Enterprise Tools:
o CyberArk, Keeper for Business, Microsoft Azure AD Password Protection
• Browsers:
o Chrome, Firefox, and Safari offer built-in password storage (less secure than
dedicated tools)

⚠️ Limitations and Challenges of Password Management (In Depth)

Challenge Explanation Impact
If one account is
Users often reuse the same
🔁 Password breached, all reused
password across multiple
Reuse accounts become
accounts.
vulnerable.
Simple or common
Easily guessed or
📉 Weak passwords (e.g.,
cracked with brute-
Passwords "password123") are still
force attacks.
widely used.
Users have too many Leads to poor habits
🧠 Password accounts and struggle to like writing passwords
Fatigue remember complex down or using simple
passwords. ones.
Users may find password Low adoption leads to
❌ User
managers inconvenient or inconsistent password
Resistance
confusing. practices.
Can lead to a
🔓 Central Point
A breach in a password catastrophic
of Failure
manager can expose all compromise if not
(Password
stored credentials. properly protected
Managers)
with MFA.
If a user forgets their
🔐 Forgotten May result in
master password, recovery
Master permanent loss of
can be difficult or
Passwords access.
impossible.
🔄 Lack of Some users or admins do Increases the risk of
Rotation or not update passwords long-term exploitation
Expiry regularly. by attackers.
Organizations with
🛠️ Enterprise multiple systems may Gaps in password
Integration struggle to manage policies may create
Challenges passwords across security weaknesses.
platforms.
Even strong passwords can Compromises even
🎣 Phishing
be stolen via phishing well-managed
Attacks
emails or fake websites. credentials.

🔑 Best Practices to Mitigate These Challenges

 ✅ For Individuals:
• Use a reputable password manager.
• Enable multi-factor authentication (MFA) on all critical accounts.
• Never reuse passwords across sites.
• Regularly update passwords and avoid storing them in browsers.
✅ For Organizations:
• Implement enterprise password management tools.
• Train employees on phishing awareness and password hygiene.
• Enforce password complexity and expiration policies.
• Monitor for compromised credentials using threat intelligence tools.
• Consider moving towards passwordless authentication (e.g., SSO with biometrics,
security keys).

🔮 Future of Password Management

• Passwordless Authentication: Using biometrics, tokens, or secure login links (e.g.,
FIDO2/WebAuthn).
• Behavioral Biometrics: Verifying users based on typing patterns or mouse
movement.
• AI-Based Monitoring: Detecting anomalies in login behavior to flag suspicious
activity.
 UNIT 6: Cyber Forensic, Hacking& its countermeasures

➢ Personally Identifiable Information (PII)

What Is Personally Identifiable Information (PII)?

➢ Personally identifiable information (PII) is information that, when used alone

or with other relevant data, can identify an individual.
➢ II (Personally Identifiable Information) refers to any data that can be used
to identify a specific individual, either on its own or when combined with
other data.

✅ Examples of PII:
Direct PII Indirect PII

Full name Date of birth

Social Security Number (SSN) Gender

Passport or Driver’s License IP address

Email address Employment info

Phone number Location data (GPS)

Bank account or credit card number Browsing history

🎯 Why is PII Important in Cybersecurity?

PII is a prime target for cybercriminals because it can be used for:
• Identity theft
• Financial fraud
• Phishing attacks
• Social engineering
• Data breaches
Protecting PII is essential to maintain privacy, security, and trust—especially in sectors like
finance, healthcare, and education.

🛡️ How Is PII Protected in Cybersecurity?

🔐 1. Data Encryption
• Converts PII into unreadable code unless decrypted with a key.

🔑 2. Access Control
• Only authorized users can access sensitive PII.

🧾 3. Data Minimization
• Collect only what is necessary and store it for the minimum time needed.

🕵️‍♂️ 4. Monitoring and Auditing

• Logs access to PII and checks for unusual activity.

🧪 5. Data Masking
• Hides parts of sensitive data (e.g., showing only the last 4 digits of a credit card).

📜 6. Compliance with Regulations

• Organizations must follow laws like:
o GDPR (EU)
o CCPA (California)
o HIPAA (USA – healthcare)
o IT Act (India)

⚠️ Risks of PII Exposure

• Financial Loss (fraud, theft)
• Reputational Damage (loss of customer trust)
• Legal Penalties (due to non-compliance)
• Data Breaches (targeted attacks to extract PII)

✅ Best Practices to Protect PII

1. Use strong passwords and MFA.
2. Keep systems and software up to date.
3. Train staff on phishing and data handling.
4. Use data classification and labeling.
5. Implement incident response
PII Confidentiality Safeguards,

1. Access Control

🔎 What It Is:
Access control ensures that only authorized users can access PII. It uses policies and
technologies to limit who can view, modify, or delete data.

🔧 How It Works:
• Role-Based Access Control (RBAC): Users are assigned roles (e.g., HR, IT, Finance),
and each role has specific access rights.
• Least Privilege Principle: Users only get the minimum access needed to do their
job.
• Authentication Systems: Verify a user’s identity before granting access.

🎯 Why It Matters:
Unauthorized access is one of the top causes of data breaches. Proper access control
prevents internal and external threats from accessing sensitive information.

🔐 2. Encryption

🔎 What It Is:
Encryption converts readable data (plaintext) into unreadable form (ciphertext), ensuring
only those with the decryption key can access it.

🔧 How It Works:
• At Rest: Data stored on disks, databases, or backups is encrypted.
• In Transit: Data being transmitted (e.g., via email or websites) is encrypted using
secure protocols like HTTPS (SSL/TLS).

🎯 Why It Matters:
Even if attackers steal encrypted data, they can’t read it without the key. This makes
encryption one of the strongest protections for PII.

🔐 3. Multi-Factor Authentication (MFA)

🔎 What It Is:
MFA requires users to provide two or more forms of verification before accessing data or
systems.

🔧 Common Methods:
• Something you know (password)
• Something you have (smartphone, OTP)
• Something you are (fingerprint, face ID)

🎯 Why It Matters:
If a password is stolen, MFA provides an extra layer of defense, significantly reducing the
risk of unauthorized access.

🔐 4. Data Masking and Redaction

🔎 What It Is:
These techniques hide or obscure parts of sensitive data to reduce exposure while still
allowing data use.

🔧 Examples:
• Masking: ****-****-****-1234 for credit cards
• Redaction: Blotting out text in documents before sharing externally

🎯 Why It Matters:
Prevents full disclosure of PII in non-secure environments like test systems, emails, or
printed reports.

🔐 5. Monitoring and Audit Logging

🔎 What It Is:
Monitoring systems track who accesses PII, what changes are made, and when they occur.
Audit logs record these activities for review.

🔧 Features:
• Real-time alerts for suspicious activity
• Automated logging of access, login attempts, data exports, etc.
• Regular log review to identify anomalies

🎯 Why It Matters:
Provides visibility into how data is used, helps detect breaches early, and supports forensic
investigations after incidents.

🔐 6. Secure Storage and Disposal

🔎 What It Is:
Proper storage ensures PII is kept safe from unauthorized access, while secure disposal
ensures it’s irrecoverable when no longer needed.

🔧 Techniques:
• Use encrypted databases and cloud storage
• Dispose of digital data with data wiping tools
• Shred physical documents containing PII

🎯 Why It Matters:
Even deleted files can be recovered if not properly destroyed. Improper disposal can lead
to accidental leaks or compliance violations.

🔐 7. Data Loss Prevention (DLP)

🔎 What It Is:
DLP tools prevent sensitive data (like PII) from being leaked, misused, or accidentally
shared outside the organization.

🔧 What It Does:
• Scans for PII in emails, file uploads, USB transfers
• Blocks, quarantines, or alerts on policy violations
• Ensures data stays within approved channels

🎯 Why It Matters:
Employees may unknowingly send sensitive info through unsecured channels. DLP systems
automate enforcement of data handling rules.

🔐 8. Employee Training and Awareness

🔎 What It Is:
Regular training ensures that staff understand how to handle PII securely, recognize
threats (like phishing), and follow policies.
🔧 Includes:
• Cybersecurity awareness workshops
• Simulated phishing attacks
• Training on incident reporting and secure communication

🎯 Why It Matters:
Human error is the leading cause of data breaches. Even the best systems can fail if
employees aren’t aware of basic security practices.

➢ Explain PII impact level with examples?

• Low Impact PII
1. Exposure would cause minimal or no harm to the individual.
2. Often includes public or non-sensitive information.
3. Requires basic protection, like limited access control.

Examples:
• Full name (without other identifiers)
• Email address (generic or work)
• Gender
• Language preference
• Country or city of residence
🔥 Potential Impact:
• Mild privacy concerns
• Slight annoyance (e.g., spam emails)
• Low risk of identity theft
🛡️ Protection Needed:
• Basic access controls
• General user awareness

🟡 2. Moderate Impact PII

🔎 What It Is:
1. Exposure may cause noticeable harm, such as identity clues or targeted scams.
2. Includes personal data that, when combined, can increase risk (e.g., email +
birthdate).
3. Needs stronger controls like encryption and access restrictions.

✅ Examples:
• Date of birth
• Mailing address
• Personal phone number
• Educational records
• Employment history
• Login credentials (without MFA)
🔥 Potential Impact:
• Increased phishing or social engineering risk
• Identity fraud using combined information
• Personal embarrassment or professional issues
🛡️ Protection Needed:
• Encryption at rest and in transit
• Role-based access controls
• Employee training and DLP monitoring

🔴 3. High Impact PII

🔎 What It Is:
1. Exposure can lead to serious harm, such as identity theft or financial fraud.
2. Includes highly sensitive data like SSNs, bank details, or health records.
3. Requires maximum security, including encryption, MFA, monitoring, and legal
compliance.

✅ Examples:
• Social Security Number (SSN)
• National ID, passport, or driver’s license number
• Bank account or credit card details
• Medical records
• Biometric data (fingerprint, face scan)
• Login credentials with full access
🔥 Potential Impact:
• Identity theft or impersonation
• Financial loss or account compromise
• Blackmail, discrimination, or legal liability
• Regulatory penalties for the organization
🛡️ Protection Needed:
• Strong encryption, MFA, strict access control
• Continuous monitoring and alerting
• Secure storage, retention limits, and legal compliance (e.g., GDPR, HIPAA)

➢ Cyber Stalking :

Definition:
1.Cyberstalking is the act of harassing, threatening, or intimidating someone using
digital technologies such as the internet, social media, email, messaging platforms,
or other online channels. It often involves persistent and unwanted attention, and it
can escalate into real-world threats.
 Types of Cyberstalker Attacks

1. Email Harassment
• The cyberstalker sends repeated, unwanted emails.
• Content may include threats, blackmail, false accusations, or spam.
• Goal: To intimidate, manipulate, or mentally disturb the victim.

2. Social Media Stalking

• Stalker monitors or harasses victims on platforms like Facebook, Instagram, Twitter.
• May involve:
o Posting defamatory content
o Creating fake profiles to impersonate the victim
o Commenting obsessively or sending DMs
• Goal: To control, shame, or follow the victim's online activities.

Cyberbullying
• Use of insults, threats, or humiliation repeatedly via digital platforms.
• Targets the victim’s mental health and self-esteem.
• Often seen in teenage and school-related cyberstalking cases.

4. Hacking and Surveillance

• Cyberstalker gains unauthorized access to victim’s:
o Email accounts
o Social media
o Webcam or microphone
• May install spyware or keyloggers to monitor communications.
• Goal: To track activities, steal personal info, or blackmail.

5. Doxxing
• The stalker publicly shares private data about the victim:
o Home address
o Phone number
o Work location or family information
• Often posted on forums or social media to encourage others to harass.
• Goal: To threaten physical safety or damage reputation.

6. GPS and Location Tracking

• Stalker uses mobile apps, GPS trackers, or geotags on photos to track the victim.
• May exploit data from:
o Social media check-ins
o Fitness apps
o Shared devices
• Goal: To physically follow or ambush the victim.

7. Fake Identity Creation (Catfishing or Impersonation)

• The stalker creates fake profiles to:
o Pretend to be the victim
 o Engage with the victim’s contacts
o Damage reputation or gain personal information
• Often used for emotional manipulation or spreading lies.

8. Threatening Messages and Online Blackmail

• The stalker threatens to release private content (e.g., photos, videos, chats).
• May demand money, favors, or silence.
• Can escalate into sextortion or criminal harassment.

9. Denial of Service (DoS) or Account Flooding

• Victim’s accounts are overwhelmed with spam, login attempts, or service requests.
• May lead to account suspension or loss of access.
• Goal: To disrupt the victim’s online presence or cause frustration.

➢ Who are cyber criminals? What are types of cyber crimes.

Who Are Cyber Criminals?

Cyber criminals are individuals or groups who use computers, networks, or the
internet to commit illegal activities. Their motives typically include financial gain,
data theft, disruption, espionage, or revenge.
They can range from:
• Individual hackers acting alone
• Organized crime groups
• State-sponsored attackers
• Even insiders (employees misusing access)

Types of Cyber Crimes (In Depth)

1. 🛑 Hacking
What it is:
Gaining unauthorized access to data, systems, or networks with the intent to steal,
alter, or destroy information.
How it works:
• Exploiting system vulnerabilities or weak passwords
• Using tools like keyloggers, brute force attacks, or backdoors
Impact:
• Data breaches, service disruption, or financial loss
• Loss of trust and reputational damage
Example:
The 2017 Equifax hack where sensitive info of over 147 million people was stolen.

2. 🎣 Phishing
 What it is:
Fraudulent attempts to get sensitive information by pretending to be a trustworthy
source.
How it works:
• Fake emails, messages, or websites ask users to enter login details or payment info
• Often impersonates banks, tech support, or government agencies
Impact:
• Identity theft, account hijacking, financial fraud
Example:
An email from a “bank” asking the victim to update their password via a fake
website.

3. 🦠 Malware Attacks
What it is:
Malicious software designed to damage, disrupt, or gain unauthorized access to
systems.
Types of Malware:
• Viruses: Spread by attaching to files
• Worms: Self-replicating and spread without user interaction
• Trojans: Appear legitimate but carry malicious code
• Ransomware: Encrypts data and demands payment to unlock it
• Spyware: Secretly monitors user activity
Impact:
• System failure, data loss, extortion, surveillance
Example:
WannaCry ransomware attack in 2017 affected thousands of organizations globally.

4. 🕵️‍♂️ Cyberstalking
What it is:
Use of the internet to harass or stalk an individual.
How it works:
• Repeated unwanted messages, threats, or surveillance
• May include doxxing (posting personal info), fake profiles, or GPS tracking
Impact:
• Mental health issues, fear, reputational harm, and physical threats
Example:
An ex-partner using fake social media accounts to threaten or monitor their victim.

5. 🧑💼 Identity Theft
What it is:
Stealing someone's personal information to impersonate them online.
How it works:
• Phishing or malware used to collect personal data
• Data sold on the dark web or used for financial gain
Impact:
• Fake loans or credit taken in victim’s name
• Damage to financial standing and legal troubles
Example:
Using someone’s Social Security Number to open a fraudulent bank account.

6. 💳 Online Fraud and Scams

What it is:
Tricking victims into giving money or services through deception.
Types include:
• Lottery scams
• Fake job offers
• Online shopping fraud
• Investment scams
Impact:
• Financial losses
• Emotional stress or legal consequences for victims
Example:
A fake e-commerce site collects payments but never ships products.

7. 🔞 Child Exploitation and Online Abuse

What it is:
Using the internet to target, exploit, or abuse minors.
How it works:
• Sharing or producing child sexual abuse material (CSAM)
• Grooming children via chat or social media
• Luring minors for meetings
Impact:
• Psychological trauma
• Legal penalties for the offender
• Devastating impact on victims and families
Example:
Adults pretending to be teenagers on gaming or chat platforms to target minors.

8. 🧑🎓 Cyber Espionage
What it is:
Spying using digital means to gather classified or sensitive data.
How it works:
• Malware or hacking tools used by nation-states or competitors
• Targets governments, defense, or major corporations
Impact:
• National security threats
• Economic damage or competitive disadvantage
Example:
State-sponsored groups hacking government agencies for intelligence.

9. ⚠️ Cyber Terrorism
What it is:
Use of technology to conduct attacks that cause fear, disruption, or damage.
How it works:
• Attacks on infrastructure (power, water, transport)
• Spreading propaganda or fake news
• Use of DDoS to disrupt critical services
Impact:
• National security threats
• Loss of life or public panic
• Economic instability
Example:
Hacking airport or power grid systems to cause chaos or panic.

10. 🧑💻 Insider Threats

What it is:
Cyber crimes committed by employees or others with internal access.
How it works:
• Stealing sensitive data or sabotaging systems
• Leaking company secrets to competitors or media
Impact:
• Financial loss, trade secret exposure, legal issues
Example:
An employee downloading confidential customer data before quitting.

➢ What Is the IT Act?

The Information Technology Act, 2000, also known as the IT Act, is the primary law
in India that deals with cybercrime and electronic commerce. It provides legal
recognition to electronic documents, digital signatures, and penalizes various
cybercrimes.
Purpose:
To promote secure electronic transactions and prevent cybercrimes such as hacking,
identity theft, data breaches, and online fraud.

⚖️ Objectives of the IT Act

1. Legal recognition of electronic records and digital signatures.
2. Facilitate e-commerce and online business transactions.
3. Prevent and penalize cybercrimes.
4. Provide rules and regulations for cybercafes, digital communication, and IT
infrastructure.
5. Protect privacy and data security of individuals and organizations.

🔍 Key Provisions of the IT Act

1. 📑 Legal Recognition of Electronic Records
• Electronic documents (like e-mails, PDFs) are legally valid, just like paper-based
documents.
2. ✍️ Digital Signatures
• Digital signatures are legally accepted for verifying authenticity of electronic records.
3. 🔐 Cybercrime and Penalties
The IT Act criminalizes various online offenses and prescribes penalties and
punishments.

🚨 Important Sections of the IT Act

Section Description Penalty

Section Unauthorized access, Compensation up to ₹1

43 downloading, virus spreading crore

Section Hacking, data theft, or malicious Imprisonment up to 3

66 cyber activity years + fine

Section Identity theft (using someone's Up to 3 years + ₹1 lakh

66C password or signature) fine

Section Online impersonation or cheating Up to 3 years + ₹1 lakh

66D (phishing, scams) fine

Section Violation of privacy (sharing Up to 3 years + ₹2 lakh

66E private images/videos) fine

Section Publishing obscene or sexually Up to 5 years + ₹10 lakh

67 explicit content online fine

Section Government power to intercept Subject to safeguards

69 or monitor digital info and approval

🛡️ Amendments to the IT Act

• Amendment in 2008 introduced:
o Cyber terrorism (Section 66F)
o Data protection rules
o Liability for intermediaries (like ISPs, social media platforms)
o Stronger privacy and security provisions
 📌 Cybercrimes Covered Under the IT Act
1. Hacking
2. Identity theft and impersonation
3. Cyberstalking
4. Phishing and online fraud
5. Publishing and transmitting obscene content
6. Sending offensive messages through communication services
7. Cyber terrorism

🏛️ Authorities Under the Act

• Controller of Certifying Authorities (CCA): Regulates digital certificates.
• Adjudicating Officers: Handle cybercrime cases with fines below ₹5 crore.
• Cyber Appellate Tribunal: Appeals against adjudicating officers' decisions.
• CERT-In (Indian Computer Emergency Response Team): National agency for
cybersecurity incident response.

📍 Importance of the IT Act

• Provides a legal framework for online activities.
• Ensures accountability and punishment for cybercriminals.
• Boosts trust in digital transactions and the digital economy.
• Helps protect citizens from data breaches and cyber harassment.

➢ List VoIP hacking types and explore any 3? What are the counter measures For it.
1.Voice over IP or Voice over Internet Protocol (VoIP) is a collection of different
technologies and practices that allows the delivery of voice communication,
images, audio, video, through packet data networks over the internet protocol.
2.This makes it very cost-efficient, flexible, and various other advantages as
compared to the older telephonic systems. Hence, it became popular.

3.Voice-over IP hacking is a type of attack carried out by the malicious user for the
purpose of infiltrating the phone system or unauthorized access to the phone
system in order to steal the data

4.This lets the malicious user listen to all the conversations and calls, steal critical
information, to make calls and international calls to frame up huge bills.

5.attacks usually happen when an insider unknowingly gives out information or

conspires with the malicious actors.

Types of VoIP Hacking:

• Unauthorized use: Unauthorized use attack is when the malicious users make use
of the organizations' phone network to make calls to other people or organizations
 pretending to be someone from the organization. The unauthorized malicious
users use auto-dialing and robocalling software with the organization's phone
network system. When a recipient picks up the call, a prerecorded message plays
which might ask them to do some ask such as calling the malicious users, entering
their information or entering their bank or credit card details, etc. These can be
countered by periodically monitoring the history, call logs, etc.
• Toll fraud: When these malicious actors make international calls to other people
and organizations. As the charge of these calls can be fairly expensive and the bill
that will be charged from the organization’s account can often be damaging. This is
called toll fraud.
• Spoofing of Caller ID: In this type of attack, the malicious actors use forged caller
IDs and control them in coordination with other attacks.
• Eavesdropping: Eavesdropping is when an attacker listens to the business calls,
conversations, voicemails, without the user’s knowledge. It usually only happens
when the data is unencrypted or shared over an unencrypted and unsecured
channel.
• Call Tampering: Incall tempering malicious actor tempers a phone call. For
example, the attacker can inject some noise packets to make the quality of the call
bad, or the attacker could hold back the packet delivery in order to create
disturbance in communication.
• Buffer Overflow Attacks: A buffer is a temporary area for data storage. When
more data (than was originally allocated to be stored) gets placed by a program or
system process, the extra data overflow. It causes some of that data to leak out
into other buffers, which can corrupt or overwrite whatever data they were
holding. In a buffer-overflow attack, the extra data sometimes holds specific
instructions for actions intended by a hacker or malicious user; for example, the
data could trigger a response that damages files, change data, or unveils private
information.
• DoS Attacks:n A DDoS attack, the attacker tries to make a particular service
unavailable by directing continuous and huge traffic from multiple end systems.
• Viruses and malware: A virus is a fragment of code embedded in a legitimate
program. Viruses are self-replicating and are designed to infect other programs.
Malware is software that gets into the system without user consent with an
intention to steal private and confidential data of the user that including bank
details and passwords.
• Man-in-the-middle attacks: Man In The Middle Attack implies an active attack
where the attacker/Hacker creates a connection between the victims and sends
messages between them or may capture all the data packets from the victims.

Countermeasures:

• Choose a trusted VoIP provider with a good track record.

• Admin access should be implemented in a controlled and careful manner.
• VPNs should be used in case of remote access.
• Detailed network tests should be done periodically.
• VPNs should be used and their endpoint filtering should be enabled.
• Regularly checking history, access, and call logs.
• Passwords used should be strong.
• 2FA should be enabled.
• VoIP firmware and OS should always be up to date.
• Mobile Hacking:
• What is Mobile Hacking?
1.Mobile hacking is the unauthorized access, control, or surveillance of mobile
devices (like smartphones and tablets). Hackers target these devices to exploit their
connectivity, data storage, and constant use for personal, financial, and business
activities.

• Types of Mobile Hacking Attacks (In Simple Language)

1. Malware (Malicious Software)
What it is: Bad software that sneaks into your phone when you install unknown apps
or click bad links.
What it does:
• Steals your personal info
• Spies on you
• Slows down or controls your phone
Example: A fake game app that steals your photos or messages.

2. Phishing
What it is: Tricks that try to steal your passwords or personal details using fake emails,
texts, or websites.
What it does:
• Makes you think it’s from a bank, friend, or official source
• Gets you to click a fake link and enter your info
Example: A fake message from “your bank” asking for your PIN.

3. Smishing (SMS Phishing)

What it is: Similar to phishing, but happens through text messages.
What it does:
• Sends you a fake SMS with a link
• Clicking the link may install a virus or steal your data
Example: “Your package is delayed. Click here to track it.”

4. Spyware
What it is: Hidden apps that watch what you do on your phone.
What it does:
• Records your messages, calls, and location
• Sends this information to a hacker
Example: An app secretly listening to your conversations.
5. Ransomware
What it is: A type of malware that locks your phone or files.
What it does:
• Blocks access to your data
• Demands money ("ransom") to unlock it
Example: You see a screen saying “Pay $100 or lose your photos.”

6. Man-in-the-Middle Attack (MITM)

What it is: A hacker secretly listens to what you’re doing online.
What it does:
• Happens mostly on public Wi-Fi
• Can read what you send (like passwords or messages)
Example: Using free Wi-Fi in a café, and someone steals your login info.

7. SIM Swapping
What it is: A hacker tricks your mobile provider to take over your phone number.
What it does:
• Gets your calls and texts
• Can break into accounts using text verification (OTP)
Example: You stop receiving calls, and someone hacks your WhatsApp.

9. Bluetooth Hacking
What it is: Hackers connect to your phone through Bluetooth without permission.
What it does:
• Can steal your data or send harmful files
• Works if Bluetooth is left on all the time
Example: Someone nearby hacks your phone via Bluetooth in a public place.

10. Juice Jacking

What it is: Using public USB charging stations that secretly steal your data.
What it does:
• Transfers data without you knowing while you charge
• Installs spyware on your phone
Example: Charging your phone at a mall and it gets hacked.

🔐 Tip: How to Stay Safe

• Download apps only from the Play Store or App Store
• Use strong passwords and avoid clicking unknown links
• Keep your phone updated
• Avoid public Wi-Fi for banking or sensitive work
➢ Signs Your Phone Might Be Hacked
• Sudden battery drain
• Phone heating up for no reason
• Strange apps you didn’t install
• Pop-up ads or crashes
• High data usage

➢ Security Threats of mobile device:

1.Use of Untrusted Mobile Devices
Threat: Using a device that is not properly secured or that has been modified (e.g.,
rooted or jailbroken) increases vulnerability.
Why It’s Risky:
• Could have pre-installed malware or spyware.
• Lacks standard security protections (e.g., encryption, secure boot).
• May be compromised before the user ever turns it on (supply chain attacks).
Real-World Example: Counterfeit or low-cost Android devices with built-in spyware
have been sold in some regions.

2. ✅ Lack of Physical Security Controls

Threat: If a device is physically stolen or lost without protection (e.g., no screen
lock or biometric authentication), all stored data is at risk.
Why It’s Risky:
• Thieves can access photos, messages, emails, apps, and more.
• SIM cards can be removed or used for SIM swapping.
• Attackers can clone the device or extract data from storage.
Best Practice: Always use strong passcodes, biometric locks, and remote wipe
features (like “Find My iPhone” or “Find My Device”).

3. ✅ Use of Untrusted Networks

Threat: Public or unsecured Wi-Fi (e.g., in cafes, airports) can be used to intercept
your data.
Why It’s Risky:
• Susceptible to Man-in-the-Middle (MITM) attacks.
• Data like passwords, emails, or payment details can be intercepted.
• Fake Wi-Fi hotspots (evil twins) can be set up to steal data.
Solution: Use a VPN and avoid logging into sensitive accounts on public Wi-Fi.

4. ✅ Use of Untrusted Applications

Threat: Downloading apps from unofficial sources or unknown developers can
introduce malware.
 Why It’s Risky:
• Apps may contain spyware, adware, ransomware, or keyloggers.
• They can steal data, monitor usage, or control the device.
• Some apps request excessive permissions to access sensitive information.
Best Practice: Install apps only from trusted sources like Google Play or Apple App
Store, and check reviews and permissions.

5. ✅ Interaction with Other Systems

Threat: Connecting mobile devices to other systems (PCs, USB ports, external
storage) can spread malware or leak data.
Why It’s Risky:
• Infected computers can transfer malware to your device.
• USB charging stations can perform juice jacking (data theft through charging).
• Corporate or shared systems may log data or sync confidential info unintentionally.
Advice: Use trusted cables and devices; disable data transfer when charging.

➢ Wireless Hacking:

Wireless hacking is when someone illegally accesses or disrupts a wireless

network (like Wi-Fi or Bluetooth) without permission. Hackers do this to steal
data, spy on users, or take control of devices connected to that network.

🔓 Simple Definition:
Wireless hacking is breaking into a wireless network (such as Wi-Fi or Bluetooth) to steal
information, monitor activity, or perform illegal actions — all without the owner's
permission.

🧠 How It Works (Simply Explained)

Wireless networks use radio waves, which can be intercepted by hackers. If the
network isn’t well protected (e.g., weak passwords, old encryption), hackers can:
• Connect to the network
• Steal sensitive data (like passwords, emails, or bank info)
• Install malware on connected devices
• Monitor traffic or spy on you

📶 Common Types of Wireless Hacking

1. Wi-Fi Hacking
• Breaking into Wi-Fi networks using weak passwords or outdated encryption (like
WEP).
• Example: A hacker nearby connects to your home Wi-Fi and watches what
websites you visit or steals your data.
 2. Evil Twin Attack
• The hacker sets up a fake Wi-Fi hotspot with the same name as a real one (e.g.,
"Starbucks_WiFi").
• You connect by mistake, and the hacker watches your traffic.
3. Packet Sniffing
• Hackers use tools to capture and read the data being sent over a network (like
usernames, passwords, or messages).
• Happens mostly on open or public Wi-Fi networks.
4. Bluetooth Hacking
• Hackers connect to your device using Bluetooth to send viruses, steal data, or
control your phone.
5. Man-in-the-Middle (MITM) Attack
• Hacker secretly places themselves between you and the internet, intercepting
everything you send and receive.

⚠️ Dangers of Wireless Hacking

• Data theft (passwords, banking info)
• Identity theft
• Malware infection
• Device control or spying
• Financial loss
•
🔐 How to Stay Safe from Wireless Hacking
• Use strong Wi-Fi passwords and WPA3 encryption
• Avoid public Wi-Fi or use a VPN
• Turn off Bluetooth when not in use
• Keep your devices and software updated
• Don’t connect to unknown or untrusted networks

➢ Countermeasures Against Wireless Hacking

To protect yourself and your network from wireless hacking, you can take several
simple but powerful security steps. These measures help block hackers from
accessing your Wi-Fi, Bluetooth, or any wireless communication.

🔒 1. Use Strong Wi-Fi Encryption

• Always use WPA2 or WPA3 security for your wireless network.
• Avoid older encryption methods like WEP — they are easy to break.
✅ How to Do It:
Go to your router settings → Wireless Security → Set WPA2/WPA3 and a strong
password.

🧩 2. Set a Strong Wi-Fi Password

 📵 3. Turn Off Unused Features (Bluetooth & Wi-Fi)

🔐 5. Change Default Router Settings

• Change the default router username and password.
• Hackers know the factory settings like “admin/admin.”
✅ Tip: Also change the router’s default SSID (network name) to something unique
and unidentifiable.

🔄 6. Keep Devices & Firmware Updated

🧱 7. Use a Firewall
• A firewall helps block unwanted traffic from reaching your device or network.
• Use the router’s built-in firewall or install one on your device.

🕵️‍♂️ 8. Use a VPN (Virtual Private Network)

• A VPN encrypts your internet traffic, even on public Wi-Fi.
• Makes it very hard for hackers to read or steal your data.

🚫 9. Avoid Connecting to Unknown Wi-Fi

📲 10. Install Mobile Security Apps

✓ Another imp ques:

1. Write Advantages of cyber law.
• What is Cyber Law?
▪ Cyberlaw also referred to as cybercrime law or Internet law, calls to the legal system
that controls behaviors and deals in the digital world.
▪ Through the protection of information access from unauthorized users, Internet-
related freedom of speech, privacy, communications, email, websites, intellectual
property, hardware, and software, including data storage devices, cyber laws help
to lessen or prevent large-scale cybercrime.

Types of Cyber Law

• Cybercrime Laws:
• International Cyber Laws:
• Cybersecurity Laws.
• E-commerce Laws:
• Privacy Laws: .
• Cyber Defamation Laws:

➢ Advantages of Cyber Law

Below are some advantages of cyberlaw
 • Data privacy: One of the main issues covered by cyber laws is the protection of
people's digital information.
• Awareness and Education: India's cyber laws place a strong focus on the need for
education and awareness raising about digital rights and cybersecurity.
• Safe intellectual property: Cyber regulations secures intellectual property rights,
which promote innovation, creativity, and technological advancement.
• Cybersecurity Standards: These laws address the changing cyber threat scenario to
insert in place protection for the security of their networks and systems.
• Prevention of Cybercrimes: Cyber laws are very crucial for stopping and
fighting hacking. By criminalizing such actions, internet laws act as a barrier,
dissuading potential criminals from participating in illegal behavior.
• Encouraging Online Shopping: India's cyber regulations provide a favorable
atmosphere for online business. They provide the legal foundations for digital
signatures, electronic payment methods, and electronic contracts, they ensure the
enforceability of electronic transactions and the legitimacy of digital signatures, and
these rules contribute to the development of confidence between buyers and sellers.
➢ Disadvantages of Cyber Law
Below are some disadvantages of cyberlaw
• Reputational Damage: Cyberattacks have the potential to damage an organization's
reputation by threatening customer assurance and trust.
• Complexity: Because cyber laws are such a complicated topic, specific knowledge
and experience are needed. Effective security measure implementation and
maintenance may be challenging for small enterprises due to a lack of funding for
the employment of specialized cybersecurity personnel.
• Resource constraints: It's viable that law enforcement organizations and court
systems don't have the tools or technology infrastructure needed to successfully
enforce cyber laws and bring charges against offenders.
• Possibility of Human Error: One of the biggest risks to cyber security is human errors.
Employees can unintentionally download a file consisting of a virus or click on a
malicious link, which would compromise the network as a whole. Human mistake
poses a danger even in the presence of strong security measures.

2.Life Cycle of Cyber Forensics (Detailed Explanation)

1. Identification
🔹 What is it?
This is the first step where investigators detect and define the incident. It involves
identifying the scope, impact, and type of cybercrime that has occurred.
🔹 Key Actions:
• Recognize a security breach or suspicious activity (e.g., unauthorized login, data
leak).
• Identify which devices, systems, files, or users may be involved.
• Determine the type of data that might be evidence (emails, logs, databases, USB
devices, etc.).
🔹 Example:
An employee reports their email account was hacked. The forensic team identifies
the email server, user device, and network logs as potential sources of evidence.

2. Preservation
🔹 What is it?
Preservation ensures that digital evidence is not altered or destroyed before or
during the investigation. This step protects the original state of the data.
🔹 Key Actions:
• Isolate affected systems from the network (to prevent further tampering).
• Use write blockers to prevent changes when copying data.
• Make forensic images (exact bit-by-bit copies) of hard drives, mobile devices, or
memory.
• Maintain the chain of custody (a log that documents every person who handles the
evidence).
🔹 Why It Matters:
Even a small change in metadata (like file access time) can invalidate evidence in
court.

3. Collection (Acquisition)
🔹 What is it?
This step is about gathering all relevant digital data from identified sources. It
includes physical devices (laptops, USBs, phones) and digital files (emails, logs, cloud
data).
🔹 Key Actions:
• Collect storage devices, log files, network traffic, chat messages, etc.
• Copy volatile data (RAM contents, running processes) before shutdown.
• Ensure data integrity using hash values (MD5, SHA-1).
🔹 Example:
Extracting email logs and browser history from a suspect’s computer, and memory
data from a compromised server.

4. Examination
🔹 What is it?
Examination involves filtering, recovering, and organizing the collected data to
isolate useful evidence.
🔹 Key Actions:
• Recover deleted files, emails, or browsing history.
• Use forensic tools to search for keywords, file types, IP addresses, and timestamps.
• Identify hidden partitions, steganography, or encryption.
🔹 Tools Used:
 • FTK (Forensic Toolkit)
• Autopsy/Sleuth Kit
• EnCase
• Wireshark (for network analysis)

5. Analysis
🔹 What is it?
Analysis is the most critical stage where investigators connect the dots to explain
what happened, how, when, and who was involved.
🔹 Key Actions:
• Build timelines of events.
• Correlate logs, file actions, emails, and user behavior.
• Identify unauthorized access, data exfiltration, or malware.
🔹 Goal:
To reconstruct the digital crime and support conclusions with strong technical
evidence.

6. Documentation
🔹 What is it?
All findings, tools used, methods followed, and timelines must be documented. This
step ensures the investigation is transparent, repeatable, and legally valid.
🔹 Key Actions:
• Log every step taken, who performed it, and what was found.
• Take screenshots, preserve logs, and record hash values.
• Document the full chain of custody.
🔹 Importance:
Without proper documentation, the investigation may be considered invalid or
incomplete in court.

7. Presentation
🔹 What is it?
This is the final stage where the findings are shared with stakeholders — such as law
enforcement, legal teams, or company management.
🔹 Key Actions:
• Create a clear, non-technical report of what happened.
• Explain the evidence and conclusions in understandable terms.
• Prepare to testify in court or provide expert witness support.
🔹 Example:
A forensic expert presents evidence in court showing that a particular user account
was used to steal company data via USB.

3.What is Botnet? How to protect from botnet?

What is a Botnet?
 A botnet (short for "robot network") is a group of infected devices — such as
computers, smartphones, or IoT devices — that are controlled remotely by a hacker
(called a "botmaster" or "bot herder") without the owners knowing.
Once infected, these devices (called bots or zombies) can be used to perform
cyberattacks like:
• Sending spam emails
• Launching DDoS (Distributed Denial-of-Service) attacks
• Stealing personal data
• Spreading malware to other systems

🕷️ How Botnets Work (Simple Explanation)

1. A user unknowingly installs malware on their device (through a fake email, app, or
download).
2. This malware connects their device to a command-and-control (C&C) server
controlled by a hacker.
3. The hacker can now send commands to thousands or millions of infected devices at
once.
4. These bots perform malicious tasks without the user’s knowledge.

🔥 Real-Life Example
• Mirai Botnet (2016): Infected IoT devices like smart cameras and routers, launching
massive DDoS attacks that shut down big websites like Twitter, Netflix, and Reddit.

🛡️ How to Protect Yourself from a Botnet Infection

Here’s a practical list of actions to protect your devices from becoming part of a
botnet:

✅ 1. Install Antivirus and Anti-Malware Software

• Use reputable security software that can detect and remove botnet malware.
• Keep it updated daily.

✅ 2. Keep Your Devices Updated

• Always install the latest security updates for your OS, apps, and firmware (especially
on routers and IoT devices).
• Botnets often exploit known vulnerabilities.

✅ 3. Avoid Suspicious Links and Downloads

• Don’t click on unknown email attachments or fake links.
• Avoid downloading cracked software, pirated games, or unofficial apps.

✅ 4. Use Strong Passwords

• Use unique, strong passwords for all your accounts and devices.
• Change the default passwords on your router and smart home devices.
 ✅ 5. Enable a Firewall
• Firewalls help block suspicious communication between your device and a botnet
controller.

✅ 6. Secure IoT Devices

• Change factory-set usernames/passwords on smart devices.
• Disable unnecessary features like remote access if not needed.
• Keep their firmware updated.

✅ 7. Monitor Network Activity

• Use tools or routers that let you monitor which devices are connected to your
network.
• Look for suspicious spikes in internet usage or unknown devices.

✅ 8. Educate Yourself and Others

• Learn about common phishing attacks and social engineering tricks.
• Train employees or family members to recognize cyber threats.

⚠️ Signs Your Device May Be in a Botnet

• Device is unusually slow
• Internet data usage is very high
• Battery drains quickly (on phones)
• Device gets hot or freezes often
• Unknown processes running in the background

4.Explain the terms: i) Virus ii) Phishing iii) Spoofing iv) Phone phishing
v) Internet pharming vi) Cyber Forensic

i) Virus
✅ Definition:
A virus is a type of malware (malicious software) that attaches itself to a host file or
program and spreads from one computer to another when the infected file is executed.
🧠 How It Works:
• A virus remains dormant until the infected file is opened.
• Once active, it can replicate itself, infect other files, and spread to other systems
via USB drives, emails, networks, etc.
• It may delete files, corrupt data, steal info, or crash the system.
💥 Example:
You download a free game from an untrusted website. The game contains a virus that,
when run, deletes important files on your computer.
ii) Phishing
✅ Definition:
Phishing is a form of social engineering attack where attackers try to trick users into
revealing sensitive information like passwords, credit card numbers, or personal details
by pretending to be trustworthy sources.
🧠 How It Works:
• Attackers send fake emails, text messages, or links that look like they come from
real companies (like banks or government agencies).
• These messages often lead to fake websites designed to steal your login
credentials or personal information.
💥 Example:
You receive an email saying “Your bank account has been locked. Click here to verify your
account.” When you click the link, it takes you to a fake bank login page that steals your
username and password.

iii) Spoofing
✅ Definition:
Spoofing is the act of disguising a communication from an unknown source to appear as
if it’s coming from a trusted one.
🔍 Types of Spoofing:
• Email Spoofing: The sender’s email address looks legit but is fake.
• IP Spoofing: An attacker sends data using a fake IP address to hide their identity or
impersonate a system.
• Caller ID Spoofing: The number that appears on your phone looks familiar or
trustworthy, but it’s faked.
💥 Example:
A hacker sends an email that appears to be from your boss, asking you to transfer money
to a specific account.

iv) Phone Phishing (Vishing)

✅ Definition:
Phone phishing, also called vishing (voice phishing), is a telephone scam where
cybercriminals try to trick victims into giving confidential information over the phone.
🧠 How It Works:
• The attacker may impersonate a bank representative, government official, or tech
support agent.
• They often use scare tactics like saying your account has been hacked or you owe
money.
💥 Example:
You get a call saying, “This is your bank. We've detected suspicious activity. Please provide
your account number and PIN to verify.”
v) Internet Pharming
✅ Definition:
Pharming is a cyberattack where users are redirected from a real website to a fake one,
even if they typed the correct address.
🧠 How It Works:
• Attackers manipulate the DNS (Domain Name System) or infect your device with
malware.
• You visit your bank's website, but are silently redirected to a fake site that looks
identical to the real one.
• When you enter your login details, they are sent to the hacker.
💥 Example:
Typing www.yourbank.com in your browser takes you to a lookalike fake site where your
credentials are stolen.

vi) Cyber Forensic (Digital Forensics)

✅ Definition:
Cyber forensics is the field of investigation that involves collecting, analyzing, and
preserving digital evidence to solve cybercrimes and support legal proceedings.
🧠 Purpose:
• Investigate crimes like hacking, identity theft, data breaches, and digital fraud.
• Recover deleted files, track online behavior, and find out how a system was
attacked.
🔍 Key Steps:
1. Identification: Recognize that a crime has occurred.
2. Preservation: Secure evidence so it is not altered.
3. Collection: Gather digital evidence legally.
4. Examination & Analysis: Review and interpret the data.
5. Documentation & Presentation: Report findings for court or investigation.
💥 Example:
After a ransomware attack, cyber forensic experts analyze the infected system to trace
the origin, identify the hacker, and recover encrypted data.