Hacking and Unauthorised Access Offences
Unauthorised access offences range from opportunistic intrusions to nation-state espionage, each leaving a distinct digital footprint. This topic covers the legal definitions, common intrusion methods, and investigative indicators that investigators use to attribute and prosecute hacking crimes.
Hacking and unauthorised access offences occur when a person accesses a computer system, network, or stored data without the permission of the owner or without lawful authority. The offence does not require damage or theft: the act of access itself, if unauthorised, is the crime in most jurisdictions. Legal frameworks converge on this definition while differing in how they grade offences by severity. India's Information Technology Act 2000 (sections 43 and 66) treats basic unauthorised access as either a civil wrong (section 43) or a criminal offence (section 66), depending on intent. The UK's Computer Misuse Act 1990 creates three tiers: simple unauthorised access, access with intent to commit further offences, and unauthorised acts that impair a computer. The US Computer Fraud and Abuse Act 1986 prohibits accessing protected computers without authorisation or exceeding authorised access, with penalties that scale with the value of information obtained or damage caused. The European Union's Directive 2013/40/EU harmonises minimum standards across member states.
Every intrusion leaves artefacts. Authentication systems log access attempts, network equipment captures flow records, operating systems record privilege changes, and security tools emit alerts. The investigator's task is to collect these artefacts before they are overwritten, link them into a coherent timeline, and attribute the activity to a specific actor. Attribution is the hardest part: the same IP address can serve thousands of users behind NAT, and skilled attackers chain compromised hosts across multiple countries to obscure their origin. Understanding how attackers operate, the full lifecycle from initial reconnaissance through post-exploitation, directly determines what evidence investigators should look for and where.
The population of offenders is broad. Opportunistic attackers use automated tools to scan for known vulnerabilities and exploit them with no prior knowledge of the target. Organised criminal groups conduct targeted intrusions for financial gain, stealing credentials, payment card data, or intellectual property. Hacktivists seek to embarrass or disrupt organisations for political ends. Nation-state actors pursue long-term covert access for espionage or pre-positioning. Each category generates a different pattern of behaviour, which in turn generates a different evidence profile. Recognising which category an intrusion fits, based on the tools, techniques, and targets observed, guides both the scope of the investigation and the applicable legal framework.
By the end of this topic you will be able to:
- State the key elements of unauthorised access offences under Indian, UK, US, and EU law and identify how each jurisdiction grades offences by severity.
- Describe the main technical methods used to gain unauthorised access, including password attacks, exploitation of vulnerabilities, and social engineering, and explain the evidence each method leaves behind.
- Identify the log sources and artefact types that investigators prioritise in a hacking case and explain why volatile evidence must be collected before disk imaging.
- Explain the limits of IP address evidence in attribution and describe the corroborating evidence needed to support a criminal prosecution.
- Distinguish between opportunistic, financially motivated, hacktivist, and nation-state intrusions based on their observable behavioural and technical indicators.
- Unauthorised access: The act of accessing a computer, network, or data store without permission from the owner or without lawful authority. It is the core element of most hacking offences; neither damage nor theft is a required element of the basic offence in most jurisdictions.
- Credential stuffing: An automated attack that uses lists of username and password pairs obtained from prior data breaches to attempt login on other services, exploiting password reuse. Distinguished from brute-force by its use of real credential pairs rather than exhaustive guessing.
- Privilege escalation: A post-access technique in which an attacker who has gained low-level access to a system exploits a vulnerability or misconfiguration to obtain higher-level privileges, such as administrator or root access, enabling deeper compromise.
- Lateral movement: Activity in which an attacker moves from an initially compromised host to other systems within the same network, typically using valid credentials or exploitation of trust relationships, in order to expand access or reach a specific target.
- Anti-forensic technique: Any action taken by an attacker to destroy, conceal, or alter evidence of their activity. Common examples include log clearing, timestomping, use of encrypted channels, and deployment of rootkits.
- Living-off-the-land (LotL): An intrusion technique in which attackers use tools and executables already present on the victim system, such as PowerShell, WMI, or built-in scripting interpreters, rather than deploying custom malware. This reduces the attacker's footprint and complicates detection.
Legal frameworks for unauthorised access
The core legal question in an unauthorised access case is whether the person had permission. This sounds simple but creates interpretive problems at the boundary: an employee who has access to a database for work purposes but queries it for personal gain may or may not be committing unauthorised access depending on jurisdiction, the scope of the authorisation granted, and the employer's policies.
| Jurisdiction | Primary statute | Basic offence | Aggravated offence |
|---|---|---|---|
| India | IT Act 2000 ss.43 / 66 | Civil liability (s.43); criminal if dishonest intent (s.66) | s.66B (receiving stolen computer resource); s.66C (identity theft) |
| United Kingdom | Computer Misuse Act 1990 | s.1: simple unauthorised access (up to 12 months) | s.3A: making/supplying tools; s.3ZA: causing serious damage (life risk: up to life imprisonment) |
| United States | Computer Fraud and Abuse Act 1986 | Misdemeanour for basic access to protected computer | Felony if financial gain, government computer, or causing damage exceeding $5,000 |
| European Union | Directive 2013/40/EU | Member states must criminalise intentional unauthorised access | Aggravation where organised crime, damage to critical infrastructure, or significant harm |
India's IT Act 2000 was supplemented by the IT Amendment Act 2008, which added sections addressing data theft and identity fraud. Evidence in Indian prosecutions is now governed by the Bharatiya Sakshya Adhiniyam 2023, which replaced the Indian Evidence Act 1872; section 63 of the 2023 Act addresses electronic records and their admissibility. Investigators must ensure that digital evidence is collected and certified in compliance with the current statute, not the superseded one. The Bharatiya Nagarik Suraksha Sanhita 2023 (which replaced the CrPC) governs procedural aspects including search, seizure, and arrest in cybercrime investigations.
Methods of gaining unauthorised access
Attackers gain initial access through a small number of recurring pathways. Understanding each pathway tells the investigator which logs and artefacts to prioritise.
Password-based attacks remain the most common entry vector. Brute-force attacks systematically try credential combinations; they generate large volumes of failed authentication events in logs. Dictionary attacks use wordlists of common passwords. Credential stuffing uses breached credential pairs from other services and generates far fewer failed attempts per account, making it harder to detect with lockout-based controls. Password spraying tries a small number of commonly used passwords against a large number of accounts to stay below per-account lockout thresholds.
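As an added example (not part of the original page), the following Python classifies failed logons per source IP into the brute-force, spraying and stuffing patterns just described, using the Windows 4625 sub-status codes 0xC000006A (existing account, wrong password) and 0xC0000064 (account does not exist); the events and thresholds are constructed assumptions.

```python
"""Classify failed-logon activity per source IP into the patterns the
paragraph above describes. Added example on constructed events (not real
data) shaped like Windows Event ID 4625 fields: timestamp, target account,
source IP and NTSTATUS sub-status, where 0xC000006A means the account exists
but the password was wrong and 0xC0000064 means the account does not exist.
The thresholds are illustrative assumptions, not a standard."""
from collections import Counter, defaultdict

BAD_PASSWORD = "0xC000006A"
NO_SUCH_USER = "0xC0000064"


def classify_sources(events):
    """Return {source_ip: label} for an iterable of
    (timestamp, account, source_ip, sub_status) failed-logon events."""
    per_ip = defaultdict(list)
    for _ts, account, ip, sub in events:
        per_ip[ip].append((account, sub))
    labels = {}
    for ip, attempts in per_ip.items():
        per_account = Counter(acct for acct, _ in attempts)
        accounts = len(per_account)
        max_per_account = max(per_account.values())
        unknown_ratio = sum(s == NO_SUCH_USER for _, s in attempts) / len(attempts)
        if accounts == 1 and max_per_account >= 20:
            labels[ip] = "brute-force"          # one account, many guesses
        elif accounts >= 10 and unknown_ratio >= 0.3:
            labels[ip] = "credential-stuffing"  # breach-dump names that do not exist here
        elif accounts >= 10 and max_per_account <= 3:
            labels[ip] = "password-spraying"    # few guesses each, many accounts
        else:
            labels[ip] = "unclassified"         # e.g. a user mistyping
    return labels


def sample_events():
    """Constructed events covering each pattern plus benign noise.
    Source IPs are from the RFC 5737 documentation ranges."""
    ev = [(f"2024-05-01T02:00:{i:02d}", "admin", "203.0.113.10", BAD_PASSWORD)
          for i in range(30)]                          # brute-force
    ev += [(f"2024-05-01T03:{i:02d}:00", f"user{i:02d}", "203.0.113.20", BAD_PASSWORD)
           for i in range(12) for _ in range(2)]       # spraying: 2 guesses x 12 accounts
    ev += [(f"2024-05-01T04:{i:02d}:00", f"acct{i:02d}", "198.51.100.5",
            NO_SUCH_USER if i < 6 else BAD_PASSWORD)
           for i in range(15)]                         # stuffing: 1 try x 15 names, 6 unknown
    ev += [("2024-05-01T09:00:00", "jsmith", "10.0.0.8", BAD_PASSWORD)] * 2
    return ev


if __name__ == "__main__":
    for ip, label in sorted(classify_sources(sample_events()).items()):
        print(f"{ip:15} {label}")
```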
Exploitation of software vulnerabilities is the second major pathway. Attackers target unpatched systems using public exploit code or custom tools. Remote code execution vulnerabilities in internet-facing services, such as web application frameworks, VPN appliances, and email servers, are particularly valuable because they allow initial access without valid credentials. SQL injection attacks against web applications can expose database contents without requiring system-level access. The evidence profile here includes web server access logs showing anomalous requests, error logs showing unexpected exceptions, and file system artefacts from any payload dropped after exploitation.
Social engineering, including phishing and pretexting, obtains credentials or induces a target to execute malicious code. Spear-phishing targets specific individuals with personalised content. Business email compromise attacks impersonate senior executives or suppliers. The entry point in these cases is often a user's endpoint rather than a server, and the initial access evidence may be an email in the user's mailbox and a malicious document execution event in the endpoint detection log, rather than a network intrusion event.
Supply chain compromise, as seen in the SolarWinds incident (2020), inserts malicious code into legitimate software updates distributed to thousands of organisations. This category is notable because the initial access leaves almost no anomalous indicators at the victim's boundary: the malicious update arrives through the legitimate software distribution channel and is signed with the vendor's certificate. Detection relies on behavioural anomalies after installation rather than at the point of entry.
Evidence sources in hacking investigations
Intrusion investigations are evidence-rich but time-critical. Many log sources are overwritten on short cycles, and volatile memory, which may contain live session tokens, encryption keys, and running process state, is lost when a system is powered down. The sequence of acquisition matters: volatile evidence first, then persistent storage on write-blocked media.
- Authentication logs: Security event logs (Windows Event ID 4624 for successful logon, 4625 for failed logon), Unix/Linux auth.log and secure, and cloud identity provider logs (Azure AD sign-in logs, AWS CloudTrail). These establish who logged in, from where, at what time, and with what method.
- Network flow records: NetFlow, IPFIX, or sFlow records from routers and switches capture source/destination IP, port, protocol, and byte count for every connection. They do not contain payload content but establish the communication pattern.
- Web and application logs: Web server access logs (IIS, Apache, Nginx) record every HTTP request including the source IP, user agent, and response code. Anomalous requests, such as path traversal sequences, SQL metacharacters, or requests for non-existent files in a pattern suggesting scanning, are visible here.
- Endpoint detection and response (EDR) logs: Modern EDR tools record process creation, file writes, registry modifications, and network connections at the host level. These logs often contain the most detailed account of attacker activity post-access.
- Firewall and IDS/IPS logs: Record allowed and blocked traffic at network boundaries and may include signature-based alerts for known attack patterns. Absence of a block alert does not mean no attack occurred: attackers specifically choose techniques that bypass signature detection.
- Volatile memory: RAM acquired using tools such as WinPmem or Magnet RAM Capture may contain running processes, network socket state, cleartext credentials held in memory, and artefacts of fileless malware that leaves no disk artefact.
Attribution: linking access to an actor
Attribution is the process of identifying who conducted an intrusion. Technical attribution establishes the infrastructure and tools used. Legal attribution connects those to a specific person in a way that satisfies evidentiary standards. The two are not the same, and conflating them is a common error in investigative reports.
IP address evidence is the starting point in most cases but is rarely sufficient alone. An IP address from a log establishes that a device at that address made a connection; it does not establish who was operating that device, or whether that device was itself a compromised host. The investigative chain must run from the log entry to an ISP subscriber record, from the subscriber record to the physical location, and from the physical location to the specific individual at the keyboard during the session. Each step requires a separate evidential source and, in most countries, a separate legal process.
Corroborating evidence that strengthens attribution includes: device forensics showing the attacker's tools installed on a suspect's device; communications evidence (email, messaging) referencing the target or the intrusion; financial evidence linking the suspect to proceeds; witness evidence; and behavioural analysis showing that sessions occurred during working hours in the suspect's time zone using keyboard layouts consistent with the suspect's language. In nation-state cases, technical indicators such as reuse of infrastructure, code similarities, and targeting patterns may support an attribution assessment, but these are intelligence assessments rather than criminal evidence.
Attackers who use Tor, commercial VPN services, or chains of compromised hosts complicate attribution significantly. ISP subscriber records for a Tor exit node identify the exit node's operator, not the attacker. Investigators must pursue the chain upstream, which typically requires cooperation from multiple jurisdictions. The Council of Europe Budapest Convention article 29 allows a party to request another party to preserve data urgently while the formal MLAT request is processed, which is valuable when logs are about to be overwritten.
Anti-forensic techniques and countermeasures
Skilled attackers anticipate forensic investigation and take deliberate steps to degrade the evidence they leave. Understanding these techniques allows investigators to know where to look for residual artefacts that survive anti-forensic action.
Log manipulation is the most common technique. Attackers clear Windows Security event logs, delete specific entries from web server logs, or modify syslog files. Countermeasures include forwarding logs to a remote syslog server or SIEM in real time, because clearing the local log does not affect the forwarded copy. Investigators should compare local log state against forwarded log state to detect tampering: a gap in the local log that is absent in the forwarded copy is itself evidence of anti-forensic activity.
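The local-versus-forwarded comparison described above, as an added example that is not part of the original page: the records are constructed, carry the log's own sequence number (EventRecordID on Windows), and the deleted entries reappear from the forwarded copy as a gap report.

```python
"""Detect local log tampering by diffing a host's local event log against
the copy forwarded in real time to a SIEM, as the paragraph above suggests.
Added example on constructed records (not real data). Each record is
(record_id, timestamp, event_id, summary); record_id is the log's own
sequence number (EventRecordID on Windows), so selective deletion shows up
as a gap in the local sequence that the forwarded copy can fill."""


def contiguous_ranges(ids):
    """Collapse sorted ints into inclusive (start, end) ranges."""
    ranges = []
    for rid in ids:
        if ranges and rid == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], rid)
        else:
            ranges.append((rid, rid))
    return ranges


def find_tampering(local, forwarded):
    """Return (gaps, cleared): gaps is a list of (start, end, [removed records])
    for forwarded records missing locally; cleared is True if the local log
    holds Event ID 1102 (the Security log was cleared)."""
    local_ids = {r[0] for r in local}
    fwd_by_id = {r[0]: r for r in forwarded}
    missing = sorted(set(fwd_by_id) - local_ids)
    gaps = [(lo, hi, [fwd_by_id[i] for i in range(lo, hi + 1)])
            for lo, hi in contiguous_ranges(missing)]
    cleared = any(r[2] == 1102 for r in local)
    return gaps, cleared


def sample_logs():
    """Constructed forwarded copy, and a local copy from which records
    103-105 and 107 (the logon, privilege, process and logoff events) were deleted."""
    forwarded = [
        (100, "2024-05-01T01:58:00", 4624, "Logon jsmith from 10.0.0.8"),
        (101, "2024-05-01T02:00:05", 4625, "Failed logon admin from 203.0.113.10"),
        (102, "2024-05-01T02:00:06", 4625, "Failed logon admin from 203.0.113.10"),
        (103, "2024-05-01T02:00:41", 4624, "Logon admin from 203.0.113.10"),
        (104, "2024-05-01T02:00:41", 4672, "Special privileges assigned to admin"),
        (105, "2024-05-01T02:01:10", 4688, "Process created: powershell.exe"),
        (106, "2024-05-01T02:05:00", 4624, "Logon svc_backup from 10.0.0.20"),
        (107, "2024-05-01T02:09:33", 4634, "Logoff admin"),
        (108, "2024-05-01T02:30:00", 4624, "Logon jsmith from 10.0.0.8"),
    ]
    local = [r for r in forwarded if r[0] not in (103, 104, 105, 107)]
    return local, forwarded


if __name__ == "__main__":
    gaps, cleared = find_tampering(*sample_logs())
    for lo, hi, removed in gaps:
        print(f"records {lo}-{hi} missing locally:")
        for rec in removed:
            print("   ", rec)
    print("local log cleared (1102):", cleared)
```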
Timestomping modifies file metadata (creation, modification, and access timestamps) to make malicious files appear to have existed for a long time or to align with a period when the suspect claims to have had no access. The countermeasure is to compare $STANDARD_INFORMATION timestamps (which can be easily modified) against $FILE_NAME timestamps on NTFS systems (which are harder to modify) and against log entries that recorded the file's actual creation.
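The $STANDARD_INFORMATION against $FILE_NAME comparison, plus the cross-check against an independent log record of the file's creation, as an added example that is not part of the original page. The MFT-derived records, paths and the zero-sub-second heuristic are constructed assumptions, and timestamps are simplified to microsecond precision.

```python
"""Flag $SI/$FN timestamp inconsistencies that suggest timestomping, as the
paragraph above describes. Added example on constructed MFT-derived records
(not real data): each carries $STANDARD_INFORMATION (si_*) and $FILE_NAME
(fn_*) created/modified times and, optionally, the creation time an EDR or
other log recorded. Timestamps are ISO strings at microsecond precision, a
simplification of NTFS's 100 ns FILETIME granularity."""
from datetime import datetime


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def timestomp_indicators(rec):
    """Return the indicators found for one record (empty list if none).
    These are investigative leads, not proof: some copy and install tools
    legitimately preserve or truncate timestamps."""
    si_c, si_m = _ts(rec["si_created"]), _ts(rec["si_modified"])
    fn_c = _ts(rec["fn_created"])
    logged = _ts(rec.get("logged_created"))
    hits = []
    # $FN is written by the file system on create/rename and is not settable
    # through the ordinary SetFileTime-style API; $SI predating it means $SI was set back.
    if si_c < fn_c:
        hits.append("SI created precedes FN created")
    if si_m < fn_c:
        hits.append("SI modified precedes FN created (modified before it existed)")
    # Many timestomping tools write second-granularity values, leaving the
    # sub-second field of $SI exactly zero, which is rare for genuine writes.
    if si_c.microsecond == 0 and si_m.microsecond == 0:
        hits.append("SI timestamps have zero sub-second component")
    # An independent record of when the file really appeared (e.g. an EDR
    # file-write event) outranks any on-disk metadata.
    if logged and si_c < logged:
        hits.append("SI created predates the logged creation event")
    return hits


def scan(records):
    """Map each path to its indicators, keeping only files with at least one."""
    result = {}
    for rec in records:
        hits = timestomp_indicators(rec)
        if hits:
            result[rec["path"]] = hits
    return result


SAMPLE_RECORDS = [  # constructed
    {"path": r"C:\Users\jsmith\report.docx",
     "si_created": "2024-03-10T09:15:22.481930", "si_modified": "2024-04-02T14:07:05.110200",
     "fn_created": "2024-03-10T09:15:22.481930"},
    {"path": r"C:\Temp\update.dll",
     "si_created": "2019-06-01T00:00:00.000000", "si_modified": "2019-06-01T00:00:00.000000",
     "fn_created": "2024-05-01T02:13:44.772501",
     "logged_created": "2024-05-01T02:13:44.772000"},
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_RECORDS).items():
        print(path)
        for h in hits:
            print("   -", h)
```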
Living-off-the-land techniques use legitimate system tools, avoiding the deployment of custom malware that would be detected by antivirus or EDR signatures. PowerShell, WMI, and built-in scripting hosts are frequently abused. Investigators counter this by examining PowerShell transcription logs and ScriptBlock logging (if enabled), WMI event consumer subscriptions, and scheduled task histories, which record LotL activity that would otherwise be invisible.
Offender typology and threat intelligence
Placing an intrusion into a threat actor category helps investigators direct their evidence collection and predict the scope of the compromise. Threat intelligence, both from commercial feeds and from open sources such as MITRE ATT&CK, provides structured knowledge about how specific actor groups operate.
Opportunistic attackers use automated scanning tools such as Shodan, Masscan, and Metasploit to identify and exploit known vulnerabilities at scale. They typically do not have a specific target in mind before they find a vulnerable host. The evidence pattern is characterised by generic exploitation tools, short dwell times, and automated post-exploitation scripts. They are often identified by matching their source IPs against threat intelligence blocklists or by the generic nature of their tooling.
Financially motivated groups, including ransomware operators and data brokers, conduct targeted intrusions with clear objectives. They typically maintain longer dwell times, conduct internal reconnaissance, steal credentials, and spread laterally before executing their primary objective. The FIN and UNC group designations used by Mandiant, and the GOLD and CARBON designations used by Secureworks, classify known financially motivated actors by their techniques, infrastructure, and targeting patterns. Investigators working a ransomware case should check whether the TTPs match a known group, because this may indicate the likely exfiltration pathway and the relevant threat intelligence.
Nation-state actors, sometimes termed advanced persistent threat (APT) groups, prioritise stealth and long-term access over speed. They invest in custom malware, zero-day vulnerabilities, and operational security to avoid detection. Dwell times measured in months or years are characteristic. Attribution in these cases, even at the technical level, is typically the work of threat intelligence teams with access to classified or commercially restricted data sets, not individual case investigators. The relevant legal framework for such intrusions includes espionage statutes alongside computer crime laws, and prosecutions are rare due to jurisdictional barriers.
Indicators of compromise (IOCs) including known malicious IP addresses, domain names, file hashes, and registry keys are the primary threat intelligence currency. The Indicators of Compromise topic covers structured IOC formats and their role in detection and investigation in detail.
Under the UK Computer Misuse Act 1990, which element must be present for the basic section 1 offence of unauthorised access?
Key Takeaways
- Unauthorised access is the act of accessing a system without permission; damage is not a required element of the basic offence in most jurisdictions, including under India's IT Act 2000, the UK's Computer Misuse Act 1990, and the US Computer Fraud and Abuse Act 1986.
- Attackers gain initial access through password attacks, vulnerability exploitation, social engineering, and supply chain compromise, each leaving a distinct evidence profile in authentication logs, web server logs, endpoint detection records, and network flow data.
- Volatile memory must be acquired before disk imaging because it may contain running process state, cleartext credentials, and fileless malware artefacts that are lost when the system is powered down; log preservation is equally time-critical because many sources are overwritten within 30 days.
- IP address evidence alone is insufficient for criminal attribution; investigators must build a chain from the log entry through ISP subscriber records to physical location and individual identity, with each step supported by separate evidence and legal process.
- Anti-forensic techniques including log clearing, timestomping, and living-off-the-land abuse are countered by real-time log forwarding to a SIEM, NTFS metadata comparison, and PowerShell transcription logging, which preserve evidence that survives local tampering.