
The term "social engineering" covers a broad range of malicious activities carried out through human interaction. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information. Security, in this sense, is about knowing who and what to trust: when to take someone at their word, when not to, and whether the person you are speaking with is really who they claim to be. The same applies to online interactions and website use: when do you trust that the website you are using is reputable or secure enough to be given your personal information? One of many social engineering cases is business email compromise (BEC), a fraud in which attackers gain access to a corporate email account and pose as the account's owner. They then use that email account to commit fraud against the organization, its employees, vendors, and trading partners.

Social engineering attacks happen in one or more steps. A perpetrator first investigates the intended victim to gather necessary background information, such as potential points of entry and weak security protocols, needed to proceed with the attack. Then, the attacker moves to gain the victim’s trust and provide stimuli for subsequent actions that break security practices, such as revealing sensitive information or granting access to critical resources. (What is Social Engineering | Attack Techniques & Prevention Methods | Imperva, 2022)

As technology has become part of everyday life, the number of internet users has grown.

Figure 5: Number of internet users over the years

Source: https://financesonline.com/number-of-internet-users/

The figure above shows that the number of internet users rose from 1.1 million in 2006 to 5.1 million in 2020. Social engineering is the cybercriminal's preferred method of hacking humans, as demonstrated by the 270% increase in social engineering threats found by SlashNext in 2021. (Social Engineering Threats Rose 270% in 2021 – Indicating a Shift to Multi-Channel Phishing Attacks as Apps and Browsers Move to the Cloud, 2022)

1.1 Sample Case

One of the most widely reported recent social engineering cases involved the automaker Toyota. Attackers targeted Toyota Boshoku Corporation as part of a business email compromise (BEC) fraud. The BEC scam resulted in total financial losses of up to $37 million ($4 billion), which the company is now attempting to recoup with the help of law enforcement.

On the surface, the BEC ruse did not appear particularly clever. A BEC scam is essentially an advanced phishing or ransomware fraud in which employees of a multinational firm are urged, from fake email accounts and under a fake business pretext, to wire money to foreign bank accounts. BEC attacks are now commonplace worldwide and mainly target finance and accounting departments. In this case the scam was simple: a third-party attacker posing as a business partner of a Toyota subsidiary sent emails to finance and accounting employees requesting that funds be transferred to a bank account controlled by the attacker.

1.2 Source of Evidence

One source of evidence in this social engineering case is the set of email addresses used to commit the offence: the attackers emailed the victim while posing as someone Toyota would trust, making the messages look as though an executive had sent them. From those emails, the IP addresses of the senders can be recovered and compared with the IP address of the person being impersonated. If the two addresses differ, the address taken from the fraudulent email belongs to the attackers. The IP address found in the emails can then be used by forensic experts to obtain a geolocation.

Another source of evidence is the hackers' computers. Once the hackers' geolocation is known, forensic experts can obtain a search warrant to seize the hackers' computers together with any other devices found with them. After the seizure, forensic experts can establish what the hackers searched for, which websites they visited, the people they stalked, and any malware they used.

1.3 Collection of Evidence

Although the article does not specify it, we can theorise that the evidence of the social engineering was collected by tracing back every email address used against the victims, looking at the full email header, from which the forensic experts would read the IP address of the sender. After examining all of the email addresses and finding the IP addresses of all of the senders, they can prove that the emails used to harass and threaten the victims did not come from a Toyota executive. Verification from the ISP of those IP addresses then tells the forensic experts which subscriber was using each IP address at that time.

Figure 2: The full email header
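The header tracing described above can be automated. The following Python script is an added example and is not code from the original report or from the Toyota investigation: it walks the Received: chain of a raw message from the bottom up to find the originating host, compares the From: domain with the Return-Path domain, reads the Received-SPF result, and checks the originating IP against the hosts the impersonated executive normally sends from. The message, the domains (example.com, mail-example-lookalike.test), the IP addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and the "known executive hosts" set are all constructed for the example.

```python
"""Trace the originating IP of an email from its Received: chain and flag
sender inconsistencies. Added example; the message below is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From: claims an executive at example.com, but the
# first hop (bottom Received: line) comes from an unrelated host and the
# Return-Path points at a lookalike domain.
SAMPLE_RAW = """\
Return-Path: <finance-urgent@mail-example-lookalike.test>
Received: from mx.example.com (mx.example.com [203.0.113.10])
\tby inbox.example.com with ESMTP id ABC123; Mon, 1 Aug 2022 09:15:02 +0000
Received: from relay.mail-example-lookalike.test (unknown [198.51.100.77])
\tby mx.example.com with ESMTP id XYZ789; Mon, 1 Aug 2022 09:14:58 +0000
Received-SPF: fail (example.com: 198.51.100.77 is not designated as permitted sender)
From: "CFO, Example Corp" <cfo@example.com>
To: accounts-payable@example.com
Subject: Urgent wire transfer
Message-ID: <1@mail-example-lookalike.test>

Please wire the attached invoice amount today.
"""

# Constructed: IPs the real executive's mail is known to originate from.
KNOWN_EXEC_HOSTS = {"203.0.113.25"}

# Bracketed IPv4 literal as written by MTAs in Received: headers.
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw: str) -> list:
    """Return the relay IPs in header order: first = closest to the
    recipient, last = the host that first injected the message."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = IPV4_IN_BRACKETS.search(value)
        if m:
            hops.append(m.group(1))
    return hops


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def analyse_headers(raw: str, known_hosts=KNOWN_EXEC_HOSTS) -> dict:
    """Collect the facts an examiner compares: origin IP, claimed sender
    domain, envelope sender domain and SPF verdict, plus a findings list."""
    msg = message_from_string(raw)
    hops = received_hops(raw)
    origin_ip = hops[-1] if hops else None
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_domain = domain_of(from_addr)
    rp_domain = domain_of(return_path)
    spf = (msg.get("Received-SPF") or "").split(" ", 1)[0].lower()

    findings = []
    if from_domain != rp_domain:
        findings.append("Return-Path domain differs from From: domain")
    if spf == "fail":
        findings.append("SPF failed for the originating host")
    if origin_ip and origin_ip not in known_hosts:
        findings.append("originating IP is not a known host of the claimed sender")
    return {
        "origin_ip": origin_ip,
        "hops": hops,
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "spf": spf,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in analyse_headers(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

The origin IP is the one to take to the ISP for a subscriber lookup; the earlier hops only identify the receiving organisation's own mail servers. Headers above the first hop written by your own servers are trustworthy; anything below can be forged by the sender, which is why the SPF result recorded by your own MX carries more weight than the Received: text itself.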

One way to collect evidence of the hackers' internet use is browser forensics. Using the browser's cache and cookies, a browser forensic tool can show which websites the hackers opened and searched, and which emails they sent.

Figure 7: How a cache viewer works

1.4 Protection of Evidence

Once the forensic experts have seized the hackers' computers, they must first keep the computers in an isolated room that prevents any connection to the network. They must also document the chain of custody, as stated: “In the chain of custody, the names, titles, and contact information of the individuals who identified, collected, and acquired the evidence should be documented, as well as any other individuals the evidence was transferred to, details about the evidence that was transferred, the time and date of transfer, and the purpose of the transfer”. (Cybercrime Module 6 Key Issues: Handling of Digital Evidence, 2022)

Another step in protecting the evidence is imaging. “Digital forensic imaging is defined as the processes and tools used in copying a physical storage device for conducting investigations and gathering evidence. This copy doesn't just include files, which are visible to the operating system, but every bit of data, every sector, partition, files, folders, master boot records, deleted files, and unallocated spaces. The image is an identical copy of all the drive structures and contents”. (Digital Forensic Imaging: Types & Examples, 2022) “Forensic imaging is the court of law accepted standard for the preservation of computer-based evidence. As per section 65 (B) of the Indian Evidence Act, 1872, it is admissible in the court of law provided that it is not being tampered.” (KNOWLEDGE, GK and Javaid, 2022)
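The two protection steps above, a chain-of-custody record and an image that can be shown not to have been tampered with, can be tied together by hashing. The Python below is an added example, not code from the report or from any forensic tool: it computes the SHA-256 of an image at acquisition, then keeps a custody log in which every entry carries the fields the quoted guidance lists (handler, title, contact, recipient, time, purpose) and the hash of the previous entry, so that editing the image or editing an earlier log entry is detectable. The "image" is a constructed byte string standing in for a real bit-for-bit disk copy, and the exhibit id and names are placeholders.

```python
"""Hash a forensic image and keep a tamper-evident chain-of-custody log.
Added example; the image is a constructed byte string, not a real drive."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a disk image. A real image comes from an imaging
# tool and is gigabytes in size; only the hashing logic matters here.
CONSTRUCTED_IMAGE = bytes(range(256)) * 64 + b"\x00" * 4096


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the whole image; changing any single bit changes it."""
    return hashlib.sha256(data).hexdigest()


def _digest(entry: dict) -> str:
    """Stable hash of a log entry (keys sorted so the order cannot drift)."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Chain-of-custody log bound to one evidence item.

    Each entry records who handled the item, who received it, when and why,
    and the hash of the previous entry (the acquisition hash for the first
    entry), so removing or rewriting an earlier entry breaks the chain.
    """

    def __init__(self, item_id: str, image: bytes):
        self.item_id = item_id
        self.acquisition_hash = sha256_hex(image)
        self.entries = []

    def record(self, action, handler, title, contact, purpose,
               received_by=None, when=None) -> dict:
        previous = self.entries[-1]["entry_hash"] if self.entries else self.acquisition_hash
        entry = {
            "item_id": self.item_id,
            "action": action,
            "handler": handler,
            "title": title,
            "contact": contact,
            "received_by": received_by,
            "purpose": purpose,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "previous_hash": previous,
        }
        entry["entry_hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def image_intact(self, image: bytes) -> bool:
        """True if the image still matches the hash taken at acquisition."""
        return sha256_hex(image) == self.acquisition_hash

    def chain_intact(self) -> bool:
        """True if every entry hashes correctly and links to its predecessor."""
        expected = self.acquisition_hash
        for e in self.entries:
            if e["previous_hash"] != expected:
                return False
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if _digest(body) != e["entry_hash"]:
                return False
            expected = e["entry_hash"]
        return True


def build_example_log() -> CustodyLog:
    """Constructed scenario: the examiner images a seized drive and later
    hands it to the evidence lab. Names and contacts are placeholders."""
    log = CustodyLog("EXHIBIT-001", CONSTRUCTED_IMAGE)
    log.record("acquired", "A. Examiner", "Forensic examiner",
               "a.examiner@example.test", "Imaging of seized laptop drive",
               when=datetime(2022, 8, 1, 9, 0, tzinfo=timezone.utc))
    log.record("transferred", "A. Examiner", "Forensic examiner",
               "a.examiner@example.test", "Delivery to evidence lab",
               received_by="B. Custodian",
               when=datetime(2022, 8, 1, 11, 30, tzinfo=timezone.utc))
    return log


if __name__ == "__main__":
    log = build_example_log()
    print("acquisition hash:", log.acquisition_hash)
    print("image intact:", log.image_intact(CONSTRUCTED_IMAGE))
    print("chain intact:", log.chain_intact())
```

In practice the acquisition hash is written down on the evidence form at the moment of imaging and recomputed before analysis and again before court; a mismatch at either point means the copy can no longer be presented as identical to the seized drive.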

2. Insider Threats

According to Mohammed Nasser Al-Mhiqani et al. (2020), an insider threat is a malicious threat to a company that arises from people within it, such as employees, former employees, contractors, or business partners, who have inside knowledge of the company's security processes, data, and computer systems. The possible threats include fraud, theft of sensitive or economically valuable information, theft of intellectual property, and sabotage of computer systems. The insider threat has become a well-recognised concern and one of the most significant cybersecurity threats. It therefore needs specialised detection systems, methodologies, and tools, including the capacity to identify a malicious insider accurately and quickly. Several studies on insider threat detection and related topics have been presented to address this problem, and several were conducted to improve the conceptual understanding of insider risks. However, there are several limitations, including a lack of real-world examples, biases in drawing conclusions, which remain a major and unresolved concern, and the lack of a study that examines insider threats from a variety of perspectives and covers theoretical, technical, and statistical aspects. The survey aims to present a taxonomy of current insider types, access level, motivation, insider profiling, the security property affected, and the methods attackers use to carry out attacks, together with a review of notable recent work on insider threat detection covering the behaviours analysed, machine-learning techniques, datasets, detection methodology, and evaluation metrics. Insider threats have been studied in several real-life scenarios in order to compile statistical data on insiders. The people described above misuse their access to the organization's network, and this survey exposes the issues experienced by other researchers and gives ideas for overcoming them. They put the company's networks, systems, and sensitive data at risk.

i. Departing employees - Employees who have left the firm involuntarily, such as those laid off for various reasons, are the most typical source of threats. When forced to leave the firm, they may behave irrationally, resulting in violations. Security evaders - Some employees find ways around the organization's security processes to make their work more convenient. They pose a threat because the ways they find are not secure.

ii. Malicious insiders - These are people who harbour ill feeling toward the company. They can leak, edit, or destroy sensitive information held by the company.

iii. Inside agents - These are people who hold negative views of the firm. They can leak, modify, or delete the company's important material.

iv. Third-party partners - These are people who are not on the company's payroll: the vendors, trainers, and suppliers who are given access to the company's network.

2.1. Sample Case

An example of an insider threat: Vishwanath Akuthota, 27, of Albany, pleaded guilty to causing damage to computers owned by The College of St. Rose. On February 14, 2019, Akuthota admitted inserting a "USB Killer" device into 66 PCs. When plugged into a computer's USB port, the "USB Killer" device sends a command to the on-board capacitors, overloading and physically destroying the computer's USB port and electrical system; numerous computer monitors and computer-enhanced podiums owned by the college in Albany were destroyed in the same way. The FBI and APD investigated the matter, and Assistant US Attorney Wayne A. Myers is prosecuting it.

At the end of December 2019, a security researcher uncovered a publicly accessible Microsoft customer support database containing 250 million records gathered over 14 years. The database included customers' email and IP addresses, their geographical locations, and notes made by Microsoft support staff. Microsoft employees had misconfigured the database's security rules, resulting in the unintentional exposure.

2.2. Source of Evidence

Departing employees - According to Ryan Duquette (2016), a review of the log data of all employees who are expected to leave the organization shortly can be a source of evidence. This evidence may be obtained from a user data analytics system, which records, among other things, every user's internet and intranet activity from inside the organization's network. It will show whether the employee has been browsing harmful websites.

Security evaders - According to Routledge (2022), the analysis of network logs of all actions that occur on the network is another source of evidence. All zip files, for example, should be intercepted, as should all files larger than a specific size, and a collection of possibly suspicious filename extensions should also be captured.

Malicious insiders - According to M.S. Vinay (2022), most insider threat detection systems use supervised learning models to identify malicious insiders from insider activity audit data. It is also critical for managers to keep checks on their teams, which may help prevent such incidents. Once again, the log files and the user data analytics system are the place to look. A watch list of employees submitted by the HR team to the IT security team might be a further source.

Inside agents - Based on Yasmin Razack (2022), apart from verifying the log fields, it is crucial to do a complete background check on new personnel. Employees who are suspected might again be put on a watch list. External parties hire these personnel to steal or corrupt an organization's data, and they may seek retaliation against a company by damaging or selling its data or disrupting operations. Employees who purposely exploit sensitive company information for personal advantage are known as snoopers.

2.3. Collection of Evidence

Departing employees - According to Ryan Duquette (2016), the logs of the user data analytics system may be used as a source of proof. This system might be built to employ AI/machine learning so that it gathers all important data proactively.

Security evaders - According to Routledge (2022), the log files of the network communication interceptors are collected, or alternatively the logs of the firewalls used to monitor email servers or web traffic.

Malicious insiders - According to M.S. Vinay (2022), the log files of employees on the watch list are kept and analysed; these log files come from the user data analytics system.

Inside agents - Based on Yasmin Razack (2022), the user data analytics log files of employees who have been put on a watch list are collected, since employees on a watch list are more likely to act maliciously.

Third-party collaborators - CCTV video and the user analytics system's log files are examined.
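Sections 2.2 and 2.3 describe the same evidence pipeline: network and user-activity logs are collected, then screened against the HR watch list, a size threshold, archive file types and risky destinations. The Python below is an added example of that screening and is not code from the report or from any of the cited sources. The proxy log format, the five log lines, the user names, the watch list, the domain list and the 100 MiB threshold are all constructed for the example; a real deployment would read the analytics system's own export.

```python
"""Screen constructed proxy log lines for the insider indicators named in
the text: watch-listed users, large transfers, archive files, risky sites.
Added example; all data below is constructed."""
import os
import re
from collections import defaultdict

# Constructed log: timestamp, user, action, destination, bytes, filename.
CONSTRUCTED_LOG = """\
2022-08-01T09:02:11Z alice UPLOAD files.example-share.test 52428800 q3_customers.zip
2022-08-01T09:05:40Z bob GET intranet.example.com 2048 index.html
2022-08-01T09:07:02Z carol GET pastebin-lookalike.test 1024 raw.txt
2022-08-01T09:09:15Z bob UPLOAD mail.example.com 734003200 backup.7z
2022-08-01T09:11:30Z alice GET intranet.example.com 4096 payroll.xlsx
"""

WATCHLIST = {"alice"}                        # constructed: names HR passed to IT security
RISKY_DOMAINS = {"pastebin-lookalike.test",  # constructed: sites treated as harmful
                 "files.example-share.test"}
SUSPICIOUS_EXT = {".zip", ".7z", ".rar", ".pst"}
SIZE_THRESHOLD = 100 * 1024 * 1024           # constructed: 100 MiB

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\S+)$")


def parse_log(text: str) -> list:
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, user, action, dest, size, fname = m.groups()
        events.append({"ts": ts, "user": user, "action": action,
                       "dest": dest, "size": int(size), "file": fname})
    return events


def detect(events: list) -> list:
    """Apply each rule to each event; one alert per (event, rule) hit.
    Alerts for watch-listed users are raised to high severity."""
    alerts = []
    for e in events:
        hits = []
        ext = os.path.splitext(e["file"])[1].lower()
        if ext in SUSPICIOUS_EXT:
            hits.append(("archive_transfer", f"{e['file']} ({ext})"))
        if e["size"] > SIZE_THRESHOLD:
            hits.append(("large_transfer", f"{e['size']} bytes"))
        if e["dest"] in RISKY_DOMAINS:
            hits.append(("risky_destination", e["dest"]))
        if e["user"] in WATCHLIST and e["action"] == "UPLOAD":
            hits.append(("watchlist_outbound", e["dest"]))
        severity = "high" if e["user"] in WATCHLIST else "medium"
        for rule, detail in hits:
            alerts.append({"ts": e["ts"], "user": e["user"], "rule": rule,
                           "detail": detail, "severity": severity})
    return alerts


def summarise(alerts: list) -> dict:
    """Alert count per user, the view an analyst uses to decide who to
    add to (or escalate on) the watch list."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect(parse_log(CONSTRUCTED_LOG))
    for a in found:
        print(f"{a['ts']} {a['severity']:6} {a['user']:6} {a['rule']:18} {a['detail']}")
    print(summarise(found))
```

The rules are deliberately simple so that each alert can be traced back to one visible line in the log; that traceability is what makes the log usable as evidence later, whereas a model-based score with no explanation is harder to present.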

2.4. Protection of Evidence

Departing employees - According to Ryan Duquette (2016), to establish a chain of custody for legal purposes, the evidence in the log files may be encrypted and passed on to the appropriate institutions.

Security evaders - According to Routledge (2022), once again the evidence in the log files may be encrypted and handed on to the appropriate parties in order to preserve a legal chain of custody.

Malicious insiders - According to M.S. Vinay (2022), the proof in the log files, together with evidence of the employees' previous records, may be retained and handed on to the appropriate parties.

Inside agents - Based on Yasmin Razack (2022), information from the two sources, the log files and the watch list of dissatisfied employees, is correlated.

Third-party partners - CCTV video records may be saved and used as evidence.

My findings show that it is critical to implement a user data analytics system on the organization's internal network. It enables us to examine all employees' usage patterns, including, for example, the websites they visit. Employees who visit dangerous websites may be placed on a watch list.

Author: Jorden Griffin

Comments:
Jorden Griffin - 6 Aug 2022

The main component of a healthy environment for self-esteem is that it needs to be nurturing. The main component of a healthy environment.