Cyber Crime Investigation and Forensics
A PROJECT REPORT
ON
CYBER CRIME INVESTIGATION AND FORENSICS
Contents:
CYBER CRIME INVESTIGATION ..... 4-31
  What Is Cyber Crime ..... 4
  Examples Include ..... 4
  Definition ..... 4
  Reasons For Cyber Crime ..... 4-5
    Capacity To Store Data In Comparatively Small Space ..... 5
    Easy To Access ..... 5
    Complex ..... 5
    Negligence ..... 5
    Loss Of Evidence ..... 5
  Cyber Criminals ..... 5-6
    Children And Adolescents Between The Age Group Of 6-18 Years ..... 6
    Organized Hackers ..... 6
    Professional Hackers / Crackers ..... 6
    Discontented Employees ..... 6
  Mode And Manner Of Committing Cyber Crime ..... 6-8
    Unauthorized Access To Computer Systems Or Networks / Hacking ..... 6
    Theft Of Information Contained In Electronic Form ..... 7
    Email Bombing ..... 7
    Data Diddling ..... 7
    Salami Attacks ..... 7
    Denial Of Service Attack ..... 7
    Virus / Worm Attacks ..... 7
    Logic Bombs ..... 8
    Trojan Attacks ..... 8
    Internet Time Thefts ..... 8
    Web Jacking ..... 8
  Understand The Fundamentals ..... 9
  Classification Of Cyber Crime ..... 9-10
    Computer As Target ..... 9
    Computer As An Instrumentality ..... 9
    Computer As An Incidental Or Other Crime ..... 10
    Crime Associated With The Prevalence Of Computers ..... 10
  Why Learn About Cyber Crime ..... 10
  Types Of Cyber Crime ..... 10-14
  Email Related Crime ..... 14
  Case Studies ..... 15-20
    Case No.1 ..... 15-16
    Case No.2 ..... 17-18
    Case No.3 ..... 19
    Case No.4 ..... 20
  Characteristics Of Computer Crime ..... 21
  Prevention Of Cyber Crime ..... 21-22
  Questionnaire ..... 23-25
  Relevance Of Evidence ..... 26
    Indian Evidence Act (Amended) ..... 26
    When Oral Admission As To Contents Of Electronic Records Are Relevant ..... 26-27
    Opinion As To Digital Signature Where Relevant ..... 27
    Proof As To Digital Signature ..... 27
    Proof As To Verification Of Digital Signature ..... 27
    Admissibility Of Electronic Records ..... 27-28
    Presumption As To Electronic Records And Digital Signatures ..... 28
    Presumption As To Electronic Messages ..... 28-29
    Presumption As To Electronic Records Five Years Old ..... 29
  Recent Amendments ..... 29
    Important Amendments To IT Act ..... 29-30
    Cyber Terrorism Is Defined In Section 66F ..... 30-31
    Important Amendments To IPC ..... 31
    Important Amendments To CRPC ..... 32
  Our Analysis ..... 32
  Conclusion ..... 32
  Establishment Of PUNE Cyber Cell ..... 33
FORENSICS ..... 34-39
  What Is Cyber Forensics ..... 34
  Different Types Of Storage Media ..... 35
  Electronic Evidence Precautions ..... 35
  Computer Forensics ..... 36
  Electronic Evidence Considerations ..... 36
  Incident Response ..... 36
  Collecting Volatile Data ..... 37
  Imaging Electronic Media (Evidence) ..... 37
  Forensic Analysis ..... 37
  Reasons For Evidence ..... 37-38
  Evidence Processing Guidelines ..... 38-39
  Conclusion ..... 39
What is Cyber crime?
Criminal activity that utilizes an element of a computer or computer network. Cyber crime is the latest and perhaps the most complicated problem in the cyber world. "Cyber crime may be said to be those species, of which, genus is the conventional crime, and where either the computer is an object or subject of the conduct constituting crime." Crime is a social and economic phenomenon and is as old as human society. Crime is a legal concept and has the sanction of the law. Crime or an offence is "a legal wrong that can be followed by criminal proceedings which may result in punishment." A crime may be said to be any conduct accompanied by act or omission prohibited by law, the consequential breach of which is visited by penal consequences.
Examples Include:
Cyber-extortion
Information theft
Fraud
Identity theft
Exploitation of children
Intellectual property theft
Phishing and Vishing
Definition:
"Any criminal activity that uses a computer either as an instrumentality, target or a means for perpetuating further crimes comes within the ambit of cyber crime."
"Unlawful acts wherein the computer is either a tool or target or both."
"Illegal computer-mediated activities that can be conducted through global electronic networks."
Reasons For Cyber Crime:
Hart in his work "The Concept of Law" has said 'human beings are vulnerable so rule of law is required to protect them'. Applying this to cyberspace we may say that computers are vulnerable, so the rule of law is required to protect and safeguard them against cyber crime. The reasons for the vulnerability of computers may be said to be:
1. Capacity to store data in comparatively small space-
The computer has the unique characteristic of storing data in a very small space. This makes it much easier to remove or derive information through either a physical or a virtual medium.
2. Easy to access-
The problem encountered in guarding a computer system from unauthorised access is that there is every possibility of a breach not due to human error but due to the complex technology. Secretly implanted logic bombs, key loggers that can steal access codes, advanced voice recorders, retina imagers etc. that can fool biometric systems, and bypassing of firewalls can be utilized to get past many a security system.
3. Complex-
Computers work on operating systems, and these operating systems in turn are composed of millions of lines of code. The human mind is fallible and it is not possible that there might not be a lapse at any stage. Cyber criminals take advantage of these lacunae and penetrate the computer system.
4. Negligence-
Negligence is very closely connected with human conduct. It is therefore very probable that while protecting the computer system there might be some negligence, which in turn allows a cyber criminal to gain access and control over the computer system.
5. Loss of evidence-
Loss of evidence is a very common and obvious problem, as all the data are routinely destroyed. Further, collection of data outside the territorial extent also paralyses this system of crime investigation.
Cyber Criminals
Cyber criminals constitute various groups or categories. This division may be justified on the basis of the object that they have in mind. The following are the categories of cyber criminals-
1. Children and adolescents between the age group of 6 – 18 years –
The simple reason for this type of delinquent behaviour pattern in children is mostly the inquisitiveness to know and explore things. Another cognate reason may be to prove themselves outstanding amongst the other children in their group. Further, the reasons may even be psychological, e.g. the Bal Bharati (Delhi) case was the outcome of harassment of the delinquent by his friends.
2. Organised hackers-
These kinds of hackers are mostly organised together to fulfil certain objectives. The reason may be to fulfil their political bias, fundamentalism, etc. The Pakistanis are said to be one of the best quality hackers in the world. They mainly target Indian government sites with the purpose of fulfilling their political objectives. Further, the NASA as well as the Microsoft sites are always under attack by hackers.
3. Professional hackers / crackers –
Their work is motivated by the colour of money. These kinds of hackers are mostly employed to hack the sites of rivals and get credible, reliable and valuable information. Further, they are even employed to crack the system of the employer, basically as a measure to make it safer by detecting the loopholes.
4. Discontented employees-
This group includes those people who have been either sacked by their employer or are dissatisfied with their employer. To take revenge they normally hack the system of their employer.
Mode and Manner of Committing Cyber Crime
1. Unauthorized access to computer systems or networks / Hacking-
This kind of offence is normally referred to as hacking in the generic sense. However, the framers of the Information Technology Act 2000 have nowhere used this term, so to avoid any confusion we would not interchangeably use the word hacking for 'unauthorized access', as the latter has a wider connotation.
2. Theft of information contained in electronic form-
This includes information stored in computer hard disks, removable storage media etc. Theft may be either by appropriating the data physically or by tampering with them through the virtual medium.
3. Email bombing-
This kind of activity refers to sending large numbers of mails to the victim, which may be an individual or a company or even mail servers, thereby ultimately resulting in crashing.
4. Data diddling-
This kind of attack involves altering raw data just before a computer processes it and then changing it back after the processing is completed. The electricity board faced a similar problem of data diddling while the department was being computerised.
5. Salami attacks-
This kind of crime is normally prevalent in financial institutions or for the purpose of committing financial crimes. An important feature of this type of offence is that the alteration is so small that it would normally go unnoticed. E.g. the Ziegler case, wherein a logic bomb was introduced in the bank's system which deducted 10 cents from every account and deposited it in a particular account.
6. Denial of Service attack-
The computer of the victim is flooded with more requests than it can handle, which causes it to crash. A Distributed Denial of Service (DDoS) attack is also a type of denial of service attack, in which the offenders are wide in number and widespread. E.g. Amazon, Yahoo.
7. Virus / worm attacks-
Viruses are programs that attach themselves to a computer or a file and then circulate themselves to other files and to other computers on a network. They usually affect the data on a computer, either by altering or deleting it. Worms, unlike viruses, do not need a host to attach themselves to. They merely make functional copies of themselves and do this repeatedly till they eat up all the available space in a computer's memory. E.g. the love bug virus, which affected at least 5 % of the computers of the globe. The losses were accounted to be $ 10 million. The world's most famous worm was the Internet worm let loose on the Internet by Robert Morris sometime in 1988. It almost brought development of the Internet to a complete halt.
8. Logic bombs-
These are event dependent programs. This implies that these programs are created to do something only when a certain event (known as a trigger event) occurs. E.g. even some viruses may be termed logic bombs because they lie dormant all through the year and become active only on a particular date (like the Chernobyl virus).
9. Trojan attacks-
This term has its origin in the word 'Trojan horse'. In the software field this means an unauthorized programme which passively gains control over another's system by representing itself as an authorised programme. The most common form of installing a Trojan is through e-mail. E.g. a Trojan was installed in the computer of a lady film director in the U.S. while chatting. The cyber criminal, through the web cam installed in the computer, obtained her nude photographs. He further harassed this lady.
10. Internet time thefts-
Normally in these kinds of thefts the Internet surfing hours of the victim are used up by another person. This is done by gaining access to the login ID and the password. E.g. Colonel Bajwa's case- the Internet hours were used up by another person. This was perhaps one of the first reported cases related to cyber crime in India. However, this case made the police infamous as to their lack of understanding of the nature of cyber crime.
11. Web jacking-
This term is derived from the term hi-jacking. In these kinds of offences the hacker gains access and control over the web site of another. He may even mutilate or change the information on the site. This may be done for fulfilling political objectives or for money. E.g. recently the site of MIT (Ministry of Information Technology) was hacked by Pakistani hackers and some obscene matter was placed therein. Further, the site of the Bombay crime branch was also web jacked. Another case of web jacking is that of the 'gold fish' case. In this case the site was hacked and the information pertaining to gold fish was changed. Further, a ransom of US $ 1 million was demanded. Thus web jacking is a process whereby control over the site of another is taken, backed by some consideration for it.
Understand the Fundamentals
The Internet has offered us a much more convenient way to share information across time and place.
Cyberspace also opened a new venue for criminal activities:
Cyber attacks
Distribution of illegal materials in cyberspace
Computer-mediated illegal communications within big crime groups or terrorists
Cyber crime has become one of the major security issues for the law enforcement community.
The anonymity of cyberspace makes identity tracing a significant problem which hinders investigations.
Classification of Cyber crime
1. Computer as target
2. Computer as an instrumentality
3. Computer as an incidental or other crime
4. Crime associated with the prevalence of computers
The above categories are not isolated compartments. Crime may often spill over from one category to the other.
1. Computer as a target of a crime
Physical damage, theft or destruction of information (data), the spread of viruses and worms, software piracy, hacking etc. A computer virus is a self-replicating computer program written to alter the way a computer operates, without the permission or knowledge of the user.
2. Computer as an instrumentality
This category includes such crimes where either computers or their contents are used in furtherance of crime, or those offences which are committed by manipulating the contents of computer systems. They could include sending e-mails or ransom notes, or manipulating computer contents for credit card frauds, telecommunication frauds or theft.
3. Computer as incidental or other crime
This category includes conventional crimes where, with the advent of the computer, criminals have started using the technology as an aid for their perpetration. They include the use of computers as an aid for drug trafficking, money laundering, child pornography etc.
4. Crime associated with the prevalence of computers
Copyright violation, software piracy, component theft etc.
Why Learn About Cyber Crime
Everybody is using computers: from white collar criminals to terrorist organizations, and from teenagers to adults.
Conventional crimes like forgery, extortion, kidnapping etc. are being committed with the help of computers.
The new generation is growing up with computers.
Most important - monetary transactions are moving on to the Internet.
Types of Cyber Crime
Hacking
Denial Of Service Attack
Virus Dissemination
Software Piracy
Pornography
IRC Crime
Credit Card Fraud
Net Extortion
Phishing
Spoofing
Cyber Stalking
Cyber Defamation
Threatening
Salami Attack.
HACKING
Hacking in simple terms means illegal intrusion into a computer system without the permission of the computer owner/user.
DENIAL OF SERVICE ATTACK
This is an act by the criminal who floods the bandwidth of the victim's network or fills his e-mail box with spam mail, depriving him of the services he is entitled to access or provide.
VIRUS DISSEMINATION
Malicious software that attaches itself to other software (virus, worms, Trojan horse, time bomb, logic bomb, rabbit and bacterium are the malicious software).
SOFTWARE PIRACY
Theft of software through the illegal copying of genuine programs or the counterfeiting and distribution of products intended to pass for the original. Retail revenue losses worldwide are ever increasing due to this crime, which can be done in various ways: end user copying, hard disk loading, counterfeiting, illegal downloads from the internet etc.
PORNOGRAPHY
Pornography is the first consistently successful e-commerce product. Deceptive marketing tactics and mouse trapping technologies encourage customers to access pornography websites. Anybody, including children, can log on to the internet and access websites with pornographic contents with a click of a mouse. Publishing or transmitting any material in electronic form which is lascivious or appeals to the prurient interest is an offence under the provisions of section 67 of the I.T. Act 2000.
IRC CRIME
Internet Relay Chat (IRC) servers have chat rooms in which people from anywhere in the world can come together and chat with each other. Criminals use it for meeting co-conspirators. Hackers use it for discussing their exploits and sharing techniques. Pedophiles use chat rooms to allure small children.
Cyber Stalking - In order to harass a woman her telephone number is given to others as if she wants to befriend males.
CREDIT CARD FRAUD
You simply have to type the credit card number into the web page of the vendor for an online transaction. If electronic transactions are not secured, the credit card numbers can be stolen by hackers who can misuse the card by impersonating the credit card owner.
Credit card skimmer
NET EXTORTION
Copying the company's confidential data in order to extort a huge amount from the said company.
PHISHING
It is a technique of pulling out confidential information from bank or financial institution account holders by deceptive means.
PHISHING EMAIL
From: *****Bank [mailto:support@****Bank.com]
Sent: 08 June 2004 03:25
To: India
Subject: Official information from ***** Bank

Dear valued ***** Bank Customer! For security purposes your account has been randomly chosen for verification. To verify your account information we are asking you to provide us with all the data we are requesting. Otherwise we will not be able to verify your identity and access to your account will be denied. Please click on the link below to get to the bank secure page and verify your account details. Thank you.
https://infinity.*****bank.co.in/Verify.jsp
****** Bank Limited
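The sample above shows the usual tells of a phishing mail: a generic greeting, a threat of lost access, a request for account data, and a link whose domain (.co.in) does not match the sender's (.com). The following added example, not part of the report, runs those checks over a constructed message modelled on the sample; the "examplebank" domains and the legitimate comparison message are placeholders.

```python
"""Heuristic phishing indicators for a plain-text e-mail (added example, not from the report)."""
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed message modelled on the report's sample; domains are placeholders.
SAMPLE_PHISH = """\
From: ***** Bank <support@examplebank.com>
To: India
Date: Tue, 08 Jun 2004 03:25:00 +0530
Subject: Official information from ***** Bank

Dear valued ***** Bank Customer!
For security purposes your account has been randomly chosen for verification.
To verify your account information we are asking you to provide us with all
the data we are requesting. Otherwise we will not be able to verify your
identity and access to your account will be denied. Please click on the link
below to get to the bank secure page and verify your account details.
https://infinity.examplebank.co.in/Verify.jsp
***** Bank Limited
"""

# Constructed benign message from the same placeholder bank, for comparison.
SAMPLE_LEGIT = """\
From: ***** Bank <statements@examplebank.com>
To: customer@example.net
Subject: Your May statement is ready

Hello Priya,
Your statement for May is ready. Log in from your usual bookmark to view it.
https://www.examplebank.com/statements
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
ADDR_RE = re.compile(r"[\w.+-]+@([\w.-]+)")
# Second-level labels under which the registrable name sits one label deeper
# (examplebank.co.in -> "co"). A small stand-in for a public-suffix-list lookup.
MULTI_PART_TLDS = {"co", "com", "org", "net", "ac", "gov", "nic"}
URGENCY_PHRASES = ("will be denied", "access to your account", "will be suspended",
                   "immediately", "within 24 hours")
CREDENTIAL_RE = re.compile(r"\b(verify your (account|identity)|provide us with|"
                           r"account details|password|pin code)\b")
GREETING_RE = re.compile(r"\bdear\b[^\n]{0,40}\bcustomer\b")


def registrable_domain(host: str) -> str:
    """'infinity.examplebank.co.in' -> 'examplebank.co.in'; 'www.examplebank.com' -> 'examplebank.com'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in MULTI_PART_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def sender_domain(raw: str) -> str:
    """Domain of the address in the From: header (display names are ignored)."""
    msg = message_from_string(raw)
    m = ADDR_RE.search(msg.get("From", ""))
    return m.group(1).lower() if m else ""


def phishing_indicators(raw: str) -> list[str]:
    """Return the indicator names found in a single-part text message."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    low = body.lower()
    found = []
    if GREETING_RE.search(low):
        found.append("generic-greeting")          # "Dear valued ... Customer"
    if any(p in low for p in URGENCY_PHRASES):
        found.append("urgency-threat")            # "access ... will be denied"
    if CREDENTIAL_RE.search(low):
        found.append("credential-request")        # asks for account details
    sender = registrable_domain(sender_domain(raw))
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if sender and registrable_domain(host) != sender:
            found.append("link-domain-mismatch")  # .co.in link from a .com sender
            break
    return found


if __name__ == "__main__":
    print("phish:", phishing_indicators(SAMPLE_PHISH))
    print("legit:", phishing_indicators(SAMPLE_LEGIT))
```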
SPOOFING
Getting one computer on a network to pretend to have the identity of another computer, usually one with special access privileges, so as to obtain access to the other computers on the network.
CYBER STALKING
The Criminal follows the victim by sending emails, entering the chat rooms frequently.
CYBER DEFAMATION
The Criminal sends emails containing defamatory matters to all concerned of the victim or post the defamatory matters on a website.
THREATENING
The Criminal sends threatening email or comes in contact in chat rooms with Victim. (Any one disgruntled may do this against boss, friend or official)
SALAMI ATTACK
In such a crime the criminal makes insignificant changes in such a manner that the changes go unnoticed. The criminal makes a program that deducts a small amount like Rs. 2.@0 per month from the accounts of all the customers of the bank and deposits the same in his account. In this case no account holder will approach the bank for such a small amount, but the criminal gains a huge amount.
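Both salami descriptions in this report (the Ziegler logic bomb deducting 10 cents per account, and the monthly per-customer deduction above) share one weakness: the losses are invisible per account but concentrate in a single beneficiary. The following added example, not part of the report, shows that aggregate check over a constructed ledger; the account and beneficiary identifiers are placeholders.

```python
"""Aggregate detection of a salami scheme in a debit ledger (added example, not from the report)."""
from collections import defaultdict
from decimal import Decimal

# Constructed ledger lines "date,source_account,amount_debited,beneficiary" (not real data):
# 200 customer accounts each lose 0.10 to BENE9, plus a few ordinary transfers.
SAMPLE_LEDGER = "\n".join(
    [f"2024-05-01,ACC{1000 + i},0.10,BENE9" for i in range(1, 201)]
    + ["2024-05-01,ACC1001,250.00,SHOP1",
       "2024-05-02,ACC1002,0.10,SHOP1",   # a single tiny payment is not a pattern
       "2024-05-02,ACC1003,99.99,SHOP2"]
)


def parse_ledger(text: str):
    """Parse ledger text into (date, account, Decimal amount, beneficiary) rows."""
    rows = []
    for line in text.strip().splitlines():
        date, acct, amt, bene = line.split(",")
        rows.append((date, acct, Decimal(amt), bene))
    return rows


def salami_candidates(rows, max_amount=Decimal("1.00"), min_sources=50):
    """Return {beneficiary: (distinct_sources, total)} for beneficiaries that collect
    sub-threshold debits from at least min_sources distinct accounts.
    Each victim sees a negligible amount; only the aggregate view exposes the scheme."""
    per_bene = defaultdict(lambda: {"sources": set(), "total": Decimal("0")})
    for _, acct, amt, bene in rows:
        if Decimal("0") < amt <= max_amount:
            per_bene[bene]["sources"].add(acct)
            per_bene[bene]["total"] += amt
    return {b: (len(v["sources"]), v["total"])
            for b, v in per_bene.items() if len(v["sources"]) >= min_sources}


def largest_single_loss(rows, beneficiary):
    """Largest amount any one account paid to the beneficiary: why no customer complains."""
    return max((amt for _, _, amt, b in rows if b == beneficiary), default=Decimal("0"))


if __name__ == "__main__":
    ledger = parse_ledger(SAMPLE_LEDGER)
    for bene, (n, total) in salami_candidates(ledger).items():
        print(f"{bene}: {n} source accounts, total {total}, "
              f"largest single debit {largest_single_loss(ledger, bene)}")
```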
SALE OF NARCOTICS
Sale and purchase through the net. There are web sites which offer sale and shipment of contraband drugs. They may use the techniques of steganography for hiding the messages.
Email related crime
1. Email spoofing
2. Sending malicious codes through email
3. Email bombing
4. Sending threatening emails
5. Defamatory emails
6. Email frauds
Case Studies
Case No.1
Police Station – Vishrambaug (Mphasis)
G.R.N.: 91/05
IPC Sections: 467, 468, 471, 419, 420, 379, 34, with Information Technology Act Section 66
Petitioner: Jay fin Robert Disuse
Criminals: 1) Ivan Samuel Thomas 2) Sheila's Chanddrakant Burrower 3) Bijou Alexander 4) Siddhartha Mehta 5) Stephen Daniel 6) Marlin Fernandez 7) Prim john Phil poses 8) Soundharajan Jamaican 9) Jinee George 10) Stash Para 11) John Varghese
Incident Date: 25/1/2005 to 4/4/2005, from time to time
Filed On: 5/4/05 at 17:15
Evident Officer: Sanjay Judah, Asst. Police Commissioner (Fin & Cyber), Crime Branch, Pune
Short Story- In the last week of March 2005, the Vice Chairman of Citibank notified that Rs.1,86,23,761 (4,27,061 American Dollars) from some of the A/c holders of Citibank of America had been transferred to various banks in Pune. The above amount had not been deposited in the Pune bank.
Finding- After the case was filed, the banks to which the amount had been transferred were intimated in writing that if someone came to enquire about the deposit of money in the particular bank account, the Police were to be intimated immediately.
1. Accordingly Rupee Bank, Rajendranagar branch, Pune reported that two persons came for the enquiry.
2. A Police squad was sent immediately and the two persons were taken into custody. The names were: Vim Samuel Thomas; Sheila's Burrower.
3. In the enquiry, Ivan Thomas was found to be working in a BPO company in Pune named Mphasis (this company runs a customer care centre to give service to the Citibank account holders in America). His other colleagues Bijou Alexander, Siddhartha Mehta, Stephen Daniel and Marlin Fernandez had procured ATM cards as well as the PIN codes, Social Security Numbers and authorised e-mail IDs of 5 account holders of Citibank by social engineering. After that they transferred Rs. 1 Cr 86 lakh to various banks in Pune by using the wire transfer facility. This facility is used to transfer the amount through the internet. When you go to Citibank's website, choose the option wire transfer. Then put in the user ID and password; an automatic code is generated. This code is sent to the authorised e-mail ID of the account holder. Then this code is entered on the wire transfer page. Only then is the account made accessible to the particular account holder.
4. All the hard disks of the cyber cafés from where the amount had been transferred were seized. Also the full information of the e-mail ID from where the automatic code was taken, with full headers, was noted.
5. The above criminals had opened fake accounts in various banks; supporting proofs have been taken from the banks. The crime report has been submitted against the criminals.
Result awaited.
Case No.2
Police Station- Deccan Gymkhana
G.R.N 199/07
IPC Code 420, 467, 468, 34 with Law of Information & Technology of 2000, sections 43 a, b, h, 66 & 72
Petitioner- Sunil Marianna Made, age 32 yrs, occupation- service (Risk manager, HDFC stargaze, Pune), Residential Address B-402 Uttamnagar, Pune-23
Criminal- Moil Laming Harkin, Age-30, Residential Address- Ignore Rd near Vidyasagar High School, Naphtha, Delhi. Native- Churchyard Poor Lama, at & Post Bethel, Manipur
Incident- 24/4/2007 between 15:45 and 16:00 at Rank Jewelers, Karve Rd, Pune.
Case filed- 24/04/07 at 23:00 hrs
Evident officer- Entail Shined, Asst. Police Commissioner (Fin & Cyber), Crime Branch Pune.
Short Story- The criminal lady & her colleagues 1) Utahan 2) Nepali man 3) a lady named Mara, all together on 24/04/07 between 15:45 and 16:00 hrs at Rank Jewelers, Karve Rd, Pune, made a purchase by using an HDFC Bank credit card, but this card belonged to Missoula Federal Credit Union, USA. This was found through the Risk Monitoring System, and it was also found that the card was fake. The lady was arrested on the spot, but her other colleagues ran away. The criminal was found with a Chinese passport in the name of Talon Eyeing. On that passport, immigration stamps of Indonesia, Australia and Germany were found, and the criminal lady was found with credit cards of five banks in the name of Talon Eyeing.
Finding-
1. Sent a letter to Airtel, Hutch, Idea & Tata to get the information of the criminal’s mobile no 9967674094 & her colleagues’ mobile nos.
2. Sent a letter to the bank for getting information of the credit card holders.
3. To verify the genuineness of the passport, the Chinese consulate at Chennai and the Embassy at Mumbai were approached by sending letters.
4. Took statements at Mosaic Palace, Shirted Rd, Pune, where the criminal & her colleagues were staying. Also took the statements of the manager & owner of Rank Jewelers.
5. Came to know through HDFC, HSBC and Standard Chartered Bank that the credit card the criminal lady was holding is of Missoula Federal Credit Union, USA.
6. Sent a letter to the Police Commissioner, Chennai for information, as the criminal’s passport was immigration stamped at Chennai.
7. Sent a wireless to South Manipur Police to get address proof and character information.
8. Sent a Police squad to Delhi to search for the other criminals.
9. Regarding the passport, a fax was received from the Embassy of China that the concerned passport was from Hong Kong Special Administrative Region and had expired on 10th Sep 2003.
10. Information received from Manipur police by wireless is as below:
Lady Name- Neural Moil Hop kip; Occupation- Service in a private company in Delhi; Married with Sri Sensing, Resident Chore, Sandspur; Marital Status- 2 Daughters, etc.
After the criminal reports were sent to the court, the criminal lady was punished by the court.
Case No. 3
Police Station - Yawed
G.R.N - 2/8/08 C B V 403 419 420
Applicant - Swapnil Deli Sail, Age 30, Son, 401/r Balladic VadyanNagar, Vadgensheri, Pune 14
Accused - Yogis Chowder, Chennai
Applied on - 25/3/08, Use of stolen credit card.
Enquiry Officer - Kristi Kumar Patel, PSI
Short Story- Yogis purchased air tickets on 28/3/08 for Rs.18,596.10. Swapnil has a City Bank credit card and takes his account statements online; on 24/4/08 he saw a bill of Rs.18,596.10 as a transaction done on 28/3/08 from Makemytrip.com & Airdeccan.com. Yogis had taken the tickets.
Enquiry- Mail IDs used: [email protected], [email protected]. From these the full IP address was needed.
1. To find out whose IP this is: through Domain Tool got the name Isaac Telecom India Pvt Ltd, Sutra.
2. Sent a letter to Ibarra to enquire to whom this IP address was given. Got the information that IP address 123.201.56.193 is dynamic and was given to Yogis Chowdery, Chennai, 9789943185.
3. Got details of the mobile phones in use, Nos 9884214361 and 9789943185, & their phone calls from the Manager, Airtel & the Manager, Hutch.
4. Visited Chennai to find Yogis.
5. Caught him at Chennai; he admitted that he had done this crime.
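Case 1 above notes that the full header of the e-mail was preserved, and Case 3 that the IP address found was a dynamic one which the ISP could match to a subscriber only together with the time it was seen. The following added example (not code from the report) walks the Received chain of a constructed message, lists the hops in transmission order, skips private relays and returns the first public address with its timestamp; it also checks that hop timestamps never run backwards, one clue to a forged chain of the kind involved in email spoofing. Hostnames are constructed; the public IP is one quoted in the report.

```python
"""Trace the originating public IP address from an e-mail's Received headers.

Added example, not from the report. Mail servers prepend Received headers, so
the header listed first is the last hop; the chain is reversed to read from
the origin outwards. Private, loopback and link-local addresses belong to the
relaying infrastructure and are skipped when looking for the origin.
"""
import email
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Constructed message; headers appear newest-first as a mail server writes them.
RAW_MESSAGE = """\
Received: from mx.isp.example (mx.isp.example [192.168.10.5])
    by mail.bank.example with ESMTP id k7x1Q; Fri, 25 Mar 2005 10:15:02 +0530
Received: from webmail.isp.example (webmail.isp.example [123.201.56.193])
    by mx.isp.example with SMTP; Fri, 25 Mar 2005 10:14:58 +0530
Received: from [10.0.0.23] (unknown [10.0.0.23])
    by webmail.isp.example; Fri, 25 Mar 2005 10:14:50 +0530
From: sender@isp.example
To: victim@bank.example
Subject: wire transfer code

(body omitted)
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _is_public(ip_text):
    """True when the address is routable on the public Internet (not RFC 1918 etc.)."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def parse_received(raw_message):
    """Return the Received hops in transmission order: origin first, final server last."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        # The 'from' clause (before 'by') names the host that handed the mail over.
        from_part = re.split(r"\bby\b", value, maxsplit=1)[0]
        match = IPV4.search(from_part)
        ip_text = match.group(0) if match else None
        seen = None
        if ";" in value:  # the timestamp follows the last ';'
            try:
                seen = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                seen = None
        hops.append({"ip": ip_text, "public": bool(ip_text) and _is_public(ip_text),
                     "seen": seen})
    return hops


def originating_public_ip(raw_message):
    """First public IP in transmission order with the time it was seen (ISO 8601)."""
    for hop in parse_received(raw_message):
        if hop["public"]:
            seen = hop["seen"].isoformat() if hop["seen"] else None
            return hop["ip"], seen
    return None


def chain_is_consistent(hops):
    """True when no hop's timestamp is earlier than the previous hop's."""
    times = [h["seen"] for h in hops if h["seen"] is not None]
    return all(a <= b for a, b in zip(times, times[1:]))


if __name__ == "__main__":
    for hop in parse_received(RAW_MESSAGE):
        print(hop)
    print("origin:", originating_public_ip(RAW_MESSAGE))
    print("chain consistent:", chain_is_consistent(parse_received(RAW_MESSAGE)))
```

The IP and timestamp pair is what the ISP request in Case 3 needs, since a dynamic address alone identifies nobody.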
Case No.4
Police Station- Kothrud
G.R.N 00107 BDV 509, Information Security Act 5.67
Applied by - Miss Saniya, Kothrud, Pune
Against - Miss Lisa and Pan, Pune
Happened on- Before 26/06/07 12:30
Recorded on- 28/06/07 5:00 PM
Short Story- Before 26/06/07 someone stole the password of the email ID of Saniya & her profile XYZ on the Orkut website and posted some very bad exposition on the website.
Director- Net Shined, PSI
Enquiry-
Sent a request to Google company by e-mail for all database links of the Orkut profile: prepared by whom, on what date and time, and from which IP address. Saniya had come to know from friends that there were some bad things about her on Orkut posted by Lisa Cornello. Saniya had, 3 to 4 weeks earlier, tried to prepare a new account [email protected], and on that website the bad topic was profiled again. Visited Saniya’s residence and checked her computer for whether there was any virus or not. Sent a read notification to Saniya at [email protected] regarding the theft of her password by anybody. Information was read from Google on 3/7/09. The profile prepared by Saniya was as follows:
E-mail profile: email ID [email protected], IP Address 59.161.3.66 on 8/5/07 4IS GMT. Secondary email ID LisaCornello@ yahoo.co.in. Traced out all information from the above address. Received the following information from Yahoo on 14/5/09 at 9:36:14: [email protected] and IP Address 219.64.160.136 was prepared on 5/5/07 3:36:4; [email protected] Email ID and IP Address 59.169.3.66 prepared on 8/05/07. Got the following information from Domain Tools: File Number- 12345678, Name - Lisa, Phone - 122344568, Address- And Pune. Raided Lisa’s residence and took all necessary Police action. The story is that Lisa & Saniya were friends, both having affairs with Shoed. The Police seized the hard disk & CPU and sent them to the forensic lab. Lisa was punished with 2 yrs prison & Rs. 2,75,000 cash fine.
Characteristics of Computer Crime
Silent in Nature: Computer crime can be committed in privacy without physically reaching the scene of the crime, i.e. without any eye witnesses. There are no signs of physical violence or struggle.
Global in Character: No national borders. By sitting comfortably far away from the country, the entire economy of the country could be destroyed. As digital evidence is fragile in nature, one has to respond quickly.
Non-existence of Physical Evidence: There is no physical evidence to indicate that a crime has been committed. Only on a closer look can a trained person find the evidence, which is not in the traditional format but in digital format.
Creates High Impact: The impact is severe and may be long term. It can damage the victim system permanently, and cause loss of goodwill.
High Potential and Easy to Perpetrate: A software developer who did not get enough money or a good job may turn to the criminal world for survival. Therefore computer crimes have a potential to increase, and organized mafia may enter this sector.
Prevention of Cyber Crime:
Prevention is always better than cure. It is always better to take certain precautions while operating on the net, and a netizen should make them part of his cyber life. Saileshkumar Zackary, technical advisor and network security consultant to the Mumbai Police Cyber Crime Cell, advocates the 5P mantra for online security: Precaution, Prevention, Protection, Preservation and Perseverance. A netizen should keep in mind the following things:
1. To prevent cyber stalking, avoid disclosing any information pertaining to oneself. This is as good as disclosing your identity to strangers in a public place.
2. Always avoid sending any photograph online, particularly to strangers and chat friends, as there have been incidents of misuse of photographs.
3. Always use the latest and up-to-date anti-virus software to guard against virus attacks.
4. Always keep backup volumes so that one does not suffer data loss in case of virus contamination.
5. Never send your credit card number to any site that is not secured, to guard against frauds.
6. Always keep a watch on the sites that your children are accessing, to prevent any kind of harassment or depravation of children.
7. It is better to use a security programme that gives control over the cookies and the information sent back to the site, as leaving the cookies unguarded might prove fatal.
8. Web site owners should watch traffic and check for any irregularity on the site. Putting host-based intrusion detection devices on servers may do this.
9. Use of firewalls may be beneficial.
10. Web servers running public sites must be physically separate and protected from the internal corporate network.
Adjudication of a Cyber Crime - On the directions of the Bombay High Court, the Central Government has, by a notification dated 25.03.03, decided that the Secretary to the Information Technology Department in each state would by designation be appointed as the AO for that state.
QUESTIONNAIRE RELATED TO THE RECOMMENDATIONS FROM THE FOURTH MEETING OF GOVERNMENTAL EXPERTS ON CYBER-CRIME
1. In which of the following areas does our country have existing cyber-crime legislation in place?
a) Cyber laws (e.g., laws prohibiting online identity theft, hacking, intrusion into computer systems, child pornography): Yes ___ No ___
If yes, please list and attach copies of all such legislation, preferably in electronic format if possible: IT Act: 65 – Code Modification, 66 – Hacking, 67 – Pornography
b) Procedural cyber-crime laws (e.g., authority to preserve and obtain electronic data from third parties, including internet service providers; authority to intercept electronic communications; authority to search and seize electronic evidence): Yes ___ No ___
If yes, please list and attach copies of all such legislation, preferably in electronic format if possible: 41 CRPC, 42 CRPC, 100 CRPC, 78 – Search and seize, 80 – All police rights.
c) Mutual legal assistance related to cyber-crime: Yes ___ No ___
If yes, please list and attach copies of all such legislation, preferably in electronic format if possible: They need only technical help during case investigation.
2. Please identify whether the following forms and means (1) occur frequently, (2) occur infrequently, or (3) have not occurred, by placing an “X” as appropriate in the following table:
Forms and Means of Cyber-Crime | Occur Frequently | Occur Infrequently | Has not Occurred
Online identity theft (including phishing and online trafficking in false identity information) | | |
Hacking (illegal intrusion into computer systems; theft of information from computer systems) | | |
Malicious code (worms, viruses, malware and spyware) | | |
Illegal interception of computer data | | |
Online commission of intellectual property crimes | | |
Online trafficking in child pornography | | |
Intentional damage to computer systems or data | | |
Others | | |
a) In addition to the above, if there are any other forms and means of cyber-crime that have occurred (either frequently or infrequently) in our country, please identify them as well as the frequency with which they occur in the following table.
Forms and Means of Conduct | Occur Frequently | Occur Infrequently
Cheating | |
Threatening | |
Cyber Stalking | |
Credit card fraud | |
Copy Right | |
Source Code | |
3. Does our country have any concrete experiences with respect to strengthening the relationship between the authorities responsible for investigating and/or prosecuting cyber-crimes and internet service providers that may be shared with other States as a best practice in this area? Yes No ___
If yes, please explain: ISPs’ meeting, bank models meeting, cyber committee, regular basic interaction.
4. Has our country identified, created, or established a unit or entity specifically charged with directing and developing the investigation of cyber-crimes? Yes No
If yes, please provide the following information: CBI Crime Cell, CID
The institution to which the unit/entity belongs: POLICE
The number of officers or investigators in the unit/entity: 4-5
If such a unit/entity has been created or established, are its functions dedicated exclusively to the investigation of cyber-crimes? Yes No ___
If no, what other types of offenses or crimes is this unit/entity responsible for investigating and/or prosecuting?
5. Has our country identified, created, or established a unit or entity specifically charged with directing and developing the prosecution of cyber-crimes? Yes ___ No
Relevance of Evidence
Main purpose of investigation of any crime is to collect sufficient & legally admissible evidence to ensure conviction of offenders.
Requirements of evidence in Cyber Crimes are not different but its nature has made collection of Evidence a specialized job.
The Evidence Act & rules already in existence were considered not sufficient; so the IT Act, 2000 made extensive changes in the Indian Evidence Act, 1872.
Indian Evidence Act (Amended)
3. Evidence - "Evidence" means and includes:
All documents including electronic records produced in Court are called documentary evidence.
“Electronic records” has the same meaning as assigned in IT Act,2000, i.e.:
image or sound stored, received or sent in an electronic form; or
micro film or computer generated micro fiche;
17. Admission defined - An admission is a statement, oral or documentary or contained in electronic form which suggests any inference as to any fact in issue or relevant fact.
27. How much of information received from accused may be proved - When any fact is discovered in consequence of information received from a person accused of any offence, in the custody of a police officer, so much of such information, as relates distinctly to the fact thereby discovered, may be proved.
When oral admission as to contents of electronic records is relevant:
22A. Oral admissions as to the contents of electronic records are not relevant, unless the genuineness of the electronic record produced is in question.
59. Proof of facts by oral evidence - All facts, except the contents of documents or electronic records, may be proved by oral evidence.
39. How much evidence to be given when statement forms part of electronic record:
When any statement of which evidence is given forms part of an electronic record, then
Evidence shall be given of so much and no more of the electronic record, as the Court considers necessary in that particular case to the full understanding of the nature and effect of the statement, and of the circumstances under which it was made.
Opinion as to digital signature where relevant.
47A. When the Court has to form an opinion as to the digital signature of any person, the opinion of the Certifying Authority which has issued the Digital Signature Certificate is a relevant fact.
Proof as to digital signature.
67A. Except in the case of a secure digital signature, if the digital signature of any subscriber is alleged to have been affixed to an electronic record, the fact that such digital signature is the digital signature of the subscriber must be proved.
Proof as to verification of digital signature.
73A. In order to ascertain whether a digital signature is that of the person by whom it purports to have been affixed, the Court may direct
That person or the Controller or the Certifying Authority to produce the Digital Signature Certificate;
Any other person to apply the public key listed in the Digital Signature Certificate and verify the digital signature purported to have been affixed by that person.
Admissibility of electronic records.
65B. (1) Any information contained in an electronic record which is printed on a paper, stored, recorded or copied in optical or magnetic media produced by a computer shall be deemed to be also a document, if certain conditions are satisfied.
It shall be admissible in any proceedings, without further proof or production of the original, as evidence of any contents of the original or of any fact stated therein of which direct evidence would be admissible.
65B (2) The conditions are as following:
(a) The computer output was produced during the period when it was used regularly to store or process information for the purposes of any activities regularly carried on by a person having lawful control over the computer;
(b) During the said period, information of the kind contained in the electronic record or of the kind from which the information so contained is derived was regularly fed into the computer in the ordinary course of the said activities;
(c) Throughout the said period, the computer was operating properly or, if not, then that part of the period was not such as to affect the electronic record or the accuracy of its contents;
(d) The information contained in the electronic record reproduces or is derived from such information fed into the computer in the ordinary course of the said activities.
Presumption as to electronic agreements.
85A The Court shall presume that every electronic record purporting to be an agreement containing the digital signatures of the parties was so concluded by affixing the digital signature of the parties.
Presumption as to electronic records and digital signatures:
85B. (1) the Court shall presume that the secure electronic record has not been altered since the specific point of time to which the secure status relates.
(2) In proceedings involving secure digital signature, the Court shall presume that the secure digital signature is affixed by subscriber with the intention of signing or approving the electronic record.
Presumption as to electronic messages:
88A. The Court may presume that an electronic message forwarded by the originator through an electronic mail server to the address to whom the message purports to be addressed corresponds with the message as fed into his computer for transmission;
But the Court shall not make any presumption as to the person by whom such message was sent.
Presumption as to electronic records five years old.
90A. Where any electronic record, purporting or proved to be five years old, is produced from any custody which the Court in the particular case considers proper, the Court may presume that the digital signature which purports to be the digital signature of any particular person was so affixed by him or any person authorized by him in this behalf.
Recent Amendments
The Information Technology (Amendment) Bill, 2008 (Bill No.96-F of 2008) was passed by the Lok Sabha on 22-12-2008 and by the Rajya Sabha on 23-12-2008.
It received His Excellency President’s assent on 5th February, 2009.
The date from which the amendments are to be applicable is yet to be notified.
Important Amendments to IT Act
In Section 43, two new offences are added:
Destroying, deleting or altering information in a computer resource to diminish its value.
Stealing, concealing or destroying any computer source code with intention to cause damage.
Sec. 66 has been replaced providing that if any of the acts mentioned in Section 43 was done dishonestly or fraudulently, it is punishable with 3 Years Imprisonment or Fine of Rs.5.00 Lacs or with both.
A new Sec.66A is added providing for three years imprisonment and fine for sending:
Offensive or menacing information; or
False information for causing insult, injury, intimidation, hatred or ill-will; or
E-mail causing annoyance, or to deceive or mislead the recipient about the origin of that email.
Section 66B makes it an offence to dishonestly receive or retain any stolen computer resource or communication device, which is punishable with 3 years imprisonment or fine up to Rs. 1.00 Lac.
Dishonest use of electronic signatures, password or identification feature invites punishment up to 3 years and fine up to Rs. 1.00 Lac (Section 66C).
Impersonation with the help of a computer or communication device will result in 3 years imprisonment and fine up to Rs. 1.00 Lac (Section 66D).
Violation of privacy by way of sending electronic visual images of private parts of the body is also punishable with 3 years’ imprisonment or fine up to Rs. 1.00 Lac (Section 66E).
Cyber Terrorism is defined in Section 66F:
Whoever threatens the unity, integrity, security or sovereignty of India or strike terror in people by:
Denying access to computer resource; or
Accessing a computer resource without authority; or
Introducing any computer contaminant,
and causes death or destruction of property; or
Penetrates restricted computer resources or information affecting sovereignty, integrity, friendly relations with foreign states, public order, decency, contempt of court, defamation, or to the advantage of a foreign state or group of persons.
It is punishable with imprisonment up to life.
Obscenity has been defined in the new Section 67, punishable with imprisonment for 3 years with fine up to Rs. 5.00 Lacs for the first offence and imprisonment for 5 years with fine up to Rs. 10.00 Lacs for a subsequent offence.
Section 67A deals with publishing or transmitting sexually explicit material, which is punishable with 5 years imprisonment & fine up to 10.00 Lacs for the first offence and, for a subsequent offence, imprisonment up to 7 years with fine up to 10.00 Lacs.
Child Pornography has been made a separate offence in Section 67B, punishable with 5 years imprisonment & fine up to 10.00 Lacs for the first offence and, for a subsequent offence, imprisonment up to 7 years with fine up to 10.00 Lacs.
Section 69 has been redrafted enabling Government agencies to intercept, monitor or decrypt any electronic information with the help of subscribers, intermediary or person in charge of computer resources.
Non-cooperation by any of the above invites imprisonment up to 7 years with fine.
69A: Government gets power to issue directions for blocking for public access of any information through any computer resource.
An intermediary intermediary who fails to comply with directions directions in this regard shall be punished punished with imprisonment up to 7 years with fine.
69B: For cyber security, the Government may order any intermediary to allow access to any computer resource, and violation results in imprisonment up to 3 years with fine.
Sec. 72A provides for punishment for disclosure of information in breach of lawful contract, extending up to 3 years or fine to the tune of Rs. 5.00 Lacs or both.
Section 77: confiscation, compensation awarded or penalty imposed does not come in the way of penalty, punishment or compensation under any other Act.
Compounding of offences with punishment up to 3 years is allowed, subject to the conditions that the accused has no previous conviction, the offence does not affect the socio-economic conditions, and it was not committed against a child or a woman.
Sec. 77B prescribes that, notwithstanding the CRPC, an offence punishable with imprisonment of 3 years and above is cognizable.
An offence punishable with imprisonment up to 3 years is bailable.
Power to investigate cyber crimes has now been vested in Inspectors in place of the Dy.S.P.
Office of Government Examiner of Electronic Evidence is to be established. (Section 79A).
Important Amendments to IPC
Jurisdiction is not bounded by Country’s boundaries if the target is a computer resource located in India. Section 4(3)
Any act done anywhere in the world is an offence if the said act, if committed in India is an offence. Explanation (a) to Section 4
Voluntary concealment of existence of a design by encryption or any other information hiding tool is an offence.
The words ‘Digital Signatures” have been replaced with “Electronic signatures”.
Important Amendments to CRPC
Opinion of Examiner of Electronic Evidence has been made relevant. (Section 45A)
The Examiner is to be treated as an Expert.
The Examiner is to be examined like any other expert from CFSL or other labs.
Words ‘Digital Signature” is to be replaced by “Electronic Signature”.
Our Analysis
As we have seen, crimes done with the help of computers or technology have become a very serious issue nowadays, and the victim can be anybody, a naive person or even a tech-savvy professional. So from the cyber crimes described above we can conclude that, to counter these crimes, the end user should be educated about them. He/she should be cautious when checking e-mails or when downloading files/software. Users should change their password after 45 days, set a strong password with alphanumeric and special characters in it, and never use the Administrator account if not required. Always update the antivirus. Try to keep licensed copies of the software used. Try to secure the network, both LAN and wireless.
Conclusion:
The capacity of the human mind is unfathomable. It is not possible to eliminate cyber crime from cyber space, but it is quite possible to check it. History is witness that no legislation has succeeded in totally eliminating crime from the globe. The only possible step is to make people aware of their rights and duties (to report crime as a collective duty towards society) and further to make the application of the laws more stringent to check crime. Undoubtedly the Act is a historical step in the cyber world. Further, I altogether do not deny that there is a need to bring changes in the Information Technology Act to make it more effective in combating cyber crime. I would conclude with a word of caution for the pro-legislation school: it should be kept in mind that the provisions of the cyber law are not made so stringent that they retard the growth of the industry and prove to be counter-productive.
Establishment of PUNE Cyber Cell
It was established on 1st July 2003. Under this department the following officers are involved:
Police Commissioner
Two Asst. Police Commissioners
Two Sub Inspectors
And ten constables in the team.
In the year 2008, 63 cases were registered. Between 2003 and 2008 the total number of cases registered with the Police was 452.
Police Station under IT Act 2000
Year  | 2001 | 2002 | 2003 | 2004 | 2005 | 2006 | 2007 | 2008 | 2009 | Total
Total |  03  |  04  |  09  |  06  |  10  |  10  |  13  |  08  |  09  |  72
In year 2008 the Cyber Crime Cell has solved 15 cases.
Cyber Crime Cell
Year  | 2003 | 2004 | 2005 | 2006 | 2007 | 2008 | 2009 | Total
Total |  05  |  30  |  32  |  79  |  99  | 207  |  92  |  544
Pune Cyber Lab
On 20th January the Pune Cyber Lab was established in collaboration with NASSCOM, near Shivaji Nagar in Pune. In this department there are 580 officers and 411 staff, of whom the members of the 76th Batch have been provided with cyber crime investigation training. 65 judges have also attended the cyber crime training programme.
WHAT IS CYBER FORENSICS?
Cyber forensics is the discovery, analysis, and reconstruction of evidence extracted from any element of computer systems, computer networks, computer media, and computer peripherals that allows investigators to solve the crime.
Four Stages
Acquire
Authenticate
Analyze
Documentation
DIFFERENT TYPES OF STORAGE MEDIA
ELECTRONIC EVIDENCE PRECAUTIONS
Static Electricity
Magnetic Fields
Shock
Moisture
Computer Forensics:-
Computer forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage media. Computer forensics, also called cyber forensics, is the application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence, in order to find out exactly what happened on a computer and who was responsible for it. Computer forensics experts investigate data storage devices such as hard drives, USB drives, CD-ROMs, floppy disks and tape drives, identifying sources of documentary or other digital evidence, preserving and analyzing evidence, and presenting findings. Computer forensics adheres to the standards of evidence admissible in a court of law.
Electronic evidence considerations
Electronic evidence can be collected from a variety of sources. Within a company's network, evidence will be found in any form of technology that can be used to transmit or store data. Evidence should be collected from three parts of an offender's network: at the workstation of the offender, on the server accessed by the offender, and on the network that connects the two. Investigators can therefore use three independent sources to confirm the data's origin: an event that appears in only one of them is far weaker evidence than one that all three record consistently.
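As an added example (not part of the original report), the following Python script corroborates each workstation upload against the file-server and firewall records from the three sources just described, accepting a finding only when all three agree on actor, object and time. The log lines, host names, user names and addresses are constructed for illustration; the workstation's address (10.0.1.17) and the key=value line format are assumptions, not any product's real format.

```python
"""Added example (not from the report): corroborate workstation actions against
server and network records. Log lines, hosts, users and addresses are constructed;
the workstation's address (10.0.1.17) and the key=value format are assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed workstation (endpoint) log.
WORKSTATION_LOG = """\
2023-03-14T09:58:02 user=jdoe host=WS-017 action=open file=C:\\Projects\\design.pdf
2023-03-14T10:00:11 user=jdoe host=WS-017 action=upload file=C:\\Projects\\design.pdf dest=10.0.5.20
2023-03-14T10:02:30 user=jdoe host=WS-017 action=upload file=C:\\Projects\\notes.txt dest=10.0.5.20
2023-03-14T10:03:40 user=jdoe host=WS-017 action=logoff
"""

# Constructed file-server log (the server is assumed to be 10.0.5.20).
SERVER_LOG = """\
2023-03-14T10:00:12 srv=FILESRV-01 client=10.0.1.17 user=jdoe op=PUT path=/share/out/design.pdf bytes=412000
2023-03-14T10:00:45 srv=FILESRV-01 client=10.0.1.44 user=asmith op=GET path=/share/out/readme.txt bytes=1200
"""

# Constructed firewall log for the segment connecting workstation and server.
NETWORK_LOG = """\
2023-03-14T10:00:10 fw=CORE-FW src=10.0.1.17 dst=10.0.5.20 dport=445 action=ALLOW bytes=419430
2023-03-14T10:00:44 fw=CORE-FW src=10.0.1.44 dst=10.0.5.20 dport=445 action=ALLOW bytes=2048
2023-03-14T10:02:31 fw=CORE-FW src=10.0.1.17 dst=10.0.5.20 dport=445 action=ALLOW bytes=8192
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(log):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in log.splitlines():
        ts, _, rest = line.partition(" ")
        ev = dict(KV.findall(rest))
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def basename(path):
    """Last path component for either Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def corroborate(ws_log, srv_log, net_log, ws_ip, window_s=5):
    """Match each workstation upload against server and network records.

    A finding is 'corroborated' only when all three sources agree on the
    user, the file and the time (within window_s seconds, allowing for
    clock skew between hosts).
    """
    window = timedelta(seconds=window_s)
    server, network = parse(srv_log), parse(net_log)
    findings = []
    for ev in parse(ws_log):
        if ev.get("action") != "upload":
            continue
        name = basename(ev["file"])
        srv_hits = [s for s in server
                    if s.get("op") == "PUT" and s.get("user") == ev["user"]
                    and s.get("client") == ws_ip and basename(s["path"]) == name
                    and abs(s["ts"] - ev["ts"]) <= window]
        net_hits = [n for n in network
                    if n.get("src") == ws_ip and n.get("dst") == ev.get("dest")
                    and abs(n["ts"] - ev["ts"]) <= window]
        findings.append({
            "user": ev["user"],
            "file": name,
            "workstation": ev["ts"].isoformat(),
            "server": srv_hits[0]["ts"].isoformat() if srv_hits else None,
            "network": net_hits[0]["ts"].isoformat() if net_hits else None,
            "corroborated": bool(srv_hits and net_hits),
        })
    return findings


if __name__ == "__main__":
    for f in corroborate(WORKSTATION_LOG, SERVER_LOG, NETWORK_LOG, "10.0.1.17"):
        print(f)
```

In the constructed data the upload of design.pdf is seen by all three sources and is corroborated; the later upload of notes.txt has a matching network flow but no server-side record, so it is reported as uncorroborated and would need further evidence before being relied upon.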
Incident Response
An important part of computer forensics lies in the initial response to a computer crime. It is at this point that the suspect computer and related devices are identified and prepared for the forensic response. In a corporate environment, this is simply done by locating the perpetrator's computer workstation and collecting a forensic image of the hard drive and any related media. In a criminal situation with a law enforcement response, the incident response involves the proper serving of a search warrant and the lawful collection of evidentiary media. While in some corporate environments the computer is left behind, sometimes to give the impression that the employee is not a targeted suspect, law enforcement will attempt to seize all computer-related material ("bag and tag") and transfer it to a forensic laboratory for analysis.
Collecting Volatile Data
If the machine is still active, any intelligence that can be gained by examining the applications currently open is recorded. If the machine is suspected of being used for illegal communications, such as terrorist traffic, not all of this information may be stored on the hard drive. Information held solely in RAM (running processes, open network connections, unsaved or decrypted content) is lost if it is not recovered before powering down. This creates the need to collect volatile data from the computer at the onset of the response, before any shutdown or seizure.
Imaging electronic media (evidence)
The process of creating an exact duplicate of the original evidentiary media is often called imaging. Using a standalone hard-drive duplicator or software imaging tools such as AIR, the entire hard drive is duplicated. This is usually done at the sector level, making a bit-stream copy of every part of the drive that can physically store data, rather than copying the file system: deleted files, file slack and unallocated space are preserved in the image, where a file-level copy would lose them. The original drive is then moved to secure storage to prevent tampering, and all analysis is performed on the image. During imaging, a write-protection device or application is normally used to ensure that no information is introduced onto the evidentiary media during the forensic process, and the original and the image are hashed so that the copy can later be shown to be identical to the source.
Forensic Analysis
All digital evidence must be analyzed to determine the type of information that is stored on it. For this purpose, specialty tools are used that can display information in a format useful to investigators. Such forensic tools include Brian Carrier's The Sleuth Kit, Foremost and SMART. In many investigations, numerous other tools are used to analyze specific portions of the information.
Reasons for Evidence
There is a wide range of computer crimes and misuses.
Non-Business Environment: evidence collected by Federal, State and local authorities for crimes relating to:
Theft of trade secrets
Fraud
Extortion
Industrial espionage
Possession of pornography
SPAM investigations
Virus/Trojan distribution
Homicide investigations
Intellectual property breaches
Unauthorized use of personal information
Forgery
Perjury
Business Environment: computer-related crime and violations include a range of activities, including:
Theft of or destruction of intellectual property
Unauthorized activity
Tracking internet browsing habits
Reconstructing events
Inferring intentions
Selling company bandwidth
Wrongful dismissal claims
Sexual harassment
Software piracy
Evidence Processing Guidelines
New Technologies Inc. recommends the following 16 steps for processing evidence, and offers training on the proper handling of each step.
Step 1: Shut Down the Computer
Consideration must first be given to volatile information: anything held only in RAM is lost at power-off, so it is collected before this step (see Collecting Volatile Data above).
Shutting down prevents remote access to the machine and the destruction of evidence (manually or by anti-forensic software).
Step 2: Document the Hardware Configuration of the System
Note everything about the computer configuration prior to relocating it.
Step 3: Transport the Computer System to a Secure Location
Do not leave the computer unattended unless it is locked in a secure location.
Step 4: Make Bit-Stream Backups of Hard Disks and Floppy Disks
Step 5: Mathematically Authenticate Data on All Storage Devices
We must be able to prove that we did not alter any of the evidence after the computer came into our possession; this is normally done by computing a cryptographic hash of each device and of its image and recording the values.
Step 6: Document the System Date and Time
Step 7: Make a List of Key Search Words
Step 8: Evaluate the Windows Swap File
Step 9: Evaluate File Slack
File slack is the unused space between the end of a file's data and the end of the last cluster allocated to it. It is a data storage area of which most computer users are unaware, it can still hold fragments of earlier, deleted files, and it is a source of significant security leakage.
Step 10: Evaluate Unallocated Space (Erased Files)
Step 11: Search Files, File Slack and Unallocated Space for Key Words
Step 12: Document File Names, Dates and Times
Step 13: Identify File, Program and Storage Anomalies
Step 14: Evaluate Program Functionality
Step 15: Document Our Findings
Step 16: Retain Copies of Software Used
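As an added example serving Steps 4, 5 and 9 to 11 above, as well as the Imaging and Four Stages sections earlier, the following Python script images a constructed "device" file sector by sector, hashes the source before and after and the image afterwards, and then searches live files, file slack and unallocated clusters for key words. It is not code from the report or from New Technologies Inc. The toy layout (512-byte clusters, a hard-coded directory table, a deleted memo left behind in slack and free clusters) is an assumption standing in for a real file system, and a hardware write blocker is still required on a real device.

```python
"""Added example (not from the report): bit-stream imaging, hash authentication,
and keyword search of file slack and unallocated space on a constructed toy image.
The cluster size, directory table and contents are assumptions, not a real file system.
"""
import hashlib
import os
import tempfile

CLUSTER = 512             # assumed allocation unit of the toy volume
TOTAL_CLUSTERS = 8

# Constructed directory table: (name, first cluster, logical size in bytes).
DIRECTORY = [
    ("report.txt", 1, 700),   # occupies clusters 1-2; 324 bytes of slack in cluster 2
    ("notes.txt", 4, 100),    # occupies cluster 4; 412 bytes of slack
]


def clusters_for(size):
    """Number of clusters a file of `size` bytes occupies (ceiling division)."""
    return -(-size // CLUSTER)


def build_sample_image(path):
    """Write a toy 'drive' whose slack and free clusters still hold an erased memo."""
    img = bytearray(CLUSTER * TOTAL_CLUSTERS)           # all zeros
    memo = b"erased memo: wire ACCOUNT 4471 to offshore; PASSWORD=hunter2 " * 60
    # The memo once filled clusters 1-6 and was then 'deleted' (only its entry went).
    img[CLUSTER * 1:CLUSTER * 7] = memo[:CLUSTER * 6]
    # New files overwrite only their logical size, so the slack keeps the old bytes.
    for name, first, size in DIRECTORY:
        body = (b"Q3 sales report, nothing to see here. " if name == "report.txt"
                else b"meeting notes ")
        img[CLUSTER * first:CLUSTER * first + size] = body.ljust(size, b".")
    with open(path, "wb") as f:
        f.write(img)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source, target):
    """Sector-level bit-stream copy (Step 4) with before/after hashes (Step 5).

    The source is only ever opened for reading; on a real device a hardware
    write blocker is still required, since that does not stop the OS itself.
    """
    before = sha256_file(source)
    with open(source, "rb") as src, open(target, "wb") as out:
        for sector in iter(lambda: src.read(CLUSTER), b""):
            out.write(sector)
    return {"source_before": before,
            "image": sha256_file(target),
            "source_after": sha256_file(source)}


def file_slack(img, entry):
    """Step 9: bytes between the end of a file's data and the end of its last cluster."""
    _, first, size = entry
    return img[first * CLUSTER + size:(first + clusters_for(size)) * CLUSTER]


def unallocated(img, directory):
    """Step 10: clusters no directory entry points at, as (cluster number, bytes)."""
    used = set()
    for _, first, size in directory:
        used.update(range(first, first + clusters_for(size)))
    return [(c, img[c * CLUSTER:(c + 1) * CLUSTER])
            for c in range(TOTAL_CLUSTERS) if c not in used]


def keyword_search(img, directory, keywords):
    """Step 11: search live files, slack and free clusters; returns (region, keyword, offset)."""
    regions = []
    for entry in directory:
        name, first, size = entry
        base = first * CLUSTER
        regions.append(("file:" + name, base, img[base:base + size]))
        regions.append(("slack:" + name, base + size, file_slack(img, entry)))
    for c, data in unallocated(img, directory):
        regions.append(("unallocated:cluster%d" % c, c * CLUSTER, data))
    hits = []
    for label, base, data in regions:
        for kw in keywords:
            pos = data.find(kw)
            while pos != -1:
                hits.append((label, kw.decode(), base + pos))   # offset into the image
                pos = data.find(kw, pos + 1)
    return hits


def run_demo():
    """Acquire, authenticate and analyse the constructed device; returns the results."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "device.bin")
    image = os.path.join(workdir, "device.dd")
    build_sample_image(device)
    hashes = image_device(device, image)
    with open(image, "rb") as f:          # analysis is done on the image, never the original
        img = f.read()
    hits = keyword_search(img, DIRECTORY, [b"ACCOUNT", b"PASSWORD"])
    return {"hashes": hashes, "hits": hits}


if __name__ == "__main__":
    result = run_demo()
    print("hashes match:", len(set(result["hashes"].values())) == 1)
    for label, kw, off in result["hits"]:
        print("%-24s %-9s at image offset %d" % (label, kw, off))
```

On the constructed image no live file contains either key word; every hit comes from file slack or from unallocated clusters, which is exactly why Steps 9 to 11 search those areas rather than only the files the directory lists. The three matching hashes are the record that Step 5 asks for: the source was unchanged by the imaging and the image is a faithful copy of it.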
Conclusion
Forensics is an extremely valuable tool in the investigation of computer security incidents.
Considerable legal issues arise when investigating computer systems.
Intrusion Detection might support Computer Forensics in the future, and vice versa.