Project Report

On ‘Cyber Crime Investigation Manual’

Submitted To: Mr. Vineet Kumar (CTO, C.D.R.C)

Submitted By: Kumar Saurabh, Neel Nayak, Vinamra Rai, Gopal Singh, Vineet Kumar Mishra, Gaurav Chaurasia

(National Law Institute University, Bhopal)


Jharkhand Police Initiatives

The Jharkhand state government has taken a significant step towards taking command of cyber security by establishing the first research centre of its kind in the state, the Cyber Defence Research Centre (CDRC), Ranchi, a joint initiative of the Government of Jharkhand and the Jharkhand State Police (Special Branch). The organisation has been set up with the directive of building capability to proactively control cybercrime and provide cyber security across the state. CDRC operates from the State Police HQ in Ranchi and oversees the entire state, identifying areas of improvement and implementing measures to address cybercrime and cyber threats. The goal is to make Jharkhand a model state in the country in respect of cyber security control.

The objective of CDRC is to engage in various activities and research aimed at raising the level of cyber security in Jharkhand State, as indicated in the brief list below:

- Law Enforcement, Investigation and Forensics Assistance to State CID, Cyber cells and Police units
- Cyber Café Controls
- Cyber Intelligence
- Technology Development
- Responsible Disclosure
- Public and Industry Awareness
- Research
- Anti-Piracy
- Secure Wi-Fi
- Cybercrime Helpline, Public Outreach
- Telecom Security
- Cyber terrorism controls
- State Critical Infrastructure
- National/International tie-up to further our capabilities in these domains

Vision and Mission of Cyber Defence Research Centre (C.D.R.C.)


VISION

CDRC has been set up to deal with cyber security and website hacking and to work for the overall protection of cyber assets and critical infrastructure in the State of Jharkhand.

MISSION

The CDRC team will work as a research team to help build a proactive and resilient cyber defence system and provide solutions to State Government departments and agencies in a guided manner, while keeping a watch on malicious attempts to hack websites and IT infrastructure belonging to the State Government, private organisations and PSUs. CDRC will endeavour to work in an advisory capacity and not as an investigative body.

Declaration


We (Kumar Saurabh, Neel Nayak, Vinamra Rai, Gopal Singh, Vineet Kumar Mishra, Gaurav Chaurasia), students of M.S. Cyber Law and Information Security, hereby declare that the project titled “Cyber Crime Investigation Manual”, submitted by us to the department of Special Branch, Cyber Defence Research Centre, Jharkhand Police, Ranchi, is in partial fulfilment of the requirements for the award of the training and internship programme.

Kumar Saurabh

Neel Nayak

Vinamra Rai

Gopal Singh

Gaurav Chaurasia

Vineet Kumar Mishra


Acknowledgement

We would like to express our deepest appreciation to the Chief Technology Officer, Mr. Vineet Kumar (Cyber Defence Research Centre, Ranchi), who has the attitude and the substance of a genius: he continually and convincingly conveyed a spirit of adventure in regard to research and scholarship, and an excitement in regard to teaching, by providing us with valuable suggestions and guidance on techno-legal concepts, which helped us to complete our project.

We would also like to thank the other faculty members as well as our friends who gave their timely help, encouragement and criticism during the various stages of the project, without which it would not have been easy to complete our task up to the mark.

We also thank the Cyber Defence Research Centre (C.D.R.C.), which gave us, students of The National Law Institute University, Bhopal, pursuing the Master of Science in Cyber Law and Information Security (M.S.C.L.I.S.) under course coordinator Mr. Atul Kumar Pandey (Asstt. Prof., NLIU, Bhopal), the opportunity to complete our internship programme with their organisation.

______

Kumar Saurabh

Neel Nayak

Vinamra Rai

Gopal Singh

Gaurav Chaurasia

Vineet Kumar Mishra

INDEX


Title Page No.

Need for preparing manual 14

Chapter-I Introduction 16
1.1 Overview of Cyber Crime 16
1.2 Current Scenario 17
1.3 Steps Taken by Government 17

Chapter II: Cybercrime Assessment 19
2.1 Definition 19
2.2 Types of Cyber Crimes 20
2.2.1 Against Persons 20
2.2.2 Against Property 23
2.2.3 Against Government 27
2.3 Sources/Techniques of Cybercrime 29

Chapter III- Law Enforcement Against Cyber Crimes 34
3.1 INFORMATION TECHNOLOGY ACT, 2000: 34
3.2 THE INDIAN PENAL CODE, 1860: 35
3.3 BANKERS’ BOOK EVIDENCE ACT, 1891: 35
3.4 THE INDIAN EVIDENCE ACT, 1872: 36
3.5 THE COPYRIGHT ACT 1956: 38
3.6 TABLE OF CRIMES AND ACT 39
3.7 Case Studies 45

Chapter IV: Evidence Portal 51
4. Digital evidence 51
4.1 Introduction- 51
4.2 What can be used as digital evidence (sources)- 51
4.3. What can be considered as evidence? 56
4.4. 57
4.4.1 Computer fraud investigation: 57
4.4.2. Child abuse and pornography investigation: 58
4.4.3. Network intrusion investigation: 58
4.4.4 Homicide investigation: 58
4.4.5. Domestic violence investigation: 59
4.4.6. Financial fraud and counterfeiting investigation: 59
4.4.7. E-mail threats, harassment and stalking investigations: 60
4.4.8. Narcotics investigation: 60
4.4.9. Software piracy investigation: 61
4.4.10 Telecommunication fraud investigation: 61
4.4.11. Identity theft investigation: 61
4.5. Tools Used for Collecting Evidences- 63
4.5.1. : 63
4.5.2. Memory forensics- 65
4.5.3. - 66
4.5.4. - 67
4.5.5. Other- 68
4.6. Search and Seizure- 68
4.6.1. Seizure memo (panchnama) and seizure proceeding- 69
4.7. Handling of evidence- (Annexure-3) 70
4.7.1. For desktop and laptop computer (which are in switched off state) 70
4.7.2. For desktop and laptop computer (switched on state):- 70
4.7.3. Electronic organizers and personal digital assistants (PDA):- 71
4.7.4. Transportation of evidence:- 72
4.8. Chain of custody- (Annexure-5) 73
4.8.1. Important steps to be kept in mind for chain of custody- 74
4.9. Integrity of digital evidence- 74
4.10. Procedure to file a complaint: 77
4.10.1. Documentation required with digital evidence:- 77

Chapter V: Computer Forensics 79
5.1 Understanding of Forensics 79
5.2 Importance 80
5.3 Techniques 80
5.3.1 Data Seizure 81
5.3.2 Data Duplication and Preservation 81
5.3.3 Data Recovery 81
5.3.4 Document Searches 81
5.3.5 Media Conversion 82
5.3.6 Expert Witness Services 82
5.3.7 Computer Evidence Service Options 82
5.3.8 Other Miscellaneous Services 82
5.4 Computer Forensics Systems 83
5.5 Methodology 91
5.5.1 Steps Followed Under Methodology: 91

Chapter VI- Cyber Crime Investigations 94
6.1 Crime Related to Mobile Phones 94
6.1.1 Case Study- 94
6.1.2 Location Mapping of Mobile Phones:- 96
6.1.2.1 PHONE NUMBER TRACING- 96
6.1.2.2 IMEI Tracing 99
6.1.2 TOOL USED FOR MOBILE FORENSICS:- 99
6.1.2.1 Mobile phone inspector utility 99
6.1.2.2 Mobile phone inspection software:- 100
6.1.3 We can use XRY: 101
6.1.4 XRY logical 102
6.1.5 XRY physical 103
6.1.6 XRY complete 103
6.1.7 XACT- Currently used by Jharkhand Police 104
6.1.8 XRY SIM ID-CLONER 105
6.2 Crime related to Web Services 106
6.2.1 Case Study: 106
6.2.2 Block Diagram: 106
6.3 Crime Related to Financial Fraud/ Banking Fraud 109
6.3.1 Block Diagram: 110
6.4 Procedure of Forensics 112
6.4.1 EnCase Layout 112
6.4.1.2 Creating a Case 113
6.4.1.2 Creating Case Template on Desktop 115
6.4.1.3 Process 119
6.4.1.4 Countermeasures 120
6.4.2 FTK 121
6.4.2.1 USES OF FTK 121
6.4.2.2 FTK is a solution for Decryption and Password Recovery 122
6.4.2.3 FTK allows for a graphical interface filtering function 123
6.4.2.4 WORKING WITH FTK 124
6.4.2.5 PROCESSING THE CASE: 125

Chapter- VII Challenges in Investigation of Cybercrime 127
7.1 Technical Issues 127
7.1.1 Search and Seizure 127
7.1.2 Understanding of Cryptographic Concept 128
7.2 Legal Issues 129
7.2.1 Difficulties in terminology 130
7.2.2 Choosing of Appropriate Jurisdiction 130
7.3 Other Issues 130
7.3.1 Complexity in collecting evidence 131
7.3.2 Logistical and Practical Barriers 131
7.3.3 Identifying Suspects 132
7.3.4 Lack of awareness and knowledge 132
7.3.5 Lack of training 132
7.4 Actions and Power of Police Officials 133

Annexure-1 135
Annexure 2 138
Annexure 3 140
Annexure 4 142
GLOSSARY 145


“Cyber crime investigation manual”

Need for preparing manual

The 21st century is advancing and developing day by day, with technologies promoting themselves at a rapid rate. They attract the human mind because they suit people's busy and hectic schedules: new technologies save time and are greatly beneficial from the human point of view.

The 21st century is also known as the era of an upcoming war, termed cyber war, where the fight is not between arms and explosives but between computers, laptops and any electronic gadget that runs a web application. According to specialists and experts, this war can take place at any time, anywhere across the world. Many people get involved in it by gathering knowledge about new and advancing technologies and putting that knowledge into practice. The war involves many people, technicians and experts, many of whom are known as hackers.

The concept of cyber war arose among experts as the world was introduced to many technologies that spread rapidly among people. Government organisations, business firms, the private sector and many other sectors have put many of their services online, which attracts people because it requires less effort; even important government departments such as post offices and banks have made their services available online to every individual. The point is that if an organisation supports some online activity, it is equally important for it to provide security at a high level, which is only possible with the help of experts who have sound knowledge of all the technologies running in the organisation. It is likewise important for every individual to obtain proper security for all the investments and savings he or she has made.

The challenges in such cases are not only technological but also jurisdictional. Many countries are involving themselves in combating cybercrime by implementing laws and acts; India addresses its jurisdictional problems through the Information Technology Act, 2000 (amended 2008), with certain guidelines and various provisions for cybercrime, each with its objective.

The issue arising for the Indian Government is that many of its officials do not know how to investigate cybercrimes. This is not a problem of the Indian government alone; many other countries face the same problem with their officials. To address this issue the government has to promote officials who are experts with sound knowledge of cybercrime and its solutions and, last but not least, fine knowledge of cyber laws and their implementation. This is important because many officials do not have proper knowledge of cyber laws, and while handling a case they charge sections according to their own understanding, which creates a problem for the accused, who may suffer by paying a handsome fine to the government or by serving a long term of imprisonment.


Chapter-I Introduction

1.1 Overview of Cyber Crime

“Digital technology and new communication systems have made dramatic changes in our lives.” Business transactions are made with the help of computers in almost all sectors, whether private or government. Technology and online communication are growing at a rapid rate; many companies and organisations use online services and also provide them to individuals for convenience. In the current scenario the Internet is accessible globally, and with it the number of hackers grows worldwide like the population of a country. Their main motive is to break into systems through the Internet and leak the valuable information of companies and organisations; this is where security is compromised. The activities of hackers have resulted in a variety of criminal acts, such as gaining unauthorised access to computer files, disrupting the operation of remote computers with viruses, worms, logic bombs, Trojan horses and denial of service attacks, identity theft and many other criminal activities.

Cybercrime is cheap to commit (if one has the know-how to do it), hard to detect (if one knows how to erase one's tracks), and often hard to locate in jurisdictional terms. The investigation of cybercrimes is complex. The evidence is often in an intangible form, and its collection, appreciation, analysis and preservation present unique challenges to the investigator. The increased use of networks and the growth of the Internet have added to this complexity. Hackers can attack the system of an individual in another country by routing through the network of a third country, using what is technically termed proxy servers, while the individual remains unaware of it because of the lack of security in his or her network and computer system.

Many commercial enterprises are becoming targets of fraud by intruders, commercial espionage and intellectual property theft, causing enormous damage to the reputation and market value of companies, affecting their shares and causing huge financial losses. Cybercrime also reaches beyond cyberspace: it causes crimes in the real world where the computer is used either as an object or a subject of the crime. Therefore, cybercrime is defined as any criminal activity that uses a computer as an instrument, target or means for perpetrating further crimes, i.e., unlawful acts wherein the computer is either a tool or a target or both.

1.2 Current Scenario

Cybercrime is rising all over the world, including in India, for which the government has had to adopt measures to combat this criminal activity. In the Indian scenario cybercrimes are reported under the Information Technology Act, 2000 (amended 2008). Apart from the crimes registered under the IT Act, there are a number of crimes in which computers are used that are registered under the provisions of the Indian Penal Code, 1860. Other statutes under which cybercrime cases are registered include the Indian Evidence Act, 1872; the Bankers’ Book Evidence Act, 1891; the Indian Telegraph Act, 1885; the NDPS Act; the Arms Act; and the Code of Criminal Procedure. Cybercrimes reported in India include breach of trust and privacy, hacking of computer systems, forgery using computers, and publication or transmission of obscene material in electronic form. To counter such cyber attacks the Indian government established the Computer Emergency Response Team India (CERT-In), which responds to and reports computer security incidents. Many states in India have established cybercrime police stations and cybercrime cells, which register a large number of cybercrime cases in their localities. As experts put it, “Technology has eroded the concept of state boundaries and created a borderless world”.

1.3 Steps Taken by Government

The Government of India has initiated a concerted programme for cyber security under the Department of Information Technology, along with the enactment of the Information Technology Act, 2000, which was amended in 2008 to cover newer offences. The Act prescribes punishments and penalties for various criminal offences and contraventions, and also contains guidelines, rules and procedures for ISPs and other officials. Many law enforcement agencies, including the Central Bureau of Investigation (CBI), have created separate units or cyber cells for handling cybercrime; the first cyber cell was established in the IT capital of India, Bangalore. To date many states and units have created Cyber Crime Police Stations and Cyber Crime Cells to handle the menace of growing cybercrime. (Details are provided in Annexure-1.)


Chapter II: Cybercrime Assessment

2.1 Definition

The term 'cybercrime' has not been defined in any statute or Act; therefore many experts and thinkers have given their own definitions for understanding 'cybercrime':

- The Oxford Reference Online defines 'cybercrime' as crime committed over the Internet.
- The Encyclopedia Britannica defines 'cybercrime' as any crime that is committed by means of special knowledge or expert use of computer technology.
- The CBI Manual defines cybercrime as: (i) crimes committed by using computers as a means, including conventional crimes; (ii) crimes in which computers are targets.
- The United Nations defines 'cybercrime' in two categories: (a) cybercrime in a narrow sense (computer crime), i.e., any illegal behaviour carried out by means of electronic operations that targets the security of computer systems and the data processed by them; (b) cybercrime in a broader sense (computer-related crime), i.e., any illegal behaviour committed by means of, or in relation to, a computer system or network, including crimes involving mens rea such as illegal possession, offering or distribution of information by means of a computer system or network.
- The FBI, in its law enforcement bulletin, defines cyber terror as “the intimidation of civilian enterprise through the use of high technology to bring about political, religious, or ideological aims, actions that result in disabling or deleting critical infrastructure data or information”.

So what exactly is cybercrime? Cybercrime could reasonably include a wide variety of criminal offences and activities covered by the provisions of various laws. A generalised definition of cybercrime may be "unlawful acts wherein the computer is either a tool or target or both". The Information Technology Act, 2000 does not define the term 'cybercrime'. Cybercrime can generally be defined as criminal activity in which information technology systems are the means used for the commission of the crime.

2.2 Types of Cyber Crimes


2.2.1 Against Persons

Crime has existed since the birth of human society and has advanced along with society and culture. Criminals are also using new technologies to defeat the highly advanced security measures that people adopt. In the current situation cybercrime is taking place at a rapid rate, with even minors involved in theft, fraud and other activities.

The expanding reach of computers and the Internet has made it easier for people to keep in touch across long distances and collaborate for many purposes related to business, education and other activities of human culture. However, every new technology used for beneficial purposes is also capable of misuse. Hence it is the job of the legal system and regulatory agencies to keep pace and ensure that newer technologies do not become tools of exploitation and harassment. The World Wide Web (WWW) allows users to circulate content in the form of text, images, videos and sounds. Websites are created and updated for many useful purposes, but a technology that provides great services to us can also be used for criminal activities. For example, websites are used to circulate offensive content against an individual, such as pornography, hate speech and defamatory material. The various types of cybercrime committed against an individual include:

- Harassment via e-mails
- E-mail spoofing (sending an e-mail message from a fake source while making it appear to originate from an authentic source)
- Cyber pornography (where cyberspace is used as a medium to design, distribute or publish pornographic material)
- Cyber-stalking (where an individual pursues or repeatedly attempts to contact someone via the Internet or any other digital device)
- Dissemination of obscene material (widespread publishing of obscene material)
- Defamation (injury to the reputation of a person by publishing a false statement that affects someone's reputation)
- Unauthorised control/access over a computer system (accessing a computer system without the owner's consent)
- Indecent exposure (any vulgar and offensive nakedness in a public place)
- Cheating and fraud (something intended to deceive; deliberate trickery intended to gain an advantage)
- Breach of confidentiality (using the identity of any individual with criminal intent)

2.2.2 Against Property

The second category of cybercrime concerns crimes against property; there are numerous crimes against property in the statutes, too vast in number to discuss here. In the age of automation, computer applications are likely targets for theft, fraud, vandalism, extortion and even espionage, which can be termed the darker side of the computer revolution. Cybercrime has now become a reality in India.

- Identity theft (impersonating someone without their knowledge by obtaining their personal and/or confidential information)
- Intellectual property theft (any kind of creation such as designs, artwork or literature born of one's intellect is termed intellectual property; when a criminal with mala fide intent steals it, the crime is known as intellectual property theft. Given the quantum of information flowing through cyberspace and the ease of copying, such crimes are very prevalent.)
- Forgery (creating a fake copy or imitation of a document or object with the intention to deceive; digital forgery involves creating the same fakes in electronic form)
- Salami attack (an attack on a computer system or network in which a cybercriminal transfers an amount so small as to be negligible from a victim's bank account to his own; each transfer is a thin slice of a large amount, which is how the attack gets its name)
- Source code attack (source code is the blueprint of software and is considered intellectual property; computer programs cannot be created without it)
- Denial of Service (DoS) attack (prevents legitimate users from accessing a particular resource by making it unavailable; the resource may be a website, your own computer, e-mail, a database or any other information accessed by an individual as an authorised user)
- Skimming (a kind of credit/debit/ATM/SIM card fraud in which a criminal plants a device to capture someone's personal information; details such as name, card number and expiry date can then be used to create fake cards)
- Pharming (an attack in which the user is deceived into entering sensitive data, such as PINs, credit card numbers and passwords, into a fake website that impersonates a genuine one)
- Spamming (sending unsolicited junk e-mails or messages for the purpose of causing annoyance or inconvenience)
- Data alteration or diddling (modifying data before or after it is entered into the system, generating a faulty output; it can be defined as illegal or unauthorised fraudulent alteration of data)

2.2.3 Against Government


Two of the great fears of the late twentieth century are combined in the term “cyber terrorism”. If we ask ten computer security experts about cyber terrorism today, we get different meanings or definitions from each of them. Difficult to detect, seldom reported and even more difficult to prove, computer-related crime lacks a traditional paper audit trail; it falls outside conventional policing and requires specialists with a sound understanding of computer technology. The term 'cyber terrorism' was coined by Barry C. Collin. Terrorism is the calculated and unlawful use of force or violence against persons or property to inculcate fear and coerce governments, civilians or any part of society in furtherance of goals that may be religious, political or ideological. An example of cyber terrorism could be hacking into a hospital computer system and changing someone's medicine prescription to a lethal dosage as an act of revenge. In today's scenario the Indian government plans for society, including the military, civilians and the private sector, to be involved in developing and deploying new communications and advanced technologies, with a superior technological standard of work and living.

The main purpose of cyber terrorism is to create fear in a population by causing confusion and uncertainty, with the goal of influencing a government or population to conform to a particular political, social or ideological agenda. Such attacks are carried out by terrorists as an eruption of negative feelings against a community, country, state or individual, with the aim of causing harm and generating fear. This happened in the case of the Assam migration controversy, when Pakistani hackers hacked some Indian websites and sent a message to the people of India claiming that north-east people, who are citizens of India, had their lives in danger. The message created panic and phobia among the citizens of the country, due to which many north-east people went back to their homes and many of them suffered. The problem was soon resolved and the people of the north-east came back and continued with their work, though many of them had left their jobs, studies and businesses.

These methods of cyber terrorism were first used in a reported attack by terrorists against a country's computer systems in Sri Lanka in 1998, when the ethnic Tamil Tigers guerrillas overwhelmed Sri Lankan embassies with 800 e-mails a day for a period of two weeks. The messages threatened massive disruption of communications and caused fear and panic among ordinary Sri Lankans, as the rebel group was notorious for killing people.

Cyber terrorism once again came to the fore in India in the form of the Mumbai attacks. The terrorists were extremely technology savvy and were using satellite phones with impunity. They can not only spread terror but also threaten our computer and communication networks. They have highly qualified engineers in their groups, with the capability not only to hack systems but also to damage them, and they attempt to hack the country's defence sites. It was in the year the country was shaken by the Mumbai attacks that the government swung into action and got the amendments to the Information Technology Act, 2000 passed in both houses of Parliament.

India's legislation, the Information Technology Amendment Act, 2008, contains a provision on cyber terrorism: Section 66F defines and penalises it. To qualify as an act of cyber terrorism, the act must be committed with the intention to threaten the unity, integrity, security or sovereignty of India by interfering with authorised access to a computer resource, obtaining unauthorised access to a computer resource or damaging a computer network. Such acts are punishable if they cause death or injury to persons, cause damage or destruction to property, disrupt essential supplies or services or affect critical information infrastructure. The penalties range from three years' imprisonment to life imprisonment and a fine, depending on the seriousness of the crime.

2.3 Sources/Techniques of Cybercrime

Various techniques and sources are used to commit cybercrimes; some of them are as follows:

a) Buffer Overflow: Occurs when a program or process tries to store more data in a buffer (a temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information, which has to go somewhere, can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.

b) Spyware: Often associated with software that displays advertisements (called adware) or software that tracks personal or sensitive information.

c) Worm: A standalone malware program that replicates itself in order to spread to other computers. It uses the computer network to spread, relying on security failures on the target computer to gain access.

d) Trojan: A destructive program that masquerades as a legitimate application. Unlike viruses, Trojan horses do not replicate themselves, but they can be just as destructive.

e) Social Engineering: Cybercriminals also use social engineering to convince someone to install malicious software or hand over personal information under false pretences. They may persuade the victim by e-mail, by a phone call, or by inducing them to download something from a website.

f) Steganography: The art and science of hiding information by embedding messages within other, seemingly harmless messages. It is used to supplement encryption: an encrypted file may additionally hide information using steganography, so even if the encrypted file is deciphered, the hidden message is not seen.

g) Zombie: A computer that has been implanted with a daemon that puts it under the control of a malicious hacker without the knowledge of the computer's owner. Zombies are used by malicious hackers to launch DoS attacks: the hacker sends commands to the zombie through an open port, and on command the zombie sends an enormous number of packets of useless information to a targeted website in order to clog the site's routers and keep legitimate users from gaining access to it.

h) Phishing Attack: A fraudulent attempt to acquire confidential information such as usernames, passwords, PINs and credit card numbers by sending fake e-mails and/or redirecting an innocent user to a fake website that induces the user to submit his or her personal information.

i) Malware Attacks: Malware is software that performs unwanted actions on a computer, which could include intentional program crashes, unwanted pop-ups, theft of confidential user data and destruction of data and/or hardware. Based on its characteristics or traits, malware can be classified into categories such as worm, Trojan or keylogger.

j) E-mail bombing: An attack that involves sending a massive number of e-mails to a particular system, consuming its storage or network resources.

k) Wardriving: The act of seeking out Wi-Fi networks by moving around with a computer, smartphone or equivalent device that detects these networks.

l) Backdoor: A means of access to a computer program that bypasses its security mechanisms. A programmer may sometimes install a backdoor so that the program can be accessed for troubleshooting or other purposes.

m) Cyber bullying: The use of the Internet and related technologies to bully other people in a deliberate, repeated and hostile manner. This could be done via text messages or images, hate speech and other activities.

n) Sniffing: A program or device that captures vital information from the traffic on a particular network. Its objective is to steal passwords, e-mail text and files as they are transferred from source to destination.

o) Rootkit: Software used to hide the fact that a computer system has been compromised, for example by modifying system commands to conceal changes made to the system. Rootkits are among the most feared and hardest to detect of all types of malware.


Chapter III- Law Enforcement Against Cyber Crimes

3.1 INFORMATION TECHNOLOGY ACT, 2000:

IT Act 2000: Computers are being used to create, transmit and store information in electronic form instead of paper documents, but the main hurdle in e-Governance is the requirement of writing and signature for legal recognition. At present, many legal provisions require evidence in the form of paper documents bearing signatures. The law of evidence is based on paper-based records; hence, for the success of e-Governance and e-Commerce, legal changes were required. Therefore, the Govt. of India introduced a new law giving legal recognition to electronic records. This gave birth to the Information Technology Bill, 1999, which was passed by both houses of Parliament in May 2000, and the President gave his assent in August 2000. This Information Technology Bill is called the Information Technology Act, 2000, which also contains cyber laws.

Objectives of the Information Technology Act 2000 are:

(a) To grant legal recognition to transactions carried out by means of EDI and E-Commerce in place of paper-based methods of communication.

(b) To give legal recognition to digital signatures for authentication of any information.

(c) To facilitate electronic filing of documents with Govt. departments.

(d) To facilitate electronic storage of data.

(e) To facilitate and give legal recognition to electronic fund transfers between banks and financial institutions.

(f) To give legal recognition for keeping books of accounts in electronic form by bankers.

(g) To amend the Indian Penal Code, the Indian Evidence Act, the Banker's Book Evidence Act and the Reserve Bank of India Act.

The Act consists of 94 Sections spread over thirteen chapters and four schedules. The schedules of the Act contain related amendments to other acts, namely the Indian Penal Code, the Indian Evidence Act, 1872, the Banker's Book Evidence Act, 1891 and the Reserve Bank of India Act, 1934.


3.2 THE INDIAN PENAL CODE, 1860:

The Indian Penal Code is the main criminal code of India. It is a comprehensive code, intended to cover all substantive aspects of criminal law. It was drafted in 1860 and came into force in colonial India during the British Raj in 1862. In independent India, many special laws have been enacted with criminal and penal provisions which are often referred to and relied upon as additional legal provisions in cases which also refer to the relevant provisions of the IPC.

It has since been amended several times and is now supplemented by other criminal provisions. In the state of Jammu and Kashmir, the IPC is known as Ranbir Penal Code (RPC).

ITA 2000 has amended the sections of the IPC dealing with records and documents by inserting the word ‘electronic’, thereby treating electronic records and documents on a par with physical records and documents. The sections dealing with false entries in a record or false documents etc. (e.g. 192, 204, 463, 464, 468 to 470, 471, 474, 476 etc.) have since been amended to cover electronic records and electronic documents, thereby bringing within the ambit of the IPC all crimes against an electronic record or electronic document, just like physical acts of forgery or falsification of physical records.

In practice, however, the investigating agencies file cases quoting the relevant sections of the IPC in addition to the corresponding sections of the ITA, for example offences under IPC 463, 464, 468 and 469 read with ITA/ITAA Sections 43 and 66, to ensure that the evidence or punishment provided in at least one of the two legislations can be applied easily.

3.3 BANKERS’ BOOK EVIDENCE ACT, 1891:

The amendment to this Act has been included as the third schedule of the ITA. Prior to the passing of the ITA, any evidence from a bank to be produced in a court necessitated production of the original ledger or other register for verification at some stage, with the copy retained in the court records as an exhibit. With the passing of the ITA, the definitions part of the BBE Act stood amended as: “‘bankers’ books’ include ledgers, day-books, cash-books, account-books and all other books used in the ordinary business of a bank whether kept in the written form or as printouts of data stored in a floppy, disc, tape or any other form of electro-magnetic data storage device”. When the books consist of printouts of data stored in a floppy, disc, tape etc., a printout of such entry certified in accordance with the provisions to the effect that it is a printout of such entry or a copy of such printout by the principal accountant or branch manager; and (b) a certificate by a person in charge of the computer system containing a brief description of the computer system and the particulars of the safeguards adopted by the system to ensure that data is entered or any other operation performed only by authorized persons; the safeguards adopted to prevent and detect unauthorized change of data and to retrieve data that is lost due to systemic failure or .....

In short, just as in the Indian Evidence Act, the provisions of the Bankers’ Books Evidence Act make the printout from a computer system, floppy, disc or tape a valid document and evidence, provided such printout is accompanied by a certificate stating that it is a true extract from the official records of the bank and that such entries or records come from a computerized system with proper integrity of data, wherein data cannot be manipulated or accessed in an unauthorized manner and is not lost or tamperable due to system failure or other such reasons.

Here again, let us reiterate that the law does not state that any computerized printout, even if not signed, constitutes a valid record. Yet many banks of repute (both public sector and private sector) often send out printed letters to customers with the space for signature below the line “Yours faithfully” left blank and with a postscript reading: “This is a computer generated letter and hence does not require signature”. Such an interpretation is grossly misleading and sends the message to the public that computer generated reports or letters need not be signed, which is mentioned nowhere in, and is not the import of, the ITA or the BBE Act.

3.4 THE INDIAN EVIDENCE ACT, 1872:

This is another legislation amended by the ITA. Prior to the passing of the ITA, all evidence in a court was in physical form only. With the ITA giving recognition to electronic records and documents, it was but natural that the evidentiary legislation of the nation be amended in tune with it. In the definitions part of the Act itself, the words “all documents including electronic records” were substituted. Terms like ‘digital signature’, ‘electronic form’, ‘secure electronic record’ and ‘information’, as used in the ITA, were all inserted to make them part of the evidentiary mechanism in legislation.

The admissibility of electronic records as evidence, as enshrined in Section 65B of the Act, assumes significance. This is an elaborate section and a landmark piece of legislation in the area of evidence produced from a computer or electronic device. Any information contained in an electronic record which is printed on paper, or stored, recorded or copied in optical or magnetic media produced by a computer, shall be treated like a document, without further proof or production of the original, if conditions like these are satisfied:

(a) The computer output containing the information was produced by the computer during the period over which the computer was used regularly by lawful persons;

(b) The information derived was regularly fed into the computer in the ordinary course of the said activities;

(c) Throughout the material part of the said period, the computer was operating properly and a certificate signed by a person responsible..... etc.

To put it in simple terms, evidence (information) taken from computers or electronic storage devices and produced as printouts or in electronic media is valid if it is taken from a system that was handled properly, with no scope for manipulation of data and with the integrity of the data produced ensured, directly or without human intervention etc., and accompanied by a certificate signed by a responsible person declaring the correctness of the records taken from the computer system, with all the precautions laid down in the Section.

However, this Section is often misunderstood by one part of the industry to mean that computer printouts can be taken as evidence and are valid as proper records even if they are not signed. We find many computer generated letters emanating from big corporates with proper space below for a signature under the words “Yours faithfully” or “truly”, the signature space left blank, and a postscript remark at the bottom: “This is a computer generated letter and hence does not require signature”. The Act does not anywhere say that ‘computer printouts need not be signed and can be taken as record’.

3.5 THE COPYRIGHT ACT 1956:

Copyright protects authors and creators from unauthorized reproduction or adaptation of original creations such as books, computer programs, scripts, paintings, sculptures, drawings, photographs, music, film, video, broadcasts and the choreography of a performance. The copyright owner has the exclusive right to copy, publish, perform, broadcast, adapt (for example, a screenplay from a novel), sell, license or import copyright protected creations. Copyright is a type of intellectual property as it protects creative and inventive endeavours.

3.6 TABLE OF CRIMES AND ACT

NATURE OF OFFENCE | SECTIONS UNDER IT ACT AND PUNISHMENT | SECTIONS UNDER OTHER LAW AND PUNISHMENT

1. FRAUDS & CRIMES BY EMAILS

1. Email Spoofing | Section 66C – up to 3 yrs imprisonment and fine up to 1 lakh rupees. | Section 465 IPC – up to 2 yrs imprisonment or fine or both. Section 468 IPC – up to 7 yrs imprisonment and fine.
2. Email Abuse | Section 66A – up to 3 yrs imprisonment and fine | Section 500 IPC – up to 2 yrs or fine or both
3. Sending defamatory messages by email | Sec 66A – up to 3 yrs imprisonment and fine | Sec 500 IPC – up to 2 yrs or fine or both
4. Sending threatening messages by e-mail | Sec 66A – up to 3 yrs imprisonment and fine | Sec 504 IPC – up to 2 yrs or fine or both
6. Phishing Email | Sec 66D – up to 3 yrs imprisonment and fine up to 2 lakh rupees | Sec 419 IPC – up to 3 yrs imprisonment or fine or both
7. Dishonestly reading someone’s emails | Sec 66 – up to 3 yrs imprisonment or fine up to 5 lakh rupees or both. Sec 66C – up to 3 yrs imprisonment and fine up to 1 lakh rupees |
8. Unsolicited Email | N.A. | N.A.

2. STOLEN / THEFT

9. Dishonestly receive/retain stolen communication device like Mobile Phone | Sec 66B – up to 3 yrs imprisonment or fine up to 1 lakh rupees or both | Sec 411 IPC – up to 3 yrs imprisonment or fine or both
10. Stolen communication device | | Sec 379 IPC – up to 3 yrs imprisonment or fine or both
11. Data theft (owned by person or company) | Sec 66 – up to 3 yrs imprisonment or fine up to 5 lakh rupees or both | Sec 379 IPC – up to 3 yrs imprisonment or fine or both
12. Data theft (from government computer that compromises national security perspective) | Sec 66 – up to 3 yrs imprisonment or fine up to 5 lakh rupees or both. Sec 66F – lifetime imprisonment |
13. Stealing password, digital signature, cookies or any unique identification feature and misusing it | Sec 66C – up to 3 yrs imprisonment and fine up to 1 lakh rupees. Sec 66D – up to 3 yrs imprisonment and fine up to 5 lakh rupees. | Sec 419 IPC – up to 3 yrs imprisonment or fine. Sec 420 IPC – up to 7 yrs imprisonment and fine

3. OBSCENITY

14. Capturing, publishing, transmitting the image of private area without the consent or knowledge of person | Sec 66E – up to 3 yrs imprisonment or fine not exceeding 2 lakh rupees or both | Sec 292 IPC – up to 2 yrs imprisonment and fine 2000 rupees, and up to 5 yrs imprisonment and fine 5000 for second and subsequent conviction
15. Sending offensive message (cyber-stalking and bullying) through communication service, etc. | Sec 66A – up to 3 yrs imprisonment and fine. | Sec 500 IPC – up to 2 yrs or fine or both. Sec 504 IPC – up to 2 yrs or fine or both. Sec 506 IPC – up to 2 yrs or fine or both (if threat to cause death or grievous hurt, etc. – up to 7 yrs or fine or both). Sec 507 IPC – up to 2 yrs along with punishment under Sec 506 IPC. Sec 508 IPC – up to 1 year or fine or both. Sec 509 IPC – up to 1 year or fine or both
16. Publishing or transmitting obscene material in electronic form | Sec 67 – up to 3 yrs imprisonment and 5 lakh rupees (first conviction); up to 5 yrs and fine up to 10 lakh rupees (second and subsequent conviction) | Sec 292 IPC – up to 2 yrs and fine 2000 rupees (first conviction); up to 5 yrs and fine 5000 rupees (second and subsequent conviction)
17. Publishing or transmitting of material containing sexually explicit act, etc. in electronic form | Sec 67A – up to 5 yrs imprisonment and 10 lakh rupees (first conviction); up to 7 yrs and fine up to 10 lakh rupees (second and subsequent conviction) | Sec 292 IPC – up to 2 yrs and fine 2000 rupees (first conviction); up to 5 yrs and fine 5000 rupees (second and subsequent conviction)
18. Publishing or transmitting of material depicting children in sexually explicit act, etc. in electronic form | Sec 67B – up to 5 yrs imprisonment and 10 lakh rupees (first conviction); up to 7 yrs and fine up to 10 lakh rupees (second and subsequent conviction) | Sec 292 IPC – up to 2 yrs and fine 2000 rupees (first conviction); up to 5 yrs and fine 5000 rupees (second and subsequent conviction)

4. TAMPERING/FORGERY/MODIFICATION

19. Making false document | Sec 66D – up to 3 yrs imprisonment and fine up to 1 lakh rupees | Sec 465 IPC – up to 2 yrs imprisonment or fine or both
20. Forgery for purpose of cheating | Sec 66D – up to 3 yrs imprisonment and fine up to 1 lakh rupees | Sec 468 IPC – up to 7 yrs imprisonment and fine
21. Forgery for purpose of harming reputation | Sec 66D – up to 3 yrs imprisonment and fine up to 1 lakh rupees | Sec 469 IPC – up to 3 yrs imprisonment and fine
22. Tampering with computer source documents | Sec 65 – up to 3 yrs imprisonment or fine up to 2 lakh rupees or both. Sec 66 – up to 3 yrs imprisonment or fine up to 5 lakh rupees or both | NA
23. Data Diddling | Sec 66 – up to 3 yrs imprisonment or fine up to 5 lakh rupees or both. Sec 43(d) – penalty not exceeding Rs. 1 crore. | NA

5. SOCIAL NETWORKING CRIMES

24. Fake profile | Sec 66D – up to 3 yrs imprisonment and fine up to 1 lakh rupees | Sec 465 IPC – up to 2 yrs imprisonment or fine or both
25. Location mapping | NA | NA
26. Tagging/uploading photo of someone else without his/her consent | NA | NA
27. Criminal intimidation by an anonymous communication, e.g. hate page, comments, messaging | Sec 66A – up to 3 yrs imprisonment or fine up to 5 lakh rupees or both | Sec 506 IPC – up to 2 yrs imprisonment or fine or both
28. Cyber bullying

6. COPYRIGHT INFRINGEMENT

29. Deep linking of website | NA | NA
30. Framing | NA | NA
31. In-linking | NA | NA
32. Filtering | NA | NA
33. Piracy of Software (knowing use of an infringing copy of a computer programme is an offence; downloading copyrighted material/data, e.g. music, movies, files, photos, is an infringement) | Sec 66 – up to 3 yrs imprisonment and fine. Sec 43 | Sec 63 and Sec 63B, Copyright Act

7. TRADE-MARK INFRINGEMENT

34. Meta-tagging | NA | NA
35. Domain name dispute (cybersquatting) | NA |

8. ATTACKS

36. Denial of Service (DoS) attack and Distributed Denial of Service (DDoS) | Sec 66 – up to 3 yrs imprisonment or fine up to 5 lakh rupees or both. | NA
37. Salami Attack | NA |
38. Malware attack | NA |
40. Spamming | NA |
41. Spoofing | Sec 66A – up to 3 yrs imprisonment and fine. Sec 66D – up to 3 yrs imprisonment and fine up to 1 lakh rupees | NA
42. Pharming | Sec 66C – up to 3 yrs imprisonment and fine up to 1 lakh rupees. Sec 66D – up to 3 yrs imprisonment and fine up to 1 lakh rupees | NA
43. Viruses/Trojan | Sec 66 – up to 3 yrs imprisonment or fine up to 5 lakh rupees or both. Sec 66F – life imprisonment | NA
44. DNS Poisoning attack | NA | NA
45. Blue-jacking, Blue-bugging, Blue-snarfing | NA | NA

9. FINANCIAL FRAUDS

46. Card Skimming | Sec 66C – up to 3 yrs imprisonment and fine up to 1 lakh rupees |
47. Espionage (Shoulder Surfing) | Sec 66 – up to 3 yrs imprisonment or fine up to 5 lakh rupees or both, and Sec 70 – up to 10 yrs imprisonment and fine |
48. Fake ATM | NA |
49. Vishing | NA |
50. E-Shoplifting | NA |
51. Lottery Scam | NA |

10. WEB RELATED CRIMES

52. Web Jacking | Sec 67 – up to 3 yrs imprisonment and 5 lakh rupees (first conviction); up to 5 yrs and fine up to 10 lakh rupees (second and subsequent conviction). Sec 66F – life imprisonment (depending on the situation). | Sec 383 IPC – imprisonment may extend to 3 yrs or fine or both
53. Web Defacement | Sec 66 – up to 3 yrs imprisonment or fine up to 5 lakh rupees or both. | NA
54. Fake website | Sec 66D – up to 3 yrs imprisonment and fine up to 1 lakh rupees | Sec 419 IPC – up to 3 yrs imprisonment or fine. Sec 420 IPC – up to 7 yrs imprisonment and fine

11. CRIME AGAINST/BY THE ORGANISATION

55. Decrypting information without authority | Sec 69 – up to 7 yrs imprisonment and fine |
56. DoS attack against government computer | Sec 66 – up to 3 yrs imprisonment or fine up to 5 lakh rupees or both. Sec 66F – life imprisonment | NA
57. Intermediaries not providing access to the information stored in their computers to relevant authorities | Sec 69 – up to 7 yrs imprisonment and fine. | NA
58. Intermediaries failing to block a website when ordered | Sec 69A – up to 7 yrs imprisonment and fine. | NA

12. CYBER-TERRORISM

59. Fire Sale attack (attack on critical infrastructure) | Sec 66F – life imprisonment |

13. OTHER CRIMES

60. Online Gambling | NA |
61. Online sale of arms, drugs or any illegal goods | NA | Arms Act, NDPS Act
62. Cyber Murder | NA | Sec. 302 IPC – life imprisonment and fine, or punished with death


3.7 Case Studies

1. OBSCENITY

Case study 01 – State of Tamil Nadu vs Suhas Katti

Appellant – Suhas Katti

Judge- Ld. Additional Chief Metropolitan Magistrate, Egmore,

Facts of the case – The case related to the posting of obscene, defamatory and annoying messages about a divorcee woman in a Yahoo message group. E-mails were also forwarded to the victim for information by the accused through a false e-mail account opened by him in the name of the victim. The posting of the message resulted in annoying phone calls to the lady in the belief that she was soliciting. Based on a complaint made by the victim in February 2004, the Police traced the accused to Mumbai and arrested him within the next few days. The accused was a known family friend of the victim and was reportedly interested in marrying her. She however married another person. This marriage later ended in divorce and the accused started contacting her once again. On her reluctance to marry him, the accused took up the harassment through the Internet.

Order passed by court – The Ld. Additional Chief Metropolitan Magistrate, Egmore, delivered the judgement on 5-11-04 as follows: “The accused is found guilty of offences under section 469, 509 IPC and 67 of IT Act 2000 and the accused is convicted and is sentenced for the offence to undergo RI for 2 years under 469 IPC and to pay fine of Rs.500/- and for the offence u/s 509 IPC sentenced to undergo 1 year Simple imprisonment and to pay fine of Rs.500/- and for the offence u/s 67 of IT Act 2000 to undergo RI for 2 years and to pay fine of Rs.4000/-. All sentences to run concurrently.”

2. FINANCIAL FRAUDS

Case study 02 – SONY.SAMBANDH.COM CASE

Appellant – Sony India Private Ltd.

Facts of the case – Sony India Private Ltd runs a website called www.sony-sambandh.com, targeting Non Resident Indians. The website enables NRIs to send Sony products to their friends and relatives in India after paying for them online. In May 2002, someone logged onto the website under the identity of Barbara Campa and ordered a Sony colour television set and a cordless headphone. She gave her credit card number for payment and requested that the products be delivered to Arif Azim in Noida. The payment was duly cleared by the credit card agency and the transaction processed. At the time of delivery, the company took digital photographs showing the delivery being accepted by Arif Azim, but after one and a half months the credit card agency informed the company that this was an unauthorized transaction, as the real owner had denied having made the purchase.

Case File: The company lodged a complaint for online cheating at the Central Bureau of Investigation which registered a case under Section 418, 419 and 420 of the Indian Penal Code.

Order passed by court – The court, however, felt that as the accused was a young boy of 24 years and a first-time convict, a lenient view needed to be taken. The court therefore released the accused on probation for one year. The judgment is of immense significance for the entire nation. Besides being the first conviction in a cybercrime matter, it has shown that the Indian Penal Code can be effectively applied to certain categories of cyber crimes which are not covered under the Information Technology Act 2000.

3. TAMPERING/FORGERY/MODIFICATION

Case study 03 – Syed Asifuddin v. The State of Andhra Pradesh

Appellant – Syed Asifuddin and Ors.

Respondent – The State of Andhra Pradesh and Anr.

Facts of the case – Tata Indicom employees were arrested for manipulation of the electronic 32-bit number (ESN) programmed into cell phones that were exclusively franchised to Reliance Infocomm. The handsets, which were given to Reliance Infocomm subscribers, were technologically locked so that they would only work with the Reliance Infocomm services. However, it came to light during investigations that the supplied handsets could be unlocked for the Tata Indicom service as well.

Order passed by the High Court of Andhra Pradesh –
1. A cell phone is a computer as envisaged under the Information Technology Act.
2. ESN and SID come within the definition of “computer source code” under Section 65 of the Information Technology Act.
3. When the ESN is altered, the offence under Section 65 of the Information Technology Act is attracted, because every service provider has to maintain its own SID code and also give a customer-specific number to each instrument used to avail the services provided.
4. Whether a cell phone operator is maintaining computer source code is a matter of evidence.
5. In Section 65 of the Information Technology Act the disjunctive word "or" is used between the two phrases: a. "when the computer source code is required to be kept" and b. "maintained by law for the time being in force".

4. COPYRIGHT INFRINGEMENT

Case study 04 – WASHINGTON POST v. TOTAL NEWS

Appellant – The Washington Post Company

Respondent – Total News Inc.

Facts of the case – The defendant, Total News, Inc., was a website owner that provided a portal to various news services available on the internet. Total News’ website, at the time of the complaint, provided links to a variety of other news sites on the web. The linking mechanism was initially implemented in such a way that the news organizations’ web pages appeared to be “on” the Total News page. This particular variant of in-line linking is popularly known as “framing”, as it involves a border from one site, the ‘frame’, surrounding or edging the content from another site. In the Total News situation, the framed content was surrounded by Total News advertising.

Order passed by court – United States District Court, Southern District of New York: In June 1997, the case was settled without any judicial decision on the legality of framing.

5. STOLEN / THEFT

Case study 05-

Facts of the case – One day a lady came to the cyber cell office and reported that her and her brother’s e-mail IDs had been hacked by someone, whom she suspected to be her husband. The lady had already lodged a dowry case against him, which was pending trial in the Bhopal court. The suspect had hacked the lady’s and her brother’s e-mail accounts, copied all the information to his own e-mail and produced selected e-mails to claim that she was happy with him and that the dowry case was a false one. To malign the image of her brother, the suspect sent a copy of the FIR lodged against him at police station Habibganj. This indicated that the husband of the lady was behind the whole affair, but the police did not have any evidence against him.

The cyber cell started an enquiry on the order of the IGP and obtained the login logs from rediff.com. The logs indicated that the e-mail IDs’ passwords were changed and anonymous e-mails were sent from the house of the lady’s husband. The cyber cell registered a case under Section 66 of the IT Act, a challan was filed against the suspect and the trial is over.

Order passed by court – The court upheld the conviction against the suspect Sabrish Pillai but found that the matter had come before the court because Sabrish was having a family dispute with his wife and the act of hacking was not against society at large; hence it let him free after a warning.

6. WEB RELATED CRIMES

Case study 05-Hacker hacks into a financial website

Fact of the case –

Mumbai police have arrested a hacker named Kalpesh (name changed) for hacking into a financial website. As he was not able to bypass the main server of the financial institution, which was well secured, the accused could only make some additions to the home page of the financial website, adding a string of text to the news module of the home page. Police were able to crack the case by following the trace left by the hacker on the web server of the financial institution. The financial institution maintained a separate server for online financial transactions, for which utmost security had been taken. The website was hosted on a different server which had comparatively lesser security.

The hacker Kalpesh (name changed) is a 10th-pass youngster of 23 years. He has done computer courses like CCNA, MCSE, etc., but he is a computer addict. He sits before the computer for almost 16 to 20 times each day. He has mostly used readymade hacking tools to hack into websites. He goes to a particular website on the web which lets him see the entire directory structure of the target website. Then, using various techniques such as obtaining a password file, he gets into the administrator’s shoes and hacks the website.

7. ATTACKS

Case study 02 – Case of Phishing

Case File: One financial institute registered a crime stating that some persons (“perpetrators”) had perpetrated certain acts through misleading emails ostensibly emanating from ICICI Bank’s email ID. Such acts were perpetrated with intent to defraud the customers. The investigation was carried out with the help of the emails received by the customers of that financial institute; the accused was arrested and the place of offence at Vijayawada was searched for evidence. There, one laptop and a mobile phone which had been used for the commission of the crime were seized.

Facts of the case –

The arrested accused had used open source email application software for sending spam emails. He had downloaded the software from the net and used it as it was. He used only VSNL email accounts to spam the customers of the financial institute, because the VSNL email service did not have a spam box to block unsolicited emails. After spamming the financial institute’s customers he got responses from around 120 customers, of which 80 were genuine and the others were not, because they did not contain the debit card details required for e-banking.

The financial institute’s customers who received his email felt that the email originated from the financial institute’s bank. When they filled in the confidential information and submitted it, the information was directed to the accused. This was possible because a dynamic link was placed on the first page (home page) of the fake website. A dynamic link means that the link is activated only when people click on the link provided in the spam email. The dynamic link was coded by handling the Internet Explorer onclick event, and the information in the form was submitted to the web server where the fake website was hosted. The server then sent the data to a configured email address, which in this case was the accused’s email. So on submission of the confidential information, the information was directed to the accused’s email ID. All the information obtained after phishing (user name, password, transaction password, debit card number and PIN, mother’s maiden name) was received by him through the Reliance.com Wi-Fi internet connectivity available on his Acer laptop.

Applicable Law: This crime was registered u/s 66 of the IT Act, Sections 419, 420, 465, 468 and 471 of the I.P.C. r/w Sections 51, 63 and 65 of the Copyright Act, 1957, which attract punishment of 3 years imprisonment and fine up to 2 lakh rupees, which the accused never anticipated.

Chapter IV: Evidence Portal

4. Digital evidence

4.1 Introduction-

Digital evidence or electronic evidence is “any probative information stored or transmitted in digital form that a party may use in court at trial”. Section 78A of ITAA 2008 defines the electronic form of evidence as “any information of probative value that is either stored or transmitted in electronic form and includes computer evidence, digital audio, digital video, cell phones, digital fax machines”.

The main characteristics of digital evidence are: it is latent, like fingerprints and DNA; it can cross national borders with ease and speed; it is highly fragile and can be easily altered, damaged or destroyed; and it is time sensitive. For these reasons, special precautions should be taken to document, collect, preserve and examine this type of evidence. When dealing with digital evidence, the principles that should be applied are: actions to secure and collect digital evidence should not change that evidence; the person conducting the examination of digital evidence should be trained for this purpose; and all activity relating to the seizure, examination, storage or transfer of digital evidence should be fully documented, preserved and available for review.
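As an added example (not part of the original report), the principles above applied in code: a custody record that hashes the exhibit at seizure, logs every hand-over and re-verifies the hash before examination, so that any undocumented change to the exhibit is detected. The exhibit contents, case reference and names are constructed placeholders.

```python
"""Evidence integrity record: hash at seizure, log custody, re-verify before examination."""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone


def now_iso():
    """UTC timestamp for custody log entries."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the exhibit in chunks; it is only ever opened read-only, so the
    act of collecting the hash does not change the evidence."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def seize(path, exhibit_id, case_ref, examiner):
    """Create the custody record at the moment of seizure."""
    return {
        "exhibit_id": exhibit_id,
        "case_ref": case_ref,
        "original_path": os.path.abspath(path),
        "size_bytes": os.path.getsize(path),
        "sha256": sha256_of_file(path),
        "custody": [{"event": "seized", "by": examiner, "at": now_iso()}],
    }


def transfer(record, from_person, to_person):
    """Log a hand-over so that every change of hands is documented."""
    record["custody"].append(
        {"event": "transferred", "from": from_person, "to": to_person, "at": now_iso()}
    )
    return record


def verify(record, path, examiner):
    """Re-hash the exhibit before examination or production in court and log
    the outcome; returns True only if it still matches the seizure hash."""
    current = sha256_of_file(path)
    ok = hmac.compare_digest(current, record["sha256"])
    record["custody"].append(
        {"event": "verified", "by": examiner, "at": now_iso(),
         "sha256": current, "matches_seizure_hash": ok}
    )
    return ok


def to_json(record):
    """Serialise the record; this is what accompanies the exhibit."""
    return json.dumps(record, indent=2, sort_keys=True)


def run_demo():
    """Constructed walk-through: seize, transfer, verify, then detect tampering."""
    with tempfile.TemporaryDirectory() as workdir:
        exhibit = os.path.join(workdir, "mail_export.txt")
        with open(exhibit, "wb") as fh:  # constructed sample exhibit
            fh.write(b"From: victim@example.invalid\nSubject: constructed sample\n")
        record = seize(exhibit, "EXH-01", "CASE-REF-PLACEHOLDER", "Inspector A")
        transfer(record, "Inspector A", "Examiner B")
        intact = verify(record, exhibit, "Examiner B")
        # Simulate an unlogged modification of the exhibit between custody events.
        with open(exhibit, "ab") as fh:
            fh.write(b"X")
        tampered = verify(record, exhibit, "Examiner B")
        return {
            "intact": intact,
            "after_tamper": tampered,
            "events": [entry["event"] for entry in record["custody"]],
            "record": record,
        }


if __name__ == "__main__":
    print(to_json(run_demo()["record"]))
```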

4.2 What can be used as digital evidence (sources)-

Sr. no. | Device (source) | Information that can be extracted
1 | Laptop, desktop PC | With the help of computer forensics, information stored on the hard drive or any other part of the device can be retrieved. Deleted files and information held in temporary memory can also be extracted.
2 | Smart cards, dongles, biometric scanners etc. | Information stored on these devices, in addition to the devices themselves.
3 | Screens of devices such as mobile phones and computer monitors, if connected to these devices and in the ON state | The representation of information (graphics or files) on the screen while connected to the system can be used as electronic evidence.
4 | Video and image capturing devices (digital cameras, camcorders), audio devices (iPod, voice recording devices) | In addition to the devices themselves, the audio, video, still images and other information stored in their memory can be used as evidence.
5 | Caller ID / answering machines | Audio, and date- and time-related information.
6 | Storage devices (internal hard drives, external hard drives, flash drives, memory cards) | The device and the information stored on it can be used as evidence.
7 | Tablets, smart phones, PDAs (personal digital assistants) | Information stored in various applications, user IDs, passwords and communication information can be extracted.
8 | Pagers | Communication information such as text messages, phone numbers etc.
9 | SIM card | Mobile number, contacts stored on the SIM card, messages, and information about the mobile phone in which the SIM card was used can be extracted.
10 | LAN (local area network) / NIC (network interface card) | The media access control (MAC) address, if obtained, can be used to trace a computer on the network.
11 | Switches, modems, hubs | These devices contain IP address information and routing information.
12 | Networking cables, connectors | Can be helpful in identifying the types of device used.
13 | Servers | Information related to web pages, mails, downloaded files, user details etc. can be extracted.
14 | Printers | Number of last prints, logs, time and date information, and network information can be extracted.
15 | Xerox (photocopy) machine | Information about the company, model etc. of that machine may be extracted. It may contain logs and time and date information.
16 | Scanners | While connected to a PC or a network, can be used for scanning illegal documents.
17 | Removable storage devices (CDs, floppy disks, flash drives, DVDs, memory cards, hard drives, etc.) | Information is stored in digital form in these devices and can be used as evidence.
18 | Mobile phones | The device and the information stored in it can be used as evidence. Conversations and other information may be extracted.
19 | Fixed line telephones (wired/wireless) | Caller information, phone numbers, messages etc. can be retrieved.
20 | Credit card skimmers | These devices read information from credit/debit cards etc. and store it.
21 | Fax machines | These devices contain information about documents sent and received, and contact information.
22 | GPS (global positioning system) | These devices may be used to trace the location, the route followed by the device and other location-based information.
23 | Keyboard, mouse, touchpad and other input devices | The device itself can be used.
24 | Digital watches | Advanced digital watches may also contain location, contact etc. information stored in memory.
25 | USB/FireWire connected devices | These devices may hold data stored in them.
26 | Passwords, encryption and security keys | This authentication information can be used as evidence.
27 | Internet enabled digital TV | These devices have storage and internet capabilities, so stored information may be extracted and used.
28 | Media PC | These devices have storage and internet capabilities, so stored information may be extracted and used.
29 | HD recorders | These devices have storage and internet capabilities, so stored information may be extracted and used.
30 | Gaming consoles with storage capacity | These devices have storage and internet capabilities, so stored information may be extracted and used.

4.3. What can be considered as evidence?

• Address book and contact list
• Audio files and voice recordings
• Backups of various programs, including backups of mobile devices
• Bookmarks and favorites
• Browser history
• Calendars
• Compressed archives (zip, rar, etc.), including encrypted archives
• Configuration files (may contain information such as last access dates, etc.)
• Cookies
• Databases
• Documents
• Email messages, attachments and email databases
• Events
• Hidden and system files
• Log files
• Organizer items
• Page files, hibernation files and printer spooler files
• Pictures, images, digital photos
• Videos
• Virtual machines
• System files
• Temporary files

4.4. The following is a list of crimes which may involve the use of computers or other electronic media, together with the potential evidence which may be recovered from the various types of electronic evidence.

4.4.1 Computer fraud investigation:

• Account data from online auctions
• Accounting software and files
• Address books
• Calendar
• Chat logs
• Customer information
• Credit card data
• Databases
• Digital camera software
• E-mail, notes and letters
• Financial and asset records

4.4.2. Child abuse and pornography investigation:

• Chat logs
• Digital camera software
• E-mail, notes and letters
• Games
• Graphic editing and viewing software
• Images
• Internet activity logs
• Movie files
• User-created directory and file names which classify images

4.4.3. Network intrusion investigation:

• Address books
• Configuration files
• E-mail, notes and letters
• Executable programs
• Internet activity logs
• Internet protocol addresses and usernames
• Internet relay chat logs
• Source code
• Text files and documents with usernames and passwords

4.4.4 Homicide investigation:

• Address books
• E-mails, notes and letters
• Financial asset records
• Internet activity logs
• Legal documents and wills
• Medical records
• Telephone records
• Diaries
• Maps
• Photos of victim/suspect

4.4.5. Domestic violence investigation:

• Address books
• Diaries
• E-mail, notes and letters
• Financial asset records
• Telephone records

4.4.6. Financial fraud and counterfeiting investigation:

• Address books
• Calendar
• Currency images
• Check and money order images
• Customer information
• Databases
• E-mail, notes and letters
• False identification
• Financial asset records
• Images of signatures
• Internet activity logs
• Online banking software
• Counterfeit currency images
• Bank logs
• Credit card numbers

4.4.7. E-mail threats, harassment and stalking investigations:

• Address books
• Internet activity logs
• Diaries
• Email, notes and letters
• Financial asset records
• Images
• Legal documents
• Telephone records
• Victim background research
• Maps to victim locations

4.4.8. Narcotics investigation:

• Address books
• Calendar
• Databases
• Drug recipes
• E-mail, notes and letters
• False ID
• Financial asset records
• Internet activity logs
• Prescription form images

4.4.9. Software piracy investigation:

• Chat logs
• Email, notes and letters
• Image files of software certificates
• Internet activity logs
• Software serial numbers
• Software cracking utilities
• User-created directories and file names which classify copyrighted software

4.4.10 Telecommunication fraud investigation:

• Cloning software
• Customer database records
• Electronic serial numbers
• Mobile identification numbers
• Email, notes and letters
• Financial asset records
• Internet activity logs

4.4.11. Identity theft investigation:

• Hardware and software tools
• Backdrops
• Credit card reader/writer
• Digital camera software
• Scanner software
• Identification templates:
  • Birth certificates
  • Check cashing cards
  • Digital photo images
  • Driver's licenses
  • Electronic signatures
  • Counterfeit vehicle registrations
  • Counterfeit insurance documents
  • Social security cards
• Internet activity related to ID theft:
  • Email and newsgroup postings
  • Deleted documents
  • Online orders
  • Online trading information
  • Internet activity logs
• Negotiable instruments:
  • Business checks
  • Cashier's checks
  • Credit card numbers
  • Counterfeit court documents
  • Counterfeit certificates
  • Counterfeit loan documents
  • Counterfeit sales receipts
  • Money orders
  • Personal checks

4.5. Tools Used for Collecting Evidence-

4.5.1. Computer Forensics:

Tool | Platform | License | Description
BlackLight | Windows/Mac | Commercial | Windows, Mac and iOS forensic analysis software
MacQuisition | Mac | Commercial | Mac data acquisition and imaging solution
Spector CNE Investigator | Windows | Commercial | A user activity monitoring solution that allows the replaying of computer activity in detail
SANS Investigative Forensics Toolkit (SIFT) | Ubuntu | Free | Multipurpose forensic investigative operating system
Registry Recon | Windows | Commercial | Forensics tool that rebuilds Windows registries from anywhere on a hard drive and parses them for deep analysis
EnCase | Windows | Commercial | Multi-purpose forensic tool
EPRB | Windows | Commercial | Set of tools for encrypted system and data decryption and password recovery
FTK | Windows | Commercial | Multi-purpose tool commonly used to index acquired media
Digital Forensics Framework (DFF) | Windows/Linux/Mac OS | GPL | Both a digital investigation tool and a framework development platform
PTK Forensics | LAMP | Free/Commercial | GUI for The Sleuth Kit
The Coroner's Toolkit | Unix-like | IBM Public License | A suite of programs for Unix analysis
COFEE | Windows | Proprietary | A suite of tools for Windows developed by Microsoft, only available to law enforcement
The Sleuth Kit | Unix-like/Windows | IPL, CPL, GPL | A library of tools for both Unix and Windows
Categoriser 4 Pictures | Windows | Free | Image categorisation tool developed for, and available to, law enforcement
Paraben P2 Commander | Windows | Commercial | General purpose forensic tool
Open Computer Forensics Architecture | Linux | LGPL/GPL | Computer forensics framework for a CF-Lab environment
SafeBack | n/a | Commercial | Digital media (evidence) acquisition and backup
Windows To Go | n/a | Commercial | Bootable operating system
Forensic Assistant | Windows | Commercial | User activity analyser (e-mail, IM, documents, browsers), plus a set of forensics tools
Nuix | Windows | Commercial | Forensic analysis and fraud prevention software. Full text search; extracts emails, credit card numbers, IP addresses, URLs. Skin tone analysis. Support for ingesting Windows, Mac OS, Linux and mobile device data
PeerLab | Windows | Commercial | File sharing and "instant messaging" analyser
OSForensics | Windows | Free/Commercial | General purpose forensic tool for e-mail, files, images and browsers
X-Ways Forensics | Windows | Commercial | General purpose forensic tool based on the WinHex editor
bulk_extractor | Windows/Linux | Public domain | Stream-based forensic feature extraction of e-mail addresses, phone numbers, URLs and other identified objects
Intella | Windows | Commercial | Forensic search software: email, data and cell phone processing/investigation
CAINE | Linux | Free/open source | GNU/Linux computer forensics live distro
Forensics Apprentice | Windows | Commercial | Computer forensics investigation software
Dumpzilla | Windows/Linux | GPL | Forensic tool for Mozilla browsers

4.5.3. Memory forensics-

Tool | Platform | License | Vendor/sponsor
CMAT | Windows | Free (AFL) | 
Memoryze | Windows | Commercial (gratis) | Mandiant
Responder | Windows | Commercial | HBGary
Second Look | Linux | Commercial | Raytheon Pikewerks
WindowsSCOPE | Windows | Commercial | BlueRISC
Volafox | Mac OS | Free (GPL) | 
Volatility | Windows/Linux | Free (GPL) | Volatile Systems
Volatilitux | Linux | Free (GPL) | Volatile Systems


4.5.4. Mobile device forensics-

Tool | Platform | License | Description
BlackLight | Windows/Mac | Commercial | iOS forensic analysis software
Cellebrite Mobile Forensics | Windows | Commercial | Universal Forensic Extraction Device (UFED): hardware and software
Radio Tactics Aceso | Windows | Commercial | "All-in-one" unit with a touch screen
Paraben Device Seizure | Windows | Commercial | Hardware/software package
SAFT Mobile Forensics | Windows | Free/Commercial | Easy-to-use mobile forensics application, specialises in Android
Micro Systemation XRY/XACT | Windows | Commercial | Hardware/software package, specialises in deleted data
Oxygen Forensic Suite (formerly Oxygen Phone Manager) | Windows | Commercial | Smart forensics for smartphones
Elcomsoft iOS Forensic Toolkit (EIFT) | Windows, Mac | Commercial | Acquires bit-precise images of Apple iOS devices in real time
Elcomsoft Phone Password Breaker (EPPB) | Windows | Commercial | Enables forensic access to password-protected backups for smartphones and portable devices based on RIM BlackBerry and Apple iOS platforms
MOBILedit! Forensic | Windows | Commercial | Hardware connection kit / software package
viaForensics viaExtract | Any (distributed as VM) | Commercial | Software package, specialises in Android forensics

4.5.5. Network forensics-

Name | Platform | License | Description
Wireshark | Windows/Mac/Linux | Open source | Captures and analyzes packets
NetworkMiner | Windows/Linux | Open source (GPL) | Extracts files, images and other metadata from PCAP files
tcpflow | Windows/Mac/Linux | GPLv3 | TCP/IP session reassembler
NetIntercept | Appliance | Commercial | Appliance


4.5.6. Other-

Name | Platform | License | Description
HashKeeper | Windows | Free | Database application for storing file hash signatures
Evidence Eliminator | Windows | Commercial | Anti-forensics software; claims to delete files securely
DECAF | Windows | Free | Tool which automatically executes a set of user-defined actions on detecting Microsoft's COFEE tool
NetSleuth | Windows | GPL | Open-source network forensics and monitoring tool

4.6. Search and Seizure-

In any crime that involves a technology aspect, collection of evidence is a critical task, as the evidence can be tampered with easily. Because of its fragile nature, digital evidence requires the utmost care and precaution during search, collection, preservation, transportation and examination.

The flow of investigation of a crime scene is-(search and seizure)

• Identifying the crime scene and preserving the site.
• An "as is where is" report of the crime scene must be prepared.
• Collecting evidence:
  • from switched-off systems
  • from switched-on systems
• Cloning or duplication of evidence.
• Conducting interviews.
• Making a record and naming/labelling of evidence.
• Packing and moving/transporting evidence from the scene.

4.6.1. Seizure memo (panchnama) and seizure proceeding-

The authority for search and seizure is given in section 165 of the CrPC and section 80 of the IT (Amendment) Act 2008. The steps which should be followed during seizure proceedings are:

• Two independent witnesses and one technical person (responder side) should be part of the process.
• The time zone and system time must be noted in the panchnama (from switched-on systems).
• Photographs of devices must be taken at their original place.
• The system must be kept in the state in which it was found (on or off).
• The serial number allotted to each device must be mentioned in the panchnama, the chain of custody and the digital evidence collection form.
• If any internal part of a device is removed, a photograph of that part should be taken.
• The serial number, along with information such as PF number / crime number / section of law, must be mentioned.
• Information on the search and seizure of that system should also be recorded in the panchnama.
• Witnesses must be briefed about the techniques/tools used in the search and seizure process.
• Investigating officers must have the knowledge and ability to identify various digital devices.
• All forms and the details entered in them must be checked and completed in full (Annexure-2).

4.7. Handling of evidence-(Annexure-3)


This section is intended to assist persons who have no skills, or have not received training, in carrying out search and seizure, and to ensure that their actions do not affect the evidence.

4.7.1. For desktop and laptop computer (which are in switched off state)

• Secure the area around the equipment.
• Photographs or a video recording of the scene must be taken, covering all parts of the device.
• Check whether any other devices are connected to the system.
• Be aware that some laptops may turn on when the lid is opened.
• Remove the main power (before doing so, check that the machine is not in standby mode, as removing power then may cause data loss).
• Remove the power plug and other devices from the socket.
• Label or mark the removed components.
• Search the area for passwords; these are often kept close to the computer.
• Information such as passwords and usernames received from the scene or the user may be recorded.
• The equipment used must be noted.

4.7.2. For desktop and laptop computer (switched on state):-

• Secure the area containing the equipment.
• Photographs or a video recording of the scene must be taken, covering all parts of the device.
• A photograph of the content on the screen must be taken.
• Do not touch the keyboard, mouse or any other input device.
• In case of a blank screen or screen saver, restore the screen and check whether it is password protected.
• If any content is displayed, a photograph of the screen must be taken.
• If the system is password protected, record the time and the activity performed.
• If possible, collect data which would be lost (volatile data) if the power source were removed.
• Information must be treated with caution.
• If any process is running, wait until it is completed, unless it appears to be deleting or encrypting data.
• If no specialist advice is available, remove the power supply from the system without closing down any program. Always remove the power cable from the system end rather than the supply end.
• Remove the power plug and other devices from the socket.
• Label or mark the removed components.
• Search the area for passwords; these are often kept close to the computer.
• Information such as passwords and usernames received from the scene or the user may be recorded.
• The equipment used must be noted.

Note: removing power from a running system causes evidence in mounted encrypted volumes to be lost; try to obtain the key. Other volatile, live data may also be lost.
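The volatile-data step above (and the same step for handheld devices in 4.7.3) is the one a first responder most often gets wrong, because every command run on the live system changes it. The following Python script is an added example, not part of the original manual: it collects a fixed, most-volatile-first list of artifacts from a live Linux/Unix host into a directory, records which commands were unavailable rather than silently skipping them, and writes a manifest with the SHA-256 of every output so the collection can be re-verified later. The command list, the output file names and the manifest layout are the author's assumptions, not a standard.

```python
"""Live-response collection of volatile data with a hashed manifest.

Added example (not from the manual). Run from a trusted copy of the tools,
with the examiner's name and an empty output directory on removable media.
"""
import datetime
import hashlib
import json
import os
import platform
import shutil
import subprocess
import tempfile

# Most volatile first (order of volatility): clock, users, processes,
# connections, then routing/ARP caches and mounts. Assumed command set;
# adjust to the host's operating system.
VOLATILE_COMMANDS = [
    ("date_and_timezone", ["date", "+%Y-%m-%dT%H:%M:%S %Z (%z)"]),
    ("uptime", ["uptime"]),
    ("logged_in_users", ["who"]),
    ("processes", ["ps", "-eo", "pid,ppid,user,lstart,args"]),
    ("network_connections", ["ss", "-tunap"]),
    ("routing_table", ["ip", "route"]),
    ("arp_cache", ["ip", "neigh"]),
    ("mounted_filesystems", ["mount"]),
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def run_and_record(outdir, name, argv, timeout=30):
    """Run one command, save its output, and return a manifest entry.

    A missing or failing command is recorded as such: the manifest must
    show what was *not* collected as well as what was.
    """
    started = datetime.datetime.now(datetime.timezone.utc).isoformat()
    if shutil.which(argv[0]) is None:
        body = "NOT COLLECTED: %s not available on this host\n" % argv[0]
        status = "missing"
    else:
        try:
            proc = subprocess.run(argv, capture_output=True, text=True,
                                  errors="replace", timeout=timeout)
            body = proc.stdout
            if proc.stderr:
                body += "\n[stderr]\n" + proc.stderr
            status = "exit %d" % proc.returncode
        except subprocess.TimeoutExpired:
            body, status = "NOT COLLECTED: timed out\n", "timeout"
    path = os.path.join(outdir, name + ".txt")
    with open(path, "w") as fh:
        fh.write(body)
    return {
        "artifact": name + ".txt",
        "command": " ".join(argv),
        "status": status,
        "collected_at_utc": started,
        "sha256": sha256_file(path),
    }


def collect_volatile(outdir, examiner, commands=VOLATILE_COMMANDS):
    """Collect every artifact in order and write manifest.json; returns the manifest."""
    if outdir is None:  # convenience for demos/tests; use removable media in practice
        outdir = tempfile.mkdtemp(prefix="volatile-")
    os.makedirs(outdir, exist_ok=True)
    entries = [run_and_record(outdir, name, argv) for name, argv in commands]
    manifest = {
        "examiner": examiner,
        "host": platform.node(),
        "outdir": outdir,
        "entries": entries,
    }
    with open(os.path.join(outdir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_collection(outdir):
    """Re-hash every artifact; return the names whose hash no longer matches the manifest."""
    with open(os.path.join(outdir, "manifest.json")) as fh:
        manifest = json.load(fh)
    return [e["artifact"] for e in manifest["entries"]
            if sha256_file(os.path.join(outdir, e["artifact"])) != e["sha256"]]


if __name__ == "__main__":
    m = collect_volatile(None, examiner="Examiner (example)")
    for e in m["entries"]:
        print("%-24s %-10s %s" % (e["artifact"], e["status"], e["sha256"][:16]))
    print("mismatches on re-check:", verify_collection(m["outdir"]))
```

The manifest, not the screen output, is what goes into the panchnama: it carries the collection time, the exact command line, the exit status and the hash of each output, so a later examiner can show that nothing in the collection was edited after the fact.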

4.7.3. Electronic organizers and personal digital assistants (PDA):-

Specialist advice should be taken at an early stage regarding charging and/or the battery, to prevent data loss.

If device is found in off state-

• It should not be turned on.
• Place it in a sealed envelope/bag.
• If the device has Wi-Fi/Bluetooth/mobile phone capabilities, it must be kept in a shielded box.
• A search for associated memory devices must be done.

If device is found in on state –

• Do not turn off the device (volatile data may be lost).
• Date, time etc. must be recorded.
• Power cables, the device etc. must be labelled.
• The battery should not be removed.
• Security of the device must be ensured.
• A photograph of the content on the screen must be taken.
• In case of a blank screen or screen saver, restore the screen and check whether it is password protected.
• If the device is password protected, record the time and the activity performed.
• If possible, collect data which might be lost (volatile data).
• Information must be treated with caution.
• If any process is running, wait until it is completed.
• Remove the power plug and other devices from the socket.
• Label or mark the removed components.
• Search the area for passwords; these are often kept close to the device.
• Information such as passwords and usernames received from the scene or the user may be recorded.
• The equipment used must be noted.
• A competent person should examine the device.
• Other steps may depend on the model and type of device (Annexure-4).

4.7.4. Transportation of evidence:-

Main computer unit:
• Handle with care. If placing in a vehicle, place upright and protect from physical shocks.
• Keep away from magnetic sources (loudspeakers, heated seats and windows, and police radios).

Storage devices:
• Protect from magnetic fields.
• Place in anti-static bags.

Floppy disks, Jaz/Zip cartridges, memory sticks and PCMCIA cards:
• Protect from magnetic fields.
• Do not label them directly.

Personal digital organizers, electronic organizers and palmtop computers:
• Protect from magnetic fields.
• If in the on state, an additional power supply must be provided during transportation.

Note:
• Devices must be preserved for DNA or fingerprint examination.
• Using aluminium powder on electronic devices can result in loss of evidence.
• Devices must be stored at normal temperature and in normal conditions.
• Power backup to devices during transportation must be provided.

4.8. Chain of custody-(Annexure-5)

When evidence is seized from the crime scene, the next step is to assign responsibility for it and for its protection.

The chain of custody establishes the responsibility for, and the competence of, the evidence in a court of law and minimizes the risk of tampering with the evidence. It accounts for all the persons who had access to the evidence, such as:

• Who obtained the evidence
• Who secured the evidence
• Who transferred the evidence
• Who had control or possession of the evidence, etc.

The evidence should be in the control of the law enforcement body and not of private citizens. Not following the chain of custody may lead the court or the opposing party to object that the evidence is unreliable or fabricated, and doing so may impose liability on the investigating officer under section 72 of the IT (Amendment) Act 2008.

4.8.1. Important steps to be kept in mind for chain of custody-

• Take pictures and note down observations of the crime scene.
• The storage medium must be appropriate.
• Security of the evidence / cloning.
• Protection of storage media from external electromagnetic interference.
• Details regarding the crime scene must be noted.
• A record of the persons who have had access to the evidence should be maintained.
• No private citizen or unknown person must have access to the evidence.
• Documentation and chain of custody forms must accompany the evidence.
• To prove the integrity of the evidence against tampering or modification, a process known as "hashing" is used: the hash value of the evidence computed at collection can be checked again later to prove its integrity.


4.9. Integrity of digital evidence-

Proving the integrity of digital evidence is important, as failing to do so may cause the evidence not to be considered by the court, or to be objected to on grounds of alteration or modification. Some of the methods used to check the integrity of digital evidence are shown below:

Method | Description | Common types | Advantages | Disadvantages
Checksum | Checks for errors in digital data. A 16- or 32-bit polynomial is applied to each byte of the data; the result is a small integer value 16 or 32 bits in length. The integer value must be saved and secured. To check the data, the same polynomial is applied again and the result compared with the original. | CRC-16, CRC-32 | Easy to compute; fast; small storage requirement; useful for detecting random errors | Low assurance against malicious attack; simple to create new data with a matching checksum; must maintain secure storage of checksum values
One-way hash algorithm (MD2, MD4, MD5, SHA) | A method for protecting digital data against unauthorised changes. The method produces a fixed-length large integer value (from 80 to 240 bits) representing the digital data. It has two unique characteristics: first, given the hash value it is difficult to find other data matching the same hash value. | SHA-1, MD5, MD4, MD2 | Easy to compute; can detect both random errors and malicious alteration | Must maintain secure storage of the hash value
Digital signature | A secure method of binding the identity of the signer with a digital data integrity method such as one-way hash values. These methods use a public key cryptosystem, where the signer uses a secret key to generate a digital signature. Anyone can then validate the signature by using the published public key certificate of the signer. The signature is a large integer number (512-4096 bits). | RSA, DSA, PGP | Adds identity to the integrity operation; prevents unauthorised regeneration of the signature unless the private key is compromised | Slow; must protect the private key; if the key is compromised or the certificate expires the digital signature is invalidated

Note: hashing is the method currently used to check the integrity of evidence. Collisions have been demonstrated for MD5 and SHA-1, so a current function such as SHA-256 should be recorded at acquisition (an MD5 value may be kept alongside it for compatibility with older tools).
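To make the checksum-versus-hash rows of the table concrete, the following Python example (added here; it is not from the manual) records the CRC-32 and SHA-256 of a constructed evidence file, then produces an altered file whose CRC-32 still matches by appending four chosen bytes, the standard trick that works because a CRC is linear; the SHA-256 comparison still catches the change. It also checks a small chain-of-custody ledger in the sense of 4.8: the hash recorded at each hand-over must equal the acquisition hash, and each entry's "from" holder must be the previous entry's "to". The sample text, the ledger fields and the holder names are the author's constructions.

```python
"""Why a checksum is weak evidence of integrity and a one-way hash is not.

Added example, not from the manual. Demonstrates:
  1. forging a CRC-32 (four appended bytes force any target value), and
  2. a SHA-256 + chain-of-custody check that detects the same change.
"""
import hashlib
import zlib

_POLY = 0xEDB88320  # reflected CRC-32 polynomial, the one zlib uses


def _make_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ _POLY if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _make_table()
# The top byte of every table entry is distinct (the table is a bijection on
# that byte), which is what lets the byte-wise update be run backwards.
_REV = {entry >> 24: i for i, entry in enumerate(_TABLE)}
assert len(_REV) == 256


def forge_crc32(prefix: bytes, target: int) -> bytes:
    """Return 4 bytes x such that zlib.crc32(prefix + x) == target."""
    # Walk backwards from the wanted register value to find the four table
    # indices the update must pass through; only the top byte matters per step.
    wanted = target ^ 0xFFFFFFFF  # zlib xors the register on output
    idx = []
    r = wanted
    for _ in range(4):
        i = _REV[r >> 24]
        idx.append(i)
        r = ((r ^ _TABLE[i]) << 8) & 0xFFFFFFFF
    idx.reverse()
    # Now run forwards from the real register state, choosing each byte so
    # that the table index hit is the one required.
    state = zlib.crc32(prefix) ^ 0xFFFFFFFF
    out = bytearray()
    for i in idx:
        out.append((state & 0xFF) ^ i)
        state = _TABLE[i] ^ (state >> 8)
    return bytes(out)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def custody_chain_intact(acquisition_sha256: str, ledger) -> bool:
    """Ledger entries: who handed the item to whom, and the hash they verified.

    Intact means every recorded hash equals the acquisition hash and the
    holders form an unbroken sequence (no interval with an unknown holder).
    """
    previous_holder = None
    for entry in ledger:
        if entry["sha256"] != acquisition_sha256:
            return False
        if previous_holder is not None and entry["from"] != previous_holder:
            return False
        previous_holder = entry["to"]
    return True


def tamper_preserving_crc(original: bytes, replacement: bytes) -> bytes:
    """Return replacement plus 4 bytes so that its CRC-32 equals that of original."""
    return replacement + forge_crc32(replacement, zlib.crc32(original))


# Constructed sample "evidence": an exported chat line, and an altered line
# that changes the amount and is padded so its CRC-32 matches the original.
ORIGINAL = b"2024-05-01 09:12 suspect: transfer 50000 to account 4412\n"
ALTERED = b"2024-05-01 09:12 suspect: transfer 5000 to account 4412\n"


def demo():
    forged = tamper_preserving_crc(ORIGINAL, ALTERED)
    acq = sha256_hex(ORIGINAL)
    good_ledger = [
        {"from": "scene", "to": "investigating officer", "sha256": acq},
        {"from": "investigating officer", "to": "forensic examiner", "sha256": acq},
    ]
    broken_ledger = [
        {"from": "scene", "to": "investigating officer", "sha256": acq},
        {"from": "unknown", "to": "forensic examiner", "sha256": sha256_hex(forged)},
    ]
    return {
        "crc32_matches_after_tamper": zlib.crc32(forged) == zlib.crc32(ORIGINAL),
        "sha256_matches_after_tamper": sha256_hex(forged) == acq,
        "good_ledger_intact": custody_chain_intact(acq, good_ledger),
        "broken_ledger_intact": custody_chain_intact(acq, broken_ledger),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The four trailing bytes would be invisible in most viewers, so a CRC stored in a seizure memo gives no protection against a deliberate edit; the hash does, provided the hash value itself is recorded somewhere the custodian cannot rewrite (the panchnama, or a signed record).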

4.10. Procedure to file a complaint:

A person who wishes to lodge an FIR needs to provide a copy (screenshot) of the crime that occurred, in soft copy as well as print-out, along with an affidavit concerning it. Any other details required by the law enforcement agency, on which the police may start their investigation, must also be provided.

Section 65B of the Indian Evidence Act sets out the conditions under which electronic records can be produced before a court of law and are admissible.

CFSL (Central Forensic Science Laboratory), Hyderabad, examines seized evidence and certifies that the evidence produced is unaltered and the same as that collected from the crime scene; this certification supports its admissibility, after which the evidence can be produced before the court.

4.10.1. Documentation required with digital evidence:-

Evidence handling documentation should include:
• A copy of the legal authority
• Chain of custody
• The initial count of evidence to be examined
• Information regarding the packaging and condition of the evidence upon receipt by the examiner
• A description of the evidence
• Communication regarding the case

Examination documentation should include:
• Sufficient detail to allow another examiner, competent in the same area of expertise, to assess the findings independently.


Chapter V: Computer Forensics

5.1 Understanding of Forensics

Electronic evidence and information gathering have become central issues in an increasing number of conflicts and crimes. Electronic or computer evidence used to mean the regular print-out from a computer—and great deals of computer exhibits in court are just those. However, for many years, law enforcement officers have been seizing data media and computers themselves, as they have become smaller and more ubiquitous. In the very recent past, investigators generated their own printouts, sometimes using the original application program, sometimes specialist analytic and examination tools. More recently, investigators have found ways of collecting evidence from remote computers to which they do not have immediate physical access, provided such computers are accessible via a phone line or network connection. It is even possible to track activities across a computer network, including the Internet.

If you manage or administer information systems and networks, you should understand computer forensics. Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts. (The word forensics means “to bring to the court”) Forensics deals primarily with the recovery and analysis of latent evidence. Latent evidence can take many forms, from fingerprints left on a window to DNA evidence recovered from blood stains to the files on a hard drive.

Because computer forensics is a new discipline, there is little standardization and consistency across the courts and industry. As a result, it is not yet recognized as a formal "scientific" discipline. We define computer forensics as the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.

In other words, computer forensics is the collection, preservation, analysis, and presentation of computer-related evidence. Computer evidence can be useful in criminal cases, civil disputes, and human resources/employment proceedings. Far more information is retained on a computer than most people realize. It’s also more difficult to completely remove information than is generally thought. For these reasons (and many more), computer forensics can often find evidence of, or even completely recover, lost or deleted information, even if the information was intentionally deleted. Computer forensics, although employing some of the same skills and software as data recovery, is a much more complex undertaking. In data recovery, the goal is to retrieve the lost data. In computer forensics, the goal is to retrieve the data and interpret as much information about it as possible.

5.2 Importance

The objective in computer forensics is quite straightforward. It is to recover, analyze, and present computer-based material in such a way that it is usable as evidence in a court of law. The key phrase here is usable as evidence in a court of law. It is essential that none of the equipment or procedures used during the examination of the computer defeats this. Adding the ability to practice sound computer forensics will help you ensure the overall integrity and survivability of your network infrastructure. You can help your organization by treating computer forensics as a new basic element of what is known as "defense in depth", an approach to network and computer security designed on the principle that multiple layers of different types of protection, from different vendors, provide substantially better protection.

5.3 Techniques

A computer forensics professional does more than turn on a computer, make a directory listing, and search through files. Forensics professionals should be able to successfully perform complex evidence recovery procedures with the skill and expertise that lends credibility to case. For example, they should be able to perform the following services:

• Data seizure
• Data duplication and preservation
• Data recovery
• Document searches
• Media conversion
• Expert witness services
• Computer evidence service options
• Other miscellaneous services

5.3.1 Data Seizure

Federal rules of civil procedure let a party or their representative inspect and copy designated documents or data compilations that may contain evidence. Computer forensics experts, following federal guidelines, should act as this representative, using their knowledge of data storage technologies to track down evidence. Experts should also be able to assist officials during the equipment seizure process.

5.3.2 Data Duplication and Preservation

When one party must seize data from another, two concerns must be addressed: the data must not be altered in any way, and the seizure must not put an undue burden on the responding party. Computer forensics experts should acknowledge both of these concerns by making an exact duplicate of the needed data. Because duplication is fast, the responding party can quickly resume its normal business functions, and, because your experts work on the duplicated data, the integrity of the original data is maintained.

5.3.3 Data Recovery

Using proprietary tools, your computer forensics experts should be able to safely recover and analyze otherwise inaccessible evidence. The ability to recover lost evidence is made possible by the expert’s advanced understanding of storage technologies. For example, when a user deletes an email, traces of that message may still exist on the storage device. Although the message is inaccessible to the user, your experts should be able to recover it and locate relevant evidence.


5.3.4 Document Searches

Computer forensics experts should also be able to search over 200,000 electronic documents in seconds rather than hours. The speed and efficiency of these searches make the discovery process less complicated and less intrusive to all parties involved.

5.3.5 Media Conversion

Some clients need to obtain and investigate computer data stored on old and unreadable devices. Your computer forensics experts should extract the relevant data from these devices, convert it into readable formats, and place it onto new storage media for analysis.

5.3.6 Expert Witness Services

Computer forensics experts should be able to explain complex technical processes in an easy- to-understand fashion. This should help judges and juries comprehend how computer evidence is found, what it consists of, and how it is relevant to a specific situation.

5.3.7 Computer Evidence Service Options

Your computer forensics experts should offer various levels of service, each designed to suit your individual investigative needs. For example, they should be able to offer the following services:

• Standard service
• On-site service
• Emergency service
• Priority service
• Weekend service

5.3.8 Other Miscellaneous Services


Computer forensics experts should also be able to provide extended services. These services include;

• Analysis of computers and data in criminal investigations
• On-site seizure of computer data in criminal investigations
• Analysis of computers and data in civil litigation
• On-site seizure of computer data in civil litigation
• Analysis of company computers to determine employee activity
• Assistance in preparing electronic discovery requests
• Reporting in a comprehensive and readily understandable manner
• Court-recognized computer expert witness testimony
• Computer forensics on both PC and Mac platforms
• Fast turnaround time

5.4 Computer Forensics Systems

Computer forensics has become a buzzword in today's world of increased concern for security. It seems that any product that can remotely be tied to network or computer security is quickly labelled a "forensics" system. This makes designing clear incident response plans and corporate security plans that support computer forensics difficult. Today's corporate climate of increased competition, cutbacks and layoffs, and outsourcing makes it essential that corporate security policy and practices support the inevitability of future litigation. For this reason, awareness of the different types of computer forensics systems has become a need of the time. Some of these systems are as follows:


 Internet security systems

 Intrusion detection systems

 Firewall security systems


 Storage area network security systems


 Network disaster recovery systems

 Public key infrastructure security systems


 Wireless network security systems

 Satellite encryption security systems


 Instant messaging (IM) security systems


 Net privacy systems

 Identity management security systems

 Identity theft prevention systems


5.5 Methodology

The 3 A’s an investigator should follow:

 Acquire: Gather the data

 Authenticate: Prove that it was unaltered in the copy process

 Analyze: Review the data for artifacts to prosecute the suspect

5.5.1 Steps Followed Under Methodology:

 Incident alert or accusation – crime or policy violation

The source and reliability of the information must be considered, weighing all factors and performing initial fact checking before a decision is made.

 Assessment of worth – prioritize or choose

This is performed by initial triage. Focus on the most severe problems. The output of this step is a decision that either no further action is required or the investigation continues.

 Incident/Crime scene protocols – Actions at the scene


Whoever is responsible for securing the crime scene must make sure that proper protocols are followed. Safety is the first issue. The output of this stage is to make sure that the scene is secure and all the contents are mapped and recorded, with photographs and diagrams.

 Identification or seizure – Recognition and proper packaging.

Informed investigators are to make proper decisions about what is to be seized and in what order of priority (servers, workstations, volatile data, etc.). Documentation in this step is of extreme importance. Initial interviews should be performed before seizing evidence to establish who knows what, who is involved, what is not known and what needs to be gathered.

 Preservation – Integrity

Proper actions must be used to ensure integrity, and proper tools are to be used to ensure acceptance and reliability. Investigators should make a bit-stream copy of the original media. The original media is never to be touched again. It is to be put away in a temperature controlled environment (chain of custody is key). The duplicate mirror image is to be analyzed. It is recommended to make a backup copy of the media to be analyzed in case of a media failure.

 Recovery – Get it all

Focus on recovering all the data, whether it is relevant to the case or not. The overall output will help provide the most complete timeline.

 Harvesting – Data about data

This is the analysis phase. In this phase we analyze the data to test our theories about our suspects.

 Reduction – Filter

In this phase we separate the relevant material from the chaff. We use filters, hash analysis and grep searches, all to help refine our focus.


 Organization and search – Focus

This is where we bookmark our findings as investigators to help make our reporting phase easier. We also document our case as we go instead of waiting till the end. We might export data out of our image for easier analysis or for viewing.

 Analysis – scrutinize

This phase requires us to cross reference and validate our findings to deliver the proof for prosecution.

 Reporting – Detailed record

The report should contain details from every step including references to tools and protocols used.

 Persuasion and testimony – Translate and explain
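The Acquire, Authenticate and Preservation steps above, as an added Python example that is not part of the manual: it takes a bit-stream copy of a constructed "device" file, proves the copy unaltered by hashing source and image, writes a chain-of-custody entry, and shows that a later change to the working copy is caught on re-verification. The file names, examiner name and exhibit id are made up.

```python
"""Acquire / Authenticate / Preserve: added example, not from the manual.

The "device" is a constructed file of random bytes standing in for the
original media; the image is its bit-stream copy.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # copy and hash in 1 MiB blocks so large media fit in memory


def sha256_of(path):
    """Hash a file block by block; used identically for original and copy."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, image):
    """Bit-stream copy: every byte of source is written to image. Returns bytes copied."""
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
            copied += len(block)
    return copied


def authenticate(source, image):
    """Authenticate step: the copy is unaltered only if both hashes match."""
    return sha256_of(source) == sha256_of(image)


def run_acquisition(source, image, examiner, exhibit_id):
    """Acquire, authenticate and return a chain-of-custody record (a dict)."""
    size = acquire(source, image)
    record = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,          # constructed value in the demo
        "exhibit": exhibit_id,         # constructed value in the demo
        "source": os.path.basename(source),
        "image": os.path.basename(image),
        "bytes": size,
        "sha256_source": sha256_of(source),
        "sha256_image": sha256_of(image),
    }
    record["verified"] = record["sha256_source"] == record["sha256_image"]
    return record


def write_custody_log(record, log_path):
    """Append the record as one JSON line; the log only grows, it is never rewritten."""
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")


def demo():
    """Constructed end-to-end run; returns (record, tamper_detected)."""
    work = tempfile.mkdtemp(prefix="acq-")
    source = os.path.join(work, "exhibit-001.raw")   # stands in for the original media
    image = os.path.join(work, "exhibit-001.dd")     # the working bit-stream copy
    with open(source, "wb") as fh:                   # not a multiple of CHUNK on purpose
        fh.write(os.urandom(3 * CHUNK + 123))
    record = run_acquisition(source, image, "Examiner (constructed)", "EX-001")
    write_custody_log(record, os.path.join(work, "custody.jsonl"))
    # Preservation: the original is never touched again; only the image is worked on.
    # Flip one byte of the image to show that re-verification catches any change.
    with open(image, "r+b") as fh:
        fh.seek(10)
        byte = fh.read(1)
        fh.seek(10)
        fh.write(bytes([byte[0] ^ 0xFF]))
    tamper_detected = not authenticate(source, image)
    return record, tamper_detected


if __name__ == "__main__":
    rec, tampered = demo()
    print(json.dumps(rec, indent=2), "tamper detected:", tampered)
```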


Chapter VI- Cyber Crime Investigations

6.1 Crime Related to Mobile Phones

Acquiring data from a mobile phone in a forensic manner is an important issue. Information acquired from mobile phones is increasingly required as evidence in criminal investigations. A mobile phone can potentially contain a large amount of information related to the user’s actions, determined by their communication patterns, and information such as images, video and audio recordings. As such, the information stored in a mobile phone may be important in proving or disproving theories and allegations. Today we can consider mobile phones a threat in the same manner as a computer or any other electronic device. Before information produced by such a device can be admitted as evidence, it must be shown that the device is functioning correctly, and that the procedures used to obtain the information do not adversely affect the validity of the information. Hence, the methods by which information is obtained from a mobile phone may have a direct effect on whether that information will be admissible as evidence. If a certain method can be shown to alter data on the phone, the integrity of that data may be questioned, and even shown to be inaccurate. The desired situation occurs when a method can be proven to acquire data without making any changes to the phone’s memory; information acquired using such a method will be admissible as evidence. There are a number of different methods of acquiring information from a mobile phone. The most convenient, however, is to use a software application running on a desktop computer to send commands to the phone, the response to which contains information stored in the phone’s memory. Such an application communicates with some form of software or hardware contained in the phone, which retrieves the data on behalf of the desktop application.


6.1.3 Case Study:-

CASE: A girl purchased goods online. After two days she had an item delivered by courier. The courier man gave her a receipt to sign and asked her to write her mobile number on it. Two days later a person sent bullying / hate messages through SMS to the girl. The girl went to the police station and filed a complaint against the anonymous person who had sent her the offensive messages.

CASE: A boy travelling in a bus put his hand in his pocket to make a call and found that his mobile was missing; someone had stolen his mobile phone during the journey. He stopped the bus near a police station and filed a complaint about the stolen mobile.

6.1.2 Location Mapping of Mobile Phones:-

6.1.2.1 PHONE NUMBER TRACING-

You can easily trace a phone number through various software packages and through many websites available on the internet, which help to locate the current position of the mobile if some sort of tracking application is running on the lost phone. Many tracking applications for mobile phones are freely available on the internet, through which the lost mobile can be traced. Some examples are:-

Avast mobile security

This free invisible security app brings twin security measures for your handset by providing - a mobile antivirus and mobile tracking/controls solution. What is great about the app is that its anti-theft component is invisible to thieves, and provides remote options (via web portal or SMS commands) for locating and recovering your phone. Time to say goodbye to 'lost' phones.

Mobile chase-location tracker

This is another handy app to track your stolen or lost phone. This app detects when the pickpocket changes the SIM card and, within 5 minutes, sends an SMS from the new SIM number to your number, which has been stored in the application. The SMS contains GPS location data or the current location code to aid tracing.

Thief tracker

This one is our favorite. With the Thief tracker app, you get to catch the 'thief' red handed. Any unsuccessful attempt to unlock your mobile will trigger this app to snap a picture from the front camera and send you an email without the user even knowing it. However, the app has some limitations: it does not wipe data, and an unsuccessful attempt is counted only when 4 dots in the pattern are selected.

Smart look

This software also clicks pictures of the 'thief', in fact three of them, and immediately e-mails them to you. It also comes equipped with a continuous GPS tracking system which is linked to Google Maps and also assists in tracing your lost or stolen phone.

Anti- theft alarm

You will love this app. Simply activate the alarm and leave your phone on the table or wherever, and if someone moves your phone an alarm will sound. The alarm will only stop after entering a PIN. Those with sticky fingers, beware!

Kaspersky mobile security

Another popular app that provides anti-theft defense, allowing you to block, wipe or find your missing phone. You can also easily filter unwanted SMS texts and calls. Plus, Anti-Virus Lite with a cloud-based security scanner alerts you to potentially malicious apps before they can harm your phone.

Lookout security and antivirus


This free app houses a slew of features to protect and trace your phone. After downloading the app, you will be able to find your phone on a Google Map instantly from Lookout.com, sound a loud alarm or make your phone SCREAM to find it even if it’s on silent, and automatically see your phone's last known location. That's not all: in addition, this app provides a remote lock and data wipe facility. It also offers Lookout Premium coverage for a small monthly fee for more stringent security.

Trend Micro mobile security & antivirus

Ranked as one of the top selling security apps, Trend Micro Mobile Security provides free antivirus with a premium version which includes privacy scanning, web and contact filtering, parental controls and anti-theft features. You can avail of a 30 day free trial to test various features:

 Privacy Scanner warns you of apps that potentially steal your information

 Surf, Call, Text Security keeps you and your kids safe by avoiding unwanted contact and content

 Lost Device Protection includes anti-theft features that let you find, lock and wipe a missing device

Plan B, Lookout mobile security

Well if plan A doesn't work, you don't need to fear, there is always Plan B. This 'find my phone' app is the only app that you can download even after you have lost your phone. Using 'Plan B' requires access to the Android Market website and your Google account. After you install it, Plan B will start locating your phone using cell towers and GPS. On some phones, Plan B can switch GPS on automatically. Your location will keep updating for 10 minutes, and you will get an email each time it is located, whether the phone is moving or standing still. Information is also sent via SMS.

6.1.2.2 IMEI Tracing

Every smart phone has a unique IMEI number assigned to it and you can access it by dialing *#06#. Once your phone's 15-digit IMEI number is displayed, write it down and keep it safe for future reference. You can also retrieve the IMEI number by removing the battery. It is usually listed on a white sticker along with the phone's serial number.

When you lose your handset, you will need to lodge an FIR with the police, attaching a copy of the IMEI number with it. Then give a copy of this to your service provider, who can track the phone based on its unique ID number and meanwhile block the handset so that it cannot be used by anyone else. The IMEI number helps to track the handset even when the SIM is changed or the SIM card is not activated. Once the phone is traced, the police should be able to retrieve it.

As soon as the location of the mobile has been mapped by the above-mentioned methods, we can proceed to mobile forensics for recovery of data either stored on or deleted from the mobile phone.

6.1.4 TOOLS USED FOR MOBILE FORENSICS:-

6.1.2.1 Mobile phone inspector utility

Mobile Phone Inspector utility generates a complete report of mobile and SIM card phonebook entries, SMS capacity status and all other general information. The cell phone forensic tool displays detailed information which includes the mobile manufacturer name, mobile model number, mobile IMEI number, SIM IMSI number, signal quality and battery status of the mobile phone. The mobile phone investigation program supports all major brands of mobile manufacturer including Nokia, Haier, Motorola, Sony Ericsson, LG, Samsung, Spice, i-mate, HP etc. The application comes with VC++ source code useful for educational usage, customized development or scientific investigation regarding mobile phone technology. The utility displays all phonebook entries with contact name and number, and the phonebook and SMS capacity of the SIM card and mobile phone memory. The software can be easily installed and uninstalled on systems running a Windows operating system such as Windows 98, 2000, 2003, ME, NT, XP and Windows Vista.

Features:

 Mobile inspector software provides a highly interactive graphical user interface for easy software access.

 Cell phone forensic utility supports all brands of mobile phones including Nokia, Samsung, Motorola, Sony, Spice etc.

 Mobile investigation utility displays SMS text messages along with date/time and sender phone number.

 Cell phone inspector program generates a complete mobile phone report in a text or HTML file for further reference.

 Software is easy to operate so the end user does not require any technical skill to use this tool.

Free download from Shareware Connection - Cell phone forensic tool shows battery status, mobile model and SIM IMSI number

6.1.2.2 Mobile phone inspection software:-

Cell phone forensic software is a freeware utility that easily extracts all your mobile and SIM related data, including IMEI number, SIM IMEI number, phonebook entries with name and number and text messages, from all Symbian OS based Nokia mobile phones and other supported mobile devices. The mobile phone investigation application, with source code in Microsoft Visual C++, MFC and embedded C++, is useful for organizations working on AT+CPBR, AT+CBS, AT+CSQ, AT+CIMI and many other mobile technologies. The smart phone inspection program is useful for developers wanting detailed knowledge about various functions related to mobile phones such as CeCreateFile, CeCreateProcess, CeReadFile, CeGetDeviceId, CeFindAllFiles, CeRegEnumKeyEx and CeRegOpenKey etc. The cell phone forensic application easily gathers all general information from your GSM and CDMA mobile phone. The mobile phone inspector software is available with Microsoft Visual C++ source code and supports all Windows operating systems including Windows 98, NT, ME, 2000, 2003, XP and Vista. The smart phone investigation tool supports all branded mobile phones such as Nokia, Motorola, Samsung, LG and Sony Ericsson etc. The mobile phone inspection program is free of cost, but the user needs to pay if the software is required with its source code.

Features:

 Mobile phone investigation application supports Windows CE and Windows Mobile, WM5 and WM6 based PDA cell phones.

 Cell phone surveillance tool is an innovative mobile investigator that pulls out SIM details, SMS capacity, memory status, battery usage, IMEI number with model number and phonebook entries.

 Mobile phone inspection tool can easily access your mobile phone with the help of port connectivity for gathering general as well as important information.

 Smart phone forensic utility is a read-only tool that provides complete SIM card information.

 Freeware mobile phone inspector program allows users to fetch general details of all Windows based mobile phones.
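The AT commands named above (AT+CIMI, AT+CSQ, AT+CPBR) are what such a read-only inspector sends over the serial port; the responses come back as text. As an added Python example that is not the product's code, the parser below walks a constructed, echoed AT session and turns those responses into the IMSI, a signal reading in dBm and phonebook entries; the numbers in the sample transcript are made up.

```python
"""Parser for the AT command responses a read-only phone inspector relies on
(AT+CIMI, AT+CSQ, AT+CPBR). Added example, not the product's code; the
transcript below is constructed and its numbers are made up."""
import re

CPBR_RE = re.compile(r'^\+CPBR:\s*(\d+),"([^"]*)",(\d+),"([^"]*)"\s*$')
CSQ_RE = re.compile(r'^\+CSQ:\s*(\d+),(\d+)\s*$')
FINAL_CODES = ("OK", "ERROR")


def rssi_to_dbm(rssi):
    """3GPP TS 27.007 mapping for +CSQ: 0..31 -> -113..-51 dBm, 99 = not known."""
    if rssi == 99:
        return None
    if not 0 <= rssi <= 31:
        raise ValueError("rssi out of range: %d" % rssi)
    return -113 + 2 * rssi


def parse_cpbr(line):
    """+CPBR: <index>,"<number>",<type>,"<text>"; type 145 means international format."""
    m = CPBR_RE.match(line)
    if not m:
        return None
    index, number, typ, name = m.groups()
    return {"index": int(index), "number": number,
            "international": int(typ) == 145, "name": name}


def parse_csq(line):
    m = CSQ_RE.match(line)
    if not m:
        return None
    rssi, ber = int(m.group(1)), int(m.group(2))
    return {"rssi": rssi, "ber": ber, "dbm": rssi_to_dbm(rssi)}


def parse_transcript(text):
    """Walk an echoed AT session: a command line, its response lines, a final code.
    Only query commands appear; nothing here writes to the phone."""
    result = {"imsi": None, "signal": None, "phonebook": [], "failed": []}
    command, response = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith("AT"):          # echoed command starts a block
            command, response = line.upper(), []
        elif line in FINAL_CODES:                   # final result code ends the block
            if line == "ERROR":
                result["failed"].append(command)
            elif command and command.startswith("AT+CIMI"):
                result["imsi"] = response[0] if response and response[0].isdigit() else None
            elif command and command.startswith("AT+CSQ"):
                result["signal"] = parse_csq(response[0]) if response else None
            elif command and command.startswith("AT+CPBR"):
                result["phonebook"] = [e for e in map(parse_cpbr, response) if e]
            command, response = None, []
        else:
            response.append(line)
    return result


# Constructed transcript with the \r\n line endings a modem would send.
SAMPLE = (
    "AT+CIMI\r\r\n404450000000001\r\n\r\nOK\r\n"
    "AT+CSQ\r\r\n+CSQ: 20,99\r\n\r\nOK\r\n"
    'AT+CPBR=1,3\r\r\n+CPBR: 1,"+910000000001",145,"Alice"\r\n'
    '+CPBR: 3,"0000000002",129,"Bob"\r\n\r\nOK\r\n'
    "AT+CBS\r\r\nERROR\r\n"
)

if __name__ == "__main__":
    print(parse_transcript(SAMPLE))
```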

NOTE:-

FOR MORE FORENSIC SOFTWARE GO TO http://www.sharewareconnection.com/mobile-phone-inspection-software.htm

6.1.3 We can use XRY:

XRY is a software application designed to run on the Windows operating system which allows you to perform a secure forensic extraction of data from a wide variety of mobile devices, such as smartphones, GPS navigation units, 3G modems, portable music players and the latest tablets such as the iPad.

Extracting data from mobile / cell phones is a specialist skill and not the same as recovering information from computers. Most mobile devices don't share the same operating systems and are proprietary embedded devices which have unique configurations and operating systems. What does that mean in terms of getting data out of them? Well, in simple terms, it means it is very difficult to do. XRY has been designed and developed to make that process a lot easier for you, with support for over 8,000 different mobile device profiles. We supply a complete solution to get you what you need, and the software guides you through the process step by step to make it as easy as possible.

6.1.4 XRY logical


XRY Logical is a software based solution for any Windows based PC, complete with the necessary hardware for forensic investigations of mobile devices. XRY is the standard in mobile device forensics and the first choice among law enforcement agencies worldwide.

XRY Logical provides an intuitive and user friendly interface to analyze a wide range of mobile phones through a secure examination process to recover data in a forensically secure manner. The information gathered from the examined device is instantly available for review in a secure and traceable manner, ensuring its legal standing and credibility in a court of law.

XRY Logical software enables investigators to perform ‘logical’ data acquisition. This forensic process is used to communicate with, and read the contents of, the device, which typically yields live information. The software’s user interface is simple to navigate, with a user friendly wizard designed to help guide you through the entire process from start to finish so you can immediately start to recover data with confidence. With XRY, a tamper-proof report is created within minutes which can easily be customized to a user’s needs, including references and a user’s own branding as required. The generated report can be printed in its entirety, or only the selected data required by the investigators can be prepared. Using XRY’s export function, users are afforded a wide range of functionality to facilitate further distribution and analysis of the data.

Included in the XRY Logical package

 XRY Application software

 XRY License key

 XRY Case with cable organizer

 XRY Logical mobile phone cable kit

6.1.5 XRY physical

XRY Physical is a software package for the physical recovery of data from mobile devices. The memory dump from each individual device is a complex data structure, so Micro Systemation has developed XRY Physical to make it easier to navigate this wealth of information. XRY Physical is different because it lets forensics specialists push the investigation even further by performing a physical data acquisition: a process generating hex dumps from the phone memory, typically bypassing the device operating system. This frequently leads to the recovery of deleted information.


XRY Physical has the advantage that it can reveal protected and deleted data which may not be available through a logical analysis. Crucially, using XRY Physical, it is also possible to recover data from security locked phones. Through a process of dumping raw data followed by automated decoding to reconstruct the content, XRY Physical can secure a whole new layer of valuable data for investigators and forensic examiners.

Included with the XRY Physical system

 XRY Physical License key

 XRY Case with accessories

 XRY Physical Cable Kit

 Write protected universal memory card reader

 XACT hex-viewer application

6.1.6 XRY complete

THE ALL-IN-ONE MOBILE FORENSIC SYSTEM FROM MICRO SYSTEMATION

XRY Complete is the all-in-one mobile forensic system from Micro Systemation, combining both our logical and physical solutions into one package. XRY Complete allows investigators full access to all the possible methods to recover data from a mobile device.

XRY is a purpose built software based solution, complete with all the necessary hardware for recovering data from mobile devices in a forensically secure manner. With XRY Complete you can achieve more and go deeper into a mobile device to recover vital data. With a combination of logical and physical analysis tools available for supported devices, XRY Complete can produce a combined report containing both live and deleted data from the same handset.

The XRY system is the first choice among law enforcement agencies worldwide, and represents a complete mobile forensic system supplied with all the necessary equipment you need to perform a forensic examination of a mobile device - straight out of the box. The supplied XRY software application runs on Windows and is powerful enough to deal with all of the modern demands of forensic examiners. The user interface is simple to navigate, with a user friendly wizard designed to help guide you through the entire process from start to finish, so you can immediately start to recover data with confidence.

Included in the XRY Complete package

 XRY Application software and licence key

 Briefcase with cable organizer

 XRY Communication unit

 XRY Complete mobile phone cable kit

 SIM id-Cloner device with 12 month license

 10 rewritable SIM id-Cloner examination cards

 Write protected universal memory card reader

6.1.7 XACT- Currently used by Jharkhand Police

XACT is a separate hex viewer software application which complements XRY Physical, allowing examiners to view the raw hexadecimal data extracted during a physical dump of a mobile device.

Whilst XRY Physical supports a considerable amount of automatic decoding, there will always be times when an examiner needs to look at the original data for them to establish the source of information. XACT provides mobile forensics specialists with the ability to examine that data in detail.

With XACT you can import binary files from other sources if required and view the hexadecimal data to see for yourself exactly where the data is.

6.1.8 XRY SIM ID-CLONER

When examining GSM based mobile phones the forensic examiner is faced with two challenges:

 Under the original GSM standards a mobile phone is required to have a SIM card inserted before it will allow full access to the operating system and function normally.


 If a GSM device is turned on with a live SIM card inserted, then it will attempt to make a network connection and the risk of data contamination occurs.

The SIM id-Cloner card system solves these problems. It will prevent a GSM network connection without affecting the normal operation of the device, allowing an examiner to perform a logical extraction. It will also be of assistance to examiners faced with a mobile phone which does not have the original SIM card present.

Under the GSM standards a mobile device should delete the call history if it detects that a new SIM card has been inserted into it. An examiner who has a mobile without a SIM card can use SIM id-Cloner to create a duplicate SIM card containing the same critical information as the original SIM, which will then give access to the handset without causing the device to delete the call history list. Please note that the examiner needs either the ICCID or the IMSI, which normally requires contact with the mobile network operator to perform this function.

This product is supplied as part of the XRY Logical system as standard; it can, however, be purchased separately if required.
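The IMEI written into an FIR (6.1.2.2) and the ICCID or IMSI an examiner needs for the SIM id-Cloner (above) all carry structure that can be checked before they are sent to an operator: the 15-digit IMEI and the 19- or 20-digit ICCID each end in a Luhn check digit, and an IMSI splits into MCC, MNC and MSIN. As an added Python example that is not part of the manual or of XRY, the following validates and splits these identifiers; the sample values are constructed and the MNC length is an assumption the caller supplies.

```python
"""IMEI / ICCID / IMSI checks: added example, not from the manual or XRY.

The check-digit rule (Luhn, as in ITU-T E.118 for ICCID and 3GPP TS 23.003
for IMEI) is standard; the sample identifiers are constructed, not real."""
import re


def luhn_sum(digits):
    """Luhn sum over a digit string, doubling every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total


def luhn_valid(digits):
    return digits.isdigit() and luhn_sum(digits) % 10 == 0


def luhn_check_digit(payload):
    """Check digit that makes payload + digit Luhn-valid."""
    return str((10 - luhn_sum(payload + "0") % 10) % 10)


def parse_imei(raw):
    """15-digit IMEI as shown by *#06#: 8-digit TAC, 6-digit serial, 1 check digit.
    Spaces and dashes as printed on the sticker are ignored."""
    imei = re.sub(r"[\s-]", "", raw)
    if len(imei) != 15 or not imei.isdigit():
        return {"imei": imei, "valid": False, "reason": "need 15 digits"}
    return {"imei": imei, "tac": imei[:8], "serial": imei[8:14],
            "check_digit": imei[14], "valid": luhn_valid(imei)}


def parse_iccid(raw):
    """ICCID printed on the SIM: 19 or 20 digits, prefix 89, Luhn check digit."""
    iccid = re.sub(r"[\s-]", "", raw)
    ok = (len(iccid) in (19, 20) and iccid.isdigit()
          and iccid.startswith("89") and luhn_valid(iccid))
    return {"iccid": iccid, "valid": ok}


def parse_imsi(raw, mnc_length=2):
    """IMSI from the SIM (up to 15 digits): MCC(3) + MNC(2 or 3) + MSIN.
    The MNC length is not self-describing; the caller passes it (assumption)."""
    imsi = raw.strip()
    if not (6 <= len(imsi) <= 15) or not imsi.isdigit() or mnc_length not in (2, 3):
        return {"imsi": imsi, "valid": False}
    return {"imsi": imsi, "mcc": imsi[:3], "mnc": imsi[3:3 + mnc_length],
            "msin": imsi[3 + mnc_length:], "valid": True}


def intake_check(imei, iccid, imsi):
    """What a complaint desk can verify before identifiers go to the operator:
    returns the names of the fields that fail their format or check-digit rule."""
    problems = []
    if not parse_imei(imei)["valid"]:
        problems.append("imei")
    if not parse_iccid(iccid)["valid"]:
        problems.append("iccid")
    if not parse_imsi(imsi)["valid"]:
        problems.append("imsi")
    return problems


if __name__ == "__main__":
    # Constructed identifiers: a payload plus its computed check digit.
    imei = "49015420323751" + luhn_check_digit("49015420323751")
    print(parse_imei(imei), intake_check(imei, "89014103211118510720", "404450000000001"))
```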

We can also use EnCase and FTK; their detailed working is explained below.

6.2 Crime related to Web Services

6.2.1 Case Study:

Case: An anonymous online group posts false information about the Row & Row company on the message board of its website, which leads directly to a decrease in stock price or the cancellation of a key deal. This is web defacement.

Case: Mahesh Mhatre and Anand Khare were arrested in 2002 for allegedly defacing the website of the Mumbai Cyber Crime Cell. They had allegedly used password cracking software to crack the FTP password for the police website. They then replaced the homepage of the website with pornographic content. The duo was also charged with credit card fraud for using 225 credit card numbers, mostly belonging to American citizens.

6.2.2 Block Diagram:


6.3 Crime Related to Financial Fraud/ Banking Fraud


Case: The Hyderabad police in India arrested an unemployed computer operator and his friend, a steward in a prominent five-star hotel, for stealing and misusing credit card numbers belonging to hotel customers.

The steward noted down the various details of the credit cards which were handed over by clients of the hotel for paying their bills. Then he passed all the details to his computer operator friend, who used the details to make online purchases on various websites.

Case: In 2004, the US Secret Service investigated and shut down an online organization that trafficked in around 1.7 million stolen credit cards and stolen identity information and documents.

This high-profile case, known as “Operation Firewall” focused on a criminal organization of some 4,000 members whose website functioned as a hub for identity theft activity.

6.3.1 Block Diagram:

CREDIT CARD FRAUD / BANKING FRAUD


6.4 Procedure of Forensics


6.4.1 EnCase Layout

EnCase divides its screen real estate into four windows that are named for their primary examination function: the Tree pane (formerly the Left pane), the Table pane (formerly the Right pane), the View pane (formerly the Bottom pane), and the Filter pane (new to EnCase Version 5). Granularity or detail increases as you move through the primary panes from the Tree pane, to the Table pane, and finally to the View pane. If detail of any object is needed, place the cursor focus on it (in other words, highlight it) in the Tree pane, and the Table pane will display the details about that object. If you want more details about an object in the Table pane, highlight it in the Table pane and the details will appear in the View pane. Once you get down to the data level of granularity in the View pane, you can even view or interpret that data in different ways, effectively getting still more information or granularity from the View pane. In addition to letting you work with a case in the Case Entries view, EnCase offers many other views or features that function in the same manner, providing more granularity as you move through the viewing panes. EnCase further organizes its views into global views, case-level views, and case-level view subtabs. This hierarchical view is controlled with three bars at the top of the Tree pane, populated with tabs representing the various views. The bars are arranged in a descending hierarchy, with the top bar representing global options, the second bar representing case-level options, and the third bar representing case-level view subtabs. As the tabs are highlighted (or brought to the front in a three-dimensional sense), their path becomes visible in the hierarchical tree. Once you take a few minutes to familiarize yourself with how it works, it is very intuitive and easy to find your way around.

EnCase divides its screen real estate into the Tree, Table, and View panes


6.4.1.2 Creating a Case

The Tree pane is the starting point for the detail that follows in the other two panes. However, before we can work with the Tree pane, or any pane for that matter, we need to have a case open. And before we can have a case open, we need to create a case. When EnCase starts, it opens by default in the Case view. In the Case view, you create a case by clicking the New button on the toolbar. Alternatively, you could select File > New. After you click the New button, the Case Options dialog box will appear.

The Case Options dialog box


Name

Enter a descriptive name for your case, which may include a case or complaint number. The text you enter here will show in the case folder under the Cases tab view. When you have many cases to manage, being very descriptive and detailed while still being brief is quite helpful.

Examiner Name

Enter the examiner’s (your) name in this space. EnCase will not let you proceed if you don’t make an entry, and it will remember your last entry for future cases in the local.ini file contained in the EnCase5\Config folder.

Default Export Folder

This folder will be the default location for files that are exported from within EnCase. Also, when you choose to Copy/Unerase files, this will be the default location for that feature as well. Some EnScripts will use this location for output too.

Temporary Folder


The Temp folder is used to store files when EnCase is directed to send a file to an external viewer. Before the external viewer can see a file, it must first be copied out of EnCase and into the Windows environment. This folder holds those files for this purpose. When you exit EnCase, files in the Temp folder are removed. If a system crash occurs, this purging won’t take place. For this reason, files can accumulate in the Temp folder, and if you have a system crash, you may wish to delete them as they can sometimes get quite large in number and size.

6.4.1.2 Creating Case Template on Desktop

Create a case file template on your desktop. Whenever you need to create a case, copy this folder into the Cases folder of your case information drive. Rename the template folder to your case name, and you are done in seconds.

Case file organization and management are extremely important skills for an examiner to acquire. In the past, each case image was kept on a separate drive to prevent cross-contamination of data. As caseloads grew and technology evolved, best practices have been modified accordingly. As EnCase encapsulates a device image into an evidence file that has powerful and redundant internal integrity checks, cross-contamination of image files is not the issue it was in the past. In that regard and in many other areas, EnCase has changed the face of computer forensics and, with it, best practices. Many labs have massive storage servers that store EnCase evidence and case files. Instead of segregating storage in separate physical devices as in the past, storage today is often networked and segregated by distinctive folder-naming conventions that are consistent with best practices for case management. In this manner, several examiners can access the same evidence files concurrently and work on different facets of the same case as a team.

Multiple cases stored in a single Cases folder.

As soon as you have created your case, you should save it by clicking Save on the toolbar. Consistent with our file-naming and organization conventions, you want to save it in the root of the folder that names your unique case. The file name will default to the name of the case that you entered in the Name field of the Case Options dialog box. It is a good practice to have the case, the case file, and the case folder all named the same. It’s also wise to incorporate the case file name as part of the evidence file name. When they are all named consistently, errors and confusion are less likely to occur. If the files are misplaced, the naming convention alone can associate them with their lost relatives.

After you have created a case and saved it, it is time to add evidence to that case. To do so, click Add Device, which is located on the toolbar. Adding a device is not an option until you either create a case or open a case. At this stage, you can use the dialog box to add a live device for preview and possible acquisition, or you can add an evidence file to your case. If you are operating in the Enterprise or FIM environment, you can connect to a network device that is running the servlet. Once you have added a device to your case, save your case. There is a saying that has its roots in Chicago during its earlier years: “Vote early and vote often.” In forensics, you should apply similar logic by saving early and saving often. Get into the habit of clicking the Save button anytime you have completed significant work and when you are about to embark on a new task or process. EnCase supports many different file systems, which may be mounted in the same case and searched simultaneously.


The figure above shows a physical device (live in this case, with a blue triangle in the lower right) and its associated volume. The physical device icon is a depiction of a hard drive with the arm and heads spanning the platter. It takes some imagination, but that’s what it is. The volume icon is a gray 3-D box of some sort.

A “live” physical device and its associated volume; the physical device has a blue triangle in the lower right, indicating it is a live device.

A floppy disk icon is shown with one folder, which has an “X” in it, indicating it is a “deleted” folder.

You can “expand all” or “contract all” by right-clicking on an object in the Tree pane.


6.4.1.3 Process

1. Two machines are involved: PC A, the examiner's machine onto which the image is to be extracted, and PC B, the machine whose image is to be extracted.

2. PC A: network settings in PC A (Internet Protocol Version 4, TCP/IPv4): IP address 192.168.0.1, subnet mask 255.255.255.0.

3. PC B: settings in PC B: insert the boot live CD in the CD-ROM drive and boot the PC from the CD-ROM (the BIOS boot order has to be changed).

4. Connect PC A and PC B with a cross-over cable.

5. Switch on PC B (the PC will start in live CD mode).

6. Switch on PC A and start the EnCase software.

[Note: INSERT THE ENCASE DONGLE IN THE USB PORT OF PC A.]

6.4.1.4 Countermeasures

As EnCase is well known and popular with law enforcement agencies, considerable research has been conducted into defeating it. The Metasploit project has produced an anti-forensics toolkit, which includes tools intended to prevent EnCase from finding data left by their operations.

Furthermore, because law enforcement procedures involving EnCase are documented in a way that is open to public scrutiny in many judicial systems, those wishing to defend themselves against its use have a considerable pool of information to study.

Copies of EnCase have been widely leaked on peer-to-peer and other file-sharing networks, which allows full analysis of the software. Proof-of-concept code exists that can cause EnCase to crash, or even use buffer overflow exploits to run arbitrary code on the investigator's computer. EnCase is also known to be vulnerable to zip bombs, for example 42.zip.
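A defensive check for the zip-bomb risk just mentioned, added here as example code (it is not from the report and not part of EnCase): it reads only the archive's central-directory metadata, comparing declared and compressed sizes and spotting nested archives, without extracting any payload, so a suspect archive can be flagged before it is processed on the examiner's workstation. The sample archives it builds in memory are constructed for the demonstration; the ratio and size limits are assumed thresholds.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header that starts every zip archive


def assess_zip(data, max_ratio=100.0, max_total=1 << 30):
    """Inspect archive metadata only; nothing is written to disk or fully inflated."""
    report = {"members": 0, "declared_total": 0, "worst_ratio": 0.0,
              "nested_archives": [], "reasons": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            report["members"] += 1
            report["declared_total"] += info.file_size
            # Declared uncompressed size versus stored size; deflate tops out near 1000:1
            ratio = info.file_size / max(info.compress_size, 1)
            report["worst_ratio"] = max(report["worst_ratio"], ratio)
            # Peek at the first four bytes only: enough to recognise a nested zip
            with zf.open(info) as fh:
                head = fh.read(len(ZIP_MAGIC))
            if head == ZIP_MAGIC or info.filename.lower().endswith(".zip"):
                report["nested_archives"].append(info.filename)
    if report["worst_ratio"] > max_ratio:
        report["reasons"].append(
            f"compression ratio {report['worst_ratio']:.0f}:1 exceeds {max_ratio:.0f}:1")
    if report["declared_total"] > max_total:
        report["reasons"].append("declared uncompressed size exceeds limit")
    if report["nested_archives"]:
        report["reasons"].append("nested archives present (recursive bomb pattern)")
    report["suspicious"] = bool(report["reasons"])
    return report


def build_sample(bomb):
    """Constructed sample archives for the demonstration (not real evidence)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if bomb:
            # Highly compressible payload plus one nested layer: 42.zip in miniature
            zf.writestr("zeros.bin", b"\0" * (4 * 1024 * 1024))
            zf.writestr("layer1.zip", build_sample(False))
        else:
            lines = "\n".join(f"exhibit {i}: item {i}" for i in range(40))
            zf.writestr("notes.txt", lines.encode())
    return buf.getvalue()


if __name__ == "__main__":
    for label in (False, True):
        verdict = assess_zip(build_sample(label))
        print("bomb-like" if label else "benign", "->", verdict["reasons"] or "ok")
```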

6.4.2 FTK

6.4.2.1 USES OF FTK

Instant Searching Capability


Because all files have been indexed, FTK can make a full-text index of every alpha-numeric string contained in those files. This full-text index allows for instantaneous key word searching across all the data on the hard drive:

Instant key word searching from FTK allows for quicker investigations. Using linear, flat-file imaging technology from the competition makes the investigator wait while the program searches for the particular key word from the beginning of the hard drive to the end.
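To make the indexing argument concrete, here is an added example (not FTK's code and not from the report) that pulls alphanumeric strings out of raw file bytes, builds an inverted index from them, and contrasts a single index lookup with the linear rescan of every file described above. The three sample files are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Runs of four or more ASCII letters/digits, the strings an indexer pulls from raw content
ALNUM_RUN = re.compile(rb"[A-Za-z0-9]{4,}")


def extract_strings(data):
    """Return the alphanumeric strings found anywhere in a file's raw bytes."""
    return [m.group().decode("ascii").lower() for m in ALNUM_RUN.finditer(data)]


class FullTextIndex:
    """Inverted index: term -> set of file names containing that term."""

    def __init__(self):
        self.postings = defaultdict(set)
        self.files = {}

    def add_file(self, name, data):
        # Indexing cost is paid once per file, when evidence is added to the case
        self.files[name] = data
        for term in set(extract_strings(data)):
            self.postings[term].add(name)

    def search(self, keyword):
        """One dictionary lookup, however much evidence has been indexed."""
        return sorted(self.postings.get(keyword.lower(), set()))


def linear_search(files, keyword):
    """The flat-file approach: rescan every byte of every file for each keyword."""
    kw = keyword.lower()
    hits, bytes_scanned = [], 0
    for name, data in files.items():
        bytes_scanned += len(data)
        if kw in extract_strings(data):
            hits.append(name)
    return sorted(hits), bytes_scanned


SAMPLE_FILES = {  # constructed sample evidence, not real case data
    "notes.txt": b"Transfer the funds to account 778812 before Friday",
    "cache.bin": b"\x00\x89PNG\x00\x00account\x00\xffjunk\x01778812\x00",
    "report.doc": b"Quarterly sales report, nothing unusual here",
}


def build_index(files=SAMPLE_FILES):
    idx = FullTextIndex()
    for name, data in files.items():
        idx.add_file(name, data)
    return idx


if __name__ == "__main__":
    idx = build_index()
    print("indexed:", idx.search("778812"))
    print("linear :", linear_search(SAMPLE_FILES, "778812"))
```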

6.4.2.2 FTK is a solution for Decryption and Password Recovery

Wrongdoers often cover their tracks by deleting or encrypting documents. FTK recovers deleted files and also decrypts files. First, FTK’s indexing ability identifies all the encrypted documents up front, which allows the investigator to quickly begin the decryption process.

6.4.2.3 FTK allows for a graphical interface filtering function.

Filter options allow users to define criteria to speedily locate and identify evidence. The user does not need to learn to program scripts, as you do with competing software. In FTK, filters are created with a simple click of the mouse. Because all the data is in a database, getting results from the filters is instantaneous.

The screen shot below illustrates the simplicity of creating a custom filter in FTK as well as just some of the items you can filter on:


6.4.2.4 WORKING WITH FTK

- Identify the basic FTK interface components, including the menu and toolbar options and the program tabs.

- Create a case.

- Add evidence to a case.

- Obtain basic analysis data, including file and folder properties, file formats, metadata and specific file information such as dates and times.

- Export files.

- Use the Copy Special feature to export information about case files.

6.4.2.5 PROCESSING THE CASE:

- Graphics

  - Identify the elements of a graphics case.

  - Identify standard graphics formats.

  - Navigate the FTK Graphics tab.

  - Use the List All Descendants feature.

  - Export graphics files and hash sets.

  - Tag graphics files using the Bookmarks feature.

  - Use the Thumbnail feature.

- E-Mail

  - Identify the elements of an e-mail case.

  - Identify supported e-mail types.

  - Navigate the FTK E-mail tab.

  - Find a word or phrase in an e-mail message or attachment.

  - Bookmark e-mail items.

  - Export e-mail items.

  - Print e-mail items.

Chapter VII: Challenges in Investigation of Cybercrime

7.1 Technical Issues

[Diagram: Technical Issues: Search and Seizure; Understanding of Cryptographic Concept]

7.1.1 Search and Seizure

There are two methods through which data can be obtained: the legal approach, where the scene of the crime is thoroughly analysed and searched for devices that may be helpful and used as evidence; and the technical approach, in which systems or devices are monitored to obtain the information transmitted from them.


The major issue in the search and seizure process arises when digital evidence is seized from hard drives on networked systems, where relevant and irrelevant material are present together. The practical problem arises when hard drives and other digital devices are analysed: officials become confused about which data is most relevant and which is not. This creates problems with search warrants where data not specified in the warrant is included on the hard drive, possibly leading to the invalidity of the whole search and seizure procedure. It is practically impossible to examine the relevance of the 80GB of data a hard drive may contain. This problem of search and seizure of computers is also one of the sensitive issues in the legal dimension of requests to foreign countries. Things have now changed, however: many new technologies have emerged, and digital devices or PDAs are now analysed only after the particular device has been cloned with the help of forensic tools and methods.

7.1.2 Understanding of Cryptographic Concept

This is one of the major issues faced by cybercrime investigators or cyber forensics teams during an investigation. Officials find hard drives or other digital devices during the search and seizure of the spot or location where the crime took place, and these serve as evidence. In some cases, however, these devices are encrypted by the culprit to hide the information, and the investigator then faces the problem of decrypting that data or device to gather information about the culprit or the crime he committed. In many cases investigators do not know how to decrypt the data, but with the help of forensic tools and methods this issue is easily handled by the officials.


If all else fails, investigators may try to break the encryption codes, although this is difficult, time consuming and costly, and would be inappropriate in most serious matters.

7.2 Legal Issues

[Diagram: Legal Issues: Difficulties in Terminology; Choosing an Appropriate Jurisdiction]

7.2.1 Difficulties in Terminology

The IT Act 2000 contains many difficulties in terminology as well as in definitions, which make it hard for police officials to understand the basic terms. When solving or investigating a case, anyone found guilty must be held liable under the sections of the Information Technology Act, 2000 (Amended 2008), read with the relevant sections of the Indian Penal Code, 1860, depending on the circumstances of the crime. Hence, investigators also need a basic knowledge of other Indian laws. Many terms that are not discussed in the IT Act, 2000 (Amended 2008) create confusion in the minds of officials; one example is cybersquatting, the act of registering a domain name in order to sell it later for profit, for which no remedy is available in the IT Act, 2000. Several other issues likewise remain unaddressed in any legal proceedings.

7.2.2 Choosing of Appropriate Jurisdiction

The jurisdictional problem is one of the important issues to cope with in cybercrime matters, owing to the universal nature of cyberspace. With the help of the internet, cyber terrorists carry out activities against any country to harm its sovereignty and integrity. New methods of dispute resolution have been introduced by international organisations such as the WTO; different organisations promote their own policies and rules to combat cybercrime within their particular field or domain.

In some cases offences are committed from outside the country by hackers who sometimes use proxy networks that present the network of a different place or even a different country. The question then arises during investigation of which court should deal with the particular matter.

7.3 Other Issues

There are some further issues or limitations that arise during cybercrime investigation by police officials.


7.3.1 Complexity in collecting evidence

Investigators face many complexities while collecting digital devices as evidence, especially when the devices are encrypted, because decrypting the device and gathering the data is a difficult and time-consuming activity that delays the further proceedings of the investigation.

Another term for digital devices is ‘electronic record’, defined in section 2(t) of the IT Act, 2000 (Amended 2008), where ‘electronic record’ means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche.

Loss of evidence is a very common and obvious problem, as data is routinely destroyed. Further, collection of data outside the territorial extent also paralyses this system of crime investigation.

7.3.2 Logistical and Practical Barriers

Conducting investigations across national borders raises many practical problems that affect the investigation process and increase its expense. For example, if a crime is committed outside the country, it is hard to investigate the whole course of the crime. In this situation investigators rely on teleconferences, which are difficult to arrange at times suitable for all concerned.

Documents often need to be translated, particularly if they are required for diplomatic purposes. This can cost considerable sums and again delays investigations. Witnesses from non-English-speaking countries may need the assistance of interpreters, which is also expensive and slows down the investigation process.


7.3.3 Identifying Suspects

Identification of the suspect is also a key problem that investigators generally face, as there are many cases in which the accused are children who are minors (less than 18 years old). As noticed by Jharkhand Police, there are cases in which the culprits are school students of classes 8 to 12, who are involved in financial fraud as well. Occasionally this can lead to considerable problems, with the wrong person being arrested for that particular crime.

7.3.4 Lack of awareness and knowledge

The main reason behind these issues is that officials lack awareness and knowledge of cybercrime investigation. Some of them do not know the proper jurisdiction or the methods of collecting and analysing evidence. Since their rights and duties are not clearly mentioned anywhere, the IT Act 2000 has not achieved any great success in this respect. Most cases go unreported because officials do not know how to file a report or how the sections apply to that particular offence.

If people are vigilant about their rights, the law definitely protects those rights. When an investigator carries out an investigation, he faces such problems. Suppose he is investigating a case related to cyber stalking or an ICMP mask attack; such terms are difficult for the police to understand: what exactly do they mean, and how are these offences committed?

For example, the Delhi High Court in October 2002 prevented a person from selling pirated software (Microsoft) over an online auction site. Another achievement came in a case before the court of the Metropolitan Magistrate, Delhi, where a person was convicted of online cheating for buying Sony products using a stolen credit card.

7.3.5 Lack of Training

The major drawback affecting police officials during the investigation of cybercrime is lack of training: many officials do not know about new technologies, and even those who do still lack the practical skills to apply them in the investigation. To file evidence in a court of law, officials must attain a basic knowledge of every sector in the field of information technology together with its legal aspects, which is possible only when police officials receive training, or when the government starts a campaign to train these officials.

7.4 Actions and Power of Police Officials

Police officials and investigators have to take certain steps and actions to solve cases involving cyberspace; their powers are laid down in Indian law under the Code of Criminal Procedure (CrPC) and the Information Technology Act, 2000 (Amended 2008), and vary as follows:

1. Section 80 of IT Act, 2000: Power of police officer to enter any public place and search and arrest.

2. Section 78 of IT Act, 2000: Power to investigate offences (not below rank of inspector).

3. Section 156 Cr.P.C: Power to investigate cognizable offences.

4. Section 155 Cr.P.C: Power to investigate non-cognizable offences.

5. Section 91 Cr.P.C: Summons to produce documents.

6. Section 160 Cr.P.C: Summons to require attendance of witnesses.

7. Section 165 Cr.P.C: Search by police officer.

8. Section 93 Cr.P.C: General provision as to search warrants.

9. Section 47 Cr.P.C: Search to arrest the accused.


ANNEXURES

Annexure-1 Cyber Cells In India

State/City | Address | Contact | Website/E-mail ID Details

Assam | CID HQ, Dy. SP, Assam Police | +91-361-252-618, +91-9435045242 | [email protected]

Chennai | Assistant Commissioner of Police, Cyber Crime Cell, Commissioner office campus, Egmore, Chennai-600008 | +91-40-5549-8211 | [email protected]

Rest of Tamil Nadu | Cyber Crime Cell, CB, CID, Chennai | +91-44-2250-2512 | [email protected]

Bangalore (for the whole of Karnataka) | Cyber Crime Police Station, C.O.D. Headquarters, Carlton House, #1, Palace Road, Bangalore-560001 | +91-80-2220-1026, +91-80-2294-3050, +91-80-2238-7611 (fax) | http://www.cyberpolicebangalore.nic.in/; Email-id: [email protected], [email protected]

Hyderabad | Cyber Crime Police Station, Crime Investigation Department, 3rd Floor, D.G.P. office, Lakdikapool, Hyderabad-500004 | +91-40-2324-0663, +91-40-2785-2274, +91-40-2758-2040, +91-40-2329-7474 (fax) | http://www.cidap.gov.in/cybercrimes.aspx; Email-id: [email protected], [email protected], [email protected]

Delhi | CBI Cyber Crime Cell: Superintendent of Police, Cyber Crime Investigation Cell, Central Bureau of Investigation, 5th Floor, Block No. 3, CGO Complex, Lodhi Road, New Delhi-3 | +91-11-4362203, +91-11-4392424 | http://cbi.nic.in/; [email protected]

Thane | 3rd Floor, Police Commissioner Office, Near Court Naka, Thane West, Thane-400601 | +91-22-2542-4444 | www.thanepolice.org; Email-id: [email protected]

Pune | Deputy Commissioner of Police (Crime), Office of the Commissioner, 2, Sadhu Vaswani Road, Camp, Pune-411001 | +91-20-2612-3346, +91-20-2612-7277, +91-20-2616-5396, +91-20-2612-8105 (fax) | www.punepolice.gov.in; Email-id: [email protected], [email protected]

Gujarat | DIG, CID, Crime and Railways, Fifth Floor, Police Bhavan, Sector-18, Gandhinagar-382018 | +91-79-2325-4384, +91-79-2325-0798, +91-79-2325-3917 (fax) |

Jharkhand | IG-CID, Organized Crime, Rajarani Building, Doranda, Ranchi-834002 | +91-651-2400-737/738 | [email protected]

Haryana | Cyber Crime and Technical Investigation Cell, Joint Commissioner of Police, old S.P. Office complex, Civil Lines, Gurgaon | | Email-id: [email protected]

Mumbai | Cyber Crime Investigation Cell, Office of the Commissioner of Police, Annex-3 Building, 1st floor, Near Crawford Market, Mumbai-01 | +91-22-2263-0829, +91-22-2264-1261 | http://www.cybercellmumbai.com; E-mail id: [email protected]

Himachal Pradesh | CID Office, Dy. SP, Himachal Pradesh | +91-94180-39449 | Email-id: [email protected]

Jammu | SSP, Crime, CPO Complex, Panjtirthi, Jammu-180004 | +91-191-257-8901 | Email-id: [email protected]

Kerala | Hitech cell, Police Headquarters, Thiruvananthapuram | +91-471272-1547, +91-471272-2768 | Email-id: [email protected]

Meghalaya | SCRB, Superintendent of Police, Meghalaya | +91-98630-64997 | Email-id: [email protected]

Bihar | Cyber Crime Investigation Unit, Dy. S.P., Kotwali Police Station, Patna | +91-94318-18398 | Email-id: [email protected]

Orissa | CID, Crime Branch, Orissa | +91-94374-50370 | Email-id: [email protected]

Punjab | Cyber Crime Police Station, DSP Cyber Crime, S.A.S. Nagar, Patiala, Punjab | +91-172-2748-100 |

West Bengal | CID, Cyber Crime, West Bengal | +91-33-2450-6163 | Email-id: [email protected]

Uttar Pradesh | Cyber Complaints Redressal Cell, Nodal Officer Cyber Cell Agra, Agra Range 7, Kutchery Road, Baluganj, Agra-232001, Uttar Pradesh | +91-9410-837559 | Email-id: [email protected]

Uttarakhand | Special Task Force Office, Sub Inspector of Police, Dehradun | +91-13526-40982, +91-94123-70272 | Email-id: [email protected]

Manipur | SP, CID, Crime Branch, Jail Road, 1st Bn Manipur Rifles campus, Imphal-5 | 0385-2451501, 943602746 | Email-id: [email protected]
