Cyber Crime Investigation and Forensics 1

A PROJECT REPORT ON CYBER CRIME INVESTIGATION AND FORENSICS

Contents:
CYBER CRIME INVESTIGATION ... 4--31
  What Is Cyber Crime ... 4
    Examples Include ... 4
    Definition ... 4
  Reasons For Cyber Crime ... 4--5
    Capacity To Store Data In Comparatively Small Space ... 5
    Easy To Access ... 5
    Complex ... 5
    Negligence ... 5
    Loss Of Evidence ... 5
  Cyber Criminals ... 5--6
    Children And Adolescents Between The Age Group Of 6 – 18 Years ... 6
    Organized Hackers ... 6
    Professional Hackers / Crackers ... 6
    Discontented Employees ... 6
  Mode And Manner Of Committing Cyber Crime ... 6--8
    Unauthorized Access To Computer Systems Or Networks / Hacking ... 6
Silent in nature: A computer crime can be committed in private, without the offender physically reaching the scene of the crime, so there are no eyewitnesses and no signs of physical violence or struggle.
Global in character: There are no national borders. An offender sitting comfortably in a distant country can damage the entire economy of the target country. Because digital evidence is fragile, the response has to be quick.
Non-existence of physical evidence: There is no physical evidence to indicate that a crime has been committed. Only on a closer look can a trained person find the evidence, which is not in the traditional format but in digital form.
Creates high impact: The impact is severe and may be long term. It can damage the victim's system permanently and cause loss of goodwill.
High potential and easy to perpetrate: A software developer who did not get enough money or a good job may turn to the criminal world for survival, so computer crime has the potential to increase, and organised crime may enter this sector.
Prevention of Cyber Crime:
Prevention is always better than cure, so it is better to take certain precautions while operating on the net, and a netizen should make them part of his cyber life. Saileshkumar Zackary, technical advisor and network security consultant to the Mumbai Police Cyber Crime Cell, advocates the 5P mantra for online security: Precaution, Prevention, Protection, Preservation and Perseverance.
A netizen should keep in mind the following things:
1. To prevent cyber stalking, avoid disclosing any information pertaining to oneself. This is as good as disclosing your identity to strangers in a public place.
2. Always avoid sending any photograph online, particularly to strangers and chat friends, as there have been incidents of misuse of photographs.
3. Always use the latest, up-to-date anti-virus software to guard against virus attacks.
4. Always keep backup volumes so that one does not suffer data loss in case of virus contamination.
5. Never send your credit card number to any site that is not secured (one that does not use an encrypted HTTPS connection), to guard against fraud.
6. Always keep a watch on the sites that your children are accessing, to prevent any kind of harassment or depravation of children.
7. It is better to use a security programme that gives control over the cookies that send information back to the site, as leaving cookies unguarded might prove fatal.
8. Web site owners should watch traffic and check for any irregularity on the site. Host-based intrusion detection systems on the servers can do this.
9. Use of firewalls may be beneficial.
10. Web servers running public sites must be physically separated from, and protected from, the internal corporate network.
Adjudication of a Cyber Crime - On the directions of the Bombay High Court, the Central Government, by a notification dated 25.03.03, decided that the Secretary to the Information Technology Department in each state would, by designation, be appointed as the Adjudicating Officer (AO) for that state.
QUESTIONNAIRE
QUESTIONNAIRE RELATED TO THE RECOMMENDATIONS FROM THE FOURTH
MEETING OF GOVERNMENTAL EXPERTS ON CYBER-CRIME
1. In which of the following areas does our country have existing cyber-crime legislation in place?
a) IT Act cyber laws (e.g., laws prohibiting online identity theft, hacking, intrusion into computer systems, child pornography): Yes ___ No ___
If yes, please list and attach copies of all such legislation, preferably in electronic format if possible:
IT Act Section 65 – Code modification (tampering with computer source documents)
IT Act Section 66 – Hacking
IT Act Section 67 – Pornography (publishing obscene information in electronic form)
b) Procedural cyber-crime laws (e.g., authority to preserve and obtain electronic data from third parties, including internet service providers; authority to intercept electronic communications; authority to search and seize electronic evidence): Yes ___ No ___
If yes, please list and attach copies of all such legislation, preferably in electronic format if possible:
Sections 41, 42 and 100 CrPC (arrest and search powers)
IT Act Section 78 – Search and seizure
IT Act Section 80 – Police powers
c) Mutual legal assistance related to cyber-crime: Yes ___ No ___
If yes, please list and attach copies of all such legislation, preferably in electronic format if possible:
They need only technical help during case investigation.
2. Please identify whether the following forms and means (1) occur frequently, (2) occur infrequently, or (3) have not occurred, by placing an "X" as appropriate in the following table:

Forms and Means of Cyber-Crime | Occur Frequently | Occur Infrequently | Has not Occurred
Online identity theft (including phishing and online trafficking in false identity information) |  |  |
Hacking (illegal intrusion into computer systems; theft of information from computer systems) |  |  |
Malicious code (worms, viruses, malware and spyware) |  |  |
Illegal interception of computer data |  |  |
a) In addition to the above, if there are any other forms and means of cyber-crime that have occurred (either frequently or infrequently) in our country, please identify them as well as the frequency with which they occur in the following table.

Forms and Means of Conduct | Occur Frequently | Occur Infrequently
Cheating |  |
Threatening |  |
Cyber stalking |  |
Credit card fraud |  |
Copyright violation |  |
Source code theft |  |
3. Does our country have any concrete experiences with respect to strengthening the relationship between the authorities responsible for investigating and/or prosecuting cyber-crimes and internet service providers that may be shared with other States as a best practice in this area? Yes No ___
If yes, please explain: ISP meetings, bank-model meetings, the cyber committee and regular basic interaction.
4. Has our country identified, created, or established a unit or entity specifically charged with directing and developing the investigation of cyber-crimes? Yes No
If yes, please provide the following information: CBI Crime Cell, CID
The institution to which the unit/entity belongs: POLICE
The number of officers or investigators in the unit/entity: 4-5
If such a unit/entity has been created or established, are its functions dedicated exclusively to the investigation of cyber-crimes? Yes No ___
If no, what other types of offenses or crimes is this unit/entity responsible for investigating and/or prosecuting?
5. Has our country identified, created, or established a unit or entity specifically charged with directing and developing the prosecution of cyber-crimes? Yes ___ No
Relevance of Evidence
The main purpose of investigating any crime is to collect sufficient and legally admissible evidence to ensure the conviction of the offenders.
The requirements for evidence in cyber crimes are no different, but the nature of digital evidence has made its collection a specialised job.
The Evidence Act and rules already in existence were considered insufficient, so the IT Act, 2000 made extensive changes to the Indian Evidence Act, 1872.
Indian Evidence Act (Amended)
3. Evidence - "Evidence" means and includes:
All documents including electronic records produced in Court are called documentary
evidence.
“Electronic records” has the same meaning as assigned in the IT Act, 2000, i.e.:
image or sound stored, received or sent in an electronic form; or
micro film or computer generated micro fiche;
17. Admission defined - An admission is a statement, oral or documentary or contained in
electronic form which suggests any inference as to any fact in issue or relevant fact.
27. How much of information received from accused may be proved - When any fact is
discovered in consequence of information received from a person accused of any offence,
in the custody of a police officer, so much of such information, as relates distinctly to the
fact thereby discovered, may be proved.
When oral admission as to contents of electronic records is relevant:
22A. Oral admissions as to the contents of electronic records are not relevant, unless the
genuineness of the electronic record produced is in question.
59. Proof of facts by oral evidence - All facts, except the contents of documents or
electronic records, may be proved by oral evidence.
39. How much evidence to be given when statement forms part of electronic record: When any statement of which evidence is given forms part of an electronic record, then evidence shall be given of so much and no more of the electronic record as the Court considers necessary in that particular case to the full understanding of the nature and effect of the statement, and of the circumstances under which it was made.
Opinion as to digital signature where relevant.
47A. When the Court has to form an opinion as to the digital signature of any person, the
opinion of the Certifying Authority which has issued the Digital Signature Certificate is a
relevant fact.
Proof as to digital signature.
67A. Except in the case of a secure digital signature, if the digital signature of any
subscriber is alleged to have been affixed to an electronic record, the fact that such digital
signature is the digital signature of the subscriber must be proved.
Proof as to verification of digital signature.
73A. In order to ascertain whether a digital signature is that of the person by whom it
purports to have been affixed, the Court may direct-
That person or the Controller or the Certifying Authority to produce the Digital
Signature Certificate;
Any other person to apply the public key listed in the Digital Signature Certificate
and verify the digital signature purported to have been affixed by that person.
Admissibility of electronic records.
65B. (1) Any information contained in an electronic record which is printed on paper, or stored, recorded or copied in optical or magnetic media produced by a computer, shall be deemed to be also a document if the conditions in sub-section (2) are satisfied, and it shall be admissible in any proceedings, without further proof or production of the original, as evidence of any contents of the original or of any fact stated therein of which direct evidence would be admissible.
65B(2) The conditions are the following:
(a) the computer output was produced during the period when the computer was used regularly to store or process information for the purposes of any activities regularly carried on by a person having lawful control over the computer;
(b) during the said period, information of the kind contained in the electronic record, or of the kind from which the information so contained is derived, was regularly fed into the computer in the ordinary course of the said activities;
(c) throughout the said period the computer was operating properly or, if not, then that part of the period was not such as to affect the electronic record or the accuracy of its contents; and
(d) the information contained in the electronic record reproduces or is derived from such information fed into the computer in the ordinary course of the said activities.
Presumption as to electronic agreements.
85A The Court shall presume that every electronic record purporting to be an agreement
containing the digital signatures of the parties was so concluded by affixing the digital
signature of the parties.
Presumption as to electronic records and digital signatures:
85B. (1) the Court shall presume that the secure electronic record has not been altered
since the specific point of time to which the secure status relates.
(2) In proceedings involving secure digital signature, the Court shall presume that the
secure digital signature is affixed by subscriber with the intention of signing or approving
the electronic record.
Presumption as to electronic messages:
88A. The Court may presume that an electronic message forwarded by the originator through an electronic mail server to the addressee to whom the message purports to be addressed corresponds with the message as fed into his computer for transmission; but the Court shall not make any presumption as to the person by whom such message was sent.
Presumption as to electronic records five years old.
90A. Where any electronic record, purporting or proved to be five years old, is produced
from any custody which the Court in the particular case considers proper, the Court may
presume that the digital signature which purports to be the digital signature of any
particular person was so affixed by him or any person authorized by him in this behalf.
Recent Amendments
The Information Technology (Amendment) Bill, 2008 (Bill No. 96-F of 2008) was passed by the Lok Sabha on 22-12-2008 and by the Rajya Sabha on 23-12-2008.
It received the President's assent on 5th February, 2009.
The date from which the amendments are to be applicable is yet to be notified.
Important Amendments to the IT Act
In Section 43, two new offences were added:
Destroying, deleting or altering information in a computer resource to diminish its value.
Stealing, concealing or destroying any computer source code with the intention to cause damage.
Sec. 66 has been replaced, providing that if any of the acts mentioned in Section 43 is done dishonestly or fraudulently, it is punishable with imprisonment up to 3 years, or a fine up to Rs. 5 lakh, or both.
A new Sec. 66A is added providing for three years' imprisonment and fine for sending:
Offensive or menacing information; or
False information for causing insult, injury, intimidation, hatred or ill-will; or
E-mail causing annoyance, or meant to deceive or mislead the recipient about the origin of that e-mail.
Section 66B makes it an offence to dishonestly receive or retain any stolen computer resource or communication device, punishable with imprisonment up to 3 years or a fine up to Rs. 1 lakh.
Dishonest use of electronic signatures, passwords or other identification features invites punishment of up to 3 years and a fine up to Rs. 1 lakh (Section 66C).
Impersonation with the help of a computer or communication device will result in imprisonment up to 3 years and a fine up to Rs. 1 lakh (Section 66D).
Violation of privacy by way of transmitting electronic visual images of the private parts of a person's body is also punishable with imprisonment up to 3 years or a fine up to Rs. 1 lakh (Section 66E).
Cyber terrorism is defined in Section 66F:
Whoever threatens the unity, integrity, security or sovereignty of India or strikes terror in the people by:
denying access to a computer resource; or
accessing a computer resource without authority; or
introducing any computer contaminant,
and thereby causes death or destruction of property; or
penetrates restricted computer resources or information affecting sovereignty, integrity, friendly relations with foreign states, public order, decency, contempt of court or defamation, or to the advantage of a foreign state or group of persons.
It is punishable with imprisonment up to life.
Obscenity has been defined in the new Section 67, punishable with imprisonment for 3 years with a fine up to Rs. 5 lakh for a first offence, and imprisonment for 5 years with a fine up to Rs. 10 lakh for a subsequent offence.
Section 67A deals with publishing or transmitting sexually explicit material, punishable with 5 years' imprisonment and a fine up to Rs. 10 lakh for a first offence, and imprisonment up to 7 years with a fine up to Rs. 10 lakh for a subsequent offence.
Child pornography has been made a separate offence in Section 67B, punishable with 5 years' imprisonment and a fine up to Rs. 10 lakh for a first offence, and imprisonment up to 7 years with a fine up to Rs. 10 lakh for a subsequent offence.
Section 69 has been redrafted, enabling Government agencies to intercept, monitor or decrypt any electronic information with the help of subscribers, intermediaries or persons in charge of computer resources.
Non-cooperation by any of the above invites imprisonment up to 7 years with fine.
69A: The Government gets the power to issue directions for blocking public access to any information through any computer resource.
An intermediary who fails to comply with directions in this regard shall be punished with imprisonment up to 7 years with fine.
69B: For cyber security, the Government may order any intermediary to allow access to any computer resource; violation results in imprisonment up to 3 years with fine.
Sec. 72A provides punishment for disclosure of information in breach of a lawful contract, extending up to 3 years, or a fine up to Rs. 5 lakh, or both.
Section 77: confiscation, compensation awarded or penalty imposed does not come in the way of penalty, punishment or compensation under any other Act.
Compounding of offences with punishment up to 3 years is allowed, subject to the conditions that the accused has no previous conviction, that the offence does not affect the socio-economic conditions of the country, and that it was not committed against a child or a woman.
Sec. 77B prescribes that, notwithstanding the CrPC:
An offence punishable with imprisonment of 3 years and above is cognizable.
An offence punishable with imprisonment up to 3 years is bailable.
The power to investigate cyber crimes has now been vested in Inspectors in place of Dy. S.P.
An Office of the Examiner of Electronic Evidence is to be established (Section 79A).
Important Amendments to the IPC
Jurisdiction is not bounded by the country's boundaries if the target is a computer resource located in India (Section 4(3)).
Any act done anywhere in the world is an offence if the said act, had it been committed in India, would be an offence (Explanation (a) to Section 4).
Voluntary concealment of the existence of a design by encryption or any other information-hiding tool is an offence.
The words "digital signature" have been replaced with "electronic signature".
Important Amendments to the Evidence Act and CrPC
The opinion of the Examiner of Electronic Evidence has been made relevant (Section 45A, Indian Evidence Act).
The Examiner is to be treated as an expert.
The Examiner is to be examined like any other expert from the CFSL or other laboratories.
The words "digital signature" are to be replaced by "electronic signature".
Our Analysis
As we have seen, crime committed with the help of computers or technology has become a very serious issue nowadays, and the victim can be anybody, a naive person or even a tech-savvy one. From the cyber crimes discussed above we conclude that, to counter these crimes, the end user should be educated about them. Users should be cautious when checking e-mail or downloading files and software. They should change their passwords every 45 days and set strong passwords containing alphanumeric and special characters, and should never use the Administrator account when it is not required. Keep the anti-virus updated, keep licensed copies of the software in use, and secure the network, both LAN and wireless.
Conclusion:
The capacity of the human mind is unfathomable. It is not possible to eliminate cyber crime from cyberspace, but it is quite possible to check it. History is witness that no legislation has succeeded in totally eliminating crime from the globe. The only possible step is to make people aware of their rights and duties (reporting crime is a collective duty towards society) and to make the application of the laws more stringent to check crime. Undoubtedly the Act is a historic step in the cyber world. I do not at all deny that there is a need to bring changes in the Information Technology Act to make it more effective in combating cyber crime. I would conclude with a word of caution for the pro-legislation school: it should be kept in mind that the provisions of the cyber law should not be made so stringent that they retard the growth of the industry and prove counter-productive.
Establishment of PUNE Cyber Cell
It was established on 1st July 2003. The following officers are involved in this department:
Police Commissioner
Two Assistant Police Commissioners
Two Sub-Inspectors
and ten constables in the team.
In the year 2008, 63 cases were registered, and between 2003 and 2008 a total of 452 cases were registered with the Police.
Cases registered at police stations under the IT Act 2000:
Year   2001 2002 2003 2004 2005 2006 2007 2008 2009 Total
Cases    03   04   09   06   10   10   13   08   09    72
In the year 2008 the Cyber Crime Cell solved 15 cases.
Cases handled by the Cyber Crime Cell:
Year   2003 2004 2005 2006 2007 2008 2009 Total
Cases    05   30   32   79   99  207   92   544
Pune Cyber Lab
On 20th January the Pune Cyber Lab was established in collaboration with NASSCOM, near Shivaji Nagar in Pune. The department has 580 officers and 411 staff, among whom the members of the 76th batch have been given cyber crime investigation training.
65 judges have also attended the cyber crime training programme.
WHAT IS CYBER FORENSICS?
Cyber forensics is the discovery, analysis, and reconstruction of evidence extracted from any element of computer systems, computer networks, computer media, and computer peripherals that allows investigators to solve the crime.
Four Stages
Acquire
Authenticate
Analyze
Document
DIFFERENT TYPES OF STORAGE MEDIA
ELECTRONIC EVIDENCE PRECAUTIONS
Static Electricity
Magnetic Fields
Shock
Moisture
Computer Forensics:-
Computer forensics is a branch of forensic science pertaining to legal evidence found in
computers and digital storage mediums.
Computer forensics, also called cyber forensics, is the application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation, while maintaining a documented chain of evidence, to find out exactly what happened on a computer and who was responsible for it.
Computer forensics experts investigate data storage devices, such as hard drives, USB
Drives, CD-ROMs, floppy disks, tape drives, etc., identifying sources of documentary or other
digital evidence, preserving and analyzing evidence, and presenting findings. Computer forensics
adheres to standards of evidence admissible in a court of law.
Electronic evidence considerations
Electronic evidence can be collected from a variety of sources. Within a company’s
network, evidence will be found in any form of technology that can be used to transmit or store
data. Evidence should be collected from three parts of an offender's network: at the workstation of the offender, on the server accessed by the offender, and on the network that connects the two. Investigators can therefore use three different sources to confirm the data's origin.
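The three sources only confirm each other if the investigator actually lines them up. The script below is an added example written for this report, not code from any product or from the report's author. It takes three constructed logs, a browser-history export from the workstation, a combined-format web server log and a firewall allow/deny log (all three formats are assumptions, as is the DHCP lease table that maps workstation names to addresses), and for each request seen on the server reports which of the other two sources independently records the same event within a few seconds.

```python
"""Corroborating an event from the three places evidence lives: the offender's
workstation, the server reached, and the network between them.

Added example written for this report; the log lines are constructed, and the
formats (a browser-history export, a combined-format web server log and a
firewall allow/deny log) are assumptions, as is the DHCP lease table that maps
workstation names to addresses.
"""
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample data.
WORKSTATION_LOG = """\
2009-03-10T10:15:02Z user=rjain host=WS-17 url=http://intranet.example.local/hr/payroll.xls
2009-03-10T10:15:40Z user=rjain host=WS-17 url=http://intranet.example.local/hr/salaries.xls
2009-03-10T11:02:13Z user=rjain host=WS-17 url=http://news.example.com/
"""
SERVER_LOG = """\
10.0.5.17 - rjain [10/Mar/2009:10:15:03 +0000] "GET /hr/payroll.xls HTTP/1.1" 200 48213
10.0.5.17 - rjain [10/Mar/2009:10:15:41 +0000] "GET /hr/salaries.xls HTTP/1.1" 200 91020
10.0.5.23 - asmith [10/Mar/2009:10:20:09 +0000] "GET /hr/index.html HTTP/1.1" 200 1203
"""
FIREWALL_LOG = """\
2009-03-10 10:15:03 ALLOW TCP 10.0.5.17:51120 -> 10.0.1.5:80
2009-03-10 10:15:41 ALLOW TCP 10.0.5.17:51121 -> 10.0.1.5:80
2009-03-10 10:20:09 ALLOW TCP 10.0.5.23:49322 -> 10.0.1.5:80
"""
HOST_TO_IP = {"WS-17": "10.0.5.17", "WS-23": "10.0.5.23"}  # assumed DHCP lease table

WS_RE = re.compile(r"^(\S+) user=(\S+) host=(\S+) url=(\S+)$")
SRV_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)$')
FW_RE = re.compile(r"^(\S+ \S+) (\w+) (\w+) (\S+):(\d+) -> (\S+):(\d+)$")


def _utc(dt):
    return dt.replace(tzinfo=timezone.utc)


def parse_workstation(text):
    events = []
    for m in filter(None, map(WS_RE.match, text.splitlines())):
        ts, user, host, url = m.groups()
        events.append({"time": _utc(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")),
                       "user": user, "ip": HOST_TO_IP.get(host), "path": urlparse(url).path})
    return events


def parse_server(text):
    events = []
    for m in filter(None, map(SRV_RE.match, text.splitlines())):
        ip, user, ts, method, path, status, size = m.groups()
        events.append({"time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
                       "user": user, "ip": ip, "path": path, "status": int(status)})
    return events


def parse_firewall(text):
    events = []
    for m in filter(None, map(FW_RE.match, text.splitlines())):
        ts, action, proto, src, sport, dst, dport = m.groups()
        events.append({"time": _utc(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")),
                       "action": action, "src": src, "dst": dst, "dport": int(dport)})
    return events


def _near(a, b, window):
    return abs((a - b).total_seconds()) <= window


def correlate(ws_text=WORKSTATION_LOG, srv_text=SERVER_LOG, fw_text=FIREWALL_LOG, window=5):
    """For each server-side request, list which other sources independently confirm it."""
    ws, fw = parse_workstation(ws_text), parse_firewall(fw_text)
    results = []
    for s in parse_server(srv_text):
        sources = {"server"}
        if any(f["src"] == s["ip"] and f["dport"] == 80 and f["action"] == "ALLOW"
               and _near(f["time"], s["time"], window) for f in fw):
            sources.add("network")
        if any(w["user"] == s["user"] and w["ip"] == s["ip"] and w["path"] == s["path"]
               and _near(w["time"], s["time"], window) for w in ws):
            sources.add("workstation")
        results.append({"time": s["time"].isoformat(), "user": s["user"], "ip": s["ip"],
                        "path": s["path"], "corroborated_by": sorted(sources)})
    return results


if __name__ == "__main__":
    for r in correlate():
        print(r)
```

The time window exists because the three clocks are never perfectly synchronised; record each device's clock offset (Step 6 of the processing guidelines below) before choosing it. The third request in the sample is confirmed by the network but not by any workstation record, which is exactly the kind of gap that sends the examiner back to ask whether the workstation log was incomplete or whether the request came from somewhere else.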
Incident Response
An important part of computer forensics lies in the initial response to a computer crime. It
is at this point that the suspect computer and related devices are identified and prepared for the
forensic response. In a corporate environment, this is simply done by locating the perpetrator's
computer workstation and collecting a forensic image of the hard drive, and any related media.
In a criminal situation with a law enforcement response, the incident response involves the
proper serving of a search warrant and lawful collection of evidentiary media. While in some
corporate environments the computer is left behind, sometimes to give the impression that the
employee is not a targeted suspect, law enforcement will attempt to seize all computer related
material (bag and tag) and transfer it to a forensic laboratory for analysis.
Collecting Volatile Data
If the machine is still active, any intelligence which can be gained by examining the
applications currently open is recorded. If the machine is suspected of being used for illegal
communications, such as terrorist traffic, not all of this information may be stored on the hard
drive. If information stored solely in RAM is not recovered before powering down it may be lost.
This results in the need to collect volatile data from the computer at the onset of the response.
Imaging electronic media (evidence)
The process of creating an exact duplicate of the original evidentiary media is often
called imaging. Using a standalone hard-drive duplicator or software imaging tools such as AIR,
the entire hard drive is completely duplicated. This is usually done at the sector level, making a
bit-stream copy of every part of the user-accessible areas of the hard drive which can physically
store data, rather than duplicating the file system. The original drive is then moved to secure
storage to prevent tampering. During imaging, a write protection device or application is
normally used to ensure that no information is introduced onto the evidentiary media during the
forensic process.
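The script below is an added example written for this report, not the code of AIR, dd or any duplicator. It does what the paragraph describes at sector level: it reads the source one sector at a time, writes an unreadable sector as zeros so every later sector keeps its original offset (the dd conv=noerror,sync behaviour), and hashes both source and image so the examiner can later show the copy was exact, which is also Step 5 of the processing guidelines further on. It runs on a constructed device file; the sector size and the injected read error are assumptions. Opening the source read-only is only the software side of write protection, and the comment in the code says so.

```python
"""Sector-level imaging with read-error handling and hash verification.

Added example for this report, not the code of any imaging tool. Behaves like
dd with conv=noerror,sync: an unreadable sector is logged and written as zeros
so later sectors keep their offsets. The sector size and the device file are
assumptions; the read error in the demo is injected.
"""
import hashlib
import os
import tempfile

SECTOR = 512  # assumed; real devices report 512 or 4096


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def read_sector(fd, offset, length):
    os.lseek(fd, offset, os.SEEK_SET)
    return os.read(fd, length)


def image_device(src, dst, sector=SECTOR, reader=read_sector):
    """Copy src to dst sector by sector; returns the list of bad sector numbers."""
    bad = []
    # O_RDONLY keeps this process from writing; it is not a substitute for a
    # hardware write blocker, which also stops the OS itself from touching the media.
    fd = os.open(src, os.O_RDONLY)
    try:
        size = os.fstat(fd).st_size
        with open(dst, "wb") as out:
            for offset in range(0, size, sector):
                want = min(sector, size - offset)       # last sector may be partial
                try:
                    data = reader(fd, offset, want)
                except OSError:
                    bad.append(offset // sector)
                    data = b"\x00" * want
                out.write(data)
    finally:
        os.close(fd)
    return bad


def acquire(src, dst, **kwargs):
    """Image src and return the record that goes into the examiner's notes."""
    bad = image_device(src, dst, **kwargs)
    record = {"source": src, "image": dst, "bytes": os.path.getsize(dst),
              "bad_sectors": bad,
              "source_sha256": sha256_file(src), "image_sha256": sha256_file(dst)}
    # Only a complete read can match the source hash. With bad sectors the image
    # hash is still recorded: it is what every later analysis copy must match.
    record["verified_exact_copy"] = not bad and record["source_sha256"] == record["image_sha256"]
    return record


def run_demo():
    """Constructed 2829-byte 'device', so the final sector is partial."""
    content = bytes(range(256)) * 11 + b"END OF DEVICE"
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "device.bin")
    with open(src, "wb") as f:
        f.write(content)
    clean = acquire(src, os.path.join(workdir, "image1.dd"))

    def flaky(fd, offset, length):                      # injected media error in sector 2
        if offset // SECTOR == 2:
            raise OSError("Input/output error")
        return read_sector(fd, offset, length)

    damaged = acquire(src, os.path.join(workdir, "image2.dd"), reader=flaky)
    with open(damaged["image"], "rb") as f:
        sector2 = f.read()[2 * SECTOR:3 * SECTOR]
    return {"expected_sha256": hashlib.sha256(content).hexdigest(),
            "clean": clean, "damaged": damaged, "damaged_sector2": sector2}


if __name__ == "__main__":
    print(run_demo())
```

The two hashes in the record serve different purposes: the source hash proves the image is a faithful copy of the seized media, and the image hash is what every working copy is checked against afterwards. When sectors could not be read, the record says so explicitly instead of silently producing a copy that no longer matches the original.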
Forensic Analysis
All digital evidence must be analyzed to determine the type of information that is stored
upon it. For this purpose, specialty tools are used that can display information in a format useful
to investigators. Such forensic tools include Brian Carrier's Sleuth Kit, Foremost and SMART. In
many investigations, numerous other tools are used to analyze specific portions of information.
Reasons for Evidence
There is a wide range of computer crimes and misuses.
Non-business environment: evidence collected by federal, state and local authorities for crimes relating to:
Theft of trade secrets
Fraud
Extortion
Industrial espionage
Possession of pornography
SPAM investigations
Virus/Trojan distribution
Homicide investigations
Intellectual property breaches
Unauthorized use of personal information
Forgery
Perjury
Computer-related crime and violations include a range of activities including:
o Business environment:
Theft or destruction of intellectual property
Unauthorized activity
Tracking internet browsing habits
Reconstructing events
Inferring intentions
Selling company bandwidth
Wrongful dismissal claims
Sexual harassment
Software piracy
Evidence Processing Guidelines
New Technologies Inc. recommends the following 16 steps in processing evidence, and offers training on properly handling each step.
o Step 1: Shut Down the Computer
Consideration must first be given to volatile information.
Shutting down prevents remote access to the machine and destruction of evidence (manual or by anti-forensic software).
o Step 2: Document the Hardware Configuration of the System
Note everything about the computer configuration prior to relocating it.
o Step 3: Transport the Computer System to a Secure Location
Do not leave the computer unattended unless it is locked in a secure location.
o Step 4: Make Bit-Stream Backups of Hard Disks and Floppy Disks
o Step 5: Mathematically Authenticate Data on All Storage Devices
We must be able to prove that we did not alter any of the evidence after the computer came into our possession.
o Step 6: Document the System Date and Time
o Step 7: Make a List of Key Search Words
o Step 8: Evaluate the Windows Swap File
o Step 9: Evaluate File Slack
File slack is a data storage area of which most computer users are unaware; it is a source of significant security leakage.
o Step 10: Evaluate Unallocated Space (Erased Files)
o Step 11: Search Files, File Slack and Unallocated Space for Key Words
o Step 12: Document File Names, Dates and Times
o Step 13: Identify File, Program and Storage Anomalies
o Step 14: Evaluate Program Functionality
o Step 15: Document Our Findings
o Step 16: Retain Copies of Software Used
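Steps 8 to 11 are where a raw search differs from looking at files. The script below is an added example written for this report, not New Technologies Inc.'s software. It builds a small constructed disk image with an assumed 1024-byte cluster size and a two-entry allocation table standing in for file system metadata, then searches it twice: once through the files as the operating system would present them, and once across every byte, labelling each hit as allocated data, file slack or unallocated space. It also searches for the UTF-16LE form of each keyword, which is how Windows leaves strings behind in the swap file and the registry.

```python
"""Keyword search over file slack and unallocated space.

Added example for this report. The image, its cluster size (1024 bytes) and
the allocation table are constructed; a real examiner would take them from
the file system metadata in the forensic image.
"""
CLUSTER = 1024  # assumed cluster size


def build_image():
    """Six-cluster image plus table: name -> (first cluster, logical size)."""
    # cluster 0: report.txt uses 300 bytes; an older file's remnant sits in the slack
    report = b"Quarterly report: payroll totals reviewed, no anomalies found.\n".ljust(300, b" ")
    remnant = b"deleted memo: transfer 45000 to account 99812 before audit\n"
    cluster0 = (report + remnant).ljust(CLUSTER, b"\x00")
    # cluster 1: unallocated, holding a UTF-16LE string such as a swap file leaves behind
    cluster1 = "payroll export sent to personal mailbox".encode("utf-16-le").ljust(CLUSTER, b"\x00")
    cluster2 = b"\x00" * CLUSTER                       # unallocated, never used
    cluster3 = (b"meeting notes: nothing of interest\n" * 40)[:CLUSTER]  # notes.txt, full
    cluster4 = b"\xff" * CLUSTER                       # unallocated, wiped
    cluster5 = b"\x00" * CLUSTER
    image = cluster0 + cluster1 + cluster2 + cluster3 + cluster4 + cluster5
    table = {"report.txt": (0, 300), "notes.txt": (3, CLUSTER)}
    return image, table


def region(offset, table, cluster=CLUSTER):
    """Classify a byte offset as allocated data, slack of a file, or unallocated."""
    c = offset // cluster
    for name, (first, size) in table.items():
        nclusters = -(-size // cluster)               # ceiling division
        if first <= c < first + nclusters:
            logical_end = first * cluster + size
            return ("allocated" if offset < logical_end else "slack"), name
    return "unallocated", None


def logical_files(image, table, cluster=CLUSTER):
    """What the operating system shows: each file's bytes up to its logical size."""
    return {name: image[first * cluster:first * cluster + size]
            for name, (first, size) in table.items()}


def search_logical(image, table, keywords):
    hits = []
    for name, data in logical_files(image, table).items():
        for kw in keywords:
            if kw.lower().encode("ascii") in data.lower():
                hits.append({"keyword": kw, "file": name})
    return hits


def search_raw(image, table, keywords, context=24):
    """Search every byte, in ASCII and UTF-16LE, and label where each hit lies."""
    hay = image.lower()                                # bytes.lower() touches ASCII letters only
    hits = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            needle = kw.lower().encode(enc)
            pos = hay.find(needle)
            while pos != -1:
                kind, owner = region(pos, table)
                hits.append({"keyword": kw, "encoding": enc, "offset": pos, "region": kind,
                             "file": owner, "context": image[pos:pos + len(needle) + context]})
                pos = hay.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    img, tbl = build_image()
    print("logical:", search_logical(img, tbl, ["payroll", "account"]))
    for h in search_raw(img, tbl, ["payroll", "account"]):
        print(h["offset"], h["region"], h["file"], h["encoding"], h["context"])
```

The logical search finds one hit, in report.txt. The raw search finds the same hit plus a remnant in the slack of the same file and a UTF-16LE string in an unallocated cluster, neither of which any file listing would show. Recording the offset and the region with each hit is what lets Step 12 and Step 15 tie a finding back to a specific place on the image.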
Conclusion
Forensics is an extremely valuable tool in the investigation of computer security
incidents.
Considerable legal issues arise when investigating computer systems.
Intrusion Detection might support Computer Forensics in the future, and vice versa.