
Project Report

On

‘Cyber Crime Investigation Manual’

Submitted To:

Mr. Vineet Kumar (CTO, C.D.R.C)

Submitted By:

Kumar Saurabh

Neel Nayak

Vinamra Rai

Gopal Singh

Vineet Kumar Mishra

Gaurav Chaurasia

(National Law Institute University, Bhopal)

Jharkhand Police Initiatives

The Jharkhand state government has taken some significant steps to take command of cyber
security by establishing the first ever research centre in the cyber field, the Cyber
Defence Research Centre (CDRC), Ranchi, which is a joint initiative of the Government of the
State of Jharkhand and the Jharkhand State Police (Special Branch). The organisation has
been set up with the directive of building capability in proactively controlling cybercrime
and providing cyber security across the state. CDRC operates from the State Police HQ in
Ranchi and oversees the entire state to identify areas of improvement and to implement
measures to address cybercrime and cyber threats. The goal is to make Jharkhand a model
state in the country in respect of cyber security control.

The objective of CDRC is to engage in various activities and research aimed at raising the
level of cyber security in Jharkhand State, as indicated in the brief list below:
• Law Enforcement, Investigation and Forensics Assistance to State CID, Cyber cells
and Police units
• Cyber Café Controls
• Cyber Intelligence
• Technology Development
• Responsible Disclosure
• Public and Industry Awareness
• Research
• Anti-Piracy
• Secure Wi-Fi
• Cybercrime Helpline, Public Outreach
• Telecom Security
• Cyber terrorism controls
• State Critical Infrastructure
• National/International tie-up to further our capabilities in these domains

Vision and Mission of Cyber Defence Research Centre (C.D.R.C.)


VISION
CDRC has been set up to deal with cyber security and website hacking, and to work for the
overall protection of cyber assets and critical infrastructure in the State of Jharkhand.

MISSION
The CDRC team will work as a research team to help build a proactive and resilient cyber
defense system and provide solutions to State Government departments and agencies in a
guided manner while keeping a watch on malicious attempts for hacking of websites and IT
infrastructure belonging to the State Government, private organisations and PSUs. CDRC
will endeavor to work in an advisory capacity and not as an investigative body.

Declaration
We (Kumar Saurabh, Neel Nayak, Vinamra Rai, Gopal Singh, Vineet Kumar
Mishra, Gaurav Chaurasia), the students of M.S. Cyber Law and Information
Security, hereby declare that the project titled “Cyber Crime Investigation
Manual” is submitted by us to the department of Special Branch, Cyber
Defence Research Centre, Jharkhand Police, Ranchi, in partial fulfillment of
the requirement for the award of the training and internship programme.

Kumar Saurabh

Neel Nayak

Vinamra Rai

Gopal Singh

Gaurav Chaurasia

Vineet Kumar Mishra

Acknowledgement

We would like to express our deepest appreciation to the Chief Technology Officer, Mr. Vineet
Kumar (Cyber Defence Research Centre, Ranchi), who has the attitude and the substance of a
genius: he continually and convincingly conveyed a spirit of adventure in regard to research
and scholarship, and an excitement in regard to teaching, by providing us with valuable
suggestions and guidance on techno-legal concepts, which helped us to complete our
project.

We would also like to thank other faculty members as well as our friends who gave their timely
help, encouragement and criticism during the various stages of the project, without
which it would not have been easy to complete our task up to the mark.

We also thank the Cyber Defence Research Centre (C.D.R.C.), which gave us, the students of
The National Law Institute University, Bhopal pursuing the Master of Science in Cyber Law and
Information Security (M.S.C.L.I.S.) under the course coordinator Mr. Atul Kumar Pandey
(Asstt. Prof., NLIU, Bhopal), the opportunity to complete our internship programme with its
organisation.

_________________

Kumar Saurabh

Neel Nayak

Vinamra Rai

Gopal Singh

Gaurav Chaurasia

Vineet Kumar Mishra

INDEX

Title Page No.

Need for preparing manual 14

Chapter-I Introduction 16
1.1 Overview of Cyber Crime 16

1.2 Current Scenario 17

1.3 Steps Taken by Government 17

Chapter II: Cybercrime Assessment 19

2.1 Definition 19

2.2 Types of Cyber Crimes 20


2.2.1 Against Persons 20
2.2.2 Against Property 23
2.2.3 Against Government 27
2.3 Sources/Techniques of Cybercrime 29
Chapter III- Law Enforcement Against Cyber Crimes 34
3.1 INFORMATION TECHNOLOGY ACT, 2000: 34

3.2 THE INDIAN PENAL CODE, 1860: 35

3.3 BANKERS’ BOOK EVIDENCE ACT, 1891: 35

3.4 THE INDIAN EVIDENCE ACT, 1872: 36

3.5 THE COPYRIGHT ACT 1956: 38

3.6 TABLE OF CRIMES AND ACT 39

3.7 Case Studies 45

Chapter IV: Evidence Portal 51

4. Digital evidence 51

4.1 Introduction- 51

4.2 What can be used as digital evidence (sources)- 51

4.3. What can be considered as evidence? 56

4.4. 57

4.4.1 Computer fraud investigation: 57

4.4.2. Child abuse and pornography investigation: 58

4.4.3. Network intrusion investigation: 58

4.4.4 Homicide investigation: 58

4.4.5. Domestic violence investigation: 59

4.4.6. Financial fraud and counterfeiting investigation: 59

4.4.7. E-mail threats, harassment and stalking investigations: 60

4.4.8. Narcotics investigation: 60

4.4.9. Software piracy investigation: 61

4.4.10 Telecommunication fraud investigation: 61

4.4.11. Identity theft investigation: 61

4.5. Tools Used for Collecting Evidences- 63

4.5.1. Computer Forensics: 63

4.5.2. Memory forensics- 65

4.5.3. Mobile device forensics- 66

4.5.4. Network Forensics- 67

4.5.5. Other- 68
4.6. Search and Seizure- 68

4.6.1. Seizure memo (panchnama) and seizure proceeding- 69

4.7. Handling of evidence-(Annexure-3)70

4.7.1. For desktop and laptop computer (which are in switched off state) 70

4.7.2. For desktop and laptop computer (switched on state):- 70

4.7.3. Electronic organizers and personal digital assistants (PDA):- 71

4.7.4. Transportation of evidence:- 72

4.8. Chain of custody-(Annexure-5) 73

4.8.1. Important steps to be kept in mind for chain of custody- 74

4.9. Integrity of digital evidence- 74


4.10. Procedure to file a complaint: 77

4.10.1. Documentation required with digital evidence:- 77

Chapter V: Computer Forensics 79

5.1 Understanding of Forensics 79

5.2 Importance 80

5.3 Techniques 80

5.3.1 Data Seizure 81

5.3.2 Data Duplication and Preservation 81

5.3.3 Data Recovery 81

5.3.4 Document Searches 81

5.3.5 Media Conversion 82

5.3.6 Expert Witness Services 82

5.3.7 Computer Evidence Service Options 82

5.3.8 Other Miscellaneous Services 82

5.4 Computer Forensics Systems 83

5.5 Methodology 91

5.5.1 Steps Followed Under Methodology: 91

Chapter VI- Cyber Crime Investigations 94

6.1 Crime Related to Mobile Phones 94

6.1.1 Case Study- 94

6.1.2 Location Mapping of Mobile Phones:- 96

6.1.2.1 PHONE NUMBER TRACING- 96

6.1.2.2 IMEI Tracing 99

6.1.2 TOOL USED FOR MOBILE FORENSICS:- 99

6.1.2.1 Mobile phone inspector utility 99

6.1.2.2 Mobile phone inspection software:- 100

6.1.3 We can use XRY: 101

6.1.4 XRY logical 102

6.1.5 XRY physical 103

6.1.6 XRY complete 103

6.1.7 XACT- Currently used by Jharkhand Police 104

6.1.8 XRY SIM ID-CLONER 105

6.2 Crime related to Web Services 106

6.2.1 Case Study: 106

6.2.2 Block Diagram: 106

6.3 Crime Related to Financial Fraud/ Banking Fraud 109

6.3.1 Block Diagram: 110

6.4 Procedure of Forensics 112

6.4.1 EnCase Layout 112


6.4.1.2 Creating a Case 113
6.4.1.2 Creating Case Template on Desktop 115
6.4.1.3 Process 119

6.4.1.4 Countermeasures 120

6.4.2 FTK 121

6.4.2.1 USES OF FTK 121

6.4.2.2 FTK is a solution for Decryption and Password Recovery 122

6.4.2.3 FTK allows for a graphical interface filtering function .123

6.4.2.4 WORKING WITH FTK 124


6.4.2.5 PROCESSING THE CASE: 125
Chapter- VII Challenges in Investigation of Cybercrime 127

7.1 Technical Issues 127

7.1.1 Search and Seizure 127

7.1.2 Understanding of Cryptographic Concept 128


7.2 Legal Issues 129

7.2.1 Difficulties in terminology 130

7.2.2 Choosing of Appropriate Jurisdiction 130


7.3 Other Issues 130

7.3.1 Complexity in collecting evidence 131


7.3.2 Logistical and Practical Barriers 131

7.3.3 Identifying Suspects 132
7.3.4 Lack of awareness and knowledge 132

7.3.5 Lack of training 132


7.4 Actions and Power of Police Officials 133

Annexure-1 135

Annexure 2 138

Annexure 3 140

Annexure 4 142

GLOSSARY 145

“Cyber crime investigation manual”

Need for preparing manual
In the 21st century, technology advances and develops day by day at a rapid rate, and it
attracts people because it suits their busy and hectic schedules. New technologies are
generally less time-consuming and highly beneficial from the human point of view.

The 21st century is also known as the era of the coming war, termed cyber war, where the
fight is not between arms and explosives but between computers, laptops or any electronic
gadget that runs web applications. According to specialists and experts, this war can take
place at any time anywhere across the world. Many people get involved in it as they gather
knowledge about new and advancing technologies and start to apply it. This war involves many
people, technicians and experts, many of whom are known as hackers.

The concept of cyber war arose among experts as the world was introduced to many
technologies that spread quickly among people. Government organisations, business firms,
the private sector and many other sectors have moved many of their services online, which
attracts people because it requires less effort; even important government departments such
as post offices and banks have made their services available online to every individual. The
point is that if an organisation supports an online activity, it is equally important for it
to provide security at a high level, which is only possible with the help of experts, or of a
person with sound knowledge of all the technologies running in the organisation. It is
likewise important for every individual to get proper security for all the investments and
savings he or she has made.

The challenges in such cases are not only technological but also jurisdictional. Many
countries are combating cybercrime by implementing laws and acts, and India has addressed
its jurisdictional problems by implementing the Information Technology Act, 2000 (amended
2008), with certain guidelines and various provisions for cybercrime and its objectives.

An issue facing the Indian Government is that many of its officials do not know how to
investigate cybercrimes. This is not a problem of the Indian government alone; many other
countries face the same problem with their officials. To confront this issue, the government
has to promote officials who are experts, who have sound knowledge of cybercrimes and their
solutions, and, last but not least, who also have a fine knowledge of cyber laws and their
implementation. This is important because many officials do not have proper knowledge of
cyber laws, and while working a case they charge sections according to their own
understanding, which creates a problem for the accused, who may have to pay a heavy fine to
the government or serve a long term of imprisonment.

Chapter-I Introduction
1.1 Overview of Cyber Crime

“Digital technology and new communication systems have made dramatic changes in our
lives.” Business transactions are being made with the help of computers in almost all
sectors, whether private or government. Nowadays, technology and online communication are
growing at a rapid rate, and many companies and organisations use online services and also
provide them to individuals for greater convenience. In the current scenario the internet is
accessed globally, which has given birth to hackers, whose numbers are growing worldwide
like the population of a country. The main motive of these is to hack systems through the
internet and leak the valuable information of companies and organisations; this is the case
where security gets compromised. These activities of hackers have resulted in a variety of
criminal activities such as gaining unauthorised access to computer files, disrupting the
operation of remote computers with viruses, worms, logic bombs, Trojan horses and denial of
service attacks, identity theft and many other criminal activities.

Cybercrime is cheap to commit (if one has the know-how to do it), hard to detect (if one
knows how to erase one's tracks) and often hard to locate in jurisdictional terms. The
investigation of cybercrimes is complex. The evidence is often in an intangible form. Its
collection, appreciation, analysis and preservation present unique challenges to the
investigator. The increased use of networks and the growth of the Internet have added to this
complexity. Hackers can hack the system of an individual (an unknown person) from another
country by using the network of a third country, which in technical terms means going
through proxy servers, and the individual is not aware of it because of the lack of security
in his or her network and computer system.

Many commercial enterprises are becoming targets of fraud by intruders, commercial
espionage and intellectual property theft, causing enormous damage to the reputation and
market value of the companies, which affects their shares and causes huge financial
losses. Cyberspace is affected by cybercrime, which in turn causes physical crimes in the
real world, where the computer is used either as an object or as a subject of the crime.
Therefore cybercrime is defined as any criminal activity that uses a computer as an
instrument, target or means for perpetuating further crimes, i.e., unlawful acts wherein
the computer is either a tool or a target or both.

1.2 Current Scenario

As it is being seen rise in cybercrimes all over the world which also took place in India for
which government have to promote some measure to combat this criminal activity. In Indian
scenario cybercrimes are reported under ‘The Information Technology Act 2000 (Amended
2008). Apart from the crimes registered under IT Act, there were number of crimes where
computers are used for commission of those which are registered under the provisions of
Indian Penal Code, 1860. While many lawful act register cybercrime cases under its
provisions such as Indian Evidence Act, 1872; Bankers’ Book of Evidence Act,1891; and
some are registered in The Indian Telegraph Act, 1885; NDPS Act; Arms Act and Code of
Criminal Procedure. In India many cybercrime reported which includes cases like breach of
trust and privacy, hacking of computer system, forgery using computers, publication or
transmission of obscene material in electronic form etc. Hence, to get rid from these cyber-
attacks Indian government establishes Computer Emergency Response Team- Indian (CERT-
In) which response and report computer security incidents. Many states in India establish
cybercrime police stations and cybercrime cells which register large number of cybercrime
cases in their particular locality. According to experts, “Technology has eroded the concept
of state boundaries and created a borderless world”.

1.3 Steps Taken by Government

Government of India has led various initiations of a concerted program for cyber security
under the department of Information Technology along with the enactment of the provisions
of Information Technology Act, 2000 which was later amended in the year 2008 for
retrofitting of some latest crimes. As this act describe the punishments and penalties for
various criminal offences and contraventions. The IT Act, 2000 also consists of certain
guidelines, rules and procedures for ISP’s and other officials. Many law enforcement
agencies which includes the Central Bureau of Investigation (CBI) have created separate
units or cyber cells for handling cybercrimes, where first cyber cell was established in IT
capital of India i.e., Bangalore. Till date there are many different states and units which have
created Cyber Crime Police Station and, Cyber Crime Cells to handle the menace of growing
cybercrimes. (Details are provided in Annexure - 1)

Chapter II: Cybercrime Assessment
2.1 Definition
The term 'cybercrime' has not been defined in any Statute or Act; therefore many experts and
thinkers have given their own definitions for the understanding of ‘cybercrime’.
• The Oxford Reference Online defines 'cybercrime' as crime committed over the
Internet.
• The Encyclopaedia Britannica defines 'cybercrime' as any crime that is committed by
means of special knowledge or expert use of computer technology.
So what exactly is cybercrime? Cybercrime could reasonably include a wide variety of
criminal offences and activities covered by the provisions of various different laws.
• The CBI Manual defines cybercrime as:
(i) Crimes committed by using computers as a means, including conventional crimes.
(ii) Crimes in which computers are targets.
• The United Nations defines ‘cybercrime’ in two categories:
a. Cybercrime in a narrow sense (computer crime): any illegal behaviour, carried
out through electronic operations, that targets the security of computer systems
and the data processed by them.
b. Cybercrime in a broader sense (computer-related crime): any illegal behaviour
committed by means of, or in relation to, a computer system or network, which
includes crimes involving mens rea such as the illegal possession, offering or
distribution of information by means of a computer system or network.
The FBI, in its law enforcement bulletin, defines cyber terror as “the intimidation of civilian
enterprise through the use of high technology to bring about political, religious, or ideological
aims, actions that result in disabling or deleting critical infrastructure data or information”.
A generalised definition of cybercrime may be "unlawful acts wherein the computer is either
a tool or target or both".
The Information Technology Act, 2000, does not define the term 'cybercrime’. Cybercrime
can generally be defined as a criminal activity in which information technology systems are
the means used for the commission of the crime.

2.2 Types of Cyber Crimes

2.2.1 Against Persons
Crime has existed since the birth of human society and has advanced along with human
society and culture. Criminals are also using various new technologies to defeat the highly
advanced security measures that people have adopted. In the current situation cybercrime is
taking place at a rapid rate, and even minors are involved in theft, fraud and other
activities.

The expanding reach of computers and the internet has made it easier for people to keep in
touch across long distances and to collaborate for many purposes related to business,
education and other activities of human culture. However, every new technology that is
used for beneficial purposes is also capable of misuse. Hence it is the job of the legal
system and regulatory agencies to keep pace with it and ensure that newer technologies do
not become tools of exploitation and harassment.
The World Wide Web (WWW) allows users to circulate content in the form of text, images,
videos and sounds. Websites are created and updated for many useful purposes, but, as we all
know, a technology that is helpful and provides great services to us can also be used for
criminal activities. For example, websites are used to circulate offensive content against
an individual, such as pornography, hate speech and defamatory material.
There are various types of cybercrimes which are committed against an individual, such as:
• Harassment via e-mails
• E-mail spoofing (the process of sending an e-mail message from a fake source
while making it appear to originate from an authentic source)
• Cyber Pornography (where cyberspace is used as a medium to distribute,
design or publish pornographic material)
• Cyber-Stalking (arises where an individual pursues or repeatedly attempts to contact
someone via the internet or any other digital device)
• Dissemination of obscene material (widespread publishing of obscene material)
• Defamation (injury to the reputation of a person, done by publishing a false
statement which affects someone’s reputation)
• Unauthorised Control/Access over a computer system (accessing a computer system
without the owner's consent)
• Indecent Exposure (any type of vulgar and offensive nakedness in a public
place)
• Cheating & Fraud (something intended to deceive; deliberate trickery intended to
gain an advantage)
• Breach of Confidentiality (using the identity of any individual with criminal
intentions)

2.2.2 Against Property


The second category of cybercrime is cybercrime against property. There are numerous
crimes against property in all statutes, and their number is simply too vast to discuss
here. In the age of automation, computer applications are likely targets for theft, fraud,
vandalism, extortion and even espionage, which can be termed the darker side of the
computer revolution. Cybercrime has now become a reality in India.
• Identity Theft (impersonating someone without their knowledge by obtaining their
personal and/or confidential information)

• Intellectual Property Theft (any kind of creation, such as designs, artwork, literature,
etc., which is born of one's mental power or intellect is termed intellectual
property. When a criminal with mala fide intent steals this intellectual property, such
a crime is known as Intellectual Property Theft. Owing to the quantum of information
flowing in cyberspace and the ease of copying, such crimes are very prevalent.)

• Forgery (the process of creating a fake copy or imitation of a document or an object
with the intention to deceive. Digital forgery involves creating the same fakes in
electronic form.)

• Salami Attack (an attack on a computer system or network wherein a cybercriminal
successfully transfers a small, negligible amount of money from the victim’s bank
account to his own account. The transferred amount is a small slice of the big amount,
which is how the attack succeeds.)

• Source Code Attack (source code is the blueprint of software and is considered
intellectual property. Computer programs or software cannot be created without
source code.)
• Denial of Service (DoS) Attack (prevents legitimate users from accessing a particular
resource by making that resource unavailable. The resource may be anything such as a
website, your own computer, e-mail, a database or any other information which is
accessed by an individual as an authorised person)

• Skimming (a kind of credit/debit/ATM/SIM card fraud in which a device is planted
by a criminal to capture someone’s personal information; information such as name,
credit card number, expiry date, etc. can be used to create fake credit cards.)
• Pharming (a type of attack in which the user is deceived into entering sensitive data,
such as PIN numbers, credit card numbers, passwords etc., into a fake website which
impersonates a genuine website.)
• Spamming (the act of sending unsolicited junk e-mails or messages for the purpose
of causing annoyance or inconvenience.)
• Data Alteration or Diddling (the process of modifying data before or after it is
entered into the system, generating faulty output. It can be defined as the illegal,
unauthorised or fraudulent alteration of data.)

2.2.3 Against Government

Two of the great fears of the late twentieth century are combined in the term “cyber
terrorism”.
If we ask ten computer security experts about ‘cyber terrorism’ today, we will get a
different meaning or definition from each of them. Difficult to detect, seldom reported and
even more difficult to prove, computer-related crime lacks a traditional paper audit trail;
it lies outside conventional policing and requires specialists with a sound understanding of
computer technology. The term ‘cyber terrorism’ was coined by Barry C. Collin. Terrorism is
the calculated and unlawful use of force or violence against persons or property to
inculcate fear or to coerce a government, civilians or any section of them, in furtherance
of goals that may be religious, political or ideological in nature. An example of cyber
terrorism could be hacking into a hospital computer system and changing someone's medicine
prescription to a lethal dosage as an act of revenge. In today’s scenario the Indian
government plans for our society, including the military, civilians and the private sector,
to get involved in developing and deploying new and growing communications and advanced
technologies, and a superior technological standard of work and living.

The main purpose of cyber terrorism is to create fear in a population by causing confusion
and uncertainty, with the goal of influencing a government or population to conform to a
particular political, social or ideological agenda. Under this heading, attacks have been
made by terrorists in an eruption of negative feelings or emotions against a community of
persons, a country, a state or an individual with the goal of causing harm and generating
fear. This occurred in the case of the Assam migration controversy, when Pakistani hackers
hacked some Indian websites and sent a message to the people of India claiming that
north-eastern people who are citizens of India had their lives in danger. This message
created panic and phobia among the citizens of the country, as a result of which many
north-eastern people went back to their homes and many of them suffered; but the problem
was soon solved, and the citizens of the north-east came back and resumed their work, as
many of them had left their jobs, studies, businesses etc.

These methods of cyber terrorism were first used in a reported attack by terrorists against
the computer systems of Sri Lanka in 1998, when the ethnic Tamil Tigers guerrillas
overwhelmed Sri Lankan embassies with 800 e-mails a day over a period of two weeks. These
messages threatened massive disruption of communications and caused fear and panic among
ordinary Sri Lankans, as the rebel group was notorious for killing people.

Cyber terrorism once again came to the fore in India in the form of the Mumbai attacks. The
terrorists were extremely technology savvy and were using satellite phones with impunity.
They can not only spread terror but are also threatening our computer and communication
networks. They have highly qualified engineers in their respective groups. Not only do they
have the capability to hack systems, they are also capable of damaging them. They also
attempt to hack the defence sites of the country. It was in that year, when the country was
shaken by the Mumbai attacks, that the government swung into action and got the amendments
to the Information Technology Act, 2000 passed in both houses of Parliament.

In India’s legislation, the Information Technology (Amendment) Act, 2008 contains a
provision on cyber terrorism. Section 66F defines and penalises cyber terrorism. In order to
qualify as a cyber-terrorist act, the act must be committed with the intention to threaten
the unity, integrity, security or sovereignty of India by way of interfering with authorised
access to a computer resource, obtaining unauthorised access to a computer resource or
damaging a computer network. The acts are punishable if they cause death or injury to
persons, cause damage or destruction to property, disrupt essential supplies or services or
affect critical information infrastructure. The penalties range from three years'
imprisonment to life imprisonment and a fine, depending on the seriousness of the crime.

2.3 Sources/Techniques of Cybercrime


There are various techniques and sources which are used to commit cybercrimes; some of
them are as follows:
a) Buffer Overflow: Occurs when a program or process tries to store more data in a
buffer (a temporary data storage area) than it was intended to hold. Since buffers are
created to contain a finite amount of data, the extra information, which has to go
somewhere, can overflow into adjacent buffers, corrupting or overwriting the valid
data held in them.

b) Spyware: Often associated with software that displays advertisements (called adware)
or software that tracks personal or sensitive information.

c) Worm: A standalone malware computer program that replicates itself in order to
spread to other computers. It uses the computer network to spread itself, relying on
security failures on the target computer to access it.

d) Trojan: A destructive program that masquerades as an application. Unlike viruses,
Trojan horses do not replicate themselves, but they can be just as destructive.

e) Social Engineering: Cybercriminals also use social engineering to convince someone
to install malicious software or hand over personal information under false
pretences. They might convince the victim by e-mail, by calling on a cellphone or by
getting them to download something from a website.

f) Steganography: The art and science of hiding information by embedding messages
within other, seemingly harmless messages. It is used to supplement encryption. An
encrypted file may additionally hide information using steganography, so even if the
encrypted file is deciphered, the hidden message is not seen.

g) Zombie: A computer that has been implanted with a daemon that puts it under the
control of a malicious hacker without the knowledge of the computer owner. Zombies
are used by malicious hackers to launch DoS attacks. The hacker sends commands to
the zombie through an open port. On command, the zombie computer sends an
enormous number of packets of useless information to a targeted website in order to
clog the site’s routers and keep legitimate users from gaining access to the site.
h) Phishing Attack: A fraudulent attempt to acquire confidential information such as
usernames, passwords, PINs, credit card numbers, etc. by sending fake e-mails and/or
redirecting an innocent user to a fake website which induces the user to submit his or
her personal information.

i) Malware Attacks: Malware is software that performs unwanted actions on a computer,
which could include intentional program crashes, unwanted pop-ups, stealing a user's
confidential data and destruction of data and/or hardware. Based on its characteristics
or traits, it can be classified into the categories of worm, Trojan or keylogger.

j) E-mail bombing: An attack which involves sending a massive number of e-mails to a
particular system, consuming its storage or network resources.

k) Wardriving: The act of seeking out Wi-Fi networks by moving around with a
computer, smartphone or equivalent device that detects these networks.

l) Backdoor: A means of access to a computer program that bypasses security
mechanisms. A programmer may sometimes install a backdoor so that the program
can be accessed for troubleshooting or other purposes.
m) Cyber bullying: When the internet and related technologies are used to bully other
people in a deliberate, repeated and hostile manner. This could be done via text
messages or images, hate speech and other activities.

n) Sniffing: A program or device that captures vital information from the network traffic
of a particular network. Its objective is to steal passwords, e-mail text and files
which are transferred from source to destination.

o) Rootkit: Software which is used to hide the fact that a computer system has been
compromised, for example by modifying system commands to conceal changes made to the
system. The rootkit is one of the most feared and least detectable of all types of
malware.

Chapter III- Law Enforcement Against Cyber Crimes

3.1 INFORMATION TECHNOLOGY ACT, 2000:

IT Act 2000: Computers are being used to create, transmit and store information in
electronic form instead of paper documents, but the main hurdle in e-Governance is the
requirement of writing and signature for legal recognition. At present, many legal provisions
require evidence in the form of paper documents bearing signatures. The law of evidence
is based on paper-based records; hence, for the success of e-Governance and e-Commerce, legal
changes were required. Therefore, the Govt. of India introduced a new law giving legal
recognition to electronic records. This gave birth to the Information Technology Bill, 1999, which
was passed by both houses of Parliament in May 2000; the President gave his assent
in August 2000. This Information Technology Bill is called the Information Technology Act,
2000, which also contains the cyber laws.

Objectives of the Information Technology Act 2000 are:

(a) To grant legal recognition to transactions carried out by means of EDI and E-Commerce
in place of paper-based methods of communication.

(b) To give legal recognition to digital signatures for authentication of any information.

(c) To facilitate electronic filing of documents with Govt. departments.

(d) To facilitate electronic storage of data.

(e) To facilitate and give legal recognition to electronic fund transfers between banks and
financial institutions.

(f) To give legal recognition to the keeping of books of accounts in electronic form by bankers.

(g) To amend the Indian Penal Code, the Indian Evidence Act, the Banker's Book Evidence
Act and the Reserve Bank of India Act.

The Act consists of 94 Sections spread over thirteen chapters and four schedules to the Act.
The schedules of the Act contain related amendments to other acts, namely the Indian Penal
Code, the Indian Evidence Act, 1872, the Banker's Book Evidence Act, 1891 and the Reserve
Bank of India Act, 1934.

3.2 THE INDIAN PENAL CODE, 1860:

The Indian Penal Code is the main criminal code of India. It is a comprehensive code, intended to
cover all substantive aspects of criminal law. It was drafted in 1860 and came into force in
colonial India during the British Raj in 1862. In independent India, many special laws with
criminal and penal provisions have been enacted; these are often referred to and relied upon
as additional legal provisions in cases that also invoke the relevant provisions of the IPC.

It has since been amended several times and is now supplemented by other criminal
provisions. In the state of Jammu and Kashmir, the IPC is known as Ranbir Penal Code
(RPC).

ITA 2000 has amended the sections of the IPC dealing with records and documents by
inserting the word 'electronic', thereby treating electronic records and documents on a par
with physical records and documents. The Sections dealing with false entries in a record or
false documents etc. (e.g. 192, 204, 463, 464, 468 to 470, 471, 474, 476 etc.) have since
been amended to cover electronic records and electronic documents, thereby bringing within the ambit
of the IPC all crimes against electronic records and electronic documents, just like physical acts of
forgery or falsification of physical records.

In practice, however, the investigating agencies file cases quoting the relevant sections
of the IPC in addition to the corresponding ones in the ITA, for example offences under IPC 463, 464, 468 and
469 read with ITA/ITAA Sections 43 and 66, to ensure that the evidence or punishment provided
for in at least one of the two legislations can be brought about easily.

3.3 BANKERS’ BOOK EVIDENCE ACT, 1891:

The amendment to this Act has been included as the third schedule of the ITA. Prior to the passing of
the ITA, any evidence from a bank to be produced in a court necessitated production of the
original ledger or other register for verification at some stage, with the copy retained in the
court records as an exhibit. With the passing of the ITA, the definitions part of the BBE Act
stood amended as: "'bankers' books' include ledgers, day-books, cash-books, account-books
and all other books used in the ordinary business of a bank whether kept in the written form
or as printouts of data stored in a floppy, disc, tape or any other form of electro-magnetic data
storage device". When the books consist of printouts of data stored in a floppy, disc, tape etc.,
a printout of such entry certified in accordance with the provisions to the effect that it is a
printout of such entry, or a copy of such printout, by the principal accountant or branch
manager; and (b) a certificate by a person in charge of the computer system containing a brief
description of the computer system and the particulars of the safeguards adopted by the
system to ensure that data is entered or any other operation performed only by authorized
persons; the safeguards adopted to prevent and detect unauthorized change of data and to
retrieve data that is lost due to systemic failure or .....

In short, just as in the Indian Evidence Act, the provisions of the Bankers' Books Evidence Act
make a printout from a computer system, floppy, disc or tape a valid document
and evidence, provided such printout is accompanied by a certificate stating that it is a true
extract from the official records of the bank and that such entries or records are from a
computerized system with proper integrity of data, wherein data cannot be manipulated or
accessed in an unauthorized manner and is not lost or tamperable due to system failure or such
other reasons.

Here again, let us reiterate that the law does not state that any computerized printout, even if
not signed, constitutes a valid record. Still, many banks of repute (both public sector
and private sector) often send out printed letters to customers with the space for signature at
the bottom left blank after the line "Yours faithfully" etc. and with a postscript
reading: "This is a computer generated letter and hence does not require signature". Such an
interpretation is grossly misleading and sends a message to the public that computer generated
reports or letters need not be signed, which is mentioned nowhere in, and is not the import
of, the ITA or the BBE Act.

3.4 THE INDIAN EVIDENCE ACT, 1872:

This is another legislation amended by the ITA. Prior to the passing of the ITA, all evidence in
a court was in physical form only. With the ITA giving recognition to all electronic
records and documents, it was but natural that the evidentiary legislation of the nation be
amended in tune with it. In the definitions part of the Act itself, the words "all documents including
electronic records" were substituted. Words like 'digital signature', 'electronic form', 'secure
electronic record' and 'information', as used in the ITA, were all inserted to make them part of the
evidentiary mechanism in legislation.

The admissibility of electronic records as evidence, as enshrined in Section 65B of the Act,
assumes significance. This is an elaborate section and a landmark piece of legislation in the
area of evidence produced from a computer or electronic device. Any information contained
in an electronic record which is printed on paper, or stored, recorded or copied in optical or
magnetic media produced by a computer, shall be treated as a document, without further
proof or production of the original, if conditions such as the following are satisfied:

(a) The computer output containing the information was produced by the computer during the
period over which the computer was used regularly by lawful persons;

(b) The information derived was regularly fed into the computer in the ordinary course of the
said activities;

(c) Throughout the material part of the said period, the computer was operating properly, and
a certificate signed by a person responsible..... etc.

To put it in simple terms, evidence (information) taken from computers or electronic storage
devices and produced as printouts or in electronic media is valid if it is taken from a
system handled properly, with no scope for manipulation of data, ensuring the integrity of the data
produced directly with or without human intervention etc., and accompanied by a certificate
signed by a responsible person declaring the correctness of the records taken from the
computer system, with all the precautions laid down in the Section.

However, this Section is often misunderstood by one part of the industry to mean that
computer printouts can be taken as evidence and are valid as proper records even if they
are not signed. We find many computer generated letters emanating from big corporates with
proper space below for signature under the words "Yours faithfully" or "truly" and the
signature space left blank, with a postscript remark at the bottom: "This is a computer
generated letter and hence does not require signature". The Act does not anywhere say that
'computer printouts need not be signed and can be taken as record'.

3.5 THE COPYRIGHT ACT 1956:

Copyright protects authors and creators from unauthorized reproduction or adaptation of
original creations such as books, computer programs, scripts, paintings, sculptures, drawings,
photographs, music, film, video, broadcasts and the choreography of a performance. The
copyright owner has the exclusive right to copy, publish, perform, broadcast, adapt (for
example, a screenplay from a novel), sell, license or import copyright protected creations.
Copyright is a type of intellectual property, as it protects creative and inventive endeavors.

3.6 TABLE OF CRIMES AND ACT


NATURE OF OFFENCE / SECTIONS UNDER IT ACT AND PUNISHMENT / SECTIONS UNDER OTHER LAW AND PUNISHMENT

1. Frauds & Crimes by Emails

1. Email Spoofing
   IT Act: Section 66C: up to 3 yrs imprisonment and fine up to 1 lakh rupees.
   Other law: Section 465 IPC: up to 2 yrs imprisonment or fine or both. Section 468 IPC: up to 7 yrs imprisonment and fine.
2. Email Abuse
   IT Act: Section 66A: up to 3 yrs imprisonment and fine.
   Other law: Section 500 IPC: up to 2 yrs or fine or both.
3. Sending defamatory messages by email
   IT Act: Section 66A: up to 3 yrs imprisonment and fine.
   Other law: Section 500 IPC: up to 2 yrs or fine or both.
4. Sending threatening messages by e-mail
   IT Act: Section 66A: up to 3 yrs imprisonment and fine.
   Other law: Section 504 IPC: up to 2 yrs or fine or both.
6. Phishing Email
   IT Act: Section 66D: up to 3 yrs imprisonment and fine up to 2 lakh rupees.
   Other law: Section 419 IPC: up to 3 yrs imprisonment or fine or both.
7. Dishonestly reading someone's emails
   IT Act: Section 66: up to 3 yrs imprisonment or fine up to 5 lakh rupees or both. Section 66C: up to 3 yrs imprisonment and fine up to 1 lakh rupees.
8. Unsolicited Email
   IT Act: N.A.
   Other law: N.A.

2. STOLEN / THEFT

9. Dishonestly receiving/retaining a stolen communication device such as a mobile phone
   IT Act: Section 66B: up to 3 yrs imprisonment or fine up to 1 lakh rupees or both.
   Other law: Section 411 IPC: up to 3 yrs imprisonment or fine or both.
10. Stolen communication device
   Other law: Section 379 IPC: up to 3 yrs imprisonment or fine or both.
11. Data theft (owned by a person or company)
   IT Act: Section 66: up to 3 yrs imprisonment or fine up to 5 lakh rupees or both.
   Other law: Section 379 IPC: up to 3 yrs imprisonment or fine or both.
12. Data theft (from a government computer, compromising national security)
   IT Act: Section 66: up to 3 yrs imprisonment or fine up to 5 lakh rupees or both. Section 66F: life imprisonment.
13. Stealing a password, digital signature, cookies or any unique identification feature and misusing it
   IT Act: Section 66C: up to 3 yrs imprisonment and fine up to 1 lakh rupees. Section 66D: up to 3 yrs imprisonment and fine up to 5 lakh rupees.
   Other law: Section 419 IPC: up to 3 yrs imprisonment or fine. Section 420 IPC: up to 7 yrs imprisonment and fine.

3. OBSCENITY

14. Capturing, publishing or transmitting the image of a private area without the consent or knowledge of the person
   IT Act: Section 66E: up to 3 yrs imprisonment or fine not exceeding 2 lakh rupees or both.
   Other law: Section 292 IPC: up to 2 yrs imprisonment and fine of 2000 rupees; up to 5 yrs imprisonment and fine of 5000 rupees for second and subsequent conviction.
15. Sending offensive messages (cyber-stalking and bullying) through a communication service, etc.
   IT Act: Section 66A: up to 3 yrs imprisonment and fine.
   Other law: Section 500 IPC: up to 2 yrs or fine or both. Section 504 IPC: up to 2 yrs or fine or both. Section 506 IPC: up to 2 yrs or fine or both (if the threat is to cause death or grievous hurt, etc.: up to 7 yrs or fine or both). Section 507 IPC: up to 2 yrs along with the punishment under Section 506 IPC. Section 508 IPC: up to 1 year or fine or both. Section 509 IPC: up to 1 year or fine or both.
16. Publishing or transmitting obscene material in electronic form
   IT Act: Section 67: up to 3 yrs imprisonment and 5 lakh rupees (first conviction); up to 5 yrs and fine up to 10 lakh rupees (second and subsequent conviction).
   Other law: Section 292 IPC: up to 2 yrs and fine of 2000 rupees (first conviction); up to 5 yrs and fine of 5000 rupees (second and subsequent conviction).
17. Publishing or transmitting material containing a sexually explicit act, etc. in electronic form
   IT Act: Section 67A: up to 5 yrs imprisonment and 10 lakh rupees (first conviction); up to 7 yrs and fine up to 10 lakh rupees (second and subsequent conviction).
   Other law: Section 292 IPC: up to 2 yrs and fine of 2000 rupees (first conviction); up to 5 yrs and fine of 5000 rupees (second and subsequent conviction).
18. Publishing or transmitting material depicting children in a sexually explicit act, etc. in electronic form
   IT Act: Section 67B: up to 5 yrs imprisonment and 10 lakh rupees (first conviction); up to 7 yrs and fine up to 10 lakh rupees (second and subsequent conviction).
   Other law: Section 292 IPC: up to 2 yrs and fine of 2000 rupees (first conviction); up to 5 yrs and fine of 5000 rupees (second and subsequent conviction).

4. TAMPERING/FORGERY/MODIFICATION

19. Making a false document
   IT Act: Section 66D: up to 3 yrs imprisonment and fine up to 1 lakh rupees.
   Other law: Section 465 IPC: up to 2 yrs imprisonment or fine or both.
20. Forgery for the purpose of cheating
   IT Act: Section 66D: up to 3 yrs imprisonment and fine up to 1 lakh rupees.
   Other law: Section 468 IPC: up to 7 yrs imprisonment and fine.
21. Forgery for the purpose of harming reputation
   IT Act: Section 66D: up to 3 yrs imprisonment and fine up to 1 lakh rupees.
   Other law: Section 469 IPC: up to 3 yrs imprisonment and fine.
22. Tampering with computer source documents
   IT Act: Section 65: up to 3 yrs imprisonment or fine up to 2 lakh rupees or both. Section 66: up to 3 yrs imprisonment or fine up to 5 lakh rupees or both.
   Other law: NA
23. Data Diddling
   IT Act: Section 66: up to 3 yrs imprisonment or fine up to 5 lakh rupees or both. Section 43(d): penalty not exceeding Rs. 1 crore.
   Other law: NA

5. SOCIAL NETWORKING CRIMES

24. Fake profile
   IT Act: Section 66D: up to 3 yrs imprisonment and fine up to 1 lakh rupees.
   Other law: Section 465 IPC: up to 2 yrs imprisonment or fine or both.
25. Location mapping
   IT Act: NA
   Other law: NA
26. Tagging/uploading a photo of someone else without his/her consent
   IT Act: NA
   Other law: NA
27. Criminal intimidation by anonymous communication, e.g. hate page, comments, messaging
   IT Act: Section 66A: up to 3 yrs imprisonment or fine up to 5 lakh rupees or both.
   Other law: Section 506 IPC: up to 2 yrs imprisonment or fine or both.
28. Cyber bullying

6. COPYRIGHT INFRINGEMENT

29. Deep linking of website
   IT Act: NA
   Other law: NA
30. Framing
   IT Act: NA
   Other law: NA
31. In-linking
   IT Act: NA
   Other law: NA
32. Filtering
   IT Act: NA
   Other law: NA
33. Piracy of Software (knowing use of an infringing copy of a computer programme is an offence; downloading copyrighted material/data, e.g. music, movies, files, photos, is an infringement)
   IT Act: Section 66: up to 3 yrs imprisonment and fine. Section 43.
   Other law: Section 63 and Section 63B, Copyright Act.

7. TRADE-MARK INFRINGEMENT

34. Meta-tagging
   IT Act: NA
   Other law: NA
35. Domain name dispute (cybersquatting)
   IT Act: NA

8. ATTACKS

36. Denial of Service (DoS) attack and Distributed Denial of Service (DDoS)
   IT Act: Section 66: up to 3 yrs imprisonment or fine up to 5 lakh rupees or both.
   Other law: NA
37. Salami Attack
   IT Act: NA
38. Malware attack
   IT Act: NA
40. Spamming
   IT Act: NA
41. Spoofing
   IT Act: Section 66A: up to 3 yrs imprisonment and fine. Section 66D: up to 3 yrs imprisonment and fine up to 1 lakh rupees.
   Other law: NA
42. Pharming
   IT Act: Section 66C: up to 3 yrs imprisonment and fine up to 1 lakh rupees. Section 66D: up to 3 yrs imprisonment and fine up to 1 lakh rupees.
   Other law: NA
43. Viruses/Trojan
   IT Act: Section 66: up to 3 yrs imprisonment or fine up to 5 lakh rupees or both. Section 66F: life imprisonment.
   Other law: NA
44. DNS Poisoning attack
   IT Act: NA
   Other law: NA
45. Blue-jacking, Blue-bugging, Blue-snarfing
   IT Act: NA
   Other law: NA

9. FINANCIAL FRAUDS

46. Card Skimming
   IT Act: Section 66C: up to 3 yrs imprisonment and fine up to 1 lakh rupees.
47. Espionage (Shoulder Surfing)
   IT Act: Section 66: up to 3 yrs imprisonment or fine up to 5 lakh rupees or both; and Section 70: up to 10 yrs imprisonment and fine.
48. Fake ATM
   IT Act: NA
49. Vishing
   IT Act: NA
50. E-Shoplifting
   IT Act: NA
51. Lottery Scam
   IT Act: NA

10. WEB RELATED CRIMES

52. Web Jacking
   IT Act: Section 67: up to 3 yrs imprisonment and 5 lakh rupees (first conviction); up to 5 yrs and fine up to 10 lakh rupees (second and subsequent conviction). Section 66F: life imprisonment (depending on the situation).
   Other law: Section 383 IPC: imprisonment which may extend to 3 yrs or fine or both.
53. Web Defacement
   IT Act: Section 66: up to 3 yrs imprisonment or fine up to 5 lakh rupees or both.
   Other law: NA
54. Fake website
   IT Act: Section 66D: up to 3 yrs imprisonment and fine up to 1 lakh rupees.
   Other law: Section 419 IPC: up to 3 yrs imprisonment or fine. Section 420 IPC: up to 7 yrs imprisonment and fine.

11. CRIME AGAINST/BY THE ORGANISATION

55. Decrypting information without authority
   IT Act: Section 69: up to 7 yrs imprisonment and fine.
56. DoS attack against a government computer
   IT Act: Section 66: up to 3 yrs imprisonment or fine up to 5 lakh rupees or both. Section 66F: life imprisonment.
   Other law: NA
57. Intermediaries not providing the relevant authorities access to information stored in their computers
   IT Act: Section 69: up to 7 yrs imprisonment and fine.
   Other law: NA
58. Intermediaries failing to block a website when ordered
   IT Act: Section 69A: up to 7 yrs imprisonment and fine.
   Other law: NA

12. CYBER-TERRORISM

59. Fire Sale attack (attack on critical infrastructure)
   IT Act: Section 66F: life imprisonment.

13. OTHER CRIMES

60. Online Gambling
   IT Act: NA
61. Online sale of arms, drugs or any illegal goods
   IT Act: NA
   Other law: Arms Act, NDPS Act.
62. Cyber-Murder
   IT Act: NA
   Other law: Section 302 IPC: life imprisonment and fine, or punishable with death.

3.7 Case Studies
1. OBSCENITY

Case study 01 - State of Tamil Nadu vs Suhas Katti

Appellant – Suhas Katti

Judge - Ld. Additional Chief Metropolitan Magistrate, Egmore

Fact of the case - The case related to the posting of obscene, defamatory and annoying messages
about a divorcee woman in a Yahoo message group. E-mails were also forwarded to the
victim for information by the accused through a false e-mail account opened by him in the
name of the victim. The posting of the messages resulted in annoying phone calls to the lady
in the belief that she was soliciting.
Based on a complaint made by the victim in February 2004, the police traced the accused to
Mumbai and arrested him within the next few days. The accused was a known family friend
of the victim and was reportedly interested in marrying her. She however married another
person. This marriage later ended in divorce and the accused started contacting her once
again. On her reluctance to marry him, the accused took up harassment through the
Internet.

Order passed by court- Ld. Additional Chief Metropolitan Magistrate, Egmore, delivered
the judgement on 5-11-04 as follows:
"The accused is found guilty of offences under section 469, 509 IPC and 67 of IT Act 2000
and the accused is convicted and is sentenced for the offence to undergo RI for 2 years under
469 IPC and to pay fine of Rs.500/- and for the offence u/s 509 IPC sentenced to undergo 1
year Simple imprisonment and to pay fine of Rs.500/- and for the offence u/s 67 of IT Act
2000 to undergo RI for 2 years and to pay fine of Rs.4000/- All sentences to run
concurrently."

2.FINANCIAL FRAUDS

Case study 02-SONY.SAMBANDH.COM CASE


Appellant – Sony India Private Ltd.

Fact of the case - Sony India Private Ltd runs a website called www.sony-
sambandh.com, targeting Non Resident Indians. The website enables NRIs to send Sony
products to their friends and relatives in India after they pay for them online. In May 2002,
someone logged onto the website under the identity of Barbara Campa and ordered a Sony
colour television set and a cordless headphone. She gave her credit card number for
payment and requested that the products be delivered to Arif Azim in Noida. The payment
was duly cleared by the credit card agency and the transaction processed. At the time of
delivery, the company took digital photographs showing the delivery being accepted by
Arif Azim, but after one and a half months the credit card agency informed the company that
this was an unauthorized transaction, as the real owner had denied having made the purchase.

Case File: The company lodged a complaint for online cheating at the Central Bureau of
Investigation which registered a case under Section 418, 419 and 420 of the Indian Penal
Code.

Order passed by court- The court, however, felt that as the accused was a young boy of 24
years and a first-time convict, a lenient view needed to be taken. The court therefore released
the accused on probation for one year. The judgment is of immense significance for the entire
nation. Besides being the first conviction in a cybercrime matter, it has shown that the
Indian Penal Code can be effectively applied to certain categories of cyber crimes which are
not covered under the Information Technology Act 2000.

3.TAMPERING/FORGERY/MODIFICATION

Case study 03- Syed Asifuddin v. The State of Andhra Pradesh


Appellant – Syed Asifuddin and Ors.

Respondent – The State of Andhra Pradesh and Anr.

Fact of the case – Tata Indicom employees were arrested for manipulation of the electronic
32-bit number (ESN) programmed into cell phones that were exclusively franchised to
Reliance Infocomm. The handsets, which were given to Reliance Infocomm subscribers, were
technologically locked so that they would only work with the Reliance Infocomm services.
However, it came to light during investigations that the supplied handsets could be
unlocked for the Tata Indicom service as well.

Order passed by the High Court of Andhra Pradesh-
1. A cell phone is a computer as envisaged under the Information Technology Act.
2. ESN and SID come within the definition of “computer source code” under section 65 of
the Information Technology Act.
3. When ESN is altered, the offence under Section 65 of Information Technology Act is
attracted because every service provider has to maintain its own SID code and also give a
customer specific number to each instrument used to avail the services provided.
4. Whether a cell phone operator is maintaining computer source code, is a matter of
evidence.
5. In Section 65 of Information Technology Act the disjunctive word "or" is used in between
the two phrases –
a. "when the computer source code is required to be kept"
b. "maintained by law for the time being in force"

4. COPYRIGHT INFRINGEMENT

Case study 04-WASHINGTON POST v. TOTAL NEWS


Appellant – The Washington Post Company

Respondent – Total News Inc.

Fact of the case – The defendant, Total News, Inc., was a website owner that provided a
portal to various news services available on the internet. Total News' website, at the time of
the complaint, provided links to a variety of other news sites on the web. The linking
mechanism was initially implemented in such a way that the news organizations' web pages
appeared to be "on" the Total News page. This particular variant of in-line linking is
popularly known as "framing", as it involves a border from one site, the frame,
surrounding or edging the content from another site. In the Total News situation, the framed
content was surrounded by Total News advertising.
Order passed by court- UNITED STATES DISTRICT COURT, SOUTHERN DISTRICT
OF NEW YORK-
In June 1997, the case was settled without any judicial decision on the legality of framing.

5. STOLEN / THEFT

Case study 05-


Fact of the case – One day a lady came to the cyber cell office and reported that her and her
brother's e-mail IDs had been hacked by someone, whom she suspected to be her husband. The
lady had already lodged a case against him for dowry, which was pending trial in the Bhopal
court.
The suspect had hacked the lady's and her brother's e-mail accounts, copied all the
information to his own e-mail and produced selected e-mails to claim that she was happy with
him and that the dowry case was a false one.
To malign the image of her brother, the suspect sent a copy of the FIR lodged against him at
police station Habibganj. This indicated that the husband of the lady was behind the whole
affair, but the police did not have any evidence against him.

The cyber cell started an enquiry on the order of the IGP and obtained the login logs from rediff.com.
The logs indicated that the e-mail IDs' passwords were changed and anonymous e-mails were
sent from the house of the lady's husband. The cyber cell registered a case under
section 66 of the IT Act, a challan was filed against the suspect and the trial is over.

Order passed by court- The court upheld the conviction against the suspect Sabrish Pillai but
found that the matter had come before the court because Sabrish had a family dispute with his
wife and the act of hacking was not against society at large; hence it let him free after a
warning.

6. WEB RELATED CRIMES

Case study 05-Hacker hacks into a financial website


Fact of the case –

Mumbai police arrested a hacker named Kalpesh (name changed) for hacking into a
financial website. As he was not able to bypass the main server of the financial institution,
which was well secured, the accused could only make some additions to the home page of
the financial website, adding a string of text to the news module of the home page of
the website. Police were able to crack the case by following the trace left by the hacker on the
web server of the financial institution. The financial institution maintained a separate
server for online financial transactions, for which utmost security had been taken by the
financial institution. The website was hosted on a different server which had comparatively
less security.

The hacker Kalpesh (name changed) is a 10th-pass youngster of 23 years. He has done
computer courses like CCNA, MCSE etc., but he is a computer addict. He sits before the
computer for almost 16 to 20 times each day. He has mostly used readymade hacking
tools to hack into websites. He goes to a particular website on the web which enables
him to see the entire directory structure of a target website. Then, using various techniques, such
as obtaining a password file, he gets into the administrator's shoes and hacks the website.

7. ATTACKS

Case study 02-Case of Phishing


Case File: One financial institute registered a crime stating that some persons
("perpetrators") had perpetrated certain acts through misleading emails ostensibly emanating
from ICICI Bank's email ID. Such acts had been perpetrated with intent to defraud the
customers.
The investigation was carried out with the help of the emails received by the customers of that
financial institute, and the accused was arrested; the place of offence at Vijayawada was searched
for evidence. There, one laptop and one mobile phone, which had been used for the
commission of the crime, were seized.

Fact of the case –

The arrested accused had used open source email application software for sending spam
emails. He had downloaded the software from the net and then used it as it was.
He used only VSNL email accounts to spam the customers of the financial institute, because
the VSNL email service provider did not have a spam box to block unsolicited emails.
After spamming the financial institute's customers he got responses from around 120
customers, of which 80 were genuine and the others were not correct because they did not have the debit
card details required for e-banking.

The financial institute's customers who received his email felt that the email had
originated from the financial institute's bank. When they filled in the confidential information and
submitted it, the information was directed to the accused. This was possible because a
dynamic link was placed on the first page (home page) of the fake website. "Dynamic link"
means that the link is activated only when people click on the link provided in the spam email.
The dynamic link was coded by handling the Internet Explorer onclick event,
and the information in the form was submitted to the web server where the fake website
was hosted. The server then sent the data to a configured email address, which in this case
was the accused's email. So on submission of the confidential information, the
information was directed to the accused's email ID. All the information obtained by phishing
(user name, password, transaction password, debit card number and PIN, mother's maiden
name) was received by him through the Reliance.com Wi-Fi internet connectivity
available on his Acer laptop.

Applicable Law: This crime was registered u/s 66 of the IT Act, sections 419, 420, 465,
468 and 471 of the I.P.C. r/w Sections 51, 63 and 65 of the Copyright Act, 1957, which attract a
punishment of 3 years imprisonment and a fine up to 2 lakh rupees, which the accused never
thought of.

Chapter IV: Evidence Portal

4. Digital evidence

4.1 Introduction-

Digital evidence or electronic evidence is "any probative information stored or transmitted in
digital form that a party may use in court at trial". Section 78 a of ITAA 2008 defines
electronic form of evidence as "any information of probative value that is either stored or
transmitted in electronic form and includes computer evidence, digital audio, digital
video, cell phones, digital fax machines".

The main characteristics of digital evidence are: it is latent, like fingerprints and DNA; it can
cross national borders with ease and speed; it is highly fragile and can be easily altered,
damaged or destroyed; and it is time sensitive. For these reasons, special precautions should be
taken to document, collect, preserve and examine this type of evidence. When dealing with digital
evidence, the principles that should be applied are: actions to secure and collect digital
evidence should not change that evidence; persons conducting the examination of digital
evidence should be trained for this purpose; and all activity relating to the seizure, examination,
storage or transfer of digital evidence should be fully documented, preserved and available
for review.
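The two principles above (the evidence must not change, and every handling step must be documented and reviewable) can be enforced mechanically by hashing each exhibit at seizure and keeping a hash-chained custody log. The following is an added example, not code from the manual or from CDRC; the exhibit bytes, officer names and exhibit label are constructed placeholders.

```python
"""Evidence-integrity and chain-of-custody ledger (constructed example)."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 digest of an evidence item held in memory."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 digest of a file, read in chunks so large disk images fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class CustodyLedger:
    """Append-only custody log: each entry holds the item's digest at that step and
    the hash of the previous entry, so both the evidence and the log can be verified."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    @staticmethod
    def _entry_hash(entry: Dict) -> str:
        # Hash every field except the entry's own hash, in a canonical key order.
        body = {key: value for key, value in entry.items() if key != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, action: str, item: str, digest: str, officer: str,
               note: str = "", when: Optional[str] = None) -> Dict:
        """Append one custody step; 'when' defaults to the current UTC time."""
        entry = {
            "seq": len(self.entries) + 1,
            "timestamp": when or datetime.now(timezone.utc).isoformat(),
            "action": action,          # e.g. seized, imaged, examined, transferred
            "item": item,              # exhibit label (constructed labels in run_demo)
            "sha256": digest,
            "officer": officer,
            "note": note,
            "prev": self.entries[-1]["entry_hash"] if self.entries else "",
        }
        entry["entry_hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry

    def seizure_digest(self, item: str) -> Optional[str]:
        """Digest recorded when the item was first seized, or None if never seized."""
        for entry in self.entries:
            if entry["item"] == item and entry["action"] == "seized":
                return entry["sha256"]
        return None

    def item_unchanged(self, item: str, current_digest: str) -> bool:
        """True if the item still hashes to the value recorded at seizure."""
        return self.seizure_digest(item) == current_digest

    def ledger_intact(self) -> bool:
        """True if sequence numbers, back-links and entry hashes all still agree."""
        prev = ""
        for seq, entry in enumerate(self.entries, start=1):
            if entry["seq"] != seq or entry["prev"] != prev:
                return False
            if self._entry_hash(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def run_demo() -> Dict[str, bool]:
    """Walk one constructed exhibit through seizure, copying, alteration and log tampering."""
    exhibit = b"From: victim@example.invalid\r\nSubject: constructed sample mailbox export\r\n"
    ledger = CustodyLedger()
    ledger.record("seized", "EXHIBIT-01 (constructed)", sha256_bytes(exhibit),
                  "IO (hypothetical officer)", "laptop mailbox export, write-blocked")
    # A faithful working copy hashes identically, so it is accepted for examination.
    working_copy = bytes(exhibit)
    ledger.record("examined", "EXHIBIT-01 (constructed)", sha256_bytes(working_copy),
                  "Examiner (hypothetical)", "keyword search on working copy")
    results = {
        "ledger_intact_before": ledger.ledger_intact(),
        "copy_unchanged": ledger.item_unchanged("EXHIBIT-01 (constructed)",
                                                sha256_bytes(working_copy)),
    }
    # A single-byte change anywhere in the item is caught by the seizure digest.
    altered = exhibit.replace(b"victim", b"vlctim")
    results["altered_copy_unchanged"] = ledger.item_unchanged(
        "EXHIBIT-01 (constructed)", sha256_bytes(altered))
    # Editing an old log entry breaks its hash, so the ledger no longer verifies.
    ledger.entries[0]["note"] = "edited after the fact"
    results["ledger_intact_after_tamper"] = ledger.ledger_intact()
    return results
```

`run_demo()` returns the four checks as booleans; for real exhibits, feed `sha256_file()` of the forensic image into `record()` instead of the constructed bytes.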

4.2 What can be used as digital evidence (sources)-

Sr. no. | Device (source) | Information that can be extracted
1 | Laptop, desktop PC | With the help of computer forensics, information stored on the hard drive or any other part of the device can be retrieved. Deleted files and information stored in temporary memory can also be extracted.
2 | Smart cards, dongles, biometric scanners, etc. | Information stored on these devices, in addition to the devices themselves.
3 | Screens of devices such as mobile phones and computer monitors, if they are connected to these devices and are in the ON state | The representation of information (graphical or files) on the screen while connected to the system can be used as electronic evidence.
4 | Video and image capturing devices (digital cameras, camcorders), audio devices (iPod, voice recording devices) | In addition to the devices themselves, audio, videos, still images and other information stored in the devices' memory can be used as evidence.
5 | Caller ID / answering machines | Audio, and date- and time-related information.
6 | Storage devices (internal hard drives, external hard drives, flash drives, memory cards) | The device and the information stored on it can be used as evidence.
7 | Tablets, smart phones, PDAs (personal digital assistants) | Information stored in various applications, user IDs, passwords and communication information can be extracted.
8 | Pagers | Communication information such as text messages, phone numbers, etc.
9 | SIM card | The mobile number, contacts stored on the SIM card, messages, and information about the mobile phone in which the SIM card is used can be extracted.
10 | LAN (local area network) / NIC (network interface card) | The media access control (MAC) address, if obtained, can be used to trace a computer on the network.
11 | Switches, modems, hubs | These devices contain IP address information and routing information.
12 | Networking cables, connectors | Can be helpful in identifying the types of device used.
13 | Servers | Information related to web pages, mails, downloaded files, user details, etc. can be extracted.
14 | Printers | Number of last prints, logs, time and date information, and network information can be extracted.
15 | Xerox (photocopy) machine | Information about the company, model, etc. of the machine may be extracted. It may contain logs and time and date information.
16 | Scanners | While connected to a PC or a network, can be used for scanning illegal documents.
17 | Removable storage devices (CDs, floppy disks, flash drives, DVDs, memory cards, hard drives, etc.) | Information is stored in digital form on these devices and can be used as evidence.
18 | Mobile phones | The device and the information stored in it can be used as evidence. Conversations and other information may be extracted.
19 | Fixed line telephones (wired/wireless) | Caller information, phone numbers, messages, etc. can be retrieved.
20 | Credit card skimmers | These devices may retrieve information from credit/debit cards, etc. and store it.
21 | Fax machines | These devices contain information about documents sent and received, and contact information.
22 | GPS (global positioning system) | These devices may be used to trace the location, the route followed by the device, and other location-based information.
23 | Keyboard, mouse, touchpad and other input devices | The device itself can be used.
24 | Digital watches | Advanced digital watches may also contain location, contact, etc. information stored in memory.
25 | USB/FireWire connected devices | These devices may contain data stored in them.
26 | Passwords, encryption keys, security keys | This authentication information can be used as evidence.
27 | Internet enabled digital TV | These devices have storage and internet capabilities, thus stored information may be extracted and used.
28 | Media PC | These devices have storage and internet capabilities, thus stored information may be extracted and used.
29 | HD recorders | These devices have storage and internet capabilities, thus stored information may be extracted and used.
30 | Gaming consoles having storage capacities | These devices have storage and internet capabilities, thus stored information may be extracted and used.

4.3. What can be considered as evidence?

 Address books and contact lists
 Audio files and voice recordings
 Backups of various programs, including backups of mobile devices
 Bookmarks and favorites
 Browser history
 Calendars
 Compressed archives (zip, rar, etc.), including encrypted archives
 Configuration files (may contain information such as last access dates, etc.)
 Cookies
 Databases
 Documents
 Email messages, attachments and email databases
 Events
 Hidden and system files
 Log files
 Organizer items
 Page files, hibernation files and printer spooler files
 Pictures, images, digital photos
 Videos
 Virtual machines
 System files
 Temporary files

4.4. The following is a list of crimes which may involve the use of a
computer or other electronic media. Listed below are the crimes
and the potential evidence which may be recovered from various
types of electronic evidence.

4.4.1 Computer fraud investigation:

 Account data from online auctions
 Accounting software and files
 Address books
 Calendar
 Chat logs
 Customer information
 Credit card data
 Databases
 Digital camera software
 E-mail, notes and letters
 Financial and asset records

4.4.2. Child abuse and pornography investigation:

 Chat logs
 Digital camera software
 E-mail, notes and letters
 Games
 Graphic editing and viewing software
 Images
 Internet activity logs
 Movie files
 User created directory and file names which classify images

4.4.3. Network intrusion investigation:

 Address books
 Configuration files
 E-mail, notes and letters
 Executable programs
 Internet activity logs
 Internet protocol addresses and usernames
 Internet relay chat logs
 Source code
 Text files and documents with usernames and passwords

4.4.4 Homicide investigation:

 Address books
 E-mails, notes and letters
 Financial asset records
 Internet activity logs
 Legal documents and wills
 Medical records
 Telephone records
 Diaries
 Maps
 Photos of victim/suspect

4.4.5. Domestic violence investigation:

 Address books
 Diaries
 E-mail, notes and letters
 Financial asset records
 Telephone records

4.4.6. Financial fraud and counterfeiting investigation:

 Address books
 Calendar
 Currency images
 Check and money order images
 Customer information
 Databases
 E-mail, notes and letters
 False identification
 Financial asset records
 Images of signatures
 Internet activity logs
 Online banking software
 Counterfeit currency images
 Bank logs
 Credit card numbers

4.4.7. E-mail threats, harassment and stalking investigations:

 Address books
 Internet activity logs
 Diaries
 Email, notes, and letters
 Financial asset records
 Images
 Legal documents
 Telephone records
 Victim background research
 Maps to victim locations

4.4.8. Narcotics investigation:

 Address books
 Calendar
 Databases
 Drug recipes
 E-mail, notes and letters
 False ID
 Financial asset records
 Internet activity logs
 Prescription form images

4.4.9. Software piracy investigation:

 Chat logs
 Email, notes and letters
 Image files of software certificates
 Internet activity logs
 Software serial numbers
 Software cracking utilities
 User created directories and file names which classify copyrighted software

4.4.10 Telecommunication fraud investigation:

 Cloning software
 Customer database records
 Electronic serial numbers
 Mobile identification numbers
 Email, notes and letters
 Financial asset records
 Internet activity logs

4.4.11. Identity theft investigation:

 Hardware and software tools:
   Backdrops
   Credit card reader/writer
   Digital camera software
   Scanner software

 Identification templates:
   Birth certificates
   Check cashing cards
   Digital photo images
   Driver's license
   Electronic signatures
   Counterfeit vehicle registration
   Counterfeit insurance documents
   Social security cards

 Internet activity related to ID theft:
   Email and newspaper postings
   Deleted documents
   Online orders
   Online trading information
   Internet activity logs

 Negotiable instruments:
   Business checks
   Cashier's checks
   Credit card numbers
   Counterfeit court documents
   Counterfeit certificates
   Counterfeit loan documents
   Counterfeit sales receipts
   Money orders
   Personal checks
4.5. Tools Used for Collecting Evidence-

4.5.1. Computer Forensics:

Tool | Platform | License | Description
BlackLight | Windows/Mac | Commercial | Windows, Mac and iOS forensic analysis software
MacQuisition | Mac | Commercial | Mac data acquisition and imaging solution
Spector CNE Investigator | Windows | Commercial | A user activity monitoring solution that allows the replaying of computer activity in detail
SANS Investigative Forensics Toolkit (SIFT) | Ubuntu | | Multipurpose forensic operating system
Registry Recon | Windows | Commercial | Forensics tool that rebuilds Windows registries from anywhere on a hard drive and parses them for deep analysis
EnCase | Windows | Commercial | Multi-purpose forensic tool
EPRB | Windows | Commercial | Set of tools for encrypted system and data decryption and password recovery
FTK | Windows | Commercial | Multi-purpose tool commonly used to index acquired media
Digital Forensics Framework (DFF) | Windows/Linux/Mac OS | GPL | DFF is both a digital investigation tool and a development platform
PTK Forensics | LAMP | Free/Commercial | GUI for The Sleuth Kit
The Coroner's Toolkit | Unix-like | IBM Public License | A suite of programs for Unix analysis
COFEE | Windows | Proprietary | A suite of tools for Windows developed by Microsoft, only available to law enforcement
The Sleuth Kit | Unix-like/Windows | IPL, CPL, GPL | A library of tools for both Unix and Windows
Categoriser 4 Pictures | Windows | Free | Image categorisation tool, available to law enforcement
Paraben P2 Commander | Windows | Commercial | General purpose forensic tool
Open Computer Forensics Architecture | Linux | LGPL/GPL | Computer forensics framework for a CF-Lab environment
SafeBack | n/a | Commercial | Digital media (evidence) acquisition and backup
Windows To Go | n/a | Commercial | Bootable operating system
Forensic Assistant | Windows | Commercial | User activity analyser (e-mail, IM, documents, browsers), plus a set of forensics tools
Nuix | Windows | Commercial | Forensic analysis and fraud prevention software. Full text search; extracts emails, credit card numbers, IP addresses, URLs. Skin tone analysis. Support for ingesting Windows, Mac OS, Linux and mobile device data
PeerLab | Windows | Commercial | File sharing and "instant messaging" analyser
OSForensics | Windows | Free/Commercial | General purpose forensic tool for e-mail, files, images and browsers
X-Ways Forensics | Windows | Commercial | General purpose forensic tool based on the WinHex editor
Bulk Extractor | Windows/Linux | Public domain | Stream-based forensic feature extraction of e-mail addresses, phone numbers, URLs and other identified objects
Intella | Windows | Commercial | Forensic search software: email, data and cell phone processing/investigation
CAINE | Linux | Free/open source | GNU/Linux computer forensics live distro
Forensics Apprentice | Windows | Commercial | Computer forensics investigation software
Dumpzilla | Windows/Linux | GPL | Forensic tool for Mozilla browsers

4.5.2. Memory forensics-

Tool | Platform | License | Vendor/sponsor
CMAT | Windows | Free (AFL) |
Memoryze | Windows | Commercial (gratis) | Mandiant
Responder | Windows | Commercial | HBGary
Second Look | Linux | Commercial | Raytheon Pikewerks
WindowsSCOPE | Windows | Commercial | BlueRISC
Volafox | Mac OS | Free (GPL) |
Volatility | Windows/Linux | Free (GPL) | Volatile Systems
Volatilitux | Linux | Free (GPL) | Volatile Systems

4.5.3. Mobile device forensics-

Tool | Platform | License | Description
BlackLight | Windows/Mac | Commercial | iOS forensics analysis software
Cellebrite Mobile Forensics | Windows | Commercial | Universal forensic extraction device: hardware and software
Radio Tactics Aceso | Windows | Commercial | "All-in-one" unit with a touch screen
Paraben Device Seizure | Windows | Commercial | Hardware/software package
SAFT Mobile Forensics | Windows | Free/Commercial | Easy-to-use mobile forensics application, specialises in Android
Micro Systemation XRY/XACT | Windows | Commercial | Hardware/software package, specialises in deleted data
Oxygen Forensic Suite (formerly Oxygen Phone Manager) | Windows | Commercial | Smart forensics for smartphones
Elcomsoft iOS Forensic Toolkit (EIFT) | Windows, Mac | Commercial | Acquires bit-precise images of Apple iOS devices in real time
Elcomsoft Phone Password Breaker (EPPB) | Windows | Commercial | Enables forensic access to password-protected backups for smartphones and portable devices based on RIM BlackBerry and Apple iOS platforms
MOBILedit! Forensic | Windows | Commercial | Hardware connection kit/software package
viaForensics viaExtract | Any (distributed as a VM) | Commercial | Software package, specialises in Android forensics

4.5.4. Network Forensics-

Name | Platform | License | Description
Wireshark | Windows/Mac/Linux | Open source | Captures and analyzes packets
NetworkMiner | Windows/Linux | Open source (GPL) | Extracts files, images and other metadata from PCAP files
tcpflow | Windows/Mac/Linux | GPLv3 | TCP/IP session reassembler
NetIntercept | Appliance | Commercial | Appliance

4.5.5. Other-

Name | Platform | License | Description
HashKeeper | Windows | Free | Database application for storing file hash signatures
Evidence Eliminator | Windows | Commercial | Anti-forensics software, claims to delete files securely
DECAF | Windows | Free | Tool which automatically executes a set of user defined actions on detecting Microsoft's COFEE tool
NetSleuth | Windows | GPL | Open-source network forensics and monitoring tool

4.6. Search and Seizure-

In any crime which involves a technology aspect, the collection of evidence is a critical task,
as the evidence can be tampered with easily. Digital evidence, due to its fragile nature, requires
utmost care and precaution during the search, collection, preservation, transportation and
examination of evidence.

The flow of investigation of a crime scene (search and seizure) is-

 Identifying the crime scene and preserving the site.
 An “as is where is” report of the crime scene must be prepared.
 Collecting evidence:
   From a switched off system
   From a switched on system
 Cloning or duplication of evidence
 Conducting interviews
 Making a record and naming/labelling of evidence.
 Packing and moving/transporting evidence from the scene.

4.6.1. Seizure memo (panchnama) and seizure proceedings-

The authority of search and seizure is given in section 165 of the CrPC and section 80 of the ITAA
2008. The steps which should be followed during seizure proceedings are-

 Two independent witnesses and one technical person (responder side) should be part
of the process.
 The time zone/system time must be noted in the panchnama (from switched on systems).
 Photographs of devices must be taken at their original place.
 The system must be kept in the state in which it was found (on or off).
 In the panchnama, chain of custody and digital evidence collection form, the serial number
allotted to that device must be mentioned.
 If any internal part of the device is removed, a photograph should be taken of that part.
 The serial number, along with information such as PF number/crime number/section of
law, must be mentioned.
 Search and seizure information for that system should also be recorded in the panchnama.
 Witnesses must be briefed about the techniques/tools used in the search and seizure process.
 Investigating officers must have the knowledge and ability to identify various digital
devices.
 All the forms and the details filled in them must be checked and completed
(Annexure-2).

4.7. Handling of evidence-(Annexure-3)

This section is to assist persons who have no skills, or have not received any training, to carry
out search and seizure, and to ensure that their actions won’t affect the evidence.

4.7.1. For desktop and laptop computers (which are in the switched off state)

 Secure the area around the equipment.
 A photograph or video recording of the scene must be taken, covering all parts of that
device.
 Check if any other devices are connected to that system.
 Be aware that some laptops may turn on when the lid is opened.
 Remove the main power (before doing so, check that the machine is not in standby mode, as this
may cause data loss).
 Remove the power plug and other devices from the socket.
 Label or mark the removed components.
 Search the area for passwords, which are often kept close to the computer.
 Information received from the scene/user, such as passwords, usernames, etc., should be
recorded.
 Equipment used must be noted.

4.7.2. For desktop and laptop computers (switched on state):-

 Secure the area containing the equipment.
 A photograph or video recording of the scene must be taken, covering all parts of that
device.
 A photograph of the content on the screen must be taken.
 Do not touch the keyboard, mouse or any input device.
 In case of a blank screen or screen saver, restore the screen and check whether it is
password protected.
 If any content is displayed, a photograph of the screen must be taken.
 If the system is password protected, record the time and the activity performed.
 If possible, collect data which might be lost (volatile data) if the power source is
removed.
 Information must be treated with caution.
 If any process is going on, wait until it is completed.
 If no special advice is available, remove the power supply from the system without closing
down any program. Always remove the power cable at the system end rather than at the supply
end.
 Remove the power plug and other devices from the socket.
 Label or mark the removed components.
 Search the area for passwords, which are often kept close to the computer.
 Information received from the scene/user, such as passwords, usernames, etc., should be
recorded.
 Equipment used must be noted.

Note- removing power from a running system causes evidence in encrypted volumes to be lost;
try to obtain the key. Other volatile, live data may also be lost.
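The volatile-data step above ("collect data which might be lost") is the one most often done ad hoc at a scene. The following is an added example, not part of the manual or of any tool it lists: a Python script that captures a fixed, ordered set of live-system outputs on a Linux/Unix host and hashes each capture immediately, so that the record of what the responder saw can itself be verified later, in the same way the manual asks that every seizure activity be documented and preserved. The command list, the output layout and the placeholder case/examiner identifiers are this example's own assumptions; on a Windows host the command list would be different.

```python
"""Added example, not from the manual: ordered capture of volatile data from a
live Linux/Unix host, with each capture hashed at once. The command list, file
layout and placeholder identifiers are this example's own assumptions."""
import hashlib
import json
import os
import shutil
import subprocess
import tempfile
from datetime import datetime, timezone

# Most volatile first. A command missing on the host is recorded as such
# rather than aborting the whole collection.
VOLATILE_COMMANDS = [
    ("system_time", ["date", "-u"]),
    ("uptime", ["uptime"]),
    ("logged_in_users", ["who"]),
    ("network_connections", ["ss", "-tunap"]),
    ("routing_table", ["ip", "route"]),
    ("process_list", ["ps", "aux"]),
    ("mounted_filesystems", ["mount"]),
]

def sha256_file(path):
    """Hash a file in chunks so large captures do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def run_capture(cmd):
    """Run one command; return (output text, status). Never raises."""
    if shutil.which(cmd[0]) is None:
        return f"[{cmd[0]} not available on this host]\n", "not available"
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True,
                              errors="replace", timeout=30)
        return proc.stdout + proc.stderr, f"exit {proc.returncode}"
    except (subprocess.SubprocessError, OSError) as exc:
        return f"[{cmd[0]} failed: {exc}]\n", "failed"

def collect_volatile(out_dir=None, case_id="CASE-PLACEHOLDER",
                     examiner="EXAMINER-PLACEHOLDER"):
    """Capture every command's output to its own file and hash it immediately."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="volatile-")
    manifest = {"case_id": case_id, "examiner": examiner,
                "started_utc": datetime.now(timezone.utc).isoformat(),
                "items": []}
    for name, cmd in VOLATILE_COMMANDS:
        path = os.path.join(out_dir, name + ".txt")
        output, status = run_capture(cmd)
        with open(path, "w", encoding="utf-8") as f:
            f.write(output)
        manifest["items"].append({
            "name": name, "command": " ".join(cmd), "status": status,
            "collected_utc": datetime.now(timezone.utc).isoformat(),
            "file": path, "sha256": sha256_file(path)})
    with open(os.path.join(out_dir, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2)
    return manifest

def verify_collection(manifest):
    """Re-hash each capture; False means the file changed since collection."""
    return {item["name"]: sha256_file(item["file"]) == item["sha256"]
            for item in manifest["items"]}

if __name__ == "__main__":
    m = collect_volatile()
    for item in m["items"]:
        print(f'{item["name"]:20s} {item["status"]:14s} {item["sha256"][:16]}...')
    print("all captures verify:", all(verify_collection(m).values()))
```

The manifest records the collection time of each item in order, which is what a witness or a court will later ask about; the per-file hashes are what makes an altered capture detectable. Run it from removable media rather than installing anything on the suspect machine, and note the tool and its version in the panchnama as the manual requires.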

4.7.3. Electronic organizers and personal digital assistants (PDA):-

Specialist advice should be taken at an early stage regarding charging and/or battery
charging, to prevent data loss.

If the device is found in the off state-

 It should not be turned on.
 Place it in a sealed envelope/bag.
 If the device has Wi-Fi/Bluetooth/mobile phone capabilities, it must be kept in a shielded box.
 A search for associated memory devices must be done.

If the device is found in the on state-

 Do not turn off the device (volatile data may be lost).
 Date, time, etc. information must be recorded.
 Power cables, the device, etc. must be labelled.
 The battery should not be removed.
 Security of the device must be ensured.
 A photograph of the content on the screen must be taken.
 In case of a blank screen or screen saver, restore the screen and check whether it is
password protected.
 If the device is password protected, record the time and the activity performed.
 If possible, collect data which might be lost (volatile data).
 Information must be treated with caution.
 If any process is going on, wait until it is completed.
 Remove the power plug and other devices from the socket.
 Label or mark the removed components.
 Search the area for passwords, which are often kept close to the device.
 Information received from the scene/user, such as passwords, usernames, etc., should be
recorded.
 Equipment used must be noted.
 A competent person should examine the device.
 Other steps may depend on the model and type of device (Annexure-4).

4.7.4. Transportation of evidence:-

Main computer unit-

 Handle with care. If placing in a vehicle, place it upright, protected from physical
shocks.
 Keep away from magnetic sources (loudspeakers, heated seats and windows, and
police radios).

Storage devices-

 Protect from magnetic fields.
 Place in anti-static bags.

Floppy disks, Jaz/Zip cartridges, memory sticks and PCMCIA cards-

 Protect from magnetic fields.
 Do not label them directly.

Personal digital organizers, electronic organizers and palmtop computers-

 Protect from magnetic fields.
 If in the on state, an additional power supply must be provided during transportation.

Note-

 Devices must be preserved for DNA or fingerprint examination.
 Using aluminium powder on electronic devices can result in loss of evidence.
 Devices must be stored at normal temperature and in normal conditions.
 Power backup to devices during transportation must be provided.

4.8. Chain of custody-(Annexure-5)

When evidence is seized from the crime scene, the next step is to assign responsibility for it and
its protection.

The chain of custody establishes the responsibility for, and the competence of, evidence in a court of law and
minimizes the risk of tampering with the evidence. It accounts for all the persons who had access to
the evidence, such as-

 Who obtained the evidence
 Who secured the evidence
 Who transferred the evidence
 Who had control or possession of the evidence, etc.

The evidence should be in the control of the law enforcement body, and not with private
citizens. Not following the chain of custody may lead the court or the opposing party to object that
the evidence is unreliable or fabricated, and may impose liability on the
investigating officer under section 72 of the ITAA 2008.

4.8.1. Important steps to be kept in mind for chain of custody-

 Take pictures and note down observations of the crime scene.
 The storage medium must be appropriate.
 Security of the evidence/cloning.
 Protection of storage media from external electromagnetic interference.
 Details regarding the crime scene must be noted.
 A record of the personnel who have access to that evidence should be maintained.
 No private citizen/unknown person must have access to that evidence.
 Documentation and chain of custody forms must be provided with the evidence.
 To prove the integrity of that evidence against tampering or modification, a process
known as “hashing” is used. The hash value of the evidence collected can be checked
again later to prove its integrity.

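As an added example (not the manual's Annexure-5 form, whose layout the page does not reproduce), the following Python code keeps the kind of record the list above describes: the hash taken at seizure, every handover with who gave and who received the item, and an audit that flags a custody gap or a hash mismatch, the two objections the section says a court or the opposing party will raise. Item identifiers, roles and the sample image bytes are constructed for the example.

```python
"""Added example, not the manual's Annexure-5 form: a chain-of-custody record
whose every handover re-hashes the evidence image. Identifiers, roles and the
sample image bytes are constructed for this example."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

@dataclass
class CustodyEvent:
    when: str                # UTC timestamp of the handover
    action: str              # "seized", "transferred", "examined", "stored"
    from_person: str
    to_person: str
    hash_on_handover: str    # SHA-256 of the image as received
    note: str = ""

@dataclass
class EvidenceItem:
    item_id: str             # serial number allotted to the device (section 4.6.1)
    case_ref: str            # PF number / crime number / section of law
    description: str
    acquisition_hash: str    # hash recorded when the image was first taken
    events: list = field(default_factory=list)

    def record(self, action, from_person, to_person, image, note=""):
        """Log one custody event; returns True if the image still matches."""
        h = sha256_hex(image)
        self.events.append(CustodyEvent(
            when=datetime.now(timezone.utc).isoformat(), action=action,
            from_person=from_person, to_person=to_person,
            hash_on_handover=h, note=note))
        return h == self.acquisition_hash

    def audit(self):
        """List the objections a court or opposing party could raise."""
        problems = []
        if not self.events or self.events[0].action != "seized":
            problems.append("chain does not start with a seizure event")
        for prev, cur in zip(self.events, self.events[1:]):
            if cur.from_person != prev.to_person:
                problems.append(
                    f"custody gap: {prev.to_person} received the item, "
                    f"but {cur.from_person} passed it on")
        for ev in self.events:
            if ev.hash_on_handover != self.acquisition_hash:
                problems.append(
                    f"hash mismatch when {ev.to_person} received it ({ev.action})")
        return problems

def seize(item_id, case_ref, description, image, officer):
    """Open the record at the scene, hashing the image at seizure."""
    item = EvidenceItem(item_id, case_ref, description, sha256_hex(image))
    item.record("seized", "crime scene", officer, image, note="hash taken at seizure")
    return item

def demo():
    image = b"constructed sample disk image"        # stands in for a real image file
    item = seize("EXH-01", "CASE-PLACEHOLDER", "laptop hard drive image",
                 image, "investigating officer")
    item.record("transferred", "investigating officer", "malkhana (evidence room)", image)
    item.record("transferred", "malkhana (evidence room)", "forensic examiner", image)
    clean_audit = item.audit()                       # expected: no problems
    # An altered copy presented later is caught at the next handover.
    item.record("examined", "forensic examiner", "forensic examiner", image + b"\x00")
    return clean_audit, item.audit()

if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before or "no problems")
    print("after tampering:", after)
```

The audit deliberately reports every problem rather than stopping at the first, because each one is a separate point the defence can raise; the form this record is kept on (paper or electronic) matters less than the fact that the hash at every handover is compared with the hash taken at seizure.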
4.9. Integrity of digital evidence-

Proving the integrity of digital evidence is important, as not doing so may cause that evidence
not to be considered in a court of law, or to be objected to on grounds of alteration or modification.
Some of the methods used to check the integrity of digital evidence are shown below-

Method: Checksum
Common types: CRC-16, CRC-32
Description: Checks for errors in digital data. A 16- or 32-bit polynomial is applied to each byte of the digital data; the result is a small integer value, 16 or 32 bits in length. The integer value must be saved and secured. To check the data, the same polynomial can be applied to the data and the result compared with the original result for integrity.
Advantages: easy to compute; fast; small data storage requirement; useful for detecting random errors.
Disadvantages: low assurance against malicious attack; simple to create new data with a matching checksum; must maintain secure storage of checksum values.

Method: One-way hash algorithm (MD2, MD4, MD5, SHA)
Common types: SHA-1, MD5, MD4, MD2
Description: A method for protecting digital data against unauthorised changes. The method produces a fixed-length large integer value (from 80-240 bits) representing the digital data. It has two unique characteristics. First, given the hash value, it is difficult to find other data matching the same hash value.
Advantages: easy to compute; can detect both random errors and malicious alteration.
Disadvantages: must maintain secure storage of the hash value.

Method: Digital signature
Common types: RSA, DSA, PGP
Description: A secure method of binding the identity of the signer with a digital data integrity method such as one-way hash values. These methods use a public key cryptosystem where the signer uses a secret key to generate a digital signature. Anyone can then validate the signature using the published public key certificate of the signer. The signature produces a large integer number (512-4096 bits).
Advantages: adds identity to the integrity operation; prevents unauthorised regeneration of the signature unless the private key is compromised.
Disadvantages: slow; must protect the private key; if the key is compromised or the certificate expires, the digital signature can be invalidated.

Note- the hashing method is currently used to check the integrity of evidence.
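To make the checksum-versus-hash comparison in the table concrete, here is an added Python example (not from the manual) that computes a CRC-16 checksum and a SHA-256 hash of the same evidence bytes, verifies them later, and shows the "simple to create new data with matching checksum" weakness in the plainest form: among 65,537 distinct short messages a CRC-16 collision is guaranteed by the pigeonhole principle (there are only 65,536 possible values), while SHA-256 produces no collision on the same set. The CRC-16 variant (CCITT-FALSE, polynomial 0x1021, initial value 0xFFFF) and the constructed message set are this example's own choices, and SHA-256 is used in place of the older MD5/SHA-1 named in the table.

```python
"""Added example, not from the manual: checksum vs. one-way hash for evidence
integrity. The CRC-16 variant and the sample message set are this example's
choices."""
import hashlib

CRC16_POLY = 0x1021   # CRC-16/CCITT-FALSE polynomial (assumed variant)
CRC16_INIT = 0xFFFF

def _build_crc16_table(poly=CRC16_POLY):
    """Precompute the 256-entry table for the MSB-first CRC-16 algorithm."""
    table = []
    for byte in range(256):
        crc = byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ poly) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
        table.append(crc)
    return table

_CRC16_TABLE = _build_crc16_table()

def crc16(data, init=CRC16_INIT):
    """16-bit checksum: the polynomial applied byte by byte, as the table describes."""
    crc = init
    for b in data:
        crc = ((crc << 8) & 0xFFFF) ^ _CRC16_TABLE[((crc >> 8) ^ b) & 0xFF]
    return crc

def sha256_digest(data):
    """One-way hash, used here in place of the MD5/SHA-1 named in the table."""
    return hashlib.sha256(data).digest()

def integrity_record(data):
    """Values an examiner would write down (and store securely) at acquisition."""
    return {"crc16": crc16(data), "sha256": sha256_digest(data).hex()}

def verify(data, record):
    """Recompute both values later and report which ones still match."""
    return {"crc16": crc16(data) == record["crc16"],
            "sha256": sha256_digest(data).hex() == record["sha256"]}

def find_collision(digest_fn, count=65537):
    """Return two distinct messages with the same digest, or None.

    With 65,537 distinct messages and only 65,536 possible CRC-16 values a
    collision is guaranteed (pigeonhole), which is why a checksum gives low
    assurance against deliberate substitution. A 256-bit hash yields none.
    """
    seen = {}
    for i in range(count):
        msg = b"ev-%05d" % i          # constructed message set
        d = digest_fn(msg)
        if d in seen:
            return seen[d], msg
        seen[d] = msg
    return None

if __name__ == "__main__":
    sample = b"constructed sample evidence bytes"
    rec = integrity_record(sample)
    print("record:", rec)
    print("unaltered:", verify(sample, rec))
    print("altered:  ", verify(sample + b"\x00", rec))
    pair = find_collision(crc16)
    print("CRC-16 collision:", pair, hex(crc16(pair[0])))
    print("SHA-256 collision in the same set:", find_collision(sha256_digest))
```

The practical reading of the table is in the last two calls: the checksum is fine for catching a damaged sector on a copied image, but only the hash value (kept with the chain-of-custody form, not on the evidence media itself) can support a claim in court that nobody substituted the data.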

4.10. Procedure to file a complaint:

A person needs to provide a copy (screenshot) of the crime that occurred (as a soft copy as well as a
printout), with an affidavit from the person who is willing to lodge an FIR.
Other details required by the law enforcement agency (if any), on which the police may start
their investigation, must also be provided.

Section 68B of the Indian Evidence Act directs us about which evidence can be produced before
a court of law and whether it is admissible or not.

CFSL (Central Forensic Science Laboratory), Hyderabad is an authority which certifies which
evidence is admissible in a court of law and which is not, and certifies that the evidence
collected from the crime scene is unaltered and is the same as collected from the crime scene,
after which the evidence can be produced before the court.

4.10.1. Documentation required with digital evidence:-

 Evidence handling documentation should include-
   Copy of legal authority
   Chain of custody
   The initial count of evidence to be examined
   Information regarding the packaging and condition of evidence upon receipt
by the examiner
   A description of the evidence, and
   Communication regarding the case.

 Examination documentation should include:
   Sufficient details to allow another examiner, competent in the same area
of expertise, to assess the findings independently.

Chapter V: Computer Forensics

5.1 Understanding of Forensics

Electronic evidence and information gathering have become central issues in an increasing
number of conflicts and crimes. Electronic or computer evidence used to mean the regular
print-out from a computer, and a great deal of computer exhibits in court are just those.
However, for many years, law enforcement officers have been seizing data media and
computers themselves, as they have become smaller and more ubiquitous. In the very recent
past, investigators generated their own printouts, sometimes using the original application
program, sometimes specialist analytic and examination tools. More recently, investigators
have found ways of collecting evidence from remote computers to which they do not have
immediate physical access, provided such computers are accessible via a phone line or
network connection. It is even possible to track activities across a computer network,
including the Internet.

If you manage or administer information systems and networks, you should understand
computer forensics. Forensics is the process of using scientific knowledge for collecting,
analyzing, and presenting evidence to the courts. (The word forensics means “to bring to the
court”.) Forensics deals primarily with the recovery and analysis of latent evidence. Latent
evidence can take many forms, from fingerprints left on a window, to DNA evidence
recovered from blood stains, to the files on a hard drive.

Because computer forensics is a new discipline, there is little standardization and consistency
across the courts and industry. As a result, it is not yet recognized as a formal “scientific”
discipline. We define computer forensics as the discipline that combines elements of law and
computer science to collect and analyze data from computer systems, networks, wireless
communications, and storage devices in a way that is admissible as evidence in a court of
law.

In other words, computer forensics is the collection, preservation, analysis, and presentation
of computer-related evidence. Computer evidence can be useful in criminal cases, civil
disputes, and human resources/employment proceedings. Far more information is retained on
a computer than most people realize. It’s also more difficult to completely remove
information than is generally thought. For these reasons (and many more), computer forensics
can often find evidence of, or even completely recover, lost or deleted information, even if
the information was intentionally deleted. Computer forensics, although employing some of
the same skills and software as data recovery, is a much more complex undertaking. In data
recovery, the goal is to retrieve the lost data. In computer forensics, the goal is to retrieve the
data and interpret as much information about it as possible.

5.2 Importance

The objective in computer forensics is quite straightforward. It is to recover, analyze, and
present computer-based material in such a way that it is usable as evidence in a court of law.
The key phrase here is usable as evidence in a court of law. It is essential that none of the
equipment or procedures used during the examination of the computer obviate this. Adding
the ability to practice sound computer forensics will help you ensure the overall integrity and
survivability of your network infrastructure. You can help your organization if you consider
computer forensics as a new basic element in what is known as “defense in depth”, which is
designed on the principle that multiple layers of different types of protection from different
vendors provide substantially better protection than any single approach to network and
computer security.

5.3 Techniques

A computer forensics professional does more than turn on a computer, make a directory
listing, and search through files. Forensics professionals should be able to successfully
perform complex evidence recovery procedures with the skill and expertise that lends
credibility to the case. For example, they should be able to perform the following services:

 Data seizure
 Data duplication and preservation
 Data recovery
 Document searches
 Media conversion
 Expert witness services
 Computer evidence service options
 Other miscellaneous services

5.3.1 Data Seizure

Federal rules of civil procedure let a party or their representative inspect and copy designated
documents or data compilations that may contain evidence. Computer forensics experts,
following federal guidelines, should act as this representative, using their knowledge of data
storage technologies to track down evidence. Experts should also be able to assist officials
during the equipment seizure process.

5.3.2 Data Duplication and Preservation

When one party must seize data from another, two concerns must be addressed: the data must
not be altered in any way, and the seizure must not put an undue burden on the responding
party. Computer forensics experts should acknowledge both of these concerns by making an
exact duplicate of the needed data. Because duplication is fast, the responding party can
quickly resume its normal business functions, and, because your experts work on the
duplicated data, the integrity of the original data is maintained.

5.3.3 Data Recovery

Using proprietary tools, your computer forensics experts should be able to safely recover and
analyze otherwise inaccessible evidence. The ability to recover lost evidence is made possible
by the expert’s advanced understanding of storage technologies. For example, when a user
deletes an email, traces of that message may still exist on the storage device. Although the
message is inaccessible to the user, your experts should be able to recover it and locate
relevant evidence.

5.3.4 Document Searches

Computer forensics experts should also be able to search over 200,000 electronic documents
in seconds rather than hours. The speed and efficiency of these searches make the discovery
process less complicated and less intrusive to all parties involved.

5.3.5 Media Conversion

Some clients need to obtain and investigate computer data stored on old and unreadable
devices. Your computer forensics experts should extract the relevant data from these devices,
convert it into readable formats, and place it onto new storage media for analysis.

5.3.6 Expert Witness Services

Computer forensics experts should be able to explain complex technical processes in an easy-
to-understand fashion. This should help judges and juries comprehend how computer
evidence is found, what it consists of, and how it is relevant to a specific situation.

5.3.7 Computer Evidence Service Options

Your computer forensics experts should offer various levels of service, each designed to suit
your individual investigative needs. For example, they should be able to offer the following
services:

 Standard service
 On-site service
 Emergency service
 Priority service
 Weekend service

5.3.8 Other Miscellaneous Services

Computer forensics experts should also be able to provide extended services. These services
include:

 Analysis of computers and data in criminal investigations
 On-site seizure of computer data in criminal investigations
 Analysis of computers and data in civil litigation
 On-site seizure of computer data in civil litigation
 Analysis of company computers to determine employee activity
 Assistance in preparing electronic discovery requests
 Reporting in a comprehensive and readily understandable manner
 Court-recognized computer expert witness testimony
 Computer forensics on both PC and Mac platforms
 Fast turnaround time

5.4 Computer Forensics Systems

Computer forensics has become a buzzword in today’s world of increased concern for
security. It seems that any product that can remotely be tied to network or computer security
is quickly labeled as a “forensics” system. This phenomenon makes designing clear incident
response plans and corporate security plans that support computer forensics difficult. Today’s
corporate climate of increased competition, cutbacks and layoffs, and outsourcing makes it
essential that corporate security policy and practices support the inevitability of future
litigation. Because of this, awareness of the different types of computer forensics systems has
become a necessity. Some of these computer forensics systems are as follows:

 Internet security systems
 Intrusion detection systems
 Firewall security systems
 Storage area network security systems
 Network disaster recovery systems
 Public key infrastructure security systems
 Wireless network security systems
 Satellite encryption security systems
 Instant messaging (IM) security systems
 Net privacy systems
 Identity management security systems
 Identity theft prevention systems

5.5 Methodology

 3 A’s – An investigator should follow:

 Acquire: Gather the data
 Authenticate: Prove that it was unaltered in the copy process
 Analyze: Review the data for artifacts that support prosecuting the suspect

5.5.1 Steps Followed Under Methodology:

 Incident alert or accusation – crime or policy violation

The investigator needs to consider the source and reliability of the information, weigh all
factors in making a decision, and perform initial fact checking.

 Assessment of worth – prioritize or choose

This is performed by initial triage. Focus on the most severe problems. The output of this step
is a decision either that no further action is required or that the investigation continues.

 Incident/Crime scene protocols – Actions at the scene

Whoever is responsible for securing the crime scene must make sure that proper protocols are
followed. Safety is the first issue. The output of this stage is a secure scene whose contents
are all mapped and recorded, with photographs and diagrams.

 Identification or seizure – Recognition and proper packaging.

Informed investigators make proper decisions about what is to be seized and in what order of
priority (servers, workstations, volatile data, etc.). Documentation in this step is of extreme
importance. Initial interviews should be performed before seizing evidence to establish who
knows what, who is involved, what is not known and what needs to be gathered.

 Preservation – Integrity

Proper actions must be taken to ensure integrity, and proper tools must be used to ensure
acceptance and reliability. Investigators should make a bit-stream copy of the original media.
The original media is never to be touched again; it is to be put away in a temperature
controlled environment (chain of custody is key). The duplicate mirror image is what gets
analyzed. It is recommended to make a backup copy of the media to be analyzed in case of a
media failure.

 Recovery – Get it all

Focus on recovering all the data, whether it is relevant to the case or not. The overall output
will help provide the most complete timeline.

 Harvesting – Data about data

This is the analysis phase. In this phase we analyze the data to test our theories about our
suspects.

 Reduction – Filter

In this phase we separate the relevant material from the chaff. We use filters, hash analysis
and grep searches to help refine our focus.

 Organization and search – Focus

This is where we bookmark our findings as investigators to help make our reporting phase
easier. We also document our case as we go instead of waiting until the end. We might export
data out of our image for easier analysis or for viewing.

 Analysis – scrutinize

This phase requires us to cross reference and validate our findings to deliver the proof for
prosecution.

 Reporting – Detailed record

The report should contain details from every step including references to tools and protocols
used.

 Persuasion and testimony – Translate and explain
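The Preservation and Reduction steps above, worked through as an added Python example (this is not code from the manual or from any tool it names). It models a tiny four-sector drive in memory, makes a sector-by-sector bit-stream copy, proves the copy unaltered by comparing SHA-256 hashes of original and copy, shows that a single flipped bit in a working copy is caught, and then applies a known-file hash set to drop stock material in the reduction step. The sector contents, file names and the known-file hash set are all constructed for the demonstration.

```python
"""Acquire / Authenticate / Reduce on a constructed in-memory drive.

Added example (not code from the manual). Models three of the methodology
steps: a sector-by-sector bit-stream copy (acquire), SHA-256 comparison of the
original and the copy (authenticate), and filtering artefacts against a
known-file hash set (reduce). All sector contents and hashes are constructed.
"""
import hashlib
import io

SECTOR = 512  # bytes per read; typical disk sector size


def sha256_of_stream(stream: io.BufferedIOBase) -> str:
    """Hash a stream from its start in SECTOR-sized reads (works for images larger than RAM)."""
    stream.seek(0)
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(SECTOR), b""):
        h.update(chunk)
    return h.hexdigest()


def acquire(source: io.BufferedIOBase) -> bytes:
    """Bit-stream copy: every sector from first to last, including slack and unallocated space."""
    source.seek(0)
    image = bytearray()
    for chunk in iter(lambda: source.read(SECTOR), b""):
        image.extend(chunk)
    return bytes(image)


def authenticate(source: io.BufferedIOBase, image: bytes) -> dict:
    """Compare the hash of the original media with the hash of the copy."""
    src_hash = sha256_of_stream(source)
    img_hash = hashlib.sha256(image).hexdigest()
    return {"source": src_hash, "image": img_hash, "verified": src_hash == img_hash}


def reduce_known(artefacts: dict, known_hashes: set) -> dict:
    """Reduction step: drop artefacts whose SHA-256 is in the known-file set (e.g. stock OS files)."""
    return {name: data for name, data in artefacts.items()
            if hashlib.sha256(data).hexdigest() not in known_hashes}


def build_constructed_media() -> io.BytesIO:
    """Four sectors: boot area, a user note, a stock program, and a deleted remnant."""
    sectors = [
        b"BOOT".ljust(SECTOR, b"\x00"),
        b"notes.txt: meeting at 10".ljust(SECTOR, b"\x00"),
        b"calc.exe stub".ljust(SECTOR, b"\x00"),
        b"deleted: transfer 50000 to acct".ljust(SECTOR, b"\x00"),
    ]
    return io.BytesIO(b"".join(sectors))


def demo() -> dict:
    media = build_constructed_media()
    image = acquire(media)
    good = authenticate(media, image)
    # Flip one bit in a working copy: authentication of that copy must fail.
    tampered = bytearray(image)
    tampered[SECTOR + 3] ^= 0x01
    bad = authenticate(media, bytes(tampered))
    # Constructed known-file set containing only the stock program's hash.
    known = {hashlib.sha256(b"calc.exe stub".ljust(SECTOR, b"\x00")).hexdigest()}
    artefacts = {
        "notes.txt": image[SECTOR:2 * SECTOR],
        "calc.exe": image[2 * SECTOR:3 * SECTOR],
        "unallocated": image[3 * SECTOR:4 * SECTOR],
    }
    remaining = reduce_known(artefacts, known)
    return {
        "image_size": len(image),
        "verified": good["verified"],
        "tamper_detected": not bad["verified"],
        "remaining": sorted(remaining),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash of the original is computed once and recorded before any analysis starts; every later copy (the working image and its backup) is checked against that recorded value, so the chain of custody carries a number the court can re-verify rather than an assurance.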

Chapter VI- Cyber Crime Investigations

6.1 Crime Related to Mobile Phones


Acquiring data from a mobile phone in a forensic manner is an important issue. Information
acquired from mobile phones is increasingly required as evidence in criminal investigations.
A mobile phone can potentially contain a large amount of information related to the user’s
actions, determined by their communication patterns, and information such as images, video
and audio recordings. As such, the information stored in a mobile phone may be important in
proving or disproving theories and allegations. Today we can treat a mobile phone in the
same manner as a computer, or any other electronic device. Before information produced by
such a device can be admitted as evidence, it must be shown that the device is functioning
correctly, and that the procedures used to obtain the information do not adversely affect the
validity of the information. Hence, the method by which information is obtained from a
mobile phone may have a direct effect on whether that information will be admissible as
evidence. If a certain method can be shown to alter data on the phone, the integrity of that
data may be questioned, and even shown to be inaccurate. The desired situation occurs when
a method can be proven to acquire data without making any changes to the phone’s memory;
information acquired using such a method will be admissible as evidence.

There are a number of different methods of acquiring information from a mobile phone. The
most convenient, however, is to use a software application running on a desktop computer to
send commands to the phone, the responses to which contain information stored in the
phone’s memory. Such an application communicates with some form of software or hardware
contained in the phone, which retrieves the data on behalf of the desktop application.

6.1.1 Case Study

CASE: A girl purchased goods online. After two days she received the item by courier. The
courier man gave her a receipt to sign and asked her to write her mobile number on it. Two
days later an unknown person sent bullying / hate messages through SMS to the girl. The girl
went to the police station and filed a complaint against the anonymous person who sent her
the offensive messages.

CASE: A boy was travelling on a bus. When he put his hand in his pocket to make a call, he
found that his mobile was gone; during the journey someone had stolen his mobile phone. He
stopped the bus near a police station and filed a complaint about the stolen mobile.

6.1.2 Location Mapping of Mobile Phones

6.1.2.1 PHONE NUMBER TRACING

You can easily trace a phone number through various software tools and through many
websites available on the internet, which help to locate the current position of the mobile if
some sort of tracking application is running on the lost phone. There are many tracking
applications for mobile phones freely available on the internet through which a lost mobile
can be traced. Some examples are:

Avast mobile security

This free invisible security app brings twin security measures for your handset by providing -
a mobile antivirus and mobile tracking/controls solution. What is great about the app is that
its anti-theft component is invisible to thieves, and provides remote options (via web portal or
SMS commands) for locating and recovering your phone. Time to say goodbye to 'lost'
phones.

Mobile chase-location tracker

This is another handy app to track your stolen or lost phone. This app detects when the
pickpocket changes the SIM card and, within 5 minutes, sends an SMS from the new SIM
number to your number, which has been stored in the application. The SMS contains GPS
location data or the current location code to aid in tracing.

Thief tracker

This one is our favorite. With the Thief tracker app, you get to catch the 'thief' red handed. Any
unsuccessful attempt to unlock your mobile will trigger this app to snap a picture from the
front camera and send you an email without the user even knowing it. However the app has
some limitations: it does not wipe data, and an attempt is considered unsuccessful only when
4 dots in the pattern are selected.

Smart look

This software also takes pictures of the 'thief' (three of them, in fact) and immediately e-mails
them to you. It also comes equipped with a continuous GPS tracking system linked to Google
Maps, which also assists in tracing your lost or stolen phone.

Anti- theft alarm

You will love this app. Simply activate the alarm and leave your phone on the table or
wherever, and if someone moves your phone an alarm will sound. The alarm will only stop
after entering a PIN. Those with sticky fingers, beware!

Kaspersky mobile security

Another popular app that provides anti-theft defense, allowing you to block, wipe or find
your missing phone. You can also easily filter unwanted SMS texts and calls. Plus, Anti-
Virus Lite with cloud-based security scanner alerts you to potentially malicious apps before
they can harm your phone.

Lookout security and antivirus

This free app houses a slew of features to protect and trace your phone. After downloading
the app, you will be able to find your phone on a Google Map instantly from Lookout.com,
sound a loud alarm or make your phone SCREAM to find it even if it’s on silent, and
automatically see your phone's last known location. That's not all: in addition this app
provides remote lock and data wipe facilities. It also offers Lookout premium coverage for a
small monthly fee for more stringent security.

Trend Micro mobile security & antivirus

Ranked as one of the top-selling security apps, Trend Micro mobile provides free antivirus
with a premium version which includes privacy scanning, web and contact filtering, parental
controls and anti-theft features. You can avail of a 30-day free trial to test various features like:
 Privacy scanner warns you of apps that potentially steal your information
 Surf, Call, Text Security keeps you and your kids safe by avoiding unwanted contact and
content
 Lost Device Protection includes anti-theft features that let you find, lock and wipe a missing
device

Plan B, Lookout mobile security

Well if plan A doesn't work, you don't need to fear, there is always Plan B. This 'find my
phone' app is the only app that you can download even after you have lost your phone. Using
'Plan B' requires access to the Android Market website and your Google account. After you
install it, Plan B will start locating your phone using cell towers and GPS. On some phones,
Plan B can switch GPS on automatically. Your location will keep updating for 10 minutes,
and you will get an email each time it is located, whether the phone is moving or standing
still. Information is also sent via SMS.

6.1.2.2 IMEI Tracing

Every smart phone has a unique IMEI number assigned to it and you can access it by dialing
*#06#. Once your phone's 15-digit IMEI number is displayed, write it down and keep it safe
for future reference. You can also retrieve the IMEI number by removing the battery. It is
usually listed on a white sticker along with the phone's serial number.

When you lose your handset, you will need to lodge an FIR with the police, attaching a copy
of the IMEI number with it. Then give a copy of this to your service provider, who can track
the phone based on its unique ID number and meanwhile block the handset so that it cannot
be used by anyone else. The IMEI number helps to track the handset even when the SIM is
changed or the SIM card is not activated. Once the phone is traced, the police should be able
to retrieve it.
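Before an IMEI taken from the *#06# screen or the battery label goes onto an FIR, it is worth checking that it was copied correctly. The 15-digit IMEI is an 8-digit Type Allocation Code (the handset model), a 6-digit serial and a Luhn check digit; the ICCID printed on a SIM card ends in a Luhn check digit too. The following added Python example (not code from the manual) validates both and splits the IMEI into its fields; the identifiers used in it are constructed samples, not real handsets.

```python
"""IMEI and ICCID sanity checks for an examiner's record (added example; not the manual's code).

An IMEI has 15 digits: an 8-digit TAC (Type Allocation Code, the handset model),
a 6-digit serial, and a Luhn check digit. The ICCID printed on a SIM also ends in
a Luhn check digit. Checking the digit before the number goes on the FIR catches
transcription errors. All identifiers below are constructed samples.
"""


def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a digit string that does not yet carry one."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # every second digit from the right, starting with the last of body
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True when the last digit is the correct Luhn check digit for the rest."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def normalise(raw: str) -> str:
    """Keep only digits: people copy IMEIs from the *#06# screen or the label with spaces/dashes."""
    return "".join(ch for ch in raw if ch.isdigit())


def parse_imei(raw: str) -> dict:
    """Validate a 15-digit IMEI and split it into TAC, serial and check digit."""
    imei = normalise(raw)
    if len(imei) != 15:
        return {"imei": imei, "valid": False, "reason": "IMEI must be 15 digits"}
    return {
        "imei": imei,
        "valid": luhn_valid(imei),
        "tac": imei[:8],
        "serial": imei[8:14],
        "check_digit": imei[14],
        "expected_check_digit": luhn_check_digit(imei[:14]),
    }


def parse_iccid(raw: str) -> dict:
    """ICCIDs are 19 or 20 digits, begin with 89 (telecom industry prefix) and end in a Luhn digit."""
    iccid = normalise(raw)
    return {
        "iccid": iccid,
        "valid": len(iccid) in (19, 20) and iccid.startswith("89") and luhn_valid(iccid),
    }


if __name__ == "__main__":
    print(parse_imei("49-015420-323751-8"))    # constructed sample, valid
    print(parse_imei("490154203237519"))       # last digit mistyped
    print(parse_iccid("8981012345678901230"))  # constructed sample, valid
```

A failed check does not mean the handset is fake; it means the number as written cannot be the one printed on the device, so it should be re-read from the phone before the service provider is asked to block it.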

As soon as the location of the mobile is mapped by the above-mentioned methods, we can go
on to mobile forensics for recovery of data, whether stored on or deleted from the mobile phone.

6.1.4 TOOLS USED FOR MOBILE FORENSICS

6.1.4.1 Mobile phone inspector utility

Mobile phone inspector utility generates a complete report of mobile and SIM card
phonebook entries, SMS capacity status and all other general information. The cell phone
forensic tool displays detailed information which includes the mobile manufacturer name,
mobile model number, mobile IMEI number, SIM IMSI number, signal quality and battery
status of the mobile phone. The mobile phone investigation program supports all major
brands of mobile manufacturer including Nokia, Haier, Motorola, Sony Ericsson, LG,
Samsung, Spice, i-mate, HP etc. The mobile investigation application provides the user with
VC++ source code useful for educational usage, customized development or scientific
investigation of mobile phone technology. The cell phone inspector utility displays all
phonebook entries with contact name and number, and displays the phonebook and SMS
capacity of the SIM card and mobile phone memory. The software can be easily installed and
uninstalled on a system running a Windows operating system such as Windows 98, 2000,
2003, ME, NT, XP and Windows Vista.

Features:
 Mobile inspector software provides a highly interactive graphical user interface for easy
software access.
 Cell phone forensic utility supports all brands of mobile phones including Nokia, Samsung,
Motorola, Sony, Spice etc.
 Mobile investigation utility displays SMS text messages along with date/time and sender
phone number.
 Cell phone inspector program generates a complete mobile phone report in a text or HTML
file for further reference.
 Software is easy to operate, so the end user does not require any technical skill to use this
tool.

Free download from Shareware Connection - Cell phone forensic tool shows battery status,
mobile model and SIM IMSI number

6.1.4.2 Mobile phone inspection software

Cell phone forensic software is a freeware utility that easily extracts your entire mobile and
SIM related data, including the IMEI number, SIM IMSI number, phonebook entries with
name and number, and text messages, from all Symbian OS based Nokia mobile phones and
other supported mobile devices. The mobile phone investigation application, with source code
in Microsoft Visual C++, MFC and embedded C++, is useful for organizations working on
AT+CPBR, AT+CBS, AT+CSQ, AT+CIMI and many other mobile technologies. The smart
phone inspection program is useful for developers to gain detailed knowledge of various
functions related to mobile phones such as CeCreateFile, CeCreateProcess, CeReadFile,
CeGetDeviceId, CeFindAllFiles, CeRegEnumKeyEx and CeRegOpenKey. The cell phone
forensic application easily gathers all general information from your GSM and CDMA mobile
phone. The mobile phone inspector software is available with Microsoft Visual C++ source
code and supports all Windows operating systems including Windows 98, NT, ME, 2000,
2003, XP and Vista. The smart phone investigation tool supports all branded mobile phones
such as Nokia, Motorola, Samsung, LG and Sony Ericsson. The mobile phone inspection
program is free of cost, but the user needs to pay if the software is required with its source
code.

Features:
 Mobile phone investigation application supports Windows CE and Windows Mobile (WM5,
WM6) based PDA cell phones.
 Cell phone surveillance tool is an innovative mobile investigator that pulls out SIM details,
SMS capacity, memory status, battery usage, IMEI number with model number and
phonebook entries.
 Mobile phone inspection tool can easily access your mobile phone through port connectivity
for gathering general as well as important information.
 Smart phone forensic utility is a read-only tool that provides complete SIM card
information.
 Freeware mobile phone inspector program allows users to fetch general details of all
Windows based mobile phones.
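The AT commands named above (AT+CPBR, AT+CSQ, AT+CIMI) are query commands from the GSM modem command set (3GPP TS 27.007): the desktop application sends them over the data cable and the phone answers with the requested values, which is what makes such a tool "read-only". The following is an added Python example, not the inspector utility's own code, showing how the replies are parsed into a report. The transcript it parses is a constructed copy of what a phone might answer (IMEI, IMSI, phonebook entries and signal quality are all made-up values), so it runs offline; a real tool would send each command over the serial/USB port and read the reply.

```python
"""Parsing read-only AT command responses from a GSM handset (added example, not the
inspector utility's code). AT+CGSN (IMEI), AT+CIMI (IMSI), AT+CSQ (signal quality)
and AT+CPBR (phonebook read) are query commands from 3GPP TS 27.007: they ask the
phone to report data and write nothing to it. TRANSCRIPT is a constructed copy of
what a phone might answer so the parser runs offline."""
import re

# Constructed transcript: each echoed command, its response lines, and the final result code.
TRANSCRIPT = """AT+CGSN
490154203237518
OK
AT+CIMI
404450123456789
OK
AT+CSQ
+CSQ: 20,99
OK
AT+CPBR=1,3
+CPBR: 1,"+911234567890",145,"Alice"
+CPBR: 3,"9876543210",129,"Bob"
OK
"""

CPBR_RE = re.compile(r'\+CPBR:\s*(\d+),"([^"]*)",(\d+),"([^"]*)"')
CSQ_RE = re.compile(r"\+CSQ:\s*(\d+),(\d+)")


def split_responses(transcript: str) -> dict:
    """Group the lines of each reply under the echoed command, keeping the final result code."""
    responses, current = {}, None
    for raw in transcript.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith("AT"):
            current = line.upper()
            responses[current] = {"lines": [], "result": None}
        elif current is None:
            continue                      # noise before the first command
        elif line in ("OK", "ERROR"):
            responses[current]["result"] = line
        else:
            responses[current]["lines"].append(line)
    return responses


def parse_cpbr(lines: list) -> list:
    """Phonebook entries: index, number, type-of-address (145 = international), name."""
    entries = []
    for line in lines:
        m = CPBR_RE.match(line)
        if m:
            index, number, toa, name = m.groups()
            entries.append({"index": int(index), "number": number,
                            "international": int(toa) == 145, "name": name})
    return entries


def parse_csq(lines: list):
    """RSSI 0..31 maps to -113 + 2*rssi dBm; 99 means unknown. BER 99 is also unknown."""
    m = CSQ_RE.match(lines[0]) if lines else None
    if not m:
        return None
    rssi, ber = int(m.group(1)), int(m.group(2))
    dbm = None if rssi == 99 else -113 + 2 * min(rssi, 31)
    return {"rssi": rssi, "dbm": dbm, "ber": ber, "ber_known": ber != 99}


def parse_imsi(imsi: str, mnc_len: int = 2) -> dict:
    """MCC is always 3 digits; MNC is 2 or 3 digits depending on the country.
    Indian networks (MCC 404/405) use 2, the default here; a real tool looks it up."""
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


def build_report(transcript: str = TRANSCRIPT) -> dict:
    """Assemble the kind of report the inspector utilities above write to a text/HTML file."""
    r = split_responses(transcript)
    return {
        "imei": r["AT+CGSN"]["lines"][0],
        "imsi": parse_imsi(r["AT+CIMI"]["lines"][0]),
        "signal": parse_csq(r["AT+CSQ"]["lines"]),
        "phonebook": parse_cpbr(r["AT+CPBR=1,3"]["lines"]),
        "all_ok": all(v["result"] == "OK" for v in r.values()),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_report(), indent=2))
```

The report keeps the raw transcript's result codes (`all_ok`), because a phonebook read that ended in `ERROR` is an incomplete extraction and should be recorded as such rather than silently reported as an empty phonebook.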

NOTE: For more forensic software, see
http://www.sharewareconnection.com/mobile-phone-inspection-software.htm

6.1.3 We can use XRY

XRY is a software application designed to run on the Windows operating system which
allows you to perform a secure forensic extraction of data from a wide variety of mobile
devices, such as smartphones, GPS navigation units, 3G modems, portable music players and
the latest tablets such as the iPad.

Extracting data from mobile / cell phones is a specialist skill and not the same as recovering
information from computers. Most mobile devices don't share the same operating systems
and are proprietary embedded devices which have unique configurations and operating
systems. What does that mean in terms of getting data out of them? Well, in simple terms, it
means it is very difficult to do. XRY has been designed and developed to make that process a
lot easier for you, with support for over 8,000 different mobile device profiles. We supply a
complete solution to get you what you need and the software guides you through the process
step by step to make it as easy as possible.

6.1.4 XRY logical

XRY Logical is a software based solution for any Windows based PC, complete with the
necessary hardware for forensic investigations of mobile devices. XRY is the standard in
mobile device forensics and the first choice among law enforcement agencies worldwide.

XRY Logical provides an intuitive and user friendly interface to analyze a wide range of
mobile phones through a secure examination process to recover data in a forensically secure
manner. The information gathered from the examined device is instantly available for review
in a secure and traceable manner, ensuring its legal standing and credibility in a court of law.

XRY Logical software enables investigators to perform ‘Logical’ data acquisition. This
forensic process is used to communicate with, and read the contents of, the device, which
typically generates live information. The software’s user interface is simple to navigate, with
a user friendly wizard designed to help guide you through the entire process from start to
finish so you can immediately start to recover data with confidence. With XRY, a tamper-
proof report is created within minutes which can easily be customized to a user’s needs,
including references and a user’s own branding as required. The generated report can be
printed in its entirety, or selected data required by the investigators can be prepared. Using
XRY’s export function, users are afforded a wide range of functionality to facilitate further
distribution and analysis of the data.

Included in the XRY Logical package

 XRY Application software
 XRY License key
 XRY Case with cable organizer
 XRY Logical mobile phone cable kit

6.1.5 XRY physical

XRY Physical is a software package for the physical recovery of data from mobile devices.
The memory dump from each individual device is a complex data structure, so Micro
Systemation has developed XRY Physical to make it easier to navigate this wealth of
information. XRY Physical is different because it lets forensics specialists push investigation
even further by performing a physical data acquisition – a process generating hex-dumps
from the phone memory, typically bypassing the device operating system. This frequently
leads to the recovery of deleted information.

XRY Physical has the advantage that it can reveal protected and deleted data, which may not
be available through a logical analysis. Crucially, using XRY Physical, it is also possible to
recover data from security locked phones. Through a process of dumping raw data followed
by automated decoding to reconstruct the content, XRY Physical can secure a whole new
layer of valuable data for investigators and forensic examiners.

Included with the XRY Physical system

 XRY Physical License key
 XRY Case with accessories
 XRY Physical Cable Kit
 Write protected universal memory card reader
 XACT hex-viewer application

6.1.6 XRY complete

THE ALL-IN-ONE MOBILE FORENSIC SYSTEM FROM MICRO SYSTEMATION

XRY Complete is the all-in-one mobile forensic system from Micro Systemation, combining
both our logical and physical solutions into one package. XRY Complete allows investigators
full access to all the possible methods to recover data from a mobile device.

XRY is a purpose built software based solution, complete with all the necessary hardware for
recovering data from mobile devices in a forensically secure manner. With XRY Complete
you can achieve more and go deeper into a mobile device to recover vital data. With a
combination of logical and physical analysis tools available for supported devices, XRY
Complete can produce a combined report containing both live and deleted data from the same
handset.

The XRY system is the first choice among law enforcement agencies worldwide, and
represents a complete mobile forensic system supplied with all the necessary equipment you
need to perform a forensic examination of a mobile device - straight out of the box. The
supplied XRY software application runs on Windows and is powerful enough to deal with all
of the modern demands of forensic examiners. The user interface is simple to navigate, with a
user friendly wizard designed to help guide you through the entire process from start to
finish, so you can immediately start to recover data with confidence.

Included in the XRY Complete package

 XRY Application software and licence key
 Briefcase with cable organizer
 XRY Communication unit
 XRY Complete mobile phone cable kit
 SIM id-Cloner device with 12 month license
 10 rewritable SIM id-Cloner examination cards
 Write protected universal memory card reader

6.1.7 XACT- Currently used by Jharkhand Police

XACT is a separate hex viewer software application which complements XRY Physical,
allowing examiners to view the raw hexadecimal data extracted during a physical dump of a
mobile device.

Whilst XRY Physical supports a considerable amount of automatic decoding, there will
always be times when an examiner needs to look at the original data for them to establish the
source of information. XACT provides mobile forensics specialists with the ability to
examine that data in detail.

With XACT you can import binary files from other sources if required and view the
hexadecimal data to see for yourself exactly where the data is.
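What "looking at the original data" means in practice: the physical dump is a flat run of bytes, and the examiner locates a value in the hex view and decodes the structure around it by hand to confirm where an automatically decoded entry came from. The added Python example below (not XRY or XACT code) does this for one SIM phonebook record. The dump is constructed: a 16-byte filler header followed by one EF_ADN record in the layout published in 3GPP TS 51.011 (alpha tag padded with 0xFF, a length byte, a TON/NPI byte, ten bytes of swapped-nibble BCD digits, then the CCP and Ext1 identifiers); the 10-byte alpha tag length and the name and number inside it are assumptions made for the demonstration.

```python
"""Hex view of a raw dump plus manual decoding of one SIM phonebook record.

Added example, not XRY/XACT code. The dump is constructed: a 16-byte header
followed by one EF_ADN record laid out as 3GPP TS 51.011 describes it:
alpha tag (X bytes, 0xFF padded), 1 byte length of the number field,
1 byte TON/NPI, 10 bytes of swapped-nibble BCD digits (0xF padded),
1 byte CCP id, 1 byte Ext1 id.
"""

ADN_ALPHA_LEN = 10   # assumption for this constructed file; real files vary per SIM

HEADER = b"SIMDUMP\x00" + b"\x00" * 8                        # constructed filler
ADN_RECORD = (b"Alice".ljust(ADN_ALPHA_LEN, b"\xFF")        # alpha tag, 0xFF padded
              + bytes([0x07])                               # 1 TON/NPI byte + 6 BCD bytes
              + bytes([0x91])                               # TON 001 = international
              + bytes([0x19, 0x21, 0x43, 0x65, 0x87, 0x09])  # 911234567890, nibbles swapped
              + b"\xFF" * 4                                 # unused digit bytes
              + b"\xFF\xFF")                                # CCP id, Ext1 id (none)
DUMP = HEADER + ADN_RECORD


def hexdump(data: bytes, width: int = 16) -> list:
    """The offset / hex / ASCII lines a hex viewer shows, one string per row."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:08X}  {hexpart:<{width * 3}} {asc}")
    return rows


def find_all(data: bytes, pattern: bytes) -> list:
    """Every offset at which pattern occurs, so the examiner can point to where the data sits."""
    offsets, start = [], 0
    while (idx := data.find(pattern, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets


def decode_bcd_number(raw: bytes) -> str:
    """Swapped-nibble BCD: low nibble first, then high nibble; 0xF ends the number."""
    digits = []
    for b in raw:
        for nibble in (b & 0x0F, b >> 4):
            if nibble == 0xF:
                return "".join(digits)
            digits.append(str(nibble) if nibble < 10 else "*#abc"[nibble - 10])
    return "".join(digits)


def parse_adn_record(record: bytes, alpha_len: int = ADN_ALPHA_LEN) -> dict:
    """Turn one EF_ADN record into name and dialled number."""
    # The alpha tag uses the GSM 7-bit default alphabet; for plain letters it matches ASCII.
    name = record[:alpha_len].rstrip(b"\xFF").decode("ascii", "replace")
    body = record[alpha_len:alpha_len + 14]
    num_len, ton_npi, bcd = body[0], body[1], body[2:12]
    if num_len == 0xFF:                           # empty record
        return {"name": name, "number": ""}
    number = decode_bcd_number(bcd[:num_len - 1])  # num_len counts the TON/NPI byte too
    if ((ton_npi >> 4) & 0x7) == 1:               # type of number 001 = international
        number = "+" + number
    return {"name": name, "number": number, "ton_npi": ton_npi}


def demo(dump: bytes = DUMP) -> dict:
    """Locate the name in the dump, then decode the record that starts there."""
    rec_off = find_all(dump, b"Alice")[0]
    record = parse_adn_record(dump[rec_off:rec_off + ADN_ALPHA_LEN + 14])
    return {"record_offset": rec_off, "record": record, "rows": hexdump(dump)}


if __name__ == "__main__":
    result = demo()
    print("\n".join(result["rows"]))
    print(result["record_offset"], result["record"])
```

The offset returned by `find_all` is what goes into the examiner's notes alongside the decoded number: it lets anyone with the same dump open a hex viewer at that address and see the bytes 19 21 43 65 87 09 that the number was reconstructed from.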

6.1.8 XRY SIM ID-CLONER

When examining GSM based mobile phones the forensic examiner is faced with two
challenges:

 Under the original GSM standards a mobile phone is required to have a SIM card
inserted before it will allow full access to the operating system and function
normally.
 If a GSM device is turned on with a live SIM card inserted, then it will attempt to
make a network connection and the risk of data contamination occurs.

The SIM id-Cloner card system solves these problems. It will prevent a GSM network
connection without affecting the normal operation of the device, allowing an examiner to
perform a logical extraction. It will also be of assistance to examiners faced with a mobile
phone which does not have the original SIM card present.

Under the GSM standards a mobile device should delete the call history if it detects that a
new SIM card has been inserted into it. An examiner who has a mobile without a SIM card
can use SIM id-Cloner to create a duplicate SIM card containing the same critical information
as the original SIM, which will then give access to the handset without causing the device to
delete the call history list. Please note that the examiner needs either the ICCID or the IMSI,
which normally requires contact with the mobile network operator, to perform this function.

This product is supplied as part of the XRY Logical system as standard, it can however be
purchased separately if required.

We can also use EnCase and FTK; their detailed working is explained below.

6.2 Crime related to Web Services

6.2.1 Case Study:

Case: An anonymous online group posts false information about the Row & Row company
on the message board of its website, which leads directly to a decrease in stock price or the
cancellation of a key deal. This is web defacement.

Case: Mahesh Mhatre and Anand Khare were arrested in 2002 for allegedly defacing the
website of the Mumbai Cyber Crime Cell. They had allegedly used password cracking
software to crack the FTP password for the police website. They then replaced the homepage
of the website with pornographic content. The duo was also charged with credit card fraud for
using 225 credit card numbers, mostly belonging to American citizens.

6.2.2 Block Diagram:

6.3 Crime Related to Financial Fraud / Banking Fraud

Case: The Hyderabad police in India arrested an unemployed computer operator and his
friend, a steward in a prominent five-star hotel, for stealing and misusing credit card numbers
belonging to hotel customers.

The steward noted down the various details of the credit cards, which were handed over by
clients of the hotel for paying their bills. Then he passed all the details to his computer
operator friend, who used the details to make online purchases on various websites.

Case: In 2004, the US Secret Service investigated and shut down an online organization that
trafficked in around 1.7 million stolen credit cards and stolen identity information and
documents.

This high-profile case, known as “Operation Firewall”, focused on a criminal organization of
some 4,000 members whose website functioned as a hub for identity theft activity.

6.3.1 Block Diagram:

CREDIT CARD FRAUD / BANKING FRAUD

6.4 Procedure of Forensics

6.4.1 EnCase Layout
EnCase divides its screen real estate into four windows that are named for their primary
examination function: the Tree pane (formerly the Left pane), the Table pane (formerly the
Right pane), the View pane (formerly the Bottom pane), and the Filter pane (new to EnCase
Version 5). Granularity or detail increases as you move through the primary panes from the
Tree pane, to the Table pane, and finally to the View pane. If detail of any object is needed,
place the cursor focus on it (in other words, highlight it) in the Tree pane, and the Table pane
will display the details about that object. If you want more details about an object in the
Table pane, highlight it in the Table pane and the details will appear in the View pane. Once
you get down to the data level of granularity in the View pane, you can even view or interpret
that data in different ways, effectively getting still more information or granularity from the
View pane.

In addition to letting you work with a case in the Case Entries view, EnCase offers many
other views or features that function in the same manner, providing more granularity as you
move through the viewing panes. EnCase further organizes its views into global views,
case-level views, and case-level view subtabs. This hierarchical view is controlled with three
bars at the top of the Tree pane, populated with tabs representing the various views. The bars
are arranged in a descending hierarchy, with the top bar representing global options, the
second bar representing case-level options, and the third bar representing case-level view
subtabs. As the tabs are highlighted (or brought to the front in a three-dimensional sense),
their path becomes visible in the hierarchical tree. Once you take a few minutes to familiarize
yourself with how it works, it is very intuitive and easy to find your way around.

EnCase divides its screen real estate into the Tree, Table, and View panes

6.4.1.2 Creating a Case

The Tree pane is the starting point for the detail that follows in the other two panes.
However, before we can work with the Tree pane, or any pane for that matter, we need to
have a case open. And before we can have a case open, we need to create a case. When
EnCase starts, it opens by default in the Case view. In the Case view, you create a case by
clicking the New button on the toolbar. Alternatively, you could select File > New. After you
click the New button, the following dialog box will appear.

The Case Options dialog box

Name
Enter a descriptive name for your case, which may include a case or complaint number. The
text you enter here will show in the case folder under the Cases tab view. When you have
many cases to manage, being very descriptive and detailed while still being brief is quite
helpful.

Examiner Name
Enter the examiner’s (your) name in this space. EnCase will not let you proceed if you don’t
make an entry, and it will remember your last entry for future cases in the local.ini file
contained in the EnCase5\Config folder.

Default Export Folder
This folder will be the default location for files that are exported from within EnCase. Also,
when you choose to “copy/unerase” files, this will be the default location for that feature as
well. Some EnScripts will use this location for output too.

Temporary Folder

The Temp folder is used to store files when EnCase is directed to send a file to an external
viewer. Before the external viewer can see a file, it must first be copied out of EnCase and
into the Windows environment. This folder holds those files for this purpose. When you
exit EnCase, files in the Temp folder are removed. If a system crash occurs, this purging
won’t take place. For this reason, files can accumulate in the Temp folder, and if you have a
system crash, you may wish to delete them as they can sometimes get quite large in number
and size.

6.4.1.2 Creating Case Template on Desktop

Create a case file template on your desktop. Whenever you need to create a case, copy this
folder into the Cases folder of your case information drive. Rename the template folder to
your case name, and you are done in seconds.

Case file organization and management are extremely important skills for an examiner
to acquire. In the early days of computer forensics, each case image was kept on its own drive
to prevent cross-contamination of data. As caseloads grew and technology evolved, best
practices have been modified accordingly.
As EnCase encapsulates a device image into an evidence file that has powerful and
redundant internal integrity checks, cross-contamination of image files is not the issue it was
in the past. In that regard and in many other areas, EnCase has changed the face of computer
forensics and, with it, best practices. Many labs have massive storage servers that store EnCase
evidence and case files. Instead of segregating storage in separate physical devices as in the
past, storage today is often networked and segregated by distinctive folder-naming
conventions that are consistent with best practices for case management. In this manner,
several examiners can access the same evidence files concurrently and work on different
facets of the same case as a team.

Multiple cases stored in a single Cases folder.

As soon as you have created your case, you should save it by clicking Save on the toolbar.
Consistent with our file-naming and organization conventions, you want to save it in the
root of the folder that names your unique case. The file name will default to the name of the
case that you entered in the Name field of the Case Options dialog box. It is a good practice to
have the case, the case file, and the case folder all named the same. It’s also wise to
incorporate the case file name as part of the evidence file name. When they are all named
consistently, errors and confusion are less likely to occur. If the files are misplaced, the
naming convention alone can associate them with their lost relatives.

After you have created a case and saved it, it is time to add evidence to that case. To do
so, click Add Device, which is located on the toolbar. Adding a device is not an option until
you either create a case or open a case. At this stage, you can use the dialog box to add a live
device for preview and possible acquisition, or you can add an evidence file to your case. If
you are operating in the Enterprise or FIM environment, you can connect to a network device
that is running the servlet. Once you have added a device to your case, save your case.

There is a saying that has its roots in Chicago during its earlier years: “Vote early and
vote often.” In forensics, you should apply similar logic by saving early and saving often. Get
into the habit of clicking the Save button anytime you have completed significant work and
when you are about to embark on a new task or process. EnCase supports many different file
systems, which may be mounted in the same case and searched simultaneously.

The figure above shows a physical device (live in this case, with a blue triangle in the lower
right) and its associated volume. The physical device icon is a depiction of a hard drive with
the arm and heads spanning the platter. It takes some imagination, but that’s what it is. The
volume icon is a gray 3-D box of some sort.

A “live” physical device and its associated volume, where the physical device has a blue triangle
in the lower right, indicating it is a live device.

A floppy disk icon is shown with one folder, which has an “X” in it, indicating it is a
“deleted” folder.

You can “expand all” or “contract all” by right-clicking on an object in the Tree pane.

6.4.1.3 Process

1. Two machines are involved:

   PC A: the machine on which the image is to be extracted (the examiner's machine running EnCase).
   PC B: the machine whose image has to be extracted (the subject machine).

2. PC A: Settings in PC A
   Internet Protocol Version 4 (TCP/IPv4)
   - IP address 192.168.0.1
   - Subnet mask 255.255.255.0

3. PC B: Settings in PC B
   - Insert the EnCase boot live CD in the CD-ROM drive.
   - Boot the PC from the CD-ROM (the BIOS boot order has to be changed).

4. Connect PC A and PC B with a crossover cable.

5. Switch on PC B (the PC will start in live CD mode).

6. Switch on PC A and start the EnCase software.

[Note: INSERT THE ENCASE DONGLE IN THE USB PORT OF PC A.]

6.4.1.4 Countermeasures
Because EnCase is well known and popular with law enforcement agencies, considerable
research has been conducted into defeating it. The Metasploit project produces an anti-
forensics toolkit, which includes tools intended to prevent EnCase from recovering data.

Furthermore, because law enforcement procedures involving EnCase are documented in a way
that is available for public scrutiny in many judicial systems, those wishing to defend
themselves against its use have a considerable pool of information to study.

Copies of EnCase have been widely leaked on peer-to-peer and other file sharing networks,
which allows full analysis of the software. Proof-of-concept code exists that can cause EnCase
to crash, or even use buffer overflow exploits to run arbitrary code on the investigator's
computer. It is known that EnCase is vulnerable to zip bombs, for example 42.zip.
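A defensive check against the zip-bomb weakness mentioned above, as an added example (not code from EnCase, FTK or the report): the workstation screens an archive from its central directory before any forensic tool expands it. The thresholds, the depth limit and the sample archives are constructed assumptions.

```python
"""Pre-screening archives for nested zip bombs (added example; not EnCase's or FTK's code).

The text notes that EnCase can be crashed by zip bombs such as 42.zip. Before an archive is
handed to a forensic tool, the workstation can inspect it from its central directory
(declared sizes), recurse into nested zips in memory under a hard depth limit, and
quarantine anything whose declared expansion is excessive. Thresholds are constructed.
"""
import io
import zipfile

MAX_DEPTH = 4                          # nesting levels we are willing to descend
MAX_TOTAL_BYTES = 64 * 1024 * 1024     # budget for the declared uncompressed total
MAX_RATIO = 100.0                      # declared uncompressed/compressed ratio limit


def inspect_zip(data, depth=0):
    """Return (declared_total, worst_ratio, deepest_level); payloads are never expanded."""
    total, worst, deepest = 0, 0.0, depth
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            total += info.file_size
            if info.compress_size:
                worst = max(worst, info.file_size / info.compress_size)
            if info.filename.lower().endswith(".zip") and depth < MAX_DEPTH:
                if info.file_size > MAX_TOTAL_BYTES:   # declared too big to even look inside
                    return total, float("inf"), depth + 1
                # only nested .zip members are read, and only after the size check above
                t, r, d = inspect_zip(zf.read(info), depth + 1)
                total, worst, deepest = total + t, max(worst, r), max(deepest, d)
    return total, worst, deepest


def is_suspicious(data):
    """True when the archive should be quarantined instead of opened by a forensic tool."""
    try:
        total, ratio, deepest = inspect_zip(data)
    except zipfile.BadZipFile:
        return True                                  # malformed container: hostile input
    return total > MAX_TOTAL_BYTES or ratio > MAX_RATIO or deepest >= MAX_DEPTH


def _zip_of(members):
    """Constructed helper: build an in-memory deflated zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_nested_bomb(payload=1024 * 1024, layers=3, fan_out=4):
    """Constructed sample: 1 MiB of zeros wrapped in `layers` levels of `fan_out` copies."""
    blob = _zip_of({"0.bin": b"\0" * payload})
    for _ in range(layers):
        blob = _zip_of({f"{i}.zip": blob for i in range(fan_out)})
    return blob


def build_benign_zip():
    """Constructed sample: an ordinary small archive that should pass screening."""
    return _zip_of({"report.txt": bytes(range(256)) * 8, "notes.txt": b"case notes\n" * 20})
```

The declared sizes come from the archive itself, so the ratio and depth checks matter as much as the total: a hostile archive can understate what it expands to.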

6.4.2 FTK
6.4.2.1 USES OF FTK
Instant Searching Capability

Because all files have been indexed, FTK can make a full-text index of every alphanumeric
string contained in those files. This full-text index allows for instantaneous keyword
searching across all the data on the hard drive.

Instant keyword searching in FTK allows for quicker investigations. Competing products that use
linear, flat-file imaging technology make the investigator wait while the program searches for
the particular keyword from the beginning of the hard drive to the end.
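The indexing idea described above, as an added example (this is not FTK's own code): every file is tokenized once into its alphanumeric strings and stored in an inverted index, so a keyword query becomes a dictionary lookup instead of a rescan of every byte. The sample "files" and their contents are constructed.

```python
"""Full-text index of alphanumeric strings (added example; not FTK's own code).

Shows the indexing idea described above: every file is tokenized once into its
alphanumeric strings and stored in an inverted index (token -> file -> offsets), so a
keyword query is a dictionary lookup rather than a scan of every byte on the drive.
The file set below is constructed; a real case would index the acquired evidence.
"""
import re
from collections import defaultdict

TOKEN = re.compile(rb"[A-Za-z0-9]+")   # alphanumeric strings, the unit being indexed

# Constructed sample "files": byte contents keyed by name (one is non-text on purpose)
FILES = {
    "memo.txt": b"Transfer 45000 INR to account 778812 via NEFT",
    "chat.log": b"neft done? account 778812 ok",
    "image.bin": b"\x00\x01NEFT\x02\xff",
}


def build_index(files):
    """One pass over all data: {token_lower: {file_name: [byte_offset, ...]}}."""
    index = defaultdict(lambda: defaultdict(list))
    for name, data in files.items():
        for m in TOKEN.finditer(data):
            index[m.group().lower()][name].append(m.start())
    return index


def search(index, keyword):
    """Instant lookup: one dictionary access, independent of how much data was indexed."""
    hits = index.get(keyword.lower().encode(), {})
    return {name: list(offsets) for name, offsets in hits.items()}


def files_with_all(index, keywords):
    """Files in which every keyword occurs (intersection of the per-token postings)."""
    sets = [set(search(index, k)) for k in keywords]
    return sorted(set.intersection(*sets)) if sets else []


def linear_search(files, keyword):
    """The flat-file approach the text contrasts with: rescan every byte for each query."""
    pat = re.compile(rb"(?<![A-Za-z0-9])" + re.escape(keyword.encode()) + rb"(?![A-Za-z0-9])",
                     re.IGNORECASE)
    hits = {}
    for name, data in files.items():
        offsets = [m.start() for m in pat.finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


if __name__ == "__main__":
    idx = build_index(FILES)
    print(search(idx, "NEFT"))                     # same answer as linear_search, no rescan
    print(files_with_all(idx, ["account", "778812"]))
```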

6.4.2.2 FTK is a solution for Decryption and Password Recovery

Wrong-doers often cover their tracks by deleting or encrypting documents. FTK recovers
deleted files and also decrypts files. First off, FTK’s indexing ability identifies all the
encrypted documents up front, which allows the investigator to quickly begin the decryption
process.

6.4.2.3 FTK allows for a graphical interface filtering function.

Filter options allow users to define criteria to speedily locate and identify evidence. The user
doesn’t need to learn to program scripts as you do with competing software. In FTK,
filters are created by a simple click of the mouse. Because all the data is in a database, getting
results from the filters is instantaneous.

The screen shot below illustrates the simplicity of creating a custom filter in FTK as well as
just some of the items you can filter on:

6.4.2.4 WORKING WITH FTK

Identify the basic FTK interface components including the menu and tool bar options and the
program tabs.

 Create a case.

 Add evidence to a case.

 Obtain basic analysis data including file and folder properties, file formats, metadata
and specific file information such as dates and times.

 Export files.

 Use the Copy Special feature to export information about case files.

6.4.2.5 PROCESSING THE CASE:

 Graphics

 Identify the elements of a graphics case.

 Identify standard graphics formats.

 Navigate the FTK Graphics tab.

 Use the List All Descendants feature

 Export graphics files and hash sets.

 Tag graphics files using the Bookmarks feature.

 Use the Thumbnail feature.

 E-Mail

 Identify the elements of an e-mail case.

 Identify supported e-mail types.

 Navigate the FTK E-mail tab.

 Find a word or phrase in an e-mail message or attachment.

 Bookmark e-mail items.

 Export e-mail items.

 Print e-mail items.

Chapter- VII Challenges in Investigation of Cybercrime
7.1 Technical Issues

[Figure: Technical Issues: Search and Seizure; Understanding of Cryptographic Concept]

7.1.1 Search and Seizure

There are two methods through which data can be obtained. The first is the legal method, in
which the scene of the crime is analysed and searched for devices that are helpful and can be
used as evidence. The other is the technical method of obtaining data, in which systems or
devices are monitored for the information they transmit.

The major issue in the process of search and seizure arises when digital evidence is seized
from hard drives on networked systems, where relevant and irrelevant material are present
together. The practical problem arises when hard drives and other digital devices are analysed:
officials cannot easily tell which data is most relevant and which is not. This creates problems
with search warrants where non-specified data are included in the hard drive, possibly leading
to the invalidity of the whole search and seizure procedure. It is practically impossible to
examine the relevancy of the 80GB of data that a hard drive may contain. This problem of search
and seizure of computers is one of the sensitive issues in the legal dimension, particularly in
requests to foreign countries. Now, however, things have changed: many new technologies have
emerged, and digital devices or PDAs are now analysed only after a clone of that particular
device has been made with the help of different forensic tools and methods.

7.1.2 Understanding of Cryptographic Concept

This is one of the major issues faced by cybercrime investigators or cyber forensics teams
during an investigation. Officials find hard drives or other digital devices in the process of
search and seizure at the spot or location where the crime took place, and these serve as
evidence. In some cases, however, these devices are in encrypted form, which the culprit has
done to hide the information. The investigator then faces the problem of decrypting that
particular data or device to gather information about the culprit or the crime committed. In
many cases investigators did not know how to decrypt data, but with the help of some forensic
tools and methods this issue is easily handled by the officials.

If all else fails, investigators may try to break encryption codes, although this is difficult, time
consuming and costly and would be inappropriate in most of the serious matters.

7.2 Legal Issues

[Figure: Legal problems: Difficulties in terminology; Choosing of appropriate jurisdiction]

7.2.1 Difficulties in terminology

In the IT Act, 2000 there are many difficulties in terminology as well as in definitions, which
make it hard for police officials to understand the basic terms. However, while solving or
investigating the case, if anyone is found guilty then he/she must be liable under the sections
of the Information Technology Act, 2000 (Amended 2008), read with sections of the Indian Penal
Code, 1860, depending upon the circumstances of the crime. Hence, investigators also need a
basic knowledge of other Indian laws as well.

There are many terms which are not discussed in the IT Act, 2000 (Amended 2008) and which
create confusion in the minds of officials. One of them is cybersquatting, the act of registering
a domain name in order to sell it later for profit; no remedy for this issue is available in the
IT Act, 2000, and several other issues likewise remain unaddressed in any law proceedings.

7.2.2 Choosing of Appropriate Jurisdiction

The jurisdictional problem is one of the important issues to cope with in the matter of
cybercrimes, which arises because of the universal nature of cyberspace. With the help of the
internet, cyber terrorists perform their activities against any country to harm its sovereignty
and integrity. Some new methods of dispute resolution have been introduced by international
organizations such as the WTO; different organizations promote their policies and rules to
combat cybercrime in their particular field or domain.

In some cases offences are committed from outside the country by hackers who sometimes use
proxy networks, which make the activity appear to originate from a different place or even a
different country. The question then arises during investigation of which court should deal
with the particular matter.

7.3 Other Issues

There are some more issues or limitations which arise during cybercrime investigation by
police officials.

7.3.1 Complexity in collecting evidence

Investigators face many complexities while collecting digital devices as evidence, especially
when they are in encrypted form, because decrypting the device and gathering data is a
difficult and time-consuming process which affects the further proceedings of the
investigation.

The other term for digital devices is electronic record, which is defined under the IT Act,
2000 (Amended 2008) in section 2(t): ‘electronic record’ means data, record or data
generated, image or sound stored, received or sent in an electronic form or micro film or
computer generated micro fiche.

Loss of evidence is a very common and obvious problem, as data are routinely destroyed.
Further, collection of data outside the territorial extent also paralyses this system of crime
investigation.

7.3.2 Logistical and Practical Barriers

Conducting investigations across national borders raises many practical problems that affect
the investigation process and increase the expenses. For example, if a crime is committed
outside the particular country then it is hard to investigate the whole course of the crime. In
this situation investigators take the support of teleconferences, which are difficult to arrange
at times suitable for all concerned.

Documents also often need to be translated, particularly if required for diplomatic purposes.
This can cost considerable sums and again delays investigations. Witnesses from non-English
speaking countries may need the assistance of interpreters, which can also be expensive and
slow down the investigation process.

7.3.3 Identifying Suspects

Identification of the suspect is also a key problem generally faced by investigators, as there
are many cases in which the accused are children who are minors (less than 18 years). As
noticed by the Jharkhand police, there are some cases in which the culprits are school students
between classes 8 and 12, who are involved in financial fraud as well. Occasionally, this can
lead to considerable problems, including whether the wrong person has been arrested for that
particular crime.

7.3.4 Lack of awareness and knowledge

The main reason behind these issues is that officials lack awareness and knowledge of
cybercrime investigation. Some of them do not know the proper jurisdiction or the methods of
collecting and analysing evidence. Their rights and duties are not clearly mentioned anywhere,
and the IT Act 2000 did not achieve any great success in this respect. Most cases go unreported
because officials do not know how to file a report or how the sections are applied to that
particular offence.

If people are vigilant about their rights, the law definitely protects them. When an
investigator performs an investigation, he suffers from these problems. Suppose he is
investigating a particular case related to cyber stalking or an ICMP mask attack: such a term
is difficult for the police to understand, both what it exactly means and how these types of
offences are committed.

For example, the Delhi High Court in October 2002 prevented a person from selling pirated
software (Microsoft) over an online auction site. An achievement was also made in the case
before the court of the metropolitan magistrate, Delhi, where a person was convicted for online
cheating by buying Sony products using a stolen credit card.

7.3.5 Lack of training

The major drawback that affects police officials during the investigation of cybercrime is lack
of training: many officials do not know about new technologies, and those who do often still
lack the practical skills needed for the investigation. For filing evidence in a court of law,
officials must attain a basic knowledge of every sector in the field of information technology
along with its legal aspects, which is possible only when police officials receive training or
the government starts a campaign to train these officials.

7.4 Actions and Power of Police Officials

Police officials and investigators have to take certain steps and several other actions to solve
cases involving cyberspace. Their powers are set out in Indian law under the Code of Criminal
Procedure (CrPC) and the Information Technology Act, 2000 (Amended 2008), as follows:

1. Section 80 of IT Act, 2000: Power of police officer to enter any public place and
search & arrest.
2. Section 78 of IT Act, 2000: Power to investigate offences (not below rank of
inspector).
3. Section 156 Cr.P.C: Power to investigate cognizable offences.
4. Section 155 Cr.P.C: Power to investigate non-cognizable offences.
5. Section 91 Cr.P.C: Summon to produce documents.
6. Section 160 Cr.P.C: Summon to require attendance of witnesses.
7. Section 165 Cr.P.C: Search by police officer.
8. Section 93 Cr.P.C: General provision as to search warrants.
9. Section 47 Cr.P.C: Search to arrest the accused.

ANNEXURES

Annexure-1 Cyber Cells In India


Columns: State/City; Address; Contact Details; Website/E-mail ID

Assam
  Address: CID HQ Dy. SP, Assam Police
  Contact: +91-361-252-618, +91-9435045242
  E-mail: Ssp_cod@assampolice.com

Chennai
  Address: Assistant Commissioner of Police, Cyber Crime Cell, Commissioner office campus, Egmore, Chennai-600008
  Contact: +91-40-5549-8211
  E-mail: s.balu@nic.in

For Rest of Tamil Nadu
  Address: Cyber Crime Cell, CB, CID, Chennai
  Contact: +91-44-2250-2512
  E-mail: cbcyber@tn.nic.in

Bangalore (for whole of Karnataka)
  Address: Cyber Crime Police Station, C.O.D. Headquarters, Carlton House, # 1, Palace Road, Bangalore – 560001
  Contact: +91-80-2220-1026, +91-80-2294-3050, +91-80-2238-7611 (fax)
  Website: http://www.cyberpolicebangalore.nic.in/
  E-mail: ccps@blr.vsnl.net.in, ccps@kar.nic.in

Hyderabad
  Address: Cyber Crime Police Station, Crime Investigation Department, 3rd Floor, D.G.P. office, Lakdikapool, Hyderabad-500004
  Contact: +91-40-2324-0663, +91-40-2785-2274, +91-40-2758-2040, +91-40-2329-7474 (fax)
  Website: http://www.cidap.gov.in/cybercrimes.aspx
  E-mail: cidap@cidap.gov.in, info@cidap.gov.in, cybercell_hyd@hyd.appolice.gov.in

Delhi
  Address: CBI Cyber Crime Cell: Superintendent of Police, Cyber Crime Investigation Cell, Central Bureau of Investigation, 5th Floor, Block No. 3, CGO Complex, Lodhi Road, New Delhi-3
  Contact: +91-11-4362203, +91-11-4392424
  Website: http://cbi.nic.in/
  E-mail: cbiccic@bol.net.in

Thane
  Address: 3rd Floor, Police Commissioner Office, Near Court Naka, Thane West, Thane-400601
  Contact: +91-22-2542-4444
  Website: www.thanepolice.org
  E-mail: police@thaneplice.org

Pune
  Address: Deputy Commissioner of Police (Crime), Office of the Commissioner Office, 2, Sadhu Vaswani Road, Camp, Pune-411001
  Contact: +91-20-2612-3346, +91-20-2612-7277, +91-20-2616-5396, +91-20-2612-8105 (Fax)
  Website: www.punepolice.gov.in
  E-mail: crimecomp.pune@nic.in, punepolice@vsnl.com

Gujarat
  Address: DIG, CID, Crime and Railways, Fifth Floor, Police Bhavan, Sector-18, Gandhinagar-382018
  Contact: +91-79-2325-4384, +91-79-2325-0798, +91-79-2325-3917 (fax)

Jharkhand
  Address: IG-CID, Organized Crime, Rajarani Building, Doranda, Ranchi, 834002
  Contact: +91-651-2400-737/738
  E-mail: a.gupta@jharkhandpolice.gov.in

Haryana
  Address: Cyber Crime and Technical Investigation Cell, Joint Commissioner of Police, old S.P. Office complex, Civil Lines, Gurgaon
  E-mail: jtcp.ggn@hry.nic.in

Mumbai
  Address: Cyber Crime Investigation Cell, Office of Commissioner of Police office, Annex-3 Building, 1st floor, Near Crawford Market, Mumbai-01
  Contact: +91-22-2263-0829, +91-22-2264-1261
  Website: http://www.cybercellmumbai.com
  E-mail: officer@cybercellmumbai.com

Himachal Pradesh
  Address: CID Office, Dy. SP, Himachal Pradesh
  Contact: +91-94180-39449
  E-mail: soodbrijesh9@gmail.com

Jammu
  Address: SSP, Crime, CPO Complex, Panjtirthi, Jammu-180004
  Contact: +91-191-257-8901
  E-mail: sspcrmjmu-jk@nic.in

Kerala
  Address: Hitech cell, Police Headquarters, Thiruvananthapuram
  Contact: +91-471272-1547, +91-471272-2768
  E-mail: hitechcell@keralapolice.gov.in

Meghalaya
  Address: SCRB Superintendent of Police, Meghalaya
  Contact: +91-98630-64997
  E-mail: scrb-meg@nic.in

Bihar
  Address: Cyber Crime Investigation Unit, Dy. S.P. Kotwali Police Station, Patna
  Contact: +91-94318-18398
  E-mail: cciu-bih@nic.in

Orissa
  Address: CID, Crime Branch, Orissa
  Contact: +91-94374-50370
  E-mail: splcidcb.orpol@nic.in

Punjab
  Address: Cyber Crime Police Station, DSP Cyber Crime, S.A.S. Nagar, Patiala, Punjab
  Contact: +91-172-2748-100

West Bengal
  Address: CID, Cyber Crime, West Bengal
  Contact: +9133-2450-6163
  E-mail: occyber@cidwestbengal.gov.in

Uttar Pradesh
  Address: Cyber Complaints Redressal Cell, Nodal Officer Cyber cell Agra, Agra Range 7, Kutchery Road, Baluganj, Agra-232001, Uttar Pradesh
  Contact: +91-9410-837559
  E-mail: info@cybercellagra.com

Uttarakhand
  Address: Special Task Force Office, Sub Inspector of Police, Dehradun
  Contact: +91-13526-40982, +91-94123-70272
  E-mail: dgc-police-us@nic.in

Manipur
  Address: SP, CID, Crime Branch, Jail Road, 1st bat Manipur rifle campus, Imphal-411001
  Contact: 0385-2451501, 9436027465
  E-mail: cidcb@man.nic.in
