Vinamra Rai
Gopal Singh
Gaurav Chaurasia
Jharkhand Police Initiatives
The Jharkhand state government took some useful and big steps to take command of cyber security by establishing the first ever research centre in the field of the cyber world, the Cyber Defence Research Centre (CDRC), Ranchi, which is a joint initiative of the Government of the State of Jharkhand and the Jharkhand State Police (Special Branch). The organization has been set up with the directive of building capability in proactively controlling cybercrime and providing cyber security across the state. CDRC operates from the State Police HQ in Ranchi and oversees the entire state to identify areas of improvement and to implement measures to address cybercrime and cyber threats. The goal is to make Jharkhand a model state in the country in respect of cyber security control.
The objective of CDRC is to engage in various activities and research aimed at raising the level of cyber security in Jharkhand State, as indicated in the brief list below:
Law Enforcement, Investigation and Forensics Assistance to State CID, Cyber cells
and Police units
Cyber Café Controls
Cyber Intelligence
Technology Development
Responsible Disclosure
Public and Industry Awareness
Research
Anti-Piracy
Secure Wi-Fi
Cybercrime Helpline, Public Outreach
Telecom Security
Cyber terrorism controls
State Critical Infrastructure
National/International tie-up to further our capabilities in these domains
MISSION
The CDRC team will work as a research team to help build a proactive and resilient cyber
defense system and provide solutions to State Government departments and agencies in a
guided manner while keeping a watch on malicious attempts for hacking of websites and IT
infrastructure belonging to the State Government, private organisations and PSUs. CDRC
will endeavor to work in an advisory capacity and not as an investigative body.
Declaration
We (Kumar Saurabh, Neel Nayak, Vinamra Rai, Gopal Singh, Vineet Kumar Mishra, Gaurav Chaurasia), the students of M.S. Cyber Law and Information Security, hereby declare that the project titled “Cyber Crime Investigation Manual” is submitted by us to the department of Special Branch, Cyber Defence Research Centre, Jharkhand Police, Ranchi, in partial fulfillment of the requirement for the award of the training and internship programme.
Kumar Saurabh
Neel Nayak
Vinamra Rai
Gopal Singh
Gaurav Chaurasia
Acknowledgement
We would like to express our deepest appreciation to Chief Technology Officer Mr. Vineet Kumar (Cyber Defence Research Centre, Ranchi), who has the attitude and the substance of a genius: he continually and convincingly conveyed a spirit of adventure in regard to research and scholarship, and an excitement in regard to teaching, by providing us with valuable suggestions and guidance on techno-legal concepts which helped us to complete our project.
We would also like to thank the other faculty members as well as our friends who gave their timely help, encouragement and criticism during the various stages of the project, without which it would not have been easy to complete our task up to the mark.
We also thank the Cyber Defence Research Centre (C.D.R.C.), which gave us, the students of The National Law Institute University, Bhopal pursuing the Master of Science in Cyber Law and Information Security (M.S.C.L.I.S.) under the course coordinator Mr. Atul Kumar Pandey (Asstt. Prof. NLIU, Bhopal), the opportunity to complete our internship programme with their organization.
_________________
Kumar Saurabh
Neel Nayak
Vinamra Rai
Gopal Singh
Gaurav Chaurasia
INDEX
Title Page No.
Chapter-I Introduction 16
1.1 Overview of Cyber Crime 16
2.1 Definition 19
4. Digital evidence 51
4.1 Introduction- 51
4.4. 57
4.5.5. Other- 68
4.6. Search and Seizure- 68
4.7. Handling of evidence-(Annexure-3)70
4.7.1. For desktop and laptop computer (which are in switched off state) 70
5.2 Importance 80
5.3 Techniques 80
5.5 Methodology 91
6.3 Crime Related to Financial Fraud/ Banking Fraud 109
7.3.3 Identifying Suspects 132
7.3.4 Lack of awareness and knowledge 132
Annexure-1 135
Annexure 2 138
Annexure 3 140
Annexure 4 142
GLOSSARY 145
“Cyber Crime Investigation Manual”
Need for preparing manual
In the 21st century technology advances and develops day by day. New technologies attract people because they suit busy and hectic schedules: they save time and bring many benefits.
The 21st century is also known as the era of an upcoming war, termed cyber war, where the fight is not between arms and explosives but between computers, laptops and other electronic devices running web applications. According to specialists and experts, this war can take place at any time anywhere in the world. Many people become involved in it as they gather knowledge of new and advancing technologies and begin to apply it. Among the many people, technicians and experts involved, many are known as hackers.
The concept of cyber war arose among experts as the world was introduced to many technologies which spread rapidly among people. Government organisations, business firms, the private sector and many other sectors have started offering their services online, which attracts people because it demands less effort from them; even important government departments such as post offices and banks have put their services online for every individual. The point is that if an organisation supports any online activity, it must also provide security at a high level, which is possible only with the help of experts, or of a person with sound knowledge of all the technologies running in the organisation. It is equally important for every individual to obtain proper security for his or her investments and savings.
The challenges in such cases are not only technological but also jurisdictional. Many countries are combating cybercrime by implementing laws and acts; India addresses its jurisdictional problems through the Information Technology Act, 2000 (amended 2008), with certain guidelines and various laws against cybercrime, each with its objective.
The issue facing the Indian Government is that many of its officials do not know how to investigate cybercrimes. This is not a problem of the Indian government alone; many other countries face the same problem with their officials. To overcome this issue the government has to promote officials who are experts with sound knowledge of cybercrimes and their solutions and, last but not least, a fine knowledge of cyber laws and their implementation. This is important because many officials lack proper knowledge of cyber laws and, while handling a case, charge sections according to their own understanding, which creates a problem for the accused, who may have to pay a heavy fine to the government or serve a long term of imprisonment.
Chapter-I Introduction
1.1 Overview of Cyber Crime
“Digital technology and new communication systems have made dramatic changes in our lives”. Business transactions are made with the help of computers in almost all sectors, whether private or government. Technology and online communication are growing at a rapid rate, and many companies and organisations use online services and provide them to individuals for greater convenience. In the current scenario the internet is accessed globally, which has given rise to hackers, whose numbers grow worldwide like the population of a country. Their main motive is to break into systems through the internet and leak the valuable information of companies and organisations; this is where security is compromised. These activities result in a variety of criminal acts such as gaining unauthorized access to computer files, disrupting the operation of remote computers with viruses, worms, logic bombs, Trojan horses and denial of service attacks, identity theft, and many others.
Cybercrime is cheap to commit (if one has the know-how), hard to detect (if one knows how to erase one's tracks), and often hard to locate in jurisdictional terms. Investigations of cybercrimes are complex. The evidence is often in an intangible form, and its collection, appreciation, analysis and preservation present unique challenges to the investigator. The increased use of networks and the growth of the Internet have added to this complexity. A hacker can attack an individual's system from another country while routing through the network of a third country, using what are technically termed proxy servers, and the individual may be unaware of it because of weak security in his or her network and computer system.
instrument, target, or a means for perpetuating further crimes comes within the category of cybercrime, i.e., unlawful acts wherein the computer is either a tool or a target or both.
The rise in cybercrime seen all over the world has also taken place in India, for which the government has had to promote measures to combat this criminal activity. In the Indian scenario cybercrimes are reported under the Information Technology Act, 2000 (amended 2008). Apart from the crimes registered under the IT Act, there are a number of crimes committed using computers which are registered under the provisions of the Indian Penal Code, 1860. Cybercrime cases are also registered under other laws such as the Indian Evidence Act, 1872; the Bankers' Books Evidence Act, 1891; the Indian Telegraph Act, 1885; the NDPS Act; the Arms Act; and the Code of Criminal Procedure. Cybercrimes reported in India include breach of trust and privacy, hacking of computer systems, forgery using computers, and publication or transmission of obscene material in electronic form. To counter these cyber-attacks the Indian government established the Computer Emergency Response Team - India (CERT-In), which responds to and reports computer security incidents. Many states in India have established cybercrime police stations and cybercrime cells which register a large number of cybercrime cases in their localities. According to experts, “Technology has eroded the concept of state boundaries and created a borderless world”.
The Government of India has initiated a concerted programme for cyber security under the Department of Information Technology, along with the enactment of the Information Technology Act, 2000, which was amended in 2008 to cover some newer crimes. The Act describes the punishments and penalties for various criminal offences and contraventions. The IT Act, 2000 also lays down certain guidelines, rules and procedures for ISPs and other officials. Many law enforcement agencies, including the Central Bureau of Investigation (CBI), have created separate units or cyber cells for handling cybercrimes; the first cyber cell was established in the IT capital of India, Bangalore. To date many states and units have created Cyber Crime Police Stations and Cyber Crime Cells to handle the menace of growing cybercrime. (Details are provided in Annexure - 1)
Chapter II: Cybercrime Assessment
2.1 Definition
The term 'cybercrime' has not been defined in any Statute or Act; therefore many experts and thinkers have given their own definitions to aid the understanding of 'cybercrime'.
The Oxford Reference Online defines 'cybercrime' as crime committed over the Internet.
The Encyclopedia Britannica defines 'cybercrime' as any crime that is committed by means of special knowledge or expert use of computer technology.
So what exactly is cybercrime? Cybercrime could reasonably include a wide variety of criminal offences and activities covered by the provisions of various different laws.
The CBI Manual defines cybercrime as:
(i) Crimes committed by using computers as a means, including conventional crimes.
(ii) Crimes in which computers are targets.
The United Nations defines 'cybercrime' in two categories:
a. Cybercrime in a narrow sense (computer crime): any illegal behaviour directed by means of electronic operations at the security of computer systems and the data processed by them.
b. Cybercrime in a broader sense (computer-related crime): any illegal behaviour committed by means of, or in relation to, a computer system or network, including crimes involving mens rea such as illegal possession, offering or distribution of useful information by means of a computer system or network.
The FBI, in its Law Enforcement Bulletin, defines cyber terror as “the intimidation of civilian enterprise through the use of high technology to bring about political, religious, or ideological aims, actions that result in disabling or deleting critical infrastructure data or information”.
A generalized definition of cybercrime may be "unlawful acts wherein the computer is either a tool or target or both".
The Information Technology Act, 2000 does not define the term 'cybercrime'. Cybercrime can generally be defined as criminal activity in which information technology systems are the means used for the commission of the crime.
2.2.1 Against Persons
Crime has existed since the birth of human society and has advanced along with human society and culture. Criminals too use new technologies to defeat the highly advanced security measures that people adopt. In the current situation cybercrime is taking place at a rapid rate, and even minors are involved in theft, fraud and other such activities.
The expanding reach of computers and the internet has made it easier for people to keep in touch across long distances and to collaborate for business, education and other activities of human culture. However, every new technology that is used for beneficial purposes is also capable of misuse. Hence it is the job of the legal system and regulatory agencies to keep pace with technology and ensure that newer technologies do not become tools of exploitation and harassment.
The World Wide Web (WWW) allows users to circulate content in the form of text, images, videos and sounds. Websites are created and updated for many useful purposes, but, as with any technology that provides great services, they are also used for criminal activities. For example, websites are used to circulate offensive content against an individual, such as pornography, hate speech and defamatory material.
There are various types of cybercrime committed against an individual, such as:
Harassment via e-mails
E-mail spoofing (sending an e-mail message from a fake source while making it appear to originate from an authentic source).
Cyber Pornography (where cyberspace is used as a medium to distribute, design or publish pornographic material).
Dissemination of obscene material (widespread publishing of obscene material).
Defamation (injury to the reputation of a person, done by publishing a false statement which affects someone's reputation).
Indecent Exposure (any type of vulgar and offensive nakedness in a public place).
Cheating & Fraud (something intended to deceive; deliberate trickery intended to gain an advantage).
Intellectual Property Theft (any kind of creation such as designs, artwork, literature, etc. which is born from one's mental power or intellect is termed intellectual property. When a criminal with mala fide intent steals this intellectual property, the crime is known as Intellectual Property Theft. Owing to the quantum of information flowing in cyberspace and the ease of copying, such crimes are very prevalent.)
Forgery (creating a fake copy or imitation of a document or an object with the intention to deceive. Digital forgery involves creating the same fakes in electronic form.)
Salami Attack (an attack on a computer system or network wherein a cybercriminal transfers a negligibly small amount of money from the victim's bank account to his own account. The transferred amount is a small slice of a large amount, hence the name.)
Skimming (a kind of credit/debit/ATM/SIM card fraud in which a device is planted by the criminal to capture someone's personal information; information such as name, card number and expiry date can then be used to create fake credit cards.)
Pharming (a type of attack in which the user is deceived into entering sensitive data such as PINs, credit card numbers and passwords into a fake website which impersonates a genuine website.)
Spamming (sending unsolicited junk e-mails or messages for the purpose of causing annoyance or inconvenience.)
Data Alteration or diddling (modifying data before or after it is entered into the system, generating a faulty output; it can be defined as illegal or unauthorized fraudulent alteration of data.)
Two of the great fears of the late twentieth century are combined in the term “cyber terrorism”.
If we ask 10 computer security experts today about ‘cyber terrorism’, we will get different meanings or definitions from each of them. Difficult to detect, seldom reported and even more difficult to prove, computer-related crime lacks a traditional paper audit trail; it lies outside conventional policing and requires specialists with a sound understanding of computer technology. The term ‘cyber terrorism’ was coined by Barry C. Collin. Terrorism is the calculated and unlawful use of force or violence against persons or property to inculcate fear or to coerce a government, civilians or any section of them in furtherance of religious, political or other ideological goals. An example of cyber-terrorism could be hacking into a hospital computer system and changing someone's medicine prescription to a lethal dosage as an act of revenge. In today's scenario the Indian government plans for our society, including the military, civilians and the private sector, to be involved in developing and deploying new and growing communications and advanced technologies, and in raising the technological standard of work and living.
The main purpose of cyber terrorism is to create fear in a population by causing confusion and uncertainty, with the goal of influencing a government or population to conform to a particular political, social or ideological agenda. Such attacks have been made by terrorists in an eruption of negative feelings against a community of persons, a country, a state or an individual with the goal of causing harm and generating fear. This happened in the case of Assam's migration controversies, when Pakistani hackers hacked some Indian websites and sent a message to the people of India saying that the lives of north-east people, who are citizens of India, were in danger. This message created panic and phobia among the citizens of the country, due to which many north-east people went back to their homes and many of them suffered. The problem was soon resolved and the north-east citizens came back and continued with their work, though many of them had left their jobs, studies and businesses.
These methods of cyber terrorism were first used in a reported attack by terrorists against a country's computer systems in Sri Lanka in 1998, when the ethnic Tamil Tigers guerrillas overwhelmed Sri Lankan embassies with 800 e-mails a day for a period of two weeks. The messages threatened massive disruption of communications and caused fear and panic among ordinary Sri Lankans, as the rebel group was notorious for killing people.
Cyber terrorism once again came to the fore in India in the form of the Mumbai attacks. The terrorists were extremely technology savvy and were using satellite phones with impunity. Not only can they spread terror, they also threaten our computer and communication networks. They have highly qualified engineers in their groups and are capable not only of hacking systems but of damaging them; they also attempt to hack the defence sites of the country. That was the year when, pushed by the Mumbai attacks, the government swung into action and got the amendments to the Information Technology Act, 2000 passed in both houses of Parliament.
In India's legislation the Information Technology Amendment Act, 2008 contains a provision on cyber terrorism. Section 66F defines and penalizes cyber terrorism. To qualify as a cyber-terrorist act, the act must be committed with the intention to threaten the unity, integrity, security or sovereignty of India by interfering with authorized access to a computer resource, obtaining unauthorized access to a computer resource, or damaging a computer network. The acts are punishable if they cause death or injury to persons, cause damage or destruction to property, disrupt essential supplies or services, or affect critical information infrastructure. The penalties range from three years' imprisonment to life imprisonment and a fine, depending on the seriousness of the crime.
created to contain a finite amount of data, the extra information, which has to go somewhere, can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.
b) Spyware: Often associated with software that displays advertisements (called adware) or software that tracks personal or sensitive information.
f) Steganography: The art and science of hiding information by embedding messages within other, seemingly harmless messages. It is used to supplement encryption: an encrypted file may additionally hide information using steganography, so that even if the encrypted file is deciphered, the hidden message is not seen.
g) Zombie: A computer that has been implanted with a daemon that puts it under the control of a malicious hacker without the knowledge of the computer's owner. Zombies are used by malicious hackers to launch DoS attacks. The hacker sends commands to the zombie through an open port; on command, the zombie computer sends an enormous number of packets of useless information to a targeted website in order to clog the site's routers and keep legitimate users from gaining access to the site.
h) Phishing Attack: A fraudulent attempt to acquire confidential information such as usernames, passwords, PINs and credit card numbers by sending fake e-mails and/or redirecting an unsuspecting user to a fake website which induces the user to submit his or her personal information.
j) E-mail bombing: An attack which involves sending a massive number of e-mails to a particular system, consuming its processing, storage or network resources.
k) Wardriving: The act of seeking out Wi-Fi networks by moving around with a computer, smartphone or equivalent device that detects these networks.
n) Sniffing: A program or device that captures vital information from the traffic of a particular network. Its objective is to steal passwords, e-mail text and files which are transferred from source to destination.
o) Rootkit: Software used to hide the fact that a computer system has been compromised, for example by modifying system commands to conceal changes made to the system. Rootkits are among the most feared and hardest to detect of all types of malware.
Chapter III- Law Enforcement Against Cyber Crimes
IT Act 2000: Computers are used to create, transmit and store information in electronic form instead of paper documents, but the main hurdle in e-Governance is the requirement of writing and signature for legal recognition. At present many legal provisions require evidence in the form of paper documents bearing signatures. The law of evidence is based on paper-based records; hence, for the success of e-Governance and e-Commerce, legal changes were required. Therefore the Govt. of India introduced a new law giving legal recognition to electronic records. This gave birth to the Information Technology Bill, 1999, which was passed by both houses of Parliament in May 2000 and received the President's assent in August 2000. This Bill became the Information Technology Act, 2000, which also contains cyber laws. Its objectives include:
(a) To grant legal recognition to transactions carried out by means of EDI and e-Commerce in place of paper-based methods of communication.
(b) To give legal recognition to digital signatures for authentication of any information.
(e) To facilitate and give legal recognition to electronic fund transfers between banks and financial institutions.
(f) To give legal recognition to keeping books of accounts in electronic form by bankers.
(g) To amend the Indian Penal Code, the Indian Evidence Act, the Bankers' Books Evidence Act and the Reserve Bank of India Act.
The Act consists of 94 Sections spread over thirteen chapters and four schedules. The schedules contain related amendments to other acts, namely the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers' Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934.
3.2 THE INDIAN PENAL CODE, 1860:
The Indian Penal Code is the main criminal code of India. It is a comprehensive code intended to cover all substantive aspects of criminal law. It was drafted in 1860 and came into force in colonial India during the British Raj in 1862. In independent India many special laws have been enacted with criminal and penal provisions; these are often referred to and relied upon as additional legal provisions in cases which also invoke the relevant provisions of the IPC. The Code has since been amended several times and is now supplemented by other criminal provisions. In the state of Jammu and Kashmir the IPC is known as the Ranbir Penal Code (RPC).
The ITA 2000 amended the sections of the IPC dealing with records and documents by inserting the word ‘electronic’, thereby treating electronic records and documents on a par with physical records and documents. The sections dealing with false entries in a record, false documents etc. (e.g. 192, 204, 463, 464, 468 to 470, 471, 474, 476 etc.) have been amended to cover electronic records and electronic documents, thereby bringing within the ambit of the IPC all crimes against electronic records and documents, just like physical acts of forgery or falsification of physical records.
In practice, however, the investigating agencies file cases quoting the relevant sections of the IPC in addition to the corresponding sections of the ITA, for example offences under IPC 463, 464, 468 and 469 read with ITA/ITAA Sections 43 and 66, to ensure that the evidence or punishment provided in at least one of the legislations can be brought about easily.
Amendments to this Act have been included as the third schedule of the ITA. Prior to the passing of the ITA, any evidence from a bank to be produced in a court necessitated production of the original ledger or other register for verification at some stage, with a copy retained in the court records as an exhibit. With the passing of the ITA the definitions part of the BBE Act stood amended as: “‘bankers' books’ include ledgers, day-books, cash-books, account-books and all other books used in the ordinary business of a bank, whether kept in the written form or as printouts of data stored in a floppy, disc, tape or any other form of electro-magnetic data storage device”. When the books consist of printouts of data stored in a floppy, disc, tape etc., a printout of such an entry is to be certified, in accordance with the provisions, to the effect that it is a printout of such entry or a copy of such printout, by the principal accountant or branch manager; and (b) a certificate by the person in charge of the computer system containing a brief description of the computer system and the particulars of the safeguards adopted by the system to ensure that data is entered or any other operation performed only by authorized persons; the safeguards adopted to prevent and detect unauthorized change of data and to retrieve data that is lost due to systemic failure or .....
In short, just as in the Indian Evidence Act, the provisions of the Bankers' Books Evidence Act make a printout from a computer system, floppy, disc or tape a valid document and evidence, provided such printout is accompanied by a certificate stating that it is a true extract from the official records of the bank and that such entries or records come from a computerized system with proper integrity of data, wherein data cannot be manipulated or accessed in an unauthorized manner and is not lost or tamperable due to system failure or other such reasons.
Here again, let us reiterate that the law does not state that any computerized printout, even if not signed, constitutes a valid record. Yet many banks of repute (both public sector and private sector) often send printed letters to customers with the space for signature after the line “Yours faithfully” left blank and with a postscript reading: “This is a computer generated letter and hence does not require signature”. Such an interpretation is grossly misleading and sends a message to the public that computer generated reports or letters need not be signed, which is nowhere stated in, nor is the import of, the ITA or the BBE Act.
This is another legislation amended by the ITA. Prior to the passing of the ITA, all evidence in a court was in physical form only. With the ITA giving recognition to electronic records and documents, it was but natural that the nation's evidentiary legislation be amended in tune with it. In the definitions part of the Act itself, the words “all documents including electronic records” were substituted. Words like ‘digital signature’, ‘electronic form’, ‘secure electronic record’ and ‘information’, as used in the ITA, were all inserted to make them part of the evidentiary mechanism in legislation.
area of evidences produced from a computer or electronic device. Any information contained
in an electronic record which is printed on a paper, stored, recorded or copied in optical or
magnetic media produced by a computer shall be treated like a document, without further
proof or production of the original, if the conditions like these are satisfied:
(a) The computer output containing the information was produced by the computer during the
period over which the computer was used regularly by lawful persons..
(b) The information derived was regularly fed into the computer in the ordinary course of the
said activities;
(c) Throughout the material part of the said period, the computer was operating properly and
a certificate signed by a person responsible..... etc.
To put it in simple terms, evidence (information) taken from computers or electronic storage devices and produced as print-outs or in electronic media is valid if it is taken from a system handled properly with no scope for manipulation of data, ensuring the integrity of the data produced directly with or without human intervention etc., and accompanied by a certificate signed by a responsible person declaring the correctness of the records taken from the computer system, with all the precautions as laid down in the Section.
However, this Section is often misunderstood by one part of the industry to mean that computer print-outs can be taken as evidence and are valid as proper records even if they are not signed. We find many computer generated letters emanating from big corporates with proper space below for a signature under the words "Yours faithfully" or "truly" and the signature space left blank, with a post-script remark at the bottom "This is a computer generated letter and hence does not require signature". The Act does not anywhere say that 'computer print-outs need not be signed and can be taken as record'.
example, a screenplay from a novel), sell, license or import copyright protected creations. Copyright is a type of intellectual property, as it protects creative and inventive endeavours.
| No. | Crime | IT Act section and punishment | IPC section and punishment |
|---|---|---|---|
| 6. | Phishing email | Sec 66D – upto 3 yrs imprisonment and fine upto 2 lakh rupees | Sec 419 IPC – upto 3 yrs imprisonment or fine or both |
| 7. | Dishonestly reading someone's emails | Sec 66 – upto 3 yrs imprisonment or fine upto 5 lakh rupees or both. Sec 66C – upto 3 yrs imprisonment and fine upto 1 lakh rupees | |
| 8. | Unsolicited email | N.A. | N.A. |
| 2. STOLEN / THEFT | | | |
| 9. | Dishonestly receive/retain stolen communication device like mobile phone | Sec 66B – upto 3 yrs imprisonment or fine upto 1 lakh rupees or both | Sec 411 IPC – upto 3 yrs imprisonment or fine or both |
| 10. | Stolen communication device | | Sec 379 IPC – upto 3 yrs imprisonment or fine or both |
| 11. | Data theft (owned by person or company) | Sec 66 – upto 3 yrs imprisonment or fine upto 5 lakh rupees or both | Sec 379 IPC – upto 3 yrs imprisonment or fine or both |
| 12. | Data theft (from government computer that compromises national security) | Sec 66 – upto 3 yrs imprisonment or fine upto 5 lakh rupees or both. Sec 66F – lifetime imprisonment | |
| 13. | Stealing password, digital signature, cookies or any unique identification feature and misusing it | Sec 66C – upto 3 yrs imprisonment and fine upto 1 lakh rupees. Sec 66D – upto 3 yrs imprisonment and fine upto 5 lakh rupees | Sec 419 IPC – upto 3 yrs imprisonment or fine. Sec 420 IPC – upto 7 yrs imprisonment and fine |
| 3. OBSCENITY | | | |
| 14. | Capturing, publishing, transmitting the image of a private area without the consent or knowledge of the person | Sec 66E – upto 3 yrs imprisonment or fine not exceeding 2 lakh rupees or both | Sec 292 IPC – upto 2 yrs imprisonment and fine 2000 rupees, and upto 5 yrs imprisonment and fine 5000 rupees for second and subsequent conviction |
| 15. | Sending offensive messages (cyber-stalking and bullying) through a communication service, etc. | Sec 66A – upto 3 yrs imprisonment and fine | Sec 500 IPC – upto 2 yrs or fine or both. Sec 504 IPC – upto 2 yrs or fine or both. Sec 506 IPC – upto 2 yrs or fine or both (if threat to cause death or grievous hurt, etc. – upto 7 yrs or fine or both). Sec 507 IPC – upto 2 yrs along with punishment under sec 506 IPC. Sec 508 IPC – upto 1 year or fine or both. Sec 509 IPC – upto 1 year or fine or both |
| 16. | Publishing or transmitting obscene material in electronic form | Sec 67 – upto 3 yrs imprisonment and 5 lakh rupees (first conviction); upto 5 yrs and fine upto 10 lakh rupees (second and subsequent conviction) | Sec 292 IPC – upto 2 yrs and fine 2000 rupees (first conviction); upto 5 yrs and fine 5000 rupees (second and subsequent conviction) |
| 17. | Publishing or transmitting material containing sexually explicit acts, etc. in electronic form | Sec 67A – upto 5 yrs imprisonment and 10 lakh rupees (first conviction); upto 7 yrs and fine upto 10 lakh rupees (second and subsequent conviction) | Sec 292 IPC – upto 2 yrs and fine 2000 rupees (first conviction); upto 5 yrs and fine 5000 rupees (second and subsequent conviction) |
| 18. | Publishing or transmitting material depicting children in sexually explicit acts, etc. in electronic form | Sec 67B – upto 5 yrs imprisonment and 10 lakh rupees (first conviction); upto 7 yrs and fine upto 10 lakh rupees (second and subsequent conviction) | Sec 292 IPC – upto 2 yrs and fine 2000 rupees (first conviction); upto 5 yrs and fine 5000 rupees (second and subsequent conviction) |
| 4. TAMPERING/FORGERY/MODIFICATION | | | |
| 19. | Making a false document | Sec 66D – upto 3 yrs imprisonment and fine upto 1 lakh rupees | Sec 465 IPC – upto 2 yrs imprisonment or fine or both |
| 20. | Forgery for the purpose of cheating | Sec 66D – upto 3 yrs imprisonment and fine upto 1 lakh rupees | Sec 468 IPC – upto 7 yrs imprisonment and fine |
| 21. | Forgery for the purpose of harming reputation | Sec 66D – upto 3 yrs imprisonment and fine upto 1 lakh rupees | Sec 469 IPC – upto 3 yrs imprisonment and fine |
| 24. | Fake profile | Sec 66D – upto 3 yrs imprisonment and fine upto 1 lakh rupees | Sec 465 IPC – upto 2 yrs imprisonment or fine or both |
| 27. | Criminal intimidation by anonymous communication, e.g. hate page, comments, messaging | Sec 66A – upto 3 yrs imprisonment or fine upto 5 lakh rupees or both | Sec 506 IPC – upto 2 yrs imprisonment or fine or both |
| 28. | Cyber bullying | | |
| 6. COPYRIGHT INFRINGEMENT | | | |
| 7. TRADE-MARK INFRINGEMENT | | | |
| 34. | Meta-tagging | NA | NA |
| 35. | Domain name dispute (cybersquatting) | NA | |
| 8. ATTACKS | | | |
| 9. FINANCIAL FRAUDS | | | |
| 52. | Web jacking | Sec 67 – upto 3 yrs imprisonment and 5 lakh rupees (first conviction); upto 5 yrs and fine upto 10 lakh rupees (second and subsequent conviction) | Sec 383 IPC – imprisonment may extend to 3 yrs or fine or both |
| | | Sec 66F – life imprisonment (depending on the situation) | |
| 54. | Fake website | Sec 66D – upto 3 yrs imprisonment and fine upto 1 lakh rupees | Sec 419 IPC – upto 3 yrs imprisonment or fine. Sec 420 IPC – upto 7 yrs imprisonment and fine |
| 12. CYBER-TERRORISM | | | |
| 13. OTHER CRIMES | | | |
3.7 Case Studies
1. OBSCENITY
Fact of the case - The case related to the posting of obscene, defamatory and annoying messages about a divorcee woman in a Yahoo message group. E-mails were also forwarded to the victim for information by the accused through a false e-mail account opened by him in the name of the victim. The posting of the message resulted in annoying phone calls to the lady in the belief that she was soliciting.
Based on a complaint made by the victim in February 2004, the Police traced the accused to Mumbai and arrested him within the next few days. The accused was a known family friend of the victim and was reportedly interested in marrying her. She however married another person. This marriage later ended in divorce and the accused started contacting her once again. On her reluctance to marry him, the accused took up the harassment through the Internet.
Order passed by court - Ld. Additional Chief Metropolitan Magistrate, Egmore, delivered the judgement on 5-11-04 as follows:
"The accused is found guilty of offences under section 469, 509 IPC and 67 of IT Act 2000 and the accused is convicted and is sentenced for the offence to undergo RI for 2 years under 469 IPC and to pay fine of Rs.500/- and for the offence u/s 509 IPC sentenced to undergo 1 year Simple imprisonment and to pay fine of Rs.500/- and for the offence u/s 67 of IT Act 2000 to undergo RI for 2 years and to pay fine of Rs.4000/-. All sentences to run concurrently."
2. FINANCIAL FRAUDS
Fact of the case - Sony India Private Ltd runs a website called www.sony-sambandh.com, targeting Non-Resident Indians. The website enables NRIs to send Sony products to their friends and relatives in India after they pay for them online. In May 2002, someone logged onto the website under the identity of Barbara Campa and ordered a Sony colour television set and a cordless headphone. She gave her credit card number for payment and requested that the products be delivered to Arif Azim in Noida. The payment was duly cleared by the credit card agency and the transaction processed. At the time of delivery, the company took digital photographs showing the delivery being accepted by Arif Azim, but after one and a half months the credit card agency informed the company that this was an unauthorized transaction, as the real owner had denied having made the purchase.
Case File: The company lodged a complaint for online cheating with the Central Bureau of Investigation, which registered a case under Sections 418, 419 and 420 of the Indian Penal Code.
Order passed by court - The court, however, felt that as the accused was a young boy of 24 years and a first-time convict, a lenient view needed to be taken. The court therefore released the accused on probation for one year. The judgment is of immense significance for the entire nation. Besides being the first conviction in a cybercrime matter, it has shown that the Indian Penal Code can be effectively applied to certain categories of cyber crimes which are not covered under the Information Technology Act 2000.
3. TAMPERING/FORGERY/MODIFICATION
Fact of the case – Tata Indicom employees were arrested for manipulation of the electronic 32-bit number (ESN) programmed into cell phones that were exclusively franchised to Reliance Infocomm. The handsets, which were given to Reliance Infocomm subscribers, were technologically locked so that they would only work with the Reliance Infocomm services. However, it came to light during investigations that the supplied handsets could be unlocked for the Tata Indicom service as well.
Order passed by the High Court of Andhra Pradesh -
1. A cell phone is a computer as envisaged under the Information Technology Act.
2. ESN and SID come within the definition of "computer source code" under section 65 of the Information Technology Act.
3. When the ESN is altered, the offence under Section 65 of the Information Technology Act is attracted, because every service provider has to maintain its own SID code and also give a customer-specific number to each instrument used to avail the services provided.
4. Whether a cell phone operator is maintaining computer source code is a matter of evidence.
5. In Section 65 of the Information Technology Act the disjunctive word "or" is used between the two phrases –
a. "when the computer source code is required to be kept"
b. "maintained by law for the time being in force"
4. COPYRIGHT INFRINGEMENT
Fact of the case – The defendant, Total News, Inc., was a website owner that provided a portal to various news services available on the internet. Total News' website, at the time of the complaint, provided links to a variety of other news sites on the web. The linking mechanism was initially implemented in such a way that the news organizations' web pages appeared to be "on" the Total News page. This particular variant of in-line linking is popularly known as "framing", as it involves a border from one site, the "frame", surrounding or edging the content from another site. In the Total News situation, the framed content was surrounded by Total News advertising.
Order passed by court - UNITED STATES DISTRICT COURT, SOUTHERN DISTRICT OF NEW YORK -
In June 1997, the case was settled without any judicial decision on the legality of framing.
5. STOLEN / THEFT
The Cyber cell started an enquiry on the order of the IGP and obtained the login logs from rediff.com. The logs indicated that the email ID's password had been changed and anonymous emails had been sent from the house of the lady's husband and sent from his. The Cyber cell registered a case under section 66 of the IT Act; a challan was filed against the suspect and the trial is over.
Order passed by court - The court upheld the conviction against the suspect Sabrish Pillai but found that the matter came before the court because Sabrish was having a family dispute with his wife and the act of hacking was not against society at large; hence it let him free after a warning.
Mumbai police have arrested a hacker named Kalpesh (name changed) for hacking into a financial website. As he was not able to bypass the main server of the financial institution, which was well secured, the accused could only make some additions to the home page of the financial website, and added a string of text to the news module of the home page. Police were able to crack the case by following the trace left by the hacker on the web server of the financial institution. The financial institution maintained a separate server for online financial transactions, for which utmost security had been taken. The website was hosted on a different server which comparatively had lesser security.
The hacker Kalpesh (name changed) is a 10th-pass youngster of 23 years. He has done computer courses like CCNA, MCSE etc., but he is a computer addict. He sits before the computer for almost 16 to 20 times each day. He has mostly used readymade hacking tools to hack into any website. He goes to a particular website on the web which lets him see the entire directory structure of the target website. Then, using various techniques such as obtaining a password file, he gets into the administrator's shoes and hacks the website.
7. ATTACKS
The arrested accused had used open source email application software for sending spam emails. He downloaded the software from the net and used it as it was.
He used only VSNL emails to send the spam to customers of the financial institute, because the VSNL email service provider did not have a spam box to block unsolicited emails.
After spamming the financial institute's customers he got responses from around 120 customers, of which 80 were genuine and the others were not correct because they did not have the debit card details required for e-banking.
The financial institute customers who received his email felt that the email originated from the financial institute's bank. When they filled in the confidential information and submitted it, the information was directed to the accused. This was possible because a dynamic link was given on the first page (home page) of the fake website. "Dynamic link" means that the link is activated only when people click on the link provided in the spam email. The dynamic link was coded by handling the Internet Explorer onclick event, and the information in the form was submitted to the web server where the fake website was hosted. The server then sent the data to a configured email address, and in this case the configured email was the accused's. So on submission of the confidential information, it was directed to the accused's email ID. All the information obtained through the phishing (user name, password, transaction password, debit card number and PIN, mother's maiden name) was received by him through the Wi-Fi internet connectivity of Reliance.com, which was available on his Acer laptop.
Applicable Law: This crime has been registered u/s 66 of the IT Act, sections 419, 420, 465, 468, 471 of the IPC r/w Sections 51, 63 and 65 of the Copyright Act, 1957, which attract punishment of 3 years' imprisonment and fine up to 2 lakh rupees, which the accused never thought of.
4. Digital evidence
4.1 Introduction
Digital evidence or electronic evidence is "any probative information stored or transmitted in digital form that a party may use in court at trial". Section 78A of ITAA 2008 defines the electronic form of evidence as "any information of probative value that is either stored or transmitted in electronic form and includes computer evidence, digital audio, digital video, cell phones, digital fax machines".
The main characteristics of digital evidence are: it is latent, like fingerprints and DNA; it can cross national borders with ease and speed; it is highly fragile and can be easily altered, damaged or destroyed; and it is time sensitive. For these reasons, special precautions should be taken to document, collect, preserve and examine this type of evidence. When dealing with digital evidence, the principles that should be applied are: actions taken to secure and collect digital evidence should not change that evidence; persons conducting the examination of digital evidence should be trained for this purpose; and all activity relating to the seizure, examination, storage or transfer of digital evidence should be fully documented, preserved and available for review.
| No. | Device / source | Evidence that can be obtained |
|---|---|---|
| 3 | Screens of devices such as mobile phones, computer (monitor) if they are connected to these devices and are in ON state. | Representation of information (graphical or files) on screen while connected to the system can be used as electronic evidence. |
| 4 | Video and image capturing devices (digital cameras, camcorders), audio devices (iPod, voice recording devices) | In addition to the devices themselves, audio, videos, still images and other information stored in the devices' memory can be used as evidence. |
| 5 | Caller ID / answering machines | Audio, and date and time related information. |
| 6 | Storage devices (internal hard drives, external hard drives, flash drives, memory cards) | The device, and information stored on the device, can be used as evidence. |
| 7 | Tablets, smart phones, PDAs (personal digital assistants) | Information stored in various applications, user IDs, passwords and communication information can be extracted. |
| 8 | Pagers | Communication information such as text messages, phone numbers etc. |
| 9 | SIM card | Mobile number, contacts stored on the SIM card, messages and information about the mobile phone on which the SIM card is used can be extracted. |
| 10 | LAN (local area network) / NIC (network interface card) | Media access control (MAC) address can be used to trace a computer on the network if obtained. |
| … | … | … used for scanning illegal documents. |
| 23 | Keyboard, mouse, touchpad and other input devices | Device itself can be used. |
| 24 | Digital watches | Advanced digital watches may also contain location, contact etc. information which may be stored in memory. |
| 25 | USB/FireWire connected devices | These devices may contain data stored in them. |
| 26 | Passwords, encryption, security keys | This authentication information can be used as evidence. |
| 27 | Internet enabled digital TV | These devices have storage and internet capabilities, thus stored information may be extracted and used. |
| 28 | Media PC | These devices have storage and internet capabilities, thus stored information may be extracted and used. |
| 29 | HD recorders | These devices have storage and internet capabilities, thus stored information may be extracted and used. |
| 30 | Gaming consoles having storage capacities | These devices have storage and internet capabilities, thus stored information may be extracted and used. |
4.4. The following is a list of crimes which may involve the use of a computer or other electronic media. Listed below are the crimes and the potential evidence which may be recovered from various types of electronic evidence.
Chat logs
Digital camera software
E-mail, notes and letters
Games
Graphic editing and viewing software
Images
Internet activity logs
Movie files
User created directory and file names which classify images
Address books
Configuration files
E-mail, notes and letters
Executable programs
Internet activity logs
Internet protocol address & usernames
Internet relay chat logs
Source code
Text files and documents with usernames and passwords
Address books
E-mails, notes and letters
Financial asset record
Internet activity logs
Legal documents and wills
Medical records
Telephone records
Diaries
Maps
Photos of victim /suspect
Address books
Diaries
E-mail, notes and letters
Financial asset records
Telephone records
Address books
Calendar
Currency images
Check and money order images
Customer information
Databases
E-mail, notes and letters
False identification
Financial asset records
Images of signatures
Internet activity logs
Online banking software
Counterfeit currency images
Bank logs
Credit card numbers
Address books
Internet activity logs
Diaries
Email, notes, and letters
Financial asset records
Images
Legal documents
Telephone records
Victim background research
Maps to victim locations
Address books
Calendar
Databases
Drug recipes
E-mail, notes and letters
False ID
Financial asset records
Internet activity logs
Prescription form images
Chat logs
Email, notes and letters
Image file of software certificates
Internet activity logs
Software serial numbers
Software cracking utilities
User created directories and file names which classify copyrighted software
Cloning software
Customer database records
Electronic serial numbers
Mobile identification numbers
Email, notes and letters
Financial asset records
Internet activity logs
Digital camera software
Scanner software
Identification templates:
Birth certificates
Check cashing cards
Digital photo images
Driver’s license
Electronic signatures
Counterfeit vehicle registration
Counterfeit insurance documents
Social security cards
Negotiable instruments:
Business checks
Cashier’s checks
Credit card number
Counterfeit court documents
Counterfeit certificates
Counterfeit loan documents
Counterfeit sales receipts
Money orders
Personal checks
| Tool | Platform | License | Description |
|---|---|---|---|
| … | … | … | … forensics / Linux / Mac OS investigation tool and a framework development platform |
| PTK Forensics | LAMP | Free/commercial | GUI for The Sleuth Kit |
| The Coroner's Toolkit | Unix-like | IBM Public License | A suite of programs for Unix analysis |
| COFEE | Windows | Proprietary | A suite of tools for Windows developed by Microsoft, only available to law enforcement |
| The Sleuth Kit | Unix-like / Windows | IPL, CPL, GPL | A library of tools for both Unix and Windows |
| Categoriser 4 Pictures | Windows | Free | Image categorisation tool, available to law enforcement |
| Paraben P2 Commander | Windows | Commercial | General purpose forensic tool |
| Open Computer Forensics Architecture | Linux | LGPL/GPL | Computer forensics framework for a CF-Lab environment |
| SafeBack | n/a | Commercial | Digital media (evidence) acquisition and backup |
| Windows To Go | n/a | Commercial | Bootable operating system |
| Forensic Assistant | Windows | Commercial | User activity analyser (e-mail, IM, documents, browsers), plus a set of forensics tools |
| Nuix | Windows | Commercial | Forensic analysis and fraud prevention software. Full text search; extracts emails, credit card numbers, IP addresses, URLs. Skin tone analysis. Support for ingesting Windows, Mac OS, Linux and mobile device data |
| PeerLab | Windows | Commercial | File sharing and "instant messaging" analyser |
| OSForensics | Windows | Free/commercial | General purpose forensic tool for e-mail, files, images and browsers |
| X-Ways Forensics | Windows | Commercial | General purpose forensic tool based on the WinHex editor |
| Bulk Extractor | Windows/Linux | Public domain | Stream-based forensic feature extraction of e-mail addresses, phone numbers, URLs and other identified objects |
| Intella | Windows | Commercial | Forensic search software: email, data and cell phone processing/investigation |
| CAINE | Linux | Free/open source | GNU/Linux computer forensics live distro |
| Forensics Apprentice | Windows | Commercial | Computer forensics investigation software |
| Dumpzilla | Windows/Linux | GPL | Forensic tool for Mozilla browsers |
4.5.3. Mobile device forensics
| Tool | Platform | License | Description |
|---|---|---|---|
| BlackLight | Windows/Mac | Commercial | iOS forensics analysis software |
| Cellebrite Mobile Forensics | Windows | Commercial | Universal Forensic Extraction Device: hardware and software |
| Radio Tactics Aceso | Windows | Commercial | "All-in-one" unit with a touch screen |
| Paraben Device Seizure | Windows | Commercial | Hardware/software package |
| SAFT Mobile Forensics | Windows | Free/Commercial | Easy-to-use mobile forensics application, specializes in Android |
| … | … | … | … based on RIM BlackBerry and Apple iOS platforms |
| MOBILedit! Forensic | Windows | Commercial | Hardware connection kit / software package |
| viaForensics viaExtract | Any (distributed as VM) | Commercial | Software package, specializes in Android forensics |
4.5.5. Other
In any crime which involves a technology aspect, the collection of evidence is a critical task, as the evidence can be tampered with easily. Digital evidence, due to its fragile nature, requires utmost care and precaution during search, collection, preservation, transportation and examination.
“As is where is” report of the crime scene must be prepared.
Collecting evidence
From switched off system
From switched on system
Cloning or duplication of evidence
Conducting interviews
Making record and naming/labelling of evidence.
Packing and moving /transporting evidence from the scene.
The authority for search and seizure is given in section 165 of the CrPC and section 80 of ITAA 2008. The steps which should be followed during seizure proceedings are:
Two independent witnesses and one technical person (responder side) should be part of the process.
Time zone / system time must be noted in the panchnama (for switched-on systems).
Photographs of devices must be taken at their original place.
The system must be kept in the state in which it was found (on or off).
In the panchnama, chain of custody and digital evidence collection form, the serial number allotted to that device must be mentioned.
If any internal part of the device is removed, a photograph of that part should be taken.
The serial number, along with information such as PF number / crime number / section of law, must be mentioned.
Search and seizure information for that system should also be recorded in the panchnama.
Witnesses must be briefed about the techniques / tools used in the search and seizure process.
Investigating officers must have the knowledge and ability to identify various digital devices.
All the forms, and the details filled in the forms, must be checked and completed (Annexure-2).
This section is to assist persons who have no skills or have not received any training to carry out search and seizure, and to ensure that their actions won't affect the evidence.
4.7.1. For desktop and laptop computers (which are in switched-off state)
If no special advice is available, remove the power supply from the system without closing down any program. Always remove the power cable from the system end first, rather than the supply end.
Remove the power plug and other devices from the socket.
Label or mark the removed components.
Search the area for passwords, which are often kept close to the computer.
Information received from the scene / user, such as passwords, usernames etc., may be recorded.
Equipment used must be noted.
Note - removing power from a running system causes evidence in encrypted volumes to be lost; try to obtain the key. Other volatile, live data may also be lost.
Specialist advice should be taken at an early stage regarding charging and/or battery charging, to prevent data loss.
Information must be treated with caution.
If any process is going on, wait until it is completed.
Remove the power plug and other devices from the socket.
Label or mark the removed components.
Search the area for passwords, which are often kept close to the computer.
Information received from the scene / user, such as passwords, usernames etc., may be recorded.
Equipment used must be noted.
A competent person should examine the device.
Other steps may depend on the model and type of device (Annexure-4).
Handle with care. If placing in a vehicle, place upright, protected from physical shocks.
Keep away from magnetic sources (loudspeakers, heated seats and windows, and police radios).
Storage devices -
Note -
Devices must be stored at normal temperature and in normal conditions.
Power backup to devices during transportation must be provided.
When evidence is seized from the crime scene, the next step is to assign responsibility for it and for its protection.
Chain of custody establishes the responsibility for, and competence of, evidence in a court of law and minimizes the risk of tampering with the evidence. It accounts for all the persons who had access to the evidence, such as -
The evidence should be in the control of the law enforcement body, and not with private citizens. Not following the chain of custody may cause an objection by the court or the opposing party that the evidence is unreliable or fabricated, and doing so may impose liability on the investigating officer under section 72 of ITAA 2008.
4.9. Integrity of digital evidence
Proving the integrity of digital evidence is important, as not doing so may cause that evidence not to be considered in a court of law, or to be objected to on grounds of alteration or modification.
Some of the methods used to check the integrity of digital evidence are shown below -
| Method | Description | Algorithms | Advantages | Disadvantages |
|---|---|---|---|---|
| Hash algorithm (MD2, MD4, MD5, SHA) | … protecting digital data against unauthorised changes. The method produces a fixed length large integer value (from 80-240 bit) representing the digital data. It has two unique characteristics. First, given the hash value it is difficult to find other data matching the same hash value. | MD5, MD4, MD2 | … compute; can detect both random errors and malicious alteration | Must maintain secure storage of the hash value |
| Digital signature | A secure method of binding the identity of the signer with a digital data integrity method such as one-way hash values. These methods use a public key crypto-system where the signer uses a secret key to generate a digital signature. Anyone can then validate the signature generated by using the published public key certificate of the signer. The signature produces a large integer number (512-4096 bits) | RSA, DSA, PGP | Adds identity to the integrity operation; prevents unauthorised regeneration of the signature unless the private key is compromised | Slow; must protect the private key; if the key is compromised or the certificate expires the digital signature can be invalidated |
A person who wishes to lodge an FIR needs to provide a copy (screenshot) of the crime that occurred (as a soft copy as well as a printout), with an affidavit concerning it. Other details as required by the law enforcement agency (if any), on the basis of which the police may start their investigation, must also be provided.
Section 68B of the Indian Evidence Act directs us about the evidence which can be produced before a court of law and whether it is admissible or not.
CFSL (Central Forensic Science Laboratory) Hyderabad is an authority which certifies which evidence is admissible in a court of law and which is not, and certifies that the evidence collected from the crime scene is unaltered and is the same as collected from the crime scene, after which the evidence can be produced before the court.
Chain of custody
The initial count of evidence to be examined,
Information regarding the packaging and condition of evidence upon receipt
by the examiner,
A description of evidence, and
Communication regarding the case.
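The hash-algorithm row of the integrity table above and the chain-of-custody requirements (responsibility for the exhibit, secure storage of the hash value, documentation of every transfer) are illustrated by this added Python example; it is not code from the handbook or from any of the tools listed. It records MD5 and SHA-256 digests at seizure, logs each custody transfer and refuses one that leaves a gap, seals the record with a SHA-256 value meant to be copied into the panchnama, and shows that a single flipped bit in the image is detected on re-verification. Exhibit identifiers, holder names and timestamps are constructed placeholders; the digital-signature row (RSA/DSA) is not implemented here.

```python
import hashlib
import json
import os
import tempfile

# Algorithms named in the integrity table. MD5 is kept because the table lists it;
# the SHA-256 value is the one a verifier should rely on.
HASH_ALGORITHMS = ("md5", "sha256")


def hash_file(path, chunk_size=1 << 20):
    """Return {algorithm: hex digest} for the file at `path`, read in chunks so a
    multi-gigabyte image does not have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def seize_exhibit(path, exhibit_id, description, officer, when):
    """Build the digital evidence collection record at the time of seizure: the hash
    values computed on scene plus the first chain-of-custody entry."""
    return {
        "exhibit_id": exhibit_id,
        "description": description,
        "hashes": hash_file(path),
        "custody": [{"time": when, "holder": officer, "action": "seized"}],
    }


def transfer_custody(record, from_holder, to_holder, when):
    """Append a custody entry. The previous entry must name `from_holder`; otherwise
    the chain has a gap and the transfer is refused rather than silently logged."""
    last = record["custody"][-1]
    if last["holder"] != from_holder:
        raise ValueError(f"chain of custody gap: last holder is {last['holder']!r}")
    record["custody"].append(
        {"time": when, "holder": to_holder, "action": f"received from {from_holder}"}
    )
    return record


def seal_record(record):
    """SHA-256 of the canonical JSON of the whole record. Written into the panchnama
    (secure storage of the hash value) so a later edit of the record is detectable."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify_exhibit(record, path):
    """Recompute the hashes of `path` and compare with the seizure record.
    Returns (ok, list of algorithms whose digest no longer matches)."""
    current = hash_file(path)
    mismatched = [a for a in HASH_ALGORITHMS if current[a] != record["hashes"][a]]
    return (not mismatched, mismatched)


def demo():
    """Constructed scenario: seize a sample image, hand it over to an examiner,
    verify, then flip one bit (a media error or a deliberate edit) and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        exhibit = os.path.join(tmp, "exhibit_01.img")
        with open(exhibit, "wb") as fh:
            fh.write(b"constructed sample disk image content\n" * 1000)

        # Placeholder identifiers and times; a real record carries the PF/crime number.
        record = seize_exhibit(exhibit, "PF-XXXX/EXH-01", "laptop HDD image",
                               "investigating officer", "2024-01-01T10:00:00+00:00")
        transfer_custody(record, "investigating officer", "CFSL examiner",
                         "2024-01-02T09:30:00+00:00")
        seal = seal_record(record)  # the value copied into the panchnama
        ok_before, _ = verify_exhibit(record, exhibit)

        # Edit the stored MD5 in a copy of the record: the seal no longer matches.
        edited = json.loads(json.dumps(record))
        edited["hashes"]["md5"] = "0" * 32
        seal_detects_edit = seal_record(edited) != seal

        # Flip one bit in the middle of the image and re-verify.
        with open(exhibit, "r+b") as fh:
            fh.seek(5000)
            original = fh.read(1)
            fh.seek(5000)
            fh.write(bytes([original[0] ^ 0x01]))
        ok_after, mismatched = verify_exhibit(record, exhibit)

        return {
            "ok_before": ok_before,
            "ok_after": ok_after,
            "mismatched": mismatched,
            "custody_entries": len(record["custody"]),
            "seal_detects_edit": seal_detects_edit,
            "digest_lengths": {a: len(record["hashes"][a]) for a in HASH_ALGORITHMS},
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```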
Chapter V: Computer Forensics
5.1 Understanding of Forensics
Electronic evidence and information gathering have become central issues in an increasing number of conflicts and crimes. Electronic or computer evidence used to mean the regular print-out from a computer, and a great deal of the computer exhibits in court are still just those. However, for many years, law enforcement officers have been seizing data media and the computers themselves, as they have become smaller and more ubiquitous. In the very recent past, investigators generated their own printouts, sometimes using the original application program, sometimes specialist analytic and examination tools. More recently, investigators have found ways of collecting evidence from remote computers to which they do not have immediate physical access, provided such computers are accessible via a phone line or network connection. It is even possible to track activities across a computer network, including the Internet.
If you manage or administer information systems and networks, you should understand computer forensics. Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts. (The word forensics means "to bring to the court".) Forensics deals primarily with the recovery and analysis of latent evidence. Latent evidence can take many forms, from fingerprints left on a window, to DNA evidence recovered from blood stains, to the files on a hard drive.
Because computer forensics is a new discipline, there is little standardization and consistency across the courts and industry. As a result, it is not yet recognized as a formal "scientific" discipline. We define computer forensics as the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.
In other words, computer forensics is the collection, preservation, analysis, and presentation
of computer-related evidence. Computer evidence can be useful in criminal cases, civil
disputes, and human resources/employment proceedings. Far more information is retained on
a computer than most people realize. It’s also more difficult to completely remove
information than is generally thought. For these reasons (and many more), computer forensics
can often find evidence of, or even completely recover, lost or deleted information, even if
the information was intentionally deleted. Computer forensics, although employing some of
the same skills and software as data recovery, is a much more complex undertaking. In data
recovery, the goal is to retrieve the lost data. In computer forensics, the goal is to retrieve the
data and interpret as much information about it as possible.
5.2 Importance
5.3 Techniques
A computer forensics professional does more than turn on a computer, make a directory
listing, and search through files. Forensics professionals should be able to successfully
perform complex evidence recovery procedures with the skill and expertise that lend
credibility to the case. For example, they should be able to perform the following services:
Data seizure
Data duplication and preservation
Data recovery
Document searches
Media conversion
Expert witness services
Computer evidence service options
Other miscellaneous services
Federal rules of civil procedure let a party or their representative inspect and copy designated
documents or data compilations that may contain evidence. Computer forensics experts,
following federal guidelines, should act as this representative, using their knowledge of data
storage technologies to track down evidence. Experts should also be able to assist officials
during the equipment seizure process.
When one party must seize data from another, two concerns must be addressed: the data must
not be altered in any way, and the seizure must not put an undue burden on the responding
party. Computer forensics experts should acknowledge both of these concerns by making an
exact duplicate of the needed data. Because duplication is fast, the responding party can
quickly resume its normal business functions, and, because your experts work on the
duplicated data, the integrity of the original data is maintained.
Using proprietary tools, your computer forensics experts should be able to safely recover and
analyze otherwise inaccessible evidence. The ability to recover lost evidence is made possible
by the expert’s advanced understanding of storage technologies. For example, when a user
deletes an email, traces of that message may still exist on the storage device. Although the
message is inaccessible to the user, your experts should be able to recover it and locate
relevant evidence.
5.3.4 Document Searches
Computer forensics experts should also be able to search over 200,000 electronic documents
in seconds rather than hours. The speed and efficiency of these searches make the discovery
process less complicated and less intrusive to all parties involved.
Some clients need to obtain and investigate computer data stored on old and unreadable
devices. Your computer forensics experts should extract the relevant data from these devices,
convert it into readable formats, and place it onto new storage media for analysis.
Computer forensics experts should be able to explain complex technical processes in an easy-
to-understand fashion. This should help judges and juries comprehend how computer
evidence is found, what it consists of, and how it is relevant to a specific situation.
Your computer forensics experts should offer various levels of service, each designed to suit
your individual investigative needs. For example, they should be able to offer the following
services:
Standard service
On-site service
Emergency service
Priority service
Weekend service
Computer forensics experts should also be able to provide extended services. These services
include:
Computer forensics has become a buzz word in today’s world of increased concern for
security. It seems that any product that can remotely be tied to network or computer security
is quickly labeled as a “forensics” system. This phenomenon makes designing clear incident
response plans and corporate security plans that support computer forensics difficult. Today’s
corporate climate of increased competition, cutbacks and layoffs, and outsourcing makes it
essential that corporate security policy and practices support the inevitability of future
litigation. Because of this, awareness of the different types of computer forensics systems
has become a necessity. Some types of computer forensics systems are as follows:
Internet security systems
Storage area network security systems
Network disaster recovery systems
Wireless network security systems
Instant messaging (IM) security systems
Net privacy systems
5.5 Methodology
Consider the source and reliability of the information. Weigh all the factors before making a
decision, and perform initial fact checking.
Perform an initial triage and focus on the most severe problems. The output of this step is a
decision either that no further action is required or that the investigation should continue.
Whoever is responsible for securing the crime scene must make sure that proper protocols are
followed. Safety is the first concern. The output of this stage is a secured scene whose
contents have been mapped and recorded with photographs and diagrams.
Informed investigators make proper decisions about what is to be seized and in what order of
priority (servers, workstations, volatile data, etc.). Documentation in this step is of extreme
importance. Initial interviews should be conducted before seizing evidence, to establish who
knows what, who is involved, what is not known and what needs to be gathered.
Preservation – Integrity
Proper actions must be taken to ensure integrity, and proper tools are to be used to ensure
acceptance and reliability. Investigators should make a bit-stream copy of the original media.
The original media is never to be touched again; it is to be put away in a temperature-
controlled environment (chain of custody is key). The duplicate mirror image is what gets
analyzed. It is recommended to make a backup copy of the media to be analyzed, in case of a
media failure.
Focus on recovering all the data, whether it is relevant to the case or not. The overall output
will help provide the most complete timeline.
This is the analysis phase. In this phase we analyze the data to test our theories about our
suspects.
Reduction – Filter
In this phase we separate the wheat from the chaff. We use filters, hash analysis and grep
searches to help refine our focus.
Organization and search – Focus
This is where we, as investigators, bookmark our findings to make the reporting phase
easier. We also document the case as we go rather than waiting until the end. We might export
data out of the image for easier analysis or viewing.
Analysis – scrutinize
This phase requires us to cross-reference and validate our findings to deliver the proof for
prosecution.
The report should contain details from every step, including references to the tools and
protocols used.
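The preservation and reduction steps above (bit-stream copy, integrity hash, hash analysis, grep search) carried through in Python as an added example that is not part of the original text; the files, the known-file hash set (standing in for a reference library such as NSRL) and the keyword list are all constructed for the demonstration.

```python
"""Preservation and reduction steps of the methodology, worked on constructed data."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash and copy media in 1 MiB blocks so a large image never sits in memory


def sha256_of_file(path):
    """Streamed SHA-256 of a file on disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source_path, image_path):
    """Bit-stream copy of source_path into image_path.

    The source is opened read-only and hashed as it is read; the finished image is
    then re-read from disk and hashed independently. Matching digests are the
    examiner's proof that the working copy is byte-for-byte identical to the
    original, which is then sealed away (chain of custody). Returns both digests.
    """
    h = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest(), sha256_of_file(image_path)


def verify_image(expected_hash, image_path):
    """Re-verify the working copy before each session (and after any media fault)."""
    return sha256_of_file(image_path) == expected_hash


def reduce_by_hash(files, known_hashes):
    """Reduction - Filter: drop files whose SHA-256 is in the known-file hash set
    (operating-system and application files), keeping only what needs human review."""
    return {name: data for name, data in files.items()
            if hashlib.sha256(data).hexdigest() not in known_hashes}


def keyword_search(files, keywords):
    """Case-insensitive grep across the remaining files -> {keyword: [file names]}."""
    hits = {k: [] for k in keywords}
    for name, data in sorted(files.items()):
        text = data.lower()
        for k in keywords:
            if k.lower().encode() in text:
                hits[k].append(name)
    return hits


def run_demo():
    """Exercise the pipeline on constructed files; returns the findings as a dict."""
    # Constructed 'file system' of a seized workstation: two known binaries, two user files.
    files = {
        "WINDOWS/system32/kernel32.dll": b"\x4d\x5a" + b"\x00" * 4096,  # fake PE stub
        "WINDOWS/notepad.exe": b"\x4d\x5a" + b"\x90" * 2048,
        "Documents/invoice_draft.doc": b"Please transfer funds to the new account before Friday.",
        "Documents/notes.txt": b"Remember to delete the logs after the transfer.",
    }
    # Known-file hash set, as a reference library would supply (constructed here).
    known_hashes = {hashlib.sha256(files[n]).hexdigest()
                    for n in ("WINDOWS/system32/kernel32.dll", "WINDOWS/notepad.exe")}

    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "suspect_disk.raw")   # stands in for the seized media
        image = os.path.join(work, "working_copy.raw")    # the bit-stream copy we analyze
        with open(source, "wb") as f:
            for name, data in files.items():
                f.write(name.encode() + b"\x00" + data)
        src_hash, img_hash = acquire_image(source, image)
        copy_ok = src_hash == img_hash and verify_image(src_hash, image)
        # Simulate a later accidental write to the working copy: verification must fail.
        with open(image, "ab") as f:
            f.write(b"\x00")
        tamper_detected = not verify_image(src_hash, image)

    remaining = reduce_by_hash(files, known_hashes)
    return {
        "copy_verified": copy_ok,
        "tamper_detected": tamper_detected,
        "files_for_review": sorted(remaining),
        "keyword_hits": keyword_search(remaining, ["transfer", "logs"]),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```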
Chapter VI- Cyber Crime Investigations
6.1.3 Case Study
CASE: A girl purchased goods online. Two days later the item was delivered by courier. The
courier man gave her a receipt to sign and asked her to write down her mobile number. Two
days after that, a person sent bullying / hate messages to the girl through SMS. The girl went
to the police station and filed a complaint against the anonymous person who sent her the
offensive messages.
CASE: A boy was travelling in a bus. When he put his hand in his pocket to make a call, he
found that his mobile was missing; someone had stolen his mobile phone during the journey.
He stopped the bus near a police station and filed a complaint about the stolen mobile.
A phone can be traced through various software tools and websites available on the internet,
which help locate the current position of the mobile provided some sort of tracking
application is running on the lost phone. Many such tracking applications for mobile phones
are freely available on the internet. Some examples are:
This free, invisible security app brings twin security measures to your handset by providing
a mobile antivirus and a mobile tracking/controls solution. What is great about the app is that
its anti-theft component is invisible to thieves, and provides remote options (via web portal or
SMS commands) for locating and recovering your phone. Time to say goodbye to 'lost'
phones.
This is another handy app to track your stolen or lost phone. When the pickpocket changes
the SIM card, the app sends an SMS within 5 minutes from the new SIM number to
your number, which has been stored in the application. The SMS contains GPS location data
or the current location code to aid in tracing.
Thief tracker
This one is our favorite. With the Thief Tracker app, you get to catch the 'thief' red-handed.
Any unsuccessful attempt to unlock your mobile will trigger this app to snap a picture from
the front camera and send it to you by email without the user even knowing. However, the
app has some limitations: it does not wipe data, and an unsuccessful attempt is counted only
when 4 dots in the pattern are selected.
Smart look
This software also takes pictures of the 'thief', in fact three of them, and immediately e-
mails them to you. It also comes equipped with a continuous GPS tracking system which is
linked to Google Maps and also assists in tracing your lost or stolen phone.
You will love this app. Simply activate the alarm and leave your phone on the table or
wherever and if someone moves your phone an alarm will sound. The alarm will only stop
after entering a PIN. Those with sticky fingers, beware!
Another popular app that provides anti-theft defense, allowing you to block, wipe or find
your missing phone. You can also easily filter unwanted SMS texts and calls. Plus, Anti-
Virus Lite with cloud-based security scanner alerts you to potentially malicious apps before
they can harm your phone.
This free app houses a slew of features to protect and trace your phone. After downloading
the app, you will be able to find your phone on a Google Map instantly from Lookout.com,
sound a loud alarm or make your phone SCREAM to find it even if it’s on silent and
automatically see your phone's last known location. That's not all: in addition, this app
provides remote lock and data wipe facilities. It also offers Lookout Premium coverage for a
small monthly fee for more stringent security.
Ranked as one of the top-selling security apps, Trend Micro Mobile provides free antivirus
with a premium version which includes privacy scanning, web and contact filtering, parental
controls and anti-theft features. You can avail of a 30-day free trial to test various features like:
--Privacy scanner warns you of apps that potentially steal your information
--Surf, Call, Text Security keeps you and your kids safe by avoiding unwanted contact and
content
--Lost Device Protection includes anti-theft features that let you find, lock and wipe a missing
device.
Well if plan A doesn't work, you don't need to fear, there is always Plan B. This 'find my
phone' app is the only app that you can download even after you have lost your phone. Using
'Plan B' requires access to the Android Market website and your Google account. After you
install it, Plan B will start locating your phone using cell towers and GPS. On some phones,
Plan B can switch GPS on automatically. Your location will keep updating for 10 minutes,
and you will get an email each time it is located, whether the phone is moving or standing
still. Information is also sent via SMS.
Every smartphone has a unique IMEI number assigned to it, which you can display by dialing
*#06#. Once your phone's 15-digit IMEI number is displayed, write it down and keep it safe
for future reference. You can also find the IMEI number by removing the battery: it is
usually printed on a white sticker along with the phone's serial number.
When you lose your handset, you will need to file an FIR with the police, attaching a copy
of the IMEI number. Then give a copy of this to your service provider, who can track the
phone based on its unique ID number and meanwhile block the handset so that it cannot be
used by anyone else. The IMEI number helps track the handset even when the SIM is changed
or the SIM card is not activated. Once the phone is traced, the police should be able to
retrieve it.
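A check-digit validator for the 15-digit IMEI described above, added here as an example that is not part of the original text: an IMEI ends in a Luhn check digit (3GPP TS 23.003), so validating it catches a mistyped number before it goes into an FIR or to the operator. The sample 490154203237518 is a widely published example IMEI; the other inputs are constructed.

```python
"""IMEI check-digit validation: 8-digit TAC, 6-digit serial, 1 Luhn check digit."""
import re


def luhn_check_digit(payload):
    """Luhn (ISO/IEC 7812) check digit for a string of digits, excluding the check digit."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            # The digit next to the check digit, and every second digit leftwards, is doubled;
            # a two-digit result has its digits summed (equivalent to subtracting 9).
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def normalize(value):
    """Strip the spaces and hyphens people add when copying an IMEI from the *#06# screen."""
    return re.sub(r"[\s-]", "", value)


def is_valid_imei(imei):
    """True only for 15 digits whose last digit is the Luhn check digit of the first 14."""
    digits = normalize(imei)
    if not re.fullmatch(r"\d{15}", digits):
        return False
    return luhn_check_digit(digits[:14]) == int(digits[14])


def imei_parts(imei):
    """Split a valid IMEI into its fields; returns None if the IMEI does not validate."""
    if not is_valid_imei(imei):
        return None
    d = normalize(imei)
    return {"tac": d[:8], "serial": d[8:14], "check_digit": d[14]}


if __name__ == "__main__":
    # First two are the published example IMEI (plain and as written on a sticker);
    # the third has a wrong check digit, the fourth is one digit short.
    for sample in ("490154203237518", "49-015420-323751-8", "490154203237519", "49015420323751"):
        print(sample, is_valid_imei(sample), imei_parts(sample))
```

The same Luhn routine validates the ICCID printed on a SIM card, which also ends in a Luhn check digit.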
Once the location of the mobile has been mapped by the above-mentioned methods, we can
proceed to mobile forensics to recover data, whether stored or deleted, from the mobile phone.
The mobile phone inspector utility generates a complete report of the mobile and SIM card:
phonebook entries, SMS capacity status and all other general information. The cell phone
forensic tool displays detailed information including the mobile manufacturer name, mobile
model number, mobile IMEI number, SIM IMSI number, signal quality and battery status of
the mobile phone. The mobile phone investigation program supports all major brands of
mobile manufacturer, including Nokia, Haier, Motorola, Sony Ericsson, LG, Samsung, Spice,
i-mate, HP etc. The application is supplied with VC++ source code, useful for educational
use, customized development or scientific investigation of mobile phone technology. The
utility displays all phonebook entries with contact name and number, and the phonebook and
SMS capacity of the SIM card and mobile phone memory. The software can be easily installed
and uninstalled on a system running a Windows operating system such as Windows 98, 2000,
2003, ME, NT, XP or Windows Vista.
Features:
* The mobile inspector software provides a highly interactive graphical user interface for easy
access.
* The cell phone forensic utility supports all brands of mobile phones including Nokia,
Samsung, Motorola, Sony, Spice etc.
* The mobile investigation utility displays SMS text messages along with date/time and sender
phone number.
* The cell phone inspector program generates a complete mobile phone report in a text or
HTML file for further reference.
* The software is easy to operate, so the end user does not require any technical skill to use
this tool.
Free download from Shareware Connection: Cell phone forensic tool shows battery status,
mobile model and SIM IMSI number
The cell phone forensic software is a freeware utility that extracts your entire mobile and SIM
related data, including the IMEI number, SIM IMSI number, phonebook entries with name and
number, and text messages, from all Symbian OS based Nokia mobile phones and other
supported mobile devices. The mobile phone investigation application, with source code in
Microsoft Visual C++, MFC and embedded C++, is useful for organizations working with
AT+CPBR, AT+CBS, AT+CSQ, AT+CIMI and many other mobile technologies. The smartphone
inspection program is useful for developers who want detailed knowledge of various functions
related to mobile phones, such as CeCreateFile, CeCreateProcess, CeReadFile,
CeGetDeviceId, CeFindAllFiles, CeRegEnumKeyEx and CeRegOpenKey. The cell phone
forensic application gathers all general information from your GSM and CDMA mobile phone.
The mobile phone inspector software is available with Microsoft Visual C++ source code and
supports all Windows operating systems including Windows 98, NT, ME, 2000, 2003, XP and
Vista. The smartphone investigation tool supports all branded mobile phones such as Nokia,
Motorola, Samsung, LG and Sony Ericsson. The mobile phone inspection program is free of
cost, but the user needs to pay if the software is required with its source code.
Features:
* The mobile phone investigation application supports Windows CE and Windows Mobile
(WM5, WM6) based PDA cell phones.
* The cell phone surveillance tool is an innovative mobile investigator that pulls out SIM
details, SMS capacity, memory status, battery usage, IMEI number with model number and
phonebook entries.
* The mobile phone inspection tool can access your mobile phone over a port connection for
gathering general as well as important information.
* The smartphone forensic utility is a read-only tool that provides complete SIM card
information.
* The freeware mobile phone inspector program allows users to fetch general details of all
Windows based mobile phones.
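The AT commands named above (AT+CIMI, AT+CSQ, AT+CPBR) are what such an inspector sends to the handset over a serial port; the parser below, added here as an example and not taken from any of the tools described, turns a constructed response transcript into the kind of report those tools write. The two-digit MNC split is an assumption that holds for Indian IMSIs (MNC length varies by country).

```python
"""Parse AT+CIMI / AT+CSQ / AT+CPBR responses from a GSM handset into a report."""
import re

# Constructed transcript of what the handset echoes back; not captured from a real phone.
SAMPLE_TRANSCRIPT = """\
AT+CIMI
404451234567890
OK
AT+CSQ
+CSQ: 20,0
OK
AT+CPBR=1,3
+CPBR: 1,"+919800000001",145,"Alice"
+CPBR: 2,"9800000002",129,"Bob"
+CPBR: 3,"+919800000003",145,"Clinic"
OK
"""

CPBR_RE = re.compile(r'^\+CPBR:\s*(\d+),"([^"]*)",(\d+),"([^"]*)"$')


def split_commands(transcript):
    """Group lines into {echoed AT command: [response lines incl. final OK/ERROR]}."""
    blocks, current = {}, None
    for line in transcript.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.upper().startswith("AT"):
            current = line.upper()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)  # result code kept so callers can see failures
    return blocks


def parse_imsi(lines):
    """AT+CIMI answers with the IMSI on its own line (up to 15 digits).
    MCC is always 3 digits; the 2-digit MNC split below is the Indian convention."""
    for line in lines:
        if re.fullmatch(r"\d{6,15}", line):
            return {"imsi": line, "mcc": line[:3], "mnc": line[3:5], "msin": line[5:]}
    return None


def parse_csq(lines):
    """+CSQ: <rssi>,<ber>. rssi 0..31 maps to -113..-51 dBm in 2 dB steps; 99 = unknown."""
    for line in lines:
        m = re.match(r"^\+CSQ:\s*(\d+),(\d+)$", line)
        if m:
            rssi, ber = int(m.group(1)), int(m.group(2))
            dbm = None if rssi == 99 else -113 + 2 * rssi
            return {"rssi": rssi, "ber": ber, "dbm": dbm}
    return None


def parse_cpbr(lines):
    """+CPBR: <index>,"<number>",<type>,"<text>". Type 145 = international, 129 = national."""
    entries = []
    for line in lines:
        m = CPBR_RE.match(line)
        if m:
            entries.append({"index": int(m.group(1)), "number": m.group(2),
                            "type": int(m.group(3)), "name": m.group(4),
                            "international": m.group(3) == "145"})
    return entries


def build_report(transcript):
    """Assemble the per-command parses; commands that returned ERROR are listed separately."""
    blocks = split_commands(transcript)
    cpbr_key = next((k for k in blocks if k.startswith("AT+CPBR")), None)
    return {
        "imsi": parse_imsi(blocks.get("AT+CIMI", [])),
        "signal": parse_csq(blocks.get("AT+CSQ", [])),
        "phonebook": parse_cpbr(blocks.get(cpbr_key, [])) if cpbr_key else [],
        "errors": sorted(k for k, v in blocks.items() if "ERROR" in v),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_report(SAMPLE_TRANSCRIPT), indent=2))
```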
NOTE:
XRY is a software application designed to run on the Windows operating system which
allows you to perform a secure forensic extraction of data from a wide variety of mobile
devices, such as smartphones, GPS navigation units, 3G modems, portable music players and
the latest tablets such as the iPad.
Extracting data from mobile / cell phones is a specialist skill and not the same as recovering
information from computers. Most mobile devices don't share the same operating systems
and are proprietary embedded devices which have unique configurations and operating
systems. What does that mean in terms of getting data out of them? Well, in simple terms, it
means it is very difficult to do. XRY has been designed and developed to make that process a
lot easier for you, with support for over 8,000 different mobile device profiles. We supply a
complete solution to get you what you need and the software guides you through the process
step by step to make it as easy as possible.
XRY Logical is a software based solution for any Windows based PC, complete with the
necessary hardware for forensic investigations of mobile devices. XRY is the standard in
mobile device forensics and the first choice among law enforcement agencies worldwide.
XRY Logical provides an intuitive and user friendly interface to analyze a wide range of
mobile phones through a secure examination process to recover data in a forensically secure
manner. The information gathered from the examined device is instantly available for review
in a secure and traceable manner, ensuring its legal standing and credibility in a court of law.
XRY Logical software enables investigators to perform ‘Logical’ data acquisition. This
forensic process is used to communicate with, and read the contents of, the device; which
typically generates live information. The software’s user interface is simple to navigate, with
a user friendly wizard designed to help guide you through the entire process from start to
finish so you can immediately start to recover data with confidence. With XRY, a tamper-
proof report is created within minutes which can easily be customized to a user’s needs,
including references and a user’s own branding as required. The generated report can be
printed in its entirety, or selected data required by the investigators can be prepared. Using
XRY’s export function, users are afforded a wide range of functionality to facilitate further
distribution and analysis of the data.
XRY Physical is a software package for the physical recovery of data from mobile devices.
The memory dump from each individual device is a complex data structure, so Micro
Systemation has developed XRY Physical to make it easier to navigate this wealth of
information. XRY Physical is different because it lets forensics specialists push investigation
even further by performing a physical data acquisition – a process generating hex-dumps
from the phone memory, typically bypassing the device operating system. This frequently
leads to the recovery of deleted information.
XRY Physical has the advantage that it can reveal protected and deleted data, which may not
be available through a logical analysis. Crucially, using XRY Physical, it is also possible to
recover data from security locked phones. Through a process of dumping raw data followed
by automated decoding to reconstruct the content – XRY Physical can secure a whole new
layer of valuable data for investigators and forensic examiners.
XRY Complete is the all-in-one mobile forensic system from Micro Systemation, combining
both our logical and physical solutions into one package. XRY Complete allows investigators
full access to all the possible methods to recover data from a mobile device.
XRY is a purpose built software based solution, complete with all the necessary hardware for
recovering data from mobile devices in a forensically secure manner. With XRY Complete
you can achieve more and go deeper into a mobile device to recover vital data. With a
combination of logical and physical analysis tools available for supported devices; XRY
complete can produce a combined report containing both live and deleted data from the same
handset.
The XRY system is the first choice among law enforcement agencies worldwide, and
represents a complete mobile forensic system supplied with all the necessary equipment you
need to perform a forensic examination of a mobile device - straight out of the box. The
supplied XRY software application runs on Windows and is powerful enough to deal with all
of the modern demands of forensic examiners. The user interface is simple to navigate, with a
user friendly wizard designed to help guide you through the entire process from start to
finish, so you can immediately start to recover data with confidence.
XACT is a separate hex viewer software application which complements XRY Physical,
allowing examiners to view the raw hexadecimal data extracted during a physical dump of a
mobile device.
Whilst XRY Physical supports a considerable amount of automatic decoding, there will
always be times when an examiner needs to look at the original data for them to establish the
source of information. XACT provides mobile forensics specialists with the ability to
examine that data in detail.
With XACT you can import binary files from other sources if required and view the
hexadecimal data to see for yourself exactly where the data is.
When examining GSM based mobile phones the forensic examiner is faced with two
challenges:
Under the original GSM standards a mobile phone is required to have a SIM card
inserted before it will allow full access to the operating system and function
normally.
If a GSM device is turned on with a live SIM card inserted, then it will attempt to
make a network connection and the risk of data contamination occurs.
The SIM id-Cloner card system solves these problems. It prevents a GSM network
connection without affecting the normal operation of the device, allowing an examiner to
perform a logical extraction. It is also of assistance to examiners faced with a mobile
phone which does not have the original SIM card present.
Under the GSM standards a mobile device should delete the call history if it detects that a
new SIM card has been inserted into it. An examiner who has a mobile without a SIM card
can use SIM id-Cloner to create a duplicate SIM card containing the same critical information
as the original SIM, which will then give access to the handset without causing the device to
delete the call history list. Please note that the examiner needs either the ICCID or the IMSI,
which normally requires contacting the mobile network operator, to perform this function.
This product is supplied as part of the XRY Logical system as standard; it can, however, be
purchased separately if required.
We can also use EnCase and FTK; their detailed working is explained below.
Case: An anonymous online group posts false information about the Row & Row company
on the message board of its website, which leads directly to a decrease in stock price or the
cancellation of a key deal. This is web defacement.
Case: Mahesh Mhatre and Anand Khare were arrested in 2002 for allegedly defacing the
website of the Mumbai Cyber Crime Cell. They had allegedly used password cracking
software to crack the FTP password for the police website. They then replaced the homepage
of the website with pornographic content. The duo was also charged with credit card fraud for
using 225 credit card numbers, mostly belonging to American citizens.
6.3 Crime Related to Financial Fraud / Banking Fraud
Case: The Hyderabad police in India arrested an unemployed computer operator and his
friend, a steward in a prominent five-star hotel, for stealing and misusing credit card numbers
belonging to hotel customers.
The steward noted down the details of the credit cards that were handed over by clients of
the hotel to pay their bills. Then he passed all the details to his computer operator friend,
who used the details to make online purchases on various websites.
Case: In 2004, the US Secret Service investigated and shut down an online organization that
trafficked in around 1.7 million stolen credit cards and stolen identity information and
documents.
6.4 Procedure of Forensics
6.4.1 EnCase Layout
EnCase divides its screen real estate into four windows that are named for their primary
examination function: the Tree pane (formerly the Left pane), the Table pane (formerly the
Right pane), the View pane (formerly the Bottom pane), and the Filter pane (new to EnCase
Version 5). Granularity or detail increases as you move through the primary panes from the
Tree pane, to the Table pane, and finally to the View pane. If detail of any object is needed,
place the cursor focus on it (in other words, highlight it) in the Tree pane, and the Table pane
will display the details about that object. If you want more details about an object in the
Table pane, highlight it in the Table pane and the details will appear in the View pane. Once
you get down to the data level of granularity in the View pane, you can even view or interpret
that data in different ways, effectively getting still more information or granularity from the
View pane. In addition to letting you work with a case in the Case Entries view, EnCase offers
many other views or features that function in the same manner, providing more granularity as
you move through the viewing panes. EnCase further organizes its views into global views,
case-level views, and case-level view subtabs. This hierarchical view is controlled with three
bars at the top of the Tree pane, populated with tabs representing the various views. The bars
are arranged in a descending hierarchy, with the top bar representing global options, the
second bar representing case-level options, and the third bar representing case-level view
subtabs. As the tabs are highlighted (or brought to the front in a three-dimensional sense),
their path becomes visible in the hierarchical tree. Once you take a few minutes to familiarize
yourself with how it works, it is very intuitive and easy to find your way around.
EnCase divides its screen real estate into the Tree, Table, and View panes
6.4.1.2 Creating a Case
The Tree pane is the starting point for the detail that follows in the other two panes.
However, before we can work with the Tree pane, or any pane for that matter, we need to
have a case open. And before we can have a case open, we need to create a case. When
EnCase starts, it opens by default in the Case view. In the Case view, you create a case by
clicking the New button on the toolbar. Alternatively, you could select File > New. After you
click the New button, the dialog box will appear.
Name
Enter a descriptive name for your case, which may include a case or complaint number. The
text you enter here will show in the case folder under the Cases tab view. When you have
many cases to manage, being very descriptive and detailed while still being brief is quite
helpful.
Examiner Name
Enter the examiner’s (your) name in this space. EnCase will not let you proceed if you don’t
make an entry, and it will remember your last entry for future cases in the local.ini file
contained in the EnCase5\Config folder.
Default Export Folder
This folder will be the default location for files that are exported from within EnCase. Also,
when you choose to Copy/UnErase files, this will be the default location for that feature as
well. Some EnScripts will use this location for output too.
Temporary Folder
The Temp folder is used to store files when EnCase is directed to send a file to an external
viewer. Before the external viewer can see a file, it must first be copied out of EnCase and
into the Windows environment. This folder holds those files for this purpose. When you
exit EnCase, files in the Temp folder are removed. If a system crash occurs, this purging
won’t take place. For this reason, files can accumulate in the Temp folder, and if you have a
system crash, you may wish to delete them as they can sometimes get quite large in number
and size.
Create a case file template on your desktop. Whenever you need to create a case, copy this
folder into the Cases folder of your case information drive. Rename the template folder to
your case name, and you are done in seconds.
Case file organization and management are extremely important skills for an examiner to
acquire. In the early days of computer forensics, each case image was kept on a separate
drive to prevent cross-contamination of data. As caseloads grew and technology evolved, best
practices have been modified accordingly.
As EnCase encapsulates a device image into an evidence file that has powerful and
redundant internal integrity checks, cross-contamination of image files is not the issue it was
in the past. In that regard and in many other areas, EnCase has changed the face of computer
forensics and, with it, best practices. Many labs have massive storage servers that store
EnCase evidence and case files. Instead of segregating storage in separate physical devices as
in the past, storage today is often networked and segregated by distinctive folder-naming
conventions that are consistent with best practices for case management. In this manner,
several examiners can access the same evidence files concurrently and work on different
facets of the same case as a team.
As soon as you have created your case, you should save it by clicking Save on the toolbar.
Consistent with our file-naming and organization conventions, you want to save it in the
root of the folder that names your unique case. The file name will default to the name of the
case that you entered in the Name field of the Case Options dialog box. It is a good practice to
have the case, the case file, and the case folder all named the same. It’s also wise to
incorporate the case file name as part of the evidence file name. When they are all named
consistently, errors and confusion are less likely to occur. If the files are misplaced, the
naming convention alone can associate them with their lost relatives.
After you have created a case and saved it, it is time to add evidence to that case. To do
so, click Add Device, which is located on the toolbar. Adding a device is not an option until
you either create a case or open a case. At this stage, you can use the dialog box to add a live
device for preview and possible acquisition, or you can add an evidence file to your case. If
you are operating in the Enterprise or FIM environment, you can connect to a network device
that is running the servlet. Once you have added a device to your case, save your case.
There is a saying that has its roots in Chicago during its earlier years: “Vote early and
vote often.” In forensics, you should apply similar logic by saving early and saving often. Get
into the habit of clicking the Save button anytime you have completed significant work and
when you are about to embark on a new task or process. EnCase supports many different file
systems, which may be mounted in the same case and searched simultaneously.
The figure above shows a physical device (live in this case, with a blue triangle in the lower
right) and its associated volume. The physical device icon is a depiction of a hard drive with
the arm and heads spanning the platter. It takes some imagination, but that’s what it is. The
volume icon is a gray 3-D box of some sort.
A “live” physical device and its associated volume, where the physical device has a blue
triangle in the lower right, indicating it is a live device.
A floppy disk icon is shown with one folder, which has an “X” in it, indicatingit is a
“deleted” folder.
You can “expand all” or “contract all” by right-clicking on an object in theTree pane.
113
114
6.4.1.3 Process
1. [Figure: PC A connected to PC B]
2. PC A: Settings in PC A
   Internet Protocol Version 4 (TCP/IPv4)
   - IP address 192.168.0.1
   - Subnet mask 255.255.255.0
3. PC B: Settings in PC B
   - Insert the EnCase boot live CD in the CD-ROM drive.
   - Boot the PC from the CD-ROM (the BIOS setting has to be changed).
6.4.1.4 Countermeasures
Because EnCase is well known and popular with law enforcement agencies, considerable
research has been conducted into defeating it. The Metasploit Project produces an anti-
forensics toolkit, which includes tools intended to prevent EnCase from finding data from all
operations. Copies of EnCase have been widely leaked on peer-to-peer and other file-sharing
networks, which allows full analysis of the software. Proof-of-concept code exists that can
cause EnCase to crash, or even use buffer overflow exploits to run arbitrary code on the
investigator's computer. It is known that EnCase is vulnerable to zip bombs, for example 42.zip.
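As an added defensive example (not part of the original text and not EnCase code), the check below shows how an evidence-processing tool can refuse to expand a zip bomb such as 42.zip: it reads only the archive's central directory and rejects any archive whose declared expansion ratio, total size or nesting depth exceeds an assumed budget, before a single member is written out. The thresholds are assumed policy and the sample archives are constructed in memory.

```python
import io
import zipfile

# Assumed policy thresholds for an evidence-processing pipeline (not EnCase's).
MAX_RATIO = 100                      # declared / compressed size
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # 50 MiB declared per archive
MAX_NESTING = 3                      # archives nested inside archives


def archive_budget(data: bytes) -> dict:
    """Declared sizes from the central directory; no member is extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    compressed = sum(i.compress_size for i in infos)
    declared = sum(i.file_size for i in infos)
    if compressed:
        ratio = declared / compressed
    else:  # empty archive is harmless; declared bytes with none stored is bogus
        ratio = float("inf") if declared else 0.0
    return {"members": len(infos), "compressed": compressed,
            "declared": declared, "ratio": ratio}


def is_suspicious(data: bytes, depth: int = 0) -> bool:
    """True if this archive or any nested archive exceeds the budget."""
    if depth > MAX_NESTING:
        return True
    b = archive_budget(data)
    if b["declared"] > MAX_TOTAL_BYTES or b["ratio"] > MAX_RATIO:
        return True
    # Descend only into members that have already passed the size check.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(is_suspicious(zf.read(i), depth + 1)
                   for i in zf.infolist()
                   if i.filename.lower().endswith(".zip"))


def build_sample(payload: bytes, layers: int) -> bytes:
    """Constructed test input: `payload` wrapped in `layers` zip archives."""
    data, name = payload, "payload.bin"
    for level in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{level}.zip"
    return data
```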
6.4.2 FTK
6.4.2.1 USES OF FTK
Instant Searching Capability
Because all files have been indexed, FTK can make a full-text index of every alphanumeric
string contained in those files. This full-text index allows for instantaneous keyword
searching across all the data on the hard drive.
Instant keyword searching in FTK allows for quicker investigations. With the linear, flat-file
imaging technology of the competition, the investigator must wait while the program
searches for the particular keyword from the beginning of the hard drive to the end.
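An added example, not FTK's own code, of the indexing the paragraph describes: alphanumeric strings are carved once from constructed sample files, an inverted index is built from them, and keyword lookups are answered from the index rather than by re-reading every file; the linear scan is included for contrast.

```python
import re
from collections import defaultdict

MIN_LEN = 4  # assumed: ignore runs shorter than this, as a string carver would
TOKEN_RE = re.compile(rb"[A-Za-z0-9]{%d,}" % MIN_LEN)

# Constructed sample evidence: binary noise with a few readable strings embedded.
SAMPLE_FILES = {
    "doc1.bin": b"\x00\x01PK\x03\x04" + b"invoice2019 transfer to acct 4471" + b"\xff" * 8,
    "mail.bin": b"\x89PNG\r\n" + b"Subject: transfer approved" + b"\x00" * 4 + b"acct4471",
    "junk.bin": bytes(range(256)),
}


def build_index(files: dict) -> dict:
    """One pass over every file: lower-cased token -> {filename: [byte offsets]}."""
    index = defaultdict(lambda: defaultdict(list))
    for name, data in files.items():
        for m in TOKEN_RE.finditer(data):
            index[m.group().lower().decode()][name].append(m.start())
    return index


def search(index: dict, keyword: str) -> dict:
    """Indexed lookup: a single dictionary access, however large the evidence set."""
    return dict(index.get(keyword.lower(), {}))


def linear_search(files: dict, keyword: str) -> dict:
    """The flat-file alternative: re-read every byte of every file for each keyword."""
    needle = re.escape(keyword.lower().encode())
    hits = {}
    for name, data in files.items():
        offsets = [m.start() for m in re.finditer(needle, data.lower())]
        if offsets:
            hits[name] = offsets
    return hits
```

The index matches whole carved tokens only, so "acct" does not hit the run "acct4471" while the byte-level scan does; the constructed sample exercises exactly that difference.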
Wrongdoers often cover their tracks by deleting or encrypting documents. FTK recovers
deleted files and also decrypts files. First off, FTK’s indexing ability identifies all the
encrypted documents up front, which allows the investigator to quickly begin the decryption
process.
Filter options allow users to define criteria to speedily locate and identify evidence. The user
doesn’t need to learn to program scripts as you do with competing software. In FTK,
filters are created by a simple click of the mouse. Because all the data is in a database, getting
results from the filters is instantaneous.
The screen shot below illustrates the simplicity of creating a custom filter in FTK as well as
just some of the items you can filter on:
6.4.2.4 WORKING WITH FTK
Identify the basic FTK interface components, including the menu and toolbar options and the
program tabs.
Create a case.
Obtain basic analysis data, including file and folder properties, file formats, metadata
and specific file information such as dates and times.
Export files.
Use the Copy Special feature to export information about case files.
Graphics
Tag graphics files using the Bookmarks feature.
[Figure: Search and Seizure, Technical Issues, Understanding of Cryptographic concept]
The major issue in the process of search and seizure arises when digital evidence is seized
from hard drives on networked systems, where both relevant and irrelevant material are
present together. The practical problem arises when hard drives and other digital devices are
analyzed: officials get confused as to which data are most relevant and which are not. This
creates problems with search warrants where non-specified data are included on the hard
drive, possibly leading to the invalidity of the whole search and seizure procedure. It is
practically impossible to examine the relevance of 80 GB of data held on a hard drive. This
problem of search and seizure of computers is also one of the sensitive issues in the legal
dimension when requests are made to foreign countries. But now things have changed: many
new technologies have evolved, and digital devices or PDAs are now analyzed only after that
particular device has been cloned with the help of different forensic tools and methods.
If all else fails, investigators may try to break encryption codes, although this is difficult, time
consuming and costly and would be inappropriate in most of the serious matters.
[Figure: Legal problems: Difficulties in terminology; Choosing of appropriate jurisdiction]
7.2.1 Difficulties in terminology
In the IT Act 2000 there are many difficulties in terminology as well as in definitions, which
makes it hard for police officials to understand the basic terms. However, while solving
or investigating a case, if anyone is found guilty then he/she must be liable under the
sections of the Information Technology Act, 2000 (Amended 2008), read together with the
applicable sections of the Indian Penal Code, 1860, depending upon the circumstances of the
crime. Hence, investigators also need a basic knowledge of other Indian laws as well.
There are many terms which are not discussed in the IT Act, 2000 (Amended 2008) and which
create confusion in the minds of officials. One of them is cybersquatting, the act of registering
a domain name in order to sell it later for profit; no remedy for this issue is available in the IT
Act, 2000. Several other issues likewise remain unresolved in any law proceedings.
Jurisdiction is one of the important problems to cope with in the matter of cybercrimes,
owing to the universal nature of cyberspace. With the help of the internet, cyber terrorists
perform their activities against any country to harm its sovereignty and integrity. Some new
methods of dispute resolution have been developed by international organizations like the
WTO, and various organizations promote their own policies and rules to combat cybercrime
in their particular field or domain.
In some cases offences are committed from outside the country by hackers who sometimes
use proxy networks, which make the connection appear to originate from a different place or
even a different country. The question then arises during investigation of which court should
deal with the particular matter.
7.3.1 Complexity in collecting evidence
Investigators face many complexities while collecting digital devices as evidence, especially
when the data is in encrypted form, because decrypting the device and gathering the data is a
difficult and time-consuming activity, and the long process affects the further proceedings of
the investigation.
The other term for digital devices is electronic record, which is defined under the IT Act,
2000 (Amended 2008) in section 2(t): ‘electronic record’ means data, record or data
generated, image or sound stored, received or sent in an electronic form or micro film or
computer generated micro fiche.
Loss of evidence is a very common and obvious problem, as data are routinely destroyed.
Further, collection of data outside the territorial extent also paralyses this system of crime
investigation.
Conducting investigations across national borders raises many practical problems that affect
the investigation process and increase the expenses. For example, if a crime is committed
outside the particular country then it is hard to investigate the whole process of the crime. In
this situation investigators rely on teleconferences, which are difficult to arrange at times
suitable for all concerned.
Documents often need to be translated, particularly if required for diplomatic purposes. This
can cost considerable sums and again delays investigations. Witnesses from non-English-
speaking countries may need the assistance of interpreters, which can also be expensive and
slow down the investigation process.
7.3.3 Identifying Suspects
The main reasons behind these issues are that officials lack awareness and knowledge in the
investigation of cybercrime. Some of them do not know the proper jurisdiction or the methods
of collecting and analyzing the evidence. Since their rights and duties are not mentioned
clearly anywhere, the IT Act 2000 did not achieve any great success in this respect. Moreover,
most cases go unreported because officials do not know how to file a report or how the
sections apply to the particular offence.
If people are vigilant about their rights, the law definitely protects those rights. When an
investigator performs the investigation, he suffers from such problems. Suppose that he is
investigating a particular case related to cyber stalking or an ICMP mask attack; these terms
are difficult for police to understand, both what they exactly mean and how these types of
offences are committed.
For example, the Delhi High Court in October 2002 prevented a person from selling pirated
software (Microsoft) over an online auction site. An achievement was also made in the case
before the court of the metropolitan magistrate, Delhi, where a person was convicted for
online cheating by buying Sony products using a stolen credit card.
7.3.5 Lack of training
The major drawback faced by police officials during the investigation of cybercrime is lack of
training: many officials do not know about new technologies, and those who do still lack the
practical skills to apply them in the investigation. For filing evidence in a court of law,
officials must attain a basic knowledge of every sector in the field of information technology
together with its legal aspects, which is possible only when police officials receive training or
the government starts a campaign to train them.
Police officials and investigators have to take certain steps and several other actions for
solving cases involving cyberspace, and their powers are laid down in Indian law under the
Code of Criminal Procedure (CrPC) and the Information Technology Act, 2000 (Amended
2008), as follows:
1. Section 80 of IT Act, 2000: Power of police officer to enter any public place and
search & arrest.
2. Section 78 of IT Act, 2000: Power to investigate offences (not below rank of
inspector).
3. Section 156 Cr.P.C: Power to investigate cognizable offences.
4. Section 155 Cr.P.C: Power to investigate non-cognizable offences.
5. Section 91 Cr.P.C: Summon to produce documents.
6. Section 160 Cr.P.C: Summon to require attendance of witnesses.
7. Section 165 Cr.P.C: Search by police officer.
8. Section 93 Cr.P.C: General provision as to search warrants.
9. Section 47 Cr.P.C: Search to arrest the accused.
ANNEXURES
Chennai
Office: Assistant Commissioner of Police, Cyber Crime Cell, Commissioner office campus, Egmore, Chennai-600008
Phone: +91-40-5549-8211
Email: s.balu@nic.in

For Rest of Tamil Nadu
Office: Cyber Crime Cell, CB, CID, Chennai
Phone: +91-44-2250-2512
Email: cbcyber@tn.nic.in

Bangalore (for whole of the Karnataka)
Office: Cyber Crime Police Station, C.O.D. Headquarters, Carlton House, # 1, Palace Road, Banglore – 560001
Phone: +91-80-2220-1026, +91-80-2294-3050, +91-80-2238-7611 (fax)
Web: http://www.cyberpolicebangalore.nic.in/
Email-id: ccps@blr.vsnl.net.in, ccps@kar.nic.in

Hyderabad
Office: Cyber Crime Police Station, Crime Investigation Department, 3rd Floor, D.G.P. office, Lakdikapool, Hyderabad-500004
Phone: +91-40-2324-0663 x, +91-40-2785-2274, +91-40-2758-2040, +91-40-2329-7474 (fax)
Web: http://www.cidap.gov.in/cybercrimes.asp
Email-id: cidap@cidap.gov.in, info@cidap.gov.in, cybercell_hyd@hyd.appolice.gov.in

Delhi
Office: CBI Cyber Crime Cell: Superintendent of Police, Cyber Crime Investigation Cell, Central Bureau of Investigation, 5th Floor, Block No. 3, CGO Complex, Lodhi Road, New Delhi-3
Phone: +91-11-4362203, +91-11-4392424
Web: http://cbi.nic.in/
Email: cbiccic@bol.net.in

Thane
Office: 3rd Floor, Police Commissioner Office, Near Court Naka, Thane West, Thane-400601
Phone: +91-22-2542-4444
Web: www.thanepolice.org
Email-id: police@thaneplice.org

Pune
Office: Deputy Commissioner of Police (Crime), Office of the Commissioner Office, 2, Sadhu Vaswani Road, Camp, Pune-411001
Phone: +91-20-2612-3346, +91-20-2612-7277, +91-20-2616-5396, +91-20-2612-8105 (Fax)
Web: www.punepolice.gov.in
Email-id: crimecomp.pune@nic.in, punepolice@vsnl.com

Gujarat
Office: DIG, CID, Crime and Railways, Fifth Floor, Police Bhavan, Sector-18, Gandhinagar-382018
Phone: +91-79-2325-4384, +91-79-2325-0798, +91-79-2325-3917 (fax)

Jharkhand
Office: IG-CID, Organized Crime, Rajarani Building, Doranda, Ranchi, 834002
Phone: +91-651-2400-737/738
Email: a.gupta@jharkhandpolice.gov.in

Haryana
Office: Cyber Crime and Technical Investigation Cell, Joint Commissioner of Police, old S.P. Office complex, Civil Lines, Gurgaon
Email-id: jtcp.ggn@hry.nic.in

Mumbai
Office: Cyber Crime Investigation Cell, Office of Commissioner of Police office, Annex-3 Building, 1st floor, Near Crawford Market, Mumbai-01
Phone: +91-22-2263-0829, +91-22-2264-1261
Web: http://www.cybercellmumbai.com
E-mail id: officer@cybercellmumbai.com

Himachal Pradesh
Office: CID Office, Dy. SP, Himachal Pradesh
Phone: +91-94180-39449
Email-id: soodbrijesh9@gmail.com

Jammu
Office: SSP, Crime, CPO Complex, Panjtirthi, Jammu-180004
Phone: +91-191-257-8901
Email-id: sspcrmjmu-jk@nic.in

Kerala
Office: Hitech cell, Police HeadQuarters, Thiruvananthapuram
Phone: +91-471272-1547, +91-471272-2768
Email-id: hitechcell@keralapolice.gov.in

Meghalaya
Office: SCRB Superintendent of Police, Meghalaya
Phone: +91-98630-64997
Email-id: scrb-meg@nic.in

Bihar
Office: Cyber Crime Investigation Unit, Dy. S.P. Kotwali Police Station, Patna
Phone: +91-94318-18398
Email-id: cciu-bih@nic.in

Orissa
Office: CID, Crime Branch, Orissa
Phone: +91-94374-50370
Email-id: splcidcb.orpol@nic.in

Punjab
Office: Cyber Crime Police Station, DSP Cyber Crime, S.A.S. Nagar, Patiala. Punjab
Phone: +91-172-2748-100

West Bengal
Office: CID, Cyber Crime, West Bengal
Phone: +9133-2450-6163
Email-id: occyber@cidwestbengal.gov.in

Uttar Pradesh
Office: Cyber Complaints Redressal Cell, Nodal Officer Cyber cell Agra, Agra Range 7, Kutchery Road, Baluganj, Agra-232001, Uttar Pradesh
Phone: +91-9410-837559
Email-id: info@cybercellagra.com

Uttarakhand
Office: Special Task Force Office, Sub Inspector of Police, Dehradoon
Phone: +91-13526-40982, +91-94123-70272
Email-id: dgc-police-us@nic.in

Manipur
Office: SP, CID, Crime Branch, Jail Road, 1st bat Manipur rifle campus, Imphal-411001
Phone: 0385-2451501, 9436027465
Email-id: cidcb@man.nic.in