July 20, 2015

Cyber Crimes
GUJARAT POLICE

MANOJ AGARWAL

The transformation

Two years ago, we were afraid of rockets destroying buildings and computer centres...

Today, we should be aware of software destroying rockets and missiles!

IT Act 2000
Cyber Cases
Investigation & Forensics

IT Act 2000
Objectives

Legal Recognition for E-Commerce


Digital Signatures and Regulatory Regime
Electronic Documents at par with paper documents

E-Governance
Electronic Filing of Documents

Amend certain Acts


Define Civil wrongs, Offences, punishments
Investigation, Adjudication
Appellate Regime

Wrongs

[Diagram: wrongs divided into Moral Wrongs, Civil Wrongs and Legal Wrongs (Crimes). Labels recoverable from the slide: Feeling of guilt; Aggrieved approaches; Fine; Compensation; Or both; Punishment; Police has a very limited role to play; Police has a defined role to play; the STATE; Criminal Court.]

Crimes

Non-Cognizable Offences
- Minor offences
- Aggrieved seeks redressal
- Police has a very limited role to play

Cognizable Offences
- Serious ones
- Responsibility of the STATE to get the offender punished

Cognizability and Bailability


- Not mentioned in the Act
- Rely on Part II of Schedule I of CrPC
- If punishable with death, imprisonment for life or imprisonment for more than 7 years: Cognizable, Non-Bailable, Court of Session
- If punishable with imprisonment for 3 years and upwards but not more than 7 years: Cognizable, Non-Bailable, Magistrate of First Class
- If punishable with imprisonment of less than 3 years: Non-Cognizable, Bailable, Any Magistrate (or Controller of CAs)

Civil Wrongs under IT Act


Chapter IX of IT Act, Section 43
Whoever without permission of owner of the computer
- Secures access (mere U/A access)
  - Not necessarily through a network
- Downloads, copies, extracts any data
- Introduces or causes to be introduced any viruses or contaminant
- Damages or causes to be damaged any computer resource
  - Destroy, alter, delete, add, modify or rearrange
  - Change the format of a file
- Disrupts or causes disruption of any computer resource
  - Preventing normal continuance of
- Denies or causes denial of access by any means
  - Denial of service attacks
- Assists any person to do any thing above
  - Rogue Websites, Search Engines, Insiders providing vulnerabilities
- Charges the services availed by a person to the account of another person by tampering or manipulating any computer resource
  - Credit card frauds, Internet time thefts

Liable to pay damages not exceeding one crore to the affected party
Investigation of ADJUDICATING OFFICER
Powers of a civil court

Section 65: Source Code


- Most important asset of software companies
- "Computer Source Code" means the listing of programmes, computer commands, design and layout

Section 65.. Contd.


Ingredients
- Knowledge or intention
- Concealment, destruction, alteration
- computer source code required to be kept or maintained by law

Punishment
- imprisonment up to three years, and / or fine up to Rs 2 lakh

Cognizable, Non Bailable, JMIC

Section 66: Hacking


Ingredients
- Intention or Knowledge to cause wrongful loss or damage to the public or any person
- Destruction, deletion, alteration, diminishing value or utility or injuriously affecting information residing in a computer resource

Punishment
- imprisonment up to three years, and / or fine up to Rs 2 lakh

Cognizable, Non Bailable, JMFC

Hacking (contd.)
Covers crimes like
- Trojan, Virus, worm attacks
- Logic bombs and Salami attacks
- Internet time theft
- Analysis of electromagnetic waves generated by computers

Examples

State versus Amit Pasari and Kapil Juneja
- Delhi Police
- M/s Softweb Solutions
- Website www.go2nextjob.com hosted
- Complaint of hacking by web hosting service

State versus Joseph Jose
- Delhi Police
- Hoax Email - Planting of 6 bombs in Connaught place

State versus Aneesh Chopra
- Delhi Police
- Three company websites hacked
- Accused: An ex-employee

State versus K R Vijayakumar
- Bangalore Cyber Crime Police Station, 2001
- Criminal intimidation of employers and crashing the company's server
- Phoenix Global solutions

Sec. 67. Pornography


Ingredients
- Publishing or transmitting or causing to be published in the electronic form,
- Obscene material

Punishment
- On first conviction: imprisonment of either description up to five years and fine up to Rs 1 lakh
- On subsequent conviction: imprisonment of either description up to ten years and fine up to Rs 2 lakh

Section covers
- Internet Service Providers,
- Search engines,
- Pornographic websites

Cognizable, Non-Bailable, JMIC/ Court of Sessions

Sec 69: Decryption of information


Ingredients
- Controller issues order to Government agency to intercept any information transmitted through any computer resource.
- Order is issued in the interest of the
  - sovereignty or integrity of India,
  - the security of the State,
  - friendly relations with foreign States,
  - public order or
  - preventing incitement for commission of a cognizable offence
- Person in charge of the computer resource fails to extend all facilities and technical assistance to decrypt the information.

Decryption of information (contd.)


Applicability
- Email messages (If encrypted)
- Encrypted messages
- Steganographic images
- Password protected files (?)

Punishment
- Imprisonment up to 7 years

Cognizable, Non-Bailable, JMIC

Sec 70 Protected System


Ingredients
- Securing unauthorised access or attempting to secure unauthorised access to protected system

Acts covered by this section:
- Switching computer on / off
- Using installed software / hardware
- Installing software / hardware
- Port scanning

Punishment
- Imprisonment up to 10 years and fine

Cognizable, Non-Bailable, Court of Sessions

BUT..
All cyber crimes do not come under the Information Technology Act, 2000.
Many cyber crimes come under the Indian Penal Code

Computer Related Crimes under IPC and Special Laws

- Sending threatening messages by email: Sec 503 IPC
- Sending defamatory messages by email: Sec 499 IPC
- Forgery of electronic records: Sec 463 IPC
- Bogus websites, cyber frauds: Sec 420 IPC
- Email spoofing: Sec 463 IPC
- Online sale of Drugs: NDPS Act
- Web-Jacking: Sec. 383 IPC
- Online sale of Arms: Arms Act

COMPUTER CRIME STATISTICS

- Average Computer Crime - $500K
- Average Bank Robbery - $13K
- 80% of computer crime involves Internet
  - Internet is in 70 countries
  - over 25 million users
  - 10%/month growth rate

Frequency of incidents
- Denial of Service: Section 43
- Virus: Section 66, 43
- Data Alteration: Sec. 66
- U/A Access: Section 43
- Email Abuse: Sec. 67, 500, Other IPC Sections
- Data Theft: Sec 66, 65

Source: Survey conducted by ASCL

No. of Indian web-sites defaced

Not very serious - someone has just pasted a poster over my poster

Number of Indian sites hacked

Site of BARC-panic all around

2001 CSI/FBI Computer Crime and Security Survey


Of the organizations suffering security compromises in the last year, 95% had Firewalls and 61% had IDSs!

SECURITY TECHNOLOGIES USED     1998  1999  2000  2001
                                  %     %     %     %
Intrusion Detection Systems      35    42    50    61
Firewalls                        81    91    78    95
Encrypted Files                  50    61    62    64
Anti-virus software              96    98   100    98
Access Control                   89    93    92    90

False sense of security: "We already have a Firewall"

COMPUTER CRIME STATISTICS


2002 Computer Crime and Security Survey (CSI)
- 91% of respondents detected breaches of their computer security policy.
- 64% of respondents acknowledged financial losses due to the breaches.
- 35% of respondents quantified financial losses amounting to $377M (up 41% from $266M).
- 60% may not have sufficient instrumentation to detect breaches.

WHY CRIMES WERE NOT REPORTED

56% of crimes NOT REPORTED
- Embarrassment.
- Loss of public confidence.
- False arrest concerns.

COMPUTERS CAN PLAY THREE ROLES IN A CRIME

- Weapon/Target
- Storage Facility
- Tool

CASE - I

FAKE E-MAIL ID

FAKE E-MAILS
SMS MESSAGES THROUGH NET.

CASE 2

FAKE POLICE CONSTABLES CASE:
- A PERSON CAUGHT WITH FAKE MOTOR VEHICLE LICENCE
- POLICE SEIZED TWO HARD DISKS

CASE 3

SPECIAL CELL, NEW DELHI


- DELHI POLICE ARRESTED
- PRESS REPORTER CHANGED IN TO ISI AGENT
- SEIZED A LAPTOP AND WRIST WATCH

CASE 4

A VICTIM OF WORLD CUP?


- Ms. MANDIRA BEDI
- POOR KNOWLEDGE IN CRICKET
- A SHOW PIECE
- CRICKET LOVERS ARE AGAINST FOR HER COMMENTARY, BUT LOVES HER ------
- PHOTO APPEARED IN SITE WWW,INDIANSEX4U.COM

CASE 5

NOT SAFE TO GIVE VISITING CARD

- IS IT SAFE TO GIVE VISITING CARD TO SOMEBODY?
- DETAILS KEPT UNDER INDIATIMES.COM UNDER ROMANCE COLUMN:
- THE ACCUSED HER FORMER COLLEAGUE
- THE MISTAKE SHE HAS DONE GIVING VISITING CARD

CASE 6

FIR.NO 581/2001 PS KOTWALI SPECIAL CELL

- WASIM AHMED LILY @ WASIM ASRAF ARRESTED ON 12/10/01 ALONG WITH TWO SUIT CASES CONTAINING FAKE CURRENCY TO THE TUNE OF 18.3 LAKHS (1000, 500 DENOMINATIONS)
- POLICE SEIZED A COMPUTER, SCANNER, PRINTER FROM THE ACCUSED.

CONTD.
FORENSIC ANALYSIS REVEALED
- HOW THE COMPUTER WAS USED IN THE PRODUCTION OF COUNTERFEIT CURRENCY
- CURRENCY NOTES OF DENOMINATION OF NOT ONLY 500, 1000 BUT ALSO RS 50, 100.
- FAKE POSTAL STAMPS
- THE ADDRESSES OF THE AGENTS WHO ARE CIRCULATING

CASE 7

A CASE OF A PLASTIC COMPANY

- THE DIRECTORATE OF CENTRAL EXCISE INTELLIGENCE PERSONS RAIDED A PLASTIC COMPANY OWNER RESIDENCE ON 10/11/2001 AND SEIZED AN AMOUNT OF RS.2 CRORE.
- PRODUCED 6000 CASH BILLS DATED PRIOR TO DATE OF RAID.
- THE BILLS WERE DATED TO APRIL-OCTOBER 2001

CONTD.
- THE DGCEI OFFICIALS SEIZED 12 COMPUTERS WITH THE HELP OF COMPUTER FORENSIC EXPERTS
- FORENSIC EXAMINATION OF COMPUTER SYSTEMS REVEALED
  - EXCISE EVASION TO THE TUNE OF 26 CRORES FROM 2000 ONWARDS
  - BACK MONEY DETAILS
  - THE BRIBES PAID TO THE EXCISE OFFICIALS

CASE 8

FIR NO 76/02 PS PARLIAMENT STREET

- Mrs. SONIA GANDHI RECEIVED THREATENING E-MAILS
- E-MAIL FROM
  - missonrevenge84@khalsa.com
  - missionrevenge84@hotmail.com
- THE CASE WAS REFERRED
- ACCUSED PERSON LOST HIS PARENTS DURING 1984 RIOTS

CASE - 9

PARLIAMENT ATTACK CASE


- Delhi police seized a laptop where they stored the incriminating material.

ON FORENSIC ANALYSIS:
- ROLE OF Lo e T
- IP ADDRESSES OF PAKISTAN
- TELEPHONE NUMBERS
- CODED MESSAGES

CASE-10

KARNATAKA MEDICAL EXAM (K-CET) SCAM

- OCR BASED ANSWERED SHEET.
- MODIFIED THE computer (ANSWERS) PROGRAM AS PER THE STUDENT ANSWERS SHEET.
- MADE FAILED CANDIDATES SUCCESSFUL.
--- THE AP INTERMEDIATE BOARD MARKS SCANDAL.

President CLINTON'S IMPEACHMENT TRIAL

- Forensic experts recovered deleted data from Monica Lewinsky's home computer as well as her computer at the Pentagon
- Computer examinations of deleted White House e-mail records exposed the Clinton-Monica Lewinsky scandal

INVESTIGATION
A good investigation needs network forensics, hardware forensics and software forensics.
The general approach to investigating the technical aspects of any computer related crime is:

- Eliminate the obvious.
- Hypothesize the attack.
- Collect evidence, including, possibly, the computers themselves.
- Reconstruct the crime.
- Perform a trace back to the source computer.
- Analyze the source, target, and intermediate computers.
- Turn your findings and evidentiary material over to corporate investigators or law enforcement for follow-up.

Cyber Crimes ?
- Any crime that involves computers and networks
- Includes crimes that do not rely heavily on computers
  - Alibi
  - Harassment
  - Black mail
  - Extortion
  - Frauds
  - Murder
  - etc....

What are we looking for ?


- Hardware as contraband or fruits of crime.
  - Stolen computer system
- Hardware as an instrumentality
  - Hardware designed exclusively to commit crime - sniffer
- Hardware as evidence.
  - CD Writer to copy blue movies - Pornography
- Information as contraband or fruits of crime.
  - Pirated software
- Information as an instrumentality
  - Hacking program
- Information as evidence.
  - Key of investigation - we are searching this

How to Proceed ?
- Pre-investigation intelligence.
  - A must
  - Visualize and assess what you would encounter.
  - Prepare accordingly..
- Computer may be on / off
  - Blank screen does not indicate an off computer
- If computer is on
  - Note what all is on the screen
  - If the screen saver is operational, move the mouse slightly..
- Map all the connections & mark the matching ends
- Find out whether it is connected to the network.
- Decide on the next course of action..

Strategy
- If you shut down the computer in the usual way
  - Fall in a trap
- If you pull out the cord
  - Lose vital information in the RAM
  - Good documentation of the screen (photograph) will help resolve some of the discrepancies.
- Recommended strategy
  - Ensure that all drives are empty
  - Pull out the cord from the computer (not from the electric board as it may be connected to a UPS)

Seizing the computer


- Computers do not have unique identity
  - It will not help also
- Contents have to be seized uniquely.
- Hashing
  - Only solution
  - Requirements are
    - Algorithm should run in a trusted environment
    - Suspect disk should be write-blocked
    - No time stamps should be altered
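
One way to apply the hashing requirements above, as an added example that is not part of the original slides: hash an acquired image through a read-only handle, confirm that its modification time and size are unchanged afterwards, and check a working copy against the recorded digest. SHA-256, the function names and the sample image bytes are assumptions made for this illustration; the physical disk still needs a write blocker.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large images never sit in RAM

def open_readonly(path):
    # O_NOATIME (Linux only) keeps the read itself from updating access time;
    # fall back to a plain read-only open where it is unavailable or refused.
    flags = os.O_RDONLY | getattr(os, "O_BINARY", 0)
    try:
        return os.open(path, flags | getattr(os, "O_NOATIME", 0))
    except OSError:
        return os.open(path, flags)

def hash_image(path):
    """Return (sha256_hex, mtime_and_size_unchanged) for an evidence image."""
    before = os.stat(path)
    digest = hashlib.sha256()
    fd = open_readonly(path)
    try:
        while True:
            block = os.read(fd, CHUNK)
            if not block:
                break
            digest.update(block)
    finally:
        os.close(fd)
    after = os.stat(path)
    unchanged = (before.st_mtime_ns, before.st_size) == (after.st_mtime_ns, after.st_size)
    return digest.hexdigest(), unchanged

def verify_copy(recorded_digest, copy_path):
    """True only if the working copy is bit-for-bit the seized content."""
    return hash_image(copy_path)[0] == recorded_digest

def demo():
    # Constructed stand-in for a seized disk image (not real evidence).
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "seized.img")
    with open(original, "wb") as f:
        f.write(b"MBR" + bytes(range(256)) * 4096)
    recorded, untouched = hash_image(original)
    working = os.path.join(workdir, "working.img")
    shutil.copyfile(original, working)
    intact = verify_copy(recorded, working)
    with open(working, "r+b") as f:  # flip one byte in the working copy only
        f.seek(100)
        f.write(b"\xff")
    tamper_detected = not verify_copy(recorded, working)
    shutil.rmtree(workdir)
    return recorded, untouched, intact, tamper_detected
```

The recorded digest goes into the seizure documentation; all later analysis runs on copies that verify against it.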

INVESTIGATION OF SEIZED MATERIAL
WEBSITE RELATED CRIME

INTERNET CRIME
- In a 'simple' case of hacking it would be possible to trace out the IP address by the "who is" query.
- Confirm identity of suspect by running the "who is" query.
- The IP address may be found in the "page Source" head (Netscape) and "source" head in Internet Explorer
- The "who is" details generated may be genuine or that of a "compromised" machine.

E-MAIL CRIMES
The header will give the IP address. Run "who is" to ascertain the details of the service provider, whose Mail service was used by the suspect.

If by analyzing circumstances, it is felt that the "who is" result is genuine, the location of suspect can be traced with the help of ISP.

In case of forged/bogus or disguised/number letter mix-up e-mail identities, the ISP can help in identifying the suspect with the help of the E-mail header by analyzing its contents and "message ID" (see boxes for forged/bogus, disguised senders details).

The ISP will be able to help in locating a suspect, because when a person dials up to connect with an ISP, he/she is logged on to one of the Servers of the ISP. This server assigns (depending on the port of entry) a specific IP address to the user. This IP address temporarily becomes the IP address of the user for that specific session.
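
The header analysis described above, as an added example that is not part of the original slides: walk the Received chain of a message oldest hop first, pick the first address worth a "who is" query, and extract the host from the Message-ID. The message, host names and addresses are constructed (documentation ranges) and the function names are illustrative; any Received line below the first server the investigator trusts can be forged by the sender.

```python
import email
import ipaddress
import re

# Constructed sample message; hosts and addresses use documentation ranges.
RAW = """\
Received: from smtp.isp.example (smtp.isp.example [203.0.113.7])
\tby mx.victim.example with ESMTP id B2; Mon, 4 Mar 2002 10:02:09 +0530
Received: from home-pc (dialup-44.isp.example [203.0.113.144])
\tby smtp.isp.example with SMTP id C3; Mon, 4 Mar 2002 10:02:05 +0530
Received: from [10.0.0.5] by home-pc; Mon, 4 Mar 2002 10:02:04 +0530
Message-ID: <20020304043204.C3@smtp.isp.example>
From: "Someone" <sender@mail.example>
To: target@victim.example
Subject: constructed sample

body
"""

IP_IN_BRACKETS = re.compile(r"\[([0-9a-fA-F:.]+)\]")
# Ranges that no registry will attribute to a subscriber (RFC 1918, loopback,
# link-local). Listed explicitly because the sample uses documentation ranges.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def received_hops(raw_message):
    """Relay IPs oldest-first: every server prepends its own Received line."""
    msg = email.message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        for candidate in IP_IN_BRACKETS.findall(header):
            try:
                hops.append(ipaddress.ip_address(candidate))
            except ValueError:
                pass  # bracketed text that is not an IP literal
    return hops


def whois_candidate(raw_message):
    """Oldest hop outside the internal ranges, as a string, or None."""
    for ip in received_hops(raw_message):
        if not any(ip in net for net in INTERNAL):
            return str(ip)
    return None


def message_id_host(raw_message):
    """Host part of Message-ID; compare it with the From domain as a lead."""
    msg = email.message_from_string(raw_message)
    message_id = msg.get("Message-ID", "")
    return message_id.strip("<> ").rpartition("@")[2] or None
```

In the sample the candidate is the dial-up address the ISP assigned for the session, and the Message-ID host differs from the From domain, which is the kind of mismatch the ISP can help resolve from its logs.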

CARDINAL RULES OF COMPUTER FORENSICS
- NEVER TRUST THE SUBJECT OPERATING SYSTEM
- NEVER MISHANDLE EVIDENCE
- NEVER WORK ON ORIGINAL EVIDENCE
- USE PROPER SOFTWARE UTILITIES
- DOCUMENT EVERYTHING

NEVER TRUST THE SUBJECT SYSTEM

- DO NOT BOOT FROM SUSPECT SYSTEM
- DO NOT USE SUSPECT OS
- CRIMINALS MAY MODIFY ROUTINE OPERATING SYSTEM COMMANDS TO PERFORM DESTRUCTIVE COMMANDS.
- DISCONNECT HARD DRIVE & BOOT FROM FLOPPY (THE BIOS MAY BE MODIFIED TO ALLOW BOOT FROM A FLOPPY)

STEPS TAKEN BY COMPUTER FORENSIC EXPERT

- PROTECT THE SUBJECT SYSTEM DURING EXAMINATION FROM ALTERATION, DAMAGE, DATA CORRUPTION OR VIRUS INTRODUCTION
- DISCOVER & RECOVER ALL FILES (active & deleted)
- ACCESS THE CONTENTS OF PROTECTED OR ENCRYPTED FILES
- ANALYZE ALL RELEVANT DATA
- PRINTOUT AN OVERALL ANALYSIS
- PROVIDE TESTIMONY IN COURT OF LAW

Where do we find Evidence ?


In
- The Computer
  - Suspect
  - Victim
- The Server
  - Suspect
  - Victim
- ISPs
  - Who logged from where & when ?
- Computers visited
- Backbone Computers

Issues to address
- We cannot be masters of all trade
- Fighting cyber crimes has to be a team effort involving
  - Law enforcement agencies
    - Handle cyber evidence
    - Use it to generate investigative trails
    - Know when to call an expert for assistance
  - Computer expert
    - How to handle cyber evidence
    - Generate investigative leads
    - Call enforcement agencies for assistance
  - Attorneys
    - How to defend cyber evidence
    - Determine whether it is admissible
  - Forensic Scientists
    - How to process it

QUESTIONS

THANK YOU
