
CYBER FORENSICS
A brief overview

By
1. Mubin Khan
2. Amruta Naik
Under valuable guidance of
(Prof.) Dr. Shahista Inamdar
Introduction to Cyber crime
• Computer or Computer networks are used as a tool or a target or a place of Criminal
activity
• First recorded Cyber Crime in the world-1820-France.
• In 1820, Joseph-Marie Jacquard, a textile manufacturer in France, produced the loom.
This device allowed the repetition of a series of steps in the weaving of special fabrics.
This resulted in a fear amongst Jacquard's employees that their traditional employment
and livelihood were being threatened. They committed acts of sabotage to discourage
Jacquard from further use of the new technology. This is the first recorded cyber crime!
• Unauthorized access to Computer systems, data destruction, data alteration, IP theft etc.
• It is becoming a global organized crime.
How it differs from other crimes?
• Easy to learn
• Requires few resources
• Can be committed from anywhere in the world.
• Different laws in different countries. For example, betting and lotteries are legal
in many countries.
• Criminals are not easily traceable as physical presence is not required.
• International access over World wide web.
Types of Cyber crime
• Hacking
• Phishing
• Software Piracy
• Cyber stalking
• Denial of service
• Financial Crimes/Hawala
• IP crimes
• Forgery
Why Cybercrime threat looms India?
• 2nd Largest population in the world
• Highest number of young people in the age group of 18-45 years
• Largest unemployment
• Cheapest Internet in the world
• Large use of Online platforms
• Increase of Social media platforms
• Internet connections growing at approximately 30% per annum
International Legislations for Cybercrimes
• OECD
1.1983-Research in Criminal Law Problems of Computer related crimes
2.1992-Guidelines for security of information systems
• G8
1997-Subgroup of High tech crime
• OAS
1999-Established a group of Government experts on Cyber crime
• APEC
2002-Commitment to enact a comprehensive set of laws relating to Cyber Security
and Cyber Crime.
Forensic Science
• The term ‘Forensic’ is derived from the Latin word ‘forensis’ which
means belonging to courts of justice or to public discussion and
debate.
• Forensic Sciences can be defined broadly as that Scientific discipline
which is directed to the recognition, identification, individualization and
evaluation of physical evidence by the application of principles and
methods of natural sciences for the purpose of administration of
Criminal justice.
• Criminalistics is another synonymous term which is commonly used in
U.S.A.
Computer Forensics
• Computer forensics (also known as computer forensic science) is a branch
of digital forensic science pertaining to evidence found in computers and
digital storage media.
• The goal of computer forensics is to examine digital media in a forensically
sound manner with the aim of identifying, preserving, recovering,
analyzing and presenting facts and opinions about the digital information.
• Although it is most often associated with the investigation of a wide
variety of computer crime, computer forensics may also be used in civil
proceedings. The discipline involves similar techniques and principles
to data recovery, but with additional guidelines and practices designed to
create a legal audit trail.
Advantages of Cyber Forensic
• The ability to reduce or even eliminate sampling risk – This is the biggest advantage of
forensic accountants over the external auditors.
• The comparison of relevant types of data from different systems or sources to show a
more complete picture
• The ability to easily trend relevant data over periods of time; fluctuations in trending
lines can be analyzed further for false positives and potential risk factors
• The quick identification and extraction of certain risk criteria from the entire data
population for further analysis
• The testing for effectiveness of the control environment and policies in place by
identifying attributes that violate rules
• The identifying trends of which company personnel, consultants and forensic
accountants were unaware.
Importance of Cyber Forensics
• Technology combined with forensic paves the way for quicker investigations and
accurate results.
• Cyber forensics helps in collecting important digital evidence to trace the criminal.
• Electronic equipment stores massive amounts of data that a normal person fails to
see. For example: in a smart house, for every word we speak, actions performed by
smart devices, collect huge data which is crucial in cyber forensics.
• It is also helpful for innocent people to prove their innocence via the evidence
collected online.
• It is not only used to solve digital crimes but also used to solve real-world crimes like
theft cases, murder, etc.
• Businesses are equally benefitted from cyber forensics in tracking system breaches and
finding the attackers.
How Cyber Forensic experts work?
• Identification: The first step for cyber forensics experts is to identify what evidence is
present, where it is stored, and in which format it is stored.
• Preservation: After identifying the data, the next step is to safely preserve the data and not
allow other people to use that device, so that no one can tamper with the data.
• Analysis: After getting the data, the next step is to analyze the data or system. Here the
expert recovers the deleted files and verifies the recovered data and finds the evidence that
the criminal tried to erase by deleting secret files. This process might take several iterations
to reach the final conclusion.
• Documentation: Now, after analyzing the data, a record is created. This record contains all the
recovered and available (not deleted) data, which helps in recreating the crime scene and
reviewing it.
• Presentation: This is the final step in which the analyzed data is presented in front of the
court to solve cases.
Types of Cyber Forensics
• Network forensics: This involves monitoring and analyzing the network traffic to and from the criminal’s
network. The tools used here are network intrusion detection systems and other automated tools.
• Email forensics: In this type of forensics, the experts check the email of the criminal and recover
deleted email threads to extract out crucial information related to the case.
• Malware forensics: This branch of forensics involves hacking related crimes. Here, the forensics expert
examines the malware, trojans to identify the hacker involved behind this.
• Memory forensics: This branch of forensics deals with collecting data from memory (like cache,
RAM, etc.) in raw form and then retrieving information from that data.
• Mobile Phone forensics: This branch of forensics generally deals with mobile phones. They examine and
analyze data from the mobile phone.
• Database forensics: This branch of forensics examines and analyzes the data from databases and their
related metadata.
• Disk forensics: This branch of forensics extracts data from storage media by searching modified, active,
or deleted files.
Techniques that cyber forensic investigators use
• Reverse steganography: Steganography is a method of hiding important data inside the
digital file, image, etc. So, cyber forensic experts do reverse steganography to analyze the
data and find a relation with the case.
• Stochastic forensics: In Stochastic forensics, the experts analyze and reconstruct digital
activity without using digital artifacts. Here, artifacts mean unintended alterations of data
that occur from digital processes.
• Cross-drive analysis: In this process, the information found on multiple computer drives is
correlated and cross-referenced to analyze and preserve information that is relevant to the
investigation.
• Live analysis: In this technique, the computer of criminals is analyzed from within the OS in
running mode. It aims at the volatile data of RAM to get some valuable information.
• Deleted file recovery: This includes searching memory to find fragments of a partially
deleted file in order to recover it for evidence purposes.
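One common way to do the deleted file recovery described in the last bullet is signature-based carving: scanning a raw copy of the media for known file headers and footers. The sketch below is an added example, not part of the original slides; the sample "image", its offsets and the `carve` / `build_sample_image` names are constructed for illustration.

```python
"""Signature-based carving of a raw image (added illustration)."""
import hashlib

# (type, header signature, footer signature) for two formats with fixed markers
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
]


def carve(raw, max_size=10 * 1024 * 1024):
    """Find header/footer pairs in raw and return one record per header hit.

    Run this on a working copy of the acquired image, never on the original
    media. A header with no footer inside max_size is reported as an
    incomplete fragment instead of being silently dropped.
    Limits: only contiguous files are recovered, and the first JPEG footer
    wins, so a file with an embedded thumbnail may be cut short.
    """
    records = []
    for kind, header, footer in SIGNATURES:
        pos = 0
        while (start := raw.find(header, pos)) != -1:
            end = raw.find(footer, start + len(header), start + max_size)
            if end == -1:
                records.append({"type": kind, "offset": start, "length": None,
                                "sha256": None, "complete": False})
                pos = start + len(header)
                continue
            end += len(footer)
            data = raw[start:end]
            # Hash each carved object so later copies can be verified.
            records.append({"type": kind, "offset": start, "length": len(data),
                            "sha256": hashlib.sha256(data).hexdigest(),
                            "complete": True})
            pos = end
    return sorted(records, key=lambda r: r["offset"])


def build_sample_image():
    """Constructed stand-in for unallocated space on a disk image."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-payload" + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"constructed-chunks"
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    # A JPEG whose tail was overwritten: header survives, footer is gone.
    fragment = b"\xff\xd8\xff\xe1" + b"overwritten tail"
    return b"\x00" * 512 + jpeg + b"\x00" * 100 + png + b"\xaa" * 64 + fragment


if __name__ == "__main__":
    for record in carve(build_sample_image()):
        print(record)
```
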
What is the required set of skills needed to be a cyber forensic expert?
• Cyber forensics is based on technology. So, knowledge of various technologies,
computers, mobile phones, network hacks, security breaches, etc. is required.
• The expert should be very attentive while examining a large amount of data to identify
proof/evidence.
• The expert must be aware of criminal laws, a criminal investigation, etc.
• As we know, over time technology always changes, so the experts must be updated with
the latest technology.
• Cyber forensic experts must be able to analyze the data, derive conclusions from it and
make proper interpretations.
• The communication skill of the expert must be good so that while presenting evidence in
front of the court, everyone understands each detail with clarity.
• The expert must have strong knowledge of basic cyber security.
Cyber Forensics and IT Act, 2000 and Indian Evidence Act, 1872
• The Information Technology Act, 2000 is India’s only act dealing with computer crime. With the
intention of introducing the concept of electronic evidence, its Second Schedule has added
to the provisions of the Indian Evidence Act, 1872, which had been drafted earlier keeping in mind
only the physical world. These amendments can be summed up as follows:

1. In section 3,—
(a) In the definition of "Evidence", for the words "all documents produced for the inspection of
the Court", the words "all documents including electronic records produced for the inspection
of the Court" have been substituted;

(b) after the definition of "India", the following have been inserted, namely:— 'the expressions
"Certifying Authority", "digital signature", "Digital Signature Certificate", "electronic form",
"electronic records", "information", "secure electronic record", "secure digital signature" and
"subscriber" with the meanings respectively assigned to them in the Information Technology
Act, 2000. '
2. In section 17, for the words "oral or documentary,", the words "oral or documentary or contained in
electronic form" have been substituted.

3. After section 22, section 22A has been inserted which says that “Oral admissions as to the contents of
electronic records are not relevant, unless the genuineness of the electronic record produced is in
question.".

4. In section 34, for the words "Entries in the books of account", the words "Entries in the books of account,
including those maintained in an electronic form" have been substituted.

5. In section 35, for the word "record", in both the places where it occurs, the words "record or an electronic
record" have been substituted.

6. For section 39, the following section has been substituted, namely: —
What evidence to be given when statement forms part of a conversation, document, electronic record, book
or series of letters or papers.
7. After section 47, section 47A has been inserted, which talks about Opinion as to digital signature where
relevant.

8. In section 59, for the words "contents of documents" the words "contents of documents or electronic
records" have been substituted.

9. After section 65, section 65A and 65B have been added laying down the provisions about Admissibility of
electronic records.

10. After section 67, section 67A has been inserted, which talks about Proof as to digital signature.

11. After section 73, section 73A has been added which talks about Proof as to verification of digital signature.
12. After section 81, section 81A has been added which talks about Presumption as to Gazettes in electronic
forms.

13. After section 85, the following sections have been inserted, namely: —
i) 85A which talks about Presumption as to electronic agreements
ii) 85B which talks about Presumption as to electronic records and digital signatures.
iii) 85C which talks about Presumption as to Digital Signature Certificates.

14. After section 88, section 88A has been inserted which talks about Presumption as to electronic messages.

15. After section 90, section 90A has been added which talks about Presumption as to electronic records five
years old.

16. For section 131, the following section has been substituted, namely: — Production of documents or
electronic records which another person, having possession, could refuse to produce.
Cyber Crimes-Pornography
• ‘Obscenity’ means sexual act or language which shocks people or offends
them. When obscenity is committed via the internet it is termed as “cyber
obscenity”
• Cyber obscenity is a trading of sexually expressive materials within cyber
space. Legally cyber obscenity is also termed as ‘pornography’
• According to the honourable Supreme Court of India: “Obscenity has a
tendency to deprave and corrupt those, whose minds are open to such
immoral influence”.
• Pornography includes pornographic magazines produced using the internet
and the transmission over the internet of pornographic pictures, videos, writing, etc.
Cyber Crime-Pornography In India
• Cyber crime is increasing dreadfully in India and, according to Indian courts,
the common law approach of dispute resolution has been adopted. Various cases
related to cyber obscenity have been filed in India in recent times. For example, the
“BOYS LOCKER ROOM” case in which the accused used to have indecent
conversation in the group and had shared obscene pictures of girls.
• Similarly, there is a group named “GIRLS LOCKER ROOM” where girls have been
accused of similar obscene comments and conversations.
• In India, where the society is in flux and as people are modifying themselves,
there are certain groups of people who still believe that advertisements related
to spreading awareness of the use of ‘sanitary pads’ and ‘condoms’ publicly are
somewhat vulgar. It is very important that people understand its true meaning.
Laws relating to Obscenity and Pornography in India
Sections related to obscenity under Indian Penal Code, 1860
• Section 292 states that whoever sells, lets to hire, imports or exports any obscene object or whoever takes part in
such business or advertisement of any such object, etc shall be punished with imprisonment and fine.
• Section 293 states that whoever sells, lets to hire, distributes, exhibits or circulates to any person under the age of 20
years, any such obscene object, shall be punished with imprisonment.
• Section 294 states that whoever does any obscene act in any public place or sings, recites or utters any obscene
song near a public place shall be punished.
Under Indian Constitution
• The freedom of expression guaranteed under Article 19(1) (a) is subject to some reasonable state restrictions in the
interest of decency or morality. So, it is clear from this Article that no one can do anything in lieu of their
fundamental right guaranteed under Article 19 of Indian constitution. Though the people of India have fundamental
right to Freedom of Speech and Expression, they cannot blindly do any act which is likely to cause obscenity.
Information Technology Act, 2000
• Cyber law also provides some relief against cyber obscenity or pornography. Section 67 of the act lays down that obscenity
is an offence when it is published or transmitted or caused to be published in any electronic form.
The Indecent Representation of Women Act,1986.
• Sec 2(c) of the act defines indecent representation of women. This act also
prohibits publication, sale, etc. containing indecent representation of women
and publication or sending by post or figuring in any form containing indecent
representation of women.
• Sec 6 describes the punishment for contravention of any of the provision of this
act.

Young Person’s Act, 1956
• Section 3 of the act states that any person who advertises a harmful publication
shall be punishable with imprisonment.
Cyber Stalking
• Cyberstalkers can be either strangers or people you know (sometimes
ex-partners), and there are many different motives. 
• The more determined or obsessive stalkers become, the more likely
they are to move from one online channel to another until your
online presence is fully intruded upon
• They commonly obtain their information about you via your online
details of personal and financial affairs, relationships, social and work
life and your location.
Risks of Cyber Stalking
• Identity theft – having your credentials controlled
• Having your online accounts being taken over
• Having your contact details obtained and used
• Location and tracking of you by GPS on mobiles, tracker devices or
spyware on phones
• Having false profiles posted on social networking and other sites
• Being used to stalk others, positioning you as the guilty party
• Having malicious websites, blogs and social networking sites created about you
• Impersonation of you discredited in social media and other online communities
• Being discredited in your place of work
• Receiving direct threats through email/instant messaging
• Stalking or harassment of your relatives, friends or colleagues (on average a stalker will
contact 21 people connected to the victim)
• Use of your image
• Others being provoked to attack you
• Escalation to physical violence
• The stalker taking over your online accounts
• Post-Traumatic Stress Disorder
Cyberstalking laws in India
• Section 67 of the Information Technology Act, 2000 punishes a stalker who sends or causes to send or
publish obscene posts or content on electronic media with imprisonment up to three years and a fine.
• Section 67A of the Information Technology Act, 2000 punishes a person who sends or causes to send or
publish any material containing sexually explicit acts or conduct in electronic media. The punishment
includes imprisonment of up to five years and a fine of up to five lakh rupees.
• Section 354D of the Indian Penal Code, 1860 makes punishable the offence of stalking. Under this
section, if a person monitors the use of the internet, email or any other form of electronic
communication by a woman, then that person shall be punished with imprisonment up to three years
and a fine. This offence is bailable for first-time offenders but non-bailable for repeated offenders.
• If a woman faces cyberstalking, she can file a complaint in any cybercrime unit irrespective of where the
incident took place. Cyber cells are established to provide redressal of grievances to the woman victims.
These cells operate as a part of the criminal investigation department for offences related to criminal
activity on the internet. If there is no cyber cell in her vicinity, the woman can also file an FIR in the
local police station.
Cyber Crime Investigation stages
• Assess the Situation
• Conduct the Initial Investigation
• Identify Possible Evidence
• Secure Devices and Obtain Court Orders
• Analyze Results with Prosecutor

Digital Evidence Collection
• To be useful in court, digital evidence must be: Admissible (collected legally, not
hearsay); Credible (authentic, reliable, not subject to challenges); and
Persuasive (helps the prosecution’s, or plaintiff’s, or defendant’s, case).
• The process of collecting, securing and transporting digital evidence
should not change the evidence.
• Digital evidence should be examined only by those trained specifically
for that function.
• Everything done during the seizure, transportation, and storage of
digital evidence should be fully documented, preserved, and available
for review.
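The two requirements above, that handling must not change the evidence and that every step must be documented and reviewable, are commonly met by hashing the evidence at acquisition and keeping a tamper-evident custody log. The following is an added example, not part of the original slides; the field names, actors, timestamps and the sample evidence bytes are constructed assumptions.

```python
"""Evidence hashing and a hash-chained custody log (added illustration)."""
import hashlib
import io
import json

GENESIS = "0" * 64  # prev_hash used by the first log entry


def sha256_stream(fileobj, chunk_size=1 << 20):
    """Hash a file-like object in chunks so large images need not fit in RAM."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def hash_bytes(data):
    return sha256_stream(io.BytesIO(data))


def entry_digest(entry):
    """Digest of an entry's fields, excluding its own entry_hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_event(log, timestamp, actor, action, evidence_sha256):
    """Append a custody event that commits to the previous entry's hash."""
    entry = {
        "seq": len(log),
        "timestamp": timestamp,
        "actor": actor,
        "action": action,
        "evidence_sha256": evidence_sha256,  # re-computed at every hand-over
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return entry


def verify_log(log, acquisition_sha256):
    """Return a list of problems; an empty list means the record is intact.

    The hash of the latest entry should also be recorded somewhere outside
    the log (for example on the signed seizure form), otherwise the whole
    chain could be rebuilt from scratch without detection.
    """
    problems = []
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev:
            problems.append(f"entry {i}: chain broken (prev_hash mismatch)")
        if entry_digest(entry) != entry["entry_hash"]:
            problems.append(f"entry {i}: fields edited after logging")
        if entry["evidence_sha256"] != acquisition_sha256:
            problems.append(f"entry {i}: evidence hash differs from acquisition")
        prev = entry["entry_hash"]
    return problems


# Constructed stand-in for an acquired disk image.
SAMPLE_EVIDENCE = b"constructed stand-in for an acquired disk image\n" * 4


def build_sample_log():
    acquired = hash_bytes(SAMPLE_EVIDENCE)
    log = []
    append_event(log, "2024-01-10T09:15:00Z", "Examiner A", "seized and imaged", acquired)
    append_event(log, "2024-01-10T11:40:00Z", "Courier B", "transported to lab",
                 hash_bytes(SAMPLE_EVIDENCE))
    append_event(log, "2024-01-11T08:05:00Z", "Examiner C", "checked out for analysis",
                 hash_bytes(SAMPLE_EVIDENCE))
    return log, acquired


if __name__ == "__main__":
    log, acquired = build_sample_log()
    print("intact:", verify_log(log, acquired))
    log[1]["actor"] = "Someone Else"
    print("edited:", verify_log(log, acquired))
```
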
Digital Evidence Collection process
• Evaluating the Crime Scene
• Securing the Scene
• Check the state of Computers
• Interview those who are present
• Recording the scene-Photograph or videograph everything before
touching
• Collecting the Evidence (Generic Algorithm)
• Transport and store Evidence
Evidentiary value of Digital evidence
• The Indian Evidence Act, 1872 and Information Technology Act, 2000 grants legal recognition to electronic records and evidence submitted
in form of electronic records. According to section 2(t) of the Information Technology Act, 2000 “electronic record” means data, record or
data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche.
• The evidentiary value of electronic records is widely discussed under section 65A and 65B of the Evidence Act, 1872. The sections provide
that if the four conditions listed are satisfied any information contained in an electronic record which is printed on paper, stored, recorded
or copied in an optical or magnetic media, produced by a computer is deemed to be a document and becomes admissible in proceedings
without further proof or production of the original, as evidence of any contents of the original or any facts stated therein, of which direct
evidence would be admissible.
• The four conditions referred to above are:
• (1) The computer output containing such information should have been produced by the computer during the period when the computer
was used regularly to store or process information for the purpose of any activities regularly carried on during that period by the person
having lawful control over the use of the computer.
• (2) During such period, information of the kind contained in the electronic record was regularly fed into the computer in the ordinary course
of such activities.
• (3) Throughout the material part of such period, the computer must have been operating properly. In case the computer was not properly
operating during such period, it must be shown that this did not affect the electronic record or the accuracy of the contents.
• (4) The information contained in the electronic record should be such as reproduces or is derived from such information fed into the
computer in the ordinary course of such activities.
Judicial Approach-Landmark cases
Shankar v. State Rep
• Facts: The petitioner approached the Court under Section 482, CrPC
to quash the charge sheet filed against him. The petitioner secured
unauthorized access to the protected system of the Legal Advisor of
Directorate of Vigilance and Anti-Corruption (DVAC) and was charged
under Sections 66, 70, and 72 of the IT Act.
• Decision: The Court observed that the charge sheet filed against the
petitioner cannot be quashed with respect to the law concerning non-
granting of sanction of prosecution under Section 72 of the IT Act.
Avnish Bajaj v. State (NCT) of Delhi
• Facts: Avnish Bajaj, the CEO of Bazee.com was arrested under Section 67 of the IT Act for
the broadcasting of cyber pornography. Someone else had sold copies of a CD containing
pornographic material through the bazee.com website.
• Decision: The Court noted that Mr. Bajaj was nowhere involved in the broadcasting of
pornographic material. Also, the pornographic material could not be viewed on the
Bazee.com website. But Bazee.com receives a commission from the sales and earns
revenue for advertisements carried on via its web pages.
• The Court further observed that the evidence collected indicates that the offence of
cyber pornography cannot be attributed to Bazee.com but to some other person. The
Court granted bail to Mr. Bajaj subject to the furnishing of 2 sureties of Rs. 1 lakh each.
However, the burden lies on the accused that he was merely the service provider and
does not provide content.
Christian Louboutin SAS v. Nakul Bajaj & Ors.
• Facts: The Complainant, a Luxury shoes manufacturer filed a suit seeking an
injunction against an e-commerce portal www.darveys.com for indulging in a
Trademark violation with the seller of spurious goods.
• The question before the Court was whether the defendant’s use of the plaintiff’s
mark, logos, and image are protected under Section 79 of the IT Act.
• Decision: The Court observed that the defendant is more than an intermediary on
the ground that the website has full control over the products being sold via its
platform. It first identifies and then promotes third parties to sell their products.
The Court further said that active participation by an e-commerce platform would
exempt it from the rights provided to intermediaries under Section 79 of the IT
Act.
