Investigation of Cyber Crimes & Forensics
Presentation by Dr. Tabrez Ahmad at Biju Pattnaik State Police Academy, Bhubaneswar, to train DSPs in cyber crime investigation and cyber forensics. Added: June 26, 2010.

Presentation Transcript

Session II: Investigation of Cyber Crimes & Forensics
Biju Pattnaik State Police Academy, Bhubaneswar
By Dr.
Tabrez Ahmad, Associate Professor of Law
www.site.technolexindia.com, tabrezahmad7@gmail.com, http://technolexindia.blogspot.com
Saturday, June 26, 2010

Agenda
- The possible reliefs to a cybercrime victim and strategy adoption
- The preparation for prosecution
- Admissibility of digital evidence in courts
- Defending an accused in a computer-related crime
- The techniques of cyber investigation and forensic tools
- Future course of action

Possible reliefs to a cybercrime victim: strategy adoption
- A victim of cybercrime needs to immediately report the matter to his local police station and to the nearest cybercrime cell.
- Depending on the nature of the crime, there may be civil and criminal remedies.
- In civil remedies, injunction and restraint orders may be sought, together with damages, delivery up of infringing matter and/or an account of profits.
- In criminal remedies, a cybercrime case will be registered by the police if the offence is cognisable; if it is non-cognisable, a complaint should be filed with the metropolitan magistrate.
- For certain offences, both civil and criminal remedies may be available to the victim.

Before lodging a cybercrime case
Important parameters:
- Gather ample evidence admissible in a court of law.
- Fulfil the criteria of the pecuniary, territorial and subject-matter jurisdiction of a court.
- Determine jurisdiction: the case may be filed where the offence is committed or where the effect of the offence is felt (S. 177 to 179, CrPC).
The criminal prosecution pyramid

Preparation for prosecution
- Collect all available evidence and save snapshots of the evidence.
- Seek a cyberlaw expert's immediate assistance for advice on preparing for prosecution.
- Prepare a chronological background history of the facts.
- Pen down the names and addresses of the suspected accused.
- Form a draft of the complaint and the remedies the victim seeks.
- A cyberlaw expert and the police could assist in gathering further evidence, e.g. tracing the IP in the case of e-mails, search and seizure, or arrest as appropriate to the situation.
- A cyber forensic study of the hardware, equipment or network server related to the cybercrime is generally essential.

Government Initiative
The Cyber Crime Investigation Cell (CCIC) of the CBI, notified in September 1999, started functioning from 3 March 2000. It is located in New Delhi, Mumbai, Chennai and Bangalore. The jurisdiction of the cell is all over India. Any incident of cyber crime can be reported to a police station, irrespective of whether it maintains a separate cell or not.

The Indian Computer Emergency Response Team (CERT-In)
IT Amendment Act 2008:
"70A. (1) The Indian Computer Emergency Response Team (CERT-In) shall serve as the national nodal agency in respect of Critical Information Infrastructure for coordinating all actions relating to information security practices, procedures, guidelines, incident prevention, response and report. (2) For the purposes of sub-section (1), the Director of the Indian Computer Emergency Response Team may call for information pertaining to cyber security from the service providers, intermediaries or any other person."
Cognizability and Bailability
As per the IT Amendment Act 2008, offences which have not less than 3 years' punishment are cognizable and bailable.

Power of Police to Investigate
- Section 156 Cr.P.C.: Power to investigate cognizable offences.
- Section 155 Cr.P.C.: Power to investigate non-cognizable offences.
- Section 91 Cr.P.C.: Summons to produce documents.
- Section 160 Cr.P.C.: Summons to require attendance of witnesses.

Power of Police to Investigate (contd.)
- Section 165 Cr.P.C.: Search by police officer.
- Section 93 Cr.P.C.: General provision as to search warrants.
- Section 47 Cr.P.C.: Search to arrest the accused.
- Section 78 of IT Act, 2000: Power to investigate offences; not below the rank of Inspector.
- Section 80 of IT Act, 2000: Power of a police officer to enter any public place and search and arrest.

Amendments: Indian Evidence Act 1872
- Section 3 of the Evidence Act was amended to take care of the admissibility of electronic records (ER) as evidence, along with paper-based records, as part of the documents which can be produced before the court for inspection.
- Section 4 of the IT Act confers legal recognition on electronic records.
Societe Des Produits Nestle SA case, 2006 (33) PTC 469
By virtue of the provision of Section 65A, the contents of electronic records may be proved in evidence by parties in accordance with the provisions of Section 65B.
Held: Sub-section (1) of Section 65B makes admissible as a document a paper printout of electronic records stored in optical or magnetic media produced by a computer, subject to fulfilment of the conditions specified in sub-section (2) of Section 65B:
- The computer from which the record is generated was regularly used to store or process information in respect of an activity regularly carried on by a person having lawful control over it during that period, and the record relates to the period over which the computer was regularly used.
- The information was fed into the computer in the ordinary course of the activities of the person having lawful control over the computer.
- The computer was operating properly, and if not, the fault was not such as to affect the electronic record or its accuracy.
- The information reproduced is such as was fed into the computer in the ordinary course of the activity.
See also State v Mohd Afzal, 2003 (7) AD (Delhi) 1.

State v Navjot Sandhu (2005) 11 SCC 600
Held, while examining Section 65B of the Evidence Act, that it may be that a certificate containing the details in sub-section (4) of Section 65B is not filed, but that does not mean that secondary evidence cannot be given. Sections 63 and 65 of the Indian Evidence Act enable secondary evidence of the contents of a document to be adduced if the original is of such a nature as not to be easily movable.
Presumptions in law: Section 85B, Indian Evidence Act
- In any proceedings involving a secure digital signature, the court shall presume, unless the contrary is proved, that the secure digital signature is affixed by the subscriber with the intention of signing or approving the electronic record.
- In any proceedings involving a secure electronic record, the court shall presume, unless the contrary is proved, that the secure electronic record has not been altered since the specific point of time to which the secure status relates.

Presumption as to electronic messages: Section 88A of the Evidence Act
- The court may treat electronic messages received as if they were sent by the originator, with the exception that no presumption is to be made as to the person by whom such message was sent.
- It must be proved that the message has been forwarded from the electronic mail server to the person (addressee) to whom such message purports to have been addressed.
- An electronic message is primary evidence of the fact that the same was delivered to the addressee on the date and time indicated.

IT Amendment Act 2008: Section 79A
Section 79A empowers the Central Government to appoint any department, body or agency as examiner of electronic evidence for providing expert opinion on evidence in electronic form before any court or authority.
Till now, the government forensic lab at Hyderabad (CFSL) was considered of evidentiary value in courts. Statutory status for an agency under Section 79A will be of vital importance in the criminal prosecution of cybercrime cases in India.

Probable activities for the defence of an accused in a cybercrime case
- Preparation of a chain-of-events table.
- Probing where evidence could be traced: e-mail inbox, files, folders, web history.
- Has the accused used any evidence-erasing software or tools?
- Forensically screening the hardware, data, files, printouts, camera, mobile and pen drives of evidentiary value.
- Formatting may not be a solution.
- Apply for anticipatory bail.
- Challenge the evidence produced by the opposite party and look for loopholes.
- Filing of a cross-complaint if appropriate.

Sec 69: Decryption of information
Ingredients:
- The Controller issues an order to a Government agency to intercept any information transmitted through any computer resource.
- The order is issued in the interest of the sovereignty or integrity of India, the security of the State, friendly relations with foreign States, public order, or preventing incitement to the commission of a cognizable offence.
- A person in charge of the computer resource who fails to extend all facilities and technical assistance to decrypt the information: punishment up to 7 years.

Sec 70: Protected System
Ingredients:
- Securing unauthorised access, or attempting to secure unauthorised access, to a 'protected system'.
- Acts covered by this section: switching the computer on/off; using installed software/hardware; installing software/hardware; port scanning.
- Punishment: imprisonment up to 10 years and fine. Cognizable, non-bailable, Court of Sessions.

Computer Forensics and Cyberforensics
Computer forensics is considered to be the use of analytical and investigative techniques to identify, collect, examine, preserve and present evidence or information which is magnetically stored or encoded. A better definition for law enforcement would be the scientific method of examining and analyzing data from computer storage media so that the data can be used as evidence in court. Media = computers, mobile phones, PDAs, digital cameras, etc.

Handling of Evidence by Cyber Analysts
Four major tasks for working with digital evidence: Identify; Collect, Observe & Preserve; Analyze and Organize; Verify.
- Identify any digital information or artifacts that can be used as evidence.
- Collect, observe and preserve the evidence.
- Analyze, identify and organize the evidence.
- Rebuild the evidence or repeat a situation to verify the same results every time; check the hash value.

Incident Response: a precursor to techniques of cyber investigation and forensic tools
'Incident response' could be defined as a precise set of actions to handle any security incident in a responsible, meaningful and timely manner.
Goals of incident response:
- To confirm whether an incident has occurred
- To promote the accumulation of accurate information
- To educate senior management
- To help in the detection/prevention of such incidents in the future
- To provide rapid detection and containment
- To minimize disruption to business and network operations
- To facilitate criminal action against perpetrators

Six steps of incident response
- Pre-incident preparation
- Detection of incidents
- Initial response
- Investigate the incident

Techniques of cyber investigation: cyber forensics
Computer forensics, also called cyber forensics, is the application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence, to find out exactly what happened on a computer and who was responsible for it.

6 A's of digital forensics

Rules of evidence
Computer forensic components:
- Identifying
- Preserving
- Analysing
- Presenting evidence in a legally admissible manner
The evidence must be admissible, relevant, complete and reliable, with a chain of custody.

FBI handbook of forensic investigation: techniques for computer forensics
Sources of Evidence
- Existing files
- Deleted files
- Logs
- Special system files (registry etc.)
- E-mail archives, printer spools
- Administrative settings
- Internet history
- Chat archives
- Misnamed files
- Encrypted files / password-protected files, etc.

Cyberforensics in accounting frauds
- Use of CAAT (computer-assisted audit techniques): spreadsheets, Excel, MS Access
- Generalized audit software, PC-based file interrogation software: IDEA, ACL
- Helps detect fictitious suppliers, duplicate payments, theft of inventory
- Tender manipulation, secret commissions
- False financial reporting
- Expense account misuse
- Insider trading

Establishment and maintenance of 'Chain of Custody'
Tools required:
- Evidence notebook
- Tamper-evident labels
- Permanent ink pen
- Camera
Document the following:
- Who reported the incident, along with critical dates and times
- Details leading up to the formal investigation
- Names of all people conducting the investigation
- Establish and maintain a detailed 'activity log'

Maintaining Chain of Custody
- Take pictures of the evidence; document 'crime scene' details
- Document identifiable markings on the evidence
- Catalog the system contents
- Document serial numbers, model numbers, asset tags
- "Bag" it! Maintain chain of custody on a tamperproof evidence bag
- Take a picture!
E-mail forensics
- An e-mail is composed of two parts: header and body
- Examine the headers
- Request information from the ISP
- Trace the IP
- Tools: EnCase, FTK, Final email, Sawmill, GroupWise, Audimation for logging
- Cracking the password: brute force attack, smart search, dictionary search, date search, customised search, guaranteed decryption, plaintext attack
- Passware, Ultimate ZIP Cracker, Office Recovery Enterprise, etc.

Computer forensic analysis within the forensic tradition
Alphonse Bertillon (freezing the scene): in 1879 he introduced a methodical way of documenting the scene by photographing, for example, bodies, items, footprints and bloodstains in situ, with relative measurements of location, position and size. Bertillon is thus the first known forensic photographer. Bertillonage, a system of identifying individuals by over 200 separate body measurements, was in use till 1910 and was only rendered obsolete by the discovery that fingerprints were unique.

Key Principle of Forensics
Edmond Locard articulated one of forensic science's key rules, known as Locard's Exchange Principle: "The principle states that when two items or persons come into contact, there will be an exchange of physical traces. Something is brought, and something is taken away, so that suspects can be tied to a crime scene by detecting these traces."
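The "examine headers, trace the IP" step of the e-mail forensics slide, as an added example that is not part of the original presentation: it walks the Received chain of a constructed message (documentation addresses only) back to the originating relay and applies two simple consistency checks of the kind a spoofed-mail detector uses. The heuristics and the sample message are assumptions for illustration; a mismatch is a lead for the investigator, not proof of forgery.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real capture). IPs come from the
# documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24.
SAMPLE_RAW = """\
Return-Path: <bulk@example.net>
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
    by mail.example.org with ESMTP id abc123
    for <victim@example.org>; Sat, 26 Jun 2010 10:15:02 +0530
Received: from relay.example.net (relay.example.net [198.51.100.7])
    by mx1.example.org with ESMTP; Sat, 26 Jun 2010 10:15:00 +0530
Received: from [203.0.113.45] (unknown [203.0.113.45])
    by relay.example.net with SMTP; Sat, 26 Jun 2010 10:14:55 +0530
From: "Bank Support" <support@bank.example.com>
To: victim@example.org
Subject: Verify your account
Message-ID: <1234@relay.example.net>

Sample body text.
"""

RECEIVED_FROM = re.compile(r"from\s+(\S+)", re.IGNORECASE)
RECEIVED_BY = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_route(raw):
    """Return the Received hops in transmission order (origin first).

    Each hop records the claimed 'from' host, the bracketed 'ip' that the
    receiving server observed, and the 'by' host that wrote the header.
    """
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        m_from = RECEIVED_FROM.search(value)
        m_by = RECEIVED_BY.search(value)
        m_ip = IPV4.search(value)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None,
        })
    hops.reverse()  # each relay prepends its header, so the last one is the origin
    return hops


def origin_ip(raw):
    """IP recorded by the first relay: the address to take to the ISP."""
    hops = parse_route(raw)
    return hops[0]["ip"] if hops else None


def domain_of(header_value):
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def spoof_indicators(raw):
    """Heuristic checks: a From: domain that matches neither the envelope
    sender nor any host in the relay chain deserves closer examination."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From"))
    envelope_domain = domain_of(msg.get("Return-Path"))
    findings = []
    if from_domain and envelope_domain and from_domain != envelope_domain:
        findings.append("From domain %s differs from envelope sender domain %s"
                        % (from_domain, envelope_domain))
    route_hosts = [h[k] for h in parse_route(raw) for k in ("from", "by") if h[k]]
    if from_domain and not any(host.lower().endswith(from_domain) for host in route_hosts):
        findings.append("From domain %s does not appear in any Received hop" % from_domain)
    return findings


if __name__ == "__main__":
    for hop in parse_route(SAMPLE_RAW):
        print("%-20s -> %s (seen as %s)" % (hop["from"], hop["by"], hop["ip"]))
    print("origin IP:", origin_ip(SAMPLE_RAW))
    for finding in spoof_indicators(SAMPLE_RAW):
        print("indicator:", finding)
```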
Stakeholders
- National security
- Customs & Excise
- Law enforcement agents
- Businesses (embezzlement, industrial espionage, stealing confidential information, and racial or sexual harassment)
- Corporate crime (according to reports, the accountants and auditors for Enron not only used e-mail to communicate but also subsequently deleted these e-mails)

Problems in the Indian Context
- No standard for computer forensics is yet developed.
- No guidelines for companies dealing with electronic data during disputes.
- No recognition of any forensic tool.
- Issues related to anti-forensics are not talked about.

Overall Scenario
To date, computer forensics has been primarily driven by vendors and applied technologies, with very little consideration being given to establishing a sound theoretical foundation. The national and international judiciary has already begun to question the "scientific" validity of many of the ad hoc procedures and methodologies and is demanding proof of some sort of theoretical foundation and scientific rigor.

Contd.
Commercial software tools are also a problem because software developers need to protect their code to prevent competitors from stealing their product. However, since most of the code is not made public, it is very difficult for the developers to verify the error rates of the software, and so reliability of performance is still questionable.

Contd.
The specialized tools used by a computer forensic expert are viewed as intolerably expensive by many corporations, and as a result many corporations simply choose not to invest any meaningful money in computer forensics. This trend amplifies cyber crime rates. Open source software has also not been tested or verified for effectiveness in serving the above purposes (open for research).

Legal Aspects
The growing demand for security and certainty in cyber space leads to more stringent laws. The violation and maintenance of these laws (cyber laws) must be distinguished from classical criminal activities and criminal law enforcement. The dynamics between these different forms of law violation and law enforcement are important and shall be addressed.

Computer Forensic Tools
Forensic Tool Kit: FTK is developed by Access Data Corporation (USA); it enables law enforcement and corporate security professionals to perform complete and in-depth computer forensic analysis. (Main window of FTK shown on the slide.)

Typical Tools
- Email Tracer
- TrueBack
- CyberCheck
- Manual

Slide 44: Current and Emerging Cyber Forensic Tools of Law Enforcement

Slide 45: EnCase Forensic
EnCase Forensic, developed by Guidance Software (USA), is the industry standard in computer forensic investigation technology.
With an intuitive graphical user interface (GUI), superior analytics, enhanced e-mail/Internet support and a powerful scripting engine, EnCase provides investigators with a single robust tool capable of conducting large-scale and very complex investigations from beginning to end. (Main window of EnCase shown on the slide.)

Slide 46:
EnCase Forensic is a very useful forensic solution, but it lacks the following important feature: there is no password cracking/recovery facility. So if during the investigation process the examiner detects any password-protected files, he has to rely on third-party tools.

Email Tracer Forensic Tool

Features of Email Tracer
- Display of actual mail content for Outlook Express, Eudora, MS Outlook and mail clients with MBOX mailbox.
- Display of the mail content (HTML / text).
- Display of the mail attributes for Outlook Express.
- Display of extracted e-mail header information.
- Save mail content as .EML file.
- Display of all e-mail attachments and extraction.
- Display of e-mail route.
- IP trace to the sender's system.
- Domain name lookup.
- Display of geographical location of the sender's gateway on a world map.
- Mail server log analysis for evidence collection.
- Access to a database of the country code list along with IP address information.

Email Tracing over Web: as a pre-emptive tool

Email Tracing Service
Users can submit their tracing task to Email Tracer through the web.
- Tracing IP address up to city level (non-spoofed)
- Detection of spoofed mail
- Detailed report

Seizure & Acquisition Tool: TrueBack

Features of TrueBack
- DOS application with event-based windowing system.
- Self-integrity check.
- Minimum system configuration check.
- Extraction of system information.
- Three modes of operation: Seize; Acquire; Seize and Acquire.

Slide 56:
- Disk imaging through parallel port.
- Disk imaging using network interface card.
- Block-by-block acquisition with data integrity check on each block.
- IDE/SCSI, USB, CD and floppy acquisition.
- Acquisition of floppies and CDs in batch mode.
- Write protection on all storage media except destination media.
- Checking for sterile destination media.
- Progress bar display on all modes of operation.
- Report generation on all modes of operation.
- BIOS and ATA mode acquisition.

Analysis Tool: CyberCheck

Slide 58: CyberCheck Suite
The IT Act 2000 is India's first attempt to combat cyber crime. To assist in the enforcement of the IT Act, the Department of Information Technology, Ministry of Communications and Information Technology, has set up a Technical Resource Centre for Cyber Forensics at C-DAC, Thiruvananthapuram. CyberCheck is a forensic analysis tool developed by C-DAC Thiruvananthapuram. (Probe window of CyberCheck Suite shown on the slide.)
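The "block-by-block acquisition with data integrity check" listed for TrueBack above, and the "check the hash value" verification step from the evidence-handling slide, as an added example that is not TrueBack's or CyberCheck's code: it builds a per-block SHA-256 manifest over an image stream and later re-verifies it, so that a single altered byte is pinned to one block instead of only failing the whole-image hash. The 4 KiB block size and the constructed image bytes are assumptions for illustration.

```python
import hashlib
import io
import json

BLOCK_SIZE = 4096  # assumed verification block size; the tools' real block size is not on the slide


def hash_blocks(stream, block_size=BLOCK_SIZE):
    """Read an image stream sequentially and return (block_hashes, image_hash).

    block_hashes[i] is the SHA-256 of block i; image_hash covers the whole
    image, so it doubles as the value recorded in the seizure report.
    """
    block_hashes = []
    whole = hashlib.sha256()
    while True:
        chunk = stream.read(block_size)
        if not chunk:
            break
        block_hashes.append(hashlib.sha256(chunk).hexdigest())
        whole.update(chunk)
    return block_hashes, whole.hexdigest()


def make_manifest(stream, block_size=BLOCK_SIZE):
    """Manifest written at acquisition time, to be stored with the image."""
    block_hashes, image_hash = hash_blocks(stream, block_size)
    return {"algorithm": "sha256", "block_size": block_size,
            "blocks": block_hashes, "image": image_hash}


def manifest_to_json(manifest):
    return json.dumps(manifest, indent=2)


def verify_image(stream, manifest):
    """Re-hash the image at load time and report exactly which blocks differ."""
    block_hashes, image_hash = hash_blocks(stream, manifest["block_size"])
    expected = manifest["blocks"]
    bad_blocks = [i for i, (got, want) in enumerate(zip(block_hashes, expected)) if got != want]
    return {
        "image_ok": image_hash == manifest["image"],
        "block_count_ok": len(block_hashes) == len(expected),
        "bad_blocks": bad_blocks,
    }


def constructed_image(size=5 * BLOCK_SIZE + 100):
    # Constructed sample bytes standing in for an acquired image (not a real disk image);
    # the odd tail exercises the short final block.
    return bytes((i * 31 + 7) % 256 for i in range(size))


def demo():
    """Verify a clean copy, then a copy with one bit flipped inside block 3."""
    original = constructed_image()
    manifest = make_manifest(io.BytesIO(original))
    tampered = bytearray(original)
    tampered[3 * BLOCK_SIZE + 10] ^= 0x01
    clean_result = verify_image(io.BytesIO(original), manifest)
    tampered_result = verify_image(io.BytesIO(bytes(tampered)), manifest)
    return clean_result, tampered_result


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean copy   :", clean)
    print("tampered copy:", tampered)
```

With a real image, pass an open file (`open(path, "rb")`) as the stream; the verification output belongs in the analysis report next to the acquisition hash.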
Slide 59: CyberCheck Features
- Standard Windows application.
- Self-integrity check.
- Minimum system configuration check.
- Analyses evidence files containing FAT12, FAT16, FAT32, NTFS and EXT2FS file systems.
- Analyses evidence files created by the following disk imaging tools: TrueBack, LinkMasster, EnCase.
- User login facilities.

Slide 60: CyberCheck Features (contd.)
- Creates a log of each analysis session and the analyzing officer's details.
- Block-by-block data integrity verification while loading the evidence file.
- Explorer-type view of the contents of the whole evidence file.
- Display of folders and files with all attributes.
- Show/hide system files.
- Sorting of files based on file attributes.
- Text/hex view of the content of a file.
- Picture view of an image file.
- Gallery view of images.

Slide 61: CyberCheck Features (contd.)
- Graphical representation of the following views of an evidence file: disk view, cluster view, block view.
- Timeline view of: all files; deleted files; time-anomaly files; signature-mismatched files; files created within a time frame.

Slide 62: CyberCheck Features (contd.)
- Display of the cluster chain of a file.
- Single and multiple keyword search.
- Extraction of disk, partition, file and MBR slack.
- Exclusive search in slack space.
- Extraction of unused unallocated clusters and exclusion from the search space.
- Exclusive search in used unallocated clusters.
- Extraction of lost clusters.
- Exclusive search in data extracted from lost clusters.
- Extraction of swap files.
- Exclusive search in data extracted from swap files.

Slide 63: CyberCheck Features (contd.)
- File search based on file extension.
- File search based on hash value.
- Exclusion of system files from the search space.
- Data recovery from deleted files, slack space, used unallocated clusters and lost clusters.
- Recovery of formatted partitions.
- Recovery of deleted partitions.
- Exporting files, folders and slack content.
- Exporting folder structure including file names into a file.
- Exporting files to an external viewer.

Slide 64: CyberCheck Features (contd.)
- Local preview of storage media.
- Network preview of storage media using a cross-over cable.
- Bookmarking of folders, files and data.
- Adding bookmarked items into the report.
- Restoration of storage media.
- Creating a raw image.
- Raw image analysis.
- Facility for viewing mailbox files of Microsoft Outlook Express, Microsoft Outlook, Eudora and Linux mail clients.

Slide 65: CyberCheck Features (contd.)
- Registry viewer.
- Hash set of system files.
- Identification of encrypted and password-protected files.
- Identification of steganographed image files.
- Generation of an analysis report with the following features: complete information of the evidence file system; complete information of the partitions and drive geometry; hash verification details; user login and logout information.

Slide 66: CyberCheck Features (contd.)
- Exported content of text files and slack information.
- Includes picture files as images.
- Saving report, search hits and bookmarked items for later use.
- Password protection of the report.
- Print report.

Password Cracking
GRID-enabled password cracker

Slide 68: Password cracking of ZIP files using GRID
(diagram; components labelled: GRID, GRID server, FSL, Police, Crime Cell, CBI, Internet, Cyber Forensics Lab)

Slide 69: Password cracking of ZIP files using GRID
1. Zipped file submission.
2. Server receives and distributes to GRID clients.
3. Clients compute and send results to the server.
4. GRID server sends results over the Internet.

Who's at the Keyboard? Biometrics
A software driver associated with the keyboard records the user's rhythm in typing. These rhythms are then used to generate a profile of the authentic user.

Who's at the Keyboard? Forensic Stylistics
A qualitative approach to authorship assesses errors and "idiosyncrasies" based on the examiner's experience. This approach could be quantified through databasing.

Who's at the Keyboard? Stylometry
A quantitative and computational method, focusing on readily computable and countable language features, e.g. word length, phrase length, sentence length, vocabulary frequency, and the distribution of words of different lengths.

Comparison between EnCase Version 6.0, FTK, and CyberCheck Suite
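The stylometry slide above, as an added example that is not part of the original presentation: it computes the countable features the slide names (word length, sentence length, vocabulary frequency, distribution of word lengths) for constructed known-author samples and a questioned text, and ranks the known authors by a simple distance. The texts, the feature weights and the histogram cap are assumptions for illustration; real authorship work uses far larger samples and many more features.

```python
import re
from collections import Counter

WORD_RE = re.compile(r"[A-Za-z']+")
SENTENCE_RE = re.compile(r"[.!?]+")
MAX_LEN = 15  # word-length histogram buckets 1..15; longer words share the last bucket

# Constructed samples (not real case material). Author A: short words, short
# sentences. Author B: long words, one long sentence.
KNOWN_SAMPLES = {
    "A": "I ran to the shop. I got milk. It was good. We sat and ate.",
    "B": ("Jurisprudential considerations regarding admissibility frequently "
          "necessitate comprehensive documentation throughout investigative procedures."),
}
QUESTIONED = "I saw the man. He had a bag. We ran fast."


def features(text):
    """Countable features of one text: mean word length, words per sentence,
    type-token ratio (vocabulary richness) and the word-length distribution."""
    words = WORD_RE.findall(text)
    sentences = [s for s in SENTENCE_RE.split(text) if s.strip()]
    if not words:
        raise ValueError("no words in text")
    lengths = [min(len(w), MAX_LEN) for w in words]
    hist = Counter(lengths)
    return {
        "mean_word_length": sum(lengths) / len(words),
        "words_per_sentence": len(words) / max(len(sentences), 1),
        "type_token_ratio": len({w.lower() for w in words}) / len(words),
        "length_distribution": [hist[n] / len(words) for n in range(1, MAX_LEN + 1)],
    }


def distance(f1, f2):
    """L1 distance between word-length distributions plus scaled differences in
    sentence length and vocabulary richness (weights are an assumption)."""
    dist = sum(abs(a - b) for a, b in zip(f1["length_distribution"], f2["length_distribution"]))
    dist += abs(f1["words_per_sentence"] - f2["words_per_sentence"]) / 20
    dist += abs(f1["type_token_ratio"] - f2["type_token_ratio"])
    return dist


def attribute(questioned, known):
    """Return (closest_author, {author: distance}) for a questioned text."""
    fq = features(questioned)
    scores = {name: distance(fq, features(sample)) for name, sample in known.items()}
    return min(scores, key=scores.get), scores


if __name__ == "__main__":
    best, scores = attribute(QUESTIONED, KNOWN_SAMPLES)
    for name, score in sorted(scores.items(), key=lambda kv: kv[1]):
        print("%s: distance %.3f" % (name, score))
    print("closest known author:", best)
```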
Slide 74: MULTI DIMENSIONAL CHALLENGES

Slide 75: TECHNICAL
- Ubiquity of computers: crimes occur in all jurisdictions
- Training law enforcement agencies becomes a challenge
- The technology revolution leads to newer systems, devices etc.

Slide 76: OPERATIONAL
- ALL DATA MUST BE GATHERED AND EXAMINED FOR EVIDENCE: GIGABYTES OF DATA; PROBLEMS OF STORAGE, ANALYSIS, PRESENTATION
- NO STANDARD SOLUTION AS YET

Slide 77: SOCIAL
- IT RESULTS IN UNCERTAINTIES ABOUT THE EFFECTIVENESS OF CURRENT INVESTIGATION TECHNIQUES
- SUB-OPTIMAL USE OF RESOURCES
- PRIVACY CONCERNS

Slide 78: LEGAL
- USES AND BOUNDARIES OF DIGITAL EVIDENCE IN LEGAL PROCEDURES STILL UNCLEAR
- CURRENT TOOLS AND TECHNIQUES NOT RIGOROUSLY USED / CONTESTED IN COURT

Slide 79: Challenges faced by Law Enforcement
Awareness: Technology is changing very rapidly, and cyber crimes are increasing with it, yet there is no proper awareness shared with regard to crime and the latest tools. People are so ignorant that it is effortless for cyber criminals to attack. People fear to report crimes, and some crimes are not properly recorded; the reason is that the victim is either scared of police harassment or of wrong media publicity. For minority and marginalised groups who already bear the brunt of media bias, reporting online harassment to the police may simply draw further unwanted attention. The public is not aware of the resources and services that law enforcement could provide them when they are a victim of crime or a witness.

Slide 80: Technical Issues
A large amount of storage space is required for storing the imaged evidence and also for storing the retrieved evidence after analysis. Retrieved evidence might contain documents, pictures, videos and audio files, which take up a lot of space. Technical issues can further be categorised into software and hardware issues.

Slide 81: Software and Hardware Issues
The growth of cyber crime has given rise to numerous forensic software vendors. The challenge is to choose among them: no single forensic tool solves the entire case, and there are loads of third-party tools available. So is the case with hardware tools; the most common and reliable h/w tool is the FRED. But when it comes to mobile forensics it is a challenge to decide the compatibility of different phones and which h/w to rely on.

Slide 82:
Recently China has been manufacturing mobile phones that have cloned IMEI numbers, which is a current challenge faced in mobile forensics.
Information sharing: Information sharing is a best practice and can be accomplished by a variety of means, such as interacting with industry groups, attending briefings, meetings, seminars and conferences, and working actively with forensic bodies like C-DAC.

Slide 83: Inadequate Training and Funds
Due to the growth of cyber forensic tools, law enforcement does not get adequate training and awareness on innovative tools. Training bodies are limited and pricey. There is insufficient funding to send officers for training and to invest in future enhancements. Transfers and the recruiting of officers add to the loss of experienced staff and the spending on training newcomers. Cases become pending in such circumstances.

Slide 84: Global Issues
Most of the IP addresses retrieved during investigation lead to servers or computers located abroad which have no identity; hence further investigations are blocked and closed. Correspondence with bodies such as Google, Yahoo and Hotmail is quite time consuming and prolongs the investigations.
Wireless or Wi-Fi, Bluetooth, Infrared Issues: The latest wireless technologies which provide internet connections are open to exploitation, especially when they are not secured. This is the present technology that terrorists and radical activists exploit. This is another vulnerability that law enforcement faces.

Slide 86: Future Course of Action
- Mumbai Cyber Lab is a joint initiative of Mumbai Police and NASSCOM; more exchange and coordination of this kind is needed
- More public awareness campaigns
- Training of police officers to effectively combat cyber crimes
- More cyber crime police cells set up across the country
- Effective e-surveillance
- Websites aid in creating awareness and encouraging the reporting of cyber crime cases
- Specialised training of forensic investigators and experts
- Active coordination between police and other law enforcement agencies and authorities is required

Slide 87: Do you have any question?

Slide 88: Thanks
Investigation of Cyber Crimes & Forens tabrezahmad Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINT lite Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 783 Category: Entertainment License: All Rights Reserved Like it (2) Dislike it (0) Added: June 26, 2010 This Presentation is Public Favorites: 1 Presentation Description Presentation By Dr. Tabrez Ahmad in Biju Pattnaik State Police Academy Bhubaneswar to train the DSPs in Cyber Crime Investigation and Cyber forensics Comments Posting comment... By: madhuyadav (14 month(s) ago) plz send me this ppt my mail id is: shashibhu2008@gmail.com thank u Saving..... Post Reply Close Saving..... Edit Comment Close By: tapaskumar (18 month(s) ago) plz send me this ppt my mail id is tapas.jitm@gmail.com Saving..... Post Reply Close Saving..... Edit Comment Close By: swadhi (19 month(s) ago) Request you to let me know how to download your presentations. Thanks and regards Saving..... Post Reply Close Saving..... Edit Comment Close By: advonaved (21 month(s) ago) Hi Sir, Myself Naved am an advocate from Delhi and studying cyber laws for professional enhancment. Request you to let me know how to download your presentations. Thanks and regards. Saving..... Post Reply Close Saving..... Edit Comment Close Premium member Presentation Transcript Session IIInvestigation of Cyber Crimes & Forensics : Biju Pattnaik State Police Academy Bhubaneswar By Dr. 
Tabrez Ahmad Associate Professor of Law www.site.technolexindia.com tabrezahmad7@gmail.com http://technolexindia.blogspot.com Session IIInvestigation of Cyber Crimes & Forensics Agenda : Agenda Saturday, June 26, 2010 2 The possible reliefs to a cybercrime victim and strategy adoption The preparation for prosecution Admissibility of digital evidence in courts Defending an accused in a computer related crime The techniques of cyber investigation and forensic tools Future course of action Possible reliefs to a cybercrime victim- strategy adoption : Possible reliefs to a cybercrime victim- strategy adoption A victim of cybercrime needs to immediately report the matter to his local police station and to the nearest cybercrime cell Depending on the nature of crime there may be civil and criminal remedies. In civil remedies , injunction and restraint orders may be sought, together with damages, delivery up of infringing matter and/or account for profits. In criminal remedies, a cybercrime case will be registered by police if the offence is cognisable and if the same is non cognisable, a complaint should be filed with metropolitan magistrate For certain offences, both civil and criminal remedies may be available to the victim Saturday, June 26, 2010 3 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com Before lodging a cybercrime case : Before lodging a cybercrime case Important parameters- Gather ample evidence admissible in a court of law Fulfill the criteria of the pecuniary ,territorial and subject matter jurisdiction of a court. Determine jurisdiction – case may be filed where the offence is committed or where effect of the offence is felt ( S. 177 to 179, CrPc) Saturday, June 26, 2010 4 Dr. 
Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com The criminal prosecution pyramid : The criminal prosecution pyramid 5 Preparation for prosecution : Preparation for prosecution Collect all evidence available & saving snapshots of evidence Seek a cyberlaw expert’s immediate assistance for advice on preparing for prosecution Prepare a background history of facts chronologically as per facts Pen down names and addresses of suspected accused. Form a draft of complaint and remedies a victim seeks Cyberlaw expert & police could assist in gathering further evidence e.g tracing the IP in case of e-mails, search & seizure or arrest as appropriate to the situation A cyber forensic study of the hardware/equipment/ network server related to the cybercrime is generally essential Saturday, June 26, 2010 6 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com Government Initiative : Government Initiative The Cyber Crime Investigation cell (CCIC) of the CBI, notified in September 1999, started functioning from 3 March 2000. It is located in New Delhi, Mumbai, Chennai and Bangalore. Jurisdiction of the cell is all over India. Any incident of the cyber crime can be reported to a police station, irrespective of whether it maintains a separate cell or not. The Indian Computer Emergency Response Team (CERT-In) : The Indian Computer Emergency Response Team (CERT-In) IT Amendment ACT 2008. “70A. (1) The Indian Computer Emergency Response Team (CERT-In) shall serve as the national nodal agency in respect of Critical Information Infrastructure for coordinating all actions relating to information security practices, procedures, guidelines, incident prevention, response and report. (2) For the purposes of sub-section (1), the Director of the Indian Computer Emergency Response Team may call for information pertaining to cyber security from the service providers, intermediaries or any other person. Saturday, June 26, 2010 8 Dr. 
Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com Slide 9: Cognizability and Bailability As per IT Amendment Act 2008 Offences which have not less than 3 years punishment are cognizable and bailable 9 Saturday, June 26, 2010 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com 9 Power of Police to Investigate : Power of Police to Investigate Saturday, June 26, 2010 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com 10 Section 156 Cr.P.C. : Power to investigate cognizable offences. Section 155 Cr.P.C. : Power to investigate non cognizable offences. Section 91 Cr.P.C. : Summon to produce documents. Section 160 Cr.P.C. : Summon to require attendance of witnesses. Power of Police to investigate (contd.) : Power of Police to investigate (contd.) Saturday, June 26, 2010 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com 11 Section 165 Cr.P.C. : Search by police officer. Section 93 Cr.P.C : General provision as to search warrants. Section 47 Cr.P.C. : Search to arrest the accused. Section 78 of IT Act, 2000 : Power to investigate offences-not below rank of Inspector. Section 80 of IT Act, 2000 : Power of police officer to enter any public place and search & arrest. Amendments- Indian Evidence Act 1872 : Amendments- Indian Evidence Act 1872 Section 3 of the Evidence Act amended to take care of admissibility of ER as evidence along with the paper based records as part of the documents which can be produced before the court for inspection. Section 4 of IT Act confers legal recognition to electronic records Saturday, June 26, 2010 12 Dr. 
Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com Societe Des products Nestle SA case 2006 (33 ) PTC 469 : Societe Des products Nestle SA case 2006 (33 ) PTC 469 By virtue of provision of Section 65A, the contents of electronic records may be proved in evidence by parties in accordance with provision of 65B. Held- Sub section (1) of section 65B makes admissible as a document, paper print out of electronic records stored in optical or magnetic media produced by a computer subject to fulfillment of conditions specified in subsection 2 of Section 65B . The computer from which the record is generated was regularly used to store or process information in respect of activity regularly carried on by person having lawful control over the period, and relates to the period over which the computer was regularly used. Information was fed in the computer in the ordinary course of the activities of the person having lawful control over the computer. The computer was operating properly, and if not, was not such as to affect the electronic record or its accuracy. Information reproduced is such as is fed into computer in the ordinary course of activity. State v Mohd Afzal, 2003 (7) AD (Delhi)1 Saturday, June 26, 2010 13 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com State v Navjot Sandhu (2005)11 SCC 600 : State v Navjot Sandhu (2005)11 SCC 600 Held, while examining Section 65 B Evidence Act, it may be that certificate containing details of subsection 4 of Section 65 is not filed, but that does not mean that secondary evidence cannot be given. Section 63 & 65 of the Indian Evidence Act enables secondary evidence of contents of a document to be adduced if original is of such a nature as not to be easily movable. Saturday, June 26, 2010 14 Dr. 
Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com Presumptions in law- Section 85 B Indian Evidence Act : Presumptions in law- Section 85 B Indian Evidence Act The law also presumes that in any proceedings, involving secure digital signature, the court shall presume, unless the contrary is proved, that the secure digital signature is affixed by the subscriber with the intention of signing or approving the electronic record In any proceedings involving a secure electronic record, the court shall presume, unless contrary is proved, that the secure electronic record has not been altered since the specific point of time, to which the secure status relates Saturday, June 26, 2010 15 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com Presumption as to electronic messages- Section 88A of Evidence Act : Presumption as to electronic messages- Section 88A of Evidence Act The court may treat electronic messages received as if they were sent by the originator, with the exception that a presumption is not to be made as to the person by whom such message was sent. It must be proved that the message has been forwarded from the electronic mail server to the person ( addressee ) to whom such message purports to have been addressed An electronic message is primary evidence of the fact that the same was delivered to the addressee on date and time indicated. Saturday, June 26, 2010 16 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com IT Amendment Act 2008-Section 79A : IT Amendment Act 2008-Section 79A Section 79A empowers the Central govt to appoint any department, body or agency as examiner of electronic evidence for proving expert opinion on electronic form evidence before any court or authority. 
Till now, government forensic lab of hyderabad was considered of evidentiary value in courts- CFSIL Statutory status to an agency as per Section 79A will be of vital importance in criminal prosecution of cybercrime cases in India Saturday, June 26, 2010 17 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com Probable activities for defense by an accused in a cybercrime case : Probable activities for defense by an accused in a cybercrime case Preparation of chain of events table Probing where evidence could be traced? E-mail inbox/files/folders/ web history Has the accused used any erase evidence software/tools Forensically screening the hardware/data/files /print outs / camera/mobile/pendrives of evidentiary value Formatting may not be a solution Apply for anticipatory bail Challenge evidence produced by opposite party and look for loopholes Filing of a cross complaint if appropriate Saturday, June 26, 2010 18 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com Sec 69: Decryption of information : Sec 69: Decryption of information Saturday, June 26, 2010 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com 19 Ingredients Controller issues order to Government agency to intercept any information transmitted through any computer resource. Order is issued in the interest of the sovereignty or integrity of India, the security of the State, friendly relations with foreign States, public order or preventing incitement for commission of a cognizable offence Person in charge of the computer resource fails to extend all facilities and technical assistance to decrypt the information-punishment upto 7 years. Sec 70 Protected System : Sec 70 Protected System Saturday, June 26, 2010 Dr. 
Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com 20 Ingredients Securing unauthorised access or attempting to secure unauthorised access to ‘protected system’ Acts covered by this section: Switching computer on / off Using installed software / hardware Installing software / hardware Port scanning Punishment Imprisonment up to 10 years and fine Cognizable, Non-Bailable, Court of Sessions Slide 21: Computer forensics is considered to be the use of analytical and investigative techniques to identify, collect, examine, preserve and present evidence or information which is magnetically stored or encoded A better definition for law enforcement would be the scientific method of examining and analyzing data from computer storage media so that the data can be used as evidence in court. Media = computers, mobile phones, PDA, digital camera, etc. Computer Forensics and Cyberforensics Saturday, June 26, 2010 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com 21 Slide 22: Handling of Evidences by Cyber Analysts Four major tasks for working with digital evidence Identify Collect, Observe & Preserve Analyze and Organize Verify Identify: Any digital information or artifacts that can be used as evidence. Collect, observe and preserve the evidence Analyze, identify and organize the evidence. Rebuild the evidence or repeat a situation to verify the same results every time. Checking the hash value. Saturday, June 26, 2010 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com 22 Incident Response – a precursor to Techniques of Cyber investigation & forensic tools : Incident Response – a precursor to Techniques of Cyber investigation & forensic tools ‘Incident response’ could be defined as a precise set of actions to handle any security incident in a responsible ,meaningful and timely manner. 
Goals of incident response- To confirm whether an incident has occurred To promote accumulation of accurate information Educate senior management Help in detection/prevention of such incidents in the future, To provide rapid detection and containment Minimize disruption to business and network operations To facilitate for criminal action against perpetrators Saturday, June 26, 2010 23 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com Six steps of Incident response : Six steps of Incident response Pre incident preparation Detection of incidents Initial response Investigate the incident Saturday, June 26, 2010 24 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com Techniques of cyber investigation- Cyber forensics : Techniques of cyber investigation- Cyber forensics Computer forensics, also called cyber forensics, is the application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it. Saturday, June 26, 2010 25 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com 6 A’s of digital forensics : 6 A’s of digital forensics Saturday, June 26, 2010 26 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com Rules of evidence : Rules of evidence Computer forensic components- Identifying Preserving Analysing Presenting evidence in a legally admissible manner Admissible Relevant Complete Reliable chain of custody Saturday, June 26, 2010 27 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com FBI handbook of forensic investigation-techniques for computer forensics : FBI handbook of forensic investigation-techniques for computer forensics Saturday, June 26, 2010 28 Dr. 
Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com Sources of Evidence : Sources of Evidence Existing Files Deleted Files Logs Special system files (registry etc.) Email archives, printer spools Administrative settings Internet History Chat archives Misnamed Files Encrypted Files / Password Protected files etc. Saturday, June 26, 2010 29 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com Cyberforensics in accounting frauds : Cyberforensics in accounting frauds Use of CAAT –computer assisted audit techniques-spreadsheets, excel, MS access Generalized audit software-PC based file interrogation software- IDEA,ACL Help detect fictitious suppliers, duplicate payments, theft of inventory Tender manipulation, secret commissions False financial reporting Expense account misuse Insider trading Saturday, June 26, 2010 30 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com Establishment and maintenance of ‘Chain of Custody : Establishment and maintenance of ‘Chain of Custody Tools required: - Evidence notebook - Tamper evident labels - Permanent ink pen - Camera Document the following: - Who reported the incident along with critical date and times - Details leading up to formal investigation - Names of all people conducting investigation - Establish and maintain detailed ‘activity log’ Saturday, June 26, 2010 31 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com Maintaining Chain Of Custody : Maintaining Chain Of Custody Take pictures of the evidence - Document ‘crime scene’ details Document identifiable markings on evidence Catalog the system contents Document serial numbers, model numbers, asset tags “Bag” it! Maintain Chain Of Custody on tamperproof evidence bag Take a picture! Saturday, June 26, 2010 32 Dr. 
Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com E-mail forensics : E-mail forensics E-mail composed of two parts- header and body Examine headers Request information from ISP Trace the IP Tools-Encase,FTK,Final email Sawmill groupwise Audimation for logging Cracking the password- brute force attack, smart search, dictionary search, date search, customised search, guaranteed decryption, plaintext attack Passware, ultimate zip cracker,office recovery enterprise,etc Saturday, June 26, 2010 33 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com Computer forensic analysis within the forensic tradition. : Computer forensic analysis within the forensic tradition. Alphonse Bertillon- [freezing the scene]: in 1879 introduce a methodical way of documenting the scene by photographing, for example, bodies, items, footprints, bloodstains in situ with relative measurements of location, position, and size Bertillon is thus the first known forensic photographer. Bertillonage : system of identifying individuals over 200 separate body measurements, was in use till 1910 and was only rendered obsolete by the discovery that fingerprints were unique. Saturday, June 26, 2010 34 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com Key Principal of Forensics : Key Principal of Forensics Edmond Locard articulated one of the forensic science’s key rules, known as Locard’s Exchange Principle. “The principle states that when two items or persons come into contact, there will be an exchange of physical traces. Something is brought, and something is taken away, so that suspects can be tied to a crime scene by detecting these traces”. Saturday, June 26, 2010 35 Dr. 
Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com Stakeholders: : Stakeholders: National security Custom & Excise Law enforcement agents Businesses (embezzlement, industrial espionage, stealing confidential information, and racial or sexual harassment). Corporate crime [according to report the accountants and auditors for Enron not only used e-mail to communicate but also subsequently deleted these e-mails] Saturday, June 26, 2010 36 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com Problems In Indian Context. : Problems In Indian Context. No Standard for Computer Forensic is yet developed. No Guidelines for Companies dealing with electronic data, during disputes. No recognition to any of the forensics tool. Issues related to anti-forensics are not talked about. ……………… Saturday, June 26, 2010 37 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com Over All Scenario : Over All Scenario To date, computer forensics has been primarily driven by vendors and applied technologies with very little consideration being given to establishing a sound theoretical foundation The national and international judiciary has already begun to question the ‘‘scientific’’ validity of many of the ad hoc procedures and methodologies and is demanding proof of some sort of theoretical foundation and scientific rigor. Saturday, June 26, 2010 38 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com CONTD.. : CONTD.. Commercial software tools are also a problem because software developers need to protect their code to prevent competitors from stealing their product. However, since most of the code is not made public, it is very difficult for the developers to verify error rates of the software, and so reliability of performance is still questionable. Saturday, June 26, 2010 39 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com CONTD.. : CONTD.. 
The specialized tools used by a computer forensic expert are viewed as intolerably expensive by many corporations, and as a result many corporations simply choose not to invest any meaningful money into computer forensics. This trend amplifies cyber crime rates Open source software’s were also not been tested or verified for the effectiveness to serve the above purposes (Open for research) Saturday, June 26, 2010 40 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com Legal Aspects : Legal Aspects Saturday, June 26, 2010 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com 41 The growing demand for security and certainty in cyber space leads to more stringent laws. The violation and maintaining of these laws (cyber laws) must be distinguished from classical criminal activities and criminal law enforcement. The dynamics between these different forms of law violation and law enforcement is important and shall be addressed. Computer Forensic Tools : Computer Forensic Tools Forensic Tool Kit: FTK is developed by Access Data Corporation (USA); it enables law enforcement and corporate security professionals to perform complete and in-depth computer forensic analysis. Main Window of FTK Saturday, June 26, 2010 42 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com TYPICAL TOOLS : TYPICAL TOOLS Saturday, June 26, 2010 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com 43 EMAIL TRACER TRUEBACK CYBERCHECK MANUAL Slide 44: Current and Emerging Cyber Forensic Tools of Law Enforcement Saturday, June 26, 2010 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com 44 Slide 45: ENCASE FORENSIC: Encase Forensic developed by Guidance Software USA is the industry standard in computer forensic investigation technology. 
With an intuitive Graphical User Interface (GUI), superior analytics, enhanced email/Internet support and a powerful scripting engine, EnCase provides investigators with a single robust tool, capable of conducting large-scale and very complex investigations from beginning to end. Main Window of Encase Saturday, June 26, 2010 45 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com Slide 46: Encase Forensic is very useful forensic solution but it lacks following important feature: In Encase forensic there is no password cracking/recovery facility. So if during investigation process the examiner detected any password protected files then he had to rely on third party tools. Saturday, June 26, 2010 46 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com EMAIL TRACER FORENSIC TOOL : EMAIL TRACER FORENSIC TOOL FEATURES OF EMAIL TRACER : FEATURES OF EMAIL TRACER Saturday, June 26, 2010 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com 48 Display of Actual Mail Content for Outlook Express, Eudora, MS Outlook and mail clients with MBOX mailbox. Display the Mail Content (HTML / Text) Display the Mail Attributes for Outlook Express. Display of extracted E-mail header information Save Mail Content as .EML file. Display of all Email attachments and Extraction. Display of E-mail route. IP trace to the sender’s system. Domain name look up. Display of geographical location of the sender’s gateway on a world map. Mail server log analysis for evidence collection. Access to Database of Country code list along with IP address information. EMAIL TRACING OVER WEB : AS A PRE-EMPTIVE TOOL EMAIL TRACING OVER WEB EMAIL TRACING SERVICE : EMAIL TRACING SERVICE Saturday, June 26, 2010 Dr. Tabrez ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com 50 Users can submit their tracing task to Email Tracer through web. 
- Tracing IP address up to city level (non-spoofed).
- Detection of spoofed mail.
- Detailed report.

SEIZURE & ACQUISITION TOOL: TRUEBACK

FEATURES OF TRUEBACK
- DOS application with event based windowing system.
- Self-integrity check.
- Minimum system configuration check.
- Extraction of system information.
- Three modes of operation: Seize, Acquire, Seize and Acquire.
- Disk imaging through parallel port.
- Disk imaging using network interface card.
- Block by block acquisition with data integrity check on each block.
- IDE/SCSI, USB, CD and floppy acquisition.
- Acquisition of floppies and CDs in batch mode.
- Write protection on all storage media except destination media.
- Checking for sterile destination media.
- Progress bar display on all modes of operation.
- Report generation on all modes of operation.
- BIOS and ATA mode acquisition.

ANALYSIS TOOL: CYBER CHECK

Cyber Check Suite: The IT Act 2000 is India's first attempt to combat cyber crime. To assist in the enforcement of the IT Act, the Department of Information Technology, Ministry of Communications and Information Technology, has set up a Technical Resource Centre for Cyber Forensics at C-DAC, Thiruvananthapuram. Cyber Check is a forensic analysis tool developed by C-DAC Thiruvananthapuram.
[Screenshot: Probe Window of Cyber Check Suite]
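TrueBack's block by block acquisition with a data integrity check on each block, together with its sterile-destination check, written out as an added Python example; this is not C-DAC's TrueBack code, and the 512-byte block size, the in-memory BytesIO "media" and the evidence bytes are constructed for the demonstration.

```python
import hashlib
import io

BLOCK_SIZE = 512  # assumed sector size of the constructed evidence media


def is_sterile(dest) -> bool:
    """Sterile-media check: every byte already on the destination is zero."""
    dest.seek(0)
    while chunk := dest.read(BLOCK_SIZE):
        if any(chunk):
            return False
    return True


def acquire(source, dest, block_size=BLOCK_SIZE):
    """Block-by-block copy of source onto dest with a read-back check per block.
    Returns (manifest of (index, length, sha256), sha256 of the whole image)."""
    if not is_sterile(dest):
        raise ValueError("destination media is not sterile")
    source.seek(0)
    dest.seek(0)
    manifest, overall, index = [], hashlib.sha256(), 0
    while chunk := source.read(block_size):
        digest = hashlib.sha256(chunk).hexdigest()
        dest.write(chunk)
        dest.seek(-len(chunk), io.SEEK_CUR)  # read back the block just written
        if hashlib.sha256(dest.read(len(chunk))).hexdigest() != digest:
            raise IOError(f"block {index} failed write verification")
        manifest.append((index, len(chunk), digest))
        overall.update(chunk)
        index += 1
    return manifest, overall.hexdigest()


def verify(image, manifest):
    """Re-hash each block of an image against its manifest; returns mismatched block indexes."""
    image.seek(0)
    return [i for i, length, digest in manifest
            if hashlib.sha256(image.read(length)).hexdigest() != digest]


def demo():
    """Constructed run: a 1283-byte 'drive' imaged onto a zero-filled 2048-byte destination."""
    evidence = bytes(range(256)) * 5 + b"END"  # constructed source media (blocks of 512, 512, 259)
    dest = io.BytesIO(bytes(2048))              # zero-filled, i.e. sterile
    manifest, image_hash = acquire(io.BytesIO(evidence), dest)
    image = dest.getvalue()[:len(evidence)]
    tampered = bytearray(image)
    tampered[600] ^= 0xFF                       # corrupt one byte inside block 1
    return manifest, image_hash, verify(io.BytesIO(image), manifest), verify(io.BytesIO(bytes(tampered)), manifest)


def demo_dirty_destination() -> bool:
    """Acquisition must refuse a destination that still holds data from an earlier case."""
    try:
        acquire(io.BytesIO(b"evidence"), io.BytesIO(b"leftover from last case"))
    except ValueError:
        return True
    return False
```

The per-block manifest is what lets a later examiner show exactly which block of an image has changed, rather than only that the whole-image hash no longer matches.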
CyberCheck - Features
- Standard Windows application.
- Self-integrity check.
- Minimum system configuration check.
- Analyses evidence files containing FAT12, FAT16, FAT32, NTFS and EXT2FS file systems.
- Analyses evidence files created by the following disk imaging tools: TrueBack, LinkMasster, Encase.
- User login facilities.

CyberCheck - Features (Contd.)
- Creates log of each analysis session and analyzing officer's details.
- Block by block data integrity verification while loading evidence file.
- Explorer type view of contents of the whole evidence file.
- Display of folders and files with all attributes.
- Show/Hide system files.
- Sorting of files based on file attributes.
- Text/Hex view of the content of a file.
- Picture view of an image file.
- Gallery view of images.

CyberCheck - Features (Contd.)
- Graphical representation of the following views of an evidence file: Disk view, Cluster view, Block view.
- Timeline view of: All files; Deleted files; Time anomaly files; Signature mismatched files; Files created within a time frame.

CyberCheck - Features (Contd.)
- Display of cluster chain of a file.
- Single and multiple keyword search.
- Extraction of disk, partition, file and MBR slacks.
- Exclusive search in slack space.
- Extraction of unused unallocated clusters and exclusion from search space.
- Exclusive search in used unallocated clusters.
- Extraction of lost clusters.
- Exclusive search in data extracted from lost clusters.
- Extraction of swap files.
- Exclusive search in data extracted from swap files.

CyberCheck - Features (Contd.)
- File search based on file extension.
- File search based on hash value.
- Exclusion of system files from search space.
- Data recovery from deleted files, slack space, used unallocated clusters and lost clusters.
- Recovery of formatted partitions.
- Recovery of deleted partitions.
- Exporting files, folders and slack content.
- Exporting folder structure including file names into a file.
- Exporting files to an external viewer.

CyberCheck - Features (Contd.)
- Local preview of storage media.
- Network preview of storage media using cross-over cable.
- Bookmarking of folders, files and data.
- Adding bookmarked items into report.
- Restoration of storage media.
- Creating raw image.
- Raw image analysis.
- Facility for viewing mailbox files of Microsoft Outlook Express, Microsoft Outlook, Eudora and Linux mail clients.

CyberCheck - Features (Contd.)
- Registry viewer.
- Hash set of system files.
- Identification of encrypted & password protected files.
- Identification of steganographed image files.
- Generation of analysis report with the following features: complete information of the evidence file system; complete information of the partitions and drive geometry; hash verification details; user login and logout information.

CyberCheck - Features (Contd.)
- Exported content of text file and slack information.
- Includes picture file as image.
- Saving report, search hits and bookmarked items for later use.
- Password protection of report.
- Print report.

PASSWORD CRACKING
GRID Enabled Password Cracker

Password cracking of ZIP files using grid
[Diagram: grid server connected over the Internet to FSL, police, crime cell, CBI and the cyber forensics lab]
1. Zipped file submission.
2. Server receives and distributes to grid clients.
3. Clients compute and send results to server.
4. Grid server sends results over Internet.

WHO'S AT THE KEYBOARD?

BIOMETRICS: A software driver associated with the keyboard records the user's rhythm in typing. These rhythms are then used to generate a profile of the authentic user.

FORENSIC STYLISTICS: A qualitative approach to authorship assesses errors and "idiosyncrasies" based on the examiner's experience. This approach could be quantified through databasing.

STYLOMETRY: A quantitative and computational method, focusing on readily computable and countable language features, e.g. word length, phrase length, sentence length, vocabulary frequency, distribution of words of different lengths.

Comparison between Encase Version 6.0, FTK, and Cyber Check Suite.
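The CyberCheck analysis features listed above (signature mismatched files, file search based on hash value, time anomaly files, files created within a time frame) as an added Python example; it is not C-DAC's code, and the signature table, the EvidenceFile records and the hash set are constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime

# Magic bytes for a few common types (constructed table; a real tool carries hundreds).
SIGNATURES = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n",
              "pdf": b"%PDF-", "zip": b"PK\x03\x04", "gif": b"GIF8"}


@dataclass
class EvidenceFile:           # hypothetical record of one file pulled from an evidence image
    path: str
    data: bytes
    created: datetime
    modified: datetime


def detected_type(data: bytes):
    """Type implied by the leading bytes, or None when no known signature matches."""
    return next((ext for ext, magic in SIGNATURES.items() if data.startswith(magic)), None)


def signature_mismatch(f: EvidenceFile) -> bool:
    """Extension claims a type whose magic bytes are absent (e.g. a ZIP renamed to .pdf)."""
    ext = f.path.rsplit(".", 1)[-1].lower() if "." in f.path else ""
    return ext in SIGNATURES and not f.data.startswith(SIGNATURES[ext])


def analyse(files, known_hashes, window=None):
    """CyberCheck-style checks over an evidence set.
    known_hashes: SHA-256 hex digests of files of interest (hash-set search).
    window: optional (start, end) datetimes for 'files created within a time frame'."""
    report = {"signature_mismatch": [], "hash_hit": [], "time_anomaly": [], "in_window": []}
    for f in files:
        if signature_mismatch(f):
            report["signature_mismatch"].append((f.path, detected_type(f.data)))
        if hashlib.sha256(f.data).hexdigest() in known_hashes:
            report["hash_hit"].append(f.path)
        if f.modified < f.created:   # modified before it existed: clock tampering or copy artefact
            report["time_anomaly"].append(f.path)
        if window and window[0] <= f.created <= window[1]:
            report["in_window"].append(f.path)
    return report


def demo():
    """Constructed evidence set; nothing here is read from a real disk."""
    t = datetime(2010, 6, 1)
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    files = [
        EvidenceFile("photos/holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 8, t, t),
        EvidenceFile("docs/invoice.pdf", b"PK\x03\x04" + b"\x00" * 8, t, t),          # ZIP renamed to .pdf
        EvidenceFile("docs/notes.txt", b"meeting at 10", t, t),                         # no signature to check
        EvidenceFile("cache/img042.png", png, datetime(2010, 6, 20), datetime(2010, 6, 20)),
        EvidenceFile("docs/report.doc", b"\xd0\xcf\x11\xe0", t, datetime(2009, 1, 1)),  # modified before created
    ]
    known = {hashlib.sha256(png).hexdigest()}                                            # constructed hash set
    return analyse(files, known, window=(datetime(2010, 6, 15), datetime(2010, 6, 30)))
```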
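The stylometry slide above, as an added Python example that is not from the presentation: it computes the countable features named there (word length, sentence length, vocabulary frequency, distribution of word lengths) and ranks candidate authors by distance to a questioned text; the writing samples and the mean-scaled Euclidean distance are assumptions of this example, not a method the slide specifies.

```python
import re
from collections import Counter
from math import sqrt


def profile(text: str) -> dict:
    """Countable features of the kind listed on the stylometry slide."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[a-z']+", text.lower())
    n = len(words)
    by_len = Counter(len(w) for w in words)
    return {
        "avg_word_len": sum(by_len[k] * k for k in by_len) / n,
        "avg_sentence_len": n / len(sentences),
        "type_token_ratio": len(set(words)) / n,                     # vocabulary richness
        "short_words": sum(c for k, c in by_len.items() if k <= 3) / n,
        "long_words": sum(c for k, c in by_len.items() if k >= 7) / n,
    }


def distance(a: dict, b: dict, scale: dict) -> float:
    """Euclidean distance after dividing each feature by its scale."""
    return sqrt(sum(((a[k] - b[k]) / scale[k]) ** 2 for k in a))


def attribute(questioned: str, candidates: dict) -> list:
    """Rank candidate authors by stylometric distance to the questioned text (closest first)."""
    profiles = {name: profile(t) for name, t in candidates.items()}
    q = profile(questioned)
    everything = [q, *profiles.values()]
    # scale each feature by its mean over all samples so sentence length does not swamp the ratios
    scale = {k: max(sum(p[k] for p in everything) / len(everything), 1e-9) for k in q}
    ranked = sorted((distance(q, p, scale), name) for name, p in profiles.items())
    return [(name, round(d, 3)) for d, name in ranked]


def demo():
    """Constructed writing samples; real attribution needs far larger samples than this."""
    candidates = {
        "A": "I got it. Sent the file. Call me when you can. It is fine. We can do it now. Thanks a lot.",
        "B": "Notwithstanding the considerable uncertainties surrounding the forthcoming procurement, "
             "the committee has nevertheless resolved to proceed, provided that the necessary "
             "documentation is furnished beforehand.",
    }
    questioned = "Got your mail. Will send it today. Let me know if it works. See you then."
    return attribute(questioned, candidates)
```

The result is a ranking, not a proof: a short message gives very few features, so a court-ready opinion would rest on many samples per candidate and on error rates measured for the chosen features.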
MULTI DIMENSIONAL CHALLENGES

TECHNICAL
- Ubiquity of computers: crimes occur in all jurisdictions.
- Training law enforcement agencies becomes a challenge.
- Technology revolution leads to newer systems, devices etc.

OPERATIONAL
- All data must be gathered and examined for evidence.
- Gigabytes of data: problems of storage, analysis, presentation.
- No standard solution as yet.

SOCIAL
- IT results in uncertainties about effectiveness of current investigation techniques.
- Sub optimal use of resources.
- Privacy concerns.

LEGAL
- Uses & boundaries of digital evidence in legal procedures still unclear.
- Current tools & techniques not rigorously used / contested in court.

Challenges faced by Law Enforcement

Awareness: Technology is changing very rapidly, and so does the increase in cyber crimes. No proper awareness is shared with regard to crime and the latest tools. People are so ignorant that it is effortless for cyber criminals to attack. People fear to report crimes and some crimes are not properly recorded. The reason behind this is that the victim is either scared of police harassment or wrong media publicity. For minority and marginalised groups who already bear the brunt of media bias, reporting online harassment to the police may simply draw further unwanted attention. The public is not aware of the resources and services that law enforcement could provide them if they are a victim of crime or a witness.
Technical Issues: A large amount of storage space is required for storing the imaged evidence and also for storing retrieved evidence after analysis. Retrieved evidence might contain documents, pictures, videos and audio files which take up a lot of space. Technical issues can further be categorised into software and hardware issues.

Software and Hardware Issues: The growth of cyber crime has given rise to numerous forensic software vendors. The challenge is to choose among them, and since no single forensic tool solves the entire case, there are loads of third party tools available. So is the case with hardware tools: the most common and reliable h/w tool is the FRED. But when it comes to mobile forensics it is a challenge to decide the compatibility of different phones and which h/w to rely on.

Recently China has been manufacturing mobile phones that have cloned IMEI numbers, which is a current challenge faced in mobile forensics.

Information sharing: Information sharing is a best practice and can be accomplished by a variety of means such as interacting with industry groups, attending briefings, meetings, seminars and conferences, and working actively with forensic bodies like CDAC.

Inadequate Training and Funds: Due to the growth of cyber forensic tools, law enforcement does not get adequate training and awareness on innovative tools. Training bodies are limited and are pricey. There is insufficient funding to send officers for training and to invest in future enhancements.
Transfers and recruiting of officers add to the loss of experienced staff and to spending on training the newcomers. Cases become pending in such circumstances.

Global Issues: Most of the IP addresses retrieved during investigation lead to servers or computers located abroad which have no identity; hence further investigations are blocked and closed. Correspondence with bodies such as Google, Yahoo and Hotmail is quite time consuming and prolongs the investigations.

Wireless or Wi-Fi, Bluetooth, Infrared Issues: The latest wireless technologies which provide internet connections invite exploitation, especially when they are not secured. This is the present technology that terrorists and radical activists exploit. This is another vulnerability that law enforcement faces.

Future Course of Action
- Mumbai Cyber Lab is a joint initiative of Mumbai police and NASSCOM; more exchange and coordination of this kind is needed.
- More public awareness campaigns.
- Training of police officers to effectively combat cyber crimes.
- More cyber crime police cells set up across the country.
- Effective e-surveillance.
- Websites aid in creating awareness and encouraging reporting of cyber crime cases.
- Specialised training of forensic investigators and experts.
- Active coordination between police and other law enforcement agencies and authorities is required.

Do you have any question?

Thanks