Cyberforensics

Category: Education

Presentation Description

Presentation by Dr. Tabrez Ahmad in Training to Deputy SPs Organised by Bureau of Police Research & Development Govt. of India

Comments

By: palamino (15 month(s) ago)

a great ppt...great job man..

Presentation Transcript

Cyber Forensics :

Cyber Forensics: Training to Deputy SPs, organised by the Bureau of Police Research & Development, Govt. of India
Dr. Tabrez Ahmad, Associate Professor of Law
www.site.technolexindia.com
tabrezahmad7@gmail.com
http://technolexindia.blogspot.com
Wednesday, Feb 03, 2010 (slide 1) Dr. Tabrez Ahmad, www.site.technolexindia.com, http://technolexindia.blogspot.com

Slide 3: Digital Revolution

Internet infrastructure in India
IT / ITES
BPO
Targeted broadband connections = 10 million (2010)

Agenda :

Background of Cyberlaw
Development of Internet regulation
Types of Cybercrimes
Computer viruses
Combating Cyber Crimes
New Scheme of Cybercrime Prevention, Control and Regulation
Vicarious Liability of ISPs and Govt.
Cases
Cyberforensics
Future course of action

Real-world & Virtual-world :

Current approaches evolved to deal with real-world crime.
Cybercrime occurs in a virtual world and therefore presents different issues.

Example : Theft :

Real-world theft: possession of property shifts completely from A to B, i.e., A had it, now B has it.
Theft in the virtual world (cyber-theft): property is copied, so A "has" it and so does B.

Development of Cyberlaw and need of regulation :

Internet for security: USA ARPANET
Internet for research
Internet for e-commerce
UNCITRAL Model Law 1996
I.T. Act 2000
Internet for e-governance
Internet regulation became a serious matter after the 9/11 attack on the World Trade Centre
US Patriot Act
I.T. Amendment Act 2008

Types of Cyber crimes :

Credit card frauds
Cyber pornography
Sale of illegal articles: narcotics, weapons, wildlife
Online gambling
Intellectual property crimes: software piracy, copyright infringement, trademark violations, theft of computer source code
Email spoofing
Forgery
Defamation
Cyber stalking (section 509 IPC)
Phishing
Cyber terrorism

Slide 10: Virus, Worms and Trojan attacks

Viruses are basically programs that attach themselves to a file, which then spreads them to other files and gradually to other computers in the network.
Worms, unlike viruses, do not need a host file to attach to; they make copies of themselves repeatedly, eating up all the memory of the computer.
Trojans are unauthorized programs that function from inside what seems to be an authorized program, thereby concealing what they are actually doing.

Computer Viruses :

A computer virus is a computer program that can infect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself. Note that a program does not have to perform outright damage (such as deleting or corrupting files) in order to be called a "virus".

Combating cyber crimes :

Technological measures: public key cryptography, electronic signatures, firewalls, honey pots.
Cyber investigation: computer forensics is the process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in courts of law. These rules of evidence include admissibility (in courts), authenticity (relation to the incident), completeness, reliability and believability.
Legal framework: laws & enforcement.

I.T. ACT, 2000: OBJECTIVES :

Different approaches for controlling, regulating and facilitating electronic communication and commerce.
Aim to provide legal infrastructure for e-commerce in India.
To provide legal recognition for e-transactions

OBJECTIVES (Contd.) :

carried out by means of electronic data interchange, and other means of electronic communication, commonly referred to as "electronic commerce", involving the use of alternatives to paper-based methods of communication and storage of information.
To facilitate electronic filing of documents with the Government agencies.
To amend the Indian Penal Code, the Indian Evidence Act, 1872, the Banker's Book Evidence Act, 1891 and the Reserve Bank of India Act, 1934.

GOVERNMENT – NSP?? :

Governments providing services on the network.
Governments are intermediaries: Sec 79 IT Act.
Under the IT Act, 2000, all Governments, Central and State, and all governmental bodies are "Network Service Providers".

Section 79 :

For the removal of doubts, it is hereby declared that no person providing any service as a network service provider shall be liable under this Act, rules or regulations made thereunder for any third party information or data made available by him if he proves that the offence or contravention was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such offence or contravention.

Network Service Providers: When Not Liable :

Explanation.—For the purposes of this section,—
(a) "network service provider" means an intermediary;
(b) "third party information" means any information dealt with by a network service provider in his capacity as an intermediary.

Transparency In E-governance :

Need for transparent e-governance.
Right To Information Act.
Government would now not be able to hide records concerning e-governance.

AUTHENTICATION OF ELECTRONIC RECORDS :

Any subscriber may authenticate an electronic record.
Authentication is by affixing his digital signature.
Any person, by the use of the public key of the subscriber, can verify the electronic record.

LEGALITY OF ELECTRONIC SIGNATURES :

Legal recognition of digital signatures.
Electronic Signatures not yet legal in India.
Certifying Authorities for Digital Signatures.
Scheme for Regulation of Certifying Authorities for Digital Signatures.

CONTROLLER OF CERTIFYING AUTHORITIES :

Shall exercise supervision over the activities of Certifying Authorities.
Lay down standards and conditions governing Certifying Authorities.
Specify various forms and content of Digital Signature Certificates.

DIGITAL SIGNATURES & ELECTRONIC RECORDS :

Use of Electronic Records and Electronic Signatures in Government Agencies.
Publication of rules and regulations in the Electronic Gazette.
MCA-21 Project: usage of Digital Signatures.

International initiatives :

Representatives from the 26 Council of Europe members, the United States, Canada, Japan and South Africa in 2001 signed a convention on cybercrime in efforts to enhance international cooperation in combating computer-based crimes. The Convention on Cybercrime, drawn up by experts of the Council of Europe, is designed to coordinate these countries' policies and laws on penalties for crimes in cyberspace, define the formula guaranteeing the efficient operation of the criminal and judicial authorities, and establish an efficient mechanism for international cooperation.
In 1997, the G-8 Ministers agreed to ten "Principles to Combat High-Tech Crime" and an "Action Plan to Combat High-Tech Crime."
Main objectives:
Create effective cyber crime laws
Handle jurisdiction issues
Cooperate in international investigations
Develop acceptable practices for search and seizure
Establish effective public/private sector interaction

Slide 24: Computer Related Crimes under IPC and Special Laws

Slide 25: Cognizability and Bailability

As per the IT Amendment Act 2008, offences which have not less than 3 years punishment are cognizable and bailable.

Power of Police to Investigate :

Section 156 Cr.P.C.: Power to investigate cognizable offences.
Section 155 Cr.P.C.: Power to investigate non-cognizable offences.
Section 91 Cr.P.C.: Summons to produce documents.
Section 160 Cr.P.C.: Summons to require attendance of witnesses.

Power of Police to investigate (contd.) :

Section 165 Cr.P.C.: Search by police officer.
Section 93 Cr.P.C.: General provision as to search warrants.
Section 47 Cr.P.C.: Search to arrest the accused.
Section 78 of IT Act, 2000: Power to investigate offences; not below the rank of Inspector.
Section 80 of IT Act, 2000: Power of police officer to enter any public place and search & arrest.

New Scheme of Cybercrime Prevention, Control and Regulation :

IT Amendment Act 2008, Sec. 70-B(1): Establishment of the Indian Computer Emergency Response Team, to serve as a national agency for incident response. It provides guidelines and may ask for information from intermediaries.
Sec. 70-B(8): No Court shall take cognizance of any offence under this section except on a complaint made by an officer authorised in this behalf by the agency referred to in Sub-sec (1).
Sec. 79-A: Central Govt. to notify an examiner of electronic evidence for expert opinion; the same will be a relevant fact.
Sec. 84-A: Central Govt. to provide modes or methods of encryption.
Sec. 78: Investigation can be made by a police officer not below the rank of Inspector.
Sec. 49: Composition of Cyber Appellate Tribunal.

Case Study- BPO Data Theft :

The recently reported case of a bank fraud in Pune, in which some ex-employees of the BPO arm of MPhasis Ltd, MsourcE, defrauded US customers of Citi Bank to the tune of Rs 1.5 crores, has raised concerns of many kinds, including the role of "Data Protection".

Case Study (contd.) :

The crime was obviously committed using "Unauthorized Access" to the "Electronic Account Space" of the customers. It is therefore firmly within the domain of "Cyber Crimes". The ITA-2000 is versatile enough to accommodate aspects of the crime not covered by the ITA-2000 itself but covered by other statutes, since any IPC offence committed with the use of "Electronic Documents" can be treated as a crime committed with "Written Documents". "Cheating", "Conspiracy", "Breach of Trust" etc. are therefore applicable in the above case in addition to the sections of the ITA-2000. Under the ITA-2000 the offence is recognized both under Section 66 and Section 43. Accordingly, the persons involved are liable for imprisonment and fine as well as liable to pay damages to the victims to the maximum extent of Rs 1 crore per victim, for which the "Adjudication Process" can be invoked.

Case Study (contd.) :

The BPO is liable for the lack of security that enabled the commission of the fraud as well as because of its vicarious responsibility for the ex-employees' involvement. The PINs were obtained while the persons were "Employees", and hence the organization is responsible for the crime. Some of the persons who assisted others in the commission of the crime, even though they may not be directly involved as beneficiaries, will also be liable under Section 43 of the ITA-2000. Under Section 79 and Section 85 of the ITA-2000, vicarious responsibilities are indicated both for the BPO and the Bank on the grounds of "Lack of Due Diligence". At the same time, if the crime is investigated in India under the ITA-2000, then the fact that the Bank was not using digital signatures for authenticating the customer instructions is a matter which would amount to gross negligence on the part of the Bank. (However, in this particular case, since the victims appear to be US citizens and the Bank itself is US based, the crime may come under the jurisdiction of the US courts and not Indian courts.)

Case Study- Case of Extortion of Money Through Internet :

The complainant received a threatening email demanding protection money from an unknown person claiming to be a member of the Halala Gang, Dubai. Police registered a case u/s. 384/506/511 IPC. The sender of the email used the email IDs xyz@yahoo.com & abc@yahoo.com and signed as Chengez Babar.

Case Study (contd.) :

Both email accounts were tracked, details were collected from the ISPs and the locations were identified. The cyber cafes from which the emails had been sent were monitored and the accused person was nabbed red-handed.

FIR NO 76/02 PS PARLIAMENT STREET :

Mrs. SONIA GANDHI RECEIVED THREATENING E-MAILS
E-MAIL FROM missonrevenge84@khalsa.com, missionrevenge84@hotmail.com
THE CASE WAS REFERRED
ACCUSED PERSON LOST HIS PARENTS DURING 1984 RIOTS

PM office computers attacked :

In the month of December 2009, PM office computers were attacked by Chinese hackers.
On the same day Google and other sites were also attacked by the Chinese hackers.

Threat mail to our CM :

Mr. Navin Pattanaik got a threat mail last week from a cybercafe in Bhubaneswar. Police traced the cybercafe, but no record had been maintained by the café owner.
2 days ago the email of Central University Koraput V C Mr. Banerjee was hacked and mail was sent to different officials. The police are still unable to identify the hackers.

Survey published in March 2003 - Incidence of Cyber crime in India :

Causes of non-reporting:
60% feared negative publicity
23% did not know the police were equipped to handle cyber crimes
9% feared further cyber attacks
8% had no awareness of cyber laws
False arrest concerns

The Information Technology (Amendment) Act, 2008 has come into force on 27th October, 2009. :

Almost nine years and 10 days after the birth of cyber laws in India, the new, improved cyber law regime in India has become a reality. The Information Technology Act initially came into force on 17th October 2000, based on the 1996 UNCITRAL Model Law of the UNO. Major changes to the IT Act 2000 have now come into force with effect from 27th October 2009. There are around 17 changes, and most of them relate to cyber crimes. The last decade has seen a spurt in crimes like cyber stalking and voyeurism, cyber pornography, email frauds, phishing and crimes through social networking. All these and more are severely dealt with under the new laws.

Some of the major modifications are: :

1. A special liability has been imposed on call centers, BPOs, banks and others who hold or handle sensitive personal data. If they are negligent in "implementing and maintaining reasonable security practices and procedures", they will be liable to pay compensation. It may be recalled that India's first major BPO-related scam was the multi-crore MphasiS-Citibank funds siphoning case in 2005. Under the new law, in such cases, the BPOs and call centers could also be made liable if they have not implemented proper security measures.
2. Compensation for cyber crimes like spreading viruses, copying data, unauthorised access, denial of service etc. is not restricted to Rs 1 crore anymore. The Adjudicating Officers will have jurisdiction for cases where the claim is up to Rs. 5 crore. Above that, the case will need to be filed before the civil courts.

Slide 40:

3. The offence of cyber terrorism has been specially included in the law. A cyber terrorist can be punished with life imprisonment.
4. Sending threatening emails and SMS is punishable with jail up to 3 years.
5. Publishing sexually explicit acts in electronic form is punishable with jail up to 3 years. This would apply to cases like the Delhi MMS scandal, where a video of a young couple having sex was spread through cell phones around the country.

Slide 41:

6. Voyeurism is now specifically covered. Acts like hiding cameras in changing rooms, hotel rooms etc. are punishable with jail up to 3 years. This would apply to cases like the infamous Pune spycam incident, where a 58-year-old man was arrested for installing spy cameras in his house to 'snoop' on his young lady tenants.
7. Cyber crime cases can now be investigated by Inspector-rank police officers. Earlier, such offences could not be investigated by an officer below the rank of a deputy superintendent of police.
8. Collecting, browsing, downloading etc. of child pornography is punishable with jail up to 5 years for the first conviction. For a subsequent conviction, the jail term can extend to 7 years. A fine of up to Rs 10 lakh can also be levied.

Slide 42:

9. The punishment for spreading obscene material by email, websites or SMS has been reduced from 5 years jail to 3 years jail. This covers acts like sending 'dirty' jokes and pictures by email or SMS.
10. Refusing to hand over passwords to an authorized official could land a person in prison for up to 7 years.
11. Hacking into a Government computer or website, or even trying to do so, is punishable with imprisonment up to 10 years.
12. Rules pertaining to section 52 (Salary, Allowances and Other Terms and Conditions of Service of Chairperson and Members),

Slide 43:

13. Rules pertaining to section 69 (Procedure and Safeguards for Interception, Monitoring and Decryption of Information),
14. Rules pertaining to section 69A (Procedure and Safeguards for Blocking for Access of Information by Public),
15. Rules pertaining to section 69B (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) and
16. Notification under section 70B for appointment of the Indian Computer Emergency Response Team.
17. Rules pertaining to section 54 (Procedure for Investigation of Misbehaviour or Incapacity of Chairperson and Members).

Slide 44: Computer Forensics and Cyberforensics

Computer forensics is considered to be the use of analytical and investigative techniques to identify, collect, examine, preserve and present evidence or information which is magnetically stored or encoded.
A better definition for law enforcement would be: the scientific method of examining and analyzing data from computer storage media so that the data can be used as evidence in court.
Media = computers, mobile phones, PDAs, digital cameras, etc.

Slide 45: Handling of Evidence by Cyber Analysts

Four major tasks for working with digital evidence:
Identify: any digital information or artifacts that can be used as evidence.
Collect, observe and preserve the evidence.
Analyze, identify and organize the evidence.
Verify: rebuild the evidence or repeat a situation to verify the same results every time; check the hash value.

MULTI DIMENSIONAL CHALLENGES :

WHY IS IT UNIQUE?

MULTI DIMENSIONAL CHALLENGE :

TECHNICAL
OPERATIONAL
SOCIAL
LEGAL

TECHNICAL :

TECHNOLOGY IS CHANGING RAPIDLY
CYBER CRIMES ARE ALSO CHANGING RAPIDLY
SYSTEMS AND CRIMES EVOLVE MORE RAPIDLY THAN THE TOOLS THAT EXAMINE THEM

Slide 49: TECHNOLOGY EVOLUTION

OBSOLESCENCE
NEWER DEVICES
NEW TOOLS
NEW METHODOLOGIES

Digital Evidence :

Criminals hide evidence:
Delete their files and emails
Hide their files by encryption, password protection, or embedding them in unrelated files (dll, os etc.)
Use Wi-Fi networks and cyber cafes to cover their tracks
Forensics uncover evidence:
Restore deleted files and emails – they are still really there!
Find the hidden files through complex password, encryption programs, and searching techniques
Track them down through the digital trail – IP addresses to ISPs to the offender
Not obvious... it's most likely hidden on purpose or needs to be unearthed by forensics experts

The Crime Scene (with Computer Forensics) :

Similar to traditional crime scenes:
Must acquire the evidence while preserving the integrity of the evidence
No damage during collection, transportation, or storage
Document everything
Collect everything the first time
Establish a chain of custody
But also different:
Can perform analysis of evidence on an exact copy!
Make many copies and investigate them without touching the original
Can use time stamping/hash code techniques to prove evidence hasn't been compromised

TECHNICAL :

Ubiquity of computers: crimes occur in all jurisdictions
Training law enforcement agencies becomes a challenge
Technology revolution leads to newer systems, devices etc.

OPERATIONAL :

ALL DATA MUST BE GATHERED AND EXAMINED FOR EVIDENCE
GIGABYTES OF DATA: PROBLEMS OF STORAGE, ANALYSIS, PRESENTATION
NO STANDARD SOLUTION AS YET

SOCIAL :

IT RESULTS IN UNCERTAINTIES ABOUT EFFECTIVENESS OF CURRENT INVESTIGATION TECHNIQUES
SUB-OPTIMAL USE OF RESOURCES
PRIVACY CONCERNS

LEGAL :

USES & BOUNDARIES OF DIGITAL EVIDENCE IN LEGAL PROCEDURES STILL UNCLEAR
CURRENT TOOLS & TECHNIQUES NOT RIGOROUSLY USED / CONTESTED IN COURT

TYPICAL TOOLS :

EMAIL TRACER
TRUEBACK
CYBERCHECK
MANUAL

Slide 57: Current and Emerging Cyber Forensic Tools of Law Enforcement

EMAIL TRACER FORENSIC TOOL :

FEATURES OF EMAIL TRACER :

Display of actual mail content for Outlook Express, Eudora, MS Outlook and mail clients with MBOX mailbox.
Display the mail content (HTML / Text).
Display the mail attributes for Outlook Express.
Display of extracted E-mail header information.
Save mail content as .EML file.
Display of all Email attachments and extraction.
Display of E-mail route.
IP trace to the sender's system.
Domain name look up.
Display of geographical location of the sender's gateway on a world map.
Mail server log analysis for evidence collection.
Access to database of country code list along with IP address information.

EMAIL TRACING OVER WEB :

AS A PRE-EMPTIVE TOOL

EMAIL TRACING SERVICE :

Users can submit their tracing task to Email Tracer through the web.
Tracing IP address up to city level (non-spoofed).
Detection of spoofed mail.
Detailed report.
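As an added illustration of the route display, IP trace and spoof detection listed on the Email Tracer slides (this is not code from Email Tracer or from the presentation), the Python below reads the delivery route out of the Received: headers of a constructed message that uses RFC 5737 documentation addresses; the hostnames, the header layout and the two spoofing heuristics are assumptions made for the example.

```python
import email
import re

# Constructed sample message. Received: headers are listed newest first,
# so the LAST one is the earliest hop, i.e. closest to the sender.
SAMPLE_MAIL = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx2.victim.example (mx2.victim.example [203.0.113.20])
    by inbox.victim.example with ESMTP id A1; Wed, 3 Feb 2010 10:05:00 +0530
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
    by mx2.victim.example with ESMTP id B2; Wed, 3 Feb 2010 10:04:50 +0530
Received: from user-pc (unknown [192.0.2.45])
    by relay.isp.example with SMTP id C3; Wed, 3 Feb 2010 10:04:40 +0530
From: "Helpdesk" <helpdesk@bank.example.com>
To: complainant@victim.example
Subject: Account notice
Date: Wed, 3 Feb 2010 10:04:30 +0530

Please confirm your details.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # address the receiving server recorded
FROM_RE = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)  # name the sending host announced
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)        # server that added this header


def email_route(raw):
    """Return the delivery route as a list of hops, earliest hop first.

    Only the bracketed IP is observed by the receiving server itself; the
    'from' name is whatever the sender announced and may be false, which is
    why tracing works from the recorded IP and not from the announced name."""
    msg = email.message_from_string(raw)
    hops = []
    for line in reversed(msg.get_all("Received", [])):   # earliest first
        text = " ".join(line.split())                     # unfold continuation lines
        ip, frm, by = IP_RE.search(text), FROM_RE.search(text), BY_RE.search(text)
        hops.append({
            "from": frm.group(1) if frm else None,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
        })
    return hops


def origin_ip(raw):
    """IP recorded at the first hop: the address for which subscriber details
    would be requested from the ISP under the procedure on the earlier slides."""
    hops = email_route(raw)
    return hops[0]["ip"] if hops else None


def domain_of(addr):
    """Domain part of an address such as '"Name" <user@host>'."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else None


def spoof_indicators(raw):
    """Heuristic signs that the visible From: line may be forged.

    An envelope sender (Return-Path) in a different domain from From:, or a
    first hop that is not a host of the From: domain, does not prove spoofing
    on its own, but it means the From: line should be treated as unverified
    and the origin IP, not the displayed sender, should drive the trace."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    ret_dom = domain_of(msg.get("Return-Path"))
    hops = email_route(raw)
    indicators = []
    if ret_dom and from_dom and ret_dom != from_dom:
        indicators.append(f"Return-Path domain {ret_dom} differs from From domain {from_dom}")
    first = hops[0]["from"] if hops else None
    if first and from_dom and not first.endswith(from_dom):
        indicators.append(f"first hop '{first}' is not a {from_dom} host")
    return indicators
```

Only the bracketed IPs and the "by" hosts are worth relying on; a real report would also note that any Received: line the sender wrote before handing the message to the first relay is under the sender's control.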

SEIZURE & ACQUISITION TOOL: TRUEBACK :

FEATURES OF TRUE BACK :

DOS application with event-based windowing system.
Self-integrity check.
Minimum system configuration check.
Extraction of system information.
Three modes of operation:
- Seize
- Acquire
- Seize and Acquire

Slide 67:

Disk imaging through parallel port.
Disk imaging using network interface card.
Block-by-block acquisition with data integrity check on each block.
IDE/SCSI, USB, CD and floppy acquisition.
Acquisition of floppies and CDs in batch mode.
Write protection on all storage media except destination media.
Checking for sterile destination media.
Progress bar display on all modes of operation.
Report generation on all modes of operation.
BIOS and ATA mode acquisition.
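An added example, not TrueBack's own code, showing what the block-by-block acquisition with a per-block integrity check and the sterile-destination check on this slide amount to, and how the hash values recorded at acquisition later prove (slides 45 and 51) that a working copy is still the seized data; the 512-byte block size and the in-memory "disk" are assumptions made for the example.

```python
import hashlib
import io

BLOCK_SIZE = 512  # sector-sized blocks; assumed, TrueBack's block size is not stated on the slides


def is_sterile(dest, size):
    """True if the first `size` bytes of the destination are all zero (or absent).
    Imaging onto wiped media ensures no residue from an earlier case can be
    mistaken for evidence from this one."""
    dest.seek(0)
    remaining = size
    while remaining > 0:
        chunk = dest.read(min(BLOCK_SIZE, remaining))
        if not chunk:
            break            # destination shorter than the image: nothing old there
        if any(chunk):
            return False
        remaining -= len(chunk)
    return True


def acquire(source, dest):
    """Copy the source block by block onto a sterile destination.

    Each block is hashed as it is read and re-hashed after it is written, so a
    read or write fault is detected at that block instead of surfacing later in
    court. Returns the acquisition report: per-block digests plus the digest of
    the whole image, which is what gets recorded in the seizure paperwork."""
    source.seek(0, io.SEEK_END)
    size = source.tell()
    if not is_sterile(dest, size):
        raise ValueError("destination media is not sterile; wipe it before acquisition")
    source.seek(0)
    dest.seek(0)
    block_hashes = []
    whole = hashlib.sha256()
    while True:
        block = source.read(BLOCK_SIZE)
        if not block:
            break
        digest = hashlib.sha256(block).hexdigest()
        dest.write(block)
        dest.seek(-len(block), io.SEEK_CUR)          # read back what was just written
        if hashlib.sha256(dest.read(len(block))).hexdigest() != digest:
            raise IOError(f"write verification failed at block {len(block_hashes)}")
        block_hashes.append(digest)
        whole.update(block)
    return {"block_size": BLOCK_SIZE, "blocks": block_hashes, "sha256": whole.hexdigest()}


def verify(image, report):
    """Re-hash a copy against the acquisition report. Returns the numbers of the
    blocks that no longer match; an empty list means the copy is still exactly
    the seized data, and a non-empty one says where it differs."""
    image.seek(0)
    mismatched = []
    for i, expected in enumerate(report["blocks"]):
        block = image.read(report["block_size"])
        if hashlib.sha256(block).hexdigest() != expected:
            mismatched.append(i)
    return mismatched


def demo():
    """Constructed scenario: a three-sector 'disk' is imaged onto sterile media, a
    working copy verifies clean, a copy altered in sector 1 is caught, and a
    reused (non-zero) destination is reported as not sterile."""
    disk = io.BytesIO(b"boot sector".ljust(BLOCK_SIZE, b"\0")
                      + b"document text".ljust(BLOCK_SIZE, b"A")
                      + b"slack".ljust(BLOCK_SIZE, b"\0"))
    media = io.BytesIO()
    report = acquire(disk, media)
    altered = bytearray(media.getvalue())
    altered[BLOCK_SIZE + 10] ^= 0xFF                    # one byte changed inside block 1
    return {
        "blocks": len(report["blocks"]),
        "clean": verify(io.BytesIO(media.getvalue()), report),
        "tampered": verify(io.BytesIO(bytes(altered)), report),
        "reused_media_sterile": is_sterile(io.BytesIO(b"\x01" * BLOCK_SIZE), BLOCK_SIZE),
    }
```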

ANALYSIS TOOL: CYBER CHECK :

Slide 69: CyberCheck - Features

Standard Windows application.
Self-integrity check.
Minimum system configuration check.
Analyses evidence files containing FAT12, FAT16, FAT32, NTFS and EXT2FS file systems.
Analyses evidence files created by the following disk imaging tools: TrueBack, LinkMasster, Encase.
User login facilities.

Slide 70: CyberCheck – Features (Contd.)

Creates a log of each analysis session and the analyzing officer's details.
Block-by-block data integrity verification while loading the evidence file.
Explorer-type view of the contents of the whole evidence file.
Display of folders and files with all attributes.
Show/hide system files.
Sorting of files based on file attributes.
Text/Hex view of the content of a file.
Picture view of an image file.
Gallery view of images.

Slide 71: CyberCheck – Features (Contd.)

Graphical representation of the following views of an evidence file:
Disk view.
Cluster view.
Block view.
Timeline view of:
All files
Deleted files
Time anomaly files
Signature mismatched files
Files created within a time frame
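An added example (not CyberCheck's code) of how the "signature mismatched" and "time anomaly" views on this slide are produced: each file's extension is compared with its leading bytes, and its timestamps are compared with one another and with the acquisition time. The signature table and the directory entries are constructed for the example.

```python
from datetime import datetime

# Leading bytes ("magic numbers") for a few common types. Constructed for this
# example; an examiner's real signature table is far larger.
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"], "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],
    "exe": [b"MZ"], "dll": [b"MZ"],
}


def identify(header):
    """Extensions whose signature matches the first bytes of the file."""
    return {ext for ext, magics in SIGNATURES.items()
            if any(header.startswith(m) for m in magics)}


def signature_mismatch(name, header):
    """True when the extension claims a known type but the bytes say otherwise.
    Unknown extensions are not flagged: absence of a signature is not evidence."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in SIGNATURES and ext not in identify(header)


def time_anomalies(created, modified, accessed, imaged_at):
    """Timestamp relations that merit a second look. Modified-before-created is
    the usual trace of a file copied in from elsewhere, so it points to the
    file's origin rather than proving tampering on its own."""
    reasons = []
    if modified < created:
        reasons.append("modified before created (file probably copied in from elsewhere)")
    if accessed < created:
        reasons.append("accessed before created")
    if max(created, modified, accessed) > imaged_at:
        reasons.append("timestamp later than the acquisition time (clock tampering or a wrong system clock)")
    return reasons


def triage(entries, imaged_at):
    """Return {file name: [reasons]} for every entry needing the examiner's attention."""
    findings = {}
    for e in entries:
        reasons = []
        if signature_mismatch(e["name"], e["header"]):
            looks_like = ",".join(sorted(identify(e["header"]))) or "unknown"
            reasons.append(f"signature mismatch: content looks like {looks_like}")
        reasons += time_anomalies(e["created"], e["modified"], e["accessed"], imaged_at)
        if reasons:
            findings[e["name"]] = reasons
    return findings


# Constructed directory listing, as it might be read out of an evidence file.
IMAGED_AT = datetime(2010, 2, 3, 9, 0)
SAMPLE_ENTRIES = [
    {"name": "holiday.jpg", "header": b"\xff\xd8\xff\xe0\x00\x10JFIF",
     "created": datetime(2009, 12, 1, 10, 0), "modified": datetime(2009, 12, 1, 10, 0),
     "accessed": datetime(2010, 1, 15, 8, 30)},
    {"name": "invoice.pdf", "header": b"MZ\x90\x00\x03\x00",       # an executable renamed .pdf
     "created": datetime(2010, 1, 10, 9, 0), "modified": datetime(2010, 1, 12, 9, 0),
     "accessed": datetime(2010, 1, 12, 9, 5)},
    {"name": "notes.txt", "header": b"Meeting at 10",             # no known signature: not flagged
     "created": datetime(2010, 1, 2, 9, 0), "modified": datetime(2010, 1, 3, 9, 0),
     "accessed": datetime(2010, 1, 3, 9, 0)},
    {"name": "report.doc", "header": b"\xd0\xcf\x11\xe0",         # dated after the imaging
     "created": datetime(2010, 2, 5, 9, 0), "modified": datetime(2010, 2, 5, 9, 0),
     "accessed": datetime(2010, 2, 5, 9, 0)},
    {"name": "photo.png", "header": b"\xff\xd8\xff\xe1",          # JPEG bytes under a .png name, copied in
     "created": datetime(2010, 1, 20, 9, 0), "modified": datetime(2010, 1, 5, 9, 0),
     "accessed": datetime(2010, 1, 20, 9, 0)},
]


def run_triage():
    """Triage the constructed listing against the constructed acquisition time."""
    return triage(SAMPLE_ENTRIES, IMAGED_AT)
```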

Slide 72: CyberCheck – Features (Contd.)

Display of the cluster chain of a file.
Single and multiple keyword search.
Extraction of disk, partition, file and MBR slacks.
Exclusive search in slack space.
Extraction of unused unallocated clusters and exclusion from search space.
Exclusive search in used unallocated clusters.
Extraction of lost clusters.
Exclusive search in data extracted from lost clusters.
Extraction of swap files.
Exclusive search in data extracted from swap files.

Slide 73: 

CyberCheck - Features (Contd.)
- File search based on file extension.
- File search based on hash value.
- Exclusion of system files from the search space.
- Data recovery from deleted files, slack space, used unallocated clusters and lost clusters.
- Recovery of formatted partitions.
- Recovery of deleted partitions.
- Exporting files, folders and slack content.
- Exporting the folder structure, including file names, into a file.
- Exporting files to an external viewer.

Slide 74: 

CyberCheck - Features (Contd.)
- Local preview of storage media.
- Network preview of storage media using a cross-over cable.
- Bookmarking of folders, files and data.
- Adding bookmarked items to the report.
- Restoration of storage media.
- Creating a raw image.
- Raw image analysis.
- Facility for viewing mailbox files of Microsoft Outlook Express, Microsoft Outlook, Eudora and Linux mail clients.

Slide 75: 

CyberCheck - Features (Contd.)
- Registry viewer.
- Hash set of system files.
- Identification of encrypted and password-protected files.
- Identification of steganographed image files.
- Generation of an analysis report with the following features:
  - Complete information on the evidence file system.
  - Complete information on the partitions and drive geometry.
  - Hash verification details.
  - User login and logout information.

Slide 76: 

CyberCheck - Features (Contd.)
  - Exported content of text files and slack information.
  - Includes picture files as images.
- Saving the report, search hits and bookmarked items for later use.
- Password protection of the report.
- Printing the report.

ISSUES AHEAD.. &.. TECHNOLOGY BEHIND.. : 

ISSUES AHEAD.. &.. TECHNOLOGY BEHIND..

CASE #4 : 

CASE #4: A young girl had been involved in a series of sexually explicit exchanges via an instant messenger system and email. Upon investigation, the perpetrator was tracked to the home of a 50-year-old prominent local physician. The computers seized from the physician's house had a 240 GB hard disk each, full of files.

ISSUE #1 : 

ISSUE #1: How to get convincing leads to go ahead with the case in a short time, from among the overload of available material.

ADVANCED CONCEPT SEARCH : 

ADVANCED CONCEPT SEARCH

ISSUE #2 : 

ISSUE #2: The computers contained many password-protected/encrypted files. How to get into these files in a short time.

PASSWORD CRACKING : 

PASSWORD CRACKING: Grid-enabled password cracker

Slide 83: 

[Diagram: Password cracking of ZIP files using grid. Nodes shown: grid, grid server, FSL, police, crime cell, CBI, internet, cyber forensics lab.]

Slide 84: 

[Diagram (continued): Password cracking of ZIP files using grid, with the same nodes: grid, grid server, FSL, police, crime cell, CBI, internet.]
1. Zipped file submission.
2. Server receives the file and distributes it to grid clients.
3. Clients compute and send results to the server.
4. Grid server sends results over the internet.

ISSUE #3 : 

ISSUE #3: However, the case took a twist when it came to light that the doctor's 13-year-old son and 15-year-old nephew had also been using the doctor's account. Who was at the keyboard then?

WHO’S AT THE KEYBOARD? : 

WHO'S AT THE KEYBOARD? BIOMETRICS: A software driver associated with the keyboard records the user's typing rhythm. These rhythms are then used to generate a profile of the authentic user.

WHO’S AT THE KEYBOARD? : 

WHO'S AT THE KEYBOARD? FORENSIC STYLISTICS: A qualitative approach to authorship that assesses errors and "idiosyncrasies" based on the examiner's experience. This approach could be quantified through databasing.

WHO’S AT THE KEYBOARD? : 

WHO'S AT THE KEYBOARD? STYLOMETRY: A quantitative, computational method focusing on readily computable and countable language features, e.g. word length, phrase length, sentence length, vocabulary frequency, and the distribution of words of different lengths.
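The countable features just listed can be turned into a simple authorship comparison. This is an added example, not from the presentation or from any real case: the feature set, the distance measure and the writing samples for authors "A" and "B" are constructed for the demonstration.

```python
import re
from math import sqrt

WORD_RE = re.compile(r"[A-Za-z']+")
SENTENCE_RE = re.compile(r"[.!?]+")
COMPARE_KEYS = ("avg_word_len", "avg_sent_len", "type_token", "short", "medium", "long")

def features(text: str) -> dict:
    # Countable features of the kind the slide lists: word length, sentence
    # length, vocabulary richness and the distribution of word lengths.
    words = WORD_RE.findall(text.lower())
    sentences = [s for s in SENTENCE_RE.split(text) if s.strip()]
    n = len(words)
    if n == 0:
        raise ValueError("no words to analyse")
    lengths = [len(w) for w in words]
    return {
        "words": n,
        "sentences": len(sentences),
        "avg_word_len": sum(lengths) / n,
        "avg_sent_len": n / len(sentences),
        "type_token": len(set(words)) / n,           # distinct words / all words
        "short": sum(L <= 3 for L in lengths) / n,    # word-length distribution
        "medium": sum(4 <= L <= 6 for L in lengths) / n,
        "long": sum(L >= 7 for L in lengths) / n,
    }

def distance(a: dict, b: dict) -> float:
    # Relative difference per feature, so sentence length (tens) does not
    # swamp the ratio-valued features (fractions of one).
    total = 0.0
    for k in COMPARE_KEYS:
        s = a[k] + b[k]
        total += ((a[k] - b[k]) / s) ** 2 if s else 0.0
    return sqrt(total)

def closest_author(questioned: str, known: dict) -> str:
    # Rank the known writing samples by stylometric distance to the questioned text.
    q = features(questioned)
    return min(known, key=lambda name: distance(q, features(known[name])))

# Constructed writing samples (not from any real case): "A" writes in short
# words and short sentences, "B" in long words and long sentences.
KNOWN = {
    "A": "I saw it. It was big. We ran home fast. Mum said no. I did not go out. It is ok now.",
    "B": "The examination of the questioned correspondence revealed considerable consistency in vocabulary selection, particularly regarding formal constructions. Furthermore, the distribution of sentence lengths suggested a deliberate, methodical composition process throughout.",
}
QUESTIONED = "Subsequent analysis demonstrated comparable characteristics, notably the preference for elaborate subordinate clauses and extended terminology. Consequently, the examiner considered the stylistic resemblance substantial."
```

`closest_author(QUESTIONED, KNOWN)` returns "B"; with samples this short the result is only indicative, and real examinations need far more text per candidate before such a ranking carries weight.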

REAL CYBER FORENSIC CHALLENGE IS YET TO COME.. : 

REAL CYBER FORENSIC CHALLENGE IS YET TO COME...

Slide 90: 

Challenges faced by Law Enforcement
Awareness: Technology is changing very rapidly, and so is the number of cyber crimes, yet no proper awareness is shared with regard to crime and the latest tools. People are so ignorant that it is effortless for cyber criminals to attack. People fear to report crimes, and some crimes are not properly recorded; the reason behind this is that the victim is either scared of police harassment or of adverse media publicity. For minority and marginalised groups, who already bear the brunt of media bias, reporting online harassment to the police may simply draw further unwanted attention. The public is not aware of the resources and services that law enforcement could provide to them as a victim of, or witness to, a crime.

Slide 91: 

Technical Issues: A large amount of storage space is required for storing the imaged evidence and also for storing the retrieved evidence after analysis. Retrieved evidence might contain documents, pictures, videos and audio files, which take up a lot of space. Technical issues can further be categorised into software and hardware issues.

Slide 92: 

Software and Hardware Issues: The growth of cyber crime has given rise to numerous forensic software vendors. The challenge is to choose among them: no single forensic tool solves the entire case, and there are loads of third-party tools available. So is the case with hardware tools; the most common and reliable h/w tool is the FRED. But when it comes to mobile forensics it is a challenge to decide the compatibility of different phones and which h/w to rely on.

Future Course of Action : 

Future Course of Action: Recently China has been manufacturing mobile phones that have cloned IMEI numbers, which is a current challenge faced in mobile forensics. Information sharing: Information sharing is a best practice and can be accomplished by a variety of means, such as interacting with industry groups, attending briefings, meetings, seminars and conferences, and working actively with forensic bodies like CDAC.

Slide 94: 

Inadequate Training and Funds: Due to the growth of cyber forensic tools, law enforcement does not get adequate training and awareness on innovative tools. Training bodies are limited and pricey. There is insufficient funding to send officers for training and to invest in future enhancements. Transfers and the recruitment of officers add to the loss of experienced staff and to the spending on training newcomers. Cases become pending in such circumstances.

Slide 95: 

Global Issues: Most of the IP addresses retrieved during an investigation lead to servers or computers located abroad which have no identity; hence further investigation is blocked and closed. Correspondence with bodies such as Google, Yahoo and Hotmail is quite time consuming and prolongs investigations.
Wireless (Wi-Fi), Bluetooth and Infrared Issues: The latest wireless technologies that provide internet connections invite exploitation, especially when they are not secured. This is the present technology that terrorists and radical activists exploit. This is another vulnerability that law enforcement faces.

Future Course of Action (Contd.) : 

Future Course of Action (Contd.)
- Mumbai Cyber Lab is a joint initiative of Mumbai Police and NASSCOM; more exchange and coordination of this kind is needed.
- More public awareness campaigns.
- Training of police officers to effectively combat cyber crimes.
- More cyber crime police cells set up across the country.
- Effective e-surveillance.
- Websites aid in creating awareness and encouraging the reporting of cyber crime cases.
- Specialised training of forensic investigators and experts.
- Active coordination between police and other law enforcement agencies and authorities is required.

Do you have any question? : 

Do you have any questions?

Slide 98: 

Thanks