Cyber Crime Investigation And Cyber Forensic

  • May 2020
  • PDF

Cyber Crime Investigation and Forensics

A PROJECT REPORT

ON

CYBER CRIME INVESTIGATION AND FORENSICS

Contents:

CYBER CRIME INVESTIGATION
  What Is Cyber Crime
    Examples Include
    Definition
  Reasons For Cyber Crime
    Capacity To Store Data In Comparatively Small Space
    Easy To Access
    Complex
    Negligence
    Loss Of Evidence
  Cyber Criminals
    Children And Adolescents Between The Age Group Of 6 – 18 Years
    Organized Hackers
    Professional Hackers / Crackers
    Discontented Employees
  Mode And Manner Of Committing Cyber Crime
    Unauthorized Access To Computer Systems Or Networks / Hacking
    Theft Of Information Contained In Electronic Form
    Email Bombing
    Data Diddling
    Salami Attacks
    Denial Of Service Attack
    Virus / Worm Attacks
    Logic Bombs
    Trojan Attacks
    Internet Time Thefts
    Web Jacking
  Understand The Fundamentals
  Classification Of Cyber Crime
    Computer As Target
    Computer As An Instrumentality
    Computer As An Incidental Or Other Crime
    Crime Associated With The Prevalence Of Computers
  Why Learn About Cyber Crime
  Types Of Cyber Crime
  Email Related Crime
  Case Studies
    Case No.1
    Case No.2
    Case No.3
    Case No.4
  Characteristics Of Computer Crime
  Prevention Of Cyber Crime
  Questionnaire
  Relevance Of Evidence
  Indian Evidence Act (Amended)
  When Oral Admission As To Contents Of Electronic Records Are Relevant
  Opinion As To Digital Signature Where Relevant
  Proof As To Digital Signature
  Proof As To Verification Of Digital Signature
  Admissibility Of Electronic Records
  Presumption As To Electronic Records And Digital Signatures
  Presumption As To Electronic Messages
  Presumption As To Electronic Records Five Years Old
  Recent Amendments
  Important Amendments To IT Act
  Cyber Terrorism Is Defined In Section 66F
  Important Amendments To IPC
  Important Amendments To CRPC
  Our Analysis
  Conclusion
  Establishment of PUNE cyber cell

FORENSICS
  What Is Cyber Forensics
  Different Types Of Storage Media
  Electronic Evidence Precautions
  Computer Forensics
  Electronic Evidence Considerations
  Incident Response
  Collecting Volatile Data
  Imaging Electronic Media (Evidence)
  Forensic Analysis
  Reasons for Evidence
  Evidence Processing Guidelines
  Conclusion

What is Cyber crime?

Criminal activity that utilizes a computer or computer network as an element. Cyber crime is the latest and perhaps the most complicated problem in the cyber world. “Cyber crime may be said to be those species, of which, genus is the conventional crime, and where either the computer is an object or subject of the conduct constituting crime.”

Crime is a social and economic phenomenon and is as old as human society. Crime is a legal concept and has the sanction of the law. Crime or an offence is “a legal wrong that can be followed by criminal proceedings which may result into punishment.” A crime may be said to be any conduct accompanied by act or omission prohibited by law and consequential breach of which is visited by penal consequences.

Examples Include:
  • Cyber-extortion
  • Information theft
  • Fraud
  • Identity theft
  • Exploitation of children
  • Intellectual property theft
  • Phishing and Vishing

Definition:
  • “Any criminal activity that uses a computer either as an instrumentality, target or a means for perpetuating further crimes comes within the ambit of cyber crime”
  • “Unlawful acts wherein the computer is either a tool or target or both”
  • “Illegal computer-mediated activities that can be conducted through global electronic networks”

Reasons For Cyber Crime: Hart in his work “The Concept of Law” has said ‘human beings are vulnerable so rule of law is required to protect them’. Applying this to the cyberspace we may say that computers are vulnerable so rule of law is required to protect and safeguard them against cyber crime. The reasons for the vulnerability of computers may be said to be:


1. Capacity to store data in comparatively small space
The computer has the unique characteristic of storing data in a very small space. This makes it much easier to remove or derive information through either a physical or a virtual medium.

2. Easy to access
The problem encountered in guarding a computer system from unauthorised access is that there is every possibility of breach not due to human error but due to the complex technology. Secretly implanted logic bombs, key loggers that can steal access codes, advanced voice recorders, retina imagers etc. that can fool biometric systems and bypass firewalls can be utilized to get past many a security system.

3. Complex
Computers work on operating systems, and these operating systems in turn are composed of millions of lines of code. The human mind is fallible and it is not possible that there might not be a lapse at any stage. Cyber criminals take advantage of these lacunas and penetrate into the computer system.

4. Negligence
Negligence is very closely connected with human conduct. It is therefore very probable that while protecting the computer system there might be some negligence, which in turn provides a cyber criminal the opportunity to gain access and control over the computer system.

5. Loss of evidence
Loss of evidence is a very common and obvious problem as all the data are routinely destroyed. Further, collection of data outside the territorial extent also paralyses this system of crime investigation.

Cyber Criminals

Cyber criminals comprise various groups or categories. This division may be justified on the basis of the object that they have in mind. The following are the categories of cyber criminals:


1. Children and adolescents between the age group of 6 – 18 years
The simple reason for this type of delinquent behaviour pattern in children is seen mostly due to the inquisitiveness to know and explore things. Another cognate reason may be to prove themselves to be outstanding amongst other children in their group. Further, the reasons may even be psychological. E.g. the BAL Bahrain (Delhi) case was the outcome of harassment of the delinquent by his friends.

2. Organised hackers
These kinds of hackers are mostly organised together to fulfil a certain objective. The reason may be to fulfil their political bias, fundamentalism, etc. The Pakistanis are said to be one of the best quality hackers in the world. They mainly target the Indian government sites with the purpose of fulfilling their political objectives. Further, the NASA as well as the Microsoft sites are always under attack by hackers.

3. Professional hackers / crackers
Their work is motivated by the colour of money. These kinds of hackers are mostly employed to hack the site of rivals and get credible, reliable and valuable information. Further, they are even employed to crack the system of the employer, basically as a measure to make it safer by detecting the loopholes.

4. Discontented employees
This group includes those people who have been either sacked by their employer or are dissatisfied with their employer. To avenge themselves they normally hack the system of their employer.

Mode and Manner of Committing Cyber Crime

1. Unauthorized access to computer systems or networks / Hacking
This kind of offence is normally referred to as hacking in the generic sense. However, the framers of the Information Technology Act 2000 have nowhere used this term, so to avoid any confusion we would not interchangeably use the word hacking for ‘unauthorized access’, as the latter has wide connotation.


2. Theft of information contained in electronic form
This includes information stored in computer hard disks, removable storage media etc. Theft may be either by appropriating the data physically or by tampering with them through the virtual medium.

3. Email bombing
This kind of activity refers to sending large numbers of mail to the victim, which may be an individual or a company or even mail servers, thereby ultimately resulting in a crash.

4. Data diddling
This kind of attack involves altering raw data just before a computer processes it and then changing it back after the processing is completed. The electricity board faced a similar problem of data diddling while the department was being computerised.

5. Salami attacks
This kind of crime is normally prevalent in financial institutions or for the purpose of committing financial crimes. An important feature of this type of offence is that the alteration is so small that it would normally go unnoticed. E.g. the Ziegler case, wherein a logic bomb was introduced in the bank’s system which deducted 10 cents from every account and deposited it in a particular account.

6. Denial of Service attack
The computer of the victim is flooded with more requests than it can handle, which causes it to crash. Distributed Denial of Service (DDoS) attack is also a type of denial of service attack, in which the offenders are wide in number and widespread. E.g. Amazon, Yahoo.

7. Virus / worm attacks
Viruses are programs that attach themselves to a computer or a file and then circulate themselves to other files and to other computers on a network. They usually affect the data on a computer, either by altering or deleting it. Worms, unlike viruses, do not need a host to attach themselves to. They merely make functional copies of themselves and do this repeatedly till they eat up all the available space on a computer's memory. E.g. the love bug virus, which affected at least 5 % of the computers of the globe. The losses were accounted to be $ 10 million. The world's most famous worm was the Internet worm let loose on the Internet by Robert Morris sometime in 1988. It almost brought development of the Internet to a complete halt.

8. Logic bombs
These are event dependent programs. This implies that these programs are created to do something only when a certain event (known as a trigger event) occurs. E.g. even some viruses may be termed logic bombs because they lie dormant all through the year and become active only on a particular date (like the Chernobyl virus).

9. Trojan attacks
This term has its origin in the word ‘Trojan horse’. In the software field this means an unauthorized programme which passively gains control over another’s system by representing itself as an authorised programme. The most common form of installing a Trojan is through e-mail. E.g. a Trojan was installed in the computer of a lady film director in the U.S. while chatting. The cyber criminal, through the web cam installed in the computer, obtained her nude photographs. He further harassed this lady.

10. Internet time thefts
Normally in these kinds of thefts the Internet surfing hours of the victim are used up by another person. This is done by gaining access to the login ID and the password. E.g. Colonel Bajwa’s case: the Internet hours were used up by another person. This was perhaps one of the first reported cases related to cyber crime in India. However, this case made the police infamous as to their lack of understanding of the nature of cyber crime.

11. Web jacking
This term is derived from the term hi-jacking. In these kinds of offences the hacker gains access and control over the web site of another. He may even mutilate or change the information on the site. This may be done for fulfilling political objectives or for money. E.g. recently the site of MIT (Ministry of Information Technology) was hacked by the Pakistani hackers and some obscene matter was placed therein. Further, the site of Bombay crime branch was also web jacked. Another case of web jacking is that of the ‘gold fish’ case. In this case the site was hacked and the information pertaining to gold fish was changed. Further, a ransom of US $ 1 million was demanded. Thus web jacking is a process whereby control over the site of another is taken, backed by some consideration for it.


Understand the Fundamentals
  • Internet has offered us a much more convenient way to share information across time and place.
  • Cyberspace also opened a new venue for criminal activities:
      • Cyber attacks
      • Distribution of illegal materials in cyberspace
      • Computer-mediated illegal communications within big crime groups or terrorists
  • Cyber crime has become one of the major security issues for the law enforcement community.
  • The anonymity of cyberspace makes identity tracing a significant problem which hinders investigations.

Classification of Cyber crime
1. Computer as Target
2. Computer as an instrumentality
3. Computer as an incidental or other crime
4. Crime associated with the prevalence of computers.

The above categories are not isolated compartments. Crime may often spill over from one category to the other.

1. Computer As A Target Of A Crime
  • Physical damage
  • Theft or destruction of information (data)
  • The spread of viruses, worms
  • Software piracy, hacking etc.
  • A computer virus is a self-replicating computer program written to alter the way a computer operates, without the permission or knowledge of the user.

2. Computer as an instrumentality
This category includes such crimes where either computers or their contents are used in furtherance of crime, or those offences which are committed by manipulating contents of computer systems. They could include sending e-mails, ransom notes or manipulating computer contents for credit card frauds, telecommunication frauds or theft.

3. Computer as incidental or other crime
This category includes conventional crimes, where with the advent of the computer the criminals have started using the technology as an aid for its perpetuation. They include use of computers as an aid for drug trafficking, money laundering, child pornography etc.

4. Crime associated with the prevalence of computers
  • Copyright violation
  • Software piracy
  • Component theft etc.

Why Learn About Cyber Crime
  • Everybody is using computers.
  • From white collar criminals to terrorist organizations, and from teenagers to adults.
  • Conventional crimes like forgery, extortion, kidnapping etc. are being committed with the help of computers.
  • New generation is growing up with computers.
  • Most important: monetary transactions are moving on to the Internet.

Types of Cyber Crime
  • Hacking
  • Denial Of Service Attack
  • Virus Dissemination
  • Software Piracy
  • Pornography
  • IRC Crime
  • Credit Card Fraud
  • Net Extortion
  • Phishing
  • Spoofing
  • Cyber Stalking
  • Cyber Defamation
  • Threatening
  • Salami Attack

HACKING
Hacking in simple terms means illegal intrusion into a computer system without the permission of the computer owner/user.

DENIAL OF SERVICE ATTACK
This is an act by the criminal, who floods the bandwidth of the victim's network or fills his e-mail box with spam mail, depriving him of the services he is entitled to access or provide.

VIRUS DISSEMINATION
Malicious software that attaches itself to other software (virus, worms, Trojan Horse, Time bomb, Logic Bomb, Rabbit and Bacterium are the malicious software).

SOFTWARE PIRACY
Theft of software through the illegal copying of genuine programs or the counterfeiting and distribution of products intended to pass for the original. Retail revenue losses worldwide are ever increasing due to this crime. It can be done in various ways: end user copying, hard disk loading, counterfeiting, illegal downloads from the internet etc.

PORNOGRAPHY
Pornography is the first consistently successful e-commerce product. Deceptive marketing tactics and mouse trapping technologies encourage customers to access pornography websites. Anybody, including children, can log on to the internet and access websites with pornographic contents with a click of a mouse. Publishing or transmitting any material in electronic form which is lascivious or appeals to the prurient interest is an offence under the provisions of section 67 of the I.T. Act 2000.

IRC CRIME
Internet Relay Chat (IRC) servers have chat rooms in which people from anywhere in the world can come together and chat with each other.
  • Criminals use it for meeting co-conspirators.
  • Hackers use it for discussing their exploits / sharing the techniques.
  • Pedophiles use chat rooms to allure small children.
  • Cyber Stalking - In order to harass a woman her telephone number is given to others as if she wants to befriend males.

CREDIT CARD FRAUD
You simply have to type the credit card number into the www page of the vendor for an online transaction. If electronic transactions are not secured, the credit card numbers can be stolen by hackers, who can misuse the card by impersonating the credit card owner.

[Figure: Credit card skimmer]

NET EXTORTION
Copying the company's confidential data in order to extort said company for a huge amount.

PHISHING
It is the technique of pulling out confidential information from bank/financial institution account holders by deceptive means.

PHISHING EMAIL

From: *****Bank [mailto:support@****Bank.com]
Sent: 08 June 2004 03:25
To: India
Subject: Official information from ***** Bank

Dear valued ***** Bank Customer!
For security purposes your account has been
Randomly chosen for verification. To verify
Your account information we are asking you to
Provide us with all the data we are requesting.
Otherwise we will not be able to verify your identity
And access to your account will be denied. Please click
On the link below to get to the bank secure
Page and verify your account details. Thank you.
https://infinity.*****bank.co.in/Verify.jsp
****** Bank Limited

SPOOFING
Getting one computer on a network to pretend to have the identity of another computer, usually one with special access privileges, so as to obtain access to the other computers on the network.

CYBER STALKING
The criminal follows the victim by sending emails and entering the chat rooms frequently.

CYBER DEFAMATION
The criminal sends emails containing defamatory matters to all concerned of the victim or posts the defamatory matters on a website.

THREATENING
The criminal sends threatening email or comes in contact with the victim in chat rooms. (Anyone disgruntled may do this against a boss, friend or official.)

SALAMI ATTACK
In such a crime the criminal makes insignificant changes in such a manner that the changes go unnoticed. The criminal makes a program that deducts a small amount like Rs. 2.@0 per month from the account of all the customers of the bank and deposits the same in his account. In this case no account holder will approach the bank for such a small amount, but the criminal gains a huge amount.

SALE OF NARCOTICS
Sale & purchase through the net. There are web sites which offer sale and shipment of contraband drugs. They may use the techniques of steganography for hiding the messages.

Email related crime
1. Email spoofing
2. Sending malicious codes through email
3. Email bombing
4. Sending threatening emails
5. Defamatory emails
6. Email frauds
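The sample phishing e-mail shown above has several features an analyst can check mechanically. The following is an added example, not part of the original report: a small triage routine that flags a link whose domain differs from the sender's domain, the generic greeting, and the pressure wording. The sample messages, the example.com / example.co.in names and the short suffix set are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Simplification (assumption): a production tool would consult the full
# Public Suffix List instead of this short set of two-label suffixes.
TWO_LABEL_SUFFIXES = {"co.in", "co.uk", "com.au"}

# Phrases taken from the wording of the sample e-mail on this page.
PRESSURE_PHRASES = (
    "randomly chosen for verification",
    "verify your account",
    "will be denied",
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample modelled on the e-mail above (placeholder domains).
PHISHING_SAMPLE = """\
From: Example Bank <support@example.com>
To: customer@example.org
Subject: Official information from Example Bank

Dear valued Example Bank Customer!
For security purposes your account has been randomly chosen for
verification. To verify your account information we are asking you to
provide us with all the data we are requesting. Otherwise we will not be
able to verify your identity and access to your account will be
denied. Please click on the link below.
https://infinity.example.co.in/Verify.jsp
"""

# Constructed control message: link stays on the sender's own domain.
BENIGN_SAMPLE = """\
From: Example Bank <billing@example.com>
To: customer@example.org
Subject: Monthly statement

Dear Asha,
Your monthly statement is ready to view at
https://www.example.com/statements
"""


def org_domain(host):
    """Reduce a host name to its organisational domain (example.co.in)."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def text_body(msg):
    """Concatenate the decoded text parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            try:
                chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
            except LookupError:  # unknown charset label in the message
                chunks.append(raw.decode("utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message):
    """Return a list of (indicator, detail) tuples for one raw message."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_org = org_domain(sender.rpartition("@")[2]) if "@" in sender else ""
    body = text_body(msg)
    flat = " ".join(body.lower().split())  # undo line wrapping for matching

    findings = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        if host and org_domain(host) != sender_org:
            findings.append(("link-domain-mismatch", host))
    if "dear valued" in flat:
        findings.append(("generic-greeting", "dear valued"))
    for phrase in PRESSURE_PHRASES:
        if phrase in flat:
            findings.append(("pressure-language", phrase))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage(PHISHING_SAMPLE):
        print(indicator, "->", detail)
```
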
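The salami attack described above leaves a recognisable pattern in a transaction ledger: one destination account credited with the same tiny amount by many different accounts. The following is an added example, not part of the original report, showing one way an auditor could search for that pattern; the account names, thresholds, allowlist and ledger rows are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal


def find_salami_collectors(transfers, max_amount="1.00", min_sources=5,
                           allowlist=()):
    """Flag destination accounts credited with the same tiny amount by many
    different source accounts.

    transfers: iterable of (source, destination, amount-as-string) tuples.
    allowlist: destinations known to collect small fees legitimately.
    Returns a list of dicts sorted by total collected, largest first.
    """
    limit = Decimal(max_amount)
    sources = defaultdict(set)   # (destination, amount) -> distinct sources
    counts = defaultdict(int)    # (destination, amount) -> number of debits

    for src, dst, amount in transfers:
        amt = Decimal(amount)    # Decimal avoids float rounding on currency
        if dst in allowlist or not (Decimal("0") < amt <= limit):
            continue
        sources[(dst, amt)].add(src)
        counts[(dst, amt)] += 1

    findings = []
    for (dst, amt), srcs in sources.items():
        if len(srcs) >= min_sources:
            findings.append({
                "destination": dst,
                "amount": amt,
                "distinct_sources": len(srcs),
                "debits": counts[(dst, amt)],
                "total": amt * counts[(dst, amt)],
            })
    return sorted(findings, key=lambda f: f["total"], reverse=True)


def build_sample_ledger():
    """Constructed sample data, not taken from any real bank."""
    customers = [f"CUST-{n:03d}" for n in range(1, 9)]
    ledger = []
    for _month in range(3):
        for c in customers:
            ledger.append((c, "ACC-7731", "0.10"))      # hidden 10-cent skim
            ledger.append((c, "BANK-SMS-FEE", "0.50"))  # legitimate fee
    # Ordinary traffic: varied amounts, few sources per destination.
    ledger += [
        ("CUST-001", "UTILITY-01", "842.00"),
        ("CUST-002", "UTILITY-01", "0.75"),
        ("CUST-003", "CUST-004", "0.10"),
        ("CUST-005", "GROCER-12", "129.40"),
    ]
    return ledger


if __name__ == "__main__":
    for finding in find_salami_collectors(build_sample_ledger(),
                                          allowlist={"BANK-SMS-FEE"}):
        print(finding)
```

Without the allowlist the bank's own fee account is reported as well, which is why known fee-collecting accounts need to be excluded before the output is reviewed.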

Case Studies

Case No.1

Police Station – Vishrambaug (Emphasis)
G.R.N. 91/05
IPC No. 467, 468, 471, 419, 420, 379, 34 with law of Information & Technology No. 66
Petitioner - Jay fin Robert Disuse
Criminals -
1) Ivan Samuel Thomas
2) Sheila’s Chanddrakant Burrower
3) Bijou Alexander
4) Siddhartha Mehta
5) Stephen Daniel
6) Marlin Fernandez
7) Prim john Phil poses
8) Soundharajan Jamaican
9) Jinee George
10) Stash Para
11) John Varghese
Incident - Date 25/1/2005 to 4/4/2005, time to time
Filed On 5/4/05 at 17:15
Evident Officer - Sanjay Judah, Asst Police Commissioner (Fin & Cyber), Crime Branch, Pune

Short Story - In the last week of March 2005, the Vice Chairman of City Bank notified that Rs.1,86,23,761 (4,27,061 American Dollars) from some of the A/c holders of City Bank of America had been transferred to various banks in Pune. The above amount has not been deposited in Pune Bank.


Finding - After the case was filed, the banks to which the amount had been transferred were intimated in writing that if someone comes to enquire about the deposit of money in the particular bank, this is to be intimated to the Police immediately.

1. Accordingly Rupees Bank Rajendranagar branch, Pune reported that two persons came for the enquiry.

2. Immediately sent a Police squad and the two persons were taken in custody. The names were:
  • Ivan Samuel Thomas
  • Sheila’s Burrower

3. In the enquiry, it was found that Ivan Thomas was working in a BPO company in Pune named Emphasis (this company runs a customer care centre to give service to the City Bank account holders in America). His other colleagues Bijou Alexander, Siddhartha Mehta, Stephen Daniel and Marlin Fernandez had procured ATM Cards lose as well as their PIN codes, Social Security Numbers and authorized E-mail Ids of 5 account holders of City Bank by doing social engineering. After that they transferred Rs.1 Cr 86 lakh to various banks in Pune by using the wire transfer facility. This facility is used to transfer amounts through the internet. When you go to City Bank's website, choose the option wire transfer. Then put in the user ID & password, and an automatic code is generated. This code is sent to the authorized E-mail Id of the account holder. Then this code is entered on the wire transfer page. Only then is the account accessible to the particular account holder.

4. All the hard disks of those cyber cafés from where the amount had been transferred were seized. Also the full information of the E-mail Id from where the automatic code was taken, with full header, was noted.

5. The above criminals had opened fake accounts in various banks; supporting proofs have been taken from the banks. The crime report has been submitted against the criminals.

Result Waited.


Case No.2

Police station - Decca Gymkhana
G.R.N 199/07
IPC Code. 420, 467, 468, 34 with law of information & technology of 2000 cool 43, a, b, h 66 & 72
Petitioner - Sunil Marianna Made, age 32 yrs, occupation - service (Rise manager HDFC stargaze, Pune), Residential Address B-402 Uttamnagar, Pune-23
Criminal - Moil Laming Harkin, Age - 30, Residential Address - Ignore Rd near Vidyasagar High school, Naphtha, Delhi; Native - Churchyard Poor Lama, at & Post Bethel, Manipur
Incident - 24/4/2007 between 15:45 to 16:00 at Rank Jewelers, Carve Rd, Pune
Case filed - 24/04/07 at 23:00 hrs
Evident officer - Entail Shined, Asst. Police Commissioner (Fin & Cyber), Crime Branch, Pune

Short Story - The criminal lady & her colleagues 1) Utahan 2) Nepali man 3) Lady named Mara, all together on 24/04/07 between 15:45 to 16:00 hrs at Rank Jewelers, Carve Rd, Pune, purchased by using HDFC Bank credit card, but this card belongs to Missoula Federal union, USA bank. This was found through the Risk monitoring system, and it was also found that the card was fake. The lady was arrested on the spot, but her other colleagues ran away.

Finding - The lady criminal was found with a Chinese passport in the name of Talon Eyeing. On it, immigration stamps of Indonesia, Australia and Germany were found. The criminal lady was found with credit cards of five banks in the name of Talon Eyeing.

1. Sent a letter to Aortal, Hutch, Idea & Tate to get the information of the criminal’s mobile no 9967674094 & her colleagues' mob no.
2. Sent a letter to the bank for getting information of the credit card holders.
3. To verify reality of passport, consumer Chennai, Embassy Mumbai has been approached by sending letter.
4. Took statements at Mosaic Palace, Shirted Rd, Pune, where the criminal & her colleagues were staying. Also took the statements of the manager & owner of Rank Jewelers.
5. Came to know through HDFC, HSBC and Standard Charted Bank that the credit cards the criminal lady was holding are of Missoula Federal Credit Union, USA.


6. Sent a letter to the Police commissioner Chennai for information, as the criminal's passport was emigration stamped by Chennai passport.
7. Sent a wireless to south Manipur Police to get address proof and character information.
8. Sent a Police squad to Delhi to search for the other criminals.
9. Regarding the passport, a fax was received from the Embassy of China that the concerned passport was from Hong Kong Special Administrative Region and was expired on 10th Sep 2003.
10. Information received from Manipur police by wireless is as below:

Lady Name - Neural Moil Hop kip
Occupation - Service in private company in Delhi
Married with Sri Sensing, Resident Chore, Sandspur
Marital Status - 2 Daughters. Etc

After sending the criminal reports to the court, the criminal lady was punished by the court.


Case No.3

Police Station - Yawed
G.R.N - 2/8/08 C B V 403419420
Applicant - Swap nil Deli Sail, Age 30, Son 401/r Balladic VadyanNagar Vadgensheri Pune 14
Accused - Yogis Chowder, Chennai
Applied on - on 25/3/08. Use of credit card stolen.
Enquiry Officer - Kristi Kumar Patel PSI

Short Story - Yogis has purchased air tickets on 28/3/08 for Rs.18, 596.10. Swap nil has a City Bank credit card and takes online account statements. On 24/4/08 he saw a bill of Rs.18596.10 as a transaction done on 28/3/08 from Makemytripe.com & Airdeccan.com. Yogis has taken the tickets.

Enquiry - Used mail ID [email protected] [email protected] [email protected] As like this Full IP Address needed.

1. To find out whose IP this is, by Domain Tool got the name Isaac Telecom India Put Ltd. Sutra.
2. Sent a letter to Ibarra to enquire to whom this IP address is given. Got information that IP address 123.201.56.193 is dynamic and given to Yogis Chowdery, Chennai.
3. Mobile use in No 9884214361, 9789943185; got details of these phones & phone calls from Manager Airtal & Manager Hutch.
4. Visit to Chennai to find out Yogis.
5. Caught him at Chennai he deterrent he has done this crime.


Case No.4

Police Station - Koshered
G.R.N 00107 BDV 509 information Security Act 5.67
Apply by - Miss Saniya, Koshered, Pune
Against - Miss Lisa and Pune
Happened on - Before 26/06/07 12:30
Recorded on - 28/06/07 5:00 PM
Director - Net Shined PSI

Short Story - Before 26/06/07 someone stole the password of the email Id of Saniya & profile XYZ Rout website and produced some very bad Exposition on the website.

Enquiry - Send all database link Rout website prepared by Name on what date, Time, IP Address to Google company by e-mail. Saniya got knowledge from friends that there is some bad things on Rout by Lisa Cornello. Saniya before 3 to 4 weeks tried to prepare new Account [email protected]. On that website the bad topic is profiled again. Visited Saniya’s residence and checked her computer whether there is any virus or not. Send Read notify to Saniya for stolen by anybody her password at [email protected]. Read Information from Google 3/7/09. Profile prepared by Saniya was as follows:

E-mail Profile email Id [email protected], IP Address 59.161.3.66 on 8/5/07 4IS GMT. Secondary email Id LisaCornello@ yahoo.co.in. Trace out all information from above address. Received following information from Yahoo on 14/5/09 at 9:36:14: [email protected] and IP Address 219.64.160.136 has been prepared. On 5/5/07 3:36:4 [email protected] Email ID and IP Address 59.169.3.66 prepared on 8/05/07. Let following information for Domain tools:

File Number - 12345678
Name - Lisa
Phone - 122344568
Address - And Pune

Red on Lisa Residence makes all necessary Police Action. Story is Lisa & Saniya were friends being affairs with Shoed. The Police seized the hard disk & CPU and sent it to the forensic lab. Lisa was punished by 2 yrs prison & 2, 75,000 cash fine.


Characteristics of Computer Crime
• Silent in Nature: Computer crime can be committed in privacy without physically reaching the scene of crime, i.e. without any eye witnesses. There are no signs of physical violence or struggle.
• Global in character: No national borders. By sitting comfortably far away from the country, the entire economy of the country could be destroyed. As digital evidence is fragile in nature, one has to respond quickly.
• Non existence of Physical Evidence: No physical evidence to indicate that crime has been committed. Only on a closer look can a trained person find the evidence, which is not in the traditional format but in digital format.
• Creates high Impact: Impact is severe and may be long term. It can damage the victim system permanently. Loss of good will.
• High Potential and Easy to Perpetrate: A software developer who did not get enough money or a good job might turn to the criminal world for survival. Therefore, computer crimes have a potential to increase. Hence organized mafia may enter into this sector.

Prevention of Cyber Crime: Prevention is always better than cure. It is always better to take certain precautions while operating the net. A netizen should make them part of his cyber life. Saileshkumar Zackary, technical advisor and network security consultant to the Mumbai Police Cyber crime Cell, advocates the 5P mantra for online security: Precaution, Prevention, Protection, Preservation and Perseverance. A netizen should keep in mind the following things:
1. To prevent cyber stalking, avoid disclosing any information pertaining to oneself. This is as good as disclosing your identity to strangers in a public place.
2. Always avoid sending any photograph online, particularly to strangers and chat friends, as there have been incidents of misuse of photographs.
3. Always use the latest, up-to-date antivirus software to guard against virus attacks.
4. Always keep back up volumes so that one may not suffer data loss in case of virus contamination.
5. Never send your credit card number to any site that is not secured, to guard against frauds.
6. Always keep a watch on the sites that your children are accessing to prevent any kind of harassment or depravation in children.
7. It is better to use a security programme that gives control over the cookies and send information back to the site as leaving the cookies unguarded might prove fatal.
8. Web site owners should watch traffic and check any irregularity on the site. Putting host-based intrusion detection devices on servers may do this.
9. Use of firewalls may be beneficial.
10. Web servers running public sites must be physically separate and protected from the internal corporate network.

Adjudication of a Cyber Crime - On the directions of the Bombay High Court, the Central Government has, by a notification dated 25.03.03, decided that the Secretary to the Information Technology Department in each state by designation would be appointed as the AO for each state.


QUESTIONNAIRE

QUESTIONNAIRE RELATED TO THE RECOMMENDATIONS FROM THE FOURTH MEETING OF GOVERNMENTAL EXPERTS ON CYBER-CRIME

1. In which of the following areas does our country have existing cyber-crime legislation in place?

a) IT act Cyber laws (e.g., laws prohibiting online identity theft, hacking, intrusion into computer systems, child pornography): Yes ___ No ___
If yes, please list and attach copies of all such legislation, preferably in electronic format if possible:
65 – Code Modification
66 – Hacking
67 – Pornography

b) Procedural cyber-crime laws (e.g., authority to preserve and obtain electronic data from third parties, including internet service providers; authority to intercept electronic communications; authority to search and seize electronic evidence): Yes ___ No ___
If yes, please list and attach copies of all such legislation, preferably in electronic format if possible:
41 CRPC
42 CRPC
100 CRPC
78 – Search and seize
80 – All police rights.

c) Mutual legal assistance related to cyber-crime: Yes ___ No ___
If yes, please list and attach copies of all such legislation, preferably in electronic format if possible:
They need only Technical help during case investigation.


2. Please identify whether the following forms and means (1) occur frequently, (2) occur infrequently, or (3) have not occurred, by placing an “X” as appropriate in the following table:

Forms and Means of Cyber-Crime | Occur Frequently | Occur Infrequently | Has not Occurred
• Online identity theft (including phishing and online trafficking in false identity information)
• Hacking (illegal intrusion into computer systems; theft of information from computer systems)
• Malicious code (worms, viruses, malware and spyware)
• Illegal interception of computer data
• Online commission of intellectual property crimes
• Online trafficking in child pornography
• Intentional damage to computer systems or data
• Others


a) In addition to the above, if there are any other forms and means of cybercrime that have occurred (either frequently or infrequently) in our country, please identify them, as well as the frequency with which they occur, in the following table.

Forms and Means of Conduct

Occur Frequently

Cheating

Occur Infrequently Threatening

Cyber Stalking Credit card fraud Copy Right Source Code

3. Does our country have any concrete experiences with respect to strengthening the relationship between the authorities responsible for investigating and/or prosecuting cybercrimes, and internet service providers that may be shared with other States as a best practice in this area? Yes No ___
If yes, please explain: ISP’s meeting, Bank models meeting cyber committee regular basic interaction.

4. Has our country identified, created, or established a unit or entity specifically charged with directing and developing the investigation of cyber-crimes? Yes No
If yes, please provide the following information: CBI Crime cell, CID
The institution to which the unit/entity belongs: POLICE
The number of officers or investigators in the unit/entity: 4-5
If such a unit/entity has been created or established, are its functions dedicated exclusively to the investigation of cyber-crimes? Yes No ___
If no, what other types of offenses or crimes is this unit/entity responsible for investigating and/or prosecuting?

5. Has our country identified, created, or established a unit or entity specifically charged with directing and developing the prosecution of cyber-crimes? Yes ___ No


Relevance of Evidence
• Main purpose of investigation of any crime is to collect sufficient & legally admissible evidence to ensure conviction of offenders.
• Requirements of evidence in Cyber Crimes are not different but its nature has made collection of Evidence a specialized job.
• Evidence Act & rules already in existence were considered not sufficient; so IT Act, 2000 made extensive changes in Indian Evidence Act, 1872.

Indian Evidence Act (Amended)
3. Evidence - "Evidence" means and includes:
• All documents including electronic records produced in Court are called documentary evidence.
• “Electronic records” has the same meaning as assigned in IT Act, 2000, i.e.:
  • image or sound stored, received or sent in an electronic form; or
  • micro film or computer generated micro fiche;
• 17. Admission defined - An admission is a statement, oral or documentary or contained in electronic form, which suggests any inference as to any fact in issue or relevant fact.
• 27. How much of information received from accused may be proved - When any fact is discovered in consequence of information received from a person accused of any offence, in the custody of a police officer, so much of such information, as relates distinctly to the fact thereby discovered, may be proved.

When oral admission as to contents of electronic records is relevant:
• 22A. Oral admissions as to the contents of electronic records are not relevant, unless the genuineness of the electronic record produced is in question.
• 59. Proof of facts by oral evidence - All facts, except the contents of documents or electronic records, may be proved by oral evidence.
• 39. How much evidence to be given when statement forms part of electronic record: When any statement of which evidence is given forms part of an electronic record, then evidence shall be given of so much and no more of the electronic record, as the Court considers necessary in that particular case to the full understanding of the nature and effect of the statement, and of the circumstances under which it was made.

Opinion as to digital signature where relevant.
• 47A. When the Court has to form an opinion as to the digital signature of any person, the opinion of the Certifying Authority which has issued the Digital Signature Certificate is a relevant fact.

Proof as to digital signature.
• 67A. Except in the case of a secure digital signature, if the digital signature of any subscriber is alleged to have been affixed to an electronic record, the fact that such digital signature is the digital signature of the subscriber must be proved.

Proof as to verification of digital signature.
• 73A. In order to ascertain whether a digital signature is that of the person by whom it purports to have been affixed, the Court may direct:
  • That person or the Controller or the Certifying Authority to produce the Digital Signature Certificate;
  • Any other person to apply the public key listed in the Digital Signature Certificate and verify the digital signature purported to have been affixed by that person.

Admissibility of electronic records.
• 65B. (1) Any information contained in an electronic record which is printed on a paper, stored, recorded or copied in optical or magnetic media produced by a computer shall be deemed to be also a document, if certain conditions are satisfied.
• It shall be admissible in any proceedings, without further proof or production of the original, as evidence of any contents of the original or of any fact stated therein of which direct evidence would be admissible.

• 65 B (2) The conditions are as following:
  • The computer output was produced during the period when it was used regularly to store or process information for the purposes of any activities regularly carried on by a person having lawful control over the computer;
  • During the said period, information of the kind contained in the electronic record or of the kind from which the information so contained is derived was regularly fed into the computer in the ordinary course of the said activities;
  • 65(c) throughout the said period, computer was operating properly or, if not, then that part of the period was not such as to affect the electronic record or the accuracy of its contents
  • 65(d) the information contained in the electronic record reproduced or is derived from such information fed into the computer in the ordinary course of the said activities.

Presumption as to electronic agreements.
• 85A The Court shall presume that every electronic record purporting to be an agreement containing the digital signatures of the parties was so concluded by affixing the digital signature of the parties.

Presumption as to electronic records and digital signatures:
• 85B. (1) The Court shall presume that the secure electronic record has not been altered since the specific point of time to which the secure status relates.
• (2) In proceedings involving secure digital signature, the Court shall presume that the secure digital signature is affixed by subscriber with the intention of signing or approving the electronic record.

Presumption as to electronic messages:
• 88A. The Court may presume that an electronic message forwarded by the originator through an electronic mail server to the address to whom the message purports to be addressed corresponds with the message as fed into his computer for transmission;

• But the Court shall not make any presumption as to the person by whom such message was sent.

Presumption as to electronic records five years old.
• 90A. Where any electronic record, purporting or proved to be five years old, is produced from any custody which the Court in the particular case considers proper, the Court may presume that the digital signature which purports to be the digital signature of any particular person was so affixed by him or any person authorized by him in this behalf.

Recent Amendments
• The Information Technology (Amendment) Bill, 2008 (Bill No.96-F of 2008) was passed by the Lok Sabha on 22-12-2008 and by the Rajya Sabha on 23-12-2008.
• It received His Excellency President’s assent on 5th February, 2009.
• The date from which the amendments are to be applicable is yet to be notified.

Important Amendments to IT Act
• In Section 43, two new offences added:
  • Destroying, deleting or altering information in a computer resource to diminish its value.
  • Stealing, concealing or destroying any computer source code with intention to cause damage.
• Sec. 66 has been replaced, providing that if any of the acts mentioned in Section 43 was done dishonestly or fraudulently, it is punishable with 3 Years Imprisonment or Fine of Rs.5.00 Lacs or with both.
• A new Sec.66A is added providing for three years imprisonment and fine for sending:
  • Offensive or menacing information; or
  • False information for causing insult, injury, intimidation, hatred or ill-will; or
  • E-mail causing annoyance or to deceive or mislead recipient about the origin of that email

• Section 66B makes it an offence to dishonestly receive or retain any stolen computer resource or communication device, which is punishable with 3 years imprisonment or fine up to Rs. 1.00 Lac.
• Dishonest use of Electronic Signatures, password or identification feature invites punishment up to 3 years and fine up to Rs. 1.00 Lac (Section 66C).
• Impersonation with the help of computer or communication device will result in 3 years imprisonment and fine up to Rs.1.00 Lac (Section 66D).
• Violation of privacy by way of sending electronic visual images of private parts of body is also punishable with 3 years’ imprisonment or fine up to Rs. 1.00 Lac (Section 66E).

Cyber Terrorism is defined in Section 66F:
• Whoever threatens the unity, integrity, security or sovereignty of India or strikes terror in people by:
  • Denying access to computer resource; or
  • Accessing computer resource without authority; or
  • Introducing any computer contaminant
  • and causes death or destruction of property; or
  • Penetrates restricted computer resources or information affecting sovereignty, integrity, friendly relations with foreign states, public order, decency, contempt of court, defamation or to the advantage of foreign state or group of persons.
• It is punishable with imprisonment up to life.
• Obscenity has been defined in new Section 67, punishable with imprisonment for 3 years with fine up to Rs. 5.00 Lacs for first offence and imprisonment for 5 years with fine up to Rs. 10.00 Lacs for subsequent offence.
• Section 67A deals with publishing or transmitting sexually explicit material, which is punishable with 5 years imprisonment & fine up to 10.00 Lacs for first offence and, for subsequent offence, imprisonment up to 7 years with fine up to 10.00 Lacs.
• Child Pornography has been made a separate offence in Section 67B, punishable with 5 years imprisonment & fine up to 10.00 Lacs for first offence and, for subsequent offence, imprisonment up to 7 years with fine up to 10.00 Lacs.

• Section 69 has been redrafted, enabling Government agencies to intercept, monitor or decrypt any electronic information with the help of subscribers, intermediary or person in charge of computer resources.
• Non-cooperation by any of the above invites imprisonment up to 7 years with fine.
• 69A: Government gets power to issue directions for blocking for public access of any information through any computer resource.
• An intermediary who fails to comply with directions in this regard shall be punished with imprisonment up to 7 years with fine.
• 69B: For cyber security, Government may order any intermediary to allow access to any computer resources, and violation results in imprisonment up to 3 years with fine.
• Sec.72A provides for punishment for disclosure of information in breach of lawful contract extending up to 3 years or fine to the tune of Rs. 5.00 Lacs or with both.
• Section 77: confiscation, compensation awarded or penalty imposed does not come in the way of penalty, punishment or compensation under any other Act.
• Compounding of offences with punishment up to 3 years allowed, subject to the conditions that accused has no previous conviction or the offence does not affect the socio-economic conditions or it was not committed against a child or a woman.
• Sec. 77B prescribes that notwithstanding CRPC:
  • Offence punishable with imprisonment of 3 years and above is cognizable.
  • Offence punishable with imprisonment up to 3 years is bailable.
• Power to investigate Cyber Crimes has been now vested in Inspectors in place of Dy.S.P.
• Office of Government Examiner of Electronic Evidence is to be established. (Section 79A).

Important Amendments to IPC
• Jurisdiction is not bounded by Country’s boundaries if the target is a computer resource located in India. Section 4(3)
• Any act done anywhere in the world is an offence if the said act, if committed in India, is an offence. Explanation (a) to Section 4
• Voluntary concealment of existence of a design by encryption or any other information hiding tool is an offence.
• The words “Digital Signatures” have been replaced with “Electronic signatures”.


Important Amendments to CRPC
• Opinion of Examiner of Electronic Evidence has been made relevant. (Section 45A)
• Examiner is to be treated as an Expert.
• Examiner is to be examined like any other expert from CFSL or other Labs.
• Words “Digital Signature” are to be replaced by “Electronic Signature”.

Our Analysis
As we have seen, crimes done with the help of computers or technology have become a very serious issue nowadays. The victim can be anybody: a naïve person or even a tech-savvy person can be a victim. So from the cyber crimes discussed above we can conclude that, to counter these crimes, the end user should be educated about them. He/she should be cautious in checking e-mails or when downloading files/software. Users should change their password after 45 days, set a strong password with alphanumeric and special characters, and never use the Administrator account if not required. Always keep the antivirus updated. Try to keep a licensed copy of the software used. Try to secure the network, both LAN and wireless.

Conclusion:

Capacity of human mind is unfathomable. It is not possible to eliminate cyber crime from the cyber space. It is quite possible to check it. History is the witness that no legislation has succeeded in totally eliminating crime from the globe. The only possible step is to make people aware of their rights and duties (to report crime as a collective duty towards the society) and further to make the application of the laws more stringent to check crime. Undoubtedly the Act is a historical step in the cyber world. Further, I do not altogether deny that there is a need to bring changes in the Information Technology Act to make it more effective to combat cyber crime. I would conclude with a word of caution for the pro-legislation school: it should be kept in mind that the provisions of the cyber law are not made so stringent that they may retard the growth of the industry and prove to be counter-productive.


Establishment of PUNE Cyber Cell
It was established on 1st July 2003. Under this department the following officers are involved:
• Police Commissioner
• Two Asst. Police Commissioner
• Two Sub Inspector
• And ten constables in the team.

In the year 2008, 63 cases were registered. Between 2003-2008 the total number of cases registered with Police was 452.

Police Station under IT Act 2000

Year    2001  2002  2003  2004  2005  2006  2007  2008  2009  Total
Total   03    04    09    06    10    10    13    08    09    72

In the year 2008 the Cyber Crime Cell solved 15 cases.

Cyber Crime Cell

Year    2003  2004  2005  2006  2007  2008  2009  Total
Total   05    30    32    79    99    207   92    544

Pune Cyber Lab

On 20th January Pune Cyber Lab was established in collaboration with NASSCOM, near Shivaji Nagar in Pune. In this department there are 580 officers and 411 staff, in which members of the 76th Batch have been provided with cyber crime investigation training. And 65 judges have attended the program/training of cyber crime.


WHAT IS CYBER FORENSICS?

Cyber forensics is the discovery, analysis, and reconstruction of evidence extracted from any element of computer systems, computer networks, computer media, and computer peripherals that allows investigators to solve the crime.

Four Stages
• Acquire
• Authenticate
• Analyze
• Documentation


DIFFERENT TYPES OF STORAGE MEDIA

ELECTRONIC EVIDENCE PRECAUTIONS
• Static Electricity
• Magnetic Fields
• Shock
• Moisture


Computer Forensics:-

Computer forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage media. Computer forensics, also called cyber forensics, is the application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it. Computer forensics experts investigate data storage devices, such as hard drives, USB drives, CD-ROMs, floppy disks, tape drives, etc., identifying sources of documentary or other digital evidence, preserving and analyzing evidence, and presenting findings. Computer forensics adheres to standards of evidence admissible in a court of law.

Electronic evidence considerations

Electronic evidence can be collected from a variety of sources. Within a company’s network, evidence will be found in any form of technology that can be used to transmit or store data. Evidence should be collected through three parts of an offender’s network: at the workstation of the offender, on the server accessed by the offender, and on the network that connects the two. Investigators can therefore use three different sources to confirm the data’s origin.

Incident Response

An important part of computer forensics lies in the initial response to a computer crime. It is at this point that the suspect computer and related devices are identified and prepared for the forensic response. In a corporate environment, this is simply done by locating the perpetrator's computer workstation and collecting a forensic image of the hard drive and any related media. In a criminal situation with a law enforcement response, the incident response involves the proper serving of a search warrant and lawful collection of evidentiary media. While in some corporate environments the computer is left behind, sometimes to give the impression that the employee is not a targeted suspect, law enforcement will attempt to seize all computer related material (bag and tag) and transfer it to a forensic laboratory for analysis.


Collecting Volatile Data

If the machine is still active, any intelligence which can be gained by examining the applications currently open is recorded. If the machine is suspected of being used for illegal communications, such as terrorist traffic, not all of this information may be stored on the hard drive. If information stored solely in RAM is not recovered before powering down, it may be lost. This results in the need to collect volatile data from the computer at the onset of the response.

Imaging electronic media (evidence)

The process of creating an exact duplicate of the original evidentiary media is often called Imaging. Using a standalone hard-drive duplicator or software imaging tools such as AIR, the entire hard drive is completely duplicated. This is usually done at the sector level, making a bit-stream copy of every part of the user-accessible areas of the hard drive which can physically store data, rather than duplicating the file system. The original drive is then moved to secure storage to prevent tampering. During imaging, a write protection device or application is normally used to ensure that no information is introduced onto the evidentiary media during the forensic process.
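The imaging step described above, as an added Python sketch that is not part of the original report and is not one of the tools it names: it makes a sector-level copy of a constructed 64-sector media file, records a digest during acquisition, re-verifies the working image later and locates the first altered sector. The file names, the 512-byte sector size and the choice of SHA-256 are assumptions of this example.

```python
import hashlib
import hmac
import os
import tempfile

SECTOR = 512  # assumed sector size of the constructed media


def image_media(src_path, dst_path, chunk_sectors=128):
    """Copy every byte of src to dst, hashing the stream as it is read.

    Returns (bytes_copied, sha256_hex). The source is only opened for reading;
    on a real acquisition a write blocker enforces that guarantee.
    """
    digest = hashlib.sha256()
    copied = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            chunk = src.read(SECTOR * chunk_sectors)
            if not chunk:
                break
            digest.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image is really on disk
    return copied, digest.hexdigest()


def hash_file(path, block=1 << 20):
    """SHA-256 of a file, read in blocks so large images fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for data in iter(lambda: f.read(block), b""):
            digest.update(data)
    return digest.hexdigest()


def verify_image(image_path, acquisition_hash):
    """True only if the image still matches the digest recorded at acquisition."""
    return hmac.compare_digest(hash_file(image_path), acquisition_hash)


def first_mismatch_sector(path_a, path_b):
    """Index of the first sector that differs, or None if the files are identical."""
    with open(path_a, "rb") as a, open(path_b, "rb") as b:
        index = 0
        while True:
            sa, sb = a.read(SECTOR), b.read(SECTOR)
            if sa != sb:
                return index
            if not sa:
                return None
            index += 1


def demo():
    """Image constructed media, then show that a one-byte change is detected."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "suspect_drive.bin")  # hypothetical names
        img = os.path.join(workdir, "evidence.img")
        media = bytearray(SECTOR * 64)                    # constructed sample media
        boot, remnant = b"BOOTSECTOR!", b"remnant of deleted file"
        media[0:len(boot)] = boot
        # Data outside any file: only a bit-stream copy preserves it.
        media[SECTOR * 40:SECTOR * 40 + len(remnant)] = remnant
        with open(src, "wb") as f:
            f.write(media)

        copied, acq_hash = image_media(src, img, chunk_sectors=8)
        result = {
            "bytes_copied": copied,
            "source_matches": hash_file(src) == acq_hash,
            "verified_after_imaging": verify_image(img, acq_hash),
        }
        with open(img, "r+b") as f:                       # simulate later alteration
            f.seek(SECTOR * 40 + 3)
            f.write(b"X")
        result["verified_after_change"] = verify_image(img, acq_hash)
        result["first_bad_sector"] = first_mismatch_sector(src, img)
        return result


if __name__ == "__main__":
    print(demo())
```
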

Forensic Analysis

All digital evidence must be analyzed to determine the type of information that is stored upon it. For this purpose, specialty tools are used that can display information in a format useful to investigators. Such forensic tools include: Brian Carrier's Sleuth Kit, Foremost and Smart. In many investigations, numerous other tools are used to analyze specific portions of information.

Reasons for Evidence
• Wide range of computer crimes and misuses
• Non-Business Environment: evidence collected by Federal, State and local authorities for crimes relating to:
  • Theft of trade secrets
  • Fraud
  • Extortion
  • Industrial espionage
  • Possession of pornography
  • SPAM investigations
  • Virus/Trojan distribution
  • Homicide investigations
  • Intellectual property breaches
  • Unauthorized use of personal information
  • Forgery
  • Perjury
• Computer related crime and violations include a range of activities including:
  o Business Environment:
    • Theft of or destruction of intellectual property
    • Unauthorized activity
    • Tracking internet browsing habits
    • Reconstructing Events
    • Inferring intentions
    • Selling company bandwidth
    • Wrongful dismissal claims
    • Sexual harassment
    • Software Piracy

Evidence Processing Guidelines
• New Technologies Inc. recommends following 16 steps in processing evidence
• They offer training on properly handling each step
  o Step 1: Shut down the computer
    • Considerations must be given to volatile information
    • Prevents remote access to machine and destruction of evidence (manual or anti-forensic software)
  o Step 2: Document the Hardware Configuration of The System
    • Note everything about the computer configuration prior to re-locating
  o Step 3: Transport the Computer System to A Secure Location
    • Do not leave the computer unattended unless it is locked in a secure location
  o Step 4: Make Bit Stream Backups of Hard Disks and Floppy Disks
  o Step 5: Mathematically Authenticate Data on All Storage Devices
    • Must be able to prove that we did not alter any of the evidence after the computer came into our possession
  o Step 6: Document the System Date and Time
  o Step 7: Make a List of Key Search Words
  o Step 8: Evaluate the Windows Swap File
  o Step 9: Evaluate File Slack
    • File slack is a data storage area of which most computer users are unaware; a source of significant security leakage.
  o Step 10: Evaluate Unallocated Space (Erased Files)
  o Step 11: Search Files, File Slack and Unallocated Space for Key Words
  o Step 12: Document File Names, Dates and Times
  o Step 13: Identify File, Program and Storage Anomalies
  o Step 14: Evaluate Program Functionality
  o Step 15: Document Our Findings
  o Step 16: Retain Copies of Software Used

Conclusion
• Forensics is an extremely valuable tool in the investigation of computer security incidents.
• Considerable legal issues arise when investigating computer systems.
• Intrusion Detection might support Computer Forensics in the future, and vice versa.
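Steps 7 and 9 to 11 of the evidence processing guidelines above, as an added Python example (not code from the original report or from New Technologies Inc.): it searches a raw image for key words in both ASCII and UTF-16LE and classifies each hit as file content, file slack or unallocated space. The 8-cluster volume, its allocation list, the file names and the key words are constructed for the example, and files are assumed to be stored contiguously.

```python
import re

CLUSTER = 1024  # assumed cluster size of the constructed volume


def build_region_map(files, total_clusters):
    """Turn an allocation list into sorted (start, end, kind, owner) byte ranges.

    Slack is the space between a file's logical end and the end of its last
    allocated cluster; clusters owned by no file are unallocated.
    """
    regions, used = [], set()
    for f in files:
        n_clusters = max(1, -(-f["size"] // CLUSTER))  # ceiling division
        first = f["start_cluster"] * CLUSTER
        data_end = first + f["size"]
        alloc_end = first + n_clusters * CLUSTER
        regions.append((first, data_end, "file", f["name"]))
        if data_end < alloc_end:
            regions.append((data_end, alloc_end, "slack", f["name"]))
        used.update(range(f["start_cluster"], f["start_cluster"] + n_clusters))
    for c in range(total_clusters):
        if c not in used:
            regions.append((c * CLUSTER, (c + 1) * CLUSTER, "unallocated", None))
    return sorted(regions, key=lambda r: r[:2])


def classify(offset, regions):
    """Return (kind, owner) of the region that contains a byte offset."""
    for start, end, kind, owner in regions:
        if start <= offset < end:
            return kind, owner
    return "outside-volume", None


def search_image(image, keywords, regions):
    """Search the whole raw image, then label every hit by where it starts.

    Searching the raw bytes (not file by file) is what lets hits in slack and
    in erased data surface. Both encodings are tried because Windows programs
    often store text as UTF-16LE.
    """
    hits = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            pattern = re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)
            for m in pattern.finditer(image):
                kind, owner = classify(m.start(), regions)
                hits.append((m.start(), kw, enc, kind, owner))
    return sorted(hits, key=lambda h: h[:3])


def build_constructed_volume():
    """Constructed 8-cluster volume with live data, slack remnants and erased data."""
    vol = bytearray(CLUSTER * 8)

    def put(offset, data):
        vol[offset:offset + len(data)] = data

    files = [
        {"name": "report.txt", "start_cluster": 0, "size": 1500},  # clusters 0-1
        {"name": "notes.txt", "start_cluster": 3, "size": 300},    # cluster 3
    ]
    put(0, b"Q3 summary: invoice totals attached")        # live file content
    put(1600, b"old draft: Card Number list")             # left over in report.txt slack
    put(3072, b"meeting notes")                           # live file content
    put(5200, "password reset log".encode("utf-16-le"))   # erased file, cluster 5
    return bytes(vol), files


def demo():
    image, files = build_constructed_volume()
    regions = build_region_map(files, total_clusters=len(image) // CLUSTER)
    keywords = ["invoice", "card number", "password"]     # Step 7: key word list
    return search_image(image, keywords, regions)


if __name__ == "__main__":
    for offset, kw, enc, kind, owner in demo():
        print(f"offset {offset:5d}  {kw!r:14} {enc:9}  {kind:11}  {owner}")
```

Each hit is reported with its byte offset in the image so that the finding can be documented and reproduced from the authenticated copy.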
