
Session II

Investigation of Cyber Crimes & Forensics
Biju Pattnaik State Police Academy
Bhubaneswar
By
Dr. Tabrez Ahmad
Associate Professor of Law
www.site.technolexindia.com
tabrezahmad7@gmail.com
http://technolexindia.blogspot.com
Agenda

1. The possible reliefs to a cybercrime victim and strategy adoption
2. The preparation for prosecution
3. Admissibility of digital evidence in courts
4. Defending an accused in a computer-related crime
5. The techniques of cyber investigation and forensic tools
6. Future course of action
Possible reliefs to a cybercrime victim: strategy adoption
- A victim of cybercrime should immediately report the matter to the local police station and to the nearest cybercrime cell.
- Depending on the nature of the crime there may be civil and/or criminal remedies.
- Civil remedies: injunctions and restraint orders may be sought, together with damages, delivery up of the infringing material and/or an account of profits.
- Criminal remedies: the police register a case (FIR under Section 154 CrPC) if the offence is cognizable; if it is non-cognizable, a complaint is filed before the Magistrate, who may direct the police to investigate (Section 155 CrPC).
- For certain offences both civil and criminal remedies are available to the victim.

Dr. Tabrez ahmad, www.site.technolexindia.com,


3 http://technolexindia.blogspot.com 12/7/21
Before lodging a cybercrime case
- Important parameters:
  - Gather ample evidence that is admissible in a court of law (preserved with hash values and a documented chain of custody).
  - Fulfil the criteria of pecuniary, territorial and subject-matter jurisdiction of the court.
  - Determine jurisdiction: the case may be filed where the offence was committed or where the effect of the offence is felt (Sections 177 to 179, CrPC). Section 75 of the IT Act extends the Act to offences committed outside India that involve a computer, computer system or network located in India.

The criminal prosecution pyramid (from base to apex)

1. Initiation of criminal proceedings: cognizance of the offence by the Magistrate
2. Examination of the complainant on oath
3. Examination of the witnesses
4. Issue of process: summons or warrant
5. Framing of the charge (contents of the charge)
6. Trial
7. Conviction or acquittal
Preparation for prosecution
- Collect all available evidence and preserve copies or snapshots of it, recording the hash value of each item at the time it is taken.
- Seek a cyberlaw expert's immediate assistance for advice on preparing for prosecution.
- Prepare a chronological background history of the facts.
- Write down the names and addresses of the suspected accused.
- Draft the complaint and the remedies the victim seeks.
- The cyberlaw expert and the police can assist in gathering further evidence, e.g. tracing the IP address in the case of e-mails, or search and seizure or arrest as appropriate to the situation.
- A cyber forensic examination of the hardware, equipment or network server related to the cybercrime is generally essential.

Government initiative
- The Cyber Crime Investigation Cell (CCIC) of the CBI was notified in September 1999 and started functioning on 3 March 2000.
- It is located in New Delhi, Mumbai, Chennai and Bangalore.
- The jurisdiction of the cell extends to the whole of India.
- Any incident of cyber crime can be reported to any police station, irrespective of whether it maintains a separate cyber cell or not.

The Indian Computer Emergency Response Team (CERT-In)
IT (Amendment) Act 2008
The provision as it appeared in the amendment Bill:
"70A. (1) The Indian Computer Emergency Response Team (CERT-In) shall serve as the national nodal agency in respect of Critical Information Infrastructure for coordinating all actions relating to information security practices, procedures, guidelines, incident prevention, response and report.
(2) For the purposes of sub-section (1), the Director of the Indian Computer Emergency Response Team may call for information pertaining to cyber security from the service providers, intermediaries or any other person."
Note: in the Act as finally enacted, CERT-In is constituted under Section 70B (the national agency for incident response; the power to call for information from service providers, intermediaries, data centres and others is Section 70B(6)), while Section 70A provides for a separate national nodal agency for the protection of Critical Information Infrastructure.

Cognizability and bailability
As per the IT (Amendment) Act 2008, Section 77B:
- Offences punishable with imprisonment of three years and above are cognizable (the police may register an FIR and investigate without a Magistrate's order).
- Offences punishable with imprisonment of three years are bailable; offences carrying a higher term follow the CrPC schedule and are non-bailable (see, for example, Section 70 below).

Power of police to investigate
· Section 156 Cr.P.C.: power to investigate cognizable offences.
· Section 155 Cr.P.C.: power to investigate non-cognizable offences (only with the order of a Magistrate).
· Section 91 Cr.P.C.: summons to produce documents or other things.
· Section 160 Cr.P.C.: power to require the attendance of witnesses.

Power of police to investigate (contd.)
· Section 165 Cr.P.C.: search by a police officer.
· Section 93 Cr.P.C.: general provision as to search warrants.
· Section 47 Cr.P.C.: search of a place entered by a person sought to be arrested.
· Section 78 of the IT Act, 2000: power to investigate offences under the Act; officer not below the rank of Inspector (after the 2008 amendment; originally Deputy Superintendent of Police).
· Section 80 of the IT Act, 2000: power of a police officer (not below the rank of Inspector) to enter any public place and search and arrest without warrant.
Amendments to the Indian Evidence Act 1872
- Section 3 of the Evidence Act was amended so that the definition of "evidence" covers electronic records along with paper-based records as documents that can be produced before the court for inspection.
- Section 4 of the IT Act confers legal recognition on electronic records.

Societe des Produits Nestle SA case, 2006 (33) PTC 469 (Del)

- By virtue of Section 65A, the contents of electronic records may be proved in evidence by the parties in accordance with Section 65B.
- Held: sub-section (1) of Section 65B makes admissible as a document a paper print-out of an electronic record stored in optical or magnetic media produced by a computer, subject to fulfilment of the conditions in sub-section (2) of Section 65B:
  a) the computer output was produced by the computer during a period over which the computer was regularly used to store or process information for the purposes of activities regularly carried on over that period by the person having lawful control over the use of the computer;
  b) during that period, information of the kind contained in the record was regularly fed into the computer in the ordinary course of those activities;
  c) throughout the material part of that period the computer was operating properly or, if not, any period in which it was not operating properly did not affect the electronic record or the accuracy of its contents;
  d) the information contained in the record reproduces or is derived from information fed into the computer in the ordinary course of those activities.
- Practical check: the output should be accompanied by the certificate under Section 65B(4), identifying the record, describing the manner in which it was produced and the device involved, and signed by a person occupying a responsible official position in relation to the operation of the device.
- See also State v Mohd Afzal, 2003 (7) AD (Delhi) 1.

State v Navjot Sandhu, (2005) 11 SCC 600
- Held, while examining Section 65B of the Evidence Act, that even if the certificate containing the details required by sub-section (4) of Section 65B is not filed, that does not mean that secondary evidence cannot be given.
- Sections 63 and 65 of the Indian Evidence Act enable secondary evidence of the contents of a document to be adduced if the original is of such a nature as not to be easily movable.
- Caveat: this holding was overruled in Anvar P.V. v P.K. Basheer, (2014) 10 SCC 473, and the position was reaffirmed in Arjun Panditrao Khotkar v Kailash Kushanrao Gorantyal, (2020) 7 SCC 1: where an electronic record is produced as secondary evidence (a print-out or a copy on media), the Section 65B(4) certificate is mandatory and Sections 63 and 65 cannot be used to bypass it. A prosecution relying on call records, server logs or e-mail print-outs must therefore obtain the certificate from the person in charge of the system that produced them.

Presumptions in law: Section 85B, Indian Evidence Act
- In any proceedings involving a secure electronic record, the court shall presume, unless the contrary is proved, that the secure electronic record has not been altered since the specific point of time to which the secure status relates.
- In any proceedings involving a secure digital signature, the court shall presume, unless the contrary is proved, that the secure digital signature is affixed by the subscriber with the intention of signing or approving the electronic record.

Presumption as to electronic messages: Section 88A, Evidence Act
- The court may presume that an electronic message forwarded by the originator through an electronic mail server to the addressee to whom the message purports to be addressed corresponds with the message as fed into the originator's computer for transmission.
- The court shall not make any presumption as to the person by whom the message was sent; the identity of the sender must be proved separately (for example, through header analysis, mail server logs and ISP records).
- The presumption concerns the content of the message, not the fact of delivery: that the message was forwarded from the mail server to the addressee, on the date and time indicated, should be established from the server's own records.

IT (Amendment) Act 2008: Section 79A
- Section 79A empowers the Central Government to notify any department, body or agency of the Central or a State Government as an Examiner of Electronic Evidence, for the purpose of providing expert opinion on evidence in electronic form before any court or other authority.
- Until then, reports of the Central Forensic Science Laboratory (CFSL), Hyderabad, were the ones relied on for evidentiary value in courts.
- Statutory status for an examining agency under Section 79A is of vital importance in the criminal prosecution of cybercrime cases in India.

Probable activities for the defence of an accused in a cybercrime case
- Preparation of a chain-of-events table
- Probing where evidence could be traced: e-mail inbox, files and folders, web history
- Whether the accused used any evidence-erasing software or tools
- Forensic screening of the hardware, data, files, print-outs, camera, mobile phone and pen drives of evidentiary value
- Formatting is not a solution: formatted and deleted data is frequently recoverable
- Applying for anticipatory bail
- Challenging the evidence produced by the opposite party and looking for gaps (breaks in the chain of custody, a missing Section 65B certificate, hash mismatches between the original and the analysed copy)
- Filing a cross-complaint if appropriate

Section 69: Decryption of information
Ingredients (as originally enacted in 2000)
- The Controller issues an order to a Government agency to intercept any information transmitted through any computer resource.
- The order is issued in the interest of
  - the sovereignty or integrity of India,
  - the security of the State,
  - friendly relations with foreign States,
  - public order, or
  - preventing incitement to the commission of a cognizable offence.
- A person in charge of the computer resource who fails to extend all facilities and technical assistance to decrypt the information is punishable with imprisonment up to 7 years.
After the 2008 amendment, the direction is issued by the Central or State Government (or an officer specially authorised by it), covers interception, monitoring and decryption, may also be issued for the investigation of any offence, and failure to assist is punishable with imprisonment up to 7 years and fine.
Section 70: Protected system
Ingredients
- Securing unauthorised access, or attempting to secure unauthorised access, to a "protected system" (a computer resource notified as such by the appropriate Government under Section 70).
Acts covered by this section:
- Switching the computer on or off
- Using installed software or hardware
- Installing software or hardware
- Port scanning
Punishment
- Imprisonment up to 10 years and fine
- Cognizable, non-bailable, triable by the Court of Sessions

Computer forensics and cyber forensics
Computer forensics is the use of analytical and investigative techniques to identify, collect, examine, preserve and present evidence or information that is stored or encoded on digital media.
A better definition for law enforcement is the scientific method of examining and analysing data from computer storage media so that the data can be used as evidence in court.
Media: computers, mobile phones, PDAs, digital cameras, etc.

Handling of evidence by cyber analysts

[Figure: Identify -> Collect, observe and preserve -> Analyse, identify and organise -> Verify]

Four major tasks for working with digital evidence:
1. Identify any digital information or artefacts that can be used as evidence.
2. Collect, observe and preserve the evidence.
3. Analyse, identify and organise the evidence.
4. Rebuild the evidence or repeat the situation to verify that the same result is obtained every time, checking the hash value of the acquired data against the original.
Incident response: a precursor to the techniques of cyber investigation and forensic tools
- "Incident response" can be defined as a precise set of actions to handle any security incident in a responsible, meaningful and timely manner.
- Goals of incident response:
  - To confirm whether an incident has occurred
  - To promote the accumulation of accurate information
  - To educate senior management
  - To help in the detection and prevention of such incidents in the future
  - To provide rapid detection and containment
  - To minimise disruption to business and network operations
  - To facilitate criminal action against the perpetrators

Six steps of incident response
1. Pre-incident preparation
2. Detection of incidents
3. Initial response
4. Investigate the incident
Techniques of cyber investigation: cyber forensics
- Computer forensics, also called cyber forensics, is the application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law.
- The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence, to find out exactly what happened on a computer and who was responsible for it.

6 A's of digital forensics
1. Assessment
2. Acquisition
3. Authentication
4. Analysis
5. Articulation
6. Archival
Rules of evidence
- Computer forensic components:
  - Identifying
  - Preserving
  - Analysing
  - Presenting evidence in a legally admissible manner

FBI handbook of forensic investigation: techniques for computer forensics
- Examine the type of content in the computer
- Comparison of data files
- Transactions: to know the time and sequence in which data files were created
- Data files can be extracted from the computer
- Deleted data files can be recovered from the computer
- Data files can be converted from one format to another
- Keyword searching, including for passwords
- Limited source code can be analysed and compared
- Storage media used with stand-alone word processors can be examined
Sources of evidence

- Existing files
- Deleted files
- Logs
- Special system files (registry etc.)
- E-mail archives, printer spools
- Administrative settings
- Internet history
- Chat archives
- Misnamed files
- Encrypted files, password-protected files, etc.

Cyber forensics in accounting frauds
- Use of CAATs (computer-assisted audit techniques): spreadsheets such as Excel, MS Access
- Generalised audit software (PC-based file interrogation software): IDEA, ACL
- These help detect fictitious suppliers, duplicate payments and theft of inventory
- Tender manipulation, secret commissions
- False financial reporting
- Expense account misuse
- Insider trading

Establishment and maintenance of chain of custody

- Tools required:
  - Evidence notebook
  - Tamper-evident labels
  - Permanent ink pen
  - Camera
- Document the following:
  - Who reported the incident, along with the critical dates and times
  - Details leading up to the formal investigation
  - Names of all people conducting the investigation
  - Establish and maintain a detailed activity log

Maintaining chain of custody
- Take pictures of the evidence; document the "crime scene" details
- Document identifiable markings on the evidence
- Catalogue the system contents
- Document serial numbers, model numbers and asset tags
- "Bag" it: maintain the chain-of-custody record on a tamper-proof evidence bag
- Take a picture of the bagged and labelled item

E-mail forensics
- An e-mail is composed of two parts: header and body
- Examine the headers (the Received chain, Message-ID, Return-Path and the claimed From address)
- Request information from the ISP
- Trace the IP address
- Tools: EnCase, FTK, Final eMail
- Sawmill, GroupWise
- Audimation for logging
- Cracking the password: brute-force attack, smart search, dictionary search, date search, customised search, guaranteed decryption, known-plaintext attack
- Passware, Ultimate ZIP Cracker, OfficeRecovery Enterprise, etc.

Computer forensic analysis within the forensic tradition

- Alphonse Bertillon ("freezing the scene"): in 1879 he introduced a methodical way of documenting the scene by photographing bodies, items, footprints and bloodstains in situ, with relative measurements of location, position and size. Bertillon is thus the first known forensic photographer.
- Bertillonage: a system of identifying individuals by a series of body measurements; it was in use until about 1910 and was rendered obsolete by the discovery that fingerprints were unique.

Key principle of forensics

Edmond Locard articulated one of forensic science's key rules, known as Locard's Exchange Principle:

"The principle states that when two items or persons come into contact, there will be an exchange of physical traces. Something is brought, and something is taken away, so that suspects can be tied to a crime scene by detecting these traces."

Stakeholders
- National security
- Customs and Excise
- Law enforcement agencies
- Businesses (embezzlement, industrial espionage, theft of confidential information, and racial or sexual harassment)
- Corporate crime (according to reports, the accountants and auditors for Enron not only used e-mail to communicate but subsequently deleted those e-mails)

Problems in the Indian context
- No standard for computer forensics has yet been developed.
- No guidelines for companies dealing with electronic data during disputes.
- No recognition of any forensic tool.
- Issues related to anti-forensics are not discussed.

Overall scenario

- To date, computer forensics has been driven primarily by vendors and applied technologies, with very little consideration given to establishing a sound theoretical foundation.
- The national and international judiciary has already begun to question the "scientific" validity of many of the ad hoc procedures and methodologies and is demanding proof of some theoretical foundation and scientific rigour.

Contd.

- Commercial software tools are also a problem, because software developers need to protect their code to prevent competitors from copying their product.
- However, since most of the code is not made public, it is very difficult for anyone outside the vendor to verify the error rates of the software, and so the reliability of its performance remains open to question.

Contd.
The specialised tools used by a computer forensic expert are viewed as intolerably expensive by many corporations, and as a result many corporations simply choose not to invest any meaningful money in computer forensics. This trend amplifies cyber crime rates.

Open source tools have likewise not been systematically tested or verified for their effectiveness for the above purposes (an open research question).

Legal aspects
- The growing demand for security and certainty in cyberspace leads to more stringent laws.
- Violation and enforcement of these laws (cyber laws) must be distinguished from classical criminal activity and classical criminal law enforcement.
- The dynamics between these different forms of law violation and law enforcement are important and must be addressed.

Computer forensic tools
Forensic Toolkit (FTK):

FTK is developed by AccessData Corporation (USA); it enables law enforcement and corporate security professionals to perform complete and in-depth computer forensic analysis.

[Figure: Main window of FTK]
Typical tools
- Email Tracer
- TrueBack
- CyberCheck
- Manual examination
Current and emerging cyber forensic tools of law enforcement
EnCase Forensic:

EnCase Forensic, developed by Guidance Software, USA (now part of OpenText), is one of the most widely used computer forensic investigation tools. With an intuitive graphical user interface (GUI), strong analytics, e-mail and Internet artefact support and a powerful scripting engine (EnScript), EnCase provides investigators with a single robust tool capable of conducting large-scale and very complex investigations from beginning to end.

[Figure: Main window of EnCase]
EnCase Forensic is a very useful forensic solution, but it lacks the following important feature:

- There is no password cracking or recovery facility in EnCase Forensic, so if during the investigation the examiner detects password-protected files, he has to rely on third-party tools.

Email Tracer forensic tool
Features of Email Tracer
- Display of actual mail content for Outlook Express, Eudora, MS Outlook and mail clients with MBOX mailboxes.
- Display of the mail content (HTML / text).
- Display of the mail attributes for Outlook Express.
- Display of extracted e-mail header information.
- Save mail content as an .EML file.
- Display and extraction of all e-mail attachments.
- Display of the e-mail route.
- IP trace to the sender's system.
- Domain name look-up.
- Display of the geographical location of the sender's gateway on a world map.
- Mail server log analysis for evidence collection.
- Access to a database of country codes along with IP address information.

E-mail tracing over the web as a pre-emptive tool
E-mail tracing service:
- Users can submit their tracing task to Email Tracer through the web.
- Tracing of the IP address up to city level (for non-spoofed mail).
- Detection of spoofed mail.
- Detailed report.
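The header walk that Email Tracer automates (display of the e-mail route, IP trace to the sender's system, detection of spoofed mail) and the header examination listed under E-mail forensics above can be reproduced with the Python standard library. The following is an added example, not part of the original slides and not Email Tracer's code: the raw message is constructed for the demo and uses the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) in place of public addresses, and the spoof heuristics are assumptions of this example rather than rules taken from the tool.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed sample: a phishing mail claiming to come from bank.example.com
# but injected through a third-party relay. Documentation ranges stand in for
# public addresses; 192.168.1.23 is the sender's real LAN address.
RAW_MAIL = """Return-Path: <bounce@mailer.example.net>
Received: from mx1.victim.example (mx1.victim.example [203.0.113.5])
    by mail.victim.example with ESMTP id abc123; Tue, 6 Jul 2021 10:02:11 +0530
Received: from relay.example.net (relay.example.net [198.51.100.7])
    by mx1.victim.example with ESMTPS; Tue, 6 Jul 2021 10:02:09 +0530
Received: from [192.168.1.23] (unknown [192.0.2.44])
    by relay.example.net with ESMTPA id xyz; Tue, 6 Jul 2021 10:02:01 +0530
From: "Bank Support" <support@bank.example.com>
To: victim@victim.example
Message-ID: <20210706100200.1234@mailer.example.net>
Subject: Verify your account

Click the link to verify.
"""

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Addresses that cannot be the public origin of a mail (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def reconstruct_route(raw: str) -> List[Dict[str, object]]:
    """Return the hops in chronological order (origin first).

    Each receiving MTA prepends its own Received header, so the bottom-most
    header is the earliest hop and the top-most is the final delivery.
    """
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(hdr.split())          # unfold continuation lines
        m_from = re.search(r"^from (\S+)", text)
        m_by = re.search(r" by (\S+)", text)
        ips = IPV4_RE.findall(text)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "ips": ips,
            "routable_ips": [ip for ip in ips if not is_internal(ip)],
        })
    return hops


def originating_ip(raw: str) -> Optional[str]:
    """First routable address at the earliest hop: the address to name in the ISP request."""
    for hop in reconstruct_route(raw):
        if hop["routable_ips"]:
            return hop["routable_ips"][0]
    return None


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoof_indicators(raw: str) -> List[str]:
    """Inconsistencies between the claimed sender and the envelope/route (heuristics assumed for this demo)."""
    msg = message_from_string(raw)
    findings: List[str] = []
    from_dom = _domain(parseaddr(msg.get("From", ""))[1])
    rp_dom = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    mid_dom = _domain((msg.get("Message-ID") or "").strip("<>"))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    if mid_dom and mid_dom != from_dom:
        findings.append(f"Message-ID domain {mid_dom} differs from From domain {from_dom}")
    hops = reconstruct_route(raw)
    if hops and hops[0]["from"] and not hops[0]["from"].endswith(from_dom):
        findings.append(f"originating host {hops[0]['from']} is not in {from_dom}")
    return findings
```

Only the Received headers added by servers the investigator controls or can subpoena (here the victim's own mx1 and mail hosts) are trustworthy; everything below them was supplied by the sender's side and can be forged outright. The originating address therefore has to be corroborated with the relay's or ISP's logs obtained under a Section 91 CrPC summons before it is put in a charge sheet.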

Seizure and acquisition tool: TrueBack
Features of TrueBack
- DOS application with an event-based windowing system.
- Self-integrity check.
- Minimum system configuration check.
- Extraction of system information.
- Three modes of operation:
  - Seize
  - Acquire
  - Seize and Acquire

- Disk imaging through the parallel port.
- Disk imaging using a network interface card.
- Block-by-block acquisition with a data integrity check on each block.
- IDE/SCSI, USB, CD and floppy acquisition.
- Acquisition of floppies and CDs in batch mode.
- Write protection on all storage media except the destination media.
- Checking for sterile destination media.
- Progress bar display in all modes of operation.
- Report generation in all modes of operation.
- BIOS and ATA mode acquisition.
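TrueBack's block-by-block acquisition with an integrity check on each block, and the hash verification step listed under Handling of evidence earlier, amount to the procedure below. This is an added example in Python, not TrueBack's own code and not from the slides: it images a constructed "disk" file sector by sector, records a whole-image SHA-256 together with a per-block hash list, and then re-verifies the image so that a later alteration can be localised to the block it hit. The 512-byte block size, the file names and the tampering scenario are assumptions of the demo.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

BLOCK_SIZE = 512  # assumed sector size for the demo; a real acquisition uses the device's sector size


def acquire_image(src_path: str, dst_path: str, block_size: int = BLOCK_SIZE) -> Tuple[str, List[str]]:
    """Copy src to dst block by block.

    Returns the SHA-256 of the whole image (the value that goes into the
    seizure memo and the Section 65B certificate) and a per-block SHA-256
    list that lets a later verification pinpoint where an image was altered.
    """
    whole = hashlib.sha256()
    block_hashes: List[str] = []
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            block = src.read(block_size)
            if not block:
                break
            dst.write(block)
            whole.update(block)
            block_hashes.append(hashlib.sha256(block).hexdigest())
    return whole.hexdigest(), block_hashes


def verify_image(path: str, expected_whole: str, expected_blocks: List[str],
                 block_size: int = BLOCK_SIZE) -> List[int]:
    """Re-hash the image and return the indices of blocks that no longer match.

    An empty list means the image is intact. len(expected_blocks) is returned
    when the image has grown, and -1 when the whole-image hash differs although
    no individual block does (a corrupted hash list rather than a corrupted image).
    """
    bad: List[int] = []
    whole = hashlib.sha256()
    with open(path, "rb") as f:
        for index, expected in enumerate(expected_blocks):
            block = f.read(block_size)
            whole.update(block)
            if hashlib.sha256(block).hexdigest() != expected:
                bad.append(index)
        if f.read(1):
            bad.append(len(expected_blocks))
    if not bad and whole.hexdigest() != expected_whole:
        bad.append(-1)
    return bad


def demo() -> Dict[str, object]:
    """Constructed scenario: image a four-sector 'disk', verify, tamper with one byte, verify again."""
    workdir = tempfile.mkdtemp()
    suspect = os.path.join(workdir, "suspect_disk.bin")   # stands in for the seized device
    image = os.path.join(workdir, "suspect_disk.dd")
    with open(suspect, "wb") as f:
        f.write(bytes(range(256)) * 8)                    # 2048 bytes = 4 blocks of 512
    whole_hash, block_hashes = acquire_image(suspect, image)
    clean = verify_image(image, whole_hash, block_hashes)
    with open(image, "r+b") as f:                          # simulate post-acquisition tampering
        f.seek(3 * BLOCK_SIZE + 10)
        f.write(b"\xff")
    tampered = verify_image(image, whole_hash, block_hashes)
    return {"blocks": len(block_hashes), "clean": clean, "tampered": tampered,
            "sha256": whole_hash}


if __name__ == "__main__":
    print(demo())
```

The whole-image hash is what the seizure memo, the panch witnesses and the Section 65B certificate should carry; the per-block list stays with the examiner's working notes, because when a verification fails the defence will ask where and how much of the image differs, and a single mismatched digest cannot answer that.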
Analysis tool: CyberCheck
CyberCheck Suite:

The IT Act 2000 is India's first attempt to combat cyber crime. To assist in the enforcement of the IT Act, the Department of Information Technology, Ministry of Communications and Information Technology, has set up a Technical Resource Centre for Cyber Forensics at C-DAC, Thiruvananthapuram.

CyberCheck is a forensic analysis tool developed by C-DAC Thiruvananthapuram.

[Figure: Probe window of CyberCheck Suite]
CyberCheck: features
- Standard Windows application.
- Self-integrity check.
- Minimum system configuration check.
- Analyses evidence files containing FAT12, FAT16, FAT32, NTFS and EXT2 file systems.
- Analyses evidence files created by the following disk imaging tools:
  - TrueBack
  - LinkMASSter
  - EnCase
- User login facilities.
CyberCheck: features (contd.)
- Creates a log of each analysis session and the analysing officer's details.
- Block-by-block data integrity verification while loading the evidence file.
- Explorer-type view of the contents of the whole evidence file.
- Display of folders and files with all attributes.
- Show/hide system files.
- Sorting of files based on file attributes.
- Text/hex view of the content of a file.
- Picture view of an image file.
- Gallery view of images.
CyberCheck: features (contd.)
- Graphical representation of the following views of an evidence file:
  - Disk view
  - Cluster view
  - Block view
- Timeline view of:
  - All files
  - Deleted files
  - Time-anomaly files
  - Signature-mismatched files
  - Files created within a time frame
CyberCheck: features (contd.)
- Display of the cluster chain of a file.
- Single and multiple keyword search.
- Extraction of disk, partition, file and MBR slack.
- Exclusive search in slack space.
- Extraction of unused unallocated clusters and their exclusion from the search space.
- Exclusive search in used unallocated clusters.
- Extraction of lost clusters.
- Exclusive search in data extracted from lost clusters.
- Extraction of swap files.
- Exclusive search in data extracted from swap files.

CyberCheck: features (contd.)
- File search based on file extension.
- File search based on hash value.
- Exclusion of system files from the search space.
- Data recovery from deleted files, slack space, used unallocated clusters and lost clusters.
- Recovery of formatted partitions.
- Recovery of deleted partitions.
- Exporting files, folders and slack content.
- Exporting the folder structure, including file names, into a file.
- Exporting files to an external viewer.
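Data recovery from unallocated clusters and recovery of formatted partitions work because formatting or deleting discards only file-system metadata; the file contents stay on the media until they are overwritten, which is why "formatting is not a solution" for an accused. A minimal header/footer carver, written in Python as an added example (not CyberCheck's algorithm and not from the slides), shows the idea over a constructed raw image that has no file system at all. The signature table, the size limit and the sample image are assumptions of the demo.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# (header, footer) pairs for a few file types: an assumed, deliberately small table.
CARVERS: Dict[str, Tuple[bytes, bytes]] = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 50 * 1024 * 1024  # give up on a header whose footer is more than 50 MiB away (assumed limit)

Carved = Tuple[str, int, int]  # (type, offset, length)


def carve(image: bytes, max_len: int = MAX_CARVE) -> List[Carved]:
    """Scan a raw image for header/footer pairs, ignoring any file-system structure.

    A header without a matching footer within max_len bytes is treated as a
    truncated or fragmented file and skipped here; find_orphan_headers()
    reports it separately so the examiner knows it was there.
    """
    found: List[Carved] = []
    for kind, (head, foot) in CARVERS.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start < 0:
                break
            end = image.find(foot, start + len(head), start + max_len)
            if end < 0:
                pos = start + 1
                continue
            end += len(foot)
            found.append((kind, start, end - start))
            pos = end
    return sorted(found, key=lambda item: item[1])


def find_orphan_headers(image: bytes, max_len: int = MAX_CARVE) -> List[Tuple[str, int]]:
    """Headers for which no footer follows: candidates for manual examination."""
    carved_starts = {(kind, off) for kind, off, _ in carve(image, max_len)}
    orphans = []
    for kind, (head, _) in CARVERS.items():
        pos = 0
        while (start := image.find(head, pos)) >= 0:
            if (kind, start) not in carved_starts:
                orphans.append((kind, start))
            pos = start + 1
    return sorted(orphans, key=lambda item: item[1])


def export_carved(image: bytes, out_dir: str) -> List[str]:
    """Write each carved object to out_dir, named by offset and SHA-256 so the hash is on record."""
    os.makedirs(out_dir, exist_ok=True)
    written = []
    for kind, off, length in carve(image):
        blob = image[off:off + length]
        name = f"{off:08x}_{hashlib.sha256(blob).hexdigest()[:16]}.{kind}"
        with open(os.path.join(out_dir, name), "wb") as f:
            f.write(blob)
        written.append(name)
    return written


def build_sample_image() -> Tuple[bytes, List[Carved]]:
    """Constructed 'formatted' image: zeroed sectors with three intact objects and one truncated PNG."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-demo-payload" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-demo-payload" + b"IEND\xae\x42\x60\x82"
    pdf = b"%PDF-1.4\n%demo\n" + b"%%EOF"
    truncated = b"\x89PNG\r\n\x1a\n" + b"IHDR-but-no-end"
    image = (b"\x00" * 100 + jpg + b"\xaa" * 50 + png + b"\x00" * 20
             + pdf + b"\x00" * 30 + truncated + b"\x00" * 40)
    expected = [
        ("jpg", 100, len(jpg)),
        ("png", 100 + len(jpg) + 50, len(png)),
        ("pdf", 100 + len(jpg) + 50 + len(png) + 20, len(pdf)),
    ]
    return image, expected
```

Header/footer carving recovers only contiguous files; fragmented files, and formats whose footer also appears inside the file (a JPEG with an embedded thumbnail carries a second FFD9), need the file-system-aware recovery the tool feature list describes, and every carved object should be hashed at the moment it is written out so the export can be tied to the image.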

CyberCheck: features (contd.)
- Local preview of storage media.
- Network preview of storage media using a cross-over cable.
- Bookmarking of folders, files and data.
- Adding bookmarked items to the report.
- Restoration of storage media.
- Creating a raw image.
- Raw image analysis.
- Facility for viewing mailbox files of Microsoft Outlook Express, Microsoft Outlook, Eudora and Linux mail clients.

CyberCheck: features (contd.)
- Registry viewer.
- Hash set of system files.
- Identification of encrypted and password-protected files.
- Identification of steganographed image files.
- Generation of an analysis report with the following features:
  - Complete information on the evidence file system.
  - Complete information on the partitions and drive geometry.
  - Hash verification details.
  - User login and logout information.

CyberCheck: features (contd.)
  - Exported content of text files and slack information.
  - Includes picture files as images.
- Saving the report, search hits and bookmarked items for later use.
- Password protection of the report; printing the report.

Password cracking

GRID-enabled password cracker
Password cracking of ZIP files using a grid

[Figure: grid architecture. The submitting units (Cyber Forensics Lab, FSL, CBI, Police Crime Cell) connect over the Internet to the grid server, which fronts the grid of client machines]

Workflow:
1. Zipped file submission by the requesting unit (Cyber Forensics Lab, FSL, CBI or Police Crime Cell) to the grid server over the Internet.
2. The server receives the job and distributes it to the grid clients.
3. The clients compute and send their results to the server.
4. The grid server sends the results back to the requesting unit over the Internet.
Who's at the keyboard? Biometrics
A software driver associated with the keyboard records the user's typing rhythm (keystroke dynamics). These rhythms are then used to generate a profile of the authentic user, against which later activity at the keyboard can be compared.

Who's at the keyboard? Forensic stylistics
A qualitative approach to authorship that assesses errors and "idiosyncrasies" based on the examiner's experience. This approach could be quantified through databasing.

Who's at the keyboard? Stylometry
A quantitative, computational method focusing on readily computable and countable language features, e.g. word length, phrase length, sentence length, vocabulary frequency and the distribution of words of different lengths.
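The countable features named above can be turned into a profile and compared across samples. The following Python is an added example, not from the slides and not any particular stylometry tool: it computes average word and sentence length, type-token ratio, the distribution of word lengths and a handful of function-word frequencies, then attributes a questioned text to whichever known sample has the nearest profile. The three writing samples and the feature set are constructed assumptions of the demo, and the scale-free distance is a choice made here, not a standard.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed writing samples (assumed, for the demo only).
SAMPLE_A = (
    "The investigation of electronically stored information requires methodical preservation, "
    "because every subsequent examination depends upon the integrity of the original acquisition. "
    "Consequently, examiners document each procedure exhaustively, and they verify cryptographic "
    "hashes before and after analysis."
)
SAMPLE_B = (
    "We got the disk. We made a copy. Then we checked it. The hash matched. Good. "
    "Next we looked at the files. Nothing odd there."
)
QUESTIONED = (
    "Furthermore, the admissibility of electronic evidence depends upon demonstrable continuity "
    "of custody, because unexplained gaps invite challenges that undermine otherwise reliable findings."
)

FUNCTION_WORDS = ["the", "and", "of", "because", "we", "it", "that"]
WORD_RE = re.compile(r"[A-Za-z']+")
SENT_RE = re.compile(r"[.!?]+")


def features(text: str) -> Dict[str, float]:
    """Countable features of the kind stylometry relies on, normalised so texts of different length compare."""
    sentences = [s for s in SENT_RE.split(text) if WORD_RE.search(s)]
    words = [w.lower() for w in WORD_RE.findall(text)]
    n = len(words)
    counts = Counter(words)
    lengths = Counter(min(len(w), 10) for w in words)   # bucket words of 10+ letters together
    feats = {
        "avg_word_len": sum(len(w) for w in words) / n,
        "avg_sentence_len": n / len(sentences),
        "type_token_ratio": len(counts) / n,
    }
    for k in range(1, 11):
        feats[f"len_{k}"] = lengths[k] / n            # distribution of word lengths
    for fw in FUNCTION_WORDS:
        feats[f"fw_{fw}"] = counts[fw] / n            # function-word frequencies
    return feats


def distance(a: Dict[str, float], b: Dict[str, float]) -> float:
    """Mean relative difference per feature, so sentence length cannot swamp the ratio features."""
    total = 0.0
    for key in a:
        denom = max(abs(a[key]), abs(b[key]), 1e-9)
        total += abs(a[key] - b[key]) / denom
    return total / len(a)


def rank(questioned: str, known: Dict[str, str]) -> List[Tuple[str, float]]:
    """All candidate authors ordered from nearest to farthest profile."""
    q = features(questioned)
    scored = [(label, round(distance(q, features(text)), 3)) for label, text in known.items()]
    return sorted(scored, key=lambda item: item[1])


def attribute(questioned: str, known: Dict[str, str]) -> str:
    """Label of the known sample whose feature profile is closest to the questioned text."""
    return rank(questioned, known)[0][0]
```

With samples this short the attribution is illustrative only; a defensible opinion needs several hundred words per candidate, a held-out test that the method separates the known authors from each other, and an error rate the examiner can state in court, which is exactly the "scientific rigour" point raised in the Overall scenario above.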

[Table: Comparison between EnCase Version 6.0, FTK and CyberCheck Suite]
Multi-dimensional challenges
Technical
- Ubiquity of computers
- Crimes occur in all jurisdictions
- Training law enforcement agencies becomes a challenge
- The technology revolution leads to newer systems, devices, etc.

Operational
- All data must be gathered and examined for evidence
- Gigabytes of data
- Problems of storage, analysis and presentation
- No standard solution as yet

Social
This results in:
- Uncertainties about the effectiveness of current investigation techniques
- Sub-optimal use of resources
- Privacy concerns

Legal
- The uses and boundaries of digital evidence in legal procedures are still unclear
- Current tools and techniques are not rigorously used or contested in court

Challenges faced by law enforcement

Awareness: Technology is changing very rapidly, and so is the incidence of cyber crime, yet there is no proper awareness of crime patterns and the latest tools. People are so unaware that it is effortless for cyber criminals to attack. People are afraid to report crimes, and some crimes are not properly recorded. The reason is that the victim is either scared of police harassment or of adverse media publicity. For minority and marginalised groups who already bear the brunt of media bias, reporting online harassment to the police may simply draw further unwanted attention. The public is not aware of the resources and services that law enforcement could provide to a victim of crime or a witness.

 Technical Issues: A large amount of storage space is required for storing the imaged evidence and also for storing retrieved evidence after analysis. Retrieved evidence might contain documents, pictures, videos and audio files, which take up a lot of space. Technical issues can further be categorised into software and hardware issues.
Software and Hardware Issues: The growth of cyber crime has given rise to numerous forensic software vendors. The challenge is to choose among them, and since no single forensic tool solves the entire case, there are loads of third-party tools available. So is the case with hardware tools; the most common and reliable h/w tool is the FRED. But when it comes to mobile forensics it is a challenge to decide the compatibility of different phones and which h/w to rely on.
Recently China has been manufacturing mobile phones that have cloned IMEI numbers, which is a current challenge faced in mobile forensics.

Information sharing: Information sharing is a best practice and can be accomplished by a variety of means such as interacting with industry groups, attending briefings, meetings, seminars and conferences, and working actively with forensic bodies like CDAC.
Inadequate Training and Funds: Due to the growing number of cyber forensic tools, law enforcement does not get adequate training and awareness on innovative tools. Training bodies are limited and are pricey. Funding is insufficient to send officers for training and to invest in future enhancements. Transfers and recruiting of officers add to the loss of experienced staff and the spending on training the newcomers. Cases become pending in such circumstances.
Global Issues: Most of the IP addresses retrieved during investigation lead to servers or computers located abroad which have no identity; hence further investigations are blocked and closed. Correspondence with bodies such as Google, Yahoo and Hotmail is quite time consuming and prolongs the investigations.

Wireless or Wi-Fi, Bluetooth, Infrared Issues: The latest wireless technologies which provide internet connections invite exploitation, especially when they are not secured. This is the present technology that terrorists and radical activists exploit. This is another vulnerability that law enforcement faces.
Future Course of Action
 Mumbai Cyber lab is a joint initiative of Mumbai police and NASSCOM; more exchange and coordination of this kind
 More public awareness campaigns
 Training of police officers to effectively combat cyber crimes
 More cyber crime police cells set up across the country
 Effective e-surveillance
 Websites aid in creating awareness and encouraging reporting of cyber crime cases.
 Specialised training of forensic investigators and experts
 Active coordination between police and other law enforcement agencies and authorities is required.
Do you have any questions?
Thanks