
Computer Crime and Computer Forensics: Investigative Techniques
Computer Power
A computer is a powerful tool in a limitless cyberspace. The power of one computer is the power of all the computers connected to it.
Cyberspace is a new space with new risks. It is a virtual medium.
It has its own dark corners and alleys, visited by cyber criminals.
Cyber Crime & Importance of the Computer
- Cyber crimes originate from the abuse of computers.
- The law now recognizes the computer as a tool in criminal activity.
- A computer can be both a 'weapon of offence' and a 'victim of crime'.
Advantages of Being a Cyber Criminal
- Anonymity, real or perceived
- No immediate physical risk
- Prevention is expensive and uncertain
- Lag between action and detection
- The tools of offence are legitimate, everyday software
Investigation of Cyber Crimes: Computer Forensics & Its Tools
Starting point of a Cyber Crime
- Unauthorized access to computer programmes or data
- Unauthorized access with a further criminal intent
- Unauthorized modification of computer material
Establishing the Nature of the Offence
•that the computer performed a function as a consequence of seeking or gaining access
•that the access was unauthorized
•that the person concerned knew that the access was unauthorized
•that the access was a preliminary to the commission or facilitation of a further serious offence
•that the intention behind the modification was to impair the operation of the computer in some way.
Classification of Cyber Crimes
Cyber crimes can be categorized as:
•Data-related theft and interception
•Network intrusion and sabotage
•Hacking and virus distribution
•Fraud, forgery, obscenity, breach of privacy, etc.
Classification of Cyber Offences (contd.)

Section   Offence                                                 Cognizable?      Bailable?
S. 65     Tampering with computer source documents                Cognizable       Non-bailable
S. 66     Hacking with computer system                            Cognizable       Non-bailable
S. 67     Publishing of obscene information in electronic form    Cognizable       Non-bailable
S. 70     Protected system                                        Cognizable       Non-bailable
S. 72     Breach of confidentiality and privacy                   Non-cognizable   Bailable
Power to Investigate Offences (S. 78)
Notwithstanding anything contained in the Code of Criminal Procedure, a police officer not below the rank of Deputy Superintendent of Police (DSP) shall investigate any offence under this Act.
Power of police officers and other officers to enter, search, etc. [S. 80(1)]
Any police officer not below the rank of a DSP, or any other officer of the Central Government or a State Government authorised by the Central Government in this behalf, may enter any public place and search and arrest without warrant any person found therein who is reasonably suspected of having committed, of committing, or of being about to commit any offence under this Act.
Explanation: For the purposes of this sub-section, the expression "public place" includes any public conveyance, any hotel, any shop or any other place intended for use by, or accessible to, the public.
Computer Forensics
The Department of Justice (DoJ) of U.S. defines
computer forensics as the science of acquiring,
preserving, retrieving, and presenting data that has been
processed electronically and stored on computer media.
It also includes the formalized and approved
methodology to collect, analyze and present data in a
court of law.
Computer forensics is all about ‘forensic
processes’. It includes:
(a) Collection
(b) Preservation
(c) Examination and
(d) Analysis
of information (evidence) in an electronic form.
a. Collection of Evidence: The search for, recognition and collection of electronic information (evidence). It requires precision and expertise: one misstep and crucial evidence is lost forever.
b. Preservation of Evidence: Primarily storing the 'collectables' on suitable storage media. It requires knowledge and skill in preserving the 'collectables' on proper storage media, with backups, and with the hash values recorded at acquisition so that later copies can be shown to be unchanged.
c. Examination of Evidence: Making the evidence visible and explaining its origin and significance. It is a painstaking process in which the examiner 'unlocks' both visible and invisible information.
d. Analysis of Evidence: More like an investigative process, in which a holistic view of the 'captured evidence' is taken. The investigator recreates the scene of the crime by drawing inferences from the pieces of the 'electronic puzzle' presented to him.
Required Capabilities
•Data Protection
•Data Acquisition
•Imaging
•Extraction
•Interrogation
•Ingestion/Normalization
•Analysis
•Reporting
Data Protection: Identifying the source of the digital information and protecting it from being destroyed or becoming unavailable (for example by isolating the machine and accessing its media only through a write-blocker).
Data Acquisition: Transferring data from outside the physical or administrative control of the investigator into a controlled location.
Imaging: Creating a bit-for-bit copy of the seized data, so that multiple analyses can be performed on an indelible facsimile without altering the original.
Extraction: Identifying and separating potentially useful data from the imaged data set. This includes recovering damaged, corrupted or destroyed data, and data that has been manipulated algorithmically (encoded or encrypted, for instance) to prevent its detection.
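The following is an added worked example (not from the original presentation) of signature-based extraction: carving files out of a raw image by header and footer signature, which is how a deleted file whose directory entry is gone can still be recovered from unallocated space. The JPEG and PNG signatures are the real ones; the 'disk image', the payloads and the filler are constructed for the example.

```python
"""Signature-based carving of files out of a raw image (added example).

The JPEG/PNG magic numbers are real; the image bytes are constructed for the example.
"""
import hashlib

# (header, footer, number of bytes that follow the footer and still belong to the file).
# The PNG IEND chunk is followed by its 4-byte CRC.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", 0),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND", 4),
}


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Return [(kind, offset, data), ...] for every header with a footer within max_size.

    Limitation shared by every signature carver: a footer that occurs inside the
    file itself (e.g. the FF D9 of an embedded JPEG thumbnail) truncates the carved
    object, and fragmented files are not reassembled.
    """
    found = []
    for kind, (header, footer, trailer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            footer_at = image.find(footer, start + len(header), min(len(image), start + max_size))
            if footer_at < 0:            # header without a footer: skip it, keep scanning
                pos = start + 1
                continue
            end = footer_at + len(footer) + trailer
            found.append((kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda hit: hit[1])


def carve_report(image: bytes) -> list:
    """Hash every carved object so it can be labelled now and re-verified later."""
    return [
        {"kind": kind, "offset": off, "size": len(data),
         "sha256": hashlib.sha256(data).hexdigest()}
        for kind, off, data in carve(image)
    ]


def build_sample_image() -> bytes:
    """Constructed image: filler, a 'deleted' JPEG, filler, a 'deleted' PNG, filler.

    Neither file has a directory entry; only its bytes survive in unallocated space.
    The filler is 0x00..0xFF in order, a sequence that contains none of the signatures.
    """
    filler = bytes(range(256))
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-PAYLOAD" * 3 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-CHUNK-DATA" + b"IEND" + b"\xaeB`\x82"
    return filler + jpeg + filler + png + filler


if __name__ == "__main__":
    for entry in carve_report(build_sample_image()):
        print(entry)
```

Running the block prints two entries, a 42-byte JPEG at offset 256 and a 31-byte PNG at offset 554, each with its SHA-256 so the carved objects can be added to the evidence record.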
Interrogation: Querying the extracted data to determine whether a priori indicators or relationships exist in it. Examples include searching for known telephone numbers, IP addresses and names of individuals.
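An added example of the interrogation step, not code from the original presentation: it scans an extracted data blob for IPv4 addresses, telephone numbers and named individuals, both as 8-bit text and as UTF-16LE (the encoding Windows uses for many registry, shortcut and page-file strings), validates the IP candidates, and flags the hits that match a watch-list of indicators known in advance. The watch-list entries, the sample blob and the phone-number format are constructed; the 203.0.113.0/24 addresses come from the documentation range.

```python
"""Interrogating extracted data for known indicators (added example).

Watch-list, blob and phone format are constructed for the example.
"""
import re
import struct
from typing import NamedTuple


class Hit(NamedTuple):
    kind: str
    value: str
    offset: int       # byte offset in the blob
    encoding: str
    known: bool       # appears on the watch-list


PATTERNS = {
    # The regex alone accepts 999.1.1.1; octets are range-checked in interrogate().
    "ipv4": re.compile(r"(?<![\d.])(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?![\d.])", re.ASCII),
    # 10-18 digits with an optional leading + and spaces, dashes or brackets between.
    "phone": re.compile(r"(?<![\d+])\+?\d[\d \-()]{8,16}\d(?!\d)", re.ASCII),
}


def _utf16le_units(data: bytes) -> str:
    """Decode UTF-16LE one code unit per character, so text index i is byte 2*i exactly.
    Surrogate units are replaced instead of combined, which keeps the mapping exact."""
    n = len(data) // 2
    units = struct.unpack(f"<{n}H", data[: 2 * n])
    return "".join("\ufffd" if 0xD800 <= u <= 0xDFFF else chr(u) for u in units)


def _views(blob: bytes):
    """Yield (encoding, text, text_index -> byte_offset) for each decoding tried.
    A UTF-16LE string is readable only at the right alignment, so both are tried."""
    yield "latin-1", blob.decode("latin-1"), lambda i: i
    for shift in (0, 1):
        yield "utf-16le", _utf16le_units(blob[shift:]), (lambda i, s=shift: s + 2 * i)


def interrogate(blob: bytes, watch_ips: set, watch_phones: set, watch_names: set) -> list:
    """Return Hits sorted by byte offset. watch_phones holds digits only (no +, spaces)."""
    hits = []
    for enc, text, to_offset in _views(blob):
        for m in PATTERNS["ipv4"].finditer(text):
            if all(int(octet) <= 255 for octet in m.groups()):
                hits.append(Hit("ipv4", m.group(0), to_offset(m.start()), enc,
                                m.group(0) in watch_ips))
        for m in PATTERNS["phone"].finditer(text):
            digits = re.sub(r"\D", "", m.group(0))
            hits.append(Hit("phone", m.group(0), to_offset(m.start()), enc,
                            digits in watch_phones))
        for name in watch_names:
            for m in re.finditer(re.escape(name), text, re.IGNORECASE):
                hits.append(Hit("name", m.group(0), to_offset(m.start()), enc, True))
    return sorted(hits, key=lambda h: h.offset)


def build_sample_blob() -> bytes:
    """Constructed extract: a mail header fragment, a chat line, binary junk, a UTF-16LE
    string of the kind found in Windows artifacts, and an invalid address. Not real data."""
    blob = b"".join([
        b"\x00" * 16,
        b"From: Ramesh Kumar <rk@example.net>\r\n",
        b"X-Originating-IP: 203.0.113.7\r\n",
        b"call me on +91 98765 43210 tonight\n",
        b"\xff" * 8,
    ])
    blob += b"\x00" * (len(blob) % 2)          # put the UTF-16LE string on an even offset
    blob += "Dialled 203.0.113.7 at 22:15".encode("utf-16le")
    blob += b"\n999.1.1.1 is not an address\n"
    return blob


if __name__ == "__main__":
    for hit in interrogate(build_sample_blob(), {"203.0.113.7"}, {"919876543210"}, {"Ramesh Kumar"}):
        print(hit)
```

The same address is found twice, once in the mail header and once inside the UTF-16LE string, while 999.1.1.1 is rejected by the octet check; a search that only looked at 8-bit text would have missed the second occurrence.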
Ingestion/Normalization: Storing and transferring the extracted data in a format or nomenclature that investigators readily understand; for example, converting hexadecimal or binary information into readable characters.
Analysis: Fusing, correlating, graphing, mapping or timelining the data to determine possible relationships within it and to develop investigative hypotheses.
Reporting: Presenting the analyzed data in a persuasive and evident form to the investigating authorities.
Presenting e-Evidence
It must be noted that evidence in electronic form is intangible, and the bottom line is the admissibility of such evidence in a court of law.
Analysis Tools
EnCase Forensic Edition by Guidance Software (supports media from Windows, Mac OS, Linux, Solaris etc.)
•Can analyse computer media: HDD, Zip drive, USB device
•Creates a binary duplicate of the original media
•Image is verified using MD5 (MD5 is no longer collision-resistant, so current practice is to record a SHA-256 digest alongside it)
•Data Lifter
•Disk2File
•LC-Tech – forensic tools developed to recover lost and deleted data
•SafeBack – evidence preservation tool (image backup)
Evidence Capturing – Software
EnCase (www.guidancesoftware.com), SafeBack, SilentRunner, SnapBack, ByteBack, WinHex
Evidence Capturing – Hardware
ImageMaster Solo 2 (hardware duplicator), Solitare, Forensic Steel Towers, Forensic AirLite
Important Certifications and Resources
- www.cert.org
- www.giac.org
- www.cops.org
- IACIS – International Association of Computer Investigative Specialists
- www.Foundstone.com
Investigation of Cyber Crimes
Typically, an individual uses his computer to connect to the Internet via an Internet Service Provider (ISP), either over a dial-up connection or over a leased line / broadband facility. There are two levels at which evidence of Internet usage exists:
I. Individual Level
(i) on the individual's own computer, computer system or computer network;
(ii) on the websites accessed by the individual using his own computer, computer system or computer network.
II. ISP Level
On the servers of the individual's ISP.
Collecting Evidence @ Individual's Level
During routine use, a computer stores text, graphics, image files, e-mail messages etc. on its hard disk. The user may regularly delete unwanted material to free up disk space. Chat rooms, Internet Relay Chat (IRC) and Internet telephony sessions are real-time discussions on the Internet; keeping log files of these sessions is optional for the user, so such logs may or may not exist on the disk.
It is nevertheless possible to determine what the user of a specific computer has actually been viewing or browsing (from the browser's history and cache), and often the date and time of that viewing or browsing as well.
Collecting Evidence @ ISP Level
Logs kept by the ISP of its users' dial-up connections indicate the time and duration of Internet usage / connectivity. They corroborate other types of evidence already gathered during the investigation.
Such evidence is hard to dispute, because it establishes not only the time and duration of the computer's Internet usage / connectivity but also that, during a specific time period, the user's computer was working as part of a 'computer network'. The one caveat is that the ISP's clock and the seized computer's clock must be reconciled before the two sets of timestamps are compared.
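An added example (not from the original presentation) of the corroboration described above and of the 'timelining' analysis capability listed earlier: it parses constructed ISP dial-up accounting records, corrects the file-system timestamps from the seized machine by the clock offset noted at seizure, and reports which file modifications fall inside an ISP session. The log format, user names, addresses and times are all hypothetical.

```python
"""Correlating ISP session logs with file-system timestamps (added example).

Log format, users, addresses and times are constructed; they are not from any ISP or case.
"""
import re
from datetime import datetime, timedelta
from typing import NamedTuple, Optional

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed ISP accounting log: one START and one STOP record per dial-up session.
ISP_LOG = """\
2006-03-14 21:58:12 user=rkumar event=START ip=203.0.113.7
2006-03-14 23:41:40 user=rkumar event=STOP ip=203.0.113.7 duration=6208
2006-03-15 09:02:01 user=asingh event=START ip=203.0.113.9
2006-03-15 09:30:33 user=asingh event=STOP ip=203.0.113.9 duration=1712
"""

# Constructed modification times read from the seized disk, in the machine's own clock.
FILE_TIMES = [
    ("C:/Documents/letter.doc", "2006-03-14 22:20:10"),
    ("C:/Temp/~WRL0003.tmp", "2006-03-14 23:05:41"),
    ("C:/WINDOWS/Temp/spool.dat", "2006-03-15 08:10:00"),
]

# At seizure the machine's clock read 200 s behind the reference clock, so adding
# 200 s converts file times to the reference time the ISP log is kept in.
CLOCK_OFFSET = timedelta(seconds=200)

LINE = re.compile(r"^(\S+ \S+) user=(\S+) event=(START|STOP) ip=(\S+)(?: duration=(\d+))?$")


class Session(NamedTuple):
    user: str
    ip: str
    start: datetime
    stop: datetime
    duration_ok: bool    # the STOP record's duration field agrees with stop - start


class FileEvent(NamedTuple):
    path: str
    when: datetime       # corrected to reference time
    user: Optional[str]  # ISP account online at that moment, if any
    ip: Optional[str]


def parse_sessions(log: str) -> list:
    """Pair each user's START with the following STOP; records that do not pair are ignored."""
    open_starts, sessions = {}, []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue                                  # not an accounting record
        ts, user, event, ip, duration = m.groups()
        when = datetime.strptime(ts, FMT)
        if event == "START":
            open_starts[user] = (when, ip)
        elif user in open_starts:
            start, start_ip = open_starts.pop(user)
            ok = duration is not None and int(duration) == int((when - start).total_seconds())
            sessions.append(Session(user, start_ip, start, when, ok))
    return sessions


def correlate(sessions: list, file_times: list, offset: timedelta) -> list:
    """Attribute each file event to the session during which it happened, if any."""
    events = []
    for path, ts in file_times:
        when = datetime.strptime(ts, FMT) + offset
        live = next((s for s in sessions if s.start <= when <= s.stop), None)
        events.append(FileEvent(path, when, live.user if live else None, live.ip if live else None))
    return events


def timeline(sessions: list, file_times: list, offset: timedelta) -> list:
    """One chronological list fusing both sources: (time, source, description)."""
    rows = [(s.start, "isp", f"{s.user} online from {s.ip}") for s in sessions]
    rows += [(s.stop, "isp", f"{s.user} offline") for s in sessions]
    rows += [(e.when, "disk", f"{e.path} modified" +
              (f" (online as {e.user})" if e.user else " (no session)"))
             for e in correlate(sessions, file_times, offset)]
    return sorted(rows)


if __name__ == "__main__":
    for when, source, text in timeline(parse_sessions(ISP_LOG), FILE_TIMES, CLOCK_OFFSET):
        print(when.strftime(FMT), source, text)
```

Two of the three file modifications land inside rkumar's session once the 200-second clock correction is applied; the third falls outside every session and is reported as such rather than silently attributed to the nearest one. The duration check catches a STOP record whose stated duration disagrees with its timestamps, which is worth knowing before the log is relied on.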
Problems with Preserving Computer Evidence
(a) Some of the facilities within browsers for saving WWW pages to disk are imperfect: they may save the text but not the associated images.
(b) In the case of some very complex pages, involving "frames" and "templates", there can be a perceptible difference between what is seen on screen and what is saved to disk.
(c) It is difficult to tell when a specific page was last acquired, because of the browser cache. Thus, if one examines a whole series of cached pages, it is not easy to pinpoint which page came first and which later.
(d) It should not be forgotten that many ISPs use proxy servers to speed up the delivery of popular pages. A user of such an ISP therefore cannot be sure that what he received on his computer is the latest version from the source computer (website) rather than an earlier cached version held by his ISP.
Common Computer Forensic Techniques
An understanding of common computer forensic techniques will go a long way towards obtaining and preserving authentic, accurate and complete evidence:
(i) Carrying out a pre-raid intelligence review to assess what types of hardware, software and back-ups might be expected.
(ii) Photographing (or video-recording) the computer(s) in situ, particularly any cabling of peripherals and ancillaries.
(iii) Every computer and its input and output devices carry a product (serial) number; it is advisable that these numbers be duly recorded.
(iv) Careful identification and labelling of all items, including cables, peripherals and external data storage media such as CDs, disks and tapes.
(v) Precautions to prevent the data being destroyed by hostile individuals immediately prior to the raid.
(vi) Proper handling of computers that are running at the time of the raid.
(vii) Following proper procedures for safe shutting down.
(ix) Noting the time on the computer's internal clock, which provides the date and time stamps on computer files, together with its offset from a reference clock so that those stamps can later be corrected.
(x) Making an exact sector-by-sector copy of every hard disk.
Common Computer Forensic Techniques cont..
The imaging method consists of starting ("booting") the computer not from its own hard disk but from a trusted floppy (Drive A:), so that nothing on the evidence disk is written to during the process. (Today a bootable forensic CD/USB, or a hardware write-blocker between the disk and the examiner's machine, serves the same purpose.)
The operating system on that medium then makes an "image" of the hard disk on an external device. The image is an exact copy of the original, also referred to as a 'bit copy' or 'sector-by-sector copy'.
It includes not only the visible files on the original hard disk but also what would not be seen: the parts of the disk holding the directory details (file names, sizes, date and time stamps), and the unallocated and slack space, from which previously deleted files can sometimes be recovered.
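The imaging and verification step in code, as an added example rather than code from the presentation or from any of the tools named earlier (it also serves the Imaging capability and the MD5 verification point under Analysis Tools): a chunked bit-for-bit copy with MD5 and SHA-256 computed from the bytes as they are read, followed by re-hashing the image to prove it is unchanged and a demonstration that a single altered byte is caught. The 'device' is a constructed file in a temporary directory; on a real seizure the source would be the block device, opened read-only behind a write-blocker.

```python
"""Imaging a device and verifying the image by hash (added example).

The 'device' is a constructed file; the copy-and-hash logic is what dd/dc3dd and
imaging suites do, shown explicitly here.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20   # 1 MiB per read: streams large media without holding them in memory


def image_device(src_path: str, dst_path: str, chunk: int = CHUNK) -> dict:
    """Bit-for-bit copy of src to dst. Returns the size and digests of the bytes read.

    MD5 is kept because older tools and reports use it, but it is no longer
    collision-resistant, so SHA-256 is recorded alongside it.
    """
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            buf = src.read(chunk)
            if not buf:
                break
            md5.update(buf)
            sha256.update(buf)
            dst.write(buf)
            size += len(buf)
    return {"bytes": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_file(path: str, chunk: int = CHUNK) -> dict:
    """Digests of a file on disk, computed exactly as at acquisition."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            md5.update(buf)
            sha256.update(buf)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_image(image_path: str, acquisition: dict) -> bool:
    """True only if both digests match those recorded at acquisition."""
    now = hash_file(image_path)
    return now["md5"] == acquisition["md5"] and now["sha256"] == acquisition["sha256"]


def demo() -> dict:
    """Image a constructed 5720-byte 'disk', verify it, then show a one-byte change is caught."""
    with tempfile.TemporaryDirectory() as work:
        device = os.path.join(work, "evidence.raw")
        image = os.path.join(work, "evidence.dd")
        with open(device, "wb") as dev:
            dev.write(b"BOOT".ljust(512, b"\x00"))                    # boot sector
            dev.write(b"DIRECTORY: letter.doc".ljust(512, b"\x00"))   # directory area
            dev.write(b"deleted-content-still-on-disk " * 20)         # unallocated space
            dev.write(bytes(range(256)) * 16)                         # further data
        record = image_device(device, image)
        verified = verify_image(image, record)
        with open(image, "rb") as f:
            deleted_visible = b"deleted-content-still-on-disk" in f.read()
        # A working copy altered by one byte must fail verification against the record.
        altered = os.path.join(work, "working-copy.dd")
        with open(image, "rb") as f:
            data = bytearray(f.read())
        data[1100] ^= 0x01
        with open(altered, "wb") as f:
            f.write(data)
        return {
            "bytes": record["bytes"],
            "verified": verified,
            "deleted_content_in_image": deleted_visible,
            "altered_copy_verified": verify_image(altered, record),
        }


if __name__ == "__main__":
    print(demo())
```

The digests are computed from the bytes as they leave the source, not from the finished image, so a faulty write is detected by the verification pass rather than hidden by hashing the image alone. The content with no directory entry is present in the image, which is why the bit copy, not a file copy, is required.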
Hacking: Ingredients of Hacking
Whoever, with the intention or knowledge of causing wrongful loss or damage to the public or any person, does any of the following to information residing in a computer resource commits hacking:
- destroys or alters it,
- diminishes its value or utility, or
- affects it injuriously by any means.
Computer Virus
VIRUS (the expansion "Vital Information Under Siege" is a backronym, not the origin of the term)
- Requires a "host" (a program or file) to function.
- Replicates and spreads without the user's knowledge.
Case studies
Cyber Stalking
The effects of this behaviour on the victim include
distinct psychological impairments and behaviour
change that brought about the loss of the victim's
home and job. While the offender may never have
intended for the victim to come to physical harm, the
presence of the threat was always real, and the
possibility that this harm came through a third party
was ever present. Despite issues relating to her
personal safety, the psychological effects of this
harassment are unmistakable.
