1 of 134

Cyber Law �& �Security Policy

2 of 134

REFERENCE

Cyber Security

by

Nina Godbole & Sunit Belapure

Wiley India Publication

3 of 134

Contents

  • Module 1A: Introduction of Cybercrime

  • Module 1B: Category of Cybercrime

  • Module 4B: Cybercrime & Cybersecurity

4 of 134

INTRODUCTION OF CYBERCRIME

5 of 134

Cybercrime

  • It is a crime committed using computer Internet , cyberspace and WWW to steal a person’s identity or self contraband or stalk victims or disrupt operations with malevolent programs
  • Some people think that cybercrime is a crime against software and not against a person or property and so it is not a crime at all.

What is your opinion?

6 of 134

Cybercrime

Two types of attacks are prevalent

    • Cyber Crime
      • Techno-crime

      • Techno-vandalism

7 of 134

Cybercrime

Techno-crime: A planned act against a system or systems, with the intent to copy, steal, prevent access, corrupt or otherwise deface or damage parts of or the complete computer system

This is possible due to 24x7 Internet connection from anywhere in the world leaving few fingerprints

8 of 134

Cybercrime

Techno-vandalism: These acts of “brainless” defacement of websites and other activities like copying files and publicizing their contents publicly

Tight internal security allied to strong technical safeguards should be used to prevent such incidents

9 of 134

Cybercrime

Examples:

  • Tampering computer source documents
  • Hacking with computer systems
  • Obscene publication/transmission in electronic form
  • Failure of compliance/orders of certifying authority
  • Unauthorized access/ attempt to access to protected computer system

10 of 134

Cybercrime

Examples:

  • Obtaining license or digital signature certificate misrepresentation/suppression of facts
  • Publishing false digital signature
  • Offences by/against public servant
  • Destruction e-evidence
  • Forgery
  • Criminal breach of trust/fraud
  • Counterfeiting property, tampering, currency stamps

11 of 134

Cybercrime

Cybercrime vs Terrestrial crime

  1. How to commit them is easier
  2. They require few resources relative to the potential damage caused
  3. They can be committed in a jurisdiction without being physically present in it
  4. They are often not clearly illegal

12 of 134

Cybercrime

Associated Terms

Cyberspace

Cyberpunk

Cybersquatting

Cyberwarfare

Cyberterrorism

13 of 134

Cybercrime

Cyberspace

It is a worldwide network of computer networks that uses TCP/IP for communication to facilitate transmission and exchange of data

14 of 134

Cybercrime

It is the practice of buying “domain names” that have existing business names and selling it back to the rightful owner at much higher price

It means registering, selling, or using a domain name with the intent of profiting from the goodwill of someone else’s trademark

Cybersquatting

15 of 134

Cybercrime

It is defined as “anarchy via machines

The word first appeared as the title of a short story “Cyberpunk” by Bruce Bethke published in Science fiction magazine, AMAZING ,1983

It is about a bunch of teenage hackers/crackers that expresses the combination of punk attitudes and high technology

Cyberpunk

16 of 134

Cybercrime

It means information warriors unleashing vicious attacks against an unsuspecting opponent’s computer networks, wreaking havoc and paralyzing nations

It is attack against information infrastructure which includes information resources and communication systems that support an industry, institution or population

Cyberwarfare

17 of 134

Cybercrime

Narrow Definition: It relates to deployments by known terrorist organizations, of disruption attacks against information systems for the primary purpose of creating alarm and panic

Broad Definition: The premeditated use of disruptive activities or the threat thereof against computers and or networks with the intention to cause harm or further social ideological religious political or similar objectives or to intimidate any person in furtherance of such objectives

Cyberterrorism

18 of 134

Cybercrime

19 of 134

Cybercrime

Botnet Menace

20 of 134

Cybercrime

Botnet Menace

Botnet refers to a group of compromised computers (zombie computers, i.e., computers secretly under the control of hackers) running malwares under a common command and control infrastructure

21 of 134

Cybercrime

22 of 134

Forgery

  • Counterfeit currency notes, postage and revenue stamps, marksheets, etc. can be forged using sophisticated computers, printers and scanners
  • Outside colleges sale of fake marksheets and degree certificates prevail
  • These are made using high quality scanners and printers
  • This has become a booming business

23 of 134

Hacking

  • Every act committed toward breaking into a computer and/or network is hacking and it is an offense
  • Attackers write or use ready-made computer programs to attack the target computer for enjoyment or for personal monetary gains
  • The steal credit card information, transfer money from various banks to their account
  • They extort money from some corporate giant threatening him to publish some stolen information critical in nature

24 of 134

Hacking

  • Purpose :
    • Greed
    • Power
    • Publicity
    • Revenge
    • Adventure
    • Desire to access forbidden information
    • Destructive mindset

25 of 134

Software Piracy

  • Defined as theft of software through the illegal copying of genuine programs or the counterfeiting and distribution of products intended to pass for the original
  • Examples:
    • End-user copying
    • Hard disk loading with illicit means
    • Illegal downloads from the Internet

26 of 134

Software Piracy

  • You have lots to lose:
    • Getting untested software that may have been copied thousands of times over
    • Software may contain hard-drive infecting viruses
    • Lack of technical support
    • No warranty protection
    • No legal right to use the product

27 of 134

Computer Network Intrusion

  • Computer networks pose a problem by way of security threat as people can get into them from anywhere
  • Hackers or crackers can break into computer systems from anywhere and steal data, plant viruses, create backdoors, insert Trojan Horses

28 of 134

Computer Network Intrusion

29 of 134

Computer Network Intrusion

30 of 134

CATEGORY OF CYBERCRIME

31 of 134

Cybercriminals

Cybercrime involves such activities as

  • credit card fraud
  • cyberstalking
  • defaming another online
  • gaining unauthorized access to computer systems
  • ignoring copyright, software licensing, trademark protection
  • overriding encryption to make illegal copies
  • software piracy, stealing another’s identity to perform criminal acts

Cybercriminals are those who perform these acts

32 of 134

Cybercriminals

Categories :

  1. Type I: Cybercriminals – hungry for recognition
  2. Type II: Cybercriminals – not interested in recognition
  3. Type III: Cybercriminals – the insiders

33 of 134

Cybercriminals

Categories :

Type I: Cybercriminals – hungry for recognition

  • Hobby hackers
  • IT professionals (threat – social engineering)
  • Politically motivated hackers
  • Terrorist organizations

34 of 134

Cybercriminals

Categories :

Type II: Cybercriminals – not interested in recognition

  • Psychological perverts
  • Financially motivated hackers (corporate espionage)
  • State-sponsored hacking (national espionage, sabotage)
  • Organized criminals

35 of 134

Cybercriminals

Categories :

Type III: Cybercriminals – the insiders

  • Disgruntled or former employees seeking revenge
  • Competing companies using employees to gain economic advantage through damage and/or theft

36 of 134

Classification of Cybercrimes

  1. Cybercrime against individual
  2. Cybercrime against property
  3. Cybercrime against organization
  4. Cybercrime against society
  5. Crimes emanating from Usenet groups

37 of 134

Classification of Cybercrimes

Cybercrime against individual

  • Electronic mail
  • Phishing, Spear Phishing
  • Spamming
  • Cyberdefamation
  • Cyberstalking and harassment
  • Computer sabotage
  • Password sniffing

38 of 134

Classification of Cybercrimes

Cybercrime against property

  • Credit card frauds
  • Intellectual Property (IP) crimes
  • Internet time theft

39 of 134

Classification of Cybercrimes

Cybercrime against organization

  • Unauthorized accessing of computer
  • Password sniffing
  • Denial-of-service
  • Virus attack/dissemination of viruses
  • E-mail bombing/mail bombs
  • Salami attack/Salami technique
  • Logic bomb
  • Tojan Horse
  • Data didling
  • Software piracy
  • Computer Network Intrusions
  • Software piracy

40 of 134

Classification of Cybercrimes

Cybercrime against society

  • Forgery
  • Cyberterrorism
  • Web jacking

41 of 134

Classification of Cybercrimes

Crimes emanating from Usenet groups

  • These groups may carry very offensive, harmful, inaccurate or inappropriate material
  • So we must use caution and common sense and exercise proper judgment when using Usenet

42 of 134

Classification of Cybercrimes

Based on :

  • Target of the crime

  • Whether crime occurs as a single event or as a

series of events

43 of 134

Classification of Cybercrimes

  • Target of the crime:
    • Crimes targeted at individuals
    • Crimes targeted at property

    • Crimes targeted at organizations

Goal is to exploit human weakness such as greed and naivety

Goal is to steal cell phones, laptops, PDAs, CDs and pendrives, transmitting harmful programs to destroy devices etc

Goal is Cyberterrorism by planting programs to get control of the network

44 of 134

Classification of Cybercrimes

  • Single event of cybercrime:
    • It is the single event from the perspective of the victim
    • Unknowingly opening a virus affected attachment that may infect the system (PC/laptop)
    • This is known as hacking or fraud

45 of 134

Classification of Cybercrimes

  • Series of events:
    • This involves attacker interacting with victims repetitively
    • Attacker interacts with the victim on the phone and/or via chat rooms to establish relationship first and then they exploit that relationship to commit assault

46 of 134

Planning Attack

Steps:

  • Reconnaissance (information gathering)
    • Passive
    • Active
  • Scanning and scrutinizing information for its validity
  • Identifying existing vulnerabilities
  • Launching an attack (gaining and maintaining system access)

47 of 134

Passive Attack

  • Involves gathering information about a target without his/her knowledge
  • May be done with
    • Google or Yahoo search
    • Organization’s website
    • Surfing online community groups like Orkut/Facebook
    • Blogs, newsgroups, press releases
    • Job postings in particular job profiles

48 of 134

Passive Attack

    • Google Earth
    • Internet Archive
    • Professional Community
    • People Search
    • Domain Name Confirmation
    • WQHOIS
    • Nsloookup

    • Dnsstuff
    • Traceroute
    • VisualRoute Trace
    • eMailTrackerPro
    • HTTrack
    • Website Watcher
    • Competitive Intelligence

Tools used during passive attacks

49 of 134

Active Attack

  • Involves probing the network to discover individual hosts to confirm the information (IP address, OS type & version, services on the network) gathered in passive attack
  • It is called “Rattling the doorknobs” or “Active reconnaissance
  • It provides confirmation about security measures – but is risky

50 of 134

Active Attack

    • Arphound
    • Arping
    • Bing
    • Bugtraq
    • Dig
    • DNStracer
    • Dsniff
    • Filesnarf
    • FindSMB
    • Fping
    • Fragroute
    • Fragtest
    • Hackbot

    • Hmap
    • Hping
    • Httping
    • Hunt
    • Libwhisker
    • Mailsnarf
    • Msgsnarf
    • NBTScan
    • Nessus
    • Netcat
    • Nikto
    • Nmap

Tools used during active attacks

51 of 134

Active Attack

    • Pathchar
    • Ping
    • ScanSSH
    • SMBclient
    • SMTPscan
    • TCPdump
    • TCPreplay
    • THC-Amap
    • Traceroute
    • URLsnarf
    • XProbe2

Tools used during active attacks

52 of 134

Scanning & Scrutinizing

Objectives:

    • Port scanning – Identifying open/close ports and services
    • Network scanning - Understanding IP Addresses and related information about computer network systems
    • Vulnerability scanning – Understanding existing weaknesses in the system

53 of 134

Scanning & Scrutinizing

Ports

    • A port is an interface on a computer to which one can connect a device
    • TCP/IP has ports 0 through 65536 (i.e., from 20 to 216 for binay address)
    • Port numbers are divided into 3 ranges:
      • Well-known ports (from 0 to 1023)
      • Registered ports
      • Dynamic and/or private ports

54 of 134

Scanning & Scrutinizing

Well-known Ports

55 of 134

Scanning & Scrutinizing

  • Port Scanning
    • Ports are entry/exit points that any computer has to be able to communicate with external machines
    • Each computer has 3 or more external ports
    • These are used to communicate with printers, modems, mouse, scanner, video game etc
    • Nmap is used for port scanning (to see which ports are open and what OS is being used by the system)

56 of 134

Scanning & Scrutinizing

  • Port Scanning
    • In “portscan” a host scans for listening ports on a single target host
    • In “portsweep” a host scans multiple hosts for a specific listening port

57 of 134

Scanning & Scrutinizing

  • Port Scanning
    • The result of port scanning is categorized into:
      • Open or accepted: The host sent a reply indicating that a service is listening on the port
      • Closed or not listening: The host sent a reply indicating that connections will be denied to the port
      • Filtered or blocked: There was no reply from the host

58 of 134

Scanning & Scrutinizing

  • Ports for TCP/IP
    • Ports 20 and 21 – File Transfer Protocols (FTP) – are used for uploading and downloading of information
    • Port 25 – Simple Mail Transfer Protocol (SMTP) – is used for sending/receiving E-Mails
    • Port 23 – Telnet Protocol – is used to connect directly to a remote host and Internet control message
    • Port 80 – It is used for Hypertext Transfer Protocol (HTTP)
    • Internet Control Message Protocol (ICMP) – It does not have a port abstraction and is used for checking network errors, viz. ping

59 of 134

Scanning & Scrutinizing

  • Vulnerabilities of ports
    • Vulnerabilities associated with the program that is delivering the service
    • Vulnerabilities associated with the OS that is running on the host – closed ports

Usually most of the attackers consume 90% of the time in scanning scrutinizing and gathering information on a target and 10% of the time in launching the attack

60 of 134

Scanning & Scrutinizing

  • Attack (Gaining and Maintaining the System Access
    • Crack the password
    • Exploit the privileges
    • Execute the malicious commands/applications
    • Hide the files (if required)
    • Cover the tracks – delete the access logs, so as to remove trail of illicit activity

61 of 134

Social Engineering

62 of 134

Social Engineering

    • Human-based
      • Impersonating an employee or valid user
      • Posing as an important user
      • Using a third person
      • Calling technical support
      • Shoulder surfing
      • Dumpster diving

63 of 134

Social Engineering

    • Computer-based
      • Fake E-Mails
      • E-Mail attachments
      • Pop-up windows

Social engineering and dumpster diving are also considered passive information-gathering methods

64 of 134

Social Engineering

65 of 134

Social Engineering

66 of 134

Cyberstalking

  • Stalking means “act or process of following prey stealthily – trying to approach somecody or something”
  • Cyberstalking means “use of information and communications technology by an individual or group to harass another individual, group, organization
  • Behaviour includes false accusations, monitoring, threats, ID theft, damage to data or equipment

67 of 134

Cyberstalking

  • Types of stalkers:
    • Online stalkers – Internet, Email, chat room

    • Offline stalkers – following the victim, watching the daily routine of the victim, searching on personal websites about the victim outside the knowledge of the victim

68 of 134

Cyberstalking

Foursquare is a location-based social networking website for mobile devices, such as smart phones. Users "check in at venues using a mobile website, text messaging or a device-specific application by selecting from a list of venues the application locates nearby. Location is based on GPS in the mobile device or network location provided by the application, and the map is based on data from the OpenStreetMap project.

69 of 134

Cyberstalking

Case Study

- Mrs. Joshi of Delhi received almost 40 calls a day for 3 days at odd hours from Kuwait, Cochin, Bombay and Ahmadabad that created havoc in her personal life

- She registered a complaint with Delhi Police

- Actually a person was using her ID to chat over the Internet at www.micr.com for 4 consecutive days using obscene language and gave Mrs. Joshi’s telephone no. to other chatters encouraging them to call her at odd hours

70 of 134

Cyberstalking

71 of 134

Cyberstalking

72 of 134

73 of 134

CYBERCRIME AND CYBER SECURITY

74 of 134

Legal Aspects

  • Cybercrime is the largest illegal industry
  • It involves massive, coordinated attacks against the information infrastructure of a country
  • So knowledge of cyber laws is essential for people who interact with networked services either over
    • Internet
    • Banks
    • Stock brokers
    • Intra-or inter-company information exchange systems
    • Involved in social networking sites

75 of 134

Legal Aspects

  • We must have a sound knowledge about digital evidence as given by the Indian Information Technology Act (ITA) 2000
  • For global business – besides Indian legislations, world scenario may be considered
  • At 10th United Nations Congress on Prevention of Crime and Treatment of Offenders, in a workshop devoted to the issues of crimes related to computer networks, cyber crime was broken into two categories
    • Computer crime
    • Computer-related crime

76 of 134

Legal Aspects

  • Cybercrime in a restrictive sense (computer crime)

Any illegal behavior carried out by electronic means targeting the security of computer system

    • Cybercrime in a general sense (computer-related crime)

Any illegal behavior carried out by means of or in relation to a computer system or network including such crimes as

  • illegal possession
  • offering or distributing information by means of

computer system or network

77 of 134

Legal Aspects

  • Some more examples are:
    • Unauthorized access to computer
    • Causing damage to computer data or programs
    • An act of computer sabotage
    • Doing unauthorized interception of communications
    • Carrying out computer espionage

78 of 134

Legal Aspects

  • Degree of Unlawful Access to Computer
    • First-degree access
    • Second-degree access
    • Third-degree access
    • Fourth-degree access
    • Computer trespassing

79 of 134

Legal Aspects

  • Degree of Unlawful Access to Computer
    • First-degree access: crime is of first-degree when a person accesses, causes to be accessed or attempts to access a computer system and computer software for the purpose of defrauding or obtaining money, property or services by fraudulent pretense – This crime is a Class C felony

80 of 134

Legal Aspects

  • Degree of Unlawful Access to Computer
    • Second-degree access: crime is of second-degree when a person accesses, causes to be accessed or attempts to access a computer system and computer software and the crime results in damages or losses of value considered high enough by the law– This crime is a Class D felony

81 of 134

Legal Aspects

  • Degree of Unlawful Access to Computer
    • Third-degree access: crime is of third degree~ when a person accesses, causes to be accessed or attempts to access a computer system and computer software and the crime results in loss or damage of less than the value that is considered “high” by the prevailing law in the country– This crime is a Class A misdemeanor

82 of 134

Legal Aspects

  • Degree of Unlawful Access to Computer
    • Fourth-degree access: crime is of fourth-degree when a person accesses, causes to be accessed or attempts to access a computer system and computer software but there is no loss or damage – This crime is a Class B misdemeanor

83 of 134

Legal Aspects

  • Degree of Unlawful Access to Computer
    • Computer trespassing: involves using a computer with the knowledge that such use is without authority and with the intention of:

a) deleting temporarily or permanently any computer data

b) altering, damaging or causing malfunction of a computer

84 of 134

Indian Cyber Laws

  • Under the purview of cyber law, the different aspects are:
    • Intellectual Property
    • Data protection and privacy
    • Freedom of expression
    • Crimes committed using computers

85 of 134

Indian Cyber Laws

  • ITA 2000 aimed at providing the legal infrastructure for E-Commerce in India to
    • Manage all aspects, issues, legal consequences and conflict in the world of cyberspace, Internet or WWW
    • Provide legal recognition for transactions carried out by electronic data interchange and other means of electronic communication – E-Commerce

86 of 134

Indian Cyber Laws

  • Reasons for enactment of cyber laws in India:
    • Well-defined legal system of India lacks in many aspects when it comes to Internet Technology
    • Need to have some legal recognition to the Internet – the most dominating source of business
    • Cyberterrorism came into existence – an old offence in an innovative way

87 of 134

Indian Cyber Laws

  • A legal framework for cyberworld was conceived in India in the form of a draft E-Commerce Act 1998
  • Thereafter the basic law for the cyberspace transactions in India has emerged in the form of the ITA 2000
  • ITA 2000 amended the Indian Penal Code (IPC) 1962, the Indian Evidence Act 1872, the Banker’s Book Evidence Act 1891, the Reserve Bank of India Act 1934

88 of 134

Indian IT Act

  • Contents:
    • Cybercrimes punishable under Indian IT Act
    • Digital Evidence and its Admissibility in Courts
    • Admissibility of E-Records: Amendments made in the Indian ITA 2000
    • Positive Aspects of ITA 2000
    • Weak Areas of ITA 2000
    • Challenges to Indian Law and Cybercrime Scenario in India
    • Consequences of not Addressing the Weakness in ITA 2000

89 of 134

Cybercrimes punishable under �Indian IT Act

  • Under section 65 of Indian Copyright Act- making copies of any work in which Copyright subsists is punishable with imprisonment of up to 2 years with fine
  • Under section 67 of IT Act - sending obscene E-Mails are punishable with imprisonment of up to 5 years and with fine (~ 1 L)
  • Under section 500 of IPC - defamatory E-Mails are punishable with imprisonment of up to 2 years or a fine or both
  • Under provisions of IPC - threatening E-Mails are punishable pertaining to criminal intimidation, insult and annoyance and extortion
  • Under provisions of IPC - E-Mail spoofing is punishable with regard to fraud, cheating by impersonation and forgery

90 of 134

Sections of Indian IT Act Relevant to �Cybercrime in legal context�

  • Section 65: Tampering with computer source documents
    • Imprisonment of 3 years, fine 2L or both
  • Section 66: Computer related offenses
    • Imprisonment of 3 years, fine 5L or both
  • Section 67L : Punishment for publishing or transmitting obscene material in electronic form
    • Imprisonment – 3 years, fine 5L for first conviction
    • Imprisonment – 5 years, fine 10L for second and subsequent conviction

91 of 134

Sections of Indian IT Act Relevant to �Cybercrime in legal context�

  • Section 71: Penalty for misrepresentation
    • Imprisonment of 2 years, fine 1L or both
  • Section 72: Penalty for breach of confidentiality and privacy
    • Imprisonment of 2 years, fine 1L or both
  • Section 73: Penalty for publishing Digital Signature Certificate false in certain particulars
    • Imprisonment of 2 years, fine 1L or both
  • Section 74: Publication for fraudulent purpose
    • Imprisonment of 2 years, fine 1L or both

92 of 134

Digital Evidence and its Admissibility �in Courts

    • Digital Electronic evidence is probative information stored in digital form that a party may use at trial

    • It includes:
      • Computer printouts
      • E-Mails
      • Digital photographs
      • ATM transaction logs
      • Spreadsheets

    • With increased computerization and technology as well rise of digital office, courts have been forced to allow for the admittance of digital evidence

93 of 134

Digital Evidence and its Admissibility �in Courts

    • Challenges in digital evidence handling:
      • Extensive usage of computers in spite of complex computer technology
      • Extensive data stored on today’s computers
      • Limited resources available to analyze computer evidence causes delay in return of digital evidence

94 of 134

Digital Evidence and its Admissibility �in Courts

    • Challenges in digital evidence handling:
      • Cybercrime occurring from anywhere in the world causes difficulty in obtaining evidence and enforcing warrants for searches and seizures of digital evidence stored abroad
      • Courts have noted that as compared to traditional evidence digital version is more voluminous, difficult to destroy, easily modified, easily duplicated, potentially more expressive and more readily available

95 of 134

Sources of Digital Evidence

  • More than the obvious
    • PCs
    • PDAs
    • Mobile Phones
    • GPS
    • Digital TV systems
    • CCTV
    • Other Embedded Devices

96 of 134

Forensic Computing � Purpose

  • Forensic computing techniques may be deployed to :
      • Recover evidence from digital sources
      • Witness – factual only
      • Interpret recovered evidence
      • Expert witness – opinion & experience

97 of 134

Forensic Computing �Definition

  • Forensic
      • Relating to the recovery, examination and/or production of evidence for legal purposes
  • Computing
      • Through the application of computer-based techniques

98 of 134

Forensic Computing : �Alternative Definition�

“...the application of science and engineering to the legal problem of digital evidence. It is a synthesis of science and law”

99 of 134

Forensic Computing�Background

  • Role of the forensic examiner
    • Retrieve any and all evidence
    • Provide possible interpretations
      • How the evidence got there
      • What it may mean
    • Implication
      • The “illicit” activity has already been identified
      • Challenge is to determine who did it and how

100 of 134

Forensic Computing�Single Source Cases

  • According to Marshall &Tompsett [1]
    • Any non-internet connected system can be treated as a single source of evidence, following the same examination principles as a single computer

    • Even a large network�
    • Is this a valid proposition ?

101 of 134

Forensic Computing�Single Source

  • Implies that the locus of evidence can be determined
    • i.e. There are no unidentified or external entities involved
  • Even in a large network, all nodes can be identified
    • as long as the network is closed (i.e. The limit of extent of the network can be determined)
  • “Computer-assisted/enabled/only” categories

102 of 134

Forensic Computing�Static Evidence��

  • Time is the enemy
    • Primary sources of evidence are storage devices
      • Floppies, hard disks, CD, Zip etc.
      • Log files, swap files, slack space, temporary files
    • Data may be deleted, overwritten, damaged or compromised if not captured quickly
    • (See ACPO guidelines – No.1)

103 of 134

Forensic Computing��

Standard seizure procedure

  1. Quarantine the scene
    • Move everyone away from the suspect equipment
  2. Kill communications
    • Modem, network
  3. Visual inspection
    • Photograph, notes
    • Screensavers ?
  1. Kill power
  2. Seize all associated equipment and removable media
    • Bag 'n' tag immediately
    • Record actions
  3. Ask user/owner for passwords

104 of 134

Forensic Computing��

Imaging and Checksumming

  • After seizure, before examination
    • Make forensically sound copies of media
    • Produce image files on trusted workstation
    • Produce checksums
      • For integrity checking

105 of 134

Forensic Computing��

Why image ?

  • Why not just boot the suspect equipment and check it directly

106 of 134

Forensic Computing��

Forensically sound copy

  • Byte by byte, block by block copy of ALL data on the medium, including deleted and/or bad blocks.
    • Device level and logical level (partitions)
  • Identical to the original
  • Specialist programs
    • (e.g. Encase)
  • Adapt standard tools
    • (e.g. “dd” on Unix/Linux/*BSD MacOS X)

107 of 134

Forensic Computing��

Checksumming

  • During/immediately after imaging
    • Calculate checksum files for the image. Ideally 1 per block.
    • Use later to verify that
      • Image file has not changed
      • Source media has not been modified
        • Difficult at device level – differences between devices. (manufacturing defects)
    • Possible algorithms
      • MD5, SHA, SNEFRU

108 of 134

Forensic Computing��

Sources of evidence in the image

  • Image is a forensically sound copy
    • Can be treated as the original disk
    • Examine for
      • “live” files
      • Deleted files
      • Swap space
      • Slack space

109 of 134

Live Files

  • “live” files
    • Files in use on the system
    • Saved data
    • Temporary files
    • Cached files

  • Rely on suspect not having time to take action

110 of 134

Deleted files

  • O/S rarely deletes all data associated with a file
    • More commonly marks space used by file as available for re-use
    • e.g.
      • In FAT systems, change 1st character of name to “deleted” marker
      • In Unix/Linux – add nodes to free list
    • Data may still be on disk, recoverable using sector-level tools

111 of 134

Swap space

  • Both O/S and program swap
    • Areas of 10 memory swapped out to disk may contain usable data
    • Created by O/S during scheduling
    • Created by programs when required

112 of 134

Slack space

  • Files rarely completely fill all allocated sectors
    • e.g. Sector size of 512 bytes, file size 514 bytes – 2 sectors, but one only contains 2 bytes of real data
    • Disk controller must write a complete sector.
      • Using DMA, grabs “spare” bytes from 10 memory and pads the sector
      • Padding may contain useful evidence, potentially from past programs – same rules apply to RAM as Disk! (unless powered down)

113 of 134

What about edited files ?

  • e.g.
    • Entries deleted from log files ?

114 of 134

Recovered data

  • Needs thorough analysis to reconstruct full or partial files
  • May not contain sufficient contextual information
    • e.g. missing file types, timestamps, filenames etc.

115 of 134

Challenges

Current & Future

116 of 134

Challenges - Current

  • Recovered data may be
    • Hashed
    • Encrypted
    • Steganographic

  • Analytical challenges

117 of 134

Hashed Data

  • Non-reversible process
    • i.e. Original data cannot be determined from the hashed value
      • cf. Unix/Linux password files
    • Aka (erroneously) “one-way” encryption
    • “Brute Force” attack may be required
      • Is this good enough for legal purposes ?

118 of 134

Encryption

  • Purpose
    • To increase the cost of recovery to a point where it is not worth the effort
      • Symmetric and Asymmetric
      • Reversible – encrypted version contains full representation of original��
  • Costly for criminal, �costly for investigator

119 of 134

Steganography

  • Information hiding
    • e.g.
      • Maps tattooed on heads
      • Books with pinpricks through letters
      • Low-order bits in image files
    • Difficult to detect, plenty of free tools
    • Often combined with cryptographic techniques.

120 of 134

Worse yet

  • CryptoSteg
  • SteganoCrypt��
  • Combination of two techniques...
    • layered

121 of 134

Additional challenges

  • Emerging technologies
  • Wireless
    • Bluetooth
      • “Bluejacking”, bandwidth theft
    • 802.11 b/g/a
      • Insecure networks, Insecure devices
      • Bandwidth theft, storage space theft
    • Forms of identity theft

122 of 134

Additional challenges

  • Viral propagation
    • Proxy implantation
      • Sobig, SuperZonda
        • obscene
    • Evidence “planting”�
  • Proven defence

123 of 134

Case studies

  • Choose from :
    • IPR theft
    • Identity theft & financial fraud
    • Murder
    • Street crime (mugging)
    • Blackmail
    • Fraudulent trading
    • etc. etc. etc.

124 of 134

Admissibility of E-Records �Amendments made in the Indian ITA 2000��

    • The Second Schedule of Indian ITA 2000: Amendment to the Indian Evidence Act
    • The Third Schedule of Indian ITA 2000: Amendment to the Banker’s Books Evidence Act
    • The Fourth Schedule of Indian ITA 2000: Amendment to the Reserve Bank of India Act

125 of 134

Admissibility of E-Records �Amendments made in the Indian ITA 2000��

    • The Second Schedule of Indian ITA 2000: Amendment to the Indian Evidence Act

      • “Evidence” 🡪 The word Electronic records to be included

126 of 134

Admissibility of E-Records �Amendments made in the Indian ITA 2000��

    • The Third Schedule of Indian ITA 2000: Amendment to the Banker’s Books Evidence Act
      • “Banker’s Books” 🡪 The word ledgers, data-books, cash-books, account-books and all other books used in the written form or as printouts of data store in a floppy, disc, tape or any other form of electro-magnetic data storage device to be included
      • “Certified copy” 🡪 consists of printouts with such statements certified to be included

127 of 134

Admissibility of E-Records �Amendments made in the Indian ITA 2000��

    • The Fourth Schedule of Indian ITA 2000: Amendment to the Reserve Bank of India Act
      • the regulation of fund transfer through electronic means between banks or between banks and other financial institutions, including laying down of the conditions subject to which banks and other finanlcial institutions shall participate in such fund transfers, the manner of such fund transfers and rights and obligations of the participants in such fund transfers” to be inserted

128 of 134

Positive Aspects of ITA 2000��

    • Acceptance of E-Mail as a legal form of communication
    • Growth of E-Commerce using the legal infrastructure provided by ITA 2000
    • Use of digital evidence to carry out online transactions
    • Statutory remedy for anyone breaking into computer systems and networks of companies and causing damage or copying data
    • Definition of cybercrimes and legal redress for them

129 of 134

Weak Areas of ITA 2000��

    • Causes a conflict of jurisdiction
    • Domain names on which E-Commerce is based, have not been defined and the rights and liabilities of domain name owners are not mentioned in the law
    • The law lacks proper Intellectual Property Protection for Electronic Information and Data
    • The law does not cover various kinds of cybercrimes and Internet-based crimes like
      • Cybertheft, cyberstalking, cyberharassmemt, cyberdefamation, cyberfraud, misuse of credit card numbers, chat room abuse, theft of Internet hours, cybersquatting

130 of 134

Challenges to Indian Law and Cybercrime Scenario in India���

    • Indian law does not provide definition of cybercrime
    • Indian cyberlaw even after amendment does not use the term cybercrime – has a chapter entitled offences in which cybercrimes has been declared as penal offences punishable with imprisonment and fine viz.,
      • Tampering with computer source code
      • Un-authorized access to computer
      • Failure to decrypt information in the interest of sovereignty or integrity of India, security of state

131 of 134

Challenges to Indian Law and Cybercrime Scenario in India���

Offences:

      • Securing access or attempting to secure access to a protected system
      • Misrepresentation while obtaining any license to act as a Certifying Authority (CA) or a digital signature certificate
      • Breach of confidentiality and privacy
      • Publication of false digital signature certificates
      • Publication of digital signature certificates for fraudulent purposes

132 of 134

Challenges to Indian Law and Cybercrime Scenario in India���

So with respect to the previous discussion –

      • Legal drawbacks with regard to cybercrimes addressed in India exists – need to improve legal scenario
      • Law enforcement agencies in India are neither well equipped nor knowledgeable about cybercrime – training is necessary
      • Lack of cybercrime courts in India – lack of cyber savvy judges – cyber cell officials need a sound technical training
      • People need to be encouraged to report the matter to the law enforcement
      • Need for a distinct law on cybercrime and appropriate changes should be made in IPC and IT Act

133 of 134

Consequences of not Addressing the Weakness in ITA 2000��

    • India’s outsourcing sector may get impacted
    • There are many news about overseas customer worrying about data breaches data leakages in India
    • This can result in breaking India’s IT business leadership in international outsourcing market

If the weaknesses in ITA 2000 are not addressed in the near future then the dream of India ruling the world’s outsourcing market may not come true

134 of 134

Thank You