Cyber Crimes & Cyber Forensics


A power point presentation on Cyber crimes & Forensics --- Aim to raise awareness about it.


CYBER CRIMES & CYBER FORENSICS & TECHNOLOGY

CDAC

CYBER CRIMES ARE…

CYBERCRIME GRAPH

[Chart: cybercrime graph with the years 2000 to 2004 on the horizontal axis and a scale of 0 to 350 on the vertical axis]

CYBER CRIMES ARE…

NEITHER FORWARD..NOR BACKWARD..BUT AWKWARD:

CASE #1.

TM5/2004/PS_WRD_MINISTER

NARRATION

“Y” RECEIVES AN EMAIL FROM PROF. (MRS) X, INTRODUCING HERSELF AS A TECHNOLOGIST WORKING IN THE AREA OF AN AFFORDABLE DRINKING WATER PROJECT AND SEEKING A DATE FOR AN APPOINTMENT. “Y” RESPONDS FAVOURABLY WITH A DATE.

NARRATION(CONTD)

“Y” RECEIVES AN EMAIL FROM THE SECURITY CHIEF OF PROF. (MRS) X, FROM HONG KONG, SAYING THAT HE IS DOING A DUE DILIGENCE CHECK. “Y” RESPONDS FAVOURABLY.

NARRATION(CONTD)

“Y” RECEIVES AN EMAIL FROM THE PROTOCOL OFFICER OF PROF. (MRS) X, FROM MUMBAI, SAYING THAT SHE IS DOING A DUE DILIGENCE CHECK. “Y” RESPONDS FAVOURABLY.

NARRATION(CONTD)

THE APPOINTED DATE COMES. “X” DOES NOT SHOW UP. NEXT DAY, “Y” GETS MAIL FROM THE SECURITY CHIEF ASKING FOR THE WHEREABOUTS OF “X”… “Y” IS THREATENED WITH CONSEQUENCES…

SUBMIT OR FIGHT? PANIC, ANXIETY & DESPAIR

WE SAW…

CONVENTIONAL CRIMES BEING COMMITTED WITH EASE AND SOPHISTICATION, USING COMPUTER AND INFORMATION TECHNOLOGY.

CASE #2.

RC05/ …/93/2005

NARRATION

COMPANY “X” GETS AN OFFSHORE S/W DELIVERY JOB FROM COMPANY “Y”.

“Y” INSISTS ON LOTS OF CUSTOMISATION.

“X” DEPUTES TWO ENGINEERS WITH SOURCE CODE TO CARRY OUT CUSTOMISATION AT “Y”’s PREMISES.

CONTRACT GETS TERMINATED.

ENGINEERS RESIGN ON COMING BACK.

“Y” LAUNCHES NEW S/W WITH SIMILAR FEATURES.

YET, CREATES SIMPLE & EASY PLATFORMS

Case Referred by: Judicial First Class Magistrate

Case Registered under Sec 65 and 72 of IT Act

Complainant: Software Company

Accused: Two Former Employees

Nature of Crime: Source Code Theft

WE ARE SEEING…

NEW VERSIONS OF CONVENTIONAL CRIMES EMERGING, TARGETING COMPUTERS AND INFORMATION TECHNOLOGY.

CASE #3.

RC11(A)/2004/…/…./22004S-0001

NARRATION

“X” IS CAUGHT IN A CYBER CRIME.

“X” CLAIMS HE CAN CRACK PASSWORDS, BREAK INTO EMAIL ACCOUNTS, INTERCEPT CHATS, ETC.

“X” PRODUCES EMAIL/CHAT PRINTOUTS WHICH SHOW THE POSSIBILITY OF A TERRORIST ATTACK.

REWARD OR PUNISH…….. ARRAY OF CONFUSION

NOW WE SEE…

NEW CRIMES BEING INVENTED, CONFUSING COMPUTERS AND INFORMATION TECHNOLOGY

NEED…

EFFECTIVE MEANS TO PRE-EMPT CYBER CRIMES.

EFFECTIVE WAY TO ENSURE DEFINITE PUNISHMENT AS A DETERRENT AGAINST CYBER CRIMES.

CYBER FORENSICS CAN BE AN EFFECTIVE TOOL

CYBER FORENSICS IS……

“The unique process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally accepted.”

MULTI DIMENSIONAL CHALLENGES

WHY IS IT UNIQUE?

MULTI DIMENSIONAL CHALLENGE

TECHNICAL, OPERATIONAL, SOCIAL, LEGAL

TECHNICAL

TECHNOLOGY IS CHANGING RAPIDLY.

CYBER CRIMES ARE ALSO CHANGING RAPIDLY.

SYSTEMS AND CRIMES EVOLVE MORE RAPIDLY THAN THE TOOLS THAT EXAMINE THEM.

TECHNOLOGY EVOLUTION

OBSOLESCENCE

NEWER DEVICES

NEW TOOLS

NEW METHODOLOGIES

TECHNICAL

UBIQUITY OF COMPUTERS: CRIMES OCCUR IN ALL JURISDICTIONS

TRAINING LEA (LAW ENFORCEMENT AGENCIES) BECOMES A CHALLENGE

TECHNOLOGY REVOLUTION LEADS TO NEWER SYSTEMS, DEVICES ETC..

OPERATIONAL

ALL DATA MUST BE GATHERED AND EXAMINED FOR EVIDENCE

GIGABYTES OF DATA: PROBLEMS OF STORAGE, ANALYSIS, PRESENTATION…

NO STANDARD SOLUTION AS YET

SOCIAL

IT RESULTS IN UNCERTAINTIES ABOUT

EFFECTIVENESS OF CURRENT INVESTIGATION TECHNIQUES

SUB OPTIMAL USE OF RESOURCES

PRIVACY CONCERNS

LEGAL

USE & BOUNDS OF DIGITAL EVIDENCE IN LEGAL PROCEDURES STILL UNCLEAR.

CURRENT TOOLS & TECHNIQUES NOT RIGOROUSLY USED / CONTESTED IN COURT.

TYPICAL TOOLS

EMAIL TRACER, TRUEBACK, CYBERCHECK

MANUAL

EMAIL TRACER FORENSIC TOOL

FEATURES OF EMAIL TRACER

• Display of Actual Mail Content for Outlook Express, Eudora, MS Outlook and mail clients with MBOX mailbox.

• Display the Mail Content (HTML / Text).

• Display the Mail Attributes for Outlook Express.

• Display of extracted E-mail header information.

• Save Mail Content as .EML file.

• Display of all Email attachments and Extraction.

• Display of E-mail route.

• IP trace to the sender’s system.

• Domain name look up.

• Display of geographical location of the sender’s gateway on a world map.

• Mail server log analysis for evidence collection.

• Access to Database of Country code list along with IP address information.

EMAIL TRACING OVER WEB

AS A PRE-EMPTIVE TOOL

EMAIL TRACING SERVICE

Users can submit their tracing task to Email Tracer through the web.

Tracing IP Address up to city level (non-spoofed).

Detection of spoofed mail.

Detailed report.
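Added example, not code from the CDAC Email Tracer tool: how the "display of E-mail route", "IP trace to the sender's system" and "detection of spoofed mail" features above work at the header level. The message, host names and addresses are constructed for illustration; real tracing would follow with a reverse DNS / WHOIS lookup of the origin address.

```python
import email
import re

# Constructed sample message (not from the original slides): three Received
# headers, newest first, as mail servers stack them on the way to "Y".
RAW_MAIL = b"""Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.recipient.example (Postfix) with ESMTP id 4F0A1
\tfor <y@recipient.example>; Mon, 12 Jul 2004 10:05:00 +0530
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.org with ESMTP; Mon, 12 Jul 2004 04:34:10 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby relay.example.net with SMTP; Mon, 12 Jul 2004 04:33:58 +0000
From: "Prof. X" <x@example.org>
To: y@recipient.example
Subject: Appointment

Please confirm a date.
"""

HOP_RE = re.compile(r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_route(raw):
    """Hops oldest-first as (from_host, from_ip, by_host). Each server prepends
    its own Received header, so the last one in the message is the first hop."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue                            # not a from/by hop line
        ip = IP_RE.search(text)
        hops.append((m.group("src"), ip.group(1) if ip else None, m.group("dst")))
    return hops


def origin_ip(raw):
    """IP address of the system that handed the mail to the first server."""
    hops = parse_route(raw)
    return hops[0][1] if hops else None


def chain_consistent(hops):
    """Each hop's receiving server should be the sending host of the next hop;
    a break in the chain is a sign of forged or inserted Received headers."""
    return all(hops[i][2] == hops[i + 1][0] for i in range(len(hops) - 1))


if __name__ == "__main__":
    route = parse_route(RAW_MAIL)
    print(route, origin_ip(RAW_MAIL), chain_consistent(route))
```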

SEIZURE & ACQUISITION TOOL

TRUEBACK

FEATURES OF TRUEBACK

DOS application with event based Windowing System.

Self-integrity check.

Minimum system configuration check.

Extraction of system information.

Three modes of operation:

- Seize
- Acquire
- Seize and Acquire

Disk imaging through Parallel port.

Disk imaging using Network Interface Card.

Block by Block acquisition with data integrity check on each block.

IDE/SCSI, USB, CD and Floppy acquisition.

Acquisition of floppies and CDs in Batch mode.

Write protection on all storage media except destination media.

Checking for sterile destination media.

Progress Bar display on all modes of operation.

Report generation on all modes of operation.

BIOS and ATA mode acquisition.
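Added example, not TrueBack's own code: block-by-block acquisition with a per-block integrity check and a sterile-media check, as listed above, followed by the re-verification an analysis tool performs when it loads the image. The "disk" is a constructed byte string standing in for seized media; SHA-256 is assumed as the hash.

```python
import hashlib
import io

BLOCK_SIZE = 512

# Constructed "disk" of 3 blocks (1536 bytes); stands in for the seized media.
SAMPLE_DISK = bytes(range(256)) * 6

def is_sterile(media):
    """Sterile destination check: every byte of the target media must be zero."""
    return not any(media)

def acquire(source, dest, block_size=BLOCK_SIZE):
    """Copy source to dest block by block, hashing each block as it is read.
    Returns (per-block SHA-256 list, SHA-256 of the whole image)."""
    block_hashes, whole = [], hashlib.sha256()
    while True:
        block = source.read(block_size)
        if not block:
            break
        dest.write(block)
        block_hashes.append(hashlib.sha256(block).hexdigest())
        whole.update(block)
    return block_hashes, whole.hexdigest()

def verify(image, block_hashes, image_hash, block_size=BLOCK_SIZE):
    """Re-hash the image block by block (what the analysis tool does on load).
    Returns (indices of blocks whose hash changed, whole-image hash matches?)."""
    bad, whole = [], hashlib.sha256()
    for i, expected in enumerate(block_hashes):
        block = image.read(block_size)
        whole.update(block)
        if hashlib.sha256(block).hexdigest() != expected:
            bad.append(i)
    return bad, whole.hexdigest() == image_hash

def demo():
    """Image the sample disk, verify it, then show a single flipped byte is localised."""
    dest = io.BytesIO()
    block_hashes, image_hash = acquire(io.BytesIO(SAMPLE_DISK), dest)
    clean = verify(io.BytesIO(dest.getvalue()), block_hashes, image_hash)
    tampered = bytearray(dest.getvalue())
    tampered[600] ^= 0xFF                       # byte 600 lies in block 1
    damaged = verify(io.BytesIO(bytes(tampered)), block_hashes, image_hash)
    return len(block_hashes), clean, damaged

if __name__ == "__main__":
    print(demo())  # (3, ([], True), ([1], False))
```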

ANALYSIS TOOL

CYBER CHECK

CyberCheck - Features

Standard Windows application.

Self-integrity check.

Minimum system configuration check.

Analyses evidence file containing FAT12, FAT16, FAT32, NTFS and EXT2FS file system.

Analyses evidence files created by the following disk imaging tools:

- TrueBack
- LinkMasster
- Encase

User login facilities.

Creates log of each analysis session and Analyzing officer’s details.

Block by block data integrity verification while loading evidence file.

Explorer type view of contents of the whole evidence file.

Display of folders and files with all attributes.

Show/Hide system files.

Sorting of files based on file attributes.

Text/Hex view of the content of a file.

Picture view of an image file.

Gallery view of images.

Graphical representation of the following views of an evidence file:

- Disk View
- Cluster View
- Block View

Timeline view of:

- All files
- Deleted files
- Time anomaly files
- Signature mismatched files
- Files created within a time frame

Display of cluster chain of a file.

Single and Multiple Keyword search.

Extraction of Disk, Partition, File and MBR slacks.

Exclusive search in slack space.

Extraction of unused unallocated clusters and exclusion from search space.

Exclusive search in used unallocated clusters.

Extraction of lost clusters.

Exclusive search in data extracted from lost clusters.

Extraction of Swap files.

Exclusive search in data extracted from Swap files.

File search based on file extension.

File search based on hash value.

Exclusion of system files from search space.

Data recovery from deleted files, slack space, used unallocated clusters and lost clusters.

Recovery of formatted partitions.

Recovery of deleted partitions.

Exporting files, folders and slack content.

Exporting folder structure including file names into a file.

Exporting files on to external viewer.

Local preview of storage media.

Network preview of storage media using cross-over cable.

Book marking of folders, files and data.

Adding book marked items into report.

Restoration of storage media.

Creating raw image.

Raw image analysis.

Facility for viewing Mailbox files of Microsoft Outlook Express, Microsoft Outlook, Eudora and Linux Mail clients.

Registry viewer.

Hash set of system files.

Identification of encrypted & password protected files.

Identification of steganographed image files.

Generation of analysis report with the following features:

- Complete information of the evidence file system
- Complete information of the partitions and drive geometry
- Hash verification details
- User login and logout information
- Exported content of text file and slack information
- Includes picture file as image

Saving report, search hits and book marked items for later use.

Password protection of report.

Print report.
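Added example, not CyberCheck's own code: two of the analysis features listed above, "Signature mismatched files" (the leading bytes of a file disagree with its extension, typical of content renamed to hide it) and "Hash set of system files" (known files excluded from the search space by hash). The evidence files and the one-entry hash set are constructed for illustration.

```python
import hashlib
from pathlib import PurePath

# Magic bytes for a few common formats (true file type, independent of name).
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF89a": "gif",
    b"PK\x03\x04": "zip",
    b"%PDF-": "pdf",
}
EXT_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "jar": "zip"}

def detect_type(data):
    """Type according to the file's leading bytes, or None if no known signature."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None

def classify(name, data, known_hashes):
    """Classify one file: known system file (hash set hit), signature/extension
    match, mismatch (content renamed to hide it), or no recognisable signature."""
    if hashlib.sha256(data).hexdigest() in known_hashes:
        return "known-system-file"
    ext = PurePath(name).suffix.lstrip(".").lower()
    ext = EXT_ALIASES.get(ext, ext)
    kind = detect_type(data)
    if kind is None:
        return "unknown-signature"
    return "match" if kind == ext else f"mismatch:{kind}-as-{ext}"

def scan(files, known_hashes):
    """Run classify over a {name: bytes} mapping; returns {name: verdict}."""
    return {name: classify(name, data, known_hashes) for name, data in files.items()}

# Constructed evidence files (not real case data) and a one-entry hash set.
SYSTEM_DLL = b"MZ\x90\x00" + b"\x00" * 60
KNOWN_HASHES = {hashlib.sha256(SYSTEM_DLL).hexdigest()}
EVIDENCE = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "notes.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,   # image renamed as text
    "kernel32.dll": SYSTEM_DLL,
    "secret.dat": b"\x8b\x13\x02\x77" + b"\x41" * 32,     # no known signature
}

if __name__ == "__main__":
    for name, verdict in scan(EVIDENCE, KNOWN_HASHES).items():
        print(f"{name:14} {verdict}")
```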

ISSUES AHEAD.. &.. TECHNOLOGY BEHIND..

CASE #4

A young girl had been involved in a series of sexually explicit exchanges via instant messenger system and email.

Upon investigation, the perpetrator was tracked to the home of a 50 year old prominent local physician.

Computers seized from the physician’s house had a 240GB hard disk each, full of files.

ISSUE #1

How to get convincing leads to go ahead with the case, in a short time, from among the overload of available material?

ADVANCED CONCEPT SEARCH

ISSUE #2

Computers contained many password protected/encrypted files.

How to get into these files in a short time.

PASSWORD CRACKING

GRID ENABLED PASSWORD CRACKER

[Diagram: GRID SERVER in the CYBER FORENSICS LAB, connected over the INTERNET to the FSL, POLICE CRIME CELL and CBI]

PASSWORD CRACKING OF ZIP FILES USING GRID

1. ZIPPED FILE SUBMISSION

2. SERVER RECEIVES AND DISTRIBUTES TO GRID CLIENTS

3. CLIENTS COMPUTE AND SEND RESULTS TO SERVER

4. GRID SERVER SENDS RESULTS OVER INTERNET

ISSUE #3

However, the case took a twist when it came to light that the doctor’s 13-year-old son and 15-year-old nephew had also been using the doctor’s account.

Who was at the keyboard then?

WHO’S AT THE KEYBOARD?

BIOMETRICS

A software driver associated with the keyboard records the user’s rhythm in typing.

These rhythms are then used to generate a profile of the authentic user.
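Added example, not from the slides: what "rhythm in typing" means in measurable terms and how a profile built from it is compared against a questioned session. The keystroke logs are constructed (a driver would record real press/release timestamps); the feature set and the relative-deviation score are the example's own simple choices.

```python
from statistics import mean, pstdev

def typed(text, dwell_ms, flight_ms, jitter=(0, 5, -5)):
    """Constructed keystroke log (not real capture data) for a phrase typed at a
    given rhythm. Each event is (key, press_time_ms, release_time_ms)."""
    events, t = [], 0
    for i, ch in enumerate(text):
        hold = dwell_ms + jitter[i % len(jitter)]
        events.append((ch, t, t + hold))
        t += hold + flight_ms + jitter[(i + 1) % len(jitter)]
    return events

def rhythm_features(events):
    """Dwell = how long a key is held; flight = gap from one key's release to the
    next key's press. Their means and spreads summarise the typist's rhythm."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return {"dwell_mean": mean(dwell), "dwell_sd": pstdev(dwell),
            "flight_mean": mean(flight), "flight_sd": pstdev(flight)}

def build_profile(sessions):
    """Average the rhythm features over several enrolment sessions of one user."""
    feats = [rhythm_features(s) for s in sessions]
    return {k: mean(f[k] for f in feats) for k in feats[0]}

def deviation(profile, session):
    """Mean relative distance between a session's rhythm and a stored profile."""
    f = rhythm_features(session)
    return mean(abs(f[k] - profile[k]) / max(profile[k], 1.0) for k in profile)

def nearest_user(profiles, session):
    """Which enrolled user's rhythm the questioned session is closest to."""
    return min(profiles, key=lambda user: deviation(profiles[user], session))

# Constructed enrolment data: a slow, deliberate typist and a fast one.
PROFILES = {
    "account holder": build_profile([typed("the quick brown fox", 95, 110),
                                     typed("password one", 90, 115)]),
    "second user": build_profile([typed("the quick brown fox", 55, 260),
                                  typed("password one", 60, 250)]),
}
QUESTIONED = typed("who is at the keyboard", 58, 255)

if __name__ == "__main__":
    for user in PROFILES:
        print(f"{user}: deviation {deviation(PROFILES[user], QUESTIONED):.3f}")
    print("nearest:", nearest_user(PROFILES, QUESTIONED))
```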

WHO’S AT THE KEYBOARD?

FORENSIC STYLISTICS

A qualitative approach to authorship assesses errors and “idiosyncrasies” based on the examiner’s experience.

This approach could be quantified through Databasing.

WHO’S AT THE KEYBOARD?

STYLOMETRY

It is a quantitative and computational method, focusing on readily computable and countable language features, e.g. word length, phrase length, sentence length, vocabulary frequency, and the distribution of words of different lengths.
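Added example, not from the slides: the countable features named above (word length, sentence length, vocabulary frequency, word-length distribution) computed for a questioned text and compared with known writing samples of two candidates. The samples are constructed; Euclidean distance over the bounded features is the example's own choice of comparison.

```python
import re
from collections import Counter
from math import sqrt

MAX_LEN = 12   # word lengths 1..11 get their own bucket, 12+ share the last

def features(text):
    """Countable stylometric features: mean word length, mean sentence length,
    type/token ratio, and the distribution of word lengths."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[a-z']+", text.lower())
    counts = Counter(min(len(w), MAX_LEN) for w in words)
    return {
        "mean_word_len": sum(len(w) for w in words) / len(words),
        "mean_sent_len": len(words) / len(sentences),
        "type_token": len(set(words)) / len(words),
        "len_dist": [counts[k] / len(words) for k in range(1, MAX_LEN + 1)],
    }

def distance(a, b):
    """Euclidean distance over the bounded features (length distribution and
    type/token ratio), so no single feature dominates."""
    va = a["len_dist"] + [a["type_token"]]
    vb = b["len_dist"] + [b["type_token"]]
    return sqrt(sum((x - y) ** 2 for x, y in zip(va, vb)))

def attribute(questioned, samples):
    """Name of the candidate whose known writing is stylometrically closest."""
    q = features(questioned)
    return min(samples, key=lambda who: distance(q, features(samples[who])))

# Constructed writing samples (not from any case file).
SAMPLES = {
    "A": "I got it. We can go now. It is fine. Do it fast. We are done.",
    "B": ("Considering the aforementioned circumstances, the committee recommends "
          "comprehensive evaluation of the infrastructure before authorising "
          "additional expenditure on experimental methodologies."),
}
QUESTIONED = "Go now. I am here. It is ok. We did it."

if __name__ == "__main__":
    for who, text in SAMPLES.items():
        print(who, round(distance(features(QUESTIONED), features(text)), 3))
    print("closest:", attribute(QUESTIONED, SAMPLES))
```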

REAL CYBER FORENSIC CHALLENGE IS YET TO COME…

GOA’s SKYBUS MISHAP

Konkan Railway Corporation Ltd's Skybus Metro dashed against a pole on the track during its trial run at Madgaon in Goa. "The skybus should have approached the station at the speed of 20 kmph. However, it was driving at 50 kmph. The sudden jerk after it hit the pole caused one person standing at the door to fall off and two others to suffer major injuries."

QUESTIONS BEING ASKED

Had the SKYBUS been tested sufficiently, and should this controller bug have been found out during testing?

WHO developed the control system software?

Who carried out the design and who carried out the design approval?