Digital Forensics best practices with the use of open source tools and admissibility of digital evidence in courts
Digital Forensics best practices with the use of open source tools and admissibility of digital evidence in courts Presentation Transcript

  • 1. Digital Forensics Best Practices with the use of Open Source Tools and Admissibility of Digital Evidence in Courts. Mr. Ninad Nawaghare (CFE, CFAP, DEA, CSIR); Mr. Sagar Rahurkar (CFE, BLS, LLB, LLM, CCI)
  • 2. Illustration 1: The boy is accused of sending an obscene SMS. As per the National Crime Research Bureau, during 2012, 587 cases were registered under the cyber crime category for eve teasing / harassment. Source: National Crime Research Bureau - http://ncrb.gov.in/
  • 3. Illustration 2: The origin of a threatening email was traced back to a cyber café. As per the National Crime Research Bureau, during 2012, a total of 135 cases were registered under the cyber crime category for extortion and revenge settling. Source: National Crime Research Bureau - http://ncrb.gov.in/
  • 4. Illustration 3: Accounting software is stolen from a server located in Country A. With minor alterations, the same software is sold at a cheaper cost in Country B. As per the National Crime Research Bureau, during 2012, a total of 624 cases were registered under the cyber crime category for greed of money and 668 cases were registered for fraud / illegal gain. Source: National Crime Research Bureau - http://ncrb.gov.in/
  • 5. Illustration 4: With the intention of taking revenge on the management, a disgruntled employee sends a fake mail to the stakeholders alleging irregularities in the company's affairs. As per the National Crime Research Bureau, during 2012, a total of 117 cases were registered under the cyber crime category for causing disrepute to an individual, government or organization. Source: National Crime Research Bureau - http://ncrb.gov.in/
  • 6. Vexing questions with respect to the illustrations: Where is the evidence? How do I investigate? How to prove the crime? What is the evidence?
  • 7. Solution is "Digital Forensics". 'Digital' is defined in the Oxford Dictionary as: (of signals or data) expressed as a series of the digits 0 and 1, typically represented by values of a physical quantity such as voltage or magnetic polarization; often contrasted with analogue; involving or relating to the use of computer technology: the digital revolution. 'Forensics' is defined in the Oxford Dictionary as: scientific tests or techniques used in connection with the detection of crime. Thus Digital Forensics can be defined as: a discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications and storage devices in a way that is admissible as evidence in a court of law. Sources: http://oxforddictionaries.com/definition/english/digital?q=Digital and http://oxforddictionaries.com/definition/english/forensic
  • 8. The expected outcome of "Digital Forensics" is "Digital Evidence". Digital evidence can be defined as: information and data of value to an investigation that is stored on, received, or transmitted by an electronic device. This evidence is acquired when data or electronic devices are seized and secured for examination. Traits of Digital Evidence: May be found in storage devices like hard disc, CD, DVD, memory card, USB drive, mobile phones and SIM cards, and online resources like mail servers and cloud servers. Can be hidden in password-protected files, encrypted files, steganography files, a formatted hard disc, or the HPA (Host Protected Area) or DCO (Device Configuration Overlay) of a hard drive. Can relate to online fraud, organized crime, identity theft, data theft, unauthorized access, malicious files (virus attack), data alteration, cyber defamation, cyber pornography, online gambling, sale of illegal items, etc.
  • 9. Phases in the "Digital Forensics" process: Phase 1: Identification of storage media for potential evidence. Phase 2: Acquisition of the storage media. Phase 3: Forensic analysis of the acquired media. Phase 4: Documentation and reporting.
  • 10. Forensic analysis of the acquired media involves: analyzing digital information; identifying traces of network / computer intrusion; identifying and examining malicious files; employing techniques to crack file and system passwords; detecting steganography; recovering deleted, fragmented and corrupted data; analyzing online activities; maintaining evidence custody procedures; courtroom presentation.
  • 11. To Recapitulate: The Digital Forensics Process is applied to storage media and acquires digital evidence. The Digital Forensics Process can be implemented either by using commercial tools (a.k.a. proprietary tools) or open source free tools. Commercial / Proprietary Tools are software applications designed with a commercial objective; the source code and the internal working of the software application are privileged and concealed from the user. Open Source Free Tools are software applications available for usage at no cost; the source code and the internal working of the software application are known to the user. Furthermore, the user has the liberty of altering the source code as per the requirements.
  • 12. ISSUES with Commercial / Proprietary Tools: high capital cost; high operational cost; high maintenance cost (paid updates or bug fixing); algorithm / logic not known; source code is strictly privileged; heavy dependency on the software manufacturer; restricted usage. ADVANTAGES of Open Source Tools: zero capital cost; minimal / no operational cost; minimal / no maintenance cost; algorithm / logic is known to the user; source code is freely available for access, editing and customization; extensive support from the open source community; free usage for any number of users.
  • 13. Law Enforcement initiatives in "Open Source Digital Forensics Tools": By the Belgian Federal Computer Crime Unit (FCCU): http://www.lnx4n6.be/index.php. An advanced network forensic framework by the Australian Federal Police, Brisbane, Australia: http://sourceforge.net/projects/pyflag/files/. A project in The Software and Systems Division supported by the Law Enforcement Standards Office and the Department of Homeland Security: http://www.cftt.nist.gov/index.html
  • 14. Law Enforcement initiatives in "Open Source Digital Forensics Tools" (cont.): The Open Computer Forensics Architecture (OCFA) is a modular computer forensics framework built by the Dutch National Police Agency: http://ocfa.sourceforge.net/. ForeIndex: A Framework for Analysis and Triage of Data Forensics, by a Forensic Expert of the Brazilian Federal Police and a Researcher of the Brazilian Space Agency: http://www.basistech.com/about-us/events/open-source-forensics-conference/2011/presentations/
  • 15. Commercial / Proprietary and Open Source Tools for Imaging in the Acquisition Phase (open source tools listed below may not be limited to the same). Proprietary Tools: EnCase Forensic - Guidance Software, www.guidancesoftware.com/encase-forensic.htm; FTK - AccessData, www.accessdata.com/products/digital-forensics/ftk; WinHex - X-Ways Software Technology AG, www.x-ways.net/winhex/; Forensics Apprentice, www.registryforensics.com/; BlackLight, www.blackbagtech.com/blacklight-1.html; Cellebrite - Mobile Forensics and Data Transfer Solutions, www.cellebrite.com/; Paraben - Handheld Digital Forensics, http://www.paraben.com/handheld-forensics.html. Open Source Tools: Digital Forensics Framework, www.digital-forensic.org; CAINE, www.caine-live.net/; DEFT, www.deftlinux.net/
  • 16. Commercial / Proprietary and Open Source Tools for Forensic Analysis (analyzing digital information; identifying and examining malicious files; recovering deleted, fragmented, corrupted data; analyzing online activities; analyzing mobiles; open source tools listed below may not be limited to the same). Proprietary Tools: EnCase Forensic - Guidance Software, www.guidancesoftware.com/encase-forensic.htm; FTK - AccessData, www.accessdata.com/products/digital-forensics/ftk; WinHex - X-Ways Software Technology AG, www.x-ways.net/winhex/; Forensics Apprentice, www.registryforensics.com/; BlackLight, www.blackbagtech.com/blacklight-1.html; Cellebrite - Mobile Forensics and Data Transfer Solutions, www.cellebrite.com/; Paraben - Handheld Digital Forensics, http://www.paraben.com/handheld-forensics.html. Open Source Tools: Digital Forensics Framework, www.digital-forensic.org; CAINE, www.caine-live.net/; DEFT, www.deftlinux.net/; SAFT Mobile Forensics, www.signalsec.com/saft/
  • 17. Commercial / Proprietary and Open Source Tools for Forensic Analysis (cont.) (identifying traces of network / computer intrusion; open source tools listed below may not be limited to the same). Analyzing RAM - Free Tools: CMAT, http://sourceforge.net/projects/cmat; Volafox, https://www.volatilesystems.com/default/volatility; Volatile, https://www.volatilesystems.com/default/volatility. Proprietary Tools: Second Look, http://secondlookforensics.com/; Windows Scope, http://windowsscope.com/; Memoryze, http://www.mandiant.com/resources/download/memoryze/. Network Forensics (capturing / analyzing network packets) - Free Tools: WireShark, http://www.wireshark.org/; NetworkMiner, http://networkminer.en.malavida.com/. Proprietary Tools: NetIntercept, http://www.securitywizardry.com/index.php/products/forensic-solutions/network-forensic-tools/niksun-netintercept.html. Registry analysis - Free Tools: Registry Decoder, http://www.digitalforensicssolutions.com/registrydecoder/. Proprietary Tools: Registry Recon, http://arsenalrecon.com/apps/
  • 18. Commercial / Proprietary and Open Source Tools for Forensic Analysis (cont.) (employing techniques to crack file and system passwords; open source tools listed below may not be limited to the same). Password cracking - Free Tools: John the Ripper, www.openwall.com/john; cracking passwords for Windows, PDF, Word, RAR, ZIP and Excel, http://pcsupport.about.com/od/toolsofthetrade/tp/password-cracker-recovery.htm. Proprietary Tools: Password Recovery, www.elcomsoft.com/products.html; Passware, http://www.lostpassword.com/. Detecting Pornography - Free Tools: Redlight Porn Scanner, http://dfcsc.uri.edu/research/redLightTrial [NIJ Funded Project: http://www.nij.gov/topics/technology/software-tools.htm]. Proprietary Tools: SurfRecon, http://www.surfrecon.com/products/home-edition.php
  • 19. Admissibility of Digital Evidence in Courts
  • 20. Orientation • Digital Evidence - Meaning • Requirements U/Sec. 65B of the Indian Evidence Act • Expert Examiner of Electronic Evidence • Daubert Principle for Expert Witness
  • 21. Digital Evidence Evidence as defined U/Sec. 3 of the Indian Evidence Act means and includes – All statements and all documents including electronic records produced for the inspection of the Court.
  • 22. Requirement U/Sec. 65B of the Indian Evidence Act. Sec. 65B - Admissibility of electronic records: • Any information contained in an electronic record, • if printed on a paper, stored, recorded or copied in optical or magnetic media produced by a computer, shall be deemed to be a document, • if the conditions mentioned in this section are satisfied in relation to the information and computer in question, and • shall be admissible in any proceedings, without further proof or production of the original, as evidence of any contents of the original or of any fact stated therein of which direct evidence would be admissible.
  • 23. Conditions U/Sec. 65B (a) Regular use of Computer by the authorised person The computer output containing the information was produced by the computer during the period over which the computer was used regularly to store or process information for the purposes of any activities regularly carried on over that period by the person having lawful control over the use of the computer. (b) Regular feeding of information in the system in the ordinary course of Business During the said period, information of the kind contained in the electronic record or of the kind from which the information so contained is derived was regularly fed into the computer in the ordinary course of the said activities;
  • 24. Conditions U/Sec. 65B (c) Working state of the media: Throughout the material part of the said period, the computer was operating properly or, if not, then in respect of any period in which it was not operating properly or was out of operation during that part of the period, was not such as to affect the electronic record or the accuracy of its contents; and (d) The information contained in the electronic record reproduces or is derived from such information fed into the computer in the ordinary course of the said activities.
  • 25. Requirement of an Affidavit • To demonstrate compliance with the requirements of conditions, a statement in form of affidavit is required to be made in the court. • It should be signed by a person occupying a responsible official position in relation to the operation of the relevant device or the management of the relevant activities • Section 65B(4).
  • 26. Is it really necessary? • The requirement to file an affidavit under Sec. 65B is not absolute. The Supreme Court, in the case of State v. Navjot Sandhu, while examining Section 65B, held that even when an affidavit / certificate under Sec. 65B is not filed, it would not foreclose the Court from examining such evidence, provided it complies with the requirements of Sections 63 and 65 of the Evidence Act (refer to Para 150 of the judgement). • In Vodafone Essar Ltd. vs. Raju Sud, the Bombay High Court dispensed with the requirement under Sec. 65B.
  • 27. Expert Witness • Witness, who by virtue of education, training, skill, or experience, is believed to have knowledge in a particular subject beyond an average person. • In a famous Scottish case, Davie v Edinburgh Magistrates (1953), the function of an expert witness is discussed as, ‘to furnish the judge with the necessary scientific criteria for testing the accuracy of their conclusions, so as to enable them to form their own independent judgment by the application of these criteria to the facts provided in evidence’.
  • 28. Daubert Principle for Expert Witness: If scientific, technical, or other specialized knowledge will assist the trier of fact to understand the evidence or to determine a fact in issue, a witness qualified as an expert by knowledge, skill, experience, training, or education may testify to his opinion. Criteria for an expert under the principle: 1) Whether the expert has used scientific methods / discovery techniques? 2) Whether the method(s) used by the expert in the case have ever been used by any other expert, or the same expert, in any other case? 3) Whether the testimony is the product of reliable principles and methods? 4) Whether the expert has applied the principles and methods reliably to the facts of the case?
  • 29. Examiner of Electronic Evidence: Sec. 79A - The Information Technology Act, 2000. • The Central Government may, for the purposes of providing expert opinion on electronic evidence before any court or other authority, specify, by notification in the Official Gazette, any department, body or agency of the Central Government or a State Government as an Examiner of Electronic Evidence.
  • 30. Sagar Rahurkar @ - contact@sagarrahurkar.com # - +91-9623444448 Ninad Nawaghare @ - ninad.nawaghare@gmail.com # - +91-9004094463
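As an added example (not from the slides and not the code of any tool named on them), the Python below walks through phases 2 to 4 of slide 9, and the "recovering deleted data" and "evidence custody" items of slide 10, on a constructed stand-in for a seized drive: a dd-style block-by-block acquisition that hashes the bytes as they are read, re-verification of the working copy before analysis, signature-based carving of a deleted PNG whose bytes survive in unallocated space, and a JSON acquisition record that ties each recovered artefact to the image hash. The device contents, the 1x1 PNG, the block size and the examiner placeholder are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import io
import json
import struct
import zlib
from datetime import datetime, timezone

BLOCK_SIZE = 512                       # sector-sized reads, as a dd-style imager does
PNG_SIG = b"\x89PNG\r\n\x1a\n"         # 8-byte PNG file header
PNG_IEND = b"IEND\xaeB`\x82"           # IEND chunk type followed by its fixed CRC
PNG_OFFSET = 3 * BLOCK_SIZE            # where the "deleted" picture's bytes still sit (constructed)


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def sample_png() -> bytes:
    """A minimal, valid 1x1 RGB PNG, constructed for the example."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte 0 + one red pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def build_sample_device() -> bytes:
    """Constructed stand-in for a seized drive: a directory area that no longer
    references the picture, followed by the picture's intact but unallocated bytes."""
    directory = b"DIR: readme.txt notes.txt\x00"          # no entry for the picture
    blob = directory.ljust(PNG_OFFSET, b"\x00") + sample_png()
    return blob.ljust(8 * BLOCK_SIZE, b"\x00")            # 4 KiB device, zero-filled tail


def acquire_image(device, block_size: int = BLOCK_SIZE) -> tuple[bytes, dict]:
    """Phase 2: bit-for-bit copy read block by block, hashing the bytes as they are
    read so the source hash is fixed before any analysis touches the copy."""
    sha, md5, out, blocks = hashlib.sha256(), hashlib.md5(), io.BytesIO(), 0
    while True:
        chunk = device.read(block_size)
        if not chunk:
            break
        sha.update(chunk)
        md5.update(chunk)
        out.write(chunk)
        blocks += 1
    image = out.getvalue()
    record = {
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "block_size": block_size,
        "blocks_read": blocks,
        "bytes": len(image),
        "source_sha256": sha.hexdigest(),
        "source_md5": md5.hexdigest(),
        # the finished image is hashed independently and must match the source hash
        "image_sha256": hashlib.sha256(image).hexdigest(),
    }
    record["verified"] = record["image_sha256"] == record["source_sha256"]
    return image, record


def acquire_sample() -> tuple[bytes, dict]:
    """Acquire the constructed device through a file-like object, as a real device would be."""
    return acquire_image(io.BytesIO(build_sample_device()))


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Re-hash a working copy before analysis or courtroom use; a mismatch means
    the copy is not the one recorded at acquisition."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


def carve_png(image: bytes) -> list[tuple[int, bytes]]:
    """Phase 3: recover PNG files by header/footer signature alone, ignoring file
    system metadata, so deleted-but-not-overwritten pictures are found too."""
    found = []
    pos = image.find(PNG_SIG)
    while pos != -1:
        end = image.find(PNG_IEND, pos)
        if end == -1:
            break                       # header without footer: truncated, nothing to carve
        end += len(PNG_IEND)
        found.append((pos, image[pos:end]))
        pos = image.find(PNG_SIG, end)
    return found


def acquisition_report(record: dict, carved: list[tuple[int, bytes]]) -> str:
    """Phase 4: documentation tying each recovered artefact to the hashed image."""
    report = dict(record)
    report["examiner"] = "<examiner name>"        # placeholder, not from the slides
    report["artefacts"] = [
        {"offset": off, "size": len(data), "sha256": hashlib.sha256(data).hexdigest()}
        for off, data in carved
    ]
    return json.dumps(report, indent=2)


if __name__ == "__main__":
    image, record = acquire_sample()
    assert verify_image(image, record["source_sha256"])
    print(acquisition_report(record, carve_png(image)))
```

The source hash is computed from the same read loop that produces the image rather than from a second pass over the device, which is what makes a later `verify_image` check meaningful: the record states what was read at acquisition time, and every analysis step runs against a copy that has been checked against that record. The carver finds the picture at the constructed offset even though the directory area no longer mentions it; a header with no matching footer is reported as nothing rather than as a partial file, so the report never lists an artefact that could not be reproduced from the image.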