9. 1 Dirty SMS = 3 Years of Jail
Case Study 1
WHY r u sending me
DIRTY SMS ?
----------------------
Don’t lie UR cell no
has flashed on my
screen
SORRY !!! But I don’t
know you.
You are lying!!!
10. Threatening email was
sent from this cyber café.
Cyber Café has 100 machines & so many
customers.
HOW do I investigate?
1 Threatening Email = 3 Years of Jail
Case Study 2
11. Accounting Software worth
crores is stolen.
Interested in buying Accounting
Software at a cheap cost ?
Call 100-999-9999-22
Location: India
SALE!! SALE !! SALE!!
Accounting Software
Location: Finland
Case Study 3
12. Case Study 4
Stake Holders
Fake complaint via E-mail
Employee upset with
management
Demand an Immediate
Explanation ?????
13. Case Study 5
LOSS LOSS LOSS ?????
I am losing all my tenders.
SERVER
CRIME SERVER
Scenario at the office
14. Where is the
evidence ?
Mobile Tower / Phones
Finland OR Indian Server
Cloud
Internet
How to Investigate ?
Employees / People
How to PROVE the CRIME?
How to decipher 010101 ?
Can I submit the media in Court ?
VEXING Questions
15. Forensics is the process of using scientific
knowledge for collecting, analyzing, and
presenting evidence to the courts. (The
word forensics means “to bring to the
court.” )
Computer Forensics is the discipline that combines
elements of law and computer science to collect and
analyze data from computer systems, networks,
wireless communications, and storage devices in a
way that is admissible as evidence in a court of law.
Source : http://www.us-cert.gov/reading_room/forensics.pdf
Forensics & Computer
Forensics
16. Digital Evidence
Digital evidence is information and data of
value to an investigation that is stored on,
received, or transmitted by an electronic device.
This evidence is acquired when data or
electronic devices are seized and secured for
examination.
Sample illustration: Storage Media -> subjected to -> Computer Forensics process -> acquires -> DIGITAL EVIDENCE
17. May be found in:
Can be hidden in:
Can relate to :
Digital Evidence
19. Computer Forensics process would involve…..
Forensic analysis of
digital information
Identifying network computer
intrusion evidence
Identifying & examining
malicious files.
Employing techniques to
crack file & system
passwords.
Detecting
steganography
Recovering deleted,
fragmented & corrupted data
Maintaining evidence
custody procedures
Courtroom Presentation
20. Steps in Computer Forensics
1. Identification of Digital Evidence
2. Acquisition of Media
3. Forensic Analysis of Media
4. Documentation & Reporting
21. THE A TEAM
Domain Expert
Computer Forensics expert
Forensics Accounting expert
Software expert
Lawyer
22. Acquisition of Media
Authenticate the confiscated media
Hash value of the
suspect media
Hash value of the
cloned image file
If acquisition hash equals verification hash,
image is authentic.
SHA 1/256
24. Documentation & Reporting
Broad outline of Computer Forensic Report
1. Introduction to the case
2. Background of the issue
3. Details of forensic analysis carried out
4. Certification
25. Evidence Forms
A detailed sheet about each evidence item
Item serial number
Item detailed description
Type
Make
Model
Date and time collected
Notes
Any serial numbers, labels
26. Chain of Custody
The movement and location of physical evidence from the
time it is obtained until the time it is presented in court
Logs all evidence moves
HANDED BY
HANDED TO
DATE & TIME
Item serial number
Reason
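A continuity check over a custody log with the fields listed above, as an added example (not part of the original slides). The dictionary keys, the timestamp format and the sample entries are assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed sample log; names, item numbers and times are illustrative only.
LOG = [
    {"item": "HD-001", "handed_by": "Seizing Officer", "handed_to": "Evidence Clerk",
     "when": "2024-03-01 10:15", "reason": "Deposit after seizure"},
    {"item": "HD-001", "handed_by": "Evidence Clerk", "handed_to": "Forensic Examiner",
     "when": "2024-03-02 09:00", "reason": "Imaging"},
    {"item": "HD-001", "handed_by": "Lab Assistant", "handed_to": "Evidence Clerk",
     "when": "2024-03-02 08:30", "reason": ""},
]

REQUIRED = ("item", "handed_by", "handed_to", "when", "reason")


def custody_gaps(log):
    """Return (entry_index, problem) pairs for every break in the custody chain."""
    problems = []
    last = {}  # item serial number -> (current holder, time of last move)
    for i, entry in enumerate(log):
        missing = [k for k in REQUIRED if not str(entry.get(k, "")).strip()]
        if missing:
            problems.append((i, "missing field(s): " + ", ".join(missing)))
        if "item" in missing or "when" in missing:
            continue  # cannot place this entry in a chain
        when = datetime.strptime(entry["when"], "%Y-%m-%d %H:%M")
        if entry["item"] in last:
            holder, prev_when = last[entry["item"]]
            # The person handing over must be the person who last received it.
            if entry.get("handed_by") != holder:
                problems.append((i, f"handed by {entry.get('handed_by')!r}, "
                                    f"but last holder was {holder!r}"))
            # Moves of one item must be recorded in time order.
            if when < prev_when:
                problems.append((i, "date & time earlier than previous move"))
        last[entry["item"]] = (entry.get("handed_to"), when)
    return problems


if __name__ == "__main__":
    for index, problem in custody_gaps(LOG):
        print(f"entry {index}: {problem}")
```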
27. Creating an Image of Media
Image is a bit-for-bit copy of the original
If a disk has 5000 sectors, then the image created will
have an exact copy of all 5000 sectors in the same order
Media (evidence) must be protected from accidental
writes / alterations
Hard disk (media) -> Write-blocker device -> Imaging workstation
28. Write blockers & alternatives
Write-blocker is a device that sits in between the
computer and the media
Blocks all write commands
Lets through all read commands
Prevents accidental alteration / deletion / addition of
data
Alternatives include using a forensic live boot CD or a
drive duplicator
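The acquisition and authentication steps from the "Acquisition of Media" and "Creating an Image of Media" slides, as an added example (not part of the original slides). A constructed 5000-sector file stands in for the suspect media; the 512-byte sector size, file names and function names are assumptions.

```python
import hashlib
import os
import tempfile

SECTOR = 512          # assumed sector size for the constructed sample
CHUNK = 64 * SECTOR   # read in whole-sector multiples


def acquire(source_path, image_path, algo="sha256"):
    """Copy source to image bit-for-bit and return the acquisition hash."""
    h = hashlib.new(algo)
    # Source is opened read-only; this does not replace a hardware write-blocker.
    # Mode "xb" refuses to overwrite an existing image file.
    with open(source_path, "rb") as src, open(image_path, "xb") as dst:
        while chunk := src.read(CHUNK):
            h.update(chunk)
            dst.write(chunk)
    return h.hexdigest()


def verify(image_path, acquisition_hash, algo="sha256"):
    """Re-read the image from disk and compare with the acquisition hash."""
    h = hashlib.new(algo)
    with open(image_path, "rb") as img:
        while chunk := img.read(CHUNK):
            h.update(chunk)
    return h.hexdigest() == acquisition_hash


def demo():
    """Constructed sample: image a 5000-sector file, verify, then alter it."""
    with tempfile.TemporaryDirectory() as d:
        media, image = os.path.join(d, "media.bin"), os.path.join(d, "image.dd")
        with open(media, "wb") as f:
            for n in range(5000):
                f.write(n.to_bytes(4, "big") * (SECTOR // 4))
        acq = acquire(media, image)
        same_size = os.path.getsize(image) == 5000 * SECTOR
        authentic = verify(image, acq)
        # Alter one byte in the image: the verification hash must stop matching.
        with open(image, "r+b") as f:
            f.seek(1234 * SECTOR)
            f.write(b"\xff")
        still_matches = verify(image, acq)
        return same_size, authentic, still_matches


if __name__ == "__main__":
    print(demo())
```

Passing `algo="sha1"` to both functions gives the SHA-1 variant named on the slide.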
29. Indian Evidence Act
Sec. 3 (a) – Scope of definition of evidence
expanded to include electronic records
30. Sec. 65B - Admissibility of electronic records
The person owning or in-charge of the computer
from which the evidence is taken has to give
certificate as to the genuineness of electronic
record.
INDIAN EVIDENCE ACT
31. Sec. 88A - Presumption as to electronic messages
The Court may presume that an electronic message
forwarded by the originator through an electronic mail
server to the addressee to whom the message
purports to be addressed corresponds with the
message as fed into his computer for transmission;
but the Court shall not make any presumption as to
the person by whom such message was sent.
INDIAN EVIDENCE ACT
32. The Information Technology Act
Sec. 79A - Central Government to notify
Examiner of Electronic Evidence
The Central Government may, for the purposes of
providing expert opinion on electronic evidence
before any court or other authority specify, by
notification in the Official Gazette, any
Department, body or agency of the Central
Government or a State Government as an
Examiner of Electronic Evidence
34. Section 43
Unauthorised Access
Remedy – Damages by the way of compensation
Amount – Unlimited
What needs to be proved – Amount of damages
suffered
37. Shri. Thomas Raju Vs
ICICI Bank
Case decided by – the Adjudicating officer, Government of Tamilnadu
Petitioner suffered a loss of Rs. 1,62,800/- as a result of the phishing
attack
Amount was supposed to have been transferred on the account of
another customer of ICICI Bank
Petitioner claimed that he had suffered a loss due to unauthorised access
to his account
Petitioner further claimed that he had suffered a loss as the bank had failed
to establish due diligence and to provide adequate checks and
safeguards to prevent unauthorised access into his account. The bank had
also not adhered to the KYC norms given by the RBI.
38. Section 66
Removal of definition of “hacking”
Section renamed as Computer related offences
All the acts referred under Section 43, are covered
u/Sec. 66 if they are done “dishonestly” or
“fraudulently”
39. Section 43(A) – Compensation for failure to
protect data
If body corporate, possessing, dealing or handling any
sensitive personal data or information in a computer
resource which it owns, controls or operates, is negligent in
implementing and maintaining reasonable security
practices and procedures and thereby causes wrongful loss
or wrongful gain to any person
Liability – Damages by the way of Compensation
40. HSBC - Nadeem Kashmiri case
Based on complaints from customers, HSBC carried out an
internal investigation and registered a case
Involvement of Call centre employee (Nadeem Kashmiri)
He was arrested U/Sec. 66 & 72
HSBC also sued Call centre for the loss
49. Privacy and Disclosure of Information
policy
Rule 4 - IT (Reasonable security practices and procedures and sensitive
personal data or information) Rules, 2011
51. Disclosure
Rule 6 - IT (Reasonable security practices and procedures and sensitive
personal data or information) Rules, 2011
52. Transfer of information
Rule 7 - IT (Reasonable security practices and procedures and sensitive
personal data or information) Rules, 2011
53. Sec 72(A) (Criminal offence)
Punishment for Disclosure of information in breach of
lawful contract -
Knowingly or intentionally disclosing “Personal
Information" in breach of lawful contract
Imprisonment up to 3 years or fine up to 5 lakh or with
both (Cognizable but Bailable)
55. Section 66 A
• Sending of offensive or false messages
• Covers following sent by sms / email:-
grossly offensive messages
menacing messages
false information sent for causing annoyance,
inconvenience, danger, obstruction, insult, injury,
criminal intimidation, enmity, hatred or ill will..
phishing, email spoofing, Spam mails, Threat mails
• Punishment – imprisonment up to 3 years and fine
56. Section 66 B
• Dishonestly receiving stolen computer
resource or communication device
• Covers use of stolen Computers,
mobile phones, SIM Cards, etc
• Punishment – imprisonment up to 3 years
and fine
57. Section 66 C
• Identity theft
• Fraudulently or dishonestly using someone
else’s electronic signature, password or any
other unique identification feature
• Punishment - imprisonment
up to 3 years and fine
58. Section 66 D
• Cheating by Personation
• Cheating by pretending to be some other person
• To create an e-mail account, Social networking a/c
in someone else's name
• Punishment – imprisonment up to 3 years and fine
59. Investigation Powers
Section 78
Cyber crime cases can now be investigated by
Inspector rank police officers (PI)
Earlier such powers were with the “DYSP/ACP”
60. Sec. 79
Liability of Intermediary
Intermediary is not liable for any third party information, data, or
communication link made available or hosted by him –
if his function is limited to providing access to such link
the intermediary does not—
initiate the transmission,
select the receiver of the transmission, and
select or modify the information contained in the transmission;
61. Sec. 79
Liability of Intermediary
Observing due diligence –
The Information Technology (Intermediaries guidelines)
Rules, 2011
62. Compounding of Offences
Section 77 (A)
Compounding – “Out of court settlement”
Offences -
for which less than three years imprisonment
has been provided and
Which are not committed against women or children
can be compounded
Acquisition method:
Acquired image name:
Software with version number used for acquisition:
The Chain of Custody file also has a running log that tracks evidence movement. Every time evidence is handed from one person to another an entry must be created here.
Electronic records – Sec. 2(1)(t) - "electronic record" means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche.
Rule 3. Sensitive personal data or information.— Sensitive personal data or information
of a person means such personal information which consists of information relating
to;―
(i) password;
(ii) financial information such as Bank account or credit card or debit card or
other payment instrument details ;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) Biometric information;
(vii) any detail relating to the above clauses as provided to body corporate for
providing service; and
(viii) any of the information received under above clauses by body corporate
for processing, stored or processed under lawful contract or otherwise:
provided that, any information that is freely available or accessible in public
domain or furnished under the Right to Information Act, 2005 or any other law for the
time being in force shall not be regarded as sensitive personal data or information for
the purposes of these rules.