Cyber Forensic - Policing the Digital Domain


I presented this lecture at Ramkrishna Mission Vidyamandir, Belur under Soft Computing Techniques and their Applications Seminar in March, 2009

  • UGC sponsored National level Seminar on Soft Computing and Its Applications in the Department of Computer Science and Applications
  • Two separate mails were sent – one to Actel guys (our client) and the other to Broadcom guys (our prospect)
  • Behind the Name: “Madhabhushi Venkata Narasimha Sesha Pundarikaksha Madhava Ravikumar”
  • 13-Feb-2009, Sindh Today:
  • The Processes include: Specification Development Process: after a tool category and at least one tool are selected by the steering committee, NIST and law enforcement staff develop a requirements, assertions and test cases document (called the tool category specification). The tool category specification is posted to the web for peer review by members of the computer forensics community and for public comment by other interested parties. Relevant comments and feedback are then incorporated into the specification. Finally, a test environment is designed for the tool category. Tool Test Process: after a category specification has been developed and a tool selected, NIST goes ahead with the test process. It acquires the tool to be tested, reviews the tool documentation, selects relevant test cases depending on the features supported by the tool, develops the test strategy, executes the tests and finally produces a test report. The Steering Committee and the vendor then review the test report. At the end, NIST posts the support software and the test report to the web.
  • CATEGORIES OF CYBER LAWS •  Laws Relating to Digital Contracts •  Laws Relating to Digital Property •  Laws Relating to Digital Rights •  Law of Cyber Crimes
  • Cyber Action Teams (CATs) : These are small, highly-trained teams of FBI agents, analysts, and computer forensics and malicious code experts who travel the world on a moment’s notice to respond to fast-moving cyber threats. Computer Crimes Task Force : An FBI agent takes a call from an Internet scam victim. Down the hall in a computer lab, a police detective poses undercover as a teenage girl in an online chat room. Steps away, a forensic examiner is breaking passwords and decrypting files on a suspected hacker’s computer. Internet Crime Complaint Center (IC3) [13]: The FBI and the National White Collar Crime Center have set up a clearinghouse for triaging cyber crime complaints called the Internet Crime Complaint Center, or IC3. Based in West Virginia, it works closely with a range of law enforcement agencies and private sector organizations.

    1. Cyber Forensic: Policing the Digital Domain
       Dr. Partha Pratim Das, Interra Systems (India) Pvt. Ltd.
       Soft Computing Techniques and their Applications, Ramkrishna Mission Vidyamandir, Belur, March 7, 2009
    2. Risks in the Cyber World: What we live with today
    3. Defamation Attack @ Interra
    4. Defamation Attack @ Interra
       • Mon, 19 Mar 2007
       • We start getting a series of defamatory mails from <AA>
       • Mails are received by:
         ◦ CEO
         ◦ VP
         ◦ MD
         ◦ HR
         ◦ Client’s Executives
         ◦ Prospect’s Executives
    5. Sample Mails
       From: <Attacker>
       To: [email_address]
       CC:,,
       Subject: Law suits
       Date: Mon, 19 Mar 2007 07:02:15 -0700 (PDT)

       Hi guys,

       I am hearing that you guys cheat, poach employees from other companies and try to steal IP secrets. Don't get into this game. If you keep doing this, your operation will be exposed and there may be even Lawsuits. All your client companies will be alerted.

       Be careful and watch for yourself!

       Regards, <AA>
    6. Sample Mails
       From: <Attacker>
       To: <CEO>, <MD>
       Cc: <VP>
       Sent: Monday, March 19, 2007 7:51 PM
       Subject: Unethical hiring practice

       <CEO>, <MD>:

       I know you guys. If you use unethical practices to hire people in India, you will loose major clients. We can decimate you into pieces. You are a service company and you should not play with companies who would be your potential clients. If you want to play, we know how to tarnish your name.

       If people come to know of your unethical practices, they wills screw you.

       Be careful...

       Regards, <AA>
    7. Sample Mails
       From: <Attacker>
       To: <List of Top Executives from a Client / Prospect>
       Cc: <Attacker>
       Bcc: <CEO>, <MD>
       Sent: Monday, March 19, 2007 8:02 PM
       Subject: Your partner company into unethical practices

       Hi <Client> Executives:

       I am just warning you that your partner company, "Interra Systems" is into unethical practices, which may drag you into lawsuits. They don't observe and hire employees from your competitive companies and put them into your project. Just be careful. A major company found this and preparing a lawsuit against Interra and potentially against you

       Regards, <AA>
    8. What do we do?
       • Identify Evidence (collect carefully):
         ◦ Mail headers – as these provide route information
         ◦ Address books – as these may be the source of the spammed IDs
         ◦ …
       • Preserve all Trace:
         ◦ Start dumping all mails at the server
         ◦ Freeze address books on all laptops
         ◦ …
    9. Header under Scanner
       From: - Mon Mar 19 19:33:57 2007
       <X Fields>
       Received: from ( []) by (8.11.4/8.11.4) with ESMTP id l2JDvNd02284; Mon, 19 Mar 2007 19:27:24 +0530 (IST)
       Received: from ( []) by (8.11.6/8.11.6) with SMTP id l2JF0nM18267 for <>; Mon, 19 Mar 2007 07:00:49 -0800 (PST)
       Received: from source ([]) by ([]) with SMTP; Mon, 19 Mar 2007 06:02:15 PST
       Received: (qmail 21835 invoked by uid 60001); 19 Mar 2007 14:02:15 -0000
       DomainKey-Signature: <…>
       X-YMail-OSG: <…>
       Received: from [aaa.bbb.ccc.ddd] by web62012.mail.re1.<publicmail>.com via HTTP; Mon, 19 Mar 2007 07:02:15 PDT
       Date: Mon, 19 Mar 2007 07:02:15 -0700 (PDT)
       From: <AA>
       Subject: Law suits
       To: [email_address]
       Cc:,,
       MIME-Version: 1.0
       <Content-…>
       Message-ID: <255593.21124.qm@web62012.mail.re1.<publicmail>.com>
       <X Fields>
    10. What’s coming out?
       • Analysis:
         ◦ Header trace route:
           ▪ All mails follow the same route
           ▪ All mails sent from the same address [aaa.bbb.ccc.ddd]
           ▪ All mails sent within a small time window
         ◦ Address book:
           ▪ IDs of Client’s Executives found in 3 laptops
           ▪ IDs of Prospect’s Executives were not found in any laptop
         ◦ Attacker is using a public mail account
           ▪ Even when writing to client / prospect
         ◦ In the client-addressed mail, CEO & MD are BCC
           ▪ Attacker wants us to know – motive blackmail?
         ◦ Attacker uses 2 IDs and sends 4 mails with mostly the same content
           ▪ Attacker is used to spamming
           ▪ Attacker is trying to create nuisance
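The header reading on slides 9 and 10 (walk the Received chain from the bottom up, pull the originating address from the first hop, compare route, origin and send times across the batch) can be done mechanically. The following is an added example, not code from the deck or from Interra: it builds constructed mails in the shape of slide 9's header (placeholder hostnames, RFC 5737 documentation addresses, invented sender IDs) and correlates them the way slide 10 does by hand.

```python
"""Reconstruct each mail's delivery route from its Received headers and test
whether a batch of mails shares one route, one originating address and a
narrow sending window, as the slide's analysis does by hand."""
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# A relay is a fully qualified host after "by". A local-delivery note such as
# "(qmail 21835 invoked by uid 60001)" has no dotted host after "by" and is
# therefore not counted as a hop.
BY_HOST = re.compile(r"\bby\s+([\w-]+(?:\.[\w-]+)+)")
BRACKETED_IP = re.compile(r"\[\s*(\d{1,3}(?:\.\d{1,3}){3})\s*\]")


def constructed_mail(sender, date, origin_ip):
    """Constructed sample in the shape of the slide's header: placeholder
    hostnames, RFC 5737 documentation addresses, no real mail."""
    return (
        "Received: from mx.corp.example ([192.0.2.10]) by mail.corp.example"
        " (8.11.4/8.11.4) with ESMTP id l2JDvNd02284;"
        " Mon, 19 Mar 2007 19:27:24 +0530\n"
        "Received: from web62012.mail.re1.publicmail.example ([198.51.100.5])"
        " by mx.corp.example (8.11.6/8.11.6) with SMTP id l2JF0nM18267;"
        " Mon, 19 Mar 2007 07:00:49 -0800\n"
        "Received: (qmail 21835 invoked by uid 60001); 19 Mar 2007 14:02:15 -0000\n"
        f"Received: from [ {origin_ip} ] by web62012.mail.re1.publicmail.example"
        f" via HTTP; {date}\n"
        f"Date: {date}\n"
        f"From: {sender}\n"
        "To: ceo@corp.example\n"
        "Subject: Law suits\n"
        "\n"
        "body omitted\n"
    )


def trace(raw):
    """Route (first hop first), originating IP and UTC send time of one mail."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    hops = []
    for header in received:            # headers are prepended: top = last hop
        match = BY_HOST.search(header)
        if match:
            hops.append(match.group(1))
    origin = None
    for header in reversed(received):  # bottom-most header = first hop
        match = BRACKETED_IP.search(header)
        if match:
            origin = match.group(1)
            break
    sent = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc)
    return {"sender": msg["From"], "route": tuple(reversed(hops)),
            "origin": origin, "sent": sent}


def correlate(raws):
    """Summarise what a batch of mails has in common."""
    traces = [trace(r) for r in raws]
    times = sorted(t["sent"] for t in traces)
    origins = sorted({t["origin"] for t in traces if t["origin"]})
    return {
        "same_route": len({t["route"] for t in traces}) == 1,
        "same_origin": len(origins) == 1,
        "origins": origins,
        "sender_ids": sorted({t["sender"] for t in traces}),
        "window_seconds": (times[-1] - times[0]).total_seconds(),
    }


# Three constructed mails mirroring the slide: two sender IDs, one origin,
# all sent within a few minutes (dates given in the senders' own zones).
BATCH = [
    constructed_mail("attacker-one@publicmail.example",
                     "Mon, 19 Mar 2007 07:02:15 -0700", "203.0.113.77"),
    constructed_mail("attacker-one@publicmail.example",
                     "Mon, 19 Mar 2007 19:32:10 +0530", "203.0.113.77"),
    constructed_mail("attacker-two@publicmail.example",
                     "Mon, 19 Mar 2007 07:21:40 -0700", "203.0.113.77"),
]
# An unrelated constructed mail from another address, to show the check bites.
UNRELATED = constructed_mail("someone@publicmail.example",
                             "Tue, 20 Mar 2007 09:00:00 -0700", "203.0.113.9")

if __name__ == "__main__":
    for key, value in correlate(BATCH).items():
        print(f"{key}: {value}")
```

Two points the code makes explicit that the slide leaves implicit: every timestamp is normalised to UTC before the window is computed, because the hops on slide 9 are stamped in IST, PST and PDT; and the qmail line is deliberately not a hop, since it records a local delivery rather than a relay. Only the bottom-most Received header is under the recipient's control chain from the far end, so the originating address is taken from there and nowhere else.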
    11. How to get to the Attacker?
       • Presentation
         ◦ Publicmail was requested to identify the IDs
           ▪ They challenged the validity of the mails / mail headers
             - No sanitized environment was used
             - No chain of custody was maintained
             - No neutral agency was engaged
           ▪ They refused on legal grounds (IT Act is weak)
         ◦ Client was informed of the incident
           ▪ They informed us that they could not recognize the Attacker
           ▪ They advised us to seek legal help
         ◦ Prospect’s information was checked from alternate sources
           ▪ The Executives existed, but the mail IDs were wrong
           ▪ Names of the Executives feature on the website
         ◦ ISP was requested to track the attacker
           ▪ IP address was found to be a dynamic one allocated by an ISP
           ▪ From the time window, the ISP surely could identify the Attacker
           ▪ ISP refused to produce the Attacker’s ID to us on legal grounds
    12. The Attacker – who?
       • Possibly a disgruntled ex-employee
       • Some parts of his otherwise long name matched
         ◦ Example of a long name:
           ▪ M V N S P M Ravikumar – Madhabhushi Venkata Narasimha Sesha Pundarikaksha Madhava Ravikumar
       • Writing style had strong resemblance
       • He was known for behind-the-back traits
    13. Politicians’ Pictures Morphed @ Haryana
    14. Politicians’ Morphed Pictures
       • Haryana politicians’ morphed porn pictures were placed on the Internet
         ◦ Of 3 senior Haryana Jat politicians
         ◦ 13-Feb-2009, Sindh Today
         ◦ Through a Google account
         ◦ Haryana Cyber Crime Cell in charge
         ◦ Google asked to do the forensics
    15. Wrongful Termination? @ Oracle
    16. Wrongful Termination at Oracle?
       • Oracle CEO Larry Ellison had been dating Adelyn Lee, an administrative assistant
       • In 1997, Adelyn Lee filed a wrongful termination case against Oracle
       • A mail from Lee’s supervisor to Ellison was discovered. The mail stated “I have terminated Adelyn per your request”
       • Oracle paid $100,000 to settle the lawsuit
    17. Wrongful Termination?
       • The supervisor persisted in denying that he had sent the e-mail
       • Time analysis was done on
         ◦ Supervisor’s cell phone records
         ◦ Supervisor’s travel records
         ◦ Time stamp on the mail
       • The supervisor was travelling in his car at the time the e-mail was sent
       • Lee had sent the e-mail to plant e-evidence
    18. Truth in Financial Fraud @ Satyam
    19. Satyam Probe
       • Over terabytes of data
       • From
         ◦ Laptops of B Ramalinga Raju, Rama Raju and V Srinivas
         ◦ Several computers of Satyam Computer Services
       • Duration: 2 months from 09-Feb-2009
       • Agencies
         ◦ CID & Cyber Crime Cell, AP
         ◦ AP State Forensic Laboratory
    20. Serial Killer @ Kansas
    21. BTK Serial Murder Case: Dennis Rader (born March 9, 1945)
    22. BTK Serial Murder Case
       • BTK – "bind, torture and kill"
       • Murdered 10 people in Sedgwick County, Kansas, between 1974 and 1991
       • Used to send murder details to police and to local media
       • By 2004, the investigation of the BTK Killer had gone cold
       • BTK Killer (Rader) sent a letter to the police about a killing that was not known
       • DNA was collected from under the fingernails of the victim
       • Over 1100 DNA samples were tested
       • None matched
       • Police kept corresponding with the BTK Killer
    23. BTK Serial Murder Case
       • BTK had asked if information could be traced from floppies
       • Police replied “No way”
       • Rader sent his message and floppy to the police
       • Police checked the metadata of the Microsoft Word document
       • Metadata showed the document had been made by a “Dennis”
       • Found a link to the Lutheran Church
       • A Google search for 'Lutheran Church Wichita Dennis' found his family name
       • Dennis Rader, a Lutheran Deacon
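What the police read off the BTK floppy was document metadata: the author name and an organisation name that Word had stored in the file without the writer noticing. The following is an added example, not part of the deck or of the BTK investigation. It goes slightly beyond the case: the floppy carried a legacy binary .doc, whereas this reads the same kind of fields (creator, last modified by, timestamps) from the docProps/core.xml part of an Office Open XML .docx package, which is plain XML inside a zip. The document it inspects is constructed in memory, and the names and dates in it are invented stand-ins.

```python
"""Pull the author-type metadata out of an Office Open XML (.docx) document.
core.xml is the part that carries creator, last-modified-by and timestamps;
it is the docx counterpart of the properties the BTK floppy gave away."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
# Field name -> element that holds it in core.xml.
FIELDS = {
    "title": "dc:title",
    "creator": "dc:creator",
    "last_modified_by": "cp:lastModifiedBy",
    "created": "dcterms:created",
    "modified": "dcterms:modified",
}


def core_properties(docx_bytes):
    """Return the core properties present in the document, or {} when the
    package carries no docProps/core.xml part at all."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        if "docProps/core.xml" not in pkg.namelist():
            return {}
        root = ET.fromstring(pkg.read("docProps/core.xml"))
    props = {}
    for name, tag in FIELDS.items():
        element = root.find(tag, NS)
        if element is not None and element.text and element.text.strip():
            props[name] = element.text.strip()
    return props


def identity_leads(props):
    """The fields that name a person or an organisation: the leads an examiner
    follows up, as the police did with 'Dennis' and the church."""
    return sorted({props[k] for k in ("creator", "last_modified_by") if k in props})


def constructed_docx(creator, last_modified_by, with_core=True):
    """Build a minimal docx-shaped package in memory (constructed sample;
    the title and the dates are invented for the demonstration)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        '<dc:title>Letter</dc:title>'
        f'<dc:creator>{creator}</dc:creator>'
        f'<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">2005-02-10T09:12:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2005-02-14T18:41:00Z</dcterms:modified>'
        '</cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        if with_core:
            pkg.writestr("docProps/core.xml", core)
    return buf.getvalue()


if __name__ == "__main__":
    sample = constructed_docx("Dennis", "Lutheran Church")
    props = core_properties(sample)
    print(props)
    print("leads to follow up:", identity_leads(props))
```

The examiner's caveat is the reverse of the attacker's mistake: these fields are set by whoever installed or configured the word processor and are trivially editable, so a name in core.xml is a lead to corroborate (the Jeep, the DNA on the next slide), never proof of authorship on its own. The absent-part branch matters too, since a document stripped of its core properties is itself worth noting in the report.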
    24. BTK Serial Murder Case
       • Police knew BTK owned a black Jeep Cherokee. Investigators found a black Jeep Cherokee at Dennis’ home
       • Police obtained a warrant to test the DNA of a Pap smear Rader’s daughter had taken at the Univ. of Kansas Clinic
       • The DNA of the Pap smear was a near match to the DNA of the sample taken from the victim’s fingernails
       • Police arrested Dennis on February 25, 2005 and accused him of the BTK killings
       • He was sentenced to serve 10 consecutive life sentences, one life sentence per murder victim
    25. Zotob Worm @ Internet
    26. Zotob Worm
       • Turkish & Moroccan hackers’ moneymaking scheme
         ◦ Release a computer worm, “Zotob”, into cyberspace
         ◦ Watch it steal credit card numbers and other financial information from around the globe
       • Scheme backfired
         ◦ “Zotob” code did not digitally hijack masses of credit card numbers
         ◦ It caused countless computer systems worldwide to sputter and crash
         ◦ Operations at major U.S. corporations ground to a halt as computers began to reboot
    27. FBI Action against Zotob
       • FBI, with Microsoft and other partners, traced the worm to Turkey and Morocco
       • Two Cyber Action Teams (CATs) reached Turkey and Morocco within 72 hours
       • Forensically analyzed the malicious code and gathered a lot of data, including
         ◦ IP addresses,
         ◦ e-mail addresses,
         ◦ names linked to those addresses,
         ◦ hacker nicknames, and
         ◦ other clues uncovered in the computer code
       • Suspected Zotob perpetrators were arrested within eight days after the malicious code hit the Internet
    28. What’s Common? @ Computer
    29. What’s Common in these Cases?
       • All are criminal cases
       • All involve computers
       • All illustrate the use of Computer Forensic
    30. Agenda
       • Risks in the Cyber World
       • What is Cyber Forensic?
       • Glimpses of Forensic Science
       • Cyber Evidence
       • Technology in Cyber Forensic
       • Cyber Forensic Work Process
       • Cyber Forensic in Vogue
       • Conclusion
    31. Cyber Forensic: A new horizon in Forensic Science
    32. What is Forensic?
       • Collection and analysis of evidence
         ◦ Using scientific tests or techniques
         ◦ To establish facts about a crime
         ◦ For presenting in a legal proceeding
       • Derived from the Latin forensis
         ◦ Meaning “in open court or public”
    33. What is Cyber Forensic?
       • Analysis of information contained within and created with
         ◦ Computers, or
         ◦ Digital devices like
           ▪ Network devices and the Internet
           ▪ Cell phones and PDAs
           ▪ Other systems with embedded devices
       • In the interest of figuring out
         ◦ What happened
         ◦ When it happened
         ◦ How it happened, and
         ◦ Who was involved
    34. What is Cyber Forensic?
       • Forensic engaging a computer
         ◦ As a Weapon
         ◦ As a Victim
         ◦ As a Witness
       • Mere use of computers in forensic analysis may or may not be Computer Forensic, depending on the roles above
    35. Computer as a Weapon
       • As observed in
         ◦ Zotob @ Internet
         ◦ Defamation Attack @ Interra
         ◦ Wrongful Termination? @ Oracle
         ◦ Morphed Pictures @ Haryana
       • Common in
         ◦ Threats, hate crime, child pornography, fraud, etc.
    36. Computer as a Victim
       • As observed in
         ◦ Zotob @ Internet
       • Common in
         ◦ Hacking, unauthorized access, mischief to data, port scans, etc.
    37. Computer as a Witness
       • As observed in
         ◦ BTK @ Kansas
         ◦ Financial Fraud @ Satyam
         ◦ Zotob @ Internet
         ◦ Defamation Attack @ Interra
         ◦ Wrongful Termination? @ Oracle
       • Common in
         ◦ Disk discovery or email exploration, etc.
    38. Applications of Cyber Forensic
       • Criminal Prosecution
         ◦ Child Pornography (Michael Jackson case)
         ◦ Homicides (Scott Peterson trial)
         ◦ Paedophile rings
         ◦ Embezzlement (John Gotti, Bugsy Siegel)
         ◦ Financial Fraud (ENRON)
         ◦ Immigration Fraud
         ◦ Extortion
         ◦ Gambling
         ◦ Narcotics Trafficking
         ◦ Prostitution and the like
    39. Applications of Cyber Forensic
       • Civil Litigation
         ◦ Fraud
         ◦ Perjury (Clinton-Lewinsky case)
         ◦ Divorce / Breach of Contract
         ◦ Copyright / Software Piracy
         ◦ Forgery, etc.
       • Insurance Claims and Settlement
         ◦ False accident reports
         ◦ Workman’s compensation cases, and
         ◦ Medical insurance
    40. Applications of Cyber Forensic
       • Use in Large Corporations
         ◦ Embezzlement
           ▪ Email threats, data theft – industrial espionage
         ◦ Pornography
           ▪ Web-porn scandal at the White House
         ◦ Hacking, and
         ◦ Insider Trading (Martha Stewart case)
       • Law Enforcement
         ◦ Electoral law
    41. Applications of Cyber Forensic
       • Individual Claims
         ◦ Sexual harassment
         ◦ Domestic violence
         ◦ Age discrimination
         ◦ Wrongful termination from job
         ◦ Identity theft
         ◦ Background checks
         ◦ Defamation
    42. Few Landmarks in Cyber Forensic
       • 1984: FBI Magnetic Media Program (Computer Analysis and Response Team)
       • 1987: AccessData – Cyber Forensic company formed
       • 1993: First Conference on Computer Evidence
       • 1995: International Organization on Computer Evidence (IOCE) formed
       • 1997: With the support of G8, IOCE calls for standards
       • 2000: IT Bill passed in India
       • 2008: IT Act amended
    43. Glimpses of Forensic Science: It’s elementary, my dear Watson
    44. Branches of Forensic
       • Fingerprint Forensic
       • Ballistic Forensic
       • Psychological Forensic
       • Serological Forensic
       • Physical Forensic
       • Chemical Forensic
       • Computer Forensic
    45. Fingerprint Forensic
       • Emerged in the 19th century
       • Replaced anthropometric measurements
       • International Association for Identification (IAI): 1915
       • IAI’s Certified Latent Print Examiner program: 1977
       • Mostly applicable to hand and foot finger prints
    46. Fingerprint Forensic
       • Brain Fingerprint
         ◦ Uses the P300 pattern in EEG
         ◦ Invented by Lawrence Farwell
         ◦ Admissible in court
         ◦ Used
           ▪ To catch serial killer JB Grinder and to exonerate Terry Harrington
           ▪ In the Sister Abhaya murder case
    47. Fingerprint Forensic
       • DNA Fingerprint
         ◦ Reported by Sir Alec Jeffreys at the Univ. of Leicester: 1985
         ◦ 99.9% of human DNA sequences are the same in every person
         ◦ Still, enough is different to distinguish one individual from another
         ◦ Variable Number Tandem Repeats (VNTR) – repetitive sequences
         ◦ VNTR loci are very similar between closely related humans
         ◦ Used on Saddam Hussein
    48. Fingerprint Forensic
       • Biometrics
         ◦ Dynamic Signature
         ◦ Face Recognition
         ◦ Fingerprint Recognition
         ◦ Hand Geometry
         ◦ Iris Recognition
         ◦ Palm Print Recognition
         ◦ Speech Recognition
         ◦ Vascular Pattern Recognition
    49. Ballistic Forensic
       • Science of analyzing firearm usage in crimes
       • Ballistics – study of the flight, behavior, and effects of projectiles, especially bullets, gravity bombs or rockets
       • Gun ballistics
         ◦ Internal
         ◦ Transition
         ◦ External
         ◦ Terminal
    50. Psychological Forensic
       • Malingering
       • Competency Evaluation
       • Sanity Evaluation
       • Sentence Mitigation
    51. Computer Forensic
       • Electronic Discovery
       • Undelete Files
       • Trace Route (mails)
       • Intrusion Detection
    52. Cyber Evidence: Mining for what, when, where, how, whom …
    53. Evidence
       • A piece of information that supports a conclusion
       • Defendant is found guilty if there is
         ◦ A means to commit the crime
         ◦ A motive to commit the crime
         ◦ An opportunity to commit the crime
    54. Characteristics of Evidence
       • Evidence must be:
         ◦ Admissible
           ▪ In front of the law, in “proving” documents and copies
         ◦ Authentic
           ▪ In linking data to specific individuals and events
         ◦ Accurate
           ▪ In terms of the reliability of the computer process
         ◦ Complete
           ▪ With a full story of the particular circumstances
         ◦ Convincing to juries
           ▪ To have probative value; a subjective and practical test of presentation
    55. Examples of Cyber Evidence
       • User files
       • Metadata
       • Deleted files / Info files
       • Temporary files
       • Spooler files
       • Virtual memory and swap files
       • Automatic backup files
       • Power saver features
       • Internet browser and history files
       • Temporary Internet files
       • Recent link files
       • Emails
       • Web-based emails
       • Programs
    56. Cyber vis-à-vis non-Cyber Evidence
       • Computer evidence must carry the characteristics of ‘Evidence’
       • Yet, computer evidence distinguishes itself as:
         ◦ Computer data is mutable
           ▪ Easily alterable without trace
           ▪ Can change during evidence collection
           ▪ Cannot be read by humans
           ▪ Can create evidence as well as record it
           ▪ Is based on technology that changes often
         ◦ Cyber evidencing creates many opportunities
           ▪ It poses threats, as many commercial transactions are recorded
           ▪ It is much easier to trace a person’s history and activities
           ▪ Computer-assisted investigation methods have become possible
    57. Technology in Cyber Forensic: Security and beyond
    58. Technology
       • Computer Science – general
       • Networking – Security
       • Cryptography
       • Steganography
       • Pattern Recognition
       • Image / Speech Processing
       • Artificial Intelligence
       • Data Mining
       • Hacking & Anti-Hacking
       • …
    59. yhpargotpyrC es qbsuib qsbujn ebt lqwhuud vbvwhpv lqgld syw owg
    60. Cryptography es qbsuib qsbujn ebt lqwhuud vbvwhpv lqgld syw owg
       • Transposition Cipher (first word reversed)
    61. Cryptography dr partha pratim das lqwhuud vbvwhpv lqgld syw owg
       • Transposition Cipher
       • Substitution Cipher (next letter)
    62. Cryptography dr partha pratim das interra systems india pvt ltd
       • Transposition Cipher
       • Substitution Cipher (next letter)
       • Caesar Cipher = 3
    63. Cryptography: Dr Partha Pratim Das, Interra Systems India Pvt Ltd
       • Title Case Restored
    64. Steganography
       • I love you
       • I hate you
    65. Pattern Matching
    66. Cyber Forensic Process: Electronic Data Recovery Model
    67. Broad Process Steps
       • Identification
       • Preservation
       • Analysis
       • Presentation
    68. Identification
       • The first step in the forensic process
       • Process for recovery guided by
         ◦ What evidence is present
         ◦ Where it is stored, and
         ◦ How it is stored
       • Electronic stores can be
         ◦ Personal computers
         ◦ Mobile phones
         ◦ PDAs
         ◦ Smart cards …
       • Key parameters in identification
         ◦ Type of information
         ◦ Format
    69. Preservation
       • Critical element in the forensic process
       • Examination must be done in the least intrusive manner
       • If change is inevitable, it is essential that the nature of, and reason for, the change can be explained
       • Alteration to data must be accounted for and justified
    70. Analysis
       • The extraction, processing and interpretation of digital data – regarded as the main element of cyber forensics
       • Once extracted, digital evidence usually requires processing before it can be read by people
       • When the contents of a hard disk drive are imaged, the data contained within the image needs to be extracted in a humanly meaningful manner
       • The processing of the extracted product may occur as a separate step, or it may be integrated with extraction
    71. Presentation
       • Involves the actual presentation in a court of law
       • Depends on
         ◦ The manner of presentation,
         ◦ The expertise and qualifications of the presenter, and
         ◦ The credibility of the processes employed to produce the evidence being tendered
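The Preservation step (slide 69) and the Presentation step (slide 71) meet in the chain of custody, which is exactly what was missing in the Interra case on slide 11: without a hash fixed at acquisition and a record of every handover, nobody can show that the evidence tendered is the evidence seized, and any alteration cannot be accounted for. The following is an added example, not the deck's own procedure: a custody log that hashes the image at acquisition, re-hashes at every step, and therefore pins any change to the first step at which it appeared. The "disk image" is a constructed 4 KiB buffer and the item id, roles and timestamps are invented placeholders.

```python
"""Preservation in code: fix a SHA-256 of the acquired image at seizure, log
every handling step with a fresh hash, and verify before analysis so that an
alteration is detected and tied to the step where it appeared."""
import hashlib
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Chain-of-custody record for one evidence item."""

    def __init__(self, item_id, image, acquired_by, acquired_at):
        self.item_id = item_id
        self.acquisition_hash = sha256_hex(image)
        self.entries = []
        self.record("acquired", acquired_by, acquired_at, image)

    def record(self, action, who, when, image, note=""):
        """Append an entry; re-hashing at every step pins a change to the
        first step at which the image no longer matches acquisition."""
        digest = sha256_hex(image)
        entry = {"item": self.item_id, "action": action, "by": who,
                 "at": when, "sha256": digest,
                 "intact": digest == self.acquisition_hash, "note": note}
        self.entries.append(entry)
        return entry

    def verify(self, image):
        """True if the image still matches the acquisition hash."""
        return sha256_hex(image) == self.acquisition_hash

    def first_break(self):
        """The first entry whose hash differs from acquisition, or None."""
        return next((e for e in self.entries if not e["intact"]), None)

    def to_json(self):
        """The record as it would be attached to the examiner's report."""
        return json.dumps(self.entries, indent=2)


def constructed_image():
    """Constructed stand-in for a disk image: a 4 KiB buffer with a
    boot-sector style 0x55AA signature at offset 510. Not a real image."""
    buf = bytearray(4096)
    buf[0:3] = b"\xeb\x3c\x90"
    buf[510:512] = b"\x55\xaa"
    buf[1024:1040] = b"CONSTRUCTED-DATA"
    return bytes(buf)


def walk_custody(image, tamper_at_step=None):
    """Run an image through acquire -> transfer -> analysis, optionally
    flipping one byte of the working copy before a given step, and return
    the log. Timestamps are fixed strings so the run is reproducible."""
    steps = [("transfer_to_lab", "courier"), ("analysis", "examiner")]
    log = CustodyLog("HDD-01", image, "first_responder", "2007-03-19T19:40:00Z")
    working = bytearray(image)      # examiners work on a copy, never the original
    for index, (action, who) in enumerate(steps, start=1):
        if tamper_at_step == index:
            working[1030] ^= 0xFF   # simulate an unaccounted-for alteration
        log.record(action, who, f"2007-03-2{index}T09:00:00Z", bytes(working))
    return log


if __name__ == "__main__":
    clean = walk_custody(constructed_image())
    print("clean chain intact:", clean.first_break() is None)
    broken = walk_custody(constructed_image(), tamper_at_step=2)
    print("break detected at:", broken.first_break()["action"])
    print(broken.to_json())
```

The point for Presentation is that the log answers the challenge the public mail provider raised on slide 11: each entry names who held the item, when, and what its hash was, so a court can see that the image analysed is byte-for-byte the image seized, or, if it is not, exactly where the chain broke and what explanation the examiner owes for it.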
    72. 72. Word of Caution! <ul><li>Debugging is not Forensic! </li></ul><ul><ul><li>An Approach to Analysis </li></ul></ul><ul><li>Audit Trail is not Forensic! </li></ul><ul><ul><li>An Evidence </li></ul></ul>
    73. 73. EDRM: Electronic Data Recovery Model
    74. 74. Cyber Forensic in Vogue Players in Practice
    75. 75. Types of Agencies <ul><li>International Bodies </li></ul><ul><ul><li>Builds Collaboration at National & International Levels </li></ul></ul><ul><ul><li>Spreads Legal, Social, Political and Technological Awareness </li></ul></ul><ul><li>National Governments </li></ul><ul><ul><li>Make Cyber Laws </li></ul></ul><ul><ul><li>Form Agencies & Practices </li></ul></ul><ul><li>National Bodies </li></ul><ul><ul><li>Certifies Tools </li></ul></ul><ul><ul><ul><li>Defines Specification </li></ul></ul></ul><ul><ul><ul><li>Tests Conformance </li></ul></ul></ul><ul><li>Law Enforcement Agencies </li></ul><ul><ul><li>Engages in the Forensic Exercise </li></ul></ul><ul><li>Corporate Bodies </li></ul><ul><ul><li>Technology Innovator </li></ul></ul><ul><ul><li>Tool Builders </li></ul></ul><ul><ul><li>Educators </li></ul></ul><ul><li>Anti-Hacker Community </li></ul>
    76. 76. International Bodies <ul><li>International Organization on Computer Evidence (IOCE) </li></ul><ul><ul><li>Provides an international Forum for law enforcement agencies to exchange information on computer investigation & digital forensic.  </li></ul></ul><ul><ul><li>Objectives of IOCE are: </li></ul></ul><ul><ul><ul><li>To identify and discuss issues of common interest. </li></ul></ul></ul><ul><ul><ul><li>To facilitate the international dissemination of information. </li></ul></ul></ul><ul><ul><ul><li>To develop recommendations for consideration by the member agencies. </li></ul></ul></ul><ul><ul><li>Principles preached by IOCE (on Digital Evidence) are </li></ul></ul><ul><ul><ul><li>Apply general forensic and procedural principles </li></ul></ul></ul><ul><ul><ul><li>Upon seizing, actions taken should not change that evidence. </li></ul></ul></ul><ul><ul><ul><li>Only trained personnel should access original digital evidence </li></ul></ul></ul><ul><ul><ul><li>Seizure / access / storage / transfer to be auditable </li></ul></ul></ul><ul><ul><ul><li>Anyone in possession of digital evidence is fully responsible for it. </li></ul></ul></ul><ul><ul><ul><li>Every agency must comply with the principles. </li></ul></ul></ul>
77. National Bodies
- National Institute of Standards and Technology (NIST) – Computer Forensic Tool Testing (CFTT) Project
  - The goal is to establish a methodology for testing computer forensic software tools by development of generic
    - Tool specifications,
    - Test procedures,
    - Test criteria,
    - Test sets, and
    - Test hardware.
  - The outcome is information
    - For toolmakers to improve tools,
    - For users to make informed choices on acquiring and using tools,
    - For interested parties to understand the tools' capabilities.
  - The processes include:
    - Specification Development Process
    - Tool Test Process
78. National Bodies: India
- CDAC – Cyber Forensic India
  - Mission
    - To attain self-reliance in Information Security and Cyber Forensics
    - To create awareness about cyber crimes
    - To provide services such as cyber forensics analysis
  - Services
    - Data Recovery
    - Evidence Collection, Analysis & Reporting (disk based)
    - Analysis of log files for intrusion detection and Email Tracing
    - Cyber Crime Prevention Program Development
  - Tools
    - CyberCheck Suite 3.1
    - Cyber Forensics Tools Repository
  - Training
    - Cyber Crimes and Cyber Laws
    - Cyber Forensics Methods
    - Digital Evidence Preparation
79. National Government
- US Cyber Laws
  - Internet Gambling Prohibition and Enforcement
  - Electronic Communications Privacy Act of 1986
  - Unlawful Access to Stored Communications
  - Criminal Infringement of Copyright
  - Access Device Fraud
  - Counterfeit Trademarks
  - Identity Theft and Assumption Deterrence Act
  - Children's Online Privacy Protection Act of 1998
  - Computer Fraud and Abuse
  - Uniform Domain Name Dispute Resolution Policy
  - CAN-SPAM Act
  - The Digital Millennium Copyright Act of 1998
  - …
80. National Government: India
- Information Technology Act, 2000 (IT Bill)
  - Legal recognition of electronic documents
  - Legal recognition of electronic commerce transactions
  - Admissibility of electronic data/evidence in a court of law
  - Legal acceptance of digital signatures
  - Punishment for cyber obscenity and crimes
  - Establishment of the Cyber Regulations Advisory Committee and the Cyber Regulations Appellate Tribunal
  - Facilitation of electronic filing and maintenance of electronic records
- Information Technology Act, 2008 (Amendment)
81. National Government: India
- Law against Cyber Crime
  - Sending threatening messages by email: Section 506 IPC
  - Sending defamatory messages by email: Section 499 IPC
  - Forgery of electronic records: Section 465 IPC
  - Bogus websites, cyber frauds: Section 420 IPC
  - Email spoofing: Sections 465, 419 IPC
  - Web-jacking: Section 383 IPC
  - Hacking, email bombing, salami attacks: Section 66 IT Act
  - Pornography: Section 67 IT Act
  - Denial of Service attacks: Section 43 IT Act
  - Virus attacks, logic bombs: Sections 43, 66 IT Act
- Karnataka Cyber Café Regulations, 2004
- Gujarat Information Technology Rules, 2004
82. Law Enforcement Agencies
- Federal Bureau of Investigation
  - Pursues a 4-fold Cyber Mission
    - Prevent computer intrusions and the spread of malicious code
    - Thwart online sexual predators in child pornography
    - Safeguard U.S. intellectual property and national security
    - Deter national and transnational organized Internet fraud
  - Has Cyber Operations in 3 Segments
    - Cyber Action Teams (CATs)
    - Computer Crimes Task Force
    - Internet Crime Complaint Center (IC3)
83. Law Enforcement Agencies: India
- Central Bureau of Investigation (CBI)
  - Lists the IT Bill 2000 on the site
  - Central Forensic Science Laboratory (CFSL)
    - Computer Forensic Division
    - Performing Digital Discovery since Jan-2004
84. Law Enforcement Agencies: India
- Kerala Police
  - Hi-Tech Crime Enquiry Cell (HTCEC)
    - Constituted on 5th May, 2006
- Kolkata Police
  - : Suspect site by Google!
  - McAfee removed a trojan
  - Lists a page on ‘Computer & Internet related crime’
85. Corporate Bodies: Services
- Computer Forensics
- Data Recovery
- Digital Discovery
- Incident Response
- Internal Investigations
- System Audits
- Training
- Certification
  - On specific tools

86. Corporate Bodies: Tools
- AccessData
  - Forensic Toolkit®
  - AccessData® Enterprise
- Digital-Assembly
  - Adroit Photo Recovery
- Guidance Software
  - EnCase Enterprise
  - EnCase eDiscovery
- New Technologies, Inc (NTI)
  - Stealth Suite
  - NTI Secure ToolKit

87. Corporate Bodies: Tools
- Technology Pathways
  - ProDiscover
    - ProDiscover® for Windows
    - ProDiscover® Forensics
    - ProDiscover® Investigator
    - ProDiscover® Incident Response
- X-Ways Software Technology AG
  - WinHex
  - X-Ways Forensics

88. Corporate Bodies in India: Tools
- CDAC: Cyber Forensic India
  - CyberCheck Suite 3.1
  - Cyber Forensics Tools Repository
- Forensic Guru
  - Dealer for
    - i2
    - AccessData
- Lab Systems
  - Distributor for
    - EnCase
- Pro Data Doctor
  - Wide range of data recovery software
89. Cyber Forensic in Future: What’s lacking?

90. What does Cyber Forensic need?
- Better Technology
  - Ability to handle volume
  - Ability to handle complexity
- Better Research
  - Formal methods of analysis
  - Intelligent data mining
  - Structured processes
- Better Communication
  - Computer scientists
  - Legal experts
91. Credit
- Ms Madhubanti Dasgupta
  - Computer Forensic on Computer Forensic
92. References
- AccessData
- Brief History of Cybercrime
- Brief History of Malware and Cybercrime
- CBI
- CDAC: Cyber Forensic India
- CFSL
- Computer Forensic Software Downloads
- Computer Forensics Laboratory and Tools, by Guillermo A. Francia III and Keion Clinton, Journal of Computing Sciences in Colleges, Volume 20, Issue 6 (June 2005), pp. 143–150.
- (The) Computer Forensic Process

93. References
- Electronic Evidence in Small Cases and Private Litigation, by Linda Volonino
- FBI, Cyber Investigations
- FBI’s Cyber Case Archive
- Forensic Guru
- Formalizing Computer Forensics Process with UML
- Guidance Software
- Gujarat Information Technology Rules, 2004
- (The) History of Computer Forensic
- HTCEC: Kerala Police
- International Organization on Computer Evidence (IOCE)
- Internet Crime Complaint Center (IC3)

94. References
- Karnataka Cyber Café Regulations, 2004
- Lab Systems
- Law against Cyber Crime
- National Institute of Standards and Technology (NIST) – Computer Forensic Tool Testing (CFTT) Project
- New Technologies, Inc. (NTI)
- Pro Data Doctor
- Technology Pathways
- Web-porn scandal rocks White House – West Wingers downloaded gay, bestial, teen sex videos, jamming firewall system, by Paul Sperry, 2000.
- What is Computer Forensic?, by Steve Hailey, 2003.
- What is Forensic?
- X-Ways Software Technology AG
95. Thank You