AN INTEGRATED APPRAOCH
TO
DIGITAL CRIME
INVESTIGATION
BY
SMT SARADA AVADHANAM
ADFS
APPA
FOREWORD
This book is prepared by Smt Sharada Avadhanam keeping in view the present two day workshop being organized by APPA for supervisory police officers. A gamut of issues relating to digital crime has been discussed at length in this book from the view point of the IO. Focus is kept on various crimes that the investigator is likely to encounter in his day to day working. do’s and don’t s, rules regarding evidence, and types of evidence that are of value, legal provisions that govern the crimes, are given in an easy to use format that will be of immense help in practical policing. I am sure this book will help the police officer to get a hold on the new emerging crime scenario in the digitalized and globalised world, we live in today. The technicalities and jargon have been reduced to the barest minimum so as to make the content intelligible even to a lay man.
Krishna Prasad
IGP and Director
APPA
Index
Chapter no
Title of the chapter
Page no
1
SCOPE AND INTRODUCTION TO DIGITAL CRIMES
1
2
CREDIT CARD FRAUDS
3
MOBILE PHONE FRAUDS
4
CYBER CRIME & COMPUTER CRIME
5
LEGAL PROVISIONS : IPC
6
IT ACT 2000
CHAPTER 1
SCOPE AND INTRODUCTION TO DIGITAL CRIMES
Digital crime?
The term encompasses all types of crimes in which the tools or the objects of crime employ digital technology.
Cyber crime?
Cyber crime pertains to those crimes committed in a networked environment especially on the internet or intranet, LAN OR WAN
Computer crime?
It is broadly used to describe a crime that involves computers or other such electronic devices.
Cyber crime is a subset of computer crime which itself is a subset of digital crime which is a universal set.
E commerce?
E commerce means doing business online. They also include digital products such as audio, video, data base etc.
Electronic markets?
They refer to online trading and auction, eBay , 5 paisa .com are example.
The transaction takes place via data interchange between firms. Consumer oriented electronic commerce has a long history. Each time you use ATM or present your credit card you transact business electronically.
Payment gateway?
Example is ‘verisign’. It is the agency which secures the transaction of payment and receipt of money electronically with least amount of loss of confidentiality or personal data to third parties.
CHAPTER 2
CREDIT CARD FRAUDS
Credit card numbers are stolen from the online databases bulletin Boards and other online services are frequent targets.
Giving away your personal details , name , address , credit card number while you are shopping on internet can be a grave mistake.
At the same time at the other end the fraudster might be copying your credit card number for future use for his own transactions.
Caution while making a purchase on the internet:
One must look for the address and phone number of the retailer. A padlock icon present at the bottom of the browser window ensures that the server uses an encrypted form.
ATM frauds:
There are no legal provisions to cover ATM related frauds. All the ATMs of a bank are connected through a dedicated computer network and hence are vulnerable to fraudulent access. The modus operandi of ATM frauds is similar to credit card frauds. PIN is obtained by hacking the database maintained by the concerned bank. ATM card itself can be manipulated due to inadequate security measures implemented in its design. The card usually has two or three data recording tracks on magnetic strip and each track has many fields within it. Most of the banks ignore track 1 and put card holders name in the fifth field and the account number in second field of track 2. The PIN verification field held in field 9 on track 1. A stolen ATM card can be read with the help of magnetic strip reader. The stolen identification number can be later put on another card with the help of a magnetic strip writer. Alternatively if you know what numbers you want to put in what fields you can write another person’s account number on your own card and use your own pin to rob their account.
CREDIT CARD FRAUDS: EXPLANATIONS
(1) What is a Credit Card?
-- It is an alternative method of paying for goods and services instead of cash.
(2) Explanation of the terms – Credit Card, Charge Card and Debit Card
Credit Card
Ø Credit given
Ø Repayment
Y Monthly
Y Minimum Amount
Y Full Amount
Charge Card
Ø Credit given
Ø Repayment
Y Monthly
Instalments
Y Full Amount
Debit Card
Ø No Credit
Ø Linked to bank account
Ø Immediate payment
(3) Explanation of how the system works –
Ø Visa and Master Card are Associations
Y With trademark
Y With vast electronic network
Y They license financial institutions like Banks to issue cards & contract with merchants
Process:-
a) Applicant applies for Credit Card.
b) Licensed Bank (SBI etc.) or Financial Institution (American Express) checks his credit worthiness and issues card. Hence agency which issues card is called ISSUER.
c) VISA/ Master Card through Licensed Banks enter into contract with
Merchants/ shop keepers to accept Credit Cards. These agencies promise the merchants that they will acquire the money from the customer and give it to them, if they accept payment by Credit Card.
Hence the bank/ agency which have a contract with the merchants are called ACQUIRER.
In other words,
American Express,
VISA,
Master Card,
Banks – SBI,
ICICI etc.
Individual Applies for Credit Card
(I)
Issue Cards (Issuer)
Jewellery Shops,
Airline Tickets,
Electronic Goods
Hotels, Big Shops etc.Purchases goods & services from
Customer with Credit CardMerchants who have already
Agreed to accept Credit Cards.
(II)
Through
a) Appearance of card
b) Comparison of signature
c) Telephone to his Acquirer Bank who in turn checks on the Computer or
d) Point of sale terminals which read the magnetic code on the card and check electronically.
Checks whether
Credit Card
Is genuine
Shop Keeper
(III)
Submits bills to his Acquirer Bank
If Shop Keepers receives clearance that the card is O.K.(iv)
Acquirer Bank sends bills to Issuer Bank
Issuer Bank pays the Acquirer Bank and collects the money from the individual.
(V)
Thus on behalf of the shopkeeper, the acquirer bank collects the money from the individual through the Issuer Bank.
OVERVIEW:-
(1) Individual applies to Issuer Bank
(2) Issuer issues Card to individual who becomes card holder.
(3) Card holder goes to Shop keeper who has prior contract with Acquirer Bank
(4) Shop keeper submits bills to Acquirer Bank
(5) Acquirer Bank submits bills to Issuer Bank
(6) Issuer Bank pays Acquirer Bank and collects money from Cardholder.
(4) TYPES OF FRAUDS:-
Credit Cards -Type of Frauds an overview
nISSUER FRAUDS
nfraudulent application
nLost and Stolen cards
nCard not recvd / intercepted
nfirst party fraud
naccount take over fraud
nemployee fraud
nsoftware generated Cd Nos
ncounterfeit Cards
nACQUIRER
nFraudeulent ME application
nMerchant Fraud
nMultiple Imprints
nSold Paper
nPOC pumping
Credit Cards-Type of Frauds
lFraudulent cardholder applications. What is involved?
nWhen a card application is made using data which is intended to mislead the issuer into believing that the applicant is worthy of receiving a card
Fraudulent cardholder applications
nIndividual or organized - misrepresenting some material facts like salary on application or using details of other persons.
nPossibly result of card center’s lax screening or internal collusion.
Application Fraud- Controls
nConcentration of applications with same handwriting, from same postal code etc.
nMisspellings of commonly used names of persons, addresses and businesses
nTelephone prefix versus address
nEmployer telephone number missing
nAge inconsistent with salary
nFalse or altered information, financial or personal
Lost / stolen cards- Definition
nA lost card is one that the rightful cardholder reports as lost.
nA stolen card is one that the rightful cardholder reports as stolen.
nOnce the card is lost or stolen a fraudster uses it to obtain merchandise, services or cash.
Lost / Stolen Cards- Characteristics
· Fraud usually takes place within 24 hours. Accused uses the card to buy lots of expensive goods within 24-72 hrs. (72% of loss comes from this type of fraud)
nOften sold to counterfeiters for re-embossing/ re-encoding.
nSometimes involves cardholder participation.
nLosses represent approximately 47% of all frauds.
Lost/Stolen Cards - Controls
nCardholder education
lCard is as important as any other personal document like identity card- Your identity card can be assumed by another
ltreat card as cash
lcard to be returned after usage
ldon’t write PIN on card
lencourage prompt reporting of any loss or theft
Card not Received / Intercepted-Definition
nA card despatched to a cardholder is intercepted in transit and then used fraudulently.
Card not Received / Characteristics
nUnsigned card[signature comparison becomes worthless]
nLonger activity period before identification.
Card not Received / Intercepted-Risk Points
nInternal - distribution centre
nPostal staff - sorting / delivery
nTransportation staff - bulk delivery
nOpportunities - mailbox theft
-misrepresentation
Card not Received / Intercepted - Control
nNew, replacement and/ or renewal cards to be sent via registered mail, or other secure means or arrange for cardholder pickup.
nNo recipient other than addressee acceptable
nFollow-up with call or mail to confirm receipt
nCard activation programmes -card activated only upon cardholder confirmation of receipt
nSend PIN separately
First Party Fraud-What is involved?
nWhen a cardholder denies ever receiving a new or replacement card when he in fact has, or lodges a false lost / stolen report.
-Continues to spend on the card and subsequently disputes the charges
nWhen a cardholder sells his card to a third party and lodges a lost / stolen report and disputes the charges on the card.
Skimming Today-Detection and Availability
nEasily moved or passed between individuals
nThey are small, light and easily concealed.
nCan be sent by post or courier anywhere in the world quickly and cheaply.
nOnly be used several hours per single location.]
nMass production ensures a ready supply and cheap cost.
Skimming-If you recover a skimming Device
nDon’t ask someone to demonstrate how the device worked using the device devices have innocuous self destruct mechanisms that delete all memory
nDon’t press and hold buttons down when on or when turning the device on.
nDo recover all cables, dongles, plug packs, cards [even non credit cards], CDs, floppies, fax machines and personal computers including printers and printouts.
nDo record what instructions someone was given to operate the device, but do not try this on this device.
Also look out for
nPlastic cards[may be found in transit unaccompanied by persons]
-with / without embossing
-with / without printing on card face front or back
-with / without magnetic stripes
nSales Drafts or transaction Receipts
-reveal where, when and what purchases were made
nWritten notes bearing names and numbers [loose leaf sheets or notepad]
Also look out for
nNotebook computer and diskettes [may contain account numbers or account generating software]
nRelated computer paraphernalia [cables, connectors etc.]
nPoint - of - sale [POS] terminal units
nhand phones
nPlastic card printing equipment [desktop plastic card printer, paint, proofs etc.]
nPlastic card finishing equipment [embosser, encoder, hot-stamping machine, magnetic tape, metallic foil etc]
Skimming Controls
nMerchant staff must verify the identity of any terminal vendor who makes maintenance or service calls.
nMerchant staff must be vigilant to the presence of any suspicious - looking devices connected to the POS equipment
nMerchant management may consider adopting tracking staff who handle card transactions
Action on Frauds-Police help requested
nInvestigate Fraudulent cases
nIdentify points of compromise
nIdentification of the persons responsible
nInterrogation of the persons identified to find out the other accomplices.
nIdentify if any professional gang of frauds has been working
nTracing a missing asset or absconding customer.
nRecovery of the product / dues from customer/ user.
nArrest of the persons responsible.
a) Merchant Fraud – submission of fake At the time of application –
(5) WHO IS THE LOSER?
a) Individual
b) Banks – Financial System
c) Financial Services become costly. Hence ultimately, Citizen.
(6) ROLE OF POLICE:-
Type of Fraud
Action needed
1) False Applications – obtain, spend, disappear
a) Trace accused
b) Look for collusion of issuer
2) Lost/ Stolen Cards
a) Report to Issuer at once
b) Alert shops, airline ticketing
Agencies.
c) Set up Video Cameras in big shops
d) Get shop owner/ assistants to detain/ identify the customer.
e) Look for Card holder collusion.
f) Handwriting comparisons
3) Merchant Fraud
a) Check bills
4) Employee Fraud
a) Look for collusion
b) Handwriting comparisons
5) Counterfeit Cards
a) Know Security features incorporated in Credit Cards
b) Look for equipment used for counterfeiting credit cards such as Plastic Cards, Plastic Card printing equipment, embosser, encoder, hot stamping machine, magnetic tape, metallic foil etc.
(7) SECURITY FEATURES IN A CREDIT CARD :-
i) HOLOGRAM –
Colourful – mirror effect.
ii) Name of Issue Agency – VISA, Master Card etc.
i) Embossed Name, Number and validity period
ii) Embossed Issue Agency Symbol – V MC
iii) First four embossed numbers should be the same as the printed numbers
iv) Angled Issue Agency name on Signature Pads.
Smart cards
The use of smart card and biometrics has been on the rise. Smart card is card fitted with microprocessor chip that can dynamically process data.
Security related use of it include
Banking applications
Identification
Physical access control
Inside the card, single chip computers with extensive memory is used.
Java card allows multiple functions protected by firewalls. It allows new functions to be added.
Java card provides functionality within the card. Data can be stored and modified safely within the card itself. Additional security matching a person’s biometric template to one stored on a card can be carried out on a card itself.
Contact-less cards:
The contact-less card in addition to processing capabilities they have the ability for a new code to be created on a card each time it is held up to reader for added security. It has faster data processing, greater memory capability. They can hold information such as employee medical history, encryption algorithm, and biometric identifiers. They last longer and you need not have to touch anything.
Hybrid cards:
It has built in back up system. If one of the technologies fails the rest of the card is still accessible and useable.
Modus operandi:
1 using misplaced or stolen credit cards to purchase goods or withdraw cash
Securing genuine credit cards from banks using data collected through fraudulent means or forged documents and misusing the same.
Preparing duplicate cards after copying electronic code data stored on the magnetic strip of the credit debit ATM card using a skimmer having special computer software and re-encodes the same on a fabricated card. Counterfeiting credit cards in bulk using skimmer technology is the latest. Police has limited role in preventing of such crimes as they are private in nature. Customers have a larger role to play.
They must ensure the personal credit card details are not revealed to others. If card is misplaced or lost, the customer should alert the bank to get the card blocked. Delay even for a few minutes can prove disastrous. Never give your card to strangers which may be copied/ duplicated.
It is observed that the offenders using fake credit cards collude with shop owners who would give false purchase slips. With people having several credit cards at a time it is difficult to remember the card numbers. It is better to keep the numbers recorded either in print or mobile phones so that they can be fished out when alerting the banks to get them blocked.
Case:
Counterfeit credit card ring busted in city: four persons who allegedly duped banks in the city using counterfeit credit cards supplied by a gang operating from abroad were arrested by the Hyderabad police. In this racket 24 fabricated credit cards were seized from the arrested persons. The fraudsters revealed that they purchased these cards from agents in Chennai at the rate of 15000 per each.
Modus:
International gangs were collecting electronic code data through fraudulent means with the help of technicians they were preparing c0unterfdiet credit cards my reproducing the magnetic strips in bulk using the stolen code. Though their networking of agents, the gangs were selling such cards to local gangs that want to earn money overnight. They are striking illegal deals with some shop owners to misuse the card. The shop owners would issue false purchase slips and give cash to the offenders after discounting the same for their own profit. All the cards purchased were fabricated using magnetic strip data of the genuine cards issued by American banks. In one case an international bank called up a local bank in the city saying its original user was in America and the question of he using the card in Hyderabad did not arise. The local bank approached the police with a complaint. Investigation revealed that the owner of the shop colluded with the gang and issued false purchase slips.
CHAPTER 3
Mobile phone frauds
India plays host to FOUR types of phones
1 Landlines
2 Mobile phones based on
a. GSM technology
b. CDMA technology
c. WLL technology
3 INTERNET [ IP] PHONY
4 SATELLITE TELEPHONY
What is the Difference Between GSM and CDMA?
initFade();
In cellular service there are two main competing network technologies: Global System for Mobile Communications (GSM) and Code Division Multiple Access (CDMA). The GSM Association is an international organization founded in 1987, dedicated to providing, developing, and overseeing the worldwide wireless standard of GSM. CDMA, a proprietary standard designed by Qualcomm in the United States, has been the dominant network standard for North America and parts of Asia and Reliance network in india.: CDMA has been traditionally faster than GSM in Data Transfer Speed. only GSM phones use SIM cards. The removable SIM card allows phones to be instantly activated, interchanged, swapped out and upgraded, all without carrier intervention. The SIM [Subscriber Identity Module (SIM) cards] itself is tied to the network, rather than the actual phone. Phones that are card-enabled can be used with any GSM carrier. CDMA carriers at present require proprietary handsets that are linked to one carrier only and are not card-enabled. GSM carriers, however, have roaming contracts with other GSM carriers. CDMA networks may not cover rural areas as well as GSM carriers. a GSM carrier can offer international roaming, as GSM networks dominate the world market. If you travel to other countries you can even use your GSM cell phone abroad, CDMA phones that are not card-enabled do not have this capability. CDMA phones can become R-UIM enabled in future.
The GSM system has become the most popular cell phone system in the world. They are reaching global scale. It allows roaming seamlessly between networks. It provides a separate user identity [sim card] from the phone equipment.
GSM is a fully digital system, allowing both speech and data services with roaming facility. GSM has been chosen has a trademark for the system and exists in all continents: global system for mobile communications.
Overview:
The different entities contained in it are connected through interfaces. viz: mobile station, base transreceiver station; base station controller; mobile switching center; local registers; equipment identity register;
Mobile station is the user equipment in GSM. It has got mobile equipment that is phone itself and the SIM subscriber identity module in the form of smart card contained inside the phone. The MEs in GSM are independent from network providers. The identity of the subscriber is obtained from the SIM. SIM contains IMSI international mobile subscriber identity which uniquely identifies the subscriber to the network. It also contains information necessary to encrypt connections on the radio interface. ME is identified by IMEI international mobile equipment identity number which can be obtained from the network upon request. SIM exists in two forms large or small. BTS have antenna with several radio transreceiver, each communicating on one radio frequency. Speech and data transmission from mobile station is recoded in base transreceiver station. Base station controller controls the magnitude of several hundred base transreceiver stations. They will take care of call setup, location, update and handover for each MS.
The basic function of mobile switching center is to switch speech and data connections between base station controllers GSM net works and external noon mobile networks. Registration location updating and handover is done by this.
Local registers:
Each mobile switching center is associated a visitor location register which is associated with one or several MSCs. It stores data about all customers who are roaming within local area of that mobile switching center. The data is updated.
Equipment identity register: it registers IMEIs of MS in use.
The network provider can blacklist stolen or malfunctioning MS so that their use is not allowed by the network.
GSM security:
It provides authentication of users and encryption of the traffic across the air interface. Each time the mobile connects to the network, the networks authenticate the user by sending a random number to the mobile. The SIM then uses an authentication algorithm to compute an authentication token using he random number received. Another key is used for encryption of subsequent traffic across the air interface. Since the key changes each time the authentication procedure is performed.
Evidence in the SIM:
SIM contains information that can be of value as evidence:
Name of the network provider.
Unique identification number that can be used to get information from the provider such as subscriber name address phone number associated with the sim. Phone records can also be retrieved from this number.
Access to SIM:
A pin code is required to access the SIM. A four digit code that must be entered to gain access. This number must be entered whenever the phone is turned on. If the user fails to enter valid pin in three attempts the card becomes blocked. The user must instead enter an 8 digit code to reopen it. If the user fails to enter the correct 8 digit code in ten attempts the card becomes permanently blocked and cannot be reopened. PIN can be changed or deactivated by the user. The network operator keeps tack of the 8 digit codes for all its users.
Forensic analysis of SIM cards:
SIM card can be accessed by mounting the card on standard smart card reader. To access it software is needed. The content of SIM is organized a series of files containing binary data that can be downloaded. Once the user has authenticated himself with a pin. There are tools available to download binary content of the individual files. There are also administrative tools which synchronize data such as text messages between SIM and the computer.
Location information, serial number, IMSI, MSISDN:
Local area identifier gives information as to where the mobile is currently located. This value will be retained in the SIM card when the mobile is shut off. Os it is possible for an IO to determine in which location area the mobile was located when it last was operating/ switched off. Location area can contain hundreds and even thousands of cells. Which cell the mobile was last camping is not stored in the SIM. The serial number IMSI and MSISDN provide unique identification of the customer. The serial number identifies the SIM itself. The IMSI is the customer identification number. And the MSISDN is the phone number of the mobile. The SIM provides storage space for text messages. A common configuration is that all incoming messages are stored by default and outgoing messages are stored only at the user’s explicit request. When a user deletes a message, the status byte is set to zero. Thus deleted text messages can be recovered for the status byte as long as the slot has not been overwritten by a new message.
Short dial numbers:
To aid the user in remembering numbers, most phones have an ability to store commonly dialed phone numbers. Around 100 such slots are available.
Last number dialed:
SIM has the ability to store the numbers last dialed. Usually 5 such slots are available.
Call logs and phone memory:
Some phones have call logs and phone memory for both dialed and received or missed numbers.
Attacks on SIM:
The most obvious attack method is removal of evidence by overwriting storage space. For instance, a person knowing that deleted text messages care still accessible could use the card editor to overwrite the messages with other information. SIM is often attacked to impersonate another subscriber. Protection against impersonation relies on the SIM security features like PIN code.
Access to mobile equipment:
SIM PIN code when the phone is turned on. And a separate access code to access the phone memory.
Forensic analysis of GSM phones:
Digitally image the content the phone memory chip and analyze the contents offline. Tools for accessing the phone memory directly are available on the internet called flashers. Most phones can be connected to a computer for data transfer by a special cable from the manufacturer or by using blue tooth wireless interface.
Third method of forensic analysis is to use the key pad of the phone to access the stored information and photograph it as it comes on the screen. Most information stored on the phones can be accessed using the phone menu system. The IMEI for example is available by typing ‘*#06#’.
The following contents of mobile phones can have values as evidence:
1 IMEI
2 Short dial numbers
3 Text messages
4 Settings language, date/ time, tone /volume
5 Stored audio recordings
6 Stored computer files
7 Logged incoming calls, dialed numbers
8 Stored executable programs
9 Stored calendar events
10 Internet settings
11 Direct analysis of the memory reveal hidden information such as deleted text messages.
The most common access constraint one would want to remove is service provider lock SP LOCK. A SP LOCKED phone is locked to SIM cards from a certain service provider.
Cases:
1 In Haren pandya murder case, the case was largely worked out based on call analysis.
2 In madumita shukla murder case call analysis played a vital and significant role.
CHAPTER 4
Cyber crime & Computer crime
DEFINITIONS
•“Computer network” means the interconnection of one or more computers through the use of satellite, microwave, terrestrial line or other communication media; and terminals or a complex consisting of two or more interconnected computers whether or not the interconnection is continuously maintained
• “Computer resource” means computer, computer system, computer network, data, computer database or software;
•“Digital signature” means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3;
•(Source: Information Technology Act, 2000)
Are we really secure ?
•Is holding a credit card safe?
–Purchase a shirt on some body credit card without his knowledge
• Is Holding a bank account safe?
–Without your knowledge money can be withdrawn
• Are we safe in our homes?
•Bring floods in a USA state by sitting in Russia
•Are we safe in hospital?
•Kill a patient in Carewell Hospital, Newyork from Benaras by changing the dosage of medicines to be administered by hacking the hospital records
• Are our leaders untouched ?
•threaten prime minister on somebody else’s cellphone without touching his/her phone
Hacking -extortion
•Gorshkov and Ivanov of Russia attacked companies in 10 states of America and extorted money by threatening to sell stolen data/return and cause damage
Motives for computer crime
Financial gain
Revenge
Challenge
Fun
Vandalism
Accidental causes
Research
Computer as a tool for unlawful act
Modification of a conventional crime by use of computers
Some examples
Financial crimes
Cheating
Credit card frauds
Money laundering
Computer as tool for unlawful act
•Cyber pornography
•Porno websites
•Porno magazines
•Porno marketers
•Porno groups
•Sale of narcotics
•Weapons
•Wildlife
•Online gambling
•On-line gambling/betting eg:
•Mr. Mehta was caught on betting charges
•Two laptops seized.
•An excellent software
•Amount involved is in crores
•Betting on world cup cricket/hockey matches
Intellectual property crimes
•E mail spoofing
•Forgery
•Cyber defamation
•Cyber stalking
•Theft of e- info
•Denial of service attack [ salami attack]
Denial of service - 02/2000
•YAHOO, AMAZON, EBAY, CNN & BUY.com were all attacked. A 15-year-old pleaded guilty to the attacks, which did an estimated $1.7 billion in damage. He was awarded 8 months in a juvenile detention center
•Virus / worm attacks
•Internet time theft
•Web jacking
Case 1:
CITI-BANK
•Vladimir Levin-St. Petersburg, Russia
•Attacked Citi-Bank system and obtained user-ids and passwords
•Setup accounts in banks throughout the world
–Bank of America, Banco Del Sud Argentina, Bank Artha Graha Indonesia
•Transferred $12 million to the various accounts
Case 2:
Terrorist Web Browsing
•Sept 11 hijackers sent e-mail
–Used public sites - libraries, cyber cafes,
–Used anonymous accounts – hotmail, yahoo!
•Shoe bomber sent e-mails before his flight
•Kidnappers of wall street journal reporter Daniel Pearl sent demands via e-mail
•Al Qaeda used web to gather information and software relating to critical infrastructures, including utilities
–Information acquired could support physical or cyber attacks.
Case 3:
•Indian parliament attack
•Delhi police seized a laptop where they stored the incriminating material.
•on forensic analysis the CFSL could identify :
•How the computer was used to produce the MHA sticker
•IP addresses of Pakistan
•Telephone numbers
•Coded messages
Case 4:
Killing a patient
•Doctor entered the dosage of insulin to be given
•Criminal entered the computer system of carewell hospital.
•Criminal modified the dosage to a higher level
–Chemist issued as per data
–Nurse injected
•Patient died
•Criminal modified data to normal dosage.
Case 5:
E-mail cheating (Mumbai)
•Mr. Vijay Ninwane works at Abudhabi
–Made friendship with “x” (a beautiful girl)- chatting, nude photos, erotic stories.
–“x” introduced her friends y1,y2,y3,y4,------
–Vijay could not meet x as promised
–X committed suicide.
Case 6:
E-MAIL CHEATING (MUMBAI)
•Vijay received mail from
–Www.kolkatta_police.com
–Www.cbi_hq.com
•Vijay contacted y1 for help
•Y1 appointed mr. Pranab Mitra of Mitra & Mitra associates leading lawyers
•Total Rs.70 lakhs (Rs.1.19 crore as per IO)
Case 7:
E-mail cheating (mumbai)
•Two desk top computers, two laptops were sent for forensic analysis
•Analysis proved
–All was done by a single man named Mr.Pranab Mitra, general manager, Ambuja Cements
Case 8:
Web page defacement
•Web pages are computer files stored in directories on a server computer.
•If a hacker gains access to these files, he or she can replace or alter them in any way.
•The CIA and the New York Times web pages have been attacked in the past.
case 9 in Hyderabad :
specimen case diary and FIR :
• that today i.e., on 02/01/2003 at about 1430 hours received a complaint from Sri R.S.Nishtala S/o Late N.Krishna Murthy, Age: 52 yrs, Occ: Sky Travels, C/o 3/6/419, Second Floor, Plot No.94, Street No.3, Himayathnagar, Hyderabad-29 in which he stated that on 30/12/2002 his friends in the travel industry have informed him that a deformity email said to have been sent by him is being circulated and the mail as apparently been sent as if he has sent the same. When he tried to open his mail ID he observed that his mail account has been hacked and the password was changed. He strongly suspected one of his ex-employee Mr. N. Uma Shanker who has done this act and presently he is working in a travel agency at Vishakapatnam and he requested to take action.
On receipt of above complaint
•and as per the instructions of the Addl. DGP, CID, AP registered a case in Cr.No.01/2003 U/S 67 I.T.Act and took up investigation.During the course of investigation examined the complainant and recorded his detailed statement which was incorporated in case dairy part-II. He corroborated with the facts of FIR. He further stated that one Mr. N.Umashankar who is an ex-employee in Guntur Branch Office and was removed for misbehaviour. While he was working he used to operate his mail ID with password as such he strongly suspects him for sending the obscene mail from his mall ID.
IO secured the email printout with header particulars
•from the complainant. As per the header of the email it was generated from the I.P. Address 210.214.222.231 which belongs to Satyam Info way Ltd. Hence a letter was addressed to Satyam Info. Way Ltd. to know the user details of the above IP Address on 30/12/2002 at about 10:30 AM. Soon after getting the reply from Satyam Info Way Ltd further action will be taken.Closed the C.D. for the day. Further progress follows.
case 10:
A fraud was reported, during 1984,
• in processing the results of Delhi University MBBS entrance examination, wherein the computer programme was manipulated to alter the marks of a candidate.
case 11:
The NDMC Electricity Billing Fraud Case is a typical example of a computer fraud that took place in 1996. The computer network was used for receipt and accounting of electricity bills by the NDMC, Delhi. Collection of money, computerised accounting, record maintenance and remittance in bank was exclusively left to a private contractor who was a computer professional. He misappropriated huge amount of funds by manipulating data files to show less receipt and bank remittance.
Evidence collection kit
kit
•Permanent markers
•Set of utility software
•Antivirus software
•Labels
•Seals
•Packing material
•Imaging toll kit
Register investigate arrest are the three essential steps of Cyber crime investigation which consist of :
Register a case on receipt of information under acts IT act 2k and relevant provisions of IPC. Go to spot with computer expert and Conduct examination. Secure the place and don’t let anyone touch the systems in operation.
Investigation
Shut down the computer and transfer the computer to a secure location. Document the hardware Configuration. Observe unobtrusively. Seize the hardware properly. Do not lose files or data Get expert to retrieve data don’t lose info. Document the system date and time. Draw scene of crime Photograph and sketch the Scene of crime
IMAGE HARD DISK
. Image to a wiped and formatted hard disk.
Investigation consists of the following steps:
Collect info on names details of victims Accused Witnesses. Secure them.
Work out how the offence took Place and for how long.
Estimate losses and consequences.
Scientific packing
Labelling
Transportation Of material evidence
Send for expert opinion.
Collect evidence
Record the Detailed version of complainant
Record the version of Witness if any
Other material
Technical evidence
Interrogate suspect
Interrogate the Accused
Reconstruct the crime
Initiate action for arrest Of accused
Recover incriminating documents
Record confessions
Prepare charge sheet
Document findings meticulously
Document soft ware used and its effects/ results.
The computer forensics process consists of four stages [A3D]
•acquire
•authenticate
•analyze
•document
Computer forensic scientist will ACQUIRE
•true mirror image
•cloning the hard disk, which is different from copying and backup
Image hard disk
•Image to wiped and formatted hard disk
Authenticate
•Is the duplicate authentic ?
• justified with hash value
–Acquisition hash value = verification hash
•Md5 hash value
Analysis
•Extract, process, interpret
–Every file should be viewed.
•Remember analysis should be repeatable
Good documentation
•Exercise to make the judiciary to appreciate
–Software used & versions
–Report should be in simple terms
–Hash results
–All storage media numbers, model make
–Supported by photographs
Computer forensic analysis procedures
•Well defined tools and procedures to handle different tasks in the extracting of digital evidence
•Demonstrate
•Authenticity
•Reliability
•Completeness
•Non contaminator
•Repeatability
•Identify, retrieve maximum possible evidence on a suspect computer system—
•fully protected against – alteration, damage, data corruption, virus introduction
step by step procedures in computer forensics:
•Power shut down for the computer
•Document the Hard ware configuration of the system
•Make a bit stream backups of hard disk and floppy disks
•Authenticate the data mathematically on all storage devices
•Document the system date and time
•List the key words for the search
•Evaluate the windows swap files
•Evaluate file slack
•Evaluate UAS[ erased files]
•Document file names dates and times
•Document your findings
•Data validation using the md5 hash
Ram slack and Drive slack contain deleted data, data from earlier files which is not overwritten
The clusters are rounded off using sectors.
–RAM slack – only last sector of a file
–1 or 2 sectors to round off the block size of the last cluster assigned to the file
•in such a situation, another type of slack Drive slack, is made
•Drive slack is padded by the operating system with data that was stored earlier on the storage drive.
–This data is from the deleted files
–Or the format pattern associated with the unused space by the computer.
SWAP file:
•SwF or paging file is a major source of evidence information for forensic scientist. SwF is a large space on a hard disk where windows place anything that currently resides in RAM memory. Whenever additional RAM is needed by the windows based operating system like a scratch pad, it uses swap files as a special file to write the data . in windows 3.x/9x it is called windows swap files and win NT /2000, windows paging file.
•The sizes of these swap files are huge and range from 20 million bytes to 200 million bytes. The amount of space allocated to the swap file on a disk is determined by windows itself but can be altered by the individual user.
•There are high chances of finding remnants of word fields, email messages and history of the Internet browsing. Including any work that might have been in the Windows sections in the past. These files provide vital investigation lead from a computer, which would have never been, discovered other wise.
Characteristics of computer criminals
•Young and highly intelligent cherishing challenge
–Monetary profits
–Intellectual challenge
–To take revenge
–Vandalism
–To wage a war against a state
–For fun
•Insider – computer crime
•White collar crime- specialists in technology
–Introverts
–Do not exhibit social skill
–Presume to be worthies than they actually are
–Emotionally distressed/ disappointed in life
–Disgruntled lot
Common mistakes or do’s / don’ts
dos and don'ts by IOs
•The power supply should not be disconnected before a competent computer expert evaluates the overall problem
•The key board as far as possible should not be touched
•Do not change the computer’s current state or abandon the program
•Do not disconnect the telephone or auto dialler from its source , if it is connected to the net, without ascertaining the identity of the user at the other end
•If the user is hostile, disconnect before he can cause damage to the suspect system
•Do not allow the storage media to get damaged by mechanical , magnetic or e.m. means
•The chain of custody of the evidence collected should be maintained to avoid the accusation of evidence manipulation
Guidelines:
• Chain of custody
• Custodian must strictly control access and keep accurate records to show who has examined the evidence and when
• Make an image copy
• The IO should make an image copy of the hard disk and conduct their investigations on that copy
• Computer Hard ware
• Secure the Hard ware drive r/w heads with the appropriate soft ware commands
•Do not remove the internal hard drive from the computer
•Secure the r/w heads in the floppy drivers with a blank floppy drive disk
Label all the cables and ports
•Both ends of the cables should be labelled
•The connections to PC, printer should be labelled
•Initial and date the PC/.CPU, monitor, kb, hard disk drive, the floppy disk drive
•The tape drive, modem or acoustic coupler and floppy disks
•Wrap the Hard ware in plastic envelopes and place them in a box for subsequent dispatch to FSL.
•Disks should not be kept in plastic envelopes [ risk of static electricity discharge]
•The box containing magnetic media during shipment should be marked ‘ do not x ray’ to warn the evidence should be kept away from the em fields
Keeping records
• IO should
•Document their investigative activities—keep track by IO / attorney, reconstructing the case
•Log that describes each item seized
•When items are returned , the receipt should contain—description of item; the person who received it; when the item was released; photographs of property returned ; should be kept to avoid dispute later.
Warrants include
•Computer books , programming guides, user manuals – evidence significance in several ways,
•proprietary Soft ware , Hard ware, manuals themselves -- were obtained illegally
•Hand written notes about how the subject used the machine
•Items which contain no evidence should be returned
•Notes and papers often contain extremely valuable information like password , login sequence and other suspect’s telephone nos or names.
1 Search warrant must contain
i. The scope of the search
ii. The reason to search
iii. The reason to seize
iv. Role of computer in the offence
v. What is to be seized
vi. How long it is to be retained
vii. Counterfeiting case
viii. A computer
ix. A scanner
x. A colour printer
Grey areas in cyber crime busting
1. it is difficult to identify the culprit as
a. the net can be accessed from any part of the globe
b. establishing the exact identity of the hacker/ criminal is highly problematic
c. extradition and the legal framework for prosecution needs clarity
d. lack of trained cops to investigate cyber crimes is a handicap which works in favour of the criminals
e. low penalty for hackers
f. no special mention of credit card frauds
g. an international agreement on dealing with cyber crime is not in place
h. increasing distances and international dimensions between criminals and authorities
i. act does not cover cyber stalking and child abuse
j. data can be easily destroyed
k. clinching evidence is difficult to collect from hard disk and network providers.
Legal challenges
•Effective legal framework which fully supports the detection and prosecution of cyber criminals
•No consensus in the definition of computer crime among various countries in the world
•The crime in a country may not be termed as a crime in another
•12 countries that have effective computer crime laws
•rate at which the computer crimes are increasing in the world
•G8 nations cyber crimes conference in Paris , the French president Chirac had stated ‘ what we need is the rule of law at an international level and a universal legal framework , which is equal to the world wide reach of the internet’
Operational challenges
•Evidence is electronically stored
•Computer forensics and computer forensic analysis : special procedures are to be evolved to identify and extract computer evidence , which will be admissible in court
•Computer crimes are receiving high profile media coverage
•Dedicated team of professionals who thoroughly understand computer as well as communication technology
•Response time is paramount in most of the cases
Jurisdictional challenge
•Jurisdiction and identification of crimes perpetrated on the internet
•Internet makes interstate and international crimes significantly easier
•Internet enables the criminals to victimize consumers all over the world in simple and inexpensive ways
•After the pokhran II atomic test in India, BARC computers were hacked though it was claimed that no sensitive data was lost
•successful investigation of the denial of service attacks by the US law enforcement agencies indicated the level of cooperation of expertise required for successful crime investigation
•No geographical boundaries – need a multilateral approach of investigation and prosecution
Technical challenges
•Investigating the internet crimes
•Hacking of a website
•Stealing data stored in the computer
•Espionage
•Exchange of pornographic material
Technology needs group effort
CHAPTER 5
LEGAL PROVISIONS : IPC
India leads the way as it has enacted an IT legislation much before the majority of nations have woken up it.
Acts amended were :
RBI act 1934
IPC 1860
IEA 1872
Indian telegraph act 1885
The bankers book of evidence act
General clauses act
Offences incorporated under the Indian Penal Code
•Electronic records defined in S/29A inserted after S/29
•What is a document? (S/29)
•“Documents” substituted with “documents or electronic records”
•Public servant framing incorrect electronic record with intent to cause injury (S/167)
Ingredients
a. Public servant in charge of preparation or translation of electronic records
b. Knowingly changing electronic record with intent to cause injury (3 yrs or fine or both)
2. Absconding to prevent summons for producing electronic records (S/172)
Ingredients
–Summons, notice or order from legally competent authority or Court
–For production of electronic records in Court or before such legal authority (S.I. for 6 months or up to 1000 rupees or both)
3. Preventing in any manner service of summons to produce electronic record (S/173)
Ingredients
a. Summons, notice or order from a Court
b. For production of electronic record in such
record (up to 6 months or up to 1000 rupees or
both
4. Intentional omission to produce electronic
records by person legally bound (S/175)
Ingredients
a. Person must be legally bound to produce
electronic record
b. Intentional omission to produce electronic
records (up to 6 months, or Rs 1000 or both)
•Fabricating false evidence (S/192)
Ingredients
a. making false entry or false statement in
electronic record
b. intention must be to produce such electronic
record as evidence
c. such an electronic record may cause forming of
erroneous opinion by a judicial authority
5. Destroying electronic record to prevent its
production as evidence (S/204)
Ingredients
a. Secreting or destroying electronic record
b. There must be legal compulsion
c. Act must be intentional to prevent production of
electronic record as evidence (2 yrs or fine or
both)
•Forgery (S/463)
Ingredients
a. Existence of a false electronic record
b. The intention behind such act must be to:
1. Cause damage or injury
2. Support any claim or title
3. Cause person to part with property
4. Enter into contract
5. Commit fraud
•Making false electronic record (S/464)
Ingredients
a. Making, signing, sealing or executing electronic
record fraudulently or
b. Altering electronic record without authorization
or
c. Causing an innocent person to sign, seal, execute or alter
an electronic record document who is unaware of
contents of electronic records
6. Forgery of certain electronic records (S/466)
Ingredients
a. Forgery essential
b. Forgery must be of certain kinds of records
( records of Courts, registers of birth, etc., record maintained by a public servant, authority to carry on judicial proceedings, power of attorney)
( 7 yrs & fine)
7. Forgery for cheating (S/468)
Ingredients
a. Forging of document/electronic record
b. Forgery must be for cheating (7 yrs and fine)
Cheating
Deceiving a person dishonestly to do certain acts.
8. Forgery of electronic record for defamation (s/469)
Ingredients
a. Forgery
b. It must harm someone’s reputation (up to 3ys and
fine)
9. Using forged electronic record
Ingredients
a. Using forged electronic record as genuine
b. Knowingly uses such forged electronic record
•Forged electronic record (S/470)
–False electronic record made wholly or partly by forgery
10. Knowingly possessing forged document
and intending to use it as genuine (S/474)
Ingredients
a. Possessing forged electronic record
b. Intention is to use it as genuine
( 7 yrs and fine in case of official records under S/466. Under S/467, life)
11. Counterfeiting device or mark (S/476)
Ingredients
–Forging a device or mark upon any electronic record to authenticate the electronic record
–Possessing the device upon which counterfeited
–Intention to use the mark or device as being genuine (up to 7 years and fine)
12. Falsifying accounts (S/477-A)
Ingredients
a. Willfully destroying or altering electronic
record with intent to defraud
b. electronic record in his possession is that of his
employer (7 yrs or fine)
CHAPTER 6
IT ACT 2000
Chapter XI of the IT Act
•Sections 65 to 74 are the penal provisions
•Imprisonment up to 10 years provided for
•Network Service providers given some relief
Chapter XI of the IT Act
•Sections 65 to 74 are the penal provisions
•Sec 65 Source code
•Sec 66 Hacking
•Sec 67 Pornography
•Sec 68 Controller’s directions
•Sec 69 Decryption of information
•Sec 70 Protected System
•Sec 71 Misrepresentation
•Sec 72 Breach of Privacy
•Sec 73 Publishing false Digital Signature Certificate
•Sec 74 Publication for fraudulent purpose
•Chapter IX of the IT Act Penalties
•Section 43 Unauthorized access
•Section 44 Failure to furnish document, return or report to Controller or CA
•Section 45 Residuary penalty
Sec 65 Source code
•Most important asset of software companies
•Imprisonment up to 3 years and / or fine up to Rs 2 lakh for altering / concealing source code required to be maintained by law
Following are punishable in respect of computer source code:
•Knowingly or intentionally
–Concealing
–Destroying
–altering
•Knowingly or intentionally causing another to do so
Sec 66 Hacking
•Very wide definition
•Covers following in relation to information:
–Destruction,
–deletion,
–Alteration
–Diminishing value
–Diminishing utility
–Affecting injuriously
•Knowledge or intention must be proven
•Sablan case
•Covers crimes like
–Salami attacks,
–data diddling, etc
Sec 67 Pornography
•Publishing, transmitting and causing to be published porn is an offence
•ISPs, search engines and websites are covered
•Up to 5 years imprisonment and fine up to Rs 1 lakh (10 years and Rs 2 lakh for subsequent offence)
Sec 68 Controller’s directions
•Controller may order CA or CA’s employee to
–Take measures
–Cease measures
to ensure compliance with the IT Act / rules
•Imprisonment up to 3 years and fine up to Rs 2 lakh
Sec 69 Decryption of information
•Controller can direct for interception of any information on following grounds:
–Sovereignty / security / integrity of India
–Friendly relations with foreign States
–Prevent incitement of cognizable offence
•Failure to assist in decryption makes person liable to 7 years imprisonment
•Section 69 likely to be used for following:
–Email messages
–Encrypted messages
–Steganographic images
–Password protected files
Sec 70 Protected System
•Gazette notification for ‘protected system’
•Govt. order authorizing persons who will have access
•Securing unauthorized access or attempting to secure unauthorized access punishable with 10 years imprisonment and fine.
•Acts covered by section 70:
–Switching computer on / off
–Using installed software / hardware
–Installing software / hardware
–Pinging
–Viewing floppy or CD ROM
Sec 71 Misrepresentation
•Misrepresenting / suppressing material fact from:
–CA for obtaining certificate
–Controller for obtaining license
•Imprisonment up to 2 years and or fine up to Rs. 1 lakh
Sec 72 Breach of Privacy
•Unauthorized disclosure of information obtained in pursuance of powers conferred by the IT Act or rules
•Imprisonment up to 2 years and or fine up to Rs. 1 lakh
Sec 73 Publishing false Digital Signature Certificate
•Publishing Certificate knowing that:
–CA listed in it has not issued it
–Subscriber listed in it has not accepted it
–Certificate has been revoked / suspended (*)
•Imprisonment up to 2 years and or fine up to Rs. 1 lakh
Sec 74 Publication for fraudulent purpose
•Creating, publishing or making available Certificate for fraudulent or unlawful purpose is made punishable
•Imprisonment up to 2 years and or fine up to Rs. 1 lakh
Penalties
•Chapter IX of the IT Act
•Compensation up to Rs. 1 crore under section 43
•Knowledge or intention is not required to be proven
Section 43 Unauthorized accesses
•Downloading, copying or extracting information
•Introduction of viruses and contaminants
•Damaging computer
•Disruption of computer
•Denial of access
•Assisting in illegal access
•Tampering or manipulating computer
Section 44
•Failure to furnish document, return or report to Controller or CA (Rs 1.5 lakh)
•Failure to file return or furnish information within time (Rs. 5000 per day)
•Failure to maintain books of accounts or records (Rs 10,000 per day)
Section 45: Residuary penalty (Rs 25,000)
|
