workshop on cyber crimes technology, evidence & forensic ... · • uniform resource locator...

© All Rights Reserved

Workshop on Cyber Crimes –

Technology, Evidence & Forensic

Challenges

CERT-In, DEITY & C-DAC

Contents

1. Emerging Cyber Crimes & Threats in Cyberspace

2. Technical & Legal Challenges in Cyber Space

3. Electronic Evidence Attribution

4. Appreciation of Electronic Evidence & Case Studies

5. Crimes in Cyber Space

6. Digital Evidence & Cyber Forensics

7. Mobile Forensics

2 © All Rights Reserved


Emerging Cyber Crimes &

Threats in Cyberspace

Department of Electronics & Information Technology

History of Communication

Telegraph

Telephone

Computer

Communications • X.25 • ISDN • FR etc.

ATM

Optical

Network


© All Rights Reserved 5

11.47 Mil. High speed Internet

Overall Tele-density – 70 %

Internet 6

Bharti

Mail Servers 180 M email accounts

14 Mil. All Domains (1.9Mil. “.in”)

DNS

260+ IDCs

`

VOIP, IPTV

Digital Revolution Internet Infra in INDIA

Govt.

Academia

Enterprise

Home

IT / ITES BPO

Targeted Broadband connections= 22 Mil. (by 2014)

NIC

ERNET

BSNL

Reliance

TATA Communications

STPI

400 Mil. Internet

Users

950 Mil. Mobile

Phones

MTNL

134 Major

ISPs


International Submarine Cable

Network

Source: Global Marine Systems Ltd

International Submarine Cable Network

Game Changers

5 billion devices has plugged into

Internet, expect 22 billion by 2020

In 2012, global mobile data traffic reached 225,000 terabytes per month – more

than 2x growth over 2011, growing at 10x the rate of voice traffic

Internet based TV is growing rapidly

with around 50% growth rate

The number of mobile phone subscriptions will exceed 7 billion globally by the

year end 2013

The world wide smart phone application

market will exceed $15 billion in 2013

and increase to $16 billion by 2014

The no. of mobile broadband

subscriber will reach 3 billion in

2015


Recent Smart Phone /Tablet Phenomenon is

fuelling the mobile transformation

Users expect mobile phones to

replace GPS System, MP3 Players,

and / or digital cameras by 2015

Cell Phones now being increasingly

used for Data apart from talking….

people are using it to browse the net,

listen to music, play games, send

email and SMS

1.China

2. India

3. Facebook

4. Google

5.United States

6. Brazil

If Facebook were a Country,

it would be the world’s 3rd

largest. One of every three College

Students and employees surveyed

globally believes the Internet is

fundamental resource for the

human race – as important as

air, water, food and shelter


Advanced Technology & Solutions for a wide

range of applications

TV tuners video processors Routers & Switches Video Game Consoles

SmartPhones

Servers Optical networks

WiFi, WiMAX Infrastructure

Wireless Base Stations Radio network

Controllers Storage Satellites


Cloud Computing

Cloud computing offers

a seemingly infinite pool

of readily available

computing resources,

typically housed in a

data center. Cloud

promises to eliminate

the necessity of upfront

hardware investment

and is typically available

on a short-term, pay-as-

you go basis



Three Outstanding Features Which

Make Digital Revolution Unique

1. Cyberspace

2. Knowledge Economy

3. Speed with which it has transformed

industrial economy into a knowledge

Economy

Standalone Computers

Input

Information

Run Programs

Output Processed

Output


Internet

Connecting to Internet :

ISP



1010101010

1010101010

0101010101

0101010101

1001010101

0101010101

0101010101

0101010101

Sequence number

Checksum number

Originator IP add

Receiver IP add

Part of the message

Checksum

Verified

Headers

are

Removed &

And

message

reassembled

1010101010

1010101010

0101010101

0101010101

1001010101

0101010101

0101010101

0101010101

Accuracy & Integrity

Packet Switching


Transmission

Privacy & Accessibility


192.168.2.22 192.168.4.24

203.155.53.57 69.34.32.27

Local IP

address Local IP

address

clients clients

server server

firewall firewall

Internet

Client creates

packet

192.168.2.21

192.168.2.20

192.168.2.19

router router

192.168.4.27

192.168.4.26

192.168.4.25

Public IP

Address

Public IP

Address

Communication Via Internet

Packet

Packet Packet

Packet

Packet Packet

Packet

Packet Packet

Packet

Packet

IPv4 Packet Header


IP Address

Example 128.172.101.102

• 128 – a section of the main Internet system.

• 172 - identifies a specific network (ISP).

• 101 - identifies organisation of the specific network.

• 102 - identifies a specific computer


URL & DNS

• DNS is a name resolution service which resolves

host names into IP addresses.

• Uniform Resource Locator (URL)

• URL is the address of an object like specific Web site

(address of the hosting website), email, and/or file /

Page on the Internet.

• Example

www.mit.gov.in = 164.100.52.211

URL

The Web Site Address

- Network ID

- Network ID-ISP

- Subnetwork-ISP

- Host-User

http://www.mit.gov.in/

DNS Naming Convention

• “gates.microsoft.com.”

• “.” Root

• “.com” Top-Level Domain

• “microsoft.com” Second-Level Domain

“gates.microsoft.com” Sub-Domain

• Gates user

URL of Website



The World Wide Web

• URL has two components: host name and path name – Path Name – Path going to

the page & identifies the page

– Host Name: Name of the Machine hosting the Web site/page

• User agent for Web is called a

browser:

– MS Internet Explorer

– Mozilla Firefox

– Google Chrome

• Server for Web is called Web

server:

www.deity.gov.in/cyberlaw/pic.gif


The Web: the http protocol

http: hypertext transfer protocol

• Web’s application layer protocol

• client/server model

– client: browser that requests, receives, “displays” Web objects

– server: Web server sends objects in response to requests

PC running Explorer

Server running

DeitY Web server

PC running Firefox

© All Rights Reserved © All Rights Reserved 22

Application layer protocols

Protocol Application

HTTP: Hypertext Transfer Retrieve and view Web pages

FTP: File Transfer Copy files from client to server or from server

to client

SMTP: Simple Mail Transport Send email

POP: Post Office Read email

Telnet

Provides access to remote computers.

Through Telnet an administrator or another

user can access someone else’s computer

remotely.

E-mail Address

• [email protected]

[email protected]

[email protected]

Local Part Domain Part

• The local-part of the address is often the username of the

recipient

• The domain-part may be a host name/service provider name

which can be looked up in the Domain Name System (DNS)

• eis – sub domain

• ernet – service provider

• in – Country code for India - top level domain


mailto:[email protected]

mailto:[email protected]


Electronic Mail

Three major components: • user agents

• mail servers

• simple mail transfer protocol: smtp

User Agent

• “mail reader”

• composing, editing, reading mail messages

• e.g. Outlook, Eudora

• outgoing, incoming messages stored on server

user mailbox

outgoing message queue

mail server

user agent

user agent

user agent

mail server

user agent

user agent

mail server

user agent

SMTP

SMTP

SMTP


Wi-Fi / WiMax

• Wi-Fi (Wireless Fidelity) is a wireless technology.

•Wi-Fi enables Digital devices to send and receive data indoors and

outdoors; anywhere within the range of a Wi-Fi Access Point.

• Allows to access the Internet while moving from one area to another,

within a complex / building without a disconnection or loss in coverage.

• WiMAX (Worldwide Interoperability for Microwave Access) is a wireless

communications technology designed to provide 30 to 40 megabit-per-

second data rates. WiMax enables last mile wireless broadband

connectivity as a replacement to cable & ADSL Modems.


WiFi Illustration

WiFi Enabled Places

Basically, any location which caters to business users,

and where people with laptops make frequent visits is

an ideal choice to install WiFi.

Airports

Hotels & Resorts

Restaurants

Coffee Shops

Shopping Malls


Wi-Fi HotSpots

• A HotSpot is a geographic area that has a readily accessible wireless network.

• HotSpots are equipped with a Broadband Internet connection through one or more Access Points that allow users to access the Internet wirelessly.

• HotSpots can be setup in any public location that can support an Internet connection. All the locations discussed previously are examples of HotSpots.



Thank you


Electronic Evidence

Attribution


Electronic Record

1. Very easy to make copies

2. Very fast distribution

3. Easy archiving and retrieval

4. Copies are as good as original

5. Easily modifiable

6. Environmental Friendly

Because of 4 & 5 together, these lack authenticity


Why Digital Signatures?

• To provide Authenticity, Integrity and Non-repudiation to

electronic documents

• To use the Internet as the safe and secure medium for e-

Commerce and e-Governance

Digital Signature

• Combines one-way secure hash functions with public key cryptography – Hash function generates fixed length value

– No two documents produce the same hash value

– Secure Hash Algorithm 1 (SHA-1)

• Characteristics – Data Integrity - hash value

– Non-repudiation – encrypted with private key

– Does NOT provide confidentiality


Example – PGP Signed Email

From [email protected]

Sent Tuesday, November 7, 2006 5:56 pm

To [email protected]

Subject Email authentication

Test mail for email authentication from CERT-In regards CERT-In Information Desk e-mail : [email protected] Phone : 1800-11-4949 FAX : 1800-11-6969 Web : http://www.cert-in.org.in

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512-----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1202) wsBVAwUBRVCBPnWXeYNsoT30AQpLmgf8DkQe9751xJ+xaFNhKCy/Oz/q8rpdHxfQ 6aFGHmDQ2gXPTelj4mFC95Rmda6uLN+nHd7GrxuFtwLqVBL6k1iuZGeuR797WqWP comFszCeVcRWtZFk8Mqxe7WbMGJc976ycD1K9IkBou6KgXopVso+JWkde+lfIbjP ijWKlrkyzrgAsz9mY6s0Cz/5T27aJAoN+Sb1gnIn2X6g+lEJuUiI7J8Fa8vpOnYL oMlF8jjNJjCVFslrnXOY0udK3qbOkLPidGCcHsod3UMre0ugJPZhXc8bMIA7g5uj FR0NJkKW6pIUCmAPKmE+JhjnE15nS9XpRJ0ryl2dBuF24q69oHNWDA== =jFzx ----

-END PGP SIGNATURE-----


http://www.cert-in.org.in/



PGP Signed Email - Verification

From [email protected]

Sent Tuesday, November 7, 2006 5:56 pm

To [email protected]

Subject Email authentication

*** PGP SIGNATURE VERIFICATION ***

*** Status: Good Signature

*** Signer: CERT-In Information Desk <[email protected]> (0x6CA13DF4)

*** Signed: 11/7/2006 6:21:10 PM

*** Verified: 11/7/2006 6:22:08 PM

*** BEGIN PGP VERIFIED MESSAGE ***

Test mail for email authentication

from CERT-In

regards

CERT-In Information Desk

e-mail : [email protected]

Phone : 1800-11-4949

FAX : 1800-11-6969

Web : http://www.cert-in.org.in

*** END PGP VERIFIED MESSAGE ***


Comparison of two messages


Hash: SHA1

kill him not, let him free !!! -----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.2.5 (MingW32)

iQCVAwUBRVBsx68nxMrmF4C7AQLYKAP+OtxpsrZX8QRRxB2cfU/vc3e/j6jen8SGWayfRgj8fHVIXeBRwpt/8UlQ5yo0b/BHpQ3gweoEIIHzqEa58WjCvhVIYCsP9FdeIRN2I9soVhSIKp+Rh6DPl2R1PG2ZAlMT0N1KacJyw5rCSggk0dn99sQWoCHshv/rJcZMqBYrns==FkLz

-----END PGP SIGNATURE-----

----------------------------------------------------------------------------------------------------------------------------------------


Hash: SHA1

kill him, not let him free !!! -----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.2.5 (MingW32)

iQCVAwUBRVBs2q8nxMrmF4C7AQKo9AP+O+oEzYpQO4D7cI8Xttepgk6C1FVx+goE/1NR9oBMD86WRrQGAnlnJzXMu//NRppy+b02bbACpU2cm/GsFud4j884vjmDTnzbqRRPzzPQKmhGwAckmwxi2lAFY3Ec/9jHzGUKmiXeTX2guc9BWaJhc/Jk/ie1s5NaBUnsMXZvDvY==hpWK


Change in Signature reflecting Tampering



Paper signatures v/s Digital Signatures

Parameter Paper Electronic

Authenticity May be forged Can not be copied

Integrity Signature

independent of the

document

Signature depends

on the contents of

the document

Non-

repudiation

a. Handwriting

expert needed

b. Error prone

a. Any computer

user

b. Error free

V/s


Public Key Infrastructure

Public Key Infrastructure (PKI) provides the means to

bind public keys to their owners and helps in the

distribution of reliable public keys in large

heterogeneous networks.

The set of hardware, software, people, policies and

procedures needed to create, manage, store,

distribute, and revoke Public Key Certificates based

on public-key cryptography.

CA model (Trust model)

CCA Root Certificate

CA Certificate

Browser Cert.

CA Certificate

Server Cert.



Hash Function

Message

(Any Length) HASH

Hash is a fixed length string

128 bit MD5

160 bit SHA-1

256 bit SHA-2

Hash Function


Digital Signature Creation

Dear Mr. Ram:

We have asked the

Court to issue a

warrant against X.

Sincerely,

XXXXXX

Sender Dear Mr. Ram:

We have asked the

Court to issue a

warrant against X.

Sincerely,

XXXXXX

Sender

encrypt

Sender’s Private Key

Hash

Function

Sender

0F47CEFF

AE0317DB

AA567C29

Hash

Value

0101011110000110101

1011110101111010111

Digital

Signature


Digital Signature Validation

Dear Mr. Ram:

We have asked the

Court to issue a

warrant against X.

Sincerely,

XXXXXX

Sender

0101011110000110101

1011110101111010111

Sender's Public Key

decrypt 0F47CEFF

AE0317DB

AA567C29

0F47CEFF

AE0317DB

AA567C29 Signature is valid if the two hashes match

Recipient

Hash

Function Hash

Value

Hash

Value

DEMO


Public & Private Key pair

Private Key 3082 010a 0282 0101 00b1 d311 e079 5543 0708 4ccb 0542 00e2 0d83 463d e493 bab6

06d3 0d59 bd3e c1ce 4367 018a 21a8 efbc ccd0 a2cc b055 9653 8466 0500 da44 4980

d854 0aa5 2586 94ed 6356 ff70 6ca3 a119 d278 be68 2a44 5e2f cfcc 185e 47bc 3ab1

463d 1ef0 b92c 345f 8c7c 4c08 299d 4055 eb3c 7d83 deb5 f0f7 8a83 0ea1 4cb4 3aa5

b35f 5a22 97ec 199b c105 68fd e6b7 a991 942c e478 4824 1a25 193a eb95 9c39 0a8a

cf42 b2f0 1cd5 5ffb 6bed 6856 7b39 2c72 38b0 ee93 a9d3 7b77 3ceb 7103 a938 4a16

6c89 2aca da33 1379 c255 8ced 9cbb f2cb 5b10 f82e 6135 c629 4c2a d02a 63d1 6559

b4f8 cdf9 f400 84b6 5742 859d 32a8 f92a 54fb ff78 41bc bd71 28f4 bb90 bcff 9634

04e3 459e a146 2840 8102 0301 0001

Public Key 3082 01e4 f267 0142 0f61 dd12 e089 5547 0f08 4ccb 0542 00e2 0d83 463d e493 bab6

0673 0d59 bf3e c1ce 4367 012a 11a8 efbc ccd0 a2cc b055 9653 8466 0500 da44 4980

d8b4 0aa5 2586 94ed 6356 ff70 6ca3 a119 d278 be68 2a44 5e2f cfcc 185e 47bc 3ab1

463d 1df0 b92c 345f 8c7c 4c08 299d 4055 eb3c 7d83 deb5 f0f7 8a83 0ea1 4cb4 3aa5

b35f 5a22 97ec 199b c105 68fd e6b7 a991 942c e478 4824 1a25 193a eb95 9c39 0a8a

cf42 b250 1cd5 5ffb 6bed 6856 7b39 2c72 38b0 ee93 a9d3 7b77 3ceb 7103 a938 4a16

6c89 2aca da33 1379 c255 8ced 9cbb f2cb 5b10 f82e 6135 c629 4c2a d02a 63d1 6559

b4f8 cdf9 f400 84b6 5742 859d 32a8 f92a 54fb ff78 41bc bd71 28f4 bb90 bcff 9634

04de 45de af46 2240 8410 02f1 0001


Smart Cards

• The Private key is generated in the crypto module residing in the smart card.

• The key is kept in the memory of the smart card.

• The key is highly secured as it doesn’t leave the card, the message digest is sent inside the card for signing, and the signatures leave the card.

• The card gives mobility to the key and signing can be done on any system (Having smart card reader).

Source of Public Key

• Public Key with Certificate can be published anywhere

• Browsers contain Certificates from reputed CA’s

• Attached as a signature to e-mail

– Pretty Good Privacy (PGP)

-----BEGIN PGP SIGNATURE-----

Version: PGP 7.0.4

iQCVAwUBOx6SgoFNSxzKNZKFAQGK+gP6AnCVghZqbL3+rM5JMSqoC5OEYIkbvYZN

92CL+YSCj/EkdZnjxFmU9+wGsWiCwxvs/TzSX6SZxlpG1bHFKf0OPu7+JEfJ7J5z

cPCSqbFXiXzmukMl5KNx0p0veIDW4DmwleDpkmhT05qnCheweoNyvTSzfA1TGeLl

mpjBi6zUjiY=

=Xq10




CCA’s PUBLIC KEY 2048 bit

3082 010a 0282 0101 00aa d454 b97c 73bf 177a 0b2f

85ab 0738 3d76 8637 980c c815 52de 2fc6 9d09 3548

9c75 1dbe c705 3ad1 cfc7 db51 033c ebf6 a367 d693

b669 29b8 c147 851a b4f9 f1e4 e361 e1e8 91ea 8283

fe2f f3d4 7fdd fbb7 d761 ebb0 4cee 41e3 6e8d 3cd9

4ae0 569c 4270 9c5a 8725 cff7 bf2a b079 cb09 de1d

22e7 0bcc 800b 6118 fa28 963f d1c6 86c1 75b2 8f80

ff5c 83a7 7310 1f03 db26 1639 61cf db36 3a2b e5a5

8aa8 c9d6 c10d 5d03 b274 b36e 1c90 d8bc d561 9278

a3d7 146f 7006 f386 8cc6 3fae 5e99 b071 7f23 fcaa

4853 e2ff 5561 5bc8 1747 42f2 c180 79fe 7d74 0ea8

4550 69e0 e0e9 d91d 75a4 c144 6211 de1f 0a0d b295

9831 8c99 ae7e 5e0e da89 0f84 14d7 5b80 373f 57cc

70ec 7232 0502 0301 0001

This key is available at cca.gov.in and can be downloaded


Controller of Certifying Authorities as the “Root”

Authority certifies the technologies, infrastructure

and practices of all the Certifying Authorities

licensed to issue Digital Signature Certificates

Role of Controller of Certifying Authority


IDRBT Certificate

Paper Electronic

C:/Documents and Settings/KRISHNAN/kgupta/Desktop/certs/IDRBT-0608/IDRBT_CA.cer

C:/Documents and Settings/KRISHNAN/kgupta/Desktop/cca-pres/IDRBT_CA.cer


Thank you


Appreciation of Electronic

Evidence & Case Studies

Appreciation of Evidence

“The process by which a judge concludes

whether or not a fact is proved is called

appreciation of evidence. It is a duty of the

court to appreciate evidence minutely,

carefully, and to analyse it.”

Kajal Sen v.State of Assam AIR 2002 SC617



Electronic Evidence

Electronic evidence means that the “evidence

which existed in electronic (intangible) form is

being produced in tangible form.

Electronic Record

S.2(1)(t) “Electronic record” means data,

record or data generated, image or sound

stored, received or sent in an electronic

form or micro film or computer generated

micro fiche;


Human Intervention

The entire process of procuring electronic

evidence is controlled by human agencies.

Can it be manipulated, tampered with?

The science may be infallible, but human action,

which controls the result of the scientific forensic

examination, may be fallible.


Appreciating Technology

Applying technology and getting desired

results is one thing, but appreciating the

value of the ‘evidence’ is another.

One may lose evidence not because of ‘lack

of technology’, but because of ‘lack of

appreciation of technology’.


The Questions are:

• Did the investigators/litigants take care in

gathering the evidence?

• Could they fake the evidence?


Courts and tribunals have to judge the

evidence before them by applying the test

of human probabilities”.

Commissioner of Income Tax, West Bengal II v. Durga Prasad More AIR 1971 SC 2439


Mohammed Ajmal Mohammad Amir

Kasab v State of Maharashtra & Ors*

The Hon’ble Supreme Court appreciated

the electronic evidence, whether in the

form of CCTV footage, mobile devices,

memory cards, data storage devices,

intercepted communications over VoIP, IP

Addresses, etc. while delivering the

judgment.

* (2012) 9 SCC 1


In all human affairs absolute certainty is myth. Prof.Brett

puts it, “all exactness is fake”. Ordinarily, E.L.Dorado

theory of “absolute proof” being unattainable, the law

accepts for it probability as a working substitute.

Hardly one come across a case, where Court does not

resort to “certain probability” as working substitute for

proof beyond all reasonable doubt. However, in the

case in hand, from the evidence, oral and documentary,

reference of which have copiously been made in the

judgment by my noble and learned Brother Aftab Alam,

J. make me believe that “absolute certainty” may not

necessarily be a myth or fake in all cases and can be a

reality.

J. Chandramauli Kr. Prasad


In State of Gujarat v. Shailendra Kamal

Kishor Pande & Ors*., it was held that

“..….CD itself is primary and direct evidence admissible as

to what has been said and picked up by the recorder……it

has to be proved that the same has been prepared and

preserved safely by independent authority, like Police….”

* 2008 CRI.L.J.953


Tukaram S.Dighole v.Manikrao Shivaji Kokate*

Hon’ble Supreme Court held that “standard

of proof” in the form of electronic evidence

should be “more accurate and stringent”

compared to other documentary

evidence….

* (2010) 4 SCC 329


In Jagjit Singh v State of Haryana*, it was

held by the court that “…original CDs

received from Zee Telefilms and…..an

opportunity had been given to the parties to

review the materials….there is no infirmity in

speaker’s reliance on the digital

evidence…..”

* AIR 2007SC 950


In Court on its own motion v. State*, the

court viewed that even in the absence of

original recordings (like negative of a

photograph), reliance may be placed on

‘positive’.

* WP (Crl) No. 796 of 2007. Judgment delivered on

21.08.2008.


In Trimex International FZE Ltd.v. Vedanta Aluminium Ltd. India*

The Court held that in the absence of signed agreement

between the parties, it would be possible to infer from various documents duly approved and signed by the parties in the form of exchange of e-mails, letter, telex,

telegrams and other means of telecommunications.

*(2010)3 SCC1

Similarly in Shakti Bhog Foods Ltd. v. Kola Shipping Ltd., (2009) 2 SCC 134


Sanjay Kumar Kedia v. Narcotics Control Bureau & Anr

CRIMINAL APPEAL NO. 1659 OF 2007

(SLP (Crl.) No. 3892 of 2007)

The company (Xponse Technologies Ltd. And Xpose IT Services Pvt.

Ltd. Headed by Sanjay Kedia) has designed, developed, hosted the

pharmaceutical websites and using these websites, huge quantity of

psychotropic substances (Phentermine and Butalbital) have been

distributed in USA with the help of his associates.

ALADIESPHARMACY.com, EXPRESSPHENTERMINE.com,

FAMILYYONLINEPHARMACY.com

ONLINEEXPRESSPHARMACY.com, SHIPPEDLIPITOR.com

DELIVEREDMEDICINE.COM ,TRUEVALUEPRESCRIPTIONS.COM

That IP address was 203.86.100.76


S.B.SINHA & HARJIT SINGH BEDI, JJ. :

That the Xponse Technologies Ltd and Xponse IT Services

Pvt Ltd were not acting merely as a network service

provider but were actually running internet pharmacy and

dealing with prescription drugs like Phentermine and

Butalbital."


In Ravi Kant Sharma & Ors. v State, the

court held that “…call details record is not a

direct computer printout of the data available

in the computer/servers of the telephone

company….”

CRL.A. 357/2008. Judgment delivered on 12.10.2011


Rohit Vedpaul Kaushal v. State of Maharashtra

The Bombay High Court, after examining the

SMS messages sent by the accused held:

“ that some of the SMS sent by the

accused certainly fall within the scope of

Section 67 of the IT Act”

* 2007 INDLAW MUM 755


In Mrs.Nidhi Kakkar v Munish Kakkar*, the

court held “ If person produced text of

information generated through computer, it

should be admissible in evidence, provided

proof was tendered in manner brought

through Evidence Act…”

* (2011)162 PLR113


Dharambir v.CBI

The Delhi High Court has held:

“Given the wide definition of the words ‘document’

and ‘evidence’ in the amended Section 3 of the

IEA, read with section 2(o) and 2(t), of IT Act, a

hard disc which at any time has been subject to

a change of any kind is an electronic record

would therefore be a document within the

meaning of section 3 of IEA.”

* 148 (2008) DLT 289


Presenting e-Evidence

It is obligatory to note that the evidence in

electronic form is in ‘intangible form’ and

the bottomline is – admissibility of such

evidence in a court of law.


For example, if an exhibit is an electronic

record or data produced by a computer,

the “accuracy” of such an exhibit must

encompass the accuracy of the

process, which produced the said

record, as well as accuracy of content.


Accuracy of the processes depends on the quality of original source, the quality of the internal computer manipulation, the audit mechanism which might reduce error or provide corroboration, the integrity of the way in which the exhibit –what the court actually considers- has been derived, perhaps even the integrity of the way in which the exhibit has been handled by investigators.


Also, it is crucial that there should be a clear chain of custody or continuity of evidence, i.e., from collectors to preservers to examiners to analysts.

It is thus imperative that hash function should be calculated by the collector(s) and subsequently verified by the examiner(s).


Hence, it is pertinent that one must not be

swayed by the technicality of electronic

evidence but should appreciate the entire

evidence gathering and evaluation

mechanism.



Section 65 B of IEA

S.65 B Admissibility of Electronic Records

(1)Any information contained in an electronic

record which is printed on a paper, stored,

recorded or copied in optical or magnetic

media produced by a computer shall be

deemed to be also a document, if the

conditions mentioned in this section are

satisfied in relation to the information and

computer in question and shall be admissible

in any proceedings, without further proof or

production of the original …….


(2) The conditions:

(a) the computer output containing the information was produced by the computer during the period over which the computer was used regularly to store or process information for the purposes of any activities regularly carried over that period by the person having lawful control over the use of the computer;

(b) during the said period, information of the kind contained in the electronic record or of the kind from which the information so contained is derived was regularly fed into computer in the ordinary course of said activities;


(c) throughout the said period, the computer was operating properly or if not then in respect of any period in which it was not operating properly or was out of operation…..was not as such to affect the electronic record or the accuracy of its contents; and

(d) the information contained in the electronic record reproduces or is derived from such information fed into the computer in the ordinary course of said activities.


(3) Where over any period, the function of storing

or processing information …..regularly

performed by computers, whether in

combination, or succession, or by different

combinations………..in whatever order,

all the computers used for that purpose during that

period shall be treated ……as constituting a

single computer


(4) A certificate signed by a person occupying a responsible official position in relation to operation of the relevant device or the management of the relevant activities to include any of the following things:

· identifying the electronic record containing the statement and describing the manner in which it was produced

· giving such particulars of any device involved in the production of that electronic record as may be appropriate for the purpose of showing that the electronic record was produced by a computer


The objective behind aforesaid step-by-step

processes is to identify whether the

computer in question has properly

processed, stored and reproduced

whatever information it received.


State v. Mohd. Afzal*

Held. That under S.65 B, computer generated electronic records is an admissible evidence at trial if proved in manner specified by section.

Electronic record in the form of a print out…..compliance with sub-section Sub-section (1) and (2) of section 65 B is enough to make admissible and prove electronic records. This conclusion flows out, even from the language of sub-section (4).

* 107(2003) Delhi Law Times 385 (DB)


P.Padmanabh v. Syndicate Bank Ltd., Bangalore

The High Court of Karnataka held:

“Clear admission of malfunctioning of either

ATM machine or computer…..provisions of

section 65B cannot be pressed into

service by plaintiff”.

* 2008 (2) Kar.L.J. 153



Is it a Primary Evidence or Secondary

Evidence?

Under the IE Act, the contents of documents may be proved either by primary or secondary evidence. Section 62 of the Act defines “Primary evidence” as “….the document itself produced for the inspection of the Court”.

The Act, also defines, “Secondary Evidence” as the “certified copies made from the original by mechanical processes which in themselves ensure the accuracy of the copy, and copies compared with such copies”[section 63(2)]


• Section 65. Cases in which secondary evidence relating to documents may be given –

(d) When the original of such a nature as not to be easily movable;

• Section 65 A. Special provisions as to evidence relating to electronic record – The contents of electronic records may be proved in accordance with the provisions of section 65B.


In State v. Navjot Sandhu*…It is not in dispute that the information

contained in the call records is stored in huge servers which

cannot be easily moved and produced in the court…..Hence,

printouts taken from the computers/servers by mechanical

process and certified by a responsible official of the service

providing company can be led in evidence through a witness

who can identify the signatures of the certifying officer or

otherwise speak of the facts based on his personal knowledge.

Irrespective of the compliance with the requirements of section

65B, which is a provision dealing with admissibility of electronic

records, there is no bar to adducing secondary evidence under

the other provisions of the Evidence Act, namely sections 63

and 65. It may be noted that the certificate containing the details

in sub-section (4) of section 65B is not filed in the instant case,

but that does not mean that secondary evidence cannot be

given in the circumstances mentioned in the relevant provisions,

namely sections 63 and 65.

* (2005)11 SCC 600


Vodafone Essar Ltd. v Raju Sud, concerned a

dispute with regard to the subscriber, inter alia,

challenging the authenticity of computer

generated bills, which contained the charges.

The court held, “….printouts taken from the

computer/server by mechanical process as

contemplated under section 65 and 65A of the

Evidence Act is permitted, irrespective of the

compliance with the requirement of section 65B

of the Act.”

* Pronounced on Nov. 22, 2011, Suit no. 3264/2009, BHC


Irrespective of the compliance with the

requirements of section 65B, which is a

provision dealing with admissibility of

electronic records, there is no bar to

adducing secondary evidence under the

other provisions of the Evidence Act,

namely sections 63 and 65.


For the purpose of admissibility of electronic record produced by a computer, a three prong test is important:

1. Document in question – is an electronic record [as defined under S.2(1)(t) of the IT Act, 2000],

2. Produced by a computer [as defined under S.2(1)(i) of the IT Act, 2000], and

3. Accompanied by a certificate, fulfilling the conditions laid down S.65 (B)(2)-(B)(4) or proven by way of secondary evidence.


For the purpose of admissibility of electronic record produced by any other device other than a computer, a two prong test is important:

1. Document in question – is an electronic record [as defined under S.2(1)(t) of the IT Act, 2000],

2. Accompanied by an affidavit, or proven by way of secondary evidence.


Section 79A* Examiner of Electronic Evidence

Central Government may, for the purpose of

providing expert opinion on electronic form

evidence before any

court……specify…any Department, body

or agency of the Central Government or a

State Government as an Examiner of

Electronic Evidence Electronic form Evidence means any information, of probative value

that is either stored or transmitted in electronic form and includes

computer evidence, digital audio, digital video, cell phones, digital

fax machines.


In SIL Import, USA v. Exim Aides Silk

Importers*, the Hon’ble Supreme Court

observed the need of the judiciary to

interpret a statute by making allowances for

any relevant technological change that has

occurred.

* (1999) 4 SCC 567



Case Studies


Phishing


Phishing

• Facts Victim received on his personal email an email from Income Tax Department ([email protected] ) mentioning that he had refund on the tax paid.

Mistaking it as genuine refund he clicked the attachment which led him to a webpage where he keyed in the critical information i.e., username, password etc. of his bank account.

After twenty days he received a SMS from the bank authorities that a transaction was made and hence Rs.94100/- was debited from his account

Case No./Crime No.

35/2011

City: Hyderabad


Investigation

The deceptive e-mail that was sent to him as if from Income Tax Department was analysed and the IP Address from which it originated was identified as 78.94.188.22 which, however was traced to Germany (Herne Unitymedia Nrw Gmbh).

The print of the deceptive e-mail was collected to prove case as per section 471 IPC that is a false electronic record was produced as genuine.

Inquiries with the bank revealed that an amount of Rs 94,100/- was debited towards a merchandise transaction through eBay an online marketing place


Investigation

Identification of buyer’s mobile no.

and address as shipping address for

delivery.

The IP Address (180.215.151.190)

pertaining to the fraudulent

transaction was collected and it was

traced to MTS Network.

From the call data records the tower

locations of the mobile numbers

were figured out.

Culprit was arrested.


Investigation

From the possession of the accused

a laptop and MTS Internet Data

Card that he used for sending

phishing e-mails were recovered.

The laptop was examined

forensically and traces of phishing

emails sent by the accused were

recovered.

A case under sections 66- C

(Identity theft) & 66-D (Cheating by

personation) and IPC Provisions

i.e., 420 & 471 registered.


Child Pornography


Child Pornography

• Facts A complaint was received on email

from Interpol against an IP address

involved in sending child

pornography images.

Interpol was briefed by the Child

Exploitation Online Protection

Centre(CEoP)

The email mentioned the uploading

of child pornography images and

receipt of payment using Internet

account from Chennai.

FIR No. 0554/2009

City: Chennai


Investigation

IP address revealed BSNL network. It led to the identification of Wilheum (a foreign national).

His laptop was seized and examined forensically.

It revealed hundreds of child pornography images. His bank account also showed payment details.

A case was registered including section 67B of the IT Act.


Cyber terrorism


Cyber Terrorism

• Facts On September 7, 2011 a bomb blast

took place outside Gate No. 5 of

Delhi High Court around 10AM.

Around 4pm an email received by

the police taking responsibility of the

blast and further identifying

Ahmedabad as the next target.

This email was sent in the name of

a terrorist, who was on the most

wanted list of FBI.

FIR No. DCB – II –

3050/2011

City: Ahmedabad


Investigation

IP address revealed as if email was

sent from Moscow.

Further use of forensic tools

revealed that this email was sent

using a Virtual Private Network

(VPN) and with the same email id

some blog-sites were also

accessed.

Using web-log analysis the culprit

was identified and charged under

section 66 F (cyber terrorism) of the

IT Act.


Thank You


Crimes in Cyber Space

Questions being asked now-a-days

• What is the cyber space?

• What are cyber crimes and the most

damaging new attack patterns?

• Who are the cyber criminals?

• What are the most promising initiatives to

deter cyber attacks?


The Nature of Cyber Space

• Proliferation of Information Technology

• Rapid growth in Internet

• Increasing online transactions

• Information systems are essential part of critical

infrastructure



Why cyber space is at risk?

Defending is difficult Risk v/s convenience Increasing complexity Security was never a

part of Internet Varied threats and

threat actors

Attacking is easy Attacker’s anonymity Attribution challenges Inconsistent laws Proximity no longer a

requirement

Cyber space is getting target-rich

Increasingly valuable Increasingly online Increasing dependency Technical convergence

Three faces of cyber crime

• Organised Crime

• Terrorist Groups

• Nation States


Computer is incidental to

other Crimes

Computer is not essential for the crime to occur, but it is used in the Criminal Act

• The Crime, in general, could occur without the technology

• The Computer helps the crime to occur faster, easier

• Permits processing of greater amounts of information

• Makes the crime more difficult to identify and trace


Crimes associated with the

prevalence of computers

The presence of computers generates new

versions of traditional crimes

• Piracy

• Copyright violation

• Blackmarketing, Public Order

• Murder

• Outage

Technological growth essentially creates new

crime targets



Cyber Crimes – increasing ??

• The anonymity of cyberspace makes identity

tracing a significant problem which hinders

investigations.

• Most Computer Crimes go undetected by their

victims

• Of the crimes / attacks which are detected, few

are reported

Cyber Crimes being observed in India

• Hacking

• Hactivism

• ATM & Credit/Debit/Gift Card Frauds

• Web defacement

• Proxy Scan

• Denial of Service

• Distributed Denial of Service

• Malicious Codes

– Virus

– Bots

• Data Theft and Data Manipulation

– Identity Theft

– Financial Frauds



Targeted attacks

• Targeted attacks - espionage

• social engineering

– specially drafted email & sender's account

• spoofed/compromised email accounts

• vulnerabilites and exploits

– MS office, pdf etc.

• Malware - known and crafted

– poor detection

• stealth channels and information theft

• Resilient Command & Control


`

`

`

`

``

``

Recon

Access

Infiltration

Internet

Hosts

Firewall

Public

Servers

Private

Servers

Network Hosts

Phase 1

Discover / Map

Phase 2

Penetrate

Perimeter

Phase 3

Attack

Resources

A typical penetration or hacking


DDoS / BOTs

Command and

Control Servers

BOTS

Victim

Bot-Herder


Command and

Control Servers

BOTS

Spammer

Internet

Spam using BOTs/ Mass Mailing Worms

Spyware

• Spyware is used by companies to gather the surfing habits of

the users.

• Pop-up ads are usually a result of spyware being present on

a computer.

• Keyloggers are a form of spyware that secretly record

keystrokes and have the ability to email them back to the

intruder.


Cyber Crimes through e-mails

• Examples of crimes involving e-mails:

– Spam – Unwanted emails

– Passing confidential or secret information

– Extortion: Illegal means of acquiring things

– Sexual harassment

– Misuse of compromised e-mail accounts for

demanding money in distress


Wi-Fi Hijacking

• Approx. 60-70% of the wi-fi networks are

estimated to be insecure & available for

unauthorised internet access

• Why are so many wi-fi networks insecure? – Lack of user awareness for its possible misuses

– How to configure the wi-fi access point for a secure wi-fi

network

– But… criminals look for insecure wi-fi networks to commit

their crimes

– And… the authorities will come knocking on your door….


Phishing

The term Phishing is derived from ‘fishing’ password + fishing = phishing

“Phishing is the act of sending a communication

(Email/Message/Fax/SMS) to a user falsely

claiming to be an legitimate enterprise/Brand in an

attempt to scam the unsuspecting user into

disclosing sensitive private information that will be

used for identity theft. ”


Mechanics of Phishing

Phishing Website

1. Attacker hosts Phishing Website

- Insecure webserver

- Free hosting

- Fast-flux, Rock phish

- `

Web Server

2. Attacker sends

spam mails/SMSes

etc. containing

Phishing links

Data collection point



Phishing Web site

Legitimate Web Site

Phishing – PayPal Website

Phishing e-mail: Income Tax Deptt.


Phishing in the name of

Tax Refund


On click to ‘Tax Refund Form’


Data Didling

• BIHAR SECONDARY STATE BOARD

• PRIVATE STUDENTS TOPPED OVER GOVT STUDENTS

– 6 DIGIT ROLL NUMBER

• GOVT STUDENTS STARTS WITH 3

• PRIVATE STUDENTS STARTS WITH 4

• SOFTWARE MANIPULATION

– 300000 > ROLL_No < 400000 DEDUCT 9

– 400000> ROLL_No < 500000 ADD 9


Cyber terrorism

• Attack on critical national infrastructure, such as

electricity, gas, water; banking and finance;

transport systems; telecommunications


SPAM - Mail

• Terrorist often exchange their message via

SPAM Messages

• All email servers filter as SPAM

• Group – A accesses http://www.spammimic.com

site and encode the messages to be sent

• Copies encoded text and sending to Group

– B

• Group – B checks mail in SPAM folder copy the

content of the mail then decode original content

from aforesaid site.


http://www.spammimic.com/







Terrorists communication via SPAM mails

Group A

Click Encode

Type your text: This is private

Text

Click Encode

Copy the text and send as mail. All mail

server classifies as SPAM

Now Group B (Recipient will receive mail

from SPAM folder and copy the text

accesses same web site and getting

decode the original (hidden)text)


Terrorists communication via SPAM mails

Group B

Click Decode

Copy the text from mail under

SPAM folder

Click Decode

Decoded text: This is private

Text



Thank You