Cyber Forensics - Cyber Crime Investigation
By Puneet Nagpal
(Master of Science, Cyber Law and Information Security)
Indian Institute of Information Technology, Allahabad.
FORENSICS:-
Forensic science (often shortened to forensics) is the application of a broad spectrum of sciences to answer questions of interest to the legal system. This may be in relation to a crime or to a civil action.
COMPUTER FORENSICS:-
Computer forensics is the art of finding out who the attacker is and what they have been doing in the cyber world.
Locard's Exchange Principle -
"ANYONE OR ANYTHING ENTERING THE CRIME SCENE TAKES SOMETHING OF THE SCENE WITH THEM AND LEAVES SOMETHING OF THEMSELVES BEHIND WHEN THEY DEPART"
Also the GOLDEN RULE of forensics says - "IF YOU WANT TO CATCH A CRIMINAL, THEN YOU SHOULD ALSO THINK LIKE A CRIMINAL", because hackers/crackers are almost always two steps ahead of an ordinary investigator.
->Possible suspects of computer crime-
.internal disgruntled employees
.visitors who steal data using pen drives etc.
.external attackers
.company associates
Another possibility is that a competing company hires a hacker.
->Motive-
.profit
.unhappiness (grievance)
.accidental
.blackmail
->Medium of attack-
.internet
.chat
.internal networks
.e-mail
.phone/fax
Cyber Crime Investigation:-
Steps to be followed by the Investigation Team on the spot:-
.Data imaging- Never use the suspect's PC.
.Evidence preservation- Store the data in more than one place.
.Data discovery- From each and every location.
.Evidence study- Look for possible suspects and motives.
.Non-electronic study- Interview witnesses and colleagues.
.Preparing the report- Make sure that your report will be able to convince someone from a non-technical background.
.Challenges faced- Identity theft and data hiding techniques.
If you are able to make a good final report, you will find the criminal very easily.
In the case of network security, you can easily find the attacker by tracing the e-mail ID.
(A) DATA IMAGING :-
Never use the original suspect computer, because using it may destroy data through time-dependent viruses left by the attacker. A good computer forensic expert never uses the original suspect computer.
- Pull the plug and shut down the machine.
- Use the hard disk in another computer to make a backup copy of the suspect machine's hard disk.
- Create a sector-by-sector image/clone of the hard disk.
Image: - Disk to File
Clone: - Disk to Disk
- Files still linked from the operating system stored on the hard disk are known as Live Files; files whose link has been removed, so that the operating system no longer accesses them, are known as Dead Files.
(B) EVIDENCE PRESERVATION :-
The image/clone copy of the evidence must be stored in secure storage to avoid any alteration of the data. It should be stored on some optical media. Floppy is not reliable at all.
-Store the data in more than one location.
-Always write-protect all image/clone copy media to ensure secure, continued preservation.
-Any delay can potentially lead to loss.
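To make the imaging step in (A) and the preservation step in (B) concrete, the following is an added example written for this page; it is not code from the original article or from any forensic tool. It models the suspect drive as an in-memory byte buffer read through a read-only interface (the role a write blocker plays), copies it sector by sector into an image file, zero-fills and records any unreadable sector, hashes the bytes as they are acquired, and then re-hashes each stored copy to prove it is unchanged. The names SuspectDrive, image_device, verify_image and demo, the 512-byte sector size and the sample drive contents are all assumptions of this example.

```python
"""Sector-by-sector imaging with hash verification.

Added example, not code from the original article or any forensic tool.
The suspect drive is an in-memory byte buffer so the example runs offline;
SuspectDrive, image_device, verify_image and demo are names of this example only.
"""
import hashlib
import os
import tempfile

SECTOR_SIZE = 512


class SuspectDrive:
    """Stand-in for a raw block device reached through a write blocker.

    It exposes reads only (no write method). Sectors listed in `bad_sectors`
    raise OSError, like a physically bad sector would.
    """

    def __init__(self, data: bytes, bad_sectors=()):
        if len(data) % SECTOR_SIZE:
            raise ValueError("drive size must be a whole number of sectors")
        self._data = data
        self._bad = set(bad_sectors)

    @property
    def sector_count(self) -> int:
        return len(self._data) // SECTOR_SIZE

    def read_sector(self, n: int) -> bytes:
        if n in self._bad:
            raise OSError(f"I/O error reading sector {n}")
        return self._data[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]


def image_device(drive: SuspectDrive, image_path: str) -> dict:
    """Disk-to-file image: copy every sector of `drive` into `image_path`.

    An unreadable sector is written as a zero-filled sector so the image keeps
    the geometry of the source, and its index is recorded for the report.
    The SHA-256 is computed over the bytes exactly as they were acquired.
    """
    digest = hashlib.sha256()
    unreadable = []
    with open(image_path, "wb") as out:
        for n in range(drive.sector_count):
            try:
                sector = drive.read_sector(n)
            except OSError:
                sector = b"\x00" * SECTOR_SIZE
                unreadable.append(n)
            digest.update(sector)
            out.write(sector)
    return {"sha256": digest.hexdigest(), "sectors": drive.sector_count,
            "unreadable_sectors": unreadable}


def hash_file(path: str) -> str:
    """SHA-256 of a file, streamed in sector-sized chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(SECTOR_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(image_path: str, acquisition_sha256: str) -> bool:
    """Re-hash a stored copy and compare with the hash taken at acquisition.

    Run this on every stored copy and again before analysis: a mismatch means
    the copy was altered or corrupted and must not be relied on as evidence.
    """
    return hash_file(image_path) == acquisition_sha256


def demo() -> dict:
    """Image a constructed 64-sector drive, keep two copies, verify them all."""
    data = bytes(range(256)) * (64 * SECTOR_SIZE // 256)   # constructed sample drive
    drive = SuspectDrive(data, bad_sectors={40})
    workdir = tempfile.mkdtemp()
    primary = os.path.join(workdir, "suspect.dd")
    record = image_device(drive, primary)

    # Second storage location: a byte-for-byte copy of the image.
    secondary = os.path.join(workdir, "suspect_copy.dd")
    with open(primary, "rb") as src, open(secondary, "wb") as dst:
        dst.write(src.read())
    # A copy with one flipped byte, to show that verification catches it.
    altered = os.path.join(workdir, "suspect_altered.dd")
    with open(primary, "rb") as src:
        buf = bytearray(src.read())
    buf[100] ^= 0x01
    with open(altered, "wb") as dst:
        dst.write(buf)

    for path in (primary, secondary):
        os.chmod(path, 0o444)            # write-protect the evidence copies
    record["primary_ok"] = verify_image(primary, record["sha256"])
    record["secondary_ok"] = verify_image(secondary, record["sha256"])
    record["altered_ok"] = verify_image(altered, record["sha256"])
    return record


if __name__ == "__main__":
    print(demo())
```

The acquisition hash is the value that the write blocker discussion later on this page refers to: it is taken once from the source bytes and written into the report together with the list of sectors that could not be read, and every later check compares a stored copy against that one recorded value rather than against another copy.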
(C) DATA DISCOVERY :-
All types of data/evidence must be discovered from various locations.
Discovery of active data: - These are active files, including encrypted or hidden ones, such as MS Word documents, PDFs, e-mails and *.mdb databases.
Discovery of backup data by recovering temporary and swap files, e.g. the auto-save files of MS Office.
Discovery from residual data: - From bad sectors.
Discovery of other data as follows :-
System files
Access control lists
E-mail accounts
Internet cookies
System Registry and security policies
Interview the people involved
History
Gain access to encrypted/password-protected files etc.
(D) EVIDENCE STUDY :-
a) Study the proof and look for possible suspects and motives.
b) Analyze the evidence and look for proof which is acceptable in a court of law and can be used to convict the suspect.
(E) NON-ELECTRONIC STUDY :-
a) Interview colleagues to gain more insight into the case.
b) Look for both a possible suspect and a probable motive, then finally match them to the proof.
c) Don't forget to examine the suspect's home desktop, laptop, or any other removable media. They may contain vital proof.
(F) PREPARING THE REPORT :-
Make sure that your report will be able to convince someone from a non-technical background that the suspect is indeed guilty.
Don't forget to provide a non-technical overview and explanation of the cyber crime.
Also, always add the technical evidence to your report.
Investigation agencies in India :-
Government (Central & State Law Enforcement) Sector:
The State Forensic Science Laboratory, New Delhi
The State Forensic Science Laboratory, Gujarat
The Delhi Police - Special Cell
CID Police Hyderabad
CBI New Delhi
Anti-Terror Squad
EOW and RAW
Cyber Crime Investigation Cell of Crime Branch, C.I.D., Mumbai
What do investigation agencies do?
Professional computer forensics
E-discovery
Investigations and incident response services to corporates, law enforcement, law firms, fraud investigators and individuals around the world.
Various types of kits and technologies used by investigation agencies are discussed as follows :-
1 ) Cloning/Imaging:- This is done on the spot using various types of hardware tools. Depending on the situation on the spot, either cloning or imaging is used. The two main things are the Source and the Destination. In the case of cloning the destination can be equal in size to the source, but in imaging the destination should always be larger in size than the source.
2 ) Write Blockers:- A write blocker plays an important role in investigation activities. Using one, a cyber crime analyst is free to do the cloning and imaging. Write blockers keep the suspect drive in read-only mode and so allow it to be cloned and imaged without changing its hash value.
3 ) Data Recovery:- This is one of the favourite processes of the cyber crime investigator, because it is used to recover data from various locations, which makes the investigation much easier; as the investigation rule says, 'Information Gathering Is The Basic Step of Investigation'. The various locations are the same as those listed under (C) DATA DISCOVERY above: active data, backup data from temporary and swap files, residual data from bad sectors, and the other sources (system files, access control lists, e-mail accounts, Internet cookies, System Registry and security policies, interviews, history, and encrypted/password-protected files).
We can recover formatted data from formatted media, but we can never recover data from wiped media, because formatting deletes only the address from the FAT/FAT32 table and not the content, whereas wiping the media deletes the content as well.
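The difference between a format and a wipe described above can be shown on a toy volume. The following is an added example written for this page, not code from the original article or from any recovery tool: ToyVolume is a deliberately simplified model of a FAT-style volume (a table mapping file names to cluster chains, plus a cluster data area), not the real on-disk format; quick_format clears only the table, wipe also overwrites every cluster, and carve_by_signature recovers files by scanning raw clusters for known file headers without any table at all. The signature set, the two sample files and the names quick_format, wipe, carve_by_signature and demo are assumptions of this example.

```python
"""Why a formatted volume is recoverable but a wiped one is not.

Added example, not code from the original article. ToyVolume is a much
simplified model of a FAT volume, not the real on-disk format; quick_format,
wipe, carve_by_signature and demo are names of this example only.
"""

CLUSTER_SIZE = 64
CLUSTER_COUNT = 16

# File-type signatures a carver looks for once the table is gone (constructed
# sample set: a real PDF header and a made-up header for a report format).
SIGNATURES = {b"%PDF-": "pdf", b"REPORT1\x00": "rpt"}

# Constructed sample files.
SAMPLE_REPORT = b"REPORT1\x00Suspect accessed payroll share at 02:13; " + b"x" * 100
SAMPLE_PDF = b"%PDF-1.4 constructed sample document " + b"y" * 80


class ToyVolume:
    def __init__(self):
        self.table = {}       # name -> cluster chain (plays the role of the FAT entries)
        self.clusters = [bytearray(CLUSTER_SIZE) for _ in range(CLUSTER_COUNT)]
        self._free = list(range(CLUSTER_COUNT))

    def write_file(self, name: str, content: bytes) -> None:
        chain = []
        for off in range(0, len(content), CLUSTER_SIZE):
            n = self._free.pop(0)
            chunk = content[off:off + CLUSTER_SIZE]
            self.clusters[n][:len(chunk)] = chunk
            chain.append(n)
        self.table[name] = chain

    def read_file(self, name: str) -> bytes:
        raw = b"".join(bytes(self.clusters[n]) for n in self.table[name])
        return raw.rstrip(b"\x00")

    def quick_format(self) -> None:
        """Format: the table is cleared, cluster contents are left untouched."""
        self.table.clear()
        self._free = list(range(CLUSTER_COUNT))

    def wipe(self) -> None:
        """Wipe: the table is cleared AND every cluster is overwritten."""
        self.quick_format()
        for c in self.clusters:
            c[:] = b"\x00" * CLUSTER_SIZE


def _signature_of(cluster: bytes):
    """Return the file kind whose signature starts this cluster, else None."""
    return next((kind for sig, kind in SIGNATURES.items() if cluster.startswith(sig)), None)


def carve_by_signature(volume: ToyVolume) -> list:
    """Recover files with no table at all by scanning the raw clusters.

    A cluster that starts with a known signature begins a file; the file is
    taken to continue through the following clusters until one that starts
    another signature or is entirely zero. Returns (kind, content) pairs.
    """
    raw = [bytes(c) for c in volume.clusters]
    blank = b"\x00" * CLUSTER_SIZE
    found, i = [], 0
    while i < len(raw):
        kind = _signature_of(raw[i])
        if kind is None:
            i += 1
            continue
        body, j = raw[i], i + 1
        while j < len(raw) and _signature_of(raw[j]) is None and raw[j] != blank:
            body += raw[j]
            j += 1
        found.append((kind, body.rstrip(b"\x00")))
        i = j
    return found


def demo():
    """Write two files, then carve after a quick format and again after a wipe."""
    vol = ToyVolume()
    vol.write_file("notes.rpt", SAMPLE_REPORT)
    vol.write_file("invoice.pdf", SAMPLE_PDF)
    vol.quick_format()
    after_format = carve_by_signature(vol)   # both files come back intact
    vol.wipe()
    after_wipe = carve_by_signature(vol)     # nothing left to carve
    return after_format, after_wipe


if __name__ == "__main__":
    print(demo())
```

After quick_format the carver still returns both sample files byte for byte, because only the table that pointed at them was cleared; after wipe every cluster is zero and the carver returns nothing, which is the page's point that wiping removes the content itself.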
4 ) Movement Analysis:- This process is used to identify the actual location of the criminal on the spot. This is done using various investigation processes (call detail records, CDRs, play an interesting role here).
5 ) Password Cracking:- Investigation agencies love to use the technique of password cracking with various hardware tools. The cracking is done at various levels as follows:
-Cracking physical media
-Wireless detectives
-Network password cracking - LAN password cracking
-Handling cryptography
-E-mail cracking
-Files/applications password cracking using hardware or portable software with special dongles
6) Financial Crime Analysis:- Investigation agencies use various techniques and tools under the law (the Financial Crime Investigation Service Act).
7 ) Mobile Phone Investigation:- Recovered mobile phones are examined by special investigation officers using various tools that extract data from all kinds of mobile phones, including:-
Phonebook, videos, text messages, call logs, ESN (Electronic Serial Number), IMEI (International Mobile Equipment Identity) and IMSI (International Mobile Subscriber Identity) information.
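Once an extraction tool has pulled these identifiers off a handset, a basic consistency check protects the report from a mistyped or corrupted value. The following is an added example written for this page, not code from the original article or from any extraction tool: it parses a constructed extraction report in a simple "Key: value" layout, recomputes the IMEI's Luhn check digit, and reports the Type Allocation Code (first 8 IMEI digits) and Mobile Country Code (first 3 IMSI digits). The report layout, the sample identifier values (the IMEI is a sample value for illustration, not a real device's) and the names parse_extraction, imei_check_digit, validate_imei and triage are assumptions of this example.

```python
"""Checking identifiers recovered from a handset extraction.

Added example, not code from the original article or any extraction tool.
The report text is a constructed sample; parse_extraction, imei_check_digit,
validate_imei and triage are names of this example only.
"""
import re

# Constructed sample extraction report (not from a real device).
SAMPLE_EXTRACTION = """\
Handset: sample-model
IMEI: 490154203237518
IMSI: 404450123456789
ESN: A1B2C3D4
"""


def imei_check_digit(body14: str) -> int:
    """Luhn check digit for the first 14 digits of an IMEI.

    Walking the 14-digit body from its right end, the rightmost digit, the
    third from the right, and so on (the even positions of the full 15-digit
    IMEI counted from the left) are doubled and the digits of each product
    summed; the check digit brings the total to a multiple of ten.
    """
    if not re.fullmatch(r"\d{14}", body14):
        raise ValueError("IMEI body must be exactly 14 digits")
    total = 0
    for i, ch in enumerate(reversed(body14)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def validate_imei(imei: str) -> bool:
    """True when the value is 15 digits and its check digit is consistent."""
    return bool(re.fullmatch(r"\d{15}", imei)) and imei_check_digit(imei[:14]) == int(imei[14])


def parse_extraction(text: str) -> dict:
    """Turn 'Key: value' lines into a dict keyed by upper-cased field name."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1).upper()] = m.group(2)
    return fields


def triage(text: str) -> dict:
    """Summarise the identifiers and whether they pass basic consistency checks."""
    fields = parse_extraction(text)
    imei = fields.get("IMEI", "")
    imsi = fields.get("IMSI", "")
    imei_ok = validate_imei(imei)
    return {
        "imei": imei,
        "imei_valid": imei_ok,
        # The first 8 digits (Type Allocation Code) identify the make and model.
        "tac": imei[:8] if imei_ok else None,
        "imsi": imsi,
        "imsi_format_ok": bool(re.fullmatch(r"\d{15}", imsi)),
        # The first three digits of the IMSI are the Mobile Country Code.
        "mcc": imsi[:3] if len(imsi) >= 3 else None,
        "esn": fields.get("ESN"),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EXTRACTION))
```

A failed check digit does not mean the handset is fake; it means the value in the report cannot be trusted as recorded and should be re-read from the device before it is cited.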
8) Network Forensics:- Network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents. There are various tools and techniques used by cyber crime investigation cells in this area. This investigation includes :-
Live network investigation
Live forensic discovery and triage of simultaneous target systems
Acquiring system information
Physical memory imaging
Remote screen shot
Active port mapping
Windows service discovery
File system blueprinting
Installed software cataloging
Network state and open connections
Intelligent file acquisition and safeguarding
Dynamic indexing and analysis (memory, Registry, file system, image, etc.)
CHALLENGES FACED :-
Anonymous web activity through proxies
Internet cafes
IP spoofing
Identity theft
Shared systems, as in colleges/offices
Encryption of data
Steganography
Safety and Precautions :-
Precautions- The cyber crime investigator's safety comes first.
Safety tips :-
-To secure the crime scene, always wear gloves to avoid disturbing potential evidence.
-Document, videotape or photograph everything, and write notes about all the digital devices on the scene.
-Seal the computer or any other digital device by placing evidence tape along the edges of the computer housing panel.
-Place your initials, the date and the time over the seal in permanent ink.
-When you are removing cables or devices, label each part, and mark empty sockets as "MTY".
This helps in establishing a proper chain of custody.
These precautions are followed in search and seizure operations by investigation agencies.
We always deal with two main states of computers in an investigation: either on or off. Intelligent investigation says never change the state of the evidence; use it in its pre-existing state.
Cyber Crime Police Stations in Different States of India
Location | Address | Telephone No | E-mail
Chennai | Assistant Commissioner of Police | 55498211 |
Chennai for Rest of Tamil Nadu | Cyber Crime Cell | Mobile: 98410-13541 |
Bangalore for the Whole of Karnataka | Cyber Crime Police Station | 22201026 | ccps@kar.nic.in
Hyderabad | Crime Investigation Department | 23240663, 27852274 | cidap@cidap.gov.in
Mumbai | Cyber Crime Investigation Cell | 22630829 |
Delhi | CBI Cyber Crime Cell, Supdt. of Police, Cyber Crime Investigation Cell, Central Bureau of Investigation | 4362203, 4392424 |
Trivandrum | Cyber Crime Reporting Center | Call center |
Hence, in closing, I would like to address one thing: please never hesitate while lodging a complaint of cyber crime. Do not take it lightly; it is a serious matter and it is our responsibility to fight against it. But there is one question I want to ask:-
Is War against Crime a Crime?