Presentation made by Dr. Tabrez Ahmad at the Biju Patnaik State Police Academy, Bhubaneswar, to train DSPs on Cyber Crime Investigation and Cyber Forensics.
1. Investigation of Cyber Crimes & Forensics
Biju Patnaik State Police Academy, Bhubaneswar
By
Dr. Tabrez Ahmad
Professor of Law
www.technolexindia.com
1 Dr. Tabrez Ahmad http://technolexindia.blogspot.com
2. Agenda
1. The possible reliefs to a cybercrime victim and strategy adoption
2. The preparation for prosecution
3. Admissibility of digital evidence in courts
4. Defending an accused in a computer related crime
5. The techniques of cyber investigation and forensic tools
6. Future course of action
3. Possible reliefs to a cybercrime victim - strategy adoption
A victim of cybercrime needs to immediately report the matter to his local police station and to the nearest cybercrime cell.
Depending on the nature of the crime there may be civil and criminal remedies.
In civil remedies, injunction and restraint orders may be sought, together with damages, delivery up of infringing matter and/or an account of profits.
In criminal remedies, a cybercrime case will be registered by the police if the offence is cognisable; if it is non-cognisable, a complaint should be filed with the metropolitan magistrate.
For certain offences, both civil and criminal remedies may be available to the victim.
4. Before lodging a cybercrime case
Important parameters:
Gather ample evidence admissible in a court of law.
Fulfil the criteria of the pecuniary, territorial and subject matter jurisdiction of a court.
Determine jurisdiction: the case may be filed where the offence is committed or where the effect of the offence is felt (S. 177 to 179, CrPC).
5. The criminal prosecution pyramid (apex to base)
Conviction / acquittal
Trial
Contents of charge
Issue of process - summons, warrant
Examine the witnesses
Examine the complainant on oath
Initiation of criminal proceedings - cognizance of offences by magistrates
6. Preparation for prosecution
Collect all evidence available and save snapshots of the evidence.
Seek a cyberlaw expert's immediate assistance for advice on preparing for prosecution.
Prepare a background history of the facts, chronologically.
Pen down the names and addresses of the suspected accused.
Form a draft of the complaint and the remedies the victim seeks.
A cyberlaw expert and the police could assist in gathering further evidence, e.g. tracing the IP in the case of e-mails, search and seizure, or arrest as appropriate to the situation.
A cyber forensic study of the hardware/equipment/network server related to the cybercrime is generally essential.
7. Government Initiative
• The Cyber Crime Investigation Cell (CCIC) of the CBI, notified in September 1999, started functioning from 3 March 2000.
• It is located in New Delhi, Mumbai, Chennai and Bangalore.
• Jurisdiction of the cell is all over India.
• Any incident of cyber crime can be reported to a police station, irrespective of whether it maintains a separate cell or not.
8. The Indian Computer Emergency Response Team (CERT-In)
IT Amendment Act 2008:
“70A. (1) The Indian Computer Emergency Response Team (CERT-In) shall serve as the national nodal agency in respect of Critical Information Infrastructure for coordinating all actions relating to information security practices, procedures, guidelines, incident prevention, response and report.
(2) For the purposes of sub-section (1), the Director of the Indian Computer Emergency Response Team may call for information pertaining to cyber security from the service providers, intermediaries or any other person.”
9. Cognizability and Bailability
As per the IT Amendment Act 2008, offences which have not less than 3 years punishment are cognizable and bailable.
10. Power of Police to Investigate
Section 156 Cr.P.C.: Power to investigate cognizable offences.
Section 155 Cr.P.C.: Power to investigate non-cognizable offences.
Section 91 Cr.P.C.: Summons to produce documents.
Section 160 Cr.P.C.: Summons to require attendance of witnesses.
11. Power of Police to investigate (contd.)
Section 165 Cr.P.C.: Search by police officer.
Section 93 Cr.P.C.: General provision as to search warrants.
Section 47 Cr.P.C.: Search to arrest the accused.
Section 78 of IT Act, 2000: Power to investigate offences - not below the rank of Inspector.
Section 80 of IT Act, 2000: Power of police officer to enter any public place and search & arrest.
12. Amendments - Indian Evidence Act 1872
Section 3 of the Evidence Act was amended to provide for the admissibility of electronic records (ER) as evidence, along with paper based records, as part of the documents which can be produced before the court for inspection.
Section 4 of the IT Act confers legal recognition on electronic records.
13. Societe Des Produits Nestle SA case, 2006 (33) PTC 469
By virtue of the provision of Section 65A, the contents of electronic records may be proved in evidence by parties in accordance with the provision of Section 65B.
Held: Sub-section (1) of Section 65B makes admissible as a document a paper print-out of electronic records stored in optical or magnetic media produced by a computer, subject to fulfilment of the conditions specified in sub-section (2) of Section 65B:
a) The computer from which the record is generated was regularly used to store or process information in respect of activity regularly carried on by the person having lawful control over that period, and relates to the period over which the computer was regularly used.
b) Information was fed into the computer in the ordinary course of the activities of the person having lawful control over the computer.
c) The computer was operating properly, and if not, the defect was not such as to affect the electronic record or its accuracy.
d) The information reproduced is such as is fed into the computer in the ordinary course of activity.
State v Mohd Afzal, 2003 (7) AD (Delhi) 1
14. State v Navjot Sandhu, (2005) 11 SCC 600
Held, while examining Section 65B Evidence Act, it may be that the certificate containing the details of sub-section 4 of Section 65 is not filed, but that does not mean that secondary evidence cannot be given.
Sections 63 & 65 of the Indian Evidence Act enable secondary evidence of the contents of a document to be adduced if the original is of such a nature as not to be easily movable.
15. Presumptions in law - Section 85B Indian Evidence Act
The law also presumes that in any proceedings involving a secure digital signature, the court shall presume, unless the contrary is proved, that the secure digital signature is affixed by the subscriber with the intention of signing or approving the electronic record.
In any proceedings involving a secure electronic record, the court shall presume, unless the contrary is proved, that the secure electronic record has not been altered since the specific point of time to which the secure status relates.
16. Presumption as to electronic messages - Section 88A of Evidence Act
The court may treat electronic messages received as if they were sent by the originator, with the exception that a presumption is not to be made as to the person by whom such message was sent.
It must be proved that the message has been forwarded from the electronic mail server to the person (addressee) to whom such message purports to have been addressed.
An electronic message is primary evidence of the fact that the same was delivered to the addressee on the date and time indicated.
17. IT Amendment Act 2008 - Section 79A
Section 79A empowers the Central Government to appoint any department, body or agency as examiner of electronic evidence for providing expert opinion on evidence in electronic form before any court or authority.
Till now, the government forensic lab of Hyderabad (CFSIL) was considered of evidentiary value in courts.
Statutory status to an agency as per Section 79A will be of vital importance in the criminal prosecution of cybercrime cases in India.
18. Probable activities for defence by an accused in a cybercrime case
Preparation of a chain of events table.
Probing where evidence could be traced: e-mail inbox/files/folders/web history.
Has the accused used any evidence-erasing software/tools?
Forensically screening the hardware/data/files/print-outs/camera/mobile/pendrives of evidentiary value.
Formatting may not be a solution.
Apply for anticipatory bail.
Challenge the evidence produced by the opposite party and look for loopholes.
Filing of a cross complaint if appropriate.
19. Sec 69: Decryption of information
Ingredients:
The Controller issues an order to a Government agency to intercept any information transmitted through any computer resource.
The order is issued in the interest of:
the sovereignty or integrity of India,
the security of the State,
friendly relations with foreign States,
public order, or
preventing incitement to the commission of a cognizable offence.
A person in charge of the computer resource who fails to extend all facilities and technical assistance to decrypt the information is punishable with imprisonment of up to 7 years.
20. Sec 70: Protected System
Ingredients:
Securing unauthorised access or attempting to secure unauthorised access to a 'protected system'.
Acts covered by this section:
Switching computer on / off
Using installed software / hardware
Installing software / hardware
Port scanning
Punishment:
Imprisonment up to 10 years and fine.
Cognizable, Non-Bailable, Court of Sessions.
21. Computer Forensics and Cyberforensics
Computer forensics is considered to be the use of analytical and investigative techniques to identify, collect, examine, preserve and present evidence or information which is magnetically stored or encoded.
A better definition for law enforcement would be: the scientific method of examining and analyzing data from computer storage media so that the data can be used as evidence in court.
Media = computers, mobile phones, PDAs, digital cameras, etc.
22. Handling of Evidence by Cyber Analysts
[Figure: cycle of Identify; Collect, observe & preserve; Analyze & organize; Verify]
Four major tasks for working with digital evidence:
Identify: any digital information or artifacts that can be used as evidence.
Collect, observe and preserve the evidence.
Analyze, identify and organize the evidence.
Rebuild the evidence or repeat a situation to verify the same results every time. Check the hash value.
23. Incident Response - a precursor to techniques of cyber investigation & forensic tools
'Incident response' could be defined as a precise set of actions to handle any security incident in a responsible, meaningful and timely manner.
Goals of incident response:
To confirm whether an incident has occurred
To promote accumulation of accurate information
To educate senior management
To help in detection/prevention of such incidents in the future
To provide rapid detection and containment
To minimize disruption to business and network operations
To facilitate criminal action against perpetrators
24. Six steps of incident response
1. Pre-incident preparation
2. Detection of incidents
3. Initial response
4. Investigate the incident
5. Reporting
6. Resolution
25. Techniques of cyber investigation - Cyber forensics
Computer forensics, also called cyber forensics, is the application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law.
The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence, to find out exactly what happened on a computer and who was responsible for it.
26. 6 A's of digital forensics
Assessment
Acquisition
Authentication
Analysis
Articulation
27. Rules of evidence
Computer forensic components:
Identifying
Preserving
Analysing
Presenting evidence in a legally admissible manner
28. FBI handbook of forensic investigation - techniques for computer forensics
Examine the type of content in the computer
Transactions - to know the time and sequence when data files were created
Deleted data files can be recovered from the computer
Keyword searching
Limited source code can be analysed and compared
Comparison of data files
Data files can be extracted from the computer
Data files can be converted from one format to the other
Passwords
Storage media with standalone word processors can be examined
29. Sources of Evidence
Existing Files
Deleted Files
Logs
Special system files (registry etc.)
Email archives, printer spools
Administrative settings
Internet History
Chat archives
Misnamed Files
Encrypted Files / Password Protected files etc.
30. Cyberforensics in accounting frauds
Use of CAAT (computer assisted audit techniques): spreadsheets, Excel, MS Access.
Generalized audit software / PC-based file interrogation software: IDEA, ACL.
These help detect:
Fictitious suppliers, duplicate payments, theft of inventory
Tender manipulation, secret commissions
False financial reporting
Expense account misuse
Insider trading
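Two of the file interrogation checks named on this slide (duplicate payments and fictitious suppliers) are shown below as an added example in Python; this is not code from the presentation, IDEA or ACL, and the payments ledger and employee master it runs over are constructed for the example.

```python
"""Added example (not from the slides, IDEA or ACL): two CAAT-style file
interrogation checks over a constructed payments ledger. (1) Duplicate
payments: the same supplier, invoice number and amount paid more than once.
(2) Fictitious-supplier indicator: a supplier whose bank account also appears
in the employee master. All records are constructed for this example."""
from collections import defaultdict

# Constructed payments ledger: (payment_id, supplier, invoice_no, amount, bank_account)
PAYMENTS = [
    ("P001", "Acme Supplies", "INV-1001", 12500.00, "ACC-111"),
    ("P002", "Acme Supplies", "INV-1001", 12500.00, "ACC-111"),   # paid again
    ("P003", "Bright Traders", "INV-2001", 8000.00, "ACC-222"),
    ("P004", "Quick Consultants", "INV-3001", 45000.00, "ACC-999"),
    ("P005", "Bright Traders", "INV-2002", 8000.00, "ACC-222"),   # same amount, different invoice: not a duplicate
    ("P006", "Acme Supplies", "INV-1001", 12500.00, "ACC-111"),   # paid a third time
]

# Constructed employee master: (employee_id, name, bank_account)
EMPLOYEES = [
    ("E10", "R. Sharma", "ACC-555"),
    ("E11", "S. Patel", "ACC-999"),   # same account as "Quick Consultants"
]

def find_duplicate_payments(payments):
    """Group on (supplier, invoice_no, amount); return the groups paid more than once."""
    groups = defaultdict(list)
    for payment_id, supplier, invoice_no, amount, _account in payments:
        groups[(supplier, invoice_no, round(amount, 2))].append(payment_id)
    return {key: ids for key, ids in groups.items() if len(ids) > 1}

def duplicate_exposure(payments):
    """Total paid beyond the first payment of each duplicated invoice."""
    return sum(amount * (len(ids) - 1)
               for (_supplier, _invoice, amount), ids in find_duplicate_payments(payments).items())

def suppliers_matching_employees(payments, employees):
    """Map supplier name -> employee_id for suppliers paid into an employee's bank account."""
    employee_by_account = {account: emp_id for emp_id, _name, account in employees}
    hits = {}
    for _pid, supplier, _invoice, _amount, account in payments:
        if account in employee_by_account:
            hits[supplier] = employee_by_account[account]
    return hits

if __name__ == "__main__":
    for key, ids in find_duplicate_payments(PAYMENTS).items():
        print("duplicate:", key, ids)
    print("exposure:", duplicate_exposure(PAYMENTS))
    print("suppliers paid to employee accounts:", suppliers_matching_employees(PAYMENTS, EMPLOYEES))
```

The same join on supplier, invoice number and amount is what an auditor would run in IDEA or ACL against a full ledger export; the employee-account match is one of several fictitious-supplier tests (address and phone matches are others) and is a lead for follow-up, not proof of fraud.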
31. Establishment and maintenance of 'Chain of Custody'
Tools required:
- Evidence notebook
- Tamper-evident labels
- Permanent ink pen
- Camera
Document the following:
- Who reported the incident, along with critical dates and times
- Details leading up to the formal investigation
- Names of all people conducting the investigation
- Establish and maintain a detailed 'activity log'
32. Maintaining Chain of Custody
Take pictures of the evidence - document 'crime scene' details.
Document identifiable markings on evidence.
Catalog the system contents.
Document serial numbers, model numbers, asset tags.
"Bag" it! Maintain Chain of Custody on a tamperproof evidence bag.
Take a picture!
33. E-mail forensics
E-mail is composed of two parts: header and body.
Examine the headers.
Request information from the ISP.
Trace the IP.
Tools: EnCase, FTK, Final eMail, Sawmill GroupWise, Audimation for logging.
Cracking the password: brute force attack, smart search, dictionary search, date search, customised search, guaranteed decryption, plaintext attack.
Tools: Passware, Ultimate Zip Cracker, Office Recovery Enterprise, etc.
34. Computer forensic analysis within the forensic tradition
Alphonse Bertillon [freezing the scene]: in 1879 introduced a methodical way of documenting the scene by photographing, for example, bodies, items, footprints and bloodstains in situ with relative measurements of location, position, and size. Bertillon is thus the first known forensic photographer.
Bertillonage: a system of identifying individuals by over 200 separate body measurements; it was in use till 1910 and was only rendered obsolete by the discovery that fingerprints were unique.
35. Key Principle of Forensics
Edmond Locard articulated one of forensic science's key rules, known as Locard's Exchange Principle.
“The principle states that when two items or persons come into contact, there will be an exchange of physical traces. Something is brought, and something is taken away, so that suspects can be tied to a crime scene by detecting these traces.”
36. Stakeholders:
National security
Customs & Excise
Law enforcement agents
Businesses (embezzlement, industrial espionage, stealing confidential information, and racial or sexual harassment)
Corporate crime [according to a report, the accountants and auditors for Enron not only used e-mail to communicate but also subsequently deleted these e-mails]
37. Problems in the Indian Context
No standard for computer forensics has yet been developed.
No guidelines for companies dealing with electronic data during disputes.
No recognition of any of the forensic tools.
Issues related to anti-forensics are not talked about.
38. Overall Scenario
To date, computer forensics has been primarily driven by vendors and applied technologies, with very little consideration being given to establishing a sound theoretical foundation.
The national and international judiciary has already begun to question the “scientific” validity of many of the ad hoc procedures and methodologies and is demanding proof of some sort of theoretical foundation and scientific rigor.
39. Contd.
Commercial software tools are also a problem, because software developers need to protect their code to prevent competitors from stealing their product.
However, since most of the code is not made public, it is very difficult for the developers to verify the error rates of the software, and so reliability of performance is still questionable.
40. Contd.
The specialized tools used by a computer forensic expert are viewed as intolerably expensive by many corporations, and as a result many corporations simply choose not to invest any meaningful money in computer forensics. This trend amplifies cyber crime rates.
Open source software has also not been tested or verified for its effectiveness to serve the above purposes (open for research).
41. Legal Aspects
The growing demand for security and certainty in cyber space leads to more stringent laws.
The violation and maintaining of these laws (cyber laws) must be distinguished from classical criminal activities and criminal law enforcement.
The dynamics between these different forms of law violation and law enforcement are important and shall be addressed.
42. Computer Forensic Tools
Forensic Tool Kit: FTK is developed by Access Data Corporation (USA); it enables law enforcement and corporate security professionals to perform complete and in-depth computer forensic analysis.
[Figure: Main Window of FTK]
43. TYPICAL TOOLS
EMAIL TRACER
TRUEBACK
CYBERCHECK
MANUAL
44. Current and Emerging Cyber Forensic Tools of Law Enforcement
45. ENCASE FORENSIC:
EnCase Forensic, developed by Guidance Software USA, is the industry standard in computer forensic investigation technology. With an intuitive Graphical User Interface (GUI), superior analytics, enhanced email/Internet support and a powerful scripting engine, EnCase provides investigators with a single robust tool, capable of conducting large-scale and very complex investigations from beginning to end.
[Figure: Main Window of EnCase]
46. EnCase Forensic is a very useful forensic solution, but it lacks the following important feature:
EnCase Forensic has no password cracking/recovery facility, so if during the investigation process the examiner detects any password protected files, he has to rely on third party tools.
48. FEATURES OF EMAIL TRACER
• Display of actual mail content for Outlook Express, Eudora, MS Outlook and mail clients with MBOX mailbox.
• Display of the mail content (HTML / text).
• Display of the mail attributes for Outlook Express.
• Display of extracted e-mail header information.
• Save mail content as .EML file.
• Display of all e-mail attachments and extraction.
• Display of e-mail route.
• IP trace to the sender's system.
• Domain name look-up.
• Display of geographical location of the sender's gateway on a world map.
• Mail server log analysis for evidence collection.
• Access to database of country code list along with IP address information.
50. EMAIL TRACING SERVICE
Users can submit their tracing task to Email Tracer through the web.
Tracing IP address up to city level (non-spoofed).
Detection of spoofed mail.
Detailed report.
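The header examination described on the e-mail forensics slide (33) and the "display of e-mail route", "IP trace" and "detection of spoofed mail" features listed for Email Tracer (48, 50) come down to reading the Received chain bottom-up and comparing the domains in the envelope and header fields. The Python below is an added example, not code from the presentation or from Email Tracer; the message it parses is constructed for the example, using documentation IP ranges and .example domains, and the three header checks are assumptions about what an analyst would flag, not an exhaustive spoof test.

```python
"""Added example (not from the slides or Email Tracer): reconstruct the route an
e-mail took from its Received headers and list header inconsistencies that
point to spoofing. The message below is constructed for this example, using
documentation IP ranges and .example domains."""
import email
import re
from email import policy

RAW_EMAIL = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx1.victim-org.example (mx1.victim-org.example [198.51.100.10])
    by inbox.victim-org.example with ESMTP id abc123;
    Mon, 12 Mar 2012 10:05:01 +0530
Received: from relay.mailer.example.net (relay.mailer.example.net [203.0.113.25])
    by mx1.victim-org.example with ESMTP id def456;
    Mon, 12 Mar 2012 10:04:58 +0530
Received: from [192.0.2.77] (unknown [192.0.2.77])
    by relay.mailer.example.net with SMTP id ghi789;
    Mon, 12 Mar 2012 10:04:55 +0530
From: Accounts Department <accounts@bank.example.com>
To: victim@victim-org.example
Message-ID: <20120312.1@mailer.example.net>
Subject: Urgent: verify your account
Date: Mon, 12 Mar 2012 10:04:50 +0530

Please open the attachment.
"""

# "from <helo> (<comment>) by <host>" is the common shape of a Received clause.
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
DOMAIN_RE = re.compile(r"@([\w.-]+)")

def parse_route(raw):
    """Return (message, hops) with hops ordered from sender towards recipient."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    # Each relay prepends its Received header, so the bottom one is the first hop.
    for header in reversed(msg.get_all("Received") or []):
        text = " ".join(str(header).split())   # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue
        helo, comment, by_host = m.group(1), m.group(2) or "", m.group(3)
        ip = IP_RE.search(comment) or IP_RE.search(helo)
        hops.append({"from": helo, "ip": ip.group(1) if ip else None, "by": by_host})
    return msg, hops

def originating_ip(hops):
    """IP of the first hop, i.e. the host that handed the mail to the first relay."""
    return hops[0]["ip"] if hops else None

def spoof_indicators(msg, hops):
    """Header inconsistencies worth noting in a report, one string each."""
    findings = []
    from_domain = msg["From"].addresses[0].domain.lower()
    for name in ("Return-Path", "Message-ID"):
        m = DOMAIN_RE.search(str(msg.get(name, "")))
        if m and m.group(1).lower() != from_domain:
            findings.append(f"{name} domain {m.group(1)} differs from From domain {from_domain}")
    if hops and not hops[0]["from"].lower().endswith(from_domain):
        findings.append(f"first hop {hops[0]['from']} is not a {from_domain} host")
    return findings

if __name__ == "__main__":
    message, route = parse_route(RAW_EMAIL)
    for i, hop in enumerate(route, 1):
        print(f"hop {i}: {hop['from']} ({hop['ip']}) -> {hop['by']}")
    print("originating IP:", originating_ip(route))
    for finding in spoof_indicators(message, route):
        print("indicator:", finding)
```

Only the Received header added by the investigator's own mail server (the top one) can be trusted outright; the lower ones were written by other parties and could themselves be forged, which is why the originating IP from the lowest hop is a lead to take to the ISP under Section 91 CrPC, not a conclusion.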
55. FEATURES OF TRUE BACK
DOS application with event based windowing system.
Self-integrity check.
Minimum system configuration check.
Extraction of system information.
Three modes of operation:
- Seize
- Acquire
- Seize and Acquire
56. Disk imaging through Parallel port.
Disk imaging using Network Interface Card.
Block by Block acquisition with data integrity
check on each block.
IDE/SCSI, USB, CD and Floppy acquisition.
Acquisition of floppies and CDs in Batch mode.
Write protection on all storage media except
destination media.
Checking for sterile destination media.
Progress Bar display on all modes of operation.
Report generation on all modes of operation.
BIOS and ATA mode acquisition
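TrueBack's "block by block acquisition with data integrity check on each block" (this slide), the hash check that closes the evidence-handling cycle (slide 22) and the chain-of-custody record (slides 31 and 32) fit together in one procedure, shown below as an added Python example that is not code from the presentation, TrueBack or any other tool. The "device" is a constructed byte string held in memory, SHA-256 and a 4096-byte block size are assumptions, and the case, exhibit and officer values are placeholders.

```python
"""Added example (not TrueBack's or any other tool's code): block-by-block
acquisition of a constructed in-memory 'source device', hashing each block as
it is copied, re-verifying the image block by block so a later alteration can
be localised, and recording a chain-of-custody entry. SHA-256 and the
4096-byte block size are assumptions made for this example."""
import hashlib
import io
import json
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # assumed acquisition block size

def acquire(source, destination, block_size=BLOCK_SIZE):
    """Copy source to destination block by block.
    Returns (sha256 of the whole image, list of per-block sha256 digests)."""
    overall = hashlib.sha256()
    block_hashes = []
    while True:
        block = source.read(block_size)
        if not block:
            break
        destination.write(block)
        overall.update(block)
        block_hashes.append(hashlib.sha256(block).hexdigest())
    destination.flush()
    return overall.hexdigest(), block_hashes

def verify(image, block_hashes, block_size=BLOCK_SIZE):
    """Re-read the image and compare every block against its recorded digest.
    Returns the indexes of blocks that no longer match (empty list = intact)."""
    image.seek(0)
    mismatches = []
    for index, expected in enumerate(block_hashes):
        block = image.read(block_size)
        if hashlib.sha256(block).hexdigest() != expected:
            mismatches.append(index)
    if image.read(1):  # image is longer than what was recorded at acquisition
        mismatches.append(len(block_hashes))
    return mismatches

def custody_record(case_id, exhibit_id, officer, source_desc, image_sha256, block_count):
    """One chain-of-custody entry: who handled what, when, and the hash that identifies it."""
    return {
        "case_id": case_id,
        "exhibit_id": exhibit_id,
        "handled_by": officer,
        "action": "acquire",
        "source": source_desc,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "sha256": image_sha256,
        "blocks": block_count,
    }

def run_demo():
    """Acquire a constructed 10,000-byte device (3 blocks), verify it, then show that a
    single altered byte is localised to block 1. Returns (intact, bad_blocks, record)."""
    device_bytes = bytes(range(256)) * 39 + b"\x00" * 16   # constructed: 9984 + 16 = 10000 bytes
    source, image = io.BytesIO(device_bytes), io.BytesIO()
    image_hash, block_hashes = acquire(source, image)
    intact = (image_hash == hashlib.sha256(device_bytes).hexdigest()
              and verify(image, block_hashes) == [])
    tampered = io.BytesIO(image.getvalue())   # a copy of the image
    tampered.seek(5000)
    tampered.write(b"\xff")                   # byte 5000 lies in block 1 (bytes 4096-8191)
    bad_blocks = verify(tampered, block_hashes)
    record = custody_record("CASE-PLACEHOLDER", "EXH-01", "OFFICER-PLACEHOLDER",
                            "constructed in-memory device", image_hash, len(block_hashes))
    return intact, bad_blocks, record

if __name__ == "__main__":
    intact, bad_blocks, record = run_demo()
    print("image intact:", intact, "| blocks failing after tampering:", bad_blocks)
    print(json.dumps(record, indent=2))
```

The whole-image hash is what goes into the custody record and the Section 65B certificate; the per-block list is what lets an examiner show, if a later verification fails, exactly which block changed rather than only that the image no longer matches.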
58. Cyber Check Suites:
The IT Act 2000 is India's first attempt to combat cyber crime. To assist in the enforcement of the IT Act, the Department of Information Technology, Ministry of Communications and Information Technology, has set up a Technical Resource Centre for Cyber Forensics at C-DAC, Thiruvananthapuram.
Cyber Check is a forensic analysis tool developed by C-DAC Thiruvananthapuram.
[Figure: Probe Window of Cyber Check Suite]
59. CyberCheck - Features
Standard Windows application.
Self-integrity check.
Minimum system configuration check.
Analyses evidence files containing FAT12, FAT16, FAT32, NTFS and EXT2FS file systems.
Analyses evidence files created by the following disk imaging tools: TrueBack, LinkMasster, EnCase.
User login facilities.
60. CyberCheck - Features (Contd.)
Creates a log of each analysis session and the analyzing officer's details.
Block by block data integrity verification while loading the evidence file.
Explorer-type view of the contents of the whole evidence file.
Display of folders and files with all attributes.
Show/hide system files.
Sorting of files based on file attributes.
Text/hex view of the content of a file.
Picture view of an image file.
Gallery view of images.
61. CyberCheck - Features (Contd.)
Graphical representation of the following views of an evidence file:
Disk view
Cluster view
Block view
Timeline view of:
All files
Deleted files
Time anomaly files
Signature mismatched files
Files created within a time frame
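Two of the timeline categories above, "time anomaly files" and "signature mismatched files" (the "misnamed files" of slide 29), are simple checks once a tool has a file's leading bytes and timestamps. The Python below is an added example and not CyberCheck's code; its signature table is a small constructed subset of well-known magic numbers and the evidence listing it scans is constructed for the example.

```python
"""Added example (not CyberCheck's code): two triage checks that a file-system
analysis tool applies to an evidence listing. (1) Signature mismatch: the
file's leading bytes do not carry the signature its extension implies, i.e. a
misnamed file. (2) Time anomaly: the last-modified time precedes the creation
time. The signature table (a small subset of well-known magic numbers) and the
file records below are constructed for this example."""
from datetime import datetime

SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],
    "docx": [b"PK\x03\x04"],   # OOXML documents are zip containers
    "exe": [b"MZ"],
}

def extension_of(name):
    """Lower-cased extension, or '' when the name has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def identify_by_magic(head):
    """Set of extensions whose known signature matches the leading bytes."""
    return {ext for ext, sigs in SIGNATURES.items() if any(head.startswith(s) for s in sigs)}

def signature_mismatch(record):
    """True when the extension has a known signature and the content lacks it."""
    ext = extension_of(record["name"])
    if ext not in SIGNATURES:
        return False            # unknown extension: nothing to compare against
    return ext not in identify_by_magic(record["head"])

def time_anomaly(record):
    """True when modified time is earlier than creation time (e.g. copied in with old timestamps)."""
    return record["mtime"] < record["ctime"]

def triage(records):
    """Names of files flagged by each check, plus what mismatched files really look like."""
    return {
        "signature_mismatch": [r["name"] for r in records if signature_mismatch(r)],
        "time_anomaly": [r["name"] for r in records if time_anomaly(r)],
        "actual_type": {r["name"]: sorted(identify_by_magic(r["head"]))
                        for r in records if signature_mismatch(r)},
    }

# Constructed evidence listing: name, leading bytes, creation and modification times.
RECORDS = [
    {"name": "holiday.jpg", "head": b"\xff\xd8\xff\xe0\x00\x10JFIF",
     "ctime": datetime(2011, 5, 1, 9, 0), "mtime": datetime(2011, 5, 1, 9, 30)},
    {"name": "notes.txt", "head": b"Meeting notes",
     "ctime": datetime(2011, 5, 3, 14, 0), "mtime": datetime(2011, 5, 3, 15, 0)},
    {"name": "invoice.pdf", "head": b"MZ\x90\x00\x03\x00",            # an executable renamed .pdf
     "ctime": datetime(2011, 6, 2, 10, 0), "mtime": datetime(2011, 6, 2, 11, 0)},
    {"name": "report.docx", "head": b"PK\x03\x04\x14\x00",
     "ctime": datetime(2011, 7, 10, 12, 0), "mtime": datetime(2011, 7, 9, 8, 0)},  # modified before created
    {"name": "photo.png", "head": b"\x89PNG\r\n\x1a\n\x00\x00",
     "ctime": datetime(2011, 8, 1, 8, 0), "mtime": datetime(2011, 8, 1, 8, 0)},
]

if __name__ == "__main__":
    for check, hits in triage(RECORDS).items():
        print(f"{check}: {hits}")
```

A file whose content identifies as something other than its extension is the classic way an executable or archive is hidden from a casual listing, and a modified-before-created file is usually one copied onto the disk from elsewhere with its original timestamps preserved; both are pointers for the examiner, to be read together with the timeline rather than as findings on their own.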
62. CyberCheck - Features (Contd.)
Display of cluster chain of a file.
Single and multiple keyword search.
Extraction of disk, partition, file and MBR slacks.
Exclusive search in slack space.
Extraction of unused unallocated clusters and exclusion from search space.
Exclusive search in used unallocated clusters.
Extraction of lost clusters.
Exclusive search in data extracted from lost clusters.
Extraction of swap files.
Exclusive search in data extracted from swap files.
63. CyberCheck - Features (Contd.)
File search based on file extension.
File search based on hash value.
Exclusion of system files from search space.
Data recovery from deleted files, slack space, used unallocated clusters and lost clusters.
Recovery of formatted partitions.
Recovery of deleted partitions.
Exporting files, folders and slack content.
Exporting folder structure including file names into a file.
Exporting files to an external viewer.
64. CyberCheck - Features (Contd.)
Local preview of storage media.
Network preview of storage media using cross-over cable.
Bookmarking of folders, files and data.
Adding bookmarked items into the report.
Restoration of storage media.
Creating raw image.
Raw image analysis.
Facility for viewing mailbox files of Microsoft Outlook Express, Microsoft Outlook, Eudora and Linux mail clients.
65. CyberCheck - Features (Contd.)
Registry viewer.
Hash set of system files.
Identification of encrypted & password protected files.
Identification of steganographed image files.
Generation of analysis report with the following features:
Complete information of the evidence file system.
Complete information of the partitions and drive geometry.
Hash verification details.
User login and logout information.
66. CyberCheck - Features (Contd.)
Exported content of text file and slack information.
Includes picture file as image.
Saving report, search hits and bookmarked items for later use.
Password protection of report. Print report.
68. PASSWORD CRACKING OF ZIP FILES USING GRID
[Figure: cyber forensics lab, police crime cell and FSL CBI connected over the Internet to a grid server and grid clients]
69. PASSWORD CRACKING OF ZIP FILES USING GRID
[Figure: FSL CBI / police crime cell, grid server and grid clients connected over the Internet]
1. Zipped file submission
2. Server receives and distributes to grid clients
3. Clients compute and send results to server
4. Grid server sends results over Internet
70. WHO'S AT THE KEYBOARD? BIOMETRICS
A software driver associated with the keyboard records the user's rhythm in typing.
These rhythms are then used to generate a profile of the authentic user.
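What such a profile looks like in practice, and how a later sample is compared against it, is shown below as an added Python example; it is not code from the presentation or from any keystroke-biometrics product. The key events are constructed timings (milliseconds) rather than captures from a real driver, and the dwell/flight features, the mean absolute z-score and the 2.0 threshold are assumptions chosen for the example.

```python
"""Added example (not from the slides or any product): keystroke-rhythm
profiling. Each typing sample is a list of (key, press_ms, release_ms)
events; the features are per-key dwell times and inter-key flight times.
A profile is the mean and standard deviation of each feature over
enrolment samples, and a new sample is scored by its mean absolute z-score.
All samples and the 2.0 threshold are constructed/assumed for this example."""
import statistics

def typing_sample(dwell, flight, keys="pass", start=0):
    """Construct (key, press, release) events from given dwell and flight times (ms)."""
    events, t = [], start
    for i, key in enumerate(keys):
        press, release = t, t + dwell[i]
        events.append((key, press, release))
        t = release + (flight[i] if i < len(flight) else 0)
    return events

def features(events):
    """Dwell time of each key followed by flight time between consecutive keys."""
    dwell = [release - press for _key, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def build_profile(samples):
    """Per-feature mean and population standard deviation over enrolment samples."""
    vectors = [features(s) for s in samples]
    n = len(vectors[0])
    means = [statistics.fmean([v[i] for v in vectors]) for i in range(n)]
    # Floor the deviation at 1 ms so a perfectly consistent feature cannot divide by zero.
    stdevs = [max(statistics.pstdev([v[i] for v in vectors]), 1.0) for i in range(n)]
    return means, stdevs

def score(profile, events):
    """Mean absolute z-score of the sample's features against the profile (lower = closer)."""
    means, stdevs = profile
    return statistics.fmean([abs(v - m) / s for v, m, s in zip(features(events), means, stdevs)])

def matches(profile, events, threshold=2.0):
    """Accept the sample as the enrolled user when its score is within the threshold."""
    return score(profile, events) <= threshold

# Constructed enrolment samples of one user typing "pass".
ENROLMENT = [
    typing_sample([100, 110, 105, 95], [150, 140, 160]),
    typing_sample([104, 106, 109, 97], [156, 136, 164]),
    typing_sample([96, 114, 101, 93], [144, 144, 156]),
]
GENUINE = typing_sample([102, 108, 106, 96], [152, 142, 158])   # same user, later session
IMPOSTOR = typing_sample([140, 150, 145, 135], [90, 85, 95])   # different rhythm, same text

if __name__ == "__main__":
    profile = build_profile(ENROLMENT)
    print("means:", profile[0])
    print("genuine score:", round(score(profile, GENUINE), 2), "match:", matches(profile, GENUINE))
    print("impostor score:", round(score(profile, IMPOSTOR), 2), "match:", matches(profile, IMPOSTOR))
```

With only three enrolment samples the standard deviations are small, so the threshold decides how strict the comparison is; a real deployment enrols many more samples and tunes the threshold against measured false-accept and false-reject rates before the profile is relied on as evidence of who was typing.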
71. WHO'S AT THE KEYBOARD? FORENSIC STYLISTICS
A qualitative approach to authorship assesses errors and “idiosyncrasies” based on the examiner's experience.
This approach could be quantified through databasing.
72. WHO'S AT THE KEYBOARD? STYLOMETRY
It is a quantitative and computational method, focusing on readily computable and countable language features, e.g. word length, phrase length, sentence length, vocabulary frequency, and the distribution of words of different lengths.
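The features this slide names (word length, sentence length, vocabulary frequency, distribution of word lengths) can be computed and compared directly, which is what the added Python example below does; it is not code from the presentation. The three sample texts are constructed for the example, and the feature scaling and Euclidean distance are one simple choice among many, made here for illustration.

```python
"""Added example (not from the slides): a minimal stylometric profile built
from countable language features (average word length, average sentence
length, vocabulary richness, and the distribution of word lengths), with a
distance between profiles used to pick the closest candidate author. The
sample texts are constructed for this example."""
import re
from collections import Counter

WORD_RE = re.compile(r"[A-Za-z']+")
SENTENCE_SPLIT_RE = re.compile(r"[.!?]+")
MAX_LEN = 10   # word lengths above this are pooled into one bin

def words_of(text):
    return [w.lower() for w in WORD_RE.findall(text)]

def sentences_of(text):
    return [s for s in SENTENCE_SPLIT_RE.split(text) if s.strip()]

def profile(text):
    """Feature dictionary for one text."""
    words, sents = words_of(text), sentences_of(text)
    n = len(words)
    if n == 0 or not sents:
        raise ValueError("text has no words or sentences")
    lengths = Counter(min(len(w), MAX_LEN) for w in words)
    return {
        "avg_word_len": sum(len(w) for w in words) / n,
        "avg_sent_len": n / len(sents),
        "type_token_ratio": len(set(words)) / n,
        "word_len_dist": [lengths[i] / n for i in range(1, MAX_LEN + 1)],
    }

def as_vector(p):
    # Sentence length is divided by 10 so it does not dominate the distance.
    return [p["avg_word_len"], p["avg_sent_len"] / 10, p["type_token_ratio"]] + p["word_len_dist"]

def distance(p, q):
    """Euclidean distance between two profiles."""
    return sum((a - b) ** 2 for a, b in zip(as_vector(p), as_vector(q))) ** 0.5

def attribute(unknown_text, candidates):
    """Name of the candidate author whose profile is closest to the unknown text."""
    unknown = profile(unknown_text)
    return min(candidates, key=lambda name: distance(unknown, profile(candidates[name])))

AUTHOR_A = "I saw the dog. It ran to me. We sat by the road. The sun was hot. I went home."
AUTHOR_B = ("Notwithstanding considerable uncertainty, the committee deliberated extensively "
            "regarding the proposal, ultimately recommending additional consultation with "
            "stakeholders before implementation.")
UNKNOWN = "The cat sat by the door. It was cold. I gave it milk. Then it ran off."

if __name__ == "__main__":
    for name, text in (("A", AUTHOR_A), ("B", AUTHOR_B)):
        print(name, {k: v for k, v in profile(text).items() if k != "word_len_dist"})
    print("closest author:", attribute(UNKNOWN, {"A": AUTHOR_A, "B": AUTHOR_B}))
```

The method only separates authors whose habits differ on the chosen features and who wrote enough text for the averages to settle; short messages, topic changes and deliberate imitation all move the numbers, so a stylometric result supports an identification alongside the other evidence rather than carrying it alone.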
75. TECHNICAL
Ubiquity Of Computers
Crimes Occur In All Jurisdictions
Training Law Enforcement Agencies Becomes a Challenge
Technology Revolution Leads To Newer Systems, Devices Etc.
76. OPERATIONAL
ALL DATA MUST BE GATHERED AND EXAMINED FOR EVIDENCE
GIGABYTES OF DATA
PROBLEMS OF
o STORAGE
o ANALYSIS
o PRESENTATION
NO STANDARD SOLUTION AS YET
77. SOCIAL
IT RESULTS IN
UNCERTAINTIES ABOUT EFFECTIVENESS OF CURRENT INVESTIGATION TECHNIQUES
SUB-OPTIMAL USE OF RESOURCES
PRIVACY CONCERNS
78. LEGAL
USES & BOUNDARIES OF DIGITAL EVIDENCE IN LEGAL PROCEDURES STILL UNCLEAR
CURRENT TOOLS & TECHNIQUES NOT RIGOROUSLY USED / CONTESTED IN COURT
79. Challenges faced by Law Enforcement
Awareness: Technology is changing very rapidly, and so is the number of cyber crimes; no proper awareness is shared with regard to crime and the latest tools. People are so ignorant that it is effortless for cyber criminals to attack. People fear to report crimes, and some crimes are not properly recorded. The reason behind this is that the victim is either scared of police harassment or of wrong media publicity. For minority and marginalised groups who already bear the brunt of media bias, reporting online harassment to the police may simply draw further unwanted attention. The public is not aware of the resources and services that law enforcement could provide them when they are a victim of crime or a witness.
80. Technical Issues: A large amount of storage space is required for storing the imaged evidence and also for storing the evidence retrieved after analysis. Retrieved evidence might contain documents, pictures, videos and audio files, which take up a lot of space. Technical issues can further be categorised into software and hardware issues.
81. Software and Hardware Issues: The growth of cyber crime has given rise to numerous forensic software vendors. The challenge is to choose among them, and since no single forensic tool solves the entire case, there are loads of third party tools available. So is the case with hardware tools; the most common and reliable h/w tool is the FRED. But when it comes to mobile forensics it is a challenge to decide the compatibility of different phones and which h/w to rely on.
82. Recently China has been manufacturing mobile phones that have cloned IMEI numbers, which is a current challenge faced in mobile forensics.
Information sharing: Information sharing is a best practice and can be accomplished by a variety of means such as interacting with industry groups, attending briefings, meetings, seminars and conferences, and working actively with forensic bodies like C-DAC.
83. Inadequate Training and Funds:
Due to the growing number of cyber forensic tools, law enforcement does not get adequate training and awareness on innovative tools. Training bodies are limited and are pricey. There is insufficient funding to send officers for training and to invest in future enhancements. Transfers and recruiting of officers add to the loss of experienced staff and the spending on training newcomers. Cases become pending in such circumstances.
84. Global Issues: Most of the IP addresses retrieved during investigation lead to servers or computers located abroad which have no identity; hence further investigations are blocked and closed. Correspondence with bodies such as Google, Yahoo and Hotmail is quite time consuming and prolongs the investigations.
Wireless or Wi-Fi, Bluetooth, Infrared Issues: The latest wireless technologies which provide internet connections invite exploitation, especially when they are not secured. This is the present technology that terrorists and radical activists exploit. This is another vulnerability that law enforcement faces.
85. References
Computer Forensics by Michael Sheetz, published by John Wiley and Sons.
Cyber Crime: Impact in the New Millennium by R.C. Mishra.
A Road Map for Digital Forensic Research [Report from the First Digital Forensic Research Workshop].
Forensic Corpora: A Challenge for Forensic Research, Simson L. Garfinkel, April 10, 2007.
Computer and Intrusion Forensics by Mohay, Anderson, Collie, de Vel, published by Artech House.
86. Future Course of Action
Mumbai Cyber Lab is a joint initiative of Mumbai Police and NASSCOM; more exchange and coordination of this kind.
More public awareness campaigns.
Training of police officers to effectively combat cyber crimes.
More cyber crime police cells set up across the country.
Effective e-surveillance.
Websites to aid in creating awareness and encouraging reporting of cyber crime cases.
Specialised training of forensic investigators and experts.
Active coordination between police and other law enforcement agencies and authorities is required.