Date posted: 24-May-2015
CYBER CRIMES & CYBER FORENSICS & TECHNOLOGY
CDAC
CYBER CRIMES ARE…
CYBERCRIME GRAPH
(Chart: cybercrime counts by year, 2000 to 2004, on a vertical scale of 0 to 350.)
CYBER CRIMES ARE…
NEITHER FORWARD..NOR BACKWARD..BUT AWKWARD:
CASE #1.
TM5/2004/PS_WRD_MINISTER
NARRATION
“Y” RECEIVES AN EMAIL FROM PROF. (MRS.) X, INTRODUCING HERSELF AS A TECHNOLOGIST WORKING IN THE AREA OF AN AFFORDABLE DRINKING WATER PROJECT AND SEEKING A DATE FOR AN APPOINTMENT. “Y” RESPONDS FAVOURABLY WITH A DATE.
NARRATION(CONTD)
“Y” RECEIVES AN EMAIL FROM THE SECURITY CHIEF OF PROF. (MRS.) X IN HONG KONG, TELLING HIM THAT HE IS DOING A DUE DILIGENCE CHECK. “Y” RESPONDS FAVOURABLY.
NARRATION(CONTD)
“Y” RECEIVES AN EMAIL FROM THE PROTOCOL OFFICER OF PROF. (MRS.) X IN MUMBAI, TELLING HIM THAT SHE IS DOING A DUE DILIGENCE CHECK. “Y” RESPONDS FAVOURABLY.
NARRATION(CONTD)
THE APPOINTED DATE COMES; “X” DOES NOT SHOW UP. THE NEXT DAY, “Y” GETS MAIL FROM THE SECURITY CHIEF ASKING FOR THE WHEREABOUTS OF “X”… “Y” IS THREATENED WITH CONSEQUENCES…
SUBMIT OR FIGHT? PANIC, ANXIETY & DESPAIR
WE SAW…
CONVENTIONAL CRIMES BEING COMMITTED WITH EASE AND SOPHISTICATION, USING COMPUTER AND INFORMATION TECHNOLOGY.
CASE #2.
RC05/ …/93/2005
NARRATION
COMPANY “X” GETS AN OFFSHORE S/W DELIVERY JOB FROM COMPANY “Y”. “Y” INSISTS ON LOTS OF CUSTOMISATION. “X” DEPUTES TWO ENGINEERS WITH THE SOURCE CODE TO CARRY OUT THE CUSTOMISATION AT “Y”’s PREMISES. THE CONTRACT GETS TERMINATED. THE ENGINEERS RESIGN ON COMING BACK. “Y” LAUNCHES NEW S/W WITH SIMILAR FEATURES.
YET, CREATES SIMPLE & EASY PLATFORMS
# Case Referred by: Judicial First Class Magistrate
# Case Registered under: Sec 65 and 72 of IT Act
# Complainant: Software Company
# Accused: Two Former Employees
# Nature of Crime: Source Code Theft
WE ARE SEEING…
NEW VERSIONS OF CONVENTIONAL CRIMES EMERGING, TARGETING COMPUTERS AND INFORMATION TECHNOLOGY.
CASE #3.
RC11(A)/2004/…/…./22004S-0001
NARRATION
“X” IS CAUGHT IN A CYBER CRIME. “X” CLAIMS HE CAN CRACK PASSWORDS, BREAK INTO EMAIL ACCOUNTS, INTERCEPT CHATS ETC. “X” PRODUCES EMAIL/CHAT PRINT OUTS WHICH SHOW THE POSSIBILITY OF A TERRORIST ATTACK.
REWARD OR PUNISH?… AN ARRAY OF CONFUSION
NOW WE SEE…
NEW CRIMES BEING INVENTED, CONFUSING COMPUTERS AND INFORMATION TECHNOLOGY
NEED…
EFFECTIVE MEANS TO PRE-EMPT CYBER CRIMES. AN EFFECTIVE WAY TO ENSURE DEFINITE PUNISHMENT AS A DETERRENT AGAINST CYBER CRIMES.
CYBER FORENSICS CAN BE AN EFFECTIVE TOOL
CYBER FORENSICS IS……
“The unique process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally accepted.”
MULTI DIMENSIONAL CHALLENGES
WHY IS IT UNIQUE ?
MULTI DIMENSIONAL CHALLENGE
TECHNICAL, OPERATIONAL, SOCIAL, LEGAL
TECHNICAL
TECHNOLOGY IS CHANGING RAPIDLY. CYBER CRIMES ARE ALSO CHANGING RAPIDLY. SYSTEMS AND CRIMES EVOLVE MORE RAPIDLY THAN THE TOOLS THAT EXAMINE THEM.
TECHNOLOGY EVOLUTION
OBSOLESCENCE
NEWER DEVICES
NEW TOOLS
NEW METHODOLOGIES
TECHNICAL
UBIQUITY OF COMPUTERS: CRIMES OCCUR IN ALL JURISDICTIONS
TRAINING LEA BECOMES A CHALLENGE
TECHNOLOGY REVOLUTION LEADS TO NEWER SYSTEMS, DEVICES ETC..
OPERATIONAL
ALL DATA MUST BE GATHERED AND EXAMINED FOR EVIDENCE
GIGABYTES OF DATA: PROBLEMS OF STORAGE, ANALYSIS, PRESENTATION..
NO STANDARD SOLUTION AS YET
SOCIAL
IT RESULTS IN UNCERTAINTIES ABOUT
EFFECTIVENESS OF CURRENT INVESTIGATION TECHNIQUES
SUB OPTIMAL USE OF RESOURCES
PRIVACY CONCERNS
LEGAL
USE & BOUNDS OF DIGITAL EVIDENCE IN LEGAL PROCEDURES STILL UNCLEAR. CURRENT TOOLS & TECHNIQUES NOT RIGOROUSLY USED / CONTESTED IN COURT.
TYPICAL TOOLS
EMAIL TRACER, TRUEBACK, CYBERCHECK
MANUAL
EMAIL TRACER FORENSIC TOOL
FEATURES OF EMAIL TRACER
• Display of Actual Mail Content for Outlook Express, Eudora, MS Outlook and mail clients with MBOX mailbox.
• Display the Mail Content (HTML / Text).
• Display the Mail Attributes for Outlook Express.
• Display of extracted E-mail header information.
• Save Mail Content as .EML file.
• Display of all Email attachments and Extraction.
• Display of E-mail route.
• IP trace to the sender’s system.
• Domain name look up.
• Display of geographical location of the sender’s gateway on a world map.
• Mail server log analysis for evidence collection.
• Access to Database of Country code list along with IP address information.
EMAIL TRACING OVER WEB
AS A PRE-EMPTIVE TOOL
EMAIL TRACING SERVICE
Users can submit their tracing task to Email Tracer through the web.
Tracing IP Address up to city level (non-spoofed).
Detection of spoofed mail.
Detailed report.
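The header work behind "display of E-mail route", "IP trace to the sender's system" and "detection of spoofed mail" is mechanical enough to show in code. The block below is an added example written for this page, not code from Email Tracer or CDAC: it walks the Received chain of a constructed message (invented host names, RFC 5737 documentation addresses), reports the originating IP, and applies three spoof heuristics that are this example's own assumptions (From domain versus Message-ID domain, an originating hop with no or an unroutable address, and an originating host outside the claimed sender domain).

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample message (not from the original slides).  Host names are
# invented and the addresses come from the RFC 5737 documentation ranges.
SAMPLE_MESSAGE = (
    b"Received: from mx.example.org (mx.example.org [192.0.2.10])\n"
    b"\tby mail.victim.example (Postfix) with ESMTP id 1A2B3C\n"
    b"\tfor <y@victim.example>; Mon, 3 Jan 2005 09:15:02 +0530\n"
    b"Received: from [203.0.113.77] (unknown [203.0.113.77])\n"
    b"\tby mx.example.org with SMTP id 9Z8Y7X; Mon, 3 Jan 2005 03:44:51 +0000\n"
    b"From: \"Prof. X\" <prof.x@university.example>\n"
    b"To: y@victim.example\n"
    b"Subject: Appointment request\n"
    b"Message-ID: <20050103034451.1234@mailer.example.net>\n"
    b"Date: Mon, 3 Jan 2005 03:44:00 +0000\n"
    b"\n"
    b"Dear Y, I would like to meet you next week.\n"
)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+(\S+)")
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")

# Address blocks that cannot be reached from the Internet; an originating hop
# in one of these cannot be traced to a city (assumed set for this example).
UNROUTABLE = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]


def parse_received_chain(raw: bytes) -> list:
    """Return the delivery route as a list of hops ordered from the
    originating system to the final mail server.  Every relay prepends its
    own Received header, so the last such header is the first hop."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())      # unfold and normalise spaces
        ip = IP_RE.search(text)
        frm = FROM_RE.search(text)
        by = BY_RE.search(text)
        hops.append({
            "claimed_host": frm.group(1) if frm else None,
            "ip": ip.group(1) if ip else None,
            "received_by": by.group(1) if by else None,
            "timestamp": text.rsplit(";", 1)[1].strip() if ";" in text else None,
        })
    return hops


def originating_ip(raw: bytes):
    """IP of the first hop: the sender's system or its outgoing gateway."""
    hops = parse_received_chain(raw)
    return hops[0]["ip"] if hops else None


def _domain(header_value: str) -> str:
    return header_value.rsplit("@", 1)[-1].rstrip("> ").strip().lower()


def spoof_indicators(raw: bytes) -> list:
    """Heuristic signs that the visible sender was forged.  The checks are
    this example's own, not a description of Email Tracer's method."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    indicators = []
    from_domain = _domain(str(msg.get("From", "")))
    msgid_domain = _domain(str(msg.get("Message-ID", "")))
    if from_domain and msgid_domain and from_domain != msgid_domain:
        indicators.append(f"From domain {from_domain!r} differs from "
                          f"Message-ID domain {msgid_domain!r}")
    hops = parse_received_chain(raw)
    if hops:
        first = hops[0]
        if first["ip"] is None:
            indicators.append("originating hop carries no IP address")
        elif any(ipaddress.ip_address(first["ip"]) in n for n in UNROUTABLE):
            indicators.append(f"originating IP {first['ip']} is not routable")
        host = (first["claimed_host"] or "").strip("[]")
        if host and from_domain and not host.endswith(from_domain):
            indicators.append(f"originating host {host!r} is not in {from_domain!r}")
    return indicators


if __name__ == "__main__":
    for hop in parse_received_chain(SAMPLE_MESSAGE):
        print(hop)
    print("origin:", originating_ip(SAMPLE_MESSAGE))
    print("indicators:", spoof_indicators(SAMPLE_MESSAGE))
```

Only the Received header added by a server the examiner trusts (the recipient's own) is reliable; earlier hops can be forged by the sender, which is why the city-level trace on the slide is qualified as "non-spoofed" and why the geographical lookup should be applied to the first hop an own server recorded rather than to whatever the bottom header claims.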
SEIZURE & ACQUISITION TOOL
TRUEBACK
FEATURES OF TRUEBACK
DOS application with event based Windowing System.
Self-integrity check.
Minimum system configuration check.
Extraction of system information.
Three modes of operation:
- Seize
- Acquire
- Seize and Acquire
Disk imaging through Parallel port.
Disk imaging using Network Interface Card.
Block by Block acquisition with data integrity check on each block.
IDE/SCSI, USB, CD and Floppy acquisition.
Acquisition of floppies and CDs in Batch mode.
Write protection on all storage media except destination media.
Checking for sterile destination media.
Progress Bar display on all modes of operation.
Report generation on all modes of operation.
BIOS and ATA mode acquisition.
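Two of the TrueBack features above, the sterile-destination check and block-by-block acquisition with a per-block integrity check, are worth seeing as code. This is an added example, not TrueBack's implementation: it assumes a 4096-byte block and SHA-256 (the slides do not say which hash the tool uses), images a constructed 10240-byte "disk" held in memory, refuses a destination that is not all zeros, reads back every block after writing it, and re-verifies the finished image against the block hashes the way an analysis tool does when loading an evidence file.

```python
import hashlib
import io

BLOCK_SIZE = 4096            # assumed block size for this example

# Constructed 10240-byte "disk": two full blocks plus a partial third block.
SAMPLE_DISK = bytes(range(256)) * 40


def is_sterile(media, block_size=BLOCK_SIZE) -> bool:
    """Sterile-media check: every byte of the destination must be zero
    before an image is written to it.  `media` is a seekable binary stream."""
    media.seek(0)
    zero_block = bytes(block_size)
    while True:
        chunk = media.read(block_size)
        if not chunk:
            return True
        if chunk != zero_block[:len(chunk)]:
            return False


def acquire(source, destination, block_size=BLOCK_SIZE) -> dict:
    """Copy `source` to `destination` block by block.  Each block is hashed
    when read and read back after the write, so a faulty write is detected
    on that block rather than at the end; a running hash over the whole
    image is the acquisition hash that goes into the report."""
    if not is_sterile(destination, block_size):
        raise ValueError("destination media is not sterile")
    source.seek(0)
    destination.seek(0)
    image_hash = hashlib.sha256()
    block_hashes = []
    total = 0
    while True:
        block = source.read(block_size)
        if not block:
            break
        digest = hashlib.sha256(block).hexdigest()
        destination.write(block)
        destination.seek(-len(block), io.SEEK_CUR)        # read back what was written
        if hashlib.sha256(destination.read(len(block))).hexdigest() != digest:
            raise IOError(f"integrity check failed on block {len(block_hashes)}")
        image_hash.update(block)
        block_hashes.append(digest)
        total += len(block)
    return {"blocks": len(block_hashes), "bytes": total,
            "sha256": image_hash.hexdigest(), "block_hashes": block_hashes}


def verify_image(image, report, block_size=BLOCK_SIZE) -> bool:
    """Re-hash an image block by block against the acquisition report; this
    is the check an analysis tool runs while loading an evidence file."""
    image.seek(0)
    for expected in report["block_hashes"]:
        if hashlib.sha256(image.read(block_size)).hexdigest() != expected:
            return False
    return image.read(1) == b""          # no data beyond the recorded blocks


def demo() -> dict:
    """Run an acquisition on the constructed disk and exercise the checks."""
    dest = io.BytesIO(bytes(len(SAMPLE_DISK)))               # pre-wiped media
    report = acquire(io.BytesIO(SAMPLE_DISK), dest)
    tampered = bytearray(dest.getvalue())
    tampered[5000] ^= 0x01                                    # flip one bit in block 1
    dirty = io.BytesIO(b"\x00" * 100 + b"X" + b"\x00" * 8000)  # not sterile
    try:
        acquire(io.BytesIO(SAMPLE_DISK), dirty)
        dirty_rejected = False
    except ValueError:
        dirty_rejected = True
    return {
        "blocks": report["blocks"],
        "hash_matches_source": report["sha256"] == hashlib.sha256(SAMPLE_DISK).hexdigest(),
        "clean_verifies": verify_image(io.BytesIO(dest.getvalue()), report),
        "tampered_verifies": verify_image(io.BytesIO(bytes(tampered)), report),
        "dirty_rejected": dirty_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Keeping one hash per block, not just one for the whole image, is what lets the examiner say which block was damaged and when; the whole-image hash alone only says that something changed.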
ANALYSIS TOOL
CYBER CHECK
CyberCheck - Features
Standard Windows application.
Self-integrity check.
Minimum system configuration check.
Analyses evidence file containing FAT12, FAT16, FAT32, NTFS and EXT2FS file system.
Analyses evidence files created by the following disk imaging tools:
- TrueBack
- LinkMasster
- Encase
User login facilities.
Creates log of each analysis session and Analyzing officer’s details.
Block by block data integrity verification while loading evidence file.
Explorer type view of contents of the whole evidence file.
Display of folders and files with all attributes.
Show/Hide system files.
Sorting of files based on file attributes.
Text/Hex view of the content of a file.
Picture view of an image file.
Gallery view of images.
Graphical representation of the following views of an evidence file:
- Disk View.
- Cluster View.
- Block view.
Timeline view of:
- All files.
- Deleted files.
- Time anomaly files.
- Signature mismatched files.
- Files created within a time frame.
Display of cluster chain of a file.
Single and Multiple Keyword search.
Extraction of Disk, Partition, File and MBR slacks.
Exclusive search in slack space.
Extraction of unused unallocated clusters and exclusion from search space.
Exclusive search in used unallocated clusters.
Extraction of lost clusters.
Exclusive search in data extracted from lost clusters.
Extraction of Swap files.
Exclusive search in data extracted from Swap files.
File search based on file extension.
File search based on hash value.
Exclusion of system files from search space.
Data recovery from deleted files, slack space, used unallocated clusters and lost clusters.
Recovery of formatted partitions.
Recovery of deleted partitions.
Exporting files, folders and slack content.
Exporting folder structure including file names into a file.
Exporting files on to external viewer.
Local preview of storage media.
Network preview of storage media using cross-over cable.
Book marking of folders, files and data.
Adding book marked items into report.
Restoration of storage media.
Creating raw image.
Raw image analysis.
Facility for viewing Mailbox files of Microsoft Outlook Express, Microsoft Outlook, Eudora and Linux Mail clients.
Registry viewer.
Hash set of system files.
Identification of encrypted & password protected files.
Identification of steganographed image files.
Generation of analysis report with the following features:
- Complete information of the evidence file system.
- Complete information of the partitions and drive geometry.
- Hash verification details.
- User login and logout information.
- Exported content of text file and slack information.
- Includes picture file as image.
Saving report, search hits and book marked items for later use.
Password protection of report.
Print report.
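Several CyberCheck features in the list above are triage filters over the file table: exclusion of known system files by hash set, signature-mismatched files, time-anomaly files, and files created within a time frame. The block below is an added example written for this page, not CyberCheck's code; it runs those four checks over a constructed evidence set (invented file names and contents, no real case data) using a small magic-number table that is an assumption of the example, and treats "time anomaly" as a modified timestamp earlier than the created timestamp.

```python
import hashlib
from datetime import datetime

# Magic-number table for a handful of formats (assumed, enough for the demo).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",),
}
ALIASES = {"jpeg": "jpg"}


def detect_type(data: bytes):
    """Return the format implied by the leading bytes, or None if unknown."""
    for fmt, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return fmt
    return None


def signature_mismatch(name: str, data: bytes) -> bool:
    """True when the extension claims a type whose magic bytes are absent,
    or when the content is a known type hiding behind a foreign extension."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ext = ALIASES.get(ext, ext)
    actual = detect_type(data)
    if ext in SIGNATURES:
        return actual != ext
    return actual is not None        # e.g. a JPEG renamed to .txt


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(files: list, known_system_hashes: set, window=None) -> dict:
    """Apply the checks to a list of {name, data, created, modified} records:
    exclude files whose hash is in the known-system-files set, flag
    signature mismatches, flag time anomalies (modified before created) and,
    if a (start, end) window is given, list files created inside it."""
    excluded, mismatched, anomalies, in_window = [], [], [], []
    for f in files:
        if sha256(f["data"]) in known_system_hashes:
            excluded.append(f["name"])
            continue
        if signature_mismatch(f["name"], f["data"]):
            mismatched.append(f["name"])
        if f["modified"] < f["created"]:
            anomalies.append(f["name"])
        if window and window[0] <= f["created"] <= window[1]:
            in_window.append(f["name"])
    return {"excluded": excluded, "signature_mismatch": mismatched,
            "time_anomaly": anomalies, "created_in_window": in_window}


# Constructed evidence set (invented names and contents, not real case data).
SYSTEM_DLL = b"MZ\x90\x00constructed system file"
FILES = [
    {"name": "kernel32.dll", "data": SYSTEM_DLL,
     "created": datetime(2004, 1, 1), "modified": datetime(2004, 1, 1)},
    {"name": "notes.txt", "data": b"\xff\xd8\xff\xe0" + b"\x00" * 16,   # JPEG hiding as text
     "created": datetime(2004, 6, 2), "modified": datetime(2004, 6, 3)},
    {"name": "photo.jpg", "data": b"\xff\xd8\xff\xe1" + b"\x00" * 16,
     "created": datetime(2004, 6, 5), "modified": datetime(2004, 6, 5)},
    {"name": "report.doc", "data": b"plain old document",
     "created": datetime(2004, 7, 1), "modified": datetime(2004, 3, 1)},  # clock set back?
    {"name": "archive.zip", "data": b"not really a zip",
     "created": datetime(2004, 8, 1), "modified": datetime(2004, 8, 1)},
]
KNOWN_SYSTEM_HASHES = {sha256(SYSTEM_DLL)}


def demo() -> dict:
    return triage(FILES, KNOWN_SYSTEM_HASHES,
                  window=(datetime(2004, 6, 1), datetime(2004, 6, 30)))


if __name__ == "__main__":
    for key, names in demo().items():
        print(f"{key}: {names}")
```

The hash-set exclusion is what makes the 240GB problem of Case #4 tractable: operating-system and application files that match a reference set never reach the examiner's queue, and the signature and time checks rank what remains.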
ISSUES AHEAD.. &.. TECHNOLOGY BEHIND..
CASE #4
A young girl had been involved in a series of sexually explicit exchanges via instant messenger system and email.
Upon investigation, the perpetrator was tracked to the home of a 50 year old prominent local physician.
Computers seized from the physician’s house had a 240GB hard disk each, full of files.
ISSUE #1
How to get convincing leads to go ahead with the case in a short time from among the overload of available material.
ADVANCED CONCEPT SEARCH
ISSUE #2
Computers contained many password protected/encrypted files.
How to get into these files in a short time.
PASSWORD CRACKING
GRID Enabled Password Cracker
(Diagram: GRID SERVER at the CYBER FORENSICS LAB, linked over the INTERNET to the FSL, the POLICE CRIME CELL and the CBI.)
PASSWORD CRACKING OF ZIP FILES USING GRID
1.ZIPPED FILE SUBMISSION
2. SERVER RECEIVES AND DISTRIBUTES TO GRID CLIENTS
3. CLIENTS COMPUTE AND SEND RESULTS TO SERVER
4. GRID SERVER SENDS RESULTS OVER INTERNET
ISSUE #3
However, the case took a twist when it came to light that the doctor’s 13-year-old son and 15-year-old nephew had also been using the doctor’s account.
Who was at the keyboard then?
WHO’S AT THE KEYBOARD?
BIOMETRICS
A software driver associated with the keyboard records the user’s rhythm in typing.
These rhythms are then used to generate a profile of the authentic user.
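The two sentences above describe a keystroke-dynamics profile. The following is an added example, not code from the slides or from any CDAC tool: it assumes the driver delivers (key, press time, release time) tuples for a fixed phrase, derives dwell and flight times, builds a mean/standard-deviation profile from enrolment sessions, and scores a new session as a mean absolute z-score. All sessions are constructed with uniform timings shifted by a small offset, so the result is deterministic; the phrase, the 5 ms standard-deviation floor and the threshold of 2.0 are assumptions of the example.

```python
import statistics

PHRASE = "cdac"                  # fixed enrolment phrase (assumed)
STD_FLOOR_MS = 5.0               # keeps a near-constant feature from dominating


def make_session(phrase, dwell_ms, flight_ms, offset_ms=0):
    """Construct a typing session as (key, press_ms, release_ms) tuples with a
    uniform dwell and flight time, shifted by `offset_ms` to simulate
    session-to-session variation.  Constructed data, not real keystroke logs."""
    session, t = [], 0
    for key in phrase:
        press = t
        release = press + dwell_ms + offset_ms
        session.append((key, press, release))
        t = release + flight_ms + offset_ms
    return session


def features(session) -> dict:
    """Dwell time (hold) per key position and flight time (release-to-next-press)
    per consecutive key pair; positions make the fixed phrase comparable."""
    feats = {}
    for i, (key, press, release) in enumerate(session):
        feats[f"dwell:{i}:{key}"] = release - press
        if i:
            prev_key, _, prev_release = session[i - 1]
            feats[f"flight:{i}:{prev_key}{key}"] = press - prev_release
    return feats


def build_profile(sessions) -> dict:
    """Mean and standard deviation of each feature over the enrolment sessions."""
    samples = {}
    for s in sessions:
        for name, value in features(s).items():
            samples.setdefault(name, []).append(value)
    return {name: (statistics.mean(v), max(statistics.pstdev(v), STD_FLOOR_MS))
            for name, v in samples.items()}


def score(profile, session) -> float:
    """Mean absolute z-score of the session against the profile (0 = identical rhythm)."""
    f = features(session)
    zs = [abs(f[name] - mean) / sd for name, (mean, sd) in profile.items() if name in f]
    return statistics.mean(zs)


def authenticate(profile, session, threshold=2.0) -> bool:
    return score(profile, session) < threshold


def demo() -> dict:
    enrolment = [make_session(PHRASE, 100, 150, off) for off in (0, 4, -4)]
    profile = build_profile(enrolment)
    genuine = make_session(PHRASE, 100, 150, 2)
    impostor = make_session(PHRASE, 60, 300)     # same phrase, different rhythm
    return {"genuine_score": score(profile, genuine),
            "impostor_score": score(profile, impostor),
            "genuine_accepted": authenticate(profile, genuine),
            "impostor_accepted": authenticate(profile, impostor)}


if __name__ == "__main__":
    print(demo())
```

A profile like this only separates typists whose enrolment data is clean; in the Case #4 situation the three users shared one account, so separate enrolment sessions for each would be needed before the score of a session could be read as evidence.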
WHO’S AT THE KEYBOARD?
FORENSIC STYLISTICS
A qualitative approach to authorship assesses errors and “idiosyncrasies” based on the examiner’s experience.
This approach could be quantified through Databasing.
WHO’S AT THE KEYBOARD?
STYLOMETRY
It is a quantitative and computational method, focusing on readily computable and countable language features, e.g. word length, phrase length, sentence length, vocabulary frequency, distribution of words of different lengths.
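The countable features the slide lists are easy to compute, and comparing them across candidate authors is the whole of the method. This is an added example, not from the slides: it builds a profile (average word length, average sentence length, type/token ratio as a vocabulary-richness measure, and the distribution of word lengths), defines a scale-free distance between profiles, and attributes a constructed unknown text to the closer of two constructed writing samples. The texts, the 12-letter cap on the length distribution and the distance formula are assumptions of the example.

```python
import re
from collections import Counter

WORD_RE = re.compile(r"[A-Za-z']+")
SENTENCE_RE = re.compile(r"[.!?]+")
MAX_LEN = 12                      # word lengths >= 12 share one bucket (assumed)


def stylometric_profile(text: str) -> dict:
    """Countable features of the kind the slide lists: average word length,
    average sentence length, vocabulary richness (type/token ratio) and the
    distribution of word lengths."""
    words = [w.lower() for w in WORD_RE.findall(text)]
    if not words:
        raise ValueError("text contains no words")
    sentences = [s for s in SENTENCE_RE.split(text) if WORD_RE.search(s)]
    lengths = Counter(min(len(w), MAX_LEN) for w in words)
    n = len(words)
    return {
        "avg_word_length": sum(map(len, words)) / n,
        "avg_sentence_length": n / len(sentences),
        "type_token_ratio": len(set(words)) / n,
        "length_distribution": [lengths[k] / n for k in range(1, MAX_LEN + 1)],
    }


def distance(p: dict, q: dict) -> float:
    """Scale-free distance: relative difference for scalar features plus the
    L1 distance between the two word-length distributions."""
    d = 0.0
    for key in ("avg_word_length", "avg_sentence_length", "type_token_ratio"):
        a, b = p[key], q[key]
        d += abs(a - b) / (abs(a) + abs(b))
    d += sum(abs(a - b) for a, b in zip(p["length_distribution"], q["length_distribution"]))
    return d


def attribute(unknown: str, candidates: dict) -> str:
    """Name of the candidate author whose profile is closest to the unknown text."""
    up = stylometric_profile(unknown)
    return min(candidates,
               key=lambda name: distance(up, stylometric_profile(candidates[name])))


# Constructed writing samples (not from any case).
TEXT_A = "The dog ran. It was fast. We saw it go. The sun was hot."
TEXT_B = ("Notwithstanding the considerable uncertainty surrounding contemporary "
          "investigative methodologies, practitioners frequently encounter substantial "
          "difficulties when attempting to reconcile conflicting interpretations of "
          "ambiguous documentary evidence.")
UNKNOWN = "The cat sat. It was calm. We saw it sit. The day was long."


if __name__ == "__main__":
    print(attribute(UNKNOWN, {"A": TEXT_A, "B": TEXT_B}))
```

With samples this short the attribution is a demonstration of the mechanics only; in practice the candidate corpora need to be large enough that the feature averages stabilise, and the distance should be calibrated on texts of known authorship before it is offered as evidence.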
THE REAL CYBER FORENSIC CHALLENGE IS YET TO COME…
GOA’s SKYBUS MISHAP
Konkan Railway Corporation Ltd's Skybus Metro dashed against a pole on the track during its trial run at Madgaon in Goa. "The skybus should have approached the station at the speed of 20 kmph. However, it was driving at 50 kmph. The sudden jerk after it hit the pole caused one person standing at the door to fall off and two others to suffer major injuries."
QUESTIONS BEING ASKED
Had the SKYBUS been tested sufficiently, and should this controller bug have been found out during testing?
WHO developed the control system software?
Who carried out the design, and who carried out the design approval?