Launching Investigation, prosecution and defending of a computer related crime PowerPoint PPT Presentation


Title: Launching Investigation, prosecution and defending of a computer related crime


1

New Age Cybercrime conference, Novotel,
Mumbai, 29-30th Oct 2009
  • Launching Investigation, prosecution and
    defending of a computer related crime
  • Karnika Seth
  • Cyberlaw & IP expert
  • Managing Partner, Seth Associates
  • Chairperson, Cyberlaws Consulting Centre

2
Introduction
  • Seth Associates is a leading full service Indian
    law firm that is internationally networked to
    provide spectrum of legal services to its
    domestic and international clients
  • Network of 2000 associate offices of Association
    of European lawyers (AEA alliance) as foreign
    associates
  • We maintain one of the strongest Cyberlaws
    practice in India today. With more than a
    decade's experience in Cyberlaws Practice, Seth
    Associates recently established the World's first
    integrated 'Cyberlaws Consulting Centre' at Seth
    Associates

3
CCC- Cyberlaws Consulting Centre
  • CCC renders cyber legal consultancy, cyber law
    analytics and forensic services to its clients
    world wide.
  • Work experience of handling cybercrime matters
    with Delhi Police
  • Delivered training workshops to Delhi police on
    dealing with cybercrime investigation cases
  • Recently authored a book titled Cyberlaws in the
    Information Technology age published by Lexis
    Nexis Butterworths that elucidates the key
    developments in the field of Cyberlaws across
    many important jurisdictions: India, United States
    and European nations

4
Cyberlaws in the Information Technology Age by
Karnika Seth
5
Presentation plan
  • The categories of cybercrimes
  • The techniques of cyber investigation and
    forensic tools
  • Analysis of the cybercrime Indian legal
    position
  • The possible reliefs to a cybercrime victim and
    strategy adoption
  • The preparation for prosecution
  • Admissibility of digital evidence in courts
  • Defending an accused in a computer related crime

6
Cyber Threats in 2009 and Beyond: Report of
Georgia Tech Information Security Center (GTISC)
7
Vectors trends for cyber threats
8
Striking facts!
  • According to a report compiled by Panda Labs, in
    2008, 10 million bot computers were used to
    distribute spam and malware across the Internet
    each day.
  • Annual take by theft-oriented cyber criminals is
    estimated to be as high as 100 billion dollars
    and 97 per cent of these offences go
    undetected (CBI's Conference on International
    Police Cooperation against Cyber Crime, March
    2009)

9
Source: Government Accountability Office (GAO),
Department of Homeland Security's (DHS's) Role in
Critical Infrastructure Protection (CIP)
Cybersecurity, GAO-05-434 (Washington, D.C. May,
2005).
10
Glaring Examples: Data thefts
  • The incidents in the recent past involving Cyber
    Space have highlighted the issues of privacy and
    data protection in India
  • The Pune scam was the first among the many BPO
    frauds that made international headlines. In
    April 2005, five employees of MsourcE in Pune
    were arrested for allegedly pulling off a fraud
    worth nearly 2.5 crore rupees from the Citibank
    accounts of four New York-based account holders.
  • In June 2005, the British tabloid Sun, in a sting
    operation, purchased the bank account details of
    1,000 Britons from Karan Bahree, an employee of
    Gurgaon-based BPO company Infinity E-Search.

11
MMS scandals
  • In 2004 a DPS (Delhi Public School) student
    filmed a sexually explicit video clip of his
    classmate in a compromising position on his cell
    phone, forwarded the video via MMS to his
    friends. The clip was then put up on Bazee.com
    and widely circulated.
  • Case of the State of Tamil Nadu Vs Suhas Katti
    is notable for the fact that the conviction was
    achieved successfully within a relatively quick
    time of 7 months from the filing of the FIR.
  • The case related to posting of obscene,
    defamatory and annoying message about a divorcee
    woman in the Yahoo message group. Additional
    Chief Metropolitan Magistrate, delivered the
    judgment on 5-11-04 as follows
  • The accused is found guilty of offences under
    section 469, 509 IPC and 67 of IT Act 2000 and
    the accused is convicted and is sentenced for the
    offence to undergo RI for 2 years under 469 IPC
    and to pay fine of Rs.500/- and for the
    offence u/s 509 IPC sentenced to undergo 1 year
    Simple imprisonment and to pay fine of Rs.500/-
    and for the offence u/s 67 of IT Act 2000 to
    undergo RI for 2 years and to pay fine of
    Rs.4000/- All sentences to run concurrently.
  • This is considered the first case convicted under
    section 67 of Information Technology Act 2000 in
    India

12
Incident Response: a precursor to Techniques of
Cyber investigation & forensic tools
  • Incident response could be defined as a
    precise set of actions to handle any security
    incident in a responsible, meaningful and timely
    manner.
  • Goals of incident response-
  • To confirm whether an incident has occurred
  • To promote accumulation of accurate information
  • Educate senior management
  • Help in detection/prevention of such incidents in
    the future,
  • To provide rapid detection and containment
  • Minimize disruption to business and network
    operations
  • To facilitate criminal action against
    perpetrators

13
Six steps of Incident response
  • Detection of incidents
  • Pre incident preparation
  • Initial response
  • Investigate the incident
14
Techniques of cyber investigation- Cyber forensics
  • Computer forensics, also called cyber forensics,
    is the application of computer investigation and
    analysis techniques to gather evidence suitable
    for presentation in a court of law.
  • The goal of computer forensics is to perform a
    structured investigation while maintaining a
    documented chain of evidence to find out exactly
    what happened on a computer and who was
    responsible for it.

15
6 A's of digital forensics
16
The Digital Investigation Process (Source:
Forensics Guru)
17
Rules of evidence
  • Computer forensic components-
  • Identifying
  • Preserving
  • Analysing
  • Presenting evidence in a legally admissible
    manner

  • Admissible
  • Chain of custody
  • Relevant
  • Complete
  • Reliable
18
FBI handbook of forensic investigation-techniques
for computer forensics

19
Sources of Evidence
  • Existing Files
  • Deleted Files
  • Logs
  • Special system files (registry etc.)
  • Email archives, printer spools
  • Administrative settings
  • Internet History
  • Chat archives
  • Misnamed Files
  • Encrypted Files / Password Protected files etc.

20
Cyberforensics in accounting frauds
  • Use of CAAT (computer assisted audit
    techniques): spreadsheets, Excel, MS Access
  • Generalized audit software: PC based file
    interrogation software (IDEA, ACL)
  • Help detect fictitious suppliers, duplicate
    payments, theft of inventory
  • Tender manipulation, secret commissions
  • False financial reporting
  • Expense account misuse
  • Insider trading

21
Establishment and maintenance of Chain of
Custody
  • Tools required
  • - Evidence notebook
  • - Tamper evident labels
  • - Permanent ink pen
  • - Camera
  • Document the following
  • - Who reported the incident along with critical
    date and times
  • - Details leading up to formal investigation
  • - Names of all people conducting investigation
  • - Establish and maintain detailed activity log

22
Maintaining Chain Of Custody
  • Take pictures of the evidence
  • - Document crime scene details
  • Document identifiable markings on evidence
  • Catalog the system contents
  • Document serial numbers, model numbers, asset
    tags
  • Bag it!
  • Maintain Chain Of Custody on tamperproof
    evidence bag
  • Take a picture!

23
Classification of computer forensics
  • Disk based forensics
  • Network based forensics
  • Disk imaging and analysis-
  • Tool must have the ability to image every bit of
    data on storage medium, tool must not make any
    changes to the source medium.
  • Examples: DD (www.gnu.org)
  • DCFLDD (www.prdownloads.sourceforge.net/biatchux)
  • ODD (Open Data Duplicator)
  • ODESSA-creating a qualified duplicate image with
    Encase-www.odessa.sourceforge.net
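
The two imaging requirements above (copy every bit, change nothing on the source) and the activity log from the chain-of-custody slides can be checked with hashes. The following is an added example, not part of the presentation or of any tool it names; the function names, the record fields and the random-byte "seized medium" are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 1 << 20  # copy in 1 MiB blocks

def sha256_of(path):
    """Hash a file (or device node) opened strictly read-only."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source, image, examiner):
    """Copy every byte of `source` to `image`; return a custody-log entry."""
    started = datetime.now(timezone.utc).isoformat()
    h, copied = hashlib.sha256(), 0
    # "rb": the source is never opened for writing.
    # "xb": refuse to overwrite an image that already exists.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(BLOCK), b""):
            h.update(block)
            dst.write(block)
            copied += len(block)
    os.chmod(image, 0o444)  # the working copy is read-only from here on
    record = {
        "examiner": examiner,
        "source": source,
        "image": image,
        "bytes": copied,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "sha256_acquired": h.hexdigest(),
    }
    # The image must match what was read, and the source must be unchanged.
    record["verified"] = (
        sha256_of(image) == record["sha256_acquired"] == sha256_of(source)
    )
    return record

def verify_image(record):
    """Later re-check: does the image still match the logged hash?"""
    return sha256_of(record["image"]) == record["sha256_acquired"]

def demo():
    """Constructed stand-in for a seized medium (random bytes, odd length)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "seized_medium.bin")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * BLOCK + 517))
        rec = acquire_image(src, os.path.join(d, "seized_medium.img"), "Examiner A")
        intact = verify_image(rec)
        os.chmod(rec["image"], 0o644)  # simulate later tampering with the copy
        with open(rec["image"], "r+b") as f:
            f.seek(1000)
            original = f.read(1)
            f.seek(1000)
            f.write(bytes([original[0] ^ 0x01]))  # flip a single bit
        return rec, intact, verify_image(rec)

if __name__ == "__main__":
    rec, intact, after_tamper = demo()
    print(rec["sha256_acquired"], rec["verified"], intact, after_tamper)
```

On a real device, opening it read-only in software does not by itself stop the operating system from mounting or writing to it, which is why acquisitions are normally done behind a write blocker.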

24
Recovering deleted data
  • Encase
  • FTK
  • Stellar Phoenix
  • PCI file recovery
  • Undelete
  • Recover4all
  • Get data back
  • Fast file recovery
  • Active undelete

25
E-mail forensics
  • E-mail composed of two parts- header and body
  • Examine headers
  • Request information from ISP
  • Trace the IP
  • Tools: Encase, FTK, Final email
  • Sawmill groupwise
  • Audimation for logging
  • Cracking the password- brute force attack, smart
    search, dictionary search, date search,
    customised search, guaranteed decryption,
    plaintext attack
  • Passware, ultimate zip cracker, office recovery
    enterprise, etc.

26
Live demo: sending fake e-mails and reading
headers, phishing attacks
  • Use of www.fakemailer.net
  • Use of Whois
  • Dissecting header and body of an e-mail
  • message digest,
  • IP address
  • Return path
  • Senders address
  • Live demo phishing: www.noodlebank.com,
    www.nood1ebank.com
  • www.whois.sc
  • www.readnotify.com
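
Header examination as listed on the two e-mail slides above (IP address, return path, sender's address, and the noodlebank / nood1ebank look-alike) can be done with a short script. This is an added example, not material from the presentation; the message is constructed, its IP addresses come from documentation ranges, and the function names and the two-character confusable table are assumptions.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message; only the two bank host names come from the slide.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby inbox.recipient.example with ESMTP id A1; Thu, 29 Oct 2009 10:02:11 +0530
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.recipient.example with ESMTP id B2; Thu, 29 Oct 2009 10:02:09 +0530
Received: from [203.0.113.45] (helo=webform)
\tby relay.example.net with HTTP id C3; Thu, 29 Oct 2009 10:02:05 +0530
From: "Noodle Bank" <support@nood1ebank.com>
To: customer@recipient.example
Subject: Verify your account

Please log in at http://www.nood1ebank.com/ to confirm your details.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)
CONFUSABLE = str.maketrans("10", "lo")  # assumption: digit look-alikes only

def domain_of(header_value):
    """Domain part of the address in a From / Return-Path header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def is_lookalike(host, trusted):
    """True if host differs from trusted only by confusable characters."""
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    return host != trusted and (
        host.translate(CONFUSABLE) == trusted.translate(CONFUSABLE)
    )

def analyse(raw, trusted_domain):
    msg = email.message_from_string(raw)
    # Each server prepends its own Received line, so reversing the list gives
    # travel order. Lines below the first server you trust are supplied by the
    # sending side and can be forged; treat the origin as a lead, not proof.
    path = []
    for value in reversed(msg.get_all("Received", [])):
        ips = IP_RE.findall(value)
        if ips:
            path.append(ips[0])
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    findings = []
    if from_dom != rp_dom:
        findings.append("return_path_mismatch")
    if is_lookalike(from_dom, trusted_domain):
        findings.append("lookalike_sender_domain")
    if any(is_lookalike(h, trusted_domain)
           for h in URL_HOST_RE.findall(msg.get_payload())):
        findings.append("lookalike_link")
    return {
        "origin_ip": path[0] if path else None,
        "path": path,
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "findings": findings,
    }

if __name__ == "__main__":
    print(analyse(RAW, "noodlebank.com"))
```

The origin address found this way is what an investigator would take to the ISP, as the slide's "Request information from ISP" step describes.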

27
The Information Technology Act,2000 and
cybercrimes
  • The Information Technology Act 2000 came into
    force in India on 17 October 2000. It extends to
    whole of India and also applies to any offence or
    contraventions committed outside India by any
    person (s 1(2), IT Act 2000).
  • According to s 75 of the Act, the Act applies to
    any offence or contravention committed outside
    India by any person irrespective of his
    nationality, if such act involves a computer,
    computer system or network located in India.

28
Cybercrime vs Cyber contravention
  • The IT Act prescribes provisions for
    contraventions in ch IX of the Act, particularly
    s 43 of the Act, which covers unauthorised
    access, downloading, introduction of virus,
    denial of access and Internet time theft
    committed by any person. It prescribes punishment
    by way of damages not exceeding Rs 1 crore to the
    affected party.
  • Chapter XI of the IT Act 2000 discusses the
    cyber crimes and offences inter alia, tampering
    with computer source documents (s 65), hacking (s
    66), publishing of obscene information (s 67),
    unauthorised access to protected system (s 70),
    breach of confidentiality (s 72), publishing
    false digital signature certificate (s 73).
  • Whereas cyber contraventions are civil wrongs
    for which compensation is payable by the
    defaulting party, cyber offences constitute
    cyber frauds and crimes which are criminal wrongs
    for which punishment of imprisonment and/or fine
    is prescribed by the Information Technology Act
    2000.

29
Special and General statutes applicable to
cybercrimes
  • While the IT Act 2000, provides for the specific
    offences it has to be read with the Indian Penal
    Code 1860 (IPC) and the Code of Criminal
    Procedure 1973 (Cr PC)
  • IT Act is a special law, most IT experts are of
    common consensus that it does not cover or deal
    specifically with every kind of cyber crime
  • for instance, for defamatory emails reliance is
    placed on s 500 of IPC, for threatening e-mails,
    provisions of IPC applicable thereto are criminal
    intimidation (ch XXII), extortion (ch XVII), for
    e-mail spoofing, provisions of IPC relating to
    frauds, cheating by personation (ch XVII) and
    forgery (ch XVIII) are attracted.
  • Likewise, criminal breach of trust and fraud (ss
    405, 406, 408, 409) of the IPC are applicable and
    for false electronic evidence, s 193 of IPC
    applies.
  • For cognisability and bailability, reliance is
    placed on Code of Criminal Procedure which also
    lays down the specific provisions relating to
    powers of police to investigate.

30
Tampering of source code
  • According to s 65 of the IT Act-
  • a person who intentionally conceals or destroys
    or alters or intentionally or knowingly causes
    another to conceal, destroy or alter any computer
    source code used for a computer, computer
    program, computer system or network when the
    computer source code is required to be maintained
    by law is punishable with imprisonment upto 3
    years or with fine that may extend upto 2 lakh
    rupees or with both.

31
Hacking
  • Section 66 of the IT Act 2000 deals with the
    offence of computer hacking.
  • In simple words, hacking is accessing of a
    computer system without the express or implied
    permission of the owner of that computer system.
  • Examples of hacking may include unauthorised
    input or alteration of input, destruction or
    misappropriation of output, misuse of programs or
    alteration of computer data.
  • Punishment for hacking is imprisonment upto
    3 years or fine which may extend to 2 lakh rupees
    or both

32
Publishing obscene information
  • Section 67 of the IT Act lays down punishment for
    the offence of publishing of obscene information
    in electronic form
  • Recently, the Supreme Court in Ajay Goswami v
    Union of India considered the issue of obscenity
    on Internet and held that restriction on freedom
    of speech on ground of curtailing obscenity
    amounts to reasonable restriction under art 19(2)
    of the Constitution. The court observed that the
    test of community mores and standards has become
    obsolete in the Internet age.
  • Punishment on first conviction is imprisonment
    for a term which may extend to 5 years and with
    fine which may extend to 1 lakh rupees. In the
    event of second conviction or subsequent
    conviction imprisonment of description for a term
    which may extend to 10 years and fine which may
    extend to 2 lakh rupees.

33
New offences defined under IT Amendment Bill 2008
  • Many cybercrimes for which no express provisions
    existed in the IT Act 2000 now stand included by
    the IT Amendment Bill 2008.
  • Sending of offensive or false messages (s 66A),
    receiving stolen computer resource (s 66C),
    identity theft (s 66C), cheating by personation
    (s 66D), violation of privacy (s 66E).
    Barring the offence of cyber terrorism (s 66F )
    punishment prescribed is generally upto three
    years and fine of one/two lakhs rupees has been
    prescribed and these offences are cognisable and
    bailable. This will not prove to play a deterrent
    factor for the cyber criminals.
  • Further, as per new s 84B, abetment to commit an
    offence is made punishable with the punishment
    provided for the offence under the Act and the
    new s 84C makes attempt to commit an offence also
    a punishable offence with imprisonment for a term
    which may extend to one-half of the longest term
    of imprisonment provided for that offence

34
The IT Amendment Bill 2008
  • In certain offences, such as hacking (s 66)
    punishment is enhanced from 3 years of
    imprisonment and fine of 2 lakhs to fine of 5
    lakhs rupees. In s 67, for publishing of obscene
    information imprisonment term has been reduced
    from five years to three years (and five years
    for subsequent offence instead of earlier ten
    years) and fine has been increased from one lakh
    to five lakhs rupees (ten lakhs on subsequent
    conviction).
  • Section 67A adds an offence of publishing
    material containing sexually explicit conduct
    punishable with imprisonment for a term that may
    extend to 5 years with fine upto ten lakhs
    rupees.

35
The IT Amendment Bill 2008
  • Section 67B punishes offence of child
    pornography, child's sexually explicit act or
    conduct with imprisonment on first conviction for
    a term upto 5 years and fine upto 10 lakhs
    rupees.

36
Possible reliefs to a cybercrime victim- strategy
adoption
  • A victim of cybercrime needs to immediately
    report the matter to his local police station and
    to the nearest cybercrime cell
  • Depending on the nature of crime there may be
    civil and criminal remedies.
  • In civil remedies, injunction and restraint
    orders may be sought, together with damages,
    delivery up of infringing matter and/or account
    for profits.
  • In criminal remedies, a cybercrime case will be
    registered by police if the offence is cognisable
    and if the same is non cognisable, a complaint
    should be filed with metropolitan magistrate
  • For certain offences, both civil and criminal
    remedies may be available to the victim

37
Before lodging a cybercrime case
  • Important parameters-
  • Gather ample evidence admissible in a court of
    law
  • Fulfill the criteria of the pecuniary,
    territorial and subject matter jurisdiction of a
    court.
  • Determine jurisdiction: case may be filed where
    the offence is committed or where effect of the
    offence is felt (S. 177 to 179, CrPC)

38
The criminal prosecution pyramid
39
Preparation for prosecution
  • Collect all evidence available, saving snapshots
    of evidence
  • Seek a cyberlaw expert's immediate assistance for
    advice on preparing for prosecution
  • Prepare a background history of facts
    chronologically as per facts
  • Pen down names and addresses of suspected
    accused.
  • Form a draft of complaint and remedies a victim
    seeks
  • Cyberlaw expert & police could assist in
    gathering further evidence, e.g. tracing the IP in
    case of e-mails, search & seizure or arrest as
    appropriate to the situation
  • A cyber forensic study of the hardware/equipment/
    network server related to the cybercrime is
    generally essential

40
Amendments- Indian Evidence Act 1872
  • Section 3 of the Evidence Act amended to take
    care of admissibility of ER as evidence along
    with the paper based records as part of the
    documents which can be produced before the court
    for inspection.
  • Section 4 of IT Act confers legal recognition to
    electronic records

41
Societe Des products Nestle SA case 2006 (33)
PTC 469
  • By virtue of provision of Section 65A, the
    contents of electronic records may be proved in
    evidence by parties in accordance with provision
    of 65B.
  • Held- Sub section (1) of section 65B makes
    admissible as a document, paper print out of
    electronic records stored in optical or magnetic
    media produced by a computer subject to
    fulfillment of conditions specified in subsection
    2 of Section 65B .
  • The computer from which the record is generated
    was regularly used to store or process
    information in respect of activity regularly
    carried on by person having lawful control over
    the period, and relates to the period over which
    the computer was regularly used.
  • Information was fed in the computer in the
    ordinary course of the activities of the person
    having lawful control over the computer.
  • The computer was operating properly, and if not,
    was not such as to affect the electronic record
    or its accuracy.
  • Information reproduced is such as is fed into
    computer in the ordinary course of activity.
  • State v Mohd Afzal, 2003 (7) AD (Delhi) 1

42
State v Navjot Sandhu (2005)11 SCC 600
  • Held, while examining Section 65 B Evidence Act,
    it may be that certificate containing details of
    subsection 4 of Section 65 is not filed, but that
    does not mean that secondary evidence cannot be
    given.
  • Section 63 & 65 of the Indian Evidence Act
    enables secondary evidence of contents of a
    document to be adduced if original is of such a
    nature as not to be easily movable.

43
Presumptions in law- Section 85 B Indian Evidence
Act
  • The law also presumes that in any proceedings,
    involving secure digital signature, the court
    shall presume, unless the contrary is proved,
    that the secure digital signature is affixed by
    the subscriber with the intention of signing or
    approving the electronic record
  • In any proceedings involving a secure electronic
    record, the court shall presume, unless contrary
    is proved, that the secure electronic record has
    not been altered since the specific point of
    time, to which the secure status relates

44
Presumption as to electronic messages- Section
88A of Evidence Act
  • The court may treat electronic messages received
    as if they were sent by the originator, with the
    exception that a presumption is not to be made as
    to the person by whom such message was sent.
  • It must be proved that the message has been
    forwarded from the electronic mail server to the
    person ( addressee ) to whom such message
    purports to have been addressed
  • An electronic message is primary evidence of the
    fact that the same was delivered to the addressee
    on date and time indicated.

45
IT Amendment Bill 2008-Section 79A
  • Section 79A empowers the Central govt to appoint
    any department, body or agency as examiner of
    electronic evidence for providing expert opinion on
    electronic form evidence before any court or
    authority.
  • Till now, government forensic lab of Hyderabad
    was considered of evidentiary value in courts -
    CFSIL
  • Statutory status to an agency as per Section 79A
    will be of vital importance in criminal
    prosecution of cybercrime cases in India

46
Defending an accused in a cybercrime
  • Preparation of chain of events table
  • Probing where evidence could be traced? E-mail
    inbox/files/folders/ web history
  • Has the accused used any erase evidence
    software/tools
  • Forensically screening the hardware/data/files
    /print outs / camera/mobile/pendrives of
    evidentiary value
  • Formatting may not be a solution
  • Apply for anticipatory bail
  • Challenge evidence produced by opposite party and
    look for loopholes
  • Filing of a cross complaint if appropriate

47
Thank you!
  • SETH ASSOCIATES
  • ADVOCATES AND LEGAL CONSULTANTS
  • New Delhi Law Office
  • C-1/16, Daryaganj, New Delhi-110002, India
  • Tel 91 (11) 65352272, 91 9868119137
  • Corporate Law Office
  • B-10, Sector 40, NOIDA-201301, N.C.R ,India
  • Tel 91 (120) 4352846, 91 9810155766
  • Fax 91 (120) 4331304
  • E-mail mail_at_sethassociates.com