Cyber Law & Security Policy 7.9.2025

Uploaded by

mdzubairfaiz4
Cyber Law & Security Policy

Reference: Cyber Security by Nina Godbole & Sunit Belapure, Wiley India Publication
Contents
• Module 1A : Introduction of Cybercrime
• Module 1B : Category of Cybercrime
• Module 4B : Cybercrime & Cybersecurity
INTRODUCTION OF CYBERCRIME
Cybercrime
• It is a crime committed using a computer, the Internet, cyberspace and the WWW to steal a person’s identity, sell contraband, stalk victims or disrupt operations with malevolent programs
• Some people think that cybercrime is a crime against software and not against a person or property, and so it is not a crime at all.

What is your opinion?


Cybercrime
Two types of cybercrime attacks are prevalent:
• Techno-crime
• Techno-vandalism
Cybercrime
Techno-crime : A planned act against a system or systems, with the intent to copy, steal, prevent access, corrupt or otherwise deface or damage parts of or the complete computer system

This is possible due to 24x7 Internet connection from anywhere in the world, leaving few fingerprints
Cybercrime
Techno-vandalism : These are acts of “brainless” defacement of websites and other activities like copying files and publicizing their contents publicly

Tight internal security allied to strong technical safeguards should be used to prevent such incidents
Cybercrime
Examples:
• Tampering with computer source documents
• Hacking with computer systems
• Obscene publication/transmission in
electronic form
• Failure of compliance/orders of
certifying authority
• Unauthorized access/ attempt to
access to protected computer system
Cybercrime
Examples:
• Obtaining a license or digital signature certificate by misrepresentation/suppression of facts
• Publishing a false digital signature
• Offences by/against public servants
• Destruction of e-evidence
• Forgery
• Criminal breach of trust/fraud
• Counterfeiting property, tampering, currency stamps
Cybercrime
Cybercrime vs Terrestrial crime
1. They are easier to commit
2. They require few resources relative to the potential damage caused
3. They can be committed in a jurisdiction without being physically present in it
4. They are often not clearly illegal
Cybercrime
Associated Terms
• Cyberspace
• Cybersquatting
• Cyberpunk
• Cyberwarfare
• Cyberterrorism
Cybercrime
Cyberspace
It is a worldwide network of computer networks that uses TCP/IP for communication to facilitate transmission and exchange of data
Cybercrime
Cybersquatting
It is the practice of buying “domain names” that have existing business names and selling them back to the rightful owner at a much higher price

It means registering, selling, or using a domain name with the intent of profiting from the goodwill of someone else’s trademark
Cybercrime
Cyberpunk
It is defined as “anarchy via machines”
The word first appeared as the title of a short story “Cyberpunk” by Bruce Bethke, published in the science fiction magazine AMAZING, 1983
It is about a bunch of teenage hackers/crackers and expresses the combination of punk attitudes and high technology
Cybercrime
Cyberwarfare
It means information warriors
unleashing vicious attacks against an
unsuspecting opponent’s computer
networks, wreaking havoc and paralyzing
nations
It is attack against information
infrastructure which includes
information resources and
communication systems that support an
industry, institution or population
Cybercrime
Cyberterrorism
Narrow Definition : It relates to deployments, by known terrorist organizations, of disruption attacks against information systems for the primary purpose of creating alarm and panic
Broad Definition : The premeditated use of disruptive activities, or the threat thereof, against computers and/or networks with the intention to cause harm or further social, ideological, religious, political or similar objectives, or to intimidate any person in furtherance of such objectives
Cybercrime
Botnet Menace
Botnet refers to a group of compromised computers (zombie computers, i.e., computers secretly under the control of hackers) running malware under a common command and control infrastructure
Cybercrime
Forgery
• Counterfeit currency notes, postage and revenue stamps, marksheets, etc. can be forged using sophisticated computers, printers and scanners
• Outside colleges, sale of fake marksheets and degree certificates prevails
• These are made using high quality scanners and printers
• This has become a booming business
Hacking
• Every act committed toward breaking into a computer and/or network is hacking, and it is an offense
• Attackers write or use ready-made computer programs to attack the target computer for enjoyment or for personal monetary gains
• They steal credit card information and transfer money from various banks to their account
• They extort money from some corporate giant by threatening to publish stolen information of a critical nature
Hacking
• Purpose :
• Greed
• Power
• Publicity
• Revenge
• Adventure
• Desire to access forbidden information
• Destructive mindset
Software Piracy
• Defined as theft of software through
the illegal copying of genuine
programs or the counterfeiting and
distribution of products intended to
pass for the original
• Examples:
• End-user copying
• Hard disk loading with illicit means
• Illegal downloads from the Internet
Software Piracy
• You have lots to lose:
• Getting untested software that may
have been copied thousands of times
over
• Software may contain hard-drive
infecting viruses
• Lack of technical support
• No warranty protection
• No legal right to use the product
Computer Network Intrusion
• Computer networks pose a security threat because people can get into them from anywhere
• Hackers or crackers can break into computer systems from anywhere and steal data, plant viruses, create backdoors, insert Trojan Horses
CATEGORY OF CYBERCRIME
Cybercriminals
Cybercrime involves such activities as
• credit card fraud
• cyberstalking
• defaming another online
• gaining unauthorized access to computer systems
• ignoring copyright, software licensing, trademark protection
• overriding encryption to make illegal copies
• software piracy, stealing another’s identity to perform criminal acts

Cybercriminals are those who perform these acts
Cybercriminals
Categories :
1. Type I : Cybercriminals – hungry for
recognition
2. Type II : Cybercriminals – not
interested in recognition
3. Type III : Cybercriminals – the
insiders
Cybercriminals
Categories :
Type I : Cybercriminals – hungry for
recognition
• Hobby hackers
• IT professionals (threat – social
engineering)
• Politically motivated hackers
• Terrorist organizations
Cybercriminals
Categories :
Type II : Cybercriminals – not interested
in recognition
• Psychological perverts
• Financially motivated hackers (corporate
espionage)
• State-sponsored hacking (national
espionage, sabotage)
• Organized criminals
Cybercriminals
Categories :
Type III : Cybercriminals – the insiders
• Disgruntled or former employees
seeking revenge
• Competing companies using
employees to gain economic
advantage through damage and/or
theft
Classification of
Cybercrimes
1. Cybercrime against individual
2. Cybercrime against property
3. Cybercrime against organization
4. Cybercrime against society
5. Crimes emanating from Usenet
groups
Classification of
Cybercrimes
Cybercrime against individual
• Electronic mail
• Phishing, Spear Phishing
• Spamming
• Cyberdefamation
• Cyberstalking and harassment
• Computer sabotage
• Password sniffing
Classification of
Cybercrimes
Cybercrime against property
• Credit card frauds
• Intellectual Property (IP) crimes
• Internet time theft
Classification of
Cybercrimes
Cybercrime against organization
• Unauthorized accessing of computer
• Password sniffing
• Denial-of-service
• Virus attack/dissemination of viruses
• E-mail bombing/mail bombs
• Salami attack/Salami technique
• Logic bomb
• Trojan Horse
• Data diddling
• Software piracy
• Computer Network Intrusions
Classification of
Cybercrimes
Cybercrime against society
• Forgery
• Cyberterrorism
• Web jacking
Classification of
Cybercrimes
Crimes emanating from Usenet groups
• These groups may carry very
offensive, harmful, inaccurate or
inappropriate material
• So we must use caution and
common sense and exercise proper
judgment when using Usenet
Classification of
Cybercrimes
Based on :
• Target of the crime
• Whether crime occurs as a single event or as a series of events
Classification of
Cybercrimes
• Target of the crime :
– Crimes targeted at individuals – Goal is to exploit human weakness such as greed and naivety
– Crimes targeted at property – Goal is to steal cell phones, laptops, PDAs, CDs and pendrives, transmitting harmful programs to destroy devices etc
– Crimes targeted at organizations – Goal is cyberterrorism by planting programs to get control of the network
Classification of
Cybercrimes
• Single event of cybercrime :
– It is the single event from the
perspective of the victim
– Unknowingly opening a virus affected
attachment that may infect the system
(PC/laptop)
– This is known as hacking or fraud
Classification of
Cybercrimes
• Series of events :
– This involves attacker interacting with
victims repetitively
– Attacker interacts with the victim on
the phone and/or via chat rooms to
establish relationship first and then
they exploit that relationship to
commit assault
Planning Attack
Steps :
• Reconnaissance (information gathering)
• Passive
• Active
• Scanning and scrutinizing
information for its validity
• Identifying existing vulnerabilities
• Launching an attack (gaining and
maintaining system access)
Passive Attack
• Involves gathering information about
a target without his/her knowledge
• May be done with
• Google or Yahoo search
• Organization’s website
• Surfing online community groups like
Orkut/Facebook
• Blogs, newsgroups, press releases
• Job postings in particular job profiles
Passive Attack
Tools used during passive attacks
• Google Earth
• Internet Archive
• Professional Community
• People Search
• Domain Name Confirmation
• WHOIS
• Nslookup
• Dnsstuff
• Traceroute
• VisualRoute Trace
• eMailTrackerPro
• HTTrack
• Website Watcher
• Competitive Intelligence
Active Attack
• Involves probing the network to
discover individual hosts to confirm
the information ( IP address, OS type
& version, services on the network)
gathered in passive attack
• It is called “ Rattling the doorknobs ”
or “ Active reconnaissance ”
• It provides confirmation about
security measures – but is risky
Active Attack
Tools used during active attacks
• Arphound
• Arping
• Bing
• Bugtraq
• Dig
• DNStracer
• Dsniff
• Filesnarf
• FindSMB
• Fping
• Fragroute
• Fragtest
• Hackbot
• Hmap
• Hping
• Httping
• Hunt
• Libwhisker
• Mailsnarf
• Msgsnarf
• NBTScan
• Nessus
• Netcat
• Nikto
• Nmap
• Pathchar
• Ping
• ScanSSH
• SMBclient
• SMTPscan
• TCPdump
• TCPreplay
• THC-Amap
• Traceroute
• URLsnarf
• XProbe2
Scanning & Scrutinizing
Objectives :
• Port scanning – Identifying open/close
ports and services
• Network scanning - Understanding IP
Addresses and related information about
computer network systems
• Vulnerability scanning – Understanding
existing weaknesses in the system
Scanning & Scrutinizing
Ports
• A port is an interface on a computer to which one can connect a device
• TCP/IP has ports 0 through 65536 (i.e., from 2^0 to 2^16 for a binary address)
• Port numbers are divided into 3 ranges:
• Well-known ports (from 0 to 1023)
• Registered ports
• Dynamic and/or private ports
Scanning & Scrutinizing
Well-known Ports
Scanning & Scrutinizing
• Port Scanning
• Ports are entry/exit points that any
computer has to be able to communicate
with external machines
• Each computer has 3 or more external ports
• These are used to communicate with
printers, modems, mouse, scanner, video
game etc
• “Nmap ” is used for port scanning (to see which
ports are open and what OS is being used by the
system)
Scanning & Scrutinizing
• Port Scanning
• In “portscan ” a host scans for listening
ports on a single target host
• In “portsweep ” a host scans multiple
hosts for a specific listening port
Scanning & Scrutinizing
• Port Scanning
• The result of port scanning is
categorized into:
• Open or accepted : The host sent a reply
indicating that a service is listening on the
port
• Closed or not listening : The host sent a reply
indicating that connections will be denied to
the port
• Filtered or blocked : There was no reply from
the host
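A defender sees a portscan and a portsweep as two different shapes in the firewall log: one source against many ports on one host, or one source against one port on many hosts. The detector below is an added example for this page, not code from the original slides; the single-line log format `src dst dport action` and the two thresholds are assumptions, and the log lines are constructed.

```python
"""Detection logic for the two scan shapes the slides name: a portscan (one
source probing many ports on one host) and a portsweep (one source probing one
port on many hosts).  Added example for this page, not code from the original
slides.  The log format 'src dst dport action' is an assumption."""
from collections import defaultdict

PORTSCAN_MIN_PORTS = 10   # distinct ports on one host before we call it a portscan
PORTSWEEP_MIN_HOSTS = 5   # distinct hosts on one port before we call it a portsweep


def build_sample_log():
    """Constructed firewall log lines: one scanner, one sweeper, one normal client."""
    lines = [f"10.0.0.5 192.168.1.10 {port} DENY" for port in range(20, 36)]  # 16 ports
    lines += [f"10.0.0.9 192.168.1.{host} 445 DENY" for host in range(1, 9)]  # 8 hosts
    lines += ["10.0.0.7 192.168.1.10 80 ALLOW"] * 3                           # benign
    return lines


def parse_line(line):
    """Return (src, dst, dport) or None for a malformed line."""
    parts = line.split()
    if len(parts) < 3 or not parts[2].isdigit():
        return None
    return parts[0], parts[1], int(parts[2])


def detect(lines, scan_min=PORTSCAN_MIN_PORTS, sweep_min=PORTSWEEP_MIN_HOSTS):
    """Group events by (src, dst) and by (src, dport); flag groups over threshold.
    Counts are returned so the analyst can see how wide each scan was."""
    ports_per_host = defaultdict(set)   # (src, dst)   -> {dport}
    hosts_per_port = defaultdict(set)   # (src, dport) -> {dst}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                    # skip noise rather than crash the detector
        src, dst, dport = parsed
        ports_per_host[(src, dst)].add(dport)
        hosts_per_port[(src, dport)].add(dst)
    return {
        "portscan": {k: len(v) for k, v in ports_per_host.items() if len(v) >= scan_min},
        "portsweep": {k: len(v) for k, v in hosts_per_port.items() if len(v) >= sweep_min},
    }


if __name__ == "__main__":
    for kind, hits in detect(build_sample_log()).items():
        for key, width in hits.items():
            print(f"{kind}: {key} ({width} distinct targets)")
```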
Scanning & Scrutinizing
• Ports for TCP/IP
• Ports 20 and 21 – File Transfer Protocol (FTP) – are used for uploading and downloading of information
• Port 25 – Simple Mail Transfer Protocol (SMTP) – is used for sending/receiving E-Mails
• Port 23 – Telnet Protocol – is used to connect directly to a remote host
• Port 80 – It is used for Hypertext Transfer Protocol (HTTP)
• Internet Control Message Protocol (ICMP) – It does not have a port abstraction and is used for checking network errors, viz. ping
Scanning & Scrutinizing
• Vulnerabilities of ports
• Vulnerabilities associated with the program that is delivering the service
• Vulnerabilities associated with the OS that is running on the host – closed ports

Usually most attackers spend 90% of the time in scanning, scrutinizing and gathering information on a target and 10% of the time in launching the attack
Scanning & Scrutinizing
• Attack (Gaining and Maintaining the System Access)
• Crack the password
• Exploit the privileges
• Execute the malicious commands/applications
• Hide the files (if required)
• Cover the tracks – delete the access logs, so as to remove the trail of illicit activity
Social Engineering
• Human-based
• Impersonating an employee or valid user
• Posing as an important user
• Using a third person
• Calling technical support
• Shoulder surfing
• Dumpster diving
Social Engineering
• Computer-based
• Fake E-Mails
• E-Mail attachments
• Pop-up windows

Social engineering and dumpster diving are also considered passive information-gathering methods
Cyberstalking
• Stalking means “act or process of following prey stealthily – trying to approach somebody or something”
• Cyberstalking means “use of information and communications technology by an individual or group to harass another individual, group, organization”
• Behaviour includes false accusations, monitoring, threats, ID theft, damage to data or equipment
Cyberstalking
• Types of stalkers :
• Online stalkers – Internet, Email, chat room
• Offline stalkers – following the victim, watching the daily routine of the victim, searching on personal websites about the victim outside the knowledge of the victim
Cyberstalking

Foursquare is a location-based social networking website for mobile devices, such as smart phones. Users “check in” at venues using a mobile website, text messaging or a device-specific application by selecting from a list of venues the application locates nearby. Location is based on GPS in the mobile device or network location provided by the application, and the map is based on data from the OpenStreetMap project.
Cyberstalking
Case Study
- Mrs. Joshi of Delhi received almost 40
calls a day for 3 days at odd hours from
Kuwait, Cochin, Bombay and Ahmadabad that
created havoc in her personal life
- She registered a complaint with Delhi
Police
- Actually a person was using her ID to chat
over the Internet at www.micr.com for 4
consecutive days using obscene language and
gave Mrs. Joshi’s telephone no. to other
chatters encouraging them to call her at
odd hours
CYBERCRIME AND CYBER
SECURITY
Legal Aspects
❖ Cybercrime is the largest illegal industry
❖ It involves massive, coordinated attacks against
the information infrastructure of a country
❖ So knowledge of cyber laws is essential for
people who interact with networked services
either over
❖ Internet
❖ Banks
❖ Stock brokers
❖ Intra-or inter-company information exchange
systems
❖ Involved in social networking sites
Legal Aspects
❖ We must have a sound knowledge about
digital evidence as given by the Indian
Information Technology Act (ITA) 2000
❖ For global business – besides Indian
legislations, world scenario may be
considered
❖ At 10 th United Nations Congress on
Prevention of Crime and Treatment of
Offenders, in a workshop devoted to the
issues of crimes related to computer
networks, cyber crime was broken into two
categories
❖ Computer crime
Legal Aspects
❖ Cybercrime in a restrictive sense (computer crime)
Any illegal behavior carried out by electronic means
targeting the security of computer system
❖ Cybercrime in a general sense (computer-related
crime)
Any illegal behavior carried out by means of or in
relation to a computer system or network including
such crimes as
❑ illegal possession
❑ offering or distributing information by means of
computer system or network
Legal Aspects
❖ Some more examples are:
❖ Unauthorized access to computer
❖ Causing damage to computer data or
programs
❖ An act of computer sabotage
❖ Doing unauthorized interception of
communications
❖ Carrying out computer espionage
Legal Aspects
❖ Degree of Unlawful Access to
Computer
❖ First-degree access
❖ Second-degree access
❖ Third-degree access
❖ Fourth-degree access
❖ Computer trespassing
Legal Aspects
❖ Degree of Unlawful Access to
Computer
❖ First-degree access: crime is of
first-degree when a person accesses,
causes to be accessed or attempts to
access a computer system and computer
software for the purpose of defrauding
or obtaining money, property or services
by fraudulent pretense – This crime is a
Class C felony
Legal Aspects
❖ Degree of Unlawful Access to
Computer
❖ Second-degree access: crime is of
second-degree when a person accesses,
causes to be accessed or attempts to
access a computer system and computer
software and the crime results in
damages or losses of value considered
high enough by the law– This crime is a
Class D felony
Legal Aspects
❖ Degree of Unlawful Access to
Computer
❖ Third-degree access: crime is of third-degree when a person accesses, causes to be accessed or attempts to access a computer system and computer software and the crime results in loss or damage of less than the value that is considered “high” by the prevailing law in the country – This crime is a Class A misdemeanor
Legal Aspects
❖ Degree of Unlawful Access to
Computer
❖ Fourth-degree access: crime is of
fourth-degree when a person accesses,
causes to be accessed or attempts to
access a computer system and computer
software but there is no loss or damage
– This crime is a Class B misdemeanor
Legal Aspects
❖ Degree of Unlawful Access to
Computer
❖ Computer trespassing: involves using a
computer with the knowledge that such
use is without authority and with the
intention of:
a) deleting temporarily or permanently
any computer data
b) altering, damaging or causing
malfunction of a computer
Indian Cyber Laws
• Under the purview of cyber law, the
different aspects are:
• Intellectual Property
• Data protection and privacy
• Freedom of expression
• Crimes committed using computers
Indian Cyber Laws
• ITA 2000 aimed at providing the legal
infrastructure for E-Commerce in
India to
• Manage all aspects, issues, legal
consequences and conflict in the world
of cyberspace, Internet or WWW
• Provide legal recognition for
transactions carried out by electronic
data interchange and other means of
electronic communication – E-Commerce
Indian Cyber Laws
• Reasons for enactment of cyber laws
in India:
• Well-defined legal system of India lacks
in many aspects when it comes to
Internet Technology
• Need to have some legal recognition to
the Internet – the most dominating
source of business
• Cyberterrorism came into existence – an
old offence in an innovative way
Indian Cyber Laws
• A legal framework for cyberworld was
conceived in India in the form of a draft
E-Commerce Act 1998
• Thereafter the basic law for the cyberspace
transactions in India has emerged in the form
of the ITA 2000
• ITA 2000 amended the Indian Penal Code (IPC)
1962, the Indian Evidence Act 1872, the
Banker’s Book Evidence Act 1891, the Reserve
Bank of India Act 1934
Indian IT Act
• Contents:
• Cybercrimes punishable under Indian IT Act
• Digital Evidence and its Admissibility in
Courts
• Admissibility of E-Records: Amendments
made in the Indian ITA 2000
• Positive Aspects of ITA 2000
• Weak Areas of ITA 2000
• Challenges to Indian Law and Cybercrime
Scenario in India
• Consequences of not Addressing the
Weakness in ITA 2000
Cybercrimes punishable under
Indian IT Act
• Under section 65 of Indian Copyright Act- making
copies of any work in which Copyright subsists is
punishable with imprisonment of up to 2 years
with fine
• Under section 67 of IT Act - sending obscene
E-Mails are punishable with imprisonment of up to
5 years and with fine (~ 1 L)
• Under section 500 of IPC - defamatory E-Mails are
punishable with imprisonment of up to 2 years or a
fine or both
• Under provisions of IPC - threatening E-Mails are
punishable pertaining to criminal intimidation,
insult and annoyance and extortion
• Under provisions of IPC - E-Mail spoofing is
punishable with regard to fraud, cheating by
impersonation and forgery
Sections of Indian IT Act Relevant
Cybercrime in legal context
• Section 65: Tampering with computer
source documents
• Imprisonment of 3 years, fine 2L or
both
• Section 66: Computer related offenses
• Imprisonment of 3 years, fine 5L or
both
• Section 67L : Punishment for
publishing or transmitting obscene
material in electronic form
• Imprisonment – 3 years, fine 5L for first
conviction
• Imprisonment – 5 years, fine 10L for
Sections of Indian IT Act Relevant
Cybercrime in legal context
• Section 71: Penalty for misrepresentation
• Imprisonment of 2 years, fine 1L or both
• Section 72: Penalty for breach of
confidentiality and privacy
• Imprisonment of 2 years, fine 1L or both
• Section 73: Penalty for publishing Digital
Signature Certificate false in certain
particulars
• Imprisonment of 2 years, fine 1L or both
• Section 74: Publication for fraudulent
purpose
• Imprisonment of 2 years, fine 1L or both
Digital Evidence and its Admissibility in Courts
• Digital/Electronic evidence is probative information stored in digital form that a party may use at trial
• It includes:
• Computer printouts
• E-Mails
• Digital photographs
• ATM transaction logs
• Spreadsheets
• With increased computerization and technology as well as the rise of the digital office, courts have been forced to allow for the admittance of digital evidence
Digital Evidence and its
Admissibility
in Courts
• Challenges in digital evidence handling:
• Extensive usage of computers in spite
of complex computer technology
• Extensive data stored on today’s
computers
• Limited resources available to analyze
computer evidence causes delay in
return of digital evidence
Digital Evidence and its
Admissibility
in Courts
• Challenges in digital evidence handling:
• Cybercrime occurring from anywhere in the
world causes difficulty in obtaining evidence
and enforcing warrants for searches and
seizures of digital evidence stored abroad
• Courts have noted that as compared to
traditional evidence digital version is more
voluminous, difficult to destroy, easily
modified, easily duplicated, potentially more
expressive and more readily available
Sources of Digital Evidence
❑ More than the obvious
– PCs
– PDAs
– Mobile Phones
– GPS
– Digital TV systems
– CCTV
– Other Embedded Devices
Forensic Computing
Purpose
❑ Forensic computing techniques may be deployed to :
❑ Recover evidence from digital sources
• Witness – factual only
❑ Interpret recovered evidence
• Expert witness – opinion & experience
Forensic Computing
Definition
❑ Forensic
❑ Relating to the recovery, examination and/or production of evidence for legal purposes
❑ Computing
❑ Through the application of computer-based techniques
Forensic Computing :
Alternative Definition
“...the application of science and engineering to the legal problem of digital evidence. It is a synthesis of science and law”
Forensic Computing
Background
• Role of the forensic examiner
– Retrieve any and all evidence
– Provide possible interpretations
• How the evidence got there
• What it may mean
– Implication
• The “illicit” activity has already been identified
• Challenge is to determine who did it and how
Forensic Computing
Single Source Cases
• According to Marshall & Tompsett [1]
– Any non-internet connected system can be treated as a single source of evidence, following the same examination principles as a single computer
– Even a large network
– Is this a valid proposition ?
Forensic Computing
Single Source
• Implies that the locus of evidence can be determined
– i.e. There are no unidentified or external entities involved
• Even in a large network, all nodes can be identified
– as long as the network is closed (i.e. The limit of extent of the network can be determined)
• “Computer-assisted/enabled/only” categories
Forensic Computing
Static Evidence
• Time is the enemy
– Primary sources of evidence are storage devices
• Floppies, hard disks, CD, Zip etc.
• Log files, swap files, slack space, temporary files
– Data may be deleted, overwritten, damaged or compromised if not captured quickly
– (See ACPO guidelines – No.1)
Forensic Computing
Standard seizure procedure
1) Quarantine the scene
– Move everyone away from the suspect equipment
2) Kill communications
– Modem, network
3) Visual inspection
– Photograph, notes
– Screensavers ?
4) Kill power
5) Seize all associated equipment and removable media
– Bag 'n' tag immediately
– Record actions
6) Ask user/owner for passwords
Forensic Computing
Imaging and Checksumming
• After seizure, before examination
– Make forensically sound copies of media
– Produce image files on trusted workstation
– Produce checksums
• For integrity checking
Forensic Computing
Why image ?
• Why not just boot the suspect equipment and check it directly?
Forensic Computing
Forensically sound copy
• Byte by byte, block by block copy of ALL data on the medium, including deleted and/or bad blocks.
– Device level and logical level (partitions)
• Identical to the original
• Specialist programs
– (e.g. Encase)
• Adapt standard tools
– (e.g. “dd” on Unix/Linux/*BSD/MacOS X)
Forensic Computing
Checksumming
• During/immediately after imaging
– Calculate checksum files for the image. Ideally 1 per block.
– Use later to verify that
• Image file has not changed
• Source media has not been modified
– Difficult at device level – differences between devices (manufacturing defects)
– Possible algorithms
• MD5, SHA, SNEFRU
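The imaging and checksumming steps above, worked through on a constructed in-memory "device" instead of a real disk. This is an added example for this page, not code from the slides or from any forensic tool: the four-block device is constructed, and SHA-256 from `hashlib` is used in place of the MD5/SHA/SNEFRU the slide lists. The one-checksum-per-block recommendation is what lets `verify` say which block changed rather than only that something did.

```python
"""Forensically sound copy plus per-block checksums (the 'imaging and
checksumming' step).  Added example, not from the original page: the
'device' is a constructed byte string standing in for a disk."""
import hashlib

BLOCK_SIZE = 512


def make_constructed_device():
    """Four 512-byte blocks: a boot-like header, a live file, the remains of a
    file the file system considers deleted, and an unused block.  A forensically
    sound copy takes all four, not only what the file system shows."""
    blocks = [
        b"BOOT".ljust(BLOCK_SIZE, b"\x00"),
        b"live document contents".ljust(BLOCK_SIZE, b"\x00"),
        b"remains of a deleted file".ljust(BLOCK_SIZE, b"\x00"),
        bytes(BLOCK_SIZE),
    ]
    return b"".join(blocks)


def image_device(source):
    """Byte-by-byte copy of ALL data (the role dd plays for a real device)."""
    return bytes(source)


def block_checksums(data, block_size=BLOCK_SIZE):
    """One checksum per block, as the slides recommend."""
    return [hashlib.sha256(data[i:i + block_size]).hexdigest()
            for i in range(0, len(data), block_size)]


def whole_checksum(data):
    """Single checksum over the whole image, for the evidence record."""
    return hashlib.sha256(data).hexdigest()


def verify(data, expected, block_size=BLOCK_SIZE):
    """Indices of blocks whose current checksum differs from the recorded one.
    An empty list means the image (or the re-read source) is unchanged."""
    current = block_checksums(data, block_size)
    if len(current) != len(expected):
        raise ValueError("block count changed: image truncated or extended")
    return [i for i, (now, then) in enumerate(zip(current, expected)) if now != then]


if __name__ == "__main__":
    device = make_constructed_device()
    image = image_device(device)
    sums = block_checksums(image)
    print("image matches source:", whole_checksum(image) == whole_checksum(device))
    print("blocks changed since imaging:", verify(image, sums))
```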
Forensic Computing
Sources of evidence in the image
• Image is a forensically sound copy
– Can be treated as the original disk
– Examine for
• “live” files
• Deleted files
• Swap space
• Slack space
Live Files
• “live” files
– Files in use on the system
– Saved data
– Temporary files
– Cached files
• Rely on suspect not having time to take action
Deleted files
• O/S rarely deletes all data associated with a file
– More commonly marks space used by file as available for re-use
– e.g.
• In FAT systems, change 1st character of name to “deleted” marker
• In Unix/Linux – add nodes to free list
– Data may still be on disk, recoverable using sector-level tools
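The FAT case from the slide, shown with a sector-level parser: on delete the O/S only overwrites the first byte of the 32-byte directory entry with the 0xE5 marker, so the extension, start cluster, size and the data clusters themselves are still readable. This is an added example for this page, not code from the slides or from any forensic product; the directory region and data area are constructed, with a fixed 512-byte cluster assumed for simplicity.

```python
"""Recovering a file that FAT considers deleted.  Added example for this page,
not from the original slides; the volume below is constructed in memory."""
import struct
from dataclasses import dataclass

ENTRY_SIZE = 32         # one FAT 8.3 directory entry
DELETED_MARKER = 0xE5   # first name byte of a deleted entry
END_OF_DIR = 0x00       # first name byte of a never-used entry: stop here
CLUSTER_SIZE = 512      # constructed volume: one 512-byte sector per cluster
FIRST_DATA_CLUSTER = 2  # FAT numbers data clusters from 2


@dataclass
class DirEntry:
    name: str
    deleted: bool
    first_cluster: int
    size: int


def make_entry(base, ext, first_cluster, size, deleted=False):
    """Build a raw 8.3 directory entry (constructed test data)."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:11] = (base.ljust(8) + ext.ljust(3)).encode("ascii")
    raw[11] = 0x20                                   # ATTR_ARCHIVE: ordinary file
    struct.pack_into("<H", raw, 26, first_cluster)   # low word of start cluster
    struct.pack_into("<I", raw, 28, size)            # file size in bytes
    if deleted:
        raw[0] = DELETED_MARKER                      # all the O/S changes on delete
    return bytes(raw)


def build_constructed_volume():
    """Directory with a live file and a deleted one, plus their data clusters."""
    directory = (make_entry("NOTES", "TXT", 2, 11)
                 + make_entry("SECRET", "DOC", 3, 20, deleted=True)
                 + bytes(ENTRY_SIZE))                               # end of directory
    data_area = (b"hello world".ljust(CLUSTER_SIZE, b"\x00")            # cluster 2
                 + b"payroll for Q3 draft".ljust(CLUSTER_SIZE, b"\x00"))  # cluster 3
    return directory, data_area


def parse_directory(region):
    """Walk the entries a sector-level tool sees, deleted ones included.
    The first character of a deleted name is lost and is shown as '?'."""
    entries = []
    for off in range(0, len(region) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = region[off:off + ENTRY_SIZE]
        if raw[0] == END_OF_DIR:
            break
        deleted = raw[0] == DELETED_MARKER
        base = raw[1:8].decode("ascii", "replace").rstrip()
        base = ("?" if deleted else chr(raw[0])) + base
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        name = f"{base}.{ext}" if ext else base
        first_cluster = struct.unpack_from("<H", raw, 26)[0]
        size = struct.unpack_from("<I", raw, 28)[0]
        entries.append(DirEntry(name, deleted, first_cluster, size))
    return entries


def carve_first_cluster(data_area, entry):
    """Read the file's data straight from its start cluster.  Only the first
    cluster is certain for a deleted file: the chain is gone and later clusters
    may already have been reused."""
    start = (entry.first_cluster - FIRST_DATA_CLUSTER) * CLUSTER_SIZE
    return data_area[start:start + min(entry.size, CLUSTER_SIZE)]


if __name__ == "__main__":
    directory, data_area = build_constructed_volume()
    for entry in parse_directory(directory):
        tag = "DELETED" if entry.deleted else "live   "
        print(tag, entry.name, carve_first_cluster(data_area, entry))
```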
Swap space
• Both O/S and program swap
– Areas of I/O memory swapped out to disk may contain usable data
– Created by O/S during scheduling
– Created by programs when required
Slack space
• Files rarely completely fill all allocated sectors
– e.g. Sector size of 512 bytes, file size 514 bytes – 2 sectors, but one only contains 2 bytes of real data
– Disk controller must write a complete sector.
• Using DMA, grabs “spare” bytes from I/O memory and pads the sector
• Padding may contain useful evidence, potentially from past programs – same rules apply to RAM as Disk! (unless powered down)
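The slack arithmetic from the slide (512-byte sectors, 514-byte file, 2 sectors, 510 bytes of slack), carried through in code together with the extraction an examiner does on the image. This is an added example, not from the slides; the controller that pads the last sector from a stale memory buffer is simulated with constructed data so the point about leftover bytes can be seen.

```python
"""Slack space arithmetic and extraction.  Added example for this page, not
from the original slides; the 'stale buffer' padding is constructed."""
SECTOR_SIZE = 512


def allocation(file_size, sector_size=SECTOR_SIZE):
    """(sectors allocated, slack bytes left in the last sector)."""
    sectors = -(-file_size // sector_size)       # ceiling division
    return sectors, sectors * sector_size - file_size


def write_whole_sectors(content, stale_buffer, sector_size=SECTOR_SIZE):
    """Simulate a controller that must write complete sectors: the tail of the
    last sector is filled from a stale memory buffer instead of zeros."""
    sectors, slack = allocation(len(content), sector_size)
    if slack == 0:
        return content
    repeats = slack // len(stale_buffer) + 1
    return content + (stale_buffer * repeats)[:slack]


def extract_slack(on_disk, file_size, sector_size=SECTOR_SIZE):
    """Bytes between the logical end of the file and the end of its last
    sector: what a sector-level tool carves, and what the file system hides."""
    sectors, _ = allocation(file_size, sector_size)
    return on_disk[file_size:sectors * sector_size]


if __name__ == "__main__":
    print("514-byte file:", allocation(514))         # (2, 510) as on the slide
    disk = write_whole_sectors(b"A" * 514, b"old-password-list;")
    print("slack contents:", extract_slack(disk, 514)[:40])
```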
What about edited files ?
• e.g.
– Entries deleted from log files ?
Recovered data
• Needs thorough analysis to reconstruct full or partial files
• May not contain sufficient contextual information
– e.g. missing file types, timestamps, filenames etc.
Challenges
Current & Future
Challenges - Current
• Recovered data may be
– Hashed
– Encrypted
– Steganographic
• Analytical challenges
Hashed Data

• Non-reversible process
– i.e. Original data cannot be determined from
the hashed value
• cf. Unix/Linux password files
– Aka (erroneously) “one-way” encryption
– “Brute Force” attack may be required
• Is this good enough for legal purposes ?
Encryption
• Purpose
– To increase the cost of recovery to a point where it is not worth the effort
• Symmetric and Asymmetric
• Reversible – encrypted version contains full representation of original
• Costly for criminal, costly for investigator
Steganography
• Information hiding
– e.g.
• Maps tattooed on heads
• Books with pinpricks through letters
• Low-order bits in image files
– Difficult to detect, plenty of free tools
– Often combined with cryptographic techniques.
Worse yet
• CryptoSteg
• SteganoCrypt
• Combination of two techniques...
– layered
Additional challenges

• Emerging technologies
• Wireless
– Bluetooth
• “Bluejacking”, bandwidth theft
– 802.11 b/g/a
• Insecure networks, Insecure devices
• Bandwidth theft, storage space theft
– Forms of identity theft
Additional challenges

• Viral propagation
– Proxy implantation
• Sobig, SuperZonda
– obscene
– Evidence “planting”

• Proven defence
Case studies

• Choose from :
– IPR theft
– Identity theft & financial fraud
– Murder
– Street crime (mugging)
– Blackmail
– Fraudulent trading
– etc. etc. etc.
Admissibility of E-Records
Amendments made in the Indian ITA 2000
• The Second Schedule of Indian ITA 2000: Amendment to the Indian Evidence Act
• The Third Schedule of Indian ITA 2000: Amendment to the Banker’s Books Evidence Act
• The Fourth Schedule of Indian ITA 2000: Amendment to the Reserve Bank of India Act
Admissibility of E-Records
Amendments made in the Indian ITA 2000
• The Second Schedule of Indian ITA 2000: Amendment to the Indian Evidence Act
• “Evidence” – the words “Electronic records” to be included
Admissibility of E-Records
Amendments made in the Indian ITA 2000
• The Third Schedule of Indian ITA 2000:
Amendment to the Banker’s Books
Evidence Act
• “Banker’s Books” – the words ledgers, data-books, cash-books, account-books and all other books used in the written form or as printouts of data stored in a floppy, disc, tape or any other form of electro-magnetic data storage device to be included
• “Certified copy” – consists of printouts with such statements certified, to be included
Admissibility of E-Records
Amendments made in the Indian ITA 2000
• The Fourth Schedule of Indian ITA 2000:
Amendment to the Reserve Bank of India
Act
• “the regulation of fund transfer through electronic means between banks or between banks and other financial institutions, including laying down of the conditions subject to which banks and other financial institutions shall participate in such fund transfers, the manner of such fund transfers and rights and obligations of the participants in such fund transfers” to be inserted
Positive Aspects of ITA 2000
• Acceptance of E-Mail as a legal form of
communication
• Growth of E-Commerce using the legal
infrastructure provided by ITA 2000
• Use of digital evidence to carry out online
transactions
• Statutory remedy for anyone breaking into
computer systems and networks of
companies and causing damage or copying
data
• Definition of cybercrimes and legal redress
for them
Weak Areas of ITA 2000
• Causes a conflict of jurisdiction
• Domain names on which E-Commerce is
based, have not been defined and the
rights and liabilities of domain name
owners are not mentioned in the law
• The law lacks proper Intellectual Property
Protection for Electronic Information and
Data
• The law does not cover various kinds of
cybercrimes and Internet-based crimes like
• Cybertheft, cyberstalking, cyberharassment, cyberdefamation, cyberfraud, misuse of credit card numbers, chat room abuse, theft of Internet hours, cybersquatting
Challenges to Indian Law and
Cybercrime Scenario in India
• Indian law does not provide definition of
cybercrime
• Indian cyberlaw even after amendment does
not use the term cybercrime – has a chapter
entitled offences in which cybercrimes has
been declared as penal offences punishable
with imprisonment and fine viz.,
• Tampering with computer source code
• Un-authorized access to computer
• Failure to decrypt information in the interest of
sovereignty or integrity of India, security of
state
Challenges to Indian Law and
Cybercrime Scenario in India
Offences:
• Securing access or attempting to secure
access to a protected system
• Misrepresentation while obtaining any
license to act as a Certifying Authority (CA)
or a digital signature certificate
• Breach of confidentiality and privacy
• Publication of false digital signature
certificates
• Publication of digital signature certificates
for fraudulent purposes
Challenges to Indian Law and
Cybercrime Scenario in India
So with respect to the previous discussion –
• Legal drawbacks with regard to cybercrimes addressed in India exist – need to improve the legal scenario
• Law enforcement agencies in India are neither
well equipped nor knowledgeable about
cybercrime – training is necessary
• Lack of cybercrime courts in India – lack of cyber
savvy judges – cyber cell officials need a sound
technical training
• People need to be encouraged to report the
matter to the law enforcement
• Need for a distinct law on cybercrime and
appropriate changes should be made in IPC and
IT Act
Consequences of not Addressing
the Weakness in ITA 2000
• India’s outsourcing sector may get impacted
• There are many news about overseas
customer worrying about data breaches
data leakages in India
• This can result in breaking India’s IT
business leadership in international
outsourcing market

If the weaknesses in ITA 2000 are not addressed in the near future, then the dream of India ruling the world’s outsourcing market may not come true
Thank You
