New Age Cybercrime conference Novotel, Mumbai 29& 30th Oct

New Age Cybercrime conference
Novotel, Mumbai
29 & 30th Oct 2009
Launching Investigation, prosecution and defending of a computer related crime
Karnika Seth
Cyberlaw & IP expert
Managing Partner, Seth Associates
Chairperson, Cyberlaws Consulting Centre
Introduction
- Seth Associates is a leading full service Indian law firm that is internationally networked to provide a spectrum of legal services to its domestic and international clients.
- Network of 2000 associate offices of the Association of European lawyers (AEA alliance) as foreign associates.
- We maintain one of the strongest Cyberlaws practices in India today. With more than a decade's experience in Cyberlaws practice, Seth Associates recently established the world's first integrated 'Cyberlaws Consulting Centre' at Seth Associates.
CCC - Cyberlaws Consulting Centre
- CCC renders cyber legal consultancy, cyber law analytics and forensic services to its clients worldwide.
- Work experience of handling cybercrime matters with Delhi Police.
- Delivered training workshops to Delhi Police on dealing with cybercrime investigation cases.
- Recently authored a book titled ‘Cyberlaws in the Information Technology Age’, published by Lexis Nexis Butterworths, that elucidates the key developments in the field of Cyberlaws across many important jurisdictions: India, United States and European nations.
‘Cyberlaws in the Information Technology Age’ by Karnika Seth
Presentation plan
- The categories of cybercrimes
- The techniques of cyber investigation and forensic tools
- Analysis of the cybercrime & Indian legal position
- The possible reliefs to a cybercrime victim and strategy adoption
- The preparation for prosecution
- Admissibility of digital evidence in courts
- Defending an accused in a computer related crime
Cyber Threats in 2009 and Beyond
Report of Georgia Tech Information Security Center (GTISC)
- Malware
- Data thefts
- Cyber warfare
- Botnets
- Threats to VOIP and mobile convergence
Vectors & trends for cyber threats
- Malicious attackers will install malware on social networking sites, leading to increased phishing scams, stealing of data, etc.; browser level protection is needed.
- Hackers will install malcode within video content, which will affect users accessing video clips.
- Mash up technology, used by web applications to combine data/media from multiple sources, locations and coding styles, may lead to increased corporate espionage and other scams.
- Identity thefts will only increase, and botnets will be used for corporate espionage and phishing scams.
- Polymorphic exploitation: creation of a unique exploit with each user request, so that signature based protection engines at network or host level fail.
- Growing popularity of VOIP applications: instances of voice spam and voice phishing or smishing will increase.
- Targeted attacks: attack activity through e-mail, instant messaging and P2P networks will increase.
- Denial of service affecting voice infrastructure.
- Cyber terrorist attacks will increase and lead to cyber warfare, a threat to the nation’s sovereignty.
- MMS scams will be on the rise and raise issues of defamation and invasion of privacy.
Striking facts!

According to a report compiled by Panda Labs, in 2008, 10 million bot computers were used to distribute spam and malware across the Internet each day.

The annual take by theft-oriented cyber criminals is estimated to be as high as 100 billion dollars, and 97 per cent of these offences go undetected (CBI's Conference on International Police Cooperation against Cyber Crime, March 2009).
Source: Government Accountability Office (GAO), Department of Homeland
Security's (DHS's) Role in Critical Infrastructure Protection (CIP) Cybersecurity,
GAO-05-434 (Washington, D.C.: May, 2005).
Cyber threat groups
- Bot network operators
- Spyware authors
- Foreign intelligence
- Insiders
- Phishers
- Spammers
Glaring Examples – Data thefts
- The incidents in the recent past involving Cyber Space have highlighted the issues of privacy and data protection in India.
- The Pune scam was the first among the many BPO frauds that made international headlines. In April 2005, five employees of MsourcE in Pune were arrested for allegedly pulling off a fraud worth nearly 2.5 crore rupees from the Citibank accounts of four New York-based account holders.
- In June 2005, the British tabloid Sun, in a sting operation, purchased the bank account details of 1,000 Britons from Karan Bahree, an employee of Gurgaon-based BPO company Infinity E-Search.
MMS scandals
- In 2004 a DPS (Delhi Public School) student filmed a sexually explicit video clip of his classmate in a compromising position on his cell phone and forwarded the video via MMS to his friends. The clip was then put up on Bazee.com and widely circulated.
- The case of the State of Tamil Nadu Vs Suhas Katti is notable for the fact that the conviction was achieved successfully within a relatively quick time of 7 months from the filing of the FIR.
- The case related to the posting of obscene, defamatory and annoying messages about a divorcee woman in a Yahoo message group. The Additional Chief Metropolitan Magistrate delivered the judgment on 5-11-04 as follows:

“The accused is found guilty of offences under section 469, 509 IPC and 67 of IT Act
2000 and the accused is convicted and is sentenced for the offence to undergo RI for
2 years under 469 IPC and to pay fine of Rs.500/- and for the offence u/s 509 IPC
sentenced to undergo 1 year Simple imprisonment and to pay fine of Rs.500/- and
for the offence u/s 67 of IT Act 2000 to undergo RI for 2 years and to pay fine of
Rs.4000/- All sentences to run concurrently.”

This is considered the first case convicted under section 67 of Information Technology
Act 2000 in India
Incident Response – a precursor to Techniques of Cyber investigation & forensic tools

‘Incident response’ could be defined as a precise set of actions to handle any security incident in a responsible, meaningful and timely manner.

Goals of incident response:
- To confirm whether an incident has occurred
- To promote accumulation of accurate information
- Educate senior management
- Help in detection/prevention of such incidents in the future
- To provide rapid detection and containment
- Minimize disruption to business and network operations
- To facilitate criminal action against perpetrators
Six steps of Incident response (cycle diagram): Pre incident preparation, Resolution, Reporting, Detection of incidents, Initial response, Investigate the incident
Techniques of cyber investigation - Cyber forensics

Computer forensics, also called cyber forensics, is the
application of computer investigation and analysis
techniques to gather evidence suitable for presentation in a
court of law.

The goal of computer forensics is to perform a structured
investigation while maintaining a documented chain of
evidence to find out exactly what happened on a computer
and who was responsible for it.
6 A’s of digital forensics
Assessment
Acquisition
Authentication
Analysis
Articulation
Archival
The Digital Investigation Process:
Source: Forensics Guru.
Rules of evidence

Computer forensic components:
- Identifying
- Preserving
- Analysing
- Presenting evidence in a legally admissible manner
FBI handbook of forensic investigation - techniques for computer forensics
- Examine type of content in computer
- Comparison of data files
- Transactions: to know time and sequence when data files were created
- Data files can be extracted from computer
- Deleted data files can be recovered from the computer
- Data files can be converted from one format to the other
- Key word searching
- Passwords
- Limited source code can be analysed and compared
- Storage media with standalone word processors can be examined
Sources of Evidence
- Existing Files
- Deleted Files
- Logs
- Special system files (registry etc.)
- Email archives, printer spools
- Administrative settings
- Internet History
- Chat archives
- Misnamed Files
- Encrypted Files / Password Protected files etc.
Cyberforensics in accounting frauds
- Use of CAAT (computer assisted audit techniques): spreadsheets, Excel, MS Access
- Generalized audit software: PC based file interrogation software (IDEA, ACL)
- Help detect fictitious suppliers, duplicate payments, theft of inventory
- Tender manipulation, secret commissions
- False financial reporting
- Expense account misuse
- Insider trading
Establishment and maintenance of ‘Chain of Custody’
Tools required:
- Evidence notebook
- Tamper evident labels
- Permanent ink pen
- Camera
Document the following:
- Who reported the incident along with critical date and times
- Details leading up to formal investigation
- Names of all people conducting investigation
- Establish and maintain detailed ‘activity log’
Maintaining Chain Of Custody
- Take pictures of the evidence
- Document ‘crime scene’ details
- Document identifiable markings on evidence
- Catalog the system contents
- Document serial numbers, model numbers, asset tags
- “Bag” it!
Maintain Chain Of Custody on tamperproof evidence bag
Take a picture!
Classification of computer forensics
- Disk based forensics
- Network based forensics
Disk imaging and analysis: the tool must have the ability to image every bit of data on the storage medium, and the tool must not make any changes to the source medium.
Examples:
- DD - www.gnu.org
- DCFLDD - www.prdownloads.sourceforge.net/biatchux
- ODD - open data duplicator
- ODESSA - creating a qualified duplicate image with Encase - www.odessa.sourceforge.net
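
The two imaging requirements above (copy every bit, never change the source) are checked in practice by hashing, which is also what the 'Authentication' step of the 6 A's depends on. The sketch below is an added example, not part of the original presentation or of any tool listed; the function names and the temporary file standing in for a seized disk are assumptions.

```python
import hashlib
import os
import tempfile

BLOCK = 1024 * 1024  # read size; the digest is the same for any block size


def sha256_of(path):
    """Hash a file or device node by streaming it in read-only mode."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image):
    """Copy source to image bit for bit and return an acquisition record."""
    # In practice the source sits behind a hardware write blocker; opening it
    # "rb" here only guarantees that this code itself issues no writes.
    before = sha256_of(source)
    copied = 0
    # "xb" refuses to overwrite an existing image file.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            dst.write(chunk)
            copied += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    after = sha256_of(source)
    image_hash = sha256_of(image)
    return {
        "bytes_copied": copied,
        "source_sha256_before": before,
        "source_sha256_after": after,
        "image_sha256": image_hash,
        "source_unchanged": before == after,
        "image_matches_source": image_hash == before,
    }


def verify_image(image, recorded_sha256):
    """Re-authenticate an image against the hash written in the activity log."""
    return sha256_of(image) == recorded_sha256


def demo():
    """Constructed demonstration: a temporary file stands in for the disk."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "source.bin")
        image = os.path.join(d, "evidence.img")
        with open(source, "wb") as f:
            f.write(b"MBR" + bytes(range(256)) * 512 + b"deleted-file-remnant")
        record = acquire_image(source, image)
        ok_now = verify_image(image, record["image_sha256"])
        # Simulate later tampering with the stored image: flip one byte.
        with open(image, "r+b") as f:
            f.seek(10)
            byte = f.read(1)
            f.seek(10)
            f.write(bytes([byte[0] ^ 0xFF]))
        ok_after_tamper = verify_image(image, record["image_sha256"])
        return record, ok_now, ok_after_tamper


if __name__ == "__main__":
    print(demo())
```

The hash in the acquisition record is the value that belongs in the chain-of-custody activity log, so that any later copy of the image can be re-verified against it.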
Recovering deleted data
- Encase
- FTK
- Stellar Phoenix
- PCI file recovery
- Undelete
- Recover4all
- Get data back
- Fast file recovery
- Active undelete
E-mail forensics
- E-mail is composed of two parts: header and body
- Examine headers
- Request information from ISP
- Trace the IP
- Tools: Encase, FTK, Final email
- Sawmill groupwise
- Audimation for logging
- Cracking the password: brute force attack, smart search, dictionary search, date search, customised search, guaranteed decryption, plaintext attack
- Passware, ultimate zip cracker, office recovery enterprise, etc.
Live demo - sending fake e-mails and reading headers, phishing attacks
- Use of www.fakemailer.net
- Use of Whois
- Dissecting header and body of an e-mail
- Message digest
- IP address
- Return path
- Sender’s address
- Live demo phishing: www.noodlebank.com, www.nood1ebank.com
- www.whois.sc
- www.readnotify.com
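
The header fields named on the two e-mail slides above (Return path, sender's address, IP address) and the noodlebank / nood1ebank pair can be examined with a short script. This is an added example, not part of the original presentation; the message, its IP addresses (documentation ranges) and the helper names are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message, not a real capture. IPs are documentation
# ranges; the two bank domains are the demo pair named on the slide.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from relay.example.net (relay.example.net [198.51.100.7])
    by mx.recipient.example with ESMTP id B2; Thu, 29 Oct 2009 10:00:03 +0530
Received: from [203.0.113.45] (unknown [203.0.113.45])
    by relay.example.net with HTTP id C3; Thu, 29 Oct 2009 10:00:01 +0530
From: "Noodle Bank" <support@noodlebank.com>
Reply-To: verify@nood1ebank.com
To: customer@recipient.example
Subject: Verify your account
Message-ID: <constructed-1@relay.example.net>

Please log in at http://www.nood1ebank.com/login to verify your account.
"""

CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s"})
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(header_value):
    """Lower-cased domain of the address in a From/Return-Path/Reply-To value."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def bare(domain):
    d = domain.lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d


def skeleton(domain):
    """Fold look-alike characters so nood1ebank and noodlebank compare equal."""
    return bare(domain).translate(CONFUSABLES).replace("rn", "m")


def is_lookalike(candidate, genuine):
    return (bare(candidate) != bare(genuine)
            and skeleton(candidate) == skeleton(genuine))


def dissect(raw, genuine_domain):
    msg = email.message_from_string(raw)
    # Each server prepends its Received line, so the last one is the earliest
    # hop. Lines below the recipient's own servers can be forged by the sender.
    received = msg.get_all("Received", [])
    hops = [m.group(1) for m in map(IP_IN_BRACKETS.search, received) if m]
    hops.reverse()
    from_dom = domain_of(msg["From"])
    return_dom = domain_of(msg["Return-Path"])
    reply_dom = domain_of(msg["Reply-To"])
    links = {bare(d) for d in re.findall(r"https?://([^/\s]+)", msg.get_payload())}
    findings = []
    if return_dom and return_dom != from_dom:
        findings.append("return-path domain differs from sender domain")
    for d in sorted((links | {reply_dom}) - {""}):
        if is_lookalike(d, genuine_domain):
            findings.append("look-alike of %s: %s" % (genuine_domain, d))
    return {"hops": hops, "origin_ip": hops[0] if hops else None,
            "from": from_dom, "return_path": return_dom,
            "reply_to": reply_dom, "findings": findings}


if __name__ == "__main__":
    print(dissect(RAW, "noodlebank.com"))
```

The earliest-hop address is only a lead: it is the value taken to the ISP and to Whois for confirmation, as the slides describe.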
The Information Technology Act,2000
and cybercrimes


The Information Technology Act 2000 came into
force in India on 17 October 2000. It extends to
whole of India and also applies to any offence or
contraventions committed outside India by any
person (s 1(2),IT Act 2000).
According to s 75 of the Act, the Act applies to
any offence or contravention committed outside
India by any person irrespective of his
nationality, if such act involves a computer,
computer system or network located in India.
Cybercrime vs Cyber contravention

The IT Act prescribes provisions for contraventions in ch IX of the
Act, particularly s 43 of the Act, which covers unauthorised
access, downloading, introduction of virus, denial of access and
Internet time theft committed by any person. It prescribes
punishment by way of damages not exceeding Rs 1 crore to the
affected party.

Chapter XI of the IT Act 2000 discusses the cyber crimes and
offences inter alia, tampering with computer source documents (s
65), hacking (s 66), publishing of obscene information (s 67),
unauthorised access to protected system (s 70), breach of
confidentiality (s 72), publishing false digital signature certificate
(s 73).
Whereas cyber contraventions are ‘civil wrongs’ for which
compensation is payable by the defaulting party, ‘cyber offences’
constitute cyber frauds and crimes which are criminal wrongs for
which punishment of imprisonment and/or fine is prescribed by
the Information Technology Act 2000.

Special and General statutes applicable to cybercrimes
- While the IT Act 2000 provides for the specific offences, it has to be read with the Indian Penal Code 1860 (IPC) and the Code of Criminal Procedure 1973 (Cr PC).
- The IT Act is a special law; most IT experts are of the common consensus that it does not cover or deal specifically with every kind of cyber crime. For instance, for defamatory e-mails reliance is placed on s 500 of IPC; for threatening e-mails, the provisions of IPC applicable thereto are criminal intimidation (ch XXII) and extortion (ch XVII); for e-mail spoofing, provisions of IPC relating to frauds, cheating by personation (ch XVII) and forgery (ch XVIII) are attracted.
- Likewise, criminal breach of trust and fraud (ss 405, 406, 408, 409) of the IPC are applicable, and for false electronic evidence, s 193 of IPC applies.
- For cognisability and bailability, reliance is placed on the Code of Criminal Procedure, which also lays down the specific provisions relating to powers of police to investigate.
Tampering of source code

According to s 65 of the IT Act, a person who intentionally conceals, destroys or alters, or intentionally or knowingly causes another to conceal, destroy or alter, any computer source code used for a computer, computer program, computer system or network, when the computer source code is required to be maintained by law, is punishable with imprisonment up to 3 years or with fine that may extend up to 2 lakh rupees or with both.
Hacking
- Section 66 of the IT Act 2000 deals with the offence of computer hacking.
- In simple words, hacking is accessing of a computer system without the express or implied permission of the owner of that computer system.
- Examples of hacking may include unauthorised input or alteration of input, destruction or misappropriation of output, misuse of programs or alteration of computer data.
- Punishment for hacking is imprisonment up to 3 years or fine which may extend to 2 lakh rupees or both.
Publishing obscene information

Section 67 of the IT Act lays down punishment for the
offence of publishing of obscene information in electronic
form

Recently, the Supreme Court in Ajay Goswami v Union of
India considered the issue of obscenity on Internet and held
that restriction on freedom of speech on ground of
curtailing obscenity amounts to reasonable restriction under
art 19(2) of the Constitution. The court observed that the
test of community mores and standards has become
obsolete in the Internet age.
Punishment on first conviction is imprisonment for a term which may extend to 5 years and fine which may extend to 1 lakh rupees. In the event of a second or subsequent conviction, imprisonment of either description for a term which may extend to 10 years and fine which may extend to 2 lakh rupees.

New offences defined under IT Amendment Bill
2008

Many cybercrimes for which no express provisions existed
in the IT Act 2000 now stand included by the IT
Amendment Bill 2008.

Sending of offensive or false messages (s 66A), receiving stolen computer resource (s 66C), identity theft (s 66C), cheating by personation (s 66D), violation of privacy (s 66E). Barring the offence of cyber terrorism (s 66F), the punishment prescribed is generally up to three years and a fine of one/two lakh rupees, and these offences are cognisable and bailable. This will not prove to be a deterrent for cyber criminals.

Further, as per new s 84B, abetment to commit an offence is made punishable with the punishment provided for the offence under the Act, and the new s 84C makes attempt to commit an offence also a punishable offence, with imprisonment for a term which may extend to one-half of the longest term of imprisonment provided for that offence.
The IT Amendment Bill 2008

In certain offences, such as hacking (s 66) punishment is
enhanced from 3 years of imprisonment and fine of 2 lakhs
to fine of 5 lakhs rupees. In s 67, for publishing of obscene
information imprisonment term has been reduced from five
years to three years (and five years for subsequent offence
instead of earlier ten years) and fine has been increased
from one lakh to five lakhs rupees (ten lakhs on subsequent
conviction).

Section 67A adds an offence of publishing material
containing sexually explicit conduct punishable with
imprisonment for a term that may extend to 5 years with
fine upto ten lakhs rupees.
The IT Amendment Bill 2008

Section 67B punishes offence of child
pornography, child’s sexually explicit act or
conduct with imprisonment on first conviction for
a term upto 5 years and fine upto 10 lakhs
rupees.
Possible reliefs to a cybercrime victim - strategy adoption
- A victim of cybercrime needs to immediately report the matter to his local police station and to the nearest cybercrime cell.
- Depending on the nature of the crime, there may be civil and criminal remedies.
- In civil remedies, injunction and restraint orders may be sought, together with damages, delivery up of infringing matter and/or account for profits.
- In criminal remedies, a cybercrime case will be registered by police if the offence is cognisable; if the same is non-cognisable, a complaint should be filed with the metropolitan magistrate.
- For certain offences, both civil and criminal remedies may be available to the victim.
Before lodging a cybercrime case
Important parameters:
- Gather ample evidence admissible in a court of law.
- Fulfill the criteria of the pecuniary, territorial and subject matter jurisdiction of a court.
- Determine jurisdiction: the case may be filed where the offence is committed or where the effect of the offence is felt (S. 177 to 179, Cr PC).
The criminal prosecution pyramid
Conviction/acquittal
Trial
Contents of charge
Issue of process –summons, warrant
Examine the witnesses
Examine the complainant on oath
Initiation of criminal proceedings-cognizance of offences by magistrates
Preparation for prosecution
- Collect all evidence available and save snapshots of evidence.
- Seek a cyberlaw expert’s immediate assistance for advice on preparing for prosecution.
- Prepare a background history of facts chronologically as per facts.
- Pen down names and addresses of suspected accused.
- Form a draft of the complaint and the remedies a victim seeks.
- Cyberlaw expert & police could assist in gathering further evidence, e.g. tracing the IP in case of e-mails, search & seizure or arrest as appropriate to the situation.
- A cyber forensic study of the hardware/equipment/network server related to the cybercrime is generally essential.
Amendments - Indian Evidence Act 1872
- Section 3 of the Evidence Act amended to take care of admissibility of electronic records (ER) as evidence along with the paper based records as part of the documents which can be produced before the court for inspection.
- Section 4 of IT Act confers legal recognition to electronic records.
Societe Des products Nestle SA case, 2006 (33) PTC 469

By virtue of provision of Section 65A, the contents of electronic records may be proved in evidence by parties in accordance with provision of 65B.

Held - Sub section (1) of section 65B makes admissible as a document a paper print out of electronic records stored in optical or magnetic media produced by a computer, subject to fulfillment of the conditions specified in subsection 2 of Section 65B:
a) The computer from which the record is generated was regularly used to store or process information in respect of activity regularly carried on by the person having lawful control over the period, and relates to the period over which the computer was regularly used.
b) Information was fed in the computer in the ordinary course of the activities of the person having lawful control over the computer.
c) The computer was operating properly, and if not, was not such as to affect the electronic record or its accuracy.
d) Information reproduced is such as is fed into the computer in the ordinary course of activity.

State v Mohd Afzal, 2003 (7) AD (Delhi) 1
State v Navjot Sandhu, (2005) 11 SCC 600

Held, while examining Section 65 B Evidence Act,
it may be that certificate containing details of
subsection 4 of Section 65 is not filed, but that
does not mean that secondary evidence cannot
be given.

Section 63 & 65 of the Indian Evidence Act
enables secondary evidence of contents of a
document to be adduced if original is of such a
nature as not to be easily movable.
Presumptions in law- Section 85 B
Indian Evidence Act

The law also presumes that in any proceedings, involving
secure digital signature, the court shall presume, unless the
contrary is proved, that the secure digital signature is
affixed by the subscriber with the intention of signing or
approving the electronic record

In any proceedings involving a secure electronic record, the
court shall presume, unless contrary is proved, that the
secure electronic record has not been altered since the
specific point of time, to which the secure status relates
Presumption as to electronic messages - Section 88A of Evidence Act
- The court may treat electronic messages received as if they were sent by the originator, with the exception that a presumption is not to be made as to the person by whom such message was sent.
- It must be proved that the message has been forwarded from the electronic mail server to the person (addressee) to whom such message purports to have been addressed.
- An electronic message is primary evidence of the fact that the same was delivered to the addressee on the date and time indicated.
IT Amendment Bill 2008 - Section 79A
- Section 79A empowers the Central govt to appoint any department, body or agency as examiner of electronic evidence for providing expert opinion on electronic form evidence before any court or authority.
- Till now, the government forensic lab of Hyderabad (CFSIL) was considered of evidentiary value in courts.
- Statutory status to an agency as per Section 79A will be of vital importance in criminal prosecution of cybercrime cases in India.
Defending an accused in a cybercrime
- Preparation of chain of events table
- Probing where evidence could be traced: e-mail inbox/files/folders/web history
- Has the accused used any erase evidence software/tools?
- Forensically screening the hardware/data/files/print outs/camera/mobile/pendrives of evidentiary value
- Formatting may not be a solution
- Apply for anticipatory bail
- Challenge evidence produced by opposite party and look for loopholes
- Filing of a cross complaint if appropriate
Thank you!
SETH ASSOCIATES
ADVOCATES AND LEGAL CONSULTANTS
New Delhi Law Office:
C-1/16, Daryaganj, New Delhi-110002, India
Tel:+91 (11) 65352272, +91 9868119137
Corporate Law Office:
B-10, Sector 40, NOIDA-201301, N.C.R ,India
Tel: +91 (120) 4352846, +91 9810155766
Fax: +91 (120) 4331304
E-mail: [email protected]