Transcript Document
Cyber Crimes
MANOJ AGARWAL IPS, GUJARAT POLICE
July 20, 2015

The transformation
• Two years ago, we were afraid of rockets destroying buildings and computer centres...
• Today, we should be aware of software destroying rockets and missiles!

• IT Act 2000
• Cyber Cases
• Investigation & Forensics
• Issues to ponder

IT Act 2000 Objectives
• Legal Recognition for E-Commerce
  – Digital Signatures and Regulatory Regime
  – Electronic Documents at par with paper documents
• E-Governance
  – Electronic Filing of Documents
• Amend certain Acts
• Define Civil wrongs, Offences, punishments
  – Investigation, Adjudication
  – Appellate Regime

Wrongs
[Diagram. Labels: Moral Wrongs; Civil Wrongs; Legal Wrongs; Crimes; Feeling of guilt; Aggrieved approaches the STATE; Police has a very limited role to play; Compensation; Police has a defined role to play; Punishment; Fine; Or both; Criminal Court]

Crimes
• Non-Cognizable Offences
  – Minor offences
  – Police has a very limited role to play
  – Aggrieved seeks redressal
• Cognizable Offences
  – Serious ones
  – Responsibility of the STATE to get the offender punished

Cognizability and Bailability
• Not mentioned in the Act
  – Rely on Part II of Schedule I of CrPC
• If punishable with death, imprisonment for life or imprisonment for more than 7 years: Cognizable, Non-Bailable, Court of Session
• If punishable with imprisonment for 3 years and upwards but not more than 7 years: Cognizable, Non-Bailable, Magistrate of First Class
• If punishable with imprisonment of less than 3 years: Non-Cognizable, Bailable, Any Magistrate (or Controller of CAs)

Civil Wrongs under IT Act
• Chapter IX of IT Act, Section 43
• Whoever without permission of owner of the computer
  – Secures access (mere U/A access)
    • Not necessarily through a network
  – Downloads, copies, extracts any data
  – Introduces or causes to be introduced any viruses or contaminant
  – Damages or causes to be damaged any computer resource
    • Destroy, alter, delete, add, modify or rearrange
    • Change the format of a file
  – Disrupts or causes disruption of any computer resource
    • Preventing normal continuance of
  – Denies or causes denial of access by any means
    • Denial of service attacks
  – Assists any person to do any thing above
    • Rogue Websites, Search Engines, Insiders providing vulnerabilities
  – Charges the services availed by a person to the account of another person by tampering or manipulating any computer resource
    • Credit card frauds, Internet time thefts
• Liable to pay damages not exceeding one crore to the affected party
• Investigation of
  – ADJUDICATING OFFICER
  – Powers of a civil court

Section 65: Source Code
• Most important asset of software companies
• "Computer Source Code" means the listing of programmes, computer commands, design and layout

Section 65.. Contd.
• Ingredients
  – Knowledge or intention
  – Concealment, destruction, alteration
  – computer source code required to be kept or maintained by law
• Punishment
  – imprisonment up to three years, and / or
  – fine up to Rs 2 lakh
• Cognizable, Non-Bailable, JMIC

Section 66: Hacking
• Ingredients
  – Intention or Knowledge to cause wrongful loss or damage to the public or any person
  – Destruction, deletion, alteration, diminishing value or utility or injuriously affecting information residing in a computer resource
• Punishment
  – imprisonment up to three years, and / or
  – fine up to Rs 2 lakh
• Cognizable, Non-Bailable, JMFC

Hacking (contd.)
• Covers crimes like
  – Trojan, Virus, worm attacks
  – Logic bombs and Salami attacks
  – Internet time theft
  – Analysis of electromagnetic waves generated by computers

Examples
• State versus Amit Pasari and Kapil Juneja – Delhi Police
  – M/s Softweb Solutions
  – Website www.go2nextjob.com hosted
  – Complaint of hacking by web hosting service
• State versus Joseph Jose – Delhi Police
  – Hoax Email - Planting of 6 bombs in Connaught Place
• State versus Aneesh Chopra – Delhi Police
  – Three company websites hacked
  – Accused: An ex-employee
• State versus K R Vijayakumar – Bangalore Cyber Crime Police Station, 2001
  – Criminal intimidation of employers and crashing the company's server
  – Phoenix Global Solutions

Sec. 67. Pornography
• Ingredients
  – Publishing or transmitting or causing to be published
  – in the electronic form,
  – Obscene material
• Punishment
  – On first conviction
    • imprisonment of either description up to five years and
    • fine up to Rs 1 lakh
  – On subsequent conviction
    • imprisonment of either description up to ten years and
    • fine up to Rs 2 lakh
• Section covers
  – Internet Service Providers,
  – Search engines,
  – Pornographic websites
• Cognizable, Non-Bailable, JMIC / Court of Sessions

Sec 69: Decryption of information
• Ingredients
  – Controller issues order to Government agency to intercept any information transmitted through any computer resource.
  – Order is issued in the interest of the
    • sovereignty or integrity of India,
    • the security of the State,
    • friendly relations with foreign States,
    • public order or
    • preventing incitement for commission of a cognizable offence
  – Person in charge of the computer resource fails to extend all facilities and technical assistance to decrypt the information.

Decryption of information (contd.)
• Applicability
  – Email messages (If encrypted)
  – Encrypted messages
  – Steganographic images
  – Password protected files (?)
• Punishment
  – Imprisonment up to 7 years
• Cognizable, Non-Bailable, JMIC

Sec 70 Protected System
• Ingredients
  – Securing unauthorised access or attempting to secure unauthorised access
  – to 'protected system'
• Acts covered by this section:
  – Switching computer on / off
  – Using installed software / hardware
  – Installing software / hardware
  – Port scanning
• Punishment
  – Imprisonment up to 10 years and fine
• Cognizable, Non-Bailable, Court of Sessions

BUT……..
• All cyber crimes do not come under the Information Technology Act, 2000.
• Many cyber crimes come under the Indian Penal Code

Computer Related Crimes under IPC and Special Laws
  Sending threatening messages by email    Sec 503 IPC
  Sending defamatory messages by email     Sec 499 IPC
  Forgery of electronic records            Sec 463 IPC
  Bogus websites, cyber frauds             Sec 420 IPC
  Email spoofing                           Sec 463 IPC
  Online sale of Drugs                     NDPS Act
  Web-Jacking                              Sec. 383 IPC
  Online sale of Arms                      Arms Act

COMPUTER CRIME STATISTICS
• Average Computer Crime - $500K; Average Bank Robbery - $13K
• 80% of computer crime involves Internet
• Internet
  – is in 70 countries
  – over 25 million users
  – 10%/month growth rate

Frequency of incidents
• Denial of Service: Section 43
• Virus: Section 66, 43
• Data Alteration: Sec. 66
• U/A Access: Section 43
• Email Abuse: Sec. 67, 500, Other IPC Sections
• Data Theft: Sec 66, 65
Source: Survey conducted by ASCL

No. of Indian web-sites defaced
[Bar chart by year, 1998 to 2001. Data labels: 7039, 2219, 441, 1002.]
"Not very serious - some one has just pasted a poster over my poster"

Number of Indian sites hacked
[Bar chart by year, 1998 to 2001. Data labels: 25, 12, 6, 0.]
Site of BARC - panic all around

2001 CSI/FBI Computer Crime and Security Survey
Of the organizations suffering security compromises in the last year – 95% had Firewalls and 61% had IDSs!

  SECURITY TECHNOLOGIES USED     1998   1999   2000   2001
                                   %      %      %      %
  Intrusion Detection Systems     35     42     50     61
  Firewalls                       81     91     78     95
  Encrypted Files                 50     61     62     64
  Anti-virus software             96     98    100     98
  Access Control                  89     93     92     90

• False sense of security
  – "We already have a Firewall"

COMPUTER CRIME STATISTICS
2002 Computer Crime and Security Survey (CSI)
  – 91% of respondents detected breaches of their computer security policy.
  – 64% of respondents acknowledged financial losses due to the breaches.
  – 35% of respondents quantified financial losses amounting to $377M (up 41% from $266M).
  – 60% may not have sufficient instrumentation to detect breaches.

WHY CRIMES WERE NOT REPORTED
56% of crimes NOT REPORTED
  – Embarrassment.
  – Loss of public confidence.
  – False arrest concerns.

COMPUTERS CAN PLAY THREE ROLES IN A CRIME
• Weapon/Target
• Storage Facility
• Tool

CASE - I

FAKE E-MAIL ID
• FAKE E-MAILS
• SMS MESSAGES THROUGH NET.

CASE 2

FAKE POLICE CONSTABLES
• CASE:
  – A PERSON CAUGHT WITH FAKE MOTOR VEHICLE LICENCE
  – POLICE SEIZED TWO HARD DISKS

CASE 3

SPECIAL CELL, NEW DELHI
• DELHI POLICE ARRESTED
  – PRESS REPORTER CHANGED INTO ISI AGENT
  – SEIZED A LAPTOP AND WRIST WATCH

CASE 4

A VICTIM OF WORLD CUP?
• Ms. MANDIRA BEDI
  – POOR KNOWLEDGE IN CRICKET
  – A SHOW PIECE
  – CRICKET LOVERS ARE AGAINST HER COMMENTARY, BUT LOVE HER -----
• PHOTO APPEARED IN SITE WWW.INDIANSEX4U.COM

CASE 5

NOT SAFE TO GIVE VISITING CARD
• IS IT SAFE TO GIVE VISITING CARD TO SOMEBODY?
  – DETAILS KEPT UNDER INDIATIMES.COM UNDER ROMANCE COLUMN:
    • THE ACCUSED: HER "FORMER COLLEAGUE"
    • THE MISTAKE SHE HAS DONE: GIVING VISITING CARD

CASE 6

FIR NO. 581/2001 PS KOTWALI SPECIAL CELL
• WASIM AHMED LILY @ WASIM ASRAF ARRESTED ON 12/10/01 ALONG WITH TWO SUITCASES CONTAINING FAKE CURRENCY TO THE TUNE OF 18.3 LAKHS (1000, 500 DENOMINATIONS)
• POLICE SEIZED A COMPUTER, SCANNER, PRINTER FROM THE ACCUSED.

CONTD….
• FORENSIC ANALYSIS REVEALED
  – HOW THE COMPUTER WAS USED IN THE PRODUCTION OF COUNTERFEIT CURRENCY
  – CURRENCY NOTES OF DENOMINATION OF NOT ONLY 500, 1000 BUT ALSO RS 50, 100.
• FAKE POSTAL STAMPS
• THE ADDRESSES OF THE AGENTS WHO ARE CIRCULATING

CASE 7

A CASE OF A PLASTIC COMPANY
• THE DIRECTORATE OF CENTRAL EXCISE INTELLIGENCE PERSONS RAIDED A PLASTIC COMPANY OWNER'S RESIDENCE ON 10/11/2001 AND SEIZED AN AMOUNT OF RS. 2 CRORE.
• PRODUCED 6000 CASH BILLS DATED PRIOR TO DATE OF RAID.
• THE BILLS WERE DATED TO APRIL-OCTOBER 2001

CONTD….
• THE DGCEI OFFICIALS SEIZED 12 COMPUTERS WITH THE HELP OF COMPUTER FORENSIC EXPERTS
• FORENSIC EXAMINATION OF COMPUTER SYSTEMS REVEALED
  – EXCISE EVASION TO THE TUNE OF 26 CRORES FROM 2000 ONWARDS
  – BACK MONEY DETAILS
  – THE BRIBES PAID TO THE EXCISE OFFICIALS

CASE 8

FIR NO 76/02 PS PARLIAMENT STREET
• Mrs. SONIA GANDHI RECEIVED THREATENING E-MAILS
• E-MAIL FROM
  – [email protected]
  – [email protected]
• THE CASE WAS REFERRED
• ACCUSED PERSON LOST HIS PARENTS DURING 1984 RIOTS

CASE - 9

PARLIAMENT ATTACK CASE
• Delhi police seized a laptop where they stored the incriminating material.
• ON FORENSIC ANALYSIS:
  – ROLE OF Lo e T
  – IP ADDRESSES OF PAKISTAN
  – TELEPHONE NUMBERS
  – CODED MESSAGES

CASE-10

KARNATAKA MEDICAL EXAM (K-CET) SCAM
• OCR BASED ANSWER SHEET.
• MODIFIED THE COMPUTER PROGRAM (ANSWERS) AS PER THE STUDENT'S ANSWER SHEET.
• MADE FAILED CANDIDATES SUCCESSFUL.
--- THE AP INTERMEDIATE BOARD MARKS SCANDAL.

President CLINTON'S IMPEACHMENT TRIAL
  – Forensic experts recovered deleted data from Monica Lewinsky's home computer as well as "her" computer at the Pentagon
  – Computer examinations of deleted White House e-mail records exposed the Clinton-Monica Lewinsky scandal

INVESTIGATION
A good investigation needs network forensics, hardware forensics and software forensics. The general approach to investigating the technical aspects of any computer related crime is:
• Eliminate the obvious.
• Hypothesize the attack.
• Collect evidence, including, possibly, the computers themselves.
• Reconstruct the crime.
• Perform a trace back to the source computer.
• Analyze the source, target, and intermediate computers.
• Turn your findings and evidentiary material over to corporate or law enforcement investigators for follow-up.

Cyber Crimes?
• Any crime that involves computers and networks
• Includes crimes that do not rely heavily on computers
  – Alibi
  – Harassment
  – Blackmail
  – Extortion
  – Frauds
  – Murder etc....

What are we looking for?
• Hardware as contraband or fruits of crime.
  – Stolen computer system
• Hardware as an instrumentality
  – Hardware designed exclusively to commit crime - sniffer
• Hardware as evidence.
  – CD Writer to copy blue movies – Pornography
• Information as contraband or fruits of crime.
  – Pirated software
• Information as an instrumentality
  – Hacking program
• Information as evidence.
  – Key of investigation - we are searching this

How to Proceed?
• Pre-investigation intelligence.
  – A must
  – Visualize and assess what you would encounter.
  – Prepare accordingly.
• Computer may be on / off
  – Blank screen does not indicate an off computer
• If computer is on
  – Note what all is on the screen
  – If the screen saver is operational, move the mouse slightly.
• Map all the connections & mark the matching ends
• Find out whether it is connected to the network.
• Decide on the next course of action.

Strategy
• If you shut down the computer in the usual way
  – Fall in a trap
• If you pull out the cord
  – Lose vital information on the RAM
• Good documentation of the screen (photograph) will help resolve some of the discrepancies.
• Recommended strategy
  – Ensure that all drives are empty
  – Pull out the cord from the computer (not from the electric board as it may be connected to a UPS)

Seizing the computer
• Computers do not have unique identity
  – It will not help also
• Contents have to be seized uniquely.
  – Hashing
  – Only solution
• Requirements are
  – Algorithm should run in a trusted environment
  – Suspect disk should be write-blocked
  – No time stamps should be altered

INVESTIGATION OF SEIZED MATERIAL

WEBSITE RELATED CRIME / INTERNET CRIME
• In a 'simple' case of hacking it would be possible to trace out the IP address by the "who is" query.
• Confirm identity of suspect by running the "who is" query.
• The IP address may be found in the "page Source" head (Netscape) and "source" head in Internet Explorer
• The "who is" details generated may be genuine or that of a "compromised" machine.

E-MAIL CRIMES
• The header will give the IP address. Run "who is" to ascertain the details of the service provider whose mail service was used by the suspect.
• If by analyzing circumstances, it is felt that the "who is" result is genuine, the location of suspect can be traced with the help of ISP.
• In case of forged/bogus or disguised/number-letter mix-up e-mail identities, the ISP can help in identifying the suspect with the help of the e-mail header by analyzing its contents and "message ID" (see boxes for forged/bogus, disguised senders details).
• The ISP will be able to help in locating a suspect, because when a person dials up to connect with an ISP, he/she is logged on to one of the servers of the ISP. This server assigns (depending on the port of entry) a specific IP address to the user. This IP address temporarily becomes the IP address of the user for that specific session.

CARDINAL RULES OF COMPUTER FORENSICS
• NEVER TRUST THE SUBJECT OPERATING SYSTEM
• NEVER MISHANDLE EVIDENCE
• NEVER WORK ON ORIGINAL EVIDENCE
• USE PROPER SOFTWARE UTILITIES
• DOCUMENT EVERYTHING

NEVER TRUST THE SUBJECT SYSTEM
• DO NOT BOOT FROM SUSPECT SYSTEM
• DO NOT USE SUSPECT OS
• CRIMINALS MAY MODIFY ROUTINE OPERATING SYSTEM COMMANDS TO PERFORM DESTRUCTIVE COMMANDS.
• DISCONNECT HARD DRIVE & BOOT FROM FLOPPY (THE BIOS MAY BE MODIFIED TO ALLOW BOOT FROM A FLOPPY)

STEPS TAKEN BY COMPUTER FORENSIC EXPERT
• PROTECT THE SUBJECT SYSTEM DURING EXAMINATION FROM ALTERATION, DAMAGE, DATA CORRUPTION OR VIRUS INTRODUCTION
• DISCOVER & RECOVER ALL FILES (active & deleted)
• ACCESS THE CONTENTS OF PROTECTED OR ENCRYPTED FILES
• ANALYZE ALL RELEVANT DATA
• PRINT OUT AN OVERALL ANALYSIS
• PROVIDE TESTIMONY IN COURT OF LAW

Where do we find Evidence?
• In The Computer
  – Suspect
  – Victim
• The Server
  – Suspect
  – Victim
• ISP's
  – Who logged from where & when?
• Computers visited
• Backbone Computers

Issues to address
• We cannot be masters of all trades
• Fighting cyber crimes has to be a team effort involving
  – Law enforcement agencies
    • Handle cyber evidence
    • Use it to generate investigative trails
    • Know when to call an expert for assistance
  – Computer expert
    • How to handle cyber evidence
    • Generate investigative leads
    • Call enforcement agencies for assistance
  – Attorneys
    • How to defend cyber evidence
    • Determine whether it is admissible
  – Forensic Scientists
    • How to process it

QUESTIONS

THANK YOU
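
The "Seizing the computer" slide asks for the contents to be hashed without altering time stamps, and the cardinal rules say never to work on original evidence. The sketch below is an added example, not part of the original presentation: it hashes an acquired image opened read-only, checks that size and modification time did not move, and verifies a working copy against the seizure record. It assumes a hardware write blocker and a trusted examiner workstation are already in place; the file names and sample data are constructed.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so large images never sit in RAM


def _open_readonly(path):
    # Strictly read-only; on Linux also ask not to update the access time.
    flags = os.O_RDONLY | getattr(os, "O_BINARY", 0)
    try:
        return os.open(path, flags | getattr(os, "O_NOATIME", 0))
    except PermissionError:  # O_NOATIME needs file ownership or root
        return os.open(path, flags)


def hash_evidence(path):
    """Return size, SHA-256 and whether size/mtime stayed unchanged."""
    before = os.stat(path)
    digest = hashlib.sha256()
    fd = _open_readonly(path)
    try:
        while True:
            block = os.read(fd, CHUNK)
            if not block:
                break
            digest.update(block)
    finally:
        os.close(fd)
    after = os.stat(path)
    same = (before.st_mtime_ns, before.st_size) == (after.st_mtime_ns, after.st_size)
    return {"size": after.st_size, "sha256": digest.hexdigest(),
            "timestamps_unchanged": same}


def verify_working_copy(record, copy_path):
    """True only if the working copy is bit-for-bit the seized content."""
    copy = hash_evidence(copy_path)
    return (copy["size"], copy["sha256"]) == (record["size"], record["sha256"])


def demo():
    """Constructed sample: a small fake disk image in a temp directory."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "seized_disk.img")      # hypothetical name
    with open(image, "wb") as fh:
        fh.write(b"CONSTRUCTED SAMPLE SECTOR DATA" * 4096)
    record = hash_evidence(image)        # recorded once, at seizure time
    copy = os.path.join(workdir, "working_copy.img")      # hypothetical name
    shutil.copyfile(image, copy)         # analysis happens on the copy only
    ok_before = verify_working_copy(record, copy)
    with open(copy, "r+b") as fh:        # simulate a single altered byte
        fh.seek(100)
        fh.write(b"X")
    ok_after = verify_working_copy(record, copy)
    shutil.rmtree(workdir)
    return record, ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```
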
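
The "E-MAIL CRIMES" slides say the header gives the IP address and that the header contents and "message ID" help with forged identities. The following added example (not from the original presentation) walks the Received chain of a constructed message from the oldest hop upward, returns the first non-internal client address with the timestamp an ISP would need to map a dial-up session to a subscriber, and flags a From / Message-ID domain mismatch. All hosts, addresses and domains are constructed, and Received lines written before the first trusted server can themselves be forged.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: documentation IP ranges and example.* domains only.
RAW = """\
Received: from mx.example.net (mx.example.net [198.51.100.25])
    by inbox.example.org with ESMTP id A1; Mon, 20 Jul 2015 10:00:05 +0530
Received: from dialup-pool.example.net (unknown [203.0.113.77])
    by mx.example.net with ESMTP id B2; Mon, 20 Jul 2015 10:00:02 +0530
Received: from [192.168.1.5] (localhost [127.0.0.1])
    by dialup-pool.example.net with SMTP id C3; Mon, 20 Jul 2015 10:00:00 +0530
From: "Bank Support" <support@bank.example.com>
To: victim@example.org
Message-ID: <20150720.0001@dialup-pool.example.net>

body
"""

# Addresses that never identify a subscriber on the public Internet.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(msg):
    """Return [(ip list, timestamp)] per Received header, oldest hop first."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        ips = []
        for text in IP_RE.findall(value):
            try:
                ips.append(ipaddress.ip_address(text))
            except ValueError:
                pass  # e.g. [999.1.1.1]: malformed, possibly forged
        stamp = value.rpartition(";")[2].strip()
        hops.append((ips, stamp))
    return hops


def analyse(raw):
    """Pick the earliest public client IP and compare header domains."""
    msg = message_from_string(raw)
    origin_ip = seen_at = None
    for ips, stamp in received_hops(msg):
        public = [ip for ip in ips if not any(ip in net for net in INTERNAL)]
        if public:
            origin_ip, seen_at = str(public[0]), stamp
            break
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    msgid_dom = msg.get("Message-ID", "").strip("<> ").rpartition("@")[2].lower()
    return {"candidate_origin_ip": origin_ip, "seen_at": seen_at,
            "from_domain": from_dom, "message_id_domain": msgid_dom,
            "domain_mismatch": from_dom != msgid_dom}


if __name__ == "__main__":
    print(analyse(RAW))
```
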