3. What does Cyber forensics mean?
• Cyber forensics is an electronic discovery
technique used to determine and reveal technical
criminal evidence. It often involves extracting data
from electronic storage for legal purposes.
• Although still a young discipline, cyber forensics is
gaining traction as a viable way of interpreting
evidence.
• Cyber forensics is also known as computer
forensics.
4. Digital Forensics
• Digital forensics is defined as the process of
preservation, identification, extraction, and
documentation of computer evidence which can be
used in a court of law.
• It is the science of finding evidence on digital media
such as a computer, mobile phone, server, or network.
• It provides the forensic team with techniques
and tools to solve complicated digital cases.
• Digital forensics helps the forensic team to analyze,
inspect, identify, and preserve the digital evidence
residing on various types of electronic devices.
5. History of Digital forensics
• Hans Gross (1847 - 1915): first to apply scientific study to
criminal investigations
• FBI (1932): set up a lab to offer forensic services to all field agents
and other law authorities across the USA.
• In 1978 the first computer crime was recognized in the Florida
Computer Crime Act.
• Francis Galton (1822 - 1911): conducted the first recorded study of
fingerprints
• In 1992, the term "computer forensics" was used in academic
literature.
• 1995: the International Organization on Computer Evidence (IOCE) was
formed.
• In 2000, the first FBI Regional Computer Forensic Laboratory was
established.
• In 2002, the Scientific Working Group on Digital Evidence (SWGDE)
published the first book on digital forensics, "Best Practices
for Computer Forensics".
• In 2010, Simson Garfinkel identified issues facing digital
investigations.
6. Process of Digital forensics
• Digital forensics entails the following steps:
• Identification
• Preservation
• Analysis
• Documentation
• Presentation
8. Identification
• It is the first step in the forensic process.
• Identification establishes what evidence is
present, where it is stored, and how it is
stored (in which format).
• Electronic storage media can be personal
computers, Mobile phones, PDAs, etc.
9. Preservation
• In this phase, data is isolated, secured, and
preserved.
• It includes preventing people from using the
digital device so that digital evidence is not
tampered with. In practice the device is imaged
through a write blocker and the image is hashed,
so that any later alteration can be detected and
the copy can be shown to match the original.
10. Analysis
• In this step, investigators reconstruct
fragments of data and draw conclusions based
on the evidence found.
• It may take numerous iterations of
examination to support a specific crime
theory.
11. Documentation
• In this process, a record of all the visible data
must be created.
• It helps in recreating the crime scene and
reviewing it.
• It involves proper documentation of the crime
scene along with photographing, sketching,
and crime-scene mapping.
12. Presentation
• In this last step, the conclusions are
summarized and explained.
• The report should be written in layperson's
terms, using abstracted terminology. Every
abstraction should reference the specific
details behind it.
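The preservation and documentation steps above hinge on one check: that the copy examined is bit for bit what was seized. The following Python script is an added example, not code from the original slides. It simulates acquisition with a file copy (a real case would image a write-blocked device with a tool such as dd or ewfacquire), hashes source and image with SHA-256, writes each action to a JSON-lines chain-of-custody log, and shows that a single flipped byte in the working copy is caught on re-verification. The file names and examiner names are made up.

```python
"""Evidence preservation: image a source, hash it, and record custody.

Added example; not the page's own code. Acquisition is simulated with a
byte copy of a constructed 'evidence' file. A real case would image a
write-blocked device with dd, ewfacquire or similar and hash that image.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so images larger than RAM still work


def sha256_file(path: str) -> str:
    """Return the SHA-256 hex digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def log_custody(log_path: str, action: str, examiner: str, item: str, digest: str) -> None:
    """Append one chain-of-custody entry as a JSON line (who, what, when, hash)."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "action": action,
        "examiner": examiner,
        "item": item,
        "sha256": digest,
    }
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")


def acquire(source: str, image: str, log_path: str, examiner: str) -> str:
    """Copy the source to an image, hash both, and refuse to proceed unless they match.

    Returns the acquisition hash, which becomes the reference value for every
    later verification. Hashing the source first and the image second proves
    the copy is bit-identical to what was seized.
    """
    source_hash = sha256_file(source)
    shutil.copyfile(source, image)
    image_hash = sha256_file(image)
    if source_hash != image_hash:
        raise RuntimeError("acquisition failed: image hash differs from source")
    os.chmod(image, 0o444)  # read-only master copy; analysts work on further copies
    log_custody(log_path, "acquired", examiner, image, image_hash)
    return image_hash


def verify(image: str, reference_hash: str, log_path: str, examiner: str) -> bool:
    """Re-hash the image, compare with the acquisition hash, and log the outcome."""
    ok = sha256_file(image) == reference_hash
    log_custody(log_path, "verified" if ok else "VERIFY FAILED", examiner, image, reference_hash)
    return ok


def demo() -> dict:
    """Run acquisition, a clean verification, then detect a single flipped byte."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_usb.bin")      # hypothetical file name
    image = os.path.join(workdir, "suspect_usb.raw")       # hypothetical file name
    log_path = os.path.join(workdir, "custody.jsonl")
    # Constructed sample 'device contents'; not real evidence.
    with open(source, "wb") as f:
        f.write(b"MBR...\x00" * 1000 + b"secret.docx contents" + b"\x00" * 4096)

    ref = acquire(source, image, log_path, examiner="Examiner A")
    clean = verify(image, ref, log_path, examiner="Examiner B")

    # Simulate tampering: flip one bit of one byte in the copy, then re-verify.
    os.chmod(image, 0o644)
    with open(image, "r+b") as f:
        f.seek(4096)
        byte = f.read(1)
        f.seek(4096)
        f.write(bytes([byte[0] ^ 0x01]))
    tampered_detected = not verify(image, ref, log_path, examiner="Examiner B")

    with open(log_path, encoding="utf-8") as f:
        entries = [json.loads(line) for line in f]
    shutil.rmtree(workdir)
    return {"clean_verify": clean, "tampered_detected": tampered_detected, "log_entries": len(entries)}


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner would check: the hash is taken from the source before copying and from the image after, so the match is evidence of a faithful acquisition rather than of the copy's self-consistency; and the custody log is append-only with a timestamp and examiner per action, which is what a court asks for when tampering is alleged.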
13. Types of Digital Forensics
• The main branches of digital forensics are:
• Disk Forensics:
• It deals with extracting data from storage media by searching active, modified, or deleted files.
• Network Forensics:
• It is a sub-branch of digital forensics concerned with monitoring and analysis of computer network
traffic to collect important information and legal evidence.
• Wireless Forensics:
• It is a division of network forensics. The main aim of wireless forensics is to offer the tools needed
to collect and analyze data from wireless network traffic.
• Database Forensics:
• It is a branch of digital forensics relating to the study and examination of databases and their
related metadata.
• Malware Forensics:
• This branch deals with the identification of malicious code (viruses, worms, etc.) and the study of
its payload and behaviour.
• Email Forensics:
• Deals with recovery and analysis of emails, including deleted emails, calendars, and contacts.
• Memory Forensics:
• It deals with collecting data from system memory (system registers, cache, RAM) in raw form and
then carving the data from the raw dump.
• Mobile Phone Forensics:
• It mainly deals with the examination and analysis of mobile devices. It helps to retrieve phone
and SIM contacts, call logs, incoming and outgoing SMS/MMS, audio, video, etc.
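Disk forensics and memory forensics both rely on carving: recovering objects from a raw dump by their byte signatures when no file system entry points to them (a deleted file, or a process's data in a RAM capture). The Python below is an added example rather than code from the slides. The dump it scans is constructed inline (an intact JPEG, a "deleted" PDF with no directory entry, and a PNG whose tail was overwritten), and the signature table covers only three types.

```python
"""Signature-based file carving over a raw dump (disk image or RAM capture).

Added example, not code from the page. Recovers objects by header/footer
byte signatures; the dump below is constructed, not a real capture.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# (kind, header, footer, max_size). max_size bounds the footer search so a
# header whose footer is missing cannot swallow the rest of the dump.
Signature = Tuple[str, bytes, bytes, int]
SIGNATURES: Sequence[Signature] = (
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20 * 1024 * 1024),
    ("pdf", b"%PDF-", b"%%EOF", 50 * 1024 * 1024),
)


@dataclass
class Carved:
    kind: str
    offset: int      # byte offset in the dump, recorded for the report
    data: bytes
    complete: bool   # False when no footer was found within max_size

    @property
    def sha256(self) -> str:
        """Hash of the carved object, so it can be verified later like any exhibit."""
        return hashlib.sha256(self.data).hexdigest()


def carve(dump: bytes, signatures: Sequence[Signature] = SIGNATURES) -> List[Carved]:
    """Scan the whole dump for every signature, ignoring file system structures."""
    found: List[Carved] = []
    for kind, header, footer, max_size in signatures:
        pos = 0
        while True:
            start = dump.find(header, pos)
            if start == -1:
                break
            limit = min(len(dump), start + max_size)
            end = dump.find(footer, start + len(header), limit)
            if end == -1:
                # Truncated or fragmented object: keep the bytes up to the size
                # bound (or end of dump) and flag it as partial for manual review.
                found.append(Carved(kind, start, dump[start:limit], False))
                pos = start + len(header)
            else:
                end += len(footer)
                found.append(Carved(kind, start, dump[start:end], True))
                pos = end
    found.sort(key=lambda c: c.offset)
    return found


def build_sample_dump() -> bytes:
    """Constructed dump: zero filler, an intact JPEG, a 'deleted' PDF with no
    directory entry, and a PNG whose tail was overwritten (no IEND chunk)."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 64 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF"
    png_truncated = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x22" * 40
    filler = b"\x00" * 512
    return filler + jpeg + filler + pdf + filler + png_truncated + b"\xab" * 100


def report(dump: bytes) -> List[Tuple[int, str, int, bool, str]]:
    """Rows for the examiner's notes: offset, type, size, complete?, hash."""
    return [(c.offset, c.kind, len(c.data), c.complete, c.sha256) for c in carve(dump)]


if __name__ == "__main__":
    for offset, kind, size, complete, digest in report(build_sample_dump()):
        status = "complete" if complete else "PARTIAL"
        print(f"0x{offset:08x}  {kind:3}  {size:6d} bytes  {status:8}  sha256={digest[:16]}...")
```

The partial flag is the caveat that matters in practice: a header without a footer may be a fragmented file, an overwritten one, or a false positive (three bytes such as FF D8 FF occur by chance in large dumps), so partial hits are reviewed by hand rather than reported as recovered files.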
14. Challenges faced by Digital Forensics
• The major challenges faced by digital
forensics are:
• The growth in the number of PCs and the extensive use
of internet access
• Easy availability of hacking tools
• Lack of physical evidence makes prosecution
difficult.
• Storage volumes now measured in terabytes
make the investigation job time-consuming.
• Any technological change requires an upgrade or
change to the forensic tools.
15. Example Uses of Digital Forensics
• In recent times, commercial organizations have
used digital forensics in the following types of cases:
• Intellectual property theft
• Industrial espionage
• Employment disputes
• Fraud investigations
• Inappropriate use of the Internet and email in the
workplace
• Forgery-related matters
• Bankruptcy investigations
• Regulatory compliance issues
16. Advantages of Digital forensics
• The benefits of digital forensics are:
• It helps to ensure the integrity of the computer system.
• It produces evidence for the court, which can lead to the
punishment of the culprit.
• It helps companies to capture important information if
their computer systems or networks are compromised.
• It can track down cybercriminals anywhere in the
world.
• It helps to protect the organization's money and valuable
time.
• It allows the extraction, processing, and interpretation of factual
evidence, so that the cybercriminal's actions can be proved in
court.
17. Disadvantages of Digital Forensics
• The major drawbacks of digital
forensics are:
• Digital evidence is accepted in court only if it can
be proved that it has not been tampered with.
• Producing electronic records and storing them is an
extremely costly affair.
• Legal practitioners must have extensive computer
knowledge.
• The evidence produced must be authentic and convincing.
• If the tool used for digital forensics does not meet
specified standards, the court may
reject the evidence.
• Lack of technical knowledge on the part of the investigating
officer may prevent the desired result.
18. Cyber Criminals and their types
• Cyber crime is taken very seriously by law
enforcement. In the early years of
cyber security, the typical cyber
criminals were teenagers or hobbyists
operating from a home computer, with attacks
mostly restricted to pranks and malicious
mischief.
• Today, the world of cyber criminals has
become far more dangerous. Attackers are
individuals or groups who attempt to exploit
vulnerabilities for personal or financial gain.
19. Types of Cyber Criminals:
• 1. Hackers:
The term hacker may refer to anyone with technical skills; however,
it typically refers to an individual who uses his or her skills to
gain unauthorized access to systems or networks in order to
commit crimes. The intent of the break-in determines the
classification of these attackers as white, gray, or black hats. White
hat attackers break into networks or computer systems to find weaknesses
in order to improve the security of those systems.
• The owners of the system give permission for the break-in,
and they receive the results of the test. On the other
hand, black hat attackers take advantage of any vulnerability for
illicit personal, financial or political gain. Gray hat attackers
are somewhere between white and black hat attackers. Gray hat
attackers may find a vulnerability and report it to the owners of
the system if that action coincides with their agenda.
20. Types of Hackers
• (a). White Hat Hackers –
These hackers use their programming skills for a good and
lawful purpose. They may perform network penetration
tests in an attempt to compromise networks and discover
vulnerabilities. The vulnerabilities are then reported to the
developers or owners so they can be fixed.
• (b). Gray Hat Hackers –
These hackers commit violations and do seemingly unethical
things, but not for personal gain or to cause harm. They
may disclose a vulnerability to the affected organization
after having compromised its network without permission.
• (c). Black Hat Hackers –
These hackers are unethical criminals who violate network security
for personal gain. They exploit vulnerabilities to compromise
computer systems.
21. Types of cyber criminals
• 2. Organized Hackers:
These criminals include organizations of
cyber criminals, hacktivists, terrorists, and
state-sponsored hackers. Cyber criminals are
typically groups of skilled criminals focused on
control, power, and wealth. They
are extremely sophisticated and organized, and
may even offer crime as a service. These
attackers are usually highly trained and
well-funded.
22. Types of cyber criminals
• 3. Internet stalkers:
Internet stalkers are people who maliciously
monitor the web activity of their victims to
acquire personal data. This type of cyber
crime is conducted through social
networking platforms and malware that
can track an individual's computer activity with
little or no detection.
23. Types of cyber criminals
• 4. Disgruntled Employees:
Disgruntled employees may turn to hacking with a
particular motive and commit cyber crimes. In the
past, their only recourse was to go on strike against
their employers. With the advance of technology,
more work is done on computers and more processes
are automated, so it is simple for a disgruntled
employee to do far more damage to the employer and
organization by committing cyber crimes. Such an
insider already holds legitimate access, and an attack
by such an employee can bring the entire system down.
24. Mobile Forensics
• Mobile device forensics is a branch of digital
forensics relating to recovery of digital evidence or data
from a mobile device under forensically sound conditions.
• The phrase mobile device usually refers to mobile phones;
however, it can also relate to any digital device that has
both internal memory and communication ability,
including PDA devices, GPS devices and tablet computers.
• The use of mobile phones/devices in crime has been widely
recognized for some years, but the forensic study of mobile
devices is a relatively new field, dating from the late 1990s
and early 2000s.
• A proliferation of phones (particularly smartphones) and
other digital devices on the consumer market caused a
demand for forensic examination of the devices, which
could not be met by existing computer
forensics techniques.
25. Growing need for mobile forensics
• Mobile devices can be used to save several types of personal
information such as contacts, photos, calendars and
notes, SMS and MMS messages. Smartphones may additionally
contain video, email, web browsing information, location
information, and social networking messages and contacts.
• There is growing need for mobile forensics due to several reasons
and some of the prominent reasons are:
• Use of mobile phones to store and transmit personal and corporate
information
• Use of mobile phones in online transactions
• Law enforcement, criminals and mobile phone devices[2]
• Mobile device forensics can be particularly challenging on a number
of levels
26. Types of evidence in mobile forensics
• As mobile device technology advances, the amount and types of data that can be found on
a mobile device is constantly increasing. Evidence that can be potentially recovered from a mobile
phone may come from several different sources, including handset memory, SIM card, and
attached memory cards such as SD cards.
• Traditionally mobile phone forensics has been associated with
recovering SMS and MMS messaging, as well as call logs, contact lists and
phone IMEI/ESN information. However, newer generations of smartphones also include wider
varieties of information; from web browsing, Wireless network settings, geolocation information
(including geotags contained within image metadata), e-mail and other forms of rich internet
media, including important data—such as social networking service posts and contacts—now
retained on smartphone 'apps'.[7]
• Internal memory
• Most mobile devices today use flash memory of the NAND or NOR type.[8]
• External memory
• External memory devices are SIM cards, SD cards (commonly found within GPS devices as well as
mobile phones), MMC cards, CF cards, and the Memory Stick.
• Service provider logs
• Although not technically part of mobile device forensics, the call detail records (and occasionally,
text messages) from wireless carriers often serve as "back up" evidence obtained after the mobile
phone has been seized. These are useful when the call history and/or text messages have been
deleted from the phone, or when location-based services are not turned on. Call detail records
and cell site (tower) dumps can show the phone owner's location, and whether they were
stationary or moving (i.e., whether the phone's signal bounced off the same side of a single tower,
or different sides of multiple towers along a particular path of travel).
• Carrier data and device data together can be used to corroborate information from other sources,
for instance, video surveillance footage or eyewitness accounts; or to determine the general
location where a non-geotagged image or video was taken.
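The last two bullets describe cell-site analysis. The Python below is an added example, not code from the slides or from any carrier. It parses a constructed CDR export and a constructed cell-site table (the column layout, subscriber numbers, tower IDs and coordinates are all invented), classifies a subscriber as stationary or moving from the sequence of towers, and looks up the cell serving the handset at the event nearest to the time a non-geotagged photo was taken.

```python
"""Cell-site analysis over carrier call detail records (CDRs).

Added example, not code from the page. The CDR columns, cell-site table
and every row are constructed for illustration; real exports vary by
operator and must be taken from the certified records the carrier supplies.
"""
import csv
import io
from datetime import datetime
from typing import Dict, List, Tuple

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed cell-site reference: cell_id -> (tower, sector, lat, lon).
CELL_SITES: Dict[str, Tuple[str, int, float, float]] = {
    "4011-1": ("T4011", 1, 28.6139, 77.2090),
    "4011-2": ("T4011", 2, 28.6139, 77.2090),
    "4012-3": ("T4012", 3, 28.6200, 77.2300),
    "4013-1": ("T4013", 1, 28.6320, 77.2500),
}

# Constructed CDR export, one row per call or SMS event (duration 0 = SMS).
CDR_CSV = """msisdn,start_time,duration_s,peer,cell_id
919800000001,2023-03-10 09:02:11,45,919800000099,4011-1
919800000001,2023-03-10 09:30:40,0,919800000077,4011-1
919800000001,2023-03-10 09:58:03,120,919800000099,4011-2
919800000001,2023-03-10 10:21:19,30,919800000055,4012-3
919800000001,2023-03-10 10:44:52,0,919800000077,4013-1
919800000002,2023-03-10 09:15:00,60,919800000001,4013-1
919800000002,2023-03-10 11:15:00,60,919800000001,4013-1
"""


def parse_cdrs(text: str) -> List[dict]:
    """Parse the export and resolve each cell_id to its tower, sector and position."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        tower, sector, lat, lon = CELL_SITES[row["cell_id"]]
        events.append({
            "msisdn": row["msisdn"],
            "start": datetime.strptime(row["start_time"], TIME_FMT),
            "cell_id": row["cell_id"],
            "tower": tower, "sector": sector, "lat": lat, "lon": lon,
        })
    return sorted(events, key=lambda e: e["start"])


def movement_profile(events: List[dict], msisdn: str) -> Tuple[List[str], str]:
    """Tower/sector sequence for one subscriber and a coarse stationary/moving call."""
    own = [e for e in events if e["msisdn"] == msisdn]
    sequence = [f'{e["tower"]}/{e["sector"]}' for e in own]
    towers = {e["tower"] for e in own}
    sectors = {(e["tower"], e["sector"]) for e in own}
    if len(towers) > 1:
        verdict = "moving"            # different towers along a path of travel
    elif len(sectors) > 1:
        verdict = "local movement"    # same tower, different sides
    else:
        verdict = "stationary"        # same side of a single tower throughout
    return sequence, verdict


def cell_at(events: List[dict], msisdn: str, when: str) -> Tuple[str, Tuple[float, float], float]:
    """Cell serving the handset at the CDR event nearest to `when` (TIME_FMT string).

    Returns (cell_id, (lat, lon), gap_in_minutes). The gap matters: a CDR only
    fixes the handset at event times, so a large gap weakens the inference.
    """
    target = datetime.strptime(when, TIME_FMT)
    own = [e for e in events if e["msisdn"] == msisdn]
    nearest = min(own, key=lambda e: abs((e["start"] - target).total_seconds()))
    gap_min = abs((nearest["start"] - target).total_seconds()) / 60
    return nearest["cell_id"], (nearest["lat"], nearest["lon"]), gap_min


if __name__ == "__main__":
    evs = parse_cdrs(CDR_CSV)
    for sub in ("919800000001", "919800000002"):
        seq, verdict = movement_profile(evs, sub)
        print(sub, verdict, " -> ".join(seq))
    # A photo on the seized handset has a file time of 10:30 but no geotag.
    cell, (lat, lon), gap = cell_at(evs, "919800000001", "2023-03-10 10:30:00")
    print(f"at photo time: cell {cell} near ({lat}, {lon}); nearest CDR event {gap:.1f} min away")
```

Two caveats apply to any such result. A cell serves an area that can span hundreds of metres to several kilometres, and a handset does not always attach to the geographically nearest tower, so the output is a general area, not a point. And the record only places the phone at the moments it generated events, which is why the gap to the nearest event is returned alongside the cell.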
27. Electronic Evidence/ Digital Evidence & Cyber Law in
India
• The proliferation of computers and the influence of
information technology on society as a whole, coupled
with the ability to store and amass information in
digital form, have all necessitated amendments to
Indian law to incorporate provisions on the
appreciation of digital evidence.
• The Information Technology Act, 2000 and its
amendments are based on the United Nations
Commission on International Trade Law (UNCITRAL)
Model Law on Electronic Commerce. The Information
Technology (IT) Act 2000 was amended to allow for
the admissibility of digital evidence.
• Amendments to the Indian Evidence Act 1872, the
Indian Penal Code 1860 and the Banker's Book
Evidence Act 1891 provide the legislative framework
for transactions in the electronic world.
28. Digital evidence or electronic evidence
• Digital evidence or electronic evidence is any probative information stored
or transmitted in digital form that a party to a court case may use at trial.
Before accepting digital evidence, the court must determine its
relevance, veracity and authenticity, and establish whether it is hearsay
and whether a copy may be accepted in place of the original.
• Digital evidence is "information of probative value that is stored or
transmitted in binary form". Evidence is not limited to that found on
computers but may also extend to evidence on digital devices such
as telecommunication or electronic multimedia devices.
• Electronic evidence can be found in e-mails, digital photographs, ATM
transaction logs, word processing documents, instant message histories,
files saved from accounting programs, spreadsheets, internet browser
histories, databases, contents of computer memory, computer backups,
computer printouts, Global Positioning System tracks, logs from a hotel's
electronic door locks, and digital video or audio files.
• Digital evidence tends to be more voluminous, more difficult to destroy,
easily modified, easily duplicated, potentially more expressive and more
readily available.
29. Computer forensics
• Computer forensics is a branch of forensic science
pertaining to legal evidence found in computers
and digital storage mediums. Computer forensics
is also known as digital forensics.
• The goal of computer forensics is to explain the
current state of a digital artifact.
• The term digital artifact can include: A computer
system storage medium (hard disk or CD-ROM)
an electronic document (e.g. an email message or
JPEG image) or even a sequence of packets
moving over a computer network.
30. Evidence Act, 1872
• The definition of 'evidence' has been amended to include
electronic records.
• The definition of 'documentary evidence' has been
amended to include all documents, including electronic
records produced for inspection by the court.
• Section 3 of the Evidence Act, 1872 defines evidence as
under: "Evidence" - Evidence means and includes:-
• 1) all statements which the court permits or requires to be
made before it by witnesses, in relation to matters of fact
under inquiry; such statements are called oral evidence;
• 2) all documents including electronic records produced for
the inspection of the court. Such documents are called
documentary evidence.
31. Electronic Records
• The term 'electronic records' has been given the same meaning as that assigned to
it under the IT Act. IT Act provides for "data, record or data generated, image or
sound stored, received or sent in an electronic form or microfilm or computer-
generated microfiche". The definition of 'admission' (Section 17 of the Evidence
Act) has been changed to include a statement in oral, documentary or electronic
form which suggests an inference to any fact at issue or of relevance.
• New Section 22-A has been inserted into Evidence Act, to provide for the relevancy
of oral evidence regarding the contents of electronic records. It provides that oral
admissions regarding the contents of electronic records are not relevant unless the
genuineness of the electronic records produced is in question.
• The definition of 'evidence' has been amended to include electronic records. The
definition of 'documentary evidence' has been amended to include all documents,
including electronic records produced for inspection by the court.
• New sections 65-A and 65-B are introduced to the Evidence Act, under the Second
Schedule to the IT Act.
• Section 65-A provides that the contents of electronic records may be proved in
accordance with the provisions of Section 65-B.
• Section 65-B provides that notwithstanding anything contained in the Evidence
Act, any information contained in an electronic record is deemed to be a document and
is admissible in evidence without further proof or production of the original,
provided that the conditions set out in Section 65-B are satisfied.
32. The conditions specified in Section 65-B(2) are:
• Firstly, the computer output containing the information should have
been produced by the computer during the period over which the
computer was used regularly to store or process information for the
purpose of any activities regularly carried on over that period by
the person having lawful control over the use of the computer.
• The second requirement is that it must be shown that during the
said period the information of the kind contained in electronic
record or of the kind from which the information contained is
derived was 'regularly fed into the computer in the ordinary course
of the said activity'.
• A third requirement is that during the material part of the said
period, the computer was operating properly and that even if it was
not operating properly for some time that break did not affect
either the record or the accuracy of its contents.
• The fourth requirement is that the information contained in the
record should be a reproduction or derived from the information
fed into the computer in the ordinary course of the said activity.
33. Section 65-B(4) and Section 65-B(1)
• Under Section 65-B(4) the certificate which identifies the
electronic record containing the statement and describes
the manner in which it was produced, giving the particulars
of the device involved in the production of that record, and
deals with the conditions mentioned in Section 65-B(2) and
is signed by a person occupying a responsible official
position in relation to the operation of the relevant device
'shall be evidence of any matter stated in the certificate'.
• Section 65-B(1) states that if any information contained in
an electronic record produced from a computer (known as
computer output) has been copied on to an optical or
magnetic medium, then such electronic record that has been
copied 'shall be deemed to be also a document', subject to the
conditions set out in Section 65-B(2) being satisfied both in
relation to the information and to the computer in
question. Such a document 'shall be admissible in any
proceedings, without further proof or production of the
original, as evidence of any contents of the original or of any
fact stated therein of which direct evidence would be
admissible'.
34. ELECTRONIC EVIDENCE - CASE LAW
• Amitabh Bagchi Vs. Ena Bagchi (AIR 2005 Cal 11) [Sections 65-A and 65-B of the
Evidence Act, 1872 were analyzed.] The court held that the physical presence of a
person in court may not be required for the purpose of adducing evidence, which
can be done through a medium like video conferencing. Sections 65-A and 65-B
provide for evidence relating to electronic records and the admissibility of
electronic records, and the definition of electronic records includes video
conferencing.
• State of Maharashtra vs. Dr Praful B Desai (AIR 2003 SC 2053) [The question
involved whether a witness can be examined by means of a video conference.] The
Supreme Court observed that video conferencing is an advancement of science and
technology which permits seeing, hearing and talking with someone who is not
physically present with the same facility and ease as if they were physically present.
The legal requirement for the presence of the witness does not mean actual physical
presence. The court allowed the examination of a witness through video
conferencing and concluded that there is no reason why the examination of a
witness by video conferencing should not be an essential part of electronic evidence.
• BODALA MURALI KRISHNA VS. SMT. BODALA PRATHIMA (2007 (2) ALD 72) The
court held that, “…the amendments carried to the Evidence Act by introduction of
Sections 65-A and 65-B are in relation to the electronic record. Sections 67-A and 73-
A were introduced as regards proof and verification of digital signatures. As regards
presumption to be drawn about such records, Sections 85-A, 85-B, 85-C, 88-A and 90-
A were added. These provisions are referred only to demonstrate that the emphasis,
at present, is to recognize the electronic records and digital signatures, as admissible
pieces of evidence.”
35. ELECTRONIC EVIDENCE - CASE LAW
• STATE (NCT OF DELHI) Vs. NAVJOT SANDHU (AIR 2005 SC 3820) There was an
appeal against conviction following the attack on Parliament on December 13
2001. This case dealt with the proof and admissibility of mobile telephone call
records. While considering the appeal against the accused for attacking
Parliament, a submission was made on behalf of the accused that no reliance
could be placed on the mobile telephone call records, because the prosecution
had failed to produce the relevant certificate under Section 65-B(4) of the
Evidence Act. The Supreme Court concluded that a cross-examination of the
competent witness acquainted with the functioning of the computer during the
relevant time and the manner in which the printouts of the call records were taken
was sufficient to prove the call records.
• JAGJIT SINGH Vs. STATE OF HARYANA ((2006) 11 SCC 1) The speaker of the
Legislative Assembly of the State of Haryana disqualified a member for defection.
When hearing the matter, the Supreme Court considered the digital evidence in
the form of interview transcripts from the Zee News television channel, the Aaj Tak
television channel and the Haryana News of Punjab Today television channel. The
court determined that the electronic evidence placed on record was admissible
and upheld the reliance placed by the speaker on the recorded interview when
reaching the conclusion that the voices recorded on the CD were those of the
persons taking action. The Supreme Court found no infirmity in the speaker's
reliance on the digital evidence and the conclusions reached by him. The
comments in this case indicate a trend emerging in Indian courts: judges are
beginning to recognize and appreciate the importance of digital evidence in legal
proceedings.