cyber forensic report- data recovery module


Upload: ivneetsinghanand

Post on 08-Mar-2015


DESCRIPTION

Cyber Forensic Report as part of my academics


Cyber Forensic Investigation Report

Submitted By:

Name: Ivneet Singh

ID: TP023861

Intake: UC3F1010IT(ISS)

Module: Data Recovery

Submitted To:

NOR AFIFAH BINTI SABRI

(Lecturer)

Contents

Computer Evidence Analysis Report
    Case Background
    Investigation Outlines
FIRST INFORMATION REPORT
PROPERTY SEARCH AND SEIZURE FORM
Request for Service
Chain of Custody Form
Investigation Report
Chain of Custody Form
Investigation Report
Chain of Custody Form
Investigation Report
Cyber Forensic Analysis
    Evidence Device 1
    Evidence Device 2
    Evidence Device 3
Computer Evidence Assessment Checklist
Cyber Forensic Analysis Report
Computer Evidence Analysis Checklist
Detailed Case
    Introduction
    Background of the Issue
Details of the Cyber Forensic Carried Out by Team
    Evidence Analysis
COMPLAINT TO ADJUDICATING OFFICER
Legal Issues
    Information Theft
    Applicable Law

COMPUTER EVIDENCE ANALYSIS REPORT

Case Background

An internal investigation is to be conducted at Detag Industries, a company that manufactures fuel cell batteries used by thousands of companies worldwide. The investigation is required because one of the research assistants in the R&D lab, Mr. Robert, is suspected of leaking confidential information to their major competitor, Rift, Inc. The suspicion arose after Detag noticed that its clients were no longer re-ordering these fuel cell batteries, which had once been unique to Detag, and were instead ordering from Rift, Inc.

After a thorough investigation into the reason for this, it was established that a CD containing a large amount of confidential information had been taken out of the research and development laboratory without authorization. Surveillance camera footage showed that this offence was committed on the 26th of April 2008 at around 4:45 pm by Mr. Robert. Mr. Robert is therefore suspected of committing two offences: accessing this confidential information without authorization, and leaking that information.

To proceed with the investigation, a USB flash drive was seized from Robert Saunders. To help with the investigation, an investigation team consisting of IT security and forensic experts was engaged. A USB flash drive and a laptop were later seized from Robert Saunders' possession for further investigation. Both items were taken into custody by the company and handed over to the investigation team for analysis. The leader of the investigation team, David Keen, has requested you to analyze the USB flash drive and laptop and provide a report on your findings.

Investigation Outlines:

While investigating cybercrime cases, the team follows the process outlined below:

1. The filled-in Request for Service (RFS) is obtained from the client (Detag). The RFS helps the team understand what the client expects from the investigation. In the RFS, the client describes the crime and requests the team to investigate it.

2. The team then appoints a lead investigator (Mr David) for the case. The lead investigator meets the client to discuss the investigative avenues and the potential evidence being sought in the investigation. The lead investigator and the investigation team for each case are appointed with great care and caution; the technical requirements of the investigation are the primary basis for selecting the team and the lead investigator.

3. The relevant information, media, documents etc. are then received from the client. The chain of custody form for each of these items is duly filled in by the team of investigators.

4. The chain of custody form for each device is meticulously updated throughout the investigation. One copy of the chain of custody form for each device is handed over to the client at the end of the investigation.

5. Where possible the media (USB and hard drive) is imaged. The original media is returned to the client and the image is retained for investigation.

6. The images are authenticated using the MD5 and/or SHA-1 hash functions. Detailed cyber forensic analysis and investigation are carried out in a secure and confidential manner by skilled professionals.

7. The findings of the analysis and investigation are properly documented and the relevant reports are submitted to the court.

FIRST INFORMATION REPORT

(Under Section 154 Cr.P.C)

1. District : New Delhi P.S: Green Lawns Year:2008 FIR No: 29

Date: 27th April 2008

2. (1) Act Information Technology Act, 2000 Section 66

(2) Act Information Technology Act, 2000 Section 43

3. (a) Occurrence of offence:

Date from: 26th April 2008 Date to: 26th April 2008

Time from: 1400 hours Time to: 1645 hours

(b) Information received at P.S.:

Date: 27th April 2008 Time: 1000 hours

(c) General Diary Reference: Entry No. 29A/D Time: 1000 hours

4. Type of Information: Oral

5. Place of Occurrence:

(a) Direction and distance from Police Station : North /3.0 KM

Beat number: 2284

(b) Address : New Delhi / North Delhi INDIA

(c) In case outside the limit of this police station, then: Name of Police Station: ______ District: ______

6. Complainant / Informant:

(a) Name : Mr. Harrison

(b) Father’s / husband name: Mr. Martin

(c) Date / year of birth : 11 / 09/ 1959

(d) Nationality: INDIAN

(e) Passport No: G560934 Date of Issue: 12/12/1990

Place of Issue: New Delhi

(f) Occupation: IT professional

(g) Address: Brown Road, Green Bihar, New Delhi, INDIA

7. Details of known / suspected / unknown accused with full particulars

Name: Mr. Robert Company: DeTag

Sex: Male Occupation: Research Assistant

Age: 35 years

8. Reasons for delay in reporting by the complainant / informant

Not applicable

9. Particulars of properties stolen

Not applicable

10. Total value of property

Not applicable

11. Inquest Report / U.D. case no. , If any

12. First information contents

On 26th April 2008, Mr. Robert was suspected of leaking private and confidential information from the DeTag Company. A video surveillance tape was produced as evidence showing that Mr. Robert was copying the confidential information of the company onto compact disks. The video was taken on 26th April 2008 at 4:45 PM.

13. Action taken:

Since the above information reveals commission of offence(s) u/s as mentioned at

item No.2:

(1) Registered the case and took up the investigation or

(2) Directed :Mr. Karan Saxena

Rank: Asst. Commissioner of Police No.: IPS2334

(3) Refused investigation due to or

(4) Transferred to police station District on point of jurisdiction.

F.I.R. read over to the complainant / informant, admitted to be correctly recorded, and a copy given to the complainant / informant free of cost.

R.O.A.C Signature of Officer in charge

Police Station Name: Karan Saxena

Rank: Asst. Commissioner of Police

No. IPS2334

14. Date and time of dispatch to the court : 28th April 2008 , 1000 hours


PROPERTY SEARCH AND SEIZURE FORM

(Search / Production / Recovery u/s 51/102/165 Cr.P.C)

1. District : New Delhi P.S: Green Lawns Year:2008 FIR No: 29

2. Act & sections : Section 66 of the information Technology Act,2000

3. Nature of property seized: Stolen / Unclaimed / Unlawful possession / Involved / Intestate.

4. Property Seized / recovered:

(a) Date: 28th April 2008

(b) Time: 1100 hours

(c) Place: 14 Alex Street , New Delhi

(d) Description of the place : DeTag Company , New Delhi

5. Person from whom seized / recovered:

Name: Mr Harrison Father’s name: Mr Joe

Sex: Male Age: 42 years

Address: DeTag Company, New Delhi

Professional receiver of stolen property: Yes / No

6. Witness:

(1) Name: Savita Kulkerni

Father’s / husband name: Gokul Kulkerni

Age: 43 years Occupation: IT professional


Address: 123, LIM SIM , New Delhi

(2) Name: Abhijeet Nayaran

Father’s / husband name: Venkat Narayan

Age: 35 years Occupation: IT professional

Address: 270, Green Avenue road, New Delhi

7. Action taken/ recommended for disposal of perishable property

Not Applicable

8. Action taken / recommended for keeping of valuable property

Deposited with computer storage room at New Delhi District Court

9. Identification required : Yes / No

10. Details of property seized / recovered

(1) Toshiba Laptop Model no – A48756876 having serial number 95535353BF

(2) Kingston USB Flash Drive Model No - M9724ZP/A having serial number

MHY2250BH

(3) Video Tape Model No - TDK E249 NHS having serial number 223-442-2060

11. Circumstances / grounds for seizure

The above laptop, USB flash drive and video tape are suspected to have been used to plan and commit the offence by the accused in Case no. 29 registered with Green Lawns Police Station.

12. The above mentioned properties were seized in accordance with the provisions of law in the presence of the above said witnesses, and a copy of the seizure form was given to the person / the occupant of the place from whom seized.

13. The properties mentioned above were packed and / or sealed and the signatures of the above said witnesses obtained thereon or on the body of the property.

REQUEST FOR SERVICE

RFS No. IN-PNQ/03-08/084

Date:28th April 2008

Client name and address: DeTag Company, New Delhi, INDIA

Client's authorised representative: Mr Harrison

Email: [email protected]

Phone: 9812288990

Fax: 011-604690

Background of the case: On 26th April the DeTag Company found the suspect, Mr Robert, working as assistant researcher in the research and development department, to be leaking the DeTag Company's confidential information to their competitors. From the video surveillance tape they found that Mr Robert copied the confidential information from the company laptop onto a compact disk.

Details of the media:

(1) Toshiba Laptop Model no – A48756876 having serial number 95535353BF

(2) Kingston USB Flash Drive Model No - M9724ZP/A having serial number MHY2250BH

(3) Video Tape Model No - TDK E249 NHS having serial number 223-442-2060

Have the computer(s), media etc. mentioned above been accessed / examined prior to being handed over to the team? If yes give details: The laptop, USB flash drive and video tape have been seized from the suspect. Thereafter there has been no access / examination of the media listed above.

Services requested from team: Analyse the seized hard disk from the laptop, the Kingston flash drive and the video surveillance tape to recover evidence related to the undisclosed information.

For internal use only (Please leave blank)

Case received on : 28th April 2008

Case received by : Mr David

Referred by:Mr Harrison

Category: Tax / Porn / Financial / Cyber        Priority: 1 2 3 4 5 6 7 8 9 10

Chain of Custody Form

Lead Investigator: Mr David

Case number: IN-PNQ/03-08/084

Evidence number: HDD-01

Date and time of confiscation / recovery: 28th April 2008 [1425 hours]

Person from whom confiscated / recovered: Mr Robert

Place of confiscation / recovery: DeTag Company, New Delhi, INDIA

Details of prior access / investigation: NIL

Description of media: TOSHIBA LAPTOP HARD DISK
Model no: M9724ZP/A
Manufacturer: TOSHIBA
Serial no: 95535353BF
Dimensions: 10 cm x 14.5 cm x 2.5 cm
Capacity: 160 GB
Jumper: Master
Interface: IDE
LBA Add. Sec.: 78,242,976

Unusual marks, if any: None

Chain of custody:

Date and Time                Released by    Released to    Purpose of change of custody
29th April 2008, 1005 hours  Mr David       Mr Thomas      Creation of image; computation of hash value
29th April 2008, 1245 hours  Mr Thomas      Mr David       For returning to client
29th April 2008, 1430 hours  Mr David       Mr Harrison    Returned to client

Investigation Report

The MD5 hash value of HDD-01 [Case: IN-PNQ/03-08/084], as computed using WinHex 14.4 SR2 software (hereafter referred to as WinHex) licensed to the investigation team, is:

MD5 HASH (128 Bit) = 1F4E08B0FAECC667EC2DC500BD118AEE

Computing MD5 (128 Bit) HASH VALUE

Computing SHA-1 (160 Bit) HASH VALUE

SHA-1 HASH (160 Bit) = DE4C8CD227F6A0B4A1E1D08DF95034381F15388E

The image of evidence number HDD-01 was created by Mr David using WinHex. The image was named USB-01. The MD5 hash and SHA-1 hash values of the image as computed using WinHex are:

MD5 HASH (128 Bit) = 1F4E08B0FAECC667EC2DC500BD118AEE

SHA-1 HASH (160 Bit) = DE4C8CD227F6A0B4A1E1D08DF95034381F15388E
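Step 6 of the investigation outline and the investigation reports for HDD-01, USB-01 and VHS-01 all rest on the same check: the digests of the image the examiner works on must equal the digests recorded when the image was made. The following Python script is an added example, not part of the original report and not WinHex output; it shows how that check is carried out in a single streaming pass (so a 160 GB image is never loaded into memory at once), how recorded values are compared case-insensitively, and how a mismatch is reported per algorithm. RECORDED_HDD01 holds the digests recorded above for HDD-01; SAMPLE_IMAGE is constructed bytes standing in for an image file, and hash_file() is how a real .dd/.img file would be fed in.

```python
import hashlib
import io
from typing import BinaryIO, Dict, Iterable

# Labels used in the report, mapped to hashlib algorithm names.
ALGORITHMS = {"MD5": "md5", "SHA-1": "sha1"}

# Digests recorded in the investigation report for evidence HDD-01.
RECORDED_HDD01 = {
    "MD5": "1F4E08B0FAECC667EC2DC500BD118AEE",
    "SHA-1": "DE4C8CD227F6A0B4A1E1D08DF95034381F15388E",
}

# Constructed sample "image" so the script runs offline; a real run would open
# the .dd/.img file produced by the imaging tool instead (see hash_file below).
SAMPLE_IMAGE = b"constructed sample image: not a real disk image\x00" * 64

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time


def hash_stream(stream: BinaryIO, labels: Iterable[str] = ALGORITHMS) -> Dict[str, str]:
    """Compute every requested digest in one pass over the stream.

    Feeding all hashers from the same chunk keeps I/O to a single pass over a
    large image and never holds more than CHUNK_SIZE bytes in memory.
    """
    hashers = {label: hashlib.new(ALGORITHMS[label]) for label in labels}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    # Upper-case hex to match the convention used in the report.
    return {label: h.hexdigest().upper() for label, h in hashers.items()}


def hash_bytes(data: bytes, labels: Iterable[str] = ALGORITHMS) -> Dict[str, str]:
    """Digests of an in-memory image (used here for the constructed sample)."""
    return hash_stream(io.BytesIO(data), labels)


def hash_file(path: str, labels: Iterable[str] = ALGORITHMS) -> Dict[str, str]:
    """Digests of an image file on disk, read in chunks."""
    with open(path, "rb") as fh:
        return hash_stream(fh, labels)


def verify_image(data: bytes, recorded: Dict[str, str]) -> Dict[str, bool]:
    """Compare computed digests with recorded ones, one verdict per algorithm.

    Comparison ignores case and surrounding whitespace, since recorded values
    are often transcribed by hand onto a custody form.
    """
    computed = hash_bytes(data, recorded.keys())
    return {label: computed[label] == recorded[label].strip().upper() for label in recorded}


def image_authenticated(data: bytes, recorded: Dict[str, str]) -> bool:
    """True only if every recorded digest matches the recomputed one."""
    return all(verify_image(data, recorded).values())


def flip_bit(data: bytes, index: int = 0) -> bytes:
    """Return a copy of data with one bit flipped, to demonstrate tamper detection."""
    altered = bytearray(data)
    altered[index] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    digests = hash_bytes(SAMPLE_IMAGE)
    for label, value in digests.items():
        print(f"{label} HASH = {value}")
    print("authenticated:", image_authenticated(SAMPLE_IMAGE, digests))
    print("after tampering:", verify_image(flip_bit(SAMPLE_IMAGE), digests))
```

Run the script directly to see the digests of the constructed sample, a successful verification, and the per-algorithm failure after one bit is flipped. Keeping both MD5 and SHA-1, as the report does, means a collision would have to be found in both algorithms at once; recording the digests on the chain of custody form before analysis starts is what makes the later comparison meaningful.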

Chain of Custody Form

Lead Investigator: Mr David

Case number: IN-PNQ/03-08/084

Evidence number: USB-01

Date and time of confiscation / recovery: 28th April 2008 [1425 hours]

Person from whom confiscated / recovered: Mr Robert

Place of confiscation / recovery: DeTag Company, New Delhi, INDIA

Details of prior access / investigation: NIL

Description of media: USB Flash Drive
Model no: A4875687
Manufacturer: Kingston
Serial no: MHY2250BH
Dimensions: 36.4 x 25.6 x 5.7 mm
Capacity: 512 MB
Jumper: N/A
Interface: N/A
LBA Add. Sec.: N/A

Unusual marks, if any: Without cover; some scratches on the top and covered with cello tape from the edges.

Chain of custody:

Date and Time                Released by    Released to    Purpose of change of custody
29th April 2008, 1500 hours  Mr David       Mr Thomas      Creation of image; computation of hash value
29th April 2008, 1745 hours  Mr Thomas      Mr David       For returning to client
29th April 2008, 1930 hours  Mr David       Mr Harrison    Returned to client

Investigation Report

The MD5 hash value of USB-01 [Case: IN-PNQ/03-08/084], as computed using WinHex 14.4 SR2 software (hereafter referred to as WinHex) licensed to the investigation team, is:

MD5 HASH (128 Bit) = 2A0A9A93069AC2A8A5C6EF4BCB615BA4

Computing MD5 (128 Bit) HASH VALUE

Computing SHA-1 (160 Bit) HASH VALUE

SHA-1 HASH (160 Bit) = 3D1598FD832247EFCD58DE76E943DF190E46E10B

The image of evidence number USB-01 was created by Mr David using WinHex. The image was named USB-01. The MD5 hash and SHA-1 hash values of the image as computed using WinHex are:

MD5 HASH (128 Bit) = 2A0A9A93069AC2A8A5C6EF4BCB615BA4

SHA-1 HASH (160 Bit) = 3D1598FD832247EFCD58DE76E943DF190E46E10B

Chain of Custody Form

Lead Investigator: Mr David

Case number: IN-PNQ/03-08/084

Evidence number: VHS-01

Date and time of confiscation / recovery: 28th April 2008 [1425 hours]

Person from whom confiscated / recovered: Mr Harrison (Detag executive)

Place of confiscation / recovery: DeTag Company, New Delhi, INDIA

Details of prior access / investigation: NIL

Description of media: Video Tape
Model no: TDK E249 NHS
Manufacturer: RTI
Serial no: 223-442-2060
Dimensions: 7 3/8 x 4 1/16 x 1
Capacity: 24 hours
Jumper: N/A
Interface: N/A
LBA Add. Sec.: N/A

Unusual marks, if any: Without cover; some scratches on the top and covered with cello tape from the edges.

Chain of custody:

Date and Time                Released by    Released to    Purpose of change of custody
29th April 2008, 1500 hours  Mr David       Mr Thomas      Creation of image; computation of hash value
29th April 2008, 1745 hours  Mr Thomas      Mr David       For returning to client
29th April 2008, 1930 hours  Mr David       Mr Harrison    Returned to client

Investigation Report

The MD5 hash value of USB-01 [Case: IN-PNQ/03-08/084], as computed using WinHex 14.4 SR2 software (hereafter referred to as WinHex) licensed to the investigation team, is:

MD5 HASH (128 Bit) = 83A16902A0D4F9C98A62E7C3B6F1B0BC

Computing SHA-1 (160 Bit) HASH VALUE

SHA-1 HASH (160 Bit) = FB404B61CFFD01254C47B7676FCE24320F396F88

The image of evidence number USB-01 was created by Mr David using WinHex. The image was named USB-01. The MD5 hash and SHA-1 hash values of the image as computed using WinHex are:

MD5 HASH (128 Bit) = 83A16902A0D4F9C98A62E7C3B6F1B0BC

SHA-1 HASH (160 Bit) = FB404B61CFFD01254C47B7676FCE24320F396F88

CYBER FORENSIC ANALYSIS

Objective

To determine whether the laptop and USB flash drive contain any evidence showing that Mr. Robert was involved in the crime affecting Detag Company.

Evidence device 1: Toshiba Laptop Model no – A48756876 (Hard Drive)

Evidence Device 2: Kingston USB flash drive 512 MB Model no- M9724ZP/A

Evidence device 3: Video surveillance tape – TDK E249 VHS

Evidence device 1: Toshiba Laptop Hard drive

I then began analysis of the image file named HDD-01.

(1) We opened the image file in WinHex using the "Specialist > Interpret Image File As Disk" option (illustrated below).

(2) We then viewed the contents of the image file in the directory browser of WinHex (illustrated below).

(3) On previewing the data in the image I found many files and folders containing the company's confidential information. Some of these files and folders were recovered by me using WinHex.

Contents of Local Disk (C)

Local Disk (C) \Windows\Desktop

Local Disk (C) \Windows\System32

Local Disk (C) \Windows\Internet Logs

Contents of Local Disk (D)

Local Disk (D) \DeTag

(4) A detailed analysis of the hard drive, from which the files were recovered, was then conducted.

(5) A total of 59 recovered files contained confidential information regarding Detag Company.

(6) 11 root folders were recovered from the image, containing many sub folders for Windows system files.

(7) On further investigation I found 7 PDF files of e-tickets and travel information belonging to Mr Robert on the desktop, suggesting that he might be planning to move out of the country very soon.

(8) Total files and folders recovered from the image:

    18 .pdf files
    22 .txt files
    12 .docx files
    7 .xls files
    11 root folders
    4 sub folders

(9) Four document files were password protected; these were recovered using licensed forensic software.
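Items (5) to (8) above summarise the recovered material as counts of files by type, root folders and sub folders. The following Python script is an added example, not part of the original report, showing how such an inventory is derived reproducibly from a listing of recovered paths rather than by hand-counting in the directory browser. RECOVERED_PATHS is a constructed listing modelled on the drive and folder names shown in the screenshots (C:\Windows\Desktop, C:\Windows\System32, D:\DeTag) and is not the report's actual file list; files_under() reproduces the kind of query behind item (7), the PDFs found on the desktop.

```python
from collections import Counter
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional

# Constructed listing of recovered paths; illustrative only, not the report's file list.
RECOVERED_PATHS: List[str] = [
    r"C:\Windows\Desktop\eticket_kl_001.pdf",
    r"C:\Windows\Desktop\itinerary.pdf",
    r"C:\Windows\System32\drivers\etc\hosts.txt",
    r"C:\Windows\Internet Logs\history.txt",
    r"D:\DeTag\Customer_details.xls",
    r"D:\DeTag\Detag_cli.docx",
    r"D:\Battery.pdf",
    r"D:\Battery_guide.doc",
    r"D:\QuoteRequestForm.xls",
]


def inventory(paths: Iterable[str]) -> Dict[str, object]:
    """Tally recovered files by extension and collect root folders and sub folders.

    A root folder is a folder directly under a drive letter (Windows under C:,
    DeTag under D:); every folder below a root folder counts as a sub folder.
    PureWindowsPath is used so a listing taken from a Windows image can be
    processed on any examiner workstation.
    """
    paths = list(paths)
    by_ext: Counter = Counter()
    root_folders, subfolders = set(), set()
    for raw in paths:
        p = PureWindowsPath(raw)
        parts = p.parts  # e.g. ('C:\\', 'Windows', 'Desktop', 'file.pdf')
        by_ext[p.suffix.lower() or "(no extension)"] += 1
        if len(parts) > 2:
            root_folders.add(str(PureWindowsPath(*parts[:2])))
        for depth in range(3, len(parts)):
            subfolders.add(str(PureWindowsPath(*parts[:depth])))
    return {
        "files": len(paths),
        "by_extension": dict(by_ext),
        "root_folders": sorted(root_folders),
        "subfolders": sorted(subfolders),
    }


def files_under(paths: Iterable[str], folder: str, suffix: Optional[str] = None) -> List[str]:
    """Files anywhere below `folder` (case-insensitive), optionally filtered by extension."""
    base = PureWindowsPath(folder)
    wanted = suffix.lower() if suffix else None
    hits = []
    for raw in paths:
        p = PureWindowsPath(raw)
        # PureWindowsPath compares case-insensitively, as the file system does.
        if base in p.parents and (wanted is None or p.suffix.lower() == wanted):
            hits.append(raw)
    return hits


if __name__ == "__main__":
    summary = inventory(RECOVERED_PATHS)
    print("files:", summary["files"])
    for ext, count in sorted(summary["by_extension"].items()):
        print(f"  {count:3d} {ext}")
    print("root folders:", summary["root_folders"])
    print("sub folders:", summary["subfolders"])
    print("desktop PDFs:", files_under(RECOVERED_PATHS, r"C:\Windows\Desktop", ".pdf"))
```

The counts come straight from the listing, so the same listing always yields the same totals; that is what lets a second examiner reproduce the figures in item (8) from the image alone.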

Details of the files recovered from Mr Robert Laptop Hard Drive

Files recovered from local drive (C)

Analysing files recovered from desktop:

The files recovered from the desktop show that Mr. Robert was planning to move to Malaysia very soon. Among the recovered files we found e-tickets to Malaysia booked by Mr. Robert. Some tour and travel information was also present in these files.

Analysing the URL History

Monday, March 24, 2008

Star-Jobs Online: We've shifted to MyStarJob.com
Jobs in Malaysia | careerjet.com.my
Best Jobs Malaysia :: Malaysian job search, job bank, employment and recruitment
JobsMalaysia.gov.my - Gerbang Kerjaya Interaktif Anda
Jobs in Malaysia, Selangor Jobs & Kuala Lumpur Jobs - JobsDB Malaysia
Jobs in Malaysia, Malaysia jobs | Kerja & jawatan kosong - JobStreet.com
jobs in malaysia - Google Search
Malaysia Airline (MAS) Online Booking Tickets
Malaysia airline tickets - Reservation, booking, best prices, system and comparison of airline systems
Cheap Flights, Airline Tickets, Cheap Plane Tickets, Cheap Airfare – CheapOair
Malaysia Airlines airticket booking - Google Search
airticket booking in malaysia - Google Search
Malaysia Hotels - Online hotel reservations for Hotels in Malaysia
Booking.com: Hotels in Malaysia. Book your hotel now!
hotel booking in malaysia - Google Search
How to rebuild a Li-Ion battery pack
Cell Phone Batteries
damage battery cells - Google Search
Google
RIFT - Home - Dynamic Fantasy MMORPG
rift - Google Search
detag - Google Search
DE TAG INDUSTRY SDN BHD - Electronic Article Surveillance ( EAS )
DE TAG INDUSTRY SDN BHD - Electronic Article Surveillance ( EAS )
indian immigrants - Google Search
Bureau of Immigration
Battery Cells
Battery (electricity) - Wikipedia, the free encyclopedia
battery cells - Google Search
Gmail: Email from Google
Yahoo! Mail: The best web-based email!
MATTA Portal
MALAYSIA CENTRAL: Travel & Tours Agents, Tour Operators, Holidays, Sightseeing & Reservation

The URL history of Mr. Robert's laptop, highlighted above, shows that he was planning to move out of the country to Malaysia to work there; several of the links show that Mr. Robert was applying for jobs in Malaysia. One of the links also shows that Mr. Robert searched for the rival company RIFT.
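The URL history above is interpreted by reading each title and grouping the entries by theme (job hunting, travel, the rival company, immigration). The following Python script is an added example, not part of the original report, that performs the same triage mechanically over a history export: each entry is matched against a small set of keyword rules, Google search queries are extracted from the URL, and a per-category count is produced so the examiner can go straight to the entries of interest. HISTORY is a constructed list of (date, title, URL) tuples modelled on the titles listed above; the URLs other than the Google ones are placeholders, and the rule set is this example's own, not the investigation team's.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, unquote_plus, urlparse

# (date, page title, URL). Constructed for this example; titles follow those in
# the report, URLs other than the Google search ones are placeholders.
HistoryEntry = Tuple[str, str, str]
HISTORY: List[HistoryEntry] = [
    ("2008-03-24", "Jobs in Malaysia | careerjet.com.my", "http://www.careerjet.com.my/"),
    ("2008-03-24", "jobs in malaysia - Google Search", "http://www.google.com/search?q=jobs+in+malaysia"),
    ("2008-03-24", "Malaysia Airline (MAS) Online Booking Tickets", "http://airline.example/booking"),
    ("2008-03-24", "hotel booking in malaysia - Google Search", "http://www.google.com/search?q=hotel+booking+in+malaysia"),
    ("2008-03-24", "rift - Google Search", "http://www.google.com/search?q=rift"),
    ("2008-03-24", "RIFT - Home - Dynamic Fantasy MMORPG", "http://rift.example/"),
    ("2008-03-24", "detag - Google Search", "http://www.google.com/search?q=detag"),
    ("2008-03-24", "damage battery cells - Google Search", "http://www.google.com/search?q=damage+battery+cells"),
    ("2008-03-24", "Bureau of Immigration", "http://immigration.example/"),
    ("2008-03-24", "Gmail: Email from Google", "http://mail.google.com/"),
]

# Keyword rules (category, pattern), matched against title + decoded URL.
# An entry may fall into more than one category.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("job search",        re.compile(r"\bjobs?\b|career|jobstreet|jobsdb", re.I)),
    ("travel booking",    re.compile(r"airline|flight|airticket|hotel|booking|travel|\btour", re.I)),
    ("immigration",       re.compile(r"immigra", re.I)),
    ("competitor (Rift)", re.compile(r"\brift\b", re.I)),
    ("company (DeTag)",   re.compile(r"\bde ?tag\b", re.I)),
    ("battery research",  re.compile(r"batter|li-ion|nicad|\bcells?\b", re.I)),
    ("webmail",           re.compile(r"gmail|yahoo! mail|webmail", re.I)),
]


def search_query(url: str) -> Optional[str]:
    """Return the query behind a Google search URL, or None for any other URL."""
    parsed = urlparse(url)
    if "google." not in parsed.netloc:
        return None
    return parse_qs(parsed.query).get("q", [None])[0]


def classify(entry: HistoryEntry) -> List[str]:
    """Categories whose pattern matches the entry's title or decoded URL."""
    _, title, url = entry
    text = f"{title} {unquote_plus(url)}"
    return [name for name, pattern in RULES if pattern.search(text)] or ["uncategorised"]


def triage(history: List[HistoryEntry]) -> Dict[str, List[HistoryEntry]]:
    """Group entries by category, keeping the full entries for follow-up."""
    grouped: Dict[str, List[HistoryEntry]] = defaultdict(list)
    for entry in history:
        for category in classify(entry):
            grouped[category].append(entry)
    return dict(grouped)


def summary(history: List[HistoryEntry]) -> Dict[str, int]:
    """Number of entries per category."""
    return {category: len(entries) for category, entries in triage(history).items()}


if __name__ == "__main__":
    for category, entries in triage(HISTORY).items():
        print(f"{category}: {len(entries)}")
        for date, title, url in entries:
            query = search_query(url)
            print(f"  {date}  {title}" + (f"  [query: {query}]" if query else ""))
```

Categories are leads, not findings: a battery research hit is ordinary for a research assistant in a battery lab, so the weight of an entry comes from its context (the date relative to the incident, what was visited before and after it), which is why each category keeps the full entries and not just a count.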

Analysing Internet Cookies

From the internet cookies we found that Mr. Robert had been looking at the RIFT Company. It is possible that Mr. Robert was contacting someone from that company to sell Detag Company's private and confidential information.


Analysing the files recovered from local drive (D)

The files and folders illustrated above were recovered from local drive (D) of Mr. Robert's laptop hard drive, which contains the files listed below:

No.  Name                                                                 Type
1.   22 Battery                                                           .pdf
2.   Agentlic                                                             .pdf
3.   Battery                                                              .pdf
4.   it_security_policy                                                   .pdf
5.   Lead_Acid_Battery                                                    .pdf
6.   Microsoft Word - IT SecAuditStd _ITRM SEC502-00_ amend 2008 02 21    .pdf
7.   MSDS-Battery-Wet-Acid                                                .pdf
8.   sme_loans business plan                                              .pdf
9.   software_license_101                                                 .pdf
10.  Topic 2 - Battery Cell Balancing - What to Balance and How           .pdf
11.  V79 Cell Battery                                                     .pdf
12.  41602903                                                             .xls
13.  QuoteRequestForm                                                     .xls
14.  SealedLeadAcidCrossRef                                               .xls
15.  Solar-Panel-Battery-Sizing                                           .xls
16.  A guide to Lead Acid batteries                                       .doc
17.  Battery_guide                                                        .doc
18.  fanancial analysis of honda atlas                                    .doc
19.  HSA_Tax_Reporting_for_2008                                           .doc
20.  kamapril2005_235                                                     .doc
21.  NICADS                                                               .doc
22.  Nor_ok_nat                                                           .doc
23.  PAYEinfo                                                             .doc
24.  Profile                                                              .doc
25.  pub_249                                                              .doc
26.  SQB0022APC_33A_65AR_80BC_125BMP                                      .doc

The files listed in the table above contained a large amount of confidential company information and, according to company executives, Mr. Robert was not authorised to access this information. Mr. Robert therefore had unauthorized access to the company's private and confidential data.

Analysing the files found Local Drive (D)/Detag

The files illustrated above were found in the Detag folder in local drive (D). The properties of the Detag folder were marked as hidden. So we recovered the hidden folder and changed the permissions and properties of this folder. On analysing these files we found that these files were password protected. So using the licensed forensic tools we were able to recover the passwords and gain access to the information in the files.

Customer_details.xls

Detag_cli.docx

Financial_review.xls

Ordersheet.xls


Details of files

No.  Name              Type   Password
1.   Customer_details  .xls   accessedin
2.   Financial_review  .xls   accessedin
3.   ordersheet        .xls   accessedin
4.   Detag_cli         .doc   accessedin

Evidence Device 2: Kingston USB flash drive 512 MB Model no- M9724ZP/A

We then began analysis of the image file named USB-01.

(1) We opened the image file in WinHex using the "Specialist > Interpret Image File As Disk" option (illustrated below).

(2) We then viewed the contents of the image file in the directory browser of WinHex (illustrated below).

(3) On analysing the image I found that many files and folders had been deleted. These files and folders were recovered by me using WinHex.


(4) The .Trash root folder contains 38 files and 3 folders.

(5) Deleted files and folders were recovered from the USB.

(6) The folders Detag and Comp_Prof also contain 25 scanned documents relating to Detag company information.

Detag Folder Files Recovered


Details of the files recovered from Detag folder from Mr Robert USB

No.  Name                                 Type
1.   Images                               .jpg
2.   it-infrastructure-security-policy    .png
3.   lee2 (1)                             .gif
4.   lee2                                 .gif
5.   Legaldemand                          .png
6.   Letter                               .gif
7.   Mold                                 .jpg
8.   ocr-2                                .jpg
9.   Paper_Journal_Entry_001              .jpg
10.  Pdfconverted                         .png
11.  policy-papers_oehrlein_2-2010        .jpg
12.  Schillings-threat-letter1(crop)      .gif
13.  Sidebar                              .jpg
14.  ura21apr08-02                        .gif


Comp_Prof folder files recovered

Details of the files recovered from Comp_Prof folder from Mr Robert USB

No.  Name                                            Type
1.   09_12_sb                                        .jpg
2.   546c0a5e2e5fab4b59c8d0ca107d3640                .jpg
3.   5271                                            .png
4.   618633                                          .png
5.   18578442                                        .png
6.   Butler                                          .gif
7.   china-trademark-infringement-lawsuit-213x300    .gif
8.   clarkeletter2-1                                 .jpg
9.   Fedex                                           .gif
10.  images (1)                                      .jpg
11.  images (2)                                      .jpg

Battery_cell folder: This folder does not contain any file or image.


Details of other files recovered from Mr Robert USB

Details of the other files recovered from Mr Robert USB

No.  Name                                              Type
1.   battery cell                                      .gif
2.   battery_cell_diagram (1)                          .jpg
3.   battery_cell_diagram (2)                          .jpg
4.   battery_cell_view                                 .jpg
5.   c74dd42838fb339040f26117f582a269.image.750x497    .jpg
6.   def52a726f340a528e58602fa43d60ab                  .jpg
7.   detagBanner                                       .png
8.   lithf2                                            .gif
9.   New Text Document                                 .txt
10.  Nicad                                             .gif
11.  powerex_d_cell_rechargeable_battery_350           .jpg
12.  Rifts-trademark                                   .jpg

The analysis of the USB flash drive resulted in the recovery of 38 files of evidentiary / investigative value. These included:

1. A total of 25 scanned images of documents (such as legal papers of the company, details of the company's upcoming research, and a new product launch) pertaining to the company's most confidential data.

2. 3 folders which contained details of the company's budget and financial details.

3. 11 images containing formulas and designs of battery cells, among which some traces of the Rift Company were also found, such as their logo (image number 12 in the table above).

4. 1 text file containing the email address [email protected]; this email address may belong to a Rift Company employee.

The files mentioned above have been copied onto 3 CD-ROMs. One CD-ROM has been archived by the team. Two CD-ROMs have been handed over to the client with the final report.

Evidence device 3: Video surveillance tape – TDK E249 VHS

I then began analysis of the image file named VHS-01.

(1) I opened the image file in WinHex using the "Specialist > Interpret Image File As Disk" option (illustrated below).

(2) I then viewed the contents of the image file in the directory browser of WinHex.

(3) On analysing the video I found that Mr Robert was stealing the information from the research and development department, from the supervisor's head office (images illustrated below).

Image 1:

Image 2:

Image 3:

Image 4:

Image 5:

Image 6:

Image 7:

Image 8:

Page 44: Cyber Forensic Report- Data Recovery Module

The analysis of the video produced results of evidentiary / investigative value. These included:

The video shows that Mr. Robert was stealing Detag Company information from the research and development department.

The video and files mentioned above have been copied onto 3 CD-ROMs. One CD-ROM has been archived by the team. Two CD-ROMs have been handed over to the client with the final report.

COMPUTER EVIDENCE ASSESSMENT CHECKLIST

Activity                                                                                                                          Done   Date
The "RFS" was obtained from the client                                                                                            Yes    28th April 2008
Details of the case were obtained from the client                                                                                 Yes    28th April 2008
The cybercrime investigator met with the client and discussed the investigative avenues and potential evidence being sought     Yes    28th April 2008
Computer and other devices were received from the client                                                                          Yes    28th April 2008
The evidence was marked and photographed                                                                                          Yes    28th April 2008
Chain of custody was properly documented                                                                                          Yes    28th April 2008
BIOS information documented                                                                                                       Yes    28th April 2008
Image file created and mathematically authenticated                                                                               Yes    28th April 2008

CYBER FORENSIC ANALYSIS REPORT


Report of cyber forensic analysis of hard disk from Toshiba laptop described as under:

Model No: K5UFHYG
Capacity: 160GB
Serial No: 45V7GQW34545Q

Report of cyber forensic analysis of USB flash drive described as under:

Model No: M9724ZP/A
Capacity: 512 MB
Serial No: MHY2250BH

Report of cyber forensic analysis of USB flash drive described as under:

Model No: TDK E249 VHS
Capacity: 300 MB
Serial No: 223-442-2060

This contains the image of the above mentioned files.

Report no.: DeTag / 052008/02 DT. 1st May, 2008


COMPUTER EVIDENCE ANALYSIS CHECKLIST

Activity | Done | Date
The forensic machine was prepared with operating system and forensic and investigation software programs | Yes | 1st May, 2008
The image files from the evidence devices were copied onto the forensic machine and examined | Yes | 1st May, 2008
Deleted files were recovered | Yes | 1st May, 2008
File data was recorded | Yes | 1st May, 2008
Keyword text searches were conducted and hits were reviewed | Yes | 1st May, 2008
Graphics files were opened and viewed | Yes | 1st May, 2008
Passwords for password protected files were recovered | Yes | 1st May, 2008
Encryption keys were recovered | Yes | 1st May, 2008
Unallocated and slack space was searched | Yes | 1st May, 2008
Relevant files (of evidentiary / investigative value) were copied onto a CD ROM | Yes | 1st May, 2008

DETAILED CASE:

Introduction

On 26th April 2008, Mr. Harrison of DeTag Company requested Mr. David, lead investigator of the team, to conduct a detailed investigation of the media (previously retrieved by the team) and the image of the computer hard disk of Mr. Robert's laptop.

Mr. Harrison has declared that he is the person legally entitled to hand over the said laptop, surveillance tape and USB flash disk. The said laptop and video tape are owned by DeTag Company, a company registered under the Companies Act, 1956 and having its office at DeTag Ltd., Park Street, INDIA. The said company authorized Mr. Harrison to hand over the said laptop, surveillance tape and USB flash drive to the investigation team for the said cyber forensic analysis.

Background of the issue

Note: The information below, forming the background of the issue, is as provided by Mr. Harrison. The said information has not been verified or cross checked by the investigators or DeTag company employees.

According to Mr. Harrison:

1. The company Detag came to know that many of their clients are no longer re-ordering from them.

2. The company Detag thinks that maybe some confidential information is being leaked out of the company to their competitors.

3. So, an internal investigation was conducted to find the suspect.

4. The DeTag Company suspects unauthorized access to their confidential information.

5. Authorized officials of DeTag suspect that the said unauthorized access and information theft was carried out by Mr. Robert.

6. Mr. Robert has been working in the research department as an assistant.

7. Authorized officials of Detag therefore requested the investigation team to conduct a cyber-forensic analysis of the above mentioned laptop, video tape and USB flash drive and any other relevant information obtained from the hard disk.

DETAILS OF THE CYBER FORENSIC ANALYSIS CARRIED OUT BY THE TEAM

The entire cyber forensic analysis was carried out by Mr. David's investigation team. The laptop and other devices and relevant software used for the cyber forensic analysis are regularly used to store and process information. Throughout the material part of the said cyber forensic analysis, the said laptop, USB flash drive and video tape were operating properly. The objective of the investigation was to analyze the devices and find the relevant evidence. The analysis of the laptop computer, USB flash drive and hard disk resulted in the recovery of 97 files of evidentiary / investigative value. These included: document files (such as legal papers of the company, upcoming research details of the company, new product launch) pertaining to the company's most confidential data; 4 password protected Microsoft Excel files which contained details of the company's budget and financial details; 18 PDF files containing airline E-tickets. These tickets had been booked online by Mr. Robert, which shows that he is planning to move out of the country very soon.

Evidence Analysis

Based on the results above, it is proven that Mr. Robert Saunders has been viewing these confidential files without authorization. This is proven because some confidential files were found on his laptop hard drive, where it is believed they were kept to view later; also, he had transferred the files onto his thumb drive. There were some E-tickets on the desktop which show that Mr. Robert was planning to move out of the country very soon. Mr. Robert Saunders is therefore guilty of viewing these files without authorization. Mr. Robert Saunders is also found guilty of committing another crime, which is transferring these confidential files out to unauthorized people. As confidential files have been found on his USB flash drive and, also, some files were retrieved back, it is proven that Mr. Robert Saunders had used this USB flash drive to transfer these files out from his laptop to unwanted sources.

By obtaining the information on Mr. Robert Saunders's time of logging in to the laptop, the investigator is also able to find him guilty of committing this crime. This is so because, as mentioned earlier, a CD was brought out of the R&D laboratory on the 26th of April at about 4:45pm based on the video evidence of Mr. Robert Saunders's records. It is believed that he had committed the crime of taking out the CD, which contains confidential information, during this period. Besides that, it has also been proven that he did leak these files out using his thumb drive and also viewed these files without authorization using his laptop, as seen from the date and time the files were accessed. Some of the recovered files also show that Mr. Robert has been communicating with an employee named “Hennry” working in Rift Company. This information was gathered from the evidence found on the USB, which states the email address [email protected].

COMPLAINT TO ADJUDICATING OFFICER UNDER INFORMATION TECHNOLOGY ACT - 2000

1. Name of the complainant: Mr. Harrison (Detag Company)
   E-mail address: [email protected]
   Telephone No.: 98122356788
   Address for correspondence: New Delhi, Green Bihar, INDIA
   Digital Signature Certificates, if any: N.A

2. Name of the respondent: Mr. Robert
   E-mail address: [email protected]
   Telephone No.: 9814207338
   Address for correspondence: Green Avenue, New Delhi, INDIA
   Digital Signature Certificates, if any: N.A

3.

   Damages claimed: Rs. 10,00,000/-
   Fee deposited: Rs 13000/-

4. Complaint under Section / Rule / Direction / Order etc.: Section 66 and 43 of IT Act
   Time of Contravention: 4:45 PM 26th April 2008

5. Place of Contravention: New Delhi

6. Cause of action: The complainant alleges that the respondent has conducted unauthorized access to company confidential data and leaked the information to their rivals.

7. Brief facts of the case:

   1. The complainant is an IT professional working as a team member on the board of directors of DeTag.

   2. The respondent is also an IT professional working in DeTag company in the research and development department as a research assistant.

   3. On 26th April, while an internal investigation in the company was going on, they found that Mr. Robert stole the company's private and confidential material by copying it onto CD-ROM.

   4. From the video surveillance tape it was found that at 4:45PM on 26th April Mr. Robert was copying the information onto the CD.

   5. Then the company head decided to lodge an official complaint against Mr. Robert and also seized the laptop and USB which were provided by the company to Mr. Robert.

   6. Further investigation was then carried out by the cyber crime department.

LEGAL ISSUES

Information Theft

Acts penalized:
Publishing or transmitting obscene electronic material or confidential material.
Causing damage to obscene and confidential material.
Dishonestly sending or receiving any stolen computer resource or communication device, knowing or having reason to believe the same to be stolen.

Punishment: Imprisonment up to 3 years and / or fine up to Rs 1,00,000/-

Punishment for attempt: Imprisonment up to 18 months and / or fine up to Rs 1,00,000/-

Punishment for abetment: Imprisonment up to 3 years and / or fine up to Rs 1,00,000/-

Whether cognizable? Yes

Whether bailable? Yes

Whether compoundable? Yes. However, it shall not be compoundable if the crime affects the socio-economic conditions of the country or has been committed against a child below the age of 18 years or against a woman.

Investigation authorities: Police officer not below the rank of inspector; Controller; Officer authorized by the Controller under section 28 of the Information Technology Act

Relevant court: Magistrate of the first class

First appeal lies to: Court of session

Applicable Law

Mr. Robert obtains the information using hacking or social engineering, then uses the information for the benefit of his own business.

Usual motives: Illegal financial gain

Before 27 October, 2009: Sections 43 & 66 of the Information Technology Act and section 426 of the Indian Penal Code
After 27 October, 2009: Sections 43, 66 & 66B of the Information Technology Act and section 426 of the Indian Penal Code

Applicable Law

Mr. Robert obtains the information by hacking or social engineering and threatens to make the information public unless the victim pays him some money.

Usual motives: Illegal financial gain

Before 27 October, 2009: Sections 43 & 66 of the Information Technology Act and section 384 of the Indian Penal Code
After 27 October, 2009: Sections 43, 66 & 66B of the Information Technology Act and section 384 of the Indian Penal Code

Applicable Law

A disgruntled employee (Mr. Robert) steals the information and passes it to the victim's rival and also posts it to numerous websites and newsgroups.

Usual motives: Revenge.

Before 27 October, 2009: Sections 43 & 66 of the Information Technology Act and section 427 of the Indian Penal Code
After 27 October, 2009: Sections 43, 66 & 66B of the Information Technology Act and section 427 of the Indian Penal Code