Launching Investigation, prosecution and defending of a

computer related crime

Karnika SethCyberlaw & IP expert

Managing Partner,Seth AssociatesChairperson, Cyberlaws Consulting Centre

New Age Cybercrime conference Novotel, Mumbai

29& 30th Oct 2009

Introduction Seth Associates is a leading full service Indian law

firm that is internationally networked to provide spectrum of legal services to its domestic and international clients

Network of 2000 associate offices of Association of European lawyers (AEA alliance) as foreign associates

We maintain one of the strongest Cyberlaws practice in India today. With more than a decade's experience in Cyberlaws Practice, Seth Associates recently established the World's first integrated 'Cyberlaws Consulting Centre' at Seth Associates

CCC- Cyberlaws Consulting Centre CCC renders cyber legal consultancy, cyber law

analytics and forensic services to its clients world wide.

Work experience of handling cybercrime matters with Delhi Police

Delivered training workshops to Delhi police on dealing with cybercrime investigation cases

Recently authored a book titled ‘Cyberlaws in the Information Technology age’ published by Lexis Nexis Butterworths that elucidates the key developments in the field of Cyberlaws across many important jurisdictions—India, United States and European nations

‘Cyberlaws in the Information Technology Age’ by Karnika Seth

Presentation plan The categories of cybercrimes The techniques of cyber investigation and

forensic tools Analysis of the cybercrime & Indian legal position The possible reliefs to a cybercrime victim and

strategy adoption The preparation for prosecution Admissibility of digital evidence in courts Defending an accused in a computer related

crime

Cyber Threats in 2009 and BeyondReport of Georgia Tech Information Security Center (GTISC)

Malware

Botnets

Threats to VOIP and mobile convergence

Cyber warfare

Data thefts

Vectors & trends for cyber threats

Malicious attackers will install malware on social networking sites leading to increased phising scams, or stealing data,etc- browser level protection needed.

Hackers will install malcode within video

content which will affect users accessing video clips.

Mash up technology used by web applications to combine data/media from multiple sources, locations and coding styles may lead to increased corporate espionage and other scams

Identity thefts will only increase and botnets will be used for corporate espionage and phising scams

Polymorphic exploitation- creation of unique exploit with each user request –signature based protection engines at network or host level fail

Growing popularity of VOIP applications-instances of voice spam and voice phising or smishing will increase.

Targeted attacks -Attack activity through e-mail, Instant messaging ,P2P networks will increase

Denial of service affecting voice infrastructure

Cyber terrorist attacks will increase and lead to cyber warfare- threat to nation’s sovereignty

MMS scams will be on the rise and raise issues of defamation and invasion of privacy

Striking facts!

According to a report compiled by Panda Labs, in 2008, 10 million bot computers were used to distribute spam and malware across the Internet each day.

Annual take by theft-oriented cyber criminals is estimated to be as high as 100 billion dollars and 97 per cent of these offences go undetected,-CBI's Conference on International Police Cooperation against Cyber Crime, March 2009

.

Source: Government Accountability Office (GAO), Department of Homeland Security's (DHS's) Role in Critical Infrastructure Protection (CIP) Cybersecurity, GAO-05-434 (Washington,

D.C.: May, 2005).

Cyber threat groups

Bot network operators

Spyware authors

Foreign intelligence

Insiders Phishers spammers

Glaring Examples – Data thefts

The incidents in the recent past involving Cyber Space have highlighted the issues of privacy and data protection in India

The Pune scam was the first among the many BPO frauds that made international headlines. In April 2005, five employees of MsourcE in Pune were arrested for allegedly pulling off a fraud worth nearly 2.5 crore rupees from the Citibank accounts of four New York-based account holders.

In June 2005, the British tabloid Sun, in a sting operation, purchased the bank account details of 1,000 Britons from Karan Bahree, an employee of Gurgaon-based BPO company Infinity E-Search.

MMS scandals In 2004 a DPS (Delhi Public School) student filmed a sexually explicit video clip of

his classmate in a compromising position on his cell phone, forwarded the video via MMS to his friends. The clip was then put up on Bazee.com and widely circulated.

Case of the State of Tamil Nadu Vs Suhas Katti is notable for the fact that the conviction was achieved successfully within a relatively quick time of 7 months from the filing of the FIR .

The case related to posting of obscene, defamatory and annoying message about a divorcee woman in the yahoo message group. Additional Chief Metropolitan Magistrate, delivered the judgment on 5-11-04 as follows:

“The accused is found guilty of offences under section 469, 509 IPC and 67 of IT Act 2000 and the accused is convicted and is sentenced for the offence to undergo RI for 2 years under 469 IPC and to pay fine of Rs.500/- and for the offence u/s 509 IPC sentenced to undergo 1 year Simple imprisonment and to pay fine of Rs.500/- and for the offence u/s 67 of IT Act 2000 to undergo RI for 2 years and to pay fine of Rs.4000/- All sentences to run concurrently.”

This is considered the first case convicted under section 67 of Information Technology Act 2000 in India

Incident Response – a precursor to Techniques of Cyber investigation & forensic tools ‘Incident response’ could be defined as a precise set of

actions to handle any security incident in a responsible ,meaningful and timely manner.

Goals of incident response- To confirm whether an incident has occurred To promote accumulation of accurate information Educate senior management Help in detection/prevention of such incidents in the future, To provide rapid detection and containment Minimize disruption to business and network operations To facilitate for criminal action against perpetrators

Six steps of Incident response

Resolution

Reporting

Pre incident preparationDetection of incidents

Initial response

Investigate the incident

Techniques of cyber investigation- Cyber forensics Computer forensics, also called cyber forensics, is the

application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law.

The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it.

6 A’s of digital forensics

Archival

Articulation

Analysis

Authentication

Acquisition

Assessment

The Digital Investigation Process:Source: Forensics Guru.

Rules of evidence Computer forensic

components-

Identifying Preserving Analysing Presenting evidence in a

legally admissible manner

FBI handbook of forensic investigation-techniques for computer forensics

Examine type of content in computer

Comparison of data files

Transactions-to know time and sequence when data files were created

Data files can be extracted from computer

Deleted data files can be recovered from the computer

Data files can be converted from one format to the other

Key word searching passwords

Limited source code can be analysed and compared

Storage media with standalone word processors can be examined

Sources of EvidenceSources of Evidence

Existing FilesExisting Files Deleted FilesDeleted Files LogsLogs Special system files (registry etc.)Special system files (registry etc.) Email archives, printer spoolsEmail archives, printer spools Administrative settingsAdministrative settings Internet HistoryInternet History Chat archivesChat archives Misnamed FilesMisnamed Files Encrypted Files / Password Protected files etc.Encrypted Files / Password Protected files etc.

Cyberforensics in accounting frauds Use of CAAT –computer assisted audit techniques-

spreadsheets, excel, MS access Generalized audit software-PC based file interrogation

software- IDEA,ACL Help detect fictitious suppliers, duplicate payments, theft of

inventory Tender manipulation, secret commissions False financial reporting Expense account misuse Insider trading

Establishment and maintenance of ‘Chain of Custody

Tools required: - Evidence notebook - Tamper evident labels - Permanent ink pen - Camera Document the following: - Who reported the incident along with critical date and

times - Details leading up to formal investigation - Names of all people conducting investigation - Establish and maintain detailed ‘activity log’

Maintaining Chain Of Custody

Take pictures of the evidence - Document ‘crime scene’

details Document identifiable

markings on evidence Catalog the system contents Document serial numbers,

model numbers, asset tags “Bag” it! Maintain Chain Of Custody on

tamperproof evidence bag Take a picture!

Classification of computer forensics Disk based forensics Network based forensics

Disk imaging and analysis- Tool must have the ability to image every bit of data on

storage medium, tool must not make any changes to the source medium.

Examples- DD-www.gnu.org DCFLDD-www.prdownloads.sourceforge.net/biatchux ODD-open data duplicator ODESSA-creating a qualified duplicate image with Encase-

www.odessa.sourceforge.net

Recovering deleted data Encase FTK Stelar Phoenix PCI file recovery Undelete Recover4allGet data back Fast file recovery Active undelete

E-mail forensics E-mail composed of two parts- header and body Examine headers Request information from ISP Trace the IP Tools-Encase,FTK,Final email Sawmill groupwise Audimation for logging Cracking the password- brute force attack, smart search,

dictionary search, date search, customised search, guaranteed decryption, plaintext attack

Passware, ultimate zip cracker,office recovery enterprise,etc

Live demo- sending fake e-mails and reading headers ,phising attacks Use of www.fakemailer.net Use of Who is Dissecting header and body of an e-mail message digest, IP address Return path Sender’s address Live demo phising- www.noodlebank.com,

www.nood1ebank.com www.whois.sc www.readnotify.com

The Information Technology Act,2000 and cybercrimes The Information Technology Act 2000 came into

force in India on 17 October 2000. It extends to whole of India and also applies to any offence or contraventions committed outside India by any person (s 1(2),IT Act 2000).

According to s 75 of the Act, the Act applies to any offence or contravention committed outside India by any person irrespective of his nationality, if such act involves a computer, computer system or network located in India.

Cybercrime vs Cyber contravention The IT Act prescribes provisions for contraventions in ch IX of the

Act, particularly s 43 of the Act, which covers unauthorised access, downloading, introduction of virus, denial of access and Internet time theft committed by any person. It prescribes punishment by way of damages not exceeding Rs 1 crore to the affected party.

Chapter XI of the IT Act 2000 discusses the cyber crimes and offences inter alia, tampering with computer source documents (s 65), hacking (s 66), publishing of obscene information (s 67), unauthorised access to protected system (s 70), breach of confidentiality (s 72), publishing false digital signature certificate (s 73).

Whereas cyber contraventions are ‘civil wrongs’ for which compensation is payable by the defaulting party, ‘cyber offences’ constitute cyber frauds and crimes which are criminal wrongs for which punishment of imprisonment and/or fine is prescribed by the Information Technology Act 2000.

Special and General statutes applicable to cybercrimes While the IT Act 2000, provides for the specific offences it has to

be read with the Indian Penal Code 1860 (IPC) and the Code of Criminal Procedure 1973 (Cr PC)IT Act is a special law, most IT experts are of common consensus that it does not cover or deal specifically with every kind of cyber crime

for instance, for defamatory emails reliance is placed on s 500 of IPC, for threatening e-mails, provisions of IPC applicable thereto are criminal intimidation (ch XXII), extortion (ch XVII), for e-mail spoofing, provisions of IPC relating to frauds, cheating by personation (ch XVII) and forgery (ch XVIII) are attracted.

Likewise, criminal breach of trust and fraud (ss 405, 406, 408, 409) of the IPC are applicable and for false electronic evidence, s 193 of IPC applies.

For cognisability and bailability, reliance is placed on Code of Criminal Procedure which also lays down the specific provisions relating to powers of police to investigate.

Tampering of source code According to s 65 of the IT Act- a person who intentionally conceals or destroys

or alters or intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer program, computer system or network when the computer source code is required to be maintained by law is punishable with imprisonment upto 3 years or with fine that may extend upto 2 lakh rupees or with both.

Hacking Section 66 of the IT Act 2000 deals with the

offence of computer hacking. In simple words, hacking is accessing of a

computer system without the express or implied permission of the owner of that computer system.

Examples of hacking may include unauthorised input or alteration of input, destruction or misappropriation of output, misuse of programs or alteration of computer data.

Punishment for hacking is imprisonment upto 3years or fine which may extend to 2 lakh rupees or both

Publishing obscene information Section 67 of the IT Act lays down punishment for the

offence of publishing of obscene information in electronic form

Recently, the Supreme Court in Ajay Goswami v Union of India considered the issue of obscenity on Internet and held that restriction on freedom of speech on ground of curtailing obscenity amounts to reasonable restriction under art 19(2) of the Constitution. The court observed that the test of community mores and standards has become obsolete in the Internet age.

punishment on first conviction with imprisonment for a term which may extend to 5 years and with fine which may extend to 1 lakh rupees. In the event of second conviction or subsequent conviction imprisonment of description for a term which may extend to 10 years and fine which may extend to2 lakh rupees.

New offences defined under IT Amendment Bill 2008 Many cybercrimes for which no express provisions existed in

the IT Act 2000 now stand included by the IT Amendment Bill 2008.

Sending of offensive or false messages (s 66A), receiving stolen computer resource (s 66C), identity theft (s 66C), (s 66D) cheating by personation, violation of privacy (s 66E). Barring the offence of cyber terrorism (s 66F ) punishment prescribed is generally upto three years and fine of one/two lakhs rupees has been prescribed and these offences are cognisable and bailable. This will not prove to play a deterrent factor for the cyber criminals.

Further, as per new s 84B,abetment to commit an offence is made punishable with the punishment provided for the offence under the Act and the new s 84C makes attempt to commit an offence also a punishable offence with imprisonment for a term which may extend to one-half of the longest term of imprisonment provided for that offence

The IT Amendment Bill 2008

In certain offences, such as hacking (s 66) punishment is enhanced from 3 years of imprisonment and fine of 2 lakhs to fine of 5 lakhs rupees. In s 67, for publishing of obscene information imprisonment term has been reduced from five years to three years (and five years for subsequent offence instead of earlier ten years) and fine has been increased from one lakh to five lakhs rupees (ten lakhs on subsequent

conviction).

Section 67A adds an offence of publishing material containing sexually explicit conduct punishable with imprisonment for a term that may extend to 5 years with fine upto ten lakhs rupees.

The IT Amendment Bill 2008 Section 67B punishes offence of child

pornography, child’s sexually explicit act or conduct with imprisonment on first conviction for a term upto 5 years and fine upto 10 lakhs rupees.

Possible reliefs to a cybercrime victim- strategy adoption A victim of cybercrime needs to immediately report the

matter to his local police station and to the nearest cybercrime cell

Depending on the nature of crime there may be civil and criminal remedies.

In civil remedies , injunction and restraint orders may be sought, together with damages, delivery up of infringing matter and/or account for profits.

In criminal remedies, a cybercrime case will be registered by police if the offence is cognisable and if the same is non cognisable, a complaint should be filed with metropolitan magistrate

For certain offences, both civil and criminal remedies may be available to the victim

Before lodging a cybercrime case Important parameters- Gather ample evidence admissible in a court of

law Fulfill the criteria of the pecuniary ,territorial and

subject matter jurisdiction of a court. Determine jurisdiction – case may be filed where

the offence is committed or where effect of the offence is felt ( S. 177 to 179, Crpc)

The criminal prosecution pyramid

Conviction/acquittal

Trial

Contents of charge

Issue of process –summons, warrant

Examine the witnesses

Examine the complainant on oath

Initiation of criminal proceedings-cognizance of offences by magistrates

Preparation for prosecution Collect all evidence available & saving snapshots of

evidence Seek a cyberlaw expert’s immediate assistance for advice

on preparing for prosecution Prepare a background history of facts chronologically as

per facts Pen down names and addresses of suspected accused. Form a draft of complaint and remedies a victim seeks Cyberlaw expert & police could assist in gathering further

evidence e.g tracing the IP in case of e-mails, search & seizure or arrest as appropriate to the situation

A cyber forensic study of the hardware/equipment/ network server related to the cybercrime is generally essential

Amendments- Indian Evidence Act 1872

Section 3 of the Evidence Act amended to take care of admissibility of ER as evidence along with the paper based records as part of the documents which can be produced before the court for inspection.

Section 4 of IT Act confers legal recognition to electronic records

Societe Des products Nestle SA case 2006 (33 ) PTC 469

By virtue of provision of Section 65A, the contents of electronic records may be proved in evidence by parties in accordance with provision of 65B.

Held- Sub section (1) of section 65B makes admissible as a document, paper print out of electronic records stored in optical or magnetic media produced by a computer subject to fulfillment of conditions specified in subsection 2 of Section 65B .

a) The computer from which the record is generated was regularly used to store or process information in respect of activity regularly carried on by person having lawful control over the period, and relates to the period over which the computer was regularly used.

b) Information was fed in the computer in the ordinary course of the activities of the person having lawful control over the computer.

c) The computer was operating properly, and if not, was not such as to affect the electronic record or its accuracy.

d) Information reproduced is such as is fed into computer in the ordinary course of activity.

State v Mohd Afzal,2003 (7) AD (Delhi)1

State v Navjot Sandhu (2005)11 SCC 600 Held, while examining Section 65 B Evidence Act,

it may be that certificate containing details of subsection 4 of Section 65 is not filed, but that does not mean that secondary evidence cannot be given.

Section 63 & 65 of the Indian Evidence Act enables secondary evidence of contents of a document to be adduced if original is of such a nature as not to be easily movable.

Presumptions in law- Section 85 B Indian Evidence Act The law also presumes that in any proceedings, involving

secure digital signature, the court shall presume, unless the contrary is proved, that the secure digital signature is affixed by the subscriber with the intention of signing or approving the electronic record

In any proceedings involving a secure electronic record, the court shall presume, unless contrary is proved, that the secure electronic record has not been altered since the specific point of time, to which the secure status relates

Presumption as to electronic messages- Section 88A of Evidence Act The court may treat electronic messages received

as if they were sent by the originator, with the exception that a presumption is not to be made as to the person by whom such message was sent.

It must be proved that the message has been forwarded from the electronic mail server to the person ( addressee ) to whom such message purports to have been addressed

An electronic message is primary evidence of the fact that the same was delivered to the addressee on date and time indicated.

IT Amendment Bill 2008-Section 79A Section 79A empowers the Central govt to

appoint any department, body or agency as examiner of electronic evidence for proving expert opinion on electronic form evidence before any court or authority.

Till now, government forensic lab of hyderabad was considered of evidentiary value in courts- CFSIL

Statutory status to an agency as per Section 79A will be of vital importance in criminal prosecution of cybercrime cases in India

Defending an accused in a cybercrime Preparation of chain of events table Probing where evidence could be traced? E-mail

inbox/files/folders/ web history Has the accused used any erase evidence

software/tools Forensically screening the hardware/data/files

/print outs / camera/mobile/pendrives of evidentiary value

Formatting may not be a solution Apply for anticipatory bail Challenge evidence produced by opposite party

and look for loopholes Filing of a cross complaint if appropriate

Thank you!

SETH ASSOCIATES

ADVOCATES AND LEGAL CONSULTANTSNew Delhi Law Office:

C-1/16, Daryaganj, New Delhi-110002, IndiaTel:+91 (11) 65352272, +91 9868119137

Corporate Law Office: B-10, Sector 40, NOIDA-201301, N.C.R ,India

Tel: +91 (120) 4352846, +91 9810155766Fax: +91 (120) 4331304

E-mail: mail@sethassociates.com