4. The Authority shall have the power to issue such directions to service
providers as it may consider necessary for proper functioning of service
providers.

CYBER CRIME INVESTIGATION

INITIATIVES TAKEN BY CBI

1. The CBI now has some specialized structures to combat computer-related crimes:
   i) Cyber Crimes Research and Development Unit (CCRDU)
   ii) Cyber Crime Investigation Cell (CCIC)
   iii) Cyber Forensic Laboratory; and
   iv) Network Monitoring Centre.

2. The CCRDU is charged with the responsibility of keeping track of developments in this ever-growing area. It has the following tasks:
   a) Liaison with the state police forces and collection of information on cases of cyber crime reported to them for investigation, and to find out about the follow-up action in each case;
   b) Liaison with software experts to identify areas which require the attention of the State Police Forces for prevention and detection of such crimes, with a view to train them for the task;
   c) Collection of information on the latest cases reported in other countries and the innovations employed by Police Forces in those countries to handle such cases;
   d) Preparation of a monthly Cyber Crime Digest for the benefit of state police forces; and
   e) Maintenance of close rapport with the Ministry of IT, Govt. of India, other organizations/institutions and Interpol Headquarters, Lyons, for achieving its objective of giving the needed thrust to collection and dissemination of information on cyber crimes.

3. The CCIC, established in Sept. 1999, started functioning from March 2000. It is a part of the Economic Offences Division. The cell has all-India jurisdiction and investigates criminal offences under the Information Technology Act 2000, besides frauds committed with the help of computers, credit cards etc. It is also a round-the-clock nodal point of contact for cyber crimes in India and a member of the "Cyber Crime Information Network System", Japan.

4. The Cyber Forensics Laboratory (CFL), established in Nov. 2003, functions under the Director, Central Forensic Science Laboratory. The responsibilities of the CFL are:
   i) Provide media analysis in support of criminal investigation by the CBI and other Law Enforcement Agencies;
   ii) Provide on-site assistance for computer search and seizure on request;
   iii) Provide consultation on investigations or activities in which media analysis is probable or occurring;
   iv) Provide expert testimony;
   v) Research and development in cyber forensics.

5. The following principles are followed by the CFL:
   i) The purpose of analysis shall be to use the evidence in court;
   ii) All legal formalities shall be followed: the media should have been legally seized, and chain of custody maintained;
   iii) The analysis shall be on an image of the media and not on the media itself;
   iv) The laboratory shall have the best imaging tools and software tools for analysis.

6. The purpose of the NETWORK MONITORING CENTRE is to police the internet. It has a Network Monitoring Tool (NMT) developed by IIT, Kanpur, and may use similar and other tools to achieve its purpose after following the required procedure.
B. SEARCH AND SEIZURE OF DIGITAL EVIDENCE:

In the conventional environment, items are stored in a tangible form that can be stored physically, like information written on paper, bills, receipts, address books etc., which are susceptible to damage by physical methods such as theft, burglary etc. But in the Information Age of the "electronic environment", data is stored in an intangible form, making it a virtual world where these limitations of conventional methods no longer apply. It also has no physical boundaries; hence a criminal seeking information stored in networked computers with dial-in access can access that information from virtually anywhere in the world. The quantity of information that can be stolen, or the amount of damage that can be caused by malicious programming code, may be limited only by the speed of the network and the criminal's equipment.
ADVANCE PLANNING FOR SEARCH:

When the I.O. is required to carry out a search in a place where it is suspected that a computer network or any other electronic memory device is likely to be found, it is advisable to ask a forensic science laboratory to accompany him. If this is not possible, information may be collected regarding the type, make, model, operating system, network architecture, type and location of data storage, retrieval possibilities etc., which can be passed on to forensic experts so that it helps them make the necessary preparation to collect and preserve evidence. It must be remembered that on some occasions it may not be possible to remove the computer system physically, and data may have to be copied at the scene of crime / place of search. The investigator or expert must carry the necessary media, software, and other specialized items, as well as special packing material which can prevent loss of data, since data on magnetic media can be destroyed by dust, jerks, and an electrostatic environment.
PRECAUTION AT THE SEARCH SITE

Taking control of the Location:

It is extremely important to ensure that the suspect or an accused is not allowed to touch any part of the computer or any accessory attached to it, either by physical means or through wireless. Since these days systems could be connected through physical networks such as fibre optics, cables, telephone, or through wifi or wi-max wireless networks, or even through a mobile phone having a wireless communication port, the investigator has to be extremely alert and may seek guidance from an expert, on telephone if one is not available on site, and take steps as per instructions. The Investigator must remember that even by pressing a key, by giving a command through a wireless mouse or keyboard, or even by executing a command through an e-mail message, the entire data could be wiped out or corrupted, making it useless for the Investigator. This is also applicable in the case of small removable storage devices, which have the capacity to store huge amounts of data. Thus it is important that individuals present at the site of the search are separated from their computers and that all devices are kept out of their reach. Since it is easy to tamper with or destroy computer evidence, and it can be done from across a network, which could be physical or wireless, the investigator should take all steps to secure the data.

As already mentioned, in a network environment the information need not be stored at the same site. The data could reside at a remote location, and the investigator must take action accordingly. In case the storage of data is suspected to be located outside the country, it may be necessary to contact Interpol and take follow-up steps to issue a letter rogatory under the provisions of section 166A Cr.P.C.

Before conducting the search, the Investigator will need to decide whether to seize data on site, or to seize hardware for examination at a computer forensic laboratory. While on-site data seizure has the advantage that one does not have to transport much hardware, one may need the services of a computer forensic expert to download data for analysis and preserve it for presenting in the Court. When in doubt, make use of a computer forensic expert / specialist at the scene, if possible, to determine whether one needs to seize data or seize hardware. In case a specialist is not available, it is recommended that one seizes everything.

NETWORKED COMPUTERS:

Do not disconnect the computer if networks or mainframes are involved; pulling a computer from a network may damage the network and cause harm to the company's operations. It is generally not practical to seize a mainframe because it requires disconnecting all the computers that are attached to it. Hardware seizure with multiple computers on a network can be very complicated, and one should definitely enlist the help of a computer forensic specialist in these cases.
PREPARATION FOR SEARCH:

The Investigator should carry the following items with him that will facilitate the search:

1. DISKS OR CARTRIDGES: these can be used to store copies of files from the computer for use in his investigation.
2. LABELS: to label cables, where they plug in, discs, the various parts of the computer, and to write-protect disks.
3. SCREW DRIVERS AND OTHER TOOLS: to be used to dismantle the hardware for seizure.
4. GLOVES: remember that often latent prints can be taken from disks or other storage media or hardware.
5. PACKING MATERIALS: rubber bands, tape, boxes, bubble wrap, and if he does not have access to anti-static wrap, paper bags should be used, because they have less static charge than plastic bags.
6. CAMERA EQUIPMENT: to videotape and photograph the scene.
7. CHAIN OF CUSTODY: report sheets and other paper to inventory seized evidence.
STEPS FOR SEARCH:

Rely on Technical Staff or Experts:
Be careful not to cause damage during a search, as electronically stored data can be easily lost. The services of computer forensic experts must be available wherever possible. The experts will help during a search but could also assist in interviewing the company's personnel, because they will know what questions to ask to elicit relevant information for the investigation.

Once on the site, the I.O. must survey the equipment and take precautionary steps as described above. Next he will need to document the way the system is connected together and take the following steps.

(i) Labeling and photographing the setup:
Labeling and photographing everything prior to dismantling the system is an important first step. Take some general photographs of the search site to document its pre-search condition for legal purposes, and photographs of the front and back of the equipment and the way it is connected, so that the system can be reconnected in the Forensic Laboratory the way it was. He should pay special attention to DIP switches on the back of certain equipment and record their settings, since transport can disturb them.

(ii) Label all parts:
The I.O. should label each part before he starts dismantling any of the equipment. He should remember to label all the connectors and plugs at both ends, and on the computer, so that re-assembly is easy and accurate. A good way to do this is to label each item with its own letter. For example, a power cord may be marked 'A' at its end and 'A' at the point where it is to be inserted.

(iii) POWER SYSTEM DOWN:
As a rule, if a computer is off, it should not be turned on. Hackers can make their computer erase data if a certain disc is not in the drive when the machine is booted up, or if a certain password is not entered. Likewise, if the machine is on, one should check it before turning it off, otherwise it may destroy data. Keep in mind that a computer may look powered down but actually be in a "Sleep" mode. Hackers can set their computers to erase data if they are not properly restored from a "sleep" mode, so one may be required to pull the plug or remove the power source. Where possible, the machine should be shut down through the operating system rather than by just "pulling the plug". If, however, he does need to "pull the plug", he should disconnect it from the back of the machine rather than at the wall, because if the machine is plugged into a backup power supply, it may initiate a shutdown procedure that could alter data.

(Booted up means: to start up a computer or laptop by powering it with the required electrical supply and loading its startup program.)
(iv) DISMANTLE THE SYSTEM:
Once the system is labeled and powered down, it can be dismantled into separate components for transportation. If a computer is at a business location and part of a network, the proper network procedure should be followed to properly disconnect the computer from the network.

(v) SEIZE DOCUMENTATION:
Seize all manuals for the computer, its peripheral devices and especially the software. The examiners at the Forensic Laboratory need to refer to a manual to determine the kind of hardware and its technicalities. Seizing other documents like notes, passwords, and journals may prove very useful. Sticky notes or other pieces of paper around the computer system that may have passwords or login IDs written on them should be seized from the spot.

HANDLING EVIDENCE AND COMPUTER HARDWARE:

(i) Protecting Data:
The I.O. should also write-protect disks or cartridges he finds at the place of search in order to protect data. Most disks and cartridges have a small sliding tab that prevents changing the disc content when set correctly. Placing a blank disk in the drive of a computer system will keep it from booting from the hard drive if it is accidentally turned on.

(ii) Packaging:
Once the I.O. has dismantled the computer, it is ready to be packaged for transportation to the forensic laboratory. Computer parts, being sensitive, are handled carefully. One should not wrap the computer components using Styrofoam because small particles can break off and get inside the computer, causing it to malfunction.

(iii) Keep System Components together:
Keep the components of each computer system together. This small organizational step can save lots of time when the examiners are trying to reconstruct the system.
(iv) Single Machine, Single Seizing Agent:
If one person handles the seizure of a computer, that same person can authenticate the evidence at a trial. This avoids confusion later.

(v) How to transport and store the System:
Do not put the computer in the trunk of a police vehicle. The system should be secured in a way that would reduce vibrations that may shake a part loose. The I.O. should store the computer in a secure, cool, dry place away from any generators or other devices that emit electromagnetic fields.
DATA SECURITY COUNCIL OF INDIA

It is a not-for-profit company set up by NASSCOM as an independent self-regulatory organisation to promote data protection, develop security and privacy codes and standards, and encourage the IT/BPO industry to implement the same. DSCI is focused on capacity building of Law Enforcement Agencies for combating cyber crimes in the country, and towards this it operates several initiatives to help the police, including cyber forensic tools and standard operating procedures released by the Union Home Secretary in 2011.

EVIDENCE GATHERING DOCTRINE:

"The onus is on the investigator to show the Court that the evidence produced is no more and no less than when it was first taken into possession." The Association of Chief Police Officers (ACPO) has given some guidelines in its "Good Practice Guide for Computer Based Electronic Evidence" [ACPO]:

1. No action by the investigator should change data contained in a digital device or storage media that may subsequently be relied upon in the Court.
2. Individuals accessing original data must be competent to do so and have the ability to explain their actions.
3. An audit trail or other record of the applied processes, suitable for independent replication, must be created and preserved, accurately documenting each investigative step so that the results can be reproduced independently.
4. The person in charge of the investigation is responsible for ensuring that the above-mentioned procedures are followed, in compliance with governing law.
CLASSIFICATION OF CYBER FORENSICS

1. Disc Forensics: deals with extracting data / information from storage media by searching active and deleted files, and also the unallocated and slack spaces.

2. Network Forensics: is a sub-branch relating to monitoring and analysis of network traffic for the purposes of information gathering, legal evidence, or intrusion detection. Unlike other areas of digital forensics, network investigation deals with volatile and dynamic information. Network traffic is transmitted and then lost, so network forensics is often a proactive investigation.

3. Wireless Forensics: is a sub-discipline of network forensics. The main goal of wireless forensics is to provide the methodology and tools required to collect and analyse wireless network traffic. The data collected can correspond to plain data or, with the broad usage of voice-over-IP (VoIP) technologies, especially over wireless, can include voice conversations.
   (VoIP, Voice over Internet Protocol: a technology that allows you to make voice calls using a broadband internet connection instead of a regular, or analog, telephone line.)

4. Database Forensics: is a branch of digital forensic science relating to the forensic study of databases and their related metadata (a set of data that describes and gives information about other data).

5. Malware Forensics: deals with the investigation and analysis of malicious code for identification of malware like viruses, Trojans, worms, keyloggers etc., and the study of their payload.

6. Mobile Device Forensics: deals with examining and analyzing mobile devices like mobile phones and pagers to retrieve the address book, call logs (missed, dialed, received), paired device history, incoming / outgoing SMS/MMS, videos, photos, audio etc.

7. GPS Forensics or Sat Nav Forensics: is used for examining and analyzing GPS devices to retrieve track logs, track points, waypoints, routes, stored locations, home, office etc.

8. E-mail Forensics: deals with the recovery and analysis of e-mails, including deleted emails, calendars, and contacts.

9. Memory Forensics: deals with collecting data from system memory (e.g. system registers, cache, RAM) in raw form and carving the data from that raw dump.
CYBER FORENSIC PROCESS ENCOMPASSES FIVE KEY ELEMENTS:

1. The Identification and Acquiring of Digital Evidence:
Knowing what evidence is present, where it is stored, and how it is stored is vital in determining which processes are to be employed to facilitate its recovery. The cyber forensic examiner / investigator should image the media, as the unexpected may occur.

2. Preservation of Digital Evidence:
This is a critical element in the forensic process. Any examination of electronically stored data must be carried out in the least intrusive manner. Any alteration to data that has evidentiary value must be accounted for and justified.

3. The Analysis of Digital Evidence:
This is regarded as the main element of cyber forensics. Extraction produces raw output ("junk") which should be processed to make it readable by a human being.
4. Report the findings:
It means giving the findings in a simple, lucid manner so that any person can understand them. The report should be in simple terms, giving a description of the items, the process adopted for analysis and the chain of custody, the hard and soft copies of the findings, a glossary of terms, etc.

5. Presentation of Digital Evidence:
It involves deposing evidence in the Court of law regarding the findings and the credibility of the processes employed during analysis.

EXPECTATIONS FROM FORENSIC ANALYST

A cyber forensic analyst should be able to extract and recover information from: (1) Active files (2) Deleted files (3) Metadata (4) Applications (5) Hidden files / folders / partitions (6) Encrypted files (7) Data in unallocated sectors, swap files (8) Data retrieval from formatted disks, defragmented disks (9) Tracing (10) E-mail box recovery (11) Recycle Bin (12) Registry (13) Forensic analysis of mobile phones (14) BIOS examination (15) Programming (16) OS, application package (17) Hand-held devices (18) Mobile phones, PDAs, SIM card examination.

BIOS - Basic Input Output System
OS - Open source computing, computing ordinary source
PDA - Personal Digital Assistant, palm-top device with email & internet.

FUNDAMENTAL FORENSIC PRINCIPLES

It is based on "Locard's Exchange Principle". If a culprit commits a crime, he must have left his footprints behind. The culprit, while handling a computer or digital device, leaves his marks which betray him.
DELETED FILES STILL WITH COMPUTER:

When a file is deleted, it seems to have disappeared, but actually it does not disappear. The file is still left on the computer. When we create a new document, for example a Microsoft Word file, then at the same time a shadow file (temporary file) is also created which is invisible. When we delete the Word file, it disappears. The file system does not actually delete it, only its file structure: it turns the first letter of the file name into a "Greek sigma", which tells the computer that it can overwrite this file. So the content is actually still very much present in the computer. Therefore it is easy for a forensic investigator or a data recovery program to bring back that file intact.
STEPS FOR DIGITAL CRIME SCENE INVESTIGATION:

• Identifying and securing the crime scene.
• "As is where is" documentation of the scene of offence.
• Collection of evidence:
  - Procedure for gathering evidence from switched-off systems.
  - Procedure for gathering evidence from live or switched-on systems.
• Forensic duplication.
• Labelling and documenting of evidence.
• Packaging and transportation of evidence.

PRELIMINARY REVIEW OF SCENE OF OFFENCE:

• Residence of the individual
• Cybercafe
• Companies / organizations
• With or without internet / networks

INVESTIGATIVE TOOLS AND EQUIPMENT:

• Documentation: (a) cable tags (b) indelible felt-tip markers (c) stick-on labels.
• Disassembling and removal tools are available in a variety of non-magnetic sizes and types. This includes packaging and transporting supplies such as: (a) evidence bags and bubble wraps (b) cable ties and evidence tape (c) evidence and packing tape (d) sturdy boxes of various sizes.
• Other items, such as: (a) evidence tags / evidence tape / gloves / forms / large rubber bands (b) list of contact telephone numbers for assistance (c) magnifying glass / printed paper / seizure disk / small flashlight.
COLLECTING DIGITAL EVIDENCE:

(1) PROCEDURE FOR GATHERING INFORMATION FROM SWITCHED-OFF SYSTEMS:

(a) Secure and take control of the scene of crime, both physically and electronically.
(b) Make sure the computer is SWITCHED OFF; some screen savers may give the appearance that the computer is switched off, but the hard drive and monitor lights may indicate that the machine is switched on. Some laptops may power on by opening the lid.
(c) Remove the battery from the laptop.
(d) Unplug the power and other devices from the sockets.
(e) Never switch on the computer in any circumstances.
(f) Label and photograph (or videograph) all components in situ, and if no camera is available, draw a sketch plan of the system.
(g) Label the ports and (in and out) cables so that the computer may be reconstructed at a later date, if necessary.
(h) Open the side casing of the CPU of the laptop or desktop.
(i) Identify the HARD DISK and detach it from the power cables and motherboard.
(j) Recover unique identifiers like make, model, and serial number.
(k) Take the signature of the accused and witness on the hard disk.
(l) Gather non-electronic records, e.g. diaries, note books, or pieces of paper with passwords.
(2) PROCEDURE FOR GATHERING INFORMATION FROM SWITCHED-ON SYSTEMS:

(a) Record what is on the screen by photography and by making written notes of the contents of the screen.
(b) Do not touch the keyboard or click the mouse. If the screen is blank or a screen saver is present, the case officer should be asked to decide whether they wish to restore the screen. If so, then a short movement of the mouse will restore the screen or reveal that the screen saver is password protected. If the screen restores, then photograph, videograph and note its contents. If the password-protected screen is shown, then continue as below without further disturbing the mouse. Record these circumstances.
(c) Take the help of a technical expert to use a live forensic tool to extract the live data.
(d) If no specialist advice is available, then remove the power supply from the back of the computer, without closing down any program. When removing the power supply cable, always remove the end attached to the computer and not the one attached to the socket. This will prevent any data being written to the hard drive if an uninterruptible power protection device is fitted.

(3) GATHERING EVIDENCE FROM MOBILE PHONES:

(a) If the device is "off", do not turn it "on".
(b) If the PDA or cell phone device is "on", leave it "on". Powering down the device may enable a password, thus preventing access to the evidence.
(c) Photograph the device and screen display (if available).
(d) Label and collect all cables (including the power supply) and transport them with the device.
(e) Keep the device charged.
(f) If the device cannot be kept charged, then analysis by a specialist must be completed prior to battery discharge or data may be lost.
(g) Seize additional storage media (memory sticks, compact flash etc.).
(h) Document all steps involved in the seizure of the device and components.
FORENSIC DUPLICATION:

1. LOGICAL BACKUP:
A logical backup copies the directories and files of a logical volume; it does not capture other data that may be present on the media, such as deleted files or residual data stored in slack space.

2. BIT STREAM IMAGING:
Also known as disk imaging / cloning. Bit stream imaging generates a bit-for-bit copy of the original media, including free space and slack space. Bit stream images require more storage space and take longer to create.
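The following is an added example, not code from the module, covering both the "deleted files still with computer" passage and the logical backup versus bit stream imaging distinction above. It models a FAT-style volume (the field offsets inside a directory entry follow the real FAT 8.3 layout; the one-cluster-per-file layout, cluster size and sample files are constructed simplifications): deleting a file only overwrites the first byte of its directory entry with 0xE5, the byte that old DOS code pages display as the sigma the text mentions, while the data stays on disk; a logical backup then misses the file, but it can be carved back out of a bit stream image.

```python
"""
Added example (not from the module): a simplified FAT-style volume showing why a
deleted file survives on the media and why only a bit stream image preserves it.
"""
import struct

ENTRY_SIZE = 32        # real FAT 8.3 directory entry size
DELETED_MARK = 0xE5    # real FAT marker: entry free, data clusters are not cleared
DIR_ENTRIES = 4        # constructed: the directory region holds four entries
CLUSTER_SIZE = 64      # constructed: small clusters keep the sample image short
DATA_START = DIR_ENTRIES * ENTRY_SIZE


def make_entry(name, ext, first_cluster, size):
    """Build one directory entry: 8.3 name, attribute byte, first cluster, size."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name.upper().ljust(8).encode("ascii")
    raw[8:11] = ext.upper().ljust(3).encode("ascii")
    raw[11] = 0x20                                   # ATTR_ARCHIVE
    struct.pack_into("<H", raw, 26, first_cluster)   # first cluster (low word)
    struct.pack_into("<I", raw, 28, size)            # file size in bytes
    return bytes(raw)


def build_volume(files):
    """Directory region followed by data clusters, one cluster per file (constructed)."""
    image = bytearray(DATA_START + DIR_ENTRIES * CLUSTER_SIZE)
    for slot, (fname, content) in enumerate(files.items()):
        name, ext = fname.split(".")
        image[slot * ENTRY_SIZE:(slot + 1) * ENTRY_SIZE] = make_entry(name, ext, slot, len(content))
        start = DATA_START + slot * CLUSTER_SIZE
        image[start:start + len(content)] = content
    return image


def list_dir(image):
    """Yield (name, deleted, first_cluster, size) for each directory entry in use."""
    for slot in range(DIR_ENTRIES):
        off = slot * ENTRY_SIZE
        if image[off] == 0x00:                       # never used: end of directory
            continue
        deleted = image[off] == DELETED_MARK
        raw = bytes(image[off:off + 11])
        if deleted:
            raw = b"?" + raw[1:]                     # the first character is lost for good
        name = raw[:8].decode("ascii").strip() + "." + raw[8:].decode("ascii").strip()
        cluster, = struct.unpack_from("<H", image, off + 26)
        size, = struct.unpack_from("<I", image, off + 28)
        yield name, deleted, cluster, size


def delete_file(image, fname):
    """What the file system does on delete: flip one byte, leave the data untouched."""
    name, ext = fname.split(".")
    wanted = make_entry(name, ext, 0, 0)[:11]
    for slot in range(DIR_ENTRIES):
        off = slot * ENTRY_SIZE
        if image[off:off + 11] == wanted:
            image[off] = DELETED_MARK
            return
    raise FileNotFoundError(fname)


def logical_backup(image):
    """Copy only what the directory still lists: a dict of name -> content."""
    return {name: bytes(image[DATA_START + c * CLUSTER_SIZE:][:size])
            for name, deleted, c, size in list_dir(image) if not deleted}


def bitstream_image(image):
    """Bit-for-bit copy of the whole media, free and slack space included."""
    return bytes(image)


def recover_deleted(image):
    """Walk an image for 0xE5 entries and read their clusters back (undelete)."""
    return {name: bytes(image[DATA_START + c * CLUSTER_SIZE:][:size])
            for name, deleted, c, size in list_dir(image) if deleted}


def deleted_marker_glyph():
    """How 0xE5 renders in the DOS code page 437: the "sigma" the text refers to."""
    return bytes([DELETED_MARK]).decode("cp437")


# Constructed sample: a document plus the invisible temporary "shadow" file Word keeps.
SAMPLE_FILES = {
    "REPORT.DOC": b"Quarterly figures: revenue 120, cost 95",
    "~WRL0001.TMP": b"Quarterly figures: revenue 120, cost 95",
}

if __name__ == "__main__":
    vol = build_volume(SAMPLE_FILES)
    delete_file(vol, "REPORT.DOC")
    print("logical backup sees:", sorted(logical_backup(vol)))
    print("bit stream recovers:", recover_deleted(bitstream_image(vol)))
    print("0xE5 displays as:", deleted_marker_glyph())
```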

3. WRITE BLOCKER:
A write blocker is a hardware or software-based tool that prevents a computer from writing to computer storage media connected to it. Hardware write blockers are physically connected between the computer and the storage media being processed to prevent any writes to that media. A wide variety of "WRITE BLOCKER" devices are available based on the type of the interface, e.g. SATA / IDE / USB etc.

Never connect the evidence media directly without a blocker device.
NETWORK DRIVE IMAGING AND LOGICAL FILE COLLECTION:

If the hard drive cannot be removed, then we have to image the computer using network acquisition. This is done by connecting the evidence computer to the forensic computer via a "SPECIAL ETHERNET CABLE" called a "CROSS CABLE" (network cross-over cable). Once the computers are connected, boot the evidence computer from a forensic distribution like "HELIX" or "LINEN" and connect the forensic computer to the evidence computer using forensic software like "ENCASE". Now the acquisition just occurs like a regular hard drive acquisition.
SEALING AND TRANSPORTATION:

Use an antistatic aerated cover to place the seized hard disk in. Send it to the laboratory through a special messenger.

• The person who is transporting should be made to understand that the exhibit is not to be exposed to any magnetic field during transportation.
• Computers are to be kept in antistatic bubble wrap; this is preferable.
• Keep the system and computer components together.
• A single machine should have a single seizing agent.
• Paper bags do not hold static electricity and are preferable over plastic bags.
• Use of a Faraday bag while seizing mobile phones prevents the data on the evidence from being tampered with.
PANCHANAMA (SEIZURE MEMO) & SEIZURE PROCEEDINGS:

The power to search and seize is under section 165 Cr.P.C. and the IT Act 2000 / ITAA-2008.

• Ensure that a technical person from the responder side, along with 2 independent witnesses, is part of the search and seizure procedure to identify the equipment correctly and guide the I.O. and witnesses.
• Time zone / system time play a very critical role in the investigation. Please make sure this information is noted carefully in the Panchanama from the systems that are in switched-on condition.
• Please do not switch on any device.
• Please make sure that a serial number is allotted for each device, and the same should be duly noted not only on the Panchanama but also in the chain of custody and the Digital Evidence Collection form.
CHAIN OF CUSTODY:

Chain of custody refers to documentation that shows the people who have been entrusted with the evidence. These would be the people who seized the equipment, the people in charge of transferring the evidence from the crime scene to the forensic lab, the people in charge of analyzing the evidence, and so on.

CHAIN OF CUSTODY (form)

Details of the Digital Evidence:
  Crime number: ________        Date of Seizure: ________
  Name of I.O.: ________        Time: ________
  PF Number: ________

Technical information:
  | Manufacturer | Model | Serial Number | PF Number |

Chain of Custody:
  | Reason/Action | Received from | Received by | Date | Time | Remarks |

DIGITAL EVIDENCE COLLECTION (DEC) FORM

• System Information
• Type
• Manufacturer
• Model Number
• Serial Number / any unique identification feature
• BIOS Date/Time
• Property form number / Evidence Number
HASHING:

Establishing the integrity of seized evidence through a forensically proven procedure, technically by a trained I.O. or with the help of a technical expert, will strengthen the case when it is taken for prosecution. The integrity of the evidence on a digital media can be established by using a process called HASHING.

A hashing program produces a fixed integer value (ranging from 80 to 240 bits) representing the data on the seized media. Any change made to the original evidence will result in a change of the hash value.
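An added example, not code from the module, tying the HASHING step to the chain-of-custody form given earlier: the digest of the seized image is taken once at acquisition and written on the form, and every handover recomputes it, so any change to the evidence (here a single flipped bit) is detected and recorded on the sheet. The media bytes, crime and PF numbers, names and timestamps are all constructed.

```python
"""
Added example (not from the module): hash at seizure, re-hash at every handover,
and record the result on a chain-of-custody sheet.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class CustodyEntry:
    action: str            # "Reason/Action" column of the chain-of-custody form
    received_from: str
    received_by: str
    when: str              # date and time, written as one ISO-8601 string here
    sha256: str            # digest recomputed at this step
    remarks: str = ""


@dataclass
class EvidenceRecord:
    crime_number: str
    pf_number: str
    sha256: str            # reference digest taken at seizure
    md5: str               # second algorithm, as many forms record two values
    chain: list = field(default_factory=list)


def digest(media, algo="sha256"):
    """Hash the image in chunks; the same loop works for a multi-gigabyte file."""
    h = hashlib.new(algo)
    for i in range(0, len(media), 4096):
        h.update(media[i:i + 4096])
    return h.hexdigest()


def acquire(media, crime_number, pf_number, officer, when):
    """Seizure: compute both digests and open the chain with the seizing officer."""
    rec = EvidenceRecord(crime_number, pf_number, digest(media), digest(media, "md5"))
    rec.chain.append(CustodyEntry("Seized and imaged", "scene of offence", officer, when, rec.sha256))
    return rec


def handover(rec, media, sender, receiver, when, remarks=""):
    """Recompute the digest at handover and flag the entry if it no longer matches."""
    now = digest(media)
    ok = now == rec.sha256
    note = remarks if ok else ("HASH MISMATCH " + remarks).strip()
    rec.chain.append(CustodyEntry("Handed over", sender, receiver, when, now, note))
    return ok


def chain_is_intact(rec):
    """True only if every entry on the form carries the seizure-time digest."""
    return all(entry.sha256 == rec.sha256 for entry in rec.chain)


# Constructed 16 KiB "disk image" standing in for the seized media.
SAMPLE_IMAGE = bytes(range(256)) * 64


def demo():
    """Seize, hand over intact, then hand over after one bit was altered in transit."""
    media = bytearray(SAMPLE_IMAGE)
    rec = acquire(bytes(media), "CR-0001 (constructed)", "PF-17 (constructed)",
                  "seizing officer", "2024-01-05T10:15")
    ok_first = handover(rec, bytes(media), "seizing officer", "lab receiving desk",
                        "2024-01-06T09:00")
    media[5000] ^= 0x01          # constructed tampering: a single bit flipped
    ok_second = handover(rec, bytes(media), "lab receiving desk", "examiner",
                         "2024-01-07T11:30", "image copied to examiner workstation")
    return ok_first, ok_second, chain_is_intact(rec), rec


if __name__ == "__main__":
    first, second, intact, record = demo()
    for e in record.chain:
        print(f"{e.when}  {e.action:<18} {e.received_by:<20} {e.sha256[:16]}...  {e.remarks}")
    print("chain intact:", intact)
```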
2/ FORENSIC AN, TOoOLS

(A)ENCASE SOF
/{ GUIDANCE SOFTWARE: (Version 7)
Vidence: with Encase Forensic, examiner can be confident the
integrity of evidence will not be compromised. This s_is_widely_used
throughout world.
Process Evidence: As the amount of evidence in each case increases,
examiners need speedy, reliable processing capabilities in_order to
completeinvestigaiioh”ficiently. Encase version 7, now_can_dive
invaluable En Scfiptswhich is indexed for unified search and review of
i evidence from one, easy to use interface.
Perform Deep Forensic Analysis: This tool now has capability to analyse
all files deeply and.analyse. It can also analyse EXT4 and HF:
ofice_2010 fies, checl oain_point sec encrypled version, and SO
ohysical image. It can emailinvestigation.
also help in with a streamline
interface and features enablln
email conversatior
analysis,
Compile Findings: This gives an easily configurable report, with
customized templates, for any type of case which is easy of read
Archive case: To ensure examiners have everything they need when a
case needs o be reviewed in future. It has a buit in archiving capability
and with a click, it gives evidence, findings , and report associated with
the case and ensures everything remains intact.
(B) FORENSIC TOOL KIT FROM ACCESS DATA (FTK):
i) Handle massive data sets without crashing.
ii) Experience fast searching and easy data navigation.
iii) Distributed processing and fully leveraging
iv) Apple OS analysis: FTK provides the most comprehensive Apple O.S. analysis.
v) E-mail analysis: Emails of all types from all digital companies can be analysed.
vi) Encryption support: FTK supports popular encryption technologies.

(C) PASSWARE KIT FORENSIC
While forensic hardware of all kinds needs proper forensic software to work, "password protected" files are one challenge that may arise during forensic examination. Passware may be used for the decryption of such files, i.e. decrypting files and removing password protection.
(D) ELECTRONIC DISCOVERY TOOLS:
(a) NUIX
This machine processes and makes searchable unstructured information; the investigator can easily find crucial evidence and graphically demonstrate what really happened. The result is faster output, better investigation, and more confidence that all relevant data has been discovered.
- Built around the world's fastest and most powerful indexing engine.
- Processes every word by text, metadata, all images and binary, slack space etc.
- Removes the need for time-consuming data processing.
- Automatically finds emails and documents which are hidden, encrypted, deleted or stored in ways to conceal their identity.
- Once processed, the I.O. can get his required information in seconds.
- Easy to install.
- Simple to use.
- NUIX finds more information.
(b) INTELLA* FROM VOUND** TECHNOLOGY
Visualized search with Intella:
- Gains deeper insight through visualization.
- Search e-mail, attachments, embedded images, archives, headers and metadata.
- Drill deeply using Intella's unique facets.
- Group and trace email conversations.
- Preview email, cell phones and data files for investigation and e-Discovery.
Email and ESI (Electronically Stored Information) investigation can be taken up with Intella; its powerful processing and unique visual representation enable the I.O. to quickly and easily search and review emails, cell phones and other electronically stored evidence, which will reveal improper use of email, intellectual property theft or inappropriate images.
(E) WRITE BLOCKER TOOLS:
These are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. They do this by allowing read commands to pass but blocking write commands, hence their name. There are different models like (i) TABLEAU T35ES (ii) TABLEAU T4 ES (iii) TABLEAU T6 ES.
(F) FORENSIC DUPLICATORS
These are used both in the field and in labs; they are portable and easy to use. Standard features include disk-to-disk and disk-to-file duplication, format disk, wipe disk, hash disk, and detection and removal. It acquires images, helping ensure the integrity of the original. The models are (i) TABLEAU TD1 (ii) TABLEAU TD2.
(G) FORENSIC DOSSIER
These can capture two hard disk drives with the dossier connectivity option. It authenticates, has advanced keyword search, is compatible with self-encrypting drives, captures from flash media, and provides 100% write protection, audit trail reporting, uni-directional data transfer and a secured system. Forensic Talons are used for this purpose; the Talon is rugged, field ready and has advanced keyword searching.

** ABOUT VOUND
Founded in 2008, Vound is a leading global vendor of technology used for forensic search, e-discovery and information governance. Its INTELLA range of e-discovery, information governance, digital forensic and legal investigation software is used by the world's best known enterprises and legal organizations. Intella's strength lies in its [...] collection of data, and in allowing users to quickly search and drill down to the most pertinent data. This minimizes the need for experts and significantly cuts down on the time and costs organizations typically incur to carry out e-mail investigations, audit requests and e-discovery matters.


INTERNATIONAL ORGANISATION ON COMPUTER EVIDENCE (I.O.C.E)
(PRINCIPLES AND GUIDELINES)
SCIENTIFIC WORKING GROUP OF DIGITAL EVIDENCE (SWGDE)

Introduction: The Scientific Working Group of Digital Evidence (SWGDE) was established in February 1998 through a collaborative effort of the Federal Crime Lab Directors. SWGDE, as the U.S.-based component of the standardization efforts of the International Organization on Computer Evidence (IOCE), was charged with the development of cross-disciplinary guidelines and standards for the PRESERVATION and EXAMINATION OF DIGITAL EVIDENCE, including AUDIO, IMAGING and ELECTRONIC DEVICES. A document was drafted and presented at the INTERNATIONAL HI-TECH CRIME AND FORENSIC CONFERENCE (IHCFC) held in London, UK, October 4-7, 1999. It proposes the establishment of standards for the exchange of DIGITAL EVIDENCE between sovereign nations and is intended to elicit constructive discussion regarding digital evidence. The document has been adopted as a draft standard for US law enforcement agencies.
PURPOSE: The world has changed from analog to digital. Although the "computer" reigns supreme in the digital world, it is not the only digital device. There are mobile phones, smart phones, laptops, memory sticks, digital discs and pen drives, as well as audio, video, communications and photographic devices, which are so closely associated with the computer as to have converged with it. From the law enforcement perspective, more of the information that serves as currency in the judicial process is being stored, transmitted, or processed in "digital form". A single world economy, in which companies providing goods and services are fully international, has enabled criminals to act transjurisdictionally with ease. Consequently, a perpetrator may be brought to justice in one jurisdiction while the digital evidence required to successfully prosecute the case [...]. This requires that each jurisdiction be able to collect and preserve digital evidence for its own needs as well as for the potential needs of other countries. Each jurisdiction has its own system of government and administration of justice, but in order for one country to protect itself and its citizens, it must [...]. Though it is not reasonable to expect all nations to know about and abide by the precise laws and rules of other countries, a means that will allow the exchange of evidence must be found. This document by SWGDE is a first attempt to define the technical aspects of these exchanges.
ORGANISATION: The format of this document was adopted in conformance with the format of the American Society of Crime Laboratory Directors / Laboratory Accreditation Board manual.

DEFINITIONS:

(1) ACQUISITION OF DIGITAL EVIDENCE: Begins when information and/or physical items are collected or stored for examination purposes. The term "evidence" implies that the collector of evidence is recognized by the courts. The process of collecting is also assumed to be a legal process and appropriate for the rules of evidence in that locality. A data object or physical item only becomes evidence when so deemed by a law enforcement officer or designee.
(2) DATA OBJECTS: Objects or information of potential probative value that are associated with physical items. Data objects may occur in different formats without altering the original information.
(3) DIGITAL EVIDENCE: Information of probative value stored or transmitted in digital form.
(4) PHYSICAL ITEMS: Items on which data objects or information may be stored and/or through which data objects are transferred.
(5) ORIGINAL DIGITAL EVIDENCE: Physical items and data objects associated with such items at the time of acquisition or seizure.
(6) DUPLICATE DIGITAL EVIDENCE: An accurate digital reproduction of all data objects contained on an original physical item.
(7) COPY: An accurate reproduction of information contained on an original physical item, independent of the original physical item.


STANDARDS
PRINCIPLE 1: In order to ensure that digital evidence is collected, preserved, examined, or transferred in a manner safeguarding the accuracy and reliability of the evidence, law enforcement and forensic organizations must establish and maintain an effective quality system. Standard operating procedures (SOPs) are documented quality-control guidelines that must be supported by proper case records and use broadly accepted procedures, equipment, and materials.
Standards and Criteria (1.1)
All agencies that seize and/or examine digital evidence must maintain an appropriate SOP document. All elements of an agency's policies and procedures concerning digital evidence must be clearly set forth in this SOP document, which must be issued under the agency's management authority.
Standards and Criteria (1.2)
Agency management must review the SOPs on an annual basis to ensure their continued suitability and effectiveness.
Standards and Criteria (1.3)
Procedures used must be generally accepted in the field or supported by data gathered and recorded in a scientific manner.
Standards and Criteria (1.4)
The agency must maintain written copies of appropriate technical procedures.
Standards and Criteria (1.5)
The agency must use hardware and software that is appropriate and effective for the seizure or examination procedure.

Standards and Criteria (1.6)
All activities relating to the seizure, storage, examination, or transfer of digital evidence must be recorded in writing and be available for review and testimony.
Standards and Criteria (1.7)
Any action that has the potential to alter, damage, or destroy any aspect of original evidence must be performed by qualified persons in a forensically sound manner.
INTERNATIONAL ORGANISATION ON COMPUTER EVIDENCE (I.O.C.E)

The IOCE was established in 1955 to provide international enforcement agencies a forum for the exchange of information concerning computer crime investigation and other computer-related forensic issues. Comprised of accredited government agencies involved in computer forensic investigations, IOCE identifies and discusses issues of interest to its constituents, facilitates the international dissemination of information and develops recommendations for consideration by its member agencies. In addition to formulating computer evidence standards, IOCE develops communication services between member agencies and holds conferences geared toward the establishment of working relationships.
INTERNATIONAL PRINCIPLES

The international principles developed by IOCE for the standardized recovery of computer-based evidence are governed by the following attributes:
- Consistency with all legal systems;
- Allowance for the use of a common language;
- Durability;
- Ability to cross international boundaries;
- Ability to instill confidence in the integrity of evidence;
- Applicability to all forensic evidence; and
- Applicability at all levels, including that of individual, agency, and country.
These principles were presented and approved at the "International Hi-tech Crime and Forensic Conference" in October 1999. They are as follows:
1. Upon seizing digital evidence, actions taken should not change that evidence.
2. When it is necessary for a person to access original digital evidence, that person must be forensically competent.
3. All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review.
4. An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession.
5. Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.
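Principles 3 and 4 above (every seizure, access, storage or transfer action is documented and preserved; a named individual is responsible while the item is in their possession) can be implemented as a chain-of-custody record. The following is an added example, not part of the IOCE text and not any agency's system: a small Python log in which each entry records who did what to the exhibit and the evidence hash at that moment, and each entry carries the digest of the entry before it, so that an entry edited or swapped after the fact is reported when the log is verified. The class names, the case and exhibit identifiers, the roles and the timestamps are all constructed for this illustration.

```python
"""Added example (not part of the IOCE text or any agency's system): a
tamper-evident chain-of-custody log for one item of digital evidence.

All class names, identifiers, roles and timestamps are constructed.
"""
import copy
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional

# The four kinds of activity the IOCE principles require to be documented.
ACTIONS = {"seizure", "access", "storage", "transfer"}
GENESIS = "0" * 64  # "previous entry hash" of the very first entry


@dataclass
class CustodyEntry:
    seq: int
    timestamp: str
    action: str
    actor: str             # person responsible for the item from this action on
    evidence_sha256: str   # digest of the item at the time of the action
    note: str
    prev_entry_hash: str   # links this entry to the one before it
    entry_hash: str = ""   # digest of this entry's own fields


class CustodyLog:
    """Append-only record of everything done with one exhibit.

    Each entry carries the SHA-256 of the previous entry, so editing or
    removing an entry later breaks the chain and is reported by verify().
    The log documents actions; it does not prevent them.
    """

    def __init__(self, case_id: str, item_id: str) -> None:
        self.case_id = case_id
        self.item_id = item_id
        self.entries: List[CustodyEntry] = []

    @staticmethod
    def _digest(entry: CustodyEntry) -> str:
        body = asdict(entry)
        body["entry_hash"] = ""  # the digest covers every field except itself
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, action: str, actor: str, evidence_sha256: str,
               note: str = "", when: Optional[datetime] = None) -> CustodyEntry:
        if action not in ACTIONS:
            raise ValueError(f"unknown custody action {action!r}")
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = CustodyEntry(len(self.entries) + 1, when.isoformat(), action,
                             actor, evidence_sha256, note, prev)
        entry.entry_hash = self._digest(entry)
        self.entries.append(entry)
        return entry

    def current_custodian(self) -> str:
        """Principle 4: whoever performed the last action holds responsibility."""
        return self.entries[-1].actor if self.entries else ""

    def verify(self) -> List[str]:
        """Return the problems found; an empty list means the record is consistent."""
        problems: List[str] = []
        prev = GENESIS
        seized_hash = self.entries[0].evidence_sha256 if self.entries else ""
        for e in self.entries:
            if e.prev_entry_hash != prev:
                problems.append(f"entry {e.seq}: link to previous entry is broken")
            if self._digest(e) != e.entry_hash:
                problems.append(f"entry {e.seq}: fields changed after recording")
            if e.evidence_sha256 != seized_hash:
                problems.append(f"entry {e.seq}: evidence hash differs from the seizure hash")
            prev = e.entry_hash
        return problems


def build_demo_log() -> CustodyLog:
    """Constructed case history: seizure, transfer to the lab, examination, storage."""
    log = CustodyLog(case_id="CASE-0001 (constructed)", item_id="HDD-01 (constructed)")
    item_hash = hashlib.sha256(b"constructed disk image contents").hexdigest()
    t0 = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    log.record("seizure", "investigating officer", item_hash, "imaged on site", t0)
    log.record("transfer", "evidence clerk", item_hash, "handed over to lab", t0.replace(hour=14))
    log.record("access", "examiner", item_hash, "keyword search on working copy", t0.replace(day=16))
    log.record("storage", "evidence clerk", item_hash, "returned to exhibit room", t0.replace(day=16, hour=17))
    return log


def demo() -> dict:
    """A clean log, then what verify() reports after two kinds of tampering."""
    clean = build_demo_log()
    edited = copy.deepcopy(clean)
    edited.entries[1].actor = "unknown person"     # someone rewrites who held the item
    altered = copy.deepcopy(clean)
    altered.entries[2].evidence_sha256 = "f" * 64  # the item changed while in the lab
    return {
        "clean": clean.verify(),
        "edited_entry": edited.verify(),
        "altered_evidence": altered.verify(),
        "custodian": clean.current_custodian(),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The evidence hash in every entry is compared with the one recorded at seizure, so the log also ties principle 1 (actions must not change the evidence) to principle 3: the moment a custodian records a different digest, verify() names the entry and the person responsible for that step.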

Other items recommended by IOCE for further debate and/or facilitation included:
- "Forensic competency" and the need to generate agreement on international accreditation and the validation of tools, techniques, and training;
- Issues related to practices and procedures for the examination of digital evidence; and
- The sharing of information relating to hi-tech crime and forensic computing, such as events, tools and techniques.

