“COMPUTER FORENSIC INVESTIGATION IN

CYBER WORLD WITH ITS TOOLS’’

DISSERTATION TOWARDS FULFILLMENT OF THE

AWARD OF DIPLOMA IN CYBER LAWS.

SUBMITTED TO:
DR D.Y.PATIL LAW COLLEGE, PIMPRI PUNE
SAVITRIBAI PHULE PUNE UNIVERSITY

PREPARED BY:
MS Pranali laxman Awandkar

UNDER THE GUIDANCE AND SUPERVISION OF:

PROF. PARAG NAVANDER

ASSISTANT PROFESSOR,
DR.D.Y.PATIL LAW COLLEGE, PIMPRI, PUNE
Savitribai Phule Pune University

Place and Date of Submission:

Dr. D. Y. Patil Law College, Pimpri, Pune.

March, 2020

1
 “COMPUTER FORENSIC INVESTIGATION IN
CYBER WORLD WITH ITS TOOLS’’

A Project towards the fulfillment for the Award of Diploma in

Cyber Law Submitted to Savitribai Phule Pune University
Submitted by:

MS. Pranali laxman Awandkar.

Under the guidance:

Prof. PARAG NAVANDER

Place and Date of Submission:

Dr. D. Y. Patil Law College, Pimpri, Pune

March, 2020

2
 DR.D.Y.PATIL UNITECH SOCIETY’S
D0R.D.Y.PATIL LAW COLLEGE,
PIMPRI, PUNE-411018

CERTIFICATE
This is to certify that MS. Pranali laxman Awandkar student of Diploma in Cyber Law Seat
No.________________ of Dr. D. Y. Patil Law College. He has independently carried out
dissertation titled “COMPUTER FORENSIC INVESTIGATION IN CYBER WORLD
WITH ITS TOOLS’’, under our supervision and guidance and we recommend it for
submission.

Place: Pimpri

Date

Professor In-Charge External Supervisor Principal

3
 ACKNOWLEDGEMENT

This project has been made possible by the efforts of many individuals. Under
the supervision of PROF. PARAG NAVANDER and Principal Dr. UJWALA
SHINDE provided invaluable guidance in this project.

In the preparation of the project, I would like to express deep sense of

gratitude to all those who have helped me with the cordial support, valuable
information, which encouraged and helped me to complete the task at
various stages.

Lastly, I would like to thank to the great authors of the books from which
the reference is being taken and my parents and teachers who inspired me
and made me capable of doing this work and those all people who gave
suggestions regarding my work .

Date :
Place: Pimpri, Pune

4
 INDEX

SR TOPICS PAGE
NO. NO.
1 INTRODUCTION 6

2 CRONICLE OF COMPUTER FORENSICS 9

3 DENOTATION OF CYBER CRIME 11

4 DISCRIPTION DIGITAL EVIDENCE 13

5 EXPLANATION OF COMPUTER FORENSICS 18

6 CATEGORY CYBER CRIME CASES 19

7 SIGNIFICANCE OF HACKING 27

8 OTIGIN OF CRIMES AND CRIMINALS 29

9 BREED OF CRIMINALS 30
10 TECHNIQUE OF PERPETRATION 31
11 OUTCOME OF CRIME 34
12 DETECTION 38
13 FORENSIC PROCESS 41
14 ROLE OF COMPUTER FORENSICS 46
15 THE ABILITY OF DIG DEEPER 55
16 PRESERVATION AND CHAIN OF CUSTODY ISSUE 58
17 EXECUTING THE BASIC COMPUTER FORENSIC INVESTIGATION 59
18 PRE EMPTING LITIGATION 60
19 IMPORTANCE OF COMPUTER FORENSICS 61
20 ACQUSITION 66
21 FORENSIC COMPARISION PLATFORM 73
22 STAGES OF EXAMINATION 78
23 ISSUES FACED BY COMPUTER FORENSICS 81
24 TOOLS USED BY COMPUTER FORENSIC INVESTIGATORS 83

5
25 PUNISHMENTS 95
26 CASE LAWS 101
27 CONCLUSION 106
28 BIBLIOGRAPHY 107
29 WEBLIOGRAPHY 108

1 .INTRODUCTION:

6
The internet is a network of networks, connecting millions of devices, and is used many
business, communications and information interchange throughout the world. Undoubtedly, the
invention of these connections has impacted all aspects of our lives. The decentralized nature of
the internet forms its very foundation, yet ironically, this nature has opened networks and
individual machines to a host of threats and attacks from cyber-criminals. Cyber-crime includes,
but is not limited to, the theft of trade secrets, theft of or destruction of intellectual property and
fraud. Trade secrets and intellectual property is typically the foundation upon which many
companies are built. This information gives each company a competitive advantage and to have
such information compromised in any way could easily cost the company millions. In addition,
since money is no longer exclusively paper based due to online trading, financial fraud such as
credit card misuse is propagated once a criminal gains access to enterprise information systems.
Cyber obscenity is one of the more popular forms of cyber crime. Essentially, pornographic
material, such as child pornography, is hidden on storage media since perpetrators acknowledge
the illegality of being in possession of these images. Cyber-criminals associate themselves with
one of or all of these crimes by making it their jobs to find vulnerabilities in operating systems,
applications or services that run on a computer connected to the internet. Once a vulnerability is
discovered and exploited, the criminal is able to view or store sensitive information on some
form of storage media. The storage medium can either be local, i.e. hard-drives or removable, i.e.
floppy disks, zip drives, memory sticks or CDs. Once the crime is committed, prosecution
becomes extremely difficult since the crime venue could easily be in different cities and
countries and involve unsuspecting third parties. At this point, a computer forensic specialist
(CFS) is tasked to investigate the digital crime scene by impartially scrutinizing a number of
digital sources that are either involved or thought to be involved in the crime, and ultimately
produce a single document reflecting a summary of the contents of the digital source. Like any
other forensic science, CFSs make use of a number of specialized software tools and hardware
devices to carry out investigations. These investigations follow a strict methodology to maintain
the credibility and integrity of all storage devices involved.

The general methodology is to:

i. PROTECT the subject computer system during the forensic examination from any possible
alteration, damage, data corruption or virus infection.

7
ii. DISCOVER all files on the subject system which includes existing normal files, deleted yet
remaining files, hidden files, password-protected files and encrypted files.

iii. RECOVER, as much as possible, files that are discovered to be dele ted.

iv. REVEAL, to the extent possible, the contents of hidden files as well as temporary files used
by both the application programs and the operating system.

v. ACCESS the contents of protected or hidden files if possible and legally appropriate.

vi. ANALYZE all relevant data found in special areas of the disk. The concept of special areas of
a disk is explained later in section 3.

vii. PRINT out an overall analysis of the subject computer system. This analysis includes a
listing of all relevant files and discovered file data. The print-out also provides an overview 3 of
the system layout, file structures and data authorship information. Any attempts to hide, delete,
protect or encrypt information will also be revealed through the print-out.

viii. PROVIDE EXPERT CONSULTATION and/or testimony as required. This testimony

would typically be required to prove the points of a case in a court of law.

The subject of this paper will be those tools involved in each step of the, above
mentioned, forensic methodology. The functionalities offered by the tools will also be discussed
to offer a better understanding into the forensic process. These tools generally differ in
functionality, complexity and cost. In terms of functionality, some tools are designed to serve a
single purpose while others offer a suite of functions. Therefore, the functionalities offered by a
tool are exactly what lead to its complexities. These complexities can either be related to design
and algorithmic complexity or ease-of-use; in some instances, a tool can offer great functionality
but fall short because of a complex interface. Cost is the final distinguishing factor. Some of the
market-leading commercial products cost thousands of dollars while other tools are completely
free. Wit ch these limiting factors (functionality, complexity, and cost) in mind, the computer
forensic expert now needs to evaluate the criticality of the crime and choose an appropriate
tool(s) to help with his/her investigation.

8
 2. GLOSSORY OF COMPUTER FORENSIC:

The history of computer forensics can be traced to back to the 1970s when military
investigators started finding instances of computer-related criminal activity and needed a more
comprehensive approach for solving these technical crimes. Many computer forensics degree and

9
training programs now include a History of Computer Forensics course so that students can learn
about how this industry developed, and what types of security breaches and cybercrimes have
affected individuals and businesses over time. This field did begin in the United States as
government personnel realized that they would need investigative protocol to solve cybercrimes
and criminal activities related to computers.1

A. TIMELINE OF THE HISTORY OF COMPUTER FORENSICS

The official timeline for the history of computer forensics begins in 1984 when the FBI
Magnetic Media program was created. This program was later known as the Computer Analysis
and Response Team (CART) which is still in existence today. It wasn't until 1995 that the
International Organization on Computer Evidence (IOCE) was formed, and many criminologists
and crime scene investigators were able to join after training in the field of computer forensics.
Since the mid-90s, the field of computer forensics has grown rapidly and law enforcement
personnel are often trained in the field of cybercrime and Internet investigative techniques at
some point in their career.

B. STUDYING THE HISTORY OF COMPUTER FORENSICS

Most computer forensics degree programs include at least one history of computer
forensics course to help students understand the brief history and background of the growing
field. You may be able to take a history of computer forensics course online or offline,
depending on the school you attend.

Most courses on this topic cover some of the key events and facts surrounding three
points throughout the rise of computer forensics: the ad-hoc phase, the structured phase, and the
enterprise phase.

The ad-hoc phase can be characterized as the stage when officials realized that there was
a need for some type of formal investigation in the field of cybercrimes and computer-related
crimes, but there was a lack of structure, clear goals and adequate tools and processes to achieve

1
http://www.computerforensicstraining101.com/history.html

10
any goals. There were also many legal issues surrounding the gathering and handling of digital
evidence.2

The structured phase can be characterized as the development of a more complex solution
for computer forensics. This would include accepted procedures, tools that were developed
specifically to solve computer-related problems, and the enabling of some type of criminal
legislation to support the use of digital evidence when solving a crime. The structured phase
appeared right around the mid-80s when the CART and other entities were authorized to handle
various types of cybercrimes.3

The enterprise phase is the current state of the computer forensics industry, and is the
most advanced of all phases. At this level, computer forensics is considered to be an actual
science and involves the real-time collection of evidence, the development of effective tools and
processes, and the use of structured protocol and procedures. Forensics is now offered as a
service to many companies and entities in need of investigative support in the digital field.4

3. WHAT IS CYBER CRIME:

2
ibid
3
ibid
4
ibid

11
Cybercrime, or computer crime, is crime that involves a computer and a network,5 The computer
may have been used in the commission of a crime, or it may be the target. Debarati Halder and
K. Jaishankar define cybercrimes as: "Offences that are committed against individuals or groups
of individuals with a criminal motive to intentionally harm the reputation of the victim or cause
physical or mental harm, or loss, to the victim directly or indirectly, using modern
telecommunication networks such as Internet (Chat rooms, emails, notice boards and groups) and
mobile phones (SMS/MMS)".6 Such crimes may threaten a nation's security and financial health.
[4]
 Issues surrounding these types of crimes have become high-profile, particularly those
surrounding hacking, copyright infringement, child pornography, and child grooming. There are
also problems of privacy when confidential information is intercepted or disclosed, lawfully or
otherwise.

Cybercrime is defined as crimes committed on the internet using the computer as either a tool or
a targeted victim. It is very difficult to classify crimes in general into distinct groups as many
crimes evolve on a daily basis. Even in the real world, crimes like rape, murder or theft need not
necessarily be separate. However, all cybercrimes involve both the computer and the person
behind it as victims, it just depends on which of the two is the main target. 
Hence, the computer will be looked at as either a target or tool for simplicity’s sake. For
example, hacking involves attacking the computer’s information and other resources. It is
important to take note that overlapping occurs in many cases and it is impossible to have a
perfect classification system.

A. Computer as a tool

When the individual is the main target of Cybercrime, the computer can be considered as the tool
rather than the target. These crimes generally involve less technical expertise as the damage done
manifests itself in the real world. Human weaknesses are generally exploited. The damage dealt
is largely psychological and intangible, making legal action against the variants more difficult.
These are the crimes which have existed for centuries in the offline. Scams, theft, and the likes
have existed even before the development in high-tech equipment. The same criminal has simply
5
 Moore, R. (2005) "Cyber crime: Investigating High-Technology Computer Crime," 
6
ibid

12
been given a tool which increases his potential pool of victims and makes him all the harder to
trace and apprehend.

B. Computer as a target
These crimes are committed by a selected group of criminals. Unlike crimes using he computer
as a tool, these crimes requires the technical knowledge of the perpetrators. These crimes are
relatively new, having been in existence for only as long as computers have - which explains
how unprepared society and the world in general is towards combating these crimes. There are
numerous crimes of this nature committed daily on the internet.

4. WHAT IS DIGITAL EVIDENCE:

13
Sources of electronic data have grown exponentially with the popularity of, for instance, text
messaging, social networking, and e-mail. This variety of data represents a key component of
police investigations and a potential source of evidence that could prove critical in supporting the
prosecution of different types of crimes. This highlights the importance of not only collecting
such digital evidence but also having up-to-date procedures for its proper handling, archival, and
maintenance, particularly to ensure its suitability for presentation in court.7

Digital evidence is information stored or transmitted in binary form that may be relied on in
court. It can be found on a computer hard drive, a mobile phone, a personal digital assistant
(PDA), a CD, and a flash card in a digital camera, among other place s. Digital evidence is
commonly associated with electronic crime, or e-crime, such as child pornography or credit card
fraud. However, digital evidence is now used to prosecute all types of crimes, not just e-crime.
For example, suspects' e-mail or mobile phone files might contain critical evidence regarding
their intent, their whereabouts at the time of a crime and their relationship with other suspects.8

A. Digital Trail
Most criminals now leave a digital trail; a suspect’s e-mail or mobile phone files might contain
critical information:

i. Intent,
ii. Location and time of crime,
iii. Relationship with victim(s), and
iv. Relationship with other suspect(s)
B. On Scene
As the first responding officer, the collection and preservation of digital evidence begins with
you.

Once the scene has been secured and legal authority to seize the evidence has been confirmed,
devices can be collected. First responders must be cautious when handling digital devices in
addition to normal evidence collection procedures the preventing the exposure to extreme
temperatures, static electricity and moisture are a must.
7
https://leb.fbi.gov/2011/august/digital-evidence
8
https://www.nij.gov/topics/forensics/evidence/digital/Pages/welcome.aspx

14
 I. Frequently seized devices – Smartphones and other mobile devices
Step 1 – Document the device and all collection procedures and information
i. Photograph OR Video OR Sketch
ii. Notes
iii. Chain of custody
Step 2 – Determine if the device is on or off
i. Look for lights
ii. Listen for sounds
iii. Feel for vibrations or heat
NOTE – Many mobile devices save power by turning off screens after a specified amount of
time.  Despite the screen status, the device is likely still active.  Ask if the device is currently
powered on. Where legal, pressing the power button quickly will activate the screen.
Step 3 – If the device is off, do not turn it on
i. Collect and package.
ii. Ask for password/pass pattern
iii. Transport.
Step 4 – If the device is on, proceed with CAUTION
WARNING – The two most significant challenges for officers seizing mobile devices are:
i. isolating the device from cellular and Wi-Fi networks; and
ii. obtaining security passwords or pass patterns for the device so the evidence can be examined
forensically.  Always ask if there is any security feature enabled on the phone. These can include
passwords (simple or complex), security/wiping apps, pass patterns, or biometrics (facial scan).
Document (see the attached consent form for guidance) and confirm the password or pass
pattern. Turning the device off could result in the loss of evidence. The best option is to keep the
device powered, unlocked (if locked, collect any available passwords, PIN codes, or security
unlock information), and in airplane mode until it is in the hands of an experience technician.
Step 5 – Collection and Package
WARNING – You may need to collect other forensic evidence including fingerprints, biological
samples, DNA, etc. from smart phones and mobile devices. Work with crime scene technicians
or trained forensic personnel to preserve such evidence without disturbing the integrity of the
data on the device. Be sure to advise forensic examiners in advance of submission of the possible

15
existence of hazardous material on the device.
i. Secure data and power cables
ii. Consider collecting computers that may contain device backups
iii. Package the device so it will not be physically damaged  or  deformed
iv. Package the device in evidence bags or boxes
Step 6 – Transport
i. Deliver evidence to a secure law enforcement facility or digital evidence laboratory as soon as
possible
ii. Protect from temperature extremes and moisture.

II. Frequently seized devices – Laptop and Desktop Computer Systems

Step 1 – Document the device and all collection procedures and information
i. Photograph OR Video OR Sketch
ii. Notes
iii. Chain of custody
Step 2 – Determine if the device is on or off
i. Look for lights
ii. Listen for sounds
iii. Feel for vibrations or heat
Step 3 – IfsZAW the system is off, do not turn it on
i. Disassemble
ii. Transport
Step 4 – If the system is on, proceed with CAUTION
i. Do not type, click the mouse, or explore files or directories without advanced training or expert
consultation
ii. Ask about passwords and/or encyption of the system
iii. Observe the screen, and look for any running programs that indicate access to internet-based
accounts, open files, encryption, or the presence of files or data of potential evidentiary value
iv. If you see anything on the screen that concerns you or needs to be preserved, consult with an
expert (if you don’t know who to contact, call the number on the inside cover of this manual)
v. Photograph the screen

16
vi. Once you are prepared to power down the system, pull the plug from the back of the
computer system
vii. Remove the battery from a laptop system
Step 5 – Disassemble and package the system
i. Photograph the system from all perspectives
ii. Clearly mark evidence and document chain of custody, location, and other important details
about the seized item(s)
iii. Disconnect and secure cables
iv. Check media ports and cd/dvd trays for the presence of removable media
v. Package the system, and peripheral devices, for transport using laptop bags (if applicable),
boxes, or evidence bags
Step 6 – Transport
i. Protect from temperature extremes and moisture
ii. Do not place evidence in the cruiser’s trunk
iii. Protect from electro-static discharge
iv. Package evidence so it will not be physically damaged or deformed
v. Deliver evidence to a secure law enforcement facility or digital evidence laboratory as soon as
practicable
Other commonly seized devices that may store digital evidence 
There are many other storage media and technical devices that may process and store digital
evidence.  Examples of these devices include media cards (ie. secure digital, SIM, flash, memory
sticks), thumb drives, optical media (ie. CD, DVD, and Blu-ray), digital cameras, MP3 players,
iPods, servers, surveillance systems, gaming stations (ie. Xbox, PlayStation, Wii), and GPS
devices. Each of these devices is capable of holding significant digital evidence that will help
your case. And each is handled in a separate way. Seizure of these items should be performed
with special care.   Consider working with an experienced digital evidence analyst to collect
these items.

Step 1 – Document the device and all collection procedures and information
i. Photograph OR Video OR Sketch
ii. Notes
iii. Chain of custody

17
Step 2 – Determine if the device is on or off
i. Look for lights
ii. Listen for sounds
iii. Feel for vibrations or heat
Step 3 – Ask if there are any security features enabled on the device including passwords or
encrypted file protection.
Step 4 – If the device is off, do not turn it on
i. Collect and package
ii. Transport 
Step 5 – While assessing, collecting, packaging, and transporting, follow these device-specific
rules
i. Only trained personnel should collect data from a server. If you don’t know what you are
doing, stop and call an expert. Be careful when asking for the assistance of information
technology or other personnel on-site
ii. GPS devices, MP3 players, and digital cameras should be turned off to secure data.  Be sure to
ask for any passwords or security features
iii. If available, paper evidence bags, or static-free evidence bags, are best for the storage of
media
iv. Media contained in binders or carriers should remain in the container
v. Be careful not to scratch optical media during seizure.
vi. Gaming stations should be seized in the same manner as computers
Step 6 – Collection and Package
i. Follow chain-of-custody procedures
ii. Secure data and power cables
iii. Label the evidence container(s), not the device(s)
iv. Package the device so it will not be physically damaged or deformed
v. Package the device in evidence bags or boxes
Step 7 – Transport
i. Deliver evidence to a secure law enforcement facility or digital evidence laboratory as soon as
practicable
ii. Protect from temperature extremes and moisture.

18
 5. MEANING OF CYBER/COMPUTER FORENSIC:

Forensic science is the scientific method of gathering and examining information about the past.
The word forensic comes from the Latin forēnsis, meaning "of or before the forum." In modern

19
use, the term forensics in the place of forensic science can be considered correct, as the term
forensic is effectively a synonym for legal or related to courts. 9

Computer forensics is the practice of collecting, analysing and reporting on digital data in
a way that is legally admissible. It can be used in the detection and prevention of crime and in
any dispute where evidence is stored digitally. Computer forensics follows a similar process to
other forensic disciplines, and faces similar issues.10

This guide discusses computer forensics from a neutral perspective. It is not linked to
particular legislation or intended to promote a particular company or product, and is not written
in bias of either law enforcement or commercial computer forensics. The guide is aimed at a
non-technical audience and provides a high-level view of computer forensics. Although the term
“computer” is used, the concepts apply to any device capable of storing digital information.

My simple definition of computer forensics is, “The employment of a set of predefined

procedures to thoroughly examine a computer system using software and tools to extract and
preserve evidence of criminal activity.” Judd Robbins, a computer forensics investigator, defines
computer forensics as “Simply the application of computer investigation and analysis techniques
in the interest of determining potential legal evidence.”1 New Technologies Inc. expands on
Robbins’ definition. “Computer Forensics involves the preservation, identification, extraction
and documentation of computer evidence stored in the form of magnetically encoded information
(data).”11

6. TYPES OF CYBER CRIME CASES

A. AGAINST INDIVIDUAL
i. Drug trafficking

9
Recovering and examining computer forensic investigation, Oct 2000
10
https://forensiccontrol.com/resources/beginners-guide-computer-forensics/
11
www. forensics-intl.com/ forensic.html

20
 Drug traffickers are increasingly taking advantage of the Internet to sell illegal
substances through encrypted e-mail. Some drug traffickers arrange deals at
internet cafes, use courier Web sites to track illegal packages of pills, and
exchange recipes for amphetamines in restricted-access chat rooms. The increase
in Internet drug trades could also be attributed to the lack of face-to-face
communication. Such virtual exchanges allow more intimidated individuals to
more comfortably purchase illegal drugs. The sketchy effects that are associated
with drug trades are severely minimized and the filtering process that comes with
physical interaction fades away.
ii. Offensive content & Harassment
The content in websites and other electronic communications may be distasteful,
obscene or offensive for a variety of reasons. In some cases these communications
may be illegal. Around 25 jurisdictions place limits on certain speech and ban
racist, blasphemous, politically subversive, libelous or slanderous, seditious, or
inflammatory material that tends to incite hate crimes. The extent of these
unlawful communications varies greatly between countries, and even within
nations. It is a sensitive case in which the courts can become involved in
arbitrating between groups with strong beliefs. One part of Internet pornography
that has been the target of the strongest efforts at curtailment is child
pornography. Whereas the content may be offensive in a non-specific way,
harassment directs obscenities and derogatory comments at specific individuals
focusing for example on gender, race, religion, nationality, sexual orientation.
This often occurs in chat rooms, through newsgroups, and by sending hate e-mail
to interested parties. Any comment that may be found disrespectful or offensive is
considered harassment. 
More examples are as follows:
a. Pastering via e-mails
b. Cyber Stalking
c. Distribution of obscene material
d. Insult
e. Illegal control over computer system

21
 f. Offensive exposure
g. Email spoofing
h. Cheating and fraud

B. AGAINST INDIVIDUAL PROPERTY

i. Electronic Funds Transfer Fraud

Electronic funds transfer systems have begun to increase, and so has the risk
that such transactions may be taken into hold and diverted. Valid credit card
numbers can be easily intercepted electronically, as well as physically; the
digital information stored on a card can be recreated. In 1994, a Russian
hacker, Vladimir Levin, operating from St Petersburg, retrieved the computers
of Citibank's central wire transfer department, and transferred funds from
large corporate accounts to other accounts which had been opened by his
subordinates in The United States. The above form of computer-related crime
is not inevitably mutually exclusive, and need not occur in isolation. One robs
telecommunications services and uses them for aimed vandalism, fraud, or in
furtherance of a criminal conspiracy. Computer related crime may be
intensive in nature, combining two or more of the general forms.
ii. Dissemination of Offensive Materials
Content considered by some people to be objectionable abundantly exists in
cyberspace. This includes, among much else, sexually explicit materials, racist
propaganda, and instructions for the fabrication of inflammatory and
explosive devices. Telecommunications systems can also be used for
harassing, threatening or invasive communications, from the traditional
obscene telephone call to its contemporary manifestation in "cyber-stalking",
in which persistent messages are sent to an unwilling recipient. In one case, a
man allegedly stole nude photographs of his former girlfriend and her new
boyfriend and posted them on the Internet, along with her name, address and
telephone number. The unfortunate couple, received phone calls and e-mails
from strangers as far away as Denmark who said they had seen the photos on

22
 the Internet. Investigations also revealed that the surmise was maintaining
records about the woman's movements and compiling information about her
family. Computer networks may also be used in advancement of extortion. In
England, financial institutions were reported to have paid portentous amounts
to sophisticated computer criminals who threatened to wipe out computer
systems. An article ingeminated four incidents between 1993 and 1995 in
which a total of 42.5 million Pounds Sterling were paid by senior executives
of the organizations concerned, who were convinced of the extortionists
capacity to crash their computer systems.
iii. More examples are
a. pestering via e-mails
b. Cyber- Stalking
c. Distribution of obscene material
d. Insult
e. Illegal control over computer system
f. Offensive exposure
g. Email spoofing
h. Cheating and Fraud

C. AGAINST SOCIETY
i. Cyber Bulling and Cyber stalking
Cyber-bullying is the harmful use of the Internet and related technologies to
harm other people, in a deliberate, repeated, and hostile manner. As it has
become more often in society, particularly among young people, legislation
and awareness campaigns have arisen to combat it. Cyber-bullying has
subsequently been defined as "when the Internet, cell phones or other devices
are used to send or post text or images for a particular purpose to hurt or
embarrass another person". Cyber-bullying can be as simple as continuing to
send e-mail to someone who has said they want no further contact with the
sender, but it may also include threats, sexual remarks, pejorative labels ,

23
 ganging up on victims by making them the subject of ridicule in forums, and
posting false statements as fact aimed at humiliation.
Cyber-stalking is the use of the Internet or other electronic means to stalk
an individual, a group of individuals, or an organization. It may include false
accusations, making threats, identity theft, and damage to data or equipment,
the solicitation of minors for sex, or gathering information in order to harass.
The definition of "harassment" must meet the criterion that a reasonable
person, in possession of similar information, would regard it as sufficient to
cause another reasonable person distress. Cyber stalking is different from
spatial stalking. However, it sometimes leads to it, or is accompanied by it.
ii.Cyber Bulling vs Cyber stalking
The practice of cyber bullying is not limited to children, while the behavior is
identified by the same definition in adults; the distinction in age groups is
sometimes referred to as cyber stalking or cyber harassment when perpetrated
by adults toward adults, sometimes directed on the basis of sex. Common
tricks used by cyber stalkers are to vandalize a search engine or encyclopedia,
to threaten a victim's earnings, employment, reputation, or safety. Repetition
of such actions against a target by an adult constitutes cyber stalking.
More examples are
a. Porniography
b. Polluting the youth through coarse exposure
c. Trafficking
d. Monetary crime
e. Sale of illegal articles
f. Online betting/gambling
g. Forgery

D. Against Private Organizations

i. Theft telecommunication services
The "phone preachers" of three decades ago set a precedent for what has
become a major criminal industry today. By gaining access to an

24
 organization’s telephone switchboard (PBX) individuals or criminal
organizations can obtain access to dial-in/dial-out circuits and then make their
own calls or sell call time to third parties. Offenders may gain access to the
switchboard by impersonating a technician, by fraudulently obtaining an
employee's access code, or by using hack software available on the internet.
Few sophisticated offenders loop between PBX systems to evade detection.
Other forms of service theft include capturing "calling card" details and on-
selling calls charged to the calling card account, and counterfeiting or illicit
reprogramming of stored value telephone cards. It has been suggested that as
long ago as 1990, security failures at one of the major telecommunications
carrier cost approximately £290 million, and that more recently, up to 5% of
total industry turnover has been lost to fraud. Costs to individual subscribers
may also be significant. It has been recorded in one case, in the United States;
computer hackers had illegally obtained access to Scotland Yard's telephone
network and made £620,000 worth of international calls for which Scotland
Yard was responsible.
ii.Telecommunication Piracy
Digital technology permits perfect reproduction and has simplified the
dissemination of print, graphics, sound, and multimedia combinations. The
temptation to reproduce copyrighted material for personal purpose, for sale at
a lower price, or indeed, for free distribution, has proven irresistible to many.
This piracy has caused considerable concern to owners of copyrighted
material. The Software Publishers Association has computed that
approximately $7.4 billion worth of software was lost to piracy in 1993 with
$2 billion of that being stolen from the Internet. It was found that, a copy of
the most recent James Bond Film “The World is not enough” was available
free on the internet before its official release. When creators of a work, are
unable to profit from their creations, there can be a chilling effect on creative
effort generally, in addition to financial loss.
iii. More examples are
a. Unauthorized control/access over computer system

25
 b. Ownership of non permitted information
c. Distribution of pirated software etc.

E. AGAINST GOVERNMENT/ NATION

i. Electronic Vandalism and extortion

As never before, western industrialized society is interdependent upon
complex data processing and telecommunications systems. Any damage to, or
interference with, any of these systems can lead to harmful consequences.
Whether incited by curiosity or vindictiveness electronic intruders cause
disoblige at best, and have the potential for inflicting massive harm. While
this potential has yet to be cognized, a number of individuals and protest
groups have hacked the official web pages of various governmental and
commercial organizations. Defense planners around the world are
considerably investing in information warfare-- means of interrupting the
information technology infrastructure of defense systems. Attempts were
made to interrupt the computer systems of the Sri Lankan Government and of
the North Atlantic Treaty Organization at the time of 1999 bombing of
Belgrade. Recently, an extortionist in Eastern Europe acquired the credit card
details of customers of a North American based on-line music retailer, and
published some on the Internet when the retailer refused to accept of his
demand.
ii. Cyber Warfare and terrorism
Government officials and Information Technology refuge specialists have
acknowledged a significant rise in Internet problems and server scans since
early 2001. But there is a growing apprehension among central officials that
such intrusions are part of a well thought-out effort by cyber terrorists, foreign
intelligence services, or other groups to map potential security holes in critical
systems. A cyber terrorist is someone who intimidates or coerces a
government or organization to continue his or her political or social objectives
by introducing computer-based attack against computers, network, and the

26
 information stored on them. Cyber terrorism in general, may be defined as an
act of terrorism which has taken place through the use of cyberspace or
computer resources. For example, a simple misinformation in the Internet, that
there will be bomb attacks during the holidays can be considered as cyber
terrorism. As well there are also hacking activities intended towards
individuals, families, organized by groups within networks, tending to cause
terror among people, demonstrate power, collecting appropriate information
for ruining peoples' lives, robberies, blackmailing etc. Cyber extortion is a
type of cyber terrorism in which a website, e-mail server, or computer system
is subjected to repetitive rejection of service or other attacks by wicked
hackers, who demand money in return for promising to stop the attacks.
Fearing that such attacks may become the custom in future warfare among
nation-states, the concept of cyberspace operations impacts and will be
adapted by war fighting military commanders in the future me out of the
domain. Perpetrators characteristically use a scattered denial-of-service attack.

27
7.HACKING
Hacking means an illegal interference into a computer network or our personal email id. The
intention can range from financial gains such as stealing credit card information, transferring
money from various bank accounts to their own account followed by withdrawal of money. It
could also be for revenge or a desire to access illegal information. Thus if anyone secures access
to a computer without the consent of the owner shall be legally responsible to pay compensation
of 1 crore rupees under Information Technology Act ,2000.

I. TYPES OF HACKING:
A. SPOOFING
Spoofing refers to an online process which involves sending an e-mail using a
fake name or e-mail id so as to make it appear that the e-mail has come from
someone else other than the real person who has done it.
Spoofing is done simply faking an identity, such as username.
Spoofing can take place in the net in many ways. One common way  is by e-
mail. E-mail spoofing involves sending messages using a fake e-mail id or
faking the e-mail address of other user. Second way of spoofing takes place in
the Internet through IP spoofing.This involves masking the IP address of a
computer system. By hiding(or) faking a system’s IP address, it is difficult for
other systems to find out where the system to find out where the system is
transmitting data from.
B. Phishing
By means of e-mail messages which completely resembles the original mail
messages of consumers, hackers can ask for confirmation of certain
information, like account information or passwords etc.
Here consumer might not know the fact that the e-mail messages are
deceiving and would fail to make out the originality of the messages, this
results in huge financial loss when the hackers use that information for
deceitful acts like withdrawing money from consumers account without their
knowledge.

28
 Phone Phishing – It is done by use of in-voice messages by the hackers where
the consumers are asked to tell their account identification, and passwords to
file a complaint for any problems concerning their bank accounts etc.
C. Computer Viruses and Trojan Horses:
Viruses are used by Hackers to infect the user’s PC and destroy the data saved
in the system using “payload” in viruses which carries damaging code. Trojan
horses, which are attached to other codes, are the main cause of all illegal
access. When a anyone downloads and installs a Trojan horse, the hacked
software kicks off a virus, password detector, or remote-control switch that
gives the hacker a regulation of the PC.
D. Credit Card Fraud
This kind of deceit  results in Enormous loss to the victim. This is done by
means of publishing bogus digital signatures.
Many people lose their credit cards on the way of delivery to the recipient or
its damaged or defective, misrepresented, etc. Banks and other financial
institutions are vulnerable to the revolutionary groups to use their sensitive
information resulting in  serious loss. There are different ways used by
hackers to gain illegal access to the systems despite using viruses like Trojans
and worms etc.
E. Internet Pharming
Here hacker aims at redirecting the website used by the client to another fake
website by hijacking the user’s DNS server and altering his I.P address to
bogus website by manipulating the DNS server. This redirects user’s original
website to a false  deceptive website to achieve illegal information.

8. THE CAUSES AND CRIMINALS

  The concept of law has said that 'Human Beings are Vulnerable so rule of law is
required to protect them. Applying this to Cyberspace, we may say that computers are
vulnerable and so rule of law is required to protect and safeguard them against the Cyber

29
 crime. There are many reasons why cyber-criminals commit cyber-crime, chief among
them are these three listed below: 

a. Passion of youngsters
Cyber crimes can be committed for the sake of recognition.  This is basically committed
by youngsters who want to be noticed and feel among the group of the big and tough
guys in the society.  They do not mean to hurt anyone in particular; they fall into the
category of the idealists; who just want to be in spotlight.
b. Desire of Making quick Money
Another cause of cyber-crime is to make quick money.  This group is greed motivated
and is career criminals, who tamper with data on the net or system especially, e-
commerce, e-banking data information with the sole aim of committing fraud and
swindling money off unsuspecting customers.
c. Misconception of Fighting a just cause
Thirdly, cyber-crime can be committed to fight a cause one thinks he believes in; to cause
threat and most often damages that affect the recipients adversely.  This is the most
dangerous of all the causes of cyber-crime.  Those involve believe that they are fighting a
just cause and so do not mind who or what they destroy in their quest to get their goals
achieved. These are the cyber-terrorists.
d. Capacity to store data in comparatively small space:
The computer has unique characteristic of storing data in a very small space. This affords
to remove or derive information either through physical or virtual medium makes it much
easily.
e. Confidential information is online:
Confidential data from security firms, scientific databases, financial institutes and even
governmental organizations is stored online and on networks. This allows cyber criminals
to initiate unauthorized access and use it for their own needs. Complex technology can be
manipulated and firewalls can be bypassed, allowing criminals to gain access to security
codes, bank accounts and other information.
f. Negligence:
Sometimes simple negligence can give rise to criminal activities, such as saving a
password on an official computer, using official data in a public place and even storing

30
 data without protecting it. The cyber criminal can take advantage of such negligence and
use it to obtain, manipulate and forge information.Negligence is very  closely connected
with human conduct. It is therefore very probable that while protecting the computer
system there might be any negligence, which in turn provides a Cyber Criminal to gain
access and control over the computer system.
g. Complexity in Understanding:
The computers work on operating systems and these operating systems in turn are
composed of millions of codes. Human mind is fallible and it is not possible that there
might not be a lapse at any stage. The cyber criminals take advantage of these lacunas
and penetrate into the computer system.
h. Loopholes in system:
Operating systems have complex codes that can be decoded or manipulated to gain
access to the system. There are always loopholes in security that a professional cyber
criminal can find and hack into. The traditional bank robber researched the security
system and took advantage of it; a cyber thief is not much different, expect he can breach
security virtually.
i. New Form of Crime:
There are so many modes of criminal activity on the Net that the traditional policing
methods and the laws that bind criminals at times lose jurisdiction in cyber crime cases.
This is why there are so many crimes being committed online.
j. Accessibility to Victims:
The amount of people online allow criminals to target their victims without being
physically present. Police find it impossible to implicate people when the trail is online.
Child pornography, pedophiles who bait their victim's online; rapists who meet their
targets through online social networks and hackers who gather information and use it to
their own criminal ends without ever being a part of the network are just a handful of
criminal examples.
k. Inaccessibility to Criminals
The problem encountered in guarding a computer system from unauthorized access is that
there is every possibility of breach not due to human error but due to the complex
technology. By secretly implanted logic bomb, key loggers that can steal access codes,

31
 advanced voice recorders; retina imagers etc. that can fool biometric systems and even
bypass firewalls can also be utilized to get past many a security system. Though
technology is improving there is a long way to go before cyber criminals can be policed
vigilantly.
l. Lack of Evidence
One cause of increasing cyber crime is the lack of evidence to bind the criminal by law.
There are so many ways to hide the trail of a cyber crime and little to actually police the
criminal. Consider a pedophile who baits his victim through email or social networks.
The police can trace the information to the criminal, but unless solid physical evidence is
found, the trail cannot be used in a court of law. Loss of evidence is a very common &
obvious problem as all the data are routinely destroyed. Further collection of data outside
the territorial extent also paralyses this system of Crime Investigation.
m. Drawbacks in judiciary system

Large number of vacancies in trial courts,Unwillingness of lawyers to become

judges,Failure of the apex judiciary in filling vacant HC judges posts.Judiciary
corruptionThis delays the decision making and punishment and might also lead to wrong
decisions. This encourages other criminals to be casual and fearless.

9. TYPES OF CRIMINALS
a. Children and youngsters between the age group of 6 – 18 years 
The reason for this type of criminal actions in children is seen chiefly because of the
curiosity to know and discover the stuff.  Other similar reason may be to show
themselves to be wonderful in the midst of other kids in their group. Further the
reasons may be emotional or psychological too.
b. Structured hackers:

32
 These kinds of hackers are mostly structured mutually to execute certain goal. The
reason may be to fulfil their fundamentalism, political prejudice, etc. The Pakistanis
are believed to be one of the best class hackers on the globe. They chiefly target the
Indian government sites with the intention to accomplish their political aims.
c. Expert hackers/ crackers:
Their labor is provoked by the colour of money. These kinds of hackers are mostly in
a job to hack the site of the rivals and get possible, consistent and precious
information. Moreover they are even engaged to crack the system of the boss in
essence as a measure to make it safer by noticing the dodges.
d. Dissatisfied employees:
This group comprise those persons who have been either bagged by their boss or are
disappointed with their boss. To punish, they usually hack the system of their
employer.

10. WAYS OF PERPETRATION

The Modes & mannerism of committing crime:
a. Computer crimes
Viruses are programs that affix themselves to a computer or a file and then
flow themselves to other files and also to other computers on a network. They
typically influence the data on a computer, either by changing or deleting it.

33
 Worms on the other hand do not interfere with data. They simply multiply
until they fill all available space on the computer.
b. Malware
Also known as malicious software. It's a software that is used to achieve
awful things by corrupting peoples' private data. It steals data like
passwords, etc. and sends them to the creator of malware and these data
are used by him to threaten or steal computer based items for personal use.
c. Trojan Attacks:
Trojan attacks occur from Trojan Horse. A Trojan Horse is a unauthorized
program which gains control over another system by presenting itself as a
authorized program. Most of them come through e-mails
d. Cyber stalking and bullying:
It is the use of computer and internet to harass people. It includes blaming
innocent people, gaining personal data etc. It is generally done to popular
people by hackers to get revenge of for playful reasons. It affects people a
lot socially. It also in involves blackmailing, troubling and worrying the
victim.
e. Fraud:
Fraud is an act by a person or group of people for personal gain of money
by deceiving a business. In cyber crime fraud is creating fake websites of
original websites for gaining IDs and passwords to get money illegally.
Examples: Bank fraud, Fake billing, Identity theft etc.
f. Unauthorised access ( cracking)
It is also known as Cracking. This is done by either fake IDs or by
cracking the password (i.e. guessing). People gain access to other people’s
accounts by unofficial means.
g. Theft of information contained in electronic form:
This includes tampering of information and data of an individual by
gaining access into their hard disk and changing or deleting their work.
h. Internet time theft:

34
 This denotes the usage of ‘Internet time’ paid for by someone else, by an
unauthorized person. This is done by achieving entrée to the login ID and
password.
i. The Salami Attack:
It is used to commit financial crimes. In this type of crime small
alterations are done by people on transactions to gain money without
getting noticed.
j. Email Bombing:
It is sending a large number of junk or useless mails to a person or a
company which leads to crashing of the computers.
k. E-mail Spoofing:
It is changing the email header and other parts of the sender’s address to
make it appear as it is from another location or source.
l. Web jacking:
In this type of crime a hacker gains access and control over a website and
alters, changes or deletes information on the website.
m. Logic Bombs:
These are programs similar to real bombs which have a trigger. These are
used to threaten companies for gaining money. They completely delete
everything present on the computer system on which they act on. Once
triggered, nothing can stop them.
They are also called event dependent programs.
n. Data Diddling:
It is a kind of attack which involves altering data before it is processed by
the computer so that incorrect results are obtained.
o. Denail or Distribution denial of service attack:
In this type of crime the victim’s computer is overloaded with requests
than it can handle leading the computer system to crash. In distributed
denial of service attack the perpetrators are more than one and far away
from each other. It is very difficult to control such attacks.
p. Intellectual property crime:

35
 This crime includes unauthorized copying and distribution of original
software. Pirating of games, movies etc are examples.

11.CONSEQUENCES OF CRIME
a. Loss of Revenue:
One of the main consequences of cyber crime on a company is a loss of
revenue/income. This loss may be caused by an outside person who
acquires sensitive financial information, using it to extract funds from an
organization. It can also come about when a business's e-commerce site
becomes compromised--while terminal, expensive income is lost when
consumers are unable to utilize the site.

36
 b. Wasted Time:
Another major consequence of cyber crime is the time that is wasted when
Information Technology personnel must dedicate maximum part of their
day handling such incidences. Rather than working on productive and
creative measures for an organization, many Information
Technology staff members spend a great percentage of their time handling
security breaches and other problems related with cyber crime.
c. Damaged Reputation:
In situations where customer records are compromised by a security
contravene associated with cyber crime, a company's reputation can take a
major batter. Customers whose credit cards or other monetary data
become grabbed by hackers or other infiltrators drop assurance in an
organization and often begin taking their business elsewhere.
d. Reduced Productivity:
Due to the safety measures that many companies must implement to
neutralize cyber crime, there is often a pessimistic effect on employees'
efficiency. This is because, due to many security reasons, employees must
enter more passwords and execute other time-consuming acts in order to
do their jobs. Every second wasted executing these acts is a second not
spent working in a effective manner.
e. Influence of Cyber Terrorism:
Cyber-terrorism can have a serious large-scale influence on significant
numbers of people. It can weaken countries' economy greatly, thereby
stripping their of its resources and making it more vulnerable to military
attack.
Cyber-terror also affect internet-based businesses. Like brick and mortar
retailers and service providers, most websites that produce income
(whether by advertising, monetary exchange for goods or paid services)
could stand to lose money in the event of downtime created by cyber
criminals.

37
 As internet-businesses have increasing economic importance to countries,
what is normally cybercrime becomes more political and therefore "terror"
related.
f. Impact on Government and society:
Cyber crime has been increasing its convolution and financial expenses
since corporations have began to use computers in the course of doing
business.
As technology increases between governments that are caught up in
international business, criminals have realized that this is a cost efficient
method of making money.
This investigation and testing manual is meant to provide as a basic model
on the lessons learned to set up governments, and their prosecutors, for
combating cyber crime. To research deeply into computer technology
requires both long learning and technical expertise. Therefore, as in most
of the crimes that are technological in nature, or have technical aspects to
them, such as bank hoax or murder investigations that necessitate the
analysis of blood and spatter techniques, gun-shots that require extensive
ballistics investigation, experts are advisable for use as an aid in directing
your investigations, to act as a special aide in preparing for trial, and as an
expert to testify in that trial.
 However, experts are not absolutely required, principally in identifying
basic components that make up a cyber crime, and on how to show the
elements of that case. All of us know that computer crimes can run from
the simple to the mega sophisticated. This does not mean they are not
solvable, and understandable to the judiciary throughout any trial. The
complication in these crimes should not be feared. All that is required is
for you to comprehend the basic concepts explained in this manual, follow
its simple set of laws and use the facts you have acquired. You will then
be able to effectively investigate, organize and put on any case.

38
 12. DETECTION
To be know is that, Detection and response expansion and exploitation of
European Information Sharing and Alert System, reaching out to populace
and Small and Medium Enterprises (SME) and being based on national
and private sector information and alert sharing systems.

39
 It is well said that, a stitch in time saves nine! Detecting the crime in right
time and responding to it the most appropriate way is very crucial part in
combating the cyber crime.

I. DETECTION OF CRIME:

Regrettably, there is no cut-and-dried way for detecting cyber-crime. Today, a

large number of cybercrimes are detected by chance. However, recent
experience has shown some more or less informal methods by which an
individual can detect cyber-crime.

a. Reviewing:
Audit the system frequently. Be attentive to any irregularities in the
system. As of now, it is generally the uncertainties of employees or
managers that lead to the capturing of a perpetrator. Most of the computer
crimes do not draw from from distant "hackers," but normally comes from
employees or people the operator knows. Most computer crimes are done
by employees working on large network systems in organizations
managing a lot of computerized cash. Apparently, banks, large firms,
government offices and universities are susceptible, and, known the size of
the organizations, it can take months to detect with any certainty.
b. Checking Mistake:
Check for mistakes. Many authorities claim that cyber criminals can get
too gluttonous and begin to get careless. Employees who are aware of this
crime often get nervous and turn the perpetrator in. These similarities have
been seen to happen with family members of the cyber-criminal too. The
probability of this working are greater if employees know clearly that
cyber-crime will result in full prosecution.
c. Email Inspection:

40
 Some types of cyber crime, such as cyber-stalking or cyber defamation,
are carried out by email and can be detected and tracked by investigating
the email header. The email header is info that travels with every mail,
including the Internet Protocol (IP) address of the dispatcher and the date
and time at which the message was sent. Using this information, law
enforcement agency officials get hold of the address and telephone
number of the sender from the internet service provider.
d. Network Intrusion Detection Systems:
Cyber crime, such as network intrusion -- where a cyber criminal breaks
into a computer network for changing or stealing sensitive data -- are more
difficult to detect and track. Organizations utilize network intrusion
detection systems, which unreceptively supervise the traffic on their
networks for irregular activity, but skilled cyber criminals can avoid
detection by manipulating the traffic stream such that detection systems do
not see tell-tale interference patterns, or signatures.
e. Using Government:
Make full use of government agencies to help detect cyber crime. It
happens frequently that audits by the IRS or investigations by police turn
up the continuation of cybercrime that had gone undetected for a long
while. Things like inventory shortages and abnormalities in the allotment
of income within the organization can be signals that crime is being
committed over the network. Nonetheless, it is generally hunches that
reveal computer crime, when it is detected.

13. FORENSIC PROCESS:

a. The first stage of the forensic process is to acquire a forensic duplicate of the media or
intelligence often using a device which will prevent any alteration of the original. Both

41
 the original and the duplicate are "hashed" and the values are then analyzed to ensure the
replicas are accurate and exact.
b. Once the investigator has acquired evidentiary material they will need to begin analysis
using many techniques and devices. Evidence may be apparent but may have gaps in
which the forensic detectives must fill by using their forensic processes. The procedure
may involve the use of conducting keyword searches within files or slack space (the
unused space in a disk cluster), recovering deleted files and withdrawing registry
information such as user accounts or attached USB devices. The evidence is then used for
reconstruction purposes and then finally put into a written report.12

I. APPLICATION

Computer forensics is most commonly known in criminal law but also has applications in
private investigation and corporate investigation. Outside of the criminal realm, computer
forensics might commonly be used to ensue unauthorized network intrusions or identify a
network attack or hacker.13

The primary focus of computer forensics is to recover evidence of criminal activity. The
legal term is: Actus reus in legal parlance. There is an assortment of data within digital
devices that is beneficial to other areas of inquiry.

a. Attribution: Meta Data can be used to incriminate specific actions to an individual.

b. Alibis and Statements: Information provided may be checked with digital evidence
such as mobile phone statements for date and time stam0070 proofing.
c. Intent: Objective evidence is data that can be used to prove mens rea (intent) if the
internet history y shows incriminating evidence such as search terms: How to poison
with arsenic, or How to kill people.
d. Evaluation of Source: File artifacts and meta data can be used to determine where
the data was generated. It identifies whether or not the file was designed on the
computer being evaluated or if it came from another source. The problem with source
evaluation is that you can affect the file dates by simply changing computer clock

12
http://hubpages.com/politics/Uses-of-Computer-Forensics
13
ibid

42
 times. This has been highly debated in trial. Fortunately, it's not a strong enough
argument to suspend evidence in nearly all cases.

II. TYPES OF FORENSIC DATA:

Different types of investigations are needed in different cases. For example, investigators
use different techniques to solve arson, murder and kidnapping. In various cases,
investigators must be able to find and analyze evidence, locate suspects and identify
victims. Training in proper investigative procedures and access to tools and resources can
help an investigator close a case successfully.

NIJ is interested in enhancing the forensic aspects of investigations, making awards to

fund the creation and maintenance of investigative resources such as investigation
manuals, missing persons databases, and training courses. NIJ has funded research and
development in several areas relevant to investigations, including evidence preservation,
fire dynamics and tools for evidence identification. NIJ also offers assistance to state and
local agencies to identify, review and investigate cold cases that have the potential to be
solved through DNA analysis.
 Active Data is the information that we can see such as files, programs and anything that
would be used by the operating system. It is the easiest type of information to obtain.

 Archival Data is data that has been backed up and stored on CDs, disks, back-up tapes or
entire hard drives. This information requires a bit more work and know-how to retrieve.

 Latent Data is the material that requires specialized equipment to access such as information
that has been deleted or partially overwritten. Latent data is the most difficult and time
consuming type of information to collect.

 When collecting data for forensic purposes it is important that devices are collected and
information is harvested as early as possible in order to prevent information from degraded
or being destroyed

III. USES OF COMPUTER FORENSIC:

43
 Computer forensics deals with the gathering, analysing and preserving of evidence that
may be contained in any computing device mainly in preparation for presentation in a court of
law. The uses of computer forensics vary depending on the application. Computer forensics is
widely used by law enforcement agents in gathering evidence. Corporate entities use computer
forensics to evaluate the usage of computer resources in office environments. This technique
may also be used to analyse the security of computer resources. Uses of computer forensics also
extend to domestic applications in investigating infidelity.14

Computer forensics is a field of study concerned with the digital extraction and analysis
of latent information. While a relatively new science, computer forensics has gained a reputation
for being able to uncover evidence that would not have been recoverable otherwise, such as
emails, text messages and document access. Although many people do not realize it, their
computers are recording every keystroke, file access, website, email or password. While this
does present a threat from "hackers," it is this latent information that is being used in an
increasing number of ways.15

A. CRIMINAL

 Computer forensics is popularly used in criminal cases. Computer forensics analysis may
provide evidence that a crime has been committed, whether that crime involved computers
directly or not. Evidence may be in the form of a document, an email, an instant message, a chat
room or a photograph. This is seen frequently in narcotics cases, stalking, sexual harassment,
sexual exploitation, extortion, kidnapping and even murder cases.

B. DOMESTIC

 Computer forensics also frequently plays a role in domestic cases and is generally centered on
proof of infidelity. Examples include recovered emails, chat room transcripts, instant messaging
and photographs.

C. SECURITY

14
https://www.private-investigators-uk.com/pcemail-forensics/uses-computer-forensics/
15
http://www.ehow.com/about_5549900_uses-computer-forensics.html

44
 The Center for Computer Forensics reports that 92 percent of all business documents and records
are stored digitally and that although hackers are commonly seen as a threat to security, in reality
greater risks are found within a company. Examples include theft of intellectual property (such
as customer lists, new designs, company financials or trade secrets) and embezzlement. The fact
is that if a person is alone with a computer for less than five minutes, it is enough time to copy a
hard drive on a removable storage device.

D. INTERNAL

 There are many uses of computer forensics that exist within companies to monitor computer
usage. While what is being monitored may not be illegal itself, it is tracked because doing so is
"illegal" within the confines of the company. For example, many companies have "acceptable
use policies," meaning policies prohibiting personal use of the computers. Common examples of
acceptable use violations include online shopping, Internet surfing, online gambling, personal
emails and instant messaging or chats.

E. MARKETING

 Computer forensics is also used in marketing. Examples of this can be seen on Amazon.com
when recommendations are provided, or "Just for you" from the iTunes Store. When a person
visits a website, a memory of that website is placed in the computer's memory. Each site has
different meta-tags embedded in it; meta-tags are one or two word descriptions of the site
content. The advertisements that person experiences are tailored to the meta-tags of the sites
visited, similar to a target demographic

F. USES OF COMPUTER FORENSICS AT HOME

As listed above computer forensics can be used at home when conducting various investigations.
As computers have widespread use in domestic applications. You can use your PC to surf the
internet, send emails and instant messages and even record videos. In investigations revolving
around infidelity this data in the computer can be very helpful. Private investigators can dig
through the information contained in a PC applying computer forensics techniques to discover
hidden or deleted messages, videos and pictures. Available forensic tools can be used to
reconstruct deleted partitions in computer hard drives in detail and thus create viable evidence.

45
 G. USES OF COMPUTER FORENSICS IN THE CORPORATE WORLD

Companies rely on computers and computer networks to manage, communicate and store vital
information. Computers are widely used in offices as most organisational processes are
computerised. Employees may access restricted information such as patents, trade secrets and
other valuable information. Computer forensics can also be used to investigate any unrestricted
use of computers and computer resources at the work place. Private investigators use computer
forensics to track unauthorized use of resources e.g. chatting during work hours. This can be
used to pin point any wastages. Corporate sabotage in terms of theft of important and valuable
information can be investigated by analysing access records in computers.

14. ROLE OF COMPUTER FORENSICS

A. ROLE OF COMPUTER FORENSICS IN CRIMINAL INVESTIGATION

46
Computer forensics integrates the fields of computer science and law to investigate crime. For
digital evidence to be legally admissible in court, investigators must follow proper legal
procedures when recovering and analyzing data from computer systems. Unfortunately, laws
written before the era of computer forensics are often outdated and cannot adequately assess the
techniques used in a computer system search. The inability of the law to keep pace with
technological advancements may ultimately limit the use of computer forensics evidence in
court. Privacy advocates are growing especially concerned that computer searches may be a
breach of a suspect’s human rights. Furthermore, as methods for encryption and anonymity grow
more advanced, technology may be abused by helping criminals hide their actions. Ultimately,
the role of technology in computer forensics may not reach its full potential due to legal
boundaries and potential malicious intentions.

Computer forensics has been indispensable in the conviction of many well-known criminals,
including terrorists, sexual predators, and murderers. Terrorist organizations may use the Internet
to recruit members, and sexual predators may use social networking sites to stalk potential
victims. However, most criminals fail to cover their tracks when using technology to implement
their crimes. They fail to realize that computer files and data remain on their hard drive even
when deleted, allowing investigators to track their criminal activity. Even if criminals delete their
incriminating files, the data remains in a binary format due to “data remanence” or the residual
representation of data. File deletion merely renames the file and hides it from the user; the
original file can still be recovered.

Eventually, data may be overwritten and lost due to the volatile nature of memory, a storage area
for used data. A random access memory chip (RAM) retrieves data from memory to help
programs to run more efficiently. However, each time a computer is switched on, the RAM loses
some of its stored data. Therefore, RAM is referred to as volatile memory, while data preserved
in a hard drive is known as persistent memory. The RAM is constantly swapping seldom used
data to the hard drive to open up space in memory for newer data. Over time, though, the
contents in the swap file may also be overwritten. Thus, investigators may lose more evidence
the longer they wait since computer data does not persist indefinitely. Fortunately, computer
scientists have engineered equipment that can copy the computer’s contents without turning on
the machine. The contents can then be safely used by lawyers and detectives for analysis.

47
Global Position System (GPS) software embedded in smartphones and satellite navigation
(satnav) systems can also aid prosecutors by tracking the whereabouts of a suspect. Since
companies that develop software for computer forensics also develop products for satellite
navigators, they are well-equipped with the tools and technology necessary for acquiring GPS
evidence.

However, the evidence that can be recovered from GPS software is limited to only a list of
addresses. Current GPS software does not record the time when the address was archived,
whether the address was inputted by a person or automatically recorded, or whether the owner’s
intent for entering the address was associated with the crime. Despite these limitations, GPS
evidence has still been crucial to the success of many prosecutions. In one famous example, four
armed suspects accused of robbing a bank in the United Kingdom were convicted because each
suspect owned a vehicle whose satnav held incriminating evidence, including the bank’s address
and the addresses of the other three suspects. The Scottish National High-Tech Crime Unit
searched a suspect’s TomTom, a GPS device, to obtain thousands of addresses that the vehicle
passed by. Many of the addresses turned out to be the scenes of criminal offenses. In 2011, U.S.
forces successfully found the Pakistani compound where Osama bin Laden was killed by
tracking satellite phone calls made by his bodyguard.

While GPS evidence on its own may not be enough to establish a motive, GPS evidence can still
provide invaluable leads or confirm a hunch. For example, contact lists, language preferences,
and settings all may be used to establish a suspect’s identity or identify accomplices. Evidence
from GPS software and mobile devices can be a valuable supplement to other forms of evidence.

Some criminals have grown more cautious by hiding incriminating data through encryption
techniques. However, according to Andy Spruill, senior director of risk management for
Guidance Software, most criminals “don’t have the knowledge or patience to implement
[encryption software] on a continued-use basis.” The minority of criminals who do encrypt their
files may only use partial encryption. If only a few files on a hard drive are encrypted,
investigators can analyze unencrypted copies found elsewhere on the device to find the
information they are seeking. Furthermore, since most computer users tend to reuse passwords,
investigators can locate passwords in more easily decipherable formats to gain access to
protected files. Computer data are also oftentimes redundant – Microsoft Word makes copies

48
each time a document is modified so that deleting the document may not permanently remove it
from the hard drive. With so many forms of back-up, it is difficult for criminals to completely
delete incriminating computer evidence (5).

While investigators can exploit computer system glitches to obtain evidence, technological
limitations can often compromise a computer search. A common protocol for handling a mobile
device found at a crime scene is to turn the power off. Investigators want to preserve the battery
and prevent an outside source from using the remote wipe feature on the phone’s contents. When
the phone is turned off, the phone cannot receive text messages and other data that may
overwrite the evidence currently stored in the device. However, turning off the device has its
own consequences, potentially causing data to be lost and downloaded files to be corrupted (1).

To solve such problems, computer engineers have developed technology for shielding a device
from connecting to a cellular carrier’s network. Computer forensic scientists no longer need to
turn off the device to isolate it. For example, radio frequency (RF) shielded test enclosure boxes
help keep signals from entering or leaving the device. A Faraday bag, used in conjunction with
conductive mesh, can also isolate a mobile device. Using these techniques, investigators can
safely transport mobile devices to the lab while the device is turned on (1).

However, GPS software and Faraday bags are not foolproof. A cell phone isolated in a Faraday
bag may adamantly search for a signal, depleting the phone’s battery power. When searching for
a network, cell phones are also losing data (1).

According to Professor David Last of University of Bangor, Wales, errors in locating signals
may range up to 300 meters when obstructions are present. While “95 percent of [GPS]
measurements fall within 5 metres of the true position” in clear and open areas, large
geographical barriers and skyscrapers may severely block and reflect satellite signals.
Interference from solar weather may also disrupt signals. Criminals even purposely use jammers
to disrupt tracking systems. Investigators must carefully audit communications channels and
monitoring systems used in tracking systems. In doing so, they can better avoid skepticism from
the jury by being able to give a clearer and more precise estimate of the amount of error
afflicting GPS measurements. Otherwise, the defense can suppress the GPS evidence if the
measurements are significantly faulty and unreliable (3).

49
While the Fourth and Fifth Amendments were written long before the era of computers, both
concepts still apply to the practice of computer forensics. The amendments serve to protect basic
human rights by preventing unreasonable search and seizure and self-incrimination. In the case
of United States v. Finley, the defendant claimed that ”a cell phone was analogous to a closed
container,” suggesting that investigators should exercise the same restraint and caution in
searching cell phones as they would in a bag or a private home. Generally, investigators must
first obtain a search warrant, which is typically given by the court in order to obtain and preserve
evidence that can be easily destroyed (1). However, exceptions to the rule have been observed
in United States v. Ortiz; investigators legally retrieved telephone numbers of “finite memory”
from a suspect’s pager without a warrant because the contents of the pager can be easily altered
when incoming messages overwrite currently stored data. Searches without a warrant “incident
to arrest” are permissible because they help to prevent fragile data of evidentiary value from
being lost (6). They consist mostly of scanning the device’s contents using the keyboard and
menu options. More advanced searches incident to arrest may include the use of a mobile lab,
which allows for the immediate download of cellular phone data (7). However, according
to United States v. Curry, searches “incident to arrest” can only be conducted “substantially
contemporaneous with the arrest” (1). If investigators want to conduct further post-arrest forensic
analysis, proper legal authorization must first be obtained (7).
Proper legal procedures are often vague and burdensome for investigators, especially since laws
may vary from state to state. Some states may have a stricter policy regarding warrantless
searches. In United States v. Park, the court ruled that since cell phones can hold a greater
quantity of data than pagers, its contents are less likely to be lost; a warrantless cell phone search
is thus unnecessary and unjustified. Similarly, in United States v. Wall, the court decided that
“searching through information stored on a cell phone is analogous to a search of a sealed letter”
(6). Even if investigators manage to obtain a search warrant, the evidence they find may still be
suppressed if their forensic procedures fail to follow legal procedures. For example, looking
through unopened mail and unread texts or not carefully documenting the chain of custody may
constitute an improper search (1). With so many boundaries and inconsistencies in the legal
system, it is often difficult for investigators to successfully perform their jobs.
Different state and national legal systems plague computer forensics as well. When an Estonian
was charged with computer crimes in 2007, Russia refused to provide legal cooperation because

50
it had not criminalized computer crimes yet. Russia received severe Distributed Denial of
Service attacks for its lack of cooperation (8).

In addition to a faulty legal system, the accessibility of advanced technology may be afflicting
computer forensics. The North Atlantic Treaty Organization (NATO) defines cyber terrorism as
“a cyber attack using or exploiting computer or communication networks to cause sufficient
destruction to generate fear or to intimidate a society into an ideological goal” (8) As computer
systems grow more powerful, criminals may also abuse computer systems to commit crimes such
as software theft, terrorism, and sexual harassment (9). For example, stalkers can abuse the Tor
Project, an anonymizing tool for victims of cybercrimes to safely report abuses, to instead hide
their identities when they commit crimes of harassment. The technology is too advanced for the
digital trail of cybercrimes to be tracked. As encryption programs grow stronger and more
popular, forensic investigators may no longer be able to decode the hidden digital evidence.

B. ROLE OF COMPUTER FORENSICS IN LAW ENFORCEMENT

 The analysis of computer evidence are abundant today in the popular media, particularly in
television shows ranging from the Law & Order franchise to Court TV's Forensic Files. And, as
we have come to expect from television, there is a grain of truth in the oversimplification (or
gross distortion) of the facts.

Forensics, of course, is the use of science to investigate and establish facts in a criminal or civil
court. Physical evidence (e.g., tire tracks and bullets) and medical evidence (e.g., blood and
DNA) are well accepted in courts as well as the hearts and minds of the law enforcement
community and the public. Less well known — and much less well understood — is the role of
computer forensics and digital investigations.

Computer forensics is the acquisition, examination, and reporting of information found on

computers and networks that pertain to a criminal or civil investigation, although the same
processes and methods are applied to corporate and other "private" investigations. Nearly
everything that someone does on a computer or a network leaves traces — from deleted files and
registry entries to the Internet history cache and automatic Word backup files. E-mail headers
and instant messaging logs give clues as to the intermediate servers through which information

51
has traversed. Server logs provide information about every computer system accessing a Web
site.

Cyberforensics is increasing in importance for the law enforcement community for a number of
reasons, not the least of which is that computers and the Internet represent the fastest growing
technology tools used by criminals... and this trend will continue for the foreseeable future.
Cybercrimes and white collar crimes are particularly lucrative because they are generally non-
violent crimes, yield high profits (a recent report suggested that cybercrime in the U.S. yielded
more income than the illegal drug trade), have relatively low risk of capture, and, if caught and
convicted, usually result in relatively short prison sentences — judges and juries seem to have a
"romantic" view of cybercriminals as intelligent, misguided individuals rather than as the
cyberthugs that they are.

The Internet, of course, is a significant problem for legal investigations. The biggest issue is
jurisdiction. With crimes such as identity theft, Nigerian 409 (and other) scams, phishing, fraud,
and other acts enabled by the global Internet, it is now possible for a criminal in one country to
perpetrate a crime against a person in another country, all the while using servers located in a
third country. The exchange of child pornography, largely shut down in the U.S. by the postal
service, is rampant on the Internet. Luring, traveling, cyberstalking, and other child sexual
exploitation activities have been dramatically enabled because of the global reach of the Net.
And laws vary from country to country, so that a felony is one country might not even be illegal
in another.

The Internet is totally changing crime scene investigation. Due to the dynamic nature of the 'Net,
a site on the Internet used to perpetrate a crime one day may be different or absent the next day.
Access to the Internet is nearly ubiquitous in the industrialized countries so that a criminal can
gain access from a different computer at a different location every time they logon; while it may
be easy to show a particular computer was used to access a given server at a given date and time,
it may be very hard to prove whose fingers were on the keyboard. And Internet access and
storage devices are becoming smaller, cheaper, faster, and more mobile every day. Gone is the
era of securing a crime scene by throwing yellow police tape around it!

52
Computers can yield evidence of a wide range of criminal and other unlawful activities;
criminals engaged in network-based crimes are not the only ones who store information on
computers! Many criminals engaged in murder, kidnapping, sexual assault, extortion, drug
dealing, auto theft, espionage and terrorism, gun dealing, robbery/burglary, gambling, economic
crimes, confidence games, and criminal hacking (e.g., Web defacements and theft of computer
files) maintain files with incriminating evidence on their computer. Sometimes the information
on the computer is key to identifying a suspect and sometimes the computer yields the most
damning evidence.

Consider, for example, the case of a pipe bomb murder that occurred in 1998 in the sleepy town
of Fair Haven, Vermont. In this case, a 17-year old named Chris Marquis was selling CB radios
on the Internet. The problem was that he didn't actually have radios to sell and was scamming the
buyers. One of his victims was 35-year-old Chris Dean from Pierceton, Indiana, who was conned
for several hundred dollars. After realizing what had happened, Dean attempted unsuccessfully
to contact Marquis, even sending several threatening e-mails. On March 19, a pipe bomb arrived
at Marquis' house by UPS; when it exploded, it killed Marquis and badly injured his mother.
Examination of the crime scene yielded pieces of the package and the UPS shipping label that
led the FBI and local authorities to Dean. Having found the threatening e-mails from Dean on
Marquis' computer, investigators searched Dean's computer and found the e-mails there, as well,
in addition to an electronic version of the mailing label of the package containing the pipe bomb.
That information was key in convicting Dean, who is currently serving a 20-to-life sentence in
federal prison.

More recently, the examination of a single computer file provided a key piece of information in
the arrest of the BTK killer in Wichita, Kansas, in March 2005. The BTK killer's 30-year serial
murder spree was brought to an end by a mere oversight on his part. As was his habit, the BTK
killer sent a letter to a Wichita television station about his exploits, in this case via e-mail. Police
examined the file and found the first name of the author (Dennis) and the organization name
(Christ Lutheran Church) in the metadata (properties) of the document. A search of the church's
Web site showed that a Dennis Rader was the church president. Police went to the church with a
warrant to search the computers and found a floppy disk that Rader had given to the church
pastor with the agenda for an upcoming church council meeting; the disk also contained the BTK

53
letter. Up until this time, Dennis Rader's name had come up in the investigation only as part of a
list of thousands of names of students and he was never a suspect.

Computers may also contain important information for intelligence-gathering purposes.

Although the application of the Fourth Amendment is somewhat different when gathering
evidence rather than criminal or anti-terrorist intelligence, the digital investigation process and
tools are the same.

A basic level understanding of computer forensics, at the very least, is an essential knowledge
area for all law enforcement officers. Investigators need to know when information on a
computer might have a nexus to a crime, how to write an appropriate warrant to seize and search
a computer, and how to gather and search cyberevidence. Prosecutors and judges need to better
understand the role of digital evidence — and the laborious task of a proper and thorough
computer forensics exam. High technology crime task forces have already been formed in the
larger metropolitan areas where this is a particularly serious problem, but the problem is actually
far more widespread than just the big cities. Even a patrol officer who is not involved in
computer crimes needs to know what actions to take when a computer is discovered at a crime or
arrest scene.

Computer forensics and digital investigations have become an integral part of police work in the
new millennium. Computers are now as much a part of the modern law enforcement officer's
daily routine as the baton, sidearm, two-way radio, or handcuffs.

C. THE PIVOTAL ROLE OF COMPUTER FORENSICS IN TODAY’S LITIGATION

Electronically stored information (ESI) continues to take center stage in all types of litigation,
from bankruptcy to tort. Author Keenen Milner discusses the critical role computer forensics
experts play in collecting and preserving digital evidence.

Over the past decade or so, attorneys have come to realize that some of the most valuable
evidence is found not in filing cabinets but on computers and servers. The 2006 amendments to
the Federal Rules of Civil Procedure, which expressly made ESI subject to discovery, also reflect
the growing role of digital data. Even when vital evidence might appear in hard copies, many

54
attorneys have found it much more efficient and economical to scan those copies for review by
computer-based tools than to rely on manual review. But ESI can be vulnerable to alteration and
manipulation, making careful preservation essential.

15.THE ABILITY TO DIG DEEPER

With computer forensics, qualified experts can unearth evidence far beyond the textual or
numerical contents of electronic files, including the significant information found in metadata –
that is, information that describes the history, tracking, or management of an electronic file.16

Metadata comes in two forms – system and application. System metadata contains the dates a file
was modified, accessed, and created (known as the MAC dates) and also reveals when a file was
deleted or last printed and by which user. Application metadata, embedded by the application

16
" www.uscourts.gov/rules/EDiscovery

55
that created a file (Microsoft® Word, for example), can show information related to file
revisions and the last time the file was saved.

The information packed in metadata might establish timelines or knowledge, demonstrate fraud
or negligence, or suggest causation. In bankruptcy cases, for example, a computer forensics
expert can use metadata to determine all of the users who accessed or revised a debtor company's
accounting documents and financial statements. Note, however, that a file's metadata changes
every time the file is opened.

Often, though, computer forensics experts do not have the luxury of working with intact
electronic files. In these circumstances, a qualified expert can ferret out data in otherwise
inaccessible locations. He or she might find fragments of a deleted file on the hard drive and put
them together to reconstruct the original document. The expert also could use a computer's
recycle bin to discover which files were deleted and when. With a computer's Internet history
and temporary Internet files, an expert can plot the exact path that a computer user took while
working online.

56
16.PRESERVATION AND CHAIN-OF-CUSTODY ISSUES

ESI is not without its weaknesses, especially its susceptibility to both intentional and inadvertent
alteration. A proponent of ESI, as with any evidence, must establish its chain of custody and
authenticity before the ESI will be admitted. A mere litigation hold might not always suffice; it
may be necessary to preserve an entire computer and document every individual who accesses it
to pre-empt challenges to evidence derived from the computer. As an example, a single field
agent sitting down at the computer of a debtor company's CEO during the company's wind-down
can compromise all of the evidence the computer offers for a related bankruptcy case.

When dealing with individual files, a computer expert might be able to use metadata to establish
authenticity, particularly MAC dates. Like the contents of an electronic file, though, metadata is
subject to manipulation. With a file's metadata changing every time the file is opened, capturing
an image of the hard drive is crucial to protecting the integrity of its files' metadata for purposes
of authentication.

The costs of failing to preserve ESI can prove high. In a well-known sexual discrimination case
from the Southern District of New York, Zubulake v. UBS Warburg, the jury awarded the
plaintiff $29 million after the court allowed the jurors to make adverse inferences about e-mails
that the defendant failed to adequately preserve.17

17
 www.lexisnexis.com/applieddiscovery/lawlibrary/focus_07.asp  .

57
 17.EXECUTING THE BASIC COMPUTER FORENSICS INVESTIGATION

Computer forensics investigations typically follow a general outline. An expert will begin by
securing the system or systems in question and establishing a chain-of-custody log. The expert
makes a forensic image of the data repositories (that is, the hard drives and, if necessary, volatile
RAM), along with information about the systems. The servers and drives must be
imaged before the files on them are searched and reviewed to prevent the corruption of important
evidence. From the image, the expert generally will export all of the word processing and
spreadsheet documents, and encrypted, compressed, and PDF files, and locate the relevant
software programs, including the accounting and database systems.

Working with the attorney, the expert then determines the types of information of interest and
selects relevant keywords to use in data searches. Common search terms include specific names
and dates, credit card and Social Security numbers, birthdays, telephone numbers, and e-mail
addresses.

More specific searches will be conducted based on the nature of the case. If financial fraud is
suspected, for example, an expert can look for journal entries made outside of regular business
hours and at the end of an accounting period. The expert also might find entries made by unusual
users, entries made for nonrecurring transactions, entries posted to unusual or seldom-used
accounts, and other suspicious entries. Data mining could uncover trends, patterns, and
inconsistencies indicative of fraud. The mountain of data usually involved in cases involving
financial matters – data that is frequently available only in electronic format – almost demands
computerized tools and expertise.

58
 A. PRE-EMPTING LITIGATION

In addition to using ESI in existing or pending litigation, some attorneys have recognized that
their clients can wield ESI as a hedge against future litigation and are advising them to preserve
certain data. A human resources department might consider imaging a departing employee's hard
drive as a defense against a potential lawsuit. If the employee subsequently brings a wrongful
termination or sexual harassment claim, the company can examine that hard drive for evidence
of incriminating behavior or wrongdoing. Similarly, some human resources departments at
companies undergoing large numbers of layoffs will use computer forensics to determine if their
former or soon-to-be-former employees have gained access to data before leaving or tried to
misappropriate company information or assets.

59
 17.IMPORTANCE OF COMPUTER FORENSIC

FORENSIC INVESTIGATIONS seek to uncover evidence and then analyze it in order to gain a

full understanding of a crime scene, the motives of the perpetrator, or the criminal’s identity. As
computers and the Internet have become ubiquitous in our daily lives, the cyber realm
increasingly contains potential evidence for all types of criminal investigations

Traditional cyber forensics have focused on “dead-box” analysis, but there is an emerging
methodology for “live-box” analysis—a technique that preserves and harvests vital evidence
from a computer’s physical memory, also referred to as random-access memory (RAM)
or volatile memory. 18

Computer forensics has reached a stage where its increasing importance in this day of technology
is incontrovertible. This field is just coming into bloom in many countries. It is basically a very
specialized investigative science where investigation and analysis of a suspects computer is done
in a bid to uncover evidence of a criminal act.

However, computer forensics evidence are being frequently challenged and computer expert
witnesses are often required to defend their findings, their methods and tools. It is extremely
important that the processing methods in uncovering these findings are done correctly or you will
find your case being thrown out.

Computer forensic experts are often the only ones that can crack technology-based cases.
Anyone can turn on a computer and do a basic search for a missing file but not everyone can find
a missing file that someone else doesn’t want found. So if you want a wining case, hiring highly
qualified experts makes all the difference.19

Computer forensic investigation techniques are not only useful for solving cyber crimes such as
computer hacking or child pornography, but they also have helped to solve other crimes like
murder, terrorism, organized crime, tax evasion, drug smuggling, extortion, and robbery cases. In

18
http://www.evidencemagazine.com/index.php?option=com_content&task=view&id=116
19
http://www.akati.com

60
fact, computer forensics played a pivotal role in a number of high-profile cases such as the Laci
Peterson murder and the BTK serial-murder cases.

Computers can store vast amounts of information: e-mail messages and e-mail addresses, contact
lists, pictures, financials, research, videos, Internet history, and phone numbers—and all of these
things can provide information about people’s habits and interests.

Computer forensic investigations are structured much like any traditional law-enforcement
investigation. Highly trained individuals follow a specific computer forensic methodology that
has standard operating procedures to efficiently gather potential evidentiary artifacts from the
crime scene. This process must follow a forensically sound process—that is, it should be
minimally invasive so that the collected “stuff” can be used as evidence in a court of law.

The FBI has a cyber mission to stop those behind computer intrusions, to identify online sexual
predators who exploit children, to counteract operations that target the United States’ intellectual
property, and to dismantle organized criminal enterprises engaging in Internet fraud. Police
departments all over the United States have units that are dedicated to investigating computer
crimes. Businesses and governments have computer-incident response teams whose missions are
to understand the computer-network intrusions and to minimize their damage while bolstering
network defenses.

Fighting these new breeds of cyber criminals is often an uphill battle. Law enforcement and
computer security professionals within businesses and governments are literally in an arms race
against tech-savvy criminals who use advanced technologies to thwart or defeat computer
forensic investigations. The bad guys infiltrate computers and install their own malicious code
(which is referred to as malware) in order to log keystrokes and steal intellectual property. Their
sophisticated methods use anti-detection, anti-forensics, in-memory malware, encrypted
software, and other techniques to cover their digital tracks and defeat traditional security and
dead-box forensics20

Conventional computer investigations collect, preserve, and analyze computer hard drives and
media such as USB drives, floppy disks, zip drives, and optical media (CDs and DVDs). Since
20
ibid

61
investigators typically “pull the plug” on the computer system prior to acquiring an exact copy of
the hard drive, this particular methodology is referred to as dead-box forensics—a technique that
analyzes the data at rest. The technique has not changed much over the last 15 years and is still
widely used today.

In addition to data that is stored on disks and other external media, every running computer has a
storehouse of data located in the computer’s main memory, or RAM. This consists of 1 to 4
gigabytes (or more) of information that is often overlooked. To put this into perspective, consider
this: Discarding 4 gigabytes of RAM would be like throwing away 1 million pages of single-
spaced printed text. There is also this point to consider: RAM contains data that is not found on
the disk.

The technique known as live-box forensics gives investigators access to the entire running
system, including the volatile information contained in the memory chips (RAM) and whatever
is on the live hard drive. A computer’s volatile information—the data that is contained in the
memory chips—is lost when you remove power from the system or shut down the computer. 
The information found in memory includes user names and passwords, encryption keys, instant-
messenger chat sessions, unencrypted data, open documents and e-mails, hidden code like
rootkits, registry information, and other critical evidence. All of this data can help provide
contextual information about the target subject’s activity on the computer.

Unfortunately, much of this information is calculated at runtime, exists only in memory, and will
not be available to an analyst who is performing conventional dead-box forensics.

When investigating a murder case, the investigator will want access to the encrypted folders and
files on the suspect’s hard drive. When working a financial-fraud case involving insider trading,
it makes practical sense to get access to the suspect’s instant messages that are purposely not
stored on the hard drive. For a terrorism case, the investigator will want to preserve the e-mail
addresses and phone numbers stored in memory but not on the hard drive. Live-box analysis can
provide all of these capabilities.

Live-box analysis has become a requirement for those who are investigating illicit activities on
computers so that they can best determine motives, behaviors, and identity. While computer

62
investigators often receive ongoing training to stay current with the latest computer forensic tools
and best practices, most are not trained in live-box methodologies and technologies.

The first step in live-box forensics is to capture and preserve the physical memory or volatile
data before turning off the computer. Given the latest technological advances, it is not difficult to
use software to create an image of physical memory. There are a number of techniques an
investigator can use to capture the entire contents of physical memory on a computer. Each has
its own strengths and weaknesses, and each is best employed under specific circumstances. This
is precisely where proper training becomes critical for the investigator.

Currently there are software utilities, hardware devices, and specific keyboard sequences within
some operating systems that can be used to create a snapshot, or crash dump, of physical
memory. For the sake of this article, we will focus on the software methods and techniques used
to capture memory.

Today there are a number of free software utilities available to capture the entire contents of
physical memory on Windows computer systems. Best practices dictate that investigators get the
software and learn how to use it prior to beginning their first live-box computer investigation.

For a brief list of some of the software applications that are available for memory collection and
preservation on Windows platforms.

Computer forensic investigators must adhere to and follow forensic best practices for any and all
actions they take during the collection of potential evidence. For example, they should record all
actions performed at the crime scene to include the user actions performed on the suspect’s
computer system. Investigators also should make sure to log all actions and the time at which
they were performed. This sort of basic information is important for chain-of-custody reasons
and may be needed in litigation.

Analyzing physical memory is the hard part.

Even though tools exist to preserve memory, there are only a few software tools available today
to help computer investigators analyze the preserved memory images. In the past, most of the
memory-analysis work has been done in the academic, open-source communities and
63
government labs. With time, however, these software tools have become increasingly user-
friendly and we have seen widespread adoption of their use in additional markets such as finance
and law enforcement.

In order to properly analyze and investigate the physical memory of a computer, the investigator
needs to use specialized software that recreates the runtime state of the machine at the time the
memory was imaged. The goal is to expose all the objects in memory, including all the running
applications, system resources, attached devices, and open documents. There is existing soft-
ware tools that can accomplish these complex tasks by parsing undocumented, esoteric data
structures and reporting on their contents. This is no small feat. The specific Windows Memory
structures often vary from one service pack to another and from one operating system to another.
However, there is a treasure trove of information contained in these undocumented data
structures that is now available to investigators.

64
 19.ACQUISITION:

A. DEAD ACQUISITION:

Dead forensic acquisition The most reliable and predictable method of acquisition is performed
on computers that have been powered off. It is commonly known as 'traditional' or 'dead'
acquisition. Dead acquisition is a very simple process.

Simplicity, Reliability and Thoroughness Dead acquisition has clear merits principally due to its
simplicity; its main strength is the clearly defined and straightforward stages of the acquisition,
which can be verified at any time. The logic required for the acquisition software is extremely
straightforward making it easily understood. There is no risk of altering and therefore
contaminating the evidence as the data on the hard disk is not modified. It is also very reliable
due to its clear stages and the predictability of hard disks. This method is not simply copying
files; file copying does not collect unallocated sectors, slack space† and complete file metadata.
Dead acquisition is extremely thorough; every byte on the hard disk is acquired including
unallocated, slack space and metadata.

Weaknesses of Dead Acquisition As we have seen, the dead methodology acquires a complete
copy of all data on a hard disk. While this is useful, there is much information present on a
computer that is not on the hard disk . Criminals rapidly responded to the successes of computer
forensic practitioners. For example, many criminals began to use encryption extensively10.
Clearly, having an exact copy of an encrypted file is no use to a forensic examiner as analysis of
seemingly random data is impossible. Encrypted volumes, files which contain an encrypted file
system, are widely used by criminals. These files are opened with a program, such as
BestCrypt11, which can decrypt the data and mount the file system. Once a key has been
provided to the program the file system can be mounted and accessed like any other file system;
encryption and decryption are transparent. Encrypted volumes are useless if a forensic
practitioner can assess a computer while the volume is still mounted. Also, as networks became
more widespread, the importance of network data - such as currently open ports - grew
dramatically. As this data is volatile12 , turning off the computer automatically causes the data to

65
be lost. Other important data, such as decryption keys for encrypted files, can also be stored in
volatile memory.

B. LIVE ACQUISITION:

To act against these electronic offenders, it is necessary to develop new processes and
technique.

The first pro-active step in any digital forensic investigation is that of acquisition. The inherent
problem with digital media is that it is readily modified; even just by accessing files. For this
reason analysts obtain a "bit copy" of the media using specialist tools which stop modification
occurring.

Working from a copy is one of the fundamental steps to making a forensic investigation audit-
able and acceptable to a court. Another fundamental part of the process is the ability to verify the
accuracy of the evidence produced; acquisition and verification are key concepts in preparing
digital media for investigation.

Prior to the availability of very large storage capacity the acquisition process usually consisted of
creating a bit-perfect copy of the digital media evidence. This is usually conducted with the
media connected to a write blocking device which stops it from being modified during the
process. After being acquired the physical media is placed in secure storage the forensic analyst
conducts the forensic investigation on the copy.

The aim of working on a copy of the evidence is to leave the original media intact - which allows
for any evidence to be verified (proven accurate) at a later date.

Write blockers can take two forms; hardware or software (you can see a picture of a hardware
write blocker to the right). The hardware devices are more reliable, stopping all write commands
from reaching the digital media. Software writer blockers are less reliable and tend to be
proprietary.

Acquired media is usually refereed to as an "image", they are stored in a number of open and
proprietary formats. The popular EnCase software employs a proprietary, compressible, "EnCase

66
Evidence File Format" (EEFF). Other open formats such as RAW (i.e. a simple bit copy) are
used by programs such as "FTK Imager".

During acquisition forensic tools create a verification hash of the media, this allows an analyst to
later confirm that the image and its contents are accurate.21

A "live" acquisition is where data is retrieved from a digital device directly via its normal
interface; for example switching a computer on and running programs from within the operating
system. This has some level of risk, as data is likely to be modified. This process is rapidly
becoming the more common approach as disk drive capacities increase to the point where they
are impractical to 'image' and technology such as 'cloud computing' means that you cannot even
access the hardware in many cases [1]

However there are also advantages to live acquisition - for example it allows you to capture the
contents of RAM. Where a computer is found turned on, prior to seizure, it is sometimes
beneficial to make a live acquisition of the RAM in case it contains information deleted from the
hard drive (for example temporary documents).

Such an acquisition is often done by non-technical personnel, or at least personnel not trained in
computer forensics, which creates the added risk of a mistake deleting important data. A variety
of tools exist to help with this process and to make it accessible to non-technical personnel. For
example Microsoft recently released a free suite of tools (available only to law enforcement) to
capture information from a live Windows system. The software, called COFEE, fits on a USB
pen drive and contains various automated tools to recover RAM and system log files.22

C. PROBLEMS WITH LIVE FORENSICS

This chapter will explain the two main technical problems with live acquisition and the
difficulties they cause.23

1. Data modification during acquisition process. Data on a computer may be modified by any
process during acquisition. These can range from user applications to server applications or the
operating system itself. Forensic examiners have no control over the types and numbers of
21
https://en.wikibooks.org/wiki/Introduction_to_Digital_Forensics/Acquisition
22
ibid
23
https://www.cs.kent.ac.uk/pubs/ug/2007/co620-projects/forensic/report.pdf

67
processes running when they begin to investigate a computer. Every running process is liable to
change data on the drive during acquisition.

2. Slurred images. 'Slurred' images are produced when the file system being acquired is
modified during acquisition. Any modification causes a problem as the meta-data section of the
hard disk - the record of where all files on the hard disk are currently situated - (e.g. The MFT or
FAT) is read first. If sectors, stated by metadata to hold parts of files, are changed before they
have been acquired the analysis becomes problematic as the metadata and sectors don’t
correspond.

For example: If metadata indicates MyPasswords.doc is held in sectors 1567 – 1626 but when
the imaging software reaches these sectors the file has moved we have potentially lost valuable
evidence. The data may still be on the drive; however it becomes extremely difficult to find it.
This process is analogous to hand-copying a book, one page at a time, whilst someone else is still
editing it. The contents page has been acquired but by the time the rest of the book has been
copied chapters have b

een moved around and edited. The contents page can no longer be relied upon as an accurate
guide to the book.

3. Potential for hard disk modification by forensic practitioners. To perform live acquisition
forensic practitioners must execute code which will run on the CPU of the suspect system. The
code will change data in the CPU registers and RAM. It may also change data on the hard disk.
This is the case even if there are no explicit write commands. This is because, as the acquisition
programs run in a virtual machine, the operating system may decide to swap the program to hard
disk. This complicates the displaying of evidence in a case and gives the defence the opportunity
to argue that evidence should be ruled inadmissible. This often happens in practice as the
evidence against someone is so overwhelming the only possible line of defence is to argue the
evidence inadmissible.

4. We may ruin all evidence when inappropriate action is taken by forensic examiners.
Errors in a forensic examination can cause an unnecessary amount of data to be changed. This
may be due to something as simple as running an application on the suspect hard drive. Running
a program commonly causes it to overwrite much data, such as last opened time and other lists of
recent actions. If the criminal use of this application is pivotal to the case it will cause many

68
issues in court. If there is a large amount of anomalous data in images it may call in to question
the competence of the forensic examiner and the reliability of the evidence in general. In this
case the data gained by live forensic acquisition might be less useful than if data had been gained
by dead acquisition.

5. Anti-forensic programs. Criminals who are forensically aware are liable to take steps to
reduce the effectiveness of a potential investigation. Writing a program to detect forensic
acquisition programs and subsequently to destroy evidence is not complicated. EnCase FIM
publishes the registry keys it changes on installation. This makes it extremely easy to identify the
program and allow evidence destroying to commence.

6. Acquisition dependant on operating system Live forensic acquisitions are performed by

programs running in user space. In other words they run in their own virtual machine on top of
the operating system. Consequently the only way acquisitions can be performed is by requesting
information from the operating system via its APIs. The acquisition software must trust the
operating system completely to gather its information.

7. Problems with this dependency. Criminals who suspect they may have forensic techniques
used against them may modify the operating system to lie for them. A method to provide
programs in user space with deliberately sanitised data is a new idea, however proof of concept
code has been produced that enables this. In this case, live imaging has been likened to “turning
up to a homicide at the docks and asking the mafia to collect your evidence” 14. This is because
we examine the computer (scene of crime) and ask the potentially 'bad' operating system to give
us the data on the hard disk.

D. SOLUTIONS TO LIVE FORENSIC PROBLEM

Four solutions have been identified to tackle the problem of data changing during acquisition.
The advantages and disadvantages of each solution shall be explained and the evaluation criteria
shall include the practicality and flexibility of use. One of these solutions will be selected and
implemented within the project time-scale.

1. Freezing current state of computer A solution to allow us to image the ram in memory
would be to 'freeze' (perhaps crash) the computer while still maintaining power to the RAM. It
may then be possible to image the ram by connecting directly to the hardware. This method

69
affords us a complete image of the RAM and hard disk with the knowledge that no modifications
can be made during the acquisition. It guarantees us the image produced will not be slurred. To
perform this, direct access to the internals of a computer must be gained. It would be a delicate
process in which different imaging hardware would be required for each type of RAM. Another
major disadvantage with this system is the fact that when we freeze the computer we will
probably be unable to resume it without a reboot.

2. Killing unnecessary programs There may be many programs running on the system during
acquisition any one of which may alter data on the hard disk or in RAM. One method to deal
with this is to kill all the processes which are not vital to the system. This would minimise the
possibility of programs causing slurred images during acquisition. It would also minimise the
possibility of anti-forensics programs, running in user mode, destroying evidence. There are
however some large issues with this method. Identifying the programs vital to the operation of
the system is difficult. Killing the wrong processes could cause a system crash. A forensic
examiner accidentally crashing a suspect computer system would be looked upon very poorly in
court; the jury has an expectation of competency from a computer forensic expert. There would
be difficulties implementing this system, using a black-list may leave many problematic
processes running that are not on the list, while a white-list would be likely to kill many
programs that are vital to the system.

3. Swapping hard disk for forensic hardware It may be possible to place forensic write
blocking hardware between the motherboard and the hard disk whist it is running, without
crashing the system. A solution which builds upon the principles of the shadow drive15 may be
feasible. When new forensic hardware is installed all write commands would be written to the
new hard disk attached to the shadow drive, instead of the original suspect hard disk. The suspect
hard disk would remain unchanged. This would result in obtaining an exact image of the hard
disk at the time the forensic hardware was added to the system. There would be possible issues
with the system crashing during the install of the hardware. Direct access to the internals of the
system would be needed for this method to be installed.

4. Imager with write command policing The final option would be to use a forensic acquisition
program placed between the hard disk driver and all processes which use it. This gives it one
large advantage; it may inspect every command that is issued to the hard disk before any data is

70
changed. This would allow the acquisition program to intercept any writes to the hard disk and
image sectors before they are allowed to be overwritten. Therefore as the acquisition process
occurred in the times that read and write commands were not being serviced we gain a complete
image of the hard drive at the exact time that the acquisition software was loaded. This method
guarantees a complete, non slurred, image of the hard disk. This solution can also be run
remotely. This solution also has the potential to be modified to perform similar actions on RAM.
However acquisition programs must delve deep into the kernel which greatly increases the
possibility of poor programming causing a system crash. Also as the acquisition program must
wait for the data to be sent over the network it may cause hard disk access times to increase. This
may be a problem if the acquisition is being performed covertly as it may alert the user of the
system to the presence of the imager. 4.5. Implementation choice This project will implement
For this project we will implement solution 4.4. Solutions 4.1 and 4.3 would require a deep
understanding of electronics and direct access to the internals of computers. Internal access to
live computers has two drawbacks; the solutions are complex to use and there is no opportunity
for covert use. Solution 4.2 would require much research into 'good' and 'bad' processes. It would
not be possible to keep a complete and accurate process database. It also has serious potential to
crash computers by killing essential processes. Solution 4.4 is clearly the most elegant and
flexible solution. It is possible to implement PoC code and its operation is simple and easy to
understand. There are opportunities to extend the functionality described to provide further
advantages.

71
 20.FORENSIC COMPARISON PLATFORM

The code for the forensic imagers themselves is relatively short; however they must be run in an
appropriate environment. This chapter discusses briefly the design and construction of that
environment; the Forensic Comparison Platform.24

A. Main Components

The main components of the FCP are

i. Hard Disk: Data is stored here and can be accessed sector by sector.
ii. File System: Allows structured data to be stored.
iii. User Interface: Allows user modification of files
iv. Visualization: Provides display of the systems operations.
v. Forensic server: Collects and stores information sent to it by forensic
imagers.

Hard Disk Clearly, the hard disk is vital to the FCP as without it there is no data to image. The
virtual hard disk is implemented by providing a hard disk style interface to a 32MB file accessed
by the Random Access File class. The hard disk services commands to read and write sectors at
any place on the drive. It does not provide any performance enhancing features such as caching.

File System The file system allows the FCP to handle structured data; essential to demonstrate
imager caused data corruption. It communicates with both the UI and processes with a Hard Disk
style interface. The file system is very limited but features include:

• Reading and Writing of files

• Fragmented file support

• Modified, Accessed and Created times

User Interface A basic textual user interface (UI) has been implemented to allow interactive
data modification and retrieval. This allows the user to modify the hard disk and, with the aid of
the visualisation see the affects modifications have with different forensic acquisition programs.

Visualisation The visualisation is required to display the affects of hard disk modifications upon
different imaging methods. This component of the FCP is not needed for the correct operation of
24
https://www.cs.kent.ac.uk/pubs/ug/2007/co620-projects/forensic/report.pdf

72
the forensic imagers, only as an aid to understanding. Visualisations would not be present in any
real world solution and as it is implemented as a component of the imagers, it is not included on
conceptual diagrams. The visualisation shows a view of every sector of the hard disk; white areas
are unimaged sectors, green – correctly imaged sectors and black – sectors modified before
imaging.

Forensic Server The forensic server must receive data from forensic imagers and store the
information in an image file. The messages it will receive from the imagers are of the form
“Sector X currently holds the data Y”

Both computer and non-computer professionals use computers every day. Accordingly,
it is safe to say that computers play a significant role in both business and personal life,
and that the resultant technological advances are remarkable.
One of the bigger Information Technology advances was the creation of the Internet to
connect people globally. Unfortunately, the Internet not only aided worldwide
communication and commerce, but also sparked the growth of electronic crime.
Criminals now make use of computers on a daily basis to assist with and to commit
crimes.
To act against these electronic offenders, it is necessary to develop new processes and
techniques to retrieve evidence from computers. Specialists commonly refer to this
discipline as Cyber Forensics
Both computer and non-computer professionals use computers every day. Accordingly,
it is safe to say that computers play a significant role in both business and personal life,
and that the resultant technological advances are remarkable.
One of the bigger Information Technology advances was the creation of the Internet to
connect people globally. Unfortunately, the Internet not only aided worldwide
communication and commerce, but also sparked the growth of electronic crime.
Criminals now make use of computers on a daily basis to assist with and to commit
crimes.
To act against these electronic offenders, it is necessary to develop new processes and
techniques to retrieve evidence from computers. Specialists commonly refer to this
discipline as Cyber Forensics
Both computer and non-computer professionals use computers every day. Accordingly,
73
it is safe to say that computers play a significant role in both business and personal life,
and that the resultant technological advances are remarkable.
One of the bigger Information Technology advances was the creation of the Internet to
connect people globally. Unfortunately, the Internet not only aided worldwide
communication and commerce, but also sparked the growth of electronic crime.
Criminals now make use of computers on a daily basis to assist with and to commit
crimes.
To act against these electronic offenders, it is necessary to develop new processes and
techniques to retrieve evidence from computers. Specialists commonly refer to this
discipline as Cyber Forensics
Both computer and non-computer professionals use computers every day. Accordingly,
it is safe to say that computers play a significant role in both business and personal life,
and that the resultant technological advances are remarkable.
One of the bigger Information Technology advances was the creation of the Internet to
connect people globally. Unfortunately, the Internet not only aided worldwide
communication and commerce, but also sparked the growth of electronic crime.
Criminals now make use of computers on a daily basis to assist with and to commit
crimes.
To act against these electronic offenders, it is necessary to develop new processes and
techniques to retrieve evidence from computers. Specialists commonly refer to this
discipline as Cyber Forensics
Both computer and non-computer professionals use computers every day. Accordingly,
it is safe to say that computers play a significant role in both business and personal life,
and that the resultant technological advances are remarkable.
One of the bigger Information Technology advances was the creation of the Internet to
connect people globally. Unfortunately, the Internet not only aided worldwide
communication and commerce, but also sparked the growth of electronic crime.
Criminals now make use of computers on a daily basis to assist with and to commit
crimes.
To act against these electronic offenders, it is necessary to develop new processes and
techniques to retrieve evidence from computers. Specialists commonly refer to this

74
discipline as Cyber Forensics
Both computer and non-computer professionals use computers every day. Accordingly,
it is safe to say that computers play a significant role in both business and personal life,
and that the resultant technological advances are remarkable.
One of the bigger Information Technology advances was the creation of the Internet to
connect people globally. Unfortunately, the Internet not only aided worldwide
communication and commerce, but also sparked the growth of electronic crime.
Criminals now make use of computers on a daily basis to assist with and to commit
crimes.
To act against these electronic offenders, it is necessary to develop new processes and
techniques to retrieve evidence from computers. Specialists commonly refer to this
discipline as Cyber Forensics
Both computer and non-computer professionals use computers every day. Accordingly,
it is safe to say that computers play a significant role in both business and personal life,
and that the resultant technological advances are remarkable.
One of the bigger Information Technology advances was the creation of the Internet to
connect people globally. Unfortunately, the Internet not only aided worldwide
communication and commerce, but also sparked the growth of electronic crime.
Criminals now make use of computers on a daily basis to assist with and to commit
crimes.
To act against these electronic offenders, it is necessary to develop new processes and
techniques to retrieve evidence from computers. Specialists commonly refer to this
discipline as Cyber Forensics
Both computer and non-computer professionals use computers every day. Accordingly,
it is safe to say that computers play a significant role in both business and personal life,
and that the resultant technological advances are remarkable.
One of the bigger Information Technology advances was the creation of the Internet to
connect people globally. Unfortunately, the Internet not only aided worldwide
communication and commerce, but also sparked the growth of electronic crime.
Criminals now make use of computers on a daily basis to assist with and to commit
crimes.

75
To act against these electronic offenders, it is necessary to develop new processes and
techniques to retrieve evidence from computers. Specialists commonly refer to this
discipline as Cyber Forensics
Both computer and non-computer professionals use computers every day. Accordingly,
it is safe to say that computers play a significant role in both business and personal life,
and that the resultant technological advances are remarkable.
One of the bigger Information Technology advances was the creation of the Internet to
connect people globally. Unfortunately, the Internet not only aided worldwide
communication and commerce, but also sparked the growth of electronic crime.
Criminals now make use of computers on a daily basis to assist with and to commit
crimes.
To act against these electronic offenders, it is necessary to develop new processes and
techniques to retrieve evidence from computers. Specialists commonly refer to this
discipline as Cyber Forensics
Both computer and non-computer professionals use computers every day. Accordingly,
it is safe to say that computers play a significant role in both business and personal life,
and that the resultant technological advances are remarkable.
One of the bigger Information Technology advances was the creation of the Internet to
connect people globally. Unfortunately, the Internet not only aided worldwide
communication and commerce, but also sparked the growth of electronic crime.
Criminals now make use of computers on a daily basis to assist with and to commit
crimes.
To act against these electronic offenders, it is necessary to develop new processes and
techniques to retrieve evidence from computers. Specialists commonly refer to this
discipline as Cyber Forensics

21.STAGES OF EXAMINATION:

76
I have divided the computer forensic examination process into six stages, presented in their usual
chronological order.25

i.Readiness

Forensic readiness is an important and occasionally overlooked stage in the examination process.
In commercial computer forensics it can include educating clients about system preparedness; for
example, forensic examinations will provide stronger evidence if a device’s auditing features
have been activated prior to any incident occurring.

For the forensic examiner themself, readiness will include appropriate training, regular testing
and verification of their software and equipment, familiarity with legislation, dealing with
unexpected issues (e.g., what to do if indecent images of children are found present during a
commercial job) and ensuring that the on-site acquisition (data extraction) kit is complete and in
working order.

ii.Evaluation

The evaluation stage includes the receiving of instructions, the clarification of those instructions
if unclear or ambiguous, risk analysis and the allocation of roles and resources. Risk analysis for
law enforcement may include an assessment on the likelihood of physical threat on entering a
suspect’s property and how best to counter it.

Commercial organisations also need to be aware of health and safety issues, conflict of interest
issues and of possible risks – financial and to their reputation – on accepting a particular project.

iii.Collection

The main part of the collection stage, acquisition, has been introduced above.

25
https://forensiccontrol.com/resources/beginners-guide-computer-forensics/

77
If acquisition is to be carried out on-site rather than in a computer forensic laboratory, then this
stage would include identifying and securing devices which may store evidence and
documenting the scene. Interviews or meetings with personnel who may hold information
relevant to the examination (which could include the end users of the computer, and the manager
and person responsible for providing computer services, such as an IT administrator) would
usually be carried out at this stage.

The collection stage also involves the labelling and bagging of evidential items from the site, to
be sealed in numbered tamper-evident bags. Consideration should be given to securely and safely
transporting the material to the examiner’s laboratory.

iv.Analysis

Analysis depends on the specifics of each job. The examiner usually provides feedback to the
client during analysis and from this dialogue the analysis may take a different path or be
narrowed to specific areas. Analysis must be accurate, thorough, impartial, recorded, repeatable
and completed within the time-scales available and resources allocated.

There are myriad tools available for computer forensics analysis. It is our opinion that the
examiner should use any tool they feel comfortable with as long as they can justify their choice.
The main requirements of a computer forensic tool is that it does what it is meant to do and the
only way for examiners to be sure of this is for them to regularly test and calibrate the tools they
rely on before analysis takes place.

Dual-tool verification can confirm result integrity during analysis (if with tool ‘A’ the examiner
finds artefact ‘X’ at location ‘Y’, then tool ‘B’ should replicate these results).

v.Presentation

This stage usually involves the examiner producing a structured report on their findings,
addressing the points in the initial instructions along with any subsequent instructions. It would
also cover any other information which the examiner deems relevant to the investigation.

78
The report must be written with the end reader in mind; in many cases the reader will be non-
technical, and so reader-appropriate terminology should be used. The examiner should also be
prepared to participate in meetings or telephone conferences to discuss and elaborate on the
report.

vi.Review

As with the readiness stage, the review stage is often overlooked or disregarded. This may be due
to the perceived costs of doing work that is not billable, or the need ‘to get on with the next job’.

However, a review stage incorporated into each examination can help save money and raise the
level of quality by making future examinations more efficient and time effective.

A review of an examination can be simple, quick and can begin during any of the above stages. It
may include a basic analysis of what went wrong, what went well, and how the learning from
this can be incorporated into future examinations’. Feedback from the instructing party should
also be sought.

Any lessons learnt from this stage should be applied to the next examination and fed into the
readiness stage.

22.ISSUES FACED BY COMPUTER FORENSICS:

Issues facing computer forensics

79
The issues facing computer forensics examiners can be broken down into three broad categories:
technical, legal and administrative.26

i.Technical issues

Encryption – Encrypted data can be impossible to view without the correct key or password.
Examiners should consider that the key or password may be stored elsewhere on the computer or
on another computer which the suspect has had access to. It could also reside in the volatile
memory of a computer (known as RAM [6]) which is usually lost on computer shut-down;
another reason to consider using live acquisition techniques, as outlined above.
Increasing storage space – Storage media hold ever greater amounts of data, which for the
examiner means that their analysis computers need to have sufficient processing power and
available storage capacity to efficiently deal with searching and analysing large amounts of data.
New technologies – Computing is a continually evolving field, with new hardware, software and
operating systems emerging constantly. No single computer forensic examiner can be an expert
on all areas, though they may frequently be expected to analyse something which they haven’t
previously encountered. In order to deal with this situation, the examiner should be prepared and
able to test and experiment with the behaviour of new technologies. Networking and sharing
knowledge with other computer forensic examiners is very useful in this respect as it’s likely
someone else has already come across the same issue.
Anti-forensics – Anti-forensics is the practice of attempting to thwart computer forensic analysis.
This may include encryption, the over-writing of data to make it unrecoverable, the modification
of files’ metadata and file obfuscation (disguising files). As with encryption, the evidence that
such methods have been used may be stored elsewhere on the computer or on another computer
which the suspect has had access to. In our experience, it is very rare to see anti-forensics tools
used correctly and frequently enough to totally obscure either their presence or the presence of
the evidence that they were used to hide.

ii.Legal issues

Legal issues may confuse or distract from a computer examiner’s findings. An example here
would be the ‘Trojan Defence’. A Trojan is a piece of computer code disguised as something
26
https://forensiccontrol.com/resources/beginners-guide-computer-forensics/

80
benign but which carries a hidden and malicious purpose. Trojans have many uses, and include
key-logging [7]), uploading and downloading of files and installation of viruses. A lawyer may
be able to argue that actions on a computer were not carried out by a user but were automated by
a Trojan without the user’s knowledge; such a Trojan Defence has been successfully used even
when no trace of a Trojan or other malicious code was found on the suspect’s computer. In such
cases, a competent opposing lawyer, supplied with evidence from a competent computer forensic
analyst, should be able to dismiss such an argument. A good examiner will have identified and
addressed possible arguments from the “opposition” while carrying out the analysis and in
writing their report.

iii.Administrative issues

Accepted standards – There are a plethora of standards and guidelines in computer forensics,
few of which appear to be universally accepted. The reasons for this include: standard-setting
bodies being tied to particular legislations; standards being aimed either at law enforcement or
commercial forensics but not at both; the authors of such standards not being accepted by their
peers; or high joining fees for professional bodies dissuading practitioners from participating.
Fit to practice – In many jurisdictions there is no qualifying body to check the competence and
integrity of computer forensics professionals. In such cases anyone may present themselves as a
computer forensic expert, which may result in computer forensic examinations of questionable
quality and a negative view of the profession as a whole.

23.TOOLS USED BY FORENSIC INVESTIGATORS:

81
 Computer forensics is a very important branch of computer science in relation to computer and
Internet related crimes. Earlier, computers were only used to produce data but now it has
expanded to all devices related to digital data. The goal of Computer forensics is to perform
crime investigations by using evidence from digital data to find who was the responsible for that
particular crime.

For better research and investigation, developers have created many computer forensics tools.
Police departments and investigation agencies select the tools based on various factors including
budget and available experts on the team.

These computer forensics tools can also be classified into various categories:

Tools Lists
 1. Autopsy
 2. Encrypted Disk Detector
 3. Wireshark
 4. Magnet RAM Capture
 5. Network Miner
 6. NMAP
 7. RAM Capturer
 8. Forensic Investigator
 9. FAW
 10. HashMyFiles
 11. USB Write Blocker
 12. Crowd Response
 13. NFI Defraser
 14. ExifTool
 15. Toolsley
 16. SIFT
 17. Dumpzilla
 18. Browser History
 19. ForensicUserInfo

82
 20. Black Track
 21. Paladin
 22. Sleuth Kit
 23. CAINE

1. Autopsy

Autopsy is a GUI-based open source digital forensic program to analyze hard drives and smart
phones effectively. Autospy is used by thousands of users worldwide to investigate what actually
happened in the computer.27

It’s widely used by corporate examiners, military to investigate and some of the features are.

 Email analysis
 File type detection
 Media playback
 Registry analysis
 Photos recovery from memory card
 Extract geolocation and camera information from JPEG files
 Extract web activity from browser
 Show system events in graphical interface
 Timeline analysis
 Extract data from Android – SMS, call logs, contacts, etc.

It has extensive reporting to generate in HTML, XLS file format.28

2. Encrypted Disk Detector

Encrypted Disk Detector can be helpful to check encrypted physical drives. It supports

TrueCrypt, PGP, Bitlocker, Safeboot encrypted volumes.29

27
https://geekflare.com/forensic-investigation-tools/
28

29
https://geekflare.com/forensic-investigation-tools/

83
Encrypted Disk Detector is a command-line tool that can quickly and non-intrusively check for
encrypted volumes on a computer system during incident response.

The decision can then be made to investigate further and determine whether a live acquisition
needs to be made in order to secure and preserve the evidence that would otherwise be lost if the
plug was pulled.30

3. Wireshark

Wireshark is a network capture and analyzer tool to see what’s happening in your network.
Wireshark will be handy to investigate network related incident.

4. Magnet RAM Capture

You can use Magnet RAM capture to capture the physical memory of a computer and analyze
artifacts in memory.

It supports Windows operating system.

Magnet RAM Capture is a free imaging tool designed to capture the physical memory of a
suspect’s computer, allowing investigators to recover and analyze valuable artifacts that are often
only found in memory.

Magnet RAM Capture has a small memory footprint, meaning investigators can run the tool
while minimizing the data that is overwritten in memory. Export captured memory data in Raw
(.DMP) format and easily upload into leading analysis tools including, Internet Evidence Finder.

Evidence that can be found in RAM includes process and programs running on the system,
network connections, evidence of malware intrusion, registry hives, username and passwords,
decrypted files and keys, and evidence of activity not typically stored on the local hard disk.31

5. Network Miner

30
https://www.magnetforensics.com/free-tool-encrypted-disk-detector/
31
https://www.magnetforensics.com/free-tool-magnet-ram-capture/

84
An interesting network forensic analyzer for Windows, Linux & MAC OS X to detect OS,
hostname, sessions and open ports through packet sniffing or by PCAP file. Network
Miner provide extracted artifacts in an intuitive user interface.

NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect
operating systems, sessions, hostnames, open ports etc. without putting any traffic on the
network. NetworkMiner can also parse PCAP files for off-line analysis and to
regenerate/reassemble transmitted files and certificates from PCAP files.

NetworkMiner makes it easy to perform advanced Network Traffic Analysis (NTA) by providing
extracted artifacts in an intuitive user interface. The way data is presented not only makes the
analysis simpler, it also saves valuable time for the analyst or forensic investigator.

NetworkMiner has, since the first release in 2007, become a popular tool among incident
response teams as well as law enforcement. NetworkMiner is today used by companies and
organizations all over the world.

NetworkMiner can extract files, emails and certificates transferred over the network by parsing a
PCAP file or by sniffing traffic directly from the network. This functionality can be used to
extract and save media files (such as audio or video files) which are streamed across a network
from websites such as YouTube.32

6. NMAP

NMAP (Network Mapper) is one of the most popular networks and security auditing tools.
NMAP is supported on most of the operating systems including Windows, Linux, Solaris, MAC
OS, HP-UX etc. It’s open source so free.

Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and
security auditing. Many systems and network administrators also find it useful for tasks such as
network inventory, managing service upgrade schedules, and monitoring host or service uptime.
Nmap uses raw IP packets in novel ways to determine what hosts are available on the network,

32
http://www.netresec.com/?page=NetworkMiner

85
what services (application name and version) those hosts are offering, what operating systems
(and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of
other characteristics. It was designed to rapidly scan large networks, but works fine against
single hosts. Nmap runs on all major computer operating systems, and official binary packages
are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap
executable, the Nmap suite includes an advanced GUI and results viewer , a flexible data
transfer, redirection, and debugging tool , a utility for comparing scan results , and a packet
generation and response analysis tool .

 Flexible: Supports dozens of advanced techniques for mapping out networks filled with
IP filters, firewalls, routers, and other obstacles. This includes many port
scanningmechanisms (both TCP &  UDP), OS detection, version detection, ping sweeps,
and more.
 Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands
of machines.
 Portable: Most operating systems are supported, including Linux, Microsoft
Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun
OS, Amiga, and more.
 Easy: While Nmap offers a rich set of advanced features for power users, you can start
out as simply as "nmap -v -A targethost". Both traditional command line and graphical
(GUI) versions are available to suit your preference. Binaries are available for those who
do not wish to compile Nmap from source.
 Free: The primary goals of the Nmap Project is to help make the Internet a little more
secure and to provide administrators/auditors/hackers with an advanced tool for exploring
their networks.
 Well Documented: Significant effort has been put into comprehensive and up-to-date
man pages, whitepapers, tutorials, and even a whole book.
 Supported: While Nmap comes with no warranty, it is well supported by a vibrant
community of developers and users.
 Acclaimed: Nmap has won numerous awards, including "Information Security Product
of the Year" by Linux Journal, Info World and Codetalker Digest. It has been featured in

86
 hundreds of magazine articles, several movies, dozens of books, and one comic book
series.
 Popular: Thousands of people download Nmap every day, and it is included with many
operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc). It is
among the top ten (out of 30,000) programs at the Freshmeat.Net repository. This is
important because it lends Nmap its vibrant development and user support communities.33

7. RAM Capturer

RAM Capturer by Belkasoft is a free tool to dump the data from computer’s volatile memory.
It’s compatible with Windows OS. Memory dumps may contain encrypted volume’s password
and login credentials for webmails and social network services.

Memory dumps are a valuable source of ephemeral evidence and volatile information. Memory
dumps may contain passwords to encrypted volumes (TrueCrypt, BitLocker, PGP Disk), account
login credentials for many webmail and social network services such as Gmail, Yahoo Mail,
Hotmail; Facebook, Twitter, Google Plus; file sharing services such as Dropbox, Flickr,
SkyDrive, etc.
In order to extract ephemeral evidence out of already captured memory dumps, forensic experts
must use proper analysis software such as Belkasoft Evidence Center. Besides, some other tools
can be used to extract passwords to encrypted volumes (e.g. Elcomsoft Forensic Disk
Decryptor).
Acquiring volatile memory from a computer running a debugging protection or anti-dumping
system is tricky. Most memory acquisition tools run in the system’s user mode, and are unable to
bypass the defense of such protection system (which run in the systems’ most privileged kernel
mode). Belkasoft Live RAM Capturer is designed to work correctly even if an aggressive anti-
debugging or anti-memory dumping system is running. By operating in kernel mode, Belkasoft
Live RAM Capturer plays on the same level with these protection systems, being able to
correctly acquire address space of applications protected with the most sophisticated systems
such as nProtect GameGuard.34

33
https://nmap.org/
34
http://belkasoft.com/ram-capturer

87
8. Forensic Investigator

If you are using Splunk then Forensic Investigator will be a very handy tool. It’s Splunk app and
has many tools combined.

 WHOIS/GeoIP lookup
 Ping
 Port scanner
 Banner grabber
 URL decoder/parser
 XOR/HEX/Base64 convertor
 SMB Share/NetBIOS viewer
 Virus Total lookup

9. FAW

FAW (Forensics Acquisition of Websites) is to acquire web pages for forensic investigation

which has the following features.

 Capture the entire or partial page

 Capture all types of image
 Capture HTML source code of the web page
 Integrate with Wireshark

10. HashMyFiles

HashMyFiles is small utility that allows you to calculate the MD5 and SHA1 hashes of one or
more files in your system. You can easily copy the MD5/SHA1 hashes list into the clipboard, or
save them into text/html/xml file. 
HashMyFiles can also be launched from the context menu of Windows Explorer, and display the
MD5/SHA1 hashes of the selected file or folder.35

HashMyFiles will help you to calculate the MD5 and SHA1 hashes. It works on almost all latest
Windows OS.
35
http://www.nirsoft.net/utils/hash_my_files.html

88
11. USB Write Blocker

Noted physicist Werner Heisenberg said the act of observing something changes it. That’s
certainly true for your data. Every time you access a piece of information on your network, you
leave a fingerprint. That can compromise the metadata used to validate the information. USB
Write Blocker is our application that uses the Windows registry to write-block USB devices. It’s
a useful tool for those who wish to view the contents of USB drives without making changes to
the files’ metadata or timestamps.

This is a critical feature in the fields of digital and computer forensics, as well as eDiscovery,
where time stamps play a crucial role in the validity of evidence.36

View the USB drives content without leaving the fingerprint, changes to metadata and
timestamps. USB Write Blocker use Windows registry to write-block USB devices.

12. Crowd Response

Response by Crowd Strike is a windows application to gather system information for incident
response and security engagements. You can view the results in XML, CSV, TSV or HTML with
help of CRConvert. It runs on 32 or 64 bit of Windows XP above.

Crowd Strike has some other nice tools for investigation.

 Totrtilla – anonymously route TCP/IP and DNS traffic through TOR.

 Shellshock Scanner – scan your network for shellshock vulnerability
 Heartbleed scanner – scan your network for OpenSSL heart bleed vulnerability

13. NFI Defraser

Defraser forensic tool may help you to detect full and partial multimedia files in the data streams.
It is typically used to find (and restore) complete or partial video files in datastreams (for
instance, unallocated diskspace).37

14. ExifTool
36
http://dsicovery.com/software/usb-writeblocker/
37
https://sourceforge.net/projects/defraser/

89
ExifTool helps you to read, write and edit meta information for a number of file types. It can
read EXIF, GPS, IPTC, XMP, JFIF, GeoTIFF, Photoshop IRB, FlashPix, etc.38

15. Toolsley

Toolsley got more than 10 useful tools for investigation.

 File signature verifier

 File identifier
 Hash & Validate
 Binary inspector
 Encode text
 Data URI generator
 Password generator39

16. SIFT

An international team of forensics experts, led by SANS Faculty Fellow Rob Lee, created the
SANS Incident Forensic Toolkit (SIFT) Workstation for incident response and digital forensics
use and made it available to the whole community as a public service. The free SIFT toolkit, that
can match any modern incident response and forensic tool suite, is also featured in SANS'
Advanced Incident Response course (FOR 508). It demonstrates that advanced investigations
and responding to intrusions can be accomplished using cutting-edge open-source tools that are
freely available and frequently updated.40

SIFT (SANS investigative forensic toolkit) workstation is freely available as Ubuntu 14.04. SIFT
is a suite of forensic tools you need and one of the most popular open source incident response
platform.

17. Dumpzilla

38
http://www.sno.phy.queensu.ca/~phil/exiftool/
39
https://www.toolsley.com/
40
https://digital-forensics.sans.org/community/downloads/#overview

90
 Extract all interesting information from Firefox, Iceweasel and Seamonkey browser to be
analyzed with Dumpzilla.

18. Browser History

Foxton has two free interesting tools.

1. Browser history capturer – capture web browser (chrome, firefox, IE & edge) history on
Windows OS.
2. Browser history viewer – extract ana analyze internet activity history from most of the
modern browsers. Results are shown in the interactive graph and historical data can be
filtered.

19. ForensicUserInfo

Extract the following information with ForensicUserInfo.:41

 RID
 Login Name
 Name
 Description
 User Comment
 LM Hash
 NT Hash
 Last Login Date
 Password Reset Date
 Account Expiry Date
 Login Fail Date
 Login Count
 Failed Logins
 Profile Path
 Groups

41
http://www.woanware.co.uk/forensics/forensicuserinfo.html

91
20. Black Track

Blacktrack is one of the most popular platforms for penetration testing but it has forensic
capability too.

21. Paladin

PALADIN forensic suite – the world’s most popular Linux forensic suite is a modified Linux
distro based on Ubuntu available in 32 and 64 bit. Paladin has more than 100 tools under 29
categories, almost everything you need to investigate an incident. Autospy is included in latest
version – Paladin 6.

22. Sleuth Kit

The Sleuth Kit is a collection of command line tools to investigate and analyze volume and file
systems to find the evidence.

23. CAINE

CAINE (Computer Aided Investigate Environment) is Linux distro that offers the complete

forensic platform which has more than 80 tools for you to analyze, investigate and create an
actionable report.

92
 24.PUNISHMENTS

Section Offence Punishment Bailability and

Congizability

65 Tampering with Computer Imprisonment up to 3 Offence is

Source Code years or fine up to Rs Bailable,
2 lakhs Cognizable and
triable by Court
of JMFC.

66 Computer Related Offences Imprisonment up to 3 Offence is

years or fine up to Rs Bailable,
5 lakhs Cognizable and

93
66-A Sending offensive messages Imprisonment up to 3 Offence is
through Communication years and fine Bailable,
service, etc... Cognizable and
triable by Court
of JMFC

66-B Dishonestly receiving stolen Imprisonment up to 3 Offence is

computer resource or years and/or fine up to Bailable,
communication device Rs. 1 lakh Cognizable and
triable by Court
of JMFC

66-C Identity Theft Imprisonment of Offence is

either description up Bailable,
to 3 years and/or fine Cognizable and
up to Rs. 1 lakh triable by Court
of JMFC

66-D Cheating by Personation by Imprisonment of Offence is

using computer resource either description up Bailable,
to 3 years and /or fine Cognizable and
up to Rs. 1 lakh triable by Court
of JMFC

66-E Violation of Privacy Imprisonment up to 3 Offence is

years and /or fine up Bailable,
to Rs. 2 lakh Cognizable and
triable by Court
of JMFC

94
66-F Cyber Terrorism Imprisonment extend Offence is Non-
to imprisonment for Bailable,
Life Cognizable and
triable by Court
of Sessions

67 Publishing or transmitting On first Conviction, Offence is

obscene material in imprisonment up to 3 Bailable,
electronic form years and/or fine up to Cognizable and
Rs. 5 lakh On triable by Court
Subsequent of JMFC
Conviction
imprisonment up to 5
years and/or fine up to
Rs. 10 lakh

67-A Publishing or transmitting On first Conviction Offence is Non-

of material containing imprisonment up to 5 Bailable,
sexually explicit act, etc... in years and/or fine up to Cognizable and
electronic form Rs. 10 lakh On triable by Court
Subsequent of JMFC
Conviction
imprisonment up to 7
years and/or fine up to
Rs. 10 lakh

67-B Publishing or transmitting On first Conviction Offence is Non

of material depicting imprisonment of Bailable,
children in sexually explicit either description up Cognizable and
act etc., in electronic form to 5 years and/or fine triable by Court

95
 up to Rs. 10 lakh On of JMFC
Subsequent
Conviction
imprisonment of
either description up
to 7 years and/or fine
up to Rs. 10 lakh

67-C Intermediary intentionally Imprisonment up to 3 Offence is

or knowingly contravening years and fine Bailable,
the directions about Cognizable.
Preservation and retention
of information

68 Failure to comply with the Imprisonment up to 2 Offence is

directions given by years and/or fine up to Bailable, Non-
Controller Rs. 1 lakh Cognizable.

69 Failure to assist the agency Imprisonment up to 7 Offence is Non-

referred to in sub section (3) years and fine Bailable,
in regard interception or Cognizable.
monitoring or decryption of
any information through any
computer resource

69-A Failure of the intermediary Imprisonment up to 7 Offence is Non-

to comply with the direction years and fine Bailable,
issued for blocking for Cognizable.
public access of any
information through any

96
 computer resource

69-B Intermediary who Imprisonment up to 3 Offence is

intentionally or knowingly years and fine Bailable,
contravenes the provisions Cognizable.
of sub-section (2) in regard
monitor and collect traffic
data or information through
any computer resource for
cybersecurity

70 Any person who secures Imprisonment of Offence is Non-

access or attempts to secure either description up Bailable,
access to the protected to 10 years and fine Cognizable.
system in contravention of
provision of Sec. 70

70-B Indian Computer Imprisonment up to 1 Offence is

Emergency Response Team year and/or fine up to Bailable, Non-
to serve as national agency Rs. 1 lakh Cognizable
for incident response. Any
service provider,
intermediaries, data centres,
etc., who fails to prove the
information called for or
comply with the direction
issued by the ICERT.

71 Misrepresentation to the Imprisonment up to 2 Offence is

Controller to the Certifying years and/ or fine up Bailable, Non-

97
 Authority to Rs. 1 lakh. Cognizable.

72 Breach of Confidentiality Imprisonment up to 2 Offence is

and privacy years and/or fine up to Bailable, Non-
Rs. 1 lakh. Cognizable.

72-A Disclosure of information in Imprisonment up to 3 Offence is

breach of lawful contract years and/or fine up to Cognizable,
Rs. 5 lakh. Bailable

73 Publishing electronic Imprisonment up to 2 Offence is

Signature Certificate false in years and/or fine up to Bailable, Non-
certain particulars Rs. 1 lakh Cognizable.

74 Publication for fraudulent Imprisonment up to 2 Offence is

purpose years and/or fine up to Bailable, Non-
Rs. 1 lakh Cognizable.

98
 15. CASE LAWS

1. Frios v/s State of Kerela

Facts: In this case it was declared that the FRIENDS application software as protected
system. The author of the application challenged the notification and the constitutional
validity of software under Section 70. The court upheld the validity of both
It included tampering with source code. Computer source code the electronic form, it can
be printed on paper. 

Held: The court held that Tampering with Source code are punishable with three years
jail and or two lakh rupees fine of rupees two lakh rupees for altering, concealing and
destroying the source code.

2. Syed Asifuddin case:

Facts: In this case the Tata Indicom employees were arrested for manipulation of the
electronic 32- bit number (ESN) programmed into cell phones theft were exclusively
franchised to Reliance Infocom.
Held: Court held that Tampering with source code invokes Section 65 of the Information
Technology Act.

3. Parliament Attack Case:

99
 Facts: In this case several terrorist attacked on 13 December, 2001Parliament House. In
this the Digital evidence played an important role during their prosecution. The accused
argued that computers and evidence can easily be tampered and hence should not be
relied.

In Parliament case several smart device storage disks and devices, a Laptop were
recovered from the truck intercepted at Srinagar pursuant to information given by two
suspects. The laptop included the evidence of fake identity cards, video files containing
clips of the political leaders with the background of Parliament in the background shot
from T.V news channels. In this case design of Ministry of Home Affairs car sticker,
there was game “wolf pack” with user name of ‘Ashiq’. There was the name in one of the
fake identity cards used by the terrorist. No back up was taken therefore it was challenged
in the Court.

Held: Challenges to the accuracy of computer evidence should be established by the

challenger. Mere theoretical and generic doubts cannot be cast on the evidence.

4.R v/s Gold & Schifreen

In this case it is observed that the accused gained access to the British telecom Prestl
Gold computers networks file amount to dishonest trick and not criminal offence.

5. R v/s Whiteley.
In this case the accused gained unauthorized access to the Joint Academic Network
(JANET) and deleted, added files and changed the passwords to deny access to the
authorized users.

The perspective of the section is not merely protect the information but to protect the
integrity and security of computer resources from attacks by unauthorized person seeking
to enter such resource, whatever may be the intention or motive.

100
 6.The State of Tamil Nadu v/s Suhas Katti.

Facts: This case is about posting obscene, defamatory and annoying message about a
divorcee woman in the Yahoo message group. E-mails were forwarded to the victim for
information by the accused through a false e- mail account opened by him in the name of
the victim. These postings resulted in annoying phone calls to the lady. Based on the
complaint police nabbed the accused. He was a known family friend of the victim and
was interested in marrying her. She married to another person, but that marriage ended in
divorce and the accused started contacting her once again. And her reluctance to marry
him he started harassing her through internet.

Held: The accused is found guilty of offences under section 469, 509 IPC and 67 of IT
Act 2000 and the accused is convicted and is sentenced for the offence to undergo RI for
2 years under 469 IPC and to pay fine of Rs.500/-and for the offence u/s 509 IPC
sentenced to undergo 1 year Simple imprisonment and to pay fine of Rs.500/- and for the
offence u/s 67 of IT Act 2000 to undergo RI for 2 years and to pay fine of Rs.4000/- All
sentences to run concurrently.”

The accused paid fine amount and he was lodged at Central Prison, Chennai. This is
considered the first case convicted under section 67 of Information Technology Act 2000
in India.

In a recent case, a groom's family received numerous emails containing defamatory

information about the prospective bride. Fortunately, they did not believe the emails and
chose to take the matter to the police. The sender of the emails turned out to be the girl's
step-father, who did not want the girl to get married, as he would have lost control over
her property, of which he was the legal guardian. 

7. Avnish Bajaj (CEO of bazzee.com – now a part of the eBay group of companies)
case.

101
 Facts: There were three accused first is the Delhi school boy and IIT Kharagpur Ravi Raj
and the service provider Avnish Bajaj. 

The law on the subject is very clear. The sections slapped on the three accused were
Section 292 (sale, distribution, public exhibition, etc., of an obscene object) and Section
294 (obscene acts, songs, etc., in a public place) of the Indian Penal Code (IPC), and
Section 67 (publishing information which is obscene in electronic form) of the
Information Technology Act 2000. In addition, the schoolboy faces a charge under
Section 201 of the IPC (destruction of evidence), for there is apprehension that he had
destroyed the mobile phone that he used in the episode. These offences invite a stiff
penalty, namely, imprisonment ranging from two to five years, in the case of a first time
conviction, and/or fines. 

Held: In this case the Service provider Avnish Bajaj was later acquitted and the Delhi
school boy was granted bail by Juvenile Justice Board and was taken into police charge
and detained into Observation Home for two days.

8. DASKHINA Kannada police have solved the first case of cyber crime in the
district. 

A press release by Dakshina Kannada Police said here on Saturday that a Father at a
Christian institution in the city had approached the Superintendent of Police with a
complaint that he was getting offensive and obscene e-mails. 

Police said that all the three admitted that they had done this to tarnish the image of the
Father. As the three tendered an unconditional apology to the Father and gave a written
undertaking that they would not repeat such act in future, the complainant withdrew his
complaint. Following this, the police dropped the charges against the culprit. 

The release said that sending of offensive and obscene e-mails is an offence under the
Indian Information Technology Act 2000. If the charges are framed.

102
 9.Bennett Coleman & Co. v/s Union of India. 
In this case the publication has been stated that ‘publication means dissemination and
circulation’. In the context of digital medium, the term publication includes and
transmission of information or data in electronic form. 

10.R v/s Governor of Brixton prison and another.

Facts: In this case the Citibank faced the wrath of a hacker on its cash management
system, resulting in illegal transfer of funds from customers account in to the accounts of
the hacker, later identified as Valdimer Levin and his accomplices. After Levin was
arrested he was extradite to the United States. One of the most important issues was
jurisdictional issue, the ‘place of origin’ of the cyber crime. 

Held: The Court helds that the real- time nature of the communication link between Levin
and Citibank computer meant that Levin’s keystrokes were actually occurring on the
Citibank computer.

It is thus important that in order to resolve the disputes related to jurisdiction, the issue of
territoriality and nationality must be placed by a much broader criteria embracing
principles of reasonableness and fairness to accommodate overlapping or conflicting
interests of states, in spirit of universal jurisdiction. 

103
 16. CONCLUSION
Cyber crimeswill always be an ongoing challenge despite the advancements being made
by numerous countries. Most countries have their own laws to combat cybercrimes, but
some doesn’t have any new laws but solely relies on standard terrestrial law to prosecute
these crimes. Along with outdated laws to combat cybercrime, there are still feeble
penalties set in place to punish criminals, thus doing no major prevention of cybercrimes’
which affect the economy and people’s social lives on a large scale by those criminals.
Consequently, there is a desperate need for countries on a global scale to come together
and decide on what constitute a cybercrime, and develop ways in which to persecute
criminals across different countries.
It is recommend that until sufficient legal actions can be put in place where individual
countries and global ways of persecution criminals, self-protection remains the first line
of defense. The everyday individuals and businesses need to make sure they are educated
on what to do in terms of prevent in becoming the next victim of cybercrimes. This basic
awareness can help prevent potential cybercrimes against them.
It is almost impossible to reduce cyber crime from the cyber-space. Looking back on the
many different acts passed, history can be witness that no legislation has thrived in total
elimination of cybercrime from the world. The only possible step is to make people
aware of their rights and duties and further making more punishable laws which is more
stringent to check them. Undoubtedly, the different Acts were and still are historical steps
in the virtual world as we know it. This further suggests that there is a need to convey
modifications in the Information Technology Act so it can be more effective to fight
104
 cyber crimes. Caution should be employed for the pro-legislation educational institutions
that the requirements of the cyber laws are not prepared so rigorous that it may delay the
growth of the commerce and demonstrate to be counter-productive to many. Remember,
cybercriminals are evolving as well in terms of computer knowledge per technological
advancement made.
Nevertheless, business should employ practices where their employees follow proper
safety practices to ensure that integrity and confidentially of stored information is kept at
all times to combat cybercrimes. Safety practices like ensuring that staying off game sites
on company time where viruses can be downloaded, forwarding chain emails, leaving
workstation unattended or password sharing over virtual mediums should be prohibited.
With all these safety practices implemented, it can be said that the safety of many clients
stored information is optimal.

1.

105
 27.BIBLIOGRAPHY

1. Cyber Crime: Investigating High Technology Computer Crime, moore.

2. Recovering and Exmining Computer forensic Investigation
3. Lexis Nexis
4. Bare Act, 2017.
5. Guide to Computer Forensics and Investigation, Nelson.
6. Computer Forensics: Incidnt Response Essentials.
7. Hacing Exposed; 5th ed.
8. Malware: Fighting malicious Code.

106
 28. WEBLIOGRAPHY

www.computerforensicstraining.com

www.leb.fib.gov.com

www.nij.gov.com

www.forensiccontrol.com

www.forensic.com

www.hubpages.com

www.privateinvestigations.com

www.ehoe.com

www.lexisnexis.com

www.akati.com

www.evidencemagazine.com

www.cs.kent.ac

www.geelflare.com

www.magnetforensic.com

www.digitalforensic.com

107
108