Workshop on “Cyber Crime” Wednesday, 18th June 2010 - Hotel Bristol, M.G. Road, Gurgaon Session IV- Incident Response and Reporting Cyber Crimes By Karnika Seth Managing Partner, SETH ASSOCIATES


Workshop on

“Cyber Crime”

Wednesday, 18th June 2010 - Hotel Bristol, M.G. Road, Gurgaon

Session IV - Incident Response and Reporting Cyber Crimes

By Karnika Seth, Managing Partner, SETH ASSOCIATES

Presentation plan

Incident Response and Reporting Cyber Crimes:

How to handle a cybercrime scenario
Importance of Corporate training in cyberlaws
How to report Cyber Crime
Legal recourse available in cybercrime cases
Role of forensic expert & cyberlawyer
Steps that lead to effective prosecution & conviction

Incident Response – a precursor to Techniques of Cyber investigation & forensic tools

‘Incident response’ could be defined as a precise set of actions to handle any security incident in a responsible, meaningful and timely manner.

Goals of incident response:
To confirm whether an incident has occurred
To promote accumulation of accurate information
Educate senior management
Help in detection/prevention of such incidents in the future
To provide rapid detection and containment
Minimize disruption to business and network operations
To facilitate criminal action against perpetrators

Possible reliefs to a cybercrime victim- strategy adoption

A victim of cybercrime needs to immediately report the matter to his local police station and to the nearest cybercrime cell

Depending on the nature of crime there may be civil and criminal remedies.

In civil remedies, injunction and restraint orders and blocking of websites may be sought, together with damages, delivery up of infringing matter and/or account for profits.

In criminal remedies, a cybercrime case will be registered by police if the offence is cognisable; if it is non-cognisable, a complaint should be filed with the metropolitan magistrate.

For certain offences, both civil and criminal remedies may be available to the victim

Before lodging a cybercrime case

Important parameters:
Gather ample evidence admissible in a court of law
Fulfill the criteria of the pecuniary, territorial and subject matter jurisdiction of a court
Determine jurisdiction – case may be filed where the offence is committed or where effect of the offence is felt (S. 177 to 179, CrPC)

The criminal prosecution pyramid

Conviction/acquittal

Trial

Contents of charge

Issue of process –summons, warrant

Examine the witnesses

Examine the complainant on oath

Initiation of criminal proceedings-cognizance of offences by magistrates

Preparation for prosecution

Collect all evidence available & saving snapshots of evidence
Seek a cyberlaw expert’s immediate assistance for advice on preparing for prosecution
Prepare a background history of facts chronologically as per facts
Pen down names and addresses of suspected accused
Form a draft of complaint and remedies a victim seeks
Cyberlaw expert & police could assist in gathering further evidence, e.g. tracing the IP in case of e-mails, search & seizure or arrest as appropriate to the situation
A cyber forensic study of the hardware/equipment/network server related to the cybercrime is generally essential

Defending an accused in a cybercrime

Preparation of chain of events table
Probing where evidence could be traced? E-mail inbox/files/folders/web history
Has the accused used any erase evidence software/tools?
Forensically screening the hardware/data/files/print outs/camera/mobile/pendrives of evidentiary value
Formatting may not be a solution
Apply for anticipatory bail
Challenge evidence produced by opposite party and look for loopholes
Filing of a cross complaint if appropriate

Amendments- Indian Evidence Act 1872

Section 3 of the Evidence Act amended to take care of admissibility of ER as evidence along with the paper based records as part of the documents which can be produced before the court for inspection.

Section 4 of IT Act confers legal recognition to electronic records

Societe Des products Nestle SA case 2006 (33) PTC 469

By virtue of provision of Section 65A, the contents of electronic records may be proved in evidence by parties in accordance with provision of 65B.

Held- Sub section (1) of section 65B makes admissible as a document, paper print out of electronic records stored in optical or magnetic media produced by a computer subject to fulfillment of conditions specified in subsection 2 of Section 65B.

a) The computer from which the record is generated was regularly used to store or process information in respect of activity regularly carried on by person having lawful control over the period, and relates to the period over which the computer was regularly used.

b) Information was fed in the computer in the ordinary course of the activities of the person having lawful control over the computer.

c) The computer was operating properly, and if not, was not such as to affect the electronic record or its accuracy.

d) Information reproduced is such as is fed into computer in the ordinary course of activity.

State v Mohd Afzal, 2003 (7) AD (Delhi) 1

State v Navjot Sandhu (2005)11 SCC 600

Held, while examining Section 65 B Evidence Act, it may be that certificate containing details of subsection 4 of Section 65 is not filed, but that does not mean that secondary evidence cannot be given.

Sections 63 & 65 of the Indian Evidence Act enable secondary evidence of contents of a document to be adduced if the original is of such a nature as not to be easily movable.

Presumptions in law- Section 85 B Indian Evidence Act

The law also presumes that in any proceedings, involving secure digital signature, the court shall presume, unless the contrary is proved, that the secure digital signature is affixed by the subscriber with the intention of signing or approving the electronic record

In any proceedings involving a secure electronic record, the court shall presume, unless contrary is proved, that the secure electronic record has not been altered since the specific point of time, to which the secure status relates

Live demo - sending fake e-mails and reading headers, phishing attacks

Use of www.fakemailer.net
Use of Whois
Dissecting header and body of an e-mail
message digest, IP address
Return path
Sender’s address
Live demo phishing - www.noodlebank.com, www.nood1ebank.com
www.whois.sc
www.readnotify.com

Fake bank sites

Checking authenticity of e-mail

Internet headers - example

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: (qmail 14805 invoked by uid 399); 14 Jun 2010 10:06:26 -0000
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on cp.mysticaconsultancy.com
X-Spam-Level: **
X-Spam-Status: No, score=2.2 required=5.0 tests=AWL,DEAR_SOMETHING,
    HTML_MESSAGE,RDNS_NONE autolearn=disabled version=3.2.5
X-Virus-Scan: Scanned by ClamAV 0.94.2 (no viruses); Mon, 14 Jun 2010 15:36:27 +0530
Received: from unknown (HELO nwt201.smartinfo.com.hk) (58.64.135.201)
    by mail.mysticaconsultancy.com with ESMTP; 14 Jun 2010 10:06:26 -0000
X-Originating-IP: 58.64.135.201
Received-SPF: none (mail.mysticaconsultancy.com: domain at indilaw.com does not designate permitted sender hosts)
    identity=mailfrom; client-ip=58.64.135.201; envelope-from=<[email protected]>;
Received: from [202.155.235.123] (helo=Jamesz17)
    by nwt201.smartinfo.com.hk with esmtp (Exim 4.69)
    (envelope-from <[email protected]>)
    id 1OO6fd-0007ti-HO
    for [email protected]; Mon, 14 Jun 2010 18:13:33 +0800
From: "James Burden" <[email protected]>
To: "'Karnika Seth'" <[email protected]>
References: <019701cadbb6$790ebbe0$6b2c33a0$@com>
    <!&!AAAAAAAAAAAYAAAAAAAAAPOg2rbT7EZBvR1yEZiTNb3CgAAAEAAAAMwSmJZkO0ZEhmOq1ziIk4UBAAAAAA==@sethassociates.com>
    <047701cadc97$57b829e0$07287da0$@com>
    <!&!AAAAAAAAAAAYAAAAAAAAAPOg2rbT7EZBvR1yEZiTNb3CgAAAEAAAAACtRFRrSaVJgPc/B/[email protected]>
In-Reply-To: <!&!AAAAAAAAAAAYAAAAAAAAAPOg2rbT7EZBvR1yEZiTNb3CgAAAEAAAAACtRFRrSaVJgPc/B/[email protected]>
Subject: RE: A story of interest from India Business Law Journal
Date: Mon, 14 Jun 2010 18:18:18 +0800
Message-ID: <009101cb0baa$ea0541b0$be0fc510$@com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0092_01CB0BED.F82881B0"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcrbtlhfkWh1MrOJSyWK5i/aRRropAA1ZBKQAALOomAAAJ4NYAvEM6+w
Content-Language: en-us
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - nwt201.smartinfo.com.hk
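The checks a reader performs by eye on headers like those above (tracing the Received chain back to the originating IP, comparing the sender's address with the Return-Path, reading the Received-SPF result) can be scripted. The following is an added example, not part of the original presentation; the sample message is constructed with placeholder hosts and addresses, and `analyse` and `domain` are hypothetical helper names.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the header layout above; all hosts and
# addresses are placeholders (documentation IP ranges, example domains).
SAMPLE = """\
Return-Path: <bounce@sender.example>
Received: from unknown (HELO relay.example.net) (203.0.113.201)
    by mail.recipient.example with ESMTP; 14 Jun 2010 10:06:26 -0000
Received-SPF: none (mail.recipient.example: domain at sender.example does not
    designate permitted sender hosts) identity=mailfrom; client-ip=203.0.113.201;
Received: from [198.51.100.123] (helo=desktop17)
    by relay.example.net with esmtp (Exim 4.69)
    id 1OO6fd-0007ti-HO; Mon, 14 Jun 2010 18:13:33 +0800
From: "James Example" <james@lawfirm.example>
To: "Recipient" <user@recipient.example>
Subject: RE: sample

body
"""

IPV4 = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def domain(addr_header):
    """Lower-cased domain of an address header, or '' if absent."""
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()

def analyse(raw):
    msg = message_from_string(raw)
    # Each relay prepends its Received line, so reversing gives origin first.
    hops = []
    for rcvd in reversed(msg.get_all("Received", [])):
        m = IPV4.search(rcvd)
        by = re.search(r"\bby\s+(\S+)", rcvd)
        hops.append((m.group(1) if m else None, by.group(1) if by else None))
    spf = (msg.get("Received-SPF") or "missing").split()[0].lower()
    from_dom, rp_dom = domain(msg["From"]), domain(msg["Return-Path"])
    flags = []
    if from_dom != rp_dom:
        flags.append("from/return-path domain mismatch")
    if spf != "pass":
        flags.append("spf=" + spf)
    return {"hops": hops, "from": from_dom, "return_path": rp_dom, "flags": flags}

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(key, value)
```

A From/Return-Path mismatch or a non-pass SPF result is a reason to look closer, not proof of forgery. Only Received lines added by relays the recipient controls can be trusted; lines below them may have been written by the sender.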

Read notify

Thank you!

SETH ASSOCIATES

ADVOCATES AND LEGAL CONSULTANTS

New Delhi Law Office:

C-1/16, Daryaganj, New Delhi-110002, India

Tel:+91 (11) 65352272, +91 9868119137

Corporate Law Office:

B-10, Sector 40, NOIDA-201301, N.C.R ,India

Tel: +91 (120) 4352846, +91 9810155766

Fax: +91 (120) 4331304

E-mail: [email protected]