Digital Forensics Best Practices with the use of Open Source Tools and Admissibility of Digital Evidence in Courts Mr. Ninad Nawaghare CFE CFAP DEA CSIR Mr. Sagar Rahurkar CFE BLS LLB LLM CCI


Page 1: Digital Forensics best practices with the use of open source tools and admissibility of digital evidence in courts

Digital Forensics Best Practices with the use of Open Source Tools and Admissibility of Digital Evidence in Courts

Mr. Ninad Nawaghare CFE CFAP DEA CSIR

Mr. Sagar Rahurkar CFE BLS LLB LLM CCI

Page 2

Illustration 1

The boy is accused of sending an obscene SMS.

As per National Crime Research Bureau, during 2012, 587 cases were registered under the cyber crime category for eve teasing / harassment.

Source: National Crime Research Bureau - http://ncrb.gov.in/

Page 3

Illustration 2

The origin of a threatening email was traced back to a cyber café.

As per National Crime Research Bureau, during 2012, a total of 135 cases were registered under the cyber crime category for extortion & revenge settling.

Source: National Crime Research Bureau - http://ncrb.gov.in/

Page 4

Illustration 3

Accounting software is stolen from a server located in Country A. With minor alterations, the same software is sold at a cheaper cost in Country B.

As per National Crime Research Bureau, during 2012, a total of 624 cases were registered under the cyber crime category for greed of money and 668 cases were registered for fraud / illegal gain.

Source: National Crime Research Bureau - http://ncrb.gov.in/

Page 5

Illustration 4

With the intention of taking revenge on the management, a disgruntled employee sends a fake mail to the stakeholders mentioning irregularities in the company's affairs.

As per National Crime Research Bureau, during 2012, a total of 117 cases were registered under the cyber crime category for causing disrepute to an individual, government or organization.

Source: National Crime Research Bureau - http://ncrb.gov.in/

Page 6

Vexing questions with respect to the illustrations

• Where is the evidence?

• How do I investigate?

• How do I prove the crime?

• What is the evidence?

Page 7

Solution is “Digital Forensics”

‘Digital’ is defined in the Oxford Dictionary as [2]:

(of signals or data) expressed as series of the digits 0 and 1, typically represented by values of a physical quantity such as voltage or magnetic polarization. Often contrasted with analogue.

• involving or relating to the use of computer technology: the digital revolution

‘Forensics’ is defined in the Oxford Dictionary as [3]:

Scientific tests or techniques used in connection with the detection of crime

Thus Digital Forensics can be defined as:

Discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications and storage devices in a way that is admissible as evidence in a court of law.

Sources: [2] http://oxforddictionaries.com/definition/english/digital?q=Digital / [3] http://oxforddictionaries.com/definition/english/forensic

Page 8

Expected outcome of “Digital Forensics” is “Digital Evidence”

Digital evidence can be defined as:

Information and data of value to an investigation that is stored on, received, or transmitted by an electronic device. This evidence is acquired when data or electronic devices are seized and secured for examination.

Traits of Digital Evidence

• May be found in storage devices like hard disc, CD, DVD, memory card, USB drive, mobile phones & SIM card, and in online resources like mail servers & cloud servers

• Can be hidden in password protected files, encrypted files, steganography files, formatted hard disc, HPA (Host Protected Area) or DCO (Device Configuration Overlay) of the hard drives

• Can relate to online fraud, organized crime, identity theft, data theft, unauthorized access, malicious files (virus attack), data alteration, cyber defamation, cyber pornography, online gambling, sale of illegal items, etc.

Page 9

Phases in “Digital Forensics” process

Phase 1: Identification of storage media for potential evidence

Phase 2: Acquisition of the storage media

Phase 3: Forensic analysis of the acquired media

Phase 4: Documentation & Reporting
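An added example of what Phase 2 (acquisition) and Phase 4 (documentation) look like in practice; it is not code from the presentation or from any of the tools it lists. It copies a source block by block the way dd does, hashes the source before and after imaging and the image itself, and returns a custody record whose digest can be re-checked before analysis or when the image is produced in court. The examiner name and case id are placeholders, and the "device" is a constructed sample file, not real media.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # copy in fixed blocks, as dd does with bs=4096


def sha256_of(path):
    """Stream-hash a file so images larger than RAM are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source, image, examiner, case_id):
    """Copy `source` to `image` block by block and return a custody record.
    Three digests are kept: source before imaging, source after imaging (the
    copy must not alter it; a write blocker enforces that on real media) and
    the image. All three must agree, otherwise the acquisition is repeated."""
    pre = sha256_of(source)
    blocks = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            dst.write(chunk)
            blocks += 1
    post, img = sha256_of(source), sha256_of(image)
    return {
        "case_id": case_id,  # placeholder values are passed in by demo()
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "image": image,
        "blocks_copied": blocks,
        "source_sha256_before": pre,
        "source_sha256_after": post,
        "image_sha256": img,
        "verified": pre == post == img,
    }


def verify_image(image, record):
    """Re-hash a stored image against its custody record, e.g. before
    analysis starts or when the image is produced in court."""
    return sha256_of(image) == record["image_sha256"]


def demo():
    """Acquire a constructed 10,000-byte sample 'device' (not a real disk),
    then show that a single altered byte in the image fails verification."""
    tmp = tempfile.mkdtemp()
    source = os.path.join(tmp, "sample_device.bin")
    image = os.path.join(tmp, "sample_device.dd")
    with open(source, "wb") as f:
        f.write(bytes(range(256)) * 39 + b"\x00" * 16)  # constructed sample
    record = acquire(source, image, "EXAMINER-PLACEHOLDER", "CASE-PLACEHOLDER")
    intact = verify_image(image, record)
    with open(image, "r+b") as f:  # simulate tampering or bit rot in storage
        f.seek(5000)
        f.write(b"\xff")
    return record, intact, verify_image(image, record)
```

On real media the source is attached through a hardware write blocker and the record is printed and signed, since the 65B-style affidavit described later relies on exactly this kind of documented, reproducible hash check.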

Page 10

Forensic analysis of the acquired media involves:

• Analyzing digital information

• Identifying traces of network / computer intrusion

• Identifying & examining malicious files

• Employing techniques to crack file & system passwords

• Detecting steganography

• Recovering deleted, fragmented & corrupted data

• Analyzing online activities

• Maintaining evidence custody procedures

• Courtroom presentation

Page 11

To Recapitulate

[Diagram: Storage Media → subjected to → Digital Forensics Process → acquires → Digital Evidence]

The Digital Forensics Process can be implemented either by using commercial tools, a.k.a. proprietary tools, or open source free tools.

Commercial / Proprietary Tools are software applications designed with a commercial objective. The source code & the internal working of the software application are privileged and concealed from the user.

Open Source Free Tools are software applications available for usage at no cost. The source code & the internal working of the software application are known to the user. Furthermore, the user has the liberty of altering the source code as per the requirements.

Page 12

ISSUES with Commercial / Proprietary Tools

• High capital cost
• High operational cost
• High maintenance cost (paid updates or bug fixing)
• Algorithm / logic not known
• Source code is strictly privileged
• Heavy dependency on the software manufacturer
• Restricted usage

ADVANTAGES with Open Source Tools

• Zero capital cost
• Minimal / no operational cost
• Minimal / no maintenance cost
• Algorithm / logic is known to the user
• Source code is freely available for access, editing & customization
• Extensive support from the open source community
• Free usage for any number of users

Page 13

Law Enforcement initiative in “Open Source Digital Forensics Tools”

• By: Belgian Federal Computer Crime Unit (FCCU) - http://www.lnx4n6.be/index.php

• An advanced network forensic framework (PyFLAG). By: Australian Federal Police, Brisbane, Australia - http://sourceforge.net/projects/pyflag/files/

• Project in the Software and Systems Division, supported by the Law Enforcement Standards Office and the Department of Homeland Security - http://www.cftt.nist.gov/index.html

Page 14

Law Enforcement initiative in “Open Source Digital Forensics Tools” cont.

• The Open Computer Forensics Architecture (OCFA) is a modular computer forensics framework built by the Dutch National Police Agency - http://ocfa.sourceforge.net/

• ForeIndex: A Framework for Analysis and Triage of Data Forensics. By: Forensic Expert of the Brazilian Federal Police & Researcher of the Brazilian Space Agency - http://www.basistech.com/about-us/events/open-source-forensics-conference/2011/presentations/

Page 15

Commercial / Proprietary & Open Source Tools for Imaging in Acquisition Phase

(Note: the open source tools listed below may not be limited to the same purpose.)

Proprietary Tools
• EnCase Forensic - Guidance Software - www.guidancesoftware.com/encase-forensic.htm
• FTK - AccessData - www.accessdata.com/products/digital-forensics/ftk
• WinHex - X-Ways Software Technology AG - www.x-ways.net/winhex/
• Forensics Apprentice - www.registryforensics.com/
• BlackLight - www.blackbagtech.com/blacklight-1.html
• Cellebrite - Mobile Forensics and Data transfer solutions - www.cellebrite.com/
• Paraben - Handheld Digital Forensics - http://www.paraben.com/handheld-forensics.html

Open Source Tools
• Digital Forensics Framework - www.digital-forensic.org
• CAINE - www.caine-live.net/
• DEFT - www.deftlinux.net/

Page 16

Commercial / Proprietary & Open Source Tools for Forensic Analysis

(Note: the open source tools listed below may not be limited to the same purpose.)

Analysis tasks covered:
• Analyzing digital information
• Identifying & examining malicious files
• Recovering deleted, fragmented, corrupted data
• Analyzing online activities
• Analyzing mobiles

Proprietary Tools
• EnCase Forensic - Guidance Software - www.guidancesoftware.com/encase-forensic.htm
• FTK - AccessData - www.accessdata.com/products/digital-forensics/ftk
• WinHex - X-Ways Software Technology AG - www.x-ways.net/winhex/
• Forensics Apprentice - www.registryforensics.com/
• BlackLight - www.blackbagtech.com/blacklight-1.html
• Cellebrite - Mobile Forensics and Data transfer solutions - www.cellebrite.com/
• Paraben - Handheld Digital Forensics - http://www.paraben.com/handheld-forensics.html

Open Source Tools
• Digital Forensics Framework - www.digital-forensic.org
• CAINE - www.caine-live.net/
• DEFT - www.deftlinux.net/
• SAFT Mobile Forensics - www.signalsec.com/saft/

Page 17

Commercial / Proprietary & Open Source Tools for Forensic Analysis cont.

(Note: the open source tools listed below may not be limited to the same purpose.)

Identifying traces of network / computer intrusion

Analyzing RAM

Free Tools
• CMAT - http://sourceforge.net/projects/cmat
• Volafox - https://www.volatilesystems.com/default/volatility
• Volatility - https://www.volatilesystems.com/default/volatility

Proprietary Tools
• Second Look - http://secondlookforensics.com/
• Windows Scope - http://windowsscope.com/
• Memoryze - http://www.mandiant.com/resources/download/memoryze/

Network Forensics: capturing / analyzing network packets

Free Tools
• Wireshark - http://www.wireshark.org/
• NetworkMiner - http://networkminer.en.malavida.com/

Proprietary Tools
• NetIntercept - http://www.securitywizardry.com/index.php/products/forensic-solutions/network-forensic-tools/niksun-netintercept.html

Registry analysis

Free Tools
• Registry Decoder - http://www.digitalforensicssolutions.com/registrydecoder/

Proprietary Tools
• Registry Recon - http://arsenalrecon.com/apps/

Page 18

Commercial / Proprietary & Open Source Tools for Forensic Analysis cont.

(Note: the open source tools listed below may not be limited to the same purpose.)

Employing techniques to crack file & system passwords

Password cracking

Free Tools
• John the Ripper - www.openwall.com/john
• Cracking passwords for Windows, PDF, Word, RAR, ZIP & Excel - http://pcsupport.about.com/od/toolsofthetrade/tp/password-cracker-recovery.htm

Proprietary Tools
• Password Recovery - www.elcomsoft.com/products.html
• Passware - http://www.lostpassword.com/

Detecting Pornography

Free Tools
• Redlight Porn Scanner - http://dfcsc.uri.edu/research/redLightTrial [NIJ Funded Project: http://www.nij.gov/topics/technology/software-tools.htm]

Proprietary Tools
• SurfRecon - http://www.surfrecon.com/products/home-edition.php

Page 19

Admissibility of Digital Evidence in Courts

Page 20

Orientation

• Digital Evidence - Meaning

• Requirements U/Sec. 65B of the Indian Evidence Act

• Expert Examiner of Electronic Evidence

• Daubert Principle for Expert Witness

Page 21

Digital Evidence

Evidence as defined U/Sec. 3 of the Indian Evidence Act means and includes all statements and all documents, including electronic records, produced for the inspection of the Court.

Page 22

Requirement U/Sec. 65B of the Indian Evidence Act

Sec. 65B - Admissibility of electronic records

• Any information contained in an electronic record,

• if printed on a paper, stored, recorded or copied in optical or magnetic media produced by a computer, shall be deemed to be a document,

• if the conditions mentioned in this section are satisfied in relation to the information and computer in question, and

• shall be admissible in any proceedings, without further proof or production of the original, as evidence of any contents of the original or of any fact stated therein of which direct evidence would be admissible.

Page 23

Conditions U/Sec. 65B

(a) Regular use of the computer by the authorised person

The computer output containing the information was produced by the computer during the period over which the computer was used regularly to store or process information for the purposes of any activities regularly carried on over that period by the person having lawful control over the use of the computer.

(b) Regular feeding of information into the system in the ordinary course of business

During the said period, information of the kind contained in the electronic record or of the kind from which the information so contained is derived was regularly fed into the computer in the ordinary course of the said activities;

Page 24

Conditions U/Sec. 65B

(c) Working state of the media

Throughout the material part of the said period, the computer was operating properly or, if not, then in respect of any period in which it was not operating properly or was out of operation during that part of the period, was not such as to affect the electronic record or the accuracy of its contents; and

(d) The information contained in the electronic record reproduces or is derived from such information fed into the computer in the ordinary course of the said activities.

Page 25

Requirement of an Affidavit

• To demonstrate compliance with the requirements of the conditions, a statement in the form of an affidavit is required to be made in the court.

• It should be signed by a person occupying a responsible official position in relation to the operation of the relevant device or the management of the relevant activities (Section 65B(4)).

Page 26

Is it really necessary?

• The requirement to file an affidavit under Sec. 65B is not absolute. The Supreme Court, in the case of State v. Navjot Sandhu, while examining Section 65B, held that even when an affidavit/certificate under Sec. 65B is not filed, it would not foreclose the Court from examining such evidence, provided it complies with the requirements of Sections 63 and 65 of the Evidence Act (refer to Para 150 of the judgement).

• In Vodafone Essar Ltd. vs. Raju Sud, the Bombay High Court dispensed with the requirement under Sec. 65B.

Page 27

Expert Witness

• A witness who, by virtue of education, training, skill, or experience, is believed to have knowledge in a particular subject beyond that of an average person.

• In a famous Scottish case, Davie v Edinburgh Magistrates (1953), the function of an expert witness is described as ‘to furnish the judge with the necessary scientific criteria for testing the accuracy of their conclusions, so as to enable them to form their own independent judgment by the application of these criteria to the facts provided in evidence’.

Page 28

Daubert Principle for Expert Witness

If scientific, technical, or other specialized knowledge will assist the trier of fact to understand the evidence or to determine a fact in issue, a witness qualified as an expert by knowledge, skill, experience, training, or education may testify in the form of an opinion.

Criteria for an expert under the principle:

1) Whether the expert has used scientific methods / discovery techniques?

2) Whether the method/s used by the expert in the case has ever been used by any other expert, or the same expert, in any other case?

3) Whether the testimony is the product of reliable principles and methods?

4) Whether the expert has applied the principles and methods reliably to the facts of the case?

Page 29

Examiner of Electronic Evidence

Sec. 79A – The Information Technology Act, 2000

• The Central Government may, for the purposes of providing expert opinion on electronic evidence before any court or other authority, specify, by notification in the Official Gazette, any department, body or agency of the Central Government or a State Government as an Examiner of Electronic Evidence.

Page 31

Sagar Rahurkar - [email protected] - +91-9623444448

Ninad Nawaghare - [email protected] - +91-9004094463