ch2 - cyber law

Upload: sarthak-gupta

Post on 07-Apr-2018


  • 8/6/2019 Ch2 - Cyber Law

    1/22

    CYBER LAW

    Session Objectives:

    At the end of this Session, you will be able to understand

    Cyber Laws- from Indian Perspective.

    Emergence of IT ACT-2000.

    Types of Attacks by Crackers.

    Types of Techniques used by Crackers.

    Cyber Crime Measures.

    Chapter-2

    All Rights Reserved. www.sedulitygroups.com 1


    Introduction__________________________________________

    Cyber Law is a term that encapsulates the legal issues related to use of Communicative, Transactional, and Distributive aspects of networked information Devices and Technologies. It is less a distinct field of law in the way that property or contracts are, as it is a domain covering many areas of law and regulation. Some leading topics include Intellectual Property, Privacy, Freedom of Expression, and Jurisdiction. In Indian law, Cyber Crime has to be voluntary and willful, an act or omission that adversely affects a person or property. The IT Act provides the backbone for E-Commerce, and India's approach has been to look at E-Governance and E-Commerce primarily from the promotional aspects, looking at the vast opportunities and the need to sensitize the population to the possibilities of the information age. There is the need to take into consideration the security aspects.

    In the present global situation where Cyber control mechanisms are important we need to push Cyber Laws. Cyber Crimes are a new class of crimes to India rapidly expanding due to extensive use of internet. Getting the right lead and making the right interpretation are very important in solving a cyber crime. In India, there are 30 million policemen to train apart from 12,000 strong Judiciary. Police in India are trying to become cyber crime savvy and hiring people who are trained in the area. Many police stations in Delhi have computers which will be soon connected to the Head Quarters. Cyber Police Stations are functioning in major Cities all over the Country. The pace of the investigations can become faster; judicial sensitivity and knowledge need to improve. IT Institutions can also play a role in this area.

    Technology nuances are important in a spam infested environment where privacy can be compromised and individuals can unsuspectingly become victims. Most cyber criminals have a counterpart in the real world. If loss of property or persons is caused the criminal is punishable under the IPC also. Since the law enforcement agencies find it is easier to handle it under the IPC, IT Act cases are not getting reported and when reported are not necessarily dealt with under the IT Act. A lengthy and intensive process of learning is required.

    A whole series of initiatives of cyber forensics were undertaken and cyber law procedures resulted out of it. This is an area where learning takes place every day as we are all beginners in this area. We are looking for solutions faster than the problems can get invented. We need to move faster than the criminals.

    The real issue is how to prevent cyber crime. For this, there is need to raise the probability of apprehension and conviction. India has a law on evidence that considers admissibility, authenticity, accuracy, and completeness to convince the judiciary. The challenge in cyber crime cases includes getting evidence that will stand scrutiny in a foreign court. For this India needs total international cooperation with specialized agencies of different countries. The police have to ensure that what they have seized is exactly what was there at the scene of crime, that it is the same that has been analyzed, and that the report presented in court is based on this evidence. They have to maintain the chain of custody. The threat is not from the intelligence of criminals but from our ignorance and the will to fight it. The law is stricter now on producing evidence, especially where electronic documents are concerned.
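
One way to make the seized, analyzed and presented requirement above checkable is to fingerprint the evidence at seizure and keep a hash-chained custody log. This is an added illustration, not part of the original chapter; the class and field names, the choice of SHA-256 and the sample bytes are assumptions constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous digest" used by the first log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    """Digest over every field of an entry except the digest itself."""
    body = {k: v for k, v in entry.items() if k != "digest"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))


class CustodyLog:
    """Append-only custody record; each entry commits to the one before it."""

    def __init__(self, evidence: bytes, seized_by: str):
        self.entries = []
        self.record(seized_by, "seized", evidence)

    def record(self, actor: str, action: str, evidence: bytes) -> None:
        """Add a hand-over or processing step, hashing the evidence as held."""
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "actor": actor,
            "action": action,
            "evidence_sha256": sha256_hex(evidence),
            "prev": prev,
        }
        entry["digest"] = entry_digest(entry)
        self.entries.append(entry)

    def head(self) -> str:
        """Digest of the latest entry. Note it outside the log (for example
        on the seizure memo) so that rewriting the whole log is detectable."""
        return self.entries[-1]["digest"]

    def verify(self, exhibit: bytes, expected_head: str) -> list:
        """Return a list of problems; an empty list means the chain holds."""
        problems = []
        seized = self.entries[0]["evidence_sha256"]
        prev = GENESIS
        for e in self.entries:
            # An edited or reordered entry breaks its own digest or the link.
            if e["prev"] != prev or e["digest"] != entry_digest(e):
                problems.append(f"entry {e['seq']}: record altered or reordered")
            # Every custodian must have held the same bytes that were seized.
            if e["evidence_sha256"] != seized:
                problems.append(f"entry {e['seq']}: evidence differs from seizure")
            prev = e["digest"]
        if prev != expected_head:
            problems.append("log head does not match the digest noted earlier")
        if sha256_hex(exhibit) != seized:
            problems.append("exhibit in court differs from what was seized")
        return problems


if __name__ == "__main__":
    image = b"constructed sample: bytes of a seized disk image"
    log = CustodyLog(image, "Investigating Officer")
    log.record("Forensic Lab", "imaged", image)
    log.record("Analyst", "analysed", image)
    print(log.verify(image, log.head()))            # intact chain
    print(log.verify(image + b"\x00", log.head()))  # exhibit was modified
```

The log only proves consistency from the first hash onward, so the seizure hash and the head digest have to be written down where the log's custodians cannot change them.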


    The computer is the target and the tool for the perpetration of crime. It is used for the communication of the criminal activity such as the injection of a virus/worm which can crash entire networks. The Information Technology (IT) Act, 2000, specifies the acts which have been made punishable. Since the primary objective of this Act is to create an enabling environment for commercial use of I.T., certain omissions and commissions of criminals while using computers have not been included. With the legal recognition of Electronic Records and the amendments made in the several sections of the IPC vide the IT Act, 2000, several offences having bearing on cyber-arena are also registered under the appropriate sections of the IPC.

    As per the report of National Crime Records Bureau, in 2005, a total of 179 cases were registered under IT Act 2000, of which about 50 percent (88 cases) were related to Obscene Publications / Transmission in electronic form, normally known as cyber pornography. 125 persons were arrested for committing such offences during 2005.

    There were 74 cases of Hacking of computer systems during the year wherein 41 persons were arrested. Out of the total (74) Hacking cases, those relating to Loss/Damage of computer resource/utility under Sec 66(1) of the IT Act were 44.6 percent (33 cases) whereas the cases related to Hacking under Section 66(2) of IT Act were 55.4 percent (41 cases). Tamil Nadu (15) and Delhi (4) registered maximum cases under Sec 66(1) of the IT Act out of total 33 such cases at the National level. Out of the total 41 cases relating to Hacking under Sec. 66(2), most of the cases (24 cases) were reported from Karnataka followed by Andhra Pradesh (9) and Maharashtra (8).

    During the year, a total of 302 cases were registered under IPC Sections as compared to 279 such cases during 2004, thereby reporting an increase of 8.2 percent in 2005 over 2004. Gujarat reported maximum number of such cases, nearly 50.6 percent of total cases (153 out of 302) like in previous year 2004, followed by Andhra Pradesh 22.5 percent (68 cases). Out of total 302 cases registered under IPC, majority of the crimes fall under 2 categories viz. Criminal Breach of Trust or Fraud (186) and Counterfeiting of Currency/Stamps (59). Though these offences fall under the traditional IPC crimes, the cases had the cyber tone wherein computer, Internet or its related aspects were present in the crime and hence they were categorized as Cyber Crimes under IPC. Out of the 53,625 cases reported under head Cheating during 2005, the Cyber Forgery (48 cases) accounted for 0.09 percent. The Cyber frauds (186) accounted for 1.4 percent out of the total Criminal Breach of Trust cases (13,572).

    The Forgery (Cyber) cases were highest in Andhra Pradesh (28) followed by Punjab (12). The cases of Cyber Fraud were highest in Gujarat (118) followed by Punjab (28) and Andhra Pradesh (20). A total of 377 persons were arrested in the country for Cyber Crimes under IPC during 2005. Of these, 57.0 percent (215) of total such offenders (377) were taken into custody for offences under 'Criminal Breach of Trust/Fraud (Cyber)', 22.0 percent (83) for Counterfeiting of Currency/Stamps and 18.8 percent (71) for offences under Cyber Forgery. The States such as Gujarat (159), Andhra Pradesh (110), Chhattisgarh and Punjab (51 each) have reported higher arrests for Cyber Crimes registered under IPC. Bangalore (38), Chennai (20) and Delhi (10) cities have reported high incidence of such cases (68 out of 94 cases) accounting for more than half of the cases (72.3%) reported under IT Act, 2000. Surat city has reported the highest incidence (146 out of 163 cases) of cases reported under IPC sections accounting for more than 89.6 percent.


    The latest statistics show that Cyber Crime is actually on the rise. However, it is true that in India, Cyber Crime is not much reported. Consequently there is a false sense of complacency that Cyber Crime does not exist and that society is safe from Cyber Crime. This is not the correct picture. The fact is that people in our country do not report Cyber Crimes for many reasons. Many do not want to face harassment by the police. There is also the fear of bad publicity in the media, which could hurt their reputation and standing in society. Also, it becomes extremely difficult to convince the police to register any Cyber Crime, because of lack of orientation and awareness about Cyber Crimes and their registration and handling by the police.

    A recent survey indicates that for every 500 Cyber Crime incidents that take place, only 50 are reported to the police and out of that only one is actually registered. These figures indicate how difficult it is to convince the police to register a Cyber Crime. The establishment of Cyber Crime cells in different parts of the country was expected to boost Cyber Crime reporting and prosecution. However, these cells haven't quite kept up with expectations. Netizens should not be under the impression that Cyber Crime is vanishing and they must realize that with each passing day, cyberspace becomes a more dangerous place to be in, where criminals roam freely to execute their criminal intentions, encouraged by the so-called anonymity that internet provides.

    The absolutely poor rate of cyber crime conviction in the country has also not helped the cause of regulating Cyber Crime. There have only been a few Cyber Crime convictions in the whole country, which can be counted on fingers. We need to ensure that we have specialized procedures for prosecution of Cyber Crime cases so as to tackle them on a priority basis. This is necessary so as to win the faith of the people in the ability of the system to tackle Cyber Crime. We must ensure that our system provides for stringent punishment of Cyber Crimes and cyber criminals so that the same acts as a deterrent for others.

    2.1 Cyber Law An Indian Perspective__________________

    Information Technology solutions have paved a way to a new world of Internet, Business Networking and e-banking, budding as a solution to reduce costs and change sophisticated economic affairs into an easier, speedier, more efficient, and time saving method of transactions. Internet has emerged as a blessing for the present pace of life but at the same time has also resulted in various threats to the consumers and other institutions for which it has proved to be the most beneficial Communication resource. Various criminals like Hackers & Crackers have been able to pave their way to interfere with the internet accounts through various techniques like hacking the Domain Name Server (DNS), Internet Providers (IP) address, spoofing, phishing, internet phishing etc. and have been successful in gaining unauthorized access to the user's computer system and stealing useful data to gain huge profits from customers' accounts. Intentional use of information technology by cyber terrorists for producing destructive and harmful effects to tangible and intangible property of others is called Cyber Crime. Cyber Crime is clearly an international problem with no national boundaries. Hacking attacks can be launched from any corner of the world without any fear of being traced or prosecuted easily.


    Cyber Terrorists can collapse the economic structure of a country from a place where that country might not have any arrangements like Extradition Treaty to deal with that criminal. The only safeguard would be better technology to combat such technology already evolved and known to the Hackers. But that still has the threat of being taken over by the intellect computer criminals. Though there are many techniques evolved to curb the criminal activities by Cyber Terrorists, the problem still persists in the legal structure, which has failed to produce a deterring effect on the criminals. If the suggestions are undertaken in light of the conclusion there can be better co-ordination among various national and international agencies to make the system more efficient, and Information Technology Act 2000 more secured and trustworthy. It can still be held good for the objects it had existed for, to provide the benefits to the society. This paper contributes the point that until the crime rate is curbed, technology cannot produce the adequate benefits for which it has been created.

    2.2 What Is Cyber Crime?_______________________________

    Cyber Terrorists usually use the computer as a tool, target, or both for their unlawful act, either to gain information which can result in heavy loss/damage to the owner of that intangible sensitive information. Internet is one of the means by which the offenders can gain such price sensitive information of companies, firms, individuals, banks, intellectual property crimes (such as stealing new product plans, its description, market programme plans, list of customers etc.), selling illegal articles, Pornography etc. This is done through many methods such as Phishing, Spoofing, Pharming, wire transfer etc., and they use it to their own advantage without the consent of the individual.

    Many banks, financial institutions, investment houses, brokering firms etc. are being victimized and threatened by the cyber terrorists to pay extortion money to keep their sensitive information intact to avoid huge damages. And it has been reported that many institutions in US, Britain and Europe have secretly paid them to prevent huge meltdown or collapse of confidence among their consumers.

    2.3 Emergence of Information Technology Act, 2000._______

    In India, the Information Technology Act 2000 was enacted after the United Nations General Assembly Resolution A/RES/51/162, dated the 30th January, 1997 by adopting the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This was the first step towards the Law relating to e-commerce at international level to regulate an alternative form of commerce and to give legal status in the area of e-commerce. It was enacted taking into consideration UNCITRAL model of Law on e-commerce 1996.


    Some Noteworthy Provisions under the Information Technology Act, 2000.

    Section   Offence                                                             Penalty
    Sec.43    Damage to Computer system etc.                                      Compensation for Rupees 1 crore.
    Sec.66    Hacking (with intent or knowledge)                                  Fine of 2 lakh rupees, and imprisonment for 3 years.
    Sec.67    Publication of obscene material in e-form                           Fine of 1 lakh rupees, and imprisonment of 5 years, and double conviction on second offence
    Sec.68    Not complying with directions of controller                         Fine upto 2 lakh and imprisonment of 3 years.
    Sec.70    Attempting or securing access to computer                           Imprisonment upto 10 years.
    Sec.72    For breaking confidentiality of the information of computer         Fine upto 1 lakh and imprisonment upto 2 years
    Sec.73    Publishing false digital signatures, false in certain particulars   Fine of 1 lakh, or imprisonment of 2 years or both.
    Sec.74    Publication of Digital Signatures for fraudulent purpose.           Imprisonment for the term of 2 years and fine for 1 lakh rupees.

    2.4 Types of Attacks By Hackers.________________________

    A hacker is a computer expert who uses his knowledge to gain unauthorized access to the computer network. The term covers not only the one who intends to break through the system but also the one who has no intent to damage the system but intends to learn more by using one's computer. Information Technology Act 2000 doesn't make hacking an offence but looks into the factor of ethics. Crackers, on the other hand, use the information to cause disruption to the network for personal and political motives. Hacking by an insider or an employee is quite prominent at the present date. Section 66 (b) of the Information Technology Act 2000 provides punishment of imprisonment for the term of 3 years and fine which may extend to two lakh rupees, or with both.


    Banks and other financial institutions are threatened by terrorist groups with the use of their sensitive information, resulting in heavy loss, and are in turn asked for a ransom amount. There are various methods used by hackers to gain unauthorized access to the computers apart from use of viruses like Trojans and worms etc. Therefore anyone who secures access to any computer without the permission of the owner shall be liable to pay damages of one crore rupees under Information Technology Act, 2000. Computer system here means a device including input and output support devices and systems which are capable of performing logical, arithmetical, data storage and retrieval, communication control and other functions but excludes calculators. Unauthorized access under Section 43 of the Information Technology Act 2000 is punishable regardless of the intention or purpose for which unauthorized access to the computer system was made. The owner needn't prove the fact of loss, but the fact of it having been used without his authorization. The case of United States v. Rice would be important in this regard, where the defendant, on the request of his friend (who was under investigation by an IRS officer), tried to find the status of his friend's case by using the officer's computer without his consent. Though it didn't cause any damage/loss to the plaintiff (officer), he was convicted by the Jury for accessing the computer system of a Government without his authority and his conviction was later on confirmed.


    Even if one provides any assistance to the other to gain any unauthorized access to the computer he shall be liable to pay damages by way of compensation of Rupees 1 crore. Does turning on the computer lead to unauthorized access? The mens rea under section 1 of the Computer Misuse Act, 1990 comprises two elements: there must be an intent to secure an access to any programme or data held in any computer, and the person must know that he intends to secure an unauthorized access. E.g. when the defendant went to his former employee to purchase certain equipment and the sales person was not looking, he was alleged to have keyed in certain commands to the computerized till, granting himself a substantial discount. Though section 1 (1) (a) requires that a second computer must be involved, the judiciary in the case of R v. Sean Cropp believed that the Parliament would have intended to restrict the offence even if a single computer system was involved.

    2.5 Types of Techniques used by the Crackers/Cyber Terrorists

    A) Computer Viruses: Viruses are used by Hackers to infect the user's computer and damage data saved on the computer by use of the payload in viruses, which carries damaging code. A person would be liable under I.T Act only when the consent of the owner is not taken before inserting a virus in his system. The contradiction here is that though certain viruses cause temporary interruption by showing messages on the screen of the user, this is still not punishable under Information Technology Act 2000 as it doesn't cause tangible damage. But it must be made punishable as it would fall under the ambit of unauthorized access, though it doesn't cause any damage. Harmless viruses would also fall under the expression used in the provision "to unsure the normal operation of the computer, system or network". This ambiguity needs reconsideration.

    B) Phishing: By using e-mail messages which completely resemble the original mail messages sent to customers, hackers can ask for verification of certain information, like account numbers or passwords etc. Here the customer might not have knowledge that the e-mail messages are deceiving and would fail to identify the originality of the messages. This results in huge financial loss when the hackers use that information for fraudulent acts like withdrawing money from the customer's account without him having knowledge of it.

    C) Spoofing: This is carried on by use of deceiving Websites or e-mails. These sources mimic the original websites so well by use of logos, names, graphics and even the code of the real bank's site.

    D) Phone Phishing: This is done by use of in-voice messages by the hackers where the customers are asked to reveal their account identification and passwords to file a complaint for any problems regarding their accounts with banks etc.

    E) Internet Pharming: The hacker here aims at redirecting the website used by the customer to another bogus website by hijacking the victim's DNS server (these are computers responsible for resolving internet names into real addresses, the signposts of the internet), and changing his I.P address to a fake website by manipulating the DNS server. This redirects the user's original website to a false misleading website to gain unauthorized information.


    F) Risk Posed On Banks And Other Institutions: Wire transfer is the way of transferring money from one account to another or transferring cash at a cash office. This is the most convenient way of transfer of cash by customers and of money laundering by cyber terrorists. There are many guidelines issued by Reserve Bank of India (RBI) in this regard, one of which is KYC (Know Your Customer) norms of 2002. The main objective of which is to:

    1) Ensure appropriate customer identification, and
    2) Monitor the transactions of suspicious nature and report them to the appropriate authority on an everyday basis.

    G) Publishing Pornographic Material In Electronic Form: Section 67 of the Information Technology Act, 2000 in parallel to Section 292 of Indian Penal Code, 1860 makes publication and transmission of any material in electronic form that is lascivious or appeals to the prurient interest a crime, punishable with imprisonment which may extend to 5 years and fine of 1 lakh rupees, and a subsequent offence with an imprisonment extending to 10 years and fine of 2 lakhs.

    Various tests were laid down gradually in course of time to determine the actual crime in case of obscene material published in electronic form on the net. The Hicklin test was adopted in America in the case of Regina v. Hicklin, wherein it was held that the question is whether the material has a tendency to deprave and corrupt those whose minds are open to such immoral influences, and into whose hands a publication of this sort may fall. In the Indian scenario, in the case of Ranjeet D. Udeshi v. State of Maharashtra the Supreme Court admitted that Indian Penal Code doesn't define obscenity though it provides punishment for publication of obscene matter. There is a very thin line existing between a material which could be called obscene and the one which is artistic. The Court even stressed the need to maintain balance between the fundamental right of freedom of speech and expression and public decency and morality. If matter is likely to deprave and corrupt those minds which are open to influence to whom the material is likely to fall. Where both obscenity and artistic matter are so mixed up that obscenity falls into shadow as it is insignificant, then obscenity may be overlooked.

    In the case of Miller v. California it was held that the local community standard must be applied at the time of determination of the offence, as it can traverse many jurisdictions and can be accessed in any part of the globe. So wherever the material can be accessed, the community standards of that country would be applicable to determine the offence of publication of obscene material posted in electronic form. Though knowledge of obscenity under Information Technology Act 2000 and Indian Penal Code may be taken as a mitigating factor, it doesn't take the case out of the provision.

    Section 72 of Information Technology Act, 2000 provides punishment for an unauthorized access or disclosure of that information to a third person, punishable with an imprisonment upto 2 years or fine which may extend to 1 lakh rupees or with both. English courts have also dealt with the issue as to what activities would constitute crime under existing legislation. In the case of R. v. Fellows and Arnold it was held that the legislation before the 1994 amendment would also enable computer data to be considered a copy of an indecent photograph and that making images available for downloading from the website would constitute material being distributed or shown. The statute is wide enough to deal with the use of computer technology.


    (H) Investment Newsletter: We usually get newsletters providing us free information recommending which field of investment would be profitable. These may sometimes be a fraud and may cause us huge loss if relied upon. False information can be spread by this method about any company and can cause huge inconvenience or loss through junk mails online.

    (I) Credit Card Fraud: Huge loss may be caused to the victim due to this kind of fraud. This is done by publishing false digital signatures. Most of the people lose credit cards on the way of delivery to the recipient, or the card is damaged or defective, misrepresented etc.

    2.6 Measures To Curb Cyber Crime.______________________

    Though the passage of time and improvement in technology have provided easier and more user friendly methods for the consumer to carry out their daily activities, they have at the same time led to a harsh world of security threats from agencies like hackers, crackers etc. Various information technology methods have been introduced to curb such destructive activities, to achieve the main objects of the technology and to provide some sense of security to the users. A few basic prominent measures used to curb cyber crimes are as follows:

    A) Encryption: This is considered an important tool for protecting data in transit. Plain text (readable) can be converted to cipher text (coded language) by this method and the recipient of the data can decrypt it by converting it into plain text again by using the private key. This way, except for the recipient, who is the possessor of the private key to decrypt the data, no one can gain access to the sensitive information. Not only the information in transit but also the information stored on a computer can be protected by using the Conventional cryptography method. The usual problem lies in the distribution of keys, as anyone who overhears or intercepts a key can bring the whole object of encryption to a standstill. Public key cryptography was one solution to this, where the public key could be known to the whole world but the private key was only known to the receiver; it is very difficult to derive the private key from the public key.

    B) Synchronized Passwords: These passwords are schemes used to change the password at the user's and the host's token. The password on a synchronized card changes every 30-60 seconds, which only makes it valid for a one time log-on session. Other useful methods introduced are signature, voice, fingerprint identification or retinal and biometric recognition etc. to input passwords and pass phrases.

    C) Firewalls: A firewall creates a wall between the system and possible intruders to protect the classified documents from being leaked or accessed. It would only let data flow into the computer which is recognized and verified by one's system. It only permits access to the system to ones already registered with the computer.

    D) Digital Signature: These are created by means of cryptography by applying algorithms. This has its prominent use in the business of banking, where the customer's signature is identified by using this method before banks enter into huge transactions.


    2.7 Investigations And Search Procedures.________________

    Section 75 of Information Technology Act, 2000 takes care of the jurisdictional aspect of cyber crimes, and one would be punished irrespective of his nationality and place of commission of offence. Power of investigation has been given to a police officer not below the rank of Deputy Superintendent of police or any officer of the Central Government or a State Government authorized by Central Government. He may enter any public place, conduct a search and arrest without warrant a person who is reasonably expected to have committed an offence or to be about to commit a computer related crime. The accused has to be produced before a magistrate within 24 hours of arrest. Provisions of Criminal Procedure Code, 1973 regulate the procedure of entry, search and arrest of the accused.

    2.8 Problems Underlying Tracking of Offence._____________

    Most of the time the offenders commit a crime and their identity is hard to establish. Tracking cyber criminals requires a proper law enforcing agency through cyber border co-operation of governments, businesses and institutions of other countries. Most of the countries lack skilled law enforcement personnel to deal with computer and even broader Information technology related crimes. Usually law enforcement agencies also don't take such crimes seriously, they attach no importance to enforcement against cyber crimes, and even if they undertake to investigate they are faced with the limitation of the extra-territorial nature of the crimes.

    2.9 How Efficient Is Information Technology Act 2000?______

    It can't be disputed that Information Technology Act, 2000, though it provides certain kinds of protections, doesn't cover all the spheres of the I.T where the protection must be provided. Copyright and trade mark violations do occur on the net but Copy Right Act 1976, or Trade Mark Act 1994 are silent on that which specifically deals with the issue. Therefore there is no enforcement machinery to ensure the protection of domain names on the net. Transmission of e-cash and transactions online are not given protection under Negotiable Instrument Act, 1881. Online privacy is not protected; only Section 43 (penalty for damage to computer or computer system) and 72 (Breach of confidentiality or privacy) talk about it to some extent but don't hinder the violations caused in the cyberspace.

    Even the Internet Service Provider (ISP) who transmits some third party information without human intervention is not made liable under the Information Technology Act, 2000. One can easily take shelter under the exemption clause, if he proves that it was committed without his knowledge or he exercised due diligence to prevent the offence. It is hard to prove the commission of offence as the terms "due diligence" and "lack of knowledge" have not been defined anywhere in the Act. And unfortunately the Act doesn't mention how the extra territoriality would be enforced. This aspect is completely ignored by the Act, where it had come into existence to look into cyber crime which is on the face of it an international problem with no territorial boundaries.


    2.10 Data Protection___________________________________

    Information stored on the computer of the owner would be his property and must be protected. There are many ways such information can be misused, like unauthorized access, computer viruses, data typing, modification, erasures etc. Legislators had been constantly confronted with the problem of balancing the right of the individuals on the computer information and other people's claim to be allowed access to information under Human Rights. The first enactment in this regard was Data Protection Act by Germany in the year 1970. This was widely accepted by the world and also contributed to the Information Technology Act.

    The origin of laws on data protection dates back to 1972 when United Kingdom formed a committee on privacy which came up with ten principles, on the basis of which a data protection committee was set up. Data Protection Act, 1984 (DPA) was United Kingdom's response to the Council of Europe Convention 1981. This Act lacked a proper enforcement mechanism and has done little to enforce individuals' rights and freedoms. European Union directive in 1995, European Convention of Human Rights (ECHR), Human Rights Acts, and further introduction of Data Protection Act, 1998 have done much in the field of Data protection at today's date. Data Protection Act has the following aims and objectives:

    Personal information shall only be obtained for a lawful purpose; it shall only be used for that purpose, mustn't be disclosed or used to effectuate any unlawful activity, and must be disposed of when the purpose is fulfilled.

    Though the Data Protection Act aims at protecting privacy in relation to information, the word "privacy" is not mentioned in the Act, nor is it defined. Further, the protection comes with various exemptions, including compulsory notification from the Commissioner in certain cases of personal data. Because the information technology regime has changed since the date the European Convention, on which the Act is based, came about, amendments to the Act are advised to match the present situation and curb crime in an efficient way.

    There is no Data Protection Act in India; the only provisions that talk about data protection are Section 72 and Section 43 of the Information Technology Act, 2000. There must be a new law to deal with the situation, so that a person knows that the Controller is processing data concerning him and also knows the purpose for which it has been processed. It is a fundamental right of the individual to retain private information concerning him, provided under Article 21 of the Indian Constitution, which says: "No person shall be deprived of his life or personal liberty except according to procedure established by law." Due to the increasing crime rate in the field, separate legislation is required in this context for better protection of individuals.


    2.11 Process of Reporting Internet Frauds:________________

    2.11.1 Digital evidence is fragile and can easily be lost. For example:

    - It can change with usage.
    - It can be maliciously and deliberately destroyed or altered.
    - It can be altered due to improper handling and storage.

    For these reasons, evidence should be carefully retrieved and preserved. Also consider that for investigating offences involving the Internet, time, date, and time zone information may prove to be very important.

    2.11.2 There are two situations a complainant may face

    1. Crime is likely to be committed.
    2. Crime is already committed.

    In the first case, the information may be reported to the local police of your jurisdiction or to the Cyber Crime Cell so that the incident may be averted.

    In the second case, most financial frauds are dealt with under the IPC only; hence the complaint may be given either at the local police station or at the CCS.

    2.11.3 As the case was committed in a Cyber environment, it is not sufficient to give a complaint only; you may also provide the information listed below:

    1. E-mail messages related to the investigation.
    2. Other e-mail addresses.
    3. Sender information.
    4. Content of the communications.
    5. IP addresses.
    6. Date and time information.
    7. User information.
    8. Attachments.
    9. Passwords.
    10. Application logs that show evidence of spoofing.
    11. The computer being used to receive the communication.
    12. The screen or user name (victim and suspect).
    13. The owner of the Internet Service Provider (ISP) account being used.
    14. The content (witness account of contact or activity).
    15. The date and time the message was received/viewed.
    16. The dates and times of previous contacts.
    17. Any logging or printouts of communications saved by the victim.
    18. Applicable passwords.
    19. Potential suspects.
    20. Whether security software was in use that may have captured additional information.
    21. Credit card/ATM card/Debit card information, including the account details.
    22. The locations where those cards were recently used.


    2.11.4 Precautions to be taken while reporting

    1. It is always advisable to meet the police personally and report the crime.
    2. It is also advisable to inform the bank first about the fraud to avoid further losses.
    3. If the fraudster is still in touch with you, keep them engaged and inform the police about their moves regularly.
    4. If you have a suspicion about a particular Mail ID or Mobile Number, never call that number, but inform the police about it.
    5. Never delete the information, however objectionable it is, until the police have had a look at it.

    2.12 WHAT IS A COMPUTER FORENSICS REPORT?________

    During an investigation into the cause of a computer security incident, you will commonly review the contents of a computer for evidence that supports your case. For example, if you are responding to an allegation that an employee named Jeff Kelly is stealing your organization's intellectual property and providing it to a competitor, you will likely review the contents of his system to see if Mr. Kelly:

    - Possesses the intellectual property or trade secrets
    - Disseminated the intellectual property or trade secrets to the competitor
    - Communicated with competitors via email, Internet Relay Chat (IRC), or some other mode of communication
    - Documented his evil intentions anywhere on his system

    You should have a standard way to document why you reviewed the computer system, how you reviewed the computer data, and how you arrived at your conclusions. You also need to be able to clearly explain your conclusions, support your conclusions, and perhaps even offer recommendations to avoid having the incident repeated. Your documentation may be offered as an exhibit during a trial or be the primary mechanism for an administrative action.

    We call the documentation that describes the examination of the contents of a computer system (or systems) a computer forensics report. There are two types of computer forensic reports: those that report solely the facts and those that include facts as well as opinions. In this chapter, we provide a format that meets the requirements of either type of report.

    2.13 What Is an Expert Report?__________________________

    Law enforcement examiners are generally trained to create forensic reports that offer no opinions; they merely state the findings. This type of report does not meet the legal definition of an expert report. A report that does not offer an opinion is not an expert report. When working with law firms, corporate/private sector examiners are usually requested to offer an opinion, which suggests that the examiner writing the report will eventually qualify as an expert and offer this opinion in court (hence, be an expert witness). When a client does not express whether our opinion is desired, we usually provide it (perhaps verbally). In most cases, your professional opinion about a case is the most useful item to your client.


    2.13.1 Report Goals

    Report writing, like so many things in life, requires a documented process to ensure a repeatable standard is met by your organization. You want your investigative reports to be accurate, written in a timely manner, and understandable to your audience. They must meet the golden standard established by your organization. Your computer forensic reports should achieve the following goals:

    - Accurately describe the details of an incident
    - Be understandable to decision-makers
    - Be able to withstand a barrage of legal scrutiny
    - Be unambiguous and not open to misinterpretation
    - Be easily referenced (using paragraph numbers for the report and Bates numbers for attached documents)
    - Contain all information required to explain your conclusions
    - Offer valid conclusions, opinions, or recommendations when needed
    - Be created in a timely manner

    2.13.2 REPORT WRITING GUIDELINES

    Through our experience of writing a vast number of forensic reports, using these reports to refresh our recollections during criminal trials, and training numerous employees new to the field of computer forensics, we have developed some report writing guidelines. These embody general principles that should be followed to ensure your organization can exceed expectations with your investigative reports.

    2.13.3 Document Investigative Steps Immediately and Clearly

    Documenting investigative steps immediately requires discipline and organization, but it is essential to successful report writing. Write everything down in a fashion that is understandable to you and others; do not use shorthand or shortcuts. Such vague notations, incomplete scribbling, or unclear documentation will eventually lead to redundant efforts, forced translation of notes, confirmation of notes, and a failure to comprehend notes by yourself or others.

    Writing something clearly and concisely at the moment you discover evidence (information of probative value) saves time and promotes accuracy. It also ensures that the details of the investigation can be communicated more clearly to others at any moment, which is critical should new personnel become involved or assigned to lead the investigation. We call this the "write it tight" philosophy. This can't be emphasized enough, so it is worth repeating: Document as you go!

    2.13.4 Know the Goals of Your Analysis

    Know what the goals of your examination are before you begin your analysis. This fosters a focused report, which is what a client/consumer wants. For law enforcement examiners, every crime has elements of proof. Your report should unearth evidence that confirms or dispels these elements. The bottom line is that the more focused your reports are, the more effective they are.


    While hashing out the objectives of your forensic examination, you should also address issues such as the following:

    - Does the client/consumer of your report want a single forensics report for each piece of media examined or a report of the investigation that encompasses all media analyzed?
    - How does the client/consumer wish you to communicate your findings: verbally or in written form?
    - How often does the client/consumer want a status report of your forensic examination?
    - Should the interim status reports be verbal or written?
    - Which examiner should sign as the provider or author of the forensic report?

    We address these issues while attempting to scope the objectives of our examination. Doing so saves a lot of headaches in the long run.

    2.13.5 Organize Your Report

    Write "macro to micro." Organize your forensic report to start at the high level, and have the complexity of your report increase as your audience continues to read it. This way, the high-level executives need to read only the first page or so to get the gist of your conclusions, and they should not need to understand the low-level details that support your claims. Include a table of contents for your longer reports. The table of contents enforces a logical approach to documenting your findings, and it helps the reader understand what your report accomplishes.

    2.13.6 Use Attachments and Appendices

    Use attachments or appendices to maintain the flow of your report. You do not want to interrupt your forensic report with 15 pages of source code right in the middle of your conclusions. Any information, files, and file fragments that you cite in your report that are over a page long should be included as appendices or attachments. Then, you can include a brief reference to the appendix in the report. For example, you might say, "A printout of the whois information is included as Appendix A."

    Consider including every file that contributes to your conclusions as an appendix to your report. This makes your report able to stand alone. You can reference your report for any questions that may arise in judicial or administrative processes. It is also a great idea to Bates number any files you reference in your report so that every document (file or file fragment) that you cite in your report has a unique reference number. You should also provide an electronic copy of every file or file fragment you cite in your report.

    Some material is too big or simply impossible to provide in a printed format. For example, large database files, lengthy source code files, and spreadsheets are unwieldy or difficult to produce in printed form. For this type of reference, we provide an electronic copy instead of the printed copy and call it an eAppendix (electronic appendix). We simply burn a CD-ROM that contains all files that we cited in the report, and we append it as the last attachment in the report.


    2.13.7 Use MD5 Hashes

    Create and record the MD5 hashes of your evidence, whether it is an entire hard drive or specific files. Performing MD5 hashes for all evidence provides support to the claim that you are diligent and attentive to the special requirements of forensic examination. If your evidence is handled properly and remains tamper-proof, the MD5 hashes calculated for a given set of data will always remain the same. By recording these MD5 values, your audience becomes confident that you are handling the data in the appropriate manner.

    2.13.8 Include Metadata

    Record and include the metadata for every file or file fragment cited in your report. This metadata includes the time/date stamps, full path of the file (or physical location of the file fragments), the file size, and the file's MD5 sum (as described in the previous section). This identifying data will help to eliminate confusion and also to increase consumer confidence. Those that read your report appreciate that you include all the details, and you will likely need the details to remove any ambiguity about which files you reference during testimony.

    The following is an example of a table we include in our reports after we cite a specific file. Specifically, it provides the file metadata for a Windows IIS web access log found on the C: partition (C:\WINNT\system32\LogFiles\W3SVC3\ex001215.log).

    File Created     12/15/00 09:16:26AM
    Last Accessed    11/14/01 08:47:11AM
    Last Written     04/06/01 04:26:05AM
    Logical Size     2,034,833
    Hash Value       eb40d0678cd9cdfbf22d2ef7ce093273

    We often add a Comment field to our file tables to provide a quick reference and reminder of why we cited the file in the report. This table shows an example of the file metadata for a cmd.exe file found on the C: partition and its Comment field (C:\Program Files\Common Files\System\MSADC\cmd.exe).

    File Created     02/14/01 01:24:02AM
    Last Accessed    11/14/01 04:11:11AM
    Logical Size     208,144
    Hash Value       25d1ee046ebf4a758148f92cc39a8e7e
    Comment          A copy of cmd.exe in a browser accessible directory. The MD5
                     sum is identical to c:\winnt\system32\cmd.exe.

    When a single report includes data from multiple pieces of media (evidence), we need to include additional data in our file tables. This table includes an extra row illustrating the source media for the file.


    If the file you are citing was originally contained within a zipfile or some other archive file, it adds complexity to the metadata you provide. We provide the metadata for both the original zipfile and the metadata for the cited file contained within that zipfile. For example, if we find a buffer overflow executable called ufsrestore stored within a tape-archived, compressed file, and we consider the finding relevant to the case, we cite both the original compressed archive file and the relative contents. We might state that the file ufsrestore was located on the KELLY LAPTOP in the following compressed file: /hda1/home/jkelly/attacktools.tar.gz. Inside this tar-gzipped file resided a single file called tools.tar. When /hda1/home/jkelly/attacktools.tar.gz was uncompressed, tools.tar resided in the /home/tools directory. We refer to the full path of the ufsrestore file as follows:

    /hda1/home/jkelly/attacktools.tar.gz:/home/tools/tools.tar:ufsrestore

    We use the colon (:) as a delimiter between compressed/archive files. You can read the full path from right to left: ufsrestore was contained within the file /home/tools/tools.tar, which was contained within the file /hda1/home/jkelly/attacktools.tar.gz.
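The hash, metadata and colon-delimited archive path described in 2.13.7 and 2.13.8 can be generated by a short script. The following is an added example, not code from the original chapter: the function names and the sample archive are constructed here, the SHA-256 column is an addition beside the MD5 value the chapter records (MD5 is no longer collision-resistant), and it assumes tar-based archives and POSIX paths that contain no colon.

```python
"""Report rows (path, timestamps, size, hashes) for evidence files, including nested tar members."""
import hashlib
import io
import os
import tarfile
import tempfile
from datetime import datetime, timezone


def digest_stream(stream, chunk_size=1 << 20):
    """Hash a binary stream in chunks; return (md5_hex, sha256_hex, size_in_bytes)."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    for block in iter(lambda: stream.read(chunk_size), b""):
        md5.update(block)
        sha256.update(block)
        size += len(block)
    return md5.hexdigest(), sha256.hexdigest(), size


def _utc(ts):
    # Same layout as the chapter's tables, with the time zone stated explicitly.
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%m/%d/%y %I:%M:%S%p UTC")


def disk_file_row(path):
    """Row for a file on the working copy (never the original evidence media)."""
    st = os.stat(path)  # read the timestamps before opening the file
    with open(path, "rb") as fh:
        md5, sha256, size = digest_stream(fh)
    row = {"Full Path": path, "Last Accessed": _utc(st.st_atime),
           "Last Written": _utc(st.st_mtime), "Logical Size": size,
           "Hash Value (MD5)": md5, "SHA-256": sha256}
    birth = getattr(st, "st_birthtime", None)  # creation time is not exposed on every OS
    if birth is not None:
        row["File Created"] = _utc(birth)
    return row


def nested_rows(spec):
    """Resolve 'archive:member:member' and return one row per level, outermost first."""
    outer, *members = spec.split(":")  # assumes no ':' inside any path component
    rows = [disk_file_row(outer)]
    with open(outer, "rb") as fh:
        data = fh.read()  # held in memory here; stream very large archives instead
    cited = outer
    for member in members:
        # extractfile() reads the member in memory, so nothing from the archive is
        # written to disk and hostile member names cannot escape a target directory.
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            info = tar.getmember(member.lstrip("/"))  # KeyError if the member is absent
            if not info.isfile():
                raise ValueError(f"{member} is not a regular file inside {cited}")
            data = tar.extractfile(info).read()
        cited = f"{cited}:{member}"
        md5, sha256, size = digest_stream(io.BytesIO(data))
        rows.append({"Full Path": cited, "Last Written": _utc(info.mtime),
                     "Logical Size": size, "Hash Value (MD5)": md5, "SHA-256": sha256})
    return rows


def build_constructed_sample(directory):
    """Constructed stand-in for the chapter's attacktools.tar.gz; the payload is placeholder text."""
    payload = b"constructed placeholder bytes, not a real tool\n"
    stamp = 978307200  # 2001-01-01 00:00:00 UTC, a constructed timestamp
    inner = io.BytesIO()
    with tarfile.open(fileobj=inner, mode="w") as tar:
        info = tarfile.TarInfo("ufsrestore")
        info.size, info.mtime = len(payload), stamp
        tar.addfile(info, io.BytesIO(payload))
    inner_bytes = inner.getvalue()
    outer_path = os.path.join(directory, "attacktools.tar.gz")
    with tarfile.open(outer_path, mode="w:gz") as tar:
        info = tarfile.TarInfo("home/tools/tools.tar")
        info.size, info.mtime = len(inner_bytes), stamp
        tar.addfile(info, io.BytesIO(inner_bytes))
    return outer_path, payload


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        archive, _ = build_constructed_sample(tmp)
        for row in nested_rows(archive + ":/home/tools/tools.tar:ufsrestore"):
            for key, value in row.items():
                print(f"{key:<18}{value}")
            print()
```

Run it against a read-only working copy so that hashing does not disturb access times on the evidence itself.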

    2.14 A TEMPLATE FOR COMPUTER FORENSIC REPORTS___

    Each forensic report your organization produces could include any of the following sections:

    - Executive Summary
    - Objectives
    - Computer Evidence Analyzed
    - Relevant Findings
    - Supporting Details
    - Investigative Leads
    - Additional subsections, such as Attacker Methodology, User Applications, Internet Activity, and Recommendations.


    2.14.1 Executive Summary

    The Executive Summary section provides the background information of the circumstances that brought about the need for an investigation. This is the section that the senior management just might read; they will probably not get much further into the report.

    Therefore, this section needs to include, in short detail (under a page long), the things that matter. We use the Executive Summary section to do the following:

    - Include who authorized the forensic examination
    - Describe why a forensic examination of computer media was necessary
    - List what the significant findings were (in short detail)
    - Include a signature block for the examiner(s) who performed the work

    It is important to include the full, proper names of all persons involved in the case, their employer and job titles, and the dates of initial communications. We include a high-level view of the significant findings as part of the Executive Summary section. Here are some examples of significant findings:

    - Three days prior to leaving employment, Employee X emailed nine company confidential documents to Company B, a competitor.
    - Employee X did not have authorized access to these documents, and password cracking tools, along with cracked executive user passwords, were found on his computer.
    - Employee X used a network monitor program to intercept email communications between corporate executives.
    - A thorough forensic examination of the contents of the KELLY LAPTOP did not reveal any evidence that the user of the system downloaded or intended to download pornographic images.

    2.14.2 Objectives

    You never know what might prompt you to perform the forensic examination of a hard drive. Since any type of litigation can take place, the goals of your forensic examination can be related to virtually any subject. In many instances, your forensic examination of media may include criteria that focus and narrow your examination; in other words, you may not always perform a full-scale investigation or fishing expedition when reviewing the contents of media.

    We use the Objectives section to outline all the tasks that our investigation intended to accomplish. This task list should be discussed and approved by decision-makers, legal counsel, and/or the client prior to any forensic analysis. It is a good idea to ensure all parties are working off the same sheet of music.

    The task list should include the tasks undertaken by the forensic examiner, the method by which the examiner undertook each task, and the status of each task at the completion of the report. The table shown below provides an example of a potential task list when reviewing the contents of a hard drive for child pornography.


    Task                              Description

    Task 1: Create a Working Copy     Create a forensic copy of all the evidence media as a
    (Forensic Duplication) of the     working copy. No forensic operations are taken on the
    Evidence Media                    evidence media, which will be handled following proper
                                      evidence-handling procedures.

    Task 2: Identify Any Lewd or      Review the contents of the KELLY LAPTOP for the
    Contraband Files                  presence of materials that may depict minors engaged
                                      in sexually explicit acts (Title 18 USC, 2252).

    2.14.3 Computer Evidence Analyzed

    We use a section entitled Computer Evidence Analyzed to introduce all the evidence that was collected and interpreted when creating the investigative report. This section provides detailed information regarding the assignment of evidence tag numbers and media serial numbers, as well as descriptions of the evidence. This information is sometimes best communicated using a table similar to the table shown below. Readers can reference such a table to immediately understand the evidence that was considered or interpreted to create the investigative report.

    Evidence Number   Type                       Serial Number   Description

    Tag 1             Western Digital - 313000   Y733-W2701      Laptop belonging to and used by JEFF KELLY.
                                                                 Referred to throughout the report as the
                                                                 KELLY LAPTOP.

    Tag 2             Quantum Fireball CR        86753091234     One of two hard drives found in the Sun web
                                                                 server belonging to JEFF KELLY. Referred to
                                                                 throughout this report as SUN WEB SERVER
                                                                 DISK 1.

    2.14.4 Relevant Findings

    The Relevant Findings section provides a summary of the findings of probative value. It answers the question, "What relevant items were found during the investigation?" The relevant findings should be listed in order of importance, or relevance to the case. This section briefly describes the findings in an organized, logical way. It provides the quick reference that high-level decision-makers need and make use of when describing the results of the investigation. The fine details supporting these findings should be written in a different section (Supporting Details). This conforms to the "macro to micro" report organization recommended earlier.

    2.14.5 Supporting Details


    This section provides an in-depth look at and analysis of the relevant findings listed in the Relevant Findings section. It outlines how we found or arrived at the conclusions outlined in the Relevant Findings section. This section should include tables listing the full pathnames of important files, the number of files reviewed, string-search results, emails or URLs reviewed, and any other relevant information.


    Value             Description

    Aug 31            The date the log entry was made.
    18:16:50          The time the record was logged.
    Gengis            The host or computer responsible for creating the log entry.
    Sendmail[2730]    The program responsible for the log entry (in this case, the
                      sendmail application) and the process ID of the sendmail instance
                      processing the current message.

    2.14.6 Investigative Leads

    In the Investigative Leads section, we outline action items that could be performed to discover additional information pertinent to the investigation. These are the outstanding tasks that could be completed if the examiner or investigator were provided more time or additional resources. The Investigative Leads section is often critical to law enforcement. The goal of your forensic analysis is almost always to generate more compelling evidence to help your case. Therefore, it is absolutely essential to document further investigative steps that, although perhaps beyond the scope of your forensic report, could generate actions that lead to the successful resolution of the case.

    On the other hand, the Investigative Leads section is also exceptionally important for the hired forensic consultant. I often call this the "CYA" section, because you have the opportunity to list all of the tasks you could have performed, but simply did not. This is critical if your examination did not yield substantive conclusions, and your client or consumer is asking, "Why didn't you try this?" or "Why don't you know who did this?" This section suggests the additional tasks that could unearth the information required to advance the case.

    Below are some examples of investigative leads:

    - The Linux partition on the LAPTOP contained Palm Pilot files. A review of the data stores for the Palm Pilot personal digital assistant can be conducted.
    - Determine whether there are any firewall logs or intrusion detection logs that date far enough into the past to provide an accurate picture of any attacks that took place.
    - Subpoena AOL to pierce the anonymity behind the online user [email protected].

    2.14.7 Additional Report Subsections

    There are several additional subsections that we often include in our computer forensic reports. We have found the following subsections to be useful in specific cases, but not every case. It depends on the needs and wants of the end consumer.

    2.15 Attacker Methodology_____________________________

    An Attacker Methodology section is an additional primer to help the reader understand the common attacks performed or the exact attack conducted. This section is very useful if you are investigating a computer intrusion case. You can examine how the attack was executed and what the remnants of the attacks look like in standard logs.


    2.16 User Applications_________________________________

    In many cases, the applications present on the system are extremely relevant. In the User Applications section, we discuss any relevant applications that were installed on the media analyzed. We outline where the applications were found and what they do. When investigating a system that was used by an attacker, we often title this section "Cyber-Attack Tools" (of course, you can name any section anything you want). We have employed this section when looking for accounting software in a fraud case, image viewing applications in child pornography cases, and credit card number generation software in credit card fraud cases.

    2.17 Internet Activity or Web Browsing History_____________

    This section is a breakdown of the Internet history or Web surfing performed by the users of the media analyzed. This section is commonly included during administrative cases where an employee is simply surfing the Web all day. The browser history can also be used to suggest intent, online research/predisposition, downloads of malicious tools, and downloads of secure delete programs or evidence-elimination type programs that wipe file slack, unallocated space, and temporary files that often harbor evidence vital to an investigation.