
Cyber Crime Investigation and Forensics

A PROJECT REPORT

ON

CYBER CRIME INVESTIGATION AND FORENSICS

Contents:

CYBER CRIME INVESTIGATION

• What Is Cyber Crime
  - Examples Include
  - Definition
• Reasons For Cyber Crime
  - Capacity To Store Data In Comparatively Small Space
  - Easy To Access
  - Complex
  - Negligence
  - Loss Of Evidence
• Cyber Criminals
  - Children And Adolescents Between The Age Group Of 6 – 18 Years
  - Organized Hackers
  - Professional Hackers / Crackers
  - Discontented Employees
• Mode And Manner Of Committing Cyber Crime
  - Unauthorized Access To Computer Systems Or Networks / Hacking
  - Theft Of Information Contained In Electronic Form
  - Email Bombing
  - Data Diddling
  - Salami Attacks
  - Denial Of Service Attack
  - Virus / Worm Attacks
  - Logic Bombs
  - Trojan Attacks
  - Internet Time Thefts
  - Web Jacking
• Understand The Fundamentals
• Classification Of Cyber Crime
  - Computer As Target
  - Computer As An Instrumentality
  - Computer As An Incidental Or Other Crime
  - Crime Associated With The Prevalence Of Computers
• Why Learn About Cyber Crime
• Types Of Cyber Crime
• Email Related Crime
• Case Studies
  - Case No.1
  - Case No.2
  - Case No.3
  - Case No.4
• Characteristics Of Computer Crime
• Prevention Of Cyber Crime
• Questionnaire
• Relevance Of Evidence
• Indian Evidence Act (Amended)
• When Oral Admission As To Contents Of Electronic Records Are Relevant
• Opinion As To Digital Signature Where Relevant
• Proof As To Digital Signature
• Proof As To Verification Of Digital Signature
• Admissibility Of Electronic Records
• Presumption As To Electronic Records And Digital Signatures
• Presumption As To Electronic Messages
• Presumption As To Electronic Records Five Years Old
• Recent Amendments
• Important Amendments To IT Act
• Cyber Terrorism Is Defined In Section 66F
• Important Amendments To IPC
• Important Amendments To CRPC
• Our Analysis
• Conclusion
• Establishment of PUNE cyber cell

FORENSICS

• What Is Cyber Forensics
• Different Types Of Storage Media
• Electronic Evidence Precautions
• Computer Forensics
• Electronic Evidence Considerations
• Incident Response
• Collecting Volatile Data
• Imaging Electronic Media (Evidence)
• Forensic Analysis
• Reasons for Evidence
• Evidence Processing Guidelines
• Conclusion


What is Cyber crime?


Criminal activity that uses a computer or computer network as an element.
Cyber crime is the latest and perhaps the most complicated problem in the cyber world. “Cyber crime may be said to be those species, of which the genus is the conventional crime, and where either the computer is an object or subject of the conduct constituting crime.” Crime is a social and economic phenomenon and is as old as human society. Crime is a legal concept and has the sanction of the law. Crime or an offence is “a legal wrong that can be followed by criminal proceedings which may result into punishment.”
A crime may be said to be any conduct accompanied by act or omission prohibited by law and consequential breach of which is visited by penal consequences.
Examples Include:
• Cyber-extortion
• Information theft
• Fraud
• Identity theft
• Exploitation of children
• Intellectual property theft
• Phishing and Vishing

Definition:
“Any criminal activity that uses a computer either as an instrumentality, target or a means for perpetuating further crimes comes within the ambit of cyber crime”
“Unlawful acts wherein the computer is either a tool or target or both”
“Illegal computer-mediated activities that can be conducted through global electronic networks”

Reasons For Cyber Crime:


Hart in his work “The Concept of Law” has said ‘human beings are vulnerable so rule of law
is required to protect them’. Applying this to the cyberspace we may say that computers are
vulnerable so rule of law is required to protect and safeguard them against cyber crime. The
reasons for the vulnerability of computers may be said to be:


1. Capacity to store data in comparatively small space-
The computer has the unique characteristic of storing data in a very small space. This makes it much easier to remove or derive information through either a physical or a virtual medium.
2. Easy to access-
The problem encountered in guarding a computer system from unauthorised access is that there is every possibility of breach, not due to human error but due to the complex technology. Secretly implanted logic bombs, key loggers that can steal access codes, advanced voice recorders, retina imagers etc. that can fool biometric systems and bypass firewalls can be utilized to get past many a security system.
3. Complex-
Computers work on operating systems, and these operating systems in turn are composed of millions of lines of code. The human mind is fallible and it is not possible that there might not be a lapse at any stage. Cyber criminals take advantage of these lacunas and penetrate into the computer system.
4. Negligence-
Negligence is very closely connected with human conduct. It is therefore very probable that while protecting the computer system there might be some negligence, which in turn gives a cyber criminal the opportunity to gain access and control over the computer system.
5. Loss of evidence-
Loss of evidence is a very common & obvious problem, as all the data are routinely destroyed. Further, collection of data outside the territorial extent also paralyses this system of crime investigation.

Cyber Criminals
Cyber criminals fall into various groups or categories. This division may be justified on the basis of the object that they have in their mind. The following are the categories of cyber criminals-


1. Children and adolescents between the age group of 6 – 18 years –
The simple reason for this type of delinquent behaviour pattern in children is mostly the inquisitiveness to know and explore things. Another cognate reason may be to prove themselves to be outstanding amongst other children in their group. Further, the reasons may even be psychological. E.g. the BAL Bahrain (Delhi) case was the outcome of harassment of the delinquent by his friends.
2. Organised hackers-
These kinds of hackers are mostly organised together to fulfil a certain objective. The reason may be to fulfil their political bias, fundamentalism, etc. The Pakistanis are said to be one of the best quality hackers in the world. They mainly target the Indian government sites with the purpose of fulfilling their political objectives. Further, the NASA as well as the Microsoft sites are always under attack by hackers.
3. Professional hackers / crackers –
Their work is motivated by the colour of money. These kinds of hackers are mostly employed to hack the site of the rivals and get credible, reliable and valuable information. Further, they are even employed to crack the system of the employer, basically as a measure to make it safer by detecting the loopholes.
4. Discontented employees-
This group includes those people who have been either sacked by their employer or are dissatisfied with their employer. To avenge themselves they normally hack the system of their employer.

Mode and Manner of Committing Cyber Crime


1. Unauthorized access to computer systems or networks / Hacking-
This kind of offence is normally referred to as hacking in the generic sense. However, the framers of the Information Technology Act 2000 have nowhere used this term, so to avoid any confusion we will not use the word hacking interchangeably with ‘unauthorized access’, as the latter has a wide connotation.


2. Theft of information contained in electronic form-
This includes information stored in computer hard disks, removable storage media etc. Theft may be either by appropriating the data physically or by tampering with them through the virtual medium.
3. Email bombing-
This kind of activity refers to sending large numbers of mails to the victim, which may be an individual or a company or even mail servers, thereby ultimately resulting in crashing.
4. Data diddling-
This kind of attack involves altering raw data just before a computer processes it and then changing it back after the processing is completed. The electricity board faced a similar problem of data diddling while the department was being computerised.
5. Salami attacks-
This kind of crime is normally prevalent in financial institutions or for the purpose of committing financial crimes. An important feature of this type of offence is that the alteration is so small that it would normally go unnoticed. E.g. the Ziegler case, wherein a logic bomb was introduced in the bank’s system, which deducted 10 cents from every account and deposited it in a particular account.
6. Denial of Service attack-
The computer of the victim is flooded with more requests than it can handle, which causes it to crash. Distributed Denial of Service (DDoS) attack is also a type of denial of service attack, in which the offenders are wide in number and widespread. E.g. Amazon, Yahoo.
7. Virus / worm attacks-
Viruses are programs that attach themselves to a computer or a file and then circulate themselves to other files and to other computers on a network. They usually affect the data on a computer, either by altering or deleting it. Worms, unlike viruses, do not need a host to attach themselves to. They merely make functional copies of themselves and do this repeatedly till they eat up all the available space on a computer's memory. E.g. the love bug virus, which affected at least 5 % of the computers of the globe. The losses were accounted to be $ 10 million. The world's most famous worm was the Internet worm let loose on the Internet by Robert Morris sometime in 1988. It almost brought development of the Internet to a complete halt.
8. Logic bombs-
These are event dependent programs. This implies that these programs are created to do something only when a certain event (known as a trigger event) occurs. E.g. even some viruses may be termed logic bombs because they lie dormant all through the year and become active only on a particular date (like the Chernobyl virus).
9. Trojan attacks-
This term has its origin in the word ‘Trojan horse’. In the software field this means an unauthorized programme which passively gains control over another’s system by representing itself as an authorised programme. The most common form of installing a Trojan is through e-mail. E.g. a Trojan was installed in the computer of a lady film director in the U.S. while chatting. The cyber criminal obtained her nude photographs through the web cam installed in the computer. He further harassed this lady.
10. Internet time thefts-
Normally in these kinds of thefts the Internet surfing hours of the victim are used up by another person. This is done by gaining access to the login ID and the password. E.g. Colonel Bajwa’s case, in which the Internet hours were used up by another person. This was perhaps one of the first reported cases related to cyber crime in India. However, this case made the police infamous for their lack of understanding of the nature of cyber crime.
11. Web jacking-
This term is derived from the term hi-jacking. In these kinds of offences the hacker gains access and control over the web site of another. He may even mutilate or change the information on the site. This may be done for fulfilling political objectives or for money. E.g. recently the site of MIT (Ministry of Information Technology) was hacked by Pakistani hackers and some obscene matter was placed therein. Further, the site of the Bombay crime branch was also web jacked. Another case of web jacking is that of the ‘gold fish’ case. In this case the site was hacked and the information pertaining to gold fish was changed. Further, a ransom of US $ 1 million was demanded. Thus web jacking is a process whereby control over the site of another is taken, backed by some consideration for it.

Understand the Fundamentals

• Internet has offered us a much more convenient way to share information across time and place.
• Cyberspace also opened a new venue for criminal activities.
  - Cyber attacks
  - Distribution of illegal materials in cyberspace
  - Computer-mediated illegal communications within big crime groups or terrorists
• Cyber crime has become one of the major security issues for the law enforcement community.
• The anonymity of cyberspace makes identity tracing a significant problem which hinders investigations.
Classification of Cyber crime
1. Computer as Target
2. Computer as an instrumentality
3. Computer as an incidental or other crime
4. Crime associated with the prevalence of computers.
The above categories are not isolated compartments. Crime may often spill over from one
category to the other.

1. Computer As A Target Of A Crime
• Physical damage,
• Theft or destruction of information (data).
• The spread of viruses, worms,
• Software piracy, hacking etc.
• A computer virus is a self-replicating computer program written to alter the way a computer operates, without the permission or knowledge of the user.
2. Computer as an instrumentality
This category includes crimes where either computers or their contents are used in furtherance of crime, or offences which are committed by manipulating the contents of computer systems. They could include sending e-mails or ransom notes, or manipulating computer contents for credit card frauds, telecommunication frauds or theft.


3. Computer as incidental or other crime


This category includes conventional crimes in which, with the advent of the computer, criminals have started using the technology as an aid for their perpetuation. They include use of computers as an aid for drug trafficking, money laundering, child pornography etc.
4. Crime associated with the prevalence of computers.
• Copyright violation,
• Software piracy,
• Component theft etc.
Why Learn About Cyber Crime
• Everybody is using computers.
• From white collar criminals to terrorist organizations, and from teenagers to adults.
• Conventional crimes like forgery, extortion, kidnapping etc. are being committed with the help of computers.
• New generation is growing up with computers.
• Most important - monetary transactions are moving on to the Internet.
Types of Cyber Crime
• Hacking
• Denial Of Service Attack
• Virus Dissemination
• Software Piracy
• Pornography
• IRC Crime
• Credit Card Fraud
• Net Extortion
• Phishing
• Spoofing
• Cyber Stalking
• Cyber Defamation
• Threatening
• Salami Attack.

• HACKING
Hacking in simple terms means illegal intrusion into a computer system without the permission of the computer owner/user.
• DENIAL OF SERVICE ATTACK
This is an act by the criminal, who floods the bandwidth of the victim's network or fills his e-mail box with spam mail, depriving him of the services he is entitled to access or provide.
• VIRUS DISSEMINATION
Malicious software that attaches itself to other software. (Virus, worms, Trojan Horse, Time bomb, Logic Bomb, Rabbit and Bacterium are the malicious software.)
• SOFTWARE PIRACY
Theft of software through the illegal copying of genuine programs or the counterfeiting and distribution of products intended to pass for the original. Retail revenue losses worldwide are ever increasing due to this crime. It can be done in various ways: end user copying, hard disk loading, counterfeiting, illegal downloads from the internet etc.
• PORNOGRAPHY
Pornography is the first consistently successful e-commerce product. Deceptive marketing tactics and mouse trapping technologies encourage customers to access pornography websites. Anybody, including children, can log on to the internet and access websites with pornographic contents with a click of a mouse. Publishing or transmitting any material in electronic form which is lascivious or appeals to the prurient interest is an offence under the provisions of section 67 of I.T. Act -2000.
• IRC CRIME
Internet Relay Chat (IRC) servers have chat rooms in which people from anywhere in the world can come together and chat with each other. Criminals use it for meeting co-conspirators. Hackers use it for discussing their exploits / sharing the techniques. Pedophiles use chat rooms to allure small children. Cyber Stalking - In order to harass a woman her telephone number is given to others as if she wants to befriend males.

• CREDIT CARD FRAUD
You simply have to type the credit card number into the www page of the vendor for an online transaction. If electronic transactions are not secured, the credit card numbers can be stolen by hackers, who can misuse the card by impersonating the credit card owner.

[Figure: Credit card skimmer]

• NET EXTORTION
Copying the company's confidential data in order to extort said company for a huge amount.
• PHISHING
It is a technique of pulling out confidential information from bank/financial institution account holders by deceptive means.
• PHISHING EMAIL
From: *****Bank [mailto:support@****Bank.com]
Sent: 08 June 2004 03:25
To: India
Subject: Official information from ***** Bank
Dear valued ***** Bank Customer!
For security purposes your account has been
Randomly chosen for verification. To verify
Your account information we are asking you to
Provide us with all the data we are requesting.
Otherwise we will not be able to verify your identity
And access to your account will be denied. Please click
On the link below to get to the bank secure
Page and verify your account details. Thank you.
https://infinity.*****bank.co.in/Verify.jsp
****** Bank Limited
• SPOOFING
Getting one computer on a network to pretend to have the identity of another computer, usually one with special access privileges, so as to obtain access to the other computers on the network.
• CYBER STALKING
The criminal follows the victim by sending emails and entering the chat rooms frequently.
• CYBER DEFAMATION
The criminal sends emails containing defamatory matter to all concerned with the victim or posts the defamatory matter on a website.

• THREATENING
The criminal sends threatening email or comes in contact with the victim in chat rooms. (Anyone disgruntled may do this against a boss, friend or official.)
• SALAMI ATTACK
In such a crime the criminal makes insignificant changes in such a manner that the changes go unnoticed. The criminal makes a program that deducts a small amount like Rs. 2.@0 per month from the account of all the customers of the bank and deposits the same in his account. In this case no account holder will approach the bank for such a small amount, but the criminal gains a huge amount.
• SALE OF NARCOTICS
Sale & purchase through the net. There are web sites which offer sale and shipment of contraband drugs. They may use the techniques of steganography for hiding the messages.
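A defender's view of the salami attack described above, as an added example that is not part of the original report: it scans a transaction ledger for an account that collects the same tiny amount from many different accounts. The ledger, the account names and the thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict
from decimal import Decimal

# Constructed sample ledger (not real data): (source, destination, amount).
SAMPLE_LEDGER = (
    # the same tiny debit taken from eight different customers
    [(f"CUST-{n:03d}", "ACC-9001", "0.10") for n in range(1, 9)]
    + [
        ("CUST-001", "ACC-UTIL", "0.75"),    # small but varied payments
        ("CUST-002", "ACC-UTIL", "0.40"),
        ("CUST-003", "ACC-UTIL", "0.95"),
        ("CUST-004", "ACC-RENT", "850.00"),  # ordinary large transfers
        ("CUST-005", "ACC-RENT", "1200.00"),
    ]
)


def find_salami_sinks(ledger, max_amount="1.00", min_sources=5, min_uniform=0.8):
    """Flag accounts credited with the same tiny amount from many distinct accounts.

    max_amount, min_sources and min_uniform are illustrative thresholds
    (assumptions); tune them against the institution's real transaction mix.
    """
    limit = Decimal(max_amount)
    small = defaultdict(list)                  # destination -> [(source, amount)]
    for source, dest, amount in ledger:
        value = Decimal(amount)                # Decimal avoids float rounding on money
        if Decimal("0") < value <= limit:
            small[dest].append((source, value))

    findings = []
    for dest, credits in small.items():
        sources = {src for src, _ in credits}
        modal_amount, modal_count = Counter(v for _, v in credits).most_common(1)[0]
        uniform = modal_count / len(credits)   # share of credits equal to the modal amount
        if len(sources) >= min_sources and uniform >= min_uniform:
            findings.append({
                "account": dest,
                "distinct_sources": len(sources),
                "typical_amount": modal_amount,
                "total": sum(v for _, v in credits),
            })
    # Largest accumulated total first, so the reviewer starts with the biggest sink.
    return sorted(findings, key=lambda f: f["total"], reverse=True)


if __name__ == "__main__":
    for hit in find_salami_sinks(SAMPLE_LEDGER):
        print(hit)
```

No single account holder would notice the debit, but the receiving account stands out once the credits are grouped by destination.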
Email related crime
1. Email spoofing
2. Sending malicious codes through email
3. Email bombing
4. Sending threatening emails
5. Defamatory emails
6. Email frauds


Case Studies
Case No.1
Police Station – Vishrambaug (Emphasis)
G.R.N . 91/05 IPC No 467, 468, 471, 419, 420, 379, 34 with law of information &
Technology No. 66
Petitioner - Jay fin Robert Disuse
Criminals -
1) Ivan Samuel Thomas
2) Sheila’s Chanddrakant Burrower
3) Bijou Alexander
4) Siddhartha Mehta
5) Stephen Daniel
6) Marlin Fernandez
7) Prim john Phil poses
8) Soundharajan Jamaican
9) Jinee George
10) Stash Para
11) John Varghese

Incident- Date 25/1/2005 to 4/4/2005 time to time


Filed On 5/4/05 at 17:15
Evident Officer- Sanjay Judah Asst Police Commissioner (Fin & Cyber)
Crime Branch, Pune

Short Story- In the last week of March 2005, the Vice Chairman of City Bank notified that Rs.1,86,23,761 (4,27,061 American Dollars) from some of the A/c holders of City Bank of America had been transferred to various banks in Pune. The above amount has not been deposited in Pune Bank.


Finding- After the case was filed, the banks to which the amount had been transferred were intimated in writing that if someone came to enquire about the deposit of money in the particular bank, the Police were to be informed immediately.
1. Accordingly Rupees Bank, Rajendranagar branch, Pune reported that two persons came for the enquiry.
2. A Police squad was sent immediately and the two persons were taken into custody. Their names were:-
• Ivan Samuel Thomas
• Sheila’s Burrower
3. The enquiry found that Ivan Thomas was working in a BPO company in Pune named Emphasis (this company runs a customer care centre to give service to City bank account holders in America). His colleagues Bijou Alexander, Siddhartha Mehta, Stephen Daniel and Marlin Fernandez procured the ATM Cards lose as well as the PIN codes, Social Security Numbers and authorized e-mail IDs of 5 account holders of City Bank by social engineering. After that they transferred Rs. 1 Cr 86 lakh to various banks in Pune by using the wire transfer facility. This facility is used to transfer amounts through the internet. When you go to City bank's website, you choose the option wire transfer. Then you put in the user ID & password, and an automatic code is generated. This code is sent to the authorized e-mail ID of the account holder. Then this code is submitted to the wire transfer page. Only then is the account accessible to the particular account holder.

4. All the hard disks of the cyber cafés from where the amount was transferred were seized. The full information of the e-mail ID from where the automatic code was taken was also noted, with the full header.
5. The above criminals opened fake accounts in various banks; supporting proofs have been taken from the banks.
The crime report has been submitted against the criminals.

Result awaited.


Case No.2
Police station- Decca Gymkhana
G.R.N 199/07 IPC Code. 420, 467, 468, 34 with law of information & technology of 2000 cool
43, a, b, h 66 & 72
Petitioner- Sunil Marianna Made age 32 yrs occupation- service (Rise manager HDFC stargaze, Pune) Residential Address B-402 Uttamnagar, Pune-23
Criminal- Moil Laming Harkin Age-30 Residential Address- Ignore Rd near Vidyasagar High school, Naphtha, Delhi
Native- Churchyard Poor Lama, at & Post Bethel, Manipur
Incident- 24/4/2007 between 15:45 and 16:00 at Rank Jewelers, Carve Rd, Pune.
Case filed- 24/04/07 at 23:00 hrs
Evident officer- Entail Shined Asst. Police Commissioner (Fin & cyber) crime Branch Pune.

Short Story- The criminal lady and her colleagues, 1) Utahan 2) a Nepali man 3) a lady named Mara, together made a purchase on 24/04/07 between 15:45 and 16:00 hrs at Rank Jewelers, Carve Rd, Pune, using an HDFC Bank credit card, but this card belongs to Missoula Federal union, a USA bank. This was found through the Risk monitoring system, and it was also found that the card was fake. The lady was arrested on the spot, but her other colleagues ran away.
Finding- The lady criminal was found with a Chinese passport in the name of Talon Eyeing. Immigration stamps of Indonesia, Australia and Germany were found on it. The criminal lady was also found with credit cards of five banks in the name of Talon Eyeing.
1. Sent a letter to Airtel, Hutch, Idea & Tata to get the information of the criminal’s mobile no 9967674094 & her colleagues' mobile nos.
2. Sent a letter to the bank to get information on the credit card holders.
3. To verify the genuineness of the passport, consumer Chennai and Embassy Mumbai were approached by letter.
4. Took statements at Mosaic Palace, Shirted Rd, Pune, where the criminal & her colleagues were staying, and also took the statements of the manager & owner of Rank Jewelers.
5. Came to know through HDFC, HSBC and Standard Chartered Bank that the credit cards the criminal lady was holding are of Missoula Federal Credit Union, USA.


6. Sent a letter to the Police commissioner, Chennai for information, as the criminal's passport was emigration stamped by Chennai passport.
7. Sent a wireless to south Manipur Police to get address proof and character information.
8. Sent a Police squad to Delhi to search for the other criminals.
9. Regarding the passport, a fax received from the Embassy of China stated that the concerned passport was from the Hong Kong Special Administrative Region and had expired on 10th Sep 2003.
10. Information received from Manipur police by wireless is as below-

Lady Name- Neural Moil Hop kip
Occupation- Service in private company in Delhi. Married with Sri Sensing, Resident Chore, Sandspur
Marital Status- 2 Daughters. Etc

After the criminal reports were sent to the court, the criminal lady was punished by the court.


Case No- 3
Police Station - Yawed
G.R.N - 2/8/08 C B V 403419420
Applicant - Swap nil Deli Sail Age 30 Son 401/r
Balladic VadyanNagar Vadgensheri Pune 14
Accursed - Yogis Chowder Chennai
Applied on - on 25/3/08 Use of credit card stolen.
Enquiry Officer - Kristi Kumar Patel PSI

Short Story- Yogis purchased air tickets on 28/3/08 for Rs.18,596.10. Swap nil has a City Bank credit card and takes online account statements. On 24/4/08 he saw a bill of Rs.18596.10 for a transaction done on 28/3/08 from Makemytrip.com & Airdeccan.com. Yogis had taken the tickets.

Enquiry- Mail IDs used:
indiaservice@Ghcorp.com
Service@makemytrip.com
utharabbm@airdeccan.net
For these, the full IP address was needed.

1. To find out whose IP this is, a domain tool was used, which gave the name Isaac Telecom India Pvt Ltd. Sutra
2. Sent a letter to Ibarra to enquire to whom this IP address was given. Got the information that IP address 123.201.56.193 is dynamic and was given to Yogis Chowdery Chennai.
3. Mobile nos in use: 9884214361, 9789943185. Got details of these phones & phone calls from Manager Airtel & Manager Hutch.
4. Visit to Chennai to find out Yogis.
5. Caught him at Chennai he deterrent he has done this crime.
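The enquiry steps above depend on pulling the sender's IP address and the exact time out of the full e-mail header before asking the provider who held a dynamic address at that moment. The following added example (not part of the original report) walks the Received chain of a constructed message with Python's standard email module; the host names, addresses and the helper names received_chain and originating_hop are assumptions made for illustration.

```python
import email
import ipaddress
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample message (not from the case file). Addresses come from the
# documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24.
RAW_MESSAGE = (
    "Received: from mx.bank.example (mx.bank.example [198.51.100.25])\n"
    "\tby mail.recipient.example with ESMTP id A1; Mon, 28 Mar 2005 10:15:09 +0530\n"
    "Received: from webmail.provider.example (webmail.provider.example [192.0.2.44])\n"
    "\tby mx.bank.example with ESMTP id B2; Mon, 28 Mar 2005 10:15:05 +0530\n"
    "Received: from [10.0.0.12] (cafe-pc.example [203.0.113.77])\n"
    "\tby webmail.provider.example with HTTP; Mon, 28 Mar 2005 04:45:01 +0000\n"
    "From: sender@provider.example\n"
    "To: holder@recipient.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Internal ranges are listed explicitly (RFC 1918 plus loopback). ipaddress's
# is_private is not used because it also covers the documentation ranges above.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # IPv4 literals in brackets
BY_RE = re.compile(r"\bby\s+(\S+)")


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def extract_ips(text):
    """Return syntactically valid bracketed IPv4 addresses, in order."""
    found = []
    for candidate in IP_RE.findall(text):
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            continue                                  # e.g. [999.1.1.1]
        found.append(candidate)
    return found


def received_chain(raw_message):
    """Return the Received hops oldest-first as dicts with by, ips and utc."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each server prepends its own header, so the last one in the file is the oldest.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())                # undo header folding
        stamp = flat.rsplit(";", 1)[-1].strip()       # date follows the last ';'
        try:
            when = parsedate_to_datetime(stamp)
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            when = when.astimezone(timezone.utc)
        except (TypeError, ValueError):
            when = None                               # unparseable or missing date
        by = BY_RE.search(flat)
        hops.append({"by": by.group(1) if by else None,
                     "ips": extract_ips(flat),
                     "utc": when})
    return hops


def originating_hop(raw_message):
    """Return the earliest hop that exposes an external IP, or None.

    The UTC time matters for a dynamic address: the provider can only map it
    to a subscriber for a specific moment. Hops recorded by servers outside
    your control can be forged, so treat the result as a lead to confirm
    against the provider's own logs.
    """
    for hop in received_chain(raw_message):
        for ip in hop["ips"]:
            if not is_internal(ip):
                return {"ip": ip, "utc": hop["utc"], "recorded_by": hop["by"]}
    return None


if __name__ == "__main__":
    print(originating_hop(RAW_MESSAGE))
```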


Case No.4
Police Station- Koshered G.R.N 00107 BDV 509 information Security Act 5.67
Apply by - Miss Sanity Koshered Pane
Against - Miss Lisa and Pane
Happened on- Before 26/06/07 12:30
Recorded on- 28/06/07 5:00 PM
Short Story- Before 26/06/07 someone stole the password of Sanity's email ID & profile XYZ on the Rout website and posted some very bad exposition on the website.
Director- Net Shined PSI
Enquiry- Sent an e-mail to the Google company asking for all database details of the link on the Rout website: prepared under what name, on what date, time and IP address. Saniya came to know from friends that there were some bad things on Rout by Lisa Cornello. 3 to 4 weeks before, Saniya tried to prepare a new account abc@hotmail.com. On that website the bad topic was profiled again. Visited Sanity’s residence and checked her computer for whether there was any virus or not. Sent a read notify to Sanity regarding her password at xyz@hotmail.com having been stolen by somebody. Read the information from Google on 3/7/09.
Profile prepared by Sanity was as follows:-
E-mail Profile email Id xyz@hotmail.com
IP Address 59.161.3.66 on 8/5/07 4IS GMT.
Secondary email Id LisaCornello@yahoo.co.in
Trace out all information from above address.
Received the following information from Yahoo on 14/5/09 at 9:36:14: Lisacornello@yahoo.co.in and IP Address 219.64.160.136 has been prepared. On 5/5/07 3:36:4 Lisacornello@yahoo.co.in Email ID and IP Address 59.169.3.66 prepared on 8/05/07
Let following information for Domain tools
File Number- 12345678
Name - Lisa
Phone - 122344568
Address- And Pane
Red on Lisa Residence makes all necessary Police Action. Story is Lisa & Sanity were friends
being affairs with Shoed. The Police ceased the Hard disk & CPU sent it to forensic lab.
Lisa was punished by 2 yrs prison & 2, 75,000 cash fine.


Characteristics of Computer Crime

 Silent in Nature: Computer crime can be committed in privacy without physically going to
the scene of the crime, i.e. without any eye witnesses. There are no signs of physical violence
or struggle.
 Global in character: There are no national borders. Sitting comfortably far away from a
country, one could destroy its entire economy. As digital evidence is fragile in nature, one
has to respond quickly.
 Non-existence of Physical Evidence: There is no physical evidence to indicate that a crime has
been committed. Only on a closer look can a trained person find the evidence, which is not in
the traditional format but in digital format.
 Creates high Impact: Impact is severe and may be long term. It can damage the victim
system permanently. Loss of good will.
 High Potential and Easy to Perpetrate: A software developer who did not get enough
money or a good job may turn to the criminal world for survival. Therefore, computer
crimes have the potential to increase, and organized mafia may enter this sector.
Prevention of Cyber Crime:
Prevention is always better than cure. It is always better to take certain precautions while
operating the net. A netizen should make them part of his cyber life. Saileshkumar Zackary,
technical advisor and network security consultant to the Mumbai Police Cyber crime Cell,
advocates the 5P mantra for online security: Precaution, Prevention, Protection, Preservation
and Perseverance. A netizen should keep in mind the following things-

1. To prevent cyber stalking avoid disclosing any information pertaining to
oneself. This is as good as disclosing your identity to strangers in a public
place.
2. Always avoid sending any photograph online, particularly to strangers and
chat friends, as there have been incidents of misuse of photographs.
3. Always use the latest, up-to-date anti-virus software to guard against virus
attacks.
4. Always keep back-up volumes so that one may not suffer data loss in case
of virus contamination.
5. Never send your credit card number to any site that is not secured, to
guard against frauds.


6. Always keep a watch on the sites that your children are accessing to
prevent any kind of harassment or depravation in children.
7. It is better to use a security programme that gives control over the cookies
that send information back to the site, as leaving the cookies unguarded
might prove fatal.
8. Web site owners should watch traffic and check for any irregularity on the
site. Putting host-based intrusion detection devices on servers may do this.
9. Use of firewalls may be beneficial.
10. Web servers running public sites must be physically separated and protected
from the internal corporate network.

Adjudication of a Cyber Crime - On the directions of the Bombay High Court the Central
Government has, by a notification dated 25.03.03, decided that the Secretary to the
Information Technology Department in each state by designation would be appointed as
the AO for each state.


QUESTIONNAIRE
QUESTIONNAIRE RELATED TO THE RECOMMENDATIONS FROM THE FOURTH
MEETING OF GOVERNMENTAL EXPERTS ON CYBER-CRIME

1. In which of the following areas does our country have existing cyber-crime
legislation in place?
a) IT act Cyber laws (e.g., laws prohibiting online identity theft, hacking,
intrusion into computer systems, child pornography): Yes ___ No ___

If yes, please list and attach copies of all such legislation, preferably in electronic
format if possible:

65 – Code Modification

66 – Hacking

67 – Pornography

b) Procedural cyber-crime laws (e.g., authority to preserve and obtain electronic
data from third parties, including internet service providers; authority to
intercept electronic communications; authority to search and seize electronic
evidence): Yes ___ No ___

If yes, please list and attach copies of all such legislation, preferably in electronic
format if possible:

41 CRPC

42 CRPC

100 CRPC

78 – Search and seize

80 – All police rights.

c) Mutual legal assistance related to cyber-crime: Yes ___ No ___

If yes, please list and attach copies of all such legislation, preferably in electronic
format if possible:

They need only Technical help during case investigation.


2. Please identify whether the following forms and means (1) occur frequently, (2) occur
infrequently, or (3) have not occurred, by placing an “X” as appropriate in the
following table:

Forms and Means of Cyber-Crime | Occur Frequently | Occur Infrequently | Has not Occurred
Online identity theft (including phishing and online trafficking in false identity information)
Hacking (illegal intrusion into computer systems; theft of information from computer systems)
Malicious code (worms, viruses, malware and spyware)
Illegal interception of computer data
Online commission of intellectual property crimes
Online trafficking in child pornography
Intentional damage to computer systems or data
Others


a) In addition to the above, if there are any other forms and means of cyber-crime
that have occurred (either frequently or infrequently) in our country,
please identify them as well as the frequency with which they occur in the
following table.

Forms and Means of Conduct | Occur Frequently | Occur Infrequently
Cheating Threatening

Cyber Stalking

Credit card fraud

Copy Right

Source Code

3. Does our country have any concrete experiences with respect to strengthening the
relationship between the authorities responsible for investigating and/or prosecuting cyber-
crimes, and internet service providers that may be shared with other States as a best practice
in this area? Yes No ___

If yes, please explain: ISP’s meeting, Bank models meeting cyber committee
regular basic interaction.

4. Has our country identified, created, or established a unit or entity specifically charged
with directing and developing the investigation of cyber-crimes? Yes No

If yes, please provide the following information: CBI Crime cell, CID

The institution to which the unit/entity belongs: POLICE

The number of officers or investigators in the unit/entity: 4-5

If such a unit/entity has been created or established, are its functions dedicated
exclusively to the investigation of cyber-crimes? Yes No ___

If no, what other types of offenses or crimes is this unit/entity responsible for
investigating and/or prosecuting?

5. Has our country identified, created, or established a unit or entity specifically charged with
directing and developing the prosecution of cyber-crimes? Yes ___ No


Relevance of Evidence
 Main purpose of investigation of any crime is to collect sufficient & legally admissible
evidence to ensure conviction of offenders.
 Requirements of evidence in Cyber Crimes are not different but its nature has made
collection of Evidence a specialized job.
 Evidence Act & rules already in existence were considered not sufficient; so IT Act, 2000
made extensive changes in Indian Evidence Act, 1872

Indian Evidence Act (Amended)


3. Evidence - "Evidence" means and includes:

 All documents including electronic records produced in Court are called documentary
evidence.
 “Electronic records” has the same meaning as assigned in IT Act,2000, i.e.:
 image or sound stored, received or sent in an electronic form; or
 micro film or computer generated micro fiche;
 17. Admission defined - An admission is a statement, oral or documentary or contained in
electronic form which suggests any inference as to any fact in issue or relevant fact.
 27. How much of information received from accused may be proved - When any fact is
discovered in consequence of information received from a person accused of any offence,
in the custody of a police officer, so much of such information, as relates distinctly to the
fact thereby discovered, may be proved.

When oral admission as to contents of electronic records is relevant:


 22A. Oral admissions as to the contents of electronic records are not relevant, unless the
genuineness of the electronic record produced is in question.
 59. Proof of facts by oral evidence - All facts, except the contents of documents or
electronic records, may be proved by oral evidence.
 39. How much evidence to be given when statement forms part of electronic record:
When any statement of which evidence is given forms part of an electronic record, then
evidence shall be given of so much and no more of the electronic record, as the Court
considers necessary in that particular case to the full understanding of the nature and
effect of the statement, and of the circumstances under which it was made.

Opinion as to digital signature where relevant.
 47A. When the Court has to form an opinion as to the digital signature of any person, the
opinion of the Certifying Authority which has issued the Digital Signature Certificate is a
relevant fact.

Proof as to digital signature.


 67A. Except in the case of a secure digital signature, if the digital signature of any
subscriber is alleged to have been affixed to an electronic record, the fact that such digital
signature is the digital signature of the subscriber must be proved.

Proof as to verification of digital signature.


 73A. In order to ascertain whether a digital signature is that of the person by whom it
purports to have been affixed, the Court may direct-
 That person or the Controller or the Certifying Authority to produce the Digital
Signature Certificate;
 Any other person to apply the public key listed in the Digital Signature Certificate
and verify the digital signature purported to have been affixed by that person.

Admissibility of electronic records.


 65B. (1) Any information contained in an electronic record which is printed on a paper,
stored, recorded or copied in optical or magnetic media produced by a computer shall be
deemed to be also a document, if certain conditions are satisfied.
 It shall be admissible in any proceedings, without further proof or production of the
original, as evidence of any contents of the original or of any fact stated therein of
which direct evidence would be admissible.


 65 B (2) The conditions are as following:


 The computer output was produced during the period when it was used regularly to
store or process information for the purposes of any activities regularly carried on by
a person having lawful control over the computer;
 During the said period, information of the kind contained in the electronic record or
of the kind from which the information so contained is derived was regularly fed into
the computer in the ordinary course of the said activities;
 65(c) throughout the said period, computer was operating properly or, if not, then that
part of the period was not such as to affect the electronic record or the accuracy of its
contents
 65(d) the information contained in the electronic record reproduces or is derived from
such information fed into the computer in the ordinary course of the said activities.

Presumption as to electronic agreements.

 85A The Court shall presume that every electronic record purporting to be an agreement
containing the digital signatures of the parties was so concluded by affixing the digital
signature of the parties.

Presumption as to electronic records and digital signatures:


 85B. (1) the Court shall presume that the secure electronic record has not been altered
since the specific point of time to which the secure status relates.
 (2) In proceedings involving secure digital signature, the Court shall presume that the
secure digital signature is affixed by subscriber with the intention of signing or approving
the electronic record.

Presumption as to electronic messages:


 88A. The Court may presume that an electronic message forwarded by the originator
through an electronic mail server to the address to whom the message purports to be
addressed corresponds with the message as fed into his computer for transmission;


 But the Court shall not make any presumption as to the person by whom such message
was sent.

Presumption as to electronic records five years old.


 90A. Where any electronic record, purporting or proved to be five years old, is produced
from any custody which the Court in the particular case considers proper, the Court may
presume that the digital signature which purports to be the digital signature of any
particular person was so affixed by him or any person authorized by him in this behalf.

Recent Amendments
 The Information Technology (Amendment) Bill, 2008 (Bill No.96-F of 2008) was passed
by the Lok Sabha on 22-12-2008 and by the Rajya Sabha on 23-12-2008.
 It received His Excellency the President’s assent on 5th February, 2009.
 The date from which the amendments are to be applicable is yet to be notified.

Important Amendments to IT Act


 In Section 43, two new offences added:
 Destroying, deleting or altering information in a computer resource to diminish its
value.
 Stealing, concealing or destroying any computer source code with intention to cause
damage.
 Sec. 66 has been replaced providing that if any of the acts mentioned in Section 43 was
done dishonestly or fraudulently, it is punishable with 3 Years Imprisonment or Fine of
Rs.5.00 Lacs or with both.
 A new Sec.66A is added providing for three years imprisonment and fine for sending:
 Offensive or menacing information; or
 False information for causing insult, injury, intimidation, hatred or ill-will; or
 E-mail causing annoyance, or to deceive or mislead the recipient about the origin of that
e-mail


 Section 66B makes it an offence to dishonestly receive or retain any stolen computer
resource or communication device, which is punishable with 3 years imprisonment or fine
up to Rs. 1.00 Lac.
 Dishonest use of Electronic Signatures, password or identification feature invites
punishment up to 3 years and fine up to Rs. 1.00 Lac (Section 66C)
 Impersonation with the help of computer or communication device will result in 3 years
imprisonment and fine up to Rs.1.00 Lac (Section 66D)
 Violation of privacy by way of sending electronic visual images of private parts of body
is also punishable with 3 years’ imprisonment or fine up to Rs. 1.00 Lac. (Section 66E).

Cyber Terrorism is defined in Section 66F:

 Whoever threatens the unity, integrity, security or sovereignty of India or strikes terror in
people by:
 Denying access to computer resource; or
 Accessing computer resource without authority; or
 Introducing any computer contaminant
 and causes death or destruction of property; or
 Penetrates restricted computer resources or information affecting sovereignty, integrity,
friendly relations with foreign states, public order, decency, contempt of court,
defamation or to the advantage of foreign state or group of persons.
 It is punishable with imprisonment up to life
 Obscenity has been defined in new Section 67, punishable with imprisonment for 3 years
with fine up to Rs. 5.00 Lacs for first offence and imprisonment for 5 years with fine up to
Rs. 10.00 Lacs for subsequent offence.
 Section 67A deals with publishing or transmitting sexually explicit material, which is
punishable with 5 years imprisonment & fine up to 10.00 Lacs for first offence and for
subsequent offence, imprisonment up to 7 years with fine up to 10.00 Lacs.
 Child Pornography has been made a separate offence in Section 67B, punishable with 5
years imprisonment & fine up to 10.00 Lacs for first offence and for subsequent offence,
imprisonment up to 7 years with fine up to 10.00 Lacs.


 Section 69 has been redrafted enabling Government agencies to intercept, monitor or
decrypt any electronic information with the help of subscribers, intermediary or person in
charge of computer resources.
 Non-cooperation by any of the above invites imprisonment up to 7 years with fine.
 69A: Government gets power to issue directions for blocking for public access of any
information through any computer resource.
 An intermediary who fails to comply with directions in this regard shall be punished with
imprisonment up to 7 years with fine.
 69B: For cyber security, Government may order any intermediary to allow access to
any computer resources and violation results in imprisonment up to 3 years with fine.
 Sec.72A provides for punishment for disclosure of information in breach of lawful
contract extending up to 3 years or fine to the tune of Rs. 5.00 Lacs or with both.
 Section 77: confiscation, compensation awarded or penalty imposed does not come in the
way of penalty, punishment or compensation under any other Act.
 Compounding of offences with punishment up to 3 years allowed subject to the
conditions that accused has no previous conviction or the offence does not affect the
socio-economic conditions or it was not committed against a child or a woman.
 Sec. 77B prescribes that notwithstanding CRPC:
 Offence punishable with imprisonment of 3 years and above is cognizable.
 Offence punishable with imprisonment up to 3 years is bailable.
 Power to investigate Cyber Crimes has been now vested in Inspectors in place of Dy.S.P.
 Office of Government Examiner of Electronic Evidence is to be established. (Section
79A).
Important Amendments to IPC
 Jurisdiction is not bounded by Country’s boundaries if the target is a computer resource
located in India. Section 4(3)
 Any act done anywhere in the world is an offence if the said act, if committed in India is
an offence. Explanation (a) to Section 4
 Voluntary concealment of existence of a design by encryption or any other information
hiding tool is an offence.
 The words “Digital Signatures” have been replaced with “Electronic signatures”.


Important Amendments to CRPC


 Opinion of Examiner of Electronic Evidence has been made relevant. (Section 45A)
 Examiner is to be treated as an Expert.
 Examiner is to be examined like any other expert from CFSL or other Labs.
 Words “Digital Signature” are to be replaced by “Electronic Signature”.

Our Analysis
As we have seen, crimes committed with the help of computers or technology have become a
very serious issue nowadays. Anybody can be a victim, whether a naïve person or a tech-savvy
one. From the cyber crimes described above we can conclude that, to counter these crimes, the
end user should be educated about them. He/she should be cautious when checking his/her
e-mails or when downloading files/software. Users should change their password after 45 days,
set a strong password that uses alphanumeric and special characters, and never use the
Administrator account if not required. They should always keep the antivirus updated, try to
keep a licensed copy of the software they use, and try to secure their network, both LAN and
wireless.

Conclusion:
Capacity of human mind is unfathomable. It is not possible to eliminate cyber crime from the
cyber space. It is quite possible to check them. History is the witness that no legislation has
succeeded in totally eliminating crime from the globe. The only possible step is to make people
aware of their rights and duties (to report crime as a collective duty towards the society) and
further making the application of the laws more stringent to check crime. Undoubtedly the Act is
a historical step in the cyber world. Further, I do not altogether deny that there is a need to bring
changes in the Information Technology Act to make it more effective to combat cyber crime. I
would conclude with a word of caution for the pro-legislation school that it should be kept in
mind that the provisions of the cyber law are not made so stringent that it may retard the growth
of the industry and prove to be counter-productive.


Establishment of PUNE Cyber Cell


It was established on 1st July 2003. The following officers are involved in this department:

 Police Commissioner
 Two Asst. Police Commissioner
 Two Sub Inspector
 And ten constables in the team.

In the year 2008, 63 cases were registered. Between 2003 and 2008 the total number of
cases registered with the Police was 452.

Police Station under IT Act 2000

Year 2001 2002 2003 2004 2005 2006 2007 2008 2009 total
Total 03 04 09 06 10 10 13 08 09 72

In year 2008 the Cyber Crime Cell has solved 15 cases.

Cyber Crime Cell

Year 2003 2004 2005 2006 2007 2008 2009 Total
Total 05 30 32 79 99 207 92 544

Pune Cyber Lab


On 20th January Pune Cyber Lab was established in collaboration with NASSCOM, near
Shivaji Nagar in Pune. In this department there are 580 officers and 411 staff, of whom the
members of the 76th Batch have been provided with cyber crime investigation training.
In addition, 65 judges have attended the cyber crime program/training.


WHAT IS CYBER FORENSICS?

Cyber forensics is the discovery, analysis, and reconstruction of evidence extracted from any
element of computer systems, computer networks, computer media, and computer peripherals
that allows investigators to solve the crime.

Four Stages
 Acquire
 Authenticate
 Analyze
 Documentation


DIFFERENT TYPES OF STORAGE MEDIA

ELECTRONIC EVIDENCE PRECAUTIONS

 Static Electricity
 Magnetic Fields
 Shock
 Moisture


Computer Forensics:-
Computer forensics is a branch of forensic science pertaining to legal evidence found in
computers and digital storage mediums.
Computer forensics, also called cyber forensics, is the application of computer
investigation and analysis techniques to gather evidence suitable for presentation in a court of
law. The goal of computer forensics is to perform a structured investigation while maintaining a
documented chain of evidence to find out exactly what happened on a computer and who was
responsible for it.
Computer forensics experts investigate data storage devices, such as hard drives, USB
Drives, CD-ROMs, floppy disks, tape drives, etc., identifying sources of documentary or other
digital evidence, preserving and analyzing evidence, and presenting findings. Computer forensics
adheres to standards of evidence admissible in a court of law.

Electronic evidence considerations


Electronic evidence can be collected from a variety of sources. Within a company’s
network, evidence will be found in any form of technology that can be used to transmit or store
data. Evidence should be collected from three parts of an offender’s network: at the
workstation of the offender, on the server accessed by the offender, and on the network that
connects the two. Investigators can therefore use three different sources to confirm the data’s
origin.

Incident Response
An important part of computer forensics lies in the initial response to a computer crime. It
is at this point that the suspect computer and related devices are identified and prepared for the
forensic response. In a corporate environment, this is simply done by locating the perpetrator's
computer workstation and collecting a forensic image of the hard drive, and any related media.
In a criminal situation with a law enforcement response, the incident response involves the
proper serving of a search warrant and lawful collection of evidentiary media. While in some
corporate environments the computer is left behind, sometimes to give the impression that the
employee is not a targeted suspect, law enforcement will attempt to seize all computer related
material (bag and tag) and transfer it to a forensic laboratory for analysis.


Collecting Volatile Data


If the machine is still active, any intelligence which can be gained by examining the
applications currently open is recorded. If the machine is suspected of being used for illegal
communications, such as terrorist traffic, not all of this information may be stored on the hard
drive. If information stored solely in RAM is not recovered before powering down it may be lost.
This results in the need to collect volatile data from the computer at the onset of the response.

Imaging electronic media (evidence)


The process of creating an exact duplicate of the original evidentiary media is often
called Imaging. Using a standalone hard-drive duplicator or software imaging tools such as AIR,
the entire hard drive is completely duplicated. This is usually done at the sector level, making a
bit-stream copy of every part of the user-accessible areas of the hard drive which can physically
store data, rather than duplicating the file system. The original drive is then moved to secure
storage to prevent tampering. During imaging, a write protection device or application is
normally used to ensure that no information is introduced onto the evidentiary media during the
forensic process.

Forensic Analysis
All digital evidence must be analyzed to determine the type of information that is stored
upon it. For this purpose, specialty tools are used that can display information in a format useful
to investigators. Such forensic tools include: Brian Carrier's Sleuth Kit, Foremost and Smart. In
many investigations, numerous other tools are used to analyze specific portions of information.

Reasons for Evidence


 Wide range of computer crimes and misuses
 Non-Business Environment: evidence collected by Federal, State and local authorities for
crimes relating to:
 Theft of trade secrets
 Fraud


 Extortion
 Industrial espionage
 Possession of pornography
 SPAM investigations
 Virus/Trojan distribution
 Homicide investigations
 Intellectual property breaches
 Unauthorized use of personal information
 Forgery
 Perjury
 Computer related crime and violations include a range of activities including:
o Business Environment:
 Theft of or destruction of intellectual property
 Unauthorized activity-
 Tracking internet browsing habits
 Reconstructing Events
 Inferring intentions
 Selling company bandwidth
 Wrongful dismissal claims
 Sexual harassment
 Software Piracy
Evidence Processing Guidelines
 New Technologies Inc. recommends following 16 steps in processing evidence
 They offer training on properly handling each step
o Step 1: Shut down the computer
 Considerations must be given to volatile information
 Prevents remote access to machine and destruction of evidence (manual or
anti-forensic software)
o Step 2: Document the Hardware Configuration of The System


 Note everything about the computer configuration prior to re-locating
o Step 3: Transport the Computer System to A Secure Location
 Do not leave the computer unattended unless it is locked in a secure
location
o Step 4: Make Bit Stream Backups of Hard Disks and Floppy Disks
o Step 5: Mathematically Authenticate Data on All Storage Devices
 Must be able to prove that we did not alter any of the evidence after the computer
came into our possession
o Step 6: Document the System Date and Time
o Step 7: Make a List of Key Search Words
o Step 8: Evaluate the Windows Swap File
o Step 9: Evaluate File Slack
 File slack is a data storage area of which most computer users are
unaware; a source of significant security leakage.
o Step 10: Evaluate Unallocated Space (Erased Files)
o Step 11: Search Files, File Slack and Unallocated Space for Key Words
o Step 12: Document File Names, Dates and Times
o Step 13: Identify File, Program and Storage Anomalies
o Step 14: Evaluate Program Functionality
o Step 15: Document Our Findings
o Step 16: Retain Copies of Software Used
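
Steps 4, 5 and 11 above, together with the earlier imaging passage, as an added Python example that is not part of the report or of New Technologies Inc.'s material: it makes a bit-stream copy while hashing the source, re-hashes the copy to authenticate it, and searches the raw bytes so that hits in file slack and unallocated space are reported. The 512-byte cluster size, the sample "disk" and its contents are constructed for the demonstration, and SHA-256 is an assumed choice of hash.

```python
import hashlib
import io

CHUNK = 64 * 1024  # read size in bytes; hashing is streamed, so any size works


def acquire_image(source, dest, chunk=CHUNK):
    """Step 4: bit-stream copy of `source` into `dest`, below the file system.

    The SHA-256 is computed over the bytes as they are read, so the digest
    describes the original media, not whatever ended up in the copy.
    """
    digest = hashlib.sha256()
    for block in iter(lambda: source.read(chunk), b""):
        digest.update(block)
        dest.write(block)
    return digest.hexdigest()


def verify_image(image, acquisition_digest, chunk=CHUNK):
    """Step 5: re-hash the working copy and compare with the acquisition hash."""
    image.seek(0)
    digest = hashlib.sha256()
    for block in iter(lambda: image.read(chunk), b""):
        digest.update(block)
    return digest.hexdigest() == acquisition_digest


def search_raw(image, keywords, chunk=CHUNK):
    """Step 11: case-insensitive keyword search over the raw image bytes.

    Working below the file system means hits in file slack and unallocated
    space are reported too. Returns a sorted list of (byte_offset, keyword).
    """
    needles = [k.lower().encode() for k in keywords]
    overlap = max(len(n) for n in needles) - 1
    hits, tail, base = set(), b"", 0  # base = image offset of window[0]
    image.seek(0)
    for block in iter(lambda: image.read(chunk), b""):
        window = tail + block
        lowered = window.lower()
        for needle in needles:
            pos = lowered.find(needle)
            while pos != -1:
                hits.add((base + pos, needle.decode()))
                pos = lowered.find(needle, pos + 1)
        # Keep the last bytes so a keyword split across two reads is still found.
        tail = window[-overlap:] if overlap else b""
        base += len(window) - len(tail)
    return sorted(hits)


def build_sample_disk(cluster=512):
    """Constructed 4-cluster 'disk' for the demo; not real evidence."""
    live = b"quarterly report draft"            # current file content
    residue = b"transfer to ACCOUNT 0000-TEST"  # older data left in file slack
    cluster0 = (live + b"\x00" * 10 + residue).ljust(cluster, b"\x00")
    # Cluster 1 is unallocated but still holds the bytes of a deleted file.
    cluster1 = b"deleted memo: password hint TESTONLY".ljust(cluster, b"\x00")
    return cluster0 + cluster1 + bytes(2 * cluster)  # last two clusters empty


if __name__ == "__main__":
    original = io.BytesIO(build_sample_disk())  # stands in for the seized drive
    working_copy = io.BytesIO()
    sha256 = acquire_image(original, working_copy)
    print("acquisition SHA-256:", sha256)
    print("copy verified:", verify_image(working_copy, sha256))
    for offset, word in search_raw(working_copy, ["account", "password"]):
        print(f"hit {word!r} at byte {offset} (cluster {offset // 512})")
```

On real media the source would be opened read-only behind a write protection device, as the imaging passage describes, and the acquisition digest recorded in the case notes before any analysis starts.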
Conclusion
 Forensics is an extremely valuable tool in the investigation of computer security
incidents.
 Considerable legal issues arise when investigating computer systems.
 Intrusion Detection might support Computer Forensics in the future, and vice versa.
