Foundations of digital Forensics

Computer Forensics
• Computer forensics is the scientific
examination and analysis of data held
on, or retrieved from, computer storage
media in such a way that the
information can be used as evidence in
a court of law.
Computer Forensic Activities
• Computer forensics activities commonly include:
– the secure collection of computer data
– the identification of suspect data
– the examination of suspect data to determine
details such as origin and content
– the presentation of computer-based information
to courts of law
– the application of a country's laws to computer
practice.
The 3 As
• The basic methodology consists of the
3 As:
– Acquire the evidence without altering or
damaging the original
– Authenticate the image
– Analyze the data without modifying it
Basic Definition
Cyber: according to the Oxford Dictionary, cyber means relating to or
characteristic of virtual reality. Law means the system of rules which a
particular country or community recognizes as regulating the actions of its
members and which it may enforce by the imposition of penalties.
Cyber Law, and what Cyber Law consists of
Cyber Law is the law governing cyber space. The Information Technology
(Amendment) Act, 2008 deals with cases relating to cyber space. Cyber space
includes computers, networks, software, internet, websites, e-mails, data
storage devices like hard disks, USB disks, PDAs, phones and ATM machines
and so on. Cyber Law consists of cyber crime, electronic and digital
signatures, intellectual property, and data protection and privacy.
Cont..
• Computer crime: computer crime is a situation where a computer or
network was not directly involved in a crime but still contains digital
evidence related to the crime.
• Computer-related: computer-related is used to refer to any crime that
involves computers and networks, including crimes that do not rely
heavily on computers.
• Some organizations, such as the US Department of Justice and the Council
of Europe, use the term cybercrime to refer to a wide range of crimes
that involve computers and networks.
Fundamentals of Digital Forensics
Language of Computer Crime Investigation
• Several attempts have been made to develop a standard language to
describe the various aspects of computer crime investigation.
• Computer crime mainly refers to a limited set of offenses that are
specifically defined in laws such as the US Computer Fraud and Abuse Act
and the UK Computer Abuse Act.
• These crimes include theft of computer services, unauthorized access
to protected computers, software piracy and the alteration or theft of
electronically stored information, extortion committed with the
assistance of computers, obtaining unauthorized access to records from
banks, credit card issuers, or consumer reporting agencies, trafficking in
stolen passwords, and transmission of destructive viruses or commands.
Cont..
• One of the main difficulties in defining computer crime is that
situations arise where a computer or network was not directly
involved in a crime but still contains digital evidence related to the
crime.
• To accommodate this type of situation, the more general term
computer-related is used to refer to any crime that involves
computers and networks, including crimes that do not rely heavily
on computers.
• Notably, some organizations such as the US Department of Justice
and the Council of Europe use the term cybercrime to refer to a
wide range of crimes that involve computers and networks.
Cont..
• Computer forensics: computer forensics usually refers to the forensic
examination of computer components and their contents such as hard
drives, compact disks, and printers.
• Forensic entomology: applying forensic entomology, as “bug forensics”, only to
computers limits the scope of the term, neglecting important aspects of
the field such as communication systems, embedded systems, and digital
image, audio, and video analysis.
• Digital forensic science: used to describe the field as a whole.
• Digital evidence examination: this term is specific enough to be clear in
the context of digital forensic science, computer forensics, incident
response, or any other situation that involves the examination of digital
evidence.
Digital Evidence in the Courtroom
• Individuals processing evidence must realize that, in addition to being
pertinent (relevant), evidence must meet certain standards to be
admitted.
• The US Federal Rules of Evidence, the UK Police and Criminal Evidence
Act (PACE) and Civil Evidence Act, and similar rules of evidence in other
countries were established to help evaluate evidence.
1. Admissibility: Warrants
• The most common mistake that prevents digital evidence from being
admitted by courts is that it was obtained without authorization.
• Generally, a warrant is required to search and seize (capture) evidence.
• The main exceptions are plain view, consent, and exigency.
• By obtaining consent to search, investigators can perform a search
without a warrant, but some care must be employed when obtaining
consent to reduce the chance of the search being successfully
challenged in court.
2. Authenticity and Reliability
• The process of determining whether evidence is worthy is called
authentication.
• Authentication means satisfying the court that
(a) the contents of the record have remained unchanged,
(b) the information in the record does in fact originate from its
purported (original) source, whether human or machine, and
(c) extraneous information such as the apparent date of the record
is accurate.
• Authentication is actually a two-step process, with an initial
examination of the evidence to determine that it is what its proponent
claims and, later, a closer analysis to determine its probative value.
• In the initial stage, it may be sufficient for an individual who is familiar
with the digital evidence to testify to its authenticity.
• Alternately, a system administrator can testify that log files presented in
court originated from her/his system.
3. Casey's Certainty Scale
• Computers can introduce errors and uncertainty in various ways, making it
difficult to assess the trustworthiness of digital evidence meaningfully.
• Although courts are warned to consider the computer systems involved carefully,
little guidance is provided.
• Computer machinery may make errors because of malfunctioning hardware, the
computer's mechanical apparatus.
• Computers may also make errors that arise out of defects in the software, the input
procedures, the database, and the processing program.
• In view of the complex nature of the operation of computers, courts have been
cautioned to take special care to be certain that the foundation is sufficient to
warrant a finding of trustworthiness and that the opposing party has full
opportunity to inquire (ask) into the process by which information is fed into the
computer.
• The certainty values (C-values) provide a method for a digital evidence examiner to
denote the level of certainty he/she has in a given piece of evidence in a given
context.
• The primary purpose of this Certainty Scale is to help others understand how
much weight an examiner has given pieces of digital evidence when making a
Cont..
• One major advantage of this Certainty Scale is that it is flexible
enough to assess the evidential weight of both the process that
generated a piece of digital evidence and its contents, which may
be documents or statements.
• Another major advantage of this Certainty Scale is that it is non-technical
and therefore easily understood by non-technical people
such as those found in most juries.
4. Best Evidence
• When dealing with the contents of a writing, recording, or photograph,
courts sometimes require the original evidence.
• This was originally intended to prevent a witness from misrepresenting
such materials by simply accepting their testimony (witness statement)
regarding the contents.
• With the advent of photocopiers, scanners, computers, and other
technology that can create effectively identical duplicates, copies
became acceptable in place of the original, unless "a genuine question is
raised as to the authenticity of the original or the accuracy of the copy
or under the circumstances it would be unfair to admit the copy of the
original".
• Because an exact duplicate of most forms of digital evidence can be
made, a copy is generally acceptable. In fact, presenting a copy of digital
evidence is usually more desirable because it eliminates the risk that
the original will be accidentally altered.
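The three As (acquire without altering, authenticate the image, analyze without modifying), the authentication requirement that a record's contents remain unchanged, and the best-evidence point that an exact duplicate is acceptable all rest on one mechanism: a cryptographic digest recorded at acquisition and re-checked at every later step. The Go program below is an added example written for this page, not code from the slides or from any cited author. The bytes standing in for a seized medium, the function names and the custody-log layout are constructed for illustration; a real acquisition would read the device through a write blocker rather than from a byte slice.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// sourceMedium is a CONSTRUCTED stand-in for the bytes of a seized storage
// device; a real acquisition would read the device through a write blocker.
var sourceMedium = []byte("CONSTRUCTED-DISK-IMAGE|MBR|/home/user/notes.txt:meeting at 9|deleted:draft.doc")

// CustodyEntry records one handling step and the digest of the evidence at
// that point, so the chain of custody can be explained in court.
type CustodyEntry struct {
	Step   string
	SHA256 string
}

// digest returns the hex SHA-256 of data. The value recorded at acquisition
// is what the image is authenticated against from then on.
func digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Acquire makes a bit-for-bit copy of the medium without writing to it and
// logs the digest of both the original and the copy (they must agree).
func Acquire(medium []byte, custody *[]CustodyEntry) []byte {
	image := make([]byte, len(medium))
	copy(image, medium)
	*custody = append(*custody,
		CustodyEntry{"acquire: original medium", digest(medium)},
		CustodyEntry{"acquire: forensic image", digest(image)})
	return image
}

// Authenticate confirms that an image still matches the digest recorded at
// acquisition; any changed bit yields a different digest.
func Authenticate(image []byte, recorded string) bool {
	return digest(image) == recorded
}

// Analyze searches a working copy of the image, so the authenticated image is
// never modified. It returns whether the keyword was found and the digest of
// the image after the examination, which is logged for the custody record.
func Analyze(image []byte, keyword string, custody *[]CustodyEntry) (bool, string) {
	working := make([]byte, len(image))
	copy(working, image)
	found := bytes.Contains(working, []byte(keyword))
	after := digest(image)
	*custody = append(*custody, CustodyEntry{"analyze: image after examination", after})
	return found, after
}

// Tamper returns a copy with a single bit flipped, to show what the
// authentication step catches when a copy is not exact.
func Tamper(image []byte) []byte {
	t := make([]byte, len(image))
	copy(t, image)
	t[len(t)/2] ^= 0x01
	return t
}

func main() {
	var custody []CustodyEntry
	image := Acquire(sourceMedium, &custody)
	recorded := custody[1].SHA256
	fmt.Println("image authentic:", Authenticate(image, recorded))
	found, after := Analyze(image, "draft.doc", &custody)
	fmt.Println("keyword found:", found, "digest unchanged after analysis:", after == recorded)
	fmt.Println("tampered copy authentic:", Authenticate(Tamper(image), recorded))
	for _, e := range custody {
		fmt.Printf("%-34s %s\n", e.Step, e.SHA256)
	}
}
```

The custody log is the piece a witness is asked about: each entry ties a handling step to the digest observed at that moment, so agreement between the acquisition digest and the post-analysis digest is what lets the examiner testify that the contents remained unchanged, and a single flipped bit in a copy is enough to make authentication fail.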
5. Direct versus Circumstantial Evidence
• Direct evidence establishes a fact. Circumstantial evidence may suggest
one. It is a common misconception that digital evidence cannot be direct
evidence because of its separation from the events.
• However, digital evidence can be used to prove facts. For example, if the
reliability of a computer system is at issue, showing the proper
functioning of that specific system is direct evidence of its reliability,
whereas showing the proper functioning of an identical system is
circumstantial.
• Although digital evidence is generally only suggestive of human activities,
circumstantial evidence may be as weighty as direct evidence and digital
evidence can be used to firmly establish facts.
Cont..
• For example, a computer logon record is direct evidence that a
given account was used to log into a system at a given time but is
circumstantial evidence that the individual who owns the account
was responsible. Someone else may have used the individual's
account and other evidence would be required to prove that he
actually logged into the system. It may be sufficient to demonstrate
that nobody else had access to the individual's computer or
password.
• Alternately, other sources of digital evidence such as building
security logs may indicate that the account owner was the only
person in the vicinity of the computer at the time of the logon.
6. Hearsay
• Digital evidence might not be admitted if it contains hearsay because
the speaker or author of the evidence is not present in court to verify
its truthfulness.
• Evidence is hearsay where a statement in court repeats a statement
made out of court in order to prove the truth of the content of the out
of court statement. Similarly, evidence contained in a document is
hearsay if the document is produced to prove that statements made in
court are true.
• The evidence is excluded because the crucial aspect of the evidence,
the truth of the out of court statement (oral or documentary), cannot
be tested by cross-examination.
Cont..
• There are several exceptions to the hearsay rule to accommodate evidence
that portrays (pictures) events quite accurately and that is easier to verify than
other forms of hearsay.
• Although some courts evaluate all computer-generated data as business
records under the hearsay rule, this approach may be inappropriate when a
person was not involved.
• In fact, computer-generated data may not be considered hearsay at all because
they do not contain human statements or they do not assert a fact but simply
document an act.
7. Scientific Evidence
• In addition to challenging the admissibility of digital evidence directly, tools and
techniques used to process digital evidence have been challenged by evaluating
them as scientific evidence. Because of the power of science to persuade,
courts are careful to assess the validity of a scientific process before accepting
its results.
• If a scientific process is found to be questionable, this may influence the
admissibility or weight of the evidence, depending on the situation.
• In the United States, scientific evidence is evaluated using four criteria
developed in 1993. These criteria are:
a) whether the theory or technique can be (and has been) tested;
b) whether there is a high known or potential rate of error, and the existence and
maintenance of standards controlling the technique's operation;
c) whether the theory or technique has been subjected to peer review and
publication;
d) whether the theory or technique enjoys "general acceptance" within the
relevant scientific community.
8. Presenting Digital Evidence
• Preparation is one of the most important aspects of testifying in court (National
Center for Forensic Science 2003).
• Conclusions should be stated early in testimony rather than as a punch line at
the end because there is a risk that the opportunity will not arise later.
• During cross-examination, attorneys (lawyers) often attempt to point out flaws
and details that were overlooked by the digital investigator. The most effective
response to this type of questioning is to be prepared with clear explanations
and supporting evidence.
• In addition to presenting findings, it is necessary to explain how the evidence
was handled and analyzed to demonstrate chain of custody and thoroughness
of methods. Also, expect to be asked about underlying technical aspects in a
relatively non-technical way, such as how files are deleted and recovered and
how tools acquire and preserve digital evidence. Simple diagrams depicting
these processes are strongly recommended.
• Cyber Crime Law: United States Perspective,
Indian Perspective; Conducting a Digital
Investigation; Handling a Digital Crime Scene:
Principles, Preservation
4. Cyber Crime Law: United States Perspective
• This chapter reviews how law in the United States deals with
cybercrime. As the United States is a federal system, there are
two basic levels of cybercrime law: federal cybercrime law
and state cybercrime law.
• U.S. law deals with the major cybercrimes: the crimes that
target computers and computer systems (e.g., unauthorized
access, malware, and denial of service attacks) and the crimes
in which computers and computer systems are used as tools
to commit traditional crimes (e.g., fraud, extortion, and child
pornography).
• Federal Cybercrime Law
• State Cybercrime Law
• Constitutional Law
• Fourth Amendment
• Fifth Amendment and Encryption
1. Federal Cybercrime Law
4.1 Computer Fraud and Abuse Act
• This section focuses on the Computer Fraud and Abuse Act and on related
federal offenses such as identity theft, child pornography, and copyright and
trademark offenses.
• Congress adopted the Computer Fraud and Abuse Act in 1986, but it
has since been amended on several occasions.
• The amendments have all been designed to update certain provisions
of the Act in light of advancements in computer technology.
• Section 1030(a) makes it a federal crime to do any of the following:
1. Knowingly access a computer without authorization or exceed
authorized access and obtain information that is legally protected
against disclosure.
2. Intentionally access a computer without authorization or exceed
authorized access and obtain information from (i) a financial
institution, credit card company, or consumer reporting agency.
3. With the intent to extort money or anything of value, make (i) a threat to
damage a computer, or (ii) a threat to obtain information from,
4.1.1 Section 1030(a)(5) Offense: accounts for the largest number of
prosecutions (legal proceedings against a person), perhaps because it
creates three crimes. The first consists of knowingly transmitting a
program, information, code, or command and thereby intentionally
damaging a protected computer. The other two are hacking, or
unauthorized access, to a computer or computer system.
4.1.2 Section 1030(a)(4) Offense: as noted above, § 1030(a)(4) makes
it a federal crime to access a protected computer without being
authorized to do so, or by exceeding the scope of authorized
access, and obtain “anything of value” and thereby further a
scheme to defraud.
4.1.3 Section 1030(a)(6) Offense: makes it a crime to traffic “in any
password or similar information through which a computer may be
accessed without authorization” if either of two conditions is met.
The first is that the trafficking “affects interstate or foreign commerce”; the other
condition is that the computer is “used by or for the Government of
the United States.”
4.1.4 Section 1030(a)(7) Offense: criminalizes the use of computer
technology to commit extortion.
4.2 Identity Theft: the federal criminal code contains two identity
theft provisions. Section 1028(a)(7) of Title 18 of the U.S. Code
defines a basic identity theft offense. It makes it a federal crime to
knowingly transfer, possess, or use “a means of identification of
another person” without being authorized.
4.4 Copyright Infringement (against the law) (Section 506(a))
Copyright infringement in the form of software piracy is a crime. For
a work to be “original,” it must have “originated” with—have been
created by—the author claiming the copyright; originality does not
require novelty, but to be original an item cannot simply be a copy
of another.
4.5 Trademarks and Trade Secrets
The Lanham Act is the primary source of protection for trademarks
(Act of July 5, 1946). It defines “trademark” as “any word, name,
symbol, or device, or any combination thereof” that is used by a
person or which a person has a bona fide intention to use in
commerce “to identify and distinguish his or her goods from those
manufactured or sold by others and to indicate the source of the
goods, even if that source is unknown” (15 U.S. Code § 1127).
2. State Cybercrime Law
4.2.1 Access Crimes: every U.S. state prohibits simple hacking (gaining
unauthorized access to a computer) and aggravated hacking (gaining
unauthorized access to a computer for the purpose of committing
theft, vandalism, or other crimes).
4.2.2 Malware: “Computer contaminant” means any set of computer
instructions that are designed to modify, damage, destroy, record, or
transmit information within a computer, computer system, or
computer network without the intent or permission of the owner of
the information.
4.2.3 Denial of Service: a DDoS attack is defined as “techniques or actions involving
the use of one (1) or more damaged computers to damage another
computer or a targeted computer system in order to shut the
computer or computer system down and deny the service of the
damaged computer or computer system to legitimate users”.
4.2.4 Computer Forgery: “Any person who creates, alters, or deletes any
data contained in any computer or computer network, who, if such
person had created, altered, or deleted a tangible document or
instrument would have committed forgery … shall be guilty of the
crime of computer forgery”.
4.2.5 Computer Fraud and Theft: computer theft can encompass any
of several different crimes, including information theft, software
theft, computer hardware theft, and theft of computer services. It
can also encompass the theft of computer hardware, and it can
consist of using a computer to steal other types of property.
4.2.6 Computer Extortion: one approach states take is to include
computer extortion within the definition of computer fraud.
4.2.7 Crimes Against Children:
3. Constitutional Law
• In the United States, constitutional law exists at two levels:
the U.S. Constitution is the constitution that applies throughout the
territorial
• Two of the U.S. Constitution’s provisions are particularly relevant to
the conduct of cybercrime investigations:
the Fourth Amendment and the Fifth Amendment.
4. Fourth Amendment
• The Fourth Amendment creates a right to be free from
“unreasonable” searches and seizures (forcefully taking ownership).
• To be “reasonable,” a search or seizure must be conducted under either
a lawfully authorized search or arrest warrant.
• The Court has applied the Fourth Amendment to areas in which
technology and privacy intersect.
4.4.1 Wiretapping: Content of Communications
The progress of science is not likely to stop with wire tapping. Ways
may be developed by which the government, without removing
papers from secret drawers, can reproduce them in court, and
expose to a jury the most intimate occurrences of the home. Can it
be that the Constitution affords no protection against such fraud?
4.4.2 Wiretapping: Traffic Data
• In a subsequent decision, the Supreme Court dealt with the related
issue of whether the transmittal information—the traffic data—
generated by a telephone call is private under the Fourth Amendment.
4.4.3 Technology Not in General Public Use
The Supreme Court’s 2001 decision in Kyllo v. United States is its
most recent parsing of the Katz standard. The issue in Kyllo was
whether “the use of a thermal- imaging device aimed at a private
home from a public street to detect relative amounts of heat within
the home constitutes a ‘search’ within the meaning of the Fourth
Amendment”
5. Fifth Amendment and Encryption
• The Fifth Amendment states that no one can be forced “to be a
witness against himself”.
• The Fifth Amendment privilege only comes into play when the following
elements are present. The first is compulsion (the power to force a person
to act); the Fifth Amendment does not protect communications
that are made voluntarily.
• The compulsion must seek to extort “testimony”—oral or written
communications—from an individual, because the Fifth Amendment
privilege does not encompass physical evidence.
• One area in which the Fifth Amendment can come into play
involves the use of encryption.
• Encryption can be used to protect the contents of online
communications or data files stored in a computer or on other
storage media.
• If files are encrypted with an essentially unbreakable encryption
algorithm and the owner of the files has committed the key to memory,
then he/she can claim the Fifth Amendment privilege and refuse to
disclose it.
Conducting Digital Investigation
Digital investigations inevitably vary depending on technical factors
such as the type of computing or communications device, whether the
investigation is in a criminal, civil, commercial, military, or other
context, and case-based factors such as the specific claims to be
investigated.
6.1 Digital Investigation Process Models
• Descriptions of how one conducted a digital investigation tended to focus
on practical stepwise approaches to solving particular investigative
challenges, within the context of particular technical computing
environments.
• A number of models for describing investigations have been proposed, which
have come to be known as “process models.”
• The motivations for such models are that:
1. models serve as useful points of reference for reflecting on the state
and nature of the field,
2. they provide a framework for training and directing research, and
3. they allow benchmarking performance against generally accepted practice.
• Process models have been defined as linear processes.
• For example, in 1999, McKemmish defined forensic computing as:
the process of identifying, preserving, analyzing and presenting digital
evidence in a manner that is legally acceptable.
• These activities are the basis of the process model.
• Figure 6.1. The most common steps for conducting a complete and competent
digital investigation are:
1. Preparation: Generating a plan of action to conduct an effective
digital investigation, and obtaining supporting resources and materials.
2. Survey/Identification: Finding potential sources of digital evidence (e.g., at a
crime scene, within an organization, or on the Internet).
3. Preservation: Preventing changes to in situ digital evidence, including isolating
the system on the network, securing relevant log files, and collecting volatile
data that would be lost when the system is turned off. This step includes
subsequent collection or acquisition.
4. Examination and Analysis: Searching for and interpreting trace evidence. Some
process models use the terms examination and analysis interchangeably.
5. Presentation: Reporting of findings in a manner which satisfies the context of
the investigation, whether it be legal, corporate, military, or any other.
6.1.1 Physical Model
• The overall process model has 17 phases organized into five groups:
Readiness, Deployment, Physical Crime Scene Investigation, Digital
Crime Scene Investigation, and Presentation, summarized in Table
6.1 for both physical and digital investigations.
• Carrier & Spafford (2004) state that:
• A computer being investigated can be considered a digital crime
scene and investigations as a subset of the physical crime scene
where it is located. Physical evidence may exist around a server that
was attacked by an employee and usage evidence may exist around
a home computer that contains contraband. Furthermore, the end
goal of most digital investigations is to identify a person who is
responsible and therefore the digital investigation needs to be tied
to a physical investigation.
6.1.2 Staircase Model
• The sequence of ascending stairs in Figure 6.2 provides a practical and
methodical approach to conducting an effective digital investigation
(Casey & Palmer, 2004).
• Steps are defined from bottom to top in a systematic, determined
manner in an effort to present a compelling story after reaching the
final step of persuasion/testimony.
• The categories in Figure 6.2 are intended to be as generic as possible.
The unique methods and tools employed in each category tie the
investigative process to a particular forensic domain. The terms located
on the riser of each step are those more closely associated with the law
enforcement perspective.
• The steps in this process often proceed simultaneously and it may be
necessary to take certain steps more than once at different stages of an
investigation.
• Finally, as with most processes, there is a relationship between
successive steps. That relationship can often be described by the input
and output expected at each stage.
6.1.3 Evidence Flow Model
• The main goal of this model is to completely describe the flow of
information in a digital investigation, from the moment digital
investigators are alerted until the investigation reaches its
conclusion.
• By concentrating on the flow of information, appropriate controls
can be implemented at each step of the process to handle
evidentiary data, written reports, or communications relating to the
investigation.
6.1.4 Subphase Model
• Beebe and Clark contend that most investigative process models
are too high level and do not address the “more concrete principles
of the investigation”. Their solution is to create a multitiered
framework, taking the steps common in other models and adding
subphases with defined objectives to help investigators implement
each step properly.
• As a proof of concept, Beebe and Clark use the analysis process, providing
three objectives-based subphases, namely, survey, extract, and examine
with the following objectives for file system analysis:
1. Reduce the amount of data to analyze
2. Assess the skill level of the suspect(s)
3. Recover deleted files
4. Find relevant hidden data
5. Determine chronology of file activity
6. Recover relevant ASCII data
7. Recover relevant non-ASCII data
8. Ascertain Internet (non-e-mail) activity history
9. Recover relevant e-mail and attachments
10. Recover relevant “personal organizer” data (e.g., calendar, address
books, etc.)
11. Recover printed documents
12. Identify relevant software applications and configurations
13. Find evidence of unauthorized system modification (e.g., Trojan
applications)
14. Reconstruct network-based events
6.1.5 Roles and Responsibilities Model
• The FORZA model ascends to an even higher level of abstraction by
providing a framework of roles and responsibilities in digital
investigations. The goal of this framework is to address not just the
technical aspects of a digital investigation but also the legal and
managerial issues.
6.2 Scaffolding for Digital Investigations
• Although such occurrences and activities are not central to digital
investigations, they provide necessary scaffolding to help build a
solid case. This scaffolding also includes accusation/alert,
threshold considerations, and case management.
• In addition, digital investigators will generally have to make some
form of threshold assessment to decide what level of attention to
give a certain case relative to all of the other cases they are
handling.
6.2.1 Incident Alert
Every process has a starting point—a place, event, or for lack of a better
term, a “shot from a starting gun” that signals that the race has begun.
6.2.2 Authorization
Before approaching digital evidence, it is important to be certain that the
search is not going to violate any laws.
6.2.3 Threshold Considerations
Digital investigators must establish thresholds in order to prioritize cases
and make decisions about how to allocate resources.
6.2.4 Transportation
Moving evidence from the crime or incident scene back to the forensic
laboratory exposes it to risks, the effects of which range from loss of
confidentiality to destruction of evidence.
6.2.5 Verification
• Assessing the completeness and accuracy of acquired data and
documenting its integrity are important.
6.2.6 Case Management
• Helps to bind together all of the activities and outcomes.
6.3 Applying the Scientific Method in Digital Evidence
• Although process models that define each step of an investigation
can be useful for certain purposes, such as developing procedures,
they are too complex and rigid to be followed in every investigation.
• All steps of the investigative process are often intertwined and a
digital investigator may find the need to revisit steps in light of a
more refined understanding of the case.
6.3.1 Formation and Evaluation of Hypotheses
6.3.2 Preparation
6.3.3 Survey
6.3.4 Preservation
6.3.5 Examination
6.3.6 Analysis
6.3.7 Reporting and Testimony
6.4 Investigative Scenario: Security Breach
An investigative scenario involving a network security breach is outlined here
to demonstrate how the various steps in a digital investigation tie together.
6.4.1 Preparation and Case Management
IT help desk.
6.4.2 Accusation or Incident Alert
• Unusually high numbers of failed logon attempts to a server are noticed, and it
is confirmed that there has been unauthorized use of the administrator account
on the system.
6.4.3 Assessment of Worth
• most valuable intellectual property.
6.4.4 Authorization
• Developing situation and obtains approval to gather evidence and report back any
findings.
6.4.5 Survey
• Digital investigators would waste substantial time and effort trying to locate
sources of digital evidence, and might ultimately find that there was insufficient
information to reach any conclusions.
6.4.6 Preservation
6.4.7 Transportation
6.4.8 Examination
6.4.9 Analysis
6.4.10 Reporting
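The incident alert in this scenario is a burst of failed logons to a server followed by confirmed use of the administrator account. As an added illustration of that alert step (not code from the slides or from any cited author), the Go program below runs simple detection logic over a few constructed sshd-style log lines: it counts failed logons per account and source address and raises an alert when the count reaches a threshold, noting whether a successful logon followed the burst, which is the pattern that turns "many failures" into "possible unauthorized use". The log format, the threshold of five, the host name and the documentation-range addresses are all constructed assumptions for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleLog holds CONSTRUCTED log lines in a simplified sshd-like format;
// the host name and the 203.0.113.0/24 and 198.51.100.0/24 addresses are
// documentation ranges, not real systems.
var sampleLog = []string{
	"2024-01-15T10:00:01Z srv01 sshd: Failed password for administrator from 203.0.113.7",
	"2024-01-15T10:00:02Z srv01 sshd: Failed password for administrator from 203.0.113.7",
	"2024-01-15T10:00:03Z srv01 sshd: Failed password for administrator from 203.0.113.7",
	"2024-01-15T10:00:04Z srv01 sshd: Failed password for administrator from 203.0.113.7",
	"2024-01-15T10:00:05Z srv01 sshd: Failed password for administrator from 203.0.113.7",
	"2024-01-15T10:00:06Z srv01 sshd: Accepted password for administrator from 203.0.113.7",
	"2024-01-15T10:05:00Z srv01 sshd: Failed password for alice from 198.51.100.4",
	"2024-01-15T10:05:30Z srv01 sshd: Accepted password for alice from 198.51.100.4",
	"2024-01-15T10:06:00Z srv01 cron: session opened for user root",
}

// Attempt is one parsed logon event.
type Attempt struct {
	Time, Host, User, Source string
	Success                  bool
}

// ParseLine parses "TS HOST sshd: (Failed|Accepted) password for USER from SRC";
// lines in any other shape are skipped rather than guessed at.
func ParseLine(line string) (Attempt, bool) {
	f := strings.Fields(line)
	if len(f) != 9 || f[2] != "sshd:" || f[4] != "password" || f[5] != "for" || f[7] != "from" {
		return Attempt{}, false
	}
	var success bool
	switch f[3] {
	case "Failed":
		success = false
	case "Accepted":
		success = true
	default:
		return Attempt{}, false
	}
	return Attempt{Time: f[0], Host: f[1], User: f[6], Source: f[8], Success: success}, true
}

// Alert describes an (account, source) pair whose failure count reached the threshold.
type Alert struct {
	User, Source   string
	Failures       int
	SucceededAfter bool // a successful logon followed the burst of failures
}

// Detect counts failed logons per (user, source) in log order and reports the
// pairs that reach threshold, flagging those where a later success occurred.
func Detect(lines []string, threshold int) []Alert {
	type key struct{ user, source string }
	failures := map[key]int{}
	succeeded := map[key]bool{}
	var order []key // preserves first-seen order for stable output
	for _, line := range lines {
		a, ok := ParseLine(line)
		if !ok {
			continue
		}
		k := key{a.User, a.Source}
		if a.Success {
			if failures[k] >= threshold {
				succeeded[k] = true
			}
			continue
		}
		if failures[k] == 0 {
			order = append(order, k)
		}
		failures[k]++
	}
	var alerts []Alert
	for _, k := range order {
		if failures[k] >= threshold {
			alerts = append(alerts, Alert{k.user, k.source, failures[k], succeeded[k]})
		}
	}
	return alerts
}

func main() {
	for _, a := range Detect(sampleLog, 5) {
		fmt.Printf("ALERT user=%s source=%s failures=%d success-after=%v\n",
			a.User, a.Source, a.Failures, a.SucceededAfter)
	}
}
```

Two design points matter for the later steps of the scenario. The parser refuses lines it does not fully recognise instead of guessing, so the alert can be traced to specific, well-formed records when the log is later preserved and presented. And the alert only records that the account was used from a given source, which, as the slides on direct versus circumstantial evidence note, is direct evidence of account use but only circumstantial evidence of who was at the keyboard.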
INFORMATION TECHNOLOGY (AMENDED) ACT,
2008
• New communication systems and digital technology have made dramatic
changes in the way.
• Businessmen are increasingly using computers to create, transmit and
store information in electronic form instead of traditional paper
documents. It is cheaper, easier to store and retrieve and speedier to
communicate.
• Electronic commerce eliminates the need for paper based transactions.
• The Law of Evidence is traditionally based upon paper-based records and
oral witness. Hence, to facilitate e-commerce, legal changes were needed.
• Legal recognition of electronic records and digital signatures will in turn
facilitate commerce through electronic communication such as the Internet.
• In May 2000 the Indian Parliament passed the Information Technology Bill,
which came to be known as the Information Technology Act, 2000. Cyber laws
are contained in the IT Act, 2000.
Cont..
• This Act was amended by the Information Technology Amendment Bill 2006,
passed in the Lok Sabha on Dec 22nd and in the Rajya Sabha on Dec 23rd of 2008.
• Objectives of the IT 2008 Act are:
· Carried out by means of electronic data interchange, and other means of
electronic communication, commonly referred to as "electronic
commerce"
· To facilitate electronic filing of documents with Government departments
· To facilitate electronic storage of data
· To facilitate and give legal sanction to electronic fund transfers between
banks and financial institutions
· To give legal recognition for keeping of books of accounts by bankers in
electronic form.
· To amend the Indian Penal Code, the Indian Evidence Act, 1872, the Banker’s
Book Evidence Act, 1891, and the Reserve Bank of India Act, 1934.
Important section of IT act
• Section 1:
It shall extend to the whole of India and, save as otherwise provided in
this Act, it applies also to any offence committed outside India by any
person.
• Section 2: Definitions
(a) "Access"
(b) "Addressee"
(c) "Affixing Electronic Signature"
(d) "Asymmetric Crypto System"
(e) "Certifying Authority" means a person who has been granted a license to
issue an Electronic Signature Certificate.
(f) "Communication Device"
(g) "Computer"
(h) "Computer network"
(i) "Computer Resources" means computer, communication device,
computer system, computer network, data, computer database or
software;
(j) "Controller" means the Controller of Certifying Authorities
(k) "Data" means a representation of information, knowledge, facts,
concepts or instructions
• Section 3: Defines Digital Signatures
The authentication is to be effected by use of an asymmetric crypto system
and a hash function (the record is hashed, and the hash is signed with the originator's private key).
• Section 4 Legal Recognition of Electronic Records
Where any law provides that information or any other matter shall
be in writing or in the typewritten or printed form, then,
notwithstanding anything contained in such law, such requirement
shall be deemed to have been satisfied if such information or
matter is
(a) rendered or made available in an electronic form; and
(b) accessible so as to be usable for a subsequent reference
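The two steps Section 3 names, a hash function followed by an asymmetric crypto system, worked through in code. This is an added example and not part of the slides or the Act; the record text is constructed, and the key is a toy RSA key built from fixed, publicly known Mersenne primes so the block runs without a crypto library.

```python
"""Hash-then-sign over an electronic record, in the sense of Section 3:
authentication by an asymmetric crypto system plus a hash function."""
import hashlib

# Toy RSA parameters (assumption for this example): two Mersenne primes, so
# the key can be rebuilt by anyone. Fixed, public primes give the key no
# secrecy; a Certifying Authority-issued key uses random primes of adequate
# size and a padding scheme such as RSA-PSS. The structure is what matters here.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q                       # ~648-bit modulus, larger than any SHA-256 value
E = 65537                       # public exponent, coprime to (P-1)(Q-1)
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent


def digest_int(record: bytes) -> int:
    """Hash-function step: SHA-256 of the record, read as an integer below N."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def sign(record: bytes, private_exponent: int = D) -> int:
    """Asymmetric step: the originator signs the hash with the private key."""
    return pow(digest_int(record), private_exponent, N)


def verify(record: bytes, signature: int, public_exponent: int = E) -> bool:
    """The relying party recomputes the hash and checks it against the value
    recovered from the signature with the public key. Any change to the
    record changes the hash, so the comparison fails."""
    if not 0 < signature < N:
        return False
    return pow(signature, public_exponent, N) == digest_int(record)


if __name__ == "__main__":
    # Constructed sample electronic record.
    record = b"Sample electronic record: invoice 0001, amount 500"
    sig = sign(record)
    print("original verifies:", verify(record, sig))
    tampered = record.replace(b"500", b"900")
    print("tampered verifies:", verify(tampered, sig))
```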
• Section 5: Legal recognition of Electronic Signature
• Section 6: Use of Electronic Records and Electronic Signature in
Government and its agencies
Where any law provides for
1. the filing of any form
2. the issue or grant of any license,
3. the receipt or payment of money in a particular manner,
• Section 7 : Retention of Electronic Records
• Section 8: Publication of rules, regulation, etc, in Electronic
Gazette
• Section 11: Attribution of Electronic Records
An electronic record shall be attributed to the originator
• Section 12: Acknowledgement of Receipt
• Section 14: Secure Electronic Record
• Section 16 : Security procedures and practices (Amended vide
ITAA 2008)
The Central Government may, for the purposes of sections 14 and 15,
prescribe the security procedures,
having regard to the commercial circumstances, nature of transactions
and such other related factors as it may consider appropriate.
• Section 17: Appointment of Controller and other officers
• Section 18: The Controller may perform all or any of the following
functions, namely
(a) exercising supervision over the activities of the Certifying
Authorities;
(b) certifying public keys of the Certifying Authorities
(c) laying down the standards to be maintained by the Certifying
Authorities;
(d) specifying the qualifications and experience which employees of
the Certifying Authorities should possess;
(e) specifying the conditions subject to which the Certifying Authorities
shall conduct their business;
• Section 21: License to issue electronic signature certificates
• A license granted under this section shall –
• (a) be valid for such period as may be prescribed by the Central
Government;
• (b) not be transferable
• (c) be subject to such terms and conditions as may be specified by
the regulations.
• Section 23: Renewal of license
• Section 29: Access to computers and data
• Section 37: Suspension of Digital Signature Certificate
• Section 40: Generating Key Pair
• Section 43: Penalty for damage to computer, computer system,
etc.
If any person without permission of the owner or any other
person who is in charge of a computer, computer system or
computer network
(a) accesses or secures access to such computer, computer system or
computer network or computer resource (ITAA2008)
(b) downloads, copies or extracts any data, computer data base or
information from such computer, computer system or computer
network including information or data held or stored in any
removable storage medium;
(c) introduces or causes to be introduced any computer contaminant
or computer virus into any computer, computer system or
computer network;
• Section 52: Salary allowance and other terms and conditions of
service of Chairperson and Member.
The salary and allowances payable to, and the other terms and
conditions of service including pension, gratuity and other
retirement benefits
• Section 53: Filling up of vacancies (Amended vide ITAA 2008)
If, for reason other than temporary absence, any vacancy occurs in the
office of Chairperson or Member, as the case may be, then the
Central Government shall appoint another person in accordance
with the provisions of this Act
• Section 62: Appeal to High Court
Any person aggrieved by any decision or order of the Cyber authority
may file an appeal to the High Court within sixty days from the date
of communication of the decision or order of the Cyber Appellate
Tribunal to him, on any question of fact or law
• Section 65: Tampering with Computer Source Documents
Punishable with imprisonment up to three years, or with fine
which may extend up to two lakh rupees, or with both.
• Section 66: Computer Related Offences (Substituted vide ITAA
2008)
Imprisonment for a term which may extend to three years or with
fine which may extend to five lakh rupees or with both.
• Section 71: Penalty for misrepresentation
Imprisonment for a term which may extend to two years, or with fine
which may extend to one lakh rupees, or with both
• Section 85: Offences by Companies
Modus Operandi
• Modus operandi (MO) is a Latin term that means "a method of
operating." It refers to the behaviors that are committed by a
criminal for the purpose of successfully completing an offense.
• A criminal's MO consists of learned behaviors that can evolve and
develop over time.
• It can be refined, as an offender becomes more experienced,
sophisticated, and confident.
• It can also become less competent and less skilful over time,
decompensating by virtue of a deteriorating mental state, or
increased use of mind-altering substances.
• An offender's MO behavior is functional by its nature. It most often
serves (or fails to serve) one or more of three purposes:
 protects the offender's identity;
 ensures the successful completion of the crime;
 facilitates the offender's escape.
Motive & Technology
• The term motive refers to the emotional, psychological, or material
need that impels, and is satisfied by, a behavior. Criminal motive is
generally technology independent.
• Classifying offenders by classifying their offense behaviors turns the
classification from an inductive labeling system into a deductive tool. The
behavior types include the following:
 Power Reassurance
 Power Assertive
 Anger Retaliatory (Sadistic)
 Opportunistic and Profit oriented.
Thank You