Foundations of digital Forensics 1 Computer Forensics • Computer forensics is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law. 2 Computer Forensic Activities • Computer forensics activities commonly include: – the secure collection of computer data – the identification of suspect data – the examination of suspect data to determine details such as origin and content – the presentation of computer-based information to courts of law – the application of a country's laws to computer practice. 3 The 3 As • The basic methodology consists of the 3 As: – Acquire the evidence without altering or damaging the original – Authenticate the image – Analyze the data without modifying it 4 Basic Definition Cyber: According to the Oxford Dictionary cyber means relating to or characteristic virtual reality. Law means the System of rules which a particular country or community recognizes as regulating the actions of its members and which it may enforce by the imposition of penalties. Cyber Law & Cyber Law consists of? Cyber Law is the law governing cyber space. The Information Technology (Amendment) Act, 2008 deals with cases relating to cyber space. Cyber space includes computers, networks, software, internet, websites, e-mails, data storage devices like hard disks, USB disks, PDA’s, phones and ATM machines and so on. Cyber Law consists of cyber crime, electronic and digital signatures, intellectual property and data protection and privacy. 5 Cont.. • Computer crime: computer crime is a situations where a computer or network was not directly involved in a crime but still contains digital evidence related to the crime. • Computer-related: computer-related is used to refer to any crime that involves computers and networks, including crimes that do not rely heavily on computers. • some organizations such as the US Department of Justice and the Council of Europe use the term cybercrime to refer to a wide range of crimes that involve computers and networks. 6 Fundamental of Digital forensics 7 Language of Computer Crime Investigation • Several attempts have been made to develop a standard language to describe the various aspects of computer crime investigation. • Computer crime mainly refers to a limited set of offenses that are specifically defined in laws such US Computer Fraud and Abuse Act and the UK Computer Abuse Act are computer crime acts which is defined by US. • These crimes include theft of computer services, unauthorized access to protected computers, software piracy and the alteration or theft of electronically stored information, extortion committed with the assistance of computers, obtaining unauthorized access to records from banks, credit card issuers, or customer reporting agencies, traffic in stolen passwords and transmission of destructive viruses or commands. 8 Cont.. • One of the main difficulties in defining computer crime is that situations arise where a computer or network was not directly involved in a crime but still contains digital evidence related to the crime. • To accommodate this type of situation, the more general term computer-related is used to refer to any crime that involves computers and networks, including crimes that do not rely heavily on computers. • Notably some organizations such as the US Department of Justice and the Council of Europe use the term cybercrime to refer to a wide range of crimes that involve computers and networks. 9 Cont.. • Computer forensics : Computer forensics usually refers to the forensic examination of computer components and their contents such as hard drives, compact disks, and printers. • Forensic entomology : forensic entomology as "bug forensics "only to computers limits the scope of the term, neglecting important aspects of the field such as communication systems, embedded systems, and digital image, audio, and video analysis. • Digital forensic science : to describe the field as a whole • Digital evidence examination: . This term is specific enough to be clear in the context of digital forensic science, computer forensics, incident response, or any other situation that involves the examination of digital evidence. 10 Digital Evidence in the Courtroom • Individuals processing evidence must realize that, in addition to being pertinent(relevant), evidence must meet certain standards to be admitted. • The US Federal Rules of Evidence, the UK Police and Criminal Evidence Act (PACE) and Civil Evidence Act, and similar rules of evidence in other countries were established to help evaluate evidence. 1. Admissibility-Warrants • The most common mistake that prevents digital evidence from being admitted by courts is that it was obtained without authorization. • Generally, a warrant is required to search and seize(capture) evidence. • The main exceptions are plain view, consent, and exigency. • By obtaining consent to search, investigators can perform a search without a warrant but some care must be employed when obtaining consent to reduce the chance of the search being successfully challenged in court. 11 2. Authenticity and Reliability • The process of determining whether evidence is worthy is called authentication. • Authentication means satisfying the court that (a) the contents of the record have remained unchanged, (b) that the information in the record does in fact originate from its purported(original) source, whether human or machine, and (c) that extraneous information such as the apparent date of the record is accurate. • Authentication is actually a two-step process, with an initial examination of the evidence to determine that it is what its proponent claims and, later, a closer analysis to determine. • In the initial stage, it may be sufficient for an individual who is familiar with the digital evidence to testify to its authenticity. i.e. its probative value. • Alternately, a system administrator can testify that log files presented in 12 court originated from her/his system. 3. Casey's Certainty Scale • • • • • • • Computers can introduce errors and uncertainty in various ways, making it difficult to assess the trustworthiness of digital evidence meaningfully. Although courts are warned to consider the computer systems involved carefully, little guidance is provided. Computer machinery may make error because of malfunctioning of hardware, the computer's mechanical apparatus. Computers may also make errors that arise out of defects in the software, the input procedures, the database, and the processing program. In view of the complex nature of the operation of computers, courts have been cautioned to take special care to be certain that the foundation is sufficient to warrant a finding of trustworthiness and that the opposing party has full opportunity to Inquire(ask) into the process by which information is fed into the computer. The certainly values (C-values) provide a method for a digital evidence examiner to denote the level of certainty he/she has in a given piece of evidence in a given context. The primary purpose of this Certainty Scale is to help others understand how 13 a much weight an examiner has given pieces of digital evidence when making Cont.. • One major advantage of this Certainty Scale is that it is flexible enough to assess the evidential weight of both the process that generated a piece of digital evidence and its contents, which may be documents or statements. • Another major advantage of this Certainty Scale is that it is nontechnical and therefore easily understood by non-technical people such as those found in most juries. 14 4. Best Evidence • When dealing with the contents of a writing, recording, or photograph courts sometimes require the original evidence. • This was originally intended to prevent a witness from misrepresenting such materials by simply accepting their testimony(witness statement) regarding the contents. • With the advent of photocopiers, scanners, computers, and other technology that can create effectively identical duplicates, copies became acceptable in place of the original, unless "a genuine question is raised as to the authenticity of the original or the accuracy of the copy or under the circumstances it would be unfair to admit the copy of the original" • Because an exact duplicate of most forms of digital evidence can be made, a copy is generally acceptable. In fact, presenting a copy of digital evidence is usually more desirable because it eliminates the risk that the original will be accidentally altered. 15 5. Direct versus Circumstantial Evidence • Direct evidence establishes a fact. Circumstantial evidence may suggest one. It is a common misconception that digital evidence cannot be direct evidence because of its separation from the events. • However, digital evidence can be used to prove facts. For example, if the reliability of a computer system is at issue, showing the proper functioning of that specific system is direct evidence of its reliability, whereas showing the proper functioning of an identical system is circumstantial. • Although digital evidence is generally only suggestive of human activities, circumstantial evidence may be as weighty as direct evidence and digital evidence can be used to firmly establish facts. 16 Cont.. • For example, a computer logon record is direct evidence that a given account was used to log into a system at a given time but is • circumstantial evidence that the individual who owns the account was responsible. Someone else may have used the individual's account and other evidence would be required to prove that he actually logged into the system. It may be sufficient to demonstrate that nobody else had access to the individual's computer or password. • Alternately, other sources of digital evidence such as building security logs may indicate that the account owner was the only person in the vicinity of the computer at the time of the logon. 17 6.Hearsay • Digital evidence might not be admitted if it contains hearsay because the speaker or author of the evidence is not present in court to verify its truthfulness. • Evidence is hearsay where a statement in court repeats a statement made out of court in order to prove the truth of the content of the out of court statement. Similarly, evidence contained in a document is hearsay if the document is produced to prove that statements made in court are true. • The evidence is excluded because the crucial aspect of the evidence, the truth of the out of court statement (oral or documentary), cannot be tested by cross-examination. 18 Cont.. • There are several exceptions to the hearsay rule to accommodate evidence that portrays( pictures ) events quite accurately and that is easier to verify than other forms of hearsay. • Although some courts evaluate all computer-generated data as business records under the hearsay rule, this approach may be inappropriate when a person was not involved. • In fact, computer-generated data may not considered hearsay at all because they do not contain human statements or they do not assert a fact but simply document an act. 19 7.Scientific Evidence • In addition to challenging the admissibility of digital evidence directly, tools and techniques used to process digital evidence have been challenged by evaluating them as scientific evidence. Because of the power of science to persuade, courts are careful to assess the validity of a scientific process before accepting its results. • If scientific process is found to be questionable, this may influence the admissibility or weight of the evidence, depending on the situation. • In the United States, scientific evidence is evaluated using four criteria developed in 1993. These criteria are: a) whether the theory or technique can be (and has been) tested; b) whether there is a high known or potential rate of error, and the existence and maintenance of standards controlling the technique's operation; c)whether the theory or technique has been subjected to peer review and publication; d) Whether the theory or technique enjoys "general acceptance" within the relevant scientific community. 20 8. Presenting Digital Evidence • Preparation is one of the most important aspects of testifying in court (National Center for Forensic Science 2003). • Conclusions should be stated early in testimony rather than as a punch line at the end because there is a risk that the opportunity will not arise later. • During cross-examination, attorneys (lawyer) often attempt to point out flaws and details that were overlooked by the digital investigator. The most effective response to this type of questioning is to be prepared with clear explanations and supporting evidence. • In addition to presenting findings, it is necessary to explain how the evidence was handled and analyzed to demonstrate chain of custody and thoroughness of methods. Also, expect to be asked about underlying technical aspects in a relatively non-technical way, such as how files are deleted and recovered and how tools acquire and preserve digital evidence. Simple diagrams depicting these processes are strongly recommended. 21 • Cyber crime Law: United State Perspective, Indian Perspective, Conductive Digital Investigation, Handling a Digital Crime Scene: Principles, Preservation, 22 4. Cyber crime Law: United State Perspective • Chapter reviews how law in the United States deals cybercrime. As the United States is a federal system, there are two basic levels of cybercrime law: federal cybercrime law and state cybercrime law. • U.S. law deals with the major cybercrimes: the crimes that target computers and computer systems (e.g., unauthorized access, malware, and denial of service attacks) and the crimes in which computers and computer systems are used as tools to commit traditional crimes (e.g., fraud, extortion, and child pornography). • Federal Cybercrime Law • State Cybercrime Law • Constitutional Law • Fourth Amendment • Fifth Amendment and Encryption 23 1. Federal Cybercrime Law 4.1 Computer Fraud and Abuse Act • It focuses on the Computer Fraud and Abuse Act such as identity theft, child pornography, and copyright and trademark offenses. • Congress adopted the Computer Fraud and Abuse Act (1986), but it has since been amended on several occasions. • amendments have all been designed to update certain provisions of the Act in light of advancements in computer technology • Section 1030(a) makes it a federal crime to do any of the following: 1. Knowingly access a computer without authorization or exceed authorized access and obtain information that is legally protected against disclosure. 2. Intentionally access a computer without authorization or exceed authorized access and obtain information from (i) a financial institution, credit card company, or consumer reporting agency. 3. With the intent to extort money or any thing of value like (i) threat to damage a computer, (ii) threat to obtain information from, 24 4.1.1 Section 1030(a)(5) Offense: accounts for the largest number of prosecutions(legal proceeding against person), perhaps because it creates three crimes. The first consists of knowingly transmitting a program, information, code, or command and thereby intentionally damaging a protected computer. Other two are hacking, or unauthorized access, to a computer or computer system. 4.1.2 Section 1030(a)(4) Offense: As noted above, § 1030(a)(4) makes it a federal crime to access a protected computer without being authorized to do so, or by exceeding the scope of authorized access, and obtain “anything of value” and thereby further a scheme to defraud. 4.1.3 Section 1030(a)(6) Offense : makes it a crime to traffic “in any password or similar information through which a computer may be accessed without authorization” if either of two conditions are met. The first is “affects interstate or foreign commerce”; the other condition is that the computer is “used by or for the Government of the United States.” 4.1.4 Section 1030(a)(7) Offense: criminalizes the use of computer 25 technology to commit extortion. 4.2 Identity Theft: The federal criminal code contains two identity theft provisions: Section 1028(a)(7) of Title 18 of the U.S. Code defines a basic identity theft offense. makes it a federal crime to knowingly transfer, possess, or use “a means of identification of another person” without being authorized. 4.4 Copyright Infringement(against law)(Section 506(a)) Copyright infringement in the form of software piracy is a crime. For a work to be “original,” it must have “originated” with—have been created by—the author claiming the copyright; originality does not require novelty but to be original an item cannot simply be a copy of another. 4.5 Trademarks and Trade Secrets The Lanham Act is the primary source of protection for trademarks (Act of July5, 1946). It defines “trademark” as “any word, name, symbol, or device, or any combination thereof” that is used by a person or which a person has a bonafide intention to use in commerce “to identify and distinguish his or her goods from those manufactured or sold by others and to indicate the source of the goods, even if that source is unknown” (15 U.S. Code § 1127). 26 2. State cybercrime law 4.2.1 Access Crimes: Every U.S. state prohibits simple hacking (gaining unauthorized access to a computer) and aggravated hacking (gaining unauthorized access to a computer for the purpose of committing theft, vandalism, or other crimes) 4.2.2 Malware: Computer contaminant” means any set of computer instructions that are designed to modify, damage, destroy, record, or transmit information within a computer, computer system, or computer network without the intent or permission of the owner of the information. 4.2.3 Denial of Service: DDoS attack as “techniques or actions involving the use of one (1) or more damaged computers to damage another computer or a targeted computer system in order to shut the computer or computer system down and deny the service of the damaged computer or computer system to legitimate users”. 4.2.4 Computer Forgery: “Any person who creates, alters, or deletes any data contained in any computer or computer network, who, if such person had created, altered, or deleted a tangible document or instrument would have committed forgery … shall be guilty of the 27 crime of computer forgery”. 4.2.5 Computer Fraud and Theft: Computer theft can encompass any of several different crimes, including information theft, software theft, computer hardware theft, and theft of computer services. It can also encompass the theft of computer hardware . And it can consist of using a computer to steal other types of property. 4.2.6 Computer Extortion: One approach they take is to include computer extortion within the definition of computer fraud. 4.2.7 Crimes Against Children: 3 Constitutional law • In the United States, constitutional law exists at two levels: The U.S. Constitution is the constitution that applies throughout the territorial Two of the U.S. Constitution’s provisions are particularly relevant to the conduct of cybercrime investigations. The Fourth Amendment & Fifth Amendment 28 4. Fourth Amendment • The Fourth Amendment creates a right to be free from “unreasonable” searches and seizures(forcefully taking ownership) • To be “reasonable,” a search or seizure must be conducted either a lawfully authorized search or arrest warrant. • Court has applied the Fourth Amendment to areas in which technology and privacy intersect. 4.4.1 Wiretapping: Content of Communications The progress of science is not likely to stop with wire tapping. Ways may be developed by which the government, without removing papers from secret drawers, can reproduce them in court, and expose to a jury the most intimate occurrences of the home. Can it be that the Constitution affords no protection against such fraud. 4.4.2 Wiretapping: Traffic Data • In a subsequent decision, the Supreme Court dealt with the related issue of whether the transmittal information—the traffic data— generated by a telephone call is private under the Fourth Amendme29 4.4.3 Technology Not in General Public Use The Supreme Court’s 2001 decision in Kyllo v. United States is its most recent parsing of the Katz standard. The issue in Kyllo was whether “the use of a thermal- imaging device aimed at a private home from a public street to detect relative amounts of heat within the home constitutes a ‘search’ within the meaning of the Fourth Amendment” 5 Fifth Amendment and encryption • The Fifth Amendment states that no one can be “forcefully to be a witness against himself” • The Fifth Amendment privilege only comes into play when following element is present. The first is compulsion(power to force a person to act); the Fifth Amendment does not protect communications that are made voluntarily; • The compulsion must seek to extort “testimony”—oral or written communications—from an individual because the Fifth Amendment privilege does not encompass physical evidence 30 • One area in which the Fifth Amendment can come into play involves the use of encryption. • Encryption can be used to protect the contents of online communications or data files stored in a computer or on other storage media. If files are encrypted with an essentially unbreakable encryption algorithm; • If the owner of the files committed the key to memory, then he/she can claim the Fifth Amendment privilege and refuse that fraud. 31 Conducting Digital Investigation Digital investigations inevitably vary depending on technical factors such as the type of computing or communications device, whether the investigation is in a criminal, civil, commercial, military, or other context, and case-based factors such as the specific claims to be investigated. 6.1 Digital Investigation Process Models • describe how one conducted a digital investigation tended to focus on practical stepwise approaches to solving particular investigative challenges, within the context of particular technical computing environments. • Proposal of a number of models for describing investigations, which have come to be known as “process models.” • motivations 1. models serve as useful points of reference for reflecting on the state and nature of the field 2. framework for training and directing research, 3. for benchmarking performance against generally accepted practice.32 • Process models have defined as linear process. • For example, in 1999, McKemmish defined forensic computing as: The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable. • This activities are the basis of the process model • Figure 6.1. The most common steps for conducting a complete and competent digital investigation are: 1. Preparation: Generating a plan of action to conduct an effective Digital investigation, and obtaining supporting resources and materials. 2. Survey/Identification: Finding potential sources of digital evidence (e.g., at a crime scene, within an organization, or on the Internet). 3. Preservation: Preventing changes of in situ digital evidence, including isolating the system on the network, securing relevant log files, and collecting volatile data that would be lost when the system is turned off. This step includes subsequent collection or acquisition. 4. Examination and Analysis: Searching for and interpreting trace evidence. Some process models use the terms examination and analysis interchangeably. 5. Presentation: Reporting of findings in a manner which satisfies the context of the investigation, whether it be legal, corporate, military, or any other. 33 34 6.1.1 Physical Model • The overall process model has 17 phases organized into five groups: Readiness, Deployment, Physical Crime Scene Investigation, Digital Crime Scene Investigation, and Presentation, summarized in Table 6.1 for both physical and digital investigations. • (Carrier & Spafford, 2004) said that • A computer being investigated can be considered a digital crime scene and investigations as a subset of the physical crime scene where it is located. Physical evidence may exist around a server that was attached by an employee and usage evidence may exist around a home computer that contains contraband. Furthermore, the end goal of most digital investigation is to identify a person who is responsible and therefore the digital investigation needs to be tied to a physical investigation. 35 36 • 6.1.2 Staircase Model • sequence of ascending stairs in Figure 6.2, provides a practical and methodical approach to conducting an effective digital investigation (Casey & Palmer, 2004). • Steps are defined from bottom to top in a systematic, determined manner in an effort to present a compelling story after reaching the final step of persuasion/testimony. • The categories in Figure 6.2 are intended to be as generic as possible. The unique methods and tools employed in each category tie the investigative process to a particular forensic domain. The terms located on the riser of each step are those more closely associated with the law enforcement perspective. • the steps in this process often proceed simultaneously and it may be necessary to take certain steps more than once at different stages of an investigation. • Finally, as with most processes, there is a relationship between successive steps. That relationship can often be described by the input 37 and output expected at each stage, 38 6.1.3 Evidence Flow Model • The main goal of this model is to completely describe the flow of information in a digital investigation, from the moment digital investigators are alerted until the investigation reaches its conclusion. • By concentrating on the flow of information, appropriate controls can be implemented at each step of the process to handle evidentiary data, written reports, or communications relating to the investigation. 6.1.4 Subphase Model • Beebe and Clark contend that most investigative process models are too high level and do not address the “more concrete principles of the investigation”. Their solution is to create a multitiered framework, taking the steps common in other models and adding subphases with defined objectives to help investigators implement each step properly. 39 • As a proof of concept, Beebe and Clark use the analysis process, providing three objectives-based subphases, namely, survey, extract, and examine with the following objectives for file system analysis: • • • • • • • • • • • • • • • • 1. Reduce the amount of data to analyze 2. Assess the skill level of the suspect(s) 3. Recover deleted files 4. Find relevant hidden data 5. Determine chronology of file activity 6. Recover relevant ASCII data 7. Recover relevant non-ASCII data 8. Ascertain Internet (non-e-mail) activity history 9. Recover relevant e-mail and attachments 10. Recover relevant “personal organizer” data (e.g., calendar, address books, etc.) 11. Recover printed documents 12. Identify relevant software applications and configurations 13. Find evidence of unauthorized system modification (e.g., Trojan applications) 14. Reconstruct network-based events 40 6.1.5 Roles and Responsibilities Model • The FORZA model ascends to an even higher level of abstraction by providing a framework of roles and responsibilities in digital investigations. The goal of this framework is to address not just the technical aspects of a digital investigation but also the legal and managerial issues. 6.2 Scaffolding for Digital Investigations • Although such occurrences and activities are not central to digital investigations, they provide necessary scaffolding to help build a solid case. This scaffolding also includes accusation/alert, threshold considerations, and case management. • In addition, digital investigators will generally have to make some form of threshold assessment to decide what level of attention to give a certain case relative to all of the other cases they are handling. 41 6.2.1 Incident Alert Every process has a starting point—a place, event, or for lack of a better term, a “shot from a starting gun” that signals that the race has begun. 6.2.2 Authorization Before approaching digital evidence, it is important to be certain that the search is not going to violate any laws 6.2.3 Threshold Considerations digital investigators must establish thresholds in order to prioritize cases and make decisions about how to allocate resources. 6.2.4 Transportation Moving evidence from the crime or incident scene back to the forensic laboratory effects of which range from loss of confidentiality to destruction of evidence. 6.2.5 Verification • Assessing the completeness and accuracy of acquired data and documenting its integrity are important 6.2.6 Case Management • Helps to binding together all of the activities and outcomes. 42 6.3 Applying the Scientific Method in Digital evidence • Although process models that define each step of an investigation can be useful for certain purposes, such as developing procedures, they are too complex and rigid to be followed in every investigation. • All steps of the investigative process are often intertwined and a digital investigator may find the need to revisit steps in light of a more refined understanding of the case. 6.3.1 Formation and Evaluation of Hypotheses 6.3.2 Preparation 6.3.3 Survey 6.3.4 Preservation 6.3.5 Examination 6.3.6 Analysis 6.3.7 Reporting and Testimony 43 • • 6.4 Investigative Scenario: Security Breach An investigative scenario involving a network security breach is outlined here to demonstrate how the various steps in a digital investigation tie together. 6.4.1 Preparation and Case Management IT help desk. 6.4.2 Accusation or Incident Alert • unusually high numbers of failed logon attempts to a server it confirms that there has been unauthorized use of the administrator account on the system 6.4.3 Assessment of Worth • most valuable intellectual property. 6.4.4 Authorization • Developing situation and obtains approval to gather evidence and report back any findings. 6.4.5 Survey • digital investigators would waste • substantial time and effort trying to locate sources of digital evidence, and • might ultimately find that there was insufficient information to reach any • conclusions 44 6.4.6 Preservation 6.4.7 Transportation 6.4.8 Examination 6.4.9 Analysis 6.4.10 Reporting 45 INFORMATION TECHNOLOGY (AMENDED) ACT, 2008 • New communication systems and digital technology have made dramatic changes in the way. • Businessmen are increasingly using computers to create, transmit and store information in electronic form instead of traditional paper documents. It is cheaper, easier to store and retrieve and speedier to communicate. • Electronic commerce eliminates need for paper based transactions. • The Law of Evidence is traditionally based upon paper-based records and oral witness. Hence, to facilitate e-commerce, the need for legal changes. • The legal recognition to electronic records and digital signatures in turn will facilitate through the electronic communication like Internet. • In May 2000 Indian Parliament passed the Information Technology Bill and came to be known as the Information Technology Act, 2000. Cyber laws are contained in the IT Act, 2000. 46 Cont.. • This Act was amended by Information Technology Amendment Bill 2006, passed in Loksabha on Dec 22nd and in Rajyasbha on Dec 23rd of 2008. • Objectives of the IT 2008 Act are: ·Carried out by means of electronic data interchange, and other means of electronic communication, commonly referred to as "electronic commerce“ · To facilitate electronic filing of documents with Government departments · To facilitate electronic storage of data · To facilitate and give legal sanction to electronic fund transfers between banks and financial institutions · To give legal recognition for keeping of books of accounts by banker’s in electronic form. · To amend the Indian Penal Code, the Indian Evidence Act, 1872, the Banker’s Book Evidence Act, 1891, and the Reserve Bank of India Act, 1934. 47 Important section of IT act • Section 1: It shall extend to the whole of India and, save as otherwise provided in this Act, it applies also to any offence committed outside India by any person. • Section 2: Definitions (a) "Access" (b) "Addressee" (c) “Affixing Electronic Signature" (d) "Asymmetric Crypto System" (e) "Certifying Authority" means a person who has been granted a license to issue a Electronic Signature Certificate. (f) "Communication Device" (g) "Computer" (h) “Computer network“ (i) "Computer Resources“ means computer, communication device, computer system, computer network, data, computer database or software; 48 (j) "Controller" means the Controller of Certifying Authorities (k) "Data" means a representation of information, knowledge, facts, concepts or instructions • Section 3: Defines Digital Signatures The authentication to be affected by use of asymmetric crypto system and hash function • Section 4 Legal Recognition of Electronic Records Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is (a) rendered or made available in an electronic form; and (b) accessible so as to be usable for a subsequent reference 49 • Section 5: Legal recognition of Electronic Signature • Section 6: Use of Electronic Records and Electronic Signature in Government and its agencies Where any law provides for 1. the filing of any form 2. the issue or grant of any license, 3. the receipt or payment of money in a particular manner, • Section 7 : Retention of Electronic Records • Section 8: Publication of rules, regulation, etc, in Electronic Gazette • Section 11: Attribution of Electronic Records An electronic record shall be attributed to the originator • Section 12: Acknowledgement of Receipt • Section 14: Secure Electronic Record 50 • Section 16 : Security procedures and Practices (Amended vide ITAA 2008) The Central Government may for the purposes of sections 14 and 15 prescribe the security procedures. It is regard to the commercial circumstances, nature of transactions and such other related factors as it may consider appropriate. • Section 17: Appointment of Controller and other officers • Section 18: The Controller may perform all or any of the following functions, namely (a) exercising supervision over the activities of the Certifying Authorities; (b) certifying public keys of the Certifying Authorities (c) laying down the standards to be maintained by the Certifying Authorities; (d) specifying the qualifications and experience which employees of the Certifying Authorities should possess; (e) specifying the conditions subject to which the Certifying Authorities 51 shall conduct their business; • Section 21: License to issue electronic signature certificates • A license granted under this section shall – • (a) be valid for such period as may be prescribed by the Central Government; • (b) not be transferable • (c) be subject to such terms and conditions as may be specified by the regulations. • Section 23: Renewal of license • Section 29: Access to computers and data • Section 37: Suspension of Digital Signature Certificate • Section 40: Generating Key Pair • Section 43: Penalty for damage to computer, computer system, etc If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network 52 (a) accesses or secures access to such computer, computer system or computer network or computer resource (ITAA2008) (b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium; (c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network; • Section 52: Salary allowance and other terms and conditions of service of Chairperson and Member. The salary and allowances payable to, and the other terms and conditions of service including pension, gratuity and other retirement benefits • Section 53: Filling up of vacancies (Amended vide ITAA 2008) If, for reason other than temporary absence, any vacancy occurs in the office of Chairperson or Member as the case may be then the Central Government shall appoint another person in accordance with the provisions of this Act 53 • Section 62: Appeal to High court Any person aggrieved by any decision or order of the Cyber authority may file an appeal to the High Court within sixty days from the date of communication of the decision or order of the Cyber Appellate Tribunal to him on any question of fact or law • Section 65: Tampering with Computer Source Documents shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both. • Section 66: Computer Related Offences (Substituted vide ITAA 2008) imprisonment for a term which may extend to two three years or with fine which may extend to five lakh rupees or with both. • Section 71 Penalty for misrepresentation imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both • Section 85 Offences by Companies 54 Modus Operandi • Modus operandi (MO) is a Latin term that means "a method of operating." It refers to the behaviors that are committed by a criminal for the purpose of successfully completing an offense. • A criminal's MO consists of learned behaviors that can evolve and develop over time. • It can be refined, as an offender becomes more experienced, sophisticated, and confident. • It can also become less competent and less skilful over time, decompensating by virtue of a deteriorating mental state, or increased used of mind-altering substances. • an offender's MO behavior is functional by its nature. It most often serves (or fails to serve) one or more of three purposes: protects the offender's identity; ensures the successful completion of the crime; 55 facilitates the offender's escape. Motive & Technology • The term motive refers to the emotional, psychological, or material need that impels, and is satisfied by, a behavior. Criminal motive is generally technology independent. • Classifying offenders - to classifying offense behaviors (turning it from an inductive labeling system to a deductive tool). They include the following types of behaviors: Power Reassurance Power Assertive Anger Retaliatory (Sadistic) Opportunistic and Profit oriented. 56 Thank You 57