 
Setting up a Cyber Crime Investigation Cell & Cyber Forensics Laboratory
 
1. INTRODUCTION

Cyber crime has made a significant impact on criminal justice systems throughout the world. Its effects are felt all the more as nations endeavour to provide quicker and more efficient services to their citizens through cyber space.

Most offences today involve the use of computers or other electronic media at some stage of the act committed by the criminal.

Criminals, realizing how effective computers and the Internet are for perpetrating conventional crimes, are increasingly using them as tools for committing such crimes.

2. NEED FOR A CYBER CRIME INVESTIGATION CELL

A Cyber Crime Investigation Cell is now an essential requirement for any law enforcement agency to tackle not only cyber crimes but also investigate conventional crimes.

  1. Conventional Crime

    A disturbing trend that is emerging nowadays is the increasing use of encryption, high-frequency encrypted voice/data links, steganography etc. by terrorists and members of organized crime cartels.

    Instances around the world are coming to light where computers and other electronic tools have been used as tools to facilitate the commission of conventional crimes.

    Some of the conventional crimes where cyber space and other electronic media have been used are:

    a) Organised Crime:

    An organized crime syndicate attempted to kill the 50-year old head of a rival mafia family, who had been hospitalised, by changing the prescription in the computer records of the hospital.

    Dutch organized crime syndicates use Pretty Good Privacy (PGP) and PGPfone to encrypt their communications. They also use palmtop computers running Secure Device, a Dutch software product that encrypts data with IDEA; the palmtops hold, among other things, a database of unmarked police and intelligence vehicles.

    The Italian mafia uses PGP for encryption and concealing information of their activities.

    b) Terrorism:

    Using a technique called steganography, terrorists routinely communicate with their henchmen by hiding messages inside image files, so that the message goes unnoticed by anyone who does not know it is there and, when it is also encrypted, remains unreadable to anyone without the password.

    The alleged mastermind behind the September 11 attacks on the World Trade Center in the USA is believed to use steganography and 512-bit encryption to keep his communication channels secure.

    Leary, who was sentenced to 94 years in prison for setting off firebombs in the New York (USA) subway system in 1995, had developed his own algorithm for encrypting the files on his computer.

    On March 20, 1995, the Aum Supreme Truth cult dropped bags of Sarin nerve gas in the Tokyo subway, killing 12 people and injuring 6,000 more. Members of the cult had developed many chemical and biological weapons, including Sarin, VX, Mustard gas, Cyanide, botulism, anthrax and Q fever. It is believed that preparations were underway to develop nuclear capability.

    The cult was also believed to be developing a "death ray" that could destroy all life! The records of the cult had been stored in encrypted form (using RSA asymmetric algorithm) on computers.

    The enforcement authorities were able to decrypt the information because the relevant private key was found on a floppy disk seized from the cult’s premises. The decrypted information related to plans of the cult to cause mass deaths in Japan and the USA.

    c) Drug Cartels:

    The Cali cartel is reputed to be using sophisticated encryption to conceal their telephone communications, radios that distort voices, video phones which provide visual authentication of the caller's identity, and instruments for scrambling transmissions from computer modems.

    In 1997, a Bolivian terrorist organization assassinated four U.S. army personnel. A raid on one of the terrorists’ hideouts yielded information encrypted using symmetric encryption.

    A 12-hour brute force attack resulted in the decryption of the information and subsequently led to one of the largest drug busts in Bolivian history and the arrest of the terrorists.

    d) Other Crimes:

    James Bell had launched a vendetta against the Internal Revenue Service (IRS) of the USA. His activities included intimidating IRS officials, rewarding those who killed selected government employees and contaminating an area outside IRS premises in many states of the USA with Mercaptan (a stink gas).

    After his arrest, the investigators were able to decrypt his PGP-encrypted messages only because he divulged the pass phrase to his private key.

    Kevin Poulsen was a skilled hacker who rigged radio contests, burglarized telephone-switching offices and hacked into the telephone network in order to find out whose phones were being tapped and to install his own phone-tapping devices.

    Poulson had encrypted files documenting everything from the phone tapping he had discovered to the dossiers he had compiled about his enemies.

    The files had been encrypted several times using the Data Encryption Standard. A US Department of Energy supercomputer took several months to find the key. The result yielded nearly ten thousand pages of evidence.

  2. Cyber Crime

    The widespread growth of cyber crime has affected nations from all across the globe. Incidents of cyber crime have caused extensive loss to a nation’s economy. Loss of business profits and disruption of government and other services severely hampers the growth of any economy.

    Incidents of Cyber Crime

    The incidents of cyber crime can range from obscene, threatening and defamatory emails to computer aided sabotage, source code thefts and even attempted cyber murders.

    In March 2003, Asian School of Cyber Laws’ Computer Emergency Response Team (ASCL-CERT) published the Computer Crime and Abuse Report (India) 2001-02 that analysed 6266 incidents of computer crime and abuse reported by over 600 organisations in India. The highest number of incidents reported was those of Data Theft followed by e-mail abuse, unauthorized access and so on.

    The data collected by the Malaysian Computer Emergency Response Team (MyCert) in 2002 also analysed cyber crimes that were reported in Malaysia.

    The highest number of incidents reported was those of Hack Threats followed by virus attacks, intrusions and so on.

    The joint survey conducted by the Computer Security Institute (CSI) and the Federal Bureau of Investigation (FBI), USA highlights the various kinds of cyber crimes committed. The highest number of crimes reported was virus attacks, followed closely by abuse of Internet access and denial of service.

    Impact of Cyber Crime

    As can be seen from the reports above, cyber crime has a major impact on the economic growth of a nation. Valuable data is stolen by means of hacking. The various Internet virus attacks that have taken place have caused global losses amounting to billions of dollars. Cyber crime is a phenomenon whose effects are felt at a global level.

3. SETTING UP A CYBER CRIME INVESTIGATION CELL

To investigate the various cyber crimes that take place every day, and thereby deter them, it is essential to establish a dedicated cell.

As more criminals have started resorting to computers and other electronic media to commit conventional crimes, nations have understood the significant role that a Cyber Crime Investigation Cell plays to help law enforcement agencies to investigate such crimes.

Various nations have already put into place dedicated personnel and infrastructure that exclusively deal with issues of cyber crime.

As realization dawns upon countries on the need to zealously protect their citizens and themselves from becoming victims of cyber crime, they also realize the importance of setting up a dedicated mechanism to counter this menace.

  1. Identification of Personnel

    The identification of key personnel to man the Cyber Crime Investigation Cell is a pre-requisite for setting up such an investigative wing. The personnel would have to undergo initial training to be well equipped to tackle the issues that arise.

    Such training programs should also be repeated from time to time to ensure that the personnel are always equipped with the latest information on the tools and techniques that help them tackle cyber crime.

  2. Training

    The next, and essentially the most crucial step, in setting up a cyber crime cell, involves the identification of the type of training that is required for the personnel that have been assigned to the Cyber Crime Investigation Cell.

    Specialized training is a critical pre-requisite to setting up a cell. Training programs are essential for the smooth functioning of a cyber crime cell.

    With regards to the training of the personnel for the cyber crime cell Asian School of Cyber Laws offers the following training programs:

    a) ASCL Certified Cyber Crime Investigator Level -1

    This course introduces and exposes the participant to various issues related to cyber crimes. It provides a detailed understanding of cyber crimes and various issues related to investigation of the same.

    This module also equips participants with requisite knowledge to successfully and efficiently investigate cyber crimes.

    b) ASCL Certified Cyber Crime Investigator Level -2

    The level-2 training module provides the participants with complete hands on exposure through the extensive use of technologies available to help investigate cyber crimes.

    This training module is coupled with extensive case studies and practical sessions that would help the participants to master the tools and techniques required for investigating cyber crime.

    c) ASCL Certified Cyber Forensics Professional

    The close association that a cyber crime investigation holds to cyber forensics makes it imperative that the Cyber Forensics Professional training program forms a part of the overall training of the personnel.

    The cyber crime investigators should understand issues related to cyber forensics in light of the fact that the initial investigation and the mode and manner in which digital evidence is collected always has a bearing on the evidence extraction by the forensics expert.

    This training module helps the participants understand basic issues involved in cyber forensics. The participants learn the rules of cyber forensics and understand the issues involved in collection and analysis of electronic evidence.

  3. Constant Training & Upgrading Systems

    Continuous training ensures that personnel stay in touch with current developments of cyber crime. Such training programs also help the participants in keeping up to date with modern tools and techniques for investigating cyber crimes.

    It is essential that the Infrastructure and other systems used in the Cyber Crime Investigation Cell also be checked and audited constantly and upgraded as and when required.

  4. Infrastructure

    It is important for the Cyber Crime Investigation Cell to have adequate infrastructure for successful examination and analysis of digital evidence. It should be kept in mind that for a cyber crime cell, infrastructure does not only include technical infrastructure but also assets such as adequate working space, dedicated communication lines, a 24 hour high speed internet connection among others which should be made available to the personnel.

    The computers should be networked so that personnel can access files residing on other computers in the cell. Stand-alone (isolated) examination machines should also be available, since a machine that is not connected to any network cannot be reached by an attacker seeking to tamper with sensitive case data.

    This would include procuring the requisite hardware and software for such examination and analysis. The hardware requirements for the cell include:

    • Powerful computer systems with standard peripherals like CD-ROM drives and CD-writers, desktop and laser printers, scanners etc.

    • Storage devices for making bit-stream copies or clones of the suspect storage media.

    • Card readers for examination of various kinds of cards that store data used for authentication and communication, e.g., smart cards, Microdrives, GSM SIM cards.

    • USB external CD Writers for taking back-up of information retrieved from various storage media.

    • A wide array of connectors for connecting various hardware devices.

    • Laptop Hard Disk Drive examination tools.

    The software requirements for the cell include:

    • Robust operating system software.

    • Other application software facilitating word-processing, spread sheet, electronic mails, multimedia, imaging, etc.

    • Case management software for keeping records of the cases being investigated and for tracking case details at short notice.

    • Bootable disks to let investigating authorities boot from such disks instead of the suspect’s bootable disk.

    • Tracking software to detect the location of a computer from which an offence has been committed.

    • Spoofing tools for e-mail and SMS spoofing.

    Cyber criminals tend to be technically sound and seldom leave trails from which law enforcement personnel can trace their physical location. Spoofing tools are therefore used to engage the suspect and induce him to reveal clues about his actual physical location, so that he can ultimately be apprehended.

    • Header analyzing software for analysis of email headers.

    • Advanced Search software for swiftly locating files containing specified keywords.

    • Chain-of-custody software for maintaining a chronological record of every person who handled each item of evidence within the investigating agency.

    • Steganography software

    • Basic cyber forensic software having the following functionalities
      • Password cracking tools
      • Disc imaging tools
      • Data, File and image recovery tools
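As an added worked example of the e-mail header analysis referred to in the list above (this is illustrative code written for this page, not a tool from ASCL or from the original text), the following Python script parses the Received: chain of a constructed sample message, walks it back to the IP address recorded by the first relay that accepted the message, checks that each relay's "by" host matches the next relay's "from" host (a break in that chain is the usual sign of a forged or stripped Received: line), and flags a From: domain that never appears in the first hop. All hostnames and addresses in the sample are invented for the example.

```python
from __future__ import annotations

import email
import email.utils
import re
from email import policy

# Constructed sample message for this example (not taken from the original page).
# The From: header claims a bank, but the Received: chain shows the message was
# injected at 198.51.100.77 and relayed through an ISP before reaching the victim's MX.
SAMPLE_MESSAGE = b"""Received: from mail.example-isp.net (mail.example-isp.net [203.0.113.5])
\tby mx.victim.example (Postfix) with ESMTP id 1A2B3C
\tfor <victim@victim.example>; Mon, 10 Mar 2003 09:14:02 +0530
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby mail.example-isp.net (Postfix) with SMTP id 9Z8Y7X;
\tMon, 10 Mar 2003 09:13:40 +0530
From: "Bank Manager" <manager@bank.example>
To: victim@victim.example
Subject: Urgent: confirm your account
Message-ID: <abc123@bank.example>

Please reply with your password.
"""

# "from <host> (<comment>) by <host>" is the part of a Received: line every
# relay writes; the comment usually carries the reverse DNS name and [IP].
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received_chain(raw: bytes) -> list[dict]:
    """Return the Received: hops in delivery order (origin first).

    Each mail server prepends its own Received: line, so the header nearest the
    top is the last hop; reversing the list gives the path the message travelled."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue  # malformed or non-standard line: keep going, do not guess
        ip = IP_RE.search(flat)
        hops.append({
            "from": m.group(1),
            "comment": m.group(2) or "",
            "by": m.group(3),
            "ip": ip.group(1) if ip else None,
            "raw": flat,
        })
    hops.reverse()
    return hops


def chain_is_consistent(hops: list[dict]) -> bool:
    """Each hop's receiving host should be the next hop's sending host."""
    return all(prev["by"].lower() == nxt["from"].lower()
               for prev, nxt in zip(hops, hops[1:]))


def origin_ip(raw: bytes) -> str | None:
    """IP address recorded by the first server that accepted the message.

    Only Received: lines written by servers the investigator trusts are
    reliable; the sender can forge lines below the first trusted relay."""
    hops = parse_received_chain(raw)
    return hops[0]["ip"] if hops else None


def sender_mismatch(raw: bytes) -> bool:
    """True if the From: domain appears nowhere in the first hop, the pattern
    a spoofed From: header leaves behind."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1]
    domain = from_addr.rsplit("@", 1)[-1].lower()
    hops = parse_received_chain(raw)
    return bool(hops) and domain not in hops[0]["raw"].lower()


if __name__ == "__main__":
    chain = parse_received_chain(SAMPLE_MESSAGE)
    for i, hop in enumerate(chain, 1):
        print(f"hop {i}: {hop['from']} ({hop['ip']}) -> {hop['by']}")
    print("origin IP:", origin_ip(SAMPLE_MESSAGE))
    print("chain consistent:", chain_is_consistent(chain))
    print("From: domain absent from first hop:", sender_mismatch(SAMPLE_MESSAGE))
```

The origin address found this way is only a starting point: the investigator still has to obtain the relay's logs and the subscriber records for that address and time, and the timestamp in the first hop, with its timezone offset, is what those requests are keyed on.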

4. SETTING UP A CYBER FORENSICS CELL

Just as a Cyber Crime Investigation Cell is essential for the successful investigation of cyber crime so too is a Cyber Forensic Cell necessary for the proper extraction and presentation of the evidence collected during the course of the investigation.

Introduction

Cyber forensics is the discovery, analysis, and reconstruction of evidence extracted from any element of computer systems, computer networks, computer media, computer peripherals and other electronic equipment that allow the forensics experts to present and put forward the best evidence in a court of law.

For successful prosecution of cyber crimes it is essential for a cyber forensics cell to have adequate and cogent evidence implicating the criminal so that a conviction is ensured.

Need for a Cyber Forensic Cell

Information stored in digital form is transient in nature and therefore it is very difficult for a law enforcement agency to seize, collect and analyze digital evidence in the absence of a specialized unit, which can undertake such tasks.

Successful prosecution depends upon the ability of the cyber crime cell to discover adequate evidence against the suspect and then link this information to the suspect.

This necessitates the need of forming a specialized cyber forensics cell with adequate resources to correctly examine and analyze the evidence and provide such a link so that it can be presented before a court of law for successful prosecution.

  1. Identification of Personnel

    The identification of expert personnel to man the cyber forensics cell is essential in order to ensure the successful working of such a cell. The expert personnel would have to undergo initial training to be well equipped to tackle the evidentiary issues that arise.

    Such training programs should also be conducted from time to time to ensure that the personnel are always equipped with the latest information on the tools and techniques that help them extract the best possible digital evidence.

  2. Training

    The next, and essentially the most crucial step in setting up a cyber forensics cell involves the identification of the type of training that is required for the personnel who would man the cyber forensics cell. Specialized training is a critical pre-requisite to setting up a cell.

    Training programs are essential for the smooth functioning of a cyber forensics cell.

    With regards to the training of the personnel for the cyber forensics cell Asian School of Cyber Laws offers the ASCL Certified Cyber Forensics Professional.

    The cyber forensics expert needs to understand the vital issues related to cyber forensics, particularly because the initial investigation, and the manner in which the digital evidence was collected, may not have been carried out appropriately owing to a lack of training or expertise on the part of the investigators.

    This training module helps the participants understand the key issues involved in Cyber Forensics. The participants learn the rules of Cyber Forensics and understand the issues involved in collection and analysis of electronic evidence.

    The transient nature of such evidence is also discussed and analysed as part of this training module. The training provides a working knowledge and hands on practical exposure to cyber forensics.

  3. Constant Training & Upgrading of Systems

    Continuous training ensures that personnel stay in touch with current developments of cyber forensics. Such training programs also help the participants in keeping up to date with modern tools and techniques utilised for cyber forensics.

    It is essential that the Infrastructure and other systems used in the cyber forensics cell also be checked and audited constantly and upgraded as and when required.

  4. Infrastructure

    It is important for the cyber forensics cell to have adequate infrastructure for successful examination and analysis of digital evidence. It should be kept in mind that for a Cyber Forensics Cell, infrastructure does not only include technical infrastructure but also assets such as adequate working space, dedicated communication lines, a 24 hour internet connection among others which should be made available to the cyber forensic expert(s) working on cyber crime cases.

    The computer infrastructure should be kept at a secure location and only authorized personnel should be allowed access to it. The computers should be networked so that personnel can access files residing on other computers in the cyber forensics cell. Stand-alone (isolated) examination machines should also be available, since a machine that is not connected to any network cannot be reached by an attacker seeking to tamper with sensitive case data.

    This would include procuring the requisite hardware and software for such examination and analysis. The software requirements for the cell should include:

    • Robust operating system software

    • Other application software facilitating word processing, spread sheet, electronic mails, multimedia, imaging and for identifying various other kinds of file formats during the course of examination

    • Case management software for keeping records of the cases being examined and for tracking case details at short notice

    • Bootable disks to let the forensic specialist boot from such disks instead of the suspect’s bootable disk

    • Advanced cyber forensic software having the following functionalities

      • Bit-stream back up of data contained in any storage media
        Such back up is necessary for examining the information contained in the suspect storage media. The forensic procedure prohibits examination of the original media to prevent any accidental erasure or interference during examination of such media.

      • Powerful password recovery tool having both brute force and dictionary password recovery modes

      • Preserving the integrity of the information contained in the suspect’s storage media through cryptographic hashing (message digests) of the data.
        The forensic software should compute a message digest of the suspect media during acquisition and again of the resulting image, so that the two can be compared at any later time and the examiner can rebut any allegation by the defence at trial that the evidence was tampered with.

      • Recovery of deleted data, image and multimedia among other kinds of files
        In many cases, the suspect may have deleted or formatted sensitive and potentially incriminating information from the storage media. In such cases, it becomes imperative for the forensic specialist to have tools for recovering deleted and formatted information from the storage media, which in many cases may lead to the conviction of the offender.

      • For generating reports based on the analysis of the information contained on the suspect storage media

      • Searching tool for locating folders and files on the suspect storage media. The tool should have the capability of making an index of all files located in the suspect storage media and instantly find out sensitive files

    • Partition recovery and analysis software for recovering information lost when a suspect hard-disk drive has been re-partitioned or its partitions deleted

    • Firewalls and Intrusion Detection Systems would also help in detection of network penetration crimes directed against the cyber forensics cell itself.

    • Updated Anti-virus programs would be essential to prevent breakdown of systems due to any malicious codes such as viruses and worms.

    • Other necessary application software programs as would be required from time to time to analyze various files during forensic examination.
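The acquisition, hashing, chain-of-custody and deleted-file recovery functions listed above fit together into one workflow. The following Python script is an added example written for this page, not a tool from ASCL or from the original text: it makes a bit-stream copy of a constructed 1536-byte "suspect medium" (three 512-byte sectors: a live file, unallocated space holding a JPEG whose directory entry has been deleted, and empty sectors), hashes the source while reading it, verifies the copy against that hash, writes a chain-of-custody record, and then carves the deleted JPEG out of the verified image by its file signature without relying on any file system. The case and examiner identifiers are placeholders.

```python
from __future__ import annotations

import hashlib
import io
import json
from datetime import datetime, timezone

SECTOR = 512

# Constructed "suspect media" for this example (not an image from the original page).
# Sector 0: a live file. Sector 1: unallocated space still holding a deleted JPEG
# (SOI marker FF D8 FF ... EOI marker FF D9). Sector 2: never used.
JPEG_BODY = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00\x01" + b"\x11" * 40 + b"\xff\xd9"
SUSPECT_MEDIA = (
    b"LIVE FILE: meeting notes, nothing of interest\n".ljust(SECTOR, b"\x00")
    + b"\x00" * 64 + JPEG_BODY + b"\x00" * (SECTOR - 64 - len(JPEG_BODY))
    + b"\x00" * SECTOR
)


def acquire_image(source, sector_size: int = SECTOR) -> tuple[bytes, str]:
    """Bit-stream copy: read every sector of the source, allocated or not, and
    hash the stream as it is read. The source is only ever read; on real media
    a hardware write blocker enforces that. Returns (image_bytes, sha256_hex)."""
    digest = hashlib.sha256()
    image = io.BytesIO()
    while True:
        chunk = source.read(sector_size)
        if not chunk:
            break
        digest.update(chunk)
        image.write(chunk)
    return image.getvalue(), digest.hexdigest()


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Re-hash the copy and compare with the digest taken at acquisition.
    The same check is repeated before every later examination of the image."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


def carve_jpegs(image: bytes) -> list[bytes]:
    """Signature-based recovery of JPEG files from raw bytes, ignoring the file
    system entirely: find each SOI marker (FF D8 FF) and cut at the next EOI (FF D9).
    Works on deleted and formatted data as long as the sectors were not overwritten."""
    found, pos = [], 0
    while True:
        start = image.find(b"\xff\xd8\xff", pos)
        if start == -1:
            return found
        end = image.find(b"\xff\xd9", start + 3)
        if end == -1:
            return found  # truncated file: no trailer, nothing reliable to carve
        found.append(image[start:end + 2])
        pos = end + 2


def custody_entry(case_id: str, examiner: str, sha256_hex: str, size: int) -> dict:
    """One chain-of-custody record: who did what to the evidence, when, and the
    digest that lets anyone later prove the image is the one acquired here."""
    return {
        "case": case_id,
        "action": "acquire",
        "examiner": examiner,
        "sha256": sha256_hex,
        "bytes": size,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }


def examine(source_bytes: bytes, case_id: str = "CASE-EXAMPLE-1",
            examiner: str = "examiner-1") -> dict:
    """Acquire, verify, log, then analyse the copy only; the original is never examined."""
    image, sha256_hex = acquire_image(io.BytesIO(source_bytes))
    if not verify_image(image, sha256_hex):
        raise RuntimeError("image hash does not match acquisition hash; do not proceed")
    log = [custody_entry(case_id, examiner, sha256_hex, len(image))]
    return {"sha256": sha256_hex, "log": log, "recovered_jpegs": carve_jpegs(image)}


if __name__ == "__main__":
    result = examine(SUSPECT_MEDIA)
    print("image sha256:", result["sha256"])
    print("custody log:", json.dumps(result["log"], indent=2))
    print("recovered JPEGs:", len(result["recovered_jpegs"]),
          "bytes:", [len(j) for j in result["recovered_jpegs"]])
```

On real media the sector loop is identical but reads the physical device through a write blocker, and the custody record is signed or stored where the examiner cannot silently alter it. SHA-256 is used here; older tools record MD5, and recording both at acquisition costs nothing.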

    The hardware requirements include:

    • Powerful computer systems with hot swappable bays and standard peripherals having support for the following:

      • Fast disk imaging and cloning

      • Various kinds of removable storage media (e.g., Jaz and Zip cartridges)

      • CD / DVD Readers and writers

      • Tape drives

      • Other kinds of electronic storage devices (CompactFlash, SmartMedia, Memory Stick)

      • IDE hard drives

      • SCSI hard drives

      • Notebook Hard Drives

      • PCMCIA Cards and Drives

    • Write protect devices to prevent any information being written on to the suspect storage media

    • Additional storage devices for making bit-stream copies or clones of the suspect storage media for examination purposes

    • External CD Writers for portability

    • Card readers for extracting information from the various types of cards that store data, e.g., magnetic stripe cards, smart cards and GSM SIM cards

    • A wide array of connectors

  5. ASIAN SCHOOL OF CYBER LAWS

    Asian School of Cyber Laws is a society and public charitable trust registered under the laws of India.

    Asian School of Cyber Laws (ASCL) was established in 1999 to facilitate awareness, study and advanced research in cyber law and information security. We provide educational and training programs in cyber law, information security and cyber crime investigation.

    In these fields we have been working closely with several educational institutions, corporate houses, law enforcement agencies and Government departments, both within India and abroad.

    ASCL has been the pioneering institute in India in promoting and spreading awareness about cyber crimes and cyber law. We have been actively involved with several law enforcement agencies in India and provided training and consultancy on cyber crimes, cyber crime investigation and cyber forensics.

    We are also pioneers in the field of cyber crime education in India.

    We have conducted numerous educational programs and seminars in various educational institutions all over India.

    The courses imparted by us have attracted students from North America, South America, Africa and Asia. We have also been equally involved with corporate India in the field of cyber crime and information security, encompassing companies from both the public and the private sector.

    1. Major Achievements

      1. Publication of our “Cyber Crime Investigation Manual” the first of its kind in India. Law enforcement personnel in India and abroad extensively use our Manual.

        Times of India, the world’s largest selling English newspaper, referred to the Manual as a “bible for cyber crime detectives”.

      2. The appointment of Adjudicating Officers under the Indian Information Technology Act, 2000.

        The appointment of these officers, responsible for deciding the fate of multi crore cyber crime cases in India was the result of the public interest litigation filed by our faculty and students.

      3. An invitation to make a presentation on "Indian Legal position on Cyber Terrorism, Encryption and preventive measures" on behalf of the Karnataka Police for Otto Schily, Interior Minister, Federal Republic of Germany.

      4. Members of the Organising Committee for the Second World Congress on Informatics and Law conducted at Spain in September 2002.

      5. We have also significantly contributed to the development of cyber laws. In that regard we have assisted the Government of India in drafting rules and regulations under the Information Technology Act, 2000.

      Some of these rules and regulations are:

      a. Rule u/s 87(2)(b) of the Information Technology Act, 2000 relating to the electronic form in which filing, issue, grant or payment shall be effected:-

      This rule will have a major impact on the e-governance initiatives of the Government of India. As India moves towards providing online services to its citizens this rule will provide the guidelines in which such online services are to be provided and payments effected.

      b. Rule u/s 87(2)(c) of the Information Technology Act, 2000 relating to the manner and format in which electronic records shall be filed, or issued and the method of payment of any fee:-

      This rule will also have a significant bearing on the e-governance services to be offered by the Government of India to its citizens.

      c. Rule u/s 87(2)(e) of the Information Technology Act, 2000 relating to the security procedure for the purpose of creating secure electronic record and secure digital signature:-

      The e-commerce growth of the nation is dependent on the Public Key Infrastructure adopted by the nation. This rule regarding the procedure for creation of secure electronic record and secure digital signatures will significantly impact the e-commerce growth of the country. This rule has a bearing on the issue of persons obtaining digital signatures.

      d. Rule u/s 87(2)(g) of the Information Technology Act, 2000 relating to other standards to be observed by the Controller of Certifying Authorities:-

      The Controller of Certifying Authorities (CCA) is the authority appointed under the Information Technology Act, 2000 to regulate and oversee the functioning of Certifying Authorities in India.

      The CCA also has the authority to issue directions to the law enforcement agencies to decrypt and intercept information from a computer resource if it is so required in the interests of national security.

      We have drafted the rules relating to the standards that need to be observed by the Controller.

      e. Rule u/s 87(2)(o) of the Information Technology Act, 2000 relating to the fee to be paid to the Certifying Authority for issue of a Digital Signature Certificate:-

      This rule will have a bearing on the extensive use of Digital Signature systems in India. The rule has been drafted by ASCL keeping in mind the nature and significance that e-commerce would play and its impact on the Indian economy.

      f. Rule u/s 87(2)(s) of the Information Technology Act, 2000 relating the procedure for investigation of misbehavior or incapacity of the Presiding Officer:-

      The Presiding officer is the appellate authority who determines whether the order passed by the Adjudicating Officer appointed under the Information Technology Act, 2000 for the contravention of any the provisions of the Act stand good in law or not.

      g. Rule u/s 87(2)(v) of the Information Technology Act, 2000 relating to any other power of a civil court required to be prescribed:-

      This rule determines the powers of a civil court that the Cyber Appellate Tribunal constituted under the Information Technology Act, 2000 would be conferred with.

      h. Rule u/s 87(2)(w) of the Information Technology Act, 2000 relating to any other matter which is required to be, or may be, prescribed.

      i. Regulation u/s 89 (2)(a) of the Information Technology Act, 2000 relating to particulars relating to maintenance of database containing the disclosure record of every Certifying Authority:-

      This regulation has significance in light of the fact that the technical requirements relating to the maintenance of the database has to ensure the highest levels of security to prevent any unauthorised access and intrusion into that database.

      j. Regulation u/s 89 (2)(b) of the Information Technology Act, 2000 relating to conditions and restrictions subject to which the Controller may recognize any foreign Certifying Authority:-

      The recognition of foreign Certifying Authority is significant as it would provide a system for global e-commerce transactions to have legal validity in a court of law.

    2. Our Computer Emergency Response Team has handled over 7000 incidents of computer crime and abuse. We have also assisted various law enforcement agencies in the investigation of some of the most high profile cases, including:-

    1. The Giancarla Balestra stalking case.

    2. The US $ 1.5 Million e-commerce source code case

6. ASSISTANCE OFFERED BY ASCL

With our rich and varied experience in the field of cyber crime, cyber forensics and cyber law, ASCL can advise and assist in the formation of a Cyber Crime Investigation Cell and Cyber Forensics Cell in all its aspects, including:

  • Identification of the personnel vital to the smooth and effective functioning of the cell;
  • Identifying the necessary infrastructure essential for setting up such a cell;
  • Specifying and procuring the crucial hardware and software for the cell;
  • Providing extensive training to the personnel who will man the cell;
  • Providing consultancy to the cell for proper presentation of an examination report prepared by the cyber crime investigator for the purpose of prosecuting the offender;
  • Providing consultancy to the cyber forensics cell for optimal presentation of the collected evidence in a court of law;
  • Drafting policies fundamental to the secure and smooth operations of the cell.
 

 
© 2007 Asian School of Cyber Laws. All rights reserved.