Digital Forensics Best Practices with the use of Open Source Tools and Admissibility of Digital Evidence in Courts
Mr. Ninad Nawaghare, CFE CFAP DEA CSIR
Mr. Sagar Rahurkar, CFE BLS LLB LLM CCI
Illustration 1
A boy is accused of sending an obscene SMS.
As per the National Crime Research Bureau, during 2012, 587 cases were registered under the cyber crime category for eve teasing / harassment.
Source: National Crime Research Bureau
Illustration 2
The origin of a threatening email was traced back to a cyber café.
As per the National Crime Research Bureau, during 2012, a total of 135 cases were registered under the cyber crime category for extortion & revenge settling.
Source: National Crime Research Bureau
Illustration 3
Accounting software is stolen from a server located in Country A. With minor alterations, the same software is sold at a cheaper cost in Country B.
As per the National Crime Research Bureau, during 2012, a total of 624 cases were registered under the cyber crime category for greed of money and 668 cases were registered for fraud / illegal gain.
Source: National Crime Research Bureau
Illustration 4
With the intention of taking revenge on the management, a disgruntled employee sends a fake mail to the stakeholders alleging irregularities in the company's affairs.
As per the National Crime Research Bureau, during 2012, a total of 117 cases were registered under the cyber crime category for causing disrepute to an individual, government or organization.
Source: National Crime Research Bureau
Vexing Questions with respect to the illustrations
- Where is the evidence?
- What is the evidence?
- How do I investigate?
- How do I prove the crime?
Solution is "Digital Forensics"
'Digital' is defined in the Oxford Dictionary as [2]: (of signals or data) expressed as a series of the digits 0 and 1, typically represented by values of a physical quantity such as voltage or magnetic polarization. Often contrasted with analogue. Also: involving or relating to the use of computer technology (the digital revolution).
'Forensics' is defined in the Oxford Dictionary as [3]: scientific tests or techniques used in connection with the detection of crime.
Thus Digital Forensics can be defined as: a discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications and storage devices in a way that is admissible as evidence in a court of law.
Sources: [2] http://oxforddictionaries.com/definition/english/digital?q=Digital [3] http://oxforddictionaries.com/definition/english/forensic
Expected outcome of "Digital Forensics" is "Digital Evidence"
Digital evidence can be defined as: information and data of value to an investigation that is stored on, received, or transmitted by an electronic device. This evidence is acquired when data or electronic devices are seized and secured for examination.
Traits of Digital Evidence
- May be found in: storage devices like hard disks, CDs, DVDs, memory cards, USB drives, mobile phones & SIM cards, and online resources like mail servers & cloud servers.
- Can be hidden in: password protected files, encrypted files, steganography files, formatted hard disks, the HPA (Host Protected Area) or DCO (Device Configuration Overlay) of hard drives.
- Can relate to: online fraud, organized crime, identity theft, data theft, unauthorized access, malicious files (virus attack), data alteration, cyber defamation, cyber pornography, online gambling, sale of illegal items, etc.
Phases in the "Digital Forensics" process
- Phase 1: Identification of storage media for potential evidence
- Phase 2: Acquisition of the storage media
- Phase 3: Forensic analysis of the acquired media
- Phase 4: Documentation & Reporting
Forensic analysis of the acquired media involves:
- Analyzing digital information
- Identifying traces of network / computer intrusion
- Identifying & examining malicious files
- Employing techniques to crack file & system passwords
- Detecting steganography
- Recovering deleted, fragmented & corrupted data
- Analyzing online activities
- Maintaining evidence custody procedures
- Courtroom presentation
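As an added example (not part of the original presentation), the POSIX shell script below shows what Phase 2 (acquisition of the storage media) and "maintaining evidence custody procedures" look like in practice with only the open source utilities dd and sha256sum: the source medium is copied bit for bit into an image, source and image are both hashed, the hashes go into a chain-of-custody log, and a later verification step recomputes the image hash and compares it with the logged value. Hash verification is standard forensic practice that the slides do not spell out; the examiner id, file names and the 1 MiB random "device" used by demo are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original presentation): forensic acquisition of a
# storage medium with hash verification and a chain-of-custody log, using only
# the open source utilities dd and sha256sum. Paths and examiner id are
# constructed for the demo.

# Print the SHA-256 digest of a file (hash only, no filename).
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# acquire_image SOURCE IMAGE LOG EXAMINER
# Copies SOURCE bit for bit into IMAGE, hashes both, and appends an ACQUIRE
# record to LOG. Returns 0 only if the source and image hashes match.
acquire_image() {
    src="$1"; img="$2"; log="$3"; examiner="$4"
    dd if="$src" of="$img" bs=4096 2>/dev/null || return 1
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # Record format: timestamp|ACQUIRE|examiner|image|src=<hash>|img=<hash>
    printf '%s|ACQUIRE|%s|%s|src=%s|img=%s\n' \
        "$ts" "$examiner" "$img" "$src_hash" "$img_hash" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE LOG
# Recomputes the image hash and compares it with the hash recorded at
# acquisition, appending a VERIFY record. Returns 0 on match, 1 on mismatch,
# 2 if the image was never logged.
verify_image() {
    img="$1"; log="$2"
    recorded=$(grep -F '|ACQUIRE|' "$log" | grep -F "|$img|" | tail -n 1 | sed 's/.*img=//')
    [ -n "$recorded" ] || return 2
    current=$(hash_file "$img")
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if [ "$recorded" = "$current" ]; then
        printf '%s|VERIFY|OK|%s|%s\n' "$ts" "$img" "$current" >> "$log"
        return 0
    fi
    printf '%s|VERIFY|MISMATCH|%s|expected=%s|got=%s\n' \
        "$ts" "$img" "$recorded" "$current" >> "$log"
    return 1
}

# demo: image a constructed 1 MiB "device", verify it, then append one byte to
# the image and confirm that verification now fails. Returns 0 if every step
# behaved as expected.
demo() {
    work=$(mktemp -d) || return 1
    log="$work/custody.log"
    head -c 1048576 /dev/urandom > "$work/source.bin"          # constructed source medium
    acquire_image "$work/source.bin" "$work/evidence.dd" "$log" "examiner-01" || return 1
    verify_image "$work/evidence.dd" "$log" || return 1
    printf 'X' >> "$work/evidence.dd"                           # simulated tampering
    if verify_image "$work/evidence.dd" "$log"; then
        return 1                                                # tampering must be detected
    fi
    cat "$log"
    rm -rf "$work"
    return 0
}
```

On a real case the SOURCE argument would be a block device opened read-only (ideally behind a hardware write blocker), and the custody log would be kept on separate media and signed or hashed itself; the MISMATCH record is what the examiner would have to explain in the documentation phase.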
To Recapitulate
The Digital Forensics Process is applied to storage media and yields digital evidence.
The Digital Forensics Process can be implemented either by using commercial tools (a.k.a. proprietary tools) or open source free tools.
Commercial / Proprietary Tools are software applications designed with a commercial objective. The source code & the internal working of the software application are privileged and concealed from the user.
Open Source Free Tools are software applications available for usage at no cost. The source code & the internal working of the software application are known to the user. Furthermore, the user has the liberty of altering the source code as per the requirements.
ISSUES with Commercial / Proprietary Tools
- High capital cost
- High operational cost
- High maintenance cost (paid updates or bug fixing)
- Algorithm/logic not known
- Source code is strictly privileged
- Heavy dependency on the software manufacturer
- Restricted usage
ADVANTAGES with Open Source Tools
- Zero capital cost
- Minimal / no operational cost
- Minimal / no maintenance cost
- Algorithm/logic is known to the user
- Source code is freely available for access, editing & customization
- Extensive support from the open source community
- Free usage by any number of users
Law Enforcement initiatives in "Open Source Digital Forensics Tools"
- By: Belgian Federal Computer Crime Unit (FCCU)
- An advanced network forensic framework. By: Australian Federal Police, Brisbane, Australia
- Project in The Software and Systems Division supported by the Law Enforcement Standards Office and the Department of Homeland Security.
Law Enforcement initiatives in "Open Source Digital Forensics Tools" (cont.)
- The Open Computer Forensics Architecture (OCFA) is a modular computer forensics framework built by the Dutch National Police Agency.
- ForeIndex: A Framework for Analysis and Triage of Data Forensics. By: a forensic expert of the Brazilian Federal Police & a researcher of the Brazilian Space Agency.
Commercial / Proprietary & Open Source Tools for Imaging in the Acquisition Phase
(The open source tools listed below are examples; the list is not exhaustive.)
Proprietary Tools: EnCase Forensic (Guidance Software); FTK (AccessData); WinHex (X-Ways Software Technology AG); Forensics Apprentice; BlackLight; Cellebrite (mobile forensics and data transfer solutions); Paraben (handheld digital forensics)
Open Source Tools: Digital Forensics Framework; CAINE; DEFT
Commercial / Proprietary & Open Source Tools for Forensic Analysis
(The open source tools listed below are examples; the list is not exhaustive.)
Activities covered: analyzing digital information; analyzing online activities; recovering deleted, fragmented, corrupted data; identifying & examining malicious files
Proprietary Tools: EnCase Forensic (Guidance Software); FTK (AccessData); WinHex (X-Ways Software Technology AG); Forensics Apprentice; BlackLight; Cellebrite (mobile forensics and data transfer solutions); Paraben (handheld digital forensics)
Open Source Tools: Digital Forensics Framework; CAINE; DEFT
Mobile Forensics (analyzing mobiles): SAFT
Commercial / Proprietary & Open Source Tools for Forensic Analysis (cont.)
(The open source tools listed below are examples; the list is not exhaustive.)
Identifying traces of network / computer intrusion:
- Analyzing RAM. Free Tools: CMAT; Volafox; Volatility. Proprietary Tools: Second Look; Windows Scope; Memoryze
- Network Forensics (capturing / analyzing network packets). Free Tools: WireShark; NetworkMiner. Proprietary Tools: NetIntercept
- Registry analysis. Free Tools: Registry Decoder. Proprietary Tools: Registry Recon
Commercial / Proprietary & Open Source Tools for Forensic Analysis (cont.)
(The open source tools listed below are examples; the list is not exhaustive.)
Employing techniques to crack file & system passwords:
- Password cracking. Free Tools: John the Ripper (cracking passwords for Windows, PDF, Word, RAR, ZIP & Excel). Proprietary Tools: Password Recovery; Passware
Detecting pornography:
- Free Tools: Redlight Porn Scanner (NIJ funded project). Proprietary Tools: SurfRecon
Admissibility of Digital Evidence in Courts
Orientation
- Digital Evidence - Meaning
- Requirements U/Sec. 65B of the Indian Evidence Act
- Expert Examiner of Electronic Evidence
- Daubert Principle for Expert Witness
Digital Evidence
Evidence, as defined U/Sec. 3 of the Indian Evidence Act, means and includes all statements and all documents, including electronic records, produced for the inspection of the Court.
Requirement U/Sec. 65B of the Indian Evidence Act
Sec. 65B - Admissibility of electronic records
Any information contained in an electronic record which is printed on a paper, stored, recorded or copied in optical or magnetic media produced by a computer shall be deemed to be a document, if the conditions mentioned in this section are satisfied in relation to the information and the computer in question, and shall be admissible in any proceedings, without further proof or production of the original, as evidence of any contents of the original or of any fact stated therein of which direct evidence would be admissible.
Conditions U/Sec. 65B
(a) Regular use of the computer by the authorised person: the computer output containing the information was produced by the computer during the period over which the computer was used regularly to store or process information for the purposes of any activities regularly carried on over that period by the person having lawful control over the use of the computer.
(b) Regular feeding of information into the system in the ordinary course of business: during the said period, information of the kind contained in the electronic record, or of the kind from which the information so contained is derived, was regularly fed into the computer in the ordinary course of the said activities.
Conditions U/Sec. 65B (cont.)
(c) Working state of the media: throughout the material part of the said period, the computer was operating properly or, if not, then in respect of any period in which it was not operating properly or was out of operation during that part of the period, this was not such as to affect the electronic record or the accuracy of its contents; and
(d) The information contained in the electronic record reproduces or is derived from such information fed into the computer in the ordinary course of the said activities.
Requirement of an Affidavit
To demonstrate compliance with these conditions, a statement in the form of an affidavit is required to be made in the court. It should be signed by a person occupying a responsible official position in relation to the operation of the relevant device or the management of the relevant activities (Section 65B(4)).
Is it really necessary?
The requirement to file an affidavit under Sec. 65B is not absolute. The Supreme Court, in the case of State v. Navjot Sandhu, while examining Section 65B, held that even when an affidavit/certificate under Sec. 65B is not filed, this would not foreclose the Court from examining such evidence, provided it complies with the requirements of Sections 63 and 65 of the Evidence Act (refer to Para 150 of the judgement).
In Vodafone Essar Ltd. v. Raju Sud, the Bombay High Court dispensed with the requirement under Sec. 65B.
Expert Witness
A witness who, by virtue of education, training, skill, or experience, is believed to have knowledge in a particular subject beyond that of an average person.
In a famous Scottish case, Davie v Edinburgh Magistrates (1953), the function of an expert witness is described as 'to furnish the judge with the necessary scientific criteria for testing the accuracy of their conclusions, so as to enable them to form their own independent judgment by the application of these criteria to the facts provided in evidence'.
Daubert Principle for Expert Witness
If scientific, technical, or other specialized knowledge will assist the trier of fact to understand the evidence or to determine a fact in issue, a witness qualified as an expert by knowledge, skill, experience, training, or education may testify to his opinion.
Criteria for an expert under the principle:
- Has the expert used scientific methods / discovery techniques?
- Have the method(s) used by the expert in the case ever been used by any other expert, or by the same expert in any other case?
- Is the testimony the product of reliable principles and methods?
- Has the expert applied the principles and methods reliably to the facts of the case?
Examiner of Electronic Evidence
Sec. 79A - The Information Technology Act, 2000
The Central Government may, for the purposes of providing expert opinion on electronic evidence before any court or other authority, specify, by notification in the Official Gazette, any department, body or agency of the Central Government or a State Government as an Examiner of Electronic Evidence.
Contact: Sagar Rahurkar; Ninad Nawaghare