Saturday, March 2, 2013

Regulations And Guidelines For Effective Investigation Of Cyber Crimes In India

Cyber crimes are increasing at a rapid pace in India. However, cyber crime investigation in India still has to be developed to tackle these cyber crimes effectively. As of today, the cyber crime investigation capabilities of Indian law enforcement agencies are still deficient, and they need proper training in this regard.

The legal and judicial systems of India also need to adapt to the contemporary, information technology oriented society. However, a majority of cyber crimes in India are not reported at all. Even when cyber crimes are reported, they are not properly investigated, and very few such cases reach the court level.

In the absence of scientific evidence, knowledge and proper cyber crime investigation, there are very few cyber crime convictions in India. In fact, the Supreme Court of India is hearing many Public Interest Litigations (PILs) in this regard.

In one such PIL the Supreme Court of India has issued notice to the Centre to seek its views in this regard. The Supreme Court has sought a response from the Centre on a PIL seeking a direction to the government to frame regulations and guidelines for effective investigation of cyber crimes in India.

The notice has been issued by a Three Judge Bench of the Supreme Court headed by Chief Justice Altamas Kabir. The PIL alleges that common people are being harassed by the police due to a lack of procedural safeguards in the prevalent system of cyber laws.

The PIL originated out of the allegations of Pune-based businessman Dilip Kumar Tulsidas Shah who claimed that he was harassed by the police in a cyber crime case in which he was not involved.

The petitioner seeks the remedy of a writ of Mandamus, order or direction to the Centre to frame an appropriate regulatory framework of rules, regulations and guidelines for effective investigation of cyber crimes, keeping in mind the fundamental rights of citizens.

The Petitioner also contends that there is a near total lack of procedural safeguards in the prevalent system of cyber crime investigation. Police harassment of citizens, whether out of intention or ignorance, is rampant, says the Petitioner.

The Bench, after hearing his arguments, issued notice and clubbed his plea with other similar PILs pending before it.

At Perry4Law Organisation and Perry4Law’s Techno Legal Base (PTLB) we have been working in the direction of spreading public awareness regarding cyber law on the one hand and cyber crimes investigation on the other. PTLB is managing the exclusive techno legal Centre of Excellence for Cyber Crimes Investigation in India.

PTLB is also managing the exclusive techno legal Cyber and Hi-Tech Crimes Investigation and Training Centre (CHCIT) of India. PTLB has also placed special emphasis upon preventing and punishing cyber crimes against women in India.

PTLB has also launched a techno legal initiative named Intelligence Agencies and Law Enforcement Technology in India. The aim of this initiative is to develop the techno legal capabilities of law enforcement and intelligence agencies of India.

Intelligence agencies and law enforcement agencies of India are actively looking towards adoption and use of information and communication technology (ICT) for their functioning.

Ambitious projects like the Crime And Criminal Tracking Network and Systems (CCTNS) Project of India, the National Intelligence Grid (Natgrid) Project of India, the National Counter Terrorism Centre (NCTC) of India, the Central Monitoring System (CMS) Project of India, the National Cyber Coordination Centre (NCCC) of India, etc. require techno legal expertise. Law enforcement agencies of India must be aware of both the technical and the legal requirements in order to derive maximum benefit from these projects.

If either the Supreme Court or the Centre needs our assistance regarding formulating regulations and guidelines for effective investigation of cyber crimes in India, Perry4Law and PTLB would be glad to extend the same.

Source: CECSRDI.

Friday, February 8, 2013

Forensics Analysis Of Nokia’s Computer Used To Download Software In India

Nokia has been accused of violating income tax and transfer pricing laws of India. Nokia India has flatly denied these allegations and has been maintaining that it is complying with all the applicable laws of India.

In order to strengthen its allegations and prove its point, the income tax department officials paid a visit to Nokia India’s factory at Sriperumbudur, near Chennai, along with Central Forensic Science Laboratory (CFSL) officials from Hyderabad.

The idea was to verify and analyse, using cyber forensics methodologies, the Nokia India computers suspected of being used to download software from the parent company.

The verification started at 11:30 AM on Thursday and around 10-15 officials from the IT department along with two experts from the Central Forensic Science Labs were part of the verification, which lasted for almost seven hours.

The verification visit was triggered because during recording of statements in the last few weeks, Nokia officials gave different versions. The department sought a third party cyber expert to prove what Nokia did was wrong, and to strengthen the case, if it goes to a Court.

We at Perry4Law and Perry4Law’s Techno Legal Base (PTLB) believe that this is the right approach to gather digital evidence. The experienced officials from the CFSL would consider all the aspects of cyber forensics, e-discovery, etc. Further, the legal issues of paper evidence scanning and e-discovery in India and of optical character recognition (OCR) in India should also be kept in mind by the CFSL officials.

The department is expected to raise a demand on Nokia any time for Rs 3,000 crore of tax deducted at source (TDS), and if Nokia does not comply with the law the department may consider freezing its bank accounts and assets. The department is also alleging a transfer pricing violation of about Rs 10,000 crore.

According to the department, the Indian subsidiary of the Finland-based handset manufacturer Nokia has been downloading software from its parent company to manufacture mobile handsets at Sriperumbudur, near Chennai, but had not paid tax on royalty for those downloads.

Monday, October 8, 2012

Techno Legal Initiatives Of Perry4Law And PTLB

Techno legal issues pose special challenges before all nations. This is so because these issues are a complex combination of both technical and legal issues. At Perry4Law and Perry4Law Techno Legal Base (PTLB) we have been spearheading many world renowned techno legal initiatives.

Similarly, on the education, training and skills development front as well, Perry4Law and PTLB have been managing many initiatives. For instance, the exclusive techno legal e-learning in India is managed by PTLB, whereas highly specialised and domain specific training and education are managed by the Perry4Law Techno Legal ICT Training Centre (PTLITC).

We are also discussing important issues pertaining to international ICT policies and strategies. Similarly, techno legal issues are specifically discussed at the PTLB blog. We hope these initiatives would prove useful to all stakeholders.

Source: ICTPS Blog

Monday, July 30, 2012

Cyber Forensic Investigation Solutions in India Are Needed

Cyber forensics requires the application of both a technical and a legal mind to a situation. If either of them is missing, the entire purpose of the cyber forensics exercise would be frustrated. Cyber forensics also requires a greater degree of care and expertise as compared to electronic discovery, whose purposes may be limited in nature.

India has a unique cyber culture that requires effective cyber forensics and electronic discovery capabilities. Further, cyber security research and development is also required to be enhanced in India. Companies and firms providing cyber forensics services in India must also innovate so that international cyber threats can be effectively tackled. These companies and firms must also invest in producing world class cyber forensics solutions in India.

On the education front as well, we need to do a lot in India. The Indian educational system is academic in nature, with little scope for professional and vocational studies. The traditional educational system would take decades to reform, and we need parallel initiatives in this regard that are free from procedural hassles and bureaucratic hurdles.

Corruption in higher legal education in India is rampant and needs to be curbed. PhDs in India are dying, and if the Indian government does not intervene immediately there is no scope or future for cyber forensics education in India either. Virtual campuses are the solution to corrupt higher education in India and must be encouraged.

At Perry4Law Techno Legal Base (PTLB) we are managing a techno legal e-learning platform that is providing cyber forensics trainings and courses world wide. We are also providing cyber crime investigation trainings in India.

In order to effectuate and strengthen cyber forensics investigation solutions in India, Perry4Law, PTLB and Perry4Law Techno Legal ICT Training Centre (PTLITC) are also managing the exclusive techno legal cyber forensics tools and software repository of India. It consists of the most advanced cyber forensics tools and software that can be used in a variety of situations.

We are also in the process of developing cyber forensics best practices that would be compatible with Indian requirements. We expect a more proactive and direct role by the Indian government in this crucial field, which has been ignored for long.

Sunday, July 22, 2012

IP Address Tracking Methods And Techniques For E-Mails

An Internet Protocol Address (IP Address) is the starting point not only for initiating communications across the Internet but also for tracing them back to a particular Computer System. Of course, an IP Address is not always what it seems to be, and there may be instances of IP Address Spoofing where the IP Address is forged to mislead the Traceability exercise. This is also the reason why an IP Address should not be the sole criterion to arrest and convict an accused.

Nevertheless, tracing the “Real Culprit” essentially involves IP Address Tracing as the first step. In this article I discuss some of the issues connected with tracking an IP Address from an E-Mail. The scope of this article is not to explain how to obtain E-Mail Headers but to discuss how to “Interpret” them. So I presume that you are aware of the procedure to obtain E-Mail Headers from your respective E-Mail Clients. Reading Anonymity and Traceability in Cyberspace (PDF) by Richard Clayton would be a good idea in this regard.

Generally, IP Address details can be found in Log Files, in the Received Header fields of an E-Mail, in Tcpdump Traces, by Pinging or doing a Whois Query of a Website, etc. Once the IP Address has been ascertained, it is imperative to Track who is using the concerned IP Address.

With Static IP Addresses the problem of Tracking a person is comparatively easy. However, Dynamic IP Addresses keep on changing with every use. It is absolutely essential to “Correlate” the details of such a Dynamic IP Address with the “Exact Time” as well as the concerned “Log Entries”. Further, IP Spoofing must also be kept in mind, though it is primarily used for Distributed Denial of Service (DDoS) Attacks.

However, the threat of “Spoofed E-mail Headers” is real, and special care must be taken while analysing E-Mail Headers as they may carry “Spoofed Information”. Mutual Authentication and Correlation of the E-Mail Header Information is required to reach a “Conclusive Decision” in this regard.

So before analysing the E-Mail Headers for the relevant IP Address, one must ensure that there is no case of E-Mail Spoofing. In E-Mail Spoofing the sender forges the sender address, and other parts of the E-Mail Header are altered so that the E-Mail appears to have originated from a different source. This is possible because the Simple Mail Transfer Protocol (SMTP) itself provides no Authentication, which allows Spoofed E-Mails to be sent.

E-Mails accumulate “Received Headers” as they travel through different hosts, so by reading them in order you can reconstruct the original source of the E-Mail. However, reading E-Mail Header fields to ascertain the true IP Address of the sender requires good working knowledge in this regard. The most common and trusted method is to analyse the Headers from “Top to Bottom” until the “Chain of Coherence” is broken by a suspicious or forged entry. The “Last Trusted Received Header” field may tell you the IP Address of the sender of the E-Mail. So instead of jumping directly to the last Received Header in all cases to ascertain the IP Address of the sender, it is appropriate to work downwards through the Header fields from the first to the last and assess their “Integrity”.

In cases of Spoofed E-Mails, the “Last Received Header Rule” may not apply. In order to establish the Authenticity of the Headers of such a Spoofed E-Mail, one must perform both a “Reverse Lookup” and a “Forward Lookup” of the IP Addresses in the E-Mail.

Another aspect to be noted is that in the case of GMail it may generally not be possible to ascertain the IP Address of the sender of an E-Mail, because Google puts the IP Address of its own Servers in the Headers when a GMail account holder sends an E-Mail. You have to get a “Court Order” to force Google to disclose the IP Address of the sender. However, if someone sends you an E-Mail from a GMail account using a client like Thunderbird, Outlook or Apple Mail, you may still find the “Originating IP Address”.

Finally, basic level “Alertness” is also essential on the part of Law Enforcement Agencies and their Technicians. For instance, Lakshmana Kailash K of India spent 50 days in an Indian jail because the Police/Internet Service Provider (ISP) made an “Apparent but very Common Mistake” while providing details of the person who used the IP Address from which the offence was committed.

The Indian Police and the ISP were confused by what I call the “AM/PM Syndrome” and did not bother to check the “Exact Time” of the commission of the crime. Mistakes like these have no place in the Cyber Forensics and Cyber Law fields.
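As an added illustration (not code from the original post), here is a Python walk over a constructed set of Received headers that applies the top-to-bottom rule above: it stops at the first hop whose “by” host does not match the “from” host above it (or whose timestamp runs backwards), reports the last trusted hop's IP, and normalises every timestamp to UTC so the AM/PM and time-zone confusion just described cannot creep into the log correlation. The hostnames and addresses are constructed sample values; the reverse and forward DNS lookups are left out so that the block runs offline.

```python
import re
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed Received headers for this example (not taken from any real message),
# listed top to bottom as they appear in the message: the top entry was added last,
# by the recipient's own server, and the bottom entry is closest to the sender.
SAMPLE_RECEIVED = [
    "from mx1.example.net (mx1.example.net [198.51.100.25]) by mail.example.org "
    "with ESMTP; Sun, 22 Jul 2012 09:15:02 +0530",
    "from relay.isp.example (relay.isp.example [203.0.113.7]) by mx1.example.net "
    "with ESMTP; Sun, 22 Jul 2012 03:44:58 +0000",
    "from [192.0.2.44] (unknown [192.0.2.44]) by relay.isp.example "
    "with ESMTPA; Sat, 21 Jul 2012 23:44:50 -0400",
    # Bottom entry: a hop the sender inserted to make the trace point elsewhere.
    "from forged.example.com (forged.example.com [198.18.0.1]) by nonexistent.example "
    "with SMTP; Sat, 21 Jul 2012 20:00:00 +0000",
]

HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?"  # HELO name, optional (rDNS [ip])
    r".*?\bby\s+(?P<by>\S+)"                                 # server that added the header
    r".*?;\s*(?P<date>.+)$",                                 # timestamp after the ';'
    re.DOTALL,
)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hop(header):
    """Split one Received header into the names it claims, the client IP and a UTC time."""
    m = HOP_RE.search(" ".join(header.split()))  # unfold continuation lines first
    if not m:
        return None
    comment = m.group("comment") or ""
    names = {m.group("from").strip("[]").lower()}
    names.update(w.lower() for w in comment.split()[:1])  # reverse-DNS name, if present
    ip = IPV4_RE.search(comment) or IPV4_RE.search(m.group("from"))
    return {
        "from": m.group("from").strip("[]"),
        "names": names,
        "by": m.group("by").lower(),
        "ip": ip.group(1) if ip else None,
        # Normalise every hop to UTC so that +0530, -0400 and 12-hour clocks cannot be
        # mixed up when the time is later matched against ISP logs.
        "time": parsedate_to_datetime(m.group("date")).astimezone(timezone.utc),
    }

def trace_origin(received_headers, max_skew=timedelta(minutes=5)):
    """Walk the headers top to bottom and stop where the chain of coherence breaks.

    Hop i says the mail came *from* host X, so the next hop down must say it was
    added *by* X and must not be timestamped after hop i (allowing some clock skew).
    The last hop that passes is the last trusted Received header.
    """
    hops = [parse_hop(h) for h in received_headers]
    if not hops or hops[0] is None:
        raise ValueError("no parseable Received header")
    last_trusted, reason = 0, "chain coherent down to the last Received header"
    for i in range(len(hops) - 1):
        cur, nxt = hops[i], hops[i + 1]
        if nxt is None:
            reason = f"hop {i + 1} is unparseable"
            break
        if nxt["by"] not in cur["names"]:
            reason = (f"hop {i + 1} claims it was added by {nxt['by']}, "
                      f"but hop {i} says the mail came from {cur['from']}")
            break
        if nxt["time"] > cur["time"] + max_skew:
            reason = f"hop {i + 1} is timestamped after hop {i}"
            break
        last_trusted = i + 1
    origin = hops[last_trusted]
    return {
        "last_trusted_hop": last_trusted,
        "origin_ip": origin["ip"],
        "origin_time_utc": origin["time"].isoformat(),
        "reason": reason,
    }
```

Calling `trace_origin(SAMPLE_RECEIVED)` stops at the forged bottom entry and returns 192.0.2.44 with a UTC timestamp as the last trusted hop; before that value is relied upon, the reverse and forward lookups of each hop's IP still have to confirm the names the headers claim.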

While ascertaining the IP Address of an E-Mail all these factors must be kept in mind. Automatic Scripts/Software are good for ascertaining the IP Address, but the end result of such Automatic Scripts/Software must be “Corroborated” by manual inspection. I will share more on this issue in my subsequent articles.

Thursday, July 19, 2012

Hidden Internet: The Unexplored, Hidden And Deep Web And Internet

The tussle between Anonymity and Traceability has been going on for many years. Law Enforcement Agencies are pushing for lesser Anonymity and greater Traceability whereas Civil Liberty Groups and Netizens are demanding greater Anonymity and Privacy. The battle is epic and it is not going to end soon.

Anonymity has both uses and misuses. Like any legitimate Invention and Technology, the Internet can be both abused for criminal activities and used for the greater benefit of the Human race. The Internet also has many benefits and is used in numerous ways, some known while others are still unknown.

While the known part can be viewed and analysed through numerous methods, including search results from search engines, a majority of the World Wide Web (WWW) is still out of plain sight and beyond the reach of most of us. This hidden Web is known by many as the Deep Web, though I personally prefer to call it the “Hidden Internet”.

The Hidden Internet may reside in plain sight or may be hidden through special techniques and methodologies. For instance, the owner of a Website or Blog may try to keep it out of public view, for example by using a robots.txt file to keep search engines away. However, even such a restricted Blog can be accessed through cracking methods or by the company that owns the Blog service.

Further, there are many Crawlers that do not comply with the restrictions placed by robots.txt files. This may expose files and documents that were never intended to be disclosed. This is where Google Hacking comes into the picture.

By its very nature, Hidden Internet is designed to defeat indexing of its contents by search engines. Its contents are visible and accessible to only selective few who have not only the knowledge of such contents but also have means and methods to access the same.

The Hidden Internet is different from the Dark Internet: in the case of the former, the Computers storing and processing the contents are still accessible, though to a select few alone. The Dark Internet, on the other hand, is a group of Computers that are simply out of the Internet and cannot be accessed at all.

According to an estimate based upon a study by the University of California, Berkeley in the year 2001, the Hidden Internet consists of about 7,500 terabytes of information. Another study in 2004 indicated that there were around 300,000 deep web sites in the entire Hidden Internet, and around 14,000 deep web sites existed in the Russian part of the Web in 2006. Thus, the Hidden Internet is much bigger and carries more information than our presently accessible Internet.

The contents and information stored in the Hidden Internet can be found in the form of Dynamic Contents, Unlinked Contents, Private Web, Contextual Web, Limited Access Contents, Scripted Contents, Non-HTML/Text Contents, etc. These contents are not available to normal search engines for indexing. Search engines are now planning to tackle this issue and are devising methods to access contents and information residing in the Hidden Internet.

In fact, some search engines have been specifically designed to access contents of Hidden Internet. However, there is still a long road to cover by search engines and Law Enforcement Agencies around the World to tackle the vices of Hidden Internet. Efforts in the direction of making the entire search process “Automatic” are going on at global level.

The more difficult challenge is to categorise and map the information extracted from multiple Hidden Internet sources according to end-user needs. Hidden Internet search reports cannot display URLs like traditional search reports. End users expect their search tools not only to find what they are looking for quickly, but also to be intuitive and user-friendly. In order to be meaningful, the search reports have to offer some depth about the nature of the content that underlies the sources, or else the end-user will be lost in a sea of URLs that do not indicate what content lies beneath them.

The format in which search results are to be presented varies widely by the particular topic of the search and the type of content being exposed. The challenge is to find and map similar data elements from multiple disparate sources so that search results may be exposed in a unified format on the search report irrespective of their source.

I will try to cover the Security, Forensics and Law Enforcement issues of the Hidden Internet in my subsequent posts. This post is intended only to provide basic information about the Hidden Internet as background for those subsequent posts, and nothing more.

Saturday, June 9, 2012

IP Address Spoofing And Its Defenses

An Internet Protocol Address (IP Address) plays a very significant role in our day to day lives. Whether it is Cyber Security or Cyber Forensics, the IP Address has a crucial role to play. The IP Address is also the Starting Point for any Cyber Crime Investigation. So it is of utmost importance that an IP Address is correctly ascertained.

At the same time, Crackers and Cyber Criminals are interested in hiding their “Digital Footprints” through various means. IP Spoofing, use of Proxies, utilising Botnets for nefarious activities, exploiting Unsecured Wireless Access Points and Connections, etc. are some of the methods used by Cyber Criminals.

The IP Address is also the starting point for determining “Authorship Attribution”, which is a must before an accused is “Convicted” by a Court of Law. For instance, if a single Computer or Internet connection is used by multiple users, it is absolutely essential to ascertain who in fact used the Computer/Connection for the “Offending Act”.

Similarly, it is absolutely essential to ensure that the owner of a Wireless Connection is actually the person who committed the Cyber Crime or Cyber Contravention. In the majority of cases, such an Unsecured Wireless Connection is misused by others and the IP Address of the owner is reflected for that activity.

Thus, Authorship Attribution is an important aspect of “Determining the Culpability” of an Offender where the means to commit the Offence are common and accessible to many people simultaneously. Data Mining and Profiling of the accused to “Attribute Culpability” to him/her alone is an emerging area of Cyber Crime Investigation.

IP Spoofing is one of the methods used by Cyber Criminals to deny “Authorship Attribution”. A Cyber Crime Investigator would first ascertain the IP Address and then, after analysing the E-Mail Headers/Logs, she may conclude that the IP Address reflected in the communication is a Forged or Spoofed one. Ascertaining the true and correct IP Address is required to proceed further in such a case.

IP Address Spoofing involves the creation of IP packets with a forged source IP Address for the purpose of concealing the real identity of the sender or impersonating another System. The most common Protocol for data exchange over the Internet is TCP/IP. The header of each IP Packet contains, among other things, the numerical source and destination address of the Packet. The source address is normally the address that the packet was sent from. By forging the header so it contains a different address, an attacker can make it appear that the packet was sent by a different Computer.

However, there is a “Limitation” to such use. To establish a Connection, TCP uses a “Three Way Handshake”, and IP Spoofing by its very nature fails to satisfy this handshake. So the purposes of IP Spoofing are limited in nature. For instance, IP Spoofing can be used for Denial of Service (DoS) Attacks, as the attacker is not interested in receiving a “Response”. IP Spoofing can also be a method of attack used by network intruders to defeat network security measures, such as authentication based on IP Addresses. IP Spoofing can also be used for Session Hijacking or Host Impersonation.

Some services are vulnerable to IP Spoofing. These include RPC (Remote Procedure Call) services, any service that uses IP Address based authentication, the X Window System, the R services suite (rlogin, rsh, etc.) and others.

IP Spoofing can take many forms. In Non-Blind Spoofing the attacker is on the same subnet as the victim and this enables him to perform session hijacking. Using this technique, an attacker could effectively bypass any authentication measures that have taken place to build a connection.

In Blind Spoofing several packets are sent to the target machine in order to sample sequence numbers. Computers in the past used basic techniques for generating sequence numbers. It was relatively easy to discover the exact formula by studying packets and TCP sessions. Today, most Operating Systems (OSs) implement random sequence number generation, making it difficult to predict them accurately.

In Man in the Middle Attack (MITM) the attacker intercepts a legitimate communication between two Computers. The malicious host then controls the flow of communication and can eliminate or alter the information sent by one of the original participants without the knowledge of either the original sender or the recipient. In this way, an attacker can fool a victim into disclosing confidential information by “Spoofing” the identity of the original sender, who is presumably trusted by the recipient.

There is a “General Consensus” that IP Spoofing does not allow gaining Anonymous Internet Access; the belief that it does is a common misconception among those unfamiliar with the practice. Any sort of Spoofing beyond simple floods is relatively advanced and used in very specific instances such as evasion and connection hijacking.

However, some believe that if a Website is not using syncookies and is using predictable initial sequence numbers, it is possible to create a live TCP connection without actually revealing the original IP Address. This may be possible as the attacker may not be interested in getting back the “Responses”. I will deal with this issue separately and in greater detail subsequently.

IP Spoofing can be prevented and defended against through methods like Packet Filtering, Websites using syncookies and unpredictable initial sequence numbers, use of multiple authentication protocols so that they do not exclusively rely on the IP Address for authentication, use of Encryption, etc.
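The Packet Filtering defence mentioned above, as an added example that is not from the original post: a Python model of the ingress and egress anti-spoofing rules an operator would put on a border router (the same logic as BCP 38 filtering or a unicast reverse-path check), run over a constructed batch of packet records. The interface names, the 192.0.2.0/24 customer prefix and the sample addresses are assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Constructed topology (an assumption for this example, not a real network):
# lan0 faces our own customers, whose addresses all lie in 192.0.2.0/24;
# wan0 faces the Internet. Documentation ranges serve as sample addresses.
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Sources that can never legitimately arrive from the Internet. A production
# filter would use the full, maintained bogon list; these are the classic ones.
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

def _in_any(addr, networks):
    return any(addr in net for net in networks)

def filter_packet(iface, src):
    """Return ("accept" | "drop", reason) for a packet with source address src
    arriving on iface, applying anti-spoofing egress and ingress filtering."""
    addr = ipaddress.ip_address(src)
    if iface == "lan0":
        # Egress rule: customers may only send with addresses we assigned them,
        # so a spoofed source never leaves our network.
        if _in_any(addr, OUR_PREFIXES):
            return "accept", "source inside assigned prefix"
        return "drop", "egress: source not in our prefix (outbound spoof)"
    if iface == "wan0":
        # Ingress rules: nobody outside may claim one of our addresses, and
        # private or reserved sources cannot legitimately come from the Internet.
        if _in_any(addr, OUR_PREFIXES):
            return "drop", "ingress: external packet claims an internal source"
        if _in_any(addr, MARTIANS):
            return "drop", "ingress: martian source address"
        return "accept", "plausible external source"
    return "drop", f"unknown interface {iface}"

def audit(packets):
    """Run the filter over (iface, src) records and tally drop reasons per
    interface; a burst of drops on one interface is a spoofing indicator."""
    verdicts, counts = [], Counter()
    for iface, src in packets:
        action, reason = filter_packet(iface, src)
        verdicts.append((iface, src, action, reason))
        if action == "drop":
            counts[(iface, reason)] += 1
    return verdicts, counts

# Constructed packet records: (arriving interface, claimed source address).
SAMPLE_PACKETS = [
    ("lan0", "192.0.2.10"), ("lan0", "203.0.113.5"), ("lan0", "10.0.0.9"),
    ("wan0", "198.51.100.3"), ("wan0", "192.0.2.10"), ("wan0", "10.1.1.1"),
    ("wan0", "127.0.0.1"),
]

if __name__ == "__main__":
    verdicts, counts = audit(SAMPLE_PACKETS)
    for iface, src, action, reason in verdicts:
        print(f"{iface:5} {src:15} {action:6} {reason}")
    print("drop counts:", dict(counts))
```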

Some upper layer protocols provide their own defense against IP Spoofing attacks. For example, TCP uses sequence numbers negotiated with the remote machine to ensure that arriving packets are part of an established connection. Since the attacker normally cannot see any reply packets, the sequence number must be guessed in order to hijack the connection. The poor implementation in many older operating systems and network devices, however, means that TCP sequence numbers can be predicted.

There is an urgent need for more in depth research in the field of IP Spoofing, and I will try to cover this field in greater detail in my subsequent posts.