Monday, October 8, 2012

Techno Legal Initiatives Of Perry4Law And PTLB

Techno legal issues pose special challenges for all nations because they are a complex combination of technical and legal questions. At Perry4Law and Perry4Law Techno Legal Base (PTLB) we have been spearheading many world renowned techno legal initiatives.

Similarly, on the education, training and skills development front, Perry4Law and PTLB manage many initiatives. For instance, the exclusive techno legal e-learning in India is managed by PTLB, whereas highly specialised and domain specific training and education is managed by the Perry4Law Techno Legal ICT Training Centre (PTLITC).

We are also discussing important issues pertaining to international ICT policies and strategies, and techno legal issues are specifically discussed at the PTLB blog. We hope these initiatives prove useful to all stakeholders.

Source: ICTPS Blog

Monday, July 30, 2012

Cyber Forensic Investigation Solutions in India Are Needed

Cyber forensics requires applying both a technical and a legal mind to a situation. If either is missing, the entire purpose of the exercise is frustrated. Cyber forensics also requires a greater degree of care and expertise than electronic discovery, whose purposes may be more limited in nature.

India has a unique cyber culture that requires effective cyber forensics and electronic discovery capabilities. Cyber security research and development also needs to be enhanced in India. Companies and firms providing cyber forensics services in India must innovate so that international cyber threats can be tackled effectively, and must invest in producing world class cyber forensics solutions in India.

On the education front too, much remains to be done in India. The Indian educational system is academic in nature, with little scope for professional and vocational studies. The traditional educational system would take decades to reform, so we need parallel initiatives that are free from procedural hassles and bureaucratic hurdles.

Corruption in higher legal education in India is rampant and needs to be curbed. PhDs in India are dying, and if the Indian government does not intervene immediately there is no scope or future for cyber forensics education in India either. Virtual campuses are the solution to corrupt higher education in India and must be encouraged.

At Perry4Law Techno Legal Base (PTLB) we manage a techno legal e-learning platform that provides cyber forensics training and courses worldwide. We also provide cyber crime investigation training in India.

In order to strengthen cyber forensics investigation solutions in India, Perry4Law, PTLB and the Perry4Law Techno Legal ICT Training Centre (PTLITC) also manage the exclusive techno legal cyber forensics tools and software repository of India. It consists of advanced cyber forensics tools and software that can be used in a variety of situations.

We are also in the process of developing cyber forensics best practices compatible with Indian requirements. We expect a more proactive and direct role by the Indian government in this crucial field, which has been ignored for too long.

Sunday, July 22, 2012

IP Address Tracking Methods And Techniques For E-Mails

An Internet Protocol address (IP address) is the starting point not only for initiating communications across the Internet but also for tracing a communication back to a particular computer system. Of course, an IP address is not always what it seems: the source address can be spoofed to mislead the traceability exercise. This is also why an IP address should not be the exclusive criterion for arresting and convicting an accused.

Nevertheless, tracing the "real culprit" essentially starts with tracing the IP address. In this article I will discuss some of the issues connected with tracking an IP address from an e-mail. The scope of this article is not to explain how to obtain e-mail headers but how to interpret them, so I presume you already know how to obtain the full headers from your e-mail client. Reading Anonymity and Traceability in Cyberspace (PDF) by Richard Clayton would be a good idea in this regard.

Generally, IP addresses can be found in log files, in the Received header fields of an e-mail, in tcpdump traces, by resolving a host name (for example with ping or a DNS lookup), and so on; a WHOIS query on the address then tells you which organisation or ISP the address block is allocated to. Once the IP address has been ascertained, the next step is to establish who was using it at the relevant time.

With static IP addresses this is comparatively easy. Dynamic IP addresses, however, change from one session or lease to the next, so the same address is used by different subscribers at different times. It is therefore absolutely essential to correlate a dynamic IP address with the exact time (including the time zone) and the corresponding log entries. IP spoofing must also be kept in mind, though it is primarily used for denial-of-service attacks (DoS/DDoS), where the attacker does not need the replies.

The threat of spoofed e-mail headers is real, and special care must be taken while analysing e-mail headers, as they may carry forged information. Header fields must be cross-checked against one another and against independent sources (DNS records, the receiving server's own logs) before any conclusive decision is reached.

So before analysing the e-mail headers for the relevant IP address, one must check whether the e-mail itself is spoofed. In e-mail spoofing the sender forges the sender address, and other parts of the header are altered so that the message appears to originate from a different source. This is possible because the Simple Mail Transfer Protocol (SMTP) itself provides no authentication: a sending host can write any From address, and any number of fabricated Received lines, into a message before handing it to the first genuine relay. (SPF and DKIM, where deployed, let a receiving server check the sending host or a signature, but they do not stop the sender from writing whatever it likes into the headers.)

E-mails accumulate Received header fields as they travel from host to host: every server that handles the message prepends its own Received line, so the topmost line is the most recent hop and the bottom line the oldest. By reading them in order you can reconstruct the path of the e-mail back to its source. Reading these fields to ascertain the true IP address of the sender, however, requires a good working knowledge of what they contain. The most common and trusted method is to analyse the headers from top to bottom, starting with the line added by your own mail server (which you can trust), and checking at each step that the "from" host named in one line matches the "by" host of the line below it, until this chain of coherence is broken by a suspicious or forged entry. The last trusted Received header tells you the IP address from which the message entered the trustworthy part of the path, which is the best available indication of the sender. So instead of jumping directly to the bottom Received header to read off the sender's IP address, work downwards from the first header to the last and assess the integrity of each.

In spoofed e-mails the "last Received header" rule may not apply, because the sender can fabricate any number of Received lines below the genuine ones. To test the authenticity of a Received line, perform both a reverse lookup (PTR record) of the IP address recorded in it and a forward lookup (A or AAAA record) of the host name it claims, and check that the two agree. Note which part of the line is trustworthy: the bracketed IP address was recorded by the receiving server from the actual connection, whereas the name that follows "from" is merely what the connecting host announced in its HELO/EHLO greeting and can be anything.

Another aspect to note is that with Gmail it is generally not possible to ascertain the IP address of the sender, because when a message is composed in the Gmail web interface Google records only the addresses of its own servers in the headers. You would have to obtain a court order (or equivalent legal process) to compel Google to disclose the sender's IP address from its own logs. However, if someone sends from a Gmail account through a mail client such as Thunderbird, Outlook or Apple Mail (that is, over authenticated SMTP), you may still find the originating IP address in the headers.

Finally, basic alertness is also essential on the part of law enforcement agencies and their technicians. For instance, Lakshmana Kailash K of India spent 50 days in jail because the police and the Internet Service Provider (ISP) made an apparent but very common mistake while identifying the person who had used the IP address from which the offence was committed.

The Indian police and the ISP fell victim to what I call the "AM/PM syndrome": they did not verify the exact time of the offence, and a 12-hour clock reading with AM and PM confused maps the same dynamic IP address to a different subscriber. Mistakes like these have no place in the cyber forensics and cyber law fields.

While ascertaining the IP address behind an e-mail, all these factors must be kept in mind. Automated scripts and software are useful for extracting the IP address, but their result must be corroborated by manual inspection of the headers. I will share more on this issue in subsequent articles.
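The top-to-bottom walk described above, as an added example (this code is not from the original post or from the author's tools): a small Python script that parses the Received lines of a constructed sample message, checks at each hop that the "from" host matches the "by" host of the line below, normalises the hop timestamps to UTC, stops at the first incoherent line and reports the connecting address recorded by the last trusted relay. The message, its host names and its documentation-range addresses are made up for the example; real headers are messier (address literals, IPv6, missing dates), so treat the matching as a heuristic to be confirmed manually.

```python
import re
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (hypothetical hosts and documentation-range
# addresses). The sender fabricated the bottom Received line to make the
# mail look as if it came from "example-bank.com"; the first genuine relay
# (relay.isp.example) recorded the real connecting address, 198.51.100.77.
SAMPLE_MESSAGE = """\
Received: from mx1.ourdomain.example (mx1.ourdomain.example [192.0.2.10])
    by imap.ourdomain.example with ESMTP id abc123
    for <victim@ourdomain.example>; Mon, 9 Jul 2012 21:05:44 +0530
Received: from relay.isp.example (relay.isp.example [203.0.113.5])
    by mx1.ourdomain.example with ESMTP id def456;
    Mon, 9 Jul 2012 15:35:40 +0000
Received: from [198.51.100.77] (unknown [198.51.100.77])
    by relay.isp.example with ESMTP id ghi789;
    Mon, 9 Jul 2012 15:35:12 +0000
Received: from mail.example-bank.com (mail.example-bank.com [192.0.2.200])
    by smtp.example-bank.com with ESMTP id fake1;
    Mon, 9 Jul 2012 10:30:00 -0500
From: "Security Team" <alerts@example-bank.com>
To: victim@ourdomain.example
Subject: Verify your account

Please click the link below.
"""

RE_FROM = re.compile(r"\bfrom\s+(\S+)")
RE_BY = re.compile(r"\bby\s+(\S+)")
RE_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Extract the 'from' host, 'by' host, recorded IP and UTC time of one hop."""
    flat = re.sub(r"\s+", " ", value).strip()
    if ";" in flat:
        clauses, date_part = flat.rsplit(";", 1)
    else:
        clauses, date_part = flat, ""
    m_from, m_by, m_ip = RE_FROM.search(clauses), RE_BY.search(clauses), RE_IP.search(clauses)
    when = None
    if date_part.strip():
        when = parsedate_to_datetime(date_part.strip())
        if when.tzinfo is not None:
            when = when.astimezone(timezone.utc)
    return {
        # The bare name after "from" is only what the client said in HELO;
        # the bracketed address is what the receiving server actually saw.
        "from": m_from.group(1).strip("[]").lower() if m_from else None,
        "by": m_by.group(1).strip("[]").lower() if m_by else None,
        "ip": m_ip.group(1) if m_ip else None,
        "time_utc": when,
    }


def trace_origin(raw_message, max_skew=timedelta(minutes=15)):
    """Walk the Received headers top-down and return (origin_ip, hops, reason).

    hops[0] is the line our own server added, so it is trusted. Going down,
    the 'from' host of each line must equal the 'by' host of the line below
    it, and the timestamps must not jump forward by more than max_skew of
    clock drift. The first line failing either test, and everything below
    it, is treated as untrusted; the hop above it is the last trusted one.
    """
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    if not hops:
        return None, hops, "no Received headers"
    last_trusted = 0
    reason = "chain coherent down to the bottom line"
    for i in range(1, len(hops)):
        newer, older = hops[i - 1], hops[i]
        if newer["from"] != older["by"]:
            reason = (f"hop {i}: 'by' {older['by']!r} does not match "
                      f"'from' {newer['from']!r} in the line above")
            break
        if newer["time_utc"] and older["time_utc"] and older["time_utc"] - newer["time_utc"] > max_skew:
            reason = f"hop {i}: timestamp is later than the line above"
            break
        last_trusted = i
    return hops[last_trusted]["ip"], hops, reason


if __name__ == "__main__":
    origin, hops, why = trace_origin(SAMPLE_MESSAGE)
    for n, h in enumerate(hops):
        print(n, h["ip"], h["from"], "->", h["by"], h["time_utc"])
    print("origin:", origin, "|", why)
```

On the sample the chain holds for the first three hops and breaks at the fourth, whose "by" host is not the host that hop three claims to have received from; the script therefore reports 198.51.100.77 (recorded by relay.isp.example) rather than the bank's address on the forged bottom line. The reverse/forward DNS confirmation of that address is the next manual step.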

Thursday, July 19, 2012

Hidden Internet: The Unexplored, Hidden And Deep Web And Internet

The tussle between anonymity and traceability has been going on for many years. Law enforcement agencies push for less anonymity and greater traceability, whereas civil liberty groups and netizens demand greater anonymity and privacy. The battle is epic and is not going to end soon.

Anonymity has both uses and misuses. Like any legitimate invention or technology, the Internet can be abused for criminal activities or used for the greater benefit of the human race. The Internet is used in numerous ways, some known and others still unknown.

While the known part can be viewed and analysed through numerous methods, including search engine results, the majority of the World Wide Web (WWW) is still out of plain sight and out of the reach of most of us. This hidden web is known by many as the Deep Web, though I personally prefer to call it the "Hidden Internet".

The Hidden Internet may be residing in plain sight, or it may be hidden using special techniques and methodologies. For instance, the owner of a website or blog may ask search engines not to index it through a robots.txt file. But robots.txt is a request addressed to crawlers, not an access control: the pages remain reachable by anyone who knows or guesses the URL, by the company hosting the blog, and by anyone who breaks in, and the Disallow lines themselves advertise the very paths the owner would rather keep quiet.

Further, many crawlers simply do not comply with the restrictions in robots.txt. This may expose files and documents that were never intended to be disclosed, and this is where Google hacking (crafting search-engine queries to find such exposed content) comes into the picture.
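As an added example (not the post's own material), the following Python snippet shows both sides of the robots.txt point: parsing a constructed robots.txt the way a reconnaissance tool would, to list exactly the paths the owner asked crawlers to avoid, and asking Python's standard urllib.robotparser what a polite crawler would do with the same file. The robots.txt content and the paths in it are hypothetical.

```python
from urllib.robotparser import RobotFileParser

# Constructed robots.txt for a hypothetical site (example data only).
SAMPLE_ROBOTS = """\
# Keep the crawlers out of the sensitive areas
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /private-reports/2012/

User-agent: Googlebot
Disallow: /staging/
"""


def disallowed_paths(robots_txt):
    """Return {user_agent: [disallowed paths]} in file order.

    This is the reconnaissance view: a robots.txt cannot keep anyone out,
    but each Disallow line names a path the owner considers sensitive,
    which is the first thing a crawler that ignores the file will fetch.
    """
    result, agents, in_rules = {}, [], False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            agents, in_rules = [], False   # a blank line ends the record
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if in_rules:                   # new record without a blank line
                agents, in_rules = [], False
            agents.append(value)
            result.setdefault(value, [])
        elif field == "disallow":
            in_rules = True
            if value:
                for agent in agents:
                    result[agent].append(value)
    return result


def polite_crawler_may_fetch(robots_txt, agent, path):
    """What a rule-abiding crawler (urllib.robotparser) would decide.

    A False here is a courtesy, not a barrier: the server still answers
    a direct request for `path` from anyone.
    """
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(agent, path)


if __name__ == "__main__":
    for agent, paths in disallowed_paths(SAMPLE_ROBOTS).items():
        print(agent, "->", paths)
    print(polite_crawler_may_fetch(SAMPLE_ROBOTS, "*", "/admin/"))       # False
    print(polite_crawler_may_fetch(SAMPLE_ROBOTS, "*", "/about.html"))   # True
```

The polite parser refuses /admin/ while the recon parser hands back /admin/, /backup/ and /private-reports/2012/ as a ready-made target list; the only thing that keeps those paths private is authentication on the server, not the file.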

By its very nature, the Hidden Internet is designed to defeat indexing of its contents by search engines. Its contents are visible and accessible only to the select few who have not only knowledge of them but also the means and methods to access them.

The Hidden Internet is different from the Dark Internet: in the former, the computers storing and processing the contents are still reachable, though only by a select few. The Dark Internet, on the other hand, is a set of computers or address ranges that are simply unreachable from the Internet and cannot be accessed at all.

According to an estimate based on a University of California, Berkeley study in 2001, the Hidden Internet consisted of about 7,500 terabytes of information. Another study in 2004 indicated that there were around 300,000 deep web sites in the entire Hidden Internet, and around 14,000 deep web sites existed in the Russian part of the web in 2006. Thus, even on these dated figures, the Hidden Internet is much bigger and carries more information than the accessible Internet we use every day.

The contents of the Hidden Internet take the form of dynamic content, unlinked content, private web, contextual web, limited access content, scripted content, non-HTML/text content, etc. This content is not available to normal search engines for indexing. Search engines are now devising methods to reach content residing in the Hidden Internet.

In fact, some search engines have been specifically designed to access the contents of the Hidden Internet. However, search engines and law enforcement agencies around the world still have a long road to cover in tackling the vices of the Hidden Internet. Efforts to make the entire search process automatic are going on at the global level.

The more difficult challenge is to categorise and map the information extracted from multiple Hidden Internet sources according to end-user needs. Hidden Internet search reports cannot simply display URLs the way traditional search results do. End users expect their search tools not only to find what they are looking for quickly, but also to be intuitive and user-friendly. To be meaningful, the search reports have to convey something of the nature of the content underlying each source, or else the end user will be lost in a sea of URLs that give no indication of what lies beneath them.

The format in which search results are presented varies widely with the topic of the search and the type of content being exposed. The challenge is to find and map similar data elements from multiple disparate sources so that search results can be presented in a unified format irrespective of their source.

I will try to cover the security, forensics and law enforcement issues of the Hidden Internet in subsequent posts. This post is intended only to provide basic information about the Hidden Internet as background for those posts.

Saturday, June 9, 2012

IP Address Spoofing And Its Defenses

The Internet Protocol address (IP address) plays a significant role in our day to day lives. Whether in cyber security or cyber forensics, the IP address has a crucial role to play, and it is the starting point of any cyber crime investigation. So it is of utmost importance that an IP address be correctly ascertained.

Crackers and cyber criminals, on the other hand, are interested in hiding their digital footprints by various means. IP spoofing, the use of proxies, the use of botnets for nefarious activities and the exploitation of unsecured wireless access points and connections are some of the methods they use.

The IP address is also the starting point for "authorship attribution", which is a must before an accused is convicted by a court of law. For instance, if a single computer or Internet connection is used by multiple users, it is absolutely essential to ascertain who in fact used the computer or connection for the offending act.

Similarly, it is essential to ensure that the owner of a wireless connection is actually the person who committed the cyber crime or cyber contravention. In many cases an unsecured wireless connection is misused by others, and the IP address of the owner is what appears in the logs for that activity.

Thus, authorship attribution is an important aspect of determining the culpability of an offender where the means to commit the offence are shared and accessible to many people simultaneously. Data mining and profiling of the accused to attribute culpability to him or her alone is an emerging area of cyber crime investigation.

IP spoofing is one of the methods used by cyber criminals to defeat authorship attribution. A cyber crime investigator first ascertains the IP address and then, after analysing the e-mail headers or logs, may conclude that the IP address reflected in the communication is a forged or spoofed one. Ascertaining the true IP address is then required before the case can proceed.

IP address spoofing means creating IP packets with a forged source IP address, either to conceal the real identity of the sender or to impersonate another system. The most common protocol suite for data exchange over the Internet is TCP/IP. The header of each IP packet contains, among other things, the numerical source and destination addresses of the packet. The source address is normally the address the packet was sent from; by forging the header so that it contains a different address, an attacker can make it appear that the packet was sent by a different computer.

However, there is a limitation to such use. To establish a connection, TCP uses a three-way handshake, and the server's SYN-ACK goes to the forged source address, not to the attacker. An attacker who is not on the path between the two never sees it and, unless the sequence number in it can be guessed, cannot complete the handshake. So the purposes of IP spoofing are limited. It can be used for denial-of-service attacks (DoS), where the attacker is least bothered about receiving a response. It can also be used to defeat network security measures such as authentication based on IP addresses, and for session hijacking or host impersonation.

Some services are particularly vulnerable to IP spoofing: RPC (Remote Procedure Call) services, any service that uses IP address based authentication, the X Window System, the R services suite (rlogin, rsh, etc.) and so on.

IP spoofing can take several forms. In non-blind spoofing the attacker is on the same subnet as the victim and can therefore see the sequence and acknowledgement numbers on the wire, which enables session hijacking. Using this technique, an attacker can effectively bypass any authentication that took place when the connection was built.

In blind spoofing, several packets are sent to the target machine in order to sample its sequence numbers. Computers in the past used simple techniques for generating initial sequence numbers, and it was relatively easy to discover the exact formula by studying packets and TCP sessions. Today most operating systems randomise the initial sequence number, making it difficult to predict accurately.

In a man in the middle attack (MITM) the attacker intercepts a legitimate communication between two computers. The malicious host then controls the flow of communication and can drop or alter the information sent by one of the original participants without the knowledge of either the sender or the recipient. In this way, an attacker can fool a victim into disclosing confidential information by spoofing the identity of the original sender, who is presumably trusted by the recipient.

There is a general consensus that IP spoofing does not provide anonymous Internet access, a common misconception among those unfamiliar with the practice. Any sort of spoofing beyond simple floods is relatively advanced and used in very specific instances such as evasion and connection hijacking.

However, if a server is not using SYN cookies and generates predictable initial sequence numbers, it is possible to establish a live TCP connection without ever revealing the attacker's real IP address: the attacker never receives the SYN-ACK, but does not need to, because the server's sequence number in it can be guessed and acknowledged blind (SYN cookies defeat this because they derive the sequence number from a secret, so it cannot be predicted). I will deal with this issue separately and in greater detail subsequently.
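As an added example of the blind-spoofing precondition discussed above (illustrative code written for this page, not from the original post): given a series of initial sequence numbers observed in a server's SYN-ACKs, the script below checks whether the generator is a predictable counter and, if so, computes the value the attacker would have to acknowledge. The two ISN series are constructed (one mimics the old fixed-increment scheme, the other a randomised generator); in practice they would be read from a packet capture, and the guess-space figure is a crude illustration rather than a formal metric.

```python
from functools import reduce
from math import gcd

SEQ_SPACE = 2 ** 32

# Constructed observations (example data, not measured from any real host):
# the initial sequence number a server put in its SYN-ACK for eight
# connection attempts made one second apart. In a real test they would be
# read from a packet capture of the replies.
# Old BSD-style counter: +64000 per connection and +128000 per second.
OLD_STYLE_ISNS = [3_000_000 + i * 192_000 for i in range(8)]
# A randomised generator as modern systems use.
RANDOM_ISNS = [
    0x1F3A9C21, 0xB7E45D03, 0x4C019E77, 0x9A2D4B5F,
    0x03E71A98, 0xD5B8F012, 0x6E4C2A8B, 0x8F1D7C44,
]


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo the 32-bit sequence space."""
    return [(b - a) % SEQ_SPACE for a, b in zip(isns, isns[1:])]


def predict_next_isn(isns):
    """Return the next ISN when the generator is a plain counter, else None.

    This is the blind-spoofing precondition: the attacker sends a SYN with a
    forged source, never sees the SYN-ACK, and can still complete the
    handshake only by sending an ACK for (predicted ISN + 1).
    """
    deltas = isn_deltas(isns)
    if len(deltas) >= 2 and len(set(deltas)) == 1:
        return (isns[-1] + deltas[0]) % SEQ_SPACE
    return None


def guesses_needed(isns):
    """Crude size of the guess space: how many evenly spaced candidates an
    attacker must try to cover the range of observed deltas. 1 means the
    next ISN is known exactly; values in the billions mean blind guessing
    is hopeless."""
    deltas = isn_deltas(isns)
    step = reduce(gcd, deltas) or 1
    return (max(deltas) - min(deltas)) // step + 1


if __name__ == "__main__":
    for name, sample in (("old counter", OLD_STYLE_ISNS), ("randomised", RANDOM_ISNS)):
        print(name, "next:", predict_next_isn(sample), "guesses:", guesses_needed(sample))
```

For the counter-style series every delta is the same, so the next ISN is known exactly and one spoofed ACK completes the handshake; for the randomised series no prediction is possible and the candidate space runs into the billions, which is why ISN randomisation (and SYN cookies, which have the same effect) closes this avenue.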

IP spoofing can be prevented and defended against through packet filtering at network borders (ingress and egress filtering, so that a packet cannot enter or leave a network carrying a source address that does not belong there; this is the practice described in BCP 38), SYN cookies and unpredictable initial sequence numbers, authentication protocols that do not rely on the IP address alone, and cryptographic protection of sessions (for example IPsec, TLS or SSH) so that a packet with a forged address cannot pass as a legitimate peer.
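The packet filtering defence, as an added example written for this page (not from the original post): a Python model of the BCP 38 ingress check a border router applies, run over a handful of constructed packets. The port-to-prefix assignments, the prefixes (documentation ranges) and the packets are all hypothetical.

```python
import ipaddress

# Constructed policy for a hypothetical ISP border router (example only,
# documentation-range prefixes). For every customer-facing port we list the
# prefixes assigned to that customer; a packet arriving on the port with any
# other source address is spoofed and must be dropped (BCP 38 ingress
# filtering). The upstream port may carry any source except our own
# prefixes and non-routable ("bogon") space.
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]
PORT_ASSIGNMENTS = {
    "customer-a": [ipaddress.ip_network("203.0.113.0/25")],
    "customer-b": [ipaddress.ip_network("203.0.113.128/25"),
                   ipaddress.ip_network("198.51.100.0/24")],
}
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]


def _in_any(addr, prefixes):
    return any(addr in prefix for prefix in prefixes)


def ingress_verdict(port, src):
    """Return (accept, reason) for a packet with source `src` arriving on `port`."""
    src_ip = ipaddress.ip_address(src)
    if _in_any(src_ip, BOGONS):
        return False, "non-routable source address"
    if port in PORT_ASSIGNMENTS:
        if _in_any(src_ip, PORT_ASSIGNMENTS[port]):
            return True, "source belongs to this customer"
        return False, "source not assigned to this port (spoofed)"
    if port == "upstream":
        if _in_any(src_ip, OUR_PREFIXES):
            return False, "our own prefix arriving from outside (spoofed)"
        return True, "external source on upstream port"
    return False, "unknown port"


# Constructed packets as (port, source address): example data only.
SAMPLE_PACKETS = [
    ("customer-a", "203.0.113.7"),     # legitimate
    ("customer-a", "198.51.100.9"),    # customer A forging a neighbour's block
    ("customer-b", "192.0.2.44"),      # forged external source (reflection DoS)
    ("customer-b", "10.0.0.5"),        # private address leaking out
    ("upstream", "203.0.113.7"),       # outsider impersonating our customer
    ("upstream", "192.0.2.44"),        # ordinary inbound traffic
]


def filter_packets(packets):
    """Apply the policy to each packet; returns [(port, src, accept, reason)]."""
    return [(port, src, *ingress_verdict(port, src)) for port, src in packets]


if __name__ == "__main__":
    for port, src, ok, why in filter_packets(SAMPLE_PACKETS):
        print(f"{port:10s} {src:15s} {'ACCEPT' if ok else 'DROP  '} {why}")
```

The point of the check is that it is applied where the address assignment is known (the customer port), because only there can the router tell that 198.51.100.9 cannot legitimately come from customer A; once the packet has reached the core, nothing distinguishes it from genuine traffic, which is why spoofed floods are only stoppable at the edge.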

Some upper layer protocols provide their own defence against IP spoofing. For example, TCP uses sequence numbers negotiated with the remote machine to ensure that arriving packets belong to an established connection. Since the attacker normally cannot see any reply packets, the sequence number must be guessed in order to hijack the connection. Poor implementations in many older operating systems and network devices, however, mean that TCP sequence numbers can be predicted.

There is an urgent need for more in depth research in the field of IP spoofing, and I will try to cover this field in greater detail in subsequent posts.

Thursday, May 31, 2012

IP Address Should Not Be The Sole Criteria For Arrest And Conviction

The Indian approach to cyber forensics has not been very encouraging. Despite many claims and promises, cyber forensics in India has still not evolved properly. Very few law enforcement personnel are aware of cyber law, and even fewer know about cyber forensics.

The cyber forensics capabilities of India are still evolving. Stakeholders like police, lawyers and judges are still not comfortable with cyber forensics, and in the absence of even basic adoption, cyber forensics best practices have not evolved in India either.

This absence of best practices and a cyber forensics methodology has resulted in the improper use of cyber forensics for legal, judicial and law enforcement purposes. Even Internet Protocol (IP) address tracking has become a mammoth task for law enforcement in India.

Tracking an IP address is the first step in a cyber forensics investigation. However, IP tracking must be done with great caution and with good application of mind. A casual IP tracking exercise may not only produce wrong results but can also implicate an innocent person.

Take the example of Lakshmana Kailash K, who was kept in jail for 50 days because the Internet Service Provider (ISP) made an apparent but very common mistake while providing details of the person who had used the IP address from which the offence was committed. This is the casual approach that I have discussed earlier and that should be avoided in all cases. Since neither the ISP nor the police followed any best practices, the result was the imprisonment of an innocent citizen of India.

Lakshmana was released after spending 50 days in jail, three weeks after the police claimed to have nabbed the "real culprits". There is no doubt that this is a clear violation of his fundamental rights in general and of human rights in cyberspace in particular.

Criticising the police investigation methodology and the ISP's misleading information that led to his imprisonment, the State Human Rights Commission ordered the ISP to pay Rs 2 lakh to Lakshmana as damages. However, this is too little, too late, and the amount cannot offset the ordeal that Lakshmana faced. The Information Technology Act, 2000 (IT Act 2000) now carries provisions that allow a victim to claim damages and compensation running to crores of rupees.

Against this background, I am of the opinion that an IP address should NOT be the sole criterion for the arrest and conviction of an accused. An IP address is the starting point and at most corroborative evidence; it can never be the primary evidence on the basis of which a person is arrested and convicted.

It is the forensically sound image of the hard disk (preferably a bit by bit image), the IP address details, browser and Internet logs, the ISP's logs for the particular activity, the MAC address of the computer, and so on, that are collectively relevant and conclusive in establishing the guilt of an accused. Further, guilt must be proved beyond reasonable doubt, and arresting and convicting an accused on the basis of an IP address alone is not even close to proving guilt, let alone beyond reasonable doubt.

It would be a dangerous trend to arrest or detain suspects on the basis of mere IP addresses or e-mail addresses, as both are easy to spoof and forge. Even MAC addresses can be spoofed in certain circumstances, particularly in identity theft cases involving wireless connections.

It is important to apply common sense and first ascertain the identity of the real culprit. Of course, correctly tracing the offender requires considerable cyber forensics expertise. The wrongful arrest and prolonged imprisonment of Lakshmana is a glaring example of faulty and novice application of cyber forensics in India. The inability of the Government of India to remedy these conspicuous deficiencies in the legal enablement of ICT systems in India is stifling the growth of cyber law and cyber forensics in India.

Interestingly, the established principles of the Indian criminal justice system, such as establishing guilt beyond reasonable doubt, the right to a fair trial, the right to legal representation and the protection of privacy rights, are treated as simply non-existent in cyber crime and terrorism related cases.

Search and seizure warrants for computers and allied hardware, individuals and places must meet the constitutional and statutory requirements. The lack of cyber forensics expertise in India is resulting in violations of these constitutional and statutory provisions. It is high time for the Indian government to give these aspects serious consideration.

Tuesday, May 29, 2012

The Basics Of Internet Protocol (IP) Address System

An Internet Protocol (IP) address is an important aspect not only of the World Wide Web (WWW) and the Internet but also of conducting a successful cyber forensics analysis, so it is important to have basic knowledge about it. In this article I will try to cover the most significant aspects of IP addresses; a detailed technical analysis is beyond its scope.

Every host that communicates directly on the Internet is assigned an IP address that is unique on the public Internet at that moment. Through this address the identity of the individual behind it may be established. However, there are exceptions. For instance, the use of a proxy server may not reveal the true IP address of the individual, and IP address spoofing may not provide the correct details of the computer that was used to send the communication.

There are two standards for IP addresses, IP version 4 (IPv4) and IP version 6 (IPv6). Presently most computers use IPv4, but they will soon migrate to IPv6, as IPv4 can no longer cope with the growing demand for addresses.

An IP address can be either static or dynamic. A static IP address is one that your administrator or ISP allots and configures, typically by editing the computer's network settings. It produces a single, constant IP address that is easily attributable to the computer using it.

A dynamic IP address is assigned by the Dynamic Host Configuration Protocol (DHCP), a service running on the network, typically on network hardware such as routers or on dedicated DHCP servers. A computer using a dynamic IP address holds it only for a lease period; when the lease expires or the computer reconnects it may receive a different address, so the same address may be held by different computers at different times.

A single IP address may further be shared by several computers through a router. If you use a router to share an Internet connection, the router gets the IP address issued by the ISP and then creates and manages a subnet for all the computers connected to it. The router holds the external IP address, and the connected computers get internal IP addresses that identify each individual computer within that subnet. Seen from outside, all of them share the router's single external address, so that address alone identifies the household or office, not the individual computer.

The most common places to find IP addresses are log files, the Received header fields of an e-mail, tcpdump traces, etc. In some circumstances only a host name may have been recorded, but this can be translated into an IP address, bearing in mind that the name-to-address mapping may have changed since the log entry was written.

IP addresses are the first step in cyber forensics investigations. However, IP tracking must be done with great caution and with good application of mind. A casual IP tracking exercise may not only produce wrong results but can also implicate an innocent person. I will cover these issues in more detail in subsequent articles.
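The time correlation that this post and the e-mail tracking post above insist on, as an added example (not from the original posts): the Python below builds lease intervals from a constructed ISC dhcpd-style log in which one dynamic public address passes through three subscriber devices in a day, converts every timestamp to UTC, and answers "who held this address at this instant". The log lines, MAC addresses, lease length, log year and server time zone are all assumptions labelled in the code. The same query asked with 9:55 AM instead of 9:55 PM returns a different subscriber, which is precisely the AM/PM mistake described in the Lakshmana Kailash K case.

```python
import re
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))
LOG_YEAR = 2012                  # syslog lines carry no year; assumed here
LOG_TZ = IST                     # the DHCP server's clock; assumed here
MAX_LEASE = timedelta(hours=24)  # lease length if never released or reassigned; assumed

# Constructed ISP DHCP server log in ISC dhcpd syslog style (example data,
# not from any real server). One public address, 203.0.113.45, is handed to
# three different subscriber devices (identified by MAC) during a single day.
DHCP_LOG = """\
May 20 09:12:03 dhcp1 dhcpd: DHCPACK on 203.0.113.45 to aa:bb:cc:00:00:01 (cpe-subscriber-a) via eth0
May 20 11:40:17 dhcp1 dhcpd: DHCPRELEASE of 203.0.113.45 from aa:bb:cc:00:00:01 (cpe-subscriber-a) via eth0 (found)
May 20 13:55:41 dhcp1 dhcpd: DHCPACK on 203.0.113.45 to aa:bb:cc:00:00:02 (cpe-subscriber-b) via eth0
May 20 21:40:00 dhcp1 dhcpd: DHCPACK on 203.0.113.45 to aa:bb:cc:00:00:03 (cpe-subscriber-c) via eth0
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ dhcpd: "
    r"DHCP(?P<kind>ACK on|RELEASE of) (?P<ip>\S+) (?:to|from) (?P<mac>[0-9a-f:]{17})"
)


def _log_time_utc(mon, day, time_):
    """Attach the assumed year and server zone to a syslog stamp, then normalise to UTC."""
    local = datetime.strptime(f"{mon} {day} {LOG_YEAR} {time_}", "%b %d %Y %H:%M:%S")
    return local.replace(tzinfo=LOG_TZ).astimezone(timezone.utc)


def build_leases(log_text):
    """Turn DHCPACK/DHCPRELEASE lines into (ip, mac, start_utc, end_utc) intervals.

    A lease ends when the client releases it or when the server hands the
    same address to a different MAC; otherwise it is assumed to run MAX_LEASE.
    """
    open_leases, leases = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when, ip, mac = _log_time_utc(m["mon"], m["day"], m["time"]), m["ip"], m["mac"]
        if m["kind"] == "ACK on":
            if ip in open_leases and open_leases[ip][0] != mac:
                old_mac, start = open_leases.pop(ip)
                leases.append((ip, old_mac, start, when))
            open_leases.setdefault(ip, (mac, when))   # a renewal keeps its start
        elif ip in open_leases and open_leases[ip][0] == mac:
            old_mac, start = open_leases.pop(ip)
            leases.append((ip, old_mac, start, when))
    for ip, (mac, start) in open_leases.items():
        leases.append((ip, mac, start, start + MAX_LEASE))
    return leases


def who_had(leases, ip, when):
    """MAC that held `ip` at the timezone-aware instant `when`, or None."""
    if when.tzinfo is None:
        raise ValueError("timestamp must carry a time zone, or it cannot be correlated")
    when = when.astimezone(timezone.utc)
    for lease_ip, mac, start, end in leases:
        if lease_ip == ip and start <= when < end:
            return mac
    return None


def parse_complaint_time(text, tz):
    """Parse a 12-hour timestamp as a complainant might write it, e.g.
    'May 20, 2012 9:55 PM', attaching the zone the complainant meant."""
    return datetime.strptime(text, "%b %d, %Y %I:%M %p").replace(tzinfo=tz)


def parse_iso(text):
    """Parse an ISO-8601 timestamp with offset, e.g. from a web server log
    kept in UTC: '2012-05-20T16:25:00+00:00'."""
    return datetime.fromisoformat(text)


if __name__ == "__main__":
    leases = build_leases(DHCP_LOG)
    ip = "203.0.113.45"
    print("9:55 PM IST ->", who_had(leases, ip, parse_complaint_time("May 20, 2012 9:55 PM", IST)))
    print("9:55 AM IST ->", who_had(leases, ip, parse_complaint_time("May 20, 2012 9:55 AM", IST)))
    print("16:25 UTC   ->", who_had(leases, ip, parse_iso("2012-05-20T16:25:00+00:00")))
```

Three details carry the forensic weight: the query refuses a timestamp without a time zone, the web server's UTC stamp and the complainant's IST stamp resolve to the same subscriber only after both are normalised, and a gap between a release and the next assignment correctly yields nobody rather than the previous holder.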

Tuesday, May 22, 2012

Cyber Forensics And Indian Approach

Cyber forensics is an area that has not aroused much interest in the governmental corridors of India. Even the Parliament of India and the Indian judiciary are not very enthusiastic about this much needed science and art.

Before I proceed further, it is pertinent to explain concepts like "cyber" or "cyberspace" and "cyber forensics" as per my own understanding and in my own definitions.

In my opinion the word "cyber" or "cyberspace" signifies "a combination of Information and Communication Technologies (ICT) that includes both hardware and software".

Similarly, in my view "cyber forensics" means "a scientific and forensic analysis of cyberspace, including ICT components, hardware and software, conducted in such a manner that the end result is presentable and admissible in a court of law".

Another concept that I would like to discuss is electronic discovery (e-discovery). In my view there is a difference between cyber forensics and e-discovery: cyber forensics is the wider concept. In other words, cyber forensics includes e-discovery but not vice versa.

For instance, a properly conducted cyber forensics exercise is relevant and admissible for all purposes, including litigation. But e-discovery may not be relevant and admissible in deciding criminal litigation.

Coming back to the Indian position, cyber forensics has not found favour with the executive, judiciary, legislature and administrative branches of India. We have no dedicated cyber forensics law in India. Even the Information Technology Act 2000 (IT Act 2000), which is the cyber law of India, does not cover cyber forensics. A passing reference to cyber forensics may be found in the IT Act 2000, but it is nothing more than a reference, with no actual utility as on date.

This poor condition of cyber forensics in India is attributable to many factors. Firstly, we have no legal enablement of ICT systems in India; concepts like e-courts and online dispute resolution (ODR) are still missing. Secondly, the ICT policies and strategies of India are defective and do not cater to the requirements of cyber law, cyber security, cyber forensics, etc. Thirdly, the Parliament of India is not comfortable with ICT related issues, and if Parliament itself is not aware of techno legal concepts like cyber law, cyber security and cyber forensics, not much development can take place.

I personally believe that the cyber law of India should be repealed and a more comprehensive cyber law enacted. Similarly, we need dedicated laws for cyber security and cyber forensics in India.

In subsequent posts I will try to cover every possible aspect of cyber forensics applicable to India and worldwide. Perry4Law and Perry4Law Techno Legal Base (PTLB) believe that this blog will prove useful to all stakeholders.