DAILY NEWS ANALYSIS

  • 14 March, 2021

Cyber Forensics

What is Cyber Forensics or Computer Forensics?

  • Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law.
  • Cyberforensics is an electronic discovery technique used to determine and reveal technical criminal evidence. It often involves electronic data storage extraction for legal purposes.
  • Although still in its infancy, cyberforensics is gaining traction as a viable way of interpreting evidence.
  • Cyberforensics is also known as computer forensics.
  • The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it.

Need for Cyber Forensics

  • Cyber forensics is needed for the investigation of crime and for law enforcement.
  • In cases such as hacking and denial of service (DoS) attacks, the computer system itself is the crime scene.
  • The evidence of the crime is therefore present on the computer system.
  • Such evidence can include browsing history, emails, documents, etc.
  • Evidence recovered from the computer system alone can be used in a court of law to settle allegations or to protect innocent people from charges.

Procedures for Cyber Forensics

  • Forensic investigators typically follow a standard set of procedures: after physically isolating the device in question so that it cannot be accidentally contaminated, investigators make a digital copy of the device's storage media.
  • Once the original media has been copied, it is locked in a safe or another secure facility to maintain its pristine condition. All investigation is done on the digital copy.

The seven steps that cyber forensics experts typically follow:

  1. Copying the hard drive of the system under investigation.
  2. Verification of the copied data.
  3. Ensuring the copied data is forensically sound.
  4. Recovery of deleted files.
  5. Finding data in free (unallocated) space.
  6. Performing keyword searches.
  7. Writing the technical report.
  • Investigators use a variety of techniques and proprietary software forensic applications to examine the copy, searching hidden folders and unallocated disk space for copies of deleted, encrypted, or damaged files.
  • Any evidence found on the digital copy is carefully documented in a "finding report" and verified with the original in preparation for legal proceedings that involve discovery, depositions, or actual litigation.
  • Computer forensics has become its own area of scientific expertise, with accompanying coursework and certification.

What does it cover?

  • Cybercrimes cover a broad spectrum, from email scams to downloading copyrighted works for distribution, and are fueled by a desire to profit from another person's intellectual property or private information.
  • Cyber forensics can readily display a digital audit trail for analysis by experts or law enforcement.
  • Developers often build software applications to investigate and identify online criminals; these applications are the crux of cyber forensics.

Resource Centre for Cyber Forensics (RCCF)

  • Resource Centre for Cyber Forensics (RCCF) is a pioneering institute, pursuing research activities in the area of Cyber Forensics.
  • The centre was dedicated to the nation by the then Honourable Union Minister in August 2008.

Objectives of RCCF:

  • Developing indigenous Cyber Forensics tools.
  • Providing training on Cyber Forensics to Law Enforcement Agencies (LEAs).
  • Providing technical support to LEAs for cybercrime investigation and analysis.
  • Supporting LEAs for setting up of Cyber Forensics Laboratories.

RCCF has identified the following thrust research areas:

  • Disk Forensics
  • Network Forensics
  • Mobile Device Forensics
  • Live Forensics
  • Memory Forensics
  • Multimedia Forensics
  • Internet Forensics

Conclusion

People will rely on computers for security, and there will be people who try to break them. The world will need people who can stop this from happening and who can think as these attackers do. Therefore, the demand for security professionals will continue to rise, and cyber forensics is an evergreen field.

Cyber Police in India: A Case study of Delhi

  • When Inspector Vijay Gahlawat joined the Delhi Police cyber cell in 2008, it comprised a small office in Malviya Nagar with two workstations and a team of around eight officers.
  • Thirteen years later, the force’s cyber unit is running full throttle from its very own National Cyber Forensic Laboratory (NCFL) and catering to technical investigation requirements of cases from across the country.
  • A major change came in 2011-12, when the number of workstations increased to around seven, and the office shifted to Mandir Marg, said Mr. Gahlawat.
  • In 2015, Deputy Commissioner of Police (Cyber Cell) Anyesh Roy joined the unit.
  • Six years ago, there was no dedicated institutional mechanism to attend to cybercrimes or even a dedicated platform to report them.
  • It was still under the Economic Offences Wing of the Delhi police, Mr. Roy said, adding: “Special units like Crime Branch and Special Cell had their own cyber cells but they only concentrated on their own needs. This cyber cell was taking care of headquarter-level requirements.”
  • In 2019, CyPAD was inaugurated and was brought directly under the Special Cell while the Economic Offences Wing remained a separate unit.
  • Mr. Roy, however, said the nature of complaints has mostly remained the same and only the platforms have changed. The two broad categories include online harassment and online fraud. “In the last couple of years, the numbers of cases have increased under both heads, proportionally,” he said.
  • There are two aspects in a cybercrime investigation: digital footprint and money trail. The digital footprint essentially involves investigating the platform used: the victim’s device and the suspect’s device.
  • “When it comes to platforms like Facebook, Google, Twitter, Instagram, we have to ask them for information. The difficulty for any law enforcement agency is that most of these platforms are foreign-based private entities and it’s a challenge to get information, but since 2018, the government at the highest level is following up with these platforms to ensure that they respond to these agencies,” he said.
  • Over the years, every district of the Capital has set up a separate cyber cell, apart from the CyPAD unit which constantly interacts with the district cyber cells.
  • The police are currently using EnCase, Forensic Toolkit (FTK), and Universal Forensic Extraction Device (UFED) among other tools that are able to copy, analyse, and extract deleted information from most devices.
  • Citing an example, Mr. Gahlawat shared how the unit had been given a burnt and damaged phone from a spot where a man was found murdered. “After deleted data from those phones were extracted, it turned out that the wife had killed the man,” he said.
  • With the current technology available to the police, data from over 40,000 types of phones can be extracted, he said. Earlier, there was no way to extract deleted information, Mr. Roy said. “The FTK existed in 2008 as well but in a very primitive form,” Mr. Gahlawat said.
  • Another technology the department is proud of is malware and spyware-detection tools such as FireEye, which enables them to detect if a system is being attacked for spying.
  • “Previously, we did not have any technology to detect an infected or hacked system. This particular technology enables us to analyse the type of attack and where the information is being sent,” Mr. Roy said.
  • Since 2020, a technology that is widely being used during investigations is video and photograph enhancement.
  • It has proved to be a boon in probes related to last year’s communal riots. Currently, the force is using programmes called Amped Five and Kanescence for the purpose.
  • Giving an example, Mr. Gahlawat said that while investigating a kidnapping case, they managed to enhance a video grab from grainy CCTV footage to ascertain the number plate of a motorbike. “This helped the police trace the accused and rescue the child,” he said.
  • At present, the Delhi police have 10 dedicated labs, including memory forensics, mobile forensics, cloud forensics, network forensics, crypto forensics, malware forensics, image and video enhancement, damaged device labs for mobile and laptops, and audio forensics where not only officials from the Information Technology cadre are working but also domain experts have been hired from outside the force.
  • While the city police have come a long way from the “dark ages”, they still face some challenges, including retrieving encrypted data from locked devices and the issue of privacy, which “enables service providers to wash their hands off when information is asked for”.
  • Another major challenge is the increased use of Virtual Private Networks, which makes it tough to track online activities.

Source: TH
