How digital forensics helping police gather evidence against cybercrime

Information and Communication Technologies (ICTs) permeates all aspects of life, providing newer, better and quicker ways for people to interact, network, gain access to information and learn. With the mammoth increase in digital footprints, the crimes related to technology have also been on rise exponentially. Digital forensics is defined as the discipline that combines elements of law and computer science to collect and analyse data from computer systems, networks, wireless communications and storage devices in a way that is admissible as evidence in a court of law.

Some examples of digital forensics are: Recovering thousands of deleted emails, recovering evidence post formatting of hard drive and performing investigation after multiple users had taken over the system

Digital forensics and digital investigations are not restricted to only law enforcement matters, as the use of ICTs is also prevalent in commercial and national security related activities. Digital forensic investigation plays a role in civil litigation and national security investigations, such as those involving espionage or cyber warfare. Hence there is a need for study and research in digital forensic investigation, involving a broad range of stakeholders.

Digital forensics is used by

1. Criminal prosecutors

2. Civil litigations: Personal and business data discovered on a computer can be used in fraud, divorce, harassment etc, cases.

3. Insurance companies: Evidence discovered on computer can be used to mollify costs

4. Law enforcement officials: Rely computer forensics to backup search warrants and post seizure handling

5. Individual/private citizens: obtain the services of professional computer forensic specialists to support claims of harassment, abuse

6. Private corporations: evidence obtained from employee computers can be used as evidence in fraud and embezzlement cases.

Objectives of digital forensics

1. To recover, analyse and preserve documentation so that it can help to investigate agencies to find criminals

2. The investigating agency can know the motive behind cyber crime

3. They recover deleted data and deleted partitions from digital devices like computers, smart phones, hard drives etc to know the activities done by criminals.

Steps involved in digital forensics

1. Identification: Identification phase is the process to collect digital evidence.There are two forms of data collected. One is persistent data, which is data kept on a local hard drive or other related media.This data remains stored even if the system is powered down.The secondary data form is volatile data found in transit or a device's memory and is lost if the system is powered down.

2. Acquiring the evidence appropriately without causing any harm to the evidence, conducting interviews with IT staff members or affected end users.

3. Preservation: To make sure that the evidence is not tampered /contaminated during the course of investigation. Storage devices and other bits of relevant physical evidence collected are labeled and sealed in tamper resistant containers for secure transport to the forensic lab.

4. Examination: Inspection of the evidence for any other secondary details

5. Analysis: joining and correlating the bits and pieces of information contained in evidence.

6. Presentation: documenting, reporting and presenting the facts and figures to the affected organisation's IT team. This document should also include strategies and recommendations that the IT department should take to prevent similar future incidents. The investigators also create a second document (phrased in the less technical language) for use in court.

Telecom forensics

1) Grey market /SIM box forensics

• SIMs used in fraud

• KYC used for purchasing the SIM fraudulently

• Illegal VOIP (Voice over Internet Protocol) Gateway Interconnection with PSTN (Public switched Telephone Network)/PLMN ( Public Land Mobile Network)

• IPDR/CDR analysis

2) KYC forgery by TSP/managed services

• Examination of CAFs and supporting documents

• Cross-examination with IN (Intelligent Network) and HLR (Home Location Register) data

• Studying usage patterns

3) Network intrusion and sabotage

• Taking advantage of poorly configured access controls

• Remote logins

• Analysis of HLR data for illegal parameter modifications

• Wilful diversions and dumping of calls from competitors

4) Business losses

• Stealing sensitive business model blueprints

• Ex-employees carrying sensitive company information along with them

5) Fraudulent calls/SMSs /financial forgery

• Unauthorised SIM swaps/ MNP frauds

• Social media hacks/takeover

• Email hack

Indian Telegraph Act 1885 and Information Technology Act 2000

Communication surveillance in our country takes place under two laws-Indian Telegraph act and IT act. The Telegraph act deals with interception of calls and the IT act deals with surveillance of all electronic communication. Under the telegraph act the government can intercept calls only in certain situations with the condition precedent on the occurrence of any public emergency or in the interest of public safety. Section 69 of the IT act government can intercept, monitor and decrypt digital information for the investigation of an offence. Significantly, it dispenses with the condition precedent mentioned in the telegraph act.

Way forward

Government is finalising a 'trusted sources list' for procuring telecom gear as the country is moving towards implementation of 5G. Government is also in the process of setting up a unified national level cybersecurity task force with a special focus on the risks emanating from the telecom sector.

The current cyber threats are handled by the specialised Indian Computer Emergency Response team (CERT-in) which operate under MEITY( Ministry of Electronics and Information and Technology). With the cyber attacks getting more sophisticated, the government wants to create a specialised unified task force that will act on inputs from security and cyber forces within the country but also inputs from friendly countries.

(The author is a former Advisor, Department of Telecommunications (DoT), Government of India)