Indian Efforts in Cyber Forensics
10-Feb-09 Resource Centre for Cyber Forensics 1
B. Ramani
Presentation Overview
• About C-DAC
• Resource Centre for Cyber Forensics
• C-DAC Cyber Forensics Solutions
National Coverage
C-DAC centres at Pune, Bangalore, Delhi, Hyderabad, Mumbai, Chennai, Kolkata, Mohali, Noida and Trivandrum
Established in 1974 as Keltron R&D Center; taken over by GoI in 1988; formerly known as ERDCI
Work force of 800+
An ISO 9001:2000 certified premier R&D institution involved in the design, development and deployment of world-class electronic and IT solutions for economic and human advancement, under DIT, Govt of India
AREAS OF RESEARCH
Control & Instrumentation
Power Electronics
Broadcast & Communications
Strategic Electronics
ASIC Design
Resource Centre for Cyber Forensics
The Resource Centre for Cyber Forensics (RCCF) is the premier centre for cyber forensics in India. It was set up in C-DAC, Thiruvananthapuram by the Ministry of Communications and Information Technology and has been functioning for the past three years.
The primary objectives of RCCF are:
Develop Cyber Forensics tools based on requirements from Law Enforcement Agencies
Carry out advanced research in cyber forensics
Provide technical support to LEAs
C-DAC Cyber Forensics Solutions
C-DAC Tools
CyberCheck Suite – Disk Forensics Tools
• TrueBack V3.1 on Linux – Disk Imaging Tool
• TrueBack V1.0 on Windows – Disk Imaging Tool
• CyberCheck V3.2 on Windows – Data Recovery and Analysis Tool
NetForce Suite – Network Forensics Tools
• CyberInvestigator V1.0 on Windows – Forensic Log Analyzer
• NeSA V1.0 on Linux – Network Session Analyzer
• EmailTracer V3.0 on Windows – Tool for tracing sender of email
DeviceAnalyst Suite – Device Forensics Tools
• PDA Imager & Analyzer – Tool for imaging and analyzing PDA contents
• SIM Card Imager & Analyzer – Tool for imaging and analyzing GSM SIM Cards
• CDR Analyzer – Tool for analyzing Call Data Records
Cyber Forensics Hardware Tools
• TrueImager – High speed H/W based Disk Imaging Tool
• TrueLock – H/W based drive lock for write protecting IDE/SATA disks
TrueBack
TrueBack – Disk Imaging Tool
Software Tool for seizing, acquiring and authenticating Digital Evidence
Indigenously developed by RCCF, C-DAC, Thiruvananthapuram
Widely used and certified by agencies like NPA, CBI, IB, CBI Academy, Kerala Police, Forensic Science Laboratories and GEQDs
Import substitution for similar products
Cost-effective solution
Compliant with the disk imaging tool specification of the National Institute of Standards and Technology (NIST), USA
Implementation of National Police Academy (NPA) procedures for Seizure and Acquisition
Preview, Seize, Acquire and Seize & Acquire modes of operation
Imaging of IDE, SCSI, SATA, CD, DVD, Floppy and USB devices
Report generation in each mode of operation
Storage media content previewing facility before seizure and acquisition
TrueBack – Disk Imaging Tool: screenshots
Main User Interface; Collecting case details; Selecting media for Seizure; Case data summary; Seizure process in progress; Seizure process completed; Seizure Report; Hash values of media and blocks
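The TrueBack screens end with the hash values recorded for the whole medium and for its individual blocks. The Python program below is an added illustration, not C-DAC's code, of why an imaging tool records both: the media hash authenticates the image as a whole, while the per-block hashes pin any later change to the block that actually differs. The 4 KiB block size, the SHA-256 default and the sample medium are assumptions for the example; the deck does not state TrueBack's block size or algorithm (the `algo` parameter also accepts `"md5"`, the algorithm the PDA Imager slide lists).

```python
import hashlib
from dataclasses import dataclass, field

# Assumption: the slides do not give TrueBack's block size, so 4 KiB is used here.
BLOCK_SIZE = 4096


@dataclass
class ImageManifest:
    """What an imaging tool records alongside the image for later authentication."""
    block_size: int
    media_size: int
    algo: str
    block_hashes: list = field(default_factory=list)  # one hex digest per block
    media_hash: str = ""                               # digest over the whole medium


def acquire(media: bytes, block_size: int = BLOCK_SIZE, algo: str = "sha256") -> ImageManifest:
    """Read the medium block by block, hashing each block and the medium as a whole."""
    manifest = ImageManifest(block_size=block_size, media_size=len(media), algo=algo)
    whole = hashlib.new(algo)
    for offset in range(0, len(media), block_size):
        block = media[offset:offset + block_size]  # the last block may be short
        manifest.block_hashes.append(hashlib.new(algo, block).hexdigest())
        whole.update(block)
    manifest.media_hash = whole.hexdigest()
    return manifest


def verify(image: bytes, manifest: ImageManifest) -> dict:
    """Re-hash an image against its manifest.

    Returns the overall verdict plus the indices of blocks whose hash changed,
    so a single altered sector is localised to one block instead of merely
    failing the whole-media check.
    """
    if len(image) != manifest.media_size:
        raise ValueError("image size differs from the acquired media size")
    changed = []
    whole = hashlib.new(manifest.algo)
    for i, offset in enumerate(range(0, len(image), manifest.block_size)):
        block = image[offset:offset + manifest.block_size]
        whole.update(block)
        if hashlib.new(manifest.algo, block).hexdigest() != manifest.block_hashes[i]:
            changed.append(i)
    return {"authentic": whole.hexdigest() == manifest.media_hash, "changed_blocks": changed}


def flip_byte(data: bytes, offset: int) -> bytes:
    """Simulate a damaged or altered image by inverting one byte (constructed for the example)."""
    altered = bytearray(data)
    altered[offset] ^= 0xFF
    return bytes(altered)


# Constructed sample medium: 16 KiB of patterned bytes, i.e. four 4 KiB blocks.
SAMPLE_MEDIA = bytes(range(256)) * 64


if __name__ == "__main__":
    manifest = acquire(SAMPLE_MEDIA)
    print("media hash:", manifest.media_hash)
    print("clean image:", verify(SAMPLE_MEDIA, manifest))
    # One byte changed inside block 2 (offset 2 * 4096 + 100)
    print("altered image:", verify(flip_byte(SAMPLE_MEDIA, 2 * BLOCK_SIZE + 100), manifest))
```

On a real acquisition the manifest would be written into the seizure report next to the case details, and `verify` would be run on the working copy before analysis starts; the block list tells the examiner whether a mismatch is a single bad sector or a wholesale substitution.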
CyberCheck
CyberCheck – Data Recovery and Analysis Tool
Software Tool for authenticating, recovering, analyzing and reporting Digital Evidence
Indigenously developed by RCCF, C-DAC, Thiruvananthapuram
Widely used (over 175 copies have been sold) and certified by agencies like NPA, CBI, IB, CBI Academy, Kerala Police, Forensic Science Laboratories and GEQDs
Import substitution for similar products
Cost-effective solution
Features
Indian Language support
Powerful Data recovery facilities
High speed search facility
Comprehensive Timeline features
Detailed Report Generation facility
Integrated Email and Internet History Viewer
Facility for identifying password protected files
Facility for viewing nested ZIP files
CyberCheck – Data Recovery and Analysis Tool: screenshots
Unicode and Indian Language Support; Table and Disk views; Picture Gallery View; Timeline View; Search hits view; Recovery of deleted file; Report generated by CyberCheck
EmailTracer
Features
• Trace the originating IP address and other details from the email header
• Generates a detailed HTML report of the email header analysis
• Find the city level details of the sender
• Plot the route traced by the mail
• Display the originating geographic location of the mail on the world map
• Keyword searching facility on email content including attachments
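The first EmailTracer feature, tracing the originating IP address from the email header, rests on reading the Received: lines in the right order. The Python below is an added example, not EmailTracer's code, that parses a constructed message with the standard library, orders the hops from origin to recipient and picks the earliest routable address as the origin candidate. The sample headers use RFC 5737 documentation addresses; because the `ipaddress` module treats those as non-global, the internal-address filter lists the RFC 1918 ranges explicitly rather than using `is_global`. Hostnames, IDs and dates in the sample are constructed.

```python
import email
import ipaddress
import re

# A Received: header reads "from <sender> (<comment>) by <receiver> ... ; <date>".
RECEIVED_RE = re.compile(r"from\s+(?P<frm>.*?)\s+by\s+(?P<by>\S+)", re.IGNORECASE)
IPV4_RE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")
# Internal ranges that never identify a sender on the public Internet (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip_str: str) -> bool:
    """True for loopback, link-local and RFC 1918 addresses, which cannot locate a sender."""
    ip = ipaddress.ip_address(ip_str)
    return ip.is_loopback or ip.is_link_local or any(ip in net for net in INTERNAL_NETS)


def ipv4_addresses(text: str) -> list:
    """All syntactically valid IPv4 addresses in text, in order of appearance."""
    found = []
    for cand in IPV4_RE.findall(text):
        try:
            ipaddress.IPv4Address(cand)  # drops look-alikes such as 999.1.1.1
        except ValueError:
            continue
        found.append(cand)
    return found


def parse_received(value: str) -> dict:
    """Split one Received: header into the hop it records."""
    flat = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    frm = m["frm"] if m else flat
    return {
        "from": frm,
        "ips": ipv4_addresses(frm),  # HELO name, reverse DNS and connecting address may all appear
        "by": m["by"] if m else "",
        "date": flat.rsplit(";", 1)[1].strip() if ";" in flat else "",
    }


def trace(raw: bytes) -> dict:
    """Order the Received: hops from origin to recipient and pick the originating address.

    Each MTA prepends its own Received: line, so the last such header in the message
    is the earliest hop.  The first non-internal address on the earliest hop is the
    origin candidate.  Only lines added by the recipient's own, trusted servers are
    known to be genuine, so the whole chain is returned for the analyst to judge.
    """
    msg = email.message_from_bytes(raw)
    hops = [parse_received(str(v)) for v in reversed(msg.get_all("Received", []))]
    origin = None
    for hop in hops:
        routable = [ip for ip in hop["ips"] if not is_internal(ip)]
        if routable:
            origin = routable[0]
            break
    return {"hops": hops, "origin_ip": origin, "from_header": msg.get("From", "")}


# Constructed sample: three hops, the earliest showing a private HELO address
# and the connecting address seen by the first relay.
SAMPLE_EMAIL = b"""Received: from mx.example.net (mx.example.net [203.0.113.25])
        by inbound.example.org with ESMTP id abc123
        for <investigator@example.org>; Tue, 10 Feb 2009 10:15:02 +0530
Received: from relay.example.com ([198.51.100.7])
        by mx.example.net with ESMTP id def456; Tue, 10 Feb 2009 10:14:58 +0530
Received: from [192.168.1.20] (unknown [192.0.2.77])
        by relay.example.com with SMTP id ghi789; Tue, 10 Feb 2009 10:14:50 +0530
From: someone@example.com
To: investigator@example.org
Subject: constructed sample message
Message-ID: <constructed-0001@example.com>

Body text is irrelevant to header analysis.
"""


if __name__ == "__main__":
    result = trace(SAMPLE_EMAIL)
    for n, hop in enumerate(result["hops"]):
        print(f"hop {n}: {hop['ips']} -> {hop['by']} at {hop['date']}")
    print("origin candidate:", result["origin_ip"])
```

The origin candidate is only as trustworthy as the Received: line it came from; the WhoIs and NS lookup steps shown on the following EmailTracer screens are what turn that address into an organisation and location the report can cite.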
EmailTracer – S/W tool for tracing sender of an email: screenshots
WhoIs Search; NS LookUp; IP TraceBack; Detailed Report
CyberInvestigator
Indigenously developed by CDAC Thiruvananthapuram
Helps Law Enforcement Agencies in investigating Cyber Crimes
Log analysis tool
Analyses Windows and Linux Logs
Offline Intrusion Analysis
Features of CyberInvestigator
Supports analysis of offline logs
Built in & User defined queries.
Signature based Offline Intrusion Analysis
Supports analysis of Windows event logs
Supports analysis of Linux logs like the message log, utmp, wtmp & cron
Supports web traffic analysis
Supports analysis of Access log & IIS Log
Collects information regarding the insertion of USB devices
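The CyberInvestigator features above describe signature-based offline analysis of Linux logs, including the record of USB device insertions. As an added illustration (not CyberInvestigator's own rules or code), the Python below runs a small signature set over constructed syslog lines: repeated SSH authentication failures from one source counted against a threshold, the kernel's USB device-found message with its vendor and product IDs, and sudo command executions. The signatures, the threshold of three failures, the host name and the sample lines are all assumptions made for the example.

```python
import re
from collections import Counter

# Standard syslog prefix: "Mon DD HH:MM:SS host rest-of-line".
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")

# Constructed signatures for this example; a real tool would load these from a rule file.
SIGNATURES = {
    "ssh_failed_login": re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
    ),
    "usb_device_inserted": re.compile(
        r"kernel: usb [\d.-]+: New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
    ),
    "sudo_command": re.compile(r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$"),
}

# Assumption: three failures from one source within the examined log is worth reporting.
BRUTE_FORCE_THRESHOLD = 3


def analyze(lines, threshold: int = BRUTE_FORCE_THRESHOLD) -> dict:
    """Match every line against every signature and aggregate the hits.

    Returns the matched events with their captured fields, the sources whose
    failed SSH logins reached the threshold, and the USB insertion events.
    """
    events = []
    failed_by_ip = Counter()
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a syslog line (or a format this parser does not know)
        for name, sig in SIGNATURES.items():
            hit = sig.search(m["rest"])
            if hit is None:
                continue
            events.append({"time": m["ts"], "host": m["host"], "signature": name, **hit.groupdict()})
            if name == "ssh_failed_login":
                failed_by_ip[hit["ip"]] += 1
    return {
        "events": events,
        "brute_force_sources": sorted(ip for ip, n in failed_by_ip.items() if n >= threshold),
        "usb_insertions": [e for e in events if e["signature"] == "usb_device_inserted"],
    }


# Constructed sample log (documentation-range addresses, placeholder USB IDs).
SAMPLE_LOG = """
Feb 10 09:58:01 ws01 sshd[2210]: Failed password for invalid user admin from 198.51.100.9 port 40122 ssh2
Feb 10 09:58:03 ws01 sshd[2210]: Failed password for invalid user admin from 198.51.100.9 port 40123 ssh2
Feb 10 09:58:05 ws01 sshd[2214]: Failed password for root from 198.51.100.9 port 40125 ssh2
Feb 10 09:59:10 ws01 sshd[2220]: Accepted password for analyst from 192.168.1.5 port 50001 ssh2
Feb 10 10:02:44 ws01 kernel: usb 1-2: new high-speed USB device number 4 using ehci_hcd
Feb 10 10:02:44 ws01 kernel: usb 1-2: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
Feb 10 10:03:12 ws01 sudo:   analyst : TTY=pts/0 ; PWD=/home/analyst ; USER=root ; COMMAND=/bin/mount /dev/sdb1 /mnt
Feb 10 10:05:00 ws01 sshd[2301]: Failed password for guest from 203.0.113.4 port 41000 ssh2
""".strip().splitlines()


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for e in report["events"]:
        print(e["time"], e["signature"], {k: v for k, v in e.items() if k not in ("time", "host", "signature")})
    print("brute-force sources:", report["brute_force_sources"])
    print("USB insertions:", len(report["usb_insertions"]))
```

The same loop serves the other log types the slide lists once a prefix pattern for each format is added; the value of running it offline on a seized copy is that every finding carries the original timestamp and host, which is what a report to a court needs.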
Network Session Analyzer (NeSA)
NeSA
Indigenously developed by CDAC Thiruvananthapuram
Helps Law Enforcement Agencies in investigating Cyber Crimes
Offline Network session analysis tool
Reconstructs network sessions from dump files
Helps in network troubleshooting and debugging
Misuse detection
Features of NeSA
Session Reconstruction - HTTP, SMTP, POP3 and FTP
Displays the data in Hex view, Image view, File view and Mail view
Powerful & Flexible filtering and searching facility
Filtering based on MAC, IP, Port, Protocol, Date and Time
Facility to export reconstructed files
Statistics generation based on different criteria
PDA Imager & Analyzer
Introduction
Many criminals are now using electronic devices other than PCs to commit illegal activities. Cellular telephones, smart phones and Personal Digital Assistants (PDAs) are only a few of the devices that must now be examined by forensic investigators. CDAC(T) has developed forensics software and hardware tools for the analysis of such devices, and PDA Forensics Suite is one among them. PDA Forensics Suite is a software tool to forensically acquire, analyze and present digital evidence from WinCE and Palm OS based PDAs/Smart Phones before a court of law. It consists of two software tools: PDA Imager and PDA Analyzer.
PDA Imager
PDA Imager is used to forensically image PDAs and Smart Phones. It performs logical and physical acquisition of the devices. It also performs Hashing for authenticating the evidence. Version 1.0 of this software supports acquisition of WinCE and Palm OS based PDAs and Smart Phones. This tool is developed as per the directions provided by the NIST for handheld devices.
PDA Imager
Standard Windows application
Imaging tool for WinCE/Pocket PC/Windows Mobile/Palm OS PDAs.
Acquisition through USB connection.
Supports physical and logical acquisition.
Logical acquisition includes files, database and registry.
Supports MD5 Hashing.
Creates a single evidence file with a specific format.
Supports comprehensive HTML reporting.
PDA Analyzer
PDA Analyzer is used to forensically examine the evidence collected from PDAs and Smart Phones. It takes the evidence file acquired by PDA Imager as input, identifies the required information in the image if present, and displays it in a file viewer with all details.
Features
Standard Windows application.
User login facilities.
Creates log of each analysis session and analyzing officer’s details.
Explorer type view of contents of the whole evidence file.
Display of folders and files with all attributes.
Text/Hex view of the content of a file.
Picture view of an image file.
Gallery view of images.
Timeline view of files.
Single and multiple keyword search.
Search with GREP expressions.
File search based on extension.
Bookmarking facility for data, files and folders.
Registry viewer.
SIM Card Imager & Analyzer
A forensic acquisition tool for GSM SIM Cards
Indigenously developed by Resource Centre for Cyber Forensics
Analysis methods as per NIST guidelines
Generates a detailed report for presentation in court
Acquires the following contents from the SIM Card:
Phone Book
Messages
Location Information
IMSI
Last Dialed Numbers
SIM Card – Analysis: screenshots
Phone Book Details; Message Details; Location Information; Message Summary; Hash Values of different items
Cyber Forensics Hardware Tools
TrueImager & TrueLock
TrueImager
A disk forensic hardware tool for seizing and acquiring storage media from the scene of cyber crime, specially designed for Indian Law Enforcement Agencies
TrueLock
A hardware forensic tool for write protecting suspect storage media while seizing and acquiring the media from the scene of cyber crime
Features & Benefits
Smart, portable handheld Cyber Forensics Digital Evidence Image Recorder.
- Seizure
- Acquisition
High speed data transfer at the rate of 3GB/min
Offers built-in write-protection of suspect disk.
Supports wiping feature for sanitizing the evidence disk.
Supports 3 types of suspect disk media:
TrueLock
A hardware drive lock which prevents all data writes to hard disk drives connected to a computer’s IDE interface.
Helps in the preservation of digital evidence.
A cost-effective solution for supporting disk imaging
Features
Supports all IDE Drives.
Requires no special software.
Physical dimensions: 84 mm × 41.5 mm × 25 mm
Write protects the IDE hard disk connected to the PC’s IDE interface.
Achievements
• Designed and developed the first indigenous suite of products for carrying out cyber forensics investigation
• More than 175 copies of C-DAC’s CyberCheck Suite licensed to Law Enforcement Agencies
• Conducted more than 25 basic and advanced level training programmes on Cyber Forensics to LEAs
• Analyzed more than 200 Cyber Crime cases and submitted technical reports to different courts in India
Organizations that use CyberCheck Suite
Hitech Cyber Cell, Thiruvananthapuram
Army Cyber Security Establishment, New Delhi
Intelligence Bureau, New Delhi
Delhi Police, New Delhi
CBI Academy, Ghaziabad
GEQDs of Hyderabad and Shimla
CFSL, Hyderabad
FSLs of Chandigarh, Chennai, Thiruvananthapuram and Haryana
DFSL, Gujarat
Cyber Crime Investigation Cell, Thane, Maharashtra
Cyber Cells of Bangalore and Arunachal Pradesh
SCRB, Thiruvananthapuram
National Academy of Taxes, Nagpur
National Police Academy, Hyderabad
Cabinet Secretariat, New Delhi
Training on Cyber Forensics
Successfully conducted more than 25 training programmes covering basic and advanced Cyber Forensics concepts.
Conducted a certificate programme on Cyber Forensics for 32 officers of Kerala Police.
Conducted separate two-week training programmes on Cyber Forensics for officers from the Intelligence Bureau and Forensic Science Laboratories.
Conducted 7 training programmes of one week duration for Judicial Officers in collaboration with CCA at different State Judicial Academies.
Recently conducted a one-month training programme on Cyber Forensics for 51 Police Officers from all Police Districts of Kerala.
Case Categories
Nature of Crime Number
Hacking 17
Document Forgery 65
Financial Frauds 22
Software Piracy 7
Pornography 13
Mobile Phone Crime 64
Email Crimes 41
Cyber Forensic Analysis Statistics
Agency  Reported Cases  Completed Analysis
RAW 1 1
CBI 32 26
Bangalore Police 6 6
CCPS Bangalore 27 24
Chennai Police 3 2
Crime Branch, Kerala 17 11
Vigilance, Kerala 16 9
Kerala Police 127 74
Advantages of C-DAC Solutions
• Completely indigenous development
• Self-reliance in technology
• Cost-effective solution
• Developed for Law Enforcement Agencies and corporate houses
• Total technical support
• Development of an Enterprise Forensics System that will provide proactive solutions to cyber crimes and offences in enterprise and corporate networks
• Design and development of advanced forensic tools for memory analysis, malware analysis, software forensics, peripheral device forensics, etc.
• Setting up Virtual Training Environment facilities for training
• Provide a well tested and certified cyber forensics suite of products (CyberCheck Suite) for acquisition and analysis on a portable lab as well as a forensic workstation
• Cost effective solution
• Software for Network Forensics, Live Forensics and Device Forensics
• Hardware tools for disk forensics
• Introductory training in cyber forensics
• Advanced training in cyber forensics
Contacts:
B.Ramani, Addl. Director :
V.K.Bhadran, Addl. Director : bhadran@
K.L.Thomas, Jt.Director :
Resource Centre for Cyber Forensics
Centre for Development of Advanced Computing
Vellayambalam, Thiruvananthapuram
Kerala – 695033