
Indian Efforts in Cyber Forensics

10-Feb-09 Resource Centre for Cyber Forensics

B. Ramani

(2)

Presentation Overview

10-Feb-09 Resource Centre for Cyber Forensics 2

• About C-DAC

• Resource Centre for Cyber Forensics

• C-DAC Cyber Forensics Solutions

(3)

National Coverage

C-DAC, Pune
C-DAC, Bangalore
C-DAC, Delhi
C-DAC, Hyderabad
C-DAC, Mumbai
C-DAC, Chennai
C-DAC, Kolkata
C-DAC, Mohali
C-DAC, Noida
C-DAC, Trivandrum

(4)

Established in 1974 as the Keltron R&D Centre; taken over by the Government of India in 1988; formerly known as ER&DCI (Electronics Research and Development Centre of India)

Workforce of 800+

An ISO 9001:2000 certified premier R&D institution involved in the design, development and deployment of world-class electronic and IT solutions for economic and human advancement, under the Department of Information Technology (DIT), Government of India

(5)

AREAS OF RESEARCH

Control & Instrumentation

Power Electronics

Broadcast & Communications

Strategic Electronics

ASIC Design

(6)

Resource Centre for Cyber Forensics

The Resource Centre for Cyber Forensics (RCCF) is the premier centre for cyber forensics in India. It was set up at C-DAC, Thiruvananthapuram by the Ministry of Communications and Information Technology and has been functioning for the past three years.

The primary objectives of RCCF are:

Develop cyber forensics tools based on requirements from Law Enforcement Agencies (LEAs)

Carry out advanced research in cyber forensics

Provide technical support to LEAs

(7)

C-DAC Cyber Forensics Solutions

(8)

C-DAC Tools

CyberCheck Suite – Disk Forensics Tools
  TrueBack V3.1 on Linux – Disk Imaging Tool
  TrueBack V1.0 on Windows – Disk Imaging Tool
  CyberCheck V3.2 on Windows – Data Recovery and Analysis Tool

NetForce Suite – Network Forensics Tools
  CyberInvestigator V1.0 on Windows – Forensic Log Analyzer
  NeSA V1.0 on Linux – Network Session Analyzer
  EmailTracer V3.0 on Windows – Tool for tracing the sender of an email

DeviceAnalyst Suite – Device Forensics Tools
  PDA Imager & Analyzer – Tool for imaging and analyzing PDA contents
  SIM Card Imager & Analyzer – Tool for imaging and analyzing GSM SIM cards
  CDR Analyzer – Tool for analyzing Call Data Records

Cyber Forensics Hardware Tools
  TrueImager – High-speed hardware-based disk imaging tool
  TrueLock – Hardware-based drive lock for write-protecting IDE/SATA disks

(9)

TrueBack


(10)

TrueBack – Disk Imaging Tool

Software tool for seizing, acquiring and authenticating digital evidence

Indigenously developed by RCCF, C-DAC, Thiruvananthapuram

Widely used and certified by agencies such as NPA, CBI, IB, CBI Academy, Kerala Police, Forensic Science Laboratories and GEQDs (Government Examiners of Questioned Documents)

Import substitute for similar products

Cost-effective solution

(11)

Compliant with the disk imaging tool specification of the National Institute of Standards and Technology (NIST), USA

Implements the National Police Academy (NPA) procedures for seizure and acquisition

Preview, Seize, Acquire, and Seize & Acquire modes of operation

Imaging of IDE, SCSI, SATA, CD, DVD, floppy and USB devices

Report generation in each mode of operation

Facility to preview storage media content before seizure and acquisition

(12)

TrueBack – Disk Imaging Tool: screenshots (slides 12–19)

Main user interface
Collecting case details
Selecting media for seizure
Case data summary
Seizure process in progress
Seizure process completed
Seizure report
Hash values of media and blocks
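The seizure report records a hash of the whole media and a hash per block. The Python below is an added example, not TrueBack's code (the page does not say how TrueBack computes or stores its hashes): it images a constructed sample media in one pass, keeps both hash sets, and then uses them to verify a copy. SHA-256 is used rather than the MD5 that these 2009-era tools report; the 4 KiB block size and the sample media are assumptions.

```python
import hashlib
import random

BLOCK_SIZE = 4096     # assumed block size; the page does not state TrueBack's


def make_sample_media(n_blocks=8, seed=7):
    """Constructed stand-in for a seized disk: deterministic pseudo-random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n_blocks * BLOCK_SIZE))


def acquire(media, block_size=BLOCK_SIZE):
    """Image the media and build the acquisition record: a running hash over the
    whole media plus one hash per block, both computed in the same single pass
    so the suspect disk is read exactly once."""
    whole = hashlib.sha256()
    block_hashes = []
    for off in range(0, len(media), block_size):
        chunk = media[off:off + block_size]
        whole.update(chunk)
        block_hashes.append(hashlib.sha256(chunk).hexdigest())
    return {'image': bytes(media), 'block_size': block_size,
            'media_sha256': whole.hexdigest(), 'block_sha256': block_hashes}


def verify(image, record):
    """Re-hash an image against its acquisition record. 'authentic' is the
    court-facing answer (whole-media hash matches); 'bad_blocks' tells the
    examiner which blocks changed, which a single hash cannot."""
    fresh = acquire(image, record['block_size'])
    bad = [i for i, (a, b) in enumerate(zip(fresh['block_sha256'],
                                            record['block_sha256'])) if a != b]
    return {'authentic': fresh['media_sha256'] == record['media_sha256'],
            'bad_blocks': bad,
            'size_mismatch': len(fresh['block_sha256']) != len(record['block_sha256'])}


if __name__ == '__main__':
    media = make_sample_media()
    record = acquire(media)
    print('media hash:', record['media_sha256'])
    tampered = bytearray(media)
    tampered[3 * BLOCK_SIZE + 17] ^= 0x01      # flip one bit in block 3
    print(verify(bytes(tampered), record))
```

The whole-media hash answers the court's question (is this image identical to what was seized?); the per-block list answers the examiner's (which sectors differ, and is the rest still usable?). Verification runs against the stored record rather than against a fresh read of the original disk, so the seized media stays in evidence storage and is read as few times as possible.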

(20)

CyberCheck


(21)

CyberCheck – Data Recovery and Analysis Tool

Software tool for authenticating, recovering, analyzing and reporting digital evidence

Indigenously developed by RCCF, C-DAC, Thiruvananthapuram

Widely used (over 175 copies have been sold) and certified by agencies such as NPA, CBI, IB, CBI Academy, Kerala Police, Forensic Science Laboratories and GEQDs

Import substitute for similar products

Cost-effective solution

(22)

Features

Indian language support

Powerful data recovery facilities

High-speed search facility

Comprehensive timeline features

Detailed report generation facility

Integrated email and Internet history viewer

Facility for identifying password-protected files

Facility for viewing nested ZIP files

(23)

CyberCheck – Data Recovery and Analysis Tool: screenshots (slides 23–29)

Unicode and Indian language support
Table and disk views
Picture gallery view
Timeline view
Search hits view
Recovery of a deleted file
Report generated by CyberCheck

(30)

EmailTracer


(31)

EmailTracer – S/W tool for tracing the sender of an email

Features

Traces the originating IP address and other details from the email header

Generates a detailed HTML report of the email header analysis

Finds city-level details of the sender

Plots the route traced by the mail

Displays the originating geographic location of the mail on a world map

Keyword search facility on email content, including attachments
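How the originating IP is extracted from the header is the part of EmailTracer worth spelling out. The block below is an added Python example, not EmailTracer's code: it walks the Received headers of a constructed message from the bottom (earliest hop) up, separates the address each receiving MTA recorded from the sender-supplied HELO name, skips the private addresses of the sender's own LAN, and reports the first routable address together with each hop's timestamp. City-level lookup and the map plot need a geolocation database and WHOIS access and are not reproduced offline. The message and the RFC 5737 documentation addresses in it are constructed.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (not from the page). Each MTA prepends its own
# Received header, so the bottom one was written first, nearest the sender.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [198.51.100.20])
    by inbound.example.com with ESMTP id 4F2A1; Tue, 10 Feb 2009 09:32:11 +0000
Received: from smtp.isp.example (smtp.isp.example [203.0.113.5])
    by mx.example.net with ESMTP; Tue, 10 Feb 2009 09:32:05 +0000
Received: from alice-pc (unknown [203.0.113.77])
    by smtp.isp.example with ESMTPA id 77Q; Tue, 10 Feb 2009 09:31:58 +0000
Received: from [10.0.0.5] (helo=laptop)
    by alice-pc with SMTP; Tue, 10 Feb 2009 09:31:50 +0000
From: alice@isp.example
To: victim@example.com
Subject: constructed sample
Message-ID: <abc123@isp.example>

body text
"""

IP_RE = re.compile(r'\[?((?:\d{1,3}\.){3}\d{1,3})\]?')
# RFC 5737 documentation ranges stand in for public addresses in the sample,
# so a hand-written non-routable list is used instead of ipaddress's is_global.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    '0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8',
    '169.254.0.0/16', '172.16.0.0/12', '192.168.0.0/16')]


def is_routable(ip):
    """IPv4 only; anything unparsable or in a non-routable range is rejected."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in _NON_ROUTABLE)


def parse_received(header):
    """Pull the fields an investigator needs out of one Received header."""
    flat = ' '.join(header.split())                 # unfold continuation lines
    m = re.match(r'from\s+(\S+)(?:\s+\(([^)]*)\))?', flat)
    helo = m.group(1) if m else ''
    paren = (m.group(2) or '') if m else ''
    by = re.search(r'\bby\s+(\S+)', flat)
    # The address in parentheses was recorded by the receiving MTA from the TCP
    # connection; the HELO token before it is whatever the sender claimed.
    recorded = IP_RE.search(paren)
    claimed = IP_RE.search(helo)
    when = None
    if ';' in flat:                                 # timestamp follows the last ';'
        try:
            when = parsedate_to_datetime(flat.rsplit(';', 1)[1].strip())
        except (TypeError, ValueError):
            pass
    return {'helo': helo,
            'recorded_ip': recorded.group(1) if recorded else None,
            'claimed_ip': claimed.group(1) if claimed else None,
            'by': by.group(1) if by else None,
            'time': when}


def trace_email(raw):
    """Return the hop list (earliest first) and the originating public IP.
    Headers below the first relay you trust can be forged by the sender, so the
    origin is the earliest MTA-recorded routable address; private LAN addresses
    from the sender's own network are skipped."""
    msg = message_from_string(raw)
    hops = [parse_received(h) for h in reversed(msg.get_all('Received', []))]
    origin = None
    for hop in hops:
        ip = hop['recorded_ip'] or hop['claimed_ip']
        if ip and is_routable(ip):
            origin = ip
            break
    return {'hops': hops, 'origin': origin}


if __name__ == '__main__':
    result = trace_email(SAMPLE_MESSAGE)
    for hop in result['hops']:
        print(hop['time'], hop['recorded_ip'] or hop['claimed_ip'], '->', hop['by'])
    print('originating IP:', result['origin'])
```

Only the hops added by relays you trust are evidence; the bottom header in the sample, and anything the sender chooses to put below it, is under the sender's control. That is why the function prefers the MTA-recorded address and falls back to the HELO claim only when nothing else is present.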

(32)

EmailTracer – S/W tool for tracing the sender of an email: screenshots (slides 32–37)

WhoIs search
NS lookup
IP traceback
Detailed report

(38)

CyberInvestigator


(39)

CyberInvestigator

Indigenously developed by C-DAC Thiruvananthapuram

Helps Law Enforcement Agencies in investigating cyber crimes

Log analysis tool

Analyses Windows and Linux logs

Offline intrusion analysis

(40)

Features of CyberInvestigator

Supports analysis of offline logs

Built-in and user-defined queries

Signature-based offline intrusion analysis

Supports analysis of Windows event logs

Supports analysis of Linux logs such as the messages log, utmp, wtmp and cron

Supports web traffic analysis

Supports analysis of web server access logs and IIS logs

Collects information regarding the insertion of USB devices
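Two of the inputs listed above, the wtmp login record and the messages log, are enough to answer the question the USB feature exists for: who was logged in when a device was plugged in. The block below is an added Python example, not CyberInvestigator's code: it decodes the glibc utmp record layout for x86_64 Linux directly with struct, pairs logins with logouts into sessions, pulls idVendor/idProduct/serial out of the kernel's USB attach messages, and intersects the two. The wtmp records and syslog lines are constructed; the syslog year is an assumption, since that format does not carry one.

```python
import re
import struct
from datetime import datetime, timezone

# Layout of one glibc utmp/wtmp record on x86_64 Linux, 384 bytes (see utmp(5)):
# ut_type, pad, ut_pid, ut_line, ut_id, ut_user, ut_host, ut_exit (2 shorts),
# ut_session, ut_tv (sec, usec), ut_addr_v6[4], reserved.
UTMP_FMT = '<h2xi32s4s32s256shhi2i4i20s'
UTMP_SIZE = struct.calcsize(UTMP_FMT)          # 384
USER_PROCESS, DEAD_PROCESS = 7, 8


def utc(s):
    """'YYYY-mm-dd HH:MM:SS' -> timezone-aware UTC datetime."""
    return datetime.strptime(s, '%Y-%m-%d %H:%M:%S').replace(tzinfo=timezone.utc)


def make_utmp_record(ut_type, pid, line, user, host, when):
    """Pack one record. Used here only to build constructed sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b'', user.encode(),
                       host.encode(), 0, 0, 0, int(when.timestamp()), 0, 0, 0, 0, 0, b'')


def _cstr(raw):
    return raw.split(b'\x00', 1)[0].decode('latin-1')


def parse_wtmp(blob):
    """Decode a wtmp file into one dict per record, in file (chronological) order."""
    records = []
    for off in range(0, len(blob) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, blob, off)
        records.append({'type': f[0], 'pid': f[1], 'line': _cstr(f[2]),
                        'user': _cstr(f[4]), 'host': _cstr(f[5]),
                        'time': datetime.fromtimestamp(f[9], timezone.utc)})
    return records


def login_sessions(records):
    """Pair each USER_PROCESS login with the DEAD_PROCESS logout on the same tty/pty."""
    open_by_line, sessions = {}, []
    for r in records:
        if r['type'] == USER_PROCESS:
            open_by_line[r['line']] = r
        elif r['type'] == DEAD_PROCESS and r['line'] in open_by_line:
            s = open_by_line.pop(r['line'])
            sessions.append({'user': s['user'], 'host': s['host'], 'line': s['line'],
                             'login': s['time'], 'logout': r['time']})
    for s in open_by_line.values():             # no logout record: still logged in
        sessions.append({'user': s['user'], 'host': s['host'], 'line': s['line'],
                         'login': s['time'], 'logout': None})
    return sessions


# Kernel lines that land in /var/log/messages when a USB device is attached.
SYSLOG_TS = r'(\w{3} +\d+ \d\d:\d\d:\d\d)'
USB_NEW = re.compile(SYSLOG_TS + r' \S+ kernel: usb (\S+): New USB device found, '
                     r'idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})')
USB_SERIAL = re.compile(SYSLOG_TS + r' \S+ kernel: usb (\S+): SerialNumber: (\S+)')


def usb_insertions(lines, year):
    """One event per device arrival; syslog timestamps carry no year, so it is supplied."""
    events, by_port = [], {}
    for ln in lines:
        m = USB_NEW.match(ln)
        if m:
            when = datetime.strptime(m.group(1), '%b %d %H:%M:%S').replace(
                year=year, tzinfo=timezone.utc)
            ev = {'time': when, 'port': m.group(2), 'vendor': m.group(3),
                  'product': m.group(4), 'serial': None}
            events.append(ev)
            by_port[ev['port']] = ev
            continue
        m = USB_SERIAL.match(ln)
        if m and m.group(2) in by_port:       # serial is logged a line or two later
            by_port[m.group(2)]['serial'] = m.group(3)
    return events


def users_logged_in_at(sessions, when):
    """Users who had an open session at the moment of an event."""
    return sorted(s['user'] for s in sessions
                  if s['login'] <= when and (s['logout'] is None or when < s['logout']))


# Constructed sample inputs (not real logs).
SAMPLE_WTMP = b''.join([
    make_utmp_record(USER_PROCESS, 1201, 'tty1', 'alice', '', utc('2009-02-10 09:00:00')),
    make_utmp_record(DEAD_PROCESS, 1201, 'tty1', '', '', utc('2009-02-10 09:30:00')),
    make_utmp_record(USER_PROCESS, 1340, 'pts/0', 'bob', '10.0.0.9', utc('2009-02-10 09:40:00')),
])
SAMPLE_MESSAGES = [
    "Feb 10 09:15:02 ws1 kernel: usb 1-2: new high-speed USB device number 4 using ehci_hcd",
    "Feb 10 09:15:02 ws1 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5567",
    "Feb 10 09:15:02 ws1 kernel: usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3",
    "Feb 10 09:15:02 ws1 kernel: usb 1-2: SerialNumber: 4C530001",
    "Feb 10 09:15:03 ws1 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk",
]

if __name__ == '__main__':
    sessions = login_sessions(parse_wtmp(SAMPLE_WTMP))
    for ev in usb_insertions(SAMPLE_MESSAGES, 2009):
        print(ev['time'], ev['port'], ev['vendor'] + ':' + ev['product'], ev['serial'],
              'logged in:', users_logged_in_at(sessions, ev['time']))
```

The record layout is the glibc one for 64-bit Linux; 32-bit builds and other libcs lay the struct out differently, and wtmp from a different host must be parsed with that host's layout. Syslog times are local time on the logging host, so the examiner has to fix the year and the timezone before comparing them with the epoch seconds in wtmp.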

(44)

Network Session Analyzer

(NeSA)


(45)

NeSA

Indigenously developed by C-DAC Thiruvananthapuram

Helps Law Enforcement Agencies in investigating cyber crimes

Offline network session analysis tool

Reconstructs network sessions from dump files

Helps in network troubleshooting and debugging

Misuse detection

(46)

Features of NeSA

Session reconstruction for HTTP, SMTP, POP3 and FTP

Displays the data in Hex view, Image view, File view and Mail view

Powerful and flexible filtering and searching facility

Filtering based on MAC, IP, port, protocol, date and time

Facility to export reconstructed files

Statistics generation based on different criteria
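Session reconstruction is the core of what NeSA does. The block below is an added Python example, not NeSA's code: it takes the TCP payloads of one HTTP fetch as a capture decoder would deliver them (constructed here, with flow key, relative sequence number and payload per packet), reassembles each direction while coping with out-of-order and retransmitted segments, reports any holes, then parses the request and response to export the transferred file with a hash. Decoding the dump file itself is left out; the IPs are RFC 5737 documentation addresses.

```python
import hashlib
from collections import defaultdict

# Constructed sample: the TCP payloads of one HTTP fetch, as a capture decoder
# would hand them over after stripping Ethernet/IP/TCP headers. Sequence numbers
# are relative (1 = first data byte after the SYN).
REQUEST = b"GET /reports/q1.txt HTTP/1.1\r\nHost: files.example.net\r\n\r\n"
FILE_BODY = b"quarterly figures: 12,34,56\n" * 4
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
            b"Content-Length: %d\r\n\r\n" % len(FILE_BODY)) + FILE_BODY


def split_into_segments(data, sizes, first_seq=1):
    """Cut a byte string into (seq, payload) pairs of the given sizes."""
    segs, off = [], 0
    for n in sizes:
        segs.append((first_seq + off, data[off:off + n]))
        off += n
    return segs


CLIENT_TO_SERVER = ('10.0.0.7', '198.51.100.9', 51234, 80)   # (src, dst, sport, dport)
SERVER_TO_CLIENT = ('198.51.100.9', '10.0.0.7', 80, 51234)
_resp = split_into_segments(RESPONSE, [40, 60, 60, len(RESPONSE) - 160])
PACKETS = [(CLIENT_TO_SERVER,) + split_into_segments(REQUEST, [len(REQUEST)])[0],
           (SERVER_TO_CLIENT,) + _resp[0],
           (SERVER_TO_CLIENT,) + _resp[2],      # arrives before segment 1
           (SERVER_TO_CLIENT,) + _resp[1],
           (SERVER_TO_CLIENT,) + _resp[1],      # retransmission of segment 1
           (SERVER_TO_CLIENT,) + _resp[3]]


def reassemble(segments, first_seq=1):
    """Rebuild one direction of a TCP stream. Tolerates out-of-order delivery and
    retransmitted or overlapping segments; holes are zero-filled and reported as
    (start, end) gaps so the analyst knows an export may be incomplete.
    32-bit sequence wrap-around is not handled."""
    out, gaps, expected = bytearray(), [], first_seq
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        end = seq + len(payload)
        if end <= expected:
            continue                                  # every byte already seen
        if seq > expected:
            gaps.append((expected, seq))
            out.extend(b'\x00' * (seq - expected))
            expected = seq
        out.extend(payload[expected - seq:])          # drop the overlapping prefix
        expected = end
    return bytes(out), gaps


def streams(packets):
    """Group payloads by flow (src, dst, sport, dport) and reassemble each direction."""
    flows = defaultdict(list)
    for key, seq, payload in packets:
        flows[key].append((seq, payload))
    return {key: reassemble(segs) for key, segs in flows.items()}


def parse_http(stream):
    """Split an HTTP message into (start line, headers dict, body)."""
    head, _, body = stream.partition(b'\r\n\r\n')
    lines = head.decode('latin-1').split('\r\n')
    headers = {k.strip().lower(): v.strip()
               for k, v in (ln.split(':', 1) for ln in lines[1:] if ':' in ln)}
    return lines[0], headers, body


def extract_http_file(request_stream, response_stream):
    """Name the transferred object from the request, take its bytes from the
    response, and hash them so the exported file can be authenticated later."""
    request_line, _, _ = parse_http(request_stream)
    status_line, headers, body = parse_http(response_stream)
    path = request_line.split()[1]
    length = int(headers.get('content-length', len(body)))
    content = body[:length]
    return {'name': path.rsplit('/', 1)[-1], 'status': status_line,
            'complete': len(body) >= length, 'size': len(content),
            'sha256': hashlib.sha256(content).hexdigest(), 'content': content}


if __name__ == '__main__':
    st = streams(PACKETS)
    data, gaps = st[SERVER_TO_CLIENT]
    exported = extract_http_file(st[CLIENT_TO_SERVER][0], data)
    print(exported['name'], exported['size'], 'bytes', 'gaps:', gaps,
          'sha256:', exported['sha256'])
```

The gap list matters more than it looks: a capture with a dropped packet still yields a plausible-looking file, and without the hole being recorded the export would be presented as complete. Chunked transfer encoding and compressed bodies are not handled here.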

(50)

PDA Imager & Analyzer


(51)

Introduction

Many criminals are now using electronic devices other than PCs to commit illegal activities. Cellular telephones, smart phones and Personal Digital Assistants (PDAs) are only a few of the devices that forensic investigators must now examine. C-DAC(T) has developed forensic software and hardware tools for the analysis of such devices, and the PDA Forensics Suite is one of them. The PDA Forensics Suite is a software tool to forensically acquire, analyze and present digital evidence from WinCE and Palm OS based PDAs and smart phones in a court of law. It consists of two software tools: PDA Imager and PDA Analyzer.

(52)

PDA Imager

PDA Imager is used to forensically image PDAs and smart phones. It performs logical and physical acquisition of the devices, and hashes the acquired data to authenticate the evidence. Version 1.0 of this software supports acquisition of WinCE and Palm OS based PDAs and smart phones. The tool was developed according to the guidance provided by NIST for handheld devices.

(53)

PDA Imager

Standard Windows application

Imaging tool for WinCE / Pocket PC / Windows Mobile / Palm OS PDAs

Acquisition through USB connection

Supports physical and logical acquisition

Logical acquisition includes files, databases and registry

Supports MD5 hashing

Creates a single evidence file with a specific format

Supports comprehensive HTML reporting

(54)

PDA Imager – screenshots (slides 54–57)

(58)

PDA Analyzer

PDA Analyzer is used to forensically examine the evidence collected from PDAs and smart phones. It takes the evidence file acquired by PDA Imager as input, identifies the required information in the image if present, and displays it in a file viewer with all details.

(59)

Features

Standard Windows application

User login facilities

Creates a log of each analysis session and the analyzing officer's details

Explorer-type view of the contents of the whole evidence file

Display of folders and files with all attributes

Text/Hex view of the content of a file

Picture view of an image file

Gallery view of images

Timeline view of files

Single and multiple keyword search

Search with GREP expressions

File search based on extension

Bookmarking facility for data, files and folders

Registry viewer

(60)

PDA Analyzer – feature screenshots (slides 60–64)

(65)

SIM Card Imager & Analyzer

(66)

A forensic acquisition tool for GSM SIM cards

Indigenously developed by the Resource Centre for Cyber Forensics

Analysis methods as per NIST guidelines

Generates a detailed report for presentation in court

(67)

Acquires the following contents from the SIM card:

Phone book

Messages

Location information

IMSI

Last dialed numbers

(72)

SIM Card – Analysis screenshots (slides 72–76)

Phone book details
Message details
Location information
Message summary
Hash values of different items

(77)

Cyber Forensics Hardware Tools

TrueImager & TrueLock

(78)

TrueImager

A disk forensic hardware tool for seizing and acquiring storage media at the scene of a cyber crime, specially designed for Indian Law Enforcement Agencies

TrueLock

A hardware forensic tool for write-protecting suspect storage media while it is being seized and acquired at the scene of a cyber crime

(79)

Features & Benefits

Smart, portable, handheld cyber forensics digital evidence image recorder

- Seizure

- Acquisition

High-speed data transfer at the rate of 3 GB/min

Built-in write protection of the suspect disk

Wiping feature for sanitising the destination (evidence) disk before acquisition

(80)

Features (contd.)

Different views

Supports 3 types of suspect disk media:

(81)

TrueLock

A hardware drive lock which prevents all data writes to hard disk drives connected to a computer's IDE interface

Helps in the preservation of digital evidence

A cost-effective solution for supporting disk imaging

(82)

Features

Supports all IDE drives

Requires no special software

Physical dimensions: 84 mm × 41.5 mm × 25 mm

Write-protects the IDE hard disk connected to the PC's IDE interface

(83)

Achievements

• Designed and developed the first indigenous suite of products for carrying out cyber forensics investigation

• More than 175 copies of C-DAC's CyberCheck Suite licensed to Law Enforcement Agencies

• Conducted more than 25 basic and advanced level training programmes on cyber forensics for LEAs

• Analyzed more than 200 cyber crime cases and submitted technical reports to different courts in India

(84)

Organizations that use CyberCheck Suite

Hitech Cyber Cell, Thiruvananthapuram
Army Cyber Security Establishment, New Delhi
Intelligence Bureau, New Delhi
Delhi Police, New Delhi
CBI Academy, Ghaziabad
GEQDs of Hyderabad and Shimla
CFSL, Hyderabad
FSLs of Chandigarh, Chennai, Thiruvananthapuram and Haryana
DFSL, Gujarat
Cyber Crime Investigation Cell, Thane, Maharashtra
Cyber Cells of Bangalore and Arunachal Pradesh
SCRB, Thiruvananthapuram
National Academy of Taxes, Nagpur
National Police Academy, Hyderabad
Cabinet Secretariat, New Delhi

(85)

Training on Cyber Forensics

Successfully conducted more than 25 training programmes covering basic and advanced cyber forensics concepts.

Conducted a certificate programme on cyber forensics for 32 officers of Kerala Police.

Conducted separate two-week training programmes on cyber forensics for officers from the Intelligence Bureau and Forensic Science Laboratories.

Conducted 7 one-week training programmes for judicial officers, in collaboration with CCA, at different State Judicial Academies.

Recently conducted a one-month training programme on cyber forensics for 51 police officers from all police districts of Kerala.

(86)

Case Categories

Nature of Crime        Number
Hacking                    17
Document Forgery           65
Financial Frauds           22
Software Piracy             7
Pornography                13
Mobile Phone Crime         64
Email Crimes               41

(87)

Cyber Forensic Analysis Statistics

Agency                 Reported Cases   Completed Analysis
RAW                                 1                    1
CBI                                32                   26
Bangalore Police                    6                    6
CCPS Bangalore                     27                   24
Chennai Police                      3                    2
Crime Branch, Kerala               17                   11
Vigilance, Kerala                  16                    9
Kerala Police                     127                   74

(88)

Advantages of C-DAC Solutions

• Completely indigenous development

• Self-reliance in technology

• Cost-effective solution

• Developed for Law Enforcement Agencies and corporate houses

• Total technical support

(89)

• Development of an Enterprise Forensics System that will provide proactive solutions to cyber crimes and offences in enterprise and corporate networks

• Design and development of advanced forensic tools for memory analysis, malware analysis, software forensics, peripheral device forensics, etc.

• Setting up Virtual Training Environment facilities for training

(90)

• Provide a well-tested and certified cyber forensics suite of products (CyberCheck Suite) for acquisition and analysis on a portable lab as well as a forensic workstation

• Cost-effective solution

• Software for network forensics, live forensics and device forensics

• Hardware tools for disk forensics

• Introductory training in cyber forensics

• Advanced training in cyber forensics

(91)


Contacts:

B.Ramani, Addl. Director :

V.K.Bhadran, Addl. Director : bhadran@

K.L.Thomas, Jt.Director :

Resource Centre for Cyber Forensics
Centre for Development of Advanced Computing
Vellayambalam, Thiruvananthapuram
Kerala – 695033

(92)

THANK YOU
