Indian Efforts in Cyber Forensics - Cyber · PDF fileIndian Efforts in Cyber Forensics ......

Indian Efforts in Cyber Forensics

10-Feb-09 Resource Centre for Cyber Forensics 1

B. RamaniAddl. Director

Presentation Overview


• About C-DAC

• Resource Centre for Cyber Forensics

• C-DAC Cyber Forensics Solutions

• Future Plans

C-DAC, Pune

C-DAC, Bangalore

C-DAC, Delhi

C-DAC, Hyderabad

C-DAC, Mumbai

C-DAC, Chennai

C-DAC, Kolkata

C-DAC, Mohali

C-DAC, Noida

C-DAC, Trivandrum

National Coverage

Established in 1974 as Keltron R&D Center;Taken by GoI in 1988;

Formerly Known as ERDCIWork force of 800+

An ISO 9001-2000 certified premier R&D Institution involved in the

design, development and deployment

of world class electronic and IT solutions for economic and human

advancement, under DIT,Govt of India

C-DAC Trivandrum

AREAS OF RESEARCH

Control & Instrumentation Power Electronics Broadcast & Communications Strategic Electronics ASIC Design Cyber Forensics

Resource Centre for Cyber Forensics

The Resource Centre for Cyber Forensics (RCCF) is the premier centre for cyber forensics in India. It was setup in C-DAC, Thiruvananthapuram by the Ministry of Communications and Information Technology and has been functioning for the past three years.

The primary objectives of RCCF are

Develop Cyber Forensics tools based on requirements from Law Enforcement AgenciesCarry out advanced research in cyber forensics Provide technical support to LEAs


C-DAC Cyber Forensics Solutions


C-DAC ToolsCyberCheck Suite – Disk Forensics Tools

• TrueBack V3.1 on Linux – Disk Imaging Tool• TrueBack V1.0 on Windows – Disk Imaging Tool• CyberCheck V3.2 on Windows – Data Recovery and Analysis Tool

NetForce Suite – Network Forensics Tools• CyberInvestigator V1.0 on Windows – Forensic Log Analyzer• NeSA V1.0 on Linux – Network Session Analyzer• EmailTracer V3.0 on Windows – Tool for tracing sender of email

DeviceAnalyst Suite – Device Forensics Tools • PDA Imager & Analyzer – Tool for imaging and analyzing PDA contents• SIM Card Imager & Analyzer – Tool for imaging and analyzing GSM SIM Cards• CDR Analyzer – Tool for analyzing Call Data Records

Cyber Forensics Hardware Tools • TrueImager – High speed H/W based Disk Imaging Tool• TrueLock – H/W based drive lock for write protecting IDE/SATA disks

10-Feb-09 Resource Centre for Cyber Forensics8

TrueBack

Tuesday, February 10, 2009 9

TrueBack – Disk Imaging Tool

Software Tool for seizing, acquiring and authenticating Digital Evidence

Indigenously developed by RCCF, C-DAC, Thiruvananthapuram

Widely used and Certified by agencies like NPA, CBI, IB, CBI Academy, Kerala Police, Forensics Science Laboratories and GEQDs

Import substitution for similar products

Cost-effective solution

Ideal for the use of Indian Law Enforcement Agencies

National Institute of Standards and Technology (NIST), USA, disk imaging tool specification compliant

Implementation of National Police Academy (NPA) procedures for Seizure and Acquisition

Preview, Seize, Acquire and Seize & Acquire modes of operation

Imaging of IDE, SCSI, SATA, CD, DVD, Floppy and USB devices

Report generation in each mode of operation

Storage media content previewing facility before seizure and acquisition


Main User Interface


Collecting case details


Selecting media for Seizure


Case data summary


TrueBack – Seizure process in progress


Seizure process completed


Seizure Report


Hash values of media and blocks


CyberCheck


CyberCheck – Data Recovery and Analysis Tool

Software Tool for authenticating, recovering, analyzing and reporting Digital Evidence

Indigenously developed by RCCF, C-DAC, Thiruvananthapuram

Widely used (Over 175 copies have been sold) and Certified by agencies like NPA, CBI, IB, CBI Academy, Kerala Police, Forensics Science Laboratories and GEQDs

Import substitution for similar products

Cost-effective solution

Ideal for the use of Indian Law Enforcement Agencies

FeaturesIndian Language support

Powerful Data recovery facilities

High speed search facility

Comprehensive Timeline features

Detailed Report Generation facility

Integrated Email and Internet History Viewer

Facility for identifying password protected files

Facility for viewing nested ZIP files


Unicode and Indian Language Support


Table and Disk views


Picture Gallery View


Timeline View


Search hits view


Recovery of deleted file


Report generated by CyberCheck


EmailTracer


Tuesday, February 10, 200931

Features • Trace the originating IP address and other details from

email header• Generates detailed HTML report of email header analysis• Find the city level details of the sender• Plot Route traced by the mail • Display the originating geographic location of the mail in

the world map• Keyword searching facility on email content including

attachment

EmailTracer – S/W tool for tracing sender of an email

EmailTracer – WhoIs SearchTuesday, February 10, 2009

34


EmailTracer – NS LookUpTuesday, February 10, 2009

35


Email Tracer – IP TraceBackTuesday, February 10, 2009

36


Detailed ReportTuesday, February 10, 2009

37


CyberInvestigator


CyberInvestigator

Indigenously developed by CDAC ThiruvananthapuramHelps Law Enforcement Agencies in investigating Cyber CrimesLog analysis toolAnalyses Windows and Linux LogsOffline Intrusion AnalysisQuerying facility

Features of CyberInvestigator

Supports analysis of offline logsBuilt in & User defined queries.Signature based Offline Intrusion AnalysisSupports analysis of Windows event logsSupports analysis of Linux logs like message log, utmp,wtmp & CronSupports web traffic analysisSupports analysis of Access log & IIS LogCollects information regarding the insertion of USB devicesCollects information regarding unauthorised access

CyberInvestigator- Main User Interface

Query Interface for Windows Event log

Analysis O/P of wtmp log

Network Session Analyzer (NeSA)


NeSA

Indigenously developed by CDAC Thiruvananthapuram

Helps Law Enforcement Agencies in investigating Cyber Crimes

Offline Network session analysis tool

Reconstructs network sessions from dump files

Helps in network trouble shooting and debugging

Misuse detection

Gather network statistics

Features of NeSA

Session Reconstruction - HTTP, SMTP, POP3 and FTPDisplays the data in Hex view, Image view, File view and Mail

viewPowerful & Flexible filtering and searching facilityFiltering based on MAC, IP, Port, Protocol, Date and TimeFacility to export reconstructed filesStatistics generation based on different criteriaTime zone based analysis

POP3 Session – Hex View

HTTP Session – Thumb Nail View

POP3 Session – Mail View

PDA Imager & Analyzer


IntroductionMany criminals are now using electronic devices otherthan PCs to commit illegal activities. Cellular telephones,Smart Phones, and Personal Digital Assistants (PDAs) areonly a few of the devices that must now be examined byforensic investigators. CDAC(T) has developed forensicssoftware and hardware tools for the analysis of suchdevices and PDA Forensics Suite is one among them.

PDA Forensics Suite is a is a software tool to forensicallyacquire, analyze and present the digital evidence fromWinCE and Palm OS based PDAs/Smart Phones beforethe court of law. It consists of two software tools - PDAImager and PDA Analyzer

PDA Imager

PDA Imager is used to forensically image PDAs and SmartPhones. It performs logical and physical acquisition of thedevices. It also performs Hashing for authenticating theevidence. Version 1.0 of this software supports acquisitionof WinCE and Palm OS based PDAs and Smart Phones.This tool is developed as per the directions provided bythe NIST for handheld devices.

PDA Imager

Standard Windows application

Imaging tool for WinCE/Pocket PC/ Windows

Mobile/Palm OS PDAs.

Acquisition through USB connection.

Supports physical and logical acquisition.

Logical acquisition includes files, database and registry.

Supports MD5 Hashing.

Creates a single evidence file with a specific format.

Supports comprehensive HTML reporting.

Features

PDA Imager

PDA Imager

Seizure & Acquisition

Acquiring PDA

Acquisition Report

PDA Analyzer

PDA Analyzer is used to forensically examine theevidence collected from PDAs and Smart Phones.It takes the acquired evidence file taken by PDAImager as input and identify the requiredinformation from the image if present and displayit in a file viewer with all details.

Standard Windows application. User login facilities. Creates log of each analysis session and analyzing officer’s

details. Explorer type view of contents of the whole evidence file. Display of folders and files with all attributes. Text/Hex view of the content of a file. Picture view of an image file. Gallery view of images. Timeline View of Files Single and Multiple Keyword search. Search with GREP expressions. File search based on extension. Book marking facility for data, files and folders Registry viewer

Features

PDA Analyzer

PDA Analyzer

File Viewer

Gallery Viewer

Features(Contd.)

Timeline Viewer

Features(Contd.)

Analysis Report

SIM Card Imager & Analyzer


A forensic acquisition tool for GSM Sim Cards

Indigenously developed by Resource Centre for Cyber Forensics

Analysis methods as per NIST guidelines

Generates a detailed report for presentation in court


Acquires the following contents from SIM Card

Phone Book

Messages

Location Information

IMSI

Last Dialed Numbers


SIM Card - Acquisition

Phone Book Details

SIM Card - Analysis

Message Details

SIM Card - Analysis

Location Information

SIM Card - Analysis

Message Summary

SIM Card - Analysis

Hash Values of different items

SIM Card - Analysis

Cyber Forensics Hardware Tools

TrueImager & TrueLock


TrueImager

A hardware forensic tool for write protectingsuspect storage media while seizing and acquiringthe media from the scene of cyber crime

TrueLock

A disk forensic hardware tool for seizing andacquiring storage media from the scene of cybercrime specially designed for Indian Law EnforcementAgencies

Hardware Tools

Features & Benefits

Smart, Portable handheld Cyber Forensics Digital Evidence Image Recorder.

- Seizure

- Acquisition

High speed data transfer at the rate of 3GB/min

Offers built in write-protection of suspect disk.

Support Wiping feature for sanitizing the evidence disk.

Features Contd….

Different Views….

Support 3 types of Suspect disk media:

IDE disk SATA disk USB disk

TrueLock

A hardware drive lock which prevents all data writes to hard disk drives connected to a computer’s IDE interface.

Helps in the preservation of digital evidence.

A cost-effective solution for supporting disk imaging

Connecting Hard disk to PC through True Lock

Features

Supports all IDE Drives.

Requires no special software.

Physical Dimension: 84mm X 41.5mm X 25mm

Write protects the IDE Hard Disc connected to the PC’s IDE interface.

Achievements

• Designed and developed the first indigenous suite of products for carrying out cyber forensics investigation

• More than 175 copies of C-DAC’s CyberCheckSuite licensed to Law Enforcement Agencies

• Conducted more than 25 basic and advanced level training programmes on Cyber Forensics to LEAs

• Analyzed more than 200 Cyber Crime cases and submitted technical reports to different courts in India


Organizations that use CyberCheck Suite

Hitech Cyber Cell, Thiruvananthapuram

Army Cyber Security Establishment, New Delhi

Intelligence Bureau, New Delhi

Delhi Police, New Delhi

CBI Academy, Ghaziabad

GEQDs of Hyderabad and Shimla

CFSL, Hyderabad

FSLs of Chandigarh, Chennai, Thiruvananthapuram and Haryana

DFSL, Gujarat

Cyber Crime Investigation Cell, Thane, Maharashtra

Cyber Cells of Bangalore and Arunachal Pradesh

SCRB, Thiruvananthapuram

National Academy of Taxes, Nagpur

National Police Academy, Hyderabad

Cabinet Secretariat, New Delhi

Kerala IT Mission, Thiruvananthapuram

Training on Cyber Forensics

Successfully conducted more than 25 training programmes covering basic and advanced Cyber Forensics concepts.

Conducted a certificate programme on Cyber Forensics to 32 officers of Kerala Police.

Conducted 2 weeks separate training programmes on Cyber Forensics to officers from Intelligence Bureau and Forensic Science Laboratories.

Conducted 7 training programmes of one week duration to Judicial Officers in collaboration with CCA at different State Judicial Academies.

Recently conducted one month training programme on Cyber Forensics to 51 Police Officers from all Police Districts of Kerala.

Case Categories

Nature of Crime NumberHacking 17

Document Forgery 65

Financial Frauds 22

Software Piracy 7

Pornography 13

Mobile Phone Crime 64

Email Crimes 41

Total 229

Cyber Forensic Analysis Statistics

Agency Reported Cases Analysis Completed

RAW 1 1CBI 32 26

Bangalore Police 6 6CCPS Bangalore 27 24Chennai Police 3 2

Crime Branch, Kerala 17 11

Vigilance, Kerala 16 9Kerala Police 127 74

Total 229 153

Advantages of C-DAC Solutions

• Completely indigenous development

• Self-reliance in technology

• Cost-effective solution

• Developed for Law Enforcement Agencies and Corporate houses

• Total technical support



• Development of Enterprise Forensics System that will provideproactive solutions to cyber crimes and offences in Enterpriseand Corporate networks.

• Design and development of advanced forensic tools formemory analysis, malware analysis, software forensics,peripheral device forensics, etc.

• Setting up Virtual Training Environment facilities for training

Current Activities


• Provide a well tested and certified cyber forensics suite ofproducts (CyberCheck Suite) for acquisition and analysis onportable lab as well as forensic workstation

• Cost effective solution• Software for Network Forensics, Live Forensics and Device

Forensics• Hardware tools for disk forensics• Introductory training in cyber forensics• Advanced training in cyber forensics

What C-DAC can offer


Contacts:

B.Ramani, Addl. Director : [email protected]

V.K.Bhadran, Addl. Director : [email protected]

K.L.Thomas, Jt.Director : [email protected]

Resource Centre for Cyber Forensics

Centre for Development of Advanced Computing

Vellayambalam, Thiruvananthapuram

Kerala – 695033

Phone: 0471 2728929

mailto:[email protected]�



THANK YOU


Indian Efforts in Cyber Forensics - Cyber · PDF fileIndian Efforts in Cyber Forensics ......

Documents

Transcript of Indian Efforts in Cyber Forensics - Cyber · PDF fileIndian Efforts in Cyber Forensics ......