The mysteries of cyber forensics

Print edition : September 24, 2004

Pursuing a cyber crime to a logical conclusion is a complex task that demands hard and sustained work, active industry-police liaison and a judiciary trained to hear this modern face of crime.

A YOUNG software engineer of Mumbai is in deep trouble. The company for which she worked until recently has alleged that she was guilty of stealing a valuable source code. According to the company, the software that was being developed by it was for making identity cards for sensitive government institutions such as the armed forces and the police in the United States. In the company's view, her unauthorised and dishonest action in downloading the code on to her Yahoo account amounted to a criminal offence. The complaint originally made to a local police station was subsequently transferred to the cyber crime cell of the Mumbai City Police. The cell is reported to be sceptical of the complaint and seems to be reluctant to move forward. The software company has, therefore, gone to the Bombay High Court praying for a direction to the cell to investigate the complaint thoroughly.

The incident illustrates the complexity of pursuing a cyber breach and taking it to its logical conclusion of a police investigation as envisaged by the Information Technology Act, 2000. It is just possible that the Mumbai software firm had overreacted to a minor lapse on the part of one of its freshers. It is equally probable that the programmer was dishonest and had intended to harm the reputation of her company. In either case, it is an incident serious enough to cause damage to the whole IT industry at a time when there is a huge outcry in the U.S. against outsourcing. U.S. firms are extremely paranoid about data security at offshore centres, and the incident like the one in Mumbai can send alarm signals. This is why it needs to be investigated with all seriousness and the truth ferreted out. Either way the Mumbai Police owe it to the whole software industry to come out with its findings at the end of the investigation, if only those in the trade in India have to carry conviction with U.S. customers that data security will in no way be diluted at India's offshore sites.

This brings me to the point: how complicated are cyber crime investigations, and how well are Indian police agencies equipped to handle them? The average reader who hears about cyber crime day in and day out requires to be told of a few fundamentals of cyber forensics, a fascinating area in every respect. But first, what are the normal cyber crimes that a computer user and the police will have to contend with? I can think mainly of a few that are significant in terms of their frequency and their impact on the victim. These are: hacking (unauthorised and unlawful intrusion into a computer system for a dishonest purpose such as stealing information or altering it), introduction of viruses (unauthorised circulation of programmes that multiply themselves or otherwise corrupt existing information in a system in such a way as to interfere with the working of the system), cyber stalking (harassment or intimidation of an individual through online messages by a person who hides his identity while sending the annoying or obnoxious message), pornography and spoofing or `phishing' (where a person is made to believe that a message which comes in is from a trusted website when it has actually emanated from a fraudster and is made to part with sensitive information such as user name or a password pertaining to a bank account).

CYBER crime investigation proceeds on the same assumption as a conventional crime; that the perpetrator, known individual or a suspect, had a motive (pecuniary gain or animosity) and an opportunity. Similarly, both forms of crime will have to present unassailable evidence against the offender that leaves no doubt in the minds of the court. The similarity ends here, because the nature of evidence that is required to be assembled and the procedure that is required for its collection are unique to cyber crime. The kind of knowledge and skills demanded of an investigator makes cyber crime unique and complicated.

Gone are the days when a mere print-out from a computer under investigation passed muster. We have come very far from such simple steps to the present day when the parts of a system such as a hard disk will themselves have to be seized, analysed and its contents decisively established to the satisfaction of the judge. An artless investigator, ignorant of how to preserve cyber evidence, can cause enormous damage to an otherwise promising case. There are hilarious accounts of how police station-level staff, totally innocent of the basics of a computer, handle the material evidence involved here. One officer is supposed to have driven holes on a number of floppy diskettes and passed a string through them to keep them together in a particular order!

A first step will have to be the photographing of the computer screen the moment a system is seized. The second is one of preventing anyone from using the system after the seizure, so that any attempt to overwrite on existing files is thwarted. A third important exercise will be to examine if any files on the hard disk had been eliminated, just in case the offender had received a tip-off about the police action. There is an array of software that can unearth and revive eliminated files that could carry valuable evidence. This is one way to beat the ingenuity of clued up computer criminals. A painstaking scrutiny of seized floppy disks is also an important aspect of cyber investigation. Since whatever is written on a hard disk or floppy disks can be easily altered and overwritten, it is essential to prove in court that no one had access to such material that lent an opportunity for tampering with the evidence or that there was a possibility of any unintentional and accidental contamination of the material seized.

One feature of cyber crime investigation is the heavy dependence of both the prosecution and defence on expert witnesses. This is analogous to the need for medical evidence in a variety of traditional crime such as homicide or rape. I recently came across an outstanding account of facets of cyber investigation by a United Kingdom professor who had specialised in the area and was quite in demand to prove either the guilt or the innocence of a suspect. Traces of Guilt (Bantam Press, 2004) by Neil Barrett, Professor of Computer Criminology at Cranfield University, is a strikingly original perspective of what we need to know of cyber crimes and their investigation. I would strongly commend police officers as well as those who dabble in computers to read it.

A case described by Prof. Barrett that impressed me most was that of a young researcher at one U.K. university who was drawn to studying the psychology of homosexual paedophiles. Chris, the researcher, was determined to find a treatment regime for such abnormal individuals, in jail or mental hospitals. The idea was either to cure them or at least identify the traits in them which they could use to harm children. Chris believed that face-to-face interviews with such individuals would hardly elicit truthful responses. Hence, he resorted to interviews through the Internet, posing as a fellow paedophile. As a consequence, he himself started receiving pornographic images. This was his undoing. To keep the charade going, he had to send a few such pictures that he himself bought in the market to those who had been interacting with him. To his misfortune this brought Chris into contact with people already under investigation by the Federal Bureau of Investigation (FBI) in the U.S., and it was a question of time before the U.K. Police were alerted, leading to his arrest. The police search of his computer files at the Psychology Department's computer gave all the evidence required - including e-mails with American contacts under FBI surveillance - to nail a charge against him of indulging in on-line child pornography. Prof. Barrett was approached by the defence to prove Chris' innocence against the prosecution charges of `making and possession' of and `possession with the intent to distribute' indecent pictures.

Prof. Barrett was convinced that Chris was only an overzealous researcher. But he had to contend with the enormous material evidence that the prosecution had marshalled against Chris. The only way the latter could be saved was to establish that he was the victim of a frame-up and that all the images he had on his system were introduced by a person who had hacked into that system. The objective was to throw enough doubt on the prosecution story so that he received the benefit of the doubt! Readers know that many of our criminal lawyers are adept at this. This is a relatively simple task in conventional crime. In a cyber offence, it is altogether a different proposition, requiring monumental effort and painstaking scrutiny of Chris' log. This Prof. Barrett did with great felicity.

The first flaw that he found was that the police had failed to take copies of the files in Chris' system before anyone could tamper with them. Going through what is known as the `history file' containing all commands given by the user, Barrett could find one number, `08', preceding every 10-digit number assigned to each of the 100 commands recorded in the file by the user. The police did not have a clue as to what `08' represented. This is where when one tends to believe that some crimes are solved by drawing on the simplest of experiences.

Prof. Barrett's daughter had once quizzed him as to how old he was, in terms not of years or months or days, but in terms of seconds! Barrett recalled that this number worked out to one of ten digits! Possibly the 10-digit number in Chris' computer history file also represented the time for which the machine's operating system had been "alive"! So the numbers beginning with 08 were a time stamp represented in seconds. From this discovery, Barrett could hit upon the real time at which each command was typed and also group commands into various sessions. Barrett could prove that the commands during the final session, before the police arrested Chris, were "wholly different in character" from any of the others associated with him.

During this particular session, which was around the early hours of the morning before Chris was arrested, the commands were unusual in that they seemed to be from a stranger who was possibly quickly rummaging the files, than from a person familiar with the hierarchy of files. Barrett could also unearth from one of the commands the name of the terminal that the intruder was using. This was a piece of information that the latter had unwittingly typed while telling the computer what type of terminal he was using. It was proved to the satisfaction of the court that the computer that had hacked into Chris' system was in the university system administrator's room that was inaccessible to students like Chris.

What Barrett did thereafter was more clinching. He could prove that after seizing Chris' system, the police had asked the university's system administrator to inspect Chris' computer files. This was in fact done by the administrator, but rather clumsily leaving his own commands on Chris' history files! He also used Chris' identity for his operations, and in the process, overwrote the date and time stamps on Chris' files. Nothing could be more devastating to the prosecution story. Prof. Barrett's clever exercise naturally forced the prosecution to drop it first charges.

Unfortunately, however, the evidence to prove that Chris had conscious possession of pornographic material was still available for the prosecution to press a second charge that the court upheld. Prof. Barrett was frustrated because he had identified himself so much with Chris and had been so much convinced of his bona fides that he felt cheated by his conviction. The moral of the episode, in his view, was however that an expert should not believe that he was before a judge to prove the guilt or innocence of the person arraigned. His task was only to deliver the facts and his opinion thereon. Thereafter it was the business of the court to come to any conclusion.

Prof. Barrett's delightful book has many more real stories that are enchanting. The point that he makes eloquently is that computer-crime investigation involves hard and sustained work. It also calls for active industry-police liaison. This would effectively mean that telecommunication and Internet companies should work in tandem with investigating agencies.

The police in India are becoming IT-savvy and cyber crime cells in the metros are gearing up to meet the challenge. Training policemen in this area is an arduous task. The exercises initiated till now have now paid some dividends. One point that Prof. Barrett makes is as much true of India as it is of the U.K. The judiciary that has to hear cyber crime cases is yet to be trained. Its ignorance is appalling, to say the least. It is for Chief Justices of High Courts to launch a drive so that at least a small segment of the lower judiciary is trained and equipped to understand a case before it starts hearing the evidence. Encryption of whatever a computer contains is becoming the order of the day, making workstations more secure and criminality less discernible. This will not only make investigation more difficult, but the comprehension of evidence even more problematic.

It will be appropriate for me to sign off quoting what Prof. Barrett has to say of the cyber crime scene:

"Complicated technology and ill-informed courts; highly-strung and argumentative experts frequently pitted against one another; and a range of challenging and criminally important types of case: this is the world of computer forensics in the era of high-technology crimes."

All the players in the criminal justice system in India need to understand this truism about cyber crime if we are to prove to the rest of the world that we not only produce the best software in the world, but we are also the most skilful investigators of those who abuse the system that revolves round such software.

A letter from the Editor

Dear reader,

The COVID-19-induced lockdown and the absolute necessity for human beings to maintain a physical distance from one another in order to contain the pandemic has changed our lives in unimaginable ways. The print medium all over the world is no exception.

As the distribution of printed copies is unlikely to resume any time soon, Frontline will come to you only through the digital platform until the return of normality. The resources needed to keep up the good work that Frontline has been doing for the past 35 years and more are immense. It is a long journey indeed. Readers who have been part of this journey are our source of strength.

Subscribing to the online edition, I am confident, will make it mutually beneficial.


R. Vijaya Sankar

Editor, Frontline

Support Quality Journalism
This article is closed for comments.
Please Email the Editor