
Cyber Forensic Investigation Report

Submitted By: Name: Ivneet Singh; ID: TP023861; Intake: UC3F1010IT(ISS); Module: Data Recovery

Submitted To: NOR AFIFAH BINTI SABRI (Lecturer)

Contents

Computer Evidence Analysis Report
    Case Background
    Investigation Outlines
    First Information Report
    Property Search and Seizure Form
Request for Service
Chain of Custody Form
    Investigation Report
Chain of Custody Form
    Investigation Report
Chain of Custody Form
    Investigation Report
Cyber Forensic Analysis
    Evidence device 1
    Evidence device 2
    Evidence device 3
Computer Evidence Assessment Checklist
Cyber Forensic Analysis Report
Computer Evidence Analysis Checklist
Detailed Case
    Introduction
    Background of the issue
Details of the Cyber Forensic Analysis Carried Out by the Team
    Evidence Analysis
Complaint to Adjudicating Officer
Legal Issues
    Information Theft
    Applicable Law

COMPUTER EVIDENCE ANALYSIS REPORT

Case Background
An internal investigation is to be conducted at Detag Industries, a company that manufactures fuel cell batteries used by thousands of companies worldwide. The investigation is required because one of the research assistants in the R&D lab, Mr. Robert, is suspected of leaking confidential information to their major competitor, Rift, Inc. This came to light right after the company noticed that its clients were no longer re-ordering these fuel cell batteries, which were once unique to Detag, and were instead ordering from Rift, Inc. A thorough investigation into the reason established that a CD containing a great deal of confidential information had been taken out of the research and development laboratory without any authorization. Surveillance camera video showed that this offence had been committed on the 26th of April 2008 at around 4:45pm by Mr. Robert. Mr. Robert is therefore suspected of two crimes: accessing this confidential information without authorization, and leaking that information. To proceed with the investigation, a USB flash drive was seized from Robert Saunders. To help with the investigation, an investigation team consisting of IT security and forensic experts was approached. A USB flash drive and a laptop were later seized from Robert Saunders' possession for further investigation. Both were taken into custody by the company and handed over to the investigation team for analysis. The leader of the investigation team, David Keen, has requested you to analyze the USB flash drive and laptop and provide a report on your findings.

Investigation Outlines:
While investigating cybercrime cases, the team needs to follow the process outlined below:

1. The filled-in Request for Service (RFS) is obtained from the client (Detag). The RFS helps the team understand what the client expects from the investigation. In the RFS, the client describes the crime and requests the team to investigate it.
2. The team then appoints a lead investigator (Mr David) for the case. The lead investigator meets the client to discuss the investigative avenues and the potential evidence being sought in the investigation. The lead investigator and the investigation team for each case are appointed with great care and caution; the technical requirements of the investigation are the primary basis for selecting the team and the lead investigator.
3. The relevant information, media, documents etc. are then received from the client. A chain of custody form for each of these items is duly filled in by the team of investigators.
4. The chain of custody form for each device is meticulously updated throughout the investigation. One copy of the chain of custody form for each device is handed over to the client at the end of the investigation.
5. Where possible the media (USB and hard drive) is imaged. The original media is returned to the client and the image is retained for investigation.
6. The images are authenticated using the MD5 and/or SHA-1 hash functions. Detailed cyber forensic analysis and investigation are carried out in a secure and confidential manner by skilled professionals.
7. The findings of the analysis and investigation are properly documented and the relevant reports are submitted to the court.

FIRST INFORMATION REPORT (Under Section 154 Cr.P.C)

1. District : New Delhi Date: 27th April 2008

P.S: Green Lawns

Year:2008

FIR No: 29

2. (1) Act: Information Technology Act, 2000, Section 66
   (2) Act: Information Technology Act, 2000, Section 43

3. (a) Occurrence of offence: Date from: 26th April 2008 Time from: 1400 hours Date to: 26th April 2008 Time to: 1645 hours

(b) Information received at P.S.: Date: 27th April 2008 Time: 1000 hours

(c) General Diary Reference: Entry No. 29A/D

Time: 1000 hours

4. Type of Information: Oral

5. Place of Occurrence:
(a) Direction and distance from Police Station: North / 3.0 KM; Beat number: 2284
(b) Address: New Delhi / North Delhi, INDIA
(c) In case outside the limit of this police station, then Name of Police Station / District: (not filled in)

6. Complainant / Informant:
(a) Name: Mr. Harrison
(b) Father's / husband's name: Mr. Martin
(c) Date / year of birth: 11/09/1959
(d) Nationality: INDIAN
(e) Passport No: G560934; Place of Issue: New Delhi; Date of Issue: 12/12/1990
(f) Occupation: IT professional
(g) Address: Brown Road, Green Bihar, New Delhi, INDIA

7. Details of known / suspected / unknown accused with full particulars: Name: Mr. Robert; Sex: Male; Age: 35 years; Company: DeTag; Occupation: Research Assistant

8. Reasons for delay in reporting by the complainant / informant: Not applicable

9. Particulars of properties stolen Not applicable

10. Total value of property Not applicable

11. Inquest Report / U.D. case no., if any:

12. First information contents: On 26th April 2008, Mr. Robert was suspected of leaking the private and confidential information of the DeTag Company. A video surveillance tape was produced as evidence showing Mr. Robert copying the confidential information of the company onto compact disks. The video was taken on 26th April 2008 at 4:45 PM.

13. Action taken: Since the above information reveals commission of offence(s) u/s as mentioned at item No. 2:
(1) Registered the case and took up the investigation, or
(2) Directed: Mr. Karan Saxena, Rank: Asst. Commissioner of Police
(3) Refused investigation due to
(4) Transferred to police station No.: IPS2334 or District on point of jurisdiction.

F.I.R read over to the complainant / informant, admitted to be correctly recorded and copy given to the complainant / informant, free of cost

R.O.A.C Police Station

Signature of Officer in charge: Name: Karan Saxena; Rank: Asst. Commissioner of Police; No. IPS2334

14. Date and time of dispatch to the court: 28th April 2008, 1000 hours

PROPERTY SEARCH AND SEIZURE FORM (Search / Production / Recovery u/s 51/102/165 Cr.P.C)

1. District : New Delhi

P.S: Green Lawns

Year:2008

FIR No: 29

2. Act & sections: Section 66 of the Information Technology Act, 2000

3. Nature of property seized: Stolen / Unclaimed/ unlawful possession / Involved / Intestate.

4. Property Seized / recovered: (a) Date: 28th April 2008 (b) Time: 1100 hours (c) Place: 14 Alex Street, New Delhi (d) Description of the place: DeTag Company, New Delhi

5. Person from whom seized / recovered: Name: Mr Harrison; Sex: Male; Father's name: Mr Joe; Age: 42 years; Address: DeTag Company, New Delhi; Professional receiver of stolen property: Yes / No

6. Witness:

(1) Name: Savita Kulkerni; Father's / husband's name: Gokul Kulkerni; Age: 43 years; Occupation: IT professional; Address: 123, LIM SIM, New Delhi

(2) Name: Abhijeet Nayaran; Father's / husband's name: Venkat Narayan; Age: 35 years; Occupation: IT professional; Address: 270, Green Avenue road, New Delhi

7. Action taken/ recommended for disposal of perishable property Not Applicable

8. Action taken / recommended for keeping of valuable property Deposited with computer storage room at New Delhi District Court

9. Identification required : Yes / No

10. Details of property seized / recovered:
(1) Toshiba Laptop, Model no A48756876, serial number 95535353BF
(2) Kingston USB Flash Drive, Model No M9724ZP/A, serial number MHY2250BH
(3) Video Tape, Model No TDK E249 NHS, serial number 223-442-2060

11. Circumstances / grounds for seizure: The above laptop, USB flash drive and video tape are suspected to have been used to plan and commit the offence by the accused in Case no. 29 registered with Green Lawns Police Station.

12. The above mentioned properties were seized in accordance with the provisions of law in the presence of the above said witnesses, and a copy of the seizure form was given to the person / the occupant of the place from whom seized.

13. The properties mentioned above were packed and / or sealed and the signature of the above said witnesses obtained thereon or on the body of the property.

REQUEST FOR SERVICE

RFS No.: IN-PNQ/03-08/084
Date: 28th April 2008
Client name and address: DeTag Company, New Delhi, INDIA
Client's authorised representative: Name: Mr Harrison; Email: harrison@detag.com; Phone: 9812288990; Fax: 011-604690

Background of the case: On 26th April the Detag company found the suspect Mr Robert, working as an assistant researcher in the research and development department, leaking the DeTag Company's confidential information to their competitors. From the video surveillance tape they found that Mr Robert copied the confidential information from the company laptop onto a compact disk.

Details of the media:
(1) Toshiba Laptop, Model no A48756876, serial number 95535353BF
(2) Kingston USB Flash Drive, Model No M9724ZP/A, serial number MHY2250BH
(3) Video Tape, Model No TDK E249 NHS, serial number 223-442-2060

Have the computer(s), media etc. mentioned above been accessed / examined prior to being handed over to the team? If yes give details: The Laptop, USB flash drive and Video Tape have been seized from the suspect. Thereafter there has been no access / examination of the media listed above.

Services requested from team: Analyse the seized hard disk from the laptop, the Kingston flash drive and the video surveillance tape to recover evidence related to the undisclosed information.

For internal use only (Please leave blank):
Case received on: 28th April 2008
Case category: Tax / Porn / Financial / Cyber
Case received by: Mr David
Referred by: Mr Harrison
Priority: 1 2 3 4 5 6 7 8 9 10


Chain of Custody Form


Lead Investigator: Mr David
Case number: IN-PNQ/03-08/084
Evidence number: HDD-01
Date and time of confiscation / recovery: 28th April 2008 [1425 hours]
Person from whom confiscated / recovered: Mr Robert
Place of confiscation / recovery: DeTag Company, New Delhi, INDIA
Details of prior access / investigation: NIL
Description of media: TOSHIBA LAPTOP HARD DISK
Model no: M9724ZP/A
Capacity: 160 GB
Manufacturer: TOSHIBA
Jumper: Master
Serial no: 95535353BF
Interface: IDE
Dimensions: 10cm * 14.5 cm * 2.5 cm
LBA Add. Sec.: 78,242,976
Unusual marks, if any: None

Chain of custody:
Date and Time                 Released by    Released to    Purpose of change of custody
29th April 2008 1005 hours    Mr David       Mr Thomas      Creation of Image
29th April 2008 1245 hours    Mr Thomas      Mr David       Computation of hash value
29th April 2008 1430 hours    Mr David       Mr Harrison    For returning to client (Returned to Client)
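A chain of custody is only evidence of continuity if every hand-over is made by whoever currently holds the item and the entries are in time order. The script below is an added example, not part of this report: it encodes the three HDD-01 custody entries above as records and checks the chain for gaps, self-transfers and out-of-order timestamps. The entry values are copied from the form above; the function names and the "first custodian" argument are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Transfer:
    """One row of a chain-of-custody form."""
    when: datetime
    released_by: str
    released_to: str
    purpose: str


# Constructed from the HDD-01 custody rows above (29th April 2008, 1005 / 1245 / 1430 hours).
HDD01_CHAIN = [
    Transfer(datetime(2008, 4, 29, 10, 5), "Mr David", "Mr Thomas", "Creation of Image"),
    Transfer(datetime(2008, 4, 29, 12, 45), "Mr Thomas", "Mr David", "Computation of hash value"),
    Transfer(datetime(2008, 4, 29, 14, 30), "Mr David", "Mr Harrison", "For returning to client"),
]


def check_chain(transfers, first_custodian):
    """Return a list of problems found in a custody chain (an empty list means unbroken).

    Checks performed:
      - the first release is made by the person who took the item into custody;
      - every later release is made by whoever received the item last;
      - nobody releases an item to themselves;
      - timestamps strictly increase from row to row.
    """
    problems = []
    holder = first_custodian
    last_time = None
    for i, t in enumerate(transfers, start=1):
        if t.released_by != holder:
            problems.append(
                f"entry {i}: released by {t.released_by!r} but custody was with {holder!r}"
            )
        if t.released_by == t.released_to:
            problems.append(f"entry {i}: released to the same person")
        if last_time is not None and t.when <= last_time:
            problems.append(f"entry {i}: timestamp {t.when} is not after previous {last_time}")
        holder = t.released_to
        last_time = t.when
    return problems


def current_custodian(transfers, first_custodian):
    """Whoever received the item in the last row holds it now."""
    return transfers[-1].released_to if transfers else first_custodian


if __name__ == "__main__":
    # The lead investigator (Mr David) took HDD-01 into custody at seizure.
    print("problems:", check_chain(HDD01_CHAIN, "Mr David"))
    print("current custodian:", current_custodian(HDD01_CHAIN, "Mr David"))
    # Dropping the middle row produces a gap: Mr David releases an item Mr Thomas still holds.
    print("with a missing row:", check_chain([HDD01_CHAIN[0], HDD01_CHAIN[2]], "Mr David"))
```

The same check can be run on the USB-01 and VHS-01 forms; a non-empty problem list is a defect in the paperwork that has to be explained before the item is relied on in court, not something to silently correct.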


Investigation Report

The MD5 hash value of HDD-01 [Case: IN-PNQ/03-08/084], as computed using WinHex 14.4 SR2 software (hereafter referred to as WinHex) licensed to the investigation team, is:

MD5 HASH (128 Bit) = 1F4E08B0FAECC667EC2DC500BD118AEE

[Screenshot: Computing MD5 (128 Bit) HASH VALUE]

[Screenshot: Computing SHA-1 (160 Bit) HASH VALUE]

SHA-1 HASH (160 Bit) = DE4C8CD227F6A0B4A1E1D08DF95034381F15388E

The image of evidence number HDD-01 was created by Mr David using WinHex. The images were named as USB-01. The MD5 and SHA-1 hash values of the image as computed using WinHex are:
MD5 HASH (128 Bit) = 1F4E08B0FAECC667EC2DC500BD118AEE
SHA-1 HASH (160 Bit) = DE4C8CD227F6A0B4A1E1D08DF95034381F15388E
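The matching hash values above, together with steps 5 and 6 of the Investigation Outlines (image the media, then authenticate the image with MD5 and/or SHA-1), are what show the working image is bit-for-bit identical to the seized drive. The script below is an added example, not part of this report and not WinHex: it computes MD5 and SHA-1 in one chunked pass over an image file and compares both against the values recorded on the paperwork. The file paths, the helper that writes a stand-in image, and the sample contents are constructed for the example.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # read the image 1 MiB at a time; a 160 GB image never fits in memory


def hash_image(path):
    """Return (md5_hex, sha1_hex) for the file at `path`, upper-case like the report.

    Both digests are fed from the same chunk so the image is read only once.
    """
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest().upper(), sha1.hexdigest().upper()


def verify_image(path, expected_md5, expected_sha1):
    """Compare the computed digests with the values recorded on the chain-of-custody form.

    Returns a dict carrying the verdict and both digests so the result can be pasted into
    the report verbatim. Comparison is case-insensitive and ignores stray whitespace,
    because recorded values are often typed by hand.
    """
    md5_hex, sha1_hex = hash_image(path)
    md5_ok = md5_hex == expected_md5.strip().upper()
    sha1_ok = sha1_hex == expected_sha1.strip().upper()
    return {
        "path": path,
        "md5": md5_hex,
        "sha1": sha1_hex,
        "md5_match": md5_ok,
        "sha1_match": sha1_ok,
        "authenticated": md5_ok and sha1_ok,
    }


def write_constructed_image(data):
    """Write a constructed stand-in for an evidence image and return its path.

    Only here so the example runs offline; a real run points hash_image at the .dd/.img
    file produced by the imaging tool.
    """
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    # Constructed sample: the original evidence and its image must hash identically.
    original = write_constructed_image(b"abc")
    image = write_constructed_image(b"abc")
    orig_md5, orig_sha1 = hash_image(original)
    result = verify_image(image, orig_md5, orig_sha1)
    print(f"MD5 HASH (128 Bit) = {result['md5']}")
    print(f"SHA-1 HASH (160 Bit) = {result['sha1']}")
    print("image authenticated:", result["authenticated"])

    # A single changed byte in the image must be detected.
    tampered = write_constructed_image(b"abd")
    print("tampered image authenticated:",
          verify_image(tampered, orig_md5, orig_sha1)["authenticated"])
    for p in (original, image, tampered):
        os.remove(p)
```

Run the verification when the image is first made and again after the analysis is complete, and record both results: an image whose hashes still match at the end of the examination demonstrates that nothing in the analysis altered it. MD5 and SHA-1 are what this report used and are still widely accepted for integrity records, but both have published collision attacks, so current practice records SHA-256 alongside them; `hashlib.sha256()` drops into the same loop.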


Chain of Custody Form


Lead Investigator: Mr David
Case number: IN-PNQ/03-08/084
Evidence number: USB-01
Date and time of confiscation / recovery: 28th April 2008 [1425 hours]
Person from whom confiscated / recovered: Mr Robert
Place of confiscation / recovery: DeTag Company, New Delhi, INDIA
Details of prior access / investigation: NIL
Description of media: USB Flash Drive
Model no: A4875687
Capacity: 512 MB
Manufacturer: Kingston
Jumper: N/A
Serial no: MHY2250BH
Interface: N/A
Dimensions: 36.4 x 25.6 x 5.7mm
LBA Add. Sec.: N/A
Unusual marks, if any: Without cover; some scratches on the top and covered with cello tape from the edges.

Chain of custody:
Date and Time                 Released by    Released to    Purpose of change of custody
29th April 2008 1500 hours    Mr David       Mr Thomas      Creation of Image
29th April 2008 1745 hours    Mr Thomas      Mr David       Computation of hash value
29th April 2008 1930 hours    Mr David       Mr Harrison    For returning to client (Returned to Client)

Investigation Report

The MD5 hash value of USB-01 [Case: IN-PNQ/03-08/084], as computed using WinHex 14.4 SR2 software (hereafter referred to as WinHex) licensed to the investigation team, is:

MD5 HASH (128 Bit) = 2A0A9A93069AC2A8A5C6EF4BCB615BA4

[Screenshot: Computing MD5 (128 Bit) HASH VALUE]

[Screenshot: Computing SHA-1 (160 Bit) HASH VALUE]

SHA-1 HASH (160 Bit) = 3D1598FD832247EFCD58DE76E943DF190E46E10B

The image of evidence number USB-01 was created by Mr David using WinHex. The images were named as USB-01. The MD5 and SHA-1 hash values of the image as computed using WinHex are:
MD5 HASH (128 Bit) = 2A0A9A93069AC2A8A5C6EF4BCB615BA4
SHA-1 HASH (160 Bit) = 3D1598FD832247EFCD58DE76E943DF190E46E10B

Chain of Custody Form


Lead Investigator: Mr David


Case number: IN-PNQ/03-08/084
Evidence number: VHS-01
Date and time of confiscation / recovery: 28th April 2008 [1425 hours]
Person from whom confiscated / recovered: Mr Harrison (Detag executive)
Place of confiscation / recovery: DeTag Company, New Delhi, INDIA
Details of prior access / investigation: NIL
Description of media: Video Tape
Model no: TDK E249 NHS
Capacity: 24 hours
Manufacturer: RTI
Jumper: N/A
Serial no: 223-442-2060
Interface: N/A
Dimensions: 7 3/8 x 4 1/16 x 1
LBA Add. Sec.: N/A
Unusual marks, if any: Without cover; some scratches on the top and covered with cello tape from the edges.

Chain of custody:
Date and Time                 Released by    Released to    Purpose of change of custody
29th April 2008 1500 hours    Mr David       Mr Thomas      Creation of Image
29th April 2008 1745 hours    Mr Thomas      Mr David       Computation of hash value
29th April 2008 1930 hours    Mr David       Mr Harrison    For returning to client (Returned to Client)

Investigation Report

The MD5 hash value of USB-01 [Case: IN-PNQ/03-08/084], as computed using WinHex 14.4 SR2 software (hereafter referred to as WinHex) licensed to the investigation team, is:

MD5 HASH (128 Bit) = 83A16902A0D4F9C98A62E7C3B6F1B0BC

[Screenshot: Computing SHA-1 (160 Bit) HASH VALUE]

SHA-1 HASH (160 Bit) = FB404B61CFFD01254C47B7676FCE24320F396F88

The image of evidence number USB-01 was created by Mr David using WinHex. The images were named as USB-01. The MD5 and SHA-1 hash values of the image as computed using WinHex are:
MD5 HASH (128 Bit) = 83A16902A0D4F9C98A62E7C3B6F1B0BC
SHA-1 HASH (160 Bit) = FB404B61CFFD01254C47B7676FCE24320F396F88


CYBER FORENSIC ANALYSIS

Objective: To determine if the laptop and USB flash drive contain any evidence to show Mr. Robert was involved in the crime affecting Detag Company.

Evidence device 1: Toshiba Laptop Model no A48756876 (Hard Drive)
Evidence device 2: Kingston USB flash drive 512 MB Model no M9724ZP/A
Evidence device 3: Video surveillance tape TDK E249 VHS

Evidence device 1: Toshiba Laptop Hard drive


I then began analysis of the image file named HDD-01.

(1) We opened the image file in WinHex using the Specialist > Interpret Image File As Disk option (illustrated below).

[Screenshot: WinHex, Specialist > Interpret Image File As Disk]

(2) We then viewed the contents of the image file in the directory browser of WinHex (illustrated below).

[Screenshot: WinHex directory browser]

(3) On previewing the data of the image I found many files and folders containing the company's confidential information. Some of these files and folders were recovered by me using WinHex.

[Screenshot: Contents of Local Disk (C)]
[Screenshot: Local Disk (C)\Windows\Desktop]
[Screenshot: Local Disk (C)\Windows\System 32]
[Screenshot: Local Disk (C)\Windows\Internet Logs]
[Screenshot: Contents of Local Disk (D)]
[Screenshot: Local Disk (D)\DeTag]

(4) The detailed analysis of the hard drive from which the files were recovered is given below.

(5) A total of 59 recovered files contained confidential information regarding Detag Company.

(6) 11 root folders were recovered from the image, containing many sub-folders of Windows system files.

(7) On further investigation I found 7 PDF files of E-tickets and travel information for Mr Robert on the desktop, suggesting he might be planning to move out of the country very soon.

(8) Total files and folders recovered from the image:
18 .pdf files
22 .txt files
12 .docx files
7 .xls files
11 root folders
4 sub-folders

(9) Four document files were password protected; these were recovered using licensed forensic software.

Details of the files recovered from Mr Robert's laptop hard drive

Files recovered from local drive (C)

Analysing files recovered from the desktop:

The files recovered from the desktop show that Mr. Robert was planning to move to Malaysia very soon. Among the recovered files we found E-tickets to Malaysia booked by Mr. Robert. Some tour and traveller information was also available in these files.

Analysing the URL History

Monday, March 24, 2008
- Star-Jobs Online: We've shifted to MyStarJob.com
- Jobs in Malaysia | careerjet.com.my
- Best Jobs Malaysia :: Malaysian job search, job bank, employment and recruitment
- JobsMalaysia.gov.my - Gerbang Kerjaya Interaktif Anda
- Jobs in Malaysia, Selangor Jobs & Kuala Lumpur Jobs - JobsDB Malaysia
- Jobs in Malaysia, Malaysia jobs | Kerja & jawatan kosong - JobStreet.com
- jobs in malaysia - Google Search
- Malaysia Airline (MAS) Online Booking Tickets
- Malaysia airline tickets - Reservation, booking, best prices, system and comparison of airline systems
- Cheap Flights, Airline Tickets, Cheap Plane Tickets, Cheap Airfare CheapOair
- Malaysia Airlines airticket booking - Google Search
- airticket booking in malaysia - Google Search
- Malaysia Hotels - Online hotel reservations for Hotels in Malaysia
- Booking.com: Hotels in Malaysia. Book your hotel now!
- hotel booking in malaysia - Google Search
- How to rebuild a Li-Ion battery pack
- Cell Phone Batteries
- damage battery cells - Google Search
- Google
- RIFT - Home - Dynamic Fantasy MMORPG
- rift - Google Search
- detag - Google Search
- DE TAG INDUSTRY SDN BHD - Electronic Article Surveillance ( EAS )
- DE TAG INDUSTRY SDN BHD - Electronic Article Surveillance ( EAS )
- indian immigrants - Google Search
- Bureau of Immigration
- Battery Cells
- Battery (electricity) - Wikipedia, the free encyclopedia
- battery cells - Google Search
- Gmail: Email from Google
- Yahoo! Mail: The best web-based email!
- MATTA Portal
- MALAYSIA CENTRAL: Travel & Tours Agents, Tour Operators, Holidays, Sightseeing & Reservation

The URL history of Mr. Robert's laptop highlighted above shows that he was planning to move out of the country to Malaysia to work there; some of the links also show that Mr. Robert was applying for jobs in Malaysia. One of the links shows that Mr. Robert also searched for the rival company RIFT.

Analysing Internet Cookies

From the internet cookies we found that Mr. Robert had been looking into the RIFT Company. It is possible that Mr. Robert was contacting someone from that company to sell Detag Company's private and confidential information.
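The URL history and cookie review above is a keyword search over browser artifacts followed by a manual review of the hits (the Computer Evidence Analysis Checklist later records exactly that step). The script below is an added example, not part of this report: it tags a constructed sample of history titles, taken from the kind of entries listed above, with examiner-defined keyword categories, and keeps the entries that matched nothing so they are reviewed rather than silently dropped. The category names and keyword patterns are assumptions chosen for this case, not a standard list.

```python
import re
from collections import defaultdict

# Constructed sample of browser-history titles modelled on the entries listed above.
SAMPLE_HISTORY = [
    "Jobs in Malaysia | careerjet.com.my",
    "Malaysia Airline (MAS) Online Booking Tickets",
    "rift - Google Search",
    "RIFT - Home - Dynamic Fantasy MMORPG",
    "detag - Google Search",
    "How to rebuild a Li-Ion battery pack",
    "Gmail: Email from Google",
    "Bureau of Immigration",
]

# Examiner-defined categories (assumed for this example): each maps to regular expressions.
# Word boundaries keep "rift" from matching inside unrelated words such as "drift".
KEYWORD_CATEGORIES = {
    "relocation": [r"\bjobs?\b", r"\bimmigra", r"\bmalaysia\b"],
    "travel": [r"\bflights?\b", r"\bairline", r"\bhotel", r"\bbooking\b", r"\bticket"],
    "competitor": [r"\brift\b"],
    "subject_matter": [r"\bbattery\b", r"\bcells?\b", r"\bli-ion\b"],
    "webmail": [r"\bgmail\b", r"\byahoo! mail\b"],
}


def compile_categories(categories):
    """Compile every pattern once, case-insensitively, keyed by category name."""
    return {name: [re.compile(p, re.IGNORECASE) for p in pats]
            for name, pats in categories.items()}


def classify_entry(title, compiled):
    """Return the sorted list of category names with at least one keyword hit in `title`."""
    return sorted(name for name, pats in compiled.items()
                  if any(p.search(title) for p in pats))


def triage_history(entries, categories=KEYWORD_CATEGORIES):
    """Group history entries by keyword category.

    An entry can land in several categories. Entries with no hit are kept under
    'no_hit' so the examiner sees what the keyword list did not cover.
    """
    compiled = compile_categories(categories)
    hits = defaultdict(list)
    for title in entries:
        cats = classify_entry(title, compiled)
        if not cats:
            hits["no_hit"].append(title)
        for c in cats:
            hits[c].append(title)
    return dict(hits)


def summarize(hits):
    """Hit count per category, for the report's summary table."""
    return {c: len(v) for c, v in sorted(hits.items())}


if __name__ == "__main__":
    grouped = triage_history(SAMPLE_HISTORY)
    for category, titles in sorted(grouped.items()):
        print(f"{category} ({len(titles)}):")
        for t in titles:
            print("   ", t)
```

Keyword hits are leads, not findings: in the sample, "RIFT - Home - Dynamic Fantasy MMORPG" is tagged as a competitor hit although the title is a game, which is why the checklist step is "hits were reviewed" and why the report's conclusions rest on the recovered files rather than on the history alone.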

28

Analysing the files recovered from local drive (D)

The files and folders illustrated above were recovered from local drive (D) of Mr. Robert's laptop hard drive and contain the files listed below (table rebuilt from the extracted text; file types are assigned by column order in the extraction, and one row boundary among the names of rows 1 to 6 was lost):

1-6. 22 Battery; Agentlic Battery; it_security_policy; Lead_Acid_Battery; Microsoft Word - IT SecAuditStd _ITRM SEC502-00_ amend 2008 02 21 (all .pdf)
7. MSDS-Battery-Wet-Acid (.pdf)
8. sme_loans business plan (.xls)
9. software_license_101 (.xls)
10. Topic 2 - Battery Cell Balancing - What to Balance and How (.xls)
11. V79 Cell Battery (.xls)
12. 41602903 (.pdf)
13. QuoteRequestForm (.pdf)
14. SealedLeadAcidCrossRef (.pdf)
15. Solar-Panel-Battery-Sizing (.pdf)
16. A guide to Lead Acid batteries (.doc)
17. Battery_guide (.doc)
18. fanancial analysis of honda atlas (.doc)
19. HSA_Tax_Reporting_for_2008 (.doc)
20. kamapril2005_235 (.doc)
21. NICADS (.doc)
22. Nor_ok_nat (.doc)
23. PAYEinfo (.doc)
24. Profile (.doc)
25. pub_249 (.doc)
26. SQB0022APC_33A_65AR_80BC_125BMP (.doc)

The files in the table above contained much confidential information about the company, and according to the company's executives this information was not accessible to Mr. Robert. Mr. Robert therefore had unauthorized access to the company's private and confidential data.

Analysing the files found in Local Drive (D)/Detag

The files illustrated above were found in the Detag folder on local drive (D). The Detag folder was marked as hidden, so we recovered the hidden folder and changed its permissions and properties. On analysing these files we found that they were password protected, so using licensed forensic tools we were able to recover the passwords and gain access to the information in the files.

[Screenshot: Customer_details.xls]

[Screenshot: Detag_cli.docx]

[Screenshot: Financial_review.xls]

[Screenshot: Ordersheet.xls]

Details of files:
1. Customer_details (.xls), password: accessedin
2. Financial_review (.xls), password: accessedin
3. ordersheet (.xls), password: accessedin
4. Detag_cli (.doc), password: accessedin

Evidence Device 2: Kingston USB flash drive 512 MB Model no M9724ZP/A

We then began analysis of the image file named USB-01.

(1) We opened the image file in WinHex using the Specialist > Interpret Image File As Disk option (illustrated below).

[Screenshot: WinHex, Specialist > Interpret Image File As Disk]

(2) We then viewed the contents of the image file in the directory browser of WinHex (illustrated below).

[Screenshot: WinHex directory browser]

(3) On analysing the image I found that many files and folders had been deleted. These files and folders were recovered by me using WinHex.

(4) The .Trash root folder contains 38 files and 3 folders.

(5) Deleted files and folders were recovered from the USB.

(6) The folders Detag and Comp_Prof also contain 25 scanned documents regarding Detag company information.

[Screenshot: Detag folder files recovered]

Details of the files recovered from the Detag folder on Mr Robert's USB:
1. Images (.jpg)
2. it-infrastructure-security-policy (.png)
3. lee2 (1) (.gif)
4. lee2 (.gif)
5. Legaldemand (.png)
6. Letter (.gif)
7. Mold (.jpg)
8. ocr-2 (.jpg)
9. Paper_Journal_Entry_001 (.jpg)
10. Pdfconverted (.png)
11. policy-papers_oehrlein_2-2010 (.jpg)
12. Schillings-threat-letter1(crop) (.gif)
13. Sidebar (.jpg)
14. ura21apr08-02 (.gif)

[Screenshot: Comp_Prof folder files recovered]

Details of the files recovered from the Comp_Prof folder on Mr Robert's USB (file types assigned by column order in the extracted text):
1. 09_12_sb (.jpg)
2. 546c0a5e2e5fab4b59c8d0ca107d3640 (.jpg)
3. 5271 (.png)
4. 618633 (.png)
5. 18578442 (.png)
6. Butler (.gif)
7. china-trademark-infringement-lawsuit213x300 (.gif)
8. clarkeletter2-1 (.jpg)
9. Fedex (.gif)
10. images (1) (.jpg)
11. images (2) (.jpg)

Battery_cell folder: This folder does not contain any file or image.

Details of the other files recovered from Mr Robert's USB:
1. battery cell (.gif)
2. battery_cell_diagram (1) (.jpg)
3. battery_cell_diagram (2) (.jpg)
4. battery_cell_view (.jpg)
5. c74dd42838fb339040f26117f582a269.image.750x497 (.jpg)
6. def52a726f340a528e58602fa43d60ab (.jpg)
7. detagBanner (.png)
8. lithf2 (.gif)
9. New Text Document (.txt)
10. Nicad (.gif)
11. powerex_d_cell_rechargeable_battery_350 (.jpg)
12. Rifts-trademark (.jpg)

The analysis of the USB flash drive resulted in the recovery of 38 files of evidentiary / investigative value. These included:

1. 25 scanned images of documents (such as legal papers of the company, upcoming research details of the company, and a new product launch) pertaining to the company's most confidential data.
2. 3 folders which contained details of the company's budget and financial details.
3. 11 images that contained formulas and designs of battery cells, some of which also included traces of the Rift Company such as their logo (image number 12 in the table above).
4. 1 text file which states the email address hennry@rift.inc.in, which may belong to a Rift company employee.

The files mentioned above have been copied onto 3 CD ROMs. One CD ROM has been archived by the team. Two CD ROMs have been handed over to the client with the final report.

Evidence device 3: Video surveillance tape TDK E249 VHS

I then began analysis of the image file named VHS-01.

(1) I opened the image file in WinHex using the Specialist > Interpret Image File As Disk option (illustrated below).

[Screenshot: WinHex, Specialist > Interpret Image File As Disk]

(2) I then viewed the contents of the image file in the directory browser of WinHex.

(3) On analysing the video I found that Mr Robert was stealing the information from the research and development department, from the supervisor's head office (images illustrated below).

[Video stills: Image 1 to Image 8]

The analysis of the video produced the following evidentiary / investigative value: the video shows Mr. Robert stealing the Detag Company information from the research and development department. The video and files mentioned above have been copied onto 3 CD ROMs. One CD ROM has been archived by the team. Two CD ROMs have been handed over to the client with the final report.

43

COMPUTER EVIDENCE ASSESSMENT CHECKLIST


Activity: Done / Date
- The RFS was obtained from the client: Yes, 28th April 2008
- Details of the case were obtained from the client: Yes, 28th April 2008
- The cybercrime investigator met with the client and discussed the investigative avenues and potential evidence being sought in the investigation: Yes, 28th April 2008
- Computer and other devices were received from the client: Yes, 28th April 2008
- The evidence was marked and photographed: Yes, 28th April 2008
- Chain of custody was properly documented: Yes, 28th April 2008
- BIOS information documented: Yes, 28th April 2008
- Image file created and mathematically authenticated: Yes, 28th April 2008

CYBER FORENSIC ANALYSIS REPORT

Report of cyber forensic analysis of the hard disk from the Toshiba laptop described as under: Model No: K5UFHYG; Capacity: 160GB; Serial No: 45V7GQW34545Q

Report of cyber forensic analysis of the USB flash drive described as under: Model No: M9724ZP/A; Capacity: 512 MB; Serial No: MHY2250BH

Report of cyber forensic analysis of the USB flash drive described as under: Model No: TDK E249 NHS; Capacity: 300 MB; Serial No: 223-442-2060

This contains the image of the above mentioned files. Report no.: DeTag / 052008/02, dated 1st May, 2008

45

COMPUTER EVIDENCE ANALYSIS CHECKLIST


Activity: Done / Date
- The forensic machine was prepared with the operating system and forensic and investigation software programs: Yes, 1st May, 2008
- The image files from the evidence devices were copied onto the forensic machine and examined: Yes, 1st May, 2008
- Deleted files were recovered: Yes, 1st May, 2008
- File data was recorded: Yes, 1st May, 2008
- Keyword text searches were conducted and hits were reviewed: Yes, 1st May, 2008
- Graphics files were opened and viewed: Yes, 1st May, 2008
- Passwords for password protected files were recovered: Yes, 1st May, 2008
- Encryption keys were recovered: Yes, 1st May, 2008
- Unallocated and slack space was searched: Yes, 1st May, 2008
- Relevant files (of evidentiary / investigative value) were copied onto a CD ROM: Yes, 1st May, 2008

46

DETAILED CASE:

Introduction
On 26th April 2008, Mr. Harrison of DeTag Company requested Mr. David, lead investigator of the team, to conduct a detailed investigation of the media (previously retrieved by the team) and the image of the computer hard disk of Mr. Robert's laptop. Mr. Harrison has declared that he is the person legally entitled to hand over the said laptop, surveillance tape and USB flash disk. The said laptop and video tape are owned by DeTag Company, a company registered under the Companies Act, 1956 and having its office at DeTag Ltd., Park Street, INDIA. The said company authorized Mr. Harrison to hand over the said laptop, surveillance tape and USB flash drive to the investigation team for the said cyber forensic analysis.

Background of the issue

Note: The information below forming the background of the issue is as provided by Mr. Harrison. The said information has not been verified or cross-checked by the investigators or DeTag company employees. According to Mr. Harrison:
1. The company Detag came to know that many of their clients are no longer re-ordering from them.
2. The company Detag thinks that some confidential information may be being leaked out of the company to their competitors.
3. So an internal investigation was conducted to find the suspect.
4. The DeTag Company suspects unauthorized access to their confidential information.
5. Authorized officials of DeTag suspect that the said unauthorized access and information theft was carried out by Mr. Robert.
6. Mr. Robert has been working in the research department as an assistant.
7. Authorized officials of Detag therefore requested the investigation team to conduct a cyber forensic analysis of the above mentioned laptop, video tape and USB flash drive and of any other relevant information obtained from the hard disk.


DETAILS OF THE CYBER FORENSIC CARRIED OUT BY TEAM

The entire cyber forensic analysis was carried out by Mr. David's investigation team. The laptop, the other devices and the relevant software used for the cyber forensic analysis are regularly used to store and process information. Throughout the material part of the said cyber forensic analysis, the said laptop, USB flash drive and video tape were operating properly. The objective of the investigation was to analyze the devices and find the relevant evidence. The analysis of the laptop computer, the USB flash drive and the hard disk resulted in the recovery of 97 files of evidentiary / investigative value. These included: document files (such as legal papers of the company, details of upcoming research and a new product launch) containing the company's most confidential data; 4 password-protected Microsoft Excel files containing the company's budget and financial details; and 18 PDF files containing airline E-tickets. These tickets had been booked online in Mr. Robert's name, which suggests that he was planning to leave the country very soon.

Evidence Analysis
Based on the results above, the evidence indicates that Mr. Robert Saunders has been viewing these confidential files without authorization. Confidential files were found on his laptop hard drive, where it is believed they were stored to be viewed later, and copies of the same files were found on his thumb drive. E-tickets found on the desktop indicate that Mr. Robert was planning to leave the country very soon. The evidence therefore points to Mr. Robert Saunders viewing these files without authorization. It further points to a second offence: transferring these confidential files to unauthorized persons. Since confidential files were found on his USB flash drive, and since some deleted files were also recovered from it, the evidence indicates that Mr. Robert Saunders used this USB flash drive to transfer the files from his laptop to outside parties.

By obtaining the information on Mr. Robert Saunders's login times on the laptop, the investigator is also able to tie him to this activity. As mentioned earlier, video evidence of Mr. Robert Saunders's movements shows a CD being taken out of the R&D laboratory on the 26th of April at about 4:45 pm. It is believed that he removed a CD containing confidential information during this period. Besides that, the dates and times at which the files were accessed support the conclusion that he leaked these files using his thumb drive and viewed them without authorization on his laptop. Some of the recovered files also show that Mr. Robert was communicating with an employee named Hennry working at Rift Company. This information was gathered from evidence found on the USB drive, which contains the email address hennry@rift.inc.in.
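The conclusions above rest on two checks an examiner should be able to reproduce from the evidence: that the files on the USB drive are the same files as those on the laptop, and that their access and modification times fall near the 4:45 pm CD event seen on the surveillance tape. The following Python example, added here and not part of the original report, shows both checks on a constructed set of file records. Copies are matched by SHA-256 of content rather than by name, so renamed or moved files still match; the timeline then flags every timestamp within a configurable window of the surveillance event. The file names, contents and timestamps below are invented for illustration; in a real examination they would be read from the verified image, never from a live filesystem. Note also that a hash match shows two devices hold identical content, not the direction in which it was copied, and that last-access times are unreliable on systems where access-time updates are disabled, so the timeline is corroboration rather than proof on its own.

```python
"""Cross-device file correlation and access timeline for recovered files.

Added example: matches copies across devices by content hash and flags
timestamps near a surveillance event.  All records below are constructed
sample data, not files from the investigation.
"""
import hashlib
from datetime import datetime, timedelta

# Constructed records: (device, path, content bytes, mtime, atime).
# In practice these come from the forensic image's filesystem metadata.
SAMPLE_FILES = [
    ("laptop", "C:/Users/robert/Desktop/research_plan.docx",
     b"upcoming research details", "2008-04-26 16:31:00", "2008-04-26 16:40:10"),
    ("laptop", "C:/Users/robert/Desktop/eticket_DEL_SIN.pdf",
     b"e-ticket", "2008-04-25 21:02:00", "2008-04-26 09:15:00"),
    ("usb", "E:/research_plan.docx",
     b"upcoming research details", "2008-04-26 16:31:00", "2008-04-26 16:42:55"),
    ("usb", "E:/budget.xlsx",
     b"budget", "2008-04-20 11:00:00", "2008-04-26 16:43:30"),
]

# Time of the CD removal seen on the surveillance tape (from the report).
CD_EVENT = datetime(2008, 4, 26, 16, 45)


def sha256_hex(data: bytes) -> str:
    """Content hash used to identify a file regardless of its name or path."""
    return hashlib.sha256(data).hexdigest()


def index_by_hash(records):
    """Group (device, path) locations of every file by its content hash."""
    index = {}
    for device, path, data, _mtime, _atime in records:
        index.setdefault(sha256_hex(data), []).append((device, path))
    return index


def cross_device_matches(records):
    """Hashes whose content exists on more than one device, with locations."""
    return {h: locs for h, locs in index_by_hash(records).items()
            if len({dev for dev, _ in locs}) > 1}


def timeline(records, event, window=timedelta(minutes=30)):
    """Sorted events (time, device, path, kind, near_event).

    near_event is True when the timestamp lies within +/- window of the
    surveillance event, so examiners can see which file activity coincides
    with what the tape shows.
    """
    events = []
    for device, path, _data, mtime, atime in records:
        for kind, ts in (("modified", mtime), ("accessed", atime)):
            t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            events.append((t, device, path, kind, abs(t - event) <= window))
    return sorted(events)


def events_near(records, event, window=timedelta(minutes=30)):
    """Only the timeline entries that fall inside the window."""
    return [e for e in timeline(records, event, window) if e[4]]


if __name__ == "__main__":
    for h, locs in cross_device_matches(SAMPLE_FILES).items():
        print("identical content", h[:12], "found at", locs)
    for t, device, path, kind, _ in events_near(SAMPLE_FILES, CD_EVENT):
        print(t, device, path, kind)
```

Running the block prints one cross-device match (research_plan.docx on both the laptop and the USB drive) and the five modification/access events that fall within 30 minutes of 16:45 on 26 April 2008. The E-ticket, accessed that morning, and the budget workbook's April 20 modification time stay outside the window, which is the kind of separation the report should state explicitly for each file it relies on.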


COMPLAINT TO ADJUDICATING OFFICER UNDER INFORMATION TECHNOLOGY ACT - 2000

1.
Name of the complainant: Mr. Harrison (DeTag Company)
E-mail address: harrison@detag.com
Telephone No.: 98122356788
Address for correspondence: New Delhi, Green Bihar, INDIA
Digital Signature Certificates, if any: N.A.

2.
Name of the respondent: Mr. Robert
E-mail address: robert@detag.com
Telephone No.: 9814207338
Address for correspondence: Green Avenue, New Delhi, INDIA
Digital Signature Certificates, if any: N.A.

3.
Damages claimed: Rs. 10,00,000/-
Fee deposited: Rs. 13,000/-

4.
Complaint under Section / Rule / Direction / Order etc.: Sections 66 and 43 of the IT Act
Time of contravention: 4:45 PM, 26th April 2008

5.
Place of Contravention: New Delhi

6.
Cause of action: The complainant alleges that the respondent gained unauthorized access to the company's confidential data and leaked the information to its rivals.

7.
Brief facts of the case:
1. The complainant is an IT professional serving as a member of the board of directors of DeTag.
2. The respondent is also an IT professional, working in DeTag's research and development department as a research assistant.
3. On 26th April, while an internal investigation in the company was under way, it was found that Mr. Robert stole the company's private and confidential material by copying it onto a CD-ROM.
4. The video surveillance tape shows that at 4:45 PM on 26th April Mr. Robert was copying the information onto the CD.
5. The company head then decided to lodge an official complaint against Mr. Robert and seized the laptop and USB drive that the company had provided to him.
6. Further investigation was then carried out by the cyber crime department.

LEGAL ISSUES

Information Theft

Acts penalized:
1. Publishing or transmitting obscene electronic material or confidential material.
2. Causing damage to obscene and confidential material.
3. Dishonestly sending or receiving any stolen computer resource or communication device, knowing or having reason to believe the same to be stolen.

Punishment: Imprisonment up to 3 years and / or fine up to Rs 1,00,000/-
Punishment for attempt: Imprisonment up to 18 months and / or fine up to Rs 1,00,000/-
Punishment for abetment: Imprisonment up to 3 years and / or fine up to Rs 1,00,000/-
Whether cognizable? Yes
Whether bailable? Yes
Whether compoundable? Yes. However, it shall not be compounded if the crime affects the socio-economic conditions of the country, or has been committed against a child below the age of 18 years or against a woman.
Investigation authorities: Police officer not below the rank of Inspector; the Controller; an officer authorized by the Controller under section 28 of the Information Technology Act
Relevant court: Magistrate of the first class
First appeal lies to: Court of Session

Applicable Law

(1) Mr. Robert obtains the information by hacking or social engineering and then uses it for the benefit of his own business. Usual motive: illegal financial gain.
Before 27 October 2009: Sections 43 & 66 of the Information Technology Act and section 426 of the Indian Penal Code
After 27 October 2009: Sections 43, 66 & 66B of the Information Technology Act and section 426 of the Indian Penal Code

(2) Mr. Robert obtains the information by hacking or social engineering and threatens to make it public unless the victim pays him money. Usual motive: illegal financial gain.
Before 27 October 2009: Sections 43 & 66 of the Information Technology Act and section 384 of the Indian Penal Code
After 27 October 2009: Sections 43, 66 & 66B of the Information Technology Act and section 384 of the Indian Penal Code

(3) A disgruntled employee (Mr. Robert) steals the information and passes it to the victim's rival, and also posts it to numerous websites and newsgroups. Usual motive: revenge.
Before 27 October 2009: Sections 43 & 66 of the Information Technology Act and section 427 of the Indian Penal Code
After 27 October 2009: Sections 43, 66 & 66B of the Information Technology Act and section 427 of the Indian Penal Code
