Digital Forensics As Investigation Tool - NBR - Bangladesh
DIRECT TAXES
Digital Data
• Data – facts, information, knowledge, instructions, etc., collected together for reference or analysis
• Digital Data – the discrete, discontinuous representation of information or works. Numbers and letters are commonly used representations.
• Forensics – the use of scientific knowledge or methods to establish facts, e.g. to detect tax evasion or any other offence, in a form admissible as evidence in a court of law
Locard’s Principle
“Every contact leaves a trace”
Technologies – Source of Digital Data
Impact of Technology in Present-day Investigation
• Digital data is easy to modify, alter, delete, password-protect or hide. It is HIGHLY VOLATILE, and at times difficult to locate.
• Issues and Challenges
– Invisibility / obscurity
– Volume
– Data integrity / manipulation
– Fragile devices
– Data motility
– Remote access / services
– Storage / cloud storage
– Formats and compatibility
– Evidentiary value – legal issues
Investigating without Forensic Technology
Capacity of an average-size storage disk: 1000 GB
Approx. no. of characters in an A4 page: 4 KB [52 lines x 80 characters = 4160 bytes]
Thickness of an A4 sheet: 0.004”
Height of print-outs of 5 MB of data, printed and stacked one on top of another [1250 times that of 4 KB]: 5”
Height of print-out of 5 GB of data [1000 times 5 MB]: 5,000”
Height of print-out of 1000 GB of data [200 times 5 GB]: 10,00,000”
Height of City Centre Qutub Minar: 2,867”
Can we turn the challenge into an advantage?
Digital Forensics as a powerful tool in the hands of tax administrators to fight tax evasion
– Helps reconstruct a past event or activity – trail/trace
– Brings out evidence of violations and illegal activity
– Complements traditional methods of investigation
– Points to the overall integrity of the infrastructure
Digital Forensics
• Digital Forensics is the process of identifying
and collecting digital evidence from any
medium, while preserving its integrity for
examination and reporting.
• It can be used individually as key evidence or
alongside more traditional methods of
evidence gathering, where it could serve as a
complement to other types of evidence.
Digital Evidence
• Defined in Sec 79A of Information Technology Act
• ‘any information of probative value that is either
stored or transmitted in electronic form’ and
includes computer evidence, digital audio, digital
video, cell phones, digital fax machines.
• Electronic form – means any information
generated, sent, received or stored in media,
magnetic, optical, computer memory, micro film,
computer generated micro fiche or similar device
Electronic Record
• Electronic record has been defined in the
Information Technology Act - to include data,
record or data generated, image or sound stored,
received or sent in an electronic form or micro film
or computer generated micro fiche.
• This definition of electronic record is wide enough
to cover person in possession of computer, storage
device, server, mobile phone, i-Pod or any such
digital device.
• An electronic record is admissible as evidence on par with a document
Branches of Digital Forensics
• Disk – hard disks, portable storage devices
• Network – enterprise, OS, cloud
• Database – database
• Device – PDA, smart phone, cell phone
• Email – email, Outlook
Branches of Digital Forensics
• Disk Forensics: extracting information from storage media like hard disks/DVDs/memory cards/flash drives/USB devices
• Network Forensics: the process of capturing information that moves over a network.
• Database Forensics: studying databases to find out whether any manipulations have been done
Branches of Digital Forensics
• Device Forensics: gathering digital evidence available in different types of devices such as mobile phones, PDAs, iPods, fax machines, etc.
• Email Forensics: recovery and analysis of emails, including deleted emails
Legal Provisions associated with Digital Evidence
• Information Technology Act
• Income Tax Act
• Indian Evidence Act
• Indian Penal Code
• Bankers Book Evidence Act
• Reserve Bank of India Act
S.no | Section no | Act | Provision in brief
2 | 2(22A) | Income Tax Act | Defines records and includes electronic records
3 | 132(1)iib | Income Tax Act | Affording facility to access electronic records at the time of search and seizure proceedings
10 | 2nd Schedule | Indian Evidence Act | Electronic record given a legal status as evidence
Steps in Digital Forensics
Issues of Digital Evidence
• Finding the source of digital evidence – discrete/disguised
• Preserving it – volatile, extremely fragile, easily tampered; damage due to shock, vibrations, high-powered electromagnetic fields, direct exposure to sun, storage in improper conditions
• Presenting it in a manner admissible in a court of law (admissible as evidence)
• Recovery of hidden/deleted evidence
• Voluminous
• Password protected
Digital Evidence Identification
Disguised Device Models
Fundamentals of Handling – Digital Evidence
Write Blocking
• It is essential that no changes are made while handling digital evidence. A change of a single bit may render the whole evidence inadmissible.
• This can be achieved by write blocking the storage media that is intended to be acquired/seized, using a technology commonly referred to as a “Write Block”.
• This technology ensures that nothing is written to a storage medium that has been write blocked.
Fundamentals of Handling – Digital Evidence
For Authentication and Seizure of Evidence – Mathematical Hashing
• For evidence authentication, it must be proven to be genuine to be admissible in a court of law.
• The pre-acquisition hash is computed to maintain the authenticity and integrity of the evidence when it is seized/received for examination.
• EVIDENCE IS AUTHENTICATED WITH THE PRECOMPUTED HASH VALUE.
• Mathematical hashing is often described as one-way encryption. Every piece of digital evidence at the lowest level translates into a big number. When the digital device or data is processed with a hashing algorithm, it results in a new number of a fixed length called the message digest.
“Hang him not, kill him”
Message Digest: Test.doc → 6FB3938D0271301C6C4AC847908AB26D
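An added example (not from the slides) of the authentication step described above: a pre-acquisition digest is computed over the evidence bytes, the same digest is recomputed later to authenticate the copy, and a single flipped bit is shown to break the match. The sample bytes are constructed from the slide's own sentence; the imaging of a real disk is assumed to be done by reading the write-blocked device in chunks exactly as `message_digest` does here.

```python
import hashlib

# Constructed sample "evidence" standing in for bytes read from write-blocked media;
# the text is the slide's own one-character illustration.
SAMPLE_EVIDENCE = b"Hang him not, kill him"

def message_digest(data: bytes, algo: str = "sha256", chunk: int = 4096) -> str:
    """Upper-case hex digest of `data`, fed to the hash in fixed-size chunks the way an
    imager streams sectors, so the same routine scales to a multi-gigabyte image."""
    h = hashlib.new(algo)
    view = memoryview(data)
    for start in range(0, len(view), chunk):
        h.update(view[start:start + chunk])
    return h.hexdigest().upper()

def flip_one_bit(data: bytes, byte_index: int, bit: int = 0) -> bytes:
    """Copy of `data` with one bit toggled: the smallest possible alteration."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)

def verify_against_precomputed(data: bytes, precomputed: str, algo: str = "sha256") -> bool:
    """Authenticate evidence: recompute the digest and compare it with the value recorded at seizure."""
    return message_digest(data, algo) == precomputed.strip().upper()

def demo() -> dict:
    """Pre-acquisition hash, then re-verification of the intact copy and of a one-bit-altered copy."""
    pre_acquisition = message_digest(SAMPLE_EVIDENCE)
    tampered = flip_one_bit(SAMPLE_EVIDENCE, byte_index=9)  # the 'n' of "not" becomes 'o'
    return {
        "pre_acquisition_hash": pre_acquisition,
        "md5_like_slide": message_digest(SAMPLE_EVIDENCE, "md5"),  # 32 hex chars, as on the slide
        "intact_verifies": verify_against_precomputed(SAMPLE_EVIDENCE, pre_acquisition),
        "tampered_verifies": verify_against_precomputed(tampered, pre_acquisition),
        "tampered_text": tampered.decode(),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```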
Other Issues of Handling Digital Evidence
• Pre-investigation preparations
– Understanding the digital environment
– Kit bags containing tools – new HDD, pendrives, laptop, printer, digital camera, etc.
– Technical support manpower
– Anti-static bag, Faraday bag
Understanding the Digital Environment
• Illustration
You enter a single-room premise where you find only one computer (desktop) system.
All data related to the business of the assessee, including BoA or any incriminating material, is stored in that system.
Now, what will you start doing?
Write Blocker
Understanding the Digital Environment
• Illustration 1
You enter a single-room premise where you find only one computer (desktop) system.
All data related to the business of the assessee, including BoA, is stored in that system.
Incriminating evidence indicating an offence under some act was found in that system.
Now what to do?
Primary Evidence vs Secondary Evidence – s.62 & s.63
Understanding the Digital Environment
• Illustration 2
You enter a head office premise where you find a building with 3 floors.
It is presumed that more than 20 computers are present on the 2nd and 3rd floors of the building.
What is expected from the team?
Understanding the Digital Environment
LAN Disconnection
Understanding the Digital Environment
• Identify the location of servers: identify the different servers along with their physical location and find out which servers are related to the case under investigation, such as file server, database servers, mail servers, accounting servers, etc.
• There is a high probability of the main storage server and the accounting server being in the same server room. A typical server room will contain rack-mounted servers with networking hardware.
Understanding the Digital Environment
• Illustration 3
After entering a premise, the crucial system is identified as per pre-action intelligence, but it is password protected at boot.
After booting, it still asks for the OS (Windows) password.
After bypassing the OS password, while browsing through the storage disk you find a password-protected PDF or Excel file which seems to be crucial.
Passwords of the mail IDs of main or crucial persons.
• Collect Passwords:
– BIOS password: the first thing to do is to ask the assessee to provide the password. If he doesn’t, we can remove the BIOS password by removing the CMOS battery for half an hour, putting it back in the system and restarting the system. The BIOS password will be removed.
– Operating system password: ask the assessee for the password. If he does not provide the password, there are password crackers for commonly used operating systems such as Windows XP and Windows Vista.
– Password for MS Office files: ask the assessee. If he does not provide the same, there are password cracker tools such as Rainbow Table.
– Password for Tally files and any customized software: in this case, it is somewhat difficult to crack. We may ask the assessee for the passwords. But with some effort, Tally file passwords can also be cracked.
– Password for Gmail, Hotmail, etc.
– Password for online accounting software
• The best option is to ask the assessee to provide the password. The assessee is bound by law to provide such a password.
• Else make the assessee provide the password!!
Password Extraction
• Psychological handling
• Evidence gathering
• Good cop / bad cop
• Password manager history
• Password cracker tools
• Securing mail boxes: acquire the user ID and password of the email account of the assessee and of some important persons of the business concern, if any, and change the password immediately to secure the mail box. The changed passwords should be noted down in a secure place for further analysis of emails.
• MBOX application – to view the mail in a mail-client environment
• Illustration 4
You enter a premise which is a single retail (textile/jewellery) shop and find books of accounts maintained in the system. What to do now?
You enter a number of premises which are a chain of a retail business (e.g. chit fund) and find books of accounts maintained in TALLY at the head office premise. What will you do now?
Understanding the Digital Environment
Cloud Application/Servers
• Identify customized software used – collect information such as the vendor of the software, the database used by the software, its file format and passwords. If the software is operated with smart card/dongle keys (small hardware token keys generally validated through the USB port), then one must take possession of the smart card/dongle keys, as in the absence of such keys the software will not function.
• Source of customized software – identify the source programmer of the software provider and summon the person. Take a sworn statement from that person about the customized software and all the manipulations that can be done with it.
• Identifying Cloud Data - Cloud data is any data
which is stored on a remote server. The types
of data typically stored on remote servers can
be email, ERP application data or company
intranet.
– Physically hosted server
– Cloud hosted data
– Remote Desktop Connection
Cloud Application/Server – Evidence gathered
• Email
• Internet browser history
• Registry analysis (metadata)
• Bill payment (account statement)
• User credentials
• Network forensics – upload/download data size of a particular IP address
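An added example (not from the slides) of the last item above: per-IP upload/download totals computed from flow records, used to single out remote hosts that received far more data than they returned, which is the traffic pattern a backup of books of accounts to a cloud server produces. The flow lines and the premises LAN range `192.168.10.0/24` are constructed for the example; a real case would feed exported firewall or NetFlow records in the same comma-separated shape.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not a real capture):
# start_time, source_ip, destination_ip, destination_port, bytes_sent, bytes_received
SAMPLE_FLOWS = """\
2024-03-01T09:02:11,192.168.10.21,203.0.113.45,443,5242880,65536
2024-03-01T09:05:40,192.168.10.21,198.51.100.7,443,20480,1048576
2024-03-01T09:07:02,192.168.10.22,203.0.113.45,443,3145728,32768
2024-03-01T09:10:55,192.168.10.21,192.168.10.5,445,102400,204800
2024-03-01T09:12:13,192.168.10.23,198.51.100.9,443,40960,7340032
"""
# LAN of the searched premises (assumed for the sample); traffic inside it is not cloud traffic.
INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")

def parse_flows(text: str) -> list:
    """Parse the comma-separated flow lines into dicts with integer byte counts."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, sent, recv = line.split(",")
        rows.append({"ts": ts, "src": src, "dst": dst, "port": int(port),
                     "sent": int(sent), "received": int(recv)})
    return rows

def traffic_per_remote_ip(flows: list) -> dict:
    """Upload (bytes sent) and download (bytes received) totals per external destination IP."""
    totals = defaultdict(lambda: {"upload": 0, "download": 0, "sources": set()})
    for f in flows:
        if ipaddress.ip_address(f["dst"]) in INTERNAL_NET:
            continue  # file-server or printer traffic inside the premises
        t = totals[f["dst"]]
        t["upload"] += f["sent"]
        t["download"] += f["received"]
        t["sources"].add(f["src"])
    return dict(totals)

def likely_upload_destinations(totals: dict, min_upload: int = 1 << 20, ratio: int = 10) -> list:
    """Remote IPs that received much more than they sent back: candidate cloud backup/upload
    targets to correlate with browser history, bill payments and credentials found on the machines."""
    return sorted(ip for ip, t in totals.items()
                  if t["upload"] >= min_upload and t["upload"] >= ratio * t["download"])

if __name__ == "__main__":
    totals = traffic_per_remote_ip(parse_flows(SAMPLE_FLOWS))
    for ip in likely_upload_destinations(totals):
        t = totals[ip]
        print(f"{ip}: uploaded {t['upload']} bytes from {sorted(t['sources'])}")
```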
• Illustration 5
You go to the residential premises of the main assessee and take complete control of it. You find a Mercedes Benz car parked in front of the house. What will you do with it?
GPS location history of the car
Forensics of it reveals a number of locations, out of which you find one location that is unknown to you and also appears unusual.
After reaching that location, you find an old godown with one locked room.
You find Rs.50 crores cash, i.e. black money.
• Illustration 6
You go to the residential premises of the main assessee and take complete control of it. You find nothing in the premises after rummaging. What will you do?
You find the assessee is so cool and not bothered about your search, and watching TV in his bedroom all along.
Can you make any inference now?
SMART TV!!!
Principles of Evidential Value
• No actions performed by investigators should change data
contained on digital devices or storage media.
The structure of a typical high-level ERP is something like –
Digital Evidence Collection Form
• It ensures proper documentation of all the
information about the evidence that is visible to
the naked eye. It should contain the following
details:
– Case Name/Date of Search/Name of the Authorised
Officer and Address of acquisition
– System Information like Device
Type/Manufacturer/Model Number/Serial
Number/BIOS Date(Time)
– Type of Media
– Details of Forensic Software and Version Number
Mobile device evidence collection form
Certificate u/s.65B
Chain of Custody Form
• Chain of custody refers to the chronological documentation that shows the people who have been entrusted with the evidence. It should document the details of the people who seized the equipment, the details of the people who transferred it from the premises to the forensic lab, the people who are analyzing the evidence, the details of when it was opened, and so on.
• Because evidence can be used in a court to convict persons of crimes, it must be handled in a scrupulously careful manner to avoid later allegations of tampering or misconduct.
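An added example (not from the slides) that ties the Digital Evidence Collection Form fields above to the chain-of-custody log: each transfer entry carries a hash that covers the previous entry's hash, anchored in the pre-acquisition digest of the media, so that an entry that is later edited, removed or reordered no longer verifies. All case values, names and the software name are constructed placeholders; the acquisition hash reuses the slide's Test.doc digest.

```python
import hashlib
import json
from dataclasses import dataclass, field

def _entry_hash(prev_hash: str, entry: dict) -> str:
    """Hash of one custody entry, bound to the hash of the entry before it."""
    payload = json.dumps({"prev": prev_hash, **entry}, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()

@dataclass
class EvidenceRecord:
    """Fields of the Digital Evidence Collection Form plus a chain-of-custody log."""
    case_name: str
    date_of_search: str
    authorised_officer: str
    acquisition_address: str
    device_type: str
    manufacturer: str
    model_number: str
    serial_number: str
    media_type: str
    forensic_software: str
    acquisition_hash: str          # pre-acquisition digest of the media (anchors the chain)
    custody_log: list = field(default_factory=list)

    def transfer(self, from_person: str, to_person: str, when: str, purpose: str) -> dict:
        """Append a custody entry; its hash covers the previous entry's hash."""
        prev = self.custody_log[-1]["entry_hash"] if self.custody_log else self.acquisition_hash
        entry = {"from": from_person, "to": to_person, "when": when, "purpose": purpose}
        entry["entry_hash"] = _entry_hash(prev, entry)
        self.custody_log.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every entry hash; any edited, removed or reordered entry breaks the chain."""
        prev = self.acquisition_hash
        for entry in self.custody_log:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if _entry_hash(prev, body) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

def build_sample_record() -> EvidenceRecord:
    """Constructed sample values only; 'Imager X' is a placeholder tool name, not a real product."""
    rec = EvidenceRecord("Sample Search Case", "2024-03-01", "A. Officer",
                         "Shop No. 12, Sample Market", "Desktop PC", "ExampleCorp",
                         "EX-1000", "SN-CONSTRUCTED-0001", "SATA HDD 1 TB",
                         "Imager X v1.0", "6FB3938D0271301C6C4AC847908AB26D")
    rec.transfer("A. Officer", "B. Custodian", "2024-03-01 18:30", "transport to forensic lab")
    rec.transfer("B. Custodian", "C. Examiner", "2024-03-02 10:00", "analysis")
    return rec
```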
Checklist for Fool-proof Chain of Custody
Case Studies
• Casino
• Secret Premise – Parallel Books of Accounts
• Excel Sheet – Running cash book
• Secret Mail id – Foreign Bank Accounts
• Billing software vs BoA (TALLY)
• Damaged hard disk
• Back up of BoA in Google Drive/Cloud
• Youtube video - violation
Digital Evidence Presentation
• Description of items, process adopted for analysis, chain of custody, findings, glossary of terms, etc.
• Copies of the Digital Evidence Collection Form
• Key digital evidence retrieved from deleted files and its link to the case
• Whether the digital evidence has been confronted to the assessee, key persons, etc., against the relevant portions of the Income Tax Act
• Linking of circumstantial evidence and key physical evidence found/seized with the digital evidence
Digital Evidence Presentation
• Format
• Authenticity
• Hard Copy / Soft Copy
• Software used and versions
• CV of the expert and qualifications
• Hash results
• All storage media details
• Report should be in simple terms
• Supported by photographs
Preserving/Storing Digital Evidence
• Store the evidence in a secure area that is cool and dry
• Away from the influence of electrostatic and magnetic fields: magnets, generators
• Prevent scratches, overheating, short circuits, etc.
• Should not be stored in a metal case, as it interferes with magnetic properties
• Store in plastic or wooden cases
Packaging/Transportation
• Use bubble wrap and other protective packing
• For magnetic media devices, use anti-static bubble wrap
• While transporting, secure the computer/evidence pack on the floor of the vehicle, where the ride is smooth
• Avoid exposure to shock/vibrations during transport
• Avoid exposure to direct sunlight during transportation/storage
International Best Practices Flowchart
©2016 Deloitte Shared Services India LLP – International Best Practices – Incident Response and Crime Scene Management
Discovery of items to be seized
Prescribed Tools for Digital Forensics Lab
• EnCase
• FTK Imager
• Cellebrite UFED
• IDEA Caseware
• Tableau Data Visualisation
• Advik CDR
• Abbyy Flexi Capture
• TrueBack
• CyberCheck
• TrueImager
• TrueLock
• F-RAT
“No matter how good you are, you can be traced”
THANK YOU
M Karthik Manickam
Deputy Director, I&CT