Indian Efforts in Cyber Forensics

Transcription

1 Indian Efforts in Cyber Forensics B. Ramani Addl. Director 10-Feb-09 Resource Centre for Cyber Forensics 1

2 Presentation Overview About C-DAC Resource Centre for Cyber Forensics C-DAC Cyber Forensics Solutions Future Plans 10-Feb-09 Resource Centre for Cyber Forensics 2

3 National Coverage C-DAC, Pune C-DAC, Bangalore C-DAC, Delhi C-DAC, Hyderabad C-DAC, Mumbai C-DAC, Chennai C-DAC, Kolkata C-DAC, Mohali C-DAC, Noida C-DAC, Trivandrum

4 C-DAC Trivandrum An ISO certified premier R&D Institution involved in the design, development and deployment of world class electronic and IT solutions for economic and human advancement, under DIT,Govt of India Established in 1974 as Keltron R&D Center; Taken by GoI in 1988; Formerly Known as ERDCI Work force of 800+

5 AREAS OF RESEARCH Control & Instrumentation Power Electronics Broadcast & Communications Strategic Electronics ASIC Design Cyber Forensics

6 Resource Centre for Cyber Forensics The Resource Centre for Cyber Forensics (RCCF) is the premier centre for cyber forensics in India. It was setup in C- DAC, Thiruvananthapuram by the Ministry of Communications and Information Technology and has been functioning for the past three years. The primary objectives of RCCF are Develop Cyber Forensics tools based on requirements from Law Enforcement Agencies Carry out advanced research in cyber forensics Provide technical support to LEAs 10-Feb-09 Resource Centre for Cyber Forensics 6

7 C-DAC Cyber Forensics Solutions 10-Feb-09 Resource Centre for Cyber Forensics 7

8 C-DAC Tools CyberCheck Suite Disk Forensics Tools TrueBack V3.1 on Linux Disk Imaging Tool TrueBack V1.0 on Windows Disk Imaging Tool CyberCheck V3.2 on Windows Data Recovery and Analysis Tool NetForce Suite Network Forensics Tools CyberInvestigator V1.0 on Windows Forensic Log Analyzer NeSA V1.0 on Linux Network Session Analyzer Tracer V3.0 on Windows Tool for tracing sender of DeviceAnalyst Suite Device Forensics Tools PDA Imager & Analyzer Tool for imaging and analyzing PDA contents SIM Card Imager & Analyzer Tool for imaging and analyzing GSM SIM Cards CDR Analyzer Tool for analyzing Call Data Records Cyber Forensics Hardware Tools TrueImager High speed H/W based Disk Imaging Tool TrueLock H/W based drive lock for write protecting IDE/SATA disks 10-Feb-09 Resource Centre for Cyber Forensics 8

9 TrueBack Tuesday, February 10,

10 TrueBack Disk Imaging Tool Software Tool for seizing, acquiring and authenticating Digital Evidence Indigenously developed by RCCF, C-DAC, Thiruvananthapuram Widely used and Certified by agencies like NPA, CBI, IB, CBI Academy, Kerala Police, Forensics Science Laboratories and GEQDs Import substitution for similar products Cost-effective solution Ideal for the use of Indian Law Enforcement Agencies

11 TrueBack Disk Imaging Tool National Institute of Standards and Technology (NIST), USA, disk imaging tool specification compliant Implementation of National Police Academy (NPA) procedures for Seizure and Acquisition Preview, Seize, Acquire and Seize & Acquire modes of operation Imaging of IDE, SCSI, SATA, CD, DVD, Floppy and USB devices Storage media content previewing facility before seizure and acquisition Report generation in each mode of operation

12 TrueBack Disk Imaging Tool Main User Interface

13 TrueBack Disk Imaging Tool Collecting case details

14 TrueBack Disk Imaging Tool Selecting media for Seizure

15 TrueBack Disk Imaging Tool Case data summary

16 TrueBack Disk Imaging Tool TrueBack Seizure process in progress

17 TrueBack Disk Imaging Tool Seizure process completed

18 TrueBack Disk Imaging Tool Seizure Report

19 TrueBack Disk Imaging Tool Hash values of media and blocks

20 CyberCheck Tuesday, February 10,

21 CyberCheck Data Recovery and Analysis Tool Software Tool for authenticating, recovering, analyzing and reporting Digital Evidence Indigenously developed by RCCF, C-DAC, Thiruvananthapuram Widely used (Over 175 copies have been sold) and Certified by agencies like NPA, CBI, IB, CBI Academy, Kerala Police, Forensics Science Laboratories and GEQDs Import substitution for similar products Cost-effective solution Ideal for the use of Indian Law Enforcement Agencies

22 CyberCheck Data Recovery and Analysis Tool Features Indian Language support Powerful Data recovery facilities High speed search facility Comprehensive Timeline features Detailed Report Generation facility Integrated and Internet History Viewer Facility for identifying password protected files Facility for viewing nested ZIP files

23 CyberCheck Data Recovery and Analysis Tool Unicode and Indian Language Support

24 CyberCheck Data Recovery and Analysis Tool Table and Disk views

25 CyberCheck Data Recovery and Analysis Tool Picture Gallery View

26 CyberCheck Data Recovery and Analysis Tool Timeline View

27 CyberCheck Data Recovery and Analysis Tool Search hits view

28 CyberCheck Data Recovery and Analysis Tool Recovery of deleted file

29 CyberCheck Data Recovery and Analysis Tool Report generated by CyberCheck

30 Tracer Tuesday, February 10,

31 Tracer S/W tool for tracing sender of an Features Trace the originating IP address and other details from header Generates detailed HTML report of header analysis Find the city level details of the sender Plot Route traced by the mail Display the originating geographic location of the mail in the world map Keyword searching facility on content including attachment Tuesday, February 10,

32 Tracer S/W tool for tracing sender of an Tuesday, February 10,

33 Tracer S/W tool for tracing sender of an Tuesday, February 10,

34 Tracer S/W tool for tracing sender of an Tracer WhoIs Search Tuesday, February 10,

35 Tracer S/W tool for tracing sender of an Tracer NS LookUp Tuesday, February 10,

36 Tracer S/W tool for tracing sender of an Tracer IP TraceBack Tuesday, February 10,

37 Tracer S/W tool for tracing sender of an Tuesday, February 10, 2009 Detailed Report 37

38 CyberInvestigator Tuesday, February 10,

39 CyberInvestigator Indigenously developed by CDAC Thiruvananthapuram Helps Law Enforcement Agencies in investigating Cyber Crimes Log analysis tool Analyses Windows and Linux Logs Offline Intrusion Analysis Querying facility

40 Features of CyberInvestigator Supports analysis of offline logs Built in & User defined queries. Signature based Offline Intrusion Analysis Supports analysis of Windows event logs Supports analysis of Linux logs like message log, utmp,wtmp & Cron Supports web traffic analysis Supports analysis of Access log & IIS Log Collects information regarding the insertion of USB devices Collects information regarding unauthorised access

41 CyberInvestigator- Main User Interface

42 Query Interface for Windows Event log

43 Analysis O/P of wtmp log

44 Network Session Analyzer (NeSA) Tuesday, February 10,

45 NeSA Indigenously developed by CDAC Thiruvananthapuram Helps Law Enforcement Agencies in investigating Cyber Crimes Offline Network session analysis tool Reconstructs network sessions from dump files Helps in network trouble shooting and debugging Misuse detection Gather network statistics

46 Features of NeSA Session Reconstruction - HTTP, SMTP, POP3 and FTP Displays the data in Hex view, Image view, File view and Mail view Powerful & Flexible filtering and searching facility Filtering based on MAC, IP, Port, Protocol, Date and Time Facility to export reconstructed files Statistics generation based on different criteria Time zone based analysis

47 POP3 Session Hex View

48 HTTP Session Thumb Nail View

49 POP3 Session Mail View

50 PDA Imager & Analyzer Tuesday, February 10,

51 Introduction Many criminals are now using electronic devices other than PCs to commit illegal activities. Cellular telephones, Smart Phones, and Personal Digital Assistants (PDAs) are only a few of the devices that must now be examined by forensic investigators. CDAC(T) has developed forensics software and hardware tools for the analysis of such devices and PDA Forensics Suite is one among them. PDA Forensics Suite is a is a software tool to forensically acquire, analyze and present the digital evidence from WinCE and Palm OS based PDAs/Smart Phones before the court of law. It consists of two software tools - PDA Imager and PDA Analyzer

52 PDA Imager PDA Imager is used to forensically image PDAs and Smart Phones. It performs logical and physical acquisition of the devices. It also performs Hashing for authenticating the evidence. Version 1.0 of this software supports acquisition of WinCE and Palm OS based PDAs and Smart Phones. This tool is developed as per the directions provided by the NIST for handheld devices.

53 PDA Imager Features Standard Windows application Imaging tool for WinCE/Pocket PC/ Windows Mobile/Palm OS PDAs. Acquisition through USB connection. Supports physical and logical acquisition. Logical acquisition includes files, database and registry. Supports MD5 Hashing. Creates a single evidence file with a specific format. Supports comprehensive HTML reporting.

54 PDA Imager

55 Seizure & Acquisition PDA Imager

56 Acquiring PDA

57 Acquisition Report

58 PDA Analyzer PDA Analyzer is used to forensically examine the evidence collected from PDAs and Smart Phones. It takes the acquired evidence file taken by PDA Imager as input and identify the required information from the image if present and display it in a file viewer with all details.

59 PDA Analyzer Features Standard Windows application. User login facilities. Creates log of each analysis session and analyzing officer s details. Explorer type view of contents of the whole evidence file. Display of folders and files with all attributes. Text/Hex view of the content of a file. Picture view of an image file. Gallery view of images. Timeline View of Files Single and Multiple Keyword search. Search with GREP expressions. File search based on extension. Book marking facility for data, files and folders Registry viewer

60 PDA Analyzer

61 File Viewer

62 Gallery Viewer

63 Timeline Viewer Features(Contd.)

64 Analysis Report Features(Contd.)

65 SIM Card Imager & Analyzer Tuesday, February 10,

66 SIM Card Imager & Analyzer A forensic acquisition tool for GSM Sim Cards Indigenously developed by Resource Centre for Cyber Forensics Analysis methods as per NIST guidelines Generates a detailed report for presentation in court

67 SIM Card Imager & Analyzer Acquires the following contents from SIM Card Phone Book Messages Location Information IMSI Last Dialed Numbers

68 SIM Card Imager & Analyzer

69 SIM Card - Acquisition

72 SIM Card - Analysis Phone Book Details

73 SIM Card - Analysis Message Details

74 SIM Card - Analysis Location Information

75 SIM Card - Analysis Message Summary

76 SIM Card - Analysis Hash Values of different items

77 Cyber Forensics Hardware Tools TrueImager & TrueLock Tuesday, February 10,

78 Hardware Tools TrueImager A disk forensic hardware tool for seizing and acquiring storage media from the scene of cyber crime specially designed for Indian Law Enforcement Agencies TrueLock A hardware forensic tool for write protecting suspect storage media while seizing and acquiring the media from the scene of cyber crime

79 Features & Benefits Smart, Portable handheld Cyber Forensics Digital Evidence Image Recorder. - Seizure - Acquisition High speed data transfer at the rate of 3GB/min Offers built in write-protection of suspect disk. Support Wiping feature for sanitizing the evidence disk.

80 Features Contd. Support 3 types of Suspect disk media: IDE disk SATA disk USB disk Different Views.

81 TrueLock A hardware drive lock which prevents all data writes to hard disk drives connected to a computer s IDE interface. Helps in the preservation of digital evidence. A cost-effective solution for supporting disk imaging Connecting Hard disk to PC through True Lock

82 Features Write protects the IDE Hard Disc connected to the PC s IDE interface. Supports all IDE Drives. Requires no special software. Physical Dimension: 84mm X 41.5mm X 25mm

83 Achievements Designed and developed the first indigenous suite of products for carrying out cyber forensics investigation More than 175 copies of C-DAC s CyberCheck Suite licensed to Law Enforcement Agencies Conducted more than 25 basic and advanced level training programmes on Cyber Forensics to LEAs Analyzed more than 200 Cyber Crime cases and submitted technical reports to different courts in India 10-Feb-09 Resource Centre for Cyber Forensics 83

84 Organizations that use CyberCheck Suite Hitech Cyber Cell, Thiruvananthapuram Army Cyber Security Establishment, New Delhi Intelligence Bureau, New Delhi Delhi Police, New Delhi CBI Academy, Ghaziabad GEQDs of Hyderabad and Shimla CFSL, Hyderabad FSLs of Chandigarh, Chennai, Thiruvananthapuram and Haryana DFSL, Gujarat Cyber Crime Investigation Cell, Thane, Maharashtra Cyber Cells of Bangalore and Arunachal Pradesh SCRB, Thiruvananthapuram National Academy of Taxes, Nagpur National Police Academy, Hyderabad Cabinet Secretariat, New Delhi Kerala IT Mission, Thiruvananthapuram

85 Training on Cyber Forensics Successfully conducted more than 25 training programmes covering basic and advanced Cyber Forensics concepts. Conducted a certificate programme on Cyber Forensics to 32 officers of Kerala Police. Conducted 2 weeks separate training programmes on Cyber Forensics to officers from Intelligence Bureau and Forensic Science Laboratories. Conducted 7 training programmes of one week duration to Judicial Officers in collaboration with CCA at different State Judicial Academies. Recently conducted one month training programme on Cyber Forensics to 51 Police Officers from all Police Districts of Kerala.

86 Case Categories Nature of Crime Number Hacking 17 Document Forgery 65 Financial Frauds 22 Software Piracy 7 Pornography 13 Mobile Phone Crime 64 Crimes 41 Total 229

87 Cyber Forensic Analysis Statistics Agency Reported Cases Analysis Completed RAW 1 1 CBI Bangalore Police 6 6 CCPS Bangalore Chennai Police 3 2 Crime Branch, Kerala Vigilance, Kerala 16 9 Kerala Police Total

88 Advantages of C-DAC Solutions Completely indigenous development Self-reliance in technology Cost-effective solution Developed for Law Enforcement Agencies and Corporate houses Total technical support 10-Feb-09 Resource Centre for Cyber Forensics 88

89 Current Activities Development of Enterprise Forensics System that will provide proactive solutions to cyber crimes and offences in Enterprise and Corporate networks. Design and development of advanced forensic tools for memory analysis, malware analysis, software forensics, peripheral device forensics, etc. Setting up Virtual Training Environment facilities for training 10-Feb-09 Resource Centre for Cyber Forensics 89

90 What C-DAC can offer Provide a well tested and certified cyber forensics suite of products (CyberCheck Suite) for acquisition and analysis on portable lab as well as forensic workstation Cost effective solution Software for Network Forensics, Live Forensics and Device Forensics Hardware tools for disk forensics Introductory training in cyber forensics Advanced training in cyber forensics 10-Feb-09 Resource Centre for Cyber Forensics 90

91 Contacts: B.Ramani, Addl. Director : ramani@cdactvm.in V.K.Bhadran, Addl. Director : bhadran@cdactvm.in K.L.Thomas, Jt.Director : thomaskl@cdactvm.in Resource Centre for Cyber Forensics Centre for Development of Advanced Computing Vellayambalam, Thiruvananthapuram Kerala Phone: Tuesday, February 10,

92 THANK YOU 10-Feb-09 Resource Centre for Cyber Forensics 92