Cyber Forensic Report - Data Recovery Module
Cyber Forensic Report as part of my academics
Cyber Forensic Investigation Report
Submitted By:
Name: Ivneet Singh
ID: TP023861
Intake: UC3F1010IT(ISS)
Module: Data Recovery
Submitted To:
NOR AFIFAH BINTI SABRI
(Lecturer)
Contents
Computer Evidence Analysis Report
  Case Background
  Investigation Outlines
First Information Report
Property Search and Seizure Form
Request for Service
Chain of Custody Form
Investigation Report
Chain of Custody Form
Investigation Report
Chain of Custody Form
Investigation Report
Cyber Forensic Analysis
  Evidence Device 1
  Evidence Device 2
  Evidence Device 3
Computer Evidence Assessment Checklist
Cyber Forensic Analysis Report
Computer Evidence Analysis Checklist
Detailed Case
  Introduction
  Background of the Issue
Details of the Cyber Forensic Carried Out by Team
  Evidence Analysis
Complaint to Adjudicating Officer
Legal Issues
  Information Theft
  Applicable Law
COMPUTER EVIDENCE ANALYSIS REPORT
Case Background
An internal investigation is to be conducted at Detag Industries, a company that manufactures fuel cell batteries used by thousands of companies worldwide. The investigation is required because one of their research assistants in the R&D lab, Mr. Robert, is suspected of leaking confidential information to their major competitor, Rift, Inc. This came to light right after they noticed that their clients are no longer re-ordering these fuel cell batteries, which were once unique to Detag, and are instead ordering from Rift, Inc.
After a thorough investigation into the reason this is occurring, it was established that a CD containing a great deal of confidential information had been taken out of the research and development laboratory without any authorization. Surveillance camera video showed that this offence had been committed on the 26th of April 2008 at around 4:45pm by Mr. Robert. Due to this, Mr. Robert is suspected of committing two crimes: accessing this confidential information without authorization and leaking that information.
To proceed with the investigation, a USB flash drive was seized from Robert Saunders. To help with this investigation, an investigation team consisting of IT security and forensic experts was approached. A USB flash drive and laptop were later seized from Robert Saunders' possession for further investigation. Both were taken into custody by the company and handed over to the investigation team for analysis. The leader of the investigation team, David Keen, has requested you to analyze the USB flash drive and laptop and provide a report on your findings.
Investigation Outlines:
While investigating cybercrime cases, the team follows the process outlined below:
1. The filled-in request for service (RFS) is obtained from the client (Detag). The RFS helps the team to understand what the client expects from the investigation. In the RFS, the client describes the crime and requests the team to investigate it.
2. The team then appoints a lead investigator (Mr David) for the case. The lead investigator meets the client to discuss the investigative avenues and potential evidence being sought in the investigation. The lead investigator and the investigation team for each case are appointed with great care and caution. The technical requirements of the investigation are the primary basis for the selection of the team and the lead investigator.
3. The relevant information, media, documents etc. are then received from the client. The chain of custody form in respect of each of these items is duly filled in by the team of investigators.
4. The chain of custody form in respect of each device is meticulously updated throughout the investigation. One copy of the chain of custody form in respect of each device is handed over to the client at the end of the investigation.
5. Where possible the media (USB and hard drive) is imaged. The original media is returned to the client and the image is retained for investigation.
6. The images are authenticated using the MD5 and/or SHA-1 hash functions. Detailed cyber forensic analysis and investigations are carried out in a secure and confidential manner by skilled professionals.
7. The findings of the analysis and investigation are properly documented and relevant reports are submitted to the court.
FIRST INFORMATION REPORT
(Under Section 154 Cr.P.C)
1. District : New Delhi P.S: Green Lawns Year:2008 FIR No: 29
Date: 27th April 2008
2. (1) Act Information Technology Act, 2000 Section 66
(2) Act Information Technology Act, 2000 Section 43
3. (a) Occurrence of offence:
Date from: 26th April 2008 Date to: 26th April 2008
Time from: 1400 hours Time to: 1645 hours
(b) Information received at P.S.:
Date: 27th April 2008 Time: 1000 hours
(c) General Diary Reference: Entry No. 29A/D Time: 1000 hours
4. Type of Information: Oral
5. Place of Occurrence:
(a) Direction and distance from Police Station : North /3.0 KM
Beat number: 2284
(b) Address : New Delhi / North Delhi INDIA
(c) In case outside the limit of this police station, then
Name of Police Station: District:
6. Complainant / Informant:
(a) Name : Mr. Harrison
(b) Father’s / husband name: Mr. Martin
(c) Date / year of birth : 11 / 09/ 1959
(d) Nationality: INDIAN
(e) Passport No: G560934 Date of Issue: 12/12/1990
Place of Issue: New Delhi
(f) Occupation: IT professional
(g) Address: Brown Road , Green Bihar , New Delhi INDIA
7. Details of known / suspected / unknown accused with full particulars
Name: Mr. Robert Company: DeTag
Sex: Male Occupation: Research Assistant
Age: 35 years
8. Reasons for delay in reporting by the complainant / informant
Not applicable
9. Particulars of properties stolen
Not applicable
10. Total value of property
Not applicable
11. Inquest Report / U.D. case no. , If any
12. First information contents
On 26th April 2008, Mr. Robert was suspected for leaking the private and confidential
information from the DeTag Company. A video surveillance tape was proven as evidence
which states that Mr. Robert was copying the confidential information of the company on
the compact disks. The video was taken on 26th April 2008 at 4:45 PM.
13. Action taken:
Since the above information reveals commission of offence(s) u/s as mentioned at
item No.2:
(1) Registered the case and took up the investigation or
(2) Directed :Mr. Karan Saxena
Rank: Asst. Commissioner of Police No.: IPS2334
(3) Refused investigation due to or
(4) Transferred to police station District on point of jurisdiction.
F.I.R read over to the complainant / informant, admitted to be correctly recorded and copy
given to the complainant / informant, free of cost
R.O.A.C Signature of Officer in charge
Police Station
Name: Karan Saxena
Rank: Asst. Commissioner of Police
No. IPS2334
14. Date and time of dispatch to the court : 28th April 2008 , 1000 hours
PROPERTY SEARCH AND SEIZURE FORM
(Search / Production / Recovery u/s 51/102/165 Cr.P.C)
1. District : New Delhi P.S: Green Lawns Year:2008 FIR No: 29
2. Act & sections : Section 66 of the information Technology Act,2000
3. Nature of property seized: Stolen / Unclaimed/ unlawful possession / Involved /
Intestate.
4. Property Seized / recovered:
(a) Date: 28th April 2008
(b) Time: 1100 hours
(c) Place: 14 Alex Street , New Delhi
(d) Description of the place : DeTag Company , New Delhi
5. Person from whom seized / recovered:
Name: Mr Harrison Father’s name: Mr Joe
Sex: Male Age: 42 years
Address: DeTag Company, New Delhi
Professional receiver of stolen property: Yes / No
6. Witness:
(1) Name: Savita Kulkerni
Father’s / husband name: Gokul Kulkerni
Age: 43 years Occupation: IT professional
Address: 123, LIM SIM , New Delhi
(2) Name: Abhijeet Nayaran
Father’s / husband name: Venkat Narayan
Age: 35 years Occupation: IT professional
Address: 270, Green Avenue road, New Delhi
7. Action taken/ recommended for disposal of perishable property
Not Applicable
8. Action taken / recommended for keeping of valuable property
Deposited with computer storage room at New Delhi District Court
9. Identification required : Yes / No
10. Details of property seized / recovered
(1) Toshiba Laptop Model no – A48756876 having serial number 95535353BF
(2) Kingston USB Flash Drive Model No - M9724ZP/A having serial number
MHY2250BH
(3) Video Tape Model No - TDK E249 NHS having serial number 223-442-2060
11. Circumstances / grounds for seizure
The above laptop, USB flash drive and video tape are suspected to have been used to plan and commit the offence by the accused in Case no. 29 registered with Green Lawns Police Station.
12. The above mentioned properties were seized in accordance with the provisions of law in the presence of the above said witnesses and a copy of the seizure form was given to the person / the occupant of the place from whom seized.
13. The properties mentioned above were packed and / or sealed and the
signature of the above said witnesses obtained thereon or on the body of the property.
REQUEST FOR SERVICE
RFS No. IN-PNQ/03-08/084
Date: 28th April 2008
Client name and address: DeTag Company, New Delhi, INDIA
Client's authorised representative
Name: Mr Harrison
Phone: 9812288990
Fax: 011-604690
Background of the case: On 26th April the Detag company found that the suspect Mr Robert, working as assistant researcher in the research and development department, was leaking the DeTag Company's confidential information to their competitors. From the video surveillance tape they found that Mr Robert copied the confidential information from the company laptop onto a compact disk.
Details of the media:
(1) Toshiba Laptop Model no – A48756876 having serial number 95535353BF
(2) Kingston USB Flash Drive Model No - M9724ZP/A having serial number MHY2250BH
(3) Video Tape Model No - TDK E249 NHS having serial number 223-442-2060
Have the computer(s), media etc. mentioned above been accessed / examined prior to being handed over to the team? If yes give details.
The Laptop, USB flash drive and Video Tape have been seized from the suspect. Thereafter there has been no access / examination of the media listed above.
Services requested from team: Analyse the seized hard disk from the laptop, the Kingston flash drive and the video surveillance tape to recover evidence related to the undisclosed information.
For internal use only (Please leave blank)
Case received on: 28th April 2008
Case received by: Mr David
Referred by: Mr Harrison
Category: Tax / Porn / Financial / Cyber    Priority: 1 2 3 4 5 6 7 8 9 10
Chain of Custody Form
Lead Investigator: Mr David
Case number: IN-PNQ/03-08/084
Evidence number: HDD-01
Date and time of confiscation / recovery: 28th April 2008 [1425 hours]
Person from whom confiscated / recovered: Mr Robert
Place of confiscation / recovery: DeTag Company, New Delhi, INDIA
Details of prior access / investigation: NIL
Description of media: TOSHIBA LAPTOP HARD DISK
Model no: M9724ZP/A
Manufacturer: TOSHIBA
Serial no: 95535353BF
Dimensions: 10cm * 14.5 cm * 2.5 cm
Capacity: 160 GB
Jumper: Master
Interface: IDE
LBA Add. Sec.: 78,242,976
Unusual marks, if any: None
Chain of custody
Date and Time | Released by | Released to | Purpose of change of custody
29th April 2008 1005 hours | Mr David | Mr Thomas | Creation of image, computation of hash value
29th April 2008 1245 hours | Mr Thomas | Mr David | For returning to client
29th April 2008 1430 hours | Mr David | Mr Harrison | Returned to client
Investigation Report
The MD5 Hash Value of HDD-01 [Case: IN-PNQ/03-08/084] as computed using WinHex 14.4 SR2 software (hereafter referred to as WinHex) licensed to the investigation team is:
MD5 HASH (128 Bit) = 1F4E08B0FAECC667EC2DC500BD118AEE
Figure: Computing MD5 (128 Bit) hash value
Figure: Computing SHA-1 (160 Bit) hash value
SHA-1 HASH (160 Bit) = DE4C8CD227F6A0B4A1E1D08DF95034381F15388E
The image of evidence number HDD-01 was created by Mr David using WinHex. The image was named USB-01. The MD5 Hash and SHA-1 Hash Value of the image as computed using WinHex are:
MD5 HASH (128 Bit) = 1F4E08B0FAECC667EC2DC500BD118AEE
SHA-1 HASH (160 Bit) = DE4C8CD227F6A0B4A1E1D08DF95034381F15388E
Chain of Custody Form
Lead Investigator: Mr David
Case number: IN-PNQ/03-08/084
Evidence number: USB-01
Date and time of confiscation / recovery: 28th April 2008 [1425 hours]
Person from whom confiscated / recovered: Mr Robert
Place of confiscation / recovery: DeTag Company, New Delhi, INDIA
Details of prior access / investigation: NIL
Description of media: USB Flash Drive
Model no: A4875687
Manufacturer: Kingston
Serial no: MHY2250BH
Dimensions: 36.4 x 25.6 x 5.7mm
Capacity: 512 MB
Jumper: N/A
Interface: N/A
LBA Add. Sec.: N/A
Unusual marks, if any: Without cover; some scratches on the top and covered with cello tape from the edges.
Chain of custody
Date and Time | Released by | Released to | Purpose of change of custody
29th April 2008 1500 hours | Mr David | Mr Thomas | Creation of image, computation of hash value
29th April 2008 1745 hours | Mr Thomas | Mr David | For returning to client
29th April 2008 1930 hours | Mr David | Mr Harrison | Returned to client
Investigation Report
The MD5 Hash Value of USB-01 [Case: IN-PNQ/03-08/084] as computed using WinHex 14.4 SR2 software (hereafter referred to as WinHex) licensed to the investigation team is:
MD5 HASH (128 Bit) = 2A0A9A93069AC2A8A5C6EF4BCB615BA4
Figure: Computing MD5 (128 Bit) hash value
Figure: Computing SHA-1 (160 Bit) hash value
SHA-1 HASH (160 Bit) = 3D1598FD832247EFCD58DE76E943DF190E46E10B
The image of evidence number USB-01 was created by Mr David using WinHex. The image was named USB-01. The MD5 Hash and SHA-1 Hash Value of the image as computed using WinHex are:
MD5 HASH (128 Bit) = 2A0A9A93069AC2A8A5C6EF4BCB615BA4
SHA-1 HASH (160 Bit) = 3D1598FD832247EFCD58DE76E943DF190E46E10B
Chain of Custody Form
Lead Investigator: Mr David
Case number: IN-PNQ/03-08/084
Evidence number: VHS-01
Date and time of confiscation / recovery: 28th April 2008 [1425 hours]
Person from whom confiscated / recovered: Mr Harrison (Detag executive)
Place of confiscation / recovery: DeTag Company, New Delhi, INDIA
Details of prior access / investigation: NIL
Description of media: Video Tape
Model no: TDK E249 NHS
Manufacturer: RTI
Serial no: 223-442-2060
Dimensions: 7 3/8 x 4 1/16 x 1
Capacity: 24 hours
Jumper: N/A
Interface: N/A
LBA Add. Sec.: N/A
Unusual marks, if any: Without cover; some scratches on the top and covered with cello tape from the edges.
Chain of custody
Date and Time | Released by | Released to | Purpose of change of custody
29th April 2008 1500 hours | Mr David | Mr Thomas | Creation of image, computation of hash value
29th April 2008 1745 hours | Mr Thomas | Mr David | For returning to client
29th April 2008 1930 hours | Mr David | Mr Harrison | Returned to client
Investigation Report
The MD5 Hash Value of USB-01 [Case: IN-PNQ/03-08/084] as computed using WinHex 14.4 SR2 software (hereafter referred to as WinHex) licensed to the investigation team is:
MD5 HASH (128 Bit) = 83A16902A0D4F9C98A62E7C3B6F1B0BC
Figure: Computing SHA-1 (160 Bit) hash value
SHA-1 HASH (160 Bit) = FB404B61CFFD01254C47B7676FCE24320F396F88
The image of evidence number USB-01 was created by Mr David using WinHex. The image was named USB-01. The MD5 Hash and SHA-1 Hash Value of the image as computed using WinHex are:
MD5 HASH (128 Bit) = 83A16902A0D4F9C98A62E7C3B6F1B0BC
SHA-1 HASH (160 Bit) = FB404B61CFFD01254C47B7676FCE24320F396F88
CYBER FORENSIC ANALYSIS
Objective
To determine if the laptop and USB flash drive contain any evidence to show Mr. Robert was
involved in the crime affecting Detag Company.
Evidence device 1: Toshiba Laptop Model no – A48756876 (Hard Drive)
Evidence Device 2: Kingston USB flash drive 512 MB Model no- M9724ZP/A
Evidence device 3: Video surveillance tape – TDK E249 VHS
Evidence device 1: Toshiba Laptop Hard drive
I then began analysis of the image file named HDD-01.
(1) We opened the image file in WinHex using the "specialist > Interpret Image File Disk" option (Illustrated below).
(2) We then viewed the contents of the image file in the directory browser of WinHex (Illustrated below).
(3) On previewing the data in the image I found many files and folders which contain the company's confidential information. Some of these files and folders were recovered by me using WinHex.
Figure: Contents of Local Disk (C)
Figure: Local Disk (C) \Windows\Desktop
Figure: Local Disk (C) \Windows\System 32
Figure: Local Disk (C) \Windows\Internet Logs
Figure: Contents of Local Disk (D)
Figure: Local Disk (D) \DeTag
(4) A detailed analysis of the hard drive was conducted, and the files below were recovered from it.
(5) A total of 59 recovered files contained confidential information regarding Detag Company.
(6) 11 root folders were recovered from the image, containing many sub folders of Windows system files.
(7) On further investigation I found 7 PDF files of E-tickets and travel information belonging to Mr Robert on the desktop, which suggest he might be planning to leave the country very soon.
(8) Total files and folders recovered from the image are listed below:
18 .PDF files
22 .Txt files
12 .docx files
7 .xls files
11 root folders
4 sub folders
(9) Four document files were password protected; their passwords were recovered using licensed forensic software.
Details of the files recovered from Mr Robert's Laptop Hard Drive
Files recovered from local drive (C)
Analysing files recovered from the desktop:
The files recovered from the desktop show that Mr. Robert was planning to move to Malaysia very soon. Among the recovered files we found some E-tickets booked by Mr. Robert to Malaysia. Some tour and traveller information was also available in these files.
Analysing the URL History
Monday, March 24, 2008
Star-Jobs Online: We've shifted to MyStarJob.com
Jobs in Malaysia | careerjet.com.my
Best Jobs Malaysia :: Malaysian job search, job bank, employment and recruitment
JobsMalaysia.gov.my - Gerbang Kerjaya Interaktif Anda
Jobs in Malaysia, Selangor Jobs & Kuala Lumpur Jobs - JobsDB Malaysia
Jobs in Malaysia, Malaysia jobs | Kerja & jawatan kosong - JobStreet.com
jobs in malaysia - Google Search
Malaysia Airline (MAS) Online Booking Tickets
Malaysia airline tickets - Reservation, booking, best prices, system and comparison of airline systems
Cheap Flights, Airline Tickets, Cheap Plane Tickets, Cheap Airfare – CheapOair
Malaysia Airlines airticket booking - Google Search
airticket booking in malaysia - Google Search
Malaysia Hotels - Online hotel reservations for Hotels in Malaysia
Booking.com: Hotels in Malaysia. Book your hotel now!
hotel booking in malaysia - Google Search
How to rebuild a Li-Ion battery pack
Cell Phone Batteries
damage battery cells - Google Search
Google
RIFT - Home - Dynamic Fantasy MMORPG
rift - Google Search
detag - Google Search
DE TAG INDUSTRY SDN BHD - Electronic Article Surveillance ( EAS )
DE TAG INDUSTRY SDN BHD - Electronic Article Surveillance ( EAS )
indian immigrants - Google Search
Bureau of Immigration
Battery Cells
Battery (electricity) - Wikipedia, the free encyclopedia
battery cells - Google Search
Gmail: Email from Google
Yahoo! Mail: The best web-based email!
MATTA Portal
MALAYSIA CENTRAL: Travel & Tours Agents, Tour Operators, Holidays, Sightseeing & Reservation
The URL history from Mr. Robert's laptop, listed above, shows that he was planning to move out of the country to Malaysia to work there, as some of the links also show that Mr. Robert was applying for jobs in Malaysia. One of the links shows that Mr. Robert also searched for their rival company RIFT.
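The review of the URL history above (and the "keyword text searches" step in the analysis checklist later in the report) can be made repeatable by grouping page titles under case-specific keyword sets. This is an added example, not the team's tooling; the keyword groups and the tab-separated history lines are constructed for illustration, modelled on the titles listed above.

```python
"""Keyword triage of recovered browser history: tag each visited page title with
the case themes it touches and count hits per theme."""
import re
from collections import defaultdict

# Keyword groups tied to this case; the grouping is an assumption made for this example.
KEYWORDS = {
    "relocation": ["malaysia", "jobs", "airline", "airticket", "hotel", "immigration", "immigrants"],
    "competitor": ["rift"],
    "subject_matter": ["battery", "batteries", "detag", "de tag"],
}

# Constructed sample history, one "<visit time>\t<page title>" entry per line.
SAMPLE_HISTORY = """\
2008-03-24 09:12\tStar-Jobs Online: We've shifted to MyStarJob.com
2008-03-24 09:15\tJobs in Malaysia | careerjet.com.my
2008-03-24 09:40\tMalaysia Airline (MAS) Online Booking Tickets
2008-03-25 20:05\tHow to rebuild a Li-Ion battery pack
2008-03-25 20:11\trift - Google Search
2008-03-25 20:14\tdetag - Google Search
2008-03-26 08:30\tGmail: Email from Google
"""

# One compiled whole-word pattern per category, so "rift" does not fire on "drift".
_PATTERNS = {
    cat: re.compile(r"\b(?:" + "|".join(re.escape(k) for k in kws) + r")\b", re.IGNORECASE)
    for cat, kws in KEYWORDS.items()
}


def parse_history(text):
    """Yield (visit_time, title) pairs; blank or malformed lines are skipped, not guessed at."""
    for line in text.splitlines():
        if "\t" not in line:
            continue
        when, title = line.split("\t", 1)
        if when.strip() and title.strip():
            yield when.strip(), title.strip()


def classify(title):
    """Return the set of categories whose keyword pattern matches the title."""
    return {cat for cat, pat in _PATTERNS.items() if pat.search(title)}


def triage(text):
    """Group history entries by category; entries matching nothing are kept for manual review."""
    hits = defaultdict(list)
    uncategorized = []
    for when, title in parse_history(text):
        cats = classify(title)
        if not cats:
            uncategorized.append((when, title))
        for cat in cats:
            hits[cat].append((when, title))
    counts = {cat: len(hits[cat]) for cat in KEYWORDS}
    return {"hits": dict(hits), "counts": counts, "uncategorized": uncategorized}


if __name__ == "__main__":
    report = triage(SAMPLE_HISTORY)
    for cat, n in report["counts"].items():
        print(f"{cat}: {n} hit(s)")
        for when, title in report["hits"].get(cat, []):
            print(f"  {when}  {title}")
    print(f"uncategorized: {len(report['uncategorized'])} entry/entries")
```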
Analysing Internet Cookies
From the internet cookies we found that Mr. Robert had been looking into the RIFT Company. It is possible that Mr. Robert was contacting someone from that company to sell Detag Company's private and confidential information.
Analysing the files recovered from local drive (D)
The files and folders illustrated above were recovered from local drive (D) of Mr. Robert's laptop hard drive and contain the files listed below:
No. | Name | Type
1. | 22 Battery | .pdf
2. | Agentlic | .pdf
3. | Battery | .pdf
4. | it_security_policy | .pdf
5. | Lead_Acid_Battery | .pdf
6. | Microsoft Word - IT SecAuditStd _ITRM SEC502-00_ amend 2008 02 21 |
7. | MSDS-Battery-Wet-Acid | .pdf
8. | sme_loans business plan | .pdf
9. | software_license_101 | .pdf
10. | Topic 2 - Battery Cell Balancing - What to Balance and How |
11. | V79 Cell Battery | .pdf
12. | 41602903 | .xls
13. | QuoteRequestForm | .xls
14. | SealedLeadAcidCrossRef | .xls
15. | Solar-Panel-Battery-Sizing | .xls
16. | A guide to Lead Acid batteries | .doc
17. | Battery_guide | .doc
18. | fanancial analysis of honda atlas | .doc
19. | HSA_Tax_Reporting_for_2008 | .doc
20. | kamapril2005_235 | .doc
21. | NICADS | .doc
22. | Nor_ok_nat | .doc
23. | PAYEinfo | .doc
24. | Profile | .doc
25. | pub_249 | .doc
26. | SQB0022APC_33A_65AR_80BC_125BMP | .doc
The files listed in the table above contained a great deal of confidential information about the company, and according to company executives Mr. Robert was not authorized to access this information. Mr. Robert therefore had unauthorized access to the company's private and confidential data.
Analysing the files found in Local Drive (D)/Detag
The files illustrated above were found in the Detag folder on local drive (D). The properties of the Detag folder were marked as hidden, so we recovered the hidden folder and changed its permissions and properties. On analysing these files we found that they were password protected, so using licensed forensic tools we were able to recover the passwords and gain access to the information in the files.
Figure: Customer_details.xls
Figure: Detag_cli.docx
Figure: Financial _review.xls
Figure: Ordersheet.xls
Details of files
No. | Name | Type | Password
1. | Customer_ details | .xls | accessedin
2. | Financial_ review | .xls | accessedin
3. | ordersheet | .xls | accessedin
4. | Detag_cli | .doc | accessedin
Evidence Device 2: Kingston USB flash drive 512 MB Model no- M9724ZP/A
We then began analysis of the image file named USB-01.
(1) We opened the image file in WinHex using the "specialist > Interpret Image File Disk" option (Illustrated below).
(2) We then viewed the contents of the image file in the directory browser of WinHex (Illustrated below).
(3) On analysing the image I found that many files and folders had been deleted. These files and folders were recovered by me using WinHex.
(4) The .Trash – root folder contains 38 files and 3 folders.
(5) Deleted files and folders were recovered from the USB.
(6) The folders Detag and Comp_Prof also contain 25 scanned documents regarding Detag company information.
Figure: Detag folder files recovered
Details of the files recovered from the Detag folder on Mr Robert's USB
No. | Name | Type
1. | Images | .jpg
2. | it-infrastructure-security-policy | .png
3. | lee2 (1) | .gif
4. | lee2 | .gif
5. | Legaldemand | .png
6. | Letter | .gif
7. | Mold | .jpg
8. | ocr-2 | .jpg
9. | Paper_Journal_Entry_001 | .jpg
10. | Pdfconverted | .png
11. | policy-papers_oehrlein_2-2010 | .jpg
12. | Schillings-threat-letter1(crop) | .gif
13. | Sidebar | .jpg
14. | ura21apr08-02 | .gif
Figure: Comp_Prof folder files recovered
Details of the files recovered from the Comp_Prof folder on Mr Robert's USB
No. | Name | Type
1. | 09_12_sb | .jpg
2. | 546c0a5e2e5fab4b59c8d0ca107d3640 | .jpg
3. | 5271 | .png
4. | 618633 | .png
5. | 18578442 | .png
6. | Butler | .gif
7. | china-trademark-infringement-lawsuit-213x300 | .gif
8. | clarkeletter2-1 | .jpg
9. | Fedex | .gif
10. | images (1) | .jpg
11. | images (2) | .jpg
Battery_cell folder
This folder does not contain any file or image.
Details of the other files recovered from Mr Robert's USB
No. | Name | Type
1. | battery cell | .gif
2. | battery_cell_diagram (1) | .jpg
3. | battery_cell_diagram (2) | .jpg
4. | battery_cell_view | .jpg
5. | c74dd42838fb339040f26117f582a269.image.750x497 | .jpg
6. | def52a726f340a528e58602fa43d60ab | .jpg
7. | detagBanner | .png
8. | lithf2 | .gif
9. | New Text Document | .txt
10. | Nicad | .gif
11. | powerex_d_cell_rechargeable_battery_350 | .jpg
12. | Rifts-trademark | .jpg
The analysis of the USB flash drive resulted in the recovery of 38 files of evidentiary / investigative value. These included:
1. 25 scanned images of documents (such as legal papers of the company, upcoming research details of the company, new product launch) pertaining to the company's most confidential data.
2. 3 folders which contained the company's budget and financial details.
3. 11 images that contained formulas and designs of battery cells, among which some traces of Rift Company were also found, such as their logo (image number 12 illustrated in the table above).
4. 1 text file which states the email [email protected]; this email may belong to a Rift company employee.
The files mentioned above have been copied onto 3 CD ROMs. One CD ROM has been archived by the team. Two CD ROMs have been handed over to the client with the final report.
Evidence device 3: Video surveillance tape – TDK E249 VHS
I then began analysis of the image file named VHS-01.
(1) I opened the image file in WinHex using the "specialist > Interpret Image File Disk" option (Illustrated below).
(2) I then viewed the contents of the image file in the directory browser of WinHex.
(3) On analysing the video I found that Mr Robert was stealing the information from the research and development department from the supervisor's head office (Images illustrated below).
Image 1:
Image 2:
Image 3:
Image 4:
Image 5:
Image 6:
Image 7:
Image 8:
The analysis of the video yielded material of evidentiary / investigative value. This included:
The video shows that Mr. Robert was stealing the Detag Company information from the research and development department.
The video and files mentioned above have been copied onto 3 CD ROMs. One CD ROM has been archived by the team. Two CD ROMs have been handed over to the client with the final report.
COMPUTER EVIDENCE ASSESSMENT CHECKLIST
Activity | Done | Date
The "RFS" was obtained from the client | Yes | 28th April 2008
Details of the case were obtained from the client | Yes | 28th April 2008
The cybercrime investigator met with the client and discussed the investigative avenues and potential evidence being sought in the investigation | Yes | 28th April 2008
Computer and other devices were received from the client | Yes | 28th April 2008
The evidence was marked and photographed | Yes | 28th April 2008
Chain of custody was properly documented | Yes | 28th April 2008
BIOS information documented | Yes | 28th April 2008
Image file created and mathematically authenticated | Yes | 28th April 2008
CYBER FORENSIC ANALYSIS REPORT
Report of cyber forensic analysis of hard disk from Toshiba laptop described as under
Model No: K5UFHYG
Capacity: 160GB
Serial No: 45V7GQW34545Q
Report of cyber forensic analysis of USB flash drive described as under
Model No: M9724ZP/A
Capacity: 512 MB
Serial No: MHY2250BH
Report of cyber forensic analysis of USB flash drive described as under
Model No: TDK E249 NHS
Capacity: 300 MB
Serial No: 223-442-2060
This contains the image of the above mentioned files.
Report no.: DeTag / 052008/02 DT. 1st May, 2008
COMPUTER EVIDENCE ANALYSIS CHECKLIST
Activity | Done | Date
The forensic machine was prepared with operating system and forensic and investigation software programs | Yes | 1st May, 2008
The image files from the evidence devices were copied onto the forensic machine and examined | Yes | 1st May, 2008
Deleted files were recovered | Yes | 1st May, 2008
File data was recorded | Yes | 1st May, 2008
Keyword text searches were conducted and hits were reviewed | Yes | 1st May, 2008
Graphics files were opened and viewed | Yes | 1st May, 2008
Passwords for password protected files were recovered | Yes | 1st May, 2008
Encryption keys were recovered | Yes | 1st May, 2008
Unallocated and slack space was searched | Yes | 1st May, 2008
Relevant files (of evidentiary / investigative value) were copied onto a CD ROM | Yes | 1st May, 2008
DETAILED CASE:
Introduction
On 26th April 2008, Mr. Harrison of DeTag Company requested Mr. David, lead investigator of the team, to conduct a detailed investigation of the media (previously retrieved by the team) and the image of the computer hard disk of Mr. Robert's laptop.
Mr. Harrison has declared that he is the person legally entitled to hand over the said laptop, surveillance tape and USB flash disk. The said laptop and video tape are owned by DeTag Company, a company registered under the Companies Act, 1956 and having its office at DeTag Ltd., Park Street, INDIA. The said company authorized Mr. Harrison to hand over the said laptop, surveillance tape and USB flash drive to the investigation team for the said cyber forensic analysis.
Background of the issue
Note: The information below forming the background of the issue is as provided by Mr. Harrison. The said information has not been verified or cross-checked by the investigators or DeTag company employees.
According to Mr. Harrison:
1. The company DeTag came to know that many of their clients are no longer re-ordering from them.
2. The company DeTag suspects that some confidential information is being leaked out of the company to their competitors.
3. So, an internal investigation was conducted to find the suspect.
4. DeTag Company suspects unauthorized access to their confidential information.
5. Authorized officials of DeTag suspect that the said unauthorized access and information theft was carried out by Mr. Robert.
6. Mr. Robert has been working in the research department as an assistant.
7. Authorized officials of DeTag therefore requested the investigation team to conduct a cyber forensic analysis of the above mentioned laptop, video tape and USB flash drive and any other relevant information obtained from the hard disk.
DETAILS OF THE CYBER FORENSIC ANALYSIS CARRIED OUT BY THE TEAM
The entire cyber forensic analysis was carried out by Mr. David's investigation team. The laptop, the other devices and the relevant software used for the cyber forensic analysis are regularly used to store and process information. Throughout the material part of the said cyber forensic analysis, the said laptop, USB flash drive and video tape were operating properly. The objective of the investigation was to analyze the devices and find the relevant evidence. The analysis of the laptop computer, USB flash drive and hard disk resulted in the recovery of 97 files of evidentiary / investigative value. These included: document files (such as legal papers of the company, details of the company's upcoming research, and new product launches) pertaining to the company's most confidential data; 4 password-protected Microsoft Excel files which contained details of the company's budget and financial details; and 18 PDF files containing airline E-tickets. These tickets had been booked online by Mr. Robert, which shows that he is planning to move out of the country very soon.
Evidence Analysis
Based on the results above, it is proven that Mr. Robert Saunders has been viewing these confidential files without authorization. This is proven by the confidential files found on his laptop hard drive, where it is believed they were kept to be viewed later; he had also transferred the files onto his thumb drive. There were some E-tickets on the desktop which show that Mr. Robert was planning to move out of the country very soon. Mr. Robert Saunders is therefore guilty of viewing these files without authorization. Mr. Robert Saunders is also found guilty of committing another crime, which is transferring these confidential files out to unauthorized people. As confidential files have been found on his USB flash drive, and some files were also recovered from it, it is proven that Mr. Robert Saunders had used this USB flash drive to transfer these files out from his laptop to unwanted sources.
By obtaining the information on Mr. Robert Saunders's time of logging in to the laptop, the investigator is also able to find him guilty of committing this crime. This is so because, as mentioned earlier, a CD was brought out of the R&D laboratory on the 26th of April at about 4:45pm, based on the video evidence of Mr. Robert Saunders's records. It is believed that he had
committed the crime of taking out the CD which contains confidential information during this period. Besides that, it has also been proven that he did leak these files out using his thumb drive and also viewed these files without authorization using his laptop, as seen from the date and time the files were accessed. Some of the recovered files also show that Mr. Robert has been communicating with an employee named “Hennry” working at Rift Company. This information was gathered from the evidence found on the USB, which states the email address [email protected].
COMPLAINT TO ADJUDICATING OFFICER
UNDER INFORMATION TECHNOLOGY ACT - 2000
1.
Name of the complainant: Mr. Harrison (DeTag Company)
E-mail address: [email protected]
Telephone No.: 98122356788
Address for correspondence: New Delhi, Green Bihar, INDIA
Digital Signature Certificates (if any): N.A
2.
Name of the respondent: Mr. Robert
E-mail address: [email protected]
Telephone No.: 9814207338
Address for correspondence: Green Avenue, New Delhi, INDIA
Digital Signature Certificates (if any): N.A
3.
Damages claimed: Rs. 10,00,000/-
Fee deposited: Rs 13000/-
4.
Complaint under Section / Rule / Direction / Order etc.: Section 66 and 43 of IT Act
Time of Contravention: 4:45 PM, 26th April 2008
5.
Place of Contravention: New Delhi
6.
Cause of action: The complainant alleges that the respondent has conducted unauthorized access to company confidential data and leaked the information to their rivals.
7.
Brief facts of the case:
1. The complainant is an IT professional working as a team member on the board of directors of DeTag.
2. The respondent is also an IT professional working in DeTag company in the research and development department as a research assistant.
3. On 26th April, while an internal investigation in the company was going on, they found that Mr. Robert stole the company's private and confidential material by copying it onto a CD-ROM.
4. From the video surveillance tape it was found that at 4:45PM on 26th April Mr. Robert was copying the information onto the CD.
5. The company head then decided to lodge an official complaint against Mr. Robert and also seized the laptop and USB which had been provided by the company to Mr. Robert.
6. Further investigation was then carried out by the cyber crime department.
LEGAL ISSUES
Information Theft
Acts penalized:
Publishing or transmitting obscene electronic material or confidential material
Causing damage to obscene and confidential material
Dishonestly sending or receiving any stolen computer resource or communication device knowing or having reason to believe the same to be stolen
Punishment: Imprisonment up to 3 years and / or fine up to Rs 1,00,000/-
Punishment for attempt: Imprisonment up to 18 months and / or fine up to Rs 1,00,000/-
Punishment for abetment: Imprisonment up to 3 years and / or fine up to Rs 1,00,000/-
Whether cognizable? Yes
Whether bailable? Yes
Whether compoundable? Yes. However, it shall not be compounded if the crime affects the socio-economic conditions of the country or has been committed against a child below the age of 18 years or against a woman.
Investigation authorities: Police officer not below the rank of inspector; Controller; Officer authorized by the Controller under section 28 of the Information Technology Act
Relevant court: Magistrate of the first class
First appeal lies to: Court of session
Applicable Law
Mr. Robert obtains the information by hacking or social engineering, then uses the information for the benefit of his own business.
Usual motives: Illegal financial gain
Before 27 October, 2009: Sections 43 & 66 of the Information Technology Act and section 426 of the Indian Penal Code
After 27 October, 2009: Sections 43, 66 & 66B of the Information Technology Act and section 426 of the Indian Penal Code
Applicable Law
Mr. Robert obtains the information by hacking or social engineering and threatens to make the information public unless the victim pays him some money.
Usual motives: Illegal financial gain
Before 27 October, 2009: Sections 43 & 66 of the Information Technology Act and section 384 of the Indian Penal Code
After 27 October, 2009: Sections 43, 66 & 66B of the Information Technology Act and section 384 of the Indian Penal Code
Applicable Law
A disgruntled employee (Mr. Robert) steals the information and passes it to the victim's rival and also posts it to numerous websites and newsgroups.
Usual motives: Revenge
Before 27 October, 2009: Sections 43 & 66 of the Information Technology Act and section 427 of the Indian Penal Code
After 27 October, 2009: Sections 43, 66 & 66B of the Information Technology Act and section 427 of the Indian Penal Code