Indian Efforts in Cyber Forensics
10-Feb-09 Resource Centre for Cyber Forensics 1
B. Ramani, Addl. Director
Presentation Overview
• About C-DAC
• Resource Centre for Cyber Forensics
• C-DAC Cyber Forensics Solutions
• Future Plans
National Coverage
• C-DAC, Pune
• C-DAC, Bangalore
• C-DAC, Delhi
• C-DAC, Hyderabad
• C-DAC, Mumbai
• C-DAC, Chennai
• C-DAC, Kolkata
• C-DAC, Mohali
• C-DAC, Noida
• C-DAC, Trivandrum
C-DAC Trivandrum
Established in 1974 as Keltron R&D Center; taken over by GoI in 1988
Formerly known as ERDCI
Work force of 800+
An ISO 9001-2000 certified premier R&D institution involved in the design, development and deployment of world class electronic and IT solutions for economic and human advancement, under DIT, Govt of India
AREAS OF RESEARCH
• Control & Instrumentation
• Power Electronics
• Broadcast & Communications
• Strategic Electronics
• ASIC Design
• Cyber Forensics
Resource Centre for Cyber Forensics
The Resource Centre for Cyber Forensics (RCCF) is the premier centre for cyber forensics in India. It was set up in C-DAC, Thiruvananthapuram by the Ministry of Communications and Information Technology and has been functioning for the past three years.
The primary objectives of RCCF are:
• Develop Cyber Forensics tools based on requirements from Law Enforcement Agencies (LEAs)
• Carry out advanced research in cyber forensics
• Provide technical support to LEAs
C-DAC Cyber Forensics Solutions
C-DAC Tools
CyberCheck Suite – Disk Forensics Tools
• TrueBack V3.1 on Linux – Disk Imaging Tool
• TrueBack V1.0 on Windows – Disk Imaging Tool
• CyberCheck V3.2 on Windows – Data Recovery and Analysis Tool
NetForce Suite – Network Forensics Tools
• CyberInvestigator V1.0 on Windows – Forensic Log Analyzer
• NeSA V1.0 on Linux – Network Session Analyzer
• EmailTracer V3.0 on Windows – Tool for tracing sender of email
DeviceAnalyst Suite – Device Forensics Tools
• PDA Imager & Analyzer – Tool for imaging and analyzing PDA contents
• SIM Card Imager & Analyzer – Tool for imaging and analyzing GSM SIM Cards
• CDR Analyzer – Tool for analyzing Call Data Records
Cyber Forensics Hardware Tools
• TrueImager – High speed H/W based Disk Imaging Tool
• TrueLock – H/W based drive lock for write protecting IDE/SATA disks
TrueBack
TrueBack – Disk Imaging Tool
Software Tool for seizing, acquiring and authenticating Digital Evidence
Indigenously developed by RCCF, C-DAC, Thiruvananthapuram
Widely used and Certified by agencies like NPA, CBI, IB, CBI Academy, Kerala Police, Forensics Science Laboratories and GEQDs
Import substitution for similar products
Cost-effective solution
Ideal for the use of Indian Law Enforcement Agencies
National Institute of Standards and Technology (NIST), USA, disk imaging tool specification compliant
Implementation of National Police Academy (NPA) procedures for Seizure and Acquisition
Preview, Seize, Acquire and Seize & Acquire modes of operation
Imaging of IDE, SCSI, SATA, CD, DVD, Floppy and USB devices
Report generation in each mode of operation
Storage media content previewing facility before seizure and acquisition
TrueBack screenshots:
• Main User Interface
• Collecting case details
• Selecting media for Seizure
• Case data summary
• Seizure process in progress
• Seizure process completed
• Seizure Report
• Hash values of media and blocks
CyberCheck
CyberCheck – Data Recovery and Analysis Tool
Software Tool for authenticating, recovering, analyzing and reporting Digital Evidence
Indigenously developed by RCCF, C-DAC, Thiruvananthapuram
Widely used (Over 175 copies have been sold) and Certified by agencies like NPA, CBI, IB, CBI Academy, Kerala Police, Forensics Science Laboratories and GEQDs
Import substitution for similar products
Cost-effective solution
Ideal for the use of Indian Law Enforcement Agencies
Features
Indian Language support
Powerful Data recovery facilities
High speed search facility
Comprehensive Timeline features
Detailed Report Generation facility
Integrated Email and Internet History Viewer
Facility for identifying password protected files
Facility for viewing nested ZIP files
CyberCheck screenshots:
• Unicode and Indian Language Support
• Table and Disk views
• Picture Gallery View
• Timeline View
• Search hits view
• Recovery of deleted file
• Report generated by CyberCheck
EmailTracer
EmailTracer – S/W tool for tracing sender of an email
Features
• Trace the originating IP address and other details from email header
• Generates detailed HTML report of email header analysis
• Find the city level details of the sender
• Plot Route traced by the mail
• Display the originating geographic location of the mail in the world map
• Keyword searching facility on email content including attachment
EmailTracer screenshots:
• WhoIs Search
• NS LookUp
• IP TraceBack
• Detailed Report
CyberInvestigator
Indigenously developed by CDAC Thiruvananthapuram
Helps Law Enforcement Agencies in investigating Cyber Crimes
Log analysis tool
Analyses Windows and Linux Logs
Offline Intrusion Analysis
Querying facility
Features of CyberInvestigator
Supports analysis of offline logs
Built in & User defined queries
Signature based Offline Intrusion Analysis
Supports analysis of Windows event logs
Supports analysis of Linux logs like message log, utmp, wtmp & Cron
Supports web traffic analysis
Supports analysis of Access log & IIS Log
Collects information regarding the insertion of USB devices
Collects information regarding unauthorised access
CyberInvestigator screenshots:
• Main User Interface
• Query Interface for Windows Event log
• Analysis O/P of wtmp log
Network Session Analyzer (NeSA)
NeSA
Indigenously developed by CDAC Thiruvananthapuram
Helps Law Enforcement Agencies in investigating Cyber Crimes
Offline Network session analysis tool
Reconstructs network sessions from dump files
Helps in network trouble shooting and debugging
Misuse detection
Gather network statistics
Features of NeSA
Session Reconstruction - HTTP, SMTP, POP3 and FTP
Displays the data in Hex view, Image view, File view and Mail view
Powerful & Flexible filtering and searching facility
Filtering based on MAC, IP, Port, Protocol, Date and Time
Facility to export reconstructed files
Statistics generation based on different criteria
Time zone based analysis
NeSA screenshots:
• POP3 Session – Hex View
• HTTP Session – Thumbnail View
• POP3 Session – Mail View
PDA Imager & Analyzer
Introduction
Many criminals are now using electronic devices other than PCs to commit illegal activities. Cellular telephones, Smart Phones, and Personal Digital Assistants (PDAs) are only a few of the devices that must now be examined by forensic investigators. CDAC(T) has developed forensics software and hardware tools for the analysis of such devices and PDA Forensics Suite is one among them.
PDA Forensics Suite is a software tool to forensically acquire, analyze and present the digital evidence from WinCE and Palm OS based PDAs/Smart Phones before the court of law. It consists of two software tools - PDA Imager and PDA Analyzer.
PDA Imager
PDA Imager is used to forensically image PDAs and Smart Phones. It performs logical and physical acquisition of the devices. It also performs Hashing for authenticating the evidence. Version 1.0 of this software supports acquisition of WinCE and Palm OS based PDAs and Smart Phones. This tool is developed as per the directions provided by the NIST for handheld devices.
Features
Standard Windows application
Imaging tool for WinCE/Pocket PC/Windows Mobile/Palm OS PDAs
Acquisition through USB connection
Supports physical and logical acquisition
Logical acquisition includes files, database and registry
Supports MD5 Hashing
Creates a single evidence file with a specific format
Supports comprehensive HTML reporting
PDA Imager screenshots:
• Seizure & Acquisition
• Acquiring PDA
• Acquisition Report
PDA Analyzer
PDA Analyzer is used to forensically examine the evidence collected from PDAs and Smart Phones. It takes the evidence file acquired by PDA Imager as input, identifies the required information in the image if present, and displays it in a file viewer with all details.
Features
Standard Windows application
User login facilities
Creates log of each analysis session and analyzing officer's details
Explorer type view of contents of the whole evidence file
Display of folders and files with all attributes
Text/Hex view of the content of a file
Picture view of an image file
Gallery view of images
Timeline View of Files
Single and Multiple Keyword search
Search with GREP expressions
File search based on extension
Book marking facility for data, files and folders
Registry viewer
PDA Analyzer screenshots:
• File Viewer
• Gallery Viewer
• Timeline Viewer
• Analysis Report
SIM Card Imager & Analyzer
A forensic acquisition tool for GSM SIM Cards
Indigenously developed by Resource Centre for Cyber Forensics
Analysis methods as per NIST guidelines
Generates a detailed report for presentation in court
Acquires the following contents from SIM Card
Phone Book
Messages
Location Information
IMSI
Last Dialed Numbers
SIM Card Imager & Analyzer
![Page 68: Indian Efforts in Cyber Forensics - Cyber · PDF fileIndian Efforts in Cyber Forensics ... Storage media content previewing facility before seizure ... writes to hard disk drives connected](https://reader031.vdocument.in/reader031/viewer/2022021818/5aa94bec7f8b9a90188c9f87/html5/thumbnails/68.jpg)
SIM Card Imager & Analyzer
![Page 69: Indian Efforts in Cyber Forensics - Cyber · PDF fileIndian Efforts in Cyber Forensics ... Storage media content previewing facility before seizure ... writes to hard disk drives connected](https://reader031.vdocument.in/reader031/viewer/2022021818/5aa94bec7f8b9a90188c9f87/html5/thumbnails/69.jpg)
SIM Card - Acquisition
SIM Card - Analysis
• Phone Book Details
• Message Details
• Location Information
• Message Summary
• Hash Values of different items
Cyber Forensics Hardware Tools
TrueImager & TrueLock
Hardware Tools
TrueImager
A hardware forensic tool for write protecting suspect storage media while seizing and acquiring the media from the scene of cyber crime
TrueLock
A disk forensic hardware tool for seizing and acquiring storage media from the scene of cyber crime specially designed for Indian Law Enforcement Agencies
Features & Benefits
Smart, Portable handheld Cyber Forensics Digital Evidence Image Recorder.
- Seizure
- Acquisition
High-speed data transfer at the rate of 3 GB/min.
Offers built-in write protection of the suspect disk.
Supports a wiping feature for sanitizing the evidence disk.
Features Contd….
Different Views….
Supports 3 types of suspect disk media:
• IDE disk
• SATA disk
• USB disk
TrueLock
A hardware drive lock which prevents all data writes to hard disk drives connected to a computer’s IDE interface.
Helps in the preservation of digital evidence.
A cost-effective solution for supporting disk imaging
Connecting hard disk to PC through TrueLock
Features
Supports all IDE Drives.
Requires no special software.
Physical Dimension: 84mm X 41.5mm X 25mm
Write protects the IDE Hard Disc connected to the PC’s IDE interface.
Achievements
• Designed and developed the first indigenous suite of products for carrying out cyber forensics investigation
• More than 175 copies of C-DAC’s CyberCheck Suite licensed to Law Enforcement Agencies
• Conducted more than 25 basic and advanced level training programmes on Cyber Forensics for LEAs
• Analyzed more than 200 Cyber Crime cases and submitted technical reports to different courts in India
Organizations that use CyberCheck Suite
Hitech Cyber Cell, Thiruvananthapuram
Army Cyber Security Establishment, New Delhi
Intelligence Bureau, New Delhi
Delhi Police, New Delhi
CBI Academy, Ghaziabad
GEQDs of Hyderabad and Shimla
CFSL, Hyderabad
FSLs of Chandigarh, Chennai, Thiruvananthapuram and Haryana
DFSL, Gujarat
Cyber Crime Investigation Cell, Thane, Maharashtra
Cyber Cells of Bangalore and Arunachal Pradesh
SCRB, Thiruvananthapuram
National Academy of Taxes, Nagpur
National Police Academy, Hyderabad
Cabinet Secretariat, New Delhi
Kerala IT Mission, Thiruvananthapuram
Training on Cyber Forensics
Successfully conducted more than 25 training programmes covering basic and advanced Cyber Forensics concepts.
Conducted a certificate programme on Cyber Forensics for 32 officers of Kerala Police.
Conducted separate 2-week training programmes on Cyber Forensics for officers from Intelligence Bureau and Forensic Science Laboratories.
Conducted 7 training programmes of one week duration for Judicial Officers in collaboration with CCA at different State Judicial Academies.
Recently conducted a one-month training programme on Cyber Forensics for 51 Police Officers from all Police Districts of Kerala.
Case Categories
| Nature of Crime | Number |
|---|---|
| Hacking | 17 |
| Document Forgery | 65 |
| Financial Frauds | 22 |
| Software Piracy | 7 |
| Pornography | 13 |
| Mobile Phone Crime | 64 |
| Email Crimes | 41 |
| Total | 229 |
Cyber Forensic Analysis Statistics
| Agency | Reported Cases | Analysis Completed |
|---|---|---|
| RAW | 1 | 1 |
| CBI | 32 | 26 |
| Bangalore Police | 6 | 6 |
| CCPS Bangalore | 27 | 24 |
| Chennai Police | 3 | 2 |
| Crime Branch, Kerala | 17 | 11 |
| Vigilance, Kerala | 16 | 9 |
| Kerala Police | 127 | 74 |
| Total | 229 | 153 |
Advantages of C-DAC Solutions
• Completely indigenous development
• Self-reliance in technology
• Cost-effective solution
• Developed for Law Enforcement Agencies and Corporate houses
• Total technical support
Current Activities
• Development of Enterprise Forensics System that will provide proactive solutions to cyber crimes and offences in Enterprise and Corporate networks.
• Design and development of advanced forensic tools for memory analysis, malware analysis, software forensics, peripheral device forensics, etc.
• Setting up Virtual Training Environment facilities for training
What C-DAC can offer
• Provide a well tested and certified cyber forensics suite of products (CyberCheck Suite) for acquisition and analysis on portable lab as well as forensic workstation
• Cost effective solution
• Software for Network Forensics, Live Forensics and Device Forensics
• Hardware tools for disk forensics
• Introductory training in cyber forensics
• Advanced training in cyber forensics
Contacts:
B.Ramani, Addl. Director : [email protected]
V.K.Bhadran, Addl. Director : [email protected]
K.L.Thomas, Jt.Director : [email protected]
Resource Centre for Cyber Forensics
Centre for Development of Advanced Computing
Vellayambalam, Thiruvananthapuram
Kerala – 695033
Phone: 0471 2728929
THANK YOU