
1.1 PROLOGUE

The revolution in digital technology has been tremendous and has outpaced all other revolutions
of the past, be it the industrial or nuclear revolution. Over the last decade, principally due to
the development of digital technology, the world has become a global village. Society has just started
to cultivate the legitimate and the beneficial potential of the rapidly changing and extremely
powerful digital technology for business, empowering individuals & communities and for
promoting economic development. World cultures are becoming more and more dependent on
digital computer systems and networks. Much like other cultural changes that have moved in to
transform our lives, the availability of digital technology inevitably leads to misuse by anti-social
or nefarious individuals. Unlike businesses, governments and individuals, the criminal elements
are taking unfair advantage of the enormous capabilities of this breathtaking and exciting new
technology. Hence technological crimes have grown at an alarming rate. Criminals are exploiting
digital technology to assist in committing traditional as well as innovative forms of unpredictable
and unforeseen crimes.

Today, computer frauds and cyber crimes are moving beyond the conventional realm. As the use of
computers and the Internet grows exponentially, so does the criminal abuse. Due to the ubiquity of digital
technology, most crimes today have technological dimensions attached to them. As the
awareness of computers reaches the grass-roots level and more sophisticated, powerful
machines and software become easily and economically available, the threat and impact of Computer
Frauds and Cyber Crimes [CFCC] loom large over society. CFCC are driven by the
fundamental principle of criminology that crime follows opportunity, motivation and skill;
opportunities and skills abound in today’s digital technology era.

1.2 BACKGROUND

For the criminals, CFCC including computer and digital technology related crimes are proving to
be a low investment, low risk, and low guilt method of making quick money and spreading
terrorism. CFCC leads to denial of information, loss of money, loss of intellectual property,
wastage of valuable time, mental harassment and attack on privacy of innocents. To make things
worse, the investigative and law enforcement agencies have been under-prepared to tackle this
exploding new form of crime, as there is lack of standard guidelines, methodologies, principles
and tools. Information technology related legislation worldwide is evolving and requires more
time and effort, as well as regular revisions, to be useful in the long run.

A proper classification of technological crimes, their impact, existing practices, tools and
methodologies, along with the problems encountered by investigating and law enforcement
agencies, is of paramount importance. The best way to reduce the number of CFCC incidents is
to detect them and book the persons behind them, thus creating awareness among both the criminals
and the public. But it has been observed that analyzing CFCC takes significantly more time than a
perpetrator takes to actually commit it. In general, investigative agencies lag behind in adapting to
new technologies and their approach is reactive rather than proactive.

A successful investigation of CFCC ideally requires a set of trusted guiding principles to detect
and fix the crime and to book the criminal (Human Being Involved). For this, an urgent
requirement is to look at the traditional forensic science principles in the light of advancements in
digital technology and adapt the principles to the technology. This will, in turn, have a far
reaching impact in tackling CFCC. The other major requirement is that the methodologies and
solutions for detecting and fixing the most common CFCC are to be developed in an affordable
way.

1.3 DIGITAL FORENSICS

Forensic Science can be defined as the application of a broad spectrum of scientific methods and
processes to answer questions of interest to the legal system. Another definition says “Forensic
science is the application of science and engineering to assist legal proceedings to prove guilt and
to save the innocent by applying investigation and analysis techniques to determine and acquire
potential legal evidence” [1].

The relationship of forensic science with law and science & technology is very clear and they
influence each other. Traditional forensic science uses science & technology to answer questions
pertaining to investigation in an admissible manner primarily using physicochemical and
biological characteristics of the entities involved.

Digital Forensics [2] can be defined as the use of scientifically derived and proven methods,
towards the preservation, collection, validation, identification, analysis, interpretation,
documentation and presentation of digital evidence, derived from digital sources, for the purpose
of facilitating or furthering the reconstruction of events found to be criminal, or helping to
anticipate unauthorized actions shown to be disruptive to planned operations as shown in Fig-1.1.

Fig-1.1 Nucleus of Digital Forensic Research¹

Digital forensics can be classified into computer forensics, cyber forensics, software forensics,
embedded system forensics, audio/ video forensics, mobile phone forensics, and digitized
document forensics to cover major types of digital technological crimes. The study concentrates
on the following domains of digital forensics (Fig-1.2).

¹ A Road Map for Digital Forensic Research, Report From the First Digital Forensic Research Workshop
(DFRWS). August 7-8, 2001. Utica, New York.

[Figure: DIGITAL FORENSICS divided into COMPUTER FORENSICS, CYBER FORENSICS, SOFTWARE FORENSICS and DIGITIZED DOCUMENT FORENSICS]

Fig-1.2 Digital Forensics Classification

1.3.1 COMPUTER FORENSICS

Computer Forensics, also known as media forensics, is that branch of digital forensic science
which deals with the investigation and analysis of a stand-alone computer involved in crime. Here
the investigation gathers evidence from the computer media seized at the crime scene by
extracting hidden or deleted information from the storage devices.

The computer forensics process includes imaging storage media, recovering deleted files,
searching various places where evidence can reside like slack space, free space, and hidden
partitions, and preserving and analyzing collected information for presenting in the court of Law
with appropriate interpretations and conclusions. In general, Computer Forensics methods are
used for one computer at a time. Crimes, which come under this category, are fraudulent
alteration or generation of counterfeited documents e.g., currency, certificates, share certificates
etc.
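
To make the notion of slack space concrete, the following added example (not part of the original study) extracts file slack from a raw image and reports residue left by earlier data. The cluster size, the `FileEntry` record, the contiguous-allocation assumption and the sample image are all constructed for illustration; a real examination reads cluster chains from the file system's own metadata.

```python
from dataclasses import dataclass

CLUSTER = 512  # assumed cluster size in bytes for the constructed image


@dataclass
class FileEntry:
    """Hypothetical directory record: name, first cluster, logical size."""
    name: str
    start_cluster: int  # first cluster of a contiguous allocation (assumption)
    size: int           # logical file size in bytes


def clusters_needed(size: int, cluster: int = CLUSTER) -> int:
    """Number of whole clusters allocated to a file of `size` bytes."""
    return -(-size // cluster)  # ceiling division


def file_slack(image: bytes, entry: FileEntry, cluster: int = CLUSTER) -> bytes:
    """Bytes between the logical end of file and the end of its last cluster."""
    start = entry.start_cluster * cluster
    end_alloc = start + clusters_needed(entry.size, cluster) * cluster
    return image[start + entry.size:end_alloc]


def slack_residue(image: bytes, entries, cluster: int = CLUSTER) -> dict:
    """Map file name -> non-zero slack content (remains of earlier data)."""
    found = {}
    for e in entries:
        slack = file_slack(image, e, cluster)
        if slack.strip(b"\x00"):            # anything other than zero fill
            found[e.name] = slack.rstrip(b"\x00")
    return found


def build_sample_image():
    """Constructed image: an old record is deleted, then a shorter file reuses cluster 0."""
    image = bytearray(2 * CLUSTER)
    old = b"OLD-RECORD (constructed sample): invoice draft v1 " * 8
    image[0:len(old)] = old                 # earlier file, later deleted
    new = b"new memo\n" * 10
    image[0:len(new)] = new                 # new file overwrites only its own length
    entries = [FileEntry("memo.txt", 0, len(new)),
               FileEntry("empty.bin", 1, 100)]
    return bytes(image), entries


if __name__ == "__main__":
    img, files = build_sample_image()
    for name, data in slack_residue(img, files).items():
        print(f"{name}: {len(data)} bytes of residue, starts {data[:40]!r}")
```

The tail of the deleted record survives in the slack of `memo.txt` even though the directory no longer lists it, which is why slack space is examined on a write-protected image rather than on the seized media itself.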

1.3.2 CYBER FORENSICS

Cyber Forensics, also known as network forensics, is the use of scientifically proven techniques to
collect, fuse, identify, examine, correlate, analyze, and document digital evidence from multiple,
actively processing and transmitting digital sources for the purpose of uncovering facts related to
the planned intent, or measured success of unauthorized activities meant to disrupt, corrupt,
and/or compromise system components as well as providing information to assist in response to
or recovery from these activities.

Cyber forensics deals with forensic analysis of digital evidence that is distributed across computer
networks. This evidence is often transient in nature and is not preserved within a single
storage medium. In a networked environment, it is imperative to perform forensic-like examinations
of victim systems, in a proactive and preventive approach, in addition to traditional post-mortem
forensic analysis. Cyber forensics includes examination of data related to both trans- and post-
cyber attack periods. Crimes which come under this category include remote break-ins, hacking,
cracking, virus distribution, cyber harassment, phishing, intrusion etc.

1.3.3 SOFTWARE FORENSICS

Software Forensics, also called code analysis, is that branch of digital forensic science which
deals with the identification and categorization of the author of malicious code, e-mail and any other
e-document. The key to identifying the author of suspect code is the selection of an appropriate body of
code and appropriate features for comparison. Crimes that are to be dealt with under this category
are identification of plagiarism, author of malicious code, profiling and categorization.

1.3.4 DIGITIZED DOCUMENT FORENSICS

Digitized Document Forensics can be defined as an upcoming branch of forensic science which
deals with the development of methodologies to detect fraudulent documents and solutions to link
a generated fraudulent document to its source (scanning and printing devices used) in an admissible
manner.

1.4 SOME OPEN PROBLEMS

The growing menace of CFCC has a lot of open problems for the digital forensic community.
Some of the major gaps in research are as follows:

1. Lack of suitable forensic principles to encompass digital investigations.

2. Lack of available and scalable tools for digital forensic investigation in a very fast-changing technological scenario.

3. Lack of availability of Standard Operating Procedures (SOP) for digital forensic investigation.

4. Lack of understanding and acceptance of the digital forensic investigation process and evidence by the Judiciary.

5. Lack of understanding of corresponding legal issues and constraints of technology on computer frauds and cyber crimes and in turn to digital forensics.

A successful digital forensic investigation requires a digital investigation life cycle guided by sound
principles and methodologies to gather digital evidence which is trustworthy and admissible in
the court of law. Finally, the global nature of CFCC requires solutions to be developed keeping in
mind international legislation and requirements. The objective of this research is to analyze the open
issues in forensic investigation of CFCC and hence to study and enhance the forensic principles to
encompass the digital objects, artifacts and technology used in CFCC. In order to establish the
enhanced forensic principle, case studies in the different areas pertaining to CFCC have been
carried out.
