
Firoze Zia Hussain

CEO Totem International


Former Superintendent of Police Pondicherry
Firoze@totemint.com
M-919618621234
05/13/10 2
Criminals and Terrorists are increasingly Tech-Savvy.
Are We Ready?

The Ultimate Weapon ... Cyber Warfare
Competitive Weapons of 1990's    Competitive Weapons of 2000
Costs Speed

Speed
Economy of Scale Economy of Skill

Openness Collaboration Collaboration,


Command and Control Communities of Interest

Trust Time Skills


Digital Investigation

Cyber Weapons
EMAIL - An email that looks like it comes directly from your bank.
• Contains links that could cause your machine to reboot and then send out passwords and login information.
• It also usually says "please click on this safe link".
VIRUS - A virus that modifies commercial USB drives. The virus on an infected computer modifies programs on USB drives.
• The infected USB drive, when connected to another computer, can automatically infect the computer and other drives.

What Is Electronic Evidence?
Electronic evidence is information and data of investigative value that
a) is stored on or transmitted by an electronic device.
b) is acquired when data or physical items are collected and stored for examination purposes.
c) is often latent in the same sense as fingerprints or DNA evidence.
d) can transcend borders with ease and speed.
e) is fragile and can be easily altered, damaged, or destroyed.
f) is sometimes time-sensitive.

Electronic Crime Scene Investigations

1. Examination of digital evidence.
2. Investigative uses of technology.
3. Investigating electronic technology crimes.
4. Creating a digital evidence forensic unit.
5. Courtroom presentation of digital evidence.

Managing Digital Evidence in the 21st Century

Digital Forensics
Digital forensics is the application of science and
engineering to the recovery of digital evidence in a
legally acceptable method.
Examiners use digital investigation and analysis
techniques to determine potential legal evidence by
applying their skills on a variety of software programs,
different operating systems, varying hard drive sizes,
and specific technologies such as personal digital
assistants, cell phones, or video cameras.
Examiners are also capable of locating deleted,
encrypted or damaged file information that may serve
as evidence in a criminal investigation.

Global Initiatives - California High-Technology Crime Task Forces
• The design, development, and production of this project utilized grant funds made available from the Governor’s Office of Criminal Justice Planning.
• Helps in achieving even greater levels of success in their prosecution and convictions of those who commit high-technology crimes.
• Legal transcripts, documents, and resource materials were selected and developed using the insight and professional experience of a team of prosecutors.

Email Tracing and Prosecutorial Enforcement Tool
a) Email step-by-step tracing methodology,
b) Expert testimony,
c) Jury presentation,
d) Search warrants, and
e) State and Federal guidelines.
• Veterans who have successfully prosecuted high-technology crime cases were instrumental in the strategy, selection of content, and production design used to address the scale and scope of this complex topic.
• Application of this product — Informative resource
tool that can be applied to a variety of cases —

How Email Works
Computer Forensic Examiner
• How to Trace an Email: tracing methodology.
• How an Email Travels the Internet.
• How to Trace an IP Address: proper IP address tracing methods.
• How email moves over the global Internet, including Anonymizers, Remailers, and Email Spoofing.
• Request for Comments (RFCs) and other technical documents that define protocols.
• Digital Evidence: presenting an email case to a jury involving complex topics such as digital evidence.
• Expert Testimony: the following documents provide information regarding working with expert witnesses in technical cases.
 

Child Pornography Cases
Sample direct and cross-examination of a
prosecution expert in the Westerfield case:
State of California v. Westerfield trial (June 2002).
• Qualifying the expert
• Imaging hard drives; an explanation of hard drives,
compact disks, zip disks, and how files are stored or
copied to those media;
• Downloading images from the Internet;
• Presenting still images and digital movies to a jury;
• File extensions; allocated versus unallocated space (deleted files); temporary Internet files; screen capture;
• Reviewing email stored on a suspect's computer.

Hacking Case

Sample direct and cross-examination of expert in a computer intrusion (hacking) case:

• The subject computer's clock;
• Downloading groups of zipped files; access dates;
• The retrieval of violent photos and poems; virus programs (programs that create viruses);
• Expert opinion regarding surfing habits of "typical" teenagers;
• Whether the computer owner had superior knowledge of computers and the Internet.
 

Cyber Investigation Software/To

• Steganography
• Surveillance/Desktop Monitoring Programs
• Security Information, Software and Utilities
• Software Firewalls
• Miscellaneous and Shareware
• V. Technical Links
• File Extensions and Formats
• Hard Drive Removal
• Hard Drives
• CD-R
• Drivers
• VI. Internet Redirecting Sites/Services (Web Forwarding)
• IP Addresses
• Whois Information (Domain Name Lo
• Country Codes
• DNS Tools and More
• Pings and Traceroutes
• Person Searches
• Software Links
• Forensic Software
– Hard Drive Duplication/Examination
– PDA Duplication
– Data Recovery Services
– Hard Drive Wiping Utilities

Data Recovery-Forensics

• Recovers a corporation's data that was lost when a former employee launched a computer "time bomb" into the company's technology infrastructure.
• Experts forensically investigated the source of the computer time bomb and offered expert testimony in a court of law.
• Leading provider of trial consulting and presentation services, to enable law firms and corporations to engage experts for their litigation consulting and technology needs from pre-litigation preparedness, through discovery and trial.

Cyber Forensic Software
• Providing complete network visibility, immediate response and comprehensive, forensic-level analysis of servers and workstations.
• Securely investigate/analyze over the LAN/WAN at the disk and memory level.
• Limit incident impact and eliminate system downtime with immediate response capabilities.
• Investigate and analyze multiple platforms — Windows, Linux, AIX, OS X, Solaris.
• Proactively audit systems for classified information, as well as unauthorized processes and network connections.
• Identify fraud, security events and employee integrity issues wherever they are taking place — then investigate without alerting targets.

Mobile Forensics
• Mobile devices are an integral part of an ever-increasing
number of investigations,
• Need to acquire evidence from mobile devices has
created new and complex challenges for investigators.
• Overview of mobile phone networks
• Identify mobile phones
• Learn proper seizure techniques
• Receive an overview of mobile phone data storage
• Acquire and examine SIM cards
• Examine Mobile Phone Acquisition Device components
• Acquire data from mobile devices
• Examine the data that they have acquired

EnCase® Legal Hold
Evidence will be preserved in a Logical Evidence File, built upon court-validated technology, hashed for full chain of custody.
By maintaining complete chain of custody from the moment the duty to preserve documents occurs:
a) Conduct Early Case Assessment through a network scan for responsive documents.
b) Execute, track and analyze custodian acknowledgments.
c) Execute an interview regarding responsive data from your custodians to determine where their responsive data exists.
d) Collect the potentially responsive data and preserve that data in a forensically sound manner.

Image Scan Training

• This software tool was created by members of the FBI’s Computer Analysis Response Team.
• Specifically for "knock & talk" situations relating to child exploitation investigations.
• Once deployed, the software quickly identifies and isolates images on a suspect’s computer.
• Stores them on a thumb drive, without altering any files on the computer.

RCFL
An RCFL is a one stop, full service forensics
laboratory and training center devoted entirely to
the examination of digital evidence in support of
criminal investigations such as—
Terrorism
Child Pornography
Crimes of Violence
Trade secret theft
Theft or destruction of intellectual property
Financial crime / Property crime / Internet crimes / Fraud.

Emerging Requirements
New Initiatives Required
Computer Forensic Science Laboratory
Electronic Crimes Task Force
Digital Evidence databank
Training in Cyber Security
Personnel: Cyber Security trained officers
Integrated Approach: Homeland security initiative
INTERPOL

CYBER SECURITY COMPETENCY MATRIX
[Diagram: competency matrix with labels including functional consultants, High Tech Crimes Task Force, aptitude test, recruitment, staff, on site and off site training, cyber security training centres, hardware and software methodology, continuous digital evidence collection, legislation, enforcement and prosecution, sharing of crime data, and global approach for integration.]

INTEGRATED CYBER SECURITY APPROACH
[Diagram: labels include investigation, global legislation integration, case management, cyber security training, public private partnerships, prosecution, and strategy & planning.]

PUBLIC AWARENESS IN CYBER SECURITY INTEGRATION ACTIVITY
THE – VITAL LINK

THANK YOU
