Detection and Containment


Before any investigation can take place, the system intrusion or abusive conduct must first be detected. Detecting an intrusion close in time to when it actually occurs not only helps to minimize system damage but also assists in identifying potential suspects.

To date, most computer crimes have been detected either by accident or through the laborious review of lengthy audit trails. Although audit trails can help provide user accountability, their detection value is somewhat diminished by the amount of information that must be reviewed and by the fact that these reviews are always post-incident. Accidental detection usually comes from observing increased resource utilization or inspecting suspicious activity; however, because it is sporadic, it is not an effective means of detection.

These types of reactive or passive detection schemes are no longer acceptable. Proactive, automated detection techniques must be instituted to minimize system damage in the wake of an attack. Real-time intrusion monitoring can help in identifying and apprehending potential suspects, and automated filtering techniques can make audit data more useful.
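The following is an added illustration of the "automated filtering" idea above; it is not code from the manual. It reduces a constructed, simplified sshd-style audit trail to the handful of events an analyst would actually want to look at: bursts of failed logins from one source against one account, a successful login that follows such a burst, and successful logins outside working hours. The log format, the thresholds and the sample lines are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail (not from the manual); simplified sshd-style lines.
SAMPLE_AUDIT = """\
2024-03-10T09:15:02 host1 sshd: Accepted password for alice from 10.0.0.5
2024-03-10T23:41:10 host1 sshd: Failed password for root from 203.0.113.7
2024-03-10T23:41:12 host1 sshd: Failed password for root from 203.0.113.7
2024-03-10T23:41:15 host1 sshd: Failed password for root from 203.0.113.7
2024-03-10T23:41:19 host1 sshd: Failed password for root from 203.0.113.7
2024-03-10T23:42:03 host1 sshd: Accepted password for root from 203.0.113.7
2024-03-11T10:02:44 host1 sshd: Accepted password for bob from 10.0.0.9
2024-03-11T10:03:01 host1 sshd: Failed password for bob from 10.0.0.9
"""

# Assumed line layout: "<ISO timestamp> <host> sshd: <Accepted|Failed> password for <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for a recognised audit line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def filter_audit(text, fail_threshold=3, off_hours=(22, 6)):
    """Single pass over the trail; returns a list of (kind, timestamp, user, src).

    kinds emitted:
      failed-login-burst   - the fail_threshold-th failure for one (user, src) pair
      success-after-burst  - a successful login for a pair that already hit the threshold
      off-hours-login      - any successful login between off_hours[0] and off_hours[1]
    """
    failures = defaultdict(int)
    findings = []
    start, end = off_hours
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # lines that are not logon events are not the filter's concern
        key = (rec["user"], rec["src"])
        stamp = rec["ts"].isoformat()
        if rec["result"] == "Failed":
            failures[key] += 1
            if failures[key] == fail_threshold:  # report the burst once, not on every failure
                findings.append(("failed-login-burst", stamp, *key))
        else:
            if failures[key] >= fail_threshold:
                findings.append(("success-after-burst", stamp, *key))
            hour = rec["ts"].hour
            if hour >= start or hour < end:  # window wraps past midnight
                findings.append(("off-hours-login", stamp, *key))
    return findings


if __name__ == "__main__":
    for finding in filter_audit(SAMPLE_AUDIT):
        print(*finding)
```

Eight raw lines collapse to three findings, and the three are exactly the ones that warrant a near-real-time response rather than a post-incident read of the whole trail. In practice the same filter would be fed by the live log stream rather than a string, and the thresholds tuned to the organisation's normal activity.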

Once an incident is detected, it is essential to minimize the risk of any further loss. This may mean shutting down the system and reloading clean copies of the operating system and application programs. Failure to contain a known situation (such as a system penetration) may also result in increased liability for the victim organization. For example, if a company's system has been compromised by an external attacker and the company, hoping to trace the intruder, failed to shut him or her out, the company may be held liable for any additional harm the attacker causes.

Incident containment means determining the nature and scope of the incident and then minimizing the damage, if any. Containment steps may include adding rules on the firewalls to block access, taking the affected machines off the network, disabling user access, or creating a black hole for the affected machines. These measures are taken by the victim or organization in consultation with the investigators/agencies.

  • In cases of financial fraud involving fraudulent money transfers, the IO (Investigating Officer) should immediately contact the concerned bank branches to freeze the beneficiary's/suspect's/accused person's bank accounts.
  • The IO should request the service providers to block or remove fake/defamatory profiles on social networking/community web sites while at the same time preserving the access details of those profiles. The IO should also notify the service providers to preserve the access details of defamatory/obscene content.
  • If the affected party needs to restore the targeted system immediately for commercial reasons or in the public interest, the IO should obtain the services of technical personnel from the Cyber Forensics division, obtain an image copy of the affected system, and only then permit restoration. These actions must be documented with adequate justification and resorted to only in the rarest of circumstances. Normally, restoration is done after the evidence has been seized, not at the stage when the crime is first reported.

Seizure

The legal provisions empowering IOs to conduct search and seizure are Section 165 of the CrPC and Section 80 of the ITAA 2008 (refer to Annexure 5-1).

The panchanama and seizure procedure is as important in cyber crime investigation as in any other crime. The Investigating Officer may have to take additional care while conducting the panchanama and seizing digital evidence, keeping in mind the nature of such evidence. Understanding the basics of digital devices and being able to conduct a thorough pre-investigation assessment are of great relevance to a proper search and seizure of relevant, admissible evidence from the crime scene. Below are a few guidelines specific to cyber crime. The sequence of steps prescribed above for digital crime scene investigations should be reflected in the panchanama.

  • Make sure one of the technical people from the responder side, along with two independent witnesses, is part of the search and seizure proceedings, to identify the equipment correctly and to guide the IO and witnesses.
  • Please refer to the notes made during the pre-investigation assessment to cross-verify and correctly document the technical information about the computers, networks and other communication equipment at the scene of crime.
  • Time zone and system time play a very critical role in the entire investigation. Please make sure this information is noted carefully in the panchanama from the systems that are in the 'switched on' condition.
  • Please DON'T switch ON any device.
  • Please make sure a serial number is allotted to each device and duly noted not only in the panchanama but also in the Chain of Custody and Digital Evidence Collection forms.
  • Make sure each device is photographed in its original place, before the investigation process starts, along with a reference such as cubicle number or name, room surroundings, etc.
  • Make sure to photograph the hard disk drive or any other internal part along with the system once it has been removed from the system.
  • If possible, please paste the serial number along with the PF number/crime number/section of law on the device.
  • Capture the information about the system and data being searched and seized in the panchanama.
  • Brief the witnesses on the tools used to perform the search and seizure of the digital evidence.
  • Please make sure all the details required in the forms are completely filled in.
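As an added worked example of the record-keeping these guidelines call for (it is an illustration written for this page, not a form or tool from the manual), the following keeps the device list of the panchanama and the chain of custody in one structure, allots one serial number per device, produces the label text to paste on the device, refuses a custody handover that does not start from the last recorded holder, and lists what is still missing before the team leaves the scene. The serial scheme "D-01", "D-02", ..., the field names and the sample values are assumptions; the crime number and section of law below are placeholders.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CustodyEntry:
    when: str           # timestamp of the handover as written on the form
    from_person: str
    to_person: str
    purpose: str        # e.g. "transport to forensic lab"


@dataclass
class SeizedDevice:
    serial_no: str                      # serial allotted by the IO at the scene
    description: str                    # make, model, identifying marks
    location: str                       # cubicle number / room where it was found
    photographed_in_place: bool         # photographed before being moved
    powered_on: bool = False            # found switched on (a device is never switched on)
    system_time: Optional[str] = None   # noted from the screen only if it was already on
    time_zone: Optional[str] = None
    custody: List[CustodyEntry] = field(default_factory=list)


class SeizureRecord:
    """Panchanama device list plus chain of custody for one crime number."""

    def __init__(self, crime_number: str, section_of_law: str):
        self.crime_number = crime_number
        self.section_of_law = section_of_law
        self.devices: List[SeizedDevice] = []

    def add_device(self, description, location, photographed_in_place,
                   powered_on=False, system_time=None, time_zone=None) -> SeizedDevice:
        serial = f"D-{len(self.devices) + 1:02d}"  # assumed scheme; one serial per device, never reused
        dev = SeizedDevice(serial, description, location, photographed_in_place,
                           powered_on, system_time, time_zone)
        self.devices.append(dev)
        return dev

    def label_for(self, serial_no: str) -> str:
        """Text to paste on the device: serial number, crime number and section of law."""
        self._find(serial_no)
        return f"{serial_no} / Cr.No. {self.crime_number} / {self.section_of_law}"

    def transfer_custody(self, serial_no, when, from_person, to_person, purpose):
        """Append a handover; the giver must be the last recorded holder, so gaps are caught."""
        dev = self._find(serial_no)
        if dev.custody and dev.custody[-1].to_person != from_person:
            raise ValueError(f"{serial_no}: custody gap, last holder was {dev.custody[-1].to_person}")
        dev.custody.append(CustodyEntry(when, from_person, to_person, purpose))

    def _find(self, serial_no) -> SeizedDevice:
        for dev in self.devices:
            if dev.serial_no == serial_no:
                return dev
        raise KeyError(serial_no)

    def incomplete(self) -> List[Tuple[str, str]]:
        """Details that must be filled in before the team leaves the scene."""
        problems = []
        for d in self.devices:
            if not d.description.strip() or not d.location.strip():
                problems.append((d.serial_no, "description/location missing"))
            if not d.photographed_in_place:
                problems.append((d.serial_no, "not photographed in original place"))
            if d.powered_on and not (d.system_time and d.time_zone):
                problems.append((d.serial_no, "system time/time zone not noted"))
            if not d.custody:
                problems.append((d.serial_no, "no chain-of-custody entry"))
        return problems


if __name__ == "__main__":
    # Constructed walk-through with placeholder identifiers.
    rec = SeizureRecord("CR-PLACEHOLDER", "SECTION-PLACEHOLDER")
    pc = rec.add_device("desktop tower, black", "cubicle 12", True,
                        powered_on=True, system_time="2024-03-10 23:50:00")
    rec.add_device("USB drive, 32 GB", "desk drawer, cubicle 12", True)
    print(rec.label_for(pc.serial_no))
    for problem in rec.incomplete():
        print(*problem)
```

Running the walk-through reports that the switched-on desktop still lacks its time zone entry and that neither device has a chain-of-custody entry yet, which is the kind of check an IO wants before the forms are signed by the witnesses.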
