01PD092008003290002

The document discusses the foundations of digital forensics, emphasizing its importance in legal contexts through real-life cases of cybercrime. It outlines the methodology of computer forensics, including evidence acquisition, authentication, and analysis, as well as the legal frameworks governing cyber law in the U.S. and India. Key concepts such as the admissibility of digital evidence, the distinction between direct and circumstantial evidence, and the challenges of presenting scientific evidence in court are also highlighted.

Uploaded by indira
Foundations of Digital Forensics

Why CFCA?

Real Life Cases
• ACCUSED IN RS 400 MILLION SMS SCAM ARRESTED IN MUMBAI
• CITY PRINCIPAL SEEKS POLICE HELP TO STOP CYBER CRIME
• UTI BANK HOOKED UP IN A PHISHING ATTACK
• ONLINE CREDIT CARD FRAUD ON E-BAY

Computer Forensics

• Computer forensics is the scientific examination and
analysis of data held on, or retrieved from, computer
storage media in such a way that the information can be
used as evidence in a court of law.

Computer Forensic Activities
• Computer forensics activities commonly
include:
– the secure collection of computer data
– the identification of suspect data
– the examination of suspect data to
determine details such as origin and
content
– the presentation of computer-based
information to courts of law
– the application of a country's laws to
computer practice.

The 3 As

• The basic methodology consists of the 3 As:
– Acquire the evidence without
altering or damaging the original
– Authenticate the image
– Analyze the data without
modifying it
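
The 3 As as a worked example, added here and not part of the original slides: the sketch acquires an image while hashing the bytes read, authenticates the image against that hash, and analyzes it read-only. The file names, the choice of SHA-256, the keyword and the sample "media" bytes are assumptions constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile

CHUNK = 1024 * 1024  # stream in 1 MiB blocks; media rarely fits in memory


def sha256_file(path, chunk=CHUNK):
    """Stream a file opened read-only and return its SHA-256 hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(source, image, chunk=CHUNK):
    """Acquire: copy source to image, hashing the bytes as they are read."""
    digest = hashlib.sha256()
    # "rb" never writes to the original; "xb" refuses to overwrite an image.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            digest.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    os.chmod(image, stat.S_IRUSR)  # the working image becomes read-only
    return digest.hexdigest()


def authenticate(image, acquisition_hash, chunk=CHUNK):
    """Authenticate: the image must still hash to the acquisition value."""
    return sha256_file(image, chunk) == acquisition_hash


def analyze(image, keyword, chunk=CHUNK):
    """Analyze: return byte offsets of keyword, opening the image read-only."""
    offsets, tail, pos = [], b"", 0
    overlap = len(keyword) - 1  # carry-over so hits across block edges are seen
    with open(image, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            data = tail + block
            idx = data.find(keyword)
            while idx != -1:
                offsets.append(pos - len(tail) + idx)
                idx = data.find(keyword, idx + 1)
            tail = data[-overlap:] if overlap else b""
            pos += len(block)
    return offsets


def run_demo(chunk=CHUNK):
    """Run the three steps on constructed sample data in a temp directory."""
    marker = b"invoice-2041"  # constructed keyword, not from the slides
    media = b"\x00" * 5000 + marker + b"\xff" * 3000 + marker + b"\x00" * 100
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "source.bin")
        image = os.path.join(work, "image.dd")
        altered = os.path.join(work, "altered.dd")
        with open(source, "wb") as fh:
            fh.write(media)
        before = sha256_file(source, chunk)
        acq_hash = acquire(source, image, chunk)
        ok_before = authenticate(image, acq_hash, chunk)
        hits = analyze(image, marker, chunk)
        ok_after = authenticate(image, acq_hash, chunk)
        with open(altered, "wb") as fh:  # same data with one byte changed
            fh.write(media[:10] + b"\x01" + media[11:])
        return {
            "source_unchanged": sha256_file(source, chunk) == before,
            "authentic_before_analysis": ok_before,
            "authentic_after_analysis": ok_after,
            "keyword_offsets": hits,
            "altered_copy_rejected": not authenticate(altered, acq_hash, chunk),
        }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Recording the acquisition hash at the time of collection is what lets a later examiner show that the copy under analysis is the one that was acquired.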

Basic Definition

Cyber: According to the Oxford Dictionary, cyber means relating to or
characteristic of virtual reality. Law means the system of rules which a
particular country or community recognizes as regulating the actions of its
members and which it may enforce by the imposition of penalties.

Cyber Law and What It Consists Of

Cyber Law is the law governing cyber space. The Information Technology
(Amendment) Act, 2008 deals with cases relating to cyber space. Cyber space
includes computers, networks, software, internet, websites, e-mails, data
storage devices like hard disks, USB disks, PDAs, phones and ATM machines
and so on. Cyber Law consists of cyber crime, electronic and digital
signatures, intellectual property and data protection and privacy.

Cont..

• Computer crime: computer crime is a situation where
a computer or network was not directly involved in a crime
but still contains digital evidence related to the crime.

• Computer-related: computer-related is used to refer to
any crime that involves computers and networks, including
crimes that do not rely heavily on computers.

• Some organizations such as the US Department of Justice
and the Council of Europe use the term cybercrime to
refer to a wide range of crimes that involve computers and
networks.

Language of Computer Crime Investigation
• Several attempts have been made to develop a standard
language to describe the various aspects of computer
crime investigation.

• Computer crime mainly refers to a limited set of offenses
that are specifically defined in laws such as the US Computer
Fraud and Abuse Act and the UK Computer Abuse
Act, which are computer crime acts defined by the US.

• These crimes include theft of computer services,
unauthorized access to protected computers, software
piracy and the alteration or theft of electronically stored
information, extortion committed with the assistance of
computers, obtaining unauthorized access to records
from banks, credit card issuers, or customer reporting
agencies, traffic in stolen passwords and transmission of
destructive viruses or commands.

Cont..
• Computer forensics: Computer forensics usually refers
to the forensic examination of computer components and
their contents such as hard drives, compact disks, and
printers.

• Forensic entomology: forensic entomology as "bug
forensics" only to computers limits the scope of the term,
neglecting important aspects of the field such as
communication systems, embedded systems, and digital
image, audio, and video analysis.
• Digital forensic science: to describe the field as a whole
• Digital evidence examination: This term is specific
enough to be clear in the context of digital forensic
science, computer forensics, incident response, or any
other situation that involves the examination of digital
evidence.

Digital Evidence in the Courtroom
• Individuals processing evidence must realize that evidence
must meet certain standards to be admitted.
• The US Federal Rules of Evidence, the UK Police and Criminal
Evidence Act (PACE) and Civil Evidence Act, and similar rules of
evidence in other countries were established to help evaluate
evidence.

1. Admissibility-Warrants
• The most common mistake that prevents digital evidence
from being admitted by courts is that it was obtained without
authorization.
• The main exceptions are:
– plain view: a rule that allows a law enforcement officer to
seize evidence of a crime
– consent: to give permission
– exigency: remand for something

2. Authenticity and Reliability
• The process of determining whether evidence is worthy is
called authentication.
• Authentication means satisfying the court that
(a) the contents of the record have remained unchanged,
(b) the information in the record does in fact
originate from its purported (original) source, whether
human or machine, and
(c) extraneous information such as the apparent date
of the record is accurate.

3. Casey's Certainty Scale

• Computers can introduce errors and uncertainty in various ways,
making it difficult to assess the trustworthiness of digital evidence
meaningfully.
• Although courts are warned to consider the computer systems involved
carefully, little guidance is provided.
• Computer machinery may make errors because of malfunctioning of
hardware, the computer's mechanical apparatus.
• The certainty values (C-values) provide a method for a digital evidence
examiner to denote the level of certainty he/she has in a given piece of
evidence in a given context.
• The primary purpose of this Certainty Scale is to help others understand
how much weight an examiner has given pieces of digital
evidence when making a conclusion based on that evidence.
• generated a piece of digital evidence and its contents,
which may be documents or statements.
• It is non-technical and therefore easily understood by
non-technical people such as those found in most juries.

4. Best Evidence

• When dealing with the contents of a writing, recording, or
photograph, courts sometimes require the original evidence.
• This was originally intended to prevent a witness from
misrepresenting such materials by simply accepting their
testimony (witness statement) regarding the contents.
• With the advent of photocopiers, scanners, computers, and
other technology that can create effectively identical
duplicates, copies became acceptable in place of the original,
unless "a genuine question is raised as to the authenticity of
the original or the accuracy of the copy or under the
circumstances it would be unfair to admit the copy of
the original".
• Because an exact duplicate of most forms of digital evidence
can be made, a copy is generally acceptable. In fact,
presenting a copy of digital evidence is usually more
desirable because it eliminates the risk that the original will be
accidentally altered.

5. Direct versus Circumstantial Evidence

• Direct evidence establishes a fact. Circumstantial
evidence may suggest one. It is a common
misconception that digital evidence cannot be direct
evidence because of its separation from the events.

6. Hearsay

• Digital evidence might not be admitted if it contains
hearsay because the speaker or author of the evidence
is not present in court to verify its truthfulness.

• Evidence is hearsay where a statement in court repeats
a statement made out of court in order to prove the truth
of the content of the out of court statement. Similarly,
evidence contained in a document is hearsay if the
document is produced to prove that statements made in
court are true.

• The evidence is excluded because the crucial aspect of
the evidence, the truth of the out of court statement
(oral or documentary), cannot be tested by
cross-examination.

7. Scientific Evidence
• In addition to challenging the admissibility of digital evidence
directly, tools and techniques used to process digital evidence
have been challenged by evaluating them as scientific
evidence. Because of the power of science to persuade, courts
are careful to assess the validity of a scientific process before
accepting its results.
• If a scientific process is found to be questionable, this may
influence the admissibility or weight of the evidence, depending
on the situation.
• In the United States, scientific evidence is evaluated using four
criteria developed in 1993. These criteria are:
a) whether the theory or technique can be (and has been) tested;
b) whether there is a high known or potential rate of error, and the
existence and maintenance of standards controlling the
technique's operation;
c) whether the theory or technique has been subjected to peer
review and publication;
d) whether the theory or technique enjoys "general acceptance"
within the relevant scientific community.

8. Presenting Digital Evidence
• Preparation is one of the most important aspects of testifying in
court (National Center for Forensic Science 2003).
• Conclusions should be stated early in testimony rather than as
a punch line at the end because there is a risk that the
opportunity will not arise later.
• During cross-examination, attorneys (lawyers) often attempt to
point out flaws and details that were overlooked by the digital
investigator. The most effective response to this type of
questioning is to be prepared with clear explanations and
supporting evidence.
• In addition to presenting findings, it is necessary to explain how
the evidence was handled and analyzed to demonstrate
chain of custody and thoroughness of methods. Also, expect to
be asked about underlying technical aspects in a relatively
non-technical way, such as how files are deleted and recovered
and how tools acquire and preserve digital evidence. Simple
diagrams depicting these processes are strongly recommended.

• Cyber crime Law: United States
Perspective, Indian Perspective,
Conducting Digital Investigation,
Handling a Digital Crime Scene:
Principles, Preservation,

4. Cyber crime Law: United States Perspective
• This chapter reviews how law in the United States deals with
cybercrime. As the United States is a federal system, there
are two basic levels of cybercrime law: federal cybercrime
law and state cybercrime law.
• U.S. law deals with the major cybercrimes: the crimes that
target computers and computer systems (e.g.,
unauthorized access, malware, and denial of service
attacks) and the crimes in which computers and computer
systems are used as tools to commit traditional crimes
(e.g., fraud, extortion, illegal content, etc.).
• Federal Cybercrime Law
• State Cybercrime Law
• Constitutional Law
• Fourth Amendment
• Fifth Amendment and Encryption

1. Federal Cybercrime Law
4.1 Computer Fraud and Abuse Act
• It focuses on the Computer Fraud and Abuse Act such as identity
theft, abuse content, and copyright and trademark offenses.
• Congress adopted the Computer Fraud and Abuse Act (1986), but
it has since been amended on several occasions.
• The amendments have all been designed to update certain
provisions of the Act in light of advancements in computer
technology.
• Section 1030(a) makes it a federal crime to do any of the
following:
1. Knowingly access a computer without authorization or exceed
authorized access and obtain information that is legally protected
against disclosure.
2. Intentionally access a computer without authorization or exceed
authorized access and obtain information from (i) a financial
institution, credit card company, or consumer reporting agency.
3. With the intent to extort money or anything of value like
(i) threat to damage a computer, (ii) threat to obtain information
from,

4.1.1 Section 1030(a)(5) Offense: accounts for the largest
number of prosecutions (legal proceedings against a person), perhaps
because it creates three crimes. The first consists of knowingly
transmitting a program, information, code, or command and
thereby intentionally damaging a protected computer. The other two
are hacking, or unauthorized access, to a computer or computer
system.
4.1.2 Section 1030(a)(4) Offense: As noted above, § 1030(a)(4)
makes it a federal crime to access a protected computer without
being authorized to do so, or by exceeding the scope of authorized
access, and obtain “anything of value” and thereby further a
scheme to defraud.
4.1.3 Section 1030(a)(6) Offense: makes it a crime to traffic “in
any password or similar information through which a computer
may be accessed without authorization” if either of two conditions
is met. The first is “affects interstate or foreign commerce”; the
other condition is that the computer is “used by or for the
Government of the United States.”
4.1.4 Section 1030(a)(7) Offense: criminalizes the use of
computer technology to commit extortion.

4.2 Identity Theft: The federal criminal code contains two identity
theft provisions: Section 1028(a)(7) of Title 18 of the U.S. Code
defines a basic identity theft offense; it makes it a federal crime to
knowingly transfer, possess, or use “a means of identification of
another person” without being authorized.
4.4 Copyright Infringement (against law) (Section 506(a))
Copyright infringement in the form of software piracy is a crime.
For a work to be “original,” it must have “originated” with—have
been created by—the author claiming the copyright; originality
does not require novelty but to be original an item cannot simply
be a copy of another.
4.5 Trademarks and Trade Secrets
The Lanham Act is the primary source of protection for trademarks
(Act of July 5, 1946). It defines “trademark” as “any word, name,
symbol, or device, or any combination thereof” that is used by a
person or which a person has a bona fide intention to use in
commerce “to identify and distinguish his or her goods from those
manufactured or sold by others and to indicate the source of the
goods, even if that source is unknown” (15 U.S. Code § 1127).

2. State cybercrime law
4.2.1 Access Crimes: Every U.S. state prohibits simple hacking
(gaining unauthorized access to a computer) and aggravated
hacking (gaining unauthorized access to a computer for the
purpose of committing theft, vandalism, or other crimes).
4.2.2 Malware: “Computer contaminant” means any set of computer
instructions that are designed to modify, damage, destroy, record,
or transmit information within a computer, computer system, or
computer network without the intent or permission of the owner of
the information.
4.2.3 Denial of Service: DDoS attack as “techniques or actions
involving the use of one (1) or more damaged computers to
damage another computer or a targeted computer system in order
to shut the computer or computer system down and deny the
service of the damaged computer or computer system to
legitimate users”.
4.2.4 Computer Forgery: “Any person who creates, alters, or
deletes any data contained in any computer or computer
network, who, if such person had created, altered, or deleted a
tangible document or instrument would have committed forgery …
shall be guilty of the crime of computer forgery”.

4.2.5 Computer Fraud and Theft: Computer theft can encompass
any of several different crimes, including information theft,
software theft, computer hardware theft, and theft of computer
services. It can also encompass the theft of computer hardware.
And it can consist of using a computer to steal other types of
property.
4.2.6 Computer Extortion: One approach they take is to include
computer extortion within the definition of computer fraud.
4.2.7 Crimes Against Children:

3 Constitutional law
• In the United States, constitutional law exists at two levels:
The U.S. Constitution is the constitution that applies throughout the
territorial
Two of the U.S. Constitution’s provisions are particularly relevant to
the conduct of cybercrime investigations:
the Fourth Amendment and the Fifth Amendment.

4. Fourth Amendment
• The Fourth Amendment creates a right to be free from
“unreasonable” searches and seizures (forcefully taking
ownership).
• To be “reasonable,” a search or seizure must be conducted under either
a lawfully authorized search or arrest warrant.
• The Court has applied the Fourth Amendment to areas in which
technology and privacy intersect.
4.4.1 Wiretapping: Content of Communications
The progress of science is not likely to stop with wire tapping.
Ways may be developed by which the government, without
removing papers from secret drawers, can reproduce them in
court, and expose to a jury the most intimate occurrences of the
home. Can it be that the Constitution affords no protection against
such fraud?
4.4.2 Wiretapping: Traffic Data
• In a subsequent decision, the Supreme Court dealt with the
related issue of whether the transmittal information—the traffic
data—generated by a telephone call is private under the Fourth
Amendment.

4.4.3 Technology Not in General Public Use
The Supreme Court’s 2001 decision in Kyllo v. United States is its
most recent parsing of the Katz standard. The issue in Kyllo was
whether “the use of a thermal-imaging device aimed at a private
home from a public street to detect relative amounts of heat
within the home constitutes a ‘search’ within the meaning of the
Fourth Amendment”.

5 Fifth Amendment and encryption

• The Fifth Amendment states that no one can be “forcefully to be a
witness against himself”.
• The Fifth Amendment privilege only comes into play when
the following elements are present. The first is compulsion (power to
force a person to act); the Fifth Amendment does not protect
communications that are made voluntarily.
• The compulsion must seek to extort “testimony”—oral or written
communications—from an individual because the Fifth
Amendment privilege does not encompass physical evidence.

• One area in which the Fifth Amendment can come into
play involves the use of encryption.
• Encryption can be used to protect the contents of
online communications or data files stored in a
computer or on other storage media. If files are
encrypted with an essentially unbreakable encryption
algorithm;
• If the owner of the files committed the key to memory,
then he/she can claim the Fifth Amendment privilege
and refuse that fraud.

Conducting Digital Investigation
Digital investigations inevitably vary depending on technical
factors such as the type of computing or communications device,
whether the investigation is in a criminal, civil, commercial,
military, or other context, and case-based factors such as the
specific claims to be investigated.
6.1 Digital Investigation Process Models
• describe how one conducted a digital investigation tended to
focus on practical stepwise approaches to solving particular
investigative challenges, within the context of particular technical
computing environments.
• Proposal of a number of models for describing investigations,
which have come to be known as “process models.”
• motivations
1. models serve as useful points of reference for reflecting on the
state and nature of the field
2. framework for training and directing research,
3. for benchmarking performance against generally accepted
practice.

• Process models have been defined as linear processes.
• For example, in 1999, McKemmish defined forensic computing as:
The process of identifying, preserving, analyzing and presenting digital
evidence in a manner that is legally acceptable.
• These activities are the basis of the process model.
• Figure 6.1. The most common steps for conducting a complete and
competent digital investigation are:
1. Preparation: Generating a plan of action to conduct an effective
digital investigation, and obtaining supporting resources and materials.
2. Survey/Identification: Finding potential sources of digital evidence
(e.g., at a crime scene, within an organization, or on the Internet).
3. Preservation: Preventing changes of in situ digital evidence, including
isolating the system on the network, securing relevant log files, and
collecting volatile data that would be lost when the system is turned
off. This step includes subsequent collection or acquisition.
4. Examination and Analysis: Searching for and interpreting trace
evidence. Some process models use the terms examination and
analysis interchangeably.
5. Presentation: Reporting of findings in a manner which satisfies the
context of the investigation, whether it be legal, corporate, military, or
any other.

6.1.1 Physical Model

• The overall process model has 17 phases organized
into five groups: Readiness, Deployment, Physical
Crime Scene Investigation, Digital Crime Scene
Investigation, and Presentation, summarized in Table
6.1 for both physical and digital investigations.
• Carrier & Spafford (2004) said that:
• A computer being investigated can be considered a
digital crime scene and investigations as a subset of
the physical crime scene where it is located. Physical
evidence may exist around a server that was attacked
by an employee and usage evidence may exist around
a home computer that contains contraband.
Furthermore, the end goal of most digital investigations
is to identify a person who is responsible and therefore
the digital investigation needs to be tied to a physical
investigation.

6.1.2 Staircase Model
• The sequence of ascending stairs in Figure 6.2 provides a practical
and methodical approach to conducting an effective digital
investigation (Casey & Palmer, 2004).
• Steps are defined from bottom to top in a systematic,
determined manner in an effort to present a compelling story
after reaching the final step of persuasion/testimony.
• The categories in Figure 6.2 are intended to be as generic as
possible. The unique methods and tools employed in each
category tie the investigative process to a particular forensic
domain. The terms located on the riser of each step are those
more closely associated with the law enforcement perspective.
• The steps in this process often proceed simultaneously and it
may be necessary to take certain steps more than once at
different stages of an investigation.
• Finally, as with most processes, there is a relationship between
successive steps. That relationship can often be described by
the input and output expected at each stage,

6.1.3 Evidence Flow Model
• The main goal of this model is to completely describe
the flow of information in a digital investigation, from
the moment digital investigators are alerted until the
investigation reaches its conclusion.
• By concentrating on the flow of information,
appropriate controls can be implemented at each step
of the process to handle evidentiary data, written
reports, or communications relating to the
investigation.
6.1.4 Subphase Model
• Beebe and Clark contend that most investigative
process models are too high level and do not address
the “more concrete principles of the investigation”.
Their solution is to create a multitiered framework,
taking the steps common in other models and adding
subphases with defined objectives to help
investigators implement each step properly.
• As a proof of concept, Beebe and Clark use the analysis process,
providing three objectives-based subphases, namely, survey,
extract, and examine with the following objectives for file system
analysis:

• 1. Reduce the amount of data to analyze
• 2. Assess the skill level of the suspect(s)
• 3. Recover deleted files
• 4. Find relevant hidden data
• 5. Determine chronology of file activity
• 6. Recover relevant ASCII data
• 7. Recover relevant non-ASCII data
• 8. Ascertain Internet (non-e-mail) activity history
• 9. Recover relevant e-mail and attachments
• 10. Recover relevant “personal organizer” data (e.g.,
calendar, address books, etc.)
• 11. Recover printed documents
• 12. Identify relevant software applications and
configurations
• 13. Find evidence of unauthorized system modification
(e.g., Trojan applications)
• 14. Reconstruct network-based events
6.1.5 Roles and Responsibilities Model
• The FORZA model ascends to an even higher level of
abstraction by providing a framework of roles and
responsibilities in digital investigations. The goal of this
framework is to address not just the technical aspects of a
digital investigation but also the legal and managerial
issues.
6.2 Scaffolding for Digital Investigations
• Although such occurrences and activities are not
central to digital investigations, they provide
necessary scaffolding to help build a solid case. This
scaffolding also includes accusation/alert, threshold
considerations, and case management.
• In addition, digital investigators will generally have to
make some form of threshold assessment to decide
what level of attention to give a certain case relative
to all of the other cases they are handling.
6.2.1 Incident Alert
Every process has a starting point—a place, event, or for
lack of a better term, a “shot from a starting gun” that
signals that the race has begun.
6.2.2 Authorization
Before approaching digital evidence, it is important to be
certain that the search is not going to violate any laws.
6.2.3 Threshold Considerations
Digital investigators must establish thresholds in order to
prioritize cases and make decisions about how to allocate
resources.
6.2.4 Transportation
Moving evidence from the crime or incident scene back to the
forensic laboratory effects of which range from loss of
confidentiality to destruction of evidence.
6.2.5 Verification
• Assessing the completeness and accuracy of acquired data
and documenting its integrity are important.
6.2.6 Case Management
• Helps to bind together all of the activities and outcomes.

6.3 Applying the Scientific Method in Digital Evidence
• Although process models that define each step of an
investigation can be useful for certain purposes, such
as developing procedures, they are too complex and
rigid to be followed in every investigation.
• All steps of the investigative process are often
intertwined and a digital investigator may find the
need to revisit steps in light of a more refined
understanding of the case.
6.3.1 Formation and Evaluation of Hypotheses
6.3.2 Preparation
6.3.3 Survey
6.3.4 Preservation
6.3.5 Examination
6.3.6 Analysis
6.3.7 Reporting and Testimony

6.4 Investigative Scenario: Security Breach
• An investigative scenario involving a network security breach is
outlined here to demonstrate how the various steps in a digital
investigation tie together.
6.4.1 Preparation and Case Management
IT help desk.
6.4.2 Accusation or Incident Alert
• unusually high numbers of failed logon attempts to a server it
confirms that there has been unauthorized use of the
administrator account on the system
6.4.3 Assessment of Worth
• most valuable intellectual property.
6.4.4 Authorization
• Developing situation and obtains approval to gather evidence and
report back any findings.
6.4.5 Survey
• digital investigators would waste
substantial time and effort trying to locate sources of digital
evidence, and
might ultimately find that there was insufficient information to
reach any conclusions

6.4.6 Preservation
6.4.7 Transportation
6.4.8 Examination
6.4.9 Analysis
6.4.10 Reporting

INFORMATION TECHNOLOGY (AMENDED) ACT, 2008
• New communication systems and digital technology have
made dramatic changes in the way.
• Businessmen are increasingly using computers to create,
transmit and store information in electronic form instead of
traditional paper documents. It is cheaper, easier to
store and retrieve and speedier to communicate.
• Electronic commerce eliminates the need for paper-based
transactions.
• The Law of Evidence is traditionally based upon paper-based
records and oral witness. Hence, to facilitate
e-commerce, the need for legal changes.
• The legal recognition to electronic records and digital
signatures in turn will facilitate through the electronic
communication like Internet.
• In May 2000 the Indian Parliament passed the Information
Technology Bill, which came to be known as the Information
Technology Act, 2000. Cyber laws are contained in the IT
Act, 2000.

Cont..
• This Act was amended by the Information Technology
Amendment Bill 2006, passed in the Lok Sabha on Dec 22nd and
in the Rajya Sabha on Dec 23rd of 2008.
• Objectives of the IT 2008 Act are:
· Carried out by means of electronic data interchange, and
other means of electronic communication, commonly
referred to as "electronic commerce"
· To facilitate electronic filing of documents with
Government departments
· To facilitate electronic storage of data
· To facilitate and give legal sanction to electronic fund
transfers between banks and financial institutions
· To give legal recognition for keeping of books of
accounts by bankers in electronic form.
· To amend the Indian Penal Code, the Indian Evidence Act,
1872, the Banker’s Book Evidence Act, 1891, and the
Reserve Bank of India Act, 1934.

Important sections of the IT Act
• Section 1:
It shall extend to the whole of India and, save as otherwise
provided in this Act, it applies also to any offence committed
outside India by any person.

• Section 2: Definitions
a) "Access"
b) "Addressee"
c) "Affixing Electronic Signature"
d) "Asymmetric Crypto System"
e) "Certifying Authority" means a person who has been granted a
license to issue an Electronic Signature Certificate.
f) "Communication Device"
g) "Computer"
h) "Computer network"
i) "Computer Resources" means computer, communication device,
computer system, computer network, data, computer database
or software;

j) "Controller" means the Controller of Certifying Authorities
k) "Data" means a representation of information, knowledge, facts,
concepts or instructions

• Section 3: Defines Digital Signatures
The authentication to be effected by use of asymmetric crypto
system and hash function

• Section 4: Legal Recognition of Electronic Records
Where any law provides that information or any other matter shall
be in writing or in the typewritten or printed form, then,
notwithstanding anything contained in such law, such requirement
shall be deemed to have been satisfied if such information or
matter is
(a) rendered or made available in an electronic form; and
(b) accessible so as to be usable for a subsequent reference

• Section 5: Legal recognition of Electronic
Signature
• Section 6: Use of Electronic Records and
Electronic Signature in Government and its
agencies
Where any law provides for
1. the filing of any form
2. the issue or grant of any license,
3. the receipt or payment of money in a particular
manner,
• Section 7 : Retention of Electronic Records
• Section 8: Publication of rules, regulation, etc,
in Electronic Gazette
• Section 11: Attribution of Electronic Records
An electronic record shall be attributed to the originator
• Section 12: Acknowledgement of Receipt
• Section 14: Secure Electronic Record
• Section 16 : Security procedures and Practices (Amended
vide ITAA 2008)
The Central Government may, for the purposes of sections 14 and 15,
prescribe the security procedures, having regard to the commercial
circumstances, nature of transactions and such other related factors
as it may consider appropriate.
• Section 17: Appointment of Controller and other officers
• Section 18: The Controller may perform all or any of the
following functions, namely
(a) exercising supervision over the activities of the Certifying
Authorities;
(b) certifying public keys of the Certifying Authorities
(c) laying down the standards to be maintained by the Certifying
Authorities;
(d) specifying the qualifications and experience which employees of
the Certifying Authorities should possess;
(e) specifying the conditions subject to which the Certifying
Authorities shall conduct their business;

• Section 21: License to issue electronic signature
certificates
A license granted under this section shall –
(a) be valid for such period as may be prescribed by
the Central Government;
(b) not be transferable;
(c) be subject to such terms and conditions as may be
specified by the regulations.
• Section 23: Renewal of license
• Section 29: Access to computers and data
• Section 37: Suspension of Digital Signature
Certificate
• Section 40: Generating Key Pair
• Section 43: Penalty for damage to computer,
computer system, etc
If any person without permission of the owner or
any other person who is in charge of a computer,
computer system or computer network -
(a) accesses or secures access to such computer, computer system
or computer network or computer resource (ITAA2008)
(b) downloads, copies or extracts any data, computer data base or
information from such computer, computer system or computer
network including information or data held or stored in any
removable storage medium;
(c) introduces or causes to be introduced any computer contaminant
or computer virus into any computer, computer system or
computer network;
• Section 52: Salary, allowances and other terms and
conditions of service of Chairperson and Member.
The salary and allowances payable to, and the other terms and
conditions of service including pension, gratuity and other
retirement benefits
• Section 53: Filling up of vacancies (Amended vide ITAA
2008)
If, for reason other than temporary absence, any vacancy occurs in
the office of Chairperson or Member as the case may be then the
Central Government shall appoint another person in accordance
with the provisions of this Act

• Section 62: Appeal to High Court
Any person aggrieved by any decision or order of the Cyber authority
may file an appeal to the High Court within sixty days from the
date of communication of the decision or order of the Cyber
Appellate Tribunal to him on any question of fact or law
• Section 65: Tampering with Computer Source Documents
shall be punishable with imprisonment up to three years, or with fine
which may extend up to two lakh rupees, or with both.
• Section 66: Computer Related Offences (Substituted vide
ITAA 2008)
imprisonment for a term which may extend to three years or with
fine which may extend to five lakh rupees or with both.
• Section 71: Penalty for misrepresentation
imprisonment for a term which may extend to two years, or with fine
which may extend to one lakh rupees, or with both.
• Section 85: Offences by Companies

Modus Operandi
• Modus operandi (MO) is a Latin term that means "a method of
operating." It refers to the behaviors that are committed by a
criminal for the purpose of successfully completing an offense.
• A criminal's MO consists of learned behaviors that can evolve and
develop over time.
• It can be refined, as an offender becomes more experienced,
sophisticated, and confident.
• It can also become less competent and less skilful over time,
decompensating by virtue of a deteriorating mental state, or
increased use of mind-altering substances.
• An offender's MO behavior is functional by its nature. It most often
serves (or fails to serve) one or more of three purposes:
· protects the offender's identity;
· ensures the successful completion of the crime;
· facilitates the offender's escape.

Motive & Technology

• The term motive refers to the emotional, psychological, or
material need that impels, and is satisfied by, a behavior.
Criminal motive is generally technology independent.

• Classification shifts from classifying offenders to classifying
offense behaviors (turning it from an inductive labeling system
into a deductive tool). The offense behaviors include the
following types:
· Power Reassurance
· Power Assertive
· Anger Retaliatory (Sadistic)
· Opportunistic and Profit oriented.
