Unit II

CYBERSPACE AND THE LAW & CYBER FORENSICS

CYBERSPACE
Cyberspace can be defined as an intricate environment that involves interactions between
people, software, and services. It is maintained by the worldwide distribution of information
and communication technology devices and networks.
With the benefits carried by the technological advancements, the cyberspace today hasbecome
a common pool used by citizens, businesses, critical information infrastructure, military and
governments in a fashion that makes it hard to induce clear boundaries among these different
groups. The cyberspace is anticipated to become even more complex in the upcoming years,
with the increase in networks and devices connected to it.

REGULATIONS
There are five predominant laws to cover when it comes to cybersecurity:
Information Technology Act, 2000 The Indian cyber laws are governed by the Information
Technology Act, penned down back in 2000. The principal impetus of this Act is to offer
reliable legal inclusiveness to eCommerce, facilitating registration of real-time records with the
Government.
But with the cyber attackers getting sneakier, topped by the human tendency to misuse
technology, a series of amendments followed.
The ITA, enacted by the Parliament of India, highlights the grievous punishments and penalties
safeguarding the e-governance, e-banking, and e-commerce sectors. Now, the scopeof ITA has
been enhanced to encompass all the latest communication devices.
The IT Act is the salient one, guiding the entire Indian legislation to govern cybercrimes
rigorously:
Section 43 - Applicable to people who damage the computer systems without permission from
the owner. The owner can fully claim compensation for the entire damage in such cases.
Section 66 - Applicable in case a person is found to dishonestly or fraudulently committing
any act referred to in section 43. The imprisonment term in such instances can mount up to
three years or a fine of up to Rs. 5 lakh.
Section 66B - Incorporates the punishments for fraudulently receiving stolen communication
devices or computers, which confirms a probable three years imprisonment. This term can also
be topped by Rs. 1 lakh fine, depending upon the severity.
Section 66C - This section scrutinizes the identity thefts related to imposter digital signatures,
hacking passwords, or other distinctive identification features. If proven guilty, imprisonment
of three years might also be backed by Rs.1 lakh fine.

CYBER SECURITY Page 18

Section 66 D - This section was inserted on-demand, focusing on punishing cheaters doing
impersonation using computer resources.
Indian Penal Code (IPC) 1980
Identity thefts and associated cyber frauds are embodied in the Indian Penal Code (IPC), 1860
- invoked along with the Information Technology Act of 2000.
The primary relevant section of the IPC covers cyber frauds:
Forgery (Section 464)
Forgery pre-planned for cheating (Section 468)
False documentation (Section 465)
Presenting a forged document as genuine (Section 471)
Reputation damage (Section 469)
Companies Act of 2013
The corporate stakeholders refer to the Companies Act of 2013 as the legal obligation necessary
for the refinement of daily operations. The directives of this Act cements all the required
techno-legal compliances, putting the less compliant companies in a legal fix.
The Companies Act 2013 vested powers in the hands of the SFIO (Serious Frauds Investigation
Office) to prosecute Indian companies and their directors. Also, post the notification of the
Companies Inspection, Investment, and Inquiry Rules, 2014, SFIOs has become even more
proactive and stern in this regard.
The legislature ensured that all the regulatory compliances are well-covered, including cyber
forensics, e-discovery, and cybersecurity diligence. The Companies (Management and
Administration) Rules, 2014 prescribes strict guidelines confirming the cybersecurity
obligations and responsibilities upon the company directors and leaders.
NIST Compliance
The Cybersecurity Framework (NCFS), authorized by the National Institute of Standards and
Technology (NIST), offers a harmonized approach to cybersecurity as the most reliable global
certifying body.
NIST Cybersecurity Framework encompasses all required guidelines, standards, and best
practices to manage the cyber-related risks responsibly. This framework is prioritized on
flexibility and cost-effectiveness.
It promotes the resilience and protection of critical infrastructure by: Allowing better
interpretation, management, and reduction of cybersecurity risks – to mitigate data loss, data
misuse, and the subsequent restoration costs Determining the most important activities and
critical operations - to focus on securing them Demonstrates the trust-worthiness of
organizations who secure critical assets Helps to prioritize investments to maximize the
cybersecurity ROI Addresses regulatory and contractual obligations Supports the wider
information security program By combining the NIST CSF framework with ISO/IEC 27001 -
cybersecurity risk management becomes simplified. It also makes communication easier

CYBER SECURITY Page 19

throughout the organization and across the supply chains via a common cybersecurity directive
laid by NIST.
Final Thoughts As human dependence on technology intensifies, cyber laws in India and across
the globe need constant up-gradation and refinements. The pandemic has also pushed much of
the workforce into a remote working module increasing the need for app security. Lawmakers
have to go the extra mile to stay ahead of the impostors, in order to block them attheir advent.
Cybercrimes can be controlled but it needs collaborative efforts of the lawmakers, the Internet
or Network providers, the intercessors like banks and shopping sites, and, most importantly,
the users. Only the prudent efforts of these stakeholders, ensuring their confinement to the law
of the cyberland - can bring about online safety and resilience.
ROLE OF INTERNATIONAL LAWS
In various countries, areas of the computing and communication industries are regulated by
governmental bodies  There are specific rules on the uses to which computers and computer
networks may be put, in particular there are rules on unauthorized access, data privacy and
spamming  There are also limits on the use of encryption and of equipment which may be
used to defeat copy protection schemes  There are laws governing trade on the Internet,
taxation, consumer protection, and advertising  There are laws on censorship versus freedom
of expression, rules on public access to government information, and individual access to
information held on them by private bodies  Some states limit access to the Internet, by law
as well as by technical means.
INTERNATIONAL LAW FOR CYBER CRIME
Cybercrime is "international" that there are ‘no cyber-borders between countries’  The
complexity in types and forms of cybercrime increases the difficulty to fight back  fighting
cybercrime calls for international cooperation  Various organizations and governments have
already made joint efforts in establishing global standards of legislation and law enforcement
both on a regional and on an international scale
THE INDIAN CYBERSPACE

Indian cyberspace was born in 1975 with the establishment of National Informatics Centre
(NIC) with an aim to provide govt with IT solutions. Three networks (NWs) were set up
between 1986 and 1988 to connect various agencies of govt. These NWs were, INDONET
which connected the IBM mainframe installations that made up India’s computerinfrastructure,
NICNET (the NIC NW) a nationwide very small aperture terminal (VSAT) NW for public
sector organisations as well as to connect the central govt with the state govts and district
administrations, the third NW setup was ERNET (the Education and Research Network), to
serve the academic and research communities.

New Internet Policy of 1998 paved the way for services from multiple Internet service
providers (ISPs) and gave boost to the Internet user base grow from 1.4 million in 1999 to over
150 million by Dec 2012. Exponential growth rate is attributed to increasing Internet

CYBER SECURITY Page 20

access through mobile phones and tablets. Govt is making a determined push to increase
broadband penetration from its present level of about 6%1. The target for broadband is 160
million households by 2016 under the National Broadband Plan.
NATIONAL CYBER SECURITY POLICY
National Cyber Security Policy is a policy framework by Department of Electronics and
Information Technology. It aims at protecting the public and private infrastructure from
cyberattacks. The policy also intends to safeguard "information, such as personal information
(of web users), financial and banking information and sovereign data". This was particularly
relevant in the wake of US National Security Agency (NSA) leaks that suggested the US
government agencies are spying on Indian users, who have no legal or technical safeguards
against it. Ministry of Communications and Information Technology (India)
defines Cyberspace as a complex environment consisting of interactions between people,
software services supported by worldwide distribution of information and communication
technology.
VISION
To build a secure and resilient cyberspace for citizens, business, and government and also to
protect anyone from intervening in user's privacy.
MISSION
To protect information and information infrastructure in cyberspace, build capabilities to
prevent and respond to cyber threat, reduce vulnerabilities and minimize damage from cyber
incidents through a combination of institutional structures, people, processes, technology, and
cooperation.
OBJECTIVE
Ministry of Communications and Information Technology (India) define objectives as follows:

• To create a secure cyber ecosystem in the country, generate adequate trust and
confidence in IT system and transactions in cyberspace and thereby enhance adoption
of IT in all sectors of the economy.
• To create an assurance framework for the design of security policies and promotion and
enabling actions for compliance to global security standards and best practices by way
of conformity assessment (Product, process, technology & people).
• To strengthen the Regulatory Framework for ensuring a SECURE CYBERSPACE
ECOSYSTEM.
• To enhance and create National and Sectoral level 24X7 mechanism for obtaining
strategic information regarding threats to ICT infrastructure, creating scenarios for
response, resolution and crisis management through effective predictive, preventive,
protective response and recovery actions.

CYBER SECURITY Page 21

INTRODUCTION: CYBER FORENSICS
CYBER FORENSICS:
Computer forensics is the application of investigation and analysis techniques to gather and
preserve evidence.
Forensic examiners typically analyze data from personal computers, laptops, personal digital
assistants, cell phones, servers, tapes, and any other type of media. This process can involve
anything from breaking encryption, to executing search warrants with a law enforcement team,
to recovering and analyzing files from hard drives that will be critical evidence in the most
serious civil and criminal cases.

The forensic examination of computers, and data storage media, is a complicated and highly
specialized process. The results of forensic examinations are compiled and included in reports.
In many cases, examiners testify to their findings, where their skills and abilities are put to
ultimate scrutiny.

DIGITAL FORENSICS:

Digital Forensics is defined as the process of preservation, identification, extraction, and

documentation of computer evidence which can be used by the court of law. It is a science of
finding evidence from digital media like a computer, mobile phone, server, or network. It
provides the forensic team with the best techniques and tools to solve complicated digital-
related cases.

Digital Forensics helps the forensic team to analyzes, inspect, identifies, and preserve the
digital evidence residing on various types of electronic devices.

Digital forensic science is a branch of forensic science that focuses on the recovery and
investigation of material found in digital devices related to cybercrime.
THE NEED FOR COMPUTER FORENSICS
Computer forensics is also important because it can save your organization money From a
technical standpoint, the main goal of computer forensics is to identify, collect, preserve, and
analyze data in a way that preserves the integrity of the evidence collected so it can be used
effectively in a legal case.
CYBER FORENSICS AND DIGITAL EVIDENCE:

Digital evidence is information stored or transmitted in binary form that may be relied on in
court. It can be found on a computer hard drive, a mobile phone, among other places. Digital
evidence is commonly associated with electronic crime, or e-crime, such as child pornography
or credit card fraud. However, digital evidence is now used to prosecute all types of crimes,
not just e-crime. For example, suspects' e-mail or mobile phone files might contain critical
evidence regarding their intent, their whereabouts at the time of a crime and their relationship
with other suspects. In 2005, for example, a floppy disk led investigators to the BTK serial
killer who had eluded police capture since 1974 and claimed the lives of at least 10 victims.

CYBER SECURITY Page 22

In an effort to fight e-crime and to collect relevant digital evidence for all crimes, law
enforcement agencies are incorporating the collection and analysis of digital evidence, also
known as computer forensics, into their infrastructure. Law enforcement agencies are
challenged by the need to train officers to collect digital evidence and keep up with rapidly
evolving technologies such as computer operating systems.

FORENSICS ANALYSIS OF EMAIL:

E-mail forensics refers to the study of source and content of e-mail as evidence to identify the
actual sender and recipient of a message, data/time of transmission, detailed record of e-mail
transaction, intent of the sender, etc. This study involves investigation of metadata, keyword
searching, port scanning, etc. for authorship attribution and identification of e-mail scams.

Various approaches that are used for e-mail forensic are:

• Header Analysis – Meta data in the e-mail message in the form of control information
i.e. envelope and headers including headers in the message body contain information
about the sender and/or the path along which the message has traversed. Some of these
may be spoofed to conceal the identity of the sender. A detailed analysis of these
headers and their correlation is performed in header analysis.

• Bait Tactics – In bait tactic investigation an e-mail with http: “<imgsrc>” tag having
image source at some computer monitored by the investigators is send to the sender of
e-mail under investigation containing real (genuine) e-mail address. When the e-mail
is opened, a log entry containing the IP address of the recipient (sender of the e-mail
under investigation) is recorded on the http server hosting the image and thus sender
is tracked. However, if the recipient (sender of the e-mail under investigation) is using
a proxy server then IP address of the proxy server is recorded. The log on proxy server
can be used to track the sender of the e-mail under investigation. If the proxy server’s
log is unavailable due to some reason, then investigators may send the tactic e-mail
containing a) Embedded Java Applet that runs on receiver’s computer or b) HTML page
with Active X Object. Both aiming to extract IP address of the receiver’s computer and
e-mail it to the investigators.

• Server Investigation – In this investigation, copies of delivered e-mails and server logs
are investigated to identify source of an e-mail message. E-mails purged from theclients
(senders or receivers) whose recovery is impossible may be requested from servers
(Proxy or ISP) as most of them store a copy of all e-mails after their deliveries. Further,
logs maintained by servers can be studied to trace the address of the computer
responsible for making the e-mail transaction. However, servers store the copies of e-
mail and server logs only for some limited periods and some may not co-operate with
the investigators. Further, SMTP servers which store data like credit card number and
other data pertaining to owner of a mailbox can be used to identify person behind an e-
mail address.

• Network Device Investigation – In this form of e-mail investigation, logs maintained

by the network devices such as routers, firewalls and switches are used to investigate

CYBER SECURITY Page 23

 the source of an e-mail message. This form of investigation is complex and is used only
when the logs of servers (Proxy or ISP) are unavailable due to some reason, e.g. when
ISP or proxy does not maintain a log or lack of co-operation by ISP’s or failure to
maintain chain of evidence.

• Software Embedded Identifiers – Some information about the creator of e-mail,

attached files or documents may be included with the message by the e-mail software
used by the sender for composing e-mail. This information may be included in the form
of custom headers or in the form of MIME content as a Transport Neutral Encapsulation
Format (TNEF). Investigating the e-mail for these details may reveal some vital
information about the senders e-mail preferences and options that could help client side
evidence gathering. The investigation can reveal PST file names, Windows logon
username, MAC address, etc. of the client computer used to send e- mail message.

• Sender Mailer Fingerprints – Identification of software handling e-mail at server can

be revealed from the Received header field and identification of software handling e-
mail at client can be ascertained by using different set of headers like “X- Mailer” or
equivalent. These headers describe applications and their versions used at the clients to
send e-mail. This information about the client computer of the sender can be used to
help investigators devise an effective plan and thus prove to be very useful.

EMAIL FORENSICS TOOLS

Erasing or deleting an email doesn’t necessarily mean that it is gone forever. Often emails can
be forensically extracted even after deletion. Forensic tracing of e-mail is similar to traditional
detective work. It is used for retrieving information from mailbox files.

• MiTec Mail Viewer – This is a viewer for Outlook Express, Windows Mail/Windows
Live Mail, Mozilla Thunderbird message databases, and single EML files. It displays a
list of contained messages with all needed properties, like an ordinary e-mail client.
Messages can be viewed in detailed view, including attachments and an HTML
preview. It has powerful searching and filtering capability and also allows extracting
email addresses from all emails in opened folder to list by one click. Selected messages
can be saved to eml files with or without their attachments. Attachments can be
extracted from selected messages by one command.

• OST and PST Viewer – Nucleus Technologies’ OST and PST viewer tools help you
view OST and PST files easily without connecting to an MS Exchange server. These
tools allow the user to scan OST and PST files and they display the data saved in it
including email messages, contacts, calendars, notes, etc., in a proper folder structure.

• eMailTrackerPro – eMailTrackerPro analyses the headers of an e-mail to detect the

IP address of the machine that sent the message so that the sender can be tracked down.
It can trace multiple e-mails at the same time and easily keep track of them. The
geographical location of an IP address is key information for determining the threat
level or validity of an e-mail message.

CYBER SECURITY Page 24

 • EmailTracer – EmailTracer is an Indian effort in cyber forensics by the Resource
Centre for Cyber Forensics (RCCF) which is a premier centre for cyber forensics in
India. It develops cyber forensic tools based on the requirements of law enforcement
agencies.

DIGITAL FORENSICS LIFECYCLE:

Collection: The first step in the forensic process is to identify potential sources of data and
acquire data from them.
Examination:After data has been collected, the next phase is to examine the data, which
involves assessing and extracting the relevant pieces of information from the collected data.
This phase may also involve bypassing or mitigating OS or application features that obscure
data and code, such as data compression, encryption, and access control mechanisms.
Analysis: Once the relevant information has been extracted, the analyst should study and
analyze the data to draw conclusions from it. The foundation of forensics is using a methodical
approach to reach appropriate conclusions based on the available data or determine that no
conclusion can yet be drawn.
Reporting: The process of preparing and presenting the information resulting from the analysis
phase. Many factors affect reporting, including the following:
a. Alternative Explanations:When the information regarding an event is incomplete, it
may not be possible to arrive at a definitive explanation of what happened. When an
event has two or more plausible explanations, each should be given due consideration
in the reporting process. Analysts should use a methodical approach to attempt to prove
or disprove each possible explanation that is proposed.

b. Audience Consideration. Knowing the audience to which the data or information will
be shown is important.

CYBER SECURITY Page 25

 c. Actionable Information. Reporting also includes identifying actionable information
gained from data that may allow an analyst to collect new sources of information
FORENSICS INVESTIGATION:
Forensics are the scientific methods used to solve a crime. Forensic investigation is the
gathering and analysis of all crime-related physical evidence in order to come to a conclusion
about a suspect. Investigators will look at blood, fluid, or fingerprints, residue, hard drives,
computers, or other technology to establish how a crime took place. This is a general definition,
though, since there are a number of different types of forensics.
TYPES OF FORENSICS INVESTIGATION
• Forensic Accounting / Auditing
• Computer or Cyber Forensics
• Crime Scene Forensics
• Forensic Archaeology
• Forensic Dentistry
• Forensic Entomology
• Forensic Graphology
• Forensic Pathology
• Forensic Psychology
• Forensic Science
• Forensic Toxicology

CHALLENGES IN COMPUTER FORENSICS

Digital forensics has been defined as the use of scientifically derived and proven methods
towards the identification, collection, preservation, validation, analysis, interpretation, and
presentation of digital evidence derivative from digital sources to facilitate the reconstruction
of events found to be criminal.But these digital forensics investigation methods face some
major challenges at the time of practical implementation. Digital forensic challenges are
categorized into three major heads as per Fahdi, Clark, and Furnell are:

• Technical challenges
• Legal challenges
• Resource Challenges

TECHNICAL CHALLENGES

As technology develops crimes and criminals are also developed with it. Digital forensic
experts use forensic tools for collecting shreds of evidence against criminals and criminals use
such tools for hiding, altering or removing the traces of their crime, in digital forensic this
process is called Anti- forensics technique which is considered as a major challenge in digital
forensics world.

Anti-forensics techniquesare categorized into the following types:

S. No. Type Description

1 Encryption It is legitimately used for ensuring the privacy of

CYBER SECURITY Page 26


2 Data hiding in storage space
3 Covert Channel
information by keeping it hidden from an
unauthorized user/person. Unfortunately, it can also
be used by criminals to hide their crimes
Criminals usually hide chunks of data inside the
storage medium in invisible form by using system
commands, and programs.
A covert channel is a communication protocol which
allows an attacker to bypass intrusion detection
technique and hide data over the network. The
attacker used it for hiding the connection
between him and the compromised system.

Other Technical challenges are:

• Operating in the cloud

• Time to archive data
• Skill gap
• Steganography

LEGAL CHALLENGES

The presentation of digital evidence is more difficult than its collection because there are many
instances where the legal framework acquires a soft approach and does not recognize every
aspect of cyber forensics, as in Jagdeo Singh V. The State and Ors case Hon’ble High Court of
Delhi held that “while dealing with the admissibility of an intercepted telephone call in a CD
and CDR which was without a certificate under Sec. 65B of the Indian Evidence Act, 1872 the
court observed that the secondary electronic evidence without certificate u/s. 65B ofIndian
Evidence Act, 1872 is not admissible and cannot be looked into by the court for any purpose
whatsoever.” This happens in most of the cases as the cyber police lack the necessary
qualification and ability to identify a possible source of evidence and prove it. Besides, most
of the time electronic evidence is challenged in the court due to its integrity. In the absence of
proper guidelines and the nonexistence of proper explanation of the collection, and acquisition
of electronic evidence gets dismissed in itself.

Legal Challenges

S.No. Type Description

1 Absence of guidelines and
standards
2 Limitation of the Indian The Indian Evidence Act, 1872 have limited approach,
Evidence Act, 1872
In India, there are no proper guidelines for the
collection and acquisition of digital evidence. The
investigating agencies and forensic laboratories are
working on the guidelines of their own. Due to this,
the potential of digital evidence has been destroyed.
it is not able to evolve with the time and address the E-
evidence are more susceptible to tampering, alteration,
transposition, etc. the Act is silent on the method of
collection of e-evidence it only focuses on the
presentation of electronic
evidence in the court by accompanying a certificate
as per subsection 4 of Sec. 65B[12]. This means no

CYBER SECURITY Page 27

 matter what procedure is followed it must be proved
with the help of a certificate.

Other Legal Challenges

• Privacy Issues
• Admissibility in Courts
• Preservation of electronic evidence
• Power for gathering digital evidence
• Analyzing a running computer

Resource Challenges

As the rate of crime increases the number of data increases and the burden to analyze such huge
data is also increasing on a digital forensic expert because digital evidence is more sensitive as
compared to physical evidence it can easily disappear. For making the investigation process
fast and useful forensic experts use various tools to check the authenticity of the data but dealing
with these tools is also a challenge in itself.

Types of Resource Challenges are:

• Change in technology

Due to rapid change in technology like operating systems, application software and hardware,
reading of digital evidence becoming more difficult because new version software’s are not
supported to an older version and the software developing companies did provide any backward
compatible’s which also affects legally.

• Volume and replication

The confidentiality, availability, and integrity of electronic documents are easily get
manipulated. The combination of wide-area networks and the internet form a big network that
allows flowing data beyond the physical boundaries. Such easiness of communication and
availability of electronic document increases the volume of data which also create difficulty in
the identification of original and relevant data.

CYBER SECURITY Page 28