Monday, July 30, 2012

Cyber Forensic Investigation Solutions in India Are Needed

Cyber forensics requires application of both technical and legal mind to a situation. If either of them is missing, the entire purpose of cyber forensics exercise would be frustrated. Cyber forensics also requires a greater degree of care and expertise as compared to electronic discovery whose purposes may be limited in nature.

India has a unique cyber culture that requires effective cyber forensics and electronic discovery capabilities. Further, cyber security research and development is also required to be enhanced in India. Companies and firms providing cyber forensics services in India must also innovate so that international cyber threats can be effectively tackled. These companies and firms must also invest in producing world class cyber forensics solutions in India.

On the education front as well we need to do a lot in India. Indian educational system is academic in nature with little scope for professional and vocational studies. The traditional educational system would take decades to reform and we need parallel initiatives in this regard that are free from procedural hassles and bureaucratic hurdles.

Corruption in higher legal education in India is rampant and it needs to be curbed. PhDs in India are dying, and if the Indian government does not intervene immediately there is no scope or future for cyber forensics education in India either. Virtual campuses are the solution to corrupt higher education in India and they must be encouraged.

At Perry4Law Techno Legal Base (PTLB) we are managing a techno legal e-learning platform that is providing cyber forensics trainings and courses world wide. We are also providing cyber crime investigation trainings in India.

In order to effectuate and strengthen cyber forensics investigation solutions in India, Perry4Law, PTLB and Perry4Law Techno Legal ICT Training Centre (PTLITC) are also managing the exclusive techno legal cyber forensics tools and software repository of India. It consists of the most advanced cyber forensics tools and software that can be used in a variety of situations.

We are also in the process of developing cyber forensics best practices that would be compatible with Indian requirements. We expect a more proactive and direct role by the Indian government in this crucial field, which has been ignored for long.

Sunday, July 22, 2012

IP Address Tracking Methods And Techniques For E-Mails

An Internet Protocol Address (IP Address) is the starting point not only for initiating communications across the Internet but also for tracing the same back to a particular Computer System. Of course, an IP Address is not always what it seems to be, and there may be instances of IP Address Spoofing where the IP Address is forged to mislead the Traceability exercise. This is also the reason why an IP Address should not be the sole criterion for arresting and convicting an accused.

Nevertheless, tracing the “Real Culprit” essentially involves IP Address Tracing as the first step. In this article I discuss some of the issues connected with tracking an IP Address from an E-Mail. The scope of this article is not to explain how to obtain E-Mail Headers but to discuss how to “Interpret” E-Mail Headers, so I presume that you are aware of the procedure to obtain E-Mail Headers from your respective E-Mail Client. Reading Anonymity and Traceability in Cyberspace (PDF) by Richard Clayton would be a good idea in this regard.

Generally, the details of an IP Address can be found in Log Files, in the Received Header fields of an E-Mail, in Tcpdump Traces, by Pinging or doing a Whois Query of a Website, etc. Once the IP Address has been ascertained, it is imperative to Track who is using the concerned IP Address.

With Static IP Addresses the problem of Tracking a person is comparatively easy. However, Dynamic IP Addresses keep changing with every use. It is absolutely essential to “Correlate” the details of such a Dynamic IP Address with the “Exact Time” as well as the concerned “Log Entries”. Further, IP Spoofing must also be kept in mind, though it is primarily used for Distributed Denial of Service (DDoS) Attacks.

However, the threat of “Spoofed E-Mail Headers” is real, and special care must be taken while analysing E-Mail Headers as they may carry “Spoofed Information”. Mutual Authentication and Correlation of the E-Mail Header Information is required to reach a “Conclusive Decision” in this regard.

So before analysing the E-Mail Headers for the relevant IP Address, one must ensure that there is no case of E-Mail Spoofing. In E-Mail Spoofing the sender forges the sender address, and other parts of the E-Mail Header are altered so that the E-Mail appears to have originated from a different source. This is possible because the Simple Mail Transfer Protocol (SMTP) by itself provides no Authentication, which allows Spoofed E-Mails to be sent.

E-Mails accumulate “Received Headers” as they travel through different hosts, so by reading them in order you can reconstruct the original source of the E-Mail. However, reading E-Mail Header fields to ascertain the true IP Address of the sender requires good working knowledge in this regard. The most common and trusted method is to analyse the Headers from “Top to Bottom” until the “Chain of Coherence” is broken by a suspicious or forged entry. The “Last Trusted Received Header” field may tell you the IP Address of the sender of the E-Mail. So instead of jumping directly to the last Received Header in all cases to ascertain the IP Address of the sender, it is appropriate to work downwards from the first Header field to the last and assess their “Integrity”.

In cases of Spoofed E-Mails, the “Last Received Header Rule” may not apply. In order to establish the Authenticity of the Headers of such a Spoofed E-Mail, one must perform both a “Reverse Lookup” and a “Forward Lookup” of the IP Addresses in the E-Mail.

Another aspect to be noted is that in the case of Gmail it is generally not possible to ascertain the IP Address of the sender of an E-Mail, because Google puts the IP Address of its own Servers in the Headers when a Gmail account holder sends an E-Mail through the web interface. You have to get a “Court Order” to force Google to disclose the IP Address of the sender. However, if someone sends you an E-Mail from a Gmail account using a client like Thunderbird, Outlook or Apple Mail, you may still find the “Originating IP Address”.

Finally, basic level “Alertness” is also essential on the part of Law Enforcement Agencies and their Technicians. For instance, Lakshmana Kailash K of India spent 50 days in an Indian Jail because the Police/Internet Service Provider (ISP) made an “Apparent but very Common Mistake” while providing the details of the person who had used the IP Address from which the offence was committed.

The Indian Police and the ISP were confused by what I call the “AM/PM Syndrome” and did not bother to check the “Exact Time” of the commission of the crime. Mistakes like these have no place in the Cyber Forensics and Cyber Law fields.

While ascertaining the IP Address of an E-Mail, all these factors must be kept in mind. Automatic Scripts/Software are good for ascertaining the IP Address, but the result produced by such Automatic Scripts/Software must be “Corroborated” by manual inspection. I will share more on this issue in my subsequent articles.
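The following script is an added example, not code from the original post or from Perry4Law; it shows the procedure described above in working form: reading the Received headers from top to bottom, checking the “Chain of Coherence” (the server that added each header must be the host the header above says it received from, and timestamps must not run forward as we go down), normalising every timestamp to UTC so that the “Exact Time” is unambiguous (the AM/PM problem above), and corroborating the last trusted hop with a reverse and a forward lookup. The message, host names, IP addresses and the DNS table are all constructed for the demo; a real investigation would replace the table with `socket.gethostbyaddr` and `socket.gethostbyname` (or a proper DNS library) and still confirm the result by manual inspection.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real capture). Received headers are listed
# newest-first: the top hop was added by the recipient's own server, the bottom
# hop is the one nearest the sender and the easiest to forge. The last hop here
# is deliberately inconsistent with the hop above it to show a broken chain.
RAW_MESSAGE = """Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby inbox.example.org with ESMTP id abc123
\tfor <victim@example.org>; Sun, 22 Jul 2012 14:05:11 +0530
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.example.net with ESMTP id def456;
\tSun, 22 Jul 2012 08:35:02 +0000
Received: from sender-pc.example (sender-pc.example [192.0.2.55])
\tby relay.isp.example with ESMTPA id ghi789;
\tSun, 22 Jul 2012 08:34:58 +0000
Received: from forged.example (forged.example [192.0.2.1])
\tby unrelated.example with SMTP id zzz000;
\tSat, 21 Jul 2012 23:59:59 +0000
From: someone@example.com
To: victim@example.org
Subject: test

body
"""

# "from <helo-name> (<rdns> [<ip>]) by <server> ..." as written by most MTAs.
HOP_RE = re.compile(
    r"from\s+(?P<from_host>\S+)"          # name the connecting host announced
    r"(?:\s+\((?P<from_info>[^)]*)\))?"   # optional "(rdns [ip])" seen by the receiver
    r".*?\bby\s+(?P<by_host>\S+)",        # the server that added this header
    re.DOTALL,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed DNS view for the offline demo. Reverse (PTR) and forward (A) data
# must agree for a hop to be corroborated; forged.example does not resolve back.
FAKE_PTR = {"203.0.113.10": "mx.example.net",
            "198.51.100.7": "relay.isp.example",
            "192.0.2.55": "sender-pc.example"}
FAKE_A = {"mx.example.net": "203.0.113.10",
          "relay.isp.example": "198.51.100.7",
          "sender-pc.example": "192.0.2.55",
          "forged.example": "203.0.113.99"}


def parse_received(raw_message):
    """Return one dict per Received header, in top-to-bottom order."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received") or []:
        text = " ".join(value.split())            # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue
        ip_match = IP_RE.search(m.group("from_info") or m.group("from_host"))
        when = None
        if ";" in text:                           # the date follows the last ';'
            try:
                when = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
                when = when.astimezone(timezone.utc)   # one clock for all hops
            except (TypeError, ValueError):
                when = None
        hops.append({"from_host": m.group("from_host").strip("[]").lower(),
                     "by_host": m.group("by_host").lower(),
                     "ip": ip_match.group(1) if ip_match else None,
                     "time": when})
    return hops


def last_trusted_hop(hops):
    """Walk the hops from the top; stop at the first one that does not cohere
    with the hop above it. A break is a flag for manual review, not proof of
    forgery: some legitimate relays name themselves inconsistently."""
    trusted = []
    for i, hop in enumerate(hops):
        if i > 0:
            above = hops[i - 1]
            if hop["by_host"] != above["from_host"]:
                break                               # server names do not chain
            if hop["time"] and above["time"] and hop["time"] > above["time"]:
                break                               # time runs forward going down
        trusted.append(hop)
    return trusted[-1] if trusted else None


def lookups_agree(ip, host, ptr=FAKE_PTR, a=FAKE_A):
    """Reverse lookup of the IP must name the host, and forward lookup of that
    host must return the same IP (the tables are injected so this runs offline)."""
    return ptr.get(ip) == host.lower() and a.get(host.lower()) == ip


def analyse(raw_message):
    hops = parse_received(raw_message)
    hop = last_trusted_hop(hops)
    return {"hops": len(hops),
            "candidate_ip": hop["ip"] if hop else None,
            "candidate_time_utc": hop["time"].isoformat() if hop and hop["time"] else None,
            "corroborated": bool(hop and hop["ip"] and lookups_agree(hop["ip"], hop["from_host"]))}


if __name__ == "__main__":
    print(analyse(RAW_MESSAGE))
```

The script stops at the fourth header because `by unrelated.example` does not match the host the third header says it received from, so the candidate is the third hop (192.0.2.55 at 08:34:58 UTC), not the bottom header that a forger controls. Note that the top header's `+0530` timestamp and the second header's `+0000` timestamp differ by only nine seconds once both are converted to UTC, which is the comparison an ISP log request must be based on.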

Thursday, July 19, 2012

Hidden Internet: The Unexplored, Hidden And Deep Web And Internet

The tussle between Anonymity and Traceability has been going on for many years. Law Enforcement Agencies are pushing for lesser Anonymity and greater Traceability whereas Civil Liberty Groups and Netizens are demanding greater Anonymity and Privacy. The battle is epic and it is not going to end soon.

Anonymity has both uses and misuses. Just like any legitimate Invention and Technology, the Internet can be both abused for criminal activities and used for the greater benefit of the Human race. Similarly, the Internet has many benefits and it is used in numerous ways, some known while others are still unknown.

While the known part can be viewed and analysed through numerous methods, including search results from search engines, the majority of the World Wide Web (WWW) is still out of plain sight and beyond the reach of most of us. This hidden Web is known by many as the Deep Web, though I personally prefer to call it the “Hidden Internet”.

The Hidden Internet may be residing in plain sight or it may be hidden by using special techniques and methodologies. For instance, access to a Website or Blog may be restricted to its owners alone through the use of a robots.txt file. However, even such a restricted Blog can be accessed through the use of cracking methods or by the company that owns the concerned Blog.

Further, there are many Crawlers that do not comply with the settings and restrictions placed in robots.txt files. This may expose files and documents that were not intended to be disclosed. This is where Google Hacking comes into the picture.

By its very nature, the Hidden Internet is designed to defeat indexing of its contents by search engines. Its contents are visible and accessible only to a select few who have not only the knowledge of such contents but also the means and methods to access them.

The Hidden Internet is different from the Dark Internet: in the case of the former the Computers storing and processing the contents are still reachable, though by a select few alone. The Dark Internet, on the other hand, is a group of Computers that are simply off the Internet and cannot be accessed at all.

According to an estimate based upon a study by the University of California, Berkeley in the year 2001, the Hidden Internet consists of about 7,500 terabytes of information. Another study in 2004 indicated that there are around 300,000 deep web sites in the entire Hidden Internet, and around 14,000 deep web sites existed in the Russian part of the Web in 2006. Thus, the Hidden Internet is much bigger and carries more information than our presently accessible Internet.

The contents and information stored in the Hidden Internet can be found in the form of Dynamic Contents, Unlinked Contents, Private Web, Contextual Web, Limited Access Contents, Scripted Contents, Non-HTML/Text Contents, etc. These contents and information are not available to normal search engines for indexing. Search engines are now planning to tackle this issue and are devising methods to access contents and information residing in the Hidden Internet.

In fact, some search engines have been specifically designed to access the contents of the Hidden Internet. However, there is still a long road ahead for search engines and Law Enforcement Agencies around the World to tackle the vices of the Hidden Internet. Efforts in the direction of making the entire search process “Automatic” are going on at the global level.

The more difficult challenge is to categorise and map the information extracted from multiple Hidden Internet sources according to end-user needs. Hidden Internet search reports cannot display URLs the way traditional search reports do. End users expect their search tools not only to find what they are looking for quickly, but to be intuitive and user-friendly. In order to be meaningful, the search reports have to offer some depth about the nature of the content that underlies the sources, or else the end user will be lost in a sea of URLs that do not indicate what content lies beneath them.

The format in which search results are to be presented varies widely by the particular topic of the search and the type of content being exposed. The challenge is to find and map similar data elements from multiple disparate sources so that search results may be exposed in a unified format on the search report irrespective of their source.

I will try to cover the Security, Forensics and Law Enforcement Issues of the Hidden Internet in my subsequent posts. This post is intended only to provide basic level information about the Hidden Internet as a foundation for those subsequent posts, and nothing more.